Configuring IPSec VPN--IPAQ with Movian client, Easy VPN Server

Configuration Guide

Configuring IPSec VPN between IPAQ with Movian client and Cisco IOS Easy VPN Server

Figure 1
Network Diagram

Introduction

This document describes how to configure a handheld computer and Cisco IOS router for IPsec VPN connectivity. With VPN connectivity, the handheld computer can connect to Intranet servers privately over the public Internet. The sample configuration presented in this document uses the Movian VPN client software application, the Cisco IOS Easy VPN Server, the IPAQ handheld computer at the remote end, and Cisco 7200 as the server.

Prerequisites

The handheld computer-to-Cisco Easy VPN router sample configuration is based on the following assumptions::

The IP address at the Cisco Easy VPN Server is static.
The IP address at the handheld computer is static or dynamic.
All traffic, including Internet traffic, from the Easy VPN Client is forwarded to the hub.
Traffic from the remote host is forwarded after applying Network Address Translation/Port Address Translation (NAT/PAT).

Components Used

The sample configuration uses the following releases of the software and hardware:

Compaq IPAQ 3630 PDA with Movian VPN Version 3.0.0
Cisco 7200V with Cisco IOS^® Software, Version 12.2(11)T

Figure 1 illustrates the network for the sample configuration.

The information presented in this document was created from devices in a specific lab environment. All of the devices started with a cleared (default) configuration. If you are working in a live network, it is imperative to understand the potential impact of any command before implementing it.

Movian Client Configuration Options

The Cisco Easy VPN implements the Cisco Unity Client protocol, which simplifies configuring the detailed information on the client router because most VPN parameters are defined at the VPN remote access server. The server can be a dedicated VPN device, such as a VPN 3000 concentrator or a Cisco PIX Firewall, or a Cisco IOS router that supports the Cisco Unity Client protocol. The sample configuration uses the Cisco 1751 for the Easy VPN Server.

This sample configuration uses client mode with the Movian VPN Client. In Client mode, the entire Movian VPN client address undergoes NAT to the mode config ip address that the Easy VPN Server provides.

The Movian VPN Client forwards the Internet traffic to the Easy VPN Server. Direct access to the Cisco 806 Easy VPN Client by traffic other than the encrypted traffic from the Easy VPN Server is denied. An alternative configuration of the Cisco Easy VPN Server called split tunneling forwards the Internet traffic directly without encryption.

For additional information about configuring Easy VPN Server, refer to Cisco IOS Easy VPN Server feature .

Movian VPN Client Configuration

 Policy type: Cisco Unified client

 Gateway address: 172.19.202.23

 Same authentication configuration

 Use Perfect Forward Secrecy Disabled

 IKE Suite:

 GRP2_DH-1024

 Cipher: 3DES_CBC

 Hash: SHA

 IPSec Suite: ESPIP_3DES_SHA-96

 Soft Client Initial Configuration:

 IP address of remote server: 172.19.202.23

 Group Access Information:

 Name: groupname

 Password: test1234

 During Connection:

 Username: user

 Password: test1234

Cisco 7200 VPN Router Configuration

The following commands show how to configure the router for this sample configuration.

 version 12.2

 service timestamps debug datetime

 service timestamps log datetime

 no service password-encryption

 service internal

!

 hostname 7200-3

!

 logging buffered 16000 debugging

 aaa new-model

!

!

 aaa authentication login groupname local

 aaa authorization network groupname local 

 aaa session-id common

 enable password lab

!

 username user password 0 test1234

 ip subnet-zero

 no ip cef

!

!

 ip domain name cisco.com

 ip name-server 171.68.1.1

!

!

 crypto isakmp policy 1

  encr 3des

  authentication pre-share

  group 2

 crypto isakmp key test1234 address 0.0.0.0 0.0.0.0

!

 crypto isakmp client configuration group groupname

  key test1234

  dns 171.68.1.1

  wins 171.68.1.2

  domain cisco.com

  pool poolname

!

 crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac 

!

 crypto dynamic-map vpn-test 1

  set transform-set vpn-test 

  reverse-route

!

 crypto map ws client authentication list local

 crypto map ws isakmp authorization list groupname

 crypto map ws client configuration address respond

 crypto map ws 1 ipsec-isakmp dynamic vpn-test 

!

!

 interface Ethernet3/0

  ip address 10.0.149.203 255.255.255.128

  duplex half

!

 interface Ethernet3/4

  ip address 10.0.149.23 255.255.255.128

  duplex half

  crypto map ws

!

!

 ip local pool poolname 10.0.149.230 10.0.149.235

 ip default-gateway 10.0.149.1

 ip classless

 ip route 0.0.0.0 0.0.0.0 10.0.149.1

 ip route 10.0.149.1 255.255.255.255 Ethernet3/0

 ip http server

!

!

 line con 0

  exec-timeout 0 0

 line aux 0

 line vty 0 4

!

!

end

Verifying the Results

This section provides information you can use to confirm that your configuration is working properly.

To verify the VPN connectivity, follow these steps.

Step 1. Login to the Hub router.

Step 2. Using the Movian tools menu, ping www.cisco.com and other intranet hosts.

Step 3. Using Internet Explorer, connect to the intranet and Internet servers.

Step 4. Make sure to reload the web page to avoid redisplay from the cache memory.

Troubleshooting the Configuration

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which analyzes show command output.

Note: Before issuing debug commands, see Important Information about Debug Commands .

debug crypto isakmp—Displays errors during Phase 1.
debug crypto ipsec—Displays errors during Phase 2.
debug crypto engine—Displays information from the crypto engine.
debug ip your routing protocol—Displays information about routing transactions of your routing protocol.
clear crypto connection connection-id [slot | rsm | vip]—Terminates an encrypted session currently in progress. Encrypted sessions normally terminate when the session times out. Use the show crypto cisco connections command to see the connection-id value.
clear crypto isakmp—Clears the Phase 1 security associations.
clear crypto sa—Clears the Phase 2 security associations.