THE FASCINATING WORLD OF NETWORKING
Part I: Configuring Easy VPN Server on Cisco IOS Routers with CCP
VPN Overview
- A virtual private network (VPN) is an encrypted connection between private networks over a public network such as the Internet.
- The word virtual in VPN refers to a logical connection between two devices. Information within a private network is transported over a public network.
- The word private means the traffic is encrypted to keep the data confidential.
- A Virtual Private Network (VPN) provides the same network connectivity for remote users over a public infrastructure as they would have over a private network.
VPN services or benefits for network connectivity include:
- Authentication: ensures that only authorized senders and devices enter the network.
- Data integrity: guarantees that no tampering or alterations occur, using hashing.
- Data confidentiality: protects data against eavesdroppers, by configuring encryption.
Types of VPN
There are two major categories into which VPNs can be placed: remote-access and site-to-site.
Site-to-Site VPNs:
- Connect entire networks to each other.
- VPN hosts do not require VPN client software.
- Internal hosts send and receive normal TCP/IP traffic through a VPN “gateway” such as a Cisco ISR or an ASA.
- The VPN gateway is responsible for encapsulating and encrypting outbound traffic over the Internet to a peer VPN gateway.
- Upon receipt, the peer VPN gateway decrypts the content and relays the packet toward the target host inside its private network.
- Many Cisco devices can work together to form the VPN, including routers, firewalls, and Adaptive Security Appliances.
- You can deploy site-to-site IPsec VPNs between routers, between a router and an ASA, and between ASAs.
Remote Access VPNs:
- Securely connect remote users, such as mobile users and telecommuters, to the enterprise.
- In a remote-access VPN, each host typically has Cisco VPN Client software or Cisco AnyConnect.
- The client encapsulates and encrypts that traffic and sends it over the Internet to the target VPN gateway.
- The VPN gateway behaves as it does for site-to-site VPNs.
The different types of Remote Access VPNs are:
Clientless SSL VPN (WebVPN):
- Browser-based VPN that lets users establish a secure remote-access VPN tunnel to the ASA/ISR using a web browser.
- After authentication, users reach a portal page and can access specific, supported internal resources.
Client-Based SSL VPN:
- Provides a full-tunnel SSL VPN connection but requires a VPN client application to be installed on the remote host.
- Requires a client, such as the Cisco AnyConnect VPN client, to be installed on the host.
Cisco Easy VPN (IPsec Remote Access VPN):
- Cisco Easy VPN is an IP Security (IPsec) virtual private network (VPN) solution supported by Cisco routers and security appliances.
- It greatly simplifies VPN deployment for remote offices and mobile workers.
- Cisco Easy VPN can be deployed on a Cisco IOS router or an ASA appliance.
- It requires Cisco VPN Client software installed on the remote host's operating system.
Configuring Easy VPN Server on Cisco IOS with CCP
The Cisco Easy VPN server allows a remote user to connect to the corporate network using an IPsec tunnel. Easy VPN servers can be deployed on a Cisco IOS router or an ASA appliance. To connect to the VPN server, we can use Cisco VPN Client software installed on the user's operating system. The Easy VPN feature minimizes the configuration required at the remote location: all of the configuration lives on the VPN server, which pushes the access policies to the client when the VPN tunnel is established.
Another option for connecting to the VPN server is Easy VPN Remote, which enables Cisco routers and security appliances to establish a site-to-site VPN connection to a Cisco Easy VPN Server.
GNS3 example
You don’t need a real router to practise most of the CCNAS labs. GNS3 works fine and you can simulate ASA, IPS, ISR routers, etc.
Here, CCP_connection is a cloud simulating a loopback interface with IP address 192.168.0.3/24.
CCP and Cisco VPN client are installed on my PC.
Allow CCP connection
First of all, you must configure the router to allow CCP access. The commands are:
hostname R2
!
! "password 0" stores the password in clear text in the running config;
! "username juantron privilege 15 secret ..." stores a hash instead and is preferred
username juantron privilege 15 password 0 juantron
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
no shutdown
!
! CCP connects over HTTPS, which "ip http secure-server" enables;
! "ip http server" additionally enables plain HTTP
ip http server
ip http secure-server
ip http authentication local
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
login local
!
line vty 0 4
privilege level 15
transport input telnet ssh
login local
Prerequisites: AAA must be enabled to configure Easy VPN Server (the wizard asks us to configure it).
The tasks to configure are:
- Select the interface on which client connections will terminate and select the method to authenticate VPN clients (PSK, digital certificates (RSA signatures) or both).
- Configure IKE policies (IKE Phase 1): select encryption algorithms for confidentiality (DES, 3DES, AES, SEAL, RSA); select hashing algorithms for data integrity (MD5, SHA); select secure key exchange algorithms (DH group).
- Configure an IPsec transform set (IKE Phase 2).
- Select the Group Authorization method: Local, RADIUS, RADIUS and Local, or AAA. Here you can create users.
- Create a Group Policy: establish the key for PSK; create a pool to allocate an internal IP address to each client.
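The IOS CLI equivalent of these five tasks, written out here as an added example so you can compare it with what the wizard delivers (this is not the page's own output; the names, the addresses, the pool range and the outside interface FastEthernet0/1 are assumptions, and the placeholders must be replaced):

```cisco
! Added example: IOS CLI for the five Easy VPN Server wizard tasks (assumed names/addresses)
aaa new-model
! Xauth user authentication and group authorization against the local database
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUPAUTH local
! "secret" stores a hash instead of the clear-text "password 0" form
username vpnuser secret REPLACE-WITH-USER-PASSWORD
!
! Task 2: IKE Phase 1 policy (AES-256, SHA-1, pre-shared key, DH group 5)
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
!
! Task 5: group policy, i.e. the group PSK plus the pool handed to clients
crypto isakmp client configuration group EZVPN-GROUP
 key REPLACE-WITH-GROUP-PSK
 dns 192.168.10.5
 domain example.com
 pool EZVPN-POOL
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.50
!
! Task 3: IPsec transform set (IKE Phase 2)
crypto ipsec transform-set EZVPN-TS esp-aes 256 esp-sha-hmac
!
! Dynamic crypto map: clients arrive from unknown addresses, so no peer is set;
! reverse-route injects a host route for each connected client
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 reverse-route
!
! Task 4: bind client (Xauth) authentication and group authorization to the map
crypto map EZVPN-MAP client authentication list EZVPN-XAUTH
crypto map EZVPN-MAP isakmp authorization list EZVPN-GROUPAUTH
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
! Task 1: terminate client connections on the outside interface (assumed)
interface FastEthernet0/1
 crypto map EZVPN-MAP
!
! Verification once a client has connected
! show crypto isakmp sa
! show crypto ipsec sa
! show crypto session
```

Choosing RADIUS in the wizard replaces `local` in the two aaa lists with a RADIUS server group.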
Go to Configure > Security > VPN > Easy VPN Server.
Click Launch Easy VPN Server Wizard.
Note: you may see the following message:
You have to configure AAA before starting the Easy VPN Server configuration, so click Yes:
Click Deliver to continue:
Note: I chose group5 for the D-H Group in this case, but the VPN server may not support group5.
Click OK and Next to go to Configure Transform Set. Click Add (when you add a transform set, the Cisco CP Default transform set is deleted):