29-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 29 Managing Remote Access VPNs: The Basics
Understanding Remote Access VPNs
Understanding Remote Access IPSec VPNs
Remote access IPSec VPNs permit secure, encrypted connections between a company’s private network
and remote users, by establishing an encrypted IPSec tunnel across the Internet using broadband cable,
DSL, dial-up, or other connections.
A remote access IPSec VPN consists of a VPN client and a VPN headend device, or VPN gateway. The
VPN client software resides on a user’s workstation and initiates the VPN tunnel access to the corporate
network. At the other end of the VPN tunnel is the VPN gateway at the edge of the corporate site.
When a VPN client initiates a connection to the VPN gateway, the negotiation proceeds in stages: the
two devices first authenticate each other through Internet Key Exchange (IKE), followed by user
authentication using IKE Extended Authentication (Xauth). Next, the group profile is pushed to the VPN
client using mode configuration, and an IPsec security association (SA) is created to complete the VPN connection.
Tip For a remote access IPsec VPN hosted on an ASA 8.4(x) device, you have the option of configuring IKE
version 2 (IKEv2). If you decide to use IKEv2, you must configure several SSL VPN policies in addition
to the regular IPsec policies. The user also must use the AnyConnect 3.0+ VPN client to make an IKEv2
connection. For more information, see Creating IPSec VPNs Using the Remote Access VPN
Configuration Wizard (ASA and PIX 7.0+ Devices), page 29-24.
For remote access IPsec VPNs, AAA (authentication, authorization, and accounting) controls access. With
user authentication, a valid user name and password must be entered before the connection is completed.
User names and passwords can be stored on the VPN device itself, or on an external AAA server that can in
turn authenticate against other user databases. For more information on using AAA servers, see
Understanding AAA Server and Server Group Objects, page 6-24.
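The negotiation sequence described above (IKE device authentication, Xauth user authentication, mode configuration, IPsec SA) and the choice between local and external AAA authentication correspond to the following IKEv1 remote access configuration for an ASA 8.4(x). This is an added example, not text from the original guide and not CLI generated by Security Manager; the policy, group, pool and server names, the addresses, and the keys are placeholders chosen for illustration.

```cisco
! Constructed example: IKEv1 remote access IPsec on ASA 8.4(x).
! All names, addresses and key values are placeholders.

! 1. Device authentication: IKEv1 Phase 1 policy and the group pre-shared key
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! 2. User authentication (Xauth): external RADIUS server group,
!    with the local user database as fallback if RADIUS is unreachable
aaa-server RA-AAA protocol radius
aaa-server RA-AAA (inside) host 10.10.10.5
 key <radius-shared-secret>
username ra-user password <local-password> privilege 0

! 3. Mode configuration: the group profile pushed to the client
!    (assigned address, split-tunnel list, DNS server)
ip local pool RA-POOL 10.20.30.1-10.20.30.254 mask 255.255.255.0
access-list RA-SPLIT standard permit 10.0.0.0 255.0.0.0
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT
 dns-server value 10.10.10.53

! The tunnel group ties the AAA group, the pool and the group policy
! to the pre-shared key the clients present in step 1
tunnel-group RA-GROUP type remote-access
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
 authentication-server-group RA-AAA LOCAL
 default-group-policy RA-GP
tunnel-group RA-GROUP ipsec-attributes
 ikev1 pre-shared-key <group-key>

! 4. IPsec SA: transform set and a dynamic crypto map, because
!    remote clients connect from addresses the gateway does not know in advance
crypto ipsec ikev1 transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RA-DYN 10 set ikev1 transform-set RA-TS
crypto dynamic-map RA-DYN 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN
crypto map OUTSIDE-MAP interface outside
```

Two points a practitioner would check in a configuration of this shape. First, `authentication-server-group RA-AAA LOCAL` means every user authentication is attempted against RADIUS and the local database is consulted only when the RADIUS group is unreachable, so local accounts should be limited to what is needed for that fallback. Second, the `ikev1 pre-shared-key` is shared by every client in the tunnel group; it authenticates the device in step 1, not the user, which is why the Xauth step in step 2 is mandatory. A NAT exemption for the client pool is also required on the ASA and is omitted here.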
Note Site-to-site Easy VPN topologies use some of the same policies and policy objects that are used in
remote access IPsec VPNs, but the policies are kept distinct from the remote access policies. In Easy
VPN, the remote clients are hardware clients, such as routers, whereas in remote access IPSec VPNs,
remote clients are workstations or other devices that use VPN client software. For more information, see
Understanding Easy VPN, page 27-1.
Related Topics
Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (ASA and PIX 7.0+
Devices), page 29-24
Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (IOS and PIX 6.3
Devices), page 29-35
Overview of Remote Access VPN Policies, page 29-9
Discovering Remote Access VPN Policies, page 29-12
Understanding Remote Access SSL VPNs
An SSL VPN lets users access enterprise networks from any Internet-enabled location. Users can make
clientless connections, which use only a Web browser that natively supports Secure Sockets Layer (SSL)
encryption, or they can make connections using a full client (such as AnyConnect) or a thin client.