Perform the following task to configure a CPP firewall policy push using a local AAA server.

Perform the following task to configure a CPP firewall policy push using a remote AAA server.

To verify and monitor your DHCP client proxy configuration, perform the following task.

Note	You can use the show and debugcommands in any order.

The following example shows how to define group policy information locally for Mode Configuration. In this example, a group is named “cisco” and another group is named “default.” The policy is enforced for all users who do not offer a group name that matches “cisco.”

! Enable policy look-up via AAA. For authentication and authorization, send requests to
! RADIUS first, then try local policy.
aaa new-model
aaa authentication login userlist group radius local
aaa authorization network grouplist group radius local
enable password XXXX
!
username cisco password 0 cisco
clock timezone PST -8
ip subnet-zero
! Configure IKE policies, which are assessed in order so that the first policy that
matches the proposal of the client will be used.
crypto isakmp policy 1
 group 2
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp identity hostname
!
! Define “cisco” group policy information for mode config push.
crypto isakmp client configuration group cisco
 key cisco
 dns 10.2.2.2 10.2.2.3
 wins 10.6.6.6
 domain cisco.com
 pool pool1
 acl 199
! Define default group policy for mode config push.
crypto isakmp client configuration group default
 key cisco
 dns 10.2.2.2 10.3.2.3
 pool pool1
 acl 199
!
!
crypto ipsec transform-set set1 esp-des esp-sha-hmac 
!
crypto dynamic-map mode 1
 set transform-set set1 
!
! Apply mode config and xauth to crypto map “mode.” The list names that are defined here
! must match the list names that are defined in the AAA section of the config.
crypto map mode client authentication list userlist
crypto map mode isakmp authorization list grouplist
crypto map mode client configuration address respond
crypto map mode 1 ipsec-isakmp dynamic mode 
!
!
controller ISA 1/1
!
!         
interface GigabitEthernet0/0
 ip address 10.6.1.8 255.255.0.0
 ip route-cache
 ip mroute-cache
 duplex auto
 speed auto
 crypto map mode
!
interface GigabitEthernet0/1
 ip address 192.168.1.28 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
! Specify IP address pools for internal IP address allocation to clients.
ip local pool pool1 192.168.2.1 192.168.2.10
ip classless
ip route 0.0.0.0 0.0.0.0 10.6.0.1
!
! Define access lists for each subnet that should be protected.
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.3.0 0.0.0.255 any
!
! Specify a RADIUS server host and configure access to the server.
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key XXXXX
radius-server retransmit 3
!
!
line con 0
 exec-timeout 0 0
 length 25
 transport input none
line aux 0
line vty 5 15
!

The following example shows a standard RADIUS group profile that includes RADIUS IPsec AV pairs. To get the group authorization attributes, “cisco” must be used as the password.

client_r Password = "cisco"
 Service-Type = Outbound
       
 cisco-avpair = "ipsec:tunnel-type*ESP"
 cisco-avpair = "ipsec:key-exchange=ike"
 cisco-avpair = "ipsec:tunnel-password=lab"
 cisco-avpair = "ipsec:addr-pool=pool1"
 cisco-avpair = "ipsec:default-domain=cisco"
 cisco-avpair = "ipsec:inacl=101"
 cisco-avpair = "ipsec:access-restrict=fastethernet 0/0"
 cisco-avpair = "ipsec:group-lock=1"
 cisco-avpair = "ipsec:dns-servers=10.1.1.1 10.2.2.2"
 cisco-avpair = "ipsec:firewall=1"
 cisco-avpair = "ipsec:include-local-lan=1"
 cisco-avpair = "ipsec:save-password=1"
 cisco-avpair = "ipsec:wins-servers=10.3.3.3 10.4.4.4"
 cisco-avpair = "ipsec:split-dns=green.com"
 cisoc-avpair = "ipsec:ipsec-backup-gateway=10.1.1.1"
 cisoc-av5pair = "ipsec:ipsec-backup-gateway=10.1.1.2"
 cisoc-avpair = "ipsec:pfs=1"
 cisco-avpair = "ipsec:cpp-policy="Enterprise Firewall"
 cisco-avpair = “ipsec:auto-update=”Win http://example.com 4.0.1”
 cisco-avpair = “ipsec:browser-proxy=bproxy_profile_A”
 cisco-avpair = "ipsec:banner=Xauth banner text here"

The following example shows a RADIUS user profile that is set up for a group that has group-lock configured. The user name is entered in the same format as the user@domain format.

abc@example.com Password = "abcll1111"
cisco-avpair = "ipsec:user-include-local-lan=1"
cisco-avpair = "ipsec:user-save-password=1"
Framed-IP-Address = 10.10.10.10

The following example shows a standard RADIUS user profile that includes RADIUS IPsec AV pairs. These user attributes will be obtained during Xauth.

ualluall Password = "uall1234"
        cisco-avpair = "ipsec:user-vpn-group=unity"
        cisco-avpair = "ipsec:user-include-local-lan=1"
        cisco-avpair = "ipsec:user-save-password=1"
        Framed-IP-Address = 10.10.10.10

The following example shows that five backup gateways have been configured, that the maximum users have been set to 250, and that maximum logins have been set to 2:

crypto isakmp client configuration group sdm
 key 6 RMZPPMRQMSdiZNJg`EBbCWTKSTi\d[
 pool POOL1
 acl 150
 backup-gateway 172.16.12.12
 backup-gateway 172.16.12.13
 backup-gateway 172.16.12.14
 backup-gateway 172.16.12.130
 backup-gateway 172.16.12.131
 max-users 250
 max-logins 2

The following example shows that Easy VPN has been configured with an IPsec virtual tunnel interface.

!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local 
!
aaa session-id common
!
resource policy
!         
clock timezone IST 0
ip subnet-zero
ip cef
no ip domain lookup
no ip dhcp use vrf connected
!
username lab password 0 lab
!
crypto isakmp policy 3
 authentication pre-share
 group 2
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group easy
 key cisco
 domain foo.com
 pool dpool
 acl 101
crypto isakmp profile vi
   match identity group easy
   isakmp authorization list default
   client configuration address respond
   client configuration group easy
   virtual-template 1
!
!
crypto ipsec transform-set set esp-3des esp-sha-hmac 
!
crypto ipsec profile vi
 set transform-set set 
 set isakmp-profile vi
!
!
interface Loopback0
 ip address 10.4.0.1 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 10.3.0.2 255.255.255.0
 no keepalive
 no cdp enable
interface GigabitEthernet1/0
 no ip address
 no keepalive
 no cdp enable
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
ip local pool dpool 10.5.0.1 10.5.0.10
!
ip classless
ip route 10.2.0.0 255.255.255.0 10.3.0.1
no ip http server
no ip http secure-server
!         
!
access-list 101 permit ip 10.4.0.0 0.0.0.255 any
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
!
end

The following show crypto ipsec client ezvpn command output displays the Mode Configuration URL location and version:

Router# show crypto ipsec client ezvpn
Easy VPN Remote Phase: 5
Tunnel name : branch
Inside interface list: Vlan1
Outside interface: FastEthernet0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.209
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Allowed
Configuration URL [version]: tftp://172.16.30.2/branch.cfg [11]
Config status: applied, Last successfully applied version: 11
Current EzVPN Peer: 192.168.10.1

The following show crypto isakmp peers config command output displays all manageability information that is sent by the remote device.

Router# show crypto isakmp peers config
Client-Public-Addr=192.168.10.2:500; Client-Assigned-Addr=172.16.1.209; Client-Group=branch; Client-User=branch; Client-Hostname=branch.; Client-Platform=Cisco 1711; Client-Serial=FOC080210E2 (412454448); Client-Config-Version=11; Client-Flash=33292284; Client-Available-Flash=10202680; Client-Memory=95969280; Client-Free-Memory=14992140; Client-Image=flash:c1700-advipservicesk9-mz.ef90241;
Client-Public-Addr=192.168.10.3:500; Client-Assigned-Addr=172.16.1.121; Client-Group=store; Client-User=store; Client-Hostname=831-storerouter.; Client-Platform=Cisco C831; Client-Serial=FOC08472UXR (1908379618); Client-Config-Version=2; Client-Flash=24903676; Client-Available-Flash=5875028; Client-Memory=45298688; Client-Free-Memory=6295596; Client-Image=flash:c831-k9o3y6-mz.ef90241

The following example shows that the Per User AAA Download with PKI feature has been configured on the Easy VPN server.

Router# show running-config
Building configuration...
Current configuration : 7040 bytes
!
! Last configuration change at 21:06:51 UTC Tue Jun 28 2005
!
version 15.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname GEN
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa group server radius usrgrppki
 server 10.76.248.201 auth-port 1645 acct-port 1646
!
aaa authentication login xauth group usrgrppki
aaa authentication login usrgrp group usrgrppki
aaa authorization network usrgrp group usrgrppki 
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip address-pool local
!
!
crypto pki trustpoint ca-server
 enrollment url http://10.7.7.2:80
 revocation-check none
 rsakeypair rsa-pair
 ! Specify the field within the certificate that will be used as a username to do a per-user AAA lookup into the RADIUS database. In this example, the contents of the  commonname will be used to do a AAA lookup. In the absence of this statement, by default  the contents of the “unstructured name” field in the certificate is used for AAA lookup.
 authorization username subjectname commonname
!
!
crypto pki certificate map CERT-MAP 1
 subject-name co yourname
 name co yourname
!
crypto pki certificate chain ca-server
 certificate 02
  308201EE 30820157 A0030201 02020102 300D0609 2A864886 F70D0101 04050030 
  14311230 10060355 04031309 63612D73 65727665 72301E17 0D303530 36323832 
  30303731 345A170D 30363036 32383230 30373134 5A301531 13301106 092A8648 
  86F70D01 09021604 47454E2E 30819F30 0D06092A 864886F7 0D010101 05000381 
  8D003081 89028181 00ABF8F0 FDFFDF8D F22098D6 A48EE0C3 F505DD96 C0022EA4 
  EAB95EE8 1F97F450 990BB0E6 F2B7151F C5C79391 93822FE4 DEE5B00C A03412BB 
  9B715AAD D6C31F93 D8802658 AF9A8866 63811942 913D0C02 C3E328CC 1C046E94 
  F73B7C1A 4497F86E 74A627BC B809A3ED 293C15F2 8DCFA217 5160F9A4 09D52044 
  350F85AF 08B357F5 D7020301 0001A34F 304D300B 0603551D 0F040403 0205A030 
  1F060355 1D230418 30168014 F9BC4498 3DA4D51D 451EFEFD 5B1F5F73 8D7B1C9B 
  301D0603 551D0E04 1604146B F6B2DFD1 1FE237FF 23294129 E55D9C48 CCB04630 
  0D06092A 864886F7 0D010104 05000381 81004AFF 2BE300C1 15D0B191 C20D06E0 
  260305A6 9DF610BB 24211516 5AE73B62 78E01FE4 0785776D 3ADFA3E2 CE064432 
  1C93E82D 93B5F2AB 9661EDD3 499C49A8 F87CA553 9132F239 1D50187D 21CC3148 
  681F5043 2F2685BC F544F4FF 8DF535CB E55B5F36 31FFF025 8969D9F8 418C8AB7 
  C569B022 46C3C63A 22DD6516 C503D6C8 3D81
  quit
 certificate ca 01
  30820201 3082016A A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  14311230 10060355 04031309 63612D73 65727665 72301E17 0D303530 36323832 
  30303535 375A170D 30383036 32373230 30353537 5A301431 12301006 03550403 
  13096361 2D736572 76657230 819F300D 06092A86 4886F70D 01010105 0003818D 
  00308189 02818100 BA1A4413 96339C6B D36BD720 D25C9A44 E0627A29 97E06F2A 
  69B268ED 08C7144E 7058948D BEA512D4 40588B87 322C5D79 689427CA 5C54B3BA 
  82FAEC53 F6AC0B5C 615D032C 910CA203 AC6AB681 290D9EED D31EB185 8D98E1E7 
  FF73613C 32290FD6 A0CBDC40 6E4D6B39 DE1D86BA DE77A55E F15299FF 97D7C185 
  919F81C1 30027E0F 02030100 01A36330 61300F06 03551D13 0101FF04 05300301 
  01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830 168014F9 
  BC44983D A4D51D45 1EFEFD5B 1F5F738D 7B1C9B30 1D060355 1D0E0416 0414F9BC 
  44983DA4 D51D451E FEFD5B1F 5F738D7B 1C9B300D 06092A86 4886F70D 01010405 
  00038181 003EF397 F4D98BDE A4322FAF 4737800F 1671F77E BD6C45AE FB91B28C 
  F04C98F0 135A40C6 635FDC29 63C73373 5D5BBC9A F1BBD235 F66CE1AD 6B4BFC7A 
  AB18C8CC 1AB93AF3 7AC67436 930E9C81 F43F7570 A8FE09AE 3DEA01D1 DA6BD0CB 
  83F9A77F 1DFAFE5E 2F1F206B F1FDD8BE 6BB57A3C 8D03115D B1F64A3F 7A7557C1 
  09B0A34A DB
  quit
!
!
crypto isakmp policy 10
 group 2
crypto isakmp keepalive 10
crypto isakmp profile ISA-PROF
   match certificate CERT-MAP
   isakmp authorization list usrgrp
   client pki authorization list usrgrp
   client configuration address respond
   client configuration group pkiuser
   virtual-template 2
!
!
crypto ipsec transform-set trans2 esp-3des esp-sha-hmac 
!
crypto ipsec profile IPSEC_PROF
 set transform-set trans2 
!
crypto ipsec profile ISC_IPSEC_PROFILE_1
 set transform-set trans2 
!         
!
crypto call admission limit ike sa 40
!
!
interface Loopback0
 ip address 10.3.0.1 255.255.255.255
 no ip route-cache cef
 no ip route-cache
!
interface Loopback1
 ip address 10.76.0.1 255.255.255.255
 no ip route-cache cef
 no ip route-cache
!
interface GigabitEthernet3/0
 ip address 10.76.248.209 255.255.255.255
 no ip route-cache cef
 no ip route-cache
 duplex half
!
!
interface GigabitEthernet3/2
 ip address 10.2.0.1 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 duplex half
!
!
interface Serial4/0
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 serial restart-delay 0
!
interface Serial4/1
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 serial restart-delay 0
!
interface Serial4/2
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 serial restart-delay 0
!         
interface Serial4/3
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 serial restart-delay 0
!
interface FastEthernet5/0
 ip address 10.9.4.77 255.255.255.255
 no ip route-cache cef
 no ip route-cache
 duplex half
!
interface FastEthernet6/0
 ip address 10.7.7.1 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 duplex full
!
interface Virtual-Template1 
 no ip address
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 tunnel source Ethernet3/2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF
!
router eigrp 20
 network 172.16.0.0
 auto-summary
!
ip local pool ourpool 10.6.6.6
ip default-gateway 10.9.4.1
ip classless
ip route 10.1.0.1 255.255.255.255 10.0.0.2
ip route 10.2.3.0 255.255.0.0 10.2.4.4
ip route 10.9.1.0 255.255.0.0 10.4.0.1
ip route 10.76.0.0 255.255.0.0 10.76.248.129
ip route 10.11.1.1 255.255.255.0 10.7.7.2
!
no ip http server
no ip http secure-server
!
!
logging alarm informational
arp 10.9.4.1 0011.bcb4.d40a ARPA
!
!
radius-server host 10.76.248.201 auth-port 1645 acct-port 1646 key cisco
!
control-plane
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!         
!
end

