Software Requirements

Required Easy VPN Servers

The Cisco Easy VPN Remote feature requires that the destination peer on the network is a Cisco IOS Easy VPN Server or VPN concentrator that supports the Cisco Easy VPN Server feature. At the time of publication, the available servers and concentrators include the following platforms when running the indicated software releases:

The Cisco Unity Client protocol supports only Internet Security Association and Key Management Protocol (ISAKMP) policies that use DH Group 2 (1024-bit Diffie-Hellman) IKE negotiation. Therefore, the Cisco Easy VPN Server being used with the Cisco Easy VPN Remote feature must be configured for a Group 2 ISAKMP policy.

Note
The Easy VPN Server cannot be configured for ISAKMP Group 1 or Group 5 when the server is being used with a Cisco Easy VPN client.

Transform Sets Supported

To ensure a secure tunnel connection, the Cisco Easy VPN Remote feature does not support transform sets that provide encryption without authentication (esp-des and esp-3des) or transform sets that provide authentication without encryption (esp-null esp-sha-hmac and esp-null esp-md5-hmac).

Note
The Cisco Unity Client protocol does not support Authentication Header (AH) authentication but does support Encapsulating Security Payload (ESP).

Dial Backup for Easy VPN Remotes

Line status-based backup is not supported in this feature.

NAT Interoperability Support

NAT interoperability is not supported in client mode with split tunneling.
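
The ISAKMP group and transform-set restrictions above can be checked mechanically against a server configuration. The following is an added example, not Cisco code: the sample configuration is constructed, and the function name and the default of Group 1 for a policy with no group line are assumptions of this sketch.

```python
import re

# Constructed sample configuration (not from the page or from a real device).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 5
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set TS-OK esp-3des esp-sha-hmac
crypto ipsec transform-set TS-NOAUTH esp-3des
crypto ipsec transform-set TS-NOENC esp-null esp-md5-hmac
crypto ipsec transform-set TS-AH ah-sha-hmac esp-3des
"""

def audit_easy_vpn(config):
    """Return findings for settings the Easy VPN Remote feature cannot use."""
    findings, groups, policy = [], {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            policy = None  # any top-level command ends the current policy block
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            policy = int(m.group(1))
            groups[policy] = 1  # assumed default when no "group" line follows
        m = re.match(r"\s+group (\d+)", line)
        if m and policy is not None:
            groups[policy] = int(m.group(1))
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if not m:
            continue
        name, transforms = m.group(1), m.group(2).split()
        esp = [t for t in transforms if t.startswith("esp-")]
        has_auth = any(t.endswith("-hmac") for t in esp)
        has_enc = any(not t.endswith("-hmac") and t != "esp-null" for t in esp)
        if any(t.startswith("ah-") for t in transforms):
            findings.append(f"{name}: AH is not supported")
        elif not has_auth:
            findings.append(f"{name}: encryption without authentication")
        elif not has_enc:
            findings.append(f"{name}: authentication without encryption")
    if 2 not in groups.values():
        findings.append("no ISAKMP policy uses DH group 2")
    return findings
```

With the sample input, the Group 5 policy alone produces no finding because policy 20 still offers Group 2; it simply never matches an Easy VPN client.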

3.7 Introducing Cisco Easy VPN
3.7.5 Easy VPN Server and Easy VPN Remote Operation

When an Easy VPN Remote client initiates a connection with a Cisco Easy VPN Server gateway, the exchange that occurs between peers generally consists of these steps:

Step 1 The VPN Client initiates the IKE Phase 1 process.
Step 2 The VPN Client establishes an ISAKMP SA.
Step 3 The Easy VPN Server accepts the SA proposal.
Step 4 The Easy VPN Server initiates a username and password challenge.
Step 5 The mode configuration process is initiated.
Step 6 The Reverse Route Injection (RRI) process is initiated.
Step 7 IPsec quick mode completes the connection.

Step 1: The VPN Client Initiates the IKE Phase 1 Process

There are two ways to perform authentication, and the VPN Client must consider the following when initiating IKE Phase 1:

Because the VPN Client can be configured for pre-shared key authentication, which initiates IKE aggressive mode, you should change the identity of the Cisco IOS VPN device by using the crypto isakmp identity hostname command. This action does not affect certificate authentication via IKE main mode.

Step 2: The VPN Client Establishes an ISAKMP SA

In this step, the VPN Client establishes an ISAKMP SA. To reduce the amount of manual configuration on the VPN Client, Easy VPN ISAKMP proposals include every combination of encryption and hash algorithms, authentication methods, and DH group sizes.

Step 3: The Cisco Easy VPN Server Accepts the SA Proposal

In this step, the Cisco Easy VPN Server accepts the SA proposal. ISAKMP policy is global for the Easy VPN Server and can consist of several proposals. In the case of multiple proposals, the Easy VPN Server uses the first match, so you should always have your most secure policies listed first. Device authentication ends and user authentication begins at this point.

Step 4: The Cisco Easy VPN Server Initiates a Username and Password Challenge

This step initiates a username and password challenge. The information that is entered is checked against authentication entities using authentication, authorization, and accounting (AAA) protocols such as RADIUS and TACACS+. Token cards can also be used via AAA proxy. VPN devices that are configured to handle remote VPN clients should always be configured to enforce user authentication.

Step 5: The Mode Configuration Process Is Initiated

This step initiates the mode configuration process. The remaining system parameters (IP address, Domain Name System [DNS], split tunnel attributes, and so on) are pushed to the VPN client at this time using mode configuration. The IP address is the only required parameter in a group profile; all other parameters are optional.

Step 6: The RRI Process Is Initiated

This step initiates the RRI process. RRI ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each VPN client.

Note
It is recommended that RRI be enabled on the dynamic crypto map when per-user IP addresses are used and when more than one Easy VPN Server is used. Redistributing RRI routes into an IGP allows the server site to properly find the return path to the clients.

Step 7: IPsec Quick Mode Completes the Connection

In this step, the IPsec quick mode completes the connection. The connection is complete after IPsec SAs have been created.
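
A small model of the first-match behaviour described in Step 3, added here as an illustration (not Cisco code), showing why a weak policy listed first wins even when a stronger one is configured. Assumptions: "listed first" is modelled as the lowest policy priority number, the strength ranking is a simplification chosen for this example, client proposals are limited to DH Group 2 as the requirements section states, and authentication method is left out; the policy lists are constructed.

```python
from itertools import product

# Assumed strength ordering, used only to rank policies in this example.
ENC_RANK = {"des": 0, "3des": 1, "aes": 2}
HASH_RANK = {"md5": 0, "sha": 1}

def client_proposals():
    """Every encryption/hash combination the client offers, all with DH group 2."""
    return set(product(ENC_RANK, HASH_RANK, [2]))

def select_policy(server_policies, proposals):
    """Return (priority, policy) for the first server policy, in priority
    order, that the client also proposed; None when nothing matches."""
    for prio in sorted(server_policies):
        if server_policies[prio] in proposals:
            return prio, server_policies[prio]
    return None

def strongest_matchable(server_policies, proposals):
    """The strongest server policy the client could have matched."""
    usable = [p for p in server_policies.values() if p in proposals]
    return max(usable, key=lambda p: (ENC_RANK[p[0]], HASH_RANK[p[1]]),
               default=None)

def ordering_is_safe(server_policies):
    """True when the first match is also the strongest matchable policy."""
    proposals = client_proposals()
    chosen = select_policy(server_policies, proposals)
    return (chosen is not None
            and chosen[1] == strongest_matchable(server_policies, proposals))

# Constructed policy lists: priority -> (encryption, hash, DH group).
WEAK_FIRST = {10: ("des", "md5", 2), 20: ("3des", "sha", 5), 30: ("aes", "sha", 2)}
STRONG_FIRST = {10: ("aes", "sha", 2), 20: ("3des", "sha", 2), 30: ("des", "md5", 2)}
```

In `WEAK_FIRST`, policy 20 is skipped because its Group 5 setting never matches the client, and policy 10 is selected although policy 30 is stronger.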

3.8 Configuring Easy VPN Server using Cisco SDM
3.8.1 Required Preparation

Before you start configuring the Cisco Easy VPN Server, prepare a VPN design for your network. The design requires that you prepare these parameters for your configuration: