Cisco CVPN3002-K9 - Fast Ethernet VPN Gateway, 3002 Getting Started

Corporate Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 526-4100

VPN 3002 Hardware Client Getting Started

Release 3.6 August 2002

Text Part Number: OL-2854-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS M ANUAL ARE SUBJECT TO CHA NGE WITHOUT NO TICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSI BILITY FOR THEIR APPLICA TION OF ANY PRODUCT S.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORT H IN THE INFORMATION PACKET T HAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP head er compressi on is an adap tation of a program developed by the Universi ty of Ca lifornia, Berk eley (UCB) as part of UCB ’s public domain version of the UNIX operatin g system. All rights reserved . Copyri ght © 1981 , Rege nts of the Uni versity of Calif ornia.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THE SE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAI M ALL WARRANTIE S, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NO NINFRINGEM ENT OR ARISING FROM A COURS E OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING , WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE S.

VPN 3002 Hardware Client Getting Started

CCIP, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, Internet Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0203R)

iii

VPN 3002 Hardware Client Getting Started

OL-2854-01

CONTENTS

Preface ix

Audience ix Organization ix Related Documentation x

VPN 3002 Hardware Client Documentation x VPN 3000 Series Concentrator Documentatio n x VPN Client Docu m e ntation xi Documentation on VPN Software Distribution CDs xi Other References xi

Conventions xii

Data Formats xiii

Obtaining Documentation xiv

World Wide Web xiv Documentation CD-ROM xiv Ordering Documentation xiv Documentation Feedback xiv

Obtaining Technical Assistance xv

Cisco.com xv Technical Assistance Center xv

Cisco TAC Web Site xvi Cisco TAC Escalation Center xvi

CHAPTER

1 Understanding the VPN 3002 Hardware Client 1-1

VPN 3002 Hardware Client or VPN Client Software? 1-1 Hardware Features 1-1 Client Mode and Networ k Extension Mode 1-2

Online Technical Snapshot Explains PAT and Network Extension Modes 1-2 Client Mode (PAT) 1-2 Client Mode with Split Tunneling 1-3 Network Extension Mode 1-3

Network Extension Mode per Group 1-3

Network Extension Mode with Split Tunneling 1-3

IPSec 1-4

IPSec over TCP 1-4

Contents

VPN 3002 Hardware Client Getting Started

OL-2854-01

IPSec over NAT-T 1-4 IPSec over UDP 1-5

Additional Software Features 1-5

Interactive Hardware Client Authentication 1-5 Individual User Authentication 1-6 IPSec Backup Servers 1-7 H.323 in PAT Mode 1-9

Notes on H.323 GateKeepers 1-11 RADIUS with Pa ss w o rd Ex pir y 1-11 Load Balancing 1-12 Simple Certificate Enrollment Protocol (SCEP) 1-12 Reset/Restore Monitoring Statistics 1-12 XML Management 1-12 Reverse Route Injection (RRI) 1-12 AES with Diffie-Hellman Group 5 1-13

Management Interf aces 1-13 VPN Software Features Summary 1-14 Physical Specifications 1-15

CHAPTER

2 Installing and Poweri ng Up the VPN 3002 2-1

Preparing to Install 2-1 Configuring and Managing the VPN 3002 2-1

Browser Requirements 2-1

JavaScript and Cookies 2-2

Navigation Toolbar 2-2

Recommended PC Monitor / Display Settings 2-2

Unpacking 2-2 Installing the VPN 3002 2-3

Connecting the PC/Console 2-3 Connecting Network Cables 2-3

Powering Up 2-3 Beginning Quick Configuration 2-4

Quick Configuration Using Default Values 2-5

PAT Mode 2-5

Network Extension Mode 2-5 Quick Configuration Using Nondefault Values 2-6

Contents

VPN 3002 Hardware Client Getting Started

OL-2854-01

CHAPTER

3 Using the VPN 3002 Hardware Client Manager for Quick Configuration 3-1

Logging into the VPN 3002 Hardware Client Manager 3-1 Starting Quick Configuration 3-3

About Quick Configuration 3-3 Setting the Time and Date 3-4 Uploading an Existing Configuration File 3-5 Configuring the Private Interface 3-6

Configuring the Public Interface 3-9

DHCP 3-10 PPPoE 3-10

Specify an IP address 3-10 Configuring IPSec 3-11 Configuring PAT or Network Extension Mode 3-13

Online Technical Snapshot Explains PAT and Network Extension Modes 3-13

Client Mode (PAT) 3-13

Client Mode with Split Tunneling 3-14

VPN Concentrator Settings Required for PAT 3-14

Network Extension Mode 3-14

Network Extension Mode per Group 3-15 Network Extension Mode with Split Tunneling 3-15 VPN Concentrator Se ttings Required for Network Extension Mode 3-15 Tunnel Initiation 3-16

Tunnel Initiation with Interactive Unit Authentication 3-16

Data Initiation 3-16

Configuring DNS 3-17 Configuring Static Routes 3-18

Adding a Static Route 3-19

Changing admin Password 3-20 Finishing Quick Configuration 3-21 What Next? 3-21

Using Other VPN 3002 Har dware Client Manager Functions 3-22

Understanding the VPN 3002 Hardware Client Mana ger Window 3-23

CHAPTER

4 Using the Command-Line Interface for Quick Configuration 4-1

About Quick Configuration 4-1

Starting Quick Configuration 4-2

Contents

VPN 3002 Hardware Client Getting Started

OL-2854-01

Setting the Time and Date 4-3 Uploading Configuration 4-4 Configuring the Private Interface 4-4 Configuring the Public Interface 4-7

Configuring a System Name 4-8 Configuring DHCP 4-8 Configuring PPPoE 4-9

Configuring a Static IP Address 4-10 Configuring IPSec 4-12 Configuring PAT or Network Extension mode 4-13

Client Mode (PAT) 4-13

VPN 3000 Concentrator Settings Required for PAT 4-13

Network Extension Mode 4-14

VPN 3000 Concentrat or Settings Required for Network Extension Mode 4-14

Enabling or Dis a bling PAT 4-14 Configuring DNS 4-15 Configuring Static Routes 4-15

