Easy VPN setup and configuration are both complex and lengthy. For this reason it was more appropriate to split the subject into a few chapters rather than cover everything in a single article. In this first part I will explain what the Cisco Easy VPN solution is and how it works.
Cisco Easy VPN is made up of two components: the Easy VPN Server and the Easy VPN Remote. The Easy VPN Server, which may be a Cisco IOS router, a Cisco PIX or ASA firewall, or a VPN Concentrator, terminates the VPN connections of remote users and pushes them the configuration information we call Mode Configuration. The Easy VPN Remote can be a router, a firewall or VPN Client software that connects to the VPN Server; it is the party that initiates the VPN connection.
Remote users receive their security policies from the VPN Server. Considering that remote users, the so-called teleworkers who connect to the central site with software such as the Cisco VPN Client, generally have little knowledge of this subject, we can say that the Easy VPN Server is an ideal and inexpensive solution. With Easy VPN, remote users only need to enter a username and password to establish a secure connection.
The routers and IOS versions that support the Cisco Easy VPN Server feature are listed below, as taken from cisco.com.
One detail about the Easy VPN Server: of the ISAKMP policies we define for IKE Phase 1, only those using the Diffie-Hellman group 2 key exchange are usable. Groups 1 and 5 cannot be used on the Easy VPN Server.
In a previously published article we said that an IPsec VPN consists of two phases, which we call IKE Phase 1 and IKE Phase 2, where IKE Phase 1 corresponds to ISAKMP and IKE Phase 2 to IPsec. When Easy VPN is involved there is an additional stage called IKE Phase 1.5, which carries the extra configuration steps for remote users (Xauth and Mode Config).
In IKE Phase 1.5 our security policies and the IP configuration for the VPN Client are pushed to the client. We will now examine step by step which messages are exchanged between the Easy VPN Server and the Easy VPN Remote until the VPN tunnel is established. First, the Easy VPN Client side starts IKE Phase 1. What the VPN Client decides here is the method to be used for authentication, which it knows from its own configuration. Two different methods can be used: pre-shared keys or digital certificates. In this article series we will focus primarily on pre-shared key authentication. To use it, the group name and password are defined in the command line or graphical interface of the VPN Client. Policies are defined on a per-group basis.
In the second step, the VPN Client sends its SA proposals, i.e. the parameters that are to be negotiated.
To keep the VPN Client configuration as simple as possible, the client sends the Easy VPN Server many different combinations of the following parameters:
1. Encryption and Hashing Algorithms
2. Authentication methods
3. Diffie-Hellman groups
The Easy VPN Server examines the combinations sent by the VPN Client, accepts one that matches a policy configured on it, and informs the VPN Client which policy it has accepted. The policies defined on the VPN Server are evaluated from top to bottom according to their priority values. At this stage client authentication is finished, and it is time for the user authentication that we referred to as Xauth (Extended Authentication) in IKE Phase 1.5.
User authentication (the Xauth phase) is configured on the Easy VPN Server, and the client waits for the username and password prompt presented by the VPN Server. From a security point of view, VPN Servers must perform user authentication. User authentication is done with AAA, so AAA must be enabled on the VPN Server:
Router(config)#aaa new-model
Here we can use a RADIUS server, for example Cisco Secure ACS, or create local usernames and passwords on the router; both can be used together. In that case the router first queries the server we defined as the AAA server and, if that server fails, falls back to the local database.
After user authentication succeeds, the Mode Config phase starts and the client requests the required parameters from the VPN Server. These parameters, in particular the IP configuration, are sent to the client by the VPN Server. After this point the VPN tunnel is established, and we come to what we call RRI (Reverse Route Injection).
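The following Cisco IOS configuration is an added example, not part of the original article, that ties the stages described above (ISAKMP policies with DH group 2, Xauth with RADIUS-then-local fallback, the per-group Mode Config policy, and RRI on the dynamic crypto map) together on a classic crypto-map based Easy VPN Server. Every name, address and key in it (TELEWORKERS, VPN-XAUTH, VPN-GROUP, EZVPN-POOL, 10.0.0.20, 203.0.113.1, the secrets) is a constructed placeholder to be replaced with your own values.

```cisco
! Added example (not from the article): minimal Cisco IOS Easy VPN Server.
! All names, addresses and keys below are constructed placeholders.
!
! --- AAA: user authentication (Xauth, IKE Phase 1.5) and group authorization
aaa new-model
! Xauth method list: query RADIUS first, fall back to the local user
! database only when the RADIUS server does not respond
aaa authentication login VPN-XAUTH group radius local
! Group authorization list: the group policy (key, pool, ...) is read from
! the local configuration
aaa authorization network VPN-GROUP local
radius-server host 10.0.0.20 key RADIUS-SHARED-SECRET
username teleworker secret TELEWORKER-PASSWORD
!
! --- IKE Phase 1: ISAKMP policies, evaluated top-down by priority (10 first).
! Both use DH group 2, the only group the article's Easy VPN Server accepts.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp policy 20
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! --- Mode Config: per-group policy pushed to the client after Xauth succeeds.
! The group name and key are what the user enters in the VPN Client.
crypto isakmp client configuration group TELEWORKERS
 key GROUP-PRE-SHARED-KEY
 dns 10.0.0.10
 domain example.com
 pool EZVPN-POOL
 acl 101
! Addresses handed to clients by Mode Config
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.50
! Split-tunnel ACL: only traffic for the 10.0.0.0/24 site is tunnelled
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! --- IKE Phase 2: transform set and dynamic crypto map with RRI.
! reverse-route installs a static route to each client's assigned address
! once its SA is up, so the inside network can reach the client.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map EZVPN-DYN 10
 set transform-set ESP-AES-SHA
 reverse-route
!
! Bind Xauth, group authorization and Mode Config address assignment to the map
crypto map EZVPN-MAP client authentication list VPN-XAUTH
crypto map EZVPN-MAP isakmp authorization list VPN-GROUP
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface GigabitEthernet0/0
 description Outside interface where remote clients terminate
 ip address 203.0.113.1 255.255.255.0
 crypto map EZVPN-MAP
```

To check each stage after a client connects, `show crypto isakmp sa` should list the Phase 1 SA in state QM_IDLE, `show crypto ipsec sa` the Phase 2 SA with the client's pool address as the remote proxy, and `show ip route` a static route for that pool address injected by RRI. Because the Xauth list is `group radius local`, the local `username` entry is only consulted when RADIUS is unreachable, not when RADIUS rejects the user.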