I had an interesting request come across my desk, where I needed to configure a site-to-site VPN for some internet connected devices, but the devices were not allowed to connect internally to our network. So basically, I needed to tunnel the internet traffic back to our headend without allowing access to the internal network. The remote location also wouldn’t have a static IP. Having used EZVPN in the past, I figured this would be another great use case. Unfortunately I spent way too many hours trying to find a good example of how to get this setup working, so I figured I’d share my config for anyone else who may be struggling with a similar setup.
IOS Router Config (EZVPN Client)
crypto ipsec client ezvpn ez connect auto group MyTunnelGroup key MySecretKey mode client peer 10.10.10.1 username MyVPNUser password MyPassword xauth userid mode local ! interface Fa0/0 description WAN Interface ip address dhcp crypto ipsec client ezvpn ez ! interface Fa0/1 description LAN Interface ip address 192.168.0.1 255.255.255.0 crypto ipsec client ezvpn ez inside !
The first section defines the properties for the EZVPN connection, and there are 3 items that need special attention:
- The group and key you configure here will match the TunnelGroup name and IKEv1 key you configure on the ASA
- The username and password are also defined on the ASA. This is the actual user that is being authenticated.
- The xauth mode needs to be configured as local so the router doesn’t have to prompt for credentials.
Other items to note:
- There are three modes for EZVPN, Client, Network Extension, and Network Plus. If this were a true L2L VPN, I’d use Network Extension or Network Extension Plus so that there was direct IP-IP connectivity between hosts on either side of the VPN. Since I don’t need that, I’m configuring Client mode which is similar to a PAT for all client traffic.
- The peer IP will be the outside address of your EZVPN server.
ASA Configuration (EZVPN Server)
access-list EZVPN-ACL standard deny 10.0.0.0 255.0.0.0 access-list EZVPN-ACL standard permit any4 ! group-policy MyGroupPolicy internal group-policy MyGroupPolicy attributes dns-server value 18.104.22.168 vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter value EZVPN-ACL vpn-tunnel-protocol ikev1 group-lock none split-tunnel-policy tunnelall split-tunnel-all-dns enable vlan none nac-settings none ! username MyVPNUser password MyPassword username MyVPNUser attributes vpn-group-policy MyGroupPolicy ! tunnel-group MyTunnelGroup type remote-access tunnel-group MyTunnelGroup general-attributes default-group-policy MyGroupPolicy tunnel-group MyTunnelGroup ipsec-attributes ikev1 pre-shared-key MySecretKey
The Tunnel Group defines the preshared key for the connection that was referenced in the group MyTunnelGroup key MySecretKey command on the client. The Tunnel Group config also points to a Group Policy that will control the policy for the tunnel. I created a new policy, but you could also use the default DfltGrpPolicy if it fit your needs.
The beautiful thing about EZVPN is that all of the policy aspects are controlled at the Server side. So while the current requirement is to block access to internal resources, I could easily change that on the server side without worrying about messing up the config on the client and bringing the tunnel down.