Dec 23, 2008

How to create a VPN server using SDM

As I explained in the article “Security Device Manager aka SDM“, SDM is a Web-based device-management tool for Cisco routers that can improve the productivity of network managers, simplify router deployments, and help troubleshoot complex network and VPN connectivity issues.

What is a virtual private network?
A virtual private network (VPN) is a computer network in which some of the links between nodes are carried by open connections or virtual circuits in some larger network (e.g., the Internet) instead of by physical wires. The link-layer protocols of the virtual network are said to be tunneled through the larger network when this is the case. One common application is secure communications through the public Internet, but a VPN need not have explicit security features, such as authentication or content encryption. VPNs, for example, can be used to separate the traffic of different user communities over an underlying network with strong security features.

Using this wizard it is possible to create a Layer 3 VPN based on the IPsec protocol suite. Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between peers at the beginning of a session and for negotiating the cryptographic keys used during the session. IPsec can be used to protect data flows between a pair of hosts (e.g. user computers or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host, which is the remote-access case covered here.

IPsec is an end-to-end security solution and operates at the Internet Layer of the Internet Protocol Suite, comparable to Layer 3 in the OSI model. Other Internet security protocols in widespread use, such as SSL, TLS and SSH, operate in the upper layers of these models. This makes IPsec more flexible, as it can be used for protecting all the higher level protocols, because applications don’t need to be designed to use IPsec, whereas the use of TLS/SSL or other higher-layer protocols must be incorporated into the design of an application.

Ok, and how can I create a VPN using SDM?
There are a few steps to create a VPN server on our Cisco router:

  • Log in to SDM
  • Click the Configure icon in the toolbar at the top of the window
  • Click the VPN icon in the Tasks toolbar on the left side of the window
  • Choose the Easy VPN Server option in the middle part of the window

 

sdm_vpn_1

 

If you have not configured AAA, the wizard asks you to configure it, because Easy VPN relies on AAA lists for user authentication (Xauth) and for group authorization. Click "Enable AAA" and then "OK" to close the popup.

 

sdm_vpn_2

 

After enabling AAA, you can start the VPN wizard:

 

sdm_vpn_3

 

Click Next (in my screenshots the button reads "Avanti", because my SDM is in Italian), select the interface that will receive the VPN connections from the VPN clients (FastEthernet0/0 in my case) and select pre-shared key authentication. Click Next.

 

sdm_vpn_4

 

In this step you can configure the IKE proposals: IKE proposal priority, DH group (1, 2 or 5), encryption algorithm (DES, 3DES, AES or SEAL), HMAC (SHA-1 or MD5) and IKE lifetime. You can keep the defaults or change them; if you change them, prefer AES, SHA-1 and DH group 5, because DES, MD5 and DH group 1 are considered weak. Click Next.

 

sdm_vpn_5

 

You can use the default transform set or create a new one with these parameters: transform set name, encryption algorithm (DES, 3DES, AES or SEAL), HMAC (SHA-1 or MD5), optional compression and mode of operation (tunnel or transport). The same advice as for the IKE proposal applies here: avoid DES and MD5. Click Next.

 

sdm_vpn_6

 

In this step you can choose from three options for the location where the Easy VPN group policies are stored:

  • Local: all the groups are kept in the router configuration in NVRAM
  • RADIUS: the router uses a RADIUS server for group authorization
  • RADIUS and local: the router queries the AAA server via RADIUS first and can also fall back to the groups stored locally

The local database is recommended if you do not have a RADIUS or TACACS+ server in your network. Click Next.

 

sdm_vpn_7

 

Now define the group authorization and user group policies.

 

sdm_vpn_8

 

When you click the "Add..." button you can define general parameters, DNS/WINS, split tunneling, advanced options and Xauth options. In our case it is sufficient to fill in the "General parameters" tab: the group name is "test", the pre-shared key is "ciscozine" and the IP pool is 192.168.10.1 to 192.168.10.10. Keep in mind that this key is the IKE group credential shared by every client configured for the group, and that it ends up in clear text in the running configuration, so use a long random value rather than a simple word like the one in this example. Click "OK" to save the group policy.

 

sdm_vpn_9

 

Click next.

 

sdm_vpn_10

 

Once you have completed all the steps, the Easy VPN Server wizard presents a summary of the configured parameters.

 

sdm_vpn_11

 

Click Back to correct any errors in the configuration. Otherwise, click Finish to apply the configuration to the router.

The final configuration will be:

!This is the running config of the router: 192.168.1.12
!----------------------------------------------------------------------------
!version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Ciscozine
!
boot-start-marker
boot-end-marker
!
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username ciscozine privilege 15 secret 5 $1$uZAG$n7SP/bF1Y2UEfepGjtblH.
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group test
 key ciscozine
 pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.12 255.255.255.0
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip local pool SDM_POOL_1 192.168.10.1 192.168.10.10
ip http server
ip http authentication local
ip http secure-server
ip classless
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
end

Remember to save the configuration (copy running-config startup-config from the CLI), otherwise it is lost at the next reload!
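The IKE proposal and transform set steps above let you keep the wizard defaults, and the running config shows what those defaults produce (3DES, SHA-1, DH group 2, a short group key stored in clear text, SDM reachable over plain HTTP). As an added example, not part of the original article and not Cisco code, here is a small Python audit that parses a running config into IOS blocks and flags those settings. The sample input is constructed from the config above; the hardened variant, the MIN_PSK_LEN threshold and the weak/legacy labels are this example's own assumptions.

```python
"""Audit the crypto settings of an SDM-generated Easy VPN Server config.

Added example for this article, not Cisco code.  Weak/legacy labels follow
common hardening guidance; MIN_PSK_LEN is an assumption, not an IOS rule.
"""
from typing import List, Tuple

WEAK_ENCR, LEGACY_ENCR = {"des"}, {"3des"}
WEAK_HASH = {"md5"}
WEAK_DH, LEGACY_DH = {"1"}, {"2"}
MIN_PSK_LEN = 16  # assumption: shortest acceptable group pre-shared key

# Constructed input: the crypto-relevant lines of the running config the wizard produced.
SAMPLE_CONFIG = """\
no service password-encryption
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group test
 key ciscozine
 pool SDM_POOL_1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ip http server
ip http secure-server
"""

# Constructed input: the same server with AES-256, SHA, DH group 5, a long key, HTTPS only.
HARDENED_CONFIG = """\
service password-encryption
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp client configuration group test
 key Ciscozine-EasyVPN-Group-Key-2008
 pool SDM_POOL_1
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
ip http secure-server
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (top-level line, indented child lines) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # separators and comments carry no configuration
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def child_value(children: List[str], keyword: str, default: str) -> str:
    """First argument of `keyword ...` inside a block, or the IOS default."""
    for line in children:
        parts = line.split()
        if len(parts) > 1 and parts[0] == keyword:
            return parts[1]
    return default


def audit_config(config: str) -> List[str]:
    """Return one finding per weak or risky setting (empty list = clean)."""
    findings: List[str] = []
    blocks = parse_blocks(config)
    top_lines = {header for header, _ in blocks}
    # off unless configured, and even then only reversible type 7 obfuscation
    pwd_encryption = "service password-encryption" in top_lines
    for header, children in blocks:
        words = header.split()
        if header.startswith("crypto isakmp policy "):
            # IKE phase 1; IOS defaults for omitted parameters: DES, SHA, DH group 1
            encr = child_value(children, "encr", "des")
            hsh = child_value(children, "hash", "sha")
            dh = child_value(children, "group", "1")
            if encr in WEAK_ENCR:
                findings.append(f"{header}: encryption {encr} is weak, use aes")
            elif encr in LEGACY_ENCR:
                findings.append(f"{header}: {encr} is legacy, prefer aes 256")
            if hsh in WEAK_HASH:
                findings.append(f"{header}: hash {hsh} is weak, use sha")
            if dh in WEAK_DH:
                findings.append(f"{header}: DH group {dh} is weak, use group 5 or larger")
            elif dh in LEGACY_DH:
                findings.append(f"{header}: DH group {dh} is 1024-bit, prefer group 5 or larger")
        elif header.startswith("crypto ipsec transform-set "):
            # IPsec phase 2; everything after the set name is an ESP/AH transform
            name, transforms = words[3], words[4:]
            if any(t in ("esp-des", "esp-null") for t in transforms):
                findings.append(f"transform-set {name}: weak ESP cipher in {transforms}")
            elif "esp-3des" in transforms:
                findings.append(f"transform-set {name}: esp-3des is legacy, prefer esp-aes 256")
            if any(t.endswith("-md5-hmac") for t in transforms):
                findings.append(f"transform-set {name}: MD5 integrity is weak, use SHA")
            if not any(t.endswith("-hmac") for t in transforms):
                findings.append(f"transform-set {name}: no integrity transform configured")
        elif header.startswith("crypto isakmp client configuration group "):
            # Easy VPN group policy; `key` is the group pre-shared key the clients present
            group = words[-1]
            key_parts = next((c.split() for c in children if c.startswith("key ")), [])
            encrypted = len(key_parts) > 2 and key_parts[1] in ("6", "7")
            key = key_parts[-1] if len(key_parts) > 1 else ""
            if not key:
                findings.append(f"group {group}: no pre-shared key configured")
            elif not encrypted and len(key) < MIN_PSK_LEN:
                findings.append(f"group {group}: pre-shared key shorter than {MIN_PSK_LEN} chars")
            if key and not encrypted and not pwd_encryption:
                findings.append(f"group {group}: key is stored in cleartext in the running config")
    if "ip http server" in top_lines:
        findings.append("ip http server: SDM reachable over plain HTTP, keep only ip http secure-server")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of show running-config; the constructed hardened config returns no findings, while the wizard output above yields six. Note that service password-encryption only hides keys behind reversible type 7 obfuscation, so anyone who can read the config can still recover the group key; the real fix is a long random key and tight control over who can read the configuration.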

To change VPN server settings:

  1. Click the Configure icon in the toolbar at the top of the window
  2. Click the VPN icon in the Tasks toolbar on the left side of the window

To view the VPN status (the CLI equivalents are show crypto isakmp sa and show crypto ipsec sa):

  1. Click the Monitor icon in the toolbar at the top of the window
  2. Click the VPN icon in the Tasks toolbar on the left side of the window

 
