Good Morning everyone!
I want to describe several VPN configurations on a Cisco router, ASA firewall and Sophos UTM. I will start with Cisco IOS on a Cisco router. In this example you will learn to configure a site2site VPN tunnel with a coincident client VPN access.
First we will configure the basic IPsec VPN settings. Start with Phase 1:
crypto isakmp policy 10
There are other commands you can use for this like hash or lifetime. Not seeing this in your config means, that the default value is configured. For example: lifetime is by default 86400 seconds (1 day). After this we will configure the site2site parameters like remote IP address, pre shared key and Phase 2 values. In our example we (subnet 192.168.10.0 /24) want to connect to 18.104.22.168 to our Brasilia branch office (subnet 172.16.8.0 /24).
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto isakmp key MyLittlePr3Sh@r3dK3y address 22.214.171.124 no-xauth
crypto map MyCompanyMap 10 ipsec-isakmp
set peer 126.96.36.199
set security-association lifetime seconds 28800
set transform-set ESP-AES-SHA
match address vpn-brasilia
ip access-list extended vpn-brasilia
permit ip 192.168.10.0 0.0.0.255 172.16.8.0 0.0.0.255
description My WAN Link (can also be a Ethernet-Interface)
ip access-group wan_in in
crypto map MyCompanyMap
ip access-list extended wan_in
remark Protocols for VPN
permit ahp any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list extended tonat
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list tonat interface Dialer1 overload
be sure to allow the protocols from outside to inside. I always choose AES and SHA because its more secure and much more faster than 3DES (three times DES). I also got problems with MD5 between Cisco and Juniper. On Brasilia Router you need to configure the same only with the opposite values such remote peer address and the access-list for vpn-interested traffic like our “vpn-brasilia”. Keep in mind to not (!) nat into this networks!
To add Cisco Client VPN (EasyVPN) to this config you need to add this:
We will use local authentication but you can also use a RADIUS server for this.
aaa authentication login userauth local
aaa authorization network groupauth local
username drdoom password !nh3LL
!define the IP address pool for the connected VPN clients:
ip local pool vpn-pool 192.168.255.1 192.168.255.254
!define the network where your vpn clients can connect to; this will also be the route(s) for your client
ip access-list extended vpn-clients
permit ip 192.168.10.0 0.0.0.255 192.168.255.0 0.0.0.255
!configure a new VPN group; you can configure more than one
crypto isakmp client configuration group myVPNclients
!this will enable saving the clients password to the cisco vpn client; its very insecure because the password is stored (encrypted) locally at C:\Program Files (x86)\Cisco Systems\VPN Client\Profiles
crypto dynamic-map DynamicPeers 10
set transform-set ESP-AES-SHA
crypto map MyCompanyMap client authentication list userauth
crypto map MyCompanyMap isakmp authorization list groupauth
crypto map MyCompanyMap client configuration address respond
crypto map MyCompanyMap 200 ipsec-isakmp dynamic DynamicPeers
! the dynamic crypto map needs to have the highest order number at the crypto map MyCompanyMap because your VPN clients are always coming from a dynamic WAN address and in other case the fix site2site VPN tunnels are not working.
Now you can download the Cisco VPN client at www.cisco.com with a CCO account and can configure a new entry:
Feel free to comment and ask to this post, I can explaine in more detail and can extend this tutorial.