Adding a Static Route 4-15

Deleting a Static Route 4-17 Changing admin Password 4-17 Completing Quick Configuration 4-18 What Next? 4-18

APPENDIX

A Troubleshooting and Sys tem Errors A-1

Files for Troub le sh oo t ing A-1

Event Logs A-1

Crash Dump File A-2

Configuration Files A-2 LED Indicators A-2

VPN 3002 Front LE D s A-2

VPN 3002 Rear LEDs A-3 System Errors A-3 Settings on the VPN Con centrator A-4 VPN 3002 Hardware Client Manager Errors A-5

Invalid Login or Ses sion Timeout A-5

Manager Logs Out A-6

Incorrect Display A-7

Error Message A-7

Contents

vii

VPN 3002 Hardware Client Getting Started

OL-2854-01

Not Allowed Message A-8 Not Found A-9 Microsoft Inte rnet Explorer Scr ipt Error: No such in te rf ac e supported A-10

Command-Line Interface Errors A-10

A-10

INDEX

Contents

viii

VPN 3002 Hardware Client Getting Started

OL-2854-01

VPN 3002 Hardware Client Getting Started

OL-2854-01

Preface

VPN 3002 Hardware Client Getting Start ed provides i nform ation to take you from unpacki ng and installing the VPN 3002, through configuring the minimal parameters to make it operational (called Quick Configuration ). You can do Quick Configuratio n fr om a con sol e with the m enu -bas ed Command-Li ne In t er face, or you can us e the HTML-based VP N 3002 Hardwar e C l ien t Manager with a browser. This manual describes bot h me thod s, an d we r ecom me nd t he l atte r fo r ea se of us e.

Audience

We assume you are an experienced system administrator or network administrator with appropriate education and training, who knows how to install, configure, and manage internetworking systems. However, virtual private networks and VPN devices might be new to you. You should be familiar with Windows system configuration and management, and you should be familia r with Mi crosoft Internet Explorer or Ne tsca pe N avigator or Co mmu nic ator browsers.

Organization

This guide is organized as follows:

Chapter Title Description

Chapter 1 Understanding the VPN 3002

Hardware Client

Summarizes th e hardwa re an d soft wa re fe a ture s and operation.

Chapter 2 Installing and Powering Up

the VPN 3002

Explains how to prepare for, unpack, install, an d power up the VPN 3002 Hardware Client, and how to begin quick co nfigurati on. O n ce y ou have completed the steps in this chapter, you can use either Chapter 3 or Chapter 4 to complete quick configuration.

Chapter 3 Using the VPN 3002

Hardware Client Manager for Quick Configuration

Explains how to compl ete q ui ck c on figurat ion of the system using the VP N 3 002 Har dware C lient Manager with a br owser. We recommend this method.

VPN 3002 Hardware Client Getting Started

OL-2854-01

Preface

Related Documentation

VPN Client Documentation

The VPN Client User Guide explains how to install, configure, and use the VPN Client, which lets a remote client us e th e IPSec tunn eli ng p rotoc ol for sec ure c on ne ction t o a pr ivate network th rou gh the VPN Concentrator.

The VPN Client Administrator Guide tells how to configure a VPN Concentrator for remote user connections using t he V PN Clie nt, how to a utom ate r emot e us er pr ofiles, how t o use th e V PN C lie nt command-line in terface, a nd how to get troublesho oting i nform ation.

Documentation on VPN Software Dis trib ution CDs

The VPN 3000 Series Concentrator and VPN 3002 Hardware Client documentation are provided on the VPN 3000 Concentrator software distribution CD-ROM in PDF format. The VPN Client documentation is included on the VPN Client software distribution CD-ROM, also in PDF format. To view the latest versions on the Cisco web site, click the Support icon on the toolbar at the top of the VPN Concentrator Manager, Hardware Client Mana ger, or Clie nt wi ndow. To open the docu ment atio n, you n eed Acro ba t Reader 3.0 or late r; versi on 4. 5 is inclu de d o n t he Ci sco V PN 3 000 Co ncen trat o r s oftwa re d istr ibution CD-ROM and on the VPN C lient s oft ware d istr ibution CD -ROM.

Other References

Other useful references include:

• Cisco Systems, Dictionary of Interne tworking Terms and Acronyms. Cisco Press: 2001.

• V irtual Private Networking: An Overview. Microsoft Corporation: 1999. (Av ailable from Microsoft

website.)

• www.ietf.org for Internet Engineering Task Force (IETF) Working Group drafts on IP Sec urity

Protocol (IPSec).

• www.whatis.com, a web refer ence sit e w it h d efinitions fo r c omput er, networki ng, and dat a

communication terms.

xii

VPN 3002 Hardware Client Getting Started

OL-2854-01

Preface

Conventions

This docume nt u s es the f ol lowing conventions:

Notes use the following conventions:

Note Means reader take note. Notes contain helpful suggestions or references to material not

covered in the publication.

Cautions use the following conventions:

Caution Means reader be careful. Cautions alert you to actions or conditions that could result in

equipment damage or lo ss of data.

Convention Description

boldface font Commands and keywords a re in boldface.

italic font Arguments for which you supply values are in ita li cs.

screen font Terminal sessions and information the system displays

are in

screen font.

boldface screen

font

Information you must enter is in boldface screen font.

^ The symbol ^ r epre se nts t he key labe led Con trol —for

example, the key combination ^D in a screen display means hold down the Control key while you press the D key.

xiii

VPN 3002 Hardware Client Getting Started

OL-2854-01

Preface

Conventions

Data Formats

As you configure and manage the system, enter dat a in the following format s unless the instr uctions indicate otherwise:

Type of Data Format

IP Addresses IP addresses use 4-byte dotted decimal notation (for example, 192.168.12.34);

as the example indicates, you ca n omit lea ding zeros in a byte position.

Subnet Masks and Wildcard Masks

Subnet masks use 4-byte dotted de cimal not ation (for example,

255.255.255.0). Wildcard masks use the sam e notati on (for exampl e,

0.0.0.255); as the example illustrates, you can omit leading zeros in a byte position.

