
Cisco VPN 5000 Series Concentrators

Cisco VPN 5001/5002/5008 Aggressive-Mode Site-to-Site Setup Guide: Command-Line Version


Document ID: 47480

Updated: Apr 04, 2008


Introduction

This guide provides the initial configuration for the Cisco VPN 5001/5002/5008 IPSec VPN Appliance. More specifically, it shows how to configure the appliance to connect to the network via IP and to offer LAN-to-LAN VPN connectivity.

The Cisco VPN 500x VPN Appliance can be installed with either of two configurations, depending on where it is connected to the network in relation to a firewall. The Cisco VPN 500x has two Ethernet ports, one of which (Ethernet 1) passes IPSec traffic only. The other (Ethernet 0) freely routes all IP traffic. If the Cisco VPN 500x is to be installed in parallel with the firewall, both ports must be used, so that Ethernet 0 faces the protected LAN and Ethernet 1 faces the Internet via the network's Internet gateway router. The Cisco VPN 500x can also be installed behind the firewall on the protected LAN and connected via only the Ethernet 0 port. In that case, the IPSec traffic that passes between the Internet and the Cisco VPN 500x passes through the firewall.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco VPN 500x Concentrator

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Basic Connectivity Configuration

The easiest way to establish basic network connectivity on the Cisco VPN 500x is to connect a serial cable to the console port on the appliance and use terminal software to configure the IP address on the Ethernet 0 port. After you configure the IP address on the Ethernet 0 port, you can connect to the Cisco VPN 500x via Telnet to complete the configuration. Alternatively, a configuration file generated in a text editor can be pushed to the device via TFTP. When you use terminal software through the console port, you are initially prompted to enter a password. At this stage, the default password on the command-line interface is letmein. After you respond with the password, issue these commands:

config ip Ethernet 0
	  ipaddress=192.168.233.1
	  subnetmask=255.255.255.0
	  ipbroadcast=192.168.233.255
	  mode=routed

The entire sequence appears here:

*[ IP Ethernet 0 ]# configure ip ethernet 0
	  Section 'ip ethernet 0' not found in the config.
	  Do you want to add it to the config? y
	  Configure parameters in this section by entering:
	  <Keyword> = <Value>
	  To find a list of valid keywords and additional help enter "?"
	  *[ IP Ethernet 0 ]# ipaddress=192.168.233.1
	  *[ IP Ethernet 0 ]# subnetmask=255.255.255.0
	  *[ IP Ethernet 0 ]# ipbroadcast=192.168.233.255
	  *[ IP Ethernet 0 ]# mode=routed
	  *[ IP Ethernet 0 ]#

Note: Remember that the TCP/IP addresses and the user information are examples only. Your values will be different.

Ethernet 1

You are now ready to configure the IPSec Ethernet port. The TCP/IP addressing information on this port is the external, Internet-routable TCP/IP address you assigned to the Cisco VPN 500x.

Note: This address must not be in the same TCP/IP network as Ethernet 0, or you will disable TCP/IP in the Cisco VPN 500x.

Enter these commands:

configure ip ethernet 1
	  y
	  ipaddress=206.45.55.1
	  subnetmask=255.255.255.0
	  ipbroadcast=206.45.55.255
	  mode=routed

The entire sequence appears here:

* IntraPort2+_A56CB700# configure ip ethernet 1
	  Section 'ip ethernet 1' not found in the config.
	  Do you want to add it to the config? y
	  Configure parameters in this section by entering:
	  <Keyword> = <Value>
	  To find a list of valid keywords and additional help enter "?"
	  *[ IP Ethernet 1 ]# ipaddress=206.45.55.1
	  *[ IP Ethernet 1 ]# subnetmask=255.255.255.0
	  *[ IP Ethernet 1 ]# ipbroadcast=206.45.55.255
	  *[ IP Ethernet 1 ]# mode=routed
	  *[ IP Ethernet 1 ]#

IPSec Gateway

Tell the Cisco VPN 500x where to send all IPSec (tunneled) traffic. In the 5.2.x code this parameter is called the IPSec Gateway; in the 6.x code it is called the VPN Gateway. This setting is independent of the default route, which is configured in the TCP/IP Route Table section below. Enter these commands:

configure general
	  ipsecgateway=206.45.55.2
	  exit

or

configure general
	  vpngateway=206.45.55.2
	  exit

The entire sequence appears here:

* IntraPort2+_A56CB700# configure general
	  Section 'general' not found in the config.
	  Do you want to add it to the config?y
	  Configure parameters in this section by entering:
	  <Keyword> = <Value>
	  To find a list of valid keywords and additional help enter "?"
	  *[ General ]# ipsecgateway=206.45.55.2
	  *[ General ]# exit
	  Leaving section editor.
	  * IntraPort2+_A56CB700#

IKE Policy Configuration

This section is used to set Internet Security Association Key Management Protocol/Internet Key Exchange (ISAKMP/IKE) parameters for a VPN Access Server. These settings control how the server and VPN Client identify and authenticate each other so that tunnel sessions can be established. This initial negotiation is referred to as Phase 1. These parameters are global to the device and are not associated with a particular interface. Keywords recognized in this section are described later in this document. Phase 1 negotiation parameters for LAN-to-LAN tunnels may be set in the [ Tunnel Partner ] section. Phase 2 IKE negotiation sets how the Cisco VPN 500x and the VPN Client handle individual tunnel sessions. Phase 2 IKE negotiation parameters for the VPN Client and server are set in the [ VPN Group ] section. The syntax for the IKE Policy section is:

Protection = [ MD5_DES_G1 | MD5_DES_G2 | SHA_DES_G1 | SHA_DES_G2 |

The Protection keyword specifies a protection suite for the ISAKMP/IKE negotiation between the Cisco VPN 500x and the VPN Client. This keyword may appear multiple times within this section, in which case the Cisco VPN 500x proposes all of the specified protection suites and the Cisco VPN 500x Client accepts one of them for the negotiation. The first piece of each option is the authentication algorithm to be used for the negotiation: MD5 is the Message Digest 5 hash algorithm, and SHA is the Secure Hash Algorithm, which is considered to be somewhat more secure than MD5. The second piece is the encryption algorithm; Data Encryption Standard (DES) uses a 56-bit key to scramble the data. The third piece is the Diffie-Hellman group to be used for key exchange. Because the Group 2 (G2) algorithm uses larger numbers, it is more secure than Group 1 (G1).

Examples

 [ IKE Policy ]
	  Protection = MD5_DES_G1
	  Protection = SHA_DES_G2

 config IKE Policy
	  Protection = MD5_DES_G1
	  exit

The entire sequence appears here:

* IntraPort2+_A56CB700# configure IKE Policy
	  Section 'IKE Policy' was not found in the config.
	  Do you want to add it to the config? y
	  Configure parameters in this section by entering:
	  <Keyword> = <Value> 
	  To find a list of valid keywords and additional help enter "?"
	  *[ IKE Policy ] Protection = MD5_DES_G1 
	  *[ IKE Policy ] exit
	  Leaving section editor.
	  * IntraPort2+_A56CB700#

Aggressive-Mode Site-to-Site Configuration

To configure the Cisco VPN 500x to support LAN-to-LAN connections, it is necessary to define the tunnel configuration, as well as the IP communication parameters that are used in the tunnel. This is accomplished in two sections, the [Tunnel Partner VPN x] section, and the [IP VPN x] section. For any given site-to-site configuration, the (x) defined in these two sections must match, so that the tunnel configurations are properly associated with the protocol configuration.

In the tunnel partner section, there are five parameters that must be defined at the minimum. These parameters are:

Transform

The Transform keyword specifies the protection types and algorithms that are used for IKE Client sessions. Each option is a "protection piece" that specifies authentication and/or encryption parameters. This keyword may appear multiple times within this section. In this case, the Cisco VPN 500x proposes the specified protection pieces in the order they are parsed until a transform is accepted by the Cisco VPN Client for use during the session. In most cases, only one Transform keyword is needed. ESP(SHA,DES), ESP(SHA,3DES), ESP(MD5,DES) and ESP(MD5,3DES) denote using the Encapsulating Security Payload (ESP) header to encrypt and authenticate packets. DES uses a 56-bit key to scramble the data. 3DES uses three different keys and three applications of the DES algorithm to scramble the data. MD5 is the Message Digest 5 hash algorithm. SHA is the Secure Hash Algorithm, which is considered to be somewhat more secure than MD5. ESP(MD5,DES) is the default setting and is recommended for most setups. ESP(MD5) and ESP(SHA) denote using the ESP header to authenticate packets (with no encryption). AH(MD5) and AH(SHA) denote using the Authentication Header (AH) to authenticate packets. AH(MD5)+ESP(DES), AH(MD5)+ESP(3DES), AH(SHA)+ESP(DES) and AH(SHA)+ESP(3DES) use the Authentication Header to authenticate packets and the ESP header to encrypt packets.

Transform = [ ESP(SHA,DES) | ESP(SHA,3DES) | ESP(MD5,DES) | ESP(MD5,3DES) | ESP(MD5) | ESP(SHA) | AH(MD5) | AH(SHA) | AH(MD5)+ESP(DES) | AH(MD5)+ESP(3DES) | AH(SHA)+ESP(DES) | AH(SHA)+ESP(3DES) ]

Partner

The Partner keyword defines the IP address of the other tunnel terminator in the tunnel partnership. This number must be a public routable IP address that the local Cisco VPN 500x can create an IPSec connection with.

KeyManage

The KeyManage keyword defines how the two Cisco VPN 500x devices in a tunnel partnership determine which device initiates the tunnel and what type of tunnel establishment procedure is followed. The options are Auto, Initiate, Respond, and Manual. The first three options are used to configure IKE tunnels, whereas the Manual keyword is used for the configuration of fixed-encryption tunnels using a different set of keywords. This discussion does not focus on fixed-encryption tunnels. Auto key management specifies that the tunnel partner is able to both initiate and respond to tunnel setup requests. Initiate specifies that this tunnel partner only sends tunnel setup requests; it does not respond to them. Respond sets the tunnel partner to only respond to tunnel setup requests; it never attempts to initiate a tunnel setup.

SharedKey

The SharedKey keyword is used as the IKE shared secret. The SharedKey value must be the same on both tunnel partners.

BindTo

The BindTo parameter specifies the local endpoint of the site-to-site connection. If your VPN 500x is configured for two-port operation, the BindTo parameter specifies Ethernet 1. If you deploy the VPN 500x in single-port configuration, the BindTo parameter specifies Ethernet 0.

Enter these commands:

configure Tunnel Partner VPN 1
	  y
	  transform=ESP(MD5,DES)
	  keymanage=auto
	  sharedkey=letmein
	  partner=208.203.136.10
	  bindto=ethernet 1

The entire sequence appears here:

*IntraPort2+_A56CB700# configure Tunnel Partner VPN 1 
	  Section 'config Tunnel Partner VPN 1' not found in the config. 
	  Do you want to add it to the config? y 
	  Configure parameters in this section by entering:
	  <Keyword> = <Value> 
	  To find a list of valid keywords and additional help enter "?" 
	  *[ Tunnel Partner VPN 1 ]# transform=ESP(MD5,DES) 
	  *[ Tunnel Partner VPN 1 ]# keymanage=auto 
	  *[ Tunnel Partner VPN 1 ]# sharedkey=letmein 
	  *[ Tunnel Partner VPN 1 ]# partner=208.203.136.10 
	  *[ Tunnel Partner VPN 1 ]# bindto=ethernet 1 
	  *[ Tunnel Partner VPN 1 ]# exit 
	  Leaving section editor. 

In the IP configuration section for each tunnel partnership, configuration is determined similarly to IP configuration on WAN connections, in that the options are to use a numbered or an unnumbered connection. Since numbered is the more complex configuration, unnumbered is used for this example. A discussion of numbered-tunnel configuration can be found later in this document. The minimum configuration to run an unnumbered site-to-site connection requires two parameters: the Numbered=False and the Mode=Routed statements.

configure ip vpn 1
	  y
	  mode=routed
	  numbered=false

The entire sequence appears here:

*[ IP Ethernet 0 ]# configure ip vpn 1 
	  Section 'IP VPN 1' not found in the config. 
	  Do you want to add it to the config?y 
	  Configure parameters in this section by entering: 
	  <Keyword> = <Value>  
	  To find a list of valid keywords and additional help enter "?" 
	  *[ IP VPN 1 ]# mode=routed 
	  *[ IP VPN 1 ]# numbered=false 

TCP/IP Route Table

The next step is to tell the Cisco VPN 500x where to send all TCP/IP traffic destined for networks other than the network(s) to which it is directly connected or has dynamic routes for. This is also known as the "default route." The default route points back to all networks found on the internal port. The Cisco VPN 500x is configured to send IPSec traffic to and from the Internet with the IPSec Gateway parameter, which is discussed in the IPSec Gateway section above.

Static routes for site-to-site tunnel-connected networks may also be entered in the IP Static section of the configuration. If you use numbered tunnels, routes are entered in the same format as a static route: [Destination Network] [Destination Netmask] [Next-Hop-Router] [Metric]. When you use unnumbered tunnels, routing is set by indicating the VPN tunnel through which traffic is forwarded to the destination network: [Destination Network] [Destination Netmask] [VPN-Tunnel-Number] [Metric].

Enter these commands:

edit config ip static
	  y
	  append 1
	  0.0.0.0 0.0.0.0 192.168.233.2 1
	  192.168.210.0 255.255.254.0 VPN 1 1
	  .
	  exit

The entire sequence appears here:

*IntraPort2+_A56CB700# edit configure ip static
	  Section 'ip static' not found in the config.
	  Do you want to add it to the config? y
	  Configuration lines in this section have the following format:
	  <Destination> <Mask> <Gateway> <Metric> [<Redist=(RIP|none)>]
	  Editing "[ IP Static ]" ... 
	  1: [ IP Static ]
	  End of buffer
	  Edit [ IP Static ]> append 1
	  Enter lines at the prompt. To terminate input, enter
	  a . on a line all by itself.
	  Append> 0.0.0.0 0.0.0.0 192.168.233.2 1
	  Append> 192.168.210.0 255.255.254.0 VPN 1 1
	  Append> .
	  Edit [ IP Static ]> exit
	  Saving section...
	  Checking syntax...
	  Section checked successfully.
	  *IntraPort2+_A56CB700#
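As an added example (not Cisco's code or any VPN 500x output), this Python script assembles the sections configured above into one text file of the kind the Basic Connectivity Configuration section says can be pushed via TFTP, and first checks the constraints this guide states: Ethernet 0 and Ethernet 1 must not share a network, the Tunnel Partner section needs its five minimum parameters, Partner must be public routable, BindTo depends on one- or two-port deployment, and an unnumbered static route must name the tunnel that was defined. The addresses are the guide's example values; the file layout ([ Section ] header plus keyword=value lines) is assumed from the section and keyword syntax the guide shows.

```python
import ipaddress

# Constructed values copied from the guide's example. The file layout (a [ Section ]
# header followed by keyword=value lines) is assumed from the syntax the guide shows.
ETH0 = {"ipaddress": "192.168.233.1", "subnetmask": "255.255.255.0",
        "ipbroadcast": "192.168.233.255", "mode": "routed"}
ETH1 = {"ipaddress": "206.45.55.1", "subnetmask": "255.255.255.0",
        "ipbroadcast": "206.45.55.255", "mode": "routed"}
TUNNEL = {"transform": "ESP(MD5,DES)", "keymanage": "auto", "sharedkey": "letmein",
          "partner": "208.203.136.10", "bindto": "ethernet 1"}
ROUTES = ["0.0.0.0 0.0.0.0 192.168.233.2 1", "192.168.210.0 255.255.254.0 VPN 1 1"]
REQUIRED = ("transform", "partner", "keymanage", "sharedkey", "bindto")


def check_config(eth0, eth1, tunnel, vpn_id, routes, two_port=True):
    """Return the guide's constraints that are violated (empty list means OK)."""
    problems = []
    net0 = ipaddress.ip_network(f"{eth0['ipaddress']}/{eth0['subnetmask']}", strict=False)
    net1 = ipaddress.ip_network(f"{eth1['ipaddress']}/{eth1['subnetmask']}", strict=False)
    if net0 == net1:  # the same network on both ports disables TCP/IP on the box
        problems.append("Ethernet 0 and Ethernet 1 are in the same network")
    for key in REQUIRED:  # the five minimum Tunnel Partner parameters
        if key not in tunnel:
            problems.append(f"Tunnel Partner is missing {key}")
    partner = ipaddress.ip_address(tunnel.get("partner", "0.0.0.0"))
    if not partner.is_global:  # Partner must be a public routable address
        problems.append("partner is not a public routable address")
    expected = "ethernet 1" if two_port else "ethernet 0"  # BindTo rule
    if tunnel.get("bindto") != expected:
        problems.append(f"bindto must be {expected} for this deployment")
    for route in routes:  # an unnumbered route names the tunnel it uses
        fields = route.split()
        if fields[2].upper() == "VPN" and fields[3] != str(vpn_id):
            problems.append(f"route {route!r} points at an undefined tunnel")
    return problems


def render_config(eth0, eth1, gateway, tunnel, vpn_id, routes):
    """Render the sections as one text file that could be pushed via TFTP."""
    def section(name, params):
        return [f"[ {name} ]"] + [f"  {k}={v}" for k, v in params.items()]
    lines = section("IP Ethernet 0", eth0) + section("IP Ethernet 1", eth1)
    lines += section("General", {"ipsecgateway": gateway})  # 5.2.x keyword name
    lines += section("IKE Policy", {"Protection": "MD5_DES_G1"})
    lines += section(f"Tunnel Partner VPN {vpn_id}", tunnel)
    # the IP VPN x index must match Tunnel Partner VPN x; unnumbered, routed
    lines += section(f"IP VPN {vpn_id}", {"mode": "routed", "numbered": "false"})
    lines += ["[ IP Static ]"] + [f"  {r}" for r in routes]
    return "\n".join(lines) + "\n"
```

Run check_config first and only write the file render_config returns when the list of problems is empty.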

Save the configuration. When asked if you are sure that you want to download the configuration and restart the device, type y and press Enter. DO NOT turn the Cisco VPN 500x off during the boot process. After the Cisco VPN 500x has rebooted, users can connect with the Cisco 500x VPN Client software. Enter these commands:

save
	  y

The entire sequence appears here:

*IntraPort2+_A56CB700# save
Save configuration to flash and restart device? y

If you are connected to the Cisco VPN 500x via a Telnet session, that is all that you will see. If you are connected via a console, you will see something that looks like this, plus much more. When the Cisco VPN 500x says "Hello Console..." and asks for a password, you are finished.

Codesize => 0 pfree => 462
	  Updating Config variables...
	  Adding section '[ General ]' to config
	  Adding -- ConfiguredFrom = Command Line, from Console
	  Adding -- ConfiguredOn = Timeserver not configured
	  Adding -- DeviceType = IntraPort2
	  Adding -- SoftwareVersion = IntraPort2 V4.5
	  Adding -- EthernetAddress = 00:00:a5:6c:b7:00
	  Not starting command loop: restart in progress.
	  Rewriting Flash....

You are done with a basic Cisco VPN 500x configuration. There are many other options beyond the scope of this guide. Please read the other documentation that came with your device and consult the online support options on the Cisco Systems web site for the latest updates.
