Cisco Easy VPN Q&A [Cisco IOS Easy VPN]

General Overview

Q. What is Cisco® Easy VPN?

A. Cisco Easy VPN is an IP Security (IPsec) virtual private network (VPN) solution supported by Cisco routers and security appliances. It greatly simplifies VPN deployment for remote offices and mobile workers. Cisco Easy VPN is based on the Cisco Unity® Client Framework, which centralizes VPN management across all Cisco VPN devices, thus reducing the management complexity of VPN deployments. There are three components of the Cisco Easy VPN solution: Easy VPN Client, Easy VPN Remote, and Easy VPN Server.

Q. What is Cisco Easy VPN Client?

A. The Cisco Easy VPN Client enables mobile workers to create a remote-access VPN connection to a Cisco Easy VPN Server. Cisco Easy VPN Client refers to the Cisco VPN Client, which is also commonly referred to as the Cisco Software VPN Client. For more information, please visit http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html.

Q. What is Cisco Easy VPN Remote?

A. The Cisco Easy VPN Remote enables Cisco routers and security appliances to establish a site-to-site VPN connection to a Cisco Easy VPN Server without complex remote-side configuration. Cisco Easy VPN Remote is also commonly referred to as a hardware client. For more information, please visit http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftezvpnr.html.

Q. What is Cisco Easy VPN Server?

A. The Cisco Easy VPN Server accepts connections from Cisco Easy VPN Client and Remote, ensures that those connections have up-to-date policies in place before the connections are established. All Cisco Easy VPN Servers are interoperable with all Cisco Easy VPN Client and Remote. For more information, please visit http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a008055c37a.html.

Q. How does the Cisco Easy VPN solution reduce the management complexity in deploying IPsec VPNs?

A. The Cisco Easy VPN solution uses the Mode-Configuration (Mode-Config) mechanism within the Internet Key Exchange (IKE) to push policy (attributes) from the Easy VPN Server to the Easy VPN Client or Remote. Since this policy is pushed to the client or the remote every time a new tunnel is created, it makes it easier to propagate new policy changes. Mode-Config also enables the Client or the Remote to have minimal configuration in order to establish the tunnel.

Q. What types of attributes can be pushed to the Cisco Easy VPN Client or Remote through Mode-Config?

A. The attributes that can be pushed down through Mode-Config include: internal IP address, internal subnet mask, Domain Name Server (DNS) addresses, Windows Internet Name Service (WINS) addresses, backup server list, domain name, client firewall policy, Cisco IOS® Software configuration, login banner, and Split Tunneling Include List. For a complete list of Cisco Easy VPN attributes, refer to the appendix.

Q. Who can benefit from a Cisco Easy VPN solution?

A. Customers that need to deploy and manage large-scale site-to-site and remote-access VPNs should consider a Cisco Easy VPN solution because of its simplification of VPN management and configuration. Cisco Easy VPN supports quality of service (QoS) and multicast, but if there is a requirement to support dynamic routing protocols or direct spoke-to-spoke communications, Cisco recommends Dynamic Multipoint VPN (DMVPN) as the preferred site-to-site VPN solution. For more information on DMVPN, please visit http://www.cisco.com/go/dmvpn.

Q. What is Cisco Enhanced Easy VPN?

A. Cisco Enhanced Easy VPN is a new method for configuring Easy VPN using Dynamic Virtual Tunnel Interface (DVTI) instead of a crypto map, which is used by traditional Easy VPN. DVTI can be used on both the Easy VPN Server and Easy VPN Remote routers. DVTI relies on the virtual tunnel interface to create a virtual access interface for every new Easy VPN tunnel. The configuration of the virtual access interface is cloned from a virtual template configuration. The cloned configuration includes the IPsec configuration and any Cisco IOS Software feature configured on the virtual template interface, such as QoS, Network Address Translation (NAT), Context-Based Access Control (CBAC) firewall, NetFlow, or access control lists (ACLs).

