27-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 27 Easy VPN
Understanding Easy VPN
Note All modes of operation also support split tunneling, which sends traffic for corporate resources
through the VPN tunnel while Internet-bound traffic goes directly to the ISP or other service (so the
corporate network is no longer in the path for web access). Traffic that bypasses the tunnel also
bypasses whatever inspection or filtering the corporate network applies.
You configure the mode in the Client Connection Characteristics policy as described in Configuring
Client Connection Characteristics for Easy VPN, page 27-7.
Related Topics
Important Notes About Easy VPN Configuration, page 27-6
Understanding Easy VPN, page 27-1
Easy VPN and IKE Extended Authentication (Xauth)
When tunnel parameters are negotiated to establish IPsec tunnels in an Easy VPN configuration, IKE
Extended Authentication (Xauth) adds another level of authentication that identifies the user who
requests the IPsec connection. If the VPN server is configured for Xauth, the client waits for a
username/password challenge after the IKE (phase 1) security association (SA) has been established and
before the IPsec SAs are negotiated. When the end user responds to the challenge, the response is
forwarded to the IPsec peer (the VPN server) for this additional level of authentication.
The information that is entered is checked against authentication entities using authentication,
authorization, and accounting (AAA) protocols such as RADIUS and TACACS+. Token cards may also
be used via AAA proxy. During Xauth, a user-specific attribute can be retrieved if the credentials of that
user are validated via RADIUS.
Note VPN servers that are configured to handle remote clients should always be configured to enforce user
authentication.
Security Manager allows you to save the Xauth username and password on the device itself so that you do
not need to enter them manually each time the Easy VPN tunnel is established. The credentials are saved
in the device's configuration file and used each time the tunnel is established.
Saving the credentials in the device’s configuration file is typically used if the device is shared between
several PCs and you want to keep the VPN tunnel up all the time, or if you want the device to
automatically bring up the tunnel whenever there is traffic to be sent.
Saving the credentials in the device's configuration file, however, creates a security risk: anyone who
can read the device configuration (for example, through show running-config, a configuration backup, or
an archive server) can obtain the username and password. The alternative is to enter the username and
password manually each time Xauth is requested. You can select whether to enter the credentials in a web
browser window or at the router console. With web-based interaction, a login page is returned in which
you enter the credentials to authenticate the VPN tunnel. After the VPN tunnel comes up, all users behind
the remote site can access the corporate LAN without being prompted again for the username and password.
Alternatively, you can choose to bypass the VPN tunnel and connect only to the Internet, in which case no
password is required.
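The following script is an added example, not part of this guide or of Security Manager, that makes the risk concrete: it audits an IOS running-config for Easy VPN client profiles that keep the Xauth username and password in the configuration. The IOS command syntax it parses (crypto ipsec client ezvpn, username/password, group/key, xauth userid mode, connect) is real; the sample configuration, hostnames, profile names and secrets are constructed for the example. Because IOS stores such passwords either in clear text or as "type 7" strings, which are a fixed-key XOR with a publicly known key rather than encryption, the script recovers the plaintext the same way anyone with a copy of the config could.

```python
"""Audit an IOS config for Easy VPN client profiles that store Xauth credentials.

Added example (not Cisco's code). The config text at the bottom is constructed.
"""
import re

# Cisco "type 7" passwords are a fixed-key XOR, not encryption; the key is
# public, so any type 7 string in a config is recoverable by whoever reads it.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(enc: str) -> str:
    """Recover the plaintext of a type 7 string (two-digit seed + hex bytes)."""
    seed = int(enc[:2])
    chars = []
    for j, i in enumerate(range(2, len(enc), 2)):
        keyed = ord(TYPE7_KEY[(seed + j) % len(TYPE7_KEY)])
        chars.append(chr(int(enc[i:i + 2], 16) ^ keyed))
    return "".join(chars)


def type7_encode(plain: str, seed: int = 8) -> str:
    """Produce a type 7 string, as IOS does under 'service password-encryption'."""
    out = [f"{seed:02d}"]
    for j, ch in enumerate(plain):
        out.append(f"{ord(ch) ^ ord(TYPE7_KEY[(seed + j) % len(TYPE7_KEY)]):02X}")
    return "".join(out)


# Sub-commands of a "crypto ipsec client ezvpn" profile that matter here.
_HEADER = re.compile(r"^crypto ipsec client ezvpn (\S+)$")
_USERNAME = re.compile(r"^username (\S+) password(?: ([07]))? (\S+)$")
_GROUP = re.compile(r"^group (\S+) key(?: ([07]))? (\S+)$")
_XAUTH_MODE = re.compile(r"^xauth userid mode (\S+)$")
_CONNECT = re.compile(r"^connect (\S+)$")


def _plaintext(kind, value):
    """Type 7 is decoded; type 0 or an untyped value is already plaintext."""
    return type7_decode(value) if kind == "7" else value


def audit_ezvpn(config: str) -> list:
    """Return one finding (dict) per Easy VPN client profile in the config."""
    findings = []
    current = None
    for raw in config.splitlines():
        header = _HEADER.match(raw)           # profile headers are unindented
        if header:
            current = {"profile": header.group(1), "connect": None,
                       "xauth_mode": None, "username": None,
                       "xauth_password": None, "group_key": None}
            findings.append(current)
            continue
        if current is None or not raw.startswith(" "):
            current = None                    # left the profile block
            continue
        line = raw.strip()
        if m := _USERNAME.match(line):
            current["username"] = m.group(1)
            current["xauth_password"] = _plaintext(m.group(2), m.group(3))
        elif m := _GROUP.match(line):
            current["group_key"] = _plaintext(m.group(2), m.group(3))
        elif m := _XAUTH_MODE.match(line):
            current["xauth_mode"] = m.group(1)
        elif m := _CONNECT.match(line):
            current["connect"] = m.group(1)
    for f in findings:
        # The page's risk: credentials present in the config are recoverable.
        f["credentials_in_config"] = f["xauth_password"] is not None
    return findings


# Constructed sample: one profile stores Xauth credentials (type 7), the other
# prompts the user through the web-intercept login page instead.
SAMPLE_CONFIG = """\
hostname branch-rtr
!
crypto ipsec client ezvpn BRANCH-STORED
 connect auto
 group BRANCH-GROUP key 7 0509140E2F4F46190A0E
 mode client
 peer 192.0.2.1
 username branch-user password 7 0822455D0A16
 xauth userid mode local
!
crypto ipsec client ezvpn BRANCH-PROMPT
 connect manual
 group BRANCH-GROUP key 0 groupsecret
 mode network-extension
 peer 192.0.2.1
 xauth userid mode http-intercept
!
interface FastEthernet0
 crypto ipsec client ezvpn BRANCH-STORED
!
"""

if __name__ == "__main__":
    for finding in audit_ezvpn(SAMPLE_CONFIG):
        flag = "HIGH" if finding["credentials_in_config"] else "ok"
        print(f"[{flag}] {finding}")
```

Run it against a saved running-config to list every profile whose Xauth password (and group pre-shared key) can be read straight out of the file; a profile that uses xauth userid mode http-intercept or interactive carries no stored Xauth password and is reported as clean. The decode routine is the standard type 7 algorithm, so the same check applies to any other type 7 secret in the config.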
Easy VPN Tunnel Activation
If the device credentials (Xauth username and password) are stored on the device itself, you must select
a tunnel activation method for IOS router clients. Two options are available: