Note

It is recommended that you enable RRI on the crypto map (static or dynamic) for the support of VPN clients unless the crypto map is being applied to a Generic Routing Encapsulation (GRE) tunnel that is already being used to distribute routing information.

• After the configuration parameters have been successfully received by the client, IKE quick mode is initiated to negotiate IPsec SA establishment. After IPsec SAs are created, the connection is complete.

Configuring the Easy VPN Server

Remember the Easy VPN Server configuration is important because it is the central location where the other VPN client connections terminate. To configure Easy VPN Server on your Cisco IOS 12.2(8)T or later router, follow these steps: Step 1.

Create the IP address pool (remote router) .

Step 2.

Prepare the router for Easy VPN Server . Step 3.

Configure the group policy lookup . Step 4.

Create the ISAKMP policy for the remote VPN clients . Step 5.

Define a group policy for a mode configuration push . Step 6.

Create the transform set . Step 7.

Create the dynamic crypto maps with RRI . Step 8.

Apply the mode configuration to the dynamic crypto map . Step 9.

Apply the dynamic crypto map to the interface .

Step 10.

Enable IKE DPD .

Step 11.

Configure Xauth .

For the purpose of this exercise, see Figure 22-4 . This figure depicts the address space used between the headquarters and the remote office. The remote office is located in the resort town of Windham, New York, and is connected to the Internet via a 1700 series router.

Figure 22-4. VPN Connection Between New York Headquarters and

Remote Office

[View full size image]

Figure 22-4. VPN Connection Between New York Headquarters and

Remote Office

[View full size image]

Create IP Address Pool

The configuration of IP DHCP address pool is required for Easy VPN Remote in client mode. The local router uses DHCP to assign IP addresses to the PCs connected to the router's LAN interface. The router then uses NAT or PAT to translate these IP addresses into a single of group of IP addresses that is transmitted across the VPN tunnel connection. Use the following steps to configure DHCP on the remote router: Step 1.

Create a name for the DHCP server address pool using the ip dhcp pool pool-name global configuration command. This command will put you in the DHCP pool configuration mode.

Step 2.

Specify the IP network number and subnet mask of the DHCP address pool that is to be used by using the network command in dhcp configuration mode.

Step 3.

Specify the IP address of the default router for DHCP client using the default-router address command in the DHCP configuration mode.

Step 4.

Import the domain name, DNS server, and NetBIOS Windows Internet Name Service (WINS) server from a central DHCP server into the router's local DHCP database using import all command in DHCP configuration mode. These items are also defined in the mode configuration push.

Step 5.

Exclude the specified IP addresses, such as the router's IP address, from the DHCP server pool using the ip dhcp excluded-address lan-ip-address command in global configuration mode.

Example 22-1 shows an Easy VPN Remote router using 10.1.1.0 for the LAN subnet pool called NYCRemote. In this case, the router's interface IP address of 10.1.1.1 is being excluded from the DHCP pool.

0 0

Post a comment