Q. What benefits does DVTI bring to the Cisco Easy VPN solution?

A. Benefits are listed in Table 1.

Table 1. Benefits of DVTI

DVTI Features	Customer Benefits
Simplified VPN Configuration
• Eliminates crypto maps, crypto ACLs, and generic routing encapsulation (GRE) • Requires minimal router configuration	• Ease of management • Allows rapid deployment of VPNs
Supports per-Session Features
• Per-user attributes such as QoS	• Empowers the administrator to set proactive policies in delivering the desired application performance, which results in increased user satisfaction and productivity
Integrated with Cisco Easy VPN Solution
• Hardware client has a separate interface context; tunnel-specific features can be applied • Cisco Easy VPN Server has DVTI; tunnel-specific features can be applied	• Integration of features and investment protection results in lower TCO • Flexibility to customize configuration and security based on site-specific needs
Virtual routing and Forwarding (VRF) Configured on the Interface
• Multiple VRFs can be terminated in multiple interfaces	• Simplifies large-scale service provider and enterprise Multiprotocol Label Switching (MPLS) deployments

For more information on DVTI, please visit http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hipsctm.html.

Q. How does Cisco Enhanced Easy VPN improve scalability?

A. Based on DVTIs, Cisco Enhanced Easy VPN improves scaling by providing a single Security Association (SA) per remote site. This improves the overall scalability of deploying split tunneling and multiple routed subnet features under Cisco Easy VPN. Depending on the extent that these features were configured under Easy VPN based on crypto maps, the penalty on the available IPsec SA pool could be severe. This penalty is removed with Easy VPN based on DVTI, and platform tunnel limits are no longer reduced when customers deploy split tunneling and/or multiple routed subnet features.

Q. Is QoS supported with Cisco Enhanced Easy VPN?

A. Cisco Enhanced Easy VPN supports QoS per tunnel since 12.4(11)T2. QoS per tunnel can be turned on at the server and/or remote. At the Server, there are performance issues when enabling shaping or queuing with a large number of VTI tunnels (up to 100). Performance improvement is available since 12.4(15)T3. Other QoS policies, such as policing or marking, can be easily supported on both hub and spoke. Weighted Random Early Detection (WRED) is not supported.

Q. What is VRF-Aware IPsec? Does Cisco Easy VPN support this?

A. The VRF-Aware IPsec feature introduces IPsec tunnel mapping to MPLS VPNs. Using the VRF-Aware IPsec feature, you can map IPsec tunnels to VRF instances using a single public-facing address. VRF-Aware IPsec was introduced to Cisco Easy VPN Server in Cisco IOS Software Release 12.2(15)T. Note: VRF is supported only on the server, not the remote. For generic VRF-Aware IPsec configuration information, please visit http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_chapter09186a0080455b65.html.

Q. Can I deploy standard Easy VPN and Enhanced Easy VPN on the same router?

A. Yes, Standard Easy VPN and Enhanced Easy VPN can coexist on the same router.

Availability

Q. Which Cisco products support Cisco Easy VPN Remote?

A. Cisco Easy VPN Remote is available on Cisco 800, 1800, and 2800 Series Integrated Service Routers; Cisco ASA 5505 Adaptive Security Appliances, Cisco PIX® 500 Series Security Appliances, and Cisco VPN 3002 Hardware Clients.

Q. Which Cisco products support Cisco Easy VPN Server?

A. Cisco Easy VPN Server is available on numerous Cisco IOS Software-based routers, including Cisco 1800, 2600, 2800, 3600, 3700, 3800, 7100, 7200 Series Routers and Cisco 7301 Router. It is also available on Cisco VPN 3000 Series Concentrators; all Cisco PIX Security Appliances; and Cisco ASA 5505 Adaptive Security Appliances.

Q. Which Cisco IOS Software release initially supports DVTI? Which Cisco products support DVTI?

A. DVTI is supported on Cisco IOS Software Release 12.4(4)T and higher; on Cisco 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers; and on the Cisco 871 Integrated Services Router. The Cisco 831 and 851 Integrated Services Routers should have at least 64 MB of DRAM to run this image.

