Chapter 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel

BETA DRAFT - CISCO CONFIDENTIAL

1  Remote, networked users
2  VPN client—Cisco 1800 series integrated services router
3  Router—Providing the corporate office network access
4  VPN server—Easy VPN server; for example, a Cisco VPN 3000 concentrator with outside interface address 192.168.101.1
5  Corporate office with a network address of 10.1.1.1
6  IPSec tunnel

Cisco Easy VPN

The Cisco Easy VPN client feature eliminates much of the tedious configuration work by implementing the Cisco Unity Client protocol. This protocol allows most VPN parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, WINS server addresses, and split-tunneling flags, to be defined at a VPN server, such as a Cisco VPN 3000 series concentrator that is acting as an IPSec server.

An Easy VPN server–enabled device can terminate VPN tunnels initiated by mobile and remote workers who are running Cisco Easy VPN Remote software on PCs. Easy VPN server–enabled devices allow remote routers to act as Easy VPN Remote nodes.

The Cisco Easy VPN client feature can be configured in one of two modes—client mode or network extension mode. Client mode is the default configuration and allows only devices at the client site to access resources at the central site. Resources at the client site are unavailable to the central site.

Network extension mode allows users at the central site (where the VPN 3000 series concentrator is located) to access network resources on the client site.

After the IPSec server has been configured, a VPN connection can be created with minimal configuration on an IPSec client, such as a supported Cisco 1800 integrated services router. When the IPSec client initiates the VPN tunnel connection, the IPSec server pushes the IPSec policies to the IPSec client and creates the corresponding VPN tunnel connection.

Note: The Cisco Easy VPN client feature supports configuration of only one destination peer. If your application requires creation of multiple VPN tunnels, you must manually configure the IPSec VPN and Network Address Translation/Peer Address Translation (NAT/PAT) parameters on both the client and the server.

Configuration Tasks

Perform the following tasks to configure your router for this network scenario:

Configure the IKE Policy

Configure Group Policy Information

Apply Mode Configuration to the Crypto Map

Enable Policy Lookup

Configure IPSec Transforms and Protocols

Configure the IPSec Crypto Method and Parameters

Apply the Crypto Map to the Physical Interface

Create an Easy VPN Remote Configuration
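
The following sketch covers only the last task, the Easy VPN Remote (client) side, and shows where the mode and single-peer choices described above appear in the configuration. It is an added example, not text from the original guide. The profile name EZVPN-REMOTE, the group name REMOTE-GROUP, the <GROUP-KEY> placeholder, and the interface names are assumptions. The peer address is the VPN server outside interface from item 4 of the figure legend.

```cisco
! Added example: Easy VPN Remote (client) side only.
! EZVPN-REMOTE, REMOTE-GROUP, <GROUP-KEY>, and the interface names are
! assumptions. Replace them with the values used in your deployment.
crypto ipsec client ezvpn EZVPN-REMOTE
! Bring the tunnel up automatically instead of waiting for a manual connect.
 connect auto
! The group name and key must match the group policy defined on the server.
! <GROUP-KEY> is a placeholder. Use a long random key unique to this group.
 group REMOTE-GROUP key <GROUP-KEY>
! "client" is the default mode: devices at the client site can reach the
! central site, but client-site resources stay unavailable to the central site.
! Changing this to "mode network-extension" makes client-site resources
! reachable from the central site, so choose it only when that exposure
! is intended.
 mode client
! Only one destination peer is supported by this feature (see the Note above).
 peer 192.168.101.1
!
! Interface facing the VPN server (assumed WAN interface).
interface FastEthernet0
 crypto ipsec client ezvpn EZVPN-REMOTE outside
!
! Interface facing the local users (assumed LAN interface).
interface Vlan1
 crypto ipsec client ezvpn EZVPN-REMOTE inside
```

After the tunnel is up, `show crypto ipsec client ezvpn` reports the active mode and the parameters pushed by the server, which is the quickest way to confirm that the router is running in the mode you intended.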

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide


OL-6426-02

 

 
