| Parameter | Description |
|---|---|
| "Name" | A unique name for the VPN group, up to 15 characters. |
Products shipped to certain nations or organizations subject to restrictions by U.S. encryption export laws may not support the 3DES encryption algorithm. You may contact your Cisco Systems retailer for more information if your product does not support 3DES.
Note: This section of the configuration was previously called STEP Client. STEP is Cisco Systems' older, proprietary tunnel establishment protocol. STEP parameters are not recommended for new configurations, but if they have already been set in the device, they are supported as aliases to VPN Group sections.
After entering the configure command for the section, enter one or more of the following keywords.
| Keyword | Description |
|---|---|
| MaxConnections = Number | Limits the number of client connections which use this VPN Group configuration. This is useful to reserve tunnel connections for users using other VPN Group configurations. MaxConnections may not exceed the maximum number of tunnel connections supported by the device. If the sum of the MaxConnections entries of all VPN Group sections exceeds the maximum number of tunnel connections supported by the device, tunnel connections will be served on a first-come, first-served basis. |
| KeepaliveInterval = Number | Specifies the number of seconds between keepalive packets sent to each connected client by the device. The range is 1 to 65535 seconds. The default is 60 seconds. Clients which do not answer these packets and/or generate other traffic within several keepalive intervals will have their connections shut down. Keepalive packets are only sent in the case where no other traffic has been received from the client in the specified number of seconds. |
| InactivityTimeout = Number | Specifies the number of seconds the device will wait without receiving any traffic from a client belonging to this VPN Group configuration before ending the tunnel session. Keepalive packets and ICMP (ping) traffic do not affect this timeout. This prevents users from using ping to keep their tunnels up. The range is 0 to 65535 seconds. The default of 0 seconds means there is no timeout. |
| MinimumVersion = String | Places a limit on the VPN Client Software version number which will be allowed. A value of 0 or 1 will allow any software version number. A value of 2 will prevent Cisco's older STAMP Clients from having access. A value of 3 will prevent both older STAMP Clients and any other Clients with version numbers less than 3.0. A value of 4 allows only v4.x VPN clients. A value greater than 4 will prevent all clients from having access. |
| Transform = {ESP (SHA,DES) \| ESP (SHA,3DES) \| ESP (MD5,DES) \| ESP (MD5,3DES) \| ESP (MD5) \| ESP (SHA) \| AH (MD5) \| AH (SHA) \| AH (MD5) + ESP (DES) \| AH (MD5) + ESP (3DES) \| AH (SHA) + ESP (DES) \| AH (SHA) + ESP (3DES)} | Specifies the protection types and algorithms used for IKE sessions. You can enter this command multiple times within this section, in which case the concentrator proposes all of the specified protection suites. In most cases, only one Transform keyword is needed. The client or tunnel peer accepts one of the options for the negotiation. This keyword controls IKE Phase 2 negotiation. IKE Phase 1 negotiation security settings are set in the IKE Policy section. Each transform names the header type (ESP or AH), the authentication algorithm used for the negotiation (MD5 or SHA), and, where encryption is used, the encryption algorithm (DES or 3DES). ESP(MD5,DES) is the default setting and is recommended for most setups. AH(xxx)+ESP(xxx) uses the Authentication Header to authenticate packets and the ESP header to encrypt packets. The Mac OS VPN 5000 Client does not support AH, so specify at least one ESP option. If you use NAT Transparency in the VPN 5000 Client, you must use an ESP transform in the VPN group configuration, and it must be listed before any AH transforms. |
| ExcludeLocalLAN = {On \| Off} | Specifies that remote client LAN traffic will not be tunneled. When set to On, this can be used to exclude LAN traffic from tunneling when a wildcard of 0.0.0.0/0 has been used as the IPNet. In order for this to work, the user login in the VPN Client software must also have the Exclude Local LAN from Tunnel checkbox checked. The default is Off. |
| EncryptMethod = {Fixed \| None \| PLE \| DES \| 3DES} | Selects the encryption algorithm which will be used for non-IKE client sessions. |
| StartIPAddress = IP_Address | Specifies the first IP address to be assigned to client sessions under this VPN Group. This start address will be incremented by one for each new client session, until the MaxConnections limit is reached. The IP address is freed when the client session is finished. Each of the addresses thus generated must be a valid, unique, and unused IP address. Also, these addresses must not conflict with addresses specified in other VPN Group configurations or with any other IP address within the server. These addresses must be on the internal TCP/IP network and would typically be on the same network as the BindTo interface (e.g., for a VPN 5001 concentrator, on the same network as Ethernet 0 or a subinterface thereof). There is no default value for the StartIPAddress keyword. In order for IP-in-IP tunneling to operate with this VPN Group configuration, a group of local IP addresses must be set using either the LocalIPNet or the StartIPAddress keywords, or a RADIUS server must be configured to serve the addresses and the AssignIPRADIUS keyword must be enabled. |
| StartSubnetMask = IP_Address | Specifies the subnet mask for the IP subnet used by the addresses specified by the StartIPAddress keyword. |
