Introduction to Cisco Easy VPN
Overview of the Cisco Easy VPN Remote

The Easy VPN Remote feature enables Cisco IOS routers, PIX Security Appliances, and Cisco VPN 3002 Hardware Clients or Software Clients to act as remote VPN Clients. These devices can receive security policies from an Easy VPN Server, minimizing VPN configuration requirements at the remote location. This cost-effective solution is ideal for remote offices with little IT support or for large customer premises equipment (CPE) deployments where it is impractical to individually configure multiple remote devices. This feature makes VPN configuration as easy as entering a password, which increases productivity and lowers costs because the need for local IT support is minimized.

In the example in Figure , the VPN gateway is a Cisco IOS router running the Easy VPN Server feature. Remote Cisco IOS routers and VPN Software Clients connect to the Cisco IOS router Easy VPN Server for access to the corporate intranet.

Restrictions for VPN Remote
The Cisco Easy VPN Remote feature requires that the destination peer be a Cisco IOS Easy VPN server or VPN concentrator that supports the Cisco Easy VPN Server feature. At the time of publication, the supported platforms and the software releases they must run are shown in Figure .

Only ISAKMP Policy Group 2 Supported on Easy VPN Servers
The Unity Protocol supports only Internet Security Association and Key Management Protocol (ISAKMP) policies that use group 2 (1024-bit Diffie-Hellman) Internet Key Exchange (IKE) negotiation, so the Easy VPN server being used with the Cisco Easy VPN Remote feature must be configured for a group 2 ISAKMP policy. The Easy VPN server cannot be configured for ISAKMP group 1 or group 5 when being used with a Cisco Easy VPN client.

Transform Sets Supported
To ensure a secure tunnel connection, the Cisco Easy VPN Remote feature does not support transform sets that provide encryption without authentication, such as ESP-DES and ESP-3DES. Transform sets that provide authentication without encryption, such as ESP-NULL ESP-SHA-HMAC and ESP-NULL ESP-MD5-HMAC, are also not supported.

NOTE: The Cisco Unity Client Protocol does not support Authentication Header (AH) authentication, but Encapsulating Security Payload (ESP) is supported.
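
The group 2 requirement, the transform-set rules and the AH note above can be checked against a server configuration before remotes are deployed. The following Python script is an added example, not from the original page or from Cisco; the sample configuration is constructed, and flagging every ISAKMP policy that does not explicitly set group 2 is an assumption chosen for a conservative audit.

```python
import re

# Constructed sample configuration for illustration; not taken from the page.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr 3des
 group 5
crypto ipsec transform-set GOOD esp-3des esp-sha-hmac
crypto ipsec transform-set ENC_ONLY esp-3des
crypto ipsec transform-set AUTH_ONLY esp-null esp-md5-hmac
crypto ipsec transform-set WITH_AH ah-sha-hmac esp-3des
"""

ESP_AUTH = {"esp-sha-hmac", "esp-md5-hmac"}

def audit(config):
    """Return (object, reason) findings for settings Easy VPN Remote rejects."""
    findings, groups, policy = [], {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            policy = None  # a top-level command ends any policy sub-mode
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            policy = m.group(1)
            groups[policy] = None  # no explicit "group" line seen yet
        elif policy and (g := re.match(r"\s+group (\d+)", line)):
            groups[policy] = g.group(1)
        elif (t := re.match(r"crypto ipsec transform-set (\S+) (.+)", line)):
            name, transforms = t.group(1), t.group(2).split()
            has_ah = any(x.startswith("ah-") for x in transforms)
            has_auth = any(x in ESP_AUTH for x in transforms)
            has_enc = any(x.startswith("esp-") and x not in ESP_AUTH
                          and x != "esp-null" for x in transforms)
            if has_ah:
                findings.append((name, "AH is not supported"))
            if has_enc and not has_auth:
                findings.append((name, "encryption without authentication"))
            if has_auth and not has_enc:
                findings.append((name, "authentication without encryption"))
    for number, group in groups.items():
        if group != "2":
            findings.append((f"isakmp policy {number}", "not explicitly group 2"))
    return findings

if __name__ == "__main__":
    for obj, reason in audit(SAMPLE_CONFIG):
        print(f"{obj}: {reason}")
```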

Dial Backup for Easy VPN Remotes
Line-status-based backup is not supported in this feature.

NAT Interoperability Support
NAT interoperability is not supported in client mode with split tunneling.