Cisco Secure VPN Exam Certification Guide - Cisco press
.pdf
418 Chapter 9: Configuring Scalability Features of the VPN 3002 Hardware Client
IPSec on the VPN 3002 Hardware Client
39Configuring IPSec over UDP
40Configuring IPSec over TCP
Internet Protocol Security (IPSec) is the standard that enables the VPN 3002 Hardware Client to connect securely to the centralized VPN concentrator. IPSec security methods include address data privacy, authentication, integrity, key management, and tunneling.
With the VPN 3002 Hardware Client, two IPSec options are available to you: IPSec over TCP/IP and IPSec over UDP. You may choose one of these, which will automatically disable the other option. The next sections describe both options in more detail.
IPSec Over TCP/IP
The Cisco VPN Client and the Cisco VPN 3002 Hardware Client both fully support IPSec over TCP, encapsulating the encrypted data within the TCP packet. In this mode, the VPN 3002 Hardware Client is able to work where standard Encapsulating Security Payload (ESP) (protocol 50) or Internet Key Exchange (IKE) (UDP 500) cannot operate because of factors such as PAT. IPSec over TCP encapsulates both the IKE and IPSec protocols within the TCP packet, enabling the new packet to pass through NAT and PAT devices. This feature, however, will not work if the VPN termination on the other end is proxy based, such as in Microsoft Proxy Server.
There are three requirements for both the VPN concentrator and the VPN 3002 Hardware Client when using IPSec over TCP:
•Run version 3.5 or later software.
•IPSec over TCP must be enabled.
•The VPN concentrator and the VPN 3002 Hardware Client must use the same port.
To enable IPSec over TCP/IP, you must make configuration changes on both the VPN concentrator and the VPN 3002 Hardware Client. IPSec over TCP/IP is configured on the VPN 3002 Hardware Client under the Configuration | System | Tunneling Protocols | IPSec screen. On the VPN concentrator, configuration settings for IPSec over TCP/IP are made on the Configuration | System | Tunneling Protocols | IPSec | IPSec over TCP screen, as shown in Figure 9-10.
IPSec on the VPN 3002 Hardware Client 419
Figure 9-10 Configuration | System | Tunneling Protocols | IPSec | IPSec over TCP
On either hardware client or concentrator, you simply check the box to enable IPSec over TCP and then select the TCP port to use between the devices. The default port is 10,000, but you can select any port between 1 and 65,635. If you select a well-known port, such as 80 for HTTP, the system will present a warning telling you that the protocol associated with the well-known port number will no longer be available on the public interface. On the VPN concentrator, you can enter up to 10 ports, separated by commas, so that you can use a different port for each hardware client that connects to the concentrator. The configuration screen for the VPN 3002 Hardware Client only permits you to enter one TCP port number.
UDP NAT Transparent IPSec (IPSec Over UDP)
The VPN 3002 Hardware Client fully supports User Datagram Protocol Network Address Translation Transparent IPSec (UDP NAT Transparent IPSec). In this mode, the VPN 3002 Hardware Client encapsulates the data traffic within new UDP packets, bypassing the effects of NAT and PAT. This method sends keepalives on a regular basis to ensure the NAT mappings remain active. While this method does slightly increase the amount of bandwidth overhead, it is necessary because UDP is a connectionless protocol. There is a limitation on using UDP NAT Transparent IPSec; only a single VPN device may be behind the NAT device. In other words, you may have only a single VPN 3002 Hardware Client behind a PIX firewall.
