27-5
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 27 Easy VPN
Understanding Easy VPN
Auto—The Easy VPN tunnel is established automatically when the Easy VPN configuration is
delivered to the device configuration file. If the tunnel times out or fails, the tunnel automatically
reconnects and retries indefinitely. This is the default option.
Traffic Triggered Activation—The Easy VPN tunnel is established whenever outbound local (LAN
side) traffic is detected. Traffic Triggered Activation is recommended for use with the Easy VPN
dial backup configuration so that backup is activated only when there is traffic to send across the
tunnel. When using this option, you must specify the Access Control List (ACL) that defines the
“interesting” traffic.
Note Manual tunnel activation is configured implicitly if you choose to configure the Xauth password
interactively. In this case, the device waits for a command before attempting to establish the Easy VPN
remote connection. When the tunnel times out or fails, subsequent connections also wait for the
command before reconnecting.
You configure the xauth and tunnel activation mode in the Client Connection Characteristics policy as
described in Configuring Client Connection Characteristics for Easy VPN, page 27-7.
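The following is an added example, not taken from this guide or from Security Manager output, of the IOS Easy VPN remote (hardware client) configuration that the three tunnel activation modes above correspond to. Device names, the group name, the ACL name, the peer address and all addresses are hypothetical placeholders; the angle-bracket values must be replaced with the real group key and Xauth password.

```cisco
! Added example (not from the guide): IOS Easy VPN remote configuration.
! All names and addresses are hypothetical.
!
! "Interesting" traffic for Traffic Triggered Activation: only LAN traffic
! destined for the corporate network brings the tunnel up, so a dial backup
! link is not dialed for local-only traffic.
ip access-list extended EZVPN-TRIGGER
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
!
crypto ipsec client ezvpn CORP-EZVPN
 group BRANCH-GROUP key <group-preshared-key>
 peer 203.0.113.10
 mode network-extension
 !
 ! Tunnel activation mode. Exactly one "connect" form is active; the other
 ! two are shown commented out for comparison:
 !   connect auto      -> Auto (default): tunnel comes up as soon as the
 !                        configuration is delivered and retries indefinitely
 !   connect manual    -> Manual: nothing happens until the operator runs
 !                        "crypto ipsec client ezvpn connect CORP-EZVPN"
 connect acl EZVPN-TRIGGER
 ! connect auto
 ! connect manual
 !
 ! Xauth credentials. "xauth userid mode local" uses the stored username
 ! and password, which is what allows auto or traffic-triggered activation.
 ! "xauth userid mode interactive" would prompt an operator for the password
 ! and therefore implicitly makes activation manual (see the Note above).
 username branch01 password <xauth-password>
 xauth userid mode local
!
interface FastEthernet0/0
 description LAN side
 ip address 192.168.10.1 255.255.255.0
 crypto ipsec client ezvpn CORP-EZVPN inside
!
interface FastEthernet0/1
 description WAN side
 ip address dhcp
 crypto ipsec client ezvpn CORP-EZVPN
```

The trade-off worth checking before choosing a mode: local Xauth credentials let the tunnel come up unattended, but they are stored in the device configuration, so anyone who can read the configuration (backups, TFTP archives, Security Manager exports) obtains the Xauth password; interactive mode avoids that at the cost of manual activation after every tunnel failure.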
Related Topics
Important Notes About Easy VPN Configuration, page 27-6
Understanding Easy VPN, page 27-1
Configuring Credentials Policy Objects, page 27-9
Overview of Configuring Easy VPN
When a remote client initiates a connection to a VPN server, device authentication between the peers
occurs using IKE, followed by user authentication using IKE Extended Authentication (Xauth), VPN
policy push (in Client, Network Extension, or Network Extension Plus mode), and IPsec security
association (SA) creation.
The following provides an overview of this process:
1. The client initiates IKE Phase 1 via aggressive mode if a preshared key is to be used for
authentication, or main mode if digital certificates are used. If the client identifies itself with a
preshared key, the accompanying user group name (defined during configuration) is used to identify
the group profile associated with this client. If digital certificates are used, the organizational unit
(OU) field of a distinguished name (DN) is used to identify the user group name. See PKI
Enrollment Dialog Box—Certificate Subject Name Tab, page 25-61.
Note Because the client may be configured for preshared key authentication, which initiates IKE
aggressive mode, the administrator should change the identity of the VPN device via the
crypto isakmp identity hostname command. This will not affect certificate authentication via
IKE main mode.
2. The client attempts to establish an IKE SA between its public IP address and the public IP address
of the VPN server. To reduce the amount of manual configuration on the client, every combination
of encryption and hash algorithms, in addition to authentication methods and D-H group sizes, is
proposed.
3. Depending on its IKE policy configuration, the VPN server determines which proposal is acceptable
to continue negotiating Phase 1.