EzVPN Group-Lock
Hi, this post will help us to understand the Group-Lock feature and its utility.
Let's suppose we need to give our users access to internal company resources, but these users belong to different departments and, of course, they don't need access to "ALL" the resources in the network. With Group-Lock we can do this in an easy way: we lock users into groups so that, when a user starts a VPN connection, its group is bound to an access-list. This access-list restricts the traffic to and/or from the resources that group needs.
Next we will configure this amazing feature.
For example, let's assume we have 2 groups, engineering and sales. Engineering needs access to servers 10.0.0.1 and 10.0.0.3 on our internal network, while sales only needs access to server 10.0.0.3.
So we need 2 access-lists to define this traffic.
ip access-list extended engineering
 permit ip host 10.0.0.1 any
 permit ip host 10.0.0.3 any
ip access-list extended sales
 permit ip host 10.0.0.3 any
Now we must configure 2 VPN groups and bind each one to the correct access-list.
crypto isakmp client configuration group engineering
 key *
 domain domain.local
 pool engineering
 acl engineering
 group-lock
crypto isakmp client configuration group sales
 key *
 domain domain.local
 pool sales
 acl sales
 group-lock
Then, 2 ISAKMP profiles.
crypto isakmp profile engineering
 match identity group engineering
 client authentication list localauth
 isakmp authorization list localauthor
 client configuration address respond
 virtual-template 1
crypto isakmp profile sales
 match identity group sales
 client authentication list localauth
 isakmp authorization list localauthor
 client configuration address respond
 virtual-template 2
And 2 IPsec profiles for the Virtual-Templates.
crypto ipsec profile engineering
 set transform-set vpn
 set isakmp-profile engineering
crypto ipsec profile sales
 set transform-set vpn
 set isakmp-profile sales
The rest of the VPN configuration is standard, so I will omit it. The only thing we have to take care of is to configure the usernames with the string @ followed by the name of the group, because group-lock checks that the group in the Xauth username matches the group the client connected with. If we don't do this, users will not be able to set up the VPN properly.
For example: user1@engineering or user2@sales.
The Virtual-Template interfaces also need the IPsec profiles applied according to the configuration shown above (Virtual-Template 1 with the engineering profile, Virtual-Template 2 with the sales profile). Now we can test the VPN connection with one user from each group to verify that the access-list configuration is correct.
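As an added example (not part of the original post and not Cisco code), the following Python script audits a saved copy of the client configuration groups and models the group-lock decision described above: it parses each `crypto isakmp client configuration group` stanza, flags any group that lacks `group-lock` or an `acl`, and checks whether a given Xauth username would be accepted for the group the client connected with. The sample configuration is constructed from the post, plus a hypothetical "contractors" group added only to show what the audit flags; the `group_lock_permits` function is a simplified model of the feature's behaviour (an assumption for illustration), not a reproduction of the IOS implementation.

```python
import re

# Constructed sample input: the two groups from the post, plus a hypothetical
# "contractors" group added here only to show what the audit flags.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group engineering
 key *
 domain domain.local
 pool engineering
 acl engineering
 group-lock
crypto isakmp client configuration group sales
 key *
 domain domain.local
 pool sales
 acl sales
 group-lock
crypto isakmp client configuration group contractors
 key *
 pool contractors
"""

GROUP_RE = re.compile(r"^crypto isakmp client configuration group (\S+)\s*$")


def parse_groups(config_text):
    """Extract each client configuration group with its pool, acl and group-lock flag."""
    groups = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = {"pool": None, "acl": None, "group_lock": False}
            continue
        # Sub-commands are indented by one space; any unindented line ends the stanza.
        if current is None or not line.startswith(" "):
            current = None
            continue
        cmd = line.strip()
        if cmd.startswith("acl "):
            groups[current]["acl"] = cmd.split(None, 1)[1]
        elif cmd.startswith("pool "):
            groups[current]["pool"] = cmd.split(None, 1)[1]
        elif cmd == "group-lock":
            groups[current]["group_lock"] = True
    return groups


def audit_groups(groups):
    """Return findings for groups that lack group-lock or a restricting acl."""
    findings = []
    for name, g in sorted(groups.items()):
        if not g["group_lock"]:
            findings.append(f"{name}: group-lock missing; username suffix is not enforced")
        if g["acl"] is None:
            findings.append(f"{name}: no acl; clients are not restricted by access-list")
    return findings


def group_lock_permits(username, ike_group, groups):
    """Simplified model of the group-lock check (an assumption, not IOS code):
    with group-lock set, the Xauth username must be user@<group> and <group>
    must equal the group the client used in IKE phase 1."""
    g = groups.get(ike_group)
    if g is None:
        return False
    if not g["group_lock"]:
        return True  # no lock: the username suffix is not checked at all
    if "@" not in username:
        return False
    suffix = username.rpartition("@")[2]
    return suffix == ike_group


if __name__ == "__main__":
    groups = parse_groups(SAMPLE_CONFIG)
    for finding in audit_groups(groups):
        print("FINDING:", finding)
    for user, grp in [("user1@engineering", "engineering"),
                      ("user1@engineering", "sales"),
                      ("user2", "sales"),
                      ("user3", "contractors")]:
        verdict = "permitted" if group_lock_permits(user, grp, groups) else "rejected"
        print(f"{user} -> {grp}: {verdict}")
```

Run it against a `show running-config` excerpt pasted into `SAMPLE_CONFIG`; a group reported without `group-lock` is one where a user from another department could connect with that group's key and land in its pool and access-list, which is exactly what the feature is meant to prevent.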
Hope this helps.