User Guide for Cisco Security Manager 4.0.1
Easy VPN

Table Of Contents

Easy VPN

Understanding Easy VPN

Easy VPN with Dial Backup

Easy VPN with High Availability

Easy VPN with Dynamic Virtual Tunnel Interfaces

Overview of Configuring Easy VPN

Important Notes About Easy VPN Configuration

Configuring an IPsec Proposal for Easy VPN

Easy VPN IPsec Proposal Page

Easy VPN IPsec Proposal Tab

Dynamic VTI Tab

Configuring a User Group Policy for Easy VPN

User Group Policy Page

Configuring a Connection Profile Policy for Easy VPN

Configuring Client Connection Characteristics for Easy VPN

Client Connection Characteristics Page


Easy VPN


Easy VPN is a hub-and-spoke VPN topology that can be used with a variety of routers, PIX, and ASA devices. Policies are defined mostly on the hub and pushed to remote spoke VPN devices, ensuring that clients have up-to-date policies in place before establishing a secure connection.

This chapter contains the following topics:

Understanding Easy VPN

Configuring an IPsec Proposal for Easy VPN

Configuring a User Group Policy for Easy VPN

Configuring a Connection Profile Policy for Easy VPN

Configuring Client Connection Characteristics for Easy VPN

Understanding Easy VPN

Easy VPN simplifies VPN deployment for remote offices. With Easy VPN, security policies defined at the head end are pushed to remote VPN devices, ensuring that clients have up-to-date policies in place before establishing a secure connection.

Security Manager supports the configuration of Easy VPN policies on hub-and-spoke VPN topologies. In such a configuration, most VPN parameters are defined on the Easy VPN server, which acts as the hub device. The server pushes the centrally managed IPsec policies to the Easy VPN client devices, minimizing the configuration needed on the remote (spoke) devices.

The Easy VPN Server can be a Cisco IOS router, a PIX Firewall, or an ASA device. The Easy VPN client is supported on PIX 501, 506, 506E Firewalls running PIX 6.3, Cisco 800-3900 Series routers, and ASA 5505 devices running OS version 7.2 or later.


Note You can also configure remote access policies in remote access VPNs. In remote access VPNs, policies are configured between servers and mobile remote PCs running Cisco VPN client software, whereas, in site-to-site Easy VPN topologies, the clients are hardware devices. For information about configuring remote access VPNs, see Chapter 26, "Managing Remote Access VPNs".


This section contains the following topics:

Easy VPN with Dial Backup

Easy VPN with High Availability

Easy VPN with Dynamic Virtual Tunnel Interfaces

Overview of Configuring Easy VPN

Important Notes About Easy VPN Configuration

Easy VPN with Dial Backup

Dial backup for Easy VPN allows you to configure a dial backup tunnel connection on your remote client device. The backup feature is activated only when real traffic is ready to be sent, eliminating the need for expensive dialup or ISDN links that must be created and maintained even when there is no traffic.


Note Easy VPN dial backup can be configured only on remote clients that are routers running IOS version 12.3(14)T or later.


In an Easy VPN configuration, when the IP address tracked by the remote device becomes unreachable, the primary connection is torn down and a new connection to the server is established over the Easy VPN backup tunnel. Note the distinction from peer failover: if the primary hub itself cannot be reached, the primary configuration switches to the failover hub, using the same primary configuration, not the backup configuration.

Only one backup configuration is supported for each primary Easy VPN configuration. Each inside interface must specify both the primary and the backup Easy VPN configuration. IP static route tracking must be configured for dial backup to work on an Easy VPN remote device; it is the loss of the tracked route, not the failure of the tunnel itself, that activates the backup. The object tracking configuration is independent of the Easy VPN remote dial backup configuration and is specified in the spoke's Edit EndPoints dialog box.

For more information about dial backup, see Configuring Dial Backup, page 21-36.

Easy VPN with High Availability

You can configure High Availability (HA) on devices in an Easy VPN topology. High Availability provides automatic device backup when configured on Cisco IOS routers or Catalyst 6500/7600 devices that run IP over LANs. You can create an HA group made up of two or more hub devices in your Easy VPN topology that use the Hot Standby Router Protocol (HSRP) to provide transparent, automatic device failover. For more information, see Configuring High Availability in Your VPN Topology, page 21-46.

Easy VPN with Dynamic Virtual Tunnel Interfaces

The IPsec virtual tunnel interface (VTI) feature simplifies the configuration of IPsec-protected links by replacing the combination of a GRE tunnel and a crypto map that was previously needed to obtain a routable interface for remote access links. A VTI is an interface that supports IPsec tunneling and allows you to apply interface commands directly to the IPsec tunnels. A virtual tunnel interface reduces overhead because it does not require a static mapping of IPsec sessions to the particular physical interface to which the crypto map is applied.

IPsec VTIs support both unicast and multicast encrypted traffic on any physical interface, such as in the case of multiple paths. Traffic is encrypted or decrypted when it is forwarded from or to the tunnel interface and is managed by the IP routing table. Dynamic or static IP routing can be used to route the traffic to the virtual interface. Using IP routing to forward traffic to the tunnel interface simplifies IPsec VPN configuration compared to the more complex process of using access control lists (ACLs) with a crypto map. Dynamic VTIs function like any other real interface so that you can apply quality of service (QoS), firewall, and other security services as soon as the tunnel is active.

Dynamic VTIs use a virtual template infrastructure for dynamic instantiation and management of IPsec interfaces. In an Easy VPN topology, Security Manager implicitly creates the virtual template interface for the device. If the device is a hub, you must provide the IP address the hub will use for the virtual template interface: either a subnet (pool of addresses) or an existing loopback or physical interface. On a spoke, the virtual template interface is created without an IP address.

Notes

Dynamic VTI can be configured only in a hub-and-spoke Easy VPN topology on routers running IOS version 12.4(2)T and later, except 7600 devices. It is not supported on PIX Firewalls, ASA devices, or Catalyst 6000 series switches.

Not all hubs and spokes require a Dynamic VTI configuration during discovery or provisioning. You can extend an existing Easy VPN topology (including routers that do not support DVTI) by adding routers that do support it.

Dynamic VTI can be enabled on the servers only, on the clients only (if the server does not support DVTI), or on both clients and servers.

Dynamic VTI can be configured with or without VRF-Aware IPsec.

You cannot configure High Availability on hubs/servers that have been configured with DVTI.

You can also configure Dynamic VTI in remote access VPNs. For more information, see Chapter 26, "Managing Remote Access VPNs".

In Security Manager, you configure Dynamic VTI in the Easy VPN IPsec Proposal page. See Configuring an IPsec Proposal for Easy VPN.

Overview of Configuring Easy VPN

When a remote client initiates a connection to a VPN server, device authentication between the peers occurs using IKE, followed by user authentication using IKE Extended Authentication (Xauth), VPN policy push (in Client, Network Extension, or Network Extension Plus mode), and IPsec security association (SA) creation.

The following provides an overview of this process:

1. The client initiates IKE Phase 1 via aggressive mode if a preshared key is to be used for authentication, or main mode if digital certificates are used. If the client identifies itself with a preshared key, the accompanying user group name (defined during configuration) is used to identify the group profile associated with this client. If digital certificates are used, the organizational unit (OU) field of a distinguished name (DN) is used to identify the user group name. See PKI Enrollment Dialog Box—Certificate Subject Name Tab, page 28-40.


Note Because the client may be configured for preshared key authentication, which uses IKE aggressive mode, change the identity of the VPN device with the crypto isakmp identity hostname command. This does not affect certificate authentication via IKE main mode.


2. The client attempts to establish an IKE SA between its public IP address and the public IP address of the VPN server. To reduce the amount of manual configuration on the client, every combination of encryption and hash algorithms, authentication methods, and Diffie-Hellman (D-H) group sizes is proposed.

3. Depending on its IKE policy configuration, the VPN server determines which proposal is acceptable to continue negotiating Phase 1.


Note Device authentication ends and user authentication begins at this point.


4. After the IKE SA is successfully established, and if the VPN server is configured for Xauth, the client waits for a "username/password" challenge and then responds to the challenge of the peer. The information that is entered is checked against authentication entities using authentication, authorization, and accounting (AAA) protocols such as RADIUS and TACACS+. Token cards may also be used via AAA proxy. During Xauth, a user-specific attribute can be retrieved if the credentials of that user are validated via RADIUS.


Note VPN servers that are configured to handle remote clients should always be configured to enforce user authentication.


5. If the server indicates that authentication was successful, the client requests further configuration parameters from the peer. The remaining system parameters (for example, IP address, DNS, and split tunnel attributes) are pushed to the client using client or network extension mode configuration.


Note The IP address pool and the group preshared key (if Rivest, Shamir, and Adleman [RSA] signatures are not being used) are the only required parameters in a group profile. All other parameters are optional.


6. After each client is assigned an internal IP address via mode configuration, Reverse Route Injection (RRI), if configured, ensures that a static route is created on the device for each client internal IP address.

7. IKE quick mode is initiated to negotiate and create IPsec SAs.

The connection is complete.
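The exchange just described, expressed as the IOS configuration an Easy VPN server needs on the hub side, is shown below as an added example; it is not taken from the user guide and is not the configuration Security Manager generates. It uses the Dynamic VTI form described under Easy VPN with Dynamic Virtual Tunnel Interfaces (IOS 12.4(2)T or later) and assumes the constructed group name BRANCH, the AAA list names EZVPN-XAUTH and EZVPN-GROUPS, the pool EZVPN-POOL, ACL 150, the Loopback0 address 10.255.0.1 and the user alice; the Security Manager fields each part corresponds to are noted in the comments.

```cisco
! Easy VPN server (IOS 12.4(2)T or later) with a Dynamic VTI. Names, addresses and
! list numbers are constructed for this example.
aaa new-model
aaa authentication login EZVPN-XAUTH local       ! Xauth (step 4): user accounts looked up locally
aaa authorization network EZVPN-GROUPS local     ! Group Policy Lookup: group profiles held locally
username alice secret s3cr3t-xauth               ! Xauth user account (constructed)
!
crypto isakmp policy 10                          ! the client proposes every combination; the server picks (step 3)
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp identity hostname                  ! see the note on aggressive mode above
!
! Group profile pushed to the client by mode configuration after Xauth succeeds (step 5)
crypto isakmp client configuration group BRANCH
 key BRANCH-GROUP-KEY                            ! group preshared key: required unless RSA signatures are used
 pool EZVPN-POOL                                 ! required: addresses assigned to clients in client mode
 dns 10.1.1.5
 domain example.com
 acl 150                                         ! split-tunnel network list
 save-password                                   ! lets the client store its Xauth password locally
!
! Binds the group to the AAA lists and to the virtual template. The list names here
! must match the aaa list names above, or Xauth and group lookup never run.
crypto isakmp profile EZVPN-PROF
 match identity group BRANCH
 client authentication list EZVPN-XAUTH
 isakmp authorization list EZVPN-GROUPS
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel                                     ! Easy VPN transform sets use tunnel mode only
crypto ipsec profile EZVPN-IPSEC
 set transform-set AES256-SHA
 set isakmp-profile EZVPN-PROF
!
! Dynamic VTI: each client session is cloned from this template into its own
! Virtual-Access interface. "Interface Role" on the Dynamic VTI tab corresponds to
! the ip unnumbered line; the template itself carries no address of its own.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
!
ip local pool EZVPN-POOL 10.1.100.1 10.1.100.254
access-list 150 permit ip 10.1.0.0 0.0.255.255 any   ! corporate networks reachable through the tunnel
```

The client-side policy push in step 5 comes from the crypto isakmp client configuration group block, the username/password challenge in step 4 from the client authentication list, and the group profile lookup from the isakmp authorization list. The Reverse Route option on the Easy VPN IPsec Proposal page applies to crypto-map deployments (the non-DVTI form), which this example does not show.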

Important Notes About Easy VPN Configuration

Before you configure an Easy VPN policy in your topology, you should know the following:

In an Easy VPN topology configuration, deployment fails if a 72xx series router is used as a remote client device. The Easy VPN client is supported on PIX Firewalls, Cisco 800-3900 Series routers, and ASA 5505 devices running OS version 7.2 or later.

If you try to configure a Public Key Infrastructure (PKI) policy on a PIX 6.3 remote client in an Easy VPN topology configuration, deployment fails. For successful deployment on this device, you must first issue the PKI certificate on the CA server, and then try again to deploy the device. For more information about PKI policies, see Understanding Public Key Infrastructure Policies, page 22-26.

In some cases, deployment fails on a device that serves as an Easy VPN client if the crypto map is configured on the NAT (or PAT) internal interface instead of the external interface. On some platforms, the inside and outside interfaces are fixed. For example, on a Cisco 1700 series router the VPN interface must be the device's FastEthernet0 interface. On a Cisco 800 series router the VPN interface could be either the device's Ethernet0 or Dialer1 interface, depending on the configuration. On a Cisco uBR905/uBR925 cable access router, the VPN interface must be the Ethernet0 interface.

Configuring an IPsec Proposal for Easy VPN

Configuring an IPsec proposal on an Easy VPN server device enables you to:

Select the transform sets to use to secure the traffic that enters your VPN tunnel. For more information, see About Transform Sets, page 22-7.

Configure a dynamic virtual interface on a device in your Easy VPN topology. For more information, see Understanding Easy VPN.

Configure Reverse Route Injection (RRI) on the crypto map (on a PIX 7.0, ASA, or IOS router except 7600 device). For more information, see About Reverse Route Injection, page 22-8.

Configure NAT traversal on an ASA device. Use NAT traversal when a device between the VPN-connected hub and spoke performs Network Address Translation (NAT) on the IPsec traffic.

Specify a group authorization (Group Policy Lookup) method that defines the order in which the group policies are searched on the local server or on external AAA servers. Remote users are grouped, so that when the remote client establishes a successful connection to the VPN server, the group policies for that particular user group are pushed to all clients belonging to the user group.

Specify a user authentication (Xauth) method list that defines the order in which user accounts are searched. After the IKE SA is successfully established, and if the device is configured for Xauth, the client waits for a "username/password" challenge and then responds to the challenge of the peer. The information that is entered is checked against authentication entities using authentication, authorization, and accounting (AAA) protocols such as RADIUS and TACACS+.

In Security Manager, an IPsec proposal is a mandatory policy that is already configured on the Easy VPN server with predefined default values.

This procedure describes how to edit these IPsec policy definitions, if required.

Related Topics

Understanding Easy VPN

Easy VPN IPsec Proposal Page


Step 1 Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site VPN Manager window opens.

Step 2 In the VPNs selector, select the required VPN topology.

Step 3 Select Easy VPN IPsec Proposal in the Policies selector.

The Easy VPN IPsec Proposal page appears, displaying the IPsec Proposal tab with the defined parameters for configuring an IPsec proposal on an Easy VPN server device. For a description of the elements on this tab, see Table 24-1.

Step 4 Specify the transform sets to be used for your tunnel policy. If you want to use a transform set different from the displayed default, or select additional transform sets, click Select to open a dialog box that lists all available transform sets, and in which you can create your own transform set object. For more information, see Add or Edit IPSec Transform Set Dialog Box, page 28-28.

Step 5 Select an option to configure a Reverse Route on the crypto map (on a PIX 7.0, ASA, or IOS router except 7600 device).

Step 6 If the selected device is a PIX 7.0 or ASA device and a NAT device sits between the hub and the spoke, select the Enable Network Address Translation check box to configure NAT traversal.

Step 7 Specify an AAA authorization (Group Policy Lookup) method list that defines the order in which the group policies are searched on the local server or on external AAA servers.

Step 8 Specify the AAA or Xauth user authentication method used to define the order in which user accounts are searched.

Step 9 If you are configuring Dynamic VTI on a hub in the topology, specify either the subnet address or interface role:

Subnet—To take the IP address from a pool of addresses. Then, in the Subnet field, enter the private subnet with its mask in CIDR notation, for example 10.1.1.0/24.

Interface Role—If required, click Select to open the Interface selector in which you can select or add an interface.

If you are configuring Dynamic VTI on a spoke in the topology, select None.

For a description of the elements on this tab, see Table 24-2.


Easy VPN IPsec Proposal Page

Use the Easy VPN IPsec Proposal page to create or edit the IPsec policy definitions for your Easy VPN server, including the configuration of Dynamic VTI. For more information, see Configuring an IPsec Proposal for Easy VPN.


Note This topic describes the IPsec Proposal page when the assigned technology is Easy VPN. For a description of the IPsec Proposal page when the assigned technology is Regular IPsec, IPsec/GRE, GRE Dynamic IP, or DMVPN, see IPsec Proposal Page, page 22-9.


The following tabs are available on the Easy VPN IPsec Proposal page:

Easy VPN IPsec Proposal Tab

Dynamic VTI Tab

Navigation Path

(Site-to-Site VPN Manager Window, page 21-17) Select an EasyVPN topology in the VPNs selector, then select Easy VPN IPsec Proposal in the Policies selector.

(Policy view) Select Site-to-Site VPN > Easy VPN IPsec Proposal from the Policy Types selector. Select an existing shared policy or create a new one.

Easy VPN IPsec Proposal Tab

Use the Easy VPN IPsec Proposal tab to create or edit the IPsec policy definitions for your Easy VPN server.

Navigation Path

The Easy VPN IPsec Proposal tab appears when you open the Easy VPN IPsec Proposal Page.

Related Topics

Understanding Easy VPN

Configuring an IPsec Proposal for Easy VPN

Understanding AAA Server and Server Group Objects, page 6-20

Field Reference

Table 24-1 Easy VPN IPsec Proposal Tab 

Element
Description

Transform Sets

The transform sets to be used for your tunnel policy. Transform sets specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel. You can select up to six transform sets.

Transform sets may use only tunnel mode IPsec operation.

Note If more than one of your selected transform sets is supported by both peers, the transform set that provides the highest security will be used.

A default transform set is displayed. If you want to use a different transform set, or select additional transform sets, click Select to open a dialog box that lists all available transform sets, and in which you can create transform set objects. For more information, see Add or Edit IPSec Transform Set Dialog Box, page 28-28.

For more information, see About Transform Sets, page 22-7.

Reverse Route

Supported on ASA devices, PIX 7.0+ devices, and Cisco IOS routers except 7600 devices.

Reverse Route Injection (RRI) enables static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. For more information, see About Reverse Route Injection, page 22-8.

Select one of the following options to configure RRI on the crypto map:

None—To disable the configuration of RRI on the crypto map.

Standard—To create routes based on the destination information defined in the crypto map access control list (ACL). This is the default option.

Remote Peer—To create two routes, one for the remote endpoint and one for route recursion to the remote endpoint via the interface to which the crypto map is applied.

Remote Peer IP—To specify an interface or address as the explicit next hop to the remote VPN device. Then, click Select to open the Network/Hosts Selector, from which you can select the IP address of the remote peer to be used as the next hop.

Note You can select the Allow Value Override per Device check box to override the default route, if required.

Enable Network Address Translation

Supported on PIX 7.0+ and ASA devices.

When selected, configures NAT traversal (NAT-T) on the device.

NAT traversal is needed when a device between the hub and the spoke translates addresses on the IPsec traffic: NAT rewrites addresses that IPsec authenticates, so without NAT-T the translated packets fail the integrity check. With NAT-T, the peers detect the intermediate NAT during IKE and encapsulate ESP in UDP so that the traffic can pass through it.

For more information, see Understanding NAT, page 22-13.

Group Policy Lookup/AAA Authorization Method

Supported on Cisco IOS routers only.

The AAA authorization method list that will be used to define the order in which the group policies are searched. Group policies can be configured on both the local server or on an external AAA server.

You can click Select to open a dialog box that lists all available AAA group servers, and in which you can create AAA group server objects.

User Authentication (Xauth)/AAA Authentication Method

Supported on Cisco IOS routers only.

The AAA or Xauth user authentication method used to define the order in which user accounts are searched.

Xauth allows all Cisco IOS software AAA authentication methods to perform user authentication in a separate phase after the IKE authentication phase 1 exchange. The AAA configuration list-name must match the Xauth configuration list-name for user authentication to occur.

For more information about defining user accounts, see Defining Accounts and Credential Policies, page 53-14.

You can click Select to open a dialog box that lists all available AAA group servers from which you can make your selection, and in which you can create additional AAA group server objects.


Dynamic VTI Tab

Use the Dynamic VTI tab to configure a dynamic virtual interface on a device in a hub-and-spoke Easy VPN topology. For more information, see the section on Easy VPN with Dynamic Virtual Tunnel Interfaces.


Note Dynamic VTI can be configured only on IOS routers running IOS version 12.4(2)T and later, except 7600 devices.


Navigation Path

Open the Easy VPN IPsec Proposal Page, then click the Dynamic VTI tab.

Related Topics

Understanding Easy VPN

Configuring an IPsec Proposal for Easy VPN

Field Reference

Table 24-2 Dynamic VTI Tab 

Element
Description

Enable Dynamic VTI

When selected, enables Security Manager to implicitly create a dynamic virtual template interface on the device.

Note If the device is a hub server that does not support Dynamic VTI, a warning message is displayed, and a crypto map is deployed without dynamic VTI. In the case of a client device, an error message is displayed.

Virtual Template IP

If you are configuring Dynamic VTI on a hub in the topology, specify either the subnet address or interface role:

Subnet—To take the IP address from a pool of addresses. Then, in the Subnet field, enter the private subnet with its mask in CIDR notation, for example 10.1.1.0/24.

Interface Role—To use a physical or loopback interface on the device. If required, click Select to open the Interface selector in which you can select or add an interface.

If you are configuring Dynamic VTI on a spoke in the topology, select None.


Configuring a User Group Policy for Easy VPN

When you configure an Easy VPN server, you can create user groups for remote clients to belong to. As you add remote clients, you can specify that they inherit parameters from the user group policy. Thus you can quickly configure VPN access for large numbers of users.

Remote clients must have the same group name as the user group configured on the server in order to connect to the device, otherwise no connection is established. When the remote client establishes a successful connection to the VPN server, the group policies for that particular user group are pushed to all clients belonging to the user group.


Note An Easy VPN user group policy can be configured on a Cisco IOS security router, PIX 6.3 Firewall, or Catalyst 6500 /7600 device.


This procedure describes how to specify the user group you want to assign to your Easy VPN server.

Related Topics

Understanding Easy VPN


Step 1 Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site VPN Manager window opens.

Step 2 In the VPNs selector, select the required VPN topology.

Step 3 Select User Group Policy in the Policies selector.

The User Group Policy page appears, displaying the currently selected user group. For a description of the elements on this page, see User Group Policy Page.

Step 4 If you want to select a different user group, select it in the Available User Groups list. The user group replaces the selected one.

User groups are predefined objects. If the required user group is not included in the list, click Create to open a dialog box that displays all the user group objects, and enables you to create a user group. For more information, see Add or Edit User Group Dialog Box, page 28-68.


Note You can modify an existing user group's properties by selecting it and clicking Edit.



User Group Policy Page

Use the User Group Policy page to create or edit a user group policy on your Easy VPN server. An Easy VPN user group policy can be configured on a Cisco IOS security router, PIX 6.3 Firewall, or Catalyst 6500 /7600 device.

Select the user group policy object that you want to use in the policy from the Available User Groups list. You can create a new user group object by clicking the Create (+) button, or edit an existing group by selecting it and clicking the Edit (pencil icon) button.


Note You can also configure user group policies in remote access VPNs.


Navigation Path

(Site-to-Site VPN Manager Window, page 21-17) Select an Easy VPN topology in the VPNs selector, then select User Group Policy in the Policies selector.

(Policy view) Select Site-to-Site VPN > User Group Policy from the Policy Types selector. Select an existing shared policy or create a new one.

Related Topics

Understanding Easy VPN

Configuring a User Group Policy for Easy VPN

Configuring a Connection Profile Policy for Easy VPN

A tunnel group consists of a set of records that contain IPsec tunnel connection policies. Tunnel groups identify the group policy for a specific connection, and include user-oriented attributes. If you do not assign a particular group policy to a user, the default group policy for the connection applies. For a successful connection, the username of the remote client must exist in the database, otherwise the connection is denied.

In site-to-site VPNs, you configure tunnel group policies on an Easy VPN server, which can be a PIX Firewall version 7.0+ or an ASA device.


Note In remote access VPNs, you can configure tunnel group policies on a remote access VPN server.


Creating a tunnel group policy involves specifying:

The group policy—A collection of user-oriented attributes stored either internally on the device or externally on a RADIUS or LDAP server.

Global AAA settings—Authentication, Authorization, and Accounting servers.

The DHCP servers to be used for client address assignment, and the address pools from which the IP addresses will be assigned.

Settings for Internet Key Exchange (IKE) and IPsec (such as the preshared key).

(Optional) Interface-specific information (for authentication server groups and client address pools).

Client VPN software information.

On the PIX7.0+/ASA Connection Profiles page, you can create tunnel group policies or edit the parameters defined for existing tunnel group policies on your Easy VPN server.

Related Topics

Creating or Editing VPN Topologies, page 21-26

Understanding IPsec Technologies and Policies, page 21-5

Understanding Easy VPN


Step 1 Click the Site-To-Site VPN Manager button on the toolbar to open the Site-to-Site VPN Manager Window, page 21-17.


Note To edit a shared policy, in Policy view, select Site-to-Site VPN > Connection Profiles (PIX 7.0/ASA) from the Policy Type selector. Select an existing policy or create a new one.


Step 2 In the VPNs selector, select the Easy VPN topology you want to change.

Step 3 Select Connection Profiles (PIX 7.0/ASA) in the Policies selector to open the Connection Profiles Page, page 27-18.

Step 4 On the General tab, specify the connection profile name and group policies and select which method (or methods) of address assignment to use. For a description of the available properties, see General Tab (Connection Profiles), page 27-19.

Step 5 Click the AAA tab and specify the AAA authentication parameters for the connection profile. For a description of the elements on the tab, see AAA Tab (Connection Profiles), page 27-21.

Step 6 Click the IPsec tab and specify IPsec and IKE parameters for the connection profile. For a description of the elements on the tab, see IPSec Tab (Connection Profiles), page 27-27.
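For comparison with the IOS server, the following is an added example, not from the user guide, of the ASA configuration that the connection profile described above corresponds to: the tunnel group, its group policy, the address pool and the preshared key, together with the NAT traversal and reverse-route settings from the Easy VPN IPsec Proposal page. It assumes ASA 7.2 syntax (tunnel-group type ipsec-ra; 8.x also accepts remote-access) and the constructed names BRANCH, BRANCH-GP, EZVPN-POOL, SPLIT-TUNNEL, OUTSIDE-MAP, EZVPN-DYN and the user alice.

```cisco
! Easy VPN server on an ASA (7.2 syntax): connection profile for hardware clients.
! Names and addresses are constructed for this example.
!
! IKE phase 1 on the outside interface
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20          ! "Enable Network Address Translation" on the IPsec Proposal page
!
! IPsec (phase 2). Client addresses are not known in advance, so a dynamic crypto map
! is used; set reverse-route is the "Reverse Route" option on the IPsec Proposal page.
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map EZVPN-DYN 10 set transform-set AES256-SHA
crypto dynamic-map EZVPN-DYN 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic EZVPN-DYN
crypto map OUTSIDE-MAP interface outside
!
! Address pool and the group policy whose attributes are pushed to the client
ip local pool EZVPN-POOL 10.1.100.1-10.1.100.254 mask 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
group-policy BRANCH-GP internal
group-policy BRANCH-GP attributes
 vpn-tunnel-protocol IPSec             ! 8.4 and later spell this keyword ikev1
 dns-server value 10.1.1.5
 split-tunnel-policy tunnelspecified   ! only SPLIT-TUNNEL networks go through the tunnel
 split-tunnel-network-list value SPLIT-TUNNEL
 nem enable                            ! allow the hardware client to use Network Extension mode
!
! Connection profile (tunnel group): General tab, AAA tab and IPsec tab in that order
tunnel-group BRANCH type ipsec-ra
tunnel-group BRANCH general-attributes
 address-pool EZVPN-POOL
 authentication-server-group LOCAL     ! Xauth users; LOCAL or a RADIUS/TACACS+ server group
 default-group-policy BRANCH-GP
tunnel-group BRANCH ipsec-attributes
 pre-shared-key BRANCH-GROUP-KEY       ! group key; must match the group name and key on the client
!
username alice password s3cr3t-xauth   ! Xauth user account (constructed)
```

The tunnel group name BRANCH is what the remote client presents as its group name; a client whose group name has no matching tunnel group is refused, as the page notes for user group policies.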


Configuring Client Connection Characteristics for Easy VPN

Easy VPN connection characteristics specify how traffic will be routed in the VPN and how the VPN tunnel will be established, as described in these sections:

Easy VPN Configuration Modes

Easy VPN and IKE Extended Authentication (Xauth)

Easy VPN Tunnel Activation

Easy VPN Configuration Modes

Easy VPN can be configured in three modes—Client, Network Extension, and Network Extension Plus.

Client mode—The default configuration that allows devices at the client site to access resources at the central site, but disallows access to the central site for resources at the client site. In client mode, a single IP address is pushed to the remote client from the server when the VPN connection is established. This address is typically a routable address in the private address space of the customer network. All traffic passing across the Easy VPN tunnel undergoes Port Address Translation (PAT) to that single pushed IP address.

Network Extension mode—Allows users at the central site to access the network resources at the client site, and gives the client PCs and hosts direct access to the PCs and hosts at the central site. In Network Extension mode the hosts at the client end of the VPN tunnel keep IP addresses that are fully routable and reachable from the destination network, so the devices at both ends of the connection form one logical network. PAT is not used: the Easy VPN server (the hub) treats the LAN behind the Easy VPN client (the spoke) as routable, and hosts at the client end have direct access to the hosts at the destination network.

Network Extension Plus mode—An enhancement to Network Extension mode, which can be configured only on IOS routers. It enables an IP address that is received via mode configuration to be automatically assigned to an available loopback interface. This IP address can be used for connecting to your router for remote management and troubleshooting (ping, Telnet, and Secure Shell).


Note All modes of operation can also support split tunneling, which allows secure access to corporate resources through the VPN tunnel while also allowing Internet access through a connection to an ISP or other service (thereby eliminating the corporate network from the path for web access). Because a split-tunneled site is reachable from the Internet and from the corporate network at the same time, limit the split-tunnel network list to the networks that genuinely need the tunnel.


Easy VPN and IKE Extended Authentication (Xauth)

When negotiating tunnel parameters for establishing IPsec tunnels in an Easy VPN configuration, IKE Extended Authentication (Xauth) adds another level of authentication that identifies the user who requests the IPsec connection. If the VPN server is configured for Xauth, the client waits for a "username/password" challenge after the IKE SA has been established. When the end user responds to the challenge, the response is forwarded to the IPsec peers for an additional level of authentication.

The information that is entered is checked against authentication entities using authentication, authorization, and accounting (AAA) protocols such as RADIUS and TACACS+. Token cards may also be used via AAA proxy. During Xauth, a user-specific attribute can be retrieved if the credentials of that user are validated via RADIUS.


Note VPN servers that are configured to handle remote clients should always be configured to enforce user authentication.


Security Manager allows you to save the Xauth username and password on the device itself so you do not need to enter these credentials manually each time the Easy VPN tunnel is established. The information is saved in the device's configuration file and used each time the tunnel is established. Saving the credentials in the device's configuration file is typically used if the device is shared between several PCs and you want to keep the VPN tunnel up all the time, or if you want the device to automatically bring up the tunnel whenever there is traffic to be sent.

Saving the credentials in the device's configuration file, however, could create a security risk, because anyone who has access to the device configuration can obtain this information. An alternative method for Xauth authentication is to manually enter the username and password each time Xauth is requested. Security Manager enables you to do this interactively in a web browser window or from the command line interface. Using web-based interaction, a login page is returned, in which you can enter the credentials to authenticate the VPN tunnel. After the VPN tunnel comes up, all users behind this remote site can access the corporate LAN without being prompted again for the username and password. Alternatively, you can choose to bypass the VPN tunnel and connect only to the Internet, in which case a password is not required.

Easy VPN Tunnel Activation

If the device credentials (Xauth username and password) are stored on the device itself, you must select a tunnel activation method. Two options are available:

Auto—The Easy VPN tunnel is established automatically when the Easy VPN configuration is delivered to the device configuration file. If the tunnel times out or fails, the tunnel automatically reconnects and retries indefinitely. This is the default option.

Traffic Triggered Activation—The Easy VPN tunnel is established whenever outbound local (LAN side) traffic is detected. Traffic Triggered Activation is recommended for use with the Easy VPN dial backup configuration so that backup is activated only when there is traffic to send across the tunnel. When using this option, you must specify the Access Control List (ACL) that defines the "interesting" traffic.


Note Manual tunnel activation is configured implicitly if you select to configure the Xauth password interactively. In this case, the device waits for a command before attempting to establish the Easy VPN remote connection. When the tunnel times out or fails, subsequent connections will also have to wait for the command.


This procedure describes how to configure the client connection characteristics for Easy VPN.

Related Topics

Important Notes About Easy VPN Configuration

Understanding Easy VPN

Client Connection Characteristics Page


Step 1 Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site VPN Manager window opens.

Step 2 In the VPNs selector, select the Easy VPN topology you want to modify.

Step 3 Select Client Connection Characteristics in the Policies selector. The Client Connection Characteristics page opens. For a description of the elements on this page, see Table 24-3.

Step 4 Select Client, Network Extension, or Network Extension Plus from the Mode list.


Note Network Extension Plus mode can be configured only on IOS routers.


Step 5 Select Device Stored Credentials or Interactive Entered Credentials depending on how you want to enter the Xauth credentials for user authentication when you establish a VPN connection with the server.

Step 6 If you selected Device Stored Credentials, select the Xauth credentials.

Step 7 If the device is an IOS router, and if you selected Interactive Entered Credentials for the Xauth credentials source, select Web Browser or Router Console depending on how you want to enter the Xauth credentials interactively.

Step 8 If the device is an IOS router, and if you selected Device Stored Credentials for the Xauth password source, select the Auto or Traffic Triggered Activation tunnel activation method.

Step 9 If you selected the Traffic Triggered Activation option for Tunnel Activation, specify the Access Control List (ACL) that defines the "interesting" traffic.
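The three choices the procedure above sets (mode, Xauth credentials source, tunnel activation and its ACL) end up as sub-commands of the `crypto ipsec client ezvpn` block on an IOS client. The following audit script is an added example, not part of this guide or of Security Manager: it reads a constructed running-config excerpt, reports those settings per profile, and flags the two conditions the text warns about, namely Xauth credentials stored in the configuration file (readable by anyone with configuration access) and a `connect acl` that names an ACL the configuration does not define. The command keywords (`mode`, `connect`, `username ... password`, `xauth userid mode`) are standard IOS Easy VPN Remote syntax; the sample config, profile names, and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
ip access-list extended EZVPN_INTERESTING
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
!
crypto ipsec client ezvpn BRANCH1
 connect acl EZVPN_INTERESTING
 mode network-plus
 peer 203.0.113.1
 username branch1 password 0 s3cret
!
crypto ipsec client ezvpn BRANCH2
 connect auto
 mode client
 peer 203.0.113.1
 xauth userid mode interactive
!
crypto ipsec client ezvpn BRANCH3
 connect acl MISSING_ACL
 mode network-extension
 peer 203.0.113.1
 xauth userid mode http-intercept
!
interface FastEthernet0/0
 crypto ipsec client ezvpn BRANCH1
"""

# Global-mode block header (the interface-mode form is indented and ignored).
BLOCK_RE = re.compile(r"^crypto ipsec client ezvpn (\S+)\s*$")
# Named or numbered ACL definitions, used to validate 'connect acl <name>'.
ACL_RE = re.compile(r"^(?:ip access-list (?:standard|extended)|access-list) (\S+)")


@dataclass
class EzvpnProfile:
    """Settings of one 'crypto ipsec client ezvpn' block, IOS defaults pre-filled."""
    name: str
    mode: str = "client"                     # IOS default when 'mode' is omitted
    connect: str = "auto"                    # IOS default when 'connect' is omitted
    acl: Optional[str] = None                # ACL named by 'connect acl'
    stored_username: Optional[str] = None    # set by 'username <u> password ...'
    xauth_userid_mode: Optional[str] = None  # set by 'xauth userid mode ...'

    @property
    def credentials_source(self) -> str:
        if self.stored_username is not None:
            return "device-stored"
        if self.xauth_userid_mode in ("interactive", "http-intercept"):
            return "interactive"
        return "unknown"

    @property
    def activation(self) -> str:
        # As the chapter states, interactive Xauth implies manual activation;
        # otherwise 'connect acl' is traffic-triggered and 'connect auto' is auto.
        if self.credentials_source == "interactive":
            return "manual"
        return "traffic-triggered" if self.connect == "acl" else self.connect


def parse_config(text: str) -> Tuple[List[EzvpnProfile], Set[str]]:
    """Collect ezvpn client profiles and the set of ACL names defined in the config."""
    profiles: List[EzvpnProfile] = []
    acls: Set[str] = set()
    current: Optional[EzvpnProfile] = None
    for raw in text.splitlines():
        if not raw.startswith(" "):          # top-level line ends any open block
            current = None
            m = BLOCK_RE.match(raw)
            if m:
                current = EzvpnProfile(name=m.group(1))
                profiles.append(current)
            elif (m := ACL_RE.match(raw)):
                acls.add(m.group(1))
            continue
        if current is None:
            continue
        words = raw.split()
        if words[0] == "mode" and len(words) >= 2:
            current.mode = words[1]
        elif words[0] == "connect" and len(words) >= 2:
            current.connect = words[1]
            if words[1] == "acl" and len(words) >= 3:
                current.acl = words[2]
        elif words[0] == "username" and len(words) >= 2:
            current.stored_username = words[1]
        elif words[:3] == ["xauth", "userid", "mode"] and len(words) >= 4:
            current.xauth_userid_mode = words[3]
    return profiles, acls


def audit(text: str) -> List[str]:
    """Return one finding per risky or inconsistent Easy VPN client setting."""
    findings: List[str] = []
    profiles, acls = parse_config(text)
    for p in profiles:
        if p.credentials_source == "device-stored":
            findings.append(f"{p.name}: Xauth username '{p.stored_username}' and its "
                            "password are stored in the configuration file")
        if p.connect == "acl" and (p.acl is None or p.acl not in acls):
            findings.append(f"{p.name}: interesting-traffic ACL '{p.acl}' is not defined")
    return findings


if __name__ == "__main__":
    for prof in parse_config(SAMPLE_CONFIG)[0]:
        print(f"{prof.name}: mode={prof.mode} credentials={prof.credentials_source} "
              f"activation={prof.activation}")
    for line in audit(SAMPLE_CONFIG):
        print("FINDING", line)
```

Running the script on the sample prints one summary line per profile and two findings: BRANCH1 keeps a stored Xauth username and password, and BRANCH3 triggers on an ACL that is never defined (so no traffic would ever match and bring the tunnel up). Point it at a saved `show running-config` to review the same three settings across deployed Easy VPN clients.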


Client Connection Characteristics Page

Use the Client Connection Characteristics page to specify how traffic will be routed in the VPN and how the VPN tunnel will be established. You configure these characteristics on a remote client, which can be a PIX Firewall, a Cisco 800-3900 Series router, or an ASA 5505 running OS version 7.2(1) or later.

Navigation Path

(Site-to-Site VPN Manager Window, page 21-17) Select an Easy VPN topology in the VPNs selector, then select Client Connection Characteristics in the Policies selector.

(Policy view) Select Site-to-Site VPN > Client Connection Characteristics and create a new policy or edit an existing policy.

Related Topics

Understanding Easy VPN

Configuring Client Connection Characteristics for Easy VPN

Creating Access Control List Objects, page 6-40

Field Reference

Table 24-3 Easy VPN Client Connection Characteristics Page 

Element
Description

Mode

Select the required configuration mode for your remote device, as follows:

Client—Specifies that all traffic from the remote client's inside network will undergo Port Address Translation (PAT) to a single IP address that the head end server assigned to the device at connect time.

Network Extension—Specifies that PCs and other hosts at the client end of the VPN tunnel should be given IP addresses that are fully routable and reachable by the destination network. PAT is not used, allowing the client PCs and hosts to have direct access to the PCs and hosts at the destination network.

Network Extension Plus—An enhancement to Network Extension mode that enables an IP address that is received via mode configuration to be automatically assigned to an available loopback interface. The IPsec SAs for this IP address are automatically created by the Easy VPN client. The IP address is typically used for troubleshooting (using ping, Telnet, and Secure Shell).

Note Network Extension Plus mode can be configured only on IOS routers. If the selected client device is a PIX 6.3 or ASA 5505 running OS version 7.2(1), Network Extension mode will be configured.

For more information, see Configuring Client Connection Characteristics for Easy VPN.

Xauth Credentials Source

Select how you want to enter the Xauth credentials for user authentication when you establish a VPN connection with the server, as follows:

Device Stored Credentials (default)—The username and password are saved on the device itself in the device's configuration file to be used each time the tunnel is established.

Interactive Entered Credentials—Enables you to manually enter the username and password each time Xauth is requested, in a web browser window or from the command line interface.

For more information, see Configuring Client Connection Characteristics for Easy VPN.

Xauth Credentials

Available only if you selected Device Stored Credentials as the Xauth Credentials Source.

The credentials policy object that defines the default Xauth credentials. Enter the name of the object or click Select to select it from a list or to create a new object. For more information, see Credentials Dialog Box, page 28-23.

Note If you want to configure different Xauth credentials on your remote client, you must configure the credentials policy object to allow overrides (select Allow Value Override per Device in the object definition).

User Authentication Method (IOS)

Available only if the remote device is an IOS router, and if you selected the Interactive Entered Credentials option for the Xauth credentials source.

Select one of these ways to enter the Xauth username and password interactively each time Xauth authentication is requested:

Web Browser (default)—Manually in a web browser window (http page).

Router Console—Manually from the command line interface (CLI).

Tunnel Activation (IOS)

If the remote device is an IOS router, and if you selected the Device Stored Credentials option for the Xauth password source, you must select a tunnel activation method, as follows:

Auto (default)—The Easy VPN tunnel is established automatically when the Easy VPN configuration is delivered to the device configuration file. If the tunnel times out or fails, the tunnel automatically reconnects and retries indefinitely.

Traffic Triggered Activation—The Easy VPN tunnel is established whenever outbound local (LAN side) traffic is detected. When using this option, you must specify the Access Control List (ACL) that defines the "interesting" traffic.

Traffic Triggered Activation is recommended for use when Easy VPN dial backup is configured so that backup is activated only when there is traffic to send across the tunnel.

Note Manual tunnel activation is configured implicitly when you select to configure the Xauth password interactively.

ACL (IOS)

If you selected the Traffic Triggered Activation option for Tunnel Activation, you must configure an ACL-triggered tunnel by specifying the Access Control List (ACL) that defines the "interesting" traffic.

Click Select to open the Access Control Lists Selector from which you can select the required ACL, or create or edit an ACL object.