Document ID: 47480
Cisco has announced the end of sales for the Cisco VPN 5000 Series Concentrators. For more information, please see the End-of-Sales Announcement
Introduction
This guide provides the initial configuration for the Cisco VPN 5001/5002/5008 IPSec VPN Appliance. It also more specifically provides the configuration of the appliance to connect to the network via IP and to offer LAN-to-LAN VPN connectivity.
The Cisco VPN 500x VPN Appliance can be installed with either of two configurations, depending on where it is connected to the network in relation to a firewall. The Cisco VPN 500x has two Ethernet ports, one of which (Ethernet 1) passes IPSec traffic only. The other (Ethernet 0) freely routes all IP traffic. If the Cisco VPN 500x is to be installed in parallel with the firewall, both ports must be used so that Ethernet 0 faces the protected LAN, and Ethernet 1 faces the Internet via the network's Internet gateway router. The Cisco VPN 500x can also be installed behind the firewall on the protected LAN and connected via only the Ethernet 0 port. This is so that the IPSec traffic that passes between the Internet and the Cisco VPN 500x is passed through the firewall.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on the software and hardware versions:
- Cisco VPN 500x Concentrator
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
Basic Connectivity Configuration
The easiest way to establish basic network connectivity on the Cisco VPN 500x is to connect a serial cable to the console port on the appliance and use terminal software to configure the IP address on the Ethernet 0 port. After configuring the IP address on the Ethernet 0 port, it is possible to connect to the Cisco VPN 500x via Telnet to complete the configuration. Alternatively, a configuration file that is generated in an appropriate text editor can be pushed to the device via TFTP. When you use terminal software through the console port, you are initially prompted to enter a password. Initially, the password on the command line interface is letmein. After you respond with the password, issue these commands:
config ip Ethernet 0 ipaddress=192.168.233.1 subnetmask=255.255.255.0 ipbroadcast=192.168.233.255 mode=routed
The entire sequence appears here:
*[ IP Ethernet 0 ]# configure ip ethernet 0
Section 'ip ethernet 0' not found in the config.
Do you want to add it to the config? y
Configure parameters in this section by entering:
<Keyword> = <Value>
To find a list of valid keywords and additional help enter "?"
*[ IP Ethernet 0 ]# ipaddress=192.168.233.1
*[ IP Ethernet 0 ]# subnetmask=255.255.255.0
*[ IP Ethernet 0 ]# ipbroadcast=192.168.233.255
*[ IP Ethernet 0 ]# mode=routed
*[ IP Ethernet 0 ]#
Note: Remember that the TCP/IP addresses and the user information are examples only. Your values will be different.
Ethernet 1
You are now ready to configure the IPSec Ethernet port. The TCP/IP addressing information on this port is the external, Internet-routable TCP/IP address you assigned to the Cisco VPN 500x.
Note: This address must not be in the same TCP/IP network as Ethernet 0 or you will disable TCP/IP in the Cisco VPN 500x.
Enter these commands:
configure ip ethernet 1 y ipaddress=206.45.55.1 subnetmask=255.255.255.0 ipbroadcast=206.45.55.255 mode=routed
The entire sequence appears here:
* IntraPort2+_A56CB700# configure ip ethernet 1
Section 'ip ethernet 1' not found in the config.
Do you want to add it to the config? y
Configure parameters in this section by entering:
<Keyword> = <Value>
To find a list of valid keywords and additional help enter "?"
*[ IP Ethernet 1 ]# ipaddress=206.45.55.1
*[ IP Ethernet 1 ]# subnetmask=255.255.255.0
*[ IP Ethernet 1 ]# ipbroadcast=206.45.55.255
*[ IP Ethernet 1 ]# mode=routed
*[ IP Ethernet 1 ]#
IPSec Gateway
Tell the Cisco VPN 500x where to send all the IPSec, or tunneled traffic. In the 5.2.x code, this is called the IPSec Gateway and in the 6.x code, this is called VPN Gateway. This configuration is independent of the default route you just configured. Enter these commands.
configure general ipsecgateway=206.45.55.2 exit
or
configure general vpngateway=206.45.55.2 exit
The entire sequence appears here:
* IntraPort2+_A56CB700# configure general
Section 'general' not found in the config.
Do you want to add it to the config? y
Configure parameters in this section by entering:
<Keyword> = <Value>
To find a list of valid keywords and additional help enter "?"
*[ General ]# ipsecgateway=206.45.55.2
*[ General ]# exit
Leaving section editor.
* IntraPort2+_A56CB700#
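The two interface sections and the IPSec gateway are easy to get wrong by hand, and the note above warns that an Ethernet 1 address in the same network as Ethernet 0 disables TCP/IP on the appliance. The following Python script is an added example (not part of this guide and not Cisco software) that checks a two-port configuration before it is typed in or pushed via TFTP: it recomputes each port's broadcast address from the address and mask, confirms the two ports are on different networks, and confirms the gateway is on the Ethernet 1 network. The sample addresses are the guide's own; the requirement that the gateway sit on the Ethernet 1 network is an assumption drawn from those example addresses, not a statement from the guide.

```python
import ipaddress

# Constructed sample values, taken from the guide's own example addresses
ETH0 = {"ipaddress": "192.168.233.1", "subnetmask": "255.255.255.0",
        "ipbroadcast": "192.168.233.255"}
ETH1 = {"ipaddress": "206.45.55.1", "subnetmask": "255.255.255.0",
        "ipbroadcast": "206.45.55.255"}
IPSEC_GATEWAY = "206.45.55.2"   # the ipsecgateway / vpngateway value


def interface_network(iface):
    """Return the IPv4 network described by an [ IP Ethernet n ] section."""
    return ipaddress.IPv4Interface(
        f"{iface['ipaddress']}/{iface['subnetmask']}").network


def check_interface(name, iface):
    """Return a list of problems found in one interface section."""
    problems = []
    net = interface_network(iface)
    addr = ipaddress.IPv4Address(iface["ipaddress"])
    if addr in (net.network_address, net.broadcast_address):
        problems.append(f"{name}: {addr} is the network or broadcast address")
    # ipbroadcast is entered by hand; verify it matches the address and mask
    if ipaddress.IPv4Address(iface["ipbroadcast"]) != net.broadcast_address:
        problems.append(f"{name}: ipbroadcast {iface['ipbroadcast']} does not "
                        f"match the computed broadcast {net.broadcast_address}")
    return problems


def check_two_port(eth0, eth1, gateway):
    """Check the Ethernet 0 / Ethernet 1 / gateway combination of a
    two-port (parallel-to-firewall) deployment.  Returns [] when clean."""
    problems = (check_interface("Ethernet 0", eth0)
                + check_interface("Ethernet 1", eth1))
    net0, net1 = interface_network(eth0), interface_network(eth1)
    # The guide's note: Ethernet 1 must not be in the same network as Ethernet 0.
    if net0.overlaps(net1):
        problems.append(f"Ethernet 0 ({net0}) and Ethernet 1 ({net1}) overlap; "
                        "this disables TCP/IP on the appliance")
    # Assumption (not from the guide): the IPSec gateway is the next hop on the
    # Ethernet 1 network, as it is in the guide's example addresses.
    if ipaddress.IPv4Address(gateway) not in net1:
        problems.append(f"IPSec gateway {gateway} is not on the "
                        f"Ethernet 1 network {net1}")
    return problems


if __name__ == "__main__":
    result = check_two_port(ETH0, ETH1, IPSEC_GATEWAY)
    for line in result or ["configuration checks passed"]:
        print(line)
```

Run the script with the addresses you intend to use; an empty result means the three sections are consistent with each other, and each reported line names the section and the value to correct.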
IKE Policy Configuration
This section is used to set Internet Security Association Key Management Protocol/Internet Key Exchange (ISAKMP/IKE) parameters for a VPN Access Server. These settings control how the server and VPN Client identify and authenticate each other so that tunnel sessions can be established. This initial negotiation is referred to as Phase 1. These parameters are global to the device and are not associated with a particular interface. Keywords recognized in this section are described later in this document. Phase 1 negotiation parameters for LAN-to-LAN tunnels may be set in the [ Tunnel Partner ] section. Phase 2 IKE negotiation sets how the Cisco VPN 500x and the VPN Client handle individual tunnel sessions. Phase 2 IKE negotiation parameters for the VPN Client and server are set in the [ VPN Group ] section. The syntax for IKE Policy is:
Protection = [ MD5_DES_G1 | MD5_DES_G2 | SHA_DES_G1 | SHA_DES_G2 |
The Protection keyword specifies a protection suite for the ISAKMP/IKE negotiation between the Cisco VPN 500x and the VPN Client. This keyword may appear multiple times within this section, in which case the Cisco VPN 500x proposes all of the specified protection suites. The VPN Client accepts one of the options for the negotiation. The first piece of each option is the authentication algorithm to be used for the negotiation. MD5 is the message-digest 5 hash algorithm. SHA is the Secure Hash Algorithm, which is considered to be somewhat more secure than MD5. The second piece is the encryption algorithm. Data Encryption Standard (DES) uses a 56-bit key to scramble the data. The third piece is the Diffie-Hellman group to be used for key exchange. Because larger numbers are used by the Group 2 (G2) algorithm, it is more secure than Group 1 (G1).
Examples
[ IKE Policy ]
Protection = MD5_DES_G1
Protection = SHA_DES_G2
config IKE Policy
Protection = MD5_DES_G1
exit
The entire sequence appears here:
* IntraPort2+_A56CB700# configure IKE Policy
Section 'IKE Policy' was not found in the config.
Do you want to add it to the config? y
Configure parameters in this section by entering:
<Keyword> = <Value>
To find a list of valid keywords and additional help enter "?"
*[ IKE Policy ] Protection = MD5_DES_G1
*[ IKE Policy ] exit
Leaving section editor.
* IntraPort2+_A56CB700#
Aggressive-Mode Site-to-Site Configuration
To configure the Cisco VPN 500x to support LAN-to-LAN connections, it is necessary to define the tunnel configuration, as well as the IP communication parameters that are used in the tunnel. This is accomplished in two sections, the [Tunnel Partner VPN x] section, and the [IP VPN x] section. For any given site-to-site configuration, the (x) defined in these two sections must match, so that the tunnel configurations are properly associated with the protocol configuration.
In the tunnel partner section, there are five parameters that must be defined at the minimum. These parameters are:
Transform
The Transform keyword specifies the protection types and algorithms which are used for IKE Client sessions. Each option is a "protection piece" which specifies authentication and/or encryption parameters. This keyword may appear multiple times within this section. In this case, the Cisco VPN 500x proposes the specified protection pieces in the order they are parsed until a transform is accepted by the Cisco VPN Client for use during the session. In most cases, only one Transform keyword is needed. ESP(SHA,DES), ESP(SHA,3DES), ESP(MD5,DES) and ESP(MD5,3DES) denote using the Encapsulating Security Payload (ESP) header to encrypt and authenticate packets. DES uses a 56-bit key to scramble the data. 3DES uses three different keys and three applications of the DES algorithm to scramble the data. MD5 is the message-digest 5 hash algorithm. SHA is the Secure Hash Algorithm, which is considered to be somewhat more secure than MD5. ESP(MD5,DES) is the default setting and is recommended for most setups. ESP(MD5) and ESP(SHA) denote using the ESP header to authenticate packets (with no encryption). AH(MD5) and AH(SHA) denote using the Authentication Header (AH) to authenticate packets. AH(MD5)+ESP(DES), AH(MD5)+ESP(3DES), AH(SHA)+ESP(DES) and AH(SHA)+ESP(3DES) use the Authentication Header to authenticate packets and the ESP header to encrypt packets.
Transform = [ ESP(SHA,DES) | ESP(SHA,3DES) | ESP(MD5,DES) | ESP(MD5,3DES) | ESP(MD5) | ESP(SHA) | AH(MD5) | AH(SHA) | AH(MD5)+ESP(DES) | AH(MD5)+ESP(3DES) | AH(SHA)+ESP(DES) | AH(SHA)+ESP(3DES) ]
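Both the [ IKE Policy ] Protection suites described earlier and the Transform values listed here are compact strings whose pieces decide whether a tunnel is encrypted at all and with what. The Python below is an added example (not part of this guide and not Cisco software) that parses both notations into their hash, cipher and Diffie-Hellman components and returns the review findings the guide's own descriptions imply: a transform with no ESP cipher authenticates but does not encrypt, single DES is a 56-bit key, and MD5 and Group 1 are the weaker choices. The parser accepts only the suite and transform spellings that appear on this page; the sample lists are constructed from those spellings.

```python
import re

# Constructed sample input, using only the spellings listed in this guide
IKE_PROTECTION = ["MD5_DES_G1", "SHA_DES_G2"]
TRANSFORMS = ["ESP(MD5,DES)", "ESP(SHA,3DES)", "AH(SHA)+ESP(3DES)",
              "ESP(SHA)", "AH(MD5)"]


def parse_protection(suite):
    """Split an [ IKE Policy ] Protection suite 'HASH_CIPHER_Gn' into parts."""
    m = re.fullmatch(r"(MD5|SHA)_(DES)_G([12])", suite)
    if not m:
        raise ValueError(f"unrecognised Protection suite: {suite!r}")
    return {"hash": m.group(1), "cipher": m.group(2), "dh_group": int(m.group(3))}


def parse_transform(transform):
    """Split a [ Tunnel Partner ] Transform value such as 'AH(SHA)+ESP(3DES)'
    into its protection pieces: one dict per AH or ESP header."""
    pieces = []
    for piece in transform.replace(" ", "").split("+"):
        m = re.fullmatch(r"(AH|ESP)\(([A-Z0-9]+(?:,[A-Z0-9]+)?)\)", piece)
        if not m:
            raise ValueError(f"unrecognised transform piece: {piece!r}")
        proto, args = m.group(1), m.group(2).split(",")
        hash_alg = next((a for a in args if a in ("MD5", "SHA")), None)
        cipher = next((a for a in args if a in ("DES", "3DES")), None)
        # every argument must have been recognised as exactly one of the two
        if len(args) != (hash_alg is not None) + (cipher is not None):
            raise ValueError(f"unknown algorithm in {piece!r}")
        if proto == "AH" and (cipher is not None or hash_alg is None):
            raise ValueError(f"AH only authenticates: {piece!r}")
        pieces.append({"proto": proto, "hash": hash_alg, "cipher": cipher})
    return pieces


def assess_transform(transform):
    """Findings a reviewer would raise about a Phase 2 Transform value."""
    pieces = parse_transform(transform)
    findings = []
    if not any(p["cipher"] for p in pieces):
        findings.append("no encryption: packets are authenticated only")
    if any(p["cipher"] == "DES" for p in pieces):
        findings.append("single DES: 56-bit key")
    if any(p["hash"] == "MD5" for p in pieces):
        findings.append("MD5 authentication: SHA is considered more secure")
    return findings


def assess_protection(suite):
    """Findings for a Phase 1 [ IKE Policy ] Protection suite."""
    s = parse_protection(suite)
    findings = []
    if s["dh_group"] == 1:
        findings.append("Diffie-Hellman group 1: G2 is more secure")
    if s["cipher"] == "DES":
        findings.append("single DES: 56-bit key")
    if s["hash"] == "MD5":
        findings.append("MD5 authentication: SHA is considered more secure")
    return findings


if __name__ == "__main__":
    for suite in IKE_PROTECTION:
        print(f"Protection = {suite:12} -> {assess_protection(suite) or 'ok'}")
    for transform in TRANSFORMS:
        print(f"Transform = {transform:18} -> {assess_transform(transform) or 'ok'}")
```

Because the Cisco VPN 500x proposes every Protection line it is given and the partner picks one, run `assess_protection` over the whole list rather than the first entry only; a weak suite anywhere in the list is a suite the negotiation can end up using.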
Partner
The Partner keyword defines the IP address of the other tunnel terminator in the tunnel partnership. This number must be a public routable IP address that the local Cisco VPN 500x can create an IPSec connection with.
KeyManage
The KeyManage keyword defines how the two Cisco VPN 500x devices in a tunnel partnership determine which device initiates the tunnel and what type of tunnel establishment procedure is followed. The options are Auto, Initiate, Respond, and Manual. The first three options are used to configure IKE tunnels, whereas the Manual keyword is used for the configuration of fixed-encryption tunnels using a different set of keywords. This discussion does not focus on fixed-encryption tunnels. Auto key management specifies that the tunnel partner is able to both initiate and respond to tunnel setup requests. Initiate specifies that this tunnel partner only sends tunnel setup requests; it does not respond to them. Respond sets the tunnel partner to only respond to tunnel setup requests; it never attempts to initiate a tunnel setup.
SharedKey
The SharedKey keyword is used as the IKE shared secret. The SharedKey value must be the same on both tunnel partners.
BindTo
The BindTo parameter specifies the local endpoint of the site-to-site connection. If your VPN 500x is configured for two-port operation, the BindTo parameter specifies Ethernet 1. If you deploy the VPN 500x in single-port configuration, the BindTo parameter specifies Ethernet 0.
Enter these commands.
configure Tunnel Partner VPN 1 y transform=ESP(MD5,DES) keymanage=auto sharedkey=letmein partner=208.203.136.10 bindto=ethernet 1
The entire sequence appears here:
*IntraPort2+_A56CB700# configure Tunnel Partner VPN 1
Section 'config Tunnel Partner VPN 1' not found in the config.
Do you want to add it to the config? y
Configure parameters in this section by entering:
<Keyword> = <Value>
To find a list of valid keywords and additional help enter "?"
*[ Tunnel Partner VPN 1 ]# transform=ESP(MD5,DES)
*[ Tunnel Partner VPN 1 ]# keymanage=auto
*[ Tunnel Partner VPN 1 ]# sharedkey=letmein
*[ Tunnel Partner VPN 1 ]# partner=208.203.136.10
*[ Tunnel Partner VPN 1 ]# bindto=ethernet 1
*[ Tunnel Partner VPN 1 ]# exit
Leaving section editor.
In the IP configuration section for each tunnel partnership, configuration is determined similarly to IP configuration on WAN connections, in that the options are to use a numbered or unnumbered connection. Since numbered is the more complex configuration, unnumbered is used for this example. A discussion of numbered-tunnel configuration can be found later in this document. The minimum configuration to run an unnumbered Site-to-Site connection requires two parameters, the Numbered=False and the Mode=Routed statements.
configure ip vpn 1 y mode=routed numbered=false
The entire sequence appears here:
*[ IP Ethernet 0 ]# configure ip vpn 1
Section 'IP VPN 1' not found in the config.
Do you want to add it to the config? y
Configure parameters in this section by entering:
<Keyword> = <Value>
To find a list of valid keywords and additional help enter "?"
*[ IP VPN 1 ]# mode=routed
*[ IP VPN 1 ]# numbered=false
TCP/IP Route Table
The next step is to tell the Cisco VPN 500x where to send all TCP/IP traffic destined for networks other than the network(s) to which it is directly connected or has dynamic routes for. This is also known as the "default route." The default route points back to all networks found on the internal port. The Cisco VPN 500x is configured to send IPSec traffic to and from the Internet with the IPSec Gateway parameter, which was configured in the IPSec Gateway section above.
Static routes for site-to-site tunnel-connected networks may also be entered in the IP Static section of the configuration. If using numbered tunnels, routes are entered in the same format as the Static route: [Destination Network][Destination Netmask][Next-Hop-Router][Metric]. When using unnumbered tunnels, routing is set by indicating the VPN tunnel that traffic is forwarded through to the destination network: [Destination Network][Destination Netmask][VPN-Tunnel-Number][Metric].
Enter these commands:
edit config ip static y append 1 0.0.0.0 0.0.0.0 192.168.233.2 1 192.18.210.0 255.255.254.0 VPN 1 1 . exit
The entire sequence appears here:
*IntraPort2+_A56CB700# edit configure ip static
Section 'ip static' not found in the config.
Do you want to add it to the config? y
Configuration lines in this section have the following format:
<Destination> <Mask> <Gateway> <Metric> [<Redist=(RIP|none)>]
Editing "[ IP Static ]" ...
1: [ IP Static ]
End of buffer
Edit [ IP Static ]> append 1
Enter lines at the prompt. To terminate input, enter a . on a line all by itself.
Append> 0.0.0.0 0.0.0.0 192.168.233.2 1
Append> 192.168.210.0 255.255.254.0 VPN 1 1
Append> .
Edit [ IP Static ]> exit
Saving section...
Checking syntax...
Section checked successfully.
*IntraPort2+_A56CB700#
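The Basic Connectivity section mentions that a configuration file written in a text editor can be pushed to the appliance via TFTP instead of typing each section at the console. The Python below is an added example (not part of this guide and not Cisco software) that assembles such a file from the values used throughout this guide: the two [ IP Ethernet n ] sections, [ General ] with either the 5.2.x ipsecgateway or the 6.x vpngateway keyword, [ IKE Policy ], a matching [ Tunnel Partner VPN n ] and [ IP VPN n ] pair for each tunnel (the guide requires the n to match), and an [ IP Static ] section whose lines it validates in both the numbered (next-hop router) and unnumbered (VPN n) formats, rejecting a route that points at a tunnel number that was never defined. The section and keyword layout follows the guide's own sessions; the sample values are constructed from them, and the shared key is a placeholder to be replaced.

```python
import ipaddress
import re

# Constructed sample values based on the guide's example sessions
INTERFACES = {
    0: {"ipaddress": "192.168.233.1", "subnetmask": "255.255.255.0",
        "ipbroadcast": "192.168.233.255"},
    1: {"ipaddress": "206.45.55.1", "subnetmask": "255.255.255.0",
        "ipbroadcast": "206.45.55.255"},
}
TUNNELS = [{"number": 1, "transform": "ESP(MD5,DES)", "keymanage": "auto",
            "sharedkey": "REPLACE-WITH-A-STRONG-SECRET",   # placeholder
            "partner": "208.203.136.10", "bindto": "ethernet 1"}]
ROUTES = [("0.0.0.0", "0.0.0.0", "192.168.233.2", 1),         # default route
          ("192.168.210.0", "255.255.254.0", "VPN 1", 1)]      # via unnumbered tunnel


def format_section(name, keywords):
    """Render a '[ Section ]' block of 'Keyword = Value' lines."""
    return "\n".join([f"[ {name} ]"] + [f"{k} = {v}" for k, v in keywords])


def format_static_route(dest, mask, next_hop, metric, tunnel_numbers):
    """Validate and render one [ IP Static ] line.  next_hop is either a
    next-hop router address (LAN or numbered tunnel) or 'VPN n' (unnumbered)."""
    ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)   # raises if malformed
    m = re.fullmatch(r"VPN (\d+)", next_hop)
    if m:
        if int(m.group(1)) not in tunnel_numbers:
            raise ValueError(f"route to {dest} uses undefined tunnel {next_hop}")
    else:
        ipaddress.IPv4Address(next_hop)                      # raises if malformed
    if not isinstance(metric, int) or metric < 1:
        raise ValueError(f"bad metric {metric!r} for route to {dest}")
    return f"{dest} {mask} {next_hop} {metric}"


def build_config(interfaces, gateway, tunnels, routes,
                 protection=("MD5_DES_G1",), gateway_keyword="ipsecgateway"):
    """Assemble the complete configuration text.  Every tunnel gets a
    [ Tunnel Partner VPN n ] and an [ IP VPN n ] section with the same n."""
    if gateway_keyword not in ("ipsecgateway", "vpngateway"):  # 5.2.x vs 6.x
        raise ValueError(f"unknown gateway keyword {gateway_keyword!r}")
    tunnel_numbers = {t["number"] for t in tunnels}
    sections = []
    for n, iface in sorted(interfaces.items()):
        sections.append(format_section(
            f"IP Ethernet {n}", list(iface.items()) + [("mode", "routed")]))
    sections.append(format_section("General", [(gateway_keyword, gateway)]))
    sections.append(format_section("IKE Policy",
                                   [("Protection", p) for p in protection]))
    for t in tunnels:
        n = t["number"]
        sections.append(format_section(
            f"Tunnel Partner VPN {n}",
            [(k, t[k]) for k in ("transform", "keymanage", "sharedkey",
                                 "partner", "bindto")]))
        sections.append(format_section(
            f"IP VPN {n}", [("mode", "routed"), ("numbered", "false")]))
    sections.append("\n".join(
        ["[ IP Static ]"]
        + [format_static_route(*r, tunnel_numbers) for r in routes]))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    print(build_config(INTERFACES, "206.45.55.2", TUNNELS, ROUTES))
```

Write the returned text to a file and serve it from your TFTP server; keep the file out of version control or any shared location, since it carries the IKE shared key in clear text.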
Save the configuration. When asked if you are sure that you want to download the configuration and restart the device, type y and <enter>. DO NOT turn the Cisco VPN 500x off during the boot process. After the Cisco VPN 500x has rebooted, users can now connect with the Cisco 500x VPN Client software. Enter these commands.
save y
The entire sequence appears here:
*IntraPort2+_A56CB700# save Save configuration to flash and restart device? y
If you are connected to the Cisco VPN 500x via a Telnet session, that is all that you will see. If you are connected via a console, you will see something which looks like this, plus much more. When the Cisco VPN 500x says "Hello Console..." and asks for a password, you are finished.
Codesize => 0 pfree => 462
Updating Config variables...
Adding section '[ General ]' to config
Adding -- ConfiguredFrom = Command Line, from Console
Adding -- ConfiguredOn = Timeserver not configured
Adding -- DeviceType = IntraPort2
Adding -- SoftwareVersion = IntraPort2 V4.5
Adding -- EthernetAddress = 00:00:a5:6c:b7:00
Not starting command loop: restart in progress.
Rewriting Flash....
You are done with a basic Cisco VPN 500x configuration. There are many other options beyond the scope of this guide. Please read the other documentation which came with your device and consult the online support options on the Cisco Systems web site for the latest updates.
Related Information
- Cisco VPN 5000 Series Concentrators End-of-Sales Announcement
- Cisco VPN 5000 Concentrator Support Page
- Cisco VPN 5000 Client Support Page
- IPsec Support Page
- Technical Support & Documentation - Cisco Systems
Updated: Apr 04, 2008 | Document ID: 47480