Cisco Router and Security Device Manager 2.5 User Guide
Enhanced Easy VPN

Table Of Contents

Enhanced Easy VPN

Interface and Authentication

RADIUS Servers

Group Authorization and Group User Policies

Add or Edit Easy VPN Server: General Tab

Add or Edit Easy VPN Server: IKE Tab

Add or Edit Easy VPN Server: IPSec Tab

Create Virtual Tunnel Interface


Enhanced Easy VPN


The following sections describe the Cisco Router and Security Device Manager configuration screens for Enhanced Easy VPN.

Interface and Authentication

Specify the router interface to which the virtual template interface is to be unnumbered, and specify the method to use for authentication in this window.

Interface

A virtual template interface must be unnumbered to a router interface to obtain an IP address.

Cisco recommends that you unnumber the virtual template interface to a loopback address for greatest flexibility. To do this, click Unnumbered to new loopback interface and enter an IP address and subnet mask for the loopback interface. A sample loopback IP address and subnet mask is 127.0.0.1, 255.255.255.0.

To unnumber the virtual template interface to another interface, click Unnumbered to and choose the interface. You should choose the interface that terminates the tunnel on the router. Click Details to view IP address, authentication, policy, and other information about the interface that you are choosing.

Authentication

Select the method that Easy VPN clients are to use to authenticate themselves to the Easy VPN Server configured on the router. Pre-shared keys require that you communicate the key to administrators of Easy VPN clients. Digital certificates do not require this, but each client must enroll for and receive a digital certificate.

RADIUS Servers

Identify the RADIUS servers that the router will use for authorization and group policy lookup and the VPN groups configured on the RADIUS servers in the RADIUS Servers window.

Field Reference

Table 14-1 describes the fields in this screen.

Table 14-1 RADIUS Servers Fields

Element
Description

RADIUS Client Source

Configuring the RADIUS source allows you to specify the source IP address to be sent in packets bound for the RADIUS server. To view the IP address and other information about an interface, select the interface and click the Details button. This option can have the following values:

Router chooses source—Choose Router chooses source if you want the source IP address in the RADIUS packets to be the address of the interface through which the RADIUS packets exit the router.

Interface name—If you choose a specific router interface, the source IP address in the RADIUS packets will be the address of that interface.

The source IP address in the RADIUS packets sent from the router must be configured as the NAD IP address in the Cisco Access Control Server (ACS) version 3.3 or later.

Note Cisco IOS software allows a single RADIUS source interface to be configured on the router. If the router already has a configured RADIUS source and you choose a different source, the source IP address placed in the packets sent to the RADIUS server changes to the IP address of the new source, and may not match the NAD IP address configured on the Cisco ACS.


RADIUS Server List

Server IP

The Server IP column lists the IP address of each configured server, for example, 192.168.108.14.

Parameters

The Parameters column lists the authorization and accounting ports for each server. For example, the column might contain the following entry for a RADIUS server:

Authorization Port 1645; Accounting Port 1646

Select

The Select column contains a checkbox for each configured server. Check the box next to each server that you want to be used. The router does not contact a RADIUS server if the box next to it is not checked.

Add

Click Add to create an entry for a RADIUS server.

Edit

Select a server entry and click Edit to change the information the router has for that server.

Ping

Select a server entry and click Ping to test the connection between the router and the RADIUS server.

VPN Groups in RADIUS Server

Enter the VPN groups configured on the RADIUS server that you want this connection to give access to. Use a comma to separate entries. A sample set of entries follows:

WGP-1, WGP-2, ACCTG, CSVC

These names must match the group names configured on the RADIUS server. For easy administration, they should also match the group names you configure for the easy VPN clients.

PKI-based user policy download

Check PKI-based user policy download if you want the Easy VPN server to download user-specific attributes from the RADIUS server and push them to the client during mode configuration. The Easy VPN server obtains the username from the client's digital certificate.

This option is displayed under the following conditions:

The router runs a Cisco IOS 12.4(4)T or later image.

You choose digital certificate authentication in the IKE policy configuration.

You choose RADIUS or RADIUS and Local group authorization.


Group Authorization and Group User Policies

You can create user groups that each have their own IP address pool, client update configuration, split tunneling configuration, and other custom settings. These group attributes are downloaded to the clients in that group when they connect to the Easy VPN server. The same group name must be configured on the clients that are members of the group to ensure that the correct group attributes are downloaded.

If group policies have already been configured, they appear in the list in this window, and you can select them for this connection by checking the Select box to the left of the group name.

The group name, IP address pool name, DNS and WINS server names, and domain name of each configured group is shown in the list. When you click Add to configure settings for a new group or click Edit to change settings, the changes appear in this list. To use settings for an existing group as a basis for a new group configuration, select the existing group and click Clone. The Add, Edit, and Clone buttons display dialogs that enable you to configure group settings.

Configure Idle Timer

Check Configure Idle Timer if you want to specify how long a connection is to be maintained for idle clients in the Idle Timer fields. Enter time values in HH:MM:SS format. For example, to enter 3 hours, 20 minutes, and 32 seconds, enter the following values in the fields:

03:20:32

The timeout value will apply to all groups configured for this connection.
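The RADIUS Servers window and the Group Authorization window above correspond to the following Cisco IOS commands. This is an added illustration written for this page, not configuration generated by SDM or taken from the guide. The AAA list names (EZVPN_AUTHZ, EZVPN_XAUTH), the Loopback0 source interface, the pool and access-list names, the DNS/WINS/domain values, and the key placeholders are assumed; the server address 192.168.108.14 and ports 1645/1646 are the sample values the table uses, and the group name WGP-1 is one of the sample group names above.

```cisco
! Added example (not from the guide): AAA, RADIUS server, and a local group policy
aaa new-model
!
! Group policy lookup: "RADIUS and Local" group authorization
! (RADIUS is queried first, locally configured groups are the fallback)
aaa authorization network EZVPN_AUTHZ group radius local
!
! XAuth user logins
aaa authentication login EZVPN_XAUTH group radius local
!
! Server entry as shown in the RADIUS Server List (sample address and ports from the table)
radius-server host 192.168.108.14 auth-port 1645 acct-port 1646 key <RADIUS_SHARED_SECRET>
!
! RADIUS Client Source = Loopback0. The source address in every RADIUS packet is now
! stable across routing changes and must equal the NAD IP address defined on Cisco ACS.
ip radius source-interface Loopback0
!
! Locally configured group. The name must match the group name on the clients
! and, for easy administration, the group name on the RADIUS server.
ip local pool WGP-1-POOL 10.20.1.10 10.20.1.100
ip access-list extended WGP-1-SPLIT
 permit ip 10.0.0.0 0.255.255.255 10.20.1.0 0.0.0.255
!
crypto isakmp client configuration group WGP-1
 ! "key" is only needed when pre-shared key authentication was chosen
 key <GROUP_PRESHARED_KEY>
 pool WGP-1-POOL
 dns 10.0.0.53
 wins 10.0.0.54
 domain example.com
 ! split tunneling: only traffic matching the ACL is sent through the tunnel
 acl WGP-1-SPLIT
```

Keeping the RADIUS source on a loopback avoids the mismatch described in the Note above: if the source followed the exit interface, a routing change would alter the NAD address seen by ACS and authorization lookups would start failing.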

Add or Edit Easy VPN Server: General Tab

Enter general information for the Easy VPN Server connection in this dialog.

Name for this connection

Enter a name to identify this connection. The name that you enter is displayed in the Edit Easy VPN Server window.

IP Address of Virtual Tunnel Interface

Click Interface and Authentication for a description of the IP Address of Virtual Tunnel fields.

Tunnel Mode

Choose IPSec-IPV4 in the Tunnel Mode field. The IPSec-IPV4 option enables the creation of an IP version 4 IPSec tunnel.

Description

You can enter a description that administrators in your network will find useful when changing configurations or troubleshooting the network.

Add or Edit Easy VPN Server: IKE Tab

The IKE dialog in the Add Easy VPN Server dialogs enables you to create an IKE profile for this connection.

Field Reference

Table 14-2 describes the fields in this tab.

Table 14-2 Add or Edit Easy VPN Server Connection: IKE Tab

Element
Description

Match Identity Type

The IKE profile includes match criteria that allow the router to identify the incoming and outgoing connections to which the IKE connection parameters are to apply. Match criteria can currently be applied to VPN groups. Group is automatically chosen in the Match Identity Type field.

Add VPN groups to be associated with this IKE profile.

Build a list of groups that you want to be included in the match criteria. The groups you add are listed.

Add—Click Add to display a menu with the following options:

Add External Group Name—Choose Add External Group Name to add the name of a group that is not configured on the router, and enter the name in the dialog displayed.

Select From Local Groups—Choose Select From Local Groups to add the name of a group that is configured on the router. In the displayed dialog, check the box next to the group that you want to add. If all the local groups are used in other IKE profiles, SDM informs you that all groups have been selected.

Delete—Choose a group and click Delete to remove it from the list.

Mode Configuration

Choose one of the following options to specify how the Easy VPN server is to handle mode configuration requests:

Respond—Choose Respond in the Mode Configuration field if the Easy VPN server is to respond to mode configuration requests.

Initiate—Choose Initiate if the Easy VPN server is to initiate mode configuration requests.

Both—Choose Both if the Easy VPN server is to both initiate and respond to mode configuration requests.

Group Policy Lookup Authorization Policy

Specify an authorization policy that controls access to group policy information on the AAA server.

default—Choose default if you want to grant access to group policy lookup information.

Policyname—To specify a policy, choose an existing policy in the list.

Add—Click Add to create a policy in the displayed dialog.

User Authentication Policy

Check User Authentication Policy if you want to allow XAuth logins, or if you want to specify a user authentication policy to use for XAuth logins. Choose one of the following options:

default—Choose default if you want to allow XAuth logins.

Policyname—If policies have been configured on the router, they are displayed in this list and you can select a policy to use.

Click Add to create a policy in the displayed dialog and use it in this IKE policy.

Dead Peer Discovery

Click Dead Peer Discovery to enable the router to send dead peer detection (DPD) messages to Easy VPN Remote clients. If a client does not respond to DPD messages, the connection with it is dropped.

Keepalive Interval—Specify the number of seconds between DPD messages in the Keepalive Interval field. The range is from 10 to 3600 seconds.

Retry Interval—Specify the number of seconds between retries if DPD messages fail in the Retry Interval field. The range is from 2 to 60 seconds.

Dead peer discovery helps manage connections without administrator intervention, but it generates additional packets that both peers must process in order to maintain the connection.

Download user attributes from RADIUS server based on PKI certificate fields.

Check this option if you want the Easy VPN server to download user-specific attributes from the RADIUS server and push them to the client during mode configuration. The Easy VPN server obtains the username from the client's digital certificate.

This option is displayed under the following conditions:

The router runs a Cisco IOS 12.4(4)T or later image.

You choose digital certificate authentication in the IKE policy configuration.

You choose RADIUS or RADIUS and Local group authorization.
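The choices made on the IKE tab end up in a Cisco IOS ISAKMP profile. The fragment below is an added example for this page, not SDM output and not from the guide; it is written from Cisco IOS command syntax and should be checked against the command reference for the image on your router. The profile name, trustpoint name, AAA list names, virtual template number, and DPD values are assumed; the group names WGP-1 and ACCTG are sample names from the RADIUS Servers section.

```cisco
! Added example (not from the guide): IKE policy and ISAKMP profile for the Easy VPN server
crypto isakmp policy 10
 encr aes 256
 hash sha
 ! digital certificate authentication; use "authentication pre-share" for pre-shared keys
 authentication rsa-sig
 group 2
!
crypto isakmp profile EZVPN_IKE_PROFILE
 ! Match Identity Type = Group: one line per VPN group added in the dialog
 match identity group WGP-1
 match identity group ACCTG
 ! trustpoint used to validate client certificates (name assumed)
 ca trust-point EZVPN_CA
 ! Group Policy Lookup Authorization Policy (AAA list name assumed)
 isakmp authorization list EZVPN_AUTHZ
 ! User Authentication Policy for XAuth logins (AAA list name assumed)
 client authentication list EZVPN_XAUTH
 ! "Download user attributes from RADIUS server based on PKI certificate fields"
 ! (12.4(4)T or later, certificate authentication, RADIUS group authorization)
 client pki authorization list EZVPN_AUTHZ
 ! Mode Configuration = Both: respond to and initiate mode configuration requests
 client configuration address respond
 client configuration address initiate
 ! Dead Peer Discovery: Keepalive Interval 10-3600 s, Retry Interval 2-60 s
 keepalive 20 retry 3
 ! bind the profile to the virtual template created for this connection
 virtual-template 1
```

With DPD enabled, a client that stops answering is torn down after the retry interval expires, which frees its pool address and keeps stale SAs from accumulating; the cost is the extra keepalive traffic both peers must process, as the text above notes.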


Add or Edit Easy VPN Server: IPSec Tab

Enter the information to create an IPSec profile in this dialog. An IPSec profile specifies the transform sets to be used, how the Security Association (SA) lifetime is to be determined, and other information.

Transform Set Columns

Use the two columns at the top of the dialog to specify the transform sets that you want to include in the profile. The left-hand column contains the transform sets configured on the router. To add a configured transform set to the profile, select it and click the >> button. If there are no transform sets in the left-hand column, or if you need a transform set that has not been created, click Add and create the transform set in the displayed dialog.

Time Based IPSec SA Lifetime

Click Time Based IPSec SA Lifetime if you want a new SA to be established after a set period of time has elapsed. Enter the time period in the HH:MM:SS fields to the right. The range is from 0:2:0 (2 minutes) to 24:0:0 (24 hours).

Traffic Volume Based IPSec SA Lifetime

Click Traffic Volume Based IPSec SA Lifetime if you want a new SA to be established after a specified amount of traffic has passed through the IPSec tunnel. Enter the number of kilobytes that should pass through the tunnel before an existing SA is taken down and a new one is established. The range is from 2560 KB to 536870912 KB.

IPSec SA Idle Time

Click IPSec SA Idle Time if you want a new SA to be established after the peer has been idle for a specified amount of time. Enter the idle time period in the HH:MM:SS fields to the right. The range is from 0:1:0 (one minute) to 24:0:0 (24 hours).

Perfect Forwarding Secrecy

Click Perfect Forwarding Secrecy if IPSec should ask for perfect forward secrecy (PFS) when requesting new security associations for this virtual template interface, or should require PFS in requests received from the peer. You can specify the following values:

group1—The 768-bit Diffie-Hellman prime modulus group is used to encrypt the PFS request.

group2—The 1024-bit Diffie-Hellman prime modulus group is used to encrypt the PFS request.

group5—The 1536-bit Diffie-Hellman prime modulus group is used to encrypt the PFS request.
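The IPSec tab fields map onto a Cisco IOS IPSec profile. The following is an added example for this page, not SDM output and not from the guide. The transform set and profile names are assumed, and the lifetime values are constructed samples chosen inside the ranges given above (the time ranges convert to 120 to 86400 seconds for the SA lifetime and 60 to 86400 seconds for the idle time).

```cisco
! Added example (not from the guide): transform set and IPSec profile from the IPSec tab
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile EZVPN_IPSEC_PROFILE
 ! transform set moved into the right-hand column of the dialog
 set transform-set ESP-AES256-SHA
 ! Time Based IPSec SA Lifetime: 08:00:00 = 28800 s (allowed 0:2:0 to 24:0:0)
 set security-association lifetime seconds 28800
 ! Traffic Volume Based IPSec SA Lifetime in KB (allowed 2560 to 536870912)
 set security-association lifetime kilobytes 4608000
 ! IPSec SA Idle Time: 00:15:00 = 900 s (allowed 0:1:0 to 24:0:0)
 set security-association idle-time 900
 ! Perfect Forward Secrecy using the 1024-bit Diffie-Hellman group (group2)
 set pfs group2
```

The time-based and volume-based lifetimes work together: whichever limit is reached first triggers negotiation of a fresh SA, so a busy tunnel rekeys on volume and a quiet one rekeys on time.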

Create Virtual Tunnel Interface

Enter the information for a virtual tunnel interface in this dialog.

Interface Type

Choose default or tunnel as the interface type. If you are editing a virtual tunnel interface, the configured value is displayed and the field is read only.

Configure the interface IP address

The IP address of the virtual tunnel interface can be unnumbered to another interface, or it can have no IP address. Choose IP Unnumbered and choose an interface name in the Unnumbered to field, or choose No IP address.

Tunnel Mode

Cisco SDM currently supports the IPSec-IPv4 tunnel mode and it is selected.

Select Zone

This field appears when the router runs a Cisco IOS image that supports Zone-Policy Based Firewall (ZPF), and a zone has been configured on the router. If you want this virtual tunnel interface to be a zone member, click the button to the right of this field. Click Select a Zone and select the zone that you want the interface to be a member of, or click Create a Zone to create a new zone for this interface.


Note It is not required that the virtual tunnel interface be a member of a zone. However, the router does not forward traffic between zone-member interfaces and non-zone-member interfaces.
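The Interface and Authentication window at the start of this chapter and the Create Virtual Tunnel Interface dialog above both describe the same object: a virtual template interface unnumbered to a loopback. The fragment below is an added example for this page, not SDM output and not from the guide. The loopback address is a constructed sample, and the IPSec profile name, virtual template number, and zone name are assumed.

```cisco
! Added example (not from the guide): virtual template interface for the Easy VPN server
!
! Loopback that the virtual template is unnumbered to (address is a constructed sample)
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! zone for the VPN side of the firewall (name assumed)
zone security VPN_ZONE
!
interface Virtual-Template1 type tunnel
 description Easy VPN server virtual tunnel interface
 ! Configure the interface IP address = IP Unnumbered, Unnumbered to Loopback0
 ip unnumbered Loopback0
 ! Tunnel Mode = IPSec-IPv4
 tunnel mode ipsec ipv4
 ! IPSec profile created on the IPSec tab (name assumed)
 tunnel protection ipsec profile EZVPN_IPSEC_PROFILE
 ! Select Zone: make the VTI a zone member so ZPF policy can be applied to client traffic
 zone-member security VPN_ZONE
```

Because the router does not forward between zone-member and non-zone-member interfaces, once the inside interfaces belong to a zone the virtual template must also be placed in a zone and a zone-pair policy must permit the client traffic; leaving the VTI out of all zones silently drops that traffic rather than allowing it.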