This guide describes Cisco-supported configurations for IP-based extranet Virtual Private Networks (VPNs) for an IP Security Protocol (IPSec) tunnel between a Cisco Secure VPN Client (VPN Client) and a Cisco IOS router or Cisco Secure PIX Firewall (gateway). The VPN Client acts as an IPSec peer that uses the Internet Key Exchange (IKE) protocol and IPSec to negotiate and then establish an encrypted tunnel to another IPSec peer. Each configuration can consist of various Cisco IOS IPSec features, including manual configuration, dynamic IP addressing, pre-shared keys, wildcard pre-shared keys, and digital certification.
This guide does not cover every available feature for the Cisco Secure VPN Client; it is not intended to be a comprehensive VPN configuration guide. Instead, this guide simply describes the Cisco-supported configurations for VPNs using the Cisco Secure VPN Client.
The business scenarios introduced in this guide include specific tasks and configuration examples. The examples are the recommended methods for configuring the specified tasks. Although they are typically the easiest or the most straightforward method, they are not the only methods of configuring the tasks.
This solutions guide often refers to device-specific administrators, which can consist of any combination of the following audiences:
Network administrators who are responsible for defining network security policies and distributing them to the end users within their organization
System administrators who are responsible for installing and configuring internetworking equipment, are familiar with the fundamentals of router-based internetworking, and are familiar with Cisco IOS software and Cisco products
System administrators who are familiar with the fundamentals of router-based internetworking and who are responsible for installing and configuring internetworking equipment, but who might not be familiar with the specifics of Cisco products or the routing protocols supported by Cisco products
Customers with technical networking background and experience
The following is new or changed information since the last release of the Cisco Secure VPN Client solutions guide:
For the latest system requirements, feature and version specifications, sample VPN configurations, technical tips, and product bulletins for IPSec and the Cisco Secure VPN Client, see the following locations, where this information is maintained on an ongoing basis:
On CCO: Products & Technologies>Cisco Secure>Security Products and Technologies>Cisco Secure VPN Client>Product Literature
A chapter titled "Case Study for Layer 3 Authentication and Encryption" has been added. This chapter provides a case study overview, a description of encryption and authentication features, site profile characteristics, and basic configuration tasks of IPSec tunneling between a VPN Client and a gateway.
All chapters titled "Using..." have been retitled "Configuring...".
All chapters previously documented as individual business cases are now configuring tasks, which can exist as standalone or combined tasks in the business case, "Case Study for Layer 3 Authentication and Encryption."
A chapter titled "Configuring Manual Configuration" has been added. This chapter describes how to configure a static IP address on your VPN Client.
The chapter titled "Configuring Dynamic IP Addressing" has been modified to include illustrations of how this feature works and of the protocol negotiation sequence.
A chapter titled "Configuring a Pre-Shared Key or Wildcard Pre-Shared Key" has been added. This chapter describes how to configure a pre-shared key to authenticate a VPN Client or how to configure a wildcard pre-shared key to authenticate a pool of VPN Clients.
Most chapters in this solutions guide focus on configuring possible features within one business case, "Case Study for Layer 3 Authentication and Encryption." This business case explains the basic tasks for configuring an extranet VPN using a VPN Client to initiate an IPSec tunnel to the gateway of an enterprise network.
The following sections describe the documentation available for the Cisco Secure VPN Client. Documentation is available as printed manuals and/or electronic documents.
Note This document is not a comprehensive guide to all VPNs. The following aspects of VPN configuration are not covered in this guide: NAS-initiated VPNs (Internet service provider VPN solutions), Cisco IOS software configuration, Cisco IOS router or access server installation and configuration.
Product-specific documents in this section cover software that is part of the Cisco Secure product family. These products include, but are not limited to, the following:
On CCO: Service & Support>Technical Documents>Documentation Home Page>Internet Services Management Group>Cisco Secure Policy Manager
On the Documentation CD-ROM: Cisco Product Documentation>Internet Services Management Group>Cisco Secure Policy Manager
Note Cisco Secure Policy Manager Version 2.0 is supported on the Cisco Secure VPN Client Version 1.0, but is not interoperable with Cisco Secure VPN Client Version 1.1. To avoid complications, make sure you have the compatible version of the Cisco Secure Policy Manager installed.
Getting Started; Representing Your Network; Populating the Network Topology Tree; Configuring the Device-Specific Settings of Network Objects; Configuring Monitoring and Reporting; Working With Security Policies; Generating, Verifying, and Publishing Command Sets; Maintaining Cisco Secure Policy Manager
Understanding the Network Topology Tree; Guidelines and Techniques for Defining Your Network Topology; Representing Your Network Topology; Populating the Network Topology Tree; Configuring the Global Policy Override Settings for Policy Enforcement Points; Configuring Administrative Control Communications; Defining Traffic Flows and Shaping Rules
Introduction; Features and Functionality Changes; System Requirements; Installation Notes; Limitations and Restrictions; Caveats; Related Documentation; Obtaining Documentation; Obtaining Technical Assistance
Introduction; System Requirements; Network Requirements; Installation Notes; Limitations and Restrictions; Important Notes; Caveats; Related Documentation; Cisco Connection Online; Documentation CD-ROM
