Setting up an Easy VPN server on a Cisco router

Click OK to complete. The group authentication information must match what was configured on the server in step 9. Click Save when you are finished. Enter a username and password for extended authentication (Xauth); these are the Xauth credentials defined in step 7. Once the connection is established, select Statistics from the Status menu to verify the details of the tunnel.

Different policies can be applied on the server to deny or limit the access of PCs that are infected. The authentication server is configured inside the trusted network, behind the IPsec aggregator.

Router(config)# aaa authentication password-prompt "Enter your password now:"
(Optional) Changes the text displayed when users are prompted to enter a password.

Router(config)# aaa authentication username-prompt "Enter your name here:"
(Optional) Changes the text displayed when users are prompted to enter a username.
Note: an AAA authentication login list must be enabled to enforce Xauth.

Router(config)# aaa authorization network grouplist local group radius
Note: use the local keyword only if no external validation repository (such as a RADIUS server) will be used. Although a user belongs to only one group per connection, users may belong to several groups with different policy requirements, so a user can connect under a different group ID by selecting a different profile in the VPN client.

To define the policy attributes that are pushed to the client via Mode Configuration, perform the following steps. Note: the key command must be configured if the client identifies itself with a preshared key.

Note: the pool command must be configured and must refer to a valid ip local pool, or the client connection will fail. The split-dns command specifies a domain name that must be tunneled or resolved to the private network.

(Optional) The firewall are-u-there command adds the Firewall-Are-U-There attribute to the server group, for client PCs running the BlackICE or ZoneAlarm personal firewall. (Optional) The include-local-lan command configures the Include-Local-LAN attribute, which lets a non-split-tunneling client keep access to its local subnet while the tunnel is up.

(Optional) Rather than adding backup gateways to each client configuration manually, the server can push a list of backup gateways to the client device. The gateways may be specified by IP address or host name.

Router(config-isakmp-group)# pfs
(Optional) Requires perfect forward secrecy for the IPsec SAs negotiated by clients in this group. To restrict the maximum number of connections to the router per VPN group and the maximum number of simultaneous logins per user, add the following attributes to the VPN group.

(Optional) The max-logins command limits the number of simultaneous logins for users in a specific server group.

Router(config-isakmp-group)# exit

The show crypto session group command displays the groups that are currently active on the VPN device; show crypto session summary displays the active groups together with the users connected to each of them. Mode Configuration and Xauth must be applied to a crypto map to be enforced.

To apply Mode Configuration and Xauth to a crypto map, perform the following steps.

Router(config)# crypto map ikessaaamap isakmp authorization list ikessaaalist
Router(config)# crypto map xauthmap client authentication list xauthlist

The crypto map ... ipsec-isakmp dynamic command adds a dynamic crypto map set to a static crypto map set and enters crypto map configuration mode. Note: the transform set is the only configuration statement required in dynamic crypto map entries.

Router(config)# radius-server host
Router(config)# crypto isakmp client configuration group Group1
Router(config-isakmp-group)# banner c The quick brown fox jumped over the lazy dog c

To configure an Easy VPN server to make software and firmware upgrades automatically available to an Easy VPN remote device, perform the following steps.

Router(config)# crypto isakmp client configuration group Group2
Router(config-isakmp-group)# auto-update client Win url http:www.

With the browser-proxy feature, the user does not have to modify the web browser's proxy settings manually when connecting, nor revert them when disconnecting.

Router(config)# crypto isakmp client configuration browser-proxy bproxy

The configuration url command specifies the URL from which the remote device must retrieve its configuration from the server.

To configure an AAA server to push user attributes to a remote device, perform the following steps. The crypto PKI trustpoint must also be configured, and it is preferable that the trustpoint configuration contain the authorization username command.

Router(config)# crypto pki trustpoint ca-server
Declares the trustpoint that the router should use and enters ca-trustpoint configuration mode.

Router(config-ca-trustpoint)# rsakeypair rsa-pair
Specifies the RSA key pair the trustpoint uses. The authorization username command specifies which certificate fields are used to build the AAA username.

Router(config)# crypto isakmp policy
Router(config-isakmp)# exit

The authorization list command specifies the list of AAA servers that will be used to obtain per-user AAA attributes on the basis of the username constructed from the certificate.

Router(config-isakmp-profile)# client configuration address respond
Router(config-isakmp-profile)# virtual-template 2
Specifies which virtual template will be used to clone virtual access interfaces.

Router(config)# crypto ipsec transform-set trans2 esp-3des esp-sha-hmac
Defines a transform set, an acceptable combination of security protocols and algorithms. 3DES is deprecated; where the IOS release supports it, use esp-aes 256 with esp-sha-hmac instead.

Router(config-crypto-map)# set transform-set trans2

Router(config)# crypto logging ezvpn group group1
If a group name is not provided, syslog messages are enabled for all Easy VPN connections to the server; if a group name is provided, they are enabled for that group only.

Router(config)# crypto dynamic-map dynmap 1
Router(config-crypto-map)# set transform-set vpn1
Router(config-crypto-map)# reverse-route
Router(config-crypto-map)# exit

The crypto map commands below configure the server; the crypto ipsec client ezvpn commands configure the Easy VPN remote router.

Router(config)# crypto map static-map 1 ipsec-isakmp dynamic dynmap
Router(config)# interface fastethernet 4
Router(config-if)# crypto map static-map

Router(config)# crypto ipsec client ezvpn ezvpnclient
Router(config-crypto-ezvpn)# group ezvpnclient key secret-password
Router(config-crypto-ezvpn)# peer
Router(config-crypto-ezvpn)# mode client
Router(config-crypto-ezvpn)# exit
Router(config-if)# crypto ipsec client ezvpn ezvpnclient outside
Router# show crypto ipsec client ezvpn
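The command fragments above come from several separate procedures. As an added example, not taken from the original page or from Cisco's documentation, the following is one complete, consistent crypto-map-style Easy VPN server configuration with a matching Easy VPN remote router. It ties together the group policy, Xauth, Mode Configuration, dynamic crypto map, DPD keepalives, session limits, group lock, browser proxy, client auto-update, configuration push and syslog commands that the text discusses. Every address, name (vpnpool, split-tunnel, bproxy, Group1, xauthlist, ikessaaalist, vpnuser), secret and URL is an assumed placeholder; the RADIUS host, proxy and update server do not exist.

```cisco
! ===== Easy VPN server (IKEv1, crypto-map style); every value is an assumed placeholder =====
aaa new-model
! Xauth logins and group authorization use the local database here; replace
! "local" with "group radius" to use the RADIUS host defined below instead.
aaa authentication login xauthlist local
aaa authorization network ikessaaalist local
radius-server host 10.1.1.20 auth-port 1812 acct-port 1813 key RadiusSharedSecret
! Xauth user; "secret" stores a hash rather than a reversible password
username vpnuser secret VpnUserPassw0rd
!
! Client address pool and split-tunnel ACL, both pushed via Mode Configuration
ip local pool vpnpool 192.168.100.1 192.168.100.254
ip access-list extended split-tunnel
 permit ip 10.0.0.0 0.255.255.255 192.168.100.0 0.0.0.255
!
! IKE phase 1 for the group preshared key. Legacy Easy VPN clients negotiate
! DH group 2 only, which is the weak point of this design.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
! Dead Peer Detection: probe every 10 s, retry every 3 s when a probe fails
crypto isakmp keepalive 10 3 periodic
!
! Proxy settings the VPN Client applies to the browser while the tunnel is up
crypto isakmp client configuration browser-proxy bproxy
 proxy server 10.1.1.30:8080
 proxy exception-list 10.*
 proxy bypass-local
!
crypto isakmp client configuration group Group1
 key Group1PreSharedKey
 pool vpnpool
 netmask 255.255.255.0
 acl split-tunnel
 dns 10.1.1.10
 domain example.com
 pfs
 include-local-lan
 firewall are-u-there
 backup-gateway 203.0.113.2
 browser-proxy bproxy
 banner c Authorized users only. Sessions are logged. c
 ! Session monitoring: at most 100 tunnels in this group, one login per user
 max-users 100
 max-logins 1
 ! Group lock: the Xauth username must carry the group as user/Group1.
 ! Drop this line if you switch the IKE policy to rsa-sig.
 group-lock
 ! Client software push and configuration push (placeholder URLs)
 auto-update client Win url http://www.example.com/vpnclient rev 5.0.07.0440
 configuration url http://10.1.1.40/ezvpn/Group1.cfg
 configuration version 3
!
crypto ipsec transform-set trans2 esp-aes 256 esp-sha-hmac
crypto dynamic-map dynmap 1
 set transform-set trans2
 ! Reverse route injection: one host route per connected client
 reverse-route
!
! Xauth and Mode Configuration are enforced only once bound to the crypto map
crypto map static-map client authentication list xauthlist
crypto map static-map isakmp authorization list ikessaaalist
crypto map static-map client configuration address respond
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
interface FastEthernet4
 ip address 203.0.113.1 255.255.255.0
 crypto map static-map
!
crypto logging ezvpn group Group1

! ===== Matching Easy VPN remote router (hardware client); values assumed =====
crypto ipsec client ezvpn ezvpnclient
 connect auto
 group Group1 key Group1PreSharedKey
 mode client
 peer 203.0.113.1
 ! Prompt for Xauth credentials rather than storing them in the configuration
 xauth userid mode interactive
!
interface FastEthernet4
 ip address dhcp
 crypto ipsec client ezvpn ezvpnclient outside
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 crypto ipsec client ezvpn ezvpnclient inside
```

Verify on the server with show crypto session summary (active groups and their users) and show crypto ipsec sa, and on the remote router with show crypto ipsec client ezvpn. With group-lock set, a user who negotiated IKE with the Group1 key but authenticates as vpnuser/Group2 is rejected, which is the extra Xauth check the text describes; the max-users and max-logins limits apply only to this device, so with several servers behind a load balancer the counts must come from a central RADIUS server instead.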

VPN client: a Cisco access router. Router: provides access to the corporate office network. Corporate office with a network address of (not given).

The encr command specifies the encryption algorithm used in the IKE policy; the example specifies DES, which is no longer considered secure and should be replaced with AES. The hash command specifies the hash algorithm used in the IKE policy. The authentication command specifies the authentication method used in the IKE policy; the example specifies a pre-shared key.

The exit command leaves IKE policy configuration mode and returns to global configuration mode. The key command specifies the IKE pre-shared key for the group policy. The table below outlines the supported IPsec protocol options and attributes that can be configured for this feature.

Mode Configuration version 6 is supported, with the additional attributes described in an IETF draft submission. Xauth for user authentication is likewise based on an IETF draft submission.

DPD is useful because a host may reboot, or a remote user's dialup link may drop, without the peer being notified that the VPN connection has ended. When an IPsec host determines that a VPN connection no longer exists, it can notify a user, attempt to switch to another IPsec host, or clean up valuable resources that were allocated for the peer that no longer exists.

The crypto isakmp keepalive seconds [retries] command allows the gateway to send DPD messages to the peer. The seconds argument specifies the number of seconds between DPD messages; the retries argument specifies the number of seconds between retries if a DPD message goes unanswered (the range is 2 to 60 seconds).

Remote clients can support split tunneling, which gives a client intranet and Internet access at the same time. If split tunneling is not configured, the client sends all traffic through the tunnel, even traffic destined for the Internet. If a client is suddenly disconnected, the gateway may not be notified.

If the client then attempts to reconnect, the gateway refuses the connection because the previous connection information is still valid. To avoid this, a capability called initial contact was introduced; it is supported by all Cisco VPN products.

When a client or router connects to another Cisco gateway for the first time, it sends an initial contact message that tells the receiver to ignore and delete any old connection information kept for the newly connecting peer. Initial contact ensures that connection attempts are not refused because of SA synchronization problems, which typically show up as invalid security parameter index (SPI) messages and otherwise require the devices to have their connections cleared.

Policy attributes such as IP addresses, DNS servers, and split-tunnel access can be provided on a per-group or per-user basis, and an individual user attribute can override the group value. Per-user attributes are retrieved when the user is authenticated via Xauth, combined with the group attributes, and applied during Mode Configuration.

Attributes can be applied on a per-user basis after the user has been authenticated, and they override any similar group attributes. If a Framed-IP-Address is present and a local pool is also configured for the user's group, the framed IP address overrides the local pool setting. The IP address is pushed to the remote device using Mode Configuration.

As with the group attribute, the User-Save-Password attribute can be received in addition to the group variant Save-Password; if it is received, it overrides the value asserted by the group. Likewise, the User-Include-Local-LAN attribute can be received in addition to the group variant Include-Local-LAN, and if received it overrides the group value.

Per-user attributes work with both preshared-key and RSA-signature (certificate) authentication. To check that the group a user is attempting to connect to is indeed the group the user belongs to, use the User-VPN-Group attribute: the administrator sets it to a string naming the group the user belongs to.

If the groups do not match, the client connection is terminated. Local Xauth authentication must still use the Group-Lock attribute. The group lock feature performs an extra authentication check during Xauth.

With this feature enabled, the user must enter a username, group name, and user password during Xauth; if the entered group name does not match the group the tunnel was negotiated with, the server denies the connection. To enable it, use the group-lock command for the group. Do not use the Group-Lock attribute with RSA-signature authentication mechanisms such as certificates.

The router can mimic the functionality some RADIUS servers provide for limiting the maximum number of connections to a specific server group and the number of simultaneous logins for users in that group.

Once the thresholds are defined for a VPN group, new connections that would exceed them are denied until the counts drop back below the thresholds.

When the limits are enforced on a RADIUS server, usage can be controlled across a number of servers from one central repository. When the feature is enabled on the router itself, only connections to groups on that specific device are monitored.

Load-sharing scenarios are therefore not accurately accounted for. To configure session monitoring, use the crypto isakmp client configuration group command in global configuration mode and the max-users and max-logins commands in crypto ISAKMP group configuration mode. With the Virtual IPsec Interface Support on a Server feature, tunnel-up configuration can be applied to separate interfaces, making it easier to apply different features when the tunnel comes up.

Features applied to traffic entering the tunnel can be kept separate from features applied to traffic that does not go through the tunnel, for example split-tunnel traffic and traffic leaving the device when the tunnel is down.

When the Easy VPN negotiation succeeds, the line protocol state of the virtual-access interface changes to up. When the Easy VPN tunnel goes down because the SA expires or is deleted, the line protocol state of the virtual-access interface changes to down. The following features provide support for attributes that aid in the management of the Cisco Easy VPN remote device.
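As an added example, not from the page or from Cisco's documentation, the following configures an Easy VPN server in the virtual-interface style just described, using RSA-signature (certificate) authentication and per-user attributes fetched from RADIUS under the username built from the certificate's common name, which is the trustpoint procedure the earlier command fragments outline. The trustpoint, key pair, AAA list, ISAKMP profile, certificate map, pool and ACL names, all addresses and the CA enrollment URL are assumed placeholders; the RSA key pair is generated beforehand in exec mode with crypto key generate rsa label rsa-pair modulus 2048.

```cisco
! ===== Easy VPN server with virtual access interfaces and certificate auth =====
! All names and addresses are assumed placeholders.
aaa new-model
! Xauth and per-user attribute lookups both go to RADIUS
aaa authentication login xauthlist group radius
aaa authorization network ikessaaalist group radius
radius-server host 10.1.1.20 auth-port 1812 acct-port 1813 key RadiusSharedSecret
!
crypto pki trustpoint ca-server
 enrollment url http://10.1.1.50:80
 revocation-check crl
 rsakeypair rsa-pair
 ! Build the AAA username from the certificate CN and query ikessaaalist
 ! for that user's attributes (Framed-IP-Address, ACLs, ...) at connect time
 authorization username subjectname commonname
 authorization list ikessaaalist
!
! Only certificates whose OU is Group1 are accepted; with rsa-sig the OU
! is also what selects the Easy VPN group policy
crypto pki certificate map vpn-users 10
 subject-name co ou = Group1
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication rsa-sig
 group 2
crypto isakmp keepalive 10 3 periodic
!
crypto isakmp client configuration group Group1
 pool vpnpool
 netmask 255.255.255.0
 acl split-tunnel
 dns 10.1.1.10
 domain example.com
 ! No group-lock here: the text warns against combining it with rsa-sig
!
! The ISAKMP profile ties authentication, authorization, Mode Configuration
! and the virtual template together, replacing the crypto map statements
crypto isakmp profile vi-profile
 ca trust-point ca-server
 match certificate vpn-users
 client authentication list xauthlist
 isakmp authorization list ikessaaalist
 client configuration address respond
 virtual-template 2
!
crypto ipsec transform-set trans2 esp-aes 256 esp-sha-hmac
crypto ipsec profile vi-ipsec
 set transform-set trans2
 set isakmp-profile vi-profile
!
ip local pool vpnpool 192.168.100.1 192.168.100.254
ip access-list extended split-tunnel
 permit ip 10.0.0.0 0.255.255.255 192.168.100.0 0.0.0.255
!
! Each client gets its own virtual-access interface cloned from this template,
! so per-tunnel features (ACLs, QoS, NetFlow) are applied here, not on Fa4
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi-ipsec
!
interface FastEthernet4
 ip address 203.0.113.1 255.255.255.0
```

After a client connects, show crypto session lists the tunnel against its virtual-access interface, show interfaces virtual-access 1 shows the line protocol going up and down with the SA as the text describes, and show crypto isakmp peers config shows the manageability information the client sent. Because per-user attributes are keyed on the certificate CN, revoking a certificate (revocation-check crl above) or removing the user's RADIUS entry is what ends that user's access; there is no group preshared key to rotate.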

A banner is required for the web-based activation feature. Use the crypto isakmp client configuration group command to name the group for which a policy profile is being defined and to enter crypto ISAKMP group configuration mode.

With this feature, you do not have to modify the web browser's proxy settings manually when connecting to the corporate network with the Cisco VPN Client, or revert them manually when disconnecting.

Use the crypto isakmp client configuration browser-proxy command in global configuration mode to define the browser-proxy parameters, then reference them from the group with the browser-proxy command.

When remote devices connect to a corporate gateway to create an IPsec VPN tunnel, some policy and configuration information has to be applied to the remote device while the tunnel is active so that it can become part of the corporate VPN.

The CLI for this feature is configured on the concentrator. The configuration that is pushed to the remote device is persistent by default. There are no restrictions on where the configuration distribution server is physically located.

The configuration server can be located in the corporate network, and because the transfer happens through the IPsec tunnel, an otherwise insecure access protocol such as HTTP can be used. The tunnel only protects the transfer in transit, however; there is no built-in restriction on which remote devices can fetch which configuration, so the distribution server should still restrict access to the files it serves. When the tunnel comes up, the remote device sends a notification containing several manageability information messages about itself. The Easy VPN server takes two actions when this information is received: it caches the information in its peer database, and, if accounting is enabled, it forwards it to the accounting server as described below.

The cached information can be displayed with the show crypto isakmp peers config command, whose output lists all manageability information sent by the remote device. If accounting is enabled, the Easy VPN server also sends an accounting update record containing the manageability information about the remote device to the RADIUS accounting server.

The username used to obtain the attributes is taken from the remote device's certificate, and the attributes are applied on the virtual access interface. An example of an Easy VPN syslog message is "Incorrect firewall record being sent by Client", reported when the client sends an incorrect vendor, product or capability. To enable Easy VPN syslog messages on a server, use the crypto logging ezvpn [group group-name] command. If a group name is not provided, syslog messages are enabled for all Easy VPN connections to the server; if a group name is provided, they are enabled for that group only.
