Updated: December 24, 2015
This document describes how to set up an Easy VPN tunnel between a Cisco Adaptive Security Appliance (ASA) and a router that runs Cisco IOS® software, using IKE main mode with self-signed certificates.
The sample router-to-router Easy VPN configuration assumes that both the Cisco Easy VPN Server and the Cisco Easy VPN Client have static IP addresses.
Cisco recommends that you have knowledge of these topics:
Internet Key Exchange (IKE)
Certificates and Public Key Infrastructure (PKI)
The information in this document is based on these software and hardware versions:
Cisco ASA 5510 Adaptive Security Appliance that runs software version 8.4(7)
Cisco 2821 Series Integrated Services Router (ISR) that runs Cisco IOS software version 15.2(4)M2
This document can also be used with these hardware and software versions:
Cisco ASA that runs software version 8.4 or later
Cisco ISR Generation router that runs Cisco IOS software version 15.0 or later
This document covers Easy VPN (EzVPN) in IKE main mode, which is not supported with pre-shared keys. Main mode with certificate authentication can be used instead, which avoids the weaknesses associated with aggressive mode and pre-shared keys (CVE-2002-1623).
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Certificate authentication requires that the clocks on all participating devices be synchronized to a common source. While the clock can be set manually on each device, this is not very accurate and can be cumbersome. The easiest method to synchronize the clocks on all devices is to use NTP. NTP synchronizes timekeeping among a set of distributed time servers and clients. This synchronization allows events to be correlated when system logs are created and when other time-specific events occur. For more information on how to configure NTP, refer to Network Time Protocol: Best Practices White Paper.
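As an added example (not part of the original document), the following fragment shows authenticated NTP on both peers, since certificate validity is checked against each device's local clock and enrollment should only be done once both clocks are synchronized. The NTP server address 192.0.2.10, the key string and the interface names are assumed placeholder values; substitute your own.

```cisco
! Added example: authenticated NTP on the Easy VPN client (IOS) and server (ASA).
! 192.0.2.10, the key string and the interface names are placeholders.

! --- Cisco IOS router (Easy VPN client) ---
clock timezone UTC 0
ntp authentication-key 1 md5 NTP-KEY-PLACEHOLDER
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.10 key 1
! Optional on platforms with a hardware calendar: copy NTP time to it so the
! clock survives a reload before NTP re-synchronizes.
ntp update-calendar

! --- Cisco ASA (Easy VPN server) ---
clock timezone UTC 0
ntp authentication-key 1 md5 NTP-KEY-PLACEHOLDER
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.10 key 1 source outside

! Verify on both platforms before you generate keys or enroll certificates:
!   show ntp status         -> expect "Clock is synchronized"
!   show ntp associations   -> the selected peer is marked with "*"
!   show clock detail       -> time source reported as NTP
```

Using `ntp authenticate` with a trusted key means the device rejects time from any source that cannot produce a valid MAC with the shared key, so an attacker cannot push the clock outside the certificates' validity window and break IKE authentication. Check `show ntp status` before enrollment; a certificate issued while the clock is wrong will have an incorrect validity period even after NTP later corrects the time.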