184 Chapter 10: Virtual Private Networks
Example 10-9 displays the output from debug crypto ipsec for the same firewall. Notice that this debug command actually depicts the real address of the node behind the firewall that is initiating the VPN connection.
Example 10-9 debug crypto ipsec Command Output

    IPSec(key_engine): got a queue event...
    IPSec(spi_response): getting spi 0xd532efbd(3576885181) for SA
            from 192.168.2.1 to 192.168.1.1 for prot 3
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src 192.168.2.1, dest 192.168.1.1
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_AUTH_AWAIT
    ISAKMP (0): Creating IPSec SAs
            inbound SA from 192.168.2.1 to 192.168.1.1 (proxy 10.10.10.3 to 192.168.1.1.)
            has spi 3576885181 and conn_id 2 and flags 4
            outbound SA from 192.168.1.1 to 192.168.2.1 (proxy 192.168.1.1 to 10.10.10.3)
            has spi 2749108168 and conn_id 1 and flags 4
    IPSec(key_engine): got a queue event...
    IPSec(initialize_sas): ,
      (key eng. msg.) dest= 192.168.1.1, src= 192.168.2.1,
        dest_proxy= 192.168.1.1/0.0.0.0/0/0 (type=1),
        src_proxy= 10.10.10.3/0.0.0.0/0/0 (type=1),
        protocol= ESP, transform= esp-3des esp-md5-hmac ,
        lifedur= 0s and 0kb,
        spi= 0xd532efbd(3576885181), conn_id= 2, keysize= 0, flags= 0x4
    IPSec(initialize_sas): ,
      (key eng. msg.) src= 192.168.1.1, dest= 192.168.2.1,
        src_proxy= 192.168.1.1/0.0.0.0/0/0 (type=1),
        dest_proxy= 10.10.10.3/0.0.0.0/0/0 (type=1),
        protocol= ESP, transform= esp-3des esp-md5-hmac ,
        lifedur= 0s and 0kb,
        spi= 0xa3dc0fc8(2749108168), conn_id= 1, keysize= 0, flags= 0x4
    return status is IKMP_NO_ERROR
Cisco VPN Client
The VPN client is used to connect to access VPNs because one of the peers is mobile and the VPN does not remain up at all times. Cisco VPN Client for Windows is a package that is installed on a remote system to create VPN connections from remote locations. Sales personnel and executives who spend time traveling but still need access to the corporate network commonly use this package. It is possible to use the VPN client after connecting to the Internet using any of the following connections:

• Dialup
• Cable modem
• Digital Subscriber Line (DSL)
• Integrated Services Digital Network (ISDN)
• Local-area network (LAN)
After connecting to the Internet, you open the VPN client and initiate the connection to your peer (corporate network). The VPN client negotiates the connection using IKE and secures the connection with IPSec. After it is established, the VPN connection functions the same way as the intranet or extranet VPN. The main difference is that one peer is remote and the VPN client handles the connection negotiation and the encryption. Usually the only thing left for the user to do is to input his or her password.
VPN Groups
Cisco VPN 3000 clients can be combined into a single group or into multiple groups that share like policies, which are applied using the vpngroup command. Table 10-8 lists the commands and options available when configuring VPN groups.
Table 10-8 VPN Group Commands and Options

Command | Description
vpngroup group_name | Assigns a name of up to 128 ASCII characters to a specific VPN group.
address-pool ip_pool_name | Specifies a pool of local addresses to be assigned to VPN clients as they connect to the network.
default-domain domain_name | Assigns a default domain name to all VPN clients.
dns-server dns_ip_prim/sec | Assigns primary and secondary DNS server information that is given to the VPN clients as they negotiate the connection.
wins-server wins_ip_prim/sec | Assigns primary and secondary WINS server information that is passed to the VPN clients as they negotiate the connection.
idle-time idle_seconds | Sets the inactivity timeout.
max-time max_seconds | Sets the maximum time for a VPN connection to remain up.
password preshared_key | Specifies a group preshared key.
split-tunnel acl_name | Specifies an ACL that allows the user to maintain an encrypted tunnel into the network and a clear tunnel out to the Internet.
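The following configuration is an added example, not taken from the book, that applies every Table 10-8 option to one VPN group. The group name remoteusers, the pool vpnpool, the ACL split_tunnel, the domain corp.example.com and all addresses are assumed placeholders; lines beginning with a colon are PIX configuration comments.

```cisco
: Pool of local addresses handed to VPN clients as they connect (assumed range)
ip local pool vpnpool 10.10.20.1-10.10.20.254

: Split-tunnel ACL: only traffic between the corporate 10.10.10.0/24 network and the
: client pool is encrypted; everything else leaves the client in the clear.
: Keep this ACL as narrow as possible, because any network it omits is reached by the
: client outside the tunnel while the tunnel into the corporate network is up.
access-list split_tunnel permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0

: Group policy: every line has the form "vpngroup group_name option"
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 10.10.10.53 10.10.10.54
vpngroup remoteusers wins-server 10.10.10.55
vpngroup remoteusers default-domain corp.example.com
vpngroup remoteusers split-tunnel split_tunnel
vpngroup remoteusers idle-time 1800
vpngroup remoteusers max-time 28800
: Group preshared key; the VPN client must be configured with the same group name and key
vpngroup remoteusers password <group-preshared-key-placeholder>
```

The Cisco VPN Client then connects using the group name remoteusers and the same key. The vpngroup commands only describe the policy pushed to the client; the ISAKMP policy and crypto map that establish the IPSec tunnel itself are configured separately and are not shown here. Because the group key is shared by every client in the group, treat its disclosure as a compromise of the whole group and rotate it when a client machine is lost.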
Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP)
The PIX Firewall can be configured for VPN connections to Microsoft products using either PPTP or L2TP. The command necessary to implement this feature is vpdn. After vpdn is enabled on a specific interface with vpdn enable if_name, all other vpdn commands are grouped under a VPDN group, which is specified using the command vpdn group group_name (where group_name can be an ASCII string of up to 128 characters). Table 10-9 lists the configuration options that can be set for VPDN groups.
Table 10-9 VPDN Configuration Commands and Options

Command | Description
accept {dialin pptp | l2tp} | Configures the PIX Firewall to accept dial-in PPTP or L2TP requests.
ppp authentication {PAP | CHAP | MSCHAP} | Configures the firewall to authenticate connections using either Point-to-Point Protocol (PPP), Challenge Handshake Authentication Protocol (CHAP), or Microsoft CHAP (MS-CHAP). The default setting is PPP.
ppp encryption mppe {40 | 128 | auto | required} | Specifies the bit value for Microsoft Point-to-Point Encryption, whether autonegotiation is allowed, and whether a negotiation is required.
client configuration address local address_pool_name | Identifies the pool of addresses to be assigned to dial-in users.
client configuration dns dns_server_ip1 [dns_server_ip2] | Specifies primary and secondary Domain Name Servers for dial-in users.
client configuration wins wins_server_ip1 [wins_server_ip2] | Specifies primary and secondary Windows Internet Naming Service servers for dial-in users.
client authentication aaa aaa_server_group | Specifies a AAA server group for user authentication.
client authentication local | Authenticates users from a local user database (on the PIX).
client accounting aaa aaa_server_group | Specifies a AAA server group for accounting. (This can be different from the authentication group.)
password | Specifies a local user password.
pptp echo echo_timeout | Specifies a PPTP timeout value in seconds. The PIX terminates the connection if this value is exceeded.
l2tp tunnel hello hello_timeout | Specifies an L2TP timeout value in seconds. The PIX terminates the connection if this value is exceeded.
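As an added example that is not part of the book, the following configuration accepts PPTP dial-in connections with the Table 10-9 options. The group number 1, the pool pptp-pool, the username pptpuser1, the interface name outside and all addresses are assumed placeholders; lines beginning with a colon are PIX configuration comments.

```cisco
: Pool of addresses assigned to dial-in PPTP users (assumed range)
ip local pool pptp-pool 10.10.30.1-10.10.30.50

: Group 1 accepts PPTP, authenticates with MS-CHAP and requires 128-bit MPPE.
: MPPE can only be negotiated on top of MS-CHAP authentication, so the two settings
: go together; with PAP the user password would cross the link in the clear.
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required

: Client settings pushed to the dial-in user
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 10.10.10.53 10.10.10.54
vpdn group 1 client configuration wins 10.10.10.55

: Tear the tunnel down if the peer stops answering PPTP echoes for 60 seconds
vpdn group 1 pptp echo 60

: Authenticate against the local user database; "client authentication aaa <group>"
: would hand this to a AAA server group instead
vpdn group 1 client authentication local
vpdn username pptpuser1 password <user-password-placeholder>

: Enable VPDN on the interface that receives the tunnels and let PPTP/GRE through
: it without an explicit access-list
vpdn enable outside
sysopt connection permit-pptp
```

Choosing "required" rather than "auto" means a client that cannot do MPPE is refused instead of being given an unencrypted PPP session. Even so, PPTP with MS-CHAP and MPPE is a legacy design that is considered weak today, so it is best reserved for clients that cannot run the IPSec-based VPN client described earlier in this chapter.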
Table 10-10 lists and describes the show commands associated with VPDNs.
Table 10-10 VPDN show Commands and Options

Command | Description
show vpdn tunnel | Displays tunnel information.
show vpdn session | Displays session information, including the interface ID used for the show pppinterface id command.
l2tp | pptp | Selects the protocol used (L2TP or PPTP).
id | Identifies a tunnel or session.
id tunnel_id | Indicates the unique tunnel ID.
id session_id | Indicates the unique session ID.
pppinterface id intf_id | Shows the virtual interface created for the tunnel.
username | Enters or displays the local username.
packets | Displays the packet and byte count.
state | Displays the session state.
summary | Displays tunnel summary information.
transport | Displays tunnel transport information.
window | Displays window information.
The clear vpdn command is also available to allow you to reset certain portions of the configuration. Table 10-11 lists the available clear command options.
Table 10-11 VPDN clear Commands and Options

Command | Description
username | Removes VPDN username commands from the configuration.
tunnel | Removes one or more tunnels from the configuration.
id tunnel_id | Removes a specific tunnel (based on tunnel_id) from the configuration.
all | Removes all tunnels from the configuration.
Configuring PIX Firewalls for Scalable VPNs
Earlier in this chapter, you learned about the different methods of negotiating an IPSec connection: