Configuring Remote-Access VPNs via ASDM
Created by Bob Eckhoff
This white paper discusses the Cisco Easy Virtual Private Network (VPN) components, modes of operation, and how it works. This document also gives an overview of the Cisco VPN Client and explains how it is configured for Cisco Easy VPN. In addition, this white paper explains how to configure remote-access VPNs via the Cisco Adaptive Security Device Manager (ASDM).
Introduction to Cisco Easy VPN
This topic discusses Cisco Easy VPN, its two components, and its modes of operation.
© 2008 Cisco Systems, Inc All rights reserved 1
Figure: Cisco Easy VPN servers and Cisco Easy VPN clients (platforms shown: Cisco 1700 and 1800 Series routers, Cisco 2800 and 3800 Series routers, Cisco ASA 5505 Security Appliance, Cisco PIX 501 and 506E Security Appliances).
Cisco Easy VPN greatly simplifies virtual private network (VPN) deployment for remote offices and teleworkers. Based on the Cisco Unified Client Framework, Cisco Easy VPN centralizes VPN management across all Cisco VPN devices, greatly reducing the complexity of VPN deployments. Cisco Easy VPN consists of two components: the Cisco Easy VPN server and the Cisco Easy VPN client.
The Cisco Easy VPN Remote feature enables Cisco security appliances and Cisco IOS routers to act as Cisco Easy VPN clients. As such, these devices can receive security policies from a Cisco Easy VPN server, minimizing VPN configuration requirements at the remote location. This cost-effective solution is ideal for remote offices with little IT support or large customer premises equipment (CPE) deployments where it is impractical to individually configure multiple remote devices. This feature makes VPN configuration as easy as entering a password, which increases productivity and lowers costs as the need for local IT support is minimized.
Cisco Easy VPN Connection Process
The Cisco Easy VPN connection process consists of the following steps:
Step 1 The Cisco Easy VPN client initiates the Internet Key Exchange (IKE) Phase 1 process.
Step 2 The Cisco Easy VPN client proposes IKE security associations (SAs).
Step 3 The Cisco Easy VPN server accepts the SA proposal, and device (group-level) authentication is complete.
Step 4 If user authentication using IKE Extended Authentication (XAUTH) is configured, the Cisco Easy VPN server initiates a username and password challenge.
Step 5 The IKE Mode Configuration process, which enables a VPN gateway to download an IP address and other network configuration parameters to the client, is initiated.
Step 6 An IPsec SA is created, and IKE quick mode completes the connection.
Step 1: Cisco Easy VPN Client Initiates IKE Phase 1 Process
Figure: a remote PC with Cisco VPN Client (Easy VPN client) initiates IKE Phase 1 to a Cisco ASA (Easy VPN server); with pre-shared keys (PSKs) it initiates aggressive mode, with digital certificates it initiates main mode.
The Cisco Easy VPN Remote feature supports a two-stage process for authenticating to the Cisco Easy VPN server. The first stage is group-level authentication and is part of the control channel (IKE SA) creation. In this first stage, two types of authentication credentials can be used: either pre-shared keys (PSKs) or digital certificates.
The second authentication stage is called Extended Authentication, or XAUTH. In this stage, the remote side (in this case, the Cisco VPN software client) submits a username and password to the Cisco Easy VPN server.
Because there are two ways to perform the group-level authentication, the Cisco Easy VPN client must consider the following when initiating this phase:
If a PSK is to be used for authentication, the Cisco Easy VPN client initiates aggressive mode.
If digital certificates are to be used for authentication, the Cisco Easy VPN client initiates main mode.
Note In aggressive mode the responder's authentication hash, which is derived from the PSK, is sent before the exchange is encrypted, so anyone who captures the exchange can attack the group password offline. Treat the group PSK as a low-value credential: make it long and random, never reuse it as a user password, rely on XAUTH for user authentication, and prefer digital certificates (main mode) where the deployment allows.
Step 2: Cisco Easy VPN Client Proposes IKE SAs
Figure: the remote PC with Cisco VPN Client (Easy VPN client) sends Proposal 1, Proposal 2, Proposal 3, and so on to the Cisco ASA (Easy VPN server).
The Cisco Easy VPN client attempts to establish an SA between the peer IP addresses by sending multiple IKE proposals to the Cisco Easy VPN server. To reduce the amount of manual configuration on the Cisco Easy VPN client, the client proposes a fixed list of combinations of the following:
– Encryption and hash algorithms
– Authentication methods (pre-shared key or digital certificate)
– Diffie-Hellman (DH) group sizes
Step 3: Cisco Easy VPN Server Accepts SA Proposal
Figure: the Cisco ASA (Easy VPN server) checks the proposals received from the remote PC with Cisco VPN Client (Easy VPN client) and finds that Proposal 1 matches.
IKE policy is global for the Cisco Easy VPN server and can consist of several proposals. Starting with its highest-priority policy and continuing in order of priority, the server compares its own policies to the proposals received from the client until it finds a match. The server accepts the first proposal that matches one of its own policies. After an IKE proposal is accepted, the IKE SA is established. At that point, device (group-level) authentication ends and user authentication begins.
Note Because the Cisco Easy VPN server uses the first match, you should always assign the highest priorities (the lowest policy numbers) to your most secure IKE policies. A weak policy that sits ahead of a strong one in the list is chosen whenever the client offers it, even if the client also offered the stronger combination.
Step 4: Cisco Easy VPN Server Initiates a Username/Password Challenge
Figure: the Cisco ASA (Easy VPN server) sends a username/password challenge to the remote PC with Cisco VPN Client (Easy VPN client), which returns the username/password.
After the IKE SA is successfully established, and if the Cisco Easy VPN server is configured for XAUTH, the client waits for a username and password challenge. When prompted, the user must enter a valid username and password pair. The Cisco Easy VPN server checks the username and password pair against authentication entities using authentication, authorization, and accounting (AAA) protocols such as RADIUS and TACACS+. Token cards may also be used via AAA proxy.
Note VPN devices that are configured to handle remote Cisco VPN Clients should always be configured to enforce user authentication. Without XAUTH, possession of the shared group credential alone is enough to bring up a tunnel.
Step 5: Mode Configuration Process Is Initiated
Figure: the remote PC with Cisco VPN Client (Easy VPN client) requests parameters, and the Cisco ASA (Easy VPN server) returns the system parameters via mode configuration.
If the Cisco Easy VPN server indicates that authentication was successful, the client requests the remaining configuration parameters from the Cisco Easy VPN server, and mode configuration starts. The remaining system parameters, such as the IP address, Domain Name System (DNS) servers, and split-tunnel attributes, are pushed to the client at this time using mode configuration. The IP address is the only parameter that must be downloaded to the Cisco Easy VPN client from the Cisco Easy VPN server; all other parameters are optional.
Step 6: IKE Quick Mode Completes Connection
Figure: IPsec SA establishment between the remote PC with Cisco VPN Client and the Cisco ASA (Easy VPN server) produces the VPN tunnel.
After the configuration parameters have been successfully received by the Cisco Easy VPN client, IKE quick mode is initiated to negotiate the IPsec SAs. After the IPsec SAs are created, the VPN connection is complete.
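The six steps above, as an added Python model. This is not Cisco code and is not part of the white paper; it exchanges no IKE messages and does no cryptography. It reproduces only the decision each step makes: the exchange mode chosen from the group credential type (Step 1), the client's fixed proposal list (Step 2), the server's first-match walk through its policies in priority order (Step 3), XAUTH (Step 4), the mandatory mode-config IP address (Step 5) and the resulting IPsec SA (Step 6). The proposal list, policy numbers, user database and addresses are constructed for the example. The two server configurations at the end contain the same two policies in opposite priority order, which is the situation the Step 3 note warns about.

```python
"""Model of the Cisco Easy VPN connection process (added illustration, not
Cisco code). No packets, no crypto: only the per-step decision logic."""
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class IkePolicy:
    """One IKE Phase 1 policy or proposal (lifetime omitted for brevity)."""
    encryption: str   # "aes-256", "aes-128", "3des", "des"
    hash: str         # "sha" or "md5"
    auth: str         # "pre-share" or "rsa-sig"
    dh_group: int     # Diffie-Hellman group: 1, 2 or 5


# Step 1: the client picks the Phase 1 exchange from the group credential type.
def phase1_mode(auth: str) -> str:
    modes = {"pre-share": "aggressive", "rsa-sig": "main"}
    if auth not in modes:
        raise ValueError(f"unknown authentication method {auth!r}")
    return modes[auth]


# Step 2: the client offers a fixed, ordered proposal list (constructed here;
# the real Cisco VPN Client list is not given on the page).
def client_proposals(auth: str) -> list:
    return [
        IkePolicy("aes-256", "sha", auth, 5),
        IkePolicy("aes-128", "sha", auth, 2),
        IkePolicy("3des", "sha", auth, 2),
        IkePolicy("des", "md5", auth, 1),
    ]


# Step 3: the server walks its policies from highest priority (lowest number)
# downwards and accepts the first one that any client proposal matches.
def select_policy(server_policies: dict, proposals: list):
    for priority in sorted(server_policies):
        if server_policies[priority] in proposals:
            return priority, server_policies[priority]
    return None


# Step 4: XAUTH. If the server does not enforce it, the group credential alone
# has authenticated the peer, which is why the page says to always enforce it.
def xauth(enforced: bool, username: str, password: str, user_db: dict) -> str:
    if not enforced:
        return "skipped"
    expected = user_db.get(username, "")
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return "ok" if ok and expected else "failed"


# Step 5: mode configuration. The IP address is the only required attribute.
def mode_config(attrs: dict) -> dict:
    if "ip_address" not in attrs:
        raise ValueError("mode config must supply an IP address")
    return {"ip_address": attrs["ip_address"],
            "dns": attrs.get("dns"),
            "split_tunnel": attrs.get("split_tunnel", [])}


def connect(auth, server_policies, xauth_enforced, creds, user_db, attrs) -> dict:
    """Run the six steps and return what each one decided."""
    result = {"mode": phase1_mode(auth)}
    chosen = select_policy(server_policies, client_proposals(auth))
    if chosen is None:
        result["error"] = "no matching IKE policy"
        return result
    result["ike_policy"] = chosen
    result["xauth"] = xauth(xauth_enforced, *creds, user_db)
    if result["xauth"] == "failed":
        result["error"] = "user authentication failed"
        return result
    result["config"] = mode_config(attrs)
    # Step 6: quick mode, modelled as recording the resulting IPsec SA.
    result["ipsec_sa"] = {"client_ip": result["config"]["ip_address"],
                          "state": "established"}
    return result


# Constructed server configurations: the same two policies, opposite order.
WEAK_FIRST = {10: IkePolicy("des", "md5", "pre-share", 1),
              20: IkePolicy("aes-256", "sha", "pre-share", 5)}
STRONG_FIRST = {10: IkePolicy("aes-256", "sha", "pre-share", 5),
                20: IkePolicy("des", "md5", "pre-share", 1)}
USERS = {"alice": "correct horse battery staple"}        # constructed
ATTRS = {"ip_address": "10.0.1.50", "dns": "10.0.1.10"}  # constructed

if __name__ == "__main__":
    for name, policies in (("weak first", WEAK_FIRST), ("strong first", STRONG_FIRST)):
        r = connect("pre-share", policies, True, ("alice", USERS["alice"]), USERS, ATTRS)
        print(f"{name}: mode={r['mode']} policy={r['ike_policy']} xauth={r['xauth']}")
```

Run it and the weak-first server accepts the client's DES/MD5/group 1 proposal even though the client also offered AES-256, while the same two policies in the opposite order select AES-256. Turning XAUTH off (`xauth_enforced=False`) lets a wrong user password through to an established SA, which is the outcome the Step 4 note is written to prevent.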
Overview of Cisco VPN Client
This topic introduces you to the Cisco VPN Client, software that enables customers to establish secure, end-to-end encrypted tunnels to any Cisco Easy VPN server. This thin-client design, which is an IPsec-compliant implementation, is available at Cisco.com.
Cisco VPN Software Client for Windows
This figure displays the Cisco VPN Client window. You can preconfigure the connection entry (name of the connection) and the hostname or IP address of the remote Cisco VPN device, such as the Cisco ASA Adaptive Security Appliance. Clicking Connect initiates IKE Phase 1.
The Cisco VPN Client can be preconfigured for mass deployments, and initial logins require very little user intervention. VPN access policies and configurations are downloaded from the Cisco Easy VPN server and pushed to the Cisco VPN Client when a connection is established, allowing simple deployment and management.
The Cisco VPN Client provides support for the following operating systems:
Microsoft Windows 2000, XP, and Vista (x86/32-bit only)
Linux (Intel)
Solaris UltraSPARC (32-bit and 64-bit)
Cisco VPN Client as Cisco Easy VPN Client
Complete the following general tasks to install and configure the Cisco VPN Client as a Cisco Easy VPN client:
Task 1 Install Cisco VPN Client.
Task 2 Create a new connection entry.
Task 3 (Optional) Configure Cisco VPN Client transport properties.
Task 4 (Optional) Configure properties of Cisco VPN Client backup servers.
Task 5 (Optional) Configure dialup properties.
Task 1: Install Cisco VPN Client
Installation of the Cisco VPN Client varies slightly based on the type of operating system. Always review the installation instructions that come with the Cisco VPN Client before attempting any installation, and obtain the installer from Cisco.com so that its digital signature or published checksum can be checked before it is run. Generally, installation of the Cisco VPN Client involves the following steps. (This example is based on using the Microsoft Installer [MSI] to install the Cisco VPN Client on a Windows 2000 PC.)
Step 1 Double-click the vpnclient_setup.msi file. The Welcome window opens.
Step 2 Read the Welcome window and click Next. The License Agreement page is displayed.
Step 3 Read the license agreement, click the I Accept the License Agreement radio button, and click Next. The Destination Folder page is displayed.
Step 4 Click Next to accept the default destination folder. The Ready to Install the Application page is displayed.
Step 5 Click Next. After the files are copied to the hard disk drive of the PC, a new page displays the message "Cisco Systems VPN Client 5.0 has been successfully installed."
Step 6 Click Finish.
Task 2: Create New Connection Entry
Figure: the Create New VPN Connection Entry window (Connection Entry and Host fields, Authentication tab).
The Cisco VPN Client enables users to configure multiple connection entries. Multiple connection entries enable the user to build a list of possible network connection points. For example, a corporate telecommuter may want to connect to the sales office in Boston for sales data (the first connection entry), and then the telecommuter and the sales office may want to connect to the Austin factory for inventory data (a second connection entry). Each connection entry contains a specific entry name and the remote server hostname or IP address.
Generally, creating a new connection entry involves the following steps. (This example is based on creating new connection entries on a Windows 2000 PC.)
Step 1 Choose Start > Programs > Cisco Systems VPN Client > VPN Client. The VPN Client window opens (not shown).
Step 2 Click New. The VPN Client | Create New VPN Connection Entry window opens.
Step 3 Enter a name for the new connection entry in the Connection Entry field. In the figure, CorpNet is entered.
Step 4 (Optional) Enter a description for the new connection entry in the Description field. In the figure, Corporate Network is entered.
Step 5 Enter the public interface IP address or hostname of the remote Cisco Easy VPN server in the Host field. In the figure, 192.168.1.2 is entered.
Step 6 In the Authentication tab, click the radio button for the authentication method you want to use. You can connect as part of a group (which must be configured on the Cisco Easy VPN server) or by supplying an identity digital certificate. For this example, group authentication is used. Complete the following substeps to configure group authentication:
In the Name field, enter a group name that matches a group on the Cisco Easy VPN server. The group name and its password must match what is configured on the Cisco Easy VPN server. Entries are case sensitive. In the figure, TRAINING is entered.
In the Password field, enter the group password that matches the group password (key) on the Cisco Easy VPN server. Entries are case sensitive. In the figure, cisco123 is entered; however, only asterisks are displayed.
Enter the password again in the Confirm Password field. In the figure, cisco123 is entered again.
Step 7 Click Save.
Task 3: (Optional) Configure Cisco VPN Client Transport Properties
Figure: the connection entry's Transport tab (Connection Entry and Host fields shown above it).
From the Transport tab, you can configure the following Cisco VPN Client options:
Transparent tunneling
Local LAN access
Peer response timeout
Enabling Transparent Tunneling
Transparent tunneling encapsulates the IPsec traffic in UDP or TCP packets before it is sent through the NAT or PAT devices or firewalls. The most common application for transparent tunneling is behind a home router performing PAT. To use transparent tunneling, the central-site group on the Cisco Easy VPN server must also be configured to support it. This parameter is enabled by default. To disable this parameter, deselect the Enable Transparent Tunneling check box under the Transport tab. It is recommended that you leave this parameter enabled.
Note Not all devices support multiple simultaneous connections behind them. Some cannot map additional sessions to unique source ports. Be sure to check with the vendor of your device to verify whether this limitation exists. Some vendors support Protocol 50 (ESP) PAT (IPsec pass-through), which might let you operate without enabling transparent tunneling.
You must choose a mode of transparent tunneling, over UDP or over TCP. The mode you use must match that used by the secure gateway to which you are connecting. Either mode operates properly through a PAT device. Multiple simultaneous connections might work better with TCP. If you are in an extranet environment, then in general, TCP mode is preferable. UDP does not operate with stateful firewalls, so in that case, you should use TCP.
The following transparent tunneling options are available:
IPsec over UDP (NAT/PAT): Select this radio button to enable IPsec over UDP (using NAT or PAT). With UDP, the port number is negotiated. UDP is the default mode.
IPsec over TCP: Select this radio button to enable IPsec over TCP. When using TCP, you must also enter the port number for TCP in the TCP port field. This port number must match the port number configured on the secure gateway. The default port number is 10000.
Allowing Local LAN Access
In a multiple-network-interface-card (NIC) configuration, local LAN access pertains only to network traffic on the interface on which the tunnel was established. Allow Local LAN Access gives you access to the resources on your local LAN (printer, fax, shared files, and other systems) when you are connected through a secure gateway to a central-site VPN device. When this parameter is enabled and your central site is configured to permit it, you can access local resources while connected. When this parameter is disabled, all traffic from your Cisco VPN Client system goes through the IPsec connection to the secure gateway.
To enable this feature, select the Allow Local LAN Access check box; to disable it, deselect the check box. If the local LAN you are using is not secure, you should disable this feature. For example, you would disable this feature when you are using a local LAN in a hotel or airport.
A network administrator at the central site configures a list of networks at the Cisco VPN Client side that you can access. You can access up to ten networks when this feature is enabled. When local LAN access is allowed and you are connected to a central site, all traffic from your system goes through the IPsec tunnel except traffic to the networks excluded from doing so (in the network list).
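The local LAN rule just described, as an added Python model (not Cisco code and not part of the white paper): a destination is reached locally only when the client has Allow Local LAN Access enabled, the central site permits it, and the destination lies in the administrator's list of excluded networks, which the page caps at ten. Everything else goes through the tunnel. The home LAN, the corporate address and the `route_decision`/`routes_table` names are constructed for the example.

```python
"""Added illustration of the Cisco VPN Client local LAN access rule.
Not Cisco code: it models the policy decision, not the client's routing."""
import ipaddress

MAX_LOCAL_LAN_NETWORKS = 10   # limit stated in the white paper


def route_decision(dst, client_allows_local_lan, server_permits_local_lan,
                   excluded_networks):
    """Return 'local' or 'tunnel' for the destination address dst."""
    nets = [ipaddress.ip_network(n, strict=False) for n in excluded_networks]
    if len(nets) > MAX_LOCAL_LAN_NETWORKS:
        raise ValueError(f"at most {MAX_LOCAL_LAN_NETWORKS} local networks are supported")
    # Both sides must agree; otherwise every packet enters the IPsec SA.
    if not (client_allows_local_lan and server_permits_local_lan):
        return "tunnel"
    addr = ipaddress.ip_address(dst)
    return "local" if any(addr in n for n in nets) else "tunnel"


def routes_table(client_allows_local_lan, server_permits_local_lan,
                 excluded_networks):
    """The local networks the client would list under Route Details."""
    if not (client_allows_local_lan and server_permits_local_lan):
        return []
    return [str(ipaddress.ip_network(n, strict=False)) for n in excluded_networks]


HOME_LAN = ["192.168.1.0/24"]   # constructed: a home LAN with a printer on it

if __name__ == "__main__":
    for dst in ("192.168.1.20", "10.0.1.5"):
        print(dst, route_decision(dst, True, True, HOME_LAN))
    # On a hotel or airport LAN the user disables the feature on the client,
    # after which the same printer address is sent through the tunnel:
    print("192.168.1.20", route_decision("192.168.1.20", False, True, HOME_LAN))
```

The two-sided check is the point: enabling the box on the client does nothing unless the central-site group policy also permits local LAN access, and disabling it on the client is sufficient to force all traffic into the tunnel on an untrusted LAN.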
When this feature is enabled and configured on the Cisco VPN Client and permitted on the central-site VPN device, you can see a list of the local LANs available by looking at the Routes table.
Adjusting the Peer Response Timeout Value
The Cisco VPN Client uses a keepalive mechanism, dead peer detection (DPD), to check the availability of the VPN device on the other side of an IPsec tunnel. If the network is unusually busy or unreliable, you might need to increase the number of seconds to wait before the Cisco VPN Client decides that the peer is no longer active. The default number of seconds to wait before terminating a connection is 90 seconds. The minimum number you can configure is 30 seconds, and the maximum is 480 seconds. To adjust the setting, enter the number of seconds in the Peer Response Timeout (Seconds) field. The Cisco VPN Client continues to send DPD requests every 5 seconds until it reaches the number of seconds specified by the peer response timeout value.
Task 4: (Optional) Configure Cisco VPN Client Backup Servers Properties
Figure: the connection entry's Backup Servers tab (Connection Entry and Host fields shown above it).
The private network may include one or more backup servers to use if the primary VPN server is not available. Information on backup servers can download automatically from a VPN server, or you can manually enter this information.
To enable backup servers from the VPN Client, complete the following steps:
Step 1 Check the Enable Backup Servers check box in the Backup Servers tab.
Step 2 Click Add. The VPN Client | Enter Backup Server window opens.
Step 3 Enter the hostname or IP address of a backup server in the Enter Backup Server Hostname or IP Address field (not shown). You can use a maximum of 255 characters.
Step 4 Click OK. The hostname or IP address is displayed in the Enable Backup Servers list.
Step 5 Click Save.
You can add more backup servers by repeating Steps 2, 3, 4, and 5. To remove a server from the backup list, select the server in the list, click Remove, and then click Save.
When necessary, the Cisco VPN Client tries the backup servers in the order in which they appear in the backup servers list, starting at the top. To reorder the servers in the list, select a server and click the up arrow to increase the server's priority or the down arrow to decrease the server's priority.
Cisco VPN Client Statistics
The Statistics window provides information about the VPN connection, routing information, and firewall parameters in three tabs. To access the Statistics window, click Status in the menu bar and choose Statistics (not shown). The Tunnel Details tab displays the following statistics for the VPN tunnel:
— Entry: The name of the profile you are using to establish the connection.
— Time: The length of time the connection has been up.
Packets
— Encrypted: The total number of secured data packets transmitted out the port.
— Decrypted: The total number of data packets received on the port.
— Discarded: The total number of data packets that the VPN Client rejected because they did not come from the secure VPN device gateway.
— Bypassed: The total number of data packets that the VPN Client did not process because they did not need to be encrypted. Local ARPs and DHCP fall into this category.
Transport
— Transparent Tunneling: The status of tunnel transparent mode in the VPN Client, either active or inactive.
— Local LAN: Whether access to your local area network while the tunnel is active is enabled or disabled.
— Compression: Whether data compression is in effect as well as the type of compression in use. Currently, LZS is the only type of compression that the VPN Client supports.
The next tab is the Route Details tab, which displays routing information. This tab enables you to view the network addresses of the networks you can access on your local LAN while you are connected to your organization's private network through an IPsec tunnel. A network administrator at the central site must configure the networks you can access from the client side.
The last tab is the Firewall tab. The Firewall tab displays information about the firewall configuration of the Cisco VPN Client.
Configuring Remote-Access VPNs
This topic explains how to use the Cisco Adaptive Security Device Manager (ASDM) IPsec VPN Wizard to configure remote-access VPNs.
Company XYZ Need: Secure Connectivity for Remote Workers
Figure: Company XYZ topology. A Home Office connects across the Internet to Headquarters, which has a Corporate DMZ with Web and FTP servers and the 10.0.1.0/24 network.
Company XYZ employs remote workers in various locations who need access to resources at corporate headquarters. The network security administrator for Company XYZ configures the corporate Cisco ASA security appliance to accept remote-access VPN connections to give these remote workers secure connectivity to headquarters.
Specifying the Tunnel Type
Figure: the VPN Wizard's first page. VPN Tunnel Type: Remote Access (remote-access IPsec VPN); VPN Tunnel Interface: outside.
Use the IPsec VPN Wizard to create a remote-access VPN for the Cisco VPN Client. On this wizard page, configure the VPN tunnel type:
Step 1 Click Wizards in the Cisco ASDM menu bar (not shown).
Step 2 Choose IPsec VPN Wizard. The VPN Wizard window opens.
Step 3 Choose the Remote Access radio button from the VPN Tunnel Type options.
Step 4 Verify that outside is displayed in the VPN Tunnel Interface drop-down list.
Step 5 Verify that the Enable Inbound IPsec Sessions to Bypass Interface Access Lists check box is checked.
Step 6 Click Next. The Remote Access Client page is displayed.
Note The check box in Step 5 corresponds to the sysopt connection permit-vpn command: decrypted traffic from VPN sessions is exempted from the access list applied to the outside interface. If remote users should not be able to reach everything behind the security appliance, restrict them with a vpn-filter in the group policy rather than relying on the interface access list.
Specifying the Remote Access Client Type
Figure: the VPN Wizard's Remote Access Client page. VPN Client Type: Cisco VPN Client, Release 3.x or Higher.
On this VPN Wizard page, configure the Cisco VPN Client type:
Step 7 From the Cisco VPN Client Type radio buttons, choose Cisco VPN Client, Release 3.x or Higher, or Other Easy VPN Remote Product.
Step 8 Click Next. The Cisco VPN Client Authentication Method and Tunnel Group Name page is displayed.
Specifying the VPN Client Authentication Method and Tunnel Group Name
Figure: the VPN Wizard's VPN Client Authentication Method and Tunnel Group Name page. Authentication Method: Pre-Shared Key; Pre-Shared Key: cisco123; Tunnel Group Name: TRAINING.
On this VPN Wizard page, configure the VPN tunnel authentication type and tunnel group:
Step 9 From the Authentication Method options, choose the Pre-Shared Key radio button.
Step 10 Enter the pre-shared key in the Pre-Shared Key field. In the figure, cisco123 is entered. This key is the group credential shared by every client in the tunnel group and must match the group password entered in the Cisco VPN Client; in production use a long random value rather than a short word like the example.
Step 11 Enter a name for the tunnel group in the Tunnel Group Name field. In the figure, the name TRAINING is entered. A tunnel group (connection profile) consists of a small number of attributes applicable to creating the tunnel itself, for example, the AAA server to contact for authentication and authorization. Tunnel groups include a pointer to a group policy that defines further connection parameters. A group policy is a set of user-oriented attribute-value pairs for the IPsec connection. The tunnel group refers to a group policy to set terms for users' connections once the tunnel is established. An example of a group policy attribute is a split-tunnel policy for remote-access users or groups.
Step 12 Click Next. The Client Authentication page is displayed.
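The wizard choices made so far can be checked from the security appliance CLI. The following is an added example, not taken from the white paper and not the configuration ASDM generated for the figures: it shows ASA 8.0-era commands that correspond to the pages covered above (a remote-access tunnel on the outside interface, inbound IPsec sessions bypassing interface access lists, tunnel group TRAINING with pre-shared key cisco123, and the tunnel group's pointer to a group policy). The IKE policy values, the group-policy name TRAINING, the access-list name RA-FILTER and the permitted destination are assumptions; the wizard's later pages (address pool, transform set, split tunneling) are not covered on this page and are left out.

```text
! IKE Phase 1 on the interface chosen in Step 4
crypto isakmp enable outside
! Policies are tried in ascending number order, so the stronger one carries
! the lower number (algorithm values are assumed, not the wizard's defaults)
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! Step 5: decrypted VPN traffic is exempt from the outside interface access list
sysopt connection permit-vpn
! Steps 3, 10 and 11: the tunnel group whose name the client's group name must match
tunnel-group TRAINING type remote-access
tunnel-group TRAINING general-attributes
 default-group-policy TRAINING
tunnel-group TRAINING ipsec-attributes
 pre-shared-key cisco123
! Group policy referenced above (name assumed). The vpn-filter restores
! per-group filtering that sysopt connection permit-vpn bypassed; the ACL is
! written from the remote client towards the inside (destination assumed).
access-list RA-FILTER extended permit tcp any 10.0.1.0 255.255.255.0 eq www
group-policy TRAINING internal
group-policy TRAINING attributes
 vpn-filter value RA-FILTER
```

Verify with show running-config tunnel-group TRAINING and, once a client has connected, show crypto isakmp sa (an aggressive-mode PSK session shows state AM_ACTIVE) and show vpn-sessiondb remote. Note that show running-config masks the pre-shared key as asterisks, while more system:running-config prints it in the clear, so access to the configuration should be restricted as tightly as the key itself.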