Limitations of Easy VPN Remote Phase 2


Remember that the Easy VPN features are a work in progress for Cisco. As such, Easy VPN Servers and Easy VPN Remotes do not support specific IPSec features. We discussed earlier in this chapter the features that the Easy VPN Server does not support. Now let's look at the features that the Easy VPN Remote does not support.

For authentication methods, an Easy VPN Remote device supports only preshared keys and XAUTH. Therefore, RSA encrypted nonces and RSA signatures (digital certificates) are not supported. Unlike the Easy VPN Server, an Easy VPN Remote device supports only one D-H algorithm: D-H group 2.

As with the Easy VPN Server, PFS is not supported.

Further, subinterfaces are not supported, and you can define only one destination peer on an Easy VPN Remote device.

The only transform sets that are supported by the Easy VPN Remote are those transform combinations that provide encryption with authentication. For example, you must use ESP-DES, an encryption transform, with an authentication transform, such as ESP-SHA-HMAC or ESP-MD5-HMAC.


Easy VPN Remote devices do not support subinterfaces, PFS, or multiple peers. Only D-H group 2 is supported.
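The authentication, D-H, PFS, and transform-set limits above can be checked against the headend configuration that a Remote will connect to. The following Python script is an added example, not code from the book or from Cisco; it assumes classic IOS command syntax and ISAKMP policy defaults of rsa-sig and group 1 when a line is omitted, and the sample configuration, function name, and report keys are constructed for illustration.

```python
import re
# Constructed headend (Easy VPN Server side) config; all names are made up.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication rsa-sig
 group 5
crypto isakmp policy 20
 encryption 3des
crypto isakmp policy 30
 authentication pre-share
 group 2
crypto ipsec transform-set ENC_ONLY esp-des
crypto ipsec transform-set ENC_AUTH esp-des esp-sha-hmac
crypto dynamic-map DYN 10
 set transform-set ENC_AUTH
 set pfs group2
"""
ESP_AUTH = {"esp-sha-hmac", "esp-md5-hmac"}  # the two the text names
REQUIRED = {"authentication": "pre-share", "group": "2"}  # Remote's limits

def check_remote_limits(config):
    """Sort a config's settings by whether an Easy VPN Remote can use them."""
    policies, current = {}, None
    report = {"policy_mismatches": {}, "unusable_transform_sets": [],
              "pfs_configured": False}
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split(None, 1)
        if not raw.startswith(" "):  # a top-level command ends any policy block
            current = None
            m = re.match(r"crypto isakmp policy (\d+)$", line)
            if m:  # assumed IOS defaults for omitted lines: rsa-sig, group 1
                current = policies.setdefault(
                    m.group(1), {"authentication": "rsa-sig", "group": "1"})
            m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
            if m:
                used = set(m.group(2).split())
                has_enc = any(t.startswith("esp-") and not t.endswith("-hmac")
                              for t in used)
                if not (has_enc and used & ESP_AUTH):
                    report["unusable_transform_sets"].append(m.group(1))
        elif current is not None and len(parts) == 2 and parts[0] in current:
            current[parts[0]] = parts[1]
        elif line.startswith("set pfs"):
            report["pfs_configured"] = True
    for num, p in policies.items():  # empty list = the Remote can match it
        report["policy_mismatches"][num] = [
            f"{k} {v}" for k, v in p.items() if v != REQUIRED[k]]
    return report
```

In the sample, policy 20 is rejected even though it sets neither value, because the omitted lines fall back to the assumed defaults.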


One additional quirk of the Easy VPN Remote is that the Cisco Cable Monitor Web interface does not work with the Cisco Easy VPN Remote Web Manager. To use the Cable Monitor Web interface, you need to disable the Easy VPN Remote Web Manager.


Disable the Easy VPN Remote Web Manager by using the command no ip http ezvpn. Enable the Cable Monitor Web interface with the command ip http cable-monitor.




CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Authors: Raman Sud