MAC Addresses MAC addresses use 6-byte hexadecimal no tati on (f or exampl e,

00.10.5A.1F.4F.07).

Hostnames Hostnames use legitimate network hostname or end-system name notation (for

example, VPN01). Spaces are not allowed. A hostname must uniquely identify a specific system on a network.

Text Strings Text strings use upper- and lower-case al phanu meri c cha racte rs. M ost text

strings are case-sensitive (for example, simon and Simon repre sent different usernames). In most cases, the max imum length of text strings is 48 characters.

Filenames File names on th e VPN 3002 fol low the DOS 8.3 naming co nvention: a

maximum of eight chara cters fo r the name , plus a maxim um of three characters for an extension. For example, LOG00007.TXT is a legitimate filename. The VPN 3002 always stores filenam es in upper case.

Port Numbers Port numbers use decimal numbers from 0 to 65535. No commas or spaces are

permitted in a number.

xiv

VPN 3002 Hardware Client Getting Started

OL-2854-01

Preface

Obtaining Docume ntation

Obtaining Documentation

These sections explain how to obtain docu mentation from Cisco Syste ms.

World Wide Web

You can access the most c ur rent Cisc o doc um ent ation on the World Wide Web at this URL:

http://www.cisco.com

Translated documentation is available at this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation

You can order Cisco documentation in these ways:

• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from

the Networking Produ cts Market Pla ce:

http://www.cisco.com/cgi-bin/order/order_root.pl

• Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription

Store:

http://www.cisco.com/go/subscription

• Nonregistered Cisco.co m u ser s can o rd er docum en tati on th rou gh a l oc al ac count r epre sen tative by

calling Cisco Systems Corpo rate Headqu arter s (Califo rnia, U.S.A. ) at 408 526-7208 or, elsewhere in North America, by calli ng 800 55 3-NE TS (6387).

Documentation Feedback

You can submit commen ts e lec tron i call y o n C is co.c om. I n the Ci sco D o cume ntat ion ho me p age, cl ick the Fax or Email option in the “Leave Feedback” section at the bottom of th e page.

You can e-mail your comments t o bug-doc@c isco.com. You can submit your comments by mail by using the response ca rd beh ind the fr ont cover of your

document or by wri ting t o the fo llowing a ddress: Cisco Systems

Attn: Document Resour ce Connec tion 170 West Tasman Drive San Jose, CA 95134- 988 3

VPN 3002 Hardware Client Getting Started

OL-2854-01

Preface

Obtaining Technical Assistance

We appreciate yo ur comm ents .

Obtaining Technical Assistanc e

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco T ech nical Assistance Center (TA C) Web Site. Cisco.com re gistered us ers hav e complete ac cess to the technical support resources on the Cisco TAC Web Site.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, service s, pr ogram s, a nd resour ce s at any time , from anywhere in the wor ld.

Cisco.com is a highly int egrated In ternet a pplicat ion and a powerful , easy- to-use t ool that provi des a broad range of f eat ures an d s er vices to hel p you w it h th ese tasks:

• Streamline business processes and improve productivity

• Resolve technical issues with online support

• Download and te st so ft war e pa ck ag es

• Order Cisco learning m ateri als and me rcha ndise

• Register for online skill assessment, training, and certification programs

If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL:

http://www.cisco.com

Technical Assistance Center

The Cisco Technical Assistance Center ( TAC) is av ailab le to all c ustomers who need techni cal assistan ce with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site an d t h e C is co TAC Escalation Cen ter.

Cisco TAC inquiries are ca tegorized acc ording to th e urgency of the issue:

• Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities,

product installation, or basi c product configuration.

• Priority level 3 (P3)—Your network perform ance is degrade d. Network fu nctiona lity is not iceabl y

impaired, but most business operations continue.

• Priority level 2 (P2)—Your production ne twork is severely degraded, affect ing significant asp ects

of business operations. No workar oun d is available.

• Priority leve l 1 (P1)—Your production network is down, and a critical impact to business operations

will occur if se rv ice is n ot r esto re d qui ck ly. No workaround i s available.

The Cisco TAC resource that you choose is based on the prio rity of th e proble m and the co nditions of service cont rac ts , w h en appl ic ab le .

xvi

VPN 3002 Hardware Client Getting Started

OL-2854-01

Preface

Obtaining Technical As sistance

Cisco TAC Web Site

You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving bot h cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Si te, go to t his URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login I D a nd passwor d. If yo u have a valid servi ce con tra ct but do no t have a login ID or password, go to this URL to register:

http://www.cisco.com/register/

If you are a Cisco.com registere d user, and you cannot resol ve your tech ni cal issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL:

http://www.cisco.com/tac/caseopen

If you have Internet access, we recommend that you open P3 and P4 cases through t he Cisco TAC Web Site.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a dir ect or y o f t oll- free C isco TAC telephone numbers for yo ur co unt r y, go to this UR L:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the le v el of Cisco suppor t services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Netwo rk Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product se rial numbe r.

CHAPTER

1-1

VPN 3002 Hardware Client Getting Started

OL-2854-01

Understanding the VPN 3002 Hardware Client

The Cisco VPN 3002 Hardware Client communicates with a VPN 3000 Series Concentrator to create a virtual private network across a TCP/IP network (such as the Internet). The VPN 3002 requires minimal configuration, and you can monitor, configure, and upgrade multiple hardware clients at multiple sites from a central location.

The secure connecti on betwee n the VPN 300 2 and the V PN Concent rator is call ed a tunnel ; it uses the IP Security (I PSec) pr otoc ol t o negoti ate sec uri ty pa r amete rs, cre ate a nd m anag e tunn els, e ncap sulat e packets, trans mit or receive th em thr o ugh the tunnel, and unenca ps u late them. It can support a single IP network.

VPN 3002 Hardware Client or VPN Client Software?

The VPN 3002 Hardware Client provides an alternative to deploying the VPN client softwar e to PCs at remote locations. Like the software client, the VPN 3002 is located at a remote site, and provides a secure connection to a VPN Concentrator at a central site. It is important to understand that it is a hardware client, and th at you configur e i t a s a cl ien t of t he c en tra l-sit e VP N Co nc entr ator, not a s a site-to-site connection.

