Table Of Contents
Tunneling and Security
Configuration | Tunneling and Security
PPTP
Screen Elements
L2TP
Screen Elements
IPSec
IPSec | LAN-to-LAN
Backup LAN-to-LANs
Screen Elements
IPSec | LAN-to-LAN | No Public Interfaces
IPSec | LAN-to-LAN | Add or Modify
Screen Elements
IPSec | LAN-to-LAN | Add | Local or Remote Network List
Screen Elements
IPSec| LAN-to-LAN | Add | Done
IPSec | IKE Proposals
Screen Elements
IPSec | IKE Proposals | Add, Modify, or Copy
Screen Elements
IPSec | NAT Transparency
About IPSec Over TCP
About IPSec over NAT-T
Screen Elements
IPSec | Alerts
Qualified Clients and Peers
Screen Elements
SSH
Screen Elements
SSL
Screen Elements
SSL | HTTPS
Screen Elements
Configuring a RADIUS or LDAP Server
Setting Authentication and Authorization Values
SSL | Protocols
Screen Elements
WebVPN
WebVPN | HTTP/HTTPS Proxy
Screen Elements
WebVPN | Home Page
Screen Elements
WebVPN | Logo
Screen Elements
WebVPN | E-Mail Proxy
Screen Elements
Piggyback HTTPS and IMAP Sessions
How to Request and Install Certificates
WebVPN | Servers and URLs
Screen Elements
WebVPN | Servers and URLs | Add or Modify
Screen Elements
WebVPN | Port Forwarding
Screen Elements
WebVPN | Port Forwarding | Add or Modify
Screen Elements
Using Hostnames vs. IP Addresses
The WebVPN Application Access Window
Application Access Window Fields
About the Hosts File
WebVPN | Cisco SSL VPN Client
SSL VPN Client Privilege Requirements
SSL VPN Client Screen
Screen Elements
Additional Configuration
WebVPN | Secure Desktop
WebVPN | Secure Desktop | Setup
Screen Elements
WebVPN | Secure Desktop | Manager
Tunneling and Security
Tunneling protocols are the heart of virtual private networking. The tunnels make it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network.
The secure connection is called a tunnel. The VPN 3000 Concentrator Series uses tunneling protocols to:
•
Negotiate tunnel parameters
•Establish tunnels
•Authenticate users and data
•Manage security keys
•Encrypt and decrypt data
•Manage data transfer across the tunnel
•Manage data transfer inbound and outbound as a tunnel endpoint or router
The VPN Concentrator functions as a bidirectional tunnel endpoint: it can receive plain packets from the private network, encapsulate them, create a tunnel, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination; or it can receive encapsulated packets from the public network, unencapsulate them, and send them to their final destination on the private network.
The VPN Concentrator supports the most popular VPN tunneling protocols:
•PPTP: Point-to-Point Tunneling Protocol
•L2TP: Layer 2 Tunneling Protocol
•IPSec: IP Security Protocol
•WebVPN: SSL VPN, which provides VPN services to remote users via an HTTPS-enabled Web browser, and does not require a client
It also supports L2TP over IPSec, which provides interoperability with the VPN Client provided by Microsoft. The VPN Concentrator is also interoperable with other clients that conform to L2TP/IPSec standards, but it does not formally support those clients.
This section explains how to configure:
•System-wide parameters for PPTP and L2TP
•IPSec LAN-to-LAN connections
•IKE proposals for IPSec Security Associations and LAN-to-LAN connections
•NAT Transparency, which includes IPSec over TCP and NAT Traversal (NAT-T)
•WebVPN connections
To configure L2TP over IPSec, see Configuration | Tunneling and Security | IPSec | IKE Proposals, and Configuration | User Management.
Configuration | Tunneling and Security
This section of the Manager lets you configure system-wide parameters for tunneling protocols.
•PPTP: Configure PPTP parameters
•L2TP: Configure L2TP parameters
•IPSec: Configure IPSec parameters and connections
–LAN-to-LAN: IPSec LAN-to-LAN connections between two VPN Concentrators (or between the VPN Concentrator and another secure gateway)
–IKE Proposals: IKE proposals for IPSec Security Associations and LAN-to-LAN connections
–NAT Transparency: IPSec over TCP and IPSec over NAT-T
–Alerts: Disconnect notifications to clients and peers
•SSH: Configure a Secure Shell protocol server
•SSL: Configure Secure Socket Layer parameters for management and for WebVPN sessions
–HTTPS: Enable, port, and client authentication
–Protocols: Encryption protocols and SSL version
•WebVPN: Configure parameters for SSL VPN connections
Figure 15-1 Configuration | Tunneling and Security Screen
PPTP
This screen lets you configure system-wide PPTP (Point-to-Point Tunneling Protocol) parameters.
The PPTP protocol defines mechanisms for establishing and controlling the tunnel, but uses Generic Routing Encapsulation (GRE) for data transfer.
PPTP is a client-server protocol. The VPN Concentrator always functions as a PPTP Network Server (PNS) and supports remote PC clients. The PPTP tunnel extends all the way from the PC to the VPN Concentrator.
PPTP is popular with Microsoft clients. Microsoft Dial-Up Networking (DUN) 1.2 and 1.3 under Windows 95/98 support it, as do versions of Windows NT 4.0, Windows 2000, and Windows XP. PPTP is typically used with Microsoft encryption (MPPE).
You can configure PPTP on rules in filters; see Configuration | Policy Management | Traffic Management. Groups and users also have PPTP parameters; see Configuration | User Management.
Figure 15-2 Configuration | Tunneling and Security | PPTP Screen
Note Cisco supplies default settings for PPTP parameters that ensure optimum performance for typical VPN use. We strongly recommend that you not change the defaults without advice from Cisco personnel.
Screen Elements
•Enabled — Check this box to enable PPTP system-wide functions on the VPN Concentrator, or uncheck it to disable. The box is checked by default.
Caution Disabling PPTP terminates any active PPTP sessions.
