Now that you have configured the Microsoft client(s) and VPN 3000 concentrator, the client can now establish a connection to the concentrator. The following sections will discuss how to establish a connection from the client to the concentrator. The network shown in Figure 13-21 illustrates the process.
Figure 13-21. L2TP/IPsec Client and VPN 3000 Concentrator Example
Connecting to a VPN Gateway
On the Microsoft computer, open the Network Connections window in one of the following ways:
In this window there should be a section entitled Virtual Private Network, listing the VPN connections you have set up from the "Creating a Microsoft VPN Connection" section earlier in the chapter. Their statuses should say "Disconnected." Either double-click the name of the VPN connection profile or right-click the name and choose Connect. You should see the Connection window, shown in Figure 13-22.
Figure 13-22. Microsoft VPN Client Connection Window
Enter your username and password and click the Connect button. Assuming that you enabled the Display progress while connecting parameter for the connection profile, a window will pop up displaying the status of the building of the connection. Likewise, if you enabled the Show icon in the notification area when connected, you should see a PC icon in the taskbar once the connection is completed.
Verifying the Connection on the PC
To see status information about the connection, right-click the PC icon in the taskbar or right-click the connection profile name in the Network Connections window and choose Status. There are two tabs at the top of the screen: General and Details. The General tab displays how long the session has been up, how many bytes were sent and received, how many packets were compressed, and how many errors were sent and received. Clicking the Details tab, you can see how the connection is configured, as shown in Figure 13-23.
Figure 13-23. Microsoft VPN Client Status Detail Window
In this example, MS-CHAPv2 was used for authentication and MPPE RC-128 bit encryption for L2TP. For the IPsec data SA, 3DES is used for encryption. The address assigned to the client by the VPN gateway is 192.168.101.120. At this point, the client should be able to ping anything behind the concentrator, like 192.168.101.99, 192.168.101.66, and 192.168.101.77.
To disconnect the VPN session, right-click the PC icon in the taskbar or right-click the connection profile name in the Network Connections window and choose Disconnect.
Verifying the Connection on the Concentrator
Once the PPTP, L2TP, or L2TP/IPsec client makes a connection to the concentrator, you should be able to see the connection status on the concentrator by going to Monitor > Sessions, shown in Figure 13-24. As you can see from this figure, the user called "l2tp" has terminated a VPN connection on the concentrator and was assigned an IP address of 192.168.101.120. This connection is associated with the Base Group and is protected by L2TP/IPsec 3DES.
Figure 13-24. Session Overview Screen
Clicking the name of the user takes you to the screen in Figure 13-25. Here you can see how the connection is protected by IKE (DES, SHA, pre-shared keys, and DH group 1), IPsec (3DES, SHA, and transport mode), and L2TP (RC4-128 and MS-CHAPv2).
Figure 13-25. Session Detail Screen
Part I: VPNs
Overview of VPNs
PPTP and L2TP
Part II: Concentrators
Concentrator Product Information
Concentrator Remote Access Connections with IPsec
Concentrator Remote Access Connections with PPTP, L2TP, and WebVPN
Concentrator Site-to-Site Connections
Verifying and Troubleshooting Concentrator Connections
Part III: Clients
Cisco VPN Software Client
Windows Software Client
3002 Hardware Client
Part IV: IOS Routers
Router Product Information
Router ISAKMP/IKE Phase 1 Connectivity
Router Site-to-Site Connections
Router Remote Access Connections
Troubleshooting Router Connections
Part V: PIX Firewalls
PIX and ASA Product Information
PIX and ASA Site-to-Site Connections
PIX and ASA Remote Access Connections
Troubleshooting PIX and ASA Connections
Part VI: Case Study