Step 1 The VPN Client Initiates the IKE Phase 1 Process.

Because there are two ways to perform authentication, the VPN Client must consider the following when initiating this phase.

If a pre-shared key is to be used for authentication, the VPN Client initiates aggressive mode (AM). When pre-shared keys are used, the accompanying group name entered in the configuration GUI, ID_KEY_ID, is used to identify the group profile associated with this VPN Client.

If digital certificates are to be used for authentication, the VPN Client initiates main mode (MM). When digital certificates are used, the organizational unit (OU) field of a distinguished name (DN) is used to identify the group profile.

Because the VPN Client may be configured for pre-shared key authentication, which initiates IKE AM, it is recommended that the administrator change the identity of the Cisco IOS VPN device via the crypto isakmp identity hostname command. This action does not affect certificate authentication via IKE MM.
Step 2 The VPN Client Establishes an ISAKMP SA.

To reduce the amount of manual configuration on the VPN Client, every combination of encryption and hash algorithms, in addition to authentication methods and Diffie-Hellman (DH) group sizes, is proposed.
Step 3 The Easy VPN Server Accepts the SA Proposal.

ISAKMP policy is global for the Easy VPN Server and can consist of several proposals. In the case of multiple proposals, the Easy VPN Server will use the first match. The most secure policies should always be listed first.

Device authentication ends and user authentication begins at this point.
Step 4 The Easy VPN Server Initiates a Username/Password Challenge.

The information that is entered is checked against authentication entities using AAA protocols such as RADIUS and TACACS+. Token cards may also be used via AAA proxy.

VPN devices that are configured to handle remote VPN Clients should always be configured to enforce user authentication.
Step 5 The Mode Configuration Process Is Initiated.

The remaining system parameters, such as IP address, DNS, and split tunnel attributes, are pushed to the VPN Client at this time using mode configuration. The IP address is the only required parameter in a group profile. All other parameters are optional.
Step 6 The Reverse Route Injection (RRI) Process Is Initiated.

Reverse Route Injection (RRI) ensures that a static route is created on the Easy VPN Server for the internal IP address of each VPN Client.

It is recommended that RRI is enabled on the crypto map, either static or dynamic, for the support of VPN Clients, unless the crypto map is being applied to a Generic Routing Encapsulation (GRE) tunnel that is already being used to distribute routing information.
Step 7 IPSec Quick Mode Completes the Connection.

After IPSec SAs have been created, the connection is complete.
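The following Cisco IOS configuration is an added example of an Easy VPN Server built to the recommendations in Steps 1 through 6; it is not taken from the original document. It sets the ISAKMP identity to hostname, orders the global ISAKMP policies so that the strongest proposal is matched first, enforces user authentication through AAA (local database here, RADIUS or TACACS+ in practice), pushes the address pool, DNS server and split-tunnel ACL through mode configuration, and enables RRI on the dynamic crypto map. The group name ENGINEERING, the pool and ACL numbers, the addresses, the interface name and the username are constructed sample values; the pre-shared key and user secret are placeholders to be replaced. It assumes an IOS release that supports the aes 256, sha256 and group 14 keywords.

```cisco
! AAA: user authentication (Step 4) and group authorization (Step 5)
aaa new-model
aaa authentication login VPNUSERS local
aaa authorization network VPNGROUPS local
! Sample local user; a RADIUS or TACACS+ server group would normally replace "local"
username alice secret REPLACE-WITH-USER-SECRET
!
! Step 1: use the hostname as ISAKMP identity because pre-shared-key
! clients initiate aggressive mode
crypto isakmp identity hostname
!
! Step 3: ISAKMP policy is global and matched first-hit, so the
! strongest proposals carry the lowest sequence numbers
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
! Weaker policy kept only for legacy clients; listed last so it is
! chosen only when nothing above matches
crypto isakmp policy 30
 encryption aes 128
 hash sha
 authentication pre-share
 group 5
!
! Step 5: group profile pushed by mode configuration; the pool (IP address)
! is the only required parameter, dns and acl (split tunnel) are optional
crypto isakmp client configuration group ENGINEERING
 key REPLACE-WITH-GROUP-PRESHARED-KEY
 dns 10.0.0.53
 pool VPNPOOL
 acl 101
!
ip local pool VPNPOOL 10.10.10.1 10.10.10.254
! Split-tunnel ACL: only traffic to 10.0.0.0/8 is sent through the tunnel
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.10.10.0 0.0.0.255
!
! Step 7: IPSec transform set used by quick mode
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha256-hmac
!
! Step 6: dynamic crypto map for remote clients with RRI enabled
crypto dynamic-map DYNMAP 10
 set transform-set ESP-AES-SHA
 reverse-route
!
! Step 4: enforce user authentication (xauth) and group authorization,
! and answer mode-configuration requests from clients
crypto map CLIENTMAP client authentication list VPNUSERS
crypto map CLIENTMAP isakmp authorization list VPNGROUPS
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
interface GigabitEthernet0/0
 crypto map CLIENTMAP
```

After a client connects, show crypto isakmp sa and show crypto ipsec sa confirm which policy and transform set were negotiated, and show ip route lists the /32 host route that RRI installed for the client's pool address; if a legacy policy such as sequence 30 shows up for a client that could have matched policy 10, the ordering of the policies, not the client, is what to check.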