![]() First thing you need to do – enable AAA and create AAA lists tailored for ezVPN purposes. This is more similar to classic IPsec VPN tunnel, with added functionality - such as user authentication, DNS servers auto-configuration (could be imported in DHCP pools), etc. Using this mode, client does not request a new IP address, but rather uses it’s inside interface network to build the Phase 2 IPsec SA (proxy ID). The second mode of operations is known as “Network-Extension”. If the client is a router (feature known as ezVPN Remote), then a special NAT rule is installed automatically to translate “inside” users traffic into the VPN IP address using PAT. The first is known as “Client-mode”: Server allocates new IP address and pushes it’s down to a client. As connection is established, server may create a static route, corresponding to the client VPN IP address using process know as Reverse Route Injection (RRI).ĮzVPN has two general modes of operation. Essentially, split-tunnel ACL is used to create Proxy-Identifiers for Phase 2. Phase 2: Client obtains it’s new IP address and other additional information and then tries to establish IPsec SA based on Split-Tunnel ACL (which specifies traffic to be encrypted) and new VPN IP address. RADIUS) for configuration information, which usually includes client VPN IP address, Split-Tunnel ACL, DNS/WINS servers etc. With group and authenticated username on hand, server may then query local database or remote AAA server (e.g. ![]() After successful authentication, client sends a Configuration Request. Phase 1.5: Based on group configuration, server may initiate additional authentication process (called Xauth) to verify user identity. Phase 1: Client contacts server, sends it’s identifier (group name) either using ISAKMP Aggressive Mode, or certificate exchange With ezVPN, secure connection establishment looks like following: The purpose of this phase is to push configuration information to the client and perform additional name-based authentication (Xauth – extended authentication). In order to avoid excessive configuration on client side, additional ISAKMP SA Phase has been introduced – Phase 1.5. To recap, recall that IPsec utilizes two phases secures “connection” establishment process: Phase 1 – ISAKMP SA (management channel) and Phase 2 – IPsec SA (protect user data). The idea of ezVPN is to make client configuration as simple as possible, while putting additional configuration on the server. Originally, IPsec was a peer-to-peer technology, where configurations are basically symmetrical on both ends of an IPsec tunnel. “Sales” and “Customer Support”.Įasy VPN (ezVPN) is well known Client-Server VPN technology based on IPsec. The real power of VRF-lite comes to hand when you need to share the same device between isolated groups of users - e.g. ![]() Inside a router you need to configure interfaces belonging to particular VRF and enable VRF-specific routing processes. Essentially, each virtual router has it’s own routing table, distinguished from others by using a special Routing Distinguisher (RD) which is a 64bit integer, usually represented as “X:Y”. In short, it allows separating a physical router into a number of virtual routers. The first technology is known as “VRF-lite”. In this post we are going to combine two powerful technologies in order to provide an effective security solution, particularly suitable for large enterprises. Specifically, for our purposes we will utilize the feature known as VTI (Virtual Tunnel Interface) to simplify IPsec configurations a great deal of times. Although the CCIE Security lab still has old IOS 12.2T installed on all routers, it’s more convenient to discuss ezVPN technology using the approach prompted by recent IOS releases. ![]()
0 Comments
Leave a Reply. |