This case study translates some of the material covered in this chapter into a real-life scenario. The same Company XYZ is used for this scenario as in previous chapters, and the topology of that company is shown in Figure 12-15.
Not the whole topology from Figure 12-15 is used in this scenario, only a small part of it. The part that is useful for this case study is shown in Figure 12-16.
Chapter 13. Using preshared keys, the client needs to know only the address of the concentrator and the shared secret key. Although VPN configuration is relatively easy with preshared keys, this manual process does not scale well for large implementations. For now, try to configure the concentrator to use preshared keys.
For the initial part of the configuration, you need to attach a console cable to configure the private address of this device. Once the private interface is configured, you can access the concentrator from a workstation using a web browser. The concentrator enters into quick configuration mode the first time it is powered up. After the system has performed the boot functions, you should see the login prompt. When prompted, supply the default login name of admin and the default password, which is also admin. After you run through the menus and you have configured the private interface (in this case, with address 10.0.0.20), you can access the concentrator from the server (10.0.0.100).
When the browser connects to the concentrator, you see the initial login screen, as shown in Figure 12-17.
To continue with the configuration that you started from the command-line interface (CLI), you have to log in with the same login and password you used before. After the VPN Concentrator has accepted your administration login, the screen shown in Figure 12-18 is displayed in your browser window.
Figure 12-18 shows Configuration, Administration, and Monitoring in the upper-left corner. These three keys are the primary navigation tools for the daily VPN manager functions. To proceed with the case study, you have to click the word Interfaces that appears under Configuration. On the screen that displays, select Interface 2. This is the public interface, which brings you to the screen shown in Figure 12-19.
On this screen, you can disable the interface, make it a Dynamic Host Configuration Protocol (DHCP) client, or give it a static IP address. For this example, you are using a static IP address (131.108.1.2). You can also set the speed and the mode of the interface on that screen; they are left at their defaults for this example. As a filter, select the default public filter, which is all you have to configure for the public interface. Now you have to perform the same steps for the private interface.
Once the interfaces are configured, you have to add a group and a user to the concentrator. To do this, click User Management under Configuration. Select Groups, because you have to define a group before you can add users to that group. This is shown in Figure 12-20.
As you can see, the group configuration screen has the following tabs:
- Identity
- General
- IPSec
- Mode Config
- Client FW
- HW Client
- PPTP/L2TP
For this case study, you are concerned only with Identity, General, and IPSec. On the Identity screen, you have to enter a group name (in this case, the name is vpngroup12) and a password.
That password is also the shared key that the client uses to log in to the concentrator. You also have to define the type of authentication that is used for this group. Users can be authenticated via the following methods:
- RADIUS servers
- NT domain controllers
- Concentrator internal server
In this case study, you use the internal server, so the next step is adding a user to the concentrator internal server. This is done later in the case study. Now that you have defined a group, you can go to the next tab (General) that is shown in Figure 12-21.
On this screen, the following information is available:
Access Hours: Selected from the drop-down menu, this attribute determines when the concentrator is open for business for this group. It is currently set to No Restrictions, but you could also select Never, Business Hours (9 a.m. to 5 p.m., Monday through Friday), or a named access hour range that you created elsewhere in the VPN Manager.
Simultaneous Logins: The default is 3, and the minimum is 0. There is no upper limit, but security and prudence would suggest that you limit this value to 1.
Minimum Password Length: The allowable range is 1 to 32 characters. A value of 8 provides a good level of security for most applications.
Allow Alphabetic-Only Passwords: Notice that the Inherit? box has been unchecked. The default is to allow alphabetic-only passwords, which is a security risk. This value has been modified.
Idle Timeout: 30 minutes is a good value here. The minimum allowable value is 1, and the maximum is a value that equates to more than 4000 years. Zero disables idle timeout.
Maximum Connect Time: Zero disables maximum connect time. The range here is again 1 minute to more than 4000 years.
Filter: Filters determine the "interesting traffic" that uses IPSec. There are three default filters: Public, Private, and External. You can select from those or from any that you may define in the drop-down box. The option None permits all traffic to be handled by IPSec.
Primary/Secondary DNS/WINS: These have been modified from the base group's default settings.
SEP Card Assignment: Some models of the VPN Concentrator can contain up to four Scalable Encryption Processing (SEP) modules that handle encryption functions. This attribute allows you to steer the IPSec traffic for this group to specific SEPs in order to perform your own load balancing. SEP Card Assignment is only visible when there is a SEP card in the concentrator.
Tunneling Protocols: IPSec has been selected, but you could allow the group to use PPTP, L2TP, and L2TP over IPSec as well.
Strip Realm: The default operation of the VPN Concentrator verifies users against the internal database using a combination of the username and realm qualifier, as in username@group. The @group portion is called the realm. You can have the VPN Concentrator use the name only by checking the value for this attribute.
When you have completed these steps, you can move on to the next screen, shown in Figure 12-22, where all IPSec parameters can be configured.
On this screen, the following attributes can be configured:
IPSec SA: For remote access clients, you must select an IPSec Security Association (SA) from this list of available combinations. The client and server negotiate an SA that governs authentication, encryption, encapsulation, key management, and so on based on your selection here.
These are the default selections supplied by the VPN Concentrator:
- None: No SA assigned.
- ESP-DES-MD5: This SA uses DES 56-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel.
- ESP-3DES-MD5: This SA uses 3DES 168-bit data encryption and ESP/MD5/HMAC-128 authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.
- ESP/IKE-3DES-MD5: This SA uses 3DES 168-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel.
- ESP-3DES-NONE: This SA uses 3DES 168-bit data encryption and no authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.
- ESP-L2TP-TRANSPORT: This SA uses DES 56-bit data encryption and ESP/MD5/HMAC-128 authentication for IPSec traffic (with ESP applied only to the transport layer segment), and it uses 3DES 168-bit data encryption and MD5/HMAC-128 for the IKE tunnel. Use this SA with the L2TP over IPSec tunneling protocol.
- ESP-3DES-MD5-DH7: This SA uses 3DES 168-bit data encryption and ESP/MD5/HMAC-128 authentication for both IPSec traffic and the IKE tunnel. It uses Diffie-Hellman Group 7 (ECC) to negotiate Perfect Forward Secrecy. This option is intended for use with the movianVPN client, but you can use it with other clients that support Diffie-Hellman Group 7 (ECC).
IKE Peer Identity Validation: This option applies only to VPN tunnel negotiation based on certificates. This field enables you to hold clients to tighter security requirements.
IKE Keepalives: This monitors the continued presence of a remote peer and notifies the remote peer that the concentrator is still active. If a peer no longer responds to the keepalives, the concentrator drops the connection, preventing hung connections that could clutter up the concentrator.
Tunnel Type: You can select either LAN-to-LAN or Remote Access as the tunnel type. If you select LAN-to-LAN, you do not need to complete the remainder of this screen. For this case study, you need to select Remote Access.
Group Lock: Checking this field forces the user to be a member of this group when authenticating to the concentrator.
Authentication: This field selects the method of user authentication to use. The available options are as follows:
- None: No user authentication occurs. Use this with L2TP over IPSec.
- RADIUS: Uses an external RADIUS server for authentication. The server address is configured elsewhere.
- RADIUS with Expiry: Uses an external RADIUS server for authentication. If the user's password has expired, this method gives the user the opportunity to create a new password.
- NT Domain: Uses an external Windows NT Domain system for user authentication.
- SDI: Uses an external RSA Security Inc. SecurID system for user authentication.
- Internal: Uses the internal VPN Concentrator authentication server for user authentication.
IPComp: This option permits the use of the LZS compression algorithm for IP traffic. This could speed up connections for users connecting through low-speed dialup circuits.
NOTE
For more information on the LZS compression algorithm, go to the following URL: http://www.ietf.org/internet-drafts/draft-friend-tls-lzs-compression-04.txt.
Reauthentication on Rekey: During IKE Phase 1, the VPN Concentrator prompts the user to enter an ID and password. When you enable reauthentication, the concentrator prompts for user authentication whenever a rekey occurs, such as when the IKE SA lifetime expires. If the SA lifetime is set too short, this could be an annoyance to your users, but it does provide an additional layer of security.
Mode Configuration: During SA negotiations, this option permits the exchange of configuration parameters with the client. If you want to pass any configuration information to the client, such as Domain Name System (DNS) or Windows Internet Naming Service (WINS) addresses, you need to enable this option. If you check this box, you need to continue on to the Mode Config tab to complete the selection of attributes there.
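As an added example (not from the book and not Cisco's own code), the following Python audit applies the guidance given above for the General and IPSec tabs to a group's settings: it decomposes the concentrator's default SA names into cipher, integrity algorithm and DH group, and reports settings such as the default of 3 simultaneous logins or an SA that applies no authentication. The dictionary keys and the sample values for vpngroup12 are assumptions constructed for this example, not the concentrator's own attribute identifiers.

```python
# Constructed sample mirroring the case study's vpngroup12 settings on the
# General and IPSec tabs. The key names are assumptions for this example,
# not the concentrator's own attribute identifiers.
VPNGROUP12 = {
    "simultaneous_logins": 3,        # concentrator default
    "min_password_length": 8,
    "allow_alphabetic_only": False,  # Inherit? unchecked, value modified
    "idle_timeout_min": 30,
    "ipsec_sa": "ESP-3DES-MD5",
    "ike_keepalives": True,
}

def parse_sa(name):
    """Decompose one of the concentrator's default IPSec SA names into the
    cipher, integrity algorithm and optional DH group applied to IPSec traffic."""
    if name == "None":
        return {"cipher": None, "auth": None, "dh_group": None}
    if name == "ESP-L2TP-TRANSPORT":  # DES-56 and MD5 on the transport segment
        return {"cipher": "DES", "auth": "MD5", "dh_group": None}
    tokens = name.split("-")[1:]      # drop the leading ESP or ESP/IKE prefix
    dh = tokens[2][2:] if len(tokens) > 2 else None  # "DH7" -> "7"
    return {"cipher": tokens[0], "auth": tokens[1], "dh_group": dh}

def audit_group(settings):
    """Return one finding per setting that departs from the guidance given for
    the General and IPSec tabs; an empty list means nothing to report."""
    findings = []
    sa_name = settings["ipsec_sa"]
    if settings["simultaneous_logins"] != 1:
        findings.append("simultaneous_logins: limit to 1 (default 3, no upper limit)")
    if settings["min_password_length"] < 8:
        findings.append("min_password_length: raise to at least 8 characters")
    if settings["allow_alphabetic_only"]:
        findings.append("allow_alphabetic_only: disable it (uncheck Inherit? first)")
    if settings["idle_timeout_min"] == 0:
        findings.append("idle_timeout: 0 disables the timeout; 30 minutes is a good value")
    sa = parse_sa(sa_name)
    if sa["auth"] in (None, "NONE"):
        findings.append(f"ipsec_sa: {sa_name} applies no authentication to IPSec traffic")
    if sa["cipher"] == "DES":
        findings.append(f"ipsec_sa: {sa_name} uses 56-bit DES encryption")
    if sa["dh_group"] is None:
        findings.append(f"ipsec_sa: {sa_name} negotiates no DH group, so no Perfect Forward Secrecy")
    if not settings["ike_keepalives"]:
        findings.append("ike_keepalives: enable so that hung connections are dropped")
    return findings

if __name__ == "__main__":
    for finding in audit_group(VPNGROUP12):
        print(finding)
```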
If these settings are completed as shown in Figure 12-22, the only thing left is to add a user to the concentrator internal server user database. This can be done by clicking Users under User Management. This screen is shown in Figure 12-23.
On this screen, add a user gschauwe and a password, and assign that user to the group you previously made. Then click Apply. At that point, the concentrator is ready for use.
The next step in this case study is setting up the VPN client on the telecommuter PC. To do this, start the VPN client by clicking Start > Programs > Cisco Systems VPN Client > VPN Dialer. This brings you to the screen shown in Figure 12-24.
On this screen, click New to add a new connection. On the first screen of the wizard, supply a name and a brief description. After you have entered a name and a description, click Next. Figure 12-25 displays the screen that you see.
This screen asks you to identify the VPN server to which you will be connecting. The public address of the VPN concentrator is required, so enter 131.108.1.2 to reach the concentrator you configured earlier. Click Next after you have identified the host server. Figure 12-26 shows the next screen.
To configure the client to use preshared keys for the IPSec connection, enter the IPSec group name and password in the appropriate fields of the Group Access Information section. The group name you established earlier was vpngroup12. Click Next and Finish to quit this wizard. Now you are able to connect to the concentrator by clicking Connect on the screen shown in Figure 12-24. This connects you to the VPN Concentrator. After you have established a connection, the concentrator asks you to log in to verify that the correct user is now using the VPN client. After you have entered your username and password, you can access the network behind the VPN concentrator.