VPN 3000 Concentrator Client Support

Cisco Easy VPN

The Cisco Easy VPN is a software enhancement for existing Cisco routers and security appliances that can simplify VPN deployment for remote offices and telecommuters. Easy VPN is based on the Cisco Unified Client Framework using a centrally located Easy VPN Server, which is configured with all parameters required of remote device. The remote Easy VPN client can be preconfigured for mass deployments and initial logins require little user intervention. The full client configuration is “pushed” down from the Easy VPN Server when the client connects.

Cisco Easy VPN centralizes VPN configuration and management, thereby reducing the complexity of VPN deployments. The Cisco Easy VPN strategy incorporates all Cisco VPN client implementations into a single deployment, including IOS routers, PIX Firewalls, the VPN 3002 Hardware Client, and software VPN clients. This system offers consistent policy and key management methods, thus simplifying remote side setup and administration.

Using this feature, security policies defined and updated at the head-end are pushed to the remote VPN client, ensuring those connections have current policies in place before any connection is established. In addition, a Cisco Easy VPN Server-enabled device can terminate VPN tunnels initiated by mobile remote workers running Cisco VPN client software on PCs. This flexibility makes it possible for traveling workers or telecommuters to access the corporate intranet for critical data and applications.

The Cisco Easy VPN client on a hardware device supports both the VPN Client and Network Extension modes discussed earlier.

The Cisco Easy VPN client feature currently supports the following hardware platforms. It might be necessary to upgrade the IOS on older devices to have the feature. Be sure to check the Cisco web site to see if other models have been added.

• Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers

• Cisco uBR905 and Cisco uBR925 cable access routers

• Cisco 1700 series routers

• PIX 500 Series Firewalls

• Cisco VPN 3002 Hardware Client

The Cisco Easy VPN Server feature supports the following hardware platforms. As with the client, it might be necessary to upgrade the IOS have the feature. Be sure to check the Cisco web site to see if other models have been added.

• Cisco VPN 3000 Concentrators

• PIX 500 Series Firewalls

• Most Cisco IOS routers

The Cisco Easy VPN Remote feature provides for automatic management of the following details:

• Negotiating tunnel parameters�"Addresses, algorithms, lifetimes, and so on

• Establishing tunnels according to the defined parameters

• Automatically creating the NAT/PAT translation and any associated access lists

• Authenticating users�"Making sure users are who they say they are, by way of user names, group names, and passwords

• Managing security keys for encryption and decryption

• Authenticating, encrypting, and decrypting data through the tunnel

• Client software upgrades for the VPN 3002

The Cisco VPN Client provides support for Windows 95, 98, Me, NT 4.0, 2000, XP, Linux (Intel), Solaris (UltraSparc-32bit), and MAC OS X 10.1, including centralized split-tunneling control and data compression. VPN client configuration was covered in Chapter 12.

Cisco VPN 3002 Hardware Client

The Cisco VPN 3002 Hardware Client was designed for organizations with many remote office environments. The 3002 combines the ease of use and scalability of a software client with the reliability and stability of a hardware platform. The 3002 client supports Easy VPN Remote, allowing it to connect to any Easy VPN server site concentrator. The VPN 3002 Hardware Client works invisibly with any OS supporting IP, including Solaris, Mac, and Linux.

The VPN 3002 is available with or without a built-in 8-port switch and allows up to 253 station connections in a single network.

Release 3.6 included two significant feature enhancements for the VPN 3002 Hardware Client device:

• Software-based AES providing an enhanced security option through stronger encryption capabilities. As with the Cisco VPN Client, enhanced remote access performance also exists on the Cisco VPN 3002 Hardware Client.

• H.323 Fixup feature allows remote access users�"in Client mode�"behind the Cisco VPN 3002 Hardware Client, to use NetMeeting or other H.323 applications. H.323 requires no configuration on either the VPN Concentrator or the VPN 3002.

Wireless Client Support

With release 3.0, all Cisco VPN 3000 Concentrators support ECC. This is a new Diffie�"Hellman Group, which allows for much faster processing of keying information by devices with limited processing power, such as PDAs and smart phones. Cisco VPN 3000 Concentrators can now securely terminate tunnels from IP-enabled wireless devices, allowing a whole new class of users to access enterprise information securely, while preserving the investment in VPN termination equipment in the enterprise data center.

Cisco Internet Mobile Office

The Cisco VPN 3000 Series Concentrator, Cisco VPN 3002 Hardware Client, and the Cisco VPN Client work together with the Cisco Internet Mobile Office to provide mobile professionals with secure, high-speed broadband connectivity to their networks in airports, convention centers, hotels, and a growing number of other public spaces. 13 son