CCIE Security - VPN Study Guide - Dynamic VTI - Local Authentication
http://www.isrcomputing.com/knowledge-base/ccie-security-pursuit/181-ccie-security-vpn-study-guide-dynamic-vti-local-authentication.html
This is a basic CCIE Security lab setup. The diagram and configurations are compatible with Proctor Labs.
You can simply paste the configs into the proper routers and the topology will work.
You can go to http://www.proctorlabs.com/ and purchase rack time. An 8 hour slot will be enough to test this configuration.

Proctor Labs Configurations (POD 108):
R2
R4
R5
R6
ASA1
CAT1
CAT2
CAT3
CAT4
PC
ACS

Tasks:
1. Configure R6 to be the Remote Access VPN Hub.
Use local authentication and authorization on R6.
Configure R4 as an RA Client. The only interface on R4 that is allowed to initiate communications to R2 L22 is Lo44.
R6 Lo66 is not allowed to communicate back to R4 Lo44.
Configure R2 as an RA Client. Any host on the R2 "inside" network is allowed to communicate to R6 Lo66.
R6 Lo66 is also allowed to initiate connectivity to the R2 "inside" network.
Use ISAKMP Profiles.
Use Dynamic VTI.
2. Configure PC as an RA Client. Use local authentication and authorization.
1 of 10 12/18/2012 8:32 AM

The R6 configuration uses two ISAKMP profiles, one for R4 and one for R2. Later in the exercise you will understand why we split them in two.

R4's ISAKMP profile will also be used by the TEST-PC VPN. Since both of them will run in client mode and follow the same model, we will put them in VPN_GROUP1.

R6#
conf t
aaa new-model
aaa authentication login LOCALAUTH local
aaa authorization network LOCALAUTH local
! TACAUTH uses method "none" (no authentication); it is defined here but not referenced by any profile below
aaa authentication login TACAUTH none
aaa authorization network TACAUTH none
! "password 0" stores the credential in cleartext; "username ... secret" is the hashed form
username vpnuser1 password 0 cisco123
username vpnuser2 password 0 cisco123


crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
exit

crypto ipsec transform-set TS1 esp-3des esp-sha-hmac
exit

ip local pool VPN_POOL1 44.44.100.1 44.44.100.100

access-list 150 permit ip 66.66.66.66 0.0.0.0 any

! User PC VPN Group


crypto isakmp client configuration group VPN_GROUP1
acl 150
key cisco123
pool VPN_POOL1
save-password
exit

! R2 Client Mode VPN


crypto isakmp client configuration group VPN_GROUP2
acl 150
key cisco123
pool VPN_POOL1
save-password
exit

! ISAKMP Profile for User PC VPN


crypto isakmp profile ISAKMP_PROF1
match identity group VPN_GROUP1
client authentication list LOCALAUTH
isakmp authorization list LOCALAUTH
client configuration address respond
virtual-template 2
exit

! ISAKMP Profile for R2 Client Mode VPN


crypto isakmp profile ISAKMP_PROF2
match identity group VPN_GROUP2
client authentication list LOCALAUTH
isakmp authorization list LOCALAUTH
client configuration address respond
virtual-template 3
exit

crypto ipsec profile IPSEC_PROF1


set transform-set TS1
exit

! Use this Template for User PC VPN


interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0/0
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROF1
exit

! Use this Template for R2 Client Mode VPN


interface Virtual-Template3 type tunnel
ip unnumbered FastEthernet0/0
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROF1
exit

end

wr mem
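A small audit script, added here as an example and not part of the study guide or of any Cisco tooling, that parses the hub configuration above and flags what a reviewer would want caught: an ISAKMP profile whose XAUTH or authorization list resolves to the "none" method (the TACAUTH lists above are defined that way and are unused, so any profile that later binds to them would admit clients without a credential check), "password 0" users stored in cleartext, and the 3DES, MD5 and DH group 1/2 choices, which are fine for a lab but are deprecated in current Cisco guidance. The sample config is R6's from this page with a hypothetical ISAKMP_PROF3 added to exercise the TACAUTH case; VPN_GROUP3 and virtual-template 4 exist only in that sample.

```python
"""Audit an IOS Easy VPN hub config for unauthenticated AAA lists and legacy crypto (added example, not page code)."""
import re

# R6's configuration from this page, plus a hypothetical ISAKMP_PROF3 bound to the unused TACAUTH list.
SAMPLE_R6_CONFIG = """\
aaa new-model
aaa authentication login LOCALAUTH local
aaa authorization network LOCALAUTH local
aaa authentication login TACAUTH none
aaa authorization network TACAUTH none
username vpnuser1 password 0 cisco123
username vpnuser2 password 0 cisco123
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set TS1 esp-3des esp-sha-hmac
crypto isakmp profile ISAKMP_PROF1
 match identity group VPN_GROUP1
 client authentication list LOCALAUTH
 isakmp authorization list LOCALAUTH
 virtual-template 2
crypto isakmp profile ISAKMP_PROF2
 match identity group VPN_GROUP2
 client authentication list LOCALAUTH
 isakmp authorization list LOCALAUTH
 virtual-template 3
crypto isakmp profile ISAKMP_PROF3
 match identity group VPN_GROUP3
 client authentication list TACAUTH
 isakmp authorization list TACAUTH
 virtual-template 4
"""

LEGACY_ALGOS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}


def parse_aaa_lists(config):
    """(list-type, name) -> method string, e.g. ('login', 'TACAUTH') -> 'none'."""
    pat = r"^aaa (?:authentication|authorization) (login|network) (\S+) (.+)$"
    return {(kind, name): methods.strip()
            for kind, name, methods in re.findall(pat, config, re.M)}


def parse_isakmp_profiles(config):
    """profile name -> {'login': XAUTH list, 'network': authorization list} read from its indented sub-mode."""
    profiles, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"^crypto isakmp profile (\S+)", line):
            cur = profiles.setdefault(m.group(1), {"login": None, "network": None})
        elif not line.startswith(" "):
            cur = None  # any other top-level command ends the profile sub-mode
        elif cur is not None and (m := re.match(r"\s+client authentication list (\S+)", line)):
            cur["login"] = m.group(1)
        elif cur is not None and (m := re.match(r"\s+isakmp authorization list (\S+)", line)):
            cur["network"] = m.group(1)
    return profiles


def audit(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings, lists = [], parse_aaa_lists(config)
    for name, prof in parse_isakmp_profiles(config).items():
        for kind in ("login", "network"):
            lst = prof[kind]
            if lst is None:
                findings.append(f"{name}: no {kind} list bound")
            elif (kind, lst) not in lists:
                findings.append(f"{name}: {kind} list {lst} is not defined")
            elif "none" in lists[(kind, lst)].split():
                findings.append(f"{name}: {kind} list {lst} uses method none (no authentication)")
    for user in re.findall(r"^username (\S+) password 0 ", config, re.M):
        findings.append(f"user {user}: cleartext 'password 0', use 'username {user} secret'")
    for line in config.splitlines():
        toks = line.split()
        if toks[:1] in (["encr"], ["hash"]) or line.startswith("crypto ipsec transform-set"):
            if weak := [t for t in toks if t in LEGACY_ALGOS]:
                findings.append(f"legacy algorithm {weak} in '{line.strip()}'")
        elif toks[:1] == ["group"] and toks[1:2] in (["1"], ["2"]):
            findings.append(f"weak DH group {toks[1]} in ISAKMP policy")
    return findings
```

Run it with `print(*audit(SAMPLE_R6_CONFIG), sep="\n")` against a `show running-config` capture; the profile checks are the ones worth wiring into a pre-deployment config review, because a "none" list on a hub silently turns XAUTH into a no-op for that group.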

R2 will be running in network extension mode, which allows hosts on its "inside" network to be reachable from the other side of the VPN tunnel.

R2# conf t
line vty 0 4
privilege level 15
password cisco123
exit

interface Virtual-Template1 type tunnel
ip unnumbered G0/0
exit

crypto ipsec client ezvpn CLIENT
connect auto
group VPN_GROUP2 key cisco123
mode network-extension
peer 44.44.2.6
username vpnuser2 password cisco123
xauth userid mode local
virtual-interface 1
exit

interface GigabitEthernet0/0
description Outside interface
crypto ipsec client ezvpn CLIENT outside
exit

interface GigabitEthernet0/1
description Inside interface
crypto ipsec client ezvpn CLIENT inside
exit

interface Lo22
description Inside interface
crypto ipsec client ezvpn CLIENT inside
exit

end


wr mem

#---------------------------------------
#--- Outputs
#---------------------------------------

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback2
66.0.0.0/32 is subnetted, 1 subnets
S 66.66.66.66 [1/0] via 0.0.0.0, Virtual-Access2
22.0.0.0/24 is subnetted, 1 subnets
C 22.22.22.0 is directly connected, Loopback22
122.0.0.0/32 is subnetted, 1 subnets
C 122.122.122.122 is directly connected, Loopback0
44.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O 44.44.2.0/24 [110/12] via 44.44.4.5, 00:00:24, GigabitEthernet0/0
O 44.44.3.0/24 [110/2] via 44.44.4.5, 00:00:25, GigabitEthernet0/0
C 44.44.4.0/24 is directly connected, GigabitEthernet0/0
C 44.44.5.0/24 is directly connected, GigabitEthernet0/1
C 44.44.100.1/32 is directly connected, Loopback10000
R2#

R2#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : CLIENT
Inside interface list: Loopback0
Outside interface: Virtual-Access2 (bound to GigabitEthernet0/0)
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 44.44.100.1 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Allowed
Split Tunnel List: 1
Address : 66.66.66.66
Mask : 255.255.255.255
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 44.44.2.6

R2#

In addition, as the R6 routing table and telnet session below show, R6 has VPN reachability to R2 Lo22.


R6#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 44.44.2.10 to network 0.0.0.0

66.0.0.0/24 is subnetted, 1 subnets
C 66.66.66.0 is directly connected, Loopback66
6.0.0.0/24 is subnetted, 1 subnets
C 6.6.6.0 is directly connected, Loopback6
22.0.0.0/24 is subnetted, 1 subnets
S 22.22.22.0 [1/0] via 0.0.0.0, Virtual-Access2
44.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 44.44.2.0/24 is directly connected, FastEthernet0/0
S 44.44.5.0/24 [1/0] via 0.0.0.0, Virtual-Access2
S 44.44.100.4/32 [1/0] via 0.0.0.0, Virtual-Access3
S 44.44.100.5/32 [1/0] via 44.44.5.100, Virtual-Access4
S* 0.0.0.0/0 [1/0] via 44.44.2.10
R6#

R6#
R6#telnet 22.22.22.22 /source-interface Lo66
Trying 22.22.22.22 ... Open

User Access Verification

Password: xyz
R2#show users
Line User Host(s) Idle Location
0 con 0 idle 00:00:24
*578 vty 0 idle 00:00:00 66.66.66.66

Interface User Mode Idle Peer Address

R2#

R4 is running in client mode, and uses local authentication.

R4#
conf t
line vty 0 4
privilege level 15
password cisco123
exit

interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
exit

crypto ipsec client ezvpn CLIENT
connect auto
group VPN_GROUP1 key cisco123
mode client
peer 44.44.2.6
virtual-interface 1
username vpnuser1 password cisco123
xauth userid mode local
exit

interface Loopback4
crypto ipsec client ezvpn CLIENT inside
exit
interface Loopback44
crypto ipsec client ezvpn CLIENT inside
exit
interface FastEthernet0/0
description Internet Connection
crypto ipsec client ezvpn CLIENT
exit
end
wr mem

#---------------------------------------
#--- Outputs
#---------------------------------------

R4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

4.0.0.0/24 is subnetted, 1 subnets
C 4.4.4.0 is directly connected, Loopback4
66.0.0.0/32 is subnetted, 1 subnets
S 66.66.66.66 [1/0] via 0.0.0.0, Virtual-Access2
44.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O 44.44.2.0/24 [110/12] via 44.44.4.5, 00:02:31, FastEthernet0/0
O 44.44.3.0/24 [110/2] via 44.44.4.5, 00:02:31, FastEthernet0/0
C 44.44.4.0/24 is directly connected, FastEthernet0/0
O 44.44.5.0/24 [110/2] via 44.44.4.2, 00:02:31, FastEthernet0/0
C 44.44.44.0/24 is directly connected, Loopback44
C 44.44.100.4/32 is directly connected, Loopback10000
R4#
R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
44.44.2.6 44.44.4.4 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

R4#show crypto ipsec sa

interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 44.44.4.4

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 44.44.2.6 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
#pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 44.44.4.4, remote crypto endpt.: 44.44.2.6
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xF8BA85AA(4172973482)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xD62CB5F(224578399)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4584463/3505)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xF8BA85AA(4172973482)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4584462/3505)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:


R4#


R4#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : CLIENT
Inside interface list: Loopback4, Loopback44
Outside interface: Virtual-Access2 (bound to FastEthernet0/0)
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 44.44.100.4 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Allowed
Split Tunnel List: 1
Address : 66.66.66.66
Mask : 255.255.255.255
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 44.44.2.6

R4#

R4#ping 66.66.66.66
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.66.66.66, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

R4#ping 66.66.66.66 source Lo4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.66.66.66, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

R4#ping 66.66.66.66 source Lo44
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.66.66.66, timeout is 2 seconds:
Packet sent with a source address of 44.44.44.44
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4#
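The verification below is an added example, not part of the study guide: it parses the "show crypto ipsec client ezvpn" and "show crypto ipsec sa" text that IOS prints (R4's output above, trimmed to the lines the parser reads) and checks the items this lab's tasks turn on: the remote is IPSEC_ACTIVE to the expected hub, the split-tunnel list carries only the hub's Lo66 host route, and both ESP SAs are ACTIVE with anti-replay on. It also flags what the pings above cannot show, namely the 3DES transform and the absence of PFS in the negotiated SA. The expected-peer and expected-split arguments are values you supply; nothing else is assumed.

```python
"""Check an Easy VPN remote from its 'show' output (added example, not page code)."""
import re

# R4's output from this page, trimmed to the lines the parsers read.
EZVPN_OUTPUT = """\
Current State: IPSEC_ACTIVE
Address: 44.44.100.4 (applied on Loopback10000)
Mask: 255.255.255.255
Split Tunnel List: 1
       Address    : 66.66.66.66
       Mask       : 255.255.255.255
Current EzVPN Peer: 44.44.2.6
"""

IPSEC_SA_OUTPUT = """\
   current_peer 44.44.2.6 port 500
    #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
     current outbound spi: 0xF8BA85AA(4172973482)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xD62CB5F(224578399)
        transform: esp-3des esp-sha-hmac ,
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0xF8BA85AA(4172973482)
        transform: esp-3des esp-sha-hmac ,
        replay detection support: Y
        Status: ACTIVE
"""

LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse_ezvpn(text):
    """State, peer, assigned address and split-tunnel entries of 'show crypto ipsec client ezvpn'."""
    info, in_split = {"split": []}, False
    for s in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Current State:\s*(\S+)", s):
            info["state"] = m.group(1)
        elif m := re.match(r"Current EzVPN Peer:\s*(\S+)", s):
            info["peer"] = m.group(1)
        elif m := re.match(r"Address:\s*(\S+)\s*\(applied on (\S+)\)", s):
            info["address"], info["address_if"] = m.groups()
        elif s.startswith("Split Tunnel List:"):
            in_split = True  # entries below repeat 'Address :' / 'Mask :' pairs
        elif in_split and (m := re.match(r"Address\s*:\s*(\S+)", s)):
            info["split"].append({"address": m.group(1)})
        elif in_split and (m := re.match(r"Mask\s*:\s*(\S+)", s)):
            info["split"][-1]["mask"] = m.group(1)
    return info


def parse_ipsec_sa(text):
    """Peer, packet counters, PFS flag and one dict per ESP SA; AH/PCP sections are skipped."""
    info, direction, cur = {"sas": []}, None, None
    for s in (l.strip() for l in text.splitlines()):
        if m := re.match(r"current_peer (\S+)", s):
            info["peer"] = m.group(1)
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            info[m.group(1)] = int(m.group(2))
        elif m := re.match(r"PFS \(Y/N\): (\S),", s):
            info["pfs"] = m.group(1) == "Y"
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s):
            direction = m.group(1) if m.group(2) == "esp" else None
            cur = None
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s)):
            cur = {"dir": direction, "spi": int(m.group(1), 16)}
            info["sas"].append(cur)
        elif cur and (m := re.match(r"transform: (.+?)\s*,", s)):
            cur["transform"] = m.group(1).split()
        elif cur and (m := re.match(r"replay detection support: (\S)", s)):
            cur["replay"] = m.group(1) == "Y"
        elif cur and (m := re.match(r"Status: (\S+)", s)):
            cur["status"] = m.group(1)
    return info


def check_remote(ez, sa, expected_peer, expected_split):
    """Findings against this lab's requirements; an empty list means the remote is healthy."""
    problems = []
    if ez.get("state") != "IPSEC_ACTIVE":
        problems.append(f"tunnel state {ez.get('state')} is not IPSEC_ACTIVE")
    if not (ez.get("peer") == sa.get("peer") == expected_peer):
        problems.append(f"peer is not the expected hub {expected_peer}")
    got = {(e["address"], e.get("mask")) for e in ez["split"]}
    if got != set(expected_split):
        problems.append(f"split-tunnel list {sorted(got)} != {sorted(expected_split)}")
    if {s["dir"] for s in sa["sas"]} != {"inbound", "outbound"}:
        problems.append("ESP SA pair incomplete")
    for s in sa["sas"]:
        if s.get("status") != "ACTIVE" or not s.get("replay"):
            problems.append(f"{s['dir']} SA {s['spi']:#x} not ACTIVE with anti-replay")
        if LEGACY_TRANSFORMS & set(s.get("transform", [])):
            problems.append(f"{s['dir']} SA {s['spi']:#x} uses legacy transform {s['transform']}")
    if not sa.get("pfs"):
        problems.append("PFS off: IPsec rekeys derive from the IKE SA keying material")
    if sa.get("decaps", 0) == 0:
        problems.append("no packets decrypted yet: return path not proven")
    return problems
```

Against R4's output the state, peer, split list and SA pair all pass; the three findings left are the two 3DES transforms and PFS being off, which is exactly what the ping tests above cannot tell you.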

And finally, here are a couple of Cisco VPN Client screenshots.

Copyright © 2004 - 2011 ISR Computing, Inc. All rights reserved. Valid Sitemap , XHTML and CSS
