Phase Two Features-Manual Tunnel Control

Manual Tunnel Control

With the original Cisco Easy VPN Remote, the VPN tunnel connects automatically on configuration. If the tunnel times out or fails, it automatically reconnects or retries indefinitely. Phase Two implements manual control over IPSec VPN tunnels, making it possible to establish and terminate the tunnel on demand. The manual feature is implemented with a new subcommand under the crypto ipsec client ezvpn command. The syntax is as follows:

Rtr1(config)#crypto ipsec client ezvpn name
Rtr1(config-crypto-ezvpn)#connect [auto | manual]

Automatic is the default setting, compatible with Phase One functionality. As such, the subcommand with the autoparameter is only needed to reverse the manual option.

With the manual option, the Easy VPN Client waits for the following command to attempt to establish the connection or to reestablish a timed out or failed session:

Rtr1#crypto ipsec client ezvpn connect name

Use the following clear command to disconnect an established tunnel.

Rtr1#clear crypto ipsec client ezvpn [name]

Multiple Outside Interfaces Support

Phase One supports only one outside interface on the remote client router. The crypto ipsec client ezvpn name outside command option allows designating up to four outside interfaces. The default option is outside. The syntax is as follows:

Rtr1(config-if)#interface interface-id
Rtr1(config-if)#crypto ipsec client ezvpn name [outside | inside]

This feature is applicable only to platforms, such as the Cisco 1700 series routers, that support multiple outside interfaces.

While each inside or outside interface supports only one tunnel, multiple inside interfaces can be mapped to one outside interface.

The following example shows configuring an outside interface using the designation outside. As the default, the outside didn’t need to be included:

Rtr1(config)#interface serial 0/0
Rtr1(config-if)#crypto ipsec client ezvpn vpn1 outside