The following example shows that per-user attributes have been configured on an Easy VPN server.

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login noAAA none
aaa authorization network default local 
!
aaa attribute list per-group
 attribute type inacl "per-group-acl" service ike protocol ip mandatory
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
username example password 0 example
!
!
crypto isakmp policy 3
 authentication pre-share
 group 2
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group PerUserAAA
 key cisco
 pool dpool
 crypto aaa attribute list per-group
!
crypto isakmp profile vi
 match identity group PerUserAAA
 isakmp authorization list default
 client configuration address respond
 client configuration group PerUserAAA
 virtual-template 1
!
!
crypto ipsec transform-set set esp-3des esp-sha-hmac 
!
crypto ipsec profile vi
 set transform-set set 
 set isakmp-profile vi
!
!
interface GigabitEthernet0/0
 description 'EzVPN Peer'
 ip address 192.168.1.1 255.255.255.128
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
ip local pool dpool 10.5.0.1 10.5.0.10
ip classless
!
no ip http server
no ip http secure-server
!
!
ip access-list extended per-group-acl
 permit tcp any any
 deny   icmp any any
logging alarm informational
logging trap debugging
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
line aux 0
 stopbits 1
line vty 0 4
!
!
end

The following example shows that an Easy VPN server that has been enabled with Network Admission Control.

Note	Network Admission Control is supported on an Easy VPN server only when the server uses IPsec virtual interfaces. Network Admission Control is enabled on the virtual template interface and applies to all PC clients that use this virtual template interface.

Router# show running-config
Building configuration...
Current configuration : 5091 bytes
!
version 15.0
!
hostname Router
!
aaa new-model
!
!
aaa authentication login userlist local
!
aaa authentication eou default group radius
aaa authorization network hw-client-groupname local
aaa accounting update newinfo
aaa accounting network acclist start-stop broadcast group radius
aaa session-id common
!
!
! Note 1: EAPoUDP packets will use the IP address of the loopback interface when sending the EAPoUDP hello to the Easy VPN client. Using the IP address ensures that the returning EAPoUDP packets come back encrypted and are associated with the correct virtual access interface. The ip admission (ip admission source-interface Loopback10) command is optional. Instead of using this command, you can specify the IP address of the virtual template to be an address in the inside network space as shown in the configuration of the virtual template below in Note 2.
ip admission source-interface Loopback10
ip admission name test eapoudp inactivity-time 60
!
!
eou clientless username cisco
eou clientless password cisco
eou allow ip-station-id
eou logging
!
username lab password 0 lab
username lab@easy password 0 lab
!
!
crypto isakmp policy 3
  encr 3des
  authentication pre-share
  group 2
!
!
crypto isakmp key 0 cisco address 10.53.0.1
crypto isakmp client configuration group easy
  key cisco
  domain cisco.com
  pool dynpool
  acl split-acl
  group-lock
  configuration url tftp://10.13.0.9/Config-URL_TFTP.cfg
  configuration version 111
!
crypto isakmp profile vi
    match identity group easy
    client authentication list userlist
    isakmp authorization list hw-client-groupname
    client configuration address respond
    client configuration group easy
    accounting acclist
    virtual-template 2
!
crypto ipsec security-association lifetime seconds 120
crypto ipsec transform-set set esp-3des esp-sha-hmac
crypto ipsec transform-set aes-trans esp-aes esp-sha-hmac
crypto ipsec transform-set transform-1 esp-des esp-sha-hmac
crypto ipsec profile vi
  set security-association lifetime seconds 3600
  set transform-set set aes-trans transform-1
  set isakmp-profile vi
!
!
crypto dynamic-map dynmap 1
  set transform-set aes-trans transform-1
  reverse-route
!
interface Loopback10
  ip address 10.61.0.1 255.255.255.255
!
interface FastEthernet0/0
  ip address 10.13.11.173 255.255.255.255
  duplex auto
  speed auto
!
interface FastEthernet0/1
  ip address 10.55.0.1 255.255.255.255
  duplex auto
  speed auto
!
!
interface Virtual-Template2 type tunnel
! Note2: Use the IP address of the loopback10. This ensures that the EAPoUDP packets that are attached to virtual-access interfaces that are cloned from this virtual template carry the source address of the loopback address and that response packets from the VPN client come back encrypted.
!
  ip unnumbered Loopback10
! Enable Network Admission Control for remote VPN clients.
  ip admission test
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile vi
!
!
ip local pool dynpool 172.16.2.65 172.16.2.70
ip classless
ip access-list extended ClientException
  permit ip any host 10.61.0.1
ip access-list extended split-acl
  permit ip host 10.13.11.185 any
  permit ip 10.61.0.0 255.255.255.255 any
  permit ip 10.71.0.0 255.255.255.255 any
  permit ip 10.71.0.0 255.255.255.255 10.52.0.0 0.255.255.255
  permit ip 10.55.0.0 255.255.255.255 any
!
ip radius source-interface FastEthernet0/0
access-list 102 permit esp any any
access-list 102 permit ahp any any
access-list 102 permit udp any any eq 21862
access-list 102 permit ospf any any
access-list 102 deny ip any any
access-list 195 deny ospf any any
access-list 195 permit ip 10.61.0.0 255.255.255.255 10.51.0.0 255.255.255.255
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server host 10.13.11.185 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send accounting
radius-server vsa send authentication
!
end