Preface; Access VPNs and IP Security Protocol Tunneling Technology Overview; Case Study for Layer 3 Authentication and Encryption; Configuring Manual Configuration; Configuring Dynamic IP Addressing; Configuring Pre-shared Key or Wildcard Pre-shared Key; Configuring Digital Certification; Configuring Entrust Digital Certification; Configuring Microsoft Certificate Services; Configuring VeriSign Digital Certification; Glossary
Platform-specific documents include documents that are related to specific hardware platforms. A hardware platform is grouped as a set of models, or a series.
This section includes platform-specific documents, as follows:
Early Deployment Releases; System Requirements; New and Changed Information; Limitations and Restrictions; Important Notes; Caveats; Related Documentation; Obtaining Documentation; Obtaining Technical Assistance
About This Guide; Overview of the Cisco 1700 Router; Installing the Cisco 1700 Router; Troubleshooting the Cisco 1700 Router; Cisco 1700 Technical Specifications; Cable Pinouts and Cabling Guidelines; Installing and Upgrading Memory in the Cisco 1700 Router; Ordering and Configuring an ISDN Line
About This Guide; Introduction to Configuring the Cisco 1700 Router; Cisco IOS Software Skills; Configuring a Leased Line; Configuring Frame Relay; Configuring ISDN; Configuring Asynchronous Connections; Configuring X.25; ROM Monitor Software; Networking Concepts for the Cisco 1700 Router
Electro-Magnetic Compatibility Compliance; Operating Conditions for Canada; Operating Conditions for the European Community; Operating Conditions for the United Kingdom; Agency Approvals; Declaration of Conformity; Conformité Européenne Marking Directive; Translated Safety Warnings
System Requirements; New and Changed Information; Important Notes; Caveats; Related Documentation; Service and Support; Cisco Connection Online; Documentation CD-ROM
Preface; Cisco 7100 Series Product Overview; Preparing for Installation; Installing Cisco 7100 Series Routers; Performing a Basic Startup Configuration; Troubleshooting the Installation; Modular Port Adapter Configuration Guidelines; System Specifications; Cable Specifications
If You Need More Information; Cisco 7100 Series Overview; Compliance with U.S. Export Laws and Regulations Regarding Encryption; Standards Compliance; Installation Requirements; Safety Information; Translated Safety Warnings; Cisco Connection Online; Documentation CD-ROM
Using the Flash Disk; Installing and Removing the Power Supply in Cisco 7100 Series Routers; Installing Field-Replaceable Units; Installing and Removing the Boot ROM in Cisco 7100; Using the Flash Disk
On CCO: Technical Documents>Documentation Home Page>Internet Service Unit>Cisco Secure PIX Firewall
On the Documentation CD-ROM: Cisco Product Documentation>Internet Service Unit>Cisco Secure PIX Firewall
Note Cisco Secure PIX Firewall Version 5.0 is supported on the Cisco Secure VPN Client Version 1.0. Cisco Secure PIX Firewall Versions 5.1 and later are supported on the Cisco Secure VPN Client Version 1.1. To avoid complications, make sure you have the compatible version of the Cisco Secure PIX Firewall installed.
About This Manual; Introduction; Configuring the PIX Firewall; Advanced Configurations; Configuring IPSec; Configuration Examples; Command Reference; PIX 515 Configuration; Configuration Forms; Acronyms and Abbreviations; Configuring for MS-Exchange Use; Subnet Masking and Addressing
System Requirements; New and Changed Information; Installation Notes; Limitations and Restrictions; Important Notes; Caveats; Related Documentation; Cisco Connection Online; Documentation CD-ROM
About This Manual; Introduction; Installing a PIX Firewall; Installing Failover; Installing the PIX Firewall Syslog Server; Opening a PIX Firewall Chassis; Installing a Memory Upgrade; Installing a Circuit Board; Installing a DC Voltage; Installing the PIX Firewall Setup Wizard
Technology-specific documents include internetworking solutions guides, data sheets, white papers, design implementation guides, technical tips, and product bulletins. The technology-specific documents in this section are specific to VPN. For additional technology-specific documents, refer to "Cisco IOS Software Documentation Set."
A list of the available Cisco VPN documentation is available at the following site:
Feature modules describe new features and are an update to the Cisco IOS software documentation set. A feature module consists of a brief overview of the feature, benefits, configuration tasks, and a command reference. The feature module information is incorporated in the next printing of the Cisco IOS software documentation set.
On CCO: Technical Documents>Documentation Home Page>Internet Service Unit>Cisco Security Features>Cisco IOS Release-Specific Security Features or Cisco IOS Technology-Specific Security Features
On the Documentation CD-ROM: Cisco Product Documentation>Internet Service Unit>Cisco Security Features>Cisco IOS Release-Specific Security Features or Cisco IOS Technology-Specific Security Features
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents that are shipped with your order in electronic form on the Documentation CD-ROM, unless you specifically ordered the printed versions.
Each module in the Cisco IOS software documentation set consists of two books: a configuration guide and a corresponding command reference. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. You can use each configuration guide in conjunction with its corresponding command reference.
On CCO and the Documentation CD-ROM, two master hot-linked documents provide information for the Cisco IOS software documentation set.
On CCO: Technical Documents>Documentation Home Page>Cisco IOS Software Configuration>Cisco IOS Release 12.0>Configuration Guides and Command References
On the Documentation CD-ROM: Cisco Product Documentation>Cisco IOS Software Configuration>Cisco IOS Release 12.0>Configuration Guides and Command References
Table 7: Cisco IOS Release 12.0 Documentation Set (for each entry: document titles, chapter topics, customer order numbers)

