VPN Client

Overview

The IKE Mode Config feature within the firewall downloads DNS, WINS, default domain, and split tunnel mode attributes to the VPN Client. The split tunnel mode allows the firewall to direct packets to a network interface in clear text form or over an IPSec tunnel in encrypted form.

The vpngroup command set allows you to configure VPN Client policy attributes to be associated with a VPN group name and downloaded to the VPN Client(s) that are part of the given group. The purpose of these new commands is to configure the VPN Client policy groups.

This section shows two examples of how to configure the firewall and the VPN client for interoperability. The steps for configuring the VPN client version 2.5 and the Cisco VPN Client version 3.0, are the same, except where noted.

The first example shows use of the following supported features:

The second example shows use of the following supported features:

If the Cisco Secure VPN Client is already installed on the computer, uninstall it from the computer and ensure all directories containing this VPN client application are cleared of it before you install the VPN client or the Cisco VPN Client version 3.0.

Xauth, RADIUS, IKE Mode Config, and Wildcard Pre-Shared Key

With the vpngroup command set, you configure the firewall for a specified group of Cisco VPN 30e0 Client users, using the following parameters:

  • Group name for a given group of VPN client users.

  • Pre-shared key or group password used to authenticate the VPN access to the remote server
    (firewall).

    This pre-share key is equivalent to the password that you enter within the Group Password field of the VPN client while configuring the group access information for a connection entry.

  • Pool of local addresses to be assigned to the VPN group.

  • (Optional) IP address of a DNS server to download to the VPN client.

  • (Optional) IP address of a WINS server to download to the VPN client.

  • (Optional) Default domain name to download to the VPN client.

  • (Optional) Split tunneling enabled on the firewall allowing both encrypted and clear traffic between the VPN client and the firewall.

    If split tunneling is not enabled, all traffic between the VPN client and the firewall will be encrypted.

  • (Optional) Inactivity timeout setting for the VPN client. The default is 30 minutes.

On the VPN client, you would configure the vpngroup name and group password to match that which you configured on the firewall.

When the VPN client initiates ISAKMP with the firewall, the VPN group name and pre-share key are sent to the firewall. The firewall then uses the group name to look up the configured client policy attributes for the given VPN client and downloads the matching policy attributes to the client during the IKE negotiation.

Configuring the firewall

Follow these steps to configure the firewall to interoperate with the VPN client using Xauth, IKE Mode Configuration, AAA Authorization with RADIUS, and Wildcard Pre-Shared Key:

  1. Define AAA related parameters:
    aaa-server radius protocol radius
    aaa-server partnerauth protocol radius
    aaa-server partnerauth ( dmz) host 192.168.101.2 abcdef timeout 5

  2. To configure the IKE policy:
    isakmp enable outside isakmp policy 8 encr 3des isakmp policy 8 hash md5 isakmp policy 8 authentication pre-share

    To configure the VPN client version 3.0 or above, include the following step: isakmp policy 8 group 2

  3. To configure a wildcard, pre-shared key:
    isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0

  4. Create an access list that defines the firewall local network(s) requiring IPSec protection:
    access-list 80 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

  5. Create access lists that define the services the VPN clients are authorized to use with the RADIUS server:
    access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq telnet
    access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ftp
    access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq http

    To configure the authentication server with the vendor-specific acl=acl_ID identifier to specify the access-list ID. In this example, the access-list ID is 100. a entry in the authentication server would then be acl=100.

  6. To configure NAT 0:
    nat (inside) 0 access-list 80

  7. To configure a transform set that defines how the traffic will be protected:
    crypto ipsec transform-set strong-des esp-3des esp-sha-hmac

  8. Create a dynamic crypto map:
    crypto dynamic-map cisco 4 set transform-set strong-des

    Specify which transform sets are allowed for this dynamic crypto map entry.

