Exam Topics Discussed in This Chapter This chapter covers the following topics, which you need to master in your pursuit of certification as a Cisco C
Using VPNs for Remote Access with Preshared Keys 133 While this type of preshared key is the most secure of the three types, it is not practical
134 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys VPN Concentrator Configuration Three major categories of activi
VPN Concentrator Configuration 135 Cisco VPN 3000 Concentrator Configuration Requirements Figure 4-2 shows a typical VPN concentrator configuration
136 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys following is a list of the data values you need to obtain to c
VPN Concentrator Configuration 137 The Quick Configuration can be accomplished from the CLI, but the HTML version of the concentrator manager provide
138 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Once you have entered the correct login name and password, the co
VPN Concentrator Configuration 139 Configuring the Private LAN Interface The next phase of the CLI Quick Configuration steps is to configure the Private
140 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys In Example 4-3, the administrator wanted to use a 24-bit subnet m
VPN Concentrator Configuration 141 The concentrator only presents the Quick Configuration process upon initial bootup using the default configuration.
142 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Figure 4-3 HTTP Addressing for VPN 3000 Concentrator Series Manag
CHAPTER 4 Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys From a procedural perspective, it is easier to configure t
VPN Concentrator Configuration 143 Clicking the Install SSL Certificate hotlink takes you to the browser’s certificate installation wizard. Netscape a
144 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys The top portion of the screen is the application toolbar, and it
VPN Concentrator Configuration 145 Figure 4-6 3005 Concentrator—Configuration | Quick | IP Interfaces Figure 4-7 shows the IP Interfaces screen for th
146 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Figure 4-8 Configuration | Quick | IP Interfaces | Ethernet 1 NOTE
VPN Concentrator Configuration 147 Figure 4-9 Configuration | Quick | System Info Configuring the Tunneling Protocol Clicking the Continue button takes
148 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Figure 4-11 Configuration | Quick | Address Assignment Configuring U
VPN Concentrator Configuration 149 Figure 4-13 Configuration | Quick | User Database There is a maximum combined number of groups and users that you c
150 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Figure 4-14 Configuration | Quick | IPSec Group Configuring the Admi
VPN Concentrator Configuration 151 Figure 4-16 Configuration | Quick | Done Notice the Save Needed icon in the upper-right corner of the main screen.
152 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys the plus sign indicates that the indicated function has subfuncti
126 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Figure 4-1 How to Use This Chapter “Do I Know This Already?” Q
VPN Concentrator Configuration 153 Figure 4-18 IPSec Configuration The interfaces have already been configured using the Quick Configuration option. If
154 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Because the Base Group had not been modified before Quick Configura
VPN Concentrator Configuration 155 Modify Groups—Identity Tab To modify the group, click the group to highlight it, and then click the Modify Group b
156 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys • Maximum Connect Time—0 disables maximum connect time. The range
VPN Concentrator Configuration 157 Modify Groups—IPSec Tab Clicking the IPSec tab brings up the screen shown in Figure 4-22. The attributes on this s
158 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys • IKE Keepalives—Monitors the continued presence of a remote peer
VPN Concentrator Configuration 159 Figure 4-22 Configuration | User Management | Groups | Modify > IPSec Modify Groups—Client Config Tab The Client C
160 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys • IPSec Backup Servers—This attribute is used on Cisco VPN 3002 H
VPN Concentrator Configuration 161 Figure 4-23 Configuration | User Management | Groups | Modify > Client Config
162 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys That is all that you need to configure on the VPN concentrator. Cl
“Do I Know This Already?” Quiz 127 1 What methods can you use for user authentication on the Cisco VPN 3000 Series Concentrators? 2 What methods
VPN Concentrator Configuration 163 • Firewall—Select the firewall that members of the group are to use. The available options are as follows: — Cisco
164 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys • Firewall Policy—You can select from three different methods for
VPN Concentrator Configuration 165 Figure 4-24 Configuration | User Management | Groups | Modify > Client FW When you configure the VPN 3002 Hardwar
166 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys • Require Individual User Authentication—You can also require all
VPN Concentrator Configuration 167 enabling this capability. The default mode for this attribute is disabled, forcing the VPN concentrator to supply
168 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys — 40-bit—Clients can use the RSA RC4 encryption algorithm using a
VPN Concentrator Configuration 169 Advanced Configuration of the VPN Concentrator The previous sections of this chapter looked at a small part of the
170 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys • NTP Servers—Network Time Protocol to ensure that all systems us
VPN Concentrator Configuration 171 • Redundancy—Virtual Router Redundancy Protocol parameters • Reverse Route Injection—Reverse Route Injection globa
172 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Configuration | System | General The General section of the VPN Man
128 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys 5 When you boot up a Cisco VPN 3000 Concentrator with the defa
