Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco Virtual Office

Cisco Virtual Office-Converged Virtual Private Network Deployment Guide

Downloads

Picture 408

Introduction

This white paper provides detailed design and implementation information relating to the deployment of Converged VPN with the Cisco® Virtual Office.
Please refer to the Cisco Virtual Office overview (http://www.cisco.com/go/cvo) for more information about the solution, its architecture, and all of its components.
This document shows how to configure the Cisco Virtual Office VPN headend routers. Three types of VPN technologies are configured in the same headend to handle multiple methods of connecting to the corporate network: Dynamic Multipoint VPN (DMVPN) for teleworkers and small-office sites, Easy VPN for mobile VPN client users, and Secure Sockets Layer (SSL) VPN for SSL-based mobile users.
With the Cisco Converged VPN solution, you can consolidate all possible VPN deployment types in one headend design. This consolidation can lower your total cost of ownership (TCO) because it helps advance standardization of network infrastructure for achieving efficient networks.
The document provides three configuration samples for the most common VPN headend scenarios:

• Single hub: Cisco 3800 Integrated Services Routers or Cisco 7200 Series Routers

• High-concentration hub with integrated encryption plus a server farm: Cisco Catalyst® 6500 Series Switches with high-performance encryption cards plus a server farm consisting of Cisco 7200 Series Routers

• High-concentration hub with distributed encryption plus a server farm: Cisco Catalyst 6500 Series Switches plus a server farm consisting of Cisco 7200 Series Routers

Platforms and Images

Images based on Cisco IOS® Software Release 12.4(15)T are recommended for headend routers.
The VPN headend router can be one of the following:

• Cisco 3800 Integrated Services Router with a VPN encryption card (AIM-VPN/SSL-3)

• Cisco 7206VXR Router with a Cisco VPN Services Adapter (VSA) encryption card and Cisco 7200 Series NPE-G2 Network Processing Engine

• Cisco Catalyst 6500 with a server-load-balancing (SLB) design and a server farm consisting of Cisco 7206 Routers: The Cisco Catalyst 6500 uses the Cisco Catalyst 6500 Series Supervisor Engine 720 and the Cisco IP Security (IPsec) VPN Shared Port Adapter (SPA) (in the scenario with integrated encryption) and runs Cisco IOS Software Release 12.2(18)SXH2 or later

For SSL VPN full-tunnel mode, you need to install a client package on the hub. AnyConnect Version 2.2.0128 or later is recommended. Please refer to the SSL VPN guide available at http://www.cisco.com/go/cvo for more information about where to get the extra SSL files and how to install them.

Converged VPN Solution

This section shows how to deploy the three main VPN solutions in one hub.
Following is a summary of each of the technologies:

• Dynamic Multipoint VPN: DMVPN provides a full end-to-end VPN solution that allows for dynamic direct, secure connections between remote sites (that is, dynamic spoke-to-spoke tunnel) and full access to corporate services, including multicast forwarding support. For this technology, a Cisco IOS Software router is required at the remote site.

• Enhanced Easy VPN: Enhanced Easy VPN provides a point-to-point secure connection between a remote device and a corporate headend. This technology simplifies the configuration for hardware-based clients, and supports software version clients. For this technology, the remote site can have either a Cisco IOS Software router or a PC running Windows, Mac OS, or Linux.

• SSL VPN: SSLVPN provides secure access to corporate servers from any PC, even if it is connecting from a public location. This technology uses an SSL-enabled web browser to establish an SSL tunnel back to the corporate securely. For this technology, the remote site can be any mobile devices that have Cisco AnyConnect clients available.

In addition to the VPN configuration, you need to provision other services before you can use the VPN:

• Public key infrastructure (PKI) using Cisco IOS Certificate Server or other Certificate Authority

• Authentication, authorization and accounting (AAA) using Cisco Secure Access Control Server (ACS) or other AAA servers

Please refer to the respective guides at http://www.cisco.com/go/cvo for more information.
This document then shows the full configuration that you can use to combine DMVPN with Enhanced Easy VPN and SSL VPN, all in the same hub. For Enhanced Easy VPN, two profiles are configured: one for PKI and one for preshared keys.
Each VPN configuration is shown with different formatting. The rest of the configuration is shared by all.
Following are some notes about the configuration:

• DMVPN and Enhanced Easy VPN can use the same PKI certificate server, or they can each use a different one. For Enhanced Easy VPN, the spokes need to have the subject name OU field set to match the Easy VPN group name.

