Network Guys

Share your knowledge!

Site2Site VPN Tunnel with ClientVPN @ Cisco IOS

Good Morning everyone!

I want to describe several VPN configurations on a Cisco router, ASA firewall and Sophos UTM. I will start with Cisco IOS on a Cisco router. In this example you will learn to configure a site2site VPN tunnel with a coincident client VPN access.

First we will configure the basic IPsec VPN settings. Start with Phase 1:

crypto isakmp policy 10
encr aes
authentication pre-share
group 2

There are other commands you can use for this like hash or lifetime. Not seeing this in your config means, that the default value is configured. For example: lifetime is by default 86400 seconds (1 day). After this we will configure the site2site parameters like remote IP address, pre shared key and Phase 2 values. In our example we (subnet 192.168.10.0 /24) want to connect to 44.55.66.77 to our Brasilia branch office (subnet 172.16.8.0 /24).

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto isakmp key MyLittlePr3Sh@r3dK3y address 44.55.66.77 no-xauth

crypto map MyCompanyMap 10 ipsec-isakmp
set peer 44.55.66.77
set security-association lifetime seconds 28800
set transform-set ESP-AES-SHA
match address vpn-brasilia

ip access-list extended vpn-brasilia
permit ip 192.168.10.0 0.0.0.255  172.16.8.0 0.0.0.255

interface Dialer1
description My WAN Link (can also be a Ethernet-Interface)
ip access-group wan_in in
crypto map MyCompanyMap

ip access-list extended wan_in
remark Protocols for VPN
permit ahp any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp

ip route 0.0.0.0 0.0.0.0 Dialer1

ip access-list extended tonat
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.10.0 0.0.0.255 any

ip nat inside source list tonat interface Dialer1 overload

be sure to allow the protocols from outside to inside. I always choose AES and SHA because its more secure and much more faster than 3DES (three times DES). I also got problems with MD5 between Cisco and Juniper. On Brasilia Router you need to configure the same only with the opposite values such remote peer address and the access-list for vpn-interested traffic like our “vpn-brasilia”. Keep in mind to not (!) nat into this networks!

To add Cisco Client VPN (EasyVPN) to this config you need to add this:

We will use local authentication but you can also use a RADIUS server for this.

aaa new-model
aaa authentication login userauth local
aaa authorization network groupauth local

username drdoom password !nh3LL

!define the IP address pool for the connected VPN clients:
ip local pool vpn-pool 192.168.255.1 192.168.255.254

!define the network where your vpn clients can connect to; this will also be the route(s) for your client
ip access-list extended vpn-clients
permit ip 192.168.10.0 0.0.0.255 192.168.255.0 0.0.0.255

!configure a new VPN group; you can configure more than one
crypto isakmp client configuration group myVPNclients
key The3ndIsN3@r
dns 192.168.10.6
domain mycompany.local
pool vpn-pool
acl vpn-clients
netmask 255.255.255.0
!this will enable saving the clients password to the cisco vpn client; its very insecure because the password is stored (encrypted) locally at C:\Program Files (x86)\Cisco Systems\VPN Client\Profiles
save-password

crypto dynamic-map DynamicPeers 10
set transform-set ESP-AES-SHA

crypto map MyCompanyMap client authentication list userauth
crypto map MyCompanyMap isakmp authorization list groupauth
crypto map MyCompanyMap client configuration address respond
crypto map MyCompanyMap 200 ipsec-isakmp dynamic DynamicPeers
! the dynamic crypto map needs to have the highest order number at the crypto map MyCompanyMap because your VPN clients are always coming from a dynamic WAN address and in other case the fix site2site VPN tunnels are not working.

 

 

Now you can download the Cisco VPN client at www.cisco.com with a CCO account and can configure a new entry:

 

cisco-vpn-client

 

Feel free to comment and ask to this post, I can explaine in more detail and can extend this tutorial.

Leave a Reply

Click on the button to load the content from jetpack.wordpress.com.

Load content

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Certificates

ekahau Certified Survey Engineer
ATP_wsrgb
ACMP2
suca
Post Categories
Post Archives