27-12
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 27 Easy VPN
Configuring an IPsec Proposal for Easy VPN
Configuring Dynamic VTI for Easy VPN
Use the Dynamic VTI tab of the Easy VPN IPSec Proposal policy to configure a dynamic virtual tunnel
interface on a device in a hub-and-spoke Easy VPN topology. For more information, see Easy VPN with
Dynamic Virtual Tunnel Interfaces, page 27-2.
Note Dynamic VTI can be configured only on IOS routers running IOS version 12.4(2)T and later, except
7600 devices.
Navigation Path
(Site-to-Site VPN Manager Window, page24-18) Select an Easy VPN topology in the VPNs
selector, then select Easy VPN IPsec Proposal in the Policies selector. Click the Dynamic VTI tab.
(Policy view) Select Site-to-Site VPN > Easy VPN IPsec Proposal from the Policy Types selector.
Select an existing shared policy or create a new one. Click the Dynamic VTI tab.
Group Policy Lookup/AAA
Authorization Method
Supported on Cisco IOS routers only.
The AAA authorization method list that will be used to define the order
in which the group policies are searched. Group policies can be
configured on both the local server or on an external AAA server.
Remote users are grouped, so that when the remote client establishes a
successful connection to the VPN server, the group policies for that
particular user group are pushed to all clients belonging to the user
group.
Click Select to open a dialog box that lists all available AAA group
servers, and in which you can create AAA group server objects. Select
all that apply and use the up and down arrow buttons to put them in
priority order.
User Authentication
(Xauth)/AAA Authentication
Method
Supported on Cisco IOS routers and PIX 6.3 firewalls only.
The AAA or Xauth user authentication method used to define the order
in which user accounts are searched.
Xauth allows all AAA authentication methods to perform user
authentication in a separate phase after the IKE authentication phase 1
exchange. The AAA configuration list-name must match the Xauth
configuration list-name for user authentication to occur.
After the IKE SA is successfully established, and if the device is
configured for Xauth, the client waits for a username/password
challenge and then responds to the challenge of the peer. The
information that is entered is checked against authentication entities
using authentication, authorization, and accounting (AAA) protocols
such as RADIUS and TACACS+.
Click Select to open a dialog box that lists all available AAA group
servers, and in which you can create AAA group server objects. Select
all that apply and use the up and down arrow buttons to put them in
priority order.
Table27-3 Easy VPN IPsec Proposal Tab (Continued)
Element Description