EasyVPN Server and DMVPN Hub on 1 Cisco router tutorial

The Cisco Dynamic Multipoint VPN (DMVPN) is a great way to deploy a multi-site VPN in a fully meshed setup: all locations can reach each other directly without any extra configuration, and since you can set it up with Cisco's SDM tool it's the fastest way to get things working.

However, when you want to extend that network with, say, plain IPsec (Easy VPN) access for remote users, you'll find yourself stuck. SDM will just mess up your configuration, and although there's lots of documentation available online, most of it is either not tailored to this case, incomplete, or contains errors.

I wanted to extend my SDM-designed DMVPN network with an Easy VPN server so mobile clients could dial into the network and reach servers located at the various DMVPN spokes. The Easy VPN server would ideally push a split tunnel, so the hub isn't forwarding the clients' internet traffic as well, and use pre-shared keys, as my network was too small to justify a PKI setup. This is how it would look:

[Figure: dmvpn_setup, the network layout described below]

The dotted line indicates a connection over the internet to the DMVPN hub, which should act as the Easy VPN server and grant access to the entire network. In my case the client is the rather excellent VPN Tracker from Equinux, but the normal Cisco VPN Client software works as well, as does the Cisco client built into the iPhone since iPhone OS 2.0.

I started with this deployment guide from Cisco, which illustrates quite well how such a network must be built. While the example needlessly complicates things by mixing PKI and PSK authentication, it does show what's required to make this work: by using a crypto IPsec profile (tunnel protection) for the DMVPN part and a dynamic crypto map for the Easy VPN part, both services can share one interface.

I started with the plain Easy VPN server setup to get a feel for how it's supposed to work. The example uses an Access Control Server for Extended Authentication (XAUTH: the username/password prompt in addition to the group name and group key), but you can use the router's local user database instead by dropping the 'group EzVPN' server-group reference from the aaa lines, like this (the users then have to exist as 'username' entries on the router):

aaa new-model
!!! The ACS stuff used to be here
aaa authentication login easyVPN local
aaa authorization network easyVPN local
!!! notice the omitted ‘group EzVPN’ part from both lines

The next part is the keyring holding the pre-shared key for the Easy VPN server. Keyrings are nice because you can create several and bind each one to its own ISAKMP profile, effectively giving the Easy VPN server and the DMVPN hub different PSKs. Note that the SDM-built DMVPN configuration contains a global line starting with 'crypto isakmp key', which conflicts with the keyrings, so make sure you remove it. Two things to keep in mind about this group key: Easy VPN clients authenticate with IKEv1 aggressive mode, in which a hash of the group key is handed to anyone who presents the right group name and can be attacked offline, so use a long random key and keep XAUTH in place (as this setup does) so the group key alone never gets anyone in. Also, 'save-password' in the group configuration below lets clients store their XAUTH password locally, which you may prefer to leave out on devices you don't control.

After the keyring the example declares an ISAKMP (IKE phase 1) policy, shown here, together with the client configuration group and the ISAKMP profile for the Easy VPN group. I'm creating only one group, since all users are stored locally and there's no point in splitting them up. Note that 3DES and DH group 2 are weak by today's standards; they are what the IKEv1 software clients of the time negotiate, so check what your client supports before tightening them.

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

crypto isakmp client configuration group easyvpn-group
key
pool easyvpn-pool
acl 101
save-password
crypto isakmp profile easyvpn-group
keyring ezvpn-spokes
match identity group easyvpn-group
client authentication list easyVPN
isakmp authorization list easyVPN
client configuration address respond

We then define the transform set for the IPsec (phase 2) negotiation (3DES and SHA-1) and build the dynamic crypto map that will be bound to the outside interface. Because it's a dynamic map it only answers negotiations initiated by the clients and won't interfere with the tunnel protection used by the DMVPN part. There's a typo here in the guide: the isakmp-profile name should be easyvpn-group, not easyvpn. Corrected version:

crypto ipsec transform-set ts1 esp-3des esp-sha-hmac

crypto dynamic-map dmap 10
set transform-set ts1
!!! We associate the ezvpn isakmp profile with the dynamic crypto map. The guide says 'easyvpn' here, which doesn't match the profile defined above.
set isakmp-profile easyvpn-group
!!! Reverse-route injects a static host route for each assigned client address into the routing table, so the rest of the network can reach the remote device. Needed when the client must be reachable from the corporate side, e.g. for IP telephony.
reverse-route

We're almost done: wrap the dynamic map in a regular crypto map ('crypto map ezvpn-map 1 ipsec-isakmp dynamic dmap', which you can also see in the full configuration at the end of this post) and apply that map to the outside interface, as shown here:

interface FastEthernet0
ip address 217.115.195.99 255.255.255.0
duplex auto
speed auto
crypto map ezvpn-map !!! Here it is

Also make sure the local IP pool you assign to clients does NOT overlap an existing subnet, otherwise the return traffic can't be routed. The host routes that 'reverse-route' creates for this pool are what the spokes need to learn; on my hub the 'redistribute static' line under 'router eigrp 113' (see the full config at the end) takes care of that. Mine looks like this:

ip local pool easyvpn-pool 192.168.24.24 192.168.24.48

You now have a working Easy VPN server. Test it, congratulate yourself on your copy-paste skills, and let's move on.

Adding the DMVPN hub to the example

We can now add the DMVPN hub functionality without disturbing the Easy VPN server. I skipped the parts of the deployment guide about the different Easy VPN connection modes (client mode or network extension mode, which apply when the remote end is itself a Cisco router): there's no point adding a router over Easy VPN when you already have a fully meshed DMVPN.

I also chose a split tunnel, so only traffic for the corporate subnets goes through the Easy VPN tunnel. This means you'll need an access list holding all the subnets the Easy VPN client should reach; no biggie, we'll get to it later. If you leave that access list out, all client traffic flows through the tunnel. That can be a good thing if you want a safe connection from wherever you are (and it closes the side door a split tunnel leaves open, where the client sits on its local network and the corporate network at once), but then you must also push working DNS servers with 'dns' in the client configuration group, or your clients won't be able to resolve any names.

The first lines of the example are the same as before; skip the crypto pki part, you won't need it. We add a second ISAKMP policy for the DMVPN tunnel, again with pre-shared key authentication. I chose AES instead of 3DES here: it's stronger and, unless you have very slow routers, there's no reason not to use it. Give this policy an explicit 'group' line as well; without one IOS defaults to DH group 1 (768 bit), which is weaker than the group 2 used by the Easy VPN policy.

If you didn't already add the split-tunnel ACL to your crypto isakmp client configuration, this is the time to do it. Mine looks like this:

crypto isakmp client configuration group easyvpn-group
key
pool easyvpn-pool
acl 101 !!! This is the access-list we’ll be using to identify the subnets that the Easy VPN tunnel should accept.
save-password

The example notes a second crypto ipsec transform set with 'mode transport require' set. I found that I had to disable it to get my existing DMVPN spokes working again. What it does: transport mode keeps the GRE packet's own IP header and encrypts only the payload, which is the normal choice for DMVPN since the GRE tunnel already supplies the outer addresses. Without 'require' the router falls back to tunnel mode when the peer proposes it; with 'require' it refuses, and a spoke that proposes tunnel mode never comes up.
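As an added example (not from the original post or the Cisco guide), here are the two ISAKMP policies and transform sets from the sections above with stronger settings. The Easy VPN policy keeps DH group 2 because the IKEv1 software clients mentioned in this post negotiate with it; the DMVPN policy only has to interoperate with your own IOS routers, so it can use AES-256 and group 14. It assumes your IOS release accepts 'group 14' and that your clients support AES-256 (VPN Tracker, the Cisco VPN Client and the iPhone client do in my experience, but check yours); both are assumptions to verify, not facts from the post.

```ios
! Added example, not from the original post or the Cisco guide.
! Replaces the policies and transform sets used above, which were:
!   policy 10: encr 3des, group 2          (Easy VPN clients)
!   policy 20: encr aes, no 'group' line   (DMVPN; IOS then defaults to DH group 1)
!   ts1: esp-3des esp-sha-hmac, ts2: esp-aes esp-sha-hmac
! Assumption: your IOS release accepts 'group 14'; verify with
! 'show crypto isakmp policy' after entering it.
!
! Easy VPN: AES-256 in both phases. DH group 2 stays because the IKEv1
! software clients in this post negotiate aggressive mode with group 2.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
crypto ipsec transform-set ts1 esp-aes 256 esp-sha-hmac
!
! DMVPN: only your own IOS routers talk to this, so use DH group 14,
! and state the group explicitly so the group 1 default can't creep in.
crypto isakmp policy 20
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
! Transport mode is the normal choice for DMVPN: the GRE header already
! carries the outer addresses, so tunnel mode only adds 20 bytes per packet.
! Plain 'mode transport' still accepts tunnel mode if a spoke proposes it;
! 'mode transport require' does not, which is what broke the spokes above.
crypto ipsec transform-set ts2 esp-aes 256 esp-sha-hmac
 mode transport
!
! IOS tries policies in priority order (10 before 20) and the first one the
! peer also offers wins: a spoke offering AES-256/group 14 fails policy 10 on
! the group and matches 20; a software client offering group 2 matches 10.
```

Change both ends of the DMVPN in the same maintenance window: an IKE policy or transform set mismatch on either side drops that spoke until both match, and a spoke whose transform set lacks 'mode transport' will still negotiate tunnel mode with this hub.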

The guide's crypto ipsec profile for DMVPN is incomplete: with PSK you need a second keyring and an ISAKMP profile that the IPsec profile points to. This is how I did it (inspired by this other example from Cisco). Two remarks: if your spokes have fixed public addresses, list them in the keyring instead of the 0.0.0.0 wildcard so the key is only accepted from those peers; and the 120-second SA lifetime below is very short (a rekey every two minutes), fine for a handful of spokes, but the 3600-second default is more usual.

crypto keyring dmvpnspokes
pre-shared-key address 0.0.0.0 0.0.0.0 key

crypto isakmp profile DMVPN
keyring dmvpnspokes
match identity address 0.0.0.0
!!! This ensures the right key is used, and for any peer address. It does the same job as the SDM line 'crypto isakmp key ... address 0.0.0.0 0.0.0.0', which you should remove from your config.

crypto ipsec profile dmvpn-profile
set security-association lifetime seconds 120
set transform-set ts2
set isakmp-profile DMVPN
!!! Note the extra isakmp-profile that’s not in the example (since they’re using PKI I presume).

Next the example lists an extra dynamic crypto map for the PKI part, you can omit it.

Now look at your DMVPN tunnel interface; its last line should point at the correct profile, like this:

tunnel protection ipsec profile dmvpn-profile
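The hub's ISAKMP profile above accepts any peer address that presents the key in the 'dmvpnspokes' keyring, so a spoke only has to carry that key, a matching IKE policy and transform set, and the NHRP parameters of the hub. As an added example that is not in the original post, this is what a matching spoke looks like. The hub values are taken from this post (hub public address 217.115.195.99 from the interface shown earlier; tunnel address 172.16.1.13, NHRP authentication DMVPN_NW, network-id and tunnel key 100000, and EIGRP AS 113 from the full config at the end); the spoke's own addresses (172.16.1.20, the 192.168.20.0/24 LAN from the split-tunnel ACL) and the <KEY> placeholder are my assumptions.

```ios
! Added example: a DMVPN spoke matching the hub in this post. Not from the
! original post. <KEY> and the spoke's own addresses are assumptions.
!
! Same key as in the hub's 'dmvpnspokes' keyring, but bound to the hub's
! address only: a spoke has no reason to accept this key from anyone else.
crypto keyring dmvpnspokes
 pre-shared-key address 217.115.195.99 key <KEY>
!
! Must match one hub policy exactly (encr, hash, auth, group). The hub's
! posted policy 20 has no 'group' line and so sits on DH group 1; add
! 'group 2' (or better) on the hub as well, or this proposal is rejected.
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp profile DMVPN
 keyring dmvpnspokes
 match identity address 217.115.195.99 255.255.255.255
!
! Same transform set as the hub's ts2.
crypto ipsec transform-set ts2 esp-aes esp-sha-hmac
!
crypto ipsec profile dmvpn-profile
 set transform-set ts2
 set isakmp-profile DMVPN
!
interface Tunnel0
 ip address 172.16.1.20 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPN_NW
! static mapping of the hub's tunnel address to its public address,
! and the hub as the destination for multicast (EIGRP hellos)
 ip nhrp map 172.16.1.13 217.115.195.99
 ip nhrp map multicast 217.115.195.99
 ip nhrp network-id 100000
 ip nhrp holdtime 360
! register with the hub as next-hop server
 ip nhrp nhs 172.16.1.13
 tunnel source FastEthernet0
! multipoint so spoke-to-spoke tunnels can be built directly
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dmvpn-profile
!
router eigrp 113
 network 172.16.1.0 0.0.0.255
 network 192.168.20.0
 no auto-summary
```

The spoke learns the Easy VPN pool (192.168.24.0/24 host routes) from the hub via EIGRP, which is why the hub redistributes its reverse-route statics; without that the spoke has no return path for client traffic.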

Finally we get to create that access list. Add the subnets the clients should reach to the list you referenced with 'acl' (101 in my case), one entry per subnet, with the corporate subnet on the source side; the client builds its split-tunnel routes from these entries:

access-list 100 permit ip 192.168.24.0 0.0.0.255 any
!!! access-list 100 is a different list from my config and is not part of the split tunnel; only the 101 entries are pushed to the client
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.13.0 0.0.0.255 any

The example also covers other interesting things like metrics and split tunnels for DMVPN spokes. I did not require them in my setup and you can safely omit them from your configuration if your network has no such requirements.

That's it! If you did everything correctly your DMVPN spokes reconnect and you can fire up your VPN client. However, if you want to reach servers on a LAN directly attached to the DMVPN hub and that LAN has a NAT policy applied, you're in for a treat.

Fixing the NAT configuration to allow Easy VPN traffic from a local subnet attached to the DMVPN Hub.

Credit goes to Rik Bain for this solution, I found it here. If you look at the access list that feeds your NAT statement you'll notice it matches all traffic from the LAN. Inside-to-outside NAT happens before the crypto map looks at the packet, so replies to an Easy VPN client get their source rewritten to the hub's public address, no longer match the IPsec SA, and leave unencrypted towards the internet. Create an exception for traffic destined for the Easy VPN pool, placed before the permit, like this:

access-list 102 deny ip 192.168.13.0 0.0.0.255 192.168.24.0 0.0.0.255
access-list 102 permit ip 192.168.13.0 0.0.0.255 any
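The checks I'd run on the hub once all of the above is in place, as an added example that is not part of the original post. The pool, group, ACL and EIGRP names are the ones used in this post; the output you get depends on your peers, so none is shown.

```ios
! Added example: verifying the combined Easy VPN / DMVPN hub.
! Not from the original post.
!
! Phase 1. Expect one entry per connected Easy VPN client and per spoke,
! in state QM_IDLE.
show crypto isakmp sa
!
! Which ISAKMP profile each peer landed in: a software client must show
! profile easyvpn-group, a spoke must show profile DMVPN. Peers in no
! profile, or the wrong one, are the symptom to look for when the global
! 'crypto isakmp key' line from SDM is still present.
show crypto session detail
!
! Phase 2. Per-peer SAs; both the encaps and decaps counters must rise
! while traffic flows, otherwise one direction is leaving unencrypted.
show crypto ipsec sa
!
! Addresses currently handed out to Easy VPN clients.
show ip local pool easyvpn-pool
!
! The host routes that 'reverse-route' injected for connected clients.
! These are what 'redistribute static' under 'router eigrp 113' passes on
! to the spokes; if a spoke can't reach a client, check they exist here.
show ip route static
!
! DMVPN spokes registered with the hub via NHRP, and their tunnel state.
show dmvpn
show ip nhrp
!
! After the NAT fix: traffic from 192.168.13.0/24 to the 192.168.24.0/24
! pool must NOT appear in the translation table. If it does, the deny entry
! in access-list 102 is missing or sits after the permit.
show ip nat translations
!
! If a client or spoke won't come up, watch phase 1 live. Noisy on a busy
! hub; switch it off with 'undebug all' when done.
debug crypto isakmp
```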

That’s it really. If you’re interested in the full config file you can drop a comment line that tells me how to get in touch with you. Any feedback is appreciated.


2 Responses to EasyVPN Server and DMVPN Hub on 1 Cisco router tutorial

  1. Xin says:

    good, I would like to have a look at your configuration file and how to publish the Easyvpn client IP routing into the other spoke routers.

    • Sander says:

      Hi Xin,

      It’s been a while since I set this up but here are the relevant config snippets of the DMVPN hub. As you can see I push all the subnets from the DMVPN spokes to the EasyVPN client with an acl (101 in my case). As all the spokes are approached from the hub the return path seems to automagically work.

      Hope this helps, if not let me know what you run into. This config lasted me for 2 years without any problems. It's not a clean config by far but it should help you on your way. Config ran fine with 12.4T OS, I've had problems getting this to work with IOS 15.

      crypto keyring ezvpn-spokes
      pre-shared-key address 0.0.0.0 0.0.0.0 key
      crypto keyring dmvpnspokes
      pre-shared-key address 0.0.0.0 0.0.0.0 key
      !
      crypto isakmp policy 10
      encr 3des
      authentication pre-share
      group 2
      !
      crypto isakmp policy 20
      encr aes
      authentication pre-share

      crypto isakmp keepalive 30 5
      crypto isakmp nat keepalive 20
      crypto isakmp xauth timeout 20

      !
      crypto isakmp client configuration group easyvpn-group
      key
      dns
      pool easyvpn-pool
      acl 101
      save-password
      crypto isakmp profile easyvpn-group
      keyring ezvpn-spokes
      match identity group easyvpn-group
      client authentication list easyVPN
      isakmp authorization list easyVPN
      client configuration address respond
      crypto isakmp profile DMVPN
      keyring dmvpnspokes
      match identity address 0.0.0.0
      !
      !
      crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
      crypto ipsec transform-set ts2 esp-aes esp-sha-hmac
      !
      crypto ipsec profile dmvpn-profile
      set security-association lifetime seconds 120
      set transform-set ts2
      set isakmp-profile DMVPN
      !
      !
      crypto dynamic-map dmap 10
      set transform-set ts1
      set isakmp-profile easyvpn-group
      reverse-route
      !
      !
      crypto map ezvpn-map 1 ipsec-isakmp dynamic dmap
      !
      !
      interface Tunnel0
      ip address 172.16.1.13 255.255.255.0
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip mtu 1400
      no ip next-hop-self eigrp 113
      ip nhrp authentication DMVPN_NW
      ip nhrp map multicast dynamic
      ip nhrp network-id 100000
      ip nhrp holdtime 360
      ip tcp adjust-mss 1360
      no ip split-horizon eigrp 113
      delay 1000
      tunnel source FastEthernet0
      tunnel mode gre multipoint
      tunnel key 100000
      tunnel protection ipsec profile dmvpn-profile
      !
      !
      interface FastEthernet0
      ip address
      ip verify unicast reverse-path
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip nat outside
      ip virtual-reassembly
      ip route-cache flow
      duplex auto
      speed auto
      crypto map ezvpn-map !!this is important!!
      !
      interface Vlan1
      ip address 192.168.13.1 255.255.255.0
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip nat inside
      ip virtual-reassembly
      ip tcp adjust-mss 1452
      !

      router eigrp 113
      redistribute static
      network 172.16.1.0 0.0.0.255
      network 192.168.13.0
      no auto-summary
      !
      ip local pool easyvpn-pool 192.168.24.24 192.168.24.48
      no ip forward-protocol nd
      !
      ip nat inside source list 102 interface FastEthernet0 overload
      !
      logging trap debugging
      access-list 100 permit ip 192.168.13.0 0.0.0.255 any
      access-list 100 permit ip 192.168.24.0 0.0.0.255 any
      access-list 100 deny ip any any
      access-list 101 permit ip 192.168.16.0 0.0.0.255 any
      access-list 101 permit ip 192.168.17.0 0.0.0.255 any
      access-list 101 permit ip 192.168.18.0 0.0.0.255 any
      access-list 101 permit ip 192.168.19.0 0.0.0.255 any
      access-list 101 permit ip 192.168.20.0 0.0.0.255 any
      access-list 101 permit ip 192.168.21.0 0.0.0.255 any
      access-list 102 deny ip 192.168.13.0 0.0.0.255 192.168.24.0 0.0.0.255
      access-list 102 permit ip 192.168.13.0 0.0.0.255 any
