© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod9_L8 1
Implementing Secure Converged Wide Area Networks (ISCW)
Module 3 – Lesson 9
Implementing the Cisco VPN Client
Module Introduction
Virtual private networks (VPNs) use advanced encryption techniques and tunneling to permit organisations to establish secure, end-to-end, private network connections over third-party networks such as the Internet
Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX security and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to create VPN solutions that meet the security requirements of any organisation
This module explains fundamental terms associated with VPNs, including the IP Security protocol, and Internet Key Exchange. It then details how to configure various types of VPN, using various currently available methods
Objectives
At the completion of this ninth lesson, you will be able to:
Describe how, when and where the Cisco VPN client software is used
Install and configure Cisco VPN client software on a PC running Windows
Cisco VPN Client
The Cisco VPN Client is simple to deploy and operate
It allows organisations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers
Its thin-design IPsec implementation is compatible with all Cisco VPN products
Cisco VPN Client
When the Cisco VPN Client is preconfigured for mass deployment, initial logins require little user intervention. The Cisco VPN Client supports Cisco Easy VPN, which delivers a scalable, cost-effective and easy-to-manage remote access VPN architecture and removes the operational cost of maintaining a consistent policy and key management method across many clients
The Cisco Easy VPN feature allows the Cisco VPN Client to receive security policies on a VPN tunnel connection from the central site VPN device (Cisco Easy VPN Server), minimising configuration requirements at the remote location
This simple and highly scalable solution is ideal for large remote access deployments where it is impractical to configure policies individually for multiple remote PCs
Cisco VPN Client Configuration Tasks
1. Install Cisco VPN Client
2. Create a new client connection entry
3. Configure the client authentication properties
4. Configure transparent tunneling
5. Enable and add backup servers
6. Configure a connection to the Internet through dialup networking
Install Cisco VPN Client
The Cisco VPN Client can be installed on a Windows system by using either of two applications:
InstallShield
Microsoft Windows Installer (MSI).
Both applications use installation wizards to proceed through the installation.
This task includes the following activities:
1. Verifying system requirements
2. Gathering the information needed
3. Installing the VPN Client through InstallShield or through MSI
Uninstall old Cisco VPN Client
If a previously installed VPN Client has not been uninstalled, an error message appears when vpnclient_en.exe or vpnclient_en.msi is executed
The previously installed VPN Client must be uninstalled before proceeding with the new installation
To remove a Cisco VPN Client that was installed with MSI, use the Windows Add or Remove Programs feature that is located in the control panel
To remove a Cisco VPN Client that was installed with InstallShield, choose Start > Programs > Cisco Systems VPN Client > Uninstall Client
Install Cisco VPN Client (Task 1)
Create a New Client Connection Entry
To use the Cisco VPN Client, at least one connection entry that includes this information must be created:
VPN device: The remote server to access
Group name and pre-shared key: A pre-shared key is a secret password or key entered on both sides of the exchange ahead of time. The entry here is the IPsec group name and group key assigned by the system administrator. The group determines how the remote network is accessed and used.
For example, the group specifies access hours, number of simultaneous logins, user authentication method, and the IPsec algorithms that the Cisco VPN Client uses
Certificate: The name of the certificate that is being used for authentication
Optional parameters that govern VPN Client operation and connection to the remote network can also be assigned
Create a New Client Connection Entry
To add a new entry, follow these steps (next two slides):
1. Start the VPN Client application; it displays the advanced mode main window. If the advanced mode window does not appear and the simple mode window is displayed, choose Options > Advanced Mode or press Ctrl-M
2. Click the New icon in the toolbar. Alternatively, choose New in the Connection Entries menu
3. Enter a unique name for this new connection in the Connection Entry field. Any name can be used to identify this connection; for example, Engineering. This name can contain spaces and is not case sensitive.
4. Enter a description of this connection in the Description field. This field is optional, but a description helps further identify this connection. For example, ‘Connection to Engineering remote server’
5. Enter the host name or IP address of the remote VPN device to be accessed in the Host field
6. Save the connection entry by clicking the Save button
Create a New Client Connection Entry—Main Window (Task 2)
[Figure: VPN Client Main Window, with callouts for steps 1 and 2]
Creating a New Connection Entry (Task 2)
[Figure: Create New VPN Connection Entry dialog, with callouts for steps 3 to 6]
Configure Client Authentication properties
In Task 3, client authentication properties are configured in the same form as in Task 2, but on a different tab.
Under the Authentication tab, enter the information for the authentication method to be used
The client can connect as a member of a group (configured on the VPN device) or by supplying an identity digital certificate
Group Authentication
The network administrator usually configures group authentication. If it has not been configured, complete the following procedure:
1. Select the Group Authentication radio button
2. In the Name field, enter the name of the IPsec group to which the client belongs. This entry is case sensitive.
3. In the Password field, enter the password (which is also case sensitive) for the IPsec group. The field displays only asterisks
4. Verify the password in the Confirm Password field
Configuring Client Authentication Properties (Task 3)
Authentication options:
Group preshared secrets (group name and group secret)
Mutual authentication (import CA certificate first; group name and secret)
Digital certificates (enroll with the CA first; select the certificate)
[Figure: Authentication tab of the connection entry, with callouts 1 to 4 for the group authentication steps]
Mutual Group Authentication
Another group authentication option is to use mutual group authentication
To use mutual group authentication, a root (CA) certificate that is compatible with the central-site VPN device must be installed on the system:
1. The network administrator can load a root certificate on the system during installation. When Mutual Group Authentication radio button is selected, the VPN Client software verifies whether or not a root certificate is installed.
2. If a root certificate is NOT installed, the VPN Client prompts for one to be installed. Before continuing, a root certificate must be imported
When a root certificate has been installed (if required), follow the steps as for group authentication
Mutual Group Authentication (Task 3)
[Figure: Authentication tab with Mutual Group Authentication selected, callouts 1 and 2]
Mutual group authentication should be used instead of group preshared secrets.
Group preshared secrets are vulnerable to man-in-the-middle attacks if the attacker knows the group preshared secret: a rogue gateway that holds the group secret can complete the group phase of the exchange with the client and then collect the user's individual credentials. With mutual group authentication the client also verifies the gateway's certificate against the imported root certificate, which a holder of the group secret alone cannot forge.
Transparent Tunneling
Transparent tunneling allows secure transmission between the Cisco VPN Client and a secure gateway through a router that is serving as a firewall. The firewall may also perform NAT or PAT
Transparent tunneling encapsulates Protocol 50 (ESP) traffic within UDP packets and can allow both ISAKMP and Protocol 50 to be encapsulated in TCP packets before the packets are sent through the NAT or PAT devices or firewalls
The most common application for transparent tunneling is behind a home router performing PAT
Transparent Tunneling
The Cisco VPN Client also sends keepalives frequently, so that the NAT or PAT mappings on the intermediate devices stay active
Not all devices support multiple simultaneous connections. Some devices cannot map additional sessions to unique source ports. Be sure to check with your vendor to verify whether or not this limitation exists on your device. Some vendors support Protocol 50 PAT (IPsec pass through), which might allow operation without enabling transparent tunneling.
To use transparent tunneling, the central-site group must configure the Cisco VPN device to support transparent tunneling
Transparent Tunneling
Follow this procedure to use transparent tunneling:
1. Transparent tunneling is enabled by default. To disable it, uncheck the Enable Transparent Tunneling check box; it is recommended that this box is left checked
2. Select a mode of transparent tunneling: over User Datagram Protocol (UDP) or over TCP. The mode must match the mode configured on the secure gateway being connected to. Either mode operates properly through a PAT device. Multiple simultaneous connections might work better with TCP, and in an extranet environment TCP mode is preferable. UDP encapsulation does not operate through stateful firewalls, so if stateful firewalls are in use, choose TCP
Transparent Tunneling
Options for transparent tunneling include:
Using IPsec over UDP (NAT/PAT): To enable IPsec over UDP (NAT or PAT), click the IPsec over UDP (NAT/PAT) radio button. With UDP, the port number is negotiated. UDP is the default mode.
Using IPsec over TCP (NAT/PAT/Firewall): To enable IPsec over TCP, click the IPsec over TCP radio button. When using TCP, the port number for TCP must be entered in the TCP Port field. This port number must match the port number that is configured on the secure gateway. The default port number is 10000
Allowing Local LAN Access: In a multiple-network interface card (NIC) configuration, local LAN access pertains only to network traffic on the interface that the tunnel is established on
Allow Local LAN Access
The Allow Local LAN Access parameter gives access to the resources on the local LAN (printer, fax, shared files, or other systems) when the computer is connected through a secure gateway to a central-site VPN device.
When this parameter is enabled and the central site is configured to permit access, local resource access is allowed while the host is connected. When this parameter is disabled, all traffic from the client system goes through the IPsec connection to the secure gateway
To enable this feature, check the Allow Local LAN Access check box in the Transport tab of the VPN Client Properties window. To disable the feature, uncheck the check box. If the local LAN is not secure, this feature should be disabled.
For example, disable this feature when using a local LAN in a hotel or airport
Configuring Transparent Tunneling (Task 4)
[Figure: Transport tab with Enable Transparent Tunneling and the UDP/TCP mode selection, callouts 1 and 2]
Transparent tunneling is on by default.
NAT-T enables IPsec and IKE over a standard UDP port 4500, allowing the VPN Client to be behind a NAT or PAT device.
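The following is an added example, not code from the Cisco course or the VPN Client: it models the standard NAT-T (RFC 3947/3948) datagram formats on UDP port 4500 that the slide refers to, and the way a receiving peer demultiplexes them. Both IKE and ESP share the one UDP port; IKE is prefixed with a four-byte zero "non-ESP marker" (safe because ESP SPI 0 is reserved), ESP is carried with its SPI and sequence number directly after the UDP header, and a one-byte 0xFF keepalive refreshes the NAT or PAT mapping. The SPIs, sequence numbers and payload bytes are constructed for the demo. Note that the client's proprietary "IPsec over UDP" (negotiated port) and "IPsec over TCP" (port 10000) modes use their own framing, which this example does not model.

```python
"""UDP encapsulation of IKE and ESP as standard NAT-T (RFC 3947/3948) does it on UDP/4500.

Added example, not Cisco's code: it models only the datagram formats that let a
NAT/PAT device forward IPsec, and the receiver-side demultiplexing. The SPIs,
sequence numbers and payload bytes below are constructed for the demo.
"""
import struct

NAT_T_PORT = 4500                      # IKE and ESP both move here once NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixed to IKE; cannot collide with ESP because SPI 0 is reserved
NAT_KEEPALIVE = b"\xff"                # one-byte datagram that refreshes the NAT/PAT mapping
IKE_HEADER_LEN = 28
IKE_HEADER_FMT = "!QQBBBBII"           # i-SPI, r-SPI, next payload, version, exchange, flags, msg id, length
EXCHANGE_TYPES = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}


def build_ike_header(i_spi, r_spi, exchange_type, body, msg_id=0, flags=0):
    """Minimal IKEv1 (ISAKMP) header, version 1.0, first payload = SA (1), followed by body."""
    length = IKE_HEADER_LEN + len(body)
    return struct.pack(IKE_HEADER_FMT, i_spi, r_spi, 1, 0x10, exchange_type, flags, msg_id, length) + body


def encapsulate_ike(ike_message):
    """IKE on UDP/4500: four zero bytes (non-ESP marker), then the ISAKMP message."""
    return NON_ESP_MARKER + ike_message


def encapsulate_esp(spi, seq, esp_payload):
    """UDP-encapsulated ESP: the ESP header (SPI, sequence) follows the UDP header directly."""
    if not 1 <= spi <= 0xFFFFFFFF:
        raise ValueError("ESP SPI must be a non-zero 32-bit value")
    return struct.pack("!II", spi, seq) + esp_payload


def keepalive():
    """NAT keepalive: a single 0xFF byte, sent periodically while the tunnel is idle."""
    return NAT_KEEPALIVE


def classify(udp_payload):
    """Demultiplex a UDP/4500 datagram the way the receiving peer does.

    Returns (kind, details) where kind is 'nat-keepalive', 'ike' or 'esp'.
    Malformed datagrams raise ValueError instead of being guessed at.
    """
    if udp_payload == NAT_KEEPALIVE:
        return "nat-keepalive", None
    if len(udp_payload) < 8:
        raise ValueError("datagram too short to be ESP or IKE")
    if udp_payload[:4] == NON_ESP_MARKER:
        ike = udp_payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            raise ValueError("truncated ISAKMP header")
        i_spi, r_spi, _next, version, xchg, _flags, msg_id, length = struct.unpack(
            IKE_HEADER_FMT, ike[:IKE_HEADER_LEN])
        if length != len(ike):
            raise ValueError("ISAKMP length field does not match datagram")
        return "ike", {"initiator_spi": i_spi, "responder_spi": r_spi,
                       "version": (version >> 4, version & 0xF),
                       "exchange": EXCHANGE_TYPES.get(xchg, f"type {xchg}"),
                       "message_id": msg_id}
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return "esp", {"spi": spi, "seq": seq, "encrypted_len": len(udp_payload) - 8}


def demo():
    """Constructed traffic: a phase-1 aggressive-mode IKE message, a tunnelled ESP packet, a keepalive."""
    ike = encapsulate_ike(build_ike_header(0x1122334455667788, 0, 4, b"\x00" * 40))
    esp = encapsulate_esp(0xC0A80001, 7, b"\xde\xad\xbe\xef" * 8)
    return [classify(d) for d in (ike, esp, keepalive())]


if __name__ == "__main__":
    for kind, details in demo():
        print(kind, details)
```

The length check on the ISAKMP header is the kind of sanity check a gateway or IDS applies before parsing further; the SPI-zero check on ESP is what makes the non-ESP marker unambiguous.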
Statistics
The Statistics window provides information about the following:
Tunnel details
Routing table
Personal firewall
To display the routing table:
1. From the VPN Client page, choose Status > Statistics.
2. Select the Route Details tab from the Statistics dialog box.
The routing table shows local LAN routes that do not traverse the IPsec tunnel, and secured routes that do traverse the IPsec tunnel to a central-site device
The routes in the local LAN routes column are for locally available resources
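The following is an added example, not code from the Cisco course or the VPN Client. It models the two columns of the Route Details tab, local LAN routes (sent in the clear on the physical interface) and secured routes (sent through the IPsec tunnel), together with the Allow Local LAN Access switch from the Transport tab, and reports which destinations would leave the host unprotected under a given policy. The route lists, gateway address and host addresses are constructed for the demo; it assumes, as the client does, that an allowed local LAN route is excluded from the tunnel even when the secured route is 0.0.0.0/0.

```python
"""Which destinations bypass the tunnel under a given split-tunnel policy.

Added example, not Cisco's code. It models the two columns of the Route Details
tab, 'local LAN routes' (sent in the clear on the physical interface) and
'secured routes' (sent through the IPsec tunnel), plus the Allow Local LAN Access
switch. Route lists and addresses are constructed for the demo; a real client
receives its secured routes from the Easy VPN server.
"""
import ipaddress


def longest_match(dst, routes):
    """Return the most specific network in `routes` that contains `dst`, or None."""
    best = None
    for route in routes:
        net = ipaddress.ip_network(route, strict=False)
        if dst in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def classify_destination(dst, secured_routes, local_lan_routes, gateway, allow_local_lan):
    """Decide how a packet to `dst` leaves the host.

    'gateway'   : the outer IKE/ESP traffic to the VPN server itself, never tunnelled
    'local-lan' : bypasses the tunnel; only possible with Allow Local LAN Access on
    'tunnel'    : covered by a secured route, protected by IPsec
    'clear'     : split tunnel with no matching route, sent unprotected to the Internet
    """
    dst = ipaddress.ip_address(dst)
    if dst == ipaddress.ip_address(gateway):
        return "gateway"
    # With the check box cleared the local LAN column is empty and everything goes through the tunnel.
    # Assumption (matches the client's behaviour): an allowed local LAN route wins over secured routes.
    effective_local = local_lan_routes if allow_local_lan else []
    if longest_match(dst, effective_local) is not None:
        return "local-lan"
    if longest_match(dst, secured_routes) is not None:
        return "tunnel"
    return "clear"


def leak_report(destinations, secured_routes, local_lan_routes, gateway, allow_local_lan):
    """List every destination that would leave the host unprotected (local-lan or clear)."""
    return sorted(d for d in destinations
                  if classify_destination(d, secured_routes, local_lan_routes, gateway, allow_local_lan)
                  in ("local-lan", "clear"))


# Constructed scenario: full tunnel (0.0.0.0/0 secured) from a hotel LAN 192.168.1.0/24,
# VPN gateway 203.0.113.10, and a set of hosts the user might talk to.
FULL_TUNNEL = ["0.0.0.0/0"]
HOTEL_LAN = ["192.168.1.0/24"]
GATEWAY = "203.0.113.10"
HOSTS = ["192.168.1.50", "10.10.5.5", "198.51.100.7", GATEWAY]


def demo():
    """Three policies: hotel LAN with local access on, the same with it off, and a 10/8-only split tunnel."""
    return {
        "hotel, local LAN allowed": leak_report(HOSTS, FULL_TUNNEL, HOTEL_LAN, GATEWAY, True),
        "hotel, local LAN disabled": leak_report(HOSTS, FULL_TUNNEL, HOTEL_LAN, GATEWAY, False),
        "split tunnel 10/8 only": leak_report(HOSTS, ["10.0.0.0/8"], [], GATEWAY, False),
    }


if __name__ == "__main__":
    for scenario, leaks in demo().items():
        print(f"{scenario}: {leaks or 'nothing in the clear'}")
```

The report makes the slide's advice concrete: on an untrusted hotel or airport LAN, leaving Allow Local LAN Access enabled exposes every host on that subnet to unprotected traffic, and a split-tunnel policy that secures only the corporate prefix sends all other traffic in the clear.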
Status > Statistics > Route Details
The Statistics window provides information about tunnel details, the routing table, and personal firewall.
[Figure: Statistics window, Route Details tab, with callouts 1 and 2]
Enable Backup Servers
To enable backup servers from the VPN Client, click the Backup Servers tab in the VPN Client Properties form:
Check the Enable Backup Servers check box.
This box is unchecked by default.
Click Add to enter the backup server address. A new window appears
Enter the host name or IP address of the backup server, using a maximum of 255 characters. Click OK when done
Enable and Add Backup Servers (Task 5)
List backup VPN servers that are to be used in case the primary VPN server is not reachable.
[Figure: Backup Servers tab, with callouts 1 to 3]
Configuring the Dialup Connection
The final task is configuring the dialup connection to the Internet.
To connect to a private network using a dialup connection, perform the following:
1. Use a dialup connection to your Internet service provider (ISP) to connect to the Internet.
2. Use the VPN Client to connect to the private network through the Internet.
To enable and configure this feature, check the Connect to Internet via dial-up check box in the Dial-Up tab of the VPN Client Properties form. This box is unchecked by default.
Configuring the Dialup Connection
Connection can be made to the Internet using the VPN Client application in one of two ways. Click the appropriate button in the Dial-Up tab based on which option is chosen:
Microsoft Dial-Up Networking
Third-party dial-up application
Once this connection is made, the configuration of the Cisco VPN Client is complete
Configure Connection to the Internet Through Dial-Up Networking (Task 6)
Optionally, tie a VPN connection to a dialup connection defined in the Networking section of Windows.