Tunneling

Tunneling is the heart of virtual private networking. Tunnels make it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network.

The secure connection is called a tunnel, and the VPN 3002 uses the IPSec tunneling protocol to:

•

It can receive plain packets from the private network, encapsulate them, create a tunnel, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination

•

It can receive encapsulated packets from the public network, unencapsulate them, and send them to their final destination on the private network.

Configuration | System | Tunneling Protocols

Configuration | System | Tunneling Protocols | IPSec

The VPN 3002 complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. It can also establish IPSec tunnels to other IPSec security gateways, including the Cisco PIX firewall, and Cisco IOS routers. IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol.

In IPSec terminology, a "peer" is a remote-access client or another secure gateway. During tunnel establishment under IPSec, the two peers negotiate Security Associations (SAs) that govern authentication, encryption, encapsulation, key management, etc. These negotiations involve two phases: the first phase establishes the tunnel (the IKE SA); the second phase governs traffic within the tunnel (the IPSec SA).

The VPN 3002 initiates all tunnels with the VPN Concentrator; the VPN Concentrator functions only as responder. The VPN 3002 as initiator proposes SAs; the responder accepts, rejects, or makes counter-proposals—all in accordance with configured SA parameters. To establish a connection, both entities must agree on the SAs.

The Cisco VPN 3002 supports these IPSec attributes, but they are configurable on the central-site VPN Concentrator, not on the VPN 3002:

•

Main mode for negotiating phase one of establishing ISAKMP Secure Associations (SAs) (automatic if you are using certificates)

–

AES-128 = Advanced Encryption Standard (AES) encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than triple DES.

Remote Easy VPN Server

Enter the IP address or hostname of the remote server. This is the IP address or hostname of the public interface on the VPN Concentrator to which this VPN 3002 connects. Use dotted decimal notation; for example, 192.168.34.56. To enter a hostname, a DNS server must be configured.

Backup Easy VPN Servers

To configure IPSec backup servers on the VPN 3002, enter up to 10 backup servers, using either IP address or hostname. Enter each backup server on a separate line. To enter a hostname, a DNS server must be configured. Further, if you use hostnames and the DNS server is unavailable, significant delays can occur.

Note If you are using hostnames, it is wise to have backup DNS and WINS servers on a separate network from that of the primary DNS and WINS servers. Otherwise, if clients behind the VPN 3002 obtain DNS and WINS information from the VPN 3002 through DHCP, and the connection to the primary server is lost, and the backup servers have different DNS and WINS information, clients cannot be updated until the DHCP lease expires.

About Backup Servers

IPSec backup servers let a VPN 3002 connect to the central site when its primary central-site VPN Concentrator is unavailable. You configure backup servers for a VPN 3002 either on the VPN 3002, or on a group basis at the central-site VPN Concentrator. If you configure backup servers on the primary central-site VPN Concentrator, that VPN Concentrator pushes the backup server policy to the VPN 3002 hardware clients in the group. By default, the policy is to use the backup server list configured on the VPN 3002. Alternatively, the VPN Concentrator can push a policy that supplies a list of backup servers in order of priority, replacing the backup server list on the VPN 3002 if one is configured. It can also disable the feature and clear the backup server list on the VPN 3002 if one is configured.

XYZ corporation has large sites in three cities: San Jose, California; Austin, Texas; and Boston, Massachusetts. They just opened a regional sales office in Fargo, North Dakota. To provide access to the corporate network from Fargo, they use a VPN 3002 that connects to a VPN 3080 in San Jose (1). If the VPN 3002 is unable to contact the corporate network, Fargo cannot place orders. The IPSec backup server feature lets the VPN 3002 connect to one of several sites, in this case using Austin (2) and Boston (3) as backup servers, in that order.

The VPN 3002 in Fargo first tries to reach San Jose. If the initial IKE packet for that connection (1) times out (8 seconds), it tries to connect to Austin (2). Should this negotiation also time out, it tries to connect to Boston (3). These attempts continue until the VPN 3002 has tried all servers on its backup server list, to a maximum of 10.

•

If the VPN 3002 cannot connect after trying all backup servers on the list, it does not automatically retry.

–

In Network Extension mode, the VPN 3002 attempts a new connection after 4 seconds.

–

In Client mode, the VPN 3002 attempts a new connection when the user clicks the Connect Now button on the Monitoring | System Status screen, or when data passes from the VPN 3002 to the VPN Concentrator.

•

A VPN 3002 must connect to the primary VPN Concentrator to download a backup server list configured on the primary VPN Concentrator. If that VPN Concentrator is unavailable, and if the VPN 3002 has a previously configured backup server list, it can connect to the servers on that list.

•

It can download a backup server list only from the primary VPN Concentrator. The VPN 3002 cannot download a backup server list from a backup server.

•

The VPN Concentrators that you configure as backup servers do not have to be aware of each other.

