Configuring VPN Groups

A VPN group is a set of parameters applied to related VPN users when they connect to the concentrator. Parameters include the IP addresses assigned to the clients, the networks a client can reach, and the encryption method for tunnels. For initial tunnel authentication, see "Configuring VPN Tunnel Authentication." This chapter describes how to configure VPN groups for the VPN 5000 Client. For LAN-to-LAN tunnels between concentrators, see "Configuring VPN LAN-to-LAN Tunnels."

You can create up to 100 VPN groups.

Follow these steps to create a VPN group:

Step 1: configure VPN Group name

name is up to 15 characters long and unique on the concentrator.

Step 2: MaxConnections = Number

Specifies the maximum number of client connections for this VPN group. If you do not specify a number, connections are allowed on a first-come, first-served basis until the maximum number of connections for the concentrator is reached. If you use LocalIPNet with fewer addresses than the available maximum connections, the mask determines MaxConnections. For example, a 24-bit mask makes MaxConnections 254 by default.

Step 3: assign IP addresses to clients using one of the following methods:

LocalIPNet specifies the network from which the concentrator assigns an IP address to remote clients. This network must be different from the destination network and routable on the destination network. See the "Subnet Masks" section for a description of /bits.

StartIPAddress specifies the first IP address in a range from which the concentrator assigns IP addresses to remote clients. The number of addresses in the range is the same as the MaxConnections value. The IP addresses in the range must be on the destination network attached to the concentrator. For example, if the concentrator allows remote access to the directly connected 10.1.1.0/24 network, you can use StartIPAddress to assign remote users the addresses 10.1.1.225 to 10.1.1.254. Be sure not to use these addresses for hosts on the destination network. The concentrator uses proxy ARP to answer ARP requests for the remote user addresses with its own Ethernet address. Do not set the IP section keyword ProxyArp = On.

The advantage of LocalIPNet over StartIPAddress is that the concentrator can use a single route for the remote user network instead of one route per remote user, which can make the routing table very large. A dedicated remote network is also easier to keep track of than a set-aside block of addresses.

The advantage of StartIPAddress over LocalIPNet is that remote users appear to be on the destination network itself, so the concentrator does not have to advertise a separate remote user network through routing protocols.

These addresses cannot be shared with other VPN groups. At the end of the client session, the concentrator returns a client's IP address to the pool.

Step 4: IPNet = IP_Address/bits

Specifies the network that remote clients can reach through the tunnel; the client tunnels any traffic destined for this network. To reach multiple networks, enter this command once per network, for up to 64 networks. To allow access to a single host, specify 32 as the bits value. See the "Subnet Masks" section for a description of /bits. If you do not enter an IPNet, the default is 0.0.0.0/0, which tunnels all traffic.

Step 5: if you are using IPX, assign IPX addresses to clients using one of the following methods:

LocalIPXNet specifies the first IPX network in a range from which the concentrator assigns IPX networks to remote clients. The number of networks in the range is the same as the MaxConnections value. The IPX networks in the range must be different from the destination network.

Step 6: DNSPrimaryServer = IP_Address

(Optional) Specifies the IP address of a DNS server on the destination network for this VPN group. When a connected user sends a DNS request, the VPN 5000 Client intercepts the request and forwards it to this DNS server on the destination network rather than letting the local ISP's DNS server answer it.

Step 7: Transform = {ESP(SHA,DES) | ESP(SHA,3DES) | ESP(MD5,DES) | ESP(MD5,3DES) | ESP(MD5) | ESP(SHA) | AH(MD5) | AH(SHA) | AH(MD5)+ESP(DES) | AH(MD5)+ESP(3DES) | AH(SHA)+ESP(DES) | AH(SHA)+ESP(3DES)}

Specifies the protection types and algorithms used for IKE sessions. You can enter this command multiple times within this section, in which case the concentrator proposes all of the specified transforms and the tunnel peer accepts one of them during negotiation. A transform comprises the following elements:

The header type:

  • ESP uses the Encapsulating Security Payload (ESP) header. ESP encrypts the data but not the header.

  • AH uses the Authentication Header (AH), which authenticates the entire IP packet including the header. AH provides stronger end-to-end authentication than ESP.

The authentication algorithm used for the negotiation:

  • MD5 is the Message Digest 5 hash algorithm.

  • SHA is the Secure Hash Algorithm, which is considered to be more secure than MD5.

The encryption algorithm:

  • DES (Data Encryption Standard) uses a 56-bit key to scramble the data.

  • 3DES (Triple DES) uses three different keys and three applications of the DES algorithm to scramble the data. 3DES is subject to restrictions by U.S. encryption export laws, and might not be available outside the U.S.

ESP(MD5,DES) is the default setting if you do not specify a Transform, and is recommended for most setups.

AH(xxx)+ESP(xxx) uses the Authentication Header to authenticate packets and the ESP header to encrypt them.

The Mac OS VPN 5000 Client does not support AH, so specify at least one ESP-only option if you have Mac OS users.

If you use NAT Transparency in the VPN 5000 Client, you must use an ESP transform in the VPN group configuration, and it must be listed before any AH transforms.
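As an added example that is not part of the Cisco documentation, the rules of this chapter written as a Python checker for a VPN Group section modelled as a dict keyed by the configuration keywords above; the group names, addresses and the nat_transparency and mac_clients flags are constructed for illustration.

```python
"""Check a VPN Group section against the rules in this chapter (constructed
example, not Cisco code). The group is a dict keyed by the configuration
keywords; check_group() returns the problems found, empty when consistent."""
import ipaddress

ESP_ONLY = {"ESP(SHA,DES)", "ESP(SHA,3DES)", "ESP(MD5,DES)",
            "ESP(MD5,3DES)", "ESP(MD5)", "ESP(SHA)"}
AH_ANY = {"AH(MD5)", "AH(SHA)", "AH(MD5)+ESP(DES)", "AH(MD5)+ESP(3DES)",
          "AH(SHA)+ESP(DES)", "AH(SHA)+ESP(3DES)"}
DEFAULT_TRANSFORM = "ESP(MD5,DES)"  # used when no Transform line is given


def pool_size(local_ip_net):
    """Client addresses a LocalIPNet can hand out (a 24-bit mask gives 254)."""
    return ipaddress.ip_network(local_ip_net, strict=False).num_addresses - 2


def check_group(group, nat_transparency=False, mac_clients=False):
    problems = []
    if not 1 <= len(group.get("name", "")) <= 15:
        problems.append("name must be 1 to 15 characters")
    # IPNet: up to 64 entries; with none given, 0.0.0.0/0 tunnels everything
    ipnets = [ipaddress.ip_network(n, strict=False)
              for n in group.get("IPNet", ["0.0.0.0/0"])]
    if len(ipnets) > 64:
        problems.append("more than 64 IPNet entries")
    local, start = group.get("LocalIPNet"), group.get("StartIPAddress")
    if (local is None) == (start is None):
        problems.append("use exactly one of LocalIPNet or StartIPAddress")
    if local is not None:
        net = ipaddress.ip_network(local, strict=False)
        # the client network must differ from every tunnelled destination
        if any(net.overlaps(d) for d in ipnets if d.prefixlen > 0):
            problems.append("LocalIPNet overlaps a destination IPNet")
        maxconn = group.get("MaxConnections", pool_size(local))
        if maxconn > pool_size(local):
            problems.append("MaxConnections %d exceeds the LocalIPNet pool of %d"
                            % (maxconn, pool_size(local)))
    transforms = group.get("Transform", [DEFAULT_TRANSFORM])
    unknown = [t for t in transforms if t not in ESP_ONLY | AH_ANY]
    if unknown:
        problems.append("unknown Transform(s): " + ", ".join(unknown))
    if mac_clients and not any(t in ESP_ONLY for t in transforms):
        problems.append("Mac OS clients need at least one ESP-only Transform")
    if nat_transparency:
        # an ESP transform is required and must precede every AH transform
        esp = [i for i, t in enumerate(transforms) if t in ESP_ONLY]
        ah = [i for i, t in enumerate(transforms) if t in AH_ANY]
        if not esp or (ah and esp[0] > ah[0]):
            problems.append("NAT Transparency needs an ESP Transform before any AH")
    return problems
```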

To learn more about these and other settings, see the VPN Group section in the Cisco VPN 5000 Concentrator Series Command Reference Guide.


Posted: Wed Sep 27 10:00:22 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.