Cisco 2900 series routers with Cisco VPN client
Pash
Hi All,
Anybody know if the new Cisco 2900 series can utilize the use of Cisco VPN client for remote access? I noticed they are talking a lot about easy-vpn, but I just want to use the old Cisco VPN client if possible.
Anyone with any experiences here?
Pash
Comments
ColbyG
Haven't touched them yet, but I'm sure they will still offer the RA VPN with the client software.
Slowhand
They should be able to, depending on the IOS. Most likely, you'll want to be using the AnyConnect client with SSL VPN, since it supports Windows XP/Vista/7, as well as Mac and Linux. I'm not sure if there's an updated client for the IPSec VPN client since Cisco (and every other vendor) has been pushing SSL VPN hard.
mgeorge
Yes Pash, they can do ezvpn server; ezvpn is more IOS specific rather than platform. An example configuration is shown below:
aaa new-model
!
aaa authentication login vpn_xauth local
aaa authorization network vpn_glist local
!
username johndoe privilege 15 secret 5 $1$PERg$811ibgV.FoNS7mnwOAP2i0
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 20
 encr aes 192
 authentication pre-share
 group 5
!
crypto isakmp policy 30
 encr aes
 authentication pre-share
 group 5
!
crypto isakmp policy 40
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 50
 encr aes 192
 authentication pre-share
 group 2
!
crypto isakmp policy 60
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes 256
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp policy 80
 encr aes 192
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp policy 90
 encr aes
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp policy 100
 encr aes 256
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 110
 encr aes 192
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 120
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp xauth timeout 30
!
crypto isakmp client configuration group GROUPNAME
 key GROUPPRESHAREKEY
 dns 1.2.3.4
 domain domain.tld
 pool VPN_POOL
 acl VPN_ACL
!
!
crypto ipsec transform-set AES_MD5 ah-md5-hmac esp-aes
crypto ipsec transform-set AES_SHA1 esp-aes esp-sha-hmac
!
crypto dynamic-map ezvpn 1
 set transform-set AES_SHA1
 reverse-route
!
!
crypto map ezvpn client authentication list vpn_xauth
crypto map ezvpn isakmp authorization list vpn_glist
crypto map ezvpn client configuration address respond
crypto map ezvpn 1 ipsec-isakmp dynamic ezvpn
!
interface Whatever0
 description ##### OUTSIDE INTERFACE #####
 crypto map ezvpn
!
ip local pool VPN_POOL 172.16.22.5 172.16.22.245
!
ip nat inside source list NAT_TRAFFIC interface Dialer1 overload
!
ip access-list extended NAT_TRAFFIC
 deny ip any 172.16.22.0 0.0.0.255
 permit ip 172.16.20.0 0.0.0.255 any
 deny ip any any
ip access-list extended VPN_ACL
 remark ### SPLIT TUNNEL ACL ###
 permit ip 172.16.20.0 0.0.0.255 any
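An added example, not part of mgeorge's post or of any Cisco tooling: a small Python audit that parses the `crypto isakmp policy` blocks of a configuration like the one above and lists the policies that would negotiate MD5 or DH groups 1, 2 or 5. The `DEFAULTS` values (classic IOS defaults for omitted parameters) and the weak-value sets in `CHECKS` are assumptions of this example; check them against your IOS release and your own crypto baseline.

```python
# Constructed sample: two of the twelve ISAKMP policies from the post above.
SAMPLE = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 100
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp xauth timeout 30
"""

# Assumption: classic IOS defaults apply to any parameter a policy omits.
DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}
# (parameter, label, values this audit treats as weak)
CHECKS = [
    ("hash", "hash", {"md5"}),
    ("group", "DH group", {"1", "2", "5"}),   # 768/1024/1536-bit MODP
    ("encr", "encryption", {"des", "3des"}),
]

def parse_policies(config):
    """Return {priority: {parameter: value}} for each ISAKMP policy block."""
    policies, current = {}, None
    for line in config.splitlines():
        parts = line.split() or [""]
        key = "encr" if parts[0].startswith("encr") else parts[0]
        if line.strip().startswith("crypto isakmp policy "):
            current = policies.setdefault(int(parts[3]), dict(DEFAULTS))
        elif current is not None and key in DEFAULTS:
            current[key] = " ".join(parts[1:])
        elif key not in ("authentication", "lifetime", ""):
            current = None  # any other command closes the policy block
    return policies

def audit(config):
    """Return {priority: [findings]} for policies with weak parameters."""
    report = {}
    for prio, params in sorted(parse_policies(config).items()):
        findings = [f"{label} {params[k]}" for k, label, weak in CHECKS if params[k] in weak]
        if findings:
            report[prio] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The parser ignores indentation, so it also accepts a `show running-config` paste whose leading spaces were lost.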
Pash
Hi Matt, thanks for that.
So easy VPN allows "Dial in" VPN users using Cisco VPN client software?
mgeorge
Yes, once you have a dynamic crypto map assigned to a public interface, people can connect to the router using the Cisco VPN client (version 5 for example).
Provide the group and key, then use local authentication for xauth, or if you really want you can configure an AAA server group and map it to an aaa authentication statement which is referenced by the xauth mechanism to provide authentication via TACACS or even RADIUS authenticating to an IAS box which in turn authenticates to an Active Directory security distribution group.
The config example I gave you injects a reverse route into the routing table, so when someone connects they'll have a static route in the routing table as shown below:
S 172.16.22.3/32 [1/0] via 67.207.51.208
Of course the example I gave you was pretty simplistic; you can get pretty in depth with security and apply ACLs per group and specific split tunneling per group.
12.4T and 15.0 support SSL VPN now as well.
Pash
Thanks Matt, awesome explanation!
Yeah, it seems many network vendors are moving towards SSL VPN now. Juniper have flat out said their own NetScreen Remote software will never be supported in Windows 7.
It seems all of our so-called Cisco product specialists couldn't answer what you did in one post!
frankophone
Please, where can I download the ezvpn software?