Understanding Cisco Easy VPN
Easy VPN Connection Establishment
Easy VPN connectivity is relatively straightforward. The configuration and connection phases are subject to certain restrictions as listed in the previous section. The Cisco Easy VPN Remote feature supports a two-stage process for client/server authentication:
- Stage 1 is Group Level Authentication, which represents a portion of the channel creation process. During this stage, two types of authentication can be used, either preshared keys or digital certificates.
- Stage 2 of the authentication is known as Extended Authentication, or Xauth. The remote side of the connection submits a username and password to the central site VPN device. This is the same method that is used when a Cisco VPN Software Client is prompted for a username and password to activate a VPN tunnel. However, in this case, a user is not authenticated to the central site. Instead, the Easy VPN Remote Router itself is authenticated. Xauth, while optional, is typically used to improve security. Once Xauth is successfully completed and the VPN tunnel is created, all PCs behind the Easy VPN Remote Router can use the connection.
The following list represents a step-by-step method used to establish Easy VPN Remote Client connectivity with an Easy VPN Server gateway:
Step 1 The VPN Client initiates IKE phase 1.
Step 2 The VPN Client establishes an ISAKMP SA.
Step 3 The Easy VPN Server accepts the SA proposal.
Step 4 The Easy VPN Server initiates user authentication.
Step 5 Mode configuration begins.
Step 6 The Reverse Route Injection (RRI) process begins.
Step 7 IPsec quick mode completes the connection.
At each step, decisions are made and/or information is exchanged.
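The following configuration is an added illustration, not taken from the book or from Cisco documentation, showing where each of the seven steps above is configured on an IOS Easy VPN Server and Easy VPN Remote. The names (EZVPN-XAUTH, EZVPN-GROUP, REMOTES, EZVPN-POOL, EZVPN-TS, EZVPN-DYN, EZVPN-MAP, EZ-HOME, remote-rtr1), the pool and DNS addresses, and the interface numbers are invented for the example; the keys, passwords and server address are placeholders.

```cisco
! ===== Easy VPN Server (IOS headend) =====
! Stage 1 group authentication uses a preshared key held in the group definition.
! Stage 2 (Xauth) authenticates the remote router itself against a local username.
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUP local
username remote-rtr1 secret <xauth-password-placeholder>
!
! Steps 1-3: IKE phase 1 policy the remote proposes and the server accepts.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Group definition: "key" is the Stage 1 group preshared key; the pool and DNS
! server are pushed to the remote during mode configuration (Step 5).
crypto isakmp client configuration group REMOTES
 key <group-preshared-key-placeholder>
 dns 10.0.0.53
 pool EZVPN-POOL
ip local pool EZVPN-POOL 10.1.1.1 10.1.1.50
!
crypto ipsec transform-set EZVPN-TS esp-aes esp-sha-hmac
!
! Dynamic crypto map for the remotes. "reverse-route" is Step 6: RRI installs a
! static route toward each remote's assigned address so it can be advertised inward.
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 reverse-route
!
! Step 4: Xauth via the EZVPN-XAUTH list. The authorization list looks up the group.
! "client configuration address respond" answers mode-config requests (Step 5).
crypto map EZVPN-MAP client authentication list EZVPN-XAUTH
crypto map EZVPN-MAP isakmp authorization list EZVPN-GROUP
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface GigabitEthernet0/0
 description outside (placeholder interface)
 crypto map EZVPN-MAP

! ===== Easy VPN Remote (IOS router) =====
! The remote holds the group key (Stage 1) and its own Xauth username (Stage 2).
! Step 7, IPsec quick mode, follows automatically once Xauth and mode config succeed.
crypto ipsec client ezvpn EZ-HOME
 connect auto
 group REMOTES key <group-preshared-key-placeholder>
 mode client
 peer <server-public-ip-placeholder>
 username remote-rtr1 password <xauth-password-placeholder>
!
interface FastEthernet0/0
 description outside
 crypto ipsec client ezvpn EZ-HOME
interface FastEthernet0/1
 description inside LAN
 crypto ipsec client ezvpn EZ-HOME inside
```

On the remote, `show crypto ipsec client ezvpn` reports the tunnel state and the address, DNS and other attributes received in mode configuration; on the server, `show crypto session` and `show crypto isakmp sa` confirm the phase 1 and phase 2 SAs, and `show ip route static` shows the routes that RRI injected for connected remotes. Because the Stage 1 key is shared by every router in the group, it identifies only group membership; the per-router Xauth credential is what lets the server tell individual remotes apart and revoke one without rekeying the whole group, which is why the text describes Xauth as optional but typically used.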