Configuration Fundamentals Configuration Guide / Configuration Fundamentals Command Reference
    Chapter topics: Configuration Fundamentals Overview; Cisco IOS User Interfaces; File Management; System Management
    Customer order numbers: DOC-785829, DOC-785830

Bridging and IBM Networking Configuration Guide / Bridging and IBM Networking Command Reference
    Chapter topics: Transparent Bridging; Source-Route Bridging; Token Ring Inter-Switch Link; Remote Source-Route Bridging; DLSw+; STUN and BSTUN; LLC2 and SDLC; IBM Network Media Translation; DSPU and SNA Service Point; SNA Frame Relay Access Support; APPN; Cisco Database Connection; NCIA Client/Server Topologies; Cisco Mainframe Channel Connection; Airline Product Set
    Customer order numbers: DOC-785850, DOC-785851

Dial Solutions Configuration Guide / Dial Solutions Command Reference
    Chapter topics: X.25 over ISDN; Appletalk Remote Access; Asynchronous Callback, DDR, PPP, SLIP; Bandwidth Allocation Control Protocol; ISDN Basic Rate Service; ISDN Caller ID Callback; PPP Callback for DDR; Channelized E1 & T1; Dial Backup for Dialer Profiles; Dial Backup Using Dialer Watch; Dial Backup for Serial Lines; Peer-to-Peer DDR with Dialer Profiles; DialOut; Dial-In Terminal Services; Dial-on-Demand Routing (DDR); Dial Backup; Dial-Out Modem Pooling; Large-Scale Dial Solutions; Cost-Control Solutions; Virtual Private Dialup Networks; Dial Business Solutions and Examples
    Customer order numbers: DOC-785846, DOC-785847