The following example shows that password aging has been configured so that if the password expires, the Easy VPN client is notified.

Current configuration : 4455 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
!
!
aaa new-model
!
!
aaa authentication login USERAUTH passwd-expiry group radius aaa authorization network branch local !
aaa session-id common
!
ip cef
username cisco privilege 15 secret 5 $1$A3HU$bCWjlkrEztDJx6JJzSnMV1 !
!
crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
crypto isakmp client configuration address-pool local dynpool !
crypto isakmp client configuration group branch
  key cisco
  domain cisco.com
  pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac !
crypto isakmp profile profile2
   client authentication list USERAUTH
   match identity group branch
   isakmp authorization list branch
   client configuration address respond
   virtual-template 1
crypto ipsec profile vi
  set transform-set transform-1
interface GigabitEthernet0/0
  description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
  ip address 192.168.1.100 255.255.255.0
  duplex auto
  speed auto
  crypto map dynmap
!
interface GigabitEthernet0/1
  description $ES_LAN$
  ip address 172.19.217.96 255.255.255.0
  duplex auto
  speed auto
!
!interface Virtual-Template1 type tunnel
  ip unnumbered GigabitEthernet0/2
  no clns route-cache
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile vi
!
ip local pool dpool 10.0.0.1 10.0.0.3
!
radius-server host 172.19.220.149 auth-port 1645 acct-port 1646 key cisco radius-server vsa send authentication !
control-plane
!
!
end

In the following example, the split tunnel list named “101” contains the 10.168.0.0/16 network. It is necessary to include this network information so that the DNS requests to the internal DNS server of 10.168.1.1 are encrypted.

crypto isakmp client configuration group home
  key abcd
  acl 101
  dns 10.168.1.1. 10.168.1.2

show Output

The following exampleshows that www.ciscoexample1.com and www.ciscoexample2.com have been added to the policy group:

Router# show running-config
 | security group
 crypto isakmp client configuration group 831server
 key abcd
 dns 10.104.128.248
 split-dns www.ciscoexample1.com
 split-dns www.ciscoexample2.com
 group home2 key abcd

The following sample output from the show ip dns view command displays currently configured DNS views:

Router# show ip dns view
DNS View default parameters:
Logging is off
DNS Resolver settings:
  Domain lookup is enabled
  Default domain name: cisco.com
  Domain search list:
  Lookup timeout: 3 seconds
  Lookup retries: 2
  Domain name-servers:
    172.16.168.183
DNS Server settings:
  Forwarding of queries is enabled
  Forwarder addresses:
DNS View ezvpn-internal-view parameters:
Logging is off
DNS Resolver settings:
  Domain lookup is enabled
  Default domain name: 
  Domain search list:
  Lookup timeout: 3 seconds
  Lookup retries: 2
  Domain name-servers:
    10.104.128.248
DNS Server settings:
  Forwarding of queries is enabled
  Forwarder addresses:

The following sample output from the show ip dns view-list command displays currently configured DNS view lists.

Router# show ip dns view-list
View-list ezvpn-internal-viewlist:
  View ezvpn-internal-view:
    Evaluation order: 10
    Restrict to ip dns name-list: 1
  View default:
    Evaluation order: 20

The following sample output from the show ip dns name-list command displays DNS name lists.

