Tunnel Partner

The Tunnel Partner section configures VPN tunnel parameters and defines a virtual port for LAN-to-LAN tunnel traffic. Tunneling of IP, IPX, AppleTalk or bridging protocols can then be configured using the appropriate protocol-specific section for the configured VPN port. All tunnel traffic sent between Tunnel Partners is processed according to the rules specified in this section. These parameters must be set for both ends of the tunnel.

configure Tunnel Partner VPN [slot:]Number

Syntax Description

VPN [slot:]Number

  • Number is a unique identifier for this tunnel, between 0 and one less than the maximum number of tunnels per module (for example, 4999).

  • For modular platforms, specify a slot to load-balance the VPN processing. The slot you enter here is not related to the slot at which the tunnel terminates; rather, you specify the slot to identify the module processor that handles the VPN processing for this tunnel. If you have many tunnels, you should divide them evenly among the slots, making sure not to exceed the maximum tunnels supported by a module. By default, the slot is 0.

You can reuse the number for each slot. For example, 0:1 and 1:1 are allowed.

Usage Guidelines

Products shipped to certain nations or organizations which are subject to restrictions by U.S. encryption export laws may not support the 3DES encryption algorithm. You may contact your Cisco Systems retailer for more information if your product does not support 3DES.

Keywords

After entering the configure command for the section, enter one or more of the following keywords.

General Keywords

Partner = IP_Address

The Partner keyword specifies the IP address of the interface at the remote end of the tunnel. All tunnel traffic is sent to the Partner address for processing.

BindTo = {Ethernet | WAN} slot:port[.subinterface]

The BindTo keyword specifies which interface on this device will act as the end point for the tunnels defined by this configuration. Packets sent from this device to the partner will use the selected interface's IP address as a source address.


Note   When configuring the remote end of the tunnel, the Partner keyword will be this interface's IP address. The BindTo keyword will be the remote device's tunneling interface (which was used as the Partner for this end of the tunnel).


Note   If both Ethernet ports are being used on a VPN 5001 concentrator, then the BindTo port must be set to Ethernet 1.


Note   All packets sent through the VPN tunnel are IP-encapsulated packets. If IP packet filtering is enabled for the configured VPN interface, then GRE (General Router Encapsulation) and AH (Authentication Header) packets must specifically be permitted through the filter. See the IP Filter section for more information.

KeyManage = {Auto | Manual | Initiate | Respond}

The KeyManage keyword specifies how the tunnel will be set up.

  • Auto specifies that IKE (Internet Key Exchange) will be used and that this device can both initiate tunnels and respond to tunnel establishment requests from other devices. Which partner is the tunnel initiator is determined by the partner IP addresses. Auto is the default setting and requires that the SharedKey keyword be set to the same value for both Tunnel Partners. This allows the two devices to negotiate between themselves what type of encryption and authentication to use for the tunnel, based on the options specified by the Transform keyword. The Auto setting should only be used when the Tunnel Partner is another Cisco Systems VPN device.

  • Initiate specifies that this Tunnel Partner will use IKE, but will only initiate tunnel establishment. It will not respond to tunnel establishment attempts from other devices.

  • Respond specifies that this Tunnel Partner will use IKE, but will only respond to tunnel establishment attempts which have been initiated by other devices. It will not initiate tunnel establishment.

  • Manual specifies that this Tunnel Partner will not use IKE, so the tunnel's encryption and authentication parameters must be manually set. Therefore, you must set the Authentication, Encryption, EncryptMethod, AuthSecret, and EncryptSecret keywords for both Tunnel Partners, and the values selected for them must match.

Transform = {ESP (SHA,DES) | ESP (SHA,3DES) | ESP (MD5,DES) | ESP (MD5,3DES) | ESP (MD5) | ESP (SHA) | AH (MD5) | AH (SHA) | AH (MD5) + ESP (DES) | AH (MD5) + ESP (3DES) | AH (SHA) + ESP (DES) | AH (SHA) + ESP (3DES)}

Specifies the protection types and algorithms used for IKE sessions. You can enter this command multiple times within this section, in which case the concentrator proposes all of the specified protection suites. In most cases, only one Transform keyword is needed. The client or tunnel peer accepts one of the options for the negotiation. This keyword controls IKE Phase 2 negotiation. IKE Phase 1 negotiation security settings are set in the IKE Policy section.

The mode setting for the Phase 1 negotiation is automatic unless the remote tunnel partner is another vendor's device, in which case the Mode keyword should be set (see the "Interoperability Keywords" section for more information).

The header type:

  • ESP uses the Encapsulating Security Payload (ESP) header.

  • AH uses the Authentication Header (AH).

The authentication algorithm used for the negotiation:

  • MD5 is the message-digest 5 hash algorithm.

  • SHA is the Secure Hash Algorithm, which is considered to be more secure than MD5.

The encryption algorithm:

  • DES (Data Encryption Standard) uses a 56-bit key to scramble the data.

  • 3DES (Triple DES) uses three different keys and three applications of the DES algorithm to scramble the data.

ESP(MD5,DES) is the default setting and is recommended for most setups.

AH(xxx)+ESP(xxx) uses the Authentication Header to authenticate packets and the ESP header to encrypt packets.

The Mac OS VPN 5000 Client does not support AH, so specify at least one ESP option.
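
The following Python is an added example, not Cisco's code and not part of this reference page. It parses Transform values into their header, hash and cipher parts (accepting the whitespace and algorithm-order variations the page itself uses, such as "AH (MD5 )" and "ESP(DES,SHA)"), rejects anything outside the twelve documented protection suites, and models the negotiation behaviour described above: the initiator proposes every suite it lists and the peer accepts the first one it also offers. The helper for the Mac OS client requirement reports whether at least one proposed suite avoids AH. Function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Algorithm names exactly as the Transform keyword syntax lists them.
AUTH_ALGS = {"MD5", "SHA"}
ENC_ALGS = {"DES", "3DES"}

# The twelve protection suites the Transform keyword accepts, in canonical spelling.
DOCUMENTED = {
    "ESP (SHA,DES)", "ESP (SHA,3DES)", "ESP (MD5,DES)", "ESP (MD5,3DES)",
    "ESP (MD5)", "ESP (SHA)", "AH (MD5)", "AH (SHA)",
    "AH (MD5) + ESP (DES)", "AH (MD5) + ESP (3DES)",
    "AH (SHA) + ESP (DES)", "AH (SHA) + ESP (3DES)",
}

# One element of a Transform value: a header name followed by one or two algorithms.
_ELEMENT = re.compile(r"(ESP|AH)\s*\(\s*([A-Z0-9]+(?:\s*,\s*[A-Z0-9]+)?)\s*\)")


@dataclass(frozen=True)
class Transform:
    """One protection suite: which IPsec headers, which hash, which cipher."""
    esp: bool
    ah: bool
    auth: Optional[str]   # MD5 or SHA
    enc: Optional[str]    # DES or 3DES; None for authentication-only suites


def canonical(t: Transform) -> str:
    """Render a Transform the way the keyword syntax on this page spells it."""
    if t.ah and t.esp:
        return f"AH ({t.auth}) + ESP ({t.enc})"
    if t.esp:
        return f"ESP ({t.auth},{t.enc})" if t.enc else f"ESP ({t.auth})"
    return f"AH ({t.auth})"


def parse_transform(text: str) -> Transform:
    """Parse a Transform value such as 'ESP (SHA,3DES)' or 'AH (MD5) + ESP (DES)'.

    Algorithm order inside the parentheses is not significant (the page's own
    example writes ESP(DES,SHA)); anything outside the documented set is rejected.
    """
    esp = ah = False
    auth = enc = None
    for element in text.split("+"):
        m = _ELEMENT.fullmatch(element.strip())
        if not m:
            raise ValueError(f"unrecognised transform element {element.strip()!r}")
        header, args = m.group(1), [a.strip() for a in m.group(2).split(",")]
        if header == "ESP" and not esp:
            esp = True
        elif header == "AH" and not ah:
            ah = True
        else:
            raise ValueError(f"{header} given more than once in {text!r}")
        for arg in args:
            if arg in AUTH_ALGS and auth is None:
                auth = arg
            elif arg in ENC_ALGS and enc is None:
                enc = arg
            else:
                raise ValueError(f"unexpected or repeated algorithm {arg!r} in {text!r}")
    t = Transform(esp, ah, auth, enc)
    if canonical(t) not in DOCUMENTED:
        raise ValueError(f"{text!r} is not one of the documented protection suites")
    return t


def negotiate(initiator: List[Transform], responder: List[Transform]) -> Optional[Transform]:
    """Pick the first suite in the initiator's proposal order that the responder also offers.

    Mirrors the behaviour described for multiple Transform lines: every listed suite
    is proposed and the peer accepts one of them. Returns None when nothing overlaps.
    """
    offered = set(responder)
    for t in initiator:
        if t in offered:
            return t
    return None


def has_esp_only_option(proposals: List[Transform]) -> bool:
    """True if at least one proposed suite avoids AH, which the Mac OS client needs."""
    return any(t.esp and not t.ah for t in proposals)
```

A concentrator configured with several Transform lines corresponds to the initiator list here; a peer that lists only AH suites will fail to negotiate with a partner that proposes only ESP suites, which negotiate() reports by returning None.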

SharedKey = Pass_Phrase

The SharedKey keyword is used to generate session keys which are then used to authenticate and/or encrypt each packet received or sent through the tunnel. The same key must be entered into the remote Tunnel Partner for the tunnel session to be successfully established.

The Pass_Phrase may be between 1-255 characters long.

PFS = {G1 | G2 | On | Off}

The PFS keyword specifies whether "perfect forward secrecy" will be used during client sessions. PFS means that every time encryption and/or authentication keys are computed, a new Diffie-Hellman Key Exchange is included. This greatly increases the difficulty of finding the session keys used to encrypt a VPN session. It also means that even if the keys are somehow cracked, only a portion of the traffic is recoverable.

  • G1 specifies that the Group 1 algorithm will be used.

  • G2 specifies that the Group 2 algorithm will be used. Because larger numbers are used by the Group 2 algorithm, it is more secure than Group 1.

  • On specifies that the group used in Phase 1 of the IKE negotiation will be used as the group for the PFS Diffie-Hellman Key Exchange. This Phase 1 group setting is configured in the IKE Policy section.

  • The default is Off.

MaxKeyKBytes = KB

Sets the maximum number of kilobytes of traffic, between 2560 and 536870912, that can pass over the tunnel before the tunnel initiator rekeys the tunnel. The default is 1048576. When the concentrator first establishes the tunnel, it encrypts and authenticates packets using keys determined by IKE. Rekeying provides added security by limiting the amount of time available to break a particular key. If you also set KeyLifeSecs, the concentrator uses whichever value occurs first. Only the tunnel initiator's MaxKeyKBytes value is used.

KeyLifeSecs = seconds

Sets the maximum number of seconds, between 600 and 86400, before the tunnel initiator rekeys the tunnel. The default is 86400. When the concentrator first establishes the tunnel, it encrypts and authenticates packets using keys determined by IKE. Rekeying provides added security by limiting the amount of time available to break a particular key. If you also set MaxKeyKBytes, the concentrator uses whichever value occurs first. Only the tunnel initiator's KeyLifeSecs value is used.

Authentication = {On | Off}

The Authentication keyword allows authentication of all tunnel traffic. This keyword is used when the KeyManage keyword is set to Manual. Each packet is digitally signed before sending. The receiving end of the tunnel checks the signature before allowing the traffic onto its local network.

Encryption = {On | Off}

The Encryption keyword specifies whether encryption of all tunnel traffic will be enabled. This keyword is used when the KeyManage keyword is set to Manual.

EncryptMethod = {Fixed | None | PLE | DES | 3DES}

The EncryptMethod keyword selects the encryption algorithm for this tunnel. This keyword is used when the KeyManage keyword is set to Manual. The default value is either Fixed (for export releases) or PLE (for North American releases).

  • If None is entered, then the tunnel session will be sent in the clear in both directions.

  • If Fixed is entered, then Personal Level Encryption will be used to scramble the data in both directions using a fixed key in the software.

  • If PLE is entered, then Personal Level Encryption will be used to scramble the data in both directions using a key generated from the encryption secret.

  • If DES is entered, then the DES algorithm will be used. DES provides better security than PLE, but also requires more time to operate.

  • If 3DES is entered, then triple DES encryption will be used.

AuthSecret = Authentication_Secret

The AuthSecret keyword is used to generate session keys which are used to authenticate each packet received from or sent through the tunnel. This keyword is used when the KeyManage keyword is set to Manual. If AuthSecret is omitted, then packets sent through this tunnel are not authenticated. The authentication secret may be between 1-255 characters long.

EncryptSecret = Encryption_Secret

The EncryptSecret keyword is used to generate session keys which are used to encrypt each packet received from or sent through the tunnel. This keyword is used when the KeyManage keyword is set to Manual. If EncryptSecret is omitted, then packets sent through this tunnel are not encrypted. The encryption secret may be between 1-255 characters long.

SLAEnablePartner = {On | Off}

The SLAEnablePartner keyword specifies that Service Level Agreement (SLA) information will be gathered for tunnel sessions. SLA measures the speed of traffic across the tunnel and can be used to ensure that service guarantees are met.

SNMP is used to display the gathered information. This requires that SNMP be enabled using the SNMP section and that Cisco's private Enterprise MIB be used.

The default is Off.

Interoperability Keywords

The following keywords allow the VPN 5000 concentrator to interoperate with other vendors' devices. If the remote Tunnel Partner is a Cisco Systems device, it is not necessary to configure these keywords.

As part of their interoperability function, the following keywords specify access from one area behind a VPN device to another area behind a VPN device. The local settings specify what local subnets, hosts, ports and/or protocols will be reachable via the tunnel. The peer settings specify what remote subnets, hosts, ports and/or protocols will be reachable via the tunnel. The remote tunnel partner (i.e., peer) must have a matching policy in order for traffic to be successfully tunneled.

Mode = {Main | Aggressive}

The Mode keyword sets the IKE Phase 1 negotiation mode between the devices. Phase 1 controls how the two devices identify and authenticate each other so that tunnel sessions can be established. Security settings for the IKE Phase 1 negotiation are set in the IKE Policy section.

Main and Aggressive are the two IPSec standard methods for performing the Phase 1 negotiation. This setting must match the Phase 1 negotiation mode of the remote peer. Other vendors may support only the Main mode. It is only necessary to set this keyword if the KeyManage keyword is set to Auto or Initiate.

LocalAccess = IP_Address/bits

The LocalAccess keyword is used to specify a local host or subnet which will be reachable by the tunnel.

The LocalAccess keyword is entered as an IP address followed by a slash followed by the number of significant bits in the entered IP address. The bits can be between 8 and 32. To allow access to only a single host, specify 32 in the bits portion.


Note   In order to specify more than one reachable host or subnet for a LAN-to-LAN tunnel, multiple Tunnel Partner sections would have to be configured.

Peer = IP_Address/bits

The Peer keyword is used to specify a host or subnet behind the remote tunnel partner which will be reachable via the tunnel.

The Peer keyword is entered as an IP address followed by a slash followed by the number of significant bits in the entered IP address. The bits can be between 8 and 32. To tunnel to only a single host, specify 32 in the bits portion.

Any communications with an address which is part of one of the networks defined by a Peer keyword will be tunneled.


Note   In order to specify more than one reachable host or subnet for a LAN-to-LAN tunnel, multiple Tunnel Partner sections would have to be configured.
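
The following Python is an added example, not Cisco's code and not part of this reference page. It implements the LocalAccess and Peer selector rules stated above: a value is an address followed by the number of significant bits, the bits must lie between 8 and 32, and 32 selects a single host. Because each Tunnel Partner section carries one LocalAccess/Peer pair, a list of TunnelPolicy objects stands in for several sections; tunneling_policy() returns the policy whose Peer network contains a destination address, and mirrors() checks the requirement that the remote partner holds the matching policy (its Peer is our LocalAccess and its LocalAccess is our Peer). Class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Selector:
    """A LocalAccess or Peer value: the network derived from 'IP_Address/bits'."""
    network: ipaddress.IPv4Network


def parse_selector(text: str) -> Selector:
    """Parse 'IP_Address/bits'. bits must be 8..32; 32 selects a single host."""
    address, _, bits = text.strip().partition("/")
    if not bits.isdigit():
        raise ValueError(f"{text!r}: expected IP_Address/bits")
    prefix = int(bits)
    if not 8 <= prefix <= 32:
        raise ValueError(f"{text!r}: bits must be between 8 and 32")
    # strict=False keeps only the significant bits, so 10.1.2.3/24 becomes 10.1.2.0/24.
    return Selector(ipaddress.IPv4Network(f"{address}/{prefix}", strict=False))


@dataclass(frozen=True)
class TunnelPolicy:
    """One Tunnel Partner section's LocalAccess/Peer pair."""
    local: Selector
    peer: Selector


def policy_from_section(local_access: str, peer: str) -> TunnelPolicy:
    """Build a policy from the two keyword values as written in the section."""
    return TunnelPolicy(parse_selector(local_access), parse_selector(peer))


def tunneling_policy(policies: List[TunnelPolicy], destination: str) -> Optional[TunnelPolicy]:
    """Return the policy whose Peer network contains the destination, or None if the
    traffic would be sent outside the tunnel."""
    dst = ipaddress.IPv4Address(destination)
    for policy in policies:
        if dst in policy.peer.network:
            return policy
    return None


def mirrors(ours: TunnelPolicy, theirs: TunnelPolicy) -> bool:
    """The peer's policy matches ours when its Peer is our LocalAccess and vice versa."""
    return ours.local == theirs.peer and ours.peer == theirs.local


if __name__ == "__main__":
    # Constructed sample: one section on each side of a LAN-to-LAN tunnel.
    ours = policy_from_section("10.1.0.0/16", "172.16.4.0/22")
    theirs = policy_from_section("172.16.4.0/22", "10.1.0.0/16")
    print("policies mirror:", mirrors(ours, theirs))
    print("172.16.6.200 tunneled:", tunneling_policy([ours], "172.16.6.200") is not None)
    print("172.16.8.1 tunneled:", tunneling_policy([ours], "172.16.8.1") is not None)
```

Comparing both ends' policies with mirrors() before bringing a tunnel up catches the usual misconfiguration in which one side's Peer network is narrower than the other's LocalAccess, so traffic is tunneled in one direction only.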

Examples

This example shows a VPN tunnel configuration which uses Manual key management. The VPN Tunnel Server at 192.168.169.170 would also need a Tunnel Partner section where the Partner keyword has the IP address of this device's Ethernet 0. Because it uses manual key management, all of the authentication and encryption parameters have to be entered. The KeyManagement, Authentication, Encryption, EncryptMethod, AuthSecret, and EncryptSecret keywords for the remote Tunnel Partner would have to match the ones listed below. There would also have to be [ IP VPN 0 ], [ IPX VPN 0 ], [ AppleTalk VPN 0 ], and/or [ Bridging VPN 0 ] sections for those protocols to be tunneled.

[ Tunnel Partner VPN 0 ]
Partner                  = 192.168.169.170
BindTo                   = Ethernet0
KeyManagement            = Manual
Authentication           = On
Encryption               = On
AuthSecret               = "No Fakes"
EncryptSecret            = "No Peeking"
 

This example shows a VPN Tunnel configuration which uses IKE. The VPN Tunnel Server at 192.168.117.18 would also need a Tunnel Partner section where the Partner keyword has the IP address of this device's Ethernet 1. The Transform and SharedKey keywords would have to match the ones listed below. There would also have to be [ IP VPN 1 ], [ IPX VPN 1 ], [ AppleTalk VPN 1 ], and/or [ Bridging VPN 1 ] sections for those protocols to be tunneled.

[ Tunnel Partner VPN 1 ]
Partner                  = 192.168.117.18
BindTo                   = Ethernet1
KeyManagement            = Auto
Transform                = ESP(DES,SHA)
SharedKey                = Pebbles02
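
The following Python is an added example, not Cisco's code and not part of this reference page. It reads a Tunnel Partner section in the text form shown in the examples and checks the constraints this page states: Partner must be an IPv4 address and BindTo an Ethernet or WAN interface; with KeyManage = Manual the five manual-keying keywords should be present and the IKE keywords SharedKey and Transform are not used; with the IKE modes SharedKey is required and the manual-keying keywords are not used; secrets and pass phrases are 1 to 255 characters; MaxKeyKBytes and KeyLifeSecs lie within their documented ranges. The syntax line spells the keyword KeyManage while the examples spell it KeyManagement, so both are accepted. Run against the page's first example the checker reports one finding, the omitted EncryptMethod (the page says it must be set for manual keying, although a default exists); the second example passes cleanly. Transform values are not parsed here. Function names and finding texts are this example's own.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

KEY_MODES = {"Auto", "Manual", "Initiate", "Respond"}
MANUAL_KEYWORDS = ("Authentication", "Encryption", "EncryptMethod", "AuthSecret", "EncryptSecret")
IKE_KEYWORDS = ("SharedKey", "Transform")
RANGES = {"MaxKeyKBytes": (2560, 536870912), "KeyLifeSecs": (600, 86400)}

_HEADER = re.compile(r"\[\s*Tunnel Partner VPN\s+(?:\d+:)?\d+\s*\]")
_BINDTO = re.compile(r"(Ethernet|WAN)\s*\d+(?::\d+)?(?:\.\d+)?")

# Copied from the page's second example for the demonstration at the bottom.
PAGE_IKE_EXAMPLE = """[ Tunnel Partner VPN 1 ]
Partner                  = 192.168.117.18
BindTo                   = Ethernet1
KeyManagement            = Auto
Transform                = ESP(DES,SHA)
SharedKey                = Pebbles02
"""


def parse_section(text: str) -> Tuple[str, Dict[str, str]]:
    """Split a section into its bracketed header and its keyword = value pairs."""
    header, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            header = line
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a keyword = value line: {line!r}")
        settings[key.strip()] = value.strip().strip('"')
    if header is None:
        raise ValueError("missing [ Tunnel Partner VPN ... ] header")
    return header, settings


def validate_tunnel_partner(text: str) -> List[str]:
    """Return a list of findings; an empty list means the section passed every check."""
    header, s = parse_section(text)
    findings: List[str] = []
    if not _HEADER.fullmatch(header):
        findings.append(f"header {header!r} is not '[ Tunnel Partner VPN [slot:]Number ]'")
    # Partner and BindTo define the two tunnel endpoints, so both must be well formed.
    try:
        ipaddress.IPv4Address(s.get("Partner", ""))
    except ValueError:
        findings.append("Partner must be the remote endpoint's IPv4 address")
    if not _BINDTO.fullmatch(s.get("BindTo", "")):
        findings.append("BindTo must name an Ethernet or WAN interface (e.g. Ethernet0)")
    # The page spells the keyword both KeyManage and KeyManagement; default is Auto.
    mode = s.get("KeyManage", s.get("KeyManagement", "Auto"))
    if mode not in KEY_MODES:
        findings.append(f"KeyManage must be one of {sorted(KEY_MODES)}, not {mode!r}")
    elif mode == "Manual":
        for kw in MANUAL_KEYWORDS:
            if kw not in s:
                findings.append(f"KeyManage = Manual: {kw} is not set; its default must match the partner")
        for kw in IKE_KEYWORDS:
            if kw in s:
                findings.append(f"{kw} configures IKE, which KeyManage = Manual does not use")
    else:
        if not s.get("SharedKey"):
            findings.append(f"KeyManage = {mode}: SharedKey is required for IKE")
        for kw in MANUAL_KEYWORDS:
            if kw in s:
                findings.append(f"{kw} is a manual-keying setting and is not used with KeyManage = {mode}")
    # Secrets and pass phrases must be between 1 and 255 characters.
    for kw in ("SharedKey", "AuthSecret", "EncryptSecret"):
        if kw in s and not 1 <= len(s[kw]) <= 255:
            findings.append(f"{kw} must be between 1 and 255 characters")
    # Rekey limits must be integers inside the documented ranges.
    for kw, (lo, hi) in RANGES.items():
        if kw in s and (not s[kw].isdigit() or not lo <= int(s[kw]) <= hi):
            findings.append(f"{kw} must be an integer between {lo} and {hi}")
    return findings


if __name__ == "__main__":
    for finding in validate_tunnel_partner(PAGE_IKE_EXAMPLE) or ["no findings"]:
        print(finding)
```

Because only the initiator's MaxKeyKBytes and KeyLifeSecs values take effect, and manual-keying secrets must match on both ends, running the checker over both partners' sections before comparing them side by side is the practical use.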
 

Related Commands

Command                    Description

configure AppleTalk        Configures AppleTalk parameters for an interface
configure Bridging         Configures bridging parameters for an interface
configure IP               Configures IP parameters for an interface
configure IPX              Configures IPX parameters for an interface
configure SNMP             Configures SNMP parameters
edit config IP Filter      Creates IP packet filters
show vpn                   Shows VPN configuration and statistics


Posted: Wed Sep 27 10:53:19 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.