Sample Configurations of PIX and VPN Clients



In this section, we present a full configuration example of the PIX and a VPN client. Our example uses IKE with pre-shared keys, IKE mode configuration, and extended authentication (xauth) of the client against an internal RADIUS server. After that, we briefly discuss the changes needed in order to use digital certificates for IKE authentication. The network setup is shown in Figure 7.19.

Clients will be assigned IP addresses from the pool 192.168.10.1–192.168.10.254, and IKE authentication will use a wildcard key. Only the default VPN group will be configured. Configuration (assuming that PIX IP addresses are already configured) starts with defining an authentication server. The server group is named authserver, which is the name the crypto map refers to later; abcdef is the RADIUS shared secret, which is stored in the PIX configuration, so choose it with the same care as any other credential:

PIX1(config)# aaa-server authserver protocol radius
PIX1(config)# aaa-server authserver (inside) host 192.168.2.33 abcdef timeout 5

Next an IKE policy is configured (3DES encryption and MD5 hashing):

PIX1(config)# isakmp enable outside
PIX1(config)# isakmp policy 10 encryption 3des
PIX1(config)# isakmp policy 10 hash md5
PIX1(config)# isakmp policy 10 authentication pre-share

www.syngress.com

Figure 7.19 Network Setup for Cisco VPN Client Configuration (the VPN client dials a modem to the ISP access server (NAS) and reaches PIX1 across the Internet; PIX1 has outside address 12.23.34.45 and inside address 192.168.2.1 on network 192.168.2.0/24, where the RADIUS server is 192.168.2.33)

398 Chapter 7 • Configuring Virtual Private Networking

Cisco VPN client 3.x requires use of Diffie-Hellman Group 2 (1024-bit keys), not the default Group 1 (768-bit keys):

PIX1(config)# isakmp policy 10 group 2

A wildcard pre-shared key is configured, so all clients will use the same key:

PIX1(config)# isakmp key mysecretkey address 0.0.0.0 netmask 0.0.0.0

Because every client holds the same key, the key by itself does not identify anyone; the xauth step configured below is what ties a tunnel to a user account, and the key should be changed if a client machine is lost or compromised.

An access list for split tunneling is configured. Only traffic to or from network 192.168.2.0/24 will be protected:

PIX1(config)# access-list 80 permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0

No-NAT is configured for IPsec traffic:

PIX1(config)# nat (inside) 0 access-list 80

Transform sets and crypto maps are configured and applied. This is a simple crypto map with only a dynamic map as a subentry. The transform set name used in the dynamic map (strong) must be exactly the name given when the transform set was defined:

PIX1(config)# crypto ipsec transform-set strong esp-3des esp-sha-hmac
PIX1(config)# crypto dynamic-map cisco 10 set transform-set strong
PIX1(config)# crypto map partner-map 20 ipsec-isakmp dynamic cisco
PIX1(config)# crypto map partner-map interface outside

Xauth is enabled for this map:

PIX1(config)# crypto map partner-map client authentication authserver

IKE mode configuration is enabled and an IP pool is created:

PIX1(config)# ip local pool dealer 192.168.10.1-192.168.10.254
PIX1(config)# isakmp client configuration address-pool local dealer outside
PIX1(config)# crypto map partner-map client configuration address initiate

Initiate mode is optional for VPN client 3.x but must be used with clients version 2.x. The isakmp client configuration line above sets global IKE mode configuration settings. It can be substituted by one command:

PIX1(config)# vpngroup default address-pool dealer

The difference is subtle here, because we configure the default group and its settings will be applied for any group name supplied by the VPN client. If you configure global IKE mode configuration, it will also be applied to site-to-site tunnel endpoints, so if you have any, you might need to exclude them. If there are none, there is no difference at all. A good way to keep the configuration simple when you have both site-to-site tunnels and VPN clients is to use the default VPN group and define IKE mode configuration only for this group; it will not affect site-to-site gateways then.

Other VPN group settings are configured:

PIX1(config)# vpngroup default dns-server 192.168.2.44
PIX1(config)# vpngroup default wins-server 192.168.2.45
PIX1(config)# vpngroup default default-domain securecorp.com
PIX1(config)# vpngroup default split-tunnel 80
PIX1(config)# vpngroup default idle-time 1800

Note that split tunneling leaves the client connected to the Internet in the clear while the tunnel is up. If that is not acceptable, omit the split-tunnel setting and all client traffic will be sent through the tunnel (the FAQ at the end of this chapter describes the trade-off).

IPsec connections are implicitly permitted:

PIX1(config)# sysopt connection permit-ipsec

Figure 7.20 shows the full configuration of PIX1.

Figure 7.20 PIX1 Configuration

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password 8Ry2YjIRX7RXXU24 encrypted
passwd 2KFQnbNIdIXZJH.YOU encrypted
hostname PIX1
domain-name securecorp.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 24
no logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 12.23.34.54 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
no failover
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 80 permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list 80
global (outside) 1 12.23.34.55
route outside 0.0.0.0 0.0.0.0 12.23.34.254 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
ip local pool dealer 192.168.10.1-192.168.10.254
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server authserver protocol radius
aaa-server authserver (inside) host 192.168.2.33 abcdef timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
crypto map partner-map client configuration address initiate
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map cisco 10 set transform-set strong
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client authentication authserver
crypto map partner-map interface outside
isakmp key mysecretkey address 0.0.0.0 netmask 0.0.0.0
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup default address-pool dealer
vpngroup default dns-server 192.168.2.44
vpngroup default wins-server 192.168.2.45
vpngroup default default-domain securecorp.com
vpngroup default split-tunnel 80
vpngroup default idle-time 1800
sysopt connection permit-ipsec
telnet timeout 5
terminal width 80

Two lines in this listing deserve attention before such a configuration goes into production: no logging on discards the syslog messages you would need to investigate failed xauth logins, and snmp-server community public is the well-known default read community.
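The configuration in Figure 7.20 ties together several named objects (transform set, dynamic map, crypto map, aaa-server, address pool, split-tunnel ACL), and a single misspelled name silently leaves clients unable to build a tunnel. The following Python script is an added example, not part of the original chapter and not a Cisco tool: it audits a PIX 6.x configuration text for dangling cross-references between those objects and for the weak or risky settings discussed in this section (MD5 hashing, DH group 1, a wildcard pre-shared key without xauth, logging turned off, the default SNMP community, a group without split tunneling). The embedded configuration is a constructed excerpt of Figure 7.20 in which the dynamic map deliberately references a transform set named strong-des that is never defined, so the cross-reference check has something to report. The line patterns assume the PIX 6.x command syntax shown in this chapter.

```python
"""Static audit of a PIX 6.x configuration for VPN-client settings:
dangling cross-references between crypto objects and weak settings."""
import re
from typing import List, Set, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed excerpt of Figure 7.20; transform-set strong-des is deliberately undefined.
PIX1_CONFIG = """\
no logging on
ip local pool dealer 192.168.10.1-192.168.10.254
access-list 80 permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
aaa-server authserver protocol radius
aaa-server authserver (inside) host 192.168.2.33 abcdef timeout 5
snmp-server community public
crypto map partner-map client configuration address initiate
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map cisco 10 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client authentication authserver
crypto map partner-map interface outside
isakmp key mysecretkey address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup default address-pool dealer
vpngroup default split-tunnel 80
sysopt connection permit-ipsec
"""

def _names(cfg: str, pattern: str) -> Set[str]:
    """Set of the first capture group over all lines matching pattern."""
    return set(re.findall(pattern, cfg, re.M))

def check_references(cfg: str) -> List[Finding]:
    """Every object a VPN-client configuration points at must be defined."""
    out: List[Finding] = []
    defined = {
        "transform-set": _names(cfg, r"^crypto ipsec transform-set (\S+)"),
        "dynamic-map": _names(cfg, r"^crypto dynamic-map (\S+)"),
        "crypto map": _names(cfg, r"^crypto map (\S+) \d+ ipsec-isakmp"),
        "aaa-server": _names(cfg, r"^aaa-server (\S+) protocol"),
        "address pool": _names(cfg, r"^ip local pool (\S+)"),
        "access-list": _names(cfg, r"^access-list (\S+)"),
    }
    # (line pattern capturing owner and target, kind of object referenced, owner description)
    refs = [
        (r"^crypto dynamic-map (\S+) \d+ set transform-set (.+)$", "transform-set", "dynamic-map"),
        (r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", "dynamic-map", "crypto map"),
        (r"^crypto map (\S+) client authentication (\S+)", "aaa-server", "xauth on crypto map"),
        (r"^vpngroup (\S+) address-pool (\S+)", "address pool", "vpngroup"),
        (r"^vpngroup (\S+) split-tunnel (\S+)", "access-list", "split tunnel of vpngroup"),
    ]
    for pattern, kind, what in refs:
        for owner, targets in re.findall(pattern, cfg, re.M):
            for target in targets.split():  # "set transform-set" may list several names
                if target not in defined[kind]:
                    out.append(("error", f"{what} {owner} uses undefined {kind} {target}"))
    for cmap, _iface in re.findall(r"^crypto map (\S+) interface (\S+)", cfg, re.M):
        if cmap not in defined["crypto map"]:
            out.append(("error", f"crypto map {cmap} is applied to an interface but has no entries"))
    return out

def check_settings(cfg: str) -> List[Finding]:
    """Flag settings that weaken the VPN or its administration."""
    out: List[Finding] = []
    for num, attr, val in re.findall(r"^isakmp policy (\d+) (\S+) (\S+)", cfg, re.M):
        if (attr, val) == ("hash", "md5"):
            out.append(("warn", f"isakmp policy {num} uses MD5 hashing; prefer SHA"))
        if (attr, val) == ("group", "1"):
            out.append(("warn", f"isakmp policy {num} uses DH group 1; VPN client 3.x requires group 2"))
    wildcard = re.search(r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0", cfg, re.M)
    xauth = re.search(r"^crypto map \S+ client authentication \S+", cfg, re.M)
    if wildcard and not xauth:
        out.append(("error", "wildcard pre-shared key without xauth: the key alone admits any client"))
    elif wildcard:
        out.append(("info", "wildcard pre-shared key is shared by all clients; rotate it if a client is compromised"))
    if re.search(r"^no logging on$", cfg, re.M):
        out.append(("warn", "logging is disabled; failed xauth logins will not be recorded"))
    for community in re.findall(r"^snmp-server community (\S+)", cfg, re.M):
        if community in ("public", "private"):
            out.append(("warn", f"SNMP community '{community}' is a well-known default"))
    for grp in _names(cfg, r"^vpngroup (\S+)"):
        if not re.search(rf"^vpngroup {re.escape(grp)} split-tunnel ", cfg, re.M):
            out.append(("info", f"vpngroup {grp} has no split-tunnel ACL; all client traffic goes through the tunnel"))
    return out

def audit(cfg: str) -> List[Finding]:
    """Run both passes; an empty result means nothing to fix."""
    return check_references(cfg) + check_settings(cfg)

if __name__ == "__main__":
    for severity, message in audit(PIX1_CONFIG):
        print(f"{severity.upper():5} {message}")
```

Run it against a saved "write terminal" output instead of the embedded sample by reading the file into audit(). Errors are conditions under which the client tunnel cannot come up at all; warnings and informational findings are judgement calls that the text above explains.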

The Cisco VPN client is configured as follows. Select Start | Programs | Cisco Systems VPN Client | VPN Dialer and select New to create a new connection entry (see Figure 7.21).

The New Connection Entry wizard starts. After asking you to name this connection (enter whatever you want here), it asks for the IP address of the server. In our case, this is the IP address of the outside interface of PIX1, where the tunnel will be terminated (see Figure 7.22). Enter the IP address, and click Next.

Figure 7.21 Creating a New Connection Entry

Next you need to enter the name of the group and the shared IKE secret. In our case, because we defined a default group on the PIX, the group name does not really matter; any name will match the default group. If, on the other hand, we specified another name in the PIX configuration, we would have needed to specify exactly the same name on this screen. The password is the shared key mysecretkey (see Figure 7.23). Again, if we were using a separate password for each VPN group, the password that corresponds to the group's name should be entered here.

After clicking Next and then Finish, we are done. It is possible to modify this entry's properties by clicking Options | Properties in the main window of VPN Dialer. Among other properties, it is possible to change the group name and password, set timeouts, and select the dialup connection that must be dialed before establishing the tunnel.

Now you need to select the connection you just created and click the Connect button (see Figure 7.24).

If network connectivity is correct (nothing blocks IKE port UDP/500 between your host and the firewall, for example, and ESP, IP protocol 50, can pass for the tunneled traffic), IKE negotiation starts. It checks the shared secret first, then xauth starts and the VPN client displays a new window asking you to enter a username and a password. After you do this, the username and password are checked against the RADIUS server defined in the PIX configuration. If everything is correct, the tunnel is established and the PIX downloads settings such as an internal IP address, DNS, and WINS settings to the VPN client.

Figure 7.22 Entering the Server IP Address

Figure 7.23 Specifying the VPN Group and the IKE Shared Secret

Figure 7.24 Connecting to the Server

You can test that the connection works by pinging some internal hosts behind the PIX from the client computer. It is also possible to monitor established tunnels with the common PIX debug commands such as debug vpdn event, debug vpdn error, and debug vpdn packet. You can also use all IPsec and IKE-related debug commands (debug crypto isakmp and debug crypto ipsec).

In order to use digital certificates, the CA is configured (we will use VeriSign as before) and IKE is reconfigured correspondingly. The whole configuration changes by just a few commands. See Figure 7.25 for a listing of the PIX configuration; the commands that differ from Figure 7.20 are the isakmp policy authentication method (rsa-sig instead of pre-share), the removed wildcard isakmp key, the vpngroup name (mygroup instead of default), and the two ca commands that define the CA.

Figure 7.25 PIX1 Configuration for Use with IKE CA Authentication

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password 8Ry2YjIRX7RXXU24 encrypted
passwd 2KFQnbNIdIXZJH.YOU encrypted
hostname PIX1
domain-name securecorp.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 24
no logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 12.23.34.54 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
no failover
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 80 permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list 80
global (outside) 1 12.23.34.55
route outside 0.0.0.0 0.0.0.0 12.23.34.254 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
ip local pool dealer 192.168.10.1-192.168.10.254
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server authserver protocol radius
aaa-server authserver (inside) host 192.168.2.33 abcdef timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
crypto map partner-map client configuration address initiate
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map cisco 10 set transform-set strong
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client authentication authserver
crypto map partner-map interface outside
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup mygroup address-pool dealer
vpngroup mygroup dns-server 192.168.2.44
vpngroup mygroup wins-server 192.168.2.45
vpngroup mygroup default-domain securecorp.com
vpngroup mygroup split-tunnel 80
vpngroup mygroup idle-time 1800
ca identity verisign 205.139.94.230
ca configure verisign ca 1 20 crloptional
sysopt connection permit-ipsec
telnet timeout 5
terminal width 80

The group name was changed from the default because with digital certificates the name of the group must match the Organizational Unit field of the Cisco VPN client certificate. This certificate must be obtained and installed before configuring the connection entry. The process of obtaining the certificate is described in the VPN client documentation at www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm. Client certificates are managed by Certificate Manager, which is installed together with the VPN client.

Note the crloptional keyword in the ca configure command: it lets the PIX accept a peer certificate even when it cannot retrieve a certificate revocation list, so a revoked client certificate may still be accepted. Drop that keyword if revocation must be enforced, and make sure the PIX can then reach the CA's CRL distribution point.

Client configuration after the certificate has been obtained does not change much compared to the case of pre-shared keys. Only the step shown in Figure 7.23 changes; you need to select your certificate instead of a name for the group. See Figure 7.26.

Connectivity can be verified as before, and troubleshooting uses the same PIX debug commands.

Figure 7.26 Using a Digital Certificate for IKE Authentication
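The certificate-mode requirement above (the vpngroup name must equal the OU of the client certificate) is easy to get wrong when the CA's templates fill OU with a department name rather than the VPN group. The following Python is an added example, not from the chapter and not from Cisco: it parses a certificate subject DN, reads the vpngroup names and their pushed attributes from a PIX configuration text (a constructed excerpt of Figure 7.25), and reports which group a given client would land in, refusing to evaluate when the configuration is not actually set up for rsa-sig with a CA defined. The RFC 4514 DN format and the assumption that the match is an exact comparison of the OU string against the group name are mine; check case handling against the PIX version you run.

```python
"""Which PIX vpngroup does a certificate-authenticated VPN client land in?
With IKE rsa-sig authentication the PIX takes the group name from the
Organizational Unit (OU) of the client certificate, so the OU must equal
a configured vpngroup name exactly; a group name typed into the client
is not used."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the Figure 7.25 configuration.
PIX1_CERT_CONFIG = """\
isakmp policy 10 authentication rsa-sig
vpngroup mygroup address-pool dealer
vpngroup mygroup dns-server 192.168.2.44
vpngroup mygroup wins-server 192.168.2.45
vpngroup mygroup default-domain securecorp.com
vpngroup mygroup split-tunnel 80
vpngroup mygroup idle-time 1800
ca identity verisign 205.139.94.230
ca configure verisign ca 1 20 crloptional
"""

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 style subject ("CN=alice,OU=mygroup,O=SecureCorp")
    into (attribute, value) pairs. A backslash escapes the next character,
    so "Smith\\, John" stays one value instead of splitting at the comma."""
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs: List[Tuple[str, str]] = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def vpngroups(cfg: str) -> Dict[str, Dict[str, str]]:
    """Per-group attributes the PIX pushes to the client by mode configuration."""
    groups: Dict[str, Dict[str, str]] = {}
    for name, attr, value in re.findall(r"^vpngroup (\S+) (\S+) (\S+)", cfg, re.M):
        groups.setdefault(name, {})[attr] = value
    return groups

def certificate_auth_ready(cfg: str) -> bool:
    """True when the IKE policy uses rsa-sig and a CA is actually defined."""
    return all(re.search(p, cfg, re.M) for p in (
        r"^isakmp policy \d+ authentication rsa-sig",
        r"^ca identity \S+",
        r"^ca configure \S+",
    ))

def select_group(cfg: str, subject_dn: str) -> Optional[str]:
    """Return the vpngroup whose name equals the certificate's OU, or None
    when no configured group matches, which is the misconfiguration the
    text warns about (the client would not receive that group's settings)."""
    if not certificate_auth_ready(cfg):
        raise ValueError("PIX is not configured for certificate authentication")
    groups = vpngroups(cfg)
    for attr, value in parse_dn(subject_dn):
        if attr == "OU" and value in groups:
            return value
    return None

if __name__ == "__main__":
    for dn in ("CN=alice,OU=mygroup,O=SecureCorp", "CN=bob,OU=sales,O=SecureCorp"):
        print(dn, "->", select_group(PIX1_CERT_CONFIG, dn))
```

Feed select_group() the subject printed by the client's Certificate Manager for each user certificate before rollout; a None result means the CA template and the vpngroup names on the PIX disagree and the certificate will not select the intended group.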

Summary

Virtual private networks are used to securely tunnel traffic between two sites over a public network such as the Internet. VPNs are commonly used to connect branch offices, mobile users, and business partners. The two common types of VPNs are site-to-site and remote access. The PIX firewall supports both types of VPN using various protocols: IPsec, L2TP, and PPTP.

The most robust tunneling solution for IP networks is the IPsec suite of protocols. It was developed by the IETF as part of IPv6. IPsec operates at Layer 3 of the OSI model, which means that it can protect communications from the network layer (IP) and up. IPsec specifies encryption and authentication algorithms, the AH and ESP protocols used for tunneling itself, and the IKE/ISAKMP key management protocol. IPsec's main goals are data confidentiality, data integrity, data origin authentication, and antireplay service.

When a site-to-site IPsec tunnel is configured on a PIX firewall, one of two main methods of IKE authentication is used: pre-shared keys or digital certificates. The former is simpler to set up, but it lacks the scalability offered by the digital certificate solution. It is also possible to not use IKE at all. In this configuration, all IPsec parameters are configured manually; this is called manual IPsec. There are two encapsulation modes in IPsec: tunnel and transport. The PIX almost always uses tunnel mode, with the exception of L2TP tunneling, where transport mode is used.

In the second type of VPN, remote clients connect to a gateway. The PIX supports various protocols for this type of VPN. Point-to-Point Tunneling Protocol (PPTP) uses PPP encapsulation for tunneling traffic from the client to the PIX and can transport any Layer 3 protocol supported by the PPP specification. PPTP is a Layer 2 tunneling protocol in terms of the ISO/OSI model, whereas IPsec works with Layer 3 tunnels.

Another type of Layer 2 tunneling is Layer 2 Tunneling Protocol (L2TP). The PIX uses it together with IPsec in transport mode in order to encrypt and authenticate packets. L2TP configuration resembles a combination of the configurations of IPsec and PPTP. Both the PPTP and L2TP protocols are supported by the built-in Windows 2000 VPN client.

Cisco has its own software VPN client that provides full IPsec features when working with the PIX firewall. It can perform IKE authentication with both pre-shared keys and digital certificates. The PIX uses two extensions to IKE to provide VPN clients with an internal IP address (IKE mode configuration) and to perform additional authentication of clients during IKE negotiation using Extended Authentication (xauth).

Solutions Fast Track

IPsec Concepts

• The main features of IPsec are data confidentiality, data integrity, data origin authentication, and antireplay service.

• IPsec specifies low-level encryption and authentication algorithms, IP encapsulation protocols, and key management tools.

• There are two types of VPN: site-to-site and remote access.

• IPsec can be used in two modes: transport and tunnel. All PIX site-to-site VPNs use tunnel mode.

Configuring Site-to-Site IPsec Using IKE

• Site-to-site tunnels can use IKE in pre-shared keys mode or with digital certificates. The former is simpler to configure, but the latter provides more scalability.

• The PIX has separate configurations for IKE parameters and for the rest of IPsec, such as the set of encryption protocols and security policies for traffic protection.

• It is possible to implicitly allow all authenticated IPsec traffic through a PIX firewall, thus not requiring any special conduits for each tunnel. This is enabled using the sysopt connection permit-ipsec command.

Configuring Point-to-Point Tunneling Protocol

• PPTP is an encapsulation of traffic using PPP and then Generic Routing Encapsulation (GRE). Since it operates at Layer 2, it can also tunnel protocols other than IP.

• PPTP is generally used for remote access networks and is supported by the Windows 2000 built-in VPN client.

• Authentication for PPTP access is provided on the PIX and can be performed against the local database or an external AAA server.

Configuring Layer 2 Tunneling Protocol with IPsec

• Layer 2 Tunneling Protocol (L2TP) is another Layer 2 tunneling protocol that can tunnel non-IP protocols. Using L2TP is the only time when the PIX can be configured in IPsec transport mode.

• The Windows 2000 built-in client supports only digital certificate authentication, although Microsoft provides some documentation on possible ways to support pre-shared key IKE authentication. L2TP users are additionally authenticated by PPP means such as PAP, CHAP, or MS-CHAP.

• Encryption, packet authentication, and antireplay services are provided by an IPsec tunnel.

Configuring Site-to-Site IPsec Without IKE (Manual IPsec)

• It is possible to configure IPsec without IKE. This is also known as manual IPsec.

• Manual IPsec is difficult to scale and is not recommended. It is also less secure because there is no SA lifetime and PFS cannot be enabled.

• For manual IPsec to function, an inbound session key and an outbound session key must be configured manually.

Configuring Support for the Cisco Software VPN Clients

• Cisco VPN client 3.x supports all IPsec features, including IKE with pre-shared keys or digital certificates.

• The Cisco PIX firewall uses the IKE extensions IKE mode configuration and Extended Authentication to assign remote clients internal IP addresses, download configuration settings to them, and perform additional authentication.

• User authentication using xauth can only be performed by external AAA servers. The local PIX database cannot be used.

• The Cisco VPN client, when installed, takes over the built-in Windows 2000 IPsec client so that the latter cannot function correctly.

• It is possible to specify which traffic has to be tunneled through the IPsec connection and which must be transmitted in the clear so that user Internet and LAN connectivity does not cease after the tunnel is established.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: Which IKE lifetime parameters are supported?

A: Although there are two parameters, time lifetime and volume lifetime, only the former is currently supported, so the output of show isakmp policy will always show a "no volume limit" setting.

Q: I am having trouble connecting a Windows 2000 VPN client to a PIX L2TP gateway. What can be wrong?

A: Such problems are frequently caused by a mismatch in either the transform sets or the IKE or IPsec SA lifetimes. They should be negotiated in theory, but it is better to configure them to match exactly.

Q: All IPsec connections are dropped when I reapply a crypto map to the interface. Is this normal behavior?

A: Yes. When a crypto map is applied to an interface, all internal IPsec-related structures such as the SPD and SAD are reinitialized, so all SAs are deleted and all tunnels are dropped. Unfortunately, for any change in a crypto map to become effective, it has to be reapplied.

Q: My Internet connectivity drops after I establish a VPN connection with the PIX using a VPN client. What is the cause of this problem?

A: Most probably you did not specify split tunneling in the PIX configuration, so all your traffic is directed to the PIX and therefore you cannot reach the Internet. Configure split tunneling in order to tunnel only the interesting traffic and let everything else be transmitted in the clear.

Q: What are the specifics for configuring the PIX to support VPN client 2.x and 3.x?

A: VPN client v3.x requires the use of Diffie-Hellman Group 2 in the IKE exchange. VPN client version 2.x requires that IKE mode configuration be initiated by the PIX because it cannot initiate this process by itself.