Router# show ip dns name-list
ip dns name-list 1
    permit www.ciscoexample1.com
    permit www.ciscoexample2.com

The following examples display DHCP client proxy output information using show and debug commands.

show Output

Note	To use the show ip dhcpcommand, the DHCP server must be a Cisco IOS XE server.

The following sample output from the show ip dhcp poolcommand provides information about the DHCP parameters:

Router# show ip dhcp pool
Pool dynpool :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 1
 Pending event                  : none
 1 subnet is currently in the pool:
 Current index    IP address range          Leased addresses
                  10.3.3.1 - 10.3.3.254     1
 No relay targets associated with class aclass

The following sample output from the show ip dhcp command provides information about the DHCP bindings:

Router# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/                       Lease expiration      Type
                    Hardware address/User name
                    10.3.3.5  0065.7a76.706e.2d63.   Apr 04 2006 06:01 AM  Automatic                     6c69.656e.74

debug Output

The following example shows how the debug crypto isakmp and debug ip dhcp server events commands can be used to troubleshoot your DHCP client proxy support configuration:

*Apr  3 06:01:32.047: ISAKMP: Config payload REQUEST *Apr  3 06:01:32.047: ISAKMP:(1002):checking request:
*Apr  3 06:01:32.047: ISAKMP:    IP4_ADDRESS
*Apr  3 06:01:32.047: ISAKMP:    IP4_NETMASK
*Apr  3 06:01:32.047: ISAKMP:    MODECFG_CONFIG_URL
*Apr  3 06:01:32.047: ISAKMP:    MODECFG_CONFIG_VERSION
*Apr  3 06:01:32.047: ISAKMP:    IP4_DNS
*Apr  3 06:01:32.047: ISAKMP:    IP4_DNS
*Apr  3 06:01:32.047: ISAKMP:    IP4_NBNS
*Apr  3 06:01:32.047: ISAKMP:    IP4_NBNS
*Apr  3 06:01:32.047: ISAKMP:    SPLIT_INCLUDE
*Apr  3 06:01:32.047: ISAKMP:    SPLIT_DNS
*Apr  3 06:01:32.047: ISAKMP:    DEFAULT_DOMAIN
*Apr  3 06:01:32.047: ISAKMP:    MODECFG_SAVEPWD
*Apr  3 06:01:32.047: ISAKMP:    INCLUDE_LOCAL_LAN
*Apr  3 06:01:32.047: ISAKMP:    PFS
*Apr  3 06:01:32.047: ISAKMP:    BACKUP_SERVER
*Apr  3 06:01:32.047: ISAKMP:    APPLICATION_VERSION
*Apr  3 06:01:32.047: ISAKMP:    MODECFG_BANNER
*Apr  3 06:01:32.047: ISAKMP:    MODECFG_IPSEC_INT_CONF
*Apr  3 06:01:32.047: ISAKMP:    MODECFG_HOSTNAME
*Apr  3 06:01:32.047: ISAKMP/author: Author request for group homesuccessfully sent to AAA *Apr  3 06:01:32.047: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Apr  3 06:01:32.047: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
*Apr  3 06:01:32.047: ISAKMP:(1002):attributes sent in message:
*Apr  3 06:01:32.047:         Address: 10.2.0.0
*Apr  3 06:01:32.047: Requesting DHCP Server0 address 10.3.3.3 *Apr  3 06:01:32.047: DHCPD: Sending notification of DISCOVER:
*Apr  3 06:01:32.047:   DHCPD: htype 1 chaddr aabb.cc00.6600
*Apr  3 06:01:32.047:   DHCPD: circuit id 00000000
*Apr  3 06:01:32.047: DHCPD: Seeing if there is an internally specified pool class:
*Apr  3 06:01:32.047:   DHCPD: htype 1 chaddr aabb.cc00.6600
*Apr  3 06:01:32.047:   DHCPD: circuit id 00000000
*Apr  3 06:01:34.063: DHCPD: Adding binding to radix tree (10.3.3.5) *Apr  3 06:01:34.063: DHCPD: Adding binding to hash tree *Apr  3 06:01:34.063: DHCPD: assigned IP address 10.3.3.5 to client 0065.7a76.706e.2d63.6c69.656e.74.
*Apr  3 06:01:34.071: DHCPD: Sending notification of ASSIGNMENT:
*Apr  3 06:01:34.071:  DHCPD: address 10.3.3.5 mask 255.255.255.0
*Apr  3 06:01:34.071:   DHCPD: htype 1 chaddr aabb.cc00.6600
*Apr  3 06:01:34.071:   DHCPD: lease time remaining (secs) = 86400
*Apr  3 06:01:34.183: Obtained DHCP address 10.3.3.5 *Apr  3 06:01:34.183: ISAKMP:(1002):allocating address 10.3.3.5 *Apr  3 06:01:34.183: ISAKMP: Sending private address: 10.3.3.5 *Apr  3 06:01:34.183: ISAKMP: Sending subnet mask: 255.255.255.0

