2.9 IOS Easy VPN - DVTI (Enhanced Easy VPN)


  Used with Cisco AVVID (Architecture for Voice, Video and Integrated Data) to deliver converged voice, video, and data over IP networks, DVTI offers the following advantages:

  • reduces complexity
  • supports multicast encryption
  • routable interface
  • more scalable
  • flexibility in defining features
  • QoS can be configured
  • no need to map an IPsec session to a physical interface; secured traffic is allowed on any interface
  • the routing table defines which traffic is routed into the tunnel


DVTI can be used on both the Easy VPN Server and Easy VPN Remote routers.

DVTI relies on the virtual tunnel interface to create a virtual access interface for every new Easy VPN tunnel.

An on-demand, separate virtual access interface is created for each Easy VPN connection.

The configuration of each virtual access interface is cloned from a virtual template configuration.

The cloned configuration includes the IPsec configuration and IOS features such as QoS, NAT, CBAC, NetFlow, or access control lists (ACLs).



  • Dynamic Virtual Tunnel Interfaces are created, from which virtual access interfaces are formed whenever a client connects and obtains an IP address
  • It can be used with both software and hardware clients
  • Reverse route injection occurs without the need for reverse-route commands
  • DVTI uses ISAKMP profiles as a dynamic way of referencing the configurations
  • QoS and dynamic routing protocols are supported

Configurations on Server
Step 1: Enable AAA services
Step 2: Define username and password in the local database
Step 3: Configure ISAKMP policy
Step 4: Configure transform set
Step 5: Define ACL for split tunneling
Step 6: Define the pool for the client
Step 7: Configure ISAKMP client config
Step 8: Configure ISAKMP profile
  • (config)# crypto isakmp profile <isakmp-profile-name>
    • (config-isakmp-profile)# match identity group <group-name>
    • (config-isakmp-profile)# client authentication list <authc-list-name>
    • (config-isakmp-profile)# isakmp authorization list <authz-list-name>
    • (config-isakmp-profile)# client configuration address respond
    • (config-isakmp-profile)# virtual-template <#>

Step 9: Configure IPsec profile
  • (config)# crypto ipsec profile <ipsec-profile-name>
    • (config-ipsec-profile)# set transform-set <transform-set-name>
    • (config-ipsec-profile)# set isakmp-profile <isakmp-profile-name>
Step 10: Configure virtual template
  • (config)# interface virtual-template <#> type tunnel
    • (config-if)# ip unnumbered f0/0
    • (config-if)# tunnel source f0/0
    • (config-if)# tunnel mode ipsec ipv4
    • (config-if)# tunnel protection ipsec profile <ipsec-profile-name>
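Every step above points at an object created in an earlier step (group to pool and ACL, ISAKMP profile to groups and virtual-template, IPsec profile to transform set and ISAKMP profile, template to IPsec profile), and a misspelled or missing name in that chain is the usual reason a DVTI tunnel never comes up. The checker below is an added example, not part of these notes or of Cisco IOS: it scans running-config-style text for references to objects that are never defined; the sample config and the OBJECTS table are constructed here, with the ADMIN group's ACL 102 deliberately omitted.

```python
import re

# Constructed sample in 'show running-config' form (prompts stripped): the HQ crypto
# config from the steps above, with the ADMIN group's ACL 102 deliberately left out.
HQ_CONFIG = """\
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
access-list 101 permit ip host 11.11.11.11 any
ip local pool POOL 40.1.1.1 40.1.1.4
crypto isakmp client configuration group SALES
 pool POOL
 acl 101
crypto isakmp client configuration group ADMIN
 pool POOL
 acl 102
crypto isakmp profile ISAKMP_PRO
 match identity group SALES
 match identity group ADMIN
 virtual-template 1
crypto ipsec profile IPSEC_PRO
 set transform-set TSET
 set isakmp-profile ISAKMP_PRO
interface Virtual-Template1 type tunnel
 tunnel protection ipsec profile IPSEC_PRO
"""
# kind -> (regex for the top-level line that defines it, regex for the indented line that references it)
OBJECTS = {
    "transform-set": (r"crypto ipsec transform-set (\S+)", r"set transform-set (\S+)"),
    "acl": (r"access-list (\d+)", r"acl (\d+)"),
    "pool": (r"ip local pool (\S+)", r"pool (\S+)"),
    "group": (r"crypto isakmp client configuration group (\S+)", r"match identity group (\S+)"),
    "isakmp-profile": (r"crypto isakmp profile (\S+)", r"set isakmp-profile (\S+)"),
    "ipsec-profile": (r"crypto ipsec profile (\S+)", r"tunnel protection ipsec profile (\S+)"),
    "virtual-template": (r"interface Virtual-Template(\d+)", r"virtual-template (\d+)"),
}

def dangling_references(config):  # -> [(kind, name, section)] for references never defined
    lines = config.splitlines()
    defined = {(kind, m.group(1)) for line in lines          # pass 1: collect definitions
               for kind, (def_re, _) in OBJECTS.items()
               if (m := re.match(def_re, line))}
    missing, section = [], ""
    for line in lines:                                        # pass 2: resolve references
        if not line.startswith(" "):
            section = line.strip()       # a top-level line opens a new config block
            continue
        for kind, (_, ref_re) in OBJECTS.items():
            m = re.match(ref_re, line.strip())
            if m and (kind, m.group(1)) not in defined:
                missing.append((kind, m.group(1), section))
    return missing
```

Running it on the sample reports the single broken link (group ADMIN references ACL 102, which is never defined); adding the access-list 102 line from Step 5 of the solution makes the report empty.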
Task:
1) Configure Enhanced Easy VPN between HQ and the Sales and Admin departments, such that HQ is the server, with the following details:
  • POOL: 40.1.1.1 to 40.1.1.4
  • Phase 1 = 3des, md5, group2, pre-shared
  • Phase 2 should be protected using the same algorithms used in Phase 1
  • Username Sales, password Sales
  • Username Admin, password Admin
2) Configure the Sales Dept. in NEM mode such that the users present can access only the 11.11.11.0/24 subnet of the HQ
3) Configure the Admin Dept. in NEM mode such that the users present can access all the subnets in the HQ
4) Configure Admin to re-establish the VPN tunnel automatically when the connection goes down
5) Configure the Sales department to establish the connection manually

Solution
Initialization Step 1: Configure all the IP addresses as shown above
Initialization Step 2: Configure STATIC routes
  • HQ(config)#ip route 11.1.3.0 255.255.255.0 11.1.2.102
  • HQ(config)#ip route 11.1.4.0 255.255.255.0 11.1.2.102
  • SALES_DEPT(config)#ip route 11.1.2.0 255.255.255.0 11.1.3.102
  • ADMIN_DEPT(config)#ip route 11.1.2.0 255.255.255.0 11.1.4.102
Configuration on HQ (DVTI Server):
Step 1: AAA Configurations
  • HQ(config)#aaa new-model  
  • HQ(config)#aaa authentication login AUTHC local
  • HQ(config)#aaa authorization network AUTHZ local  
Step 2: Username Configurations
  • HQ(config)#username Sales password Sales
  • HQ(config)#username Admin password Admin
Step 3: ISAKMP Policy
  • HQ(config)#crypto isakmp policy 10
    • HQ(config-isakmp)#authentication pre-share  
    • HQ(config-isakmp)#encryption 3des  
    • HQ(config-isakmp)#hash md5  
    • HQ(config-isakmp)#group 2
Step 4: IPSec Transform Set
  • HQ(config)#crypto ipsec transform-set TSET esp-3des esp-md5-hmac  
Step 5: ACL for Split Tunneling
  • HQ(config)#access-list  101  permit ip host 11.11.11.11 any  // For Sales Dept.
  • HQ(config)#access-list  102  permit ip host 1.1.1.1 any  // For Admin Dept.
  • HQ(config)#access-list  102  permit ip host 11.11.11.11 any  // For Admin Dept.
Step 6: Configure IP POOL
  • HQ(config)#ip local pool POOL 40.1.1.1 40.1.1.4
Step 7: ISAKMP Client Configuration
  • HQ(config)#crypto isakmp client configuration group SALES
    • HQ(config-isakmp-group)#key SALES
    • HQ(config-isakmp-group)#pool POOL
    • HQ(config-isakmp-group)#acl 101
  • HQ(config)#crypto isakmp client configuration group ADMIN
    • HQ(config-isakmp-group)#key ADMIN
    • HQ(config-isakmp-group)#pool POOL
    • HQ(config-isakmp-group)#acl 102
Step 8: ISAKMP Profile
  • HQ(config)#crypto isakmp profile ISAKMP_PRO
    • HQ(conf-isa-prof)#match identity group SALES
    • HQ(conf-isa-prof)#match identity group ADMIN
    • HQ(conf-isa-prof)#client authentication list AUTHC
    • HQ(conf-isa-prof)#client configuration address respond  
    • HQ(conf-isa-prof)#isakmp authorization list AUTHZ
    • HQ(conf-isa-prof)#virtual-template 1
Step 9: IPSec Profile
  • HQ(config)#crypto ipsec profile IPSEC_PRO
    • HQ(ipsec-profile)#set transform-set TSET
    • HQ(ipsec-profile)#set isakmp-profile ISAKMP_PRO
Step 10: Create Virtual Access from Template
  • HQ(config)#interface virtual-template 1 type tunnel  
    • HQ(config-if)#ip unnumbered f0/0
    • HQ(config-if)#tunnel mode ipsec ipv4
    • HQ(config-if)#tunnel protection ipsec profile IPSEC_PRO
Configuration on SALES Branch:
Step 1: ISAKMP Policy
  • SALES_DEPT(config)#crypto isakmp policy 10
    • SALES_DEPT(config-isakmp)#authentication pre-share
    • SALES_DEPT(config-isakmp)#encryption 3des
    • SALES_DEPT(config-isakmp)#hash md5
    • SALES_DEPT(config-isakmp)#group 2
Step 2: Create Virtual Interface from Virtual Template
  • SALES_DEPT(config)#int virtual-template 1 type tunnel  
    • SALES_DEPT(config-if)#ip unnumbered f0/0

Step 3: IPSec Client Configuration
  • SALES_DEPT(config)#crypto ipsec client ezvpn CLIENT
    • SALES_DEPT(config-crypto-ezvpn)#connect manual
    • SALES_DEPT(config-crypto-ezvpn)#mode network-extension  
    • SALES_DEPT(config-crypto-ezvpn)#group SALES key SALES
    • SALES_DEPT(config-crypto-ezvpn)#peer 11.1.2.101
    • SALES_DEPT(config-crypto-ezvpn)#virtual-interface 1  // Critical!
Step 4: Mark the INSIDE and OUTSIDE
  • SALES_DEPT(config)#int lo 0
    • SALES_DEPT(config-if)#crypto ipsec client ezvpn CLIENT inside
  • SALES_DEPT(config-if)#int lo 1
    • SALES_DEPT(config-if)#crypto ipsec client ezvpn CLIENT inside
  • SALES_DEPT(config-if)#int f0/0
    • SALES_DEPT(config-if)#crypto ipsec client ezvpn CLIENT outside
PLEASE NOTE: Since it is in MANUAL CONNECT mode, we have to connect manually using the following commands:
  • SALES_DEPT#  crypto ipsec client ezvpn connect
  • SALES_DEPT#  crypto ipsec client ezvpn xauth

Configuration on ADMIN Branch:
Step 1: ISAKMP Policy
  • ADMIN_DEPT(config)#crypto isakmp policy 10
    • ADMIN_DEPT(config-isakmp)#authentication pre-share
    • ADMIN_DEPT(config-isakmp)#encryption 3des
    • ADMIN_DEPT(config-isakmp)#hash md5
    • ADMIN_DEPT(config-isakmp)#group 2
Step 2: Create Virtual Interface from Virtual Template
  • ADMIN_DEPT(config)#int virtual-template 1 type tunnel
    • ADMIN_DEPT(config-if)#ip unnumbered f0/0

Step 3: IPSec Client Configuration
  • ADMIN_DEPT(config)#crypto ipsec client ezvpn CLIENT
    • ADMIN_DEPT(config-crypto-ezvpn)#connect auto
    • ADMIN_DEPT(config-crypto-ezvpn)#mode network-extension
    • ADMIN_DEPT(config-crypto-ezvpn)#group ADMIN key ADMIN
    • ADMIN_DEPT(config-crypto-ezvpn)#peer 11.1.2.101
    • ADMIN_DEPT(config-crypto-ezvpn)#username Admin password Admin
    • ADMIN_DEPT(config-crypto-ezvpn)#xauth userid mode local
    • ADMIN_DEPT(config-crypto-ezvpn)#virtual-interface 1    // Critical!
Step 4: Mark the INSIDE and OUTSIDE
  • ADMIN_DEPT(config)#int lo 0
    • ADMIN_DEPT(config-if)#crypto ipsec client ezvpn CLIENT inside
  • ADMIN_DEPT(config-if)#int lo 1
    • ADMIN_DEPT(config-if)#crypto ipsec client ezvpn CLIENT inside
  • ADMIN_DEPT(config-if)#int f0/0
    • ADMIN_DEPT(config-if)#crypto ipsec client ezvpn CLIENT outside
Verifications
HQ#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst                  src                  state                   conn-id slot   status
11.1.2.101           11.1.4.101           QM_IDLE       1005       0    ACTIVE
11.1.2.101           11.1.3.101           QM_IDLE       1010       0    ACTIVE

HQ#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            11.1.2.101      YES NVRAM  up                    up
Virtual-Access1            unassigned      YES unset  down                  down
Virtual-Template1          11.1.2.101      YES TFTP   down                  down
Virtual-Access2            11.1.2.101      YES TFTP   up                    up
Virtual-Access3            11.1.2.101      YES TFTP   up                    up
Loopback0                  1.1.1.1         YES NVRAM  up                    up
Loopback1                  11.11.11.11     YES NVRAM  up                    up

// The Virtual-Template was cloned into one Virtual-Access interface per client (Virtual-Access2 and Virtual-Access3)!

HQ#sh cry ipsec sa

interface: Virtual-Access2
       Crypto map tag: Virtual-Access2-head-0, local addr 11.1.2.101

     protected vrf: (none)
     local   ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

     current_peer 11.1.4.101 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
       #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25

       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 0, #pkts compr. failed: 0
       #pkts not decompressed: 0, #pkts decompress failed: 0
       #send errors 0, #recv errors 0

          local crypto endpt.: 11.1.2.101, remote crypto endpt.: 11.1.4.101  // Admin Department
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x5C6DEE96(1550708374)

************ Some Output Omitted ***************

interface: Virtual-Access3
       Crypto map tag: Virtual-Access3-head-0, local addr 11.1.2.101

     protected vrf: (none)
     local   ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

     current_peer 11.1.3.101 port 500
         PERMIT, flags={origin_is_acl,}
       #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
       #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 0, #pkts compr. failed: 0
       #pkts not decompressed: 0, #pkts decompress failed: 0
       #send errors 0, #recv errors 0

         local crypto endpt.: 11.1.2.101, remote crypto endpt.: 11.1.3.101  // Sales Department
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0xDA72C12D(3664953645)

************ Some Output Omitted ***************
// Unlike regular Easy VPN, there exists only one IPsec SA per peer pair, in spite of the number of LOOPBACKS on each peer!

HQ#sh ip route
Gateway of last resort is not set

         1.0.0.0/24 is subnetted, 1 subnets
C             1.1.1.0 is directly connected, Loopback0
         2.0.0.0/24 is subnetted, 1 subnets
S             2.2.2.0 [1/0] via 0.0.0.0,  Virtual-Access3
         33.0.0.0/24 is subnetted, 1 subnets
S             33.33.33.0 [1/0] via 0.0.0.0,  Virtual-Access2
         3.0.0.0/24 is subnetted, 1 subnets
S             3.3.3.0 [1/0] via 0.0.0.0,  Virtual-Access2
         22.0.0.0/24 is subnetted, 1 subnets
S             22.22.22.0 [1/0] via 0.0.0.0,  Virtual-Access3

         11.0.0.0/24 is subnetted, 4 subnets
C             11.1.2.0 is directly connected, FastEthernet0/0
S             11.1.3.0 [1/0] via 11.1.2.102

// Static routes are automatically injected into the routing table (reverse route injection). They also show which Virtual-Access interface each one uses!

// All the above verifications can be done on the CLIENTs as well.

SALES_DEPT#sh ip route

Gateway of last resort is not set

         2.0.0.0/24 is subnetted, 1 subnets
C             2.2.2.0 is directly connected, Loopback0
         22.0.0.0/24 is subnetted, 1 subnets
C             22.22.22.0 is directly connected, Loopback1
         11.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S             11.11.11.11/32 [1/0] via 0.0.0.0, Virtual-Access2
S             11.1.2.0/24 [1/0] via 11.1.3.102
C             11.1.3.0/24 is directly connected, FastEthernet0/0

// Since we have allowed SALES access only to 11.11.11.11, only that loopback of the server has been added to the routing table AUTOMATICALLY!

ADMIN_DEPT#sh ip route

Gateway of last resort is not set

         1.0.0.0/32 is subnetted, 1 subnets
S             1.1.1.1 [1/0] via 0.0.0.0, Virtual-Access2

         33.0.0.0/24 is subnetted, 1 subnets
C             33.33.33.0 is directly connected, Loopback1
         3.0.0.0/24 is subnetted, 1 subnets
C             3.3.3.0 is directly connected, Loopback0
         11.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S             11.11.11.11/32 [1/0] via 0.0.0.0, Virtual-Access2
S             11.1.2.0/24 [1/0] via 11.1.4.102
C             11.1.4.0/24 is directly connected, FastEthernet0/0

// Since we have allowed ADMIN access to both loopbacks, both 1.1.1.1 and 11.11.11.11 have been added to the routing table AUTOMATICALLY!

http://www.cisco.com/c/en/us/td/docs/ios/12_2/dial/configuration/guide/fdial_c/dafvrtmp.html