SEC0018 - EZVPN Connect and XAuth Mode Options

Difficulty Level: 2

The video demonstrates the various ways an EZVPN hardware client can initiate an IPsec connection. In this lab, the headend router is set up with Easy VPN (EZVPN) using pre-shared key authentication, while the client is configured to run in Client Mode. We then explore the different 'connect' and 'xauth' configuration options on the client side.

Scenario 1: 'connect manual' and 'xauth userid mode interactive'
  • Requires a user to log into the CLI and initiate the authentication process.
  • Usually insecure and impractical, since a local user has to log into the router to enter the XAuth credential.
  • The tunnel is not always up, so remote resources may not always be accessible to the headend user.
Scenario 2: 'connect acl <acl-name>' and 'xauth userid mode local'
  • Does not require user intervention to enter the XAuth credential.
  • The IPsec VPN is built only when interesting traffic is matched by the defined ACL.
  • Any user can cause the tunnel to come up as long as the interesting traffic is matched.
  • The tunnel is not always up, so remote resources may not always be accessible to the headend user.
Scenario 3: 'connect manual' and 'xauth userid mode http-intercept'
  • Requires a user to open a web browser, where they are prompted for the XAuth credential.
  • The tunnel is established only when a valid user credential is entered.
  • The user has the option to bypass the VPN connection and just access the internet.
  • Once the tunnel is up, subsequent users can utilize the tunnel.
  • The tunnel is not always up, so remote resources may not always be accessible to the headend user.
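As an added illustration (not taken from the lab document or the author's configurations), the client-side IOS EZVPN profile for each of the three scenarios, with the profile names, group name, key, peer address, ACL name, credentials and interface names all assumed placeholders:

```cisco
! Added example: EZVPN hardware-client profiles for the three scenarios.
! Profile/group names, key, peer, ACL, credentials and interfaces are assumed.

! Interesting-traffic ACL used by scenario 2 (addresses are placeholders)
ip access-list extended EZVPN_INTERESTING
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255

! Scenario 1: manual connect, operator types the XAuth credential at the CLI
crypto ipsec client ezvpn SC1
 connect manual
 group EZGROUP key <preshared-key>
 mode client
 peer 203.0.113.1
 xauth userid mode interactive
! Bring it up from exec mode, then answer the XAuth prompt:
!   crypto ipsec client ezvpn connect SC1
!   crypto ipsec client ezvpn xauth

! Scenario 2: ACL-triggered connect, credential stored in the profile
crypto ipsec client ezvpn SC2
 connect acl EZVPN_INTERESTING
 group EZGROUP key <preshared-key>
 mode client
 peer 203.0.113.1
 xauth userid mode local
 username vpnuser password <xauth-password>
! Any host whose traffic matches the ACL brings the tunnel up, no prompt.

! Scenario 3: manual connect, credential collected by HTTP intercept
crypto ipsec client ezvpn SC3
 connect manual
 group EZGROUP key <preshared-key>
 mode client
 peer 203.0.113.1
 xauth userid mode http-intercept
! A user's browser request is intercepted and prompted for XAuth;
! once the tunnel is up, later users ride the same tunnel.

! Bind one profile to the interfaces (SC3 shown here)
interface GigabitEthernet0/0
 crypto ipsec client ezvpn SC3 outside
interface GigabitEthernet0/1
 crypto ipsec client ezvpn SC3 inside
```

In scenario 2 the stored credential means the tunnel's security rests on device access control rather than on a per-user login, which is the trade-off the bullets above describe.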

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new Cisco technologies.