How to Create a VPN Server Using SDM

8/6/2019 How to Create a VPN Server Using SDM

As I explained in the article Security Device Manager aka SDM, SDM is a Web-based device-management tool for Cisco routers that can improve the productivity of network managers, simplify router deployments, and help troubleshoot complex network and VPN connectivity issues.

What is a virtual private network?

A virtual private network (VPN) is a computer network in which some of the links between nodes are carried by open connections or virtual circuits in some larger network (e.g., the Internet) instead of by physical wires. The link-layer protocols of the virtual network are said to be tunneled through the larger network when this is the case. One common application is secure communications through the public Internet, but a VPN need not have explicit security features, such as authentication or content encryption. VPNs, for example, can be used to separate the traffic of different user communities over an underlying network with strong security features.

Using this wizard, it is possible to create a Layer 3 VPN based on the IPsec protocol suite. Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host. The Easy VPN Server built in this article is the last case: the router is the security gateway and each VPN client is a host.

IPsec is an end-to-end security solution and operates at the Internet Layer of the Internet Protocol Suite, comparable to Layer 3 in the OSI model. Other Internet security protocols in widespread use, such as SSL, TLS and SSH, operate in the upper layers of these models. This makes IPsec more flexible, as it can be used to protect all the higher-level protocols: applications don't need to be designed to use IPsec, whereas the use of TLS/SSL or other higher-layer protocols must be incorporated into the design of an application.

Ok, and how can I create a VPN using SDM?

There are a few steps to create a VPN server on a Cisco router:

1. Log in to SDM.
2. Click the Configure icon in the toolbar at the top of the window.
3. Click the VPN icon in the Tasks toolbar on the left side of the window.
4. Choose the Easy VPN Server option in the middle part of the window.

Related article: Security Device Manager aka SDM, http://www.ciscozine.com/2008/11/28/security-device-manager-aka-sdm/

If you have not configured AAA, the wizard asks you to configure it. Click Enable AAA and then OK to close the popup.

Enabling AAA adds aaa new-model to the configuration, so console and VTY logins start using the AAA login method lists (the wizard points the default list at the local user database, as the final configuration at the end of this article shows). Check that a local username with privilege 15 exists before you accept, and keep the current session open until you have verified that a fresh login still works; otherwise you can lock yourself out of the router.


After enabling AAA, you can start the VPN wizard:

Click the Next button (in this screenshot I click Avanti, because my SDM interface is in Italian), select the interface that will receive the VPN requests from the VPN clients (in my case FastEthernet 0/0; this is the interface the crypto map will be applied to) and select pre-shared key authentication. Click Next.


In this step you can configure the IKE proposals: IKE proposal priority, DH group (1, 2 or 5), encryption algorithm (DES, 3DES, AES or SEAL), HMAC (SHA-1 or MD5) and IKE lifetime. If you prefer, you can change the default settings. Of the choices offered, DES, MD5 and DH group 1 are the weakest; pick AES, SHA-1 and group 5 unless a VPN client cannot negotiate them. The default used in this article is 3DES, SHA-1 and group 2, which is what appears as crypto isakmp policy 1 in the final configuration (no hash line is printed because SHA-1 is the IOS default). Click Next.


You can use the default or create a new IPsec transform set with these parameters: transform set name, encryption algorithm (DES, 3DES, AES or SEAL), HMAC (SHA-1 or MD5), optional compression and mode of operation (tunnel or transport). The same advice applies as for the IKE proposal: avoid DES and MD5. Click Next.


In this step you can choose from three options for the location where the Easy VPN group policies are stored:

Local: all the groups are kept in the router configuration in NVRAM.
RADIUS: the router uses a RADIUS server for group authorization.
RADIUS and local: the router can also look up policies stored in an AAA server database that can be reached via RADIUS.

The local database is recommended if you do not have a RADIUS or TACACS+ server in your network. Click Next.


Now define the group authorization and user group policies.


When you click the Add button, you can define: General parameters, DNS/WINS, Split tunneling, Advanced options and Xauth Options. In our case it is sufficient to configure the General parameters tab. The group name is test, the password is ciscozine and the IP pool is from 192.168.10.1 to 192.168.10.10. Click OK to save the group policy.

The group password is the pre-shared key that every client in the group presents during IKE phase 1. It ends up as the line key ciscozine under crypto isakmp client configuration group test in the final configuration, in cleartext, so treat the running config as sensitive and choose a long random value rather than a word. After the group is authenticated, each user is prompted for individual credentials by Xauth, which the wizard binds to the local user database (the sdm_vpn_xauth_ml_1 list in the final configuration).

Click Next.


Once you have finished all the steps to configure the Easy VPN Server, the wizard presents a summary of the configured parameters.


Click Back to correct any errors in the configuration. Otherwise, click Finish to apply the configuration to the router.

    The final configuration will be:

!This is the running config of the router: 192.168.1.12
!----------------------------------------------------------------------------
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Ciscozine
!
boot-start-marker
boot-end-marker
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
ip cef
ip audit po max-events 100
!
username ciscozine privilege 15 secret 5 $1$uZAG$n7SP/bF1Y2UEfepGjtblH.
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group test
 key ciscozine
 pool SDM_POOL_1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface FastEthernet0/0
 ip address 192.168.1.12 255.255.255.0
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip local pool SDM_POOL_1 192.168.10.1 192.168.10.10
ip http server
ip http authentication local
ip http secure-server
ip classless
!
line con 0
line aux 0
line vty 0 4
!
end

Remember to save the configuration! The wizard delivers the commands to the running configuration only; unless you also write them to the startup configuration (copy running-config startup-config from the CLI), they are lost at the next reload.
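The configuration above is worth auditing before the first client connects, because the wizard delivers whatever was chosen on the IKE proposal and transform set pages, including the weakest options. The script below is an added example, not part of the original article and not Cisco's code: it parses an IOS running config with a small block parser, fills in the IOS defaults for the ISAKMP attributes the config omits (which is how the policy above ends up with SHA-1 although no hash line is printed), and reports DES/3DES, MD5, DH groups 1 and 2, a cleartext group pre-shared key and a plain-HTTP management server. SDM_CONFIG is a constructed sample holding the relevant lines of the config above; HARDENED_CONFIG, the weakness thresholds and the type-6 key placeholder are the example's own assumptions.

```python
"""Audit the IOS config the SDM Easy VPN Server wizard delivers (added example,
not code from the original article or from Cisco; thresholds are assumptions)."""
import re
# IOS fills in these values for any attribute an isakmp policy omits.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1",
                   "authentication": "rsa-sig", "lifetime": "86400"}

# Constructed sample: the relevant lines of the running config shown above.
SDM_CONFIG = """\
no service password-encryption
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group test
 key ciscozine
 pool SDM_POOL_1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
interface FastEthernet0/0
 ip address 192.168.1.12 255.255.255.0
 crypto map SDM_CMAP_1
ip http server
ip http secure-server
"""

# Constructed sample with each wizard choice tightened (assumed values; the
# "key 6" blob stands for a type-6 encrypted key and is only a placeholder).
HARDENED_CONFIG = """\
service password-encryption
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp client configuration group test
 key 6 <type-6-ciphertext>
 pool SDM_POOL_1
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
ip http secure-server
"""

WEAK_ENCR = {"des": "DES (56-bit key)", "3des": "3DES (legacy; prefer AES)"}
WEAK_HASH = {"md5": "MD5 (prefer SHA)"}
WEAK_GROUP = {"1": "DH group 1 (768-bit)", "2": "DH group 2 (1024-bit)"}
WEAK_TRANSFORM = {"esp-des": WEAK_ENCR["des"], "esp-3des": WEAK_ENCR["3des"],
                  "esp-md5-hmac": WEAK_HASH["md5"]}

def blocks(config):
    """Yield (statement, [indented sub-statements]) per top-level IOS line."""
    header, children = None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):      # blank lines and separators
            continue
        if line[0] in " \t":
            children.append(line.strip())
        else:
            if header is not None:
                yield header, children
            header, children = line, []
    if header is not None:
        yield header, children

def parse(config):
    """One pass over the config: isakmp policies, transform sets, Easy VPN groups."""
    policies, transform_sets, groups, statements = {}, {}, {}, set()
    for header, children in blocks(config):
        statements.add(header)
        attrs = dict(child.partition(" ")[::2] for child in children)  # "encr 3des" -> encr: 3des
        if m := re.match(r"crypto isakmp policy (\d+)$", header):
            policies[int(m.group(1))] = {**ISAKMP_DEFAULTS, **attrs}
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", header):
            transform_sets[m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto isakmp client configuration group (\S+)$", header):
            groups[m.group(1)] = attrs
    return {"policies": policies, "transform_sets": transform_sets,
            "groups": groups, "statements": statements}

def audit(config):
    """Return the findings for one config; an empty list means nothing flagged."""
    parsed, findings = parse(config), []
    for prio, pol in sorted(parsed["policies"].items()):
        where, cipher = f"isakmp policy {prio}", pol["encr"].split()[0]  # "aes 256" -> "aes"
        if cipher in WEAK_ENCR:
            findings.append(f"{where}: encryption {WEAK_ENCR[cipher]}")
        if pol["hash"] in WEAK_HASH:
            findings.append(f"{where}: hash {WEAK_HASH[pol['hash']]}")
        if pol["group"] in WEAK_GROUP:
            findings.append(f"{where}: {WEAK_GROUP[pol['group']]}")
    for name, transforms in parsed["transform_sets"].items():
        findings += [f"transform-set {name}: {t} is {WEAK_TRANSFORM[t]}"
                     for t in transforms if t in WEAK_TRANSFORM]
    for name, attrs in parsed["groups"].items():
        # only "key 6 <blob>" is stored encrypted (type 6); anything else is cleartext
        if "key" in attrs and not attrs["key"].startswith("6 "):
            findings.append(f"group {name}: pre-shared key stored in cleartext")
    if "ip http server" in parsed["statements"]:
        findings.append("ip http server: SDM reachable over plain HTTP; keep only "
                        "ip http secure-server")
    return findings

if __name__ == "__main__":
    for label, cfg in (("SDM wizard output", SDM_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run against SDM_CONFIG the audit reports five findings (3DES and DH group 2 in the ISAKMP policy, esp-3des in the transform set, the cleartext group key and ip http server); against HARDENED_CONFIG it reports none. To audit a real router, paste the output of show running-config into the place of SDM_CONFIG; the parser ignores the "!" separators and blank lines, so the full output can be used as-is.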

To change the VPN server settings:

1. Click the Configure icon in the toolbar at the top of the window.
2. Click the VPN icon in the Tasks toolbar on the left side of the window.

To view the VPN status:

1. Click the Monitor icon in the toolbar at the top of the window.
2. Click the VPN icon in the Tasks toolbar on the left side of the window.