Cisco IOS Interface Configuration Guide / Cisco IOS Interface Command Reference
    Chapter topics: Interface Configuration Overview; LAN Interfaces; Logical Interfaces; Serial Interfaces
    Customer order numbers: DOC-785905, DOC-785906

Network Protocols Configuration Guide, Part 1 / Network Protocols Command Reference, Part 1
    Chapter topics: IP Overview; IP Addressing and Services; IP Routing Protocols
    Customer order numbers: DOC-785831, DOC-785834

Network Protocols Configuration Guide, Part 2 / Network Protocols Command Reference, Part 2
    Chapter topics: AppleTalk; Novell IPX
    Customer order numbers: DOC-785832, DOC-785835

Network Protocols Configuration Guide, Part 3 / Network Protocols Command Reference, Part 3
    Chapter topics: Network Protocols Overview; Apollo Domain; Banyan VINES; DECnet; ISO CLNS; XNS
    Customer order numbers: DOC-785833, DOC-785840

Security Configuration Guide / Security Command Reference
    Chapter topics: AAA Security Services; Security Server Protocols; Traffic Filtering and Firewalls; IP Security and Encryption; Passwords and Privileges; Neighbor Router Authentication; IP Security Options
    Customer order numbers: DOC-785843, DOC-785845

Cisco IOS Switching Services Configuration Guide / Cisco IOS Switching Services Command Reference
    Chapter topics: Switching Services; Switching Paths for IP Networks; Virtual LAN (VLAN) Switching and Routing
    Customer order numbers: DOC-785848, DOC-785849

Wide-Area Networking Configuration Guide / Wide-Area Networking Command Reference
    Chapter topics: Wide-Area Network Overview; ATM; Frame Relay; SMDS; X.25 and LAPB
    Customer order numbers: DOC-785838, DOC-785839

Voice, Video, and Home Applications Configuration Guide / Voice, Video, and Home Applications Command Reference
    Chapter topics: Voice over IP; Voice over Frame Relay; Voice over ATM; Voice over HDLC; Frame Relay-ATM Internetworking; Synchronized Clocks; Video Support; Universal Broadband Features
    Customer order numbers: DOC-785854, DOC-785855

Quality of Service Solutions Configuration Guide / Quality of Service Solutions Command Reference
    Chapter topics: Policy-Based Routing; QoS Policy Propagation via BGP; Committed Access Rate; Weighted Fair Queueing; Custom Queueing; Priority Queueing; Weighted Random Early Detection; Scheduling; Signaling; RSVP; Packet Drop; Frame Relay Traffic Shaping; Link Fragmentation; RTP Header Compression
    Chapter topics: Configuration Fundamentals Overview; Using the Command-Line Interface; Using Configuration Tools; Configuring Operating Characteristics; Managing Connections, Menus, and System Banners; Using the Cisco Web Browser; Using the Cisco IOS File System; Modifying, Downloading, and Maintaining Configuration Files; Loading and Maintaining System Images; Maintaining Router Memory; Rebooting a Router; Configuring Additional File Transfer Functions; Monitoring the Router and Network; Troubleshooting a Router; Performing Basic System Management; System Management Using System Controllers; Web Scaling Using WCCP; Managing Dial Shelves
    Customer order numbers: DOC-7810222, DOC-7810223

Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Configuration Guide / Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Command Reference
    Chapter topics: Overview of Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS; Configuring Apollo Domain; Configuring Banyan VINES; Configuring DECnet; Configuring ISO CLNS; Configuring XNS
    Customer order numbers: DOC-7810241, DOC-7810245

Cisco IOS AppleTalk and Novell IPX Configuration Guide / Cisco IOS AppleTalk and Novell IPX Command Reference
    Chapter topics: AppleTalk and Novell IPX Overview; Configuring AppleTalk; Configuring Novell IPX
    Customer order numbers: DOC-7810240, DOC-7810267

