27-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 27 Easy VPN
Understanding Easy VPN
Note Device authentication ends and user authentication begins at this point.
4. After the IKE SA is successfully established, and if the VPN server is configured for Xauth, the client waits for a “username/password” challenge and then responds to the challenge of the peer. The information that is entered is checked against authentication entities using authentication, authorization, and accounting (AAA) protocols such as RADIUS and TACACS+. Token cards may also be used via AAA proxy. During Xauth, a user-specific attribute can be retrieved if the credentials of that user are validated via RADIUS.
Note VPN servers that are configured to handle remote clients should always be configured to enforce user authentication.
5. If the server indicates that authentication was successful, the client requests further configuration parameters from the peer. The remaining system parameters (for example, IP address, DNS, and split tunnel attributes) are pushed to the client using client or network extension mode configuration.
Note The IP address pool and group preshared key (if Rivest, Shamir, and Adleman [RSA] signatures are not being used) are the only required parameters in a group profile. All other parameters are optional.
6. After each client is assigned an internal IP address via mode configuration, Reverse Route Injection (RRI), if configured, ensures that a static route is created on the device for each client internal IP address.
7. IKE quick mode is initiated to negotiate and create IPsec SAs.
The connection is complete.
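The following Cisco IOS server-side configuration is an added example, not taken from this guide or generated by Security Manager; it shows how steps 4 through 7 map onto CLI commands (Xauth list, group profile with the required pool and preshared key, mode configuration, RRI, and the crypto map on the outside interface). All names, addresses, and the interface are assumed values, and the key is a placeholder.

```cisco
! --- Step 4: Xauth against AAA (RADIUS first, local fallback) ---
aaa new-model
aaa authentication login EZVPN-XAUTH group radius local
aaa authorization network EZVPN-GROUP local

! --- ISAKMP policy for the IKE SA (aggressive mode with group key) ---
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2

! --- Step 5: group profile pushed by mode configuration ---
! The pool and the group key are the only required entries; dns and the
! split-tunnel acl are optional attributes.
crypto isakmp client configuration group REMOTE-USERS
 key <GROUP-PRESHARED-KEY-PLACEHOLDER>
 pool EZVPN-POOL
 dns 10.0.0.10
 acl 150
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.254
access-list 150 permit ip 10.0.0.0 0.0.0.255 any

! --- Step 7: IPsec SA parameters, with RRI for step 6 ---
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map EZVPN-DYN 10
 set transform-set ESP-AES-SHA
 reverse-route

! Enforce user authentication and mode configuration on the map.
crypto map EZVPN client authentication list EZVPN-XAUTH
crypto map EZVPN isakmp authorization list EZVPN-GROUP
crypto map EZVPN client configuration address respond
crypto map EZVPN 10 ipsec-isakmp dynamic EZVPN-DYN

! Apply the map to the external (assumed) interface, never the NAT inside interface.
interface FastEthernet0/0
 crypto map EZVPN
```

Omitting the `client authentication list` line leaves the server relying on the group key alone, which is the condition the note above warns against.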
Important Notes About Easy VPN Configuration
Before you configure an Easy VPN policy in your topology, you should know the following:
In an Easy VPN topology configuration, deployment fails if a 72xx series router is used as a remote client device. The Easy VPN client is supported on PIX 501, 506, 506E Firewalls running PIX 6.3, Cisco 800-3900 Series routers, and ASA 5505 devices running ASA Software release 7.2 or later.

If you try to configure a Public Key Infrastructure (PKI) policy on a PIX 6.3 remote client in an Easy VPN topology configuration, deployment fails. For successful deployment on this device, you must first issue the PKI certificate on the CA server, and then try again to deploy the device. For more information about PKI policies, see Understanding Public Key Infrastructure Policies, page 25-47.

In some cases, deployment fails on a device that serves as an Easy VPN client if the crypto map is configured on the NAT (or PAT) internal interface instead of the external interface. On some platforms, the inside and outside interfaces are fixed. For example, on a Cisco 1700 series router the VPN interface must be the device’s FastEthernet0 interface. On a Cisco 800 series router the VPN interface could be either the device’s Ethernet0 or Dialer1 interface, depending on the configuration. On a Cisco uBR905/uBR925 cable access router, the VPN interface must be the Ethernet0 interface.