Q. Does Cisco Easy VPN Remote support Network Admission Control?

A. Yes. Network Admission Control (NAC) has worked with Cisco Easy VPN since Cisco IOS Software Release 12.3(8)T and with Cisco Enhanced Easy VPN since 12.4(4)T to query the client posture after the IPSec connection has been established. NAC uses Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) to query the Cisco Trust Agent on the PC, and allows a PC to access the network after it has passed the validation. For more information, please visit http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd805092e0.shtml

Q. What is Cisco IOS Secure Multicast?

A. Cisco IOS Secure Multicast is a set of hardware and software features necessary to secure IP Multicast group traffic originating on or flowing through a Cisco IOS device. It combines the Group Domain of Interpretation (GDOI) with hardware-based IPsec encryption to provide users with an efficient way to secure IP Multicast group traffic. With Cisco IOS Secure Multicast, a router can apply encryption to IP Multicast traffic without having to configure tunnels.

Q. Does Cisco Easy VPN support Cisco IOS Secure Multicast?

A. No. Cisco Easy VPN does not support Cisco IOS Secure Multicast.

Q. Does Cisco Easy VPN carry secure multicast traffic?

A. Cisco Enhanced Easy VPN carries secure multicast traffic.

Q. What are the Cisco Easy VPN features in the Cisco IOS Software 12.4T release train?

A. The specific Easy VPN features are as follows:

Table 2. Easy VPN Features

Feature	Description
Easy VPN DVTI	12.4(2)T
Login Banner to Easy VPN Hardware	12.4(2)T
Auto Update for Software Clients	12.4(2)T
Browser Proxy Configuration	12.4(2)T
Auto Configuration Update	12.4(4)T
Dial Backup Reactivate Primary Peer	12.4(4)T
Easy VPN Remote Dual Tunnel Support	12.4(4)T
PKI AAA Integration	12.4(4)T
Easy VPN Password Aging via AAA	12.4(6)T
Easy VPN Firewall Policy Push	12.4(6)T
IPsec over TCP on Easy VPN Server	12.4(9)T
Firewall Traversal	12.4(9)T
NAT Transparency	12.4(9)T
DHCP Client Proxy and Dynamic DNS Registration	12.4(9)T
Split DNS	12.4(9)T
VTI Enhancements-per User Policy Taken from RADIUS	12.4(9)T
TI Manageability-Debug Show Commands	12.4(11)T
One-to-One NAT	12.4(11)T
QoS per tunnel on Enhanced Easy VPN	12.4(11)T
Easy VPN Remote Identical Addressing	12.4(15)T
Reverse Route INJECTION Enhancement	12.4(15)T
cTCP on Eas yVPN Remote	12.4(20)T

Q. What's the feature disparity between standard EasyVPN and Enhanced Easy VPN?

A. Table 3 lists the major feature disparity. For those features that are not listed in the table, they are supported on both.

Table 3. Standard Easy VPN and Enhanced Easy VPN Feature Disparity

Feature	Standard Easy VPN	Enhanced Easy VPN
Stateful Failover	Y	N
VRF-aware IPsec	Y	Y
NAC Integration	Y	Y
Dynamic Routing	N	N
Auto Config Update	Y	Y
Dial Backup - Reactivate Primary Peer	Y	Y
Secure Multicast	N	Y
Qos per Tunnel	N	Y
Remote Dual Tunnel	Y	Y
Remote Identical IP Addressing	N	Y
RRI Distance Metric Enhancement	Y	Y

Q. Where can I get more information about Easy VPN?

A. For more information about Cisco Easy VPN, visit http://www.cisco.com/go/easyvpn or send an e-mail to ask-stg-ios-pm@cisco.com

Positioning

Q. Are there any standard guidelines that customers can use when deciding on a Cisco Easy VPN solution?

A. Yes. Usually, customers meeting the following standards should choose Cisco Easy VPN.

1. A VPN connection from the corporate office to a branch office, extranet, reseller, or partner.

2. Capable of doing QoS and services (firewall/ACL) per tunnel if desired.

3. No non-IP traffic will be flowing.

4. Uses Route Injection to inject routes rather than running a dynamic routing protocol.

5. Able to push configuration changes to Easy VPN hardware clients; this can be done on a per-host level.

Q. When would customers be interested in an alternate Cisco VPN solution?

A. If a customer is interested in multicast and routing protocols, it is recommended to deploy:

• IPsec with GRE

• IPsec with Static VTI

If a customer is interested in multicast, routing, and direct spoke-to-spoke communication, DMVPN is recommended.

