Cisco VPN LAB 1: Simple Easy VPN Example between Routers

VPN Lab Series:
Cisco VPN LAB 1 : Simple Easy VPN Example between Routers and Comparison with DMVPN
Cisco VPN LAB 2 : IPSec VPN Example Between Two ASA 8.4.2
Cisco VPN LAB 3 : EZ VPN Between ASA 8.4.2, IOS Router and EZVPN Client Software

Working on Easy VPN and DMVPN, I completed this first lab for EZVPN lab and also list some using resource at the bottom of this post.

1. Topology

It is still with my favorite IOU rack v3. The physical connection with IP addresses have been shown on the diagram.

R1 will be easy VPN server and R2 will be the client. This lab will show how to configure a basic easy vpn client / server set up. R3 and R6 will be only used to do test ping with only default route and interface ip configured on them.

2. Configuration: (Redundancy configuration have been omitted)

@EZVPN Server Configuration
R1#show run
Building configuration...

Current configuration : 2631 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 1

!--- Enable Authentication, Authorizing and Accounting (AAA)

!--- for user authentication and group authorization.

aaa new-model

!--- Enable the AAA commands in order 
!--- to enable Xauth for user authentication.

aaa authorization network hw-client-groupname local 

!--- Enable the AAA commands
!--- in order to enable group authorization.

aaa authorization network groupauthor local 
!
!
!         
!
aaa session-id common
clock timezone CST 8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip source-route
!
ip cef
no ip domain lookup
no ipv6 traffic interface-statistics
no ipv6 cef
!
multilink bundle-name authenticated

!--- Define the username and password to use for Xauth.

username cisco password 0 cisco123
!
redundancy
! 

!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.

crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!

!--- Create a group with the pre-shared key for IKE authentication.

crypto isakmp client configuration group hw-client-groupname
 key hw-client-password

!--- Create the Phase 2 policy for actual data encryption.

crypto ipsec transform-set transform-1 esp-des esp-sha-hmac 
!

!--- Create a dynamic map and
!--- apply the transform set that was created earlier.

crypto dynamic-map dynmap 1
 set transform-set transform-1 
 reverse-route
!

!--- Create the actual crypto map,
!--- and apply the AAA lists that were created earlier.
!--- These commands associate the AAA commands to the crypto map.

crypto map dynmap isakmp authorization list hw-client-groupname
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap 
!

!--- Apply the crypto map on the interface where
!--- traffic leaves the router.

interface Ethernet0/0
 description connected to Internet
 ip address 20.20.20.2 255.255.255.0
 crypto map dynmap
!
interface Ethernet0/1
 no ip address
 shutdown 
!
interface Ethernet0/2
 ip address 30.30.30.1 255.255.255.0
!
!
ip forward-protocol nd
!
!         
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
exception data-corruption buffer truncate

end

@EZVPN Client Configuration
R2#sh run
Building configuration...

Current configuration : 2420 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
security passwords min-length 1
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local 
!
aaa session-id common
clock timezone CST 8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip source-route
!
!
ip cef
no ip domain lookup
ip domain name cisco.com
no ipv6 traffic interface-statistics
no ipv6 cef
!
multilink bundle-name authenticated
!
username cisco password 0 cisco123
!
redundancy

!--- Set the parameters to connect to the 
!--- appropriate Easy VPN group on the Easy VPN server.

crypto ipsec client ezvpn hw-client
 connect auto
 group hw-client-groupname key hw-client-password
 mode client
 peer 20.20.20.2
 xauth userid mode interactive
!

!--- Use the crypto ipsec client ezvpn <name> command on the
!--- interface that connects to the Easy VPN server
!--- in order to complete the Easy VPN.

interface Ethernet0/0
 description INTERNET
 ip address 20.20.20.1 255.255.255.0
 crypto ipsec client ezvpn hw-client

!--- Define the inside interfaces that will access 
!--- and can be accessed via Easy VPN.

interface Ethernet0/1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 crypto ipsec client ezvpn hw-client inside
!
interface Ethernet0/2
 no ip address
 shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
exception data-corruption buffer truncate
end

3. Verify

R2#show crypto ipsec sa

interface: Ethernet0/0
    Crypto map tag: Ethernet0/0-head-0, local addr 20.20.20.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (30.30.30.20/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 20.20.20.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 20.20.20.2
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x2B595786(727275398)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD56D693B(3580717371)

R2#show crypto ipsec client ezvpn 
Easy VPN Remote Phase: 8

Tunnel name : hw-client
Inside interface list: Ethernet0/1
Outside interface: Ethernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 30.30.30.20 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 30.30.30.10
DNS Secondary: 30.30.30.11
NBMS/WINS Primary: 30.30.30.12
NBMS/WINS Secondary: 30.30.30.13
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 20.20.20.2

When ping from R2 (10.10.10.1) to R6 (30.30.30.30) and show crypto ipsec sa, we see encrypted packet is 5 but decrypted packet is 4. That is because first ping packet failed to reach the destination as we can see it from ping following result. After that, all ping packets will be encrypted and decrypted properly.

