Easy VPN with Hardware client, NEM enabled, auto connect:-
Easy VPN SERVER (Cisco ASA 5520):-
- A NAT exemption (identity NAT) between the encryption domains is required if NAT/PAT is applied on the outside interface, so that traffic destined for the remote site is not translated before it is encrypted.
- ACL for split-tunnel (if required)
- ISAKMP policy and IPsec transform-set
- Dynamic-map and crypto-map
- Group-policy attributes (nem enabled)
- Tunnel-group (xauth is the default user authentication on the ASA; disable it if the hardware client is to connect automatically)
    nat (inside,outside) source static 4.4.4.4 4.4.4.4 destination static 11.11.11.11 11.11.11.11 no-proxy-arp route-lookup
    !
    access-list splitacl1 standard permit host 4.4.4.4
    !
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    !
    crypto ipsec ikev1 transform-set esp-3des esp-3des esp-sha-hmac
    !
    crypto dynamic-map dyn-map 10 set ikev1 transform-set esp-3des
    crypto dynamic-map dyn-map 10 set reverse-route
    crypto map outmap 100 ipsec-isakmp dynamic dyn-map
    crypto map outmap interface outside
    !
    group-policy r1policy internal
    group-policy r1policy attributes
     group-lock value R1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value splitacl1
     nem enable
    !
    tunnel-group R1 type remote-access
    tunnel-group R1 general-attributes
     default-group-policy r1policy
    tunnel-group R1 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev1 user-authentication none
Easy VPN Hardware CLIENT (Cisco 1760 router):-
- crypto ipsec client ezvpn HQVPN – the client settings are configured under this command
- connect auto – always-on connection; no user authentication is required from the hardware client
- group R1 key ciscor1 – the tunnel-group name and pre-shared key configured on the Easy VPN server
- local-address – the IP address that is presented to the server as the IKE peer. The intermediary routers must have a route to this address. For example, if the local-address is a loopback on the hardware client, the intermediary routers need a route to that loopback IP.
- mode – network-extension (extends the LAN across the tunnel, similar to a site-to-site VPN)
- peer – IP address of the Easy VPN server
    crypto ipsec client ezvpn HQ
     connect auto
     group R1 key *******
     local-address Loopback1
     mode network-extension
     peer 10.1.111.1
     xauth userid mode interactive
    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.255
     crypto ipsec client ezvpn HQ inside
    !
    interface Loopback1
     ip address 111.111.111.111 255.255.255.255
     crypto ipsec client ezvpn HQ inside
    !
    interface FastEthernet0/0
     ip address 10.1.101.1 255.255.255.0
     speed auto
     crypto ipsec client ezvpn HQ outside
Verification:-
    ASA1# show crypto isakmp sa

    IKEv1 SAs:

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 111.111.111.111
        Type    : user            Role    : responder
        Rekey   : no              State   : AM_ACTIVE

    R1# show crypto ipsec client ezvpn
    Easy VPN Remote Phase: 4

    Tunnel name : HQ
    Inside interface list: Loopback0
    Outside interface: FastEthernet0/0
    Current State: IPSEC_ACTIVE
    Last Event: SOCKET_UP
    Save Password: Disallowed
    Split Tunnel List: 1
           Address    : 4.4.4.4
           Mask       : 255.255.255.255
           Protocol   : 0x0
           Source Port: 0
           Dest Port  : 0
    Current EzVPN Peer: 10.1.111.1

    R1# show crypto isakmp sa
    dst             src             state          conn-id slot status
    10.1.111.1      111.111.111.111 QM_IDLE              5    0 ACTIVE
Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/