Reasons to us e th e V P N 30 02 ra th er t h an th e s o ftwa re c lie nt in cl u de :

• The computers at the re mote site have operating syst ems other th an Windows.

• You do not own, control , or want to support th e PCs at the remo te site. U sing the VPN 3002

eliminates the need to install and maintain software on those computers.

• You have a large number of remote sites to which you connect using VPNs, and you want to manage

those VPNs from a centr al loca tion.

• The VPN 3002 requires mini mal co nfiguration.

Hardware Features

There are two versions of this VPN 3002 Hardware Client:

• The VPN 3002 has one public and one private 10/100BASE-T Ether net inter face.

• The VPN 3002-8E has one public interface and a b ui lt- in 8-port 10/1 00BASE-T Ethernet switch as

its private interface.

1-2

VPN 3002 Hardware Client Getting Started

OL-2854-01

Chapter 1 Understanding the VPN 3002 Hardware Client

Client Mode and Network Extension Mode

All systems feature:

• Motorola PowerPC CPU

• SDRAM memory for nor mal oper ation

• Nonvolatile memory for critical system parameters

• Flash memory for file management

• Software-based en crypt ion

• Single power supply

Client Mode and Network Extension Mode

The VPN 3002 works in either of two modes: Client mode or Network Extension mode. Client mode is the default.

Online Technical Snapshot Explains PAT and Network Extension Modes

A new interactive multimedia piece explains the differences between Client (PAT) mode and Network Extension mode. To view it, go to this url:

http://www.cisco.com/mm/techsnap/VPN3002_techsnap.html

Your web browser must be equipped with a current version of the Mac romedia Flash Player to view the content. If you are unsure whether your browser has the most recent version, you may want to download and install a f ree copy f rom :

http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash

Client Mode (PAT)

Client mode, also called Port Address Translation (PAT) mode, isolates al l devices on the VPN 30 02 private network from those on th e c orpor ate n etwork. I n PAT mode:

• IPSec encapsulates al l traffic going from the private network of the VP N 3002 to the ne twork(s)

behind the Internet Key Exchange (IKE) peer, that is, the central-site VPN Concentrator.

• PAT mode employs NAT (Network Address Translation). NAT translates the network addresses of

the devices connected to the VPN 3002 private interface to the IP addre ss of the VPN 3 002 public interface. The central-site VPN Concentrator assigns this address. NAT also keeps track of these mappings so that it can forwar d repli es to the co rrect device.

All traffic from the private network appears on the network behind the central-si te VPN Con centrator (the IKE peer) with a single source IP address. This IP address is the one the central-site VPN Concentrator assigns to the VPN 300 2. The IP addresse s of the comput ers on the VPN 3002 private network are hidden. You cannot ping or access a d evice on the VPN 3002 private network from outside of that private network, or directly fro m a device on the pr ivate network at the centr al site.

1-3

VPN 3002 Hardware Client Getting Started

OL-2854-01

Chapter 1 Understanding the VPN 3002 Hardware Client

Client Mode and Network Extension Mode

Client Mode with Split Tunneling

You always assig n t he VPN 3002 to a tunnel group on the central-site VPN Concentrator. If you enable split tunneling for that group, IPSec and PAT are applied to all traffic that travels t hrough the VPN 3002 to networks within the network list for that group b ehind the c entral-si te VPN Concentra tor.

Traffic from the VPN 3002 to any destination other than those within the network list for that group on the central-site VPN Concentrator travels in the clear without applying IPSec. NAT translates the network addresses of the devices connected to the VPN 3002 private interface to the assigned IP address of the public interface and also keeps trac k of these mappings so that it ca n forward replie s to the correct device.

The network and addresses on the private side of the VPN 3002 ar e hidd en, an d cannot be ac cessed directly.

Network Extension Mode

Network Extension mode all ows the VPN 3002 to prese nt a single , routab le netwo rk to the remo te private network over the VPN tunnel. IPSec encapsulates all traffic from the VPN 3002 private network to networks behind the central -site VPN Con centrat or. PAT does not apply. Therefore, devices behind the VPN Concentr ato r h ave direct a cce ss to devices on the VP N 3 002 private network over the tu nnel , and only over the tunnel, and vice versa. The VPN 3002 must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.

In this mode, the central-site VPN Concentrator does not assign an IP address for tunneled traffic (as it does in Client/PAT mode). The tunnel is terminated with the VPN 3002 private IP address (the assigned IP address). To use Network Extension mode, you must configure an IP address other than the default of

192.168.10.1 an d d isable PAT.

Network Extension Mode per Group

Software versions 3.6 and later let a network admi nistrat or restric t the use of network extensio n mode. On the VPN Con cent rat or, you enab le net work extensi on m ode f or V PN 30 02 ha rd ware cli ents o n a group basis.

Note If you disallow network extension mode, whi ch is the defaul t setting on the VPN Conc ent rator, the

VPN 3002 can conn ec t t o that VP N C onc e ntra tor in PAT mode onl y. In this case, be c are ful th at a ll VPN 3002s in the group are configur ed for PAT mode. If a VPN 3002 is configur ed to use network extension mode and the VPN Con cent rat or to whic h it conn ec ts di sall ows network exten sion mo de , the VPN 3002 will attempt to connect every 4 seconds, and every attempt will be rejected; this is the equivalent of denial of serv ice at tack.

Network Extension Mode with Split Tunneling

You always assig n t he VPN 3002 to a tunnel group on the central-site VPN Concentrator. If you enable split tunneling for that group, IPSec opera tes on all traf fic that tra vels thro ugh the VPN 3002 to networ ks within the network list for that group behi nd the central- site VPN Conc entrator. PAT doe s not apply.

1-4

VPN 3002 Hardware Client Getting Started

OL-2854-01

Chapter 1 Understanding the VPN 3002 Hardware Client

IPSec

Traf f ic fro m the VPN 3002 to an y destinatio n other than those wit hin the netwo rk list on the central- site VPN Concentrator travels in the clear without applying IPSec. NAT translates the network addresses of the devices on the VPN 3002 private network to the address of the VPN 3002 public interface. Thus the network and addresses on the pr ivate side of the VPN 3002 are a ccessibl e over the tunnel, but are protected from the Internet, that is, they cannot be accessed directly.