Cisco IOS Bridging and IBM Networking Configuration Guide / Cisco IOS Bridging and IBM Networking Command Reference, Volume I / Cisco IOS Bridging and IBM Networking Command Reference, Volume II
    Chapter topics: Overview of SNA Internetworking; Overview of Bridging; Configuring Transparent Bridging; Configuring Source-Route Bridging; Configuring Token Ring Inter-Switch Link; Configuring Token Ring Route Switch Module; Overview of IBM Networking; Configuring Remote Source-Route Bridging; Configuring Data-Link Switching Plus+; Configuring Serial Tunnel and Block Serial Tunnel; Configuring LLC2 and SDLC Parameters; Configuring IBM Network Media Translation; Configuring Frame Relay Access Support; Configuring NCIA Server; Configuring the Airline Product Set; Configuring DSPU and SNA Service Point Support; Configuring SNA Switching Services; Configuring Cisco Transaction Connection; Configuring Cisco Mainframe Channel Connection Adapters; Configuring CLAW and TCP/IP Offload Support; Configuring CMPC and CSNA; Configuring CMPC+; Configuring the TN3270 Server

    Chapter topics: Multiservice Applications Overview; Configuring Voice over IP; Configuring Gatekeepers (Multimedia Conference Manager); Configuring Voice over Frame Relay; Configuring Voice over ATM; Configuring Voice over HDLC; Configuring Voice-Related Support Features; Configuring PBX Signalling; Configuring Store and Forward Fax; Configuring Video Support; Configuring Head-End Broadband Access Router Features; Configuring Subscriber-End Broadband Access Router Features; Configuring Synchronized Clocking
    Customer order numbers: DOC-7810258, DOC-7810259

Cisco IOS Quality of Service Solutions Configuration Guide / Cisco IOS Quality of Service Solutions Command Reference
    Chapter topics: Quality of Service Overview; Classification Overview; Configuring Policy-Based Routing; Configuring QoS Policy Propagation via Border Gateway Protocol; Configuring Committed Access Rate; Congestion Management Overview; Configuring Weighted Fair Queueing; Configuring Custom Queueing; Configuring Priority Queueing; Congestion Avoidance Overview; Configuring Weighted Random Early Detection; Policing and Shaping Overview; Configuring Generic Traffic Shaping; Configuring Frame Relay and Frame Relay Traffic Shaping; Signalling Overview; Configuring RSVP; Configuring Subnetwork Bandwidth Manager; Configuring RSVP-ATM Quality of Service Interworking; Link Efficiency Mechanisms Overview; Configuring Link Fragmentation and Interleaving for Multilink PPP; Configuring Compressed Real-Time Protocol; IP to ATM CoS Overview; Configuring IP to ATM CoS; QoS Features for Voice Introduction
    Customer order numbers: DOC-7810260, DOC-7810261

Cisco IOS Security Configuration Guide / Cisco IOS Security Command Reference
    Chapter topics: Security Overview; AAA Overview; Configuring Authentication; Configuring Authorization; Configuring Accounting; Configuring RADIUS; Configuring TACACS+; Configuring Kerberos; RADIUS Commands; TACACS+ Commands; Access Control Lists: Overview and Guidelines; Cisco Secure Integrated Software Firewall Overview; Configuring Lock-and-Key Security (Dynamic Access Lists); Configuring IP Session Filtering (Reflexive Access Lists); Configuring TCP Intercept (Prevent Denial-of-Service Attacks); Configuring Context-Based Access Control; Configuring Cisco Secure Integrated Software Intrusion Detection System; Configuring Authentication Proxy; Configuring Port to Application Mapping; IP Security and Encryption Overview; Configuring IPSec Network Security; Configuring Certification Authority Interoperability; Configuring Internet Key Exchange Security Protocol; Configuring Passwords and Privileges; Neighbor Router Authentication: Overview and Guidelines; Configuring IP Security Options
    Customer order numbers: DOC-7810248, DOC-7810249

