
Table of Contents

Tunneling
Configuration | System | Tunneling Protocols
Configuration | System | Tunneling Protocols | IPSec

Tunneling


Tunneling is the heart of virtual private networking. Tunnels make it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network.

The secure connection is called a tunnel, and the VPN 3002 uses the IPSec tunneling protocol to:

The VPN 3002 functions as a bidirectional tunnel endpoint:

This section explains how to configure the IPSec tunneling protocol.

Configuration | System | Tunneling Protocols

This section lets you configure the IPSec tunneling protocol.

Click IPSec on the Tunneling Protocols screen.


Figure 6-1   Configuration | System | Tunneling Protocols Screen


Configuration | System | Tunneling Protocols | IPSec

The VPN 3002 complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. It can also establish IPSec tunnels to other IPSec security gateways, including the Cisco PIX firewall and Cisco IOS routers. IPSec provides the most complete architecture for VPN tunnels (peer authentication, key management, and per-packet integrity and confidentiality), and it is generally regarded as the most secure of the tunneling protocols.

In IPSec terminology, a "peer" is a remote-access client or another secure gateway. During tunnel establishment under IPSec, the two peers negotiate Security Associations (SAs) that govern authentication, encryption, encapsulation, key management, etc. These negotiations involve two phases: the first phase authenticates the peers and establishes the tunnel (the IKE SA); the second phase, protected by the IKE SA, establishes the IPSec SAs (one for each direction of traffic) that govern traffic within the tunnel.

The VPN 3002 initiates all tunnels with the VPN Concentrator; the VPN Concentrator functions only as responder. The VPN 3002 as initiator proposes SAs; the responder accepts, rejects, or makes counter-proposals—all in accordance with configured SA parameters. To establish a connection, both entities must agree on the SAs.
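The proposal-and-response exchange described above, modelled in Python as an added example (this is not Cisco code and not the IKE wire protocol). The VPN 3002 side offers proposals in preference order; the VPN Concentrator side accepts the first one its configured policy permits, clamps the lifetime to its own maximum, and otherwise rejects. Phase 2 is only attempted once phase 1 has agreed. The attribute names, the policy layout and every sample value are assumptions chosen for illustration.

```python
from typing import Dict, List, Optional

# A proposal is one set of attribute values the initiator is willing to use.
Proposal = Dict[str, object]


class ResponderPolicy:
    """Attributes the responder is configured to accept, by attribute name.
    A proposal must carry every attribute named here with a permitted value."""

    def __init__(self, allowed: Dict[str, set], max_lifetime: int = 86400):
        self.allowed = allowed
        self.max_lifetime = max_lifetime

    def accepts(self, proposal: Proposal) -> bool:
        # A missing attribute yields None, which is never in the allowed set.
        return all(proposal.get(name) in values
                   for name, values in self.allowed.items())


def negotiate(proposals: List[Proposal], policy: ResponderPolicy) -> Optional[Proposal]:
    """Responder behaviour: take the first offered proposal the policy permits.
    Lifetime is the one attribute it adjusts, replying with the smaller value."""
    for offered in proposals:                 # initiator's preference order
        if policy.accepts(offered):
            chosen = dict(offered)
            chosen["lifetime"] = min(offered.get("lifetime", policy.max_lifetime),
                                     policy.max_lifetime)
            return chosen
    return None                               # nothing in common: rejected


def establish(ike_offer, ipsec_offer, ike_policy, ipsec_policy):
    """Phase 1 (IKE SA) first; phase 2 (IPSec SA) only if phase 1 agreed."""
    ike_sa = negotiate(ike_offer, ike_policy)
    if ike_sa is None:
        return None, None
    return ike_sa, negotiate(ipsec_offer, ipsec_policy)


# Constructed policies standing in for what an administrator configures on the
# central-site VPN Concentrator (assumed values, not a real default).
CONCENTRATOR_IKE_POLICY = ResponderPolicy(
    {"encr": {"aes-256", "3des"}, "hash": {"sha1"},
     "auth": {"psk", "rsa-sig"}, "dh_group": {2, 5}}, max_lifetime=28800)
CONCENTRATOR_IPSEC_POLICY = ResponderPolicy(
    {"esp_encr": {"aes-256", "3des"}, "esp_auth": {"hmac-sha1"},
     "mode": {"tunnel"}}, max_lifetime=3600)

# Constructed offers from the VPN 3002 side, most preferred first.
VPN3002_IKE_OFFER = [
    {"encr": "aes-256", "hash": "sha1", "auth": "psk", "dh_group": 5, "lifetime": 86400},
    {"encr": "3des", "hash": "md5", "auth": "psk", "dh_group": 2, "lifetime": 86400},
]
VPN3002_IPSEC_OFFER = [
    {"esp_encr": "aes-256", "esp_auth": "hmac-sha1", "mode": "tunnel", "lifetime": 28800},
]
# An initiator that only knows legacy algorithms has nothing in common with the policy.
LEGACY_ONLY_OFFER = [
    {"encr": "des", "hash": "md5", "auth": "psk", "dh_group": 1, "lifetime": 86400},
]

if __name__ == "__main__":
    ike, ipsec = establish(VPN3002_IKE_OFFER, VPN3002_IPSEC_OFFER,
                           CONCENTRATOR_IKE_POLICY, CONCENTRATOR_IPSEC_POLICY)
    print("IKE SA:  ", ike)
    print("IPSec SA:", ipsec)
    print("legacy-only offer:", establish(LEGACY_ONLY_OFFER, VPN3002_IPSEC_OFFER,
                                          CONCENTRATOR_IKE_POLICY, CONCENTRATOR_IPSEC_POLICY))
```

The point to take from the model is the last call: a responder policy that does not list an algorithm makes every proposal that relies on it fail outright, so the configured SA parameters on the VPN Concentrator are what decide which tunnels can exist at all.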

The Cisco VPN 3002 supports these IPSec attributes, but they are configurable on the central-site VPN Concentrator, not on the VPN 3002:


Figure 6-2   Configuration | System | Tunneling Protocols | IPSec Screen


Remote Easy VPN Server

Enter the IP address or hostname of the remote server. This is the IP address or hostname of the public interface on the VPN Concentrator to which this VPN 3002 connects. Use dotted decimal notation; for example, 192.168.34.56. To enter a hostname, a DNS server must be configured.

Backup Easy VPN Servers

To configure IPSec backup servers on the VPN 3002, enter up to 10 backup servers, using either IP address or hostname. Enter each backup server on a separate line. To enter a hostname, a DNS server must be configured. Further, if you use hostnames and the DNS server is unavailable, significant delays can occur.


Note   If you are using hostnames, it is wise to have backup DNS and WINS servers on a separate network from that of the primary DNS and WINS servers. Otherwise, if clients behind the VPN 3002 obtain DNS and WINS information from the VPN 3002 through DHCP, and the connection to the primary server is lost, and the backup servers have different DNS and WINS information, clients cannot be updated until the DHCP lease expires.

About Backup Servers

IPSec backup servers let a VPN 3002 connect to the central site when its primary central-site VPN Concentrator is unavailable. You configure backup servers for a VPN 3002 either on the VPN 3002, or on a group basis at the central-site VPN Concentrator. If you configure backup servers on the primary central-site VPN Concentrator, that VPN Concentrator pushes the backup server policy to the VPN 3002 hardware clients in the group. By default, the policy is to use the backup server list configured on the VPN 3002. Alternatively, the VPN Concentrator can push a policy that supplies a list of backup servers in order of priority, replacing the backup server list on the VPN 3002 if one is configured. It can also disable the feature and clear the backup server list on the VPN 3002 if one is configured.

Figure 6-3 illustrates how the backup server feature works.


Figure 6-3   Backup Server Implementation


XYZ corporation has large sites in three cities: San Jose, California; Austin, Texas; and Boston, Massachusetts. They just opened a regional sales office in Fargo, North Dakota. To provide access to the corporate network from Fargo, they use a VPN 3002 that connects to a VPN 3080 in San Jose (1). If the VPN 3002 is unable to contact the corporate network, Fargo cannot place orders. The IPSec backup server feature lets the VPN 3002 connect to one of several sites, in this case using Austin (2) and Boston (3) as backup servers, in that order.

The VPN 3002 in Fargo first tries to reach San Jose. If the initial IKE packet for that connection (1) times out (8 seconds), it tries to connect to Austin (2). Should this negotiation also time out, it tries to connect to Boston (3). These attempts continue until the VPN 3002 has tried all servers on its backup server list, to a maximum of 10.

Be aware of the following characteristics of the backup server feature:

You can configure the backup server feature from the primary VPN Concentrator or the VPN 3002.

The list you configure on the VPN 3002 applies only if the option, Use Client Configured List, is set in the IPSec Backup Servers parameter. To set this option, go to the Mode Configuration tab on the Configuration | User Management | Groups | Add/Modify screen of the primary VPN Concentrator to which the VPN 3002 connects.


Note   The group name, username, and passwords that you configure for the VPN 3002 must be identical for the primary VPN Concentrator and all backup servers. Also, if you require interactive hardware client authentication and/or individual user authentication for the VPN 3002 on the primary VPN Concentrator, be sure to configure it on backup servers as well.
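The failover sequence described for the Fargo VPN 3002, as an added example in Python (not Cisco's implementation). It tries the primary first, then each backup in list order, gives each server one initial IKE attempt, and stops at the first answer. DNS, the network and the clock are replaced by a constructed stand-in so the block runs offline and also shows the delay that hostnames cause when the DNS server is unavailable. The 8-second initial IKE timeout and the 10-server cap come from the text; the 5-second DNS timeout and all addresses and hostnames are assumptions.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

IKE_INITIAL_TIMEOUT = 8.0   # seconds before the initial IKE packet counts as lost (from the text)
MAX_BACKUP_SERVERS = 10     # from the text
DNS_TIMEOUT = 5.0           # assumption: time wasted on a resolver that never answers

Attempt = Tuple[str, bool, float]   # (server as configured, answered?, seconds spent)


def connect_with_backups(primary: str, backups: List[str],
                         resolve: Callable[[str], Optional[str]],
                         send_initial_ike: Callable[[str, float], bool],
                         clock: Callable[[], float]) -> Tuple[Optional[str], List[Attempt]]:
    """Return (server that answered or None, per-server attempt log)."""
    attempts: List[Attempt] = []
    for server in [primary] + list(backups)[:MAX_BACKUP_SERVERS]:
        started = clock()
        address = resolve(server)        # a hostname needs a working DNS server first
        answered = address is not None and send_initial_ike(address, IKE_INITIAL_TIMEOUT)
        attempts.append((server, answered, clock() - started))
        if answered:
            return server, attempts
    return None, attempts


class FakeWorld:
    """Constructed stand-in for DNS, the network and the clock."""

    def __init__(self, dns: Optional[Dict[str, str]], reachable: set):
        self.dns = dns              # None models an unavailable DNS server
        self.reachable = reachable  # addresses whose IKE responder answers
        self.now = 0.0

    def clock(self) -> float:
        return self.now

    def resolve(self, server: str) -> Optional[str]:
        try:
            return str(ipaddress.ip_address(server))   # IP literal: no lookup needed
        except ValueError:
            pass
        if self.dns is None:                           # resolver down: pay the timeout
            self.now += DNS_TIMEOUT
            return None
        return self.dns.get(server)

    def send_initial_ike(self, address: str, timeout: float) -> bool:
        if address in self.reachable:
            self.now += 0.05                           # answered promptly
            return True
        self.now += timeout                            # initial IKE packet lost
        return False


# Constructed addresses standing in for the San Jose, Austin and Boston sites.
SAN_JOSE, AUSTIN, BOSTON = "203.0.113.1", "203.0.113.2", "203.0.113.3"


def fargo_connect(reachable: set, backups=(AUSTIN, BOSTON), dns=None):
    """Run one connection attempt from Fargo; returns (chosen, attempts, seconds)."""
    world = FakeWorld(dns, reachable)
    chosen, attempts = connect_with_backups(SAN_JOSE, list(backups), world.resolve,
                                            world.send_initial_ike, world.clock)
    return chosen, attempts, world.now


if __name__ == "__main__":
    print(fargo_connect({AUSTIN}))      # San Jose down, Austin answers on the 2nd try
    print(fargo_connect(set()))         # every site down: all three tried, then give up
    # Austin listed by hostname while DNS is down: 5 s lost before Boston is even tried
    print(fargo_connect({BOSTON}, backups=("vpn-austin.example", BOSTON), dns=None))
```

The third run is the case the note above warns about: with hostnames in the list and no reachable DNS server, each unresolvable entry costs the resolver timeout on top of the IKE timeouts of the servers that are actually down.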

Alert when disconnecting

The VPN 3002 notifies the VPN Concentrator at the central site of sessions that are about to be disconnected from its side of the connection, and conveys the reason. The VPN Concentrator decodes the reason, and displays it in the event log or in a pop-up screen. The feature is enabled by default. This screen lets you disable the feature so that the VPN 3002 does not send or receive alerts.

Uncheck the box to disable alerts.

IPSec over TCP

Check IPSec over TCP if you want to connect using IPSec over TCP. This feature must also be enabled on the VPN Concentrator to which this VPN 3002 connects. See the explanation that follows.

IPSec over TCP Port

Enter the IPSec over TCP port number. You can enter one port. The port that you configure on the VPN 3002 must also match that configured on the VPN Concentrator to which this VPN 3002 connects.

About IPSec over TCP

IPSec over TCP encapsulates encrypted data traffic within TCP packets. This feature enables the VPN 3002 to operate in an environment in which standard Encapsulating Security Payload (ESP, IP protocol 50) or Internet Key Exchange (IKE, UDP port 500) cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and enables secure tunneling through both NAT and PAT devices and firewalls.


Note   This feature does not work with proxy-based firewalls.

The VPN 3002 Hardware Client, which supports one tunnel at a time, can connect using standard IPSec, IPSec over TCP, IPSec over UDP, or IPSec over NAT-T.

To use IPSec over TCP, both the VPN 3002 and the VPN Concentrator to which it connects must be running version 3.5 software.
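Why native IPSec fails through a PAT device or a port-filtering firewall, and why carrying it inside TCP works, shown with a toy model in Python as an added example. This is not Cisco code and does not model the real IPSec over TCP framing, only the mechanism: ESP carries an SPI but no port numbers, so a PAT device has nothing to multiplex on and a port-based firewall rule cannot match it. The packet fields, the address plan and the firewall rule set are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

ESP, TCP, UDP = 50, 6, 17            # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None      # ESP has no ports, only an SPI
    dport: Optional[int] = None
    spi: Optional[int] = None
    payload: Optional["Packet"] = None   # set when an ESP packet rides inside TCP


class PortAddressTranslator:
    """Toy PAT with one public address. TCP/UDP flows each get their own public
    source port; ESP has nothing to rewrite, so only one inside host can use it."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table: Dict[Tuple[int, str, int], int] = {}   # (proto, src, sport) -> public port
        self.esp_owner: Optional[str] = None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is not None:
            key = (pkt.proto, pkt.src, pkt.sport)
            if key not in self.table:
                self.table[key] = 40000 + len(self.table)
            return replace(pkt, src=self.public_ip, sport=self.table[key])
        if self.esp_owner not in (None, pkt.src):
            return None                                     # second ESP host: dropped
        self.esp_owner = pkt.src
        return replace(pkt, src=self.public_ip)


OUTBOUND_TCP_ALLOWED = frozenset({80, 443, 10000})   # constructed edge-firewall rule set


def firewall_permits(pkt: Packet) -> bool:
    """Constructed port-filtering firewall: outbound TCP on listed ports only.
    Protocol 50 and UDP 500 are not in the rule set, so native IPSec is dropped."""
    return pkt.proto == TCP and pkt.dport in OUTBOUND_TCP_ALLOWED


def esp_over_tcp(esp: Packet, sport: int, dport: int) -> Packet:
    """Carry an ESP packet as the payload of a TCP segment (the idea behind
    IPSec over TCP; the actual on-the-wire framing is not modelled)."""
    return Packet(TCP, esp.src, esp.dst, sport, dport, payload=esp)


def deliver(pat: PortAddressTranslator, pkt: Packet) -> Tuple[bool, bool]:
    """(passed the PAT device, passed the firewall) for one outbound packet."""
    translated = pat.outbound(pkt)
    if translated is None:
        return False, False
    return True, firewall_permits(translated)


def demo():
    """Two VPN 3002s behind the same PAT device, each with its own ESP SA."""
    pat = PortAddressTranslator("198.51.100.1")
    concentrator = "203.0.113.10"
    esp_a = Packet(ESP, "10.0.0.2", concentrator, spi=0x1001)
    esp_b = Packet(ESP, "10.0.0.3", concentrator, spi=0x2002)
    results = {
        "native esp, first host": deliver(pat, esp_a),
        "native esp, second host": deliver(pat, esp_b),
        "esp inside tcp 10000, first host": deliver(pat, esp_over_tcp(esp_a, 51000, 10000)),
        "esp inside tcp 10000, second host": deliver(pat, esp_over_tcp(esp_b, 51000, 10000)),
    }
    return results, dict(pat.table)


if __name__ == "__main__":
    results, table = demo()
    for name, outcome in results.items():
        print(f"{name:36s} pat={outcome[0]} firewall={outcome[1]}")
    print("PAT table:", table)
```

Both inside hosts chose the same TCP source port, and the PAT device still kept them apart by assigning each its own public port; that is exactly what it cannot do for two ESP flows. The proxy-based firewall caveat in the note above is a separate limit: a proxy terminates the TCP connection itself, so the encapsulated ESP never reaches the VPN Concentrator end to end.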

Use Certificate

This parameter specifies whether to use preshared keys or a PKI (Public Key Infrastructure) digital identity certificate to authenticate the peer during Phase 1 IKE negotiations. See the discussion under Administration | Certificate Management, which is where you install digital certificates on the VPN 3002.

Check the box to use digital certificates.

Certificate Transmission

If you configured authentication using digital certificates, choose the type of certificate transmission.

Group

The VPN 3002 connects to the VPN Concentrator using this group name and password, which must be configured on the central-site VPN Concentrator. Group names, usernames, and passwords must be identical on the VPN 3002 and on the VPN Concentrator to which it connects.

Name

In the Group Name field, enter a unique name for the group to which this VPN 3002 belongs. This is the group name configured on the central-site VPN Concentrator to which this VPN 3002 connects. Maximum is 32 characters, case-sensitive.

Password

In the Group Password field, enter a unique password for this group. This is the group password configured on the VPN Concentrator to which this VPN 3002 connects. Minimum is 4, maximum is 32 characters, case-sensitive. The field displays only asterisks.

Verify

In the Group Verify field, re-enter the group password to verify it. The field displays only asterisks.

User

You must also enter a username and password, and they must match the username and password configured on the central-site VPN Concentrator to which this VPN 3002 connects.

Name

In the User Name field, enter a unique name for the user in this group. This is the username configured on the central-site VPN Concentrator to which this VPN 3002 connects. Maximum is 32 characters, case-sensitive.

Password

In the User Password field, enter the password for this user. This is the user password configured on the central-site VPN Concentrator to which this VPN 3002 connects. Minimum is 4, maximum is 32 characters, case-sensitive.

Verify

In the User Verify field, re-enter the user password to verify it. The field displays only asterisks.
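A pre-commit check of the values entered on this screen, written in Python as an added example (not Cisco code). It encodes the rules stated on this page: group and user names of 1 to 32 characters and passwords of 4 to 32, compared case-sensitively; matching Verify fields; at most 10 backup servers; a DNS server whenever any server is given by hostname; an IPSec over TCP port that is valid and matches every server; and group and user credentials, plus the interactive hardware client authentication setting, identical on the primary and on every backup server. The VPN Concentrator side is represented by per-server records; their dictionary shape, the "Use Client Configured List" value and all sample data are assumptions.

```python
import ipaddress
from typing import Dict, List


def is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_vpn3002(cfg: Dict, servers: Dict[str, Dict]) -> List[str]:
    """Return the list of problems found; an empty list means consistent.
    cfg: the fields entered on the VPN 3002 screen.
    servers: one record per VPN Concentrator (primary and backups), keyed by
    the server string as it appears in cfg (assumed shape)."""
    problems: List[str] = []

    # 1. Field lengths. Values are case-sensitive, so nothing is normalised.
    for label, value, low in (("group name", cfg["group_name"], 1),
                              ("group password", cfg["group_password"], 4),
                              ("user name", cfg["user_name"], 1),
                              ("user password", cfg["user_password"], 4)):
        if not low <= len(value) <= 32:
            problems.append(f"{label}: length {len(value)} outside {low}..32")
    for label in ("group", "user"):
        if cfg[f"{label}_password"] != cfg[f"{label}_verify"]:
            problems.append(f"{label} password and verify fields differ")

    # 2. Server list.
    backups = cfg["backup_servers"]
    if len(backups) > 10:
        problems.append(f"{len(backups)} backup servers configured; maximum is 10")
    all_servers = [cfg["primary_server"]] + backups
    if not cfg.get("dns_server") and any(not is_ip_literal(s) for s in all_servers):
        problems.append("a server is given by hostname but no DNS server is configured")

    # 3. IPSec over TCP port, if the feature is on.
    if cfg["ipsec_over_tcp"] and not 1 <= cfg["ipsec_over_tcp_port"] <= 65535:
        problems.append(f"IPSec over TCP port {cfg['ipsec_over_tcp_port']} is not a valid TCP port")

    # 4. Consistency with each VPN Concentrator.
    primary = servers.get(cfg["primary_server"], {})
    if backups and primary.get("backup_server_policy") != "use-client-configured-list":
        problems.append("group on the primary does not select 'Use Client Configured List'; "
                        "the backup list entered here will be ignored or replaced")
    for name in all_servers:
        rec = servers.get(name)
        if rec is None:
            problems.append(f"{name}: no server record to compare against")
            continue
        for key in ("group_name", "group_password", "user_name", "user_password"):
            if rec.get(key) != cfg[key]:
                problems.append(f"{name}: {key} differs from the VPN 3002")
        if cfg["ipsec_over_tcp"] and (not rec.get("ipsec_over_tcp")
                                      or rec.get("ipsec_over_tcp_port") != cfg["ipsec_over_tcp_port"]):
            problems.append(f"{name}: IPSec over TCP is not enabled on the same port")
        if name != cfg["primary_server"] and \
                rec.get("interactive_hw_auth") != primary.get("interactive_hw_auth"):
            problems.append(f"{name}: interactive hardware client authentication differs from the primary")
    return problems


# Constructed sample: a VPN 3002 and records for its primary and two backups.
FARGO_CONFIG = {
    "primary_server": "203.0.113.1",
    "backup_servers": ["203.0.113.2", "vpn-boston.example"],
    "dns_server": "10.20.0.53",
    "ipsec_over_tcp": True, "ipsec_over_tcp_port": 10000,
    "group_name": "fargo-sales", "group_password": "CorrectHorse", "group_verify": "CorrectHorse",
    "user_name": "fargo-3002", "user_password": "BatteryStaple", "user_verify": "BatteryStaple",
}
SHARED = {"group_name": "fargo-sales", "group_password": "CorrectHorse",
          "user_name": "fargo-3002", "user_password": "BatteryStaple",
          "ipsec_over_tcp": True, "ipsec_over_tcp_port": 10000, "interactive_hw_auth": True}
SERVERS = {
    "203.0.113.1": {**SHARED, "backup_server_policy": "use-client-configured-list"},
    "203.0.113.2": dict(SHARED),
    "vpn-boston.example": dict(SHARED),
}

if __name__ == "__main__":
    print(validate_vpn3002(FARGO_CONFIG, SERVERS) or "configuration is consistent")
    drifted = {k: dict(v) for k, v in SERVERS.items()}
    drifted["203.0.113.2"]["group_password"] = "correcthorse"   # case differs on one backup
    print(validate_vpn3002(FARGO_CONFIG, drifted))
```

The second run is the failure that is easy to miss in practice: the primary tunnel works for months, and only when failover finally happens does the case difference on one backup server's group password surface as an IKE authentication failure.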


Posted: Wed Feb 4 10:57:53 PST 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.