FNS10 Mod07

For review only.
Please do not distribute

DRAFT May 2003. All rights reserved.
© 2003, Cisco Systems, Inc. All rights

© 2003,
reserved.
Cisco Systems, Inc. All rights reserved. FNS 1.0—7-11
Module 7
Router Remote Access VPN
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-2

Learning Objectives
Upon completion of this chapter, the
For review only. Please do not distribute

student will be able to perform the following

tasks:
• Describe the Easy VPN Server.
• Describe the Easy VPN Remote.
• Configure Easy VPN Server.
• Configure the Easy VPN Remote using the Cisco
VPN 3.5 Client.

Overview

This module will focus on the Remote Access

VPN. Remote access is targeted to mobile users
and home telecommuters. The module will
discuss the tunneling technologies and
protocols that are necessary to secure any type
of Remote Access VPN.

Key terms

• VPN Client
• Easy VPN

Remote Access VPN

FNS 1.0—7-7
Introduction
© 2003, Cisco Systems, Inc. All rights reserved.

Remote Access Protocols


Cisco Easy VPN

The Cisco Easy VPN

The Cisco Easy VPN is made up of two

components:
• Easy VPN Server—Enables Cisco IOS routers, Cisco PIX
Firewalls, and Cisco VPN 3000 Concentrators to act as
VPN head-end devices in site-to-site or remote-access
VPNs, where the remote office devices are using the
Cisco Easy VPN Remote feature.
• Easy VPN Remote—Enables Cisco IOS routers, Cisco PIX
Firewalls, and Cisco VPN 3002 Hardware or Software
Clients to act as remote VPN Clients.

Remote Access Using
Cisco Easy VPN


Cisco Easy VPN Server Features

• The IOS release 12.2(8)T Easy VPN Server introduces

server support for the Cisco VPN Client release 3.x
software clients and supported Cisco VPN hardware
clients.
• It allows remote end users to communicate using IP
Security (IPSec) with supported Cisco IOS 12.2(8)T VPN
gateways.
• Centrally managed IPSec policies are “pushed” to the
clients by the server, minimizing configuration by the end
users.

New Functions Added
to 12.2(8)T and Easy VPN

• Mode configuration version 6 support

• Xauth version 6 support
• IKE Dead Peer Detection (DPD)
• Split tunneling control
• Initial Contact
• Group-based policy control

Supported IPSec Attributes
Options Attributes

Authentication algorithms • HMAC-MD5

• HMAC-SHA1
Authentication types • Pre-shared keys
• RSA digital signatures
Diffie-Hellman groups •2
•5
Encryption algorithms (IKE) • DES
• 3DES
Encryption algorithms (IPSec) • DES
• 3DES
• NULL
IPSec protocol identifiers • ESP
• IPCOMP-LZS
IPSec protocol mode Tunnel mode

Unsupported IPSec Attributes

Options Attributes
Authentication types Authentication using Digital Signature
Standard (DSS)
Diffie-Hellman group 1
IPSec protocol identifier IPSEC AH
IPSec protocol mode Transport mode
Miscellaneous • Manual keys
• Perfect Forward Secrecy (PFS)

Overview of the
Easy VPN Remote

Supported Easy VPN Remote Clients

• Cisco VPN Client (software) 3.x or later

• Cisco VPN Easy Remote
- Cisco 800 series
- Cisco 900 series
- Cisco 1700 series
- Cisco VPN 3002
- Cisco PIX 501 or 506E

Comparing VPN Client Feature
Support Against Server Type


Overview of the
Cisco VPN 3.5 Client

Cisco VPN Client Release 3.5

192.168.1.5

Cisco VPN Client 3.5 Features and
Benefits
The VPN Client provides the following features and benefits:
• Intelligent peer availability detection

• Simple Certificate Enrollment Protocol (SCEP)

• Data compression (Lempel-Ziv standard [LZS])
• Command-line options for connecting, disconnecting, and connection
status
• Configuration file with option locking
• Support for Microsoft network login (all platforms)
• Domain Name System (DNS), Windows Internet Name Service (WINS),
and IP address assignment
• Load balancing and backup server support
• Centrally controlled policies
• Integrated personal firewall (stateful firewall): Zone Labs technology
(Windows only)
• Personal firewall enforcement: Zone Alarm, BlackIce (Windows only)

Cisco VPN Client 3.5 Specifications
• Supported tunneling protocols

• Supported encryption/authentication
• Supported key management techniques
• Supported data compression technique
• Digital certificate support
• Authentication methodologies
• Profile management
• Policy management

How Easy VPN Works

Easy VPN Remote
Connection Process

• Step 1—The VPN Client initiates the IKE Phase 1 process.

• Step 2—The VPN Client establishes a IKE SA.
• Step 3—The Easy VPN Server accepts the SA proposal.
• Step 4—The Easy VPN Server initiates a
username/password challenge.
• Step 5—The mode configuration process is initiated.
• Step 6—The Reverse Route Injection (RRI) process is
initiated.
• Step 7—IKE quick mode completes the connection.

