As you saw in Chapter 2, "IPSec Overview," for an IPSec tunnel to be established between two peers, there is a significant amount of configuration required on both peers. This includes IPSec policies, Diffie-Hellman parameters, encryption algorithms, and so on. In a large corporate environment with hundreds of sites, managing the IPSec configuration can get quite tedious. The Cisco Easy VPN feature, also known as EzVPN, eases IPSec configuration by allowing an almost no-touch configuration of the IPSec client.

EzVPN uses the Unity client protocol, which allows most IPSec VPN parameters to be defined at an IPSec gateway, which is also the EzVPN server. When an EzVPN client initiates an IPSec tunnel connection, the EzVPN server pushes the IPSec policies and other attributes required to form the IPSec tunnel to the EzVPN client and creates the corresponding IPSec tunnel connection. The tunnel on the EzVPN client can be initiated automatically or manually, or it can be traffic triggered, depending on the configuration or type of EzVPN client used. Minimal configuration is required at the EzVPN client.

EzVPN provides the following general functions in order to simplify the configuration process:

- Negotiating tunnel parameters: encryption algorithms, SA lifetimes, and so on.
- User authentication: validating user credentials by way of XAUTH.
- Automatic configuration: pushing attributes such as IP address, DNS, WINS, and so on, to the client using MODECFG.

EzVPN Client Mode is also known as Network/Port Address Translation (NAT/PAT) Mode. In this mode, all traffic from the client side uses a single IP address for all hosts on the private network.

Figure 4-2 EzVPN IPSec Client Mode Connection

In Figure 4-2, all traffic from the hosts on the FastEthernet interface on the EzVPN client is translated by NAT to a source IP address of 10.0.68.5, which is assigned by the EzVPN server as an attribute using MODECFG. The client keeps track of the translation mappings so that return traffic can be forwarded to the correct host on the private network. The configuration of the EzVPN hardware client is shown in Example 4-3.

Example 4-3 EzVPN Client Mode Configuration

```
spoke-ezvpn1-east#
crypto ipsec client ezvpn vpn
 connect auto
 group vpngroup key ciscoezvpn
 local-address Ethernet0
 mode client
 peer 9.1.1.35
 username password ezvpn1east
```

Notice that in the EzVPN client configuration, none of the IPSec policies, encryption algorithms, and so forth are configured; the client carries only the group name and key, the peer address, the mode, and its own XAUTH credentials, and everything else is pushed by the server. Example 4-4 shows how to monitor an EzVPN client configuration.

Example 4-4 Verification of EzVPN Client Mode Configuration

```
spoke-ezvpn1-east#show crypto isakmp sa
spoke-ezvpn1-east#show crypto ipsec client ezvpn
```

The configuration of the EzVPN server is shown in Example 4-5.

Example 4-5 EzVPN Server-side Configuration

```
vpn-gw1-east#
username password 0 ezvpn1east
username password 0 ezvpn2east
aaa authentication login vpn local
aaa authorization network vpn local
crypto isakmp client configuration group vpngroup
 key ciscoezvpn
 dns 10.1.1.10
 wins 10.1.1.11
 pool vpnpool
 include-local-lan
 backup-gateway 9.1.1.36
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto map vpn client authentication list vpn
crypto map vpn isakmp authorization list vpn
crypto map vpn client configuration address respond
crypto map vpn 3 ipsec-isakmp dynamic dynamic
```

The IOS command crypto isakmp client configuration group vpngroup defines the attributes for the VPN group that was assigned to the EzVPN client: the group pre-shared key, the DNS and WINS servers and address pool pushed through MODECFG, and the backup gateway. The group key is shared by every client in vpngroup, so it identifies the group rather than an individual client; the per-client username and password, checked by XAUTH against the local user database through the aaa authentication login vpn local list that the crypto map references, is what authenticates the individual client.

Network Extension Mode

Figure 4-3 shows an EzVPN client in Network Extension Mode.

Figure 4-3 EzVPN IPSec Network Extension Mode Connection

This mode allows the EzVPN client to present a full, routable network to the tunneled network.
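The following is an added example, not code from the book or from Cisco: a small Python audit that parses an EzVPN server configuration in IOS running-config form and reports the settings a reviewer would question first, namely type-0 (cleartext) and type-7 (reversible) user passwords, legacy algorithms in the transform set, a group pre-shared key on a crypto map that does not enable XAUTH, and include-local-lan. The sample configurations are constructed to resemble Example 4-5; the usernames ezvpn1 and ezvpn2 and the hardened variant are hypothetical. The parser assumes IOS's convention that a line starting with a space is a sub-command of the preceding top-level command.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample modelled on the book's server config; usernames are hypothetical.
SAMPLE_CONFIG = """\
username ezvpn1 password 0 ezvpn1east
username ezvpn2 password 0 ezvpn2east
aaa authentication login vpn local
aaa authorization network vpn local
crypto isakmp client configuration group vpngroup
 key ciscoezvpn
 dns 10.1.1.10
 wins 10.1.1.11
 pool vpnpool
 include-local-lan
 backup-gateway 9.1.1.36
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto map vpn client authentication list vpn
crypto map vpn isakmp authorization list vpn
crypto map vpn client configuration address respond
crypto map vpn 3 ipsec-isakmp dynamic dynamic
"""

# Hypothetical hardened variant: hashed secrets, AES/SHA-256, no local-LAN split.
HARDENED_CONFIG = """\
username ezvpn1 secret ezvpn1east
username ezvpn2 secret ezvpn2east
aaa authentication login vpn local
aaa authorization network vpn local
crypto isakmp client configuration group vpngroup
 key ciscoezvpn
 dns 10.1.1.10
 pool vpnpool
crypto ipsec transform-set vpn esp-aes 256 esp-sha256-hmac
crypto map vpn client authentication list vpn
crypto map vpn isakmp authorization list vpn
crypto map vpn client configuration address respond
crypto map vpn 3 ipsec-isakmp dynamic dynamic
"""

# Constructed misconfiguration: group key present, but no crypto map turns on XAUTH.
NO_XAUTH_CONFIG = """\
crypto isakmp client configuration group vpngroup
 key ciscoezvpn
 pool vpnpool
crypto ipsec transform-set vpn esp-aes 256 esp-sha256-hmac
crypto map vpn isakmp authorization list vpn
crypto map vpn 3 ipsec-isakmp dynamic dynamic
"""

# Algorithms a reviewer would flag: DES/3DES ciphers, MD5 HMACs, and null encryption.
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}


def parse_ios_config(text: str) -> List[Tuple[str, List[str]]]:
    """Group each top-level command with the indented sub-commands that follow it."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and IOS comment separators
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_ezvpn_server(text: str) -> List[Finding]:
    """Return (severity, message) findings for an EzVPN server configuration."""
    findings: List[Finding] = []
    group_key_seen = False
    xauth_maps = set()  # crypto maps with 'client authentication list' (XAUTH) enabled
    for cmd, subs in parse_ios_config(text):
        m = re.match(r"username (\S+) password (0|7) ", cmd)
        if m:
            kind = "type-0 (cleartext)" if m.group(2) == "0" else "type-7 (reversible)"
            findings.append(("high", f"user {m.group(1)}: {kind} password; use 'secret'"))
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", cmd)
        if m:
            legacy = sorted(set(m.group(2).split()) & LEGACY_TRANSFORMS)
            if legacy:
                findings.append(("medium", f"transform-set {m.group(1)} uses legacy algorithms: {', '.join(legacy)}"))
        m = re.match(r"crypto isakmp client configuration group (\S+)", cmd)
        if m:
            group_key_seen |= any(s.startswith("key ") for s in subs)
            if "include-local-lan" in subs:
                findings.append(("info", f"group {m.group(1)}: include-local-lan keeps the client's local LAN reachable while the tunnel is up"))
        m = re.match(r"crypto map (\S+) client authentication list (\S+)", cmd)
        if m:
            xauth_maps.add(m.group(1))
    if group_key_seen and not xauth_maps:
        # A group key alone is shared by every client; without XAUTH nothing identifies the individual.
        findings.append(("high", "group pre-shared key configured but no crypto map enables XAUTH (client authentication list)"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG), ("no-xauth", NO_XAUTH_CONFIG)):
        print(f"== {name} ==")
        for severity, message in audit_ezvpn_server(cfg):
            print(f"[{severity}] {message}")
```

The checks are deliberately narrow: the audit only recognises the commands shown in the book's server example, so an unfamiliar line is ignored rather than misreported, and it does not attempt to judge the dynamic crypto map or the address pool, which the excerpt does not define.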