•

If you change the configuration of backup servers, or delete a backup server during an active session between a VPN 3002 and a backup server, the session continues without adopting that change. New settings take effect the next time the VPN 3002 connects to its primary VPN Concentrator.

You can configure the backup server feature from the primary VPN Concentrator or the VPN 3002.

•

From the VPN Concentrator configure backup servers on either of the Configuration | User Management | Base Group or Groups | Mode Configuration screens.

•

On the VPN 3002, configure backup servers on the Configuration | System | Tunneling Protocols | IPSec screen.

The list you configure on the VPN 3002 applies only if the option, Use Client Configured List, is set in the IPSec Backup Servers parameter. To set this option, go to the Mode Configuration tab on the Configuration | User Management | Groups | Add/Modify screen of the primary VPN Concentrator to which the VPN 3002 connects.

Note The group name, username, and passwords that you configure for the VPN 3002 must be identical for the primary VPN Concentrator and all backup servers. Also, if you require interactive hardware client authentication and/or individual user authentication for the VPN 3002 on the primary VPN Concentrator, be sure to configure it on backup servers as well.

Alert when disconnecting

The VPN 3002 notifies the VPN Concentrator at the central site of sessions that are about to be disconnected from its side of the connection, and conveys the reason. The VPN Concentrator decodes the reason, and displays it in the event log or in a pop-up screen. The feature is enabled by default. This screen lets you disable the feature so that the VPN 3002 does not send or receive alerts.

•

The VPN 3002 does not receive alerts when the VPN Concentrator at the central site disconnects sessions.

Note To send and receive alerts, the VPN 3002 and the VPN Concentrator to which the VPN 3002 connects must be running software version 4.0 or greater, and must have the feature enabled.

IPSec over TCP

Check IPSec over TCP if you want to connect using IPSec over TCP. This feature must also be enabled on the VPN Concentrator to which this VPN 3002 connects. See the explanation that follows.

IPSec over TCP Port

Enter the IPSec over TCP port number. You can enter one port. The port that you configure on the VPN 3002 must also match that configured on the VPN Concentrator to which this VPN 3002 connects.

About IPSec over TCP

IPSec over TCP encapsulates encrypted data traffic within TCP packets. This feature enables the VPN 3002 to operate in an environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, UDP 500) cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and enables secure tunneling through both NAT and PAT devices and firewalls.

The VPN 3002 Hardware Client, which supports one tunnel at a time, can connect using either standard IPSec, IPSec over TCP, or IPSec over UDP or IPSec over NAT-T.

To use IPSec over TCP, both the VPN 3002 and the VPN Concentrator to which it connects must be running version 3.5 software.

Use Certificate

This parameter specifies whether to use preshared keys or a PKI (Public Key Infrastructure) digital identity certificate to authenticate the peer during Phase 1 IKE negotiations. See the discussion under Administration | Certificate Management, which is where you install digital certificates on the VPN 3002.

Certificate Transmission

If you configured authentication using digital certificates, choose the type of certificate transmission.

•

Entire certificate chain = Send the peer the identity certificate and all issuing certificates. Issuing certificates include the root certificate and any subordinate CA certificates.

Group

The VPN 3002 connects to the VPN Concentrator using this Group name and password, which must be configured on the central-site VPN Concentrator. Group and usernames and passwords must be identical on the VPN 3002 and on the VPN Concentrator to which it connects.

Name

In the Group Name field, enter a unique name for the group to which this VPN 3002 belongs. This is the group name configured on the central-site VPN Concentrator to which this VPN 3002 connects. Maximum is 32 characters, case-sensitive.

Password

In the Group Password field, enter a unique password for this group. This is the group password configured on the VPN Concentrator to which this VPN 3002 connects. Minimum is 4, maximum is 32 characters, case-sensitive. The field displays only asterisks.

Verify

In the Group Verify field, re-enter the group password to verify it. The field displays only asterisks.

User

You must also enter a username and password, and they must match the username and password configured on the central-site VPN Concentrator to which this VPN 3002 connects.

Name

In the User Name field, enter a unique name for the user in this group. Maximum is 32 characters, case-sensitive.This is the username configured on the central-site VPN Concentrator to which this
VPN 3002 connects. Maximum is 32 characters, case-sensitive.

Password

In the User Password field, enter the password for this user. This is the user password configured on the central-site VPN Concentrator to which this VPN 3002 connects. Minimum is 4, maximum is 32 characters, case-sensitive.

Verify

In the User Verify field, re-enter the user password to verify it. The field displays only asterisks.

Table Of Contents

Tunneling

Configuration | System | Tunneling Protocols

Configuration | System | Tunneling Protocols | IPSec

Remote Easy VPN Server

Backup Easy VPN Servers

About Backup Servers

Alert when disconnecting

IPSec over TCP

IPSec over TCP Port

About IPSec over TCP

Use Certificate

Certificate Transmission

Group

Name

Password

Verify

User

Name

Password

Verify