CCBOOTCAMP Webinar - Cisco Easy VPN ( EZVPN )

Captions
hey everybody looks like it's noon my time so we're gonna going to get started with this before I do I just want to make sure the audio is working on my side I want to be sure everybody if you're using the GoToWebinar dashboard you should have a chat down at the bottom I'm going to type in a test here just to see if you guys can see it this will be just to let me know that I'm not just talking to empty air and and haven't turned on the broadcast properly here so does anybody have that chat functionality I just typed a test in there I'm going to anybody has a microphone just let me know if you can hear me anybody out here at all Kenya okay I want to make sure I haven't least one person listening okay I see nobody's replied to the chat the only guys have the shad active okay I've muted everybody so we don't get that nasty feedback looks like it might be that my chat isn't showing the responses for now I'm going to assume that everybody can hear me I heard at least one person can at the end when we do Q&A we'll have you guys just use the put your hand up and then I will unmute you so you can ask the questions in audio since it doesn't look like my chat is working with that stated let's let's get started here hopefully everybody can see my screen we are doing ez VPN this time so this webinar is for network engineers people that that might want to use this in the real world people that are getting ready especially for their CCI security lab it's one of the I guess harder to configure topics when you when you get it on the lab so we're gonna try to you know do a breakdown of the configuration all the little parts and pieces so we understand what they all do so it's hopefully a little bit less confusing I know the configuration when you see it for the first time at least on the server side looks like a big wall of text so like I said we're going to break down each of the individual configuration component so here's a kind of a breakdown of the topics we're gonna see we'll 
start out with doing an intro what is easy VPN hopefully most of you guys have an idea of what that is already how to configure the server how to configure the client how it differs between configuring it on a pics or an AS a versus a router and then we'll be doing some lab demos of the various types of easy VPN so we can see it like I mentioned at the end we'll be doing a little question-and-answer you know we'll be doing that that audio again because my chat doesn't look like it's working and then I'll direct you to some further resources at the end so that after the webinar you can still ask me questions and other members of CC bootcamp and and so on so before we get started here just a little bit about myself I've been in the IT industry for a little over 15 years and I've been doing strictly network engineering and security engineering for the last ten or so done a lot of work on the Las Vegas Strip a lot of those a lot of those networks there you know all the Caesars and Flamengo and and you know the Rio and things like that the wind stratosphere so I do have some experience doing this in the in the real world not just in the classroom or in the lab in addition I don't have my security CCIE I passed the lab last time but failed on the open ended question so ouch there but in any case I have a good idea of how you might see this on the lab so I can speak from that standpoint as well so with that said those are I guess a little bit of my credentials let's let's get started here with easy VPN all right what is EZ VPN the idea behind it is to make the configuration of VPN a little easier anybody who's ever seen the configuration for EZ bpn might go yeah that's a little bit of a misnomer it's not really easy to configure it like I mentioned it does look like a like a wall of text the configuration the first time you look at it a lot of people end up for that reason doing it from a SDM or SDM the the gooeys on the devices I'm kind of of the opinion that you 
shouldn't push the button if you don't know what it does so I like to do things in the command line or at least understand what all of those lines of text do so easy VPN the whole idea behind it is you centralized policy for your VPN connections on a central headend device maybe you're you know corporate officer data center that policy can then be pushed out to the clients when they connect the clients have a just you know six or ten lines of configuration on them and that makes it a lot easier to roll out clients this is particularly helpful when you've got a lot of remote access clients the software clients as well as you want to send out you know say you have two hundred branch offices around the US and you want to send them all out an 800 series router so they'll connect up you can pre configure those send them out all the person has to do is plug them in and they'll automatically connect up and have a VPN tunnel rather than having to manually configure all those devices on-site so that's the easy part that's why it's easy you do a little bit of upfront work configuring the server and after that the clients are next to nothing to configure okay so easy VPN server like I mentioned is a head end device and this is the basics of how it works you do Ike phase one and our works just like a regular site-to-site IPSec tunnel in between Ike phase one - is where and all the work happens you have optional EXO authentication so they don't just have a pre-shared key like they would with their iso camp policy there's also a an additional prompt for username and password and that gets used most of the time with EZ VPN like I said it is optional but but almost everybody uses this after authentication occurs I commode configuration actually pushes out the rest of the rest of the IPSec policy to the device as well as other things like DNS servers win server's IP address tunneling ACLs and so on that all gets pushed out in between Ike phase one and two after that I commode 
configuration happened to move on Dyck phase to negotiate the the essays which were sent by the server and the tunnel is now up so again this uses the same basic principles the same technologies as a site-to-site VPN tunnel wood it just has these additional phases here that happen in between Ike phase one and two okay so what can you use as an easy VPN server the answer is almost any iOS router assuming that you have the right the right code so that includes even 800 and 1800 series you know which are usually small office home office type of routers they'll act as an easy VPN server but the specs on those you have to check them you can you can get on google and cisco has a list of them they only support so many connections so if you need a thousand plus clients connected at once you might want to look at a higher-end router okay so the themselves like it says here they're usually lower end routers you're free to you know have a a more powerful router be a client but again these are usually not used for site the site type tunnels that there are branch offices you know small office type things and even software clients so usually it's lower end routers 800 series routers with the ASA's only the 5505 can be a hardware client for easy VPN so you can't have a fifty five ten or fifty five twenty something of that nature now the software clients are the cisco VPN software hopefully you guys have all seen that but if you haven't it's this little Cisco golden lockdown here this VPN quieted okay so as it says here the clients just have kind of a basic Ike policy setup and then a little easy VPN config and we're gonna we're going to see the conflict coming up here shortly but the rest of the configuration gets pushed out by the server though so once again that's the easy part of easy VPN you don't have to do a lot of work on the clients all right the clients themselves run in one of two modes the first one is going to be client mode and with client mode when you connect up to 
the server an IP address gets pushed out to you from a pool that's configured on the server everything on the inside of your network from the clients perspective is going to be an added port address translated to that address this is by far the most common mode you see with easy VPN the other one you don't necessarily see as much so client mode this is going to be when your software clients connect and even a lot of times when your your hardware clients connect as well so the the second mode here is network extension mode the addresses aren't going to be translated you are going to have a real routable at least real on your network routable IP space behind the client so this is really similar to a site-to-site VPN you have to have those devices pre I peed with something that routes on your network and you have to route the traffic from your head end across to the client ok so the server itself here's here's the deal with it like I said the configuration can be kind of complex so we're gonna break it down into all of its little components here when you go to configure the server you need to configure triple a4x off assuming that you're going to be using it and again if you're using an EZ VPN you're probably going to be using X off the ice account policy and this is so the client can initiate the the tunnel as well as you know have the X off work in between Ike phase 1 & 2 the group policy is where you set up all of the settings that are going to push out to your clients all the authentication settings and things like that IPSec configuration this is the actual protocol AES Triple DES etc that's going to be used across the tunnel and this really means a transform set and then finally you're going to apply the configuration somewhere and you're either going to do that through the use of a crypto map or through dynamic virtual tunnel interfaces and fee or not we're going to see exact invigoration and examples of both of those both of those methods so the first part of 
this Triple A again this is used when you want to do X off and and once again just to be clear with it it's optional you don't have to use X off you can you can skip that but you probably don't want to you probably want to have people authenticated before they make this this tunnel connection this just adds an additional layer of protection you could just use strictly pre-shared keys but again what happens here is say that you're rolling out you know all of these remote access clients Hardware clients etc anybody know how hard it is to break the encryption on a pre-shared key from the cisco VPN client but obviously you can't answer but but the answer is it's not very hard at all you can use a program like Cain and Abel or something like that find the little you know connection file and just cut and paste that encrypted password in and then you'll you'll get the pre-shared key so the point I'm getting out there is just using a pre-shared key might not be that secure and if an employee leaves or an IT employee you don't want to have to change that pre-shared key on all you know thousand laptops that are connecting to this server or all 200 of your Hardware clients and so on so again X auth is a an additional layer of authentication okay so the commands here not that difficult if you've seen any kind of Triple A before Triple A new model that sets up Triple A on the device and this is for iOS router Triple A authentication login the name of the group you're going to you're gonna create so you can call it ACS or easy VPN or whatever you want and then what method you're going to use to authenticate you can authenticate locally with a tax server radius server and and so on and then finally triple-a authorization network again a group name and the method you're going to use so no more no more difficult than that like I said pretty pretty basic triple-a all right so here's an example of local authentication hopefully you guys have seen this before as well you know username 
cisco password 0 which means enter this unencrypted and then cisco for the password as an example you might do this for each person that's gonna authenticate you might have it per per type of device or you might have one for one for each site or or whatever but it's just the regular username command so username cisco password cisco etc okay so the next part of this is setting up your iso camp policy if any of you guys have set up a site-to-site tunnel this is going to look very familiar it's absolutely no different then you you would do for a site-to-site tunnel so you can see down here crypto icecap policy 10 that's just the sequence number encryption aes hash sha diffie-hellman group 2 authentication pre share the the note down here and this is important if you are using pre-shared keys ike phase 1 is going to use aggressive mode and of course the difference between aggressive and and main mode and ike phase 1 is that all of the ike proposals diffie-hellman algorithm pre shared key etc is all sent across in the in the the first two packets so instead of doing a a three-way negotiation it does a two-way negotiation and it's a little less secure so that that's that's something to note if you're if you're worried about using aggressive mode you don't want to use you don't want to use pre-shared keys you can authenticate with with certificates instead and of course that's a little bit more work you have to set up a CA and get a certificate on all devices and so on okay the group policy this is the main part of the configuration for for easy BPM this is as it says here what the where the server is gonna do all of its work so you're setting up most of your client settings and again that means things like DNS split tunnel ACLs wind servers DHCP information and and so on there there are a lot of settings that you can that you can configure here and and because of time we're not going to go through it because of time and bore them we're not going to go through them some 
of them are corner case type of stuff that you wouldn't use that often and of course cisco has very good docs on their website for what each of those settings do so here's on the next slide a sample configuration with typed out explanations that i put together and this is a typically what you'll see for the for the group policy configuration so crypto iso camp client configuration group and then you give it this name I've called it easy VPN in this case you probably gonna want to make the name descriptive if you're gonna have more than one of these group policies set up you know maybe one for eastern region western region etc you got your own naming conventions I'm sure you can come up with those key Cisco one two three this is the pre shared key for the group so usually you want to use a little bit stronger pre shared key then that then something like that that would be guessable with a dictionary attack you might want to use a sixteen character random string that you keep in a password vault software or something like that ACO 101 so I've set up a split tunnel ACL and we'll get into the the syntax for the split tunnel ACLs and how those work later this is just saying push this split tunneling ACL out to the client a pool easy pool this pool has been previously created before we set up this group policy and this is what the clients are going to receive when they log in in the case of client mode and remember client mode this IP address gets pushed out to the client and everything gets matted through this IP address for the the tunnel traffic a safe password you'll see this often on hardware clients at least what this does is it allows the X auth credentials to be saved on the client and that means in the running configuration of the device startup configuration running configuration the point of that is again so that you can ship a device out like a 800 series router once it gets to the site they can just plug it in you don't have to talk some of the on-site 
through typing in the command to manually connect the device we'll just we'll just connect up so that's a typical group policy again not an exhaustive list of the settings in here but but one that you'll kind of typically see alright not much to say about the IP set configuration this is basically your transform set and it's exactly the same as you would type in for a site-to-site tunnel so crypto IPSec transform set called ez VPN is going to use AES and sha again very very typical hopefully all the audience that's that's watching this has probably set up a site-to-site tunnel before and that is familiar with the transform sets alright so we've config all of that and that wasn't all that difficult again once you break down what each section does so just like with a site-to-site VPN you type in all these things and they all get pulled together and referenced usually in a crypto map and then you apply that crypto map to an interface so the same concept here you can tie together the group policy the transform set you're using the peer your going to connect to all that stuff is going to be put together in a crypto map or there's an additional way to do this and again this tends to be one of the confusing topics on the the CCIE lab dynamic virtual tunnel interfaces this is used for a little bit more advanced configurations so let's say that your Western Region is going to use voice over IP and you want one QoS policy to be applied to them so their voice traffic gets priority across these tunnels and and for your East you're not gonna be using VoIP phones but you are going to be using video so you want a different QoS policy to be applied to those clients that's what dynamic virtual tunnel interfaces get used for you basically create a virtual interface that's a template for each of these connections the the group policy gets applied to that virtual tunnel interface when a connection is made an individual virtual interface is spawned using the settings from from the 
virtual tunnel and that includes things like again QoS policy or different login credentials or what have you and again you can you can use that so you can have different groups of clients having having different different tunnel settings so basic easy VPN yeah the crypto map works and it works fine if you need to get a little bit more advanced or granular than dynamic virtual tunnel interfaces might be what you're looking for and what we'll see examples of this you know the configuration put up on these slides as well as when we do the practical lab demo you guys will get to see how that works okay so there's a two part configuration for the crypto map first you create a dynamic crypto map and that's going to set the transform set and if you want reverse route injection then you're going to do the crypto map itself which is going to reference that dynamic crypto map so use this use this transform set and use reverse route injection as well as referencing the the triple-a commands or you can do it another way see if I can clear off these drawings here you can set up a authentication authorization group policy etc reference that different group policy and an ISO Camp profile and then the ISO cap profile can be referenced in the dynamic crypto map and then that in addition it's referenced in the crypto map it sounds like you're doing a lot of steps there but it'll all become clear when you see the configuration example it's really not that hard and again it gives you a little bit more flexibility if you don't need to go quite as far as per tunnel you know dynamic virtual tunnel interface configurations but you do want to have they said maybe a different settings for remote access clients versus Hardware clients etc you can you can do it this way okay so I know talking about all of that and a lump might confuse the issue so it's always easier if you see the actual configuration and go through it so this is your standard Plain Jane easy-easy VPN server configuration as 
far as the crypto map part of it goes so remember it's a two part thing you got to do your dynamic crypto map so crypto dynamic map ez VPN tan set transform set ez VPN obviously you had to have previously created add and then reverse route and again this is reverse route injection so what this is going to do is when each client connects a route for the IP address of their assign static route is going to be generated you can then like do a redistribute static into the ITR P or OSPF whatever's running on your corporate network and everybody will have a route to that whether you use reverse routing or not that depends on your your network configuration if you know you have just a default route pointing out to the Internet and this ez VPN server is your internet facing device okay great then you don't need reverse routing because everything is going to go out that way anyway in many cases in enterprise networks you have more than one egress point to the internet you know you might have a firewall or a set of firewalls that goes out to the Internet for regular Internet traffic you might have a solely VPN only device that everybody VPNs into in a case like that yeah you might want to use reverse routing or you know you can always static route to that device for the subnets you're going to assign for your easy VPN it's it's up to you I mean that's that standard network engineering stuff the reverse route is fairly easy because again it does it for you just whenever the client connects a static route for that particular IP address so it just does a you know 32-bit mask a host address a host route for each individual high that connects okay so back to our back to our configuration here we did the dynamic crypto map now we're going to do crypto map name it easy client authentication list easy this list here is what you set in your Triple A authentication setup earlier on when we were doing the server so that's just that's just referencing that and this is just going to be 
like I said radius TAC axe or local crypto map easy ISO camp authorization list easy and again that's what we created in our triple a set up that Triple A authorization network statement that's referencing this crypto map ez client configuration address respond this one again is one of those things that is confusing when you when you see it what does respond mean all it means is when these clients connect up they're going to ask for an IP address assuming that you're assigning IP addresses and not using network extension mode this means that the server will hand out an IP address so you don't need this line if you're doing network extension mode but you do need it for for quiet mode okay so those are the three lines that we need in a crypto map then crypto map easy one IPSec I so camp dynamic ez VPN and what that does is it ties this dynamic crypto map to the to the crypto map itself and and that's it as far as the crypto map you'll notice that unlike a site-to-site VPN there's no set PR in here obviously the reason for that is the peers could be coming from any IP address that's why we use the crypt dynamic map it says IP addresses can our client clients can come from any IP address all right so once you've done all of that created your crypto map reference to the dynamic crypto map go to an interface serial 0 0 0 in this case apply the map with crypto map and the name of the map and at that point the server is up and ready to accept requests from clients you should see a pop up if you're on the console and app console messages or if you're you know SSH den and ESET terminal monitor you'll see a pop up saying I so camp is on and again at that point you're ready to receive the the clients ok we mentioned earlier that if you wanted to do different group policies for different people you know maybe one for remote access clients and one for one for your hardware clients or one for marketing and one for engineering or you know whatever you can at that point use the the 
icecap profiles so in this case we're only creating one ISO cam profile crypto ryskamp profile I called it easy v you are going to match identity group which means this size account profile will be using the group ez VPN instead of having this in the crypto map you put the authentication list and the authorization list in the size account profile as well and the client configuration address respond so you could create a second nice account profile reference a different identity group which again that's the the group policy then under your phil map through your do your dynamic map instead of instead of just setting the transform set and reverse route we also set a nice account profile here's the actual crypto map itself crypto map tan IP set guys to camp dynamic ez VPN you could very easily on the next line say crypto map 20 the the next line down the same thing but uh but a different a different dynamic dynamic map with a with a different group policy attached to it so in that way they would get they would get checked in in order we'll see later on the clients where you set what what group you're trying to connect as but again this is a way to have more than one group policy each with different settings be available on the same same device alright dynamic virtual interfaces so as I mentioned you're going to create these virtual interfaces each of the virtual interfaces have to be tied to a physical interface so the the peers are going to connect to the physical interfaces IP address but depending on how the ISO cam profile is set up for each of those virtual interfaces again you can apply different policy and that usually gets used to to do to do QoS the other time this might get used is when you have different types of VPN tunnels terminating on the the same same interface in the same device so you might have your dmvpn hub router already up and running some site-to-site tunnels but you want your remote access to use easy VPN in a case like that you can use 
dynamic virtual tunnel interfaces as well so both of those technologies could be running on the same same device okay so here's a just a an example of that I've set my drawing up here's our group policy we create a group called easy group has a regular pre shared key a pool of addresses and we set safe password up this is going to be used for Hardware clients for example set up the ISO camp profile this one's called easy profile match identity group easy group which means use this group policy for this ice account profile again set up the authentication list and the authorization list configuration address respond again we're going to be in client mode then finally virtual template one so this is how you tie this isuh camp profile which is already tied to this group policy to a particular virtual interface so we're going to be tying this to virtual interface one okay form set still because we're still going to be encrypting traffic so our transform set here is called easy TS it's going to use AES and sha instead of creating a crypto map we're gonna create an IPSec profile this one's called ez profile and we'll set the transform set in there so this takes the place of the the crypto map all right here's the virtual interface itself interface virtual template one type tunnel so again this is this is virtual interface number one and that's what we referenced in our our AIESEC app profile IP unnumbered serial 0 0 1 the unnumbered means we're not giving this interface a static IP address we're going to use whatever IP address is configured on the on the tunnel itself or excuse me on the physical interface itself so we said tunnel mode to IPSec ipv4 we're going to be using IPSec and then finally tunnel protection we'll use our ipsec profile ez profile and that's the the profile that we've that we've set up here so again we are setting up the transform set in this eyepiece profile sticking it on the tunnel that's gonna let the tunnel know okay we can initiate IPSec 
tunnels on serial 0:01 using its configured IP address and then just to go back one slide here the ISO camp profile is tied to the virtual interface using using this line so all that setup and basically ties the group policy and the transform set to that virtual tunnel what's not shown there and what I mentioned earlier on is on this virtual tunnel interface you can go in again and set individual QoS policies or you know different access lists etc alright so that was the that was the server portion and like I said don't worry we're going to we're going to take a look later on at an actual an actual configuration and we'll see how to verify that it's up and running and all that good stuff so the server has a lot to it a lot of different parts and pieces the client configuration is is super easy and this is where the easy part of easy VPN comes in you set up an ISO cam profile or excuse me an ISO camp policy just like you would for a site-to-site tunnel set up the client configuration and that's where you set up what server you're going to connect to what the pre share is etc and then inside and outside interfaces so you're outside interface is going to be facing the internet and your insight is facing your corporate network once you set both of that both of those up you're free to connect to the EZ VPN server and as you'll see there's not really much configuration to it okay it says here as stated before the ISO camp policy is optional did I state that I did okay when you configure your client configuration on your on your client device and again these are the hardware clients we're talking about you know like an 800 series router or 1800 series etc you don't have to configure a nice camp policy at all there's actually a default list of advise account policies when you when you set up the client that that will automatically get inserted on on the router generally you do though want to set up a nice account policy but you don't have to so yeah the configuration for 
the ICN policy is standard crypto ic-cap policy ten authentication pre share hash sha encryption a EAS group two etc just like a site-to-site oh of course it has to match one of the policies that you have configured on your on your ez VPN server unlike us site tunnel when you configure this thing you don't need to actually type in a line for the pre-shared key the crypto ice camp key Cisco address whatever you don't have to do all that it's all set up in the client configuration and again we're gonna are going to see that here so here's the here's the client configuration we created a nice camp policy or didn't it doesn't matter crypto IP set client easy VPN and we are naming it easy VPN in hindsight maybe when I created these slides I should have called that something more descriptive or something less confusing but that last word there is the the actual name of the of the group that you're connecting with okay so it's called easy VPN connect Auto again I always look at this from the perspective of I'm going to pre configure this device you know at my desk and I'm gonna ship it out to one of 200 locations around the US I just want them to be able to plug it in so connect Auto is what that's for assuming this thing is powered up and has an IP address and and so on it'll just automatically try to initiate the tunnel you can set it to manual but you're gonna have to have somebody on site to get on the router console itself and type in manually the command to connect and put in the username and password that's fine if you have on-site IT staff and then you don't want this router to fall into somebody's hands and have them be able to connect to your network either way it depends on what your what your policy is group ez VPN key Cisco one two three this is the group that's configured on your server and the pre shared key that's configured on your server so that group policy that we created on the server that is what this is referencing so obviously that stuff has to 
match, both the group name and the pre-shared key. So this pre-shared key here is in lieu of your regular site-to-site-tunnel-like configuration where you would type in a key. mode client, and you could also use network extension if you were using that; we'll see an example of that later, but this is the client mode where it's going to request an IP address and NAT everything through that IP. peer 21.1.2, in this case that's the address of the EZVPN server; obviously it's usually going to be an Internet-routable public address, I just used the one that I set up in my lab. username cisco password cisco: you only have to put this in here if you're going to connect automatically; if you're going to be connecting manually you're going to type the username and password into the console. Because I am going to have this set up to connect auto I put the username and password in here, but yes, this is in clear text, by the way, so don't give the people at the branch office access to the router. xauth userid mode local: again this is for when you want to connect automatically; it means that the Xauth credentials, the username and password we have above here, are going to be stored locally.

All right, so after this you just need to set your inside and outside interfaces. Again, your outside interface, unless you're doing this over a private network, is going to be your internet-facing interface, so that command is crypto ipsec client ezvpn, the name of the client policy that we just set up on the last page, and outside; and inside, so this is your inside facing your corporate network. Sorry, I'm having trouble with the tools here. Here's my internet-facing interface, Serial0/0/1, and crypto ipsec client ezvpn EZVPN: you don't have to say outside, you just have to type in the name, and then you type inside. There's only two choices, so good. You can see here you've configured this, and assuming that you have set it up to connect auto like I did on the last slide, the router is
instantly going to try to make the connection. It'll come up assuming that you've configured everything correctly.

All right, on the ASA you can set up, well, it says here an ASA can also be either a VPN server or a client; only the ASA 5505 can be a client. I mentioned that in the beginning of the presentation. So there are some similarities in the configs. I'm showing the 8.0 code because that's what they're currently using on the CCIE lab and that's what I'm familiar with. I don't think there's a lot of changes to this, but I'm not running 8.3 or 8.4 in any of my customers that I work with or labs; in the Q&A, if anybody is, they can speak up. All right, so your ISAKMP policy, your IP pools, split-tunnel ACLs, transform sets, etc., those are typed in just like in IOS, so there's the similarities. The ASA, for all kinds of VPN connections, uses group policies and tunnel groups instead of that group policy being set in the crypto isakmp client configuration. So here's an example of the group policy, some of the differences: group-policy EZVPN internal, so internal means the group policy is configured on the device itself, not on, like, a remote RADIUS server. Once you've done that and it's created, you can then go group-policy, the name, EZVPN, attributes, and that drops you into a sub-configuration mode where you can set up the address pool, whether you're going to use split tunneling or not, if you're using split tunneling what the split-tunnel ACL is, and then things like password-storage enable, which, like it says here, lets the client store the password locally. Okay, so when the client puts in that group name in his client configuration, instead of it being the group policy it's actually what's called a tunnel group, and again, if you've ever done site-to-site tunnels on an ASA you're familiar with tunnel groups already. With the site-to-site tunnels, the
tunnel name is usually the IP address, or if you're using pre-shared keys it has to be the IP address of the peer. Here it doesn't have to be, because it's a remote-access tunnel group, so you can just give it a name. So here's how you create those: tunnel-group EZVPN type ipsec-ra, so remote access; tunnel-group EZVPN general-attributes, the default group policy for this tunnel group will be EZVPN, and that's the group policy we created on the last page; tunnel-group EZVPN ipsec-attributes, under the IPsec attributes, that's where you set your pre-shared key; you can also set up the CA, the trust point that you'll use if you're doing certificate authentication, here as well. Okay, so once you've set the group policy and set up the tunnel group, you're going to apply it, and, like it says here, it's very similar to doing the crypto map version on IOS: you create a dynamic crypto map, you set up your transform set and reverse routing if you want it under that dynamic crypto map, you reference that dynamic crypto map in the regular crypto map and apply that to the interface. There's no virtual tunnel interfaces on the ASA, and of course QoS is much more limited on the ASA than it is on an IOS router, so kind of pick your poison there: do you want to terminate this on an ASA? It kind of depends on what configuration you need. Do you need, you know, granular QoS? If so, do it on a router; if not, you're fine doing it on the ASA. So here's an example: crypto dynamic-map EZVPN 5, set your transform set EZVPN, set it to use reverse-route, then create a normal crypto map, EZVPN 10, referencing the dynamic crypto map. Finally, isakmp enable outside; that turns on ISAKMP. That's a very common thing that people forget: you know, they do this whole configuration for Easy VPN, apply a crypto map to an interface, it doesn't work, "ah, what's happening, it doesn't work, maybe my settings are wrong," show crypto isakmp sa, no ISAKMP SAs, "what's happening? I know I
have this set up right." It's because you forgot this command: you have to enable ISAKMP on the interface that the clients are going to be connecting to. So remember that in real life, remember it on the CCIE lab, etc. So here's how you apply it to an interface: crypto map EZVPN interface outside. It's that simple. Of course, if you want, you can do different group policies and have different lines in your crypto map, like I said, one for hardware clients, one for remote-access clients, etc.

Final note here: remember to NAT-exempt traffic from your inside network to the client addresses. The firewalls are of course almost always going to be connected to the internet, and usually when you're doing that you're NATing traffic so that all of your inside hosts can get out to the internet and surf the web and all that good stuff. If you're not NAT-exempting the traffic, it's not going to go through the tunnel; it's just going to get NATed and sent out to the Internet, where it will be dropped because you're using private addresses. This note is not just for ASAs: if you are doing that on your IOS router that you're using as an Easy VPN server, you're going to have to NAT-exempt as well. NAT exemption is fairly easy on an ASA; on an IOS router you have to do it in your NAT statement, referencing a route map which references an ACL. If you have to do that and that's not clear, or you want any more information, google it, there's plenty of examples on how to do it, or you can get on our forum and ask me or some of the other people there. I'll show the forum at the end of the presentation.

Okay, Easy VPN client on the ASA. We've mentioned before it's only the 5505s, the little baby ASAs, and it's done by using the vpnclient commands. So here's an example config, and I will say that I have not used the 5505s as a client myself in the real world or even in a lab, so this example is straight out of the Cisco docs, but it'll probably work. So vpnclient
server, whatever the IP address of your server is; again I used a private address, but it's going to be a real Internet address in the real world. vpnclient mode client, or it could be network extension if you're using network extension mode. vpnclient vpngroup EZVPN password cisco, so that's your EZVPN group on the server, your tunnel group, and the pre-shared key for that tunnel group. vpnclient username cisco password cisco, and again that's your Xauth credentials. And then finally vpnclient enable, and that turns on the VPN. Like I said, I haven't done this one myself; the EZVPN hardware configurations, or hardware clients, that I've used have all been routers, so somebody can speak up in the Q&A session at the end if they've done this.

Okay, so that's it for the lecture part of the presentation; now let's see how this actually works. So we're going to do this first with kind of a small network here. Router 1 is going to be our hardware client and Router 2 will be the EZVPN server, and then we have some routers on the respective corporate networks for each of these devices, and they're basically going to be acting as hosts. So Router 3, think of it as a PC, you know, connecting to some servers or something. I've got a couple of loopback addresses on Router 4, the .30 network back here as well. If all goes well here with these configurations, and they should, because I pre-configured them and tested them, then once Router 1 connects to Router 2, Router 3 should be able to ping into these networks and then the return traffic should go back. So let's take a look at that. Let me get connected to all the devices here. I got them booted up; I just want to make sure that they're still on and responding. Hey, there's Router 1. I got timed out, so I have to clear the console lines from my access server. Okay, you don't have to memorize that Visio that I put up earlier; I'll reference back to it throughout the rest of
this demo. Okay, normally in a class at this point I would quiz you on what configuration we need to do first, but again we're kind of limited with the chat functionality. I'm just going to give it a little more time here to see if I got anything. Yeah, still no chat, so I'm not going to quiz you and try to get you to remember; I'll just show you the configuration.

Okay, so first we're going to do basic Easy VPN, and again I have these pre-configured in Notepad, which I think is the best way to type in commands; it lets you easily edit them and see them as a whole rather than, you know, putting them in the router and then doing a bunch of show commands and section commands and so on. So if you recall, we had to set up AAA, so here we go: aaa new-model, authentication login, we're calling this EZ, and we're going to be doing local, just for the ease of use here; I'm not going to use a RADIUS server or something like that. aaa authorization network EZ, and local as well. So pretty basic stuff there. If you recall from our Visio here, Router 2 is going to be the server, so we'll go to Router 2 and paste that stuff in. Next up, since we're doing local, I'm going to need a local username and password that the client can log in with when we do the Xauth authentication. So yeah, I got that pre-configured here as well: username cisco password cisco. So that takes care of our AAA setup, fairly basic, and it's not too much harder even if you wanted to use TACACS or RADIUS; you would just have to do the tacacs-server host, whatever the IP address is, and the key, and then set this line here up to be group tacacs+ or group radius. Okay, next part of our configuration, ISAKMP policy, pretty basic here as well: I'm using AES and SHA because I like to use the most secure stuff available, using Diffie-Hellman group 2, and we'll be using a pre-shared key; again, much easier. I don't want this to become a presentation on setting up the CA, even
though it's not that hard; this will cut down on the confusion. Okay, I've created an ACL here. I mentioned earlier on in the presentation that we talked about split-tunnel ACLs, and this is how they work: you set up your access list with permit statements for the networks that you want to protect. These are not the client-side networks at all; it's just permit ip from your corporate network, from your corporate network, from your corporate network, to any. That's how you do the split-tunnel ACLs. I know it might sound a little bit backwards, because you're thinking in terms of the client that this is getting pushed out to, you know, the client would be coming from itself, whatever its network is, to the corporate network. So remember that little trick, or whatever: when you're configuring the server it's from the perspective of the server; we want to encrypt traffic coming from the corporate network going to anywhere. So I'll paste the ACL in, the split-tunnel ACL, and again that's going to be referenced later on during the group policy setup. The pool configuration, we didn't see this earlier either, we just saw it referenced within the client configuration, but it's really easy to set up: ip local pool, the name of the pool, starting IP address, ending IP address. Really, really simple; hard to mess that one up. Okay, here's our client configuration, so we're going to create this group policy, client configuration group, called EZVPN. The pre-shared key will be cisco123, and once again, normally in a site-to-site tunnel you would type that after you did your ISAKMP policy, crypto isakmp key cisco, you know, whatever address; instead we're putting it here in the client configuration. acl 101 means we will be using split tunneling and we will use this ACL for split tunneling; that's the ACL that we just created a few steps ago. If you don't put this line in here you won't use split tunneling, and all of your traffic for the client will be attempted to be
tunneled through the network. Whether you split-tunnel or not is up to you; if you don't want to use it, you just don't put this acl line in. pool EZPOOL is simply the pool here that we created above; that means clients using this group will receive one of these addresses. And finally save-password, that allows us to locally save the password here. Okay, so I'm going to paste that in. Okay, crypto ipsec transform-set EZVPN; again, if you've done a site-to-site tunnel before this is not a big deal, it's just the transform set we're going to use. Okay, if you remember, we're going to do the basic setup here, which is just done with the crypto map, so here's our dynamic crypto map, which is going to set the transform set, and yes, we're going to use reverse-route. If you get on here on Router 4, that's our client on the corporate network back here, he just has his connected routes, and you can see here that he's running EIGRP; he's paired up with Router 2, which is our server. Right now he only knows connected routes. Assuming we're properly setting up reverse route injection, Router 4 should get the client pool addresses when they connect, so we'll be sure to check that once we get these connected up. Okay, here's our crypto map, and again we're going to set the authentication list to EZ, that's up here, we're going to set the authorization list to EZ, and again we created that up here. client configuration address respond, remember that just means that the server is going to hand out IP addresses from the pool that we created here. So let's paste all of that in. Finally, and this is only if you are going to do reverse route injection, we need to set up EIGRP to redistribute those static routes into EIGRP. I just used a bogus metric here, just to have something in there, because EIGRP requires a metric for redistribution. The final step here of course is to apply the crypto map
to an interface. Should see a pop-up here, yep, telling me ISAKMP just came on, and this server is ready to rock and roll, assuming that I didn't make any mistakes in my config there. So Serial0/0/1 is our .20 network here that's going to be connected over to the client itself.

All right, here's the client configuration. Again, it's really easy, just a few lines, and you could easily cut and paste this, you know, into mass devices if you wanted to roll this out quickly to a bunch of devices. So crypto ipsec client ezvpn, called EZVPN; I know that's confusing, but at least it's in caps to let you know that's the name that I typed in and not a command. connect auto, because I'm too lazy to type, you know, three lines when I want to connect this device up. group EZVPN: again, in the class I'd quiz you, but this command is referencing the group policy on the server, EZVPN; obviously my key has to match what's in that group policy. mode client instead of network extension here. peer 21.1.2, again that's the address here of Router 2's serial interface. username cisco password cisco, those are my stored Xauth authentication credentials, because, if you recall, under my client configuration here I set the save-password command; that lets me store credentials. So username cisco password cisco, that matches on the server this username and password. And finally xauth userid mode local; again, that means I'm using my locally stored credentials to connect with. The remainder of this, I'll go ahead and paste this in. I pasted it on the correct router here, okay, so that's all in there. What remains is to apply this: set my inside and outside interfaces. If we go back here, this is my corporate network, so Serial0/1/1 is going to be inside, Serial0/0/1 will be outside, and because I've set this to connect auto, as soon as I configure both of these it should try to connect. So let's see it. Here it tells me ISAKMP is on, tells me EZVPN connection is up, Username cisco, Group EZVPN,
Client public address, that's my address on my internet-facing interface, Server's public address is this, and my assigned client address was .1.20. So that's good, because it means that the server assigned to me the first IP address in that EZVPN pool. So that's good stuff; that early on means you're up and running. You can also see these Loopback10000 and NVI0 interfaces get created. Do a show ip interface brief: that NVI is my serial address, my outside interface IP address, and the Loopback10000 is the address that was configured on my client, so that's that virtual address that all of my inside corporate networks are going to get NATed to so I can make my connection over to the other side.

Okay, so verification commands for this. Other than seeing those pop-up messages, you can do a show crypto isakmp sa, and you should have an SA between you, the source, and the destination, which is the server. The state should be QM_IDLE, which is quick mode; quick mode is IKE phase 2. If you see QM_IDLE in any kind of IPsec connection you know that you have gotten through IKE phase 1 and 2; this is what you want to see. If you're troubleshooting this and you see something else in here like AM_INIT or something like that, these first two letters here are the IKE mode they are in, so if you see AM_INIT that means aggressive mode, IKE phase 1 running in aggressive mode, init, which is the first conversation, the first two packets that go from you to the server and back; something went wrong there, and usually that's an IKE phase 1 thing, so the ISAKMP policy didn't match, the pre-shared key didn't match, etc. So use these states if you end up troubleshooting.

Okay, what else can we do to verify? crypto ipsec client ezvpn, that's my connection. Sorry, show crypto. That command that I just showed is how you would manually connect; we're set up to use auto, but if you weren't you could connect using that series of commands. It's good that I screwed up and showed that. Okay, so show crypto ipsec client ezvpn. Okay, so I'm going to get a little bit of information now about the tunnel: tunnel name is EZVPN, here's the inside and outside interfaces, current state is IPSEC_ACTIVE, and that means the tunnel is up and working, here's the address I received and it was applied to Loopback10000, we knew that already, save password is allowed, we know that, here's my ACL entries for split tunneling, and again this lets me know, connecting from me to go to any of these IP addresses and subnets, that I'll be encrypted. It also tells me my current peer, so there's a little bit of information about what I got from the server when I connected. The final command here, and maybe not the final, there's a few commands you can do; you can do a show crypto ipsec, show crypto session is the one I was thinking of. This will, again for any IPsec connection, tell you that, okay, on interface Serial0/0/1, that's my outside interface, my peer is .2, port 500, that's ISAKMP, UDP port 500; I've got this SA active, the IKE SA, and I've got this IPsec flow, which is permit ip from host, the address I was assigned, going to anywhere. But the real one that
I want to show you is hopefully a command you're familiar with, which is show crypto ipsec sa. I like this command because it has counters on it, and counters are a good thing. So this tells us that I have this IPsec SA, and I've got counters for encapsulation and decapsulation; it tells me what traffic I'm encrypting, and so on. Okay, I mentioned on Router 4 we were going to check some routing stuff, so here's a show ip route, and you'll notice that I now have an external EIGRP route; that means a redistributed route for .1.20, so that means my reverse route injection works properly, which is good, because it means that Router 4, which again we're using as our internal corporate network on the head-end side, will be able to route the packets back across to the client. So, final test, where the rubber meets the road: we're going to try to ping from Router 3, which is acting as our host on the remote network, over to these loopback addresses. I'll just pick one of them here. So let's jump on over to Router 1, excuse me, Router 3, there's too many labs in my head, and we're going to try to ping. Okay, it was successful. How do we know it encrypted? Let's jump back up to Router 1 here and do the show crypto ipsec sa, and we can see that our five ICMP packets were encapsulated, they went over to the other side, five ICMP echo replies came back, they were decrypted and decapsulated. So our tunnel is up and working. So that was the easy version of Easy VPN.

Real quick here, what I'm going to do is reload Routers 1 and 2; they're going to come back up in a default state, and we're going to show you the dynamic virtual tunnel interface version of this. Okay, so a lot of this is going to look the same: aaa new-model, you know, our authentication list, I call them local lists in this case, I still have a local password, still have the same, or a different pool, a different set of IP addresses, AES, SHA, pre-shared authentication, group 2, still have a split
tunnel list, it's the same one, same client configuration, all this stuff is the same. Where we start to differ here is we have an ISAKMP profile called "easy profile", with match identity group "easy group", which means for this profile we'll be using this particular group policy. Here's my authentication and authorization lists up here referenced, and I'm going to be using virtual-template 1. So we saw all this in the presentation. Here's my transform set. I created an IPsec profile, again in lieu of a crypto map. Here's my virtual-template 1, that's what we're using for this particular ISAKMP profile: ip unnumbered Serial0/0/1, which again, if we go back here, that's going to be our internet-facing interface where we want the peers to connect to, tunnel mode ipsec ipv4, and finally protect traffic using this particular transform set. Then I have my redistribute static in here. Okay, so I'm also doing a virtual template on the client: a virtual-template 1 type tunnel, ip unnumbered Serial0/0/1, and under my client configuration here I'm referencing that virtual interface. So you can do this on the client as well as the server with the virtual tunnel interfaces. Let's see if my routers are back up here; looks like they are. Okay, so rather than paste in each part individually, I am going to paste the entire thing in over here on Router 2. Okay, that's all in there, ISAKMP is on, Virtual-Template1 is set to down. Let's grab the configuration here for the client side, and again it's just going to connect auto, because I don't want to type in... uh-oh, looks like I typed in the peer name wrong here; connect auto, my group screwed up there, that was a little odd, not sure what. Once I put that peer address in there correctly you can see that my client came up, and we can do some of the same type of testing: show crypto isakmp sa, here's my QM_IDLE, that's good news; I can do a show crypto ipsec client ezvpn, got my split-tunnel ACL, got my address, first address in the
in the pool handed out to me, and I can show my SA. If I jump over to the server here I can do a show ip interface brief, and you can see that this Virtual-Access, this was the virtual interface that got spawned from my template, it's up and up; it came up there. I could do a show ip route here: got a static route generated for 192.168.1.50, that's good news, that means reverse route injection is working. I can jump over to my Router 4, which is my host; he's got that same reverse route injection address set up, and as before, on the client I can try pinging to one of the loopback addresses; it comes back. I can do a show crypto ipsec sa, got packets encapsulated and decapsulated, and everybody's happy.

Okay, so let me bring my console up here, and we'll actually, no, before we start the Q&A I want to show you some stuff here. I swear I'm not a sales guy, not very good at this, but there's a special on the CCIE Security training right now. So for just under two thousand dollars you can go to one of our CCIE Security Advanced Lab Bootcamps; again, this is for people prepping for their CCIE lab. It's a five-day instructor-led, by one of our CCIE instructors, going through, it's basically a five-day monster lab that will hit all the high points, all the topics in detail that you typically see on the CCIE Security lab. So if you don't want to study everything and you kind of want to get a short list of stuff that you can work with and ask the instructor questions about, this is a great class. In addition to the class itself you'll get all of our security workbooks: a foundation workbook, so that lets you touch all the technology; the advanced lab workbook, which is ten mock labs that are pretty close to the security exam itself, not violating the NDA obviously, but I wrote part of that advanced lab workbook and I've taken the version 3 test, the one that you'll get right now, several times, so I got a good picture of what's on
it. Those are really good workbooks. You also get 25 sessions of rack time; that means 25 eight-hour sessions, so that's a good amount. Accessing the racks, too: what I'm using here has multiple ASAs, two ASAs, ten routers or switches, an IPS and an ACS server, basically everything you'll need for prepping for your exam. So again, that's the end of the sales stuff. If you like, you can contact Jerry; Jerry's one of our sales guys, he's a good guy, he won't steer you wrong. There's his email address, jerry@ccbootcamp.com, or you can call our 800 number, 877-654-2243. So that's it for the sales part of it; again, great value there, that's an awesome price considering all you get; if you compare that to anybody else out there you'll find that that's a great price. If you want to view this video, if you didn't catch something the first time I said it, it is going to be available for a limited time on lms.ccbootcamp.com. You can go there, sign up and then watch this webinar as well as other webinars that we do in this series; I think there's a NAT one, an 802.1X one, I did a CCIE Security troubleshooting section, and so on. So within 24 hours of when I'm done with this you can access it again by going to that site. Finally, if you want to ask further questions that don't get answered in the Q&A, it's likely that that'll happen, we don't have that much time for Q&A, and I certainly, you know, I'm not an encyclopedia of Easy VPN knowledge; but securityie.com, if you go to that forum, it's very active, there's a ton of experts on there, current CCIE students, current CCIEs themselves; I'm active on there, Tim Rowley, who's our CCIE Security instructor, is active there as well. If you have a question either about your real network, about the lab, about a particular type of technology, go there, post, you're going to get responses the same day. I love to lab stuff up when people ask me things that I don't know. So again,
post there and we'll get you sorted one way or the other; it's a great resource.

Okay, so that's the end of the presentation; let's move on to doing some Q&A here. Again, the chat doesn't work, but I do have an attendee list here and there is a raise-your-hand thing; I can unmute you. Anybody have any questions about EZVPN, about the lab as it currently stands? You're free to use that hand raise and I'll unmute you here. Okay, Aaron, I've got you unmuted, but I can't hear any audio. Yeah, I'm still not hearing anything. Okay, I see that the hand went down there. So anybody else have any questions at all, or is it that only one person could figure out how to raise their hand? Well, really, you know, if you're not with this stuff, I tried to be thorough in the presentation; I know it's kind of a lot of stuff to take in, even with somebody explaining it to you. I would say that as far as Easy VPN goes, like I said, I've used it in the real world. Let's see here, I got a chat message. Okay, so there's a questions box; see if you can type stuff in there. I see that the chats don't show up in the chat portion, they show up here. Okay, so I'm going to try to expand this a little bit so I can actually see it. I do see a lot of chats here.

Okay, so somebody asked: do you need virtual-template under the crypto isakmp profile? Yeah, that's where you're going to tie the ISAKMP profile to the virtual template itself, so yeah, you need that under there. And it says: where should we configure reverse route? That's an interesting question, because you'll notice if you take a look at my configuration here for the dynamic virtual tunnel interfaces, nowhere here did I type in reverse-route. So when you're using the dynamic virtual tunnel interfaces it's automatically generating that reverse route, that static route. Again, here's
my nothing-up-my-sleeve moment: nowhere in this configuration is there reverse-route configured; that just automatically happens. It is important, though: even though that route, or that static route, automatically gets generated, you still have to redistribute it into your dynamic routing protocol, whether it's OSPF or EIGRP. Somebody else asked: used AES but did not specify 128, 192 or 256. So let's take a look at that. Yes, under the transform set. show crypto session, does it show it under there? It doesn't say whether it's using AES or not. I know the ISAKMP policy will show the IKE part of it uses 128. show crypto ipsec sa, does that show AES or not? That doesn't show; it's AES, whatever the default is for that is what it'll be. If you want, you can post that on the security ie forum and we'll lab it up later and see if you can specify it or not. Okay, the next one: although just a demonstration, have a preference on why the default AES 128 versus 256? No, it was just a demo, so I used the default. You can use whatever you see fit; if you feel like it's not going to put significant load on a router to use AES 256 you can certainly do that, and I always like to use the most secure protocol that I have available to me, so that's my preference. Scott asked a general question here about the CCIE Security lab: does that lab have the IPS included? If you mean, and I assume, you can correct me here if I'm wrong, I assume you mean the CCIE Security lab rather than IOS IPS on my demo: the Security lab for sure has IPS in all of its forms on it, so yeah, you have to prep for that. Okay, so that's the end of the questions that I have listed here. Scott, was that what you were asking? Were you asking about the CCIE Security lab in general? "CCBootcamp rental rack?" Yes, for both. So when you come to our classes live you're assigned a rack for the duration of the class, and not
just for business hours you can you know you get it for after-hours as well and yes you have you have an IPS available to you as part of the rack that that means one of the appliance IPS is not the not the SSM module for the ASAS that's that's not part of the security lab just the just the appliance is so yeah when you do rack rentals or the classroom IPS is using our same racks and then they have an IPS in them okay does anybody anybody have any any other questions again about ez VPN or about the the ie security lab in general yay I'm not not seeing anything come in once again I would I would urge everybody if you are either prepping for your for your lab or just a security professional in general that that security ie forum is is a really active forum it's it's not but it's not like something where you'll post a question and wait a week you'll get immediate or fairly immediate responses to whatever questions you have and it can really help cut through some of the the learning curve that there is for prepping for your your lab or even if you're not prepping for the lab just meeting general info or specific info even about a particular feature whether it's easy VPN or something else anything that isn't easily asked in you know this is this QA and then you may have wanted to do it somewhere else that that security ieave forum is a great resource so I urge you to to sign up for that and post anything all right so I guess that's it I want to thank everybody for for coming it's like I said a good topic one that is initially looks like it's going to be complex but like anything else once you break it down and find out how each piece works it's it's not so not so bad that's that's it for the presentation and hopefully you got some good information out of it and any further security presentations webinars that we do you are likely on the list and you'll get information about about those upcoming ones as well so thanks a lot once again and I'm going to go ahead and sign off
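The three configuration points raised in the Q&A (the virtual-template tied in under the ISAKMP profile, the per-client static route that DVTI installs without a reverse-route command but that still has to be redistributed, and an explicit AES key size in the transform set) put together in one minimal IOS Easy VPN server configuration. This is an added example, not the configuration shown in the webinar; every name (EZVPN-GROUP, EZVPN-PROF, EZVPN-TS, the AAA lists, the pool), the addresses and the placeholder keys are made up for illustration.

```cisco
! Added example: minimal IOS Easy VPN server using a dynamic virtual tunnel
! interface (DVTI). All names, keys and addresses are placeholders.
aaa new-model
aaa authentication login EZVPN-AUTHEN local
aaa authorization network EZVPN-AUTHOR local
username vpnuser secret CHANGE-ME
!
! IKE phase 1. Group 2 is what legacy Easy VPN clients negotiate;
! use 14 or higher where the client supports it.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.254
!
! Group policy pushed to the client by mode-config.
crypto isakmp client configuration group EZVPN-GROUP
 key CHANGE-ME-GROUP-KEY
 pool EZVPN-POOL
 dns 10.0.0.53
 domain example.com
!
! The ISAKMP profile is where the virtual-template is tied in
! (the "do you need virtual-template under the profile" question).
crypto isakmp profile EZVPN-PROF
 match identity group EZVPN-GROUP
 client authentication list EZVPN-AUTHEN
 isakmp authorization list EZVPN-AUTHOR
 client configuration address respond
 virtual-template 1
!
! Transform set with the key size stated explicitly: a bare "esp-aes"
! means AES-128, "esp-aes 256" selects AES-256.
crypto ipsec transform-set EZVPN-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile EZVPN-IPSEC
 set transform-set EZVPN-TS
 set isakmp-profile EZVPN-PROF
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! No "reverse-route" here: with DVTI, a static host route to each
! client's pool address is installed via the Virtual-Access interface
! automatically when the tunnel comes up.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
!
! The auto-generated static route still has to be redistributed for the
! rest of the network to reach the clients (redistribute static under
! EIGRP works the same way).
router ospf 1
 network 192.0.2.1 0.0.0.0 area 0
 redistribute static subnets
```

Once a client connects, `show ip route` should list its pool address as a static host route pointing at a Virtual-Access interface, and the `transform:` line of `show crypto ipsec sa` names the cipher actually negotiated for that SA (`esp-256-aes` for the transform set above), which is the quickest way to confirm the key size rather than relying on the default.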
Info
Channel: ccietraining
Views: 9,268
Rating: 5 out of 5
Keywords: CCBOOTCAMP, Webinar, Cisco, Easy, VPN, EZVPN, EasyVPN, CCIE, Training, CCNP, CCNA, Network, certification, training, ipexpert, internetwork, expert
Id: 4Eq_2yyHy6A
Length: 100min 11sec (6011 seconds)
Published: Thu Aug 11 2011