Cisco Secure VPN Exam Certification Guide - Cisco press


438 Chapter 9: Configuring Scalability Features of the VPN 3002 Hardware Client

29. Your VPN 3002 Hardware Client attempts to auto-update. The system appears to “hang” and eventually times out on the download portion of the process. What are two likely causes?

30. In Network Extension Mode, how long will the VPN 3002 Hardware Client wait before attempting to connect to a backup server if a connection to the primary server fails?

31. Will a VPN 3002 Hardware Client connected to a backup server recognize that the primary server has added a new backup server?

32. Does the VPN 3002 Hardware Client send keepalives to other VPN 3002 Hardware Clients connected to the same primary or backup server?

33. Where are hold-down routes configured?

34. What protocols may be used with LAN-to-LAN Autodiscovery?


35. When using IPSec over TCP, how are IKE and IPSec protocols handled in relation to NAT?

36. You are planning on terminating your VPN 3002 Hardware Client’s VPN tunnel on a Microsoft Proxy Server. Should you use UDP NAT Transparent IPSec (IPSec over UDP) or IPSec over TCP?


Scenarios

Scenario 9-1

Your task in this scenario is to set up a VPN concentrator and a VPN 3002 Hardware Client, as shown in Figure 9-16. Enable communications between the concentrators and the VPN 3002 Hardware Client using IPSec over TCP/IP.

Figure 9-16 Enabling RRI

[Network diagram not reproduced. Labeled elements: IBM Compatible (three hosts), VPN 3002 Hardware Client, VPN Concentrator A, VPN Concentrator B.]

Once this is accomplished, you have four steps:

Step 1 Set up the VPN concentrator B as a backup and test.

Step 2 Update the VPN 3002 Hardware Client from the VPN concentrator A.

Step 3 Inject a route using OSPF from the VPN 3002 Hardware Client into the VPN concentrator.

Step 4 Configure the VPN concentrators to use IPSec over UDP.


Scenario Answers

Scenario 9-1 Answers

The following answers pertain to the tasks presented in the previous section:

Step 1 On the VPN 3002 Hardware Client, use the Configuration | System | Tunneling Protocols | IPSec screen and add the second concentrator. Ensure that Use Client Configured List is set.

To test, unplug the outside Ethernet interface on Concentrator A. Check that a VPN tunnel is established to Concentrator B.

Step 2 On the VPN concentrator:

(a) Go to Configuration | User Management | Groups.

(b) Select the group.

(c) Choose Modify Client Update.

(d) Choose Add from the Client Update screen.

(e) On the next screen, enter vpn3002 as the client type, enter the TFTP address/filename, and enter the revision number.

(f) Apply.

(g) Go to Administration | Software Update | Clients.

(h) Choose the group.

(i) Select Upgrade Client Now.

Step 3 Reverse Route Injection is configured on the VPN concentrator. To do this, go to the Configuration | System | IP Routing | Reverse Route Injection screen. Check the Client Reverse Route Injection button.

Step 4 On the VPN 3002 Hardware Client, go to Configuration | System | Tunneling Protocols | IPSec | IPSec over TCP. The concentrator must also be configured using the Configuration | System | Tunneling Protocols | IPSec | NAT Transparency | Enable IPSec over TCP screen. Enable IPSec over TCP/IP.

Exam Topics Discussed in This Chapter

This chapter covers the following topics, which you need to master in your pursuit of certification as a Cisco Certified Security Professional:

41. Cisco VPN 3000 IPSec LAN-to-LAN

42. LAN-to-LAN configuration

43. SCEP support overview

44. Root certificate installation

45. Identity certificate installation

Chapter 10

Cisco VPN 3000 LAN-to-LAN with Preshared Keys

One of the great benefits to using a VPN Concentrator is the ability to connect disparate LANs in a secure manner. For example, having your LAN in New York appear to be directly connected to the LAN in London makes administration of domains and user rights much easier for the systems administrator.

