Using VPN Tracker 5 with a Cisco Easy VPN Server

When I wanted to connect my Mac to a Dynamic Multipoint VPN (a proprietary Cisco VPN technology) I quickly learned this could only be done by creating an Easy VPN Server on the DMVPN Hub and connecting VPN Tracker to it. This simple guide explains how to configure VPN Tracker 5 if you rolled out your own Easy VPN Server (the connection to a DMVPN network is optional).

If you want to use VPN Tracker with a Cisco Easy VPN Server that you set up on your router there’s no default template (it only ships with templates for the PIX firewall and the Concentrator product line). Fortunately it’s all sort of the same, and VPN Tracker supports the Cisco Easy VPN protocol perfectly, so all you have to do is synchronize the phase 1 and phase 2 settings, set your passwords and off you go. Here’s a quick tutorial on how to do it.

First choose to create a new custom profile as shown here:

(Screenshot: create_connection)

Next let’s set the basic stuff.

(Screenshot: basic_settings)

– Use Cisco EasyVPN for client provisioning. It ensures the proper parameters (like a split-tunnel) are parsed correctly.
– Enter your VPN Gateway IP address or host name and your primary authentication. This example is based on my setup of an Easy VPN Server as illustrated here. In this case I used preshared keys for authentication (this is your group password). I also used Extended Authentication (local users); tick this box and supply a username and password if required.
– The local identifier is the group name that you’re trying to connect to. For remote you can set this to Remote Endpoint IP Address.
– I didn’t use DNS as I used a split tunnel and didn’t run a DNS server in my network. If you don’t run a split-tunnel or if you specified DNS servers in your client configuration you can tick this box. VPN Tracker will warn you if you made the wrong choice here, so feel free to experiment.

Now it’s time for the advanced settings.

(Screenshot: advanced_settings)

Copy the general settings as displayed in the picture. In my example I used the following:

crypto ipsec transform-set ts1 esp-3des esp-sha-hmac

This means that the phase 1 negotiations will be using 3DES encryption and a SHA-1 hash. For phase 2 you can use the crypto isakmp policy. I didn’t use NAT Traversal, but you can set it to automatic so you don’t have to worry about the different types of routers you’ll be connecting through. This is how my policy looked:

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

In case you want to migrate a Cisco VPN Client profile you can look here for a good guide on how to do this. If you’re interested in building your own DMVPN and/or Easy VPN Server you can read my other tutorial here. Any feedback is appreciated.


EasyVPN Server and DMVPN Hub on 1 Cisco router tutorial

The Cisco Dynamic Multipoint VPN is a great technique to easily deploy a multi-site VPN in a fully meshed setup. This means that all locations can see and talk to each other directly without any extra configuration, and since you can set it up with the SDM tool from Cisco it’s the fastest way to get things working.

However, when you want to extend your network with, let’s say, simple IPsec (Easy) VPN access for remote users you’ll find yourself stuck. The SDM will just mess up your configuration, and although there’s lots of documentation available online, most of it is either not tailored to your needs, incomplete or contains errors.

I wanted to extend my SDM-designed DMVPN network with an Easy VPN Server so mobile clients could dial into the network and connect to servers located at different active DMVPN spokes. The Easy VPN server would ideally serve a split-tunnel to prevent it from overloading and be based on pre-shared keys, as my network was too small to justify a complex PKI setup. This is how it would look:

(Diagram: dmvpn_setup)

The dotted line indicates a connection over the internet to the DMVPN Hub that should act as an Easy VPN server and grant access to the entire network. In my case the client would use the rather excellent VPN Tracker from Equinux, but the normal Cisco VPN Client software will work as well, as it is built into the iPhone since software version 2.0.

I started with this deployment guide from Cisco that illustrates quite well how such a network must be built. While the example needlessly complicates things by mixing a PKI and PSK infrastructure, it does expose the required solution to make this work. By using crypto profiles for the DMVPN part and so-called dynamic crypto maps for the Easy VPN part it’s possible to run both services on one interface.

I started with the simple Easy VPN server setup to get a feel for how it’s supposed to work. In the example there’s an Access Control Server for Extended Authentication (this is the username/password part in addition to the normal group name and password), but you can also use local authentication if you omit the group parameter from the aaa lines like this:

aaa new-model
!!! The ACS stuff used to be here
aaa authentication login easyVPN local
aaa authorization network easyVPN local
!!! notice the omitted ‘group EzVPN’ part from both lines

The next part includes the keyring for the preshared key used in the Easy VPN Server. Keyrings are nice because you can create several of them and connect them to different crypto profiles, effectively assigning different PSKs to the Easy VPN Server and the DMVPN Hub. Note that in the SDM-built DMVPN there’s a line that starts with ‘crypto isakmp key ‘ that overrides this, so make sure that you remove it from your configuration.

After the keyring the example declares an isakmp (phase 2) policy as shown here and a profile for the Easy VPN group that will be used. I’ll be creating only one group, as all users will be stored locally and there’s no point in dividing them up into groups anyway.

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

crypto isakmp client configuration group easyvpn-group
key
pool easyvpn-pool
acl 101
save-password
crypto isakmp profile easyvpn-group
keyring ezvpn-spokes
match identity group easyvpn-group
client authentication list easyVPN
isakmp authorization list easyVPN
client configuration address respond

We then set the transform-set for the phase 1 negotiation (3DES and SHA-1) and build the dynamic crypto map that will be assigned to the interface so it will not conflict with the DMVPN part. There’s a typo in this part: the name of the isakmp-profile should say easyvpn-group instead of easyvpn, as shown here:

crypto ipsec transform-set ts1 esp-3des esp-sha-hmac

crypto dynamic-map dmap 10
set transform-set ts1
!!! We associate the ezvpn isakmp profile to a dynamic crypto map.
set isakmp-profile easyvpn-group
!!! The deployment guide says ‘easyvpn’ here; it must match the profile name easyvpn-group declared above.
!!! Reverse-route is used to allow the ezvpn assigned ip address to be injected into the corporate network. This is used when a remote device will be visible from the corporate network, which is needed for IP telephony, etc.
reverse-route

We’re almost done: declare the dynamic map as a crypto map and assign it to the correct (outside) interface as shown here:

crypto map ezvpn-map 10 ipsec-isakmp dynamic dmap
!!! Binds the dynamic map dmap to the crypto map ezvpn-map (the sequence number 10 is arbitrary)

interface FastEthernet0
ip address 217.115.195.99 255.255.255.0
duplex auto
speed auto
crypto map ezvpn-map !!! Here it is

Please make sure that you also assign a local ip pool with IP addresses that do NOT overlap an existing subnet, otherwise it’s impossible to route it! Mine looks like this:

ip local pool easyvpn-pool 192.168.24.24 192.168.24.48

You now have a working Easy VPN Server; test it and congratulate yourself on your copy-paste skills so we can move on.

Adding the DMVPN hub to the example

We can now add the DMVPN Hub functionality to the configuration without disturbing the Easy VPN Server. I skipped the explanations in the deployment guide that talk about the different modes to connect to the VPN (you can use either client mode or network mode if you use a Cisco router), since there’s no real point in adding a router over Easy VPN while you already have a fully meshed DMVPN running.

I also chose a split-tunnel to prevent any unwanted traffic from passing through the Easy VPN tunnel. This means you’ll have to make an access-list that holds all the subnets of the networks you want the Easy VPN client to connect to. This is no biggie, we’ll get to it later. You can choose to omit this access-list from your configuration, which will ensure all client traffic flows through the tunnel. This can be a good thing if you want to use this setup to ensure you always have a safe connection from wherever you connect, but in this case also make sure you pass along working DNS servers or else your clients won’t be able to resolve any domain names.

The first lines of the example are all the same; skip the part with the crypto pki stuff, you won’t be needing it. We’ll be adding a second crypto policy for the DMVPN tunnel that also indicates the requirement for a pre-shared key. I chose to use AES here instead of 3DES; it’s more robust, and unless you have very slow routers there’s no reason not to use it.

If you didn’t already add the split-tunnel acl to your crypto isakmp client configuration this is the time to do it. Mine looks like this:

crypto isakmp client configuration group easyvpn-group
key
pool easyvpn-pool
acl 101 !!! This is the access-list we’ll be using to identify the subnets that the Easy VPN tunnel should accept.
save-password

The example makes note of a second crypto ipsec transform set that comes with the mode transport require setting enabled. I found that I had to disable it to get my current DMVPN setup working again. I have no clue what it does; Cisco’s own CLI explanation tool (found here) left me in the dark on this one.

The crypto ipsec profile for our DMVPN is incomplete: if you want to use PSK you’ll need to add another keyring and extend this profile with an isakmp profile. This is how I did it (inspired by this other example from Cisco):

crypto keyring dmvpnspokes
pre-shared-key address 0.0.0.0 0.0.0.0 key

crypto isakmp profile DMVPN
keyring dmvpnspokes
match identity address 0.0.0.0
!!! This will ensure the correct key is used and it can be used by all addresses. This makes it work like the way SDM does it with ‘crypto isakmp key address 0.0.0.0 0.0.0.0’ which you should remove from your config.

crypto ipsec profile dmvpn-profile
set security-association lifetime seconds 120
set transform-set ts2
set isakmp-profile DMVPN
!!! Note the extra isakmp-profile that’s not in the example (since they’re using PKI I presume).

Next the example lists an extra dynamic crypto map for the PKI part, you can omit it.

Now look at your DMVPN tunnel; the last line should point to the correct IPsec profile, like this:

tunnel protection ipsec profile dmvpn-profile

Finally we get to create that access-list. Just add the subnets to the access-list you chose (I used 101) like this:

access-list 100 permit ip 192.168.24.0 0.0.0.255 any
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.13.0 0.0.0.255 any

In the example other interesting stuff like metrics and split-tunnels for DMVPN spokes is covered. I did not require them in my setup and you can safely omit them from your configuration if you do not have such requirements in your network.

That’s it! If you did everything correctly you can now see your DMVPN spokes reconnect and fire up your VPN client to connect. However if you want to connect to servers that are directly connected to the DMVPN Hub and they have a NAT policy applied you’re in for a treat.

Fixing the NAT configuration to allow Easy VPN traffic from a local subnet attached to the DMVPN Hub

Credit goes to Rik Bain for this solution, I found it here. If you look at the access-list for your NAT configuration you’ll notice that all traffic is being directed to it. Create an exception for traffic that’s destined to flow back to the Easy VPN tunnel like this:

access-list 102 deny ip 192.168.13.0 0.0.0.255 192.168.24.0 0.0.0.255
access-list 102 permit ip 192.168.13.0 0.0.0.255 any
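As an added example (not part of this tutorial or of any Cisco tool), the script below reads the ip local pool line and the split-tunnel access-list shown above, checks the pool against those subnets for the overlap warned about earlier, and generates the NAT-exemption deny/permit pair for every local subnet. It assumes contiguous wildcard masks and uses the smallest prefix that covers the pool (a /26 here) as the exempt destination rather than the /24 used in the fix above.

```python
import ipaddress
import re

# Constructed from the configuration lines shown in the tutorial.
POOL_LINE = "ip local pool easyvpn-pool 192.168.24.24 192.168.24.48"
SPLIT_TUNNEL_ACL = [
    "access-list 101 permit ip 192.168.20.0 0.0.0.255 any",
    "access-list 101 permit ip 192.168.13.0 0.0.0.255 any",
]

def parse_pool(line):
    """Return (first, last) of an 'ip local pool NAME FIRST LAST' statement."""
    first, last = line.split()[-2:]
    return ipaddress.ip_address(first), ipaddress.ip_address(last)

def wildcard_to_network(address, wildcard):
    """IOS wildcards are inverted netmasks (0.0.0.255 -> /24); contiguous only."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network((address, str(ipaddress.ip_address(netmask))))

def parse_acl_subnets(lines):
    """Source subnets of 'access-list N permit ip SRC WILDCARD any' entries."""
    pat = re.compile(r"access-list \d+ permit ip (\S+) (\S+) any$")
    return [wildcard_to_network(*m.groups())
            for m in map(pat.match, (ln.strip() for ln in lines)) if m]

def pool_overlaps(pool, subnets):
    """Subnets that share addresses with the pool; the tutorial warns this breaks routing."""
    first, last = pool
    return [n for n in subnets if first <= n[-1] and last >= n[0]]

def covering_network(pool):
    """Smallest prefix that contains the whole pool (the NAT-exempt destination)."""
    first, last = pool
    net = ipaddress.ip_network(str(first))
    while last not in net:
        net = net.supernet()
    return net

def nat_exemption_acl(number, subnets, pool):
    """Per local subnet: deny traffic towards the pool (kept out of NAT), then permit the rest."""
    dst = covering_network(pool)
    lines = [f"access-list {number} deny ip {n.network_address} {n.hostmask} "
             f"{dst.network_address} {dst.hostmask}" for n in subnets]
    lines += [f"access-list {number} permit ip {n.network_address} {n.hostmask} any"
              for n in subnets]
    return lines

if __name__ == "__main__":
    pool, subnets = parse_pool(POOL_LINE), parse_acl_subnets(SPLIT_TUNNEL_ACL)
    print("overlapping subnets:", pool_overlaps(pool, subnets))
    print("\n".join(nat_exemption_acl(102, subnets, pool)))
```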

That’s it really. If you’re interested in the full config file you can drop a comment line that tells me how to get in touch with you. Any feedback is appreciated.