
How to create a VPN server using SDM

As I explained in the article Security Device Manager aka SDM, SDM is a Web-based device management tool for Cisco routers that can improve the productivity of network managers, simplify router deployments, and help troubleshoot complex network and VPN connectivity issues.

What is a virtual private network? A virtual private network (VPN) is a computer network in which some of the links between nodes are carried by open connections or virtual circuits in some larger network (e.g., the Internet) instead of by physical wires. The link-layer protocols of the virtual network are said to be tunneled through the larger network when this is the case. One common application is secure communications through the public Internet, but a VPN need not have explicit security features, such as authentication or content encryption. VPNs, for example, can be used to separate the traffic of different user communities over an underlying network with strong security features.

Using this wizard, it is possible to create a Layer 3 VPN through the IPsec protocol. Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host. IPsec is an end-to-end security solution and operates at the Internet Layer of the Internet Protocol Suite, comparable to Layer 3 in the OSI model. Other Internet security protocols in widespread use, such as SSL, TLS and SSH, operate in the upper layers of these models. This makes IPsec more flexible, as it can be used to protect all the higher-level protocols without applications needing to be designed for it, whereas the use of TLS/SSL or other higher-layer protocols must be incorporated into the design of an application.

Ok, and how can I create a VPN using SDM? There are a few steps to create a VPN server on our Cisco router:

1. Log in to your SDM
2. Click the Configure icon in the toolbar at the top of the window
3. Click the VPN icon in the Tasks toolbar on the left side of the window
4. Choose the Easy VPN Server option in the middle part of the window

If you have not configured AAA, the wizard asks you to configure it. Click on Enable AAA and click OK to close the popup.

After enabling AAA, you can start the VPN wizard:

Click on the Next button (in this screenshot I will click on the Avanti tab, Italian language hihihi), select the interface that will receive the VPN requests from the VPN clients (in my case FastEthernet 0/0) and select pre-shared key authentication. Click on the Next button.

In this step you can configure the IKE proposals: IKE proposal priority, DH group (1, 2, or 5), encryption algorithm (DES, 3DES, AES, or SEAL), HMAC (SHA-1 or MD5) and IKE lifetime. If you prefer, you can change the default settings. Click on the Next button.

You can use the default IPsec transform set or create a new one using these parameters: transform set name, encryption algorithm (DES, 3DES, AES, or SEAL), HMAC (SHA-1 or MD5), optional compression and mode of operation (tunnel or transport). Click on the Next button.

In this step you can choose from three options for the location where the Easy VPN group policies are stored:

Local: all the groups will be in the router configuration in NVRAM
RADIUS: the router will use a RADIUS server for group authorization
RADIUS and local: the router will also be able to look up policies stored in an AAA server database that can be reached via RADIUS

The local database is recommended if you do not have a RADIUS or TACACS+ server in your network. Click on the Next button.

Now define the group authorization and user group policies.

When you click the Add button, you can define: General parameters, DNS/WINS, Split tunneling, Advanced options and Xauth Options. In our case it is sufficient to configure the General parameters tab. The group name is test, the password is ciscozine and the IP pool is from 192.168.10.1 to 192.168.10.10. Click on the OK button to save the Add Group Policy.

Click next.

Once you have finished all the steps to configure the Easy VPN Server, the Easy VPN Server wizard presents a summary of the configured parameters.

Click Back to correct any errors in the configuration. Otherwise, click Finish to apply the configuration to the router. The final configuration will be:
!This is the running config of the router: 192.168.1.12
!---------------------------------------------------------------------------
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Ciscozine
!
boot-start-marker
boot-end-marker
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
ip cef
ip audit po max-events 100
!
username ciscozine privilege 15 secret 5 $1$uZAG$n7SP/bF1Y2UEfepGjtblH.
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group test
 key ciscozine
 pool SDM_POOL_1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface FastEthernet0/0
 ip address 192.168.1.12 255.255.255.0
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip local pool SDM_POOL_1 192.168.10.1 192.168.10.10
ip http server
ip http authentication local
ip http secure-server
ip classless
!
line con 0
line aux 0
line vty 0 4
!
end
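As an added example (not part of the original article), a small Python audit of the security-relevant lines in the running config the wizard generates: it groups the IOS config into command blocks and reports the wizard defaults a defender would want to revisit (3DES, DH group 2, plain HTTP for SDM, clear-text group key, missing Xauth). parse_ios and audit_easy_vpn are hypothetical helpers, and the embedded config is a constructed excerpt of the one shown above.

```python
# Constructed excerpt of the Easy VPN Server running config shown above
# (only the lines the audit inspects; hypothetical helper, not from SDM).
SAMPLE_CONFIG = """\
no service password-encryption
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group test
 key ciscozine
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
ip http server
ip http secure-server
"""

def parse_ios(text):
    """Group an IOS config into (command, [indented subcommands]) blocks."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # skip blank lines and '!' separators
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())  # subcommand of previous block
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit_easy_vpn(text):
    """Return a list of findings for an Easy VPN Server configuration."""
    blocks = parse_ios(text)
    top = [cmd for cmd, _ in blocks]
    findings = []
    if "no service password-encryption" in top:
        findings.append("password-encryption off: the group key is shown in clear text")
    if "ip http server" in top:
        findings.append("ip http server: SDM reachable over plain HTTP, keep only the secure server")
    if not any(c.startswith("crypto map") and " client authentication list " in c for c in top):
        findings.append("xauth: no client authentication list, the group key is the only credential")
    for cmd, subs in blocks:
        if cmd.startswith("crypto isakmp policy"):
            if not any(s.startswith("encr aes") for s in subs):  # no 'encr' means DES
                findings.append(f"{cmd}: IKE encryption is DES/3DES, prefer AES")
            if any(s in ("group 1", "group 2") for s in subs):
                findings.append(f"{cmd}: DH group 1/2 is weak, prefer group 5 or higher")
        elif cmd.startswith("crypto ipsec transform-set") and "esp-aes" not in cmd:
            findings.append(f"{cmd}: IPsec transform set uses DES/3DES, prefer AES")
    return findings
```

Run audit_easy_vpn on the output of "show running-config" to see which of the wizard's defaults still need hardening on your own router.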

Remember to save the configuration!

To change the VPN server settings:
1. Click the Configure icon in the toolbar at the top of the window
2. Click the VPN icon in the Tasks toolbar on the left side of the window

If you want to view the VPN status:
1. Click the Monitor icon in the toolbar at the top of the window
2. Click the VPN icon in the Tasks toolbar on the left side of the window
