My First EzVPN Configuration on a PIX
The configuration of the PIX, which acts as the EzVPN server (the syslog messages below are %PIX-, and the syntax is the same as on an ASA), is:
hostname EzVPNServer
username CISCO password TYX7NfYD.Yf733Bn encrypted
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.1.29.9 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.19.9 255.255.255.0
!
access-list EZACL extended permit ip 150.1.19.0 255.255.255.0 any
ip local pool xEz 192.168.3.0-192.168.3.255 mask 255.255.255.0
!
router ospf 1
network 0.0.0.0 0.0.0.0 area 0
log-adj-changes
redistribute static subnets
!
crypto ipsec transform-set X esp-3des esp-md5-hmac
crypto dynamic-map DMAP 10 set transform-set X
crypto dynamic-map DMAP 10 set reverse-route
crypto map STATIC 10 ipsec-isakmp dynamic DMAP
crypto map STATIC interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
group-policy T internal
group-policy T attributes
dns-server value 1.2.3.4
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZACL
address-pools value xEz
tunnel-group EzTunnel type remote-access
tunnel-group EzTunnel general-attributes
address-pool xEz
default-group-policy T
tunnel-group EzTunnel ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:fe78832de471bc1fc7e2040783f61405
A few caveats on that server configuration before reusing it. The IKE policy (3DES, MD5, DH group 2) and the transform set (esp-3des esp-md5-hmac) are lab settings that would not be acceptable today; AES, SHA-1 and DH group 5 are available on PIX 7.x and should be used instead. `no crypto isakmp nat-traversal` switches NAT-T off, so a client behind a NAT device could not connect. With a group pre-shared key, EzVPN runs IKE in aggressive mode, and aggressive mode lets anyone who knows the group name start an exchange and collect material for an offline guess at the group key, so that key (CISCO here, entered on the client below) should be long and random; XAUTH (user CISCO here) is the real per-user authentication.
On the IOS router R3, the client-mode configuration is entered as follows. Because `connect manual` is chosen, the tunnel has to be brought up by hand with `crypto ipsec client ezvpn connect`, and the XAUTH prompt is answered with `crypto ipsec client ezvpn xauth`:
R3(config)#crypto ipsec client ezvpn EzTunnel
R3(config-crypto-ezvpn)#?
Crypto EzVPN configuration commands:
  acl            Specify access-list identifier for SA establishment
  backup         Configure an EzVPN as a backup
  connect        Connect
  exit           Exit from EzVPN configuration mode
  group          Group Name
  local-address  Interface to use for local address for this ezvpn configuration
  mode           Mode
  no             Negate a command or set its defaults
  peer           Allowed Encryption/Decryption Peer
  username       User Name
  xauth          XAuth parameters
R3(config-crypto-ezvpn)#group EzTunnel ?
  key  Group Key
R3(config-crypto-ezvpn)#group EzTunnel key CISCO
R3(config-crypto-ezvpn)#peer 10.1.29.9
R3(config-crypto-ezvpn)#connect ?
  acl     Configure matching ACL to trigger EzVPN connection
  auto    Automatic
  manual  Manual
R3(config-crypto-ezvpn)#connect manual
R3(config-crypto-ezvpn)#exit
R3(config)#int lo0
R3(config-if)#crypto ipsec client ezvpn EzTunnel inside
R3(config)#int f0/0
R3(config-if)#crypto ipsec client ezvpn EzTunnel outside
R3(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
EZVPN(EzTunnel): Current State: IDLE
EZVPN(EzTunnel): Event: VALID_CONFIG_ENTERED
EZVPN(EzTunnel): ezvpn_check_tunnel_interface_state
EZVPN(EzTunnel): New State: VALID_CFG
EZVPN(EzTunnel): Current State: VALID_CFG
EZVPN(EzTunnel): Event: VALID_CONFIG_ENTERED
EZVPN(EzTunnel): No state change
EZVPN(EzTunnel): Current State: VALID_CFG
EZVPN(EzTunnel): Event: TUNNEL_INTERFACE_UP
EZVPN(EzTunnel): ezvpn_check_tunnel_interface_address
EZVPN(EzTunnel): New State: TUNNEL_INT_UP
EZVPN(EzTunnel): Current State: TUNNEL_INT_UP
EZVPN(EzTunnel): Event: TUNNEL_HAS_PUBLIC_IP_ADD
EZVPN(EzTunnel): New State: TRACKING
EZVPN(EzTunnel): Current State: TRACKING
R3(config-if)#
EZVPN(EzTunnel): Event: TRACKED OBJECT UP
EZVPN(EzTunnel): New State: CONNECT_REQUIRED
R3(config-if)#do crypto ipsec client ezvpn connect
R3(config-if)#
EZVPN(EzTunnel): Deleted PSK for address 10.1.29.9
EZVPN(EzTunnel): Current State: CONNECT_REQUIRED
EZVPN(EzTunnel): Event: CONNECT
EZVPN(EzTunnel): ezvpn_connect_request
EZVPN(EzTunnel): Found valid peer 10.1.29.9
EZVPN(EzTunnel): Added PSK for address 10.1.29.9
EZVPN(EzTunnel): New State: READY
EZVPN(EzTunnel): Current State: READY
EZVPN(EzTunnel): Event: IKE_PFS
EZVPN(EzTunnel): No state change
EZVPN(EzTunnel): Current State: READY
EZVPN(EzTunnel): Event: CONN_UP
EZVPN(EzTunnel): ezvpn_conn_up 4C3F5510 A7DE64D0 ED55F8C7 034BCBAF
EZVPN(EzTunnel): No state change
EZVPN(EzTunnel): Current State: READY
EZVPN(EzTunnel): Event: XAUTH_REQUEST
R3(config-if)#
EZVPN(EzTunnel): ezvpn_xauth_request
EZVPN(EzTunnel): ezvpn_parse_xauth_msg
EZVPN: Attributes sent in xauth request message:
XAUTH_TYPE_V2(EzTunnel): 0
XAUTH_USER_NAME_V2(EzTunnel):
XAUTH_USER_PASSWORD_V2(EzTunnel):
EZVPN(EzTunnel): New State: XAUTH_REQ
R3(config-if)#
EZVPN(EzTunnel): Pending XAuth Request, Please enter the following command:
EZVPN: crypto ipsec client ezvpn xauth
R3(config-if)#do crypto ipsec client ezvpn xauth
Username: CISCO
EZVPN(EzTunnel): Current State: XAUTH_REQ
EZVPN(EzTunnel): Event: XAUTH_PROMPTING
EZVPN(EzTunnel): New State: XAUTH_PROMPT
Password:
R3(config-if)#
EZVPN(EzTunnel): Current State: XAUTH_PROMPT
EZVPN(EzTunnel): Event: XAUTH_REQ_INFO_READY
EZVPN(EzTunnel): ezvpn_xauth_reply
XAUTH_TYPE_V2(EzTunnel): 0
XAUTH_USER_NAME_V2(EzTunnel): CISCO
XAUTH_USER_PASSWORD_V2(EzTunnel): <omitted>
EZVPN(EzTunnel): New State: XAUTH_REPLIED
EZVPN(EzTunnel): Current State: XAUTH_REPLIED
EZVPN(EzTunnel): Event: XAUTH_STATUS
EZVPN(EzTunnel): xauth status received: Success
EZVPN(EzTunnel): New State: READY
EZVPN(EzTunnel): Current State: READY
EZVPN(EzTunnel): Event: MODE_CONFIG_REPLY
EZVPN(EzTunnel): ezvpn_mode_config
EZVPN(EzTunnel): ezvpn_parse_mode_config_msg
EZVPN: Attributes sent in message:
Address: 192.168.2.1
Mask: 255.255.255.0
DNS Primary: 1.2.3.4
Savepwd off
Split Tunnel List: 1
Address : 150.1.19.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
EZVPN(EzTunnel): ezvpn_nat_config
EZVPN(EzTunnel): New State: SS_OPEN
EZVPN(EzTunnel): Current State: SS_OPEN
EZVPN(EzTunnel): Event: SOCKET_READY
EZVPN(EzTunnel): No state change
EZVPN(EzTunnel): Current State: SS_OPEN
EZVPN(EzTunnel): Event: MTU_CHANGED
EZVPN(EzTunnel): No state change
EZVPN(EzTunnel): Current State: SS_OPEN
EZVPN(EzTunnel): Event: SOCKET_UP
ezvpn_socket_up
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=EzTunnel Client_public_addr=10.1.23.3 Server_public_addr=10.1.29.9 Assigned_client_addr=192.168.3.1
EZVPN(EzTunnel): Tunnel UP! Letting user know about it
EZVPN(EzTunnel): New State: IPSEC_ACTIVE
R3(config-if)#
%LINK-3-UPDOWN: Interface Loopback1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R3(config-if)#do show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.23.3       YES manual up                    up
FastEthernet0/1            unassigned      YES unset  administratively down down
NVI0                       unassigned      NO  unset  up                    up
Loopback0                  150.1.3.3       YES manual up                    up
Loopback1                  192.168.3.1     YES manual up                    up
R3(config-if)#
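To read a trace like the one above without scrolling through every state line, here is an added Python example (not code from the original post) that parses the EZVPN state-machine lines, the XAUTH result, the mode-config attributes and the CONNECTION_UP message, and runs a few sanity checks on the session. The sample trace embedded in it is a trimmed copy of the R3 output above; the line formats it assumes are the ones printed on this page, and the distinction between `Address:` (the assigned address) and `Address :` (a split-tunnel entry) is taken from the spacing in that output. On this page's trace it reports two findings: the mode-config address (192.168.2.1) does not match the assigned address in CONNECTION_UP (192.168.3.1), and the server pushed APPLICATION_VERSION, which this client ignores.

```python
"""Summarize IOS 'debug crypto ipsec client ezvpn' output. Added example, not code
from the page. Line formats assumed are the ones printed on the page ('Address:'
is the assigned address, 'Address :' a split-tunnel entry); SAMPLE_TRACE is a
trimmed copy of the page's R3 trace with the password omitted."""
import re
from dataclasses import dataclass, field

STATE_RE = re.compile(r"EZVPN\([^)]+\): (Current State|Event|New State): (.+)$")
ATTR_RE = re.compile(r"^\s*(Address|Mask|DNS Primary|Split Tunnel List)\s*:\s*(\S+)")
UNSUPPORTED_RE = re.compile(r"Unknown/Unsupported Attr: (.+)$")
SCALARS = {  # one-line values copied straight into the summary
    re.compile(r"xauth status received: (\w+)"): "xauth_status",
    re.compile(r"EZVPN_CONNECTION_UP: .*Assigned_client_addr=(\S+)"): "assigned_address",
}

SAMPLE_TRACE = """\
EZVPN(EzTunnel): Current State: CONNECT_REQUIRED
EZVPN(EzTunnel): Event: CONNECT
EZVPN(EzTunnel): New State: READY
EZVPN(EzTunnel): Event: XAUTH_STATUS
EZVPN(EzTunnel): xauth status received: Success
Address: 192.168.2.1
Mask: 255.255.255.0
DNS Primary: 1.2.3.4
Split Tunnel List: 1
Address : 150.1.19.0
Mask : 255.255.255.0
EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
EZVPN(EzTunnel): New State: SS_OPEN
EZVPN(EzTunnel): Event: SOCKET_UP
%CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=EzTunnel Client_public_addr=10.1.23.3 Server_public_addr=10.1.29.9 Assigned_client_addr=192.168.3.1
EZVPN(EzTunnel): New State: IPSEC_ACTIVE
"""

@dataclass
class EzvpnSummary:
    transitions: list = field(default_factory=list)  # (from_state, event, to_state)
    final_state: str = None
    xauth_status: str = None
    modecfg_address: str = None   # pushed in mode-config
    assigned_address: str = None  # reported in CONNECTION_UP
    dns_servers: list = field(default_factory=list)
    split_networks: list = field(default_factory=list)  # (address, mask)
    unsupported_attrs: list = field(default_factory=list)

def parse_trace(text):
    s, current, event, in_split = EzvpnSummary(), None, None, False
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            kind, val = m.group(1), m.group(2).strip()
            if kind == "Current State":
                current = val
            elif kind == "Event":
                event = val
            else:  # New State: record the transition and advance
                s.transitions.append((current, event, val))
                current = s.final_state = val
            continue
        m = UNSUPPORTED_RE.search(line)
        if m:
            s.unsupported_attrs.append(m.group(1).strip())
            continue
        for rx, name in SCALARS.items():
            m = rx.search(line)
            if m:
                setattr(s, name, m.group(1))
        m = ATTR_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if key == "Split Tunnel List":
            in_split = True  # Address/Mask pairs that follow are split entries
        elif key == "DNS Primary":
            s.dns_servers.append(val)
        elif in_split and key == "Address":
            s.split_networks.append((val, None))
        elif in_split and key == "Mask" and s.split_networks:
            s.split_networks[-1] = (s.split_networks[-1][0], val)
        elif key == "Address":
            s.modecfg_address = val
    return s

def check(s):
    """Sanity checks on a captured session; an empty list is a clean connect."""
    findings = []
    if s.final_state != "IPSEC_ACTIVE":
        findings.append("tunnel never reached IPSEC_ACTIVE (last state %s)" % s.final_state)
    if s.xauth_status != "Success":
        findings.append("XAUTH result was %r, not Success" % s.xauth_status)
    if s.modecfg_address and s.assigned_address and s.modecfg_address != s.assigned_address:
        findings.append("mode-config pushed %s but CONNECTION_UP reports %s"
                        % (s.modecfg_address, s.assigned_address))
    findings += ["server pushed an attribute the client ignores: " + a for a in s.unsupported_attrs]
    return findings

if __name__ == "__main__":
    summary = parse_trace(SAMPLE_TRACE)
    print(*summary.transitions, *check(summary), sep="\n")
```

Feed it `debug crypto ipsec client ezvpn` output saved from a terminal session; a connection that stalls in CONNECT_REQUIRED or XAUTH_REQ shows up immediately in `final_state`, which is faster than reading the transitions by hand.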
On R1, behind the PIX's inside interface, the assigned client address now appears as an OSPF route. The intended mechanism is reverse-route injection: `set reverse-route` on the dynamic crypto map makes the PIX install a static host route for the client's assigned address when the tunnel comes up, and `redistribute static subnets` under `router ospf 1` advertises it. Note, though, that R1 lists 192.168.3.1 as a plain O (intra-area) route with cost 31, exactly like R3's Loopback0 (150.1.3.3/32), whereas a static route redistributed by the PIX would show up as O E2; so the route seen here is most likely R3 advertising its new Loopback1 into OSPF. `show route` on the PIX shows whether the RRI static route was actually installed.
R1#show ip route ospf
     10.0.0.0/24 is subnetted, 3 subnets
O       10.1.29.0 [110/20] via 10.1.19.9, 00:04:21, FastEthernet0/0
O       10.1.23.0 [110/30] via 10.1.19.9, 00:04:21, FastEthernet0/0
     192.168.3.0/32 is subnetted, 1 subnets
O       192.168.3.1 [110/31] via 10.1.19.9, 00:04:21, FastEthernet0/0
     150.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
O       150.1.3.3/32 [110/31] via 10.1.19.9, 00:04:21, FastEthernet0/0
O       150.1.2.2/32 [110/21] via 10.1.19.9, 00:04:21, FastEthernet0/0
R1#
Back on R3, a ping to 10.1.19.1 (on the PIX's inside network) gets no reply when sourced from FastEthernet0/0 or from Loopback0, but succeeds when sourced from Loopback1, the EzVPN-assigned address. (The pasted ping and mode-config output show 192.168.2.1 where Loopback1, the pool and the PIX log all show 192.168.3.1; the configuration as posted assigns from 192.168.3.0/24.)
R3#ping 10.1.19.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.19.1, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
R3#ping 10.1.19.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.19.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.3.3
.
Success rate is 0 percent (0/1)
R3#ping 10.1.19.1 so lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.19.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/112/144 ms
R3#
On the PIX the syslog shows why. The two pings that reached it unencrypted from R3's outside address 10.1.23.3 are dropped at the outside interface, since nothing in the configuration permits inbound traffic from outside (security level 0) to inside (100). The ping sourced from the assigned address arrives through the tunnel, where decrypted IPsec traffic is exempt from that interface check by default (`sysopt connection permit-ipsec`, on by default on PIX 7.x and therefore not shown in the running configuration), and the resulting ICMP connection is tagged with the XAUTH user (CISCO):
EzVPNServer(config)# %PIX-3-106014: Deny inbound icmp src outside:10.1.23.3 dst inside:10.1.19.1 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src outside:10.1.23.3 dst inside:10.1.19.1 (type 8, code 0)
%PIX-6-302020: Built inbound ICMP connection for faddr 192.168.3.1/7 gaddr 10.1.19.1/0 laddr 10.1.19.1/0 (CISCO)
%PIX-6-302020: Built outbound ICMP connection for faddr 192.168.3.1/7 gaddr 10.1.19.1/0 laddr 10.1.19.1/0
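Those two message types are enough to build a small detection rule. As an added example (not code from the original post), the following Python classifies PIX messages by where the traffic came from: a 106014 deny whose source is the VPN client's own outside address means the client sent that packet outside the tunnel, a 106014 deny from a pool address means someone is using a VPN-assigned address in the clear, and a 302020 whose faddr is in the pool is decrypted tunnel traffic, tagged with the XAUTH user on the inbound leg. The pool (192.168.3.0/24) and R3's outside address (10.1.23.3) are taken from the configuration above; the message formats assumed are exactly those of the four lines shown, which are embedded as the sample input.

```python
"""Classify PIX/ASA syslog from an EzVPN test by where the traffic came from.
Added example, not code from the page. Message formats assumed: 106014 and
302020 exactly as printed on the page; POOL and CLIENT_PUBLIC come from the
page's configuration and SAMPLE_LOG is the page's four messages."""
import ipaddress
import re
from collections import Counter

DENY_RE = re.compile(
    r"%PIX-\d-106014: Deny inbound (\w+) src (\w+):([\d.]+) dst (\w+):([\d.]+)")
BUILT_RE = re.compile(
    r"%PIX-\d-302020: Built (inbound|outbound) ICMP connection for faddr ([\d.]+)/\d+ "
    r"gaddr ([\d.]+)/\d+ laddr ([\d.]+)/\d+(?: \(([^)]+)\))?")

POOL = ipaddress.ip_network("192.168.3.0/24")        # ip local pool xEz
CLIENT_PUBLIC = {ipaddress.ip_address("10.1.23.3")}  # R3's outside address

SAMPLE_LOG = """\
EzVPNServer(config)# %PIX-3-106014: Deny inbound icmp src outside:10.1.23.3 dst inside:10.1.19.1 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src outside:10.1.23.3 dst inside:10.1.19.1 (type 8, code 0)
%PIX-6-302020: Built inbound ICMP connection for faddr 192.168.3.1/7 gaddr 10.1.19.1/0 laddr 10.1.19.1/0 (CISCO)
%PIX-6-302020: Built outbound ICMP connection for faddr 192.168.3.1/7 gaddr 10.1.19.1/0 laddr 10.1.19.1/0
"""


def classify(line):
    """Return {'verdict', 'src', 'dst', 'user'} for one message, or None."""
    m = DENY_RE.search(line)
    if m:
        _proto, src_if, src, _dst_if, dst = m.groups()
        src_ip = ipaddress.ip_address(src)
        if src_ip in CLIENT_PUBLIC:
            # The VPN client's own outside address hit the outside interface in the
            # clear: that packet left the client without going through the tunnel.
            verdict = "bypassed_tunnel"
        elif src_ip in POOL:
            # A pool address should only ever appear after decryption.
            verdict = "pool_address_in_clear"
        else:
            verdict = "denied_" + src_if
        return {"verdict": verdict, "src": src, "dst": dst, "user": ""}
    m = BUILT_RE.search(line)
    if m:
        direction, faddr, _gaddr, laddr, user = m.groups()
        if ipaddress.ip_address(faddr) in POOL:
            # Pool address as faddr: traffic decrypted from an EzVPN session; the
            # PIX appends the XAUTH user name on the inbound leg.
            verdict = "tunneled"
        else:
            verdict = "cleartext_" + direction
        return {"verdict": verdict, "src": faddr, "dst": laddr, "user": user or ""}
    return None


def summarize(log):
    """Count verdicts over a whole log; lines we do not handle are skipped."""
    counts = Counter()
    for line in log.splitlines():
        c = classify(line)
        if c:
            counts[c["verdict"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line))
    print(dict(summarize(SAMPLE_LOG)))
```

Run over a syslog archive, a non-zero `bypassed_tunnel` count for a client's outside address is the quickest way to spot inside traffic leaking in the clear, typically a split-tunnel list or client NAT that does not match what the user expects.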
The IKE SA can be confirmed on the PIX as well. Type user and State AM_ACTIVE show a remote-access peer that came up in aggressive mode, with the PIX as responder:
EzVPNServer# show crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 10.1.23.3
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
EzVPNServer# %PIX-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa
On a Windows XP machine, the client configuration is:
Nice!!!