  9. Add the dynamic crypto map set into a static crypto map set:
    crypto map partner-map 20 ipsec-isakmp dynamic cisco

  10. Apply the crypto map to the outside interface:
    crypto map partner-map interface outside

  11. Enable Xauth:
    crypto map partner-map client authentication partnerauth

  12. To configure IKE Mode Configuration related parameters:
    ip local pool dealer 10.1.1.1-10.1.1.254

    To configure the VPN client version 2.5, include the following command in this step: crypto map partner-map client configuration address initiate

  13. To configure VPN client policy attributes to download to the VPN client:
    vpngroup superteam address-pool dealer
    vpngroup superteam dns-server 10.0.0.15
    vpngroup superteam wins-server 10.0.0.15
    vpngroup superteam default-domain example.com
    vpngroup superteam split-tunnel 80
    vpngroup superteam idle-time 1800

    The keyword "superteam" is the name of a VPN group. You will enter this VPN group name within the VPN client as part of the Group access information.

  14. Tell firewall to implicitly permit IPSec traffic:
    sysopt connection permit-ipsec

Example 6-2: VPN Access with Extended Authentication, RADIUS Authorization, IKE Mode Config, and Wildcard Pre-Shared Key 

 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 nameif ethernet2  dmz security10
 enable password 8Ry2YjIyt7RRXU24 encrypted
 passwd 2KFQnbNIdI.2KYOU encrypted
 hostname SanJose
 domain-name example.com
 fixup protocol ftp 21
 fixup protocol http 80
 fixup protocol smtp 25
 fixup protocol h323 1720
 fixup protocol rsh 514
 fixup protocol sqlnet 1521
 names
 pager lines 24
 no logging on
 interface ethernet0 auto
 interface ethernet1 auto
 interface ethernet2 auto
 mtu outside 1500
 mtu inside 1500
 mtu  dmz 1500
 ip address outside 209.165.200.229 255.255.255.224
 ip address inside 10.0.0.1 255.255.255.0
 ip address  dmz 192.168.101.1 255.255.255.0
 no failover
 failover ip address outside 0.0.0.0
 failover ip address inside 0.0.0.0
 failover ip address  dmz 0.0.0.0
 arp timeout 14400
 nat (inside) 1 0.0.0.0 0.0.0.0 0 0
 access-list 80 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
 access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq telnet
 access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ftp

 access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq http
 nat (inside) 0 access-list 80
 global (outside) 1 209.165.200.45-209.165.200.50 netmask 255.255.255.224
 route outside 0.0.0.0 0.0.0.0 209.165.200.227 1
 timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
 timeout rpc 0:10:00 h323 0:05:00
 timeout uauth 0:05:00 absolute
 ip local pool dealer 10.1.1.1-10.1.1.254
 aaa-server TACACS+ protocol tacacs+
 aaa-server RADIUS protocol radius
 aaa-server partnerauth protocol tacacs+
 aaa-server partnerauth ( dmz) host 192.168.101.2 abcdef timeout 5
 no snmp-server location
 no snmp-server contact
 snmp-server community public
 no snmp-server enable traps
 crypto map partner-map client configuration address initiate;
 crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
 crypto dynamic-map cisco 4 set transform-set strong-des
 crypto map partner-map 20 ipsec-isakmp dynamic cisco
 crypto map partner-map client authentication partnerauth 
 crypto map partner-map interface outside
 isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
 isakmp enable outside
 isakmp policy 8 authentication pre-share
 isakmp policy 8 encryption 3des
 isakmp policy 8 hash md5
 isakmp policy 8 group 2
 vpngroup superteam address-pool dealer
 vpngroup superteam dns-server 10.0.0.15
 vpngroup superteam wins-server 10.0.0.15
 vpngroup superteam default-domain example.com
 vpngroup superteam split-tunnel 80
 vpngroup superteam idle-time 1800 
 sysopt connection permit-ipsec
 telnet timeout 5
 terminal width 80

The command crypto map partner-map client configuration address initiate is only required to configure the VPN client version 2.5. The command isakmp policy 8 group 2 is only required to configure the Cisco VPN Client version 3.0.

