This chapter tells you how to complete quick configuration of the system using the VPN 3000 Series command-line interface (CLI).
Quick configuration supplies the minimal parameters needed to make the VPN Concentrator operational. For example, a configured remote user with a PC and modem can use Microsoft PPTP and a local ISP to connect securely, in a VPN tunnel through the Internet, with resources on a private, internal corporate network.
The CLI is a menu-based configuration, administration, and monitoring system built into the VPN Concentrator. You can use it from the console or in a Telnet session. To use a Telnet session, connect to the IP address of the private Ethernet interface.
Before beginning the procedures in this section, you should have completed Steps 1 through 11 in the "Using the Console" section. As you proceed, refer to the data you recorded in Table 2-2.
The CLI has the following characteristics:
This section describes how to configure the VPN Concentrator Ethernet interfaces.
For the VPN Concentrator to become fully operational, you must configure the two interfaces you physically connected to your network in the "Connecting Network Cables" section.
To configure the VPN Concentrator Ethernet Interfaces, follow these steps:
You entered values for Ethernet 1 under "Using the Console" section. You can change them now if you want; to do so, enter 1 at the cursor. To configure another interface, enter its number at the cursor.
Step 2 We assume you enter 2 to configure Ethernet 2. The CLI displays a table with the current IP addresses and subnet masks for all three Ethernet interfaces.
At the cursor, enter the IP address for the VPN Concentrator Ethernet 2 (Public) interface, using dotted decimal notation; for example, 192.168.12.34. Be sure no other device is using this address on the network. (Note that Ethernet 3 appears on models 3015-3080 only.)
Step 3 The system prompts you for the subnet mask for the Ethernet 2 (Public) interface. The entry in brackets is the standard subnet mask for the IP address you entered above. For example, an IP address of 192.168.12.34 is a Class C address, and the standard subnet mask is 255.255.255.0.
At the cursor, enter the subnet mask for Ethernet 2, using dotted decimal notation; for example, 255.255.255.0. To accept the default, press Enter.
Step 4 The system prompts with a menu to set the speed for the Ethernet 2 interface. You can let the VPN Concentrator automatically detect and set the appropriate speed (the default), or you can set a fixed speed of 10 or 100 Mbps (for 10BASE-T or 100BASE-T networks). If you accept the default, be sure that the port on the active network device (hub, switch, or router) to which you connect this interface is also set to automatically negotiate the speed. Otherwise, select the appropriate fixed speed.
At the cursor, enter the menu number for your selection; for example, 1. To accept the default (3), press Enter.
Step 5 The system prompts with a menu to set the transmission mode for the Ethernet 2 interface. You can let the VPN Concentrator automatically detect and set the appropriate mode (the default), or you can configure the interface for full duplex (transmission in both directions at the same time) or half duplex (transmission in only one direction at a time). If you accept the default, be sure that the port on the active network device (hub, switch, or router) to which you connect this interface is also set to automatically negotiate the transmission mode. Otherwise, select the appropriate fixed mode.
At the cursor, enter the menu number for your selection; for example, 2. To accept the default (1), press Enter.
Step 6 The system prompts with a menu giving choices for proceeding. You can configure other interfaces, save your current entries, continue on to other quick configuration parameters, or exit the CLI. We recommend that you save first.
[Menu shown for Model 3005; menu shown for Models 3015-3080]
At the cursor, enter the number for Save changes to Config file.
To configure basic information that identifies your VPN Concentrator on the network, follow these steps:
At the cursor, enter a name such as VPN01. This name must uniquely identify this device on your network.
Step 2 The system prompts you to specify a local DNS (Domain Name System) server, which lets you enter Internet hostnames (for example, mail01) rather than IP addresses for servers as you configure and manage the VPN Concentrator. While hostnames are easier to remember, using IP addresses avoids problems that might arise with the DNS server offline, congested, or otherwise indisposed.
At the cursor, enter the IP address of your local DNS server in dotted decimal notation; for example, 10.10.0.11.
Step 3 The system prompts you to enter the registered Internet domain name in which the VPN Concentrator is located (sometimes called the domain name suffix or subdomain).
At the cursor, enter your domain name; for example, cisco.com.
Step 4 The system prompts you to specify a default gateway, which is the system to which the VPN Concentrator routes packets that are not explicitly routed. In other words, if the VPN Concentrator has no IP routing parameters (RIP, OSPF, static routes) that specify where to send packets, it will send them to this gateway. (And when you first start the VPN Concentrator, it has no IP routing parameters.)
At the cursor, enter the IP address of the default gateway (for example, 10.10.0.1). This address must not be the same as the IP address configured on any VPN Concentrator interface. To specify no default gateway, which means the VPN Concentrator drops unrouted packets, leave this entry blank.
This section describes how to enable, disable, and configure virtual private network tunneling protocols and encryption options on the VPN Concentrator. You must enable at least one of the following protocols for the device to function as a VPN device. The protocol choices are PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol), with or without Microsoft encryption required; and IPSec (IP Security protocol). PPTP and L2TP are popular with Microsoft Windows-based clients, and the Cisco VPN Client uses IPSec.
To enable, disable, and configure virtual private network tunneling protocols and encryption options on the VPN Concentrator, follow these steps:
At the cursor, enter 2 to disable PPTP, or press Enter to accept the default (1), which enables PPTP.
Step 2 If you enable PPTP, the system prompts you to select the encryption option.
At the cursor, enter 1 to require encryption, or press Enter to accept the default (2), which does not require encryption. Accept the default if you disabled PPTP.
Step 3 The system prompts you to enable or disable L2TP.
At the cursor, enter 2 to disable L2TP, or press Enter to accept the default (1), which enables L2TP.
Step 4 If you enable L2TP, the system prompts you to select the encryption option.
At the cursor, enter 1 to require encryption, or press Enter to accept the default (2), which does not require encryption.
Step 5 The system prompts you to enable or disable IPSec.
At the cursor, enter 2 to disable IPSec, or press Enter to accept the default (1), which enables IPSec.
Configuring address assignment applies, and its menus appear, only when you enable at least one tunneling protocol. If you disabled all protocols, skip to the "Configuring Authentication" section.
This section lets you configure prioritized methods for assigning IP addresses to clients as a tunnel is established. The methods are configured, and used, in this order:
You must enable at least one method. You can enable any and all methods. By default, no method is enabled.
To configure address assignment, follow these steps:
At the cursor, enter 1 to enable client-specified address assignment, or press Enter to accept the default (2), disabled.
Step 2 The system prompts you to enable or disable per-user address assignment.
At the cursor, enter 1 to enable per-user address assignment, or press Enter to accept the default (2), disabled.
Step 3 The system prompts you to enable or disable DHCP address assignment.
At the cursor, enter 1 to enable DHCP address assignment, or press Enter to accept the default (2), disabled. If you enable DHCP, continue with the next step. If you disable DHCP, skip the next step.
Step 4 If you enable DHCP address assignment, the system prompts for the server address. If you disable DHCP, this prompt does not appear.
At the cursor, enter the IP address or hostname of the DHCP server.
Step 5 The system prompts you to enable or disable configured pool address assignment.
At the cursor, enter 1 to enable configured pool assignment, or press Enter to accept the default (2), disabled. If you enable configured pool, continue with the next two steps; otherwise, skip them.
Step 6 If you enable configured pool address assignment, the system prompts for the starting IP address available in the initial pool.
At the cursor, enter the starting IP address available in the initial configured pool. Use dotted decimal notation; for example, 10.10.1.77.
Step 7 If you enable configured pool address assignment, the system prompts for the ending IP address available in the initial pool.
At the cursor, enter the ending IP address available in the initial configured pool. Use dotted decimal notation; for example, 10.10.1.177.
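The interface, default-gateway and configured-pool prompts above all accept dotted-decimal values, and the CLI only tells you later (when traffic fails) that they were inconsistent. The following script is an added example, not Cisco code: it validates a Table 2-2 worksheet before you type it in, computes the classful mask the CLI offers in brackets, flags a gateway that equals an interface address (which the page forbids) or lies on no connected subnet (the Concentrator starts with no routes, so it could not reach it), and checks that the initial pool is ordered and does not contain an address already in use. The interface names and sample addresses are constructed from the page's examples.

```python
"""Pre-flight checks for a VPN 3000 quick-configuration worksheet.

Added example, not Cisco code. The sample plan at the bottom is constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def classful_default_mask(ip: str) -> str:
    """Return the standard (classful) mask the CLI shows in brackets for ip."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "255.0.0.0"      # Class A
    if first < 192:
        return "255.255.0.0"    # Class B
    if first < 224:
        return "255.255.255.0"  # Class C
    raise ValueError(f"{ip} is not a class A, B or C unicast address")


def check_plan(interfaces: Dict[str, Tuple[str, str]],
               gateway: Optional[str],
               pool: Optional[Tuple[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    ifaces: Dict[str, ipaddress.IPv4Interface] = {}

    # IPv4Interface rejects malformed addresses and non-contiguous masks.
    for name, (ip, mask) in interfaces.items():
        try:
            ifaces[name] = ipaddress.IPv4Interface(f"{ip}/{mask}")
        except ValueError as exc:
            problems.append(f"{name}: invalid address or mask ({exc})")
    for name, iface in ifaces.items():
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is the network or broadcast address of {net}")

    # Interfaces must use distinct addresses on non-overlapping subnets.
    names = list(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].ip == ifaces[b].ip:
                problems.append(f"{a} and {b} use the same address {ifaces[a].ip}")
            elif ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a} ({ifaces[a].network}) overlaps {b} ({ifaces[b].network})")

    # The default gateway must not be an interface address and, since the
    # Concentrator has no routes at first start, must be directly connected.
    if gateway:
        gw = ipaddress.IPv4Address(gateway)
        if any(gw == i.ip for i in ifaces.values()):
            problems.append(f"default gateway {gw} is the address of a Concentrator interface")
        elif not any(gw in i.network for i in ifaces.values()):
            problems.append(f"default gateway {gw} is not on any connected subnet")

    # The initial pool must be ordered and must not hand out an address in use.
    if pool:
        start, end = (ipaddress.IPv4Address(p) for p in pool)
        if start > end:
            problems.append(f"pool start {start} is after pool end {end}")
        else:
            reserved = [i.ip for i in ifaces.values()]
            if gateway:
                reserved.append(ipaddress.IPv4Address(gateway))
            for addr in reserved:
                if start <= addr <= end:
                    problems.append(f"pool {start}-{end} contains in-use address {addr}")
    return problems


if __name__ == "__main__":
    # Constructed worksheet built from the example values used on this page.
    plan = {"Ethernet 1 (Private)": ("10.10.0.10", "255.255.0.0"),
            "Ethernet 2 (Public)": ("192.168.12.34", "255.255.255.0")}
    for name, (ip, _) in plan.items():
        print(f"{name}: CLI default mask would be {classful_default_mask(ip)}")
    for line in check_plan(plan, "10.10.0.1", ("10.10.1.77", "10.10.1.177")) or ["plan OK"]:
        print(line)
```

Run it with your own worksheet values substituted; an empty problem list means the values can be entered at the prompts in the order the steps describe.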
You can choose and configure one of five types of servers to authenticate users:
You must select one authentication server type; there is no default. You can configure additional authentication servers on regular Configuration menus.
Before you configure an external server here, be sure that the external server you reference is itself properly configured and that you know how to access it (IP address or hostname, TCP/UDP port, secret/password, and so forth). The VPN Concentrator functions as the client of these servers.
The system prompts you to select an authentication server type.
To bypass this step and continue quick configuration, enter 5. If you enabled IPSec tunneling protocol, skip to the "Configuring the IPSec Group" section; otherwise skip to the "Changing the Admin Password" section.
The VPN Concentrator internal authentication server lets you enter a maximum of 100 groups and users (combined) in its database, which is adequate for a small user base. For larger numbers of users, we recommend using a RADIUS authentication server.
To use the internal server, you must create a database with at least one user, each with a user name and password, and, if you specified per-user address assignment, an IP address and subnet mask. To do so, follow these steps:
At the cursor, enter 1 to add a user.
Step 2 The system prompts you to enter the user name. To be authenticated, the user must log in from the client using this name.
At the cursor, enter a unique user name; for example, simonz. The maximum is 32 characters, case-sensitive.
Step 3 The system prompts you to enter the password for this user. To be authenticated, the user must log in from the client using this password. Each user name and password combination must be unique.
At the cursor, enter the user password; for example, 9se7pt14. It must be at least 8 characters long; the maximum is 32 characters, case-sensitive. The system displays only asterisks.
Step 4 The system prompts you to verify the password for this user.
At the cursor, re-enter the user password. The system displays only asterisks.
If you specified per-user address assignment, continue with the next two steps. Otherwise, skip them.
Step 5 If you specified per-user address assignment, the system prompts you to enter the IP address for this user. This is the IP address assigned to this user as a client.
At the cursor, enter the user IP address in dotted decimal notation; for example, 10.10.1.35.
Step 6 If you specified per-user address assignment, the system prompts you to enter the subnet mask for this user. This is the subnet mask assigned to this user as a client.
At the cursor, enter the user subnet mask in dotted decimal notation; for example, 255.255.0.0.
Step 7 The system redisplays the user database with the new user added. You can add more users, delete users, or continue with quick configuration.
At the cursor, enter the menu number for your selection; for example, 1. To add more users, repeat Step 1 through Step 6 in this section. To delete a user (2), see the next step. To continue (3), skip to the "Configuring the IPSec Group" section or the "Changing the Admin Password" section.
Step 8 If you choose to delete a user from the internal database, the system prompts you to enter the name of the user to delete.
At the cursor, enter the name of the existing user you want to delete; for example, simonz. You must enter the name exactly as listed in the table. After deleting the user, the system redisplays the user database as in the previous step, but without the deleted user.
External RADIUS servers can return group and user authentication parameters that match those on the VPN Concentrator; other authentication servers do not. The VPN Concentrator software CD-ROM includes a trial copy of the CiscoSecure ACS RADIUS authentication server and instructions for using it with the VPN Concentrator.
To configure an external RADIUS user authentication server, follow these steps to supply the required server IP address or hostname, server secret, and port number:
At the cursor, enter the RADIUS server hostname or IP address; for example, 192.168.56.78. The maximum length is 32 characters.
Step 2 The system prompts you to enter the RADIUS server secret, also called the shared secret, that allows access to the server.
At the cursor, enter the RADIUS server secret; for example, B8y077E. The maximum length is 64 characters. The system displays only asterisks.
Step 3 The system prompts you to reenter the RADIUS server secret to verify it.
At the cursor, reenter the RADIUS server secret. The system displays only asterisks.
Step 4 The system prompts you to enter the UDP port number by which you access the RADIUS server.
At the cursor, enter the RADIUS port number; for example, 1645. To have the system supply the default port number (1645), press Enter to accept 0 (the default).
To continue quick configuration, skip to the "Configuring the IPSec Group" section or the "Changing the Admin Password" section.
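The page advises confirming that an external server is reachable and that you know its secret and port before referencing it here, and it notes that the Concentrator acts as a RADIUS client. The script below is an added example, not Cisco or CiscoSecure code: it implements the client side of an RFC 2865 PAP Access-Request in Python's standard library, hiding the User-Password with the RFC's MD5/XOR scheme and verifying the Response Authenticator so that a reply from a host that does not hold the shared secret is rejected rather than trusted. It can be pointed at a RADIUS server to confirm the secret and port match before committing them to the Concentrator; the usual values are 1645 (this page's default) or 1812 (the IANA-assigned port). All names, addresses and secrets in it are constructed.

```python
"""Minimal RFC 2865 Access-Request client for checking a RADIUS server and
its shared secret. Added example, not Cisco code; all values are constructed."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one type-length-value attribute; length covers the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    ciphertext block), where the first 'previous block' is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password (what the server does); strips NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret: bytes, identifier: int, request_auth: bytes,
                         username: str, password: str, nas_ip: str) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by attributes."""
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(secret, request_auth, password.encode()))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def response_is_authentic(secret: bytes, identifier: int, request_auth: bytes, reply: bytes) -> bool:
    """Verify Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(reply) < 20 or reply[1] != identifier:
        return False
    code, _, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return code in (ACCESS_ACCEPT, ACCESS_REJECT) and expected == reply[4:20]


def build_reply(secret: bytes, request: bytes, code: int, attrs: bytes = b"") -> bytes:
    """Server side of the exchange; included only to exercise the client offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def query(server: str, port: int, secret: bytes, username: str, password: str,
          nas_ip: str, timeout: float = 4.0) -> str:
    """Send one Access-Request over UDP; return accept, reject, bad-secret or timeout."""
    identifier, request_auth = 1, os.urandom(16)
    request = build_access_request(secret, identifier, request_auth, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    if not response_is_authentic(secret, identifier, request_auth, reply):
        return "bad-secret"   # wrong shared secret, or a forged/corrupted reply
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    # Placeholder server; replace with the RADIUS server you plan to reference.
    print(query("RADIUS_SERVER_PLACEHOLDER", 1645, b"B8y077E", "simonz", "9se7pt14", "10.10.0.10"))
```

A "bad-secret" result with a reachable server is the case to resolve before Step 2 above: the server answered, but its Response Authenticator was not computed with the secret you intend to enter on the Concentrator.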
To configure an external Windows NT Domain user authentication server, follow these steps:
At the cursor, enter the NT Domain server IP address in dotted decimal notation; for example, 192.168.56.78.
Step 2 The system prompts you to enter the NT Primary Domain Controller hostname for this server. You must enter this name, and it must be the correct hostname for the server whose IP address you entered in Step 1; if it is incorrect, authentication will fail.
At the cursor, enter the NT Primary Domain Controller hostname for this server; for example, PDC01. The maximum length is 16 characters.
Step 3 The system prompts you to enter the TCP port number by which you access the NT Domain server.
At the cursor, enter the NT Domain port number; for example, 139. To have the system supply the default port number (139), press Enter to accept 0 (the default).
To continue quick configuration, skip to the "Configuring the IPSec Group" section or the "Changing the Admin Password" section.
To configure an external SDI (RSA Security Inc. SecurID) user authentication server, follow these steps:
At the cursor, enter the SDI server hostname or IP address; for example, 192.168.56.78. The maximum length is 32 characters.
Step 2 The system prompts you to enter the UDP port number by which you access the SDI server.
At the cursor, enter the SDI port number; for example, 5500. To have the system supply the default port number (5500), press Enter to accept 0 (the default).
To continue quick configuration, proceed to the next section, "Configuring the IPSec Group," or to the "Changing the Admin Password" section.
To configure an external Kerberos/Active Directory Authentication server, follow these steps:
At the cursor, enter the Kerberos/Active Directory server hostname or IP address; for example, 192.168.56.78.
Step 2 The system prompts you to enter the Kerberos server port number by which you access the server.
At the cursor, enter the Kerberos server port number. To have the system supply the default port number (88), press Enter to accept 0 (the default).
Step 3 The system prompts you to enter the Timeout period. Enter the number of seconds the VPN Concentrator should wait after sending a query to the server and receiving no response, before trying again. The minimum is 1 second. The default is 4 seconds. The maximum is 30 seconds.
Step 4 The system prompts you to enter Retries. Enter the number of times the VPN Concentrator should try sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator considers this server inoperative. The minimum is 0 retries. The default is 2 retries. The maximum is 10 retries.
Step 5 The system prompts you to enter the realm name for this server, for example: US.ACME.COM. You must enter this name, and it must be the correct realm name for the server for which you entered the IP address previously. If it is incorrect, authentication will fail.
The following types of servers require that you enter the realm name in all uppercase letters: Windows 2000, Windows XP, and Windows .NET. For these types of servers, if the letters are not uppercase, authentication will fail.
To continue quick configuration, proceed to the next section, "Configuring the IPSec Group," or to the "Changing the Admin Password" section.
This section appears only if you enable the IPSec tunneling protocol.
The remote-access IPSec client connects to the VPN Concentrator via this group name and password, which are automatically configured on the internal authentication server. This is the IPSec group that creates the tunnel. Users then log in, and are authenticated, by means of their usernames and passwords.
To configure the IPSec group name and password, follow these steps:
At the cursor, enter a unique name for this group. Maximum is 32 characters, case-sensitive; for example, Group1.
Step 2 The system prompts you to enter the group password.
At the cursor, enter a unique password for this group. The minimum is 4, and the maximum is 32 characters, case-sensitive. The system displays only asterisks.
Step 3 The system prompts you to reenter the group password to verify it.
At the cursor, reenter the group password. The system displays only asterisks.
You can change the password for the admin administrator user. For ease of use during startup, the default admin password supplied with the VPN Concentrator is also admin. Since the admin user has full access to all management and administration functions on the device, we strongly recommend you change this password to improve device security. You can further configure all administrators with the regular Administration menus.
At the cursor, enter a new password for admin. Remember that entries are case sensitive. For maximum security, the password should be at least 8 characters long, a mixture of upper- and lower-case alphabetic and numeric characters, and not easily guessed; for example, W8j9Haq3. The system displays only asterisks. To keep the default, press Enter.
Step 2 The system prompts you to re-enter the password to verify it.
At the cursor, reenter the new password. The system displays only asterisks. To keep the default, press Enter.
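Because the CLI echoes only asterisks, a mistyped or policy-violating value is easy to commit. The following helper is an added example, not Cisco code, that encodes the rules this chapter states for the three secrets (user passwords 8 to 32 characters, group passwords 4 to 32 characters, admin password at least 8 characters mixing upper-case, lower-case and numeric characters and not easily guessed) together with the internal-server constraints from the "internal authentication server" steps above (unique, case-sensitive user names of up to 32 characters, an optional per-user address and mask, and at most 100 groups and users combined). The list of guessable values and the sample users are constructed; the checker never stores the password it validates.

```python
"""Validation for the quick-configuration secrets and the internal user
database. Added example, not Cisco code; sample values are constructed."""
import ipaddress
from typing import Dict, List, Optional

MAX_INTERNAL_ENTRIES = 100   # groups and users combined, as stated on the page
# Constructed list of values not to accept as the admin password; the page
# itself notes that the device ships with admin/admin.
GUESSABLE = {"admin", "password", "cisco", "12345678", "vpn3000"}


def _length_problems(secret: str, lo: int, hi: int, what: str) -> List[str]:
    problems = []
    if not lo <= len(secret) <= hi:
        problems.append(f"{what} must be {lo}-{hi} characters, got {len(secret)}")
    if secret != secret.strip():
        problems.append(f"{what} has leading or trailing whitespace")
    return problems


def check_user_password(password: str) -> List[str]:
    return _length_problems(password, 8, 32, "user password")


def check_group_password(password: str) -> List[str]:
    return _length_problems(password, 4, 32, "group password")


def check_admin_password(password: str, username: str = "admin") -> List[str]:
    problems = []
    if len(password) < 8:
        problems.append("admin password must be at least 8 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)):
        problems.append("admin password needs upper-case, lower-case and numeric characters")
    if password.lower() in GUESSABLE or username.lower() in password.lower():
        problems.append("admin password is a well-known default or contains the user name")
    return problems


def add_internal_user(db: Dict[str, dict], name: str, password: str,
                      ip: Optional[str] = None, mask: Optional[str] = None) -> List[str]:
    """Validate one user as the internal-server steps require and record it.
    Returns the list of problems; the user is added only if the list is empty.
    The password is checked but deliberately not stored by this example."""
    problems = []
    if not 1 <= len(name) <= 32:
        problems.append("user name must be 1-32 characters")
    if name in db:                       # names are case-sensitive: exact match only
        problems.append(f"user {name} already exists")
    problems += check_user_password(password)
    if ip is not None:                   # per-user address assignment in use
        try:
            ipaddress.IPv4Interface(f"{ip}/{mask}")
        except ValueError as exc:
            problems.append(f"bad per-user address or mask: {exc}")
    if len(db) >= MAX_INTERNAL_ENTRIES:
        problems.append(f"internal database already holds {MAX_INTERNAL_ENTRIES} entries")
    if not problems:
        db[name] = {"ip": ip, "mask": mask}
    return problems


if __name__ == "__main__":
    users: Dict[str, dict] = {}
    print(add_internal_user(users, "simonz", "9se7pt14", "10.10.1.35", "255.255.0.0"))
    print(check_group_password("Group1pw"), check_admin_password("W8j9Haq3"))
```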
You have finished quick configuration, and your entries constitute the active or running configuration. The VPN Concentrator now has enough information, and it is operational. For example, a configured remote user with a PC and modem can use Microsoft PPTP and a local ISP to connect securely, in a VPN tunnel through the Internet, with resources on a private, internal corporate network.
We strongly recommend that you save the active configuration before you exit. Should you need to restart the VPN Concentrator, it will then boot with your configured parameters.
The system displays the final quick configuration menu.
At the cursor, enter 2 to save the active configuration in the system config file.
You are now ready to exit the CLI.
At the cursor, enter 3 to exit the CLI.
Step 2 The system displays:
If you wish to use the CLI for other functions, enter 1 at the cursor in Step 1 above. For information on using the CLI, see the VPN 3000 Concentrator Series User Guide.
Now that the VPN Concentrator is operational, you can do the following:
Posted: Thu May 1 22:15:06 PDT 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.