Software Requirements
- Cisco 800 Series Router: Cisco IOS Release 12.2(15)T, 12.3(2)T, 12.3(4)T, 12.3(7)T, or 12.3(7)XR2, configured as a Cisco Easy VPN remote.
- Cisco 1700 Series Router: Cisco IOS Release 12.2(15)T, 12.3(2)T, 12.3(4)T, 12.3(7)T, or 12.3(7)XR, configured as a Cisco Easy VPN remote.
- Cisco 1800 Series fixed configuration router: Cisco IOS Release 12.3(8)YI.
- Cisco uBR905 or Cisco uBR925 cable access router: Cisco IOS Release 12.2(15)T, configured as a Cisco Easy VPN remote.
- Any other Cisco router or VPN concentrator: Supports the Cisco Easy VPN Server feature and is configured as a Cisco IOS Easy VPN server. See the list of required servers below.
Required Easy VPN Servers
The Cisco Easy VPN Remote feature requires that the destination peer on the network is a Cisco IOS Easy VPN Server or VPN concentrator that supports the Cisco Easy VPN Server feature. At the time of publication, the available servers and concentrators include the following platforms when running the indicated software releases:
- Cisco 806, Cisco 826, Cisco 827, Cisco 828, Cisco 831, Cisco 836, and Cisco 837 Routers: Cisco IOS Release 12.2(8)T or later release. Cisco 800 series routers are not supported in Cisco IOS Release 12.3(7)XR, but they are supported in Cisco IOS Release 12.3(7)XR2.
- Cisco 870 Series Routers: Cisco IOS Release 12.3(8)YI1.
- Cisco 1700 Series Routers: Cisco IOS Release 12.2(8)T or later release.
- Cisco 1800 series fixed configuration router: Cisco IOS Release 12.3(8)YI.
- Cisco 1812 Router: Cisco IOS Release 12.3(8)YH.
- Cisco 2600 Series Routers: Cisco IOS Release 12.2(8)T or later release.
- Cisco 3620 Router: Cisco IOS Release 12.2(8)T or later release.
- Cisco 3640 Router: Cisco IOS Release 12.2(8)T or later release.
- Cisco 3660 Router: Cisco IOS Release 12.2(8)T or later release.
- Cisco 7100 Series VPN Routers: Cisco IOS Release 12.2(8)T or later release.
- Cisco 7200 Series Routers: Cisco IOS Release 12.2(8)T or later release.
- Cisco 7500 Series Routers: Cisco IOS Release 12.2(8)T or later release.
- Cisco PIX 500 Series Routers: Software Release 6.2 or later release.
- Cisco VPN 3000 Series Routers: Software Release 3.11 or later release.
- Cisco ASA 5500 Series Routers: Software Release 7.0(4).
Only ISAKMP Policy Group 2 Supported on Easy VPN Servers
The Cisco Unity Client protocol supports only Internet Security Association and Key Management Protocol (ISAKMP) policies that use DH Group 2 (1024-bit Diffie-Hellman) IKE negotiation. Therefore, the Cisco Easy VPN Server being used with the Cisco Easy VPN Remote feature must be configured for a Group 2 ISAKMP policy.
Note
The Easy VPN Server cannot be configured for ISAKMP Group 1 or Group 5 when the server is being used with a Cisco Easy VPN client.
Transform Sets Supported
To ensure a secure tunnel connection, the Cisco Easy VPN Remote feature does not support transform sets that provide encryption without authentication (esp-des and esp-3des) or transform sets that provide authentication without encryption (esp-null esp-sha-hmac and esp-null esp-md5-hmac).
Note
The Cisco Unity Client protocol does not support Authentication Header (AH) authentication but does support Encapsulating Security Payload (ESP).
Dial Backup for Easy VPN Remotes
Line status-based backup is not supported in this feature.
NAT Interoperability Support
NAT interoperability is not supported in client mode with split tunneling.
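The two constraints above (ISAKMP policies must use DH Group 2; transform sets must provide both encryption and authentication, and only with ESP) are easy to lose track of on a server that also terminates other tunnels. The following audit script is an added example and is not code from the course or from Cisco. It parses the `crypto isakmp policy` and `crypto ipsec transform-set` lines of an IOS running configuration and reports every policy or transform set that an Easy VPN client could not use. The sample configuration is constructed for this example; the assumption that an ISAKMP policy with no explicit `group` line defaults to group 1 reflects standard IOS behaviour.

```python
"""Audit a Cisco IOS Easy VPN Server configuration (added example, not
from the course page) for the two constraints stated in the text:
  * every ISAKMP policy must use DH group 2
  * every IPsec transform set must provide encryption AND
    authentication, using ESP rather than AH
"""
import re

# Transform names. esp-des, esp-3des, esp-null, esp-sha-hmac and
# esp-md5-hmac come from the page; esp-aes and the ah-* names are
# standard IOS transforms added here so realistic configs parse.
ENCRYPTION = {"esp-des", "esp-3des", "esp-aes"}
AUTHENTICATION = {"esp-sha-hmac", "esp-md5-hmac"}


def parse_isakmp_policies(config):
    """Return {policy_number: {keyword: value}} for each isakmp policy block.

    IOS indents sub-commands of a policy with a single space; any
    non-indented line ends the current block."""
    policies = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if line.startswith(" ") and current is not None:
            parts = line.split()
            policies[current][parts[0]] = " ".join(parts[1:])
        else:
            current = None
    return policies


def parse_transform_sets(config):
    """Return {set_name: [transform, ...]} from transform-set lines.

    A bare numeric token (the AES key size, e.g. `esp-aes 256`) is a
    modifier of the preceding transform and is dropped."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"^crypto ipsec transform-set (\S+) (.+)$", line.strip())
        if m:
            sets[m.group(1)] = [t for t in m.group(2).split() if not t.isdigit()]
    return sets


def audit(config):
    """Return a list of human-readable findings; empty means compliant."""
    findings = []
    for num, attrs in sorted(parse_isakmp_policies(config).items()):
        # Assumption (standard IOS default): no `group` line means group 1.
        group = int(attrs.get("group", "1"))
        if group != 2:
            findings.append(
                f"isakmp policy {num}: DH group {group} is not usable by "
                f"Easy VPN clients (group 2 required)")
    for name, transforms in parse_transform_sets(config).items():
        if any(t.startswith("ah-") for t in transforms):
            findings.append(f"transform-set {name}: AH is not supported by "
                            f"the Unity client protocol")
        if not any(t in ENCRYPTION for t in transforms):
            findings.append(f"transform-set {name}: authentication without encryption")
        if not any(t in AUTHENTICATION for t in transforms):
            findings.append(f"transform-set {name}: encryption without authentication")
    return findings


# Constructed sample: one compliant policy, one on group 5, one relying on
# the group 1 default, and four transform sets of which two are rejected.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 5
crypto isakmp policy 30
 encr des
 authentication pre-share
crypto ipsec transform-set EZVPN-OK esp-3des esp-sha-hmac
crypto ipsec transform-set ENC-ONLY esp-3des
crypto ipsec transform-set AUTH-ONLY esp-null esp-sha-hmac
crypto ipsec transform-set AES-OK esp-aes 256 esp-sha-hmac
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports policies 20 and 30 and the ENC-ONLY and AUTH-ONLY transform sets; EZVPN-OK and AES-OK pass. Because `show running-config` output uses the same one-space indentation, the parser can be fed a saved configuration directly.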
Content 3.7 Introducing Cisco Easy VPN
3.7.5 Easy VPN Server and Easy VPN Remote Operation
When an Easy VPN Remote client initiates a connection with a Cisco Easy VPN Server gateway, the exchange that occurs between peers generally consists of these steps:
Step 1 The VPN Client initiates the IKE Phase 1 process.
Step 2 The VPN Client establishes an ISAKMP SA.
Step 3 The Easy VPN Server accepts the SA proposal.
Step 4 The Easy VPN Server initiates a username and password challenge.
Step 5 The mode configuration process is initiated.
Step 6 The Reverse Route Injection (RRI) process is initiated.
Step 7 IPsec quick mode completes the connection.
Step 1: The VPN Client Initiates the IKE Phase 1 Process
There are two ways to perform authentication, and the VPN Client must consider the following when initiating IKE Phase 1:
- If a pre-shared key is to be used for authentication, the VPN Client initiates aggressive mode. When pre-shared keys are used, the accompanying group name that is entered in the configuration GUI (ID_KEY_ID) is used to identify the group profile that is associated with this VPN Client.
- If digital certificates are to be used for authentication, the VPN Client initiates main mode. When digital certificates are used, the organizational unit field of a distinguished name is used to identify the group profile.
Because the VPN Client can be configured for pre-shared key authentication, which initiates IKE aggressive mode, you should change the identity of the Cisco IOS VPN device by using the crypto isakmp identity hostname command. This action does not affect certificate authentication via IKE main mode.
Step 2: The VPN Client Establishes an ISAKMP SA
In this step, the VPN Client establishes an ISAKMP SA. To reduce the amount of manual configuration on the VPN Client, Easy VPN ISAKMP proposals include every combination of encryption and hash algorithms, authentication methods, and DH group sizes.
Step 3: The Cisco Easy VPN Server Accepts the SA Proposal
In this step, the Cisco Easy VPN Server accepts the SA proposal. ISAKMP policy is global for the Easy VPN Server and can consist of several proposals. In the case of multiple proposals, the Easy VPN Server uses the first match, so you should always have your most secure policies listed first. Device authentication ends and user authentication begins at this point.
Step 4: The Cisco Easy VPN Server Initiates a Username and Password Challenge
This step initiates a username and password challenge. The information that is entered is checked against authentication entities using authentication, authorization, and accounting (AAA) protocols such as RADIUS and TACACS+. Token cards can also be used via AAA proxy. VPN devices that are configured to handle remote VPN clients should always be configured to enforce user authentication.
Step 5: The Mode Configuration Process Is Initiated
This step initiates the mode configuration process. The remaining system parameters (IP address, Domain Name System [DNS], split tunnel attributes, and so on) are pushed to the VPN client at this time using mode configuration. The IP address is the only required parameter in a group profile; all other parameters are optional.
Step 6: The RRI Process Is Initiated
This step initiates the RRI process. RRI ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each VPN client.
Note
It is recommended that RRI be enabled on the dynamic crypto map when per-user IP addresses are used and when more than one Easy VPN Server is used. Redistributing RRI routes into an IGP allows the server site to properly find the return path to the clients.
Step 7: IPsec Quick Mode Completes the Connection
In this step, the IPsec quick mode completes the connection. The connection is complete after IPsec SAs have been created.
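Steps 2 and 3 above are where policy ordering matters: the client offers every combination it supports, and the server accepts the first of its own policies that any offered combination matches. The model below is an added example, not code from the course or from Cisco, and simplifies the IKE exchange to that selection rule. The policy priorities, the client's capability lists and the strength ranking are constructed for the example; the client's DH group is fixed at 2, as the page states for the Unity client protocol.

```python
"""Model of Steps 2 and 3 of the Easy VPN exchange (added example, not
part of the course text): the client offers all combinations it supports,
the server walks its ISAKMP policies in priority order and accepts the
first policy that any client proposal matches."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Proposal:
    """One ISAKMP Phase 1 proposal: cipher, hash, auth method, DH group."""
    encr: str
    hash_alg: str
    auth: str
    group: int


# Constructed client capability lists. The Unity client offers only DH
# group 2 (the page's statement), so group is not varied here.
CLIENT_ENCR = ("aes", "3des", "des")
CLIENT_HASH = ("sha", "md5")
CLIENT_AUTH = ("pre-share",)   # pre-shared key: aggressive mode in Step 1


def client_proposals():
    """Step 2: every combination of the client's encryption, hash and
    authentication options, each with DH group 2."""
    return [Proposal(e, h, a, 2)
            for e, h, a in product(CLIENT_ENCR, CLIENT_HASH, CLIENT_AUTH)]


def server_select(policies, proposals):
    """Step 3: first-match selection.

    policies  -- list of (priority, Proposal); lower number is checked first
    proposals -- what the client offered
    Returns the (priority, Proposal) accepted, or None if nothing matches,
    in which case Phase 1 fails and the client cannot connect."""
    offered = set(proposals)
    for priority, policy in sorted(policies, key=lambda p: p[0]):
        if policy in offered:
            return priority, policy
    return None


def negotiate(policies):
    return server_select(policies, client_proposals())


# Constructed server configurations. The same two policies in different
# order give different results, which is the point of "most secure first".
WEAK_FIRST = [
    (10, Proposal("des", "md5", "pre-share", 2)),
    (20, Proposal("aes", "sha", "pre-share", 2)),
]
STRONG_FIRST = [
    (10, Proposal("aes", "sha", "pre-share", 2)),
    (20, Proposal("des", "md5", "pre-share", 2)),
]
# A server offering only group 5 never matches a Unity client (page's note).
GROUP5_ONLY = [(10, Proposal("aes", "sha", "pre-share", 5))]
# A certificate-only server does not match a pre-shared-key client either.
RSA_ONLY = [(10, Proposal("aes", "sha", "rsa-sig", 2))]

if __name__ == "__main__":
    for name, policies in [("weak first", WEAK_FIRST), ("strong first", STRONG_FIRST),
                           ("group 5 only", GROUP5_ONLY), ("rsa-sig only", RSA_ONLY)]:
        print(f"{name:13s} -> {negotiate(policies)}")
```

With the client able to offer DES/MD5 as well as AES/SHA, the server that lists its DES policy at priority 10 ends up negotiating DES even though both peers support AES; swapping the priorities fixes it without touching the client. The group-5-only and certificate-only servers show the two ways Phase 1 fails outright for a pre-shared-key Unity client.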
Content 3.8 Configuring Easy VPN Server using Cisco SDM
3.8.1 Required Preparation
Before you start configuring the Cisco Easy VPN Server, prepare a VPN design for your network. The design requires that you prepare these parameters for your configuration:
- IKE authentication method
- User