Configuring Remote Access IPSec VPNs


Remote access VPNs let single users connect to a central site through a secure connection over a TCP/IP network such as the Internet.

This chapter describes how to build a remote access VPN connection. It includes the following sections:

Summary of the Configuration

Configuring Interfaces

Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface

Configuring an Address Pool

Adding a User

Creating a Transform Set

Defining a Tunnel Group

Creating a Dynamic Crypto Map

Creating a Crypto Map Entry to Use the Dynamic Crypto Map

Summary of the Configuration

This chapter uses the following configuration to explain how to configure a remote access connection. Later sections provide step-by-step instructions.

hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config)# no shutdown
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx
hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside
hostname(config)# write memory

Configuring Interfaces

A security appliance has at least two interfaces, referred to here as outside and inside. Typically, the outside interface is connected to the public Internet, while the inside interface is connected to a private network and is protected from public access.

To begin, configure and enable two interfaces on the security appliance. Then assign a name, IP address and subnet mask. Optionally, configure its security level, speed and duplex operation on the security appliance.

To configure interfaces, perform the following steps, using the command syntax in the examples:


Step 1 To enter Interface configuration mode, in global configuration mode enter the interface command with the default name of the interface to configure. In the following example the interface is ethernet0.

hostname(config)# interface ethernet0
hostname(config-if)#

Step 2 To set the IP address and subnet mask for the interface, enter the ip address command. In the following example the IP address is 10.10.4.100 and the subnet mask is 255.255.0.0.

hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)#

Step 3 To name the interface, enter the nameif command, maximum of 48 characters. You cannot change this name after you set it. In the following example the name of the ethernet0 interface is outside.

hostname(config-if)# nameif outside
hostname(config-if)##

Step 4 To enable the interface, enter the no version of the shutdown command. By default, interfaces are disabled.

hostname(config-if)# no shutdown
hostname(config-if)#

Step 5 To save your changes, enter the write memory command.

hostname(config-if)# write memory
hostname(config-if)#

Step 6 To configure a second interface, use the same procedure.


Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface

The Internet Security Association and Key Management Protocol, also called IKE, is the negotiation protocol that lets two hosts agree on how to build an IPSec Security Association. Each ISAKMP negotiation is divided into two sections called Phase1 and Phase2.

Phase 1 creates the first tunnel to protect later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data travelling across the secure connection.

To set the terms of the ISAKMP negotiations, you create an ISAKMP policy. It includes the following:

An authentication method, to ensure the identity of the peers.

An encryption method, to protect the data and ensure privacy.

A Hashed Message Authentication Codes method to ensure the identity of the sender and to ensure that the message has not been modified in transit.

A Diffie-Hellman group to set the size of the encryption key.

A time limit for how long the security appliance uses an encryption key before replacing it.

See on page 27-3 in the "Configuring IPSec and ISAKMP" chapter of this guide for detailed information about the IKE policy keywords and their values.

To configure ISAKMP policies, in global configuration mode, enter the isakmp policy command with its various arguments. The syntax for ISAKMP policy commands is
isakmp policy priority attribute_name [attribute_value | integer].

Perform the following steps and use the command syntax in the following examples as a guide.


Step 1 Set the authentication method. The following example configures preshared key. The priority is 1 in this and all following steps.

hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)#

Step 2 Set the encryption method. The following example configures 3DES.

hostname(config)# isakmp policy 1 encryption 3des
hostname(config)#

Step 3 Set the HMAC method. The following example configures SHA-1.

hostname(config)# isakmp policy 1 hash sha
hostname(config)#

Step 4 Set the Diffie-Hellman group. The following example configures Group 2.

hostname(config)# isakmp policy 1 group 2
hostname(config)#

Step 5 Set the encryption key lifetime. The following example configures 43,200 seconds (12 hours).

hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)#

Step 6 Enable ISAKMP on the interface named outside.

hostname(config)# isakmp enable outside
hostname(config)#

Step 7 To save your changes, enter the write memory command.

hostname(config)# write memory
hostname(config)#


Configuring an Address Pool

The security appliance requires a method for assigning IP addresses to users. A common method is using address pools. The alternatives are having a DHCP server assign address or having an AAA server assign them. The following example uses an address pool.


Step 1 To configure an address pool, enter the ip local pool command. The syntax is
ip local pool poolname first_address-last_address. In the following example the pool name is testpool.

hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15

hostname(config)#

Step 2 Save your changes.

hostname(config)# write memory
hostname(config)#

Adding a User

To identify remote access users to the security appliance, configure usernames and passwords.


Step 1 To add users, enter the username command. The syntax is username username password password. In the following example the username is testuser and the password is 12345678.

hostname(config)# username testuser password 12345678

hostname(config)#

Step 2 Repeat Step 1 for each additional user.


