VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.0
Policy Management
Managing a VPN, and protecting the integrity and security of network resources, includes carefully designing and implementing policies that govern who can use the VPN, when, and what data traffic can flow through it. User management deals with "who can use it"; see "User Management" for that discussion. Policy management deals with "when" and "what data traffic can flow through it"; this section covers those topics. You configure when remote users access the VPN under Access Hours. You configure "what data traffic can flow through it" under Traffic Management.

The Cisco VPN 3000 Concentrator hierarchy is straightforward: you use filters that consist of rules, and for IPSec rules you apply Security Associations (SAs). Therefore, you first configure rules and SAs, then use them to construct filters.

Basically, a filter determines whether to forward or drop a data packet traversing the system. It examines the data packet in accordance with one or more rules—direction, source address, destination address, ports, and protocol—which determine whether to forward, apply IPSec and forward, or drop. It examines the rules in the order they are arranged on the filter.

You apply filters to Ethernet interfaces, and thus govern all traffic through an interface. You also apply filters to groups and users, and thus govern tunneled traffic through an interface. If you are applying different filters to a large number of groups or users, you might find it more convenient to configure filters on an external RADIUS server.
For more information on configuring the VPN Concentrator to use external filters, see Monitoring | Dynamic Filters in VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring.

With IPSec, the VPN Concentrator negotiates Security Associations during tunnel establishment that govern authentication, key management, encryption, encapsulation, and so on. Thus IPSec also determines how to transform a data packet before forwarding it. You apply Security Associations to IPSec rules when you include those rules in a filter, and you apply SAs to groups and users.

The VPN Concentrator also lets you create network lists, which are lists of network addresses that are treated as a single object. These lists simplify the configuration of rules for complex networks. You can also use them to configure split tunneling for groups and users, and to configure IPSec LAN-to-LAN connections.

To fully configure the VPN Concentrator, you should first develop policies (network lists, rules, SAs, and filters), since they affect Ethernet interfaces, groups, and users. Once you have developed policies, we recommend that you configure and apply filters to interfaces before you configure groups and users.

Traffic management on the VPN Concentrator also includes NAT (Network Address Translation) functions that translate private network addresses into legitimate public network addresses. Again, you develop rules to configure and use NAT.

Configuration | Policy Management

This section of the Manager lets you configure policies that apply to groups, users, and VPN Concentrator Ethernet interfaces.
Figure 15-1 Configuration | Policy Management Screen

Configuration | Policy Management | Access Hours

This section of the Manager lets you configure access times, to control when remote-access groups and users can access the VPN Concentrator. You assign access hours to groups and users under Configuration | User Management. Access hours do not apply to LAN-to-LAN connections.

Figure 15-2 Configuration | Policy Management | Access Hours Screen

Current Access Hours

The Current Access Hours list shows the names of configured access times. The Cisco-supplied default access times are:

Additional access times that you configure appear in the list.

Add / Modify / Delete

To configure and add a new access time to the list, click Add. The Manager opens the Configuration | Policy Management | Access Hours | Add screen.

To modify a configured access time, select the entry from the list and click Modify. The Manager opens the Configuration | Policy Management | Access Hours | Modify screen.

To remove a configured access time, select the entry from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the Current Access Hours list.

Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Access Hours | Add or Modify

These Manager screens let you:

Figure 15-3 Configuration | Policy Management | Access Hours | Add or Modify Screens

Name

Enter a unique name for this set of access hours. Maximum is 48 characters.

Sunday - Saturday

For each day of the week, click the Sunday - Saturday drop-down menu button and choose:

Enter or edit hours in the range fields. Times are inclusive: starting time through ending time. Enter times as HH:MM:SS and use 24-hour notation; for example, enter 5:30 p.m. as 17:30.
By default, all ranges are 00:00:00 to 23:59:59.

Add or Apply / Cancel

To add this access time to the list, click Add. Or, to apply your changes for this access time, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | Policy Management | Access Hours screen. Any new entry appears in the Current Access Hours list.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Access Hours screen, and the Current Access Hours list is unchanged.

Configuration | Policy Management | Traffic Management

This section of the Manager lets you configure network lists, rules, filters, and security associations, as well as network address translation and bandwidth policies. These features let you control the data traffic through the VPN Concentrator.
A filter applies its rules to data packets coming through the system, in the order the rules are arranged on the filter. If a packet matches all the parameters specified in the rule, the system takes the action specified in the rule. If at least one rule parameter does not match, it applies the next rule; and so on. If no rule matches, the system takes the default action specified in the filter. You apply filters to interfaces under Configuration | Interfaces, and these are the most important filters for security since they apply to all traffic. You also apply filters to groups and users under Configuration | User Management; these filters apply to tunneled traffic only.
Figure 15-4 Configuration | Policy Management | Traffic Management Screen

Configuration | Policy Management | Traffic Management | Network Lists

This section of the Manager lets you configure network lists, which are lists of networks that are grouped as single objects. Network lists make configuration easier: for example, you can use a network list to configure one filter rule for a set of networks rather than configuring separate rules for each network.

You can use network lists in configuring filter rules (see Configuration | Policy Management | Traffic Management | Rules). You can also use them to configure split tunneling for groups and users (see Configuration | User Management), and to configure IPSec LAN-to-LAN connections (see Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN).

The Manager can automatically generate a network list containing the private networks reachable from the Ethernet 1 (Private) interface. It generates this list by reading the routing table, and Inbound RIP must be enabled on that interface.

A single network list can contain a maximum of 10 network entries. The Manager does not limit the number of network lists you can configure.

Figure 15-5 Configuration | Policy Management | Traffic Management | Network Lists Screen

Network List

The Network List field shows the names of the network lists you have configured. If no lists have been configured, the field shows --Empty--.

Add / Modify / Copy / Delete

To configure and add a new network list, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | Network Lists | Add screen.

To modify a configured network list, select the list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | Network Lists | Modify screen.

To copy a configured network list, modify it, and save it with a new name, select the list and click Copy.
See the Configuration | Policy Management | Traffic Management | Network Lists | Copy screen.

To delete a configured network list, select the list and click Delete. If the network list is configured on a filter rule or an IPSec LAN-to-LAN connection, the Manager displays an error message indicating the action to take before you can delete the list. Otherwise, there is no confirmation or undo. The Manager deletes the list, refreshes the screen, and shows the remaining network lists.

Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Network Lists | Add, Modify, or Copy

On the Add and Modify screens, the Manager can automatically generate a network list containing the private networks reachable from the Ethernet 1 (Private) interface. It generates this list by reading the routing table, and Inbound RIP must be enabled on that interface.

Figure 15-6 Configuration | Policy Management | Traffic Management | Network Lists | Add, Modify, or Copy Screens

List Name

Enter a unique name for this network list. Maximum 48 characters, case-sensitive. Spaces are allowed. If you use the Generate Local List feature on the Add screen, enter this name after the system generates the network list.

Network List

Enter the networks in this network list. Enter each network on a single line using the format n.n.n.n/w.w.w.w, where n.n.n.n is a network IP address and w.w.w.w is a wildcard mask. If you omit the wildcard mask, the Manager supplies the default wildcard mask for the class of the network address. For example, 192.168.12.0 is a Class C address, and the default wildcard mask is 0.0.0.255. You can include a maximum of 200 network/wildcard entries in a single network list.
Generate Local List

On the Add or Modify screen, click the Generate Local List button to have the Manager automatically generate a network list containing the first 200 private networks reachable from the Ethernet 1 (Private) interface. It generates this list by reading the routing table (see Monitoring | Routing Table), and Inbound RIP must be enabled on that interface (see Configuration | Interfaces). The Manager refreshes the screen after it generates the list, and you can then edit the Network List and enter a List Name.
Add or Apply / Cancel

To add this network list to the configured network lists, click Add. Or, to apply your changes to this network list, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | Policy Management | Traffic Management | Network Lists screen. Any new entry appears at the bottom of the Network List field.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Network Lists screen, and the Network List field is unchanged.

Configuration | Policy Management | Traffic Management | Rules

This section of the Manager lets you add, configure, modify, copy, and delete filter rules. You use rules to construct filters.

Figure 15-7 Configuration | Policy Management | Traffic Management | Rules Screen

Filter Rules

The Filter Rules list shows the configured rules that are available to apply to filters. The list shows the rule name and the action/direction in parentheses. The rules are listed in the order they are configured.

Cisco supplies several default rules that you can modify and use. See Table 15-1 for their parameters, and see Configuration | Policy Management | Traffic Management | Rules | Add for explanations of the parameters. For all the default rules except VRRP In and Out, these parameters are identical:

For maximum security and control, we recommend that you change the Source Address and Destination Address to fit your network addressing and security scheme.

Table 15-1 Cisco-Supplied Default Filter Rules
Add / Modify / Copy / Delete

To configure a new rule, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | Rules | Add screen.

To modify a rule that has been configured, select the rule from the list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | Rules | Modify screen.

To copy a configured rule, modify it, and save it with a new name, select the rule from the list and click Copy. See the Configuration | Policy Management | Traffic Management | Rules | Copy screen.

To delete a configured rule, select the rule from the list and click Delete.
Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy

These Manager screens let you:

The VPN Concentrator applies rule parameters to data traffic (packets) in the order presented on this screen (from Protocol down) to see if they match. If all parameters match, the system takes the specified Action. If at least one parameter does not match, the system ignores the rest of this rule and examines the packet in accordance with the next rule, and so forth.
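As an added illustration (not part of this manual and not Cisco's code), the following Python models the filter semantics described here: rules are examined in the order arranged on the filter, a packet that matches every parameter of a rule takes that rule's action, and when no rule matches the filter's default action applies. Addresses use the network-list notation n.n.n.n/w.w.w.w with the class-based default wildcard mask, and the match fields follow the parameters of the Rules | Add screen described below (Protocol, TCP Connection, source and destination address, TCP/UDP ports, ICMP type range). The Rule, Packet and Filter structures, the established flag carried on the packet, and the sample filter are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY_ENTRY = "0.0.0.0/255.255.255.255"  # Manager default: IP 0.0.0.0, wildcard 255.255.255.255 (any)

def default_wildcard(address: str) -> str:
    """Class-based wildcard mask the Manager supplies when the mask is omitted.
    Rejecting class D/E addresses is an assumption of this example."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        return "0.255.255.255"  # Class A
    if first_octet < 192:
        return "0.0.255.255"  # Class B
    if first_octet < 224:
        return "0.0.0.255"  # Class C, e.g. 192.168.12.0 -> 0.0.0.255
    raise ValueError(f"no class default wildcard for {address}; give an explicit mask")

def parse_entry(entry: str) -> Tuple[int, int]:
    """Parse 'n.n.n.n/w.w.w.w' (mask optional) into integer (address, wildcard)."""
    address, _, wildcard = entry.partition("/")
    if not wildcard:
        wildcard = default_wildcard(address)
    return int(IPv4Address(address)), int(IPv4Address(wildcard))

def wildcard_match(ip: str, entry: str) -> bool:
    """A 1 bit in the wildcard mask means 'do not care' for that address bit."""
    address, wildcard = parse_entry(entry)
    return (int(IPv4Address(ip)) | wildcard) == (address | wildcard)

@dataclass
class Rule:
    name: str
    direction: str  # "Inbound" or "Outbound"
    action: str  # e.g. "Forward", "Drop", "Apply IPSec"
    protocol: str = "Any"  # "Any", "TCP", "UDP", "ICMP", "ESP", ...
    established_only: bool = False  # TCP Connection: only packets of established connections
    source: List[str] = field(default_factory=lambda: [ANY_ENTRY])  # network-list entries
    destination: List[str] = field(default_factory=lambda: [ANY_ENTRY])
    src_ports: Tuple[int, int] = (0, 65535)
    dst_ports: Tuple[int, int] = (0, 65535)
    icmp_types: Tuple[int, int] = (0, 255)  # default 0 to 255: all packet types

@dataclass
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = 0
    established: bool = False  # stands in for the Concentrator's own connection check (assumption)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Check parameters in screen order (Protocol down); the first mismatch ends this rule."""
    if rule.direction != pkt.direction:
        return False
    if rule.protocol != "Any" and rule.protocol != pkt.protocol:
        return False
    if rule.established_only and not (pkt.protocol == "TCP" and pkt.established):
        return False
    if not any(wildcard_match(pkt.src, e) for e in rule.source):
        return False
    if not any(wildcard_match(pkt.dst, e) for e in rule.destination):
        return False
    if pkt.protocol in ("TCP", "UDP"):  # only TCP and UDP carry port numbers
        if not rule.src_ports[0] <= pkt.src_port <= rule.src_ports[1]:
            return False
        if not rule.dst_ports[0] <= pkt.dst_port <= rule.dst_ports[1]:
            return False
    if pkt.protocol == "ICMP" and not rule.icmp_types[0] <= pkt.icmp_type <= rule.icmp_types[1]:
        return False
    return True

@dataclass
class Filter:
    name: str
    rules: List[Rule]
    default_action: str = "Drop"

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return (action, matching rule name), trying rules in the order arranged on the filter."""
        for rule in self.rules:
            if rule_matches(rule, pkt):
                return rule.action, rule.name
        return self.default_action, None  # no rule matched: the filter's default action

# Constructed sample: a public-interface filter (not one of Cisco's supplied filters or rules).
SAMPLE_PUBLIC_FILTER = Filter("Sample Public", [
    Rule("IKE In", "Inbound", "Forward", protocol="UDP", dst_ports=(500, 500)),
    Rule("ESP In", "Inbound", "Forward", protocol="ESP"),
    Rule("Established TCP In", "Inbound", "Forward", protocol="TCP", established_only=True),
    Rule("ICMP Timestamp In", "Inbound", "Forward", protocol="ICMP", icmp_types=(13, 14)),
    Rule("Private Nets Out", "Outbound", "Forward",
         source=["10.0.0.0", "192.168.12.0/0.0.0.255"]),  # first entry gets the class A default mask
])
```

Note that an inbound TCP packet that does not belong to an established connection falls through every rule and is dropped by the default action, which is the "spoofing" protection the TCP Connection parameter is meant for.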
Creating Rules for a Firewall Filter

If you are creating rules for a VPN Client firewall filter:
For more information on configuring rules for VPN Client firewall filters, refer to the VPN Client Administrator Guide.

Figure 15-8 Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy Screen

Rule Name

Enter a unique name for this rule. Maximum is 48 characters.

Direction

Click the Direction drop-down menu button and choose the data direction to which this rule applies:
Action

Click the Action drop-down menu button and choose the action to take if the data traffic (packet) matches all parameters that follow.
Protocol or Other

This parameter refers to the IANA (Internet Assigned Numbers Authority) assigned protocol number in an IP packet. The descriptions include the IANA number, in brackets, for reference. Click the Protocol or Other drop-down menu button and choose the protocol to which this rule applies.
TCP Connection
Click the TCP Connection drop-down menu button and choose whether this rule applies to packets from established TCP connections. For example, you might want a rule to forward only those TCP packets that originate from established connections on the public network interface, to provide maximum protection against "spoofing."

Source Address

Specify the packet source address that this rule checks (the address of the sender).

Network List

Click the Network List drop-down menu button and choose the configured network list that specifies the source addresses. A network list is a list of network addresses that are treated as a single object. See the Configuration | Policy Management | Traffic Management | Network Lists screens. Otherwise, you can choose:

If you choose a configured network list, the Manager ignores entries in the IP Address and Wildcard-mask fields.

IP Address

Enter the source IP address in dotted decimal notation. Default is 0.0.0.0.

Wildcard-mask

Enter the source address wildcard mask in dotted decimal notation. Default is 255.255.255.255.

Destination Address

Specify the packet destination address that this rule checks (the address of the recipient).

Network List

Click the Network List drop-down menu button and choose the configured network list that specifies the destination addresses. A network list is a list of network addresses that are treated as a single object. See the Configuration | Policy Management | Traffic Management | Network Lists screens. Otherwise, you can choose Use IP Address/Wildcard-mask, which lets you enter a network address. If you choose a configured network list, the Manager ignores entries in the IP Address and Wildcard-mask fields. See the preceding wildcard mask note.

IP Address

Enter the destination IP address in dotted decimal notation. The default value is 0.0.0.0.

Wildcard-mask

Enter the destination address wildcard mask in dotted decimal notation. The default value is 255.255.255.255.
TCP/UDP Source Port

If you chose TCP or UDP under Protocol, choose the source port number that this rule checks.

Many different protocols or processes run in TCP or UDP environments, and each TCP or UDP process running on a network host is assigned a port number. Thus an IP address plus a port number uniquely identifies a process on a network host. Only TCP and UDP protocols use port numbers. The Internet Assigned Numbers Authority (IANA) manages port numbers and classifies them as Well Known, Registered, and Dynamic (or Private). The Well Known ports are those from 0 through 1023; the Registered ports are those from 1024 through 49151; and the Dynamic ports are those from 49152 through 65535.

Port or Range

Click the Port or Range drop-down menu button and choose the process (port number):
TCP/UDP Destination Port

If you chose TCP or UDP under Protocol, choose the destination port number that this rule checks. See the preceding explanation of port numbers under TCP/UDP Source Port.

Port or Range

Click the Port or Range drop-down menu button and choose the process (port number). The choices are the same as listed under TCP/UDP Source Port, Port or Range.

ICMP Packet Type
The ICMP protocol has many messages that are identified by a type number. For example:

The Internet Assigned Numbers Authority (IANA) manages these ICMP type numbers.

If you selected ICMP under Protocol, enter the range of ICMP packet type numbers to which this rule applies. To specify a single packet type, enter the same number in both fields. Defaults are 0 to 255 (all packet types). For example, to specify the Timestamp and Timestamp Reply types only, enter 13 to 14.

Add or Apply / Cancel

To add this rule to the list of configured filter rules, click Add. Or, to apply your changes to this rule, click Apply. On the Modify screen, any changes take effect as soon as you click Apply. If the rule is being used by an active filter, changes might affect tunnel traffic. The Manager returns to the Configuration | Policy Management | Traffic Management | Rules screen. Any new rule appears in the Filter Rules list.

Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Rules screen, and the Filter Rules list is unchanged.

Configuration | Policy Management | Traffic Management | Rules | Delete

This screen asks you to confirm deletion of a rule that is being used in a filter. Doing so deletes the rule from all filters that use it, and deletes it from the VPN Concentrator active configuration. To remove a rule from a filter but retain it in the active configuration, see the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen.

Figure 15-9 Configuration | Policy Management | Traffic Management | Rules | Delete Screen
Yes / No

To delete this rule from all filters that use it, and delete it from the active configuration, click Yes. There is no undo. The Manager returns to the Configuration | Policy Management | Traffic Management | Rules screen and shows the remaining rules in the Filter Rules list.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To keep this rule, click No. The Manager returns to the Configuration | Policy Management | Traffic Management | Rules screen, and the Filter Rules list is unchanged.

Configuration | Policy Management | Traffic Management | Security Associations

This section of the Manager lets you add, configure, modify, and delete Security Associations (SAs). SAs apply only to IPSec tunnels. During tunnel establishment the two parties negotiate Security Associations that govern authentication, encryption, encapsulation, key management, and so on. In other words, while rules and filters specify what traffic to manage, SAs tell how to do it.

IPSec configurations actually involve two SA negotiation phases: first, to establish the tunnel (the IKE SA); and second, to govern traffic within—the use of—the tunnel (the IPSec SA).

You must configure IKE proposals before configuring Security Associations. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals, or click the IKE Proposals link on this screen.

You apply SAs to filter rules that are configured with an Apply IPSec action, for LAN-to-LAN traffic. See Configuration | Policy Management | Traffic Management | Rules. The VPN Concentrator automatically creates and applies appropriate rules when you create a LAN-to-LAN connection; see Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN. You also apply SAs to groups and users, for remote-access traffic, under the IPSec Parameters section on the appropriate Configuration | User Management screens.
You can use IPSec in both client-to-LAN (remote-access) configurations and LAN-to-LAN configurations. The Cisco VPN Client complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients. Likewise, the VPN Concentrator can establish LAN-to-LAN connections with other protocol-compliant VPN devices (often called "secure gateways"). The instructions in this section, however, assume peer VPN Concentrators. The Cisco VPN Client supports these IPSec attributes:
Figure 15-10 Configuration | Policy Management | Traffic Management | Security Associations Screen

IPSec SAs

The IPSec SAs list shows the configured SAs that are available. The SAs are listed in alphabetical order. Cisco supplies default SAs that you can use or modify; see Table 15-2 and Table 15-3. See the Configuration | Policy Management | Traffic Management | Security Associations | Add section for explanations of the parameters.

Table 15-2 Cisco-Supplied Default Security Associations, Part 1
Table 15-3 Cisco-Supplied Default Security Associations, Part 2
Add / Modify / Delete

To configure a new SA, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | Security Associations | Add screen.

To modify an SA that has been configured, select the SA from the list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | Security Associations | Modify screen.

To delete a configured SA, select the SA from the list and click Delete.
Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify
Figure 15-11 Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify Screen

SA Name

Enter a unique name for this Security Association. Maximum is 48 characters.

Inheritance

This parameter specifies the granularity, that is, how many tunnels to build for this connection. Each tunnel uses a unique key. Click the Inheritance drop-down menu button and choose:
IPSec Parameters

These parameters apply to IPSec SAs, which are Phase 2 SAs negotiated under IPSec, where the two parties establish conditions for use of the tunnel.

Authentication Algorithm

This parameter specifies the data, or packet, authentication algorithm. Packet authentication proves that data comes from whom you think it comes from; it is often referred to as "data integrity" in VPN literature. The IPSec ESP (Encapsulating Security Payload) protocol provides both encryption and authentication. Click the Authentication Algorithm drop-down menu button and choose the algorithm:
Encryption Algorithm

This parameter specifies the data, or packet, encryption algorithm. Data encryption makes the data unreadable if intercepted. Click the Encryption Algorithm drop-down menu button and choose the algorithm:
Encapsulation Mode

This parameter specifies the mode for applying ESP encryption and authentication; in other words, what part of the original IP packet has ESP applied. Click the Encapsulation Mode drop-down menu button and choose the mode:
Perfect Forward Secrecy

This parameter specifies whether to use Perfect Forward Secrecy, and the size of the numbers to use, in generating Phase 2 IPSec keys. Perfect Forward Secrecy is a cryptographic concept where each new key is unrelated to any previous key. In IPSec negotiations, Phase 2 keys are based on Phase 1 keys unless Perfect Forward Secrecy is specified. Perfect Forward Secrecy uses Diffie-Hellman techniques to generate the keys. Click the Perfect Forward Secrecy drop-down menu button and choose the Perfect Forward Secrecy option:
Lifetime Measurement

This parameter specifies how to measure the lifetime of the IPSec SA keys, which is how long the IPSec SA lasts until it expires and must be renegotiated with new keys. It is used with the Data Lifetime or Time Lifetime parameters.
Click the Lifetime Measurement drop-down menu button and choose the measurement method:
Data Lifetime

If you chose Data or Both under Lifetime Measurement, enter the number of kilobytes of payload data after which the IPSec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB.

Time Lifetime

If you chose Time or Both under Lifetime Measurement, enter the number of seconds after which the IPSec SA expires. Minimum is 60 seconds, default is 28800 seconds (8 hours), maximum is 2147483647 seconds (about 68 years).

IKE Parameters

These parameters govern IKE SAs, which are Phase 1 SAs negotiated under IPSec, where the two parties establish a secure tunnel within which they then negotiate the IPSec SAs. In this IKE SA they exchange automated key management information under the IKE (Internet Key Exchange) protocol (formerly called ISAKMP/Oakley).

All these parameters (except IKE Peer) must be configured the same on both parties; the IKE Peer entries must mirror each other. If you create multiple IPSec SAs for use between two IKE peers, the IKE SA parameters must be the same on all SAs. For best performance and interoperability, we strongly recommend that you use the default parameters where appropriate.

Connection Type

(This field appears only when this Security Association is used in a LAN-to-LAN connection, and it appears only on the Security Associations | Modify page, not on the Security Associations | Add page.)

View this field to determine the role of this VPN Concentrator in establishing the IKE tunnel of the LAN-to-LAN connection that uses this SA. This field is read-only. To configure the Connection Type, see "Connection Type" on the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN Add/Modify screen.

IKE Peer(s)

This parameter applies only to IPSec LAN-to-LAN configurations. It is ignored for IPSec client-to-LAN configurations. On the Configuration | Policy Management | Traffic Management | Security Associations | Modify page, this field is read-only.

Enter the IP address of the remote peer VPN Concentrator.
Use dotted decimal notation. This must be the IP address of the public interface on the peer VPN Concentrator. This IP address must also match the Peer IP Address on the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add or Modify screen. It must also match the Group Name for the LAN-to-LAN connection. When you configure the connection on the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add screen, the Manager automatically creates a group with the Peer IP address as the Group Name. See Configuration | User Management for information on groups. When you configure this parameter on the remote peer, enter the IP address of this VPN Concentrator. The entries must mirror each other.

Negotiation Mode

This parameter sets the mode for exchanging key information and setting up the SAs. It sets the mode that the initiator of the negotiation uses; the responder auto-negotiates. Click the Negotiation Mode drop-down menu button and choose the mode:
Digital Certificate

This parameter specifies whether to use preshared keys or a PKI (Public Key Infrastructure) digital identity certificate to authenticate the peer during Phase 1 IKE negotiations. See the discussion under Administration | Certificate Management. Click the Digital Certificate drop-down menu button and choose the option. The list shows any digital certificates that have been installed, plus the following option:

Certificate Transmission

If you configured authentication using digital certificates, choose the type of certificate transmission.

IKE Proposal

This parameter specifies the set of attributes that govern Phase 1 IPSec negotiations, which are known as IKE proposals. See the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. When the VPN Concentrator is acting as an IPSec initiator, this is the only IKE proposal it negotiates. As an IPSec responder, the VPN Concentrator checks all active IKE proposals in priority order, to see if it can find one that agrees with parameters in the initiator's proposed SA. You must configure, activate, and prioritize IKE proposals before configuring Security Associations. Click the IKE Proposal drop-down menu button and choose the IKE proposal. The list shows only active IKE proposals in priority order. Cisco-supplied default active proposals are:
Add or Apply / Cancel

To add this Security Association to the list of configured SAs, click Add. Or to apply your changes to this Security Association, click Apply. On the Modify screen, any changes take effect as soon as you click Apply. If this SA is being used by an active filter rule or group, changes might affect tunnel traffic. Both actions include your entry in the active configuration. The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen. Any new SA appears at the bottom of the IPSec SAs list.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen, and the IPSec SAs list is unchanged.

Configuration | Policy Management | Traffic Management | Security Associations | Delete

This screen asks you to confirm deletion of a Security Association that is assigned to a rule in a filter. Doing so deletes the SA from the VPN Concentrator active configuration, deletes the SA from all rules that use it, and removes those rules from filters.

Figure 15-12 Configuration | Policy Management | Traffic Management | Security Associations | Delete Screen
Yes / No

To delete this SA from all rules that use it, and delete it from the active configuration, click Yes. There is no undo. The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen and shows the remaining SAs in the IPSec SAs list.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To not delete this SA, click No. The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen, and the IPSec SAs list is unchanged.

Configuration | Policy Management | Traffic Management | Filters

This section of the Manager lets you add, configure, modify, copy, and delete filters, and assign rules to filters. Filters consist of rules. A filter applies its rules to data packets coming through the system, in the order the rules are arranged on the filter. If a packet matches all the parameters specified in the rule, the system takes the Action specified in the rule. If at least one rule parameter does not match, it applies the next rule; and so on. If no rule matches, the system takes the Default Action specified in the filter.

Configuring a filter involves two steps:

Step 1 Configure the basic filter parameters (name, default action, etc.) by clicking Add Filter, Modify Filter, or Copy Filter.

Step 2 Assign rules to a filter by clicking Assign Rules to Filter.

You apply filters to interfaces under Configuration | Interfaces, and these are the most important filters for security since they govern all traffic through an interface. You also apply filters to groups and users under Configuration | User Management, and thus govern tunneled traffic through an interface. This screen allows you only to configure filters on the VPN Concentrator. You can also configure filters on an external RADIUS server for use on the VPN Concentrator.
For more information on configuring external filters, see Monitoring | Dynamic Filters in VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring.

Figure 15-13 Configuration | Policy Management | Traffic Management | Filters Screen

Filter List

The Filter List shows configured filters, listed in alphabetical order. Cisco supplies default filters that you can use and modify; see Table 15-4.

Table 15-4 Cisco-Supplied Default Filters
Add Filter

To configure and add a new filter, click Add Filter. The Manager opens the Configuration | Policy Management | Traffic Management | Filters | Add screen. The Manager then automatically lets you assign rules to the filter.

Assign Rules to Filter

To assign or change rules in a configured filter, select the filter from the list and click Assign Rules to Filter. The Manager opens the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen, which lets you assign and order the rules that apply to this filter.

Modify Filter

To modify the basic parameters—but not the rules—for a filter that has been configured, click Modify Filter. The Manager opens the Configuration | Policy Management | Traffic Management | Filters | Modify screen.

Copy Filter

To create a new filter by copying the basic parameters and rules from a filter that has been configured, click Copy Filter. The Manager opens the Configuration | Policy Management | Traffic Management | Filters | Copy screen.

Delete Filter

To delete a configured filter, select the filter from the list and click Delete Filter. See the following notes. The Manager refreshes the screen and shows the remaining entries in the Filter List.
Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy
You configure the rules in a filter on the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen.
Figure 15-14 Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy Screen

Filter Name

Enter a unique name for this filter. Maximum is 48 characters.

Default Action

Click the Default Action drop-down menu button and choose the action that this filter takes if a data packet does not match any of the rules on this filter. The choices are:
Source Routing

Check the Source Routing check box to allow IP source routed packets to pass. A source routed packet specifies its own route through the network and does not rely on the system to control forwarding. This box is unchecked by default, because source-routed packets can present a security risk.

Fragments

Check the Fragments check box to allow fragmented IP packets to pass. Large data packets might be fragmented on their journey through networks, and the destination system reassembles them. While you would normally allow fragmented packets to pass, you might disallow them if you suspect a security problem. This box is checked by default.

Description

Enter a description of this filter. This optional field is a convenience for you or other administrators; use it to describe the purpose or use of the filter. Maximum is 255 characters.

Add or Apply / Cancel
To discard your changes, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Filters screen, and the Filter List is unchanged.

Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Assign Rules to Filter

This section of the Manager lets you add, remove, and prioritize the rules in a filter, and assign Security Associations to rules that are configured with an Apply IPSec action. A filter applies its rules to data packets coming through the system, in the order the rules are arranged on the filter. If a rule matches, the system takes the Action specified in the rule. If not, it applies the next rule; and so on. If no rule matches, the system takes the Default Action specified in the filter. The Manager groups applied rules by direction (inbound or outbound), with inbound rules first. You can prioritize rules only within a direction. You configure rules on the Configuration | Policy Management | Traffic Management | Rules screens.
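The filter semantics described in the Filters and Assign Rules to Filter sections above (first matching rule wins, inbound rules grouped ahead of outbound rules, Default Action when nothing matches, and the per-filter Source Routing and Fragments switches) can be modelled in a few lines. The following Python is an added illustration, not code from the VPN 3000 Concentrator or from Cisco; the rule names, networks and SA name are constructed, and the ordering of the Source Routing and Fragments checks ahead of the rule list is an assumption of the example rather than something the manual states.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                 # "inbound" or "outbound"
    protocol: str                  # "tcp", "udp", "esp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None
    source_routed: bool = False    # IP source-route option present
    fragment: bool = False         # non-initial IP fragment


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    action: str                    # "forward", "drop" or "apply_ipsec"
    protocol: str = "any"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None
    sa: Optional[str] = None       # SA attached when an Apply IPSec rule is assigned

    def matches(self, pkt: Packet) -> bool:
        # Every parameter must match; a single mismatch means "try the next rule".
        if self.direction != pkt.direction:
            return False
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


@dataclass
class Filter:
    name: str
    default_action: str
    rules: List[Rule] = field(default_factory=list)
    source_routing: bool = False   # Source Routing box: unchecked by default
    fragments: bool = True         # Fragments box: checked by default

    def ordered_rules(self) -> List[Rule]:
        # The Manager keeps all inbound rules ahead of all outbound rules;
        # relative order inside a direction is the administrator's priority.
        inbound = [r for r in self.rules if r.direction == "inbound"]
        outbound = [r for r in self.rules if r.direction == "outbound"]
        return inbound + outbound

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, reason): first matching rule wins, else Default Action."""
        # Assumption of this example: the per-filter switches are consulted
        # before the rule list.
        if pkt.source_routed and not self.source_routing:
            return ("drop", "source-routed packet (Source Routing unchecked)")
        if pkt.fragment and not self.fragments:
            return ("drop", "IP fragment (Fragments unchecked)")
        for rule in self.ordered_rules():
            if rule.matches(pkt):
                reason = rule.name if rule.sa is None else f"{rule.name} [{rule.sa}]"
                return (rule.action, reason)
        return (self.default_action, "default action")


# Constructed sample filter for a public interface (names, networks and SA are made up).
PUBLIC_FILTER = Filter(
    name="Public (Example)",
    default_action="drop",
    rules=[
        # Listed outbound-first on purpose, to show the Manager's regrouping.
        Rule("L2L Out", "outbound", "apply_ipsec",
             dst_net="192.168.50.0/24", sa="L2L-SA-Branch"),
        Rule("IKE In", "inbound", "forward", protocol="udp", dport=500),
        Rule("ESP In", "inbound", "forward", protocol="esp"),
        Rule("Telnet In Drop", "inbound", "drop", protocol="tcp", dport=23),
    ],
)


def rule_order(flt: Filter) -> List[str]:
    """Rule names in the order the filter actually applies them."""
    return [r.name for r in flt.ordered_rules()]
```

Because the Default Action is what decides the fate of every packet the rules do not mention, the example sets it to drop for a public-interface filter; a packet to TCP port 80 therefore falls through all four rules and is dropped by the default, while the explicit Telnet rule documents intent and shows up as the matched reason.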
Figure 15-15 Configuration | Policy Management | Traffic Management | Assign Rules to Filter Screen

Filter Name

The name of the filter for which you are configuring the rules. You cannot change this name here. (See Configuration | Policy Management | Traffic Management | Filters | Modify.)

Current Rules in Filter

This list shows the rules currently assigned to the filter. Use the scroll controls (if present) to see all the rules in the list. If no rules have been assigned, the list shows --Empty--. Each entry shows the rule name and the action/direction in parentheses; Apply IPSec rules include their Security Association.

Available Rules

This list shows all the rules currently configured on the system (all the rules in the active configuration) that have not been assigned to this filter. Use the scroll controls (if present) to see all the rules in the list. Each entry shows the rule name and the action/direction in parentheses. (Since Security Associations are added to Apply IPSec rules only when those rules are assigned to a filter, this list does not show SAs.)

<< Add

To add a rule to the filter, select the rule from the Available Rules list and click << Add. The Manager moves the rule to the Current Rules in Filter list, modifies the active configuration, refreshes the screen, and by default orders the current rules with all inbound rules preceding all outbound rules. If you add a rule that has an Apply IPSec action configured, the Manager displays the Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule screen, which lets you add a Security Association to the rule. The Manager also, by default, adds Apply IPSec rules to the top of the group of rules with the same direction (inbound or outbound).

<< Insert Above

To add an available rule above a current rule, select the rule from the Available Rules list, then select a target rule in the Current Rules in Filter list, and click Insert Above.
The Manager moves the rule to the Current Rules in Filter list, modifies the active configuration, refreshes the screen, and orders the new rule above the current rule. Both selected rules must have the same direction (inbound or outbound). If you add a rule that has an Apply IPSec action configured, the Manager displays the Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule screen, which lets you add a Security Association to the rule.

>> Remove

To remove a rule from the filter, select the rule from the Current Rules in Filter list and click >> Remove. The Manager moves the rule to the Available Rules list, modifies the active configuration, refreshes the screen, and shows the remaining current rules in the filter. You cannot remove a rule that is configured as part of a LAN-to-LAN connection. See the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Done screen.

Move Up / Move Down

To change the order in which a rule is applied within the filter, select the rule from the Current Rules in Filter list and click Move Up or Move Down. The Manager reorders the current rules, modifies the active configuration, refreshes the screen, and shows the reordered list. If you try to move a rule out of its direction group (inbound or outbound), the Manager displays an error message.

Assign SA to Rule

To modify the Security Association applied to a current rule that has an Apply IPSec action configured, select the rule from the Current Rules in Filter list and click Assign SA to Rule. The Manager displays the Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule screen.

Done

When you are finished configuring the rules in this filter, click Done. The Manager returns to the Configuration | Policy Management | Traffic Management | Filters screen and refreshes the Filter List.

Reminder: The Manager immediately includes your changes in the active configuration.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule

This screen lets you add a configured Security Association to a rule that has an Apply IPSec action configured. You can assign only one SA to a rule. You configure Security Associations on the Configuration | Policy Management | Traffic Management | Security Associations screens.

Figure 15-16 Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule Screen

Add SA to Rule on Filter:

The Manager shows the name of the filter to which you are adding a rule that has an Apply IPSec action configured. You cannot change this name here. See Configuration | Policy Management | Traffic Management | Filters | Modify.

IPSec SAs

The IPSec SAs list shows the configured SAs that are available, that is, all the SAs in the active configuration.

Apply

To add an SA to the rule, select the SA from the list and click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen for the filter you are configuring, modifies the active configuration, and updates the Current Rules in Filter list to show the rule with its SA.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule

This screen lets you change the configured Security Association that is applied to a rule that has an Apply IPSec action configured. You can assign only one SA to a rule. On this screen, you change which SA is applied. You configure SAs themselves on the Configuration | Policy Management | Traffic Management | Security Associations screens.
Figure 15-17 Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule Screen

Change SA on Rule in Filter

The Manager shows the name of the filter to which the IPSec rule is assigned. You cannot change this name here. See Configuration | Policy Management | Traffic Management | Filters | Modify.

IPSec SAs

The IPSec SAs list shows the configured SAs that are available (all the SAs in the active configuration). By default, the SA that is currently applied to the rule is selected.

Apply / Cancel

To apply a different SA to this rule, select the SA from the list and click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen for the filter you are configuring, modifies the active configuration, and updates the Current Rules in Filter list to show the rule with its new SA. The change takes effect as soon as you click Apply. If this filter is being used by an active interface or group, the change might affect tunnel traffic.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard the change and keep the current SA on the rule, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen for the filter you are configuring, and the Current Rules in Filter list is unchanged.

Configuration | Policy Management | Traffic Management | NAT

This section of the Manager lets you configure and enable NAT (Network Address Translation). NAT translates private network addresses into an IANA-assigned public network address, and vice versa, and thus allows traffic routing between the networks. A NAT session is a translation instance. When a packet passing through the VPN Concentrator matches a NAT rule and is translated, a NAT session begins.
The NAT session records details of the translation, including the source IP address and port, the destination IP address and port, and the translated, or mapped, address and port. A NAT rule defines the criteria that a packet must meet to be translated. For interface NAT rules, criteria include the protocol: portless, UDP, or TCP. For LAN-to-LAN connections, the criteria are the source, translated and destination IP addresses.

To use NAT, we recommend that you first configure NAT rules, then enable the function. You can change NAT rules while NAT is enabled. Doing so affects subsequent sessions, but not current sessions, as long as the changed rule still allows the current session; if it doesn't, traffic will stop.

For inbound packets, the destination address and port are mapped. For outbound traffic, the source address and port are mapped. As packets pass through the VPN Concentrator, NAT sessions are searched for a match prior to applying NAT rules. If a match exists, the packet is translated in the same way as the packet that caused the session to initiate, and the session continues, allowing the VPN Concentrator to maintain address and port continuity within a session. NAT sessions expire and are deleted if they are unused for a certain time period, which varies depending on the protocol. Therefore, unless the NAT rule is a static rule, NAT sessions between the same clients may have different translated addresses for different NAT sessions.

For a detailed explanation of NAT and PAT, see http://www.cisco.com/warp/public/556/nat-cisco.shtml.

Figure 15-18 Configuration | Policy Management | Traffic Management | NAT Screen

Configuration | Policy Management | Traffic Management | NAT | Enable

This screen lets you enable NAT operation for Interfaces, which applies NAT to all non-tunneled traffic flowing through the public interface, and for LAN-to-LAN tunnels. We recommend that you configure NAT rules before you enable the function.
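The session behaviour described in the NAT section above (sessions are consulted before rules, outbound traffic has its source mapped and inbound traffic its destination, idle sessions expire, and a later session between the same hosts may get a different mapping) is easier to reason about with a small model. The following Python is an added example, not code from the VPN 3000 Concentrator or from Cisco. The private network, public address, ports and idle timeouts are constructed; the manual only says that timeouts vary by protocol, so the specific values here are assumptions. Portless protocols are modelled with port 0.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# Assumed idle timeouts in seconds; the manual states only that they vary by protocol.
IDLE_TIMEOUT = {"tcp": 3600, "udp": 300, "portless": 60}

FlowKey = Tuple[str, str, int, str, int]      # (proto, src, sport, dst, dport)
Mapped = Tuple[str, int]                      # (mapped address, mapped port)


@dataclass(frozen=True)
class InterfaceNatRule:
    private_net: str                          # e.g. "10.0.0.0/8"
    public_addr: str                          # public interface address
    protocols: FrozenSet[str]                 # Action boxes checked on the rule


@dataclass
class Session:
    key: FlowKey
    mapped: Mapped
    last_used: float


class NatTable:
    """Minimal model of interface NAT sessions for one rule and one public address."""

    def __init__(self, rule: InterfaceNatRule, clock: Callable[[], float],
                 first_port: int = 10000):
        self.rule = rule
        self.clock = clock
        self.by_flow: Dict[FlowKey, Session] = {}     # outbound lookups
        self.by_mapped: Dict[Mapped, Session] = {}    # inbound lookups
        self.next_port = first_port

    def _expire(self) -> None:
        # Sessions unused for longer than their protocol's timeout are deleted.
        now = self.clock()
        for s in list(self.by_flow.values()):
            if now - s.last_used > IDLE_TIMEOUT[s.key[0]]:
                del self.by_flow[s.key]
                del self.by_mapped[s.mapped]

    def outbound(self, proto: str, src: str, sport: int,
                 dst: str, dport: int) -> Optional[Mapped]:
        """Translate the source of an outbound packet; None means 'not translated'."""
        self._expire()
        key: FlowKey = (proto, src, sport, dst, dport)
        sess = self.by_flow.get(key)
        if sess is not None:                  # existing session wins over the rules
            sess.last_used = self.clock()
            return sess.mapped
        if proto not in self.rule.protocols:
            return None
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.rule.private_net):
            return None
        # Rule matched: start a session with a fresh mapped port (0 for portless).
        mapped: Mapped = (self.rule.public_addr, 0 if proto == "portless" else self.next_port)
        if proto != "portless":
            self.next_port += 1
        sess = Session(key, mapped, self.clock())
        self.by_flow[key] = sess
        self.by_mapped[mapped] = sess
        return mapped

    def inbound(self, proto: str, src: str, sport: int,
                mapped_addr: str, mapped_port: int) -> Optional[Tuple[str, int]]:
        """Translate the destination of an inbound packet back to the private host."""
        self._expire()
        sess = self.by_mapped.get((mapped_addr, mapped_port))
        if sess is None or sess.key[0] != proto:
            return None                       # no live session: nothing to map to
        # Only the remote end that the session was opened to is allowed back in.
        if (sess.key[3], sess.key[4]) != (src, sport):
            return None
        sess.last_used = self.clock()
        return (sess.key[1], sess.key[2])


# Constructed sample: private 10.0.0.0/8 behind public 198.51.100.1, TCP and UDP checked.
SAMPLE_RULE = InterfaceNatRule("10.0.0.0/8", "198.51.100.1", frozenset({"tcp", "udp"}))
```

The inbound check that the remote address and port match the session's original destination is the example's own choice; it reflects the manual's statement that the session records both endpoints, and it is what keeps an unrelated host from reusing a mapped port to reach the private client. A client whose session has idled out gets a new mapped port on its next packet, which is exactly the "different translated addresses for different NAT sessions" caveat in the text.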
Figure 15-19 Configuration | Policy Management | Traffic Management | NAT | Enable Screen

Interface NAT Rules Enabled

Check the Interface NAT Rules Enabled check box to enable NAT rules for interfaces, or uncheck it to disable these NAT rules. By default, the box is unchecked.

LAN-to-LAN Tunnel NAT Rule Enabled

Check the LAN-to-LAN Tunnel NAT Rule Enabled check box to enable NAT rules for LAN-to-LAN connections, or uncheck it to disable these NAT rules. By default, the box is unchecked.

Apply / Cancel

To enable or disable NAT rules, and include your setting in the active configuration, click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT screen.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entry and leave the active configuration unchanged, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT screen.

Configuration | Policy Management | Traffic Management | NAT | Interface Rules

This section of the Manager lets you add, configure, modify, and delete Interface NAT rules. We recommend that you first configure and add rules, then enable the function. To configure Interface NAT rules, you must first configure a VPN Concentrator public interface; see Configuration | Interfaces. You need at least one rule for each private network that the VPN Concentrator connects to, and that uses NAT.

Figure 15-20 Configuration | Policy Management | Traffic Management | NAT | Interface Rules Screen

Interface NAT Rules

The Interface NAT Rules list shows NAT rules that have been configured. If no rules have been configured, the list shows --Empty--. The format of each rule is: Private Address/Subnet-Mask on Interface (Action); for example, 10.0.0.0/8 on Ethernet 2 (Public) (TCP).

Add / Modify / Delete

To configure and add a new Interface NAT rule to the list of configured rules, click Add.
The Manager opens the Configuration | Policy Management | Traffic Management | NAT | Interface Rules | Add screen. If you have not configured a public interface, the Manager displays the Configuration | Policy Management | Traffic Management | NAT | Rules | No Public Interfaces screen. To modify a configured NAT rule, select the rule from the NAT Rules list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | NAT | Interface Rules | Modify screen. To delete a configured NAT rule, select the rule from the NAT Rules list and click Delete.
The Manager refreshes the screen and shows the remaining rules in the list.

Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | NAT | Rules | No Public Interfaces

The Manager displays this screen if you have not configured a public interface on the VPN Concentrator and you try to add a NAT rule. The public interface need not be enabled, but it must be configured with an IP address and the Public Interface parameter enabled. You should designate only one VPN Concentrator interface as a public interface.

Figure 15-21 Configuration | Policy Management | Traffic Management | NAT | Rules | No Public Interfaces Screen

Click the highlighted link to configure the desired public interface. The Manager opens the appropriate Configuration | Interfaces screen.

Configuration | Policy Management | Traffic Management | NAT | Interface Rules | Add or Modify

You must configure a public interface on the VPN Concentrator before you can add an Interface NAT rule. See the Configuration | Interfaces screens.

Figure 15-22 Configuration | Policy Management | Traffic Management | NAT | Interface Rules | Add or Modify Screen

Interface

Private Address

Specify the private network (subnet) addresses that NAT translates to and from the public address.

IP Address

Enter the private IP address in dotted decimal notation, for example: 10.0.0.1.

Subnet Mask

Enter the subnet mask appropriate for the private IP address range. Use dotted decimal notation; the default is 255.255.255.255. For example, to translate all private addresses in class A network 10, enter 255.0.0.0. In the NAT Rules list, the subnet mask is shown as the number of ones; for example, 255.255.0.0 is shown as /16.

Action

Check the box(es) to choose the translation action(s) for this NAT rule:
Add or Apply / Cancel

To add this rule to the list of configured Interface NAT rules, click Add. Or to apply your changes to this Interface NAT rule, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT | Interface Rules screen. Any new rule appears at the bottom of the Interface NAT Rules list.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT | Rules screen, and the Interface NAT Rules list is unchanged.

Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules

This section of the Manager lets you add, configure, modify, and delete LAN-to-LAN NAT rules that apply only to traffic that passes over LAN-to-LAN tunnels. We recommend that you first configure and add rules, then enable the function.

About LAN-to-LAN NAT

Private networks often use the same private address spaces. For connecting VPN networks, this duplication of IP addresses can prevent communication, because traffic from one private network to another using the same address space is perceived as local, and therefore does not travel to the second network. You can use NAT to solve this problem, translating private network addresses to legitimate public network addresses as packets enter the tunnel, rather than assigning new IP addresses to the networks.

Mapping rules that you configure determine how LAN-to-LAN NAT translates network addresses. There are three types of mapping rules:

Static rules are restricted to networks in which the local network and mapped network are of the same size. Port mappings are unnecessary, and are not performed.
Figure 15-23 is an example of a network topology that has complete overlap in the address spaces for the networks behind VPN Concentrators A and B.

Figure 15-23 LAN-to-LAN NAT Example
The LAN-to-LAN NAT mapping rules for these VPN Concentrators are as follows:

The VPN Concentrators are configured as follows:

A client with the IP address of 10.10.10.2 on network A sends a message to a server on network B with an IP address of 10.10.10.4. The clients on Network A already know the static address translation of the servers on Network B. Table 15-5 describes the message flow and the NAT translations that occur.

Table 15-5 LAN-to-LAN NAT Message Flow for LAN-to-LAN Tunnel Networks 20.20.20.0/24 and 30.30.30.0/24

You configure LAN-to-LAN NAT rules in the Configuration | Policy Management | NAT | LAN-to-LAN Rules screen.

Figure 15-24 Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules Screen

LAN-to-LAN NAT Rules

The LAN-to-LAN NAT Rules list shows rules that have been configured. The format is

Source

This is the host IP address and wildcard mask on the private network.

Translated

This is the translated IP address and wildcard mask for the local address of this LAN-to-LAN connection. This is also the translated address space.

Remote

This is the destination IP address and wildcard mask for this LAN-to-LAN connection. The rule is applied only to packets bound for this address space. The address space must be part of the destination address space of a LAN-to-LAN connection.

Type

This identifies the type of LAN-to-LAN NAT Rule:

Static rules are restricted to networks in which the local network and mapped network are of the same size. Port mappings are unnecessary, and are not performed.

Add / Modify / Delete

To configure and add a new LAN-to-LAN NAT rule, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Add screen. To modify a configured NAT rule, select the rule from the NAT Rules list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Modify screen.
To delete a configured NAT rule, select the rule from the LAN-to-LAN NAT Rules list and click Delete.
The Manager refreshes the screen and shows the remaining rules in the list.

Move Up / Move Down

You can use the Move Up and Move Down buttons to sort LAN-to-LAN NAT rules in priority order, except

Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Add or Modify

This screen lets you add or modify NAT LAN-to-LAN rules.

Figure 15-25 Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Add or Modify Screens

NAT Type

This identifies the type of LAN-to-LAN NAT Rule:

Static rules are restricted to networks in which the local network and mapped network are of the same size. Port mappings are unnecessary, and are not performed.

Guideline for Defining NAT Rules and Types

Understand this caveat as you define NAT rules for LAN-to-LAN connections: If you expect inbound traffic, you need to define a static LAN-to-LAN NAT rule. This is because with any other type of NAT rule, the translated address is impossible to predict, leaving the sender no way of identifying the IP address to which it should send packets.

Source Network

This is the network IP address and wildcard mask the rule translates.

Translated Network

This is the translated IP address and wildcard mask for the local network of this LAN-to-LAN connection.

Remote Network

This is the destination IP network and wildcard mask for this LAN-to-LAN connection.
IP Address

Enter the source IP address in dotted decimal notation. Default is 0.0.0.0.

Wildcard Mask

Enter the wildcard mask in dotted decimal notation. Default is 255.255.255.255.
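The static LAN-to-LAN NAT case from the About LAN-to-LAN NAT discussion and the Figure 15-23 example (two sites that both use 10.10.10.0/24, translated into the tunnel networks 20.20.20.0/24 and 30.30.30.0/24) can be worked through with the Source, Translated and Remote fields defined above. The following Python is an added example, not code from the VPN 3000 Concentrator or from Cisco, and Table 15-5 is not reproduced on this page, so the assignment of 20.20.20.0/24 to Concentrator A and 30.30.30.0/24 to Concentrator B is an assumption of the example. Wildcard masks follow the usual Cisco convention that 0 bits must match and 1 bits are ignored; the wildcard 0.0.0.255 used here is likewise constructed for the /24 networks.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def in_wildcard(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard match: bits that are 0 in the wildcard must be equal."""
    keep = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & keep) == (_ip(network) & keep)


@dataclass(frozen=True)
class StaticL2LRule:
    source_net: str
    source_wild: str
    translated_net: str
    translated_wild: str
    remote_net: str
    remote_wild: str

    def __post_init__(self) -> None:
        # Static rules require local and mapped networks of the same size.
        if self.source_wild != self.translated_wild:
            raise ValueError("static rule: source and translated networks must be the same size")

    def outbound(self, src: str, dst: str) -> Optional[str]:
        """Packet entering the tunnel: rewrite the source if the rule applies."""
        if not (in_wildcard(src, self.source_net, self.source_wild)
                and in_wildcard(dst, self.remote_net, self.remote_wild)):
            return None
        host_bits = _ip(src) & _ip(self.source_wild)
        return _str((_ip(self.translated_net) & ~_ip(self.translated_wild)) | host_bits)

    def inbound(self, src: str, dst: str) -> Optional[str]:
        """Packet leaving the tunnel: map the translated destination back."""
        if not (in_wildcard(src, self.remote_net, self.remote_wild)
                and in_wildcard(dst, self.translated_net, self.translated_wild)):
            return None
        host_bits = _ip(dst) & _ip(self.translated_wild)
        return _str((_ip(self.source_net) & ~_ip(self.source_wild)) | host_bits)


# Assumed rules for the Figure 15-23 topology (both sites use 10.10.10.0/24 locally).
RULE_A = StaticL2LRule("10.10.10.0", "0.0.0.255", "20.20.20.0", "0.0.0.255",
                       "30.30.30.0", "0.0.0.255")
RULE_B = StaticL2LRule("10.10.10.0", "0.0.0.255", "30.30.30.0", "0.0.0.255",
                       "20.20.20.0", "0.0.0.255")


def trace(sender_rule: StaticL2LRule, receiver_rule: StaticL2LRule,
          src: str, dst: str) -> List[Tuple[str, str]]:
    """(src, dst) as seen at: the sender's LAN, inside the tunnel, the receiver's LAN."""
    hops = [(src, dst)]
    mapped_src = sender_rule.outbound(src, dst)
    if mapped_src is None:
        return hops                        # rule did not apply; packet is untranslated
    hops.append((mapped_src, dst))
    real_dst = receiver_rule.inbound(mapped_src, dst)
    if real_dst is None:
        return hops                        # receiver has no matching static rule
    hops.append((mapped_src, real_dst))
    return hops
```

Because the mapping is static, the client on network A can address the server on network B as 30.30.30.4 ahead of time, which is the point made in the Guideline above: only a static rule gives the remote side a predictable address to send to. The reply path runs the same two rules in the opposite roles, and `trace(RULE_B, RULE_A, "10.10.10.4", "20.20.20.2")` shows the server's reply arriving back at 10.10.10.2.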
Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Bandwidth Policies

This section of the Manager lets you configure bandwidth management policies. You can configure a bandwidth policy to do one or all of the following:

Once you configure bandwidth policies, you can apply them either to an interface, or a group, or both. If you apply a policy to an interface only, it applies to each user on the interface. If you apply a policy to a group, it applies only to the users in that group. If you apply one policy to an interface and a different policy to a group, users who are members of that group use the group policy, and all other users use the interface policy.

Figure 15-26 Configuration | Policy Management | Traffic Management | Bandwidth Policies Screen

Add / Modify / Delete

To create a new bandwidth policy, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add screen. To modify a configured bandwidth policy, select the policy in the Bandwidth Policies list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Modify screen. To delete a configured bandwidth policy, select the policy in the Bandwidth Policies list and click Delete.

Configuration | Policy Management | Traffic Management | Add or Modify

Add: Configure and add a bandwidth policy

Modify: Modify a previously configured bandwidth policy

Overview of Bandwidth Management

There are two aspects of bandwidth management: bandwidth policing and bandwidth reservation. Bandwidth policing limits the maximum rate of tunneled traffic. The VPN Concentrator transmits traffic it receives below this rate; it drops traffic above this rate.
Bandwidth reservation sets aside a minimum bandwidth rate for tunneled traffic. Using bandwidth management, you can allocate bandwidth to groups and users equitably, thus preventing certain groups or users from consuming a majority of the bandwidth. Bandwidth management applies only to tunneled traffic (L2TP, PPTP, IPSec) and is most commonly applied to the public interface.
Bandwidth Reservation
Bandwidth reservation sets aside a minimum limit of bandwidth per tunnel for tunneled traffic. Each user receives at least a set amount of bandwidth. When there is little traffic on the box, users receive more than their allocated minimum of bandwidth. When the box becomes busy, they receive at least that much. When the combined total of the reserved bandwidth amounts of all active tunnels on an interface approaches the limit of the total bandwidth available on that interface, the VPN Concentrator refuses further connections to users who demand more reserved bandwidth than is available.

You can configure bandwidth reservation on just an interface (usually the public). In this case, every user who connects on the public interface receives the same reserved minimum bandwidth. If, in addition, you configure reserved bandwidth on a particular group, users in that group can claim an amount of reserved bandwidth that differs from that of the other users on the interface. You cannot configure reserved bandwidth on a specific group unless you have first configured reserved bandwidth on the interface.

Example One: A Bandwidth Reservation Policy Applied to an Interface
Suppose the link rate on your public interface is 1,544 kbps. And suppose you apply a reserved bandwidth policy to that interface that sets the reserved bandwidth to the default: 56 kbps per user. With this link rate and policy setting, only a total of 27 users can connect to the VPN Concentrator at one time. (1544 kbps per interface divided by 56 kbps per user equals 27 connections.)
Example Two: Bandwidth Reservation Policies Applied to an Interface and a Group
Add bandwidth reservation on a particular group to the above example. The group "Executives" reserves 112 kbps of the public interface bandwidth for any member of the group.
Keep in mind that there may be many groups using the VPN Concentrator, each with different bandwidth policies.

Bandwidth Aggregation
From Example Two, you can see that configuring bandwidth reservation alone can lead to a scenario in which high priority, high bandwidth users are unable to connect to a congested VPN Concentrator because of their bandwidth requirements. For this case, the VPN Concentrator provides a feature called bandwidth aggregation. Bandwidth aggregation allows a particular group to reserve a fixed portion of the total bandwidth on the interface. (This fixed portion is known as an aggregation.) Then, as users from that group connect, each receives a part of the total bandwidth allocated for the group. Users who are not in that group cannot share this reserved portion, even if no one else is using it. When one group makes a reserved bandwidth aggregation, it does not affect the bandwidth allocated to users who are not in that group; however, those other users are now sharing a smaller amount of total bandwidth. Fewer of them can connect.

Suppose the company president in Example Three wants two top executives to be able to access the VPN Concentrator at any time. In this case, you can configure a bandwidth aggregation of x/2 (or half the bandwidth) for the group "Top Executives." Half the bandwidth of the interface would then be set aside for the use of this group. This means, however, that all the other users on the interface compete for the remaining half of the bandwidth.

LAN-to-LANs and Bandwidth Reservation
Configure bandwidth reservation for a LAN-to-LAN connection as you would for a group with one user. In this way, you reserve a set amount of bandwidth for the connection. (The users on the LAN-to-LAN connection are not managed, only the connection.) When you apply a bandwidth reservation policy to a LAN-to-LAN connection, the VPN Concentrator automatically adds bandwidth aggregation.
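The admission arithmetic of Examples One and Two and the aggregation scenario above, worked through as an added example (not Cisco code). It assumes that admission is a plain check that the sum of reserved rates fits the available pool, and that an aggregation is carved out of the link for its group alone; the class and function names are invented for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Interface:
    """Admission-control model for bandwidth reservation and aggregation.
    Added illustration for this page, not Cisco code: admission is assumed
    to be a plain check that the sum of reserved rates fits the pool."""
    link_kbps: int                 # link rate of the (public) interface
    reserve_kbps: int              # per-user reservation from the interface policy
    group_reserve: dict = field(default_factory=dict)  # group -> per-user kbps
    aggregation: dict = field(default_factory=dict)    # group -> reserved pool kbps
    active: list = field(default_factory=list)         # admitted (group, kbps)

    def admit(self, group: Optional[str] = None) -> bool:
        """Return True if a tunnel for `group` (None: interface policy only) fits."""
        need = self.group_reserve.get(group, self.reserve_kbps)
        if group in self.aggregation:
            # An aggregated group draws only on its own carved-out pool.
            pool = self.aggregation[group]
            used = sum(k for g, k in self.active if g == group)
        else:
            # Everyone else shares what is left after all aggregations.
            pool = self.link_kbps - sum(self.aggregation.values())
            used = sum(k for g, k in self.active if g not in self.aggregation)
        if used + need > pool:
            return False               # connection refused
        self.active.append((group, need))
        return True

def max_users(iface: Interface, group: Optional[str] = None) -> int:
    """Count how many `group` tunnels connect before one is refused."""
    n = 0
    while iface.admit(group):
        n += 1
    return n

# Example One: 1,544 kbps link, 56 kbps reserved per user -> 27 connections.
ex1 = Interface(link_kbps=1544, reserve_kbps=56)
print("Example One:", max_users(ex1))

# Example Two: "Executives" reserve 112 kbps each. Once ordinary users have
# filled the link, an executive demanding 112 kbps is refused.
ex2 = Interface(link_kbps=1544, reserve_kbps=56, group_reserve={"Executives": 112})
max_users(ex2)
print("Executive admitted on a congested link?", ex2.admit("Executives"))

# Aggregation: half the link (772 kbps) is set aside for "Top Executives"; the
# remaining users now compete for the other half, so fewer of them connect.
ex3 = Interface(link_kbps=1544, reserve_kbps=56,
                group_reserve={"Top Executives": 112},
                aggregation={"Top Executives": 1544 // 2})
print("Other users:", max_users(ex3), "Top Executives:", max_users(ex3, "Top Executives"))
```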
Bandwidth Policing
Bandwidth policing sets a maximum limit, a cap, on the rate of tunneled traffic. The VPN Concentrator transmits traffic it receives below this rate; it drops traffic above this rate. Because traffic is bursty, some flexibility is built into policing. Policing involves two thresholds: the policing rate and the burst size. The policing rate is the maximum limit on the rate of sustained tunneled traffic. The burst size indicates the maximum size of an instantaneous burst of bytes allowed before traffic is capped back to the policing rate. The VPN Concentrator allows for instantaneous bursts of traffic greater than the policing rate up to the burst rate. But should traffic bursts consistently exceed the burst rate, the VPN Concentrator enforces the policing rate threshold.

Configuring Bandwidth Management
To configure bandwidth management, follow these steps:

Step 1 Using this section of the Manager, define one or more bandwidth management policies.

Step 2 On the Configuration | Interfaces | Ethernet 2 screen, Bandwidth Parameters Tab:
a. Enable bandwidth management on the public (or any other) interface.
c. Assign a bandwidth policy to the interface to assign a default policy for all users on that interface. If you are further planning to assign a bandwidth reservation policy to a specific group, this default policy must include bandwidth reservation.

Step 3 If you also want to manage bandwidth for a specific group, use the Configuration | User Management | Groups | Bandwidth Policy screen to apply a bandwidth policy to that group.

Step 4 To manage bandwidth for a specific LAN-to-LAN connection, use the Bandwidth Policy parameters on the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screen to apply a bandwidth policy to that connection.

Note the following dependencies when assigning bandwidth management policies to an interface and a group combined:
Use Table 15-6 as a guide to these dependencies when you configure this feature. Table 15-6 Conceptual Overview of Bandwidth Management Configuration
Once you know which bandwidth management features you want to apply to which level (interface, group, or LAN-to-LAN), follow the steps in Table 15-7 to configure them. Table 15-7 Bandwidth Management Configuration Guide
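The two policing thresholds described above (policing rate and normal burst size), modeled as an added example that is not Cisco code. It assumes the Concentrator's policer behaves like a standard single-rate token bucket whose depth is the normal burst size, and uses the burst-size formula and the 250 kbps figures given for the Add or Modify screen fields below; the traffic is constructed for the illustration.

```python
def normal_burst_size(policing_rate_bps: int) -> int:
    """Normal burst size from the formula given for the Add or Modify
    screen: (Policing Rate / 8) * 1.5 bytes, i.e. 1.5 seconds of traffic."""
    return int(policing_rate_bps / 8 * 1.5)

class Policer:
    """Single-rate token bucket: tokens (bytes) refill at the policing
    rate and the bucket holds at most the normal burst size. Added
    illustration for this page, not Cisco code; the Concentrator's
    internal policer is assumed to behave like this standard model."""
    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bytes_per_s = rate_bps / 8
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last = 0.0

    def offer(self, size: int, now: float) -> bool:
        """Return True if a packet of `size` bytes arriving at `now` is sent."""
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_s)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                       # over the burst at this rate: dropped

def simulate(rate_bps: int, packets):
    """Run (time_s, size_bytes) packets through a policer; return (sent, dropped)."""
    p = Policer(rate_bps, normal_burst_size(rate_bps))
    sent = sum(1 for t, s in packets if p.offer(s, t))
    return sent, len(packets) - sent

# Constructed traffic against the page's 250 kbps example (burst 46,875 bytes):
# 60 packets of 1,500 bytes within 6 ms is a 90,000-byte instantaneous burst.
burst = [(i * 0.0001, 1500) for i in range(60)]
print("burst:", simulate(250_000, burst))     # 31 sent, 29 dropped

# The same packets every 50 ms (240 kbps) stay below the policing rate.
steady = [(i * 0.05, 1500) for i in range(60)]
print("steady:", simulate(250_000, steady))   # 60 sent, 0 dropped
```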
Figure 15-27 Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify screen

When configuring a bandwidth policy, you must enable (check) either Bandwidth Reservation or Policing. You can enable both policies.

Policy Name
Enter a unique policy name that can help you remember the policy. The maximum length is 32 characters.

Bandwidth Reservation
To reserve a minimum amount of bandwidth for each session, check the Bandwidth Reservation check box.

Minimum Bandwidth
The minimum bandwidth is the amount of bandwidth reserved per user during periods of congestion. Enter a value for the minimum bandwidth and select one of the following units of measurement. The range is between 8000 bps and 100 Mbps. The default is 56000 (bps).

Policing
To enable policing, check the Policing check box.

Policing Rate
Enter a value for Policing Rate and select the unit of measurement. The VPN Concentrator transmits traffic that is moving below the policing rate and drops all traffic that is moving above the policing rate. The range is between 56000 bps and 100 Mbps. The default is 56000 (bps).

Normal Burst Size
The VPN Concentrator drops traffic that is above the normal burst size. The normal burst size is the amount of instantaneous burst that the VPN Concentrator can send at any given time. To set the burst size, use the following formula: (Policing Rate/8) * 1.5. For example, to limit users to 250 kbps of bandwidth, set the police rate to 250 kbps and set the burst size to 46875, that is: (250000 bps/8) * 1.5. Enter the Normal Burst Size and select the unit of measurement. The default is 10500 bytes. The minimum is 10500 bytes.

Add/Cancel
To add this policy to the configuration, click Add. To cancel the action, click Cancel.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel.
The Manager returns to the Configuration | Policy Management | Traffic Management | Bandwidth Policies screen, and the Bandwidth Policies list is unchanged.

Configuration | Policy Management | Certificate Group Matching

This section of the Manager allows you to define rules to match a user's certificate to a permission group based on fields in the distinguished name (DN). In releases previous to 3.6, the VPN Concentrator used the OU field from a user's certificate to assign that user to a permission group. For example, if the OU field of a user's certificate were "Sales," the VPN Concentrator assigned that user to the "Sales" permission group. The certificate group matching feature allows you to identify members of a permission group on the basis of other criteria: you can use other fields of the certificate or you can have all certificate users share a permission group.

To match users' permission groups based on other fields of the certificate, you must define rules that specify which fields to match for a group and then enable each rule for that selected group. Rules cannot be longer than 255 characters. A group must already exist in the configuration before you can create a rule for it. You can assign multiple rules to the same group. When multiple rules are assigned to the same group, a match results for the first rule that tests true. To match users' permission groups based on multiple fields in the certificate so that all the criteria must match for the user to be assigned to a permission group, create a single rule with multiple matching criteria. To match users' permission groups based on one criterion or another so that successfully matching any of the criteria identifies the member of the group, create multiple rules.
For example, to assign particular permissions to members of the Sales group who are in the division "VPNDIV" and who are located in San Jose, create a single rule and assign it to the group "Sales:"

To assign particular permissions to members of the Sales group who are either in the VPN division or located in San Jose, create two rules and apply both to the group "Sales:"

Once you have defined rules, you must configure a certificate group matching policy to define the method you want to use to identify the permission groups of certificate users: match the group from the rules, match the group from the OU field, or use a default group for all certificate users. You can use any or all of these methods.

Figure 15-28 Configuration | Policy Management | Certificate Group Matching Screen

Rules
Click the Rules link to create certificate group matching rules.

Matching Policy
Click the Matching Policy link to choose a method to identify the permission groups of certificate users.

Configuration | Policy Management | Certificate Group Matching | Rules
Figure 15-29 Configuration | Policy Management | Certificate Group Matching | Rules Screen

Add/Modify Rule
To configure and add a new rule, click Add on the Configuration | Policy Management | Certificate Group Matching | Rules screen. To modify an existing rule, select a rule in the Certificate Matching Rules box and click Modify. When you select a rule, the complete text appears in the box below the Certificate Matching Rules box.

Delete
To delete a configured rule, select the rule from the list in the Certificate Matching Rules box and click Delete. The Manager refreshes the screen and shows the remaining rules in the list.

Move Up
To have the VPN Concentrator check the rule earlier in the order, select the rule and click Move Up.

Move Down
To have the VPN Concentrator check the rule later in the order, select the rule and click Move Down.

Configuration | Policy Management | Certificate Group Matching | Rules | Add or Modify

Figure 15-30 Configuration | Policy Management | Certificate Group Matching | Rules | Add or Modify Screen

Enable
To allow the VPN Concentrator to use the rule you are adding or modifying, click Enable. To disable the rule, clear the Enable field. If the rule is disabled, it is marked with (D) in the Certificate Matching Rules box.

Group
Select the group to assign this rule to from the pull-down menu. You can assign this rule only to groups that are currently defined in the configuration. If the group you want to use is not in the list, you must first go to Configuration | User Management | Groups and define the group.

Distinguished Name Component
Select the type of distinguished name (Subject or Issuer) and the fields you want to use in the rule.
A distinguished name can contain a selection from the following fields:

Operator

| Field | Content |
| | The distinguished name field must contain the value within it. |
| | The distinguished name field must not contain the value within it. |
The value to be matched against. The VPN Concentrator automatically places text values within double quotes. To enter values manually, follow the rules on the screen. Values are not case-sensitive.
To enter the next part of a rule, click Append. When you click Append, the VPN Concentrator adds on the part you have defined to the rule that appears under Matching Criteria. In this way, you can build a complex rule testing on multiple components. The VPN Concentrator checks the information in the certificate against all parts of the rule. All parts must test true for the rule to match for this group.
The matching criterion text box displays the rule. You can create or edit the rule directly in this box. If you create a rule in this way, separate the components with commas. Also, be sure to add double quotes around the value. If the value itself contains double quotes, replace them with two double quotes. For example, enter the value "Tech" Eng as: """Tech"" Eng".
After entering all parts of the rule for this group, click Add to complete the action or Cancel to cancel it.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Certificate Group Matching | Rules screen, and the Rules list is unchanged.
This screen lets you configure a policy for certificate group matching. The VPN Concentrator processes the enabled policies in the order listed until it finds a match.
There are three ways to match a certificate to a group:
By default, the first choice is not checked and the second and third choices are checked.
To use the rules you have defined for certificate group matching, click to select Match Group from Rules.
To use the organizational unit in the certificate to specify the group to match, click to select Obtain Group from OU. This choice is enabled by default.
To use a default group or the Base Group for certificate users, click to select Default to Group. Then select the group from the drop down box. The group must already exist in the configuration. If the group does not appear in the list, you must define it by using the Configuration | User Management | Groups screen. This choice is enabled for the Base Group by default.
After checking the policies you want to use for certificate group matching, click Apply. Or to cancel, click Cancel.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Certificate Group Matching | Policy screen, and the Policy list is unchanged.
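The rule syntax from the Rules | Add or Modify screen (comma-separated components, double-quoted values, a doubled quote for a literal quote, all components ANDed, values not case-sensitive) and the Matching Policy order (rules, then OU, then default group), worked through as an added example that is not Cisco code. The page shows the operator meanings but not their symbols, so "*" (must contain) and "!*" (must not contain) are assumed here; the rule strings and subject DNs are constructed, and the actual rules behind the "Sales" examples above are not on the page.

```python
import re

# One rule component: FIELD, operator, then a double-quoted value in which a
# literal double quote is written as two double quotes (assumed syntax).
COMPONENT = re.compile(r'\s*([A-Za-z]+)\s*(!\*|\*)\s*"((?:[^"]|"")*)"\s*')

def parse_rule(text: str):
    """Split a rule into (field, op, value) triples; components are comma-separated."""
    if len(text) > 255:
        raise ValueError("rules cannot be longer than 255 characters")
    parts, pos = [], 0
    while pos < len(text):
        m = COMPONENT.match(text, pos)
        if not m:
            raise ValueError(f"bad rule near {text[pos:]!r}")
        field, op, raw = m.groups()
        parts.append((field.upper(), op, raw.replace('""', '"')))
        pos = m.end()
        if pos < len(text):
            if text[pos] != ",":
                raise ValueError(f"expected ',' at offset {pos} in {text!r}")
            pos += 1
    if not parts:
        raise ValueError("empty rule")
    return parts

def rule_matches(rule: str, dn: dict) -> bool:
    """All components of one rule must test true (AND); values are not case-sensitive."""
    for field, op, value in parse_rule(rule):
        contains = value.lower() in dn.get(field, "").lower()
        if contains != (op == "*"):        # "*" wants a hit, "!*" wants a miss
            return False
    return True

def assign_group(dn: dict, rules, use_rules=True, use_ou=True, default=None):
    """Matching Policy order: enabled rules (first true rule wins), then the
    OU field as the group name, then the default group."""
    if use_rules:
        for rule, group, enabled in rules:          # list order = check order
            if enabled and rule_matches(rule, dn):
                return group
    if use_ou and dn.get("OU"):
        return dn["OU"]
    return default

# Constructed rules: both criteria in one rule (AND) for "Sales", plus a
# disabled rule that must be skipped even though it would match.
RULES = [
    ('OU*"VPNDIV",L*"San Jose"', "Sales", True),
    ('CN*"bob"', "Admins", False),
]
alice = {"CN": "alice", "OU": "VPNDIV", "L": "san jose"}   # constructed subject DNs
bob = {"CN": "bob", "OU": "Engineering", "L": "Austin"}
print(assign_group(alice, RULES))                 # Sales
print(assign_group(bob, RULES, default="Base"))   # Engineering (from OU)
print(parse_rule('CN*"""Tech"" Eng"'))            # [('CN', '*', '"Tech" Eng')]
```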