Transcript Cisco VPN Client

Implementing Secure
Converged Wide
Area Networks
(ISCW)
ISCW-Mod9_L8
© 2007 Cisco Systems, Inc. All rights reserved.
1
Implementing the
Cisco VPN Client
Module 3 – Lesson 9
ISCW-Mod9_L8
© 2007 Cisco Systems, Inc. All rights reserved.
2
Module Introduction
 Virtual private networks (VPNs) use advanced encryption
techniques and tunneling to permit organisations to establish
secure, end-to-end, private network connections over third-party
networks such as the Internet
 Cisco offers a wide range of VPN products, including VPNoptimised routers, PIX security and Adaptive Security Appliances
(ASA), and dedicated VPN concentrators. These infrastructure
devices are used to create VPN solutions that meet the security
requirements of any organisation
 This module explains fundamental terms associated with VPNs,
including the IP Security protocol, and Internet Key Exchange. It
then details how to configure various types of VPN, using various
currently available methods
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
3
Objectives
 At the completion of this ninth lesson, you will be able
to:
Describe how, when and where the Cisco VPN client
software is used
Install and configure Cisco VPN client software on a PC
running Windows
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
4
Cisco VPN Client
 The Cisco VPN Client is simple to deploy and operate
 It allows organisations to establish end-to-end,
encrypted VPN tunnels for secure connectivity for
mobile employees or teleworkers
 The ‘thin design’ IPsec-implementation is compatible
with all Cisco VPN products
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
5
Cisco VPN Client
 When the Cisco VPN Client is preconfigured for mass
deployments, initial logins require little user intervention. Cisco
VPN Client supports the innovative Cisco Easy VPN capabilities,
delivering a uniquely scalable, cost-effective, and easy-to-manage
remote access VPN architecture that eliminates the operational
costs associated with maintaining a consistent policy and key
management method
 The Cisco Easy VPN feature allows the Cisco VPN Client to
receive security policies on a VPN tunnel connection from the
central site VPN device (Cisco Easy VPN Server), minimising
configuration requirements at the remote location
 This simple and highly scalable solution is ideal for large remote
access deployments where it is impractical to configure policies
individually for multiple remote PCs
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
6
Cisco VPN Client Configuration Tasks
1. Install Cisco VPN Client
2. Create a new client connection entry
3. Configure the client authentication properties
4. Configure transparent tunneling
5. Enable and add backup servers
6. Configure a connection to the Internet through dialup networking
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
7
Install Cisco VPN Client

The Cisco VPN Client can be installed on a Windows
system by using either of two applications:
InstallShield
Microsoft Windows Installer (MSI).

Both applications use installation wizards to proceed
through the installation.

This task includes the following activities:
1. Verifying system requirements
2. Gathering the information needed
3. Installing the VPN Client through InstallShield or through
MSI
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
8
Uninstall old Cisco VPN Client
 If a previously installed VPN Client has not been
uninstalled, when the vpnclient_en.exe command or
vpnclient_en.msi command is executed, an error
message appears
 The previously installed VPN Client must be uninstalled
before proceeding with the new installation
To remove a Cisco VPN Client that was installed with MSI, use
the Windows Add or Remove Programs feature that is located
in the control panel
To remove a Cisco VPN Client that was installed with
InstallShield, choose Start > Programs > Cisco Systems VPN
Client > Uninstall Client
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
9
Install Cisco VPN Client (Task 1)
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
10
Create a New Client Connection Entry
 To use the Cisco VPN Client, at least one connection entry that
includes this information must be created:
VPN device: The remote server to access
Pre-shared keys: Pre-shared keys are secret passwords or encryption
keys entered into both sides of the message exchange ahead of time.
The entry is the IPsec group assigned by the system administrator. The
group determines how the remote network is accessed and used.
For example, the group specifies access hours, number of
simultaneous logins, user authentication method, and the IPsec
algorithms that the Cisco VPN Client uses
Certificates: The name of the certificate that being used for
authentication
Optional parameters that govern VPN Client operation and connection
to the remote network can also be assigned
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
11
Create a New Client Connection Entry

To add a new entry, follow these steps (next two slides):
1. The VPN Client application starts and displays the advanced mode
main window. If the advanced mode window does not appear and
the simple mode window is displayed, choose Options >
Advanced Mode or press Ctrl-M
2. Click the New icon in the toolbar. Alternatively, choose New in the
Connection Entries menu
3. Enter a unique name for this new connection in the Connection
Entry field. Any name can be used to identify this connection; for
example, Engineering. This name can contain spaces and is not
case sensitive.
4. Enter a description of this connection in the Description field. This
field is optional, but a description helps further identify this
connection. For example, ‘Connection to Engineering remote
server’
5. Enter the host name or IP address of the remote VPN device to be
accessed in the Host field
6. Save the connection entry by clicking the Save button
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
12
Create a New Client Connection Entry—Main
Window (Task 2)
1.
2.
VPN Client Main Window
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
13
Creating a New Connection Entry (Task 2)
3.
4.
5.
6.
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
14
Configure Client Authentication properties
 In Task 3, client authentication properties are
configured in the same form as Task 2, except using a
different tab.
 Under the Authentication tab, enter the information for
the method to be used
 This can be connect as part of a group (configured on a
VPN device) or by supplying an identity digital
certificate
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
15
Group Authentication

The network administrator usually configures group
authentication. However, if group authentication has
not been configured complete this procedure shown :
1. Select the Group Authentication radio button
2. In the Name field, enter the name of the IPsec group
belonged to. This entry is case sensitive.
3. In the Password field, enter the password (which is also
case sensitive) for the IPsec group. The field displays only
asterisks
4. Verify the password in the Confirm Password field
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
16
Configuring Client
Authentication Properties (Task 3)
1.
2.
3.
4.
Authentication options:
Group preshared secrets (group name and group secret)
Mutual authentication (import CA certificate first; group name and secret)
Digital certificates (enroll with the CA first; select the certificate)
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
17
Mutual Group Authentication

Another group authentication option is to use mutual group
authentication

To use mutual group authentication, a root certificate is required
that is compatible with the central-site VPN that is installed on the
system:
1. The network administrator can load a root certificate on the system
during installation. When Mutual Group Authentication radio
button is selected, the VPN Client software verifies whether or not a
root certificate is installed.
2. If a root certificate is NOT installed, the VPN Client prompts for one
to be installed. Before continuing, a root certificate must be
imported

ISCW-Mod3_L9
When a root certificate has been installed (if required), follow the
steps as for group authentication
© 2007 Cisco Systems, Inc. All rights reserved.
18
Mutual Group Authentication (Task 3)
1.
2.
Mutual authentication should be used instead of group preshared secrets.
Group preshared secrets are vulnerable to man-in-the-middle attacks if the
attacker knows the group preshared secret.
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
19
Transparent Tunneling
 Transparent tunneling allows secure transmission
between the Cisco VPN Client and a secure gateway
through a router that is serving as a firewall. The
firewall may also perform NAT or PAT
 Transparent tunneling encapsulates Protocol 50 (ESP)
traffic within UDP packets and can allow both ISAKMP
and Protocol 50 to be encapsulated in TCP packets
before the packets are sent through the NAT or PAT
devices or firewalls
The most common application for transparent tunneling is
behind a home router performing PAT
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
20
Transparent Tunneling
 The Cisco VPN Client also sends keepalives frequently, ensuring
that the mappings on the devices are kept active
 Not all devices support multiple simultaneous connections. Some
devices cannot map additional sessions to unique source ports. Be
sure to check with your vendor to verify whether or not this
limitation exists on your device. Some vendors support Protocol 50
PAT (IPsec pass through), which might allow operation without
enabling transparent tunneling.
 To use transparent tunneling, the central-site group must configure
the Cisco VPN device to support transparent tunneling
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
21
Transparent Tunneling
 Follow this procedure to use transparent tunneling:
1. The transparent tunneling parameter is enabled by default.
To disable this parameter, uncheck the Enable Transparent
tunneling check box. It is recommended that this parameter
is always checked / ticked
2. Select a mode of transparent tunneling, over User Datagram
Protocol (UDP) or over TCP. The mode used must match the
mode used by the secure gateway being connected to.
Either mode operates properly through a PAT device.
Multiple simultaneous connections might work better with
TCP, and if in an extranet environment, TCP mode is
preferable. UDP does not operate with stateful firewalls, so if
stateful firewalls in use, choose TCP
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
22
Transparent Tunneling
 Options for transparent tunneling include:
Using IPsec over UDP (NAT/PAT): To enable IPsec over UDP
(NAT or PAT), click the IPsec over UDP (NAT/PAT) radio
button. With UDP, the port number is negotiated. UDP is the
default mode.
Using IPsec over TCP (NAT/PAT/Firewall): To enable IPsec
over TCP, click the IPsec over TCP radio button. When using
TCP, the port number for TCP must be entered in the TCP Port
field. This port number must match the port number that is
configured on the secure gateway. The default port number is
10000
Allowing Local LAN Access: In a multiple-network interface
card (NIC) configuration, local LAN access pertains only to
network traffic on the interface that the tunnel is established on
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
23
Allow Local LAN Access
 The Allow Local LAN Access parameter gives access to the
resources on the local LAN (printer, fax, shared files, or other
systems) when the computer is connected through a secure
gateway to a central-site VPN device.
When this parameter is enabled and the central site is configured to
permit access, local resource access is allowed while the host is
connected. When this parameter is disabled, all traffic from the client
system goes through the IPsec connection to the secure gateway
 To enable this feature, check the Allow Local LAN Access check
box in the Transport tab of the VPN Client Properties window. To
disable the feature, uncheck the check box. If the local LAN is not
secure, this feature should be disabled.
For example, disable this feature when using a local LAN in a hotel or
airport
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
24
Configuring Transparent Tunneling (Task 4)
1.
2.
Transparent tunneling is on by default.
NAT-T enables IPsec and IKE over a standard UDP port 4500, allowing the
VPN Client to be behind a NAT or PAT device.
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
25
Statistics

The Statistics window provides information about the following:
Tunnel details
Routing table
Personal firewall

To display the routing table:
1. From the VPN Client page, choose Status > Statistics.
2. Select the Route Details tab from the Statistics dialog box.

The routing table shows local LAN routes that do not traverse the
IPsec tunnel, and secured routes that do traverse the IPsec
tunnel to a central-site device

The routes in the local LAN routes column are for locally available
resources
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
26
Status > Statistics > Route Details
2.
1.
The Statistics window provides information about tunnel details, the routing
table, and personal firewall.
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
27
Enable Backup Servers
 To enable backup servers from the VPN Client, click the
Backup Servers tab in the VPN Client Properties form:
 Check the Enable Backup Servers check box.
This box is unchecked by default.
 Click Add to enter the backup server address. A new
window appears
 Enter the host name or IP address of the backup
server, using a maximum of 255 characters. Click OK
when done
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
28
Enable and Add Backup Servers (Task 5)
1.
2.
3.
List backup VPN servers that are to be used in case the primary
VPN server is not reachable.
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
29
Configuring the Dialup Connection
 The final task is configuring the dialup connection to
the Internet.
 To connect to a private network using a dialup
connection, perform the following:
1. Use a dialup connection to your Internet service provider
(ISP) to connect to the Internet.
2. Use the VPN Client to connect to the private network through
the Internet.
 To enable and configure this feature, check the
Connect to Internet via dial-up check box in the DialUp tab of the VPN Client Properties form. This box is
unchecked by default.
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
30
Configuring the Dialup Connection
 Connection can be made to the Internet using the VPN
Client application in one of two ways. Click the
appropriate button in the Dial-Up tab based on which
option is chosen:
Microsoft Dial-Up Networking
Third-party dial-up application
 Once this connection is made, the configuration of the
Cisco VPN Client is complete
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
31
Configure Connection to the Internet Through
Dial-Up Networking (Task 6)
Optionally, tie a VPN connection to a dialup connection defined in
the Networking section of Windows.
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
32
ISCW-Mod3_L9
© 2007 Cisco Systems, Inc. All rights reserved.
33