Table Of Contents
Tunneling and Security
Configuration | Tunneling and Security
PPTP
Screen Elements
L2TP
Screen Elements
IPSec
IPSec | LAN-to-LAN
Backup LAN-to-LANs
Screen Elements
IPSec | LAN-to-LAN | No Public Interfaces
IPSec | LAN-to-LAN | Add or Modify
Screen Elements
IPSec | LAN-to-LAN | Add | Local or Remote Network List
Screen Elements
IPSec | LAN-to-LAN | Add | Done
IPSec | IKE Proposals
Screen Elements
IPSec | IKE Proposals | Add, Modify, or Copy
Screen Elements
IPSec | NAT Transparency
About IPSec Over TCP
About IPSec over NAT-T
Screen Elements
IPSec | Alerts
Qualified Clients and Peers
Screen Elements
SSH
Screen Elements
SSL
Screen Elements
SSL | HTTPS
Screen Elements
Configuring a RADIUS or LDAP Server
Setting Authentication and Authorization Values
SSL | Protocols
Screen Elements
WebVPN
WebVPN | HTTP/HTTPS Proxy
Screen Elements
WebVPN | Home Page
Screen Elements
WebVPN | Logo
Screen Elements
WebVPN | E-Mail Proxy
Screen Elements
Piggyback HTTPS and IMAP Sessions
How to Request and Install Certificates
WebVPN | Servers and URLs
Screen Elements
WebVPN | Servers and URLs | Add or Modify
Screen Elements
WebVPN | Port Forwarding
Screen Elements
WebVPN | Port Forwarding | Add or Modify
Screen Elements
Using Hostnames vs. IP Addresses
The WebVPN Application Access Window
Application Access Window Fields
About the Hosts File
WebVPN | Cisco SSL VPN Client
SSL VPN Client Privilege Requirements
SSL VPN Client Screen
Screen Elements
Additional Configuration
WebVPN | Secure Desktop
WebVPN | Secure Desktop | Setup
Screen Elements
WebVPN | Secure Desktop | Manager
Tunneling and Security
Tunneling protocols are the heart of virtual private networking. The tunnels make it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network.
The secure connection is called a tunnel. The VPN 3000 Concentrator Series uses tunneling protocols to:
• Negotiate tunnel parameters
• Establish tunnels
• Authenticate users and data
• Manage security keys
• Encrypt and decrypt data
• Manage data transfer across the tunnel
• Manage data transfer inbound and outbound as a tunnel endpoint or router
The VPN Concentrator functions as a bidirectional tunnel endpoint. It can receive plain packets from the private network, encapsulate them, create a tunnel, and send them to the other end of the tunnel, where they are decapsulated and sent to their final destination. It can also receive encapsulated packets from the public network, decapsulate them, and send them to their final destination on the private network.
The VPN Concentrator supports the most popular VPN tunneling protocols:
• PPTP: Point-to-Point Tunneling Protocol
• L2TP: Layer 2 Tunneling Protocol
• IPSec: IP Security Protocol
• WebVPN: SSL VPN, which provides VPN services to remote users via an HTTPS-enabled Web browser, and does not require a client
It also supports L2TP over IPSec, which provides interoperability with the VPN Client provided by Microsoft. The VPN Concentrator is also interoperable with other clients that conform to L2TP/IPSec standards, but it does not formally support those clients.
This section explains how to configure:
• System-wide parameters for PPTP and L2TP
• IPSec LAN-to-LAN connections
• IKE proposals for IPSec Security Associations and LAN-to-LAN connections
• NAT Transparency, which includes IPSec over TCP and NAT Traversal (NAT-T)
• WebVPN connections
To configure L2TP over IPSec, see Configuration | Tunneling and Security | IPSec | IKE Proposals, and Configuration | User Management.
Configuration | Tunneling and Security
This section of the Manager lets you configure system-wide parameters for tunneling protocols.
• PPTP: Configure PPTP parameters
• L2TP: Configure L2TP parameters
• IPSec: Configure IPSec parameters and connections
  – LAN-to-LAN: IPSec LAN-to-LAN connections between two VPN Concentrators (or between the VPN Concentrator and another secure gateway)
  – IKE Proposals: IKE proposals for IPSec Security Associations and LAN-to-LAN connections
  – NAT Transparency: IPSec over TCP and IPSec over NAT-T
  – Alerts: Disconnect notifications to clients and peers
• SSH: Configure a Secure Shell protocol server
• SSL: Configure Secure Socket Layer parameters for management and for WebVPN sessions
  – HTTPS: Enable, port, and client authentication
  – Protocols: Encryption protocols and SSL version
• WebVPN: Configure parameters for SSL VPN connections
Figure 15-1 Configuration | Tunneling and Security Screen
PPTP
This screen lets you configure system-wide PPTP (Point-to-Point Tunneling Protocol) parameters.
The PPTP protocol defines mechanisms for establishing and controlling the tunnel, but uses Generic Routing Encapsulation (GRE) for data transfer.
PPTP is a client-server protocol. The VPN Concentrator always functions as a PPTP Network Server (PNS) and supports remote PC clients. The PPTP tunnel extends all the way from the PC to the VPN Concentrator.
PPTP is popular with Microsoft clients. Microsoft Dial-Up Networking (DUN) 1.2 and 1.3 under Windows 95/98 support it, as do versions of Windows NT 4.0, Windows 2000, and Windows XP. PPTP is typically used with Microsoft encryption (MPPE).
You can configure PPTP on rules in filters; see Configuration | Policy Management | Traffic Management. Groups and users also have PPTP parameters; see Configuration | User Management.
Figure 15-2 Configuration | Tunneling and Security | PPTP Screen
Note
Cisco supplies default settings for PPTP parameters that ensure optimum performance for typical VPN use. We strongly recommend that you not change the defaults without advice from Cisco personnel.
Screen Elements
• Enabled — Check this box to enable PPTP system-wide functions on the VPN Concentrator, or uncheck it to disable. The box is checked by default.
Caution 
Disabling PPTP terminates any active PPTP sessions.
• Maximum Tunnel Idle Time — Enter the time, in seconds, to wait before disconnecting an established PPTP tunnel with no active sessions. An open tunnel consumes system resources. Enter 0 to disconnect the tunnel immediately after the last session terminates (no idle time). The maximum idle time is 86400 seconds (24 hours). The default is 5 seconds.
• Packet Window Size — Enter the maximum number of received but unacknowledged PPTP packets that the system can buffer. The system must queue unacknowledged PPTP packets until it can process them. The minimum number of packets is 0. The maximum number is 32. The default is 16 packets.
• Limit Transmit to Window — Check this box to limit the number of transmitted PPTP packets to the client's packet window size. Leaving the box unchecked (ignoring the window) improves performance, provided that the client tolerates the window violation. The box is unchecked by default.
• Max. Tunnels — Enter the maximum allowed number of simultaneously active PPTP tunnels. The minimum number of tunnels is 0. The maximum number of tunnels depends on the VPN Concentrator model; for example, model 3060 = 5000. Enter 0 for unlimited tunnels (the default).
• Max. Sessions/Tunnel — Enter the maximum number of sessions allowed per PPTP tunnel. The minimum number of sessions is 0. The maximum number of sessions depends on the VPN Concentrator model; for example, model 3060 = 5000. Enter 0 for unlimited sessions (the default).
• Packet Processing Delay — Enter the packet processing delay for PPTP flow control. This parameter is sent to the client in a PPTP control packet. Entries are in units of 100 milliseconds (0.1 second). The maximum delay is 65535; the default delay is 1 (0.1 second).
• Acknowledgement Delay — Enter the number of milliseconds that the VPN Concentrator will wait to send an acknowledgement to the client when there is no data packet on which to piggyback an acknowledgement. Enter 0 to send an immediate acknowledgement. The minimum delay is 50 milliseconds. The maximum delay is 5000 milliseconds. The default delay is 500 milliseconds.
• Acknowledgement Timeout — Enter the number of seconds to wait before determining that an acknowledgement has been lost, in other words, before resuming transmission to the client even though the transmit window is closed. The minimum number of seconds is 1. The maximum number of seconds is 10. The default value is 3 seconds.
• Apply — Click to apply your PPTP settings and to include them in the active configuration. The Manager returns to the Configuration | Tunneling and Security screen.
• Cancel — Click to discard your settings. The Manager returns to the Configuration | Tunneling and Security screen.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
L2TP
This screen lets you configure system-wide L2TP (Layer 2 Tunneling Protocol) parameters.
L2TP is a client-server protocol. It combines many features from PPTP and L2F (Layer 2 Forwarding), and is regarded as a successor to both. The L2TP protocol defines mechanisms both for establishing and controlling the tunnel and for transferring data.
The VPN Concentrator always functions as an L2TP Network Server (LNS) and supports remote PC clients. The L2TP tunnel extends all the way from the PC to the VPN Concentrator. When the client PC is running Windows 2000, the L2TP tunnel is typically layered over an IPSec transport connection.
You can configure L2TP on rules in filters; see Configuration | Policy Management | Traffic Management. Groups and users also have L2TP parameters; see Configuration | User Management.
Figure 15-3 Configuration | Tunneling and Security | L2TP Screen
Note
Cisco supplies default settings for L2TP parameters that ensure optimum performance for typical VPN use. We strongly recommend that you not change the defaults without advice from Cisco personnel.
Screen Elements
• Enabled — Check this box to enable L2TP system-wide functions on the VPN Concentrator, or uncheck it to disable. The box is checked by default.
Caution 
Disabling L2TP terminates any active L2TP sessions.
• Maximum Tunnel Idle Time — Enter the time in seconds to wait before disconnecting an established L2TP tunnel with no active sessions. An open tunnel consumes system resources. Enter 0 to disconnect the tunnel immediately after the last session terminates (no idle time). Maximum is 86400 seconds (24 hours). The default is 60 seconds.
• Control Window Size — Enter the maximum number of unacknowledged L2TP control channel packets that the system can receive and buffer. The minimum number of packets is 1. The maximum number is 16. The default number is 4.
• Control Retransmit Interval — Enter the time in seconds to wait before retransmitting an unacknowledged L2TP tunnel control message to the remote client. Minimum is 1 (the default), and maximum is 10 seconds.
• Control Retransmit Limit — Enter the number of times to retransmit L2TP tunnel control packets before assuming that the remote client is no longer responding. The minimum number of times is 1. The maximum number of times is 32. The default is 4 times.
• Max. Tunnels — Enter the maximum allowed number of simultaneously active L2TP tunnels. The minimum value is 0 tunnels. The maximum value depends on the VPN Concentrator model; for example, model 3060 can have a maximum of 5000 tunnels. Enter 0 for unlimited tunnels. The default value is 0.
• Max. Sessions/Tunnel — Enter the maximum number of sessions allowed per L2TP tunnel. The minimum number of sessions is 0. The maximum number depends on the VPN Concentrator model; for example, model 3060 = 5000. Enter 0 for unlimited sessions (the default).
• Hello Interval — Enter the time in seconds to wait when the L2TP tunnel is idle (no control or payload packets received) before sending a Hello (or "keepalive") packet to the remote client. The minimum wait time is 1 second. The maximum wait time is 3600 seconds. The default wait time is 60 seconds.
• Apply — Click to apply your L2TP settings and to include them in the active configuration. The Manager returns to the Configuration | Tunneling and Security screen.
• Cancel — Click to discard your settings. The Manager returns to the Configuration | Tunneling and Security screen.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
IPSec
This section of the Manager lets you configure IPSec LAN-to-LAN connections, IKE (Internet Key Exchange) parameters for IPSec security associations (SAs) and LAN-to-LAN connections, and NAT Transparency.
IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both LAN-to-LAN connections and client-to-LAN connections can use IPSec.
In IPSec terminology, a "peer" is a remote-access client or another secure gateway. During tunnel establishment under IPSec, the two peers negotiate SAs that govern authentication, encryption, encapsulation, key management, and so on. These negotiations involve two phases: Phase 1 establishes the tunnel (the IKE SA), and Phase 2 governs traffic within the tunnel (the IPSec SA).
In IPSec LAN-to-LAN connections, the VPN Concentrator can function as initiator or responder. In IPSec client-to-LAN connections, the VPN Concentrator functions only as responder. Initiators propose SAs; responders accept, reject, or make counter-proposals—all in accordance with configured SA parameters. To establish a connection, both entities must agree on the SAs.
The VPN Client complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients. Likewise, the VPN Concentrator can establish LAN-to-LAN connections with other protocol-compliant VPN devices (often called "secure gateways").
The Cisco VPN Client supports these IPSec attributes:
• Main mode for negotiating phase one ISAKMP SAs when using digital certificates for authentication
• Aggressive mode for negotiating phase one ISAKMP SAs when using preshared keys for authentication
• Authentication Algorithms:
  – ESP-MD5-HMAC-128
  – ESP-SHA1-HMAC-160
• Authentication Modes:
  – Preshared Keys
  – X.509 Digital Certificates
• Diffie-Hellman Groups 1, 2, 5, and 7
• Encryption Algorithms:
  – AES-128, -192, and -256
  – 3DES-168
  – DES-56
  – ESP-NULL
• Extended Authentication (XAUTH)
• Mode Configuration (also known as ISAKMP Configuration Method)
• Tunnel Encapsulation Mode
• IP compression (IPCOMP) using LZS
You configure IKE proposals (parameters for the IKE SA) here. You apply them to IPSec LAN-to-LAN connections in this section, and to IPSec SAs on the Configuration | Policy Management | Traffic Management | Security Associations screens. Therefore, you should configure IKE proposals before configuring other IPSec parameters. Cisco supplies default IKE proposals that you can use or modify.
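The following Python script is an added illustration of the proposal matching described above; it is example code written for this page, not VPN Concentrator software. It encodes the Cisco-supplied default IKE proposals listed in Table 15-2 on this page, models a Phase 1 negotiation in which the initiator offers its active proposals in priority order and the responder accepts the first one whose attributes it also has active, and audits an active list for attributes a reviewer would flag. The data model, the function names, the rule that the initiator's priority order decides among several matches, and the "weak" thresholds (DES-56, MD5, DH group 1) are the editor's assumptions, not statements from the page.

```python
"""IKE Phase 1 proposal matching and a simple strength audit.

Added example, not VPN Concentrator code. Which side's priority order wins
when several proposals match is an assumption (initiator order is used).
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class IkeProposal:
    name: str
    encryption: str    # "3DES-168", "AES-128", "DES-56", ...
    hash_alg: str      # "MD5" or "SHA"
    auth_mode: str     # "preshared" or "rsa-sig"
    dh_group: int      # Diffie-Hellman group number

    def attributes(self) -> tuple:
        # Proposals match on the negotiated attributes only; the name is
        # local bookkeeping and is never sent to the peer.
        return (self.encryption, self.hash_alg, self.auth_mode, self.dh_group)


# Cisco default active proposals, in the priority order of Table 15-2.
DEFAULT_PROPOSALS = [
    IkeProposal("IKE-3DES-MD5",     "3DES-168", "MD5", "preshared", 2),
    IkeProposal("IKE-3DES-MD5-DH1", "3DES-168", "MD5", "preshared", 1),
    IkeProposal("IKE-DES-MD5",      "DES-56",   "MD5", "preshared", 1),
    IkeProposal("IKE-3DES-MD5-DH7", "3DES-168", "MD5", "preshared", 7),
    IkeProposal("IKE-3DES-MD5-RSA", "3DES-168", "MD5", "rsa-sig",   2),
    IkeProposal("IKE-AES128-SHA",   "AES-128",  "SHA", "preshared", 2),
]


def negotiate(initiator: Sequence[IkeProposal],
              responder: Sequence[IkeProposal]) -> Optional[IkeProposal]:
    """Return the responder's proposal that both sides agree on, or None.

    The initiator offers its active proposals in priority order; the
    responder accepts the first offered one whose attributes match any of
    its own active proposals. No match means no IKE SA.
    """
    responder_by_attrs = {}
    for p in responder:
        responder_by_attrs.setdefault(p.attributes(), p)
    for offered in initiator:
        match = responder_by_attrs.get(offered.attributes())
        if match is not None:
            return match
    return None


# Audit thresholds chosen for this example (assumptions, not from the page).
WEAK_ENCRYPTION = {"DES-56", "Null"}
WEAK_HASH = {"MD5"}
WEAK_DH_GROUPS = {1}      # 768-bit MODP


def weaknesses(p: IkeProposal) -> list:
    """List the attributes of one proposal that a reviewer would flag."""
    found = []
    if p.encryption in WEAK_ENCRYPTION:
        found.append(f"encryption {p.encryption}")
    if p.hash_alg in WEAK_HASH:
        found.append(f"hash {p.hash_alg}")
    if p.dh_group in WEAK_DH_GROUPS:
        found.append(f"DH group {p.dh_group}")
    return found


def audit(active: Sequence[IkeProposal]) -> dict:
    """Map each active proposal name to its list of weak attributes."""
    return {p.name: weaknesses(p) for p in active}


if __name__ == "__main__":
    # A peer configured with only AES-128 / SHA / preshared key / DH group 2.
    peer = [IkeProposal("PEER-AES", "AES-128", "SHA", "preshared", 2)]
    chosen = negotiate(peer, DEFAULT_PROPOSALS)
    print("agreed on:", chosen.name if chosen else "nothing")
    for name, flags in audit(DEFAULT_PROPOSALS).items():
        print(f"{name:18s} {', '.join(flags) or 'ok'}")
```

Running the audit over the default list shows why a practitioner should prune it before deploying: only IKE-AES128-SHA passes with no flags, so deactivating the weaker defaults (or placing the AES/SHA proposal first) keeps a peer from settling on DES or DH group 1.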
Figure 15-4 Configuration | Tunneling and Security | IPSec Screen
IPSec | LAN-to-LAN
This section of the Manager lets you configure, add, modify, and delete IPSec LAN-to-LAN connections between two VPN Concentrators.
While the VPN Concentrator can establish LAN-to-LAN connections with other protocol-compliant VPN secure gateways, these instructions assume VPN Concentrators on both sides. And here, the "peer" is the other VPN Concentrator or secure gateway.
In a LAN-to-LAN connection, IPSec creates a tunnel between the public interfaces of two VPN Concentrators, which correspondingly route secure traffic to and from many hosts on their private LANs. There is no user configuration or authentication in a LAN-to-LAN connection; all hosts configured on the private networks can access hosts on the other side of the connection, at any time.
You can configure only one LAN-to-LAN connection with each VPN Concentrator (or other secure gateway) peer. You must configure identical basic IPSec parameters on both VPN Concentrators and configure mirror-image private network addresses or network lists.
The VPN Concentrator also provides a network autodiscovery feature that dynamically discovers and updates the private network addresses on each side of the LAN-to-LAN connection, so you do not have to explicitly configure them. This feature works only when both devices are VPN Concentrators and both VPN Concentrators have routing enabled on the private interface.
You must configure a public interface on the VPN Concentrator before you can configure an IPSec LAN-to-LAN connection. See the Configuration | Interfaces screens.
You must also configure IKE proposals before configuring LAN-to-LAN connections. See the Configuration | Tunneling and Security | IPSec | IKE Proposals screens.
If you are using a network list to specify the local or remote network, you must create the network list before you configure the LAN-to-LAN connection. See the Configuration | Policy Management | Traffic Management | Network Lists screen.
Backup LAN-to-LANs
The Backup LAN-to-LAN feature allows you to establish redundancy for your LAN-to-LAN connection. Unlike VRRP, which provides a failover for the entire VPN Concentrator, Backup LAN-to-LAN provides a failover for a particular LAN-to-LAN connection only. Although VRRP and Backup LAN-to-LAN are both means of establishing continuity of service should a VPN Concentrator fail, Backup LAN-to-LAN provides certain advantages that VRRP does not. Whereas you cannot configure VRRP and load balancing on the same VPN Concentrator, you can configure Backup LAN-to-LAN and load balancing on the same device. Whereas VRRP backup peers cannot be geographically dispersed, redundant backup LAN-to-LAN peers do not have to be located at the same site.
Note
This feature does not work with VRRP. If you are setting up a backup LAN-to-LAN configuration, disable VRRP.
A backup LAN-to-LAN configuration has two sides: a central side and a remote side. The central side is the endpoint of the connection where the backup VPN Concentrators reside. (If the backup VPN Concentrators reside in different geographic places, there may be more than one central side.) The endpoint of its LAN-to-LAN peer is the remote side. (See Figure 15-5.)
Figure 15-5 The Two Endpoints of the Connection
The remote side VPN Concentrator has a peer list of all (up to ten) of the central side VPN Concentrators. The peers appear on the list in their order of priority. Each central side VPN Concentrator has a peer list of the (one) remote side peer.
In a backup LAN-to-LAN setup, the remote peer always initiates the connection. It tries to connect to the first VPN Concentrator on its peer list. If that VPN Concentrator is unavailable, then it tries to connect to the second peer on the list. It continues in this way until it connects to one of the peers on the list. Once the connection is established, if it later fails, the remote side peer again tries to connect to the first peer on its list. If that VPN Concentrator is unavailable, it tries the second, and so on. In this way, the remote VPN Concentrator reestablishes the LAN-to-LAN connection with only a brief interruption of service.
In a non-redundant LAN-to-LAN connection, the first data to travel from one peer to another brings up the IKE tunnel. The tunnel exists for the duration of the data transmission only. When the data stops transmitting, the tunnel goes down. In a backup LAN-to-LAN configuration, the peers establish the tunnel in a different manner. During IKE tunnel establishment, the VPN Concentrator at each endpoint of the LAN has a unique role. It can either originate or accept IKE tunnels. In most cases, you configure the remote side VPN Concentrator to originate the tunnel and the central side VPN Concentrator to accept it. Once the IPSec tunnel is established, data travels in both directions; each side can both receive and send data. The tunnel remains up at all times, even if data transmission stops.
The unique role of the VPN Concentrator in establishing the IKE tunnel is called its connection type. There are three connection types:
• Originate-Only: This VPN Concentrator originates the IKE tunnel. An originate-only endpoint is analogous to a telephone that only makes outgoing phone calls; it cannot receive calls.
• Answer-Only: This VPN Concentrator accepts the IKE tunnel. An answer-only connection is analogous to a telephone that only receives incoming calls; it cannot make calls.
• Bi-directional: This VPN Concentrator can either originate or accept the IKE tunnel. It is like a telephone that can both make calls and receive calls.
For Backup LAN-to-LAN, configure the remote side VPN Concentrator with a connection type of Originate-Only; configure the central side VPN Concentrator with a connection type of Answer-Only.
Configure the LAN-to-LAN parameters of all the central side VPN Concentrators in the Backup LAN-to-LAN setup identically. Except for the Connection Type and Peer List, configure the LAN-to-LAN parameters identically for the remote and central side peers as well.
It is a good idea to configure Reverse Route Injection on both the remote and central side peers. If you do not use RRI, you will have to configure the routes manually. Keep in mind that the VPN Concentrators do not send out routes until they establish the IKE connection and thus know the IP addresses of the tunnel endpoints.
Figure 15-6 shows an example Backup LAN-to-LAN configuration.
Figure 15-6 An Example Backup LAN-to-LAN Configuration
Figure 15-7 Configuration | Tunneling and Security | IPSec LAN-to-LAN Screen
Screen Elements
• LAN-to-LAN Connection — This list shows connections that have been configured. The connections are listed in alphabetical order. Entries have the following formats:
  – If the LAN-to-LAN Connection is Bi-Directional or Answer-Only, its entry appears in the format: Name (Peer IP Address) on Interface (Interface Type). For example:
    Branch 1 (192.168.34.56) on Ethernet 2 (Public)
  – If the LAN-to-LAN Connection is Originate-Only, it appears in the format: Name on Interface (Interface Type). For example:
    Branch 1 on Ethernet 2 (Public)
Disabled LAN-to-LAN connections are marked (D). If no connections have been configured, the list shows --Empty--.
• Add — Click to configure and add a new connection. See the Configuration | Tunneling and Security | IPSec | LAN-to-LAN | Add or Modify screen. If you have not configured a public interface, the Manager displays the Configuration | Tunneling and Security | IPSec | LAN-to-LAN | No Public Interfaces screen.
• Modify — To change the parameters of a configured connection, select the connection from the list and click Modify. See the Configuration | Tunneling and Security | IPSec | LAN-to-LAN | Add or Modify screen.
• Delete — To remove a configured connection, select the connection from the list and click Delete.
Note
There is no confirmation or undo.
The Manager deletes the connection, its LAN-to-LAN filter rules, SAs, and group. The Manager then refreshes the screen and shows the remaining connections in the list.
Caution 
Deleting a connection immediately deletes any tunnels (and user sessions) using that connection.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
IPSec | LAN-to-LAN | No Public Interfaces
The Manager displays this screen if you have not configured a public interface on the VPN Concentrator and you try to add an IPSec LAN-to-LAN connection. The public interface need not be enabled, but it must be configured with an IP address and the Public Interface parameter enabled.
You should designate only one VPN Concentrator interface as a public interface.
Figure 15-8 Configuration | Tunneling and Security | IPSec LAN-to-LAN | No Public Interfaces Screen
Click the highlighted link to configure the desired public interface. The Manager opens the appropriate Configuration | Interfaces screen.
IPSec | LAN-to-LAN | Add or Modify
These screens let you configure and add a new IPSec LAN-to-LAN connection or modify parameters of a configured IPSec LAN-to-LAN connection. You must configure a public interface on the VPN Concentrator before you can configure an IPSec LAN-to-LAN connection. See the Configuration | Interfaces screens.
You can configure only one LAN-to-LAN connection with each VPN Concentrator (or other secure gateway) peer. The maximum number of LAN-to-LAN connections supported is determined by the hardware and is model-dependent.
Table 15-1 Maximum LAN-to-LAN Connections for Each VPN Concentrator Model

VPN Concentrator Model | Maximum Number of LAN-to-LAN Connections
3005 & 3015            | 100
3020 & 3030            | 500
3060 & 3080            | 1000
When you Add or Modify a connection on these screens, the VPN Concentrator automatically:
• Creates or modifies two filter rules with the Apply IPSec action: one inbound, one outbound, named L2L:<Name> In and L2L:<Name> Out.
• Creates or modifies an IPSec SA named L2L:<Name>.
• Applies these rules to the filter on the public interface and applies the SA to the rules. If the public interface does not have a filter, it applies the Public (default) filter with the preceding rules.
• Creates or modifies a group named with the Peer IP address. If the VPN Concentrator internal authentication server has not been configured, it does so, and adds the group to the database.
All of the rules, SAs, filters, and group have default parameters or those specified on this screen. You can modify the rules and SA on the Configuration | Policy Management | Traffic Management screens, the group on the Configuration | User Management | Groups screens, and the interface on the Configuration | Interfaces screens. However, we recommend that you keep the configured defaults. You cannot delete these rules, SAs, or group individually; the system automatically deletes them when you delete the LAN-to-LAN connection.
To fully configure a LAN-to-LAN connection, you must configure identical IPSec LAN-to-LAN parameters on both VPN Concentrators, and configure mirror-image local and remote private network addresses. For example:
Configure      | On this VPN Concentrator | On Peer VPN Concentrator
Local Network  | 10.10.0.0/0.0.255.255    | 11.0.0.0/0.255.255.255
Remote Network | 11.0.0.0/0.255.255.255   | 10.10.0.0/0.0.255.255
If you use network lists, you must also configure and apply them as mirror images on the two VPN Concentrators. If you use network autodiscovery, you must use it on both VPN Concentrators.
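The mirror-image requirement above, and the backup LAN-to-LAN rules from the "Backup LAN-to-LANs" section (remote side Originate-Only with up to ten peers in priority order, central sides Answer-Only with the single remote peer, all other parameters identical), are easy to get wrong when several administrators edit several devices. The following Python script is an added example, not VPN Concentrator code, that checks two exported configurations against those rules. The dict layout and key names are assumptions made for the example; the sample configurations are constructed, reusing the network addresses and peer address shown on this page and inventing the central-side addresses. Networks may be given in the page's address/wildcard notation or in CIDR.

```python
"""Consistency checks for IPSec LAN-to-LAN configurations.

Added example, not VPN Concentrator code. The dict layout, key names and
sample configurations are assumptions chosen for this illustration.
"""
import ipaddress
from typing import Dict, List


def to_network(spec: str) -> ipaddress.IPv4Network:
    """Convert 'address/wildcard' (or plain CIDR) to an IPv4Network.
    A wildcard mask has 0 bits where the address must match, so its
    bitwise complement is the ordinary subnet mask."""
    addr, _, mask = spec.partition("/")
    if mask.isdigit():                       # already CIDR, e.g. 10.10.0.0/16
        return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    wildcard = int(ipaddress.IPv4Address(mask))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def networks(specs: List[str]) -> set:
    return {to_network(s) for s in specs}


# Parameters the page requires to be identical on both sides. Connection
# Type and Peers are excluded because they differ in a backup setup.
MIRRORED_PARAMS = ("authentication", "encryption", "ike_proposal", "preshared_key")


def mirror_problems(a: Dict, b: Dict) -> List[str]:
    """Return mismatches between two peers' configs; [] means mirror images."""
    problems = []
    if networks(a["local"]) != networks(b["remote"]):
        problems.append("local networks of A are not the remote networks of B")
    if networks(a["remote"]) != networks(b["local"]):
        problems.append("remote networks of A are not the local networks of B")
    problems += [f"{k} differs" for k in MIRRORED_PARAMS if a.get(k) != b.get(k)]
    return problems


def backup_problems(remote: Dict, centrals: List[Dict]) -> List[str]:
    """Check a backup LAN-to-LAN setup: the remote side is Originate-Only with
    1 to 10 peers in priority order; every central side is Answer-Only, lists
    only the remote peer, mirrors it, and matches the other central sides."""
    problems = []
    if remote["connection_type"] != "originate-only":
        problems.append("remote side must be Originate-Only")
    if not 1 <= len(remote["peers"]) <= 10:
        problems.append("remote side must list 1 to 10 peers")
    if remote["peers"] != [c["public_ip"] for c in centrals]:
        problems.append("remote peer list does not match central public addresses in priority order")
    for c in centrals:
        tag = c["public_ip"]
        if c["connection_type"] != "answer-only":
            problems.append(f"{tag}: central side must be Answer-Only")
        if c["peers"] != [remote["public_ip"]]:
            problems.append(f"{tag}: central side must list only the remote peer")
        problems += [f"{tag}: {p}" for p in mirror_problems(remote, c)]
        for k in MIRRORED_PARAMS + ("local", "remote"):
            if c.get(k) != centrals[0].get(k):
                problems.append(f"{tag}: {k} differs from the first central peer")
    return problems


# Constructed sample: networks and the peer address 192.168.34.56 come from
# this page; the central-side addresses 192.168.1.10/.11 are invented.
_SHARED = {"authentication": "ESP/SHA/HMAC-160", "encryption": "AES-128",
           "ike_proposal": "IKE-AES128-SHA", "preshared_key": "bW16j65m4"}
REMOTE = dict(_SHARED, public_ip="192.168.34.56", connection_type="originate-only",
              peers=["192.168.1.10", "192.168.1.11"],
              local=["10.10.0.0/0.0.255.255"], remote=["11.0.0.0/0.255.255.255"])
CENTRAL_1 = dict(_SHARED, public_ip="192.168.1.10", connection_type="answer-only",
                 peers=["192.168.34.56"],
                 local=["11.0.0.0/0.255.255.255"], remote=["10.10.0.0/0.0.255.255"])
CENTRAL_2 = dict(CENTRAL_1, public_ip="192.168.1.11")

if __name__ == "__main__":
    print("mirror:", mirror_problems(REMOTE, CENTRAL_1) or "ok")
    print("backup:", backup_problems(REMOTE, [CENTRAL_1, CENTRAL_2]) or "ok")
```

Comparing networks as parsed objects rather than strings matters because the two sides may have been entered in different notations (wildcard on one, CIDR on the other) and in different order within a network list; a string comparison would report false mismatches.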
Caution 
On the Modify screen, any changes take effect as soon as you click Apply. If client sessions are using this connection, changes delete the tunnel (and the sessions) without warning.
Figure 15-9 Configuration | Tunneling and Security | IPSec LAN-to-LAN | Add or Modify Screen
Screen Elements
• Enable — Check this box to enable this LAN-to-LAN connection. To disable this connection, uncheck the check box. By default, this option is enabled.
This option can be useful for debugging, as it allows you to disable a LAN-to-LAN configuration without deleting it.
To disable a LAN-to-LAN connection, it is sufficient to uncheck this option on either the central site or the remote peer VPN Concentrator. You do not have to uncheck it on both.
• Name — Enter a unique descriptive name for this connection. The maximum name length is 32 characters. Since the created rules and SA use this name, we recommend that you keep it short.
• Interface — Click this drop-down menu button and select the configured public interface on this VPN Concentrator for this end of the LAN-to-LAN connection. The list shows all interfaces that have the Public Interface parameter enabled. See Configuration | Interfaces.
On the Modify screen, this shows the configured public interface on this VPN Concentrator for this end of the LAN-to-LAN connection. You cannot change the interface. To move the connection to another interface, you must delete this connection and add a new one for the other interface.
• Connection Type — Select the role of this VPN Concentrator in IKE tunnel establishment. For a non-redundant LAN-to-LAN configuration, use Bi-directional. If this VPN Concentrator is a remote side peer in a backup LAN-to-LAN setup, choose Originate-Only; if it is a central side peer, choose Answer-Only. For more information on configuring LAN-to-LAN redundancy, see the "Backup LAN-to-LANs" section.
  – Bi-directional: This VPN Concentrator can either initiate or accept IKE tunnels.
  – Answer-only: This VPN Concentrator only accepts IKE tunnels; it does not initiate them.
  – Originate-only: This VPN Concentrator only initiates IKE tunnels; it does not accept them.
Note
You cannot use XML to modify either the Connection Type or the Peers fields. The XML request reports success, but the configuration file remains unchanged.
• Peers — Enter the IP address of the public interface of this VPN Concentrator's LAN-to-LAN peer. If this is a remote side VPN Concentrator in a backup LAN-to-LAN configuration, you may configure up to ten peers. List the peers from top to bottom in order of their priority. For more information on configuring LAN-to-LAN redundancy, see the "Backup LAN-to-LANs" section.
• Digital Certificate — Click this drop-down menu button and choose the PKI (Public Key Infrastructure) digital identity certificate to use for certificate-based authentication during Phase 1 IKE negotiations. The list shows any digital certificates that have been installed, plus None (Use Preshared Keys). The latter uses only preshared keys to authenticate the peer during Phase 1 IKE negotiations. This is the default choice.
See the discussion under Administration | Certificate Management.
• Certificate Transmission — If you configured authentication using digital certificates, choose the type of certificate transmission.
  – Entire certificate chain = Send the peer the identity certificate and all issuing certificates. Issuing certificates include the root certificate and any subordinate CA certificates.
  – Identity certificate only = Send the peer only the identity certificate.
• Preshared Key — Enter a preshared key for this connection. Use a minimum of 4 and a maximum of 32 alphanumeric characters; for example: bW16j65m4. The system displays your entry in clear text. When no digital certificate is used, this key is the only secret that authenticates the peer, so choose a long random value (up to the 32-character maximum) rather than a short one or a dictionary word, and pass it to the peer's administrator over a secure channel.
This key becomes the password for the IPSec LAN-to-LAN group that is created, and you must enter the same key on the peer VPN Concentrator. (This is not a manual encryption or authentication key. The system automatically generates those session keys.)
• Authentication — Click this drop-down menu button and choose the algorithm:
  – None = No data authentication.
  – ESP/MD5/HMAC-128 = ESP protocol using HMAC (Hash-based Message Authentication Code) with the MD5 hash function and a 128-bit key. This is the default choice.
  – ESP/SHA/HMAC-160 = ESP protocol using HMAC with the SHA-1 hash function and a 160-bit key. This choice is more secure but requires more processing overhead.
This parameter specifies the data, or packet, authentication algorithm. Packet authentication proves that the data came from the peer and was not altered in transit; it is often referred to as "data integrity" in VPN literature. The IPSec ESP (Encapsulating Security Payload) protocol provides both encryption and authentication.
• Encryption — Click this drop-down menu button and choose the algorithm:
  – Null = Use ESP without encryption; packets are tunneled in clear text, and only packet authentication (if selected) applies.
  – DES-56 = Use DES encryption with a 56-bit key. DES-56 is no longer considered secure; select it only for a peer that supports nothing stronger.
  – 3DES-168 = Use Triple-DES encryption with a 168-bit key. This is the default.
  – AES-128 = Advanced Encryption Standard (AES) encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than triple DES.
  – AES-192 = AES encryption with a 192-bit key.
  – AES-256 = AES encryption with a 256-bit key.
This parameter specifies the data, or packet, encryption algorithm. Data encryption makes the data unreadable if intercepted.
• IKE Proposal — This parameter specifies the set of attributes used for the Phase 1 (IKE) negotiation; such a set is called an IKE proposal. See the Configuration | Tunneling and Security | IPSec | IKE Proposals screen. You must configure, activate, and prioritize IKE proposals before configuring LAN-to-LAN connections.
Click this drop-down menu button and choose the IKE proposal. The list shows only active IKE proposals in priority order. Cisco-supplied default active proposals are listed in the table below. The DH column refers to the Diffie-Hellman group used for SA key generation.
Note
The IKE-3DES-MD5-DH7 proposal is intended for use with the movianVPN client; it can also be used with any peer that supports ECC groups for Diffie-Hellman key generation.
Table 15-2 Default IKE Proposals
Proposal | Encryption | Authentication Algorithm | Authentication Mode | DH
IKE-3DES-MD5 | 3DES 168-bit | MD5/HMAC-128 | pre-shared keys | 2
IKE-3DES-MD5-DH1 | 3DES 168-bit | MD5/HMAC-128 | pre-shared keys | 1
IKE-DES-MD5 | DES 56-bit | MD5/HMAC-128 | pre-shared keys | 1
IKE-3DES-MD5-DH7 | 3DES 168-bit | MD5/HMAC-128 | pre-shared keys | 7
IKE-3DES-MD5-RSA | 3DES 168-bit | MD5/HMAC-128 | RSA signatures | 2
IKE-AES128-SHA | AES 128-bit | SHA/HMAC-160 | pre-shared keys | 2
•
Filter — Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the VPN Concentrator, based on criteria such as source address, destination address, and protocol. Cisco supplies default filters, which you can modify. To configure filters and rules, see the Configuration | Policy Management | Traffic Management screens.
Click this drop-down menu button and select the filter:
–
--None-- = No filter applied, which means there are no restrictions on tunneled data traffic. This is the default selection.
–
Private (Default) = Allow all packets except source-routed IP packets. (This is the default filter for the private Ethernet interface.)
–
Public (Default) = Allow inbound and outbound tunneling protocols plus ICMP and VRRP. Allow fragmented IP packets. Drop everything else, including source-routed packets. (This is the default filter for the public Ethernet interface.)
–
External (Default) = No rules applied to this filter. Drop all packets. (This is the default filter for the external Ethernet interface.)
Additional filters that you have configured also appear on the list.
•
IPSec NAT-T — Check the box to enable NAT Traversal (NAT-T) for this LAN-to-LAN connection.
NAT-T lets IPSec peers establish a LAN-to-LAN connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPSec traffic when necessary.
The VPN Concentrator implementation of NAT-T supports IPSec peers behind a single NAT/PAT device as follows:
–
One Microsoft L2TP/IPSec client (the same NAT device can also carry other remote access clients alongside that one L2TP/IPSec client).
–
One LAN-to-LAN connection.
–
Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both.
To use NAT-T you must:
–
Open UDP port 4500 on any firewall you have configured in front of a VPN Concentrator.
–
Reconfigure previous IPSec/UDP settings using port 4500 to a different port.
–
Enable IPSec over NAT-T globally in the Configuration | Tunneling and Security | IPSec | NAT Transparency screen.
–
Select the second or third option for the Fragmentation Policy parameter in the Configuration | Interfaces | Ethernet screen. These options let traffic travel across NAT devices that do not support IP fragmentation; they do not impede the operation of NAT devices that do support IP fragmentation.
•
Bandwidth Policy — Select a bandwidth policy to apply to this IPSec LAN-to-LAN connection from the drop-down list. If there are no policies in this list, you must go to Configuration | Policy Management | Traffic Management | Bandwidth Policies and define one or more policies. If you do not want to select a policy here, then select None. For more information on the Bandwidth Management feature, see the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify screen.
•
Routing — The VPN Concentrator provides two ways to advertise static LAN-to-LAN routes.
–
Reverse Route Injection = The local VPN Concentrator adds the addresses of one or more remote networks to its routing table and advertises these entries to specified networks on the local LAN. If you choose this option, specify the Local and Remote Network parameters that follow. Then, enable RIP or OSPF on the private interface.
–
Network Autodiscovery = This feature dynamically discovers and continuously updates the private network addresses on each side of the LAN-to-LAN connection. This feature uses RIP. You must enable Inbound RIP RIPv2/v1 on the Ethernet 1 (Private) interface of both VPN Concentrators. (See the "Configuration | Interfaces" section.) If you choose this option, skip the Local and Remote Network parameters; they are ignored.
–
None = Do not advertise static LAN-to-LAN routes.
•
Local Network — These entries identify the private network on this VPN Concentrator, the hosts of which can use the LAN-to-LAN connection. These entries must match those in the Remote Network section on the peer VPN Concentrator. If you are using a LAN-to-LAN NAT rule, this is the translated network address.
•
Local Network List — Click this drop-down menu button and choose the configured network list that specifies the local network addresses. A network list is a list of network addresses that are treated as a single object. (See the Configuration | Policy Management | Traffic Management | Network Lists screens.)
To enter a network address, choose Use IP Address/Wildcard-mask below.
If you want to use a network list that you have not yet configured, choose Create New Network List. The VPN Concentrator displays the Configuration | Tunneling and Security | IPSec | LAN-to-LAN | Add | Local or Remote Network List window.
If you choose a network list, the Manager ignores entries in the IP Address and Wildcard Mask fields.
•
Local Network IP Address — Enter the IP address of the private local network on this VPN Concentrator.
•
Local Network Wildcard Mask — Enter the wildcard mask for the private local network. For example: 0.0.255.255. The system supplies a default wildcard mask appropriate to the IP address class.
Note
An IP address is used with a wildcard mask to provide the desired granularity. A wildcard mask is the reverse of a subnet mask. In other words, the wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example:
0.0.0.0/255.255.255.255 = any address
10.10.1.35/0.0.0.0 = only 10.10.1.35
10.10.1.35/0.0.0.255 = all 10.10.1.nnn addresses
•
Remote Network — These entries identify the private network on the remote peer VPN Concentrator whose hosts can use the LAN-to-LAN connection. These entries must match those in the Local Network section on the peer VPN Concentrator. If you are using a LAN-to-LAN NAT rule, this is the remote network address.
Use the Network List, IP Address, and Wildcard Mask fields as described above for the Local Network.
•
Add — Click to add this connection to the list of configured LAN-to-LAN connections. If you are creating new network lists, the Manager automatically displays the appropriate Local or Remote Network List screens. Otherwise, the Manager displays the Configuration | Tunneling and Security | IPSec | LAN-to-LAN | Add | Done screen.
•
Apply — Click to apply your changes to this LAN-to-LAN connection. The Manager returns to the Configuration | Tunneling and Security | IPSec | LAN-to-LAN screen.
Caution 
Any changes take effect as soon as you click Apply. If client sessions are using this connection, changes delete the tunnel (and the sessions) without warning.
•
Cancel — Click to discard your entries. The Manager returns to the Configuration | Tunneling and Security | IPSec | LAN-to-LAN screen, and the LAN-to-LAN Connection list is unchanged.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
IPSec | LAN-to-LAN | Add | Local or Remote Network List
These screens let you configure and add network lists for the Local Network or Remote Network of a new IPSec LAN-to-LAN connection. The Manager automatically opens these screens if you choose Create new Network List under Network List on the Configuration | Tunneling and Security | IPSec | LAN-to-LAN | Add or Modify screen.
A network list is a list of network addresses that are treated as a single object. See the Configuration | Policy Management | Traffic Management | Network Lists screens also.
On the Local Network List screen, the Manager can automatically generate a network list using the valid network routes in the routing table for the Ethernet 1 (Private) interface of this VPN Concentrator. (See Monitoring | Routing Table.)
A single network list can contain a maximum of 200 network entries.
Figure 15-10 Configuration | Tunneling and Security | IPSec LAN-to-LAN | Add | Local or Remote Network List Screen
Screen Elements
•
List Name — The Manager supplies a default name that identifies the list as a LAN-to-LAN local or remote list, which we recommend you keep. Otherwise, enter a unique name for this network list. The maximum name length is 48 characters. Entries are case-sensitive. Spaces are allowed.
If you use the Generate Local List feature on the Local Network List screen, edit this name after the system generates the network list.
•
Network List — Enter the networks in this text box. Enter each network on a single line using the format n.n.n.n/w.w.w.w, where n.n.n.n is the network IP address and w.w.w.w is the wildcard mask.
Note
Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example, 10.10.1.0/0.0.0.255 = all 10.10.1.nnn addresses.
If you omit the wildcard mask, the Manager supplies the default wildcard mask for the class of the network address. For example, 192.168.12.0 is a Class C address, and default wildcard mask is 0.0.0.255.
You can enter a maximum of 200 networks in a single network list.
•
Generate Local List (IPSec LAN to LAN | Add | Local Network List only) — Click to have the Manager automatically generate a network list using the first 200 valid network routes in the routing table for the Ethernet 1 (Private) interface of this VPN Concentrator. (See Monitoring | Routing Table.) The Manager refreshes the screen after it generates the list, and you can then edit the Network List and the List Name.
•
Apply — Click to add this network list to the configured network lists. The Manager displays either the Remote Network List screen or the Configuration | Tunneling and Security | IPSec | LAN-to-LAN | Add | Done screen.
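The wildcard-mask note and the Network List text box above both rely on the same arithmetic: a wildcard mask is the complement of a subnet mask, a 1 bit means "ignore", and an omitted mask gets the classful default. The following Python is an added example, not Cisco code, that implements those rules so you can check a list before pasting it into the Manager. The 200-entry limit and the classful defaults come from the page; the function names and the mirror check (Local Network here must equal Remote Network on the peer) are this example's own.

```python
"""Wildcard masks and n.n.n.n/w.w.w.w network lists as the Manager interprets them.
Added example; not Concentrator code."""
import ipaddress

MAX_LIST_ENTRIES = 200          # page: at most 200 networks per network list
ALL_ONES = 0xFFFFFFFF


def _to_int(dotted):
    """Dotted quad -> 32-bit int; raises ValueError on malformed input."""
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def subnet_to_wildcard(subnet_mask):
    """A wildcard mask is the bitwise complement of the subnet mask."""
    return _to_dotted(_to_int(subnet_mask) ^ ALL_ONES)


def default_wildcard(network):
    """Classful default the Manager supplies when the mask is omitted:
    Class A -> 0.255.255.255, Class B -> 0.0.255.255, Class C -> 0.0.0.255."""
    first_octet = _to_int(network) >> 24
    if first_octet < 128:
        return "0.255.255.255"
    if first_octet < 192:
        return "0.0.255.255"
    return "0.0.0.255"


def matches(address, network, wildcard):
    """True when address agrees with network in every bit where the wildcard is 0.
    Bits where the wildcard is 1 are ignored, so 0.0.0.0/255.255.255.255 matches
    everything and 10.10.1.35/0.0.0.0 matches only 10.10.1.35. Non-contiguous
    wildcards such as 0.0.255.0 are handled the same way."""
    care = _to_int(wildcard) ^ ALL_ONES
    return (_to_int(address) & care) == (_to_int(network) & care)


def parse_network_list(text):
    """Parse the Network List text box: one 'n.n.n.n/w.w.w.w' per line; a bare
    'n.n.n.n' gets the classful default wildcard. Returns (network, wildcard) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "/" in line:
            network, wildcard = (part.strip() for part in line.split("/", 1))
        else:
            network, wildcard = line, default_wildcard(line)
        _to_int(network)        # validate both halves before accepting the entry
        _to_int(wildcard)
        entries.append((network, wildcard))
    if len(entries) > MAX_LIST_ENTRIES:
        raise ValueError("network list holds %d entries; limit is %d"
                         % (len(entries), MAX_LIST_ENTRIES))
    return entries


def lists_mirror(local_list, peer_remote_list):
    """The Local Network list on this Concentrator must equal the Remote Network
    list on the peer; order of entries is irrelevant."""
    return set(local_list) == set(peer_remote_list)
```

Run `parse_network_list` over the text you intend to paste and `lists_mirror` over the two sides' lists; a mismatch is the usual reason a LAN-to-LAN tunnel negotiates Phase 1 and then fails Phase 2.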
IPSec | LAN-to-LAN | Add | Done
The Manager displays this screen when you have finished configuring all parameters for a new IPSec LAN-to-LAN connection. It documents the added configuration entities.
The Manager displays this screen only once. We suggest you print a copy of the screen to save it for your records.
To examine or modify an entity, see the appropriate screen:
•
Group: See Configuration | User Management | Groups.
•
Security Association: See Configuration | Policy Management | Traffic Management | Security Associations.
•
Filter Rules: See Configuration | Policy Management | Traffic Management | Rules.
You cannot delete the group, SA, or rules individually, nor can you remove the rules from their filter. The system automatically deletes them when you delete the LAN-to-LAN connection.
Figure 15-11 Configuration | Tunneling and Security | IPSec LAN-to-LAN | Add | Done Screen
•
OK — Click to close this screen and return to the Configuration | Tunneling and Security | IPSec | LAN-to-LAN screen. The LAN-to-LAN Connection list shows the new connection, and the Manager includes all the new settings in the active configuration.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
IPSec | IKE Proposals
This section of the Manager lets you configure, add, modify, activate, deactivate, delete, and prioritize IKE proposals, which are sets of parameters for Phase 1 IPSec negotiations. During Phase 1, the two peers establish a secure tunnel within which they then negotiate the Phase 2 parameters.
The VPN Concentrator uses IKE proposals both as initiator and responder in IPSec negotiations. In LAN-to-LAN connections, the VPN Concentrator can function as initiator or responder. In client-to-LAN connections, the VPN Concentrator functions only as responder.
You must configure, activate, and prioritize IKE proposals before you configure IPSec Security Associations. See Configuration | Policy Management | Traffic Management | Security Associations, or click the Security Associations link on this screen.
You must also configure and activate IKE proposals before configuring IPSec LAN-to-LAN connections. See Configuration | Tunneling and Security | IPSec | LAN-to-LAN.
You can configure a maximum of 150 IKE proposals total (active and inactive).
Figure 15-12 Configuration | Tunneling and Security | IPSec | IKE Proposals Screen
Cisco supplies default IKE proposals that you can use or modify; see Table 15-3. All of the default IKE proposals have a Data Lifetime value of 10000 KB and a Time Lifetime value of 86400 seconds. All use time for Lifetime Measurement.
The documentation for the VPN Client and for the VPN 3002 Hardware Client each include a table of all valid IKE proposals for remote access connections. See Configuration | Tunneling and Security | IPSec | IKE Proposals | Add, Modify, or Copy for explanations of the parameters.
Table 15-3 Cisco-Supplied Default IKE Proposals: Proposals Active by Default
Proposal Name | Authentication Mode | Authentication Algorithm | Encryption Algorithm | Diffie-Hellman Group
CiscoVPNClient-3DES-MD5 | Preshared Keys (XAUTH) | MD5/HMAC-128 | 3DES-168 | 2 (1024-bits)
IKE-3DES-MD5 | Preshared Keys | MD5/HMAC-128 | 3DES-168 | 2
IKE-3DES-MD5-DH1 | Preshared Keys | MD5/HMAC-128 | 3DES-168 | 1 (768-bits)
IKE-DES-MD5 | Preshared Keys | MD5/HMAC-128 | DES-56 | 1
IKE-3DES-MD5-DH7 | Preshared Keys | MD5/HMAC-128 | 3DES-168 | 7 (ECC)
IKE-3DES-MD5-RSA | RSA Digital Certificate | MD5/HMAC-128 | 3DES-168 | 2 (1024-bits)
IKE-AES128-SHA | Preshared Keys | SHA/HMAC-160 | AES-128 | 2
CiscoVPNClient-AES128-SHA | Preshared Keys | SHA/HMAC-160 | AES-128 | 2
CiscoVPNClient-3DES-MD5-DH5 | Preshared Keys (XAUTH) | MD5/HMAC-128 | 3DES-168 | 5 (1536-bits)
HYBRID_AES256_SHA_RSA_DH5 | RSA Cert (HYBRID) | SHA/HMAC-160 | AES-256 | 5
HYBRID_AES256_SHA_RSA_DH2 | RSA Cert (HYBRID) | SHA/HMAC-160 | AES-256 | 2
HYBRID_AES192_SHA_RSA_DH2 | RSA Cert (HYBRID) | SHA/HMAC-160 | AES-192 | 2
HYBRID_3DES_SHA_RSA_DH5 | RSA Cert (HYBRID) | SHA/HMAC-160 | 3DES-168 | 5
HYBRID_3DES_SHA_RSA_DH2 | RSA Cert (HYBRID) | SHA/HMAC-160 | 3DES-168 | 2
HYBRID_AES128_SHA_RSA_DH2 | RSA Cert (HYBRID) | SHA/HMAC-160 | AES-128 | 2
Table 15-4 Cisco-Supplied Default IKE Proposals: Proposals Inactive by Default
Proposal Name | Authentication Mode | Authentication Algorithm | Encryption Algorithm | Diffie-Hellman Group
IKE-3DES-SHA-DSA | DSA Digital Certificate | SHA/HMAC-160 | 3DES-168 | 2 (1024-bits)
IKE-3DES-MD5-RSA-DH1 | RSA Digital Certificate | MD5/HMAC-128 | 3DES-168 | 1 (768-bits)
IKE-DES-MD5-DH7 | Preshared Keys | MD5/HMAC-128 | DES-56 | 7 (ECC)
CiscoVPNClient-3DES-MD5-RSA | RSA Certificate (XAUTH) | MD5/HMAC-128 | 3DES-168 | 2
CiscoVPNClient-3DES-SHA-DSA | DSA Certificate (XAUTH) | SHA/HMAC-160 | 3DES-168 | 2
CiscoVPNClient-AES256-SHA | Preshared Keys | SHA/HMAC-160 | AES-256 | 2
IKE-AES256-SHA | Preshared Keys | SHA/HMAC-160 | AES-256 | 2
HYBRID_3DES_MD5_DH5 | RSA Cert (HYBRID) | MD5/HMAC-128 | 3DES-168 | 5
HYBRID_3DES_MD5_DH2 | RSA Cert (HYBRID) | MD5/HMAC-128 | 3DES-168 | 2
Screen Elements
•
Active Proposals — The field shows the names of IKE proposals that have been configured, activated, and prioritized. As an IPSec responder, the VPN Concentrator checks these proposals in priority order, to see if it can find one that agrees with parameters in the initiator's proposed SA.
Activating a proposal also makes it available for use wherever the Manager displays an IKE Proposal list, and the first active proposal appears as the default selection.
•
Inactive Proposals — The field shows the names of IKE proposals that have been configured but are inactive. New proposals appear in this list when you first configure and add them. The VPN Concentrator does not use these proposals in any IPSec negotiations, nor do they appear in IKE Proposal lists.
Note
To configure L2TP over IPSec, you must activate IKE-3DES-MD5-RSA. Also see the Configuration | User Management screens.
•
Activate — To activate an inactive IKE proposal, select it from the Inactive Proposals list and click the Activate button. The Manager moves the proposal to the Active Proposals list and refreshes the screen.
•
Deactivate — To deactivate an active IKE proposal, select it from the Active Proposals list and click the Deactivate button. If the active proposal is configured on an SA, the Manager displays an error message; and you must remove it from the SA before you can deactivate it. Otherwise, the Manager moves the proposal to the Inactive Proposals list and refreshes the screen.
•
Move Up / Move Down — To change the priority order of an active IKE proposal, select it from the Active Proposals list and click Move Up or Move Down. The Manager refreshes the screen and shows the reordered Active Proposals list. These actions move the proposal up or down one position.
•
Add — Click to configure and add a new IKE proposal to the list of Inactive Proposals. See Configuration | Tunneling and Security | IPSec | IKE Proposals | Add, Modify, or Copy.
•
Modify — To modify a configured IKE proposal, select it from either Active Proposals or Inactive Proposals and click the Modify button. See Configuration | Tunneling and Security | IPSec | IKE Proposals | Add, Modify, or Copy. Modifying an active proposal does not affect connections currently using it, but changes do affect subsequent connections.
•
Copy — To use a configured IKE proposal as the basis for configuring and adding a new one, select it from either Active Proposals or Inactive Proposals and click the Copy button. See Configuration | Tunneling and Security | IPSec | IKE Proposals | Add, Modify, or Copy. The new proposal appears in the Inactive Proposals list.
•
Delete — To delete a configured IKE proposal, select it from either Active Proposals or Inactive Proposals and click the Delete button. If an active proposal is configured on an SA, the Manager displays an error message; and you must remove it from the SA before you can delete it. Otherwise, there is no confirmation or undo. The Manager refreshes the screen and shows the remaining IKE proposals in the list.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
IPSec | IKE Proposals | Add, Modify, or Copy
These screens let you:
•
Add: Configure and add a new inactive IKE proposal.
•
Modify: Modify a previously configured IKE proposal.
•
Copy: Copy a configured IKE proposal, modify its parameters, save it with a new name, and add it to the configured inactive IKE proposals.
You can configure a maximum of 150 IKE proposals total (active and inactive), and you can make any number of them active.
Figure 15-13 Configuration | Tunneling and Security | IPSec | IKE Proposals | Add Screen
Screen Elements
•
Proposal Name — Enter a unique name for this IKE proposal. The maximum name length is 48 characters. Entries are case-sensitive. Spaces are allowed.
•
Authentication Mode — This parameter specifies how to authenticate the remote client or peer. Authentication proves that the connecting entity is the one you think it is. If you select one of the digital certificate modes, an appropriate digital certificate must be installed on this VPN Concentrator and the remote client or peer. See the discussion under Administration | Certificate Management.
Click this drop-down menu button and choose the method:
–
Preshared Keys = Use preshared keys (the default). The keys are derived from the password of the user's or peer's group.
–
RSA Digital Certificate = Use a digital certificate with keys generated by the RSA algorithm.
–
DSA Digital Certificate = Use a digital certificate with keys generated by the DSA algorithm.
–
Preshared Keys (XAUTH) = Use preshared keys derived from the password of the user's or peer's group, and additionally require user-based authentication via XAUTH.
–
RSA Digital Certificate (XAUTH) = Use a digital certificate with keys generated by the RSA algorithm. Require user-based authentication via XAUTH.
–
DSA Digital Certificate (XAUTH) = Use a digital certificate with keys generated by the DSA algorithm. Require user-based authentication via XAUTH.
–
RSA Digital Certificate (HYBRID) = Asymmetric authentication: the Concentrator authenticates itself with an RSA digital signature, while the user authenticates via XAUTH (mutual group authentication).
–
DSA Digital Certificate (HYBRID) = Asymmetric authentication: the Concentrator authenticates itself with a DSA digital signature, while the user authenticates via XAUTH (mutual group authentication).
•
Authentication Algorithm — This parameter specifies the data, or packet, authentication algorithm. Packet authentication proves that data comes from the source you think it comes from.
Click this drop-down menu button and choose one of the following algorithms:
–
MD5/HMAC-128 = HMAC (Hash-based Message Authentication Code) with the MD5 hash function using a 128-bit key. This is the default choice.
–
SHA/HMAC-160 = HMAC with the SHA-1 hash function using a 160-bit key. This choice is more secure but requires more processing overhead.
•
Encryption Algorithm — This parameter specifies the data, or packet, encryption algorithm. Data encryption makes the data unreadable if intercepted.
Click this drop-down menu button and choose the algorithm:
–
DES-56 = Data Encryption Standard (DES) encryption with a 56-bit key.
–
3DES-168 = Triple-DES encryption with a 168-bit key. This is the default.
–
AES-128 = Advanced Encryption Standard (AES) encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than triple DES.
–
AES-192 = AES encryption with a 192-bit key.
–
AES-256 = AES encryption with a 256-bit key.
When you select an encryption algorithm, the Manager selects and displays the default Diffie-Hellman group for that encryption algorithm.
•
Diffie-Hellman Group — This parameter specifies the Diffie-Hellman group used in the Phase 1 exchange to derive the IKE SA keys. Diffie-Hellman lets the two peers agree on a shared secret from a public prime modulus and generator without ever sending the secret itself; the larger the group, the harder that secret is to recover. When you choose an encryption algorithm, the Manager automatically selects the default Diffie-Hellman group for that algorithm; you can change the group here if you want, subject to the constraints noted below.
Note
For the VPN 3002 Hardware Client: To use Groups 1 or 5, you must be using digital certificates. Otherwise, only Group 2 is available. To use Groups 1 or 5, make sure there is a digital certificate installed on the VPN 3002; and on the VPN Concentrator, choose one of the digital certificate authentication options under Authentication Mode.
Click this drop-down menu button and choose the group:
–
Group 1 (768-bits) = Use Diffie-Hellman Group 1, a 768-bit prime modulus, to derive the IKE SA keys. Choose this option if you select DES-56 under Encryption Algorithm.
–
Group 2 (1024-bits) = Use Diffie-Hellman Group 2, a 1024-bit prime modulus. This is the default choice for use with the 3DES-168 encryption algorithm.
–
Group 5 (1536-bits) = Use Diffie-Hellman Group 5, a 1536-bit prime modulus. This is the default choice for use with the AES encryption algorithms. It works only for LAN-to-LAN connections, and for clients using certificates.
–
Group 7 (ECC) = Use Diffie-Hellman Group 7, an elliptic curve group over a 163-bit field. You can use this option with any encryption algorithm. This option is intended for use with the movianVPN client, but you can use it with any peers that support Group 7 (ECC).
•
Lifetime Measurement — This parameter specifies how to measure the lifetime of the IKE SA keys, which is how long the IKE SA lasts until it expires and must be renegotiated with new keys. It is used with the Data Lifetime or Time Lifetime parameters.
Note
If the peer proposes a shorter lifetime measurement, the VPN Concentrator uses that lifetime measurement instead.
Click this drop-down menu button and choose the measurement method:
–
Time = Use time (seconds) to measure the lifetime of the SA (the default). Configure the Time Lifetime parameter below.
–
Data = Use data (number of kilobytes) to measure the lifetime of the SA. Configure the Data Lifetime parameter below.
–
Both = Use both time and data, whichever occurs first, to measure the lifetime. Configure both Time Lifetime and Data Lifetime parameters.
–
None = No lifetime measurement. The IKE SA lasts until it is terminated for another reason, but never longer than 86400 seconds (24 hours).
•
Data Lifetime — If you choose Data or Both under Lifetime Measurement, enter the number of kilobytes of payload data after which the IKE SA expires. The minimum number is 10 KB. The default number is 10000 KB. The maximum number is 2147483647 KB.
•
Time Lifetime — If you choose Time or Both under Lifetime Measurement, enter the number of seconds after which the IKE SA expires. The minimum number is 60 seconds. The default number is 86400 seconds (24 hours). The maximum number is 2147483647 seconds (about 68 years).
•
Add / Apply (Add or Copy screen) — To add this IKE proposal to the list of Inactive Proposals, click Add or Apply. The Manager returns to the Configuration | Tunneling and Security | IPSec | IKE Proposals screen. To use the new proposal, you must activate and prioritize it as explained for that screen.
•
Apply (Modify screen) — To apply your changes to this IKE proposal, click Apply. The Manager returns to the Configuration | Tunneling and Security | IPSec | IKE Proposals screen. If you modify an active proposal, changes do not affect connections currently using it, but they do affect subsequent connections.
•
Cancel — Click to discard your settings. The Manager returns to the Configuration | Tunneling and Security | IPSec | IKE Proposals screen, and the IKE proposals lists are unchanged.
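The IKE Proposals screen describes the responder behaviour (walk the active list in priority order and take the first proposal that agrees with the initiator's SA) and the lifetime rule (a shorter peer lifetime wins). The Python below is an added example, not Concentrator code, that models both so you can see why the order of the Active Proposals list matters more than the order the peer offers transforms in. The proposal attributes are copied from Table 15-3; the Offer type, the select and audit functions, and the judgement that DES-56, MD5 and DH group 1 are weak are this example's own.

```python
"""Responder-side IKE Phase 1 proposal selection, modelled on the Concentrator's
documented behaviour. Added example; not Cisco code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeProposal:
    name: str
    auth_mode: str        # "psk", "rsa-sig", "dsa-sig", "psk-xauth", ...
    hash_alg: str         # "md5" or "sha1"
    enc_alg: str          # "des", "3des", "aes128", "aes192", "aes256"
    dh_group: int         # 1, 2, 5 or 7
    time_lifetime: int = 86400   # seconds; page default
    data_lifetime: int = 10000   # kilobytes; page default


@dataclass(frozen=True)
class Offer:
    """One transform from the initiator's SA payload (it may send several)."""
    auth_mode: str
    hash_alg: str
    enc_alg: str
    dh_group: int
    time_lifetime: int


# Active IKE-* defaults in the order Table 15-3 lists them (priority order).
DEFAULT_ACTIVE = [
    IkeProposal("IKE-3DES-MD5", "psk", "md5", "3des", 2),
    IkeProposal("IKE-3DES-MD5-DH1", "psk", "md5", "3des", 1),
    IkeProposal("IKE-DES-MD5", "psk", "md5", "des", 1),
    IkeProposal("IKE-3DES-MD5-DH7", "psk", "md5", "3des", 7),
    IkeProposal("IKE-3DES-MD5-RSA", "rsa-sig", "md5", "3des", 2),
    IkeProposal("IKE-AES128-SHA", "psk", "sha1", "aes128", 2),
]


def _key(item):
    return (item.auth_mode, item.hash_alg, item.enc_alg, item.dh_group)


def select_proposal(active, offers):
    """Return (proposal, negotiated_time_lifetime) or None. Local priority wins:
    the first *local* proposal that any offered transform matches is chosen,
    whatever order the initiator listed its transforms in. If the peer proposes
    a shorter lifetime, the peer's value is used."""
    for proposal in active:
        for offer in offers:
            if _key(proposal) == _key(offer):
                return proposal, min(proposal.time_lifetime, offer.time_lifetime)
    return None


def move_to_top(active, name):
    """Equivalent of pressing Move Up until the named proposal is first."""
    chosen = [p for p in active if p.name == name]
    return chosen + [p for p in active if p.name != name]


# Parameters a reviewer would flag in an active proposal (this example's judgement).
WEAK = {
    "enc_alg": {"des": "DES-56 (56-bit key)"},
    "hash_alg": {"md5": "MD5"},
    "dh_group": {1: "DH group 1 (768-bit modulus)"},
}


def audit(active):
    """Map each active proposal name to the weak parameters it would accept.
    Any active proposal is negotiable by any peer that offers it, so a weak
    proposal left active is attack surface even if your own peers never use it."""
    report = {}
    for proposal in active:
        reasons = [WEAK[field][getattr(proposal, field)]
                   for field in WEAK if getattr(proposal, field) in WEAK[field]]
        if reasons:
            report[proposal.name] = reasons
    return report
```

With the defaults, a peer that offers AES-128/SHA first and 3DES/MD5 second still ends up on 3DES/MD5, because IKE-3DES-MD5 sits above IKE-AES128-SHA in the local list; moving IKE-AES128-SHA to the top (or deactivating the MD5 proposals) is what changes the outcome.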
IPSec | NAT Transparency
This screen lets you configure NAT Transparency, which consists of IPSec over TCP and IPSec over NAT Traversal (NAT-T).
About IPSec Over TCP
IPSec over TCP enables a VPN client to operate in an environment in which standard Encapsulating Security Payload (ESP, IP protocol 50) or Internet Key Exchange (IKE, UDP port 500) traffic cannot pass, or can pass only after changes to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and enables secure tunneling through NAT and PAT devices and firewalls.
Note
This feature does not work with proxy-based firewalls.
IPSec over TCP works with both the VPN software client and the VPN 3002 hardware client. It works only on the public interface. It is a client to Concentrator feature only. It does not work for LAN-to-LAN connections.
•
The VPN Concentrator can simultaneously support standard IPSec, IPSec over TCP, NAT-Traversal, and IPSec over UDP, depending on the client with which it is exchanging data.
•
The VPN 3002 hardware client, which supports one tunnel at a time, can connect using standard IPSec, IPSec over TCP, NAT-Traversal, or IPSec over UDP.
•
When enabled, IPSec over TCP takes precedence over all other methods.
•
When both NAT-T and IPSec over UDP are enabled, NAT-T takes precedence.
To use IPSec over TCP, both the VPN Concentrator and the client must:
•
Be running version 3.5 or later software.
•
Enable IPSec over TCP.
•
Configure the same port for IPSec over TCP on both the Concentrator and the client.
You enable IPSec over TCP on both the Concentrator and the client to which it connects. For software clients, refer to the VPN Client User Guide for configuration instructions. For the VPN 3002 hardware client, refer to the VPN 3002 Hardware Client Getting Started guide, and to the VPN 3002 Hardware Client Reference.
If you enter a well-known port, for example port 80 (HTTP) or port 443 (HTTPS), the system displays a warning that the protocol associated with that port will no longer work on the public interface. The consequence is that you can no longer use a browser to manage the VPN Concentrator through the public interface. To solve this problem, reconfigure the HTTP/HTTPS management to different ports.
You must configure TCP port(s) on the client as well as on the VPN Concentrator. The client configuration must include at least one of the ports you set for the VPN Concentrator here.
About IPSec over NAT-T
NAT-T (NAT Traversal) lets IPSec peers establish a connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPSec traffic when necessary.
Both the VPN Client and the VPN 3002 Hardware Client support NAT-T in software version 3.6 and later.
•
To enable NAT-T on the VPN Client, see the VPN Client Administrator Guide.
•
The VPN 3002 uses NAT-T by default, and requires no configuration.
Remote access clients that support both NAT-T and IPSec/UDP attempt NAT-T first. When NAT-T detects no NAT device it sends native IPSec, so the client then uses IPSec/UDP (if enabled), which encapsulates regardless of NAT and lets the traffic pass firewalls that block native IPSec.
The VPN Concentrator implementation of NAT-T supports IPSec peers behind a single NAT/PAT device as follows:
•
One Microsoft L2TP/IPSec client.
•
One LAN-to-LAN connection.
•
Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both.
To use NAT-T you must:
•
Open UDP port 4500 on any firewall you have configured in front of a VPN Concentrator.
•
Reconfigure previous IPSec/UDP configurations using port 4500 to a different port.
•
Select the second or third option for the Fragmentation Policy parameter in the Configuration | Interfaces | Ethernet screen. These options let traffic travel across NAT devices that do not support IP fragmentation; they do not impede the operation of NAT devices that do support IP fragmentation.
•
Check the box in this screen to Enable IPSec over NAT-T.
Note
IPSec over TCP is a TCP encapsulation rather than a full TCP connection. In software versions prior to 3.6.7.B, the VPN Concentrator did not limit data transmission by window size, so sometimes stateful firewalls shut down the TCP session. In software versions 3.6.7.B and later, the VPN Concentrator enforces a 64K window size on the connection to avoid connection shutdown. As a result, large data transfers might result in packet loss of end-to-end data. The VPN Concentrator does not retransmit dropped packets; the peer application must detect the dropping and recover from it. If you are running UDP streaming applications such as video or voice, you might notice choppy transmission.
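The NAT-T description above (and the identical one under the LAN-to-LAN connection screen) says only that IPSec is wrapped in UDP datagrams on port 4500. What actually arrives on that port is one of three things, and a firewall or IDS engineer needs to tell them apart: a one-byte NAT keepalive, an IKE message prefixed with a four-zero-byte "non-ESP marker", or an ESP packet whose first four bytes are its SPI (an SPI of 0 is reserved, which is what makes the marker unambiguous). The Python below is an added example, not Concentrator code; the byte layout follows RFC 3948 and RFC 3947 rather than anything on this page, the datagrams are constructed by hand, and the function and constant names are this example's own.

```python
"""Demultiplex what NAT-T puts on UDP port 4500: NAT keepalive, IKE behind the
non-ESP marker, or UDP-encapsulated ESP (RFC 3948 / RFC 3947).
Added example; not Cisco code. Sample datagrams are constructed, not captured."""
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # ESP SPI 0 is reserved, so 4 zero bytes can only be IKE
NAT_KEEPALIVE = b"\xff"                # one-byte datagram that keeps the NAT mapping alive
# IKE header: initiator SPI, responder SPI, next payload, version, exchange type,
# flags, message ID, total length.
IKE_HEADER = struct.Struct("!8s8sBBBBII")

IKEV1_EXCHANGES = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}


def classify(payload):
    """Describe one UDP/4500 payload as a dict with a 'kind' key."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER.size:
            return {"kind": "malformed", "reason": "short IKE header"}
        (i_spi, r_spi, _next_payload, version, exch,
         _flags, msg_id, length) = IKE_HEADER.unpack(ike[:IKE_HEADER.size])
        return {
            "kind": "ike",
            "version": "%d.%d" % (version >> 4, version & 0xF),
            "exchange": IKEV1_EXCHANGES.get(exch, "type %d" % exch),
            "initiator_spi": i_spi.hex(),
            "responder_spi": r_spi.hex(),
            "message_id": msg_id,
            "length_ok": length == len(ike),    # header length must cover the whole message
        }
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])   # ESP: SPI then sequence number
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "malformed", "reason": "too short"}


def build_ike_datagram(i_spi, r_spi, exch, msg_id, body=b""):
    """Construct an IKEv1 message (header + body) with the non-ESP marker prepended."""
    header = IKE_HEADER.pack(i_spi, r_spi, 1, 0x10, exch, 0, msg_id, IKE_HEADER.size + len(body))
    return NON_ESP_MARKER + header + body


# Constructed samples: an ESP packet (SPI, seq, opaque ciphertext) and a bare
# main-mode IKE header with a zero responder SPI, as in the first message of Phase 1.
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + bytes(24)
SAMPLE_IKE = build_ike_datagram(b"\x11" * 8, bytes(8), 2, 0)

if __name__ == "__main__":
    for name, datagram in (("keepalive", NAT_KEEPALIVE), ("esp", SAMPLE_ESP), ("ike", SAMPLE_IKE)):
        print(name, classify(datagram))
```

Everything after the 8-byte ESP header is ciphertext, so a stateful firewall in front of the Concentrator sees an opaque UDP flow; the keepalive exists precisely so that flow does not time out of the NAT or firewall state table.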
Figure 15-14 Configuration | Tunneling and Security | IPSec | NAT Transparency Screen
Screen Elements
•
IPSec over TCP — Check the box to enable IPSec over TCP.
•
TCP Port(s) — Enter up to 10 ports, separated by commas; spaces are not required. The default port is 10000. The range is 1 to 65535.
•
IPSec over NAT-T — Check the box to enable IPSec over NAT Traversal.
•
Apply — Click to apply your IPSec over TCP and NAT-T settings. The Manager returns to the Configuration | Tunneling and Security | IPSec screen.
•
Cancel — Click to discard your settings. The Manager returns to the Configuration | Tunneling and Security | IPSec screen, and your configuration is unchanged.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
IPSec | Alerts
The VPN Concentrator notifies qualified VPN Concentrator peers (in LAN-to-LAN configurations), VPN Clients and VPN 3002 Hardware Clients of sessions that are about to be disconnected, and it conveys to them the reason. The Concentrator or client receiving the alert decodes the reason and displays it in the event log or in a pop-up screen. This feature is enabled by default.
This screen lets you disable the feature so that the VPN Concentrator does not send or receive these alerts.
Qualified Clients and Peers
IPSec clients and VPN Concentrators receive alerts about impending disconnects according to the following qualifications:
•
VPN Clients running 4.0 or greater software (no configuration required).
•
VPN 3002 Hardware Clients running 4.0 or greater software, with Alerts enabled.
•
VPN Concentrators running 4.0 or greater software, with Alerts enabled.
Figure 15-15 Configuration | Tunneling and Security | IPSec | Alerts Screen
Screen Elements
•
Alert when disconnecting — By default alerts are enabled. Uncheck the box to disable alerts. When you disable alerts:
–
The VPN Concentrator does not notify clients or peer VPN Concentrators when it disconnects a session.
–
The VPN Concentrator does not receive alerts from VPN 3002 Hardware Clients, software clients, or peer VPN Concentrators when they disconnect a session.
•
Apply — Click to apply your Alert setting, and to include your setting in the active configuration. The Manager returns to the Configuration | Tunneling and Security | IPSec screen.
•
Cancel — Click to discard your settings. The Manager returns to the Configuration | Tunneling and Security | IPSec screen.
SSH
This screen lets you configure the VPN Concentrator SSH (Secure Shell) protocol server. SSH is a secure Telnet-like terminal emulator protocol that you can use to manage the VPN Concentrator, using the Command Line Interface, over a remote connection. The VPN Concentrator supports SSH1 (protocol version 1.5), which uses two RSA keys for security. All communication over the connection is encrypted.
At the start of an SSH session, the VPN Concentrator sends both a host key and a server key to the client, which responds with a session key that it generates and encrypts using the host and server keys. The RSA key of the SSL certificate is used as the host key, which uniquely identifies the VPN Concentrator. See the next section, Configuration | Tunneling and Security | SSL.
Figure 15-16 Configuration | Tunneling and Security | SSH Screen
Screen Elements
•
Enable SSH — Check this box to enable the SSH server. The box is checked by default. Disabling the SSH server provides additional security by preventing SSH access.
•
SSH Port — Enter the port number that the SSH server uses. The default value is 22.
•
Maximum Sessions — Enter the maximum number of concurrent SSH sessions allowed. The minimum number is 1. The default number is 4. The maximum number is 10. The maximum number of concurrent SSH sessions is also limited by the maximum number of Telnet connections configured on the Configuration | System | Management Protocols | Telnet screen.
•
Key Regeneration Period — Enter the server key regeneration period in minutes. If the server key has been used for an SSH session, the VPN Concentrator regenerates the key at the end of this period. The minimum is 0 minutes (which disables key regeneration), the default is 60 minutes, and the maximum is 10080 minutes (1 week). Use 0 (disable key regeneration) only for testing, since it lessens security.
•
Encryption Protocols — Check the boxes for the encryption algorithms that the VPN Concentrator SSH server can negotiate with a client and use for session encryption. You must check at least one encryption algorithm to enable a secure session. Unchecking all algorithms disables SSH.
•
3DES-168 — Triple-DES encryption with a 168-bit key. This option is the most secure but requires the greatest processing overhead.
•
RC4-128 — RC4 encryption with a 128-bit key. This option provides adequate performance and security.
•
DES-56 — DES encryption with a 56-bit key. This option is least secure but provides the greatest export flexibility.
•
No Encryption — Connect without encryption. This option provides no security and is for testing only. It is unchecked by default.
Note
The VPN Concentrator does not support the IDEA or Blowfish algorithms.
•
Enable SCP — Check this box to enable file transfers using secure copy (SCP) over SSH.
•
Apply — Click to apply your SSH settings, and to include your settings in the active configuration. The Manager returns to the Configuration | Tunneling and Security screen.
•
Cancel — Click to discard your settings. The Manager returns to the Configuration | Tunneling and Security screen.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
SSL
This screen lets you set Secure Socket Layer (SSL) options for management and for WebVPN remote access sessions.
SSL creates a secure session between the remote access user, also called a client, and the VPN Concentrator. The user first authenticates the Concentrator, they negotiate session security parameters, and then they encrypt all data passing during the session. If, during negotiation, they cannot agree on security parameters, the session terminates.
SSL uses digital certificates for authentication. The VPN Concentrator creates a self-signed SSL server certificate when it boots; or you can install in the VPN Concentrator an SSL certificate that has been issued in a PKI context. This certificate must then be installed in the client. You need to install the certificate from a given VPN Concentrator only once.
Note
If you have the Cisco SSL VPN Client loaded and a secure tunnel established, and you attempt to manage the VPN Concentrator's public interface (over HTTPS), the management traffic does not use the SSL VPN Client tunnel. The client establishes a separate secure SSL tunnel for the management traffic.
Figure 15-17 Configuration | Tunneling and Security | SSL Screen
Screen Elements
•
HTTPS — Click to disable or enable HTTPS and configure the HTTPS port and client authentication.
HTTPS, also known as HTTP over SSL, lets you use a web browser over a secure, encrypted connection to communicate with and manage the VPN Concentrator.
To use WebVPN, you must enable HTTPS.
•
Protocols — Click to configure:
–
The encryption algorithms that the VPN Concentrator SSL server can negotiate with a client to use for session encryption
–
The SSL version to use
SSL | HTTPS
This screen lets you configure HTTPS (HTTP over SSL). HTTPS lets you use a web browser over a secure, encrypted connection to manage the VPN Concentrator.
SSL creates a secure session between the client and the VPN Concentrator server. The client first authenticates the server, they negotiate session security parameters, and then they encrypt all data passed during the session. If, during negotiation, the server and client cannot agree on security parameters, the session terminates.
SSL uses digital certificates for authentication. The VPN Concentrator creates a self-signed SSL server certificate when it boots; or you can install in the VPN Concentrator an SSL certificate that has been issued in a PKI context. For HTTPS, this certificate must then be installed in the client. You need to install the certificate from a given VPN Concentrator only once.
Note
To ensure the security of your connection to the VPN Concentrator Manager, clicking Apply on this screen—even if you have made no changes—breaks your connection to the Manager and you must restart the Manager session from the login screen.
Related information:
•
For information on installing the SSL digital certificate in your browser and connecting via HTTPS, see "Using the VPN Concentrator Manager".
•
To manage SSL digital certificates, see the Administration | Certificate Management screens.
Using digital certificates to authenticate clients requires several steps. See the option that follows, Client Authentication, for instructions.
Figure 15-18 Configuration | Tunneling and Security | SSL | HTTPS Screen
Screen Elements
•
Enable HTTPS — Check this box to enable the HTTPS server. The box is checked by default. HTTPS lets you use the VPN Concentrator Manager over an encrypted connection. WebVPN connections require HTTPS.
•
HTTPS Port — Enter the port number that the HTTPS server uses. The default value is 443.
Note
The VPN Concentrator Manager requires either the HTTP or HTTPS server. Clicking Apply, even if you have made no changes on this screen, breaks your HTTP/HTTPS connection and you must restart the Manager session from the login screen.
If you disable either HTTP or HTTPS, and that is the protocol you are currently using, you can reconnect with the other protocol if it is enabled and configured.
If you disable both HTTP and HTTPS, you cannot use a web browser to connect to the VPN Concentrator. Use the Cisco VPN Concentrator Command Line Interface from the console or a Telnet session.
•
Client Authentication — Check this box to enable SSL client authentication with digital certificates. The box is unchecked by default. In the most common SSL connection, the client authenticates the server, not vice-versa.
Client authentication requires a personal certificate installed in the browser, and a trusted certificate installed in the server. Specifically, the VPN Concentrator must have a root CA certificate installed; and a certificate signed by one of the VPN Concentrator's trusted CAs must be installed in the web browser on the PC you are using to manage the VPN Concentrator. See Administration | Certificate Management for instructions on enrolling with a CA and installing digital certificates.
You must also configure a RADIUS authorization server, and set values for several parameters in the Configuration | User Management | Base Group/Groups screens.
•
Apply — Click to apply your HTTPS settings, and to include your settings in the active configuration. The Manager returns to the Configuration | Tunneling and Security screen.
•
Cancel — Click to discard your settings. The Manager returns to the Configuration | Tunneling and Security screen.
Configuring a RADIUS or LDAP Server
To authenticate WebVPN users with digital certificates, you must configure an external RADIUS or LDAP authorization server and identify it on the VPN Concentrator. See Configuration | System | Servers | Authorization | Add or Modify.
Setting Authentication and Authorization Values
To authenticate WebVPN users with digital certificates, you must configure four parameters on the Configuration | User Management | Base Group | IPSec Tab or Groups | IPSec Tab. These parameters are:
•
Authentication: Set the value to None.
•
Authorization Type: Set the value to RADIUS or LDAP.
•
Authorization Required: Check the box.
•
DN Field: Users authenticate according to the value in the field you select. For example, if the DN field on the VPN Concentrator is CN, and the CN field on the client certificate is John Doe, the VPN Concentrator sends the entire string, "CN=John Doe" to the authorization server.
Note
When users authenticate using digital certificates, the Port Forwarding Java applet does not work. Java does not have the ability to access the web browser's keystore; therefore Java cannot use the certificates that the browser used for user authentication, and the application cannot start.
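The DN Field behaviour described above, as an added example that is not part of the original manual: it picks the configured attribute out of a client certificate's subject and builds the string the VPN Concentrator would send to the authorization server. The subject strings are constructed samples in RFC 4514 form; the parser's handling of backslash-escaped commas is an assumption about input, not a statement about the Concentrator's internals.

```python
# Added example (not Cisco's code): build the "<FIELD>=<value>" string that the
# VPN Concentrator sends to the RADIUS or LDAP authorization server for the
# configured DN Field. Sample subject DNs are constructed for illustration.

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 subject DN string into (attribute, value) pairs.

    A comma preceded by a backslash is part of the value (e.g. 'CN=Doe\\, John'),
    not an RDN boundary, so the DN is scanned character by character instead of
    being split naively on commas.
    """
    rdns: list[str] = []
    buf: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)          # escaped character is taken literally
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    rdns.append("".join(buf))

    pairs: list[tuple[str, str]] = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def authorization_string(subject_dn: str, dn_field: str) -> str:
    """Return the entire '<FIELD>=<value>' string for the configured DN Field.

    With DN Field = CN and a certificate CN of 'John Doe', this yields
    'CN=John Doe', as the manual describes. A certificate that lacks the
    configured attribute cannot be mapped to an identity, so the function
    raises rather than returning an empty or partial string.
    """
    field = dn_field.strip().upper()
    for attr, value in parse_dn(subject_dn):
        if attr == field:
            return f"{field}={value}"
    raise LookupError(f"certificate subject has no {field} attribute")
```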
SSL | Protocols
This screen lets you configure the encryption algorithms and SSL versions that the VPN Concentrator SSL server can negotiate with a client and use for session encryption.
Figure 15-19 Configuration | Tunneling and Security | SSL | Protocols Screen
Screen Elements
•
Encryption Protocols — Check the boxes for the encryption algorithms that the VPN Concentrator SSL server can negotiate with a client and use for session encryption. All are checked by default. You must check at least one algorithm to enable SSL. Unchecking all algorithms disables SSL.
The algorithms are negotiated in the order shown. You cannot change the order, but you can enable or disable selected algorithms.
•
3DES-168/SHA — Triple-DES encryption with a 168-bit key and the SHA-1 hash function. This is the strongest (most secure) option.
•
RC4-128/MD5 — RC4 encryption with a 128-bit key and the MD5 hash function. This option is available in most SSL clients.
Note
For WebVPN connections, RC4 encryption reduces performance dramatically.
•
DES-56/SHA — DES encryption with a 56-bit key and the SHA-1 hash function.
•
SSL Version — Click the drop-down menu button and choose the SSL version to use. The versions used must match on both sides of the connection.
SSL Version 3 has more security options than Version 2, and TLS (Transport Layer Security) Version 1 has more security options than SSL Version 3. Some clients that send an SSL Version 2 "Hello" (initial negotiation), can actually use a more secure version during the session.
Choices are:
–
Negotiate SSL V3/TLS V1 = The server tries to use SSL Version 3 but accepts TLS V1 if the client cannot use Version 3. It works with most browsers and Telnet/SSL clients. This is the default choice.
–
Negotiate SSL V3 = The server tries to use SSL Version 3, but can accept a less secure option.
–
SSL V3 Only = The server insists on SSL Version 3 only, which means that the client or browser must be configured for SSL V3 or the session cannot occur.
–
TLS V1 Only = The server insists on TLS Version 1 only, which means that the client or browser must be configured for TLS V1 or the session cannot occur. At present, only Microsoft Internet Explorer 5.0 supports this option.
–
Negotiate TLS V1 = The server tries to use TLS V1, but can accept a less secure option.
Note
TCP Port Forwarding does not work when a WebVPN user connects with some SSL versions, as follows:
SSL Version                 Port Forwarding applet
Negotiate SSLv3             Java downloads
Negotiate SSLv3/TLSv1       Java downloads
Negotiate TLSv1             Java does NOT download
TLSv1 Only                  Java does NOT download
SSLv3 Only                  Java does NOT download
The issue is that Java only negotiates SSLv3 in the Client Hello packet when you launch the Port Forwarding application.
•
SSL Re-Key Interval — Specify the number of seconds between renegotiations of the SSL connection. This value applies to Cisco SSL VPN Clients. Range 300 (5 minutes) to 604,800 (one week). Default 86,400 (one day). A value of 0 disables SSL Re-Key.
•
Apply — Click to apply your Encryption settings, and to include your settings in the active configuration. The Manager returns to the Configuration | Tunneling and Security screen.
•
Cancel — Click to discard your settings. The Manager returns to the Configuration | Tunneling and Security screen.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
WebVPN
This screen lets you configure access to resources for WebVPN users, and the appearance of WebVPN remote access sessions.
In the left frame, or in the list below, click the function you want to configure.
•
HTTPS Proxy (WebVPN | HTTP/HTTPS Proxy): the external proxy addresses to which all HTTP and HTTPS WebVPN addresses should be redirected.
•
Home Page (WebVPN | Home Page): the appearance of the home page for all WebVPN sessions.
•
Logo (WebVPN | Logo): the logo to display for WebVPN sessions.
•
E-mail Proxy (WebVPN | E-Mail Proxy): protocols and parameters for e-mail proxy sessions.
•
Servers and URLs (WebVPN | Servers and URLs): file servers, e-mail servers, e-mail proxy servers, and URLs accessible over a WebVPN connection.
•
Port Forwarding (WebVPN | Port Forwarding): access for remote users to client/server applications that communicate over fixed TCP ports.
•
SSL VPN Client (WebVPN | Cisco SSL VPN Client): install, enable, or disable SSL VPN Client software images.
•
Secure Desktop (WebVPN | Secure Desktop): install, enable, or disable Cisco Secure Desktop client software images.
Figure 15-20 Configuration | Tunneling and Security | WebVPN Screen
WebVPN | HTTP/HTTPS Proxy
The VPN Concentrator can terminate HTTPS connections and forward HTTP/HTTPS requests to HTTP and HTTPS proxy servers. These servers act as an intermediary between users and the Internet. Requiring all Internet access via a server the organization controls provides another opportunity for filtering to assure secure Internet access and administrative control.
Figure 15-21 Configuration | Tunneling and Security | WebVPN | HTTPS Proxy Screen
Screen Elements
•
HTTP Proxy — Enter the external HTTP proxy server IP address to which all WebVPN HTTP requests should be directed. Accept the default value, 0.0.0.0, if you do not want to configure an external HTTP proxy server.
•
HTTP Proxy Port — Enter the port for the external HTTP proxy to use. The default is port 80.
•
HTTPS Proxy — Enter the external HTTPS proxy server IP address to which all WebVPN HTTPS requests should be directed. Accept the default value, 0.0.0.0, if you do not want to configure an external HTTPS proxy server.
•
HTTPS Proxy Port — Enter the port for the external HTTPS proxy to use. The default is port 443.
•
Default Idle Timeout — Enter the amount of time, in minutes, that a WebVPN session can be idle before the system terminates it. This idle timeout applies only if the Idle Timeout value in the user's group is set to zero (0); otherwise the group Idle Timeout value takes precedence over the timeout you configure here. The minimum value you can enter is 1 minute. The default is 30 minutes.
We recommend that you set this parameter to a short time period. This is because a browser set to disable cookies (or one that prompts for cookies and then denies them) can result in a user not connecting but nevertheless appearing in the Administration | Administer Sessions database. If the Maximum Sessions parameter is set to one, the user cannot log back in because the database indicates that the maximum number of connections already exists. Setting a low idle timeout removes such phantom sessions quickly, and lets a user log in again.
WebVPN | Home Page
This screen lets you customize the appearance of the WebVPN user interface. By default the user interface displays the Cisco Systems logo and the title, "VPN 3000 Concentrator." You can change the logo at the Tunneling and Security | WebVPN | Logo page. In this screen you can change the title, login and logout messages, login prompts, and screen and text colors. The Sample Display screen previews your color changes.
Figure 15-22 Configuration | Tunneling and Security | WebVPN | Home Page Screen
Screen Elements
•
Title — Enter a title for the WebVPN user interface by overwriting the default title. The title can have a maximum of 255 characters, including spaces. You can use ASCII characters, including new line (the Enter key, which counts as two characters).
•
Login Message — You can create a message that users see on their screen when they enter their username and password to enter the site.
–
To accept the default message, "Please enter your username and password," skip this field.
–
To create your own message, overwrite the existing text. Your message can be up to 255 characters.
•
Logout Message — You can create a message that users see on their screen when they terminate their WebVPN session.
–
To accept the default message, "Your session has been terminated," skip this field.
–
To create your own message, overwrite the existing text. Your message can be up to 255 characters.
•
Login Prompt — You can create a custom login prompt, maximum 16 characters. To change the prompt, overwrite the default text, "Username."
•
Password Prompt — You can create a custom password prompt, maximum 16 characters. To change the prompt, overwrite the default text, "Password."
•
Title Bar Color — To change the color of the title bar, enter a new color in one of the following formats:
–
Name = the word that identifies the color. The name you enter must match exactly an RGB (red, green, blue) name.
–
RGB (0,0,0) = range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.
–
HTML(#000000) = the RGB value expressed with six digits in hexadecimal format. The first and second represent red; the third and fourth green; and the fifth and sixth represent blue.
Note
The number of RGB values recommended for use is 216, many fewer than the mathematical possibilities. Many displays can handle only 256 colors, and 40 of those look different on Macs and PCs. For best results, check published RGB tables. To find RGB tables online, enter RGB in a search engine.
•
Title Bar Text — Choose a color for title bar text. The options are Black, White, and Auto. Auto displays black or white, depending on the Title Bar color.
•
Secondary Bar Color — To change the color of the secondary bar, enter the color name or RGB or HTML value for the new color.
•
Secondary Bar Text — Choose a color for secondary bar text. The options are Black, White, and Auto. Auto displays black or white, depending on the Secondary Bar color.
•
Sample Display — This field displays the current color choices for WebVPN screens and text. It is dynamic, changing automatically after you have changed a value in any field.
Note
The Sample Display does not work properly with Netscape 4.x.
•
Apply — Click to apply your Home Page settings, and to include your settings in the active configuration. The Manager returns to the Tunneling and Security | WebVPN screen.
•
Cancel — Click to discard your settings. The Manager returns to the Tunneling and Security | WebVPN screen.
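The three color input formats accepted by the Title Bar Color and Secondary Bar Color fields above, parsed in an added example that is not part of the original manual. The named-color table is a constructed subset of the published RGB names, and the rule used for the Auto text color (a perceived-luminance threshold) is an assumption, since the manual only says Auto picks black or white depending on the bar color.

```python
# Added example (not Cisco's code): validate a Title Bar Color entry in any of
# the three formats the Home Page screen accepts (Name, RGB(r,g,b), HTML #rrggbb)
# and compute the Auto text color. NAMED_COLORS is a constructed subset; the
# luminance rule in auto_text_color is an assumption, not the Manager's formula.
import re

NAMED_COLORS = {            # constructed subset of the standard RGB color names
    "black": (0, 0, 0),
    "white": (255, 255, 255),
    "navy": (0, 0, 128),
    "teal": (0, 128, 128),
    "silver": (192, 192, 192),
    "maroon": (128, 0, 0),
    "yellow": (255, 255, 0),
}

# RGB (0,0,0): three decimal components 0-255, whitespace tolerated
_RGB_RE = re.compile(
    r"^rgb\s*\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)$", re.IGNORECASE
)
# HTML(#000000): six hex digits, pairs for red, green, blue
_HTML_RE = re.compile(r"^#([0-9a-f]{6})$", re.IGNORECASE)


def parse_color(text: str) -> tuple[int, int, int]:
    """Return (red, green, blue) for a Name, RGB(r,g,b) or #rrggbb entry.

    Anything that does not match one of the three formats exactly is rejected,
    which is the behaviour an admin form should have for free-text input.
    """
    s = text.strip()
    m = _HTML_RE.match(s)
    if m:
        hex6 = m.group(1)
        return tuple(int(hex6[i:i + 2], 16) for i in (0, 2, 4))  # type: ignore[return-value]
    m = _RGB_RE.match(s)
    if m:
        rgb = tuple(int(x) for x in m.groups())
        if any(c > 255 for c in rgb):
            raise ValueError(f"RGB component out of range 0-255: {s!r}")
        return rgb  # type: ignore[return-value]
    key = s.lower()        # name lookup is case-insensitive here (assumption)
    if key in NAMED_COLORS:
        return NAMED_COLORS[key]
    raise ValueError(f"unrecognized color entry: {text!r}")


def auto_text_color(bar: tuple[int, int, int]) -> str:
    """Pick Black or White text for a bar color (assumed luminance rule)."""
    r, g, b = bar
    luminance = 0.299 * r + 0.587 * g + 0.114 * b   # Rec. 601 weights
    return "White" if luminance < 128 else "Black"
```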
WebVPN | Logo
The Cisco Systems logo displays by default on WebVPN user screens. You can customize your end-user interface by uploading a new logo, or by using no logo.
Figure 15-23 Configuration | Tunneling and Security | WebVPN | Logo Screen
Screen Elements
•
No Logo — Select No Logo if you don't want the end-user WebVPN screens to display a logo.
•
Use Cisco's logo — Accept the default, Use Cisco's logo, to display the Cisco logo on the end-user WebVPN screens.
•
Upload a new logo — To customize the end-user WebVPN screens with a new logo, follow these steps:
Step 1
Add the desired logo file to the computer you are using to manage the VPN Concentrator. The size of the logo should be less than 100 x 100 pixels. Valid filetypes are JPEG, GIF, and PNG.
Step 2
Select Upload a new logo, and click the Browse button to locate and select the logo.
Step 3
Click Apply.
The Manager displays a Success message (Figure 15-24).
Figure 15-24 Logo Upload Success Screen
Step 4
Click on Click here to see the logos.
Step 5
The Manager displays the Configuration | Tunneling and Security | WebVPN | Logo screen, which now shows the new, uploaded logo (Figure 15-25).
Figure 15-25 Configuration | Tunneling and Security | WebVPN | Logo Screen with Uploaded Logo
Step 6
To display the new logo on the end-user WebVPN home page, select Use uploaded logo, and click Apply.
Note
If you later want to change to another logo, you can upload a new logo, which overwrites the current uploaded logo.
•
Apply — Click to apply your logo settings, and to include your settings in the active configuration. If you have uploaded a new logo, the Manager displays a success message, the uploaded logo, and returns to the Tunneling and Security | WebVPN screen.
•
Cancel — Click to discard your settings. The Manager returns to the Tunneling and Security | WebVPN screen.
If the upload does not succeed, the Manager displays a Logo Upload Error screen.
Figure 15-26 Logo Upload Error Screen
WebVPN | E-Mail Proxy
This screen lets you configure e-mail proxies for WebVPN. They include IMAP4S, POP3S, and SMTPS. WebVPN e-mail proxy has requirements in addition to the configuration parameters on this screen. These include:
•
Users who access e-mail from both local and remote locations via e-mail proxy require separate e-mail accounts on their e-mail program for local and remote access.
•
When users attempt an e-mail session via e-mail proxy, the e-mail client establishes a tunnel using the SSL protocol, and then requires that the user authenticate.
Figure 15-27 Configuration | Tunneling and Security | WebVPN | E-Mail Screen
Screen Elements
•
VPN Name Delimiter — Use the drop-down menu to select a delimiter that separates the VPN username from the e-mail username. Users need both usernames when Concentrator authentication is used for e-mail proxy and the VPN username differs from the e-mail username. Users enter both usernames, separated by the delimiter you configure here, and also the e-mail server name, when they log in to an e-mail proxy session.
Note
Passwords for WebVPN e-mail proxy users cannot contain characters that are used as delimiters.
•
Server Delimiter — Use the drop-down menu to select a delimiter that separates the username from the name of the e-mail server. It must be different from the VPN Name Delimiter. Users enter both their username and server in the username field when they log in to an e-mail proxy session.
For example, using : as the VPN Name Delimiter and @ as the Server Delimiter, when logging in to an e-mail program via e-mail proxy, the user would enter their username in the format vpn_name:e-mail_name@server.
•
E-Mail Protocol — WebVPN supports three e-mail proxies: POP3S and IMAP4S for receiving e-mail, and SMTPS for sending e-mail.
Note
To use these e-mail proxies, you must also allow these session types on the appropriate VPN Concentrator interface (Configuration | Interfaces | Ethernet | WebVPN Tab).
–
POP3S — POP3S is one of the e-mail proxies WebVPN supports. By default the VPN Concentrator listens to port 995, and connections are automatically allowed to port 995 or to the configured port. The POP3 proxy allows only SSL connections on that port. After the SSL tunnel establishes, the POP3 protocol starts, and then authentication occurs.
–
IMAP4S — IMAP4S is one of the e-mail proxies WebVPN supports. By default the VPN Concentrator listens to port 993, and connections are automatically allowed to port 993 or to the configured port. The IMAP4 proxy allows only SSL connections on that port. After the SSL tunnel establishes, the IMAP4 protocol starts, and then authentication occurs.
–
SMTPS — SMTPS is one of the e-mail proxies WebVPN supports. By default the VPN Concentrator listens to port 988, and connections are automatically allowed to port 988 or to the configured port. The SMTPS proxy allows only SSL connections on that port. After the SSL tunnel establishes, the SMTPS protocol starts, and then authentication occurs.
SMTPS is the only one of these e-mail proxies that lets you send e-mail.
•
VPN Concentrator Port — Identifies the port on the VPN Concentrator that each e-mail proxy uses. You can change the port for any or all of the e-mail proxies. Be aware that the remote PC in a WebVPN connection may be using different ports for e-mail proxy traffic than the ports you configure for the VPN Concentrator.
Note
The Eudora e-mail client does not work with SMTPS configured for port 988. Configure the VPN Concentrator and your Eudora e-mail clients to use SMTPS port 465.
•
Default E-Mail Server — Enter the name or IP address of the default server for the e-mail proxy you are configuring.
•
Authentication Required — Each e-mail proxy has several different methods that you can use to authenticate users. You can require them either singly or in combination, but you must configure at least one authentication method for an e-mail protocol.
•
E-Mail Server — Mail server authentication requires only the user's e-mail username, server and password. IMAP4S and POP3S both require mail server authentication; you cannot uncheck these boxes.
•
Concentrator — Concentrator authentication authenticates the e-mail session by using its configured authentication servers. The user presents a username, server and password. Users must present both the VPN username and the e-mail username, separated by the VPN Name Delimiter, only if the usernames are different from each other.
•
Piggyback HTTPS — This authentication scheme requires a user to have already established a WebVPN session before the e-mail client is initiated. The username for both WebVPN and e-mail must be the same, although the passwords can differ.
SMTPS e-mail most often uses piggyback authentication because most SMTP servers do not allow users to log in.
See Piggyback HTTPS and IMAP Sessions below.
•
Certificate — Certificate authentication requires that users have a certificate that the VPN Concentrator can validate during SSL negotiation. You can use certificate authentication as the only authentication method for the SMTPS proxy. Other e-mail proxies require two authentication methods.
Certificate authentication requires three certificates, all from the same CA:
–
A CA certificate on the VPN Concentrator
–
A CA certificate on the client PC
–
A Web Browser certificate on the client PC, sometimes called a Personal certificate.
E-mail proxy with certificate authentication does not work with Eudora, Internet Explorer (IE), or Outlook. It does work with Netscape (Cisco tested using version 7.1), and with Mozilla (Cisco tested using version 1.7).
See How to Request and Install Certificates below.
•
Apply — Click to apply your E-mail settings, and to include your settings in the active configuration. The Manager returns to the Configuration | Tunneling and Security | WebVPN screen.
•
Cancel — Click to discard your settings. The Manager returns to the Configuration | Tunneling and Security | WebVPN screen.
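The login format described under VPN Name Delimiter and Server Delimiter above (vpn_name:e-mail_name@server), parsed in an added example that is not part of the original manual. The delimiter choices, default server and sample logins are constructed; the rules enforced are the ones the screen states: the two delimiters must differ, the VPN username is given only when it differs from the e-mail username, the Default E-Mail Server applies when no server is typed, and e-mail proxy passwords cannot contain delimiter characters.

```python
# Added example (not Cisco's code): split the username a remote user types into
# an e-mail client when logging in through the WebVPN e-mail proxy. Delimiters,
# default server and sample logins are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyLogin:
    vpn_user: str    # VPN username; equals mail_user when the user omitted it
    mail_user: str   # username presented to the e-mail server
    server: str      # e-mail server typed by the user, or the configured default


class ProxyLoginError(ValueError):
    """Raised for configuration or login strings the proxy should reject."""


def parse_proxy_login(username: str, vpn_delim: str, server_delim: str,
                      default_server: str) -> ProxyLogin:
    """Parse 'vpn_name<vpn_delim>e-mail_name<server_delim>server'.

    The server is split off from the right first, so an e-mail username that
    itself contains the VPN delimiter does not swallow the server part. Both
    the VPN name and the server are optional in the typed string.
    """
    if len(vpn_delim) != 1 or len(server_delim) != 1:
        raise ProxyLoginError("delimiters must be single characters")
    if vpn_delim == server_delim:
        raise ProxyLoginError("Server Delimiter must differ from VPN Name Delimiter")

    left, sep, server = username.rpartition(server_delim)
    if not sep:                       # no server typed: use Default E-Mail Server
        left, server = username, default_server

    vpn_user, sep, mail_user = left.partition(vpn_delim)
    if not sep:                       # no VPN name typed: both usernames are the same
        vpn_user, mail_user = left, left

    if not (vpn_user and mail_user and server):
        raise ProxyLoginError(f"incomplete e-mail proxy login {username!r}")
    return ProxyLogin(vpn_user, mail_user, server)


def password_allowed(password: str, vpn_delim: str, server_delim: str) -> bool:
    """Passwords for e-mail proxy users cannot contain delimiter characters."""
    return not any(d in password for d in (vpn_delim, server_delim))
```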
Piggyback HTTPS and IMAP Sessions
IMAP generates a number of sessions that are not limited by the simultaneous user count but do count against the number of simultaneous logins allowed for a username. If the number of IMAP sessions exceeds this maximum and the WebVPN connection expires, a user cannot subsequently establish a new connection.
There are several solutions:
•
The user can close the IMAP application to clear the sessions with the VPN Concentrator, and then establish a new WebVPN connection.
•
The administrator can increase the simultaneous logins for IMAP users (Configuration | User Management | Base Group/Groups/Users | General Tab).
•
Disable HTTPS/Piggyback authentication for e-mail proxy.
How to Request and Install Certificates
The following steps show you how to request and install certificates. For complete instructions on enrolling and installing CA certificates, see the Certificate Management chapter in Volume II: Administration and Monitoring.
Step 1
If the VPN Concentrator does not already have a CA certificate installed, install a CA certificate.
•
The CA must be the same one that you are using to issue the CA and Web Browser certificates on the client PC.
•
The certificate must be base-64 encoded.
•
Use a Netscape or Mozilla browser to install the CA certificate. If you use IE, the certificate downloads to the IE Crypto Application Program Interface (CAPI); it must be in the CAPI for the browser you are actually using.
Step 2
Open the certificate using the Netscape or Mozilla Certificate Manager before importing it onto the VPN Concentrator.
Step 3
In the Downloading Certificates screen, make sure that the CA is trusted to identify websites and e-mail users (trusting software developers is optional). Alternatively, when the CA certificate has been loaded onto the concentrator, check the details of the certificate to ensure these trusted attributes are enabled.
Step 4
On the client PC, use a Netscape or Mozilla browser to request a CA certificate from the same certificate authority.
Step 5
On the client PC, request a Personal or Web Browser certificate from the same certificate authority. Complete the fields on the request form as follows:
• The certificate request must be for a Web Browser or Personal Certificate, not an E-mail Protection Certificate. E-mail protection certificates are not for SSL connections; they are for encrypting and sending e-mail. Web Browser certificates protect the e-mail session over SSL.
• Name = account name, for example, JohnDoe.
• E-Mail = e-mail address being authenticated, for example, JohnDoe@myMail.com.
• Key strength = 1024 (the value Cisco tested); any of the choices should work.
• Password is optional, and applies only to the certificate for export purposes.
Step 6
When the certificate is generated, choose Install Certificate. In some cases, the CA installs it automatically.
Step 7
To verify that the certificate is installed, use the Netscape Certificate Management application. The path is Edit > Preferences > Privacy and Security > Certificates > Manage Certificates > Your Certificates.
Step 8
On the Configuration | Tunneling and Security | WebVPN | E-Mail Proxy screen, for Authentication Required, select E-Mail Server and Certificate.
WebVPN | Servers and URLs
This screen lets you configure access to network resources for WebVPN users who are not in a group. Values you set here apply globally, and are the equivalent of base group parameters. The HTML interface visible to these WebVPN users varies depending on the values you set here. Users see a customized home page that includes only those features that you enable.
Note
To enable WebVPN, you must also check the WebVPN checkbox in the Tunneling Protocols field of the User Management | Base Group | General Tab.
Figure 15-28 Configuration | Tunneling and Security | WebVPN | Servers and URLs Screen
Screen Elements
• Servers and URLs — This box lists all the servers and URLs that are accessible to users in the Base Group. The types of servers you configure here include HTTP and file servers; these are for file shares, internal websites, e-mail proxies, and e-mail servers. The user home page displays all servers and URLs that you configure here as hotlinks.
• Add — Click to configure and add a new Server and URL to the list of Servers and URLs. See Tunneling and Security | WebVPN | Servers and URLs | Add or Modify.
• Modify — To modify a configured Server and URL, select it and click the Modify button. See Tunneling and Security | WebVPN | Servers and URLs | Add or Modify. Modifying a server does not affect connections currently using it, but changes do affect subsequent connections.
• Delete — To delete a configured Server or URL, select it and click the Delete button. The Manager refreshes the screen and shows the remaining servers and URLs in the list. There is no confirmation or undo. Servers or URLs that you delete remain visible to current end users until their home page refreshes at their next login.
WebVPN | Servers and URLs | Add or Modify
This screen lets you configure servers and URLs that users in the Base Group can access through a WebVPN connection. The types of servers you configure here include web servers and file servers that provide the following resources:
• file shares
• internal websites
• e-mail proxies
• e-mail servers
The home page for users who are not members of a group displays all servers that you configure here. If you configure no servers or URLs, none are available to these users.
Figure 15-29 Configuration | Tunneling and Security | WebVPN | Servers and URLs | Add Screen
Screen Elements
• Name — Enter a short name or description that identifies this resource to end users.
• Server Type — Select the type of server you are configuring.
– CIFS servers are file servers that use NetBIOS names.
– HTTP servers are web servers.
– HTTPS servers are SSL-encrypted web servers.
• Remote Server — Enter the URL, DNS name, or network path of the remote server for end users to access.
• Add / Apply — Click to add this server to the Servers and URLs list or to save your modifications. The Manager returns to the Tunneling and Security | WebVPN | Servers and URLs screen. The server and URL you configured now appear in the list.
• Cancel — To discard your settings, click Cancel. The Manager returns to the Tunneling and Security | WebVPN | Servers and URLs screen.
WebVPN | Port Forwarding
WebVPN Port Forwarding provides access for remote users to client/server applications that communicate over known, fixed TCP/IP ports. Remote users can use client applications that are installed on their local PC and securely access remote servers that support those applications.
Cisco has tested the following applications:
• Windows Terminal Services
• Telnet
• SSH
• Secure FTP (FTP over SSH)
• Perforce
• Outlook/Outlook Express
• Lotus Notes
• XDDTS
• Sametime Instant Messaging
Other TCP-based applications may also work, but Cisco has not tested them.
This feature requires installing Sun Microsystems Java™ Runtime Environment and configuring applications on the end user's PC. Both require administrator permissions. It is therefore unlikely that users will be able to use applications when they connect from public remote systems, such as Internet kiosks or web cafes.
Note
When users authenticate using digital certificates, the TCP Port Forwarding Java applet does not work. Java cannot access the web browser's keystore; therefore Java cannot use the certificates that the browser used for user authentication, and the application cannot start. Do not use digital certificates to authenticate WebVPN users if you want them to be able to access applications.
Note
Port Forwarding does not work with some SSL/TLS versions. See the SSL Version field on the Configuration | Tunneling and Security | SSL | Protocols screen for more information.
Figure 15-30 Configuration | Tunneling and Security | WebVPN | Port Forwarding Screen
Screen Elements
• Forwarded Ports — This box lists all the applications that users in this group can access over a WebVPN connection. Each entry has the format:
Application name (Local TCP port -> Remote application server name or IP address:Remote TCP port)
• Add — Click to configure and add a new forwarded port. See Tunneling and Security | WebVPN | Port Forwarding | Add or Modify.
• Modify — To modify a configured forwarded port, select it and click the Modify button. See Tunneling and Security | WebVPN | Port Forwarding | Add or Modify.
• Delete — To delete a configured forwarded port, select it and click the Delete button. The Manager refreshes the screen and shows the remaining forwarded ports in the list.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
WebVPN | Port Forwarding | Add or Modify
These screens let you add or modify global access to TCP-based applications for WebVPN users. You provide mapping information that the VPN Concentrator adds to the Hosts file on a user's PC as the application opens. This mapping information lets the PC connect to the server at the central site that supports the desired application.
• For the user's PC, you configure the Local TCP Port for the application.
• For the server the user needs to access, you configure the Remote Server and Remote TCP Port.
Port forwarding can work only if the applications on remote servers are uniquely identified, and therefore reachable, either by hostname or by IP address and port.
• Hostnames, correctly defined on the VPN Concentrator global DNS servers, are constant and are by definition unique. We recommend that you use hostnames.
• IP addresses change depending on the end user's location relative to the remote server. If you identify the remote server by IP address, users must reconfigure the application on their PC each time they change location. See the task, "Using Applications," in Table B-2, "WebVPN Remote System Configuration and End User Requirements," for information on reconfiguring client applications when using IP addresses rather than hostnames.
You can have a maximum of 252 port forwarding entries.
Note
When you configure the VPN Concentrator global DNS server, use fully qualified domain names.
Figure 15-31 Configuration | Tunneling and Security | WebVPN | Port Forwarding | Add/Modify
Screen Elements
• Name — Enter a name or description by which remote users can readily identify the service or application.
• Local TCP Port — Assign a TCP port on the user's PC for this application to use. In the PC's hosts file, the VPN Concentrator appends this local TCP port to the PC's loopback IP address. This is how it uniquely names an application when the remote server is identified by IP address. If you use a hostname to identify the remote server, the VPN Concentrator appends the hostname to the loopback address and ignores the local TCP port value.
Set the port in the range from 1024 to 65535 to avoid conflicts with existing services that may be on the user's workstation.
• Remote Server — Enter the hostname or IP address of the remote server that supports this service or application.
While the VPN Concentrator accepts either IP addresses or hostnames, we recommend using hostnames because they are simpler to administer: if you use hostnames, you do not have to change the server address in client applications depending on whether the user is accessing these applications locally or remotely. See Using Hostnames vs. IP Addresses below for an explanation of why this is so.
• Remote TCP Port — Enter the TCP/IP port for the client PC to use for this service or application. This is the real TCP port for the application; for example, 23 is the well-known port for Telnet.
• Add / Apply — Click to add this port to the list of Forwarded Ports or to save your modifications. The Manager returns to the WebVPN | Port Forwarding screen. The port you configured now appears in the list.
• Cancel — To discard your settings, click Cancel. The Manager returns to the WebVPN | Port Forwarding screen.
Using Hostnames vs. IP Addresses
When you use a hostname to identify a remote server, the Java applet modifies the WebVPN Application Access hosts file (assuming the OS is Windows, and you have administrative privileges on the PC) to create an entry for each application server. For example, when you configure your first Port Forwarding remote server with hostname johndoew2ksrv, the Java applet creates a backup copy of the original hosts file, and then modifies the hosts file to include a WebVPN entry that maps johndoew2ksrv to a loopback IP address of 127.0.0.2. If your second port forwarding entry is NotesServer, the Java applet adds to the hosts file an entry that maps NotesServer to 127.0.0.3. These entries are then associated with the real remote application ports. Each entry is unique by virtue of the loopback address the Java applet assigns.
When you use an IP address to identify the remote server, the Java applet does not back up or modify the hosts file. It assigns each server the loopback IP address of 127.0.0.1 and the TCP port that is configured as the Local TCP Port. Since the assigned IP address is always 127.0.0.1, each entry must have a unique Local TCP Port to differentiate applications.
You configure client applications to communicate to a server address. When you use the hostname and remote TCP port, addressing information for application servers is the same regardless of the user's location. When you use an IP address and local TCP port, addressing information changes as the user changes locations, and you have to reconfigure client applications on users' PCs.
To summarize:
If you use IP addresses, users need to have client applications point to a 127.0.0.1 address and local port that can vary from location to location when connecting over WebVPN. They must reconfigure applications to a real IP address and port when they connect locally.
If you use hostnames, users can set their client applications to connect to the real hostname and TCP port for both remote WebVPN and directly connected sessions.
The WebVPN Application Access Window
To use applications over WebVPN, an end user clicks Application Access on the WebVPN home page. A Java applet opens the Application Access window; see Figure 15-32 for an example. This window displays the port forwarding applications previously configured in the Configuration | Tunneling and Security | WebVPN | Port Forwarding | Add or Modify screens.
Figure 15-32 Example of a WebVPN Application Access Window
Application Access Window Fields
The fields in the Application Access window provide the following information.
• Name — Identifies the application. This is the name that you assign in the Tunneling and Security | WebVPN | Port Forwarding | Add or Modify screen.
• Local — The hostname or IP address and TCP port on the user's PC that this application uses.
• Remote — The hostname or IP address and port of the remote server that supports this service or application.
Note
If you use hostnames for the Remote Server parameter in the Tunneling and Security | WebVPN | Port Forwarding | Add or Modify screen, the values in the Local and Remote fields in the Application Access window are identical. See the section, "Using Hostnames vs. IP Addresses" to understand why it is simpler to use hostnames.
• Bytes Out/In — Records data traffic for the application in the current session.
• Sockets — The number of sockets for the application in the current session.
About the Hosts File
WebVPN provides access to TCP-based applications by mapping application-specific ports on the end user's PC to application-specific ports on servers behind the VPN Concentrator. When an end user accesses an application over WebVPN using hostnames to identify the application server, the VPN Concentrator modifies the Hosts file to include a mapping entry for that application.
Figure 15-33 provides an example of what the Hosts file would look like for the applications configured for the WebVPN session in Figure 15-32 above. Notice that the Hosts file has entries for the application servers identified by hostnames. The Hosts file does not record those identified by IP address.
Find the hosts file on your PC in WINDOWS > SYSTEM32 > DRIVERS > ETC.
Figure 15-33 Example of a Hosts File
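The mapping rules described in the Port Forwarding and Using Hostnames vs. IP Addresses sections above (the Forwarded Ports entry format, 127.0.0.2, 127.0.0.3, ... for hostname entries, 127.0.0.1 plus the Local TCP Port for IP-address entries, the hosts file backup, and the 1024-65535 port range and 252-entry limit) as an added Python simulation. This is not Cisco's applet code; the backup file name, the trailing hosts file comment and the sample entries are assumptions.

```python
"""Simulate the loopback mapping the WebVPN port forwarding applet applies (added example)."""
import ipaddress
import shutil
from dataclasses import dataclass

MAX_ENTRIES = 252                 # documented maximum number of port forwarding entries
LOCAL_PORT_RANGE = (1024, 65535)  # documented range for the Local TCP Port
IP_LOOPBACK = "127.0.0.1"         # shared by every entry whose remote server is an IP address
FIRST_HOST_OCTET = 2              # first hostname entry maps to 127.0.0.2, the next to 127.0.0.3

@dataclass(frozen=True)
class ForwardedPort:
    name: str           # Name shown in the Application Access window
    local_port: int     # Local TCP Port on the user's PC
    remote_server: str  # hostname or IP address of the application server
    remote_port: int    # real TCP port of the application (for example 23 for Telnet)

def is_ip_address(server: str) -> bool:
    try:
        ipaddress.ip_address(server)
        return True
    except ValueError:
        return False

def validate(entries) -> None:
    """Reject configurations the manual says cannot work."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} port forwarding entries are allowed")
    used_local_ports = set()
    for e in entries:
        if not LOCAL_PORT_RANGE[0] <= e.local_port <= LOCAL_PORT_RANGE[1]:
            raise ValueError(f"{e.name}: local port {e.local_port} is outside 1024-65535")
        # IP-identified servers share 127.0.0.1, so only the local port tells them apart
        if is_ip_address(e.remote_server):
            if e.local_port in used_local_ports:
                raise ValueError(f"{e.name}: local port {e.local_port} is already used")
            used_local_ports.add(e.local_port)

def applet_mappings(entries):
    """Return (hosts file lines to add, Application Access rows (name, local, remote))."""
    validate(entries)
    hosts_lines, rows = [], []
    next_octet = FIRST_HOST_OCTET  # 252 hostname entries fit in 127.0.0.2 .. 127.0.0.253
    for e in entries:
        remote = f"{e.remote_server}:{e.remote_port}"
        if is_ip_address(e.remote_server):
            local = f"{IP_LOOPBACK}:{e.local_port}"  # nothing is written to the hosts file
        else:
            hosts_lines.append(f"127.0.0.{next_octet}\t{e.remote_server}\t# WebVPN")
            next_octet += 1
            local = remote  # with hostnames the Local and Remote columns are identical
        rows.append((e.name, local, remote))
    return hosts_lines, rows

def update_hosts_file(hosts_path: str, entries) -> str:
    """Back up the hosts file, then append the WebVPN entries; returns the backup path."""
    backup = hosts_path + ".webvpn.bak"  # the applet's real backup name is not documented
    shutil.copyfile(hosts_path, backup)
    hosts_lines, _ = applet_mappings(entries)
    with open(hosts_path, "a") as fh:
        fh.write("".join(line + "\n" for line in hosts_lines))
    return backup

# Constructed sample configuration; johndoew2ksrv and NotesServer are the manual's names.
SAMPLE_ENTRIES = [
    ForwardedPort("Terminal Services", 3389, "johndoew2ksrv", 3389),
    ForwardedPort("Lotus Notes", 1352, "NotesServer", 1352),
    ForwardedPort("Telnet", 2023, "10.1.1.5", 23),
]
```

Running `applet_mappings(SAMPLE_ENTRIES)` yields the two hosts file lines for the hostname entries and the Local/Remote rows of the Application Access window; the Telnet entry, identified by IP address, appears only in the rows.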
WebVPN | Cisco SSL VPN Client
This screen lets you install, remove, enable, or disable the Cisco SSL VPN Client (SVC) software image. If the software is uninstalled or disabled, users whose group configuration requires it (the Require Cisco SSL VPN Client option under group WebVPN configuration) will be unable to connect.
SVC provides end users the benefits of an IPSec VPN client without the administrative overhead required to install and configure an IPSec client. It supports applications and functions unavailable to a standard WebVPN connection, through the use of an automatically-downloaded, self-installing, self-configuring client software image.
Note
Currently available SSL VPN clients support end users running Microsoft Windows XP or Windows 2000; they do not support Mac OS X users. If you configure the SVC as required for a Mac user, the user will be unable to connect to the 3000 Concentrator.
SSL VPN Client Privilege Requirements
Users must have Administrator privileges on client PCs that use SVC. Clients connecting without Administrator privileges will not bring up an SSL VPN Client connection.
If you do not typically configure client PC users with Administrator privileges, Cisco provides an Install Enabler utility to pre-load a client service that lets nonprivileged users load SVC. This utility, STCIE.EXE, is available on your distribution media or from the VPN 3000 Concentrator download area on Cisco.com.
You must have Administrator privileges on the client PC to run the Install Enabler and install the service. Once the service is installed, it loads at system startup and facilitates SSL VPN Client setup for nonprivileged users.
To set up the client service, run STCIE.EXE on your client PCs. The following command line switches are available:
• STCIE.EXE /? — Displays available command options.
• STCIE.EXE /HELP — Displays available command options.
• STCIE.EXE /NODLG — "Silent mode" installation; suppresses dialog boxes except for errors.
• STCIE.EXE /NODLGNOERROR — Suppresses all dialog boxes, including errors.
SSL VPN Client Screen
There are two versions of this screen, depending upon whether or not an SVC image has already been installed. Only one SVC software image can be installed on the VPN Concentrator at any one time. Changes take effect when you click Apply.
Figure 15-34 Configuration | Tunneling and Security | WebVPN | Cisco SSL VPN Client Screen
Figure 15-35 Configuration | Tunneling and Security | WebVPN | Cisco SSL VPN Client (Installed) Screen
Screen Elements
• Disable the Cisco SSL VPN Client — Choose this button to disable the SVC function on a system-wide basis.
• Enable the Cisco SSL VPN Client — Choose this button to enable the SVC function on a system-wide basis.
• Uninstall the Cisco SSL VPN Client — Choose this button to remove the SVC software image from the VPN Concentrator. The Manager removes the software when you click Apply.
• Install a new Cisco SSL VPN Client — Choose this button to install a new SVC software image on the VPN Concentrator. Type the path and filename in the text box or click the Browse button to select the file.
• Browse — Click on this button to locate the SVC software image.
Additional Configuration
The VPN Concentrator uses several general-use parameters in conjunction with Cisco SSL VPN Client configurations. Configure these parameters for your SVC users:
• Configuration | User Management | Base Group, Group and/or User parameters:
– General Tab: Access Hours
– General Tab: Simultaneous Logins
– General Tab: Idle Timeout
– General Tab: Maximum Connect Time
– General Tab: Filter
– General Tab: Primary/Secondary DNS
– General Tab: Primary/Secondary WINS
– General Tab: Tunneling Protocols (must include WebVPN)
– Client Config Tab: Banner
– Client Config Tab: IE Proxy Server Policy
– Client Config Tab: IE Proxy Server
– Client Config Tab: IE Proxy Server Exception List
– Client Config Tab: Bypass Proxy Server for Local Addresses
– Client Config Tab: Split Tunneling Policy
– Client Config Tab: Split Tunneling Network List
– Client Config Tab: Default Domain Name
– Client Config Tab: Split DNS Names
– WebVPN Tab: Enable Cisco SSL VPN Client
– WebVPN Tab: Require Cisco SSL VPN Client
– WebVPN Tab: Keep Cisco SSL VPN Client
– Default Homepage
– DPD Confidence Interval
• Global parameters:
– Default Idle Timeout
– Address Assignment
– Address Pools
– Authentication Servers
– Authorization Servers
– Accounting Servers
– Tunnel Default Gateway
– Enable HTTPS
– HTTPS Port
– HTTPS Client Authentication
– SSL Encryption Protocols
– SSL Version
WebVPN | Secure Desktop
These screens let you install the Cisco Secure Desktop client software image, and configure how this software is used for clients in various locations and with various configurations.
Figure 15-36 Configuration | Tunneling and Security | WebVPN | Secure Desktop Screen
WebVPN | Secure Desktop | Setup
This screen lets you install, remove, enable, or disable the Cisco Secure Desktop client software image.
The Cisco Secure Desktop software ensures the security of client machines that access your network, before they are granted access, while they are connected, and after they disconnect.
Before clients are granted access, Cisco Secure Desktop can verify their operating system, service pack, anti-virus software, personal firewall software, and IP address. Clients are granted or denied access to services and functions based on these verifications.
As client machines work, Cisco Secure Desktop encrypts information and isolates the connected environment in a Secure Desktop space.
After client machines disconnect, Cisco Secure Desktop erases and overwrites all data from the secured session to U.S. Department of Defense standards.
There are two versions of this screen, depending upon whether or not a Cisco Secure Desktop client image has already been installed. Only one Cisco Secure Desktop software image can be installed on the VPN Concentrator at any one time. Changes take effect when you click Apply.
Figure 15-37 Configuration | Tunneling and Security | WebVPN | Secure Desktop | Setup Screen
Figure 15-38 Configuration | Tunneling and Security | WebVPN | Secure Desktop | Setup (Installed) Screen
Screen Elements
• Disable Secure Desktop — Choose this button to disable the Cisco Secure Desktop client function on a system-wide basis.
• Enable Secure Desktop — Choose this button to enable the Cisco Secure Desktop client function on a system-wide basis.
• Uninstall Secure Desktop — Choose this button to remove the Cisco Secure Desktop client software image from the VPN Concentrator. The Manager removes the software when you click Apply.
• Install a new Secure Desktop — Choose this button to install a new Cisco Secure Desktop client software image on the VPN Concentrator. Type the path and filename in the text box or click the Browse button to select the file.
• Browse — Click on this button to locate the Cisco Secure Desktop client software image.
WebVPN | Secure Desktop | Manager
This screen lets you configure the Cisco Secure Desktop client software. Refer to the Cisco Secure Desktop online help for instructions.
Figure 15-39 Configuration | Tunneling and Security | WebVPN | Secure Desktop | Manager Screen