The following example displays that neither a VRF nor an IP address has been defined:

aaa new-model
aaa authentication login VPN group radius
aaa authorization network VPN group radius 
!
ip vrf example1
 rd 1:1
!
crypto isakmp profile example1
 match identity group example1group
 client authentication list VPN
 isakmp authorization list VPN
 client configuration address respond
 virtual-template 10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac 
!
crypto ipsec profile example1
 set transform-set TS 
 set isakmp-profile example1
!
interface Virtual-Template10 type tunnel
! The next line shows that neither VRF nor an IP address has been defined.
 no ip address
tunnel mode ipsec ipv4
tunnel protection ipsec profile example1

Glossary

AAA--authentication, authorization, and accounting. Framework of security services that provides the method for identifying users (authentication), for remote access control (authorization), and for collecting and sending security server information used for billing, auditing, and reporting (accounting).

aggressive mode (AM)--Mode during Internet Key Exchange negotiation. Compared to main mode (MM), AM eliminates several steps, which makes it faster but less secure than MM. Cisco IOS XE software will respond in aggressive mode to an IKE peer that initiates aggressive mode.

AV pair--attribute-value pair. Additional authentication and authorization information in the following format: Cisco:AVPair=“protocol:attribute=value”.

IKE--Internet Key Exchange. Hybrid protocol that implements Oakley key exchange and Skeme key exchange inside the ISAKMP framework. Although IKE can be used with other protocols, its initial implementation is with IPsec. IKE provides authentication of the IPsec peers, negotiates IPsec keys, and negotiates IPsec security associations.

IPsec--IP Security Protocol. Framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPsec provides these security services at the IP layer. IPsec uses IKE to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPsec. IPsec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

ISAKMP--Internet Security Association Key Management Protocol. Protocol framework that defines payload formats, the mechanics of implementing a key exchange protocol, and the negotiation of a security association.

MM--main mode. Mode that is slower than aggressive mode but more secure and more flexible than aggressive mode because it can offer an IKE peer more security proposals. The default action for IKE authentication (Rivest, Shamir, and Adelman signature (rsa-sig), RSA encryption (rsa-encr), or preshared) is to initiate main mode.

policy push --Allows administrators to push policies that enforce security to the Cisco Easy VPN (software) Client and related firewall software.

reverse route injection (RRI)--Simplified network design for VPNs on which there is a requirement for redundancy or load balancing. RRI works with both dynamic and static crypto maps.

In the dynamic case, as remote peers establish IPsec security associations with an RRI enabled router, a static route is created for each subnet or host protected by that remote peer. For static crypto maps, a static route is created for each destination of an extended access-list rule.

SA--security association. Description of how two or more entities will utilize security services to communicate securely. For example, an IPsec SA defines the encryption algorithm (if used), the authentication algorithm, and the shared session key to be used during the IPsec connection.

Both IPsec and IKE require and use SAs to identify the parameters of their connections. IKE can negotiate and establish its own SA. The IPsec SA is established either by IKE or by manual user configuration.

VPN --Virtual Private Network. Framework that consists of multiple peers transmitting private data securely to one another over an otherwise public infrastructure. In this framework, inbound and outbound network traffic is protected using protocols that tunnel and encrypt all data. This framework permits networks to extend beyond their local topology, while remote users are provided with the appearance and functionality of a direct network connection.