If a customer is interested in secure multicast, Dynamic Group VPN (DGVPN) is recommended.

If a customer requires clientless VPN, SSL VPN is recommended.

Q. What are the differences between Enhanced Easy VPN and DMVPN?

A. Please see table 4 for the comparison.

Table 4. Cisco Enhanced Easy VPN and DMVPN Comparison

Service/Feature Name	Enhanced Easy VPN	DMVPN
Scalability per Hub	Large number of spokes can be supported per hub	Depends on routing protocol chosen
Identical Configuration for All Spokes	Yes	No
Cross-Platform Support	Yes	No
Support for Software/Hardware Client	Yes	No software client support
Stateful Failover	No; but available with legacy Easy VPN	Depends on routing protocol for recovery
Always up Tunnel to Hub	Not required	Yes
Support for Multicast Traffic	Yes	Yes
Spoke-to-Spoke Direct Communication	No	Yes
Support for QoS	Yes	Yes
Support for Routing Protocols	No	Yes
Support for Certificates	Yes	Yes

Q. What are the differences between Easy VPN and other Site-to-Site VPN solutions?

A. Please refer to the following table 5 for the comparison.

Table 5. Cisco Site-to-Site VPN Solution Comparison

	Cisco GET-VPN	Cisco DMVPN	Cisco GRE-Based VPN	Cisco Easy VPN	Standard IPsec VPN
	Tunnel-less VPN	Tunnel-based VPN
Customer Benefits	• Simplifies encryption integration on IP and Multiprotocol Label Switching (MPLS) WANs • Simplifies encryption management through use of "group laying" instead of point-to-point key pairs • Enables scalable and manageable any-to-any connectivitiy between sites • Supports quality of services (QoS) multicase and routing	• Simplifies encryption of configuration and management for point-to-point GRE tunnels • Supports QoS, multicast, and routing	• Enable transport of multicast and routing traffic across an IPsec VPN • Support non-IP protocols • Supports QoS	• Simplifies IPsec and remote-site device management through dynamic configuration policy-push • Supports QoS	• Provides encryption between sites • Supports QoS
When to Use	• Add encryption to MPLS or IP WANs while preserving any-to-any connectivity and networking features • Other scalable, full-time meshing for IPsec VPNS • Enables participation of smaller routers in meshed networks • Simplifies encryption key management while supporting routing, QoS, and multicast	• Simplifies configuration for hub-and-spoke VPNs while supporting routing, QoS, and multicast • Provides low-scale, on-demand meshing	• Use when routing must be supported across the VPN • Use for same functions as hub-and-spoke DMVPN, but it requires more detailed configuration	• Use when simplifying overall VPN • Configuration and management is the primary goal but only limited networking features are required • Use to provide simple, unified configuration framework for mix of Cisco VPN products	• Use when multivendor interoperability is required
Product Interoperability	Cisco routers only	Cisco routers only	Cisco routers only	Cisco ASA 5500 Series, Cisco VPN 3000 Series, and Cisco PIX® Firewall	Mutlivendor
Scale	Thousands	Thousands hub and spoke; hundreds partially meshed spoke-to-spoke connections	Thousands	Thousands	Thousands
Provisioning and Management	CLI Cisco Security Manager	Cisco Security Manager and Cisco Router and Security Device Manager	Cisco Security Manager and Cisco Router and Security Device Manager	Configuration automatically pushed to remote sites from headend; headend policies defined in Cisco Security Manager or Cisco Router and Security Device Manager	Cisco Security Manager and Cisco Router and Security Device Manager
Topology	Hub and spoke; any-to-any	Hub and spoke on-demand spoke-to-spoke partial mesh; spoke-to-spoke connections automatically terminated when no traffic present	Hub and spoke; small-scale meshing as manageability allows	Hub and spoke	Hub and spoke; small-scale meshing as manageability allows
Routing	Supported; Cisco GET-VPN any-to-any connectivity capability can also be used to provide secure routing across any entire router backbone	Supported	Supported	Not Supported	Not Supported
QoS	Supported	Supported	Supported	Supported but QoS policy is not dynamically pushed to the remote sites	Supported
Multicast	Natively supported across MPLS and private IP networks, tunneled across Internet-based WANs	Tunneled	Tunneled	Not Supported	Not Supported
Non-IP Protocols	Not Supported	Not Supported	Supported	Not Supported	Not Supported
Private IP Addressing	Requires use of GRE or DMVPN with Cisco GET-VPN to support private addresses across public Internet backbones	Supported	Supported	Supported	Supported
High Availability	Routing	Routing	Routing	Stateless failover	Stateless failover

