Cisco Router and Security Device Manager 2.5 User Guide
Easy VPN Server

Easy VPN Server

Table Of Contents

Easy VPN Server

Creating an Easy VPN Server Connection

Create an Easy VPN Server Reference

Create an Easy VPN Server

Welcome to the Easy VPN Server Wizard

Interface and Authentication

Group Authorization and Group Policy Lookup

User Authentication (XAuth)

User Accounts for XAuth

Add RADIUS Server

Group Authorization: User Group Policies

General Group Information

DNS and WINS Configuration

Split Tunneling

Client Settings

Choose Browser Proxy Settings

Add or Edit Browser Proxy Settings

User Authentication (XAuth)

Client Update

Add or Edit Client Update Entry

Cisco Tunneling Control Protocol

Summary

Browser Proxy Settings

Editing Easy VPN Server Connections

Edit Easy VPN Server Reference

Edit Easy VPN Server

Add or Edit Easy VPN Server Connection

Restrict Access

Group Policies Configuration

IP Pools

Add or Edit IP Local Pool

Add IP Address Range


Easy VPN Server


The Easy VPN Server feature introduces server support for the Cisco VPN Client Release 3.x and later software clients and Cisco VPN hardware clients. The feature allows a remote end user to communicate using IP Security (IPSec) with any Cisco IOS Virtual Private Network (VPN) gateway. Centrally managed IPSec policies are "pushed" to the client by the server, minimizing configuration by the end user.

The following link provides general information on the Cisco Easy VPN solution, and other links for more specific information:

http://www.cisco.com/en/US/products/sw/secursw/ps5299/index.html

This chapter contains the following sections:

Creating an Easy VPN Server Connection

Editing Easy VPN Server Connections

Creating an Easy VPN Server Connection

Use the Cisco SDM Easy VPN Server wizard to create an Easy VPN Server connection on the router.

Complete these steps to configure an Easy VPN Server connection using the Easy VPN Server wizard:


Step 1 If you want to review the Cisco IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. The preview screen allows you to cancel the configuration if you want to.

Step 2 In the Cisco SDM toolbar, click Configure.

Step 3 In the Cisco SDM taskbar, click VPN.

Step 4 In the VPN tree, click Easy VPN Server.

Step 5 In the Create Easy VPN Server tab, complete any recommended tasks that are displayed by clicking the link for the task. Cisco SDM either completes the task for you, or displays the necessary configuration screens for you to make settings in.

Step 6 Click Launch Easy VPN Server Wizard to begin configuring the connection.

Step 7 Make configuration settings in the wizard screens. Click Next to go from the current screen to the next screen. Click Back to return to a screen you have previously visited.

Step 8 Cisco SDM displays the Summary screen when you have completed the configuration. Review the configuration. If you need to make changes, click Back to return to the screen in which you need to make changes, then return to the Summary screen.

Step 9 If you want to test the connection after sending the configuration to the router, check Test the connectivity after configuring. After you click Finish, Cisco SDM tests the connection and displays the test results in another screen.

Step 10 To send the configuration to the router, click Finish.

Step 11 If you checked Preview commands before delivering to router in the Edit Preferences screen, the Cisco IOS CLI commands that you are sending are displayed. Click OK to send the configuration to the router, or click Cancel to discard it. If you did not make this setting, clicking Finish sends the configuration to the router.


Create an Easy VPN Server Reference describes the configuration screens you use to create an Easy VPN server connection.

Create an Easy VPN Server Reference

The topics in this section describe the configuration screens:

Create an Easy VPN Server

Welcome to the Easy VPN Server Wizard

Interface and Authentication

Group Authorization and Group Policy Lookup

User Authentication (XAuth)

User Accounts for XAuth

Add RADIUS Server

Group Authorization: User Group Policies

General Group Information

DNS and WINS Configuration

Split Tunneling

Client Settings

Choose Browser Proxy Settings

Add or Edit Browser Proxy Settings

User Authentication (XAuth)

Client Update

Add or Edit Client Update Entry

Cisco Tunneling Control Protocol

Summary

Browser Proxy Settings

Create an Easy VPN Server

This wizard will guide you through the necessary steps to configure an Easy VPN Server on this router.

Field Reference

Table 13-1 describes the fields in this screen.

Table 13-1 Create an Easy VPN Server Fields

Element
Description

Launch the Easy VPN Server Wizard

Click this button to start the wizard.


Welcome to the Easy VPN Server Wizard

This wizard will guide you in performing the following tasks to successfully configure an Easy VPN Server on this router.

Choosing the interface on which the client connections will terminate, and the authentication method used for the server and Easy VPN clients

Configuring IKE policies

Configuring an IPSec transform set

Configuring group authorization and the group policy lookup method

Configuring user authentication

Configuring external RADIUS servers

Configuring policies for remote users connecting to Easy VPN clients

Interface and Authentication

This window lets you choose the interface on which you want to configure the Easy VPN Server.

If you choose an interface that is already configured with a site-to-site IPSec policy, Cisco SDM displays a message that an IPSec policy already exists on the interface. Cisco SDM uses the existing IPSec policy to configure the Easy VPN Server.

If the chosen interface is part of an Easy VPN Remote, GREoIPSec, or DMVPN interface, Cisco SDM displays a message to choose another interface.

Field Reference

Table 13-2 describes the fields in this screen.

Table 13-2 Interface and Authentication Fields 

Element
Description

IP Address of Virtual Tunnel Interface

These fields allow you to configure an IPsec virtual tunnel interface (VTI). IPsec VTI configuration does not require a static mapping of IPsec sessions to a physical interface. The IPsec tunnel endpoint is associated with an actual (virtual) interface. Because there is a routable interface at the tunnel endpoint, many common interface capabilities can be applied to the IPsec tunnel. You can create a static VTI (SVTI), or a dynamic VTI (DVTI).

Click Unnumbered to New Loopback Interface and provide an IP address and subnet mask to create an SVTI. SVTIs can be used for site-to-site connectivity in which a tunnel provides always-on access between two sites.

Click Unnumbered to and choose an interface from the list to create a DVTI. DVTIs provide highly secure and scalable connectivity for remote-access VPNs. DVTI tunnels provide an on-demand separate virtual access interface for each VPN session. The configuration of the virtual access interfaces is cloned from a virtual template configuration, which includes the IPsec configuration and any Cisco IOS software feature configured on the virtual template interface, such as QoS, NetFlow, or ACLs.

An excellent discussion of VTIs is found at the following link:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1027265

Details

Click this button to obtain details about a physical interface you choose. The details window shows any access rules, IPSec policies, NAT rules, or inspection rules associated with the interface.

This button is dimmed when no interface is chosen.

Authentication

Choose one of the following:

Pre-shared Keys—If you click Pre-shared Keys, you must enter a key value when you configure the Add Group Policy general setup window.

Digital Certificates—If you click Digital Certificates, the preshared key fields do not appear in the Add Group Policy general setup window.

Both—If you click Both, entering a key value in the Add Group Policy general setup window is optional.


Group Authorization and Group Policy Lookup

This window allows you to define a new AAA authorization network method list for group policy lookup or to choose an existing network method list.

Field Reference

Table 13-3 describes the fields in this screen.

Table 13-3 Group Authorization and Policy Lookup Fields 

Element
Description

Local Only

This option allows you to create a method list for the local database only.

When you define an AAA method list for the local database, the router looks at the local database for group authentication.

RADIUS Only

This option allows you to create a method list for a RADIUS database.

RADIUS and Local

This option allows you to create a method list for both RADIUS and local database.

When you define method lists for both a RADIUS and local database, the router first looks at the RADIUS server and then the local database for group authentication.

Select an existing AAA method list

This option lets you choose an existing AAA method list on the router to use for group authentication.


User Authentication (XAuth)

You can configure user authentication on Easy VPN Server. You can store user authentication details on an external server such as a RADIUS server or a local database or on both. An AAA login authentication method list is used to decide the order in which user authentication details should be searched.

Field Reference

Table 13-4 describes the fields in this screen.

Table 13-4 User Authentication Fields 

Element
Description

Local

Click Local to add user authentication details to the local database.

RADIUS

Click RADIUS if you want to add user authentication details to the database on the RADIUS server.

RADIUS and Local

Click RADIUS and Local to add user authentication details for both a RADIUS and local database.

Select an existing AAA Method List

Click Select an existing AAA Method List to choose a method list from a list of all method lists configured on the router.

The chosen method list is used for extended authentication.

Add User Credentials

Click Add User Credentials to add a user account.

Summary

If you choose RADIUS, the Summary box is displayed. It explains how the RADIUS and local databases are used, and that the Easy VPN remote user can be notified when their password has expired.

Notify remote user of password expiration—This option is checked by default. When enabled, the Easy VPN Server notifies the user when their password has expired and prompts them to enter a new password.


User Accounts for XAuth

Add an account for a user you want to authenticate after IKE has authenticated the device.

Field Reference

Table 13-5 describes the fields in this screen.

Table 13-5 User Accounts for XAuth Fields 

Element
Description

User Accounts

The user accounts that XAuth will authenticate are listed in this box. The account name and privilege level are visible.

Add

Edit

Use these buttons to add and edit user accounts. User accounts can be deleted in the Additional Tasks > Router Access > User Accounts/View window.


Note Existing CLI view user accounts cannot be edited from this window. If you need to edit user accounts, go to Additional Tasks > Router Access > User Accounts/CLI View.



Add RADIUS Server

This window lets you add a new RADIUS server or edit or ping an already existing RADIUS server.

Field Reference

Table 13-6 describes the fields in this screen.

Table 13-6 Add a RADIUS Server Fields 

Element
Description

Add

Add a new RADIUS server.

Edit

Edit an already existing RADIUS server configuration.

Ping

Ping an already existing RADIUS server or newly configured RADIUS server.


Group Authorization: User Group Policies

This window allows you to add, edit, clone or delete user group policies on the local database.

Field Reference

Table 13-7 describes the fields in this screen.

Table 13-7 User Group Policies Fields 

Element
Description
Group Policy List area

Select

Check the box in this column next to the groups that you want this Easy VPN server connection to serve.

Group Name

Name given to the user group.

Pool

Name of the IP address pool from which an IP address is assigned to a user connecting from this group.

DNS

Domain Name System (DNS) address of the group.

This DNS address is "pushed" to the users connecting to this group.

WINS

Windows Internet Naming Service (WINS) address of the group.

This WINS address is "pushed" to the users connecting to this group.

Domain Name

Domain name of the group.

This domain name is "pushed" to the users connecting to this group.

Split ACL

The access control list (ACL) that represents protected subnets for split tunneling purposes.

Configure Idle Timer

Idle Timer

Click the Configure Idle Timer check box and enter a value for the maximum time that a VPN tunnel can remain idle before being disconnected. Enter hours in the left field, minutes in the middle field, and seconds in the right field. The minimum time allowed is 1 minute.

Disconnecting idle VPN tunnels can help the Easy VPN Server run more efficiently by reclaiming unused resources.


General Group Information

This window allows you to configure, edit and clone group policies.

Field Reference

Table 13-8 describes the fields in this screen.

Table 13-8 General Group Information Fields 

Element
Description

Please Enter a Name for This Group

Enter the group name in the field provided. If this group policy is being edited, this field is disabled. If you are cloning a group policy, you must enter a new value in this field.

Preshared Key

Enter the preshared key in the fields provided.

The Current key field cannot be changed.


Note You do not have to enter a preshared key if you are using digital certificates for group authentication. Digital certificates are also used for user authentication.


Pool Information

Specifies a local pool of IP addresses that are used to allocate IP addresses to clients.

Create a New Pool—Enter the range of IP addresses for the local IP address pool in the IP Address Range field.

Select from an Existing Pool—Choose the range of IP addresses from the existing pool of IP addresses.


Note This field cannot be edited if there are no predefined IP address pools.


Subnet Mask (Optional)

Enter a subnet mask to send with the IP addresses allocated to clients in this group.

Maximum Connections Allowed

Specify the maximum number of client connections to the Easy VPN Server from this group. Cisco SDM supports a maximum of 5000 connections per group.


DNS and WINS Configuration

This window allows you to specify the Domain Name Service (DNS) and Windows Internet Naming Service (WINS) information.

Field Reference

Table 13-9 describes the fields in this screen.

Table 13-9 DNS and WINS Fields 

Element
Description

DNS

Enter the primary and secondary DNS server IP address in the fields provided. Entering a secondary DNS server address is optional.

WINS

Enter the primary and secondary WINS server IP address in the fields provided. Entering a secondary WINS server address is optional.

Domain Name

Specify the domain name that should be pushed to the Easy VPN client.


Split Tunneling

This window allows you to enable split tunneling for the user group you are adding.

Split tunneling is the ability to have a secure tunnel to the central site and simultaneous clear text tunnels to the Internet. For example, traffic sourced from the client for the protected destination subnet is sent through the VPN tunnel, while other traffic does not use the tunnel.

You can also specify which groups of ACLs represent protected subnets for split tunneling.

Field Reference

Table 13-10 describes the fields in this screen.

Table 13-10 Split Tunneling Fields 

Element
Description

Enable Split Tunneling

This box allows you to add protected subnets and ACLs for split tunneling.

Enter the Protected Subnets—Add or remove the subnets for which the packets are tunneled from the VPN clients.

Choose the Split Tunneling ACL—Choose the ACL to use for split tunneling.

Split DNS

Enter the Internet domain names that should be resolved by your network's DNS server. The following restrictions apply:

A maximum of 10 entries is allowed.

Entries must be separated with a comma.

Do not use spaces anywhere in the list of entries.

Duplicate entries or entries with invalid formats are not accepted.


Note This feature appears only if supported by your Cisco server's IOS release.
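As an added example, not Cisco SDM code and not from the original guide, the following Python applies the Split DNS entry rules stated above and models how a client uses the pushed protected-subnet list (the split ACL) and Split DNS list to decide whether traffic and name lookups go through the tunnel. The function names, the label regex and the sample group policy are this example's own assumptions.

```python
"""Split tunneling and Split DNS as configured on the Split Tunneling screen.

Added example, not Cisco SDM code. It applies the Split DNS entry rules
stated on the page (at most 10 entries, comma-separated, no spaces, no
duplicates or malformed names) and models how a client uses the pushed
protected-subnet list (the split ACL) and Split DNS list to decide
whether traffic and name lookups go through the tunnel. Data structures
and function names are this example's own assumptions.
"""
import ipaddress
import re

MAX_SPLIT_DNS_ENTRIES = 10
# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_split_dns(entry: str) -> list[str]:
    """Validate a Split DNS entry string and return the list of domains.

    Raises ValueError on any rule violation, which is the behaviour the
    screen describes as "not accepted".
    """
    if " " in entry:
        raise ValueError("spaces are not allowed anywhere in the list")
    domains = entry.split(",")
    if len(domains) > MAX_SPLIT_DNS_ENTRIES:
        raise ValueError(f"at most {MAX_SPLIT_DNS_ENTRIES} entries are allowed")
    seen: set[str] = set()
    for name in domains:
        if not name or not all(_LABEL.match(label) for label in name.split(".")):
            raise ValueError(f"invalid domain name: {name!r}")
        key = name.lower()
        if key in seen:
            raise ValueError(f"duplicate entry: {name!r}")
        seen.add(key)
    return domains


def build_split_acl(protected_subnets: list[str]) -> list[ipaddress.IPv4Network]:
    """Turn the 'Protected Subnets' entries into network objects.

    strict=False accepts an entry with host bits set, such as 10.10.1.1/16,
    the way an ACL entry would, by masking it down to the network.
    """
    return [ipaddress.ip_network(subnet, strict=False) for subnet in protected_subnets]


def tunnel_decision(dst: str, split_acl, split_tunneling: bool = True) -> str:
    """Return 'tunnel' or 'direct' for a destination address.

    With split tunneling disabled (a full tunnel) every destination is
    sent through the VPN; with it enabled, only the protected subnets are.
    """
    if not split_tunneling:
        return "tunnel"
    addr = ipaddress.ip_address(dst)
    return "tunnel" if any(addr in net for net in split_acl) else "direct"


def dns_decision(qname: str, split_dns: list[str], split_tunneling: bool = True) -> str:
    """Return 'corporate' if the pushed DNS server resolves the name, else 'local'.

    A Split DNS entry matches the domain itself and any name beneath it,
    so 'corp.example.com' covers 'wiki.corp.example.com' but not
    'notcorp.example.com'.
    """
    if not split_tunneling:
        return "corporate"
    q = qname.lower().rstrip(".")
    for domain in split_dns:
        d = domain.lower()
        if q == d or q.endswith("." + d):
            return "corporate"
    return "local"


if __name__ == "__main__":
    # Constructed sample group policy, not a real configuration.
    acl = build_split_acl(["10.10.0.0/16", "192.168.50.0/24"])
    split_dns = parse_split_dns("corp.example.com,lab.example.net")
    for dst in ("10.10.3.7", "192.168.50.9", "203.0.113.5"):
        print(dst, tunnel_decision(dst, acl))
    for name in ("wiki.corp.example.com", "notcorp.example.com"):
        print(name, dns_decision(name, split_dns))
```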



Client Settings

This window allows you to configure additional attributes for security policy such as adding or removing a backup server, Firewall Are-U-There, and Include-Local-LAN.


Note Some of the features described below appear only if supported by your Cisco server's IOS release.


Field Reference

Table 13-11 describes the fields in this screen.

Table 13-11 Client Setting Fields 

Element
Description

Backup Servers

You can specify up to ten servers by IP address or hostname as backup for the Easy VPN server, and order the list to control which servers the router will attempt to connect to first if the primary connection to the Easy VPN server fails.

Add—Click Add to specify the name or the IP address of an Easy VPN server for the router to connect to when the primary connection fails, and then enter the address or hostname in the window displayed.

Delete—Click Delete to remove a specified IP address or hostname.

Configuration Push

You can specify an Easy VPN client configuration file using a URL and version number. The Easy VPN Server sends the URL and version number to Easy VPN hardware clients requesting that information. Only Easy VPN hardware clients belonging to the group policy you are configuring can request the URL and version number you enter in this window.

Enter the URL of the configuration file in the URL field. The URL should begin with an appropriate protocol, and can include usernames and passwords. The following are URL examples for downloading an upgrade file called sdm.exe:

http://username:password@www.cisco.com/go/vpn/sdm.exe

https://username:password@www.cisco.com/go/vpn/sdm.exe

ftp://username:password@www.cisco.com/go/vpn/sdm.exe

tftp://username:password@www.cisco.com/go/vpn/sdm.exe

scp://username:password@www.cisco.com/go/vpn/sdm.exe

rcp://username:password@www.cisco.com/go/vpn/sdm.exe

cns:

xmodem:

ymodem:

null:

flash:sdm.exe

nvram:sdm.exe

usbtoken[0-9]:sdm.exe

The USB token port number range is 0-9. For example, for a USB token attached to USB port 0, the URL is usbtoken0:sdm.exe.

usbflash[0-9]:sdm.exe

The USB flash port number range is 0-9. For example, for a USB flash attached to USB port 0, the URL is usbflash0:sdm.exe.

disk[0-1]:sdm.exe

The disk number is 0 or 1. For example, for disk number 0, the URL is disk0:sdm.exe.

archive:sdm.exe

tar:sdm.exe

system:sdm.exe

In these examples, username is the site username and password is the site password.

Enter the version number of the file in the Version field. The version number must be in the range 1 to 32767.

Browser Proxy

You can specify browser proxy settings for Easy VPN software clients. The Easy VPN Server sends the browser proxy settings to Easy VPN software clients requesting that information. Only Easy VPN software clients belonging to the group policy you are configuring can request the browser proxy settings you enter in this window.

Enter the name under which the browser proxy settings were saved, or choose one of the following from the drop-down menu:

Choose an existing setting...

Opens a window with a list of existing browser proxy settings.

Create a new setting and choose...

Opens a window where you can create new browser proxy settings.

None

Clears any browser proxy settings assigned to the group.

Firewall Are-U-There

You can restrict VPN connections to clients running Black Ice or Zone Alarm personal firewalls.

Include Local LAN

You can allow a client that is not using split tunneling to access its local subnetwork at the same time as the VPN connection.

Perfect Forward Secrecy (PFS)

Enable PFS if it is required by the IPSec security association you are using.


Choose Browser Proxy Settings

From the drop-down list, choose the browser proxy settings you want to associate with the group.

Field Reference

Table 13-12 describes the fields in this screen.

Table 13-12 Choose Browser Proxy Settings

Element
Description

Proxy Settings

Choose the settings that you want to associate with the group.


Add or Edit Browser Proxy Settings

This window allows you to add or edit browser proxy settings.

Field Reference

Table 13-13 describes the fields in this screen.

Table 13-13 Browser Proxy Settings Fields 

Element
Description

Browser Proxy Settings Name

If you are adding browser proxy settings, enter a name that will appear in drop-down menus listing browser proxy settings. If you are editing browser proxy settings, the name field is read-only.

Proxy Settings

Choose one of the following:

No Proxy Server

You do not want clients in this group to use a proxy server when they use the VPN tunnel.

Automatically Detect Settings

You want clients in this group to automatically detect a proxy server when they use the VPN tunnel.

Manual Proxy Configuration

You want to manually configure a proxy server for clients in this group. If you choose this option, complete the procedure for manually configuring a proxy server in this help topic.


Manually Configuring a Proxy Server

If you choose Manual Proxy Configuration, follow these steps to manually configure a proxy server:


Step 1 Enter the proxy server IP address in the Server IP Address field.

Step 2 Enter the port number that proxy server uses for receiving proxy requests in the Port field.

Step 3 Enter a list of IP addresses for which you do not want clients to use the proxy server.

Separate the addresses with commas, and do not enter any spaces.

Step 4 If you want to prevent clients from using the proxy server for local (LAN) addresses, check the Bypass proxy server for local address check box.

Step 5 Click OK to save the browser proxy settings.


User Authentication (XAuth)

This window allows you to configure additional attributes for user authentication, such as Group Lock and Save Password.

Field Reference

Table 13-14 describes the fields in this screen.

Table 13-14 User Authentication (XAuth) Fields 

Element
Description

XAuth Banner

Enter the text for a banner that is shown to users during XAuth requests.


Note This feature appears only if supported by your Cisco server's IOS release.


Maximum Logins Allowed Per User

Specify the maximum number of connections a user can establish at a time. Cisco SDM supports a maximum of ten logins per user.

Group Lock

You can restrict a client to connect to the Easy VPN Server only from the specified user group.

Save Password

You can save extended authentication user name and password locally on the Easy VPN Client.


Client Update

This window allows you to set up client software or firmware update notifications, and displays existing client update entries. Existing client update entries can be selected for editing or deletion.

Notifications are sent automatically to clients which connect to the server after a new or edited client update configuration is saved. Clients already connected require manual notification. To send a manual IKE notification of update availability, choose a group policy in the group policies window and click the Send Update button. Group clients meeting the client update criteria are sent the notification.


Note The client update window is available only if supported by your Cisco server's IOS release.


Field Reference

Table 13-15 describes the fields in this screen.

Table 13-15 Client Update Fields

Element
Description

Client Type

Displays the type of client for which the revision is intended.

Revisions

Displays which revisions are available.

URL Column

Displays the location of the revisions.

Add Button

Click to configure a new client update entry.

Edit Button

Click to edit the specified client update entry.

Delete Button

Click to delete the specified client update entry.


Add or Edit Client Update Entry

This window allows you to configure a new client update entry.

Field Reference

Table 13-16 describes the fields in this screen.

Table 13-16 Add or Edit Client Update Entry Fields

Element
Description

Client Type

Enter a client type or choose one from the drop-down menu. Client type names are case sensitive.

For software clients, the client type is usually the operating system, for example, Windows. For hardware clients, the client type is usually the model number, for example, vpn3002.

If you are editing the client update entry, the client type is read-only.

URL

Enter the URL that leads to the latest software or firmware revision. The URL should begin with an appropriate protocol, and can include usernames and passwords.

The following are URL examples for downloading an upgrade file called vpnclient-4.6.exe:

http://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe

https://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe

ftp://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe

tftp://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe

scp://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe

rcp://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe

cns:

xmodem:

ymodem:

null:

flash:vpnclient-4.6.exe

nvram:vpnclient-4.6.exe

usbtoken[0-9]:vpnclient-4.6.exe

The USB token port number range is 0-9. For example, for a USB token attached to USB port 0, the URL is usbtoken0:vpnclient-4.6.exe.

usbflash[0-9]:vpnclient-4.6.exe

The USB flash port number range is 0-9. For example, for a USB flash attached to USB port 0, the URL is usbflash0:vpnclient-4.6.exe.

disk[0-1]:vpnclient-4.6.exe

The disk number is 0 or 1. For example, for disk number 0, the URL is disk0:vpnclient-4.6.exe.

archive:vpnclient-4.6.exe

tar:vpnclient-4.6.exe

system:vpnclient-4.6.exe

In these examples, username is the site username and password is the site password.

Revisions

Enter the revision number of the latest update. You can enter multiple revision numbers by separating them with commas, for example, 4.3,4.4,4.5. Do not use any spaces.
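The Configuration Push field in the Client Settings screen and the URL field in this screen both accept URLs that may carry a site username and password and that are pushed to every client in the group. As an added example, not Cisco SDM code and not from the original guide, the following Python classifies such URLs by the schemes listed on the page and flags the ones whose embedded credentials or file contents travel over an unencrypted transport; the scheme groupings, the dataclass and the sample entries are this example's own assumptions.

```python
"""Audit the download URLs accepted by the Configuration Push and Client Update screens.

Added example, not Cisco SDM code. Both screens accept URLs of the forms
shown on the page: network fetches such as http://username:password@host/path,
ftp://, tftp://, scp:// or rcp://, and router storage such as flash:sdm.exe,
nvram:sdm.exe, usbtoken0:sdm.exe or disk0:sdm.exe. Before a URL with an
embedded site password is pushed to every client in a group, a reviewer
wants to know whether that password, and the file itself, travel in the
clear. The scheme groupings and the dataclass are this example's own
assumptions, built from the schemes listed on the page.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Network schemes from the page that protect the transfer (and any embedded
# credentials) with encryption.
ENCRYPTED_REMOTE = {"https", "scp"}
# Network schemes from the page that carry credentials and file contents in cleartext.
CLEARTEXT_REMOTE = {"http", "ftp", "tftp", "rcp"}
# Router-local sources from the page; the trailing digit of usbtoken0, usbflash0
# or disk0 is a port or slot number and is stripped before matching.
LOCAL_SOURCES = {"flash", "nvram", "usbtoken", "usbflash", "disk", "archive",
                 "tar", "system", "cns", "xmodem", "ymodem", "null"}


@dataclass
class UrlFinding:
    url: str
    scheme: str
    kind: str                    # "remote", "local" or "unknown"
    has_credentials: bool        # username and/or password embedded in the URL
    cleartext_transport: bool    # file fetched over an unencrypted network scheme
    cleartext_credentials: bool  # embedded credentials sent over such a scheme
    redacted: str                # form safe to quote in a review note or log line


def redact(url: str) -> str:
    """Strip the userinfo part (username:password@) from a URL."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit(parts._replace(netloc="<redacted>@" + host))


def audit_url(url: str) -> UrlFinding:
    """Classify one configured URL and flag cleartext credential exposure."""
    parts = urlsplit(url)  # handles both "scheme://host/path" and "flash:sdm.exe"
    scheme = parts.scheme.lower()
    has_creds = parts.username is not None or parts.password is not None
    if scheme in ENCRYPTED_REMOTE or scheme in CLEARTEXT_REMOTE:
        kind = "remote"
    elif scheme.rstrip("0123456789") in LOCAL_SOURCES:
        kind = "local"
    else:
        kind = "unknown"
    cleartext = kind == "remote" and scheme in CLEARTEXT_REMOTE
    return UrlFinding(
        url=url, scheme=scheme, kind=kind, has_credentials=has_creds,
        cleartext_transport=cleartext,
        cleartext_credentials=cleartext and has_creds,
        redacted=redact(url),
    )


def audit_urls(urls: list[str]) -> list[UrlFinding]:
    """Audit a list of URLs and return only the findings that need attention."""
    return [f for f in (audit_url(u) for u in urls)
            if f.kind == "unknown" or f.cleartext_transport]


if __name__ == "__main__":
    # Constructed sample entries shaped like the page's examples, not real config.
    sample = [
        "http://username:password@www.cisco.com/go/vpn/sdm.exe",
        "https://username:password@www.cisco.com/go/vpn/sdm.exe",
        "tftp://www.cisco.com/go/vpn/vpnclient-4.6.exe",
        "usbtoken0:sdm.exe",
        "cns:",
    ]
    for finding in audit_urls(sample):
        print(finding.redacted, finding.kind,
              "creds-in-clear" if finding.cleartext_credentials else "",
              "file-in-clear" if finding.cleartext_transport else "")
```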


Cisco Tunneling Control Protocol

Cisco Tunneling Control Protocol (cTCP) enables VPN clients to operate in environments where the standard ESP protocol (IP protocol 50) or IKE protocol (UDP port 500) is not permitted. For a variety of reasons, firewalls may not permit ESP or IKE traffic, thus blocking VPN communication. cTCP solves this problem by encapsulating ESP and IKE traffic in a TCP header so that firewalls do not see it.

Field Reference

Table 13-17 describes the fields in this screen.

Table 13-17  Cisco Tunneling Control Protocol 

Element
Description

Enable cTCP

Check Enable cTCP to enable this protocol on the Easy VPN server.

Specify the port numbers

Specify the port numbers on which the Easy VPN server must listen for cTCP requests from clients. You can add a maximum of 10 port numbers. Use a comma to separate entries. Here is an example of 3 port entries: 1000,3000,4000.


Summary

This window shows you the Easy VPN Server configuration that you have created, and it allows you to save the configuration. You can review the configuration in this window and click the Back button to change any items.

Clicking the Finish button writes the information to the router running configuration. If the tunnel has been configured to operate in Auto mode, the router also attempts to contact the VPN concentrator or server.

If you want to change the Easy VPN Server configuration at a later time, you can make the changes in the Edit Easy VPN Server panel.

To save this configuration to the router running configuration and leave this wizard, click Finish. Changes will take effect immediately.

Table 13-18 Summary Buttons

Element
Description

Test VPN Connectivity After Configuring

Click to test the VPN connection you have just configured. The results of the test appear in a separate window.


Browser Proxy Settings

This window lists browser proxy settings, showing how they are configured. You can add, edit, or delete browser proxy settings. Use the group policies configuration to associate browser proxy settings with client groups.

Field Reference

Table 13-19 describes the fields in this screen.

Table 13-19 Browser Proxy Settings Fields

Element
Description

Name

The name of the browser proxy settings.

Settings

Displays one of the following:

No Proxy Server

No proxy server can be used by clients when they connect through the VPN tunnel.

Automatically Detect Settings

Clients attempt to automatically detect a proxy server.

Manual Proxy Configuration

Settings are manually configured.

Server Details

Displays the proxy server IP address and port number used.

Bypass Local Addresses

If set, prevents clients from using the proxy server for local (LAN) addresses.

Exceptions List

A list of IP addresses for which you do not want clients to use the proxy server.

Add Button

Configure new browser proxy settings.

Edit Button

Edit the specified browser proxy settings.

Delete Button

Delete the specified browser proxy settings. Browser proxy settings associated with one or more group policies cannot be deleted before those associations are removed.


Editing Easy VPN Server Connections

To edit an Easy VPN Server connection, complete these steps:


Step 1 If you want to review the Cisco IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. The preview screen allows you to cancel the configuration if you want to.

Step 2 In the Cisco SDM toolbar, click Configure.

Step 3 In the Cisco SDM taskbar, click VPN.

Step 4 In the VPN tree, click Easy VPN Server.

Step 5 Click Edit VPN Server.

Step 6 Choose the VPN server connection that you want to edit.

Step 7 Click Edit. Then, make changes to the settings in the displayed dialogs.

Step 8 Click OK to close the dialog and send the changes to the router.

Step 9 If you checked Preview commands before delivering to router in the Edit Preferences screen, the Cisco IOS CLI commands that you are sending are displayed. Click Deliver to send the configuration to the router, or click Cancel to discard it.


Edit Easy VPN Server Reference describes the configuration screens.

Edit Easy VPN Server Reference

The topics in this section describe the Edit Easy VPN Server screens:

Edit Easy VPN Server

Add or Edit Easy VPN Server Connection

Restrict Access

Group Policies Configuration

IP Pools

Add or Edit IP Local Pool

Add IP Address Range

Edit Easy VPN Server

This window lets you view and manage Easy VPN server connections.

Field Reference

Table 13-20 describes the fields in this screen.

Table 13-20 Edit Easy VPN Server Fields 

Element
Description

Add

Click Add to add a new Easy VPN Server.

Edit

Click Edit to edit an existing Easy VPN Server configuration.

Delete

Click Delete to delete a specified configuration.

Name

The name of the IPSec policy associated with this connection.

Interface

The name of the interface used for this connection.

Group Authorization

The name of the method list used for group policy lookup.

User Authentication Column

The name of the method list used for user authentication lookup.

Mode Configuration

Displays one of the following:

Initiate

The router is configured to initiate connections with Easy VPN Remote clients.

Respond

The router is configured to wait for requests from Easy VPN Remote clients before establishing connections.

Test VPN Server Button

Click to test the chosen VPN tunnel. The results of the test appear in a separate window.

Restrict Access Button

Click this button to restrict group access to the specified Easy VPN Server connection.

This button is enabled only if both of the following conditions are met:

There is more than one Easy VPN Server connection using the local database for user authentication.

There is at least one local group policy configured.


Add or Edit Easy VPN Server Connection

This window lets you add or edit an Easy VPN Server connection.

Field Reference

Table 13-21 describes the fields in this screen.

Table 13-21 Easy VPN Server Connection Fields 

Element
Description

Choose an Interface

If you are adding a connection, choose the interface to use from this list. If you are editing the connection, this list is disabled.

Choose an IPSec Policy

If you are adding a connection, choose the IPSec policy to use from this list. If you are editing the connection, this list is disabled.

Method List for Group Policy Lookup

Choose the method list to use for group policy lookup from this list. Method lists are configured by clicking Additional Tasks on the Cisco SDM taskbar, and then clicking the AAA node.

Enable User Authentication

Check this check box if you want to require users to authenticate themselves.

Method List for User Authentication

Choose the method list to use for user authentication from this list. Method lists are configured by clicking Additional Tasks on the Cisco SDM taskbar, and then clicking the AAA node.

Mode Configuration

Check Initiate if you want the router to initiate connections with Easy VPN Remote clients.

Check Respond if you want the router to wait for requests from Easy VPN Remote clients before establishing connections.


Restrict Access

This window allows you to specify which group policies are allowed to use the Easy VPN connection.

Field Reference

Table 13-22 describes the fields in this screen.

Table 13-22 Restrict Access Fields 

Element
Description

Restrict Access

Click Restrict Access to enable restrictive access for this Easy VPN connection.

Check Boxes

Allow a group access to the Easy VPN Server connection by checking its check box. Deny a group access to the Easy VPN Server connection by unchecking its check box.


Group Policies Configuration

This window lets you view, add, clone, and choose group policies for editing or deletion. Group policies are used to identify resources for Easy VPN Remote clients.

Field Reference

Table 13-23 describes the fields in this screen.

Table 13-23 Group Policies Configuration Fields 

Element
Description

Common Pool

Click Common Pool to designate an existing pool as a common pool for all group policies to use. If no local pools have been configured, this button is disabled. Pools can be configured by clicking Additional Tasks > Local Pools, or when you configure Easy VPN Server connections.

Add

Edit

Clone

Delete

Use these buttons to manage group policies on the router. Clicking Clone displays the Group Policy edit tabs.

Send Update

Click to send an IKE notification of software or firmware updates to active clients of the chosen group. If this button is disabled, the chosen group does not have client update configured.

To set up client update notifications for the chosen group, click the Edit button and then click the Client Update tab.

Group Name

The name of the group policy.

Pool

The IP address pool used by the clients in this group.

DNS

The DNS servers used by the clients in this group.

WINS

The WINS servers used by the clients in this group.

Domain Name

The domain name used by the clients in this group.

ACL

If split tunneling is specified for this group, this column may contain the name of an ACL that defines which traffic is to be encrypted.

Details Window

The Details window is a list of feature settings and their values for the chosen group policy. Feature settings are displayed only if they are supported by your Cisco router's IOS release, and apply only to the chosen group. The following feature settings may appear in the list:

Authentication—Values indicate a preshared key if one was configured, or a digital certificate if a preshared key was not configured.

Maximum Connections Allowed—Shows the maximum number of simultaneous connections allowed. Cisco SDM supports a maximum of 5000 simultaneous connections per group.

Access Restrict—Shows the outside interface to which the specified group is restricted.

Backup Servers—Shows the IP address of backup servers that have been configured.

Firewall Are-U-There—Restricts connections to devices running Black Ice or Zone Alarm firewalls.

Include Local LAN—Allows a client that is not using split tunneling to reach its local stub network while the tunnel is up.

PFS (perfect forward secrecy)—Indicates that perfect forward secrecy is required for the IPSec security associations of this group.

Configuration Push, URL, and Version—The server sends a configuration file from the specified URL and with the specified version number to a client.

Group Lock—Clients are restricted to the group.

Save Password—XAuth credentials can be saved on the client.

Maximum Logins—The maximum number of connections a user can establish simultaneously. Cisco SDM supports a maximum of 10 simultaneous logins per user.

XAuth Banner—The text message shown to clients during XAuth requests.
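What the Step 9 command preview typically contains for one Easy VPN Server connection and its group policy, as an added example: this is constructed Cisco IOS configuration, not text from the Cisco SDM guide or output captured from SDM. The group name, method-list names, addresses, interface and placeholder keys are assumptions; each subcommand under the group corresponds to a row in the Details window above, and the pool and ACL lines correspond to the Pool and ACL columns.

```cisco
! Added example, not generated by Cisco SDM. Names, addresses and keys are
! constructed placeholders; replace them before use on a real router.
aaa new-model
! Method lists shown in the Group Authorization / User Authentication columns
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUPS local
username alice secret <user-password-placeholder>
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Split-tunnel ACL named in the ACL column: only 10.1.0.0/16 is encrypted
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
!
! Pool named in the Pool column (IP Pools > Add or Edit IP Local Pool)
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.254 cache-size 20
!
! Group policy: each line maps to a row of the Details window
crypto isakmp client configuration group ENGINEERING
 key <group-preshared-key-placeholder>
 dns 10.1.1.10 10.1.1.11
 wins 10.1.1.20
 domain example.com
 pool EZVPN-POOL
 acl 101
 pfs
 group-lock
 max-users 5000
 max-logins 10
 backup-gateway 192.0.2.2
 banner c Authorized users only. c
 ! save-password is deliberately omitted so XAuth credentials stay off clients
!
crypto ipsec transform-set EZVPN-TS esp-aes 256 esp-sha-hmac
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 reverse-route
!
! Mode Configuration "Respond": the router waits for client requests
crypto map EZVPN-MAP client authentication list EZVPN-XAUTH
crypto map EZVPN-MAP isakmp authorization list EZVPN-GROUPS
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface GigabitEthernet0/0
 crypto map EZVPN-MAP
```

Choosing "Initiate" in Mode Configuration changes the `client configuration address` line to `initiate`; enabling Save Password in the group adds `save-password` under the group.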


IP Pools

This window lists the IP address pools available to group policies configured on the router. Depending on the area of Cisco SDM you are working in, the name of this window varies, and Add, Edit, and Delete buttons may be available; use those buttons to manage local IP pools on the router.

Field Reference

Table 13-24 describes the fields in this screen.

Table 13-24 IP Pools Fields 

Element
Description

Pool Name Column

The name of the IP address pool.

IP Address Range

The IP address range for the selected pool. A range of 2.2.2.0 to 2.2.2.254 provides 255 addresses.

Cache Size

The size of the cache for this pool.

Group Name

If a local pool is configured with the group option using the CLI, the name of the group is displayed in the group name column. This column is not displayed in all Cisco SDM areas.


Note You cannot configure local pools with the group option using Cisco SDM.



Add or Edit IP Local Pool

This window lets you create or edit a local pool of IP addresses.

Field Reference

Table 13-25 describes the fields in this screen.

Table 13-25 Add or Edit IP Local Pool Fields 

Element
Description

Pool Name

If you are creating a pool, enter the pool name. If you are editing a pool, this field is disabled.

IP Address Range

Enter or edit the IP address ranges for the pool in this area. A pool can contain more than one IP address range. Use the Add, Edit, and Delete buttons to create additional ranges, edit ranges, and delete IP address ranges.

Cache Size

Enter or edit the cache size for this pool in this field.


Add IP Address Range

This window lets you add an IP address range to an existing pool.

Field Reference

Table 13-26 describes the fields in this screen.

Table 13-26 Add IP Address Range Fields 

Element
Description

Start IP Address

Enter the lowest IP address in the range. For example, if you are defining a range from 10.10.10.1 to 10.10.10.254, enter 10.10.10.1.

End IP Address

Enter the highest IP address in the range. For example, if you are defining a range from 10.10.10.1 to 10.10.10.254, enter 10.10.10.254.