GNS3: IOS EzVPN Remote (Hardware Client Mode)


This video demonstrates how to configure your router as an EzVPN Remote Server using a dynamic virtual tunnel interface (VTI). The client initiates a VPN connection through HTTP traffic and is then challenged by the hardware client to authenticate. The client is also presented with options to activate the VPN connection or to use direct Internet access.

Easy VPN VTI differs from DMVPN and site-to-site VTI in that instead of using an “interface tunnel [number]” configuration, an “interface virtual-template type tunnel [number]” configuration is used to apply IP attributes for IPsec Easy VPN clients. Network Address Translation (NAT), quality of service (QoS), intrusion prevention, and other IP policy applications may be applied to the virtual-template interface, as well as classic or Zone-Based Policy Firewall.

These are the steps to configure the IOS EzVPN Server:
1. Enable AAA (aaa new-model).
2. Create a local database for user authentication and authorization.
3. Create user account.
4. Create an ISAKMP Phase 1.
5. Create a local pool and split-tunnel access-list (if required).
6. Create an ISAKMP Phase 1.5 (For Xauth).
7. Create an IPsec Phase 2.
8. Create an ISAKMP profile. Bind authentication and authorization list, ISAKMP client configuration group and virtual-template interface.
9. Create an IPsec profile. Bind IPsec transform set and ISAKMP profile.
10. Create a virtual-template interface that has tunnel type. Assign an IP address or use IP unnumbered, set IPsec protection profile and tunnel mode (IPsec IPv4).
Apply the dynamic crypto-map to the interface where EzVPN terminates.
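
Steps 1 to 10 as one IOS configuration sketch. This is an added example, not the configuration shown in the video. Every name (EZVPN-AUTHEN, EZVPN-GROUP, EZVPN-POOL and so on), the address ranges, the policy values and the secrets are constructed placeholders, and it assumes a Loopback0 interface with an IP address already exists.

```cisco
! Constructed lab values: names, pool, ACL subnet and secrets are placeholders.
! Steps 1-3: enable AAA, local method lists for login (Xauth) and network
! authorization, and a local user account
aaa new-model
aaa authentication login EZVPN-AUTHEN local
aaa authorization network EZVPN-AUTHOR local
username vpnuser secret REPLACE-WITH-USER-SECRET
!
! Step 4: ISAKMP Phase 1 policy
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
!
! Step 5: client address pool and split-tunnel ACL
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.50
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.1.0 0.0.0.255 any
!
! Step 6: client configuration group (Phase 1.5 attributes pushed to the client)
crypto isakmp client configuration group EZVPN-GROUP
 key REPLACE-WITH-GROUP-KEY
 pool EZVPN-POOL
 acl SPLIT-TUNNEL
!
! Step 7: IPsec Phase 2 transform set
crypto ipsec transform-set EZVPN-TS esp-aes 256 esp-sha-hmac
!
! Step 8: ISAKMP profile binds the AAA lists, the client group and the template
crypto isakmp profile EZVPN-ISAKMP
 match identity group EZVPN-GROUP
 client authentication list EZVPN-AUTHEN
 isakmp authorization list EZVPN-AUTHOR
 client configuration address respond
 virtual-template 1
!
! Step 9: IPsec profile binds the transform set and the ISAKMP profile
crypto ipsec profile EZVPN-IPSEC
 set transform-set EZVPN-TS
 set isakmp-profile EZVPN-ISAKMP
!
! Step 10: tunnel-type virtual template protected by the IPsec profile
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
```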

2 comments

  1. I like your videos on Cisco simulation with the use of GNS/QEMU. Please post more videos.

    Regards,

    Shawn from Thailand

  2. Hello.

    I would like to connect the browser saver (IE) to IP 172.16.0.1,

    The configured through a loopback interface configured on your windows?

    If so as what route?
