Easy VPN Remote Phase Two

Cisco Easy VPN Remote Phase Two features introduced with Cisco IOS v 12.2(8)YJ provide greater flexibility and feature options to Easy VPN Remote client devices, including Cisco 806, 826, 827, 828, and 1700 series routers, plus the Cisco uBR905 and uBR925 cable access routers. The goal is to provide the greatest flexibility in high-performance connections to the Internet, combined with the security of VPN, while minimizing the client-side configuration and support.

Easy VPN Remote Phase Two features still rely on most VPN parameters being defined at a VPN remote access server, such as a Cisco VPN 3000 concentrator, PIX Firewall, or a Cisco IOS router. When the IPSec client initiates the VPN tunnel connection, the VPN remote access server pushes the IPSec policies to the IPSec client and creates the corresponding VPN tunnel connection.

Supported VPN Servers

VPN Remote Phase Two requires that the destination server support the new features. The following device and OS combinations currently meet the requirements.

  • Cisco uBR905 and uBR925 cable access routers running Cisco IOS v12.2(8)YJ or later

  • Cisco 806, 826, 827, 828, 1700 series, 2600 series, 3600 series, 7100 series, 7200 series, and 7500 series routers running Cisco IOS v12.2(8)YJ or later

  • Cisco PIX 500 series running software release 6.2 or later

  • Cisco VPN 3000 series devices running software release 3.11 or later

The Cisco 806, 826, 827, 828, and 1700 series routers, and the uBR905 and uBR925 cable access routers, support simultaneous remote client and remote server roles, allowing them to provide easy-to-implement VPN connections from small branch locations to corporate centers. The device is a client to the corporate center and a server to its own VPN remote clients.

Phase Two Features

Cisco Easy VPN Remote Phase Two provides automatic management of the following features:

  • Manual Tunnel Control

  • Multiple Inside Interface Enhancements

  • Multiple Outside Interfaces Support

  • NAT Interoperability Support

  • Local Address Support for Easy VPN Remote

  • Cable DHCP Proxy Enhancement

  • Peer Hostname Enhancement

  • Proxy DNS Server Support

  • PIX Interoperability Support

  • Cisco IOS Firewall Support

  • Simultaneous Easy VPN Client and Server Support

  • Cisco Easy VPN Remote Web Manager

Manual Tunnel Control

With the original Cisco Easy VPN Remote, the VPN tunnel connects automatically on configuration. If the tunnel times out or fails, it automatically reconnects or retries indefinitely. Phase Two implements manual control over IPSec VPN tunnels, making it possible to establish and terminate the tunnel on demand. The manual feature is implemented with a new subcommand under the crypto ipsec client ezvpn command. The syntax is as follows:

Rtr1(config)#crypto ipsec client ezvpn name
Rtr1(config-crypto-ezvpn)#connect [auto | manual]

Automatic is the default setting, compatible with Phase One functionality. As such, the subcommand with the auto parameter is needed only to reverse a previously configured manual option.

With the manual option, the Easy VPN Client waits for the following command to attempt to establish the connection or to reestablish a timed out or failed session:

Rtr1#crypto ipsec client ezvpn connect name

Use the following clear command to disconnect an established tunnel.

Rtr1#clear crypto ipsec client ezvpn [name]

Multiple Inside Interface Enhancements

Phase One supports only one inside interface on the remote client router. The crypto ipsec client ezvpn name inside command option allows designating up to three inside interfaces. Each inside interface supports only one tunnel. The syntax is as follows:

Rtr1(config)#interface interface-id
Rtr1(config-if)#crypto ipsec client ezvpn name [outside | inside]

The following example shows configuring an inside interface using the inside designation:

Rtr1(config)#interface ethernet 0
Rtr1(config-if)#crypto ipsec client ezvpn vpn1 inside

Multiple Outside Interfaces Support

Phase One supports only one outside interface on the remote client router. The crypto ipsec client ezvpn name outside command option allows designating up to four outside interfaces. The default option is outside. The syntax is as follows:

Rtr1(config)#interface interface-id
Rtr1(config-if)#crypto ipsec client ezvpn name [outside | inside]

This feature is applicable only to platforms, such as the Cisco 1700 series routers, that support multiple outside interfaces.

While each inside or outside interface supports only one tunnel, multiple inside interfaces can be mapped to one outside interface.

The following example shows configuring an outside interface using the outside designation. Because outside is the default, the keyword could have been omitted:

Rtr1(config)#interface serial 0/0
Rtr1(config-if)#crypto ipsec client ezvpn vpn1 outside

NAT Interoperability Support

With the original Easy VPN Client, the automatic NAT and access list configuration replaced any existing NAT and access list configuration. If the tunnel timed out or dropped its connection, the NAT and access list configuration was removed automatically, blocking Internet access even to nontunnel destinations.

Cisco Easy VPN Remote Phase Two supports interoperability with locally configured NAT. When the IPSec VPN tunnel is down, the router automatically restores the previous NAT configuration. Users can continue to access nontunnel Internet connections when the tunnel times out or disconnects.

Local Address Support for Easy VPN Remote

Easy VPN Remote Phase Two provides a local-address subcommand that specifies the interface whose IP address is used as the source of VPN tunnel traffic. Typically, a loopback interface is used to source tunnel traffic. The syntax is as follows:

Rtr1(config)#crypto ipsec client ezvpn name
Rtr1(config-crypto-ezvpn)#local-address interface-id

The following example shows the local-address subcommand used to specify the loopback0 interface for sourcing tunnel traffic:

Rtr1#config t
Rtr1(config)#crypto ipsec client ezvpn telecom-client
Rtr1(config-crypto-ezvpn)#local-address loopback0
Rtr1(config-crypto-ezvpn)#

Cable DHCP Proxy Enhancement

With Phase Two, cable providers can use the Cable DHCP Proxy feature to obtain a public IP address, assign it to the loopback interface, and then have the cable modem interface get its IP address from the loopback interface. The Phase Two feature enhancement applies to the existing cable-modem dhcp-proxy interface configuration command for the uBR905 and uBR925 cable access routers.

For the router to configure the loopback interface automatically with the public IP address obtained from the DHCP server, the loopback interface must be created before issuing the cable-modem dhcp-proxy interface command.

The following example creates the loopback interface first and then names it in the cable-modem dhcp-proxy interface command, so the router automatically assigns it the public IP address:

Rtr1#config t
Rtr1(config)#interface loopback 0
Rtr1(config-if)#interface cable-modem 0
Rtr1(config-if)#cable-modem dhcp-proxy interface loopback0

Note

The cable-modem dhcp-proxy interface command is currently only supported for the Cisco uBR905 and uBR925 cable access routers.

Peer Host Name Enhancement

When defining the VPN peer, you can use either an IP address or a host name. In Phase One, when a host name is used, a DNS lookup is performed immediately to resolve the name to an IP address. Because Phase Two supports manual tunnel control, and to accommodate changes to the DNS entry, Phase Two stores the host name text string and performs the DNS lookup at the time of the tunnel connection. The host name syntax is as follows:

Rtr1(config)#crypto ipsec client ezvpn name
Rtr1(config-crypto-ezvpn)#peer [ip-address | hostname]

The following shows the crypto entries for a client whose peer is defined by the host name vpn-server:

Rtr1(config)#crypto ipsec client ezvpn vpn-client
Rtr1(config-crypto-ezvpn)#connect auto
Rtr1(config-crypto-ezvpn)#group vpn-client-grp key vpn-client-password
Rtr1(config-crypto-ezvpn)#local-address Loopback0
Rtr1(config-crypto-ezvpn)#mode client
Rtr1(config-crypto-ezvpn)#peer vpn-server

Proxy DNS Server Support

When the VPN connection to the corporate network is up, the enterprise DNS servers should resolve domain names to IP addresses. But when the VPN connection to the enterprise is down, the ISP or cable provider DNS servers should be used to resolve DNS requests.

An Easy VPN Remote Phase Two router can be configured to act as a proxy DNS server. As a proxy DNS server for the LAN, the router receives DNS queries from local users on behalf of the enterprise DNS server. The DHCP server hands out the router’s LAN address as the DNS server IP address. When the VPN tunnel connection is up, the router forwards the DNS queries to the enterprise DNS server. Otherwise, they’re forwarded to the ISP DNS server.

To enable the proxy DNS server functionality, use the ip dns server command in Global Configuration mode.
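The three tunnel-state behaviours described above (manual versus automatic reconnection, the peer host name resolved when the tunnel comes up, and proxy DNS following tunnel state) are easier to reason about side by side. The following Python model is an added example, not Cisco code and not a description of IOS internals: the EzvpnClient class, its resolver callback and the ISP DNS address are assumptions; the enterprise DNS addresses are the ones pushed by the Rtr2 configuration shown under Simultaneous Easy VPN Client and Server Support.

```python
"""Model of Easy VPN Remote Phase Two tunnel-state behaviour (added example).

A client keeps its peer as the configured text string and resolves it only
when the tunnel is brought up, so a changed DNS entry is honoured on the
next connection; a Phase One style client that resolved at configuration
time keeps using the stale address. The proxy DNS decision follows the
tunnel state.
"""
import ipaddress
from typing import Callable, List, Optional

# Enterprise DNS servers as pushed in the Rtr2 configuration in this chapter;
# the ISP server is a constructed placeholder from the RFC 5737 test range.
ENTERPRISE_DNS = ["192.168.0.13", "192.168.0.15"]
ISP_DNS = ["198.51.100.53"]


class EzvpnClient:
    """Minimal stand-in for one 'crypto ipsec client ezvpn' profile (assumed model)."""

    def __init__(self, name: str, peer: str, resolver: Callable[[str], str],
                 connect_mode: str = "auto", resolve_at: str = "connect") -> None:
        if connect_mode not in ("auto", "manual"):
            raise ValueError("connect mode must be 'auto' or 'manual'")
        if resolve_at not in ("config", "connect"):
            raise ValueError("resolve_at must be 'config' or 'connect'")
        self.name = name
        self.peer = peer                  # kept as the configured text string
        self.resolver = resolver          # stands in for the ISP/enterprise DNS lookup
        self.connect_mode = connect_mode
        self.resolve_at = resolve_at
        self.up = False
        self.peer_address: Optional[str] = None
        # Phase One style: the lookup happens when 'peer' is configured, so a
        # later change to the DNS entry is never seen by this profile.
        if resolve_at == "config":
            self.peer_address = self._resolve()

    def _resolve(self) -> str:
        try:
            return str(ipaddress.ip_address(self.peer))   # literal address: no lookup
        except ValueError:
            return self.resolver(self.peer)               # host name: look it up now

    def connect(self) -> str:
        """'crypto ipsec client ezvpn connect': bring the tunnel up.

        Phase Two resolves the peer name at this moment, not at config time.
        """
        if self.resolve_at == "connect":
            self.peer_address = self._resolve()
        self.up = True
        return self.peer_address

    def clear(self) -> None:
        """'clear crypto ipsec client ezvpn': tear the tunnel down."""
        self.up = False

    def tunnel_failed(self) -> bool:
        """A timed-out or dropped tunnel: auto mode reconnects at once, manual
        mode stays down until connect() is issued again. Returns the new state."""
        self.up = False
        if self.connect_mode == "auto":
            self.connect()
        return self.up

    def dns_forwarders(self) -> List[str]:
        """Proxy DNS: enterprise servers while the tunnel is up, ISP otherwise."""
        return list(ENTERPRISE_DNS) if self.up else list(ISP_DNS)


if __name__ == "__main__":
    dns_table = {"vpn-server": "192.0.2.17"}          # constructed DNS data
    lookup = lambda name: dns_table[name]
    phase_one = EzvpnClient("vpn-client", "vpn-server", lookup, resolve_at="config")
    phase_two = EzvpnClient("vpn-client", "vpn-server", lookup, connect_mode="manual")
    dns_table["vpn-server"] = "192.0.2.18"            # the DNS entry changes
    print("phase one connects to", phase_one.connect())   # stale 192.0.2.17
    print("phase two connects to", phase_two.connect())   # current 192.0.2.18
    print("queries go to", phase_two.dns_forwarders())
    phase_two.tunnel_failed()                          # manual: stays down
    print("after failure, queries go to", phase_two.dns_forwarders())
```

Because the name is resolved again each time the tunnel comes up, the answer the router receives decides which host it negotiates with; the IKE peer authentication (the group pre-shared key here) is what stops a wrong answer from turning into a usable tunnel, so a host name peer is no reason to weaken that step.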

PIX Interoperability Support

Cisco Easy VPN Remote Phase Two more fully supports the Cisco PIX Firewall v6.2 features than the original implementation of Easy VPN Remote.

Cisco IOS Firewall Support

Cisco Easy VPN Remote Phase Two more fully supports the Cisco IOS Firewall feature set than the original implementation of Easy VPN Remote.

Simultaneous Easy VPN Client and Server Support

Cisco Easy VPN Remote Phase Two more fully supports configuring simultaneous Easy VPN Client and Cisco Easy VPN Server support on the same Cisco 1700 series routers. You can configure one outside interface as a Cisco Easy VPN Server and another outside interface on the same router as a Cisco Easy VPN Client. Figure 12-12 shows an example of a router (Rtr2) acting as both an Easy VPN Client and a Server.

Figure 12-12: Router (Rtr2) acting as both an Easy VPN Client and a Server

The following example shows the configuration for the VPN client and server features on Rtr2. Some lines were eliminated to conserve space:

Rtr2#show run
version 12.2
!
hostname Rtr2
!
aaa new-model
aaa authorization network vpn-client-grp local 
aaa session-id common
!
ip subnet-zero
no ip domain-lookup
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local loc-pool
!
crypto isakmp client configuration group vpn-server-grp
 key vpn-grp-key
 dns 192.168.0.13 192.168.0.15
 wins 192.168.0.14 192.168.0.16
 domain vpn-test.com
 pool loc-pool
!
crypto ipsec transform-set trans-set-1 esp-3des esp-md5-hmac 
!
crypto ipsec client ezvpn client1
 connect auto
 group vpn-client-grp key vpn-grp-key
 mode client
 peer 1.1.100.17                                   (Rtr1)
!
crypto dynamic-map dyn-map 1
 set transform-set trans-set-1 
!
crypto map dyn-map isakmp authorization list vpn-server-grp
crypto map dyn-map client configuration address respond
crypto map dyn-map 1 ipsec-isakmp dynamic dyn-map 
!
interface FastEthernet0/0
 description Connection to Branch Office - VPN Clients
 ip address 5.0.0.1 255.0.0.0
 crypto ipsec client ezvpn client1 inside
!
interface Serial0/0
 description Connection to Corporate Network - VPN Server
 ip address 1.0.0.1 255.0.0.0
 no fair-queue
 crypto ipsec client ezvpn client1
!
interface Serial0/1
 description Connection to telecommuters - VPN Clients
 ip address 1.2.0.1 255.255.0.0
 crypto map dyn-map                                (for server functionality)
 crypto ipsec client ezvpn client1 inside          (for client functionality)
!
ip local pool loc-pool 1.2.0.3 1.2.0.31 
ip classless
!
line con 0
line aux 0
line vty 0 4
end
Rtr2#
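The inside/outside limits given earlier (up to three inside and four outside interfaces per profile, one tunnel per interface, the role defaulting to outside) are easy to get wrong on a router that also runs the server role, as Rtr2 does. The following Python checker is an added example, not a Cisco tool: it parses the interface blocks of a running configuration, collects the crypto ipsec client ezvpn bindings and reports violations of those limits. The sample configuration is the Rtr2 configuration above with unrelated lines dropped; the second, failing configuration is constructed for the check.

```python
"""Audit Easy VPN Remote interface bindings in an IOS running config (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

MAX_INSIDE = 3    # Phase Two limit per profile, from the text
MAX_OUTSIDE = 4   # Phase Two limit per profile, from the text

INTERFACE_RE = re.compile(r"^interface\s+(.+?)\s*$")
# Binding lines are indented under an interface; the role is optional and
# defaults to outside.
BINDING_RE = re.compile(
    r"^\s+crypto ipsec client ezvpn\s+(\S+)(?:\s+(inside|outside))?\s*$")

# Rtr2 configuration from the text, trimmed to the relevant sections.
RTR2_CONFIG = """\
hostname Rtr2
!
crypto ipsec client ezvpn client1
 connect auto
 group vpn-client-grp key vpn-grp-key
 mode client
 peer 1.1.100.17
!
interface FastEthernet0/0
 description Connection to Branch Office - VPN Clients
 ip address 5.0.0.1 255.0.0.0
 crypto ipsec client ezvpn client1 inside
!
interface Serial0/0
 description Connection to Corporate Network - VPN Server
 ip address 1.0.0.1 255.0.0.0
 no fair-queue
 crypto ipsec client ezvpn client1
!
interface Serial0/1
 description Connection to telecommuters - VPN Clients
 ip address 1.2.0.1 255.255.0.0
 crypto map dyn-map
 crypto ipsec client ezvpn client1 inside
!
end
"""

# Constructed configuration that binds four inside interfaces to one profile.
TOO_MANY_INSIDE = "\n".join(
    f"interface FastEthernet{i}/0\n crypto ipsec client ezvpn vpn1 inside\n!"
    for i in range(4)
) + "\ninterface Serial0/0\n crypto ipsec client ezvpn vpn1 outside\n!\n"


def parse_ezvpn_bindings(config: str) -> Dict[str, Tuple[str, str]]:
    """Return {interface: (profile, role)} for every ezvpn interface binding.

    Raises ValueError if one interface carries more than one binding, since
    each interface supports only one tunnel.
    """
    bindings: Dict[str, Tuple[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("!"):          # '!' ends the interface block
            current = None
            continue
        m = BINDING_RE.match(line)
        if m and current:
            if current in bindings:
                raise ValueError(f"{current}: more than one ezvpn binding")
            bindings[current] = (m.group(1), m.group(2) or "outside")
    return bindings


def check_limits(bindings: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return human-readable violations of the Phase Two limits (empty == OK)."""
    per_profile = defaultdict(lambda: {"inside": [], "outside": []})
    for iface, (profile, role) in bindings.items():
        per_profile[profile][role].append(iface)
    problems = []
    for profile, roles in sorted(per_profile.items()):
        n_in, n_out = len(roles["inside"]), len(roles["outside"])
        if n_in > MAX_INSIDE:
            problems.append(f"{profile}: {n_in} inside interfaces (max {MAX_INSIDE})")
        if n_out > MAX_OUTSIDE:
            problems.append(f"{profile}: {n_out} outside interfaces (max {MAX_OUTSIDE})")
        # Inside interfaces are mapped to an outside interface, so a profile
        # with inside interfaces and no outside interface cannot carry traffic.
        if n_in and not n_out:
            problems.append(f"{profile}: inside interfaces but no outside interface")
    return problems


def audit(config: str) -> List[str]:
    """Parse a running configuration and return the list of problems found."""
    return check_limits(parse_ezvpn_bindings(config))


if __name__ == "__main__":
    for label, cfg in (("Rtr2", RTR2_CONFIG), ("constructed", TOO_MANY_INSIDE)):
        print(label, "->", audit(cfg) or "OK")
```

Running the script against Rtr2 reports OK (two inside interfaces and one outside interface on profile client1), and the constructed configuration reports the fourth inside interface.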

Cisco Easy VPN Remote Web Manager

Cisco Easy VPN Remote Phase Two introduced using the Cisco Easy VPN Remote Web Manager to manage the Cisco uBR905 and Cisco uBR925 cable access routers. The Cisco Easy VPN Remote Web Manager is a built-in web-interface application resident on the uBR905 and uBR925 devices. The Web Manager enables the user to avoid the command-line interface (CLI) to perform the following functions:

  • See the current status of any Easy VPN Remote Phase Two tunnels

  • Connect or disconnect a tunnel configured for manual control

  • Reset a tunnel configured for automatic connection

  • Be prompted for Xauth information if Xauth information is needed


Part III: Virtual Private Networks (VPNs)