route uses a crypto map to capture and encrypt the traffic. The figure illustrates a partial example configuration in which GRE over IPsec tunnels enable the use of the WAN IGP across the VPN links. The VPN links in this example, however, are configured with a higher interface delay to influence the EIGRP process to prefer the primary WAN link as long as that link is functional.
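The design just described, as an added example that is not the figure's configuration from the original page: one router's side of a GRE over IPsec backup link, where the crypto map on the physical Internet-facing interface captures and encrypts the GRE traffic, and the tunnel interface carries a deliberately high delay so that EIGRP prefers the primary WAN link while it is up. All addresses, interface numbers, names and the key placeholder are assumptions.

```cisco
! Added example: one side of a GRE over IPsec backup link (hypothetical
! addresses, names and interface numbers; not the page's figure).
!
! Phase 1: ISAKMP policy and pre-shared key for the remote tunnel endpoint
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-PSK address 198.51.100.2
!
! Phase 2: transform set. Transport mode is enough here because the GRE
! header already carries the outer tunnel endpoint addresses.
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode transport
!
! Only GRE between the two tunnel endpoints is "interesting" traffic;
! the crypto map captures it and encrypts it with the transform set.
ip access-list extended GRE-TO-REMOTE
 permit gre host 203.0.113.1 host 198.51.100.2
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set GRE-TS
 match address GRE-TO-REMOTE
!
! Internet-facing interface: the crypto map is applied here, so GRE
! packets sourced from this address are encrypted on the way out.
interface FastEthernet0/1
 description Internet uplink (VPN path)
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
ip route 0.0.0.0 0.0.0.0 203.0.113.2
!
! Primary private WAN link, left at the platform default delay.
interface Serial0/0
 description Primary WAN link
 ip address 10.255.0.1 255.255.255.252
!
! GRE tunnel over the Internet path. "delay" is entered in tens of
! microseconds, so 100000 here is 1,000,000 microseconds, far above a
! serial link's default. Together with the tunnel's bandwidth value this
! makes EIGRP's composite metric rank the tunnel path worse than
! Serial0/0, so it is used only when the primary route is withdrawn.
interface Tunnel0
 description GRE over IPsec backup to remote site
 ip address 10.255.1.1 255.255.255.252
 delay 100000
 tunnel source FastEthernet0/1
 tunnel destination 198.51.100.2
!
! The same IGP runs over both the private WAN and the tunnel, so the
! remote site's prefixes are learned on both paths and EIGRP chooses.
router eigrp 100
 network 10.0.0.0
 no auto-summary
```

The remote router mirrors this configuration with the addresses swapped. Verifying the intent is a matter of checking that the remote prefixes show the serial interface as the successor in the EIGRP topology table while the primary link is up, and that the crypto map counters increase only after the primary is shut down and traffic moves to the tunnel.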
Content 3.7 Introducing Cisco Easy VPN

3.7.1 Introducing Cisco Easy VPN

Cable modems, xDSL routers, and other forms of broadband access provide high-performance connections to the Internet, but many applications also require the security of VPN connections to perform a high level of authentication and to encrypt data between any two endpoints. Establishing a VPN connection between two routers can be complicated and typically requires tedious coordination between network administrators to configure the VPN parameters of the two routers. When deploying VPNs for teleworkers and small branch offices, ease of deployment is critical if technical resources are not available for VPN configuration on remote site routers.

The Cisco Easy VPN Remote feature and the Cisco Easy VPN Server feature offer flexibility, scalability, and ease of use for site-to-site and remote-access VPNs. These features eliminate tedious work by implementing the Cisco Unity Client protocol, which allows administrators to define most VPN parameters at a Cisco IOS Easy VPN Server. The Cisco Easy VPN Remote feature allows Cisco routers running Cisco IOS Release 12.2(4)YA (or later releases), Cisco PIX firewalls, and Cisco hardware clients to act as remote VPN clients. A Cisco IOS Easy VPN Server can be a dedicated VPN device, such as a Cisco VPN 3000 Concentrator, a Cisco PIX Firewall, or a Cisco IOS router that supports the Cisco Unity Client protocol.

Cisco Easy VPN simplifies deployment. When the Easy VPN Remote initiates the VPN tunnel connection, the Cisco Easy VPN Server pushes the IPsec policies to the Cisco Easy VPN Remote client and creates the corresponding VPN tunnel connection. Cisco Easy VPN Remote provides for automatic management of these details:

- Negotiating tunnel parameters, such as addresses, algorithms, and lifetime
- Establishing tunnels according to the parameters that are set
- Automatically creating any Network Address Translation (NAT) or Port Address Translation (PAT) and associated access control lists (ACLs) that are needed
- Authenticating users (that is, ensuring that users are who they say they are) by usernames, group names, and passwords
- Managing security keys for encryption and decryption
- Authenticating, encrypting, and decrypting data through the tunnel
3.7.2 Cisco Easy VPN Components

Cisco Easy VPN consists of two components as follows:

- Cisco Easy VPN Server: Cisco Easy VPN Server enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3000 Series Concentrators to act as VPN headend devices in site-to-site or remote-access VPNs where the remote office devices use the Cisco Easy VPN Remote feature. Using this feature, the Cisco Easy VPN Server pushes security policies that are defined at the headend to the remote VPN device, ensuring that those connections have up-to-date policies in place before the connection is established. In addition, a Cisco Easy VPN Server-enabled device can terminate IPsec tunnels that are initiated by mobile remote workers running VPN Client software on PCs. This flexibility makes it possible for mobile and remote workers, such as sales staff on the road or telecommuters, to access their headquarters intranet where critical data and applications exist.
- Cisco Easy VPN Remote: Cisco Easy VPN Remote enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3002 Hardware Clients or Software Clients to act as remote VPN clients. These devices can receive security policies from a Cisco Easy VPN Server, minimizing VPN configuration requirements at the remote location. This cost-effective solution is ideal for remote offices with little information technology (IT) support or for large customer premises equipment (CPE) deployments where it is impractical to individually configure multiple remote devices. This feature makes VPN configuration with Cisco Easy VPN Remote as easy as entering a password, which increases productivity and lowers costs by minimizing the need for local IT support.
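An added example covering the policy-push model of 3.7.1 and the two components of 3.7.2 together (this is not the page's or Cisco's own sample configuration): a Cisco IOS Easy VPN Server that holds the group policy, and a branch router running Cisco Easy VPN Remote in client mode, which needs only the peer address, the group name and key, and the operating mode. All names, addresses, the group name and the placeholder key and password values are assumptions.

```cisco
! Added example (not the page's own configuration): a minimal Cisco IOS
! Easy VPN Server and a matching Easy VPN Remote in client mode. Names,
! addresses, the group name and all key/password values are assumptions;
! replace the placeholders before use.
!
! ===== Easy VPN Server (headend router) =====
!
! AAA supplies extended authentication (Xauth) for users and the group
! authorization that hands the pushed policy to the remote.
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUPS local
username branch-user secret REPLACE-WITH-USER-PASSWORD
!
! Phase 1 policy used with the remotes.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Group policy pushed to every remote that authenticates with this group
! name and key: DNS server, domain, address pool and split-tunnel ACL.
crypto isakmp client configuration group BRANCH-GROUP
 key REPLACE-WITH-GROUP-KEY
 dns 10.10.10.5
 domain example.com
 pool EZVPN-POOL
 acl SPLIT-TUNNEL
ip local pool EZVPN-POOL 10.50.0.1 10.50.0.254
ip access-list extended SPLIT-TUNNEL
 permit ip 10.10.0.0 0.0.255.255 any
!
! Phase 2 transform set; reverse-route injects a route to each connected
! remote's assigned address so the headend can reach it.
crypto ipsec transform-set EZVPN-TS esp-aes esp-sha-hmac
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 reverse-route
!
! Tie Xauth, group authorization and address assignment to the crypto map
! and accept connections from any remote through the dynamic map.
crypto map EZVPN-MAP client authentication list EZVPN-XAUTH
crypto map EZVPN-MAP isakmp authorization list EZVPN-GROUPS
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface FastEthernet0/0
 description Internet-facing interface
 ip address 203.0.113.1 255.255.255.0
 crypto map EZVPN-MAP
!
! ===== Easy VPN Remote (branch router) =====
!
! The remote only needs the server address, the group name and key, and
! the operating mode; everything else is pushed by the server when the
! tunnel comes up. "connect auto" brings the tunnel up without a trigger.
crypto ipsec client ezvpn HQ-EZVPN
 connect auto
 group BRANCH-GROUP key REPLACE-WITH-GROUP-KEY
 mode client
 peer 203.0.113.1
 username branch-user password REPLACE-WITH-USER-PASSWORD
!
! The outside interface initiates the tunnel; the inside interface is the
! LAN whose hosts are translated to the pushed address in client mode.
interface FastEthernet0/0
 description Internet uplink
 ip address dhcp
 crypto ipsec client ezvpn HQ-EZVPN
!
interface FastEthernet0/1
 description Branch LAN
 ip address 192.168.10.1 255.255.255.0
 crypto ipsec client ezvpn HQ-EZVPN inside
```

Because the pool, DNS settings and split-tunnel ACL live in the server's group configuration and are pushed at connection time, changing them on the headend updates every remote the next time it connects, which is the "up-to-date policies" property the component description refers to. The group key is a secret shared by every member of the group, so the per-user Xauth credential is what distinguishes one remote from another and should be the value rotated when a device is retired.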
3.7.3 Deployment Models

Small or Medium Business Deployment

A small or medium business (SMB) using a Cisco Easy VPN Server-enabled Cisco router or Cisco security appliance at the main site, or head-end, can securely connect small branch offices, teleworkers, and mobile workers. The head-end router must have security policies configured. These security policies determine which VPN parameters, such as encryption algorithms and authentication algorithms, to use to communicate with remote devices. When the head-end security policies are defined, Cisco devices running the Cisco Easy VPN Remote feature can be deployed to small branch offices. During VPN initialization, the head-end router is prompted to push the security policies to the small branch office devices, eliminating the need for remote users to perform ongoing configuration updates. Once the VPNs are established, voice, video, and data can be safely exchanged over reliable secure connections, and individuals at the small branch offices no longer need to run VPN client software on their PCs.

Teleworkers using Cisco Easy VPN Remote-enabled Cisco routers or Cisco security appliances can also access the Cisco Easy VPN Server-enabled router at the head-end through secure VPN connections. As with the small branch office scenario, the head-end security policies are pushed to the remote devices with minimal configuration. Mobile workers running VPN client software on PCs can easily establish VPN connections with the Cisco Easy VPN Server-enabled device through their Internet service provider (ISP). This connectivity allows business travelers to securely access critical data and applications at almost any time from their ISP's points of presence (PoPs).

Large Enterprise Deployment

A large enterprise can connect branch offices, remote offices, and teleworkers to the enterprise network using a Cisco Easy VPN Server-enabled Cisco router or Cisco security appliance. The head-end router must have security policies configured that determine which VPN parameters, such as encryption algorithms and authentication algorithms, will be used to communicate with remote devices. When the head-end security policies have been defined, branch offices can deploy Cisco Easy VPN Remote-enabled devices. During VPN initialization, the head-end device is prompted to push security policies to the small branch offices, eliminating the need for extensive local configuration. Voice, video, and data can be safely exchanged over reliable secure connections, and individuals at the branch offices no longer need to run VPN client software on their PCs.

Remote office workers and teleworkers using Cisco Easy VPN Remote-enabled devices can also access the Cisco Easy VPN Server-enabled enterprise head-end through secure VPN connections. As with the small branch office scenario, the head-end security policies are pushed to the remote devices with minimal configuration. Additionally, nontechnical users in remote sites can easily set up the VPN connections without an on-site technician. The net effect of using the Cisco Easy VPN Remote and Server is increased productivity, as remote workers spend less time configuring network devices.
3.7.4 Requirements and Restrictions for Cisco Easy VPN Remote

Cisco Easy VPN Remote saves a company time and resources when certain requirements and restrictions are met. It can be enabled on a variety of platforms including the following: Cisco IOS