Cisco CCNP ISCW Exam Tutorial
An Introduction To Easy VPN Server And Client
By Chris Bryant, CCIE #12933
During your CCNP studies, you're going to run into something called "Easy VPN" - and your first thought may well be "Easy as compared to what?"
Then again, if you've configured VPNs from the command-line interface before, your first thought may well be "Anything's easy when compared to the CLI!"
In today's Cisco CCNP ISCW exam tutorial, we'll take a look at the theory and operation of Easy VPN, then we'll see it in action both from the Server side (via Security Device Manager) and the Client side (via VPN Client).
 
Speaking of the Client, Easy VPN consists of the following:
- Easy VPN Server
- Easy VPN Remote
Sounds easy enough! Seriously, the real benefit of Easy VPN is that security policies written at the Server level can then be pushed out to Clients. As a result, the Clients have the most up-to-date policies without the network admins - that's you and me - having to visit them individually.
Quite a few different Cisco devices can act as Easy VPN Servers. I will not list each here, but here are the more common ones:
- VPN 3000 concentrators
- Cisco 7500, 7200, 7100, 3600, 2600, and 1700 routers running IOS 12.2(8)T or later
- Many Cisco 800 series routers running 12.2(8)T or later
As always, do your homework on Cisco's website to determine if Easy VPN will run on your particular hardware.
 
The Easy VPN Remote device can be a Cisco router, a PIX firewall, or a Cisco VPN 3002 hardware client, and a workstation running the Cisco VPN Client software is a Remote as well. "Easy VPN Remote" devices are often referred to as "Easy VPN Clients", and that's how I'll refer to them for the rest of this tutorial. For your exam and when reading Cisco documentation, remember that "Remote" and "Client" refer to the same device.
The basics of the VPN construction will look familiar at this point! First, the Client sends its ISAKMP (IKE Phase 1) proposals to the Server. The Server compares them against its own ISAKMP policies in priority order and accepts the first policy that matches one of the proposals, so a weak policy left in the list can still be chosen if it matches first. After the policy acceptance, the ISAKMP SA is in place.

The next step is a little different from what we've seen in other VPNs. Once the ISAKMP SA is up, the Server sends a challenge to the Client, prompting the Client (more precisely, the user at the Client) to send a username and password to the Server. This challenge is Xauth (Extended Authentication), an extension to IKE that adds user-level authentication on top of the device-level authentication already performed in Phase 1.

The Server can verify the username and password the Client returns against any of several databases:
- Local (a username/password pair configured on the router with the username command)
- RADIUS
- TACACS+
We'll take a closer look at RADIUS and TACACS+ in another section, but keep in mind that either of these AAA protocols can be used instead of, or alongside, local authentication. Also keep the two credentials straight: every Client in an Easy VPN group shares the group's pre-shared key used in Phase 1, while the Xauth username and password identify the individual user.
Once the Client has successfully authenticated, the process enters Mode configuration. At this stage, the Client requests the necessary configuration details from the Server.

This information can include:
- IP address information (required)
- internal DNS and WINS server addresses
- split tunneling configuration information
Split tunneling allows the Client to send traffic destined for the networks behind the Server through the secure tunnel while sending all other traffic (Internet browsing, for example) directly and unencrypted. It saves bandwidth on the tunnel, but it also means the Client sits on an untrusted network and inside yours at the same time; without split tunneling, every packet from the Client goes through the tunnel and is subject to the Server's policy.
Once Mode configuration is completed, the Reverse Route Injection stage begins. According to Cisco's website, "Reverse route injection (RRI) is the ability for static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint". In practice, the injected route points to the address the Client was handed from the Server's pool, so the rest of your network can reach the Client without anyone adding static routes by hand.
After RRI, we're almost there! IPsec Quick Mode then negotiates the IPsec SA (the Phase 2 SA that actually protects the data), and the tunnel is up.
Now that we know the basics of Easy VPN, we'll configure Easy VPN Server via SDM on a Cisco router, then configure a workstation with VPN Client.
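Before we get to SDM, here is the CLI equivalent of what the SDM Easy VPN Server wizard produces for the process just described, as an added example that is not part of the original tutorial: an ISAKMP policy for the proposal exchange, Xauth against a local user, the mode configuration group (pool, DNS, WINS, split-tunnel ACL), RRI on the dynamic crypto map, and the transform set used by Quick Mode. Interface names, addresses, the group name, the user name and both secrets are assumptions chosen for illustration.

```cisco
! Added example, not the tutorial's own configuration. All names, addresses and
! secrets below are assumptions; replace them before use.
!
! --- AAA: Xauth user database (local) and group authorization (local) ---
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUP local
username vpnuser secret S3cretPassw0rd
!
! --- IKE Phase 1 policy matched against the Client's ISAKMP proposals ---
! The Cisco VPN Client proposes DH group 2, so the policy must offer it.
! Use 3des only where the IOS image has no AES support.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! --- Mode configuration attributes pushed to the Client after Xauth succeeds ---
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.254
crypto isakmp client configuration group EZVPN-GROUP
 key Gr0upPr3sharedKey
 pool EZVPN-POOL
 dns 192.168.1.10
 wins 192.168.1.11
 domain example.com
 acl 101
!
! Split-tunnel ACL: only traffic to this network is sent through the tunnel;
! everything else leaves the Client in the clear. Remove "acl 101" above to
! force all Client traffic through the tunnel.
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
! --- IPsec Phase 2 parameters negotiated by Quick Mode ---
crypto ipsec transform-set EZVPN-TS esp-aes 256 esp-sha-hmac
!
! Dynamic crypto map: Client addresses are unknown in advance, so the peer is
! learned at connection time. "reverse-route" is the RRI stage: a static route
! to each connected Client's pool address is injected into the routing table.
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 reverse-route
!
! Crypto map: bind Xauth (client authentication), group authorization, and
! mode configuration ("address respond" hands out a pool address when the
! Client asks for one).
crypto map EZVPN-MAP client authentication list EZVPN-XAUTH
crypto map EZVPN-MAP isakmp authorization list EZVPN-GROUP
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface FastEthernet0/0
 description Outside interface facing the Clients
 ip address 203.0.113.1 255.255.255.0
 crypto map EZVPN-MAP
!
! Verification once a Client connects:
!   show crypto isakmp sa     - the ISAKMP SA from Phase 1
!   show crypto ipsec sa      - the IPsec SAs built by Quick Mode
!   show ip route static      - the RRI-injected host route to the Client
!   show crypto session       - session state and the Xauth username
```

Two things worth checking in a configuration like this: the group key under `crypto isakmp client configuration group` is shared by every Client in the group and only protects Phase 1, so the per-user Xauth credentials in the AAA list are what actually identify a user; and the split-tunnel ACL describes exactly which destinations are protected, so review it with the same care as any other policy, because anything it does not match travels outside the tunnel.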
We'll continue our discussion of Easy VPN in the next installment of my CCNP ISCW exam tutorial series -- and to master all the details necessary to pass the ISCW and earn your CCNP certification and prosper in today's real-world networks, click these images to use these proven methods of passing this difficult exam!
 
To your success,
Chris Bryant
CCIE #12933
chris@thebryantadvantage.com