The VPN Concentrator

Cisco has a wide range of capabilities in the VPN Concentrator 3000 series of devices. They can support from 100 simultaneous users (on the 3005) to 10,000 (on the 3080), with a commensurate range of hardware on board. The concentrator is primarily managed through the VPN Concentrator Manager, a GUI-based manager that runs in a browser; you need only be on the same private network as the concentrator. You can also manage it through a CLI. Browser management can be via HTTP or HTTPS (after installing the certificate; remember that HTTPS uses SSL for authentication and encryption).

A major advantage of the VPN concentrator over a PIX for terminating many tunnels is that the concentrator handles connections between tunnel clients (such as branch offices connecting to each other through the corporate system rather than directly). The concentrator also began offering AES before the PIX (with the new VAC+ and PIX OS 6.3(1), the PIX now offers 128-, 192-, and 256-bit AES). Without the recent software, however, the PIX is limited to DES, 3DES, and ESP-NULL (no payload encryption). The concentrator offers the following:

  • DES

  • 3DES

  • ESP-NULL

  • AES-128, -192, and -256

As you learned when configuring tunnels with a router and a PIX, IKE must be completed before the SA is established. Thus, it makes sense that, on a VPN concentrator, you should configure the IKE proposal parameters before configuring the rest of your IPSec parameters. All parameters are configurable via the GUI.

Note: The VPN concentrator can act as the initiator of a connection or as a responder to another device's request in a site-to-site connection, which is also known as a LAN-to-LAN connection. However, for a connection to an IPSec client, the VPN concentrator can act only as a responder; it cannot initiate the connection.


Whether acting as an initiator or a responder, the concentrator offers its configured IKE proposals, the other party does the same, and they agree on a common configuration. The VPN concentrator offers more possibilities than the IOS or PIX: In addition to adding AES to the DES and 3DES encryptions, the concentrator supports DH Group 7 (for use with the movianVPN client and others capable of handling Elliptic Curve Cryptography, ECC).

Between preconfigured proposals and those that you have created (custom proposals), the concentrator can handle up to 150 IKE proposals; any number of them can be active (usable) at a given time. When IKE is complete, the SA is established according to the parameters that you entered in that portion of the GUI. If your IPSec connection must pass through intervening devices that might filter it out, you should add the configuration for NAT transparency. The concentrator supports this, with a customizable higher-numbered TCP port (so that you can configure any intervening firewalls or ACLs to pass traffic on your specified port).

To create your active proposal list, navigate through the GUI to Configuration > System > Tunneling Protocols > IPSec > IKE Proposals. There you can move proposals between the active and inactive lists. You can also use the Add, Modify, and Copy buttons to create custom proposals (for instance, copy an existing proposal and then modify it). You can also delete proposals from either list, but delete with caution: if no SA is using this proposal, it is gone, without confirmation or undo capability.
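As an added illustration (not code from the book or from Cisco), the following Python models the active and inactive IKE proposal lists described above and the responder-side match: the class and parameter names are assumptions, the 150-proposal limit and the DES/3DES/AES values come from the text, and the "first active proposal the peer also offered" rule is a simplification of real IKE transform matching. It shows why a weak proposal left on the active list still matters even when stronger ones sit above it.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class IkeProposal:
    """One IKE (Phase 1) proposal; `name` is just the label shown in the concentrator's list."""
    name: str
    encryption: str   # "DES", "3DES", "AES-128", "AES-192" or "AES-256"
    hash_alg: str     # "MD5" or "SHA"
    dh_group: int     # e.g. 1, 2, 5, or 7 (ECC, for clients such as movianVPN)
    auth: str         # "preshared" or "rsa-sig"

    def params(self) -> tuple:
        return (self.encryption, self.hash_alg, self.dh_group, self.auth)

class ProposalLists:
    """Constructed model of the concentrator's active and inactive IKE proposal lists."""
    MAX_CONFIGURED = 150  # limit stated on the page: preconfigured plus custom proposals

    def __init__(self, active: List[IkeProposal], inactive: List[IkeProposal] = ()):
        self.active, self.inactive = list(active), list(inactive)
        if len(self.active) + len(self.inactive) > self.MAX_CONFIGURED:
            raise ValueError("more than 150 IKE proposals configured")

    def deactivate(self, name: str) -> None:
        """Move a proposal to the inactive list: still configured, but never offered or accepted."""
        idx = next(i for i, p in enumerate(self.active) if p.name == name)
        self.inactive.append(self.active.pop(idx))

    def respond(self, peer_offer: List[IkeProposal]) -> Optional[IkeProposal]:
        """Responder role: the first active proposal (in list order) that the peer also offered wins;
        inactive entries never take part. (Simplification: real IKE compares transform by transform.)"""
        offered = {p.params() for p in peer_offer}
        return next((p for p in self.active if p.params() in offered), None)

# Constructed sample: an old single-DES proposal was left active below the AES and 3DES ones.
AES_SHA = IkeProposal("IKE-AES256-SHA", "AES-256", "SHA", 2, "preshared")
TRIPLE_DES = IkeProposal("IKE-3DES-MD5", "3DES", "MD5", 2, "preshared")
DES_ONLY = IkeProposal("IKE-DES-MD5", "DES", "MD5", 1, "preshared")
MODERN_PEER_OFFER = [TRIPLE_DES, AES_SHA]   # peer lists 3DES first, but our list order decides
LEGACY_PEER_OFFER = [IkeProposal("peer-des", "DES", "MD5", 1, "preshared")]

def downgrade_check() -> tuple:
    """(modern peer's result, legacy peer's result with DES active, same peer once DES is inactive)."""
    lists = ProposalLists(active=[AES_SHA, TRIPLE_DES, DES_ONLY])
    modern = lists.respond(MODERN_PEER_OFFER).encryption   # "AES-256": responder priority wins
    before = lists.respond(LEGACY_PEER_OFFER).encryption   # "DES": the weak proposal is still active
    lists.deactivate("IKE-DES-MD5")
    after = lists.respond(LEGACY_PEER_OFFER)               # None: no common proposal, so no SA
    return modern, before, after
```

Moving a proposal to the inactive list, rather than deleting it, keeps it available for later while guaranteeing it cannot be negotiated.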

If you want to use NAT transparency, you can invoke that by selecting Configuration > System > Tunneling Protocols > IPSec > NAT Transparency. Here you turn it on and specify the TCP port to use.

Because you likely will be using the VPN concentrator when you have many VPNs, it becomes important to be able to manage updates to the many clients. You manage this via Configuration > System > Client Update, where you select Enable and check the box to turn it on. The concentrator can push the updates to clients, although there are differences in how this works between the software and hardware clients. With the software client, the concentrator sends an IKE packet upon connection specifying the acceptable versions of the client software. The message also contains the location from which the client can obtain an update, which the client's administrator can retrieve and install. With the hardware client, an IKE packet is sent containing a list of acceptable software and firmware versions. If the hardware client is not running an acceptable version, it is automatically updated via TFTP and reboots when the update is complete.

There is much more than this to the VPN concentrator, of course, but that is covered in the CSVPN exam.



CCSP CSI Exam Cram 2 (Exam 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Author: Annlee Hines
