Create an Easy VPN Remote Configuration | Cisco Systems C819GUK9

Chapter 13 Configuring a VPN Using Easy VPN and an IPSec Tunnel

Configuration Tasks

Apply the Crypto Map to the Physical Interface

The crypto maps must be applied to each interface through which IP Security (IPSec) traffic flows. Applying the crypto map to the physical interface instructs the router to evaluate all the traffic against the security associations database. With the default configurations, the router provides secure connectivity by encrypting the traffic sent between remote sites. However, the public interface still allows the rest of the traffic to pass and provides connectivity to the Internet.

Perform these steps to apply a crypto map to an interface, beginning in global configuration mode:

SUMMARY STEPS

1.interface type number

2.crypto map map-name

3.exit

DETAILED STEPS

	Command or Action	Purpose
Step 1
Step 1	interface type number	Enters the interface configuration mode for the
	Example:	interface to which you want the crypto map
	Example:	applied.
	Router(config)# interface fastethernet 4
	Router(config-if)#
Step 2
Step 2	crypto map map-name	Applies the crypto map to the interface.
	Example:	See Cisco IOS Security Command Reference for
	Example:	more details about this command.
	Router(config-if)# crypto map static-map	more details about this command.
	Router(config-if)# crypto map static-map
	Router(config-if)#
Step 3
Step 3	exit	Returns to global configuration mode.
	Example:
	Router(config-crypto-map)# exit
	Router(config)#

Create an Easy VPN Remote Configuration

The router acting as the IPSec remote router must create an Easy VPN remote configuration and assign it to the outgoing interface.

Perform these steps to create the remote configuration, beginning in global configuration mode:

SUMMARY STEPS

1.crypto ipsec client ezvpn name

2.group group-name key group-key

3.peer {ipaddress hostname}

	Cisco 819 Integrated Services Routers Software Configuration Guide
13-10	OL-23590-02

Image 158

Cisco Systems C819GUK9 Apply the Crypto Map to the Physical Interface, Create an Easy VPN Remote Configuration, 13-10

