Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

310 Chapter 9 Cisco IOS Remote Access Using Cisco Easy VPN

Summary

You have to admit, this chapter really was easy and truly short. The Cisco Easy VPN solution can be deployed in various ways, and the new Cisco features allow you to use an IOS router as the Easy VPN Server and the VPN 3.5 Client as the Easy VPN Remote.

It is important to understand which features are supported and which are not supported in the VPN 3.5 Client. For example, the Easy VPN Client supports 3DES, which is important, but it does not support DSS, Diffie-Hellman group 1 (DH1), or Authentication Header (AH).

It is important to understand the process of adding a connection to the VPN 3.5 Client, which was covered in detail in this chapter. If you have to, review the “Introduction to the Cisco VPN 3.5 Client” section until you really understand the process.

By truly understanding the process of adding a connection to the VPN 3.5 Client, you can then streamline the installation of the VPN Client, while ensuring that the ultimate control of your network remains where it should—in your trusty, capable hands!

Exam Essentials

Make sure to know the supported and unsupported IPSec features of the Easy VPN Server (see Table 9.1). DSS, DH group 1, and AH are not supported features.
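As an added example (not from the book), the Python sketch below audits an IOS crypto configuration for DH group 1 and AH transforms, two of the unsupported features listed above. The sample configuration is constructed, and the code assumes that an ISAKMP policy with no `group` line falls back to DH group 1, the default on IOS releases of this period.

```python
import re

# Constructed sample of an IOS Easy VPN Server crypto configuration (not from the book).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 group 2
crypto isakmp policy 20
 encr 3des
 authentication pre-share
crypto isakmp policy 30
 encr 3des
 group 1
crypto ipsec transform-set GOOD esp-3des esp-sha-hmac
crypto ipsec transform-set LEGACY ah-sha-hmac esp-des
"""

def audit_easy_vpn(config):
    """Return (object, problem) pairs for settings the Easy VPN client cannot negotiate."""
    findings = []
    policy, group = None, None

    def close_policy():
        # Assumption: with no explicit `group` line the policy uses DH group 1,
        # the default on IOS releases of this era.
        if policy is not None and (group or "1") == "1":
            why = "explicit" if group else "implicit default"
            findings.append((f"isakmp policy {policy}", f"DH group 1 ({why})"))

    for line in config.splitlines():
        if line.startswith(" ") and policy is not None:
            m = re.match(r"\s+group\s+(\d+)\s*$", line)
            if m:
                group = m.group(1)
            continue
        close_policy()               # a non-indented line ends the open policy stanza
        policy, group = None, None
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            policy = m.group(1)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+)\s+(.+)$", line)
        if m:
            ah = [t for t in m.group(2).split() if t.startswith("ah-")]
            if ah:
                findings.append((f"transform-set {m.group(1)}", "AH: " + " ".join(ah)))
    close_policy()                   # the config may end inside a policy stanza
    return findings
```

Policy 20 is the case worth noticing: nothing in it mentions group 1, yet it is flagged because the omitted `group` line leaves the default in effect.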

Know which files are used for which functions when pre-configuring the VPN 3.5 Client. The oem.ini file is used to install without user prompts, the vpnclient.ini file is used to preconfigure global parameters, and the .pcf files are used to configure connections (one .pcf file per connection).

Know which devices can act as Easy VPN Servers and which devices can act as Easy VPN Remotes. The Easy VPN Server can be an IOS router, PIX Firewall, or VPN Concentrator. The Easy VPN Remote can be an IOS router, PIX Firewall, VPN 3002 Hardware Client, or VPN 3.5 Client Software.

Know the seven tasks for Easy VPN Server configuration. The seven Easy VPN Server configuration tasks are:

1. Enable policy lookup via AAA.

2. Define group policy for mode configuration push.

3. Apply mode configuration and Xauth to crypto maps.

4. Enable Reverse Route Injection (RRI) for the VPN Client (optional).

5. Enable IKE Dead Peer Detection (optional).

6. Configure RADIUS server support (optional).

7. Verify the Easy VPN Server.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com


Key Terms

Before you take the exam, be certain you are familiar with the following terms:

Cisco VPN 3.5 Client

initial contact

Easy VPN Remote

oem.ini

Easy VPN Server

.pcf

IKE Dead Peer Detection (DPD)

Written Lab

This section asks you 10 write-in-the-answer questions to help you understand the technology that you need to know in order to pass the SECUR exam.

1. List the two Diffie-Hellman groups supported by the Cisco Easy VPN.

2. Which file do you modify to remove user prompts when installing the Cisco VPN 3.5 Client?

3. List the encryption algorithms supported by the Cisco Easy VPN Server.

4. List the devices that can be an Easy VPN Server.

5. Which IPSec protocol mode is supported by the Cisco Easy VPN Server?

6. Which files do you modify to pre-configure connections when installing the Cisco VPN 3.5 Client?

7. List the IPSec protocol identifiers supported by the Cisco Easy VPN Server.

8. Which IPSec protocol mode is not supported by the Cisco Easy VPN Server?

9. Which operating systems are supported by the Cisco VPN 3.5 Client Software?

10. List the IPSec protocol identifiers not supported by the Cisco Easy VPN Server.


Review Questions

1. Which IPSec authentication types are supported by the Cisco Easy VPN Server? (Choose all that apply.)

A. Pre-shared keys

B. RSA digital signatures

C. DSS

D. DES

E. 3DES

2. Which IOS is the minimum required in order to run the IOS Easy VPN Server?

A. 11.3(18)T

B. 12.1(8)T

C. 12.2(8)T

D. 12.2(12)T

3. Which of the following are supported by the Cisco Easy VPN server? (Choose all that apply.)

A. Authentication using DSS

B. DH1

C. DH2

D. Manual keys

E. Perfect forward secrecy (PFS)

F. DH5

4. Which of the following can be used as a Cisco Easy VPN Server? (Choose all that apply.)

A. VPN 3.5 Client Software

B. IOS router

C. PIX Firewall

D. Cisco VPN Concentrator

E. All of the above

5. Which types of IPSec encryption algorithms are supported by the Cisco Easy VPN? (Choose all that apply.)

A. NULL

B. ESP

C. DES

D. 3DES

E. HMAC-MD5


6. You want your remote users to send their Internet requests directly to the Internet and not through the VPN tunnel. Which of the following features enables this?

A. Xauth version 6

B. DPD

C. Split Tunneling

D. Initial contact

7. Suppose that you are going to pre-configure the Cisco VPN 3.5 Client, and you want to remove all user prompts and force the PC to reboot when the installation is finished. Which of the following files would you modify?

A. setup.exe

B. oem.ini

C. vpnclient.ini

D. *.pcf

8. Which of the following is the first task you need to perform when configuring the Easy VPN Server?

A. Verify Easy VPN Server.

B. Configure RADIUS server support (optional).

C. Apply mode configuration and Xauth to crypto maps.

D. Enable Reverse Route Injection for the VPN Client (optional).

E. Enable policy lookup via AAA.

F. Define group policy for mode configuration push.

G. Enable IKE Dead Peer Detection (optional).

9. Which of the following DH groups are supported by the Cisco Easy VPN Server? (Choose all that apply.)

A. DH1

B. DH2

C. DH3

D. DH4

E. DH5

F. DH6


10. Suppose that you are going to pre-configure the Cisco VPN 3.5 Client, and you want to add preconfigured connections to the pull-down menu. Which of the following files would you modify?

A. setup.exe

B. oem.ini

C. vpnclient.ini

D. *.pcf

11. Which IPSec protocol modes are supported by the Cisco Easy VPN Server?

A. Tunnel mode

B. Transport mode

C. Both A and B

D. Neither A nor B

12. When users get disconnected and then attempt to reconnect, they are denied because they have existing connections. Which of the following solves this problem?

A. Xauth version 6

B. DPD

C. Split Tunneling

D. Initial contact

13. Suppose that you are going to pre-configure the Cisco VPN 3.5 Client, and you want to preconfigure global profiles. Which of the following files would you modify?

A. setup.exe

B. oem.ini

C. vpnclient.ini

D. *.pcf

14. Which of the following DH groups is not supported by the Cisco Easy VPN Server?

A. DH1

B. DH2

C. DH3

D. DH4

E. DH5

F. DH6


15. Which of the following can be used as a Cisco Easy VPN Remote?

A. VPN 3.5 Client Software

B. IOS router

C. PIX Firewall

D. Cisco VPN 3002 Hardware Client

E. All of the above

16. Which operating systems are supported by the Cisco VPN 3.5 Client Software? (Choose all that apply.)

A. HP-UX

B. OS2

C. Linux (Intel)

D. Mac OS X

E. Palm OS

F. Windows

G. Solaris (Ultra-Sparc 32-bit)

17. Suppose that you are going to pre-configure the Cisco VPN 3.5 Client, and you have already configured the files you want to use for the pre-configuration. Which directory do you place them in for the install?

A. /etc

B. /windows/system

C. The same directory as the setup.exe for the VPN 3.5 Client

D. /windows/bin

18. Which of the following DH groups are supported by the Cisco VPN 3.5 Client? (Choose all that apply.)

A. DH1

B. DH2

C. DH3

D. DH4

E. DH5

F. DH6


19. You have devices that lose connection, but their connections never seem to get cleaned up. Which of the following will help solve this problem?

A. Xauth version 6

B. DPD

C. Split Tunneling

D. Initial contact

20. Which IPSec protocol identifiers are supported by the Cisco Easy VPN Server? (Choose all that apply.)

A. DH2

B. DES

C. ESP

D. IPCOMP-LZS

E. IPSEC AH
