IPSec Remote Access Example

To help you understand the configuration of IPSec remote access on a router, review Figure 20-1, which I use for the following example. Example 20-4 displays a sample configuration for the router shown in Figure 20-1.

Example 20-4. Setting up a Simple Configuration on an EVS for Remote Access

Router(config)# aaa new-model                                     (1)
Router(config)# aaa authentication login vpnauthenticate local
Router(config)# aaa authorization network quizware local
Router(config)# username richard secret hispassword
Router(config)# username natalie secret herpassword
Router(config)# crypto isakmp policy 10                           (2)
Router(config-isakmp)# encryption 3des
Router(config-isakmp)# hash md5
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# group 2
Router(config-isakmp)# exit
Router(config)# crypto isakmp keepalive 20 10                     (3)
Router(config)# crypto isakmp xauth timeout 45
Router(config)# ip local pool quizware_pool                       (4)
                        192.168.1.200 192.168.1.254
Router(config)# crypto isakmp client configuration group quizware (5)
Router(config-isakmp-group)# key quizwarekey
Router(config-isakmp-group)# pool quizware_pool
Router(config-isakmp-group)# domain quizware.com
Router(config-isakmp-group)# dns 192.168.1.2
Router(config-isakmp-group)# split-dns quizware.com
Router(config-isakmp-group)# include-local-lan
Router(config-isakmp-group)# exit
Router(config)# crypto ipsec transform-set easyclients            (6)
                        esp-3des esp-sha-hmac
Router(config)# crypto dynamic-map dynamic_map 10                 (7)
Router(config-crypto-map)# set transform-set easyclients
Router(config-crypto-map)# exit
Router(config)# crypto map static_map client authentication       (8)
                        list vpnauthenticate
Router(config)# crypto map static_map isakmp authorization        (9)
                        list quizware
Router(config)# crypto map static_map client configuration       (10)
                        address respond
Router(config)# crypto map static_map client configuration
                        address initiate
Router(config)# crypto map static_map 999 ipsec-isakmp           (11)
                        dynamic dynamic_map
Router(config)# access-list 100 permit udp any                   (12)
                        host 192.1.1.1 eq isakmp
Router(config)# access-list 100 permit esp any
                        host 192.1.1.1
Router(config)# access-list 100 permit udp any
                        host 192.1.1.1 eq 4500
Router(config)# remark <--include other ACL statements
                          for ACL 100-->
Router(config)# interface ethernet1                              (13)
Router(config-if)# ip address 192.1.1.1 255.255.255.0
Router(config-if)# ip access-group 100 in
Router(config-if)# crypto map static_map


The following is an explanation of the configuration in Example 20-4, with reference to the numbering on the right side:

  1. The first three aaa commands enable AAA, define the login authentication list used for remote access (vpnauthenticate), and define the network authorization list for the remote-access group called quizware, respectively. The two username commands set up the local user accounts that XAUTH authenticates against.

  2. The IKE Phase 1 policy defines 3DES encryption, an MD5 hash function, device authentication with preshared keys, and DH group 2 keys.

  3. IKE DPD is defined with a keepalive interval of 20 seconds and a retry period of 10 seconds. The XAUTH authentication timeout period has been changed to 45 seconds.

  4. An internal address pool for remote-access clients includes addresses from 192.168.1.200 to 192.168.1.254.

  5. The quizware remote-access group is defined. The preshared key for this group is set to quizwarekey, and the address pool assigned to this group is the one defined by the ip local pool command: quizware_pool. The domain name is defined as quizware.com, and the DNS server is 192.168.1.2. Split DNS is set up so that names within quizware.com are resolved across the remote-access VPN connection, while the user's local DNS configuration resolves all other names. The include-local-lan command allows split tunneling only for the remote-access user's local LAN segment; all other traffic must be tunneled to the central site.

  6. A transform set is built for the remote-access clients, specifying only the ESP protocol with 3DES encryption and SHA as a hashing protocol.

  7. A dynamic crypto map, called dynamic_map, specifies the transform set for remote-access clients.

  8. The remote-access VPN authentication list (vpnauthenticate) from the aaa authentication login command is tied to the static crypto map.

  9. The remote-access group from the aaa authorization network command, quizware, is associated with the static crypto map.

  10. These two commands allow the router to respond to IKE Mode Config (client configuration) address requests from a client, as well as to initiate them to a client.

  11. The remote-access dynamic crypto map is referenced in a static crypto map entry. Notice that I have given the entry a higher number, just in case I decide later to add L2L connections, which should have a lower number than this.

  12. This ACL is used to allow remote-access users to terminate their IPSec connections on the router. Notice that the source address is unknown and, therefore, is specified as any. Also, the third statement, with UDP port 4500, allows remote-access connections from EVCs that need to use NAT-T.

  13. The static crypto map is activated on the router's public interface.
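As an added example (not from the book or from Cisco), the following Python cross-checker verifies the references that the numbered explanation above walks through: that the lists named on the static crypto map exist as aaa lists (points 8 and 9), that the dynamic entry sits above every static L2L entry (point 11), and that the ACL applied inbound on the interface carrying the crypto map admits IKE, ESP and NAT-T to that interface's own address (points 12 and 13). The configuration embedded in it is constructed from Example 20-4, with a hypothetical L2L entry (sequence 10) added.

```python
import re

# Constructed sample input: the Example 20-4 commands with continuation lines joined, plus a
# hypothetical L2L entry (sequence 10) so the ordering rule from point 11 has something to compare.
CONFIG = """\
aaa authentication login vpnauthenticate local
aaa authorization network quizware local
crypto map static_map client authentication list vpnauthenticate
crypto map static_map isakmp authorization list quizware
crypto map static_map 10 ipsec-isakmp
crypto map static_map 999 ipsec-isakmp dynamic dynamic_map
access-list 100 permit udp any host 192.1.1.1 eq isakmp
access-list 100 permit esp any host 192.1.1.1
access-list 100 permit udp any host 192.1.1.1 eq 4500
interface ethernet1
 ip address 192.1.1.1 255.255.255.0
 ip access-group 100 in
 crypto map static_map
"""

def check_remote_access(config):
    """Cross-check the remote-access references of an IOS config; an empty list means they all line up."""
    findings, lines = [], [line.strip() for line in config.splitlines()]
    # Points 8 and 9: the lists named on the static crypto map must be defined by the aaa commands.
    for kind, ref_re, def_re in [
        ("authentication", r"^crypto map \S+ client authentication list (\S+)", r"^aaa authentication login (\S+)"),
        ("authorization", r"^crypto map \S+ isakmp authorization list (\S+)", r"^aaa authorization network (\S+)"),
    ]:
        for ref in set(re.findall(ref_re, config, re.M)) - set(re.findall(def_re, config, re.M)):
            findings.append(f"{kind} list {ref} is referenced but never defined")
    # Point 11: the dynamic entry must carry a higher sequence number than every static (L2L) entry.
    entries = re.findall(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$", config, re.M)
    for name, seq, dyn in entries:
        if dyn and any(n == name and int(s) > int(seq) for n, s, d in entries if not d):
            findings.append(f"dynamic entry {name} {seq} is ordered below a static entry")
    # Points 12 and 13: the ACL applied inbound on the interface carrying the crypto map must
    # admit IKE (UDP 500), ESP and NAT-T (UDP 4500) to that interface's own address.
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)+)", config, re.M):
        cmds = body.split("\n")
        if not any(c.startswith(" crypto map ") for c in cmds):
            continue
        addr = next((c.split()[2] for c in cmds if c.startswith(" ip address ")), None)
        acl = next((c.split()[2] for c in cmds if c.startswith(" ip access-group ") and c.endswith(" in")), None)
        for proto, tail in (("udp", " eq isakmp"), ("esp", ""), ("udp", " eq 4500")):
            rule = f"access-list {acl} permit {proto} any host {addr}{tail}"
            if rule not in lines:
                findings.append(f"{name}: missing '{rule}'")
    return findings
```

Run it against a `show running-config` capture pasted into CONFIG; each finding names the numbered point whose reference does not line up.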

As you can see from this example, this simple configuration for remote-access users is more complicated than an L2L configuration.

EasyVPN Deception

EasyVPN is a marketing term developed by someone at Cisco to attempt to make the setup of remote-access VPNs seem easy. Actually, there is nothing "easy" about setting up and troubleshooting any type of VPN connection, remote access or L2L. The first time I set up a remote-access VPN on a Cisco router, it took me more than a day to get everything running correctly. Based on this experience, I prefer to use Cisco remote-access concentrators for remote access, and, in many cases, L2L connections. The concentrators support all of the VPN functions of the router, plus a lot more, especially when it concerns remote-access features and functions, such as SSL VPNs. In addition, the concentrators support an easy-to-use GUI interface. When you compare the cost of a concentrator with SEP cards to a comparable 7200 with VPN accelerator cards, the concentrators are a better, more scalable VPN purchase. About the only time I use routers for VPN connections is when they already exist in the network and I need to support only a small number of VPN connections. If I need to support a lot of connections, especially remote access, I prefer to use a concentrator. However, Cisco is making strides in simplifying the configuration of VPNs with its VPN Device Manager (VDM), Security Device Manager (SDM), and Router Management Console (MC); the latter is a part of CiscoWorks VMS.