Table Of Contents
Easy VPN Server
Creating an Easy VPN Server Connection
Create an Easy VPN Server Reference
Create an Easy VPN Server
Welcome to the Easy VPN Server Wizard
Interface and Authentication
Group Authorization and Group Policy Lookup
User Authentication (XAuth)
User Accounts for XAuth
Add RADIUS Server
Group Authorization: User Group Policies
General Group Information
DNS and WINS Configuration
Split Tunneling
Client Settings
Choose Browser Proxy Settings
Add or Edit Browser Proxy Settings
User Authentication (XAuth)
Client Update
Add or Edit Client Update Entry
Cisco Tunneling Control Protocol
Summary
Browser Proxy Settings
Editing Easy VPN Server Connections
Edit Easy VPN Server Reference
Edit Easy VPN Server
Add or Edit Easy VPN Server Connection
Restrict Access
Group Policies Configuration
IP Pools
Add or Edit IP Local Pool
Add IP Address Range
Easy VPN Server
The Easy VPN Server feature introduces server support for the Cisco VPN Client Release 3.x and later software clients and Cisco VPN hardware clients. The feature allows a remote end user to communicate using IP Security (IPSec) with any Cisco IOS Virtual Private Network (VPN) gateway. Centrally managed IPSec policies are "pushed" to the client by the server, minimizing configuration by the end user.
The following link provides general information on the Cisco Easy VPN solution, and other links for more specific information:
http://www.cisco.com/en/US/products/sw/secursw/ps5299/index.html
This chapter contains the following sections:
• Creating an Easy VPN Server Connection
• Editing Easy VPN Server Connections
Creating an Easy VPN Server Connection
Use the Cisco SDM Easy VPN Server wizard to create an Easy VPN Server connection on the router.
Complete these steps to configure an Easy VPN Server connection using the Easy VPN Server wizard:
Step 1
If you want to review the Cisco IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. The preview screen allows you to cancel the configuration if you want to.
Step 2
In the Cisco SDM toolbar, click Configure.
Step 3
In the Cisco SDM taskbar, click VPN.
Step 4
In the VPN tree, click Easy VPN Server.
Step 5
In the Create Easy VPN Server tab, complete any recommended tasks that are displayed by clicking the link for the task. Cisco SDM either completes the task for you, or displays the necessary configuration screens for you to make settings in.
Step 6
Click Launch Easy VPN Server Wizard to begin configuring the connection.
Step 7
Make configuration settings in the wizard screens. Click Next to go from the current screen to the next screen. Click Back to return to a screen you have previously visited.
Step 8
Cisco SDM displays the Summary screen when you have completed the configuration. Review the configuration. If you need to make changes, click Back to return to the screen in which you need to make changes, then return to the Summary screen.
Step 9
If you want to test the connection after sending the configuration to the router, check Test the connectivity after configuring. After you click Finish, Cisco SDM tests the connection and displays the test results in another screen.
Step 10
To send the configuration to the router, click Finish.
Step 11
If you checked Preview commands before delivering to router in the Edit Preferences screen, the Cisco IOS CLI commands that you are sending are displayed. Click OK to send the configuration to the router, or click Cancel to discard it. If you did not make this setting, clicking Finish sends the configuration to the router.
Create an Easy VPN Server Reference describes the configuration screens you use to create an Easy VPN server connection.
Create an Easy VPN Server Reference
The topics in this section describe the configuration screens:
• Create an Easy VPN Server
• Welcome to the Easy VPN Server Wizard
• Interface and Authentication
• Group Authorization and Group Policy Lookup
• User Authentication (XAuth)
• User Accounts for XAuth
• Add RADIUS Server
• Group Authorization: User Group Policies
• General Group Information
• DNS and WINS Configuration
• Split Tunneling
• Client Settings
• Choose Browser Proxy Settings
• Add or Edit Browser Proxy Settings
• User Authentication (XAuth)
• Client Update
• Add or Edit Client Update Entry
• Cisco Tunneling Control Protocol
• Summary
• Browser Proxy Settings
Create an Easy VPN Server
This wizard will guide you through the necessary steps to configure an Easy VPN Server on this router.
Field Reference
Table 13-1 describes the fields in this screen.
Table 13-1 Create an Easy VPN Server Fields
Element | Description
Launch the Easy VPN Server Wizard | Click this button to start the wizard.
Welcome to the Easy VPN Server Wizard
This wizard will guide you in performing the following tasks to successfully configure an Easy VPN Server on this router.
• Choosing the interface on which the client connections will terminate, and the authentication method used for the server and Easy VPN clients
• Configuring IKE policies
• Configuring an IPSec transform set
• Configuring group authorization and the group policy lookup method
• Configuring user authentication
• Configuring external RADIUS servers
• Configuring policies for remote users connecting to Easy VPN clients
Interface and Authentication
This window lets you choose the interface on which you want to configure the Easy VPN Server.
If you choose an interface that is already configured with a site-to-site IPSec policy, Cisco SDM displays a message that an IPSec policy already exists on the interface. Cisco SDM uses the existing IPSec policy to configure the Easy VPN Server.
If the chosen interface is part of an Easy VPN Remote, GREoIPSec, or DMVPN interface, Cisco SDM displays a message to choose another interface.
Field Reference
Table 13-2 describes the fields in this screen.
Table 13-2 Interface and Authentication Fields
Element | Description
Details | Click this button to obtain details about the interface you choose. The details window shows any access rules, IPSec policies, NAT rules, or inspection rules associated with the interface. This button is dimmed when no interface is chosen.
Authentication | Choose one of the following:
• Pre-shared Keys—If you click Pre-shared Keys, you must enter a key value when you configure the Add Group Policy general setup window.
• Digital Certificates—If you click Digital Certificates, the preshared key fields do not appear in the Add Group Policy general setup window.
• Both—If you click Both, entering a key value in the Add Group Policy general setup window is optional.
Group Authorization and Group Policy Lookup
This window allows you to define a new AAA authorization network method list for group policy lookup or to choose an existing network method list.
Field Reference
Table 13-3 describes the fields in this screen.
Table 13-3 Group Authorization and Policy Lookup Fields
Element | Description
Local Only | This option allows you to create a method list for the local database only. When you define an AAA method list for the local database, the router looks at the local database for group authentication.
RADIUS Only | This option allows you to create a method list for a RADIUS database.
RADIUS and Local | This option allows you to create a method list for both a RADIUS and the local database. When you define method lists for both a RADIUS and local database, the router first looks at the RADIUS server and then the local database for group authentication.
Select an existing AAA method list | This option lets you choose an existing AAA method list on the router to use for group authentication.
User Authentication (XAuth)
You can configure user authentication on Easy VPN Server. You can store user authentication details on an external server such as a RADIUS server or a local database or on both. An AAA login authentication method list is used to decide the order in which user authentication details should be searched.
Field Reference
Table 13-4 describes the fields in this screen.
Table 13-4 User Authentication Fields
Element | Description
Local | Click Local to add user authentication details to the local database.
RADIUS | Click RADIUS if you want to add user authentication details to the database on the RADIUS server.
RADIUS and Local | Click RADIUS and Local to add user authentication details for both a RADIUS and local database.
Select an existing AAA Method List | Click Select an existing AAA Method List to choose a method list from a list of all method lists configured on the router. The chosen method list is used for extended authentication.
Add User Credentials | Click Add User Credentials to add a user account.
Summary | If you choose RADIUS, the Summary box is displayed. It explains how the RADIUS and local databases are used, and that the Easy VPN remote user can be notified when their password has expired.
• Notify remote user of password expiration—This option is checked by default. When enabled, the Easy VPN Server notifies the user when their password has expired and prompts them to enter a new password.
User Accounts for XAuth
Add an account for a user you want to authenticate after IKE has authenticated the device.
Field Reference
Table 13-5 describes the fields in this screen.
Table 13-5 User Accounts for XAuth Fields
Element | Description
User Accounts | The user accounts that XAuth will authenticate are listed in this box. The account name and privilege level are visible.
Add / Edit | Use these buttons to add and edit user accounts. User accounts can be deleted in the Additional Tasks > Router Access > User Accounts/View window.
Note: Existing CLI view user accounts cannot be edited from this window. If you need to edit user accounts, go to Additional Tasks > Router Access > User Accounts/CLI View.
Add RADIUS Server
This window lets you add a new RADIUS server or edit or ping an already existing RADIUS server.
Field Reference
Table 13-6 describes the fields in this screen.
Table 13-6 Add a RADIUS Server Fields
Element | Description
Add | Add a new RADIUS server.
Edit | Edit an already existing RADIUS server configuration.
Ping | Ping an already existing RADIUS server or a newly configured RADIUS server.
Group Authorization: User Group Policies
This window allows you to add, edit, clone or delete user group policies on the local database.
Field Reference
Table 13-7 describes the fields in this screen.
Table 13-7 User Group Policies Fields
Element | Description
Group Policy List area:
Select | Check the box in this column next to the groups that you want this Easy VPN server connection to serve.
Group Name | Name given to the user group.
Pool | Name of the IP address pool from which an IP address is assigned to a user connecting from this group.
DNS | Domain Name System (DNS) address of the group. This DNS address is "pushed" to the users connecting to this group.
WINS | Windows Internet Naming Service (WINS) address of the group. This WINS address is "pushed" to the users connecting to this group.
Domain Name | Domain name of the group. This domain name is "pushed" to the users connecting to this group.
Split ACL | The access control list (ACL) that represents protected subnets for split tunneling purposes.
Configure Idle Timer area:
Idle Timer | Click the Configure Idle Timer check box and enter a value for the maximum time that a VPN tunnel can remain idle before being disconnected. Enter hours in the left field, minutes in the middle field, and seconds in the right field. The minimum time allowed is 1 minute. Disconnecting idle VPN tunnels can help the Easy VPN Server run more efficiently by reclaiming unused resources.
General Group Information
This window allows you to configure, edit, and clone group policies.
Field Reference
Table 13-8 describes the fields in this screen.
Table 13-8 General Group Information Fields
Element | Description
Please Enter a Name for This Group | Enter the group name in the field provided. If this group policy is being edited, this field is disabled. If you are cloning a group policy, you must enter a new value in this field.
Preshared Key | Enter the preshared key in the fields provided. The Current key field cannot be changed.
Note: You do not have to enter a preshared key if you are using digital certificates for group authentication. Digital certificates are also used for user authentication.
Pool Information | Specifies a local pool of IP addresses that are used to allocate IP addresses to clients.
• Create a New Pool—Enter the range of IP addresses for the local IP address pool in the IP Address Range field.
• Select from an Existing Pool—Choose the range of IP addresses from the existing pool of IP addresses.
Note: This field cannot be edited if there are no predefined IP address pools.
Subnet Mask (Optional) | Enter a subnet mask to send with the IP addresses allocated to clients in this group.
Maximum Connections Allowed | Specify the maximum number of client connections to the Easy VPN Server from this group. Cisco SDM supports a maximum of 5000 connections per group.
DNS and WINS Configuration
This window allows you to specify the Domain Name Service (DNS) and Windows Internet Naming Service (WINS) information.
Field Reference
Table 13-9 describes the fields in this screen.
Table 13-9 DNS and WINS Fields
Element | Description
DNS | Enter the primary and secondary DNS server IP addresses in the fields provided. Entering a secondary DNS server address is optional.
WINS | Enter the primary and secondary WINS server IP addresses in the fields provided. Entering a secondary WINS server address is optional.
Domain Name | Specify the domain name that should be pushed to the Easy VPN client.
Split Tunneling
This window allows you to enable split tunneling for the user group you are adding.
Split tunneling is the ability to have a secure tunnel to the central site and simultaneous clear text connections to the Internet. With split tunneling enabled, only traffic sourced from the client for the protected destination subnets is sent through the VPN tunnel; all other traffic leaves the client directly.
You can also specify which groups of ACLs represent protected subnets for split tunneling.
Field Reference
Table 13-10 describes the fields in this screen.
Table 13-10 Split Tunneling Fields
Element | Description
Enable Split Tunneling | This box allows you to add protected subnets and ACLs for split tunneling.
• Enter the Protected Subnets—Add or remove the subnets for which the packets are tunneled from the VPN clients.
• Choose the Split Tunneling ACL—Choose the ACL to use for split tunneling.
Split DNS | Enter the Internet domain names that should be resolved by your network's DNS server. The following restrictions apply:
• A maximum of 10 entries is allowed.
• Entries must be separated with a comma.
• Do not use spaces anywhere in the list of entries.
• Duplicate entries or entries with invalid formats are not accepted.
Note: This feature appears only if supported by your Cisco server's IOS release.
Client Settings
This window allows you to configure additional attributes for security policy such as adding or removing a backup server, Firewall Are-U-There, and Include-Local-LAN.
Note: Some of the features described below appear only if supported by your Cisco server's IOS release.
Field Reference
Table 13-11 describes the fields in this screen.
Table 13-11 Client Settings Fields
Element | Description
Backup Servers | You can specify up to ten servers by IP address or hostname as backup for the Easy VPN server, and order the list to control which servers the router will attempt to connect to first if the primary connection to the Easy VPN server fails.
• Add—Click Add to specify the name or the IP address of an Easy VPN server for the router to connect to when the primary connection fails, and then enter the address or hostname in the window displayed.
• Delete—Click Delete to remove a specified IP address or hostname.
Configuration Push | You can specify an Easy VPN client configuration file using a URL and version number. The Easy VPN Server sends the URL and version number to Easy VPN hardware clients requesting that information. Only Easy VPN hardware clients belonging to the group policy you are configuring can request the URL and version number you enter in this window.
Enter the URL of the configuration file in the URL field. The URL should begin with an appropriate protocol, and can include usernames and passwords. The following are URL examples for downloading an upgrade file called sdm.exe:
• http://username:password@www.cisco.com/go/vpn/sdm.exe
• https://username:password@www.cisco.com/go/vpn/sdm.exe
• ftp://username:password@www.cisco.com/go/vpn/sdm.exe
• tftp://username:password@www.cisco.com/go/vpn/sdm.exe
• scp://username:password@www.cisco.com/go/vpn/sdm.exe
• rcp://username:password@www.cisco.com/go/vpn/sdm.exe
• cns:
• xmodem:
• ymodem:
• null:
• flash:sdm.exe
• nvram:sdm.exe
• usbtoken[0-9]:sdm.exe
The USB token port number range is 0-9. For example, for a USB token attached to USB port 0, the URL is usbtoken0:sdm.exe.
• usbflash[0-9]:sdm.exe
The USB flash port number range is 0-9. For example, for a USB flash attached to USB port 0, the URL is usbflash0:sdm.exe.
• disk[0-1]:sdm.exe
The disk number is 0 or 1. For example, for disk number 0, the URL is disk0:sdm.exe.
• archive:sdm.exe
• tar:sdm.exe
• system:sdm.exe
In these examples, username is the site username and password is the site password.
Enter the version number of the file in the Version field. The version number must be in the range 1 to 32767.
Browser Proxy | You can specify browser proxy settings for Easy VPN software clients. The Easy VPN Server sends the browser proxy settings to Easy VPN software clients requesting that information. Only Easy VPN software clients belonging to the group policy you are configuring can request the browser proxy settings you enter in this window.
Enter the name under which the browser proxy settings were saved, or choose one of the following from the drop-down menu:
• Choose an existing setting...
Opens a window with a list of existing browser proxy settings.
• Create a new setting and choose...
Opens a window where you can create new browser proxy settings.
• None
Clears any browser proxy settings assigned to the group.
Firewall Are-U-There | You can restrict VPN connections to clients running Black Ice or Zone Alarm personal firewalls.
Include Local LAN | You can allow a non-split tunneling connection to access the local subnetwork at the same time as the client.
Perfect Forward Secrecy (PFS) | Enable PFS if it is required by the IPSec security association you are using.
Choose Browser Proxy Settings
From the drop-down list, choose the browser proxy settings you want to associate with the group.
Field Reference
Table 13-12 describes the fields in this screen.
Table 13-12 Choose Browser Proxy Settings
Element | Description
Proxy Settings | Choose the settings that you want to associate with the group.
Add or Edit Browser Proxy Settings
This window allows you to add or edit browser proxy settings.
Field Reference
Table 13-13 describes the fields in this screen.
Table 13-13 Browser Proxy Settings Fields
Element | Description
Browser Proxy Settings Name | If you are adding browser proxy settings, enter a name that will appear in drop-down menus listing browser proxy settings. If you are editing browser proxy settings, the name field is read-only.
Proxy Settings | Choose one of the following:
• No Proxy Server
You do not want clients in this group to use a proxy server when they use the VPN tunnel.
• Automatically Detect Settings
You want clients in this group to automatically detect a proxy server when they use the VPN tunnel.
• Manual Proxy Configuration
You want to manually configure a proxy server for clients in this group. If you choose this option, complete the procedure for manually configuring a proxy server in this help topic.
Manually Configuring a Proxy Server
If you choose Manual Proxy Configuration, follow these steps to manually configure a proxy server:
Step 1
Enter the proxy server IP address in the Server IP Address field.
Step 2
Enter the port number that the proxy server uses for receiving proxy requests in the Port field.
Step 3
Enter a list of IP addresses for which you do not want clients to use the proxy server.
Separate the addresses with commas, and do not enter any spaces.
Step 4
If you want to prevent clients from using the proxy server for local (LAN) addresses, check the Bypass proxy server for local address check box.
Step 5
Click OK to save the browser proxy settings.
User Authentication (XAuth)
This window allows you to configure additional attributes for user authentication, such as Group Lock and Save Password.
Field Reference
Table 13-14 describes the fields in this screen.
Table 13-14 User Authentication (XAuth) Fields
Element | Description
XAuth Banner | Enter the text for a banner that is shown to users during XAuth requests.
Note: This feature appears only if supported by your Cisco server's IOS release.
Maximum Logins Allowed Per User | Specify the maximum number of connections a user can establish at a time. Cisco SDM supports a maximum of ten logins per user.
Group Lock | You can restrict a client to connect to the Easy VPN Server only from the specified user group.
Save Password | You can save the extended authentication user name and password locally on the Easy VPN Client.
Client Update
This window allows you to set up client software or firmware update notifications, and displays existing client update entries. Existing client update entries can be selected for editing or deletion.
Notifications are sent automatically to clients which connect to the server after a new or edited client update configuration is saved. Clients already connected require manual notification. To send a manual IKE notification of update availability, choose a group policy in the group policies window and click the Send Update button. Group clients meeting the client update criteria are sent the notification.
Note: The client update window is available only if supported by your Cisco server's IOS release.
Field Reference
Table 13-15 describes the fields in this screen.
Table 13-15 Client Update Fields
Element | Description
Client Type | Displays the type of client for which the revision is intended.
Revisions | Displays which revisions are available.
URL Column | Displays the location of the revisions.
Add Button | Click to configure a new client update entry.
Edit Button | Click to edit the specified client update entry.
Delete Button | Click to delete the specified client update entry.
Add or Edit Client Update Entry
This window allows you to configure a new client update entry.
Field Reference
Table 13-16 describes the fields in this screen.
Table 13-16 Add or Edit Client Update Entry Fields
Element | Description
Client Type | Enter a client type or choose one from the drop-down menu. Client type names are case sensitive.
For software clients, the client type is usually the operating system, for example, Windows. For hardware clients, the client type is usually the model number, for example, vpn3002.
If you are editing the client update entry, the client type is read-only.
URL | Enter the URL that leads to the latest software or firmware revision. The URL should begin with an appropriate protocol, and can include usernames and passwords.
The following are URL examples for downloading an upgrade file called vpnclient-4.6.exe:
• http://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe
• https://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe
• ftp://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe
• tftp://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe
• scp://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe
• rcp://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe
• cns:
• xmodem:
• ymodem:
• null:
• flash:vpnclient-4.6.exe
• nvram:vpnclient-4.6.exe
• usbtoken[0-9]:vpnclient-4.6.exe
The USB token port number range is 0-9. For example, for a USB token attached to USB port 0, the URL is usbtoken0:vpnclient-4.6.exe.
• usbflash[0-9]:vpnclient-4.6.exe
The USB flash port number range is 0-9. For example, for a USB flash attached to USB port 0, the URL is usbflash0:vpnclient-4.6.exe.
• disk[0-1]:vpnclient-4.6.exe
The disk number is 0 or 1. For example, for disk number 0, the URL is disk0:vpnclient-4.6.exe.
• archive:vpnclient-4.6.exe
• tar:vpnclient-4.6.exe
• system:vpnclient-4.6.exe
In these examples, username is the site username and password is the site password.
Revisions | Enter the revision number of the latest update. You can enter multiple revision numbers by separating them with commas, for example, 4.3,4.4,4.5. Do not use any spaces.
Cisco Tunneling Control Protocol
Cisco Tunneling Control Protocol (cTCP) enables VPN clients to operate in environments where the standard ESP protocol (IP protocol 50) or IKE protocol (UDP port 500) is not permitted. For a variety of reasons, firewalls may not permit ESP or IKE traffic, thus blocking VPN communication. cTCP solves this problem by encapsulating ESP and IKE traffic in a TCP header so that firewalls do not see it.
Field Reference
Table 13-17 describes the fields in this screen.
Table 13-17 Cisco Tunneling Control Protocol
Element | Description
Enable cTCP | Check Enable cTCP to enable this protocol on the Easy VPN server.
Specify the port numbers | Specify the port numbers on which the Easy VPN server must listen for cTCP requests from clients. You can add a maximum of 10 port numbers. Use a comma to separate entries. Here is an example of 3 port entries: 1000,3000,4000.
Summary
This window shows you the Easy VPN Server configuration that you have created, and it allows you to save the configuration. You can review the configuration in this window and click the Back button to change any items.
Clicking the Finish button writes the information to the router running configuration. If the tunnel has been configured to operate in Auto mode, the router also attempts to contact the VPN concentrator or server.
If you want to change the Easy VPN Server configuration at a later time, you can make the changes in the Edit Easy VPN Server panel.
To save this configuration to the router running configuration and leave this wizard, click Finish. Changes will take effect immediately.
Table 13-18 Summary Buttons
Element | Description
Test VPN Connectivity After Configuring | Click to test the VPN connection you have just configured. The results of the test appear in a separate window.
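The wizard screens described above correspond to Cisco IOS CLI that Finish writes to the running configuration. As an added example, not the original page's content and not output generated by Cisco SDM, the following constructed configuration shows an Easy VPN Server equivalent to the wizard choices (RADIUS-then-local group lookup, local XAuth, a group policy with split tunneling, browser proxy, and cTCP); every name, address, key, and password is an assumed placeholder.

```ios
! Constructed example: Easy VPN Server equivalent to the wizard screens.
! All names, addresses, keys, and passwords below are placeholders.
aaa new-model
! Group Authorization and Group Policy Lookup screen, "RADIUS and Local":
! the router queries the RADIUS server first, then the local database.
aaa authorization network EZVPN_GROUP_AUTHZ group radius local
! User Authentication (XAuth) screen, "Local": method list for extended authentication.
aaa authentication login EZVPN_XAUTH local
! User Accounts for XAuth screen: a local account for a VPN user (privilege 1,
! so the XAuth credential is not also an administrative login).
username vpnuser1 privilege 1 secret REPLACE_WITH_STRONG_PASSWORD
! Add RADIUS Server screen (placeholder server and shared secret).
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE_WITH_RADIUS_KEY
!
! Interface and Authentication screen, "Pre-shared Keys": IKE policy.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! General Group Information, DNS and WINS, Split Tunneling, Client Settings and
! User Authentication (XAuth) attribute screens, all pushed to clients of this group.
crypto isakmp client configuration group REMOTE_USERS
 key REPLACE_WITH_GROUP_PRESHARED_KEY
 dns 10.1.1.10 10.1.1.11
 wins 10.1.1.20
 domain example.com
 pool EZVPN_POOL
 netmask 255.255.255.0
 ! Split ACL: only traffic to the subnets matched by ACL 150 is tunneled.
 acl 150
 ! Maximum Connections Allowed (1-5000) and Maximum Logins Allowed Per User (1-10).
 max-users 100
 max-logins 1
 ! Group Lock: the user may only connect through this group.
 group-lock
 split-dns example.com
 backup-server 192.0.2.20
 firewall are-u-there
 pfs
 browser-proxy CORP_PROXY
 ! Configuration Push (hardware clients only). Credentials embedded in this URL
 ! would be stored in the router configuration, so none are used here.
 configuration url http://192.0.2.30/ezvpn/sdm.exe
 configuration version 2
 banner ^C Authorized users only. ^C
!
! Add or Edit Browser Proxy Settings screen: Manual Proxy Configuration with an
! exception list (comma-separated, no spaces) and "Bypass proxy server for local address".
crypto isakmp client configuration browser-proxy CORP_PROXY
 proxy server 10.1.1.5:8080
 proxy exception-list 10.1.1.0/24,10.1.2.0/24
 proxy bypass-local
!
! IP Pools screen: addresses handed to clients of the group.
ip local pool EZVPN_POOL 10.10.10.1 10.10.10.100
! Protected subnets for split tunneling; everything else leaves the client directly.
access-list 150 permit ip 10.1.0.0 0.0.255.255 any
!
crypto ipsec transform-set EZVPN_TS esp-aes 256 esp-sha-hmac
crypto dynamic-map EZVPN_DYN 10
 set transform-set EZVPN_TS
 reverse-route
!
! Add or Edit Easy VPN Server Connection screen: method lists for user authentication
! and group policy lookup, and Mode Configuration "Respond".
crypto map EZVPN_MAP client authentication list EZVPN_XAUTH
crypto map EZVPN_MAP isakmp authorization list EZVPN_GROUP_AUTHZ
crypto map EZVPN_MAP client configuration address respond
crypto map EZVPN_MAP 10 ipsec-isakmp dynamic EZVPN_DYN
!
! Cisco Tunneling Control Protocol screen: listen for cTCP on these ports
! (up to 10 ports may be listed).
crypto ctcp port 10000 10001
!
! Interface and Authentication screen: the interface where client tunnels terminate.
interface FastEthernet0/0
 crypto map EZVPN_MAP
```

Enabling Preview commands before delivering to router (Step 1 of the procedure) lets you compare the wizard's generated commands against a reference like this before they are applied.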
Browser Proxy Settings
This window lists browser proxy settings, showing how they are configured. You can add, edit, or delete browser proxy settings. Use the group policies configuration to associate browser proxy settings with client groups.
Field Reference
Table 13-19 describes the fields in this screen.
Table 13-19 Browser Proxy Settings Fields
Element | Description
Name | The name of the browser proxy settings.
Settings | Displays one of the following:
• No Proxy Server
No proxy server can be used by clients when they connect through the VPN tunnel.
• Automatically Detect Settings
Clients attempt to automatically detect a proxy server.
• Manual Proxy Configuration
Settings are manually configured.
Server Details | Displays the proxy server IP address and port number used.
Bypass Local Addresses | If set, prevents clients from using the proxy server for local (LAN) addresses.
Exceptions List | A list of IP addresses for which you do not want clients to use the proxy server.
Add Button | Configure new browser proxy settings.
Edit Button | Edit the specified browser proxy settings.
Delete Button | Delete the specified browser proxy settings. Browser proxy settings associated with one or more group policies cannot be deleted before those associations are removed.
Editing Easy VPN Server Connections
To edit an Easy VPN Server connection, complete these steps:
Step 1
If you want to review the Cisco IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. The preview screen allows you to cancel the configuration if you want to.
Step 2
In the Cisco SDM toolbar, click Configure.
Step 3
In the Cisco SDM taskbar, click VPN.
Step 4
In the VPN tree, click Easy VPN Server.
Step 5
Click Edit VPN Server.
Step 6
Choose the VPN server connection that you want to edit.
Step 7
Click Edit. Then, make changes to the settings in the displayed dialogs.
Step 8
Click OK to close the dialog and send the changes to the router.
Step 9
If you checked Preview commands before delivering to router in the Edit Preferences screen, the Cisco IOS CLI commands that you are sending are displayed. Click Deliver to send the configuration to the router, or click Cancel to discard it.
Edit Easy VPN Server Reference describes the configuration screens.
Edit Easy VPN Server Reference
The topics in this section describe the Edit Easy VPN Server screens:
• Edit Easy VPN Server
• Add or Edit Easy VPN Server Connection
• Restrict Access
• Group Policies Configuration
• IP Pools
• Add or Edit IP Local Pool
• Add IP Address Range
Edit Easy VPN Server
This window lets you view and manage Easy VPN server connections.
Field Reference
Table 13-20 describes the fields in this screen.
Table 13-20 Edit Easy VPN Server Fields
Element | Description
Add | Click Add to add a new Easy VPN Server.
Edit | Click Edit to edit an existing Easy VPN Server configuration.
Delete | Click Delete to delete a specified configuration.
Name | The name of the IPSec policy associated with this connection.
Interface | The name of the interface used for this connection.
Group Authorization | The name of the method list used for group policy lookup.
User Authentication Column | The name of the method list used for user authentication lookup.
Mode Configuration | Displays one of the following:
• Initiate
The router is configured to initiate connections with Easy VPN Remote clients.
• Respond
The router is configured to wait for requests from Easy VPN Remote clients before establishing connections.
Test VPN Server Button | Click to test the chosen VPN tunnel. The results of the test appear in a separate window.
Restrict Access Button | Click this button to restrict group access to the specified Easy VPN Server connection. This button is enabled only if both of the following conditions are met:
• There is more than one Easy VPN Server connection using the local database for user authentication.
• There is at least one local group policy configured.
Add or Edit Easy VPN Server Connection
This window lets you add or edit an Easy VPN Server connection.
Field Reference
Table 13-21 describes the fields in this screen.
Table 13-21 Easy VPN Server Connection Fields
Element | Description
Choose an Interface | If you are adding a connection, choose the interface to use from this list. If you are editing the connection, this list is disabled.
Choose an IPSec Policy | If you are adding a connection, choose the IPSec policy to use from this list. If you are editing the connection, this list is disabled.
Method List for Group Policy Lookup | Choose the method list to use for group policy lookup from this list. Method lists are configured by clicking Additional Tasks on the Cisco SDM taskbar, and then clicking the AAA node.
Enable User Authentication | Check this check box if you want to require users to authenticate themselves.
Method List for User Authentication | Choose the method list to use for user authentication from this list. Method lists are configured by clicking Additional Tasks on the Cisco SDM taskbar, and then clicking the AAA node.
Mode Configuration | Check Initiate if you want the router to initiate connections with Easy VPN Remote clients. Check Respond if you want the router to wait for requests from Easy VPN Remote clients before establishing connections.
Restrict Access
This window allows you to specify which group policies are allowed to use the Easy VPN connection.
Field Reference
Table 13-22 describes the fields in this screen.
Table 13-22 Add a RADIUS Server Fields

Restrict Access
Click Restrict Access to enable restrictive access for this Easy VPN connection.

Check Boxes
Allow a group access to the Easy VPN Server connection by checking its check box. Deny a group access to the Easy VPN Server connection by unchecking its check box.

Group Policies Configuration
This window lets you view, add, clone, and choose group policies for editing or deletion. Group policies are used to identify resources for Easy VPN Remote clients.
Field Reference
Table 13-23 describes the fields in this screen.
Table 13-23 Group Policies Configuration Fields

Common Pool
Click Common Pool to designate an existing pool as a common pool for all group policies to use. If no local pools have been configured, this button is disabled. Pools can be configured by clicking Additional Tasks > Local Pools, or when you configure Easy VPN Server connections.

Add, Edit, Clone, Delete
Use these buttons to manage group policies on the router. Clicking Clone displays the Group Policy edit tabs.

Send Update
Click to send an IKE notification of software or firmware updates to active clients of the chosen group. If this button is disabled, the chosen group does not have client update configured.
To set up client update notifications for the chosen group, click the Edit button and then click the Client Update tab.

Group Name
The name of the group policy.

Pool
The IP address pool used by the clients in this group.

DNS
The DNS servers used by the clients in this group.

WINS
The WINS servers used by the clients in this group.

Domain Name
The domain name used by the clients in this group.

ACL
If split tunneling is specified for this group, this column may contain the name of an ACL that defines which traffic is to be encrypted.

Details Window
The Details window is a list of feature settings and their values for the chosen group policy. Feature settings are displayed only if they are supported by your Cisco router's IOS release, and apply only to the chosen group. The following feature settings may appear in the list:
• Authentication—Values indicate a preshared key if one was configured, or a digital certificate if a preshared key was not configured.
• Maximum Connections Allowed—Shows the maximum number of simultaneous connections allowed. Cisco SDM supports a maximum of 5000 simultaneous connections per group.
• Access Restrict—Shows the outside interface to which the specified group is restricted.
• Backup Servers—Shows the IP addresses of the backup servers that have been configured.
• Firewall Are-U-There—Restricts connections to devices running Black Ice or Zone Alarm firewalls.
• Include Local LAN—Allows a connection that does not use split tunneling to access the local stub network at the same time as the client.
• PFS (perfect forward secrecy)—PFS is required for IPSec.
• Configuration Push, URL, and Version—The server sends a configuration file from the specified URL and with the specified version number to a client.
• Group Lock—Clients are restricted to the group.
• Save Password—XAuth credentials can be saved on the client.
• Maximum Logins—The maximum number of connections a user can establish simultaneously. Cisco SDM supports a maximum of 10 simultaneous logins per user.
• XAuth Banner—The text message shown to clients during XAuth requests.
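The Details window settings above, together with the Mode Configuration and method-list fields of the connection window, map onto attributes of an IOS Easy VPN group policy and its ISAKMP profile. The configuration below is an added example written for this page, not output generated by Cisco SDM; the group name, method-list names, pool, ACL, addresses, interface and key are all constructed placeholders.

```cisco
! Added example, not generated by Cisco SDM; all names, addresses and
! the key are constructed placeholders.
aaa new-model
! Method lists chosen for User Authentication and Group Policy Lookup
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUPS local
!
! Local pool and split-tunneling ACL referenced by the group policy
ip local pool SALES-POOL 10.20.0.1 10.20.0.254
ip access-list extended SPLIT-SALES
 permit ip 10.10.10.0 0.0.0.255 any
!
crypto isakmp client configuration group SALES
! Authentication: preshared key (omit for certificate authentication)
 key PRESHARED-KEY-PLACEHOLDER
! Pool, DNS, WINS, Domain Name, ACL
 pool SALES-POOL
 dns 10.10.10.5 10.10.10.6
 wins 10.10.10.7
 domain example.com
 acl SPLIT-SALES
! Maximum Connections Allowed and Maximum Logins (the SDM limits)
 max-users 5000
 max-logins 10
! Access Restrict and Backup Servers
 access-restrict FastEthernet0/0
 backup-gateway 192.0.2.10
! Firewall Are-U-There, Include Local LAN, PFS
 firewall are-u-there
 include-local-lan
 pfs
! Configuration Push URL and Version
 configuration url http://10.10.10.8/sales.cfg
 configuration version 2
! Group Lock, Save Password, XAuth Banner
 group-lock
 save-password
 banner ^C Authorized SALES users only ^C
!
! ISAKMP profile binding the group to the two method lists; "respond"
! corresponds to the Mode Configuration Respond setting, "initiate" to Initiate
crypto isakmp profile EZVPN-SALES
 match identity group SALES
 client authentication list EZVPN-XAUTH
 isakmp authorization list EZVPN-GROUPS
 client configuration address respond
```

Comparing a previewed SDM command set against a layout like this is a quick way to confirm that every Details window setting you expect (for example max-logins or group-lock) is actually present before the commands are delivered to the router.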