LAN-to-LAN Networks with Preshared Keys
LAN-to-LAN Networks with Preshared Keys
This section assumes basic Quick Configuration features were set. You must configure a public interface on the VPN Concentrator before you can configure an IPSec LAN-to- LAN connection. Use the Configuration | Interfaces screen to set the interface IP Addresses and default gateway. Figure 16-3 shows the Configuration | Interfaces screen for the Main Office Concentrator.
|
Device |
Private Interface |
Subnet Mask |
Public Interface |
Subnet Mask |
|---|---|---|---|---|
|
Main Office Concentrator |
192.168.1.1 |
255.255.255.0 |
1.1.1.1 |
255.255.255.0 |
|
Branch Office Concentrator |
192.168.144.1 |
255.255.255.0 |
1.10.1.1 |
255.255.255.0 |
Figure 16-3: Main Office interfaces configuration
Configure Network Lists
The Configuration | Policy Management | Traffic Management screens let you configure network lists, rules, filters, security associations (SA), Network Address Translation (NAT), and bandwidth policies. Together, these features let you control the data traffic through the VPN Concentrator, including what is or isn’t protected. The six feature links on this screen include the following:
-
Network lists—Enable you to create and name lists of network addresses that can be treated as single objects. This can simplify configuring features and filters. Network lists are often a requirement of features like LAN-to-LAN VPNs and IPSec SA filtering.
-
Rules—Let you filter interface data or limit the data to be protected by IPSec. These named rules enable you to specify protocol, source, and destination addresses (or network lists), port numbers, and what specified action you want to happen to any traffic that meets all criteria. If even one parameter doesn’t match, the system ignores the rest of this rule and examines the packet in accordance with the next rule, and so forth. This is similar to each line in router or firewall ACLs.
-
Filters—Can be used to limit interface traffic, limit groups and user access, and limit application of IPSec security associations.
-
SAs—Enable you to add, configure, modify, and delete security associations (SAs) to be applied during IPSec tunnel establishment.
-
NAT—Translates private network addresses into “real world” public network addresses, allowing traffic routing between networks with overlapping private network addresses.
-
Bandwidth—Defines policies to reserve a minimum amount of bandwidth per session, as well as to limit users within groups to a maximum amount of bandwidth. Once configured, bandwidth policies can be applied to an interface, a group, or both. A policy applied to an interface only applies to each user on the interface. A policy to a group applies only to the users in that group.
Configuring Network Lists
Clicking the Network Lists link brings up the Configuration | Policy Management | Traffic Management | Network Lists screen, as shown in Figure 16-4. In this section, you can define and name lists of networks to be treated as single objects. Network lists can be used for the following common activities:
-
Configure IPSec LAN-to-LAN connections (Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN)
-
Configure filter rules (Configuration | Policy Management | Traffic Management | Rules)
-
Configure split tunneling (Configuration | User Management) for groups and users in remote access network implementations
Figure 16-4: Network List creation and management screen
While a single network list can contain a maximum of 200 network entries, no limit exists to the number of network lists that can be created.
The Network List box displays the names of any existing network lists. If no lists were defined, the field shows “--Empty--”. The Add/Modify/Copy/Delete buttons are used to create and manage existing lists. As with everything on the Concentrator, any changes are made live to the active configuration with no Confirmation or Undo options. Click the Save Needed icon in the upper-right corner of the Manager window to save the active configuration to the boot configuration.
LAN-to-LAN Network Lists
VPN LAN-to-LAN implementations need a list of the LANs secured behind each endpoint device. In this example, the Main Office would have a list for each LAN-to-LAN connection, plus one for its local LANs. The peer Concentrator would have its own LAN(s) list and Main Office list. These should be reverse images of each other. Any networks not included on the list are invisible to the peer and unable to communicate with the peer network.
Clicking the Add button brings up the Configuration | Policy Management | Traffic Management | Network Lists | Add screen, as shown in Figure 16-5. The screens associated with the other buttons are similar.
Figure 16-5: Screen to create a new network list
-
In the List Name box, type the name for the network list. The name must be unique on this device and is limited to a maximum of 48 case-sensitive characters. Spaces are allowed. For example, you might use local LANs for the networks attached to this device.