•Maximum Tunnel Idle Time — Enter the time, in seconds, to wait before disconnecting an established PPTP tunnel with no active sessions. An open tunnel consumes system resources. Enter 0 to disconnect the tunnel immediately after the last session terminates (no idle time). The maximum idle time is 86400 seconds (24 hours). The default is 5 seconds.
•Packet Window Size — Enter the maximum number of received but unacknowledged PPTP packets that the system can buffer. The system must queue unacknowledged PPTP packets until it can process them. The minimum number of packets is 0. The maximum number is 32. The default is 16 packets.
•Limit Transmit to Window — Check this box to limit the number of transmitted PPTP packets to the client's packet window size. Ignoring the window improves performance, provided that the client can ignore the window violation. The box is unchecked by default.
•Max. Tunnels — Enter the maximum allowed number of simultaneously active PPTP tunnels. The minimum number of tunnels is 0. The maximum number of tunnels depends on the VPN Concentrator model, for example: model 3060 = 5000. Enter 0 for unlimited tunnels (the default).
•Max. Sessions/Tunnel — Enter the maximum number of sessions allowed per PPTP tunnel. The minimum number of sessions is 0. The maximum number of sessions depends on the VPN Concentrator model, for example, model 3060 = 5000. Enter 0 for unlimited sessions (the default).
•Packet Processing Delay — Enter the packet processing delay for PPTP flow control. This parameter is sent to the client in a PPTP control packet. Entries are in units of 100 milliseconds (0.1 second). The maximum delay is 65535; The default delay is 1 (0.1 second).
•Acknowledgement Delay — Enter the number of milliseconds that the VPN Concentrator will wait to send an acknowledgement to the client when there is no data packet on which to piggyback an acknowledgement. Enter 0 to send an immediate acknowledgement. The minimum delay is 50 milliseconds. The maximum delay is 5000 milliseconds. The default delay is 500 milliseconds.
•Acknowledgement Timeout — Enter the number of seconds to wait before determining that an acknowledgement has been lost, in other words, before resuming transmission to the client even though the transmit window is closed. The minimum number of seconds is 1. The maximum number of seconds is 10. The default value is 3 seconds.
•Apply — Click to apply your PPTP settings and to include them in the active configuration. The Manager returns to the Configuration | Tunneling and Security screen.
•Cancel — Click to discard your settings. The Manager returns to the Configuration | Tunneling and Security screen.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
L2TP
This screen lets you configure system-wide L2TP (Layer 2 Tunneling Protocol) parameters.
L2TP is a client-server protocol. It combines many features from PPTP and L2F (Layer 2 Forwarding), and is regarded as a successor to both. The L2TP protocol defines mechanisms both for establishing and controlling the tunnel and for transferring data.
The VPN Concentrator always functions as a L2TP Network Server (LNS) and supports remote PC clients. The L2TP tunnel extends all the way from the PC to the VPN Concentrator. When the client PC is running Windows 2000, the L2TP tunnel is typically layered over an IPSec transport connection.
You can configure L2TP on rules in filters; see Configuration | Policy Management | Traffic Management. Groups and users also have L2TP parameters; see Configuration | User Management.
Figure 15-3 Configuration | Tunneling and Security | L2TP Screen
Note Cisco supplies default settings for L2TP parameters that ensure optimum performance for typical VPN use. We strongly recommend that you not change the defaults without advice from Cisco personnel.
Screen Elements
•Enabled — Check this box to enable L2TP system-wide functions on the VPN Concentrator, or uncheck it to disable. The box is checked by default.
Caution Disabling L2TP terminates any active L2TP sessions.
•Maximum Tunnel Idle Time — Enter the time in seconds to wait before disconnecting an established L2TP tunnel with no active sessions. An open tunnel consumes system resources. Enter 0 to disconnect the tunnel immediately after the last session terminates (no idle time). Maximum is 86400 seconds (24 hours). The default is 60 seconds.
•Control Window Size — Enter the maximum number of unacknowledged L2TP control channel packets that the system can receive and buffer. The minimum number of packets is 1. The maximum number is 16. The default number is 4.
•Control Retransmit Interval — Enter the time in seconds to wait before retransmitting an unacknowledged L2TP tunnel control message to the remote client. Minimum is 1 (the default), and maximum is 10 seconds.
•Control Retransmit Limit — Enter the number of times to retransmit L2TP tunnel control packets before assuming that the remote client is no longer responding. The minimum number of times is 1. The maximum number of times is 32. The default is 4 times.
•Max. Tunnels — Enter the maximum allowed number of simultaneously active L2TP tunnels. The minimum value is 0 tunnels. The maximum value depends on the VPN Concentrator model; for example, model 3060 can have a maximum of 5000 tunnels. Enter 0 for unlimited tunnels. The default value is 0.
•Max. Sessions/Tunnel — Enter the maximum number of sessions allowed per L2TP tunnel. The minimum number of sessions is 0. The maximum number depends on the VPN Concentrator model, for example: model 3060 = 5000. Enter 0 for unlimited sessions (the default).
•Hello Interval — Enter the time in seconds to wait when the L2TP tunnel is idle (no control or payload packets received) before sending a Hello (or "keepalive") packet to the remote client. The minimum wait time is 1 second. The maximum wait time is 3600 seconds. The default wait time is 60 seconds.
•Apply — Click to apply your L2TP settings and to include them in the active configuration. The Manager returns to the Configuration | Tunneling and Security screen.
•Cancel — Click to discard your settings. The Manager returns to the Configuration | Tunneling and Security screen.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
IPSec
This section of the Manager lets you configure IPSec LAN-to-LAN connections, IKE (Internet Key Exchange) parameters for IPSec security associations (SAs) and LAN-to-LAN connections, and NAT Transparency.
IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both LAN-to-LAN connections and client-to-LAN connections can use IPSec.
In IPSec terminology, a "peer" is a remote-access client or another secure gateway. During tunnel establishment under IPSec, the two peers negotiate SAs that govern authentication, encryption, encapsulation, key management, etc. These negotiations involve two phases: first, to establish the tunnel (the IKE SA); and second, to govern traffic within the tunnel (the IPSec SA).
