IPsec VPN With IOS EzVPN Server, IOS EzVPN NEM Mode

by | 8-May-2021 | Cisco, Security, VPN

Applied versions

  • IOS-S10 (EzVPN Server)
    • Cisco IOS version 15.2(4)S7
  • IOS-C11 (EzVPN Remote)
    • Cisco IOS version 15.5(2)T

Configuration & Verification

IOS-C11 EzVPN Remote, version 15.5(2)T: the configuration for each mode, followed by the expected result.

! Client Mode (for comparison)

crypto ipsec client ezvpn EZVPN_REMOTE
 group EZVPN_GROUP1 key ISAKMP_KEY_G1
 mode client
 connect auto
 peer 1.1.10.10
 username user1 password cisco1
 xauth userid mode local

Expected result

! IPSEC FLOW
permit ip host 172.16.20.100 0.0.0.0/0.0.0.0

! Connectivity [R3] to [WEB2]
[R3] ping to [WEB2], 10.3.3.3 to 172.16.10.2 [OK]
[IOS-C11] PAT/NAT translates 10.3.3.3 into 172.16.20.100
[ASA-9] sees ESP traffic from 1.1.11.11 to 1.1.10.10 //Tunnel Mode
[R3] sees ICMP traffic from 172.16.20.100 to 172.16.10.2 //NAT/PAT

There is NAT/PAT:

IOS-C11#show ip nat translations
icmp 172.16.20.100:0 10.3.3.3:0 172.16.10.2:0 172.16.10.2:0

There is a client IP on a loopback:

IOS-C11#show ip interface brief
Loopback10000  172.16.20.100 YES TFTP  up up

! Connectivity [WEB2] to [R3]
[WEB2] ping to [IOS-C11-Lo10000], 172.16.10.2 to 172.16.20.100 [OK]
[WEB2] ping to [R3], 172.16.10.2 to 10.3.3.3 [NOK]
//WEB2 can't initiate traffic to R3

! Network Extension Mode (NEM)

crypto ipsec client ezvpn EZVPN_REMOTE
 group EZVPN_GROUP1 key ISAKMP_KEY_G1
 mode network-extension
 connect auto
 peer 1.1.10.10
 username user1 password cisco1
 xauth userid mode local

Expected result

! IPSEC FLOW
permit ip 10.3.3.0/255.255.255.0 172.16.10.0/255.255.255.0

! Connectivity [R3] to [WEB2]
[R3] ping to [WEB2], 10.3.3.3 to 172.16.10.2 [OK]
[ASA-9] sees ESP traffic from 1.1.11.11 to 1.1.10.10 //Tunnel Mode
[R3] sees ICMP traffic from 10.3.3.3 to 172.16.10.2 //No NAT/PAT

There is no NAT/PAT.
There is no client IP on a loopback.

! Connectivity [WEB2] to [R3]
[WEB2] ping to [R3], 172.16.10.2 to 10.3.3.3 [OK]
//WEB2 can initiate traffic to R3

! Network Extension Plus Mode (NEM+)

crypto ipsec client ezvpn EZVPN_REMOTE
 group EZVPN_GROUP1 key ISAKMP_KEY_G1
 mode network-plus
 connect auto
 peer 1.1.10.10
 username user1 password cisco1
 xauth userid mode local

Expected result

! IPSEC FLOW
permit ip host 172.16.20.101 172.16.10.0/255.255.255.0
permit ip 10.3.3.0/255.255.255.0 172.16.10.0/255.255.255.0

! Connectivity [R3] to [WEB2]
[R3] ping to [WEB2], 10.3.3.3 to 172.16.10.2 [OK]
[ASA-9] sees ESP traffic from 1.1.11.11 to 1.1.10.10 //Tunnel Mode
[R3] sees ICMP traffic from 10.3.3.3 to 172.16.10.2 //No NAT/PAT

There is no NAT/PAT.
There is a client IP on a loopback:

IOS-C11#show ip interface brief
Loopback10000  172.16.20.100 YES TFTP  up up

! Connectivity [WEB2] to [R3]
[WEB2] ping to [IOS-C11-Lo10000], 172.16.10.2 to 172.16.20.100 [OK]
[WEB2] ping to [R3], 172.16.10.2 to 10.3.3.3 [OK]
//WEB2 can initiate traffic to R3
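The three modes differ in exactly the proxy identities (the IPSEC FLOW lines) the remote negotiates, so a quick check of those lines tells you whether the remote really came up in the mode you intended. The Python below is an added example, not part of the original write-up: it encodes the expected flows per mode, parses them out of show crypto session output, and reports mismatches. The sample output is constructed from the addresses in this lab, and the destination network is assumed to be whatever the server pushes (the split-tunnel network here, or 0.0.0.0/0.0.0.0 when everything is tunnelled).

```python
import ipaddress
import re

# One "IPSEC FLOW: permit ip <src> <dst>" line as printed by IOS 'show crypto session';
# each side is either "host A.B.C.D" or "A.B.C.D/M.M.M.M".
FLOW_RE = re.compile(r"IPSEC FLOW:\s*permit ip (host \S+|\S+/\S+) (host \S+|\S+/\S+)")

def ios_ident(net: str) -> str:
    """Render a network the way IOS prints a proxy identity: 'host X' for a /32, else addr/mask."""
    n = ipaddress.IPv4Network(net, strict=False)
    return f"host {n.network_address}" if n.prefixlen == 32 else f"{n.network_address}/{n.netmask}"

def expected_flows(mode: str, inside_net: str, assigned_ip=None, split_net: str = "0.0.0.0/0"):
    """Proxy identities an EzVPN remote negotiates in each mode, matching the lab results above."""
    dst = ios_ident(split_net)
    if mode == "client":
        # Inside hosts are PAT'ed to the server-assigned address, so only that host is protected.
        return {f"permit ip {ios_ident(assigned_ip + '/32')} {dst}"}
    if mode == "network-extension":
        # The inside subnet is protected as-is: no assigned address, no NAT/PAT.
        return {f"permit ip {ios_ident(inside_net)} {dst}"}
    if mode == "network-plus":
        # NEM plus an assigned loopback address; both are protected, still no NAT/PAT.
        return {f"permit ip {ios_ident(assigned_ip + '/32')} {dst}",
                f"permit ip {ios_ident(inside_net)} {dst}"}
    raise ValueError(f"unknown EzVPN mode {mode!r}")

def parse_flows(show_crypto_session: str):
    """Extract the negotiated proxy identities from 'show crypto session' output."""
    return {f"permit ip {m.group(1)} {m.group(2)}" for m in FLOW_RE.finditer(show_crypto_session)}

def check(mode: str, show_output: str, **kw):
    """Return (ok, missing, unexpected); a non-empty list means the remote is not in the mode you think."""
    actual, want = parse_flows(show_output), expected_flows(mode, **kw)
    return actual == want, sorted(want - actual), sorted(actual - want)

# Constructed sample of the NEM+ run, using the addresses from the lab above.
SAMPLE_NEM_PLUS = """Crypto session current status
Peer: 1.1.10.10 port 500
  IKEv1 SA: local 1.1.11.11/500 remote 1.1.10.10/500 Active
  IPSEC FLOW: permit ip host 172.16.20.101 172.16.10.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 10.3.3.0/255.255.255.0 172.16.10.0/255.255.255.0
        Active SAs: 2, origin: crypto map
"""
```

Checking the same NEM+ output against plain network-extension mode reports the extra host flow that the loopback adds, which is how a remote that silently came up in a different mode shows itself.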