Step 1—The VPN Client Initiates the
IKE Phase 1 Process

Remote PC with IOS router

Easy Remote 12.2(8)T
VPN Client 3.x Easy VPN
Server
• Using preshared keys? Initiate Aggressive Mode (AM).

• Using digital certificates? Initiate Main Mode (MM).

Step 2—The VPN Client Establishes a
IKE SA


Server
Proposal 1, Proposal 2, Proposal 3
• The VPN Client attempts to establish an SA between peer

IP addresses by sending multiple IKE proposals to the
Easy VPN Server.
• To reduce manual configuration on the VPN Client, these
IKE proposals include several combinations of the
following:
- Encryption and hash algorithms
- Authentication methods
- Diffie-Hellman group sizes

Step 3—The Easy VPN Server Accepts
the SA Proposal


Server Proposal
checking
Proposal 1
finds
proposal 1
match
• The Easy VPN Server searches for a match:
- The first proposal to match the servers list is accepted
(highest priority match).
- The most secure proposals are always listed at the top of
the Easy VPN Server’s proposal list (highest priority).
• IKE SA is successfully established.
• Device authentication ends and user authentication begins.

Step 4—The Easy VPN Server Initiates
a Username/Password Challenge


Server
Username/password challenge AAA

checking
Username/password
• If the Easy VPN Server is configured for Xauth, the VPN

Client waits for a username/password challenge:
- The user enters a username/password combination.
- The username/password information is checked
against authentication entities using AAA.
• All Easy VPN Servers should be configured to enforce
user authentication.

Step 5—The Mode Configuration
Process is Initiated



Server
Client Requests Parameters
System Parameters via Mode Config
• If the Easy VPN Server indicates successful

authentication, the VPN Client requests the remaining
configuration parameters from the Easy VPN Server:
- Mode Configuration starts.
- The remaining system parameters (IP address, DNS,
split tunneling information, and so on) are
downloaded to the VPN Client.
• Remember that the IP address is the only required
parameter in a group profile; all other parameters are
optional.

Step 6—The RRI Process is Initiated


Server
VPN Tunnel RRI
static route
creation
• After the Easy VPN Server knows the VPN Client’s assigned IP
address, it must determine how to route packets through the
appropriate VPN tunnel:
- RRI creates a static route on the Easy VPN Server for each VPN
Client’s internal IP address.
- RRI must be enabled on the crypto maps supporting VPN
Clients.
• RRI need not be enabled on a crypto map applied to a GRE tunnel
that is already being used to distribute routing information.

Step 7—IKE Quick Mode Completes
the Connection


VPN Client 3.x Quick mode Easy VPN
IPSec SA Server
establishment
VPN tunnel
• After the configuration parameters have been successfully

received by the VPN Client, IKE quick mode is initiated to negotiate
IPSec SA establishment.
• After IPSec SA establishment, the VPN connection is complete.

Easy VPN Server
Configuration Tasks

Task 1—Enable Policy
Lookup via AAA

Task 1 contains the following steps:

• Step 1—Enable AAA.
• Step 2—Configure the password prompt (optional).
• Step 3—Configure the username prompt (optional).
• Step 4—Configure AAA authentication at login.
• Step 5—Configure Group Policy Lookup.
• Step 6—Define Local Users for Xauth (optional).

Step 1—Enable AAA

router(config)#
aaa new-model

Step 2—Configure the Password Prompt

router(config)#
aaa authentication password-prompt text-string

Step 3—Configure the Username Prompt

router(config)#
aaa authentication username-prompt text-string

Step 4—Configure AAA Authentication
at Login

router(config)#
aaa authentication login list-name method1
[method2…]

Step 5—Configure Group Policy Lookup

router(config)#
aaa authorization network list-name local group
radius

Step 6—Define Local Users for Xauth

router(config)#
Username name password encryption-type
encrypted-password

Task 2—Define Group Policy for Mode
Configuration Push


• Step 1—Add the group profile to be defined.
• Step 2—Configure the IKE pre-shared key.
• Step 3—Specify the DNS servers.
• Step 4—Specify the WINS servers.
• Step 5—Specify the DNS domain.
• Step 6—Specify the local IP address pool.
• Step 7—Configure split tunneling.

Step 1—Add the Group Profile to be
Defined

router(config)#
crypto isakmp client configuration group
{group-name | default}

Step 2—Configure the IKE Preshared
Key

router(isakmp-group)#
key name

Step 3—Specify the DNS Servers

dns primary-server secondary-server

Step 4—Specify the WINS Servers

wins primary-server secondary-server

Step 5—Specify the DNS Domain

domain name

Step 6—Specify the Local IP Address
Pool

pool name

Step 7—Configure Split Tunneling

acl number

Task 3—Apply Mode Configuration
and Xauth to Crypto Maps


• Step 1—Configure the router to respond
to MC requests.
• Step 2—Enable IKE queries.
• Step 3—Enforce Xauth.

