![](/user_photo/1438_p9ksI.png)
Cisco Secure VPN Exam Certification Guide - Cisco press
.pdf![](/html/1438/356/html_uqhjx5Doc9.FGL5/htmlconvd-L1JQVQ391x1.jpg)
![](/html/1438/356/html_uqhjx5Doc9.FGL5/htmlconvd-L1JQVQ392x1.jpg)
![](/html/1438/356/html_uqhjx5Doc9.FGL5/htmlconvd-L1JQVQ393x1.jpg)
![](/html/1438/356/html_uqhjx5Doc9.FGL5/htmlconvd-L1JQVQ394x1.jpg)
Configure Preshared Keys 371
Incorrect User Password
If the password is incorrect, the VPN Concentrator log will show a message similar to the following:
Authentication rejected: Reason = Invalid password
Unable to ping with an Established Tunnel
If you have an established tunnel and you are still unable to ping the private interface on the VPN Concentrator, you could have overlapping Security Associations (SAs) or you could be incorrectly filtering out the IPSec packets. In the VPN 3002 Hardware Client Manager, go to the Monitoring | System Status screen and note the Octets Out field. Next, go to the Monitoring | Statistics | IPSec screen shown in Figure 8-4 and note the Received Bytes counter. Attempt to ping the VPN Concentrator’s inside interface again and recheck these counters. Based on this information, you will be able to see which of the two issues is causing the problem.
The first issue might be that there is an overlapping SA configured. An overlapping SA is where two or more VPN clients have the same network on the private side. For example, you might have a VPN 3002 Hardware Client with the 192.168.100.0/24 network and a VPN Software Client with an IP address of 192.168.100.4. If both of these counters are incrementing, this is the case. If only the Octets Out counter is incrementing on the VPN 3002 Hardware Client, but the Received Bytes is not, IPSec is being filtered. If UDP is enabled, make sure that the UDP port chosen, a default value of 10000, is not being blocked. If the VPN 3002 Hardware Client is behind a PAT device, make sure to enable IPSec through NAT.
Configuring VPN 3002 Hardware Client and LAN Extension Modes
You can configure two different modes for the VPN 3002 Hardware Client to use. Client mode, also called Port Address Translation (PAT) mode, and LAN Extension mode (also called Network Extension mode) are useful depending upon what you are attempting to accomplish.
PAT mode, the default, is used to isolate all the clients behind the VPN 3002 Hardware Client (on the private side) from the corporate network. Enabling PAT mode disables LAN Extension mode. Disabling PAT mode enables LAN Extension mode. The mechanism used to select either of the two modes ensures that only one mode is enabled at any given time.
When using PAT mode, IPSec encapsulates all traffic traveling between the private network of the VPN 3002 Hardware Client to the network behind the IKE peer, usually a central-site VPN Concentrator. Utilizing NAT, the client’s IP addresses on the private network are translated to the VPN 3002 Hardware Client’s public interface IP address. Therefore, all traffic from the private network is seen at the head-end network with a single IP address. Because the VPN 3002 Hardware Client keeps track of the translations without advertising what these translations are, devices at the head-end cannot directly access the devices on the VPN 3002 Hardware Client’s
![](/html/1438/356/html_uqhjx5Doc9.FGL5/htmlconvd-L1JQVQ395x1.jpg)
![](/html/1438/356/html_uqhjx5Doc9.FGL5/htmlconvd-L1JQVQ396x1.jpg)
Configure Preshared Keys 373
Figure 8-7 Configuration | Policy Management | Traffic Management | PAT
You are brought to the Configuration | Policy Management | Traffic Management | PAT | Enable screen, as shown in Figure 8-8. On this screen, checking the PAT Enabled box causes PAT to become enabled, whereas removing the check from the box causes your VPN 3002 Hardware Client to enter into Network Extension mode.
Figure 8-8 Configuration | Policy Management | Traffic Management | PAT | Enable
By default, a VPN Concentrator allows PAT connections only. If you choose to use Network Extension mode on the VPN 3002 Hardware Client, ensure that the head-end VPN Concentrator is configured to allow Network Extension mode. Failure to do so will cause the VPN 3002 Hardware Client to fail to connect. Because the VPN 3002 Hardware Client will attempt to connect every four seconds and be rejected every time, you will actually launch a minor form of a denial of service (DoS) attack on your own network.
There are some requirements for using both PAT and Network Extension modes. Table 8-2 outlines the requirements.
Table 8-2 |
Requirements for PAT and LAN Extension Modes |
|
|
|
|
|
PAT Mode |
Network Extension Mode |
|
|
|
|
The head-end concentrator must be running |
The head-end concentrator must be running |
|
version 3.x or later. |
version 3.x or later. |
|
|
|
|
You must configure a group, user, and password |
You must configure a group, user, and password |
|
on the head-end concentrator. |
on the head-end concentrator. |
|
|
|
|
You must enable addresses consistent with the |
A static route or default route to the head-end |
|
head-end concentrator. For example, if one side |
concentrator must be configured. |
|
runs DHCP, the other side must also run DHCP. |
|
|
|
|
![](/html/1438/356/html_uqhjx5Doc9.FGL5/htmlconvd-L1JQVQ397x1.jpg)
374 Chapter 8: Configuring Cisco 3002 Hardware Client for Remote Access
The Network Extension mode allows the VPN 3002 Hardware Client to present a single encrypted network over the tunnel to the head-end concentrator. In addition to removing the checkmark from the PAT Enabled box, the default IP address of the inside interface must also be changed from 192.168.10.1. Any other IP address will work.
Unlike PAT mode, the devices do not have NAT applied, and are, therefore, directly accessible from devices at the head-end with utilities such as ping. Only when you have not enabled split tunneling and are in Network Extension mode can the head-end concentrator send initial data. In all other circumstances, the VPN 3002 Hardware Client’s network must send the initial data. These can be crucial considerations when deciding whether to use Network Extension or PAT mode.
In PAT mode, the VPN tunnel is created when data tries to travel to the IKE peer. The tunnel is dropped after the timeout period expires with no traffic over the tunnel. In Network Extension mode, the tunnel is always active.
Split Tunneling
Split tunneling is where some traffic becomes encrypted while other traffic does not become encrypted. Specifically, the traffic headed for any destination other than those within the network lists is not encrypted while traffic destined for networks within the network lists is encrypted.
NOTE Split tunneling creates a potential security issue if the client is not behind a firewall or does not support its own firewall. Because traffic is allowed outside of the secure VPN tunnel during split tunneling, that unsecured traffic path could be used to access client systems.
If you are in PAT mode, all devices on the private side have their addresses translated. In LAN Extension mode, NAT is applied only to those destinations not in the network lists.
Split tunneling is configured at the head-end concentrator. If the group to which the VPN 3002 Hardware Client belongs has split tunneling enabled, then split tunneling will be used. The following section gives you more information regarding how to set up split tunneling.
![](/html/1438/356/html_uqhjx5Doc9.FGL5/htmlconvd-L1JQVQ398x1.jpg)
Unit and User Authentication for the VPN 3002 Hardware Client 375
Unit and User Authentication for the VPN 3002 Hardware Client
28Overview of VPN 3002 interactive unit and user authentication feature
29Configuring VPN 3002 integrated unit authentication feature
30Configuring VPN 3002 user authentication
When two devices begin negotiations to establish an IPSec VPN connection between them, they must perform an authentication process during IKE Phase 1. This authentication process is structured around preshared keys or digital signatures. Additionally, the Cisco VPN 3000 Series Concentrators and the VPN 3002 Hardware Client require a unique username and password with the preshared key or digital signature as further security for the setup process. This username and password might be statically configured on the devices or you can choose to setup interactive hardware client authentication.
With interactive hardware client authentication, when a VPN 3002 Hardware Client tries to set up an IPSec tunnel with a VPN 3000 Concentrator, the user who initiated the request for VPN services will be prompted to enter a unique unit username and password. After the VPN 3002 Hardware Client is authenticated with this username and password, other users of the VPN 3002 Hardware Client can use the IPSec tunnel without being prompted for the username and password. You can choose to use internal authentication or external server authentication when you configure interactive hardware client authentication on the VPN 3000 Concentrator. This interactive process provides an extra layer of security when establishing VPN tunnels.
After the hardware devices have authenticated one another, the individual users must be authenticated before they will be permitted to access network resources. You can choose to set up individual user authentication when users enter the network through a VPN 3002 Hardware Client. With individual user authentication enabled, each user must open a web browser to enter a valid username and password. You can use the browser in two different ways to utilize this individual user authentication:
•Point the browser at a uniform resource locator (URL) on the private network of the headend concentrator. The VPN 3002 Hardware Client will present the interactive individual user authentication screen requesting the user’s username and password. After authentication is successfully accomplished, the browser will be directed to the original URL.
•Point the browser at the private interface of the head-end concentrator using the IP address of that interface. The user will be prompted to enter their username and password and, once authenticated, can utilize other network applications across the secure VPN tunnel.
![](/html/1438/356/html_uqhjx5Doc9.FGL5/htmlconvd-L1JQVQ399x1.jpg)
![](/html/1438/356/html_uqhjx5Doc9.FGL5/htmlconvd-L1JQVQ400x1.jpg)
Unit and User Authentication for the VPN 3002 Hardware Client 377
Figure 8-10 Configuration | User Management | Groups | Modify > General
Figure 8-11 shows the IPSec tab screen. For this configuration, use ESP-3DES-MD5 for the IPSec Security Association. 3DES encryption is preferred when your data will be traversing the Internet. Ensure that the tunnel type is set to Remote Access and that the Mode Configuration box is checked. In this example, use the internal server. You could have used a RADIUS or other external server. If you choose to use an external server, you must also ensure that this external server contains the user’s name and password.
Click Add and choose the Mode Config tab.