The VPN 3000 Concentrator (also known as the VPN Concentrator) creates a virtual private network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. The VPN Concentrator can create single-user-to-LAN connections and LAN-to-LAN connections.
Figure 1-1 The Cisco VPN 3000 Concentrator (Model 3005; Models 3015 to 3080)
Hardware Features
Current VPN Concentrator Models: 3005, 3015, 3030, 3060, and 3080.
Previous VPN Concentrator Models: C10, C20, and C50.
All systems feature:
10/100Base-T Ethernet interfaces (autosensing)
3005: Two interfaces
3015-3080: Three interfaces
Motorola® PowerPC CPU
SDRAM memory for normal operation
Nonvolatile memory for critical system parameters
Flash memory for file management
In addition, individual models have the following hardware features, listed by VPN Concentrator model:
Model 3005
Software-based encryption
Single power supply
Model 3015
Software-based encryption
Single power supply
Expansion capabilities:
Up to four Cisco Scalable Encryption Processing modules for maximum system throughput and redundancy
Optional redundant power supply
Model 3030
One Scalable Encryption Processing module for hardware-based encryption
Single power supply
Expansion capabilities:
One additional SEP module for maximum system throughput and redundancy
Optional redundant power supply
Models 3060 and 3080
Two Scalable Encryption Processing modules for hardware-based encryption at maximum system throughput
Dual redundant power supplies
Expansion capabilities:
Up to two additional SEP modules for maximum system redundancy
Software Features
The VPN Concentrator incorporates the following virtual private networking software features, listed by VPN feature with a description of each:
Management Interfaces
The VPN Concentrator offers multiple management interfaces. Each interface provides complete capabilities and can be used to fully configure, administer, and monitor the device.
The VPN Concentrator Manager is an HTML-based interface that lets you manage the system remotely with a standard web browser using either of the following:
HTTP connections
HTTPS (HTTP over SSL) secure connections
The VPN Concentrator command-line interface is a menu- and command-line based interface that you can use with the local system console or remotely using any of the following:
Telnet connections
Telnet over SSL secure connections
SSH (Secure Shell), including SCP (Secure Copy)
Tunneling Protocols
IPSec (IP Security) Protocol
Remote access, using Cisco VPN Client or other select IPSec protocol-compliant clients
LAN-to-LAN, between peer VPN Concentrators or between a VPN Concentrator and another IPSec protocol-compliant secure gateway
L2TP over IPSec (for native Windows 2000 and Windows XP client compatibility)
PPTP (Point-to-Point Tunneling Protocol) with encryption
L2TP (Layer 2 Tunneling Protocol)
Encryption Algorithms
56-bit DES (Data Encryption Standard)
168-bit Triple DES
Microsoft Encryption (MPPE): 40- and 128-bit RC4
128-, 192-, and 256-bit AES
Authentication Algorithms
MD5 (Message Digest 5)
SHA-1 (Secure Hash Algorithm)
HMAC (Hash-based Message Authentication Code) with MD5
HMAC with SHA-1
Key Management
IKE (Internet Key Exchange), formerly called ISAKMP/Oakley, with Diffie-Hellman key technique
Diffie-Hellman Group 1, Group 2, Group 5, and Group 7 (ECC)
Perfect Forward Secrecy (PFS)
Network Addressing Support
DNS (Domain Name System)
Client address assignment:
DHCP (Dynamic Host Configuration Protocol), including DDNS host name population
Internally configured client IP address pools
RADIUS
Authentication and Accounting Servers
Internal authentication server
Support for external authentication servers:
RADIUS
RADIUS with Password Expiration (MSCHAPv2)
NT Domain
RSA Security SecurID
TACACS (administrator only)
Authentication server testing
X.509 Digital Certificates
RADIUS accounting
Certificate Authorities
Entrust
VeriSign
Microsoft Windows 2000
RSA Keon
Netscape
Baltimore
Security Management
Group and user profiles
Data traffic management, by means of:
Filters and rules
IPSec Security Associations
NAT (Network Address Translation), many-to-one, also called PAT (Port Address Translation)
Network lists
Routing Protocols
IP
RIP v1, RIP v2
OSPF
Static routes
Private network autodiscovery for LAN-to-LAN connections
Reverse Route Injection (RRI) allows client, LAN-to-LAN, and network extension networks to be announced via RIPv2/OSPF
Clustering
Load Balancing
System redundancy via VRRP
System Administration
Session monitoring and management
Software image update
File upload
System reset and reboot
Ping
Configurable system administrator profiles
File management, including SCP and TFTP transfer
Digital certificate enrollment and management
Session limit setting
Monitoring
Event logging and notification via system console, syslog, SNMP traps, and email
FTP backup of event logs
SNMP MIB-II support
System status
Session data
Extensive statistics
Client Software Compatibility
Cisco VPN Client (IPSec):
Windows® 95 (OSR 2 or greater), Windows 98, and Windows ME
Windows NT® 4.0, Windows 2000, and Windows XP
Linux Intel v2.2/v2.4 kernels, Solaris UltraSPARC 32-bit, Mac OS X (command-line interfaces only)
Microsoft VPN Clients:
Windows 95, Windows 98, and Windows ME (PPTP)
Windows NT 4.0 (PPTP)
Windows® 2000 and Windows XP (PPTP, L2TP over IPSec)
Certicom movianVPN Client (ECC, handheld)
Other Features
Software data compression
Split tunneling
Bandwidth management
How the VPN Concentrator Works
The VPN Concentrator creates a virtual private network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. It can create single-user-to-LAN connections and LAN-to-LAN connections.
The secure connection is called a tunnel, and the VPN Concentrator uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The VPN Concentrator functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination.
The VPN Concentrator performs the following functions:
Establishes tunnels
Negotiates tunnel parameters
Authenticates users
Assigns user addresses
Encrypts and decrypts data
Manages security keys
Manages data transfer across the tunnel
Manages data transfer inbound and outbound as a tunnel endpoint or router
The VPN Concentrator invokes various standard protocols to accomplish these functions.
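As an added illustration of the functions just listed and of the key-management and authentication algorithms in the feature table, the Python below models a tunnel endpoint end to end. It is example code written for this page, not Cisco's code or the VPN Concentrator's implementation. It performs an IKE-style Diffie-Hellman key agreement over Oakley Group 2 (the 1024-bit MODP prime from RFC 2409 section 6.2, generator 2) with a fresh exponent per session, which is what Perfect Forward Secrecy means in practice; derives separate encryption and authentication keys with an HMAC-SHA1 PRF chain simplified from RFC 2409 section 5; encapsulates a constructed inner packet; and unencapsulates it at the far end with an HMAC-SHA1-96 integrity check (the 96-bit truncation is the IPsec convention from RFC 2404) and a replay check. Two things are assumptions made so the example runs on the standard library: the packet layout (SPI, sequence number, payload, ICV) is ESP-like but constructed here, and the confidentiality step uses an HMAC-SHA1 counter-mode keystream as a stand-in for the DES, 3DES and AES ciphers the product offers. Of those ciphers, only AES is still considered strong; 56-bit DES and 40-bit RC4 are well within brute-force reach, which is the first setting to review on any deployment still running this software.

```python
"""Added example, not Cisco's code: a model of the tunnel-endpoint functions
listed above (key agreement, key derivation, encapsulation, integrity check).
The DH modulus is Oakley Group 2 (1024-bit MODP, RFC 2409 section 6.2).
The cipher is an HMAC-SHA1 counter-mode keystream, a stand-in for AES/3DES
so the example runs on the standard library; the packet layout is ESP-like
but constructed for this example."""
import hashlib
import hmac
import secrets
import struct

# Oakley Group 2 prime (1024-bit MODP) from RFC 2409 section 6.2; generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
ICV_LEN = 12  # HMAC-SHA1-96: the 160-bit tag truncated to 96 bits (RFC 2404)
HDR = struct.Struct(">II")  # SPI, sequence number (constructed ESP-like header)


def dh_keypair(p=GROUP2_P, g=GROUP2_G):
    """Fresh private exponent and public value; a new pair per session is what gives PFS."""
    x = secrets.randbelow(p - 2) + 1  # 1 <= x <= p - 2
    return x, pow(g, x, p)


def dh_shared(priv, peer_pub, p=GROUP2_P):
    """g^(xy) mod p; both peers reach the same value from the other's public value."""
    if not 1 < peer_pub < p - 1:  # reject degenerate values that force a trivial secret
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, p)


def derive_keys(shared, nonce_i, nonce_r):
    """IKE-style PRF chain (simplified from RFC 2409 section 5):
    SKEYID = prf(Ni|Nr, g^xy), then separate encryption and authentication keys."""
    gxy = shared.to_bytes(128, "big")
    skeyid = hmac.new(nonce_i + nonce_r, gxy, hashlib.sha1).digest()
    k_enc = hmac.new(skeyid, gxy + b"\x00", hashlib.sha1).digest()
    k_auth = hmac.new(skeyid, k_enc + gxy + b"\x01", hashlib.sha1).digest()
    return k_enc, k_auth


def keystream(k_enc, spi, seq, length):
    """Counter-mode keystream bound to (SPI, seq) so no two packets reuse it."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, struct.pack(">IIQ", spi, seq, ctr), hashlib.sha1).digest()
        ctr += 1
    return out[:length]


def encapsulate(k_enc, k_auth, spi, seq, plain):
    """Plain packet in, tunnel packet out: header | ciphertext | ICV."""
    ks = keystream(k_enc, spi, seq, len(plain))
    body = HDR.pack(spi, seq) + bytes(a ^ b for a, b in zip(plain, ks))
    icv = hmac.new(k_auth, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def unencapsulate(k_enc, k_auth, packet, seen):
    """Tunnel packet in, plain packet out. Verify the ICV first, then check replay,
    then decrypt; `seen` is a set of accepted sequence numbers (real ESP uses a
    sliding window, RFC 2406 section 3.4.3)."""
    if len(packet) < HDR.size + ICV_LEN:
        raise ValueError("packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(k_auth, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check failed")
    spi, seq = HDR.unpack(body[:HDR.size])
    if seq in seen:
        raise ValueError("replayed sequence number")
    seen.add(seq)
    ks = keystream(k_enc, spi, seq, len(body) - HDR.size)
    return spi, bytes(a ^ b for a, b in zip(body[HDR.size:], ks))


def demo():
    """One session end to end; returns (packet recovered, tamper caught, replay caught)."""
    xi, gxi = dh_keypair()  # initiator (remote user)
    xr, gxr = dh_keypair()  # responder (the concentrator)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    k_enc_i, k_auth_i = derive_keys(dh_shared(xi, gxr), ni, nr)
    k_enc_r, k_auth_r = derive_keys(dh_shared(xr, gxi), ni, nr)
    plain = b"\x45\x00\x00\x24" + b"constructed inner IP packet body"  # constructed sample
    pkt = encapsulate(k_enc_i, k_auth_i, 0x1001, 1, plain)
    seen = set()
    _, recovered = unencapsulate(k_enc_r, k_auth_r, pkt, seen)
    tampered = pkt[:12] + bytes([pkt[12] ^ 0x01]) + pkt[13:]  # flip one ciphertext bit

    def rejected(p):
        try:
            unencapsulate(k_enc_r, k_auth_r, p, seen)
        except ValueError:
            return True
        return False

    return recovered == plain, rejected(tampered), rejected(pkt)
```

The order inside unencapsulate is the point worth copying: the integrity tag is checked before anything else is parsed or decrypted, so a forged or corrupted packet is dropped without touching the cipher, and a replayed packet is refused even though its tag is valid. Running demo() twice produces different keys each time, which is the Perfect Forward Secrecy property the feature table lists.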
Where the VPN Concentrator Fits in Your Network
Enterprise network configurations vary widely, but the VPN Concentrator is flexible and functional enough to satisfy most applications. Figure 1-2 shows a typical installation, with the VPN Concentrator configured in parallel with a firewall, and supporting both low-speed and high-speed remote users. In some cases, the VPN Concentrator may be deployed behind the firewall; such a configuration is firewall-vendor dependent and might require additional firewall configuration.
LAN-to-LAN or branch office applications are also supported by placing a second VPN Concentrator, or other IPSec protocol-compliant secure gateway, at the remote office.
Figure 1-2 A Typical VPN Concentrator Network Installation
Physical Specifications
The VPN Concentrator has the following physical specifications: