EzVPN Server on IOS in three different flavours

A comparison of three ways to configure an EzVPN server on IOS: a plain crypto map, a crypto map with an ISAKMP profile on top, and a dynamic virtual tunnel interface (DVTI).

Example 1: EzVPN-server vanilla-style

aaa new-model
!
!
aaa authentication login default none
aaa authentication login AAA-AUTHEN local
aaa authorization network default none
aaa authorization network AAA-AUTHOR local
!
!
username cisco password 0 cisco
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group MYGROUP
key cisco
dns 8.8.8.8
pool LOCALPOOL
acl SPLITTUNNEL
save-password
!
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
set transform-set TSET
reverse-route
!
!
crypto map CMAP client authentication list AAA-AUTHEN
crypto map CMAP isakmp authorization list AAA-AUTHOR
crypto map CMAP client configuration address respond
crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
!
interface GigabitEthernet0/1
crypto map CMAP
!
ip local pool LOCALPOOL 8.9.24.201 8.9.24.254
!
ip access-list extended SPLITTUNNEL
permit ip 8.9.5.0 0.0.0.255 any
permit ip 8.9.6.0 0.0.0.255 any
!
!

Example 2: Vanilla-style with ISAKMP profile on top

aaa new-model
!
!
aaa authentication login default none
aaa authentication login AAA-AUTHEN local
aaa authorization network default none
aaa authorization network AAA-AUTHOR local
!
username cisco password 0 cisco
!
crypto keyring EZVPN-KEYRING
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group MYGROUP
key cisco
dns 8.8.8.8
pool LOCALPOOL
acl SPLITTUNNEL
save-password
!
crypto isakmp profile ISAKMP-PROFILE
keyring EZVPN-KEYRING
match identity group MYGROUP
client authentication list AAA-AUTHEN
isakmp authorization list AAA-AUTHOR
client configuration address respond
!
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
set transform-set TSET
set isakmp-profile ISAKMP-PROFILE
reverse-route
!
!
crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
!
!
interface GigabitEthernet0/1
crypto map CMAP
!
ip local pool LOCALPOOL 8.9.24.201 8.9.24.254
!
!
!
ip access-list extended SPLITTUNNEL
permit ip 8.9.5.0 0.0.0.255 any
permit ip 8.9.6.0 0.0.0.255 any
!
!

Differences between Example 1 and Example 2:

Added in Example 2 (the ISAKMP profile carries the keyring, the group match, the Xauth list, the authorization list and the address-respond setting, and is bound to the dynamic map):

crypto keyring EZVPN-KEYRING
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp profile ISAKMP-PROFILE
keyring EZVPN-KEYRING
match identity group MYGROUP
client authentication list AAA-AUTHEN
isakmp authorization list AAA-AUTHOR
client configuration address respond
!
crypto dynamic-map DYNMAP 10
set isakmp-profile ISAKMP-PROFILE

Removed from Example 1 (the same settings no longer hang off the crypto map):

crypto map CMAP client authentication list AAA-AUTHEN
crypto map CMAP isakmp authorization list AAA-AUTHOR
crypto map CMAP client configuration address respond

Example 3: DVTI

aaa new-model
!
!
aaa authentication login default none
aaa authentication login AAA-AUTHEN local
aaa authorization network default none
aaa authorization network AAA-AUTHOR local
!
!
username cisco password 0 cisco
!
crypto keyring EZVPN-KEYRING
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group MYGROUP
key cisco
dns 8.8.8.8
pool LOCALPOOL
acl SPLITTUNNEL
save-password
!
crypto isakmp profile ISAKMP-PROFILE
keyring EZVPN-KEYRING
match identity group MYGROUP
client authentication list AAA-AUTHEN
isakmp authorization list AAA-AUTHOR
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC-PROFILE
set transform-set TSET
set isakmp-profile ISAKMP-PROFILE
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/1
tunnel source GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-PROFILE
!
ip local pool LOCALPOOL 8.9.24.201 8.9.24.254
!
!
ip access-list extended SPLITTUNNEL
permit ip 8.9.5.0 0.0.0.255 any
permit ip 8.9.6.0 0.0.0.255 any

Differences between Example 2 and Example 3:

Added in Example 3 (the ISAKMP profile points at a virtual template; each client gets a virtual-access interface cloned from it, protected by the IPsec profile):

crypto isakmp profile ISAKMP-PROFILE
virtual-template 1
!
crypto ipsec profile IPSEC-PROFILE
set transform-set TSET
set isakmp-profile ISAKMP-PROFILE
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/1
tunnel source GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-PROFILE

Removed from Example 2 (no dynamic map, no crypto map and no crypto map on the physical interface):

crypto dynamic-map DYNMAP 10
set transform-set TSET
set isakmp-profile ISAKMP-PROFILE
reverse-route
!
crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
!
interface GigabitEthernet0/1
crypto map CMAP
!
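As an added example (not part of the original post), the Python script below parses listings like the three above into command paths, computes the "added in / removed from" lists that the two Differences sections show by hand, and flags the settings in these examples that a reviewer would want to tighten before production use (type-0 passwords, a `none` default login list, DH group 2, a wildcard pre-shared key, `save-password`). The sample listings are constructed, trimmed versions of Example 1 and Example 2 with the one-space IOS sub-command indent restored (the page's listings lost it); the same `diff_configs` call applied to Example 2 and Example 3 reproduces the second Differences section. The `WEAK_SETTINGS` rules belong to this example, not to the post.

```python
import re

# Constructed sample: a trimmed version of the post's Example 1 (crypto map
# only), with the one-space IOS sub-command indent that the page's listing lost.
EXAMPLE1 = """\
aaa authentication login default none
aaa authentication login AAA-AUTHEN local
username cisco password 0 cisco
crypto isakmp policy 10
 group 2
crypto isakmp client configuration group MYGROUP
 save-password
crypto dynamic-map DYNMAP 10
 set transform-set TSET
 reverse-route
crypto map CMAP client authentication list AAA-AUTHEN
crypto map CMAP isakmp authorization list AAA-AUTHOR
crypto map CMAP client configuration address respond
crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
"""

# Constructed sample: the same trimmed to the post's Example 2 (ISAKMP profile).
EXAMPLE2 = """\
aaa authentication login default none
aaa authentication login AAA-AUTHEN local
username cisco password 0 cisco
crypto keyring EZVPN-KEYRING
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
crypto isakmp policy 10
 group 2
crypto isakmp client configuration group MYGROUP
 save-password
crypto isakmp profile ISAKMP-PROFILE
 keyring EZVPN-KEYRING
 match identity group MYGROUP
 client authentication list AAA-AUTHEN
 isakmp authorization list AAA-AUTHOR
 client configuration address respond
crypto dynamic-map DYNMAP 10
 set transform-set TSET
 set isakmp-profile ISAKMP-PROFILE
 reverse-route
crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
"""


def parse_config(text):
    """Turn a listing into command paths: ('cmd',) for a top-level command,
    ('parent', 'sub') for an indented sub-command. '!' and blank lines are skipped."""
    paths, parent = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if parent is None:
                raise ValueError(f"sub-command without a parent: {raw!r}")
            paths.append((parent, raw.strip()))
        else:
            parent = raw.strip()
            paths.append((parent,))
    return paths


def diff_configs(old_text, new_text):
    """Paths present only in new_text (added) and only in old_text (removed),
    each in the order they appear in their own listing."""
    old, new = parse_config(old_text), parse_config(new_text)
    old_set, new_set = set(old), set(new)
    return [p for p in new if p not in old_set], [p for p in old if p not in new_set]


# Each rule: a regex over the path joined with " | ", and the finding it reports.
WEAK_SETTINGS = [
    (r"^aaa authentication login default none$",
     "default login list is 'none': any line without an explicit list skips authentication"),
    (r"^username \S+ password 0 ",
     "type-0 (plaintext) user password; use 'secret' instead"),
    (r"^crypto isakmp policy \d+ \| group [125]$",
     "DH group 1/2/5 (at most 1536-bit MODP) for IKE phase 1"),
    (r"^crypto keyring \S+ \| pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0 ",
     "one pre-shared key accepted from any peer address"),
    (r"^crypto isakmp client configuration group \S+ \| save-password$",
     "save-password allows clients to cache the Xauth password"),
]


def audit(text):
    """Return 'path: finding' strings for every weak setting found in the listing."""
    findings = []
    for path in parse_config(text):
        line = " | ".join(path)
        findings += [f"{line}: {msg}" for pat, msg in WEAK_SETTINGS if re.search(pat, line)]
    return findings


if __name__ == "__main__":
    added, removed = diff_configs(EXAMPLE1, EXAMPLE2)
    print("Added in Example 2:", *(" | ".join(p) for p in added), sep="\n  ")
    print("Removed from Example 1:", *(" | ".join(p) for p in removed), sep="\n  ")
    print("Weak settings in Example 2:", *audit(EXAMPLE2), sep="\n  ")
```

The parser keys on indentation rather than on a list of known parent commands, so it works on any `show running-config` section; paste a real listing in place of the constructed samples to diff two routers or to re-run the audit after hardening.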

Posted in Cisco Security
