Introduction to Cisco Easy VPN
Easy VPN Remote client connection in detail

Step 1 The VPN Client Initiates the IKE Phase 1 Process.
Because there are two ways to perform authentication, the VPN Client must consider the following when initiating this phase.

If a pre-shared key is to be used for authentication, the VPN Client initiates aggressive mode (AM). When pre-shared keys are used, the accompanying group name entered in the configuration GUI, ID_KEY_ID, is used to identify the group profile associated with this VPN Client.

If digital certificates are to be used for authentication, the VPN Client initiates main mode (MM). When digital certificates are used, the organizational unit (OU) field of a distinguished name (DN) is used to identify the group profile.

Because the VPN Client may be configured for pre-shared key authentication, which initiates IKE AM, it is recommended that the administrator change the identity of the Cisco IOS VPN device via the crypto isakmp identity hostname command. This action does not affect certificate authentication via IKE MM.

Step 2 The VPN Client Establishes an ISAKMP SA.
To reduce the amount of manual configuration on the VPN Client, every combination of encryption and hash algorithms, in addition to authentication methods and Diffie-Hellman (DH) group sizes, is proposed.

Step 3 The Easy VPN Server Accepts the SA Proposal.
ISAKMP policy is global for the Easy VPN Server and can consist of several proposals. In the case of multiple proposals, the Easy VPN Server will use the first match. The most secure policies should always be listed first.

Device authentication ends and user authentication begins at this point.

Step 4 The Easy VPN Server Initiates a Username/Password Challenge.
The information that is entered is checked against authentication entities using AAA protocols such as RADIUS and TACACS+. Token cards may also be used via AAA proxy.

VPN devices that are configured to handle remote VPN Clients should always be configured to enforce user authentication.

Step 5 The Mode Configuration Process is Initiated.
The remaining system parameters, such as IP address, DNS, and split tunnel attributes, are pushed to the VPN Client at this time using mode configuration. The IP address is the only required parameter in a group profile. All other parameters are optional.

Step 6 The Reverse Route Injection (RRI) Process is Initiated.
Reverse Route Injection (RRI) ensures that a static route is created on the Easy VPN Server for the internal IP address of each VPN Client.

It is recommended that RRI be enabled on the crypto map, either static or dynamic, for the support of VPN Clients, unless the crypto map is being applied to a Generic Routing Encapsulation (GRE) tunnel that is already being used to distribute routing information.

Step 7 IPSec Quick Mode Completes the Connection.
After IPSec SAs have been created, the connection is complete.
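The seven steps above, assembled into a minimal Easy VPN Server configuration on Cisco IOS. This is an added example, not configuration from the original page; the group name, pool, addresses, ACL number and AAA list names are constructed placeholders, and the pre-shared key must be replaced with a real value.

```cisco
! Step 4: user authentication (Xauth) is checked against RADIUS, local as fallback
aaa new-model
aaa authentication login USER-AUTH group radius local
aaa authorization network GROUP-AUTHOR local
!
! Step 1: pre-shared key clients use aggressive mode, so identify by hostname
crypto isakmp identity hostname
!
! Step 3: policies are global; the strongest proposal is listed first
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
! Step 1/5: group profile matched by ID_KEY_ID; pool is the only required attribute
crypto isakmp client configuration group REMOTE-USERS
 key REPLACE-WITH-GROUP-PSK
 dns 10.1.1.10
 domain example.com
 pool EZVPN-POOL
 acl 101
!
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.254
! split tunnel: only corporate 10.1.0.0/16 traffic is sent through the tunnel
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
!
! Step 7: transform set used for the IPSec SAs built in quick mode
crypto ipsec transform-set EZVPN-TS esp-aes 256 esp-sha-hmac
!
! Step 6: reverse-route injects a static route per client address
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 reverse-route
!
! Step 4/5: enforce user authentication and answer mode configuration requests
crypto map EZVPN-MAP client authentication list USER-AUTH
crypto map EZVPN-MAP isakmp authorization list GROUP-AUTHOR
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface GigabitEthernet0/0
 crypto map EZVPN-MAP
```

Policy 20 exists only as a fallback for older clients; remove it once no client needs 3DES, since the server accepts the first matching proposal.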