Implementing Secure Converged Wide Area Networks (ISCW). Implementing the Cisco VPN Client. Module 3 – Lesson 9.
Module Introduction
• Virtual private networks (VPNs) use advanced encryption techniques and tunneling to permit organisations to establish secure, end-to-end, private network connections over third-party networks such as the Internet
• Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX security and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to create VPN solutions that meet the security requirements of any organisation
• This module explains fundamental terms associated with VPNs, including the IP Security (IPsec) protocol and Internet Key Exchange (IKE). It then details how to configure various types of VPN using the methods currently available
Objectives
• At the completion of this ninth lesson, you will be able to:
• Describe how, when and where the Cisco VPN Client software is used
• Install and configure the Cisco VPN Client software on a PC running Windows
Cisco VPN Client
• The Cisco VPN Client is simple to deploy and operate
• It allows organisations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers
• The ‘thin design’ IPsec implementation is compatible with all Cisco VPN products
Cisco VPN Client
• When the Cisco VPN Client is preconfigured for mass deployments, initial logins require little user intervention. The Cisco VPN Client supports the Cisco Easy VPN capabilities, delivering a scalable, cost-effective and easy-to-manage remote access VPN architecture that eliminates the operational costs associated with maintaining a consistent policy and key management method
• The Cisco Easy VPN feature allows the Cisco VPN Client to receive security policies on a VPN tunnel connection from the central-site VPN device (the Cisco Easy VPN Server), minimising configuration requirements at the remote location
• This simple and highly scalable solution is ideal for large remote access deployments where it is impractical to configure policies individually for multiple remote PCs
Cisco VPN Client Configuration Tasks
• Install Cisco VPN Client
• Create a new client connection entry
• Configure the client authentication properties
• Configure transparent tunneling
• Enable and add backup servers
• Configure a connection to the Internet through dialup networking
Install Cisco VPN Client
• The Cisco VPN Client can be installed on a Windows system by using either of two applications:
  • InstallShield
  • Microsoft Windows Installer (MSI)
• Both applications use installation wizards to proceed through the installation
• This task includes the following activities:
  • Verifying system requirements
  • Gathering the information needed
  • Installing the VPN Client through InstallShield or through MSI
Uninstall old Cisco VPN Client
• If a previously installed VPN Client has not been uninstalled, an error message appears when the vpnclient_en.exe or vpnclient_en.msi command is executed
• The previously installed VPN Client must be uninstalled before proceeding with the new installation
• To remove a Cisco VPN Client that was installed with MSI, use the Windows Add or Remove Programs feature in the Control Panel
• To remove a Cisco VPN Client that was installed with InstallShield, choose Start > Programs > Cisco Systems VPN Client > Uninstall Client
Create a New Client Connection Entry
• To use the Cisco VPN Client, at least one connection entry that includes this information must be created:
  • VPN device: The remote server to access
  • Pre-shared keys: Pre-shared keys are secret passwords or encryption keys entered into both sides of the message exchange ahead of time. The entry is the IPsec group assigned by the system administrator. The group determines how the remote network is accessed and used. For example, the group specifies access hours, number of simultaneous logins, user authentication method, and the IPsec algorithms that the Cisco VPN Client uses
  • Certificates: The name of the certificate that is being used for authentication
• Optional parameters that govern VPN Client operation and connection to the remote network can also be assigned
Create a New Client Connection Entry
• To add a new entry, follow these steps (next two slides):
  • The VPN Client application starts and displays the advanced mode main window. If the advanced mode window does not appear and the simple mode window is displayed, choose Options > Advanced Mode or press Ctrl-M
  • Click the New icon in the toolbar. Alternatively, choose New in the Connection Entries menu
  • Enter a unique name for this new connection in the Connection Entry field. Any name can be used to identify this connection; for example, Engineering. This name can contain spaces and is not case sensitive
  • Enter a description of this connection in the Description field. This field is optional, but a description helps further identify this connection. For example, ‘Connection to Engineering remote server’
  • Enter the host name or IP address of the remote VPN device to be accessed in the Host field
  • Save the connection entry by clicking the Save button
Create a New Client Connection Entry—Main Window (Task 2)
(Screenshot: VPN Client Main Window, with callouts 1 and 2 for the first two steps)
Creating a New Connection Entry (Task 2)
(Screenshot: new connection entry form, with callouts 3 to 6 for the remaining steps)
Configure Client Authentication Properties
• In Task 3, client authentication properties are configured in the same form as Task 2, but under a different tab
• Under the Authentication tab, enter the information for the method to be used
• The client can authenticate as a member of a group (configured on the VPN device) or by supplying an identity digital certificate
Group Authentication
• The network administrator usually configures group authentication. However, if group authentication has not been configured, complete the following procedure:
  • Select the Group Authentication radio button
  • In the Name field, enter the name of the IPsec group that the user belongs to. This entry is case sensitive
  • In the Password field, enter the password (which is also case sensitive) for the IPsec group. The field displays only asterisks
  • Verify the password in the Confirm Password field
Configuring Client Authentication Properties (Task 3)
• Authentication options:
  • Group preshared secrets (group name and group secret)
  • Mutual authentication (import CA certificate first; group name and secret)
  • Digital certificates (enroll with the CA first; select the certificate)
(Screenshot: Authentication tab, with callouts 1 to 4 for the group authentication steps)
Mutual Group Authentication
• Another group authentication option is to use mutual group authentication
• To use mutual group authentication, a root certificate that is compatible with the central-site VPN device must be installed on the system:
  • The network administrator can load a root certificate on the system during installation. When the Mutual Group Authentication radio button is selected, the VPN Client software verifies whether or not a root certificate is installed
  • If a root certificate is NOT installed, the VPN Client prompts for one to be installed. Before continuing, a root certificate must be imported
• When a root certificate has been installed (if required), follow the same steps as for group authentication
Mutual Group Authentication (Task 3)
• Mutual authentication should be used instead of group preshared secrets
• Group preshared secrets are vulnerable to man-in-the-middle attacks if the attacker knows the group preshared secret
(Screenshot: Authentication tab with Mutual Group Authentication selected, callouts 1 and 2)
Transparent Tunneling
• Transparent tunneling allows secure transmission between the Cisco VPN Client and a secure gateway through a router that is serving as a firewall. The firewall may also perform NAT or PAT
• Transparent tunneling encapsulates Protocol 50 (ESP) traffic within UDP packets, and can allow both ISAKMP and Protocol 50 to be encapsulated in TCP packets before the packets are sent through the NAT or PAT devices or firewalls
• The most common application for transparent tunneling is behind a home router performing PAT
Transparent Tunneling
• The Cisco VPN Client also sends keepalives frequently, ensuring that the mappings on the devices are kept active
• Not all devices support multiple simultaneous connections. Some devices cannot map additional sessions to unique source ports. Be sure to check with your vendor to verify whether or not this limitation exists on your device. Some vendors support Protocol 50 PAT (IPsec pass through), which might allow operation without enabling transparent tunneling
• To use transparent tunneling, the central-site group must configure the Cisco VPN device to support transparent tunneling
Transparent Tunneling
• Follow this procedure to use transparent tunneling:
  • The transparent tunneling parameter is enabled by default. To disable this parameter, uncheck the Enable Transparent Tunneling check box. It is recommended that this parameter is always left checked
  • Select a mode of transparent tunneling: over User Datagram Protocol (UDP) or over TCP. The mode used must match the mode used by the secure gateway being connected to. Either mode operates properly through a PAT device. Multiple simultaneous connections might work better with TCP, and in an extranet environment TCP mode is preferable. UDP does not operate with stateful firewalls, so if stateful firewalls are in use, choose TCP
Transparent Tunneling
• Options for transparent tunneling include:
  • Using IPsec over UDP (NAT/PAT): To enable IPsec over UDP (NAT or PAT), click the IPsec over UDP (NAT/PAT) radio button. With UDP, the port number is negotiated. UDP is the default mode
  • Using IPsec over TCP (NAT/PAT/Firewall): To enable IPsec over TCP, click the IPsec over TCP radio button. When using TCP, the port number for TCP must be entered in the TCP Port field. This port number must match the port number that is configured on the secure gateway. The default port number is 10000
  • Allowing Local LAN Access: In a multiple network interface card (NIC) configuration, local LAN access pertains only to network traffic on the interface that the tunnel is established on
Allow Local LAN Access
• The Allow Local LAN Access parameter gives access to the resources on the local LAN (printer, fax, shared files, or other systems) when the computer is connected through a secure gateway to a central-site VPN device
• When this parameter is enabled and the central site is configured to permit access, local resource access is allowed while the host is connected. When this parameter is disabled, all traffic from the client system goes through the IPsec connection to the secure gateway
• To enable this feature, check the Allow Local LAN Access check box in the Transport tab of the VPN Client Properties window. To disable the feature, uncheck the check box. If the local LAN is not secure, this feature should be disabled
• For example, disable this feature when using a local LAN in a hotel or airport
Configuring Transparent Tunneling (Task 4)
• Transparent tunneling is on by default
• NAT-T enables IPsec and IKE over a standard UDP port 4500, allowing the VPN Client to be behind a NAT or PAT device
(Screenshot: Transport tab, with callouts 1 and 2 for the transparent tunneling settings)
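The Transparent Tunneling slides describe ESP being carried inside UDP, with IKE on the same UDP port 4500 and frequent keepalives to hold the NAT mapping open. The following Python example is added here to make that framing concrete; it is not part of the lesson or of Cisco's software. It classifies UDP payloads the way a network monitor confirming that a client is really using NAT-T would, following RFC 3948: a single 0xFF byte is a NAT keepalive, four zero bytes (the Non-ESP Marker) precede an IKE message, and anything else on port 4500 is UDP-encapsulated ESP whose header begins with the SPI. The sample packets and the ISAKMP SPI values are constructed for the demonstration; the exchange-type names are the IKEv1 assignments.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Ports and framing constants from RFC 3947/3948 (NAT-T); 4500 is the
# "standard UDP port" the Task 4 slide refers to.
IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # prefixed to IKE messages sent on port 4500
NAT_KEEPALIVE = b"\xff"                  # one-byte keepalive that refreshes NAT/PAT mappings
ISAKMP_HDR = struct.Struct("!QQBBBBII")  # iSPI, rSPI, next payload, version, exchange, flags, msg id, length
ESP_HDR = struct.Struct("!II")           # SPI, sequence number

# IKEv1 exchange types (ISAKMP base types plus the IPsec DOI Quick Mode)
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}


@dataclass
class Classified:
    kind: str                 # "keepalive", "ike", "esp", "ike-plain" or "unknown"
    detail: str = ""
    spi: Optional[int] = None  # ESP SPI, or IKE initiator SPI


def parse_ike(data: bytes, kind: str) -> Classified:
    """Pull version and exchange type out of an ISAKMP header; anything shorter is not IKE."""
    if len(data) < ISAKMP_HDR.size:
        return Classified("unknown", "short ISAKMP header")
    ispi, _rspi, _np, version, exchange, _flags, _msgid, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        return Classified("unknown", "ISAKMP length field does not match payload")
    major = version >> 4
    name = EXCHANGE_TYPES.get(exchange, f"type {exchange}")
    return Classified(kind, f"IKEv{major} {name}", spi=ispi)


def classify_udp_payload(dst_port: int, payload: bytes) -> Classified:
    """Classify one UDP payload seen on the IKE (500) or NAT-T (4500) port."""
    if dst_port == IKE_PORT:
        return parse_ike(payload, "ike-plain")
    if dst_port != NAT_T_PORT:
        return Classified("unknown", f"port {dst_port} is not IKE/NAT-T")
    if payload == NAT_KEEPALIVE:
        return Classified("keepalive", "NAT keepalive")
    if payload.startswith(NON_ESP_MARKER):
        return parse_ike(payload[len(NON_ESP_MARKER):], "ike")
    if len(payload) < ESP_HDR.size:
        return Classified("unknown", "too short for ESP")
    spi, seq = ESP_HDR.unpack_from(payload)
    if spi < 256:  # SPIs 0-255 are reserved, so real ESP never starts this way
        return Classified("unknown", f"reserved SPI {spi}")
    return Classified("esp", f"UDP-encapsulated ESP seq={seq}", spi=spi)


def summarize(packets: List[tuple]) -> dict:
    """Count packet kinds in a flow, so a monitor can confirm NAT-T is in use end to end."""
    counts: dict = {}
    for port, payload in packets:
        kind = classify_udp_payload(port, payload).kind
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def constructed_ike(exchange: int) -> bytes:
    """Constructed header-only IKEv1 message (no payloads); the initiator SPI is made up."""
    return ISAKMP_HDR.pack(0x1122334455667788, 0, 1, 0x10, exchange, 0, 0, ISAKMP_HDR.size)


# Constructed sample flow: Aggressive Mode IKE behind the marker, two ESP packets, a keepalive.
SAMPLE_FLOW = [
    (NAT_T_PORT, NON_ESP_MARKER + constructed_ike(4)),
    (NAT_T_PORT, ESP_HDR.pack(0x1A2B3C4D, 1) + b"\x00" * 16),
    (NAT_T_PORT, ESP_HDR.pack(0x1A2B3C4D, 2) + b"\x00" * 16),
    (NAT_T_PORT, NAT_KEEPALIVE),
]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOW:
        c = classify_udp_payload(port, payload)
        print(port, c.kind, c.detail)
    print(summarize(SAMPLE_FLOW))
```

The length check in `parse_ike` matters in practice: the Non-ESP Marker is only meaningful on port 4500, and a payload that starts with four zero bytes but carries no valid ISAKMP header is reported as unknown rather than guessed at.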
Statistics
• The Statistics window provides information about the following:
  • Tunnel details
  • Routing table
  • Personal firewall
• To display the routing table:
  • From the VPN Client page, choose Status > Statistics
  • Select the Route Details tab from the Statistics dialog box
• The routing table shows local LAN routes that do not traverse the IPsec tunnel, and secured routes that do traverse the IPsec tunnel to a central-site device
• The routes in the local LAN routes column are for locally available resources
Status > Statistics > Route Details
• The Statistics window provides information about tunnel details, the routing table, and personal firewall
(Screenshot: Statistics dialog box, Route Details tab, with callouts 1 and 2)
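The Allow Local LAN Access and Route Details slides together define a routing decision: a destination reaches the local LAN only if the client check box is on and the central site permits it, otherwise every destination follows the secured routes through the tunnel. The following Python example is added here to show that decision as code; it is not part of the lesson or of Cisco's software, and the `ClientPolicy` type, the two sample policies and the addresses in them are constructed for the demonstration. It also covers the split-tunnel case, where a destination matching neither column is routed by the operating system with no IPsec protection.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ClientPolicy:
    """The settings that decide whether a destination is reached locally or via the tunnel."""
    local_lan_routes: List[str]     # left column of Route Details: directly reachable networks
    secured_routes: List[str]       # right column: networks that traverse the IPsec tunnel
    allow_local_lan: bool           # Transport tab check box on the client
    central_site_permits: bool      # the Easy VPN Server must also permit local LAN access


def route_details(policy: ClientPolicy) -> Tuple[list, list]:
    """Build the two columns the Statistics window shows for the active policy.

    Local LAN routes exist only when both the client check box and the central site
    allow them; otherwise the left column is empty and everything falls to the tunnel.
    """
    secured = [ipaddress.ip_network(n) for n in policy.secured_routes]
    local = []
    if policy.allow_local_lan and policy.central_site_permits:
        local = [ipaddress.ip_network(n) for n in policy.local_lan_routes]
    return local, secured


def path_for(policy: ClientPolicy, destination: str) -> str:
    """Longest-prefix match across both columns.

    Returns "local-lan", "tunnel", or "unsecured" when neither column matches
    (split tunneling: the OS routes the packet normally, outside the VPN).
    """
    addr = ipaddress.ip_address(destination)
    local, secured = route_details(policy)
    best: Optional[Tuple[int, str]] = None
    for label, routes in (("local-lan", local), ("tunnel", secured)):
        for net in routes:
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, label)
    return best[1] if best else "unsecured"


def leaks_to_untrusted_lan(policy: ClientPolicy, lan_is_trusted: bool) -> bool:
    """Flag the case the slide warns about: local LAN access active on a hotel or airport LAN."""
    local, _secured = route_details(policy)
    return bool(local) and not lan_is_trusted


# Constructed example: full-tunnel policy (0.0.0.0/0 secured) on a home LAN, local access allowed.
HOME = ClientPolicy(["192.168.1.0/24"], ["0.0.0.0/0"], allow_local_lan=True, central_site_permits=True)
# Same client check box, but the central site does not permit local LAN access.
LOCKED = ClientPolicy(["192.168.1.0/24"], ["0.0.0.0/0"], allow_local_lan=True, central_site_permits=False)
# Split-tunnel policy: only the corporate 10.0.0.0/8 range is secured.
SPLIT = ClientPolicy([], ["10.0.0.0/8"], allow_local_lan=False, central_site_permits=True)

if __name__ == "__main__":
    for dst in ("192.168.1.50", "10.1.1.1", "8.8.8.8"):
        print(dst, "home:", path_for(HOME, dst), "locked:", path_for(LOCKED, dst), "split:", path_for(SPLIT, dst))
    print("hotel LAN leak with HOME policy:", leaks_to_untrusted_lan(HOME, lan_is_trusted=False))
```

Run against the three constructed policies, the local printer address is reached directly only under `HOME`; under `LOCKED` the same address goes through the tunnel because the central site has the final say, and under `SPLIT` a public address is routed outside the VPN entirely, which is the exposure a reviewer of the Route Details tab should be looking for.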
Enable Backup Servers
• To enable backup servers from the VPN Client, click the Backup Servers tab in the VPN Client Properties form:
  • Check the Enable Backup Servers check box. This box is unchecked by default
  • Click Add to enter the backup server address. A new window appears
  • Enter the host name or IP address of the backup server, using a maximum of 255 characters. Click OK when done
Enable and Add Backup Servers (Task 5)
• List backup VPN servers that are to be used in case the primary VPN server is not reachable
(Screenshot: Backup Servers tab, with callouts 1 to 3 for the steps above)
Configuring the Dialup Connection
• The final task is configuring the dialup connection to the Internet
• To connect to a private network using a dialup connection, perform the following:
  • Use a dialup connection to your Internet service provider (ISP) to connect to the Internet
  • Use the VPN Client to connect to the private network through the Internet
• To enable and configure this feature, check the Connect to Internet via dial-up check box in the Dial-Up tab of the VPN Client Properties form. This box is unchecked by default
Configuring the Dialup Connection
• The connection to the Internet can be made from the VPN Client application in one of two ways. Click the appropriate button in the Dial-Up tab based on which option is chosen:
  • Microsoft Dial-Up Networking
  • Third-party dial-up application
• Once this connection is made, the configuration of the Cisco VPN Client is complete
Configure Connection to the Internet Through Dial-Up Networking (Task 6)
• Optionally, tie a VPN connection to a dialup connection defined in the Networking section of Windows