IPSec

IPSec is the set of standards tha t enables the VPN 3002 to co nnect t o a central -site VPN Concen trator over a secure VPN tunnel. Its sec ur ity measur es add ress dat a privacy, integrity, authentication , and key management, as w e ll as t unn eli ng.

IPSec over TC P

The VPN 3002 supports IPSec over TCP, which encapsulates encrypted data traffic within TCP packets. IPSec over TCP enables the VPN 3002 to operate in an environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, UDP 500) cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and enable s secure tu nnel ing thro ugh both NAT and PAT devices and firewalls.

Note This feature does not work with proxy-based firewalls.

The VPN 3002 Hardware Client, which supports one tunnel at a time, can connect using standard IPSec, IPSec over NAT-T, IPSec over TCP, or IPSec over UDP, but only one for the same tunnel.

To use IPSec over TCP, both the VPN 3002 and the VPN Concentrator to which it connects must

• Be running version 3.5 or later software. A VPN 3002 running software earlier than version 3.5 can

connect to a VPN Concentra tor runni ng version 3.5 software and usi ng IPSec over TCP, with the VPN 3002 using either IPSec or IPSec over UDP.

• Enable IPSe c over TCP.

• Configure the same port for IPSec over TCP on both the VPN 3002 and the VPN Concentrator.

IPSec over NAT- T

NAT-T (NAT Traversal) lets IPSec peers establish a connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPSec traffic when necessary.

The VPN 3002 hardware clien t suppor ts NAT-T in software version 3.6 and later. It uses NAT-T by default, and requires no configuration . The VPN 300 2 first attempts NAT-T, a nd then IPSec/ UDP (if enabled) if a NAT device is not au to -det e cted, a llowing I PSec tr affic to pass th rou gh firewalls tha t disallow IPSec.

To use NAT-T you must:

• Open port 4500 o n any firewall you have configured in f ron t of a V PN 3 002 .

• Reconfigure any previous IPSec/UDP configura tion using por t 4500 to a differen t port.

1-5

VPN 3002 Hardware Client Getting Started

OL-2854-01

Chapter 1 Understanding the VPN 3002 Hardware Client

Additional Software Features

• Select the second or third options for the Fragmentation Policy parameter in the Configuration |

Interfaces | Public screen. These options let traffic travel across NAT devices that do not support IP fragmentation; they d o n ot i mpe de the op era tion o f NAT devices that do suppor t I P fr a gment at ion.

IPSec over UDP

The VPN 3002 support s User D atagr am Prot ocol (U DP) Ne twork A ddr ess Translatio n/Firewall (NAT) Transparent IPSec, which encapsulates encrypted data traffic within UDP packets. IPSec over UDP enables secure transm ission be tween the VPN 3002 Hardwa re Client an d the VPN Conce ntrator at the central site through a device, such as a firewall, that is performing Network Address Translation (NAT). The VPN 3002 sen ds ke epal ives freq uent ly, ensuring tha t the ma pping s o n th e NAT device are kept active.

You do not have to configure thi s feature on th e VPN 3002, but the following requ ireme nts do app ly:

• Both the VPN Concentra tor and th e VPN 3002 m ust be runni ng Release 3.0.3 or hig her software .

• You must configure IPSec over UDP for the group on the VPN Concentrator to which the VPN 3002

belongs. For an example, refer to the VPN 3000 Concentra tor Mana ger, Configuration | User Management | Groups | IPSec tab (use the VPN Conce ntrat or Manage r Help, or refe r to VPN 3000 Concentrator Series Reference Volume I: Configuration).

Note We do not currently support a topology with multiple VPN 3002 Hardware Clients behind one NAT

device.

Additional Software Features

The VPN 3002 softwa re incl udes t hese fe atu res.

Interactive Hardware Client Authentication

Interactive hardware client authentication prevents users on the VPN 3002 private LAN from accessing the central site until the VPN 3002 authenticates.

When you enable i nte ract ive hardware clie nt au then tica tio n, the VPN 30 02 does not use a saved username and password. Instead you must manu ally en ter a valid userna me and password for the VPN 3002 each time you conn ect. When the VPN 3002 initia tes the tunnel, it sends the use rnam e and password to the VPN Concentra tor to which it co nnects . The VPN Conc entrat or facilita tes authentication, on either the internal or an external server. If the username and password are valid, the tunnel is established.

You configure interac tive hardware client aut hentica tion on the VPN Concen trato r, which pushes the policy to the VPN 3002. For m or e info rma tion an d co nfigurati on instru ct ions , r e fer t o t he “User Management” chapter of the VPN 300 Series Concentrator Reference Volume 1: Configuration.

1-6

VPN 3002 Hardware Client Getting Started

OL-2854-01

Chapter 1 Understanding the VPN 3002 Hardware Client

Additional Software Features

Enabling and Later Disabling Interacti ve Hardwar e Client Aut henti cation

When you enable interactive hardware client authentication for a group, the VPN Concentrator pushes that policy to the VPN 3002s in the group . If you have previously set a userna me and pass word on the VPN 3002, the software deletes them from the configuration file. When you try to connect, the software prompts you for a us erna me a nd passwor d.

If, on the VPN Concentrator, you subsequently disable interactive hardware authentication for the group, it is enabled lo ca lly o n t h e V PN 300 2, a nd the soft ware cont inue s to pr ompt f or a use rnam e and password. This lets the VPN 3002 connect, even though it lacks a saved username and password, and the VPN Concent r ator h as di sa bled i nt e ract ive har dwar e c lie nt au th en tic a tio n.

If you subsequently configur e a usern am e a nd pa ssword ( in t he VPN 300 2 C onfigura tion | Syst em | Tunneling Protocols | IPSec screen), the feature is disabled, and the prompt no longer displays. The VPN 3002 connects to the VPN Con centrat or using the saved userna me and password.

Individual User Authentication

Individual user authentication protects the central site from access by unauthorized persons on the same private LAN as the VPN 3002.