Cisco IOS Switching Services Configuration Guide / Cisco IOS Switching Services Command Reference
    Chapter topics: Cisco IOS Switching Services Overview; Switching Paths Overview; Configuring Switching Paths; Cisco Express Forwarding Overview; Configuring Cisco Express Forwarding; NetFlow Switching Overview; Configuring NetFlow Switching; MPLS Overview; Configuring MPLS; Configuring IP Multilayer Switching; Configuring IP Multicast Multilayer Switching; Configuring IPX Multilayer Switching; Configuring Multicast Distributed Switching; Routing Between VLANs Overview; Configuring Routing Between VLANs with ISL Encapsulation; Configuring Routing Between VLANs with IEEE 802.10 Encapsulation; Configuring Routing Between VLANs with IEEE 802.1Q Encapsulation; LAN Emulation Overview; Configuring LAN Emulation; Configuring Token Ring LANE; MPOA Overview; Configuring the MPOA Client; Configuring the MPOA Server; Configuring Token Ring LANE for MPOA
Command descriptions use the following conventions:
Click Window1>Window2>Window3
    The > symbol represents a direction in which you are to navigate from one window to the next, using your mouse to click the windows in the order from first to last.
boldface font
    Commands, keywords, menus, menu items, and options are in boldface.
italic font
    Arguments or terms for which you supply values are in italics.
[ ]
    Elements in square brackets are optional.
{x | y | z}
    Alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z]
    Optional alternative keywords are grouped in brackets and separated by vertical bars.
string
    A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
screen font
    Terminal sessions and information the system displays are in screen font.
boldface screen font
    Information you must type is in boldface screen font. Terminal sessions and console screens are in this font.
^
    The symbol ^ represents the key labeled Control; for example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
< >
    Nonprinting characters, such as passwords, are in angle brackets.
[ ]
    Default responses to system prompts are in square brackets.
!, #
    An exclamation point ( ! ) or a pound sign ( # ) at the beginning of a line of code indicates a comment line.
Note Means reader take note. Notes contain helpful suggestions or reference to material not contained in this manual.
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss.
Figure 1: Commonly Used Graphical User Interface Conventions
Figure 2: Commonly Used Images
Note Throughout this guide, there are numerous configuration examples that include unusable IP addresses, passwords, and public key examples. Be sure to use your own IP addresses, passwords, and public keys when configuring your VPN Clients and gateway.
Note The Cisco Secure VPN Client is also referenced as SafeNet/Soft-PK throughout this guide and in the software. Also, the SafeNet icon appears as the graphical user interface icon in the Windows taskbar. Unless the taskbar is changed, this icon appears in the lower right corner of the screen.
Note For brevity, the Cisco Secure VPN Client is referred to as the generic term VPN Client throughout this guide. A Cisco IOS router or Cisco Secure PIX Firewall is referred to as the generic term gateway throughout this guide.
Note Throughout this guide, the standard pre-shared key authentication method is called pre-shared keys. Also, the wildcard pre-shared key authentication method is called wildcard pre-shared key. Unless otherwise specified, the single term pre-shared keys may apply to both pre-shared keys and wildcard pre-shared keys.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly. Therefore, it is probably more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Nonregistered CCO users can order documentation through a local account representative by calling Cisco's corporate headquarters (California, USA) at 408 526-4000 or, in North America, by calling 800 553-NETS (6387).
Cisco provides Cisco Connection Online (CCO) as a starting point for all technical assistance. Warranty or maintenance contract customers can use the Technical Assistance Center. All customers can submit technical feedback on Cisco documentation using the web, e-mail, a self-addressed stamped response card included in many printed docs, or by sending mail to Cisco.
Cisco continues to revolutionize how business is done on the Internet. Cisco Connection Online is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at any time, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
CCO's broad range of features and services helps customers and partners to streamline business processes and improve productivity. Through CCO, you will find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online support services, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on CCO to obtain additional personalized information and services. Registered users may order products, check on the status of an order and view benefits specific to their relationships with Cisco.
You can access CCO in the following ways:
WWW: www.cisco.com
Telnet: cco.cisco.com
Modem using standard connection rates and the following terminal settings: VT100 emulation; 8 data bits; no parity; and 1 stop bit.
From North America, call 408 526-8070
From Europe, call 33 1 64 46 40 82
You can e-mail questions about using CCO to cco-team@cisco.com.
The Cisco Technical Assistance Center (TAC) is available to warranty or maintenance contract customers who need technical assistance with a Cisco product that is under warranty or covered by a maintenance contract.
To display the TAC web site, which includes links to technical support information and software upgrades and lets you request TAC support, go to www.cisco.com/techsupport.
If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, use the response card that, for your convenience, many documents include behind the front cover. Otherwise, you can mail your comments to the following address:
Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883