Now that I've explained how to configure the Microsoft client, I'll focus on things you need to configure on Cisco VPN 3000 concentrators to support Windows client access. I covered many of these screens in Chapter 8, "Concentrator Remote Access Connections with PPTP, L2TP, and WebVPN," so I'll briefly explain the items that you must create or change to support Microsoft connections in the following sections. Here are the basic items you need to configure or add to your concentrator's configuration:
First, on your concentrator you need to ensure that you either have created or activated an IKE proposal that will work with the Microsoft L2TP/IPsec client (assuming that you're not using plain L2TP or PPTP). On the concentrator, go to Configuration > Tunneling and Security > IPsec > IKE Proposals.
Proposal names beginning with "CiscoVPNClient" will not work with Microsoft's L2TP/IPsec client: the Microsoft client doesn't understand the concept of groups and XAUTH. Therefore, you need to choose a proposal that doesn't do XAUTH authentication, like those beginning with "IKE."
IKE proposals that will work include these properties:
If you'll be using pre-shared keys, two of the included concentrator proposals that will work are IKE-DES-MD5 and IKE-3DES-MD5; just make sure you haven't deactivated these security policies for your L2TP/IPsec client (see the "Creating a Security Policy" section earlier in the chapter). Refer to Figures 7-18 and 7-19 in Chapter 7, "Concentrator Remote Access Connections with IPsec," for examples of these screens.
I've experienced a lot of headaches with customizing Microsoft's L2TP/IPsec client. In many instances, I've had to use an IKE Policy that had only DES for encryption, DH group 1 keys, and either MD5 or SHA for an HMAC function because of the quirks in Microsoft's software.
Next, on the VPN 3000 concentrator, create an IPsec SA transform that will be used to protect the ISAKMP/IKE Phase 2 data connections for the Windows client. To do this, go to Configuration > Policy Management > Traffic Management > SAs. Click the Add button to add a new SA, and then enter the following for the SA parameters:
Click the Add button to add your new SA. Figures 13-19 and 13-20 show an example IPsec SA that is used by L2TP/IPsec clients.
Figure 13-19. SA Configuration: Top of Screen
Figure 13-20. SA Configuration: Bottom of Screen
I'd like to point out two important pieces of information regarding the setup of your data SA for L2TP/IPsec clients. First, the encapsulation mode must be set to transport mode, not tunnel. Second, I've experienced with some Windows platforms that in some cases, no matter what IKE Proposal you choose from this screen, the only one that the L2TP/IPsec client will use is one with DES and either MD5 or SHA. Even if you don't specify it here, this IKE Proposal must be activated in the IKE Proposal screen on the concentrator; this never made any sense to me, because the concentrator basically ignores what you have configured on this screen for the IKE Proposal!
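The two constraints just described (no XAUTH proposals, transport-mode SA) plus the activation quirk are easy to get wrong across two different screens, so here is an added example, not code from the book or from Cisco, that models them as a checker. The dictionary layouts, proposal attributes, and SA names below are assumptions made for illustration; the VPN 3000 has no such export format, and you would fill these in from what you see on the IKE Proposals and SAs screens.

```python
"""Added example: sanity-check IKE proposals and IPsec SAs for Microsoft
L2TP/IPsec clients against the rules given in the text. The data shapes
and names are assumptions for illustration, not the concentrator's own
configuration format."""

# Constructed sample of the IKE Proposals screen (assumed shape).
ike_proposals = {
    "CiscoVPNClient-3DES-MD5": {"active": True, "xauth": True,
                                "encryption": "3DES", "hash": "MD5"},
    "IKE-DES-MD5": {"active": True, "xauth": False,
                    "encryption": "DES", "hash": "MD5"},
    "IKE-3DES-MD5": {"active": False, "xauth": False,
                     "encryption": "3DES", "hash": "MD5"},
}

# Constructed sample of the SAs screen (assumed shape).
ipsec_sas = {
    "ESP-L2TP-Transport": {"encapsulation": "transport",
                           "ike_proposal": "IKE-DES-MD5"},
    "ESP-3DES-MD5": {"encapsulation": "tunnel",
                     "ike_proposal": "CiscoVPNClient-3DES-MD5"},
    "ESP-L2TP-Stale": {"encapsulation": "transport",
                       "ike_proposal": "IKE-3DES-MD5"},
}


def check_ike_proposal(name, proposal):
    """Problems that make one IKE proposal unusable by the Microsoft client."""
    problems = []
    # "CiscoVPNClient" proposals imply groups and XAUTH, which the client lacks.
    if name.startswith("CiscoVPNClient") or proposal["xauth"]:
        problems.append(f"{name}: uses XAUTH/groups, unsupported by the Microsoft client")
    if not proposal["active"]:
        problems.append(f"{name}: proposal is not activated on the IKE Proposals screen")
    return problems


def check_l2tp_sa(sa_name, sa, proposals):
    """Return the problems that would stop L2TP/IPsec clients from using this
    SA; an empty list means the SA passes every check in the text."""
    problems = []
    # L2TP/IPsec carries L2TP inside ESP transport mode, never tunnel mode.
    if sa["encapsulation"] != "transport":
        problems.append(f"{sa_name}: encapsulation must be transport, not {sa['encapsulation']}")
    prop_name = sa["ike_proposal"]
    prop = proposals.get(prop_name)
    if prop is None:
        problems.append(f"{sa_name}: references unknown IKE proposal {prop_name}")
    else:
        problems.extend(check_ike_proposal(prop_name, prop))
    return problems


def des_fallback_active(proposals):
    """The quirk from the text: regardless of the SA's selection, some Windows
    clients only negotiate a DES proposal with MD5 or SHA, so one such
    non-XAUTH proposal must be active. True if the concentrator has one."""
    return any(
        p["active"] and not p["xauth"] and p["encryption"] == "DES"
        and p["hash"] in ("MD5", "SHA")
        for p in proposals.values()
    )


def audit(sas, proposals):
    """Map every SA name to its list of problems (empty list = OK)."""
    return {name: check_l2tp_sa(name, sa, proposals) for name, sa in sas.items()}


if __name__ == "__main__":
    for sa_name, problems in audit(ipsec_sas, ike_proposals).items():
        print(sa_name, "OK" if not problems else problems)
    print("DES fallback proposal active:", des_fallback_active(ike_proposals))
```

Running it flags the tunnel-mode SA on both counts (encapsulation and XAUTH proposal) and the SA that points at a deactivated proposal, while the transport-mode SA bound to IKE-DES-MD5 passes.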
If your L2TP/IPsec clients are using pre-shared keys, the concept of a group is nonexistent; therefore, you'll need to configure these clients' remote access properties in the concentrator's Base Group. Otherwise, if the clients are using certificates, whatever name appears in the OU (Organizational Unit) field is the name of the group you'll need to configure on the concentrator; then configure this group for these users.
You can also use the certificate/group matching feature of the concentrator to examine other certificate fields, and based on the matching rules you create, put a user into a specific, or even a default, group.
In this section, assume that pre-shared keys are being used and that you'll need to configure the Base Group (the configuration is the same whether you use the Base Group or a specific group). To configure the Base Group, go to Configuration > User Management > Base Group and then perform the following:
Click the General Tab and choose the Tunneling Protocols you want these users to use, such as L2TP over IPsec, L2TP, or PPTP, depending on the security protocol(s) your Microsoft clients will be using. Deselect the ones you won't be using. If the clients will be sending the Windows domain name with their authentication, and the concentrator will be performing internal authentication, select the check box for Strip Realm.
Click the IPsec tab. For the IPsec SA parameter, use the pull-down selector and choose the name of the SA you created in the last section, such as "ESP-L2TP-Transport." If you'll be defining the users on the concentrator, then select "Internal" for the Authentication parameter. In most cases, you'll probably use "NT Domain" or "Kerberos Active Directory," because these are Microsoft users; if this is the case, then you'll need to add these servers to the concentrator by going to Configuration > System > Servers > Authentication. If you're using pre-shared keys for device authentication, set the Default Preshared Key parameter under the IPsec tab to match the pre-shared key the L2TP/IPsec clients will use.
Click the PPTP/L2TP tab. If clients will be using their own internally assigned address (which I wouldn't recommend), click the Use Client Address check box. If you'll be using PPTP, select the correct protocols for the PPTP Authentication Protocols parameter. To ensure that encryption is used for PPTP, select "Required" for PPTP Encryption, and select both 40-bit and 128-bit encryption if you're not sure which of the two the clients will use. By using encryption, PPTP will only use MS-CHAPv1 or v2 for authentication (this is also true of L2TP). For L2TP or L2TP/IPsec clients, choose the correct L2TP Authentication Protocols and the correct L2TP Encryption algorithms.
The screens and their contents discussed above are found throughout Chapter 7, "Concentrator Remote Access Connections with IPsec," and Chapter 8, "Concentrator Remote Access Connections with PPTP, L2TP, and WebVPN."
If you are using pre-shared keys, then because all clients are placed in the Base Group, they all must use the same pre-shared key, which might introduce security risks. A better approach would be to use certificates for authentication. Your IPsec SA and IKE proposal would have to reflect this configuration, though.
If the concentrator will be assigning addresses to the Windows client for the VPN connection, you'll need to create an address pool. For the Base Group (pre-shared key authentication), go to Configuration > System > Address Management > Address Pools. Click the Add button to add a new address pool. In the Range Start text box, enter the beginning IP address in the pool; in the Range End text box, enter the ending address in the pool; and in the Subnet Mask text box, enter the subnet mask associated with the pool of addresses. Click the Add button when done.
For certificate authentication, if you choose to use specific groups, you can create an address pool per group. First, create the group from the Configuration > User Management > Groups screen and configure the group. Once you have configured it (as discussed in the last section), from the specific group listing screen, click the name of the group, and then click the Address Pools button. Click the Add button to add a new address pool for the group, and follow the instructions in the last paragraph.
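The Address Pools screen accepts Range Start, Range End, and Subnet Mask as three independent fields, so nothing stops you from entering an end address that falls outside the subnet implied by the mask, or from giving two groups overlapping ranges. The following is an added example, not code from the book or from Cisco, that validates pool entries before you type them into the concentrator; the group names and addresses are constructed sample values, and the pool layout (a start/end pair per group) is an assumption for illustration.

```python
"""Added example: validate address pool entries as the concentrator's
Address Pools screen takes them (Range Start, Range End, Subnet Mask),
and detect overlapping per-group pools. Sample values are constructed."""
import ipaddress


def validate_address_pool(range_start, range_end, subnet_mask):
    """Return a list of problems with one pool; an empty list means the
    three fields are consistent with each other."""
    problems = []
    start = ipaddress.IPv4Address(range_start)
    end = ipaddress.IPv4Address(range_end)
    # Derive the subnet the mask implies from Range Start (strict=False keeps
    # host bits), so Range End can be checked against it.
    network = ipaddress.IPv4Network(f"{range_start}/{subnet_mask}", strict=False)
    if end < start:
        problems.append("Range End is lower than Range Start")
    if end not in network:
        problems.append(f"Range End {end} lies outside {network} implied by Range Start and mask")
    # Never hand out the subnet's network or broadcast address to a client.
    if network.prefixlen < 31:
        if start == network.network_address:
            problems.append(f"Range Start {start} is the network address of {network}")
        if end == network.broadcast_address:
            problems.append(f"Range End {end} is the broadcast address of {network}")
    return problems


def pool_size(range_start, range_end):
    """Number of client addresses the pool can assign (inclusive range)."""
    return int(ipaddress.IPv4Address(range_end)) - int(ipaddress.IPv4Address(range_start)) + 1


def overlapping_pools(pools):
    """pools maps a group name to (range_start, range_end). Returns the pairs
    of groups whose ranges share at least one address, which would let two
    groups hand the same address to different clients."""
    ranges = {
        group: (int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(e)))
        for group, (s, e) in pools.items()
    }
    names = list(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_start, a_end = ranges[a]
            b_start, b_end = ranges[b]
            if max(a_start, b_start) <= min(a_end, b_end):
                overlaps.append((a, b))
    return overlaps


# Constructed sample: a Base Group pool plus two per-group pools (assumed names).
sample_pools = {
    "BaseGroup": ("192.168.50.10", "192.168.50.100"),
    "sales": ("10.1.1.10", "10.1.1.50"),
    "engineering": ("10.1.1.40", "10.1.1.80"),
}

if __name__ == "__main__":
    for group, (s, e) in sample_pools.items():
        print(group, pool_size(s, e), "addresses",
              validate_address_pool(s, e, "255.255.255.0") or "OK")
    print("overlapping:", overlapping_pools(sample_pools))
```

For the sample data the Base Group pool validates cleanly with 91 addresses, while the sales and engineering pools are reported as overlapping because both include 10.1.1.40 through 10.1.1.50.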
Please note that you can also use an external DHCP or AAA server to assign addresses to the Windows clients, as discussed in Chapter 7. If clients always need to have the same IP address assigned to them, instead of manually assigning it on the client, I would use AAA RADIUS for authentication and have the AAA server assign the address to the client.
If you'll be defining the PPTP, L2TP, or L2TP/IPsec users locally on the concentrator, go to Configuration > User Management > Users and click the Add button. Refer to Chapters 7 and 8 for snapshots of the following screens. Under the Identity tab, enter the name of each user along with the password. For the Group parameter, specify the name of the group the user belongs to (for pre-shared key authentication, this must be the Base Group). If you always want to assign the same IP address to a user, enter the IP address and subnet mask under this tab (I recommend not letting the users assign their own addresses on the client). There are also General, IPsec, and PPTP/L2TP tabs, where you can override the properties of the group the user belongs to; otherwise, the user's account will inherit the configuration properties from the group name you specified under the Identity tab. Click the Add button at the bottom of the screen to add the user.