Cisco Router 850 Series Software Configuration Guide

CH A P T E R
 
6-1
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
6
Configuring a VPN Using Easy VPN and an IPSec 
Tunnel
The Cisco 870 series routers support the creation of Virtual Private Networks (VPNs).
Cisco routers and other broadband devices provide high-performance connections to the Internet, but 
many applications also require the security of VPN connections which perform a high level of 
authentication and which encrypt the data between two...

 
6-2
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 6      Configuring a VPN Using Easy VPN and an IPSec Tunnel
  
Figure 6-1 Remote Access VPN Using IPSec Tunnel
2
1
121782
Internet
34
5
6
1Remote, networked users
2VPN client—Cisco 870 series access router
3Router—Providing the corporate office network access
4VPN server—Easy VPN server; for example, a  Cisco VPN 3000 concentrator with outside 
interface address 210.110.101.1
5Corporate office...

 
6-3
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 6      Configuring a VPN Using Easy VPN and an IPSec Tunnel
NoteThe Cisco Easy VPN client feature supports configuration of only one destination peer. If your 
application requires creation of multiple VPN tunnels, you must manually configure the IPSec VPN and 
Network Address Translation/Peer Address Translation (NAT/PAT) parameters on both the client and the 
server. 
Configuration Tasks 
Perform...

 
6-4
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 6      Configuring a VPN Using Easy VPN and an IPSec Tunnel
  Configure the IKE Policy
Configure the IKE Policy
Perform these steps to configure the Internet Key Exchange (IKE) policy, beginning in global 
configuration mode:
Command or ActionPurpose
Step 1crypto isakmp policy  priority  
Example:
Router(config)#  crypto isakmp policy 1Router(config-isakmp)# 
Creates an IKE policy th at is used...

 
6-5
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 6      Configuring a VPN Using Easy VPN and an IPSec Tunnel   Configure Group Policy Information
Configure Group Policy Information
Perform these steps to configure the group policy, beginning in global configuration mode:
Command or ActionPurpose
Step 1crypto isakmp client configuration group 
{ group-name  | default }
Example:
Router(config)#  crypto isakmp client 
configuration group...

 
6-6
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 6      Configuring a VPN Using Easy VPN and an IPSec Tunnel
  Apply Mode Configura tion to the Crypto Map
Apply Mode Configuration to the Crypto Map
Perform these steps to apply mode configuration to  the crypto map, beginning in global configuration 
mode:
Command or ActionPurpose
Step 1crypto map  map-name isakmp authorization list 
list-name
Example:
Router(config)#  crypto map dynmap isakmp...

 
6-7
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 6      Configuring a VPN Using Easy VPN and an IPSec Tunnel
  Configure IPSec Transforms and Protocols
Configure IPSec Transforms and Protocols
A transform set represents a certain combination of security protocols and algorithms. During IKE 
negotiation, the peers agree to use a particular transform set for protecting data flow. 
During IKE negotiations, the peers search in multiple transform sets...

 
6-8
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 6      Configuring a VPN Using Easy VPN and an IPSec Tunnel
  Configure the IPSec Crypto Method and Parameters
Perform these steps to specify the IPSec transform se t and protocols, beginning in global configuration 
mode:
Command or ActionPurpose
Step 1crypto ipsec transform-set  transform-set-name 
transform1  [transform2 ] [transform3 ] 
[ transform4 ]
Example:
Router(config)#  crypto ipsec...

 
6-9
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 6      Configuring a VPN Using Easy VPN and an IPSec Tunnel
  Apply the Crypto Map to the Physical Interface
Apply the Crypto Map to the Physical Interface
The crypto maps must be applied to each interface through which IP Security (IPSec) traffic flows. 
Applying the crypto map to the physical interface instructs the router to evaluate all the traffic against 
the security associations database....

 
6-10
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01 
Chapter 6      Configuring a VPN Using Easy VPN and an IPSec Tunnel
  Create an Easy VPN Remote Configuration
Create an Easy VPN Remote Configuration 
The router acting as the IPSec remote router must create an Easy VPN remote configuration and assign 
it to the outgoing interface. 
Perform these steps to create the remote configuration, beginning in global configuration mode:
Step 2crypto map map-name...