Добавил:
Опубликованный материал нарушает ваши авторские права? Сообщите нам.
Вуз: Предмет: Файл:
Securing Cisco IOS Networks Study Guide - Carl Timm.pdf
Скачиваний:
73
Добавлен:
24.05.2014
Размер:
9.74 Mб
Скачать

Configuring IOS Remote Access Using Cisco Easy VPN

303

Introduction to Cisco Easy VPN

Cisco Easy VPN consists of two primary components: the Easy VPN Server and the Easy VPN Remote. The Easy VPN Server can be any of the following devices:

IOS router

PIX Firewall

VPN Concentrator device

The Easy VPN Server acts as a head-end device for either site-to-site or remote access VPN clients. It has the ability to push security policies to Easy VPN Remote clients before connections are actually established, ensuring that those clients always have current policies in place. Remember, anything that helps you to manage multiple remote devices is a very good thing. Easy VPN Server definitely goes a long way toward helping Cisco Easy VPN earn the moniker “easy.”

The Easy VPN Remote can be either a site-to-site device or the remote access VPN Client. In fact, it can be anything on the following list of devices:

IOS router (800, 900, and 1700 series)

PIX Firewall

VPN 3002 Hardware Client device

VPN 3.5 Client Software

As I said, the Easy VPN Remote can receive security policies from the Easy VPN Server, which minimizes the amount of configuration and maintenance required on remote devices and cuts your aggravation dramatically—especially if you have an ever-growing number of them.

You can see that there are quite a few possible combinations of Easy VPN Server and Easy VPN Remote options. The remainder of this chapter focuses specifically on how the Easy VPN Server becomes an IOS router, as well as how the Easy VPN Client becomes the VPN 3.5 Client Software.

The option of using the IOS router as the Easy VPN Server is a fairly recent development. The ability to use an IOS router instead of a PIX Firewall or VPN Concentrator as the head-end to Easy VPN Clients offers a world of possibilities when establishing VPN connections throughout your existing, installed infrastructure. This flexibility is great, and adding VPN server capabilities to IOS can really deliver the goods for you.

So, limiting our talk to this combination of server and remote, let’s take a deeper look into the Easy VPN Server and VPN 3.5 Client.

The Easy VPN Server

As of IOS release 12.2(8)T, the Cisco Easy VPN Server is available on an IOS router to support either the hardware Easy VPN Remote devices or the VPN 3.x Client.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

304 Chapter 9 Cisco IOS Remote Access Using Cisco Easy VPN

End users have the capability to establish IPSec communications with these IOS routers, and the IOS routers acting as Easy VPN Servers have the ability to push security policies to these remote devices. The 12.2(8)T Easy VPN Server release of IOS adds support for the following VPN functions:

Mode configuration version 6 support

Xauth version 6 support

IKE Dead Peer Detection (DPD)

Split Tunneling control

Initial contact

Group-based policy control

The IKE DPD is a form of keepalive for VPN connections. There are a number of problems that could cause a VPN remote device to “disappear” or lose connectivity without being able to inform the VPN server. Ever had a dial-in line die? That’s only one example. IKE Dead Peer Detection (DPD) from the VPN server will send “R-U-THERE?” messages to idle VPN remote devices. If the idle devices fail to respond, the VPN server assumes the connection has been broken and responds by recovering the resources dedicated to maintaining that particular connection.

Split Tunneling control gives the VPN remote the ability to maintain intranet and Internet access at the same time. Without Split Tunneling enabled, the remote will send all traffic—intranet and Internet—across the tunnel. If the VPN remote device is already Internet connected, it may not be necessary to have Internet traffic filled through the tunnel.

Initial contact solves this particular problem. Imagine that a VPN remote device is attached to a VPN server, and the connection is broken for some reason. The VPN remote device attempts to re-establish the VPN connection, only to find that its connection attempts are denied because it supposedly already has an established connection! “But,” you sputter, “I’m not there anymore, I’m here! What’s up with this?” In the formerly unforgiving world of VPN, those tortured cries would simply have been ignored—or they would have flooded Help Desks—until now, that is!

Initial contact is supported by all Cisco VPN devices, meaning that whenever a new VPN connection is to be established, any previous connection information is reset.

But the Easy VPN Server does not support all possible IPSec options. Table 9.1 illustrates the options that are and are not supported.

T A B L E 9 . 1 Easy VPN Supported and Unsupported Options

Options

Supported

Unsupported

 

 

 

Authentication algorithm

HMAC-MD5

 

 

HMAC-SHA1

 

Authentication types

Pre-shared keys

Digital Signature Standard (DSS)

 

RSA digital signatures

 

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com