Cisco Router and Security Device Manager 2.5 User Guide
Easy VPN Remote
Table Of Contents

Easy VPN Remote

Creating an Easy VPN Remote Connection

Create Easy VPN Remote Reference

Create Easy VPN Remote

Configure an Easy VPN Remote Client

Easy VPN Remote Wizard: Network Information

Easy VPN Remote Wizard: Identical Address Configuration

Easy VPN Remote Wizard: Interfaces and Connection Settings

Easy VPN Remote Wizard: Server Information

Easy VPN Remote Wizard: Authentication

Easy VPN Remote Wizard: Summary of Configuration

Administering Easy VPN Remote Connections

Editing an Existing Easy VPN Remote Connection

Creating a New Easy VPN Remote Connection

Deleting an Easy VPN Remote Connection

Resetting an Established Easy VPN Remote Connection

Connecting to an Easy VPN Server

Connecting other Subnets to the VPN Tunnel

Administering Easy VPN Remote Reference

Edit Easy VPN Remote

Add or Edit Easy VPN Remote

Add or Edit Easy VPN Remote: General Settings

Network Extension Options

Add or Edit Easy VPN Remote: Easy VPN Settings

Add or Edit Easy VPN Remote: Authentication Information

Add or Edit Easy VPN Remote: Easy VPN Client Phase III Authentication

Add or Edit Easy VPN Remote: Interfaces and Connections

Add or Edit Easy VPN Remote: Identical Addressing

Easy VPN Remote: Add a Device

Enter SSH Credentials

XAuth Login Window

Other Procedures

How Do I Edit an Existing Easy VPN Connection?

How Do I Configure a Backup for an Easy VPN Connection?


Easy VPN Remote


Cable modems, xDSL routers, and other forms of broadband access provide high-performance connections to the Internet, but many applications also require the security of VPN connections that perform a high level of authentication and that encrypt the data between two particular endpoints. However, establishing a VPN connection between two routers can be complicated and typically requires tedious coordination between network administrators to configure the VPN parameters of the two routers.

The Cisco Easy VPN Remote feature eliminates much of this tedious work by implementing Cisco Unity Client Protocol, which allows most VPN parameters to be defined at a Cisco IOS Easy VPN server. This server can be a dedicated VPN device, such as a Cisco VPN 3000 concentrator or a Cisco PIX Firewall or a Cisco IOS router that supports the Cisco Unity Client Protocol.

After the Cisco Easy VPN server has been configured, a VPN connection can be created with minimal configuration on an Easy VPN remote, such as a Cisco 800 series router or a Cisco 2800 series router. When the Easy VPN remote initiates the VPN tunnel connection, the Cisco Easy VPN server pushes the IPsec policies to the Easy VPN remote and creates the corresponding VPN tunnel connection.

The Cisco Easy VPN Remote feature provides for automatic management of the following details:

Negotiating tunnel parameters, such as addresses, algorithms, and lifetime.

Establishing tunnels according to the parameters that were set.

Automatically creating the NAT or Port Address Translation (PAT) and associated access lists that are needed, if any.

Authenticating users, that is, ensuring that users are who they say they are by way of usernames, group names, and passwords.

Managing security keys for encryption and decryption.

Cisco SDM provides a wizard that guides you through Easy VPN Remote configuration. You can also edit an existing configuration using Easy VPN Remote edit screens.

This chapter contains the following sections:

Creating an Easy VPN Remote Connection

Administering Easy VPN Remote Connections

Other Procedures

Creating an Easy VPN Remote Connection

Create an Easy VPN Remote connection by using the Easy VPN Remote wizard. Complete these steps:


Step 1 If you want to review the IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. The preview screen allows you to cancel the configuration if you want to.

Step 2 On the Cisco SDM toolbar, click Configure.

Step 3 On the Cisco SDM category bar, click VPN.

Step 4 In the VPN tree, choose Easy VPN Remote.

Step 5 In the Create Easy VPN Remote tab, complete any recommended tasks that are displayed by clicking the link for the task. Cisco SDM either completes the task for you, or displays the necessary configuration screens for you to make settings in.

Step 6 Click Launch Easy VPN Remote Wizard to begin configuring the connection.

Step 7 Make configuration settings in the wizard screens. Click Next to go from the current screen to the next screen. Click Back to return to a screen you have previously visited.

Step 8 Cisco SDM displays the Summary screen when you have completed the configuration. Review the configuration. If you need to make changes, click Back to return to the screen in which you need to make changes, then return to the Summary screen.

Step 9 If you want to test the connection after sending the configuration to the router, check Test the connectivity after configuring. After you click Finish, Cisco SDM tests the connection and displays the test results in another screen.

Step 10 To send the configuration to the router, click Finish.

Step 11 If you checked Preview commands before delivering to router in the Edit Preferences screen, the Cisco IOS CLI commands that you are sending are displayed. Click OK to send the configuration to the router, or click Cancel to discard it. If you did not make this setting, clicking Finish sends the configuration to the router.


The section Create Easy VPN Remote Reference contains detailed information about the screens you use.

Create Easy VPN Remote Reference

The following topics describe the Create Easy VPN Remote screens:

Create Easy VPN Remote

Configure an Easy VPN Remote Client

Easy VPN Remote Wizard: Network Information

Easy VPN Remote Wizard: Identical Address Configuration

Easy VPN Remote Wizard: Interfaces and Connection Settings

Easy VPN Remote Wizard: Server Information

Easy VPN Remote Wizard: Authentication

Easy VPN Remote Wizard: Summary of Configuration

Create Easy VPN Remote

Cisco SDM allows you to configure your router as a client to an Easy VPN server or concentrator. Your router must be running a Cisco IOS software image that supports Easy VPN Phase II. The Create Easy VPN Remote tab enables you to launch the Easy VPN Remote wizard.

To be able to complete the configuration, you must have the following information ready.

Easy VPN server's IP address or hostname

IPSec group name

Key

Whether or not there are devices on the local network with IP addresses that conflict with addresses used in networks that the Easy VPN Remote client will connect to.

Field Reference

Table 12-1 describes the fields in this screen.

Table 12-1 Create Easy VPN Remote Tab Fields

Element
Description

Use Case Scenario

This area displays a network diagram that depicts the type of connection that the wizard enables you to configure.

Recommended Tasks

This area describes recommended tasks to complete before beginning the Easy VPN Remote configuration. Click the link for a particular task to complete it.

If the Cisco IOS image on the router is version 12.4(9)T or later, Cisco SDM displays the recommended task Enable DNS if DNS is not enabled on the router so that a Split DNS configuration, if pushed by the server, will work.

Launch Easy VPN Remote Wizard

Click Launch Easy VPN Remote Wizard to start the wizard.


Configure an Easy VPN Remote Client

This wizard guides you through the configuration of an Easy VPN Remote Phase II Client.


Note If the router is not running a Cisco IOS image that supports Easy VPN Remote Phase II or later, you will not be able to configure an Easy VPN client.


Easy VPN Remote Wizard: Network Information

In this screen, indicate whether or not there are IP addresses in the local network that overlap with IP addresses in networks that the router connects to through the Easy VPN server. Also, indicate if there are devices on the local network that must be reached from those networks.


Note This screen is displayed when the Cisco IOS image on the router is version 12.4(11)T or later.


Field Reference

Table 12-2 describes the fields in this screen.

Table 12-2 Network Information Fields 

Element
Description
Client IP Addressing

Does your client location have an addressing scheme that might overlap with other client locations?

Yes—Click Yes if devices on your local network use IP addresses that are also used by devices in other networks that the router will connect to through the Easy VPN Server. For example, printers on the local network may use IP addresses that are used by devices in the peer network. If you click Yes, Cisco SDM displays the Device Reachability fields.

No—Click No if devices on the local network do not use IP addresses that are also used in networks that the router connects to through the Easy VPN server.

Device Reachability

Do you have devices at your client location that must be reached from the server-side networks or other client locations?

Yes—Click Yes if there are devices on the local network, such as printers, that must be reached from networks that the router connects to through the Easy VPN server.

No—Click No if there are no devices that must be reached from networks that the router connects to through the Easy VPN server.


Easy VPN Remote Wizard: Identical Address Configuration

In this screen, enter the local and global IP addresses of the devices that must be reached from networks that the router connects to through the Easy VPN server.

Field Reference

Table 12-3 describes the fields in this screen.

Table 12-3 Identical Address Configuration Fields 

Element
Description
Accessible Devices

Device Local IP

The local IP address of a device that is identified as a device that must be reached by other networks.

Device Global IP

The global IP address given to a device that is identified as a device that must be reached by other networks. Because the global IP address for each device must be routable from the Easy VPN server, you must obtain these addresses from the Easy VPN server administrator. Each IP address must be on the same subnet, and one address must be reserved for use by non accessible devices on the local network.

Add

To add the local IP address and global IP address of a device, click Add.

Edit

To change the IP address information for a device, choose an entry and click Edit.

Delete

To remove an entry for an accessible device, choose the entry and click Delete.

Non Accessible Devices

IP Address

Enter the IP address that you reserved for non accessible devices in this field. This IP address must be in the same subnet as the device global IP addresses. Cisco SDM creates a NAT rule to translate IP addresses of devices that do not need to be reached from other networks to this IP address, and assigns this IP address to a new loopback interface.

Subnet Mask

Enter the subnet mask in decimal format; for example, 255.255.255.0. Or, choose the number of subnet bits; for example, 24. Entering values in one field updates the other. For example, if you enter 255.255.255.0, the subnet bits field is automatically updated to display 24.


Warning Messages

Cisco SDM displays a warning message when you click Next if it detects any of the following problems:

No devices have been added.

The IP address entered for the non accessible devices is already used by a router interface.

The IP address entered for the non accessible devices is already used as a global IP address for an accessible device.

A local IP address entered for a device falls outside the subnet of the LAN interface it connects to.
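
The checks listed above can be run on an address plan before it is entered in the wizard. The following is an added example, not Cisco SDM code; the function name, result codes and all sample addresses are constructed for illustration, and the same-subnet check comes from the Device Global IP field description rather than from the warning list.

```python
import ipaddress


def check_identical_addressing(devices, reserved_ip, mask, lan_subnet,
                               router_interface_ips):
    """Validate an identical-addressing plan.

    devices: list of (device_local_ip, device_global_ip) pairs.
    reserved_ip: address reserved for the non accessible devices.
    mask: dotted-decimal mask or number of subnet bits (both are accepted,
          as in the Subnet Mask field).
    Returns a list of (code, detail) tuples; an empty list means no problem.
    """
    problems = []
    # The reserved address and every global address share one subnet.
    global_net = ipaddress.ip_interface(f"{reserved_ip}/{mask}").network
    reserved = ipaddress.ip_address(reserved_ip)
    lan = ipaddress.ip_network(lan_subnet)
    router_ips = {ipaddress.ip_address(ip) for ip in router_interface_ips}

    if not devices:
        problems.append(("no-devices", "no accessible devices were added"))
    if reserved in router_ips:
        problems.append(("reserved-ip-on-router-interface",
                         f"{reserved} is already used by a router interface"))

    for local_ip, global_ip in devices:
        local = ipaddress.ip_address(local_ip)
        glob = ipaddress.ip_address(global_ip)
        if glob == reserved:
            problems.append(("reserved-ip-is-device-global",
                             f"{glob} is both the reserved address and the "
                             f"global address of {local}"))
        elif glob not in global_net:
            # From the Device Global IP description: same subnet required.
            problems.append(("global-ip-outside-subnet",
                             f"{glob} is not in {global_net}"))
        if local not in lan:
            problems.append(("local-ip-outside-lan",
                             f"{local} is not in LAN subnet {lan}"))
    return problems


# Constructed sample plan with three deliberate mistakes in the device list.
SAMPLE_DEVICES = [
    ("192.168.1.10", "10.20.30.2"),   # valid
    ("192.168.2.5", "10.20.30.3"),    # local address outside the LAN subnet
    ("192.168.1.11", "10.20.30.1"),   # global address equals the reserved one
    ("192.168.1.12", "10.20.31.9"),   # global address outside the subnet
]

if __name__ == "__main__":
    for code, detail in check_identical_addressing(
            SAMPLE_DEVICES, "10.20.30.1", "255.255.255.0",
            "192.168.1.0/24", ["192.168.1.1", "10.20.30.1"]):
        print(f"{code}: {detail}")
```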

Easy VPN Remote Wizard: Interfaces and Connection Settings

In this window, you specify the interfaces that will be used in the Easy VPN configuration.

Field Reference

Table 12-4 describes the fields in this screen.

Table 12-4 Interfaces and Connection Settings Fields

Element
Description
Interfaces

Choose the inside and outside interfaces in this box.

Check boxes

Check the inside (LAN) interfaces that serve the local networks that you want to include in this Easy VPN configuration. You can choose multiple inside interfaces, with the following restrictions:

If you choose an interface that is already used in another Easy VPN configuration, you are told that an interface cannot be part of two Easy VPN configurations.

If you choose interfaces that are already used in a VPN configuration, you are informed that the Easy VPN configuration you are creating cannot coexist with the existing VPN configuration. You will be asked if you want to remove the existing VPN tunnels from those interfaces and apply the Easy VPN configuration to them.

An existing interface does not appear in the list of interfaces if it cannot be used in an Easy VPN configuration. For example, loopback interfaces configured on the router do not appear in this list.

An interface cannot be designated as both an inside and an outside interface.

Up to three inside interfaces are supported on Cisco 800 and Cisco 1700 series routers. You can remove interfaces from an Easy VPN configuration in the Edit Easy VPN Remote window.

Interface List

In the Interfaces list, choose the outside interface that connects to the Easy VPN server or concentrator.


Note Cisco 800 routers do not support the use of interface E 0 as the outside interface.


Connection Settings

Automatically

With the automatic setting, the VPN tunnel is established automatically when the Easy VPN configuration is delivered to the router configuration file. However, you will not be able to control the tunnel manually in the VPN Connections window. The Connect or Disconnect button is disabled when this Easy VPN connection is chosen.

Manually

With the manual setting, you must click the Connect or Disconnect button in the Edit Easy VPN Remote window to establish or take down the tunnel, but you will have full manual control over the tunnel in the Edit Easy VPN Remote window. Additionally, if a security association (SA) timeout is set for the router, you will have to manually reestablish the VPN tunnel whenever a timeout occurs. You can change SA timeout settings in the VPN Components VPN Global Settings window.

When there is traffic from local networks (interesting traffic)

With the traffic-based setting, the VPN tunnel is established whenever outbound local (LAN side) traffic is detected.


Note The option for traffic-based activation appears only if supported by the Cisco IOS image on your router.



Easy VPN Remote Wizard: Server Information

The information entered in this window identifies the Easy VPN tunnel, the Easy VPN server or concentrator that the router will connect to, and the way you want traffic to be routed in the VPN.

Field Reference

Table 12-5 describes the fields in this screen.

Table 12-5 Server Information Fields 

Element
Description
Easy VPN Servers

Easy VPN Server 1

Enter the IP address or the hostname of the primary Easy VPN server or concentrator to which the router will connect. If you enter a hostname, there must be a Domain Name System (DNS) server on the network that can resolve the hostname to the correct IP address for the peer device.

Easy VPN Server 2

The Easy VPN Server 2 field appears when the Cisco IOS image on the router supports Easy VPN Remote Phase III. This field does not appear when the Cisco IOS image does not support Easy VPN Remote Phase III.

Enter the IP address or the hostname of the secondary Easy VPN server or concentrator to which the router will connect. If you enter a hostname, there must be a DNS server on the network that can resolve the hostname to the correct IP address for the peer device.

Mode of operation with no identical addressing

Client

Choose Client if you want the PCs and other devices on the router's inside networks to form a private network with private IP addresses. Network Address Translation (NAT) and Port Address Translation (PAT) will be used. Devices outside the LAN will not be able to ping devices on the LAN, or reach them directly.

Network Extension

Choose Network Extension if you want the devices connected to the inside interfaces to have IP addresses that are routable and reachable by the destination network. The devices at both ends of the connection will form one logical network. PAT will be automatically disabled, allowing the PCs and hosts at both ends of the connection to have direct access to one another.

Consult with the administrator of the Easy VPN server or concentrator before choosing this setting.

If you choose Network Extension, you can enable remote management of the router by checking the box to request a server-assigned IP address for your router. This IP address can be used for connecting to your router for remote management and troubleshooting (ping, Telnet, and Secure Shell). This mode is known as Network Extension Plus.

Note If the router is not running a Cisco IOS image that supports Easy VPN Remote Phase IV or later, you will not be able to set Network Extension Plus.


Mode of operation with overlapping address space and local devices needing to be reached

If you clicked Yes in the Client IP Addressing section of the Network Information screen, and also clicked Yes in the Device Reachability section, the router is automatically configured for Network Extension mode.

Have the server assign an IP address to manage my router remotely

Check this box if you want the Easy VPN server to assign an IP address to the router so that it can manage the router Easy VPN operation remotely.

Mode of operation with overlapping address space but no devices needing to be reached

If you clicked Yes in the Client IP Addressing section of the Network Information screen, but clicked No in the Device Reachability section, the router is automatically configured for Client mode. The Easy VPN server automatically assigns the router an IP address so that it can manage the router Easy VPN operation remotely. All devices on the local network will share this IP address when communicating with other devices on the corporate network.


Easy VPN Remote Wizard: Authentication

Use this window to specify security for the Easy VPN Remote tunnel.

Field Reference

Table 12-6 describes the fields in this screen.

Table 12-6 Authentication Screen Fields

Element
Description
Device Authentication

Authentication

Choose Digital Certificate or Preshared Key.

Digital Certificate

If you choose Digital Certificate, a digital certificate must be configured on the router.


Note The Digital Certificates option is available only if supported by the Cisco IOS image on your router.


Preshared Key

If you choose Preshared Key in the authentication field, you must supply a user group name as well as the preshared key.

User Group

Enter the IPSec group name. The group name must match the group name defined on the VPN concentrator or server. Obtain this information from your network administrator.

Key

Enter the IPSec group key. The group key must match the group key defined on the VPN concentrator or server. Obtain this information from your network administrator.

Reenter key

Reenter the key to confirm its accuracy.

User Authentication

User authentication (XAuth) appears in this window if the Cisco IOS image on the router supports Easy VPN Remote Phase III. If user authentication does not appear, it must be configured from the router command-line interface.

From PC browser when browsing

User authentication will be performed in the web browser. This option appears only if supported by the Cisco IOS image on your router.

From router console or SDM

User authentication will be performed from the router console, or from Cisco SDM.

Save XAuth Credentials to this router

The Easy VPN server may use XAuth to authenticate the router. If the server allows the save password option, you can eliminate the need to enter the username and password each time the Easy VPN tunnel is established by using this option. Enter the username and password provided by the Easy VPN server administrator, and then reenter the password to confirm its accuracy. The information is saved in the router configuration file and used each time the tunnel is established.


Caution Storing the XAuth username and password in router memory creates a security risk, because anyone who has access to the router configuration can obtain this information. If you do not want this information stored on the router, do not enter it here. The Easy VPN server will simply challenge the router for the username and password each time the connection is established. Additionally, Cisco SDM cannot itself determine whether the Easy VPN server allows the save password option. You must determine whether the server allows this option. If the server does not allow this option, you should not create a security risk by entering the information here.

Username

Enter the username required for authentication.

Password

Enter the password required for authentication.

Reenter password

Reenter the password to confirm accuracy.
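
Because saved XAuth credentials and the group key end up in the router configuration file, a saved configuration can be audited for them and redacted before it is shared. The following is an added example, not Cisco SDM code. It assumes the Easy VPN Remote settings appear in the configuration as a `crypto ipsec client ezvpn` block with `connect`, `group ... key`, `mode`, `peer` and `username ... password` subcommands; the configuration text, username and password are constructed.

```python
import re

# Constructed running-config excerpt (not from the page). Tunnel name, server,
# group and key echo the page's sample summary; the XAuth user is made up.
SAMPLE_CONFIG = """\
crypto ipsec client ezvpn test1
 connect auto
 group myCompany key 1234
 mode client
 peer 222.28.54.7
 username branch-router password 0 Constructed-Pass1
 xauth userid mode local
!
crypto ipsec client ezvpn test2
 connect manual
 group myCompany key 1234
 mode network-extension
 peer 222.28.54.7
 xauth userid mode interactive
!
interface Dialer0
 crypto ipsec client ezvpn test1 inside
!
"""

HEADER = re.compile(r"^crypto ipsec client ezvpn (\S+)\s*$")
SAVED_XAUTH = re.compile(r"^\s+username (\S+) password\b")
GROUP = re.compile(r"^\s+group (\S+) key\b")
SIMPLE = re.compile(r"^\s+(connect|mode|peer) (\S+)")
# Group key or XAuth password, with an optional one-digit encoding type.
SECRET = re.compile(
    r"^([ \t]+(?:group \S+ key|username \S+ password)(?: \d)?) \S+[ \t]*$",
    re.MULTILINE)


def parse_ezvpn_profiles(config_text):
    """Return {profile name: settings} for each top-level ezvpn block."""
    profiles, current = {}, None
    for line in config_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = profiles.setdefault(header.group(1), {
                "connect": None, "mode": None, "group": None,
                "peers": [], "saved_xauth_user": None})
            continue
        if not line[:1].isspace():
            current = None  # "!" or any other top-level command ends the block
            continue
        if current is None:
            continue  # indented line of some other block, e.g. an interface
        saved = SAVED_XAUTH.match(line)
        group = GROUP.match(line)
        simple = SIMPLE.match(line)
        if saved:
            current["saved_xauth_user"] = saved.group(1)  # password not kept
        elif group:
            current["group"] = group.group(1)
        elif simple and simple.group(1) == "peer":
            current["peers"].append(simple.group(2))
        elif simple:
            current[simple.group(1)] = simple.group(2)
    return profiles


def saved_xauth_findings(profiles):
    """List the profiles whose XAuth credentials are stored on the router."""
    return [
        f"{name}: XAuth credentials for user '{p['saved_xauth_user']}' "
        f"are stored in the configuration (server {', '.join(p['peers'])})"
        for name, p in profiles.items() if p["saved_xauth_user"]
    ]


def redact_secrets(config_text):
    """Replace group keys and XAuth passwords so the text can be shared."""
    return SECRET.sub(r"\1 <redacted>", config_text)


if __name__ == "__main__":
    for finding in saved_xauth_findings(parse_ezvpn_profiles(SAMPLE_CONFIG)):
        print(finding)
    print(redact_secrets(SAMPLE_CONFIG))
```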


Easy VPN Remote Wizard: Summary of Configuration

This window shows you the Easy VPN configuration that you have created, and it allows you to save the configuration. A summary similar to the following appears:

Easy VPN tunnel name:test1
Easy VPN server: 222.28.54.7
Group: myCompany
Key: 1234
Control: Auto
Mode: Client
Outside Interface: BVI222
Inside Interfaces: Dialer0

You can review the configuration in this window and click the Back button to change any items.

Clicking the Finish button writes the information to the router's running configuration, and, if the tunnel has been configured to operate in automatic mode, the router attempts to contact the VPN concentrator or server.

If you want to change the Easy VPN configuration at a later time, you can make the changes in the Edit Easy VPN Remote window.


Note In many cases, your router establishes communication with the Easy VPN server or concentrator after you click Finish, or after you click Connect in the Edit Easy VPN Remote window or VPN Connections windows. However, if the device has been configured to use XAuth, it challenges the router for a username and password. When this happens, you must first supply a Secure Shell (SSH) login ID and password to log on to the router and then provide the XAuth login and password for the Easy VPN server or concentrator. You must follow this process when you click Finish and the configuration is delivered to the router, and when you disconnect and then reconnect the tunnel in the Edit Easy VPN Remote window. Find out whether XAuth is used, and determine the required username and password.


Test VPN Connectivity

If you choose to test the VPN connection you have just configured, the results of the test are shown in another window.

Administering Easy VPN Remote Connections

Use Cisco SDM to edit Easy VPN Remote connection settings, reset connections, and delete connections. You can use the Easy VPN Remote Edit screens to create an Easy VPN Remote connection, but it is recommended that you use the wizard to do so.

This section contains the following topics:

Editing an Existing Easy VPN Remote Connection

Creating a New Easy VPN Remote Connection

Deleting an Easy VPN Remote Connection

Resetting an Established Easy VPN Remote Connection

Connecting to an Easy VPN Server

Connecting other Subnets to the VPN Tunnel

Administering Easy VPN Remote Reference

Editing an Existing Easy VPN Remote Connection

Follow these steps to edit an existing Easy VPN Remote connection:


Step 1 On the Cisco SDM toolbar, click Configure.

Step 2 On the Cisco SDM category bar, click VPN.

Step 3 In the VPN tree, choose Easy VPN Remote.

Step 4 Click the Edit Easy VPN Remote tab.

Step 5 Select the Easy VPN Remote connection that you want to edit.

Step 6 Click Edit.

Step 7 Modify settings in the Edit Easy VPN Remote dialog tabs.

Step 8 Click OK to send the changes to the router and close the dialog.


Creating a New Easy VPN Remote Connection

You can create a new Easy VPN Remote connection using the Easy VPN Remote Edit screens.

Follow these steps to create a new Easy VPN Remote connection:


Step 1 On the Cisco SDM toolbar, click Configure.

Step 2 On the Cisco SDM category bar, click VPN.

Step 3 In the VPN tree, choose Easy VPN Remote.

Step 4 Click the Edit Easy VPN Remote tab.

Step 5 Click Add.

Step 6 Make settings in the Add Easy VPN Remote dialog tabs.

Step 7 Click OK to send the changes to the router and close the dialog.


Deleting an Easy VPN Remote Connection

Follow these steps to delete an Easy VPN Remote connection:


Step 1 On the Cisco SDM toolbar, click Configure.

Step 2 On the Cisco SDM category bar, click VPN.

Step 3 In the VPN tree, choose Easy VPN Remote.

Step 4 Click the Edit Easy VPN Remote tab.

Step 5 Select the Easy VPN Remote connection that you want to delete.

Step 6 Click Delete.

Step 7 Confirm the deletion by clicking OK in the displayed message screen.


Resetting an Established Easy VPN Remote Connection

Follow these steps to reset an established Easy VPN Remote connection:


Step 1 On the Cisco SDM toolbar, click Configure.

Step 2 On the Cisco SDM category bar, click VPN.

Step 3 In the VPN tree, choose Easy VPN Remote.

Step 4 Click the Edit Easy VPN Remote tab.

Step 5 Select the Easy VPN Remote connection that you want to reset.

Step 6 Click Reset Connection. The status window that is displayed reports the success or failure of the reset.


Connecting to an Easy VPN Server

Follow these steps to connect to an Easy VPN Remote server:


Step 1 On the Cisco SDM toolbar, click Configure.

Step 2 On the Cisco SDM category bar, click VPN.

Step 3 In the VPN tree, choose Easy VPN Remote.

Step 4 Click the Edit Easy VPN Remote tab.

Step 5 Select an Easy VPN Remote connection.

Step 6 Click Connect to complete the connection to the configured Easy VPN Server.

Connecting other Subnets to the VPN Tunnel

To allow subnets not directly connected to your router to use the tunnel, follow these steps:


Step 1 In the Network Extensions Options window, check Configure Multiple Subnets.

Step 2 Choose Enter the subnets and add the subnets and network masks to the list, or choose Select an ACL.

Step 3 To enter the subnets manually, click the Add button and enter the subnet address and mask. Cisco SDM will generate an ACL automatically.


Note The subnets you enter must not be directly connected to the router.


Step 4 To add an existing ACL, enter its name or choose it from the drop-down list.

Step 5 Click OK to close the dialog.


Administering Easy VPN Remote Reference

The following topics describe the Edit Easy VPN Remote screens:

Edit Easy VPN Remote

Add or Edit Easy VPN Remote

Add or Edit Easy VPN Remote: General Settings

Network Extension Options

Add or Edit Easy VPN Remote: Easy VPN Settings

Add or Edit Easy VPN Remote: Authentication Information

Add or Edit Easy VPN Remote: Easy VPN Client Phase III Authentication

Add or Edit Easy VPN Remote: Interfaces and Connections

Add or Edit Easy VPN Remote: Identical Addressing

Easy VPN Remote: Add a Device

Enter SSH Credentials

XAuth Login Window

Edit Easy VPN Remote

Easy VPN connections are managed from this window. An Easy VPN connection is a connection configured between an Easy VPN client and an Easy VPN server or concentrator to provide for secure communications with other networks that the server or concentrator supports.

The list of connections displays information about the configured Easy VPN Remote connections.

Field Reference

Table 12-7 describes the fields and buttons in this screen.

Table 12-7 Edit Easy VPN Remote Fields

Element
Description

Add

Click Add to create a new Easy VPN Remote connection.

Edit

Choose an Easy VPN Remote connection, and click Edit to modify connection settings.

Delete

Choose an Easy VPN Remote connection, and click Delete to delete the connection.

Reset Connection

Choose an Easy VPN Remote connection, and click Reset Connection to clear the current security association (SA) and create a new one to reset the connection.

Test Tunnel

Choose an Easy VPN Remote connection, and click Test Tunnel to send data through the VPN tunnel. Cisco SDM displays a message indicating the results of the test.

Connect or Disconnect or Login

The name of this button changes based on the status of the chosen Easy VPN Remote connection.

This button is labeled Connect if all of the following are true:

The connection uses manual tunnel control.

The tunnel is down.

The XAuth response is not set to be requested from a PC browser session.

Click Connect to establish the connection.

This button is labeled Disconnect if all of the following are true:

The connection uses manual tunnel control.

The tunnel is up.

The XAuth response is not set to be requested from a PC browser session.

Click Disconnect to terminate the connection.

This button is labeled Login if all of the following are true:

The Easy VPN server or concentrator being connected to uses XAuth.

The XAuth response is set to be requested from Cisco SDM or the router console.

The tunnel is waiting for XAuth credentials (the connection has been initiated).

Click Login to log in to the Easy VPN server and establish the connection.

If the connection is set to automatic or traffic-based tunnel control, this button is disabled.

Status

The connection is up. When an Easy VPN connection is up, the Disconnect button enables you to deactivate the connection if manual tunnel control is used.

The connection is down. When an Easy VPN connection is down, the Connect button enables you to activate the connection if manual tunnel control is used.

The connection is being established.

Xauth Required—The Easy VPN server or concentrator requires an XAuth login and password. Use the Login button to enter the login ID and password and establish the connection.

Configuration Changed—The configuration for this connection has been changed, and needs to be delivered to the router. If the connection uses manual tunnel control, use the Connect button to establish the connection.

Name

The name given to this Easy VPN connection.

Mode

Either client or network extension. In client mode, the VPN concentrator or server assigns a single IP address to all traffic coming from the router; devices outside the LAN have no direct access to devices on the LAN. In network extension mode, the VPN concentrator or server does not substitute IP addresses, and it presents a full routable network to the peers on the other end of the VPN connection.

Details

Choose an Easy VPN Remote connection from the list to see the values of the following settings for that connection.

Authentication

Digital certificates or preshared key. The preshared key option shows the user group sharing the key.

Outside Interface

This is the interface that connects to the Easy VPN server or concentrator.

Inside Interfaces

These are the inside interfaces included in this Easy VPN connection. All hosts connected to these interfaces are part of the VPN.

Easy VPN Server

The names or IP addresses of the Easy VPN servers or concentrators. If the Cisco IOS image on your router supports Easy VPN Remote Phase III, you can identify two Easy VPN servers or concentrators during configuration using Cisco SDM.

Multiple Subnet Support

The addresses of subnets which are not directly connected to the router but which are allowed to use the tunnel. An ACL defines the subnets allowed to use the tunnel.

Tunnel Activation

The value is Auto, Manual, or traffic-based.

If the connection is configured with the Manual setting, you must click Connect to establish the tunnel, but you can start or stop the tunnel at any time by clicking Connect or Disconnect.

If the connection is configured with the Auto setting, the VPN tunnel is established automatically when the Easy VPN configuration is delivered to the router configuration file. However, the Connect or Disconnect button is not enabled for this connection.

If the connection is configured with the traffic-based setting, the VPN tunnel is established automatically when inside traffic qualifies for outside routing. However, the Connect or Disconnect button is not enabled for this connection.

Backup Connection

A backup Easy VPN remote connection that has been set up. Backup connections are configured in the Cisco SDM Interfaces and Connections task.

XAuth Response Method

If XAuth is enabled, the Item Value column shows one of the following about how the XAuth credentials are sent:

They must be entered from Cisco SDM or the router console.

They must be entered from a PC browser when browsing.

The credentials are automatically sent because they have been saved on the router.

Identical Addressing Interface

If identical addressing is configured, the Item Value column displays the word Configured, and the name, IP address, and number of subnet bits for the interface, for example, Loopback1 (20.20.20.1/24).

Split DNS

If split DNS is configured, the Item Value column displays the word Enabled, and the following information:

Domain names sent to corporate DNS servers

Corporate DNS servers pushed from Server

Internet DNS servers

Multiple values are separated by commas.


Add or Edit Easy VPN Remote

Use this window to configure your router as an Easy VPN client. Your router must have a connection to an Easy VPN concentrator or server on the network.


Note This window appears if the Cisco IOS image on your router supports Easy VPN Client Phase II.


The Cisco Easy VPN Remote feature implements the Cisco Unity Client protocol, which allows most VPN parameters to be defined at a VPN remote access server. This server can be a dedicated VPN device, such as a VPN 3000 concentrator or a Cisco PIX Firewall, or it can be a Cisco IOS router that supports the Cisco Unity Client protocol.


Note If the Easy VPN server or concentrator has been configured to use XAuth, it requires a username and password whenever the router establishes the connection, including when you deliver the configuration to the router, and when you disconnect and then reconnect the tunnel. Find out whether XAuth is used and the required username and password.

If the router uses Secure Shell (SSH) you must enter the SSH login and password the first time you establish the connection.


Field Reference

Table 12-8 describes the fields in this screen.

Table 12-8 Add or Edit Easy VPN Remote Fields

Element
Description

Name

Enter a name for the Easy VPN remote configuration.

Mode

Client

Choose Client if you want the PCs and other devices on the router's inside networks to form a private network with private IP addresses. Network Address Translation (NAT) and Port Address Translation (PAT) will be used. Devices outside the LAN will not be able to ping devices on the LAN or to reach them directly.

Network Extension

Choose Network Extension if you want the devices connected to the inside interfaces to have IP addresses that are routable and reachable by the destination network. The devices at both ends of the connection will form one logical network. PAT will be automatically disabled, allowing the PCs and hosts at both ends of the connection to have direct access to one another.

   
   
Tunnel Control

Auto

Choose Auto if you want the VPN tunnel to be established automatically when the Easy VPN configuration is delivered to the router configuration file. However, you will not be able to control the tunnel manually in the VPN Connections window. The Connect and Disconnect buttons are disabled when this Easy VPN connection is chosen.

Manual

Choose Manual if you want to control when the VPN tunnel is established and terminated. You must click the Connect button in the Edit Easy VPN Remote window to establish the tunnel. The Connect and Disconnect buttons are enabled whenever you choose a VPN connection with the Manual tunnel control setting.

Easy VPN Concentrator or Server

Specify the name or the IP address of the VPN concentrator or server that the router connects to. Choose IP address if you are going to provide an IP address or choose Hostname if you are going to provide the hostname of the concentrator or server. Then specify the appropriate value in the field underneath. If you specify a hostname, there must be a DNS server on the network that can resolve the hostname to the proper IP address. If you enter an IP address, use standard dotted decimal format, for example, 172.16.44.1.

Group

Group Name

Enter the IPSec group name. The group name must match the group name defined on the VPN concentrator or server. Obtain this information from your network administrator.

Group Key

Enter the IPSec group password. The group password must match the group password defined on the VPN concentrator or server. Obtain this information from your network administrator.

Confirm Key

Reenter the group password to confirm.

   
   
   
   
Interfaces

Outside Interface Toward Server or Concentrator

Choose the interface that has the connection to the Easy VPN server or concentrator.


Note Cisco 800 routers do not support the use of interface E 0 as the outside interface.


Inside Interfaces

Specify the inside interfaces to include in this Easy VPN configuration. All hosts connected to these interfaces will be part of the VPN. As many as three inside interfaces are supported on Cisco 800 series and Cisco 1700 series routers.


Note An interface cannot be designated as both an inside interface and an outside interface.



Add or Edit Easy VPN Remote: General Settings

Use this window to configure your router as an Easy VPN client. Your router must have a connection to an Easy VPN concentrator or server on the network.


Note This window appears if the Cisco IOS image on your router supports Easy VPN Client Phase IV.


The Cisco Easy VPN Remote feature implements the Cisco Unity Client protocol, which allows most VPN parameters to be defined on a VPN remote access server. This server can be a dedicated VPN device, such as a VPN 3000 concentrator or a Cisco PIX Firewall, or it can be a Cisco IOS router that supports the Cisco Unity Client protocol.

Field Reference

Table 12-9 describes the fields in this screen.

Table 12-9 Easy VPN Remote General Settings Fields

Element
Description

Name

Enter a name for the Easy VPN remote configuration.

Servers

You can specify up to ten Easy VPN servers by IP address or hostname, and you can order the list to specify which servers the router will attempt to connect to first.

Click Add to specify the name or the IP address of a VPN concentrator or server for the router to connect to, and then enter the address or hostname in the window displayed.

Click Delete to delete the specified IP address or hostname.

Click Move Up to move the specified server IP address or hostname up in the list. The router attempts to contact routers in the order in which they appear in this list.

Click Move Down to move the specified IP address or hostname down the list.

Mode

Client

Choose Client mode if you want the PCs and other devices on the router's inside networks to form a private network with private IP addresses. Network Address Translation (NAT) and Port Address Translation (PAT) will be used. Devices outside the LAN will not be able to ping devices on the LAN or to reach them directly.

Network Extension

Choose Network Extension if you want the devices connected to the inside interfaces to have IP addresses that are routable and reachable by the destination network. The devices at both ends of the connection will form one logical network. PAT will be automatically disabled, allowing the PCs and hosts at both ends of the connection to have direct access to one another.


 

Consult the administrator of the Easy VPN server or concentrator before you choose this setting.

 

If you choose Network Extension, you also have the capability to:

Allow subnets not directly connected to the router to use the tunnel.

To allow subnets not directly connected to your router to use the tunnel, click the Options button and configure the network extension options.

 

Enable remote management and troubleshooting of your router.

You can enable remote management of the router by checking the box to request a server-assigned IP address for your router. This IP address can be used for connecting to your router for remote management and troubleshooting (ping, Telnet, and Secure Shell). This mode is called Network Extension Plus.

Have the server assign an IP address to manage my router remotely.

Check this box to request a server-assigned IP address for your router. This IP address can be used for connecting to your router for remote management and troubleshooting (ping, Telnet, and Secure Shell). This mode is called Network Extension Plus.


Network Extension Options

To allow subnets not directly connected to your router to use the tunnel, enter the subnets in this screen, or enter an ACL that defines the subnets you want to allow.

Field Reference

Table 12-10 describes the fields in this screen.

Table 12-10 Network Extension Options Fields

Element
Description

Configure Multiple Subnets

Check Configure Multiple Subnets to enable the other fields in this screen.

Enter the subnets. SDM will create the necessary ACL.

Check this option to enter each subnet and subnet mask manually. Click Add to add an entry to the list. Click Delete to remove the selected entry.

Select an ACL

Check Select an ACL to use an ACL to define the subnets. If you know the name or number of the ACL enter it in the field. Or, click the button to the right of the field, and select an existing ACL or create a new ACL. To remove an ACL association in this screen, click the button and choose None (clear rule association).


Add or Edit Easy VPN Remote: Easy VPN Settings

Use this window to configure your router as an Easy VPN client. Your router must have a connection to an Easy VPN concentrator or server on the network.


Note This window appears if the Cisco IOS image on your router supports Easy VPN Client Phase III.


The Cisco Easy VPN Remote feature implements the Cisco Unity Client protocol, which allows most VPN parameters to be defined on a VPN remote access server. This server can be a dedicated VPN device, such as a VPN 3000 concentrator or a Cisco PIX Firewall, or it can be a Cisco IOS router that supports the Cisco Unity Client protocol.

Field Reference

Table 12-11 describes the fields in this screen.

Table 12-11 Easy VPN Settings Fields

Element
Description

Name

Enter a name for the Easy VPN remote configuration.

Mode

Client

Choose Client mode if you want the PCs and other devices on the router's inside networks to form a private network with private IP addresses. Network Address Translation (NAT) and Port Address Translation (PAT) will be used. Devices outside the LAN will not be able to ping devices on the LAN or to reach them directly.

Network Extension

Choose Network Extension if you want the devices connected to the inside interfaces to have IP addresses that are routable and reachable by the destination network. The devices at both ends of the connection will form one logical network. PAT will be automatically disabled, allowing the PCs and hosts at both ends of the connection to have direct access to one another.

Consult the administrator of the Easy VPN server or concentrator before you choose this setting.

Tunnel Control

Auto

Choose Auto if you want the VPN tunnel to be established automatically when the Easy VPN configuration is delivered to the router configuration file. However, you will not be able to control the tunnel manually in the VPN Connections window. The Connect and Disconnect buttons are disabled when this Easy VPN connection is chosen.

Manual

Choose Manual if you want to control when the VPN tunnel is established and terminated. You must click the Connect button in the Edit Easy VPN Remote window to establish the tunnel. The Connect and Disconnect buttons are enabled whenever you choose a VPN connection with the Manual tunnel control setting.

Servers

You can specify up to ten Easy VPN servers by IP address or hostname, and you can order the list to specify which servers the router will attempt to connect to first.

Add

Click Add to specify the name or the IP address of a VPN concentrator or server for the router to connect to; then enter the address or hostname in the window displayed.

Delete

Click Delete to delete the chosen server IP address or hostname.

Move Up

Click Move Up to move the specified server IP address or hostname up in the list. The router attempts to contact routers in the order in which they appear in this list.

Move Down

Click Move Down to move the specified IP address or hostname down the list.

Outside Interface Toward Server or Concentrator

Choose the interface that has the connection to the Easy VPN server or concentrator.


Note Cisco 800 routers do not support the use of interface E 0 as the outside interface.


Inside Interfaces

Specify the inside interfaces to include in this Easy VPN configuration. All hosts connected to these interfaces will be part of the VPN. As many as three inside interfaces are supported on Cisco 800 series and Cisco 1700 series routers.


Note An interface cannot be designated as both an inside and an outside interface.



Add or Edit Easy VPN Remote: Authentication Information

Use this window to enter the information required for the router to be authenticated by the Easy VPN server or concentrator.

Field Reference

Table 12-12 describes the fields in this screen.

Table 12-12 Authentication Information Fields

Element
Description
Device Authentication

Digital Certificate

If you choose Digital Certificate, a digital certificate must be configured on the router for it to use.


Note The Digital Certificates option is available only if supported by the Cisco IOS image on your router.


Preshared Key

Choose Preshared Key to use the IKE key value given to you by your network administrator. Obtain the IPSec group name and IKE key value from your network administrator. The group name must match the group name defined on the VPN concentrator or server.

Group Name

Enter the IPSec group name given to you by your network administrator. The group name must match the group name defined on the VPN concentrator or server. This field only appears if Preshared Key is chosen.

Current Key

The Current Key field displays asterisks (*) if there is a current IKE key value. This field contains the value <None> if no key has been configured. This field only appears if Preshared Key is chosen.

New Key

Enter the new IKE key value given to you by your network administrator. This field only appears if Preshared Key is chosen.

Reenter Key

Reenter the new key to confirm accuracy. If the values in the New Key and Reenter Key fields are not the same, Cisco SDM prompts you to reenter the key values. This field only appears if Preshared Key is chosen.

User Authentication

If the Easy VPN server or concentrator has been configured to use XAuth, it requires a username and password whenever the router establishes the connection, including when you deliver the configuration to the router, and when you disconnect and reconnect the tunnel. Find out whether XAuth is used, and obtain the required username and password.

From PC

Choose From PC if you will enter the credentials in a web browser window.


Note This option appears only if supported by the Cisco IOS image on your router.


From this router

Choose From this router if you will enter the credentials from the router command line interface or from Cisco SDM.

Save Credentials

If the server allows passwords to be saved, you can eliminate the need to enter the username and password each time the Easy VPN tunnel is established. The information is saved in the router configuration file and used each time the tunnel is established.

Choose Save Credentials to save the username and password to the router configuration file.


Caution Storing the XAuth username and password in router memory creates a security risk because anyone who has access to the router configuration can obtain this information. If you do not want this information stored on the router, do not enter it here. The Easy VPN server will simply challenge the router for the username and password each time the connection is established. Also, Cisco SDM cannot itself determine whether the server allows passwords to be saved. You must determine whether the server allows this option. If the server does not allow passwords to be saved, you should not create a security risk by entering the information here.

Username

Enter the username you have been given by the server administrator.

Current Password

The Current Password field displays asterisks (*) if there is a configured password. This field contains the value <None> if no password has been configured.

New Password

Enter the new password given to you by the server administrator.

Reenter Password

Reenter the new password to confirm accuracy. If the values in the New Password and Reenter Password fields are not the same, Cisco SDM prompts you to reenter the password values.


Add or Edit Easy VPN Remote: Easy VPN Client Phase III Authentication

This window appears if the Cisco IOS image on your router supports Easy VPN Client Phase III. If the image supports Easy VPN Client Phase II, a different window appears.

Use this window to enter the information required for the router to be authenticated by the Easy VPN server or concentrator.

Field Reference

Table 12-13 describes the fields in this screen.

Table 12-13 Authentication Information Fields

Element
Description
Device Authentication

Group Name

Enter the IPSec group name given to you by your network administrator. The group name must match the group name defined on the VPN concentrator or server.

Current Key

The Current Key field displays asterisks (*) if there is a current IKE key value. This field contains the value <None> if no key has been configured.

New Key

Enter the new IKE key value given to you by your network administrator.

Reenter Key

Reenter the new key to confirm accuracy. If the values in the New Key and Reenter Key fields are not the same, Cisco SDM prompts you to reenter the key values.

   
User Authentication

If the Easy VPN server or concentrator has been configured to use XAuth, it requires a username and password whenever the router establishes the connection, including when you deliver the configuration to the router, and when you disconnect and reconnect the tunnel. Find out whether XAuth is used, and obtain the required username and password.

From PC

Choose From PC if you will enter the credentials in a web browser window.


Note This option appears only if supported by the Cisco IOS image on your router.


From this router

Choose From this router if you will enter the credentials from the router command line interface or from Cisco SDM.

Save Credentials

If the server allows passwords to be saved, you can eliminate the need to enter the username and password each time the Easy VPN tunnel is established. The information is saved in the router configuration file and used each time the tunnel is established.

Choose Save Credentials to save the username and password to the router configuration file.


Caution Storing the XAuth username and password in router memory creates a security risk because anyone who has access to the router configuration can obtain this information. If you do not want this information stored on the router, do not enter it here. The Easy VPN server will simply challenge the router for the username and password each time the connection is established. Also, Cisco SDM cannot itself determine whether the server allows passwords to be saved. You must determine whether the server allows this option. If the server does not allow passwords to be saved, you should not create a security risk by entering the information here.

Username

Enter the username you have been given by the server administrator.

Current Password

The Current Password field displays asterisks (*) if there is a configured password. This field contains the value <None> if no password has been configured.

New Password

Enter the new password given to you by the server administrator.

Reenter Password

Reenter the new password to confirm accuracy. If the values in the New Password and Reenter Password fields are not the same, Cisco SDM prompts you to reenter the password values.
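
A defender's check for the Save Credentials caution in Tables 12-12 and 12-13, added here as an example (it is not Cisco SDM code): it scans a saved router configuration for Easy VPN Remote profiles that store XAuth credentials, keep the group key unencrypted, or request a management address. It assumes the IOS CLI form of these settings (`crypto ipsec client ezvpn`, `group ... key`, `username ... password`, `mode`), which this page does not show; the sample configuration, finding codes and function names are constructed.

```python
import re

# Constructed running-config fragment (sample values, not from the page).
SAMPLE_CONFIG = """\
crypto ipsec client ezvpn BRANCH-A
 connect auto
 group EXAMPLE-GROUP key ExampleGroupKey
 mode network-plus
 peer 192.0.2.10
 username branchuser password 0 ExamplePassword
 xauth userid mode local
!
crypto ipsec client ezvpn BRANCH-B
 connect manual
 group EXAMPLE-GROUP key 6 PLACEHOLDER-ENCRYPTED
 mode client
 peer 192.0.2.10
 xauth userid mode interactive
!
interface FastEthernet4
 crypto ipsec client ezvpn BRANCH-A
"""

# Assumed CLI syntax: an optional one-digit encoding type precedes the secret.
PROFILE_RE = re.compile(r"^crypto ipsec client ezvpn (\S+)\s*$")
SECRET_RE = {
    "group": re.compile(r"^group (\S+) key (?:(\d) )?(\S+)$"),
    "username": re.compile(r"^username (\S+) password (?:(\d) )?(\S+)$"),
}


def parse_ezvpn_profiles(config_text):
    """Collect the settings of each top-level Easy VPN Remote profile."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        start = PROFILE_RE.match(raw)
        if start:  # an unindented line opens a profile; indented ones only apply it
            current = profiles.setdefault(
                start.group(1),
                {"mode": None, "connect": None, "peers": [],
                 "group": None, "username": None},
            )
            continue
        if not raw.startswith(" "):
            current = None  # "!" or any other top-level command closes the profile
            continue
        if current is None:
            continue
        line = raw.strip()
        keyword, _, rest = line.partition(" ")
        if keyword in ("mode", "connect"):
            current[keyword] = rest
        elif keyword == "peer":
            current["peers"].append(rest)
        elif keyword in SECRET_RE:
            m = SECRET_RE[keyword].match(line)
            if m:
                name, enc_type, _secret = m.groups()
                # Keep the name and encoding type only; the secret is not retained.
                current[keyword] = {"name": name,
                                    "cleartext": enc_type in (None, "0")}
    return profiles


def audit_ezvpn(config_text):
    """Return (profile, finding) pairs for settings the Caution warns about."""
    findings = []
    for name, p in sorted(parse_ezvpn_profiles(config_text).items()):
        if p["username"]:
            # Save Credentials was used: XAuth login is stored in the config file.
            findings.append((name, "xauth-credentials-saved"))
            if p["username"]["cleartext"]:
                findings.append((name, "xauth-password-cleartext"))
        if p["group"] and p["group"]["cleartext"]:
            findings.append((name, "group-key-cleartext"))
        if p["mode"] == "network-plus":
            # Network Extension Plus: router reachable for ping, Telnet and SSH.
            findings.append((name, "remote-management-address-requested"))
    return findings


if __name__ == "__main__":
    for profile, finding in audit_ezvpn(SAMPLE_CONFIG):
        print(f"{profile}: {finding}")
```

Run it against configuration backups as well as the live configuration, since saved credentials are exposed wherever a copy of the configuration file is kept.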


Add or Edit Easy VPN Remote: Interfaces and Connections

Identify the inside and outside interfaces, and specify how the VPN tunnel is brought up in this screen.

Field Reference

Table 12-14 describes the fields in this screen.

Table 12-14 Interfaces and Connection Settings Fields

Element
Description
Interfaces

Check boxes

Check the inside (LAN) interfaces that serve the local networks that you want to include in this Easy VPN configuration. You can choose multiple inside interfaces, with the following restrictions:

 

If you choose an interface that is already used in another Easy VPN configuration, you are told that an interface cannot be part of two Easy VPN configurations.

 

If you choose interfaces that are already used in a VPN configuration, you are informed that the Easy VPN configuration you are creating cannot coexist with the existing VPN configuration. You will be asked if you want to remove the existing VPN tunnels from those interfaces and apply the Easy VPN configuration to them.

 

An existing interface does not appear in the list of interfaces if it cannot be used in an Easy VPN configuration. For example, loopback interfaces configured on the router do not appear in this list.

 

An interface cannot be designated as both an inside and an outside interface.

 

Up to three inside interfaces are supported on Cisco 800 and Cisco 1700 series routers. You can remove interfaces from an Easy VPN configuration in the Edit Easy VPN Remote window.

Interface list

In the Interfaces list, choose the outside interface that connects to the Easy VPN server or concentrator.


Note Cisco 800 routers do not support the use of interface E 0 as the outside interface.


Virtual Tunnel Interface

Check this option if you want to use a Virtual Tunnel Interface (VTI) for this connection. If the VTIs in the list are used by other VPN connections, click Add to create a new one.

Connection Settings

Auto

Choose Auto to have the router establish the VPN tunnel automatically when the Easy VPN configuration is delivered to the router configuration file. You will not be able to control the tunnel manually using the Connect or Disconnect button. These buttons are disabled when this setting is chosen.

Manual

Choose Manual if you want to bring up and shut down the VPN tunnel manually. With the manual setting, you must click the Connect or Disconnect button in the Edit Easy VPN Remote screen to establish or take down the tunnel. Additionally, if a security association (SA) timeout is set for the router, you will have to manually reestablish the VPN tunnel whenever a timeout occurs. You can change SA timeout settings in the VPN Components VPN Global Settings window.

Interesting Traffic

Choose Interesting Traffic to establish the VPN tunnel whenever outbound local (LAN side) traffic is detected. The Connect or Disconnect button is disabled when you choose this Easy VPN connection setting.


Note The Interesting Traffic option appears only if supported by the Cisco IOS image on your router.



Add or Edit Easy VPN Remote: Identical Addressing

In this screen, enter the information needed to configure identical addressing. Identical addressing enables remote networks to reach local devices that have IP addresses that might overlap with addresses in remote networks.

Field Reference

Table 12-15 Identical Addressing Tab Fields 

Element
Description

Configure identical addressing

Check Configure identical addressing if there are devices on the local network with IP addresses that might overlap with addresses in remote networks in your organization. You must check this box to enable the other controls in this screen.

Loopback Interface

Loopback Interface

Click the down arrow to select an existing loopback interface. If no loopback interfaces are configured, click Add.

Add

Clicking Add displays the dialog that enables you to configure a loopback interface.

Enable split tunneling

Split tunneling enables the router to only use the VPN tunnel to send traffic to network addresses given to it by the Easy VPN server and to send other traffic through the Internet. To enable the router to use this feature, click Enable split tunneling.

Accessible Devices

Device Local IP

The local IP address of a device that is identified as a device that must be reached by other networks.

Device Global IP

The global IP address given to a device that is identified as a device that must be reached by other networks. Because the global IP address for each device must be routable from the Easy VPN server, you must obtain these addresses from the Easy VPN server administrator. Each IP address must be on the same subnet, and one address must be reserved for use by non-accessible devices on the local network.

Add

To add the local IP address and global IP address of a device, click Add.

Edit

To change the IP address information for a device, choose an entry and click Edit.

Delete

To remove an entry for an accessible device, choose the entry and click Delete.


Warning Messages

Cisco SDM displays a warning message when you click OK if it detects any of the following problems:

No devices have been added.

You entered an IP address for the non-accessible devices that is already used by a router interface.

You entered an IP address for the non-accessible devices that is already used as a global IP address for an accessible device.

You entered a local IP address for a device that falls outside the subnet for the LAN interface it connects to.

You chose client mode in the General tab. Identical addressing only works with network extension mode.

You did not choose a virtual tunnel interface in the Interfaces and Connections tab.
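
The warning conditions above, together with the same-subnet rule from the Device Global IP field, can be checked on an addressing plan before it is entered in Cisco SDM. This is an added example, not Cisco SDM code: the plan layout, warning codes and function name are hypothetical, the addresses are constructed, and the common subnet is assumed to be the one given by the prefix length supplied with the reserved address.

```python
import ipaddress


def check_identical_addressing(plan):
    """Return (code, detail) warnings for a planned identical-addressing setup."""
    warnings = []
    devices = plan["devices"]
    # Address reserved for the non-accessible devices, written with its prefix.
    reserved = ipaddress.ip_interface(plan["reserved_ip"])
    router_ips = {ipaddress.ip_address(a) for a in plan["router_interface_ips"]}
    lans = {name: ipaddress.ip_interface(addr).network
            for name, addr in plan["lan_interfaces"].items()}

    if not devices:
        warnings.append(("no-devices", "no accessible devices listed"))
    if reserved.ip in router_ips:
        warnings.append(("reserved-ip-on-router-interface", str(reserved.ip)))

    for dev in devices:
        local = ipaddress.ip_address(dev["local_ip"])
        global_ip = ipaddress.ip_address(dev["global_ip"])
        if global_ip == reserved.ip:
            warnings.append(("reserved-ip-used-as-global-ip", str(global_ip)))
        if local not in lans[dev["lan_interface"]]:
            warnings.append(("local-ip-outside-lan-subnet", str(local)))
        # Device Global IP field: every global address must share one subnet.
        if global_ip not in reserved.network:
            warnings.append(("global-ip-outside-common-subnet", str(global_ip)))

    # Identical addressing only works with network extension mode and a VTI.
    if plan["mode"] == "client":
        warnings.append(("client-mode-selected", plan["mode"]))
    if not plan["virtual_tunnel_interface"]:
        warnings.append(("no-virtual-tunnel-interface", "VTI not selected"))
    return warnings


# Constructed plans (documentation and private address ranges).
GOOD_PLAN = {
    "mode": "network-extension",
    "virtual_tunnel_interface": True,
    "reserved_ip": "198.51.100.1/28",
    "router_interface_ips": ["192.168.1.1", "203.0.113.2"],
    "lan_interfaces": {"Vlan1": "192.168.1.1/24"},
    "devices": [
        {"local_ip": "192.168.1.10", "global_ip": "198.51.100.2",
         "lan_interface": "Vlan1"},
        {"local_ip": "192.168.1.11", "global_ip": "198.51.100.3",
         "lan_interface": "Vlan1"},
    ],
}

BAD_PLAN = {
    "mode": "client",
    "virtual_tunnel_interface": False,
    "reserved_ip": "192.168.1.1/24",
    "router_interface_ips": ["192.168.1.1"],
    "lan_interfaces": {"Vlan1": "192.168.1.1/24"},
    "devices": [
        {"local_ip": "10.0.0.5", "global_ip": "192.168.1.1",
         "lan_interface": "Vlan1"},
        {"local_ip": "192.168.1.20", "global_ip": "198.51.100.40",
         "lan_interface": "Vlan1"},
    ],
}

if __name__ == "__main__":
    for code, detail in check_identical_addressing(BAD_PLAN):
        print(f"{code}: {detail}")
```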

Easy VPN Remote: Add a Device

Enter the local IP address and global IP address information for a device in this screen. The global IP address is an IP address that can be used to identify the device to other networks.

Field Reference

Table 12-16 describes the fields in this screen.

Table 12-16 Add a Device Fields 

Element
Description

Local IP Address

Enter the local IP address of the device that must be reached.

Global IP Address

Enter the global IP address that you want to use for this device. The address you use must be routable from the Easy VPN server.


Enter SSH Credentials

If the router uses Secure Shell (SSH), you must enter the SSH login and password the first time you establish the connection. Use this window to enter SSH or Telnet login information.

Field Reference

Table 12-17 describes the fields in this screen.

Table 12-17 Enter SSH Credentials Fields

Element
Description

Please Enter the Username

Enter the SSH or Telnet account username that you will use to log in to this router.

Please Enter the Password

Enter the password associated with the SSH or Telnet account username that you will use to log in to this router.


XAuth Login Window

This window appears when the Easy VPN server requests extended authentication. Respond to the challenges by entering the information requested, such as the account username, password, or any other information, to successfully establish the Easy VPN tunnel. If you are unsure about the information that should be provided, contact your VPN administrator.

Other Procedures

This section contains procedures for tasks that the wizard does not help you complete.

How Do I Edit an Existing Easy VPN Connection?

To edit an existing Easy VPN remote connection, follow these steps:


Step 1 From the left frame, choose VPN.

Step 2 In the VPN tree, choose Easy VPN Remote.

Step 3 Click the Edit Easy VPN Remote tab and choose the connection that you want to edit.

Step 4 Click Edit.

The Edit Easy VPN Remote window appears.

Step 5 In the Edit Easy VPN Remote window, click the tabs to display the values that you want to change.

Step 6 When you have finished making changes, click OK.


How Do I Configure a Backup for an Easy VPN Connection?

To configure a backup for an Easy VPN Remote connection, your router must have an ISDN, async, or analog modem interface available for the backup.

If the ISDN, async, or analog modem interface has not been configured, follow these steps:


Step 1 From the left frame, click Interfaces and Connections.

Step 2 Click the Create Connection tab.

Step 3 Choose an ISDN, async, or analog modem interface from the list.

Step 4 Click the Create New Connection button and use the wizard to configure the new interface.

Step 5 In the appropriate wizard window, set the new interface as a backup for an Easy VPN Remote connection.


If the ISDN, async, or analog modem interface has been configured, follow these steps:


Step 1 From the left frame, click Interfaces and Connections.

Step 2 Click the Edit Interface/Connection tab.

Step 3 Choose an ISDN, async, or analog modem interface from the list of configured interfaces.

Step 4 Click the Edit button.

Step 5 Click the Backup tab and configure the backup for an Easy VPN Remote connection.

Step 6 When you have finished configuring the backup, click OK.