Configure Cisco Router for Remote Access IPsec VPN Connections
In this article I’ll walk through the configuration of the IOS on a Cisco router to support remote access IPsec VPN connections. IPsec is a suite of protocols that provides for authentication and encryption of packets. Traditionally PPTP has been extensively used as a VPN because of it’s simplicity of configuration, especially on the client side. However, the security vulnerabilities of the PPTP protocol have been well documented. Cisco now has a feature called EasyVPN that allows us to specify client configuration on the server and minimize direct configuration of the VPN on the client.
In this example I will make use of the fantastic GNS3/Dynamips software for router emulation. I’ve had some difficulties with IPsec and the Dynamips emulator, the VPN connection will start and work for a short time but then the connection will freeze. I have tested this configuration and it does work on a physical router, however.
I have set up my Cisco router with two interfaces, FastEthernet0/0 and FastEthernet0/1. The router is also configured with NAT overload for the internal network. Here is my network diagram, pretty basic configuration with an external and an internal network:
Here is my starting configuration of the router. Basically I’ve assigned IP addresses to the interfaces, configured the default route, and activated NAT. I’m using an extended access list to permit NAT traffic, this will be important later because we’ll need disable NAT between the internal interface and the IP address pool that our VPN clients will use.
! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname R1 ! boot-start-marker boot-end-marker ! no aaa new-model memory-size iomem 5 ip cef ! ip auth-proxy max-nodata-conns 3 ip admission max-nodata-conns 3 ! interface FastEthernet0/0 ip address 192.168.10.2 255.255.255.0 ip nat outside ip virtual-reassembly speed 100 full-duplex ! interface FastEthernet0/1 ip address 192.168.2.254 255.255.255.0 ip nat inside ip virtual-reassembly duplex auto speed auto ! ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.10.254 ! ip http server no ip http secure-server ip nat inside source list NAT interface FastEthernet0/0 overload ! ip access-list extended NAT permit ip any any ! control-plane ! line con 0 line aux 0 line vty 0 4 ! end
Initially we’ll start by setting up a local account on the Cisco router itself to use for VPN client authentication. Later once we’ve confirmed that this configuration works we can move on to modifying it to authenticate users against a central user data via the RADIUS protocol to ease our administrative burdens.
Let’s begin by adding a user to the local router database. We’ll use the secret command modifier instead of password to specify a type 5 password that uses the MD5 hashing algorithm. This is more secure and will make decryption tougher:
R1(config)# conf t R1(config)# username aaron secret p@ssw0rd
Now we need to activate the AAA new model to expose the new command set:
R1(config)# aaa new-model
We need to set up extended authentication (Xauth). Users will be logged in using the local user database.
R1(config)# aaa authentication login VPN_CLIENT_LOGIN local
We must set up AAA to authorize the clients to use the network. In this example I’ll set up a named authorization list.
R1(config)# aaa authorization network VPN_CLIENT_GROUP local
We need to set up an address pool to assign VPN clients with IP addresses. The clients will be on a virtual subnet distinct from the subnets of the existing interfaces on the Cisco router.
R1(config)# ip local pool VPN_CLIENT_POOL 192.168.20.200 192.168.20.210
Configuring ISAKMP Policy
ISAKMP is the Internet Security Association and Key Management Protocol. For short called IKE it is the protocol that negotiates to allow two hosts to decide on how to build an IPsec security association (SA). There are two phases to the negotiation. The phase 1 negotiation sets up the tunnel to secure future management traffic. Phase 2 creates a tunnel to protect the actual data crossing the connection.
Now we will create the ISAKMP policies for clients. Here we will define the authentication and encryption methods that the hosts will use. All of the parameters of the policy must match and be agreed upon between the hosts or the secure connection will not be established.
First we’ll ensure that ISAKMP is turned on.
R1(config)# crypto isakmp enable
Now we’ll define a policy number. The lower policy numbers have preference and will be used first if the parameters match. If not the next policy will be tested.
