There was a question a few days ago about using the EzVPN solution to connect 
to Proctor Labs.  I've completed somewhere over 70 eight-hour rack sessions 
using that method, and it works great most of the time.

You need a router that can run IOS version 12.4 Mainline, and some sort of 
switch that provides inline power for hardware phones.  I use a 2821 with an 
Ethernet Switch Module (NME-16ES-1G-P) installed in slot 1.  I am currently 
running IOS version 12.4(21), which contains the fixes for some bugs related to 
NAT fragmentation which you need if you want your hardware phones to register 
smoothly.  (See previous posts in the July 25th-29th time frame if you care 
about the details.  My advice is just start with 12.4(21) since it is verified 
to work well.)

If you can get 7960 phones, I recommend using them since that is what you will 
see in the actual lab exam, and they are definitely supported by CME.  I've 
actually been using two 7960's, one 7961G, and one 7961G-GE.  There are some 
quirks with the non-7960 phones, but they will work for most things.  I think 
there have been some previous posts to OSL about non-7960 phones.

When you login to your Proctor Labs session (via a web browser), you will be 
given the option to connect via VPN client or via EasyVPN.  If you choose the 
EasyVPN option, there will be a router config file which you can download.  I 
will include below the one for Pod 20.  You may need to adapt this 
configuration for your router.  (For example, my Ethernet interfaces are GigE, 
not FastE.)  Once you have the router configured appropriately, you issue the 
two commands shown at the bottom ("crypto ipsec client ezvpn connect", wait for 
a response, then enter "crypto ipsec client ezvpn xauth" and you will be 
prompted for your Proctor Labs username and password), and it brings up the 
tunnel.  At that point the devices connected to your switch (usually a PC and 
hardware phones) have IP connectivity to the Proctor Labs pod.  Note that PAT 
(port address translation) is used, so all the devices will show up with the 
same NATted IP address (10.0.1.41 for pod 20), they are just using different 
port numbers.

For future sessions for different pods, you need to re-configure the groupname 
in the "crypto ipsec client ezvpn IPx-Pod2" block, and change the ip address in 
the "option 150 ip" statement for the DHCP pool.  My usual procedure was to 
just remove and re-add the entire block, but I just realized as I was typing 
this that if I would rename the block without the pod number in it (maybe just 
"IPx-Pod") then I would not have to remove and re-add the "crypto ipsec client 
ezvpn" statements to the inside and outside interfaces every time.

Hope this is helpful as an overview.  If you have specific problems, there are 
instructions on the web page as you connect about what information to forward 
to Proctor Labs support if you need assistance.

Jane Ryer, CCIE # 3333 (R&S)



VPodg2_Config.txt

service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
logging buffered 512000 informational
enable secret ipexperthome
no aaa new-model
!
!
!
ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool IPx-Home-DHCP
   import all
   network 192.168.1.0 255.255.255.0
   option 150 ip 10.2.200.21
   default-router 192.168.1.1
   lease 8
!
!
ip inspect name CBAC-FW tcp timeout 3600
ip inspect name CBAC-FW udp timeout 3600
ip inspect name CBAC-FW http java-list 1 timeout 3600
ip inspect name CBAC-FW https timeout 3600
ip inspect name CBAC-FW icmp
ip inspect name CBAC-FW ddns-v3
ip inspect name CBAC-FW smtp
ip inspect name CBAC-FW pop3
ip inspect name CBAC-FW pop3s
ip inspect name CBAC-FW imap
ip inspect name CBAC-FW ftps
ip inspect name CBAC-FW fragment maximum 256 timeout 1
ip inspect name CBAC-FW ntp
ip inspect name CBAC-FW ftp timeout 3600
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key proctorvoice address 209.124.41.250
!
!
!
crypto ipsec client ezvpn IPx-Pod2
 connect manual
 group vpodg2 key proctorvoice
 mode client
 peer 209.124.41.250
 xauth userid mode http-intercept
!
!
!
interface FastEthernet0/0
 description (Outside Public Interface)
 ip address dhcp
 ip access-group FW-IN in
 no ip unreachables
 ip nat outside
 ip inspect CBAC-FW out
 no cdp enable
 duplex auto
 speed auto
 no shut
 crypto ipsec client ezvpn IPx-Pod2
!
interface FastEthernet0/1
 description (Inside Private Interface)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 crypto ipsec client ezvpn IPx-Pod2 inside
 duplex auto
 speed auto
 no shut
!
!
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
no ip http server
ip nat inside source list 101 interface f0/0 overload
!
ip access-list extended FW-IN
 permit udp any any eq bootpc
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip host 0.0.0.0 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 permit icmp 209.124.41.0 0.0.0.255 any eq echo 
 permit esp host 209.124.41.250 any
 permit udp host 209.124.41.250 any eq isakmp
 permit udp host 209.124.41.250 any eq non500-isakmp
 deny   ip any any log
!
access-list 1 permit any
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 209.124.41.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 162.0.0.0 0.255.255.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
line con 0
line aux 0
line vty 0 15
 password ipexperthome
 privi level 15
 exec-timeout 30 0
 access-class 23 in
 logging synchronous
 transport input telnet ssh
!
ntp server time.apple.com
end
wr
crypto ipsec client ezvpn connect

crypto ipsec client ezvpn xauth
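Added example, not from the post or from Proctor Labs: a small Python lint for a config like the one above. It catches the slip the per-pod rename invites (an interface still referencing the old "crypto ipsec client ezvpn" block name, so the tunnel never binds) and checks that FW-IN permits ESP, ISAKMP and NAT-T only from the configured peer and still ends in a logged deny. The embedded excerpt is constructed from the Pod 20 file; the function name check_ezvpn is my own.

```python
import re
# Constructed excerpt modelled on the post's pod config (not the full file).
SAMPLE_CFG = """\
crypto isakmp key proctorvoice address 209.124.41.250
crypto ipsec client ezvpn IPx-Pod2
 group vpodg2 key proctorvoice
 peer 209.124.41.250
!
interface FastEthernet0/0
 crypto ipsec client ezvpn IPx-Pod2
!
interface FastEthernet0/1
 crypto ipsec client ezvpn IPx-Pod2 inside
!
ip access-list extended FW-IN
 permit esp host 209.124.41.250 any
 permit udp host 209.124.41.250 any eq isakmp
 permit udp host 209.124.41.250 any eq non500-isakmp
 deny   ip any any log
"""

def check_ezvpn(cfg):
    """Lint an EzVPN client config; returns a list of findings (empty list = OK)."""
    findings = []
    # Block definitions sit at column 0; interface references are indented one space.
    defined = set(re.findall(r"^crypto ipsec client ezvpn (\S+)$", cfg, re.M))
    refs = re.findall(r"^ crypto ipsec client ezvpn (\S+)( inside)?$", cfg, re.M)
    for name, inside in refs:
        if name not in defined:
            findings.append(f"interface references undefined ezvpn block {name}")
    if not any(not inside for _, inside in refs):
        findings.append("no outside interface carries the ezvpn block")
    if not any(inside for _, inside in refs):
        findings.append("no inside interface carries the ezvpn block")
    # The peer needs a matching isakmp key and FW-IN permits for ESP, UDP/500, UDP/4500.
    keyed = re.findall(r"^crypto isakmp key \S+ address (\S+)$", cfg, re.M)
    acl = re.search(r"^ip access-list extended FW-IN\n((?: .*\n)+)", cfg, re.M)
    rules = [l.split() for l in acl.group(1).splitlines()] if acl else []
    for peer in re.findall(r"^ peer (\S+)$", cfg, re.M):
        if peer not in keyed:
            findings.append(f"no isakmp key configured for peer {peer}")
        need = {("esp", None), ("udp", "isakmp"), ("udp", "non500-isakmp")}
        have = {(r[1], r[-1] if r[-2] == "eq" else None) for r in rules
                if r[0] == "permit" and r[2:4] == ["host", peer]}
        for proto, port in sorted(need - have, key=str):
            findings.append(f"FW-IN lacks permit {proto}{' eq ' + port if port else ''} from peer {peer}")
    if not rules or rules[-1][:4] != ["deny", "ip", "any", "any"]:
        findings.append("FW-IN does not end with an explicit deny ip any any")
    return findings
```

Run it against the running-config after each pod change; an empty list means the block name, peer and firewall holes are consistent.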
