Table Of Contents
Configuring Tunnel Groups, Group Policies, and Users
Overview of Tunnel Groups, Group Policies, and Users
Tunnel Groups
General Tunnel-Group Connection Parameters
IPSec Tunnel-Group Connection Parameters
WebVPN Tunnel-Group Connection Parameters
Configuring Tunnel Groups
Default IPSec Remote Access Tunnel Group Configuration
Configuring IPSec Tunnel-Group General Attributes
Configuring IPSec Remote-Access Tunnel Groups
Specifying a Name and Type for the IPSec Remote Access Tunnel Group
Configuring IPSec Remote-Access Tunnel Group General Attributes
Configuring IPSec Remote-Access Tunnel Group IPSec Attributes
Configuring IPSec Remote-Access Tunnel Group PPP Attributes
Configuring LAN-to-LAN Tunnel Groups
Default LAN-to-LAN Tunnel Group Configuration
Specifying a Name and Type for a LAN-to-LAN Tunnel Group
Configuring LAN-to-LAN Tunnel Group General Attributes
Configuring LAN-to-LAN IPSec Attributes
Configuring WebVPN Tunnel Groups
Specifying a Name and Type for a WebVPN Tunnel Group
Configuring WebVPN Tunnel-Group General Attributes
Configuring WebVPN Tunnel-Group WebVPN Attributes
Customizing Login Windows for WebVPN Users
Configuring Microsoft Active Directory Settings for Password Management
Using Active Directory to Force the User to Change Password at Next Logon
Using Active Directory to Specify Maximum Password Age
Using Active Directory to Override an Account Disabled AAA Indicator
Using Active Directory to Enforce Minimum Password Length
Using Active Directory to Enforce Password Complexity
Group Policies
Default Group Policy
Configuring Group Policies
Configuring an External Group Policy
Configuring an Internal Group Policy
Configuring Group Policy Attributes
Configuring WINS and DNS Servers
Configuring VPN-Specific Attributes
Configuring Security Attributes
Configuring the Banner Message
Configuring IPSec-UDP Attributes
Configuring Split-Tunneling Attributes
Configuring Domain Attributes for Tunneling
Configuring Attributes for VPN Hardware Clients
Configuring Backup Server Attributes
Configuring Microsoft Internet Explorer Client Parameters
Configuring Network Admission Control Parameters
Configuring Address Pools
Configuring Firewall Policies
Configuring Client Access Rules
Configuring Group-Policy WebVPN Attributes
Configuring User Attributes
Viewing the Username Configuration
Configuring Attributes for Specific Users
Setting a User Password and Privilege Level
Configuring User Attributes
Configuring VPN User Attributes
Configuring WebVPN for Specific Users
Configuring Tunnel Groups, Group Policies, and Users
This chapter describes how to configure VPN tunnel groups, group policies, and users. This chapter includes the following sections.
• Overview of Tunnel Groups, Group Policies, and Users
• Configuring Tunnel Groups
• Group Policies
• Configuring User Attributes
In summary, you first configure tunnel groups to set the values for the connection. Then you configure group policies. These set values for users in the aggregate. Then you configure users, which can inherit values from groups and configure certain values on an individual user basis. This chapter describes how and why to configure these entities.
Overview of Tunnel Groups, Group Policies, and Users
Groups and users are core concepts in managing the security of virtual private networks (VPNs) and in configuring the security appliance. They specify attributes that determine user access to and use of the VPN. A group is a collection of users treated as a single entity. Users get their attributes from group policies. Tunnel groups identify the group policy for a specific connection. If you do not assign a particular group policy to a user, the default group policy for the connection applies.
Tunnel groups and group policies simplify system management. To streamline the configuration task, the security appliance provides a default LAN-to-LAN tunnel group, a default remote access tunnel group, a default WebVPN tunnel group, and a default group policy (DfltGrpPolicy). The default tunnel groups and group policy provide settings that are likely to be common for many users. As you add users, you can specify that they "inherit" parameters from a group policy. Thus you can quickly configure VPN access for large numbers of users.
If you decide to grant identical rights to all VPN users, then you do not need to configure specific tunnel groups or group policies, but VPNs seldom work that way. For example, you might allow a finance group to access one part of a private network, a customer support group to access another part, and an MIS group to access other parts. In addition, you might allow specific users within MIS to access systems that other MIS users cannot access. Tunnel groups and group policies provide the flexibility to do so securely.
Note
The security appliance also includes the concept of object groups, which are a superset of network lists. Object groups let you define VPN access to ports as well as networks. Object groups relate to ACLs rather than to group policies and tunnel groups. For more information about using object groups, see Chapter 16, "Identifying Traffic with Access Lists."
Tunnel Groups
A tunnel group consists of a set of records that determines tunnel connection policies. These records identify the servers to which the tunnel user is authenticated, as well as the accounting servers, if any, to which connection information is sent. They also identify a default group policy for the connection, and they contain protocol-specific connection parameters. Tunnel groups include a small number of attributes that pertain to creating the tunnel itself. Tunnel groups include a pointer to a group policy that defines user-oriented attributes.
The security appliance provides the following default tunnel groups: DefaultL2Lgroup for LAN-to-LAN connections, DefaultRAgroup for remote access connections, and DefaultWEBVPNGroup for WebVPN connections. You can modify these default tunnel groups, but you cannot delete them. You can also create one or more tunnel groups specific to your environment. Tunnel groups are local to the security appliance and are not configurable on external servers.
Tunnel groups specify the following attributes:
• General Tunnel-Group Connection Parameters
• IPSec Tunnel-Group Connection Parameters
• WebVPN Tunnel-Group Connection Parameters
General Tunnel-Group Connection Parameters
General parameters are common to both IPSec and WebVPN connections. The general parameters include the following:
• Tunnel group name—You specify a tunnel-group name when you add or edit a tunnel group. The following considerations apply:
– For clients that use preshared keys to authenticate, the tunnel group name is the same as the group name that an IPSec client passes to the security appliance.
– Clients that use certificates to authenticate pass this name as part of the certificate, and the security appliance extracts the name from the certificate.
• Connection type—Connection types include IPSec remote access, IPSec LAN-to-LAN, and WebVPN. A tunnel group can have only one connection type.
• Authentication, Authorization, and Accounting servers—These parameters identify the server groups or lists that the security appliance uses for the following purposes:
– Authenticating users
– Obtaining information about services users are authorized to access
– Storing accounting records
A server group can consist of one or more servers.
• Default group policy for the connection—A group policy is a set of user-oriented attributes. The default group policy is the group policy whose attributes the security appliance uses as defaults when authenticating or authorizing a tunnel user.
• Client address assignment method—This method includes values for one or more DHCP servers or address pools that the security appliance assigns to clients.
• Override account disabled—This parameter lets you override the "account-disabled" indicator received from a AAA server.
• Password management—This parameter lets you warn a user that the current password is due to expire in a specified number of days (the default is 14 days), then offer the user the opportunity to change the password.
• Strip group and strip realm—These parameters direct the way the security appliance processes the usernames it receives. They apply only to usernames received in the form user@realm. A realm is an administrative domain appended to a username with the @ delimiter (user@abc).
When you specify the strip-group command, the security appliance selects the tunnel group for user connections by obtaining the group name from the username presented by the VPN client. The security appliance then sends only the user part of the username for authorization/authentication. Otherwise (if disabled), the security appliance sends the entire username, including the realm.
Strip-realm processing removes the realm from the username when sending the username to the authentication or authorization server. If the command is enabled, the security appliance sends only the user part of the username for authorization/authentication. Otherwise, the security appliance sends the entire username.
• Authorization required—This parameter lets you require authorization before a user can connect, or turn off that requirement.
• Authorization DN attributes—This parameter specifies which Distinguished Name attributes to use when performing authorization.
IPSec Tunnel-Group Connection Parameters
IPSec parameters include the following:
• A client authentication method: preshared keys, certificates, or both.
– For IKE connections based on preshared keys, the alphanumeric key itself (up to 128 characters long), associated with the connection policy.
– Peer-ID validation requirement—This parameter specifies whether to require validating the identity of the peer using the peer's certificate.
• An extended hybrid authentication method: XAUTH and hybrid XAUTH.
You use the isakmp ikev1-user-authentication command to implement hybrid XAUTH authentication when you need to use digital certificates for security appliance authentication and a different, legacy method for remote VPN user authentication, such as RADIUS, TACACS+ or SecurID.
• ISAKMP (IKE) keepalive settings. This feature lets the security appliance monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the security appliance removes the connection. Enabling IKE keepalives prevents hung connections when the IKE peer loses connectivity.
There are various forms of IKE keepalives. For this feature to work, both the security appliance and its remote peer must support a common form. This feature works with the following peers:
– Cisco VPN client (Release 3.0 and above)
– Cisco VPN 3000 Client (Release 2.x)
– Cisco VPN 3002 Hardware Client
– Cisco VPN 3000 Series Concentrators
– Cisco IOS software
– Cisco Secure PIX Firewall
Non-Cisco VPN clients do not support IKE keepalives.
If you are configuring a group of mixed peers, and some of those peers support IKE keepalives and others do not, enable IKE keepalives for the entire group. The feature does not affect the peers that do not support it.
If you disable IKE keepalives, connections with unresponsive peers remain active until they time out, so we recommend that you keep your idle timeout short. To change your idle timeout, see the "Configuring Group Policies" section.
Note
To reduce connectivity costs, disable IKE keepalives if this group includes any clients connecting via ISDN lines. ISDN connections normally disconnect if idle, but the IKE keepalive mechanism prevents connections from idling and therefore from disconnecting.
If you do disable IKE keepalives, the client disconnects only when either its IKE or IPSec keys expire. Failed traffic does not disconnect the tunnel with the Peer Timeout Profile values as it does when IKE keepalives are enabled.
Note
If you have a LAN-to-LAN configuration using IKE main mode, make sure that the two peers have the same IKE keepalive configuration. Both peers must have IKE keepalives enabled or both peers must have it disabled.
• If you configure authentication using digital certificates, you can specify whether to send the entire certificate chain (which sends the peer the identity certificate and all issuing certificates) or just the issuing certificates (including the root certificate and any subordinate CA certificates).
• You can notify users who are using outdated versions of Windows client software that they need to update their client, and you can provide a mechanism for them to get the updated client version. For VPN 3002 hardware client users, you can trigger an automatic update. You can configure and change the client-update, either for all tunnel groups or for particular tunnel groups.
• If you configure authentication using digital certificates, you can specify the name of the trustpoint that identifies the certificate to send to the IKE peer.
WebVPN Tunnel-Group Connection Parameters
The following attributes are specific to WebVPN connections:
• The authentication method, either AAA or certificate.
• The name of the customization to apply. Customizations determine the appearance of the windows that the user sees upon login. You configure the customization parameters as part of configuring WebVPN.
• The DNS server-group name. The DNS server group specifies the DNS server name, domain name, name server, number of retries, and timeout values for a DNS server to use for a tunnel group.
• One or more group aliases; these are alternate names by which the server can refer to a tunnel group. At login, the user selects the group name from a dropdown menu.
• One or more group URLs. If you configure this parameter, users coming in on a specified URL need not select a group at login.
• A group policy that grants a WebVPN user access rights that are different from the default group policy.
• The name of the NetBIOS Name Service server (nbns-server) to use for CIFS name resolution.
Configuring Tunnel Groups
The following sections describe the contents and configuration of tunnel groups:
• Default IPSec Remote Access Tunnel Group Configuration
• Specifying a Name and Type for the IPSec Remote Access Tunnel Group
• Configuring IPSec Remote-Access Tunnel Groups
• Configuring LAN-to-LAN Tunnel Groups
• Configuring WebVPN Tunnel Groups
• Customizing Login Windows for WebVPN Users
You can modify the default tunnel groups, and you can configure a new tunnel group as any of the three tunnel-group types. If you don't explicitly configure an attribute in a tunnel group, that attribute gets its value from the default tunnel group. The default tunnel-group type is ipsec-ra. The subsequent parameters depend upon your choice of tunnel type. To see the current configured and default configuration of all your tunnel groups, including the default tunnel group, enter the show running-config all tunnel-group command.
Default IPSec Remote Access Tunnel Group Configuration
The contents of the default remote-access tunnel group are as follows:
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
authentication-server-group LOCAL
no authorization-server-group
no accounting-server-group
default-group-policy DfltGrpPolicy
no nac-authentication-server-group
no override-account-disable
no authorization-required
authorization-dn-attributes CN OU
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 100 retry 2
isakmp ikev1-user-authentication xauth
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
Configuring IPSec Tunnel-Group General Attributes
The general attributes are common across more than one tunnel-group type. IPSec remote access and WebVPN tunnels share most of the same general attributes. IPSec LAN-to-LAN tunnels use a subset. Refer to the Cisco Security Appliance Command Reference for complete descriptions of all commands. The following sections describe, in order, how to configure IPSec remote-access tunnel groups, IPSec LAN-to-LAN tunnel groups, and WebVPN tunnel groups.
Configuring IPSec Remote-Access Tunnel Groups
Use an IPSec remote-access tunnel group when setting up a connection between a remote client and a central-site security appliance, using a hardware or software client. To configure an IPSec remote-access tunnel group, first configure the tunnel-group general attributes, then the IPSec remote-access attributes. An IPSec Remote Access VPN tunnel group applies only to remote-access IPSec client connections. To configure an IPSec remote-access tunnel group, see the following sections:
• Specifying a Name and Type for the IPSec Remote Access Tunnel Group
• Configuring IPSec Remote-Access Tunnel Group General Attributes
• Configuring IPSec Remote-Access Tunnel Group IPSec Attributes
Specifying a Name and Type for the IPSec Remote Access Tunnel Group
Create the tunnel group, specifying its name and type, by entering the tunnel-group command. For an IPSec remote-access tunnel, the type is ipsec-ra:
hostname(config)# tunnel-group tunnel_group_name type ipsec-ra
For example, to create an IPSec remote-access tunnel-group named TunnelGroup1, enter the following command:
hostname(config)# tunnel-group TunnelGroup1 type ipsec-ra
Configuring IPSec Remote-Access Tunnel Group General Attributes
To configure or change the tunnel group general attributes, specify the parameters in the following steps.
Step 1
To configure the general attributes, enter the tunnel-group general-attributes command, which enters tunnel-group general-attributes configuration mode. The prompt changes to indicate the change in mode.
hostname(config)# tunnel-group tunnel_group_name general-attributes
hostname(config-tunnel-general)#
Step 2
Specify the name of the authentication-server group, if any, to use. If you want to use the LOCAL database for authentication if the specified server group fails, append the keyword LOCAL:
hostname(config-tunnel-general)# authentication-server-group [(interface_name)] groupname [LOCAL]
hostname(config-tunnel-general)#
You can optionally configure interface-specific authentication by including the name of an interface after the group name. The interface name, which specifies where the IPSec tunnel terminates, must be enclosed in parentheses. The following command configures interface-specific authentication for the interface named test using the server named servergroup1 for authentication:
hostname(config-tunnel-general)# authentication-server-group (test) servergroup1
hostname(config-tunnel-general)#
Step 3
Specify the name of the authorization-server group, if any, to use. When you configure this value, users must exist in the authorization database to connect:
hostname(config-tunnel-general)# authorization-server-group groupname
hostname(config-tunnel-general)#
For example, the following command specifies the use of the authorization-server group FinGroup:
hostname(config-tunnel-general)# authorization-server-group FinGroup
hostname(config-tunnel-general)#
Step 4
Specify the name of the accounting-server group, if any, to use:
hostname(config-tunnel-general)# accounting-server-group groupname
hostname(config-tunnel-general)#
For example, the following command specifies the use of the accounting-server group named comptroller:
hostname(config-tunnel-general)# accounting-server-group comptroller
hostname(config-tunnel-general)#
Step 5
Specify the name of the default group policy:
hostname(config-tunnel-general)# default-group-policy policyname
hostname(config-tunnel-general)#
The following example sets DfltGrpPolicy as the name of the default group policy:
hostname(config-tunnel-general)# default-group-policy DfltGrpPolicy
hostname(config-tunnel-general)#
Step 6
Specify the names or IP addresses of the DHCP server (up to 10 servers), and the names of the DHCP address pools (up to 6 pools). The defaults are no DHCP server and no address pool.
hostname(config-tunnel-general)# dhcp-server server1 [...server10]
hostname(config-tunnel-general)# address-pool [(interface name)] address_pool1 [...address_pool6]
hostname(config-tunnel-general)#
Note
The interface name must be enclosed in parentheses.
You configure address pools with the ip local pool command in global configuration mode.
Step 7
Specify the name of the NAC authentication server group, if you are using Network Admission Control, to identify the group of authentication servers to be used for Network Admission Control posture validation. Configure at least one Access Control Server to support NAC. Use the aaa-server command to name the ACS group. Then use the nac-authentication-server-group command, using the same name for the server group.
The following example identifies acs-group1 as the authentication server group to be used for NAC posture validation:
hostname(config-tunnel-general)# nac-authentication-server-group acs-group1
hostname(config-tunnel-general)#
The following example inherits the authentication server group from the default remote access group.
hostname(config-tunnel-general)# no nac-authentication-server-group
hostname(config-tunnel-general)#
Note
NAC requires a Cisco Trust Agent on the remote host.
Step 8
Specify whether to strip the group or the realm from the username before passing it on to the AAA server. The default is not to strip either the group name or the realm.
hostname(config-tunnel-general)# strip-group
hostname(config-tunnel-general)# strip-realm
hostname(config-tunnel-general)#
A realm is an administrative domain. If you strip the realm, the security appliance uses the username and the group (if present) for authentication. If you strip the group, the security appliance uses the username and the realm (if present) for authentication. Enter the strip-realm command to remove the realm qualifier, and use the strip-group command to remove the group qualifier from the username during authentication. If you remove both qualifiers, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm or username<delimiter>group string. You must specify strip-realm if your server is unable to parse delimiters.
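The strip-group and strip-realm processing described under "Strip group and strip realm" earlier in this chapter and in this step can be modelled in a few lines. The following Python script is an added example, not Cisco code and not the security appliance's implementation: it parses a presented username into user, group and realm parts and shows what reaches the AAA server under each combination of the two commands. The group delimiter character ('#'), the handling of a name that carries both a group and a realm, and the use of DefaultRAGroup as the fallback tunnel group are assumptions made for the example; the sample usernames are constructed.

```python
"""Model of strip-group / strip-realm username processing (added example, not Cisco code).

Assumptions not stated on the page: the group qualifier delimiter defaults to '#',
and when a name carries both qualifiers the realm is whatever follows the last '@'.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ParsedUsername:
    user: str
    group: Optional[str]  # group qualifier (user<delimiter>group), None if absent
    realm: Optional[str]  # administrative domain (user@realm), None if absent


def parse_username(presented: str, group_delim: str = "#") -> ParsedUsername:
    """Split 'user<delim>group@realm' into its parts; absent parts are None."""
    body, realm = presented, None
    if "@" in body:
        body, realm = body.rsplit("@", 1)  # realm follows the last '@' (assumption)
        realm = realm or None
    group = None
    if group_delim and group_delim in body:
        body, group = body.split(group_delim, 1)
        group = group or None
    return ParsedUsername(user=body, group=group, realm=realm)


def aaa_username(parsed: ParsedUsername, strip_group: bool, strip_realm: bool,
                 group_delim: str = "#") -> str:
    """Rebuild the name forwarded to the AAA server under the two strip settings.

    Default (neither command set): the full username is sent. strip-group drops the
    group qualifier, strip-realm drops '@realm'; with both set only the user part goes.
    """
    name = parsed.user
    if parsed.group is not None and not strip_group:
        name = f"{name}{group_delim}{parsed.group}"
    if parsed.realm is not None and not strip_realm:
        name = f"{name}@{parsed.realm}"
    return name


def select_tunnel_group(parsed: ParsedUsername, strip_group: bool,
                        default_group: str = "DefaultRAGroup") -> str:
    """With strip-group, the group name carried in the username selects the tunnel group;
    otherwise the default remote-access tunnel group applies."""
    if strip_group and parsed.group is not None:
        return parsed.group
    return default_group


if __name__ == "__main__":
    # Constructed sample usernames, not captured from a real client.
    for presented in ("alice@abc", "bob#finance@abc", "carol#mis", "dave"):
        p = parse_username(presented)
        print(f"{presented:16} tunnel-group={select_tunnel_group(p, True):14} "
              f"default={aaa_username(p, False, False):16} "
              f"strip-group={aaa_username(p, True, False):10} "
              f"strip-realm={aaa_username(p, False, True):12} "
              f"both={aaa_username(p, True, True)}")
```

The last sentence of the step is the practical reason to run such a check before enabling an authentication server: if the server cannot parse the delimiter, the full string is what it will try to look up.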
Step 9
Optionally, if your server is a RADIUS, RADIUS with NT, or LDAP server, you can enable password management.
Note
If you are using an LDAP directory server for authentication, password management is supported with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and the Microsoft Active Directory.
• Sun—The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
• Microsoft—You must configure LDAP over SSL to enable password management with Microsoft Active Directory.
See the "Setting the LDAP Server Type" section on page 13-7 for more information.
This feature, which is enabled by default, warns a user when the current password is about to expire. The default is to begin warning the user 14 days before expiration:
hostname(config-tunnel-general)# password-management
hostname(config-tunnel-general)#
If the server is an LDAP server, you can specify the number of days (0 through 180) before expiration to begin warning the user about the pending expiration:
hostname(config-tunnel-general)# password-management [password-expire-in-days n]
hostname(config-tunnel-general)#
Note
The password-management command, entered in tunnel-group general-attributes configuration mode, replaces the deprecated radius-with-expiry command that was formerly entered in tunnel-group ipsec-attributes mode.
When you configure this command, the security appliance notifies the remote user at login that the user's current password is about to expire or has expired. The security appliance then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.
Note that this does not change the number of days before the password expires, but rather, the number of days ahead of expiration that the security appliance starts warning the user that the password is about to expire.
If you do specify the password-expire-in-days keyword, you must also specify the number of days.
Specifying this command with the number of days set to 0 disables this command. The security appliance does not notify the user of the pending expiration, but the user can change the password after it expires.
See Configuring Microsoft Active Directory Settings for Password Management for more information.
Note
The radius-with-expiry command, formerly configured as part of tunnel-group ipsec-ra configuration, is deprecated. The password-management command, entered in tunnel-group general-attributes mode, replaces it.
Step 10
Optionally, configure the ability to override an account-disabled indicator from a AAA server, by entering the override-account-disable command:
hostname(config-tunnel-general)# override-account-disable
hostname(config-tunnel-general)#
Note
Allowing override-account-disable is a potential security risk.
Step 11
Specify the attribute or attributes to use in deriving a name for an authorization query from a certificate. This attribute specifies what part of the subject DN field to use as the username for authorization:
hostname(config-tunnel-general)# authorization-dn-attributes {primary-attribute [secondary-attribute] | use-entire-name}
For example, the following command specifies the use of the CN attribute as the username for authorization:
hostname(config-tunnel-general)# authorization-dn-attributes CN
hostname(config-tunnel-general)#
The authorization-dn-attributes are C (Country), CN (Common Name), DNQ (DN qualifier), EA (E-mail Address), GENQ (Generational qualifier), GN (Given Name), I (Initials), L (Locality), N (Name), O (Organization), OU (Organizational Unit), SER (Serial Number), SN (Surname), SP (State/Province), T (Title), UID (User ID), and UPN (User Principal Name).
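To see how a certificate subject DN maps to an authorization username under these keywords, the following Python script is an added example, not Cisco code and not the appliance's own logic. It parses an RFC 4514 style DN string and applies the primary-attribute, secondary-attribute or use-entire-name selection, using the attribute keyword list given above. The page does not say how a secondary attribute combines with the primary; the example treats it as a fallback used only when the primary attribute is absent from the DN, which is an assumption, as is the constructed sample DN.

```python
"""Derive an authorization username from a certificate subject DN, following the
authorization-dn-attributes keywords (added example, not Cisco code).

Assumptions: the DN is an RFC 4514 style string (comma separated, most specific RDN
first), and a secondary attribute is a fallback used only when the primary is absent.
"""
from typing import List, Optional, Tuple

# Keyword -> attribute name, as listed on this page.
DN_ATTRIBUTES = {
    "C": "Country", "CN": "Common Name", "DNQ": "DN qualifier", "EA": "E-mail Address",
    "GENQ": "Generational qualifier", "GN": "Given Name", "I": "Initials", "L": "Locality",
    "N": "Name", "O": "Organization", "OU": "Organizational Unit", "SER": "Serial Number",
    "SN": "Surname", "SP": "State/Province", "T": "Title", "UID": "User ID",
    "UPN": "User Principal Name",
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse 'CN=jdoe,OU=Finance,O=Example,C=US' into ordered (TYPE, value) pairs.

    Backslash-escaped characters (for example an escaped comma inside a value) are
    honoured; multi-valued RDNs joined with '+' are not handled.
    """
    parts, field, escaped = [], [], False
    for ch in dn:
        if escaped:
            field.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(field))
            field = []
        else:
            field.append(ch)
    parts.append("".join(field))

    pairs = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, value = part.split("=", 1)
        pairs.append((typ.strip().upper(), value.strip()))
    return pairs


def authorization_name(dn: str, primary: Optional[str] = None,
                       secondary: Optional[str] = None,
                       use_entire_name: bool = False) -> Optional[str]:
    """Return the name to use in the authorization query, or None if none can be derived.

    A None result should be treated as an authorization failure rather than
    silently falling back to some other identity.
    """
    pairs = parse_dn(dn)
    if use_entire_name:
        return ",".join(f"{t}={v}" for t, v in pairs)
    for attr in (primary, secondary):
        if attr is None:
            continue
        attr = attr.upper()
        if attr not in DN_ATTRIBUTES:
            raise ValueError(f"unknown authorization-dn-attribute {attr!r}")
        for typ, value in pairs:
            if typ == attr:
                return value
    return None


if __name__ == "__main__":
    # Constructed sample subject DN, not taken from a real certificate.
    sample_dn = "CN=jdoe,OU=Finance,O=Example Corp,C=US"
    print(authorization_name(sample_dn, "CN"))                    # jdoe
    print(authorization_name(sample_dn, "UID", "OU"))             # Finance (UID absent)
    print(authorization_name(sample_dn, use_entire_name=True))    # the whole DN
    print(authorization_name("OU=Finance,O=Example Corp", "CN"))  # None
```

The point worth keeping in mind when choosing the attribute is the last case: if the issuing CA does not populate the attribute you select, the appliance has no username to authorize, so the choice has to match what the CA actually puts in the subject.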
Step 12
Specify whether to require a successful authorization before allowing a user to connect. The default is not to require authorization.
hostname(config-tunnel-general)# authorization-required
hostname(config-tunnel-general)#
Configuring IPSec Remote-Access Tunnel Group IPSec Attributes
To configure the IPSec attributes for a remote-access tunnel group, do the following steps. The following description assumes that you have already created the IPSec remote-access tunnel group. IPSec remote-access tunnel groups have more attributes than IPSec LAN-to-LAN tunnel groups:
Step 1
To specify the attributes of an IPSec remote-access tunnel-group, enter tunnel-group ipsec-attributes mode by entering the following command. The prompt changes to indicate the mode change:
hostname(config)# tunnel-group tunnel-group-name ipsec-attributes
hostname(config-tunnel-ipsec)#
This command enters tunnel-group ipsec-attributes configuration mode, in which you configure the remote-access tunnel-group IPSec attributes.
For example, the following command designates that the tunnel-group ipsec-attributes mode commands that follow pertain to the tunnel group named TG1. Notice that the prompt changes to indicate that you are now in tunnel-group ipsec-attributes mode:
hostname(config)# tunnel-group TG1 type ipsec-ra
hostname(config)# tunnel-group TG1 ipsec-attributes
hostname(config-tunnel-ipsec)#
Step 2
Specify the preshared key to support IKE connections based on preshared keys. For example, the following command specifies the preshared key xyzx to support IKE connections for an IPSec remote access tunnel group:
hostname(config-tunnel-ipsec)# pre-shared-key xyzx
hostname(config-tunnel-ipsec)#
Step 3
Specify whether to validate the identity of the peer using the peer's certificate:
hostname(config-tunnel-ipsec)# peer-id-validate option
hostname(config-tunnel-ipsec)#
The available options are req (required), cert (if supported by certificate), and nocheck (do not check). The default is req.
For example, the following command specifies that peer-id validation is required:
hostname(config-tunnel-ipsec)# peer-id-validate req
hostname(config-tunnel-ipsec)#
Step 4
Specify whether to
Step 5
Specify whether to enable sending of a certificate chain. The following command includes the root certificate and any subordinate CA certificates in the transmission:
hostname(config-tunnel-ipsec)# chain
hostname(config-tunnel-ipsec)#
This attribute applies to all IPSec tunnel-group types.
Step 6
Specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer:
hostname(config-tunnel-ipsec)# trust-point trust-point-name
hostname(config-tunnel-ipsec)#
The following command specifies mytrustpoint as the trustpoint that identifies the certificate to be sent to the IKE peer:
hostname(config-tunnel-ipsec)# trust-point mytrustpoint
Step 7
Specify the ISAKMP (IKE) keepalive threshold and the number of retries allowed.
hostname(config-tunnel-ipsec)# isakmp keepalive threshold <number> retry <number>
hostname(config-tunnel-ipsec)#
The threshold parameter specifies the number of seconds (10 through 3600) that the peer is allowed to idle before beginning keepalive monitoring. The retry parameter is the interval (2 through 10 seconds) between retries after a keepalive response has not been received. IKE keepalives are enabled by default. To disable IKE keepalives, enter the no form of the isakmp keepalive command.
For example, the following command sets the IKE keepalive threshold value to 15 seconds and sets the retry interval to 10 seconds:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10
hostname(config-tunnel-ipsec)#
The default value for the threshold parameter is 300 for remote-access and 10 for LAN-to-LAN, and the default value for the retry parameter is 2.
To specify that the central site ("head end") should never initiate ISAKMP monitoring, enter the following command:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold infinite
hostname(config-tunnel-ipsec)#
Step 8
Specify the ISAKMP hybrid authentication method, XAUTH or hybrid XAUTH.
You use the isakmp ikev1-user-authentication command to implement hybrid XAUTH authentication when you need to use digital certificates for security appliance authentication and a different, legacy method for remote VPN user authentication, such as RADIUS, TACACS+ or SecurID. Hybrid XAUTH breaks phase 1 of IKE down into the following two steps, together called hybrid authentication:
a.
The security appliance authenticates to the remote VPN user with standard public key techniques. This establishes an IKE security association that is unidirectionally authenticated.
b.
An XAUTH exchange then authenticates the remote VPN user. This extended authentication can use one of the supported legacy authentication methods.
Note
Before the authentication type can be set to hybrid, you must configure the authentication server, create a preshared key, and configure a trustpoint.
You can use the isakmp ikev1-user-authentication command with the optional interface parameter to specify a particular interface. When you omit the interface parameter, the command applies to all the interfaces and serves as a back-up when the per-interface command is not specified. When there are two isakmp ikev1-user-authentication commands specified for a tunnel group, and one uses the interface parameter and one does not, the one specifying the interface takes precedence for that particular interface.
For example, the following commands enable hybrid XAUTH on the inside interface for a tunnel group called example-group:
hostname(config)# tunnel-group example-group type ipsec-ra
hostname(config)# tunnel-group example-group ipsec-attributes
hostname(config-tunnel-ipsec)# isakmp ikev1-user-authentication (inside) hybrid
hostname(config-tunnel-ipsec)#
Configuring IPSec Remote-Access Tunnel Group PPP Attributes
To configure the Point-to-Point Protocol attributes for a remote-access tunnel group, do the following steps. PPP attributes apply only to IPSec remote-access tunnel groups. The following description assumes that you have already created the IPSec remote-access tunnel group.
Step 1
Enter tunnel-group ppp-attributes configuration mode, in which you configure the remote-access tunnel-group PPP attributes, by entering the following command. The prompt changes to indicate the mode change:
hostname(config)# tunnel-group tunnel-group-name type ipsec-ra
hostname(config)# tunnel-group tunnel-group-name ppp-attributes
hostname(config-tunnel-ppp)#
For example, the following command designates that the tunnel-group ppp-attributes mode commands that follow pertain to the tunnel group named TG1. Notice that the prompt changes to indicate that you are now in tunnel-group ppp-attributes mode:
hostname(config)# tunnel-group TG1 type ipsec-ra
hostname(config)# tunnel-group TG1 ppp-attributes
hostname(config-tunnel-ppp)#
Step 2
Specify whether to enable authentication using specific protocols for the PPP connection. The protocol value can be:
• pap—Enables the use of Password Authentication Protocol for the PPP connection.
• chap—Enables the use of Challenge Handshake Authentication Protocol for the PPP connection.
• ms-chap-v1 or ms-chap-v2—Enables the use of Microsoft Challenge Handshake Authentication Protocol, version 1 or version 2, for the PPP connection.
• eap—Enables the use of Extensible Authentication Protocol for the PPP connection.
CHAP and MSCHAPv1 are enabled by default.
The syntax of this command is:
hostname(config-tunnel-ppp)# authentication protocol
hostname(config-tunnel-ppp)#
To disable authentication for a specific protocol, use the no form of the command:
hostname(config-tunnel-ppp)# no authentication protocol
hostname(config-tunnel-ppp)#
For example, the following command enables the use of the PAP protocol for a PPP connection.
hostname(config-tunnel-ppp)# authentication pap
hostname(config-tunnel-ppp)#
The following command enables the use of the MS-CHAP, version 2 protocol for a PPP connection:
hostname(config-tunnel-ppp)# authentication ms-chap-v2
hostname(config-tunnel-ppp)#
The following command enables the use of the EAP-PROXY protocol for a PPP connection:
hostname(config-tunnel-ppp)# authentication eap-proxy
hostname(config-tunnel-ppp)#
The following command disables the use of the MS-CHAP, version 1 protocol for a PPP connection:
hostname(config-tunnel-ppp)# no authentication ms-chap-v1
hostname(config-tunnel-ppp)#
Configuring LAN-to-LAN Tunnel Groups
An IPSec LAN-to-LAN VPN tunnel group applies only to LAN-to-LAN IPSec client connections. While many of the parameters that you configure are the same as for IPSec remote-access tunnel groups, LAN-to-LAN tunnels have fewer parameters. To configure a LAN-to-LAN tunnel group, follow the steps in this section.
Default LAN-to-LAN Tunnel Group Configuration
The contents of the default LAN-to-LAN tunnel group are as follows:
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
LAN-to-LAN tunnel groups have fewer parameters than remote-access tunnel groups, and most of these are the same for both groups. For your convenience in configuring the connection, they are listed separately here. Any parameters that you do not explicitly configure inherit their values from the default tunnel group.
Specifying a Name and Type for a LAN-to-LAN Tunnel Group
To specify a name and a type for a tunnel group, enter the tunnel-group command, as follows:
hostname(config)# tunnel-group tunnel_group_name type tunnel_type
For a LAN-to-LAN tunnel group, the type is ipsec-l2l. For example, to create the LAN-to-LAN tunnel group named docs, enter the following command:
hostname(config)# tunnel-group docs type ipsec-l2l
Configuring LAN-to-LAN Tunnel Group General Attributes
To configure the tunnel group general attributes, do the following steps:
Step 1
Enter tunnel-group general-attributes mode by specifying the general-attributes keyword:
hostname(config)# tunnel-group tunnel-group-name general-attributes
hostname(config-tunnel-general)#
The prompt changes to indicate that you are now in tunnel-group general-attributes mode, in which you configure the tunnel-group general attributes.
For example, for the tunnel group named docs, enter the following command:
hostname(config)# tunnel-group docs general-attributes
hostname(config-tunnel-general)#
Step 2
Specify the name of the accounting-server group, if any, to use:
hostname(config-tunnel-general)# accounting-server-group groupname
hostname(config-tunnel-general)#
For example, the following command specifies the use of the accounting-server group acctgserv1:
hostname(config-tunnel-general)# accounting-server-group acctgserv1
hostname(config-tunnel-general)#
Step 3
Specify the name of the default group policy:
hostname(config-tunnel-general)# default-group-policy policyname
hostname(config-tunnel-general)#
For example, the following command specifies that the name of the default group policy is MyPolicy:
hostname(config-tunnel-general)# default-group-policy MyPolicy
hostname(config-tunnel-general)#
Configuring LAN-to-LAN IPSec Attributes
To configure the IPSec attributes, do the following steps:
Step 1
To configure the tunnel-group IPSec attributes, enter tunnel-group ipsec-attributes configuration mode by entering the tunnel-group command with the ipsec-attributes keyword:
hostname(config)# tunnel-group tunnel-group-name ipsec-attributes
hostname(config-tunnel-ipsec)#
For example, the following command enters config-ipsec mode so you can configure the parameters for the tunnel group named TG1:
hostname(config)# tunnel-group TG1 ipsec-attributes
hostname(config-tunnel-ipsec)#
The prompt changes to indicate that you are now in tunnel-group ipsec-attributes configuration mode.
Step 2
Specify the preshared key to support IKE connections based on preshared keys.
hostname(config-tunnel-ipsec)# pre-shared-key key
hostname(config-tunnel-ipsec)#
For example, the following command specifies the preshared key xyzx to support IKE connections for an IPSec LAN-to-LAN tunnel group:
hostname(config-tunnel-ipsec)# pre-shared-key xyzx
hostname(config-tunnel-ipsec)#
Step 3
Specify whether to validate the identity of the peer using the peer's certificate:
hostname(config-tunnel-ipsec)# peer-id-validate option
hostname(config-tunnel-ipsec)#
The available options are req (required), cert (if supported by certificate), and nocheck (do not check). The default is req. For example, the following command sets the peer-id-validate option to nocheck:
hostname(config-tunnel-ipsec)# peer-id-validate nocheck
hostname(config-tunnel-ipsec)#
Step 4
Specify whether to enable sending of a certificate chain. This action includes the root certificate and any subordinate CA certificates in the transmission:
hostname(config-tunnel-ipsec)# chain
hostname(config-tunnel-ipsec)#
You can apply this attribute to all tunnel-group types.
Step 5
Specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer:
hostname(config-tunnel-ipsec)# trust-point trust-point-name
hostname(config-tunnel-ipsec)#
For example, the following command sets the trustpoint name to mytrustpoint:
hostname(config-tunnel-ipsec)# trust-point mytrustpoint
hostname(config-tunnel-ipsec)#
You can apply this attribute to all tunnel-group types.
Step 6
Specify the ISAKMP (IKE) keepalive threshold and the number of retries allowed. The threshold parameter specifies the number of seconds (10 through 3600) that the peer is allowed to idle before keepalive monitoring begins. The retry parameter is the interval (2 through 10 seconds) between retries after a keepalive response has not been received. IKE keepalives are enabled by default; to disable them, enter the no form of the isakmp keepalive command. The syntax is:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold number retry number
hostname(config-tunnel-ipsec)#
For example, the following command sets the ISAKMP keepalive threshold to 15 seconds and sets the retry interval to 10 seconds:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10
hostname(config-tunnel-ipsec)#
The default value for the threshold parameter for LAN-to-LAN is 10, and the default value for the retry parameter is 2.
To specify that the central site ("head end") should never initiate ISAKMP monitoring, enter the following command:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold infinite
hostname(config-tunnel-ipsec)#
Step 7
Specify the ISAKMP hybrid authentication method, XAUTH or hybrid XAUTH.
Use the isakmp ikev1-user-authentication command to implement hybrid XAUTH authentication when you need to use digital certificates for security appliance authentication and a different, legacy method, such as RADIUS, TACACS+ or SecurID, for remote VPN user authentication. Hybrid XAUTH breaks IKE phase 1 into the following two steps, together called hybrid authentication:
a. The security appliance authenticates to the remote VPN user with standard public key techniques. This establishes an IKE security association that is authenticated in one direction only.
b. An XAUTH exchange then authenticates the remote VPN user. This extended authentication can use one of the supported legacy authentication methods.
Note
Before the authentication type can be set to hybrid, you must configure the authentication server, create a preshared key, and configure a trustpoint.
You can use the isakmp ikev1-user-authentication command with the optional interface parameter to specify a particular interface. When you omit the interface parameter, the command applies to all the interfaces and serves as a back-up when the per-interface command is not specified. When there are two isakmp ikev1-user-authentication commands specified for a tunnel group, and one uses the interface parameter and one does not, the one specifying the interface takes precedence for that particular interface.
For example, the following commands enable hybrid XAUTH on the inside interface for a tunnel group called example-group:
hostname(config)# tunnel-group example-group type ipsec-ra
hostname(config)# tunnel-group example-group ipsec-attributes
hostname(config-tunnel-ipsec)# isakmp ikev1-user-authentication (inside) hybrid
hostname(config-tunnel-ipsec)#
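A defender-side check covering the PPP authentication step above (pap, chap, ms-chap-v1, ms-chap-v2) and the LAN-to-LAN IPSec attribute steps (preshared key, peer-id-validate, ISAKMP keepalive): the following Python script is an added example, not Cisco code. It parses the tunnel-group sub-mode blocks out of a running-config style text and flags the weaker choices this chapter describes: PAP or MS-CHAP v1 enabled for a remote-access group (CHAP and MS-CHAP v1 are the defaults, so a group with no explicit ppp-attributes block is flagged too), peer-id-validate nocheck, and an infinite keepalive threshold. The configuration text in SAMPLE_CONFIG is constructed for the example, and it assumes the usual show running-config layout in which sub-mode lines are indented one space under their tunnel-group line.

```python
"""Audit ASA-style tunnel-group configuration for weaker settings.

Added example, not Cisco code. Parses the sub-mode lines that follow
'tunnel-group NAME ppp-attributes' and 'tunnel-group NAME ipsec-attributes'
and reports: PAP or MS-CHAP v1 enabled for PPP (remote-access groups only),
'peer-id-validate nocheck', and 'isakmp keepalive threshold infinite'.
Assumption: sub-mode lines are indented, as in show running-config output.
"""
import re

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
tunnel-group TG1 type ipsec-ra
tunnel-group TG1 ppp-attributes
 authentication pap
 authentication ms-chap-v2
 no authentication ms-chap-v1
tunnel-group docs type ipsec-l2l
tunnel-group docs general-attributes
 default-group-policy MyPolicy
tunnel-group docs ipsec-attributes
 pre-shared-key xyzx
 peer-id-validate nocheck
 isakmp keepalive threshold infinite
tunnel-group branch type ipsec-l2l
tunnel-group branch ipsec-attributes
 pre-shared-key abcd
 isakmp keepalive threshold 15 retry 10
"""

# Matches 'tunnel-group NAME type TYPE' or 'tunnel-group NAME <sub-mode>'.
HEADER = re.compile(
    r"^tunnel-group\s+(\S+)\s+"
    r"(type|general-attributes|ipsec-attributes|ppp-attributes|webvpn-attributes)"
    r"(?:\s+(\S+))?\s*$"
)

# Per the chapter, CHAP and MS-CHAP v1 are enabled by default for PPP.
PPP_DEFAULTS = frozenset({"chap", "ms-chap-v1"})
PPP_WEAK = frozenset({"pap", "ms-chap-v1"})


def _new_group():
    return {"type": None, "ppp": set(PPP_DEFAULTS), "ipsec": {}}


def parse_tunnel_groups(text):
    """Return {name: {"type": str|None, "ppp": set of protocols, "ipsec": dict}}."""
    groups = {}
    section = None  # (name, sub-mode) currently open, or None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = HEADER.match(line)
        if m:
            name, mode, arg = m.groups()
            group = groups.setdefault(name, _new_group())
            if mode == "type":
                group["type"] = arg
                section = None
            else:
                section = (name, mode)
            continue
        if not raw.startswith(" "):
            section = None  # an unindented line ends the current sub-mode block
            continue
        if section is None:
            continue
        name, mode = section
        group = groups[name]
        words = line.split()
        if mode == "ppp-attributes":
            if words[0] == "authentication" and len(words) == 2:
                group["ppp"].add(words[1])
            elif words[:2] == ["no", "authentication"] and len(words) == 3:
                group["ppp"].discard(words[2])
        elif mode == "ipsec-attributes":
            if words[0] == "peer-id-validate" and len(words) == 2:
                group["ipsec"]["peer-id-validate"] = words[1]
            elif words[:3] == ["isakmp", "keepalive", "threshold"] and len(words) >= 4:
                group["ipsec"]["keepalive-threshold"] = words[3]
    return groups


def audit(groups):
    """Return a list of (group_name, finding) tuples, ordered by group name."""
    findings = []
    for name, group in sorted(groups.items()):
        # PPP attributes apply only to IPSec remote-access tunnel groups.
        if group["type"] == "ipsec-ra":
            for proto in sorted(group["ppp"] & PPP_WEAK):
                findings.append((name, f"PPP authentication {proto} is enabled"))
        ipsec = group["ipsec"]
        if ipsec.get("peer-id-validate") == "nocheck":
            findings.append((name, "peer-id-validate nocheck: peer identity is not checked against its certificate"))
        if ipsec.get("keepalive-threshold") == "infinite":
            findings.append((name, "isakmp keepalive threshold infinite: head end never initiates keepalive monitoring"))
    return findings


if __name__ == "__main__":
    for group_name, finding in audit(parse_tunnel_groups(SAMPLE_CONFIG)):
        print(f"{group_name}: {finding}")
```

Run against the constructed sample, the script reports PAP on TG1 (the explicit no authentication ms-chap-v1 clears that default) and both the nocheck and infinite settings on docs; branch produces no findings. Point it at a saved show running-config to review every tunnel group at once instead of one sub-mode at a time.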
Configuring WebVPN Tunnel Groups
A WebVPN tunnel group applies only to WebVPN connections. The tunnel-group general attributes for WebVPN tunnel groups are the same as those of IPSec remote-access tunnel groups, except that the tunnel-group type is webvpn and the strip-group and strip-realm commands do not apply. You define the WebVPN-specific attributes separately. The following sections describe how to configure WebVPN tunnel groups.
Specifying a Name and Type for a WebVPN Tunnel Group
Create the tunnel group, specifying its name and type, by entering the tunnel-group command in global configuration mode. For a WebVPN tunnel group, the type is webvpn:
hostname(config)# tunnel-group tunnel_group_name type webvpn
For example, to create a WebVPN tunnel-group named TunnelGroup3, enter the following command:
hostname(config)# tunnel-group TunnelGroup3 type webvpn
Configuring WebVPN Tunnel-Group General Attributes
To configure or change the tunnel group general attributes, specify the parameters in the following steps.
Step 1
To configure the general attributes, enter the tunnel-group general-attributes command, which enters tunnel-group general-attributes configuration mode. Note that the prompt changes:
hostname(config)# tunnel-group tunnel_group_name general-attributes
hostname(config-tunnel-general)#
To configure the general attributes for TunnelGroup3, created in the previous section, enter the following command:
hostname(config)# tunnel-group TunnelGroup3 general-attributes
hostname(config-tunnel-general)#
Step 2
Specify the name of the authentication-server group, if any, to use. If you want to use the LOCAL database for authentication if the specified server group fails, append the keyword LOCAL:
hostname(config-tunnel-general)# authentication-server-group groupname [LOCAL]
hostname(config-tunnel-general)#
For example, to configure the authentication server group named test, and to provide fallback to the LOCAL server if the authentication server group fails, enter the following command:
hostname(config-tunnel-general)# authentication-server-group test LOCAL
hostname(config-tunnel-general)#
The authentication-server-group name identifies a previously configured authentication server or group of servers. Use the aaa-server command to configure authentication servers. The maximum length of the group tag is 16 characters.
You can also configure interface-specific authentication by including the name of an interface in parentheses before the group name. The following interfaces are available by default:
• inside—Name of interface GigabitEthernet0/1
• outside—Name of interface GigabitEthernet0/0
Other interfaces you have configured (using the interface command) are also available. The following command configures interface-specific authentication for the interface named outside using the server servergroup1 for authentication:
hostname(config-tunnel-general)# authentication-server-group (outside) servergroup1
hostname(config-tunnel-general)#
Step 3
Optionally, specify the name of the authorization-server group, if any, to use. If you are not using authorization, go to Step 6. When you configure this value, users must exist in the authorization database to connect:
hostname(config-tunnel-general)# authorization-server-group groupname
hostname(config-tunnel-general)#
Use the aaa-server command to configure authorization servers. The maximum length of the group tag is 16 characters.
For example, the following command specifies the use of the authorization-server group FinGroup:
hostname(config-tunnel-general)# authorization-server-group FinGroup
hostname(config-tunnel-general)#
Step 4
Specify whether to require a successful authorization before allowing a user to connect. The default is not to require authorization.
hostname(config-tunnel-general)# authorization-required
hostname(config-tunnel-general)#
Step 5
Specify the attribute or attributes to use in deriving a name for an authorization query from a certificate. This attribute specifies what part of the subject DN field to use as the username for authorization:
hostname(config-tunnel-general)# authorization-dn-attributes {primary-attribute [secondary-attribute] | use-entire-name}
For example, the following command specifies the use of the CN attribute as the username for authorization:
hostname(config-tunnel-general)# authorization-dn-attributes CN
hostname(config-tunnel-general)#
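To see what authorization-dn-attributes does with a certificate subject, here is an added Python example (not Cisco code) that parses a subject DN string into its attribute/value pairs and derives the authorization username in the two forms the command offers: a named attribute from the subject, or the entire name. Treating the secondary attribute as a fallback used only when the primary attribute is absent from the subject is this example's own assumption; the page does not say how the appliance combines the two. The subject DN strings are constructed, and the parser handles a comma escaped inside a value (as in O=Example\, Inc.) so that it is not mistaken for an RDN separator.

```python
"""Derive an authorization username from a certificate subject DN.

Added example, not Cisco code. Mirrors the two forms of
authorization-dn-attributes {primary [secondary] | use-entire-name}.
Assumption (not stated on the page): the secondary attribute is used only
when the primary attribute is absent from the subject.
"""
import re


def parse_dn(dn):
    """Split a subject DN such as 'CN=jdoe,OU=Finance,O=Example\\, Inc.,C=US'
    into an ordered list of (attribute, value) pairs.

    A comma escaped as backslash-comma belongs to the value and is not a
    separator. Attribute names are upper-cased so 'cn' and 'CN' compare equal."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.replace("\\,", ",").strip()))
    return pairs


def authorization_username(dn, primary=None, secondary=None, use_entire_name=False):
    """Return the username an authorization query would use, or None when
    neither configured attribute is present in the subject."""
    if use_entire_name:
        return dn  # use-entire-name: the whole subject DN string is the username
    if primary is None:
        raise ValueError("a primary attribute is required unless use_entire_name is set")
    pairs = parse_dn(dn)
    for wanted in (primary, secondary):  # primary first, secondary as fallback (assumption)
        if wanted is None:
            continue
        for attr, value in pairs:
            if attr == wanted.upper():
                return value
    return None


# Constructed subject DNs for the example.
SUBJECT_WITH_CN = "CN=jdoe,OU=Finance,O=Example\\, Inc.,C=US"
SUBJECT_WITHOUT_CN = "UID=jdoe42,OU=Finance,O=Example\\, Inc.,C=US"

if __name__ == "__main__":
    print(authorization_username(SUBJECT_WITH_CN, "CN"))            # jdoe
    print(authorization_username(SUBJECT_WITHOUT_CN, "CN", "UID"))  # jdoe42
    print(authorization_username(SUBJECT_WITH_CN, use_entire_name=True))
```

The None return is the case worth noticing operationally: a certificate whose subject lacks the configured attribute yields no username, so the authorization query cannot match an entry, which is the behaviour to expect when authorization-required is set and users are missing from the authorization database.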
The authorization-dn-attributes are C (Country), CN (Common Name), DNQ (DN qualifier), EA (E-mail Address), GENQ (Generational qualifier), GN (Given Name), I (Initials), L (Locality), N (Name), O (Organization), OU (Organizational Unit), SER (Serial Number), SN (Surname), SP (State/Province), T (Title), UID (User ID), and