Summary

A typical IPSec tunnel entails four components: a remote client, a VPN Concentrator, PPP or an equivalent Layer 2 protocol, and the IPSec protocol. When the client initiates the IPSec connection to the VPN Concentrator, it typically uses a public IP address assigned by the ISP, with PPP as the Layer 2 WAN protocol. A new ESP header contains the public IP address of the workstation adapter as the source address and the IP address of the concentrator's public interface as the destination. When the concentrator receives the IPSec packet, it decrypts the payload and routes the resulting IP packet to the inside destination address carried in the original IP header.
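The encapsulation just described, as an added illustration that is not part of the original text: the client wraps its private-network packet in an ESP header and a new outer IPv4 header addressed from its ISP-assigned public address to the concentrator's public interface; the concentrator strips the outer headers, checks the ESP sequence number against replay, and routes on the inner destination. The addresses, SPI and payload are constructed from documentation ranges, and the ESP payload is carried in the clear with no trailer or ICV (an assumption made so the header layout can be shown with only the standard library).

```python
import socket
import struct

ESP_PROTOCOL = 50  # IANA protocol number for ESP


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                         64, protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Validate version, length and checksum; return the fields routing needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "protocol": proto, "ihl": ihl, "total_len": total_len}


def esp_encapsulate(inner_packet: bytes, spi: int, seq: int,
                    client_public_ip: str, concentrator_public_ip: str) -> bytes:
    """Client side: ESP header + inner packet, wrapped in the new outer IP header."""
    esp_header = struct.pack("!II", spi, seq)
    payload = esp_header + inner_packet  # assumption: no encryption, trailer or ICV shown
    outer = build_ipv4_header(client_public_ip, concentrator_public_ip, ESP_PROTOCOL, len(payload))
    return outer + payload


def esp_decapsulate(packet: bytes, concentrator_public_ip: str, last_seq_by_spi: dict) -> dict:
    """Concentrator side: verify the outer header, reject replays, expose the inner destination."""
    outer = parse_ipv4_header(packet)
    if outer["dst"] != concentrator_public_ip:
        raise ValueError("outer destination is not the concentrator's public interface")
    if outer["protocol"] != ESP_PROTOCOL:
        raise ValueError("outer protocol is not ESP")
    body = packet[outer["ihl"]:outer["total_len"]]
    spi, seq = struct.unpack("!II", body[:8])
    # Simplified anti-replay: strictly increasing sequence per SPI (a real SA uses a window).
    if seq <= last_seq_by_spi.get(spi, 0):
        raise ValueError("replayed or out-of-order ESP sequence number")
    last_seq_by_spi[spi] = seq
    inner = body[8:]
    inner_hdr = parse_ipv4_header(inner)
    # The concentrator routes on the inside destination of the original header.
    return {"outer_src": outer["src"], "spi": spi, "seq": seq,
            "route_to": inner_hdr["dst"], "inner_src": inner_hdr["src"]}


def demo() -> dict:
    """Constructed exchange: client 203.0.113.7 tunnels to concentrator 198.51.100.1."""
    client_public, concentrator_public = "203.0.113.7", "198.51.100.1"
    inner_src, inner_dst = "192.168.10.5", "10.1.1.20"  # tunnel address -> inside server
    app_payload = b"constructed application data"
    inner = build_ipv4_header(inner_src, inner_dst, 17, len(app_payload)) + app_payload
    packet = esp_encapsulate(inner, 0x1000, 1, client_public, concentrator_public)
    state: dict = {}
    result = esp_decapsulate(packet, concentrator_public, state)
    try:  # the same packet delivered twice must be rejected
        esp_decapsulate(packet, concentrator_public, state)
        result["replay_rejected"] = False
    except ValueError:
        result["replay_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The two validation points on the concentrator side are the ones worth remembering: the outer destination and protocol are checked before anything is trusted, and the sequence number is checked before the inner header is even parsed, so a replayed tunnel packet never reaches the routing step.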

To initialize the VPN 3000 Concentrator, a preliminary CLI configuration is necessary via the 9-pin console port. After you log in to the concentrator with the default username and password (both admin), you begin the Quick Configuration sequence, which enables you to configure the minimal parameters necessary to initialize the concentrator. These parameters initially include time and date settings, followed by the configuration of the private Ethernet interface. After this interface has been configured, you can use the HTML-based Concentrator Manager for any further configuration.

In the Concentrator Manager, you can configure the remainder of the Quick Configuration components, such as the Ethernet interfaces, system information, tunneling protocols, and client IP assignment. The Quick Configuration also implements user authentication by means of the concentrator's internal server or an external RADIUS, SDI, Kerberos, Active Directory, or NT Domain server. The final task in the Quick Configuration setup routine is to change the default password of the admin account.

Most remote access configuration lies within the User Management Configuration screens. Here you define base group attributes, from which individually created groups and users inherit the parameters set in the configuration tabs. Cisco recommends that the base group be defined first, followed by any individual groups whose configuration differs from that of the base group. Users are added to an individual group, or to the base group if no group is specified, and inherit the properties of that group.

The base group General tab is used to define access rights and privileges, including connection times and password restrictions. You can also define IKE and DNS servers, which are assigned during IKE SA establishment. This configuration page also enables you to choose the SEP card assignment and the tunneling protocol to implement for users in this group. Lastly, the General tab contains an option to strip the realm from usernames before authentication, in addition to a DHCP scope parameter that indicates the IP range to be leased from a DHCP server.

Where IPSec is the chosen tunneling protocol, the IPSec tab enables you to define IPSec parameters and remote access parameters. In particular, you can choose the IPSec security association that will be negotiated during IKE, enforce IKE certificate validation, and enable IKE keepalives (Dead Peer Detection). Notably, this configuration tab is where you specify whether the IPSec tunnel is a LAN-to-LAN or remote access tunnel. Where the group will be used for remote access, you can configure additional parameters, such as group lock, AAA services, compression, and re-authentication on IKE phase 1 rekeys.

The Client Config (Mode Config) tab enables you to define the IKE mode configuration extensions for parameters such as banners, IPSec over NAT via UDP, backup concentrator server lists, and password storage policies for clients. In this configuration tab, you can also allow split tunneling for IP and DNS traffic, in which the concentrator defines network lists that specify which traffic is allowed to be sent in the clear to the Internet and which traffic is to be encrypted and sent over the IPSec tunnel.

The PPTP/L2TP tab is useful for altering any encryption and authentication policies for clients that are using PPTP or L2TP for remote access connectivity.

After the base group is defined, you can create individual groups and users; selecting the Inherit check box for a parameter causes the group or user to take that parameter from its parent group. The individual groups and users that you create have an additional tab containing the identity parameters for that group or user. Specifically, the Group Identity tab has a password field that serves as the preshared key for clients connecting within that group.

The User Identity tab also has a password field that is utilized for individual user authentication in instances where you are using the internal user server of the concentrator.
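The inheritance model described above (base group, individual groups, users, and the Inherit check box) and the split-tunneling network lists from the Client Config tab can be shown together in one small policy resolver. This is an added example, not the concentrator's own data model: the attribute names, the three split-tunnel mode strings, and the group and user tree are constructed for illustration. Resolution walks from the base group down to the user, with each level's explicitly set attributes overriding the inherited ones, and the resulting policy decides whether a destination is sent in the clear or through the tunnel.

```python
import ipaddress
from typing import Optional


class PolicyNode:
    """A base group, group, or user. `overrides` holds only the attributes whose
    Inherit box is cleared; everything else comes from the parent chain."""

    def __init__(self, name: str, parent: Optional["PolicyNode"] = None, **overrides):
        self.name = name
        self.parent = parent
        self.overrides = overrides

    def effective_policy(self) -> dict:
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        policy: dict = {}
        for node in reversed(chain):  # base group first, each child's overrides on top
            policy.update(node.overrides)
        return policy


def classify_destination(policy: dict, dst: str) -> str:
    """Return 'tunnel' or 'clear' for a destination under the group's split-tunnel policy.
    Mode names are constructed labels for the three behaviours described on the page."""
    mode = policy["split_tunnel"]
    if mode == "tunnel_everything":
        return "tunnel"
    addr = ipaddress.ip_address(dst)
    in_list = any(addr in ipaddress.ip_network(net) for net in policy["network_list"])
    if mode == "only_tunnel_networks_in_list":
        return "tunnel" if in_list else "clear"
    if mode == "allow_networks_in_list_to_bypass_tunnel":
        return "clear" if in_list else "tunnel"
    raise ValueError(f"unknown split-tunnel mode: {mode}")


def build_example_tree() -> dict:
    """Constructed tree: a base group, one group that narrows the tunnel, and two users."""
    base = PolicyNode("Base Group",
                      tunneling_protocol="ipsec",
                      split_tunnel="tunnel_everything",
                      network_list=[],
                      idle_timeout_minutes=30)
    # Engineering clears Inherit on the split-tunnel settings only.
    engineering = PolicyNode("engineering", parent=base,
                             split_tunnel="only_tunnel_networks_in_list",
                             network_list=["10.0.0.0/8", "192.168.100.0/24"])
    alice = PolicyNode("alice", parent=engineering, idle_timeout_minutes=15)
    bob = PolicyNode("bob", parent=base)  # not in a group: inherits everything from base
    return {"base": base, "engineering": engineering, "alice": alice, "bob": bob}


if __name__ == "__main__":
    tree = build_example_tree()
    for user in ("alice", "bob"):
        policy = tree[user].effective_policy()
        for dst in ("10.1.2.3", "198.51.100.9"):
            print(user, dst, classify_destination(policy, dst))
```

The practical check this makes easy is auditing the effective policy for a user rather than the group they are in: a user who inherits from a group that has cleared Inherit on the split-tunnel setting sends Internet-bound traffic in the clear even though the base group tunnels everything.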

In certain instances, you may need to create custom parameters that entail more in-depth configuration. Some examples of these configurations are custom IKE proposals and security associations, network lists, and access hour policies.



Source: CCSP CSVPN Exam Cram 2 (Exam 642-511), ISBN 078973026X, 2002, 185 pages.
