Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
Information About Implementing IKE Security Protocol Configurations for IPSec Networks
Cisco IOS XR System Security Configuration Guide
Banner, Auto-Update, and Browser-Proxy
Table 3 describes the features that provide support for attributes that aid in the management of the
Cisco Easy VPN remote device.
After a Cisco Easy VPN connection is up, use the crypto ipsec server send-update command in EXEC
mode to send auto-update notifications at any time.
Pushing a Configuration URL Through a Mode-Configuration Exchange
When remote devices connect to a corporate gateway for creating an IPsec VPN tunnel, some policy and
configuration information must be applied to the remote device when the VPN tunnel is active to allow
the remote device to become a part of the corporate VPN. The URL contains the configuration
information that the remote device must download and apply to the running configuration.
The configuration that is pushed to the remote device is persistent by default. The configuration is
applied when the IPsec tunnel is “up,” but it is not withdrawn when the IPsec tunnel goes “down.”
However, it is possible to write a section of configuration that is transient in nature, in which case, the
configuration of the section is reverted when the tunnel is disconnected.
There are no restrictions on where the configuration distribution server is physically located. However,
we recommend that a secure protocol such as HTTPS (Secure HTTP) be used to retrieve the
configuration. Because the configuration server is located in the corporate network and the transfer
happens through the IPsec tunnel, insecure access protocols (such as HTTP) are used.
Regarding backward compatibility: the remote device asks for the CONFIGURATION-URL and
CONFIGURATION-VERSION attributes. The server sends the configuration URL and version attributes
whether they were on the group or the user. The standard attribute priority scheme, which was used for
all the attributes, is also used. There is no built-in restriction to push the configuration, but bootstrap
configurations (such as for the IP address) cannot be sent because those configurations are required to
set up the Cisco Easy VPN tunnel, and the CONFIGURATION-URL comes into effect only after the
Cisco Easy VPN tunnel comes up.
Table 3 Features that Aid in the Management of the Cisco Easy VPN Remote Device

Feature         Description
Banner          Configures a Cisco Easy VPN server to push a banner to a
                Cisco Easy VPN remote device.
Auto-Update     Configures a Cisco Easy VPN server to provide an automated
                mechanism to make software and firmware upgrades
                automatically available to a Cisco Easy VPN remote device.
Browser-Proxy   Configures a Cisco Easy VPN server so that the Cisco Easy VPN
                remote device can access resources on the corporate network.
                With this configuration, the user does not have to manually
                modify the proxy settings of his or her web browser when
                connecting and does not have to manually revert the proxy
                settings when disconnecting.