• When the same WAN-facing interface is shared by Enhanced Easy VPN and DMVPN, you must use the same cryptography profile for protecting both VPNs. The "shared" keyword is used to achieve this objective under the tunnel command. For example:

tunnel protection ipsec profile my-profile shared
The following Converged VPN headend configuration sample is valid for a Cisco 3845 Integrated Services Router and a Cisco 7206 Router. Only interface names are different from one platform to the other.

Converged VPN Configuration for Cisco 3800 and Cisco 7206

DMVPN
ENHANCED EASY VPN
SSL VPN
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname converged-vpn-hub
!
boot-start-marker
boot-end-marker
!
enable secret <removed>
!
aaa new-model
!
!
aaa group server radius EzVPN-Users
server-private 10.99.99.6 auth-port 1812 acct-port 1813 key <removed>
ip radius source-interface Loopback0
!
!!! This AAA group is used to authenticate device's PKI certificates
!!! against their respective AAA profile
!
aaa group server radius pki-aaa-server
server-private 10.99.99.6 auth-port 1812 acct-port 1813 key <removed>
!
aaa group server radius SSLVPN-Users
server-private 10.99.99.5 auth-port 1812 acct-port 1813 key <removed>
ip radius source-interface Loopback1
!
aaa authentication login default local group SSLVPN-Users
aaa authentication login admin group tacacs+ enable
aaa authentication login easyVPN local group EzVPN-Users
aaa authorization exec default none
aaa authorization network easyVPN local group EzVPN-Users
aaa authorization network pkiaaa group pki-aaa-server
!
aaa session-id common
!
!
clock timezone pst -8
clock summer-time pdt recurring
no ip source-route
ip cef
!
ip domain name cisco.com
ip name-server 172.16.0.10
ip multicast-routing
!
crypto pki trustpoint verisign
enrollment terminal
fqdn none
subject-name cn=web-vpn-server.cisco.com,o=Cisco Systems,c=US,st=California
revocation-check crl
rsakeypair web-vpn-server.cisco.com
!
crypto pki trustpoint dmvpn-pki-server
enrollment url http://dmvpn-pki-server:80
serial-number
ip-address none
revocation-check crl
auto-enroll 75
authorization list pkiaaa
!
crypto pki trustpoint easyvpn-pki-server
enrollment url http://easyvpn-pki-server:80
serial-number
ip-address none
revocation-check crl
auto-enroll 75
authorization list pkiaaa
!
!
!
crypto pki certificate map 1 10
subject-name co easyvpn-pki-group
!
crypto pki certificate chain verisign
certificate <removed>
certificate ca <removed>
crypto pki certificate chain dmvpn-pki-server
certificate ca <removed>
certificate <removed>
crypto pki certificate chain easyvpn-pki-server
certificate <removed>
certificate ca <removed>
!
!
crypto isakmp policy 10
encr 3des
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
!
crypto isakmp keepalive 30 5
crypto isakmp nat keepalive 30
crypto isakmp xauth timeout 10
!
crypto isakmp client configuration group pki-group
dns 172.16.10.120 172.16.10.183
wins 172.16.10.28 171.16.10.87
domain cisco.com
pool easyvpn-pool
acl ezvpn-split-tunnel
save-password
backup-gateway 172.16.0.2
banner ^C
You are connecting to a Converged VPN server using PKI
^C
!
crypto isakmp client configuration group pre-shared-group
key EasyVPN-Secret-KEY
dns 172.16.10.120 172.16.10.183
wins 172.16.10.28 171.16.10.87
domain cisco.com
pool easyvpn-pool
acl ezvpn-split-tunnel
save-password
firewall are-u-there
backup-gateway 172.16.0.2
banner ^C
You are connecting to a Converged VPN server using Pre-shared
^C
crypto isakmp profile pre-shared-group
description PSK group
match identity group pre-shared-group
client authentication list easyVPN
isakmp authorization list easyVPN
client configuration address respond
virtual-template 3
crypto isakmp profile pki-group
description PKI group
ca trust-point dmvpn-pki-server
