In a typical installation, the VPN Concentrator is connected to the public network through an external router, which routes data traffic between networks, and it might also be connected to the private network through a router.
The VPN Concentrator itself includes an IP routing subsystem with static routing, RIP (Routing Information Protocol), and OSPF (Open Shortest Path First) functions. RIP and OSPF are routing protocols that routers use for messages to other routers within an internal or private network, to determine network connectivity, status, and optimum paths for sending data traffic.
After the IP routing subsystem establishes the data paths, the routing itself occurs at wire speed. The subsystem looks at the destination IP address in all packets coming through the VPN Concentrator, even tunneled ones, to determine where to send them. If the packets are encrypted, it sends them to the appropriate tunneling protocol subsystem (PPTP, L2TP, IPSec) for processing and subsequent routing. If the packets are not encrypted, it routes them in accordance with the configured IP routing parameters.
To route packets, the subsystem uses learned routes first (learned from RIP and OSPF), then static routes, then uses the default gateway. If you do not configure the default gateway, the subsystem drops packets that it cannot otherwise route. The VPN Concentrator also provides a tunnel default gateway, which is a separate default gateway for tunneled traffic only.
You configure static routes, the default gateways, and system-wide OSPF parameters in this section. This section also includes the system-wide DHCP (Dynamic Host Configuration Protocol) parameters. You configure RIP and interface-specific OSPF parameters on the network interfaces; see Configuration | Interfaces.
This section of the Manager also lets you configure VPN Concentrator redundancy using VRRP (Virtual Router Redundancy Protocol). This feature applies to installations of two or more VPN Concentrators in a parallel, redundant configuration. It provides automatic switchover to a backup system in case the primary system is out of service, thus ensuring user access to the VPN. This feature supports user access via IPSec LAN-to-LAN connections, IPSec client (single-user remote-access) connections, and PPTP client connections.
This section of the Manager lets you configure system-wide IP routing parameters:
You configure RIP and interface-specific OSPF parameters on the network interfaces; click the highlighted link to go to the Configuration | Interfaces screen.
This section of the Manager lets you configure static routes for IP routing. You usually configure static routes for private networks that cannot be learned via RIP or OSPF.
The Static Routes list shows manual IP routes that have been configured. The format is [destination network address/subnet mask -> outbound destination], for example: 192.168.12.0/255.255.255.0 -> 10.10.0.2. If you have configured the default gateway, it appears first in the list as Default -> default router address. If no static routes have been configured, the list shows --Empty--.
Note The following static routing table limitations exist on the various platforms. The ability to populate all routes depends on having sufficient system memory.
3002: 50 routes
3005: 200 routes
30XX: 10,240 routes
When the routing table is full, the following message appears in the log:
12539 08/30/2001 22:07:55.270 SEV=2 IP/26 RPT=12 Routing Table Full, add new route failed.
To configure and add a new static route, click Add. The Manager opens the Configuration | System | IP Routing | Static Routes | Add screen.
To modify a configured static route, select the route from the list and click Modify. The Manager opens the Configuration | System | IP Routing | Static Routes | Modify screen. If you select the default gateway, the Manager opens the Configuration | System | IP Routing | Default Gateways screen.
To delete a configured static route, select the route from the list and click Delete.
Note There is no confirmation and no undo.
The Manager refreshes the screen and shows the remaining static routes in the list. You cannot delete the default gateways here; to do so, see the Configuration | System | IP Routing | Default Gateways screen.
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
These Manager screens let you:
Enter the destination network IP address to which this static route applies. Packets with this destination address will be sent to the destination you enter. Use dotted decimal notation, for example: 192.168.12.0.
Enter the subnet mask for the destination network IP address. Use dotted decimal notation, for example: 255.255.255.0. The subnet mask indicates which part of the IP address represents the network and which part represents hosts. The router subsystem looks at only the network part.
The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered. For example, the IP address 192.168.12.0 is a Class C address, and the standard subnet mask is 255.255.255.0. You can accept this entry or change it. Note that 0.0.0.0 is not allowed here, since that would resolve to the equivalent of a default gateway.
Enter the metric, or cost, for this route. Use a number from 1 to 16, where 1 is the lowest cost. The routing subsystem always tries to use the least costly route. For example, if a route uses a low-speed line, you might assign a high metric so the system will use it only if all high-speed routes are unavailable.
Click a radio button to choose the outbound destination for these packets. You can choose only one destination: either a specific router/gateway, or a VPN Concentrator interface.
Enter the IP address of the specific router or gateway to which to route these packets; that is, the IP address of the next hop between the VPN Concentrator and the ultimate destination of the packet. Use dotted decimal notation, for example: 10.10.0.2.
Click the Interface drop-down menu button and choose a configured VPN Concentrator interface as the outbound destination. The menu lists all interfaces that have been configured. The default interface for a static route is the Ethernet 2 (Public) interface.
For example, in a LAN-to-LAN configuration where remote-access clients are assigned IP addresses that are not on the private network, you could configure a static route with those addresses outbound to the Ethernet 1 (Private) interface. The clients could then access the peer VPN Concentrator and its networks.
To add a new static route to the list of configured routes, click Add. Or to apply your changes to a static route, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | IP Routing | Static Routes screen. Any new route appears at the bottom of the Static Routes list.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing | Static Routes screen, and the Static Routes list is unchanged.
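The field rules above (a classful mask filled in from the destination address, 0.0.0.0 rejected as a mask, a metric of 1 to 16, and exactly one outbound destination) are easy to get wrong when routes are prepared in bulk. The following is an added example, not code from the manual or from the VPN Concentrator, that checks one Add/Modify form the way the screen does and renders the entry in the Static Routes list format shown above. The interface names come from this page; how an interface destination is rendered in the list is an assumption.

```python
import ipaddress

# Interface names as the Manager lists them on this page.
INTERFACES = ("Ethernet 1 (Private)", "Ethernet 2 (Public)", "Ethernet 3 (External)")
DEFAULT_INTERFACE = "Ethernet 2 (Public)"   # page: default interface for a static route
METRIC_RANGE = range(1, 17)                 # 1 (lowest cost) .. 16


def classful_mask(network_ip):
    """Standard subnet mask the Manager supplies for a destination network:
    class A -> /8, class B -> /16, class C -> /24 (e.g. 192.168.12.0 -> 255.255.255.0)."""
    first_octet = int(ipaddress.ip_address(network_ip)) >> 24
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    if first_octet < 224:
        return "255.255.255.0"
    raise ValueError(f"{network_ip}: no classful mask for a class D/E address")


def static_route_entry(network_ip, subnet_mask=None, metric=1, router=None, interface=None):
    """Validate one static route form and return the entry as it would appear in
    the Static Routes list ('network/mask -> destination').  Raises ValueError for
    entries the Manager would reject."""
    if subnet_mask is None:
        subnet_mask = classful_mask(network_ip)      # the Manager's auto-filled default
    if subnet_mask == "0.0.0.0":
        # a 0.0.0.0 mask would match every destination, i.e. act as a default gateway
        raise ValueError("subnet mask 0.0.0.0 is not allowed for a static route")
    # strict=True rejects host bits set under the mask (e.g. 192.168.12.5 with /24)
    network = ipaddress.ip_network(f"{network_ip}/{subnet_mask}", strict=True)
    if metric not in METRIC_RANGE:
        raise ValueError("metric must be between 1 and 16")
    if router and interface:
        raise ValueError("choose either a router/gateway or an interface, not both")
    if router:
        destination = str(ipaddress.ip_address(router))   # next-hop address, validated
    else:
        # ASSUMPTION: an interface destination is shown by its interface name
        destination = interface or DEFAULT_INTERFACE
        if destination not in INTERFACES:
            raise ValueError(f"unknown interface {destination!r}")
    return f"{network.network_address}/{network.netmask} -> {destination}"
```

The strict network check is the one most often missed by hand: a destination such as 192.168.12.5 with a /24 mask is not a network address, and the mask the Manager pre-fills only makes sense if the address is already the network's first address.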
This screen lets you configure the default gateway for IP routing, and configure the tunnel default gateway for tunneled traffic. You use this same screen both to initially configure and to change default gateways. You can also configure the default gateway on the Configuration | Quick | System Info screen.
The IP routing subsystem routes data packets first using learned routes, then static routes, then the default gateway. If you do not specify a default gateway, the system drops packets it cannot otherwise route.
For tunneled data, if the system does not know a destination address, it tries to route the packet to the tunnel default gateway first. If that route is not configured, it uses the regular default gateway.
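The lookup order described here (learned routes, then static routes, then the tunnel default gateway for tunneled traffic, then the default gateway, otherwise drop) together with the per-platform table limit noted under Static Routes can be modelled in a few lines. The following is an added example written for this page, not the VPN Concentrator's own implementation: the capacity figures and the log text are taken from the page, while the tie-break between matching routes in the same table (lowest metric, then longest prefix) is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

# Static routing table capacity by platform, from the note on this page.
ROUTE_CAPACITY = {"3002": 50, "3005": 200, "30XX": 10240}
# Text of the log message the page shows when the table is full.
TABLE_FULL_MSG = "Routing Table Full, add new route failed"


@dataclass
class Route:
    network: ipaddress.IPv4Network
    next_hop: str
    metric: int = 1


@dataclass
class IPRoutingSubsystem:
    platform: str = "3005"
    learned: list = field(default_factory=list)   # routes learned from RIP / OSPF
    static: list = field(default_factory=list)    # routes configured by hand
    default_gateway: str = "0.0.0.0"              # 0.0.0.0 means "not configured"
    tunnel_default_gateway: str = "0.0.0.0"
    log: list = field(default_factory=list)

    def learn_route(self, cidr, next_hop, metric=1):
        self.learned.append(Route(ipaddress.ip_network(cidr), next_hop, metric))

    def add_static_route(self, cidr, next_hop, metric=1):
        """Add a static route; refuse it (and log) when the platform table is full."""
        if len(self.static) >= ROUTE_CAPACITY[self.platform]:
            self.log.append(TABLE_FULL_MSG)
            return False
        self.static.append(Route(ipaddress.ip_network(cidr), next_hop, metric))
        return True

    @staticmethod
    def _best(routes, dst):
        matches = [r for r in routes if dst in r.network]
        if not matches:
            return None
        # least costly route wins; longest prefix is an ASSUMED tie-break
        return min(matches, key=lambda r: (r.metric, -r.network.prefixlen)).next_hop

    def next_hop(self, dst_ip, tunneled=False):
        """Return where a packet to dst_ip is forwarded, or None if it is dropped."""
        dst = ipaddress.ip_address(dst_ip)
        for table in (self.learned, self.static):      # learned routes first, then static
            hop = self._best(table, dst)
            if hop:
                return hop
        if tunneled and self.tunnel_default_gateway != "0.0.0.0":
            return self.tunnel_default_gateway            # tunneled traffic tries this first
        if self.default_gateway != "0.0.0.0":
            return self.default_gateway
        return None                                        # no default gateway: dropped
```

Two behaviours worth noticing when testing this against a real configuration: a learned route is preferred over a more specific static route, and with no default gateway configured the subsystem silently drops anything it cannot match, which is also the behaviour a full routing table produces for every route that failed to be added.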
Enter the IP address of the default gateway or router. Use dotted decimal notation, for example: 192.168.12.77. This address must not be the same as the IP address configured on any VPN Concentrator interface. If you do not use a default gateway, enter 0.0.0.0 (the default entry).
To delete a configured default gateway, enter 0.0.0.0.
The default gateway must be reachable from a VPN Concentrator interface, and it is usually on the public network. The Manager displays a warning screen if you enter an IP address that is not on one of its interface networks, and it displays a dialog box if you enter an IP address that is not on the public network.
Enter the metric, or cost, for the route to the default gateway. Use a number from 1 to 16, where 1 is the lowest cost. The routing subsystem always tries to use the least costly route. For example, if this route uses a low-speed line, you might assign a high metric so the system will use it only if all high-speed routes are unavailable.
Enter the IP address of the default gateway for tunneled data. Use dotted decimal notation, for example: 10.10.0.2. If you do not use a tunnel default gateway, enter 0.0.0.0 (the default entry).
To delete a configured tunnel default gateway, enter 0.0.0.0.
This gateway is often a firewall in parallel with the VPN Concentrator and between the public and private networks. The tunnel default gateway applies to all tunneled traffic, including IPSec LAN-to-LAN traffic.
Note If you use an external device instead of the VPN Concentrator for NAT (Network Address Translation), you must configure the tunnel default gateway.
To allow default gateways learned via RIP or OSPF to override the configured default gateway, check the Override Default Gateway check box (the default). To always use the configured default gateway, uncheck the box.
To apply the settings for default gateways, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen. If you configure a Default Gateway, it also appears in the Static Routes list on the Configuration | System | IP Routing | Static Routes screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing screen.
This screen lets you configure system-wide parameters for the OSPF (Open Shortest Path First) routing protocol. You must also configure interface-specific OSPF parameters on the Configuration | Interfaces screens.
OSPF is a protocol that the IP routing subsystem uses for messages to other OSPF routers within an internal or private network, to determine network connectivity, status, and optimum paths for sending data traffic. The VPN Concentrator supports OSPF version 2 (RFC 2328).
The complete private network is called an OSPF Autonomous System (AS), or domain. The subnets within the AS are called areas. You configure OSPF areas on the Configuration | System | IP Routing | OSPF Areas screens.
To enable the VPN Concentrator OSPF router, check the Enabled check box. (By default it is unchecked.) You must also enter a Router ID. You must check this box for OSPF to work on any interface that uses it.
To change a configured Router ID, you must disable OSPF here.
To enable OSPF routing on an interface, you must also configure and enable OSPF on the appropriate Configuration | Interfaces screen.
The router ID uniquely identifies the VPN Concentrator OSPF router to other OSPF routers in its domain. While the format is that of an IP address, it functions only as an identifier and not an address. By convention, however, this identifier is the same as the IP address of the interface that is connected to the OSPF router network.
Enter the router ID in the field. Use dotted decimal IP address format, for example: 10.10.4.6. The default entry is 0.0.0.0 (no router configured). If you enable the OSPF router, you must enter an ID.
Note Once you configure and apply a router ID, you must disable OSPF before you can change it. You cannot change the ID back to 0.0.0.0.
An OSPF Autonomous System (AS), or domain, is a complete internal network. An AS boundary router exchanges routing information with routers belonging to other Autonomous Systems, and advertises external AS routing information throughout its AS. If you are using reverse route injection (RRI) with OSPF, you must enable Autonomous System.
Check the Autonomous System check box to indicate that the VPN Concentrator OSPF router is the boundary router for an Autonomous System. If you check this box, the VPN Concentrator also redistributes RIP and static routes into the OSPF areas. By default, the box is unchecked.
To apply your OSPF settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your settings, click Cancel. The Manager returns to the Configuration | System | IP Routing screen.
This section of the Manager lets you configure OSPF areas, which are the subnets within an OSPF Autonomous System or domain. You should configure entries for all areas connected to this VPN Concentrator OSPF router.
You can also identify an OSPF area on a VPN Concentrator network interface (see Configuration | Interfaces). Those area identifiers appear in the OSPF Area list on this screen.
The OSPF Area list shows identifiers for all areas that are connected to this VPN Concentrator OSPF router. The format is the same as a dotted decimal IP address, for example: 10.10.0.0. The default entry is 0.0.0.0. This entry identifies a special area known as the backbone that contains all area border routers, which are the routers connected to multiple areas.
To configure and add a new OSPF area, click Add. The Manager opens the Configuration | System | IP Routing | OSPF Areas | Add screen.
To modify a configured OSPF area, select the area from the list and click Modify. The Manager opens the Configuration | System | IP Routing | OSPF Areas | Modify screen.
To delete a configured OSPF area, select the area from the list and click Delete.
Note There is no confirmation or undo.
The Manager refreshes the screen and shows the remaining entries in the OSPF Area list.
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
These Manager screens let you:
The Area ID identifies the subnet area within the OSPF Autonomous System or domain. While its format is the same as an IP address, it functions only as an identifier and not an address. The 0.0.0.0 area ID identifies a special area—the backbone—that contains all area border routers.
Check the Area Summary check box to have the OSPF router generate and propagate summary LSAs (Link-State Advertisements) into OSPF stub areas. LSAs describe the state of the router's interfaces and routing paths. Stub areas contain only final-destination hosts and do not pass traffic through to other areas. Sending LSAs to them is usually not necessary. By default this box is unchecked.
Click the External LSA Import drop-down menu button and choose whether to bring in LSAs from neighboring Autonomous Systems. LSAs describe the state of the AS router's interfaces and routing paths. Importing those LSAs builds a more complete link-state database, but it requires more processing. The choices are:
To add this OSPF area to the list of configured areas, click Add. Or to apply your changes to this OSPF area, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | IP Routing | OSPF Areas screen. Any new entry appears at the bottom of the OSPF Area list.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing | OSPF Areas screen, and the OSPF Area list is unchanged.
This screen lets you configure DHCP (Dynamic Host Configuration Protocol) Proxy parameters that apply to DHCP functions within the VPN Concentrator. You can use external DHCP servers to assign IP addresses to the VPN tunnel as it is established.
If you check the Use DHCP check box on the Configuration | System | Address Management | Assignment screen, you must configure at least one DHCP server on the Configuration | System | Servers | DHCP screens. You configure global DHCP parameters here.
Check the Enabled check box to enable DHCP Proxy, which allows the VPN tunnel to get its IP address from a DHCP server. The box is checked by default.
Enter the timeout in minutes for addresses that are obtained from a DHCP server. The minimum timeout is 5 minutes. The default is 120 minutes. The maximum is 500000 minutes. DHCP servers "lease" IP addresses for this period of time. Before the lease expires, the VPN Concentrator asks to renew it on behalf of the client. If for some reason the lease is not renewed, the connection terminates when the lease expires. The DHCP server's lease period takes precedence over this setting.
Enter the UDP port number on which DHCP server response messages are accepted. The default is 67, which is the well-known port. To ensure proper communication with DHCP servers, we strongly recommend that you not change this default.
Enter the initial time in seconds to wait for a response to a DHCP request before sending the request to the next configured DHCP server. The minimum time is 1 second. The default time is 2 seconds. The maximum time is 30 seconds. This time doubles with each cycle through the list of configured DHCP servers.
To apply the settings for DHCP parameters, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing screen.
DHCP relay lets VPN clients, particularly wireless clients, obtain a network configuration from a DHCP server on the VPN Concentrator's private network before creating a VPN tunnel. The client sends a DHCP request to the public or external network. The VPN Concentrator receives the DHCP request on its public or external interface, and forwards the request. To respond with a DHCP offer, one or more DHCP servers on the corporate network must have an IP address scope for the public network. When the DHCP server does respond with a DHCP offer, the VPN client and the DHCP server then proceed with DHCP negotiations, with the VPN Concentrator acting as a router, relaying DHCP messages between them.
The primary benefit of DHCP relay is that you do not have to maintain a separate DHCP server for VPN clients. For DHCP relay to work, however, the VPN Concentrator allows unauthenticated DHCP traffic through the VPN Concentrator. This poses a potential security risk, for example, vulnerability to denial of service attacks by requesting all available DHCP addresses, or by exhausting CPU and/or network bandwidth. You should be aware of these security issues.
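Because DHCP relay passes unauthenticated DHCP traffic from the public side, the address-exhaustion risk mentioned above is worth monitoring rather than just accepting. The following is an added example, not part of the manual and not a VPN Concentrator feature: a sliding-window detector that, given DHCPDISCOVER events captured on the public interface as (timestamp, client hardware address) pairs, raises an alert when the number of distinct clients in the trailing window exceeds what the real client population could produce. The window, threshold, and the sample event stream are all constructed for the example.

```python
from collections import deque


def detect_dhcp_starvation(discover_events, window_seconds=60.0, max_distinct_clients=50):
    """discover_events: iterable of (timestamp_seconds, client_hw_addr) for
    DHCPDISCOVER messages observed on the public side of the relay, e.g. from a
    packet capture.  Returns a list of (timestamp, distinct_clients) alerts, one
    per excursion above the threshold.  A legitimate client population renews
    from a stable set of addresses; an exhaustion attempt shows up as many
    never-seen hardware addresses inside a short window."""
    in_window = deque()          # (ts, mac) events still inside the trailing window
    per_client = {}              # mac -> number of DISCOVERs inside the window
    alerts, above = [], False
    for ts, mac in sorted(discover_events):
        in_window.append((ts, mac))
        per_client[mac] = per_client.get(mac, 0) + 1
        while ts - in_window[0][0] > window_seconds:   # expire events that left the window
            _, old_mac = in_window.popleft()
            per_client[old_mac] -= 1
            if per_client[old_mac] == 0:
                del per_client[old_mac]
        distinct = len(per_client)
        if distinct > max_distinct_clients and not above:
            alerts.append((ts, distinct))              # first crossing of this excursion
            above = True
        elif distinct <= max_distinct_clients:
            above = False
    return alerts


def constructed_discover_events():
    """Constructed sample: ten real clients discovering once each during the
    first ten seconds, then, at t=100 s, a burst of 200 DISCOVERs that each
    carry a different hardware address, spaced 20 ms apart."""
    events = [(float(t), f"00:11:22:33:44:{t:02x}") for t in range(10)]
    events += [(100.0 + i / 50, f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}")
               for i in range(200)]
    return events
```

The threshold should be set from the number of VPN clients that can legitimately be on the public segment at once; the detector alerts once per excursion rather than on every packet, so it can feed an alerting pipeline without flooding it. The scope the DHCP server holds for the public network is finite, so the alert threshold should sit well below that scope size.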
Note To enable DHCP relay, you must also assign the DHCP In and DHCP Out rules to the interface filter in the Configuration | Policy Management | Traffic Management | Filters screen.
Check the Enabled check box to enable DHCP relay on the VPN Concentrator.
This parameter determines how the VPN Concentrator transmits DHCP requests. Select one of these options:
To apply the settings for DHCP relay parameters, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
This screen lets you configure parameters for Virtual Router Redundancy Protocol (VRRP), which manages automatic switchover from one VPN Concentrator to another in a redundant installation. Automatic switchover provides user access to the VPN even if the primary VPN Concentrator is out of service.
These functions apply only to installations where two or more VPN Concentrators are in parallel. One VPN Concentrator is the master system, and the other(s) are backup systems. A backup system acts as a virtual master system when a switchover occurs.
This feature supports user access via IPSec LAN-to-LAN connections, IPSec client (single-user remote-access) connections, and PPTP client connections.
Before configuring or enabling VRRP on this screen, you must configure all Ethernet interfaces that apply to your installation, on all redundant VPN Concentrators. See the Configuration | Interfaces screens.
You must also configure identical IPSec LAN-to-LAN parameters on the redundant VPN Concentrators. See the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screens.
Note VRRP cannot be used when DHCP is enabled on the VPN Concentrator's interfaces. Use static IP addressing when VRRP is enabled.
In a VRRP configuration, if the public or private interface of the master system goes down, the other interfaces shut down automatically and the backup VPN device takes over. The backup VPN device takes over only when it stops receiving VRRP messages on both the public and private interfaces.
Some failure cases are not detected by VRRP. If a forwarding device (router or switch) fails on a network connecting the VRRP master and backup devices, the master might not detect the failure at the link level. For example, if you have a Cisco Catalyst switch between the master and backup devices and you shut that switch port down, this shutdown does not bring down the link layer. As long as the link layer is up, the VPN Concentrator does not detect the interface as "DOWN" (appearing on the Configuration | Interfaces screen), and therefore it does not stop sending messages to the backup device on all its interfaces. In this case, because the backup device is still receiving VRRP messages on at least one interface, it does not take over as the master.
Also, when a Cisco Catalyst switch in a VRRP scenario uses Spanning-Tree Protocol (STP), the inherent delays with STP cause a delay in recognizing that a backup VPN Concentrator has taken over as the master. To reduce this delay to 15 seconds, enable Portfast on switches that use STP. To configure Portfast on Cisco switches, refer to the document:
http://www.cisco.com/warp/public/473/12.html
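The takeover rule above (the backup becomes master only when advertisements stop on both the public and the private interface) explains the switch-port case: an interface whose link stays up keeps advertising, so the backup still hears the master and does not take over. The following is an added example, not the VPN Concentrator's implementation, that models the backup side of that decision with the Group ID, Group Password, and default advertisement interval from this screen. The number of missed intervals before an interface counts as silent (three) and the rule that a backup which has taken over stays master are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class BackupConcentrator:
    """Backup-side view of VRRP as this page describes it: takeover happens only
    when advertisements stop on every interface in the redundant group."""
    group_id: int = 1                       # Group ID, identical on all members (page default 1)
    password: str = ""                      # Group Password, carried in clear text in adverts
    advertisement_interval: float = 1.0     # seconds, page default
    master_down_multiplier: int = 3         # ASSUMPTION: silent after 3 missed intervals
    interfaces: tuple = ("Ethernet 1 (Private)", "Ethernet 2 (Public)")
    role: str = "Backup"
    last_advertisement: dict = field(default_factory=dict)   # interface -> last time heard

    def receive_advertisement(self, interface, ts, group_id, password):
        """Record a master advertisement.  Adverts for another group or with a
        wrong password are ignored and do not count as hearing our master."""
        if group_id != self.group_id or password != self.password:
            return False
        self.last_advertisement[interface] = ts
        return True

    def silent_interfaces(self, ts):
        """Interfaces on which no valid advert arrived within the master-down time."""
        timeout = self.advertisement_interval * self.master_down_multiplier
        return [i for i in self.interfaces
                if ts - self.last_advertisement.get(i, float("-inf")) > timeout]

    def evaluate(self, ts):
        """Re-evaluate the role at time ts and return it."""
        if self.role == "Backup" and len(self.silent_interfaces(ts)) == len(self.interfaces):
            self.role = "Master"            # ASSUMPTION: stays master once it has taken over
        return self.role


def run_scenarios():
    """Constructed timeline: the master is heard on both interfaces for 5 s; then
    the private-side switch port is shut (the link stays up, so the master keeps
    advertising on the public side); then the master stops advertising entirely."""
    backup = BackupConcentrator(group_id=1, password="")
    for t in range(0, 5):
        for iface in backup.interfaces:
            backup.receive_advertisement(iface, t, 1, "")
    for t in range(5, 15):                          # only the public side still hears adverts
        backup.receive_advertisement("Ethernet 2 (Public)", t, 1, "")
    after_partial_failure = backup.evaluate(15)     # private silent for 11 s, public 1 s ago
    after_full_failure = backup.evaluate(19)        # nothing heard on either side for 5 s
    return after_partial_failure, after_full_failure
```

The password check is the only authentication the page describes, and it is compared in clear text; the example keeps it that way so the behaviour matches, which is also why the manual's advice to keep the redundant pair on a controlled segment matters more than the password itself.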
Check the Enable VRRP check box to enable VRRP functions. The box is unchecked by default.
Enter a number that uniquely identifies this group of redundant VPN Concentrators. This number must be the same on all systems in this group. Use a number from 1 (default) to 255. Since there is rarely more than one virtual group on a LAN, we suggest you accept the default.
Enter a password for additional security in identifying this group of redundant VPN Concentrators. The maximum password length is 8 characters. The Manager shows your entry in clear text, and VRRP advertisements contain this password in clear text. This password must be the same on all systems in this group. Leave this field blank to use no password.
Click the Role drop-down menu button and choose the role of this VPN Concentrator in this redundant group.
Enter the time interval in seconds between VRRP advertisements to other systems in this group. Only the Master system sends advertisements; this field is ignored on Backup systems while they remain Backup. The minimum interval is 1 second. The default interval is 1 second. The maximum is 255 seconds. Since a Backup system can become a Master system, we suggest you accept the default for all systems.
Enter the IP addresses that are treated as configured router addresses by all virtual routers in this group. The Manager displays fields only for the Ethernet interfaces that have been configured.
On the Master system, these entries are the IP addresses configured on its Ethernet interfaces, and the Manager supplies them by default.
On a Backup system, the fields are empty by default, and you must enter the same IP addresses as those on the Master system.
The IP address for the Ethernet 1 (Private) interface shared by the virtual routers in this group.
The IP address for the Ethernet 2 (Public) interface shared by the virtual routers in this group.
The IP address for the Ethernet 3 (External) interface shared by the virtual routers in this group.
To apply the settings for VRRP, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing screen.
The VPN Concentrator can automatically add static routes to the routing table and announce these routes to its private network or border routers using OSPF or RIP. This feature is called reverse route injection (RRI). The RRI options that you can configure vary with the type of connection:
To add routes to the routing table of the VPN Concentrator without advertising them to the private network, disable routing on the private interface.
To advertise the routes, enable OSPF or RIP on the VPN Concentrator's private interface. (See the Configuration | Interfaces | Ethernet 1 2 3 screen, RIP or OSPF tabs.)
Note This option applies to all remote software clients and VPN 3002 Hardware Clients using Client (PAT) Mode.
Check the Client Reverse Route Injection check box to add host routes for each remote client to the VPN Concentrator routing table. The VPN Concentrator adds a host route when the client connects and deletes it when the client disconnects.
This option adds individual clients; to add address pools, use the Address Pool Hold Down Routes option.
This box is unchecked by default.
Note This option applies only to VPN 3002 Hardware Clients using Network Extension Mode.
Check the Network Extension Reverse Route Injection check box to add a network route for each network behind a VPN 3002 Hardware Client to the routing table on the VPN Concentrator. The VPN Concentrator adds the route when the VPN 3002 connects and deletes the route when it disconnects.
This box is unchecked by default.
Note This option applies to all remote software clients and VPN 3002 Hardware Clients using Client (PAT) Mode.
In the Address Pool Hold Down Routes field, enter any hold down routes to add to the VPN Concentrator routing table. You can either enter routes automatically or manually:
If you configure both the Client Reverse Route Injection and the Address Pool Hold Down Routes fields, when a remote client connects to the VPN Concentrator, the VPN Concentrator checks first to see if the client address falls under any of the address pool routes listed here. If not, it adds the client's route to the routing table.
Note If you have typed any entries into the Address Pool Hold Down Routes window, clicking this button will erase them. If you want to keep these previous entries, copy them to a file or clipboard and paste them back in after clicking the Generate Hold Down Routes button.
Click the Generate Hold Down Routes button to automatically display hold down routes based on configured address pools in the Address Pool Hold Down Routes window.
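The interaction between Client Reverse Route Injection and Address Pool Hold Down Routes described above (a per-client host route is added only when the client address is not already covered by a hold down route) decides how many routes the private network sees churn as clients connect and disconnect. The following is an added example, not the VPN Concentrator's code: it generates hold down routes from address pools and then applies the connect-time check. The page does not state how Generate Hold Down Routes summarizes a pool; the example assumes exact range summarization, which is also why a pool that is not aligned to a subnet boundary yields several routes.

```python
import ipaddress


def generate_hold_down_routes(address_pools):
    """Turn each configured address pool (first address, last address) into
    network routes.  ASSUMED algorithm: exact range summarization, so a pool
    such as 10.30.0.1-10.30.0.254 becomes 14 routes, while 10.20.0.0-10.20.0.255
    becomes the single route 10.20.0.0/24."""
    routes = []
    for first, last in address_pools:
        routes.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return routes


class ReverseRouteInjection:
    """Routing-table side of Client RRI combined with Address Pool Hold Down Routes."""

    def __init__(self, hold_down_routes, client_rri=True):
        self.hold_down = list(hold_down_routes)    # present for as long as they are configured
        self.client_rri = client_rri               # the Client Reverse Route Injection box
        self.host_routes = set()                   # /32 routes added per connected client

    def client_connected(self, client_ip):
        """Return the host route added for this client, or None when the address
        already falls under a hold down route (or Client RRI is unchecked)."""
        addr = ipaddress.ip_address(client_ip)
        if not self.client_rri or any(addr in net for net in self.hold_down):
            return None
        route = ipaddress.ip_network(f"{addr}/32")
        self.host_routes.add(route)
        return route

    def client_disconnected(self, client_ip):
        """The host route goes away with the client; hold down routes stay."""
        self.host_routes.discard(ipaddress.ip_network(f"{client_ip}/32"))

    def routing_table(self):
        """Routes that OSPF or RIP on the private interface would announce."""
        return sorted(str(n) for n in list(self.hold_down) + list(self.host_routes))
```

The practical consequence is that a pool covered by a hold down route produces no per-connection route changes at all, whereas clients assigned addresses outside every pool (for example by an external DHCP server) add and remove a /32 on every session, which the private-side routers then have to absorb.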
To apply the settings for Reverse Route Injection, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing screen.
Posted: Wed Jul 16 12:44:42 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.