When you enable individual user authentication, each user that connects through a VPN 3002 must open a web browser and manually enter a valid username and password to access the network behind the VPN Concentrator, even though the tunne l a lre ad y exist s. Th e V PN 30 02 dire cts t he browser to t he p rop er pages for login. W hen t h e use r successf ully log s i n, the browser displ ays you r default home p age.

Note You cannot use the command-line interface to log in if user authentication is enabled. You must use

a browser.

• If you have a default home page on t h e remote network behind the VPN Concentrator, or direct the

browser to a website on the remote network behind the VPN Concentrator, the VPN 3002 directs the browser to the proper p ag es for us er login . W he n y ou suc cessfu lly log in, t he br owser disp lays the page you originally en tered.

• If you try to access resources on the network behind the VPN Concentrator th at are not web-based,

for example, email, the connection will fail until you authenticate.

• To authenticate, you must enter the IP address for the private interface of the VPN 3002 in the

browser Location or Address field. The browser then displays th e login scre en for the V PN 3002. To authenticate, clic k the Conne ct/Logi n Status button.

• One user can log in for a maximum of four sessions simultaneously.

1-7

VPN 3002 Hardware Client Getting Started

OL-2854-01

Chapter 1 Understanding the VPN 3002 Hardware Client

Additional Software Features

Individual users authe nt ic ate acc or ding to t he orde r of au then tic at ion s er vers tha t y ou co nfigure for a group on the VPN C onc ent rat or.

You co nfigure in dividual u ser a ut hent ic ation on t he V PN Conc e ntrat or, which p ushes th e pol icy to t he VPN 3002. For more i nfor ma tion a nd configura tio n in struct ions, ref er t o t he “User Management” chapter of t he VP N 3 000 Seri es Co nc en trator R eference Volume 1: Configuration.

IPSec Backup Servers

IPSec backup servers let a VPN 3002 har dware clien t connec t to the cen tral site wh en its prima ry central-site VPN C once ntra tor i s un available. You configure backup servers for a VP N 30 02 eit her on the VPN 3002, or on a group basis at the central-site VPN Concentrator. If you configure backup servers on the central-site VPN Concentrator, that VPN Concentrator pushes the backup server policy to the VPN 3002 hardware clients in the group .

Figure 1-1 illustrates how the backup server feature works.

Figure 1-1 Backup Server Implementation

XYZ corporation has large sites in three cities: San Jose, California; Austin, Texas; and Boston, Massachusetts. The y just opened a re gion al sales of f ice in Far go, Nort h Dako ta. To provide access to the corporate network from Fargo, they use a VPN 3002 that connects to a VPN 3080 in San Jose (1). If the VPN 3002 is unable to contac t the corporat e network, Fargo cannot pla ce orders. The IPSec backu p server feature lets the VPN 3002 connect to one of several sites, in this case using Austin (2) and Boston (3) as backup servers, in th at order.

The VPN 3002 in Far go first t ries to reach San Jose. If the init ial IKE packet for that connectio n (1) times out (8 seconds), it t ries to co nnect to Austin (2). Should this negotiation also time out, it tr ies to c onnect to Boston (3). These attem pts c ontin ue until the VPN 3002 has tried al l se rvers on its backup server list, to a maximum of 10.

San Jose

VPN 3080

Concentrator

Austin

VPN 3000

Concentrator

Fargo

VPN 3002

Hardware Client

Boston VPN 3000 Concentrator

68158

1-8

VPN 3002 Hardware Client Getting Started

OL-2854-01

Chapter 1 Understanding the VPN 3002 Hardware Client

Additional Software Features

Be aware of the following chara cter isti cs of the ba ckup se rver feat ure:

• If the VPN 3002 cannot connect after trying all backup servers on the list, it does not automatically

retry.

–

In Network Extensio n m ode, t he V PN 3 002 a ttem pt s a n ew co nnecti on aft er 4 se cond s.

–

In Client mode, the VPN 3002 attempts a new connection when the user clicks the Connect Now

button on the Monitoring | System Status screen, or when data passes from the VPN 3002 to the

VPN Concentrator.

• A VPN 3002 mu st c onnec t t o the pr ima ry V PN Co ncent rat or t o download a bac ku p ser ver l ist

configured on the p ri mar y V PN C once ntra t or. If that VPN Co nc entr ato r i s unavailable, and i f t he VPN 3002 has a previously configured backup server list, it can co nnect to the se rvers on that list.

• It can download a backup server list only from the primary VPN Concen trato r. The VPN 3002

cannot download a backup ser ver list fro m a back up server.

• The VPN Concentrators that you configure as backup servers do not have to be aware of each other.

• If you change the configuration of backup servers, or delete a backup server during an active session

between a VPN 3002 and a backup server, the session continues without adopting that change. New settings take effect the next time the VPN 3002 connects to its primary VPN Concentrator.

You can configure th e backup ser ver featu re from the primary V PN Concentr ator or the VPN 3002. Fr om the VPN Concent rator conf igur e backup serv ers on eit her of the Conf igur ation | User Ma nagement | Base Group or Groups | M ode Configu ratio n scr eens. On the VPN 30 02, c onfigure b acku p se rvers on the Configuration | System | Tunneling Protoc ols | IPSec scre en.

The list you configure on the VPN 3002 applies only if the option, Use Client Configured List, is set. T o set this option, go to t he I PSec B ac kup Servers para met er o n the M ode Co nfigurat ion ta b o f th e Configuration | User Management | Groups | Add/Modify screen of the primary VPN Concentrator to which the VPN 3002 c on nec ts.

Note The group name, use rnam e, a nd p asswords tha t yo u con figure f or the VP N 3 002 mu st be id en tica l

for the primary V PN C once ntra tor a nd all back up se rvers. A lso, if you re quire int era ctive hardware client authenticat ion and/ or individual us er authe nticat ion for th e VPN 3002 on t he prima ry VPN Concentrator, be sure to configure it on backup servers as well.

1-9

VPN 3002 Hardware Client Getting Started

OL-2854-01

Chapter 1 Understanding the VPN 3002 Hardware Client

Additional Software Features

H.323 in PAT Mode

H.323 is the packet-based multimedia communications standard written by the ITU. A variety of applications use this standard to effect real-time audio, video and data communications. It lets the VPN 3002 support Microsoft NetMeeting. Figure 1- 2 is a network diagram that illustrates H.323 services the VPN 3002 supports. H.323 requ ires no configu ration on th e VPN 3002.

Figure 1-2 H.323 Network Example

78453

Corporate Network

GateKeeper A

(Zone 2)

GateKeeper B

(Zone 1)

ILS

PC 5

Gateway

POTS_1 POTS_2

VPN 3000 Concentrator

VPN 3002_1VPN 3002_2

PC 3

PC 4

PC 1

PC 2

Internet

1-10

VPN 3002 Hardware Client Getting Started

OL-2854-01

Chapter 1 Understanding the VPN 3002 Hardware Client

Additional Software Features

The following sections describe H.323 features, referring to Figure 1-2.

H.323 Element Description

NetMeeting Microsoft conferencing and collaboration software. Features include video and

audio conferencing, whiteboard, chat, file transfer, program sharing, and remote desktop sha ring.

VPN 3002 H.323 servi ce s sup port Ne tMeet ing . PCs 1 , 2, 3, 4 , and 5 a nd POTS_1 and 2 can communicate using NetMeeting applications. This includes PC3 communicating with PC 4, and PC1 comm unicati ng with PC2. Any PC can host a NetMeeting conference.

GateKeeper A Cisco IOS H.323 GateKeeper, for example, a Cisco 2620 router.

GateKeepers provide registratio n, cal l control , and status ma nageme nt for H.323 endpoints an d gateways.

• GateKeeper service s m ust resid e on t he c or porat e n etwor k.

• Multiple NetMeeting PCs be hin d the sa me V PN 3002 c an si mu ltaneou sly

register and plac e H .323 c alls to on e or mo re Ga teKeep er z one s. For example, PC 3 an d PC 4 can bo th r egister t o ei ther Ga teKeeper A or GateKeeper B, and PC3 can r eg iste r to G ateK eep er A a t the sam e ti me th at PC 4 registers to G ateKeeper B.

• Two or more PCs behind a VPN 3002 that register to a Gat eKeeper can

make or receive simultaneous calls betwe en two or more endp oints. For example, PC 1 can call PC3 at the same time that a call from PC 2 to PC 4 and PC 5 is in progress.

ILS (Internet Locator Direct ory Services)

Microsoft software that uses the LDAP protocol to provide registrat ion and status manageme nt f or H.3 23 endpo i nts.

• ILS services must reside on th e corpora te network .

• Multiple PCs behind the same VPN 3002 cannot register to an ILS server.

For example, PC 3 and PC 4 cann ot bot h register t o th e same IL S s erver. PC 1 and PC 4 can both register to the same ILS server.

• ILS registration for NetMeeting on Windows 9x PCs defaults to LDAP port

389, and for Windows 2000 PCs to port 1002. If your ILS server cannot use port 1002, you need to reconfigure Windows 2000 PCs for LDAP port 389.

Note A PC can reg ister wit h either a GateK eep er or with an ILS s erv er , b ut no t both si multane ously.

Gateway A Cisco IOS H.323 Gateway, for example, a Cisco 3620 router. Gateways let

H.323 devices, in thi s case Ne tMeet ing PCs, c om mu nicat e w ith non- H.32 3 devices, such as POTS phones .

POTS Plain old telephone system. Any PC can initiate a NetMeeting call to a POTS

phone and exchange audi o. However, a POTS phone cannot initiat e a call to a NetMeeting PC behin d a VPN 3002.

In this example, PCs 1, 2, 3, 4, or 5 can initiat e calls to POTS_1 or POTS_2, but POTS_1 and POTS_2 can only receive calls.

MCU Multipoint contr ol un i ts. The VP N Conc ent rator H .323 impl eme nta tion doe s

not support MCUs .

H.323 Endpoint A PC running NetMeeting or a n H.323 Gateway.

1-11

VPN 3002 Hardware Client Getting Started

OL-2854-01

Chapter 1 Understanding the VPN 3002 Hardware Client

Additional Software Features

Notes on H.323 GateKeepers

Be aware of the following characteristics of NetMeeting GateKeepers.

NetMeeting Displays Names of Previous Meeti ng Caller s

When an H.323 call is disconnecte d, th e Ne tMe etin g ap p lica tion st ill d isplay s th e n ames o f th e m eeti ng callers in the Cal l w indow. Before you plac e a n ew call, p er for m a H angup op er ati on to re move these names.

VPN Tunnel Disconnects or a Network Failure Occurs with NetMeeting Active

When a VPN tunnel disconnects without the PC behind the VPN 3002 logging off from the GateKeeper, problems may occur. This is so whether the VPN session terminates gracefully, or because of a network failure (NetMeeting PC re boots or VPN 3002 reboot s).

Because of the failure to log off, a registration mismatch may occur between the GateKeeper and the NetMeeting application. The GateKeeper maintains a NetMeeting registration based on a configurable inactivity timeout period, with the def ault being one hour . If a PC attempts registr ation after a discon nect and before the timeout peri od has expired, the G ateKeeper rejec ts the request .

The solutions are two:

1. Log off from the Ga teKeep er befo re d iscon ne cti ng the tu nne l.

2. Set the GateKeeper registration timeout value to a shorter time period. We recommend 15 minutes.

Use the ‘endpoint ttl’ command on the Cisco GateKeeper to set this value.

RADIUS with Password Expiry

RADIUS with password expiry is an IPSec authentication method that you configure for a VPN 3002 on on the VPN Concentrator to which it conn ects. This optio n lets the VPN Conc entrato r that is attem pting to authenticate an IPSec client to an external RADIUS server (acting as a proxy to an NT server) determine when a user’s passwor d has expire d an d p rom pt for a n ew password. B y defa ult, thi s op tion is disabled.

Enabling this option allows the VPN Concentrator to use MS-CHAP-v2 when authenticating an IPSec client to an external RADIUS server. That RADIUS server must support both MS-CHAP-v2 and the Microsoft Ve ndor Specific Attributes. Refer to the documentation for your RADIUS server to verify that it supports these capabilities.