Some of the workings of IPSec transparent mode are not readily visible to the administrator. For example, the VPN concentrator creates a filter rule, applying it to the public filter and passes this along to the VPN 3002 Hardware Client transparently. From the inbound side, the UDP traffic goes directly to the IPSec processing for decryption and deencapsulation before being routed. On the outbound side, the IPSec process encrypts, encapsulates, and then adds a new UDP header if required. These rules may be removed from the filter under one of three conditions:
•When a group is deleted
•When the last active IPSec over UDP Security Association (SA) for that group is deleted
•When IPSec over UDP is disabled for the group
422 Chapter 9: Configuring Scalability Features of the VPN 3002 Hardware Client
Identifying an Incorrect Password at the VPN 3002 Hardware Client
On the VPN 3002 Hardware Client, you will see an error similar to the following if the password is incorrect:
Group [192.168.100.1]
Rxed Hash is incorrect:Preshared key or Digital Signature mismatch
Identifying an Incorrect Work Group Name
If the work group name is incorrect, the VPN concentrator logs will show a message similar to the following:
No Group found 3002group for Preshared key peer 192.168.100.1
Identifying an Incorrect Username
If the username given by the client is incorrect, the VPN concentrator log will show a message similar to the following:
Authentication rejected: Reason = User was not found
Incorrect Password on the Concentrator
If the password is incorrect, the VPN concentrator log will show a message similar to the following:
Authentication rejected: Reason = Invalid password
Unable to Ping with an Established Tunnel
If you have an established tunnel and you are still unable to ping the private interface on the VPN concentrator, there are two possibilities: overlapping SA or IPSec filtering. In the VPN 3002 Hardware Client, go to the Monitoring | System Status screen and note the Octets Out field. Next, go to the Monitoring | Sessions screen and note the Bytes Receiving counter. Attempt to ping the VPN concentrator’s inside interface again and recheck these counters. Based on this information, you will be able to see which of two issues is causing the problem.
The first issue may be that there is an overlapping SA configured. An overlapping SA is where two or more VPN clients have the same network on the private side. For example, you may have a VPN 3002 Hardware Client with the 192.168.100.0/24 network and a VPN Software Client with an IP address of 192.168.100.4. If both of these counters are incrementing, this is the case.
If only the Octets Out counter is incrementing on the VPN 3002 Hardware Client, but the Bytes Received is not, then IPSec is being filtered. If UDP is enabled, make sure that the UDP port chosen, a default value of 10,000, is not being blocked. If the VPN 3002 Hardware Client is behind a PAT device, make sure to enable IPSec through NAT.
Configuring Auto-Update for the VPN 3002 Hardware Client 423
Configuring Auto-Update for the VPN 3002
Hardware Client
35Overview of the VPN 3002 Auto-Update Feature
36Configuring the VPN 3002 Auto-Update Feature
Auto-update is a process by which the VPN concentrator requires that the connecting clients use a specific version of software. A client attempting to connect to the VPN concentrator with an incorrect software version will be denied access until after the software version becomes current. The VPN concentrator provides VPN Client users a link to the download server where the software can be obtained. Once the clients have the correct software version, they may once again connect in a normal fashion.
The VPN 3002 Hardware Client software can be upgraded automatically once the administrator copies the new version of the operating system to a TFTP server. The head-end VPN concentrator notifies the hardware client of the upgrade availability. Once the secure VPN tunnel has been established, the VPN 3002 Hardware Client copies the upgrade from the TFTP server and then performs a reload to activate the new version. This means that the administrator only needs to make changes at the head-end VPN concentrator instead of manually upgrading each individual VPN 3002 Hardware Client from the graphical user interface (GUI). This is especially efficient on large installations.
NOTE |
The VPN 3000 Concentrator series client auto-update feature works only with the Windows- |
|
based VPN Client or with the VPN 3002 Hardware Client, not with any of the other VPN |
|
Clients, such as Linux or Macintosh. |
|
|
The VPN 3002 Hardware Client is sent ISAKMP messages when it connects to the head-end concentrator, delivering notification that a software upgrade is pending. These ISAKMP messages contain the IP address of a TFTP server and filename to download, and they are sent in batches of 10 identical ISAKMP messages every 5 minutes. The VPN concentrator continues to send these messages until upgrade notification is disabled on the concentrator. VPN 3002 Hardware Clients that are already operating at the correct version level ignore the update messages.
VPN 3002 Hardware Clients store software images in two different locations, backup storage and active storage. During initial bootup, the hardware client copies the software image from backup storage into active storage. When the VPN 3002 Hardware Client copies the upgrade file from the TFTP server, it stores the file in backup storage. The update process then performs
Configuring Auto-Update for the VPN 3002 Hardware Client 425
Figure 9-13 Modifying Client Update Information
The Client Type has specific acceptable options and is case sensitive. The following list shows the available options:
•Windows—Provides update service to all Windows-based clients.