Contents

Americas Headquarters Text Part Number OL-23590-02 September 2Page N T E N T S Data Account Provisioning Configuring a Cellular Interface Specifying a Synchronous Serial Interface Create a Cisco Easy VPN Remote Configuration NAT Getting Help TACACS+ OL-23590-02 Product Overview General Description 1shows the Cisco 819HG ISR SKU Information New Features3G Features Security Features Wlan FeaturesPlatform Features Wireless Device Overview ScanSafe Color Description Tftp support with Ethernet WAN interfaceLEDs Rssi Router# show controllers cellular Dual-Radio Wireless Local Area NetworkWlan Features Dynamic Frequency Selection CleanAir TechnologyImages Supported LEDs Wlan LED OL-23590-02 4G LTE Wireless WAN OL-23590-02 Basic Router Configuration Router Interface Port Label Default ConfigurationInterface Ports Information Needed for Configuration OL-23590-02 Configuring Command-Line Access Line aux console tty vty line-number Password password Login Command Purpose Example Exits line configuration mode and returns to Enables password checking at the virtual terminalSession login Privileged Exec mode Configuring Global Parameters No shutdown Exit Configuring WAN InterfacesConfiguring a Gigabit Ethernet WAN Interface Configuring the Cellular Wireless WAN Interface Example Prerequisites for Configuring the 3G Wireless Interface Restrictions for Configuring the Cellular Wireless Interface Command or Action Purpose Data Account Provisioning Details about the command parameters Shows the radio signal strengthSignal strength, the network security, and so on Displays the cellular gps information Manual Activation 2lists the modem data profile parametersActivation and Provisioning Process Carrier Cellular unit cdma activate manual mdn msid msl Router # cellular 0 cdma activate otasp phonenumber Activating with Over-the-Air Service ProvisioningCellular cdma activate iota Configuring a Cellular Interface Configuring DDR Interface cellular Dialer string string Specifies the number of the dialer access group to Enters global configuration modeEnables DDR and configures the specified serial Enters the global configuration mode Exits line configuration mode Specifies the line configuration mode. It is alwaysSpecifies a default modem chat script Configures this line for GSM Examples for Configuring Cellular Wireless Interfaces This section provides the following configuration examples Tunnel over Cellular Interface Configuration Following shows how to configure an HSPA+ modem Configuring Dual SIM for Cellular Networks Command Syntax Description Cellular GSM SIM Perform the following commands to manually switch the SIMFollowing command forces the modem to connect to SIM1 Locks or unlocks the SIM Rommon Behavior IOS Behavior Output When Button Is Not Pushed ExampleOutput When Button Is Pushed Example Push Button in Wlan AP Configuring a Loopback InterfaceConfiguring the Fast Ethernet LAN Interfaces Verifying Configuration Router# show interface loopback Configuring Static Routes Another way to verify the loopback interface is to ping it Example Configuring Dynamic RoutesVerifying Configuration Router rip Version 1 Configuring Routing Information ProtocolCommand Task No auto-summary End Configuring Enhanced Interior Gateway Routing Protocol Router eigrp as-number Eigrp on the router. The autonomous-system Enters router configuration mode and enablesBe applied, using the IP address of the network Number identifies the route to other Eigrp routers OL-23590-02 819 Yes Configuring Backup Data Lines and Remote ManagementConfiguring Backup Interfaces Assigns an interface as the secondary or backup Enters interface configuration mode forInterface for which you want to configure backup Be configured to back up a serial 0 interface Configure terminal Configuring Cellular Dial-on-Demand Routing BackupConfiguring DDR Backup Using Dialer Watch Dialer watch group group-number Using the chat script command Enables dialer watch on the backup interfaceDo not use the access list permit all command to Specifies the interface Configuring DDR Backup Using Floating Static Route No aaa new-model Source-interface Dialer2 Line vty 0 4 login Scheduler max-task-time Webvpn cef end Dial Backup and Remote Management Through the Auxiliary Port Ip name-server server-address Ip dhcp pool name Exit Sample commands that you can use in Dhcp Enters Dhcp pool configuration mode. The nameConfigure the Dhcp address pool. For Pool configuration mode, see the Example Enters configuration mode for the line interface Enters configuration mode for the auxiliary Switches the port from console to auxiliary portExits the configure interface mode Enables hardware signal flow control Ppp authentication pap callin PC IP address behind CPE OL-23590-02 Environmental and Power Management Router# show environment Environmental and Power Management Cisco EnergyWise Support Cisco EnergyWise Support Configuring the Serial Interface WAN Concentration Legacy Protocol Transport Configuring Serial InterfacesProduct Number Cable Type Length Connector Type PPP Encapsulation Information About Configuring Serial InterfacesCisco Hdlc Encapsulation Keepalive Timer Multilink PPP Frame Relay Encapsulation LMI on Frame Relay Interfaces How to Configure Serial InterfacesConfiguring a Synchronous Serial Interface This section contains the following tasks Specifying Synchronous Serial Encapsulation Configures synchronous serial encapsulationSpecifying a Synchronous Serial Interface Signals Configuring PPPConfigures an Sdlc interface for half-duplex mode Encapsulation hdlc Compress stac Configuring Compression of Hdlc DataUsing the Nrzi Line-Coding Format Nrzi-encoding Transmit-clock-internal Inverting the Transmit Clock SignalEnabling the Internal Clock Invert txclock Invert rxclock Ignoring DCD and Monitoring DSR as Line Up/Down Indicator Setting Transmit DelayConfiguring DTR Signal Pulsing Specifying the Serial Network Interface Module Timing Dce-terminal-timing enableConfigures the DCE to use Scte from the DTE Ignore-dcd Specifies timing configuration to invert TXC clock Dte-invert-txc Configuring Low-Speed Serial Interfaces Understanding Half-Duplex DTE and DCE State Machines Half-Duplex DCE