To help you understand the configuration of IPSec remote access on a router, review Figure 20-1, which I use for the following example. Example 20-4 displays a sample configuration for the router shown in Figure 20-1.
Router(config)# aaa new-model                                                      (1)
Router(config)# aaa authentication login vpnauthenticate local
Router(config)# aaa authorization network quizware local
Router(config)# username richard secret hispassword
Router(config)# username natalie secret herpassword
Router(config)# crypto isakmp policy 10                                            (2)
Router(config-isakmp)# encryption 3des
Router(config-isakmp)# hash md5
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# group 2
Router(config-isakmp)# exit
Router(config)# crypto isakmp keepalive 20 10                                      (3)
Router(config)# crypto isakmp xauth timeout 45
Router(config)# ip local pool quizware_pool 192.168.1.200 192.168.1.254            (4)
Router(config)# crypto isakmp client configuration group quizware                  (5)
Router(config-isakmp-group)# key quizwarekey
Router(config-isakmp-group)# pool quizware_pool
Router(config-isakmp-group)# domain quizware.com
Router(config-isakmp-group)# dns 192.168.1.2
Router(config-isakmp-group)# split-dns quizware.com
Router(config-isakmp-group)# include-local-lan
Router(config-isakmp-group)# exit
Router(config)# crypto ipsec transform-set easyclients esp-3des esp-sha-hmac       (6)
Router(config)# crypto dynamic-map dynamic_map 10                                  (7)
Router(config-crypto-map)# set transform-set easyclients
Router(config-crypto-map)# exit
Router(config)# crypto map static_map client authentication list vpnauthenticate   (8)
Router(config)# crypto map static_map isakmp authorization list quizware           (9)
Router(config)# crypto map static_map client configuration address respond         (10)
Router(config)# crypto map static_map client configuration address initiate
Router(config)# crypto map static_map 999 ipsec-isakmp dynamic dynamic_map         (11)
Router(config)# access-list 100 permit udp any host 188.8.131.52 eq isakmp         (12)
Router(config)# access-list 100 permit esp any host 184.108.40.206
Router(config)# access-list 100 permit udp any host 220.127.116.11 eq 4500
Router(config)# access-list 100 remark <--include other ACL statements for ACL 100-->
Router(config)# interface ethernet1                                                (13)
Router(config-if)# ip address 18.104.22.168 255.255.255.0
Router(config-if)# ip access-group 100 in
Router(config-if)# crypto map static_map
The following is an explanation of the configuration in Example 20-4, with reference to the numbering on the right side:
1. The first three aaa commands enable AAA, define the authentication list used for remote access, and define the network authorization list for the remote-access group called quizware, respectively. The two username commands set up the user accounts used for XAUTH.
2. The IKE Phase 1 policy defines 3DES encryption, the MD5 hash function, device authentication with preshared keys, and DH group 2 keys.
3. IKE DPD is defined with a keepalive interval of 20 seconds and a retry period of 10 seconds. The XAUTH authentication timeout period has been changed to 45 seconds.
4. An internal address pool for remote-access clients includes the addresses from 192.168.1.200 to 192.168.1.254.
5. The quizware remote-access group is defined. The preshared key for this group is set to quizwarekey, and the address pool assigned to this group is the one defined in the ip local pool command: quizware_pool. The domain name is defined as quizware.com, and the DNS server is 192.168.1.2. Split DNS is set up so that the remote-access VPN connection is used to resolve any devices within quizware.com and the user's local DNS configuration is used to resolve other names. The include-local-lan command allows split tunneling for only the remote-access user's local LAN segment: All other traffic must be tunneled to the central site.
6. A transform set is built for the remote-access clients, specifying only the ESP protocol with 3DES encryption and SHA as the hashing function.
7. A dynamic crypto map, called dynamic_map, specifies the transform set for remote-access clients.
8. The remote-access VPN authentication list (vpnauthenticate) from the aaa authentication login command is tied to the static crypto map.
9. The remote-access group from the aaa authorization network command, quizware, is associated with the static crypto map.
10. These two commands allow the router to respond to IKE Mode Config requests from a client, as well as to initiate them to a client.
11. The remote-access dynamic crypto map is referenced in a static crypto map entry. Notice that I have given the entry a high sequence number, just in case I decide later to add L2L connections, which should have a lower number than this so that they are evaluated first.
12. This ACL is used to allow remote-access users to terminate their IPSec connections on the router. Notice that the source address is unknown and, therefore, is specified as any. Also, the third statement, with UDP port 4500, allows remote-access connections from EVCs that need to use NAT-T.
13. The static crypto map is activated on the router's public interface.
As you can see from this example, even this simple configuration for remote-access users is more complicated than an L2L configuration.
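To turn the points in the explanation above into something repeatable, here is an added example (not from the book and not a Cisco tool) that audits a running-config of the same shape: it flags the legacy IKE Phase 1 algorithms in item 2, checks that the inbound ACL on the crypto-map interface admits ISAKMP, ESP and NAT-T as in item 12, checks that the dynamic-map entry keeps the highest sequence number as in item 11, and counts the pool addresses from item 4. SAMPLE_CONFIG is a constructed excerpt (prompts stripped, as in show running-config) that uses the documentation address 192.0.2.1 in place of the router's public address; all function names are my own.

```python
"""Audit checks for an IOS Easy VPN server configuration shaped like Example 20-4.

Added example, not from the book. SAMPLE_CONFIG is a constructed running-config
excerpt; 192.0.2.1 (a documentation address) stands in for the public address.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of "show running-config": prompts stripped, sub-commands indented.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
ip local pool quizware_pool 192.168.1.200 192.168.1.254
crypto map static_map 999 ipsec-isakmp dynamic dynamic_map
access-list 100 permit udp any host 192.0.2.1 eq isakmp
access-list 100 permit esp any host 192.0.2.1
access-list 100 permit udp any host 192.0.2.1 eq 4500
interface ethernet1
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
 crypto map static_map
"""

LEGACY_ENCRYPTION = {"des", "3des"}
LEGACY_HASH = {"md5", "sha"}        # "sha" is SHA-1; SHA-2 shows up as sha256/sha384/sha512
LEGACY_DH_GROUPS = {"1", "2", "5"}  # current guidance (NIST SP 800-77r1, Cisco NGE): group 14+


def parse_sections(config):
    """Split IOS config text into (top-level command, [indented sub-commands]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def check_isakmp_policies(sections):
    """Flag legacy algorithms in each IKE Phase 1 policy. Only explicitly set values
    are judged; defaults differ by IOS release, so confirm with 'show crypto isakmp policy'."""
    findings = []
    for head, body in sections:
        m = re.match(r"crypto isakmp policy (\d+)$", head)
        if not m:
            continue
        settings = {"encryption": None, "hash": None, "group": None}
        for line in body:
            key, _, value = line.partition(" ")
            if key in settings:
                settings[key] = value
        if settings["encryption"] in LEGACY_ENCRYPTION:
            findings.append(f"policy {m.group(1)}: encryption {settings['encryption']} is legacy (use AES)")
        if settings["hash"] in LEGACY_HASH:
            findings.append(f"policy {m.group(1)}: hash {settings['hash']} is legacy (use sha256 or stronger)")
        if settings["group"] in LEGACY_DH_GROUPS:
            findings.append(f"policy {m.group(1)}: DH group {settings['group']} is legacy (use 14 or stronger)")
    return findings


def check_public_acl(sections):
    """On each interface carrying a crypto map, verify the inbound ACL admits
    IKE (UDP/500), ESP and NAT-T (UDP/4500) destined to the interface address."""
    findings = []
    acl_entries = defaultdict(list)
    for head, _ in sections:
        m = re.match(r"access-list (\S+) (.+)$", head)
        if m:
            acl_entries[m.group(1)].append(m.group(2))
    for head, body in sections:
        if not head.startswith("interface ") or "crypto map" not in " ".join(body):
            continue
        ip = acl = None
        for line in body:
            if line.startswith("ip address "):
                ip = line.split()[2]
            elif line.startswith("ip access-group ") and line.endswith(" in"):
                acl = line.split()[2]
        if acl is None:
            findings.append(f"{head}: no inbound ACL applied")
            continue
        host = re.escape(ip or "")
        required = {  # IOS accepts the port keywords isakmp (500) and non500-isakmp (4500)
            "IKE (UDP/500)": rf"permit udp any host {host} eq (isakmp|500)$",
            "ESP": rf"permit esp any host {host}$",
            "NAT-T (UDP/4500)": rf"permit udp any host {host} eq (non500-isakmp|4500)$",
        }
        for label, pattern in required.items():
            if not any(re.match(pattern, entry) for entry in acl_entries.get(acl, [])):
                findings.append(f"{head}: ACL {acl} does not permit {label} to {ip}")
    return findings


def check_crypto_map_order(sections):
    """Dynamic-map entries must carry the highest sequence numbers in their crypto map,
    so that static L2L entries (possibly added later) are evaluated first."""
    findings = []
    entries = defaultdict(list)  # crypto map name -> [(sequence, is_dynamic)]
    for head, _ in sections:
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp(.*)$", head)
        if m:
            entries[m.group(1)].append((int(m.group(2)), "dynamic" in m.group(3)))
    for name, ents in entries.items():
        dynamic = [seq for seq, is_dyn in ents if is_dyn]
        static = [seq for seq, is_dyn in ents if not is_dyn]
        if dynamic and static and min(dynamic) < max(static):
            findings.append(f"crypto map {name}: dynamic entry {min(dynamic)} is evaluated "
                            f"before static entry {max(static)}")
    return findings


def pool_sizes(sections):
    """Number of addresses in each 'ip local pool' (one per concurrent remote-access client)."""
    sizes = {}
    for head, _ in sections:
        m = re.match(r"ip local pool (\S+) (\S+) (\S+)$", head)
        if m:
            first, last = (int(ipaddress.IPv4Address(a)) for a in m.group(2, 3))
            sizes[m.group(1)] = last - first + 1
    return sizes


if __name__ == "__main__":
    parsed = parse_sections(SAMPLE_CONFIG)
    for check in (check_isakmp_policies, check_public_acl, check_crypto_map_order):
        print(check.__name__, check(parsed) or "ok")
    print("pool sizes", pool_sizes(parsed))
```

Run against the constructed excerpt, the ACL and sequence-number checks pass and the pool reports 55 addresses, while the Phase 1 policy draws three findings (3DES, MD5, DH group 2), which is the expected result for a policy written to the book's era. Feed it the output of show running-config from a real router to see whether an added L2L entry ever slipped above the dynamic entry or whether the NAT-T line was dropped from the public ACL.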
EasyVPN is a marketing term developed by someone at Cisco to attempt to make the setup of remote-access VPNs seem easy. Actually, there is nothing "easy" about setting up and troubleshooting any type of VPN connection, remote access or L2L. The first time I set up a remote-access VPN on a Cisco router, it took me more than a day to get everything running correctly. Based on this experience, I prefer to use Cisco remote-access concentrators for remote access, and, in many cases, L2L connections. The concentrators support all of the VPN functions of the router, plus a lot more, especially when it concerns remote-access features and functions, such as SSL VPNs. In addition, the concentrators support an easy-to-use GUI interface. When you compare the cost of a concentrator with SEP cards to a comparable 7200 with VPN accelerator cards, the concentrators are a better, more scalable VPN purchase. About the only time I use routers for VPN connections is when they already exist in the network and I need to support only a small number of VPN connections. If I need to support a lot of connections, especially remote access, I prefer to use a concentrator. However, Cisco is making strides in simplifying the configuration of VPNs with its VPN Device Manager (VDM), Security Device Manager (SDM), and Router Management Console (MC); the latter is a part of CiscoWorks VMS.