Remote Access IPsec. Cisco IOS router as an ezVPN Server
Written by Alexei Spirin   
Wednesday, 16 July 2008 17:48
IOS Config: IPSec ezVPN Server with local authentication
! Both AAA lists point at the local database: Xauth logins and group authorization never leave the router
aaa authentication login aaaVPN local
aaa authorization network aaaVPN local
!
! Xauth user account; privilege 0 so the VPN credentials give no useful CLI access
username UserTest privilege 0 secret PleaseChangeMe!
!
! IKE phase 1: pre-shared key (the group key), AES, SHA-1, DH group 2
crypto isakmp policy 10
 hash sha
 encryption aes
 authentication pre-share
 group 2
!
! Attributes pushed to clients that present group grpVPN
crypto isakmp client configuration group grpVPN
 netmask 255.255.255.0
 pool poolVPN
 acl aclSPLIT
 ! Internal DNS server (a trailing "!" on a command line is not a comment in IOS, so the note sits on its own line)
 dns 192.168.100.1
 domain mycompany.local
 split-dns mycompany.local
 key PleaseChangeMe!
!
crypto isakmp profile ikePRF1
 match identity group grpVPN
 client authentication list aaaVPN
 isakmp authorization list aaaVPN
 client configuration address respond
 virtual-template 1
!
! IKE phase 2: ESP with AES-256 and HMAC-SHA-1
crypto ipsec transform-set ts1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile crPRF1
 set transform-set ts1
!
interface Loopback0
 ip address 192.168.255.255 255.255.255.255
!
! One virtual-access interface is cloned from this template per connected client
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile crPRF1
!
! Client addresses: the /28 at the top of 192.168.101.0/24
ip local pool poolVPN 192.168.101.240 192.168.101.254
!
! Split-tunnel ACL: only corporate-network <-> client-pool traffic goes through the tunnel
ip access-list extended aclSPLIT
 permit ip 192.168.100.0 0.0.0.255 192.168.101.240 0.0.0.15

Some notes:

User authentication is done against the local router database: both AAA lists named aaaVPN point at local, so Xauth logins and group authorization are handled on the router itself.

192.168.100.0/24 is the corporate network (the protected side of aclSPLIT).

192.168.101.240/28 is the VPN user address range. The pool poolVPN and the destination half of aclSPLIT must describe the same range, and that range must not overlap the corporate network.

To connect, a user must know the group name and group key (grpVPN and PleaseChangeMe! in this example) plus a personal login and password (UserTest and PleaseChangeMe! in this example). The group key is a pre-shared secret carried by every client, so give it a value different from any user password and change both placeholders before the router faces the Internet. Diffie-Hellman group 2 (1024-bit) is weak by current standards; use group 14 or higher if your clients support it.
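The consistency points above (pool inside the split-tunnel ACL, pool not overlapping the corporate network, DH group strength, group key distinct from user secrets) can be checked offline before the config is pasted into a router. The script below is an added example for this page, not Cisco's tooling or the author's; it understands only the handful of commands used in this configuration (it is not a general IOS parser), the threshold of DH group 14 is this example's own choice, and the embedded configuration is a constructed copy of the one above with the DNS comment on its own line.

```python
import ipaddress

# Constructed sample for this added example: the page's configuration, with the
# DNS comment moved onto its own "!" line so every command parses cleanly.
SAMPLE_CONFIG = """\
aaa authentication login aaaVPN local
aaa authorization network aaaVPN local
username UserTest privilege 0 secret PleaseChangeMe!
crypto isakmp policy 10
 hash sha
 encryption aes
 authentication pre-share
 group 2
crypto isakmp client configuration group grpVPN
 netmask 255.255.255.0
 pool poolVPN
 acl aclSPLIT
 ! Internal DNS server
 dns 192.168.100.1
 domain mycompany.local
 split-dns mycompany.local
 key PleaseChangeMe!
ip local pool poolVPN 192.168.101.240 192.168.101.254
ip access-list extended aclSPLIT
 permit ip 192.168.100.0 0.0.0.255 192.168.101.240 0.0.0.15
"""

MIN_DH_GROUP = 14  # assumption of this example: anything below group 14 is flagged


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks: 0.0.0.15 is a /28."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _acl_operand(words, i):
    """Parse one address operand of an extended ACL entry: 'any', 'host X' or 'X wildcard'."""
    if words[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if words[i] == "host":
        return ipaddress.IPv4Network(words[i + 1] + "/32"), i + 2
    return wildcard_to_network(words[i], words[i + 1]), i + 2


def parse_config(text):
    """Collect only the objects the ezVPN checks need; indented lines belong to the last top-level command."""
    cfg = {"policies": {}, "groups": {}, "pools": {}, "acls": {}, "users": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if not raw.startswith(" "):  # top-level command: start a new section
            section = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                section = ("policy", w[3])
                cfg["policies"][w[3]] = {}
            elif w[:5] == ["crypto", "isakmp", "client", "configuration", "group"]:
                section = ("group", w[5])
                cfg["groups"][w[5]] = {}
            elif w[:3] == ["ip", "access-list", "extended"]:
                section = ("acl", w[3])
                cfg["acls"][w[3]] = []
            elif w[:3] == ["ip", "local", "pool"]:
                cfg["pools"][w[3]] = (ipaddress.IPv4Address(w[4]), ipaddress.IPv4Address(w[5]))
            elif w[0] == "username" and "secret" in w:
                cfg["users"][w[1]] = w[w.index("secret") + 1]
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "policy":
            cfg["policies"][name][w[0]] = " ".join(w[1:])
        elif kind == "group":
            cfg["groups"][name][w[0]] = " ".join(w[1:])
        elif kind == "acl" and w[:2] == ["permit", "ip"]:
            src, i = _acl_operand(w, 2)
            dst, _ = _acl_operand(w, i)
            cfg["acls"][name].append((src, dst))
    return cfg


def audit(text):
    """Return human-readable findings; an empty list means every check passed."""
    cfg = parse_config(text)
    findings = []
    for num, pol in cfg["policies"].items():
        group = int(pol.get("group", "1"))  # IOS default DH group is 1
        if group < MIN_DH_GROUP:
            findings.append(f"isakmp policy {num}: DH group {group} is below {MIN_DH_GROUP}")
    for gname, grp in cfg["groups"].items():
        pool = cfg["pools"].get(grp.get("pool"))
        acl = cfg["acls"].get(grp.get("acl"), [])
        if pool is None:
            findings.append(f"group {gname}: pool {grp.get('pool')} is not defined")
        else:
            first, last = pool
            # the pool must sit inside the tunnelled (destination) side of the split ACL ...
            if acl and not any(first in dst and last in dst for _, dst in acl):
                findings.append(f"group {gname}: pool {first}-{last} is not covered by acl {grp['acl']}")
            # ... and must not collide with the protected (source) networks
            for src, _ in acl:
                if first in src or last in src:
                    findings.append(f"group {gname}: pool {first}-{last} overlaps protected network {src}")
        if grp.get("key") and grp["key"] in cfg["users"].values():
            findings.append(f"group {gname}: group key is also used as a user secret")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the configuration above it reports two findings (DH group 2, and the group key reused as UserTest's secret); the address checks pass because the pool 192.168.101.240-254 lies inside the ACL's destination /28 and outside 192.168.100.0/24. Point it at a saved running-config after changing the group key and the DH group to confirm the list comes back empty.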

Cisco ezVPN configuration examples

Cisco IOS Security Configuration Guide, Release 12.4T

Last Updated on Monday, 28 February 2011 13:33