Configuring EasyVPN Between Cisco Routers

Posted: 20 Jun 2011 11:35 AM PDT


Cisco Easy VPN is usually used to terminate the Cisco VPN software client on a router. In this post, however, let's look at configuring Easy VPN between two Cisco routers. An Easy VPN deployment always consists of an Easy VPN Server and one or more Easy VPN Remotes: most of the configuration sits on the server, and a router acting as a Remote is configured much like the software client (group name and pre-shared key, XAUTH credentials, peer address).

Let's consider the example shown in the diagram below: R1 is configured as the Easy VPN Remote, R2 as the Easy VPN Server, and traffic between the Loopback interfaces is forced through the VPN tunnel. The routers are connected on FastEthernet0/0 (R1 192.168.2.1, R2 192.168.2.2, as seen in the configuration and show output below); R1's protected network is its Loopback0, 10.12.130.1/32.

Before starting the Easy VPN configuration, check connectivity between the Loopback interfaces. For simplicity, each router has a default route pointing at the other.

Now let's start the configuration, beginning with R2 as the Easy VPN Server.

R2 Configuration

! enable AAA
aaa new-model

! local authentication method list named userauthen; used for XAUTH (user authentication)
aaa authentication login userauthen local

! local authorization method list named groupauthor; used for ISAKMP group authorization,
! i.e. looking up the client group and pushing its attributes in mode config
aaa authorization network groupauthor local

! XAUTH user. The Remote authenticates with this username/password after the group
! pre-shared key has been verified. "password 0" stores it in cleartext in the config;
! "username cisco secret ..." is the better choice.
username cisco password 0 cisco123

! ISAKMP (IKE phase 1) policy
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2

! client group with the group pre-shared key used for IKE authentication. save-password
! allows the Remote to keep the XAUTH password in its configuration instead of prompting.
crypto isakmp client configuration group vpngrp
 key cisco123
 save-password

! IPsec transform set for data encryption
crypto ipsec transform-set TS esp-3des esp-sha-hmac

! dynamic crypto map, referenced by the static crypto map below. It must name the
! transform set defined above (TS); a reference to an undefined transform set is a
! common reason the IPsec SA never comes up.
crypto dynamic-map dynmap 10
 set transform-set TS

! crypto map: bind the AAA lists for XAUTH and group authorization, then the dynamic map
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

! attach the crypto map to the outside interface
interface FastEthernet0/0
 crypto map clientmap

That completes the Easy VPN Server configuration. One caveat on the algorithms: 3DES, SHA-1 and Diffie-Hellman group 2 were the usual choices when this was written, but they are legacy settings today. On current IOS, use AES and SHA-2 in the transform set (for example esp-aes 256 esp-sha256-hmac) and AES, SHA-256 and DH group 14 or stronger in the ISAKMP policy; the Remote negotiates the same proposals, so both sides must support them. Now let's configure the Remote. Its configuration closely resembles that of the Cisco VPN software client.

R1 Configuration

! Easy VPN Remote profile
crypto ipsec client ezvpn ez

! bring the tunnel up automatically (the default). With "connect manual" instead, the tunnel
! has to be started by hand with "crypto ipsec client ezvpn connect ez" every time it drops.
 connect auto

! group name and pre-shared key; must match the client group configured on the server
 group vpngrp key cisco123

! network-extension mode: the inside network keeps its own addresses (here Loopback0's /32)
! and is reachable through the tunnel as-is. In client mode the Remote would instead get an
! address pushed from the server and PAT the inside hosts behind it.
 mode network-extension

! address of the Easy VPN Server (R2's outside interface)
 peer 192.168.2.2

! answer the XAUTH challenge from the credentials stored in this profile rather than
! prompting; the server's client group must allow this with save-password
 xauth userid mode local

! stored XAUTH credentials; must match the username configured on the server
 username cisco password cisco123

! mark the inside interface. Both an inside and an outside interface must be marked
! on the Easy VPN Remote.
interface Loopback0
 ip address 10.12.130.1 255.255.255.255
 crypto ipsec client ezvpn ez inside
!
! outside interface, facing the server
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 crypto ipsec client ezvpn ez outside
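A check worth running before pasting either side onto a router is a small linter over the two configurations. The script below is an added example and not part of the original post: it parses IOS running-config text (one-space indentation, the way the router itself prints it) and flags the mistakes that are easy to miss on a CLI: a dynamic map that references a transform set that was never defined, a crypto map that is never applied to an interface, a group name or pre-shared key that does not match between Remote and Server, a peer address that is not an address on the server, a stored XAUTH password without save-password on the server, type-0 cleartext passwords, and legacy algorithms (DES/3DES, MD5, DH groups 1, 2 and 5). The embedded SERVER_CFG and REMOTE_CFG are constructed from the R2 and R1 configurations in this post: R2's FastEthernet0/0 address is taken from the show output rather than the listing, the Remote profile keeps only the lines the checks look at, and a dangling "set transform-set myset" is left in on purpose so the dangling-reference check has something to find. Function names and finding strings are this example's own.

```python
import re

# Constructed sample: the R2/R1 configs from this post with IOS one-space indentation. R2's Fa0/0
# address is taken from the show output; the dangling "myset" reference is kept so the linter finds it.
SERVER_CFG = """\
aaa authentication login userauthen local
aaa authorization network groupauthor local
username cisco password 0 cisco123
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group vpngrp
 key cisco123
 save-password
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 crypto map clientmap
"""
REMOTE_CFG = """\
crypto ipsec client ezvpn ez
 group vpngrp key cisco123
 mode network-extension
 peer 192.168.2.2
 username cisco password cisco123
interface Loopback0
 ip address 10.12.130.1 255.255.255.255
 crypto ipsec client ezvpn ez inside
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 crypto ipsec client ezvpn ez outside
"""
LEGACY_ISAKMP = {"encr des", "encr 3des", "hash md5", "group 1", "group 2", "group 5"}
LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse_blocks(cfg):
    """Split IOS config text into (command, [indented sub-commands]); '!' lines are comments."""
    blocks = []
    for line in cfg.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit_server(cfg):
    """Findings for the server side, plus its client groups and interface addresses."""
    findings, ts, dyn, cmap, applied, addrs, groups = [], set(), {}, set(), set(), set(), {}
    for cmd, subs in parse_blocks(cfg):
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", cmd):
            ts.add(m[1])
            if LEGACY_ESP & set(m[2].split()):
                findings.append(f"transform-set {m[1]} uses legacy algorithms: {m[2]}")
        elif m := re.match(r"crypto isakmp policy (\d+)", cmd):
            findings += [f"isakmp policy {m[1]} uses legacy setting '{s}'" for s in subs if s in LEGACY_ISAKMP]
        elif m := re.match(r"crypto isakmp client configuration group (\S+)", cmd):
            groups[m[1]] = subs
        elif m := re.match(r"crypto dynamic-map (\S+) \d+", cmd):
            dyn.setdefault(m[1], set()).update(
                w for s in subs if s.startswith("set transform-set ") for w in s.split()[2:])
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", cmd):
            cmap.add(m[1])
        elif cmd.startswith("interface "):
            applied.update(s.split()[2] for s in subs if re.match(r"crypto map \S+$", s))
            addrs.update(s.split()[2] for s in subs if s.startswith("ip address "))
        elif re.match(r"username \S+ password 0 ", cmd):
            findings.append(f"cleartext type-0 password for user '{cmd.split()[1]}' (use 'username ... secret')")
    for name, refs in dyn.items():
        findings += [f"dynamic-map {name} references undefined transform-set {r}" for r in sorted(refs - ts)]
    findings += [f"crypto map {name} is not applied to any interface" for name in sorted(cmap - applied)]
    return findings, groups, addrs


def audit_pair(server_cfg, remote_cfg):
    """Server findings plus checks that the Remote profile lines up with the server."""
    findings, groups, addrs = audit_server(server_cfg)
    prof = next(({s.split()[0]: s.split()[1:] for s in subs} for cmd, subs in parse_blocks(remote_cfg)
                 if re.match(r"crypto ipsec client ezvpn \S+$", cmd)), {})
    group = prof.get("group", ["?"])  # e.g. ["vpngrp", "key", "cisco123"]
    grp = groups.get(group[0])
    if grp is None:
        findings.append(f"remote group '{group[0]}' is not configured on the server")
    else:
        if " ".join(group[1:]) not in grp:
            findings.append("group pre-shared key differs between remote and server")
        if "username" in prof and "save-password" not in grp:
            findings.append("remote stores an XAUTH password but the server group lacks save-password")
    peer = prof.get("peer", ["?"])[0]
    if peer not in addrs:
        findings.append(f"remote peer {peer} is not an interface address on the server")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_pair(SERVER_CFG, REMOTE_CFG)))
```

Run as-is, it reports five findings for the sample: the dangling myset reference, the 3DES and DH group 2 settings in the ISAKMP policy, 3DES in the transform set, and the type-0 password. Change myset to TS and only the legacy-algorithm and cleartext-password findings remain. The parser relies on indentation to tell sub-commands from top-level commands, so feed it the output of show running-config rather than a hand-typed listing with the indentation stripped.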

Both sides are configured now, so let's do some testing on the server:

R2#show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.2.1     192.168.2.2     QM_IDLE           1008    0 ACTIVE

R2#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: clientmap, local addr 192.168.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.12.130.1/255.255.255.255/0/0)
   current_peer 192.168.2.1 port 500
     PERMIT, flags={}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

QM_IDLE with status ACTIVE means IKE phase 1 completed. In the IPsec SA, the local identity 0.0.0.0/0 and the remote identity 10.12.130.1/32 are exactly what network-extension mode produces: the server protects everything towards the Remote's inside network, which here is Loopback0's /32. The #pkts encaps/decaps counters increase as traffic between the loopbacks crosses the tunnel (an IOS ping sends five packets by default); if they stay at zero while the ISAKMP SA is up, the traffic is not being matched by the tunnel, which usually points at the inside interface marking on the Remote. On R1, show crypto ipsec client ezvpn shows the profile state and the peer it is connected to.

NSA wants bulletproof smartphone, tablet security

Posted: 20 Jun 2011 08:41 AM PDT


The National Security Agency, America's high-tech spy agency which also plays a key role in approving hardware and software for use by the Department of Defense, wants to be able to outfit military personnel with commercial smartphones and tablets -- but based on an NSA security design.

IT admins gone wild: 5 rogues to watch out for

Posted: 20 Jun 2011 07:51 AM PDT


You can't survive without them. They wield enormous power over your systems, networks, and data -- the very lifeblood of your organization. Few people outside IT have any understanding of what they do, and fewer still exercise any oversight over their actions.

Ready or not, they're already in your enterprise

Posted: 20 Jun 2011 05:36 AM PDT


Organizations are being overrun by users bringing their own devices to work. The paradox is that organizations trying hardest to ban workers from using their devices may be increasing their risk rather than mitigating it.

A new security architecture for the cloud

Posted: 20 Jun 2011 05:35 AM PDT


The Open Group's Security for the Cloud and SOA Project publishes "An Architectural View of Security for Cloud."

Mesh networks may make SQL injection attacks more persistent

Posted: 20 Jun 2011 05:32 AM PDT


Mass web compromises have typically redirected visitors to a handful of central malware sites, but a peer-to-peer approach will make mass attacks more pernicious.

Attackers exploit latest Flash bug on large scale, says researcher

Posted: 20 Jun 2011 02:55 AM PDT


Hackers are aggressively exploiting a just-patched Flash vulnerability "on a fairly large scale," according to a Shadowserver Foundation researcher.

An update on security threats

Posted: 20 Jun 2011 09:00 AM PDT


Each year several vendors and organizations publish updates on the state of the art in security threats. Most of these updates could be entitled "Be nervous, be very very nervous." While it is never fun to read these reports, they do provide helpful insight into vulnerabilities that we should be aware of. With that in mind, we will use this newsletter to highlight some of the findings of a recent IBM report on security threats.
