Network Security Fundamentals [Electronic resources] - Text version


Gert De Laet, Gert Schauwers

Case Study: Remote Access VPN


This case study translates some of the material covered in this chapter into a real-life scenario. The same Company XYZ is used for this scenario as in previous chapters, and the topology of that company is shown in Figure 12-15.

Figure 12-15. XYZ Topology

The whole topology from Figure 12-15 is not used in this scenario, only a small part. The part that is useful for this case study is shown in Figure 12-16.

Figure 12-16. Remote Access VPNs

Chapter 13. Using preshared keys, the client needs to know only the address of the concentrator and the shared secret key. Although VPN configuration is relatively easy with preshared keys, this manual process does not scale well for large implementations. For now, try to configure the concentrator to use preshared keys.

For the initial part of the configuration, you need to attach a console cable to configure the private address of this device. Once the private interface is configured, you can access the concentrator from a workstation using a web browser. The concentrator enters into quick configuration mode the first time it is powered up. After the system has performed the boot functions, you should see the login prompt. When prompted, supply the default login name of admin and the default password, which is also admin. After you run through the menus and you have configured the private interface (in this case, with address 10.0.0.20), you can access the concentrator from the server (10.0.0.100).

When the browser connects to the concentrator, you see the initial login screen, as shown in Figure 12-17.

Figure 12-17. Concentrator Login Screen

To continue with the configuration that you started from the command-line interface (CLI), you have to log in with the same login and password you used before. After the VPN Concentrator has accepted your administration login, the screen shown in Figure 12-18 is displayed in your browser window.

Figure 12-18. Concentrator Main Screen

Figure 12-18 shows Configuration, Administration, and Monitoring in the upper-left corner. These three keys are the primary navigation tools for the daily VPN manager functions. To proceed with the case study, you have to click the word Interfaces that appears under Configuration. On the screen that displays, select Interface 2. This is the public interface, which brings you to the screen shown in Figure 12-19.

Figure 12-19. Concentrator Interface Screen

On this screen, you can disable the interface, make it a Dynamic Host Configuration Protocol (DHCP) client, or give it a static IP address. For this example, you are using a static IP address (131.108.1.2). You can also set the speed and the mode of the interface on that screen. They are left to default for this example. As a filter, select the default public filter, which is all you have to configure for the public interface. Now you have to perform the same steps for the private interface.

Once the interfaces are configured, you have to add a group and a user to the concentrator. To do this, click User Management under Configuration. Select Groups because you have to define a group before you can add users to that group. This is shown in Figure 12-20.

Figure 12-20. Concentrator Group Screen

As you can see, the Groups page has several tabs:

  • Identity

  • General

  • IPSec

  • Mode Config

  • Client FW

  • HW Client

  • PPTP/L2TP


For this case study, you are concerned only with Identity, General, and IPSec. On the Identity screen, you have to enter a group name (in this case, the name is vpngroup12) and a password.

That password is also the shared key that the client uses to log in to the concentrator. You also have to define the type of authentication that is used for this group. Users can be authenticated via the following methods:

  • RADIUS servers

  • NT domain controllers

  • Concentrator internal server


In this case study, you use the internal server, so the next step is adding a user to the concentrator internal server. This is done later in the case study. Now that you have defined a group, you can go to the next tab (General) that is shown in Figure 12-21.

Figure 12-21. Group Screen: General

On this screen, the following information is available:

  • Access Hours
    Selected from the drop-down menu, this attribute determines when the concentrator is open for business for this group. It is currently set to No Restrictions, but you could also select Never, Business Hours (9 a.m. to 5 p.m., Monday through Friday), or a named access hour range that you created elsewhere in the VPN Manager.

  • Simultaneous Logins
    The default is 3, and the minimum is 0. There is no upper limit, but security and prudence would suggest that you limit this value to 1.

  • Minimum Password Length
    The allowable range is 1 to 32 characters. A value of 8 provides a good level of security for most applications.

  • Allow Alphabetic-Only Passwords
    Notice that the Inherit? box has been unchecked. The default is to allow alphabetic-only passwords, which is a security risk. This value has been modified.

  • Idle Timeout
    30 minutes is a good value here. The minimum allowable value is 1, and the maximum is a value that equates to more than 4000 years. Zero disables idle timeout.

  • Maximum Connect Time
    Zero disables maximum connect time. The range here is again 1 minute to more than 4000 years.

  • Filter
    Filters determine the "interesting traffic" that uses IPSec. There are three default filters: Public, Private, and External. You can select from those or from any that you may define in the drop-down box. The option None permits all traffic to be handled by IPSec.

  • Primary/Secondary DNS/WINS
    These have been modified from the base groups default settings.

  • SEP Card Assignment
    Some models of the VPN Concentrator can contain up to four Scalable Encryption Processing (SEP) modules that handle encryption functions. This attribute allows you to steer the IPSec traffic for this group to specific SEPs in order to perform your own load balancing. SEP Card Assignment is only visible when there is a SEP card in the concentrator.

  • Tunneling Protocols
    IPSec has been selected, but you could allow the group to use PPTP, L2TP, and L2TP over IPSec as well.

  • Strip Realm
    The default operation of the VPN Concentrator verifies users against the internal database using a combination of the username and realm qualifier, as in username@group. The @group portion is called the realm. You can have the VPN Concentrator use the name only by checking the value for this attribute.


When you have completed these steps, you can move on to the next screen, shown in Figure 12-22, where all IPSec parameters can be configured.

Figure 12-22. Group Screen: IPSec

On this screen, the following attributes can be configured:

  • IPSec SA
    For remote access clients, you must select an IPSec Security Association (SA) from this list of available combinations. The client and server negotiate an SA that governs authentication, encryption, encapsulation, key management, and so on based on your selection here.

    These are the default selections supplied by the VPN Concentrator:

    - None: No SA assigned.

    - ESP-DES-MD5: This SA uses DES 56-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel.

    - ESP-3DES-MD5: This SA uses 3DES 168-bit data encryption and ESP/MD5/HMAC-128 authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.

    - ESP/IKE-3DES-MD5: This SA uses 3DES 168-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel.

    - ESP-3DES-NONE: This SA uses 3DES 168-bit data encryption and no authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.

    - ESP-L2TP-TRANSPORT: This SA uses DES 56-bit data encryption and ESP/MD5/HMAC-128 authentication for IPSec traffic (with ESP applied only to the transport layer segment), and it uses 3DES 168-bit data encryption and MD5/HMAC-128 for the IKE tunnel. Use this SA with the L2TP over IPSec tunneling protocol.

    - ESP-3DES-MD5-DH7: This SA uses 3DES 168-bit data encryption and ESP/MD5/HMAC-128 authentication for both IPSec traffic and the IKE tunnel. It uses Diffie-Hellman Group 7 (ECC) to negotiate Perfect Forward Secrecy. This option is intended for use with the movianVPN client, but you can use it with other clients that support Diffie-Hellman Group 7 (ECC).

  • IKE Peer Identity Validation
    This option applies only to VPN tunnel negotiation based on certificates. This field enables you to hold clients to tighter security requirements.

  • IKE Keepalives
    This monitors the continued presence of a remote peer and notifies the remote peer that the concentrator is still active. If a peer no longer responds to the keepalives, the concentrator drops the connection, preventing hung connections that could clutter up the concentrator.

  • Tunnel Type
    You can select either LAN-to-LAN or Remote Access as the tunnel type. If you select LAN-to-LAN, you do not need to complete the remainder of this screen. For this case study, you need to select Remote Access.

  • Group Lock
    Checking this field forces the user to be a member of this group when authenticating to the concentrator.

  • Authentication
    This field selects the method of user authentication to use. The available options are as follows:

    - None: No user authentication occurs. Use this with L2TP over IPSec.

    - RADIUS: Uses an external RADIUS server for authentication. The server address is configured elsewhere.

    - RADIUS with Expiry: Uses an external RADIUS server for authentication. If the user's password has expired, this method gives the user the opportunity to create a new password.

    - NT Domain: Uses an external Windows NT Domain system for user authentication.

    - SDI: Uses an external RSA Security Inc. SecurID system for user authentication.

    - Internal: Uses the internal VPN Concentrator authentication server for user authentication.

  • IPComp
    This option permits the use of the LZS compression algorithm for IP traffic. This could speed up connections for users connecting through low-speed dialup circuits.

    NOTE

    For more info on the LZS compression algorithm, go to the following URL: http://www.ietf.org/internet-drafts/draft-friend-tls-lzs-compression-04.txt.

  • Reauthentication on Rekey
    During IKE Phase 1, the VPN Concentrator prompts the user to enter an ID and password. When you enable reauthentication, the concentrator prompts for user authentication whenever a rekey occurs, such as when the IKE SA lifetime expires. If the SA lifetime is set too short, this could be an annoyance to your users, but it does provide an additional layer of security.

  • Mode Configuration
    During SA negotiations, this option permits the exchange of configuration parameters with the client. If you want to pass any configuration information to the client, such as Domain Name System (DNS) or Windows Internet Naming Service (WINS) addresses, you need to enable this option. If you check this box, you need to continue on to the Mode Config tab to complete the selection of attributes there.


If these settings are completed as shown in Figure 12-22, the only thing left is to add a user to the concentrator internal server user database. This can be done by clicking Users under User Management. This screen is shown in Figure 12-23.

Figure 12-23. Concentrator User Screen

On this screen, add a user gschauwe and a password, and assign that user to the group you previously made. Then click Apply. At that point, the concentrator is ready for use.
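As an added example (not code from the book or from Cisco), the following Python audits a group policy against the recommendations given in the General and IPSec attribute lists above; the GroupPolicy fields, the SA-label parsing and the audit rules are assumptions modelled on the GUI attributes, and the sample group is constructed to match vpngroup12 as configured in this case study.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class GroupPolicy:
    """Subset of the concentrator's General and IPSec group attributes (field names assumed)."""
    name: str
    simultaneous_logins: int
    minimum_password_length: int
    allow_alphabetic_only: bool
    idle_timeout_min: int           # 0 disables the idle timeout
    ipsec_sa: str                   # SA label as listed in the GUI, e.g. "ESP-3DES-MD5"
    authentication: str             # "None", "RADIUS", "NT Domain", "SDI" or "Internal"

def parse_sa(sa_name: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (encryption, authentication) applied to IPSec traffic for a default SA label."""
    if sa_name == "None":
        return None, None
    parts = sa_name.replace("ESP/IKE-", "ESP-").split("-")
    if parts[0] != "ESP" or len(parts) < 3:
        raise ValueError(f"unrecognised SA label: {sa_name}")
    if parts[1] == "L2TP":          # ESP-L2TP-TRANSPORT: DES 56-bit with MD5/HMAC-128
        return "DES", "MD5"
    return parts[1], parts[2]       # ESP-3DES-MD5-DH7 -> ("3DES", "MD5"); DH7 only affects PFS

def audit_group(p: GroupPolicy) -> List[str]:
    """Flag settings that fall short of the case study's recommendations."""
    findings = []
    if p.simultaneous_logins != 1:
        findings.append("simultaneous logins not limited to 1")
    if p.minimum_password_length < 8:
        findings.append("minimum password length below 8")
    if p.allow_alphabetic_only:
        findings.append("alphabetic-only passwords allowed")
    if p.idle_timeout_min == 0:
        findings.append("idle timeout disabled")
    enc, auth = parse_sa(p.ipsec_sa)
    if enc is None:
        findings.append("no IPSec SA assigned")
    else:
        if enc == "DES":
            findings.append("IPSec traffic encrypted with 56-bit DES")
        if auth == "NONE":
            findings.append("IPSec traffic carries no authentication")
    if p.authentication == "None":
        findings.append("no user authentication (only appropriate for L2TP over IPSec)")
    return findings

# Constructed sample: vpngroup12 as in the case study, with the default Simultaneous Logins of 3 kept.
VPNGROUP12 = GroupPolicy("vpngroup12", 3, 8, False, 30, "ESP-3DES-MD5", "Internal")
```

Running audit_group(VPNGROUP12) reports only the Simultaneous Logins value, which the text suggests limiting to 1.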

The next step in this case study is setting up the VPN client on the telecommuter PC. To do this, start the VPN client by clicking Start > Programs > Cisco Systems VPN Client > VPN Dialer. This brings you to the screen shown in Figure 12-24.

Figure 12-24. VPN Client

On this screen, click New to add a new connection. On the first screen of the wizard, supply a name and a brief description. After you have entered a name and a description, click Next. Figure 12-25 displays the screen that you see.

Figure 12-25. VPN Client: Setup Step 1

This screen asks you to identify the VPN server to which you will be connecting. The public address of the VPN concentrator is required, so enter 131.108.1.2 to reach the concentrator you configured earlier. Click Next after you have identified the host server. Figure 12-26 shows the next screen.

Figure 12-26. VPN Client: Setup Step 2

To configure the client to use preshared keys for the IPSec connection, enter the IPSec group name and password in the appropriate fields of the Group Access Information section. The group name you established earlier was vpngroup12. Click Next and Finish to quit this wizard. Now you are able to connect to the concentrator by clicking Connect on the screen shown in Figure 12-24. This connects you to the VPN Concentrator. After you have established a connection, the concentrator asks you to log in to verify that the correct user is now using the VPN client. After you have entered your username and password, you can access the network behind the VPN concentrator.
