Easy VPN Server

The Easy VPN Server feature introduces server support for the Cisco VPN Client Release 3.x and later software clients and Cisco VPN hardware clients (such as the Cisco ASR 1000 Series Aggregation Services Routers). This feature allows a remote end user to communicate using IPsec with any Cisco IOS XE VPN gateway. Centrally managed IPsec policies are "pushed" to the client device by the server, minimizing configuration by the end user.

Finding Feature Information, page 1
Restrictions for Easy VPN Server, page 1
Information About Easy VPN Server, page 3
How to Configure Easy VPN Server, page 20
Configuration Examples for Easy VPN Server, page 48
Additional References, page 63
Feature Information for Easy VPN Server, page 65

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Easy VPN Server

Unsupported Protocols

The table below outlines IPsec protocol options and attributes that are not supported by Cisco VPN clients. These options and attributes should not be configured on the device for these clients.

Easy VPN Configuration Guide, Cisco IOS XE Release 3S

Table 1: Unsupported IPsec Protocol Options and Attributes

Attributes                     Options
Authentication types           Authentication with public key encryption; Digital Signature Standard (DSS)
Diffie-Hellman (DH) groups     1
IPsec protocol identifier      IPSEC_AH
IPsec protocol mode            Transport mode
Miscellaneous                  Manual keys; Perfect Forward Secrecy (PFS)

Cisco Secure VPN Client 1.x Restrictions

When used with the Easy VPN Server feature, the Cisco Secure VPN Client 1.x has the following restrictions:
- It does not support dead peer detection (DPD) or any other keepalive scheme.
- It does not support initial contact.
- This feature cannot use per-group attribute policy profiles such as IP addresses and Domain Name Service (DNS). Thus, customers must continue to use the existing, globally defined parameters for the IP address assignment, Windows Internet Naming Service (WINS), DNS, and preshared keys.

Multicast and Static NAT

Multicast and static Network Address Translation (NAT) are supported only for Easy VPN servers using dynamic virtual tunnel interfaces (DVTIs).

Virtual IPsec Interface Restrictions

The Virtual IPsec Interface Support feature works only with a Cisco software VPN Client version 4.x or later and an Easy VPN remote device that is configured to use a virtual interface.

Cisco Tunnel Control Protocol Restrictions

- If a port is being used for Cisco Tunnel Control Protocol, the port cannot be used for other applications.
- Cisco Tunnel Control Protocol can be used on only ten ports at a time.
- Cisco Tunnel Control Protocol is supported on only Easy VPN servers.
- If a Cisco Tunnel Control Protocol connection is set up on a port, Cisco Tunnel Control Protocol cannot be disabled on that port because doing so causes the existing connection to stop receiving traffic.
- High Availability of Cisco Tunnel Control Protocol is not supported on the Easy VPN server.

Universal Client Mode

The Easy VPN Server feature does not support universal client mode using Dynamic Host Configuration Protocol (DHCP).
Information About Easy VPN Server

How It Works

When the client initiates a connection with a Cisco IOS XE VPN device, the "conversation" that occurs between the peers consists of device authentication via Internet Key Exchange (IKE), followed by user authentication using IKE Extended Authentication (Xauth), VPN policy push (using Mode Configuration), and IPsec security association (SA) creation. An overview of this process is as follows:

1. The client initiates IKE Phase 1 via aggressive mode (AM) if a preshared key is used for authentication. If the client identifies itself with a preshared key, the accompanying group name entered in the configuration GUI (ID_KEY_ID) is used to identify the group profile associated with this client. If digital certificates are used, the client initiates main mode (MM). The organizational unit (OU) field of a distinguished name (DN) is used to identify the group profile when digital certificates are used.

   Note: Because the client may be configured for preshared key authentication, which initiates IKE AM, it is recommended that the administrator change the identity of the VPN device via the crypto isakmp identity hostname command. This will not affect certificate authentication via IKE MM.

2. The client attempts to establish an IKE SA between its public IP address and the public IP address of the VPN device. To reduce the amount of manual configuration on the client, every combination of encryption and hash algorithms, in addition to authentication methods and DH group sizes, is proposed. Depending on its IKE policy configuration, the VPN device will determine which proposal is acceptable to continue negotiating Phase 1.

   Tip: IKE policy is global for the VPN device and can consist of several proposals. In the case of multiple proposals, the VPN device uses the first match, so you should always list your most secure policies first.

   Note: Device authentication ends and user authentication begins at this point.

3. After the IKE SA is successfully established, and if the VPN device is configured for Xauth, the client waits for a "username/password" challenge and then responds to the challenge of the peer. The information that is entered is checked against authentication entities using authentication, authorization, and accounting (AAA) protocols such as RADIUS and TACACS+. Token cards may also be used via AAA proxy. During Xauth, it is also possible for a user-specific attribute to be retrieved if the credentials of that user are validated via RADIUS.

   Note: VPN devices that are configured to handle remote clients should always be configured to enforce user authentication.

4. If the VPN device indicates that authentication was successful, the client requests further configuration parameters from the peer. The remaining system parameters (for example, IP address, DNS, and split tunnel attributes) are pushed to the client at this time using Mode Configuration.

   Note: The IP address pool and group preshared key (if Rivest, Shamir, and Adelman [RSA] signatures are not being used) are the only required parameters in a group profile; all other parameters are optional.

5. After each client is assigned an internal IP address via Mode Configuration, it is important that the VPN device knows how to route packets through the appropriate VPN tunnel. Reverse route injection (RRI) ensures that a static route is created on the VPN device for each client internal IP address.

   Note: It is recommended that you enable RRI on the crypto map (static or dynamic) for the support of VPN clients unless the crypto map is being applied to a Generic Routing Encapsulation (GRE) tunnel that is already being used to distribute routing information.

6. After the configuration parameters have been successfully received by the client, IKE quick mode is initiated to negotiate IPsec SA establishment. After IPsec SAs are created, the connection is complete.
RADIUS Support for Group Profiles

Group policy information is stored in a profile that can be defined locally in the router configuration or on a RADIUS server that is accessible by the VPN device. If RADIUS is used, you must configure access to the server and allow the VPN device to send requests to the server.

To define group policy attributes for RADIUS, you must do the following task on your RADIUS server:

Define a user that has a name equal to the group name as defined in the client GUI. For example, if users are connecting to the VPN device using the group name "sales," you need a user whose name is "sales." The password for this user is "cisco," which is a special identifier that is used by the router for RADIUS purposes. The username must then be made a member of a group in which the correct policy is defined. For simplicity, it is recommended that the group name be the same as the username.

Use the radius-server host ip-address [auth-port port-number] [acct-port port-number] [key string] command to configure access to the RADIUS server and allow the VPN device to send requests to the server. You need to configure this command only if you choose to store group policy information in a RADIUS server.
For a Cisco Secure Access Control Server

If you are using a Cisco secure access control server (ACS), you may configure your remote access VPN group profiles on this server. To perform this task, you must ensure that IETF RADIUS attributes are selected for group configuration as shown in the figure below. (This figure also shows the compulsory attributes required for a remote access VPN group.) All values must be entered except the Tunnel-Password attribute, which is actually the preshared key for IKE purposes; if digital certificates are preferred, this attribute may be omitted.

Figure 1: IETF RADIUS Attributes Selection for Group Configuration

In addition to the compulsory attributes shown in the figure above, other values can be entered that represent the group policy that is pushed to the remote client via Mode Configuration. The figure below shows an example of a group policy. All attributes are optional except the addr-pool, key-exchange=preshared-key, and key-exchange=ike attributes. The values of the attributes are the same as the setting that is used if the policy is defined locally on the router rather than in a RADIUS server. These values are explained in the section "Defining Group Policy Information for Mode Configuration Push, on page 22".

Figure 2: Cisco Secure ACS Group Policy Setup

After the group profile is created, a user who is a member of the group should be added. (Remember that the username that is defined maps to the group name as defined on the remote client, and the password defined for the username in the RADIUS database must be "cisco.") If digital certificates are the preferred method of IKE authentication, the username should reflect the OU field in the certificate presented by the remote client.

For All Other RADIUS Servers

Ensure that your RADIUS server allows you to define attribute-value (AV) pairs. For an example, see the section "Example Configuring Cisco IOS XE for Easy VPN Server, on page 48".

Note: If digital certificates are used, the username defined in RADIUS must be equal to the OU field of the DN of the certificate of the client.

RADIUS Support for User Profiles

Attributes may also be applied on a per-user basis. If you apply attributes on a per-user basis, you can override a group attribute value with an individual user attribute. The attributes are retrieved at the time the user authentication via Xauth occurs. The attributes are then combined with group attributes and applied during Mode Configuration.

User-based attributes are available only if RADIUS is being used for user authentication.

To define user policy attributes for RADIUS, you must do the following task on your RADIUS server:

Define a user or add attributes to the existing profile of a user in your RADIUS database. The password for the user will be used during Xauth user authentication, or you may proxy to a third-party server, such as a token card server.

The figure below shows how Cisco Secure ACS may be used for user authentication and for the assignment of a Framed-IP-Address attribute that may be pushed to the client. The presence of this attribute means that the local address pool defined for the group to which that user belongs will be overridden.

Figure 3: Cisco Secure ACS User Profile Setup

For All Other RADIUS Servers

Ensure that your RADIUS server allows you to define AV pairs. For an example, see the "Example Configuring Cisco IOS XE for Easy VPN Server, on page 48" section.
Easy VPN Server Supported Protocols

The table below outlines supported IPsec protocol options and attributes that can be configured for this feature. (See the Unsupported Protocols section in the Restrictions for Easy VPN Server for unsupported options and attributes.)

Table 2: Supported IPsec Protocol Options and Attributes

Attributes                       Options
Authentication algorithms        Hashed Message Authentication Codes with message digest algorithm 5 (HMAC-MD5); HMAC-Secure Hash Algorithm 1 (HMAC-SHA1)
Authentication types             Preshared keys; RSA digital signatures
D-H groups                       2; 5
Encryption algorithms (IKE)      Data Encryption Standard (DES); Triple Data Encryption Standard (3DES)
Encryption algorithms (IPsec)    DES; 3DES; NULL
IPsec protocol identifiers       Encapsulating Security Payload (ESP); IP Lempel-Ziv-Stac compression (IPCOMP-LZS)
IPsec protocol mode              Tunnel mode

Table 3: AAA Protocols and Services Supported by Easy VPN Server

AAA Service        Local    TACACS+    RADIUS
Authentication     Yes      Yes        Yes
Authorization      Yes      Yes        Yes
Accounting         No       Yes        Yes

We recommend choosing RADIUS over TACACS+. Easy VPN does not support other AAA protocols such as LDAP and Kerberos.
Functions Supported by Easy VPN Server

Mode Configuration Version 6 Support

Mode Configuration version 6 is supported for more attributes (as described in an IETF draft submission).

Xauth Version 6 Support

Cisco IOS XE software has been enhanced to support version 6 of Xauth. Xauth for user authentication is based on an IETF draft submission.

IKE Dead Peer Detect

The client implements a new keepalive scheme, IKE DPD. DPD allows two IPsec peers to determine whether the other is still "alive" during the lifetime of a VPN connection. DPD is useful because a host may reboot, or the dialup link of a remote user may disconnect without notifying the peer that the VPN connection is terminated. When an IPsec host determines that a VPN connection no longer exists, the host can notify a user, attempt to switch to another IPsec host, or clean up valuable resources that were allocated for the peer that no longer exists.

A VPN device can be configured to send and reply to DPD messages. DPD messages are sent if no other traffic is being passed through the VPN tunnel. If a configured amount of time has lapsed since the last inbound data was received, DPD will send a message ("DPD R-U-THERE") the next time it sends outbound IPsec data to the peer. DPD messages are unidirectional and are automatically sent by Cisco VPN clients. DPD must be configured on the router only if there is a need to send DPD messages to the VPN client to determine the health of the client.

The crypto isakmp keepalive seconds [retries] command allows the gateway to send DPD messages to the router. The seconds argument specifies the number of seconds between DPD messages (the range is from 1 to 3600 seconds); the retries argument specifies the number of seconds between retries if DPD messages fail (the range is from 2 to 60 seconds).

Split Tunneling Control

Remote clients can support split tunneling, which enables a client to have intranet and Internet access at the same time. If split tunneling is not configured, the client will direct all traffic through the tunnel, even traffic destined for the Internet.

Note: The split tunnel access control list (ACL) has a limit of 50 access control entries (ACEs). If more than 50 ACEs are configured in a split tunnel ACL, only the first 50 ACEs are considered. These ACEs are sent to the client during Mode Configuration.

Initial Contact

If a client is suddenly disconnected, the gateway may not be notified. Consequently, removal of connection information (IKE and IPsec SAs) for that client will not immediately occur. If the client attempts to reconnect to the gateway again, the gateway will refuse the connection because the previous connection information is still valid. To avoid such a scenario, a new capability called initial contact has been introduced; it is supported by all Cisco VPN products. If a client or router is connecting to another Cisco gateway for the first time, an initial contact message is sent that tells the receiver to ignore and delete any old connection information that has been maintained for the newly connecting peer. Initial contact ensures that connection attempts are not refused because of SA synchronization problems, which are often identified via invalid security parameter index (SPI) messages and which require devices to have their connections cleared.

Group-Based Policy Control

Policy attributes such as IP addresses, DNS, and split tunnel access can be provided on a per-group or per-user basis.

User-Based Policy Control

Attributes may also be applied on a per-user basis. You can override a group attribute value with an individual user attribute. The attributes are retrieved at the time when user authentication via Xauth occurs. They are then combined with group attributes and applied during Mode Configuration.

Attributes can be applied on a per-user basis after the user has been authenticated. These attributes can override any similar group attributes. User-based attributes are available only if RADIUS is used as the database.

Framed-IP-Address

To select the Framed-IP-Address attribute for Cisco Secure for NT, do the following: under the user profile, choose the "use this IP address" option under addressing and manually enter the address. (You should check the method of configuring a framed IP address with your own RADIUS server because this procedure will vary.)

Note: If a framed IP address is present, and there is also a local pool address configured for the group that the user belongs to, the framed IP address will override the local pool setting.

DHCP Client Proxy

Easy VPN servers currently assign an IP address to a remote device using either a local pool that is configured on the router or the framed IP address attribute that is defined in RADIUS. The DHCP Client Proxy feature provides the option of configuring an Easy VPN server to obtain an IP address from a DHCP server. The IP address is pushed to the remote device using Mode Configuration.

Note: This feature does not include the functionality for the DHCP server to push the DNS, WINS server, or domain name to the remote client.

To configure DHCP Client Proxy, see the section "Configuring an Easy VPN Server to Obtain an IP Address from a DHCP Server, on page 45."

Benefits of DHCP Client Proxy

The functionality provided with this feature helps in the creation of dynamic Domain Name System (DDNS) entries when a DNS server exists in conjunction with the DHCP server. The user is not restricted to IP address pools.
User-Save-Password

As per the group description, the User-Save-Password attribute can be received in addition to the group variant (Save-Password), but if it is received, it will override the value asserted by the group.

The following is sample output of a RADIUS AV pair for the User-Save-Password attribute:

ipsec:user-save-password=1

User-Include-Local-LAN

As per the group description, the User-Include-Local-LAN attribute can be received in addition to the group variant (Include-Local-LAN), but if it is received, it will override the value asserted by the group.

The following is sample output of a RADIUS AV pair for the User-Include-Local-LAN attribute:

ipsec:user-include-local-lan=1

User-VPN-Group

The User-VPN-Group attribute is a replacement for the Group-Lock, on page 14 attribute. It allows support for both preshared key and RSA signature authentication mechanisms such as certificates.

If you need to check that the group a user is attempting to connect to is indeed the group the user belongs to, use the User-VPN-Group attribute. The administrator sets this attribute to a string, which is the group that the user belongs to. The group the user belongs to is matched against the VPN group as defined by group name (ID_KEY_ID) for preshared keys or by the OU field of a certificate. If the groups do not match, the client connection is terminated.

This feature works only with AAA RADIUS. Local Xauth authentication must still use the Group-Lock attribute.

The following is sample output of a RADIUS AV pair for the User-VPN-Group attribute:

ipsec:user-vpn-group=cisco

Group-Lock

If you are only using preshared keys (no certificates or other RSA signature authentication mechanisms) with RADIUS or local AAA, you can continue to use the Group-Lock attribute. If you are only using preshared keys (no certificates or other RSA signature authentication mechanisms) with RADIUS, you can either continue to use the Group-Lock attribute or you can use the new User-VPN-Group, on page 13 attribute.

How It Works

The group lock feature allows you to perform an extra authentication check during Xauth. With this feature enabled, the user must enter a username, group name, and user password during Xauth to authenticate. The username and group name can be entered in any of the following formats: "username/groupname," "username\groupname," "username%groupname," or "username groupname." The group name entered during Xauth is compared by the server with the group name sent for the preshared key device authentication. If they do not match, the server denies the connection. To enable this feature, use the group-lock command for the group.

Cisco IOS XE software does not strip the @group from the Xauth username, so the username user@group must exist in the local or external AAA database pointed to by the Internet Security Association Key Management Protocol (ISAKMP) profile selected at Phase 1 (machine group authentication).

Caution: Do not use the Group-Lock attribute if you are using RSA signature authentication mechanisms such as certificates. Use the User-VPN-Group attribute instead. The User-VPN-Group attribute is recommended regardless of whether preshared keys or RSA signature is used as the method of authentication when an external AAA database is used.
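The two group checks described above (Group-Lock at Xauth time and the RADIUS User-VPN-Group attribute) and the user-over-group override of the ipsec:user-* attributes, modelled in Python as an added example; this is not code from the Cisco guide, and the function names and the sample RADIUS records are assumptions made for the example.

```python
"""Model of the Easy VPN group checks described in this guide (added example, not Cisco code).

Behaviour taken from the text:
  * Group-Lock: the Xauth username carries a group in one of the formats
    user/group, user\\group, user%group or "user group"; it must equal the
    group name (ID_KEY_ID) sent during preshared-key device authentication.
  * User-VPN-Group: the RADIUS attribute ipsec:user-vpn-group=<name> must equal
    the Phase 1 group (ID_KEY_ID for preshared keys, certificate OU otherwise).
  * A per-user ipsec:user-<x> attribute overrides the group's ipsec:<x> value.
Function names and the sample records are assumptions made for this example.
"""

GROUP_DELIMITERS = ("/", "\\", "%", " ")

# ipsec:user-<x> on the user profile overrides ipsec:<x> on the group profile.
USER_OVERRIDES = {
    "user-save-password": "save-password",
    "user-include-local-lan": "include-local-lan",
}


def split_xauth_username(raw):
    """Return (username, groupname) for the four Group-Lock formats; group is None if absent."""
    for delim in GROUP_DELIMITERS:
        if delim in raw:
            user, group = raw.split(delim, 1)
            return user, group
    return raw, None


def parse_av_pairs(pairs):
    """Turn ['ipsec:max-logins=1', ...] into {'max-logins': '1'}; non-ipsec pairs are ignored."""
    attrs = {}
    for pair in pairs:
        namespace, _, keyvalue = pair.partition(":")
        if namespace != "ipsec" or "=" not in keyvalue:
            continue
        key, value = keyvalue.split("=", 1)
        attrs[key.strip().lower()] = value.strip()
    return attrs


def effective_policy(group_attrs, user_attrs):
    """Merge group and user attributes; the user-* variant wins over the group value."""
    merged = dict(group_attrs)
    for user_key, group_key in USER_OVERRIDES.items():
        if user_key in user_attrs:
            merged[group_key] = user_attrs[user_key]
    return merged


def group_lock_check(phase1_group, xauth_username):
    """Group-Lock: deny unless the group typed at Xauth equals the Phase 1 ID_KEY_ID group."""
    _, typed_group = split_xauth_username(xauth_username)
    if typed_group is None:
        return False, "group-lock: no group name supplied at Xauth"
    if typed_group != phase1_group:
        return False, "group-lock: Xauth group %r != Phase 1 group %r" % (typed_group, phase1_group)
    return True, "group-lock: match"


def user_vpn_group_check(phase1_group, user_attrs):
    """User-VPN-Group: terminate if the RADIUS attribute disagrees with the Phase 1 group."""
    expected = user_attrs.get("user-vpn-group")
    if expected is None:
        return True, "user-vpn-group: attribute not present, no check"
    if expected != phase1_group:
        return False, "user-vpn-group: user belongs to %r, connected to %r" % (expected, phase1_group)
    return True, "user-vpn-group: match"


def admit(phase1_group, xauth_username, group_pairs, user_pairs, group_lock=False):
    """Run the applicable checks; return (admitted, reason, merged policy for Mode Configuration)."""
    user_attrs = parse_av_pairs(user_pairs)
    group_attrs = parse_av_pairs(group_pairs)
    if group_lock:  # preshared-key groups with the group-lock command configured
        ok, why = group_lock_check(phase1_group, xauth_username)
        if not ok:
            return False, why, {}
    ok, why = user_vpn_group_check(phase1_group, user_attrs)
    if not ok:
        return False, why, {}
    return True, why, effective_policy(group_attrs, user_attrs)


if __name__ == "__main__":
    # Constructed sample records, not real RADIUS output.
    group_pairs = ["ipsec:save-password=0", "ipsec:include-local-lan=0"]
    user_pairs = ["ipsec:user-vpn-group=sales", "ipsec:user-save-password=1"]
    print(admit("sales", "alice/sales", group_pairs, user_pairs, group_lock=True))
    print(admit("eng", "alice%sales", group_pairs, user_pairs, group_lock=True))
```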
Session Monitoring for VPN Group Access

It is possible to mimic the functionality provided by some RADIUS servers for limiting the maximum number of connections to a specific server group and also for limiting the number of simultaneous logins for users in that group. After user-defined thresholds are defined in each VPN group, connections will be denied until counts drop below these thresholds.

If you use a RADIUS server, such as Cisco Secure ACS, it is recommended that you enable this session control on the RADIUS server if the functionality is provided. In this way, usage can be controlled across a number of servers by one central repository. When enabling this feature on the router itself, only connections to groups on that specific device are monitored. Load-sharing scenarios are not accurately accounted for.

To configure session monitoring, use the crypto isakmp client configuration group command in global configuration mode and the max-users and max-logins commands in crypto ISAKMP group configuration mode.

The following is sample output of RADIUS AV pairs that have been added to the relevant group:

ipsec:max-users=1000
ipsec:max-logins=1

Virtual IPsec Interface Support on a Server

Virtual IPsec Interface Support on a Server allows you to selectively send traffic to different Easy VPN concentrators (servers) as well as to the Internet. With the Virtual IPsec Interface Support on a Server feature, the tunnel-up configuration can be applied to separate interfaces, making it easier to support separate features at tunnel-up. Features that are applied to the traffic going into the tunnel can be separate from the features that are applied to traffic that is not going through the tunnel (for example, split-tunnel traffic and traffic leaving the device when the tunnel is not up).

When the Easy VPN negotiation is successful, the line protocol state of the virtual-access interface gets changed to up. When the Easy VPN tunnel goes down because the SA expires or is deleted, the line protocol state of the virtual-access interfaces changes to down.

Note: This feature does not support multicast.

Virtual Tunnel Interface Per-User Attribute Support

The Virtual Tunnel Interface provides per-user attribute support for Easy VPN servers. For more information about this feature, see the IPsec Virtual Tunnel Interface feature.

Attributes To Support Management of Easy VPN Remote Devices

The following features provide support for attributes that aid in the management of the Cisco Easy VPN remote device.

Banner

An Easy VPN server can be configured to push the banner to the Easy VPN remote device. A banner is needed for the web-based activation feature. The banner is displayed when the Easy VPN tunnel is up on the Easy VPN remote console or as an HTML page in the case of web-based activation.

Auto-Update

You can configure an Easy VPN server to provide an automated mechanism for software and firmware upgrades on an Easy VPN remote device. Use the crypto isakmp client configuration group command to specify the group to which a policy profile should be defined and to enter crypto ISAKMP group configuration mode. To configure auto-update parameters for an Easy VPN remote device, use the auto-update client command in crypto ISAKMP group configuration mode.

Browser Proxy

You can configure an Easy VPN server so that an Easy VPN remote device can access resources on the corporate network. Using this feature, you do not have to manually modify the proxy settings of the web browser when connecting to the corporate network using Cisco VPN Client or manually revert the proxy settings upon disconnecting.

Use the crypto isakmp client configuration browser-proxy command in global configuration mode to configure browser-proxy parameters for an Easy VPN remote device. Use the proxy command in ISAKMP browser proxy configuration mode to configure proxy parameters for an Easy VPN remote device.
Configuration Management Enhancements

Pushing a Configuration URL Through a Mode-Configuration Exchange

When remote devices connect to a corporate gateway for creating an IPsec VPN tunnel, some policy and configuration information has to be applied to the remote device when the VPN tunnel is active to allow the remote device to become a part of the corporate VPN.

The Pushing a Configuration URL Through a Mode-Configuration Exchange feature provides for a mode-configuration attribute that "pushes" a URL from the concentrator (server) to the Easy VPN remote device. The URL contains the configuration information that the remote device has to download and apply to the running configuration, and it contains the Cisco IOS XE CLI listing. (For more information about a Cisco IOS XE CLI listing, see Cisco IOS XE documentation for the configuration url command.) The CLI for this feature is configured on the concentrator.

The configuration that is pushed to the remote device is persistent by default. That is, the configuration is applied when the IPsec tunnel is "up," but it is not withdrawn when the IPsec tunnel goes "down." However, it is possible to write a section of the configuration that is transient in nature, in which case the configuration of the section is reverted when the tunnel is disconnected.

There are no restrictions on where the configuration distribution server is physically located. However, Cisco recommends that you use a secure protocol such as Secure HTTP (HTTPS) to retrieve the configuration. The configuration server can be located in the corporate network and, because the transfer happens through the IPsec tunnel, insecure access protocols (HTTP) can be used.

Regarding backward compatibility: the remote device asks for the CONFIGURATION-URL and CONFIGURATION-VERSION attributes. Because the CONFIGURATION-URL and CONFIGURATION-VERSION attributes are not mandatory attributes, the server sends them only if these attributes are configured for the group.

There is no built-in restriction to push the configuration. However, bootstrap configurations (such as for the IP address) cannot be sent because those configurations are required to set up the Easy VPN tunnel, and the CONFIGURATION-URL comes into effect only after the Easy VPN tunnel comes up.

After the Configuration Has Been Acquired by the Easy VPN Remote Device

After the configuration has been acquired by the Easy VPN remote device, the remote device sends a new ISAKMP notification to the Easy VPN server. The notification contains several manageability information messages about the client (remote device). The Easy VPN server takes two actions when this information is received:

- The Easy VPN server caches the information in its peer database. The information can be displayed by using the show crypto isakmp peer config command. This command output displays all manageability information that is sent by the client (remote device).
- If accounting is enabled, the Easy VPN server sends an accounting update record that contains the manageability information messages about the remote device to the accounting RADIUS server. This accounting update is later available in the accounting log of the RADIUS server.

How to Configure This Feature

The commands that are used to configure this feature and the attributes, CONFIGURATION-URL and CONFIGURATION-VERSION, are described in the crypto isakmp client configuration group command documentation.

Per User AAA Download with PKI

With the Support of Per User AAA Download with public key infrastructure (PKI) feature, user attributes are obtained from the AAA server and pushed to the remote device through Mode Configuration. The username that is used to get the attributes is retrieved from the remote device certificate.

Per-User Attribute Support for Easy VPN Servers

The Per-User Attribute Support for Easy VPN Servers feature provides users with the ability to support per-user attributes on Easy VPN servers. These attributes are applied on the virtual access interface.

Local Easy VPN AAA Server

For a local Easy VPN AAA server, the per-user attributes can be applied at the group level or at the user level using the CLI. To configure per-user attributes for a local Easy VPN server, see the "Configuring Per-User Attributes on a Local Easy VPN AAA Server, on page 35" section.

Remote Easy VPN AAA Server

AV pairs can be defined on a remote Easy VPN AAA server as shown in this example:

cisco-avpair="ip:outacl#101=permit tcp any any established"

Per-User Attributes

The following per-user attributes are defined in the AAA server and are applicable to IPsec:
- inacl
- interface-config
- outacl
- policy-route
- prefix
- route
- rte-fltr-in
- rte-fltr-out
- sub-policy-In
- sub-policy-Out

Easy VPN Syslog Messages

Along with the ezvpn_connection_up and ezvpn_connection_down syslog messages, the following syslog messages are supported:
- Authentication Passed
- Authentication Rejected
- Group Lock Enabled
- Incorrect Username or Password
- Max Users exceeded / Max Logins exceeded
- No. of Retries exceeded
- Authentication Failed (AAA Not Contactable)
- IP Pool Not present / No Free IP Address available in the pool
- ACL associated with Ezvpn policy but NOT defined (hence, no split tunneling possible)
- Save password Turned ON
- Incorrect firewall record being sent by Client (incorrect vendor | product | capability)
- Authentication Rejected: Access restricted via incoming interface
- Group does not exist

To enable Easy VPN syslog messages on a server, use the crypto logging ezvpn [group group-name] command. If a group name is not provided, syslog messages are enabled for all Easy VPN connections to the server. If a group name is provided, syslog messages are enabled for that particular group only.
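A small triage script over the Easy VPN syslog messages listed above, added here as an example that is not part of the Cisco guide: it tallies message types and flags a peer that repeatedly fails credential checks, which is what a SOC would watch for on a gateway with crypto logging ezvpn enabled. The guide gives only the message texts, so the line layout (timestamp, host, "EZVPN:" prefix, key=value fields), host name, user names and peer addresses are constructed assumptions for this example.

```python
"""Triage of Easy VPN syslog messages (added example; the line layout is constructed).

The guide lists the message texts that 'crypto logging ezvpn' emits but not their
exact syslog layout, so the sample lines below assume the form
    <month> <day> <time> <host> EZVPN: <message text>; key=value; ...
Anything after the message text is treated as optional key=value fields.
"""
import re
from collections import Counter, defaultdict

# Message texts taken from the guide's list; longest first so that a longer
# message is matched before a message that is its prefix.
KNOWN_MESSAGES = sorted([
    "Authentication Passed",
    "Authentication Rejected: Access restricted via incoming interface",
    "Authentication Rejected",
    "Group Lock Enabled",
    "Incorrect Username or Password",
    "Max Users exceeded",
    "Max Logins exceeded",
    "No. of Retries exceeded",
    "Authentication Failed (AAA Not Contactable)",
    "IP Pool Not present",
    "No Free IP Address available in the pool",
    "ACL associated with Ezvpn policy but NOT defined",
    "Save password Turned ON",
    "Incorrect firewall record being sent by Client",
    "Group does not exist",
], key=len, reverse=True)

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) (?P<host>\S+) EZVPN: (?P<body>.*)$")
FIELD_RE = re.compile(r"(\w+)=([^;\s]+)")

# Credential failures worth correlating per peer address.
CREDENTIAL_FAILURES = ("Incorrect Username or Password", "Authentication Rejected")

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = [
    "Mar 1 10:00:01 ezvpn-gw1 EZVPN: Authentication Passed; group=sales; user=alice; peer=198.51.100.7",
    "Mar 1 10:00:05 ezvpn-gw1 EZVPN: Incorrect Username or Password; group=sales; user=bob; peer=203.0.113.9",
    "Mar 1 10:00:06 ezvpn-gw1 EZVPN: Incorrect Username or Password; group=sales; user=carol; peer=203.0.113.9",
    "Mar 1 10:00:07 ezvpn-gw1 EZVPN: Authentication Rejected; group=sales; user=dave; peer=203.0.113.9",
    "Mar 1 10:00:09 ezvpn-gw1 EZVPN: Group does not exist; group=salez; peer=203.0.113.9",
    "Mar 1 10:00:12 ezvpn-gw1 EZVPN: Max Logins exceeded; group=sales; user=alice; peer=198.51.100.8",
    "Mar 1 10:00:15 ezvpn-gw1 OTHER: unrelated message",
]


def parse_line(line):
    """Return a dict with ts, host, message and any key=value fields, or None if not an EZVPN line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    message = next((k for k in KNOWN_MESSAGES if body.startswith(k)), "UNKNOWN")
    rec = {"ts": m.group("ts"), "host": m.group("host"), "message": message}
    rest = body[len(message):] if message != "UNKNOWN" else body
    rec.update(FIELD_RE.findall(rest))  # list of (key, value) tuples
    return rec


def triage(lines, failure_threshold=3):
    """Count message types and list peers with at least failure_threshold credential failures."""
    counts = Counter()
    failures_by_peer = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["message"]] += 1
        if rec["message"] in CREDENTIAL_FAILURES:
            failures_by_peer[rec.get("peer", "?")] += 1
    flagged = sorted(peer for peer, n in failures_by_peer.items() if n >= failure_threshold)
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_LOG)
    for message, n in counts.most_common():
        print("%3d  %s" % (n, message))
    print("peers with repeated credential failures:", flagged)
```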
NetworkAdmissionControlSupportforEasyVPNNetworkAdmissionControlprovidesawaytodeterminewhetheraPCclientshouldbeallowedtoconnecttotheLAN.
NetworkAdmissionControlusesExtensibleAuthenticationProtocoloverUDP(EAPoUDP)toquerytheCiscotrustagentonthePCandallowsaPCtoaccessthenetworkiftheclientstatusishealthy.
DifferentpoliciescanbeappliedontheservertodenyorlimitaccessofPCsthatareinfected.
NetworkAdmissionControlcanbeusedtomonitorthestatusofremotePCclientsaswell.
AftertheEasyVPNtunnelcomesupandthePCstartstosendtraffic,thetrafficisinterceptedattheEasyVPNserver,andtheposturevalidationprocessstarts.
TheposturevalidationprocessconsistsofsendinganEAPoUDPrequestovertheEasyVPNtunnelandqueryingtheCiscotrustagent.
Theauthenticationserverisconfiguredinsidethetrustednetwork,behindtheIPsecaggregation.
TheconfigurationofanEasyVPNserverthathasNetworkAdmissionControlenabledisshownintheExampleNetworkAdmissionControl,onpage57.
EasyVPNConfigurationGuide,CiscoIOSXERelease3S18EasyVPNServerFunctionsSupportedbyEasyVPNServerCentralPolicyPushFirewallPolicyPushTheEasyVPNserversupportsCentralPolicyPush(CPP)FirewallPolicyPush.
ThisfeatureallowsadministratorstopushpoliciesthatenforcesecuritytotheCiscoEasyVPN(software)clientandrelatedfirewallsoftware.
Asplittunnelenablesaccesstocorporatenetworks,butitalsoallowsaremotedevicetobeexposedtoattacksfromtheInternet.
Thisfeatureenablestheservertodeterminewhethertoallowordenyatunneliftheremotedevicedoesnothavearequiredfirewall,therebyreducingexposuretoattacks.
Thefollowingfirewalltypesaresupported:Cisco-Integrated-firewall(central-policy-push)Cisco-Security-Agent(check-presence)Zonelabs-Zonealarm(both)Zonelabs-ZonealarmPro(both)Theservercanbeusedeithertocheckthepresenceofafirewallontheclient(remotedevice)usingthecheck-presenceoptionortospecifythespecificsofthefirewallpoliciesthatmustbeappliedbytheclientusingthecentral-policy-push.
Toenablethisfeature,seethesectionConfiguringaCentralPolicyPushFirewall,onpage36.
SyslogSupportforCPPFirewallPolicyPushSyslogsupportcanbeenabledbyusingthecryptologgingezvpncommandonyourrouter.
CPPsyslogmessageswillbeprintedforthefollowingerrorconditions:Ifapolicyisconfiguredonagroupconfiguration(usingthefirewallpolicycommand),butaglobalpolicywiththesamenameisnotdefined(usingthecryptoisakmpclientfirewallcommand).
Thesyslogmessageisasfollows:PolicyenabledongroupconfigurationbutnotdefinedTunnelsetupproceedsasnormal(withthefirewall).
Ifanincorrectfirewallrequest(vendor/product/capincorrectorder)isreceived,thesyslogmessageisasfollows:IncorrectfirewallrecordreceivedfromclientIfapolicymismatchoccursbetweentheCiscoVPNclientandtheserver,thesyslogisasfollows:CPPpolicymismatchbetweenclientandheadendPasswordAgingIfyouhaveconfiguredthePasswordAgingfeature,theEasyVPNclientisnotifiedwhenapasswordhasexpired,andyouarepromptedtoenteranewpassword.
ToconfigurethePasswordAgingfeature,seethesection"ConfiguringPasswordAging,onpage40.
"EasyVPNConfigurationGuide,CiscoIOSXERelease3S19EasyVPNServerFunctionsSupportedbyEasyVPNServerFormoreinformationaboutPasswordAging,seethereferencefor"PasswordAging"inthesectionRelatedDocuments,onpage63.
Split DNS

The Split DNS feature enables the Easy VPN hardware client to use primary and secondary DNS values to resolve DNS queries. These values are pushed by the Easy VPN server to the Easy VPN remote device. To configure this feature on your server, use the split-dns command (see the section "Defining Group Policy Information for Mode Configuration Push," on page 22). Configuring this command adds the split-dns attribute to the policy group. The attribute will include the list of domain names that you configured. All other names will be resolved using the public DNS server.

For more information about configuring split DNS, see "Configuring Split and Dynamic DNS on the Cisco VPN 3000" at the following URL: http://www.cisco.com/warp/public/471/dns_split_dynam.pdf.
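The resolver choice the split-dns attribute drives on the remote device, as an added example (not code from this guide or from Cisco): names under a configured split-dns domain go to the pushed DNS servers, everything else to the public DNS server. The pushed servers (10.2.2.2, 10.3.3.3) and the domain (domain.com) are the values used in this guide's task examples; the public resolver address 192.0.2.53 is a constructed placeholder. The match is done on label boundaries, because a plain suffix test would send a lookalike such as evildomain.com to the private resolvers.

```python
from typing import List

# Values pushed by the server in this guide's example group:
#   dns 10.2.2.2 10.3.3.3  and  split-dns domain.com
# The public resolver address is a constructed placeholder (TEST-NET-1).
PUSHED_DNS = ["10.2.2.2", "10.3.3.3"]
SPLIT_DOMAINS = ["domain.com"]
PUBLIC_DNS = ["192.0.2.53"]


def _normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Domain.COM.' and 'domain.com' compare equal."""
    return name.strip().rstrip(".").lower()


def in_split_domain(query: str, domain: str) -> bool:
    """True only when query equals the split domain or is a subdomain of it on a
    label boundary. A bare suffix test would wrongly match 'evildomain.com'."""
    q, d = _normalize(query), _normalize(domain)
    return q == d or q.endswith("." + d)


def resolvers_for(query: str, split_domains: List[str] = SPLIT_DOMAINS,
                  pushed: List[str] = PUSHED_DNS, public: List[str] = PUBLIC_DNS) -> List[str]:
    """Pick the resolvers a query should use: the pushed (tunnelled) servers for
    names under a split-dns domain, the public DNS server for everything else."""
    if any(in_split_domain(query, d) for d in split_domains):
        return list(pushed)
    return list(public)


if __name__ == "__main__":
    for name in ["intranet.domain.com", "Domain.COM.", "evildomain.com", "www.example.org"]:
        print(f"{name:22} -> {resolvers_for(name)}")
```

Run it as a script to see which resolver list each constructed query name is sent to; the lookalike domain and the mixed-case, trailing-dot form are the two cases worth checking in any real implementation.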
VRF Assignment by a AAA Server

To assign VPN Routing and Forwarding (VRF) to Easy VPN users, enable the following attributes on a AAA server:

Cisco-avpair "ip:interface-config=ip vrf forwarding example1"
Cisco-avpair "ip:interface-config=ip unnumbered loopback10"

How to Configure Easy VPN Server

Enabling Policy Lookup via AAA

To enable policy lookup via AAA, perform the following task.

SUMMARY STEPS

1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication password-prompt text-string
5. aaa authentication username-prompt text-string
6. aaa authentication login list-name method1 [method2...]
7. aaa authorization network list-name local [group radius]
8. username name [password encryption-type encrypted-password]

DETAILED STEPS

Step 1: enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3: aaa new-model
    Example: Router(config)# aaa new-model
    Purpose: Enables AAA.

Step 4: aaa authentication password-prompt text-string
    Example: Router(config)# aaa authentication password-prompt "Enter your password now:"
    Purpose: (Optional) Changes the text displayed when users are prompted for a password.

Step 5: aaa authentication username-prompt text-string
    Example: Router(config)# aaa authentication username-prompt "Enter your name here:"
    Purpose: (Optional) Changes the text displayed when users are prompted to enter a username.

Step 6: aaa authentication login list-name method1 [method2...]
    Example: Router(config)# aaa authentication login userlist local group radius
    Purpose: Sets AAA authentication at login. A local and RADIUS server may be used together.
    Note: This command must be enabled to enforce Xauth.

Step 7: aaa authorization network list-name local [group radius]
    Example: Router(config)# aaa authorization network grouplist local group radius
    Purpose: Enables group policy lookup. A local and RADIUS server may be used together.

Step 8: username name [password encryption-type encrypted-password]
    Example: Router(config)# username server-r password 7 121F0A18
    Purpose: (Optional) Defines local users for Xauth if RADIUS or TACACS+ is not used.
    Note: Use this command only if no external validation repository will be used.

Defining Group Policy Information for Mode Configuration Push

Although users can belong to only one group per connection, they may belong to specific groups with different policy requirements. Thus, users may decide to connect to the client using a different group ID by changing their client profile on the VPN device. To define the policy attributes that are pushed to the client via Mode Configuration, perform the following task.
SUMMARY STEPS

1. enable
2. configure terminal
3. crypto isakmp client configuration group {group-name | default}
4. key name
5. dns primary-server [secondary-server]
6. wins primary-server [secondary-server]
7. domain name
8. pool name
9. netmask name
10. acl number
11. access-restrict {interface-name}
12. firewall policy policy-name
13. group-lock
14. include-local-lan
15. save-password
16. backup-gateway ipaddress
17. pfs

DETAILED STEPS

Step 1: enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3: crypto isakmp client configuration group {group-name | default}
    Example: Router(config)# crypto isakmp client configuration group group1
    Purpose: Specifies the policy profile of the group that will be defined and enters ISAKMP group configuration mode. If no specific group matches and a default group is defined, users will automatically be given the policy of the default group.

Step 4: key name
    Example: Router(config-isakmp-group)# key group1
    Purpose: Specifies the IKE preshared key for group policy attribute definition.
    Note: This command must be enabled if the client identifies itself with a preshared key.

Step 5: dns primary-server [secondary-server]
    Example: Router(config-isakmp-group)# dns 10.2.2.2 10.3.3.3
    Purpose: (Optional) Specifies the primary and secondary DNS servers for the group.

Step 6: wins primary-server [secondary-server]
    Example: Router(config-isakmp-group)# wins 10.10.10.10 10.12.12.12
    Purpose: (Optional) Specifies the primary and secondary WINS servers for the group.

Step 7: domain name
    Example: Router(config-isakmp-group)# domain domain.com
    Purpose: (Optional) Specifies the DNS domain to which a group belongs.

Step 8: pool name
    Example: Router(config-isakmp-group)# pool pool1
    Purpose: Defines a local pool address. Although a user must define at least one pool name, a separate pool may be defined for each group policy.
    Note: This command must be defined and refer to a valid IP local pool address or the client connection will fail.

Step 9: netmask name
    Example: Router(config-isakmp-group)# netmask 255.255.255.255
    Purpose: (Optional) Specifies the subnet mask to be downloaded to the client for local connectivity.
    Note: Some VPN clients use the default mask for their particular classes of address. However, for a router, the host-based mask is typically used (/32). If you want to override the default mask, use the netmask command.

Step 10: acl number
    Example: Router(config-isakmp-group)# acl 199
    Purpose: (Optional) Configures split tunneling. The number argument specifies a group of ACL rules that represent protected subnets for split tunneling purposes.

Step 11: access-restrict {interface-name}
    Example: Router(config-isakmp-group)# access-restrict fastethernet0/0
    Purpose: Restricts clients in a group to an interface.

Step 12: firewall policy policy-name
    Example: Router(config-isakmp-group)# firewall policy policy1
    Purpose: (Optional) Specifies a firewall policy.

Step 13: group-lock
    Example: Router(config-isakmp-group)# group-lock
    Purpose: Enforces the group lock feature.

Step 14: include-local-lan
    Example: Router(config-isakmp-group)# include-local-lan
    Purpose: (Optional) Configures the Include-Local-LAN attribute to allow a nonsplit-tunneling connection to access the local subnetwork at the same time as the client.

Step 15: save-password
    Example: Router(config-isakmp-group)# save-password
    Purpose: (Optional) Saves your Xauth password locally on your PC.

Step 16: backup-gateway ipaddress
    Example: Router(config-isakmp-group)# backup-gateway 10.1.1.1
    Purpose: (Optional) Rather than have backup gateways added to client configurations manually, it is possible to have the server "push down" a list of backup gateways to the client device. These gateways are tried sequentially when a previous gateway fails. You can specify the gateways using IP addresses or hostnames.

Step 17: pfs
    Example: Router(config-isakmp-group)# pfs
    Purpose: (Optional) Notifies the client of the central-site policy regarding whether PFS is required for any IPsec SA. Because the client device does not have a user interface option to enable or disable PFS negotiation, the server will notify the client device of the central site policy using this parameter. The DH group that is proposed for PFS will be the same that was negotiated in Phase 1 of the IKE negotiation.
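A configuration check for three of the dangling-reference mistakes this guide warns about, as an added example (not code from this guide or from Cisco): a group whose pool does not name a defined ip local pool (Step 8 above: the client connection will fail), a group firewall policy with no matching global crypto isakmp client firewall definition (the "Policy enabled on group configuration but not defined" syslog condition in the Syslog Support section), and a group that configures both a pool and a dhcp server (the DHCP task later in this document: the IKE address pool takes precedence, so DHCP is used only after other address assignments are removed). The running-config text, pool names, policy names and group names below are constructed for the example; the parser recognizes only the handful of lines these checks need.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample running-config (not from the page). Pool, policy and
# group names are placeholders; group1 and group5 are correct, the others
# each carry one of the mistakes the guide warns about.
SAMPLE_CONFIG = """\
ip local pool pool1 10.1.1.10 10.1.1.100
crypto isakmp client firewall policy1 required cisco-security-agent
 policy check-presence
!
crypto isakmp client configuration group group1
 key group1
 pool pool1
 firewall policy policy1
!
crypto isakmp client configuration group group2
 key group2
 pool pool-missing
!
crypto isakmp client configuration group group3
 key group3
 pool pool1
 firewall policy policy-missing
!
crypto isakmp client configuration group group4
 key group4
 pool pool1
 dhcp server 10.10.1.2
!
crypto isakmp client configuration group group5
 key group5
 dhcp server 10.10.1.2
"""

GROUP_RE = re.compile(r"^crypto isakmp client configuration group (\S+)")
POOL_DEF_RE = re.compile(r"^ip local pool (\S+)")
FW_DEF_RE = re.compile(r"^crypto isakmp client firewall (\S+)")


def parse_config(text: str) -> Tuple[Set[str], Set[str], Dict[str, Dict[str, str]]]:
    """Collect defined ip local pools, global CPP firewall policies, and the
    per-group attributes the checks need (pool, firewall policy, dhcp server)."""
    pools: Set[str] = set()
    firewalls: Set[str] = set()
    groups: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # top-level command ends any group block
            current = None
            m = GROUP_RE.match(line)
            if m:
                current = m.group(1)
                groups[current] = {}
                continue
            m = POOL_DEF_RE.match(line)
            if m:
                pools.add(m.group(1))
                continue
            m = FW_DEF_RE.match(line)
            if m:
                firewalls.add(m.group(1))
            continue
        if current is None:                   # indented line outside a group block
            continue
        words = line.split()
        if words[:1] == ["pool"] and len(words) >= 2:
            groups[current]["pool"] = words[1]
        elif words[:2] == ["firewall", "policy"] and len(words) >= 3:
            groups[current]["firewall"] = words[2]
        elif words[:2] == ["dhcp", "server"] and len(words) >= 3:
            groups[current]["dhcp"] = words[2]
    return pools, firewalls, groups


def lint_groups(text: str) -> Dict[str, List[str]]:
    """Return {group-name: [problem, ...]} for groups with dangling or conflicting attributes."""
    pools, firewalls, groups = parse_config(text)
    findings: Dict[str, List[str]] = {}
    for name, attrs in groups.items():
        problems = []
        pool, fw, dhcp = attrs.get("pool"), attrs.get("firewall"), attrs.get("dhcp")
        if pool is None and dhcp is None:
            problems.append("no pool (and no dhcp server) configured; client connection will fail")
        elif pool is not None and pool not in pools:
            problems.append(f"pool {pool!r} is not a defined ip local pool; client connection will fail")
        if pool is not None and dhcp is not None:
            problems.append("both pool and dhcp server configured; the IKE address pool takes "
                            "precedence, so DHCP is never used (remove other address assignments)")
        if fw is not None and fw not in firewalls:
            problems.append(f"firewall policy {fw!r} enabled on group but not defined globally "
                            "(syslog: Policy enabled on group configuration but not defined)")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for group, problems in lint_groups(SAMPLE_CONFIG).items():
        for p in problems:
            print(f"{group}: {p}")
```

Feed it the output of show running-config to get one line per finding; groups that pass (group1 and group5 in the sample) produce nothing.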
Enabling VPN Session Monitoring

Perform the following task to set restrictions on the maximum number of connections to the router per VPN group and the maximum number of simultaneous logins per user.

SUMMARY STEPS

1. enable
2. configure terminal
3. crypto isakmp client configuration group group-name
4. max-logins number-of-logins
5. max-users number-of-users
6. end
7. show crypto session group
8. show crypto session summary

DETAILED STEPS

Step 1: enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3: crypto isakmp client configuration group group-name
    Example: Router(config)# crypto isakmp client configuration group group1
    Purpose: Specifies the policy profile of the group that will be defined and enters ISAKMP group configuration mode. group-name--Group definition that identifies which policy is enforced for users.

Step 4: max-logins number-of-logins
    Example: Router(config-isakmp-group)# max-logins 10
    Purpose: (Optional) Limits the number of simultaneous logins for users in a specific server group.

Step 5: max-users number-of-users
    Example: Router(config-isakmp-group)# max-users 1000
    Purpose: (Optional) Limits the number of connections to a specific server group.

Step 6: end
    Example: Router(config-isakmp-group)# end
    Purpose: Exits ISAKMP group configuration mode and enters privileged EXEC mode.

Step 7: show crypto session group
    Example: Router# show crypto session group
    Purpose: (Optional) Displays groups that are currently active on the VPN device.

Step 8: show crypto session summary
    Example: Router# show crypto session summary
    Purpose: (Optional) Displays groups that are currently active on the VPN device and the users that are connected for each of those groups.

Applying Mode Configuration and Xauth

Mode Configuration and Xauth must be applied to a crypto map to be enforced. To apply Mode Configuration and Xauth to a crypto map, perform the following task.
SUMMARY STEPS

1. enable
2. configure terminal
3. crypto map tag client configuration address {initiate | respond}
4. crypto map map-name isakmp authorization list list-name
5. crypto map map-name client authentication list list-name

DETAILED STEPS

Step 1: enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3: crypto map tag client configuration address {initiate | respond}
    Example: Router(config)# crypto map dyn client configuration address initiate
    Purpose: Configures the router to initiate or reply to Mode Configuration requests.
    Note: Cisco clients require the respond keyword to be used; however, if the Cisco Secure VPN Client 1.x is used, the initiate keyword must be used. The initiate and respond keywords may be used simultaneously.

Step 4: crypto map map-name isakmp authorization list list-name
    Example: Router(config)# crypto map map1 isakmp authorization list list1
    Purpose: Enables IKE querying for a group policy when requested by the client. The list-name argument is used by AAA to determine which storage source is used to find the policy (local or RADIUS), as defined in the aaa authorization network command.

Step 5: crypto map map-name client authentication list list-name
    Example: Router(config)# crypto map xauthmap client authentication list xauthlist
    Purpose: Enforces Xauth. The list-name argument is used to determine the appropriate username and password storage location (local or RADIUS), as defined in the aaa authentication login command.

Enabling Reverse Route Injection for the Client

To enable RRI on the crypto map (static or dynamic) for VPN client support, perform the following task.
SUMMARY STEPS

1. enable
2. configure terminal
3. Do one of the following:
   - crypto dynamic-map map-name seq-num
   - crypto map map-name seq-num ipsec-isakmp
4. set peer ip-address
5. set transform-set transform-set-name
6. reverse-route
7. match address extended-access-list

DETAILED STEPS

Step 1: enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3: Do one of the following:
    crypto dynamic-map map-name seq-num
        Example: Router(config)# crypto dynamic-map mymap 10
        Purpose: Creates a dynamic crypto map entry and enters crypto map configuration mode.
    or
    crypto map map-name seq-num ipsec-isakmp
        Example: Router(config)# crypto map yourmap 15 ipsec-isakmp
        Purpose: Adds a dynamic crypto map set to a static crypto map set and enters crypto map configuration mode.

Step 4: set peer ip-address
    Example: Router(config-crypto-map)# set peer 10.20.20.20
    Purpose: Specifies an IPsec peer IP address in a crypto map entry. This step is optional when configuring dynamic crypto map entries.

Step 5: set transform-set transform-set-name
    Example: Router(config-crypto-map)# set transform-set set1
    Purpose: Specifies which transform sets are allowed for the crypto map entry. Lists multiple transform sets in order of priority (highest priority first).
    Note: This list is the only configuration statement required in dynamic crypto map entries.

Step 6: reverse-route
    Example: Router(config-crypto-map)# reverse-route
    Purpose: Creates source proxy information.

Step 7: match address extended-access-list
    Example: Router(config-crypto-map)# match address 2001
    Purpose: Specifies an extended access list for a crypto map entry. This step is optional when configuring dynamic crypto map entries.

Configuring the Pushing of a Configuration URL Through a Mode-Configuration Exchange

To configure an Easy VPN server to push a configuration URL through a Mode-Configuration Exchange, perform the following task.
SUMMARY STEPS

1. enable
2. configure terminal
3. crypto isakmp client configuration group group-name
4. configuration url url
5. configuration version version-number

DETAILED STEPS

Step 1: enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3: crypto isakmp client configuration group group-name
    Example: Router(config)# crypto isakmp client configuration group Group1
    Purpose: Specifies to which group a policy profile will be defined and enters crypto ISAKMP group configuration mode.

Step 4: configuration url url
    Example: Router(config-isakmp-group)# configuration url http://10.10.88.8/easy.cfg
    Purpose: Specifies the URL the remote device must use to get the configuration from the server. The URL must be a non-NULL terminated ASCII string that specifies the complete path of the configuration file.

Step 5: configuration version version-number
    Example: Router(config-isakmp-group)# configuration version 10
    Purpose: Specifies the version of the configuration. The version number will be an unsigned integer in the range from 1 to 32767.

Configuring Per User AAA Download with PKI--Configuring the Crypto PKI Trustpoint

To configure a AAA server to push user attributes to a remote device, perform the following task.

Before You Begin

Before configuring a AAA server to push user attributes to a remote device, you must have configured AAA. The crypto PKI trustpoint must also be configured (see the first configuration task below). It is preferable that the trustpoint configuration contain the authorization username command.
SUMMARY STEPS

1. enable
2. configure terminal
3. crypto pki trustpoint name
4. enrollment url url
5. revocation-check none
6. rsakeypair key-label
7. authorization username subjectname commonname
8. exit

DETAILED STEPS

Step 1: enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3: crypto pki trustpoint name
    Example: Router(config)# crypto pki trustpoint ca-server
    Purpose: Declares the trustpoint that your router should use and enters ca-trustpoint configuration mode.

Step 4: enrollment url url
    Example: Router(config-ca-trustpoint)# enrollment url http://10.7.7.2:80
    Purpose: Specifies the URL of the certification authority (CA) server to which to send enrollment requests.

Step 5: revocation-check none
    Example: Router(config-ca-trustpoint)# revocation-check none
    Purpose: Checks the revocation status of a certificate.

Step 6: rsakeypair key-label
    Example: Router(config-ca-trustpoint)# rsakeypair rsa-pair
    Purpose: Specifies which key pair to associate with the certificate.

Step 7: authorization username subjectname commonname
    Example: Router(config-ca-trustpoint)# authorization username subjectname commonname
    Purpose: Specifies the parameters for the different certificate fields that are used to build the AAA username.

Step 8: exit
    Example: Router(config-ca-trustpoint)# exit
    Purpose: Exits ca-trustpoint configuration mode.

Configuring the Actual Per User AAA Download with PKI

To configure the actual per-user download with PKI, perform the following task.
SUMMARY STEPS

1. enable
2. configure terminal
3. crypto isakmp policy priority
4. group {1 | 2}
5. exit
6. crypto isakmp profile profile-name
7. match certificate certificate-map
8. client pki authorization list listname
9. client configuration address {initiate | respond}
10. virtual-template template-number
11. exit
12. crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
13. exit
14. crypto ipsec profile name
15. set transform-set transform-set-name

DETAILED STEPS

Step 1: enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3: crypto isakmp policy priority
    Example: Router(config)# crypto isakmp policy 10
    Purpose: Defines an IKE policy and enters ISAKMP policy configuration mode.

Step 4: group {1 | 2}
    Example: Router(config-isakmp)# group 2
    Purpose: Specifies the DH group identifier within an IKE policy.

Step 5: exit
    Example: Router(config-isakmp)# exit
    Purpose: Exits ISAKMP policy configuration mode and enters global configuration mode.

Step 6: crypto isakmp profile profile-name
    Example: Router(config)# crypto isakmp profile ISA-PROF
    Purpose: Defines an ISAKMP profile, audits IPsec user sessions, and enters crypto ISAKMP profile configuration mode.

Step 7: match certificate certificate-map
    Example: Router(config-isa-prof)# match certificate cert-map
    Purpose: Assigns an ISAKMP profile to a peer on the basis of the contents of arbitrary fields in the certificate.

Step 8: client pki authorization list listname
    Example: Router(config-isa-prof)# client pki authorization list usrgrp
    Purpose: Specifies the authorization list of AAA servers that will be used for obtaining per-user AAA attributes on the basis of the username constructed from the certificate.

Step 9: client configuration address {initiate | respond}
    Example: Router(config-isa-prof)# client configuration address respond
    Purpose: Configures IKE configuration mode in the ISAKMP profile.

Step 10: virtual-template template-number
    Example: Router(config-isa-prof)# virtual-template 2
    Purpose: Specifies which virtual template will be used to clone virtual access interfaces.

Step 11: exit
    Example: Router(config-isa-prof)# exit
    Purpose: Exits crypto ISAKMP profile configuration mode and enters global configuration mode.

Step 12: crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
    Example: Router(config)# crypto ipsec transform-set trans2 esp-3des esp-sha-hmac
    Purpose: Defines a transform set (an acceptable combination of security protocols and algorithms) and enters crypto transform configuration mode.

Step 13: exit
    Example: Router(cfg-crypto-trans)# exit
    Purpose: Exits crypto transform configuration mode and enters global configuration mode.

Step 14: crypto ipsec profile name
    Example: Router(config)# crypto ipsec profile IPSEC-PROF
    Purpose: Defines the IPsec parameters that are to be used for IPsec encryption between two IPsec routers and enters IPsec profile configuration mode.

Step 15: set transform-set transform-set-name
    Example: Router(ipsec-profile)# set transform-set trans2
    Purpose: Specifies which transform sets can be used with the crypto map entry.

Configuring Per-User Attributes on a Local Easy VPN AAA Server

To configure per-user attributes on a local Easy VPN AAA server, perform the following task.
SUMMARY STEPS

1. enable
2. configure terminal
3. aaa attribute list list-name
4. attribute type name value [service service] [protocol protocol]
5. exit
6. crypto isakmp client configuration group group-name
7. crypto aaa attribute list list-name

DETAILED STEPS

Step 1: enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3: aaa attribute list list-name
    Example: Router(config)# aaa attribute list list1
    Purpose: Defines a AAA attribute list locally on a router and enters attribute list configuration mode.

Step 4: attribute type name value [service service] [protocol protocol]
    Example: Router(config-attr-list)# attribute type attribute attribute-name service ike protocol ip
    Purpose: Defines an attribute type that is to be added to an attribute list locally on a router. You can choose the attribute type that should be added from the list of given attributes.

Step 5: exit
    Example: Router(config-attr-list)# exit
    Purpose: Exits attribute list configuration mode.

Step 6: crypto isakmp client configuration group group-name
    Example: Router(config)# crypto isakmp client configuration group group1
    Purpose: Specifies to which group a policy profile will be defined and enters ISAKMP group configuration mode.

Step 7: crypto aaa attribute list list-name
    Example: Router(config-isakmp-group)# crypto aaa attribute list listname1
    Purpose: Defines a AAA attribute list locally on a router.

Configuring a Central Policy Push Firewall

You can configure a CPP firewall using a local AAA server or using a remote AAA server.

Configuring a CPP Firewall Policy Push Using a Local AAA Server

Perform the following task to configure a CPP firewall policy push using a local AAA server.
SUMMARY STEPS

1. enable
2. configure terminal
3. crypto isakmp client firewall policy-name {required | optional} firewall-type
4. policy check-presence
5. exit
6. crypto isakmp client configuration group group-name
7. firewall policy policy-name
8. end
9. debug crypto isakmp

DETAILED STEPS

Step 1: enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3: crypto isakmp client firewall policy-name {required | optional} firewall-type
    Example: Router(config)# crypto isakmp client firewall hw-client-g-cpp required cisco-security-agent
    Purpose: Defines the CPP firewall push policy on a server and enters ISAKMP client firewall configuration mode.
    policy-name--Uniquely identifies a policy. A policy name can be associated with the Easy VPN client group configuration of the server (local group configuration) or on the AAA server.
    required--Policy is mandatory. If the CPP policy is defined as mandatory and is included in the Easy VPN server configuration, the tunnel setup is allowed only if the client conforms to this policy. Otherwise, the tunnel is terminated.
    optional--Policy is optional. If the CPP policy is defined as optional and is included in the Easy VPN server configuration, the tunnel setup is continued even if the client does not conform to the defined policy.
    firewall-type--Type of firewall (see the crypto isakmp client firewall command for a list of firewall types).

Step 4: policy check-presence
    Example: Router(config-ikmp-client-fw)# policy check-presence
    Purpose: Defines the CPP firewall policy push.
    check-presence--Denotes that the server should check for the presence on the client of the firewall specified by the value of the firewall-type argument.

Step 5: exit
    Example: Router(config-ikmp-client-fw)# exit
    Purpose: Exits ISAKMP client firewall configuration mode and enters global configuration mode.

Step 6: crypto isakmp client configuration group group-name
    Example: Router(config)# crypto isakmp client configuration group hw-client-g
    Purpose: Specifies to which group a policy profile will be defined and enters ISAKMP group configuration mode.

Step 7: firewall policy policy-name
    Example: Router(crypto-isakmp-group)# firewall policy hw-client-g-cpp
    Purpose: Specifies the CPP firewall push policy name for the crypto ISAKMP client configuration group on a local authentication (AAA) server.

Step 8: end
    Example: Router(crypto-isakmp-group)# end
    Purpose: Exits ISAKMP group configuration mode and enters privileged EXEC mode.

Step 9: debug crypto isakmp
    Example: Router# debug crypto isakmp
    Purpose: (Optional) Displays messages about IKE events.

Configuring a CPP Firewall Policy Push Using a Remote AAA Server

Perform the following task to configure a CPP firewall policy push using a remote AAA server.
SUMMARY STEPS

1. enable
2. configure terminal
3. crypto isakmp client firewall policy-name {required | optional} firewall-type
4. policy check-presence
5. exit
6. Add the VSA "cpp-policy" under the group definition that is defined in RADIUS.
7. exit
8. debug crypto isakmp

DETAILED STEPS

Step 1: enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3: crypto isakmp client firewall policy-name {required | optional} firewall-type
    Example: Router(config)# crypto isakmp client firewall hw-client-g-cpp required Cisco-Security-Agent
    Purpose: Defines the CPP firewall push policy on a server and enters ISAKMP client firewall configuration mode.
    policy-name--Uniquely identifies a policy. A policy name can be associated with the Easy VPN client group configuration of the server (local group configuration) or on the AAA server.
    required--Policy is mandatory. If the CPP policy is defined as mandatory and is included in the Easy VPN server configuration, the tunnel setup is allowed only if the client conforms to this policy. Otherwise, the tunnel is terminated.
    optional--Policy is optional. If the CPP policy is defined as optional and is included in the Easy VPN server configuration, the tunnel setup is continued even if the client does not conform to the defined policy.
    firewall-type--Type of firewall (see the crypto isakmp client firewall command for a list of firewall types).

Step 4: policy check-presence
    Example: Router(config-ikmp-client-fw)# policy check-presence
    Purpose: Defines the CPP firewall policy push.
    check-presence--Denotes that the server should check for the presence on the client of the firewall specified by the value of the firewall-type argument.

Step 5: exit
    Example: Router(config-ikmp-client-fw)# exit
    Purpose: Exits ISAKMP client firewall configuration mode and enters global configuration mode.

Step 6: Add the VSA "cpp-policy" under the group definition that is defined in RADIUS.
    Example: ipsec:cpp-policy="Enterprise Firewall"
    Purpose: Defines the CPP firewall push policy for a remote server.

Step 7: exit
    Example: Router(config)# exit
    Purpose: Exits global configuration mode and enters privileged EXEC mode.

Step 8: debug crypto isakmp
    Example: Router# debug crypto isakmp
    Purpose: (Optional) Displays messages about IKE events.

Configuring Password Aging

To configure Password Aging so that the Easy VPN client is notified if the password has expired, perform the following task.
Note: The following restrictions apply to the Password Aging feature:

- It works only with VPN software clients.
- It does not work with VPN client hardware.
- It works only with RADIUS servers.

SUMMARY STEPS

1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login list-name passwd-expiry group radius
5. radius-server host ip-address [auth-port port-number] [acct-port port-number] [key string]
6. crypto isakmp profile profile-name
7. match certificate certificate-map
8. client authentication list list-name

DETAILED STEPS

Step 1: enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3: aaa new-model
    Example: Router(config)# aaa new-model
    Purpose: Enables AAA.

Step 4: aaa authentication login list-name passwd-expiry group radius
    Example: Router(config)# aaa authentication login userauth passwd-expiry group radius
    Purpose: Configures the authentication list so that the Password Aging feature is enabled.

Step 5: radius-server host ip-address [auth-port port-number] [acct-port port-number] [key string]
    Example:
        Router(config)# radius-server host 172.19.217.96 auth-port 1645 acct-port 1646 key cisco
        Router(config)# radius-server vsa send authentication
    Purpose: Configures the RADIUS server.

Step 6: crypto isakmp profile profile-name
    Example: Router(config)# crypto isakmp profile profile2
    Purpose: Defines an ISAKMP profile, audits IPsec user sessions, and enters crypto ISAKMP profile configuration mode.

Step 7: match certificate certificate-map
    Example: Router(config-isa-prof)# match identity group branch
    Purpose: Assigns an ISAKMP profile to a peer on the basis of the contents of arbitrary fields in the certificate.

Step 8: client authentication list list-name
    Example: Router(config-isa-prof)# client authentication list userauth
    Purpose: Configures IKE extended authentication (Xauth) in an ISAKMP profile and includes the authentication list that was defined above.

Configuring Split DNS

To configure Split DNS, perform the following task. The task also provides information on how to verify and monitor the Split DNS configuration.
Before You Begin

Before the Split DNS feature can work, the following commands should have been configured on the Easy VPN remote:

ip dns server
ip domain-lookup

Note: You can use the show and debug commands in any order.

SUMMARY STEPS

1. enable
2. configure terminal
3. crypto isakmp client configuration group {group-name | default}
4. dns primary-server secondary-server
5. split-dns domain-name
6. end
7. show ip dns name-list [name-list-number]
8. show ip dns view [vrf vrf-name] [default | view-name]
9. show ip dns view-list [view-list-name]
10. debug ip dns name-list
11. debug ip dns view
12. debug ip dns view-list

DETAILED STEPS

Step 1: enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3: crypto isakmp client configuration group {group-name | default}
    Example: Router(config)# crypto isakmp client configuration group group1
    Purpose: Specifies the policy profile of the group that will be defined and enters ISAKMP group configuration mode. If no specific group matches and a default group is defined, users will automatically be given the policy of the default group.

Step 4: dns primary-server secondary-server
    Example: Router(config-isakmp-group)# dns 10.2.2.2 10.3.3.3
    Purpose: Specifies the primary and secondary DNS servers for the group.

Step 5: split-dns domain-name
    Example: Router(config-isakmp-group)# split-dns domain.com
    Purpose: Specifies a domain name that must be tunneled or resolved to the private network.

Step 6: end
    Example: Router(config-isakmp-group)# end
    Purpose: Exits ISAKMP group configuration mode and enters privileged EXEC mode.

Step 7: show ip dns name-list [name-list-number]
    Example: Router# show ip dns name-list 1
    Purpose: Displays information about DNS name lists.

Step 8: show ip dns view [vrf vrf-name] [default | view-name]
    Example: Router# show ip dns view default
    Purpose: Displays information about DNS views.

Step 9: show ip dns view-list [view-list-name]
    Example: Router# show ip dns view-list ezvpn-internal-viewlist
    Purpose: Displays information about DNS view lists.

Step 10: debug ip dns name-list
    Example: Router# debug ip dns name-list
    Purpose: Enables debugging output for DNS name-list events.

Step 11: debug ip dns view
    Example: Router# debug ip dns view
    Purpose: Enables debugging output for DNS view events.

Step 12: debug ip dns view-list
    Example: Router# debug ip dns view-list
    Purpose: Enables debugging output for DNS view-list events.

Configuring an Easy VPN Server to Obtain an IP Address from a DHCP Server

When the Easy VPN server selects the method for address assignment, it does so in the following order of precedence:

1. Selects the framed IP address.
2. Uses the IP address from the authentication server (group/user).
3. Uses the global IKE address pools.
4. Uses DHCP.

Note: To enable the Easy VPN server to obtain an IP address from a DHCP server, remove other address assignments.

To configure an Easy VPN server to obtain an IP address from a DHCP server, perform the following task.
SUMMARY STEPS

1. enable
2. configure terminal
3. crypto isakmp client configuration group group-name
4. dhcp server {ip-address | hostname}
5. dhcp timeout time
6. dhcp giaddr ip-address

DETAILED STEPS

Step 1: enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
    Example: Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3: crypto isakmp client configuration group group-name
    Example: Router(config)# crypto isakmp client configuration group group1
    Purpose: Specifies to which group a policy profile will be defined.
    Note: Entering this command places the CLI in ISAKMP group configuration mode. From this mode, you can use subcommands to specify characteristics for the group policy.

Step 4: dhcp server {ip-address | hostname}
    Example: Router(config-isakmp-group)# dhcp server 10.10.1.2
    Purpose: Specifies a primary (and backup) DHCP server to allocate IP addresses to users entering a particular public data network (PDN) access point.

Step 5: dhcp timeout time
    Example: Router(config-isakmp-group)# dhcp timeout 6
    Purpose: Sets the wait time in seconds before the next DHCP server on the list is tried.

Step 6: dhcp giaddr ip-address
    Example: Router(config-isakmp-group)# dhcp giaddr 10.1.1.4
    Purpose: Specifies the giaddr for the DHCP scope.

Verifying and Monitoring DHCP Client Proxy

To verify and monitor your DHCP client proxy configuration, perform the following task.

Note: You can use the show and debug commands in any order.
enable2.
showdhcplease3.
showipdhcppool4.
showipdhcpbinding5.
debugcryptoisakmp6.
debugdhcp7.
debugdhcpdetail8.
debugipdhcpservereventsDETAILEDSTEPSPurposeCommandorActionEnablesprivilegedEXECmode.
enableStep1Example:Router>enableEnteryourpasswordifprompted.
DisplaysinformationabouttheDHCPaddresspools.
showdhcpleaseStep2Example:Router#showdhcpleaseUsethiscommandwhenanexternalDHCPisused.
NoteDisplaysinformationabouttheDHCPaddresspools.
showipdhcppoolStep3Example:Router#showipdhcppoolThiscommandisapplicableonlywhentheEasyVPNserverisalsotheDHCPserver(generallynotthecasebecauseinmostcases,theDHCPserverisanexternalserver).
NoteDisplaysaddressbindingsontheDHCPserver.
showipdhcpbindingStep4Example:Router#showipdhcpbindingThiscommandisapplicableonlywhentheEasyVPNserverisalsotheDHCPserver(generallynotthecasebecauseinmostcases,theDHCPserverisanexternalserver).
NoteDisplaysmessagesaboutIKEevents.
debugcryptoisakmpExample:Router#debugcryptoisakmpStep5Reportsserverevents,likeaddressassignmentsanddatabaseupdates.
debugdhcpExample:Router#debugdhcpStep6EasyVPNConfigurationGuide,CiscoIOSXERelease3S47EasyVPNServerVerifyingandMonitoringDHCPClientProxyPurposeCommandorActionDisplaysdetailedDHCPdebugginginformation.
debugdhcpdetailExample:Router#debugdhcpdetailStep7Reportsserverevents,likeaddressassignmentsanddatabaseupdates.
debugipdhcpservereventsStep8Example:Router#debugipdhcpservereventsThiscommandisapplicableonlywhentheEasyVPNserverisalsotheDHCPserver(generallynotthecasebecauseinmostcases,theDHCPserverisanexternalserver).
Configuration Examples for Easy VPN Server

Example: Configuring Cisco IOS XE for Easy VPN Server

The following example shows how to define group policy information locally for Mode Configuration. In this example, a group is named "cisco" and another group is named "default." The policy is enforced for all users who do not offer a group name that matches "cisco."

! Enable policy look-up via AAA. For authentication and authorization, send requests to
! RADIUS first, then try local policy.
aaa new-model
aaa authentication login userlist group radius local
aaa authorization network grouplist group radius local
enable password XXXX
!
username cisco password 0 cisco
clock timezone PST -8
ip subnet-zero
! Configure IKE policies, which are assessed in order so that the first policy that matches
! the proposal of the client will be used.
crypto isakmp policy 1
 group 2
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp identity hostname
!
! Define "cisco" group policy information for mode config push.
crypto isakmp client configuration group cisco
 key cisco
 dns 10.2.2.2 10.2.2.3
 wins 10.6.6.6
 domain cisco.com
 pool pool1
 acl 199
! Define default group policy for mode config push.
crypto isakmp client configuration group default
 key cisco
 dns 10.2.2.2 10.3.2.3
 pool pool1
 acl 199
!
!
crypto ipsec transform-set set1 esp-des esp-sha-hmac
!
crypto dynamic-map mode 1
 set transform-set set1
!
! Apply mode config and xauth to crypto map "mode." The list names that are defined here
! must match the list names that are defined in the AAA section of the config.
crypto map mode client authentication list userlist
crypto map mode isakmp authorization list grouplist
crypto map mode client configuration address respond
crypto map mode 1 ipsec-isakmp dynamic mode
!
!
controller ISA 1/1
!
!
interface GigabitEthernet0/0
 ip address 10.6.1.8 255.255.0.0
 ip route-cache
 ip mroute-cache
 duplex auto
 speed auto
 crypto map mode
!
interface GigabitEthernet0/1
 ip address 192.168.1.28 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
! Specify IP address pools for internal IP address allocation to clients.
ip local pool pool1 192.168.2.1 192.168.2.10
ip classless
ip route 0.0.0.0 0.0.0.0 10.6.0.1
!
! Define access lists for each subnet that should be protected.
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.3.0 0.0.0.255 any
!
! Specify a RADIUS server host and configure access to the server.
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key XXXXX
radius-server retransmit 3
!
!
line con 0
 exec-timeout 0 0
 length 25
 transport input none
line aux 0
line vty 5 15
!
Example: RADIUS Group Profile with IPsec AV Pairs

The following example shows a standard RADIUS group profile that includes RADIUS IPsec AV pairs. To get the group authorization attributes, "cisco" must be used as the password.

client_r Password = "cisco" Service-Type = Outbound
cisco-avpair = "ipsec:tunnel-type*ESP"
cisco-avpair = "ipsec:key-exchange=ike"
cisco-avpair = "ipsec:tunnel-password=lab"
cisco-avpair = "ipsec:addr-pool=pool1"
cisco-avpair = "ipsec:default-domain=cisco"
cisco-avpair = "ipsec:inacl=101"
cisco-avpair = "ipsec:access-restrict=fastethernet 0/0"
cisco-avpair = "ipsec:group-lock=1"
cisco-avpair = "ipsec:dns-servers=10.1.1.1 10.2.2.2"
cisco-avpair = "ipsec:firewall=1"
cisco-avpair = "ipsec:include-local-lan=1"
cisco-avpair = "ipsec:save-password=1"
cisco-avpair = "ipsec:wins-servers=10.3.3.3 10.4.4.4"
cisco-avpair = "ipsec:split-dns=green.com"
cisco-avpair = "ipsec:ipsec-backup-gateway=10.1.1.1"
cisco-avpair = "ipsec:ipsec-backup-gateway=10.1.1.2"
cisco-avpair = "ipsec:pfs=1"
cisco-avpair = "ipsec:cpp-policy="Enterprise Firewall""
cisco-avpair = "ipsec:auto-update="Win http://example.com 4.0.1""
cisco-avpair = "ipsec:browser-proxy=bproxy_profile_A"
cisco-avpair = "ipsec:banner=Xauth banner text here"

The following example shows a RADIUS user profile that is set up for a group that has group-lock configured. The username is entered in the user@domain format.

abc@example.com Password = "abcll1111"
cisco-avpair = "ipsec:user-include-local-lan=1"
cisco-avpair = "ipsec:user-save-password=1"
Framed-IP-Address = 10.10.10.10

Example: RADIUS User Profile with IPsec AV Pairs

The following example shows a standard RADIUS user profile that includes RADIUS IPsec AV pairs. These user attributes will be obtained during Xauth.

ualluall Password = "uall1234"
cisco-avpair = "ipsec:user-vpn-group=unity"
cisco-avpair = "ipsec:user-include-local-lan=1"
cisco-avpair = "ipsec:user-save-password=1"
Framed-IP-Address = 10.10.10.10
Example: Backup Gateway with Maximum Logins and Maximum Users

The following example shows that five backup gateways have been configured, that the maximum users have been set to 250, and that maximum logins have been set to 2:

crypto isakmp client configuration group sdm
 key 6 RMZPPMRQMSdiZNJg`EBbCWTKSTi\d[
 pool POOL1
 acl 150
 backup-gateway 172.16.12.12
 backup-gateway 172.16.12.13
 backup-gateway 172.16.12.14
 backup-gateway 172.16.12.130
 backup-gateway 172.16.12.131
 max-users 250
 max-logins 2

Example: Easy VPN with an IPsec Virtual Tunnel Interface

The following example shows that Easy VPN has been configured with an IPsec virtual tunnel interface.
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
aaa session-id common
!
resource policy
!
clock timezone IST 0
ip subnet-zero
ip cef
no ip domain lookup
no ip dhcp use vrf connected
!
username lab password 0 lab
!
crypto isakmp policy 3
 authentication pre-share
 group 2
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group easy
 key cisco
 domain foo.com
 pool dpool
 acl 101
crypto isakmp profile vi
 match identity group easy
 isakmp authorization list default
 client configuration address respond
 client configuration group easy
 virtual-template 1
!
!
crypto ipsec transform-set set esp-3des esp-sha-hmac
!
crypto ipsec profile vi
 set transform-set set
 set isakmp-profile vi
!
!
interface Loopback0
 ip address 10.4.0.1 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 10.3.0.2 255.255.255.0
 no keepalive
 no cdp enable
interface GigabitEthernet1/0
 no ip address
 no keepalive
 no cdp enable
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
ip local pool dpool 10.5.0.1 10.5.0.10
!
ip classless
ip route 10.2.0.0 255.255.255.0 10.3.0.1
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip 10.4.0.0 0.0.0.255 any
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
!
end

Examples: Pushing a Configuration URL Through a Mode-Configuration Exchange

The following show crypto ipsec client ezvpn command output displays the Mode Configuration URL location and version:

Router# show crypto ipsec client ezvpn

Easy VPN Remote Phase: 5
Tunnel name : branch
Inside interface list: Vlan1
Outside interface: FastEthernet0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.209
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Allowed
Configuration URL [version]: tftp://172.16.30.2/branch.cfg [11]
Config status: applied, Last successfully applied version: 11
Current EzVPN Peer: 192.168.10.1

The following show crypto isakmp peers config command output displays all manageability information that is sent by the remote device.
Router# show crypto isakmp peers config

Client-Public-Addr=192.168.10.2:500; Client-Assigned-Addr=172.16.1.209; Client-Group=branch; Client-User=branch; Client-Hostname=branch.; Client-Platform=Cisco 1711; Client-Serial=FOC080210E2 (412454448); Client-Config-Version=11; Client-Flash=33292284; Client-Available-Flash=10202680; Client-Memory=95969280; Client-Free-Memory=14992140; Client-Image=flash:c1700-advipservicesk9-mz.ef90241
Client-Public-Addr=192.168.10.3:500; Client-Assigned-Addr=172.16.1.121; Client-Group=store; Client-User=store; Client-Hostname=831-storerouter.; Client-Platform=Cisco C831; Client-Serial=FOC08472UXR (1908379618); Client-Config-Version=2; Client-Flash=24903676; Client-Available-Flash=5875028; Client-Memory=45298688; Client-Free-Memory=6295596; Client-Image=flash:c831-k9o3y6-mz.ef90241

Example: Per User AAA Download with PKI

The following example shows that the Per User AAA Download with PKI feature has been configured on the Easy VPN server.
Router# show running-config
Building configuration...

Current configuration : 7040 bytes
!
! Last configuration change at 21:06:51 UTC Tue Jun 28 2005
!
version 15.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname GEN
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa group server radius usrgrppki
 server 10.76.248.201 auth-port 1645 acct-port 1646
!
aaa authentication login xauth group usrgrppki
aaa authentication login usrgrp group usrgrppki
aaa authorization network usrgrp group usrgrppki
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip address-pool local
!
!
crypto pki trustpoint ca-server
 enrollment url http://10.7.7.2:80
 revocation-check none
 rsakeypair rsa-pair
! Specify the field within the certificate that will be used as a username to do a per-user
! AAA lookup into the RADIUS database. In this example, the contents of the common name will
! be used to do a AAA lookup. In the absence of this statement, by default the contents of the
! "unstructured name" field in the certificate is used for AAA lookup.
 authorization username subjectname commonname
!
!
crypto pki certificate map CERT-MAP 1
 subject-name co yourname
 name co yourname
!
crypto pki certificate chain ca-server
 certificate
  <certificate data omitted>
  quit
 certificate ca 01
  <certificate data omitted>
  quit
!
!
crypto isakmp policy 10
 group 2
crypto isakmp keepalive 10
crypto isakmp profile ISA-PROF
 match certificate CERT-MAP
 isakmp authorization list usrgrp
 client pki authorization list usrgrp
 client configuration address respond
 client configuration group pkiuser
 virtual-template 2
!
!
crypto ipsec transform-set trans2 esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC_PROF
 set transform-set trans2
!
crypto ipsec profile ISC_IPSEC_PROFILE_1
 set transform-set trans2
!
!
crypto call admission limit ike sa 40
!
!
interface Loopback0
 ip address 10.3.0.1 255.255.255.255
 no ip route-cache cef
 no ip route-cache
!
interface Loopback1
 ip address 10.76.0.1 255.255.255.255
 no ip route-cache cef
 no ip route-cache
!
interface GigabitEthernet3/0
 ip address 10.76.248.209 255.255.255.255
 no ip route-cache cef
 no ip route-cache
 duplex half
!
!
interface GigabitEthernet3/2
 ip address 10.2.0.1 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 duplex half
!
!
interface Serial4/0
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 serial restart-delay 0
!
interface Serial4/1
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 serial restart-delay 0
!
interface Serial4/2
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 serial restart-delay 0
!
interface Serial4/3
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 serial restart-delay 0
!
interface FastEthernet5/0
 ip address 10.9.4.77 255.255.255.255
 no ip route-cache cef
 no ip route-cache
 duplex half
!
interface FastEthernet6/0
 ip address 10.7.7.1 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 duplex full
!
interface Virtual-Template1
 no ip address
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 tunnel source Ethernet3/2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF
!
router eigrp 20
 network 172.16.0.0
 auto-summary
!
ip local pool ourpool 10.6.6.6
ip default-gateway 10.9.4.1
ip classless
ip route 10.1.0.1 255.255.255.255 10.0.0.2
ip route 10.2.3.0 255.255.0.0 10.2.4.4
ip route 10.9.1.0 255.255.0.0 10.4.0.1
ip route 10.76.0.0 255.255.0.0 10.76.248.129
ip route 10.11.1.1 255.255.255.0 10.7.7.2
!
no ip http server
no ip http secure-server
!
!
logging alarm informational
arp 10.9.4.1 0011.bcb4.d40a ARPA
!
!
radius-server host 10.76.248.201 auth-port 1645 acct-port 1646 key cisco
!
control-plane
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
!
end

Example: Per-User Attributes on an Easy VPN Server

The following example shows that per-user attributes have been configured on an Easy VPN server.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login noAAA none
aaa authorization network default local
!
aaa attribute list per-group
 attribute type inacl "per-group-acl" service ike protocol ip mandatory
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
username example password 0 example
!
!
crypto isakmp policy 3
 authentication pre-share
 group 2
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group PerUserAAA
 key cisco
 pool dpool
 crypto aaa attribute list per-group
!
crypto isakmp profile vi
 match identity group PerUserAAA
 isakmp authorization list default
 client configuration address respond
 client configuration group PerUserAAA
 virtual-template 1
!
!
crypto ipsec transform-set set esp-3des esp-sha-hmac
!
crypto ipsec profile vi
 set transform-set set
 set isakmp-profile vi
!
!
interface GigabitEthernet0/0
 description 'EzVPN Peer'
 ip address 192.168.1.1 255.255.255.128
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
ip local pool dpool 10.5.0.1 10.5.0.10
ip classless
!
no ip http server
no ip http secure-server
!
!
ip access-list extended per-group-acl
 permit tcp any any
 deny icmp any any
logging alarm informational
logging trap debugging
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
line aux 0
 stopbits 1
line vty 0 4
!
!
end

Example: Network Admission Control

The following example shows an Easy VPN server that has been enabled with Network Admission Control.
Note: Network Admission Control is supported on an Easy VPN server only when the server uses IPsec virtual interfaces. Network Admission Control is enabled on the virtual template interface and applies to all PC clients that use this virtual template interface.

Router# show running-config
Building configuration...

Current configuration : 5091 bytes
!
version 15.0
!
hostname Router
!
aaa new-model
!
!
aaa authentication login userlist local
!
aaa authentication eou default group radius
aaa authorization network hw-client-groupname local
aaa accounting update newinfo
aaa accounting network acclist start-stop broadcast group radius
aaa session-id common
!
!
! Note 1: EAPoUDP packets will use the IP address of the loopback interface when sending
! the EAPoUDP hello to the Easy VPN client. Using the IP address ensures that the returning
! EAPoUDP packets come back encrypted and are associated with the correct virtual access
! interface. The ip admission (ip admission source-interface Loopback10) command is
! optional. Instead of using this command, you can specify the IP address of the virtual
! template to be an address in the inside network space, as shown in the configuration of
! the virtual template below in Note 2.
ip admission source-interface Loopback10
ip admission name test eapoudp inactivity-time 60
!
!
eou clientless username cisco
eou clientless password cisco
eou allow ip-station-id
eou logging
!
username lab password 0 lab
username lab@easy password 0 lab
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
!
crypto isakmp key 0 cisco address 10.53.0.1
crypto isakmp client configuration group easy
 key cisco
 domain cisco.com
 pool dynpool
 acl split-acl
 group-lock
 configuration url tftp://10.13.0.9/Config-URL_TFTP.cfg
 configuration version 111
!
crypto isakmp profile vi
 match identity group easy
 client authentication list userlist
 isakmp authorization list hw-client-groupname
 client configuration address respond
 client configuration group easy
 accounting acclist
 virtual-template 2
!
crypto ipsec security-association lifetime seconds 120
crypto ipsec transform-set set esp-3des esp-sha-hmac
crypto ipsec transform-set aes-trans esp-aes esp-sha-hmac
crypto ipsec transform-set transform-1 esp-des esp-sha-hmac
crypto ipsec profile vi
 set security-association lifetime seconds 3600
 set transform-set set aes-trans transform-1
 set isakmp-profile vi
!
!
crypto dynamic-map dynmap 1
 set transform-set aes-trans transform-1
 reverse-route
!
interface Loopback10
 ip address 10.61.0.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.13.11.173 255.255.255.255
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.55.0.1 255.255.255.255
 duplex auto
 speed auto
!
!
interface Virtual-Template2 type tunnel
! Note 2: Use the IP address of the loopback 10. This ensures that the EAPoUDP packets that
! are attached to virtual-access interfaces that are cloned from this virtual template carry
! the source address of the loopback address and that response packets from the VPN client
! come back encrypted.
!
 ip unnumbered Loopback10
! Enable Network Admission Control for remote VPN clients.
 ip admission test
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
!
ip local pool dynpool 172.16.2.65 172.16.2.70
ip classless
ip access-list extended ClientException
 permit ip any host 10.61.0.1
ip access-list extended split-acl
 permit ip host 10.13.11.185 any
 permit ip 10.61.0.0 255.255.255.255 any
 permit ip 10.71.0.0 255.255.255.255 any
 permit ip 10.71.0.0 255.255.255.255 10.52.0.0 0.255.255.255
 permit ip 10.55.0.0 255.255.255.255 any
!
ip radius source-interface FastEthernet0/0
access-list 102 permit esp any any
access-list 102 permit ahp any any
access-list 102 permit udp any any eq 21862
access-list 102 permit ospf any any
access-list 102 deny ip any any
access-list 195 deny ospf any any
access-list 195 permit ip 10.61.0.0 255.255.255.255 10.51.0.0 255.255.255.255
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server host 10.13.11.185 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send accounting
radius-server vsa send authentication
!
end

Example: Configuring Password Aging

The following example shows that password aging has been configured so that if the password expires, the Easy VPN client is notified.
Current configuration : 4455 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
!
!
aaa new-model
!
!
aaa authentication login USERAUTH passwd-expiry group radius
aaa authorization network branch local
!
aaa session-id common
!
ip cef
username cisco privilege 15 secret 5 $1$A3HU$bCWjlkrEztDJx6JJzSnMV1
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group branch
 key cisco
 domain cisco.com
 pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto isakmp profile profile2
 client authentication list USERAUTH
 match identity group branch
 isakmp authorization list branch
 client configuration address respond
 virtual-template 1
crypto ipsec profile vi
 set transform-set transform-1
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 192.168.1.100 255.255.255.0
 duplex auto
 speed auto
 crypto map dynmap
!
interface GigabitEthernet0/1
 description $ES_LAN$
 ip address 172.19.217.96 255.255.255.0
 duplex auto
 speed auto
!
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/2
 no clns route-cache
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
ip local pool dpool 10.0.0.1 10.0.0.3
!
radius-server host 172.19.220.149 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send authentication
!
control-plane
!
!
end

Example: Split DNS

In the following example, the split tunnel list named "101" contains the 10.168.0.0/16 network. It is necessary to include this network information so that the DNS requests to the internal DNS server of 10.168.1.1 are encrypted.

crypto isakmp client configuration group home
 key abcd
 acl 101
 dns 10.168.1.1 10.168.1.2

show Output

The following example shows that www.ciscoexample1.com and www.ciscoexample2.com have been added to the policy group:

Router# show running-config | security group

crypto isakmp client configuration group 831server
 key abcd
 dns 10.104.128.248
 split-dns www.ciscoexample1.com
 split-dns www.ciscoexample2.com
 group home2
 key abcd

The following sample output from the show ip dns view command displays currently configured DNS views:

Router# show ip dns view

DNS View default parameters:
Logging is off
DNS Resolver settings:
 Domain lookup is enabled
 Default domain name: cisco.com
 Domain search list:
 Lookup timeout: 3 seconds
 Lookup retries: 2
 Domain name-servers:
  172.16.168.183
DNS Server settings:
 Forwarding of queries is enabled
 Forwarder addresses:
DNS View ezvpn-internal-view parameters:
Logging is off
DNS Resolver settings:
 Domain lookup is enabled
 Default domain name:
 Domain search list:
 Lookup timeout: 3 seconds
 Lookup retries: 2
 Domain name-servers:
  10.104.128.248
DNS Server settings:
 Forwarding of queries is enabled
 Forwarder addresses:

The following sample output from the show ip dns view-list command displays currently configured DNS view lists.

Router# show ip dns view-list

View-list ezvpn-internal-viewlist:
 View ezvpn-internal-view:
  Evaluation order: 10
  Restrict to ip dns name-list: 1
 View default:
  Evaluation order: 20

The following sample output from the show ip dns name-list command displays DNS name lists.

Router# show ip dns name-list

ip dns name-list 1
 permit www.ciscoexample1.com
 permit www.ciscoexample2.com

Example: DHCP Client Proxy

The following examples display DHCP client proxy output information using show and debug commands.
show Output

Note: To use the show ip dhcp command, the DHCP server must be a Cisco IOS XE server.

The following sample output from the show ip dhcp pool command provides information about the DHCP parameters:

Router# show ip dhcp pool

Pool dynpool :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 1
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
                      10.3.3.1         - 10.3.3.254        1
 No relay targets associated with class aclass

The following sample output from the show ip dhcp binding command provides information about the DHCP bindings:

Router# show ip dhcp binding

Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.3.3.5        0065.7a76.706e.2d63.    Apr 04 2006 06:01 AM    Automatic
                6c69.656e.74

debug Output

The following example shows how the debug crypto isakmp and debug ip dhcp server events commands can be used to troubleshoot your DHCP client proxy support configuration:

*Apr 3 06:01:32.047: ISAKMP: Config payload REQUEST
*Apr 3 06:01:32.047: ISAKMP:(1002): checking request:
*Apr 3 06:01:32.047: ISAKMP:    IP4_ADDRESS
*Apr 3 06:01:32.047: ISAKMP:    IP4_NETMASK
*Apr 3 06:01:32.047: ISAKMP:    MODECFG_CONFIG_URL
*Apr 3 06:01:32.047: ISAKMP:    MODECFG_CONFIG_VERSION
*Apr 3 06:01:32.047: ISAKMP:    IP4_DNS
*Apr 3 06:01:32.047: ISAKMP:    IP4_DNS
*Apr 3 06:01:32.047: ISAKMP:    IP4_NBNS
*Apr 3 06:01:32.047: ISAKMP:    IP4_NBNS
*Apr 3 06:01:32.047: ISAKMP:    SPLIT_INCLUDE
*Apr 3 06:01:32.047: ISAKMP:    SPLIT_DNS
*Apr 3 06:01:32.047: ISAKMP:    DEFAULT_DOMAIN
*Apr 3 06:01:32.047: ISAKMP:    MODECFG_SAVEPWD
*Apr 3 06:01:32.047: ISAKMP:    INCLUDE_LOCAL_LAN
*Apr 3 06:01:32.047: ISAKMP:    PFS
*Apr 3 06:01:32.047: ISAKMP:    BACKUP_SERVER
*Apr 3 06:01:32.047: ISAKMP:    APPLICATION_VERSION
*Apr 3 06:01:32.047: ISAKMP:    MODECFG_BANNER
*Apr 3 06:01:32.047: ISAKMP:    MODECFG_IPSEC_INT_CONF
*Apr 3 06:01:32.047: ISAKMP:    MODECFG_HOSTNAME
*Apr 3 06:01:32.047: ISAKMP/author: Author request for group home successfully sent to AAA
*Apr 3 06:01:32.047: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Apr 3 06:01:32.047: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
*Apr 3 06:01:32.047: ISAKMP:(1002):attributes sent in message:
*Apr 3 06:01:32.047:         Address: 10.2.0.0
*Apr 3 06:01:32.047: Requesting DHCP Server 0 address 10.3.3.3
*Apr 3 06:01:32.047: DHCPD: Sending notification of DISCOVER:
*Apr 3 06:01:32.047:   DHCPD: htype 1 chaddr aabb.cc00.6600
*Apr 3 06:01:32.047:   DHCPD: circuit id 00000000
*Apr 3 06:01:32.047: DHCPD: Seeing if there is an internally specified pool class:
*Apr 3 06:01:32.047:   DHCPD: htype 1 chaddr aabb.cc00.6600
*Apr 3 06:01:32.047:   DHCPD: circuit id 00000000
*Apr 3 06:01:34.063: DHCPD: Adding binding to radix tree (10.3.3.5)
*Apr 3 06:01:34.063: DHCPD: Adding binding to hash tree
*Apr 3 06:01:34.063: DHCPD: assigned IP address 10.3.3.5 to client 0065.7a76.706e.2d63.6c69.656e.74.
*Apr 3 06:01:34.071: DHCPD: Sending notification of ASSIGNMENT:
*Apr 3 06:01:34.071:  DHCPD: address 10.3.3.5 mask 255.255.255.0
*Apr 3 06:01:34.071:   DHCPD: htype 1 chaddr aabb.cc00.6600
*Apr 3 06:01:34.071:   DHCPD: lease time remaining (secs) = 86400
*Apr 3 06:01:34.183: Obtained DHCP address 10.3.3.5
*Apr 3 06:01:34.183: ISAKMP:(1002): allocating address 10.3.3.5
*Apr 3 06:01:34.183: ISAKMP: Sending private address: 10.3.3.5
*Apr 3 06:01:34.183: ISAKMP: Sending subnet mask: 255.255.255.0
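As an added example (not Cisco's code), the following Python correlates the two debug streams shown above with the pool range from the show ip dhcp pool output, so a troubleshooter can confirm that the address DHCPD leased lies in the pool and is the same address and mask that IKE then pushed to the client in the Mode Configuration reply; the debug lines are constructed to match the output above.

```python
"""Correlate "debug crypto isakmp" and "debug ip dhcp server events" output
with the "show ip dhcp pool" range (added example, not Cisco code). The
debug lines below are constructed to match the output shown above."""
import ipaddress
import re

SAMPLE_DEBUG = """\
*Apr 3 06:01:32.047: ISAKMP/author: Author request for group home successfully sent to AAA
*Apr 3 06:01:32.047: Requesting DHCP Server 0 address 10.3.3.3
*Apr 3 06:01:32.047: DHCPD: Sending notification of DISCOVER:
*Apr 3 06:01:32.047:   DHCPD: htype 1 chaddr aabb.cc00.6600
*Apr 3 06:01:34.063: DHCPD: assigned IP address 10.3.3.5 to client 0065.7a76.706e.2d63.6c69.656e.74.
*Apr 3 06:01:34.071: DHCPD: Sending notification of ASSIGNMENT:
*Apr 3 06:01:34.071:  DHCPD: address 10.3.3.5 mask 255.255.255.0
*Apr 3 06:01:34.071:   DHCPD: lease time remaining (secs) = 86400
*Apr 3 06:01:34.183: Obtained DHCP address 10.3.3.5
*Apr 3 06:01:34.183: ISAKMP:(1002): allocating address 10.3.3.5
*Apr 3 06:01:34.183: ISAKMP: Sending private address: 10.3.3.5
*Apr 3 06:01:34.183: ISAKMP: Sending subnet mask: 255.255.255.0
"""

# First and last address of pool "dynpool" from the show ip dhcp pool output.
POOL_RANGE = ("10.3.3.1", "10.3.3.254")

# One regex per field of interest; a later matching line overrides an earlier one.
PATTERNS = {
    "group": re.compile(r"Author request for group (\S+) successfully sent"),
    "dhcp_server": re.compile(r"Requesting DHCP Server \d+ address (\S+)"),
    "chaddr": re.compile(r"DHCPD: htype \d+ chaddr (\S+)"),
    "dhcp_assigned": re.compile(r"DHCPD: assigned IP address (\S+) to client (\S+?)\.?$"),
    "dhcp_mask": re.compile(r"DHCPD: address \S+ mask (\S+)"),
    "lease_secs": re.compile(r"lease time remaining \(secs\) = (\d+)"),
    "ike_addr": re.compile(r"ISAKMP: Sending private address: (\S+)"),
    "ike_mask": re.compile(r"ISAKMP: Sending subnet mask: (\S+)"),
}


def extract_events(debug_text):
    """Pull the fields of interest out of the combined debug stream.

    dhcp_assigned is a (address, client-id) tuple; every other field is a string.
    """
    events = {}
    for line in debug_text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                events[key] = m.groups() if len(m.groups()) > 1 else m.group(1)
    return events


def check_assignment(debug_text, pool_range=POOL_RANGE):
    """Return a list of problems; an empty list means the exchange is consistent:
    DHCPD leased an address inside the pool, and IKE pushed that same address
    and mask to the client."""
    ev = extract_events(debug_text)
    problems = []
    if "dhcp_assigned" not in ev:
        return ["no DHCPD assignment seen; check dhcp server, dhcp giaddr and dhcp timeout"]
    dhcp_addr, _client_id = ev["dhcp_assigned"]
    low, high = (ipaddress.IPv4Address(a) for a in pool_range)
    if not low <= ipaddress.IPv4Address(dhcp_addr) <= high:
        problems.append("leased %s is outside pool %s-%s" % (dhcp_addr, low, high))
    if ev.get("ike_addr") != dhcp_addr:
        problems.append("IKE pushed %s but DHCP leased %s" % (ev.get("ike_addr"), dhcp_addr))
    if ev.get("ike_mask") != ev.get("dhcp_mask"):
        problems.append("mask mismatch: IKE %s vs DHCP %s"
                        % (ev.get("ike_mask"), ev.get("dhcp_mask")))
    if int(ev.get("lease_secs", "0")) <= 0:
        problems.append("no lease time reported by DHCPD")
    return problems


if __name__ == "__main__":
    for key, val in sorted(extract_events(SAMPLE_DEBUG).items()):
        print("%-14s %s" % (key, val))
    print("problems:", check_assignment(SAMPLE_DEBUG) or "none")
```

The client ID extracted from the DHCPD line is the same value that appears in the Client-ID column of show ip dhcp binding, which lets you match a debug trace to a binding after the fact.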
Example: VRF Assignment by a AAA Server

The following example displays that neither a VRF nor an IP address has been defined:

aaa new-model
aaa authentication login VPN group radius
aaa authorization network VPN group radius
!
ip vrf example1
 rd 1:1
!
crypto isakmp profile example1
 match identity group example1group
 client authentication list VPN
 isakmp authorization list VPN
 client configuration address respond
 virtual-template 10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto ipsec profile example1
 set transform-set TS
 set isakmp-profile example1
!
interface Virtual-Template10 type tunnel
! The next line shows that neither a VRF nor an IP address has been defined.
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile example1

Additional References

Related Documents

Related Topic | Document Title
Cisco IOS commands | Cisco IOS Master Commands List, All Releases; Cisco IOS Security Command Reference
General information on IPsec and VPN | "Configuring Security for VPNs with IPsec" module in the Cisco IOS XE Security Configuration Guide: Secure Connectivity
RRI | "Reverse Route Injection" module in the Cisco IOS XE Security Configuration Guide: Secure Connectivity
Split DNS | Configuring Split and Dynamic DNS on the Cisco VPN 3000

Standards

Standards | Title
-- | No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs

MIBs | MIBs Link
-- | To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFCs | Title
-- | No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

Technical Assistance

Description | Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | http://www.cisco.com/cisco/web/support/index.html
Feature Information for Easy VPN Server

Table 4: Feature Information for Easy VPN Server

Feature Name | Releases | Feature Information
Central Policy Push Firewall Policy Push feature | Cisco IOS XE Release 2.1 | The Central Policy Push Firewall Policy Push feature was integrated for use on the Easy VPN Server.
Easy VPN Server | Cisco IOS XE Release 2.1 | The Easy VPN Server feature introduces server support for the Cisco VPN Client Release 3.x and later software clients and Cisco VPN hardware clients (such as the Cisco ASR 1000 Series Routers). This feature allows a remote end user to communicate using IPsec with any Cisco IOS XE VPN gateway. Centrally managed IPsec policies are "pushed" to the client device by the server, minimizing configuration by the end user.
 | Cisco IOS XE Release 2.1 | RADIUS support for user profiles, user-based policy control, session monitoring for VPN group access, backup-gateway list, and PFS were added.
 | Cisco IOS XE Release 2.1 | The netmask command was integrated for use on the Easy VPN server.
 | Cisco IOS XE Release 2.1 | The following feature was integrated for use on the Easy VPN Server:
 | Cisco IOS XE Release 2.1 | The following features were integrated for use on the Easy VPN Server: Configuration Management Enhancements (Pushing a Configuration URL Through a Mode-Configuration Exchange); Per User AAA Download with PKI; Syslog Message Enhancements; Network Admission Control for Easy VPN; Password Aging; Virtual IPsec Interface Support.
 | Cisco IOS XE Release 2.1 | The following features were integrated for use on the Easy VPN Server: DHCP Client Proxy; Virtual Tunnel Interface; Per-User Attribute Support for Easy VPN Servers; Split DNS; Per-User Attribute Support for Easy VPN Servers; VRF Assignment by a AAA Server. The following commands were introduced: crypto aaa attribute list, debug ip dns, dhcp-server (isakmp), dhcp-timeout, show ip dns name-list, show ip dns view, and show ip dns view-list.
 | Cisco IOS XE Release 2.1 | The following command was modified: crypto isakmp client configuration group. The DHCP Client Proxy feature was updated to include manageability enhancements for remote access VPNs. The following commands were modified: clear crypto session, crypto isakmp client configuration group, debug crypto condition, show crypto debug-condition, show crypto isakmp peers, show crypto isakmp profile, show crypto isakmp sa, show crypto session.

Glossary

AAA--authentication, authorization, and accounting.
Frameworkofsecurityservicesthatprovidesthemethodforidentifyingusers(authentication),forremoteaccesscontrol(authorization),andforcollectingandsendingsecurityserverinformationusedforbilling,auditing,andreporting(accounting).
aggressivemode(AM)--ModeduringInternetKeyExchangenegotiation.
Comparedtomainmode(MM),AMeliminatesseveralsteps,whichmakesitfasterbutlesssecurethanMM.
CiscoIOSXEsoftwarewillrespondinaggressivemodetoanIKEpeerthatinitiatesaggressivemode.
AV pair--attribute-value pair. Additional authentication and authorization information in the following format: Cisco:AVPair="protocol:attribute=value". For an Easy VPN group policy held on a RADIUS server the protocol part is ipsec; for example, ipsec:addr-pool=pool1 assigns the group the local address pool named pool1 (pool1 is an illustrative name).

IKE--Internet Key Exchange. Hybrid protocol that implements Oakley key exchange and SKEME key exchange inside the ISAKMP framework. Although IKE can be used with other protocols, its initial implementation is with IPsec. IKE provides authentication of the IPsec peers, negotiates IPsec keys, and negotiates IPsec security associations.

IPsec--IP Security Protocol. Framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPsec provides these security services at the IP layer. IPsec uses IKE to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPsec. IPsec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

ISAKMP--Internet Security Association and Key Management Protocol. Protocol framework that defines payload formats, the mechanics of implementing a key exchange protocol, and the negotiation of a security association.

MM--main mode. Mode that is slower than aggressive mode but more secure and more flexible than aggressive mode because it can offer an IKE peer more security proposals. The default action for IKE authentication (Rivest, Shamir, and Adleman signature (rsa-sig), RSA encryption (rsa-encr), or preshared) is to initiate main mode.
policy push--Allows administrators to push policies that enforce security to the Cisco Easy VPN (software) Client and related firewall software.

reverse route injection (RRI)--Simplified network design for VPNs on which there is a requirement for redundancy or load balancing. RRI works with both dynamic and static crypto maps. In the dynamic case, as remote peers establish IPsec security associations with an RRI-enabled router, a static route is created for each subnet or host protected by that remote peer. For static crypto maps, a static route is created for each destination of an extended access-list rule.
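The dynamic and static cases described above, as an added Cisco IOS configuration fragment that is not from the configuration guide. It shows only the lines that matter for reverse route injection; the ISAKMP policy, the Easy VPN group, and the client authentication and authorization lists that a real Easy VPN server also needs are omitted. Every name and address in it (transform set TS-AES, dynamic map DYN-EZVPN, crypto map VPN-MAP, access list 101, peer 203.0.113.10, the 10.1.0.0/16 and 10.2.0.0/16 networks, interface GigabitEthernet0/0/0, OSPF process 1) is an assumption chosen for illustration.

```cisco
! Added example, not from the Easy VPN configuration guide. All names,
! addresses and the interface below are assumptions for illustration.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Dynamic case (Easy VPN clients): the dynamic map has no set peer and no
! match address, because a client's address is only known once it connects.
! With reverse-route, each IPsec SA a client establishes injects a static
! route to the host address (or subnet) protected by that client.
crypto dynamic-map DYN-EZVPN 10
 set transform-set TS-AES
 reverse-route
!
! Static case (a site-to-site entry in the same crypto map): a route is
! created for each destination of the extended access-list rule, here
! 10.2.0.0/16. The static keyword installs it whether or not the SA to
! the peer is currently up.
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 match address 101
 reverse-route static
!
! The dynamic entry goes last, at the highest sequence number, so the
! static entries are matched first.
crypto map VPN-MAP 65535 ipsec-isakmp dynamic DYN-EZVPN
!
interface GigabitEthernet0/0/0
 crypto map VPN-MAP
!
! RRI only creates the routes on this router; redistribute them so the rest
! of the network learns a path back to the VPN clients and the remote subnet.
router ospf 1
 redistribute static subnets
!
! Verification (exec mode): injected routes appear as static routes.
!   show ip route static
!   show crypto ipsec sa
```

The check worth doing after a client connects is that a host route to the address the server assigned from its pool appears in show ip route static and disappears again when the SA is cleared; if it does not appear, the dynamic map entry is missing reverse-route, and if it appears but other routers cannot reach the client, the redistribution step is missing.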
SA--security association. Description of how two or more entities will utilize security services to communicate securely. For example, an IPsec SA defines the encryption algorithm (if used), the authentication algorithm, and the shared session key to be used during the IPsec connection. Both IPsec and IKE require and use SAs to identify the parameters of their connections. IKE can negotiate and establish its own SA. The IPsec SA is established either by IKE or by manual user configuration.

VPN--Virtual Private Network. Framework that consists of multiple peers transmitting private data securely to one another over an otherwise public infrastructure. In this framework, inbound and outbound network traffic is protected using protocols that tunnel and encrypt all data. This framework permits networks to extend beyond their local topology, while remote users are provided with the appearance and functionality of a direct network connection.