Describe the Easy VPN Server

The Easy VPN Server is a product introduced in Cisco IOS Software Release 12.2(8)T. It enables administrators to consolidate IPsec and user policies at a single manageable location that is the endpoint for multiple VPN connections. Each client that connects to this endpoint will download its policy during the VPN negotiation. This centralized management reduces management overhead and increases security.

Easy VPN Server Functionality

The Easy VPN Server provides the following functionality:

• Split tunneling control

• Initial contact

• IKE xauth version 6 support

• Mode configuration version 6 support

• Group-based policy control

Configuring the Easy VPN Server

To configure Easy VPN Server on your Cisco IOS router, you must complete the following tasks using the listed commands:

1. Prepare the router for Easy VPN Server. Enable AAA on the router:

aaa new-model

Define an address pool:

ip local pool pool-name low-address high-address

2. Configure the group policy lookup:

aaa authorization network group-name local [local][radius]

3. Create the ISAKMP policy for the remote VPN clients. Enable ISAKMP:

crypto isakmp enable

Define the IKE priority:

crypto isakmp policy priority_number

Define the peer-authentication method:

authen peer_authentication_method

Define the encryption algorithm:

encryption encryption_algorithm

Diffie-Hellman group (group 2 supported):

group diffie-hellman_group

4. Define a group policy for a mode configuration push. Create the group that is being defined:

crypto isakmp client configuration group group-name

Configure the preshared key. This is the password that the user enters when using the VPN client software:

key preshared_key

Define the DNS servers. By doing so, you designate the DNS servers to be used via the VPN


dns primary_server secondary_server

Define the DNS domain. By doing so, you identify the FQDN for the network the Easy VPN Server is protecting:

domain domain_name

Define WINS servers. By doing so, you designate the WINS servers to be used via the VPN connection:

wins primary_server secondary_server

Define the local IP address pool. By doing so, you identify the IP address scope to be assigned to remote VPN users that connect via the Easy VPN Server:

pool name

5. Create the transform set:

crypto ipsec transform-set name [transforml] [transform2] [transform 3]

6. Create the dynamic crypto maps with RRI. Create the dynamic crypto map:

crypto dynamic-map dynamic_map_name sequence_number

Define the transform set:

set transform-set transform-set_name

Enable RRI:


7. Apply the mode configuration to the dynamic crypto map. Configure the router to respond to requests:

crypto map map_name client configuration address respond

Enable IKE queries for group policy lookup:

crypto map map_name isakmp authorization list list_name

Apply the changes to the dynamic crypto map:

crypto map map_name sequence_number ipsec-isakmp dynamic dynamic_map_name

8. Apply the dynamic crypto map to the interface. Enter the interface configuration mode:

interface interface_name

Apply the crypto map:

crypto map map_name

9. Enable IKE DPD:

crypto isakmp keepalive seconds retries

10. Configure Xauth.

Enable AAA login authentication:

aaa authentication login list_name method1 [method 2]

Configure the Xauth timeout value: crypto isakmp xauth timeout seconds

Configure the Xauth dynamic crypto map:

crypto map map_name client authentication list list_name

Easy VPN Modes of Operation

• Client mode Supports and requires NAT or PAT

• Network extension mode Does not support NAT or PAT

• Network extension plus Like network extension, but assigns IP to loopback interface


0 0

Post a comment