VPN Concentrator Configuration 173 Configuration | User Management Configuration | User Management is the section that you used in the “Configuring IPSe
174 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Installing and Configuring the VPN Client The Cisco VPN Client is p
Installing and Configuring the VPN Client 175 • Uninstall VPN Client—Uninstall the application. You can choose to retain connection and certificate i
176 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys • IKE keepalives • Split tunneling • LZS data compression Authentica
Installing and Configuring the VPN Client 177 • Encryption algorithms: — 56-bit DES — 168-bit Triple-DES • Extended Authentication (XAUTH) • Mode Configu
178 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys The Welcome screen appears, as shown in Figure 4-29. Click Next t
Installing and Configuring the VPN Client 179 The file location screen is displayed, as shown in Figure 4-31. To accept the default location, click N
180 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys The installation wizard then copies the files from the CD to your
Installing and Configuring the VPN Client 181 Figure 4-35 VPN Client Installation Complete VPN Client Configuration The configuration process is almost
182 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Figure 4-37 Connection Entry Screen The first screen of the creatio
“Do I Know This Already?” Quiz 129 11 What are the three major sections of the VPN Manager system? 12 What hot keys are available in the standard
Installing and Configuring the VPN Client 183 VPN 3000 Concentrator Series Manager” section of this chapter. Enter either the IP address of the devi
184 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys The group name that you established earlier was vpngroup02. Enter
Installing and Configuring the VPN Client 185 Figure 4-42 Using the New VPN Connection To connect to the VPN 3000 Concentrator, simply click the Conn
186 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Foundation Summary The Foundation Summary is a collection of table
VPN Client Installation Steps 187 VPN 3000 Concentrator Browser-Based Manager Quick Configuration Steps The steps to the VPN 3000 Concentrator browse
188 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Step 4 Click Yes to permit disabling IPSec Policy Agent (if asked
Complete Configuration Table of Contents 189 Limits for Number of Groups and Users Table 4-4 shows the maximum number of groups and users. Complete Co
190 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Configuration (Continued) >System (Continued) >Tunneling Proto
Complete Configuration Table of Contents 191 Configuration (Continued) >System (Continued) >Events >General >FTP Backup >Classes >Trap De
192 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Complete Administration Table of Contents Table 4-6 shows the comp
130 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys 18 Where would you configure information for Network Time Proto
Complete Monitoring Table of Contents 193 Complete Monitoring Table of Contents Table 4-7 shows the complete monitoring table of contents (TOC). Admi
194 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Monitoring (Continued) >Statistics (Continued) >VRRP >SSL
Chapter Glossary 195 Chapter Glossary The following terms were introduced in this chapter or have special significance to the topics within this chap
196 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Q&A As mentioned in Chapter 1, “All About the Cisco Certified S
Q&A 197 5 What options are available for addressing an IP interface on the IP Interfaces screen? 6 What is the maximum number of combined groups
198 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys 11 Where does the VPN concentrator store system events? 12 What are
Q&A 199 17 What would you do if you needed to re-enter the Quick Configuration mode after you have completed the initial configuration of the VPN
200 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys 23 You would like to be able to pass DNS and WINS information from
Q&A 201 29 When you boot up a Cisco VPN 3000 Concentrator with the default factory configuration, what happens? 30 If you supply an address of 144
202 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys 35 What is the default number of simultaneous logins available to
“Do I Know This Already?” Quiz 131 The answers to this quiz are listed in Appendix A, “Answers to the “Do I Know This Already?” Quizzes and Q&
Q&A 203 42 What type of cable does the console port require on VPN concentrators? 43 What is the default administrator name and password for VPN
204 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys 48 When reviewing the list of attributes for a group, what does it
Q&A 205 54 What methods can be used for device authentication between VPN peers? 55 What is a wildcard preshared key? 56 What information do you n
206 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys 60 When you select IPSec as the tunneling protocol, what screen do
Scenario 4-1 207 Scenarios The following scenarios and questions are designed to draw together the content of the chapter and exercise your understa
208 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Scenario 4-2 Your company sells donuts and has 60 shops located in
Scenario 4-2 209 • Reauthentication on Rekey • Tunnel Type • Group Lock • Authentication • IPComp • Mode Configuration
210 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Scenario Answers The answers provided in this section are not nece
Scenario 4-2 Answers 211 9 Unlimited access? This would be a group-by-group decision. Does the R&D team work around the clock or just during bus
212 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys • Tunnel Type—Remote access • Group Lock—Disabled • Authentication—
132 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys Foundation Topics Using VPNs for Remote Access with Preshared
chpt_04.fm Page 213 Friday, April 4, 2003 9:19 AM