
Configuring a Connection Between the VPN 3002 Hardware Client and a VPN 3000 Concentrator in Network Extension Mode


Document ID: 5402

Updated: Feb 06, 2007


Introduction

The VPN 3002 Hardware Client provides an alternative to deploying the VPN Client software on PCs at remote locations. Like the software client, the VPN 3002 Hardware Client sits at a remote site and provides a secure connection to a VPN Concentrator at a central site. It is important to understand that the VPN 3002 is a hardware client: you configure it as a client of the central-site VPN Concentrator, not as a site-to-site (LAN-to-LAN) peer. The VPN 3002 Hardware Client has these features:

  • It is easy to install.

  • It is independent of the application and platform used by the PCs at the remote site.

  • It reduces support costs.

The VPN 3002 Hardware Client functions in either of two modes:

  • Client mode (also called Port Address Translation [PAT] mode)

  • Network Extension mode (NEM)

Client mode is the default mode. In client mode, all devices on the private network of the VPN 3002 Hardware Client are hidden from the corporate network: when the tunnel comes up, the VPN Concentrator assigns a single IP address to the VPN 3002 Hardware Client, and the VPN 3002 Hardware Client translates (PATs) the source addresses of the devices behind it to that address. Only the devices behind the VPN 3002 Hardware Client can initiate connections to the network behind the central-site VPN 3000 Concentrator; hosts at the central site cannot initiate connections to them.

NEM allows the VPN 3002 Hardware Client to present a full, routable network to the tunneled network. IPsec encapsulates all traffic from the VPN 3002 Hardware Client private network to networks behind the central-site VPN 3000 Concentrator. Either side can initiate data exchange. Devices on either side know each other by their actual addresses.

Refer to Configuring the VPN 3002 Hardware Client to PIX 6.x in order to learn more about the same scenario where the VPN server is the PIX 6.x.

Refer to Configuring Cisco VPN 3002 Hardware Client to Cisco IOS Router with EzVPN in Network Extension Mode in order to learn more about the same scenario where the VPN server is the Cisco IOS router.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • VPN 3002 Hardware Client Software Release 3.1 (Any release 3.0 or later should work. The latest code is always recommended.)

  • VPN 3000 Concentrator Software Release 3.1 (Any release 3.0 or later should work. The latest code is always recommended.)

Note: NEM per group is available on the Cisco VPN 3000 Concentrator running software version 3.6 or later.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Network Diagram

This document uses this network setup:

vpn_3002_nem_5402_01.gif

IP Addresses

VPN 3000 Concentrator

  • Private Interface: 10.32.24.131

  • Subnet Mask: 255.255.128.0

  • Public Interface: 172.18.124.130

  • Subnet Mask: 255.255.255.0

VPN 3002 Hardware Client

  • Private Interface: 172.16.1.1

  • Subnet Mask: 255.255.255.0

  • Public Interface: 172.18.124.218

  • Subnet Mask: 255.255.255.0

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

WINS and DNS in the VPN 3002 Hardware Client

When the VPN 3002 Hardware Client brings up a tunnel, the headend concentrator sends it the addresses of the enterprise Domain Name System (DNS) and Windows Internet Naming Service (WINS) servers. The VPN 3002 Hardware Client stores this information and passes it to the local PCs through Dynamic Host Configuration Protocol (DHCP), so that the PCs send their DNS and WINS queries to the correct enterprise servers. Configuring the PCs with a short lease period (for example, five minutes) forces them to request their DHCP options from the VPN 3002 Hardware Client again at every renewal, so they pick up the enterprise servers as soon as the tunnel is established.

Note: If the VPN 3002 Hardware Client is initially configured at the remote site, the PC used to configure it does not receive the WINS/DNS server information, because no tunnel was established at the time of the configuration. After the tunnel is up, renew the DHCP lease on that PC (or reboot it), or enter the DNS/WINS server addresses manually.

Configure the VPN 3000 Concentrator

Use this procedure to configure the VPN 3000 Concentrator.

  1. Select Configuration > Interfaces, and make sure that the IP addresses are configured on the public and private interfaces.

    Also make sure that you are able to get to the Internet from your VPN 3000 Concentrator.

    vpn_3002_nem_5402_02.gif

  2. Choose Configuration > User Management > Groups > Add in order to create a group to be used for a VPN 3002 Hardware Client IPsec connection.

    In this example, the group name is "3002group" and the password is "cisco123."

    vpn_3002_nem_5402_03.gif

  3. Under the General tab, specify your local DNS and WINS servers, and check IPSec under Tunneling Protocols.

    vpn_3002_nem_5402_04.gif

  4. If your VPN 3002 Hardware Client is behind a Port Address Translation (PAT) device, enable the IPSec through Network Address Translation (NAT) option under the IPSec tab.

    If this option is disabled, the VPN 3002 Hardware Client and the VPN 3000 Concentrator cannot communicate through the PAT device, because Encapsulating Security Payload (ESP) packets carry no port numbers for the PAT device to translate. IPsec through NAT wraps the IPsec traffic in UDP and uses UDP port 10000 by default; you can select any port between 4001 and 49151. Make sure that this UDP port is not blocked anywhere in your topology, including on any firewall between the two sites. Once done, click the Add button to add the group.

    vpn_3002_nem_5402_05.gif

  5. Create a user for the VPN 3002 Hardware Client IPsec connection.

    In this example, the user name is "3002user" and the password is "cisco123" (which also belongs to the "3002group" created earlier). Click Add to add this user.

    vpn_3002_nem_5402_06.gif

Limit Network Extension Mode Per Group

Before this feature, no option allowed an administrator to restrict routed-network (NEM) permission to specific authenticated users or groups. Any user with a valid user name and password on a VPN Concentrator could route a network behind their device, even when the administrator had configured the group to push an IP address from a pool, DHCP, and so forth down to the user (client mode). As a result, anyone with valid remote-access credentials, whom the administrator assumes can only use the software client or a hardware client in client mode (that is, receiving a pushed IP address), could instead connect in NEM and present a network of their own choosing. If that network overlaps an address range in use at the central site, an entire network can be taken out of service, especially when the route is distributed into the internal network by Reverse Route Injection (RRI): internal routers then forward traffic for the overlapping range into the tunnel.

Therefore, starting with version 3.6, you can configure a group-specific option that limits the use of NEM per group. By default, a group cannot use NEM unless you check Check to allow hardware clients using Network Extension Mode to connect, as seen in this figure. Leave the option unchecked for groups intended for software clients or for hardware clients in client mode.

vpn_3002_nem_5402_a.gif
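The routing effect described above, as an added example that is not Cisco code: a small longest-prefix-match simulation of an internal router's table, showing how a route injected by RRI for a client-chosen prefix inside the corporate LAN captures internal traffic, and how the per-group NEM switch prevents the injection. The addresses come from this document (corporate LAN 10.32.0.0/17 behind the concentrator's private interface 10.32.24.131, legitimate NEM network 172.16.1.0/24). The rogue prefix 10.32.50.0/24, the host 10.32.50.20, the boolean model of the group option and the overlap check are assumptions made for the illustration, not concentrator features.

```python
"""Added example (not Cisco code): simulation of what Reverse Route Injection
(RRI) does to an internal routing table when any authenticated user may
connect in Network Extension Mode, and what the per-group NEM switch prevents.

Addresses from the document: corporate LAN 10.32.0.0/17 behind the VPN 3000
Concentrator (private interface 10.32.24.131) and the legitimate NEM network
172.16.1.0/24 behind the VPN 3002.  The rogue prefix 10.32.50.0/24 and the
internal host 10.32.50.20 are constructed for the illustration.
"""
import ipaddress

CORP_LAN = ipaddress.ip_network("10.32.0.0/17")            # connected on the core router
CONCENTRATOR_PRIVATE = ipaddress.ip_address("10.32.24.131")
LEGIT_NEM_NETWORK = ipaddress.ip_network("172.16.1.0/24")


class RoutingTable:
    """Minimal longest-prefix-match table; next hop None means directly connected."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, next_hop=None):
        net = ipaddress.ip_network(str(prefix))
        self.routes[net] = None if next_hop is None else ipaddress.ip_address(str(next_hop))

    def lookup(self, host):
        """Return (network, next_hop) of the most specific matching route, or None."""
        addr = ipaddress.ip_address(host)
        best = None
        for net, nh in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def corporate_table():
    """Internal core router: the LAN is connected, and the NEM client's network
    is reachable via the concentrator's private interface (installed by RRI)."""
    table = RoutingTable()
    table.add(CORP_LAN)
    table.add(LEGIT_NEM_NETWORK, CONCENTRATOR_PRIVATE)
    return table


def overlaps_internal(client_network, internal=(CORP_LAN,)):
    """Sanity check assumed for this example (not a concentrator feature):
    a NEM client must never present a prefix that overlaps the corporate LAN."""
    net = ipaddress.ip_network(str(client_network))
    return any(net.overlaps(i) for i in internal)


def reverse_route_inject(table, client_network, nem_allowed):
    """Model of the per-group NEM option (software 3.6 and later): the prefix a
    client presents is injected only if its group permits NEM.  Returns True
    when a route was installed, False when the table was left untouched."""
    if not nem_allowed:
        return False
    table.add(client_network, CONCENTRATOR_PRIVATE)
    return True


def next_hop_for(table, host):
    """'direct' for a connected route, the next-hop address as a string, or None."""
    match = table.lookup(host)
    if match is None:
        return None
    _net, nh = match
    return "direct" if nh is None else str(nh)


if __name__ == "__main__":
    table = corporate_table()
    print("10.32.50.20 before:", next_hop_for(table, "10.32.50.20"))      # direct
    # A rogue client in a group that allows NEM claims a slice of the corporate LAN.
    # The /24 is more specific than the connected /17, so longest-prefix match now
    # sends internal traffic for 10.32.50.0/24 into the tunnel.
    reverse_route_inject(table, "10.32.50.0/24", nem_allowed=True)
    print("10.32.50.20 after: ", next_hop_for(table, "10.32.50.20"))      # 10.32.24.131
    print("prefix overlaps corporate LAN:", overlaps_internal("10.32.50.0/24"))
```

The same lookup confirms the requirement in the Troubleshoot section: every internal router must resolve 172.16.1.0/24 to the concentrator's private interface, and a prefix a client presents that overlaps internal space should be rejected before it is ever injected.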

Configure the VPN 3002 Hardware Client

Use this procedure to configure the VPN 3002 Hardware Client.

  1. Select Configuration > Interfaces, and make sure that the IP addresses are configured on the public and private interfaces.

    Also make sure that you are able to get to the Internet from your VPN 3002 Hardware Client. Use HTTP to get into the VPN 3002 Hardware Client on the private interface. If HTTPS is enabled on the public interface, you can log into the public interface as well. By default, the private interface has an IP address of 192.168.10.1. You can connect your workstation to the private interface of the VPN 3002 Hardware Client, and use HTTP to get to the 192.168.10.1 IP address. The default user name and password are both "admin." Note that HTTP carries the administrator password in cleartext; use HTTPS once it is enabled, change the default password (see step 11), and do not expose plain HTTP management on the public interface.

    vpn_3002_nem_5402_07.gif

  2. Select Configuration > Quick > Time to go through the steps to configure the VPN 3002 Hardware Client. Make sure that you have the correct time configured. Click Continue to go to the next window.

    vpn_3002_nem_5402_08.gif

  3. If you already have a configuration file for the VPN 3002 Hardware Client, then import it. If this is a new configuration, click No to continue with the Quick Configuration.

    vpn_3002_nem_5402_09.gif

  4. The VPN 3002 Hardware Client can be configured as a DHCP server for the private network.

    The DHCP server on the private interface lets IP hosts on that network obtain addresses automatically from a limited pool for a fixed length of time, the lease period. Before the lease expires, the host's DHCP client asks the VPN 3002 Hardware Client to renew it; if the lease is not renewed, it expires and the IP address returns to the pool for reuse. Using DHCP simplifies the configuration because the hosts do not need to know which IP addresses are valid on the private network, and it is how the hosts receive the enterprise DNS/WINS servers described in WINS and DNS in the VPN 3002 Hardware Client. If you do not want to configure your VPN 3002 Hardware Client as a DHCP server, then select No, do not use the DHCP server to provide addresses.

    Click Continue to go to the next window.

    vpn_3002_nem_5402_10.gif

  5. On the Public Interface window, make sure that you have an IP address configured.

    If your service provider has given you a Point-to-Point Protocol (PPP) over Ethernet (PPPoE)-based digital subscriber line (DSL) connection, make sure that you have the right user name and password for the PPPoE authentication. You can also specify your system name on the Public Interface screen. The system name in this example is "3002."

    vpn_3002_nem_5402_11.gif

  6. The IPSec tab lets you configure the IPsec parameters that allow the VPN 3002 Hardware Client to connect to the VPN 3000 Concentrator over a secure VPN tunnel. Complete these steps to configure the IPsec parameters:

    1. In the Peer Address field, enter the IP address or hostname of the VPN 3000 Concentrator to which your VPN 3002 Hardware Client connects.

      Note: In order to enter a host name, a DNS server must be configured. The public IP address of the VPN 3000 Concentrator in this example is 172.18.124.130.

    2. Check the Use Certificate box to use digital certificates for authentication. If you use digital certificates, there is no need to enter a group name and group password.

    3. If you do not use digital certificates, enter a unique name for the group in the Group Name field. This example uses "3002group" as the group name. Make sure that the name matches the group name on the VPN Concentrator.

    4. Also, if you do not use digital certificates, enter a unique password for the group in the Group Password field. The field displays only asterisks. This example uses "cisco123" as the password. Make sure that it matches with the group password on the VPN Concentrator.

    5. In the Group Verify field, reenter the group password to verify it. The field displays only asterisks.

    6. If you do not use digital certificates, enter a unique name for the user in the User Name field. This example uses "3002user" as the user name. Make sure that the user name on the VPN 3002 Hardware Client matches the user name on the VPN Concentrator.

    7. In the User Password field, enter the password for this user. The maximum length is 32 characters. This is the same user password that you configure for the VPN 3002 Hardware Client on the central-site VPN 3000 Concentrator.

    8. In the User Verify field, reenter the user password to verify it. The field displays only asterisks.

    9. Click Continue to apply your changes and proceed.

      vpn_3002_nem_5402_12.gif

  7. Use the next window to configure the VPN 3002 Hardware Client to use either PAT or NEM.

    Accept the default Yes if you want to use PAT (client mode). Otherwise, select No, use Network Extension mode.

    Note: You cannot disable PAT (that is, select NEM) until you have changed the IP address of the private interface from its default. In NEM the private network is presented to the central site as a routable network, so it must not be the default 192.168.10.0/24 that every VPN 3002 Hardware Client ships with, and it must not overlap any other network reachable through the concentrator.

  8. Click Continue to proceed with Quick Configuration.

    vpn_3002_nem_5402_13.gif

  9. On the next window, in the DNS Server field, enter the IP address of your local DNS server using dotted decimal notation (for example, 10.10.0.11).

    In the Domain field, enter the local ISP domain name. For more information on DNS/WINS issues, see WINS and DNS in the VPN 3002 Hardware Client. Click Continue to proceed.

    vpn_3002_nem_5402_14.gif

  10. Make sure that you have a default route that goes out to the Internet, such as toward the public interface of the VPN 3002 Hardware Client. Click Continue to proceed to the next window.

    vpn_3002_nem_5402_15.gif

  11. This window allows you to change the password for the administrator user.

    The default administrator password supplied with the VPN 3002 Hardware Client is "admin." Since the administrator user has full access to all management and administration functions on the device, you should change this password to improve device security. Click Continue to proceed.

    vpn_3002_nem_5402_16.gif

  12. You have finished the Quick Configuration, and your entries constitute the active or running configuration. This configuration has now been saved as the boot configuration. The VPN 3002 Hardware Client now has enough information, and it is operational. The VPN 3002 Hardware Client can now establish a secure VPN tunnel to the central-site VPN 3000 Concentrator.

Monitor the Configuration

VPN 3002 Hardware Client

In order to monitor the tunnel on the VPN 3002 Hardware Client side, select Monitoring > System Status, and make sure that at least three SAs are established.

vpn_3002_nem_5402_17.gif

VPN 3000 Concentrator

In order to monitor the tunnel on the VPN 3000 Concentrator side, select Monitoring > Sessions, and make sure that your VPN Concentrator receives and transmits traffic. You can click on the user name to get detailed statistics for that particular IPsec session.

vpn_3002_nem_5402_18.gif

Verify

Test the IPsec Tunnel

In order to test the IPsec tunnel, ping from the VPN 3002 Hardware Client to the private IP address of the VPN 3000 Concentrator (10.32.24.131 in this example). The ping utility is located on the Administration page of the VPN 3002 Hardware Client. If you are able to ping the private IP address of the VPN Concentrator, then your IPsec tunnel works properly. If the ping succeeds but you are not able to reach anything behind the VPN 3000 Concentrator, then you have routing issues; see Troubleshoot.

vpn_3002_nem_5402_19.gif

Troubleshoot

Route Behind the VPN 3000 Concentrator

If you are able to ping the private interface of the VPN Concentrator as described earlier in this document, but unable to reach anything else, then you have an internal routing issue. All of your internal devices (firewalls, routers, Layer 3 switches) must have a route to the private network behind the VPN 3002 Hardware Client.

All packets destined for the private network behind the VPN 3002 Hardware Client (172.16.1.0/24 in this example) must be routed to the private interface of the VPN Concentrator (10.32.24.131 in this example). Reverse Route Injection can advertise this route from the concentrator; otherwise add it statically on every device in the path.

IPsec Tunnel Does Not Come Up

If the IPsec tunnel does not come up, then make sure that you have these debugs enabled on the VPN 3000 Concentrator as well as on the VPN 3002 Hardware Client:

  • IKE - Severity to log : 1-13

  • IKEDBG - Severity to log : 1-13

  • IPSEC - Severity to log : 1-13

  • IPSECDBG - Severity to log : 1-13

Once you have the debugs, identify the point at which the negotiation fails. Common causes and the messages that identify them are listed here:

  • IKE: Fails on Phase 1 negotiation

    Group [3002group]
    Xauth required but selected Proposal does not support xauth,
    Check priorities of ike xauth proposals in ike proposal list

    or

    Group [3002group]
    All SA proposals found unacceptable
  • Wrong group password

    The VPN 3002 Hardware Client log shows an entry like this:

    Group [172.18.124.130]
    Rxed Hash is incorrect: Pre-shared key or Digital Signature mismatch
  • Wrong group name

    The VPN 3000 Concentrator log shows this message (note the truncated group name "3002grou"):

    No Group found matching 3002grou for Pre-shared key peer 172.18.124.218
  • Wrong user name

    The VPN 3000 Concentrator logs show this message:

    Authentication rejected: Reason = User was not found
    handle = 214, server = Internal, user = 3002use, domain = <not specified>
  • Wrong user-name password

    The VPN 3000 Concentrator logs show this message:

    Authentication rejected: Reason = Invalid password
    handle = 258, server = Internal, user = 3002user, domain = <not specified>
  • VPN tunnel is established but you are not able to ping the private IP address of the concentrator

    Compare the counters on the VPN 3002 Hardware Client and on the VPN 3000 Concentrator while you send test traffic. On the VPN 3002 Hardware Client select Monitoring > System Status, and note the Octets Out and Octets In counters. On the VPN 3000 Concentrator select Monitoring > Sessions, open the session, and note the Bytes Receiving (Rx) and Bytes Transmitting (Tx) counters. There are two possible scenarios:

    • If these two counters increment, but the Octets In and Bytes Transmitting (Tx) are not, then you have an overlapping SA on the VPN Concentrator. An overlapping SA means that you have some other remote location which also has a private network the same as the one behind the VPN 3002 Hardware Client. Using the example in this document, that would mean you have a 172.16.1.0/24 network somewhere else in your network behind some other remote site.

    • If the Octets Out counter increments on the VPN 3002 Hardware Client side but the Bytes Rx counter on the VPN Concentrator does not, then the IPsec packets are being filtered somewhere between the two devices. Check these points:

      • If your VPN 3002 Hardware Client is behind a PAT device, make sure that the IPSec through NAT option is enabled on the group, as discussed in Configure the VPN 3000 Concentrator.

      • If IPsec through NAT (UDP encapsulation) is enabled, make sure that nothing in the path blocks the UDP port used for the encapsulation. By default, the UDP port number is 10000.
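To make the troubleshooting checklist above repeatable, here is an added example, not Cisco code, that classifies the log messages this section lists and interprets the counter readings described for the "tunnel up but no ping" case. The sample log is constructed from the message texts shown in this document; the per-entry header lines a real concentrator prints (sequence number, timestamp, severity) are omitted, which is why the rules use unanchored searches. The diagnosis strings and the counter thresholds are this example's own.

```python
"""Added example (not Cisco code): classify VPN 3000 Concentrator / VPN 3002
log messages and tunnel counters against the failure causes listed in the
Troubleshoot section.  SAMPLE_LOG is constructed from the messages shown in
the document, without the real log-entry header lines."""
import re

# (diagnosis, pattern) pairs, in the order the document lists the causes.
RULES = [
    ("phase 1: no IKE proposal supports XAUTH",
     re.compile(r"Xauth required but selected Proposal does not support xauth")),
    ("phase 1: all SA proposals unacceptable",
     re.compile(r"All SA proposals found unacceptable")),
    ("wrong group password",
     re.compile(r"Rxed Hash is incorrect: Pre-shared key or Digital Signature mismatch")),
    ("wrong group name",
     re.compile(r"No Group found matching (?P<group>\S+) for Pre-shared key peer (?P<peer>\S+)")),
    ("wrong user name",
     re.compile(r"Authentication rejected: Reason = User was not found")),
    ("wrong user password",
     re.compile(r"Authentication rejected: Reason = Invalid password")),
]

# The user name is on the 'handle = ..., user = ...' line that follows a rejection.
USER_RX = re.compile(r"\buser = (?P<user>[^,\s]+)")


def classify_line(line):
    """Return (diagnosis, captured details) for a known message, else None."""
    for diagnosis, rx in RULES:
        m = rx.search(line)
        if m:
            return diagnosis, m.groupdict()
    return None


def classify_log(text):
    """Walk a log and return one finding per recognised message, attaching the
    user name from the following 'handle = ...' line to authentication rejections."""
    findings = []
    for line in text.splitlines():
        hit = classify_line(line)
        if hit:
            findings.append({"diagnosis": hit[0], **hit[1]})
            continue
        m = USER_RX.search(line)
        if m and findings and findings[-1]["diagnosis"].startswith("wrong user"):
            findings[-1]["user"] = m.group("user")
    return findings


def diagnose_counters(client_octets_out, client_octets_in, conc_bytes_rx, conc_bytes_tx):
    """Interpret counter deltas taken across a test burst of pings: Octets Out /
    Octets In from the VPN 3002's Monitoring > System Status, Bytes Rx / Bytes Tx
    for the session from the concentrator's Monitoring > Sessions."""
    if client_octets_out == 0:
        return "no traffic sent: check the test itself and the client's routing"
    if conc_bytes_rx == 0:
        return ("IPsec packets filtered between client and concentrator: enable IPsec "
                "through NAT behind a PAT device and allow its UDP port (10000 by default)")
    if client_octets_in == 0 and conc_bytes_tx == 0:
        return "overlapping SA: another session presents the same private network to the concentrator"
    return "traffic flows in both directions; look for an internal routing problem instead"


SAMPLE_LOG = """\
Group [3002group]
Xauth required but selected Proposal does not support xauth,
Check priorities of ike xauth proposals in ike proposal list
Group [172.18.124.130]
Rxed Hash is incorrect: Pre-shared key or Digital Signature mismatch
No Group found matching 3002grou for Pre-shared key peer 172.18.124.218
Authentication rejected: Reason = User was not found
handle = 214, server = Internal, user = 3002use, domain = <not specified>
Authentication rejected: Reason = Invalid password
handle = 258, server = Internal, user = 3002user, domain = <not specified>
"""

if __name__ == "__main__":
    for finding in classify_log(SAMPLE_LOG):
        print(finding)
    print(diagnose_counters(1200, 0, 0, 0))
    print(diagnose_counters(1200, 0, 1200, 0))
```

Feed it the text of the concentrator's event log (Monitoring > Filterable Event Log) rather than the sample to triage a real failure; the regular expressions only need the message text, so the header lines do not disturb them.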