Configuring the VPN client

This section describes how to configure the VPN client to match the configurations in "Configuring the firewall." It is assumed the VPN client is already installed on the system and is configured for general use. You can find the VPN client documentation online at the following website:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

To allow the VPN client to gain VPN access to the firewall using a pre-share key, create one connection entry for the VPN client that identifies the following:

  • Host name or IP address of the remote server you want to access, which in this case is a firewall

  • Name of the VPN group you belong to

  • Pre-shared key or password of the VPN group you belong to

Follow these steps to configure the VPN client to interoperate with the firewall:

  1. Click Start>Programs>Cisco Systems VPN 3000 Client>VPN Dialer.

  2. At the VPN Client main dialog box, click New.

  3. Enter a unique name for the connection.

  4. (Optional) Enter a description of this connection.

  5. Click Next.

    The second New Connection Entry Wizard dialog box appears.

  6. Enter the host name or IP address of the remote firewall you want to access.

  7. Click Next.

    The third New Connection Entry Wizard dialog box appears.

  8. Click Group Access Information.

  9. Enter the name of the VPN group to which you belong and the password for you VPN group.

    The password displays in asterisks.

  10. Click Next.

    The fourth New Connection Entry Wizard dialog box appears.

  11. Review the connection entry name.

  12. Click Finish.

Xauth, IKE Mode Config, and Digital Certificates

For example purposes, the firewall is shown to interoperate with the Entrust CA server. The specific CA-related commands you enter depend on the CA you are using.

Both the firewall and the VPN client are required to obtain digital certificates from the same CA server so that both are certified by the same root CA server. The firewall only supports use of one root CA server per VPN peer.

The firewall supports CA servers developed by VeriSign, Entrust, Baltimore Technologies, and Microsoft. See "Using Certification Authorities" in "Basic VPN Configuration," for general configuration procedures.

On the firewall, configure the unit to interoperate with the CA server to obtain a digital certificate. With the vpngroup command set, configure the firewall for a specified group of VPN client users, using the following parameters:

  • Pool of local addresses to be assigned to the VPN group

  • (Optional) IP address of a DNS server to download to the VPN client

  • (Optional) IP address of a WINS server to download to the VPN client

  • (Optional) Default domain name to download to the VPN client

  • (Optional) Split tunneling on the firewall, which allows both encrypted and clear traffic between the VPN client and the firewall.

    If split tunnelling is not enabled, all traffic between the VPN client and the firewall will be encrypted.

  • (Optional) Inactivity timeout for the VPN client. The default is 30 minutes.

On the VPN client, configure the client to obtain a digital certificate. After obtaining the certificate, set up the VPN client connection entry to use the digital certificate.

When the VPN client initiates ISAKMP with the firewall, the digital certificate is sent to the firewall. The firewall uses the digital certificate to look up the configured client policy attributes for the given VPN client and downloads the matching policy attributes to the client during the IKE negotiation.

Configuring the firewall

Follow these steps to configure the firewall to interoperate with the VPN client:

  1. Define AAA related parameters:
    aaa-server TACACS+ protocol tacacs+
    aaa-server partnerauth protocol tacacs+
    aaa-server partnerauth ( dmz) host 192.168.101.2 abcdef timeout 5

  2. Define a host name:
    hostname SanJose

  3. Define the domain name:
    domain-name example.com

  4. Generate the firewall RSA key pair:
    ca generate rsa key 512

    This command is entered at the command line and does not get stored in the configuration.

  5. Declare a CA:
    ca identity abcd 209.165.200.228 209.165.200.228

    This command is stored in the configuration.

  6. To configure the parameters of communication between the firewall and the CA:
    ca configure abcd ra 1 20 crloptional

    This command is stored in the configuration. 1 is the retry period, 20 is the retry count, and the crloptional option disables CRL checking.

  7. Authenticate the CA by obtaining its public key and its certificate:
    ca authenticate abcd

    This command is entered at the command line and does not get stored in the configuration:

  8. Request signed certificates from the CA for the firewall's RSA key pair:
    ca enroll abcd cisco

    Before entering this command, contact the CA administrator because they will have to authenticate the firewall manually before granting its certificate(s):

    "cisco" is a challenge password. This can be anything. This command is entered at the command line and does not get stored in the configuration.

