IPSec Negotiation IKE Protocols

IOS Router : Auth-proxy Authentication Inbound with ACS for IPSec and VPN Client Configuration


The authentication proxy feature allows users to log in to a network or access the Internet via HTTP, with their specific access profiles automatically retrieved and applied from a TACACS+ or RADIUS server. The user profiles are active only when there is active traffic from the authenticated users.

This configuration is designed to bring up the web browser on and aim it at Because the VPN Client is configured to go through tunnel end-point to get to the 10.17.17.x network, the IPSec tunnel is built and the PC gets the IP address out of the pool RTP-POOL (since mode-configuration is performed). Authentication is then requested by the Cisco 3640 Router. After the user enters a username and password (stored on the TACACS+ server at, the access list passed down from the server gets added to access list 118.



Before attempting this configuration, ensure that you meet these requirements:

  • Cisco VPN Client is configured to establish an IPSec tunnel with the Cisco 3640 Router.

  • The TACACS+ server is configured for authentication proxy. See the Related Information