match identity group pki-group
match certificate 1
client authentication list easyVPN
isakmp authorization list easyVPN
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set t1 esp-3des esp-sha-hmac
mode transport require
!
crypto ipsec profile my-profile
set transform-set t1
!
interface Tunnel1
bandwidth 2000
ip address 10.250.250.1 255.255.254.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-dense-mode
ip multicast rate-limit out 768
ip nhrp map multicast dynamic
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon eigrp 7
ip summary-address eigrp 7 10.100.8.0 255.255.248.0 5
ip summary-address eigrp 7 10.100.16.0 255.255.240.0 5
delay 2000
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile my-profile shared
!
interface Loopback0
ip address 10.100.200.1 255.255.254.0
ip ospf network point-to-point
!
interface Loopback1
ip address 10.100.100.1 255.255.254.0
ip ospf network point-to-point
!
interface GigabitEthernet0/0
ip address 172.16.0.1 255.255.255.248
ip pim sparse-dense-mode
duplex full
speed 1000
media-type sfp
!
interface GigabitEthernet0/1
no ip address
shutdown
!
!
interface Virtual-Template2 type tunnel
ip unnumbered GigabitEthernet0/0
ip pim dr-priority 10
ip pim sparse-mode
ip multicast rate-limit out 768
tunnel mode ipsec ipv4
tunnel protection ipsec profile my-profile shared
!
interface Virtual-Template3 type tunnel
ip unnumbered GigabitEthernet0/0
ip pim dr-priority 10
ip pim sparse-mode
ip multicast rate-limit out 768
tunnel mode ipsec ipv4
tunnel protection ipsec profile my-profile shared
!
router eigrp 7
description DMVPN internal routing
redistribute ospf 5 route-map split_in
network 10.250.250.0 0.0.1.255
default-metric 2000 1000 255 1 1500
distribute-list split_out in Tunnel1
no auto-summary
no eigrp log-neighbor-changes
!
router ospf 5
descrition Corporate internal routing
log-adjacency-changes
area 24 nssa
redistribute static subnets route-map RRI-spokes
redistribute eigrp 7 metric 40 subnets route-map split_out
network 10.100.100.0 0.0.1.255 area 24
network 10.100.200.0 0.0.1.255 area 24
network 172.16.0.1 0.0.0.15 area 24
!
!
ip local pool webvpn-pool 10.100.100.2 10.100.101.253
ip local pool easyvpn-pool 10.100.200.2 10.100.201.253
!
ip route 0.0.0.0 0.0.0.0 172.16.0.14
!
no ip http server
ip http authentication aaa
ip http secure-server
ip http secure-trustpoint verisign
ip pim bidir-enable
ip pim ssm range multicast_ssm_range
!
ip access-list extended ezvpn-split-tunnel
!!! These are internal corporate subnets, which are allowed to
!!! be advertised to EzVPN spokes. In other words, the networks
!!! that are part of the split tunnel
permit ip 10.0.0.0 0.255.255.255 any
permit ip 172.16.0.0 0.3.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended RRI-spokes
!!! These are Enhanced Easy VPN spokes, which use
!!! network-extension to connect
permit ip 10.100.27.88 0.0.0.7 any
permit ip 10.100.11.144 0.0.0.15 any
permit ip 10.100.13.0 0.0.0.255 any
permit ip 10.100.11.240 0.0.0.15 any
permit ip 10.100.27.56 0.0.0.7 any
permit ip 10.100.22.144 0.0.0.15 any
permit ip 10.100.22.192 0.0.0.7 any
permit ip 10.100.24.248 0.0.0.7 any
ip access-list standard no_split_in
!!! This list, if used, allows all internal corporate subnets to
!!! be advertised to DMVPN spokes.
permit 0.0.0.0
ip access-list standard split_in
!!! These are internal corporate subnets, which are allowed to
!!! be advertised to DMVPN spokes. In other words, the networks
!!! that are part of the split tunnel
permit 10.0.0.0
permit 192.168.0.0
permit 144.254.0.0
permit 172.16.0.0
ip access-list standard split_out
Remark: These are DMVPN spokes subnets
permit 10.100.20.0 0.0.0.255
permit 10.100.21.0 0.0.0.255
permit 10.100.22.0 0.0.0.255
permit 10.100.23.0 0.0.0.255
permit 10.100.24.0 0.0.0.255