  9. Verify that the enrollment process was successful using the show ca certificate command:
    show ca certificate

  10. Save keys and certificates, and the CA commands (except those indicated) in Flash memory:
    ca save all
    write memory

  11. To configure the IKE policy:
    isakmp enable outside
    isakmp policy 8 encr 3des
    isakmp policy 8 hash md5
    isakmp policy 8 authentication rsa-sig

  12. Create an access list that defines the firewall local network(s) requiring IPSec protection:
    access-list 90 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

  13. To configure NAT 0:
    nat (inside) 0 access-list 90

  14. To configure a transform set that defines how the traffic will be protected:
    crypto ipsec transform-set strong-des esp-3des esp-sha-hmac

  15. Create a dynamic crypto map. Specify which transform sets are allowed for this dynamic crypto map entry:
    crypto dynamic-map cisco 4 set transform-set strong-des

  16. Add the dynamic crypto map set into a static crypto map set:
    crypto map partner-map 20 ipsec-isakmp dynamic cisco

  17. Apply the crypto map to the outside interface:
    crypto map partner-map interface outside

  18. Tell firewall to implicitly permit IPSec traffic:
    sysopt connection permit-ipsec

  19. Enable Xauth:
    crypto map partner-map client authentication partnerauth

  20. To configure IKE Mode Configuration related parameters:
    ip local pool dealer 10.1.1.1-10.1.1.254
    crypto map partner-map client configuration address initiate

  21. To configure VPN client policy attributes to download to the VPN client:
    vpngroup superteam address-pool dealer
    vpngroup superteam dns-server 10.0.0.15
    vpngroup superteam wins-server 10.0.0.15
    vpngroup superteam default-domain example.com
    vpngroup superteam access-list 90
    vpngroup superteam idle-time 1800

Example 6-3: VPN Access with Extended Authentication, RADIUS Authorization, IKE Mode Config, and Digital Certificates 

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2  dmz security10
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname SanJose
    domain-name example.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol smtp 25
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol sqlnet 1521
    names
    pager lines 24
    no logging on
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    mtu outside 1500
    mtu inside 1500
    mtu  dmz 1500
    ip address outside 209.165.200.229 255.255.255.224
    ip address inside 10.0.0.1 255.255.255.0
    ip address  dmz 192.168.101.1 255.255.255.0
    no failover
    failover ip address outside 0.0.0.0
    failover ip address inside 0.0.0.0
    failover ip address  dmz 0.0.0.0
    arp timeout 14400
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-list 90 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq telnet
    access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ftp
    access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq http
    nat (inside) 0 access-list 90
    global (outside) 1 209.165.200.45-209.165.200.50 netmask 255.255.255.224
    route outside 0.0.0.0 0.0.0.0 209.165.200.227 1
    timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
    timeout rpc 0:10:00 h323 0:05:00
    timeout uauth 0:05:00 absolute
    ip local pool dealer 10.1.1.1-10.1.1.254
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server partnerauth protocol tacacs+
    aaa-server partnerauth ( dmz) host 192.168.101.2 abcdef timeout 5
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
    crypto dynamic-map cisco 4 set transform-set strong-des
    crypto map partner-map 20 ipsec-isakmp dynamic cisco
    crypto map partner-map client authentication partnerauth 
    crypto map partner-map interface outside
    isakmp enable outside
    isakmp policy 8 encryption 3des
    isakmp policy 8 hash md5
    isakmp policy 8 authentication rsa-sig
    vpngroup superteam address-pool dealer
    vpngroup superteam dns-server 10.0.0.15
    vpngroup superteam wins-server 10.0.0.15
    vpngroup superteam default-domain example.com
    vpngroup superteam split-tunnel 90
    vpngroup superteam idle->ime 1800 
    ca identity abcd 209.165.200.228 209.165.200.228
    ca configure abcd ra 1 100 crloptional
    sysopt connection permit-ipsec
    telnet timeout 5
    terminal width 80

The command crypto map partner-map client configuration address initiate is only required to configure the VPN client, version 2.5.

Configuring the VPN client

This section describes how to configure the VPN client to match the configurations in "Configuring the firewall." It is assumed the VPN client is already installed on the system and is configured for general use. You can find the VPN client documentation online at the following website:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

For the VPN client to gain VPN access to the firewall using a digital certificate, obtain a digital certificate from a CA server. Once you have this certificate, create a VPN client connection entry that identifies the following: