Introduction to Cisco Easy VPN

Cisco Easy VPN consists of two primary components: the Easy VPN Server and the Easy VPN Remote. The Easy VPN Server can be any of the following devices:

The Easy VPN Server acts as a head-end device for either site-to-site or remote access VPN clients. It has the ability to push security policies to Easy VPN Remote clients before connections are actually established, ensuring that those clients always have current policies in place. Remember, anything that helps you to manage multiple remote devices is a very good thing. Easy VPN Server definitely goes a long way toward helping Cisco Easy VPN earn the moniker “easy.”

The Easy VPN Remote can be either a site-to-site device or the remote access VPN Client. In fact, it can be anything on the following list of devices:

As I said, the Easy VPN Remote can receive security policies from the Easy VPN Server, which minimizes the amount of configuration and maintenance required on remote devices and cuts your aggravation dramatically—especially if you have an ever-growing number of them.

You can see that there are quite a few possible combinations of Easy VPN Server and Easy VPN Remote options. The remainder of this chapter focuses specifically on how the Easy VPN Server becomes an IOS router, as well as how the Easy VPN Client becomes the VPN 3.5 Client Software.

The option of using the IOS router as the Easy VPN Server is a fairly recent development. The ability to use an IOS router instead of a PIX Firewall or VPN Concentrator as the head-end to Easy VPN Clients offers a world of possibilities when establishing VPN connections throughout your existing, installed infrastructure. This flexibility is great, and adding VPN server capabilities to IOS can really deliver the goods for you.

So, limiting our talk to this combination of server and remote, let’s take a deeper look into the Easy VPN Server and VPN 3.5 Client.

The Easy VPN Server

As of IOS release 12.2(8)T, the Cisco Easy VPN Server is available on an IOS router to support either the hardware Easy VPN Remote devices or the VPN 3.x Client.

304 Chapter 9 Cisco IOS Remote Access Using Cisco Easy VPN

End users have the capability to establish IPSec communications with these IOS routers, and the IOS routers acting as Easy VPN Servers have the ability to push security policies to these remote devices. The 12.2(8)T Easy VPN Server release of IOS adds support for the following VPN functions:

The IKE DPD is a form of keepalive for VPN connections. There are a number of problems that could cause a VPN remote device to “disappear” or lose connectivity without being able to inform the VPN server. Ever had a dial-in line die? That’s only one example. IKE Dead Peer Detection (DPD) from the VPN server will send “R-U-THERE?” messages to idle VPN remote devices. If the idle devices fail to respond, the VPN server assumes the connection has been broken and responds by recovering the resources dedicated to maintaining that particular connection.

Split Tunneling control gives the VPN remote the ability to maintain intranet and Internet access at the same time. Without Split Tunneling enabled, the remote will send all traffic—intranet and Internet—across the tunnel. If the VPN remote device is already Internet connected, it may not be necessary to have Internet traffic filled through the tunnel.

Initial contact solves this particular problem. Imagine that a VPN remote device is attached to a VPN server, and the connection is broken for some reason. The VPN remote device attempts to re-establish the VPN connection, only to find that its connection attempts are denied because it supposedly already has an established connection! “But,” you sputter, “I’m not there anymore, I’m here! What’s up with this?” In the formerly unforgiving world of VPN, those tortured cries would simply have been ignored—or they would have flooded Help Desks—until now, that is!

Initial contact is supported by all Cisco VPN devices, meaning that whenever a new VPN connection is to be established, any previous connection information is reset.

But the Easy VPN Server does not support all possible IPSec options. Table 9.1 illustrates the options that are and are not supported.

T A B L E 9 . 1 Easy VPN Supported and Unsupported Options