EzVPN Configuration on a PIX (>I)

My First EzVPN Configuration on a PIX
The configuration of the PIX (the EzVPN server, hostname EzVPNServer) is:
hostname EzVPNServer
username CISCO password TYX7NfYD.Yf733Bn encrypted
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.1.29.9 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.19.9 255.255.255.0
!
access-list EZACL extended permit ip 150.1.19.0 255.255.255.0 any
ip local pool xEz 192.168.3.0-192.168.3.255 mask 255.255.255.0
!
router ospf 1
network 0.0.0.0 0.0.0.0 area 0
log-adj-changes
redistribute static subnets
!
crypto ipsec transform-set X esp-3des esp-md5-hmac
crypto dynamic-map DMAP 10 set transform-set X
crypto dynamic-map DMAP 10 set reverse-route
crypto map STATIC 10 ipsec-isakmp dynamic DMAP
crypto map STATIC interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
group-policy T internal
group-policy T attributes
dns-server value 1.2.3.4
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZACL
address-pools value xEz
tunnel-group EzTunnel type remote-access
tunnel-group EzTunnel general-attributes
address-pool xEz
default-group-policy T
tunnel-group EzTunnel ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:fe78832de471bc1fc7e2040783f61405
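The ISAKMP policy and transform set above use 3DES, MD5 and DH group 2, which were common lab defaults when this was written but are weak by current standards. The script below is an added example (not code from the original post or from Cisco): it parses the `crypto isakmp policy` and `crypto ipsec transform-set` lines of a PIX/ASA configuration and reports weak algorithms, using the post's own crypto lines as sample input next to a hardened variant constructed for comparison. Which settings count as weak is this example's own choice.

```python
"""Audit the IKEv1/IPsec crypto settings in a PIX/ASA configuration.

Added example, not code from the original post. It parses the
'crypto isakmp policy' and 'crypto ipsec transform-set' lines of a
running-config and flags algorithms that are weak by current standards
(DES/3DES, MD5, DH groups 1/2/5). The weak-algorithm sets below are this
example's own choice; the sample input is the post's configuration plus a
hardened variant constructed for comparison.
"""
import re

WEAK_ENCRYPTION = {"des", "3des"}         # 64-bit block ciphers
WEAK_HASH = {"md5"}                        # collision-broken; avoid for IKE
WEAK_DH_GROUPS = {"1", "2", "5"}           # MODP groups of 1536 bits or less
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
POLICY_ATTRS = {"authentication", "encryption", "hash", "group", "lifetime"}

# Constructed sample: the crypto lines exactly as they appear in the post.
SAMPLE_CONFIG = """\
crypto ipsec transform-set X esp-3des esp-md5-hmac
crypto dynamic-map DMAP 10 set transform-set X
crypto dynamic-map DMAP 10 set reverse-route
crypto map STATIC 10 ipsec-isakmp dynamic DMAP
crypto map STATIC interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
"""

# Constructed hardened variant (assumed, not from the post): AES-256,
# SHA-based HMACs and a 2048-bit DH group.
HARDENED_CONFIG = """\
crypto ipsec transform-set X esp-aes-256 esp-sha-hmac
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
"""


def parse_isakmp_policies(config):
    """Return {policy_number: {attribute: value}} for each isakmp policy.

    Attribute lines may be indented (show run) or flush-left (as in the
    post); any other top-level command ends the current policy block.
    """
    policies = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        parts = line.split()
        if current is not None and len(parts) >= 2 and parts[0] in POLICY_ATTRS:
            current[parts[0]] = parts[1]
        elif parts:
            current = None
    return policies


def parse_transform_sets(config):
    """Return {name: [transforms]} for each 'crypto ipsec transform-set'."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"^crypto ipsec transform-set (\S+)\s+(.+)$", line)
        if m:
            sets[m.group(1)] = m.group(2).split()
    return sets


def audit(config):
    """Return a sorted list of findings; an empty list means nothing weak."""
    findings = []
    for num, attrs in parse_isakmp_policies(config).items():
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {num}: weak encryption {attrs['encryption']}")
        if attrs.get("hash") in WEAK_HASH:
            findings.append(f"isakmp policy {num}: weak hash {attrs['hash']}")
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {num}: weak DH group {attrs['group']}")
    for name, transforms in parse_transform_sets(config).items():
        for t in transforms:
            if t in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: weak transform {t}")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("post config", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no weak settings"])
```

Running the module prints five findings for the post's configuration (3DES, MD5 and group 2 in the ISAKMP policy, `esp-3des` and `esp-md5-hmac` in the transform set) and none for the hardened variant; the same two parse functions can be pointed at a full `show running-config` capture.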
On the IOS router (R3), the client-mode configuration is:
R3(config)#crypto ipsec client ezvpn EzTunnel
R3(config-crypto-ezvpn)#?
Crypto EzVPN configuration commands:
acl            Specify access-list identifier for SA establishment
backup         Configure an EzVPN as a backup
connect        Connect
exit           Exit from EzVPN configuration mode
group          Group Name
local-address  Interface to use for local address for this ezvpn configuration
mode           Mode
no             Negate a command or set its defaults
peer           Allowed Encryption/Decryption Peer
username       User Name
xauth          XAuth parameters
R3(config-crypto-ezvpn)#group EzTunnel ?
key  Group Key
R3(config-crypto-ezvpn)#group EzTunnel key CISCO
R3(config-crypto-ezvpn)#peer 10.1.29.9
R3(config-crypto-ezvpn)#connect ?
acl     Configure matching ACL to trigger EzVPN connection
auto    Automatic
manual  Manual
R3(config-crypto-ezvpn)#connect manual
R3(config-crypto-ezvpn)#exit
R3(config)#int lo0
R3(config-if)#crypto ipsec client ezvpn EzTunnel inside
R3(config)#int f0/0
R3(config-if)#crypto ipsec client ezvpn EzTunnel outside
R3(config-if)#
R3(config-if)#
R3(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
EZVPN(EzTunnel): Current State: IDLE
EZVPN(EzTunnel): Event: VALID_CONFIG_ENTERED
EZVPN(EzTunnel): ezvpn_check_tunnel_interface_state
EZVPN(EzTunnel): New State: VALID_CFG
EZVPN(EzTunnel): Current State: VALID_CFG
EZVPN(EzTunnel): Event: VALID_CONFIG_ENTERED
EZVPN(EzTunnel): No state change
EZVPN(EzTunnel): Current State: VALID_CFG
EZVPN(EzTunnel): Event: TUNNEL_INTERFACE_UP
EZVPN(EzTunnel): ezvpn_check_tunnel_interface_address
EZVPN(EzTunnel): New State: TUNNEL_INT_UP
EZVPN(EzTunnel): Current State: TUNNEL_INT_UP
EZVPN(EzTunnel): Event: TUNNEL_HAS_PUBLIC_IP_ADD
EZVPN(EzTunnel): New State: TRACKING
EZVPN(EzTunnel): Current State: TRACKING
R3(config-if)#
R3(config-if)#
EZVPN(EzTunnel): Event: TRACKED OBJECT UP
EZVPN(EzTunnel): New State: CONNECT_REQUIRED
R3(config-if)#do crypto ipsec client ezvpn connect
R3(config-if)#
EZVPN(EzTunnel): Deleted PSK for address 10.1.29.9
EZVPN(EzTunnel): Current State: CONNECT_REQUIRED
EZVPN(EzTunnel): Event: CONNECT
EZVPN(EzTunnel): ezvpn_connect_request
EZVPN(EzTunnel): Found valid peer 10.1.29.9
EZVPN(EzTunnel): Added PSK for address 10.1.29.9
EZVPN(EzTunnel): New State: READY
EZVPN(EzTunnel): Current State: READY
EZVPN(EzTunnel): Event: IKE_PFS
EZVPN(EzTunnel): No state change
EZVPN(EzTunnel): Current State: READY
EZVPN(EzTunnel): Event: CONN_UP
EZVPN(EzTunnel): ezvpn_conn_up 4C3F5510 A7DE64D0 ED55F8C7 034BCBAF
EZVPN(EzTunnel): No state change
EZVPN(EzTunnel): Current State: READY
EZVPN(EzTunnel): Event: XAUTH_REQUEST
R3(config-if)#
EZVPN(EzTunnel): ezvpn_xauth_request
EZVPN(EzTunnel): ezvpn_parse_xauth_msg
EZVPN: Attributes sent in xauth request message:
XAUTH_TYPE_V2(EzTunnel): 0
XAUTH_USER_NAME_V2(EzTunnel):
XAUTH_USER_PASSWORD_V2(EzTunnel):
EZVPN(EzTunnel): New State: XAUTH_REQ
R3(config-if)#
EZVPN(EzTunnel): Pending XAuth Request, Please enter the following command:
EZVPN: crypto ipsec client ezvpn xauth
R3(config-if)#do crypto ipsec client ezvpn xauth
Username: CISC
EZVPN(EzTunnel): Current State: XAUTH_REQ
EZVPN(EzTunnel): Event: XAUTH_PROMPTING
EZVPN(EzTunnel): New State: XAUTH_PROMPT
CISCO
Password:
R3(config-if)#
EZVPN(EzTunnel): Current State: XAUTH_PROMPT
EZVPN(EzTunnel): Event: XAUTH_REQ_INFO_READY
EZVPN(EzTunnel): ezvpn_xauth_reply
XAUTH_TYPE_V2(EzTunnel): 0
XAUTH_USER_NAME_V2(EzTunnel): CISCO
XAUTH_USER_PASSWORD_V2(EzTunnel): <omitted>
EZVPN(EzTunnel): New State: XAUTH_REPLIED
EZVPN(EzTunnel): Current State: XAUTH_REPLIED
EZVPN(EzTunnel): Event: XAUTH_STATUS
EZVPN(EzTunnel): xauth status received: Success
EZVPN(EzTunnel): New State: READY
EZVPN(EzTunnel): Current State: READY
EZVPN(EzTunnel): Event: MODE_CONFIG_REPLY
EZVPN(EzTunnel): ezvpn_mode_config
EZVPN(EzTunnel): ezvpn_parse_mode_config_msg
EZVPN: Attributes sent in message:
        Address: 192.168.2.1
        Mask: 255.255.255.0
        DNS Primary: 1.2.3.4
        Savepwd off
        Split Tunnel List: 1
              Address    : 150.1.19.0
              Mask       : 255.255.255.0
              Protocol   : 0x0
              Source Port: 0
              Dest Port  : 0
EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
EZVPN(EzTunnel): ezvpn_nat_config
EZVPN(EzTunnel): New State: SS_OPEN
EZVPN(EzTunnel): Current State: SS_OPEN
EZVPN(EzTunnel): Event: SOCKET_READY
EZVPN(EzTunnel): No state change
EZVPN(EzTunnel): Current State: SS_OPEN
EZVPN(EzTunnel): Event: MTU_CHANGED
EZVPN(EzTunnel): No state change
EZVPN(EzTunnel): Current State: SS_OPEN
EZVPN(EzTunnel): Event: SOCKET_UP
ezvpn_socket_up
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=  Group=EzTunnel  Client_public_addr=10.1.23.3  Server_public_addr=10.1.29.9  Assigned_client_addr=192.168.3.1
EZVPN(EzTunnel): Tunnel UP! Letting user know about it
EZVPN(EzTunnel): New State: IPSEC_ACTIVE
R3(config-if)#
%LINK-3-UPDOWN: Interface Loopback1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R3(config-if)#do show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.23.3       YES manual up                    up
FastEthernet0/1            unassigned      YES unset  administratively down down
NVI0                       unassigned      NO  unset  up                    up
Loopback0                  150.1.3.3       YES manual up                    up
Loopback1                  192.168.3.1     YES manual up                    up
R3(config-if)#
On R1 we see the following; the 192.168.3.1/32 route is there because of reverse-route injection (RRI) on the PIX:
R1#show ip route ospf
10.0.0.0/24 is subnetted, 3 subnets
O       10.1.29.0 [110/20] via 10.1.19.9, 00:04:21, FastEthernet0/0
O       10.1.23.0 [110/30] via 10.1.19.9, 00:04:21, FastEthernet0/0
192.168.3.0/32 is subnetted, 1 subnets
O       192.168.3.1 [110/31] via 10.1.19.9, 00:04:21, FastEthernet0/0
150.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
O       150.1.3.3/32 [110/31] via 10.1.19.9, 00:04:21, FastEthernet0/0
O       150.1.2.2/32 [110/21] via 10.1.19.9, 00:04:21, FastEthernet0/0
R1#
Back on R3:
R3#ping 10.1.19.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.19.1, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
R3#ping 10.1.19.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.19.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.3.3
.
Success rate is 0 percent (0/1)
R3#ping 10.1.19.1 so lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.19.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/112/144 ms
R3#
On the PIX, the syslog shows:
EzVPNServer(config)# %PIX-3-106014: Deny inbound icmp src outside:10.1.23.3 dst inside:10.1.19.1 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src outside:10.1.23.3 dst inside:10.1.19.1 (type 8, code 0)
%PIX-6-302020: Built inbound ICMP connection for faddr 192.168.3.1/7 gaddr 10.1.19.1/0 laddr 10.1.19.1/0 (CISCO)
%PIX-6-302020: Built outbound ICMP connection for faddr 192.168.3.1/7 gaddr 10.1.19.1/0 laddr 10.1.19.1/0

EzVPNServer# show crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 10.1.23.3
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
EzVPNServer#
%PIX-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa

On a Windows XP machine, the VPN client configuration is shown in the screenshots below:

[three screenshots of the Windows XP VPN client configuration; images not preserved in this copy]

Nice!!!

A Networker Blog
