CCNP ISCW Official Exam Certification Guide, part 7

378 Chapter 16: Configuring Cisco Easy VPN
11. Which command will allow a network administrator to view real-time information regarding
ISAKMP connections on an Easy VPN Server?
a. debug crypto isakmp
b. debug ip isakmp
c. debug crypto ipsec
d. debug ip ipsec
12. In cases where AAA services are in use, which command will allow a network administrator
to monitor activity related to username and password exchanges in real time?
a. debug crypto isakmp
b. debug crypto ipsec
c. debug aaa authentication
d. debug aaa authorization
The answers to the “Do I Know This Already?” quiz are found in Appendix A, “Answers to the
‘Do I Know This Already?’ Quizzes and Q&A Sections.” The suggested choices for your next step
are as follows:
■ 8 or fewer overall score—Read the entire chapter. This includes the “Foundation Topics,”
“Foundation Summary,” and “Q&A” sections.
■ 9 or 10 overall score—Begin with the “Foundation Summary” section, and then go to the
“Q&A” section.
■ 11 or more overall score—If you want more review on these topics, skip to the “Foundation
Summary” section, and then go to the “Q&A” section. Otherwise, move to the next chapter.
150x01x.book Page 378 Monday, June 18, 2007 8:52 AM
Foundation Topics
The growing move toward the Service-Oriented Network Architecture (SONA) is laying down a
path of evolution that will enable clients of all types to access network resources, applications, and
services available to those in the corporate headquarters site. This allows enterprise networks to
move further toward the goal of providing a single experience to all users regardless of the method
by which they access those applications and services.


The Cisco Easy VPN solution simplifies the deployment of remote offices and teleworkers.
Teleworkers, on the whole, represent one of the fastest growth areas of network users. The
availability of high bandwidth at low cost is spurring a great deal of industry evolution. Along with
this growth in remote connection requests comes a similar, if not greater, growth in security needs
of the network.
Cisco Easy VPN serves to simplify client configuration and allow for a centralized management
model of VPN Clients. This client configuration can be dynamically pushed to remote clients.
Cisco Easy VPN provides a quick, efficient, and, most importantly, secure means of configuring
VPN services for remote users of all kinds. It consists of two primary components, Easy VPN
Remote and Easy VPN Server.
Using Internet Key Exchange (IKE) Mode Config functionality to push configuration parameters
to clients, the clients can be preconfigured to conform to a set of IKE policies and IPsec transform
sets. This ensures that all clients are up to date with the latest policies in place prior to establishing
connections.
Cisco Easy VPN Components
The Cisco Easy VPN solution consists of two components, Server and Remote. Cisco Easy VPN
Server allows Cisco IOS Routers, Cisco PIX Security Appliances, and Cisco VPN 3000
Concentrators to act as VPN headend devices in site-to-site or remote-access VPN models. Easy
VPN–enabled devices can terminate IPsec tunnels initiated by teleworkers using the Cisco VPN
Client software on a PC. This makes it possible for mobile and remote workers to access corporate
services and applications.
Easy VPN Remote
Cisco Easy VPN Remote enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3000
series hardware/software clients to act as remote VPN Clients. They receive security policies from
an Easy VPN Server. This minimizes the need for manual configuration tasks. Easy VPN Remote
provides for automated, centralized management of the following:
■ Tunnel parameter negotiation (addresses, algorithms, and duration)
■ Tunnel establishment according to set parameters

■ Automatic creation of Network Address Translation (NAT) and Port Address Translation
(PAT) as well as any needed access control lists (ACL)
■ User authentication
■ Security key management for encryption and decryption
■ Tunneled data authentication, encryption, and decryption
Easy VPN Remote supports three modes of operation:
■ Client—Specifies that NAT or PAT be used so that end stations at the remote end of the VPN
tunnel do not use IP addresses in the space of the destination server. The needed security
associations (SA) are created automatically for IP addresses assigned to remote hosts.
■ Network Extension—Specifies that remote-end hosts use IP addresses that are fully routable
and reachable by the destination network over the tunnel connection so that they form a single
logical network. In such cases, PAT is not used, to allow remote-end PCs direct access to
destination network services and applications.
■ Network Extension Plus—Identical to Network Extension mode with the additional
capability of being able to request an IP address via mode configuration and automatically
assign it to an available loopback interface. The IPsec SAs for this IP address are
automatically created.
Client mode is relatively simple and is used on a regular basis in countless deployments. Figure
16-1 shows an example of the Easy VPN Client concept.
Figure 16-1 Easy VPN Remote Client Mode (figure labels: Easy VPN Remote, Easy VPN Server, VPN Tunnel, Internet; teleworker-side addresses 10.1.1.1, 10.1.1.2, 10.1.1.3, and 10.1.1.4; corporate network 172.16.0.0/11)
In the figure, the hosts at the teleworker’s home are all addressed with RFC 1918 addresses, as are
the destination resources at the corporate office site. RFC 1918 addresses are nonroutable
addresses within the public Internet; however, NAT/PAT allow them to be translated and routed
across. With the VPN connection running in Client mode, routing information can pass between
the customer premises equipment (CPE) and the corporate office site.
Network Extension mode is very similar in concept to Client mode. So long as the addresses in
the teleworker subnet are fully routable and unique within the corporate infrastructure, Figure 16-1
can also be said to be an example of Network Extension mode. If not, there will need to be a NAT/
PAT operation performed at the VPN Server to pass traffic into the corporate network and back to
the teleworker premises.
Easy VPN Server Requirements
To implement Easy VPN Remote capabilities, a number of prerequisite guidelines must be met.
The Cisco Easy VPN Remote feature requires that the destination peer be a Cisco Easy VPN
Server or VPN Concentrator that supports the Cisco Easy VPN Server feature. Essentially, the
hardware and software feature sets must be those capable of performing the roles and functions of
the Easy VPN solution. To that end, a minimum Cisco IOS version is required as follows:
■ Cisco 831, 836, 837, 851, 857, 871, 876, 877, and 878 Series Routers—Cisco IOS Software
Release 12.2(8)T or later (note that 800 series routers are not supported in Cisco IOS
12.3(7)XR but are supported in 12.3(7)XR2)
■ Cisco 1700 Series Routers—Cisco IOS Software Release 12.2(8)T or later
■ Cisco 2600 Series Routers—Cisco IOS Software Release 12.2(8)T or later
■ Cisco 3600 Series Routers—Cisco IOS Software Release 12.2(8)T or later
■ Cisco 7100 Series VPN Routers—Cisco IOS Software Release 12.2(8)T or later
■ Cisco 7200 Series Routers—Cisco IOS Software Release 12.2(8)T or later
■ Cisco 7500 Series Routers—Cisco IOS Software Release 12.2(8)T or later

■ Cisco PIX 500 Series—PIX OS Release 6.2 or later
■ Cisco VPN 3000 Series—Software Release 3.11 or later
Additionally, requirements for Easy VPN Servers include the need for Internet Security
Association and Key Management Protocol (ISAKMP) policies using Diffie-Hellman group 2
(1024-bit) IKE negotiation. This is necessary because the Cisco Unity protocol supports only
ISAKMP policies using group 2 IKE. The Cisco Unity protocol refers to a methodology VPN
clients use to determine the order of events when attempting a connection to a VPN server. The
Cisco Unity protocol operates based on the notion of a client group. A Unity client must identify
and authenticate itself by group first and, if Xauth is enabled, by user afterward. The Easy VPN
Server cannot be configured for ISAKMP group 1 or 5 when used with Easy VPN Clients.
To ensure secure tunnel connections, the Cisco Easy VPN Remote feature does not support
transform sets providing encryption without authentication or those providing authentication
without encryption. Both encryption and authentication must be represented.
The Cisco Unity protocol does not support Authentication Header (AH) authentication but it does
support Encapsulation Security Payload (ESP).
Sometimes, a VPN connection might be used as a backup connection meant to be established and
used when the primary link is unavailable. Various backup capabilities are available to meet such
a need, including, but not limited to, dial backup. When using dial backup scenarios with Easy
VPN, it should be understood that any backup method based on line status is not supported. This
means that a primary interface in up/down state will not trigger the VPN connection establishment.
Also worthy of mention at this point is the fact that NAT interoperability is not supported in Client
mode when split tunneling is enabled. This is because the client will be connected to both the
central site and to the local LAN, with routing enabled to both networks per the split tunneling
definition. Without split tunneling, the IP address assigned by the central site will become the
address of the client interface. This avoids any possibility of address overlapping. When split
tunneling is enabled, this cannot always be the case. When the connection is established and a
route is injected into the central site network for remote site reachability, the route must be unique.
Split tunneling allows the possibility for address overlap.

Easy VPN Connection Establishment
Easy VPN connectivity is relatively straightforward. The configuration and connection phases are
subject to certain restrictions as listed in the previous section. The Cisco Easy VPN Remote feature
supports a two-stage process for client/server authentication:
■ Stage 1 is Group Level Authentication, which represents a portion of the channel creation
process. During this stage, two types of authentication can be used, either preshared keys or
digital certificates.
■ Stage 2 of the authentication is known as Extended Authentication, or Xauth. The remote side
of the connection submits a username and password to the central site VPN device. This is the
same method that is used when a Cisco VPN Software Client is prompted for a username and
password to activate a VPN tunnel. However, in this case, a user is not authenticated to the
central site. Instead, the Easy VPN Remote Router, itself, is authenticated. Xauth, while
optional, is typically used in order to improve security. Once the Xauth is successfully
completed and the VPN tunnel is created, all PCs behind the Easy VPN Remote Router can
use the connection.
The following list represents a step-by-step method used to establish Easy VPN Remote Client
connectivity with an Easy VPN Server gateway:
Step 1 The VPN Client initiates IKE phase 1.
Step 2 The VPN Client establishes an ISAKMP SA.
Step 3 The Easy VPN Server accepts the SA proposal.
Step 4 The Easy VPN Server initiates user authentication.
Step 5 Mode configuration begins.
Step 6 The Reverse Route Injection (RRI) process begins.
Step 7 IPsec quick mode completes the connection.
At each step, decisions are made and/or information is exchanged. The following sections describe
further details about each step in the process.
IKE Phase 1
During the initial step of the connection attempt, the IKE phase 1 process is initiated. There are
two separate manners in which authentication can be performed when initiating IKE phase 1:
■ Use of a preshared key for authentication—The VPN Client initiates aggressive mode.
Each peer is aware of the key of the other peer. Preshared keys are visible in the running-
config of the router or VPN device on which they reside. With this in mind, an optional
encrypted preshared key option is available. An accompanying group must be entered in the
configuration of the VPN Client. This group name is used to identify the group profile
associated with the VPN Client.
■ Use of a digital certificate for authentication—The VPN Client initiates main mode. Digital
certificates use Rivest, Shamir, and Adelman (RSA) signatures on Easy VPN Remote devices.
This support is provided by an RSA certificate stored in a central repository or on the remote
device itself. With digital certificates, an organizational unit of a distinguished name is used
to identify the group profile to be used. Cisco recommends a timeout of 40 seconds when
using digital certificates with Easy VPN.
When using aggressive mode for connections, the identity of the Cisco IOS VPN device should be
changed using the crypto isakmp identity hostname command. Changing the name will have no
effect on the certificate authentication via IKE main mode. The crypto isakmp identity command
allows the use of an address or a hostname. To set an address, use the following:
BM2821(config)#crypto isakmp identity address
BM2821(config)#crypto isakmp key sharedkeystring address 192.168.1.33
This effectively sets the ISAKMP identity to the specified IP address. To change it to use a
hostname instead, use the following:
BM2821(config)#crypto isakmp identity hostname
BM2821(config)#crypto isakmp key sharedkeystring hostname RemoteRouter.example.com
BM2821(config)#ip host RemoteRouter.example.com 192.168.1.33
The two configurations essentially have identical results.
Establishing an ISAKMP SA
When a VPN Client attempts to establish an SA between peers, it sends multiple ISAKMP
proposals to the Easy VPN Server. As mentioned previously, Easy VPN supports only group 2
ISAKMP policy.

The VPN Client attempts to establish an SA between the peer IP addresses through the
transmission of multiple ISAKMP proposals to the Easy VPN Server.
To reduce the amount of manual configuration of devices necessary to implement and support the
Easy VPN solution, ISAKMP proposals include multiple combinations of encryption and hash
algorithms, authentication methods, and Diffie-Hellman group sizes.
SA Proposal Acceptance
Several proposals can compose an ISAKMP policy. When multiple proposals exist, the Easy VPN
Server will make a choice by first match. For this reason, the most secure policies should be first
in the list to ensure the most secure connectivity.
As mentioned, the VPN Client sends multiple proposals to the Easy VPN Server. Once a proposal
is accepted (that is, the ISAKMP SA is established), the device is considered to be authenticated
and user authentication begins.
Easy VPN User Authentication
Now that the SA is accepted and the device is authenticated, a challenge is issued according to the
configured methodology. If the Easy VPN Server is configured (as is typical) for Xauth, the VPN
Client will wait for a username/password challenge.
Obviously, some input from the user is required at this point. The username and password are
entered upon receipt of the prompt. This information is checked against some authentication
entity, be it local authentication or some combination of TACACS, RADIUS, and/or hard/soft
token service.
Authentication, authorization, and accounting (AAA) policies define which users can perform
which functions on a managed device and keeps track of the changes made. Chapter 20, “Using
AAA to Scale Access Control,” covers AAA in more depth.
All Easy VPN Servers should be configured to manage VPN Clients and enforce user
authentication.
Mode Configuration
Once the Easy VPN Server indicates a successful authentication, the VPN Client requests any
remaining configuration parameters that may have been configured in the VPN Server. Mode
configuration begins and parameters such as IP address, DNS, split tunneling information, and
other available configuration options are downloaded to the client. The only mandatory
component to be downloaded to the client is the IP addressing information. Other mentioned
parameters are optional.
Reverse Route Injection
Reverse Route Injection (RRI) is the process of injecting a static route into the Interior Gateway
Protocol (IGP) routing table. This static route points to the client’s destination network. This is
useful when per-client static IP addressing is used with VPN Clients rather than per-VPN address
pools.
RRI should be enabled on the dynamic crypto map when per-user IP addresses are used in
environments where multiple VPN Servers are used. The redistribution of the RRI ensures
reachability to the client host(s).
IPsec Quick Mode
When all authentication is complete, the parameters provided from the VPN Server to the VPN
Client, and the RRI is injected, IPsec quick mode is initiated to negotiate an IPsec SA
establishment. This is the final step in the VPN connection establishment. Once the IPsec SA is
created, the connection is complete and active.
Easy VPN Server Configuration
To configure the Easy VPN Server, some amount of information gathering is necessary. The
information necessary includes the user’s account information, any required enable secret
passwords, AAA configuration (if not already done), and the configuration of the Easy VPN
Server itself. The configuration can be done through the traditional command-line interface (CLI)
or through the Security Device Manager (SDM) interface of the router itself.
SDM provides a graphical, web-based interface for configuring and monitoring an individual
router. SDM also includes a number of wizards expressly for purposes of configuring common
components of routing, firewall, intrusion detection/prevention, and VPN connectivity. One of the
wizards associated with VPN connectivity is the Easy VPN Server Wizard. Figure 16-2 shows the
home page of SDM running on a Cisco Integrated Services Router (ISR).

Figure 16-2 Cisco SDM
The SDM interface is quite straightforward and intuitive. The buttons across the top provide
various options for configuration, monitoring, and saving configuration changes. By clicking the
Configure button, the interface changes to the Configure page with the Tasks bar displayed down
the left side of the screen. This is the primary configuration interface for the router. Figure 16-3
shows the Configure Tasks page.
By default, the SDM Configure page begins on the Interfaces and Connections page. This is where
interface connectivity options and specific parameters are configured for each of the router’s
interfaces.
The third icon under the Tasks bar is VPN. Clicking this icon opens the page where the Easy VPN
Server configuration is performed, as shown in Figure 16-4.
Figure 16-3 SDM Configure Page
Figure 16-4 SDM VPN Page
Several options are available on the left side of the page. Out-of-the-box, an ISR can support Site-
to-Site VPN, Easy VPN Remote, Easy VPN Server, and Dynamic Multipoint VPN (DMVPN)
functionality. Obviously, the desired connection type for this discussion is Easy VPN Server.
Clicking the Easy VPN Server selection opens the first page of the Easy VPN Server Wizard.
The Easy VPN Server Wizard includes a number of tasks in the configuration:
■ Selection of the IPsec termination interface
■ IKE policy configuration
■ Group policy lookup methodology configuration
■ User authentication
■ Local group policy configuration
■ IPsec transform set configuration
Any and all services to be used by Easy VPN Clients should be configured prior to the Easy VPN
Server configuration. This includes all services to be used by AAA (RADIUS/TACACS+), IP
addressing and routing for client subnets, certification authorities (CA) as needed, and additional
services such as DNS and NTP settings (for proper PKI operation).
User Configuration
The configuration of users via the SDM interface is performed via the Additional Tasks button at
the bottom of the Tasks bar on the Configure page. Figure 16-5 shows the User Accounts/View
screen.
The figure shows the result of clicking Additional Tasks > Router Access > User Accounts/View
> Add. The options available allow the administrator to add, edit, or delete users.
Figure 16-5 SDM User Configuration
Easy VPN Server Wizard
Returning the discussion to the actual Easy VPN Server configuration, the Easy VPN Server
Wizard is now ready to be run. AAA and necessary user information and privilege levels have been
set. Click the Launch the Selected Task button on the Easy VPN Server screen to launch the
wizard. The initial screen is a summary of tasks to be performed similar to that shown on the first
page of the Easy VPN Server Wizard. If AAA has not already been configured, the wizard prompts
you for the required AAA configuration information at this point. AAA must be enabled for Easy
VPN Server to function properly. Additionally, at least one user must have privilege level 15
before enabling AAA on the device.
Click Next to open the Select an Interface screen, where you select the interface to be used with
Easy VPN. This will be the interface through which all Easy VPN Clients connect. From the
perspective of a NAT process, this is the outside interface. Figure 16-6 shows the Select an
Interface screen of SDM.
Figure 16-6 SDM Interface Selection
After you select the interface, click Next to move the wizard to the next step, where you can
configure the needed IKE proposals.
You can use the default IKE proposals already configured by the wizard, or you can manually
configure additional IKE proposals. Required parameters are as follows:
■ IKE proposal priority
■ Diffie-Hellman group (1, 2, or 5)
■ Encryption algorithm (DES, 3DES, AES, or SEAL)
■ HMAC (SHA-1 or MD5)
■ IKE lifetime
Figure 16-7 shows the IKE Proposals page where a new proposal is being added to the list of
available proposals.
Figure 16-7 Easy VPN Server IKE Proposals
After you select all the appropriate options, click Next to move the wizard to the page where you
can configure the transform sets.
As with IKE proposals, there is a default SDM transform set. The parameters for the transform set
are as follows:
■ Transform set name
■ Encryption algorithm
■ HMAC
■ Compression (optional)
■ Mode of operation (tunnel or transport)
Figure 16-8 shows the Transform Set page where a new transform set is being added to the list of
available transform sets.
Figure 16-8 Easy VPN Server Transform Sets
With transform sets completed, the next step is group authorization/policy configuration. This is
used for groups of VPN Clients who use the same authentication and configuration information.
You can configure the policies on the local Easy VPN Server, an external RADIUS/TACACS+
server, or both. The AAA method lists will be used in defining the order in which policies are
searched.

If you select local authentication, you must configure the user accounts in the Router Access
portion of SDM. If you select RADIUS or TACACS+, you must configure the appropriate servers
using the appropriate drop-down boxes. Once you select the option in the Method Selection box,
the adjacent button becomes active and you can configure servers.
The second portion of the configuration is the method for user authentication (Xauth). Xauth is an
enhancement of the existing IKE protocol. Xauth allows all Cisco IOS AAA authentication
methods to perform user authentication in a separate phase after the IKE phase 1 exchange. With
Xauth, IKE can provide user authentication using the device. This is possible only after the device
has been successfully authenticated during normal IKE authentication. Any AAA method can be
configured to accomplish this.
Figure 16-9 shows the User Authentication configuration page of the Easy VPN Server Wizard.
Figure 16-9 Easy VPN Server User Authentication Page
Note that this screen provides options to add new users should the need exist. Clicking the Add
User Account button opens the same dialog box shown in Figure 16-5.
Click Next to move the wizard to the Group Authorization/User Group Policies page. This page
allows you to configure groups of remote users who will be using Cisco VPN Clients and/or Easy
VPN Remote Clients. Attributes configured on this page are downloaded through the client or
device according to its group membership. Group names should be configured identically on both
Remote Client and Device to ensure that the appropriate group attributes are downloaded to each.
Figure 16-10 shows the Group Authorization/User Group Policies page with the Add Group Policy
dialog box open (accessed by clicking the Add button), which is used to insert a new group policy.
Figure 16-10 Easy VPN Server Group Authorization/User Group Policies Page
Note that the Add Group Policy dialog box has a collection of tabs across the top. These tabs can
be used to configure options for all users within the group membership, including
■ Group Name
■ Pre-Shared Key

■ Pool Information (IP addressing)
■ DNS/WINS (DNS and WINS server information)
■ Split Tunneling (if enabled, configure accessible protected subnets as necessary and/or
configure split tunneling ACLs)
■ Backup Servers (additional VPN access concentrators)
■ Personal Firewall Information
■ Local LAN Access while connected (non-split tunneling)
■ Maximum Number of Group Connections
■ Xauth Options such as Group Lock (adding group name to the Xauth username) and Saved
Password capability
■ Maximum Number of Logins Per User
After you enter the policy information and save it to the Group configuration, click the Next button
to access the wizard’s configuration summary page. This page details all of the information
entered regarding the Easy VPN Server configuration prior to its upload to the router.
Also included on the summary page is an option to test the VPN connection after the configuration
is uploaded to the router. If this box is checked, the configuration will be uploaded and then a
simulated connection attempt will be made to the VPN Server to establish connectivity.
The commands relevant to the configuration entered via the wizard will be uploaded to the router
and a summary page will be displayed showing success or failure of the configuration commands
entry. With that done, the test can be initiated. Figure 16-11 shows the results of the VPN test for
the Easy VPN Server configured throughout this chapter.
Figure 16-11 Easy VPN Server Connection Test
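The CLI equivalent of the wizard tasks described above, as an added example that is not from the book: an ISAKMP policy using Diffie-Hellman group 2, a transform set that provides both ESP encryption and authentication, a group profile whose attributes are pushed by mode configuration, Xauth through an AAA login list, and a dynamic crypto map with Reverse Route Injection. The names (EZVPN_XAUTH, EZVPN_GROUP, TELEWORKERS, EZVPN_TS, EZVPN_DYN, EZVPN_MAP, EZVPN_POOL), the interface, the pool range, the split-tunnel ACL, and the placeholder secrets are assumptions; the server address 172.16.0.4 and the 172.16.1.0/24 client range follow the chapter's sample topology.

```ios
! Added example (not from the book): Easy VPN Server on a Cisco IOS router,
! CLI equivalent of the SDM Easy VPN Server Wizard. Names, addresses and
! secrets are constructed; replace the <...> placeholders before use.
hostname BM2821
!
! A privilege-15 user must exist before AAA is enabled; the second user is
! the Xauth account a teleworker enters at the username/password prompt.
username admin privilege 15 secret <replace-with-admin-secret>
username teleworker1 secret <replace-with-user-password>
!
! AAA: the login list is used for Xauth, the network list for group lookup.
aaa new-model
aaa authentication login EZVPN_XAUTH local
aaa authorization network EZVPN_GROUP local
!
! IKE policy: Easy VPN clients (Cisco Unity) negotiate only DH group 2.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Group profile for stage-1 (group) authentication and mode configuration.
! The group name must match the one configured on the remote client.
crypto isakmp client configuration group TELEWORKERS
 key <replace-with-group-preshared-key>
 dns 172.16.0.10
 domain example.com
 pool EZVPN_POOL
 acl 150
 max-users 50
 max-logins 1
!
! Per-client addresses handed out during mode configuration.
ip local pool EZVPN_POOL 172.16.1.190 172.16.1.199
!
! Split-tunnel ACL: only traffic for the corporate network is tunneled.
access-list 150 permit ip 172.16.0.0 0.0.255.255 any
!
! Transform set: encryption and authentication are both required (ESP, not AH).
crypto ipsec transform-set EZVPN_TS esp-3des esp-sha-hmac
 mode tunnel
!
! Dynamic crypto map with RRI so each client's address is injected as a route.
crypto dynamic-map EZVPN_DYN 10
 set transform-set EZVPN_TS
 reverse-route
!
! Bind Xauth, group authorization and mode-config responses to the crypto map.
crypto map EZVPN_MAP client authentication list EZVPN_XAUTH
crypto map EZVPN_MAP isakmp authorization list EZVPN_GROUP
crypto map EZVPN_MAP client configuration address respond
crypto map EZVPN_MAP 10 ipsec-isakmp dynamic EZVPN_DYN
!
! Apply the map on the IPsec termination (outside) interface selected in the wizard.
interface GigabitEthernet0/0
 ip address 172.16.0.4 255.255.255.0
 crypto map EZVPN_MAP
```

After a client connects, show crypto isakmp sa and show crypto ipsec sa produce output of the same shape as Examples 16-1 and 16-2, and a /32 route for the assigned client address appears in the routing table because of the reverse-route statement. Switching the group profile from a preshared key to certificates means removing the key line and using an organizational unit of the certificate's distinguished name as the group name, as described earlier in the chapter.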
Monitoring the Easy VPN Server
At the top of the main SDM page is a row of buttons listed as Home, Configure, Monitor, Refresh,
Save, and Help. The Home and Configure settings have been discussed in some detail in this
chapter. This section discusses the monitoring of an Easy VPN Server. Figure 16-12 shows the
Easy VPN Monitor page.
Figure 16-12 Easy VPN Server Monitoring
As shown in the figure, each individual Easy VPN Server group configured in the router will be
monitored. Concurrent connections, addresses (both public and private), and encryption
information are listed in the two panes of the Monitor window.
Although security best practice calls for disabling HTTP access to the router, additional
monitoring can be performed via the traditional web interface, which provides access to Cisco IOS
commands and output information. SDM is accessed via secure HTTP. For the most part,
troubleshooting and debugging will be performed through either SDM or the CLI. Among the
commands that are useful for monitoring both the web interface and the CLI is the show crypto
isakmp sa command, as detailed in Example 16-1.
The example shows the ISAKMP SA that has been proposed and accepted for the duration of the
connection. The information shown includes the destination and source IP addresses, the state of
the connection, a connection ID, the slot, and the status.
Also of particular use in monitoring and/or troubleshooting VPN connections is the show crypto
ipsec sa command, as shown in Example 16-2.
Example 16-1 show crypto isakmp sa Command Output
BM2821#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.16.0.4 172.16.1.40 QM_IDLE 1004 0 ACTIVE
IPv6 Crypto ISAKMP SA
Example 16-2 show crypto ipsec sa Command Output
BM2821#show crypto ipsec sa
interface: Vlan1
Crypto map tag: SDM_CMAP_1, local addr 172.16.0.4
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.190/255.255.255.255/0/0)
current_peer 172.16.1.40 port 500
PERMIT, flags={}
#pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
#pkts decaps: 32, #pkts decrypt: 32, #pkts verify: 32
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 1
local crypto endpt.: 172.16.0.4, remote crypto endpt.: 172.16.1.40
path mtu 1500, ip mtu 1500
current outbound spi: 0xD35124D3(3545310419)
inbound esp sas:
spi: 0x7783DD3C(2005130556)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4570709/3346)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD35124D3(3545310419)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4570711/3346)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The command output shows information pertinent to the existing connection(s). The highlighted
lines draw emphasis to the assigned IP address for the connection (inside) as well as the actual
source and destination IP addresses (local VPN gateway and destination client). Also of note are
the inbound and outbound transform sets configured by the VPN connection.
Troubleshooting the Easy VPN Server
Troubleshooting, like monitoring, can be performed from the SDM interface or the CLI; however,
it is usually more useful to gather CLI debugging information from various available commands
when working with Cisco’s Technical Assistance Center (TAC). To that end, this section presents
a few VPN troubleshooting commands for use in remedying VPN Server issues.
Example 16-3 shows the output from the debug crypto isakmp command. This command shows
the IKE communication negotiation and associated details for a new VPN connection. While there
is a great deal of output, the more important portions have been highlighted. Here is some
background on the connection for the sake of clarity:
■ VPN server address: 172.16.0.4
■ Client actual address: 172.16.1.40
■ Client VPN assigned address: 172.16.1.191
In the output in Example 16-3, all the major steps of the connection negotiation can be viewed as
they occur. This is the output from an initial VPN connection request and negotiation. The router
walks through the client's proposals in order: the first two are rejected because the router's
priority 1 policy does not offer AES, the third (3DES, SHA, Diffie-Hellman group 2, pre-shared key
with XAUTH) is accepted, aggressive mode then completes and the SA is authenticated, XAUTH collects
a username and password, and finally the client's mode configuration request (address, netmask,
DNS) arrives.
Example 16-3 debug crypto isakmp Command Output
BM2821#debug crypto isakmp
BM2821#
000365: Mar 26 21:00:24.056: ISAKMP (0:0): received packet from 172.16.1.40 dport 500 sport 500 Global (N) NEW SA
000366: Mar 26 21:00:24.056: ISAKMP: Created a peer struct for 172.16.1.40, peer port 500
000367: Mar 26 21:00:24.056: ISAKMP: New peer created peer = 0x47910754 peer_handle = 0x80000006
000368: Mar 26 21:00:24.056: ISAKMP: Locking peer struct 0x47910754, refcount 1 for crypto_isakmp_process_block
000369: Mar 26 21:00:24.056: ISAKMP:(0):Setting client config settings 487F46E4
000370: Mar 26 21:00:24.056: ISAKMP:(0):(Re)Setting client xauth list and state
000371: Mar 26 21:00:24.056: ISAKMP/xauth: initializing AAA request
! Beginning authentication process
000372: Mar 26 21:00:24.056: ISAKMP: local port 500, remote port 500
000373: Mar 26 21:00:24.056: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 47E78440
000374: Mar 26 21:00:24.056: ISAKMP:(0): processing SA payload. message ID = 0
000375: Mar 26 21:00:24.056: ISAKMP:(0): processing ID payload. message ID = 0
000376: Mar 26 21:00:24.056: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : BMHome
! – Configured Group ID
        protocol     : 17
        port         : 500
        length       : 14
000377: Mar 26 21:00:24.056: ISAKMP:(0):: peer matches *none* of the profiles
000378: Mar 26 21:00:24.056: ISAKMP:(0): processing vendor id payload
000379: Mar 26 21:00:24.056: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
000380: Mar 26 21:00:24.056: ISAKMP:(0): vendor ID is XAUTH
000381: Mar 26 21:00:24.056: ISAKMP:(0): processing vendor id payload
000382: Mar 26 21:00:24.056: ISAKMP:(0): vendor ID is DPD
000383: Mar 26 21:00:24.056: ISAKMP:(0): processing vendor id payload
000384: Mar 26 21:00:24.056: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000385: Mar 26 21:00:24.056: ISAKMP:(0): vendor ID is NAT-T v2
000386: Mar 26 21:00:24.056: ISAKMP:(0): processing vendor id payload
000387: Mar 26 21:00:24.060: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
000388: Mar 26 21:00:24.060: ISAKMP:(0): processing vendor id payload
000389: Mar 26 21:00:24.060: ISAKMP:(0): vendor ID is Unity
000390: Mar 26 21:00:24.060: ISAKMP:(0): Authentication by xauth preshared
000391: Mar 26 21:00:24.060: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
! – Check ISAKMP against first transform set
000392: Mar 26 21:00:24.060: ISAKMP:      encryption AES-CBC
000393: Mar 26 21:00:24.060: ISAKMP:      hash SHA
000394: Mar 26 21:00:24.060: ISAKMP:      default group 2
000395: Mar 26 21:00:24.060: ISAKMP:      auth XAUTHInitPreShared
000396: Mar 26 21:00:24.060: ISAKMP:      life type in seconds
000397: Mar 26 21:00:24.060: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
000398: Mar 26 21:00:24.060: ISAKMP:      keylength of 256
000399: Mar 26 21:00:24.060: ISAKMP:(0):Encryption algorithm offered does not match policy!
! – No match, go on to the next one.
000400: Mar 26 21:00:24.060: ISAKMP:(0):atts are not acceptable. Next payload is 3
000401: Mar 26 21:00:24.060: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
! – Check ISAKMP against second transform set
000402: Mar 26 21:00:24.060: ISAKMP:      encryption AES-CBC
000403: Mar 26 21:00:24.060: ISAKMP:      hash MD5
000404: Mar 26 21:00:24.060: ISAKMP:      default group 2
000405: Mar 26 21:00:24.060: ISAKMP:      auth XAUTHInitPreShared
000406: Mar 26 21:00:24.060: ISAKMP:      life type in seconds
000407: Mar 26 21:00:24.060: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
000408: Mar 26 21:00:24.060: ISAKMP:      keylength of 256
000409: Mar 26 21:00:24.060: ISAKMP:(0):Encryption algorithm offered does not match policy!
! – No match, go on to the next one.
000410: Mar 26 21:00:24.060: ISAKMP:(0):atts are not acceptable. Next payload is 3
! – Check ISAKMP against third transform set
000471: Mar 26 21:00:24.064: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
000472: Mar 26 21:00:24.064: ISAKMP:      encryption 3DES-CBC
000473: Mar 26 21:00:24.064: ISAKMP:      hash SHA
000474: Mar 26 21:00:24.064: ISAKMP:      default group 2
000475: Mar 26 21:00:24.064: ISAKMP:      auth XAUTHInitPreShared
000476: Mar 26 21:00:24.068: ISAKMP:      life type in seconds
000477: Mar 26 21:00:24.068: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
000478: Mar 26 21:00:24.068: ISAKMP:(0):atts are acceptable. Next payload is 3
000479: Mar 26 21:00:24.068: ISAKMP:(0): processing KE payload. message ID = 0
000480: Mar 26 21:00:24.096: ISAKMP:(0): processing NONCE payload. message ID = 0
000481: Mar 26 21:00:24.096: ISAKMP:(0): vendor ID is NAT-T v2
000482: Mar 26 21:00:24.096: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
000483: Mar 26 21:00:24.096: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT
000484: Mar 26 21:00:24.100: ISAKMP:(1005): constructed NAT-T vendor-02 ID
000485: Mar 26 21:00:24.100: ISAKMP:(1005):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
! – Match successful. Accept and begin parameter download
000486: Mar 26 21:00:24.100: ISAKMP (0:1005): ID payload
        next-payload : 10
        type         : 1
        address      : 172.16.0.4
        protocol     : 17
        port         : 0
        length       : 12
000487: Mar 26 21:00:24.100: ISAKMP:(1005):Total payload length: 12
000488: Mar 26 21:00:24.100: ISAKMP:(1005): sending packet to 172.16.1.40 my_port 500 peer_port 500 (R) AG_INIT_EXCH
000489: Mar 26 21:00:24.100: ISAKMP:(1005):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
000490: Mar 26 21:00:24.100: ISAKMP:(1005):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2
000491: Mar 26 21:00:24.108: ISAKMP (0:1005): received packet from 172.16.1.40 dport 500 sport 500 Global (R) AG_INIT_EXCH
000492: Mar 26 21:00:24.108: ISAKMP:(1005): processing HASH payload. message ID = 0
000493: Mar 26 21:00:24.108: ISAKMP:(1005): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 47E78440
000494: Mar 26 21:00:24.112: ISAKMP:received payload type 20
000495: Mar 26 21:00:24.112: ISAKMP:received payload type 20
000496: Mar 26 21:00:24.112: ISAKMP:(1005):SA authentication status:
        authenticated
000497: Mar 26 21:00:24.112: ISAKMP:(1005):SA has been authenticated with 172.16.1.40
000498: Mar 26 21:00:24.112: ISAKMP:(1005):SA authentication status:
        Authenticated
! - Authentication process complete.
000499: Mar 26 21:00:24.112: ISAKMP:(1005): Process initial contact, bring down existing phase 1 and 2 SA's with local 172.16.0.4 remote 172.16.1.40 remote port 500
000500: Mar 26 21:00:24.112: ISAKMP:(1005):returning IP addr to the address pool
000501: Mar 26 21:00:24.112: ISAKMP: Trying to insert a peer 172.16.0.4/172.16.1.40/500/, and inserted successfully 47910754.
000502: Mar 26 21:00:24.112: ISAKMP: set new node 1714588361 to CONF_XAUTH
000503: Mar 26 21:00:24.112: ISAKMP:(1005):Sending NOTIFY RESPONDER_LIFETIME protocol 1 spi 1210114920, message ID = 1714588361
000504: Mar 26 21:00:24.112: ISAKMP:(1005): sending packet to 172.16.1.40 my_port 500 peer_port 500 (R) QM_IDLE
000505: Mar 26 21:00:24.112: ISAKMP:(1005):purging node 1714588361
000506: Mar 26 21:00:24.112: ISAKMP: Sending phase 1 responder lifetime 86400
000507: Mar 26 21:00:24.112: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
000508: Mar 26 21:00:24.112: ISAKMP:(1005):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE
000509: Mar 26 21:00:24.112: ISAKMP:(1005):Need XAUTH
000510: Mar 26 21:00:24.112: ISAKMP: set new node -1119688077 to CONF_XAUTH
000511: Mar 26 21:00:24.112: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
000512: Mar 26 21:00:24.112: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
000513: Mar 26 21:00:24.112: ISAKMP:(1005): initiating peer config to 172.16.1.40. ID = -1119688077
000514: Mar 26 21:00:24.112: ISAKMP:(1005): sending packet to 172.16.1.40 my_port 500 peer_port 500 (R) CONF_XAUTH
000515: Mar 26 21:00:24.116: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000516: Mar 26 21:00:24.116: ISAKMP:(1005):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
000517: Mar 26 21:00:28.836: ISAKMP (0:1005): received packet from 172.16.1.40 dport 500 sport 500 Global (R) CONF_XAUTH
000518: Mar 26 21:00:28.836: ISAKMP:(1005):processing transaction payload from 172.16.1.40. message ID = -1119688077
000519: Mar 26 21:00:28.840: ISAKMP: Config payload REPLY
000520: Mar 26 21:00:28.840: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
000521: Mar 26 21:00:28.840: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
000522: Mar 26 21:00:28.840: ISAKMP:(1005):deleting node -1119688077 error FALSE reason "Done with xauth request/reply exchange"
000523: Mar 26 21:00:28.840: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
000524: Mar 26 21:00:28.840: ISAKMP:(1005):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
000525: Mar 26 21:00:28.848: ISAKMP: set new node 375567395 to CONF_XAUTH
000526: Mar 26 21:00:28.848: ISAKMP:(1005): initiating peer config to 172.16.1.40. ID = 375567395
000527: Mar 26 21:00:28.848: ISAKMP:(1005): sending packet to 172.16.1.40 my_port 500 peer_port 500 (R) CONF_XAUTH
000528: Mar 26 21:00:28.848: ISAKMP:(1005):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
000529: Mar 26 21:00:28.848: ISAKMP:(1005):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT
000530: Mar 26 21:00:28.848: ISAKMP (0:1005): received packet from 172.16.1.40 dport 500 sport 500 Global (R) CONF_XAUTH
000531: Mar 26 21:00:28.848: ISAKMP:(1005):processing transaction payload from 172.16.1.40. message ID = 375567395
000532: Mar 26 21:00:28.848: ISAKMP: Config payload ACK
000533: Mar 26 21:00:28.848: ISAKMP:(1005): (blank) XAUTH ACK Processed
000534: Mar 26 21:00:28.848: ISAKMP:(1005):deleting node 375567395 error FALSE reason "Transaction mode done"
000535: Mar 26 21:00:28.848: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
000536: Mar 26 21:00:28.848: ISAKMP:(1005):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE
000537: Mar 26 21:00:28.848: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000538: Mar 26 21:00:28.848: ISAKMP:(1005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
000539: Mar 26 21:00:28.892: ISAKMP (0:1005): received packet from 172.16.1.40 dport 500 sport 500 Global (R) QM_IDLE
000540: Mar 26 21:00:28.892: ISAKMP: set new node 893794532 to QM_IDLE
000541: Mar 26 21:00:28.892: ISAKMP:(1005):processing transaction payload from 172.16.1.40. message ID = 893794532
000542: Mar 26 21:00:28.892: ISAKMP: Config payload REQUEST
000543: Mar 26 21:00:28.892: ISAKMP:(1005):checking request:
000544: Mar 26 21:00:28.892: ISAKMP:      IP4_ADDRESS
000545: Mar 26 21:00:28.892: ISAKMP:      IP4_NETMASK
000546: Mar 26 21:00:28.892: ISAKMP:      IP4_DNS
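As an added example (not from the book or from Cisco), the following script reads debug crypto isakmp output of the kind shown in Example 16-3 and produces the summary a TAC engineer extracts by hand: the Easy VPN group named in the ID payload, each ISAKMP transform the client offered together with the router's verdict and reason, the state-machine transitions, the authenticated peer, and whether the XAUTH exchange completed. The first sample inside the script is excerpted from Example 16-3; the second is constructed to show the most common failure, a client whose proposals match none of the crypto isakmp policy entries. The diagnose() function and its verdict strings are the script's own.

```python
"""Triage of "debug crypto isakmp" output from a Cisco Easy VPN Server.

Added example, not from the book or from Cisco. Walks the debug lines in order and pulls
out the Easy VPN group, every ISAKMP transform offered with the router's verdict, the
state transitions, the authenticated peer and whether XAUTH finished. SAMPLE_OK is
excerpted from Example 16-3; SAMPLE_FAIL is constructed. diagnose() is this script's own.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

RE_GROUP = re.compile(r"group id\s*:\s*(\S+)")
RE_TRANSFORM = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
RE_ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of)\s+(\S+)")
RE_REASON = re.compile(r"ISAKMP:\(\d+\):(.* does not match policy!)")
RE_STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RE_AUTHED = re.compile(r"SA has been authenticated with (\S+)")

@dataclass
class Transform:
    number: int
    policy: int                        # crypto isakmp policy priority it was checked against
    attrs: dict = field(default_factory=dict)
    accepted: Optional[bool] = None    # None: no verdict line seen
    reason: str = ""

@dataclass
class Negotiation:
    group: str = ""
    transforms: list = field(default_factory=list)
    states: list = field(default_factory=list)   # (old, new) pairs in order
    peer: str = ""
    xauth_done: bool = False

def parse_isakmp_debug(text):
    n, cur = Negotiation(), None
    for line in text.splitlines():
        if m := RE_GROUP.search(line):
            n.group = m.group(1)
        elif m := RE_TRANSFORM.search(line):
            cur = Transform(int(m.group(1)), int(m.group(2)))
            n.transforms.append(cur)
        elif cur and cur.accepted is None and (m := RE_ATTR.search(line)):
            cur.attrs[m.group(1)] = m.group(2)     # attribute lines precede the verdict
        elif cur and (m := RE_REASON.search(line)):
            cur.reason = m.group(1)
        elif cur and "atts are not acceptable" in line:
            cur.accepted = False
        elif cur and "atts are acceptable" in line:
            cur.accepted = True
        elif m := RE_STATE.search(line):
            n.states.append((m.group(1), m.group(2)))
            # The XAUTH SET/ACK round after the AAA reply returns the SA to P1_COMPLETE.
            if n.states[-1] == ("IKE_XAUTH_SET_SENT", "IKE_P1_COMPLETE"):
                n.xauth_done = True
        elif m := RE_AUTHED.search(line):
            n.peer = m.group(1)
    return n

def diagnose(n):
    """One-line verdict, checked in the order the negotiation itself proceeds."""
    ok = [t for t in n.transforms if t.accepted]
    if not n.transforms:
        return "no SA payload processed; the client's first packet never arrived (ACL, NAT, UDP 500/4500)"
    if not ok:
        offered = "; ".join(f"#{t.number} {t.attrs} ({t.reason})" for t in n.transforms)
        return f"no proposal matched any crypto isakmp policy; offered: {offered}"
    if not any(new == "IKE_P1_COMPLETE" for _, new in n.states):
        return f"proposal #{ok[0].number} accepted but Phase 1 never completed; check the pre-shared key for group {n.group}"
    if not n.xauth_done:
        return "Phase 1 completed but XAUTH did not finish; check AAA with debug aaa authentication"
    return (f"Phase 1 and XAUTH completed with {n.peer} for group {n.group} "
            f"using {ok[0].attrs.get('encryption')}/{ok[0].attrs.get('hash')}")

# Excerpted from Example 16-3 (messages 000376 to 000536).
SAMPLE_OK = """\
000376: Mar 26 21:00:24.056: ISAKMP (0:0): ID payload
        group id     : BMHome
000391: Mar 26 21:00:24.060: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
000392: Mar 26 21:00:24.060: ISAKMP:      encryption AES-CBC
000393: Mar 26 21:00:24.060: ISAKMP:      hash SHA
000398: Mar 26 21:00:24.060: ISAKMP:      keylength of 256
000399: Mar 26 21:00:24.060: ISAKMP:(0):Encryption algorithm offered does not match policy!
000400: Mar 26 21:00:24.060: ISAKMP:(0):atts are not acceptable. Next payload is 3
000471: Mar 26 21:00:24.064: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
000472: Mar 26 21:00:24.064: ISAKMP:      encryption 3DES-CBC
000473: Mar 26 21:00:24.064: ISAKMP:      hash SHA
000474: Mar 26 21:00:24.064: ISAKMP:      default group 2
000475: Mar 26 21:00:24.064: ISAKMP:      auth XAUTHInitPreShared
000478: Mar 26 21:00:24.068: ISAKMP:(0):atts are acceptable. Next payload is 3
000497: Mar 26 21:00:24.112: ISAKMP:(1005):SA has been authenticated with 172.16.1.40
000508: Mar 26 21:00:24.112: ISAKMP:(1005):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE
000516: Mar 26 21:00:24.116: ISAKMP:(1005):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
000536: Mar 26 21:00:28.848: ISAKMP:(1005):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE
"""
# Constructed: a client that offers only AES to a router whose policies have none.
SAMPLE_FAIL = """\
000020: Mar 27 09:14:02.305: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
000021: Mar 27 09:14:02.305: ISAKMP:      encryption AES-CBC
000022: Mar 27 09:14:02.305: ISAKMP:      hash SHA
000026: Mar 27 09:14:02.305: ISAKMP:(0):Encryption algorithm offered does not match policy!
000027: Mar 27 09:14:02.305: ISAKMP:(0):atts are not acceptable. Next payload is 0
"""

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_FAIL):
        print(diagnose(parse_isakmp_debug(sample)))
```

Capture the debug output to the logging buffer or a terminal session and pass it to parse_isakmp_debug(); the verdict order mirrors the negotiation itself, so the first failing check is the one to fix before looking further down the log.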