Cisco Router 850 Series Software Configuration Guide

    							 
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01

Chapter 6  Configuring a VPN Using Easy VPN and an IPSec Tunnel
Step 5  exit
Example:
Router(config-crypto-ezvpn)# exit
Router(config)#
Returns to global configuration mode.

Step 6  interface type number
Example:
Router(config)# interface fastethernet 4
Router(config-if)#
Enters interface configuration mode for the interface to which you want the Cisco Easy VPN remote configuration applied.
Note: For routers with an ATM WAN interface, this command would be interface atm 0.

Step 7  crypto ipsec client ezvpn name [outside | inside]
Example:
Router(config-if)# crypto ipsec client ezvpn ezvpnclient outside
Router(config-if)#
Assigns the Cisco Easy VPN remote configuration to the WAN interface, causing the router to automatically create the NAT or port address translation (PAT) and access list configuration needed for the VPN connection.

Step 8  exit
Example:
Router(config-if)# exit
Router(config)#
Returns to global configuration mode.

Verifying Your Easy VPN Configuration

Router# show crypto ipsec client ezvpn
Tunnel name : ezvpnclient
Inside interface list: vlan 1
Outside interface: fastethernet 4
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 8.0.0.5
Mask: 255.255.255.255
Default Domain: cisco.com

Current State shows IPSEC_ACTIVE when the tunnel is up. Any other state, or no Address assigned, means the connection has not completed.

Configuration Example

The following configuration example shows a portion of the configuration file for the VPN and IPSec tunnel described in this chapter.

!
aaa new-model
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
aaa session-id common
    						
    							 
!
username Cisco password 0 Cisco
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key secret-password
 dns 10.50.10.1 10.60.10.1
 domain company.com
 pool dynpool
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
crypto ipsec client ezvpn ezvpnclient
 connect auto
 group 2 key secret-password
 mode client
 peer 192.168.100.1
!
interface fastethernet 4
 crypto ipsec client ezvpn ezvpnclient outside
 crypto map static-map
!
interface vlan 1
 crypto ipsec client ezvpn ezvpnclient inside
!
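Added example, not part of the Cisco guide: a small Python audit that parses an IOS configuration like the one above and flags the settings a security review of this example would raise (the Chapter 7 "Configure a VPN" steps use the same 3DES, MD5, DH group 2 and type-0 password choices). The sample configuration is constructed from the page's example; the hardened counterpart uses only options the guide's step tables list (aes 256, sha, rsa-sig, group 5) plus the username secret form, which the page does not show and is assumed available; the thresholds and finding wording are this example's own, not Cisco's.

```python
"""Added example (not from the Cisco guide): audit an IOS configuration for the
weak IKE/IPSec and credential settings used in the Easy VPN example above.
Sample configs are constructed from the page's example; thresholds are this example's own."""
from typing import Dict, List, Tuple

# Constructed sample: the Chapter 6 configuration example, trimmed, plus the
# explicit "hash md5" that the Chapter 7 IKE policy steps add.
SAMPLE_CONFIG = """\
username Cisco password 0 Cisco
!
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key secret-password
 pool dynpool
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec client ezvpn ezvpnclient
 connect auto
 group 2 key secret-password
 mode client
 peer 192.168.100.1
"""

# Hardened counterpart using options the guide's step tables list (aes 256, sha,
# rsa-sig, group 5); 'username ... secret' is assumed available and the hash is a placeholder.
HARDENED_CONFIG = """\
username admin secret 5 $1$placeholder$constructedhashvalue
!
crypto isakmp policy 1
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 5
!
crypto ipsec transform-set vpn1 esp-aes 256 esp-sha-hmac
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split IOS config into (global command, [indented sub-commands]) blocks."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank line or '!' separator
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())  # sub-command of the last block
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_config(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    for cmd, subs in parse_sections(config):
        words = cmd.split()
        if cmd.startswith("crypto isakmp policy "):
            # IOS defaults when a line is absent: encryption des, hash sha, group 1
            opts: Dict[str, str] = {s.split()[0]: " ".join(s.split()[1:]) for s in subs}
            enc, hsh, grp = opts.get("encryption", "des"), opts.get("hash", "sha"), opts.get("group", "1")
            if enc in WEAK_ENCRYPTION:
                findings.append(f"{cmd}: weak encryption '{enc}', use 'encryption aes 256'")
            if hsh in WEAK_HASH:
                findings.append(f"{cmd}: weak hash '{hsh}', use 'hash sha'")
            if grp in WEAK_DH_GROUPS:
                findings.append(f"{cmd}: weak DH group {grp}, use the strongest group offered")
        elif cmd.startswith("crypto ipsec transform-set "):
            transforms = words[4:]
            findings += [f"{cmd}: weak transform '{t}'" for t in transforms if t in WEAK_ESP]
            if not any(t.endswith("-hmac") or t.startswith("ah-") for t in transforms):
                findings.append(f"{cmd}: no integrity transform, add esp-sha-hmac")
        elif words[0] == "username" and "secret" not in words and "password" in words:
            # 'password 0 X' and 'password X' store X in cleartext, type 7 is reversible,
            # only 'secret' stores a one-way hash
            rest = words[words.index("password") + 1:]
            kind = rest[0] if rest else ""
            if kind == "7":
                findings.append(f"{cmd}: type-7 password is reversible, use 'secret'")
            elif kind == "0" or not kind.isdigit():
                findings.append(f"{cmd}: cleartext password in the config, use 'secret'")
        elif cmd.startswith(("crypto isakmp client configuration group ", "crypto ipsec client ezvpn ")):
            for s in subs:
                if s.startswith("key ") or " key " in s:
                    findings.append(f"{cmd}: group pre-shared key stored in the config; "
                                    "it is shared by every remote, rotate it when one leaves")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE_CONFIG)))
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Feed it the output of show running-config to audit a real device; the defaults filled in for absent policy lines matter, because an IKE policy with no encryption line is DES, not 3DES.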
    						
    							
Chapter 7  Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

The Cisco 850 and Cisco 870 series routers support the creation of virtual private networks (VPNs). Cisco routers and other broadband devices provide high-performance connections to the Internet, but many applications also require the security of VPN connections, which perform a high level of authentication and encrypt the data between two particular endpoints.

Two types of VPNs are supported: site-to-site and remote access. Site-to-site VPNs are used to connect branch offices to corporate offices, for example. Remote access VPNs are used by remote clients to log in to a corporate network.

The example in this chapter illustrates the configuration of a site-to-site VPN that uses IPSec and the generic routing encapsulation (GRE) protocol to secure the connection between the branch office and the corporate network.

Figure 7-1 shows a typical deployment scenario.

Figure 7-1  Site-to-Site VPN Using an IPSec Tunnel and GRE
[figure not reproduced; the numbered legend follows]
1  Branch office containing multiple LANs and VLANs
2  Fast Ethernet LAN interface, with address 192.165.0.0/16 (also the inside interface for NAT)
3  VPN client: Cisco 850 or Cisco 870 series access router
4  Fast Ethernet or ATM interface, with address 200.1.1.1 (also the outside interface for NAT)
5  WAN interface of the corporate router, connecting to the Internet, with outside interface address 210.110.101.1
6  VPN peer: another router, which controls access to the corporate network
7  LAN interface that connects to the corporate network, with inside interface address 10.1.1.1
8  Corporate office network
9  IPSec tunnel with GRE
    						
    							 
    GRE Tunnels
    GRE tunnels are typically used to establish a VPN between the Cisco router and a remote device that 
    controls access to a private network, such as a corporate network. Traffic forwarded through the GRE 
    tunnel is encapsulated and routed out onto the physical interface of the router. When a GRE interface is 
    used, the Cisco router and the router that controls access to the corporate network can support dynamic 
    IP routing protocols to exchange routing updates over the tunnel, and to enable IP multicast traffic. 
    Supported IP routing protocols include Enhanced Interior Gateway Routing Protocol (EIGRP), Routing 
    Information Protocol (RIP), Intermediate System-to-Intermediate System (IS-IS), Open Shortest Path 
    First (OSPF), and Border Gateway Protocol (BGP).
Note: When IP Security (IPSec) is used with GRE, the access list for encrypting traffic does not list the desired end network and applications, but instead refers to the permitted source and destination of the GRE tunnel in the outbound direction. All packets forwarded to the GRE tunnel are encrypted if no further access control lists (ACLs) are applied to the tunnel interface.
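The Note's point, as an added example that is not part of the Cisco guide: a Python model of GRE encapsulation (the basic RFC 2784 header over IPv4) and of first-match crypto ACL evaluation, using the addresses of Figure 7-1. The packet contents, the ACL subset and the function names are constructed for illustration and do not reproduce IOS exactly. It shows that an ACL permitting the GRE flow between the two tunnel endpoints matches every encapsulated packet, while an ACL written against the inner branch and corporate networks never matches the outer header and so would encrypt nothing.

```python
"""Added example (not from the Cisco guide): GRE encapsulation and crypto-ACL
matching, showing why the crypto ACL for a GRE tunnel names the GRE flow
between the tunnel endpoints rather than the inner networks. Addresses are
those of Figure 7-1; packets and the ACL subset are constructed for illustration."""
import ipaddress
import struct
from typing import Any, Dict, List, Tuple

GRE_PROTO = 47            # IP protocol number for GRE
GRE_PTYPE_IPV4 = 0x0800   # GRE protocol-type field for an IPv4 payload
PROTO_NAMES = {6: "tcp", 17: "udp", 47: "gre"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header (0 when a filled-in header is valid)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of the payload."""
    fields = (0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> Dict[str, Any]:
    """Return src, dst, proto and payload of an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "proto": packet[9], "payload": packet[ihl:]}


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, inner: bytes) -> bytes:
    """Wrap an IP packet in a basic GRE header (no flags) and an outer IPv4 header."""
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO,
                      struct.pack("!HH", 0, GRE_PTYPE_IPV4) + inner)


def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the outer IPv4 and GRE headers; rejects anything but plain GRE carrying IPv4."""
    outer = parse_ipv4(packet)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags != 0 or ptype != GRE_PTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return outer["payload"][4:]


# An ACE is (action, protocol, source network, destination network); "host x" is
# written as x/32 and "ip" matches any protocol, as in an IOS extended ACL.
Ace = Tuple[str, str, str, str]


def acl_permits(acl: List[Ace], packet: bytes) -> bool:
    """First-match evaluation with implicit deny, applied to the packet's outermost header."""
    hdr = parse_ipv4(packet)
    for action, proto, src_net, dst_net in acl:
        proto_ok = proto == "ip" or proto == PROTO_NAMES.get(hdr["proto"])
        src_ok = ipaddress.IPv4Address(hdr["src"]) in ipaddress.IPv4Network(src_net)
        dst_ok = ipaddress.IPv4Address(hdr["dst"]) in ipaddress.IPv4Network(dst_net)
        if proto_ok and src_ok and dst_ok:
            return action == "permit"
    return False


# Crypto ACL as the Note describes: permit the GRE flow between the tunnel endpoints.
CRYPTO_ACL_GRE: List[Ace] = [("permit", "gre", "200.1.1.1/32", "210.110.101.1/32")]
# The mistake the Note warns against: listing the end networks instead.
CRYPTO_ACL_END_NETWORKS: List[Ace] = [("permit", "ip", "192.165.0.0/16", "10.0.0.0/8")]


def branch_to_corporate_packet() -> Tuple[bytes, bytes]:
    """Constructed branch-LAN-to-corporate-LAN packet and its GRE-encapsulated form."""
    inner = build_ipv4("192.165.1.10", "10.1.1.50", 6, b"constructed tcp payload")
    return inner, gre_encapsulate("200.1.1.1", "210.110.101.1", inner)


if __name__ == "__main__":
    inner, outer = branch_to_corporate_packet()
    print("GRE-endpoint ACL encrypts tunnel traffic:", acl_permits(CRYPTO_ACL_GRE, outer))
    print("end-network ACL encrypts tunnel traffic:", acl_permits(CRYPTO_ACL_END_NETWORKS, outer))
```

The same functions accept a captured packet in place of the constructed one, which is a quick way to confirm what a crypto ACL would classify before applying it to the WAN interface.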
    VPNs
    VPN configuration information must be configured on both endpoints; for example, on your Cisco router 
    and at the remote user, or on your Cisco router and on another router. You must specify parameters, such 
    as internal IP addresses, internal subnet masks, DHCP server addresses, and Network Address 
    Translation (NAT).
Configuration Tasks

Perform the following tasks to configure this network scenario:
• Configure a VPN
• Configure a GRE Tunnel

A configuration example showing the results of these configuration tasks is provided in the "Configuration Example" section on page 7-9.

Note: The procedures in this chapter assume that you have already configured basic router features as well as PPPoE or PPPoA with NAT, DHCP, and VLANs. If you have not performed these configuration tasks, see Chapter 1, "Basic Router Configuration," Chapter 3, "Configuring PPP over Ethernet with NAT," Chapter 4, "Configuring PPP over ATM with NAT," and Chapter 5, "Configuring a LAN with DHCP and VLANs," as appropriate for your router.

Configure a VPN

Perform the following tasks to configure a VPN over an IPSec tunnel:
• Configure the IKE Policy
• Configure Group Policy Information
• Enable Policy Lookup
• Configure IPSec Transforms and Protocols
• Configure the IPSec Crypto Method and Parameters
• Apply the Crypto Map to the Physical Interface
    						
    							
     
Configure the IKE Policy

Perform these steps to configure the Internet Key Exchange (IKE) policy, beginning in global configuration mode:

Step 1  crypto isakmp policy priority
Example:
Router(config)# crypto isakmp policy 1
Router(config-isakmp)#
Creates an IKE policy that is used during IKE negotiation. The priority is a number from 1 to 10000, with 1 being the highest. Also enters Internet Security Association and Key Management Protocol (ISAKMP) policy configuration mode.

Step 2  encryption {des | 3des | aes | aes 192 | aes 256}
Example:
Router(config-isakmp)# encryption 3des
Router(config-isakmp)#
Specifies the encryption algorithm used in the IKE policy. The example uses 168-bit Triple DES (3DES); aes 256 is the strongest option listed and should be preferred where the peer supports it.

Step 3  hash {md5 | sha}
Example:
Router(config-isakmp)# hash md5
Router(config-isakmp)#
Specifies the hash algorithm used in the IKE policy. The example specifies the Message Digest 5 (MD5) algorithm. The default is Secure Hash Standard (SHA-1), which is the stronger of the two.

Step 4  authentication {rsa-sig | rsa-encr | pre-share}
Example:
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)#
Specifies the authentication method used in the IKE policy. The example uses a pre-shared key.

Step 5  group {1 | 2 | 5}
Example:
Router(config-isakmp)# group 2
Router(config-isakmp)#
Specifies the Diffie-Hellman group to be used in the IKE policy; group 5 is the strongest of the three.

Step 6  lifetime seconds
Example:
Router(config-isakmp)# lifetime 480
Router(config-isakmp)#
Specifies the lifetime, 60 to 86400 seconds, for an IKE security association (SA).

Step 7  exit
Example:
Router(config-isakmp)# exit
Router(config)#
Exits IKE policy configuration mode, and enters global configuration mode.
    						
    							
     
Configure Group Policy Information

Perform these steps to configure the group policy, beginning in global configuration mode:

Step 1  crypto isakmp client configuration group {group-name | default}
Example:
Router(config)# crypto isakmp client configuration group rtr-remote
Router(config-isakmp-group)#
Creates an IKE policy group that contains attributes to be downloaded to the remote client. Also enters ISAKMP group configuration mode.

Step 2  key name
Example:
Router(config-isakmp-group)# key secret-password
Router(config-isakmp-group)#
Specifies the IKE pre-shared key for the group policy. This one key is shared by every remote in the group and appears in the running configuration, so treat the configuration as sensitive and rotate the key when a remote is retired.

Step 3  dns primary-server
Example:
Router(config-isakmp-group)# dns 10.50.10.1
Router(config-isakmp-group)#
Specifies the primary Domain Name Service (DNS) server for the group.
Note: You may also want to specify Windows Internet Naming Service (WINS) servers for the group by using the wins command.

Step 4  domain name
Example:
Router(config-isakmp-group)# domain company.com
Router(config-isakmp-group)#
Specifies group domain membership.

Step 5  exit
Example:
Router(config-isakmp-group)# exit
Router(config)#
Exits IKE group policy configuration mode, and enters global configuration mode.

Step 6  ip local pool {default | poolname} [low-ip-address [high-ip-address]]
Example:
Router(config)# ip local pool dynpool 30.30.30.20 30.30.30.30
Router(config)#
Specifies a local address pool for the group. For details about this command and additional parameters that can be set, see the Cisco IOS Dial Technologies Command Reference.
    						
    							
     
Enable Policy Lookup

Perform these steps to enable policy lookup through AAA, beginning in global configuration mode:

Step 1  aaa new-model
Example:
Router(config)# aaa new-model
Router(config)#
Enables the AAA access control model.

Step 2  aaa authentication login {default | list-name} method1 [method2...]
Example:
Router(config)# aaa authentication login rtr-remote local
Router(config)#
Specifies AAA authentication of selected users at login, and specifies the method used. This example uses a local authentication database. You could also use a RADIUS server for this. See the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference for details.

Step 3  aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [method1 [method2...]]
Example:
Router(config)# aaa authorization network rtr-remote local
Router(config)#
Specifies AAA authorization of all network-related service requests, including PPP, and the method used to do so. This example uses a local authorization database. You could also use a RADIUS server for this. See the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference for details.

Step 4  username name {nopassword | password password | password encryption-type encrypted-password}
Example:
Router(config)# username cisco password 0 cisco
Router(config)#
Establishes a username-based authentication system. This example creates the username cisco with the password cisco. Encryption type 0 means the password is stored unencrypted in the configuration, where anyone who can read the configuration can see it; use a password that differs from the username, and prefer the username name secret form, which stores a one-way hash instead.
Configure IPSec Transforms and Protocols

A transform set represents a certain combination of security protocols and algorithms. During IKE negotiation, the peers agree to use a particular transform set for protecting data flow.

During IKE negotiations, the peers search in multiple transform sets for a transform that is the same at both peers. When such a transform set is found, it is selected and applied to the protected traffic as a part of both peers' configurations.
    						
    							
     
Perform these steps to specify the IPSec transform set and protocols, beginning in global configuration mode:

Step 1  crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
Example:
Router(config)# crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
Router(config)#
Defines a transform set, an acceptable combination of IPSec security protocols and algorithms. See the Cisco IOS Security Command Reference for detail about the valid transforms and combinations.

Step 2  crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
Example:
Router(config)# crypto ipsec security-association lifetime seconds 86400
Router(config)#
Specifies global lifetime values used when negotiating IPSec security associations. See the Cisco IOS Security Command Reference for details.

Note: With manually established security associations, there is no negotiation with the peer, and both sides must specify the same transform set.

Configure the IPSec Crypto Method and Parameters

A dynamic crypto map policy processes negotiation requests for new security associations from remote IPSec peers, even if the router does not know all the crypto map parameters (for example, IP address).

Perform these steps to configure the IPSec crypto method, beginning in global configuration mode:

Step 1  crypto dynamic-map dynamic-map-name dynamic-seq-num
Example:
Router(config)# crypto dynamic-map dynmap 1
Router(config-crypto-map)#
Creates a dynamic crypto map entry, and enters crypto map configuration mode. See the Cisco IOS Security Command Reference for more detail about this command.

Step 2  set transform-set transform-set-name [transform-set-name2...transform-set-name6]
Example:
Router(config-crypto-map)# set transform-set vpn1
Router(config-crypto-map)#
Specifies which transform sets can be used with the crypto map entry.
    						
    							 
Step 3  reverse-route
Example:
Router(config-crypto-map)# reverse-route
Router(config-crypto-map)#
Creates source proxy information for the crypto map entry (reverse route injection). See the Cisco IOS Security Command Reference for details.

Step 4  exit
Example:
Router(config-crypto-map)# exit
Router(config)#
Enters global configuration mode.

Step 5  crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]
Example:
Router(config)# crypto map static-map 1 ipsec-isakmp dynamic dynmap
Router(config)#
Creates a crypto map profile that references the dynamic map.

Apply the Crypto Map to the Physical Interface

The crypto maps must be applied to each interface through which IPSec traffic flows. Applying the crypto map to the physical interface instructs the router to evaluate all the traffic against the security associations database. With the default configurations, the router provides secure connectivity by encrypting the traffic sent between remote sites. However, the public interface still allows the rest of the traffic to pass and provides connectivity to the Internet.

Perform these steps to apply a crypto map to an interface, beginning in global configuration mode:

Step 1  interface type number
Example:
Router(config)# interface fastethernet 4
Router(config-if)#
Enters interface configuration mode for the interface to which you want to apply the crypto map.
    						
    							 
Step 2  crypto map map-name
Example:
Router(config-if)# crypto map static-map
Router(config-if)#
Applies the crypto map to the interface. See the Cisco IOS Security Command Reference for more detail about this command.

Step 3  exit
Example:
Router(config-if)# exit
Router(config)#
Enters global configuration mode.

Configure a GRE Tunnel

Perform these steps to configure a GRE tunnel, beginning in global configuration mode:

Step 1  interface type number
Example:
Router(config)# interface tunnel 1
Router(config-if)#
Creates a tunnel interface and enters interface configuration mode.

Step 2  ip address ip-address mask
Example:
Router(config-if)# ip address 10.62.1.193 255.255.255.252
Router(config-if)#
Assigns an address to the tunnel.

Step 3  tunnel source interface-type number
Example:
Router(config-if)# tunnel source fastethernet 4
Router(config-if)#
Specifies the source endpoint of the router for the GRE tunnel. This must be the WAN (outside) interface, fastethernet 4 on these routers, or atm 0 on models with an ATM WAN interface, as noted in Chapter 6.

Step 4  tunnel destination ip-address
Example:
Router(config-if)# tunnel destination 192.168.101.1
Router(config-if)#
Specifies the destination endpoint of the GRE tunnel, the public address of the remote peer router.
    						