27-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 27 Easy VPN
Understanding Easy VPN
VPN configuration compared to the more complex process of using access control lists (ACLs) with a
crypto map. Dynamic VTIs function like any other real interface so that you can apply quality of service
(QoS), firewall, and other security services as soon as the tunnel is active.
Dynamic VTIs use a virtual template infrastructure for dynamic instantiation and management of IPsec
interfaces. In an Easy VPN topology, Security Manager implicitly creates the virtual template interface
for the device. If the device is a hub, the user must provide the IP address on the hub that will be used
as the virtual template interface—this can be a subnet (pool of addresses) or an existing loopback or
physical interface. On a spoke, the virtual template interface is created without an IP address.
In Security Manager, you configure Dynamic VTI in the Easy VPN IPsec Proposal page. See
Configuring Dynamic VTI for Easy VPN, page 27-12.
Notes
Dynamic VTI can be configured only in a hub-and-spoke Easy VPN topology on routers running
IOS version 12.4(2)T and later, except 7600 devices. It is not supported on PIX Firewalls, ASA
devices, or Catalyst 6000 series switches.
Not every hub or spoke needs Dynamic VTI configuration during discovery or provisioning. You can
extend an existing Easy VPN topology (including routers that do not support dVTI) by adding routers
that support dVTI.
Dynamic VTI can be configured on servers only, on clients only (if the server does not support
dVTI), or on both clients and servers.
You cannot configure High Availability on hubs/servers that have been configured with dVTI.
You can also configure Dynamic VTI in remote access VPNs. For more information, see
Configuring Dynamic VTI/VRF Aware IPsec in Remote Access VPNs (IOS Devices), page 32-7.
Easy VPN Configuration Modes
Easy VPN can be configured in three modes—Client, Network Extension, and Network Extension Plus.
Client mode—The default configuration that allows devices at the client site to access resources at
the central site, but disallows access to the central site for resources at the client site. In client mode,
a single IP address is pushed to the remote client from the server when the VPN connection is
established. This address is typically a routable address in the private address space of the customer
network. All traffic passing across the Easy VPN tunnel undergoes Port Address Translation (PAT)
to that single pushed IP address.
Network Extension mode—Allows users at the central site to access the network resources at the
client site, and allows the client PCs and hosts direct access to the PCs and hosts at the central site.
Network Extension mode specifies that the hosts at the client end of the VPN tunnel should be given
IP addresses that are fully routable and reachable by the destination network. The devices at both
ends of the connection will form one logical network. PAT is not used, so the hosts at the client end
have direct access to the hosts at the destination network. In other words, the Easy VPN server (the
hub) gives routable addresses to the Easy VPN client (the spoke), while the whole LAN behind the
client will not undergo PAT.
Network Extension Plus mode—An enhancement to Network Extension mode, which can be
configured only on IOS routers. It enables an IP address that is received via mode configuration to
be automatically assigned to an available loopback interface. This IP address can be used for
connecting to your router for remote management and troubleshooting (ping, Telnet, and Secure
Shell). If you select this option and some clients are not IOS routers, those clients are configured in
Network Extension mode.
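The following IOS configuration is an added example, not CLI taken from this guide or from the configuration Security Manager generates. It shows, on the devices themselves, what the Dynamic VTI and configuration-mode descriptions above correspond to: on the hub, a virtual template whose address is borrowed from a loopback (the "existing loopback interface" option) and an address pool handed to clients; on the spoke, a virtual template created without an IP address, and the Easy VPN client mode keyword that selects Client, Network Extension, or Network Extension Plus. All names, addresses, group names, and the pre-shared-key placeholder are assumptions constructed for the example.

```cisco
! ===== Hub / Easy VPN server (constructed example) =====
aaa new-model
aaa authentication login EZVPN-AUTH local
aaa authorization network EZVPN-AUTHZ local
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
!
! Group attributes pushed to clients in mode configuration
crypto isakmp client configuration group EZVPN-GROUP
 key REPLACE-WITH-PRESHARED-KEY
 pool EZVPN-POOL
!
! Addresses pushed to clients (Client mode uses one of these for PAT)
ip local pool EZVPN-POOL 10.0.1.1 10.0.1.254
!
crypto isakmp profile EZVPN-PROF
 match identity group EZVPN-GROUP
 client authentication list EZVPN-AUTH
 isakmp authorization list EZVPN-AUTHZ
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set EZVPN-TS esp-aes esp-sha-hmac
!
crypto ipsec profile EZVPN-IPSEC
 set transform-set EZVPN-TS
 set isakmp-profile EZVPN-PROF
!
! The hub side of the dVTI must have an address: here it is borrowed
! from a loopback rather than taken from a subnet pool.
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Each connecting spoke gets a Virtual-Access interface cloned from this
! template; firewall, QoS, and other services are applied here.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
!
! ===== Spoke / Easy VPN remote (constructed example) =====
crypto ipsec client ezvpn EZVPN-CLIENT
 connect auto
 group EZVPN-GROUP key REPLACE-WITH-PRESHARED-KEY
 ! Choose one: client | network-extension | network-plus
 mode network-extension
 peer 192.0.2.1
 ! Bind the Easy VPN connection to the dynamic virtual template below
 virtual-interface 1
!
! On the spoke the virtual template is created without an IP address.
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface FastEthernet0/0
 ip address 192.0.2.10 255.255.255.0
 crypto ipsec client ezvpn EZVPN-CLIENT outside
!
interface FastEthernet0/1
 ip address 10.0.2.1 255.255.255.0
 crypto ipsec client ezvpn EZVPN-CLIENT inside
```

Switching the spoke's `mode` line to `client` makes the hub push a single pool address and the spoke PAT all tunnel traffic to it; `network-plus` additionally places the pushed address on a spoke loopback for remote management, as described above. Because each spoke session becomes a Virtual-Access interface cloned from `Virtual-Template1` on the hub, any access list or service policy attached to the template applies the moment the tunnel comes up, which is the operational advantage the Dynamic VTI section describes.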