Cisco PIX Firewall and VPN Configuration Guide, Version 6.2
Configuring VPN Client Remote Access

Configuring VPN Client Remote Access

Table Of Contents

Configuring VPN Client Remote Access

Supporting Clients with Dynamic Addresses

Configuring Extended Authentication (Xauth)

Overview

Making an Exception to Xauth for a Site-to-Site VPN Peer

Extended Authentication Configuration

Assigning IP Addresses to VPN Clients with IKE Mode Config

Overview

Making an Exception to IKE Mode Config for Site-to-Site VPN Peers

Configuring IKE Mode Config

Cisco VPN 3000 Client Version 2.5/2.6 and Cisco VPN Client Version 3.x

Cisco VPN Client Overview

Xauth, RADIUS, IKE Mode Config, and Wildcard, Pre-Shared Key

Scenario Description

Configuring the PIX Firewall

Configuring the Cisco VPN 3000 Client

Xauth, IKE Mode Config, and Digital Certificates

Scenario Description

Configuring the PIX Firewall

Configuring the Cisco VPN 3000 Client

Cisco Secure VPN Client Version 1.1

Configuring the PIX Firewall

Configuring the Cisco Secure VPN Client Version 1.1

Xauth with RSA Ace/Server and RSA SecurID

Terminology

Introduction

PIX Firewall Configuration

SecurID with Cisco VPN Client Version 3.x

Token Enabled

Next Tokencode Mode

New PIN Mode

SecurID with Cisco VPN 3000 Client Version 2.5/2.6

Token Enabled

Next Tokencode Mode

New PIN Mode

SecurID with Cisco Secure VPN Client Version 1.1 (3DES)

Token Enabled

Next Tokencode Mode

New PIN Mode

Configuring L2TP with IPSec in Transport Mode

L2TP Overview

IPSec Transport and Tunnel Modes

Configuring L2TP with IPSec in Transport Mode

Windows 2000 Client with IPSec and L2TP

Overview

Configuring the PIX Firewall

Enabling IPSec Debug

Getting Additional Information

Using PPTP for Remote Access

Overview

PPTP Configuration

PPTP Configuration Example


Configuring VPN Client Remote Access


This chapter describes PIX Firewall configuration procedures that are specific to implementing remote access VPNs. It also provides configuration examples using the VPN software clients supported by PIX Firewall.

PIX Firewall can function as an Easy VPN Server in relation to an Easy VPN Remote device, such as a PIX 501 or PIX 506/506E, or in relation to Cisco VPN software clients. When used as an Easy VPN Server, the PIX Firewall can push VPN configuration to the VPN client or Easy VPN Remote device, which greatly simplifies configuration and administration. For information about configuring a PIX 501 or PIX 506/506E as an Easy VPN Remote device, refer to Chapter 5, "Using PIX Firewall in SOHO Networks."

This chapter includes the following sections:

Supporting Clients with Dynamic Addresses

Configuring Extended Authentication (Xauth)

Assigning IP Addresses to VPN Clients with IKE Mode Config

Cisco VPN 3000 Client Version 2.5/2.6 and Cisco VPN Client Version 3.x

Cisco Secure VPN Client Version 1.1

Xauth with RSA Ace/Server and RSA SecurID

Configuring L2TP with IPSec in Transport Mode

Windows 2000 Client with IPSec and L2TP

Using PPTP for Remote Access

Supporting Clients with Dynamic Addresses

Dynamic crypto maps are frequently used with Internet Key Exchange (IKE) to negotiate SAs with remote access VPN clients. Dynamic crypto maps are used to negotiate SAs for connections initiated from an external network for peers that do not have a known IP address. After successful IKE authentication, the client connection request is processed using a dynamic crypto map that is configured to set up SAs without requiring a known IP address.

A dynamic crypto map entry is essentially a crypto map entry that does not specify the identity of the remote peer. It acts as a template where the missing parameters are dynamically assigned based on the IKE negotiation. Only the transform set is required to configure a dynamic crypto map entry.


Note Use care when using the any keyword in permit command entries in dynamic crypto maps. If it is possible for the traffic covered by such a permit command entry to include multicast or broadcast traffic, the access list should include deny command entries for the appropriate address range. Access lists should also include deny command entries for network and subnet broadcast traffic, and for any other traffic that should not be IPSec protected.


For more information about configuring dynamic crypto maps, see "Using Dynamic Crypto Maps" in Chapter 6, "Configuring IPSec and Certification Authorities."

Configuring Extended Authentication (Xauth)

This section describes how to implement extended authentication (Xauth) with PIX Firewall. It includes the following topics:

Overview

Making an Exception to Xauth for a Site-to-Site VPN Peer

Extended Authentication Configuration

Overview

The PIX Firewall supports the Extended Authentication (Xauth) feature within the IKE protocol. Xauth lets you deploy IPSec VPNs using TACACS+ or RADIUS as your user authentication method.

This feature, which is designed for VPN clients, provides user authentication by prompting the user for a username and password and verifying them against the information stored in your TACACS+ or RADIUS database. Xauth is negotiated between IKE Phase 1 (IKE device authentication phase) and IKE Phase 2 (IPSec SA negotiation phase). If Xauth fails, the IPSec security association will not be established and the IKE security association will be deleted.


Note The IKE Mode Config feature is also negotiated between IKE Phase 1 and Phase 2. If both features are configured, Xauth is performed first.


The Xauth feature is optional and is enabled using the crypto map map-name client authentication aaa-group-tag command. AAA must be configured on the PIX Firewall using the aaa-server group_tag (if_name) host server_ip key timeout seconds command before Xauth is enabled. Use the same AAA server name within the aaa-server and crypto map client authentication command statements. See the aaa-server command and the crypto map command in the Cisco PIX Firewall Command Reference for more information.


Note The VPN client remote user should be running the Cisco Secure VPN Client version 1.1, Cisco VPN 3000 Client version 2.5/2.6, or Cisco VPN Client version 3.x. We recommend Cisco VPN Client version 3.x.


Making an Exception to Xauth for a Site-to-Site VPN Peer

If you have both a site-to-site VPN peer and VPN client peers terminating on the same interface, and have the Xauth feature configured, configure the PIX Firewall to make an exception to this feature for the site-to-site VPN peer. With this exception, the PIX Firewall will not challenge the site-to-site peer for a username and password. The command that you employ to make an exception to the Xauth feature depends on the authentication method you are using within your IKE policies.

Table 8-1 summarizes the guidelines to follow.

Table 8-1 Configuring no-xauth

IKE Authentication Method
no-xauth Related Command to Use

pre-shared key

isakmp key keystring address ip-address [netmask mask] [no-xauth] [no-config-mode]

See the isakmp command page within the Cisco PIX Firewall Command Reference for more information. See Step 3 within "Extended Authentication Configuration" in this chapter for the no-xauth configuration step.

rsa signatures

isakmp peer fqdn fqdn [no-xauth] [no-config-mode]

See the isakmp command page within the Cisco PIX Firewall Command Reference for more information. See Step 4 within "Extended Authentication Configuration" in this chapter for the no-xauth configuration step.


Extended Authentication Configuration

Follow these steps to configure Xauth on your PIX Firewall:


Step 1 Set up your basic AAA Server:

aaa-server group_tag (if_name) host server_ip key

For example:

aaa-server TACACS+ (outside) host 10.0.0.2 secret123 

This example specifies that the authentication server with the IP address 10.0.0.2 resides on the outside interface and is in the default TACACS+ server group. The key "secret123" is used between the PIX Firewall and the TACACS+ server for encrypting data between them.

Step 2 Enable Xauth. Be sure to specify the same AAA server group tag within the crypto map client authentication command statement as was specified in the aaa-server command statement.

crypto map map-name client authentication aaa-group-tag

For example:

crypto map mymap client authentication TACACS+ 

In this example, Xauth is enabled at the crypto map "mymap" and the server specified in the TACACS+ group will be used for user authentication.

Step 3 (Optional) Perform this step for each site-to-site VPN peer that shares the same interface as the VPN client(s) and is configured to use a pre-shared key. This step allows the PIX Firewall to make an exception to the Xauth feature for the given site-to-site VPN peer.

isakmp key keystring address ip-address [netmask mask] [no-xauth] [no-config-mode]

For example:

isakmp key secretkey1234 address 10.2.2.2 netmask 255.255.255.255 no-xauth

Step 4 (Optional) To make an exception to the Xauth feature for the given site-to-site VPN peer, enter the following command:

isakmp peer fqdn fqdn [no-xauth] [no-config-mode]

Perform this step for each site-to-site VPN peer that shares the same interface as the VPN client(s) and is configured to use RSA-signatures.

For example:

isakmp peer fqdn hostname1.example.com no-xauth


Assigning IP Addresses to VPN Clients with IKE Mode Config

This section describes how to use IKE Mode Config to assign IP addresses dynamically to VPN clients. It includes the following topics:

Overview

Making an Exception to IKE Mode Config for Site-to-Site VPN Peers

Configuring IKE Mode Config

Overview

The IKE Mode Configuration (Config) feature allows a security gateway (in this case a PIX Firewall) to download an IP address (and other network level configuration) to a VPN client peer as part of an IKE negotiation. Using this exchange, the PIX Firewall gives an IP address to the VPN client to be used as an "inner" IP address encapsulated under IPSec. This provides a known IP address for a VPN client, which can be matched against the IPSec policy.


Note If you use IKE Mode Config on the PIX Firewall, the routers handling the IPSec traffic must also support IKE Mode Config. Cisco IOS Release 12.0(7)T and higher supports IKE Mode Config.


To implement IPSec VPNs between remote access VPN clients with dynamic (or virtual) IP addresses and a corporate gateway, you must dynamically administer scalable IPSec policy on the gateway once each client is authenticated. With IKE Mode Config, the gateway can set up scalable policy for a very large set of clients irrespective of the IP addresses of those clients.

There are two types of IKE Mode Config for a VPN:

Gateway initiation—Gateway initiates the configuration mode with the client. Once the client responds, the IKE modifies the sender's identity, the message is processed, and the client receives a response.

Client initiation—Client initiates the configuration mode with the gateway. The gateway responds with an IP address it has allocated for the client.

The following is a summary of the major steps to perform when configuring IKE Mode Config on your PIX Firewall. See the "Configuring IKE Mode Config" section for the complete configuration steps.

Define the pool of IP addresses. Use the ip local pool command to define a local address pool. See the ip local pool command page within the Cisco PIX Firewall Command Reference for more information about this command.

Reference the pool of IP addresses in the IKE configuration. Use the isakmp client configuration address-pool local command to make the local pool you defined available to IKE. See the isakmp command page within the Cisco PIX Firewall Command Reference for more information about this command.

Define which crypto maps should attempt to configure clients, and whether the PIX Firewall or the client initiates the IKE Mode Config. Use the crypto map client-configuration address command to configure IKE Mode Config. See the crypto map command in the Cisco PIX Firewall Command Reference for more information.

Making an Exception to IKE Mode Config for Site-to-Site VPN Peers

If you have both a site-to-site VPN peer and VPN clients terminating on the same interface, and have the IKE Mode Config feature configured, configure the PIX Firewall to make an exception to this feature for the site-to-site VPN peer. With this exception, the PIX Firewall will not attempt to download an IP address to the peer for dynamic IP address assignment. The command that you employ to bypass the IKE Mode Config feature depends on the authentication method you are using within your IKE policies. See Table 8-2 for the guidelines to follow.

Table 8-2 Configuring no-config-mode 

IKE Authentication Method
no-config-mode Related Command to Use

pre-shared key

isakmp key keystring address ip-address [netmask mask] [no-xauth] [no-config-mode]

See the isakmp command page in the Cisco PIX Firewall Command Reference for more information. See Step 4 in "Configuring IKE Mode Config" in this chapter for the no-config-mode configuration step.

rsa signatures

isakmp peer fqdn fqdn [no-xauth] [no-config-mode]

See the isakmp command page in the Cisco PIX Firewall Command Reference for more information. See Step 5 in "Configuring IKE Mode Config" in this chapter for the no-config-mode configuration step.


Configuring IKE Mode Config

To configure IKE Mode Config on your PIX Firewall, perform the following steps:


Step 1 Define the pool of IP addresses:

ip local pool pool-name start-address-[end-address]

For example:

ip local pool csvc 172.16.1.1-172.16.1.254

Step 2 Reference the defined pool of IP addresses in the IKE configuration:

isakmp client configuration address-pool local pool-name [interface-name]

For example:

isakmp client configuration address-pool local csvc outside

Step 3 Define which crypto maps should attempt to configure clients:

crypto map map-name client configuration address initiate | respond

For example:

crypto map mymap client configuration address initiate

Step 4 (Optional) Perform this step for each site-to-site VPN peer that shares the same interface as the VPN client(s) and is configured to use a pre-shared key. This step allows the PIX Firewall to make an exception to the IKE Mode Config feature for the given site-to-site VPN peer.

isakmp key keystring address ip-address [netmask mask] [no-xauth] [no-config-mode]

For example:

isakmp key secretkey1234 address 10.2.2.2 netmask 255.255.255.255 no-config-mode

Step 5 (Optional) Perform this step for each site-to-site VPN peer that shares the same interface as the VPN client(s) and is configured to use RSA-signatures. This step allows the PIX Firewall to make an exception to the IKE Mode Config feature for the given site-to-site VPN peer.

isakmp peer fqdn fqdn [no-xauth] [no-config-mode]

For example:

isakmp peer fqdn hostname1.example.com no-config-mode


Example 8-1 shows a PIX Firewall configured both to assign IP addresses to clients and to respond to IP address requests from clients whose packets arrive on the outside interface, using a dynamic crypto map without explicitly specifying the peer.

Example 8-1 IKE Mode Config

: define the ip address pool
ip local pool csvc 172.16.1.1-172.16.1.254
: reference the defined pool of IP addresses in IKE
isakmp client configuration address-pool local csvc outside
:
access-list 103 permit ip host 172.21.230.34 172.21.1.0 255.255.255.0
:
crypto ipsec transform-set pc esp-des esp-md5-hmac
:
crypto dynamic-map dyn 10 set transform-set pc 
: enable address assignment in crypto map
crypto map dyn client configuration address initiate
crypto map dyn client configuration address respond
:
crypto map dyn 10 ipsec-isakmp dynamic dyn
crypto map dyn interface outside
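Tables 8-1 and 8-2 reduce to a mechanical check, so the following Python audit is added here as an example (it is not Cisco's code and not part of the original chapter). It reads PIX-style configuration text and reports site-to-site isakmp key and isakmp peer fqdn entries that lack no-xauth or no-config-mode while an applied crypto map has Xauth or IKE Mode Config enabled, crypto maps whose client authentication tag has no matching aaa-server protocol line, and a wildcard pre-shared key configured with no Xauth at all. The sample configuration is constructed for the example; the peers 10.3.3.3 and branch.example.com and the key strings are hypothetical. Because the PIX does not bind isakmp key entries to an interface, the check is deliberately conservative and flags every explicit peer whenever any applied map enables the feature.

```python
"""Audit PIX-style configuration text for the Xauth / IKE Mode Config
exceptions summarized in Tables 8-1 and 8-2 (added example, not Cisco code)."""
from typing import Dict, List, Set

# Constructed sample (hypothetical addresses and names): a remote-access map on
# the outside interface with Xauth and Mode Config enabled, one site-to-site
# pre-shared-key peer that is correctly exempted, one that is not, and one
# RSA-signature peer that is only half exempted.
SAMPLE_CONFIG = """\
aaa-server partnerauth protocol radius
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5
crypto dynamic-map cisco 4 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client authentication partnerauth
crypto map partner-map client configuration address initiate
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp key s2skey1 address 10.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key s2skey2 address 10.3.3.3 netmask 255.255.255.255
isakmp peer fqdn branch.example.com no-xauth
"""


def parse(config: str) -> List[List[str]]:
    """Tokenize each non-blank line; ':' lines are comments, as in Example 8-1."""
    return [line.split() for line in config.splitlines()
            if line.strip() and not line.lstrip().startswith(":")]


def audit(config: str) -> List[str]:
    """Return one finding per problem; an empty list means the exceptions are in place."""
    lines = parse(config)
    findings: List[str] = []

    aaa_groups: Set[str] = {t[1] for t in lines
                            if t[0] == "aaa-server" and len(t) >= 4 and t[2] == "protocol"}
    xauth_maps: Dict[str, str] = {}   # crypto map name -> AAA group tag
    modecfg_maps: Set[str] = set()    # maps with 'client configuration address ...'
    applied_maps: Set[str] = set()    # maps bound to an interface
    for t in lines:
        if t[:2] != ["crypto", "map"] or len(t) < 5:
            continue
        if t[3:5] == ["client", "authentication"] and len(t) >= 6:
            xauth_maps[t[2]] = t[5]
        elif t[3:6] == ["client", "configuration", "address"]:
            modecfg_maps.add(t[2])
        elif t[3] == "interface":
            applied_maps.add(t[2])

    for name, tag in xauth_maps.items():
        if tag not in aaa_groups:
            findings.append(f"crypto map {name}: Xauth references AAA group "
                            f"'{tag}' that has no aaa-server protocol line")

    # isakmp key / isakmp peer entries are not bound to an interface, so be
    # conservative: if any applied map enables a feature, every explicit
    # site-to-site peer needs the matching exception keyword.
    xauth_on = bool(xauth_maps.keys() & applied_maps)
    modecfg_on = bool(modecfg_maps & applied_maps)

    wildcard_key = False
    for t in lines:
        peer = None
        if t[:2] == ["isakmp", "key"] and len(t) >= 5 and t[3] == "address":
            if t[4] == "0.0.0.0":
                wildcard_key = True      # wildcard entry serves the VPN clients
                continue
            peer = t[4]
        elif t[:3] == ["isakmp", "peer", "fqdn"] and len(t) >= 4:
            peer = t[3]
        if peer is None:
            continue
        if xauth_on and "no-xauth" not in t:
            findings.append(f"peer {peer}: Xauth is enabled but the entry lacks no-xauth (Table 8-1)")
        if modecfg_on and "no-config-mode" not in t:
            findings.append(f"peer {peer}: IKE Mode Config is enabled but the entry lacks no-config-mode (Table 8-2)")

    if wildcard_key and not xauth_on:
        findings.append("wildcard pre-shared key configured but no applied crypto map enables Xauth")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports three findings: 10.3.3.3 is missing both keywords and branch.example.com is missing no-config-mode, while 10.2.2.2 is clean. A site-to-site peer left without these keywords will be challenged for a username and password, or offered an IP address, and the tunnel will fail in a way that is hard to diagnose from the peer side.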

Cisco VPN 3000 Client Version 2.5/2.6 and Cisco VPN Client Version 3.x

This section provides examples for configuring the PIX Firewall and Cisco VPN 3000 Client version 2.5/2.6 or the Cisco VPN Client version 3.x. It includes the following topics:

Cisco VPN Client Overview

Xauth, RADIUS, IKE Mode Config, and Wildcard, Pre-Shared Key

Xauth, IKE Mode Config, and Digital Certificates

Cisco VPN Client Overview

Remote access VPN users employing the Cisco VPN 3000 Client version 2.5/2.6, or the Cisco VPN Client version 3.x, can now securely access their private enterprise network through the PIX Firewall.

Unlike the Cisco Secure VPN Client version 1.1, the Cisco VPN Client requires the Easy VPN Server to push policy information to it. To support the Cisco VPN Client, the IKE Mode Config feature within the PIX Firewall has been extended to include the downloading of DNS, WINS, default domain, and split tunnel mode attributes to the Cisco VPN 3000 Client. The split tunnel mode allows the PIX Firewall to define the policy that determines the traffic to be encrypted and the traffic to be transmitted in clear text. This policy is pushed to the VPN client during the mode config exchange. With split tunnelling enabled, the VPN client PC can still access the Internet while the VPN client is running.

The vpngroup command set lets you configure Cisco VPN 3000 Client policy attributes to be associated with a VPN group name and downloaded to the Cisco VPN 3000 client(s) that are part of the given group. The purpose of these new commands is to configure the Cisco VPN Client policy groups. See the vpngroup command in the Cisco PIX Firewall Command Reference for more information.


Note Earlier versions of PIX Firewall cannot establish a VPN tunnel to a client behind a device that performs address translation. The NAT Traversal feature, introduced in PIX Firewall version 6.3, removes this restriction when used with Cisco VPN clients version 3.6 or later.


This section provides two examples of how to configure the PIX Firewall and the Cisco VPN 3000 Client for interoperability. The steps for configuring the Cisco VPN 3000 Client version 2.5/2.6 and the Cisco VPN Client version 3.x are the same, except where noted.

The first example shows use of the following supported features:

Extended Authentication (Xauth) for user authentication

RADIUS authorization for user services authorization

IKE Mode Config for VPN IP address assignment

Wildcard pre-shared key for IKE authentication

The second example shows use of the following supported features:

Extended Authentication (Xauth) for user authentication

IKE Mode Config for VPN IP address assignment

Digital certificate for IKE authentication


Note If the Cisco Secure VPN Client version 1.1 is already installed on the computer, uninstall it from your computer and ensure all directories containing this VPN client application are cleared of it before you install the Cisco VPN 3000 Client version 2.5/2.6 or the Cisco VPN Client version 3.x.


Xauth, RADIUS, IKE Mode Config, and Wildcard, Pre-Shared Key

This section shows use of extended authentication (Xauth), RADIUS authorization, IKE Mode Config, and a wildcard, pre-shared key for IKE authentication between a PIX Firewall and a Cisco VPN 3000 Client. It includes the following topics:

Scenario Description

Configuring the PIX Firewall

Configuring the Cisco VPN 3000 Client

Scenario Description

With the vpngroup command set, you configure the PIX Firewall for a specified group of Cisco VPN 3000 Client users, using the following parameters:

Group name for a given group of Cisco VPN 3000 Client users.

Pre-shared key or group password used to authenticate your VPN access to the remote server (PIX Firewall).


Note This pre-shared key is equivalent to the password that you enter in the Group Password box of the Cisco VPN 3000 Client while configuring your group access information for a connection entry.


Pool of local addresses to be assigned to the VPN group.

(Optional) IP address of a DNS server to download to the Cisco VPN 3000 Client.

(Optional) IP address of a WINS server to download to the Cisco VPN 3000 Client.

(Optional) Default domain name to download to the Cisco VPN 3000 Client.

(Optional) Split tunneling enabled on the PIX Firewall allowing both encrypted and clear traffic between the Cisco VPN 3000 Client and the PIX Firewall.


Note If split tunneling is not enabled, all traffic between the Cisco VPN 3000 Client and the PIX Firewall will be encrypted.


(Optional) Inactivity timeout setting for the Cisco VPN 3000 Client. The default is 30 minutes.

On the Cisco VPN 3000 Client, you would configure the vpngroup name and group password to match that which you configured on the PIX Firewall.

When the Cisco VPN 3000 Client initiates ISAKMP with the PIX Firewall, the VPN group name and pre-shared key are sent to the PIX Firewall. The PIX Firewall then uses the group name to look up the configured client policy attributes for the given Cisco VPN 3000 Client and downloads the matching policy attributes to the client during the IKE negotiation.

Figure 8-1 illustrates the example network.

Figure 8-1 Cisco VPN 3000 Client Access

Configuring the PIX Firewall

Follow these steps to configure the PIX Firewall to interoperate with the Cisco VPN 3000 Client using Xauth, IKE Mode Config, AAA authorization with RADIUS, and a wildcard, pre-shared key:


Step 1 Define AAA related parameters:

aaa-server radius protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5

Step 2 Configure the IKE policy:

isakmp enable outside
isakmp policy 8 encr 3des
isakmp policy 8 hash md5
isakmp policy 8 authentication pre-share


Note To configure the Cisco VPN Client version 3.x, include the isakmp policy 8 group 2 command in this step.


Step 3 Configure a wildcard, pre-shared key:

isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0

Step 4 Create an access list that defines the PIX Firewall local network(s) requiring IPSec protection:

access-list 80 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

Step 5 Create access lists that define the services the VPN clients are authorized to use with the RADIUS server:

access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq telnet
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ftp
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq http


Note Configure the authentication server with the vendor-specific acl=acl_ID identifier to specify the access-list ID. In this example, the access-list ID is 100. Your entry in the authentication server would then be acl=100.


Step 6 Configure NAT 0:

nat (inside) 0 access-list 80

Step 7 Configure a transform set that defines how the traffic will be protected:

crypto ipsec transform-set strong-des esp-3des esp-sha-hmac

Step 8 Create a dynamic crypto map:

crypto dynamic-map cisco 4 set transform-set strong-des

Specify which transform sets are allowed for this dynamic crypto map entry.

Step 9 Add the dynamic crypto map set into a static crypto map set:

crypto map partner-map 20 ipsec-isakmp dynamic cisco

Step 10 Apply the crypto map to the outside interface:

crypto map partner-map interface outside

Step 11 Enable Xauth:

crypto map partner-map client authentication partnerauth

Step 12 Configure IKE Mode Config related parameters:

ip local pool dealer 10.1.1.1-10.1.1.254


Note To configure the Cisco VPN 3000 Client version 2.5/2.6, include the crypto map partner-map client configuration address initiate command in this step.


Step 13 Configure Cisco VPN 3000 Client policy attributes to download to the Cisco VPN Client:

vpngroup superteam address-pool dealer
vpngroup superteam dns-server 10.0.0.15
vpngroup superteam wins-server 10.0.0.15
vpngroup superteam default-domain example.com
vpngroup superteam split-tunnel 80
vpngroup superteam idle-time 1800 

The keyword "superteam" is the name of a VPN group. You will enter this VPN group name within the Cisco VPN 3000 Client as part of the group access information. See Step 9 within "Configuring the Cisco VPN 3000 Client."

Step 14 Tell PIX Firewall to implicitly permit IPSec traffic:

sysopt connection permit-ipsec


Example 8-2 provides the complete PIX Firewall configuration.

Example 8-2 VPN Access with Extended Authentication, RADIUS Authorization, IKE Mode Config, and Wildcard Pre-Shared Key

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SanJose
domain-name example.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 24
no logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 209.165.200.229 255.255.255.224
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.101.1 255.255.255.0
no failover
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 80 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq telnet
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ftp
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq http
nat (inside) 0 access-list 80
global (outside) 1 209.165.200.45-209.165.200.50 netmask 255.255.255.224
route outside 0.0.0.0 0.0.0.0 209.165.200.227 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
ip local pool dealer 10.1.1.1-10.1.1.254
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
crypto map partner-map client configuration address initiate
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto dynamic-map cisco 4 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client authentication partnerauth 
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp enable outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
vpngroup superteam address-pool dealer
vpngroup superteam dns-server 10.0.0.15
vpngroup superteam wins-server 10.0.0.15
vpngroup superteam default-domain example.com
vpngroup superteam split-tunnel 80
vpngroup superteam idle-time 1800 
sysopt connection permit-ipsec
telnet timeout 5
terminal width 80


Note The crypto map partner-map client configuration address initiate command is only required to configure the Cisco VPN 3000 Client version 2.5/2.6. The isakmp policy 8 group 2 command is only required to configure the Cisco VPN Client version 3.x.
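Split tunneling, as the vpngroup configuration above uses it, is a decision the client makes against the access list the PIX Firewall pushes to it. The following Python is added here as an example (it is not Cisco's code and not part of the original chapter): it makes that decision explicit for a given destination and also checks three conditions the procedure above relies on, namely that the group's address pool is defined and does not overlap an interface subnet, that a nat 0 access-list entry exempts inside-to-pool traffic from translation, and that the split-tunnel access list actually contains permit ip entries. The configuration text is the network from Example 8-2, with a hypothetical second group named fulltunnel added to show the behaviour when no split-tunnel attribute is configured.

```python
"""Evaluate the split-tunnel policy pushed by a vpngroup and sanity-check its
address pool (added example, not Cisco code; the configuration is constructed)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed sample: the networks from Example 8-2 plus a hypothetical second
# group, "fulltunnel", that shares the pool but has no split-tunnel attribute.
SAMPLE_CONFIG = """\
ip address outside 209.165.200.229 255.255.255.224
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.101.1 255.255.255.0
access-list 80 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 80
ip local pool dealer 10.1.1.1-10.1.1.254
vpngroup superteam address-pool dealer
vpngroup superteam dns-server 10.0.0.15
vpngroup superteam split-tunnel 80
vpngroup superteam idle-time 1800
vpngroup fulltunnel address-pool dealer
"""


def parse(config: str) -> List[List[str]]:
    """Tokenize each non-blank line; ':' lines are comments, as in Example 8-1."""
    return [ln.split() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith(":")]


def vpngroup_attrs(lines: List[List[str]], group: str) -> Dict[str, str]:
    """Map attribute name -> value for 'vpngroup <group> <attr> <value>' lines."""
    return {t[2]: " ".join(t[3:]) for t in lines
            if t[0] == "vpngroup" and len(t) >= 4 and t[1] == group}


def acl_networks(lines: List[List[str]], acl_id: str) -> List[Tuple[IPv4Net, IPv4Net]]:
    """(source, destination) pairs from 'access-list ID permit ip S SM D DM'.
    PIX access lists take subnet masks, not IOS-style wildcard masks."""
    pairs = []
    for t in lines:
        if t[:4] == ["access-list", acl_id, "permit", "ip"] and len(t) >= 8:
            pairs.append((ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False),
                          ipaddress.ip_network(f"{t[6]}/{t[7]}", strict=False)))
    return pairs


def is_tunneled(config: str, group: str, dst_ip: str) -> bool:
    """True if a client in 'group' sends dst_ip through the IPSec tunnel.
    Without a split-tunnel attribute every destination is encrypted."""
    lines = parse(config)
    attrs = vpngroup_attrs(lines, group)
    if "split-tunnel" not in attrs:
        return True
    dst = ipaddress.ip_address(dst_ip)
    # The ACL's source side is the network behind the PIX that needs protection.
    return any(dst in src for src, _ in acl_networks(lines, attrs["split-tunnel"]))


def pool_range(lines: List[List[str]], name: str
               ) -> Optional[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """First and last address of 'ip local pool <name> start[-end]'."""
    for t in lines:
        if t[:3] == ["ip", "local", "pool"] and len(t) >= 5 and t[3] == name:
            start, _, end = t[4].partition("-")
            return ipaddress.ip_address(start), ipaddress.ip_address(end or start)
    return None


def audit_group(config: str, group: str) -> List[str]:
    """Findings for one vpngroup: undefined pool, pool inside an interface subnet,
    pool not exempted from NAT by a 'nat (if) 0 access-list' entry, empty split ACL."""
    lines = parse(config)
    attrs = vpngroup_attrs(lines, group)
    findings: List[str] = []
    pool = pool_range(lines, attrs.get("address-pool", ""))
    if pool is None:
        return [f"{group}: address-pool missing or not defined with ip local pool"]
    lo, hi = pool
    for t in lines:
        if t[:2] == ["ip", "address"] and len(t) >= 5:
            net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            if lo in net or hi in net:
                findings.append(f"{group}: pool {lo}-{hi} overlaps {t[2]} subnet {net}")
    nat0_acls = [t[4] for t in lines
                 if t[0] == "nat" and len(t) >= 5 and t[2:4] == ["0", "access-list"]]
    if not any(lo in dst and hi in dst
               for acl in nat0_acls for _, dst in acl_networks(lines, acl)):
        findings.append(f"{group}: no 'nat (inside) 0 access-list' entry covers pool {lo}-{hi}")
    if "split-tunnel" in attrs and not acl_networks(lines, attrs["split-tunnel"]):
        findings.append(f"{group}: split-tunnel access-list {attrs['split-tunnel']} has no permit ip entries")
    return findings


if __name__ == "__main__":
    for grp in ("superteam", "fulltunnel"):
        print(grp, "10.0.0.15 tunneled:", is_tunneled(SAMPLE_CONFIG, grp, "10.0.0.15"),
              "198.51.100.7 tunneled:", is_tunneled(SAMPLE_CONFIG, grp, "198.51.100.7"),
              "findings:", audit_group(SAMPLE_CONFIG, grp))
```

For the superteam group, 10.0.0.15 (the DNS server on the inside network) is sent through the tunnel and an arbitrary Internet address is sent in the clear; for fulltunnel, both are encrypted, which is the behaviour the note above describes when split tunneling is not enabled. The same access list 80 is used both as the split-tunnel policy and as the nat 0 exemption, so the audit passes for both groups.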


Configuring the Cisco VPN 3000 Client

This section describes how to configure the Cisco VPN 3000 Client to match the configurations in "Configuring the PIX Firewall." It is assumed the Cisco VPN 3000 Client is already installed on your system and is configured for general use. You can find the Cisco VPN 3000 Client documentation online at the following website:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

To allow the Cisco VPN 3000 Client to gain VPN access to the PIX Firewall using a pre-shared key, create one connection entry for the Cisco VPN 3000 Client that identifies the following:

Host name or IP address of the remote server you want to access, which in this case is a PIX Firewall

Name of the VPN group you belong to

Pre-shared key or password of the VPN group you belong to

Refer to the chapter "Configuring the VPN Client" in the VPN 3000 Client User Guide for the detailed steps to follow when configuring the Cisco VPN 3000 Client.

Follow these steps to configure the Cisco VPN 3000 Client to interoperate with the PIX Firewall:


Step 1 Click Start>Programs>Cisco Systems VPN 3000 Client>VPN Dialer.

Step 2 At the VPN Client main dialog box, click New.

The first New Connection Entry Wizard dialog box appears.

Step 3 Enter a unique name for the connection.

Step 4 (Optional) Enter a description of this connection.

Step 5 Click Next.

The second New Connection Entry Wizard dialog box appears.

Step 6 Enter the host name or IP address of the remote PIX Firewall you want to access.

Step 7 Click Next.

The third New Connection Entry Wizard dialog box appears.

Step 8 Click Group Access Information.

Step 9 Enter the name of the VPN group to which you belong and the password for your VPN group.

The password displays in asterisks.

Step 10 Click Next.

The fourth New Connection Entry Wizard dialog box appears.

Step 11 Review the connection entry name.

Step 12 Click Finish.


Xauth, IKE Mode Config, and Digital Certificates

This section shows use of Xauth, IKE Mode Config, and digital certificates for IKE authentication between a PIX Firewall and a Cisco VPN 3000 Client.

It includes the following topics:

Scenario Description

Configuring the PIX Firewall

Configuring the Cisco VPN 3000 Client


Note Both the PIX Firewall and the Cisco VPN 3000 Client are required to obtain digital certificates from the same CA server so that both are certified by the same root CA server. The PIX Firewall only supports use of one root CA server per VPN peer.


Scenario Description

For example purposes, the PIX Firewall is shown to interoperate with the Entrust CA server. The specific CA-related commands you enter depend on the CA you are using.


Note The PIX Firewall supports CA servers developed by VeriSign, Entrust, Baltimore Technologies, and Microsoft. See "Using Certification Authorities" in Chapter 6, "Configuring IPSec and Certification Authorities," for general configuration procedures. See Chapter 7, "Site-to-Site VPN Configuration Examples," for examples showing how to interoperate with different PIX Firewall-supported CA servers.


On the PIX Firewall, configure the unit to interoperate with the CA server to obtain a digital certificate. With the vpngroup command set, configure the PIX Firewall for a specified group of Cisco VPN 3000 Client users, using the following parameters:

Pool of local addresses to be assigned to the VPN group

(Optional) IP address of a DNS server to download to the Cisco VPN 3000 Client

(Optional) IP address of a WINS server to download to the Cisco VPN 3000 Client

(Optional) Default domain name to download to the Cisco VPN 3000 Client

(Optional) Split tunneling on the PIX Firewall, which allows both encrypted and clear traffic between the Cisco VPN 3000 Client and the PIX Firewall.


Note If split tunnelling is not enabled, all traffic between the Cisco VPN 3000 Client and the PIX Firewall will be encrypted.


(Optional) Inactivity timeout for the Cisco VPN 3000 Client. The default is 30 minutes.

On the Cisco VPN 3000 Client, configure the client to obtain a digital certificate. After obtaining the certificate, set up your Cisco VPN 3000 Client connection entry to use the digital certificate.

When the Cisco VPN 3000 Client initiates ISAKMP with the PIX Firewall, the digital certificate is sent to the PIX Firewall. The PIX Firewall uses the digital certificate to look up the configured client policy attributes for the given Cisco VPN 3000 Client and downloads the matching policy attributes to the client during the IKE negotiation.

Figure 8-2 illustrates the example network.

Figure 8-2 Cisco VPN 3000 Client Access

Configuring the PIX Firewall

Follow these steps to configure the PIX Firewall to interoperate with the Cisco VPN 3000 Client:


Step 1 Define AAA-related parameters:

aaa-server TACACS+ protocol tacacs+
aaa-server partnerauth protocol tacacs+
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5

Step 2 Define a host name:

hostname SanJose

Step 3 Define the domain name:

domain-name example.com

Step 4 Generate the PIX Firewall RSA key pair:

ca generate rsa key 512

This command is entered at the command line and does not get stored in the configuration.

Step 5 Declare a CA:

ca identity abcd 209.165.200.228 209.165.200.228

This command is stored in the configuration.

Step 6 Configure the parameters of communication between the PIX Firewall and the CA:

ca configure abcd ra 1 20 crloptional

This command is stored in the configuration. 1 is the retry period, 20 is the retry count, and the crloptional option disables CRL checking.

Step 7 Authenticate the CA by obtaining its public key and its certificate:

ca authenticate abcd

This command is entered at the command line and does not get stored in the configuration.

Step 8 Request signed certificates from your CA for your PIX Firewall's RSA key pair:

ca enroll abcd cisco

Before entering this command, contact your CA administrator, because they will have to authenticate your PIX Firewall manually before granting its certificate(s).

"cisco" is a challenge password. This can be anything. This command is entered at the command line and does not get stored in the configuration.

Step 9 Verify that the enrollment process was successful using the show ca certificate command:

show ca certificate

Step 10 Save keys and certificates, and the CA commands (except those indicated) in Flash memory:

ca save all
write memory


Note Use the ca save all command any time you add, change, or delete ca commands in the configuration. This command is not stored in the configuration.


Step 11 Set the PIX Firewall system clock.

The PIX Firewall clock must be accurate if you are using certificates. Enter the following command to update the system clock.

clock set

Step 12 Configure the IKE policy:

isakmp enable outside
isakmp policy 8 encr 3des
isakmp policy 8 hash md5
isakmp policy 8 authentication rsa-sig

Step 13 Create an access list that defines the PIX Firewall local network(s) requiring IPSec protection:

access-list 90 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

Step 14 Configure NAT 0:

nat (inside) 0 access-list 90

Step 15 Configure a transform set that defines how the traffic will be protected:

crypto ipsec transform-set strong-des esp-3des esp-sha-hmac

Step 16 Create a dynamic crypto map. Specify which transform sets are allowed for this dynamic crypto map entry:

crypto dynamic-map cisco 4 set transform-set strong-des

Step 17 Add the dynamic crypto map into a static crypto map:

crypto map partner-map 20 ipsec-isakmp dynamic cisco

Step 18 Apply the crypto map to the outside interface:

crypto map partner-map interface outside

Step 19 Tell the PIX Firewall to implicitly permit IPSec traffic:

sysopt connection permit-ipsec

Step 20 Enable Xauth:

crypto map partner-map client authentication partnerauth

Step 21 Configure IKE Mode Config-related parameters:

ip local pool dealer 10.1.1.1-10.1.1.254
crypto map partner-map client configuration address initiate

Step 22 Configure Cisco VPN 3000 Client policy attributes to download to the Cisco VPN 3000 Client:

vpngroup superteam address-pool dealer
vpngroup superteam dns-server 10.0.0.15
vpngroup superteam wins-server 10.0.0.15
vpngroup superteam default-domain example.com
vpngroup superteam split-tunnel 90 
vpngroup superteam idle-time 1800  


Note When configuring the VPN group name, make sure it matches the Organization Unit (OU) field in the Cisco VPN 3000 Client certificate. The PIX Firewall uses the VPN group name to match a given VPN client policy. For example, you would use the VPN group "superteam" if the OU field is "superteam."



Example 8-3 shows the command listing. PIX Firewall default configuration and certain CA commands do not appear in configuration listings.

Example 8-3 VPN Access with Extended Authentication, RADIUS Authorization, IKE Mode Config, and Digital Certificates

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SanJose
domain-name example.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 24
no logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 209.165.200.229 255.255.255.224
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.101.1 255.255.255.0
no failover
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 90 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq telnet
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ftp
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq http
nat (inside) 0 access-list 90
global (outside) 1 209.165.200.45-209.165.200.50 netmask 255.255.255.224
route outside 0.0.0.0 0.0.0.0 209.165.200.227 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
ip local pool dealer 10.1.1.1-10.1.1.254
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol tacacs+
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto dynamic-map cisco 4 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client authentication partnerauth 
crypto map partner-map interface outside
isakmp enable outside
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 authentication rsa-sig
vpngroup superteam address-pool dealer
vpngroup superteam dns-server 10.0.0.15
vpngroup superteam wins-server 10.0.0.15
vpngroup superteam default-domain example.com
vpngroup superteam split-tunnel 90
vpngroup superteam idle-time 1800 
ca identity abcd 209.165.200.228 209.165.200.228
ca configure abcd ra 1 100 crloptional
sysopt connection permit-ipsec
telnet timeout 5
terminal width 80


Note The crypto map partner-map client configuration address initiate command is only required to configure the Cisco VPN 3000 Client version 2.5/2.6.


Configuring the Cisco VPN 3000 Client

This section describes how to configure the Cisco VPN 3000 Client to match the configurations in "Configuring the PIX Firewall." It is assumed the Cisco VPN 3000 Client is already installed on your system and is configured for general use. You can find the Cisco VPN 3000 Client documentation online at the following website:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

For the Cisco VPN 3000 Client to gain VPN access to the PIX Firewall using a digital certificate, obtain a digital certificate from a CA server. Once you have this certificate, create a VPN client connection entry that identifies the following:

Host name or IP address of the remote server you want to access, which in this case is a PIX Firewall.

Certificate name. (This should already be installed on your Cisco VPN 3000 Client.)

This section does not cover how to obtain a digital certificate for the Cisco VPN 3000 Client. For information about obtaining a certificate for the Cisco VPN 3000 Client, refer to the chapter "Obtaining a Certificate" within the VPN 3000 Client User Guide.

To obtain the detailed steps to follow when configuring the Cisco VPN 3000 Client, refer to the chapter "Configuring the VPN 3000 Client" in the VPN 3000 Client User Guide.

Follow these steps to configure the Cisco VPN 3000 Client:


Step 1 Click Start>Programs>Cisco Systems VPN 3000 Client>VPN Dialer.

Step 2 At the Cisco VPN 3000 Client main dialog box, click New.

The first New Connection Entry Wizard dialog box appears.

Step 3 Enter a unique name for the connection.

Step 4 (Optional) Enter a description of this connection.

Step 5 Click Next.

The second New Connection Entry Wizard dialog box appears.

Step 6 Enter the host name or IP address of the remote PIX Firewall you want to access.

Step 7 Click Next.

The third New Connection Entry Wizard dialog box appears.

Step 8 Click Certificate.

Step 9 Click the name of the certificate you are using.

Step 10 Click Next.

The fourth New Connection Entry Wizard dialog box appears.

Step 11 Review the connection entry name.

Step 12 Click Finish.


Cisco Secure VPN Client Version 1.1

The example in this section shows use of Extended Authentication (Xauth), IKE Mode Config, and a wildcard pre-shared key for IKE authentication between a PIX Firewall and a Cisco Secure VPN Client.

This section includes the following topics:

Configuring the PIX Firewall

Configuring the Cisco Secure VPN Client Version 1.1

Figure 8-3 illustrates the example network.

Figure 8-3 VPN Client Access

Configuring the PIX Firewall

Follow these steps to configure the PIX Firewall to interoperate with the Cisco Secure VPN Client:


Step 1 Define AAA-related parameters:

aaa-server TACACS+ protocol tacacs+
aaa-server partnerauth protocol tacacs+
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5

Step 2 Configure the IKE policy:

isakmp enable outside
isakmp policy 8 encr 3des
isakmp policy 8 hash md5
isakmp policy 8 authentication pre-share

Step 3 Configure a wildcard, pre-shared key:

isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0

Step 4 Create access lists that define the virtual IP addresses for VPN clients:

access-list 80 permit ip host 10.0.0.14 host 192.168.15.1
access-list 80 permit ip host 10.0.0.14 host 192.168.15.2
access-list 80 permit ip host 10.0.0.14 host 192.168.15.3
access-list 80 permit ip host 10.0.0.14 host 192.168.15.4
access-list 80 permit ip host 10.0.0.14 host 192.168.15.5

Step 5 Configure NAT 0:

nat 0 access-list 80

Step 6 Configure a transform set that defines how the traffic will be protected:

crypto ipsec transform-set strong-des esp-3des esp-sha-hmac

Step 7 Create a dynamic crypto map. Specify which transform sets are allowed for this dynamic crypto map entry:

crypto dynamic-map cisco 4 set transform-set strong-des

Step 8 Add the dynamic crypto map into a static crypto map:

crypto map partner-map 20 ipsec-isakmp dynamic cisco

Step 9 Apply the crypto map to the outside interface:

crypto map partner-map interface outside

Step 10 Enable Xauth:

crypto map partner-map client authentication partnerauth

Step 11 Configure IKE Mode Config-related parameters:

ip local pool dealer 192.168.15.1-192.168.15.5
isakmp client configuration address-pool local dealer outside
crypto map partner-map client configuration address initiate

Step 12 Tell the PIX Firewall to implicitly permit IPSec traffic:

sysopt connection permit-ipsec


Example 8-4 provides the complete PIX Firewall configuration.

Example 8-4 PIX Firewall with VPN Client and Manual IP Address

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SanJose
domain-name example.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 24
no logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 209.165.200.229 255.255.255.224
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.101.1 255.255.255.0
no failover
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 80 permit ip host 10.0.0.14 host 192.168.15.1
access-list 80 permit ip host 10.0.0.14 host 192.168.15.2
access-list 80 permit ip host 10.0.0.14 host 192.168.15.3
access-list 80 permit ip host 10.0.0.14 host 192.168.15.4
access-list 80 permit ip host 10.0.0.14 host 192.168.15.5
nat 0 access-list 80
global (outside) 1 209.165.200.45-209.165.200.50 netmask 255.255.255.224
route outside 0.0.0.0 0.0.0.0 209.165.200.227 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
ip local pool dealer 192.168.15.1-192.168.15.5
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol tacacs+
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
crypto map partner-map client configuration address initiate
isakmp client configuration address-pool local dealer outside
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto dynamic-map cisco 4 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client authentication partnerauth 
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp enable outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
sysopt connection permit-ipsec
telnet timeout 5
terminal width 80
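The procedures behind Examples 8-3 and 8-4 build a chain of references: transform set, dynamic crypto map, static crypto map, outside interface with ISAKMP enabled, Xauth AAA server, address pool, split-tunnel access list, and (for Example 8-3) the vpngroup name that must equal the certificate OU. The following script is an added example, not Cisco tooling; it parses a listing and reports broken links in that chain. The embedded excerpt of Example 8-3, the finding messages, and the OU matching rule are constructed for this example.

```python
"""Reference-chain checker for the PIX Firewall remote-access VPN commands used
in Examples 8-3 and 8-4. Constructed example, not Cisco tooling."""
import re
from collections import defaultdict

# Constructed excerpt of the Example 8-3 listing, limited to the command
# families the checks below look at.
EXAMPLE_8_3 = """\
access-list 90 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
ip local pool dealer 10.1.1.1-10.1.1.254
aaa-server partnerauth protocol tacacs+
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto dynamic-map cisco 4 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client authentication partnerauth
crypto map partner-map interface outside
isakmp enable outside
isakmp policy 8 authentication rsa-sig
vpngroup superteam address-pool dealer
vpngroup superteam split-tunnel 90
sysopt connection permit-ipsec
"""


def parse_pix(config_text):
    """Index the object names that the remote-access commands refer to."""
    cfg = {"acl": set(), "pool": set(), "aaa": set(), "tset": set(),
           "dynmap": defaultdict(set), "isakmp_if": set(),
           "cmap": defaultdict(lambda: {"dynamic": set(), "xauth": None,
                                        "interface": None}),
           "vpngroup": defaultdict(dict), "permit_ipsec": False}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 3:
            continue
        head = t[0] + " " + t[1]
        if t[0] == "access-list":
            cfg["acl"].add(t[1])
        elif head == "ip local" and t[2] == "pool":
            cfg["pool"].add(t[3])
        elif t[0] == "aaa-server":
            cfg["aaa"].add(t[1])
        elif head == "crypto ipsec" and t[2] == "transform-set":
            cfg["tset"].add(t[3])
        elif head == "crypto dynamic-map" and "transform-set" in t:
            cfg["dynmap"][t[2]].update(t[t.index("transform-set") + 1:])
        elif head == "crypto map" and len(t) > 4:
            cm = cfg["cmap"][t[2]]
            if "dynamic" in t:
                cm["dynamic"].add(t[t.index("dynamic") + 1])
            elif t[3] == "client" and "authentication" in t:
                cm["xauth"] = t[-1]   # also covers 'client token authentication S'
            elif t[3] == "interface":
                cm["interface"] = t[4]
        elif head == "isakmp enable":
            cfg["isakmp_if"].add(t[2])
        elif t[0] == "vpngroup" and len(t) > 3:
            cfg["vpngroup"][t[1]][t[2]] = t[3]
        elif head == "sysopt connection" and t[2] == "permit-ipsec":
            cfg["permit_ipsec"] = True
    return cfg


def check_remote_access(config_text):
    """Return findings about broken references; [] means the chain is consistent."""
    cfg, out = parse_pix(config_text), []
    for name, tsets in cfg["dynmap"].items():
        for ts in sorted(tsets - cfg["tset"]):
            out.append(f"dynamic-map {name} uses undefined transform-set {ts}")
    for name, cm in cfg["cmap"].items():
        for dm in sorted(cm["dynamic"] - set(cfg["dynmap"])):
            out.append(f"crypto map {name} references undefined dynamic-map {dm}")
        if cm["interface"] is None:
            out.append(f"crypto map {name} is not applied to any interface")
        elif cm["interface"] not in cfg["isakmp_if"]:
            out.append(f"isakmp not enabled on {cm['interface']} (crypto map {name})")
        if cm["xauth"] is None:
            out.append(f"crypto map {name} has no Xauth client authentication")
        elif cm["xauth"] not in cfg["aaa"]:
            out.append(f"crypto map {name} Xauth server {cm['xauth']} is undefined")
    for group, attrs in cfg["vpngroup"].items():
        pool = attrs.get("address-pool")
        if pool is None:
            out.append(f"vpngroup {group} has no address-pool")
        elif pool not in cfg["pool"]:
            out.append(f"vpngroup {group} address-pool {pool} is undefined")
        acl = attrs.get("split-tunnel")
        if acl is not None and acl not in cfg["acl"]:
            out.append(f"vpngroup {group} split-tunnel access-list {acl} is undefined")
    if not cfg["permit_ipsec"]:
        out.append("sysopt connection permit-ipsec is missing")
    return out


def vpngroup_for_certificate(config_text, subject_dn):
    """Return the vpngroup whose name equals an OU in the client certificate
    subject (the matching rule in the note after Step 22), or None."""
    ous = {m.group(1).strip() for m in re.finditer(r"OU=([^,]+)", subject_dn)}
    hits = [g for g in parse_pix(config_text)["vpngroup"] if g in ous]
    return hits[0] if hits else None
```

Run it against a saved `show config` listing before cutting over: an empty finding list means every name the crypto map and vpngroup commands point at is actually defined.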

Configuring the Cisco Secure VPN Client Version 1.1

This section describes how to configure the Cisco Secure VPN Client for use with the PIX Firewall. Refer to the Release Notes for the Cisco Secure VPN Client Version 1.1 or later for the most current information. Before performing the steps in this section, install the VPN client as described in the Cisco Secure VPN Client release notes. You can find the Cisco Secure VPN Client release notes online at the following website:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csvpnc/index.htm

Follow these steps to configure the Cisco Secure VPN Client version 1.1:


Step 1 Click Start>Programs>Cisco Secure VPN Client>Security Policy Editor.

Step 2 Click Options>Secure>Specified Connections.

Step 3 In the Network Security Policy window, click Other Connection and then click Non-Secure in the panel on the right.

Step 4 Click File>New Connection. Rename New Connection, for example to ToSanJose.

Step 5 Under Connection Security, click Secure.

Step 6 Under Remote Party Identity and Addressing, set the following preferences in the panel on the right:

a. ID Type—Click IP address.

b. Enter the IP address of the internal host within the PIX Firewall unit's internal network to which the VPN client will have access. Enter 10.0.0.14.

c. Click Connect using Secure Gateway Tunnel.

d. ID Type—Click IP address.

e. Enter the IP address of the outside interface of the PIX Firewall. Enter 209.165.200.229.

Step 7 In the Network Security Policy window, click the plus sign beside the ToSanJose entry to expand the selection, and click My Identity. Set the following preferences in the panel on the right:

a. Select Certificate—Click None.

b. ID Type—Click IP address.

c. Port—Click All.

d. Local Network Interface—Click Any.

e. Click Pre-Shared Key. When the Pre-Shared Key dialog box appears, click Enter Key to make the key field editable. Enter cisco1234 and click OK.

Step 8 In the Network Security Policy window, expand Security Policy and set the following preferences in the panel on the right:

a. Under Select Phase 1 Negotiation Mode, click Main Mode.

b. Select the Enable Replay Detection check box.

Leave any other values as they were in the panel.

Step 9 Click Security Policy>Authentication (Phase 1)>Proposal 1 and set the following preferences in the panel on the right:

a. Authentication Method—Click Pre-shared Key.

b. Encrypt Alg—Click Triple DES.

c. Hash Alg—Click MD5.

d. SA Life—Click Unspecified to accept the default values.

e. Key Group—Click Diffie-Hellman Group 1.

Step 10 Click Security Policy>Key Exchange (Phase 2)>Proposal 1 and select the following values in the panel on the right:

a. Select the Encapsulation Protocol (ESP) check box.

b. Encryption Alg—Click Triple DES.

c. Hash Alg—Click SHA-1.

d. Encapsulation—Click Tunnel.

Step 11 Click File>Save Changes.

The VPN client is now activated.


You can view the connection process by right-clicking the SafeNet/Soft-PK icon in the Windows taskbar. Unless the taskbar has been moved, this icon appears in the lower right of the screen. Click Log Viewer to display the View Log feature.

Example 8-5 shows a typical View Log session.

Example 8-5 View Log Session

time_stamp ToSanJose - Deleting IKE SA
time_stamp ToSanJose - SENDING>>>>ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
time_stamp ToSanJose - RECEIVED<<<ISAKMP OAK TRANS *(HASH. ATTR)
time_stamp ToSanJose - Received Private IP Address = 192.168.15.3
time_stamp ToSanJose - SENDING>>>>ISAKMP OAK TRANS *(HASH, ATTR)
time_stamp ToSanJose - RECEIVED<<<ISAKMP OAK QM *(HASH, SA, NON, ID, ID, 
NOTIFY:STATUS_RESP_LIFETIME)
time_stamp ToSanJose - SENDING>>>> ISAKMP OAK QM *(HASH)
time_stamp ToSanJose - Loading IPSec SA keys...
time_stamp

Xauth with RSA Ace/Server and RSA SecurID

This section contains the following topics:

Terminology

Introduction

PIX Firewall Configuration

SecurID with Cisco VPN Client Version 3.x

SecurID with Cisco VPN 3000 Client Version 2.5/2.6

SecurID with Cisco Secure VPN Client Version 1.1 (3DES)

Terminology

ACE/Server: AAA server from RSA security.

ACE/Agent: A software program that makes it possible for workstations and third-party devices such as communication servers and firewalls to be clients of an ACE/Server.

RSA SecurID: Provides strong, two-factor authentication using tokens in conjunction with the RSA ACE/Server.

Token: Usually refers to a handheld device, such as an RSA SecurID Standard Card, Key Fob, or Pinpad Card, that displays a value called the tokencode. User password, RSA SecurID Smart Cards, and Software Tokens are token types with individual characteristics. The token is one of the factors in the RSA SecurID authentication system. The other factor is the user's PIN.

Tokencode: The code displayed by the token. The tokencode along with the PIN make up the RSA SecurID authentication system.

PIN: The user's personal identification number.

Two-Factor authentication: The authentication method used by the RSA ACE/Server system in which the user enters a secret PIN (personal identification number) and the current code generated by the user's assigned SecurID token.

PASSCODE: The PIN and the tokencode make up the PASSCODE.

Token Mode: The state the token is in. The token can be Enabled or Disabled, or it can be in New PIN Mode or Next Tokencode Mode.

New PIN mode: When the server puts a token in this mode, the user is required to receive or create a new PIN to gain access to an RSA SecurID-protected system.

Next Tokencode mode: When the user attempts authentication with a series of incorrect PASSCODEs, the server puts the token in this mode so that the user, after finally entering the correct code, is prompted for another tokencode before being allowed access.

Pinpads: A SecurID hardware token that allows entering the PIN via a Pinpad and displays the tokencode in an LCD display.

Key Fobs: Another form of SecurID hardware token that displays the current tokencode.

Software Token: A software token works like a Pinpad, but it is a program installed on the user's machine.

Introduction

The RSA Ace/Server and RSA SecurID combination can be used to provide authentication for the Cisco VPN Client version 3.x, the Cisco VPN 3000 Client version 2.5/2.6, and the Cisco Secure VPN Client version 1.1, which are supported by PIX Firewall. SecurID provides a token-based authentication method in the form of Software Tokens, Pinpads, or Key Fobs. The user is assigned a token and uses the value displayed by the token, called the tokencode, for authentication. A PIN is used along with the tokencode to form the Passcode.

The different modes that a token can use are:

Enabled.

Next Tokencode mode.

New PIN mode.

The PIN length and type are as defined in the system parameters of the ACE/Server, and some parameters can also be set on a per-user basis. When a token is assigned, it is enabled and is in New PIN mode. The PIN could be pre-assigned, or the RSA ACE/Server configuration can decide who creates that PIN. The options for PINs are as follows:

User-created PINs allowed

User-created PINs required

These options can also be decided on a per-user basis by selecting the appropriate check box on the Edit User panel provided by the ACE/Server master database administration tool.

The "User-created PINs allowed" option provides a choice between the system generating the PIN, and then providing it to the user, or the user selecting the PIN.

The "User-created PINs required" option requires the user to select the PIN.

PIX Firewall Configuration

Following is a sample of the PIX Firewall configuration needed for token-based Xauth of VPN clients, using RSA ACE/Server with RSA SecurID as the AAA server, to establish a secure connection.


Step 1 Create a pool of IP addresses for your clients to use:

ip local pool mypool 3.3.48.100-3.3.48.200

Step 2 Create the RADIUS servers:

aaa-server partner-auth protocol radius
aaa-server partner-auth (inside) host 10.100.48.43 MYSECRET timeout 20


Note The word "partner-auth" in the aaa-server command in Step 2 is a keyword that needs to match the keyword in the following crypto map command.


Step 3 Configure the transform set, the crypto maps, and the ISAKMP policy, including its hash algorithm:

crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto dynamic-map mydynmap 10 set transform-set myset
crypto map newmap 10 ipsec-isakmp dynamic mydynmap
crypto map newmap client configuration address initiate
crypto map newmap client configuration address respond
crypto map newmap client token authentication partner-auth


Note The word "token" in the crypto map newmap client token authentication partner-auth command is optional for the Cisco VPN Client version 3.x, and the Cisco Secure VPN Client version 1.1.


crypto map newmap interface outside
isakmp enable outside
isakmp key mysecretkey address 0.0.0.0 netmask 0.0.0.0
isakmp identity hostname
isakmp client configuration address-pool local mypool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

Step 4 For the Cisco VPN Client version 3.x, you may need to change the existing IKE/ISAKMP policy or add another policy, depending on the requirements, using the following command, where policy_number is the priority of the policy being changed or added:

isakmp policy policy_number group 2

Step 5 For the Cisco VPN 3000 Client version 2.5/2.6 and the Cisco VPN Client version 3.x, the vpngroup command configuration is also required:

vpngroup Cisco address-pool mypool
vpngroup Cisco dns-server 10.100.48.44
vpngroup Cisco wins-server 10.100.48.45
vpngroup Cisco default-domain Cisco.com
vpngroup Cisco split-tunnel myaccesslist
vpngroup Cisco password mysecretkey


SecurID with Cisco VPN Client Version 3.x

This section describes how to use the Cisco VPN Client version 3.x in the three token modes. It contains the following topics:

Token Enabled

Next Tokencode Mode

New PIN Mode

Token Enabled

When a connection is being established to the PIX Firewall with the Cisco VPN Client version 3.x, the user is prompted to enter the username and the password.

Enter the PIN in the Software Token dialog box or on the Pinpad, and enter the password in the box indicated for the password entry (see Figure 8-4).

Figure 8-4 Software Token Dialog Box—Cisco VPN Client Version 3

Next Tokencode Mode

If the user enters an incorrect password, the token status is changed to the Next Tokencode mode. In this case, when the user tries to connect the next time and enters a correct password in the first Software Token dialog box, another Software Token dialog box appears, prompting the user to enter the next tokencode.

New PIN Mode

This mode is seen when the user is first assigned a token and needs to connect before a PIN can be assigned or created by the user (Case 1), or if for some reason the administrator puts the token in the New PIN Mode (Case 2).

Case 1: User has no previous PIN or the PIN has been cleared.

In this case, enter the value that is currently being displayed on the token in the prompt that requests the username and password.

Case 2: User has an existing PIN and needs to change it.

In this case, enter the PIN in the Software Token dialog box or on the Pinpad, and use the value thus obtained as the password in the User Authentication dialog box that requests the username and password.

The next prompt, in either case, is for the New PIN. If the user is configured for user-created PIN allowed, enter y if the user wants the system to generate the PIN. In this case, the system sends the PIN in the next prompt to the client. If n is entered, the user is prompted to select the PIN. If the user is configured for user-created PIN required, then the prompt requests that the user select the PIN.

The next prompt requires the user to enter the password using the new PIN. Enter the newly created PIN in the Software Token dialog box or Pinpad and use the value thus obtained.

For a system-generated PIN:

Enter y at this point. The server then sends a PIN message to the user. Enter the next tokencode using the new PIN.

For a user-created PIN:

The user creates the PIN when the user enters n at the prompt that asks whether the system should generate the PIN, or when the user is configured for user-created PIN required.

After the PIN is entered and is accepted by the server, another Software Token dialog box appears.

Enter the next tokencode, using the new PIN, in the Software Token dialog box.

SecurID with Cisco VPN 3000 Client Version 2.5/2.6

This section describes how to use the Cisco VPN 3000 Client version 2.5/2.6 in the three token modes. It includes the following topics:

Token Enabled

Next Tokencode Mode

New PIN Mode

Token Enabled

When a connection is being established to the PIX Firewall, the user is prompted to enter the username and passcode. On Windows NT systems with the Token Software installed, the client detects the Software Token, so that when the PIN is entered, the passcode is obtained automatically from the Software Token and sent to the AAA server through the PIX Firewall. With a Pinpad, or on operating systems other than Windows NT, the prompt requests a username and passcode. Enter the PIN on the Pinpad or in the Software Token dialog box and use the passcode displayed on the token (see Figure 8-5).

Figure 8-5 Software Token Dialog Box—Cisco VPN 3000 Client Version 2.5/2.6

Next Tokencode Mode

If the user enters an incorrect passcode or PIN, the token status is changed to the Next Tokencode mode. In this case, when the user tries to connect the next time and enters a correct passcode in the first prompt, another prompt requests the user to enter the next tokencode.

New PIN Mode

This mode is seen when the user is first assigned a token and needs to connect before a PIN can be assigned or created by the user (Case 1), or if, for some reason, the administrator puts the token in the New PIN Mode (Case 2).

Case 1: User has no PINs previously assigned or the PIN has been cleared.

In this case, enter the value that is currently being displayed in the SecurID message box.

Case 2: User has an existing PIN and needs to change it.

In this case, enter the PIN in the Software Token dialog box or on the Pinpad and use the value thus obtained as the passcode when prompted for username and passcode. On a Windows NT operating system, enter the username and PIN instead of passcode.

The next prompt, in either case, is for the new PIN. If the user is configured for user-created PIN required, the prompt requests that the user select the PIN.

The next prompt requires the user to enter the passcode using the new PIN. Use the newly created PIN in the Software Token dialog box or on the Pinpad and use the value thus obtained. On a Windows NT operating system, enter the new PIN in the SecurID New Pin Mode dialog box.


Note Only the user-created PIN required option works on the Cisco VPN 3000 Client.


The next prompt requests that the user enter the next tokencode using the new PIN.

SecurID with Cisco Secure VPN Client Version 1.1 (3DES)

This section provides a reference for using the Cisco Secure VPN Client version 1.1 in the three token modes. It includes the following topics:

Token Enabled

Next Tokencode Mode

New PIN Mode

Token Enabled

When a connection is being established to the PIX Firewall with the Cisco Secure VPN Client version 1.1, the user is prompted to enter the username and the password. Enter the PIN in the Software Token dialog box or on the Pinpad, and enter the password in the box indicated for the password entry (see Figure 8-6).

Figure 8-6 Software Token Dialog Box—Cisco Secure VPN Client Version 1.1

Next Tokencode Mode

If the user enters an incorrect passcode, the token status is changed to the Next Tokencode mode. In this case, when the user tries to connect the next time and enters a correct password in the first Software Token dialog box, another Software Token dialog box appears, prompting the user to enter the next tokencode.

New PIN Mode

This mode is seen when the user is first assigned a token and needs to connect before a PIN can be assigned or created by the user (Case 1), or if for some reason the administrator puts the token in the New PIN Mode (Case 2).

Case 1: User has no PINs previously assigned, or the PIN has been cleared.

In this case, enter the value that is currently being displayed in the Software Token dialog box that requests a username and password.

Case 2: User has an existing PIN and needs to change it.

In this case, enter the PIN in the Software Token dialog box or on the Pinpad, and use the value thus obtained as the password.

The next prompt, in either case, is for the new PIN. If the user is configured for user-created PIN allowed, enter y if the user wants the system to generate the PIN. The system sends the PIN in the next prompt to the client. If n is entered, the user is prompted to select the PIN. If the user is configured for user-created PIN required, then the prompt requests the user to select the PIN.

The next prompt requires the user to enter the password using the new PIN. Enter the newly created PIN in the Software Token dialog box or on the Pinpad, and use the value thus obtained.

1. For the system-generated PIN:

When y is entered, the system sends the PIN and requires the user to use the PIN to enter the next tokencode.

2. For a user-created PIN, whether chosen by the user or required:

When n is entered in the Generate PIN dialog box, or if the user is required to create the PIN, the User Authentication for New Connection dialog box appears.

Once the user enters the PIN and it is accepted by the server, another Software Token dialog box appears. Enter the next tokencode using the new PIN.
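To make the three token modes from the Introduction and the New PIN exchanges described for each client concrete, here is a constructed simulation of the ACE/Server side of the dialogue, an added example that is neither RSA's nor Cisco's code. The fixed tokencode list, the three-miss threshold that triggers Next Tokencode mode, the four-digit PIN rule, and the prompt strings are all assumptions; the real SecurID tokencode algorithm is not implemented.

```python
"""Constructed simulation of the ACE/Server token modes described above
(Enabled, Next Tokencode, New PIN), seen from the authentication side.
Not RSA's or Cisco's code; the tokencode list stands in for the real
time-based SecurID algorithm."""
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed: the codes the token displays in successive intervals.
TOKENCODES = ["159759", "260861", "371972", "482083", "593194"]
BAD_PASSCODE_LIMIT = 3   # constructed: misses before Next Tokencode mode


@dataclass
class Token:
    pin: Optional[str]           # None when no PIN is assigned or it was cleared
    mode: str = "enabled"        # enabled | next_tokencode | new_pin | disabled
    pin_policy: str = "allowed"  # "allowed" (user may ask for a system PIN) or "required"
    interval: int = 0            # which entry of TOKENCODES the token shows now
    bad_count: int = 0

    def tokencode(self):
        return TOKENCODES[self.interval % len(TOKENCODES)]


def generate_pin():
    """Constructed server-side PIN generator: four random digits."""
    return f"{secrets.randbelow(10000):04d}"


class AceServerSim:
    """Each call returns ACCEPT, REJECT, or the next prompt the client should show."""
    def __init__(self):
        self._pending = {}   # id(token) -> (state, memo) between prompts

    @staticmethod
    def _passcode(token):
        # PASSCODE = PIN followed by tokencode; with no PIN it is the tokencode alone
        return (token.pin or "") + token.tokencode()

    def authenticate(self, token, user_entry):
        """First prompt: the username/PASSCODE entry (username implied by the token)."""
        if token.mode == "disabled":
            return "REJECT"
        if user_entry != self._passcode(token):
            token.bad_count += 1
            if token.mode == "enabled" and token.bad_count >= BAD_PASSCODE_LIMIT:
                token.mode = "next_tokencode"
            return "REJECT"
        token.bad_count = 0
        if token.mode == "next_tokencode":
            self._pending[id(token)] = ("await_next", token.tokencode())
            return "PROMPT:NEXT_TOKENCODE"
        if token.mode == "new_pin":
            if token.pin_policy == "required":
                self._pending[id(token)] = ("await_user_pin", None)
                return "PROMPT:SELECT_PIN"
            self._pending[id(token)] = ("await_choice", None)
            return "PROMPT:SYSTEM_PIN_Y_N"
        return "ACCEPT"

    def respond(self, token, user_entry):
        """Feed the user's answer to the prompt that was last returned."""
        state, memo = self._pending.get(id(token), (None, None))
        if state == "await_next":
            # must be the code of the *next* interval, not a replay of the last one
            if user_entry != memo and user_entry == token.tokencode():
                token.mode = "enabled"
                del self._pending[id(token)]
                return "ACCEPT"
            return "REJECT"
        if state == "await_choice":
            if user_entry.lower() == "y":
                token.pin = generate_pin()
                self._pending[id(token)] = ("await_new_passcode", token.tokencode())
                return "PIN:" + token.pin      # the server sends the PIN to the user
            self._pending[id(token)] = ("await_user_pin", None)
            return "PROMPT:SELECT_PIN"
        if state == "await_user_pin":
            if not (user_entry.isdigit() and len(user_entry) >= 4):
                return "REJECT"               # constructed PIN policy: 4+ digits
            token.pin = user_entry
            self._pending[id(token)] = ("await_new_passcode", token.tokencode())
            return "PROMPT:PASSCODE_WITH_NEW_PIN"
        if state == "await_new_passcode":
            # next tokencode combined with the new PIN; the token must have advanced
            if token.tokencode() != memo and user_entry == self._passcode(token):
                token.mode = "enabled"
                del self._pending[id(token)]
                return "ACCEPT"
            return "REJECT"
        return "REJECT"
```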

Configuring L2TP with IPSec in Transport Mode

This section describes how to use IPSec in transport mode to enable L2TP. It includes the following topics:

L2TP Overview

IPSec Transport and Tunnel Modes

Configuring L2TP with IPSec in Transport Mode

For an example of configuring L2TP, see "Xauth with RSA Ace/Server and RSA SecurID."

L2TP Overview

PIX Firewall with L2TP/IPSec support provides the capability to deploy and administer an L2TP VPN solution alongside the IPSec VPN and PIX Firewall services in a single platform. To implement L2TP, perform the following steps:

1. Configure IPSec transport mode to enable IPSec with L2TP.

2. Configure L2TP with a virtual private dial-up network (VPDN) group.

The primary benefit of configuring L2TP with IPSec in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, enabling remote access from virtually anyplace with POTS. An additional benefit is that the only client requirement for VPN access is the use of Windows 2000 with Microsoft Dial-Up Networking (DUN). No additional client software, such as Cisco VPN client software, is required.

L2TP with IPSec supports IKE authentication using either pre-shared keys or RSA signatures (certificates), and the use of dynamic (as opposed to static) crypto maps. This summary of tasks assumes that IKE, and either pre-shared keys or RSA signatures, are already configured. See "Xauth with RSA Ace/Server and RSA SecurID" for the steps to configure pre-shared keys, RSA, and dynamic crypto maps.


Note L2TP with IPSec, as introduced with PIX Firewall version 6.0, allows the L2TP LNS to interoperate with the Windows 2000 L2TP client. Interoperability with LACs from Cisco and other vendors is currently not supported. Only L2TP with IPSec is supported; native L2TP itself is not supported on PIX Firewall.



Note If the PIX Firewall IPSec lifetime is set to less than 300 seconds, then the Windows 2000 client ignores it and replaces it with a 300 second lifetime because the minimum IPSec lifetime supported by the Windows 2000 client is 300 seconds. This causes the IKE negotiation to fail.

Specifically, the Windows 2000 L2TP client does not accept a lower ISAKMP lifetime value from the PIX Firewall. If the PIX Firewall has a lower ISAKMP SA (Internet Security Association and Key Management Protocol security association) lifetime, then the Windows 2000 client sends a notify payload of NO_PROPOSAL_CHOSEN and the IKE negotiation fails. To work around this, specify an ISAKMP SA lifetime value that is greater than or equal to the Windows 2000 ISAKMP SA lifetime value.


IPSec Transport and Tunnel Modes

IPSec can be configured in tunnel mode or transport mode. In IPSec tunnel mode, the entire original IP datagram is encrypted, and it becomes the payload in a new IP packet. This mode allows a network device, such as a router, to act as an IPSec proxy. That is, the router performs encryption on behalf of the hosts. The source router encrypts packets and forwards them along the IPSec tunnel. The destination router decrypts the original IP datagram and forwards it on to the destination system. The major advantage of tunnel mode is that the end systems do not need to be modified to receive the benefits of IPSec. Tunnel mode also protects against traffic analysis; with tunnel mode, an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.

In IPSec transport mode, only the IP payload is encrypted, and the original IP headers are left intact. (See Figure 8-7.) This mode has the advantage of adding only a few bytes to each packet. It also allows devices on the public network to see the final source and destination of the packet, so you can enable special processing (for example, QoS) on the intermediate network based on the information in the IP header. However, the Layer 4 header is encrypted, which limits how far the packet can be examined. Because transport mode transmits the IP header in clear text, it also allows an attacker to perform some traffic analysis.

Figure 8-7 IPSec in Tunnel and Transport Modes

Windows 2000 uses IPSec transport mode when tunneling L2TP data. Transport mode should be configured on the PIX Firewall to receive the L2TP IPSec transport mode data from a Windows 2000 client.
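The encapsulation difference described above, as an added example that is not part of this guide or of PIX Firewall code: the script below builds a small IPv4 datagram, wraps it in ESP in transport mode and in tunnel mode, and reports what an on-path observer can read from the outer header and how many bytes each mode adds. The cipher is a labelled stand-in (an HMAC-derived keystream) rather than DES; the integrity check is HMAC-MD5 truncated to 96 bits, which is what the esp-md5-hmac transform denotes. The addresses, SPIs and key are constructed sample values.

```python
"""Added example (not Cisco code): ESP transport mode versus tunnel mode
around the same IPv4 datagram, and what an on-path observer sees in each case."""
import hashlib
import hmac
import struct

ESP_PROTOCOL = 50        # IP protocol number carried in the outer header
IPIP_NEXT_HEADER = 4     # ESP next-header value for an encapsulated IPv4 packet
ICV_LEN = 12             # HMAC-MD5-96, as in the esp-md5-hmac transform


def _addr(dotted):
    return bytes(int(x) for x in dotted.split("."))


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over a 20-byte header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, _addr(src), _addr(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """What an on-path observer can read from the outer header."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"src": ".".join(map(str, f[8])), "dst": ".".join(map(str, f[9])),
            "proto": f[6], "total_len": f[2], "payload": pkt[ihl:f[2]]}


def _keystream_xor(key, data):
    """Stand-in for the ESP cipher (real ESP uses DES/3DES/AES): XOR with an
    HMAC-SHA256 counter keystream. Symmetric, so the same call decrypts."""
    stream = b"".join(hmac.new(key, struct.pack("!I", i), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(key, spi, seq, plaintext, next_header):
    """ESP packet: header (SPI, seq) | encrypted(payload, pad, pad-len, next-hdr) | ICV."""
    pad_len = (-(len(plaintext) + 2)) % 4        # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    body = _keystream_xor(key, plaintext + trailer)
    icv = hmac.new(key, header + body, hashlib.md5).digest()[:ICV_LEN]
    return header + body + icv


def esp_decapsulate(key, esp):
    """Verify the ICV, then strip the trailer; returns (plaintext, next_header)."""
    header, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, header + body, hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    plain = _keystream_xor(key, body)
    pad_len, next_header = plain[-2], plain[-1]
    return plain[:len(plain) - pad_len - 2], next_header


def esp_transport(pkt, key, spi, seq):
    """Transport mode: the original IP header stays (protocol becomes 50),
    only the Layer 4 payload is protected."""
    ip = parse_ipv4(pkt)
    esp = esp_encapsulate(key, spi, seq, ip["payload"], ip["proto"])
    return build_ipv4(ip["src"], ip["dst"], ESP_PROTOCOL, esp)


def esp_tunnel(pkt, key, spi, seq, gw_src, gw_dst):
    """Tunnel mode: the whole original datagram is protected behind a new header
    whose addresses are the tunnel endpoints."""
    esp = esp_encapsulate(key, spi, seq, pkt, IPIP_NEXT_HEADER)
    return build_ipv4(gw_src, gw_dst, ESP_PROTOCOL, esp)


# Constructed sample traffic: a host behind one gateway talking to a host behind another.
KEY = b"constructed-demo-key"
ORIGINAL = build_ipv4("10.0.0.20", "10.1.1.5", 17, b"constructed L2TP payload")


def demo():
    """What an observer sees for each mode, plus the per-packet overhead."""
    t = esp_transport(ORIGINAL, KEY, spi=0x1001, seq=1)
    u = esp_tunnel(ORIGINAL, KEY, spi=0x1002, seq=1,
                   gw_src="209.165.200.228", gw_dst="209.165.201.2")
    return {
        "transport_seen": {k: parse_ipv4(t)[k] for k in ("src", "dst", "proto")},
        "tunnel_seen": {k: parse_ipv4(u)[k] for k in ("src", "dst", "proto")},
        "transport_overhead": len(t) - len(ORIGINAL),
        "tunnel_overhead": len(u) - len(ORIGINAL),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows the transport-mode packet carrying the real endpoints and protocol 50 (ESP) in the clear, the tunnel-mode packet exposing only the two gateway addresses, and tunnel mode costing exactly the 20 bytes of the extra IP header on top of the ESP header, trailer and ICV that transport mode already adds.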

Configuring L2TP with IPSec in Transport Mode

To configure L2TP with IPSec in transport mode, perform the following steps:


Step 1 Specify IPSec to use transport mode rather than tunnel mode:

crypto ipsec transform-set trans_name mode transport

Step 2 Allow L2TP traffic to bypass conduit/access-list checking:

sysopt connection permit-ipsec
sysopt connection permit-l2tp

Step 3 Instruct the PIX Firewall to accept L2TP dial-in requests:

vpdn group group_name accept dialin l2tp

Step 4 Specify PPP protocol and authentication protocol (PAP, CHAP, or MS-CHAP):

vpdn group group_name ppp authentication pap/chap/mschap

Step 5 Specify the local address pool used to allocate the IP address to the client:

vpdn group group_name client configuration address local address_pool_name

Step 6 (Optional) Instruct the PIX Firewall to send DNS server IP addresses to the client:

vpdn group group_name client configuration dns dns_server_ip1 dns_server_ip2

Step 7 (Optional) Instruct the PIX Firewall to send WINS server IP addresses to the client:

vpdn group group_name client configuration wins wins_server_ip1 wins_server_ip2

Step 8 Specify authentication using the PIX Firewall local username/password database. If set to aaa, authenticate using the AAA server.

vpdn group group_name client authentication aaa aaa_server_tag
or
vpdn group group_name client authentication local

Step 9 (Optional) Generate a AAA accounting start and stop record for an L2TP (and PPTP) session:

vpdn group group_name client accounting aaa_server_tag

Step 10 If local authentication is used, the following command specifies username/password entries:

vpdn username username password password

Step 11 (Optional) Specify the L2TP keep-alive/hello timeout value:

vpdn group group_name l2tp tunnel hello hello_timeout

The default timeout value is 60, and the lower and upper limits are 10 and 300, respectively.

Step 12 Enable vpdn function on a PIX Firewall interface:

vpdn enable ifname


Windows 2000 Client with IPSec and L2TP

This section provides an example of how to configure the PIX Firewall for interoperability with a Windows 2000 client. It includes the following topics:

Overview

Configuring the PIX Firewall

Enabling IPSec Debug

Getting Additional Information

Overview

The example shows the use of IPSec with L2TP, which requires that IPSec be configured in transport mode. Refer to the "Using PPTP for Remote Access" section for IPSec transport mode configuration information. For detailed command reference information, refer to the Cisco PIX Firewall Command Reference.


Note For information on configuring the PIX Firewall for RSA signatures or pre-shared keys as the authentication method, refer to the isakmp command page in the Cisco PIX Firewall Command Reference. For information on obtaining certificates for RSA signature authentication from a CA, refer to "Using Certification Authorities" in Chapter 6, "Configuring IPSec and Certification Authorities."


Configuring the PIX Firewall

Follow these steps to configure the PIX Firewall to interoperate with the Windows 2000 client:


Note In this example, PIX Firewall uses PAP and AAA authentication. No conduit commands are included, as the sysopt connection permit-l2tp option is set in Step 23. This command also permits L2TP traffic.



Step 1 Define AAA related parameters:

aaa-server radius protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5

Note Steps 2-10 use RSA signatures as the authentication method for ISAKMP negotiation. If you want to use pre-shared keys as the authentication method, skip Steps 2-10 and configure the following: isakmp key secretkey address 0.0.0.0 netmask 0.0.0.0 and isakmp policy 1 authentication pre-share.


Step 2 Define a host name:

hostname SanJose

Step 3 Define the domain name:

domain-name example.com

Step 4 Generate the PIX Firewall RSA key pair:

ca generate rsa key 512

This command is entered at the command line and does not get stored in the configuration.

Step 5 Declare a CA:

ca identity abcd 209.165.200.228 209.165.200.228

The second address is configured if LDAP is used by that CA server. This command is stored in the configuration.

Step 6 Configure the parameters of communication between the PIX Firewall and the CA:

ca configure abcd ra 1 20 crloptional

This command is stored in the configuration. 1 is the retry period, 20 is the retry count, and the crloptional option disables CRL checking.

Step 7 Authenticate the CA by obtaining its public key and its certificate:

ca authenticate abcd

This command is entered at the command line and does not get stored in the configuration.

Step 8 Request signed certificates from your CA for your PIX Firewall's RSA key pair:

ca enroll abcd cisco

Before entering this command, contact your CA administrator because they must authenticate your PIX Firewall manually before granting its certificate(s).

"cisco" is a challenge password. This can be anything. This command is entered at the command line and does not get stored in the configuration.

Step 9 Verify that the enrollment process was successful using the show ca certificate command:

show ca certificate

Step 10 Save keys and certificates, and the CA commands (except those indicated) in Flash memory:

ca save all
write memory


Note Use the ca save all command any time you add, change, or delete ca commands in the configuration. This command is not stored in the configuration.


Step 11 Configure the IKE policy:

isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400


Note Always configure the IKE lifetime on PIX Firewall for the same or more time than the IKE lifetime configured on the Windows 2000 L2TP/IPSec client, or the IKE negotiation will fail (CSCdt48570).


Step 12 Configure ISAKMP identity:

isakmp identity hostname

Step 13 Enable ISAKMP on the outside interface:

isakmp enable outside

Step 14 Create an access list that defines the PIX Firewall network(s) requiring IPSec protection:

access-list 90 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

Step 15 Bind the access list to NAT 0:

nat (inside) 0 access-list 90

Step 16 Configure a transform-set that defines how the traffic will be protected:

crypto ipsec transform-set basic esp-des esp-md5-hmac
crypto ipsec transform-set basic mode transport

Note The Windows 2000 L2TP/IPSec client uses IPSec transport mode, so transport mode should be selected on the transform set.


Step 17 Create a dynamic crypto map, and specify which transform sets are allowed for this dynamic crypto map entry:

crypto dynamic-map cisco 4 set transform-set basic




Step 18 Add the dynamic crypto map into a static crypto map:

crypto map partner-map 20 ipsec-isakmp dynamic cisco

Step 19 Apply the crypto map to the outside interface:

crypto map partner-map interface outside

Step 20 Configure the IP local pool:

ip local pool dealer 10.1.1.1-10.1.1.254

Step 21 Configure the VPDN group for L2TP:

vpdn group 1 accept dialin l2tp
vpdn group 1 ppp authentication pap
vpdn group 1 client configuration address local dealer
vpdn group 1 client configuration dns 10.0.0.15
vpdn group 1 client configuration wins 10.0.0.16
vpdn group 1 client authentication aaa partnerauth


Note The AAA server used for accounting does not need to be the same server as the AAA authentication server.


vpdn group 1 l2tp tunnel hello

Step 22 Enable the VPDN function on the outside interface of the PIX Firewall:

vpdn enable outside

Step 23 Configure the PIX Firewall to implicitly permit L2TP traffic and bypass conduit/access list checking:

sysopt connection permit-l2tp

Step 24 (Optional) If AAA authentication is not required, local authentication can be used by configuring the username and password on the PIX Firewall:

vpdn username user1 password test1

Step 25 The following debug commands (some of which can only be used from the console) can be used for troubleshooting:

debug cry isa
debug cry ipsec
debug cry ca
debug vpdn packet
debug vpdn event
debug vpdn error
debug ppp error
debug ppp negotiation

Step 26 Verify/display tunnel configuration:

show vpdn tunnel



Note The PIX Firewall does not establish an L2TP/IPSec tunnel with Windows 2000 if either the Cisco VPN Client version 3.x or the Cisco VPN 3000 Client version 2.5/2.6 is installed. Disable the Cisco VPN Service for the Cisco VPN Client version 3.x, or the ANetIKE Service for the Cisco VPN 3000 Client version 2.5/2.6 from the Services panel in Windows 2000 (click Start>Programs>Administrative Tools>Services). Then restart the IPSec Policy Agent Service from the Services panel, and reboot the machine.


Enabling IPSec Debug

IPSec debug information can be enabled on a Windows 2000 client by adding the following registry key:


Step 1 Run the Windows 2000 registry editor: REGEDIT.

Step 2 Locate the following registry entry:

MyComputer\HKEY_LOCAL_MACHINE\CurrentControlSet\Services\PolicyAgent

Step 3 Create the key by entering oakley.

Step 4 Create the DWORD by entering EnableLogging.

Step 5 Set the "EnableLogging" value to "1".

Step 6 Stop and Start the IPSec Policy Agent (click Start>Programs>Administrative Tools>Services). The debug file will be found at "%windir%\debug\oakley.log".


Getting Additional Information

Additional information on various topics can be found at www.microsoft.com:

http://support.microsoft.com/support/kb/articles/Q240/2/62.ASP

How to Configure an L2TP/IPSec Connection Using Pre-Shared Keys Authentication

http://support.microsoft.com/support/kb/articles/Q253/4/98.ASP

How to Install a Certificate for Use with IP Security (IPSec)

http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/WINDOWS2000/en/server/help/sag_VPN_us26.htm

How to use a Windows 2000 Machine Certificate for L2TP over IPSec VPN Connections

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp#heading3

How to Create a Custom MMC Console and Enabling Audit Policy for Your Computer

http://support.microsoft.com/support/kb/articles/Q259/3/35.ASP

Using PPTP for Remote Access

This section describes how to implement the Point-to-Point Tunneling Protocol (PPTP) using PIX Firewall. It contains the following topics:

Overview

PPTP Configuration

PPTP Configuration Example

Overview

PIX Firewall provides support for Microsoft PPTP, which is an alternative to IPSec handling for VPN clients. While PPTP is less secure than IPSec, PPTP is easier to implement and maintain.

The vpdn command implements the PPTP feature for inbound connections between the PIX Firewall and a Windows client. Point-to-Point Tunneling Protocol (PPTP) is a layer 2 tunneling protocol which lets a remote client use a public IP network to communicate securely with servers at a private corporate network. PPTP tunnels the IP protocol. RFC 2637 describes the PPTP protocol.

Support is provided for only inbound PPTP and only one PIX Firewall interface can have the vpdn command enabled.

Supported authentication protocols include: PAP, CHAP, and MS-CHAP using external AAA (RADIUS or TACACS+) servers or the PIX Firewall local username and password database. Through the PPP IPCP protocol negotiation, PIX Firewall assigns a dynamic internal IP address to the PPTP client allocated from a locally defined IP address pool.

PIX Firewall PPTP VPN supports standard PPP CCP negotiations with Microsoft Point-To-Point Encryption (MPPE) extensions using the RSA RC4 algorithm. MPPE currently supports 40-bit and 128-bit session keys. MPPE generates an initial key during user authentication and refreshes the key regularly. In this release, compression is not supported.

When you specify MPPE, use the MS-CHAP PPP authentication protocol. If you are using an external AAA server, the protocol should be RADIUS and the external RADIUS server should be able to return the Microsoft MSCHAP_MPPE_KEY attribute to the PIX Firewall in the RADIUS Authentication Accept packet. See RFC 2548, "Microsoft Vendor Specific RADIUS Attributes," for more information on the MSCHAP_MPPE_KEY attribute.

CiscoSecure ACS 2.5/2.6 and higher releases support the MS-CHAP/MPPE encryption.

PIX Firewall PPTP VPN has been tested with the following Microsoft Windows products: Windows 95 with DUN1.3, Windows 98, Windows NT 4.0 with SP6, and Windows 2000.


Note If you configure PIX Firewall for 128-bit encryption and if a Windows 95 or Windows 98 client does not support 128-bit or greater encryption, then the connection to the PIX Firewall is refused. When this occurs, the Windows client moves the dial-up connection menu down to the screen corner while the PPP negotiation is in progress. This gives the appearance that the connection is accepted when it is not. When the PPP negotiation completes, the tunnel terminates and PIX Firewall ends the connection. The Windows client eventually times out and disconnects.


PPTP Configuration

Use the vpdn command with the sysopt connection permit-pptp command to allow PPTP traffic to bypass checking of access-list command statements.

The show vpdn command lists tunnel and session information.

The clear vpdn command removes all vpdn commands from the configuration and stops all active PPTP tunnels. The clear vpdn all command removes all tunnels, and the clear vpdn id tunnel_id command removes the tunnel associated with tunnel_id. (You can view the tunnel_id with the show vpdn command.)

The clear vpdn group command removes all vpdn group commands from the configuration, and the clear vpdn username command removes all vpdn username commands from the configuration.

You can troubleshoot PPTP traffic with the debug ppp and debug vpdn commands.

PPTP Configuration Example

Example 8-6 shows a simple configuration, which lets a Windows PPTP client dial in without any authentication (not recommended). Refer to the vpdn command page in the Cisco PIX Firewall Command Reference for more examples and descriptions of the vpdn commands and the command syntax.

Example 8-6 PPTP Configuration Example

ip local pool my-addr-pool 10.1.1.1-10.1.1.254
vpdn group 1 accept dialin pptp
vpdn group 1 client configuration address local my-addr-pool
vpdn enable outside
static (inside, outside) 209.165.201.2 192.168.0.2 netmask 255.255.255.255
access-list acl_out permit tcp any host 209.165.201.2 eq telnet
access-group acl_out in interface outside

The ip local pool command specifies the IP addresses assigned to each VPN client as they log in to the network. The Windows client can Telnet to host 192.168.0.2 through the global IP address 209.165.201.2 in the static command statement. The access-list command statement permits Telnet access to the host.
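As an added example that is not part of this guide or of PIX Firewall, the following script checks a PIX 6.2 configuration against the prerequisites from "Configuring L2TP with IPSec in Transport Mode" and the Windows 2000 example (transport-mode transform set, sysopt connection permit-l2tp, ISAKMP enabled, the Windows 2000 lifetime minimum, a VPDN group with an address pool and an authentication source), and applies the same per-group checks to PPTP groups such as the one in Example 8-6. The two embedded configurations are constructed samples modelled on those sections, the step numbers in the findings refer to the 12-step procedure, and the function and finding texts are this example's own.

```python
"""Added example (not Cisco code): prerequisite checks for PIX 6.2 L2TP/IPSec
and PPTP VPDN configurations, run against constructed sample configs."""
import re

WIN2K_MIN_ISAKMP_LIFETIME = 300   # lowest lifetime the Windows 2000 client accepts

# Constructed sample modelled on Steps 1-24 of the Windows 2000 example (not a real device).
L2TP_CONFIG = """
aaa-server partnerauth protocol radius
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp enable outside
crypto ipsec transform-set basic esp-des esp-md5-hmac
crypto ipsec transform-set basic mode transport
crypto dynamic-map cisco 4 set transform-set basic
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map interface outside
ip local pool dealer 10.1.1.1-10.1.1.254
vpdn group 1 accept dialin l2tp
vpdn group 1 ppp authentication pap
vpdn group 1 client configuration address local dealer
vpdn group 1 client authentication aaa partnerauth
vpdn enable outside
sysopt connection permit-l2tp
"""

# Constructed sample modelled on Example 8-6: PPTP with no authentication at all.
PPTP_CONFIG = """
ip local pool my-addr-pool 10.1.1.1-10.1.1.254
vpdn group 1 accept dialin pptp
vpdn group 1 client configuration address local my-addr-pool
vpdn enable outside
"""


def lint_vpdn_config(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []

    def matches(pattern):
        return [m for m in (re.fullmatch(pattern, l) for l in lines) if m]

    def present(pattern):
        return bool(matches(pattern))

    groups = matches(r"vpdn group (\S+) accept dial-?in (l2tp|pptp)")
    if not groups:
        findings.append("no 'vpdn group ... accept dialin l2tp|pptp' configured (Step 3)")
    if not present(r"vpdn enable \S+"):
        findings.append("missing 'vpdn enable <ifname>' (Step 12)")

    pools = {m.group(1) for m in matches(r"ip local pool (\S+) \S+")}
    aaa_servers = {m.group(1) for m in matches(r"aaa-server (\S+) protocol \S+")}
    has_local_users = present(r"vpdn username \S+ password \S+")

    for g in groups:
        name = g.group(1)
        gre = rf"vpdn group {re.escape(name)} "      # prefix for this group's lines
        if not present(gre + r"ppp authentication (pap|chap|mschap)"):
            findings.append(f"group {name}: no PPP authentication protocol (Step 4)")
        pool = matches(gre + r"client configuration address local (\S+)")
        if not pool:
            findings.append(f"group {name}: no client address pool (Step 5)")
        elif pool[0].group(1) not in pools:
            findings.append(f"group {name}: pool '{pool[0].group(1)}' has no 'ip local pool'")
        aaa = matches(gre + r"client authentication aaa (\S+)")
        local = present(gre + r"client authentication local")
        if aaa and aaa[0].group(1) not in aaa_servers:
            findings.append(f"group {name}: AAA server tag '{aaa[0].group(1)}' is not defined")
        elif local and not has_local_users:
            findings.append(f"group {name}: local authentication but no 'vpdn username' entries (Step 10)")
        elif not aaa and not local:
            findings.append(f"group {name}: no client authentication (Step 8); clients dial in unauthenticated")

    if any(g.group(2) == "l2tp" for g in groups):
        if not present(r"sysopt connection permit-l2tp"):
            findings.append("missing 'sysopt connection permit-l2tp' (Step 2)")
        if not present(r"isakmp enable \S+"):
            findings.append("L2TP/IPSec needs ISAKMP enabled on an interface")
        for m in matches(r"isakmp policy (\d+) lifetime (\d+)"):
            if int(m.group(2)) < WIN2K_MIN_ISAKMP_LIFETIME:
                findings.append(f"isakmp policy {m.group(1)}: lifetime {m.group(2)}s is below "
                                f"the Windows 2000 minimum of {WIN2K_MIN_ISAKMP_LIFETIME}s")
        # Every transform set a dynamic map offers must be in transport mode (Steps 1 and 16).
        for m in matches(r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)"):
            if not present(rf"crypto ipsec transform-set {re.escape(m.group(2))} mode transport"):
                findings.append(f"transform-set {m.group(2)} used by dynamic-map {m.group(1)} "
                                "is not in transport mode (Step 1)")
    if any(g.group(2) == "pptp" for g in groups) and not present(r"sysopt connection permit-pptp"):
        findings.append("missing 'sysopt connection permit-pptp'; PPTP traffic is subject to access-list checks")
    return findings


if __name__ == "__main__":
    for label, cfg in (("L2TP sample", L2TP_CONFIG), ("PPTP sample", PPTP_CONFIG)):
        print(label, lint_vpdn_config(cfg) or ["ok"])
```

The L2TP sample passes cleanly; the PPTP sample reproduces the "not recommended" state of Example 8-6 by reporting a group with neither a PPP authentication protocol nor a client authentication source. Changing the sample's transform set to tunnel mode or lowering the ISAKMP lifetime below 300 seconds produces the two failure modes the section's notes warn about.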