•Win9X—Provides update service to all Windows 95, Windows 98, and Windows ME clients.
•WinNT—Provides update service to Windows NT, Windows 2000, and Windows XP clients.
•vpn3002—Provides update service to VPN 3002 Hardware Clients.
The TFTP server must be located within the private network of the head-end VPN concentrator. The VPN 3002 Hardware Client reaches the TFTP server through the secure tunnel. In other words, the TFTP server IP address cannot be on the outside network of the public interface or routed in such a way that it needs to pull the image through the outside interface of the VPN concentrator without encryption.
The version number is derived from the filename you have specified to be downloaded. In this example, you used the file name vpn3002-3.0.3.A-k9.bin. The revision (3.0.3.A) is the part between the two dashes. Be sure you have entered the correct revision number. An incorrect or missing revision number will cause the VPN 3002 Hardware Client to enter an infinite cycle of attempting and failing to upgrade.
You may enter more than one revision number into the Revisions field, separating the entries by commas to indicate that you will support more than one client software release. The entry that you include in the URL field must be represented in the list of acceptable revisions. If the attaching client already operates with one of the versions listed in the revisions list, no action will be taken.
426 Chapter 9: Configuring Scalability Features of the VPN 3002 Hardware Client
The next configuration step you need to do is to set up notification to VPN 3002 Hardware Clients (and software clients) about the upgrade. There are only three steps:
Step 1 Using the VPN 3000 Concentrator Series Manager, go to Administration | Software Update | Clients.
Step 2 Choose the group. In this example, the group is rtpvpnl.
Step 3 Select Upgrade Clients Now (see Figure 9-14).
Figure 9-14 Updating Client Software
Monitoring Auto-Update Events
37 Monitoring VPN 3002 Auto-Update Events
In case the upgrade is not successful, debugging may be enabled to help determine the cause of failure. You should check the log file first to see if it contains any information on why the upgrade was unsuccessful. In the event that the log file does not provide enough information, configure debugging by following these steps:
Step 1 Go to the Configuration | System | Events | Classes | Add screen, shown in Figure 9-15.
Step 2 Choose the class named AUTOUPDATE.
Step 3 Set the severity of the log to 1-13.
Step 4 Retrieve the log by going to the Monitoring | Live Event Log screen.
Monitoring Auto-Update Events 427
Step 5 If you are also attached to the console, the console severity may also be set to 1-13.
Step 6 Likewise, the Syslog and Trap severities may be set if you are using a Syslog Server or an SNMP server such as CiscoWorks.
Figure 9-15 Configuration | System | Events | Classes | Add
A sample output from the log is shown in Example 9-1. Table 9-2 explains the fields in the logs after this example.
Example 9-1 Sample Debugging Output
12 08/21/2002 11:19:23.225 SEV=4 AUTOUPDATE/6 RPT=1 Current version 3.0.2 does not match 3.0.3.A
13 08/21/2002 11:19:23.225 SEV=4 AUTOUPDATE/7 RPT=1 Updating firmware to 3.0.3.A from 3.0.2
14 08/21/2002 11:19:23.225 SEV=4 AUTOUPDATE/12 RPT=1 Update firmware will now begin using file
vpn3002-3.0.3.A-k9.bin on server 192.268.101.3 [0A204964] 15 08/21/2002 11:35:00.700 SEV=4 AUTOUPDATE/5 RPT=1
Current version 3.0.3.A is up to date
Table 9-2 |
Field Descriptions |
|
|
|
|
|
Field |
Definition |
|
|
|
|
12 |
The first number in the list is the log number. |
|
|
|
|
08/21/2002 |
The date is defined by the system date of the VPN 3002 Hardware Client. |
|
|
|
|
11:19:23.225 |
The time of the log. |
|
|
|
|
SEV=4 |
The severity of the log. |
|
|
|
|
AUTO-UPDATE/6 |
The name of the event class. |
|
|
|
|
RPT=1 |
The description of the event. |
|
|
|