
Configure Cisco Router for Remote Access IPsec VPN Connections

In this article I’ll walk through the configuration of the IOS on a Cisco router to support remote access IPsec VPN connections.  IPsec is a suite of protocols that provides authentication and encryption of packets.  Traditionally PPTP has been used extensively as a VPN because of its simplicity of configuration, especially on the client side.  However, the security vulnerabilities of the PPTP protocol have been well documented.  Cisco now has a feature called EasyVPN that allows us to specify client configuration on the server and minimize direct configuration of the VPN on the client.

In this example I will make use of the fantastic GNS3/Dynamips software for router emulation.  I’ve had some difficulties with IPsec and the Dynamips emulator: the VPN connection will start and work for a short time, but then the connection will freeze.  I have tested this configuration and it does work on a physical router, however.

I have set up my Cisco router with two interfaces, FastEthernet0/0 and FastEthernet0/1.  The router is also configured with NAT overload for the internal network.  Here is my network diagram, a pretty basic configuration with an external and an internal network:

Here is my starting configuration of the router.  Basically I’ve assigned IP addresses to the interfaces, configured the default route, and activated NAT.  I’m using an extended access list to permit NAT traffic.  This will be important later because we’ll need to disable NAT between the internal interface and the IP address pool that our VPN clients will use.

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface FastEthernet0/0
ip address 192.168.10.2 255.255.255.0
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.10.254
!
ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list extended NAT
permit ip any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end

Initially we’ll start by setting up a local account on the Cisco router itself to use for VPN client authentication.  Later, once we’ve confirmed that this configuration works, we can move on to modifying it to authenticate users against a central user database via the RADIUS protocol to ease our administrative burden.

Let’s begin by adding a user to the local router database.  We’ll use the secret command modifier instead of password to specify a type 5 password, which is stored as an MD5 hash.  This is more secure and makes the stored password much tougher to recover:

R1# conf t
R1(config)# username aaron secret p@ssw0rd

Now we need to activate the AAA new model to expose the new command set:

R1(config)# aaa new-model

We need to set up extended authentication (Xauth).  Users will be logged in using the local user database.

R1(config)# aaa authentication login VPN_CLIENT_LOGIN local

We must set up AAA to authorize the clients to use the network.  In this example I’ll set up a named authorization list.

R1(config)# aaa authorization network VPN_CLIENT_GROUP local

We need to set up an address pool to assign VPN clients with IP addresses.  The clients will be on a virtual subnet distinct from the subnets of the existing interfaces on the Cisco router.

R1(config)# ip local pool VPN_CLIENT_POOL 192.168.20.200 192.168.20.210

Configuring ISAKMP Policy

ISAKMP is the Internet Security Association and Key Management Protocol.  Referred to as IKE for short, it is the protocol two hosts use to negotiate how to build an IPsec security association (SA).  There are two phases to the negotiation.  The phase 1 negotiation sets up the tunnel to secure future management traffic.  Phase 2 creates a tunnel to protect the actual data crossing the connection.

Now we will create the ISAKMP policies for clients.  Here we will define the authentication and encryption methods that the hosts will use.  All of the parameters of the policy must match and be agreed upon between the hosts or the secure connection will not be established.

First we’ll ensure that ISAKMP is turned on.

R1(config)# crypto isakmp enable

Now we’ll define a policy number.  Lower policy numbers have preference and will be used first if the parameters match.  If not, the next policy will be tested.

R1(config)# crypto isakmp policy 10

We will use a preshared key that we’ll type into both the router and the VPN client.  Optionally we can use certificates, which are more complex to set up but will simplify management later.

R1(config-isakmp)# authentication pre-share

We’ll use triple DES as the symmetric encryption algorithm for this policy.

R1(config-isakmp)# encryption 3des

We will use the SHA hashing algorithm, which is used to check the integrity of the data transmitted in our secure tunnel.

R1(config-isakmp)# hash sha

We will specify Diffie-Hellman group 2 for the key exchange that establishes secure communication.  The groups specify different DH key sizes; I believe group 2 is 1024 bit.

R1(config-isakmp)# group 2

Optionally we can specify the lifetime after which our symmetric key is regenerated; I believe the default is 86400.

R1(config-isakmp)# lifetime 3600
R1(config-isakmp)# exit
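
The selection rule described above (lowest policy number first, falling through to the next policy on a mismatch), as an added example that is not part of the original article: a small Python model that parses crypto isakmp policy blocks and returns the policy the router would pick for a set of client offers.  Policy 5, the client offers and the fallback defaults are constructed assumptions, and lifetime is left out of the comparison.

```python
DEFAULTS = {"encryption": "des", "hash": "sha",          # assumed fallbacks when a
            "authentication": "rsa-sig", "group": "1"}   # policy omits a parameter
MATCH_KEYS = tuple(DEFAULTS)  # lifetime is left out of the comparison here

# Constructed config: policy 10 is the article's policy, policy 5 is hypothetical.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
!
crypto isakmp policy 5
 authentication pre-share
 encryption aes 256
 hash sha256
 group 14
"""

def parse_policies(config):
    """Map policy number -> parameters from 'crypto isakmp policy N' blocks."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp policy "):
            current = policies.setdefault(int(line.split()[3]), dict(DEFAULTS))
        elif raw[:1].isspace() and current is not None:
            key, _, value = line.partition(" ")
            if key in DEFAULTS:          # lifetime and unknown keys are skipped
                current[key] = value
        else:
            current = None               # any other top-level line ends the block
    return policies

def select_policy(policies, offers):
    """Return the lowest-numbered local policy that equals some offer, else None."""
    for number in sorted(policies):
        if any(all(policies[number][k] == o[k] for k in MATCH_KEYS) for o in offers):
            return number
    return None

# Constructed client offers.
LEGACY = {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": "2"}
STRONG = {"encryption": "aes 256", "hash": "sha256", "authentication": "pre-share", "group": "14"}

if __name__ == "__main__":
    policies = parse_policies(SAMPLE_CONFIG)
    print("legacy-only client ->", select_policy(policies, [LEGACY]))
    print("client offering both ->", select_policy(policies, [LEGACY, STRONG]))
```

A client that offers only the 3DES/SHA/group 2 combination falls through to policy 10, while a client that also offers the stronger set is matched on the lower-numbered policy first.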

We need to specify the VPN client group settings.  Here is where we specify what settings will be assigned to the VPN client group.  We will need to specify this VPN group name later in the VPN client software.

R1(config)# crypto isakmp client configuration group VPN_CLIENTS

In this config we will identify the preshared key for this group.  We will also specify the DNS server to use, the default domain name, and the pool from which the VPN client will receive an IP address.

R1(config-isakmp-group)# key ClientVpnKey
R1(config-isakmp-group)# dns 192.168.2.4
R1(config-isakmp-group)# domain test.local
R1(config-isakmp-group)# pool VPN_CLIENT_POOL

We also need to have this group use an access list that will allow us to implement a split tunnel.  This will allow encryption of traffic sent between the VPN clients and the internal network but not encrypt everything else.  Traffic to the internet will not utilize the VPN tunnel.

R1(config-isakmp-group)# acl 110
R1(config-isakmp-group)# exit

We must now create the access control list where we define the subnets for the internal network and the VPN client pool.

R1(config)# access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255

It is time to specify the IPsec transform set, which sets the Phase 2 parameters, matching the 3DES and SHA choices we made in the ISAKMP policy earlier.

R1(config)# crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
R1(cfg-crypto-trans)# exit

Now it is time to create a dynamic crypto map entry.  This is an empty shell of a map so we must also create a real map later.

R1(config)# crypto dynamic-map EXT_DYNAMIC_MAP 10
R1(config-crypto-map)# set transform-set TRANS_3DES_SHA
R1(config-crypto-map)# exit

This will turn on server response to client configuration requests, such as when the client requests the DNS settings specified in the client configuration group earlier.  We must include the crypto map name (EXT_MAP) as well.

R1(config)# crypto map EXT_MAP client configuration address respond

We need to apply the AAA authentication and authorization methods to the crypto ISAKMP policy.  Again we are using the local database of users.

R1(config)# crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
R1(config)# crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP

Now we need to attach the dynamic crypto map template to the real crypto map.  Our real crypto map may have other connections like site to site VPN included as well.

R1(config)# crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP

Now we need to attach the real crypto map to our external interface.

R1(config)# int f0/0
R1(config-if)# crypto map EXT_MAP
R1(config-if)# exit

Now we will tell NAT to not translate traffic from the internal subnet destined for our VPN client pool.  We have to insert the deny statement before the existing permit, so we’ll specify 5 for the sequence number (the default for the permit should be 10):

R1(config)# ip access-list extended NAT
R1(config-ext-nacl)# 5 deny ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
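
Why the sequence number matters here, and what access list 110 matches for the split tunnel, as an added example that is not part of the original article: a small Python evaluator for extended ACL entries using first-match semantics and wildcard masks.  The host addresses are constructed, and numbering unnumbered entries 10, 20, ... in the order given is a simplifying assumption.

```python
import ipaddress

def matches(addr, spec):
    """spec is ['any'], ['host', ip] or [network, wildcard], as IOS writes them."""
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return addr == spec[1]
    a, net, wild = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 mean "don't care"
    return (a & care) == (net & care)

def parse_ace(line, default_seq):
    """Parse '[seq] permit|deny ip <src> <dst>' into (seq, action, src, dst)."""
    tok = line.split()
    seq = int(tok.pop(0)) if tok[0].isdigit() else default_seq
    if tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    rest = tok[2:]
    n = 1 if rest[0] == "any" else 2
    return seq, tok[0], rest[:n], rest[n:]

def evaluate(entries, src, dst):
    """First match in sequence order wins; falling off the end is the implicit deny."""
    aces = [parse_ace(e, 10 * (i + 1)) for i, e in enumerate(entries)]
    for _, action, s, d in sorted(aces, key=lambda ace: ace[0]):
        if matches(src, s) and matches(dst, d):
            return action
    return "deny"

VPN_RULE = "ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255"
NAT_AS_CONFIGURED = ["permit ip any any", "5 deny " + VPN_RULE]  # deny sorts first
NAT_APPENDED = ["permit ip any any", "deny " + VPN_RULE]         # deny lands at 20
ACL_110 = ["permit " + VPN_RULE]                                 # split-tunnel list

if __name__ == "__main__":
    # Constructed hosts: internal server, VPN pool client, documentation address.
    server, client, internet = "192.168.2.4", "192.168.20.201", "203.0.113.9"
    # In the NAT list, permit means "translate" and deny means "leave untouched".
    print("NAT, seq 5 deny, server -> client:", evaluate(NAT_AS_CONFIGURED, server, client))
    print("NAT, deny appended, server -> client:", evaluate(NAT_APPENDED, server, client))
    print("NAT, server -> internet:", evaluate(NAT_AS_CONFIGURED, server, internet))
    print("ACL 110, server -> client:", evaluate(ACL_110, server, client))
```

With the deny appended after the existing permit, replies to VPN clients still match permit ip any any and are translated, which is the failure the sequence number 5 avoids.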

Whew!  Okay we should finally be done.  Exit and write to memory:

R1(config-ext-nacl)# exit
R1(config)# exit
R1# wr

IPsec EasyVPN Client Configuration

Now we’ll configure the client side of things.  As you’ll see, IPsec EasyVPN makes this, as the name suggests, easy!  Install the Cisco VPN Client and reboot.  Once completed, launch the application:

Click New.

Enter a connection entry name and type the external interface name of the router.  Enter the VPN group name that you entered in the Cisco IOS earlier along with the key for the group (ClientVpnKey) as the password.  Click Save.  That’s it for the client configuration!

Highlight the connection you created and click Connect.  If all goes well it will prompt you for a username/password.  Enter the information that you specified for the user in the Cisco IOS local database (aaron/p@ssw0rd).  Hopefully you will now be connected!

  1. zamurei
    August 3, 2012 at 8:26 am

    Hi,

    Thanks for the nice guide, but I got an error:

    “%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at x.x.x.x”

    Can you help me with this error?

    Thanks and have a nice day.

  2. Zolee
    January 7, 2013 at 6:26 pm

    Hi!
    Thanks for the guide, very useful. I have a question: is it possible to send UDP broadcast (helper-address) in this VPN? Thanks

  3. Rohit Shrivastava
    May 27, 2013 at 11:27 pm

    very nice explanation…thanks heaps