R1(config)# crypto isakmp policy 10
We will use a preshared key that we’ll type into both the router and the VPN client. Optionally we can use certificates which is more complex to set up but will simplify management later.
R1(config-isakmp)# authentication pre-share
We’ll use triple DES for the encryption level to generate our symmetric shared secret key.
R1(config-isakmp)# encryption 3des
We will use the SHA hashing algorithm which is used to check the integrity of the data transmitted in our secure tunnel.
R1(config-isakmp)# hash sha
We will specify Diffie-Hellman group 2 for our method of establishing secure communication. The groups specify different levels of encryption of DH asymmetric key set, I believe group 2 is 1024 bit.
R1(config-isakmp)# group 2
Optionally we can specify a lifetime when our symmetric key is regenerated, I believe the default is 86400.
R1(config-isakmp)# lifetime 3600 R1(config-isakmp)# exit
We need to specify the VPN client group settings. Here is where we specify what settings will by assigned to the VPN client group, we will need to specify this VPN group name later in the VPN client software.
R1(config)# crypto isakmp client configuration group VPN_CLIENTS
In this config we will identify the preshared key for this group. We will also specify the DNS server to use, the default domain name, and the pool from which the VPN client will receive an IP address.
R1(config-isakmp-group)# key ClientVpnKey R1(config-isakmp-group)# dns 192.168.2.4 R1(config-isakmp-group)# domain test.local R1(config-isakmp-group)# pool VPN_CLIENT_POOL
We also need to have this group use an access list that will allow us to implement a split tunnel. This will allow encryption of traffic sent between the VPN clients and the internal network but not encrypt everything else. Traffic to the internet will not utilize the VPN tunnel.
R1(config-isakmp-group)# acl 110 R1(config-isakmp-group)# exit
We must now create the access control list where we define the subnets for the internal network and the VPN client pool.
R1(config)# access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
It is time to specify the IPSec transform set which will use the ISAKMP Phase 2 policy parameters we set earlier.
R1(config)# crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac R1(config)# exit
Now it is time to create a dynamic crypto map entry. This is an empty shell of a map so we must also create a real map later.
R1(config)# crypto dynamic-map EXT_DYNAMIC_MAP 10 R1(config-crypto-map)# set transform-set TRANS_3DES_SHA R1(config-crypto-map)# exit
This will turn on server response to client configuration requests, such as when then client requests the DNS settings specified in the client configuration group earlier. We must include the dynamic crypto map name as well.
R1(config)# crypto map EXT_MAP client configuration address respond
We need to apply the AAA authentication and authorization methods to the crypto ISAKMP policy. Again we are using the local database of users.
R1(config)# crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN R1(config)# crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
Now we need to attach the dynamic crypto map template to the real crypto map. Our real crypto map may have other connections like site to site VPN included as well.
R1(config)# crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
Now we need to attach the real crypto map to our external interface.
R1(config)# int f0/0 R1(config-if)# crypto map EXT_MAP R1(config-if)# exit
Now we will tell NAT to not translate traffic from the internal subnet destined for our VPN client pool. We have to insert the deny statement before the existing permit, so we’ll specify 5 for the sequence number (the default for the permit should be 10):
R1(config)# ip access-list extended NAT R1(config-ext-nacl)# 5 deny ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
Whew! Okay we should finally be done. Exit and write to memory:
R1(config-ext-nacl)# exit R1(config)# wr
IPsec EasyVPN Client Configuration
Now we’ll configure the client side of things. As you’ll see the IPsec EasyVPN makes this as the name suggests easy! Install the Cisco VPN Client and reboot. Once completed launch the application:
Enter a connection entry name and type the external interface name of the router. Enter the VPN group name that you entered in the Cisco IOS earlier along with the key for the group (ClientVpnKey) as the password. Click Save. That’s it for the client configuration!
Highlight the connection you created and click Connect. If all goes well it will prompt you for a username/password. Enter the information that you specified for the user in the Cisco IOS local database (aaron/p@ssw0rd). Hopefully you will now be connected!