IPsec VPN With IOS EzVPN Server, IOS EzVPN Client Mode
Applied version
IOS-S10 EzVPN Server: v15.2(4)S7
IOS-C11 EzVPN Remote: v15.5(2)T

Configuration & Verification

!! IOS-S10 EzVPN Server !! v15.2(4)S7

! IP Routing between underlay
[IOS-S10] to [IOS-C11], 1.1.10.10 to 1.1.11.11

! IOS EzVPN Server configuration
Refer to "IOS EzVPN Server With Cisco VPN Client"

!! IOS-C11 EzVPN Remote !! v15.5(2)T

! IP Routing between underlay
[IOS-C11] to [IOS-S10], 1.1.11.11 to 1.1.10.10

! EzVPN client connection profile
crypto ipsec client ezvpn EZVPN_REMOTE
 group EZVPN_GROUP1 key ISAKMP_KEY_G1
 mode client
 connect manual
 peer 1.1.10.10

! Apply EzVPN client connection profile
interface Ethernet0/1
 description ##To R3 (Client)##
 crypto ipsec client ezvpn EZVPN_REMOTE inside
interface Ethernet0/0
 description ##To IOS-S10 (VPN Server)##
 crypto ipsec client ezvpn EZVPN_REMOTE outside
##Another option – from IOS-C11 connect mode##

! IOS EzVPN Client connect to IOS-S10 (auto)
crypto ipsec client ezvpn EZVPN_REMOTE
 connect auto
 username user1 password cisco1
 xauth userid mode local

! IOS EzVPN Client connect to IOS-S10 (acl)
ip access-list extended EZVPN_CONNECT_ACL
 permit ip host 10.3.3.3 172.16.10.0 0.0.0.255
crypto ipsec client ezvpn EZVPN_REMOTE
 connect acl EZVPN_CONNECT_ACL
 username user1 password cisco1
 xauth userid mode local
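The profile and interface bindings above are short enough to review by eye, but on a fleet of remotes the same review is better scripted. The following Python is an added example, not code from the original page or from Cisco IOS: it parses the "crypto ipsec client ezvpn" blocks and their inside/outside interface bindings out of a running-config and reports what a reviewer wants to know, in particular whether the XAUTH username/password has been stored in the configuration (as the "connect auto" and "connect acl" variants above do) and whether an outside interface is actually bound. The sample config is constructed from the profile on this page; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed sample running-config, modelled on the EZVPN_REMOTE profile on this page.
SAMPLE_CONFIG = """\
crypto ipsec client ezvpn EZVPN_REMOTE
 connect acl EZVPN_CONNECT_ACL
 group EZVPN_GROUP1 key ISAKMP_KEY_G1
 mode client
 peer 1.1.10.10
 username user1 password cisco1
 xauth userid mode local
!
interface Ethernet0/0
 description ##To IOS-S10 (VPN Server)##
 crypto ipsec client ezvpn EZVPN_REMOTE outside
!
interface Ethernet0/1
 description ##To R3 (Client)##
 crypto ipsec client ezvpn EZVPN_REMOTE inside
"""

@dataclass
class EzvpnProfile:
    name: str
    group: Optional[str] = None
    key: Optional[str] = None            # group pre-shared key as written in the config
    mode: Optional[str] = None           # client | network-extension | network-plus
    connect: Optional[str] = None        # manual | auto | acl <name>
    peers: List[str] = field(default_factory=list)
    username: Optional[str] = None
    password_stored: bool = False        # a password follows the username in the config
    xauth_userid_mode: Optional[str] = None
    inside: List[str] = field(default_factory=list)   # interfaces bound as inside
    outside: List[str] = field(default_factory=list)  # interfaces bound as outside

def _blocks(config):
    """Yield (header, child_lines) for each top-level block of an IOS config."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
            continue
        if header is not None:
            yield header, children
        header, children = raw.strip(), []
    if header is not None:
        yield header, children

def parse_ezvpn_profiles(config):
    """Return {profile name: EzvpnProfile} with interface bindings filled in."""
    profiles = {}
    bindings = []  # (interface, profile name, "inside"|"outside")
    for header, children in _blocks(config):
        if header.startswith("crypto ipsec client ezvpn "):
            p = EzvpnProfile(name=header.split()[-1])
            for line in children:
                tok = line.split()
                if tok[0] == "group":
                    p.group = tok[1]
                    if "key" in tok:   # "key 6 <cipher>" would yield "6" here
                        p.key = tok[tok.index("key") + 1]
                elif tok[0] == "mode":
                    p.mode = tok[1]
                elif tok[0] == "connect":
                    p.connect = " ".join(tok[1:])
                elif tok[0] == "peer":
                    p.peers.append(tok[1])
                elif tok[0] == "username":
                    p.username = tok[1]
                    p.password_stored = "password" in tok
                elif tok[:3] == ["xauth", "userid", "mode"]:
                    p.xauth_userid_mode = tok[3]
            profiles[p.name] = p
        elif header.startswith("interface "):
            ifname = header.split()[1]
            for line in children:
                m = re.match(r"crypto ipsec client ezvpn (\S+) (inside|outside)$", line)
                if m:
                    bindings.append((ifname, m.group(1), m.group(2)))
    for ifname, pname, role in bindings:
        if pname in profiles:
            getattr(profiles[pname], role).append(ifname)
    return profiles

def audit_profile(p):
    """Findings a config reviewer would raise for one EzVPN remote profile."""
    findings = []
    if p.password_stored:
        findings.append(f"{p.name}: XAUTH password for user '{p.username}' is stored in the config")
    if p.key is not None:
        findings.append(f"{p.name}: group pre-shared key is in the config; protect config backups")
    if not p.outside:
        findings.append(f"{p.name}: no outside interface bound")
    return findings
```

Run it against a saved "show running-config" and read the findings per profile; a stored XAUTH password is what makes unattended "connect auto" possible, so the finding is a prompt to confirm that trade-off was intended for that device, not an error by itself.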
##Option 1 – from IOS-C11 connect using manual mode##

! IOS EzVPN Client connect to IOS-S10 (manual)
IOS-C11#crypto ipsec client ezvpn connect

Phase 1
ISAKMP:(1001):Old State = IKE_I_AM1  New State = IKE_P1_COMPLETE

Phase 1.5
ISAKMP:(1001):Need XAUTH
ISAKMP (1001): received packet from 1.1.10.10 dport 500 sport 500 Global (I) CONF_XAUTH
ISAKMP: set new node 2022411530 to CONF_XAUTH
ISAKMP:(1001):checking request:
ISAKMP: XAUTH_USER_NAME_V2
ISAKMP: XAUTH_USER_PASSWORD_V2
ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REPLY_AWAIT
EZVPN(EZVPN_REMOTE): Pending XAuth Request, Please enter the following command:
EZVPN: crypto ipsec client ezvpn xauth

! EzVPN client sends the user credentials
IOS-C11#crypto ipsec client ezvpn xauth
Username: user1
Password: cisco1

IOS-C11#
ISAKMP:(1001):Old State = IKE_XAUTH_REPLY_AWAIT  New State = IKE_XAUTH_REPLY_SENT
ISAKMP (1001): received packet from 1.1.10.10 dport 500 sport 500 Global (I) CONF_XAUTH
ISAKMP:(1001):checking SET:
ISAKMP: XAUTH_STATUS_V2 XAUTH-OK
ISAKMP:(1001):deleting node 2112757967 error FALSE reason "Done with xauth request/reply exchange"

Phase 2
IOS-C11#
ISAKMP:(1001):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_PHASE2_COMPLETE

! EzVPN tunnel comes up
IOS-C11#
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=EZVPN_GROUP1 Client_public_addr=1.1.11.11 Server_public_addr=1.1.10.10 Assigned_client_addr=172.16.20.100
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up

IOS-C11#show ip interface brief
Loopback10000   172.16.20.105   up   up
! Routing via RRI
IOS-S10#show ip route 172.16.20.100
S  172.16.20.100/32 [1/0] via 1.1.22.22

! IPsec VPN session
IOS-S10#show crypto session detail
Interface: FastEthernet0/0
Username: user1
Group: EZVPN_GROUP1
Assigned address: 172.16.20.100
Session status: UP-ACTIVE
Peer: 1.1.11.11 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: EZVPN_GROUP1
  IKEv1 SA: local 1.1.10.10/500 remote 1.1.11.11/500 Active
          Capabilities:CX connid:1001 lifetime:23:47:49
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.16.20.100
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 5 drop 0 life (KB/Sec) 4356637/2882
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4356637/2882

[Connectivity]
[WEB2] ping to [IOS-C11], 172.16.10.2 to 172.16.20.100 [OK]
[WEB2] ping to [R3], 172.16.10.2 to 10.3.3.3 [NOK]  // needs to be initiated from R3
! Routing via Static Route (manual)
[R3] to [WEB2], 10.3.3.3 to 172.16.10.2
[IOS-C11] to [WEB2], VPN_IP to 172.16.10.2
IOS-C11(config)#ip route 172.16.10.0 255.255.255.0 Ethernet0/0 1.1.11.9

! IPsec VPN session
IOS-C11#show crypto session detail
Interface: Ethernet0/0
Session status: UP-ACTIVE
Peer: 1.1.10.10 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 1.1.10.10
  Session ID: 0
  IKEv1 SA: local 1.1.11.11/500 remote 1.1.10.10/500 Active
          Capabilities:CX connid:1001 lifetime:23:45:23
  IPSEC FLOW: permit ip host 172.16.20.100 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 5 drop 0 life (KB/Sec) 4199946/2750
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4199946/2750
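The two "show crypto session detail" outputs (server side and client side) are what an operator reads to confirm that phase 1, XAUTH and phase 2 all completed. The following Python is an added example, not code from the original page or from Cisco IOS: it parses that output into a structure and runs the same checks a person would make by eye, namely that the session is UP-ACTIVE with the expected peer, that an IKEv1 SA is Active, that each IPSEC FLOW has exactly two active SAs (one inbound, one outbound), that nothing is being dropped, and that the flow actually covers the assigned client address. The sample text is a constructed copy of the IOS-S10 output above, laid out as IOS prints it; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the IOS-S10 output on this page, laid out as IOS prints it.
SERVER_OUTPUT = """\
Interface: FastEthernet0/0
Username: user1
Group: EZVPN_GROUP1
Assigned address: 172.16.20.100
Session status: UP-ACTIVE
Peer: 1.1.11.11 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: EZVPN_GROUP1
  IKEv1 SA: local 1.1.10.10/500 remote 1.1.11.11/500 Active
          Capabilities:CX connid:1001 lifetime:23:47:49
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.16.20.100
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 5 drop 0 life (KB/Sec) 4356637/2882
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4356637/2882
"""

@dataclass
class IpsecFlow:
    selector: str            # text after "IPSEC FLOW:"
    active_sas: int = 0      # should be 2: one inbound and one outbound SA
    origin: str = ""         # "crypto map" or "dynamic crypto map"
    in_pkts: int = 0
    in_drop: int = 0
    out_pkts: int = 0
    out_drop: int = 0

@dataclass
class CryptoSession:
    interface: str
    status: Optional[str] = None
    peer: Optional[str] = None
    username: Optional[str] = None
    group: Optional[str] = None
    assigned_address: Optional[str] = None
    ike_sas: List[dict] = field(default_factory=list)
    flows: List[IpsecFlow] = field(default_factory=list)

_LABELS = (("Username:", "username"), ("Group:", "group"),
           ("Assigned address:", "assigned_address"), ("Session status:", "status"))
_PKTS = re.compile(r"(Inbound|Outbound):\s+#pkts (?:dec|enc)'ed (\d+) drop (\d+)")

def parse_crypto_sessions(text):
    """Parse 'show crypto session detail' output; one CryptoSession per Interface: block."""
    sessions, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Interface:"):
            cur = CryptoSession(interface=s[len("Interface:"):].strip())
            sessions.append(cur)
            continue
        if cur is None:
            continue
        for label, attr in _LABELS:
            if s.startswith(label):
                setattr(cur, attr, s[len(label):].strip())
        if s.startswith("Peer:"):
            cur.peer = s.split()[1]
        elif (m := re.match(r"IKEv1 SA: local (\S+) remote (\S+) (\S+)", s)):
            cur.ike_sas.append({"local": m[1], "remote": m[2], "state": m[3]})
        elif (m := re.match(r"Capabilities:(\S+) connid:(\d+) lifetime:(\S+)", s)) and cur.ike_sas:
            cur.ike_sas[-1].update(capabilities=m[1], connid=int(m[2]), lifetime=m[3])
        elif s.startswith("IPSEC FLOW:"):
            cur.flows.append(IpsecFlow(selector=s[len("IPSEC FLOW:"):].strip()))
        elif (m := re.match(r"Active SAs: (\d+), origin: (.+)", s)) and cur.flows:
            cur.flows[-1].active_sas, cur.flows[-1].origin = int(m[1]), m[2].strip()
        elif (m := _PKTS.match(s)) and cur.flows:
            f = cur.flows[-1]
            if m[1] == "Inbound":
                f.in_pkts, f.in_drop = int(m[2]), int(m[3])
            else:
                f.out_pkts, f.out_drop = int(m[2]), int(m[3])
    return sessions

def check_session(sess, expected_peer, assigned_host):
    """Health check for one EzVPN session; an empty list means it looks right."""
    problems = []
    if sess.status != "UP-ACTIVE":
        problems.append(f"status is {sess.status}, not UP-ACTIVE")
    if sess.peer != expected_peer:
        problems.append(f"peer {sess.peer} is not the expected {expected_peer}")
    if not any(sa["state"] == "Active" for sa in sess.ike_sas):
        problems.append("no Active IKEv1 SA (phase 1 not up)")
    if not sess.flows:
        problems.append("no IPSEC FLOW (phase 2 not up)")
    for f in sess.flows:
        if f.active_sas != 2:
            problems.append(f"{f.selector}: {f.active_sas} active SAs, expected 2")
        if f.in_drop or f.out_drop:
            problems.append(f"{f.selector}: drops in={f.in_drop} out={f.out_drop}")
        if assigned_host not in f.selector:
            problems.append(f"{f.selector}: does not cover assigned address {assigned_host}")
    return problems
```

The same parser reads the IOS-C11 output, where the flow is written the other way round ("permit ip host 172.16.20.100 0.0.0.0/0.0.0.0") and the origin is "crypto map" rather than "dynamic crypto map"; the substring check on the assigned address covers both forms, and the packet counters are the quickest way to tell a tunnel that is merely up from one that is actually carrying the test pings.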
[Connectivity]
[R3] ping to [WEB2], 10.3.3.3 to 172.16.10.2 [OK]
[IOS-C11] PAT/NAT 10.3.3.3 into 172.16.20.100

IOS-C11#show ip nat translations
Pro   Inside global        Inside local        Outside local        Outside global
icmp  172.16.20.100:0      10.3.3.3:0          172.16.10.2:0        172.16.10.2:0