Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

Chapter 8 Cisco IOS IPSec Pre-Shared Keys and Certificate Authority Support

Answers to Hands-On Labs

Here are the answers to the hands-on labs.

Answer to Lab 8.1

Lab_A#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Lab_A(config)#crypto isakmp enable
Lab_A(config)#crypto isakmp policy 2
Lab_A(config-isakmp)#encryption 3des
Lab_A(config-isakmp)#hash md5
Lab_A(config-isakmp)#authentication pre-share
Lab_A(config-isakmp)#exit
Lab_A(config)#crypto isakmp key cisco address 10.1.1.2
Lab_A(config)#^Z
Lab_A#

Lab_B#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Lab_B(config)#crypto isakmp enable
Lab_B(config)#crypto isakmp policy 2
Lab_B(config-isakmp)#encryption 3des
Lab_B(config-isakmp)#hash md5
Lab_B(config-isakmp)#authentication pre-share
Lab_B(config-isakmp)#exit
Lab_B(config)#crypto isakmp key cisco address 10.1.1.1
Lab_B(config)#^Z
Lab_B#

Answer to Lab 8.2

Lab_A#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Lab_A(config)#crypto ipsec transform-set test esp-des
Lab_A(cfg-crypto-trans)#exit
Lab_A(config)#access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
Lab_A(config)#access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
Lab_A(config)#crypto map test1 100 ipsec-isakmp
Lab_A(config-crypto-map)#match address 100
Lab_A(config-crypto-map)#set transform-set test
Lab_A(config-crypto-map)#set peer 10.1.1.2
Lab_A(config-crypto-map)#exit
Lab_A(config)#interface s0/0
Lab_A(config-if)#crypto map test1
Lab_A(config-if)#^Z
Lab_A#

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

Lab_B#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Lab_B(config)#crypto ipsec transform-set test esp-des
Lab_B(cfg-crypto-trans)#exit
Lab_B(config)#access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
Lab_B(config)#access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
Lab_B(config)#crypto map test1 100 ipsec-isakmp
Lab_B(config-crypto-map)#match address 100
Lab_B(config-crypto-map)#set transform-set test
Lab_B(config-crypto-map)#set peer 10.1.1.1
Lab_B(config-crypto-map)#exit
Lab_B(config)#interface s1/0
Lab_B(config-if)#crypto map test1
Lab_B(config-if)#^Z
Lab_B#
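
The tunnel in Labs 8.1 and 8.2 comes up only if the two routers mirror each other, and the lab values (DES, 3DES, MD5, the key cisco) are weak outside a lab. The Python check below is an added example, not part of the book. It assumes one ISAKMP policy per router; the names parse, audit, WEAK and MIN_KEY_LEN and the 16-character key floor are illustrative assumptions.

```python
# Constructed input: the Lab 8.1/8.2 answer commands for Lab_A (10.1.1.1).
LAB_A = """\
crypto isakmp policy 2
 encryption 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco address 10.1.1.2
crypto ipsec transform-set test esp-des
crypto map test1 100 ipsec-isakmp
 set transform-set test
 set peer 10.1.1.2
"""
# Lab_B (10.1.1.2) is the mirror image: only the peer address differs.
LAB_B = LAB_A.replace("10.1.1.2", "10.1.1.1")
# Settings treated as weak here; the 16-character key floor is an assumption.
WEAK = {"des": "56-bit DES", "esp-des": "56-bit DES",
        "3des": "legacy 3DES", "md5": "MD5 hash"}
MIN_KEY_LEN = 16

def parse(cfg):
    """Pull out the IKE/IPSec settings both peers must agree on."""
    s = {"policy": {}, "keys": {}, "peers": set(), "transforms": set()}
    for line in cfg.splitlines():
        w = line.split()
        if len(w) >= 2 and w[0] in ("encryption", "hash", "authentication"):
            s["policy"][w[0]] = w[1]
        elif w[:3] == ["crypto", "isakmp", "key"] and len(w) == 6:
            s["keys"][w[5]] = w[3]            # peer address -> pre-shared key
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            s["transforms"].update(w[4:])     # e.g. esp-des
        elif w[:2] == ["set", "peer"] and len(w) == 3:
            s["peers"].add(w[2])
    return s

def audit(cfg_a, addr_a, cfg_b, addr_b):
    """Return findings: MISMATCH breaks the tunnel, WEAK weakens it."""
    a, b = parse(cfg_a), parse(cfg_b)
    key_a, key_b = a["keys"].get(addr_b), b["keys"].get(addr_a)
    checks = [("isakmp policy", a["policy"] == b["policy"]),
              ("pre-shared key", key_a is not None and key_a == key_b),
              ("crypto map peer", addr_b in a["peers"] and addr_a in b["peers"]),
              ("transform-set", a["transforms"] == b["transforms"])]
    out = ["MISMATCH " + name for name, ok in checks if not ok]
    used = sorted(set(a["policy"].values()) | a["transforms"])
    out += ["WEAK %s (%s)" % (v, WEAK[v]) for v in used if v in WEAK]
    if len(key_a or "") < MIN_KEY_LEN:
        out.append("WEAK pre-shared key shorter than %d characters" % MIN_KEY_LEN)
    return out
```

Calling audit(LAB_A, "10.1.1.1", LAB_B, "10.1.1.2") on the lab answers reports no MISMATCH lines and four WEAK lines.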


Chapter 9

Cisco IOS Remote Access Using Cisco Easy VPN

THE FOLLOWING SECUR EXAM TOPICS ARE COVERED IN THIS CHAPTER:

Understanding Cisco Easy VPN

Understanding the Easy VPN Server

Understanding the Cisco VPN 3.5 Client

Setting up the Easy VPN Server

Setting up the Cisco VPN 3.5 Client


This short (yes, I really did say short) chapter introduces a very cool development in VPN technology: Cisco Easy VPN. While it really can cut down considerably on labor, Cisco’s Easy VPN won’t work for you in every situation. I’ll list which VPN features are supported and which are not, and I’ll include an overview of Cisco VPN 3.5 Client Software.

I’m also going to present a sweet configuration example that will focus on how you can use an IOS router as the Easy VPN Server (a relatively new feature) and the VPN 3.5 Client as the Easy VPN Remote.

In addition, I’ll explain some great tools you can use to eliminate unnecessary user interference when installing the VPN 3.5 Client Software. This chapter wraps up with a hands-on lab where you’ll get to install the Cisco VPN 3.5 Client on a Windows machine. Nice, huh? Let’s get going!

Configuring IOS Remote Access Using Cisco Easy VPN

“Easy is as easy does,” so the saying goes. Are you ready for something that’s really as easy as its name implies? After eight pretty intense chapters—especially that last one—you’re probably thinking, “Uh huh, yeah, sure. He said, ‘Easy.’ Ha ha ha!” Well, I tell you no lie. Look no further, because Cisco has become your genie—ready and waiting to grant your wish by bringing you the aptly named Cisco Easy VPN!

Now, you’re right. Virtual private networks (VPNs) have been around for some time, and you know there are many ways to configure them because we also covered some VPN configurations in Chapter 7, “Understanding Cisco IOS IPSec Support.” VPNs can be as simple as two fixed IOS routers establishing a VPN between them, or they can be more complex, with multiple, mobile PC users and VPN Concentrators. Management in the first scenario is typically a snap, but in the second scenario, it’s a lot more complicated—more like handling a snapping turtle!

This section focuses on a new feature in IOS that allows any capable IOS router to act as a VPN server, permitting your remote clients to establish VPN connections to the IOS router acting as a VPN server. So kick back, relax, and let me guide you through this cool technology.