In IPSec LAN-to-LAN connections, the VPN Concentrator can function as initiator or responder. In IPSec client-to-LAN connections, the VPN Concentrator functions only as responder. Initiators propose SAs; responders accept, reject, or make counter-proposals—all in accordance with configured SA parameters. To establish a connection, both entities must agree on the SAs.
The VPN Client complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients. Likewise, the VPN Concentrator can establish LAN-to-LAN connections with other protocol-compliant VPN devices (often called "secure gateways").
The Cisco VPN Client supports these IPSec attributes:
•Main mode for negotiating phase one ISAKMP SAs when using digital certificates for authentication
•Aggressive mode for negotiating phase one ISAKMP SAs when using preshared keys for authentication
•Authentication Algorithms:
–ESP-MD5-HMAC-128
–ESP-SHA1-HMAC-160
•Authentication Modes:
–Preshared Keys
–X.509 Digital Certificates
•Diffie-Hellman Groups 1, 2, 5, and 7
•Encryption Algorithms:
–AES-128, -192, and -256
–3DES-168
–DES-56
–ESP-NULL
•Extended Authentication (XAUTH)
•Mode Configuration (also known as ISAKMP Configuration Method)
•Tunnel Encapsulation Mode
•IP compression (IPCOMP) using LZS
You configure IKE proposals (parameters for the IKE SA) here. You apply them to IPSec LAN-to-LAN connections in this section, and to IPSec SAs on the Configuration | Policy Management | Traffic Management | Security Associations screens. Therefore, you should configure IKE proposals before configuring other IPSec parameters. Cisco supplies default IKE proposals that you can use or modify.
Figure 15-4 Configuration | Tunneling and Security | IPSec Screen
IPSec | LAN-to-LAN
This section of the Manager lets you configure, add, modify, and delete IPSec LAN-to-LAN connections between two VPN Concentrators.
While the VPN Concentrator can establish LAN-to-LAN connections with other protocol-compliant VPN secure gateways, these instructions assume VPN Concentrators on both sides. And here, the "peer" is the other VPN Concentrator or secure gateway.
In a LAN-to-LAN connection, IPSec creates a tunnel between the public interfaces of two VPN Concentrators, which correspondingly route secure traffic to and from many hosts on their private LANs. There is no user configuration or authentication in a LAN-to-LAN connection; all hosts configured on the private networks can access hosts on the other side of the connection, at any time.
You can configure only one LAN-to-LAN connection with each VPN Concentrator (or other secure gateway) peer. You must configure identical basic IPSec parameters on both VPN Concentrators and configure mirror-image private network addresses or network lists.
The VPN Concentrator also provides a network autodiscovery feature that dynamically discovers and updates the private network addresses on each side of the LAN-to-LAN connection, so you do not have to explicitly configure them. This feature works only when both devices are VPN Concentrators and both VPN Concentrators have routing enabled on the private interface.
You must configure a public interface on the VPN Concentrator before you can configure an IPSec LAN-to-LAN connection. See the Configuration | Interfaces screens.
You must also configure IKE proposals before configuring LAN-to-LAN connections. See the Configuration | Tunneling and Security | IPSec | IKE Proposals screens.
If you are using a network list to specify the local or remote network, you must create the network list before you configure the LAN-to-LAN connection. See the Configuration | Policy Management | Traffic Management | Network Lists screen.
Backup LAN-to-LANs
The Backup LAN-to-LAN feature allows you to establish redundancy for your LAN-to-LAN connection. Unlike VRRP, which provides a failover for the entire VPN Concentrator, Backup LAN-to-LAN provides a failover for a particular LAN-to-LAN connection only. Although VRRP and Backup LAN-to-LAN are both means of establishing continuity of service should a VPN Concentrator fail, Backup LAN-to-LAN provides certain advantages that VRRP does not. Whereas you cannot configure VRRP and load balancing on the same VPN Concentrator, you can configure Backup LAN-to-LAN and load balancing on the same device. Whereas VRRP backup peers cannot be geographically dispersed, redundant backup LAN-to-LAN peers do not have to be located at the same site.
Note This feature does not work with VRRP. If you are setting up a backup LAN-to-LAN configuration, disable VRRP.
A backup LAN-to-LAN configuration has two sides: a central side and a remote side. The central side is the endpoint of the connection where the backup VPN Concentrators reside. (If the backup VPN Concentrators reside in different geographic places, there may be more than one central side.) The endpoint of its LAN-to-LAN peer is the remote side. (See Figure 15-5.)
Figure 15-5 The Two Endpoints of the Connection
The remote side VPN Concentrator has a peer list of all (up to ten) of the central side VPN Concentrators. The peers appear on the list in their order of priority. Each central side VPN Concentrator has a peer list of the (one) remote side peer.
In a backup LAN-to-LAN setup, the remote peer always initiates the connection. It tries to connect to the first VPN Concentrator on its peer list. If that VPN Concentrator is unavailable, then it tries to connect to the second peer on the list. It continues in this way until it connects to one of the peers on the list. Once the connection is established, if it later fails, the remote side peer again tries to connect to the first peer on its list. If that VPN Concentrator is unavailable, it tries the second--and so on. In this way, the remote VPN Concentrator reestablishes the LAN-to-LAN connection with only a brief interruption of service.
In a non-redundant LAN-to-LAN connection, the first data to travel from one peer to another brings up the IKE tunnel. The tunnel exists for the duration of the data transmission only. When the data stops transmitting, the tunnel goes down. In a backup LAN-to-LAN configuration, the peers establish the tunnel in a different manner. During IKE tunnel establishment, the VPN Concentrator at each endpoint of the LAN has a unique role. It can either originate or accept IKE tunnels. In most cases, you configure the remote side VPN Concentrator to originate the tunnel and the central side VPN Concentrator to accept it. Once the IPSec tunnel is established, data travels in both directions; each side can both receive and send data. The tunnel remains up at all times, even if data transmission stops.
The unique role of the VPN Concentrator in establishing the IKE tunnel is called its connection type. There are three connection types:
•Originate- Only: This VPN Concentrator originates the IKE tunnel. An originate-only endpoint is analogous to a telephone that only makes outgoing phone calls; it cannot receive calls.
•Answer-Only: This VPN Concentrator accepts the IKE tunnel. An answer-only connection is analogous to a telephone that only receives incoming calls; it cannot make calls.
•Bi-directional: This VPN Concentrator can either originate or accept the IKE tunnel. It is like a telephone that can both make calls and receive calls.
For Backup LAN-to-LAN, configure the remote side VPN Concentrator with a connection type of Originate-Only; configure the central side VPN Concentrator with a connection type of Answer-Only.
Configure the LAN-to-LAN parameters of all the central side VPN Concentrators in the Backup LAN-to-LAN setup identically. Except for the Connection Type and Peer List, configure the LAN-to-LAN parameters identically for the remote and central side peers as well.
It is a good idea to configure Reverse Route Injection on both the remote and central side peers. If you do not use RRI, you will have to configure the routes manually. Keep in mind that the VPN Concentrators do not send out routes until they establish the IKE connection and thus know the IP addresses of the tunnel endpoints.
Figure 15-6 shows an example Backup LAN-to-LAN configuration.
Figure 15-6 An Example Backup LAN-to-LAN Configuration
Figure 15-7 Configuration | Tunneling and Security | IPSec LAN-to-LAN Screen
Screen Elements
•LAN-to-LAN Connection — This list shows connections that have been configured. The connections are listed in alphabetical order. Entries have the following formats:
–If the LAN-to-LAN Connection is Bi-Directional or Answer-Only, its entry appears in the format: Name (Peer IP Address) on Interface (Interface Type). For example:
Branch 1 (192.168.34.56) on Ethernet 2 (Public)
–If the LAN-to-LAN Connection is Originate-Only, it appears in the format: Name on Interface (Interface Type). For example:
Branch 1 on Ethernet 2 (Public)
Disabled LAN-to-LAN connections are marked (D). If no connections have been configured, the list shows --Empty--.
•Add — Click to configure and add a new connection. See the Configuration | Tunneling and Security | IPSec | LAN-to-LAN | Add or Modify screen. If you have not configured a public interface, the Manager displays the Configuration | Tunneling and Security | IPSec | LAN-to-LAN | No Public Interfaces screen.
•Modify — To change the parameters of a configured connection, select the connection from the list and click Modify. See the Configuration | Tunneling and Security | IPSec | LAN-to-LAN | Add or Modify screen.
•Delete — To remove a configured connection, select the connection from the list and click Delete.
Note There is no confirmation or undo.
The Manager deletes the connection, its LAN-to-LAN filter rules, SAs, and group. The Manager then refreshes the screen and shows the remaining connections in the list.
Caution Deleting a connection immediately deletes any tunnels (and user sessions) using that connection.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
IPSec | LAN-to-LAN | No Public Interfaces
The Manager displays this screen if you have not configured a public interface on the VPN Concentrator and you try to add an IPSec LAN-to-LAN connection. The public interface need not be enabled, but it must be configured with an IP address and the Public Interface parameter enabled.
You should designate only one VPN Concentrator interface as a public interface.
Figure 15-8 Configuration | Tunneling and Security | IPSec LAN-to-LAN | No Public Interfaces Screen
Click the highlighted link to configure the desired public interface. The Manager opens the appropriate Configuration | Interfaces screen.
IPSec | LAN-to-LAN | Add or Modify
These screens let you configure and add a new IPSec LAN-to-LAN connection or modify parameters of a configured IPSec LAN-to-LAN connection. You must configure a public interface on the VPN Concentrator before you can configure an IPSec LAN-to-LAN connection. See the Configuration | Interfaces screens.
You can configure only one LAN-to-LAN connection with each VPN Concentrator (or other secure gateway) peer. The maximum number of LAN-to-LAN connections supported is determined by the hardware and is model-dependent.
Table 15-1 Maximum LAN-to-LAN Connections for Each VPN Concentrator Model
VPN Concentrator Model
|
Maximum Number of Sessions
|
3005 & 3015
|
100
|
3020 & 3030
|
500
|
3060 & 3080
|
1000
|
When you Add or Modify a connection on these screens, the VPN Concentrator automatically:
•Creates or modifies two filter rules with the Apply IPSec action: one inbound, one outbound, named L2L:<Name> In and L2L:<Name> Out.
•Creates or modifies an IPSec SA named L2L:<Name>.
•Applies these rules to the filter on the public interface and applies the SA to the rules. If the public interface does not have a filter, it applies the Public (default) filter with the preceding rules.
•Creates or modifies a group named with the Peer IP address. If the VPN Concentrator internal authentication server has not been configured, it does so, and adds the group to the database.
All of the rules, SAs, filters, and group have default parameters or those specified on this screen. You can modify the rules and SA on the Configuration | Policy Management | Traffic Management screens, the group on the Configuration | User Management | Groups screens, and the interface on the Configuration | Interfaces screens. However, we recommend that you keep the configured defaults. You cannot delete these rules, SAs, or group individually; the system automatically deletes them when you delete the LAN-to-LAN connection.
To fully configure a LAN-to-LAN connection, you must configure identical IPSec LAN-to-LAN parameters on both VPN Concentrators, and configure mirror-image local and remote private network addresses. For example:
Configure
|
On this VPN Concentrator
|
On Peer VPN Concentrator
|
Local Network
|
10.10.0.0/0.0.255.255
|
11.0.0.0/0.255.255.255
|
Remote Network
|
11.0.0.0/0.255.255.255
|
10.10.0.0/0.0.255.255
|
If you use network lists, you must also configure and apply them as mirror images on the two VPN Concentrators. If you use network autodiscovery, you must use it on both VPN Concentrators.
Caution On the
Modify screen, any changes take effect as soon as you click
Apply. If client sessions are using this connection, changes delete the tunnel (and the sessions) without warning.
Figure 15-9 Configuration | Tunneling and Security | IPSec LAN-to-LAN | Add or Modify Screen
Screen Elements
•Enable — Check this box to enable this LAN-to-LAN connection. To disable this connection, uncheck the check box. By default, this option is enabled.
This option can be useful for debugging, as it allows you to disable a LAN-to-LAN configuration without deleting it.
To disable a LAN-to-LAN connection, it is sufficient to uncheck this option on either the central site or the remote peer VPN Concentrator. You do not have to uncheck it on both.
•Name — Enter a unique descriptive name for this connection. The maximum name length is 32 characters. Since the created rules and SA use this name, we recommend that you keep it short.
•Interface — Click this drop-down menu button and select the configured public interface on this VPN Concentrator for this end of the LAN-to-LAN connection. The list shows all interfaces that have the Public Interface parameter enabled. See Configuration | Interfaces.
On the Modify screen, this shows the configured public interface on this VPN Concentrator for this end of the LAN-to-LAN connection. You cannot change the interface. To move the connection to another interface, you must delete this connection and add a new one for the other interface.
•Connection Type — Select the role of this VPN Concentrator in IKE tunnel establishment. For a non-redundant LAN-to-LAN configuration, use Bi-directional. If this VPN Concentrator is a remote side peer in a backup LAN-to-LAN setup, choose Originate Only; if it is a central side peer, choose Answer-Only. For more information on configuring LAN-to-LAN redundancy, see the "Backup LAN-to-LANs" section.
–Bi-directional: This VPN Concentrator can either initiate or accept IKE tunnels.
–Answer-only: This VPN Concentrator only accepts IKE tunnels; it does not initiate them.
–Originate-only: This VPN Concentrator only initiates IKE tunnels; it does not accept them.
Note You cannot use XML to modify either the Connection Type or the Peers fields. The XML request reports success, but the configuration file remains unchanged.
•Peers — Enter the IP address of the public interface of this VPN Concentrator's LAN-to-LAN peer. If this is a remote side VPN Concentrator in a backup LAN-to-LAN configuration, you may configure up to ten peers. List the peers from top to bottom in order of their priority. For more information on configuring LAN-to-LAN redundancy, see the "Backup LAN-to-LANs" section.
•Digital Certificate — Click this drop-down menu button and choose a PKI (Public Key Infrastructure) digital identity certificate to authenticate the peer during Phase 1 IKE negotiations. The list shows any digital certificates that have been installed, plus None (Use Preshared Keys). The latter uses only preshared keys to authenticate the peer during Phase 1 IKE negotiations. This is the default choice.
See the discussion under Administration | Certificate Management.
•Certificate Transmission — If you configured authentication using digital certificates, choose the type of certificate transmission.
–Entire certificate chain = Send the peer the identity certificate and all issuing certificates. Issuing certificates include the root certificate and any subordinate CA certificates.
–Identity certificate only = Send the peer only the identity certificate.
•Preshared Key — Enter a preshared key for this connection. Use a minimum of 4, a maximum of 32, alphanumeric characters; for example: bW16j65m4. The system displays your entry in clear text.
This key becomes the password for the IPSec LAN-to-LAN group that is created, and you must enter the same key on the peer VPN Concentrator. (This is not a manual encryption or authentication key. The system automatically generates those session keys.)
•Authentication — Click this drop-down menu button and choose the algorithm:
–None = No data authentication.
–ESP/MD5/HMAC-128 = ESP protocol using HMAC (Hashed Message Authentication Coding) with the MD5 hash function using a 128-bit key. This is the default choice.
–ESP/SHA/HMAC-160 = ESP protocol using HMAC with the SHA-1 hash function using a 160-bit key. This choice is more secure but requires more processing overhead.
This parameter specifies the data, or packet, authentication algorithm. Packet authentication proves that data comes from whom you think it comes from; it is often referred to as "data integrity" in VPN literature. The IPSec ESP (Encapsulating Security Payload) protocol provides both encryption and authentication.
•Encryption — Click this drop-down menu button and choose the algorithm:
–Null = Use ESP without encryption; no packet encryption.
–DES-56 = Use DES encryption with a 56-bit key.
–3DES-168 = Use Triple-DES encryption with a 168-bit key. This is the default.
–AES-128 = Advanced Encryption Standard (AES) encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than triple DES.
–AES-192 = AES encryption with a 192-bit key.
–AES-256 = AES encryption with a 256-bit key.
This parameter specifies the data, or packet, encryption algorithm. Data encryption makes the data unreadable if intercepted.
•IKE Proposal — This parameter specifies the set of attributes for Phase 1 IPSec negotiations, which are known as IKE proposals. See the Configuration | Tunneling and Security | IPSec | IKE Proposals screen. You must configure, activate, and prioritize IKE proposals before configuring LAN-to-LAN connections.
Click this drop-down menu button and choose the IKE proposal. The list shows only active IKE proposals in priority order. Cisco-supplied default active proposals are listed in the table below. The DH column refers to the Diffie-Hellman group used for SA key generation.
Note The IKE-3DES-MD5-DH7 proposal is intended for use with the movianVPN client; it can also be used with any peer that supports ECC groups for Diffie-Hellman key generation.
Table 15-2 Default IKE Proposals
Proposal
|
Encryption
|
Authentication
|
DH
|
IKE-3DES-MD5
|
3DES 168-bit
|
MD5/HMAC-128
|
pre-shared keys
|
2
|
IKE-3DES-MD5-DH1
|
3DES 168-bit
|
MD5/HMAC-128
|
pre-shared keys
|
1
|
IKE-DES-MD5
|
DES 56-bit
|
MD5/HMAC-128
|
pre-shared keys
|
1
|
IKE-3DES-MD5-DH7
|
3DES 168-bit
|
MD5/HMAC-128
|
pre-shared keys
|
7
|
IKE-3DES-MD5-RSA
|
3DES 168-bit
|
MD5/HMAC-128
|
RSA signatures
|
2
|
IKE-AES128-SHA
|
AES 128-bit
|
SHA/HMAC-160
|
pre-shared keys
|
2
|
•Filter — Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the VPN Concentrator, based on criteria such as source address, destination address, and protocol. Cisco supplies default filters, which you can modify. To configure filters and rules, see the Configuration | Policy Management | Traffic Management screens.
Click this drop-down menu button and select the filter:
–--None-- = No filter applied, which means there are no restrictions on tunneled data traffic. This is the default selection.
–Private (Default) = Allow all packets except source-routed IP packets. (This is the default filter for the private Ethernet interface.)
–Public (Default) = Allow inbound and outbound tunneling protocols plus ICMP and VRRP. Allow fragmented IP packets. Drop everything else, including source-routed packets. (This is the default filter for the public Ethernet interface.)
–External (Default) = No rules applied to this filter. Drop all packets. (This is the default filter for the external Ethernet interface.)
Additional filters that you have configured also appear on the list.
•IPSec NAT-T — Check the box to enable NAT Traversal (NAT-T) for this LAN-to-LAN connection.
NAT-T lets IPSec peers establish a LAN-to-LAN connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPSec traffic when necessary.
The VPN Concentrator implementation of NAT-T supports IPSec peers behind a single NAT/PAT device as follows:
–One Microsoft L2TP/IPSec client (can support other remote access clients and one L2TP/IPSec client).
–One LAN-to-LAN connection.
–Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both.
To use NAT-T you must:
–Open port 4500 on any firewall you have configured in front of a VPN Concentrator.
–Reconfigure previous IPSec/UDP settings using port 4500 to a different port.
–Enable IPSec over NAT-T globally in the Configuration | Tunneling and Security | IPSec | NAT Transparency screen.
–Select the second or third option for the Fragmentation Policy parameter in the Configuration | Interfaces | Ethernet screen. These options let traffic travel across NAT devices that do not support IP fragmentation; they do not impede the operation of NAT devices that do support IP fragmentation.
•Bandwidth Policy — Select a bandwidth policy to apply to this IPSec LAN-to-LAN connection from the drop-down list. If there are no policies in this list, you must go to Configuration | Policy Management | Traffic Management | Bandwidth Policies and define one or more policies. If you do not want to select a policy here, then select None. For more information on the Bandwidth Management feature, see the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify screen.
•Routing — The VPN Concentrator provides two ways to advertise static LAN-to-LAN routes.
–Reverse Route Injection = The local VPN Concentrator adds the addresses of one or more remote networks to its routing table and advertises these entries to specified networks on the local LAN. If you choose this option, specify the Local and Remote Network parameters that follow. Then, enable RIP or OSPF on the private interface.
–Network Autodiscovery = This feature dynamically discovers and continuously updates the private network addresses on each side of the LAN-to-LAN connection. This feature uses RIP. You must enable Inbound RIP RIPv2/v1 on the Ethernet 1 (Private) interface of both VPN Concentrators. (See the "Configuration | Interfaces" section.) If you choose this option, skip the Local and Remote Network parameters; they are ignored.
–None = Do not advertise static LAN-to-LAN routes.
•Local Network — These entries identify the private network on this VPN Concentrator, the hosts of which can use the LAN-to-LAN connection. These entries must match those in the Remote Network section on the peer VPN Concentrator. If you are using a LAN-to-LAN NAT rule, this is the translated network address.
•Local Network List — Click this drop-down menu button and choose the configured network list that specifies the local network addresses. A network list is a list of network addresses that are treated as a single object. (See the Configuration | Policy Management | Traffic Management | Network Lists screens.)
To enter a network address, choose Use IP Address/Wildcard-mask below.
If you want to use a network list that you have not yet configured, choose Create New Network List. The VPN Concentrator displays the Configuration | Tunneling and Security | IPSec | LAN-to-LAN | Add | Local or Remote Network List window.
If you choose a network list, the Manager ignores entries in the IP Address and Wildcard Mask fields.
•Local Network IP Address — Enter the IP address of the private local network on this VPN Concentrator.
•Local Network Wildcard Mask — Enter the wildcard mask for the private local network. For example: 0.0.255.255. The system supplies a default wildcard mask appropriate to the IP address class.
Note An IP address is used with a wildcard mask to provide the desired granularity. A wildcard mask is the reverse of a subnet mask. In other words, the wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example:
0.0.0.0/255.255.255.255 = any address
10.10.1.35/0.0.0.0 = only 10.10.1.35
10.10.1.35/0.0.0.255 = all 10.10.1.nnn addresses
•Remote Network — These entries identify the private network on the remote peer VPN Concentrator whose hosts can use the LAN-to-LAN connection. These entries must match those in the Local Network section on the peer VPN Concentrator. If you are using a LAN-to-LAN NAT rule, this is the remote network address.
Use the Network List, IP Address, and Wildcard Mask fields as described above for the Local Network.
•Add — Click to add this connection to the list of configured LAN-to-LAN connections. If you are creating new network lists, the Manager automatically displays the appropriate Local or Remote Network List screens. Otherwise, the Manager displays the Configuration | Tunneling and Security | IPSec| LAN-to-LAN | Add | Done screen.
•Apply — Click to apply your changes to this LAN-to-LAN connection. The Manager returns to the Configuration | Tunneling and Security | IPSec | LAN-to-LAN screen.
Caution Any changes take effect as soon as you click Apply. If client sessions are using this connection, changes delete the tunnel (and the sessions) without warning.
•Cancel — Click to discard your entries. The Manager returns to the Configuration | Tunneling and Security | IPSec | LAN-to-LAN screen, and the LAN-to-LAN Connection list is unchanged.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
IPSec | LAN-to-LAN | Add | Local or Remote Network List
These screens let you configure and add network lists for the Local Network or Remote Network of a new IPSec LAN-to-LAN connection. The Manager automatically opens these screens if you choose Create new Network List under Network List on the Configuration | Tunneling and Security | IPSec | LAN-to-LAN | Add or Modify screen.
A network list is a list of network addresses that are treated as a single object. See the Configuration | Policy Management | Traffic Management | Network Lists screens also.
On the Local Network List screen, the Manager can automatically generate a network list using the valid network routes in the routing table for the Ethernet 1 (Private) interface of this VPN Concentrator. (See Monitoring | Routing Table.)
A single network list can contain a maximum of 10 network entries.
Figure 15-10 Configuration | Tunneling and Security | IPSec LAN-to-LAN | Add | Local or Remote Network List Screen
Screen Elements
•List Name — The Manager supplies a default name that identifies the list as a LAN-to-LAN local or remote list, which we recommend you keep. Otherwise, enter a unique name for this network list. The maximum name length is 48 characters. Entries are case-sensitive. Spaces are allowed.
If you use the Generate Local List feature on the Local Network List screen, edit this name after the system generates the network list.
•Network List — Enter the networks in this text box. Enter each network on a single line using the format n.n.n.n/w.w.w.w, where n.n.n.n is the network IP address and w.w.w.w is the wildcard mask.
Note Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example, 10.10.1.0/0.0.0.255 = all 10.10.1.nnn addresses.
If you omit the wildcard mask, the Manager supplies the default wildcard mask for the class of the network address. For example, 192.168.12.0 is a Class C address, and default wildcard mask is 0.0.0.255.
You can enter a maximum of 200 networks in a single network list.
•Generate Local List (IPSec LAN to LAN | Add | Local Network List only) — Click to have the Manager automatically generate a network list using the first 200 valid network routes in the routing table for the Ethernet 1 (Private) interface of this VPN Concentrator. (See Monitoring | Routing Table.) The Manager refreshes the screen after it generates the list, and you can then edit the Network List and the List Name.
•Apply — Click to add this network list to the configured network lists. The Manager displays either the Remote Network List screen or the Configuration | System | Tunneling Protocols | IPSec| LAN-to-LAN | Add | Done screen.
IPSec| LAN-to-LAN | Add | Done
The Manager displays this screen when you have finished configuring all parameters for a new IPSec LAN-to-LAN connection. It documents the added configuration entities.
The Manager displays this screen only once. We suggest you print a copy of the screen to save it for your records.
To examine or modify an entity, see the appropriate screen:
•Group: See Configuration | User Management | Groups.
•Security Association: See Configuration | Policy Management | Traffic Management | Security Associations.
•Filter Rules: See Configuration | Policy Management | Traffic Management | Rules.
You cannot delete the group, SA, or rules individually, nor can you remove the rules from their filter. The system automatically deletes them when you delete the LAN-to-LAN connection.
Figure 15-11 Configuration | Tunneling and Security | IPSec LAN-to-LAN | Add | Done Screen
•OK — Click to close this screen and return to the Configuration | Tunneling and Security | IPSec | LAN-to-LAN screen. The LAN-to-LAN Connection list shows the new connection, and the Manager includes all the new settings in the active configuration.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
IPSec | IKE Proposals
This section of the Manager lets you configure, add, modify, activate, deactivate, delete, and prioritize IKE proposals, which are sets of parameters for Phase 1 IPSec negotiations. During Phase 1, the two peers establish a secure tunnel within which they then negotiate the Phase 2 parameters.
The VPN Concentrator uses IKE proposals both as initiator and responder in IPSec negotiations. In LAN-to-LAN connections, the VPN Concentrator can function as initiator or responder. In client-to-LAN connections, the VPN Concentrator functions only as responder.
You must configure, activate, and prioritize IKE proposals before you configure IPSec Security Associations. See Configuration | Policy Management | Traffic Management | Security Associations, or click the Security Associations link on this screen.
You must also configure and activate IKE proposals before configuring IPSec LAN-to-LAN connections. See Configuration | Tunneling and Security | IPSec | LAN-to-LAN.
You can configure a maximum of 150 IKE proposals total (active and inactive).
Figure 15-12 Configuration | Tunneling and Security | IPSec | IKE Proposals Screen
Cisco supplies default IKE proposals that you can use or modify; see Table 15-3. All of the default IKE proposals have a Data Lifetime value of 10000 KB and a Time Lifetime value of 86400 seconds. All use time for Lifetime Measurement.
The documentation for the VPN Client and for the VPN 3002 Hardware Client each include a table of all valid IKE proposals for remote access connections. See Configuration | Tunneling and Security | IPSec | IKE Proposals | Add, Modify, or Copy for explanations of the parameters.
Table 15-3 Cisco-Supplied Default IKE Proposals: Proposals Active by Default
Proposal Name
|
Authentication Mode
|
Authentication
Algorithm
|
Encryption Algorithm
|
Diffie-Hellman
Group
|
CiscoVPNClient-3DES-MD5
|
Preshared Keys (XAUTH)
|
MD5/HMAC-128
|
3DES-168
|
2 (1024-bits)
|
IKE-3DES-MD5
|
Preshared Keys
|
MD5/HMAC-128
|
3DES-168
|
2
|
IKE-3DES-MD5-DH1
|
Preshared Keys
|
MD5/HMAC-128
|
3DES-168
|
1 (768-bits)
|
IKE-DES-MD5
|
Preshared Keys
|
MD5/HMAC-128
|
DES-56
|
1
|
IKE-3DES-MD5-DH7
|
Preshared Keys
|
MD5/HMAC-128
|
3DES-168
|
7 (ECC)
|
IKE-3DES-MD5-RSA
|
RSA Digital Certificate
|
MD5/HMAC-128
|
3DES-168
|
2 (1024-bits)
|
IKE-AES128-SHA
|
Preshared Keys
|
SHA/HMAC-160
|
AES-128
|
2
|
CiscoVPNClient-AES128- SHA
|
Preshared Keys
|
SHA/HMAC-160
|
AES-128
|
2
|
CiscoVPNClient-3DES-MD5-DH5
|
3DES-168
|
MD5/HMAC-128
|
3DES-168
|
5 (1536-bits)
|
HYBRID_AES256_SHA_RSA_DH5
|
RSA Cert (HYBRID)
|
SHA/HMAC-160
|
AES-256
|
5
|
HYBRID_AES256_SHA_RSA_DH2
|
RSA Cert (HYBRID)
|
SHA/HMAC-160
|
AES-256
|
2
|
HYBRID_AES192_SHA_RSA_DH2
|
RSA Cert (HYBRID)
|
SHA/HMAC-160
|
AES-192
|
2
|
HYBRID_3DES_SHA_RSA_DH5
|
RSA Cert (HYBRID)
|
SHA/HMAC-160
|
3DES-168
|
5
|
HYBRID_3DES_SHA_RSA_DH2
|
RSA Cert (HYBRID)
|
SHA/HMAC-160
|
3DES-168
|
2
|
HYBRID_AES128_SHA_RSA_DH2
|
RSA Cert (HYBRID)
|
SHA/HMAC-160
|
AES-128
|
2
|
Table 15-4 Cisco-Supplied Default IKE Proposals: Proposals Inactive by Default
Proposal Name
|
Authentication Mode
|
Authentication Algorithm
|
Encryption Algorithm
|
Diffie-Hellman
Group
|
IKE-3DES-SHA-DSA
|
RSA Digital Certificate
|
SHA/HMAC-160
|
3DES-168
|
2 (1024-bits)
|
IKE-3DES-MD5-RSA-DH1
|
RSA Digital Certificate
|
MD5/HMAC-128
|
3DES-168
|
1 (768-bits)
|
IKE-DES-MD5-DH7
|
Preshared Keys
|
MD5/HMAC-128
|
DES-56
|
7 (ECC)
|
CiscoVPNClient-3DES-MD5-RSA
|
RSA Certificate (XAUTH)
|
MD5/HMAC-128
|
3DES-168
|
2
|
CiscoVPNClient-3DES-SHA-DSA
|
DSA Certificate (XAUTH)
|
SHA/HMAC-160
|
3DES-168
|
2
|
CiscoVPNClient-AES256-SHA
|
Preshared Keys
|
SHA/HMAC-160
|
AES-256
|
2
|
IKE-AES256-SHA
|
Preshared Keys
|
SHA/HMAC-160
|
AES-256
|
2
|
HYBRID_3DES_MD5_DH5
|
RSA Cert (HYBRID)
|
MD5/HMAC-128
|
3DES-168
|
5
|
HYBRID_3DES_MD5_DH2
|
RSA Cert (HYBRID)
|
MD5/HMAC-128
|
3DES-168
|
2
|
Screen Elements
•Active Proposals — The field shows the names of IKE proposals that have been configured, activated, and prioritized. As an IPSec responder, the VPN Concentrator checks these proposals in priority order, to see if it can find one that agrees with parameters in the initiator's proposed SA.
Activating a proposal also makes it available for use wherever the Manager displays an IKE Proposal list, and the first active proposal appears as the default selection.
•Inactive Proposals — The field shows the names of IKE proposals that have been configured but are inactive. New proposals appear in this list when you first configure and add them. The VPN Concentrator does not use these proposals in any IPSec negotiations, nor do they appear in IKE Proposal lists.
Note To configure L2TP over IPSec, you must activate IKE-3DES-MD5-RSA. Also see the Configuration | User Management screens.
•Activate — To activate an inactive IKE proposal, select it from the Inactive Proposals list and click the Activate button. The Manager moves the proposal to the Active Proposals list and refreshes the screen.
•Deactivate — To deactivate an active IKE proposal, select it from the Active Proposals list and click the Deactivate button. If the active proposal is configured on an SA, the Manager displays an error message; and you must remove it from the SA before you can deactivate it. Otherwise, the Manager moves the proposal to the Inactive Proposals list and refreshes the screen.
•Move Up / Move Down — To change the priority order of an active IKE proposal, select it from the Active Proposals list and click Move Up or Move Down. The Manager refreshes the screen and shows the reordered Active Proposals list. These actions move the proposal up or down one position.
•Add — Click to configure and add a new IKE proposal to the list of Inactive Proposals. See Configuration | Tunneling and Security | IPSec | IKE Proposals | Add, Modify, or Copy.
•Modify — To modify a configured IKE proposal, select it from either Active Proposals or Inactive Proposals and click the Modify button. See Configuration | Tunneling and Security | IPSec | IKE Proposals | Add, Modify, or Copy. Modifying an active proposal does not affect connections currently using it, but changes do affect subsequent connections.
•Copy — To use a configured IKE proposal as the basis for configuring and adding a new one, select it from either Active Proposals or Inactive Proposals and click the Copy button. See Configuration | Tunneling and Security| IPSec | IKE Proposals | Add, Modify, or Copy. The new proposal appears in the Inactive Proposals list.
•Delete — To delete a configured IKE proposal, select it from either Active Proposals or Inactive Proposals and click the Delete button. If an active proposal is configured on an SA, the Manager displays an error message; and you must remove it from the SA before you can delete it. Otherwise, there is no confirmation or undo. The Manager refreshes the screen and shows the remaining IKE proposals in the list.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
IPSec | IKE Proposals | Add, Modify, or Copy
These screens let you:
•Add: Configure and add a new inactive IKE proposal.
•Modify: Modify a previously configured IKE proposal.
•Copy: Copy a configured IKE proposal, modify its parameters, save it with a new name, and add it to the configured inactive IKE proposals.
You can configure a maximum of 150 IKE proposals total (active and inactive), and you can make any number of them active.
Figure 15-13 Configuration | Tunneling and Security | IPSec | IKE Proposals |
Add Screen
.
Screen Elements
•Proposal Name — Enter a unique name for this IKE proposal. The maximum name length is 48 characters. Entries are case-sensitive. Spaces are allowed.
•Authentication Mode — This parameter specifies how to authenticate the remote client or peer. Authentication proves that the connecting entity is the one you think it is. If you select one of the digital certificate modes, an appropriate digital certificate must be installed on this VPN Concentrator and the remote client or peer. See the discussion under Administration | Certificate Management.
Click this drop-down menu button and choose the method:
–Preshared Keys = Use preshared keys (the default). The keys are derived from the password of the user's or peer's group.
–RSA Digital Certificate = Use a digital certificate with keys generated by the RSA algorithm.
–DSA Digital Certificate = Use a digital certificate with keys generated by the DSA algorithm.
–Preshared Keys (XAUTH) = Use preshared keys (the default). The keys are derived from the password of the user's or peer's group. Require user-based authentication via XAUTH.
–RSA Digital Certificate (XAUTH) = Use a digital certificate with keys generated by the RSA algorithm. Require user-based authentication via XAUTH.
–DSA Digital Certificate (XAUTH) = Use a digital certificate with keys generated by the DSA algorithm. Require user-based authentication via XAUTH.
–RSA Digital Certificate (HYBRID) = Asymmetric authentication. Concentrator authen
