Dynamips lab: Cisco IOS Easy VPN Server & Remote on Dynamips
This test note describes how to configure a Cisco remote-access IPsec VPN on Cisco IOS routers.
I completed this lab on the Dynamips 7200 simulator; the topology is as follows:

The Dynagen configuration is as follows:
autostart = false
[[router R1]]
1. Easy VPN Server Configuration (R2).
server(config)#username steve password cisco
!define the username and password for XAUTH; we can also use Cisco ACS to store the user information.
server(config)#aaa new-model
server(config)#aaa authentication login default local
!define the default aaa authentication list, which allows the administrator to log in to this router; this configuration is unrelated to the ezvpn.
server(config)#aaa authentication login ezvpn-authentication local
!define the xauth authentication list.
server(config)#aaa authorization network ezvpn-authorization local
!define the authorization list.
server(config)#ip local pool ezvpn-pool 192.168.1.1 192.168.1.254
server(config)#crypto isakmp policy 10
server(config-isakmp)#authentication pre-share
server(config-isakmp)#encryption 3des
server(config-isakmp)#hash sha
server(config-isakmp)#group 2
server(config-isakmp)#exit
server(config)#access-list 101 permit ip 10.10.1.0 0.0.0.255 any
!define the split tunnel list; note that the destination address is always “any”, and the source address is the network address of the inside network.
server(config)#crypto isakmp client configuration group myezvpn
server(config-isakmp-group)#key cisco1234
server(config-isakmp-group)#dns 10.8.1.10
server(config-isakmp-group)#domain njut.edu.cn
server(config-isakmp-group)#pool ezvpn-pool
server(config-isakmp-group)#acl 101
!the acl is split tunnel acl.
server(config-isakmp-group)#save-password
!allow the client to save the xauth password locally.
server(config-isakmp-group)#exit
server(config)#crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
server(cfg-crypto-trans)#mode tunnel
server(cfg-crypto-trans)#exit
server(config)#crypto dynamic-map ezvpn-dynamic-map 10
server(config-crypto-map)#set transform-set ccsp
server(config-crypto-map)#reverse-route
server(config)#crypto map cisco client authentication list ezvpn-authentication
!choose the xauth authentication list.
server(config)#crypto map cisco isakmp authorization list ezvpn-authorization
!choose the authorization list.
server(config)#crypto map cisco client configuration address respond
!respond to the client address request.
server(config)#crypto map cisco 10 ipsec-isakmp dynamic ezvpn-dynamic-map
server(config)#int s1/0
server(config-if)#ip address 173.16.1.5 255.255.255.252
server(config-if)#crypto map cisco
server(config)#int fa0/0
server(config-if)#ip address 10.10.1.1 255.255.255.0
server(config)#ip route 0.0.0.0 0.0.0.0 173.16.1.6
2. Easy VPN Remote Configuration (R1).
remote(config)#crypto ipsec client ezvpn newlab
remote(config-crypto-ezvpn)#connect auto
remote(config-crypto-ezvpn)#group myezvpn key cisco1234
remote(config-crypto-ezvpn)#mode client
remote(config-crypto-ezvpn)#peer 173.16.1.5
remote(config-crypto-ezvpn)#username steve password cisco
!if you didn’t enable the save-password option on the ezvpn server, you should issue the “crypto ipsec client ezvpn xauth” command to complete xauth.
!
remote(config)#interface FastEthernet0/0
remote(config-if)#ip address 10.30.1.1 255.255.255.0
remote(config-if)#crypto ipsec client ezvpn newlab inside
!
remote(config)#interface Serial1/1
remote(config-if)#ip address 173.16.1.1 255.255.255.252
remote(config-if)#crypto ipsec client ezvpn newlab outside
3. Use the Cisco VPN Client Software to connect to Easy VPN Server.
The Easy VPN server also accepts connections from the Cisco VPN Client software, which you can download from the CCO site.
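The split tunnel list on the server (access-list 101, referenced by "acl 101" in group myezvpn) decides which destinations a client sends through the tunnel; everything else leaves the client directly. The Python script below is an added example, not part of the original lab: it reads an excerpt of the R2 configuration rewritten in running-config form and reports the path a client would use for each destination. The function names and the sample destinations are assumptions made for the illustration.

```python
import ipaddress
import re

# Excerpt of the server (R2) configuration shown on this page,
# rewritten in running-config form (sub-commands indented by one space).
SERVER_CONFIG = """\
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
crypto isakmp client configuration group myezvpn
 key cisco1234
 dns 10.8.1.10
 pool ezvpn-pool
 acl 101
"""

def group_settings(config, group):
    """Collect the 'keyword value' sub-commands of one client configuration group."""
    settings, in_group = {}, False
    for line in config.splitlines():
        if line.startswith("crypto isakmp client configuration group "):
            in_group = line.split()[-1] == group
        elif in_group and line.startswith(" "):
            keyword, _, value = line.strip().partition(" ")
            settings[keyword] = value
        else:
            in_group = False
    return settings

def split_tunnel_networks(config, acl_id):
    """Networks a client tunnels: the *source* field of each permit entry."""
    pattern = re.compile(rf"access-list {re.escape(acl_id)} permit ip (\S+) (\S+) any")
    nets = []
    for line in config.splitlines():
        m = pattern.fullmatch(line.strip())
        if m:
            # An IOS wildcard mask is a host mask, which ipaddress accepts directly.
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return nets

def client_path(destination, nets):
    """'tunnel' if the client encrypts traffic to destination, else 'direct'."""
    addr = ipaddress.ip_address(destination)
    return "tunnel" if any(addr in net for net in nets) else "direct"

if __name__ == "__main__":
    group = group_settings(SERVER_CONFIG, "myezvpn")
    nets = split_tunnel_networks(SERVER_CONFIG, group["acl"])
    # 10.10.1.25 and 198.51.100.7 are constructed sample destinations.
    for dst in ("10.10.1.25", group["dns"], "198.51.100.7"):
        print(f"{dst:15} -> {client_path(dst, nets)}")
```

With the values on this page, the pushed DNS server 10.8.1.10 falls outside 10.10.1.0/24, so by this list a client would not send its DNS queries through the tunnel.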