CISCO IOS REMOTE ACCESS VPN STEP-BY-STEP CONFIGURATION WITH DETAIL

Introduction

The concept of a Remote Access Virtual Private Network (VPN) has become more relevant than ever. As businesses continue to grow with a rising reliance on remote work and global collaboration, the need for secure and reliable remote network access is paramount. A Remote Access VPN provides a secure tunnel between a remote user and the corporate office network, ensuring that data will remain encrypted and protected from potential cyber threats. For businesses seeking to protect their data and give their employees flexibility, this technology has become essential.

Focusing on the technical implementation of this solution, one of the most robust and widely used platforms is the Cisco router, known for its reliability and advanced feature set.

Understanding Remote Access VPN: What is Remote Access VPN?

A Remote Access Virtual Private Network (VPN) is a technology that allows remote users to securely establish a connection to a remote office network over the less secure internet. Unlike traditional on-premises network access, users can securely access corporate resources virtually from any geographical location using Remote Access VPN, as long as they have an internet connection. In contrast with site-to-site VPNs, which are primarily used to connect entire networks of different branches of the same organization, allowing them to share resources as if they were in the same physical location, a Remote Access VPN focuses on individual users and their internet-connected devices, offering a more private, secure and flexible approach to network access.

The advantages of Remote Access VPNs are numerous, particularly in the context of today's dynamic work environments:

Enhanced Security: a Remote Access VPN offers a significant level of security by encrypting data transmitted over the internet. It protects sensitive information from hacking and eavesdropping, which is crucial when employees need to access corporate network resources from a public place or an unsecured Wi-Fi network. The protection breaks down into four properties:

Authentication validates that the data was actually sent by the claimed sender.

Access control limits unauthorized users from accessing the network.

Confidentiality prevents the data from being read or copied while it is in transit.

Data integrity guarantees that the data has not been altered.

Flexibility and Convenience: a Remote Access VPN gives employees the flexibility to work from anywhere, whether at home, in a coffee shop, or while traveling. They can easily access corporate office resources such as files, applications, and the systems they need to perform their jobs.

Scalability: Remote Access VPNs are readily expandable to support more users as an organization grows. This scalability makes them a cost-effective choice for companies of all sizes.


Figure: Remote Access VPN


How to set up a Remote Access VPN for the Cisco Router IOS platform?


Configuring an IPsec Remote Access VPN on a Cisco IOS router involves several steps and commands. Here's a breakdown:


Step – 1:

Define the authentication and authorization methods:

Enable the AAA model, then define a login authentication list named REMOTEUSER for user authentication and a network authorization list named REMOTEUSER-AUTH-LIST for group authorization. Both lists use the local database to authenticate and authorize the remote user. Other options such as TACACS+ and RADIUS are available, but here we use local.

aaa new-model
aaa authentication login REMOTEUSER local
aaa authorization network REMOTEUSER-AUTH-LIST local


Configure a local user named admin with the password admin123. A simple password is used here for illustration; make sure you choose a stronger one.

username admin password admin123


Step – 2:

Configure ISAKMP (Internet Security Association and Key Management Protocol) Policy for phase 1 negotiation:


The available range for the ISAKMP policy priority is 1-10000; in this example we use 10. Set the encryption algorithm for the protection suite: the three options are 3des, aes and des, and in our example we use AES (Advanced Encryption Standard) with 256-bit keys. Set the authentication method for the protection suite: the three options are pre-share key, rsa-encr and rsa-sig, and in our example we use pre-share. Set the hashing algorithm, which has two options: md5, which is more secure, and sha. Lastly, set the Diffie-Hellman group.

crypto isakmp policy 10
encryption aes 256
authentication pre-share
hash md5
group 2


Step – 3:

Create IP Pool and Access List:

Create the pool of IP addresses that will be assigned to remote users when they connect their VPN, and the access list used to filter the traffic that goes through the VPN. For simplicity we define permit ip any any in the ACL.

ip local pool VPNPOOL 172.16.10.50 172.16.10.60
ip access-list extended VPN_SPLIT
permit ip any any


Step – 4:

Define the VPN client group profile:


Name the group cisco (you can choose any name); this group name is entered in the VPN client settings on the remote device. Then define the secret key for this group and make sure it is strong. Define the DNS server IP address that will be pushed to the remote VPN client, the pool name created in step 3 (the range of IP addresses assigned to remote users), and the ACL created earlier, which is used for split tunneling on the VPN client. Set the maximum number of users and exit.

crypto isakmp client configuration group cisco
key cisco123
dns 8.8.8.8
pool VPNPOOL
acl VPN_SPLIT
max-user 5
exit


Step – 5:

Define the encryption parameters for phase 2, which are used for the actual data encryption, and assign them to a crypto dynamic map:

Define the transform set, then specify a dynamic crypto map template named map1 (you can choose any name), set a sequence number from the available range 1-65535, and apply the transform set.

Make sure to add the reverse-route entry so that a static route for the client address is inserted into the router's routing table.

crypto ipsec transform-set set1 esp-3des esp-md5-hmac
crypto dynamic-map map1 10
set transform-set set1
reverse-route
exit




Step – 6:

Create a crypto map and apply AAA lists that were created in Step-1:


crypto map map1 client configuration address respond
crypto map map1 client authentication list REMOTEUSER
crypto map map1 isakmp authorization list REMOTEUSER-AUTH-LIST
crypto map map1 10 ipsec-isakmp dynamic map1


Step – 7:

Apply crypto map to the internet interface (outbound interface):


interface serial 1/0
crypto map map1
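As an added check that is not part of the original walkthrough, the following Python script audits a saved running-config for the phase-1 and phase-2 settings a reviewer would flag as weak. The embedded sample config and the weakness thresholds are the script's own assumptions, not anything from the page.

```python
# Constructed sample, laid out as 'show running-config' prints it (subcommands indented).
# It mirrors the walkthrough's phase-1 policy, transform set and local user.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 hash md5
 group 2
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
username admin password admin123
"""

# Thresholds are this script's own assumption, following common IKE/IPsec hardening guidance.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}


def audit_config(text):
    """Return a list of (config line, reason) for each weak setting found."""
    findings = []
    in_policy = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp policy"):
            in_policy = True          # following indented lines belong to this policy
            continue
        if in_policy and not raw.startswith(" "):
            in_policy = False         # a top-level command ends the policy block
        parts = line.split()
        if in_policy and len(parts) >= 2:
            keyword, value = parts[0], parts[1]
            if keyword == "encryption" and value in WEAK_ENCRYPTION:
                findings.append((line, "weak phase-1 cipher; prefer AES"))
            elif keyword == "hash" and value in WEAK_HASH:
                findings.append((line, "weak phase-1 hash; prefer sha256 or stronger"))
            elif keyword == "group" and value in WEAK_DH_GROUPS:
                findings.append((line, "weak DH group; prefer group 14 or higher"))
        elif line.startswith("crypto ipsec transform-set"):
            for token in parts[3:]:   # transforms follow 'crypto ipsec transform-set <name>'
                if token in WEAK_ESP:
                    findings.append((line, f"weak phase-2 transform {token}"))
        elif parts[0] == "username" and "password" in parts:
            findings.append((line, "'password' is stored reversibly; use 'secret'"))
    return findings


if __name__ == "__main__":
    for cfg_line, reason in audit_config(SAMPLE_CONFIG):
        print(f"{cfg_line!r}: {reason}")
```

Feed it the output of show running-config from the router to see which of the settings above would be flagged.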



How to verify the isakmp association and ipsec association?


This command shows the ISAKMP security associations:

show crypto isakmp sa

This command shows the IPsec security associations:

show crypto ipsec sa

Verification and troubleshooting can also be done by enabling the debug messages for IKE negotiation and IPsec negotiation:

debug crypto isakmp

debug crypto ipsec

