© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod3_L7 Network Security 2 Module 6 – Configure Remote Access VPN

Dec 24, 2015

Lesson 6.1 An Introduction to Cisco Easy VPN


Module Introduction

Virtual private networks (VPNs) use advanced encryption techniques and tunneling to permit organisations to establish secure, end-to-end, private network connections over third-party networks such as the Internet.

Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX Security Appliances and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to create VPN solutions that meet the security requirements of any organisation.

This module explains fundamental terms associated with VPNs, including the IP Security (IPsec) protocol and Internet Key Exchange (IKE). It then details how to configure various types of VPN using the methods currently available.


Cisco Easy VPN

Cisco Easy VPN eliminates tedious configuration work by implementing the Cisco Unity Client protocol, which lets administrators define most VPN parameters once, at a Cisco IOS Easy VPN Server, rather than on every remote device.

Cisco Easy VPN Remote allows devices to act as remote VPN clients

– Routers running IOS Release 12.2(4)YA (or later)

– PIX firewalls

– Cisco hardware clients

The Cisco Easy VPN Server can be any of these devices that support the Cisco Unity Client protocol:

– VPN 3000 Concentrator

– PIX Firewall

– IOS router


Cisco Easy VPN

Cisco Easy VPN simplifies deployment.

When the Easy VPN Remote initiates the VPN tunnel connection, the Cisco Easy VPN Server pushes the IPsec policies to the Cisco Easy VPN Remote client and creates the corresponding VPN tunnel connection.

Cisco Easy VPN Remote provides for automatic management of:

– The negotiation of tunnel parameters

– Establishment of tunnels

– Creation of NAT or PAT translations and ACLs as needed

– Authentication of users by usernames, group names, and passwords

– Security keys for encryption and decryption

– Authenticating, encrypting, and decrypting data through the tunnel


Easy VPN Components

Cisco Easy VPN Server

The Cisco Easy VPN Server pushes security policies that are defined at the headend to the remote VPN device.

A Cisco Easy VPN Server-enabled device can also terminate IPsec tunnels that are initiated by mobile remote workers running VPN Client software on PCs.


Easy VPN Components

Cisco Easy VPN Remote

These devices can receive security policies from a Cisco Easy VPN Server, minimizing VPN configuration requirements at the remote location.

This cost-effective solution is ideal for remote offices with little IT support.


Requirements and Restrictions for Cisco Easy VPN Server


Limitations

DH Group

The Cisco Unity Client protocol supports only ISAKMP policies that use DH Group 2 (1024-bit).

Transform Sets Supported

The Cisco Unity Client protocol does not support Authentication Header (AH) authentication but does support Encapsulating Security Payload (ESP).


Easy VPN Server and Easy VPN Remote Operation

Step 1: The VPN client initiates the IKE Phase 1 process

Step 2: The VPN client establishes an SA

Step 3: The Easy VPN Server accepts the SA proposal

Step 4: The Easy VPN Server initiates a username and password challenge

Step 5: The mode configuration process is initiated

Step 6: The RRI process is initiated

Step 7: IPsec quick mode completes the connection


Step 1: The VPN Client Initiates the IKE Phase 1 Process


Step 2: The VPN Client Establishes an ISAKMP SA

The VPN client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server.

To reduce manual configuration on the VPN client, these ISAKMP proposals include several combinations of the following:

– Encryption and hash algorithms

– Authentication methods

– Diffie-Hellman group sizes


Step 3: The Cisco Easy VPN Server Accepts the SA Proposal

The Easy VPN Server searches for a match:

– The first proposal to match the server list is accepted (highest-priority match).

– The ISAKMP SA is successfully established.

– Device authentication ends and user authentication begins.


Step 4: The Cisco Easy VPN Server Initiates a Username and Password Challenge

If the Easy VPN Server is configured for Xauth, the VPN client waits for a username and password challenge:

The username and password information is checked against authentication entities using AAA.


Step 5: The Mode Configuration Process Is Initiated

If the Easy VPN Server indicates successful authentication, the VPN client requests the remaining configuration parameters from the Easy VPN Server:

– Mode configuration starts.

– The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN client.

– The IP address is the only required parameter in a group profile; all other parameters are optional.


Step 6: The RRI Process Is Initiated

Reverse Route Injection (RRI) ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each VPN client.

RRI is used:

• when per-user IP addresses are used

• when more than one Easy VPN Server is used

Redistributing static routes into an IGP allows the server site routers to find the appropriate Easy VPN Server to use for return traffic to clients.


Step 7: IPsec Quick Mode Completes the Connection

After the configuration parameters have been successfully received by the VPN client, IPsec quick mode is initiated to negotiate IPsec SA establishment.

After IPsec SA establishment, the VPN connection is complete.
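The seven-step exchange above, as an added example that is not part of the Cisco lesson: a small Python model of Step 3 (the server accepts the first ISAKMP proposal that matches its prioritised policy list) together with the two Unity-client limitations stated earlier (DH Group 2 only; ESP, never AH). The policy and proposal values are constructed sample data, and the priority numbering mirrors the "crypto isakmp policy <n>" convention where a lower number wins.

```python
# Added example, not from the Cisco slides: models how an Easy VPN Server picks
# the first ISAKMP proposal that matches its prioritised policy list (Step 3)
# and the Unity-client limits (DH Group 2 only, ESP only). Sample data constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpProposal:
    """One IKE Phase 1 proposal: the four attributes the client offers."""
    encryption: str   # e.g. "aes-128", "3des"
    hash_alg: str     # e.g. "sha", "md5"
    auth: str         # e.g. "pre-share", "rsa-sig"
    dh_group: int     # Diffie-Hellman group number


# Server policies in priority order (lower number = higher priority), as with
# "crypto isakmp policy <n>" on IOS. Constructed sample values.
SERVER_POLICIES: List[Tuple[int, IsakmpProposal]] = [
    (10, IsakmpProposal("aes-256", "sha", "rsa-sig", 5)),
    (20, IsakmpProposal("aes-128", "sha", "pre-share", 2)),
    (30, IsakmpProposal("3des", "md5", "pre-share", 2)),
]

# Step 2: the Easy VPN Remote offers several combinations at once; a Unity
# client only ever offers DH Group 2. Constructed sample values.
CLIENT_PROPOSALS: List[IsakmpProposal] = [
    IsakmpProposal("3des", "sha", "pre-share", 2),
    IsakmpProposal("aes-128", "sha", "pre-share", 2),
    IsakmpProposal("3des", "md5", "pre-share", 2),
]


def select_policy(client_proposals: List[IsakmpProposal],
                  server_policies: List[Tuple[int, IsakmpProposal]]
                  ) -> Optional[Tuple[int, IsakmpProposal]]:
    """Step 3: walk the server list from highest priority (lowest number) down
    and return (priority, policy) for the first policy the client also offered.
    The client's own ordering is irrelevant; None means Phase 1 fails."""
    offered = set(client_proposals)
    for priority, policy in sorted(server_policies, key=lambda p: p[0]):
        if policy in offered:
            return priority, policy
    return None


def unity_compatible(policy: IsakmpProposal) -> bool:
    """A Unity client can only use an ISAKMP policy with DH Group 2 (1024-bit)."""
    return policy.dh_group == 2


def transform_set_supported(transforms: List[str]) -> bool:
    """Phase 2 check: the Unity client needs ESP and rejects any AH transform."""
    return bool(transforms) and all(t.startswith("esp-") for t in transforms)
```

Note that the client's first offer (3DES/SHA) matches nothing on the server, so the accepted policy is the server's highest-priority policy that appears anywhere in the client's list, not the client's first choice.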
