Establishing an Easy VPN IPsec Session

The steps in establishing an IPsec session differ slightly when using Easy
VPN. They are as follows:
Step 1. The remote client contacts the server and begins IKE Phase 1. If
preshared keys are used, the client initiates Aggressive mode. If
digital certificates are used, the client initiates Main mode.
Step 2. The remote client attempts to establish an ISAKMP SA with the
server. It sends proposals with various combinations of hashes,
authentication types, and Diffie-Hellman groups.
Step 3. The server finds a match to one of the client’s proposals, accepts
it, and establishes an ISAKMP SA. The device is now authenticated.
Step 4. When using Extended Authentication (XAuth), the server issues a
username and password challenge. It checks the remote client’s
response against a RADIUS or TACACS+ authentication, authorization,
and accounting (AAA) server, or uses tokens. The user is
now authenticated.
Step 5. The server pushes configuration parameters to the device. At a
minimum, this must include an IP address.
Step 6. Reverse Route Injection (RRI) creates a static route to the remote client.
Step 7. IPsec Quick mode is used to negotiate an IPsec SA. When this is
complete, the VPN is established.
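
The ordering of Steps 1 through 7, and where a session stops when a step fails, can be traced with a small model. This is an added example, not code from the original text or from any vendor implementation. The policy tuples, user table, address pool, and the /32 host route are constructed values assumed for illustration.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample data: every name and value here is an assumption for illustration.
SERVER_POLICIES = [("sha256", "pre-share", 14), ("sha256", "rsa-sig", 14)]  # (hash, auth, DH group)
AAA_USERS = {"alice": "correct-horse"}   # stands in for the RADIUS/TACACS+ AAA server
ADDRESS_POOL = ["10.10.10.5"]            # addresses the server can push in Step 5

@dataclass
class Session:
    steps: list = field(default_factory=list)   # ordered record of completed steps
    routes: list = field(default_factory=list)  # static routes created by RRI
    established: bool = False

def phase1_mode(credential):
    """Step 1: preshared keys start Aggressive mode, certificates start Main mode."""
    return {"pre-share": "aggressive", "rsa-sig": "main"}[credential]

def match_proposal(proposals, policies):
    """Steps 2-3: return the first client proposal the server also has, else None."""
    return next((p for p in proposals if p in policies), None)

def establish(credential, proposals, user, password, xauth=True, pool=ADDRESS_POOL):
    s = Session()
    s.steps.append("phase1:" + phase1_mode(credential))
    chosen = match_proposal(proposals, SERVER_POLICIES)
    if chosen is None:                      # no common proposal: no ISAKMP SA
        s.steps.append("fail:no-matching-proposal")
        return s
    s.steps.append("isakmp-sa:%s/%s/group%d" % chosen)   # device authenticated
    if xauth:                               # Step 4: user authentication
        expected = AAA_USERS.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            s.steps.append("fail:xauth")
            return s
        s.steps.append("xauth:" + user)
    if not pool:                            # Step 5 must push at least an IP address
        s.steps.append("fail:no-address")
        return s
    s.steps.append("mode-config:" + pool[0])
    s.routes.append(pool[0] + "/32")        # Step 6: RRI static route (host route assumed)
    s.steps.append("quick-mode:ipsec-sa")   # Step 7: IPsec SA negotiated
    s.established = True
    return s
```

A failed XAuth response leaves the ISAKMP SA step recorded but produces no address, no route, and no IPsec SA, which is the ordering to expect when reading server logs for a rejected user.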