The Easy VPN Remote feature enables Cisco IOS routers, PIX Security
Appliances, and Cisco VPN 3002 Hardware Clients or Software Clients to act as
remote VPN Clients. These devices can receive security policies from an Easy
VPN Server, minimizing VPN configuration requirements at the remote location.
This cost-effective solution is ideal for remote offices with little IT support
or for large customer premises equipment (CPE) deployments where it is
impractical to individually configure multiple remote devices. This feature
makes VPN configuration as easy as entering a password, which increases
productivity and lowers costs because the need for local IT support is
minimized.
In the example in Figure , the VPN gateway
is a Cisco IOS router running the Easy VPN Server feature. Remote Cisco IOS
routers and VPN Software Clients connect to the Cisco IOS router Easy VPN
Server for access to the corporate intranet.
Restrictions for VPN Remote
The Cisco Easy VPN Remote feature requires that the destination
peer be a Cisco IOS Easy VPN server or VPN concentrator that supports the Cisco
Easy VPN Server feature. At the time of publication, this includes the
platforms when running the indicated software releases that are shown in Figure .
Only ISAKMP Policy Group 2 Supported on Easy VPN Servers
The Unity Protocol supports only Internet Security Association and Key Management
Protocol (ISAKMP) policies that use group 2 (1024-bit Diffie-Hellman) Internet
Key Exchange (IKE) negotiation, so the Easy VPN server being used with the
Cisco Easy VPN Remote feature must be configured for a group 2 ISAKMP policy.
The Easy VPN server cannot be configured for ISAKMP group 1 or group 5 when
being used with a Cisco Easy VPN client.
Transform Sets Supported
To ensure a secure tunnel connection,
the Cisco Easy VPN Remote feature does not support transform sets that provide
encryption without authentication, such as ESP-DES and ESP-3DES. Transform sets
that provide authentication without encryption, such as ESP-NULL ESP-SHA-HMAC
and ESP-NULL ESP-MD5-HMAC, are also not supported.
NOTE:
The Cisco Unity Client Protocol does not support Authentication Header
(AH) authentication, but Encapsulating Security Payload (ESP) is
supported.
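The ISAKMP group and transform-set restrictions above can be checked mechanically before an Easy VPN server is put into service. The following Python audit is an added example, not part of the original Cisco documentation; the function name, the finding strings and the sample configuration are constructed for illustration, and a policy with no explicit group line is reported rather than assumed to be compliant.

```python
import re

# Keywords as written in IOS "crypto ipsec transform-set" lines.
ESP_ENCRYPTION = {"esp-des", "esp-3des", "esp-aes"}
ESP_AUTH = {"esp-sha-hmac", "esp-md5-hmac"}
# Constructed sample config, not taken from a real device.
SAMPLE = """\
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp policy 5
 encr 3des
 group 5
crypto isakmp policy 10
 encr 3des
!
crypto ipsec transform-set GOOD esp-3des esp-sha-hmac
crypto ipsec transform-set ENC-ONLY esp-3des
crypto ipsec transform-set AUTH-ONLY esp-null esp-sha-hmac
crypto ipsec transform-set WITH-AH ah-sha-hmac esp-3des esp-sha-hmac
"""

def audit_easy_vpn_server(config):
    """Return findings for the ISAKMP group and transform-set restrictions."""
    findings, policy, group = [], None, None
    def close_policy():
        # A policy with no explicit "group" line is reported, not guessed at.
        if policy is not None and group != "2":
            findings.append(f"isakmp policy {policy}: group {group or 'not set'}, need 2")
    for raw in config.splitlines():
        line = raw.strip()
        if policy is not None and raw[:1].isspace():  # sub-command of the open policy
            m = re.match(r"group (\d+)$", line)
            group = m.group(1) if m else group
            continue
        close_policy()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        policy, group = (m.group(1), None) if m else (None, None)
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            name, used = m.group(1), set(m.group(2).split())
            if any(t.startswith("ah-") for t in used):
                findings.append(f"transform-set {name}: AH not supported")
            if not used & ESP_ENCRYPTION:  # esp-null alone is not encryption
                findings.append(f"transform-set {name}: no ESP encryption")
            if not used & ESP_AUTH:
                findings.append(f"transform-set {name}: no ESP authentication")
    close_policy()
    return findings
```

Calling `audit_easy_vpn_server(SAMPLE)` returns one finding per non-compliant policy or transform set, in configuration order; an empty list means no restriction was violated.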
Dial Backup for Easy VPN Remotes
Line-status-based backup is not
supported in this feature.
NAT Interoperability Support
NAT interoperability is not supported in client mode with split tunneling.