Remote Access VPNs with Preshared Keys

This section discusses configuring VPN 3000 Concentrators to support remote access implementations. Remote access VPN clients can use any of the four following common connectivity technologies:

VPN client software installed on PCs or workstations
VPN 3002 Hardware Client
Router supporting VPN
Firewall supporting VPN

The proliferation of low-cost small routers and firewall devices is making this an attractive and more secure option for many remote users. Cisco’s small routers and firewall all support remote access options. For this example, we assume the remote users are using VPN client software. In any case, two levels of authentication need to occur. First, the device must authenticate itself to the concentrator or peer device, and then the user typically must authenticate on the network to gain access.

Cisco Easy VPN is a software enhancement that enables all three types of remote access clients to connect easily to the central site with minimal end user involvement. This is most important with large implementations and sites with limited local support. Chapter 12 covered the VPN client software, Chapter 15 covers the VPN 3002 Hardware Client, and Chapter 21 covers the PIX VPN connections, including Easy VPN. In this chapter, we focus on the VPN Concentrator that would connect to each of these technologies.

Figure 14-12 shows a scenario to use in the VPN remote-access configuration example. The Internet was simplified, in case someone wants to configure the scenario as a lab exercise. The network behind Rtr1 could be the central site for a large number of remote clients and could contain multiple LANs.

Figure 14-12: VPN Concentrator remote access scenario

Note?

THE CONCENTRATOR MANAGER IS USED WHENEVER POSSIBLE IN THIS EXAMPLE, but all steps could be accomplished using the CLI by following the same menu selections.

Preshared Keys

As Chapter 9 explained, VPN peer devices can authenticate each other using preshared keys or with digital certificates and certificate authorities. This section discusses using preshared keys and the section “Digital Certificates” looks at the changes required to use digital certificates. Three types of preshared keys exist.

Unique keys—Each IP address has a unique key associated with it, providing a high level of security, but requiring much greater administrative overhead. While manageable for LAN-to-LAN implementations, it doesn’t scale well for remote access networks with many users or a growing pool of users.
Group keys—In this implementation, preshared keys are assigned to one or more groups. Managing new users becomes easier and more scalable by requiring only that the user be made a group member and given the appropriate passwords. This concept of groups has many other benefits, including the capability to separate different types of users based on access method (router vs. software client) for autoupdate features or even based on Security Policy access limitation differences. By default, the VPN Concentrator has one group: the Base Group. Additional groups can be added as needed, using the Base Group setting as defaults that can be modified as necessary.
Wildcard keys—With a wildcard preshared key, it’s possible to allow one or more clients to use a shared secret key to authenticate encrypted tunnels to the gateway. To be configured on the Concentrator, all devices must be using preshared keys. This option can be more prone to security problems, such as man-in-the-middle attacks, if a key is compromised. In that case, all keys must be changed.

Initial Configuration

The following example assumes either the Quick Configuration wasn’t used or the related features should be changed. At a minimum, the private interface must be configured for the VPN 3000 Concentrator using the CLI. While the CLI can also be used to configure the Public Interface and any default routes, this exercise performs those tasks using the Manager interface. The following lists the correct addresses for the scenario:

VPN Concentrator: 192.168.1.1/24.

 ???????????????Welcome to
 ??????????????Cisco Systems
 ??????VPN 3000 Concentrator Series
 ?????????Command Line Interface
Copyright (C) 1998-2003 Cisco Systems, Inc.

1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit

Main ->1

1) Interface Configuration
2) System Management
3) User Management
4) Policy Management
5) Back

Config -> 1 ?????????????????????????????(shows the current settings)

This table shows current IP addresses.
 ?Intf ????????Status ??????IP Address/Subnet Mask ?????????MAC Address
-------------------------------------------------------------------------
Ether1-Pri| ?????UP ?????| 192.168.10.1/255.255.255.0 | 00.03.A0.88.CE.AC
Ether2-Pub|Not Configured| ?????0.0.0.0/0.0.0.0 ??????|
-------------------------------------------------------------------------
DNS Server(s): DNS Server Not Configured
DNS Domain Name:
Default Gateway: Default Gateway Not Configured

1) Configure Ethernet #1 (Private)
2) Configure Ethernet #2 (Public)
3) Configure Power Supplies
4) Back

