How to Authenticate Easy VPN Client Devices

tounkara
Level 1

I use:

- Cisco 837 as Easy VPN Client devices on remote sites

- Cisco PIX 515E as Easy VPN Server on central site

- CiscoSecure ACS as TACACS+ Server on internal LAN of Central Site

The remote sites connect to the central site by ADSL with 3DES VPN tunnels, pre-shared key. It is working OK right now.

How to add authentication so that:

- Cisco 837 Easy VPN devices are authenticated before the IPSEC tunnel is up (during negotiation)?

and/or

- Users of remote sites are authenticated individually, after the VPN tunnel is up and before accessing central site resources (mainly telnet to an IBM AS400 server)

Please find below a copy of the PIX Firewall and Cisco 837 IPSEC config.

Regards.

Fatou.

FIREWALL CONFIG
---------------

access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 80 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool vpn-client 192.168.1.200-192.168.1.240
nat (inside) 0 access-list 80
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.1.1 <**key**>
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto dynamic-map MYMAP 4 set transform-set strong-des
crypto map agence-map 20 ipsec-isakmp dynamic MYMAP
crypto map agence-map interface outside
isakmp enable outside
isakmp key **pre-shared key** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup vpn-client address-pool vpn-client
vpngroup vpn-client dns-server ***********
vpngroup vpn-client default-domain *****
vpngroup vpn-client split-tunnel 80
vpngroup vpn-client idle-time 1800
vpngroup vpn-client password **pre-shared key**

CISCO 837 CONFIG
----------------

!
crypto ipsec client ezvpn hw-client
 connect auto
 group vpn-client key **pre-shared key**
 mode client
 peer <***** @ outside PIX ****>
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn hw-client inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
 dsl power-cutback 0
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip mtu 1492
 ip inspect myfw out
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname ***************
 ppp chap password 7 *************
 ppp pap sent-username ********* password 7 **********
 ppp ipcp dns request
 ppp ipcp wins request
 crypto ipsec client ezvpn hw-client
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1

1 Reply

ehirsel
Level 6

Because the 837 router is in client mode, I believe that all users on the backside of the 837 will have their IP address NAT/PAT'ed by the 837 before the traffic crosses the tunnel. Thus you need to allow the 837 to be an AAA client to a server located behind the PIX at the central site.

According to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_i1g.htm#wp1069870

You can configure ip http server and then ip http ezvpn to allow the user to submit credentials prior to accessing the remote servers located at the other end of the VPN connection. However, if your 837 is not used as a SOHO router with only one user behind it, this may not work, as traffic for all users will be allowed once the first user completes authentication.

You may need to config the proxy telnet or proxy http commands of IOS on the 837 to allow each user to submit their own credentials. I don't know if the 837 can run an IOS that provides those commands - in earlier releases of IOS, those were only available in the firewall feature set.

Is there a LAN with multiple users behind the 837, or are they deployed in a SOHO environment (with one or two users at each site)?
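An added configuration example, not from the post and not Cisco's documentation, covering both parts of the question along the lines the reply outlines: Xauth on the PIX so the 837 must present credentials held on the ACS before IKE completes, and IOS Firewall authentication proxy on the 837 so each LAN user logs in to the ACS before a telnet session to the AS400 is allowed through. Syntax assumes PIX 6.x and a 12.3 Firewall feature set image on the 837 (the posted config already uses ip inspect); the account name site-a, the rule name AS400-USERS and TACACS+ reachability through the tunnel via ip tacacs source-interface are assumptions, and the keys are placeholders.

```cisco
! ---- PIX 515E (Easy VPN server): require Xauth before the tunnel comes up.
! "TACACS+" is the aaa-server group tag already present in the posted config
! (aaa-server TACACS+ (inside) host 192.168.1.1 <key>). With this line every
! peer of agence-map, including the dynamic MYMAP entries, must pass Xauth.
crypto map agence-map client authentication TACACS+
!
! ---- Cisco 837 (Easy VPN remote): supply the Xauth credentials itself.
! Assumed: a device account "site-a" exists on the ACS. The username
! sub-command stores the password (needs a recent 12.3T image); on older
! images enter it by hand with the exec command  crypto ipsec client ezvpn xauth
! (the tunnel stays down until the credentials have been given).
crypto ipsec client ezvpn hw-client
 connect auto
 group vpn-client key **pre-shared key**
 mode client
 peer <***** @ outside PIX ****>
 username site-a password 0 <placeholder-xauth-password>
!
! ---- Cisco 837: per-user login once the tunnel is up (authentication proxy).
! Assumed: the ACS is reachable through the tunnel, so TACACS+ is sourced
! from the LAN interface. The ACS must return priv-lvl=15 and proxyacl#n
! attributes for the "auth-proxy" service, otherwise the user is denied.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
tacacs-server host 192.168.1.1 key 0 <placeholder-tacacs-key>
ip tacacs source-interface Ethernet0
!
! The telnet keyword intercepts the telnet/tn5250 session to the AS400 and
! prompts for a username/password inside it; it needs 12.3(1) or later,
! earlier images only offer the http keyword. Idle sessions drop after 60 min.
ip auth-proxy name AS400-USERS telnet inactivity-time 60
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip auth-proxy AS400-USERS
 crypto ipsec client ezvpn hw-client inside
```

Because the proxy keys the session on the user's source address, it gives per-user authentication even though the 837 NATs the LAN behind the pool address on the PIX side, which is the limitation the reply describes for ip http ezvpn.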