Client Connection Process
In general terms, an Easy VPN Remote device or a VPN Software Client
version 3.x/4.x initiates a connection with a Cisco router configured as an
Easy VPN Server. Connection establishment includes device authentication via
IKE, user authentication via IKE Extended Authentication (Xauth), and the
push of VPN policies down to the client; the IPSec SA is then established.
The following is a more detailed look at the client/server session
establishment.
- The client initiates the IKE Phase One exchange. If a preshared key is
to be used for authentication, the exchange is initiated via IKE Aggressive
mode. In this case, the group name entered while configuring the client with
the web application is used to identify the group profile. If digital
certificates are used, the exchange will be via IKE Main mode and the
organizational unit field of a distinguished name will be used to identify
the appropriate group profile.
- The client attempts to negotiate an IKE SA with the Easy VPN Server. To
reduce client configuration, no IKE policies are defined on the client;
instead, all supported combinations of encryption and hash algorithms for
authentication, plus the supported Diffie-Hellman (DH) group sizes, are
proposed. The Easy VPN Server accepts the first proposal received that
matches its configured policies. Assuming a policy match is achieved, device
authentication is completed and user authentication can begin.
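The proposal matching in this step, as an added example that is not Cisco's code or part of the original article. It models the behaviour described above: the client offers every supported combination, and the server accepts the first proposal received that matches one of its configured policies. The algorithm lists, the tuple layout and the `weak_policies` threshold are illustrative assumptions; they show why the outcome is governed entirely by what the server is configured to accept.

```python
"""Model of IKE Phase One proposal selection between an Easy VPN client
and server (added example; names and algorithm lists are assumptions)."""
from itertools import product
from typing import List, Optional, Sequence, Tuple

# A proposal or a configured policy: (encryption, hash, authentication, dh_group)
Proposal = Tuple[str, str, str, int]

# Constructed client capabilities; a real client advertises a longer list.
CLIENT_ENCRYPTION = ["aes-256", "aes-128", "3des", "des"]
CLIENT_HASH = ["sha", "md5"]
CLIENT_AUTH = ["pre-share"]
CLIENT_DH_GROUPS = [2, 5, 14]


def client_proposals(encryption: Sequence[str] = CLIENT_ENCRYPTION,
                     hashes: Sequence[str] = CLIENT_HASH,
                     auth: Sequence[str] = CLIENT_AUTH,
                     dh_groups: Sequence[int] = CLIENT_DH_GROUPS) -> List[Proposal]:
    """Client side: with no policies configured, every supported combination
    is proposed, in the order the client enumerates it."""
    return [(e, h, a, g) for e, h, a, g in product(encryption, hashes, auth, dh_groups)]


def select_proposal(received: Sequence[Proposal],
                    server_policies: Sequence[Proposal]) -> Optional[Proposal]:
    """Server side: accept the first proposal received that matches any
    configured policy; None means no match and the negotiation fails."""
    configured = set(server_policies)
    for proposal in received:
        if proposal in configured:
            return proposal
    return None


def weak_policies(server_policies: Sequence[Proposal],
                  min_dh_group: int = 14) -> List[Proposal]:
    """Defender check (illustrative threshold): configured policies that would
    let the server accept DES, MD5 or a DH group below min_dh_group."""
    return [p for p in server_policies
            if p[0] == "des" or p[1] == "md5" or p[3] < min_dh_group]


# Constructed server configurations used for the demonstration.
SERVER_MIXED = [("3des", "sha", "pre-share", 2), ("aes-256", "sha", "pre-share", 14)]
SERVER_LEGACY = [("des", "md5", "pre-share", 2)]
SERVER_CERT_ONLY = [("aes-256", "sha", "rsa-sig", 14)]

if __name__ == "__main__":
    offered = client_proposals()
    print(len(offered), "proposals offered by the client")
    for name, policies in [("mixed", SERVER_MIXED), ("legacy", SERVER_LEGACY),
                           ("cert-only", SERVER_CERT_ONLY)]:
        print(name, "->", select_proposal(offered, policies),
              "weak:", weak_policies(policies))
```

Run against the "legacy" server the client's DES/MD5 combination is accepted, and against the certificate-only server a preshared-key client gets no match at all; the server's policy list, not the client's, is the control point.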
- If the Easy VPN Server is configured for Xauth, the server issues a user
name/password challenge to the client. The resulting entries are verified
using AAA-supported protocols, such as TACACS+, RADIUS, or one-time password
token cards via AAA proxy. This step is particularly important if the peer is
a remote client or a remote device is configured as a remote client.
- The system parameters are pushed from the server to the client. These
parameters can be configured to include an IP address (required) and the
following optional information: DNS address(es), domain name, WINS
address(es), local NAT pool name, access list, split tunnel attributes, and
so forth. The access list defines the traffic to be protected through the
VPN tunnel.
- The Easy VPN Server can use reverse route injection (RRI) to create static
routes and inject them into any dynamic routing protocols for distribution
to surrounding devices. With dynamic crypto maps, a static route is created
for each subnet or host protected by the remote peer when the peer
establishes its IPSec security association. With static crypto maps, a
static route is created for each destination using an extended access-list
rule.
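The two RRI cases above, as an added example that is not Cisco's code or part of the original article: it derives the static routes RRI would create, with the remote peer as next hop, from the subnets a peer protects (dynamic crypto map) or from the destinations of extended access-list rules (static crypto map). Addresses, peer identities and ACL rules are constructed samples.

```python
"""Derive reverse-route-injection static routes (added example; all
addresses and rules are constructed)."""
import ipaddress
from typing import List, Tuple

# A route is (destination prefix in CIDR, next-hop peer address).
Route = Tuple[str, str]


def wildcard_to_netmask(wildcard: str) -> str:
    """Convert a Cisco-style wildcard (0.0.0.255) to a netmask (255.255.255.0)."""
    return ".".join(str(255 - int(octet)) for octet in wildcard.split("."))


def rri_dynamic(peer: str, remote_selectors: List[str]) -> List[Route]:
    """Dynamic crypto map: one static route per subnet or host the remote
    peer protects, learned from the IPSec SA it establishes."""
    routes: List[Route] = []
    for selector in remote_selectors:
        net = ipaddress.ip_network(selector, strict=False)
        routes.append((str(net), peer))
    return routes


def rri_static(peer: str, acl_rules: List[str]) -> List[Route]:
    """Static crypto map: one static route per destination of an extended
    access-list permit rule. Rules are constructed in the form
    'permit ip <src> <src-wildcard> <dst> <dst-wildcard>'; deny rules and
    other forms define no protected traffic and yield no route."""
    routes: List[Route] = []
    for rule in acl_rules:
        parts = rule.split()
        if len(parts) != 6 or parts[0] != "permit":
            continue
        dst, wildcard = parts[4], parts[5]
        net = ipaddress.ip_network(f"{dst}/{wildcard_to_netmask(wildcard)}", strict=False)
        routes.append((str(net), peer))
    return routes


# Constructed sample input for the demonstration.
DYNAMIC_PEER = "203.0.113.10"
DYNAMIC_SELECTORS = ["10.10.1.0/24", "192.168.5.7/32"]
STATIC_PEER = "203.0.113.20"
STATIC_ACL = [
    "permit ip 10.0.0.0 0.0.0.255 172.16.4.0 0.0.0.255",
    "deny ip any any",
    "permit ip 10.0.0.0 0.0.0.255 172.16.9.8 0.0.0.0",
]

if __name__ == "__main__":
    for prefix, next_hop in rri_dynamic(DYNAMIC_PEER, DYNAMIC_SELECTORS) + \
            rri_static(STATIC_PEER, STATIC_ACL):
        print(f"ip route {prefix} via {next_hop}")
```

Because these routes are redistributed to surrounding devices, the prefixes a remote peer claims to protect directly shape the hub's routing table; the per-subnet derivation makes it easy to audit which peer identity introduced each route.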
- Once all parameters are transferred to the client, IKE Phase Two Quick
mode is used to negotiate IPSec SAs to complete the connection.