Configuring Support for the Cisco Software VPN Client
The Cisco software VPN client is client software for use with Cisco-based IPsec gateways. It supports Cisco VPN concentrators, PIX, and IOS-based devices. The VPN client is installed on a client computer and takes precedence over the internal Windows IPsec client.

NOTE

The internal Windows IPsec client will not work after the Cisco software VPN client is installed, because the Cisco client takes over IKE port UDP 500. So, for example, the L2TP tunneling described in the previous section will not work.

www.syngress.com

Figure 7.17 The MMC for Certificate Management

Configuring Virtual Private Networking • Chapter 7 391

The latest version of the Cisco VPN client can be downloaded from Cisco's Web site. (You might be required to log in first.) Installation of the Cisco VPN client is straightforward; it might ask you a couple of questions, for example, whether you want to disable Internet Connection Sharing and disable the Windows internal IPsec policy service, because the VPN client is not compatible with these two features.

Mode Configuration

IKE mode configuration is an extension of the IKE protocol that allows you to assign a known internal IP address to the VPN client during the IKE negotiation process. The client then uses this address as its "internal" IP address in its communications over the IPsec tunnel. Because this address is already known to the firewall, it can easily be matched against the security policy database (SPD). IKE mode configuration allows for easy scalability of VPN networks that have many clients without fixed IP addresses.

IKE mode configuration occurs between Phases 1 and 2 of IKE negotiation. During this process, it is possible to push an IP address and other IP-related settings, such as DNS servers, to the client. There are two types of IKE mode configuration negotiation:

• Gateway initiation: The gateway initiates the configuration mode with the client. After the client responds, IKE modifies the sender's identity, the message is processed, and the client receives a response.

• Client initiation: The client initiates the configuration mode with the gateway. The gateway responds with an IP address it has allocated for the client.

There are three steps to configure IKE mode configuration on the PIX firewall:

1. Define an IP address pool, as was done, for example, in the section about L2TP. The command is as follows:

ip local pool pool_name pool_start_address[-pool_end_address]

2. Reference the IP address pool in the IKE configuration using the command:

isakmp client configuration address-pool local pool-name [interface-name]


This command states that IKE on interface interface-name should use the address pool called pool-name to assign local IP addresses to VPN clients.

3. In the crypto map settings, define which crypto map should try to negotiate IKE mode configuration with the client and whether the client or the gateway will initiate this process. The relevant command is:

crypto map map-name client configuration address initiate | respond

In this command, map-name is the name of the crypto map; initiate means that the gateway initiates IKE mode configuration, and respond means that the client should start the process itself and the gateway responds. For example:

ip local pool modeconf 172.16.1.1-172.16.1.126
isakmp client configuration address-pool local modeconf outside
crypto map mymap client configuration address initiate

These settings (provided the rest of IKE and IPsec is configured) will force the PIX to try to initiate IKE mode configuration with each client that matches crypto map mymap. Clients will be assigned IP addresses from the 172.16.1.1–172.16.1.126 address range.

One slight complication arises if the same interface is used for terminating both VPN clients and peers with static IP addresses (site-to-site gateways). Such peers have to be excluded from the IKE mode configuration process. For peers that use pre-shared key authentication, this exclusion is performed using the command:

isakmp key keystring address peer-address [netmask mask] no-config-mode

For peers that use RSA signatures, use this command instead:

isakmp peer fqdn fqdn no-config-mode

For example, to specify that the peer 23.34.45.56 uses the pre-shared key mysecretkey for IKE authentication and needs to be excluded from IKE mode configuration, we can use the following command:

isakmp key mysecretkey address 23.34.45.56 netmask 255.255.255.255 no-config-mode

Extended Authentication

IKE Extended Authentication (xauth) is an enhancement to IKE and is currently a draft RFC. Xauth is useful when configuring the Cisco software VPN client to


access the PIX firewall because it allows authentication to be performed after IKE Phase 1 and before Phase 2. Without xauth, IKE can only authenticate a device, not a user. With xauth, IKE is extended to support user authentication as well, by allowing the server to request a username and password from the client.

On the PIX firewall, the user is verified against an external RADIUS or TACACS+ server. (Local authentication cannot be used.) If verification fails, the IKE SA for this connection is deleted and the IPsec SAs will not be established. Xauth negotiation is performed before IKE mode configuration.

Before you enable xauth, you must define an AAA server group with AAA servers using the following commands:

aaa-server group_tag protocol auth_protocol
aaa-server group_tag [(interface)] host server_ip [key] [timeout seconds]

For example:

PIX1(config)# aaa-server vpnauthgroup protocol radius
PIX1(config)# aaa-server vpnauthgroup (inside) host 192.168.2.33 secretkey timeout 60

These commands specify that the RADIUS server 192.168.2.33 is in the group vpnauthgroup, has the shared key secretkey (which must match the secret configured on the RADIUS server), and has a timeout of 60 seconds.

Xauth negotiation is enabled in the crypto map. This is done using the following command:

crypto map map-name client authentication group_tag

map-name is the name of the crypto map for which xauth is enabled; group_tag is the name of a previously defined AAA server group. For example, the following command forces IKE negotiations under map mymap to use xauth, with authentication performed using the previously defined server 192.168.2.33:

PIX1(config)# crypto map mymap client authentication vpnauthgroup

Xauth faces the same problem as IKE mode configuration when the same interface is used for termination of both clients with dynamic addresses and site-to-site tunnels: a site-to-site peer would otherwise be prompted for user credentials. It is possible to use the same approach to exclude some IP addresses from xauth negotiation. The command for configuring exceptions is:

isakmp key keystring address peer-address [netmask mask] no-xauth

Both exclusions can be given on the same isakmp key line (no-xauth no-config-mode), which is the usual way to configure a static peer on an interface that also terminates VPN clients. For example:


PIX1(config)# isakmp key mysecretkey address 23.34.45.56 netmask 255.255.255.255 no-xauth

VPN Groups

The last feature used in configuring VPN client support is VPN groups. A Cisco VPN client is supposed to log into one of these groups in order to download its security parameters from a VPN concentrator or, in our case, a PIX firewall. A group is configured on the PIX using the vpngroup set of commands. There are several commands in this set:

vpngroup group_name address-pool pool_name
vpngroup group_name default-domain domain_name
vpngroup group_name dns-server dns_ip_prim [dns_ip_sec]
vpngroup group_name idle-time idle_seconds
vpngroup group_name max-time max_seconds
vpngroup group_name password preshared_key
vpngroup group_name pfs
vpngroup group_name split-tunnel access_list
vpngroup group_name wins-server wins_ip_prim [wins_ip_sec]

Most of these commands are self-explanatory. The address-pool command names the local IP address pool from which clients of this group receive their internal addresses; default-domain sets a domain name to be assigned to an authenticated client; dns-server and wins-server set the DNS server and WINS server to be used by the client; split-tunnel names an access list describing the networks that are reached through the tunnel, with all other client traffic sent unencrypted; and pfs forces the use of Perfect Forward Secrecy by all clients authenticated against this group. The idle-time parameter sets the maximum inactivity timeout, after which the client is disconnected. The default idle timeout is 1800 seconds. Max-time specifies the maximum connection time, after which the client is forced to disconnect. The default connection time is unlimited.
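The audit script below is an added example; it is not code from the book, from Cisco, or from the PIX itself. It pulls the commands used in this section (ip local pool, isakmp key, the crypto map client configuration and client authentication settings, and vpngroup) out of a constructed PIX configuration fragment and reports the site-to-site pitfall described under both mode configuration and xauth, namely a static peer whose isakmp key lacks no-config-mode or no-xauth, along with wildcard keys and two vpngroup sanity checks. The peer addresses, pool, group names and secrets in SAMPLE_CONFIG are invented; the parser is line-based, covers only these commands, and assumes that an isakmp key line with no netmask refers to a single host.

```python
"""Audit a PIX 6.x remote-access VPN configuration for the pitfalls above.

Added example, not from the book or from Cisco.  Parses a constructed PIX
configuration fragment (SAMPLE_CONFIG) with a line-based parser covering only
the commands used in this section, then reports:
  * static (non-wildcard) isakmp keys whose peer would be offered IKE mode
    configuration or challenged for xauth because no-config-mode / no-xauth
    is missing;
  * wildcard pre-shared keys, which every peer shares;
  * vpngroups that reference an undefined address pool or have no password.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample configuration (addresses, names and secrets are
# illustrative only).  The site-to-site peer 23.34.45.56 is excluded from
# mode configuration but not from xauth; 198.51.100.7 is excluded from neither.
SAMPLE_CONFIG = """\
ip local pool modeconf 172.16.1.1-172.16.1.126
aaa-server vpnauthgroup protocol radius
aaa-server vpnauthgroup (inside) host 192.168.2.33 secretkey timeout 60
isakmp key mysecretkey address 23.34.45.56 netmask 255.255.255.255 no-config-mode
isakmp key othersecret address 198.51.100.7 netmask 255.255.255.255
isakmp key groupsecret address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local modeconf outside
crypto map mymap client configuration address initiate
crypto map mymap client authentication vpnauthgroup
crypto map mymap interface outside
vpngroup sales address-pool modeconf
vpngroup sales dns-server 192.168.2.10
vpngroup sales default-domain example.com
vpngroup sales idle-time 1800
vpngroup sales password sales-secret
"""

# isakmp key keystring address peer [netmask mask] [no-xauth] [no-config-mode]
KEY_RE = re.compile(
    r"^isakmp key (\S+) address (\S+)(?: netmask (\S+))?((?: no-xauth| no-config-mode)*)$"
)
MODECFG_RE = re.compile(r"^crypto map (\S+) client configuration address (initiate|respond)$")
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)$")
VPNGROUP_RE = re.compile(r"^vpngroup (\S+) (\S+)(?: (.+))?$")


@dataclass
class IsakmpKey:
    keystring: str
    address: str
    netmask: str
    no_xauth: bool
    no_config_mode: bool

    @property
    def wildcard(self) -> bool:
        return self.address == "0.0.0.0" and self.netmask == "0.0.0.0"


@dataclass
class PixVpnConfig:
    keys: list[IsakmpKey] = field(default_factory=list)
    pools: dict[str, str] = field(default_factory=dict)        # pool name -> range
    mode_config: dict[str, str] = field(default_factory=dict)  # map name -> initiate|respond
    xauth: dict[str, str] = field(default_factory=dict)        # map name -> AAA group tag
    vpngroups: dict[str, dict[str, str]] = field(default_factory=dict)


def parse_pix_config(text: str) -> PixVpnConfig:
    """Extract the VPN-client-related commands from a PIX configuration."""
    cfg = PixVpnConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            keystring, addr, mask, flags = m.groups()
            # Assumption: a missing netmask means a single host (255.255.255.255).
            cfg.keys.append(IsakmpKey(keystring, addr, mask or "255.255.255.255",
                                      "no-xauth" in flags, "no-config-mode" in flags))
        elif m := MODECFG_RE.match(line):
            cfg.mode_config[m.group(1)] = m.group(2)
        elif m := XAUTH_RE.match(line):
            cfg.xauth[m.group(1)] = m.group(2)
        elif m := POOL_RE.match(line):
            cfg.pools[m.group(1)] = m.group(2)
        elif m := VPNGROUP_RE.match(line):
            group, attr, value = m.groups()
            cfg.vpngroups.setdefault(group, {})[attr] = value or ""
    return cfg


def audit(cfg: PixVpnConfig) -> list[str]:
    """Return one finding per misconfiguration described in the text."""
    findings: list[str] = []
    mode_cfg_on = bool(cfg.mode_config)
    xauth_on = bool(cfg.xauth)
    for k in cfg.keys:
        if k.wildcard:
            findings.append(f"wildcard pre-shared key '{k.keystring}' is shared by every peer")
            continue  # remote-access clients are meant to get mode config and xauth
        if mode_cfg_on and not k.no_config_mode:
            findings.append(f"static peer {k.address} will be offered IKE mode configuration; add no-config-mode")
        if xauth_on and not k.no_xauth:
            findings.append(f"static peer {k.address} will be challenged for xauth; add no-xauth")
    for group, attrs in cfg.vpngroups.items():
        pool = attrs.get("address-pool")
        if pool and pool not in cfg.pools:
            findings.append(f"vpngroup {group} references undefined address pool {pool}")
        if not attrs.get("password"):
            findings.append(f"vpngroup {group} has no password (IKE pre-shared key)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_pix_config(SAMPLE_CONFIG)):
        print(finding)
```

Run as-is it reports four findings for the sample: 23.34.45.56 is missing no-xauth, 198.51.100.7 is missing both exclusions, and the wildcard key is noted as shared by every peer. To audit a real device, replace SAMPLE_CONFIG with the saved output of show running-config; the wildcard finding is informational, since that key is exactly what the VPN client group relies on.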

The password command specifies an IKE pre-shared key. In reality, when a VPN client connects to the PIX, it specifies its group name and the PIX tries to perform IKE negotiation using this password as a shared IKE key. The group name and password can be set in the VPN Dialer when creating an entry. (See the following section for VPN client configuration examples.) There is another option for assigning passwords (shared keys) for IKE authentication. It is possible to use a single pre-shared key for all possible peers using the following command:

isakmp key keystring address 0.0.0.0 netmask 0.0.0.0

This is called a wildcard IKE key, and it means that this key is used regardless