The VPN 3002 in the Network

The VPN 3002 Hardware Client fits into the network anytime a relatively small group of users need secure VPN connections to the corporate network. Figure 15-3 shows both an overall view of the small branch connecting to the corporate network via a VPN 3002 and a more detailed view of the possible local connection using cable or DSL services.

Figure 15-3: VPN 3002 connection overview and detail view

VPN Modes

The Cisco VPN 3002 supports two modes of operation to offer implementation choices based on flexibility, security, and easy configuration. Those modes are as follows:

Client mode
Network Extension mode

A large VPN implementation might frequently have both types of operation.

Client Mode

In Client mode (also called PAT mode), the VPN 3002 emulates the VPN client software appearing to the main network like a single remote user, isolating all devices on the VPN 3002 private network from the corporate network. The private hosts protected behind the VPN 3002 are a separate network that remains invisible and can’t be routed to by the central site hosts. The local hosts are assigned their IP addresses from the VPN 3002 private interface configured as a DHCP server, while the public network port can be configured to use DHCP client feature to acquire its IP address from an Internet service provider (ISP).

The 3002 device uses Port Address Translation (PAT) on the public interface to help secure (hide) the local network and to allow local hosts to travel out of the network in Client mode. Because all traffic to the central network will have the Public interface IP address, PAT supplies and manages unique port number mappings to be used in combination with the IP address.

Because the VPN 3002 configured for Client mode can only create outbound connections, there’s no way for an outside source—even from the corporate network—to initiate a connection with the 3002 unit or through it to the workstations behind.

Client Mode and Split Tunneling

Split tunneling provides the capability to have a secure tunnel to the central site, while simultaneously maintaining an unsecured clear-text tunnel to the Internet through the ISP. PAT is used to protect the local workstations during split tunneling to the Internet. The network and addresses on the private side of the VPN 3002 remain hidden and can’t be accessed directly from the Internet. If the organization security policy prohibits split tunneling, it can be blocked by creating a policy on the central site device, which is then pushed down to the 3002 Client.

Network Extension Mode

In Network Extension mode, the VPN 3002 establishes a secure, site-to-site connection with the central site device. The local stations behind the VPN 3002 are fully routable and the local network is visible to the central site. As the name implies, the local network becomes part of the organization’s intranet. VPN and device configuration and security policies are pushed from the central site. The VPN 3002 must initiate the tunnel to the central site but, after the tunnel is up, either side can initiate data exchange.

In Network Extension mode, the private address can be assigned using the DHCP server. Any shared resources in the protected network that must be accessed by the central area hosts should be assigned manually to allow central site hosts and applications to reliably reach any local server, printer, POS terminal, IP phone, or other device critical to the business.

Network Extension Mode and Split Tunneling

PAT provides security for local host traffic heading to the Internet through split tunneling. The network and addresses on the private side of the VPN 3002 are accessible over the tunnel, but are protected from the Internet because they can’t be accessed directly. This outbound PAT on the VPN 3002 provides centralized security control because no configuration parameters exist for local users to adjust, which might cause the central site to be compromised.

Network Extension Mode per Group

VPN software versions 3.6 and later let a network administrator restrict the use of Network Extension mode. The administrator can now enable/disable Network Extension mode on the VPN Concentrator for VPN 3002 hardware clients on a per-group basis.

Network Extension mode is the default setting on the VPN Concentrator. If the concentrator is configured to disallow Network Extension mode for a group, all VPN 3002s in the group must be configured for Client (PAT) mode.

IPSec VPNs

The VPN 3002 Hardware Client supports IPSec for secure connections to a central-site VPN Concentrator over a VPN tunnel. The VPN 3002 Hardware Client, which supports one tunnel at a time, running software release 3.6 or higher, supports the following IPSec implementations, but only one for each tunnel.

IPSec over TCP
IPSec over NAT-T
IPSec over UDP

IPSec over TCP

IPSec over TCP encapsulates encrypted data traffic within TCP packets. This allows the VPN 3002 to operate in networks where standard ESP (Protocol 50) or IKE (UDP 500) can’t function, or they can only function by modifying existing firewall rules. IPSec over TCP enables secure tunneling through NAT and PAT devices, and through firewalls by encapsulating both the IKE and IPSec protocols within TCP packets.

To use IPSec over TCP, both the VPN 3002 and the VPN Concentrator must meet the following requirements:

Run version 3.5 or later software.
Enable IPSec over TCP.
Configure both the VPN 3002 and the VPN Concentrator to use the same port for IPSec over TCP.

Note?
IPSec over TCP doesn’t work with proxy-based firewalls.

IPSec over NAT-T

NAT Traversal (NAT-T) allows IPSec peers to establish a connection through a device using NAT. NAT-T accomplishes this by encapsulating IPSec traffic in UDP datagrams (port 4500), thereby providing NAT devices with needed port information. NAT-T technology auto-detects any NAT devices and only encapsulates IPSec traffic when necessary.

The VPN 3002 hardware client uses NAT-T by default and requires no special configuration. The VPN 3002 first attempts NAT-T, and then uses IPSec over UDP if a NAT device isn’t autodetected. The UDP packets allow IPSec traffic to pass through firewalls, which would normally reject and discard it.

To use NAT-T, the VPN 3002 must meet the following requirements:

Run version 3.6 or later software.
Port 4500 on any firewall between the VPN 3002 and the VPN peer must be open.
Reconfigure any existing IPSec over UDP using port 4500 to a different port.
Use the Configuration | Interfaces | Public screen to select the second or third options for the Fragmentation Policy parameter. These options let traffic travel across NAT devices that don’t support IP fragmentation, while not impeding NAT devices that do support IP fragmentation.

IPSec over UDP

The VPN 3002 supports UDP NAT/Firewall Transparent IPSec. This technology encapsulates encrypted data traffic within UDP packets to provide secure connections between a VPN 3002 and a VPN Concentrator through a device, such as a firewall performing NAT.

The VPN 3002 uses frequent keepalives to ensure the mappings on the NAT device remain active. The VPN 3002 doesn’t require special configuration for this feature, but the following minimum requirements must be met.

Both the VPN 3002 and the VPN Concentrator must be running Release 3.0.3 or higher.
IPSec over UDP must be enabled on the VPN Concentrator for the group to which the VPN 3002 belongs.

Note?
Cisco technology doesn’t currently support a topology with multiple VPN 3002 Hardware Clients behind a single NAT device.