Easy VPN Server Requirements

To implement Easy VPN Remote capabilities, a number of prerequisite guidelines must be met. The Cisco Easy VPN Remote feature requires that the destination peer be a Cisco Easy VPN Server or VPN Concentrator that supports the Cisco Easy VPN Server feature. Essentially, the hardware and software feature sets must be those capable of performing the roles and functions of the Easy VPN solution. To that end, a minimum Cisco IOS version is required as follows:

■ Cisco 831, 836, 837, 851, 857, 871, 876, 877, and 878 Series Routers—Cisco IOS Software Release 12.2(8)T or later (note that 800 series routers are not supported in Cisco IOS 12.3(7)XR but are supported in 12.3(7)XR2)

■ Cisco 1700 Series Routers—Cisco IOS Software Release 12.2(8)T or later

■ Cisco 2600 Series Routers—Cisco IOS Software Release 12.2(8)T or later

■ Cisco 3600 Series Routers—Cisco IOS Software Release 12.2(8)T or later

■ Cisco 7100 Series VPN Routers—Cisco IOS Software Release 12.2(8)T or later

■ Cisco 7200 Series Routers—Cisco IOS Software Release 12.2(8)T or later

■ Cisco 7500 Series Routers—Cisco IOS Software Release 12.2(8)T or later

■ Cisco PIX 500 Series—PIX OS Release 6.2 or later

■ Cisco VPN 3000 Series—Software Release 3.11 or later

Additionally, requirements for Easy VPN Servers include the need for Internet Security Association and Key Management Protocol (ISAKMP) policies using Diffie-Hellman group 2 (1024-bit) IKE negotiation. This is necessary because the Cisco Unity protocol supports only ISAKMP policies using group 2 IKE. The Cisco Unity protocol refers to a methodology VPN clients use to determine the order of events when attempting a connection to a VPN server. The Cisco Unity protocol operates based on the notion of a client group. A Unity client must identify and authenticate itself by group first and, if XAUTH is enabled, by user later. The Easy VPN Server cannot be configured for ISAKMP group 1 or 5 when used with Easy VPN Clients.

To ensure secure tunnel connections, the Cisco Easy VPN Remote feature does not support transform sets providing encryption without authentication or those providing authentication without encryption. Both encryption and authentication must be represented.

The Cisco Unity protocol does not support Authentication Header (AH) authentication, but it does support Encapsulation Security Payload (ESP).
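The three server-side prerequisites just described (ISAKMP policies limited to Diffie-Hellman group 2, transform sets that carry both encryption and authentication, and ESP rather than AH) can be checked mechanically against a router's running configuration. The following checker is an added example, not code from the book or from Cisco; the IOS configuration it parses is a constructed sample, and it assumes the IOS default of group 1 when a policy omits the `group` line.

```python
import re

# Constructed sample IOS configuration (not from the book): one compliant ISAKMP policy and
# transform set alongside several that violate the Easy VPN Server prerequisites.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 group 2
crypto isakmp policy 20
 group 5
crypto isakmp policy 30
 encryption 3des
crypto ipsec transform-set EZVPN-OK esp-3des esp-sha-hmac
crypto ipsec transform-set ENC-ONLY esp-aes 256
crypto ipsec transform-set AUTH-ONLY esp-sha-hmac
crypto ipsec transform-set AH-SET ah-sha-hmac esp-3des
"""

def parse_isakmp_groups(config):
    """Map each ISAKMP policy number to its Diffie-Hellman group."""
    groups, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"^crypto isakmp policy (\d+)$", line):
            current = int(m.group(1))
            groups[current] = 1  # IOS defaults to group 1 when no 'group' line is configured
        elif (m := re.match(r"^\s+group (\d+)$", line)) and current is not None:
            groups[current] = int(m.group(1))
        elif line and not line.startswith(" "):
            current = None  # any other top-level command ends the policy block
    return groups

def check_transform_set(transforms):
    """Apply the page's rules: ESP only (no AH), and encryption plus authentication together."""
    findings = []
    if any(t.startswith("ah-") for t in transforms):
        findings.append("uses AH (Unity supports ESP only)")
    has_enc = any(t.startswith("esp-") and not t.endswith("-hmac") and t != "esp-null" for t in transforms)
    has_auth = any(t.endswith("-hmac") for t in transforms)  # esp-*-hmac or ah-*-hmac
    if has_enc != has_auth:
        findings.append("encryption without authentication" if has_enc else "authentication without encryption")
    return findings

def audit(config):
    """Return one finding per violated Easy VPN Server prerequisite."""
    findings = [f"isakmp policy {n}: group {g} (Easy VPN requires group 2)"
                for n, g in parse_isakmp_groups(config).items() if g != 2]
    for line in config.splitlines():
        if m := re.match(r"^crypto ipsec transform-set (\S+)\s+(.*)$", line):
            findings += [f"transform-set {m.group(1)}: {f}" for f in check_transform_set(m.group(2).split())]
    return findings
```

Run `audit(SAMPLE_CONFIG)` to list the two non-compliant policies and three non-compliant transform sets; only policy 10 with the EZVPN-OK set would be usable by Easy VPN Remote clients.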

Sometimes, a VPN connection might be used as a backup connection meant to be established and used when the primary link is unavailable. Various backup capabilities are available to meet such a need, including, but not limited to, dial backup. When using dial backup scenarios with Easy VPN, it should be understood that any backup method based on line status is not supported. This means that a primary interface in up/down state will not trigger the VPN connection establishment.

Also worthy of mention at this point is that NAT interoperability is not supported in Client mode when split tunneling is enabled. This is because the client is connected to both the central site and the local LAN, with routing enabled to both networks per the split tunneling definition. Without split tunneling, the IP address assigned by the central site becomes the address of the client interface, which avoids any possibility of address overlap. When split tunneling is enabled, this cannot always be guaranteed: when the connection is established and a route is injected into the central site network for remote site reachability, that route must be unique, and split tunneling leaves open the possibility of address overlap.