Step 1—Configure Router to Respond to
Mode Configuration Requests

router(config)#
crypto map map-name client configuration
address {initiate | respond}

Step 2—Enable IKE Queries

router(config)#
crypto map map-name isakmp authorization list
list-name

Step 3—Enforce Xauth

router(config)#
crypto map map-name client authentication list
list-name

Task 4—Enable Reverse
Route Injection


• Step 1—Create a dynamic crypto map entry.
• Step 2—Specify IPSec peer IP address.
• Step 3—Specify transform sets.
• Step 4—Create the source proxy.
• Step 5—Specify the extended access list.

Step 1—Create a Dynamic Crypto Map
Entry
router(config)#

crypto dynamic-map dynamic-map-name

dynamic-seq-num
• Creates a dynamic crypto map entry
router(config)#
crypto map map-name seq-num ipsec-isakmp
• Adds a dynamic crypto map to a static crypto map set

Step 2—Specify IPSec Peer IP Address

router(config-crypto-map)#
set peer {hostname | ip-address}

Step 3—Specify Transform Sets

set transform-set transform-set-name
[transform-set-name2…transform-set-name6]

Step 4—Create the Source Proxy

reverse-route

Step 5—Specify the Extended Access
List

match address [access-list-id | name]

Task 5—Enable IKE Dead
Peer Detection

router(config)#
crypto isakmp keepalive secs retries

Task 6—Configure
RADIUS Server Support

router(config)#
radius-server host {hostname | ip-address}
[auth-port port-number] [acct-port port-number]
[timeout seconds] [retransmit retries]
[key string] [alias{hostname | ip-address}]

Task 7—Verify Easy
VPN Server Configuration

router#
show crypto map [interface interface | tag map-
name]

Cisco VPN Client 3.5 Manual
Configuration Tasks

Task 1—Install Cisco VPN Client 3.5


Task 2—Create a
New Connection Entry

Boston Sales
172.30.1.2

Task 3—(Optional)
Modify VPN Client Options


Task 3—Configure VPN Client General
Properties
Win 95/98/ME Win-NT 4/2000/XP


Task 4—Configure VPN Client
Authentication Properties

The end-user never

sees this after the
initial configuration

Task 5—Configure VPN Client
Connections Properties


Pre-Configuring the

Pre-Configuring the Cisco
VPN Client for Remote Users
vpnclient.ini
oem.ini

.pcf

VPN Client .pcf File
.pcf file—User profile


Creating VPN Client oem.ini
File for Silent Mode Install
• oem.ini—Installs the VPN Client without user intervention

Name of the
destination
folder
Identifies
whether or not
to restart the
system after
the silent
installation

Working with the

VPN Client Program Menu


VPN Client Log Viewer
Tool bar

Log
display

FNS 1.0—7-75
Setting MTU Size
© 2003, Cisco Systems, Inc. All rights reserved.

VPN Client Connection Status—
General Tab


Client Connection Status—
Statistics Tab


VPN Enterprise Management

Summary

Summary
• In the local-server AAA, the local router performs AAA

services.

• Administrative and remote LAN access modes can be

secured with AAA.
• Cisco router AAA configuration should follow
an orderly progression.
• Use the aaa new-model command to add AAA to a Cisco
router.
• Use aaa commands to specify authentication,
authorization, and accounting processes and methods.
• Use debug aaa commands selectively to troubleshoot
AAA.

© 2003, Cisco Systems, Inc. All rights reserved. 81

FNS10 Mod07

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FNS10 Mod07

Uploaded by

Copyright:

Available Formats

For review only.

Please do not distribute

© 2003, Cisco Systems, Inc. All rights

Router Remote Access VPN

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-2

Upon completion of this chapter, the

For review only. Please do not distribute

student will be able to perform the following

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-3

For review only. Please do not distribute

This module will focus on the Remote Access

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-4

For review only. Please do not distribute

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-5

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-6

© 2003, Cisco Systems, Inc. All rights reserved.

For review only. Please do not distribute

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-8

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-9

For review only. Please do not distribute

The Cisco Easy VPN is made up of two

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-10

For review only. Please do not distribute

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-11

For review only. Please do not distribute

• The IOS release 12.2(8)T Easy VPN Server introduces

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-12

For review only. Please do not distribute

• Mode configuration version 6 support

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-13

For review only. Please do not distribute

Authentication algorithms • HMAC-MD5

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-14

For review only. Please do not distribute

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-15

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-16

For review only. Please do not distribute

• Cisco VPN Client (software) 3.x or later

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-17

For review only. Please do not distribute

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-18

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-19

For review only. Please do not distribute

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-20

For review only. Please do not distribute

• Simple Certificate Enrollment Protocol (SCEP)

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-21

• Supported tunneling protocols

For review only. Please do not distribute

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-22

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-23

For review only. Please do not distribute

• Step 1—The VPN Client initiates the IKE Phase 1 process.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-24

For review only. Please do not distribute

Remote PC with IOS router

• Using preshared keys? Initiate Aggressive Mode (AM).

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-25

For review only. Please do not distribute

Remote PC with IOS router

• The VPN Client attempts to establish an SA between peer

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—7-26