- Authentication method
- IP addressing and routing for clients

You must also install prerequisite services on your network before configuring the Cisco Easy VPN Server. Which services are required depends on the chosen design, but they may include the following:
- RADIUS or TACACS+ server installation and configuration.
- CA installation and configuration if a public key infrastructure (PKI) is used for authentication. Also, enroll the router with the certificate authority (CA) to obtain the CA certificate and the router's CA-signed identity certificate, which can later be used to enable PKI for the VPN.
- DNS resolution for the addresses of the VPN servers.
- Network Time Protocol (NTP), which the PKI needs in order to operate properly, because certificate validity checks depend on accurate time.
Content 3.8 Configuring Easy VPN Server using Cisco SDM
3.8.2 Configuring the Prerequisites with VPN Wizards

Configuring Cisco Easy VPN Server functionality using the SDM consists of two parts:
- Configuring prerequisites, such as AAA, privileged users, and the enable secret, based on the VPN design you choose
- Configuring the Cisco Easy VPN Server
Use a browser to connect to the Cisco Easy VPN Server router, where you can follow the link to the SDM. The VPN configuration page shown in the figure lists the VPN wizards that are used to implement different types of IPsec-based VPNs. Navigate from the SDM main page to the Easy VPN Server page by following this procedure:
Step 1 Click the Configure icon in the toolbar at the top of the window.
Step 2 Click the VPN icon in the Tasks toolbar on the left side of the window.
Step 3 Choose the Easy VPN Server option in the middle part of the window.

Enabling AAA on the Router
If AAA is not configured on the router, the wizard asks you to configure it; AAA must be enabled before the Easy VPN Server configuration can begin. To configure AAA, complete Steps 1 and 2.
Step 1 Click the Enable AAA link at the bottom of the Create Easy VPN Server tab.
Step 2 A warning window opens, telling you to configure a user account with privilege level 15 before enabling AAA (without such an account you can lock yourself out of the router once AAA login authentication is enforced). Click OK in the warning window.

Creating Privileged Users
The screen in the figure appears, and the wizard asks you to create an administrative user. To create an administrative user, follow this procedure:
Step 1 Click the Additional Tasks icon in the Tasks toolbar on the left side of the window.
Step 2 Click the User Accounts/View option under the Router Access option in the middle part of the window.
Step 3 Click Add in the top right side of the window to add a user.

The Add an Account window shown in the figure opens.
Step 1 Enter the administrative user's username.
Step 2 Enter a password in the Password field. Use a password of at least eight characters made up of numbers and letters.
Step 3 Choose 15 from the Privilege Level drop-down menu.
Step 4 Assign this user the SDM administrative role by choosing the SDM_Administrator (root) option in the View Name drop-down menu.
Step 5 Click View Details to review the details of the currently chosen role. When done, click OK.
Step 6 Click OK again.
Step 7 If the enable secret password is not configured on your router, the Enable Secret Password window appears and asks you to enter the enable secret password.
Step 8 Enter and re-enter a secure secret password, and then click OK.

Enabling AAA
Finally, you can return to the Easy VPN Server page of the SDM wizard and enable AAA services on the Easy VPN Server:
Step 1 Click the Enable AAA link on the Create Easy VPN Server tab to enable AAA services.
Step 2 An Enable AAA window opens. Click Yes to enable AAA.
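For readers who want to see what the three prerequisite steps above (privileged user, enable secret, AAA) amount to in the router configuration, the following IOS CLI is an added illustration written for this page; it is not output captured from SDM, and the username, the secrets, and the choice to authenticate the HTTPS management session locally are placeholders and assumptions.

```ios
! Added example: IOS CLI equivalent of the SDM prerequisite steps.
! Illustrative only, not captured SDM output; names and secrets are placeholders.
!
! Create the privilege-15 user first, so that turning on AAA does not
! lock you out: login authentication will consult this local entry.
username vpnadmin privilege 15 secret 0 Replace-With-A-Strong-Passphrase
!
! Protect privileged EXEC with a hashed enable secret (never "enable password").
enable secret 0 Replace-With-Another-Strong-Passphrase
!
! Turn on AAA and point login authentication and EXEC authorization
! at the local user database created above.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! SDM is reached over HTTPS; serve it only on the secure server and
! authenticate its users against the same local database (assumption).
ip http secure-server
ip http authentication local
```

With this in place, the wizard's Enable AAA step finds a privilege-15 user to fall back on, which is exactly why the warning window insists on creating that account first.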
Content 3.8 Configuring Easy VPN Server using Cisco SDM
3.8.3 Start the Easy VPN Server Wizard

With AAA services enabled, click the Launch Easy VPN Server Wizard button on the Create Easy VPN Server tab to start the Easy VPN Server wizard.

Select Interface for Terminating IPsec

The Interface and Authentication window shown in the figure opens. Here you select the outside interface that faces the IPsec peers across the untrusted network; this is the interface on which clients connect to the server:
Step 1 Select the interface that you want to use from the Interface for this Easy VPN Server drop-down menu.
Step 2 Click Next to continue to the IKE proposal page.
Content 3.8 Configuring Easy VPN Server using Cisco SDM
3.8.4 Configure IKE Proposals

When configuring IKE proposals, you can use the IKE proposal that is predefined by SDM or add a custom IKE proposal specifying these required parameters:
- IKE proposal priority
- DH group (1, 2, or 5)
- Encryption algorithm (DES, 3DES, AES, or SEAL)
- HMAC (SHA-1 or MD5)
- IKE lifetime

After selecting the interface for terminating IPsec, the screen in the figure appears. This screen is where you configure new IKE proposals:
Step 1 In the IKE Proposals window, click Add to add an IKE proposal.
Step 2 The Add IKE Policy window opens. Enter all IKE parameters, and then click OK.
Step 3 Click Next to continue.
Content 3.8 Configuring Easy VPN Server using Cisco SDM
3.8.5 Configure the Transform Set

Cisco SDM provides a default transform set. You can use the default or create a new IPsec transform set configuration using these parameters:
- Transform set name
- Encryption algorithm (DES, 3DES, AES, or SEAL)
- HMAC (SHA-1 or MD5)
- Optional compression
- Mode of operation (tunnel or transport)

Once you click Next in the IKE Proposals window, the Transform Set window appears. The next step in configuring an Easy VPN Server is to configure a transform set:
Step 1 In the Transform Set window, choose a default or configured transform set from the Select Transform Set drop-down menu. If you choose an existing transform set, skip Steps 2 and 3.
Step 2 Click Add to add an IPsec transform set.
Step 3 The Add Transform Set window opens. Enter the IPsec transform set parameters and click OK.
Step 4 Click Next to continue.
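The IKE proposal parameters (3.8.4) and the transform set parameters (3.8.5) map directly onto two IOS configuration blocks. The following is an added example written for this page, not SDM's own generated output; the policy number, transform set name, and the choice of pre-shared-key authentication are assumptions. Of the choices the wizard offers, AES with SHA-1 and DH group 5 are the strongest; DES, MD5 and group 1 are legacy options that a new deployment should avoid.

```ios
! Added example: IOS CLI for one custom IKE proposal and one IPsec
! transform set, using the parameter choices listed in 3.8.4 and 3.8.5.
! Illustrative only, not captured SDM output; the policy number and
! transform set name are placeholders.
!
! IKE proposal. The policy number is the proposal priority: lower numbers
! are tried first when negotiating with a client.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
! "encryption"  -> DES, 3DES, AES or SEAL choice (aes 256 shown)
! "hash"        -> HMAC choice: sha (SHA-1) or md5
! "group"       -> DH group 1, 2 or 5 (pick the largest the clients support)
! "lifetime"    -> IKE SA lifetime in seconds (86400 = 24 hours)
!
! IPsec transform set: name, encryption transform, HMAC transform, and mode.
! Optional compression would be added as a third transform, comp-lzs.
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Remote-access clients need tunnel mode: their whole inner IP packet is
! encapsulated, so the assigned pool address can be routed across the tunnel.
```

When the same wizard page is used to pick the predefined SDM proposal instead, the generated lines have the same shape; only the values differ, so this block is also a handy reference for reading back what the wizard wrote into the running configuration.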
Content 3.8 Configuring Easy VPN Server using Cisco SDM
3.8.6 Storing Group Policy Configurations on the Local Router

After you click Next in the Transform Set window, the Group Authorization and Group Policy Lookup window appears. You can choose from three options for the location where Easy VPN group policies are stored:
- Local: All the groups are kept in the router configuration in NVRAM.
- RADIUS: The router uses a RADIUS server for group authorization.
- RADIUS and local: The router can look up policies in its local configuration and also in an AAA server database that can be reached via RADIUS.
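Choosing Local for group policy lookup, and a local user database for Xauth, results in two AAA method lists that both end in the keyword local, plus the group definition itself held in NVRAM. The following IOS CLI is an added example written for this page, not SDM's generated output; the method list names, the group name, the user name, the pool addresses, the DNS server and the domain are all placeholders.

```ios
! Added example: IOS CLI behind the "Local" group policy lookup choice
! together with a local Xauth user database. Illustrative only, not
! captured SDM output; list names, group name, key and addresses are placeholders.
!
! Method list for group policy lookup: Easy VPN groups are read from the
! local configuration, i.e. the "Local" radio button.
aaa authorization network EZVPN_GROUP_AUTHOR local
!
! Method list for Xauth: user records come from the local user database.
aaa authentication login EZVPN_XAUTH_USERS local
!
! One local Xauth user. VPN users need no privilege level; keep them
! separate from the privilege-15 administrative account.
username vpnuser1 secret 0 Replace-With-A-Strong-Passphrase
!
! The group policy itself, stored in NVRAM with the rest of the configuration:
! a group pre-shared key, the address pool handed to clients, DNS and domain.
ip local pool EZVPN_POOL 10.10.10.1 10.10.10.100
crypto isakmp client configuration group EZVPN_GROUP
 key Replace-With-Group-PreShared-Key
 pool EZVPN_POOL
 dns 10.0.0.53
 domain example.com
```

The wizard later binds both method list names to the crypto map it builds for the selected outside interface; that binding is part of a later step and is not shown here. Because the group key and user secrets live in NVRAM with this choice, protect configuration backups and copies of the running configuration accordingly.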
From the Group Authorization and Group Policy Lookup window, you must also select the location where the user records for Xauth will be stored. This topic uses a local user database. The next topic discusses the option of an external database using RADIUS for group authentication. The first option is to configure the group policies on the local server. The figure shows this option:
Step 1 In the Group Authorization and Group Policy Lookup window, click the Local radio button in the Method List for Group Policy Lookup section.
Step 2 Click Next to continue. The screen shown in the figure appears. To store the user records to a local user database, follow three