SEC0018 - EZVPN Connect and XAuth Mode Options
Category:
Security
The video demonstrates the various ways an EZVPN hardware client can initiate an IPSec connection. In this lab, the headend router is set up with Easy VPN (EZVPN) using pre-shared key authentication, while the client is configured to run in Client Mode. We then explore the different 'connect' and 'xauth' configuration options on the client side.
Scenario 1: 'connect manual' and 'xauth userid mode interactive'
- Requires a user to log into the CLI and initiate the authentication process
- Usually insecure and impractical, since a local user must log into the router to enter the XAuth credentials
- The tunnel is not always up, so remote resources may not always be accessible to users at the headend
Scenario 2: 'connect acl <acl-name>' and 'xauth userid mode local'
- Does not require user intervention to enter the XAuth credentials
- The IPSec VPN is built only when interesting traffic matches the defined ACL
- Any user can bring the tunnel up as long as their traffic matches the interesting-traffic ACL
- The tunnel is not always up, so remote resources may not always be accessible to users at the headend
Scenario 3: 'connect manual' and 'xauth userid mode http-intercept'
- Requires a user to open a web browser, where they are prompted for the XAuth credentials
- The tunnel is established only when valid user credentials are entered
- The user has the option to bypass the VPN connection and access only the internet
- Once the tunnel is up, subsequent users can utilize the tunnel
- The tunnel is not always up, so remote resources may not always be accessible to users at the headend
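The following client-side configuration is an added example, not taken from the lab document or the video, showing one EZVPN hardware-client profile per scenario above. The connect and xauth modes follow the scenario descriptions; the peer address 192.0.2.1, group name EZGROUP, pre-shared key, ACL, username/password and interface names are assumed placeholders, and the headend is assumed to already serve that group with pre-shared key authentication as the lab describes. The three profiles are alternatives: bind only the one under test to the inside and outside interfaces.

```cisco
! ---- Scenario 1: 'connect manual' + 'xauth userid mode interactive' ----
! The tunnel is brought up from the CLI and the operator types the
! XAuth credentials when the router reports a pending XAuth request.
crypto ipsec client ezvpn EZ-SCN1
 connect manual
 ! assumed group name and pre-shared key
 group EZGROUP key EZPRESHAREDKEY
 mode client
 ! assumed headend address
 peer 192.0.2.1
 xauth userid mode interactive
!
! Operator steps in exec mode for scenario 1:
!   crypto ipsec client ezvpn connect EZ-SCN1
!   crypto ipsec client ezvpn xauth EZ-SCN1
! The second command prompts for the username and password.

! ---- Scenario 2: 'connect acl' + 'xauth userid mode local' ----
! Interesting traffic matching the ACL triggers the tunnel, and the
! credentials stored in the profile satisfy XAuth with no user action.
ip access-list extended EZ-INTERESTING
 ! assumed local LAN 10.10.10.0/24 to assumed headend networks 10.20.0.0/16
 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255
!
crypto ipsec client ezvpn EZ-SCN2
 connect acl EZ-INTERESTING
 group EZGROUP key EZPRESHAREDKEY
 mode client
 peer 192.0.2.1
 ! stored XAuth credentials (assumed values); anyone matching the ACL brings the tunnel up
 username ezuser password EZPASS
 xauth userid mode local

! ---- Scenario 3: 'connect manual' + 'xauth userid mode http-intercept' ----
! The router intercepts the user's web browsing and presents a login
! page; valid credentials complete XAuth and the user may instead choose
! to bypass the VPN and reach the internet only.
ip http server
!
crypto ipsec client ezvpn EZ-SCN3
 connect manual
 group EZGROUP key EZPRESHAREDKEY
 mode client
 peer 192.0.2.1
 xauth userid mode http-intercept

! ---- Interface binding (assumed interface names) ----
! Replace EZ-SCN1 with the profile under test; only one profile is bound at a time.
interface FastEthernet0/0
 description assumed LAN-facing interface
 crypto ipsec client ezvpn EZ-SCN1 inside
!
interface FastEthernet0/1
 description assumed WAN-facing interface
 crypto ipsec client ezvpn EZ-SCN1
```

To observe the difference between the scenarios, watch `show crypto ipsec client ezvpn` on the client while generating traffic: in scenario 1 the state stays idle until the operator issues the connect and xauth commands, in scenario 2 it moves to connected as soon as a packet matches EZ-INTERESTING, and in scenario 3 it reports a pending XAuth request until someone completes the intercepted browser login.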