Cisco Secure VPN Exam Certification Guide - Cisco Press
Chapter 8: Configuring Cisco 3002 Hardware Client for Remote Access
Unit and User Authentication for the VPN 3002 Hardware Client
Figure 8-12 Configuration | User Management | Groups | Modify > Client Config
Configuring Unit and User Authentication
Clicking the HW Client tab brings up the screen for configuring both interactive hardware client authentication and individual user authentication for VPN 3002 Hardware Clients (see Figure 8-13). Recall that interactive hardware client authentication prompts the user for a specific username and password that must be authenticated by the head-end concentrator before the VPN tunnel is established. IPSec tunnels are usually maintained only for specified periods of time. When SA lifetimes expire or tunnel timeout values are reached, the IPSec tunnels are terminated. When no VPN tunnel exists between the VPN 3002 Hardware Client and the head-end concentrator, the first user that requires VPN services through the VPN 3002 Hardware Client causes the VPN devices to begin establishing the tunnel. If interactive hardware client authentication has been specified, this initial user is required to enter the username and password for hardware authentication.
Individual user authentication forces the users connecting through a VPN 3002 Hardware Client to use a web browser for initial VPN access in order to authenticate through the head-end concentrator. VPN 3002 Hardware Clients can support many users across a single IPSec tunnel. When individual user authentication is enabled, each user needs to establish their credentials through a web browser. In the case where both interactive hardware client authentication and individual user authentication are required, the initial user that brings up the VPN tunnel needs to enter two different username and password combinations: one for the hardware client, and one for themselves.
On the screen shown in Figure 8-13, checking the Require Individual User Authentication box forces the VPN 3002 Hardware Client to prompt the end user for a username and password. This is also the screen that determines the length of time that a tunnel in PAT mode remains active without any data being passed over the connection. The User Idle Timeout box is used to enter the time in minutes before a connection is dropped for the individual user or for the remote site when using PAT mode.
Note the bottom check box, which is labeled Cisco IP Phone Bypass. It is imperative that this box be checked if you want to use IP Telephony over your tunnels and you have chosen to require individual user authentication. If this box is not checked, the VPN 3002 Hardware Client attempts to display a web page on the phone, which fails every time a user attempts to place a call over the tunnel. Click Add.
You have one more task to accomplish on the VPN Concentrator. That task is to set up your user with a valid name, password, and group assignment. Go to the Configuration | User Management | Users | Add screen and add a user (see Figure 8-14). Set the username and password. Ensure that the group is the same as the group that was just modified.
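The interaction of the two settings just described, as an added example (not code from the book or from Cisco): a small Python model in which the first user to bring up the tunnel answers both the hardware-client prompt and the individual-user prompt, later users answer only their own, and the User Idle Timeout drops users who have been idle. The credentials and minute values are constructed.

```python
"""Model of the VPN 3002 authentication sequence described above: interactive
hardware (unit) authentication when the tunnel comes up, then individual user
authentication per user, with the User Idle Timeout dropping idle users.
Added example, not code from the book or from Cisco; credentials and
timings are constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class HwClientAuth:
    require_unit_auth: bool       # interactive hardware client authentication
    require_user_auth: bool       # Require Individual User Authentication box
    user_idle_timeout_min: int    # User Idle Timeout box, in minutes
    unit_credentials: tuple       # (username, password) for the hardware client itself
    user_credentials: dict        # username -> password, as added on the concentrator
    tunnel_up: bool = False
    last_seen: dict = field(default_factory=dict)  # username -> minute of last traffic

    def prompts_for(self, user):
        """Credential prompts a user meets before traffic passes: 'unit', 'user' or both."""
        prompts = []
        if self.require_unit_auth and not self.tunnel_up:
            prompts.append("unit")        # only the user who brings the tunnel up sees this
        if self.require_user_auth and user not in self.last_seen:
            prompts.append("user")
        return prompts

    def connect(self, user, now_min, unit_login=None, user_pw=None):
        """Try to pass traffic for `user` at minute `now_min`; True if allowed through."""
        if "unit" in self.prompts_for(user) and unit_login != self.unit_credentials:
            return False                  # hardware authentication failed; no tunnel
        self.tunnel_up = True             # hardware authenticated (or not required)
        if "user" in self.prompts_for(user):
            if self.user_credentials.get(user) != user_pw:
                return False              # tunnel is up, but this user is not authenticated
        self.last_seen[user] = now_min
        return True

    def expire_idle(self, now_min):
        """Drop users idle for at least the idle timeout; returns users still authenticated."""
        for user, seen in list(self.last_seen.items()):
            if now_min - seen >= self.user_idle_timeout_min:
                del self.last_seen[user]
        return sorted(self.last_seen)
```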
Figure 8-13 Configuration | User Management | Groups | Modify > HW Client
Figure 8-14 Configuration | User Management | Users | Add
Interactive Hardware Client and Individual User Authentication
After you enable interactive hardware client authentication and/or individual user authentication, the next step is to test the system. From the private side of the VPN 3002 Hardware Client, open a web browser and point it to either the inside IP address of the VPN 3002 Hardware Client or to any IP address reachable through the tunnel. You will be redirected to the VPN 3002 Hardware Client Manager screen.
Figure 8-20 Monitoring | System Status
Foundation Summary
The Foundation Summary is a collection of tables and figures that provides a convenient review of many key concepts in this chapter. For those who are already comfortable with the topics in this chapter, this summary could help you recall a few details. For those who just read this chapter, this review should help solidify some key facts. For anyone doing final preparation before the exam, these tables and figures are a convenient way to review the day before the exam.
Configure Preshared Keys
To configure preshared keys, follow these steps:
Step 1 On the concentrator, go to the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Modify screen.
Step 2 Set the IP address of the peer.
Step 3 Set the preshared key.
Step 4 On the VPN 3002 Hardware Client, go to the Configuration | System | Tunneling Protocols | IPSec screen.
Step 5 Make sure that the Use Certificate box is not checked.
Step 6 Enter the group and password.
Step 7 Enter the user, username, and password.
Troubleshooting IPSec
Follow these steps to troubleshoot IPSec:
Step 1 Ping the private interface of the remote concentrator. If you can get there, IPSec works. If your ping fails, you should proceed to Steps 2 and 3.
Step 2 Set the debug levels for 1–13 on both sides (IKE, IKEDBG, IPSEC, IPSECDBG).
Step 3 Read and understand the log. It will tell you where the problem lies.
Client and LAN Extension Modes
Table 8-3 compares Client mode and LAN Extension mode.
Table 8-3 Client Versus LAN Extension Mode

| Client (PAT) Mode | LAN Extension Mode |
| --- | --- |
| All devices appear at the head-end as one device with the IP address of the outside interface of the VPN 3002 Hardware Client. | Each device is seen at the head-end with its individual IP address. |
| This is the default on the head-end concentrator. | This must be configured at the head-end and on the VPN 3002 Hardware Client. |
| Tunnel is initiated by the administrator or when a device attempts to connect to the head-end. | Tunnel is always active. |
| Remote site must send initial data. | When not using split tunnel, head-end may send initial data. |

Table 8-4 describes the requirements for PAT mode and LAN Extension mode.
Table 8-4 Requirements for Client and LAN Extension Modes

| Client (PAT) Mode | Network Extension Mode |
| --- | --- |
| The head-end concentrator must be running version 3.x or later. | The head-end concentrator must be running version 3.x or later. |
| You must configure a group, user, and password on the head-end concentrator. | You must configure a group, user, and password on the head-end concentrator. |
| You must enable addresses consistent with the head-end concentrator. For example, if one side runs DHCP, the other side must also run DHCP. | A static route or default route to the head-end concentrator must be configured. |
Split Tunnel
Remember the following key points about split tunneling:
• Configured on the head-end VPN 3000 Series Concentrator.
• Permits specific traffic to bypass the VPN tunnel.
• Options for split tunneling are
  — Tunnel all traffic.
  — Tunnel only traffic contained within a specified network list.
  — Do not tunnel traffic contained within a specified network list.
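The three split-tunneling options as a policy check, added here as an example (not code from the book or from Cisco): given a network list and the option in force, it reports which destinations leave the remote site outside the tunnel, which is the review a defender wants before enabling split tunneling on a group. The network list and destination addresses are constructed sample values.

```python
"""Split-tunnel policy decision modelled on the three options listed above.
Added example, not code from the book or from Cisco; the network list and
destinations are constructed sample values."""
from enum import Enum
from ipaddress import ip_address, ip_network


class SplitPolicy(Enum):
    TUNNEL_ALL = "tunnel_all"        # Tunnel all traffic
    TUNNEL_LIST = "tunnel_list"      # Tunnel only traffic in the network list
    EXCLUDE_LIST = "exclude_list"    # Do not tunnel traffic in the network list


def in_network_list(dst, network_list):
    """True if destination address dst falls inside any entry of the network list."""
    addr = ip_address(dst)
    return any(addr in ip_network(net, strict=False) for net in network_list)


def is_tunneled(dst, policy, network_list=()):
    """True if traffic to dst goes through the IPSec tunnel to the head-end,
    False if it bypasses the tunnel and leaves the remote site in the clear."""
    if policy is SplitPolicy.TUNNEL_ALL:
        return True
    matched = in_network_list(dst, network_list)
    if policy is SplitPolicy.TUNNEL_LIST:
        return matched
    if policy is SplitPolicy.EXCLUDE_LIST:
        return not matched
    raise ValueError(f"unknown split-tunnel policy: {policy!r}")


def bypassing_destinations(dsts, policy, network_list=()):
    """Audit helper: the destinations that would bypass the tunnel under a policy.
    An empty list means every destination is protected by the tunnel."""
    return [d for d in dsts if not is_tunneled(d, policy, network_list)]


if __name__ == "__main__":
    # Constructed sample values: a hypothetical corporate network list and a few
    # destinations requested from the private side of the hardware client.
    corp_networks = ["10.0.0.0/8", "192.168.100.0/24"]
    destinations = ["10.1.2.3", "192.168.100.7", "203.0.113.10"]
    for policy in SplitPolicy:
        print(policy.value, bypassing_destinations(destinations, policy, corp_networks))
```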