Cisco OL-5532-02 User Manual

Remote Access VPN Services
This chapter contains the following sections:
Adding AAA Server Devices to Your Repository, page 4-2
Creating Encryption Policies, page 4-5
Creating Remote Access VPN Policies, page 4-5
Creating Remote Access VPN Service Requests, page 4-25

Creating Remote Access VPN Services

Remote Access VPN tunnels are initiated by a VPN Client and terminated at the secure network edge, as illustrated in Figure 4-1. (The blue lines represent the Remote Access VPN tunnels.)
Figure 4-1 Remote Access VPNs
To begin the remote access provisioning process, the network administrator defines an encryption policy, a remote access VPN policy, and (optionally) configures a AAA server (pronounced “Triple A server”). The remote access policy is then applied to CPE devices in the network through deployment of a remote access service request that uses the remote access policy.
OL-5532-02
Cisco IP Solution Center Integrated VPN Management Suite Security User Guide, 3.2
4-1

Note Before creating an ISC security policy or service request, it is necessary to populate the ISC repository with the target devices in your network, collect the initial device configuration files, designate customers and customer sites, and define each device as a CPE.
CPE devices are the devices at each end of the VPN tunnel. Creating CPE devices includes assigning each target device to a specific customer and customer site and marking the device interfaces. Specifically for security management, you must define at least one public and one private interface on each device.
For how-to information on populating your ISC repository and setting up CPE devices, refer to the Cisco IP Solution Center Integrated VPN Management Suite Infrastructure Guide, 3.2.
In the Remote Access VPN policy, the network administrator performs the following tasks:
Configures the encryption policy (which contains IKE and IPsec proposal parameters) that defines the network layer encryption and authentication control.
Specifies the IKE XAuth parameters for user authentication.
Sets the Mode Configuration parameters for policy push and features such as dynamically assigned client IP addresses.
Defines the remote access user group. (Because each remote access policy defines a user group, you can use multiple remote access policies in the same service request. This enables you to configure multiple user groups on the same CPE device.)
Defines remote access parameters.
The group policy information is stored in a profile that can be used locally in the VPN device configuration. When the user or group information is stored on AAA servers, you must also configure access to the AAA servers and allow the VPN device to send requests to the AAA servers.
Once created, the remote access policies can also be applied to multiple service requests.
To define a remote access VPN service, use the following sections:
Adding AAA Server Devices to Your Repository, page 4-2
Creating Encryption Policies, page 4-5
Creating Remote Access VPN Policies, page 4-5
Creating Remote Access VPN Service Requests, page 4-25
Adding AAA Server Devices to Your Repository
A AAA server (pronounced “Triple A” server) is required when the user authentication method is external or the group policy information is stored on an external AAA server. If user profiles or group attributes are to be obtained from a AAA Server (as opposed to having them stored on the CPE device itself), then a AAA Server entry must be created and added to your ISC repository.
To create a AAA server entry in ISC, perform the following steps:
Step 1 Click Home > Service Inventory > Inventory and Connection Manager > AAA Servers. The AAA Servers page appears as shown in Figure 4-2.
Figure 4-2 The AAA Servers Page
Step 2 Click Create. The Create AAA Server page appears as shown in Figure 4-3.
Figure 4-3 The Create AAA Server Page
Step 3 Follow the instructions in Table 4-1 to enter the AAA server attributes.
Table 4-1 Create AAA Server Fields (Field Name (Type) – Instructions)
Name (text box) – Enter a name for the AAA server.
Owner (Select button) – Specify whether the policy is global by clicking Global, or customer owned by clicking Customer. If you select Customer, you are required to specify the owner. Choose the customer with which you want to associate the AAA server. To do this, click Customer > Select. The Customer for IPsec Policy dialog box appears. Click the button next to the customer you want to select and click Select (to choose that customer), or click Cancel to exit the dialog box without saving changes. Both return you to the main page.
IP Address (text box) – Enter the IP address of the AAA server.
Server Type (drop-down list) – Click the drop-down list and select the type of the AAA server. The type can be RADIUS, NTDOMAIN, SDI, or TACACS+. The NTDOMAIN and SDI options are supported for the VPN 3000 only.
Server Role (drop-down list) – Click the drop-down list and select the server role for this AAA server:
AUTHENTICATION – Use as an authentication server only.
ACCOUNTING – Use as an accounting server only.
BOTH – Use as an authentication and accounting server.
Port (text box) – Enter the authentication port number if the AAA server acts as an authentication server. The default authentication port is 1645 for a RADIUS server.
Accounting Server Port (text box) – Enter the accounting port number if the AAA server acts as an accounting server. The default accounting port is 1646 for a RADIUS server.
Timeout (text box) – Enter the timeout in seconds for how long to wait after sending a query to the server and receiving no response before trying again. The default is 4 seconds.
Retries (text box) – Enter the number of times to retry sending a query to the server after the timeout period. The default is 2.
Secret (text box) – Enter the AAA server secret (also called the shared secret). The field displays only asterisks.
Verify Secret (text box) – Retype the AAA server secret. It must match what you entered in the Secret field exactly.
Step 4 Click Save when done. The AAA Servers page appears with the newly created AAA server displayed in the AAA server list, as shown in Figure 4-4.
Figure 4-4 The AAA Servers Page After Adding A New Server

Creating Encryption Policies
The encryption policy defines the security parameters for protecting data traveling through the VPN tunnels. It consists of one or more IKE proposals, one or more IPsec proposals, and global attributes. For example, the IKE proposal portion of the encryption policy could consist of selecting the 3DES, SHA, certificates, and Diffie-Hellman Group 2 options, and the IPsec proposal portion of the encryption policy could consist of selecting the ESP-AES, ESP-SHA, no authentication header (AH), no compression, and no PFS options.
You must have an encryption policy for your remote access policy. However, the same encryption policy defined for a site-to-site VPN policy may also be used for a remote access policy. So, if you have already created an encryption policy in ISC that you would like to use, proceed to the “Creating Remote Access VPN Policies” section on page 4-5. Otherwise, follow the instructions in the “Creating an Encryption Policy” section on page 3-5 and create an encryption policy before continuing.

Creating Remote Access VPN Policies

The remote access VPN policy defines the characteristics of the IPsec tunnel between the customer site and the remote user. Its attributes include the VPN group name and password, IP address pools, and split tunneling subnets. Additionally, the policy defines what VPN features are enabled and which are not. For example, the policy enables (or disables) reverse route injection and NAT transparency.
To create a remote access VPN policy, perform the following steps:
Step 1 Click Service Design > Policies. The Policies page appears as shown in Figure 4-5, with previously created policies displayed.
Figure 4-5 The Policies Page
Step 2 Click Create > IPsec Policy. The IPsec Policy Creation page appears as shown in Figure 4-6.
Figure 4-6 The IPsec Policy Creation Page
Step 3 Click Remote Access VPN Policy.
Step 4 The Remote Access VPN Policy – General Editor page appears as shown in Figure 4-7. Look at the list of steps in the table of contents (TOC) on the left of the page. These are the steps for creating a remote access VPN policy.
Figure 4-7 The Remote Access VPN Policy – General Editor Page
Step 5 Follow the instructions in Table 4-2 to enter values for the Remote Access VPN Policy – General Editor.
Table 4-2 Remote Access VPN Policy – General Editor Fields (Field Name (Type) – Instructions)
Name (text box) – Enter a name for the policy. However, the name cannot contain spaces because it is used as the VPN group name.
Owner (radio button and Select button) – Click Customer > Select and choose the customer for which the remote access VPN is intended. When you click Customer > Select, the Customer for IPsec Policy dialog box appears. Click the button next to the customer you want to select and click Select (to choose that customer), or click Cancel to exit the dialog box without saving changes. Both return you to the main page.
Do not select Global. It is important to associate remote access policies with a specific customer because many remote access VPN parameters are customer-specific.
Encryption Policy (Select button) – Choose the name of an encryption policy you created in previous steps by clicking Select. The encryption policy specifies the IKE and IPsec proposal parameters for the IPsec VPN and determines the level of encryption used in the IPsec VPN tunnels.
Group Type (drop-down list) – Select the policy type. An internal group is configured on the VPN device while an external group is configured on an external AAA server.
Internal – Group attributes are on the target device. If the user profiles and group attributes are maintained on the CPE device itself, select Internal.
External – Group attributes are obtained from a AAA Server. If the user profiles and group attributes are maintained on a AAA Server, select External.
Group Password (text box) – Required when you select Internal for the Group Type field. Enter the password (IKE preshared key) for the group. The policy name and password are very important because they are the group name and password that remote users must use when connecting through the Cisco VPN Client.
Confirm Password (text box) – Re-enter the group password to verify it.
XAuth (checkbox) – Check to enable IKE Extended Authentication (XAuth).
XAuth Timeout (text box) – Enter the idle timeout value for XAuth. The range is from 5 to 90 seconds. The default value is 5 seconds.
Use Mode Configuration (checkbox) – Mode Configuration is also known as the ISAKMP Configuration Method or Configuration Transaction. Specifically, when enabled, this option exchanges configuration parameters with the client while negotiating Security Associations (SAs).
Check the Mode Configuration checkbox to use Mode Configuration with the IPsec clients in this group. You must enable Mode Configuration for IPsec clients because IPsec uses Mode Configuration to pass all configuration parameters to the client. Otherwise, these parameters are not passed to the client. Also, you must check this box to use split tunneling.
Uncheck the box if you are using L2TP over IPsec as your tunneling protocol.
Note The Cisco VPN Client supports Mode Configuration, but other IPsec clients may not. For example, the Microsoft Windows 2000 IPsec client does not support Mode Configuration. (The Windows 2000 client uses the PPP layer above L2TP to receive its IP address from the VPN Concentrator.) If you are using other client software packages, check for compatibility in the documentation for your client software before using this option.
NAT Traversal (checkbox) – Also called NAT transparency. NAT traversal enables IPsec VPN tunnels to span multiple Network Address Translation (NAT) and Port Address Translation (PAT) domains. Without NAT traversal, IPsec VPN tunnels cannot span NAT or PAT domains due to incompatibilities between IPsec packet header requirements and address translation mechanisms.
When ON, this option allows IPsec traffic to travel through a NAT or PAT point in the network. Requires Cisco IOS Software Release 12.2(13)T or above.
IKE NAT Keepalive (in seconds) (text box) – Available only when NAT Traversal is enabled. The default value is 20 seconds and the range is from 10 to 3600 seconds.
Tunneling Protocol (drop-down list) – Select the tunneling protocol with which this group can connect. Select IPSec or L2TP over IPsec. The L2TP over IPsec option is supported for the VPN 3000 only. Consequently, if you select L2TP over IPsec, only VPN 3000 devices will be available for use in any IPsec RA service request that uses this remote access policy.
Authentication Server (drop-down list) – Select the authentication method for members of this user group. (The name of the Remote Access Policy becomes the user group name.) The following options are supported:
None – Select this option if you selected L2TP over IPsec as the tunneling protocol option. If you select this option, remote users will not be authenticated by an authentication server. This option is supported for the VPN 3000 only.
RADIUS – Authenticate users using Remote Authentication Dial In User Service (RADIUS). The RADIUS specification is described in RFC 2865.
Internal – Authenticate users against a database internal to the device.
NT Domain – Authenticate users using an external Windows NT Domain system.
SDI – Authenticate users using Security Dynamics International (SDI) authentication.
TACACS+ – Authenticate users using Terminal Access Controller Access Control System Plus (TACACS+).
Default Domain Name (text box) – Enter the default domain name given to users of this group.
DNS Primary Server (text box) – Enter the IP address of the primary Domain Name System (DNS) server. This option is for use with all authentication methods.
DNS Secondary Server (text box) – Enter the IP address of the secondary DNS server. This option is for use with all authentication methods.
WINS Primary Server (text box) – Enter the IP address of the primary Windows Internet Name System (WINS) server. This option is for use with all authentication methods.
WINS Secondary Server (text box) – Enter the IP address of the secondary WINS server. This option is for use with all authentication methods.
Step 6 Click Next to continue to the Address Pools page as described in the “Defining Address Pools” section on page 4-10.
Note You can click Finish on any of the Remote Access VPN Policy pages. When you click Finish, the unedited policy parameters take the default settings provided by ISC, and ISC saves the policy to your repository.
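The General Editor fields above carry several cross-field rules (no spaces in the group name, Mode Configuration required for split tunneling but off for L2TP over IPsec, keepalive only with NAT Traversal, None authentication only with L2TP over IPsec). As an added example, not code from ISC or this guide, the following Python check encodes those rules so a policy definition can be reviewed before it is saved; the dict keys are assumed names for the editor fields, and treating NT Domain and SDI as VPN 3000 only is an inference from Table 4-1.

```python
# Added example, not ISC's own code: check a Remote Access VPN Policy
# definition against the cross-field rules Table 4-2 states for the
# General Editor. The dict keys are assumed names for the editor fields.

def validate_ra_policy(p):
    """Return a list of problems found in the policy dict (empty means OK)."""
    problems = []
    if " " in p["name"]:
        problems.append("Name: no spaces allowed, it becomes the VPN group name")
    if p.get("owner", "Customer") != "Customer":
        problems.append("Owner: associate the policy with a customer, not Global")
    if p["group_type"] == "Internal":
        pw = p.get("group_password", "")
        if not pw:
            problems.append("Group Password: required for an Internal group")
        elif p.get("confirm_password") != pw:
            problems.append("Confirm Password: does not match Group Password")
    if p.get("xauth") and not 5 <= p.get("xauth_timeout", 5) <= 90:
        problems.append("XAuth Timeout: must be 5..90 seconds")
    if p.get("nat_traversal"):
        if not 10 <= p.get("ike_nat_keepalive", 20) <= 3600:
            problems.append("IKE NAT Keepalive: must be 10..3600 seconds")
    elif "ike_nat_keepalive" in p:
        problems.append("IKE NAT Keepalive: only available with NAT Traversal")
    l2tp = p["tunneling_protocol"] == "L2TP over IPsec"
    if l2tp and p.get("mode_config"):
        problems.append("Use Mode Configuration: uncheck for L2TP over IPsec")
    if p.get("split_tunneling") and not p.get("mode_config"):
        problems.append("Split tunneling requires Mode Configuration")
    if p["auth_server"] == "None" and not l2tp:
        problems.append("Authentication Server: None is only for L2TP over IPsec")
    return problems

def requires_vpn3000(p):
    """True when the chosen options limit the policy to VPN 3000 devices.
    L2TP over IPsec and the None method are VPN 3000 only per Table 4-2;
    NT Domain and SDI are assumed so because Table 4-1 lists those AAA
    server types as VPN 3000 only."""
    return (p["tunneling_protocol"] == "L2TP over IPsec"
            or p["auth_server"] in ("None", "NT Domain", "SDI"))

# Constructed sample: an Internal group for the Cisco VPN Client.
SAMPLE_OK = {
    "name": "sales-ra", "owner": "Customer", "group_type": "Internal",
    "group_password": "s3cret-psk", "confirm_password": "s3cret-psk",
    "xauth": True, "xauth_timeout": 30, "mode_config": True,
    "split_tunneling": True, "nat_traversal": True, "ike_nat_keepalive": 20,
    "tunneling_protocol": "IPSec", "auth_server": "RADIUS",
}
```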

Defining Address Pools

In this section, you create the IP address pools that remote clients use to establish IPsec tunnels to the private site. Remote clients are assigned an inside IP address from these pools.
Step 1 From the Remote Access VPN Policy – General Editor page click Address Pools. The Remote Access VPN Policy – Address Pools page appears as shown in Figure 4-8.
Note From the ISC home page, you can navigate to this page by clicking Service Design > Policies > Create > IPsec Policy > Remote Access VPN Policy, entering values in the Remote Access VPN Policy – General Editor, and then clicking Next.
Figure 4-8 The Remote Access VPN Policy – Address Pools Page
Step 2 Click Create to add the remote access IP address pool. The Address Pools dialog box appears as shown in Figure 4-9.