You accomplish this by creating a secure VPN from your concentrator to another concentrator, router, or PIX firewall at the remote site. Although it is certainly permissible—and sometimes advisable—to encrypt data through a VPN on a private frame network, it is much more common to use a VPN to reduce the need for dedicated connections by using the Internet as your long haul provider. One example of encrypting data over a private network occurs when you have a payroll department that is split between locations at two remote sites. Because you do not generally want the average administrator on your network to be able to find out salaries of other workers, you might want to encrypt this data between the two networks.

When you add the benefit of reducing the cost of these long distance connections through the use of VPNs over the Internet, the real benefits begin to show. This chapter deals with issues associated with connecting geographically separate LANs in a secure manner. Such connections will appear to the end user as if the network were next door, with one exception: latency. Because your VPN connections generally operate over the Internet, you will not be able to control how long it takes for a packet from one site to travel to the remote site.

You, as an administrator of private networks, have no real control over the Internet. You can control items such as your bandwidth to your ISP and are able to prioritize data within your own networks, but once your data reaches your ISP, you lose the ability to determine the priority of the data. When relying on the Internet for connectivity, you need to be aware that certain applications that are extremely time sensitive might lose connectivity even when your VPN connections are not directly affected. Always remember that using the Internet means that you rely upon a technology over which you have no control, and therefore, results cannot be guaranteed.


How to Best Use This Chapter

By taking the following steps, you can make better use of your time:

Keep your notes and answers for all your work with this book in one place for easy reference.

Take the “Do I Know This Already?” quiz, and write down your answers. Studies show retention is significantly increased through writing facts and concepts down, even if you never look at the information again.

Use the diagram in Figure 10-1 to guide you to the next step.

Figure 10-1 How to Use This Chapter

[Flowchart not reproduced. Node labels recovered from the figure: “Take ‘Do I Know This Already?’ Quiz”; “Low / Medium / High Score?”; “Read Foundation Topics”; “Review Foundation Topics Using Charts and Tables”; “Want More Review?” with “Yes” and “No” branches; “Review Foundation Summary”; “Perform End-of-Chapter Q&A and Scenarios”; “Go To Next Chapter”.]


“Do I Know This Already?” Quiz

The purpose of the “Do I Know This Already?” quiz is to help you decide what parts of the chapter to use. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.

This 15-question quiz helps you determine how to spend your limited study time. The quiz is sectioned into five smaller “quizlets,” which correspond to the five major topic headings in the chapter. Figure 10-1 outlines suggestions on how to spend your time in this chapter based on your quiz score. Use Table 10-1 to record your scores.

Table 10-1 Score Sheet for Quiz and Quizlets

Quizlet Number   Foundations Topics Section Covering These Questions   Questions   Score
1                Cisco VPN 3000 IPSec LAN-to-LAN                        1–3
2                LAN-to-LAN configuration                               4–6
3                SCEP support overview                                  7–9
4                Root certificate installation                          10–12
5                Identity certificate installation                      13–15
All questions

1. What is a LAN-to-LAN connection?

2. What equipment is required for a LAN-to-LAN connection?

3. Where can a LAN-to-LAN connection be used?


4. When setting up network lists, how should the lists at each side of the LAN-to-LAN connection relate to each other?

5. You attempted to configure a LAN-to-LAN connection, but cannot see a specific network on one side of the connection. What is the most likely problem?

6. What routing protocol is used for Autodiscovery?

7. What is an identity certificate?

8. What is the advantage of using SCEP?

9. What are critical items when using any certificates?


10. Order the steps for using a certificate:

1. Issue an enrollment request.

2. Enroll with the CA.

3. The enrollment request is accepted.

4. Install the certificate.

5. Configure the concentrator to use the certificate.

11. You want to use SCEP to enroll an identity certificate. How must the associated CA certificate be obtained?

12. What are the default directory and file name for the DLL used with SCEP?

13. What are the three major steps involved in using digital certificates for a LAN-to-LAN connection?

14. When using an identity certificate, what is the effect of entering an incorrect name in the OU field?