The Cisco Easy VPN Server feature allows a growing number of Cisco IOS routers, PIX Firewalls, and Cisco VPN 3000 Concentrators to act as VPN head-end devices in site-to-site or remote-access VPNs. These head-end devices terminate the VPN connections and also serve as the configuration source for the Cisco Easy VPN Remote sites. The Cisco Easy VPN Server is available on numerous Cisco VPN routers, including the Cisco UBR900, 1700, 2600, 3600, 7100, 7200, and 7500 series routers running Cisco IOS Release 12.2(8)T, on Cisco PIX Firewalls, and on all Cisco VPN 3000 Concentrators. Check the Cisco online documentation for newly supported platforms, because platforms have been added with each new release.
Basic feature configuration and security policies defined on the head-end device are pushed to the remote VPN site before the IPSec tunnel is established. This ensures that those connections have current configurations and policies in place. In the case of the VPN 3002 Hardware Client, firmware updates can also be managed through the same mechanism.
Cisco Easy VPN Server-enabled devices can provide VPN tunnel termination for mobile remote workers running Cisco VPN client software, allowing them to access the headquarters’ intranet.
Some of the benefits of the Cisco Easy VPN Server implementation for rolling out remote VPN connections include the following:
Centrally stored configurations allow dynamic configuration of end-user VPN connections and require less manual configuration by end users and field technicians, reducing errors and additional service calls.
VPN security policy management can be centralized.
Supports large-scale, rapid deployments with minimal remote user provisioning.
When used with a remote VPN device, such as a router, firewall, or VPN hardware client, it eliminates the need for VPN client software or VPN devices on the end-user machines behind it.
In general terms, an Easy VPN Remote device or a Cisco VPN Software Client (version 3.x/4.x) initiates a connection to a Cisco router configured as an Easy VPN Server. Connection establishment includes device authentication via IKE, user authentication via IKE Extended Authentication (Xauth), the push of VPN policies down to the client, and finally the establishment of the IPSec SA.
The following is a more detailed look at the client/server session establishment.
The client initiates the IKE Phase One exchange. If a preshared key is used for authentication, the exchange is initiated in IKE Aggressive mode; the group name entered when the client was configured is sent as the IKE identity in the first message and is used by the server to select the group profile. If digital certificates are used, the exchange uses IKE Main mode, and the Organizational Unit (OU) field of the certificate's distinguished name identifies the appropriate group profile.
The client attempts to negotiate an IKE SA with the Easy VPN Server. To reduce client configuration, no IKE policies are defined on the client; instead, the client proposes all supported combinations of encryption and hash algorithms for authentication, plus the supported Diffie-Hellman (DH) group sizes. The Easy VPN Server accepts the first proposal received that matches its configured policies. Assuming a policy match is achieved, device authentication is completed and user authentication can begin.
If the Easy VPN Server is configured for Xauth, the server issues a username/password challenge to the client. The credentials are verified against an AAA server using a supported protocol such as TACACS+ or RADIUS, or against one-time password token cards through an AAA proxy. This step is particularly important when the peer is a remote software client or a remote device configured in client mode, because device authentication alone only proves possession of the group credential, not the identity of the user.
The system parameters are then pushed from the server to the client using IKE Mode Configuration. These parameters always include an IP address and can optionally include DNS address(es), a domain name, WINS address(es), a local NAT pool name, an access list, split-tunnel attributes, and so forth. The access list defines the traffic to be protected through the VPN tunnel.
The Easy VPN Server can use reverse route injection (RRI) to create static routes for the remote peers and redistribute them into dynamic routing protocols so that surrounding devices learn how to reach the remote networks. With dynamic crypto maps, a static route is created for each subnet or host protected by the remote peer when the peer establishes its IPSec security association. With static crypto maps, a static route is created for each destination defined by an extended access-list rule.
Once all parameters have been transferred to the client, IKE Phase Two (Quick mode) is used to negotiate the IPSec SAs and complete the connection.
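The following is an added example, not configuration from the original text, of a minimal Cisco IOS Easy VPN Server configuration that ties the six steps above together: a preshared-key group profile selected by the group name, Xauth against RADIUS with a local fallback, the parameters pushed to the client, a split-tunnel access list, and RRI on a dynamic crypto map. All names, addresses, and keys (REMOTE-WORKERS, EZVPN-POOL, 10.1.1.0/24, the RADIUS and group keys, the local user) are placeholders chosen for illustration.

```text
! AAA: Xauth user authentication (step 3) and group authorization.
! The RADIUS server, its key and the local fallback user are placeholders.
aaa new-model
aaa authentication login EZVPN-XAUTH group radius local
aaa authorization network EZVPN-GROUP local
radius-server host 10.1.1.5 key RADIUS-SHARED-SECRET-PLACEHOLDER
username labuser secret LocalFallbackPassword-PLACEHOLDER

! IKE Phase One policy (step 2). The client proposes all of its supported
! combinations; the server accepts the first one that matches a policy here.
! DH group 2 is required for the Cisco VPN Client.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2

! Group profile (step 1): selected by the group name the client sends as its
! IKE identity. The sub-commands are the parameters pushed with Mode
! Configuration (step 4). The group key is a placeholder.
crypto isakmp client configuration group REMOTE-WORKERS
 key GroupPreSharedKey-PLACEHOLDER
 dns 10.1.1.10 10.1.1.11
 wins 10.1.1.12
 domain example.com
 pool EZVPN-POOL
 acl 150
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.254

! Split-tunnel access list: only traffic to the 10.1.1.0/24 intranet is
! protected through the tunnel; everything else leaves the client in clear.
access-list 150 permit ip 10.1.1.0 0.0.0.255 any

! IPSec Phase Two (step 6) on a dynamic crypto map. reverse-route enables
! RRI (step 5): a static route to each client address is created when its
! IPSec SA comes up and removed when the SA goes away.
crypto ipsec transform-set EZVPN-TS esp-aes esp-sha-hmac
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 reverse-route

! Bind Xauth, group authorization and Mode Configuration to the crypto map.
crypto map EZVPN-MAP client authentication list EZVPN-XAUTH
crypto map EZVPN-MAP isakmp authorization list EZVPN-GROUP
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN

! Apply the crypto map on the interface facing the remote clients.
interface FastEthernet0/0
 description Outside interface facing Easy VPN remotes
 crypto map EZVPN-MAP
```

To confirm each step on the server, `show crypto isakmp sa` shows the Phase One SA after device and user authentication, `show crypto ipsec sa` shows the Phase Two SAs negotiated in Quick mode, and `show ip route static` lists the routes RRI injected for connected clients. For neighbouring routers to learn those routes, the dynamic routing process on the server still needs `redistribute static`. Because the group uses a preshared key, Phase One runs in Aggressive mode; the group key therefore identifies only the group, which is why the Xauth step is enabled on the crypto map rather than left optional.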