The Cisco VPN 3002 Hardware Client communicates with a VPN 3000 Series Concentrator to create a virtual private network across a TCP/IP network (such as the Internet). The VPN 3002 requires minimal configuration, and you can monitor, configure, and upgrade multiple hardware clients at multiple sites from a central location.
The secure connection between the VPN 3002 and the VPN Concentrator is called a tunnel; it uses the IP Security (IPSec) protocol to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. It can support a single IP network.
The VPN 3002 Hardware Client provides an alternative to deploying the VPN client software to PCs at remote locations. Like the software client, the VPN 3002 is located at a remote site, and provides a secure connection to a VPN Concentrator at a central site. It is important to understand that it is a hardware client, and that you configure it as a client of the central-site VPN Concentrator, not as a site-to-site connection.
Reasons to use the VPN 3002 rather than the software client include:
There are two versions of this VPN 3002 Hardware Client:
The VPN 3002 works in either of two modes: Client mode or Network Extension mode. Client mode is the default.
A new interactive multimedia piece explains the differences between Client (PAT) mode and Network Extension mode. To view it, go to this URL:
http://www.cisco.com/mm/techsnap/VPN3002_techsnap.html
Your web browser must be equipped with a current version of the Macromedia Flash Player to view the content. If you are unsure whether your browser has the most recent version, you may want to download and install a free copy from:
http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash
Client mode, also called Port Address Translation (PAT) mode, isolates all devices on the VPN 3002 private network from those on the corporate network. In PAT mode:
All traffic from the private network appears on the network behind the central-site VPN Concentrator (the IKE peer) with a single source IP address. This IP address is the one the central-site VPN Concentrator assigns to the VPN 3002. The IP addresses of the computers on the VPN 3002 private network are hidden. You cannot ping or access a device on the VPN 3002 private network from outside of that private network, or directly from a device on the private network at the central site.
You always assign the VPN 3002 to a tunnel group on the central-site VPN Concentrator. If you enable split tunneling for that group, IPSec and PAT are applied to all traffic that travels through the VPN 3002 to networks within the network list for that group behind the central-site VPN Concentrator.
Traffic from the VPN 3002 to any destination other than those within the network list for that group on the central-site VPN Concentrator travels in the clear without applying IPSec. NAT translates the network addresses of the devices connected to the VPN 3002 private interface to the assigned IP address of the public interface and also keeps track of these mappings so that it can forward replies to the correct device.
The network and addresses on the private side of the VPN 3002 are hidden, and cannot be accessed directly.
Network Extension mode allows the VPN 3002 to present a single, routable network to the remote private network over the VPN tunnel. IPSec encapsulates all traffic from the VPN 3002 private network to networks behind the central-site VPN Concentrator. PAT does not apply. Therefore, devices behind the VPN Concentrator have direct access to devices on the VPN 3002 private network over the tunnel, and only over the tunnel, and vice versa. The VPN 3002 must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.
In this mode, the central-site VPN Concentrator does not assign an IP address for tunneled traffic (as it does in Client/PAT mode). The tunnel is terminated with the VPN 3002 private IP address (the assigned IP address). To use Network Extension mode, you must configure an IP address other than the default of 192.168.10.1 and disable PAT.
Software versions 3.6 and later let a network administrator restrict the use of network extension mode. On the VPN Concentrator, you enable network extension mode for VPN 3002 hardware clients on a group basis.
Note If you disallow network extension mode, which is the default setting on the VPN Concentrator, the VPN 3002 can connect to that VPN Concentrator in PAT mode only. In this case, be careful that all VPN 3002s in the group are configured for PAT mode. If a VPN 3002 is configured to use network extension mode and the VPN Concentrator to which it connects disallows network extension mode, the VPN 3002 attempts to connect every 4 seconds, and every attempt is rejected. In this situation, the VPN 3002 puts an unnecessary processing load on the VPN Concentrator to which it connects; if large numbers of VPN 3002s are misconfigured in this way, the VPN Concentrator has a reduced ability to provide service.
You always assign the VPN 3002 to a tunnel group on the central-site VPN Concentrator. If you enable split tunneling for that group, IPSec operates on all traffic that travels through the VPN 3002 to networks within the network list for that group behind the central-site VPN Concentrator. PAT does not apply.
Traffic from the VPN 3002 to any destination other than those within the network list on the central-site VPN Concentrator travels in the clear without applying IPSec. NAT translates the network addresses of the devices on the VPN 3002 private network to the address of the VPN 3002 public interface. Thus the network and addresses on the private side of the VPN 3002 are accessible over the tunnel, but are protected from the Internet, that is, they cannot be accessed directly.
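The forwarding rules for the two modes, as an added example that is not part of the original document or Cisco's code: a small Python model of a VPN 3002 that applies the group's split-tunneling network list, collapses inside hosts to the single assigned address in PAT mode, passes inside addresses through unchanged in Network Extension mode, and checks the configuration requirements and the concentrator's per-group "allow network extension mode" setting described above. The class and method names (Vpn3002, outbound, inbound_from_tunnel, connect) and all addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not Cisco's code: a model of how a VPN 3002 forwards traffic
# in Client (PAT) mode versus Network Extension mode, including the group's
# split-tunneling network list and the concentrator's per-group "allow network
# extension mode" setting. Class and method names are hypothetical; the
# addresses used are constructed sample values.

DEFAULT_PRIVATE_IP = "192.168.10.1"   # factory default named on the page


@dataclass
class Vpn3002:
    mode: str                                # "pat" (Client mode) or "nem"
    private_ip: str                          # private interface address
    private_net: ipaddress.IPv4Network       # LAN behind the VPN 3002
    public_ip: str                           # public interface address
    assigned_ip: str = ""                    # address the concentrator assigns in PAT mode
    split_networks: list = field(default_factory=list)   # group network list; empty = tunnel all
    nat_table: dict = field(default_factory=dict)        # inside host -> translated port
    next_port: int = 20000

    def config_errors(self):
        """Requirements from the page, checked before any tunnel attempt."""
        errors = []
        if self.mode == "nem" and self.private_ip == DEFAULT_PRIVATE_IP:
            errors.append("Network Extension mode needs a private IP other than the default")
        if self.mode == "pat" and not self.assigned_ip:
            errors.append("PAT mode needs the address assigned by the concentrator")
        return errors

    def connect(self, group_allows_nem):
        """Outcome of the tunnel attempt against the concentrator's group policy."""
        if self.config_errors():
            return "misconfigured"
        if self.mode == "nem" and not group_allows_nem:
            # Rejected; a real unit retries every 4 seconds and loads the concentrator
            return "rejected"
        return "connected"

    def _port_for(self, src):
        # One translated port per inside host keeps the model small; real PAT is per flow
        if src not in self.nat_table:
            self.nat_table[src] = self.next_port
            self.next_port += 1
        return self.nat_table[src]

    def _via_tunnel(self, dst):
        if not self.split_networks:
            return True                       # no split tunneling: everything is tunneled
        return any(ipaddress.ip_address(dst) in net for net in self.split_networks)

    def outbound(self, src, dst):
        """Return (path, source address as the destination sees it)."""
        if ipaddress.ip_address(src) not in self.private_net:
            raise ValueError(f"{src} is not on the VPN 3002 private network")
        if self._via_tunnel(dst):
            if self.mode == "pat":
                # Every inside host appears as the single assigned address
                return "ipsec+pat", f"{self.assigned_ip}:{self._port_for(src)}"
            return "ipsec", src               # NEM: inside addresses are routable over the tunnel
        # Outside the network list: sent in the clear, NAT'd to the public interface
        return "clear+nat", f"{self.public_ip}:{self._port_for(src)}"

    def inbound_from_tunnel(self, dst):
        """Can a host at the central site reach an inside host directly over the tunnel?"""
        if self.mode == "nem" and ipaddress.ip_address(dst) in self.private_net:
            return "delivered"
        return "dropped"                      # PAT hides the private network entirely

    def inbound_from_internet(self, dst):
        """The private side is never reachable from the clear, in either mode."""
        return "dropped"


if __name__ == "__main__":
    lan = ipaddress.ip_network("192.168.50.0/24")
    corp = [ipaddress.ip_network("10.0.0.0/8")]
    pat = Vpn3002("pat", "192.168.50.1", lan, "203.0.113.5", assigned_ip="10.1.1.40", split_networks=corp)
    nem = Vpn3002("nem", "192.168.50.1", lan, "203.0.113.5", split_networks=corp)
    for unit in (pat, nem):
        print(unit.mode, unit.connect(group_allows_nem=False), unit.outbound("192.168.50.7", "10.2.2.2"))
```

Running the block shows the two units sending the same packet: the PAT unit is accepted by a group that disallows Network Extension mode and its host appears as the assigned address, while the NEM unit is rejected by that group and, once allowed, its host keeps its own address over the tunnel.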
IPSec is the set of standards that enables the VPN 3002 to connect to a central-site VPN Concentrator over a secure VPN tunnel. Its security measures address data privacy, integrity, authentication, and key management, as well as tunneling.
The VPN 3002 supports IPSec over TCP, which encapsulates encrypted data traffic within TCP packets. IPSec over TCP enables the VPN 3002 to operate in an environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, UDP 500) cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and enables secure tunneling through both NAT and PAT devices and firewalls.
Note This feature does not work with proxy-based firewalls.
The VPN 3002 Hardware Client, which supports one tunnel at a time, can connect using standard IPSec, IPSec over NAT-T, IPSec over TCP, or IPSec over UDP, but only one for the same tunnel.
To use IPSec over TCP, both the VPN 3002 and the VPN Concentrator to which it connects must
NAT-T (NAT Traversal) lets IPSec peers establish a connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPSec traffic when necessary.
The VPN 3002 hardware client supports NAT-T in software version 3.6 and later. It uses NAT-T by default, and requires no configuration. The VPN 3002 first attempts NAT-T, and then IPSec/UDP (if enabled) if a NAT device is not auto-detected, allowing IPSec traffic to pass through firewalls that disallow IPSec.
The VPN 3002 supports User Datagram Protocol (UDP) Network Address Translation/Firewall (NAT) Transparent IPSec, which encapsulates encrypted data traffic within UDP packets. IPSec over UDP enables secure transmission between the VPN 3002 Hardware Client and the VPN Concentrator at the central site through a device, such as a firewall, that is performing Network Address Translation (NAT). The VPN 3002 sends keepalives frequently, ensuring that the mappings on the NAT device are kept active.
You do not have to configure this feature on the VPN 3002, but the following requirements do apply:
Note We do not currently support a topology with multiple VPN 3002 Hardware Clients behind one NAT device.
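The four transports described above (standard IPSec, IPSec over TCP, NAT-T, IPSec over UDP), as an added example that is not part of the original document or Cisco's code: a Python classifier that labels constructed flow records by the transport they carry, lists which transport each peer has been seen using, and works out which transports a firewall allow-list permits. ESP (IP protocol 50), IKE (UDP 500) and NAT-T (UDP 4500) are as stated on the page; the ports for IPSec over UDP and IPSec over TCP are configured on the VPN Concentrator, so IPSEC_UDP_PORT and IPSEC_TCP_PORT are assumed example settings, and the select_transport ordering is a simplification of the NAT-T-then-IPSec/UDP sequence in the text.

```python
from collections import defaultdict

# Added example, not Cisco's code: classifies flow records by the IPSec
# transport they carry and works out which transports a firewall policy
# lets through. ESP (IP protocol 50), IKE (UDP 500) and NAT-T (UDP 4500)
# come from the page; the ports for IPSec over UDP and IPSec over TCP are
# configured on the VPN Concentrator, so the values below are example
# settings, not defaults taken from the page. Flow lines are constructed.

IPSEC_UDP_PORT = 10000   # example setting for IPSec over UDP
IPSEC_TCP_PORT = 10000   # example setting for IPSec over TCP

SAMPLE_FLOWS = [          # constructed: "<proto> <src>:<sport> -> <dst>:<dport>"
    "udp 203.0.113.5:500 -> 198.51.100.10:500",
    "udp 203.0.113.5:4500 -> 198.51.100.10:4500",
    "tcp 203.0.113.6:33000 -> 198.51.100.10:10000",
    "esp 203.0.113.7:0 -> 198.51.100.10:0",
    "udp 203.0.113.7:500 -> 198.51.100.10:500",
    "udp 203.0.113.8:3389 -> 198.51.100.10:53",
]


def classify(proto, dport):
    """Map (IP protocol name, destination port) to an IPSec transport label, or None."""
    if proto == "esp":
        return "ESP"
    if proto == "udp":
        if dport == 500:
            return "IKE"
        if dport == 4500:
            return "NAT-T"
        if dport == IPSEC_UDP_PORT:
            return "IPSec/UDP"
    if proto == "tcp" and dport == IPSEC_TCP_PORT:
        return "IPSec/TCP"
    return None


def parse_flow(line):
    proto, src, _arrow, dst = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return proto, src_ip, int(sport), dst_ip, int(dport)


def transports_per_peer(lines):
    """Which IPSec transports each source address has been seen using."""
    seen = defaultdict(set)
    for line in lines:
        proto, src_ip, _, _, dport = parse_flow(line)
        label = classify(proto, dport)
        if label:
            seen[src_ip].add(label)
    return dict(seen)


def usable_transports(allowed):
    """Transports that can complete through a firewall that permits only the
    (proto, port) pairs in `allowed` (port None for ESP). Standard IPSec needs
    IKE and ESP; NAT-T needs IKE and UDP 4500; IPSec over UDP is modelled with
    IKE on UDP 500 and the data wrapped in the configured UDP port; IPSec over
    TCP carries both IKE and IPSec inside one TCP port, so only that is needed."""
    ike = ("udp", 500) in allowed
    ok = []
    if ike and ("esp", None) in allowed:
        ok.append("standard IPSec")
    if ike and ("udp", 4500) in allowed:
        ok.append("NAT-T")
    if ike and ("udp", IPSEC_UDP_PORT) in allowed:
        ok.append("IPSec/UDP")
    if ("tcp", IPSEC_TCP_PORT) in allowed:
        ok.append("IPSec/TCP")
    return ok


def select_transport(nat_detected, ipsec_udp_enabled):
    """Simplified order from the page: NAT-T when a NAT device is detected,
    otherwise IPSec over UDP if enabled, otherwise standard IPSec."""
    if nat_detected:
        return "NAT-T"
    if ipsec_udp_enabled:
        return "IPSec/UDP"
    return "standard IPSec"


if __name__ == "__main__":
    print(transports_per_peer(SAMPLE_FLOWS))
    print(usable_transports({("tcp", IPSEC_TCP_PORT)}))
```

Against the constructed flows, peer 203.0.113.5 shows up as IKE plus NAT-T, 203.0.113.6 as IPSec over TCP, and 203.0.113.7 as plain IKE plus ESP; a firewall that permits only the configured TCP port leaves IPSec over TCP as the single workable transport, which is the situation the section describes.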
The VPN 3002 software includes these features.
Interactive hardware client authentication prevents users on the VPN 3002 private LAN from accessing the central site until the VPN 3002 authenticates.
When you enable interactive hardware client authentication, the VPN 3002 does not use a saved username and password. Instead you must manually enter a valid username and password for the VPN 3002 each time you connect. When the VPN 3002 initiates the tunnel, it sends the username and password to the VPN Concentrator to which it connects. The VPN Concentrator facilitates authentication, on either the internal or an external server. If the username and password are valid, the tunnel is established.
You configure interactive hardware client authentication on the VPN Concentrator, which pushes the policy to the VPN 3002. For more information and configuration instructions, refer to the "User Management" chapter of the VPN 3000 Series Concentrator Reference Volume 1: Configuration.
When you enable interactive hardware client authentication for a group, the VPN Concentrator pushes that policy to the VPN 3002s in the group. If you have previously set a username and password on the VPN 3002, the software deletes them from the configuration file. When you try to connect, the software prompts you for a username and password.
If, on the VPN Concentrator, you subsequently disable interactive hardware authentication for the group, it is enabled locally on the VPN 3002, and the software continues to prompt for a username and password. This lets the VPN 3002 connect, even though it lacks a saved username and password, and the VPN Concentrator has disabled interactive hardware client authentication.
If you subsequently configure a username and password (in the VPN 3002 Configuration | System | Tunneling Protocols | IPSec screen), the feature is disabled, and the prompt no longer displays. The VPN 3002 connects to the VPN Concentrator using the saved username and password.
Individual user authentication protects the central site from access by unauthorized persons on the private network of the VPN 3002.
When you enable individual user authentication, each user that connects through a VPN 3002 must open a web browser and manually enter a valid username and password to access the network behind the VPN Concentrator, even though the tunnel already exists. The VPN 3002 directs the browser to the proper pages for login. When the user successfully logs in, the browser displays your default home page.
Note You cannot use the command-line interface to log in if user authentication is enabled. You must use a browser.
You configure individual user authentication on the VPN Concentrator, which pushes the policy to the VPN 3002. For more information and configuration instructions, refer to the "User Management" chapter of the VPN 3000 Series Concentrator Reference Volume 1: Configuration.
LEAP (Lightweight Extensible Authentication Protocol) Bypass lets LEAP packets from devices behind a VPN 3002 travel across a VPN tunnel prior to individual user authentication. This lets workstations using wireless access point devices establish LEAP authentication. Then they authenticate again per individual user authentication (if enabled).
Administrators enable LEAP Bypass on a group basis at the central site, via a checkbox on the VPN Concentrator HW Client tab on the Group configuration page.
IEEE 802.1X is a standard for authentication on wired and wireless networks. It provides wireless LANs with strong mutual authentication between clients and authentication servers, which can provide dynamic per-user, per-session wireless encryption privacy (WEP) keys, removing administrative burdens and security issues that are present with static WEP keys.
Cisco Systems has developed an 802.1X wireless authentication type called Cisco LEAP. LEAP implements mutual authentication between a wireless client on one side of a connection and a RADIUS server on the other side. The credentials used for authentication, including a password, are always encrypted before they are transmitted over the wireless medium.
LEAP users behind a VPN 3002 have a circular dilemma: they cannot negotiate LEAP authentication because they cannot send their credentials to the RADIUS server behind the central site device over the tunnel. The reason why they can't send credentials over the tunnel is because they have not authenticated on the wireless network. To solve this problem, LEAP Bypass lets LEAP packets, and only LEAP packets, traverse the tunnel to authenticate the wireless connection to a RADIUS server before individual users authenticate. Then the users proceed with individual user authentication.
LEAP Bypass works as intended under the following conditions:
Caution There may be security risks in allowing any unauthenticated traffic to traverse the tunnel.
Table 1-1 summarizes how authentication of the VPN 3002 works by default, and how it works with interactive hardware client authentication and individual user authentication enabled. Be aware that you can use interactive hardware client authentication and individual user authentication simultaneously, or either one without the other.
Table 1-1 Authenticating the VPN 3002 Hardware Client and Users
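The behaviour that interactive hardware client authentication, individual user authentication and LEAP Bypass produce together, as an added example that is not part of the original document or Cisco's code: a Python state model of a VPN 3002 that applies a pushed group policy, deletes stored credentials when interactive hardware client authentication is enabled, keeps prompting when the feature is later disabled but no credentials are saved, and decides per packet whether an inside host's traffic is forwarded, redirected to the browser login page, passed as LEAP, or dropped. The class names (GroupPolicy, Vpn3002State, Concentrator) and the account data are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Added example, not Cisco's code: models which traffic from a host behind the
# VPN 3002 reaches the central site under interactive hardware client
# authentication, individual user authentication and LEAP Bypass. The decisions
# follow the text of the section; class and method names are hypothetical and
# the credentials are constructed sample data.


@dataclass
class GroupPolicy:                       # pushed by the VPN Concentrator to the VPN 3002
    interactive_hw_auth: bool = False
    individual_user_auth: bool = False
    leap_bypass: bool = False


class Concentrator:
    """Stand-in for the VPN Concentrator's internal authentication server."""
    def __init__(self, accounts):
        self.accounts = accounts         # username -> password (constructed sample data)

    def check(self, username, password):
        expected = self.accounts.get(username)
        return expected is not None and secrets.compare_digest(expected, password)


@dataclass
class Vpn3002State:
    policy: GroupPolicy
    saved_credentials: Optional[tuple] = None    # (username, password) in the config file
    tunnel_up: bool = False
    authenticated_hosts: set = field(default_factory=set)   # inside hosts that logged in

    def on_policy_push(self, policy):
        """Enabling interactive hardware client auth deletes any stored credentials."""
        self.policy = policy
        if policy.interactive_hw_auth:
            self.saved_credentials = None

    def needs_credential_prompt(self):
        # Prompts while the feature is on, and also when it was switched off on the
        # concentrator but no username and password have been configured since
        return self.policy.interactive_hw_auth or self.saved_credentials is None

    def bring_up_tunnel(self, concentrator, typed_credentials=None):
        creds = typed_credentials if self.needs_credential_prompt() else self.saved_credentials
        if creds is None:
            return "prompt-required"
        self.tunnel_up = concentrator.check(*creds)
        return "up" if self.tunnel_up else "rejected"

    def user_login(self, host_ip, concentrator, username, password):
        """Browser login for one inside host; the tunnel already exists."""
        if not self.policy.individual_user_auth:
            return "not-required"
        if concentrator.check(username, password):
            self.authenticated_hosts.add(host_ip)
            return "ok"
        return "failed"

    def decide(self, host_ip, is_leap=False, is_http=False):
        """Forwarding decision for a packet from host_ip on the private LAN."""
        if not self.tunnel_up:
            return "drop"                # nothing crosses until the VPN 3002 itself authenticates
        if not self.policy.individual_user_auth or host_ip in self.authenticated_hosts:
            return "forward"
        if is_leap and self.policy.leap_bypass:
            return "forward-leap"        # only LEAP packets, before the user logs in
        if is_http:
            return "redirect-to-login"   # browser is sent to the login pages
        return "drop"


if __name__ == "__main__":
    conc = Concentrator({"fargo-3002": "hw-example-pw", "alice": "user-example-pw"})
    unit = Vpn3002State(GroupPolicy(), saved_credentials=("fargo-3002", "hw-example-pw"))
    unit.on_policy_push(GroupPolicy(interactive_hw_auth=True, individual_user_auth=True, leap_bypass=True))
    print(unit.bring_up_tunnel(conc), unit.bring_up_tunnel(conc, ("fargo-3002", "hw-example-pw")))
    print(unit.decide("192.168.50.7"), unit.decide("192.168.50.7", is_leap=True), unit.decide("192.168.50.7", is_http=True))
```

The last two prints show the sequence the section describes: the tunnel cannot come up until credentials are typed, and once it is up an inside host's ordinary traffic is still dropped, its LEAP packets pass, and its web traffic is redirected to the login page until the user authenticates.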
IPSec backup servers let a VPN 3002 hardware client connect to the central site when its primary central-site VPN Concentrator is unavailable. You configure backup servers for a VPN 3002 either on the VPN 3002, or on a group basis at the central-site VPN Concentrator. If you configure backup servers on the central-site VPN Concentrator, that VPN Concentrator pushes the backup server policy to the VPN 3002 hardware clients in the group.
Figure 1-1 illustrates how the backup server feature works.
XYZ corporation has large sites in three cities: San Jose, California; Austin, Texas; and Boston, Massachusetts. They just opened a regional sales office in Fargo, North Dakota. To provide access to the corporate network from Fargo, they use a VPN 3002 that connects to a VPN 3080 in San Jose (1). If the VPN 3002 is unable to contact the corporate network, Fargo cannot place orders. The IPSec backup server feature lets the VPN 3002 connect to one of several sites, in this case using Austin (2) and Boston (3) as backup servers, in that order.
The VPN 3002 in Fargo first tries to reach San Jose. If the initial IKE packet for that connection (1) times out (8 seconds), it tries to connect to Austin (2). Should this negotiation also time out, it tries to connect to Boston (3). These attempts continue until the VPN 3002 has tried all servers on its backup server list, to a maximum of 10.
Be aware of the following characteristics of the backup server feature:
You can configure the backup server feature from the primary VPN Concentrator or the VPN 3002. From the VPN Concentrator configure backup servers on either of the Configuration | User Management | Base Group or Groups | Mode Configuration screens. On the VPN 3002, configure backup servers on the Configuration | System | Tunneling Protocols | IPSec screen.
The list you configure on the VPN 3002 applies only if the option, Use Client Configured List, is set. To set this option, go to the IPSec Backup Servers parameter on the Mode Configuration tab of the Configuration | User Management | Groups | Add/Modify screen of the primary VPN Concentrator to which the VPN 3002 connects.
Note The group name, username, and passwords that you configure for the VPN 3002 must be identical for the primary VPN Concentrator and all backup servers. Also, if you require interactive hardware client authentication and/or individual user authentication for the VPN 3002 on the primary VPN Concentrator, be sure to configure it on backup servers as well.
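The backup server sequence above, as an added example that is not part of the original document or Cisco's code: a Python simulation that builds the server list the VPN 3002 will use (the concentrator's pushed list, or the client-configured list when "Use Client Configured List" is set), tries the primary and then each backup in order with the 8-second initial IKE timeout and 10-server maximum from the text, and reports backup servers whose group name, username, password or authentication settings differ from the primary, which is the misconfiguration the note warns about. Function names, the Clock helper and the server names are constructed for the example.

```python
# Added example, not Cisco's code: simulates the backup server sequence the
# page describes (primary first, then each backup in order, moving on when the
# initial IKE packet gets no reply within 8 seconds, at most 10 backup
# servers) and checks the note's requirement that group name, username,
# password and the two authentication settings match on every server.
# Function names and server names are hypothetical.

IKE_TIMEOUT_SECONDS = 8
MAX_BACKUP_SERVERS = 10
MUST_MATCH = ("group", "username", "password", "hw_auth", "user_auth")


class Clock:
    """Simulated wall clock so the failover timing can be checked offline."""
    def __init__(self):
        self.now = 0

    def advance(self, seconds):
        self.now += seconds


def effective_server_list(primary, concentrator_backups, client_backups, use_client_list):
    """Servers the VPN 3002 will try: the primary, then the backup list pushed by
    the concentrator unless the group's "Use Client Configured List" option is set."""
    backups = client_backups if use_client_list else concentrator_backups
    return [primary] + list(backups)[:MAX_BACKUP_SERVERS]


def connect_with_failover(servers, send_ike, clock):
    """Try each server in order. send_ike(server) returns the seconds until the
    IKE reply, or None when the server never answers. Returns (server, attempts)."""
    attempts = []
    for server in servers:
        reply_after = send_ike(server)
        if reply_after is not None and reply_after <= IKE_TIMEOUT_SECONDS:
            clock.advance(reply_after)
            attempts.append((server, "connected"))
            return server, attempts
        clock.advance(IKE_TIMEOUT_SECONDS)    # initial IKE packet timed out
        attempts.append((server, "timeout"))
    return None, attempts


def credential_mismatches(primary_cfg, backup_cfgs):
    """Backup servers whose settings differ from the primary, with the keys that differ."""
    out = {}
    for name, cfg in backup_cfgs.items():
        diff = [k for k in MUST_MATCH if cfg.get(k) != primary_cfg.get(k)]
        if diff:
            out[name] = diff
    return out


if __name__ == "__main__":
    servers = effective_server_list("sanjose", ["austin", "boston"], [], use_client_list=False)
    latency = {"sanjose": None, "austin": None, "boston": 2}   # constructed: first two unreachable
    clock = Clock()
    print(connect_with_failover(servers, latency.get, clock), "after", clock.now, "seconds")
    primary = {"group": "sales", "username": "fargo", "password": "example-pw", "hw_auth": True}
    print(credential_mismatches(primary, {"boston": dict(primary, password="other", hw_auth=False)}))
```

With San Jose and Austin unreachable, the simulated unit reaches Boston after two 8-second timeouts plus the reply delay, matching the (1), (2), (3) order in Figure 1-1; the mismatch report is the check to run before trusting that a backup server will actually accept the VPN 3002.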
H.323 is the packet-based multimedia communications standard written by the ITU. A variety of applications use this standard to effect real-time audio, video and data communications. It lets the VPN 3002 support Microsoft NetMeeting. Figure 1-2 is a network diagram that illustrates H.323 services the VPN 3002 supports. H.323 requires no configuration on the VPN 3002.
The following sections describe H.323 features, referring to Figure 1-2.
Be aware of the following characteristics of NetMeeting GateKeepers.
When an H.323 call is disconnected, the NetMeeting application still displays the names of the meeting callers in the Call window. Before you place a new call, perform a Hangup operation to remove these names.
When a VPN tunnel disconnects without the PC behind the VPN 3002 logging off from the GateKeeper, problems may occur. This is so whether the VPN session terminates gracefully, or because of a network failure (NetMeeting PC reboots or VPN 3002 reboots).
Because of the failure to log off, a registration mismatch may occur between the GateKeeper and the NetMeeting application. The GateKeeper maintains a NetMeeting registration based on a configurable inactivity timeout period, with the default being one hour. If a PC attempts registration after a disconnect and before the timeout period has expired, the GateKeeper rejects the request.
1. Log off from the GateKeeper before disconnecting the tunnel.
2. Set the GateKeeper registration timeout value to a shorter time period. We recommend 15 minutes. Use the "endpoint ttl" command on the Cisco GateKeeper to set this value.
RADIUS with password expiry is an IPSec authentication method that you configure for a VPN 3002 on the VPN Concentrator to which it connects. This option lets the VPN Concentrator that is attempting to authenticate an IPSec client to an external RADIUS server (acting as a proxy to an NT server) determine when a user's password has expired and prompt for a new password. By default, this option is disabled.
Enabling this option allows the VPN Concentrator to use MS-CHAP-v2 when authenticating an IPSec client to an external RADIUS server. That RADIUS server must support both MS-CHAP-v2 and the Microsoft Vendor Specific Attributes. Refer to the documentation for your RADIUS server to verify that it supports these capabilities.
Because of the use of MS-CHAP-v2, when this option is enabled, the VPN Concentrator can provide enhanced login failure messages that describe specific error conditions. These conditions are:
The "password expired" message appears when the user whose password has expired first attempts to log in. The other messages appear only after three unsuccessful login attempts.
Note To use RADIUS password expiry with a VPN 3002, you must enable interactive hardware client authentication. This feature does not work for individual user authentication.
Load balancing lets you distribute sessions among two or more VPN Concentrators connected on the same network to handle remote sessions. Load balancing directs sessions to the least loaded device, thus distributing the load among all devices. It makes efficient use of system resources and provides increased performance and high availability. Load balancing requires no configuration on the VPN 3002.
You can enroll and install digital certificates on the VPN 3002 automatically or manually. The automatic method is a new feature that uses the Simple Certificate Enrollment Protocol (SCEP) to streamline enrollment and installation. SCEP is a secure messaging protocol that requires minimal user intervention. This method is quicker than enrolling and installing digital certificates manually, but it is available only if you are both enrolling with a CA that supports SCEP and enrolling via the web. If your CA does not support SCEP, or if you enroll with digital certificates by a means other than the web (such as through email or by a diskette), then you cannot use the automatic method; you must use the manual method.
You can now reset and restore statistical data to better note changes in that data. When you click Reset on a monitoring or administration screen, the system temporarily resets a counter for the chosen statistics without affecting the operation of the VPN 3002. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer. Click Restore to return to the actual statistical values.
The VPN 3002 now supports an XML-based interface that lets you use an external management application.
Cisco management applications, third-party applications that manage our products, and customers who want to manage their devices using their own infrastructure can use this interface. This feature is enabled by default; you do not have to configure it.
The XML data can be sent to or uploaded from the VPN Concentrator using HTTPS, SSH, or standard file transfer mechanisms such as FTP or TFTP.
You can configure the VPN Concentrator to add routes to its routing table for remote hardware or software clients. The VPN Concentrator can then advertise these routes to its private network via RIP or OSPF. This feature is called reverse route injection (RRI).
For example, with a VPN 3002 in network extension mode, network extension RRI automatically adds hosts on the VPN 3002 private network to the VPN Concentrator's routing table for distribution by either RIP or OSPF.
RRI requires no configuration on the VPN 3002.
Software version 3.6 adds support for Advanced Encryption Standard (AES), which is more secure than DES and more efficient than triple DES. AES has 128-, 192-, and 256-bit key strengths. This software version also adds support for Diffie-Hellman Group 5. You select an encryption algorithm as part of IPSec configuration on the VPN Concentrator.
An administrator can create a banner on the VPN 3000 Concentrator and push it to the VPN 3002. This lets an organization provide information to users about their network, terms for use, liability, and other issues. The banner displays only when individual user authentication is enabled.
The VPN Concentrator sends reasons for VPN Concentrator-initiated disconnects to both software clients and VPN 3002 hardware clients. The client decodes the reason, and displays it in the event log.
The VPN 3002 sends reasons for VPN3002-initiated disconnects to the VPN Concentrator at the central site. The VPN Concentrator decodes the reason, and displays it in the event log.
This feature does not work with the Cisco PIX Firewall.
This feature is active by default, but an administrator can disable it.
The VPN 3002 hardware client lets you monitor memory usage in terms of block size and free and used blocks.
The VPN 3002 offers multiple management interfaces. You can use each of these interfaces to fully configure, administer, and monitor the device.
The VPN 3002 incorporates the following software features:
The VPN 3002 has the following physical specifications:
Normal operating environment, 32° to 104°F (0° to 40°C), convection only
Approximately 328 feet (100 meters) from an active network device
Posted: Sat Apr 5 08:30:43 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.