Cisco IP Solution Center Security User Guide, 3.0
Remote Access VPN Services
Table Of Contents

Remote Access VPN Services

Remote Access VPN Provisioning Setup

Creating AAA Server Devices

Creating Remote Access VPN Policies

Creating an Encryption Policy

Customizing IKE Proposals (Optional)

Customizing IPsec Proposals (Optional)

Creating a Remote Access VPN Policy

Defining Address Pools

Defining Split Tunneling Networks (Optional)

Defining the Remote Access User List (Optional)

Defining Cisco IOS Software-Specific Parameters

Defining PIX Firewall-Specific Parameters

Defining VPN 3000-Specific Parameters

Defining the VPN 3000 Access Hours

Defining the VPN 3000 L2TP Parameters

The Remote Access VPN Policy Summary Page

Creating Remote Access VPN Service Requests


Remote Access VPN Services


This chapter contains the following sections:

Remote Access VPN Provisioning Setup

Creating AAA Server Devices

Creating Remote Access VPN Policies

Creating Remote Access VPN Service Requests

Remote Access VPN Provisioning Setup

Remote Access VPN tunnels are initiated by a VPN Client and terminated at the secure network edge.

To begin the remote access provisioning process, the network administrator defines an encryption policy and a remote access VPN policy and, optionally, configures a AAA server. The remote access policy is then applied to CPE devices in the network by deploying a remote access service request that references the policy.


Note Before creating an ISC security policy or service request, it is necessary to populate the ISC repository with the target devices in your network, collect the initial device configuration files, designate customers and customer sites, and define each device as a CPE.

CPE devices are the devices at each end of the VPN tunnel. Creating CPE devices includes assigning each target device to a specific customer and customer site and marking the device interfaces. Specifically for security management, you must define at least one public and one private interface on each device.

For how-to information on populating your ISC repository and setting up CPE devices, refer to the Cisco IP Solution Center Infrastructure Guide, 3.0.


Creating AAA Server Devices

An AAA server is required when the user authentication method is external or the group policy information is stored on an external AAA server. If user profiles or group attributes are to be obtained from a AAA Server (as opposed to having them stored on the CPE device itself), then a AAA Server entry must be created in Inventory and Connection Manager.

To create an AAA server device, perform the following steps:


Step 1 Click Home > Service Inventory > Inventory and Connection Manager > AAA Servers. The AAA Servers page appears as shown in Figure 4-1.

Figure 4-1 The AAA Servers Page

Step 2 Click Create. The Create AAA Server page appears as shown in Figure 4-2.

Figure 4-2 The Create AAA Servers Page

Step 3 Follow the instructions in Table 4-1 to enter the AAA server attributes.

Table 4-1 Create AAA Server Fields

Field Name
Type
Instructions

Name

text box

Enter a name for the AAA server.

Owner

Select button

Specify whether the AAA server is global by clicking Global, or customer owned by clicking Customer.

If you select Customer, you are required to specify the owner. Choose the customer with which you want to associate the AAA server. To do this, click Customer > Select. The Customer for IPsec Policy dialog box appears. Click the button next to the customer you want to select and click Select (to choose that customer), or click Cancel to exit the dialog box without saving changes. Both return you to the main page.

IP Address

text box

Enter the IP address of the AAA server.

Server Type

drop-down list

Click the drop-down list and select the type of the AAA server. The type can be RADIUS, TACACS+, NTDOMAIN, or SDI.

Server Role

drop-down list

Click the drop-down list and select the server role. It can be AUTHENTICATION server only, ACCOUNTING server only, or BOTH authentication server and accounting server.

Port

text box

Enter the server port number.

Accounting Server Port

text box

Enter the accounting port number if the server acts as an accounting server.

Timeout

text box

Enter the timeout in seconds: how long to wait for a response after sending a query to the server before retrying. The default is 4 seconds.

Retries

text box

Enter the number of times to retry sending a query to the server after the timeout period. The default is 2.

Secret

text box

Enter the AAA server secret (also called the shared secret). The field shows only asterisks. This secret is what authenticates the VPN device to the RADIUS or TACACS+ server, so use a long, randomly generated value rather than a word, and do not reuse it across unrelated devices.

Verify Secret

text box

Verify the AAA server's secret.


Step 4 Click Save when done. The AAA Servers page appears with the newly created AAA server displayed in the AAA server list, as shown in Figure 4-3.

Figure 4-3 The AAA Servers Page After Adding A New Server

Creating Remote Access VPN Policies

In the Remote Access VPN policy, the network administrator performs the following tasks:

Configures the encryption policy (which contains IKE and IPsec proposal parameters) that defines the network layer encryption and authentication control.

Specifies the IKE XAuth parameters for user authentication.

Sets the Mode Configuration parameters for policy push and dynamic IPsec features such as dynamically assigned client IP addresses.

Defines the group policy parameters.

The group policy information is stored in a profile that can be used locally in the VPN device configuration or on an AAA server (for example, a RADIUS server). When the user or group information is stored on AAA servers, you must also configure access to the AAA servers and allow the VPN device to send requests to the AAA servers.

Once created, the remote access policies can be applied to multiple service requests.

To define a remote access VPN policy, use the following sections:

Creating an Encryption Policy

Creating a Remote Access VPN Policy

Creating Remote Access VPN Service Requests

Creating an Encryption Policy

The encryption policy defines the security parameters for protecting data traveling through the VPN tunnels. It consists of one or more IKE proposals, one or more IPsec proposals, and some global attributes. For example, the IKE proposal portion of the encryption policy could consist of selecting the 3DES, SHA, certificates, and Diffie-Hellman Group 2 options, and the IPsec proposal portion of the encryption policy could consist of selecting the ESP-AES, ESP-SHA, no authentication header (AH), no compression, and no PFS options.

You must have an encryption policy for your remote access policy. However, the same encryption policy used in a site-to-site VPN policy may also be used for a remote access policy. So, if you have already created an encryption policy in ISC that you would like to use, you can proceed to the "Creating a Remote Access VPN Policy" section.

To define an encryption policy, perform the following steps:


Step 1 Click Home > Service Design > Policy Manager. The Policies page appears as shown in Figure 4-4.

Figure 4-4 The Policies Page

Step 2 From the Create drop-down list, choose IPsec Policy. The IPsec Policy Creation page appears as shown in Figure 4-5.

Figure 4-5 The IPsec Policy Creation Page

Step 3 Click Encryption Policy in the TOC on the left of the page. The IPsec Encryption Policy appears as shown in Figure 4-6.

Figure 4-6 The IPsec Encryption Policy Page

Step 4 Follow the instructions in Table 4-2 to enter values in the IPsec Encryption Policy page fields.

Table 4-2 IPsec Encryption Policy Fields for Remote Access

Field Name
Type
Instructions

Policy Name

text box

Enter the name of the encryption policy.

Owner

drop-down list

Select whether the policy is global by clicking Global, or customer owned by clicking Customer.

If you select Customer, you are required to specify the owner. To do this, click Customer > Select. The Customer for IPsec Policy dialog box appears as shown in Figure 4-7. Click the button next to the customer you want to select and click Select (to choose that customer), or click Cancel to exit the dialog box without saving changes. Both return you to the main page.

IPsec Lifetime (seconds)

text box

Enter the IPsec lifetime in seconds.

IPsec Lifetime (kilobytes)

text box

Enter the IPsec lifetime in kilobytes.

IKE Keepalive Interval

text box

Enter the keepalive interval in seconds. This is the time interval between each keepalive packet.

IKE Keepalive Retry Interval

text box

Enter the keepalive retry interval in seconds. If there is no response from the peer, this value determines when to send the next keepalive packet to peer.

PFS

drop-down list

Select a Diffie-Hellman group to enable Perfect Forward Secrecy (PFS), or select None to disable it. With PFS, each IPsec SA is keyed by a fresh Diffie-Hellman exchange, so compromise of the IKE SA key material does not expose earlier IPsec traffic.


Figure 4-7 Customer for IPsec Policy Dialog Box

Step 5 No further steps are needed if you want to use the default IKE and IPsec proposals. To accept the defaults, click Save. This returns you to the Policies page. Otherwise, if you would like to customize the IKE or IPsec proposals, do not click Save. Continue on to the "Customizing IKE Proposals (Optional)" section or the "Customizing IPsec Proposals (Optional)" section.


Customizing IKE Proposals (Optional)

You can create or delete IKE proposal parameter sets by following the instructions in this section.


Step 1 Select IKE Proposals from the IPsec Encryption Policy page TOC. The IKE Proposals page appears as shown in Figure 4-8.


Note If you are not on the IPsec Encryption Policy page, you can navigate to the IKE Proposals page by clicking Service Design > Policy Manager > Create > IPsec Policy > Encryption Policy > IKE Proposals.


Figure 4-8 The IKE Proposals Page

Step 2 To add a new IKE proposal parameter set, click Create. The IKE Proposals dialog box appears as shown in Figure 4-9.


Note To delete a parameter set, check the box next to it and click Delete. This deletes the parameter set immediately.


Figure 4-9 IKE Proposals Dialog Box

Step 3 Follow the instructions in Table 4-3 to select IKE proposal parameters.

Table 4-3 IKE Proposal Fields 

Field Name
Type
Instructions

Authentication

drop-down list

Select one of the following options:

IKE_PRESHARED_KEY - (Default.) Available on all ISC supported platforms. Specify to use preshared keys for authentication. The preshared keys are derived from the password of the user or peer group.

IKE_RSA_SIGNATURES - Cisco IOS and PIX Firewall devices only. Specify to use digital certificates issued by a Certificate Authority (CA) for authentication, based on RSA signatures. This option can be used only when all participating peers recognize the CA as the authenticating authority.

IKE_RSA_ENCRYPTION - Specify to use RSA encryption for authentication.

IKE_DSA_CERTIFICATE - VPN 3000 only. Specify to use digital certificates with keys generated by the DSA algorithm for authentication.

Encryption

drop-down list

Select one of the following encryption options:

DES - Specify to use Data Encryption Standard (DES) for encryption.

3DES - Specify to use Triple Data Encryption Standard (3DES) for encryption.

AES - Specify to use Advanced Encryption Standard (AES) with a 128-bit key for encryption.

AES-192 - Specify to use AES with a 192-bit key for encryption.

AES-256 - Specify to use AES with a 256-bit key for encryption.

Hash Algorithm

drop-down list

Select one of the following hash algorithm options:

SHA - Specify to use Secure Hash Algorithm (SHA-1) as the hash algorithm. SHA-1 produces 160-bit hash values, longer than those of MD5, and is the recommended choice of the two.

MD5 - Specify to use Message Digest 5 (MD5) as the hash algorithm. MD5 produces 128-bit hash values and is the weaker option; select it only for peers that cannot negotiate SHA.

DH Group ID

drop-down list

Diffie-Hellman (DH) is a public key cryptography protocol that enables two parties to establish a shared secret over insecure communications channels. Select one of the following DH groups to use in Internet Key Exchange (IKE) to establish session keys:

DH_GROUP_1 - Available on all ISC supported platforms. Specify to use 768-bit Diffie-Hellman Group 1 cryptography.

DH_GROUP_2 - Cisco IOS and PIX Firewall devices only. Specify to use 1024-bit Diffie-Hellman Group 2 cryptography.

DH_GROUP_5 - Available on all ISC supported platforms if the software system requirements for the platform are met. Specify to use 1536-bit Diffie-Hellman (DH) Group 5 cryptography.

DH_GROUP_7 - VPN 3000 only. Specify to use DH Group 7, the 163-bit Elliptic Curve Diffie-Hellman (ECDH) group.

Lifetime

text box

Enter the duration for the IKE lifetime (session length) in seconds.


Step 4 Click OK when done. This returns you to the IKE Proposals page.

Step 5 Click OK again to return to the IPsec Encryption Policy page.

Step 6 Continue to the "Customizing IPsec Proposals (Optional)" section, or click Save to complete your encryption policy and continue to the "Creating a Remote Access VPN Policy" section.


Customizing IPsec Proposals (Optional)

You can create or delete IPsec proposal parameter sets by following the instructions in this section.


Step 1 Select IPsec Proposals from the IPsec Encryption Policy page TOC. The IPsec Proposals page appears as shown in Figure 4-10. The IPsec Proposals page is similar in functionality to the IKE Proposals page.


Note If you are not on the IPsec Encryption Policy page, you can navigate to the IPsec Proposals page by clicking Service Design > Policy Manager > Create > IPsec Policy > Encryption Policy > IPsec Proposals.


Figure 4-10 The IPsec Proposals Page

Step 2 Click Create. The IPsec Proposals dialog box appears as shown in Figure 4-11.

Figure 4-11 IPsec Proposals Dialog Box

Step 3 Follow the instructions Table 4-4 to select the IPsec Proposal parameters.

Table 4-4 IPsec Proposal Fields for Remote Access VPN

Field Name
Type
Instructions

AH

drop-down list

Select one of the following authentication header (AH) options:

NOTSET - Disables AH. ("Not set" means that the feature is not used.) This is the usual choice; integrity protection is then provided by ESP Authentication.

SHA - Specify to use Secure Hash Algorithm (SHA-1) as the AH integrity algorithm. SHA-1 produces 160-bit hash values and is the recommended choice of the two.

MD5 - Specify to use Message Digest 5 (MD5) as the AH integrity algorithm. MD5 produces 128-bit hash values.

ESP Authentication

drop-down list

Select one of the following Encapsulating Security Payload (ESP) authentication options:

NOTSET - Disables the ESP integrity check. ("Not set" means that the feature is not used.) ESP encryption still applies. Do not leave both AH and ESP Authentication set to NOTSET: the tunnel would then encrypt packets without protecting them from modification.

SHA - Specify to use Secure Hash Algorithm (SHA-1) as the ESP integrity algorithm. SHA-1 produces 160-bit hash values and is the recommended choice of the two.

MD5 - Specify to use Message Digest 5 (MD5) as the ESP integrity algorithm. MD5 produces 128-bit hash values.

ESP Encryption

drop-down list

Select one of the following ESP encryption options:

DES - Specify to use Data Encryption Standard (DES) for encryption.

3DES - Specify to use Triple Data Encryption Standard (3DES) for encryption.

AES - Specify to use Advanced Encryption Standard (AES) with a 128-bit key for encryption.

AES-192 - Specify to use AES with a 192-bit key for encryption.

AES-256 - Specify to use AES with a 256-bit key for encryption.

Compression

drop-down list

Select one of the following options:

NOTSET - Disables compression. ("Not set" means that the feature is not used.)

LZS - Specify to use the LZS compression algorithm.


Step 4 Click OK when done. The new IPsec proposal row appears on the IPsec Proposals page.

Step 5 Click OK to return to the IPsec Encryption Policy. Click Save. This returns you to the Policies page.

Step 6 Continue on to the "Creating a Remote Access VPN Policy" section.
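The following Python is an added example, not ISC code, that pulls together the choices from the IKE proposal table (Table 4-3) and the IPsec proposal table (Table 4-4) above: it models an encryption policy with the same drop-down values, flags the combinations a reviewer would reject (DES, MD5, DH group 1, no PFS, and the quiet one, AH and ESP Authentication both NOTSET), and renders an IPsec proposal in IOS transform-set terms. The strength rules, the sample policies and the IOS mapping are assumptions made for this example; ISC's own generated configuration is not shown on this page.

```python
"""Added example (not ISC code): sanity-check an encryption policy assembled
from the IKE (Table 4-3) and IPsec (Table 4-4) proposal choices before saving.
Value strings mirror the ISC drop-down entries; the strength rules are this
example's assumption, and to_ios_transform_set is an illustrative IOS CLI
rendering, not ISC's generated configuration."""
from dataclasses import dataclass
from typing import List

# Drop-down values a reviewer would flag (assumption: reviewer's own policy).
WEAK_CIPHERS = {"DES"}            # 56-bit key
WEAK_HASHES = {"MD5"}             # "SHA" in these tables means SHA-1
WEAK_DH_GROUPS = {"DH_GROUP_1"}   # 768-bit MODP

@dataclass
class IkeProposal:
    authentication: str = "IKE_PRESHARED_KEY"
    encryption: str = "3DES"
    hash_algorithm: str = "SHA"
    dh_group: str = "DH_GROUP_2"

@dataclass
class IpsecProposal:
    ah: str = "NOTSET"
    esp_authentication: str = "SHA"
    esp_encryption: str = "3DES"
    compression: str = "NOTSET"

@dataclass
class EncryptionPolicy:
    name: str
    ike: List[IkeProposal]
    ipsec: List[IpsecProposal]
    pfs: str = "None"             # DH group name, or "None" (Table 4-2)

def check_ike(p: IkeProposal) -> List[str]:
    """Findings for one IKE proposal; an empty list means nothing to flag."""
    findings = []
    if p.encryption in WEAK_CIPHERS:
        findings.append(f"IKE encryption {p.encryption} is weak")
    if p.hash_algorithm in WEAK_HASHES:
        findings.append(f"IKE hash {p.hash_algorithm} is weak")
    if p.dh_group in WEAK_DH_GROUPS:
        findings.append(f"IKE {p.dh_group} (768-bit) is too small")
    return findings

def check_ipsec(p: IpsecProposal) -> List[str]:
    """Findings for one IPsec proposal. The case worth catching is AH and ESP
    authentication both NOTSET: packets are encrypted but not integrity-protected."""
    findings = []
    if p.esp_encryption in WEAK_CIPHERS:
        findings.append(f"ESP encryption {p.esp_encryption} is weak")
    if p.ah == "NOTSET" and p.esp_authentication == "NOTSET":
        findings.append("no integrity protection: AH and ESP authentication are both NOTSET")
    for value, label in ((p.ah, "AH"), (p.esp_authentication, "ESP authentication")):
        if value in WEAK_HASHES:
            findings.append(f"{label} {value} is weak")
    return findings

def check_policy(policy: EncryptionPolicy) -> List[str]:
    """All findings for a policy, each prefixed with the proposal it came from."""
    findings = []
    for i, p in enumerate(policy.ike):
        findings += [f"ike[{i}]: {f}" for f in check_ike(p)]
    for i, p in enumerate(policy.ipsec):
        findings += [f"ipsec[{i}]: {f}" for f in check_ipsec(p)]
    if policy.pfs == "None":
        findings.append("PFS is None: IPsec keys derive from the IKE SA alone")
    return findings

# IOS keywords the ISC values correspond to (assumption; not ISC's real output).
_ESP_ENC = {"DES": "esp-des", "3DES": "esp-3des", "AES": "esp-aes",
            "AES-192": "esp-aes 192", "AES-256": "esp-aes 256"}

def to_ios_transform_set(name: str, p: IpsecProposal) -> str:
    """Render one IPsec proposal as an IOS transform-set line (illustrative)."""
    parts = []
    if p.ah != "NOTSET":
        parts.append(f"ah-{p.ah.lower()}-hmac")
    parts.append(_ESP_ENC[p.esp_encryption])
    if p.esp_authentication != "NOTSET":
        parts.append(f"esp-{p.esp_authentication.lower()}-hmac")
    if p.compression == "LZS":
        parts.append("comp-lzs")
    return f"crypto ipsec transform-set {name} " + " ".join(parts)

# Constructed samples: a weak combination beside the one the text describes.
WEAK_POLICY = EncryptionPolicy(
    name="legacy",
    ike=[IkeProposal(encryption="DES", hash_algorithm="MD5", dh_group="DH_GROUP_1")],
    ipsec=[IpsecProposal(esp_encryption="DES", esp_authentication="NOTSET")],
)
GOOD_POLICY = EncryptionPolicy(
    name="ra-default",
    ike=[IkeProposal()],
    ipsec=[IpsecProposal(esp_encryption="AES")],
    pfs="DH_GROUP_2",
)

if __name__ == "__main__":
    for pol in (WEAK_POLICY, GOOD_POLICY):
        print(pol.name, check_policy(pol) or "OK")
        print("  ", to_ios_transform_set(pol.name.upper(), pol.ipsec[0]))
```

Run stand-alone it prints the six findings for the weak policy and OK for the one matching the defaults in the text, followed by each policy's transform-set rendering. The checker deliberately treats the proposal list as a whole: a policy is only as strong as its weakest acceptable proposal, since the peer picks.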


Creating a Remote Access VPN Policy

The remote access VPN policy defines the characteristics of the IPsec tunnel between the customer site and the remote user. Its attributes include the VPN group name and password, IP address pools, and split tunneling subnets. Additionally, the policy defines what VPN features are enabled and which are not. For example, the policy enables (or disables) reverse route injection and NAT transparency.

To create a remote access VPN policy, perform the following steps:


Step 1 Click Service Design > Policy Manager. The Policies page appears as shown in Figure 4-12, with previously created policies displayed.

Figure 4-12 The Policies Page

Step 2 Click Create > IPsec Policy. The IPsec Policy Creation page appears as shown in Figure 4-13.

Figure 4-13 The IPsec Policy Creation Page

Step 3 Click Remote Access VPN Policy.

Step 4 The Remote Access VPN Policy - General Editor page appears as shown in Figure 4-14. Look at the list of steps in the table of contents (TOC) on the left of the page. These are the steps for creating a remote access VPN policy.

Figure 4-14 The Remote Access VPN Policy - General Editor Page

Step 5 Follow the instructions in Table 4-5 to enter values for the IPsec Remote Access VPN policy.

Table 4-5 Remote Access VPN Policy - General Editor Fields

Field Name
Type
Instructions

Name

text box

Enter a name for the policy. The name cannot contain spaces because it is used as the VPN group name.

Owner

radio button and Select button

Click Customer > Select and choose the customer for which the remote access VPN is intended. When you click Customer > Select, the Customer for IPsec Policy dialog box appears. Click the button next to the customer you want to select and click Select (to choose that customer), or click Cancel to exit the dialog box without saving changes. Both return you to the main page.

Do not select Global. It is important to associate remote access policies with a specific customer because many remote access VPN parameters are customer-specific.

Encryption Policy

Select button

Choose the name of an encryption policy you created in previous steps by clicking Select.

Password

text box

Required when you select Internal for the Type field. Enter the password (IKE preshared key) for the group. The policy name and password are very important because they are the group name and password that remote users must use when connecting through the Cisco VPN Client. Because every member of the group shares this key, also enable XAuth so that each user is authenticated individually.

Confirm Password

text box

Re-enter the group password to verify it.

Type

drop-down list

Select the policy type. An internal group is configured on the VPN device while an external group is configured on an external AAA server.

Internal - Group attributes are on the router. If the user profiles and group attributes are maintained on the CPE device itself, select Internal.

External - Group attributes are obtained from a AAA Server. If the user profiles and group attributes are maintained on a AAA Server, select External.

XAuth

checkbox

Check to enable IKE Extended Authentication (XAuth).

XAuth Timeout

text box

Enter the idle timeout value for XAuth. The value range is 5 to 90. The default value is 5.

Use Mode Configuration

checkbox

Check the box to use Mode Configuration to push the remote access VPN policy.

Tunneling Protocol

drop-down list

Select the tunneling protocol with which this group can connect. There are two options, IPsec or L2TP over IPsec. L2TP over IPsec is not supported for Cisco IOS software and PIX Firewall provisioning in ISC 3.0.

Authentication

drop-down list

Select the authentication method for members of this group. The following authentication server options are supported:

None

RADIUS

Internal

NT Domain

SDI

TACACS+

Default Domain Name

text box

Enter the default domain name given to users of this group.

DNS Primary Server

text box

Enter the IP address of the primary DNS server.

DNS Secondary Server

text box

Enter the IP address of the secondary DNS server.

WINS Primary Server

text box

Enter the IP address of the primary WINS server.

WINS Secondary Server

text box

Enter the IP address of the secondary WINS server.


Step 6 Click Next to continue to the Address Pools page as shown Figure 4-15 in the "Defining Address Pools" section.


Note You can click Finish on any of the Remote Access VPN Policy pages. When you click Finish, the unedited policy parameters take the default settings and the policy is created.



Defining Address Pools

In this section, you create the IP address pools that remote clients use to establish IPsec tunnels to the customer site; the remote clients are assigned an inside IP address from these pools.


Step 1 From the Remote Access VPN Policy - General Editor page click Address Pools. The Remote Access VPN Policy - Address Pools page appears as shown in Figure 4-15.


Note You can navigate to this page by clicking Service Design > Policy Manager > Create > IPsec Policy > Remote Access VPN Policy, entering values in the Remote Access VPN Policy - General Editor, and clicking Next.


Figure 4-15 The Remote Access VPN Policy - Address Pools Page

Step 2 Click Create to add an IP address pool. The Address Pools dialog box appears as shown in Figure 4-16.

Figure 4-16 Address Pools Dialog Box

Step 3 Follow the instructions in Table 4-6 to enter values in the address pool fields.

Table 4-6 Address Pools Fields

Field Name
Type
Instructions

Starting Address

text box

Enter the starting address of the IP address pool.

Ending Address

text box

Enter the ending address of the IP address pool. The address pool range must be within a subnet.


Step 4 Click OK when done.

Step 5 Click Next to continue to the Split Tunneling Network page as shown Figure 4-17 in the "Defining Split Tunneling Networks (Optional)" section.


Defining Split Tunneling Networks (Optional)

You can enable or disable split tunneling for remote users. To set the split tunneling parameters, perform the following steps:


Step 1 The Remote Access VPN Policy - Split Tunneling Network List page appears as shown in Figure 4-17.


Note You can navigate to the Split Tunneling Network page by clicking Service Design > Policy Manager > Create > IPsec Policy > Remote Access VPN Policy, entering values for the General Editor and Address Pools pages, and clicking Split Tunneling.


Figure 4-17 Remote Access VPN Policy - Split Tunneling Network List Page

Step 2 Follow the instructions in Table 4-7 to choose a split tunneling option.

Table 4-7 Split Tunneling Fields

Field Name
Type
Instructions

Split Tunneling Policy

drop-down list

Select one of the following methods for Split Tunneling:

Everything - This option sends all traffic, both VPN-bound and Internet-bound, through the VPN tunnel to the CPE device. If you select Everything, there are no further values to enter, as shown in Figure 4-18.

In List - This option sends only traffic matching the listed networks through the VPN tunnel to the CPE device. Traffic to all other destinations leaves the client in the clear over its local interface and never reaches the CPE. If you select this option, you must click Create or Generate to build the list of network addresses whose traffic travels through the IPsec tunnel. When you click Create, the Subnet Address for Split Tunneling dialog box appears, as shown in Figure 4-19.

Not In List - This option sends traffic to addresses in the listed networks to the client LAN in the clear and sends all other traffic through the VPN tunnel. If you select this option, you must click Create or Generate to build the list of network addresses whose traffic is kept off the VPN tunnel. Keep this list narrow: every network you exclude here stays reachable from the client while the tunnel is up, which is the exposure split tunneling introduces.

Generate

button

Click Generate if you want to automatically obtain the list of private subnets from an existing site-to-site IPsec VPN. Because a VPN may be represented by one or more service requests, after clicking Generate select all the service requests from which the list of private subnets must be extracted. When you click Generate, the Service Request for Split Tunnel List dialog box appears as shown in Figure 4-20.

Create

button

Click Create and the Subnet Address for Split Tunneling dialog box appears as shown in Figure 4-19. Enter a subnet address for Split Tunneling.



Note Once the list is populated using Create, Generate, or both options, you can edit the list until it contains the desired networks from which traffic must travel through the IPsec tunnel.


Figure 4-18 The Everything Option for Split Tunneling

Figure 4-19 Subnet For Split Tunneling Dialog Box

Figure 4-20 The Service Request for Split Tunnel List Page
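As an added illustration (not ISC code, nor the VPN Client's implementation), the Python below models the three Split Tunneling Policy values of Table 4-7 and shows, for a constructed list of site subnets and destination addresses, which destinations bypass the tunnel and leave the client in the clear. It also flags list/policy combinations that tunnel nothing, or everything, by accident. The sample subnets and addresses are made up for the example; the client behaviour is taken from the table's description.

```python
"""Added example (not ISC or VPN Client code): the Split Tunneling Policy
choices of Table 4-7 applied to constructed destinations. The policy values
are ISC's; the sample subnets and addresses are made up for this example, and
the client-side behaviour is modelled from the table's description."""
from ipaddress import ip_address, ip_network
from typing import Iterable, List

EVERYTHING, IN_LIST, NOT_IN_LIST = "Everything", "In List", "Not In List"

def goes_through_tunnel(policy: str, networks: Iterable[str], destination: str) -> bool:
    """True if traffic to destination enters the IPsec tunnel to the CPE,
    False if it leaves the client in the clear (client LAN or Internet)."""
    dst = ip_address(destination)
    matched = any(dst in ip_network(n, strict=False) for n in networks)
    if policy == EVERYTHING:
        return True              # the list is not consulted at all
    if policy == IN_LIST:
        return matched           # only listed networks are tunnelled
    if policy == NOT_IN_LIST:
        return not matched       # listed networks bypass the tunnel
    raise ValueError(f"unknown split tunneling policy: {policy!r}")

def cleartext_destinations(policy: str, networks: Iterable[str],
                           destinations: Iterable[str]) -> List[str]:
    """Destinations that bypass the tunnel: the set a reviewer should check,
    since an over-broad Not In List entry quietly exposes internal subnets."""
    nets = list(networks)
    return [d for d in destinations if not goes_through_tunnel(policy, nets, d)]

def split_tunnel_warnings(policy: str, networks: Iterable[str]) -> List[str]:
    """List/policy combinations that tunnel nothing, or everything, by accident."""
    nets = [ip_network(n, strict=False) for n in networks]
    warnings = []
    if policy == IN_LIST and not nets:
        warnings.append("In List with an empty list: nothing is tunnelled")
    if policy == NOT_IN_LIST and not nets:
        warnings.append("Not In List with an empty list behaves like Everything")
    if policy == NOT_IN_LIST and any(n.prefixlen == 0 for n in nets):
        warnings.append("Not In List contains 0.0.0.0/0: nothing is tunnelled")
    return warnings

# Constructed sample: two private subnets behind the CPE and three destinations.
SITE_SUBNETS = ["10.10.0.0/16", "192.168.50.0/24"]
DESTINATIONS = ["10.10.4.7", "192.168.50.200", "203.0.113.9"]

if __name__ == "__main__":
    for pol in (EVERYTHING, IN_LIST, NOT_IN_LIST):
        print(f"{pol:12} clear ->", cleartext_destinations(pol, SITE_SUBNETS, DESTINATIONS))
```

With the sample list, In List sends only the Internet address in the clear, Not In List sends only the two site subnets in the clear (the inverse, which is rarely what a remote access policy wants), and Everything sends nothing in the clear.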

Step 3 Click Next to continue to the User List page as shown Figure 4-21 in the "Defining the Remote Access User List (Optional)" section.


Defining the Remote Access User List (Optional)

In this section, you can enter one or more user profiles to store locally on the CPE device (as opposed to storing the user profiles on a AAA Server).


Note You can only use this feature if you chose Internal as the user authentication method for the VPN group in the remote access policy. (This is the Authentication field on the Remote Access VPN Policy - General Editor page.)



Step 1 The Remote Access VPN Policy - User List page appears as shown in Figure 4-21.

Figure 4-21 The Remote Access VPN Policy - User List Page

Step 2 Click Create. The User Creation dialog box appears as shown in Figure 4-22.

Figure 4-22 User List Dialog Box

Step 3 Follow the instructions in Table 4-8 to enter values in the User List dialog box fields.

Table 4-8 User List Dialog Box Fields

Field Name
Type
Instructions

User ID

text box

Enter the user id.

Password

text box

Enter the user password.

Confirm Password

text box

Verify the user's password.


Step 4 Click Create again if you would like to add another user. You can enter multiple users.

Step 5 Click OK when done.

Step 6 Click Next to continue to the Cisco IOS Editor page as shown Figure 4-23 in the "Defining Cisco IOS Software-Specific Parameters" section.


Defining Cisco IOS Software-Specific Parameters

In the Cisco IOS Editor page of the Remote Access Policy wizard, select the values for Idle Timeout as well as the Reverse Route Injection (RRI). It is recommended that you select both the RRI and RRI Peer options.


Step 1 The Remote Access VPN Policy - Cisco IOS Editor page appears as shown in Figure 4-23.

Figure 4-23 The Remote Access VPN Policy - Cisco IOS Editor Page

Step 2 Follow the instructions in Table 4-9 to set the Cisco IOS-specific parameters.

Table 4-9 Cisco IOS Editor Fields

Field Name
Type
Instructions

SA Idle Timeout Enabled

checkbox

Check to enable a security association (SA) idle timeout.

SA Idle Timeout

text box

To enable this option, you must first check SA Idle Timeout Enabled, and then you can enter a timeout value, from 60 to 86,400 seconds, after which idle IPsec security associations are automatically deleted.

Reverse Route Injection

checkbox

Check to enable reverse route injection (RRI). RRI installs a static route for each remote client's assigned address when its IPsec SA comes up and removes it when the SA is torn down, so return traffic from the customer network is routed to the tunnel endpoint; the route can also be redistributed into the site's routing protocol.

Reverse Route Injection Peer

checkbox

To enable this option, you must first check Reverse Route Injection and then you can check Reverse Route Injection Peer, as shown in Figure 4-24. The Reverse Route Injection Peer option creates a route in the routing table for the remote tunnel endpoint.


Figure 4-24 The Cisco IOS Editor Page with Reverse Route Injection Selected

Step 3 Click Next to continue to the PIX Editor page as shown Figure 4-25 in the "Defining PIX Firewall-Specific Parameters" section.


Defining PIX Firewall-Specific Parameters


Step 1 The Remote Access VPN Policy - PIX Firewall Editor page appears as shown in Figure 4-25.

Figure 4-25 The Remote Access VPN Policy - PIX Firewall Editor Page

Step 2 Use the instructions in Table 4-10 to enter values for the PIX Firewall-specific parameters.

Table 4-10 PIX Firewall Editor Fields

Field Name
Type
Instructions

Idle Timeout

text box

Enter the inactivity timeout for the VPN client. The default is 1800 seconds.

Max Connect Time (in seconds)

text box

Enter maximum connection time between the VPN client and server. The default is 1800 seconds.

Sysopt Connection Permit IPsec

checkbox

Check to implicitly permit IPsec traffic (the PIX sysopt connection permit-ipsec command). The default setting is permit. With this set, traffic arriving through an IPsec tunnel bypasses the interface access lists, so the remote access policy itself must carry any restriction on what VPN users may reach.


Step 3 Click Next to continue to the VPN 3000 Editor page as shown Figure 4-26 in the "Defining VPN 3000-Specific Parameters" section.


Defining VPN 3000-Specific Parameters


Step 1 The Remote Access VPN Policy - VPN 3000 Editor page appears as shown in Figure 4-26.

Figure 4-26 The Remote Access VPN Policy - VPN 3000 Editor Page

Step 2 Follow the instructions in Table 4-11 to enter VPN 3000-specific parameters.

Table 4-11 VPN 3000 Editor Fields

Field Name
Type
Instructions

Simultaneous Logins

text box

Enter the number of simultaneous logins for this group.

Min Password Length

text box

Enter the minimum password length for users in this group.

Allow Alphabetic Only Passwords

checkbox

Check to allow users whose passwords contain only alphabetic characters to be added to this group.

Strip Realm

checkbox

Check to remove the realm qualifier of the user name during authentication.

Idle Timeout

text box

Enter the idle timeout in minutes for this group.

Max Connect Time

text box

Enter the maximum connection time in minutes for this group.

IKE Peer Identity

drop-down list

Select whether or not to validate the identity of the peer using the peer's certificate.

IKE Keepalives

checkbox

Check to enable the use of IKE keepalives for members of this group.

Authentication on Rekey

checkbox

Check to re-authenticate the user on an IKE (Phase-1) rekey.

Allow IPsec Thru NAT

checkbox

Check to allow the IPsec client to connect from behind a NAT device by encapsulating IPsec in UDP.

IPsec Thru NAT Port

text box

Enter the UDP port to be used for IPsec through NAT (4001 - 49151). The default is 10000.

Allow Password Storage on Client

checkbox

Check to allow the IPsec client to store the user password locally. Leave this unchecked where possible: a stored password lets anyone with access to the client machine connect without knowing it.

Banner

text box

Enter the banner for this group. The banner cannot exceed 512 characters.


Step 3 Click Next to continue to the VPN 3000 Access Hours page as shown Figure 4-27 in the "Defining the VPN 3000 Access Hours" section.


Defining the VPN 3000 Access Hours


Step 1 The Remote Access VPN Policy - Access Hours page appears as shown in Figure 4-27.

Figure 4-27 The Remote Access VPN Policy - Access Hours Page

Step 2 Follow the instructions in Table 4-12 to enter values for each day of the week.

Table 4-12 Remote Access VPN Policy - Access Hours Fields

Field Name
Type
Instructions

Name

text box

Enter the name which specifies the access hours assigned to this group.

Control

drop-down list

There are two control options:

during - Allow access during the hours in the range (default).

except - Allow access at times except the hours in the range.

Start Time

text box in time format

Enter starting time of the access time range.

End Time

text box in time format

Enter ending time of the access time range.
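The during/except control in Table 4-12 is easy to get backwards, and a range that starts in the evening and ends in the morning is a second trap. The Python below is an added example, not VPN 3000 code, that evaluates one (control, start, end) rule per weekday for a login attempt; the per-weekday layout, the treatment of a weekday with no rule, and wrapping a start-after-end range past midnight are all assumptions of the example, since the page does not state how the VPN 3000 handles them. The sample schedule is constructed.

```python
"""Added example (not VPN 3000 code): evaluating a group's access hours
(Table 4-12) for a login attempt. One (control, start, end) rule per weekday
is an assumption of this example, as is wrapping a range whose start is later
than its end past midnight; the page does not state how the VPN 3000 treats
either case."""
from datetime import datetime, time
from typing import Dict, Tuple

Rule = Tuple[str, time, time]     # ("during" | "except", start, end)
WeekRules = Dict[int, Rule]       # key is datetime.weekday(): 0=Monday .. 6=Sunday

def in_range(start: time, end: time, t: time) -> bool:
    """Inclusive start, exclusive end; start > end wraps across midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def access_allowed(rules: WeekRules, when: datetime) -> bool:
    """Apply that weekday's rule; a weekday with no rule is unrestricted (assumption)."""
    rule = rules.get(when.weekday())
    if rule is None:
        return True
    control, start, end = rule
    hit = in_range(start, end, when.time())
    if control == "during":
        return hit               # allowed only inside the range
    if control == "except":
        return not hit           # allowed only outside the range
    raise ValueError(f"unknown control {control!r}")

# Constructed sample: office hours Monday to Friday, Saturday closed outright
# (zero-length range), Sunday open except a 22:00-02:00 window that wraps.
BUSINESS_HOURS: WeekRules = {
    **{d: ("during", time(8, 0), time(18, 0)) for d in range(5)},
    5: ("during", time(0, 0), time(0, 0)),
    6: ("except", time(22, 0), time(2, 0)),
}

if __name__ == "__main__":
    for stamp in ("2024-01-01 09:00", "2024-01-01 19:00", "2024-01-06 12:00", "2024-01-07 23:30"):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        print(stamp, "allowed" if access_allowed(BUSINESS_HOURS, when) else "denied")
```

A zero-length during range is the simplest way to express "no access on this day" without a separate flag; the except control is what you want for a maintenance window rather than for business hours.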


Step 3 Click Next to continue to the VPN 3000 L2TP page as shown Figure 4-28 in the "Defining the VPN 3000 L2TP Parameters" section.


Defining the VPN 3000 L2TP Parameters


Step 1 The Remote Access VPN Policy - VPN 3000 L2TP Editor page appears as shown in Figure 4-28.

Figure 4-28 The Remote Access VPN Policy - VPN 3000 L2TP Page

Step 2 Follow the instructions in Table 4-13 to select options for VPN 3000 L2TP.

Table 4-13 Remote Access VPN Policy - VPN 3000 L2TP Editor Fields

Field Name | Type | Instructions
Use Client Address | checkbox | Check to accept and use an IP address received from the client.
L2TP Compression | checkbox | Check to enable compression for L2TP connections for this group.
Required | checkbox | Check to require encryption.
Require Stateless | checkbox | Check to require stateless encryption.
40-Bit | checkbox | Check to set 40-bit encryption.
128-Bit | checkbox | Check to set 128-bit encryption.
PAP | checkbox | Select Password Authentication Protocol (PAP).
CHAP | checkbox | Select Challenge-Handshake Authentication Protocol (CHAP).
MSCHAPv1 | checkbox | Select Microsoft Challenge-Handshake Authentication Protocol version 1 (MSCHAPv1).
MSCHAPv2 | checkbox | Select Microsoft Challenge-Handshake Authentication Protocol version 2 (MSCHAPv2).
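As an added example (not code from this guide or from ISC itself), the following Python models the VPN 3000 group settings described in the preceding fields and in Tables 4-12 and 4-13. It evaluates a login time against an Access Hours entry, including the during/except Control option and a Start Time later than the End Time, which the example reads as a range wrapping past midnight (the guide does not say how the VPN 3000 treats that case, so that reading is an assumption), and it lists the group and L2TP editor settings a reviewer would want to look at before the policy is deployed. The class names, the review() function and its finding messages are this example's own; the two sample groups are constructed.

```python
# Added example; not code from the Cisco ISC guide or the ISC product.
# Models the VPN 3000 group fields (NAT-T UDP port, banner, Allow Password
# Storage on Client), the Access Hours rule of Table 4-12 and the L2TP editor
# checkboxes of Table 4-13, then evaluates a login time against the access
# hours and lists settings worth a second look before the policy is deployed.
# Class names, review() and its messages are this example's own assumptions.
from dataclasses import dataclass, field
from datetime import time
from typing import List, Optional


@dataclass
class AccessHours:
    name: str
    control: str  # "during" (default) or "except", as in Table 4-12
    start: time
    end: time

    def in_range(self, t: time) -> bool:
        """True when t lies in [start, end). A range whose end precedes its
        start is read as wrapping past midnight (e.g. 22:00-06:00); the guide
        does not state how the VPN 3000 treats that case (assumption)."""
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end

    def allows(self, t: time) -> bool:
        """Apply the Control option: 'during' permits access inside the range,
        'except' permits access only outside it."""
        inside = self.in_range(t)
        if self.control == "during":
            return inside
        if self.control == "except":
            return not inside
        raise ValueError(f"unknown control option {self.control!r}")


@dataclass
class L2tpParams:
    # One attribute per checkbox in Table 4-13.
    use_client_address: bool = False
    compression: bool = False
    required: bool = False           # "Required": require encryption
    require_stateless: bool = False
    bit40: bool = False
    bit128: bool = False
    pap: bool = False
    chap: bool = False
    mschapv1: bool = False
    mschapv2: bool = False


@dataclass
class Vpn3000Group:
    nat_udp_port: int = 10000        # default per the guide; valid range 4001-49151
    banner: str = ""                 # the guide caps the banner at 512 characters
    allow_password_storage: bool = False
    access_hours: Optional[AccessHours] = None
    l2tp: L2tpParams = field(default_factory=L2tpParams)


def review(group: Vpn3000Group) -> List[str]:
    """Return reviewer findings for a group; an empty list means nothing to raise."""
    findings: List[str] = []
    if not 4001 <= group.nat_udp_port <= 49151:
        findings.append(f"NAT-T UDP port {group.nat_udp_port} is outside 4001-49151")
    if len(group.banner) > 512:
        findings.append(f"banner is {len(group.banner)} characters; the limit is 512")
    if group.allow_password_storage:
        findings.append("clients may store the password locally")
    l2 = group.l2tp
    if not l2.required:
        findings.append("L2TP encryption is not required")
    elif not (l2.bit40 or l2.bit128):
        findings.append("encryption is required but no key length is selected")
    if l2.bit40:
        findings.append("40-bit encryption is accepted; prefer 128-bit only")
    if l2.pap:
        findings.append("PAP is selected; it sends the password unprotected at the PPP layer")
    if not (l2.pap or l2.chap or l2.mschapv1 or l2.mschapv2):
        findings.append("no PPP authentication protocol is selected")
    return findings


# Constructed sample groups (not taken from the guide).
WEAK_GROUP = Vpn3000Group(
    nat_udp_port=4000,
    allow_password_storage=True,
    l2tp=L2tpParams(bit40=True, bit128=True, pap=True, chap=True),
)
HARDENED_GROUP = Vpn3000Group(
    access_hours=AccessHours("business-hours", "during", time(8), time(18)),
    l2tp=L2tpParams(required=True, require_stateless=True, bit128=True, mschapv2=True),
)

if __name__ == "__main__":
    for label, grp in (("weak", WEAK_GROUP), ("hardened", HARDENED_GROUP)):
        print(label, review(grp) or ["no findings"])
    print(HARDENED_GROUP.access_hours.allows(time(12)))   # True
    print(HARDENED_GROUP.access_hours.allows(time(20)))   # False
```

Running the module prints the findings for each constructed group; the hardened group produces none. The time comparison uses a half-open interval so that a range ending at 18:00 does not admit a login at exactly 18:00, and the wrap-past-midnight branch is the part to confirm against the actual concentrator behaviour before relying on it.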


Step 3 Click Next to continue to the Remote Access VPN Policy Summary page as shown in Figure 4-29 in the "The Remote Access VPN Policy Summary Page" section.


The Remote Access VPN Policy Summary Page


Step 1 The Remote Access VPN Policy - Summary page appears as shown in Figure 4-29.

Figure 4-29 The Remote Access VPN Policy - Summary Page

Step 2 Click Finish when done reviewing the VPN policy summary, or go back to a previous page within the Remote Access VPN Policy pages to update a parameter.

Step 3 The Policies page appears with the status of the policy displayed in the lower left corner of the page under Status, as shown in Figure 4-30.

Figure 4-30 The Policies Page with Policy Status Displayed

Step 4 Continue on to the "Creating Remote Access VPN Service Requests" section.


Creating Remote Access VPN Service Requests

Once the remote access policy is created, perform the following steps to create a remote access service request:


Step 1 Click Home > Service Inventory > Inventory and Connection Manager > Service Requests. The Service Requests page appears as shown in Figure 4-31.

Figure 4-31 The Service Requests Page

Step 2 Click Create > IPsec RA. The IPsec Remote Access Service Editor page appears as shown in Figure 4-32.

Figure 4-32 IPsec Remote Access Service Editor Page

Step 3 Follow the instructions in Table 4-14 to enter values for the IPsec Remote Access Service Editor fields.

Table 4-14 IPsec Remote Access Service Editor Fields

Field Name | Type | Instructions
VPN | Select button | Click Select. Choose the VPN for which you defined your remote access policy. Click OK. The IPsec Remote Access Service Editor page appears as shown in Figure 4-33.
Network-based IPsec | drop-down list | Set to None unless you are using IPsec-to-MPLS mapping. For information on IPsec-to-MPLS mapping, refer to the Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0.
Description | text box | (Optional) Enter a description of this particular service request.
Remote Access Policies | list | Specify the remote access policy by clicking Select. The Select Policy page appears as shown in Figure 4-34. Choose the policy and click Select. You can select multiple remote access policies.
AAA Servers | list | Specify the AAA server by clicking Select. The Select AAA Server(s) page appears as shown in Figure 4-35. Choose the AAA server and click Select. You can select multiple AAA servers. (Optional) AAA Server interface: specify the IP address of an interface to use for all outgoing RADIUS packets by choosing the AAA server interface and clicking Select.
CPEs | row | Continue to Step 4 for instructions on how to add CPE devices to your service request.


Figure 4-33 IPsec Remote Access Service Editor Page with a VPN Selected

Figure 4-34 The Policy for Remote Access Service Page

Figure 4-35 The AAA Server for Remote Access Service Page

Step 4 On the main IPsec Remote Access Service Editor page, click the Select button in the CPEs row. The CPEs Associated with Remote Access Service dialog box appears as shown in Figure 4-36.

Figure 4-36 CPEs Associated with Remote Access Service Dialog Box

Step 5 Check the box next to the CPE devices you want in your remote access service request and click Select. The CPE devices you select will appear in the IPsec Remote Access Service Editor page, as shown in Figure 4-37.

Figure 4-37 The IPsec Remote Access Service Editor Page with CPEs Selected

Step 6 (Optional) Click Add Templates to add a template to the service request. For features not supported by ISC, a template can be added to the service request and ISC will download the additional configuration information contained in the template to the CPE. When you click on Add Templates, the Add/Remove Templates dialog box appears as shown in Figure 4-38.

Figure 4-38 Add/Remove Templates Dialog Box

Step 7 Click Add. The Template DataFile Chooser page appears as shown in Figure 4-39.

Figure 4-39 The Template DataFile Chooser Page

Step 8 The templates are on the left column and the associated data files are on the right. Choose a folder of templates or a single template by highlighting it. The page updates and displays the associated templates on the right side of the page.

Step 9 Check the box next to the templates you want to add to the CPE device configuration. To view the configlets for a template, check the box next to the template and click View.

Step 10 Click Accept to return to the Add/Remove Templates dialog box.

Figure 4-40 Add/Remove Templates Dialog Box with Template Added

Step 11 For each template, choose the appropriate fields as described in Table 4-15.

Table 4-15 Add/Remove Template Dialog Box Fields

Field Name | Type | Instructions
Action | drop-down list | Select one of the following options: APPEND - Appends the template to the configlet generated by the service request (adds it after the other service request configlets); PREPEND - Prepends the template to the configlet generated by the service request (adds it before the other service request configlets).
Active | checkbox | Unless you check Active, the template is not instantiated. This lets you temporarily disable the template for this device.


Step 12 Click OK on the Add/Remove Templates dialog box.

Step 13 Click Save when done.

Step 14 Continue to the "Deploying Service Requests" section.