Operation

Q. What operation modes does Cisco Easy VPN Remote support?

A. The Cisco Easy VPN Remote feature supports three modes of operation: Client, Network Extension, and Network Extension Plus.

• Client mode-Specifies that Network or Port Address Translation (NAT or PAT) be done so that the PCs and other hosts at the remote end of the VPN tunnel form a private network that does not use any IP addresses in the IP address space of the destination server. The server pushes down an IP address to the Easy VPN Client, and all traffic from the client will be internally translated to this address before being encrypted to the Cisco Easy VPN Server.

• Network Extension mode-Specifies that the PCs and other hosts at the client end of the VPN tunnel should be given IP addresses that are fully routable and reachable by the destination network over the tunneled network so that they form one logical network.

• Network Extension Plus mode-Identical to Network Extension mode with the additional capability of being able to request an IP address through Mode-Config and automatically assign it to an available loopback interface. This can typically be used for management purposes.

Q. How does load balancing work for Cisco Easy VPN Server?

A. Currently, the Cisco Easy VPN Server does not support load balancing. The load balancing of Easy VPN connections is done by inserting an external load balancer, such as the Content Services Module on the Cisco Catalyst® 6500 Series, or using the Cisco IOS Software server load balancing feature on the Cisco 7200 or 6500 Series, in front of Cisco Easy VPN Servers. For more information, please visit http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8045b552.shtml

Q. Is NAT transparency supported by Cisco Easy VPN Remote?

A. Yes. Cisco Easy VPN Remote supports NAT transparency under UDP port 4500 (RFC 3947). It is also called Cisco IOS/IPsec NAT traversal, and addresses the issue of known incompatibilities between IPsec and NAT. Cisco does not support the proprietary VPN 3000 Series-only method for NAT transparency.

Q. What is the IPsec Stateful Failover (HA) feature? Does Cisco Easy VPN support high availability?

A. IPsec Stateful Failover (HA) is a way of increasing IPsec VPN network uptime through redundancy. This feature was brought to Easy VPN in the Cisco IOS Software 12.3T release train, and enables the sharing of IPsec state information that cannot be reconstructed, on a standby device. However, IPsec Stateful Failover is not yet available with Cisco Enhanced Easy VPN.

Q. How many IPsec tunnels does Cisco Easy VPN Server support?

A. Cisco Easy VPN Server supports as many tunnels as are supported by the platform on which it is running. Table 6 shows some typical numbers tested with VPN and minimum other functions enabled.

Table 6. IPsec Tunnels Supported by Cisco Easy VPN Server

Cisco Router Platform	Maximum Number of IPsec Tunnels Supported
800 Series	20
1800 Series	Fixed Platform: 50; Modular Platform: 800
2800 Series	1500
3800 Series (using the AIM2)	3825: 2000; 3845: 2500
6500 Series	8000
7200 Series (using the VAM2+)	5000 per chassis
7301	5000

For more information, please send e-mail to: ask-stg-ios-pm@cisco.com.

Q. How many concurrent VPN tunnels does Cisco Easy VPN Remote support?

A. If using a virtual interface, Cisco Easy VPN Remote can support as many concurrent tunnels as are supported by the platform resource on which it is running. Cisco recommends using at most two tunnels, but Cisco Easy VPN Remote can support more.

Q. Which Cisco VPN clients does Cisco Easy VPN Server support?

A. Cisco Easy VPN Server supports Cisco Easy VPN Remote clients, Cisco VPN (software) Clients, Cisco ASA 5505 Adaptive Security Appliances, Cisco PIX 501 and PIX 506E Security Appliances, and Cisco VPN 3002 Hardware Clients.

Hierarchical Navigation

Cisco IOS Easy VPN

Cisco Easy VPN Q&A

Downloads