Virtual private networks provide for the establishment of a secure connection, known as a tunnel, which exists on and sends traffic over a public network such as the Internet. Traffic sent through the tunnel is encrypted and only those with access to the tunnel are able to use it to send encrypted traffic. An end-user of the virtual private network may access the virtual private network remotely by logging on to the network through a computer. The computer may include the software needed to access the virtual private network, in which case the computer is referred to as a software client. Alternatively, the user may log on to the network by first establishing a connection between a computer and a hardware client, and then using the hardware client to log on to the network. A hardware client is a type of network hardware device that operates as a client in a virtual private network environment and is used as an alternative to a software client. A hardware client is capable of providing access to many computers, while a software client typically provides access to only one user. When a user logs onto a network remotely, the user is generally logging on through a device called a concentrator. A concentrator is a type of multiplexor that combines multiple channels onto a single transmission medium in such a way that all the individual channels may be simultaneously active. For example, Internet Service Providers (ISPs) use concentrators to combine their dial-up modem connections onto fast T-1 lines that connect to the Internet. Concentrators are also used in local area networks (LANs) to combine transmissions from a cluster of nodes. In this case, the concentrator is often called a hub. Typically, a concentrator contains a routing table, which lists the different possible routes for network traffic to travel.
When a virtual private network session is started, typically a component of the routing table that is used to route traffic on the virtual private network is also established at this time. Similarly, the client, whether a software client or a hardware client, may also include a routing table that contains routes over the virtual private network.
One type of conventional virtual private network uses a secure protocol such as the IP Security (IPSec) protocol along with the Internet Key Exchange (IKE) protocol and Internet Security Association and Key Management Protocol (ISAKMP) protocol, to establish a tunnel between two peers on the network, such as a software client and a concentrator or a hardware client and a concentrator. The peers first establish a secure, encrypted management connection between themselves using IKE/ISAKMP, and then establish an IPSec session with Security Associations (SAs), resulting in the secure tunnel over which the network traffic travels. A Security Association is an association that specifies security properties from one peer to another peer. Once the tunnel has been established, either peer is able to send encrypted traffic over the tunnel using IPSec,
For an IPSec tunnel to be established between two peers, there is a significant amount of configuration required at both peers. This includes IPSec policies, Diffie-Hellman parameters, encryption algorithms, and so on. In a large corporate environment with hundreds of sites, managing the IPSec configuration may get quite tedious. The Cisco Easy virtual private network feature, also known as EzVPN, eases IPSec configuration by allowing an almost no-touch configuration of the IPSec client.
EzVPN uses the Unity client protocol, which allows most IPSec virtual private network parameters to be defined at an IPSec gateway, which is also the EzVPN server. When an EzVPN client, either hardware or software, initiates an IPSec tunnel connection, the EzVPN server, such as a concentrator, pushes the IPSec policies and other attributes required to form the IPSec tunnel to the EzVPN client and creates the corresponding IPSec tunnel connection. The tunnel on the EzVPN client may be initiated automatically, manually, or it could be traffic triggered, depending on the configuration or type of EzVPN client used. Minimal configuration is required at the EzVPN client. EzVPN provides the following general functions in order to simplify the configuration process: negotiating tunnel parameters with encryption algorithms, Security Association (SA) lifetimes, and so on; user authentication by validating user credentials by use of Extended Authentication (XAUTH); and automatic configuration by pushing attributes such as Internet Protocol (IP) address, Domain Name System (DNS), Windows Internet Naming Service (WINS), and so on, using Mode-Configuration (MODECFG).
The term EzVPN client is used for both Cisco Unity virtual private network clients, called EzVPN software clients, and the Unity client protocol running on smaller Cisco routers like the 800, 1700, and 2600 series, commonly referred to as EzVPN hardware clients. The Cisco Easy virtual private network feature supports two modes of operation: Client Mode and Network Extension Mode.
EzVPN Client Mode is also known as Network/Port Address Translation (NAT/PAT) Mode. In this mode, all traffic from the client side uses a single IP address for all hosts on the private network. For example, all traffic from the hosts on the FastEthernet interface on the EzVPN client may be translated by NAT to a source IP address of 10.0.68.5, which is assigned by the EzVPN server as an attribute using MODECFG. The client keeps track of the mappings so that the traffic may be forwarded to the correct host on the private network.
EzVPN Network Extension Mode allows the EzVPN client to present a full, routable network to the tunneled network. IPSec encapsulates all traffic from the EzVPN client's private network, which is marked as "inside", to networks behind the IPSec gateway. Therefore, devices behind the gateway have direct access to devices on the EzVPN client's private network via the tunnel and vice versa without the need for NAT or PAT. As there is no reason for NAT or PAT, the EzVPN server does not push down an IP address for tunneled traffic, but all other attributes like Access Control Lists (ACLs), DNS, and WINS, may be pushed down. For example, an ACL under the mode network-extension in the configuration may permit networks behind the "inside" network and allow traffic to and from those subnets to be encrypted. Without the access list, only traffic to and from the "inside" subnet is encrypted.
The EzVPN server configuration is the same for both Client Mode and Network Extension Mode. The client configuration determines which mode is being used.
Redundancy is always an integral part of any IPSec design and, in the case of EzVPN, dead peer detection together with a backup peer list makes such a design possible. An alternate mechanism to provide EzVPN server redundancy is to push the backup server's address list down to the client as an attribute. Dead peer detection is on by default on the EzVPN clients.
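The two client modes and the backup peer list described above, as an added Cisco IOS configuration example for an EzVPN hardware client (constructed for illustration; not taken from the text or from any Cisco document). The profile names, group name, key placeholder, interface names and addresses are assumptions; 192.0.2.1 is the primary server and 192.0.2.2 the backup peer that dead peer detection fails over to.

```cisco
! Client Mode (NAT/PAT): every host behind the inside interface is
! translated to the single address the server pushes via MODECFG.
! No ACL is needed; the client keeps the PAT mappings itself.
crypto ipsec client ezvpn BRANCH-CLIENT
 connect auto
 group EZVPN-GROUP key PLACEHOLDER-GROUP-KEY
 mode client
 peer 192.0.2.1
 peer 192.0.2.2
 xauth userid mode interactive
!
! Network Extension Mode: the inside subnet is presented as a routable
! network. acl 100 names additional subnets whose traffic is also
! encrypted; without it only the "inside" subnet is protected.
crypto ipsec client ezvpn BRANCH-NEM
 connect auto
 group EZVPN-GROUP key PLACEHOLDER-GROUP-KEY
 mode network-extension
 peer 192.0.2.1
 peer 192.0.2.2
 acl 100
 xauth userid mode interactive
!
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
!
! Only one profile can be bound at a time; BRANCH-NEM is bound here.
! The first "peer" is primary, later ones are the backup peer list.
interface FastEthernet0
 description private LAN (192.168.10.0/24)
 ip address 192.168.10.1 255.255.255.0
 crypto ipsec client ezvpn BRANCH-NEM inside
!
interface FastEthernet1
 description public uplink
 ip address dhcp
 crypto ipsec client ezvpn BRANCH-NEM
```

To switch the router to Client Mode, bind BRANCH-CLIENT instead of BRANCH-NEM on both interfaces; the server side needs no change, as the text notes.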
EzVPN may be combined with XAUTH and MODECFG to provide extended authentication and thereby push all MODECFG attributes to the client. The attributes to be pushed may be defined locally on the EzVPN server or defined on an authentication, authorization, and accounting (AAA) server and defined either on a per-group or per-user basis. When AAA is used for pushing the attributes, AAA between EzVPN server and the AAA server requires a hard-coded password.
Two useful attributes for telecommuter scenarios are max-logins and include-local-lan. The max-logins attribute allows the administrator to restrict the number of simultaneous IPSec connections from the same user to the gateway. The include-local-lan attribute is very useful in scenarios in which the telecommuter's LAN has resources, such as printers, attached to the LAN and access to these resources is required when the VPN tunnel is up. The attributes may also be applied on a per-user basis. A user attribute overrides a group attribute value. These attributes are retrieved at the time user authentication occurs using XAUTH, and are then combined with group attributes and applied during Mode-Configuration.
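The server side of the XAUTH and MODECFG exchange described in the last two paragraphs, as an added Cisco IOS example that defines the group attributes locally rather than on an AAA server (constructed for illustration; not from the text or from Cisco). Names, addresses, the pool range and the PLACEHOLDER secrets are assumptions; the address pool is chosen to contain the 10.0.68.5 example address used earlier.

```cisco
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUPS local
username telecommuter1 secret PLACEHOLDER-USER-SECRET
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Group attributes pushed to the client with MODECFG once XAUTH succeeds.
! pool: Client Mode address (Network Extension Mode clients receive none).
! acl 101: networks the client should send through the tunnel.
! include-local-lan: telecommuter's local printers stay reachable.
! max-logins 1: at most one simultaneous IPSec session per user.
! backup-gateway: backup server list pushed as an attribute.
crypto isakmp client configuration group EZVPN-GROUP
 key PLACEHOLDER-GROUP-KEY
 dns 10.0.0.10
 wins 10.0.0.11
 domain example.com
 pool EZVPN-POOL
 acl 101
 include-local-lan
 max-logins 1
 backup-gateway 192.0.2.2
!
ip local pool EZVPN-POOL 10.0.68.1 10.0.68.254
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
!
crypto isakmp profile EZVPN-PROFILE
 match identity group EZVPN-GROUP
 client authentication list EZVPN-XAUTH
 isakmp authorization list EZVPN-GROUPS
 client configuration address respond
!
crypto ipsec transform-set EZVPN-TS esp-aes 256 esp-sha-hmac
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 set isakmp-profile EZVPN-PROFILE
 reverse-route
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map EZVPN-MAP
```

Per-user overrides of these group values are delivered from the AAA server at XAUTH time, as the text describes, and are not shown in this local-only configuration.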