Easy VPN Server

Published on January 2017

11-1
Cisco Router and Security Device Manager 2.4 User’s Guide
OL-4015-10

Chapter 11
Easy VPN Server
The Easy VPN Server feature introduces server support for the Cisco VPN Client
Release 3.x and later software clients and Cisco VPN hardware clients. The
feature allows a remote end user to communicate using IP Security (IPSec) with
any Cisco IOS Virtual Private Network (VPN) gateway. Centrally managed IPSec
policies are “pushed” to the client by the server, minimizing configuration by the
end user.
The following link provides general information on the Cisco Easy VPN solution,
and other links for more specific information:
http://www.cisco.com/en/US/products/sw/secursw/ps5299/index.html
Create an Easy VPN Server
This wizard guides you through the steps needed to configure an Easy VPN
Server on this router. You will perform the following tasks:
• Choosing the interface on which the client connections will terminate, and the
authentication method used for the server and Easy VPN clients
• Configuring IKE policies
• Configuring an IPSec transform set
• Configuring group authorization and the group policy lookup method
• Configuring user authentication
• Configuring external RADIUS servers
• Configuring policies for remote users connecting to Easy VPN clients
Create an Easy VPN Server
Click to Create an Easy VPN server configuration on your router.
Launch the Easy VPN Server Wizard Button
Click to start the wizard.
Welcome to the Easy VPN Server Wizard
This window summarizes the tasks you will perform when using the wizard.
Interface and Authentication
This window lets you choose the interface on which you want to configure the
Easy VPN Server.
If you choose an interface that is already configured with a site-to-site IPSec
policy, Cisco SDM displays a message that an IPSec policy already exists on the
interface. Cisco SDM uses the existing IPSec policy to configure the Easy VPN
Server.
If the chosen interface is part of an Easy VPN Remote, GREoIPSec, or DMVPN
interface, Cisco SDM displays a message to choose another interface.
Details
Click this button to obtain details about the interface you choose. The details
window shows any access rules, IPSec policies, NAT rules, or inspection rules
associated with the interface.
This button is dimmed when no interface has been chosen.
Authentication
Choose preshared keys, digital certificates, or both.

If you choose preshared keys, you must enter a key value when you configure the
Add Group Policy general setup window.
If you choose digital certificates, the preshared key field does not appear in the
Add Group Policy general setup window.
If you choose both preshared keys and digital certificates, entering a key value in
the Add Group Policy general setup window is optional.
Group Authorization and Group Policy Lookup
This window allows you to define a new AAA authorization network method list
for group policy lookup or to choose an existing network method list.
Local Only
This option allows you to create a method list for the local database only.
RADIUS Only
This option allows you to create a method list for a RADIUS database.
RADIUS and Local Only
This option allows you to create a method list for both RADIUS and local
database.

What Do You Want to Do?
• If you want to define an AAA method list for both RADIUS and the local database:
choose RADIUS and Local Only, then click Next. With method lists for both a
RADIUS and the local database, the router looks at the RADIUS server first and
then at the local database for group authentication.
• If you want to define an AAA method list for the local database only: choose
Local Only, then click Next. The router then looks only at the local database for
group authentication.
• If you want to use one of the existing method lists for group authentication:
choose Choose an existing AAA method list, then click Next. When you define
AAA method lists, you might consider choosing an already existing method list.
User Authentication (XAuth)
You can configure user authentication on the Easy VPN Server. You can store user
authentication details on an external server such as a RADIUS server, in a local
database, or on both. An AAA login authentication method list decides the order
in which user authentication details are searched.
Local Only
This option allows you to add user authentication details for the local database
only.

RADIUS and Local Only
This option allows you to add user authentication details for both a RADIUS and
local database.
Choose an existing AAA Method List
This option allows you to choose a method list from a list of all method lists
configured on the router.
The chosen method list is used for extended authentication.
Add User Credentials Button
Click to add a user account.
User Accounts for XAuth
Add an account for a user you want to authenticate after IKE has authenticated the
device.
User Accounts
The user accounts that XAuth will authenticate are listed in this box. The account
name and privilege level are visible.
Add or Edit Buttons
Use these buttons to add and edit user accounts. User accounts can be deleted in
the Additional Tasks > Router Access > User Accounts/View window.
Note Existing CLI view user accounts cannot be edited from this window. If you need
to edit user accounts, go to Additional Tasks > Router Access > User
Accounts/CLI View.
Add RADIUS Server
This window lets you add a new RADIUS server or edit or ping an already
existing RADIUS server.

Add
Add a new RADIUS server.
Edit
Edit an already existing RADIUS server configuration.
Ping
Ping an already existing RADIUS server or newly configured RADIUS server.
Group Authorization: User Group Policies
This window allows you to add, edit, clone or delete user group policies on the
local database.
This lists already configured group policies.
Group Name
Name given to the user group.
Pool
Name of the IP address pool from which an IP address is assigned to a user
connecting from this group.
DNS
Domain Name System (DNS) address of the group.
This DNS address is “pushed” to the users connecting to this group.
WINS
Windows Internet Naming Service (WINS) address of the group.
This WINS address is “pushed” to the users connecting to this group.

Domain Name
Domain name of the group.
This domain name is “pushed” to the users connecting to this group.
Split ACL
The access control list (ACL) that represents protected subnets for split tunneling
purposes.
Idle Timer
Disconnecting idle VPN tunnels can help the Easy VPN Server run more
efficiently by reclaiming unused resources.
Click the Configure Idle Timer check box and enter a value for the maximum
time that a VPN tunnel can remain idle before being disconnected. Enter hours in
the left field, minutes in the middle field, and seconds in the right field. The
minimum time allowed is 1 minute.
General Group Information
This window allows you to configure, edit, and clone group policies.
Please Enter a Name for This Group
Enter the group name in the field provided. If this group policy is being edited,
this field is disabled. If you are cloning a group policy, you must enter a new value
in this field.
Preshared Key
Enter the preshared key in the fields provided.
The Current key field cannot be changed.
Note You do not have to enter a preshared key if you are using digital certificates for
group authentication. Digital certificates are also used for user authentication.

Pool Information
Specifies a local pool of IP addresses that are used to allocate IP addresses to
clients.
Create a New Pool
Enter the range of IP addresses for the local IP address pool in the IP Address
Range field.
Select from an Existing Pool
Choose the range of IP addresses from the existing pool of IP addresses.
Note This field cannot be edited if there are no predefined IP address pools.
Subnet Mask (Optional)
Enter a subnet mask to send with the IP addresses allocated to clients in this
group.
Maximum Connections Allowed
Specify the maximum number of client connections to the Easy VPN Server from
this group.
Cisco SDM supports a maximum of 5000 connections per group.
What Do You Want to Do?
• If you want to authenticate the clients associated with the group: enter the key
in the Preshared Key field.
• If you want to create a local pool of IP addresses to be allocated to clients:
enter the IP address range in the Create a New Pool field under the Pool
Information area.
• If you want to choose a range of IP addresses from the existing pool to be
allocated to clients: choose the IP address range from the Select From an
Existing Pool field under the Pool Information area.

DNS and WINS Configuration
This window allows you to specify the Domain Name Service (DNS) and
Windows Internet Naming Service (WINS) information.
DNS
Enter the primary and secondary DNS server IP address in the fields provided.
Entering a secondary DNS server address is optional.
WINS
Enter the primary and secondary WINS server IP address in the fields provided.
Entering a secondary WINS server address is optional.
Domain Name
Specify the domain name that should be pushed to the Easy VPN client.
What Do You Want to Do?
• If you want to configure a DNS server: check the DNS option, then enter the
primary and secondary DNS server IP addresses in the fields provided.
• If you want to configure a WINS server: check the WINS option, then enter the
primary and secondary WINS server IP addresses in the fields provided.
• If you want to specify a domain name to be pushed to the Easy VPN client: enter
the domain name in the Domain Name field.
Split Tunneling
This window allows you to enable split tunneling for the user group you are
adding.

Split tunneling is the ability to have a secure tunnel to the central site and
simultaneous clear text connections to the Internet. For example, traffic sourced
from the client and destined for the protected subnet is sent through the VPN
tunnel.
You can also specify which ACLs represent protected subnets for split
tunneling.
Enable Split Tunneling
This box allows you to add protected subnets and ACLs for split tunneling.
Enter the Protected Subnets
Add or remove the subnets for which the packets are tunneled from the VPN
clients.
Choose the Split Tunneling ACL
Choose the ACL to use for split tunneling.
Split DNS
Enter the Internet domain names that should be resolved by your network’s DNS
server. The following restrictions apply:
• A maximum of 10 entries is allowed.
• Entries must be separated with a comma.
• Do not use spaces anywhere in the list of entries.
• Duplicate entries or entries with invalid formats are not accepted.
Note This feature appears only if supported by your Cisco server’s IOS release.
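As an added example (not part of the SDM guide or its generated configuration), the following Python checks a split tunneling policy before it is entered: it applies the four Split DNS rules above to the comma-separated entry list, reports overlapping protected subnets, and renders the subnets as wildcard-mask access-list lines. The access-list syntax and the domain-name format are assumptions; the guide only says the ACL represents the protected subnets, and the sample subnets are constructed.

```python
import ipaddress
import re

# Split-DNS rules as stated in the help text: at most 10 entries, comma-separated,
# no spaces anywhere, no duplicates, no malformed names.
MAX_SPLIT_DNS_ENTRIES = 10
# Assumption: a domain name is dot-separated labels of letters, digits and hyphens.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample input: two protected subnets behind the Easy VPN Server.
SAMPLE_SUBNETS = ["10.1.0.0/16", "192.168.10.0/24"]


def split_dns_problems(entry_string):
    """Return rule violations for a Split DNS string; an empty list means it is acceptable."""
    problems = []
    if " " in entry_string:
        problems.append("spaces are not allowed anywhere in the list")
    entries = entry_string.split(",") if entry_string else []
    if len(entries) > MAX_SPLIT_DNS_ENTRIES:
        problems.append(f"{len(entries)} entries exceed the maximum of {MAX_SPLIT_DNS_ENTRIES}")
    seen = set()
    for name in entries:
        labels = name.split(".")
        if not name or len(name) > 253 or not all(_LABEL.match(label) for label in labels):
            problems.append(f"invalid domain name format: {name!r}")
        elif name.lower() in seen:
            problems.append(f"duplicate entry: {name!r}")
        seen.add(name.lower())
    return problems


def overlapping_subnets(subnets):
    """Return (a, b) pairs of protected subnets that overlap; an overlap usually means a typo."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def split_tunnel_acl(acl_number, subnets):
    """Render the protected subnets as IOS access-list lines using wildcard masks.

    Assumption: 'permit ip <network> <wildcard> any' is the conventional form of a
    split-tunnel ACL; the help text only says the ACL 'represents protected subnets'.
    """
    lines = []
    for s in subnets:
        # strict=True rejects an entry with host bits set, for example 10.1.1.5/24
        net = ipaddress.ip_network(s, strict=True)
        lines.append(f"access-list {acl_number} permit ip {net.network_address} {net.hostmask} any")
    return lines
```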
What Do You Want to Do?
• If you want to enable split tunneling: check the Enable Split Tunneling option.
• If you want to add a protected subnet: choose Enter the Protected Subnets, and
then click Add.
• If you want to delete a protected subnet: choose Enter the Protected Subnets,
and then click Delete.
• If you want to choose the ACL to be used for split tunneling: choose Choose the
Split Tunneling ACL, and choose the ACL from the available options.
• If you want to use your network’s DNS server to resolve certain domain names:
check the Enable Split Tunneling option and enter the domain names in the field
provided. You must also set up subnets or choose an ACL.
Client Settings
This window allows you to configure additional attributes of the security policy,
such as adding or removing a backup server, Firewall Are-U-There, and
Include-Local-LAN.
Note Some of the features described below appear only if supported by your Cisco
server’s IOS release.
Backup Servers
You can specify up to ten servers by IP address or hostname as backup for the Easy
VPN server, and order the list to control which servers the router will attempt to
connect to first if the primary connection to the Easy VPN server fails.
Add
Click to specify the name or the IP address of an Easy VPN server for the router
to connect to when the primary connection fails, and then enter the address or
hostname in the window displayed.
Delete
Click to delete a specified IP address or hostname.

Configuration Push
You can specify an Easy VPN client configuration file using a URL and version
number. The Easy VPN Server sends the URL and version number to Easy VPN
hardware clients requesting that information. Only Easy VPN hardware clients
belonging to the group policy you are configuring can request the URL and
version number you enter in this window.
Enter the URL of the configuration file in the URL field. The URL should begin
with an appropriate protocol, and can include usernames and passwords. The
following are URL examples for downloading an upgrade file called sdm.exe:
• http://username:password@hostname/go/vpn/sdm.exe
• https://username:password@hostname/go/vpn/sdm.exe
• ftp://username:password@hostname/go/vpn/sdm.exe
• tftp://username:password@hostname/go/vpn/sdm.exe
• scp://username:password@hostname/go/vpn/sdm.exe
• rcp://username:password@hostname/go/vpn/sdm.exe
• cns:
• xmodem:
• ymodem:
• null:
• flash:sdm.exe
• nvram:sdm.exe
• usbtoken[0-9]:sdm.exe
The USB token port number range is 0-9. For example, for a USB token
attached to USB port 0, the URL is usbtoken0:sdm.exe.
• usbflash[0-9]:sdm.exe
The USB flash port number range is 0-9. For example, for a USB flash
attached to USB port 0, the URL is usbflash0:sdm.exe.
• disk[0-1]:sdm.exe
The disk number is 0 or 1. For example, for disk number 0, the URL is
disk0:sdm.exe.
• archive:sdm.exe

• tar:sdm.exe
• system:sdm.exe
In these examples, username is the site username and password is the site
password.
Enter the version number of the file in the Version field. The version number must
be in the range 1 to 32767.
Browser Proxy
You can specify browser proxy settings for Easy VPN software clients. The Easy
VPN Server sends the browser proxy settings to Easy VPN software clients
requesting that information. Only Easy VPN software clients belonging to the
group policy you are configuring can request the browser proxy settings you enter
in this window.
Enter the name under which the browser proxy settings were saved, or choose one
of the following from the drop-down menu:
• Choose an existing setting...
Opens a window with a list of existing browser proxy settings.
• Create a new setting and choose...
Opens a window where you can create new browser proxy settings.
• None
Clears any browser proxy settings assigned to the group.
Firewall Are-U-There
You can restrict VPN connections to clients running Black Ice or Zone Alarm
personal firewalls.
Include Local LAN
You can allow a non–split tunneling connection to access the local subnetwork at
the same time as the client.
Perfect Forward Secrecy (PFS)
Enable PFS if it is required by the IPSec security association you are using.

What Do You Want to Do?
• If you want to add a backup server: click Add in the Backup Servers area, then
enter the backup server IP address or host name in the window displayed.
• If you want to delete a backup server: choose the backup server to be deleted
in the Backup Servers area and click Delete.
• If you want to reorder backup servers: delete the backup servers and recreate
them in the order you want.
• If you want to enable Firewall Are-U-There: check the Firewall Are-U-There
option.
• If you want to enable Include Local LAN: check the Include-Local-LAN option.
• If you want to specify the maximum number of client connections allowed for
the group that you are creating: enter the number in the Maximum Connections
Allowed in This Group field.
Choose Browser Proxy Settings
From the drop-down list, choose the browser proxy settings you want to associate
with the group.
Note To add new settings, choose Add Browser Settings from the browser settings
drop-down menu in the Client Settings window, or go to VPN Components >
Easy VPN Server > Browser Proxy Settings and click Add. To delete settings,
go to VPN Components > Easy VPN Server > Browser Proxy Settings and
click Delete.
Add or Edit Browser Proxy Settings
This window allows you to add or edit browser proxy settings.

Browser Proxy Settings Name
If you are adding browser proxy settings, enter a name that will appear in
drop-down menus listing browser proxy settings. If you are editing browser proxy
settings, the name field is read-only.
Proxy Settings
Choose one of the following:
• No Proxy Server
You do not want clients in this group to use a proxy server when they use the
VPN tunnel.
• Automatically Detect Settings
You want clients in this group to automatically detect a proxy server when
they use the VPN tunnel.
• Manual Proxy Configuration
You want to manually configure a proxy server for clients in this group.
If you choose Manual Proxy Configuration, follow these steps to manually
configure a proxy server:
Step 1 Enter the proxy server IP address in the Server IP Address field.
Step 2 Enter the port number that the proxy server uses for receiving proxy requests in
the Port field.
Step 3 Enter a list of IP addresses for which you do not want clients to use the proxy
server.
Separate the addresses with commas, and do not enter any spaces.
Step 4 If you want to prevent clients from using the proxy server for local (LAN)
addresses, check the Bypass proxy server for local address check box.
Step 5 Click OK to save the browser proxy settings.

User Authentication (XAuth)
This window allows you to configure additional attributes for user authentication,
such as Group Lock and Save Password.
XAuth Banner
Enter the text for a banner that is shown to users during XAuth requests.
Note This feature appears only if supported by your Cisco server’s IOS release.
Maximum Logins Allowed Per User:
Specify the maximum number of connections a user can establish at a time.
Cisco SDM supports a maximum of ten logins per user.
Group Lock
You can restrict a client to connect to the Easy VPN Server only from the specified
user group.
Save Password
You can save extended authentication user name and password locally on the Easy
VPN Client.
What Do You Want to Do?
• If you want to restrict user connections to the specified user group: check the
Enable group-lock option.
• If you want to save the user name and password on the client: check the Enable
save password option.
• If you want to specify the maximum number of simultaneous connections a user
can make to the Easy VPN Server: enter the number in the Maximum Logins
Allowed Per User field.

Client Update
This window allows you to set up client software or firmware update notifications,
and displays existing client update entries. Existing client update entries can be
selected for editing or deletion.
Notifications are sent automatically to clients which connect to the server after a
new or edited client update configuration is saved. Clients already connected
require manual notification. To send a manual IKE notification of update
availability, choose a group policy in the group policies window and click the
Send Update button. Group clients meeting the client update criteria are sent the
notification.
Note The client update window is available only if supported by your Cisco server’s
IOS release.
Client Type Column
Shows the type of client for which the revision is intended.
Revisions Column
Shows which revisions are available.
URL Column
Gives the location of the revisions.
Add Button
Click to configure a new client update entry.
Edit Button
Click to edit the specified client update entry.
Delete Button
Click to delete the specified client update entry.

Add or Edit Client Update Entry
This window allows you to configure a new client update entry.
Client Type
Enter a client type or choose one from the drop-down menu. Client type names
are case sensitive.
For software clients, the client type is usually the operating system, for example,
Windows. For hardware clients, the client type is usually the model number, for
example, vpn3002.
If you are editing the client update entry, the client type is read-only.
URL
Enter the URL that leads to the latest software or firmware revision. The URL
should begin with an appropriate protocol, and can include usernames and
passwords.
The following are URL examples for downloading an upgrade file called
vpnclient-4.6.exe:
• http://username:password@hostname/go/vpn/vpnclient-4.6.exe
• https://username:password@hostname/go/vpn/vpnclient-4.6.exe
• ftp://username:password@hostname/go/vpn/vpnclient-4.6.exe
• tftp://username:password@hostname/go/vpn/vpnclient-4.6.exe
• scp://username:password@hostname/go/vpn/vpnclient-4.6.exe
• rcp://username:password@hostname/go/vpn/vpnclient-4.6.exe
• cns:
• xmodem:
• ymodem:
• null:
• flash:vpnclient-4.6.exe
• nvram:vpnclient-4.6.exe
• usbtoken[0-9]:vpnclient-4.6.exe

The USB token port number range is 0-9. For example, for a USB token
attached to USB port 0, the URL is usbtoken0:vpnclient-4.6.exe.
• usbflash[0-9]:vpnclient-4.6.exe
The USB flash port number range is 0-9. For example, for a USB flash
attached to USB port 0, the URL is usbflash0:vpnclient-4.6.exe.
• disk[0-1]:vpnclient-4.6.exe
The disk number is 0 or 1. For example, for disk number 0, the URL is
disk0:vpnclient-4.6.exe.
• archive:vpnclient-4.6.exe
• tar:vpnclient-4.6.exe
• system:vpnclient-4.6.exe
In these examples, username is the site username and password is the site
password.
Revisions
Enter the revision number of the latest update. You can enter multiple revision
numbers by separating them with commas, for example, 4.3,4.4,4.5. Do not use
any spaces.
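The URL rules of the Configuration Push window and this Client Update window are the same, so one added example (Python written for this edit, not SDM's own code) serves both: it classifies a URL by the protocols and file systems listed above, flags an embedded password and unencrypted transfer protocols, checks the 1 to 32767 Version range, and validates a Revisions list. The host name is a placeholder and the dotted revision format is an assumption.

```python
import re
from urllib.parse import urlsplit

# Accepted URL forms, taken from the list of examples in the help text. Network
# schemes name a remote host; the rest are local IOS file systems or transfer methods.
NETWORK_SCHEMES = {"http", "https", "ftp", "tftp", "scp", "rcp"}
CLEARTEXT_SCHEMES = {"http", "ftp", "tftp", "rcp"}
LOCAL_FILESYSTEMS = {"cns", "xmodem", "ymodem", "null", "flash", "nvram", "archive", "tar", "system"}
_LOCAL_DEVICE = re.compile(r"usbtoken[0-9]|usbflash[0-9]|disk[01]")
VERSION_MIN, VERSION_MAX = 1, 32767      # range given for the Version field
_REVISION = re.compile(r"\d+(\.\d+)*")   # assumption: revisions look like 4.3 or 4.6.1


def url_findings(url):
    """Return review findings for a URL entered in the Configuration Push or Client Update window."""
    findings = []
    scheme = url.partition(":")[0].lower()
    if scheme in NETWORK_SCHEMES:
        parts = urlsplit(url)
        if not parts.hostname:
            findings.append("network URL has no host name")
        if parts.password is not None:
            # Embedding credentials is allowed, but they are then kept in the router
            # configuration in the clear, so they deserve a review finding.
            findings.append("URL embeds a password that will be stored in the router configuration")
        if scheme in CLEARTEXT_SCHEMES:
            # The file is a configuration or software update for clients; fetching it
            # without encryption or integrity protection means it can be altered in transit.
            findings.append(f"{scheme} transfers the file without encryption or integrity protection")
    elif scheme not in LOCAL_FILESYSTEMS and not _LOCAL_DEVICE.fullmatch(scheme):
        findings.append(f"unsupported protocol or file system: {scheme!r}")
    return findings


def version_is_valid(version):
    """The Version field accepts integers from 1 to 32767."""
    return isinstance(version, int) and VERSION_MIN <= version <= VERSION_MAX


def revision_findings(revision_string):
    """Check the Revisions field: comma-separated numbers such as '4.3,4.4,4.5', no spaces."""
    findings = []
    if " " in revision_string:
        findings.append("spaces are not allowed in the revision list")
    for rev in revision_string.split(","):
        if not _REVISION.fullmatch(rev.strip()):
            findings.append(f"malformed revision number: {rev!r}")
    return findings
```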
Summary
This window shows you the Easy VPN Server configuration that you have created,
and it allows you to save the configuration. You can review the configuration in
this window and click the Back button to change any items.
Clicking the Finish button writes the information to the router running
configuration. If the tunnel has been configured to operate in Auto mode, the
router also attempts to contact the VPN concentrator or server.
If you want to change the Easy VPN Server configuration at a later time, you can
make the changes in the Add or Edit Easy VPN Server panel.
To save this configuration to the router running configuration and leave this
wizard, click Finish. Changes will take effect immediately.

Test VPN Connectivity After Configuring
Click to test the VPN connection you have just configured. The results of the test
appear in a separate window.
Browser Proxy Settings
This window lists browser proxy settings, showing how they are configured. You
can add, edit, or delete browser proxy settings. Use the group policies
configuration to associate browser proxy settings with client groups.
Name
The name of the browser proxy settings.
Settings
Displays one of the following:
• No Proxy Server
No proxy server can be used by clients when they connect through the VPN
tunnel.
• Automatically Detect Settings
Clients attempt to automatically detect a proxy server.
• Manual Proxy Configuration
Settings are manually configured.
Server Details
Displays the proxy server IP address and port number used.
Bypass Local Addresses
If set, prevents clients from using the proxy server for local (LAN) addresses.

Exceptions List
A list of IP addresses for which you do not want clients to use the proxy server.
Add Button
Configure new browser proxy settings.
Edit Button
Edit the specified browser proxy settings.
Delete Button
Delete the specified browser proxy settings. Browser proxy settings associated
with one or more group policies cannot be deleted before those associations are
removed.
Add or Edit Easy VPN Server
This window lets you view and manage Easy VPN server connections.
Add
Click Add to add a new Easy VPN Server.
Edit
Click Edit to edit an existing Easy VPN Server configuration.
Delete
Click Delete to delete a specified configuration.
Name Column
The name of the IPSec policy associated with this connection.

Interface Column
The name of the interface used for this connection.
Group Authorization Column
The name of the method list used for group policy lookup.
User Authentication Column
The name of the method list used for user authentication lookup.
Mode Configuration
Displays one of the following:
• Initiate
The router is configured to initiate connections with Easy VPN Remote
clients.
• Respond
The router is configured to wait for requests from Easy VPN Remote clients
before establishing connections.
Test VPN Server Button
Click to test the chosen VPN tunnel. The results of the test appear in a separate
window.
Restrict Access Button
Click this button to restrict group access to the specified Easy VPN Server
connection.
This button is enabled only if both of the following conditions are met:
• There is more than one Easy VPN Server connection using the local database
for user authentication.
• There is at least one local group policy configured.

Add or Edit Easy VPN Server Connection
This window lets you add or edit an Easy VPN Server connection.
Choose an Interface
If you are adding a connection, choose the interface to use from this list. If you
are editing the connection, this list is disabled.
Choose an IPSec Policy
If you are adding a connection, choose the IPSec policy to use from this list. If
you are editing the connection, this list is disabled.
Method List for Group Policy Lookup
Choose the method list to use for group policy lookup from this list. Method lists
are configured by clicking Additional Tasks on the Cisco SDM taskbar, and then
clicking the AAA node.
Enable User Authentication
Check this checkbox if you want to require users to authenticate themselves.
Method List for User Authentication
Choose the method list to use for user authentication from this list. Method lists
are configured by clicking Additional tasks on the Cisco SDM taskbar, and then
clicking the AAA node.
Mode Configuration
Check Initiate if you want the router to initiate connections with Easy VPN
Remote clients.
Check Respond if you want the router to wait for requests from Easy VPN
Remote clients before establishing connections.

Restrict Access
This window allows you to specify which group policies are allowed to use the
Easy VPN connection.
Allow a group access to the Easy VPN Server connection by checking its check
box. Deny a group access to the Easy VPN Server connection by unchecking its
check box.
What Do You Want to Do?
• If you want to restrict a group policy to a specific Easy VPN Server connection
while denying all other group policies use of that connection: choose the specific
Easy VPN Server connection and click the Restrict Access button. Check the
target group’s check box and uncheck those of all other groups. Deny the target
group access in all other Easy VPN Server connections by unchecking its check
box in the Restrict Access window belonging to each of those connections.
Group Policies Configuration
This window lets you view, add, clone, and choose group policies for editing or
deletion. Group policies are used to identify resources for Easy VPN Remote
clients.
Common Pool Button
Click to designate an existing pool as a common pool for all group policies to use.
If no local pools have been configured, this button is disabled. Pools can be
configured by clicking Additional Tasks > Local Pools, or when you configure
Easy VPN Server connections.

Add, Edit, Clone, and Delete Buttons
Use these buttons to manage group policies on the router. Clicking Clone displays
the Group Policy edit tabs.
Send Update Button
Click to send an IKE notification of software or firmware updates to active clients
of the chosen group. If this button is disabled, the chosen group does not have
client update configured.
To set up client update notifications for the chosen group, click the Edit button
and then click the Client Update tab.
Group Name Column
The name of the group policy.
Pool Column
The IP address pool used by the clients in this group.
DNS Column
The DNS servers used by the clients in this group.
WINS Column
The WINS servers used by the clients in this group.
Domain Name Column
The domain name used by the clients in this group.
ACL Column
If split tunneling is specified for this group, this column may contain the name of
an ACL that defines which traffic is to be encrypted.

Details Window
The Details window is a list of feature settings and their values for the chosen
group policy. Feature settings are displayed only if they are supported by your
Cisco router’s IOS release, and apply only to the chosen group. The following
feature settings may appear in the list:
• Authentication
Values indicate a preshared key if one was configured, or a digital certificate
if a preshared key was not configured.
• Maximum Connections Allowed
Shows the maximum number of simultaneous connections allowed.
Cisco SDM supports a maximum of 5000 simultaneous connections per
group.
• Access Restrict
Shows the outside interface to which the specified group is restricted.
• Backup Servers
Shows the IP address of backup servers that have been configured.
• Firewall Are-U-There
Restricts connections to devices running Black Ice or Zone Alarm firewalls.
• Include Local LAN
Allows a connection not using split tunneling to access the local stub network
at the same time as the client.
• PFS (perfect forward secrecy)
PFS is required for IPSec.
• Configuration Push, URL, and Version
The server sends a configuration file from the specified URL and with the
specified version number to a client.
• Group Lock
Clients are restricted to the group.
• Save Password
XAuth credentials can be saved on the client.
• Maximum Logins

The maximum number of connections a user can establish simultaneously.
Cisco SDM supports a maximum of 10 simultaneous logins per user.
• XAuth Banner
The text message shown to clients during XAuth requests.
IP Pools
This window lists the IP address pools available to group policies configured on
the router. The name of this window varies with the area of Cisco SDM you are
working in, and depending on that area, Add, Edit, and Delete buttons may be
available. You can use these buttons to manage local IP pools on the router.
Pool Name Column
The name of the IP address pool.
IP Address Range Column
The IP address range for the selected pool. A range of 2.2.2.0 to 2.2.2.254
provides 255 addresses.
Cache Size Column
The size of the cache for this pool.
Group Name Column
If a local pool is configured with the group option using the CLI, the name of the
group is displayed in the group name column. This column is not displayed in all
Cisco SDM areas.
Note You cannot configure local pools with the group option using Cisco SDM.

Add or Edit IP Local Pool
This window lets you create or edit a local pool of IP addresses.
Pool Name
If you are creating a pool, enter the pool name. If you are editing a pool, this field
is disabled.
IP Address Range
Enter or edit the IP address ranges for the pool in this area. A pool can contain
more than one IP address range. Use the Add, Edit, and Delete buttons to create
additional ranges, edit ranges, and delete IP address ranges.
Cache Size
Enter or edit the cache size for this pool in this field.
Add IP Address Range
This window lets you add an IP address range to an existing pool.
Start IP Address
Enter the lowest IP address in the range.
End IP Address
Enter the highest IP address in the range.
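Added example (not from the guide) tying the IP Address Range rule above to the Maximum Connections Allowed limit of 5000 from the General Group Information window and the ten-logins cap from the XAuth window: it counts the addresses in a pool made of several inclusive ranges, rejects overlapping ranges, and reports when the pool cannot supply the number of connections the group permits. The sample pool is constructed.

```python
import ipaddress

# Limits stated in the help text.
MAX_CONNECTIONS_PER_GROUP = 5000
MAX_LOGINS_PER_USER = 10

# Constructed sample pool: two inclusive (start, end) ranges of 254 addresses each.
SAMPLE_POOL = [("10.10.1.1", "10.10.1.254"), ("10.10.2.1", "10.10.2.254")]


def _span(start, end):
    """Convert an inclusive start/end pair to integer bounds, rejecting a reversed range."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if hi < lo:
        raise ValueError(f"end address {end} is below start address {start}")
    return lo, hi


def range_size(start, end):
    """Number of addresses in an inclusive range: 2.2.2.0 to 2.2.2.254 gives 255."""
    lo, hi = _span(start, end)
    return hi - lo + 1


def ranges_overlap(ranges):
    """True if any two (start, end) ranges of a pool share an address."""
    spans = sorted(_span(s, e) for s, e in ranges)
    return any(spans[i][0] <= spans[i - 1][1] for i in range(1, len(spans)))


def pool_size(ranges):
    """Total addresses across all ranges of a pool; overlaps are an error, not double-counted."""
    if ranges_overlap(ranges):
        raise ValueError("pool ranges overlap")
    return sum(range_size(s, e) for s, e in ranges)


def capacity_findings(ranges, max_connections, max_logins_per_user=1):
    """Compare a group's pool with its Maximum Connections Allowed and Maximum Logins values."""
    findings = []
    if not 1 <= max_connections <= MAX_CONNECTIONS_PER_GROUP:
        findings.append(f"Maximum Connections Allowed must be between 1 and {MAX_CONNECTIONS_PER_GROUP}")
    if not 1 <= max_logins_per_user <= MAX_LOGINS_PER_USER:
        findings.append(f"Maximum Logins Allowed Per User must be between 1 and {MAX_LOGINS_PER_USER}")
    size = pool_size(ranges)
    if size < max_connections:
        # The connection limit is never reached: the pool runs dry first, and later
        # clients in the group fail to receive an address.
        findings.append(f"pool has {size} addresses but the group allows {max_connections} connections")
    return findings
```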