Interfaces -> 1 ???????????????????????(to set the Private interface)

1) Interface Setting (Disable, DHCP or Static IP)
2) Set Public Interface
3) Select IP Filter
4) Select Ethernet Speed
5) Select Duplex
6) Set MTU
7) Set Port Routing Config
8) Set Bandwidth Management
9) Set Public Interface IPSec Fragmentation Policy
10) Back

Ethernet Interface 1 -> 1 ?????????????????(to set a Static IP address)

1) Disable
2) Enable using DHCP Client
3) Enable using Static IP Addressing

Ethernet Interface 1 -> [ 3 ] 3

> Enter IP Address ?????????????????(current value appears in brackets)
Ethernet Interface 1 -> [ 192.168.10.1 ] 192.168.1.1

> Enter Subnet Mask
Ethernet Interface 1 -> [ 255.255.255.0 ]
Ethernet Interface 1 -> h ????????????????????????(return to Main menu)

Basic Browser Configuration

Once the CLI is used to configure the private interface, you can use a browser on a PC on the same network to complete the configuration. The following steps assume the private interface was configured and a successful web session was established using a client on the LAN attached to that interface.

Setting the Public Interface

Use the Configuration | Interfaces | Ethernet 2 menu options to get to the screen, as shown in Figure 14-13. Select Static IP Addressing, and then enter the IP address and the appropriate mask. This same screen allows making choices on interface speed, full- or half-duplex, MTU size, fragmentation preferences, and whether the interface can be a DHCP client.

Figure 14-13: Configuring the public interface

Check the DHCP Client check box if it’s necessary to obtain the IP address, the subnet mask, and the default gateway for this interface via DHCP from an ISP. This would be more common at a branch location or any small client that doesn’t require permanent static IP addresses for shared servers. If this check box is selected, don’t make entries in the IP address and subnet mask fields that follow.

To make this interface a public interface, check the Public Interface check box designating the interface is part of a public network, such as the Internet. A public interface must be configured before you can configure NAT and IPSec LAN-to-LAN. Designate only one VPN Concentrator interface as a public interface.

Notice the tabs on this screen would allow configuring RIP, OSPF, and Bandwidth Management features. While static routes are common with Concentrators, some LAN-to-LAN features, such as Network Autodiscovery, require or can take advantage of this support.

Clicking the Apply button applies the choices and returns to the Configuration | Interfaces screen, which confirms the new IP address and mask.

Defining the Default Gateway (Optional)

Default routes or default gateways are used to forward packets addressed to unknown networks to avoid having to discard the packet. The not-too-practical alternative is that all routers, firewalls, and VPN devices would have to know all the routes in the world.

The default route for the Concentrator to which you forward all outside bound packets can be defined either by choosing the Default Gateway link on the Configuration | Interfaces screen or by using the Configuration | System | IP Routing | Default Gateways menu to add these special forms of static routes. Figure 14-14 shows the resulting screen with the appropriate entries to use Rtr1 as the default gateway for the network.

Figure 14-14: Setting the default gateway for the Concentrator

In the example scenario, if no additional routers are in the LAN, the PCs in the LAN would use the Concentrator private address for their default gateways.

Verifying Configuration

Returning to the Configuration | Interfaces screen, as shown in Figure 14-15, confirms the default gateway was defined and provides a reminder icon to save the configuration. This same screen confirms the interface configurations and whether the two interfaces are up or down. If either interface is down, this could be caused by any of the following:

Figure 14-15: Using the Configuration | Interfaces screen to confirm configuration

You might need to click the Refresh icon.
You might have used the wrong cable. Use straight through to the hub or the switch; otherwise, use a crossover.
The device on the other end might be misconfigured or unconfigured.

At this point, you should be able to use the Administration | Ping screen to ping other devices on the network to verify connectivity. As with the IOS Routers and PIX Firewalls, a good idea is always to verify connectivity before configuring encryption and access control measures. While pinging the Concentrator public interface is possible, it won’t be possible to ping through to the LAN or the private interface. Also, opening Telnet or browser sessions with the Concentrator from the outside network won’t be possible.

