IPSec on the VPN 3002 Hardware Client

39 Configuring IPSec over UDP

40 Configuring IPSec over TCP

Internet Protocol Security (IPSec) is the standard that enables the VPN 3002 Hardware Client to connect securely to the centralized VPN concentrator. The security services IPSec provides include data privacy, authentication, integrity, key management, and tunneling.

With the VPN 3002 Hardware Client, two IPSec options are available to you: IPSec over TCP/IP and IPSec over UDP. You may choose one of these, which will automatically disable the other option. The next sections describe both options in more detail.

IPSec Over TCP/IP

The Cisco VPN Client and the Cisco VPN 3002 Hardware Client both fully support IPSec over TCP, encapsulating the encrypted data within the TCP packet. In this mode, the VPN 3002 Hardware Client is able to work where standard Encapsulating Security Payload (ESP) (protocol 50) or Internet Key Exchange (IKE) (UDP 500) cannot operate because of factors such as PAT. IPSec over TCP encapsulates both the IKE and IPSec protocols within the TCP packet, enabling the new packet to pass through NAT and PAT devices. This feature, however, will not work if the VPN termination on the other end is proxy based, such as in Microsoft Proxy Server.

There are three requirements for both the VPN concentrator and the VPN 3002 Hardware Client when using IPSec over TCP:

• Run version 3.5 or later software.

• IPSec over TCP must be enabled.

• The VPN concentrator and the VPN 3002 Hardware Client must use the same port.

To enable IPSec over TCP/IP, you must make configuration changes on both the VPN concentrator and the VPN 3002 Hardware Client. IPSec over TCP/IP is configured on the VPN 3002 Hardware Client under the Configuration | System | Tunneling Protocols | IPSec screen. On the VPN concentrator, configuration settings for IPSec over TCP/IP are made on the Configuration | System | Tunneling Protocols | IPSec | IPSec over TCP screen, as shown in Figure 9-10.

Figure 9-10 Configuration | System | Tunneling Protocols | IPSec | IPSec over TCP

On either the hardware client or the concentrator, you simply check the box to enable IPSec over TCP and then select the TCP port to use between the devices. The default port is 10,000, but you can select any port between 1 and 65,535. If you select a well-known port, such as 80 for HTTP, the system presents a warning telling you that the protocol associated with that well-known port number will no longer be available on the public interface. On the VPN concentrator, you can enter up to 10 ports, separated by commas, so that you can use a different port for each hardware client that connects to the concentrator. The configuration screen for the VPN 3002 Hardware Client permits you to enter only one TCP port number.

UDP NAT Transparent IPSec (IPSec Over UDP)

The VPN 3002 Hardware Client fully supports User Datagram Protocol Network Address Translation Transparent IPSec (UDP NAT Transparent IPSec). In this mode, the VPN 3002 Hardware Client encapsulates the data traffic within new UDP packets, bypassing the effects of NAT and PAT. This method sends keepalives on a regular basis to ensure that the NAT mappings remain active. While this slightly increases bandwidth overhead, it is necessary because UDP is a connectionless protocol and the NAT device would otherwise age out an idle mapping. There is a limitation on using UDP NAT Transparent IPSec: only a single VPN device may be behind the NAT device. In other words, you may have only a single VPN 3002 Hardware Client behind a PIX firewall.

Some of the workings of IPSec transparent mode are not readily visible to the administrator. For example, the VPN concentrator creates a filter rule, applies it to the public filter, and passes it along to the VPN 3002 Hardware Client transparently. On the inbound side, the UDP traffic goes directly to IPSec processing for decryption and decapsulation before being routed. On the outbound side, the IPSec process encrypts, encapsulates, and then adds a new UDP header if required. These rules may be removed from the filter under one of three conditions:

• When a group is deleted

• When the last active IPSec over UDP Security Association (SA) for that group is deleted

• When IPSec over UDP is disabled for the group

UDP NAT Transparent IPSec (IPSec over UDP), which disables IPSec over TCP, is the default configuration for the VPN 3002 Hardware Client, so no configuration is necessary on the hardware client itself. However, there are three requirements for running UDP NAT Transparent IPSec:

• Run version 3.0.3 or later software.

• The concentrator and the VPN 3002 Hardware Client must use the same port.

• You must configure IPSec over UDP for the group on the VPN concentrator through the Configuration | User Management | Groups | Modify screen, as shown in Figure 9-11. Clicking the IPSec over UDP box causes the VPN concentrator to expect IPSec over UDP (UDP NAT Transparent IPSec) instead of IPSec over TCP. The administrator may optionally change the default port of 10,000. Allowable port numbers for IPSec over UDP configurations are 4001 through 49,151. Be sure that IPSec over TCP has been disabled on the VPN 3002 Hardware Client's Configuration | System | Tunneling Protocols | IPSec screen.
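The requirements for the two transports (software versions, the single port on the hardware client versus up to ten on the concentrator, the well-known-port warning, the 4001 to 49,151 range for IPSec over UDP, and the rule that the hardware client must not run IPSec over TCP when the group expects UDP) are scattered across the preceding sections. The following script, an added example and not Cisco code, collects them into one consistency check that can be run against a pair of device settings before a change window. The dataclass field names, the `validate` function and the rule set are assumptions that mirror the text; the hardware client has no separate UDP port field because the text configures that value only on the concentrator group.

```python
"""Consistency checks for IPSec over TCP / IPSec over UDP settings on a
VPN concentrator and a VPN 3002 Hardware Client.  Added example, not Cisco
code: field names and rules are assumptions that mirror the chapter text."""
from dataclasses import dataclass, field
from typing import List

DEFAULT_PORT = 10000                       # default for both IPSec over TCP and IPSec over UDP
TCP_PORT_MIN, TCP_PORT_MAX = 1, 65535
UDP_PORT_MIN, UDP_PORT_MAX = 4001, 49151   # allowable IPSec over UDP range from the text
WELL_KNOWN_MAX = 1023                      # e.g. 80: that service disappears from the public interface
MAX_CONCENTRATOR_TCP_PORTS = 10


def version_at_least(version: str, minimum: str) -> bool:
    """Numeric comparison of dotted versions, so '3.10' >= '3.5' and '3.0.3' < '3.5'."""
    a = [int(x) for x in version.split(".")]
    b = [int(x) for x in minimum.split(".")]
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a >= b


@dataclass
class ConcentratorConfig:
    software_version: str
    ipsec_over_tcp_enabled: bool = False        # Configuration | System | Tunneling Protocols | IPSec | IPSec over TCP
    ipsec_over_tcp_ports: List[int] = field(default_factory=lambda: [DEFAULT_PORT])
    group_ipsec_over_udp_enabled: bool = False  # Configuration | User Management | Groups | Modify
    group_ipsec_over_udp_port: int = DEFAULT_PORT


@dataclass
class HardwareClientConfig:
    software_version: str
    ipsec_over_tcp_enabled: bool = False        # Configuration | System | Tunneling Protocols | IPSec
    ipsec_over_tcp_port: int = DEFAULT_PORT     # the 3002 screen accepts exactly one port


def _check_tcp_port(port: int, where: str, findings: List[str]) -> None:
    if not TCP_PORT_MIN <= port <= TCP_PORT_MAX:
        findings.append(f"ERROR: {where}: TCP port {port} is outside {TCP_PORT_MIN}-{TCP_PORT_MAX}")
    elif port <= WELL_KNOWN_MAX:
        findings.append(f"WARNING: {where}: well-known port {port} will no longer be "
                        "available on the public interface")


def validate(conc: ConcentratorConfig, hc: HardwareClientConfig) -> List[str]:
    """Return findings prefixed ERROR:/WARNING:; an empty list means the pair is consistent."""
    findings: List[str] = []
    both = (("concentrator", conc.software_version), ("hardware client", hc.software_version))

    if hc.ipsec_over_tcp_enabled:
        # IPSec over TCP: 3.5 or later on both sides, enabled on both, same port, valid ports.
        for name, ver in both:
            if not version_at_least(ver, "3.5"):
                findings.append(f"ERROR: {name} runs {ver}; IPSec over TCP needs 3.5 or later")
        if not conc.ipsec_over_tcp_enabled:
            findings.append("ERROR: IPSec over TCP is enabled on the hardware client but not on the concentrator")
        else:
            if len(conc.ipsec_over_tcp_ports) > MAX_CONCENTRATOR_TCP_PORTS:
                findings.append(f"ERROR: concentrator lists {len(conc.ipsec_over_tcp_ports)} TCP ports; "
                                f"at most {MAX_CONCENTRATOR_TCP_PORTS} are allowed")
            for p in conc.ipsec_over_tcp_ports:
                _check_tcp_port(p, "concentrator", findings)
            if hc.ipsec_over_tcp_port not in conc.ipsec_over_tcp_ports:
                findings.append(f"ERROR: hardware client TCP port {hc.ipsec_over_tcp_port} is not in "
                                f"the concentrator list {conc.ipsec_over_tcp_ports}")
        _check_tcp_port(hc.ipsec_over_tcp_port, "hardware client", findings)
        if conc.group_ipsec_over_udp_enabled:
            # The two transports are mutually exclusive on the 3002.
            findings.append("ERROR: the group expects IPSec over UDP; disable IPSec over TCP on the hardware client")
    elif conc.group_ipsec_over_udp_enabled:
        # IPSec over UDP: 3.0.3 or later on both sides; the port pushed from the group must be 4001-49151.
        for name, ver in both:
            if not version_at_least(ver, "3.0.3"):
                findings.append(f"ERROR: {name} runs {ver}; IPSec over UDP needs 3.0.3 or later")
        p = conc.group_ipsec_over_udp_port
        if not UDP_PORT_MIN <= p <= UDP_PORT_MAX:
            findings.append(f"ERROR: IPSec over UDP port {p} is outside {UDP_PORT_MIN}-{UDP_PORT_MAX}")
    else:
        findings.append("WARNING: neither transport selected; native ESP (protocol 50) and IKE (UDP 500) "
                        "must reach the concentrator, which PAT will break")
    return findings


if __name__ == "__main__":
    # Constructed sample: concentrator on 3.5 with two TCP ports, client on 3.0.3 using port 80.
    conc = ConcentratorConfig("3.5", ipsec_over_tcp_enabled=True, ipsec_over_tcp_ports=[10000, 10001])
    hc = HardwareClientConfig("3.0.3", ipsec_over_tcp_enabled=True, ipsec_over_tcp_port=80)
    for finding in validate(conc, hc):
        print(finding)
```

Run stand-alone, the sample reports the hardware client's outdated software, the port mismatch against the concentrator list, and the well-known-port warning for port 80; an empty result means the pair satisfies every requirement listed in the text.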

Figure 9-11 Configuration | User Management | Groups | Modify

(Figure 9-11 reproduces the Mode Configuration Parameters tab of the group Modify screen; only the field labels are recoverable from the scan. Columns: Attribute, Value, Inherit?, Description. Rows: Banner; Password Storage on Client (check to allow the IPSec client to store the password); Split Tunneling Policy (Tunnel everything / Allow the networks in the list to bypass the tunnel / Only tunnel networks in the list); Split Tunneling Network List; IPSec over UDP, described as "Check to allow the IPSec client to operate through a firewall using NAT via UDP"; IPSec over UDP Port, described as "Enter the UDP port to be used for IPSec through NAT (4001 - 49151)"; IPSec Backup Servers.)

Troubleshooting a VPN 3002 Hardware Client IPSec Connection

Testing the IPSec tunnel is fairly easy. The first step is to ping the private interface of the VPN concentrator from the Administration | Ping screen. If this succeeds but you are unable to ping anything else, the issue is internal routing. In this case, make sure that the device you are attempting to ping knows how to reach your private network. Conversely, if you are not able to ping even the inside interface of the VPN concentrator, the issue is probably within IPSec.

Setting Debug Levels

The next action in debugging IPSec is to turn on debugging on both the VPN concentrator and the VPN 3002 Hardware Client. Set the log severity to 1-13 on both devices for the following:

NOTE The debugging levels may be set starting with Level 1-1 (Severe Error) through any of the levels up to Level 1-13 (Debugging Information). As with any Cisco logging, higher logging numbers give more detail than lower logging numbers. The reason you choose to log debugging information (Level 1-13) is that this level shows the most information available.

Try to reestablish the VPN tunnel and then look at the logs. Here are a few of the items worth noting:

• IKE failures on Phase 1

• Incorrect password

• Incorrect work group name

• Incorrect username

• Incorrect password on the concentrator

• Unable to ping with an established tunnel

The following sections elaborate on each of these points.

Errors on Phase 1

If you are experiencing failures during Phase 1, check these issues:

• XAUTH is required, but the proposal does not support XAUTH

• The priorities of the IKE XAUTH proposals in the IKE proposal list

• The group configured on the VPN concentrator

• Whether all SA proposals offered are acceptable

Identifying an Incorrect Password at the VPN 3002 Hardware Client

On the VPN 3002 Hardware Client, you will see an error similar to the following if the password is incorrect:

Group [192.168.100.1]

Rxed Hash is incorrect:Preshared key or Digital Signature mismatch

Identifying an Incorrect Work Group Name

If the work group name is incorrect, the VPN concentrator logs will show a message similar to the following:

No Group found 3002group for Preshared key peer 192.168.100.1

Identifying an Incorrect Username

If the username given by the client is incorrect, the VPN concentrator log will show a message similar to the following:

Authentication rejected: Reason = User was not found

Incorrect Password on the Concentrator

If the password is incorrect, the VPN concentrator log will show a message similar to the following:

Authentication rejected: Reason = Invalid password

Unable to Ping with an Established Tunnel

If you have an established tunnel and you are still unable to ping the private interface on the VPN concentrator, there are two possibilities: an overlapping SA or IPSec filtering. In the VPN 3002 Hardware Client, go to the Monitoring | System Status screen and note the Octets Out field. Next, go to the Monitoring | Sessions screen and note the Bytes Received counter. Attempt to ping the VPN concentrator's inside interface again and recheck these counters. Based on how the counters change, you will be able to see which of the two issues is causing the problem.

The first issue may be that there is an overlapping SA configured. An overlapping SA is where two or more VPN clients have the same network on the private side. For example, you may have a VPN 3002 Hardware Client with the 192.168.100.0/24 network and a VPN Software Client with an IP address of 192.168.100.4. If both of these counters are incrementing, this is the case.

If only the Octets Out counter is incrementing on the VPN 3002 Hardware Client, but the Bytes Received is not, then IPSec is being filtered. If UDP is enabled, make sure that the UDP port chosen, a default value of 10,000, is not being blocked. If the VPN 3002 Hardware Client is behind a PAT device, make sure to enable IPSec through NAT.
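The troubleshooting sections above reduce to two mechanical checks: matching the four log messages quoted in the text to their cause, and applying the Octets Out / Bytes Received counter test. The following script, an added example and not Cisco code, implements both so the steps can be applied to exported logs and counter readings. The function names, the constructed log lines and the diagnosis strings are assumptions; the patterns are taken verbatim from the messages quoted in the text, and the counter logic covers only the two outcomes the text describes, reporting anything else as inconclusive.

```python
"""Triage helpers for the VPN 3002 / VPN concentrator troubleshooting steps.
Added example, not Cisco code.  classify_log_line() matches the four log
messages quoted in the chapter; diagnose_counters() applies the Octets Out /
Bytes Received test.  Names and sample lines are assumptions."""
import re
from typing import List, Optional, Tuple

# Each pattern is a message quoted in the chapter; the label records where it
# is seen (hardware client or concentrator log) and what it indicates.
SIGNATURES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"Rxed Hash is incorrect"),
     "hardware client: preshared key mismatch (incorrect group password)"),
    (re.compile(r"No Group found (?P<group>\S+) for Preshared key peer (?P<peer>\S+)"),
     "concentrator: group '{group}' offered by peer {peer} does not exist (incorrect work group name)"),
    (re.compile(r"Authentication rejected: Reason = User was not found"),
     "concentrator: incorrect username"),
    (re.compile(r"Authentication rejected: Reason = Invalid password"),
     "concentrator: incorrect user password"),
]


def classify_log_line(line: str) -> Optional[str]:
    """Return a diagnosis for a recognised failure message, or None for anything else."""
    for pattern, label in SIGNATURES:
        match = pattern.search(line)
        if match:
            return label.format(**match.groupdict())
    return None


def triage_log(lines: List[str]) -> List[str]:
    """Diagnoses for every recognised line, in log order; other lines are skipped."""
    return [d for d in (classify_log_line(line) for line in lines) if d]


def diagnose_counters(octets_out_before: int, octets_out_after: int,
                      bytes_rx_before: int, bytes_rx_after: int) -> str:
    """Apply the two-counter test from the text: Octets Out (Monitoring | System
    Status) and Bytes Received (Monitoring | Sessions), read before and after a
    ping of the concentrator's inside interface."""
    out_grew = octets_out_after > octets_out_before
    rx_grew = bytes_rx_after > bytes_rx_before
    if out_grew and rx_grew:
        return "overlapping SA: another client shares the hardware client's private network"
    if out_grew and not rx_grew:
        return ("IPSec is being filtered: confirm the IPSec over UDP/TCP port (default 10000) "
                "is not blocked and enable IPSec through NAT if behind a PAT device")
    # Outside the two cases the text describes: the ping never left the hardware client.
    return "inconclusive: Octets Out did not increase, so the test did not exercise the tunnel"


# Constructed sample log (not a real capture), using the message formats quoted in the text.
SAMPLE_LOG = [
    "Group [192.168.100.1]",
    "Rxed Hash is incorrect:Preshared key or Digital Signature mismatch",
    "No Group found 3002group for Preshared key peer 192.168.100.1",
    "Authentication rejected: Reason = User was not found",
    "Authentication rejected: Reason = Invalid password",
    "unrelated event line that the classifier should ignore",
]

if __name__ == "__main__":
    for diagnosis in triage_log(SAMPLE_LOG):
        print(diagnosis)
    print(diagnose_counters(1000, 1200, 500, 500))
```

When reading real logs, feed the concentrator and hardware client exports separately: the "Rxed Hash is incorrect" message appears on the hardware client, while the other three come from the concentrator, and the labels say which side each was expected on.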
