27-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 27 Easy VPN
Understanding Easy VPN
Easy VPN Configuration Modes, page 27-3
Easy VPN and IKE Extended Authentication (Xauth), page 27-4
Overview of Configuring Easy VPN, page 27-5
Important Notes About Easy VPN Configuration, page 27-6
Easy VPN with Dial Backup
Dial backup for Easy VPN allows you to configure a dial backup tunnel connection on your remote client device. The backup feature is activated only when real traffic is ready to be sent, eliminating the need for expensive dialup or ISDN links that must be created and maintained even when there is no traffic.
Note: Easy VPN dial backup can be configured only on remote clients that are routers running IOS version 12.3(14)T or later.
In an Easy VPN configuration, when a remote device attempts to connect to the server and the tracked IP is no longer accessible, the primary connection is torn down and a new connection is established over the Easy VPN backup tunnel to the server. If the primary hub cannot be reached, the primary configuration switches to the failover hub with the same primary configuration and not to the backup configuration.
Only one backup configuration is supported for each primary Easy VPN configuration. Each inside interface must specify the primary and backup Easy VPN configuration. IP static route tracking must be configured for dial backup to work on an Easy VPN remote device. The object tracking configuration is independent of the Easy VPN remote dial backup configuration. The object tracking details are specified in the spoke's Edit Endpoints dialog box.
For more information about dial backup, see Configuring Dial Backup, page 24-39.
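The dial backup behaviour described above, shown as an added Cisco IOS configuration for an Easy VPN remote router. This is an illustrative example written for this page, not configuration taken from the Security Manager guide or generated by Security Manager itself. The profile names (PRIMARY, BACKUP, HW-GROUP), interface names, addresses, the IP SLA and track numbers are all constructed placeholders, the group key is a placeholder to be replaced, and the IP SLA command spelling is assumed to be that of newer IOS releases (older 12.3T images use the rtr keyword instead).

```cisco
! Added example, not from the guide. Names, addresses and numbers are
! constructed placeholders; the group key must be replaced.
!
! 1. Object tracking. The static route tracking the guide requires is
!    built from an IP SLA probe toward the primary hub plus a tracked
!    object that follows the probe's reachability state.
!    (Assumed newer-release syntax; 12.3(14)T spells these commands
!    "rtr 3 ... " and "track 123 rtr 3 reachability".)
ip sla 3
 icmp-echo 203.0.113.1
 frequency 10
ip sla schedule 3 life forever start-time now
!
track 123 ip sla 3 reachability
!
! 2. Backup Easy VPN profile. It is bound to the dial interface and is
!    used only when the tracked object goes down.
crypto ipsec client ezvpn BACKUP
 connect auto
 group HW-GROUP key REPLACE-WITH-GROUP-KEY
 mode client
 peer 203.0.113.1
!
! 3. Primary profile with two hubs. If 203.0.113.1 cannot be reached the
!    remote moves to the failover hub 203.0.113.2 with this same profile;
!    the BACKUP profile is brought up instead only when track 123 is down.
!    Only one backup profile may be named per primary profile.
crypto ipsec client ezvpn PRIMARY
 connect auto
 group HW-GROUP key REPLACE-WITH-GROUP-KEY
 mode client
 peer 203.0.113.1
 peer 203.0.113.2
 backup BACKUP track 123
!
! 4. Every inside interface names both the primary and the backup profile.
interface FastEthernet0/0
 description LAN
 ip address 192.168.10.1 255.255.255.0
 crypto ipsec client ezvpn PRIMARY inside
 crypto ipsec client ezvpn BACKUP inside
!
! 5. Outside interfaces: the primary WAN link and the dial backup link.
!    (The physical BRI/async member of dialer pool 1 is not shown.)
interface FastEthernet0/1
 description primary WAN
 ip address 198.51.100.2 255.255.255.252
 crypto ipsec client ezvpn PRIMARY
!
interface Dialer1
 description ISDN/dial backup link
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 crypto ipsec client ezvpn BACKUP
!
dialer-list 1 protocol ip permit
!
! 6. Tracked static default route over the primary WAN. The floating
!    route via Dialer1 (administrative distance 250) is installed only
!    while track 123 is down, so the dial link is not brought up and
!    paid for while the primary path is healthy.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 123
ip route 0.0.0.0 0.0.0.0 Dialer1 250
```

Two details worth checking on a deployed spoke: both ezvpn profiles must appear on the inside interface (otherwise traffic is not redirected to the backup tunnel after failover), and the tracked object must reference a probe that is scheduled; an unscheduled IP SLA entry leaves the track permanently down and the router sitting on the dial link.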
Easy VPN with High Availability
You can configure High Availability (HA) on devices in an Easy VPN topology. High Availability provides automatic device backup when configured on Cisco IOS routers or Catalyst 6500/7600 devices that run IP over LANs. You can create an HA group made up of two or more hub devices in your Easy VPN that use Hot Standby Routing Protocol (HSRP) to provide transparent, automatic device failover.
For more information, see Configuring High Availability in Your VPN Topology, page 24-49.
Easy VPN with Dynamic Virtual Tunnel Interfaces
The IPsec virtual tunnel interface (VTI) feature simplifies the configuration of GRE tunnels that need to be protected by IPsec for remote access links. A VTI is an interface that supports IPsec tunneling, and allows you to apply interface commands directly to the IPsec tunnels. The configuration of a virtual tunnel interface reduces overhead as it does not require a static mapping of IPsec sessions to a particular physical interface where the crypto map is applied.
IPsec VTIs support both unicast and multicast encrypted traffic on any physical interface, such as in the case of multiple paths. Traffic is encrypted or decrypted when it is forwarded from or to the tunnel interface and is managed by the IP routing table. Dynamic or static IP routing can be used to route the traffic to the virtual interface. Using IP routing to forward traffic to the tunnel interface simplifies IPsec