Adding the Static Routes

Use the Configuration | System | IP Routing | Static Routes menu to add any necessary static routes. Unless configured earlier using the CLI, the Static Routes box should be empty or show only any configure default gateway. Use the Add button to bring up the screen, shown in Figure 14-16, to add any static routes required. The figure shows configuring a route specifically to the network the remote host is on. Because the default gateway would accomplish the same result, this static rout is included only as an example.

Figure 14-16: Creating a new static route

On the static route screen, you can specify the Destination Router Address (next-hop) or the Interface (Concentrator Public). Clicking the Add button returns to the Configuration | System | IP Routing | Static Routes screen. Figure 14-17 shows the Static Routes screen with a default gateway, a static route pointing to a next-hop router and another one pointing at the Concentrator public interface. The last entry shows a possible configuration if the LAN protected by the Concentrator included the 192.168.0.0 to 192.168.127.0 networks built around additional routers and/or Layer 3 switches.

Figure 14-17: Defined default and static routes

General System Information

Use the Configuration | System | General menu to add or modify any of the following. The time and date settings are critical to the proper operation of IPSec, especially when working with certificate authorities. Each related screen is self-explanatory.

Identification—system name, contact person, device location
Time and Date—device time and date
Sessions—maximum simultaneous sessions
Authentication—global authentication parameters

Define Inside Address Assignment Method

Remote users have network addresses associated with their local network or, more likely, their ISP network. To function within the private network (LAN), it’s necessary to assign suitable “inside” addresses to these users. Conceptually, this is similar to a reverse NAT.

Use the Configuration | System | Address Management | Assignment menu to define how the remote users are assigned addresses within the private network. The screen shown in Figure 14-18 is used to select prioritized methods for assigning IP addresses to clients as a tunnel is established. The Concentrator tries the selected methods in the order listed, until it finds a valid IP address to assign. A minimum of one method must be selected or any combination of choices will be evaluated. There is no default method. The figure shows using an address pool defined on the VPN Concentrator.

Figure 14-18: Selecting an inside address assignment method for remote users

Four possible methods exist for assigning addresses to the remote users:

Use Client Address—enables the client to specify its own IP address. This isn’t a good security strategy. Don’t use this option for IPSec because IPSec doesn’t allow client-specified IP addresses.
Use Address from Authentication Server—used to assign IP addresses retrieved from an authentication server (AAA) on a per-user basis. This is the preferred and most secure method, if an authentication server (external or internal) is being used.
Use DHCP—used to obtain IP addresses from a DHCP server. This is the most manageable and the most scalable of the two remaining options available to IPSec networks.
Use Address Pools—used to have the VPN Concentrator assign IP addresses from an internally configured pool. Internally configured address pools are the easiest method of address pool assignment to configure. Use the Configuration | System | Address Management | Pools screens covered in the next section to define and prioritize the address pools.

If the assignment method uses addresses that aren’t from the local subnet on the private interface, then it’s necessary to add routing for those subnets.

Define Inside Address Pool for Remote Users

Use the Configuration | System | Address Management | Pools menu to add or modify the inside address pool to be used by remote users, making them part of the inside network. Initially, the IP Pool Entry box is empty. Click the Add button to bring up the screen shown in Figure 14-19, which shows it is using the last 54 addresses in the inside network. Note, these addresses shouldn’t be assigned to inside hosts or included in any DHCP pools used in the network.

Figure 14-19: Defining a pool of addresses for remote users to use

Clicking the Add button implements the pool and returns to the Configuration | System | Address Management | Pools screen, as shown in Figure 14-20, to confirm the pool was added. The Add, Modify, and Delete buttons can be used to create new, to edit existing, or to remove existing pools. The Move Up/Move Down buttons are used to change the priority of the address pools: the higher a pool is in the list, the more likely the addresses are to be used. No Undo option exists yet on any of the configuration options.

Figure 14-20: Managing IP address pools for remote users

Configuring Groups and Users

VPN features and configurations are assigned and “pushed” down to clients on the basis of group and user assignment and configuration. As with basic network-resource sharing, this is always most scalable and easier to administer if features are assigned to defined groups. Individual users are then put in groups to assign features to them. Then, if a person leaves or changes his or her job role, that person only needs to be removed from the group.

The Configuration | User Management screen is used to configure VPN 3000 Concentrator group and user parameters for IPSec, PPTP, and L2TP. The following are the three configuration options:

Base Group—default group and user parameters
Groups—add and modify groups and group parameters
Users—add and modify users and user parameters

Setting Group and User Defaults

While modifying the Base Group default settings isn’t absolutely necessary, Cisco’s default setting might not match the network or company security policy. The Configuration | User Management | Base Group screen shows a series of tabs—currently six—that can be used to define default settings for the various users (clients). Figure 14-21 shows the default settings for the General tab, which applies to all groups and users.

Figure 14-21: General Default Settings tab

Most of the options are self-explanatory and the Help system provides enough information, including default values, in most cases to make intelligent choices. Remember, most of these options might be moot because of specific group and user settings, as well as limitations imposed by the local client device. The following options are included as examples or to show interesting features:

Access Hours—Drop-down menu button to select the hours remote access users can access the VPN Concentrator. The default entries are as follows:
- No Restrictions—No restrictions on access hours.
- Never—No access at any time.
- Business Hours—Access 9 A.M. to 5 P.M., Monday through Friday. To configure access hours, use the Configuration | Policy Management | Access Hours screen. Any additional named access hours you create will appear on the list.
Simultaneous Logins—For a single internal user. Default is 3. Minimum is 0, which disables login and prevents user access. No maximum limit.
Minimum Password Length—Default is 8. Minimum is 1. Maximum is 32.
Idle Timeout—Default is 30 minutes. Minimum is one minute. Maximum is 2,147,483,647 minutes (4,000+ years). Use 0 to disable timeout and allow an unlimited idle period.
Maximum Connect Time—Default is 0 minutes, which allows unlimited connection time. Minimum is one minute. Maximum is 2,147,483,647 minutes (4,000+ years).
SEP Card Assignment—The VPN Concentrator models 3015 and above can contain up to four SEP modules to handle encryption. This parameter allows configuring the load on each SEP module.
Tunneling Protocols—Protocols to be supported. Clients can use only the selected protocols. The choices include the following:
- PPTP—Point-to-Point Tunneling Protocol. Checked by default. A client-server protocol popular with Microsoft clients, especially older OS versions.
- L2TP—Layer 2 Tunneling Protocol. Checked by default. A client-server protocol that combines many features from PPTP and L2F (Layer 2 Forwarding).
- IPSec—IP Security Protocol. Checked by default. Used by both LAN-to-LAN (peer-to-peer) connections and client-to-LAN (remote access) connections. Cisco VPN Client is an IPSec client specifically designed to work with the VPN Concentrator.
- L2TP over IPSec—L2TP using IPSec for security. Unchecked by default. A client-server protocol providing interoperability with Windows 2000 VPN clients. L2TP packets are encapsulated within IPSec, thus providing an additional authentication and encryption layer.

Setting IPSec Defaults

The Configuration | User Management | Base Group screen with the IPSec tab selected is used to configure IP Security Protocol parameters that apply to the base group. This section would apply if IPSec or L2TP over IPSec were selected on the General Parameters tab. Figure 14-22 shows the default settings. The options are self-explanatory and the Help system provides enough information, including default values, to make appropriate choices.

Figure 14-22: Setting IPSec defaults

The IPSec SA option contains a drop-down menu button to select the default IPSec security association (SA) assigned to IPSec clients during tunnel negotiation. Remote-access clients must have a default SA defined, while LAN-to-LAN connections ignore this selection and use parameters from the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screens.

The Default Preshared Key option (the third option from the bottom) is used to define the preshared secret key. Use a minimum of four options and a maximum of 32 alphanumeric characters. This option allows the following VPN clients to connect to the VPN Concentrator:

VPN clients that use preshared secrets, but don’t support “groups,” such as the Microsoft Windows XP L2TP/IPSec client
VPN router devices that are creating inbound connections from nonfixed IP addresses using preshared secrets

Setting Client Defaults

The remaining four tabs are used to configure client-specific default settings. These are the configuration features that are pushed down to the appropriate client the next time the device connects to the Concentrator. The Client Config tab is used to set general client features that might apply to all Cisco VPN Clients. The remaining three tabs are for setting those defaults features unique to that type of client.

Figure 14-23 shows the Cisco Client parameters such as login banners, choosing IPSec over UDP, and defining up to ten IPSec Backup Servers.

Figure 14-23: Setting Cisco Client default parameters

Figure 14-24 shows the rest of the previous screen, which includes setting two Microsoft Client parameters and three Common Client parameters. This is the screen where split tunneling is allowed by default for VPN Clients.

Figure 14-24: Setting Microsoft Client parameters and Common Client parameters

Split Tunneling Policy

Split tunneling allows the IPSec client to go directly to the Internet in Cleartext form for those destinations that don’t require encryption. Split tunneling applies only to remote- access IPSec tunnels, not to LAN-to-LAN connections.

Split tunneling eases the device-processing load, simplifies traffic management, and speeds untunneled traffic. Split tunneling is a traffic management feature, not a security feature. In fact, for optimum security, split tunneling isn’t recommended. Because only the VPN Concentrator, not the IPSec client, can enable split tunneling, it’s possible to control implementation and minimize security vulnerabilities.

Split tunneling is disabled by default on both the VPN Concentrator and the client. To enable and configure the feature, all entries are made on the VPN Concentrator, and then pushed down to the IPSec client. The default split-tunneling policy is Tunnel Everything, which disables split tunneling. No traffic goes in clear text or to any destination other than the VPN Concentrator. Remote users in this group reach Internet networks through the corporate network and don’t have access to local networks.

The Allow Networks in List to Bypass Tunnel allows the administrator to define a list of networks to which traffic can go without passing through the tunnel. This allows remote users to access devices on their local networks, such as printers, while still connected to the corporate network through a tunnel.

Only Tunnel Networks in List allows remote users to access Internet networks without tunneling through the corporate network.

Client Firewall Requirements

The Client FW Parameters tab, as shown in Figure 14-25, is used to configure firewall parameters for VPN Clients running Microsoft Windows. The features are currently unavailable for hardware clients or other non-Windows software clients. If the Firewall Required option is selected, the client won’t be allowed to connect to the protected network without meeting the defined requirements. The firewall feature protects the user PC and, thereby, the corporate network, from intrusions originating from the Internet or the user LAN.

Figure 14-25: Defining client firewall default requirements

VPN 3002 Hardware Client Defaults

The HW Client Parameters tab, shown in Figure 14-26, is used to enable and configure interactive hardware client authentication and individual user authentication. These features are covered in the next chapter when the VPN 3002 Hardware Client is covered in greater detail.

Figure 14-26: Defining VPN 3002 Hardware Client defaults

Creating or Modifying Other Groups

The Base Group features set in the last sections automatically apply to all users accessing the VPN Concentrator. If the security policy requires defining multiple groups with unique features and/or requirements, the Configuration | User Management | Groups screen, shown in Figure 14-27, can be used to configure access and usage parameters. A group is a collection of users treated as a single entity. Groups inherit parameters from the Base Group. The figure includes a group created in the next section.

Figure 14-27: Screen to create and manage user groups

To create and use groups beyond the Base Group requires using an internal authentication server. The authentication server must be one of the following:

RADIUS—An external RADIUS server is the default.
NT Domain—An external Windows NT Domain server.
SDI—An external RSA Security Inc. SecurID server.
Internal Server—The internal VPN Concentrator authentication server. With this server, you can configure a maximum of 100, 500, or 1000 groups and users (combined) in the internal database depending on the model number.
Kerberos/Active Directory – Windows 2000/XP and Linux/Unix authentication server.

If no external server was defined, a link appears on the Groups or Users screen to create an internal server. Creating the internal server is simply a matter of clicking the link and choosing the Internal Server option.

Adding a Group

The Configuration | User Management | Groups | Add screen, shown in Figure 14-28, shows the seven tabs used to define the configuration parameters for a new group. The Identity Parameters tab is used to configure the name, password, and authentication server type for this group.

Figure 14-28: Creating a group and defining a password

Group Name	Unique case-sensitive name for this specific group. Maximum length is 64 characters. Changing a group name automatically updates the group name for all users in the group. For remote access users connecting with digital certificates, this name must match exactly the Organizational Unit (OU) field of the user’s identity certificate.
Password	Unique case-sensitive password for this group. Minimum length is four characters. Maximum is 32 characters. The field displays only asterisks.
Verify	Reenter the group password to verify it. The field displays only asterisks.
Type	Use the Type drop-down menu button to select the authentication server type.