R2#ping 30.30.30.30 source 10.10.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.30.30.30, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/8 ms

R2#show crypto ipsec sa            

interface: Ethernet0/0
    Crypto map tag: Ethernet0/0-head-0, local addr 20.20.20.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (30.30.30.20/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 20.20.20.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

******Some Other Resources. 

From Cisco page:

• Cisco Enhanced Easy VPN and DMVPN Comparison

Service/Feature Name	Enhanced Easy VPN	DMVPN
Scalability per Hub	Large number of spokes can be supported per hub	Depends on routing protocol chosen
Identical Configuration for All Spokes	Yes	No
Cross-Platform Support	Yes	No
Support for Software/Hardware Client	Yes	No software client support
Stateful Failover	No; but available with legacy Easy VPN	Depends on routing protocol for recovery
Always up Tunnel to Hub	Not required	Yes
Support for Multicast Traffic	Yes	Yes
Spoke-to-Spoke Direct Communication	No	Yes
Support for QoS	Yes	Yes
Support for Routing Protocols	No	Yes
Support for Certificates	Yes	Yes

• Cisco Site-to-Site VPN Solution Comparison

	Cisco GET-VPN	Cisco DMVPN	Cisco GRE-Based VPN	Cisco Easy VPN	Standard IPsec VPN
		Tunnel-less VPN		Tunnel-based VPN
Customer Benefits	• Simplifies encryption integration on IP and Multiprotocol Label Switching (MPLS) WANs • Simplifies encryption management through use of "group laying" instead of point-to-point key pairs • Enables scalable and manageable any-to-any connectivitiy between sites • Supports quality of services (QoS) multicase and routing	• Simplifies encryption of configuration and management for point-to-point GRE tunnels • Supports QoS, multicast, and routing	• Enable transport of multicast and routing traffic across an IPsec VPN • Support non-IP protocols • Supports QoS	• Simplifies IPsec and remote-site device management through dynamic configuration policy-push • Supports QoS	• Provides encryption between sites • Supports QoS
When to Use	• Add encryption to MPLS or IP WANs while preserving any-to-any connectivity and networking features • Other scalable, full-time meshing for IPsec VPNS • Enables participation of smaller routers in meshed networks • Simplifies encryption key management while supporting routing, QoS, and multicast	• Simplifies configuration for hub-and-spoke VPNs while supporting routing, QoS, and multicast • Provides low-scale, on-demand meshing	• Use when routing must be supported across the VPN • Use for same functions as hub-and-spoke DMVPN, but it requires more detailed configuration	• Use when simplifying overall VPN • Configuration and management is the primary goal but only limited networking features are required • Use to provide simple, unified configuration framework for mix of Cisco VPN products	• Use when multivendor interoperability is required
Product Interoperability	Cisco routers only	Cisco routers only	Cisco routers only	Cisco ASA 5500 Series, Cisco VPN 3000 Series, and Cisco PIX® Firewall	Mutlivendor
Scale	Thousands	Thousands hub and spoke; hundreds partially meshed spoke-to-spoke connections	Thousands	Thousands	Thousands
Provisioning and Management	CLI Cisco Security Manager	Cisco Security Manager and Cisco Router and Security Device Manager	Cisco Security Manager and Cisco Router and Security Device Manager	Configuration automatically pushed to remote sites from headend; headend policies defined in Cisco Security Manager or Cisco Router and Security Device Manager	Cisco Security Manager and Cisco Router and Security Device Manager
Topology	Hub and spoke; any-to-any	Hub and spoke on-demand spoke-to-spoke partial mesh; spoke-to-spoke connections automatically terminated when no traffic present	Hub and spoke; small-scale meshing as manageability allows	Hub and spoke	Hub and spoke; small-scale meshing as manageability allows
Routing	Supported; Cisco GET-VPN any-to-any connectivity capability can also be used to provide secure routing across any entire router backbone	Supported	Supported	Not Supported	Not Supported
QoS	Supported	Supported	Supported	Supported but QoS policy is not dynamically pushed to the remote sites	Supported
Multicast	Natively supported across MPLS and private IP networks, tunneled across Internet-based WANs	Tunneled	Tunneled	Not Supported	Not Supported
Non-IP Protocols	Not Supported	Not Supported	Supported	Not Supported	Not Supported
Private IP Addressing	Requires use of GRE or DMVPN with Cisco GET-VPN to support private addresses across public Internet backbones	Supported	Supported	Supported	Supported
High Availability	Routing	Routing	Routing	Stateless failover	Stateless failover