There was a question a few days ago about using the EzVPN solution to connect to Proctor Labs. I've completed somewhere over 70 eight-hour rack sessions using that method, and it works great most of the time.
You need a router that can run IOS version 12.4 Mainline, and some sort of switch that provides inline power for hardware phones. I use a 2821 with an Ethernet Switch Module (NME-16ES-1G-P) installed in slot 1. I am currently running IOS version 12.4(21), which contains the fixes for some bugs related to NAT fragmentation which you need if you want your hardware phones to register smoothly. (See previous posts in the July 25th-29th time frame if you care about the details. My advice is just start with 12.4(21) since it is verified to work well.) If you can get 7960 phones, I recommend using them since that is what you will see in the actual lab exam, and they are definitely supported by CME. I've actually been using two 7960's, one 7961G, and one 7961G-GE. There are some quirks with the non-7960 phones, but they will work for most things. I think there have been some previous posts to OSL about non-7960 phones. When you login to your Proctor Labs session (via a web browser), you will be given the option to connect via VPN client or via EasyVPN. If you choose the EasyVPN option, there will be a router config file which you can download. I will include below the one for Pod 20. You may need to adapt this configuration for your router. (For example, my Ethernet interfaces are GigE, not FastE.) Once you have the router configured appropriately, you issue the two commands shown at the bottom ("crypto ipsec client ezvpn connect", wait for a response, then enter "crypto ipsec client ezvpn xauth" and you will be prompted for your Proctor Labs username and password), and it brings up the tunnel. At that point the devices connected to your switch (usually a PC and hardware phones) have IP connectivity to the Proctor Labs pod. Note that PAT (port address translation) is used, s o all the devices will show up with the same NATted IP address (10.0.1.41 for pod 20), they are just using different port numbers. For future sessions for different pods, you need to re-configure the groupname in the "crypto ipsec client ezvpn IPx-Pod2" block, and change the ip address in the "option 150 ip" statement for the DHCP pool. My usual procedure was to just remove and re-add the entire block, but I just realized as I was typing this that if I would rename the block without the pod number in it (maybe just "IPx-Pod") then I would not have to remove and re-add the "crypto ipsec client ezvpn" statements to the inside and outside interfaces every time. Hope this is helpful as an overview. If you have specific problems, there are instructions on the web page as you connect about what information to forward to Proctor Labs support if you need assistance. Jane Ryer, CCIE # 3333 (R&S) VPodg2_Config.txt service timestamps debug datetime service timestamps log datetime service password-encryption ! ! boot-start-marker boot-end-marker ! logging buffered 512000 informational enable secret ipexperthome no aaa new-model ! ! ! ip cef ip dhcp excluded-address 192.168.1.1 192.168.1.10 ! ip dhcp pool IPx-Home-DHCP import all network 192.168.1.0 255.255.255.0 option 150 ip 10.2.200.21 default-router 192.168.1.1 lease 8 ! ! ip inspect name CBAC-FW tcp timeout 3600 ip inspect name CBAC-FW udp timeout 3600 ip inspect name CBAC-FW http java-list 1 timeout 3600 ip inspect name CBAC-FW https timeout 3600 ip inspect name CBAC-FW icmp ip inspect name CBAC-FW ddns-v3 ip inspect name CBAC-FW smtp ip inspect name CBAC-FW pop3 ip inspect name CBAC-FW pop3s ip inspect name CBAC-FW imap ip inspect name CBAC-FW ftps ip inspect nam e CBAC-FW fragment maximum 256 timeout 1 ip inspect name CBAC-FW ntp ip inspect name CBAC-FW ftp timeout 3600 ! ! crypto isakmp policy 10 encr 3des authentication pre-share group 2 crypto isakmp key proctorvoice address 209.124.41.250 ! ! ! crypto ipsec client ezvpn IPx-Pod2 connect manual group vpodg2 key proctorvoice mode client peer 209.124.41.250 xauth userid mode http-intercept ! ! ! interface FastEthernet0/0 description (Outside Public Interface) ip address dhcp ip access-group FW-IN in no ip unreachables ip nat outside ip inspect CBAC-FW out no cdp enable duplex auto speed auto no shut crypto ipsec client ezvpn IPx-Pod2 ! interface FastEthernet0/1 description (Inside Private Interface) ip address 192.168.1.1 255.255.255.0 ip nat insi de crypto ipsec client ezvpn IPx-Pod2 inside duplex auto speed auto no shut ! ! ip route 0.0.0.0 0.0.0.0 dhcp ! ! no ip http server ip nat inside source list 101 interface f0/0 overload ! ip access-list extended FW-IN permit udp any any eq bootpc deny ip 10.0.0.0 0.255.255.255 any log deny ip 172.16.0.0 0.15.255.255 any log deny ip 192.168.0.0 0.0.255.255 any log deny ip 224.0.0.0 15.255.255.255 any log deny ip host 0.0.0.0 any log deny ip host 255.255.255.255 any log deny ip 169.254.0.0 0.0.255.255 any log deny ip 127.0.0.0 0.255.255.255 any log permit icmp 209.124.41.0 0.0.0.255 any eq echo permit esp host 209.124.41.250 any permit udp host 209.124.41.250 any eq isakmp permit udp host 209.124.41.250 any eq n on500-isakmp deny ip any any log ! access-list 1 permit any access-list 23 permit 192.168.1.0 0.0.0.255 access-list 23 permit 209.124.41.0 0.0.0.255 access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255 access-list 101 deny ip 192.168.1.0 0.0.0.255 162.0.0.0 0.255.255.255 access-list 101 deny ip 192.168.1.0 0.0.0.255 172.0.0.0 0.255.255.255 access-list 101 permit ip 192.168.1.0 0.0.0.255 any ! ! ! line con 0 line aux 0 line vty 0 15 password ipexperthome privi level 15 exec-timeout 30 0 access-class 23 in logging synchronous transport input telnet ssh ! ntp server time.apple.com end wr crypto ipsec client ezvpn connect crypto ipsec client ezvpn xauth