Using VPN Tracker 5 with a Cisco Easy VPN Server

When I wanted to connect my Mac to a Dynamic Multipoint VPN (a proprietary Cisco VPN technology) I quickly learned this could only be done by creating an Easy VPN Server on the DMVPN Hub and connect VPN Tracker to it. This simple guide explains how to configure VPN Tracker 5 if you rolled out your own Easy VPN Server (the connection to a DMVPN network is optional).

If you want to use VPN Tracker with a Cisco Easy VPN Server that you set up on your router there’s no default template (it only ships with templates for the PIX firewall and the Concentrator product line). Fortunately it’s all sort of the same and VPN Tracker does support the Cisco Easy VPN protocol perfectly so all you have to do is synchronize the phase 1 and phase 2 settings, set your passwords and off you go. Here’s a quick tutorial on how to do it.

First choose to create a new custom profile as shown here:

create_connection

Next let’s set the basic stuff.

basic_settings

– Use Cisco EasyVPN for Client provisioning. It will ensure the proper parameters (like a split-tunnel) are being parsed correctly.
– Enter your VPN Gateway IP address or host name and your primary authentication. This example is based on my setup of an Easy VPN Server as illustrated here. In this case I used preshared keys for authentication (this is your group password). I also used Extended Authentication (local users), you should tick this box and supply a username and password if required.
– The local identifier is the group name that you’re trying to connect to. For remote you can set this to Remote Endpoint IP Address.
– I didn’t use DNS as I used a split tunnel and didn’t run a DNS server in my network. If you don’t run a split-tunnel or if you specified dns servers in your client configuration you can tick this box. VPN tracker will warn you if you made the wrong choice here so feel free to experiment.

Now it’s time for the advanced settings.

advanced_settings

Copy the general settings as displaed in the picture. In my example I used the following:

crypto ipsec transform-set ts1 esp-3des esp-sha-hmac

This means that the phase 1 negotiations will be using a 3des encryption and a sha1 hash. For phase 2 you can use the crypto isakmp policy. I didn’t use NAT-Transversal but you can set it to automatic so you don’t have to worry about the different types of routers you’ll be connecting through. This is how my policy looked:

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

In case you want to migrate a Cisco VPN Client profile you can look here for a good guide on how to do this. If you’re interested in building your own DMVPN and/or Easy VPN Server you can read my other tutorial here. Any feedback is appreciated.

Advertisements

Comments are closed.

%d bloggers like this: