EasyVPN Server and DMVPN Hub on 1 Cisco router tutorial

The Cisco Dynamic Multipoint VPN is a great technique to easily deploy a multi-site VPN in a fully meshed setup. This means that all locations can see and talk to each other directly without any extra configuration and since you can set it up with the SDM tool from Cisco it’s the fastest way to get things working.

However when you want to extend your network with let’s say simple IPSec (Easy) VPN access for remote users you’ll find yourself stuck. The SDM will just mess up your configuration and although there’s lots of documentation available online, most of it is either not tailored to your needs, incomplete or contains errors.

I wanted to extend my SDM-designed DMVPN network with an Easy VPN Server so mobile clients could dial into the network and connect to servers located at different active DMVPN spokes. The Easy VPN server would ideally serve a split tunnel to prevent it from overloading and be based on pre-shared keys, as my network was too small to justify a complex PKI setup. This is how it would look:


The dotted line indicates a connection over the internet to the DMVPN Hub, which should act as an Easy VPN server and grant access to the entire network. In my case the client would use the rather excellent VPN Tracker from Equinux, but the normal Cisco VPN Client software will work as well; it is also built into the iPhone since software version 2.0.

I started with this deployment guide from Cisco that illustrates quite well how such a network must be built. While the example needlessly complicates things by mixing a PKI and PSK infrastructure it does expose the required solution to make this work. By using crypto profiles for the DMVPN part and using so-called dynamic crypto maps for the Easy VPN part it’s possible to run both services on 1 interface.

I started with the simple Easy VPN server setup to get a feel for how it’s supposed to work. In the example there’s an Access Control Server for Extended Authentication (this is the username/password part in addition to the normal group name and password), but you can also use local authentication if you omit the group parameter from the aaa lines like this:

aaa new-model
!!! The ACS stuff used to be here
aaa authentication login easyVPN local
aaa authorization network easyVPN local
!!! notice the omitted ‘group EzVPN’ part from both lines

The next part includes the keyring for the pre-shared key used in the Easy VPN Server. Keyrings are nice because you can create several of them and attach each to a different crypto profile, effectively assigning different PSKs to the Easy VPN Server and the DMVPN Hub. Note that in the SDM-built DMVPN there’s a line that starts with ‘crypto isakmp key ‘ that overrides the keyring, so make sure that you remove it from your configuration.

After the keyring the example declares an isakmp (phase 2) policy as shown here and a profile for the Easy VPN group that will be used. I’ll be creating only one group, as all users will be stored locally and there’s no point in dividing them up into groups anyway.

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

crypto isakmp client configuration group easyvpn-group
pool easyvpn-pool
acl 101

crypto isakmp profile easyvpn-group
keyring ezvpn-spokes
match identity group easyvpn-group
client authentication list easyVPN
isakmp authorization list easyVPN
client configuration address respond

We then set the transform-set for the phase 1 negotiation (3DES and SHA-1) and build the dynamic crypto map that will be assigned to the interface so it will not conflict with the DMVPN part. There’s a typo in this part of the guide: the name of the isakmp-profile should be easyvpn-group instead of easyvpn.

crypto ipsec transform-set ts1 esp-3des esp-sha-hmac

crypto dynamic-map dmap 10
set transform-set ts1
!!! We associate the ezvpn isakmp profile with the dynamic crypto map.
!!! The deployment guide says 'easyvpn' here; the name must match the profile declared above.
set isakmp-profile easyvpn-group
!!! Reverse-route injects the address assigned to the Easy VPN client into the routing table,
!!! so the remote device is reachable from the corporate network (needed for IP telephony, etc.).
reverse-route

We’re almost done, declare the dynamic map as a crypto map and assign it to the correct (outside) interface as shown here:

!!! Declare the dynamic map as a (static) crypto map; the sequence number is arbitrary.
crypto map ezvpn-map 10 ipsec-isakmp dynamic dmap

interface FastEthernet0
ip address
duplex auto
speed auto
!!! Here it is
crypto map ezvpn-map

Please make sure that you also define a local IP pool with addresses that do NOT overlap an existing subnet, otherwise the pool addresses can’t be routed! Mine looks like this:

ip local pool easyvpn-pool

You now have a working Easy VPN Server. Test it and congratulate yourself on your copy-paste skills so we can move on.

Adding the DMVPN hub to the example

We can now add the DMVPN Hub functionality to the configuration without disturbing the Easy VPN Server. I skipped the explanations in the deployment guide about the different modes for connecting to the VPN (client mode or network mode if you use a Cisco router), since there’s no real point in adding a router over Easy VPN when you already have a fully meshed DMVPN running.

I also chose a split tunnel to prevent unwanted traffic from passing through the Easy VPN tunnel. This means you’ll have to make an access-list that holds all the subnets the Easy VPN client should be able to reach. This is no biggie, we’ll get to it later. You can also omit this access-list from your configuration, which forces all client traffic through the tunnel. That can be a good thing if you want this setup to guarantee a safe connection from wherever you connect, but in that case also make sure you hand out working DNS servers, or your clients won’t be able to resolve any domain names.

The first lines of the example are all the same; skip the crypto pki part, you won’t be needing it. We’ll be adding a second crypto policy for the DMVPN tunnel that also requires a pre-shared key. I chose AES here instead of 3DES: it’s more robust, and unless you have very slow routers there’s no reason not to use it.

If you didn’t already add the split-tunnel ACL to your crypto isakmp client configuration, this is the time to do it. Mine looks like this:

crypto isakmp client configuration group easyvpn-group
pool easyvpn-pool
!!! This is the access-list we’ll be using to identify the subnets that the Easy VPN tunnel should accept.
acl 101

The example makes note of a second crypto ipsec transform set that comes with the mode transport require setting enabled. I found that I had to disable it to get my current DMVPN setup working again. I have no clue what it does, Cisco’s own CLI explanation tool (found here) left me in the dark on this one.

The crypto ipsec profile for our DMVPN is incomplete: if you want to use PSK you’ll need to add another keyring and extend this profile with an isakmp profile. This is how I did it (inspired by this other example from Cisco):

crypto keyring dmvpnspokes
pre-shared-key address key

crypto isakmp profile DMVPN
keyring dmvpnspokes
match identity address
!!! This ensures the correct key is used for every peer address. It works the way SDM does it with
!!! ‘crypto isakmp key address’, which you should remove from your config.

crypto ipsec profile dmvpn-profile
set security-association lifetime seconds 120
set transform-set ts2
set isakmp-profile DMVPN
!!! Note the extra isakmp-profile that’s not in the example (since they’re using PKI I presume).

Next the example lists an extra dynamic crypto map for the PKI part, you can omit it.

Now look at your DMVPN tunnel interface; its last line should point at the correct profile like this:

tunnel protection ipsec profile dmvpn-profile

Finally we create the split-tunnel ACL. Just add the subnets to the access-list you chose (I used 101) like this:

access-list 100 permit ip any
access-list 101 permit ip any
access-list 101 permit ip any
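To catch the three mistakes this guide warns about before the merged config is pasted into the router (a leftover SDM ‘crypto isakmp key’ line overriding the keyrings, a keyring or ‘set isakmp-profile’ reference that names something never declared, and a client pool overlapping a split-tunnel subnet), here is an added Python lint written for this article; it is not code from the Cisco guide or from the author’s setup, and the sample config, addresses and keys it checks are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample config (NOT the author's full config); addresses and keys are placeholders.
SAMPLE_CONFIG = """\
crypto keyring ezvpn-spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key EXAMPLE-PSK
crypto isakmp key LEFTOVER-SDM-KEY address 0.0.0.0 0.0.0.0
crypto isakmp profile easyvpn-group
 keyring ezvpn-spokes
 match identity group easyvpn-group
crypto isakmp profile DMVPN
 keyring dmvpnspokes
 match identity address 0.0.0.0
crypto dynamic-map dmap 10
 set isakmp-profile easyvpn
ip local pool easyvpn-pool 10.10.20.1 10.10.20.50
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an ip_network (wildcard is an inverted mask)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def lint_config(text, split_acl="101"):
    """Return findings for the merge pitfalls the article describes."""
    findings = []
    keyrings = set(re.findall(r"^crypto keyring (\S+)", text, re.M))
    profiles = set(re.findall(r"^crypto isakmp profile (\S+)", text, re.M))
    # 1. A leftover SDM-style global key overrides the per-profile keyrings.
    for _ in re.findall(r"^crypto isakmp key .* address ", text, re.M):
        findings.append("global 'crypto isakmp key ... address' overrides the keyrings; remove it")
    # 2. Keyring / isakmp-profile references must name something declared (catches the easyvpn typo).
    for ring in re.findall(r"^\s+keyring (\S+)", text, re.M):
        if ring not in keyrings:
            findings.append(f"undefined keyring referenced: {ring}")
    for prof in re.findall(r"^\s+set isakmp-profile (\S+)", text, re.M):
        if prof not in profiles:
            findings.append(f"undefined isakmp profile referenced: {prof}")
    # 3. The client pool must not overlap any subnet listed in the split-tunnel ACL.
    pool = re.search(r"^ip local pool \S+ (\S+) (\S+)", text, re.M)
    if pool:
        lo, hi = (ipaddress.IPv4Address(a) for a in pool.groups())
        for addr, wc in re.findall(rf"^access-list {split_acl} permit ip (\S+) (\S+)", text, re.M):
            net = wildcard_to_network(addr, wc)
            if lo <= net.broadcast_address and hi >= net.network_address:
                findings.append(f"pool {lo}-{hi} overlaps split-tunnel subnet {net}")
    return findings
```

Run it against `show running-config` output saved to a file (the sample above yields four findings); an empty list means none of the three pitfalls is present.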

The example also covers other interesting things like metrics and split tunnels for DMVPN spokes. I did not require them in my setup, and you can safely omit them from your configuration if you do not have such requirements in your network.

That’s it! If you did everything correctly you can now watch your DMVPN spokes reconnect and fire up your VPN client to connect. However, if you want to reach servers that are directly connected to the DMVPN Hub and have a NAT policy applied, you’re in for a treat.

Fixing the NAT configuration to allow Easy VPN traffic from a local subnet attached to the DMVPN Hub.

Credit goes to Rik Bain for this solution, I found it here. If you look at the access-list for your NAT configuration you’ll notice that all traffic is matched by it. Create an exception for traffic that’s destined to flow back into the Easy VPN tunnel, like this:

access-list 102 deny ip
access-list 102 permit ip any

That’s it really. If you’re interested in the full config file you can drop a comment line that tells me how to get in touch with you. Any feedback is appreciated.