VPN Configuration Considerations


This section covers selected configuration features of the Cisco VPN 3000 Series Concentrator running v3.5.2, which is used as the core device that terminates remote access VPN tunnels for the following clients: Cisco Unity VPN Client, VPN 3002 HW Client, Easy VPN, and the PIX 501 and 506 Clients.

Configuration of the VPN 3000 Concentrator

As indicated, this section does not attempt to cover all aspects of configuring the Cisco VPN 3000 Series Concentrators. Instead, selected features are explored and actual configurations of these features are discussed by using v3.5.2 as the reference.

The concentrator offers a quick configuration menu that allows you to configure it in a matter of minutes, after you determine the values and settings for the unit. The steps required to configure the concentrator are outlined in Table 20-6.[7] The minimum required settings offered by the Quick Configuration option are listed in Table 20-7.[8]

Table 20-6. Steps Required for Quick Configuration on a VPN 3000 Concentrator

Step | Task
1 | Set the system time, date, and time zone, from the console.
2 | Configure the VPN Concentrator Ethernet 1 interface to your private network, from the console. At this point, you can use a browser that is pointing to the private interface to complete Quick Configuration with the VPN Concentrator Manager.
3 | Configure the other Ethernet interfaces that are connected to a public network or an additional external network.
4 | Enter system identification information: system name, date, time, DNS, domain name, and default gateway.
5 | Specify tunneling protocols and encryption options.
6 | Specify methods for assigning IP addresses to clients as a tunnel is established.
7 | Choose and identify the user authentication server: the internal server, RADIUS, NT Domain, or Security Dynamics Incorporated (SDI).
8 | If using the internal authentication server, populate the internal user database.
9 | If using the IPSec tunneling protocol, assign a name and password to the IPSec tunnel group.
10 | Change the admin password for security.
11 | Save the configuration file. Quick Configuration is now completed.


Table 20-7. Quick Configuration Settings for a VPN 3000 Concentrator

Quick Configuration Parameters Screen | Parameter Name
    Parameter Description and Use

IP Interfaces | Ethernet 1 (Private)
    Specify the IP address and subnet mask, speed, and duplex mode for the VPN Concentrator interface to your private network.

IP Interfaces | Ethernet 2 (Public)
    Specify the IP address and subnet mask, speed, and duplex mode for the VPN Concentrator interface to the public network.

IP Interfaces | Ethernet 3 (External)
    (For models 3015-3080 only) If so connected, specify the IP address and subnet mask, speed, and duplex mode for the VPN Concentrator interface to an additional external network.

System Info | System Name
    Specify a device or system name for the VPN Concentrator (for example, VPN01).

System Info | DNS Server
    Specify the IP address of your local DNS server.

System Info | Domain
    Specify the registered Internet domain name to use with DNS (for example, cisco.com).

System Info | Default Gateway
    Specify the IP address or hostname of the default gateway for packets not otherwise routed.

Address Assignment | DHCP | Server
    If you use Dynamic Host Configuration Protocol (DHCP) for remote address assignment, specify the IP address or host name of the DHCP server.

Address Assignment | Configured Pool | Range Start and Range End
    If you use the VPN Concentrator to assign addresses, specify the starting and ending IP addresses in its initial configured pool.

Authentication
    Choose one of the following server types offered on the Authentication screen:

    Internal Server: Choosing Internal Server means using the internal VPN Concentrator user authentication server. On the User Database screen, specify the username and password for each user. Additionally, if you specify a per-user address assignment, specify the IP address and subnet mask for each user.

    RADIUS: If you use an external RADIUS user authentication server, specify its IP address or host name, port number, and server secret or password.

    NT Domain: If you use an external Windows NT Domain user authentication server, specify its IP address, port number, and primary domain controller (PDC) hostname.

    SDI: If you use an external SDI user authentication server, specify its IP address and port number.

User Database | Group Name, Password, Verify
    If you enable the IPSec tunneling protocol, specify a name and password for the IPSec tunnel group.


System Configuration Highlights

Details of each facet of the concentrator configuration for v3.5 can be found at www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/rel3_5_1/configcfg.pdf.

The following section highlights some of the parameters that can be configured on the VPN 3000 Series Concentrator, under the Configuration, System menu.

Filters and Rules

Filters are assigned to the private (interface 1), public (interface 2), and external (interface 3) interfaces of the concentrator, and to groups or users. The filters provide a means to control traffic that passes through the concentrator.

Three filters are predefined (Private, Public, and External), in addition to the option of assigning no filter at all. A filter is built by assigning rules to it under the Configuration, Policy Management, Traffic Management, Filters menu, as shown in Figure 20-3. This menu also offers the option to modify the existing filter settings, or to create your own filter.

Figure 20-3. Assigning Rules to the Filter Configuration Menu


Rules consist of one of two actions, forward or drop, which you assign to the filter for various types of TCP/IP traffic. The concept is similar to that of access lists on an IOS router, where permit/deny is used instead of forward/drop.

A substantial number of rules are preconfigured on the concentrator for various types of TCP/IP traffic; each rule is specific to whether the traffic is incoming or outgoing. Rules are configured under Configuration, System Management, Policy Management, Traffic Management, Rules, as shown in Figure 20-4. The figure comprises two images. To modify existing rules or to configure your own, you must decide on the following parameters:

  • Protocol or port (source and destination)

  • Direction (inbound or outbound)

  • Action for traffic received over established connections

  • Source and destination address information (network and subnet mask)

Figure 20-4. Configuring Rules
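The following is an added example, not code from the book or from Cisco, that models the rule evaluation described above: an ordered list of rules, each with a direction, protocol, source and destination network (address plus subnet mask), an optional port and a forward/drop action, evaluated first-match like an IOS access list. The rule names, the field layout, the sample public-interface filter and the "drop when nothing matches" default are assumptions of this example, not the concentrator's own format or behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of a concentrator filter. Rule names, fields and the
# sample rules below are this example's assumptions, not Cisco's data format.

@dataclass
class Rule:
    name: str
    direction: str                  # "inbound" or "outbound"
    protocol: str                   # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                     # "forward" or "drop"
    dst_port: Optional[int] = None
    established_only: bool = False  # applies only to traffic on an established connection

@dataclass
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    established: bool = False

def net(address: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from the address and subnet mask the Rules menu asks for."""
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)

ANY = net("0.0.0.0", "0.0.0.0")   # matches every address

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.protocol in ("any", pkt.protocol)
            and ipaddress.IPv4Address(pkt.src) in rule.src
            and ipaddress.IPv4Address(pkt.dst) in rule.dst
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
            and (not rule.established_only or pkt.established))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule. With no match this
    example drops the packet; that default is an assumption of the example."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "no-match"

# Constructed public-interface filter for a concentrator whose public address is
# 192.0.2.1 (a documentation address): accept IKE (UDP 500) and the Virtual
# Cluster Agent port named in the load-balancing section (UDP 9023) to the
# concentrator itself, accept inbound TCP only on connections already
# established from inside, and drop everything else arriving on the public side.
PUBLIC_FILTER = [
    Rule("IKE-In", "inbound", "udp", ANY, net("192.0.2.1", "255.255.255.255"), "forward", dst_port=500),
    Rule("VCA-In", "inbound", "udp", ANY, net("192.0.2.1", "255.255.255.255"), "forward", dst_port=9023),
    Rule("Established-TCP-In", "inbound", "tcp", ANY, ANY, "forward", established_only=True),
    Rule("Any-In-Drop", "inbound", "any", ANY, ANY, "drop"),
]

def check(direction, protocol, src, dst, dst_port=None, established=False) -> Tuple[str, str]:
    """Run one constructed packet through PUBLIC_FILTER."""
    return evaluate(PUBLIC_FILTER, Packet(direction, protocol, src, dst, dst_port, established))

if __name__ == "__main__":
    print(check("inbound", "udp", "198.51.100.7", "192.0.2.1", 500))
    print(check("inbound", "tcp", "198.51.100.7", "192.0.2.1", 443))
```

Because the first matching rule decides, rule order is part of the policy: the explicit drop at the end of the list only takes effect for traffic the forward rules did not already accept, which is the same reasoning you apply when reviewing an IOS access list.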


Redundancy

Using VRRP,[9] you can configure redundant concentrators in case the primary concentrator fails. Using this configuration, there are one or more Backup units, and there is one active concentrator, referred to as the Master.

The Backup units behave as hot standby concentrators, by not terminating any tunnels unless the primary concentrator fails. The Master constantly communicates its status to the Backup concentrators, and if the Master concentrator fails, VRRP tries the Backup concentrator(s) in order of precedence.[10]

The Backup concentrators must be configured identically to the Master unit. The IP addresses of the Master concentrators are the virtual IP addresses that must be configured on the Backup units. Further, the Backup and Master concentrators' public interfaces should be on the same subnet. Similarly, the private interfaces should be on the same subnet.

The Backup units do not respond to pings to the virtual IP address; however, if the Master fails, the highest priority Backup unit assumes the role of Master and terminates the IPSec tunnels. From the client perspective, the transfer from the Master to the Backup unit is transparent, and the client session continues without the need to re-establish the IPSec tunnel. Redundancy is configured under the menu Configuration, System, IP Routing, Redundancy, as shown in Figure 20-5.

Figure 20-5. Redundancy Menu Used to Configure VRRP


Load Balancing

Load balancing occurs when multiple concentrators are configured to appear as one virtual cluster instead of multiple concentrators. Client connections are established on a round-robin basis, based on the session load on each concentrator. This session load per concentrator is the total number of active connections, divided by the maximum number of sessions configured on the concentrator. As a result, when you first implement load balancing, you might have to reduce the maximum number of sessions per concentrator in the cluster, until the number of active clients approaches a predetermined threshold, when the maximum session count on each concentrator should be re-evaluated. The maximum session count is configured under the Configuration, System, General, Sessions menu.

Each concentrator in the cluster is configured with the IP address of the virtual cluster, which clients use to establish their IPSec tunnels. To configure load balancing, go to Configuration, System, Load Balancing, as shown in Figure 20-6. If you use the default public or private filters, you might be required to change the filter rules to permit the protocol used for the Virtual Cluster Agent (VCA). The default for this protocol is UDP, port 9023.

Figure 20-6. Menu Used to Configure Load Balancing


You must set the priority of each concentrator in the virtual cluster, which determines the concentrator that will act as the Master of the cluster. Default priority values are assigned to concentrators that are based on the HW platform, as shown in Table 20-8. Generally, the first concentrator configured and deployed in a cluster is the Master, and if it fails, or if two concentrators are deployed at the same time, the concentrator with the highest priority takes precedence. If the concentrators boot at the same time and have the same priority, the concentrator with the lowest IP is elected Master. After the Master is determined, a new Master is not elected until the current Master fails.[11]

Table 20-8. Default Priority for VPN 3000 Series Concentrators[11]

VPN Concentrator Model | Priority
3005 | 1
3015 | 3
3030 | 5
3060 | 7
3080 | 10


Unlike the redundancy configuration, if the concentrators are configured for load balancing, a client connection is terminated when the concentrator terminating its VPN fails. Clients must re-establish their IPSec tunnel; however, they can still point to the cluster address instead of a specific concentrator.
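The following is an added example, not code from the book or from Cisco, that models the cluster behaviour described above: session load as active connections divided by the configured maximum, placement of a new client on the least-loaded unit, and Master election by highest priority with the lowest IP address breaking ties. The default priorities are those of Table 20-8; the cluster members, their addresses and session counts are constructed, and the tie-break for equal load (the first unit in list order) is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Default priorities by hardware platform (Table 20-8).
DEFAULT_PRIORITY = {"3005": 1, "3015": 3, "3030": 5, "3060": 7, "3080": 10}

@dataclass
class Concentrator:
    name: str
    model: str
    public_ip: str
    max_sessions: int            # Configuration, System, General, Sessions
    active_sessions: int = 0
    priority: Optional[int] = None

    def __post_init__(self):
        if self.priority is None:   # default priority follows the HW platform
            self.priority = DEFAULT_PRIORITY[self.model]

    @property
    def session_load(self) -> float:
        """Active connections divided by the configured session maximum."""
        return self.active_sessions / self.max_sessions

def elect_master(units: List[Concentrator]) -> Concentrator:
    """Highest priority wins; on equal priority the lowest public IP is elected."""
    return min(units, key=lambda u: (-u.priority, ipaddress.IPv4Address(u.public_ip)))

def place_connection(units: List[Concentrator]) -> Concentrator:
    """Send a new client to the least-loaded unit and record the session there.
    min() keeps the first of equally loaded units (this example's tie-break)."""
    target = min(units, key=lambda u: u.session_load)
    target.active_sessions += 1
    return target

def simulate(units: List[Concentrator], new_clients: int) -> List[str]:
    """Place new_clients connections one after another; return the unit chosen each time."""
    return [place_connection(units).name for _ in range(new_clients)]

def build_sample_cluster() -> List[Concentrator]:
    # Constructed cluster: a 3030 already carrying 50 of 100 sessions and a 3005
    # whose maximum has been deliberately reduced, as the text suggests for a new cluster.
    return [
        Concentrator("vpn-a", "3030", "192.0.2.11", max_sessions=100, active_sessions=50),
        Concentrator("vpn-b", "3005", "192.0.2.12", max_sessions=20, active_sessions=5),
    ]

if __name__ == "__main__":
    cluster = build_sample_cluster()
    print("master:", elect_master(cluster).name)
    print("placement:", simulate(cluster, 6))
```

Running the simulation shows why the text recommends revisiting the session maximum: the 3005 with a small configured maximum absorbs new clients until its ratio catches up with the half-full 3030, so the configured maximum, not the raw session count, drives the distribution.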

Reverse Route Injection

The VPN 3000 Concentrators offer reverse route injection, when the concentrator is configured to announce routes on the private interface using OSPF or RIP. Under reverse route injection, the concentrator announces the route of the client. If the Client Reverse Route Injection feature is activated, and if the connection is from a Unity VPN SW Client or a VPN 3002 HW Client configured for PAT mode, the concentrator announces the host route for that specific client. To activate this feature, go to Configuration, System, IP Routing, Reverse Route Injection, as shown in Figure 20-7.

Figure 20-7. Reverse Route Configuration Menu


Similarly, if the tunnel between the VPN 3000 Concentrator and the VPN 3002 HW Client is configured for network extension mode, the Network Extension Reverse Route Injection must be configured on the same concentrator menu. The VPN 3000 concentrators can be configured with hold down routes for client addresses. You can use the Generate Hold Down Routes feature to automatically create the routes for all the address pools that are configured on the concentrator.
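The following is an added example, not code from the book or from Cisco, that generates the routes the concentrator would announce on its private interface under the three cases just described: a host route per Unity SW client or 3002 in PAT mode, the remote private network for a 3002 in network extension mode, and hold-down routes for each configured address pool. The connection records, pool ranges and field names are constructed for this example; summarizing a pool into the smallest exact set of prefixes is this example's own choice, as the text does not describe how the Generate Hold Down Routes feature derives its routes.

```python
import ipaddress
from typing import Dict, List, Tuple

def client_routes(connections: List[Dict[str, str]]) -> List[ipaddress.IPv4Network]:
    """Client reverse route injection for each active connection (constructed records)."""
    routes = []
    for conn in connections:
        if conn["mode"] in ("unity-sw-client", "3002-pat"):
            # The address assigned to the client is announced as a host route.
            routes.append(ipaddress.IPv4Network(f"{conn['assigned_ip']}/32"))
        elif conn["mode"] == "3002-network-extension":
            # Network extension reverse route injection: the 3002's private network.
            routes.append(ipaddress.IPv4Network(
                f"{conn['private_net']}/{conn['private_mask']}", strict=False))
        else:
            raise ValueError(f"unknown connection mode: {conn['mode']}")
    return routes

def hold_down_routes(pools: List[Tuple[str, str]]) -> List[ipaddress.IPv4Network]:
    """Hold-down routes for each pool given as (Range Start, Range End): the smallest
    set of prefixes covering exactly that range, so the pool is advertised even
    when no client from it is connected."""
    routes = []
    for start, end in pools:
        routes.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))
    return routes

def announced_routes(connections: List[Dict[str, str]],
                     pools: List[Tuple[str, str]]) -> List[str]:
    """Everything the private interface would announce, deduplicated and sorted.
    Client routes and hold-down routes are simply combined; the example does not
    suppress a host route that falls inside a hold-down prefix."""
    routes = set(client_routes(connections)) | set(hold_down_routes(pools))
    return [str(r) for r in sorted(routes)]

# Constructed sample input: one SW client with an assigned address, one 3002 in
# network extension mode, and two configured address pools.
SAMPLE_CONNECTIONS = [
    {"mode": "unity-sw-client", "assigned_ip": "10.25.254.1"},
    {"mode": "3002-network-extension", "private_net": "192.168.50.0", "private_mask": "255.255.255.0"},
]
SAMPLE_POOLS = [("10.25.254.0", "10.25.254.255"), ("172.16.8.0", "172.16.11.255")]

if __name__ == "__main__":
    for route in announced_routes(SAMPLE_CONNECTIONS, SAMPLE_POOLS):
        print(route)
```

A pool whose start and end are not aligned to a prefix boundary produces several hold-down prefixes rather than one, which is worth checking before the routes are redistributed into OSPF or RIP on the private side.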

IKE Proposals and Security Associations for IKE and IPSec

IKE proposals are the settings that negotiate the IKE and IPSec Security Associations (SA). As discussed in Chapter 19, IKE SAs negotiate the parameters to establish a secure tunnel, so that the IPSec SAs can negotiate how traffic is managed in the tunnel. The VPN 3000 Concentrator responds to IPSec requests from remote access clients, and checks all active IKE proposals in priority order, to determine if one matches the parameters in the initiator's proposed SA. Some IKE proposals and IKE and IPSec SAs that are compatible with the Cisco VPN Unity Client and VPN 3002 HW Client, are preconfigured on the concentrator, but you can add your own or modify the existing proposals. After you configure the IKE proposals, configure the IPSec SAs and apply them to the specific user or group.

The IKE proposal contains the information required for the Phase 1 IPSec negotiation. IKE proposals are configured under the Configuration, System, Tunneling Protocols, IKE Proposals menu, and the modification menu for a specific IKE proposal is shown in Figure 20-8. Specific attributes for active and inactive preconfigured IKE proposals are listed in Table 20-9.[12]

Figure 20-8. Modification Menu for a Specific IKE Proposal


Table 20-9. Attributes for Preconfigured IKE Proposals[12]

Proposal Name | Authentication Mode | Authentication Algorithm | Encryption Algorithm | DH Group | Lifetime Measurement | Data Lifetime | Time Lifetime

Proposals Active by Default
CiscoVPNClient-3DES-MD5 | Preshared Keys (XAUTH) | MD5/HMAC-128 | 3DES-168 | Group 2 (1024 bits) | Time | 10,000 KB | 86,400 sec
IKE-3DES-MD5 | Preshared Keys | MD5/HMAC-128 | 3DES-168 | Group 2 (1024 bits) | Time | 10,000 KB | 86,400 sec
IKE-3DES-MD5-DH1 | Preshared Keys | MD5/HMAC-128 | 3DES-168 | Group 1 (768 bits) | Time | 10,000 KB | 86,400 sec
IKE-DES-MD5 | Preshared Keys | MD5/HMAC-128 | DES-56 | Group 1 (768 bits) | Time | 10,000 KB | 86,400 sec
IKE-3DES-MD5-DH7 | Preshared Keys | MD5/HMAC-128 | 3DES-168 | Group 7 (ECC) (163 bits) | Time | 10,000 KB | 86,400 sec
IKE-3DES-MD5-RSA | RSA Digital Certificate | MD5/HMAC-128 | 3DES-168 | Group 2 (1024 bits) | Time | 10,000 KB | 86,400 sec

Proposals Inactive by Default
IKE-3DES-MD5-RSA | RSA Digital Certificate | MD5/HMAC-128 | 3DES-168 | Group 2 (1024 bits) | Time | 10,000 KB | 86,400 sec
IKE-3DES-SHA-DSA | RSA Digital Certificate | SHA/HMAC-160 | 3DES-168 | Group 2 (1024 bits) | Time | 10,000 KB | 86,400 sec
IKE-3DES-MD5-RSA-DH1 | RSA Digital Certificate | MD5/HMAC-128 | 3DES-168 | Group 1 (768 bits) | Time | 10,000 KB | 86,400 sec
IKE-DES-MD5-DH7 | Preshared Keys | MD5/HMAC-128 | DES-56 | Group 7 (ECC) (163 bits) | Time | 10,000 KB | 86,400 sec
CiscoVPNClient-3DES-MD5-RSA | RSA Digital Certificate (XAUTH) | MD5/HMAC-128 | 3DES-168 | Group 2 (1024 bits) | Time | 10,000 KB | 86,400 sec
CiscoVPNClient-3DES-SHA-DSA | DSA Digital Certificate (XAUTH) | SHA/HMAC-160 | 3DES-168 | Group 2 (1024 bits) | Time | 10,000 KB | 86,400 sec


The various alternatives for the IKE proposal parameters are described in detail in Chapter 19. The minimum and maximum lifetimes for the IKE proposals are 60 and 2,147,483,647 seconds (about 68 years). The minimum and maximum lifetimes for the IKE proposals, if measured by data, are 10 and 2,147,483,647 KB.

DH Group 2 is the default for the 3DES-168 bit encryption algorithm. The Cisco VPN Unity SW Client v3.x is only compatible with DH Group 2. To use DH Group 1 or Group 7 with the VPN 3002 HW client, digital certificates must be used in the Authentication Mode.
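The following is an added example, not code from the book or from Cisco, of the responder-side matching described above: the active proposals are walked in priority order and the first one whose attributes equal the initiator's offer is selected, after checking that its lifetimes lie within the 60 to 2,147,483,647 second and 10 to 2,147,483,647 KB ranges the text gives. The proposal data is the active-by-default rows of Table 20-9; treating the table order as priority order, and the attribute names used for the initiator's offer, are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class IkeProposal:
    name: str
    auth_mode: str           # "preshared", "preshared-xauth", "rsa-cert" or "dsa-cert"
    auth_alg: str            # "MD5" (HMAC-128) or "SHA" (HMAC-160)
    enc_alg: str             # "DES" (56-bit) or "3DES" (168-bit)
    dh_group: int            # 1 = 768 bits, 2 = 1024 bits, 7 = ECC 163 bits
    data_lifetime_kb: int = 10_000
    time_lifetime_sec: int = 86_400

# Active-by-default proposals from Table 20-9, listed in the table's order,
# which this example treats as the priority order (an assumption).
ACTIVE_PROPOSALS: List[IkeProposal] = [
    IkeProposal("CiscoVPNClient-3DES-MD5", "preshared-xauth", "MD5", "3DES", 2),
    IkeProposal("IKE-3DES-MD5", "preshared", "MD5", "3DES", 2),
    IkeProposal("IKE-3DES-MD5-DH1", "preshared", "MD5", "3DES", 1),
    IkeProposal("IKE-DES-MD5", "preshared", "MD5", "DES", 1),
    IkeProposal("IKE-3DES-MD5-DH7", "preshared", "MD5", "3DES", 7),
    IkeProposal("IKE-3DES-MD5-RSA", "rsa-cert", "MD5", "3DES", 2),
]

# Configurable lifetime bounds stated in the text.
TIME_LIFETIME_RANGE = (60, 2_147_483_647)   # seconds
DATA_LIFETIME_RANGE = (10, 2_147_483_647)   # KB

def lifetimes_valid(p: IkeProposal) -> bool:
    """True when both lifetimes fall inside the concentrator's configurable range."""
    return (TIME_LIFETIME_RANGE[0] <= p.time_lifetime_sec <= TIME_LIFETIME_RANGE[1]
            and DATA_LIFETIME_RANGE[0] <= p.data_lifetime_kb <= DATA_LIFETIME_RANGE[1])

def select_proposal(offer: Dict[str, object],
                    proposals: List[IkeProposal] = ACTIVE_PROPOSALS) -> Optional[IkeProposal]:
    """Return the first active, valid proposal whose attributes equal the
    initiator's offer, or None when nothing matches (negotiation fails)."""
    wanted = (offer["auth_mode"], offer["auth_alg"], offer["enc_alg"], offer["dh_group"])
    for p in proposals:
        if not lifetimes_valid(p):
            continue
        if (p.auth_mode, p.auth_alg, p.enc_alg, p.dh_group) == wanted:
            return p
    return None

# Constructed offer of the kind a Cisco VPN Unity SW Client v3.x sends: XAUTH
# with preshared keys and DH Group 2, the only group that client supports.
UNITY_CLIENT_OFFER = {"auth_mode": "preshared-xauth", "auth_alg": "MD5", "enc_alg": "3DES", "dh_group": 2}

if __name__ == "__main__":
    chosen = select_proposal(UNITY_CLIENT_OFFER)
    print(chosen.name if chosen else "no matching proposal")
```

The second assertion below illustrates a consequence of the table worth remembering when a client fails Phase 1: a preshared-key offer of DES with DH Group 2 matches nothing, because the only DES proposal active by default uses Group 1.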

SAs

SAs are configured under the Configuration, Policy Management, Traffic Management, SAs menu. The SA modification menu is shown in Figure 20-9. Similar to the IKE proposals, the concentrators are preconfigured with default SAs that are listed in Table 20-10. These SAs were discussed in detail in Chapter 19.

Figure 20-9. Specific SA Configuration Menu


The IPSec parameters negotiate the Phase 2 SAs, and the IKE parameters apply to the Phase 1 SA negotiations. All parameters must be configured on the remote access client and the core, except where noted. However, clients often do not have the same flexibility to support various possibilities for a given parameter. For the remaining parameters, the default settings are usually the best suited for the Cisco VPN Unity SW Client and the VPN 3002 HW Client.[13]

Table 20-10. Preconfigured SAs for the VPN 3000 Concentrators[13]

Parameter | ESP-DES-MD5 | ESP-3DES-MD5 | ESP/IKE-3DES-MD5 | ESP-3DES-NONE | ESP-L2TP-TRANSPORT | ESP-3DES-MD5-DH7
Inheritance | From Rule | From Rule | From Rule | From Rule | From Rule | From Rule

IPSec Parameters
Authentication algorithm | ESP/MD5/HMAC-128 | ESP/MD5/HMAC-128 | ESP/MD5/HMAC-128 | None | ESP/MD5/HMAC-128 | ESP/MD5/HMAC-128
Encryption algorithm | DES-56 | 3DES-168 | 3DES-168 | 3DES-168 | DES-56 | 3DES-168
Encapsulation mode | Tunnel | Tunnel | Tunnel | Tunnel | Transport | Tunnel
PFS | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled
Lifetime Measurement | Time | Time | Time | Time | Time | Time
Data lifetime | 10,000 KB | 10,000 KB | 10,000 KB | 10,000 KB | 10,000 KB | 10,000 KB
Time lifetime | 28,800 sec | 28,800 sec | 28,800 sec | 28,800 sec | 3,600 sec | 28,800 sec

IKE Parameters
IKE peer | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0
Negotiation mode | Main | Main | Main | Main | Main | Aggressive
Digital certificate | None (Use preshared keys) | None (Use preshared keys) | None (Use preshared keys) | None (Use preshared keys) | None (Use preshared keys) | None (Use preshared keys)
IKE proposal | IKE-DES-MD5 | IKE-DES-MD5 | IKE-3DES-MD5 | IKE-3DES-MD5 | IKE-3DES-MD5 | IKE-3DES-MD5-DH7


Inheritance specifies the number of tunnels that should be built for each connection. It is more applicable for LAN-to-LAN VPN connections than for remote access VPN connections, as the alternatives are From Rule, one tunnel for each rule in the connection, or From Data, one tunnel for every address pair within the address range specified in the rule.

IPSec and IKE SA Parameters

Most parameter options are discussed in detail in Chapter 19; however, the following additional information might be required. The IKE peer is applicable only for LAN-to-LAN VPNs. Configure the digital certificate option only if you are using PKI certificates, and then you must determine if you will send just the identity certificate, or the entire certificate chain. The IKE proposal parameter is applicable for LAN-to-LAN VPN environments, where the concentrator can be the initiator of the IPSec negotiations. In this scenario, the IKE proposal that is entered is the only proposal negotiated by the concentrator. This is opposite to when the concentrator responds to the IPSec negotiations.

User Configuration Highlights

This section highlights selected parameters that can be configured on the VPN 3000 Concentrator under the Configuration, User Management menus. The following specific menus refer to the Configuration, User Management, Groups menu, but the IPSec SA can also be configured for individual users under the Configuration, User Management, Users menu.

IPSec SA

In the previous section of this chapter, the parameters of the IPSec SA were covered. This section provides information when you select the IPSec SA under the IPSec tab of the specific user or group, as shown in Figure 20-10.

Figure 20-10. IPSec Configuration Menu for User Management


IKE Peer Identity Validation

IKE peer identity validation applies only to tunnel negotiations based on certificates. When configured, it provides an extra measure of security because the concentrator verifies the identity of the client with information in the digital certificate, such as the hostname or IP address. If you want to implement this additional validation for clients, select this feature, as shown in Figure 20-10.

Group Lock

By setting the Group Lock parameter, you can configure the concentrator to authenticate users only if they are members of the group configured on an external RADIUS server. So the VPN client can be configured with an active group name and group password to provide a user prompt, and then be authenticated by a RADIUS server. However, if the server returns information that the user is a member of another group, the user fails authentication.[14] Furthermore, by using this feature, VPN clients who authenticate as members of one group are restricted to use the features of the group that are authenticated, even if the client is a member of another group with different feature sets.

Configuration Mode

Configuration mode refers to the process and communications when the concentrator exchanges certain configuration parameters with the client, such as the DNS and Windows Internet Naming Service (WINS) server addresses, during the SA negotiation. Configuration mode must be configured if you want to implement split tunneling, local LAN access, or UDP encapsulation of IPSec traffic. Third-party VPN clients might not support Configuration mode and its parameters.

Client Firewall

The VPN 3000 Series Concentrators now support interaction with PC-based firewalls. Depending on your preference, you can require clients to use a firewall to allow them to establish a VPN tunnel, to push the firewall policy from the concentrator upon tunnel establishment, or to push the policy from a Zone Labs Integrity Server. Supported personal firewalls include these or later versions: Cisco Integrated Firewall (CIC), ZoneAlarm Pro 2.6, ZoneAlarm 2.6, BlackICE 2.5, and BlackICE Agent 2.5.

Cisco Remote Access VPN Clients

Client features and availability are constantly being updated. As a result, the focus in this section is limited to configuration information for only the following Cisco VPN clients:

  • Cisco VPN Unity SW Client (v3.5.1b)

  • Cisco VPN 3002 HW Client (v3.5)

  • Cisco Easy VPN Client (v12.2(4)YA+)

  • Cisco PIX501 and PIX506 configured as a VPN client (v6.2)

NOTE

Information on Cisco VPN products is constantly evolving. It is recommended to track Cisco.com for the most recent announcements.


Cisco VPN Unity Client

The Cisco VPN Unity Client is available for Windows, Linux, Solaris, and Macintosh OS platforms. Table 20-11 indicates the specific requirements for each platform.

Table 20-11. Cisco VPN Unity Client Compatibility Matrix[15],[16]

Operating System | Requirement
Windows | Windows 2000, NT, 98 (v3.x or later); Windows XP (v3.1 or later)
Linux | Red Hat v6.2 Linux (Intel) or compatible libraries with glibc v2.1.1-6 or later, using kernel version 2.2.12 or later
Solaris | Any UltraSPARC running a 32-bit Solaris kernel, OS version 2.6 or later
Macintosh | Any Mac running OS X version 10.1.0 or later


The focus of this section is on the Windows compatible client. Clients for other operating systems have similar parameters that you must configure to negotiate, establish, and send data over an IPSec VPN tunnel.

Items you must configure on the VPN Client include the following:

  • Connection name

  • Host name or IP address of remote server

  • Authentication parameters of Group Access Information (group name and group password) or Certificate

Options include the following:

  • Enabling transparent tunneling of IPSec over the following:

    - UDP: Allows IPSec data transmission in NAT/PAT environments.

    - TCP: Uses the specific port enabled on the VPN concentrator. Besides the advantages of UDP encapsulation, it also allows data transmission when you do not have access to the local firewall to permit the UDP encapsulation port, the ISAKMP port, and IP protocol 50 (ESP).

  • Allow local LAN access: Available only if enabled on the VPN concentrators.

  • Peer response timeout: 30 to 480 seconds; the default is 90 seconds.

  • Configuration of backup servers (concentrators).

Before configuring your clients, you must decide on all these parameters. The configuration information is stored in a profile, which is represented by a ConnectionName.pcf file, with the ConnectionName representing the connection name that you enter in the client.

The ConnectionName.pcf file is stored in the Profiles folder, under the Cisco VPN Unity Client program folder. The actual number of profiles that you need to configure depends on how you identify the concentrators or clusters to your clients. You can use a product, such as Cisco's DistributedDirector, to enable one DNS entry to represent all of your concentrators or cluster environments. You also might elect to use a different profile for each cluster or concentrator.

The configuration of the backup clusters or concentrators depends on how you configure clients to connect to the primary cluster or concentrator. For example, if you cannot use one entry that relies upon DistributedDirector to redirect clients to the closest cluster, you might want to list each of your specific clusters. However, if you point clients to a specific cluster, you might want to add clusters in order of anticipated latency from the primary cluster.

When users launch the VPN Unity Client (ipsecdialer.exe), they can scroll to their preferred profile. The profiles are listed in alphabetical order and the last profile that is selected by a client is normally the profile that the ipsecdialer.exe uses by default the next time that the client is started.

Upon installation, the Windows VPN Unity Client automatically installs the following utilities to be used with the client:

  • Set MTU: Changes the maximum transmission unit (MTU) of a network interface.

  • Certificate Manager: Allows clients to install certificates.

  • Log Viewer: Helpful for troubleshooting connectivity issues (refer to Chapter 21, "Remote Access VPN Troubleshooting," and Chapter 22, "Remote Access VPN Troubleshooting Scenarios").

  • Help: Browser-based utility that points to a local file on the PC.

NOTE

One caveat worth mentioning is that after you have established an IPSec tunnel, the user cannot see the intermediate hops when running the traceroute (TRACERT.exe) command. However, if you have enabled and configured split tunneling, traceroutes function correctly over the unencrypted data path.


Cisco VPN 3002 HW Client

The VPN 3002 HW Client provides the same functionality as the VPN Unity SW Client; however, it is platform independent because it provides an Ethernet interface for hosts. Two versions of the 3002 exist: one with a single port for the private interface and the other with an 8-port switch. Both models have one public interface. The IPSec VPN tunnel is established between the core concentrator and the 3002, so that any device connected to the private interface of the 3002 can access the central network.

The VPN 3002 HW Client offers two modes of client configuration: Network Extension and PAT. As the name suggests, in Network Extension mode the private interface is configured with an IP address that is routable in the network connected to the concentrator terminating the VPN tunnel. In PAT mode, the 3002 performs address translation of the addresses assigned to clients on its private interface. Currently, the advantage of Network Extension mode is that it provides support for a Cisco IP hardware telephone, and hosts on the public interface side can access resources that are connected to the private interface.

The browser and CLI interfaces of the VPN 3002 HW Client are similar to the interface on the VPN 3000 Series Concentrators. The 3002 HW Client has a Quick Configuration feature that allows users to configure the client right out of the box, without requiring a console connection. However, configurable options are different between the HW client and the concentrators.

The Quick Configuration menu has the following options:

  • Time: Sets the date and time on the client.

  • Upload Config: Allows you to upload the configuration file to the client.

  • Private Interface: Sets the IP address and subnet mask on the interface, with the option to set the 3002 as a DHCP server with an address pool.

  • Public Interface: Allows you to configure the 3002 HW Client as a DHCP client (default), Point-to-Point Protocol over Ethernet (PPPoE) client, or with a static IP address.

  • IPSec: Similar to the Unity SW Client; configures preshared secret information or certificates, as well as tunneling in TCP.

  • PAT: Configures the client to perform PAT or Network Extension (see the next section).

  • DNS: The IP address of the service provider's DNS server, which can be learned through DHCP or PPPoE.

  • Static Routes: Normally learned through DHCP or PPPoE; only required if the IP address is statically configured on the 3002.

  • Admin: Changes the password facility.

Additional settings for these parameters can be configured under the Configuration, System menu with the exception of the PAT/Network Extension, which is enabled under the Configuration, Policy Management, Traffic Management menu.

You cannot configure the following DHCP options on the 3002 HW client when it's configured as a DHCP client:

  • Subnet mask

  • Router

  • DNS

  • Domain name

  • NetBios Name Server(s)/WINS

These DHCP options are configured on the central-site concentrator for the group that is specified for the VPN 3002 Hardware Client. As is the case for all group configuration parameters, the central-site concentrator pushes these values to the VPN 3002 over the tunnel.[17]

Similar to a VPN 3000 Concentrator, the 3002 HW Client offers features to limit access, and to collect operational data under the Configuration, System, Management Protocols and Configuration, System, Events menus.

Cisco Easy VPN IOS Client

The Cisco Easy VPN Client offers most of the functionality of the Cisco VPN 3002 HW client in specific IOS platforms. The Cisco Easy VPN Client feature was first released in Cisco IOS 12.2(4)YA for the following Cisco routers:

  • The Cisco 806, 826, 827, and 828 from the 800 series routers

  • The Cisco 1700 series routers

  • The Cisco uBR905 and uBR925 cable access routers[18]

Similar to the 3002, the Easy VPN Client supports two modes of operation: Client mode and Network Extension mode.

In Client mode, the Easy VPN Client uses NAT/PAT to provide network connectivity to devices that are connected to the Ethernet interface(s). The NAT/PAT feature is automatically created by the router when the VPN tunnel is established. A configuration for a Cisco 806 router, configured as an Easy VPN Client in Client mode, is shown in Example 20-1.

Example 20-1. Configuration of a Cisco 806 Router That Is Configured as an Easy VPN Client in Client Mode
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Router
    !
    ip subnet-zero
    ip name-server 192.168.168.183
    ip name-server 192.168.226.120
    ip dhcp excluded-address 10.10.10.1
    !
    ip dhcp pool CLIENT
       import all
       network 10.10.10.0 255.255.255.0
       default-router 10.10.10.1
       dns-server 192.168.226.120 192.168.168.183
       lease infinite
    !
    ip ssh time-out 120
    ip ssh authentication-retries 3
    !
    crypto ipsec client ezvpn test
    ! The command is crypto ipsec client ezvpn <name>
     group testgroup key grouppw
    ! The command is group <groupname> key <group-password>
     mode client
    ! Set for Client mode (change to mode network-extension for
    ! Network Extension mode)
     peer 192.168.192.81
    ! Address of the tunnel terminating device (a DNS name can also be entered)
    !
    interface Ethernet0
     ip address 10.10.10.1 255.255.255.0
     hold-queue 100 out
    !
    interface Ethernet1
     ip address 192.168.87.252 255.255.255.254
     crypto ipsec client ezvpn test
    ! Assigns the Easy VPN configuration to the public interface
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet1
    ip http server
    ip pim bidir-enable
    !
    line con 0
     stopbits 1
    line vty 0 4
     login
    !
    scheduler max-task-time 5000
    end

NOTE

If NAT/PAT is already configured on the CPE and you start to configure it as an Easy VPN Client, the original NAT/PAT configuration information is automatically overwritten upon establishing the VPN tunnel by using the Easy VPN Client. The ip nat inside or the ip nat outside commands, under the private and public interfaces for the IOS device, are eliminated from the configuration.


You cannot view the NAT/PAT configurations as you normally do with the show run command. Instead, after the connection is established, you can view this information by using the show access-list and show ip nat statistics commands.

In Network Extension mode, after the tunnel is established, devices behind the Easy VPN Client appear as entities on your organization's network. The Easy VPN Client also supports split tunneling in either Client or Network Extension mode, if the tunnel terminating device is configured to permit this feature.

After configuration of the router as an Easy VPN Client is complete, you can start the Extended Authentication (XAUTH) login sequence with the crypto ipsec client ezvpn xauth command, which prompts the user for a username and password. Use the show crypto ipsec client ezvpn command to determine whether the tunnel has been established; Example 20-2 shows its output after a successful tunnel. Until XAUTH has been completed, the tunnel is not established and the Easy VPN router prompts with the following:

EZVPN: Pending XAuth Request, Please enter the following command:
EZVPN: crypto ipsec client ezvpn xauth

Example 20-2. Results of Running the show crypto ipsec client ezvpn Command on an Easy VPN Client Configured for Client Mode, After Establishing a Successful VPN Tunnel
Router#show crypto ipsec client ezvpn
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 10.25.254.1
! Note this address and the following mask are assigned by the VPN
! tunnel terminating device upon authentication for Client Mode only;
! it is not assigned in Network Extension mode.
Mask: 255.255.255.255
DNS Primary: 192.168.226.120
DNS Secondary: 192.168.168.183
NBMS/WINS Primary: 192.168.2.87
NBMS/WINS Secondary: 192.168.235.228
Default Domain: abc.com

NOTE

At the time of writing, the Easy VPN Client does not support digital certificates and the PFS feature on the VPN 3000 Concentrators. Similar to the Cisco VPN Unity SW Client, the Easy VPN Client only supports ISAKMP Group 2 policies (DH 1024-bit key). For the latest product information, see Cisco.com.


Cisco PIX 501 and 506 VPN Client

With the release of v6.2 of the PIX operating system (OS), the PIX 501 and PIX 506 provide the functional equivalent of the Cisco VPN 3002 HW Client. Like the VPN 3002 HW Client and the Easy VPN IOS Client, the PIX 501 and PIX 506 support both Client and Network Extension modes. Digital certificate support in Client mode is not available at this time.

The commands that configure the PIX as a remote access VPN HW client all start with the keyword vpnclient. This makes it easy to tell the commands that configure the PIX as a HW client apart from those that configure the PIX as a core device terminating remote access VPN tunnels. The commands required to configure the VPN client features on the PIX v6.2OS are listed in Table 20-12.

Table 20-12. Commands and Their Format for Setting the VPN Client Features on the PIX 501 with v6.2OS

vpnclient vpngroup group_name password preshared_key
    Sets the VPN group name and its preshared key

vpnclient username xauth_username password xauth_password
    Sets the XAUTH username and password

vpnclient peer ip_primary [ip_secondary_1 ... ip_secondary_n]
    Sets the IP address of the core tunnel terminating device (optional backup peers follow the primary)

vpnclient mode {client-mode | network-extension-mode}
    Sets the VPN client mode

vpnclient enable
    Activates the VPN client feature

no vpnclient {vpngroup | username | peer | mode | enable}
    Removes or disables the specified feature

show vpnclient
    Displays the configured VPN client features (and, once a tunnel is up, the downloaded dynamic policy)

clear vpnclient
    Removes all VPN client configuration


On the PIX 501 console, after the VPN tunnel is established, the show vpnclient command produces the output shown in Example 20-3 for Client mode and Example 20-4 for Network Extension mode. Note that many of the parameters pushed down to a client in Client mode are not pushed to a client in Network Extension mode when the tunnel is established.

Example 20-3. Results of show vpnclient Command After Establishing a VPN Tunnel in Client Mode
pixfirewall# show vpnclient
Local Configuration
vpnclient vpngroup pix password ********
vpnclient username test password ********
vpnclient peer 192.168.192.81
vpnclient mode client-mode
vpnclient enable
Downloaded Dynamic Policy
! IP address assigned by the VPN tunnel terminating device:
NAT addr       : 10.25.254.1
! Pushed down from tunnel terminating device:
Primary DNS    : 192.168.226.120
! Pushed down from tunnel terminating device:
Secondary DNS  : 192.168.168.183
! Pushed down from tunnel terminating device:
Primary WINS   : 192.168.2.87
! Pushed down from tunnel terminating device:
Secondary WINS : 192.168.235.228
! Pushed down from tunnel terminating device:
Default Domain : abc.com
! Note that the terminating device did not require PFS:
PFS Enabled    :
Current Peer   : 192.168.192.81
! DNS configured on the PIX, and active if split tunneling is
! enabled on the VPN tunnel terminating device:
Split DNS      : def.com

Example 20-4. Results of show vpnclient Command After Establishing a VPN Tunnel in Network Extension Mode
pixfirewall# show vpnclient
Local Configuration
vpnclient vpngroup pix password ********
vpnclient username test password ********
vpnclient peer 192.168.192.81
vpnclient mode network-extension-mode
vpnclient enable
Downloaded Dynamic Policy
PFS Enabled    : No
Current Peer   : 192.168.192.81
Split DNS      : def.com
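Examples 20-2, 20-3 and 20-4 all print the tunnel state as Name : Value lines, which makes them easy to check from a script rather than by eye. The following Python is an added example, not code from the book or from Cisco. It parses the output of show crypto ipsec client ezvpn (IOS) and show vpnclient (PIX 6.2), decides whether the tunnel is up, still waiting for XAUTH, or down, works out the mode, verifies that the tunnel terminates on an approved concentrator, and flags a tunnel that was negotiated without PFS. The sample outputs are constructed from Examples 20-2 through 20-4, the XAUTH-pending sample reuses the console prompt quoted above, and APPROVED_PEERS is an assumption; the rule that a PIX prints Current Peer only once the tunnel is up is also an assumption.

```python
"""Tunnel state and policy check for Easy VPN hardware clients (added example)."""
import re

# Assumption: the only concentrator(s) this client is allowed to terminate on.
APPROVED_PEERS = {"192.168.192.81"}

# Constructed samples modelled on Examples 20-2, 20-3 and 20-4 (not real captures).
IOS_ACTIVE = """\
Router#show crypto ipsec client ezvpn
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 10.25.254.1
Mask: 255.255.255.255
DNS Primary: 192.168.226.120
DNS Secondary: 192.168.168.183
NBMS/WINS Primary: 192.168.2.87
NBMS/WINS Secondary: 192.168.235.228
Default Domain: abc.com
"""

IOS_XAUTH_PENDING = """\
Router#show crypto ipsec client ezvpn
EZVPN: Pending XAuth Request, Please enter the following command:
EZVPN: crypto ipsec client ezvpn xauth
"""

PIX_CLIENT_MODE = """\
pixfirewall# show vpnclient
Local Configuration
vpnclient vpngroup pix password ********
vpnclient username test password ********
vpnclient peer 192.168.192.81
vpnclient mode client-mode
vpnclient enable
Downloaded Dynamic Policy
NAT addr       : 10.25.254.1
Primary DNS    : 192.168.226.120
Secondary DNS  : 192.168.168.183
Primary WINS   : 192.168.2.87
Secondary WINS : 192.168.235.228
Default Domain : abc.com
PFS Enabled    :
Current Peer   : 192.168.192.81
Split DNS      : def.com
"""

PIX_NEM = """\
pixfirewall# show vpnclient
Local Configuration
vpnclient vpngroup pix password ********
vpnclient username test password ********
vpnclient peer 192.168.192.81
vpnclient mode network-extension-mode
vpnclient enable
Downloaded Dynamic Policy
PFS Enabled    : No
Current Peer   : 192.168.192.81
Split DNS      : def.com
"""

# "Name : Value" with arbitrary padding; value may be empty (PFS Enabled in Example 20-3).
KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /]*?)\s*:\s*(.*?)\s*$")
# Keys that hold policy pushed down by the tunnel terminating device.
POLICY_KEYS = ("DNS", "WINS", "Domain", "Address", "Mask", "NAT addr")


def parse_show(text):
    """Split show output into (key/value fields, local `vpnclient ...` config lines)."""
    fields, config = {}, []
    for line in text.splitlines():
        if line.startswith("vpnclient "):
            config.append(line.strip())
        elif line.startswith("EZVPN:"):
            continue                      # console prompt; handled in assess()
        elif (m := KV.match(line)):
            fields[m.group(1)] = m.group(2)
    return fields, config


def assess(text, approved_peers=APPROVED_PEERS):
    """Summarise tunnel state and list the things an operator should look at."""
    fields, config = parse_show(text)
    findings = []
    if "Pending XAuth Request" in text:
        status = "xauth-pending"          # `crypto ipsec client ezvpn xauth` still needed
    elif fields.get("Current State") == "IPSEC_ACTIVE" or fields.get("Current Peer"):
        status = "up"                     # assumption: PIX prints Current Peer only when up
    else:
        status = "down"

    mode = next((l.split()[2] for l in config if l.startswith("vpnclient mode ")), None)
    assigned = fields.get("Address") or fields.get("NAT addr")
    if mode is None and status == "up":
        # IOS output does not name the mode; an assigned address means Client mode.
        mode = "client-mode" if assigned else "network-extension-mode"

    peer = fields.get("Current Peer")
    if peer and peer not in approved_peers:
        findings.append(f"tunnel terminates on unapproved peer {peer}")

    pfs = None
    if "PFS Enabled" in fields:           # blank (Example 20-3) or "No" both mean no PFS
        pfs = fields["PFS Enabled"].lower() == "yes"
        if not pfs:
            findings.append("PFS not negotiated: the concentrator did not require it")

    if fields.get("Split DNS"):
        findings.append(f"split DNS configured for {fields['Split DNS']} "
                        "(only active if the concentrator permits split tunneling)")

    pushed = {k: v for k, v in fields.items()
              if k != "Split DNS" and any(t in k for t in POLICY_KEYS)}
    return {"status": status, "mode": mode, "peer": peer, "assigned_address": assigned,
            "pfs": pfs, "pushed": pushed, "findings": findings}


if __name__ == "__main__":
    for sample in (IOS_ACTIVE, IOS_XAUTH_PENDING, PIX_CLIENT_MODE, PIX_NEM):
        print(assess(sample))
```

Feed it the text of either show command; the peer check is the security-relevant one, since a hardware client that has been pointed at the wrong concentrator will otherwise report a perfectly healthy IPSEC_ACTIVE tunnel.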

By default, the PIX 501 with v6.2 is configured as a DHCP server with PAT so that hosts connected to the inside interface can reach external hosts. You can enter the vpnclient parameters at any time, but before you activate the feature with vpnclient enable you must remove any access lists and global (PAT) address pools that support PAT/NAT. If you attempt to enable the VPN client feature while PAT/NAT rules or global pools are in effect, the PIX displays a notice telling you to remove those items first and try again.

Similar to the VPN 3002 and most of the routers that support the Easy VPN IOS Clients, the PIX 501 can be configured as either a DHCP client on the public interface (default), a PPPoE client, or with a static IP address.




Troubleshooting Remote Access Networks (CCIE Professional Development)
ISBN: 1587050765
Year: 2002
Pages: 235