Note? If the Generate Local List feature (next section) is used, wait to enter this name until after the system generates the network list.
-
In the Network List box, type the networks to be included in this network list. Each entry must be a single line using the format n.n.n.n/w.w.w.w, where w.w.w.w is the wildcard mask (example: 192.168.1.0/0.0.0.255). If the mask is omitted, the Manager will supply the default classful mask. The maximum number of network/wildcard entries in a single network list is 200. The entries for this scenario would be the following:
Name: Main Office
? 192.168.0.0 /0.0.127.255
(mask couldn’t have been omitted)
Name: Tacoma Office
? 192.168.144.1/0.0.0.255
(mask could have been omitted)
Generate Local List
The VPN Concentrator has a Generate Local List feature button on the Add or Modify screen, so you needn’t explicitly define the entries. Clicking the Generate Local List button causes the Manager to generate a network list automatically, containing the first 200 private networks reachable from the Ethernet 1 (Private) interface. The list is created by reading the routing table (Monitoring | Routing Table). For the feature to work, both devices must be VPN Concentrators and both Concentrators must have inbound RIP routing enabled on the Ethernet 1 (Private) interface (Configuration | Interfaces | Ethernet 1), as shown in Figure 16-6.
Figure 16-6: Enabling inbound RIP on Ethernet 1
After the Manager refreshes the screen after creating the list, you can edit the Network List entries and enter a name in the List Name box.
Define the IKE Proposals (Optional)
You must also configure any new IKE proposals before you attempt to configure the LAN-to-LAN connections. See the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screens. If the Cisco defaults are adequate or if any new proposals were defined as part of setting the initial defaults, this process is unnecessary.
If an IKE proposal needs to be added or modified, such as to use digital certificates, you must change settings for IKE negotiation.
IKE Configuration
Use the Manager navigation to locate the Configuration | System | Tunneling Protocols IPSec | IKE Proposals screen, as shown in Figure 16-7. This screen displays both the Active and Inactive IKE options available on the Concentrator.
Figure 16-7: IKE Proposal Options
You can change an existing active proposal or create a new one using the Modify or Add buttons, respectively. Either way, a screen similar to the one shown in Figure 16-8 will appear. Make any needed changes, and then click the Apply button.
Figure 16-8: IKE Proposal option to be modified
The resulting IKE proposal will be available in a drop-down list in the next section when it’s time to establish the LAN-to-LAN connection.
Create the Tunnel
The Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN screen lets you configure, add, modify, and delete IPSec LAN-to-LAN connections between two VPN Concentrators. While the VPN Concentrator can establish LAN-to-LAN connections with other protocol-compliant VPN secure gateways, this section assumes VPN Concentrators on both sides.
The following configurations must be done before the tunnel can be implemented.
-
Configure the public interfaces.
-
Configure identical basic IPSec parameters on both VPN Concentrators.
-
Configure mirror-image private network addresses or network lists on both VPN Concentrators.
You can only configure one LAN-to-LAN connection with each VPN Concentrator (or other secure gateway) peer. The maximum total number of LAN-to-LAN connections supported is determined by the VPN Concentrator model, as shown in the following table.
|
VPN Concentrator Model |
Maximum Sessions |
|---|---|
|
3005 & 3015 |
100 |
|
3030 |
500 |
|
3060 & 3080 |
1,000 |
Adding a Tunnel
Clicking the Add button brings up the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add screen, as shown in Figures 16-9 and 16-10. Any feature or rule with a default setting will be displayed on the Add screen. The Modify screen is similar and is used to make a change to an existing tunnel definition.
Figure 16-9: Top half of the Tunnel | Add screen
Figure 16-10: Bottom half of the Tunnel | Add screen
| Note? |
Version 4.0 added an Enable check box above the Name box. Check this box to enable this LAN-to-LAN connection. This debugging feature enables you to disable a LAN-to-LAN configuration without deleting it. To disable this connection, uncheck the check box on either end of the connection. By default, this option is enabled. |
The key features and options are as follows:
|
Name |
A unique name up to 32 characters long identifying the tunnel. Because rules and SAs use this name, keep it short and descriptive. |
|
Interface |
The drop-down menu to select the public interface from all interfaces with the Public Interface parameter enabled.Note: In Modify mode, you can’t change the interface. This requires deleting the current connection and adding a new one for the new interface. |
|
Connection Type |
Defines the Concentrator role in IKE tunnel establishment:Bidirectional—The device can either initiate or accept IKE tunnels.Answer-only—The device only accepts IKE tunnels; it can’t initiate them.Originate-only—The device only initiates IKE tunnels; it can’t accept them. |
|
Peers |
The IP address of the LAN-to-LAN peer public interface.Backup Peers: If this device is the remote-side peer in a backup LAN-to-LAN implementation, you can enter up to ten peers. List the peers from top to bottom, in order of their priority. |
|
Digital Certificate |
The drop-down menu to choose preshared keys or a PKI digital certificate to authenticate the peer during Phase 1 IKE negotiations.None (Use Preshared Keys)—Use preshared keys (default) orthe drop-down list displays any digital certificates that were installed |
|
Certificate Transmission |
Digital certificates only, choose the type of certificate transmission.Entire certificate chain—Send the identity certificate and all issuing certificates, including the root and any subordinate CA certificates.Identity certificate only—Send the peer only the identity certificate. |
|
Preshared Key |
Type the preshared key for this connection. (4 to 32 alphanumeric characters) The system displays your entry in Cleartext. This key becomes the password for the IPSec LAN-to-LAN group created. The same key must be entered on the peer VPN Concentrator.This is not a manual encryption or authentication key. The system automatically generates those session keys. |
|
Authentication |
Specify the data, or packet, authentication algorithm. IPSec Encapsulating Security Payload (ESP) protocol provides both encryption and authentication. Use the Authentication drop-down list to choose the following: None—No data authenticationESP/MD5/HMAC-128—ESP using HMAC with the MD5 hash function using a 128-bit key. (Default)ESP/SHA/HMAC-160—ESP using HMAC with the SHA-1 hash function using a 160-bit key. More secure, but high processing overhead. |
|
Encryption |
NULL—Use ESP without packet encryption.DES-56—DES encryption with a 56-bit key.3DES-168—Triple-DES encryption with a 168-bit key. (Default) AES-128—Advanced Encryption Standard (AES) encryption with a 128-bit key. Greater security than DES and more efficient than triple DES. AES-192—AES encryption with a 192-bit key. AES-256—AES encryption with a 256-bit key. |
|
IKE Proposal |
Use the drop-down menu to choose an IKE proposal. The list shows only active IKE proposals in priority order. Default active proposals are CiscoVPNClient-3DES-MD5—Preshared keys (XAUTH) and MD5/HMAC-128 authentication. 3DES-168 encryption. D-H Group 2 to generate SA keys. Allows XAUTH user-based authentication. (Default) IKE-3DES-MD5—Preshared keys and MD5/HMAC-128 authentication. 3DES-168 encryption. D-H Group 2 to generate SA keys. IKE-3DES-MD5-DH1—Preshared keys and MD5/HMAC-128 authentication. 3DES-168 encryption. D-H Group 1 to generate SA keys. Compatible with the Cisco VPN 3000 Client.IKE-DES-MD5—Preshared keys and MD5/HMAC-128 authentication. DES-56 encryption. D-H Group 1 to generate SA keys. Compatible with the Cisco VPN 3000 Client.IKE-3DES-MD5-DH7—Preshared keys and MD5/HMAC-128 authentication. 3DES-168 encryption. D-H Group 7 (ECC) to generate SA keys. Intended for use with the Movian VPN client. This can also be used with any peer that supports ECC groups for D-H. IKE-3DES-MD5-RSA—RSA digital certificate and MD5/HMAC-128 authentication. 3DES-168 encryption. D-H Group 2 to generate SA keys. IKE-AES128-SHA—Preshared keys and SHA/HMAC-160 authentication. AES-128 encryption. D-H Group 2 or Group 5 to generate SA keys. |
|
Filter |
Use the drop-down menu to select a filter: --None--—No filter applied, no restrictions. (Default)Private (Default) —Allows all packets, except source-routed IP packets. (Default filter for the private Ethernet interface.) Public (Default) —Allow inbound and outbound tunneling protocols, plus ICMP and VRRP. Allow fragmented IP packets. Drop everything else, including source-routed packets. (Default filter for the public Ethernet interface.) External (Default) —No rules applied to this filter. Drop all packets. (Default filter for the external Ethernet interface.) Any user-defined filters also appear on the list. |
|
IPSec NAT-T |
Check the box to enable NAT-T for this LAN-to-LAN connection. See the LAN-to-LAN Networks with the NAT section for more details. |
For the purposes of the scenario, the default settings are okay, but a descriptive connection name must be entered. For the Main Office, this might be as simple as toTacoma, while the branch office might use toMainOffice or TakeMeHome.
Peer addresses must be added to define the peer public interface. On the Main Office, this would be 1.10.1.1, while the branch office would enter 1.1.1.1.
The same Preshared Key must be entered on both sides. The longer and more complex, the less likely it will be compromised. An example might be cZ987hgy943.
The remaining choices: Authentication, Encryption, IKE Proposal, Filter, and IPSec NAT-T must be the same on both peers.
|
Bandwidth Policy |
Use the drop-down list to select a bandwidth policy for this IPSec LAN-to-LAN connection. Select None for no bandwidth policy. |
|
Routing |
VPN Concentrator offers two ways to share static LAN-to-LAN routes. Reverse Route Injection (RRI) = The local VPN Concentrator adds the addresses of one or more remote networks to its route table and advertises these routes to networks on the local LAN. To use this option, specify the following Local and Remote Network parameters and enable RIP or OSPF routing on the private interface. Network Autodiscovery = This feature dynamically discovers and continuously updates the private network addresses on each side of the LAN-to-LAN link. This feature uses RIP by enabling Inbound RIP RIPv2/v1 on the Ethernet 1 (Private) interface of both Concentrators. To use this option, skip the following Local and Remote Network parameters. None = Don’t advertise static LAN-to-LAN routes. |
|
Local Network |
Entries in this section identify the private network(s) on this device. The hosts of these LANs can use the LAN-to-LAN connection. The entries must match the Remote Network section on the peer Concentrator. With LAN-to-LAN NAT rule, these are the translated network addresses. |
|
Network List |
Use the drop-down list to choose a configured network list that specifies the local network addresses. If you choose a network list, the Manager ignores entries in the IP Address and Wildcard Mask fields. |
|
IP Address |
The IP address of the private local network on this VPN Concentrator. |
|
Wildcard Mask |
The wildcard mask for the private local network, that is, 0.0.255.255. The system supplies the default wildcard mask for the IP address class. |
|
Remote Network |
Entries in this section identify the private network(s) on this device. The hosts of these LANs can use the LAN-to-LAN connection. The entries must match the Local Network section on the peer Concentrator. With LAN-to-LAN NAT rule, these are the translated network addresses. |
|
Network List |
Use the drop-down list to choose a configured network list that specifies the remote network addresses. If you choose a network list, the Manager ignores entries in the IP Address and Wildcard Mask fields. |
|
IP Address |
The IP address of the private remote network on this VPN Concentrator. |
|
Wildcard Mask |
The wildcard mask for the private remote network, that is, 0.0.255.255. The system supplies the default wildcard mask for the IP address class. |
In the scenario, you would choose the appropriate named lists for the Local (Main Office) and Remote (Tacoma Office) networks.
Once the Apply button is pressed, the Configuration | Policy Management | Traffic Management | Security Associations screen can be used to see a list of the defined IPSec SAs. In the scenario, toTacoma would appear in the list for the Main Office.
No Public Interfaces
The Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | No Public Interfaces screen is displayed if a public interface isn’t configured on the VPN Concentrator and you try to add an IPSec LAN-to-LAN connection. The public interface needn’t be enabled, but it must have an IP address and the Public Interface parameter enabled. Only one VPN Concentrator interface should designate as a public interface.