Because of the use of MS-CHAP-v2, when this option is enabled, the VPN Concentrator can provide enhanced login failure messages that describe specific error conditions. These conditions are:

• Restricted login hours.

• Account disabled.

• No dialin permission.

• Error changing password.

• Authentication failure.

The “password expi red” message appear s when the user whose password has expired first attempts t o log in. The other messages appea r only after three unsu ccessful logi n attemp ts.

Note To use RADIUS p as sword expiry wi th a V PN 3002 , you m ust e nabl e i nte ra ctive hardware cl ient

authentication. This feature does not work for individual user authentication.

1-12

VPN 3002 Hardware Client Getting Started

OL-2854-01

Chapter 1 Understanding the VPN 3002 Hardware Client

Additional Software Features

Load Balancing

Load balancing l et s y ou distri bute se ssions am ong t wo or mo re V PN C once ntra tors co nnec ted on the same network to handle remote sessions. Load balancin g directs sessions to the least lo aded de vice, thus distributin g the load among al l devi ces. It makes ef fici ent use of syste m resources and provides in creased performance and h ig h availability. Load balancing re quir es no configur ation on t he VPN 300 2.

Simple Certificate Enrollment Protocol (SCEP)

You can enroll and install digital certif icates on the VPN 300 2 automatical ly or manu ally. The automatic method is a new feature that uses the Simple Certificate Enrollment Protocol (SCEP) to streamline enrollment and inst allatio n. SCEP is a secure messa ging protoc ol that req uires mi nimal us er intervention. This method is quicker than enrolling and installing digital certificates manually, but it is availab le on ly if you are both enrolling wi th a CA th at su ppo rts SCEP an d en rolling via the web. If your CA does not support SCEP, or if you enroll with digital certificates by a means other than the web (such as through email or by a diskette), then you cannot u se the automat ic method; you must use the manua l method.

Reset/Restore Monitoring Statistics

You can now reset and restore statistical data to better note changes in that data. When you click Reset on a monitoring o r administratio n screen, the sys tem temporarily resets a counte r for the chosen statistics without affecting the operation of the VPN 3002. You can then view statistical information without affecting the actual curren t values of the count ers or othe r manage ment session s. The fu nction is like that of a vehicle’s trip odometer, versus the regular odometer. Click Restore to return to the actual statistical values.

XML Management

The VPN 3002 now supports an XML-b ased inte rface that lets you use an external manage men t application.

Cisco management applications, third-party applications tha t manage our products, and customers who want to manage their de vices using their own inf rastructure can u se this interface. This feature is en abled by default; you do not have to configure it.

The XML data c an be se nt to or up load ed f rom t he V PN Co ncen trat o r us ing HTT PS, SSH , or sta ndard file transfer m e ch an is m s su ch as FTP o r TF TP.

Reverse Route Injection (RRI)

You can co nfigure the V PN Concent rator to add rout es to its rou ting tabl e for remote hardware or software clien ts. Th e VPN Con centrato r can th en a dve rti se these r out es to its private network via RIP or OSPF. This feature is called reverse route injection (RRI).

For example, with a VPN 3 002 i n ne twork ext ens ion m ode, ne twork extension RRI aut om atic all y add s hosts on the VPN 3002 private network to the VPN Concentrator’s routing table for distribution by either RIP or OSPF.

RRI requires no c onfigura tion on the V PN 30 02.

1-13

VPN 3002 Hardware Client Getting Started

OL-2854-01

Chapter 1 Understanding the VPN 3002 Hardware Client

Management Interfaces

AES with Diffie-Hellman Group 5

Software version 3.6 adds support for Advanced Encryption Standard (AES), which is more secure than DES and more efficient than triple DES. AES has 128- , 192-, and 256 -bit key strengths. This software version also adds support for Diffie-Hellman Group 5. You select an encryption algorithm as part of IPSec configuration on the VPN Concent rator.

Management Interfaces

The VPN 3002 offers multipl e manage ment inte rfaces. You can use each of these interface s to fully configure, administ er, and moni tor t he d evice.

• The VPN 3002 Hardware Cl ient Man ager is an HTML -base d interface that let s you mana ge the

system remotely with a standard web browser using one of the following:

–

HTTP connecti ons

–

HTTPS (HTTP over SSL) secure connections

• The VPN 3002 Hardware Cli ent comm and-lin e inter face is a menu- an d comma nd-li ne based

interface that you can use with the local system console or remotely using one of the following:

–

Telnet connections

–

Telnet over SSL secure connecti ons

–

SSH (Secure Shell)

1-14

VPN 3002 Hardware Client Getting Started

OL-2854-01

Chapter 1 Understanding the VPN 3002 Hardware Client

VPN Software Features Summary

The VPN 3002 incorpo rates the following softwa re feature s:

VPN Feature Description

Tunneling protocols IPSec Protocol. The VPN 3002 uses the IKE and XAUTH protocols for secure

key exchange and authentication, and to create secure VPN tunnels. The VPN 3002 can connect to the VPN Concentrator using standard IPSec, NAT-T, IPSec over T CP, or IPSec over UD P.

Encryption algorithms

• 56-bit DES (Data Encryption Stan dard)

• 168-bit Triple DES

• 128-, 192-, and 256-bit AES

Authenti cation algorithms

• HMAC (hashed message au then tic at ion c od ing) wi th M D 5 (me ssa ge

digest 5)

• HMAC with SHA-1 ( sec ur e ha sh al go rit hm )

Key management

• IKE (Internet Key Exchange , formerl y call ed ISAKM P/O akley) with

Diffie-Hellman key technique

Network addressing support

• DNS (Domain Name System)

• DHCP (Dynamic Host Configuration Protocol )

• PPP over Ethernet (PPPoE)

Certificate authorities

• Baltimore

• Entrust

• Microsoft Windows 2000

• Netscape

• RSA Keon

• VeriSign

+ 68 hidden pages

Cisco CVPN3002-K9 - Fast Ethernet VPN Gateway, 3002 Getting Started

Specifications and Main Features

Frequently Asked Questions

User Manual