State Machines Half-Duplex DCE Transmit State Machine Places a low-speed serial interface Constant-carrier modeNo half-duplex controlled-carrier Physical-layer sync async Sdlc cts-delay Sdlc rts-timeoutChanging Between Synchronous and Asynchronous Modes Returns the interface to its default mode, which is Configuration ExamplesInterface Enablement Configuration Examples No physical-layer Low-Speed Serial Interface Examples Synchronous or Asynchronous Mode ExamplesHalf-Duplex Timers Example Configuring Security Features Authentication, Authorization, and Accounting Configuration Commands Configuring AutoSecureConfiguring Access Lists ACL Type Configuring Cisco IOS Firewall Access Groups URL Filtering Configuring Cisco IOS IPSConfiguring VPN Remote Access VPN VPN client-Cisco 819 ISR Site-to-Site VPNBranch office containing multiple LANs and VLANs Corporate office network Configure the IKE Policy Configuration ExamplesConfigure a VPN over an IPSec Tunnel Command or Action Purpose Configure Group Policy Information Domain name Exit For details about this command and additional Apply Mode Configuration to the Crypto MapExits IKE group policy configuration mode Specifies a local address pool for the group Enable Policy Lookup Crypto ipsec profile profile-name Configure IPSec Transforms and ProtocolsConfigure the IPSec Crypto Method and Parameters See Cisco IOS Security Command Reference for Crypto map map-name Exit Where to Go NextApply the Crypto Map to the Physical Interface Crypto ipsec client ezvpn name outside inside Exit Create a Cisco Easy VPN Remote ConfigurationCrypto ipsec client ezvpn name Configuration Example Configure a Site-to-Site GRE Tunnel Creates a tunnel interface and enters interface Returns to global configuration mode No cdp run Restrictions for the FE Switch Configuring the Ethernet SwitchesSwitch Port Numbering and Naming 10-1 Information About Ethernet Switches Igmp Snooping Switched Port AnalyzerOverview of Snmp MIBs Storm Control MIBs MIBs Link BRIDGE-MIB for Layer 2 Ethernet SwitchingRouterconfig#snmp-server community public RW 10-4 MAC Address Notification 10-5 VLANs on the FE Ports How to Configure Ethernet SwitchesConfiguring VLANs 10-6 VLANs on the GE Port Configuring Layer 2 InterfacesSwitchport mode dynamic desirable Comand Purpose 10-8 Configuring 802.1x AuthenticationConfiguring Spanning Tree Protocol Port Security Configuring MAC Table ManipulationConfiguring Cisco Discovery Protocol 10-9 Configuring Igmp Snooping Configuring the Switched Port AnalyzerConfiguring IP Multicast Layer 3 Switching Configuring Per-Port Storm Control Configuring Fallback Bridging 10-11 Managing the Switch 10-12 Configuring PPP over Ethernet with NAT 11-1 PPPoE Configuration TasksConfigure the Virtual Private Dialup Network Group Number 11-2 Configure the Fast Ethernet WAN Interfaces 11-3 Configure the Dialer Interface 11-4 Ip address negotiated Ip mtu bytes 11-5 Configure Network Address Translation 11-6 Ip nat inside outside No shutdown Exit 11-7 11-8 Configuration Example 11-9 11-10 Verifying Your Configuration 11-11 11-12 Configuring a LAN with Dhcp and VLANs 12-1 12-2 Configure DhcpVLANs Detailed Steps 12-3 Verify Your Dhcp Configuration 12-4 12-5 Configure VLANsVlan ? Example Assign a Switch Port to a VlanSwitchport access vlan vlan-id End 12-6 Verify Your Vlan Configuration 12-7 12-8 Router# vlan database Router# show vlan-switch 12-9 12-10 Configuring a VPN Using Easy VPN and an IPSec Tunnel 13-1 VPN client-Cisco 819 ISRs Cisco Easy VPNRemote, networked users VPN server-Easy VPN server Configure the IKE Policy 13-3 Lifetime seconds Exit For the group by using the wins command Configure Group Policy InformationInternet Naming Service Wins servers 13-5 Apply Mode Configuration to the Crypto Map 13-6 13-7 Enable Policy LookupLogin, and specifies the method used 13-8 Configure IPSec Transforms and ProtocolsConfigure the IPSec Crypto Method and Parameters 13-9 13-10 Create an Easy VPN Remote ConfigurationApply the Crypto Map to the Physical Interface Mode client network-extension network extension plus Exit 13-11 13-12 Verifying Your Easy VPN ConfigurationFollowing example verifies your easy vpn connection 13-13 13-14 Configuring the Router from a PC Cisco IOS Software Basic Skills Understanding Command Modes PC Operating System Terminal Emulation Software User Exec Begin a session with To exit to user Exec Use this mode toGlobal Enter the configure As interface atm Router Enter one of the router Configuration mode Routing protocol AppropriateGetting Help Router rip-from You can now make changes to your router configuration Enable Secret Passwords and Enable PasswordsEntering Global Configuration Mode Undoing Commands Using CommandsAbbreviating Commands Command-Line Error Messages Summary Saving Configuration ChangesWhere to Go Next OL-18906-02 Concepts Network Protocols Protocol Ideal Topology Metric Routing Updates Routing Protocol Options PPP Authentication Protocols Enhanced Igrp Ethernet Chap Floating Static Routes Dial BackupBackup Interface Dialer Watch Easy IP Phase QoS IP Precedence PPP Fragmentation and Interleaving Access Lists Low Latency Queuing OL-18906-02 ROM Monitor Configure terminal Enters global configuration modeConfig-reg Resets the configuration register Entering the ROM Monitor Reload ROM Monitor CommandsExits global configuration mode Prompt increments with each new line Command Description Command DescriptionsDisaster Recovery with Tftp Download Required Variables Tftp Download Command VariablesVariable Command Optional Variables Using the Tftp Download CommandConfigures how the router displays file Examples You will see an output similar to the following Type Embedded AP s Appendix C ROM Monitor Configuration Register Appendix C ROM Monitor Configuration Register Changing the Configuration Register Manually Changing the Configuration Register Using Prompts Command Description Console Download Context-Displays processor context for example Debug CommandsError Reporting Exiting the ROM Monitor Appendix C ROM Monitor Exiting the ROM Monitor Common Port Assignments Port Keyword Description Procedure Call Any private RJE serviceISO-Transport Service Access Point Authentication service