
IPsec VPN With Cisco EzVPN

by | 4-May-2021 | Cisco, Security, VPN

Cisco Easy VPN (EzVPN) Overview

What is Cisco EzVPN

  • An IPsec VPN solution supported by Cisco routers and Cisco security appliances
    • Simplifies VPN deployment for remote branches and mobile workers
    • Centralizes VPN management across all Cisco VPN devices
  • A solution for large-scale “Hub-and-Spoke” Site-to-Site and Remote-Access IPsec VPN
    • Supports QoS and multicast
  • For Site-to-Site IPsec VPN that requires dynamic routing and direct Spoke-to-Spoke communication
    • Cisco recommends using DMVPN instead


The 3 components of the Cisco EzVPN solution (Figure 1)

  • Cisco EzVPN Client
    • Enables mobile workers to create a Remote-Access VPN (RAVPN) connection to an EzVPN Server
    • Example: Cisco VPN Client (desktop application)
  • Cisco EzVPN Remote
    • Enables network devices to establish a Site-to-Site VPN connection to an EzVPN Server
    • Example: Cisco IOS EzVPN Remote, Cisco ASA EzVPN Remote
  • Cisco EzVPN Server
    • Listens for and accepts connections from EzVPN Clients and Remotes
    • The EzVPN Server (Responder) does not need to know the Initiator’s IP address in advance
    • Example: Cisco IOS EzVPN Server, Cisco ASA EzVPN Server


Cisco EzVPN Remote supports 3 modes of operation:

  • Client Mode
    • The Remote is assigned an IP address from the EzVPN Server’s VPN IP pool via Mode Config
    • Hosts behind this EzVPN Remote are NAT/PAT translated to this assigned VPN IP
    • This IP address is automatically assigned to an available loopback interface
    • This IP address is typically used for troubleshooting (ping, telnet, ssh)
  • Network Extension Mode (NEM)
    • No VPN IP address is assigned
    • NAT/PAT is not used, which allows bidirectional communication between hosts behind the EzVPN Server and the EzVPN Remote
  • Network Extension Plus Mode (NEM+)
    • Identical to NEM: NAT/PAT is not used
    • But a VPN IP address is assigned for troubleshooting (ping, telnet, ssh)


Which Cisco products support Cisco Easy VPN Remote or Server? (Figure 3)


Easy deployment using “Mode-Config”

  • An IKE mechanism to push policy (attributes) from the EzVPN Server to the EzVPN Client/Remote
    • Makes it easy to propagate new policy changes
    • Minimal configuration on the client side
  • Supported “Mode-Config” attributes, pushed from EzVPN Server to EzVPN Client/Remote
    • VPN IP address/mask, DNS server addresses, WINS server addresses
    • Domain name, Client firewall ACL, Login banner, Split-tunneling flags


Cisco EzVPN implementation options

  • Legacy EzVPN
    • EzVPN Server: with Dynamic Crypto Map
    • EzVPN Client: without Virtual Template Interface
  • Enhanced EzVPN
    • EzVPN Server: with DVTI (Dynamic Virtual Tunnel Interface)
    • EzVPN Client: with Virtual Template Interface
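The following Cisco IOS configuration is an added illustration (not from the original post) that ties the three sections above together: an Enhanced EzVPN Server using a DVTI that pushes pool, DNS, domain and split-tunnel attributes via Mode-Config, and an Enhanced EzVPN Remote in Network Extension Mode with a Virtual-Template interface. Group, pool, ACL and profile names, interface numbers, the 10.0.0.0/24 and 10.255.0.0/24 addresses and the 203.0.113.1 peer are assumed values; the angle-bracket entries are placeholders for secrets.

```cisco
! --- EzVPN Server (Enhanced: ISAKMP profile + DVTI) ---
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUP local
username branch1 secret <XAUTH-PASSWORD>
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! Mode-Config attributes pushed to every Remote in this group
crypto isakmp client configuration group EZVPN-GROUP
 key <GROUP-PRE-SHARED-KEY>
 pool EZVPN-POOL
 dns 10.0.0.53
 domain example.com
 acl SPLIT-TUNNEL
crypto isakmp profile EZVPN-PROFILE
 match identity group EZVPN-GROUP
 client authentication list EZVPN-XAUTH
 isakmp authorization list EZVPN-GROUP
 client configuration address respond
 virtual-template 1
crypto ipsec transform-set EZVPN-TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile EZVPN-IPSEC
 set transform-set EZVPN-TS
 set isakmp-profile EZVPN-PROFILE
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
ip local pool EZVPN-POOL 10.255.0.1 10.255.0.254
ip access-list extended SPLIT-TUNNEL
 permit ip 10.0.0.0 0.0.0.255 any
! --- EzVPN Remote (Enhanced: Network Extension Mode) ---
crypto ipsec client ezvpn EZVPN-REMOTE
 connect auto
 group EZVPN-GROUP key <GROUP-PRE-SHARED-KEY>
 mode network-extension
 peer 203.0.113.1
 username branch1 password <XAUTH-PASSWORD>
 xauth userid mode local
 virtual-interface 1
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
interface GigabitEthernet0/0
 crypto ipsec client ezvpn EZVPN-REMOTE outside
interface GigabitEthernet0/1
 crypto ipsec client ezvpn EZVPN-REMOTE inside
```

Because the Remote runs in NEM, hosts behind GigabitEthernet0/1 keep their own addresses and are reachable from the hub side without NAT; switching `mode network-extension` to `mode client` would instead NAT them behind the pool address assigned to the Remote.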