Creating a Transform Set

A transform set combines an encryption method and an authentication method. During the IPSec security association negotiation with ISAKMP, the peers agree to use a particular transform set to protect a particular data flow. The transform set must be the same for both peers.

A transform set protects the data flows for the access list specified in the associated crypto map entry. You can create transform sets in the security appliance configuration, and then specify a maximum of 11 of them in a crypto map or dynamic crypto map entry. For more overview information, including a table that lists valid encryption and authentication methods, see Creating a Transform Set in Chapter 36, "Configuring LAN-to-LAN IPsec VPNs" of this guide.


Step 1 To configure a transform set, in global configuration mode enter the crypto ipsec transform-set command. The syntax is:

crypto ipsec transform-set transform-set-name encryption-method authentication-method

The following example configures a transform set with the name FirstSet, esp-3des encryption, and esp-md5-hmac authentication:

hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)#

Step 2 Save the changes.

hostname(config)# write memory
hostname(config)#


Defining a Tunnel Group

A tunnel group is a set of records that contain tunnel connection policies. You configure a tunnel group to identify AAA servers, specify connection parameters, and define a default group policy. The security appliance stores tunnel groups internally.

There are two default tunnel groups in the security appliance system: DefaultRAGroup, which is the default IPSec remote-access tunnel group, and DefaultL2Lgroup, which is the default IPSec LAN-to-LAN tunnel group. You can change them but not delete them. The security appliance uses these groups to configure default tunnel parameters for remote access and LAN-to-LAN tunnel groups when there is no specific tunnel group identified during tunnel negotiation.

To establish a basic remote access connection, you must set three attributes for a tunnel group:

Set the connection type to IPSec remote access.

Configure the address assignment method, in the following example, address pool.

Configure an authentication method, in the following example, preshared key.


Step 1 To set the connection type to IPSec remote access, enter the tunnel-group command. The command syntax is tunnel-group name type type, where name is the name you assign to the tunnel group, and type is the type of tunnel. The tunnel types as you enter them in the CLI include the following:

ipsec-ra (IPSec remote access)

ipsec-l2l (IPSec LAN to LAN)

In the following example the name of the tunnel group is testgroup.

hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)#

Step 2 To configure an authentication method for the tunnel group, enter the general-attributes mode and then enter the address-pool command to create the address pool. In the following example the name of the group is testgroup and the name of the address pool is testpool.

hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool

Step 3 To configure the authentication method, enter the ipsec-attributes mode and then enter the pre-shared-key command to create the preshared key. You need to use the same preshared key on both the security appliance and the client.


Note The preshared key must be no larger than that used by the VPN client. If a Cisco VPN Client with a different preshared key size tries to connect to a security appliance, the client logs an error message indicating it failed to authenticate the peer.


The key is an alphanumeric string of 1-128 characters. In the following example the preshared key is 44kkaol59636jnfx.

hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx

Step 4 Save your changes.

hostname(config)# write memory
hostname(config)#

Creating a Dynamic Crypto Map

The security appliance uses dynamic crypto maps to define a policy template where all the parameters do not have to be configured. These dynamic crypto maps let the security appliance receive connections from peers that have unknown IP addresses. Remote access clients fall in this category.

Dynamic crypto map entries identify the transform set for the connection. You also enable reverse routing, which lets the security appliance learn routing information for connected clients, and advertise it via RIP or OSPF.


Step 1 To specify a transform set for a dynamic crypto map entry, enter the crypto dynamic-map set transform-set command.

The syntax is crypto dynamic -map dynamic-map-name seq-num set transform-set transform-set-name. In the following example the name of the dynamic map is dyn1, the sequence number is 1, and the transform set name is FirstSet.

hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)#

Step 2 To enable RRI for any connection based on this crypto map entry, enter the crypto dynamic-map set reverse route command.

hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)#

Step 3 Save your changes.

hostname(config)# write memory
hostname(config)#


Creating a Crypto Map Entry to Use the Dynamic Crypto Map

Next create a crypto map entry that lets the security appliance use the dynamic crypto map to set the parameters of IPSec security associations.

In the following examples for this command, the name of the crypto map is mymap, the sequence number is 1, and the name of the dynamic crypto map is dyn1, which you created in the previous section, "Creating a Dynamic Crypto Map." Enter these commands in global configuration mode.


Step 1 To create a crypto map entry that uses a dynamic crypto map, enter the crypto map command. The syntax is crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name.

hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1

hostname(config)#

Step 2 To apply the crypto map to the outside interface, enter the crypto map interface command.

The syntax is crypto map map-name interface interface-name

hostname(config)# crypto map mymap interface outside
hostname(config)#