© 2003, Cisco Systems, Inc. All rights reserved. CSVPN Lesson 5 Configure the Cisco VPN 3000 Series Concentrator for Remote Access Using Pre-Shared Keys
Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
Configure the Cisco VPN 3000 Series Concentrator LAN interfaces via the CLI.
Configure the Cisco VPN 3000 Series Concentrator Client-to-LAN application using the browser.
Configure the IPSec Client.
Monitor the IPSec Client-to-LAN tunnel.
Overview of Remote Access Using Pre-Shared Keys
Client-to-LAN (diagram: telecommuter, Internet service provider, Internet, corporate office with web server and file server)
IPSec Client-to-LAN Components: client software, PPP, IPSec standards, VPN Concentrator (diagram: telecommuter with the Cisco VPN 3000 Series Concentrator Client; dial access and PPP connectivity to the ISP; IPSec tunnel or session across the Internet to the concentrator and application server)
IPSec Client-to-LAN Tunneling (diagram: client IP address, adapter (NIC) IP address, VPN public IP, VPN private IP address; ESP-encapsulated data from the telecommuter with the Cisco VPN 3000 Series Concentrator Client through the ISP and Internet to the application server)
Cisco VPN Software Client for Windows: installed on a Windows system
Initial Configuration of the Cisco VPN 3000 Series Concentrator for Remote Access
IPSec Server Physical Connections (diagram: console port, power; VPN private IP address 10.0.P.5 toward the server 10.0.P.10 and the client PC; VPN public IP address P.5 toward the Internet)
Configuration Options (CLI menu):
Welcome to Cisco Systems VPN 3000 Concentrator Series Command Line Interface
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
GUI (screen elements: table of contents, toolbar, manager screen)
Quick Configuration
Browser Configuration of the Cisco VPN 3000 Series Concentrator
IP Interfaces: Ethernet 1 (private IP address) 10.0.P.5; Ethernet 2 (public IP address) P.5
Public IP Interface: Ethernet 1 (private IP address) 10.0.P.5; Ethernet 2 (public IP address)
System Information
Protocols: IPSec (diagram: Internet)
Address Assignment: DHCP address (diagram: DHCP server, Internet)
Authentication: NT domain user authentication (diagram: Cisco VPN 3000 Series Concentrator Client across the Internet; Computer Name: BOSTON; Domain: Domain_BOSTON)
Configuration of Users and Groups
Groups and Users: groups are departments, users are individuals (diagram labels: Base group: Corporate; Customer Service; /Base/Service; MIS; /Base/Sales; Finance; /Base/Finance; VP of MIS; VP of Finance)
User and Group Policies: access rights and privileges
Group Database: internal server, group Training (diagram: Cisco VPN 3000 Series Concentrator Client, Internet)
Admin Password
In-Depth Configuration Information
Authentication: concentrator authentication and network authentication (Xauth) (diagram: Cisco VPN Client (2.5): IKE Phase 1 complete, then Xauth; Cisco VPN Client (3.0 or higher): IKE Phase 1, Xauth, IKE Phase 1 complete; internal server, group Training; Internet)
Activate IKE Proposal (labels: 3002, 3.x or 4.x Client; 2.5 Client; Certicom client)
Check IKE Proposal
Group Configuration: Identity (labels: /Base, Training, Service)
Group Configuration: General: access rights and privileges, tunneling protocol, DNS and WINS
Group Configuration: IPSec (diagram: IPSec user authentication against an NT domain server across the Internet)
IKE Keepalives (DPD) (diagram: client, application server, Internet; DPD message "Are you there"; DPD message "Are you there ACK"; worry timer expires; receive data)
Remote Access Parameters (diagram: IPSec user authentication, NT domain server, Internet)
Client Configuration Parameters: Cisco client parameters, Microsoft client parameters, common client parameters
Cisco Client Parameters (diagram: push, NT domain server, Internet)
Tunneling Options (diagram: tunnel everything: client, encrypt everything; tunnel everything except local LAN traffic: client, clear text, encrypted; split tunneling: client, encrypted, clear text, clear text)
Split Tunneling Policy: Tunnel Everything (diagram: client, encrypt everything, X)
Split Tunneling Policy: Local LAN Option (diagram: client, encrypted, clear text; everything mode with local LAN option)
Local LAN Option: Network List (diagram: client, encrypted, X, X)
Split Tunneling Before and After (diagram: before split tunneling: client, encrypted, clear text; after split tunneling: client, encrypted, clear text)
Split Tunneling Policy: Split Tunneling (diagram: client, encrypted, clear text, clear text)
Split Tunneling: Network List (diagram: client, encrypted, clear text, clear text)
Split DNS (diagram: match: tunneled DNS to the DNS server; no match: clear text DNS; client)
Split DNS Configuration (diagram: tunneled DNS, clear text DNS, client, DNS server)
DDNS (diagram: DHCP server, client, DNS server, PC hostname)
Mode Configuration (diagram: push of WINS, DNS and virtual IP address; NT domain server; Internet)
Modifying Groups
Setting Up Group Attributes (table labels: Global, NT, 60; Engineering, RADIUS 2, 90; Finance, RADIUS 5, 80; diagram: Engineering group and Finance group across the Internet to RADIUS 5 and RADIUS 2; HR, NT; Finance, RADIUS 5; Engineering, RADIUS 2)
Types of Authentication: group authentication, user authentication
Testing Authentication Server
Public Interface IPSec Fragmentation
Configuration of the Cisco VPN Software Client for Windows
Cisco VPN Software Client for Windows
Cisco VPN Software Client for Windows: Run Mode
Main Tabs: Connections, Certificates, Log
Menus: Connection Entries
Menus: Status
Menus: Certificates
Menus: Log
Menus: Options
Creating a New Connection: Authentication (concentrator authentication; the end user never sees this after initial configuration)
Creating a New Connection: Transport
Creating a New Connection: Backup Servers
Creating a New Connection: Dial-Up
Pre-configure Client for Remote Users: oem.ini, vpnclient.ini, .pcf
.pcf File: user profile
Silent Mode (oem.ini): installing the Cisco VPN Client without user intervention; name of the destination folder; identifies whether or not to restart the system after the silent installation
Client Program Menu
Setting MTU Size
Virtual Adapter
Viewing Connected Clients: Concentrator Connection Status
Viewing Connected Clients: Status Details
Summary
The initial configuration of the Cisco VPN 3000 Series Concentrator occurs via the CLI.
Subsequent configuration of the Cisco VPN 3000 Series Concentrator can be performed using a browser.
Groups and users are used to assign access and usage rights.
IPSec policies are assigned to groups.
Summary (cont.)
Mode configuration enables the Cisco VPN 3000 Series Concentrator to push the network information to the Cisco VPN Software Client.
The Cisco VPN 3000 Series Concentrator can use several different types of authentication servers.
The Cisco VPN 3000 Series Concentrator provides extensive monitoring capabilities.
Lab Exercise
Lab Visual Objective (diagram: student PC with Cisco VPN Client on network P.0; RTS; Cisco VPN 3000; DHCP server; RBB; P.0)