VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 3.6
Tunneling Protocols

Table of Contents

Tunneling Protocols
Configuration | System | Tunneling Protocols
Configuration | System | Tunneling Protocols | PPTP
Configuration | System | Tunneling Protocols | L2TP
Configuration | System | Tunneling Protocols | IPSec
Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN
Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | No Public Interfaces
Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add or Modify
Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add | Local or Remote Network List
Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add | Done
Configuration | System | Tunneling Protocols | IPSec | IKE Proposals
Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add, Modify, or Copy
Configuration | System | Tunneling Protocols | IPSec | NAT Transparency

Tunneling Protocols


Tunneling protocols are the heart of virtual private networking. The tunnels make it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network.

The secure connection is called a tunnel, and the VPN 3000 Concentrator Series uses tunneling protocols to:

  • Negotiate tunnel parameters.
  • Establish tunnels.
  • Authenticate users and data.
  • Manage security keys.
  • Encrypt and decrypt data.
  • Manage data transfer across the tunnel.
  • Manage data transfer inbound and outbound as a tunnel endpoint or router.

The VPN Concentrator functions as a bidirectional tunnel endpoint: it can receive plain packets from the private network, encapsulate them, create a tunnel, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination; or it can receive encapsulated packets from the public network, unencapsulate them, and send them to their final destination on the private network.

The VPN Concentrator supports the three most popular VPN tunneling protocols:

  • PPTP: Point-to-Point Tunneling Protocol.
  • L2TP: Layer 2 Tunneling Protocol.
  • IPSec: IP Security Protocol.

It also supports L2TP over IPSec, which provides interoperability with the Windows 2000 VPN client. The VPN Concentrator is also interoperable with other clients that conform to L2TP/IPSec standards, but it does not formally support those clients.

This section explains how to configure the system-wide parameters for PPTP and L2TP, how to configure IPSec LAN-to-LAN connections, how to configure IKE proposals for IPSec Security Associations and LAN-to-LAN connections, and how to configure NAT Transparency, which includes IPSec over TCP and NAT Traversal (NAT-T).

To configure L2TP over IPSec, see Configuration | System | Tunneling Protocols | IPSec | IKE Proposals, and Configuration | User Management.

Configuration | System | Tunneling Protocols

This section of the Manager lets you configure system-wide parameters for tunneling protocols.

  • PPTP: Configure PPTP parameters.
  • L2TP: Configure L2TP parameters.
  • IPSec: Configure IPSec parameters and connections.
    • LAN-to-LAN: IPSec LAN-to-LAN connections between two VPN Concentrators (or between the VPN Concentrator and another secure gateway).
    • IKE Proposals: IKE proposals for IPSec Security Associations and LAN-to-LAN connections.
    • NAT Transparency: IPSec over TCP and IPSec over NAT-T.

Figure 7-1   Configuration | System | Tunneling Protocols Screen


Configuration | System | Tunneling Protocols | PPTP

This screen lets you configure system-wide PPTP (Point-to-Point Tunneling Protocol) parameters.

The PPTP protocol defines mechanisms for establishing and controlling the tunnel, but uses Generic Routing Encapsulation (GRE) for data transfer.

PPTP is a client-server protocol. The VPN Concentrator always functions as a PPTP Network Server (PNS) and supports remote PC clients. The PPTP tunnel extends all the way from the PC to the VPN Concentrator.

PPTP is popular with Microsoft clients. Microsoft Dial-Up Networking (DUN) 1.2 and 1.3 under Windows 95/98 support it, as do versions of Windows NT 4.0, Windows 2000, and Windows XP. PPTP is typically used with Microsoft encryption (MPPE).

You can configure PPTP on rules in filters; see Configuration | Policy Management | Traffic Management. Groups and users also have PPTP parameters; see Configuration | User Management.


Figure 7-2   Configuration | System | Tunneling Protocols | PPTP Screen



Note   Cisco supplies default settings for PPTP parameters that ensure optimum performance for typical VPN use. We strongly recommend that you not change the defaults without advice from Cisco personnel.

Enabled

Check the Enabled check box to enable PPTP system-wide functions on the VPN Concentrator, or uncheck it to disable. The box is checked by default.


Caution   Disabling PPTP terminates any active PPTP sessions.

Maximum Tunnel Idle Time

Enter the time, in seconds, to wait before disconnecting an established PPTP tunnel with no active sessions. An open tunnel consumes system resources. Enter 0 to disconnect the tunnel immediately after the last session terminates (no idle time). The maximum idle time is 86400 seconds (24 hours). The default is 5 seconds.

Packet Window Size

Enter the maximum number of received but unacknowledged PPTP packets that the system can buffer. The system must queue unacknowledged PPTP packets until it can process them. The minimum number of packets is 0. The maximum number is 32. The default is 16 packets.

Limit Transmit to Window

Check the Limit Transmit to Window check box to limit the number of transmitted PPTP packets to the client's packet window size. Ignoring the window improves performance, provided that the client can ignore the window violation. The box is unchecked by default.

Max. Tunnels

Enter the maximum allowed number of simultaneously active PPTP tunnels. The minimum number of tunnels is 0. The maximum number of tunnels depends on the VPN Concentrator model, for example: model 3060 = 5000. Enter 0 for unlimited tunnels (the default).

Max. Sessions/Tunnel

Enter the maximum number of sessions allowed per PPTP tunnel. The minimum number of sessions is 0. The maximum number of sessions depends on the VPN Concentrator model, for example, model 3060 = 5000. Enter 0 for unlimited sessions (the default).

Packet Processing Delay

Enter the packet processing delay for PPTP flow control. This parameter is sent to the client in a PPTP control packet. Entries are in units of 100 milliseconds (0.1 second). The maximum delay is 65535; the default delay is 1 (0.1 second).

Acknowledgement Delay

Enter the number of milliseconds that the VPN Concentrator will wait to send an acknowledgement to the client when there is no data packet on which to piggyback an acknowledgement. Enter 0 to send an immediate acknowledgement. The minimum delay is 50 milliseconds. The maximum delay is 5000 milliseconds. The default delay is 500 milliseconds.

Acknowledgement Timeout

Enter the number of seconds to wait before determining that an acknowledgement has been lost, in other words, before resuming transmission to the client even though the transmit window is closed. The minimum number of seconds is 1. The maximum number of seconds is 10. The default value is 3 seconds.

Apply / Cancel

To apply your PPTP settings and to include them in the active configuration, click Apply. The Manager returns to the Configuration | System | Tunneling Protocols screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Tunneling Protocols screen.

Configuration | System | Tunneling Protocols | L2TP

This screen lets you configure system-wide L2TP (Layer 2 Tunneling Protocol) parameters.

L2TP is a client-server protocol. It combines many features from PPTP and L2F (Layer 2 Forwarding), and is regarded as a successor to both. The L2TP protocol defines mechanisms both for establishing and controlling the tunnel and for transferring data.

The VPN Concentrator always functions as an L2TP Network Server (LNS) and supports remote PC clients. The L2TP tunnel extends all the way from the PC to the VPN Concentrator. When the client PC is running Windows 2000, the L2TP tunnel is typically layered over an IPSec transport connection.

You can configure L2TP on rules in filters; see Configuration | Policy Management | Traffic Management. Groups and users also have L2TP parameters; see Configuration | User Management.


Figure 7-3   Configuration | System | Tunneling Protocols | L2TP Screen



Note   Cisco supplies default settings for L2TP parameters that ensure optimum performance for typical VPN use. We strongly recommend that you not change the defaults without advice from Cisco personnel.

Enabled

Check the Enabled check box to enable L2TP system-wide functions on the VPN Concentrator, or uncheck it to disable. The box is checked by default.


Caution   Disabling L2TP terminates any active L2TP sessions.

Maximum Tunnel Idle Time

Enter the time in seconds to wait before disconnecting an established L2TP tunnel with no active sessions. An open tunnel consumes system resources. Enter 0 to disconnect the tunnel immediately after the last session terminates (no idle time). The maximum is 86400 seconds (24 hours). The default is 60 seconds.

Control Window Size

Enter the maximum number of unacknowledged L2TP control channel packets that the system can receive and buffer. The minimum number of packets is 1. The maximum number is 16. The default number is 4.

Control Retransmit Interval

Enter the time in seconds to wait before retransmitting an unacknowledged L2TP tunnel control message to the remote client. The minimum is 1 second (the default); the maximum is 10 seconds.

Control Retransmit Limit

Enter the number of times to retransmit L2TP tunnel control packets before assuming that the remote client is no longer responding. The minimum number of times is 1. The maximum number of times is 32. The default is 4 times.

Max. Tunnels

Enter the maximum allowed number of simultaneously active L2TP tunnels. The minimum value is 0 tunnels. The maximum value depends on the VPN Concentrator model; for example, model 3060 can have a maximum of 5000 tunnels. Enter 0 for unlimited tunnels. The default value is 0.

Max. Sessions/Tunnel

Enter the maximum number of sessions allowed per L2TP tunnel. The minimum number of sessions is 0. The maximum number depends on the VPN Concentrator model, for example: model 3060 = 5000. Enter 0 for unlimited sessions (the default).

Hello Interval

Enter the time in seconds to wait when the L2TP tunnel is idle (no control or payload packets received) before sending a Hello (or "keepalive") packet to the remote client. The minimum wait time is 1 second. The maximum wait time is 3600 seconds. The default wait time is 60 seconds.

Apply / Cancel

To apply your L2TP settings and to include them in the active configuration, click Apply. The Manager returns to the Configuration | System | Tunneling Protocols screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Tunneling Protocols screen.

Configuration | System | Tunneling Protocols | IPSec

This section of the Manager lets you configure IPSec LAN-to-LAN connections, IKE (Internet Key Exchange) parameters for IPSec Security Associations and LAN-to-LAN connections, and NAT Transparency.

IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both LAN-to-LAN connections and client-to-LAN connections can use IPSec.

In IPSec terminology, a "peer" is a remote-access client or another secure gateway. During tunnel establishment under IPSec, the two peers negotiate Security Associations that govern authentication, encryption, encapsulation, key management, etc. These negotiations involve two phases: first, to establish the tunnel (the IKE SA); and second, to govern traffic within the tunnel (the IPSec SA).

In IPSec LAN-to-LAN connections, the VPN Concentrator can function as initiator or responder. In IPSec client-to-LAN connections, the VPN Concentrator functions only as responder. Initiators propose SAs; responders accept, reject, or make counter-proposals—all in accordance with configured SA parameters. To establish a connection, both entities must agree on the SAs.

The Cisco VPN Client complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients. Likewise, the VPN Concentrator can establish LAN-to-LAN connections with other protocol-compliant VPN devices (often called "secure gateways").

The Cisco VPN Client supports these IPSec attributes:

  • Main mode for negotiating phase one ISAKMP Security Associations (SAs) when using digital certificates for authentication
  • Aggressive mode for negotiating phase one ISAKMP Security Associations (SAs) when using preshared keys for authentication
  • Authentication Algorithms:
    • ESP-MD5-HMAC-128
    • ESP-SHA1-HMAC-160
  • Authentication Modes:
    • Preshared Keys
    • X.509 Digital Certificates
  • Diffie-Hellman Groups 1, 2, and 5
  • Encryption Algorithms:
    • AES-128, -192, and -256
    • DES-56
    • 3DES-168
    • ESP-NULL
  • Extended Authentication (XAuth)
  • Mode Configuration (also known as ISAKMP Configuration Method)
  • Tunnel Encapsulation Mode
  • IP compression (IPCOMP) using LZS

You configure IKE proposals (parameters for the IKE SA) here. You apply them to IPSec LAN-to-LAN connections in this section, and to IPSec SAs on the Configuration | Policy Management | Traffic Management | Security Associations screens. Therefore, you should configure IKE proposals before configuring other IPSec parameters. Cisco supplies default IKE proposals that you can use or modify.


Figure 7-4   Configuration | System | Tunneling Protocols | IPSec Screen


Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN

This section of the Manager lets you configure, add, modify, and delete IPSec LAN-to-LAN connections between two VPN Concentrators.

While the VPN Concentrator can establish LAN-to-LAN connections with other protocol-compliant VPN secure gateways, these instructions assume VPN Concentrators on both sides. And here, the "peer" is the other VPN Concentrator or secure gateway.

In a LAN-to-LAN connection, IPSec creates a tunnel between the public interfaces of two VPN Concentrators, which correspondingly route secure traffic to and from many hosts on their private LANs. There is no user configuration or authentication in a LAN-to-LAN connection; all hosts configured on the private networks can access hosts on the other side of the connection, at any time.

To fully configure a LAN-to-LAN connection, you must configure identical basic IPSec parameters on both VPN Concentrators, and configure mirror-image private network addresses or network lists.

The VPN Concentrator also provides a network autodiscovery feature that dynamically discovers and updates the private network addresses on each side of the LAN-to-LAN connection, so you do not have to explicitly configure them. This feature works only when both devices are VPN Concentrators and both VPN Concentrators have routing enabled on the private interface.

You must configure a public interface on the VPN Concentrator before you can configure an IPSec LAN-to-LAN connection. See the Configuration | Interfaces screens. You must also configure IKE proposals before configuring LAN-to-LAN connections. See the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screens.

You can configure only one LAN-to-LAN connection with each VPN Concentrator (or other secure gateway) peer.


Figure 7-5   Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN Screen


LAN-to-LAN Connection

The LAN-to-LAN Connection list shows connections that have been configured. The connections are listed in the order you configure them, in the format Name (Peer IP Address) on Interface, for example: Branch 1 (192.168.34.56) on Ethernet 2 (Public). If no connections have been configured, the list shows --Empty--.

Add / Modify / Delete

To configure and add a new connection, click Add. See the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add screen. If you have not configured a public interface, the Manager displays the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | No Public Interfaces screen.

To modify the parameters of a configured connection, select the connection from the list and click Modify. See the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Modify screen.

To delete a configured connection, select the connection from the list and click Delete.


Note   There is no confirmation or undo.

The Manager deletes the connection, its LAN-to-LAN filter rules, SAs, and group. The Manager then refreshes the screen and shows the remaining connections in the list.


Caution   Deleting a connection immediately deletes any tunnels (and user sessions) using that connection.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | No Public Interfaces

The Manager displays this screen if you have not configured a public interface on the VPN Concentrator and you try to add an IPSec LAN-to-LAN connection. The public interface need not be enabled, but it must be configured with an IP address and the Public Interface parameter enabled.

You should designate only one VPN Concentrator interface as a public interface.


Figure 7-6   Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | No Public Interfaces Screen


Click the highlighted link to configure the desired public interface. The Manager opens the appropriate Configuration | Interfaces screen.

Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add or Modify

These screens let you:

  • Add: Configure and add a new IPSec LAN-to-LAN connection.
  • Modify: Modify parameters of a configured IPSec LAN-to-LAN connection.

You must configure a public interface on the VPN Concentrator before you can configure an IPSec LAN-to-LAN connection. See the Configuration | Interfaces screens.

You can configure only one LAN-to-LAN connection with each VPN Concentrator (or other secure gateway) peer.

The maximum number of LAN-to-LAN connections supported is determined by the hardware and is model-dependent.

Table 7-1   Maximum LAN-to-LAN Connections for Each VPN Concentrator Model

VPN Concentrator Model    Maximum Number of Sessions
3005 & 3015               100
3030                      500
3060 & 3080               1000


Figure 7-7   Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add or Modify Screen


When you Add or Modify a connection on these screens, the VPN Concentrator automatically:

  • Creates or modifies two filter rules with the Apply IPSec action: one inbound, one outbound, named L2L:<Name> In and L2L:<Name> Out.
  • Creates or modifies an IPSec Security Association named L2L:<Name>.
  • Applies these rules to the filter on the public interface and applies the SA to the rules. If the public interface does not have a filter, it applies the Public (default) filter with the preceding rules.
  • Creates or modifies a group named with the Peer IP address. If the VPN Concentrator internal authentication server has not been configured, it does so, and adds the group to the database.

All of the rules, SAs, filters, and group have default parameters or those specified on this screen. You can modify the rules and SA on the Configuration | Policy Management | Traffic Management screens, the group on the Configuration | User Management | Groups screens, and the interface on the Configuration | Interfaces screens. However, we recommend that you keep the configured defaults. You cannot delete these rules, SAs, or group individually; the system automatically deletes them when you delete the LAN-to-LAN connection.

To fully configure a LAN-to-LAN connection, you must configure identical IPSec LAN-to-LAN parameters on both VPN Concentrators, and configure mirror-image local and remote private network addresses. For example:

Configure         On this VPN Concentrator    On Peer VPN Concentrator
Local Network     10.10.0.0/0.0.255.255       11.0.0.0/0.255.255.255
Remote Network    11.0.0.0/0.255.255.255      10.10.0.0/0.0.255.255

If you use network lists, you must also configure and apply them as mirror images on the two VPN Concentrators. If you use network autodiscovery, you must use it on both VPN Concentrators.


Caution   On the Modify screen, any changes take effect as soon as you click Apply. If client sessions are using this connection, changes delete the tunnel (and the sessions) without warning.

Name

Enter a unique descriptive name for this connection. The maximum name length is 32 characters. Since the created rules and SA use this name, we recommend that you keep it short.

Interface

Add screen:

  • Click the Interface drop-down menu button and select the configured public interface on this VPN Concentrator for this end of the LAN-to-LAN connection. The list shows all interfaces that have the Public Interface parameter enabled. See Configuration | Interfaces.

Modify screen:

  • The screen shows the configured public interface on this VPN Concentrator for this end of the LAN-to-LAN connection. You cannot change the interface. To move the connection to another interface, you must delete this connection and add a new one for the other interface.

Peer

Enter the IP address of the remote peer in the LAN-to-LAN connection. This must be the IP address of the public interface on the peer VPN Concentrator. Use dotted decimal notation, for example: 192.168.34.56.

Digital Certificate

This parameter specifies whether to use preshared keys or a PKI (Public Key Infrastructure) digital identity certificate to authenticate the peer during Phase 1 IKE negotiations. See the discussion under Administration | Certificate Management.

Click the Digital Certificate drop-down menu button and choose the option. The list shows any digital certificates that have been installed, plus:

  • None (Use Preshared Keys) = Use only preshared keys to authenticate the peer during Phase 1 IKE negotiations. This is the default choice.

Certificate Transmission

If you configured authentication using digital certificates, choose the type of certificate transmission.

  • Entire certificate chain = Send the peer the identity certificate and all issuing certificates. Issuing certificates include the root certificate and any subordinate CA certificates.
  • Identity certificate only = Send the peer only the identity certificate.

Preshared Key

Enter a preshared key for this connection. Use a minimum of 4 and a maximum of 32 alphanumeric characters, for example: sZ9s14ep7. The system displays your entry in clear text.

This key becomes the password for the IPSec LAN-to-LAN group that is created, and you must enter the same key on the peer VPN Concentrator. (This is not a manual encryption or authentication key. The system automatically generates those session keys.)

Authentication

This parameter specifies the data, or packet, authentication algorithm. Packet authentication proves that data comes from whom you think it comes from; it is often referred to as "data integrity" in VPN literature. The IPSec ESP (Encapsulating Security Payload) protocol provides both encryption and authentication.

Click the Authentication drop-down menu button and choose the algorithm:

  • None = No data authentication.
  • ESP/MD5/HMAC-128 = ESP protocol using HMAC (Hashed Message Authentication Coding) with the MD5 hash function using a 128-bit key. This is the default choice.
  • ESP/SHA/HMAC-160 = ESP protocol using HMAC with the SHA-1 hash function using a 160-bit key. This choice is more secure but requires more processing overhead.

Encryption

This parameter specifies the data, or packet, encryption algorithm. Data encryption makes the data unreadable if intercepted.

Click the Encryption drop-down menu button and choose the algorithm:

  • Null = Use ESP without encryption; no packet encryption.
  • DES-56 = Use DES encryption with a 56-bit key.
  • 3DES-168 = Use Triple-DES encryption with a 168-bit key. This is the default.
  • AES-128 = Advanced Encryption Standard (AES) encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than triple DES.
  • AES-192 = AES encryption with a 192-bit key.
  • AES-256 = AES encryption with a 256-bit key.

IKE Proposal

This parameter specifies the set of attributes for Phase 1 IPSec negotiations, which are known as IKE proposals. See the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. You must configure, activate, and prioritize IKE proposals before configuring LAN-to-LAN connections.

Click the IKE Proposal drop-down menu button and choose the IKE proposal. The list shows only active IKE proposals in priority order. Cisco-supplied default active proposals are:

  • CiscoVPNClient-3DES-MD5 = Use preshared keys (XAUTH) and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 2 to generate SA keys. This choice allows XAUTH user-based authentication and is the default.
  • IKE-3DES-MD5 = Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 2 to generate SA keys.
  • IKE-3DES-MD5-DH1 = Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 1 to generate SA keys. This choice is compatible with the Cisco VPN 3000 Client.
  • IKE-DES-MD5 = Use preshared keys and MD5/HMAC-128 for authentication. Use DES-56 encryption. Use D-H Group 1 to generate SA keys. This choice is compatible with the Cisco VPN 3000 Client.
  • IKE-3DES-MD5-DH7 = Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 7 (ECC) to generate SA keys. This IKE proposal is intended for use with the movianVPN client; it can also be used with any peer that supports ECC groups for D-H.
  • IKE-3DES-MD5-RSA = Use RSA digital certificate and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 2 to generate SA keys.
  • IKE-AES128-SHA = Use preshared keys and SHA/HMAC-160 for authentication. Use AES-128 for encryption. Use D-H Group 2 or Group 5 to generate SA keys.

Filter

Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the VPN Concentrator, based on criteria such as source address, destination address, and protocol. Cisco supplies three default filters, which you can modify. To configure filters and rules, see the Configuration | Policy Management | Traffic Management screens.

Click the Filter drop-down menu button and select the filter:

  • --None-- = No filter applied, which means there are no restrictions on tunneled data traffic. This is the default selection.
  • Private (Default) = Allow all packets except source-routed IP packets. (This is the default filter for the private Ethernet interface.)
  • Public (Default) = Allow inbound and outbound tunneling protocols plus ICMP and VRRP. Allow fragmented IP packets. Drop everything else, including source-routed packets. (This is the default filter for the public Ethernet interface.)
  • External (Default) = No rules applied to this filter. Drop all packets. (This is the default filter for the external Ethernet interface.)

Additional filters that you have configured also appear on the list.

IPSec NAT-T

NAT-T (NAT Traversal) lets IPSec peers establish a LAN-to-LAN connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPSec traffic when necessary.

The VPN Concentrator implementation of NAT-T supports IPSec peers behind a single NAT/PAT device as follows:

  • One Microsoft L2TP/IPSec client (can support other remote access clients and one L2TP/IPSec client).
  • One LAN-to-LAN connection.
  • Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both.

To use NAT-T you must:

  • Open port 4500 on any firewall you have configured in front of a VPN Concentrator.
  • Reconfigure previous IPSec/UDP settings using port 4500 to a different port.
  • Enable IPSec over NAT-T globally in the Configuration | System | Tunneling Protocols | IPSec | NAT Transparency screen.
  • Select the second or third option for the Fragmentation Policy parameter in the Configuration | Interfaces | Ethernet screen. These options let traffic travel across NAT devices that do not support IP fragmentation; they do not impede the operation of NAT devices that do support IP fragmentation.

Check the box to enable NAT-T for this LAN-to-LAN connection.

Bandwidth Policy

Select a bandwidth policy to apply to this IPSec LAN-to-LAN connection from the drop-down list. If there are no policies in this list, you must go to Configuration | Policy Management | Traffic Management | Bandwidth Policies and define one or more policies. If you do not want to select a policy here, then select None. For more information on the Bandwidth Management feature, see the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify screen.

Routing

The VPN Concentrator provides two ways to advertise static LAN-to-LAN routes.

  • Reverse Route Injection = The local VPN Concentrator adds the addresses of one or more remote networks to its routing table and advertises these entries to specified networks on the local LAN. If you choose this option, specify the Local and Remote Network parameters that follow. Then, enable RIP or OSPF on the private interface.
  • Network Autodiscovery = This feature dynamically discovers and continuously updates the private network addresses on each side of the LAN-to-LAN connection. This feature uses RIP. You must enable Inbound RIP RIPv2/v1 on the Ethernet 1 (Private) interface of both VPN Concentrators. (See the "Configuration | Interfaces" section.) If you choose this option, skip the Local and Remote Network parameters; they are ignored.
  • None = Do not advertise static LAN-to-LAN routes.

Local Network

These entries identify the private network on this VPN Concentrator, the hosts of which can use the LAN-to-LAN connection.

  • These entries must match those in the Remote Network section on the peer VPN Concentrator.
  • If you are using a LAN-to-LAN NAT rule, this is the translated network address.

Network List

Click the Network List drop-down menu button and choose the configured network list that specifies the local network addresses. A network list is a list of network addresses that are treated as a single object. See the Configuration | Policy Management | Traffic Management | Network Lists screens. Otherwise, you can choose:

  • Use IP Address/Wildcard-mask below, which lets you enter a network address.
  • Create new Network List (on Add screen only), which lets you create a network list of local network addresses. The Manager automatically opens the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Local Network List screen when you click Add; see description below.

If you choose a configured network list, the Manager ignores entries in the IP Address and Wildcard Mask fields.


Note   An IP address is used with a wildcard mask to provide the desired granularity. A wildcard mask is the reverse of a subnet mask. In other words, the wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example:
0.0.0.0/255.255.255.255 = any address
10.10.1.35/0.0.0.0 = only 10.10.1.35
10.10.1.35/0.0.0.255 = all 10.10.1.nnn addresses

IP Address

Enter the IP address of the private local network on this VPN Concentrator. Use dotted decimal notation, for example: 10.10.0.0.

Wildcard Mask

Enter the wildcard mask for the private local network. Use dotted decimal notation, for example: 0.0.255.255. The system supplies a default wildcard mask appropriate to the IP address class.

Remote Network

These entries identify the private network on the remote peer VPN Concentrator whose hosts can use the LAN-to-LAN connection.

  • These entries must match those in the Local Network section on the peer VPN Concentrator.
  • If you are using a LAN-to-LAN NAT rule, this is the remote network address.

Network List

Click the Network List drop-down menu button and choose the configured network list that specifies the remote network addresses. A network list is a list of network addresses that are treated as a single object. See the Configuration | Policy Management | Traffic Management | Network Lists screens. Otherwise, you can choose:

  • Use IP Address/Wildcard-mask, which lets you enter a network address.
  • Create new Network List (on Add screen only), which lets you create a network list of remote network addresses. The Manager automatically opens the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Remote Network List screen when you click Add; see description below.

If you choose a configured network list, the Manager ignores entries in the IP Address and Wildcard-mask fields.

See the preceding wildcard mask note.

IP Address

Enter the IP address of the private network on the remote peer VPN Concentrator. Use dotted decimal notation, for example: 11.0.0.1.

Wildcard Mask

Enter the wildcard mask for the private remote network. Use dotted decimal notation, for example: 0.255.255.255. The system supplies a default wildcard mask appropriate to the IP address class.

Add or Apply / Cancel

  • Add screen: To add this connection to the list of configured LAN-to-LAN connections, click Add. If you are creating new network lists, the Manager automatically displays the appropriate Local or Remote Network List screens. Otherwise, the Manager displays the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Done screen.
  • Modify screen: To apply your changes to this LAN-to-LAN connection, click Apply. The Manager returns to the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screen.

Caution   Any changes take effect as soon as you click Apply. If client sessions are using this connection, changes delete the tunnel (and the sessions) without warning.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screen, and the LAN-to-LAN Connection list is unchanged.

Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add | Local or Remote Network List

These screens let you configure and add network lists for the Local Network or Remote Network of a new IPSec LAN-to-LAN connection. The Manager automatically opens these screens if you choose Create new Network List under Network List on the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add screen.

A network list is a list of network addresses that are treated as a single object. See the Configuration | Policy Management | Traffic Management | Network Lists screens also.

On the Local Network List screen, the Manager can automatically generate a network list using the valid network routes in the routing table for the Ethernet 1 (Private) interface of this VPN Concentrator. (See Monitoring | Routing Table.)

A single network list can contain a maximum of 10 network entries.


Figure 7-8   Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Local or Remote Network List Screen


List Name

The Manager supplies a default name that identifies the list as a LAN-to-LAN local or remote list, which we recommend you keep. Otherwise, enter a unique name for this network list. The maximum name length is 48 characters. Entries are case-sensitive. Spaces are allowed.

If you use the Generate Local List feature on the Local Network List screen, edit this name after the system generates the network list.

Network List

Enter the networks in this network list. Enter each network on a single line using the format n.n.n.n/w.w.w.w, where n.n.n.n is the network IP address and w.w.w.w is the wildcard mask.


Note   Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example, 10.10.1.0/0.0.0.255 = all 10.10.1.nnn addresses.

If you omit the wildcard mask, the Manager supplies the default wildcard mask for the class of the network address. For example, 192.168.12.0 is a Class C address, and default wildcard mask is 0.0.0.255.

You can enter a maximum of 200 networks in a single network list.
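The wildcard-mask rule from the notes above (ones are ignored, zeros must match), the classful default the Manager supplies when the mask is omitted, and the n.n.n.n/w.w.w.w Network List format, worked through as an added Python illustration that is not Cisco's code; the 200-entry limit and the "Local must mirror the peer's Remote" rule are checked too, and all sample addresses are constructed.

```python
"""Wildcard-mask matching and network-list handling as described for the
LAN-to-LAN Local/Remote Network entries (added illustration, not Cisco code)."""
import ipaddress
from typing import Optional

MAX_LIST_ENTRIES = 200           # limit stated for one network list
ANY = "0.0.0.0/255.255.255.255"  # the page's "any address" entry


def default_wildcard(address: str) -> str:
    """Classful default wildcard mask the Manager supplies when none is given
    (e.g. 192.168.12.0 is Class C, so the default is 0.0.0.255)."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:        # Class A
        return "0.255.255.255"
    if first_octet < 192:        # Class B
        return "0.0.255.255"
    if first_octet < 224:        # Class C
        return "0.0.0.255"
    raise ValueError(f"no classful default wildcard for {address}")


def parse_entry(entry: str) -> tuple:
    """Parse one 'n.n.n.n/w.w.w.w' line (mask optional) into (address, wildcard) ints."""
    if "/" in entry:
        addr, wild = entry.split("/", 1)
    else:
        addr, wild = entry, default_wildcard(entry)
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))


def matches(ip: str, entry: str) -> bool:
    """Wildcard semantics: one bits in the mask are ignored, zero bits must match."""
    addr, wild = parse_entry(entry)
    care = ~wild & 0xFFFFFFFF            # the bit positions that are compared
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def parse_network_list(text: str) -> list:
    """Parse the multi-line Network List field, enforce the 200-entry limit and
    normalise each entry by zeroing ignored bits, so that two spellings of the
    same network (10.10.0.0 and 10.10.1.35 with mask 0.255.255.255) compare equal."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        addr, wild = parse_entry(line)
        entries.append((addr & (~wild & 0xFFFFFFFF), wild))
    if len(entries) > MAX_LIST_ENTRIES:
        raise ValueError(f"{len(entries)} entries; maximum is {MAX_LIST_ENTRIES}")
    return entries


def lists_mirror(local_list: str, peer_remote_list: str) -> bool:
    """The Local Network entries here must match the Remote Network entries on
    the peer; compare normalised sets so order and spelling do not matter."""
    return set(parse_network_list(local_list)) == set(parse_network_list(peer_remote_list))


def first_match(ip: str, network_list: str) -> Optional[str]:
    """Return the first list entry that covers ip, or None if no entry does."""
    for line in network_list.splitlines():
        if line.strip() and matches(ip, line.strip()):
            return line.strip()
    return None
```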

Generate Local List

On the Local Network List screen, click the Generate Local List button to have the Manager automatically generate a network list using the first 200 valid network routes in the routing table for the Ethernet 1 (Private) interface of this VPN Concentrator. (See Monitoring | Routing Table.) The Manager refreshes the screen after it generates the list, and you can then edit the Network List and the List Name.

Add

To add this network list to the configured network lists, click Add. The Manager displays either the Remote Network List screen or the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Done screen.

Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add | Done

The Manager displays this screen when you have finished configuring all parameters for a new IPSec LAN-to-LAN connection. It documents the added configuration entities.

The Manager displays this screen only once. We suggest you print a copy of the screen to save it for your records.

To examine or modify an entity, see the appropriate screen:

  • Group: See Configuration | User Management | Groups.
  • Security Association: See Configuration | Policy Management | Traffic Management | Security Associations.
  • Filter Rules: See Configuration | Policy Management | Traffic Management | Rules.

You cannot delete the group, SA, or rules individually, nor can you remove the rules from their filter. The system automatically deletes them when you delete the LAN-to-LAN connection.


Figure 7-9   Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Done Screen


OK

To close this screen and return to the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screen, click OK. The LAN-to-LAN Connection list shows the new connection, and the Manager includes all the new settings in the active configuration.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | System | Tunneling Protocols | IPSec | IKE Proposals

This section of the Manager lets you configure, add, modify, activate, deactivate, delete, and prioritize IKE proposals, which are sets of parameters for Phase 1 IPSec negotiations. During Phase 1, the two peers establish a secure tunnel within which they then negotiate the Phase 2 parameters.

The VPN Concentrator uses IKE proposals both as initiator and responder in IPSec negotiations. In LAN-to-LAN connections, the VPN Concentrator can function as initiator or responder. In client-to-LAN connections, the VPN Concentrator functions only as responder.

You must configure, activate, and prioritize IKE proposals before you configure IPSec Security Associations. See Configuration | Policy Management | Traffic Management | Security Associations, or click the Security Associations link on this screen.

You must also configure and activate IKE proposals before configuring IPSec LAN-to-LAN connections. See Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN.

You can configure a maximum of 150 IKE proposals total (active and inactive).


Figure 7-10   Configuration | System | Tunneling Protocols | IPSec | IKE Proposals Screen


Cisco supplies default IKE proposals that you can use or modify; see Table 7-2. The documentation for the Cisco VPN Client and for the VPN 3002 Hardware Client each include a table of all valid IKE proposals for remote access connections. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add for explanations of the parameters.

Table 7-2   Cisco-Supplied Default IKE Proposals: Proposals Active by Default

Proposal Name                Authentication Mode              Authentication Algorithm  Encryption Algorithm  Diffie-Hellman Group      Lifetime Measurement  Data Lifetime  Time Lifetime

CiscoVPNClient-3DES-MD5      Preshared Keys (XAUTH)           MD5/HMAC-128              3DES-168              Group 2 (1024-bits)       Time                  10000 KB       86400 sec
IKE-3DES-MD5                 Preshared Keys                   MD5/HMAC-128              3DES-168              Group 2 (1024-bits)       Time                  10000 KB       86400 sec
IKE-3DES-MD5-DH1             Preshared Keys                   MD5/HMAC-128              3DES-168              Group 1 (768-bits)        Time                  10000 KB       86400 sec
IKE-DES-MD5                  Preshared Keys                   MD5/HMAC-128              DES-56                Group 1 (768-bits)        Time                  10000 KB       86400 sec
IKE-3DES-MD5-DH7             Preshared Keys                   MD5/HMAC-128              3DES-168              Group 7 (ECC) (163-bits)  Time                  10000 KB       86400 sec
IKE-3DES-MD5-RSA             RSA Digital Certificate          MD5/HMAC-128              3DES-168              Group 2 (1024-bits)       Time                  10000 KB       86400 sec
IKE-AES128-SHA               Preshared Keys                   SHA/HMAC-160              AES-128               Group 2 (1024-bits)       Time                  10000 KB       86400 sec
CiscoVPNClient-AES128-SHA    Preshared Keys                   SHA/HMAC-160              AES-128               Group 2 (1024-bits)       Time                  10000 KB       86400 sec
CiscoVPNClient-3DES-MD5-DH5  3DES-168                         MD5/HMAC-128              3DES-168              Group 5 (1536-bits)       Time                  10000 KB       86400 sec

Table 7-3   Cisco-Supplied Default IKE Proposals: Proposals Inactive by Default

Proposal Name                Authentication Mode              Authentication Algorithm  Encryption Algorithm  Diffie-Hellman Group      Lifetime Measurement  Data Lifetime  Time Lifetime

IKE-3DES-SHA-DSA             RSA Digital Certificate          SHA/HMAC-160              3DES-168              Group 2 (1024-bits)       Time                  10000 KB       86400 sec
IKE-3DES-MD5-RSA-DH1         RSA Digital Certificate          MD5/HMAC-128              3DES-168              Group 1 (768-bits)        Time                  10000 KB       86400 sec
IKE-DES-MD5-DH7              Preshared Keys                   MD5/HMAC-128              DES-56                Group 7 (ECC) (163-bits)  Time                  10000 KB       86400 sec
CiscoVPNClient-3DES-MD5-RSA  RSA Digital Certificate (XAUTH)  MD5/HMAC-128              3DES-168              Group 2 (1024-bits)       Time                  10000 KB       86400 sec
CiscoVPNClient-3DES-SHA-DSA  DSA Digital Certificate (XAUTH)  SHA/HMAC-160              3DES-168              Group 2 (1024-bits)       Time                  10000 KB       86400 sec
CiscoVPNClient-AES256-SHA    Preshared Keys                   SHA/HMAC-160              AES-256               Group 2 (1024-bits)       Time                  10000 KB       86400 sec
IKE-AES256-SHA               Preshared Keys                   SHA/HMAC-160              AES-256               Group 2 (1024-bits)       Time                  10000 KB       86400 sec

Active Proposals

The field shows the names of IKE proposals that have been configured, activated, and prioritized. As an IPSec responder, the VPN Concentrator checks these proposals in priority order, to see if it can find one that agrees with parameters in the initiator's proposed SA.

Activating a proposal also makes it available for use wherever the Manager displays an IKE Proposal list, and the first active proposal appears as the default selection.

Inactive Proposals

The field shows the names of IKE proposals that have been configured but are inactive. New proposals appear in this list when you first configure and add them. The VPN Concentrator does not use these proposals in any IPSec negotiations, nor do they appear in IKE Proposal lists.


Note   To configure L2TP over IPSec, you must activate IKE-3DES-MD5-RSA. Also see the Configuration | User Management screens.

<< Activate

To activate an inactive IKE proposal, select it from the Inactive Proposals list and click the <<Activate button. The Manager moves the proposal to the Active Proposals list and refreshes the screen.

>> Deactivate

To deactivate an active IKE proposal, select it from the Active Proposals list and click the >>Deactivate button. If the active proposal is configured on a Security Association, the Manager displays an error message; and you must remove it from the SA before you can deactivate it. Otherwise, the Manager moves the proposal to the Inactive Proposals list and refreshes the screen.

Move Up / Move Down

To change the priority order of an active IKE proposal, select it from the Active Proposals list and click Move Up or Move Down. The Manager refreshes the screen and shows the reordered Active Proposals list. These actions move the proposal up or down one position.

Add

To configure and add a new IKE proposal to the list of Inactive Proposals, click the Add button. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add.

Modify

To modify a configured IKE proposal, select it from either Active Proposals or Inactive Proposals and click the Modify button. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Modify. Modifying an active proposal does not affect connections currently using it, but changes do affect subsequent connections.

Copy

To use a configured IKE proposal as the basis for configuring and adding a new one, select it from either Active Proposals or Inactive Proposals and click the Copy button. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Copy. The new proposal appears in the Inactive Proposals list.

Delete

To delete a configured IKE proposal, select it from either Active Proposals or Inactive Proposals and click the Delete button. If an active proposal is configured on a Security Association, the Manager displays an error message; and you must remove it from the SA before you can delete it. Otherwise, there is no confirmation or undo. The Manager refreshes the screen and shows the remaining IKE proposals in the list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add, Modify, or Copy

These screens let you:

  • Add: Configure and add a new inactive IKE proposal.
  • Modify: Modify a previously configured IKE proposal.
  • Copy: Copy a configured IKE proposal, modify its parameters, save it with a new name, and add it to the configured inactive IKE proposals.

You can configure a maximum of 150 IKE proposals total (active and inactive), and you can make any number of them active.


Figure 7-11   Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add, Modify, or Copy Screen


Proposal Name

Enter a unique name for this IKE proposal. The maximum name length is 48 characters. Entries are case-sensitive. Spaces are allowed.

Authentication Mode

This parameter specifies how to authenticate the remote client or peer. Authentication proves that the connecting entity is the one you think it is. If you select one of the digital certificate modes, an appropriate digital certificate must be installed on this VPN Concentrator and the remote client or peer. See the discussion under Administration | Certificate Management.

Click the Authentication Mode drop-down menu button and choose the method:

  • Preshared Keys = Use preshared keys (the default). The keys are derived from the password of the user's or peer's group.
  • RSA Digital Certificate = Use a digital certificate with keys generated by the RSA algorithm.
  • DSA Digital Certificate = Use a digital certificate with keys generated by the DSA algorithm.
  • Preshared Keys (XAUTH) = Use preshared keys (the default). The keys are derived from the password of the user's or peer's group. Require user-based authentication via XAUTH.
  • RSA Digital Certificate (XAUTH) = Use a digital certificate with keys generated by the RSA algorithm. Require user-based authentication via XAUTH.
  • DSA Digital Certificate (XAUTH) = Use a digital certificate with keys generated by the DSA algorithm. Require user-based authentication via XAUTH.

Authentication Algorithm

This parameter specifies the data, or packet, authentication algorithm. Packet authentication proves that data comes from the source you think it comes from.

Click the Authentication Algorithm drop-down menu button and choose one of the following algorithms:

  • MD5/HMAC-128 = HMAC (Hashed Message Authentication Coding) with the MD5 hash function using a 128-bit key. This is the default choice.
  • SHA/HMAC-160 = HMAC with the SHA-1 hash function using a 160-bit key. This choice is more secure but requires more processing overhead.

Encryption Algorithm

This parameter specifies the data, or packet, encryption algorithm. Data encryption makes the data unreadable if intercepted.

Click the Encryption Algorithm drop-down menu button and choose the algorithm:

  • DES-56 = Data Encryption Standard (DES) encryption with a 56-bit key.
  • 3DES-168 = Triple-DES encryption with a 168-bit key. This is the default.
  • AES-128 = Advanced Encryption Standard (AES) encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than triple DES.
  • AES-192 = AES encryption with a 192-bit key.
  • AES-256 = AES encryption with a 256-bit key.

When you select an encryption algorithm, the Manager selects and displays the default Diffie-Hellman group for that encryption algorithm. You can

Diffie-Hellman Group

This parameter specifies the Diffie-Hellman group used to generate IPSec SA keys. The Diffie-Hellman technique generates keys using prime numbers and "generator" numbers in a mathematical relationship. When you choose an encryption algorithm, the Manager automatically selects the default Diffie-Hellman group for that algorithm; you can change the group here if you want, subject to the constraints noted below.


Note   For the VPN 3002 Hardware Client: In order to use Group 1 or Group 5, you must be using digital certificates. Otherwise, only Group 2 is available. To use Group 1 or 5, make sure there is a digital certificate installed on the VPN 3002; and on the VPN Concentrator, choose one of the digital certificate authentication options under Authentication Mode.

Click the Diffie-Hellman Group drop-down menu button and choose the group:

  • Group 1 (768-bits) = Use Diffie-Hellman Group 1 to generate IPSec SA keys, where the prime and generator numbers are 768 bits. Choose this option if you select DES-56 under Encryption Algorithm.
  • Group 2 (1024-bits) = Use Diffie-Hellman Group 2 to generate IPSec SA keys, where the prime and generator numbers are 1024 bits. This is the default choice for use with the 3DES-168 Encryption Algorithm.
  • Group 5 (1536-bits) = Use Diffie-Hellman Group 5 to generate IPSec SA keys, where the prime and generator numbers are 1536 bits. This is the default choice for use with the AES encryption algorithms. It works only for LAN-to-LAN connections, and for clients using certificates.
  • Group 7 (ECC) = Use Diffie-Hellman Group 7 to generate IPSec SA keys, where the elliptical curve field size is 163 bits. You can use this option with any encryption algorithm. This option is intended for use with the movianVPN client, but you can use it with any peers that support Group 7 (ECC).

Lifetime Measurement

This parameter specifies how to measure the lifetime of the IKE SA keys, which is how long the IKE SA lasts until it expires and must be renegotiated with new keys. It is used with the Data Lifetime or Time Lifetime parameters.


Note   If the peer proposes a shorter lifetime measurement, the VPN Concentrator uses that lifetime measurement instead.

Click the Lifetime Measurement drop-down menu button and choose the measurement method:

  • Time = Use time (seconds) to measure the lifetime of the SA (the default). Configure the Time Lifetime parameter below.
  • Data = Use data (number of kilobytes) to measure the lifetime of the SA. Configure the Data Lifetime parameter below.
  • Both = Use both time and data, whichever occurs first, to measure the lifetime. Configure both Time Lifetime and Data Lifetime parameters.
  • None = No lifetime measurement. The SA lasts until terminated for other reasons. It lasts a maximum of 86400 seconds (24 hours).

Data Lifetime

If you choose Data or Both under Lifetime Measurement, enter the number of kilobytes of payload data after which the IKE SA expires. The minimum number is 10 KB. The default number is 10000 KB. The maximum number is 2147483647 KB.

Time Lifetime

If you choose Time or Both under Lifetime Measurement, enter the number of seconds after which the IKE SA expires. The minimum number is 60 seconds. The default number is 86400 seconds (24 hours). The maximum number is 2147483647 seconds (about 68 years).
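How the responder-side matching described under Active Proposals interacts with the lifetime rules on this screen (peer's shorter lifetime wins; None still expires after 24 hours; Data and Time bounds), as an added Python illustration that is not the VPN Concentrator's code. The active list is built from Table 7-2 names; the initiator's offer is constructed, and the point it makes is that the responder's own priority order, not the peer's, decides which proposal is chosen.

```python
"""Responder-side IKE proposal selection in Active Proposals priority order,
plus the lifetime rules on this screen. Added illustration; not Cisco code."""
from dataclasses import dataclass
from typing import Optional

DATA_MIN_KB, DATA_DEFAULT_KB, DATA_MAX_KB = 10, 10_000, 2_147_483_647
TIME_MIN_SEC, TIME_DEFAULT_SEC, TIME_MAX_SEC = 60, 86_400, 2_147_483_647
NONE_CAP_SEC = 86_400    # Lifetime Measurement "None" still lasts at most 24 hours


@dataclass(frozen=True)
class IkeProposal:
    name: str
    auth_mode: str             # e.g. "Preshared Keys", "RSA Digital Certificate"
    auth_alg: str              # "MD5/HMAC-128" or "SHA/HMAC-160"
    encryption: str            # "DES-56", "3DES-168", "AES-128", "AES-192", "AES-256"
    dh_group: int              # 1, 2, 5 or 7
    lifetime_measure: str = "Time"      # "Time", "Data", "Both" or "None"
    data_lifetime_kb: int = DATA_DEFAULT_KB
    time_lifetime_sec: int = TIME_DEFAULT_SEC

    def validate(self) -> None:
        """Enforce the Data Lifetime / Time Lifetime ranges given on this screen."""
        if self.lifetime_measure in ("Data", "Both") and not (
                DATA_MIN_KB <= self.data_lifetime_kb <= DATA_MAX_KB):
            raise ValueError(f"{self.name}: data lifetime out of range")
        if self.lifetime_measure in ("Time", "Both") and not (
                TIME_MIN_SEC <= self.time_lifetime_sec <= TIME_MAX_SEC):
            raise ValueError(f"{self.name}: time lifetime out of range")

    def transform(self) -> tuple:
        """The parameters that must agree between responder and initiator."""
        return (self.auth_mode, self.auth_alg, self.encryption, self.dh_group)


def _time_limit(p: IkeProposal) -> Optional[int]:
    if p.lifetime_measure in ("Time", "Both"):
        return p.time_lifetime_sec
    return NONE_CAP_SEC if p.lifetime_measure == "None" else None


def _data_limit(p: IkeProposal) -> Optional[int]:
    return p.data_lifetime_kb if p.lifetime_measure in ("Data", "Both") else None


def _shorter(a: Optional[int], b: Optional[int]) -> Optional[int]:
    present = [v for v in (a, b) if v is not None]
    return min(present) if present else None


def negotiated_lifetime(ours: IkeProposal, peer: IkeProposal) -> dict:
    """If the peer proposes a shorter lifetime, that lifetime is used instead."""
    return {"seconds": _shorter(_time_limit(ours), _time_limit(peer)),
            "kilobytes": _shorter(_data_limit(ours), _data_limit(peer))}


def select_proposal(active: list, offered: list) -> Optional[tuple]:
    """As responder: walk our Active Proposals in priority order and return the
    first whose parameters agree with any proposal the initiator offered."""
    for ours in active:
        ours.validate()
        for theirs in offered:
            if ours.transform() == theirs.transform():
                return ours, negotiated_lifetime(ours, theirs)
    return None


# Active Proposals in priority order, named after Table 7-2 (constructed sample).
ACTIVE = [
    IkeProposal("CiscoVPNClient-3DES-MD5", "Preshared Keys (XAUTH)", "MD5/HMAC-128", "3DES-168", 2),
    IkeProposal("IKE-3DES-MD5", "Preshared Keys", "MD5/HMAC-128", "3DES-168", 2),
    IkeProposal("IKE-AES128-SHA", "Preshared Keys", "SHA/HMAC-160", "AES-128", 2),
]

# Constructed initiator offer: AES listed first, 3DES second, 8-hour lifetime on both.
OFFERED = [
    IkeProposal("peer-aes", "Preshared Keys", "SHA/HMAC-160", "AES-128", 2, time_lifetime_sec=28_800),
    IkeProposal("peer-3des", "Preshared Keys", "MD5/HMAC-128", "3DES-168", 2, time_lifetime_sec=28_800),
]

if __name__ == "__main__":
    chosen, life = select_proposal(ACTIVE, OFFERED)
    # Our order decides: IKE-3DES-MD5 is chosen although the peer listed AES first,
    # so put the proposals you prefer at the top of the Active Proposals list.
    print(chosen.name, life)
```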

Add or Apply / Cancel

Add or Copy screen:

  • To add this IKE proposal to the list of Inactive Proposals, click Add or Apply. The Manager returns to the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. To use the new proposal, you must activate and prioritize it as explained for that screen.

Modify screen:

  • To apply your changes to this IKE proposal, click Apply. The Manager returns to the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. If you modify an active proposal, changes do not affect connections currently using it, but they do affect subsequent connections.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen, and the IKE proposals lists are unchanged.

Configuration | System | Tunneling Protocols | IPSec | NAT Transparency

This screen lets you configure NAT Transparency, which consists of IPSec over TCP and IPSec over NAT Traversal (NAT-T).


Figure 7-12   Configuration | System | Tunneling Protocols | IPSec | NAT Transparency Screen


IPSec over TCP

IPSec over TCP enables a VPN client to operate in an environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, UDP 500) cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and enables secure tunneling through both NAT and PAT devices and firewalls.


Note   This feature does not work with proxy-based firewalls.

IPSec over TCP works with both the VPN software client and the VPN 3002 hardware client. It works only on the public interface. It is a client to Concentrator feature only. It does not work for LAN-to-LAN connections.

  • The VPN Concentrator can simultaneously support standard IPSec, IPSec over TCP, NAT-Traversal, and IPSec over UDP, depending on the client with which it is exchanging data.
  • The VPN 3002 hardware client, which supports one tunnel at a time, can connect using standard IPSec, IPSec over TCP, NAT-Traversal, or IPSec over UDP.
  • When enabled, IPSec over TCP takes precedence over all other methods.
  • When both NAT-T and IPSec over UDP are enabled, NAT-T takes precedence.

To use IPSec over TCP, both the VPN Concentrator and the client must:

  • Be running version 3.5 or later software.
  • Enable IPSec over TCP.
  • Configure the same port for IPSec over TCP on both the Concentrator and the client.

You enable IPSec over TCP on both the Concentrator and the client to which it connects. For software clients, refer to the VPN Client User Guide for configuration instructions. For the VPN 3002 hardware client, refer to the VPN 3002 Hardware Client Getting Started guide, and to the VPN 3002 Hardware Client Reference.

If you enter a well-known port, for example port 80 (HTTP) or port 443 (HTTPS), the system displays a warning that the protocol associated with that port will no longer work on the public interface. The consequence is that you can no longer use a browser to manage the VPN Concentrator through the public interface. To solve this problem, reconfigure the HTTP/HTTPS management to different ports.

You must configure TCP port(s) on the client as well as on the VPN Concentrator. The client configuration must include at least one of the ports you set for the VPN Concentrator here.

Check the box to enable IPSec over TCP.

TCP Port(s)

Enter up to 10 ports, using a comma to separate the ports. You do not need to use spaces. The default port is 10,000. The range is 1 to 65,635.

IPSec over NAT-T

NAT-T (NAT Traversal) lets IPSec peers establish a connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPSec traffic when necessary.

Both the VPN Client and the VPN 3002 hardware client support NAT-T in software version 3.6 and later.

  • To enable NAT-T on the VPN Client, see the VPN Client Administrator Guide.
  • The VPN 3002 uses NAT-T by default, and requires no configuration.

Remote access clients that support both NAT-T and IPSec/UDP methods first attempt NAT-T, and then IPSec/UDP (if enabled) if a NAT device is not auto-detected, allowing IPSec traffic to pass through firewalls that disallow IPSec.

The VPN Concentrator implementation of NAT-T supports IPSec peers behind a single NAT/PAT device as follows:

  • One Microsoft L2TP/IPSec client.
  • One LAN-to-LAN connection.
  • Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both.

To use NAT-T you must:

  • Open port 4500 on any firewall you have configured in front of a VPN Concentrator.
  • Reconfigure previous IPSec/UDP configurations using port 4500 to a different port.
  • Select the second or third option for the Fragmentation Policy parameter in the Configuration | Interfaces | Ethernet screen. These options let traffic travel across NAT devices that do not support IP fragmentation; they do not impede the operation of NAT devices that do support IP fragmentation.
  • Check the box in this screen to Enable IPSec over NAT-T.

Check the box to enable IPSec over NAT Traversal.
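The checks this screen describes for IPSec over TCP (up to 10 comma-separated ports, the well-known-port warning, at least one port shared with the client) and the precedence among IPSec over TCP, NAT-T and IPSec over UDP, as an added Python illustration that is not the VPN Concentrator's code; port lists in the tests are constructed.

```python
"""IPSec over TCP port-list checks and NAT Transparency method precedence as
described on this screen. Added illustration; not the VPN Concentrator's code."""
from typing import Optional

MAX_TCP_PORTS = 10
DEFAULT_TCP_PORT = 10_000
NAT_T_UDP_PORT = 4500
MANAGEMENT_PORTS = {80: "HTTP", 443: "HTTPS"}   # well-known ports the screen warns about


def parse_tcp_ports(field: str) -> list:
    """Parse the TCP Port(s) field: up to 10 comma-separated ports, spaces optional."""
    text = field.strip()
    if not text:
        return [DEFAULT_TCP_PORT]
    ports = []
    for token in text.split(","):
        token = token.strip()
        if not token.isdigit() or not 1 <= int(token) <= 65535:   # 16-bit TCP port space
            raise ValueError(f"invalid TCP port {token!r}")
        ports.append(int(token))
    if len(ports) > MAX_TCP_PORTS:
        raise ValueError(f"{len(ports)} ports given; maximum is {MAX_TCP_PORTS}")
    return ports


def management_warnings(ports: list) -> list:
    """The screen's warning: a well-known port used for IPSec over TCP stops that
    protocol (and so browser management) on the public interface."""
    return [f"port {p} ({name}) will no longer work on the public interface; "
            f"move {name} management to another port"
            for p, name in MANAGEMENT_PORTS.items() if p in ports]


def client_port_ok(concentrator_ports: list, client_ports: list) -> bool:
    """The client must be configured with at least one of the Concentrator's ports."""
    return bool(set(concentrator_ports) & set(client_ports))


def udp_port_conflicts_with_nat_t(ipsec_udp_port: Optional[int]) -> bool:
    """An existing IPSec/UDP configuration on 4500 must move before NAT-T is used."""
    return ipsec_udp_port == NAT_T_UDP_PORT


def select_method(ipsec_over_tcp: bool, nat_t: bool, ipsec_over_udp: bool,
                  nat_detected: bool) -> str:
    """Precedence from this screen: IPSec over TCP beats everything; NAT-T beats
    IPSec/UDP but only encapsulates when a NAT device is detected; otherwise the
    client falls back to IPSec/UDP (if enabled) or to standard IPSec."""
    if ipsec_over_tcp:
        return "IPSec over TCP"
    if nat_t and nat_detected:
        return "NAT-T (UDP 4500)"
    if ipsec_over_udp:
        return "IPSec over UDP"
    return "standard IPSec (IKE UDP 500 + ESP protocol 50)"
```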