The six remaining tabs are used to change any options that either weren’t defined in the Base Group tabs with the same names or when the Base Group options need to be overridden. Figure 14-29 shows the parameter screens have a column to inherit the feature settings from the Base Group. A check mark in the Inherit? column indicates to inherit the default setting.

Figure 14-29: Group parameters screen showing the Inherit option

Creating or Modifying Users

The Configuration | User Management | Users screen, shown in Figure 14-30, allows configuring access, usage, and authentication parameters for users. Users inherit the feature parameters from the specific group to which they belong. Configuring users in this section requires configuring them in the VPN Concentrator internal authentication server. The authentication server is a properly configured RADIUS, NT Domain, SDI server, Internal Server, or Keberos/Active Directory server.

Figure 14-30: User management screen for adding users

Using the Add button brings up the Identity Parameters tab, as shown in Figure 14-31, used to configure the name, password, group, and IP address for this user.

Figure 14-31: Defining a VPN user

User Name	Unique, case-sensitive name for this user. Maximum length is 64 characters. If the name is changed, this user profile replaces the existing profile.
Password	Unique, case-sensitive password for this user. Minimum length must satisfy the minimum for the group to which the user is assigned. Maximum length is 32 characters. The field displays only asterisks.
Verify	Reenter the user password to verify it. The field displays only asterisks.
Group	Drop-down menu used to select the group to assign this user. The list shows all defined groups plus the Base Group.
IP Address	Only if Use Address from Authentication Server on the Configuration \| System \| Address Management \| Assignment screen. Otherwise, leave this field blank.
Subnet Mask	Same as IP address field.

The other three tabs are used to specify parameters for this user that vary from the group. Each feature has an Inherit check box, selected by default, which is used to override the group feature settings.

Other Configuration Options

This section covers some additional and useful configuration options that are available. Note, other options related to backup servers, load balancing, client update features, and so forth for remote client devices are included at the end of Chapter 15.

These configuration options are accessed from the Configuration menu. Figure 14-32 shows the variety of the configurable settings. The following examples represent the process and the level of granularity attainable.

Figure 14-32: Configuration menu options

Configuration | Policy Management | Access Hours

This menu option makes it possible to configure the hours that remote-access groups and users can access the VPN Concentrator. These hours don’t apply to LAN-to-LAN connections. Figure 14-33 shows the default screen with the default settings. Never is self-explanatory. Business Hours include Monday through Friday, 9 A.M. to 5 P.M.

Figure 14-33: Default access definitions

Figure 14-34 shows the screen (Configuration | Policy Management | Access Hours | Modify) used either to modify the Business Hours settings or to create another definition based on these settings. To modify existing settings, select the choice on the initial screen and click the Modify button. Note, the first column drop-downs allow defining whether to include (during) or exclude the row in the access hours. The Name box at the top could be used to create a second range East Coast Hours for any groups in another time zone. The Apply button saves the changes, while the Cancel button abandons them.

Figure 14-34: Modify or add a new access definition

Figure 14-35 shows the screen (Configuration | User Management | Groups | Modify grp-name) used to apply the previous access setting to a specific group. This is a common process in working with group settings where the feature needs to be configured, and then applied to the specific group. The first drop-down allows selecting any defined access time. Note, changing an existing access time definition will impact any groups or users who have that definition assigned to them.

Figure 14-35: Change access hours for a specific group

Configuration | System | IP Routing

The VPN Concentrator can be configured to support RIP routing, plus the following routing features to communicate with other routers within the private network and to determine network connectivity, status, and optimum paths for sending data traffic.

Static Routes—Manually configured route table entries.
Default Gateways—Routes of last resort for otherwise unroutable traffic.
OSPF—Open Shortest Path First routing protocol, including Area support.
DHCP—Define global parameters for DHCP features.
Redundancy—Virtual Router Redundancy Protocol parameters.
Reverse Route Injection (RRI) —VPN Concentrator can add routes to its routing table for remote hardware or software clients.

Configuration | System | Management Protocols

The VPN 3000 Concentrator Series offers the following common built-in servers, supporting a variety of useful protocols used to manage devices and the network: