EZVPN is a client/server VPN solution where dynamic tunnels are created.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-4t/sec-sec-for-vpns-w-ipsec-12-4t-book/sec-ipsec-virt-tunnl.html
In IPSec, you need to remember 3 things:
Who: who the endpoint is
What: the proxy ACL
How: the transform set
!!!!SERVER
!
!!Configure authentication. Local for testing
!
aaa new-model
aaa authentication login local_list local
aaa authorization network local_list local
aaa session-id common
!
username cisco password cisco
!
!!Create isakmp policy for phase 1.
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
hash sha
!
!!Create IP pool
!
ip local pool group1pool 192.168.1.1 192.168.1.254
!
!!Create split tunnel ACL
!
ip access-list extended SPLIT_ACL
permit ip 172.16.0.0 0.0.255.255 any
!
!!Isakmp phase 1.5. Create isakmp group config.
!
crypto isakmp client configuration group group1
key cisco
pool group1pool
save-password
acl SPLIT_ACL
!
!!Isakmp dynamic profile config. Phase 1.5
!
crypto isakmp profile vpn1-ra
match identity group group1
client authentication list local_list
isakmp authorization list local_list
client configuration address respond
virtual-template 1
!
!!Create transform set for phase 2
!
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
!
!!Apply transform set to phase 2 profile.
!
crypto ipsec profile test-vti1
set transform-set VTI-TS
!
!!Configure DVTI interface
!
interface Virtual-Template1 type tunnel
ip unnumbered loopback0
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile test-vti1
!
!
!!!!!!CLIENT
!
!!Configure client section.
!
crypto ipsec client ezvpn xauth
connect manual
mode network-extension
xauth userid mode interactive
crypto ipsec client ezvpn EZVPN_CLIENT_GROUP
connect auto
group group1 key cisco
mode client
peer 200.0.23.3
xauth userid mode interactive
!
!!Assign inside and outside interfaces
!
interface FastEthernet0/0
ip address 10.0.56.5 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN_CLIENT_GROUP inside
!
interface FastEthernet0/1
ip address 10.0.125.5 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN_CLIENT_GROUP
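An added example, not part of the original post: a short Python check that walks an IOS configuration like the one above and flags the "How" settings that are weak by current standards (3DES, SHA-1, the 1024-bit Diffie-Hellman group 2), along with the "username ... password" line and "save-password". The rule list, the audit function name and the choice of what counts as weak are this example's assumptions.

```python
import re

# Constructed sample: lines taken from the server section above.
SAMPLE = """\
username cisco password cisco
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
hash sha
crypto isakmp client configuration group group1
key cisco
pool group1pool
save-password
acl SPLIT_ACL
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
"""

# Lines that open a new configuration section (sub-commands may arrive unindented).
TOP_LEVEL = ("crypto ", "interface ", "username ", "aaa ", "ip local pool ", "ip access-list ")

# (section regex, line regex, finding). What counts as weak is this example's policy.
RULES = [
    (r"crypto isakmp policy", r"encr (des|3des)$", "phase 1 cipher is DES/3DES; use AES"),
    (r"crypto isakmp policy", r"hash (md5|sha)$", "phase 1 hash is MD5/SHA-1; use SHA-2"),
    (r"crypto isakmp policy", r"group (1|2|5)$", "DH group is below 2048 bits"),
    (r"crypto ipsec transform-set", r".*\besp-(des|3des)\b", "phase 2 cipher is DES/3DES; use AES"),
    (r"crypto ipsec transform-set", r".*\besp-(md5|sha)-hmac\b", "phase 2 HMAC is MD5/SHA-1"),
    (r"crypto isakmp client configuration group", r"save-password$", "clients may store the XAUTH password"),
    (r"username ", r"username \S+ (.+ )?password ", "local user uses 'password' instead of 'secret'"),
]

def audit(config):
    """Return (line number, line, finding) for every weak setting in an IOS config."""
    findings, section = [], ""
    for num, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(TOP_LEVEL):
            section = line  # remember which block the following sub-commands belong to
        for sect_re, line_re, msg in RULES:
            if re.match(sect_re, section) and re.match(line_re, line):
                findings.append((num, line, msg))
    return findings

if __name__ == "__main__":
    for num, line, msg in audit(SAMPLE):
        print(f"line {num}: {line}: {msg}")
```

Because the rules are keyed on the enclosing section, the client's "group group1 key cisco" line is not mistaken for a Diffie-Hellman group.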
!!!!!!!WINDOWS CLIENT