| LocalIPNet = IP_Address/bits | Specifies the local network or subnet to be assigned to client sessions under this VPN Group. For each new client session, an available IP address from this network or subnet is assigned to that session, until the MaxConnections limit is reached. The IP address is freed when the client session is finished. This network or subnet must be unused and completely unique in the IP network to which the VPN 5000 concentrator is connected (i.e., not part of any Class C network in use) and may not conflict with address ranges specified in other group configurations. The mask may be between 8 and 30 bits. There is no default value for the LocalIPNet keyword. In order for IP-in-IP tunneling to operate with this VPN Group configuration, a group of local IP addresses must be set using either the LocalIPNet or the StartIPAddress keywords, or a RADIUS server must be configured to serve the addresses and the AssignIPRADIUS keyword must be enabled. If a LocalIPNet is used, then either a dynamic routing protocol or static routes must be configured into the controlling router (e.g., the firewall) in order for traffic to find the LocalIPNet network. |
| AssignIPRADIUS = {On \| Off} | Specifies whether a RADIUS server can be used to assign addresses to VPN users. Be sure to configure communication with the RADIUS server according to the Radius section and to configure the RADIUS server to serve the IP addresses using the built-in RADIUS authentication attribute number 8. You can assign addresses from a unique subnet or from a set-aside range on the destination network. See the description for StartIPAddress for a description of how a set-aside range works. If you assign a unique IP subnet, you might want to assign a matching LocalIPNet in the VPN group to: If you use LocalIPNet, set the RADIUS server to assign addresses only from the LocalIPNet. |
| IPNet = IP_Address/bits | Specifies a range of IP addresses which will be reachable by clients using this configuration. The IPNet keyword is entered as an IP address followed by a slash followed by the number of significant bits in the entered IP address. For example, an IPNet keyword entered as 192.168.32.0/19 would specify that traffic with all IP addresses from 192.168.32.1 through 192.168.63.255 will be tunneled. As a special case, the entry 0.0.0.0/0 specifies that all IP traffic should be tunneled. If you do not enter an IPNet, the default is 0.0.0.0/0. To tunnel to only a single host, specify 32 in the bits portion. This keyword may occur up to 64 times in a section. All of the indicated address ranges will be tunneled. Any communications with an address which is part of one of the networks defined by an IPNet keyword will be tunneled. Communications with any other addresses will occur normally, without tunneling. |
| LocalIPXNet = Number | Specifies the first local IPX network to be assigned to client sessions under this configuration. This address will be incremented by one for each new client session, until the MaxConnections limit is reached. When a client is connected to the device, the first available IPX address from this range is assigned to that session. The IPX address is freed when the client session is finished. There is no default value for the LocalIPXNet keyword. Each of the addresses thus generated must be a valid, unique, and unused IPX address. Also, these addresses must not conflict with networks specified in other VPN Group configurations or with any other IPX address within the server. In order for IPX-in-IP tunneling to operate with this VPN Group configuration, a group of local IPX addresses must be set using the LocalIPXNet keyword, or a RADIUS server must be configured to serve the addresses and the AssignIPXRADIUS keyword must be enabled. This keyword replaces the StartIPXAddress keyword. |
| AssignIPXRADIUS = {On \| Off} | Specifies whether a RADIUS server can be used to assign IPX addresses to VPN users. If set to Off, then IPX addresses will be assigned using the address pool specified by the LocalIPXNet keyword. If set to On, then communication with a RADIUS server must be configured using the RADIUS section and the RADIUS server must be set up to serve the IPX addresses. This can be done using the built-in RADIUS authentication attribute number 23. If the attribute has not been defined, then the IPX address will be assigned using the address pool specified by the LocalIPXNet keyword. |
| BlockType20 = {On \| Off} | Specifies how IPX Packet Type 20 is handled for tunnel sessions connected using this VPN Group configuration. In order for certain protocol implementations, like NetBIOS, to function in the NetWare environment, routers must allow a broadcast packet to be propagated throughout an internet. The IPX Packet Type 20 is designated to perform broadcast propagation for these protocols. On prevents these packets from being rebroadcast. This is useful for reducing the bandwidth load on the tunnel. Off allows these propagated packets to be rebroadcast through the tunnel. |
| SaveSecrets = {On \| Off} | Specifies that all users assigned to this VPN Group configuration will be able to save their shared secret to disk, once it has been entered. This means these users will not be prompted for their secret after their first session. The default is Off. |
| SLAEnableClient = {On \| Off} | The SLAEnableClient keyword specifies that Service Level Agreement (SLA) information will be gathered for tunnel sessions using this VPN Group configuration. SLA measures the speed of traffic across the tunnel and can be used to ensure that service guarantees are met. SNMP is used to display the gathered information. This requires that SNMP be enabled using the SNMP section and that Cisco's private Enterprise MIB be used. The default is Off. |
| VPNGroupDLCI = Number | Maps all tunnel traffic using this VPN Group configuration to a Frame Relay PVC. This can be used as an alternative to using routing to get packets to their destination once they have been received from the tunnel. The number must be between 16 and 991. |
| SecurIDRequired = {On \| Off} | Specifies that all users assigned to this VPN Group configuration will undergo SecurID authentication. SecurID is Security Dynamics' proprietary system which requires ACE/Server software and SecurID tokens to perform dynamic two-factor authentication. See the SecurID section for more information. |
| SecurIDUserName = {On \| Off} | Specifies whether the users assigned to this VPN Group configuration will have SecurID user names which are different from their VPN User names. |
| BackupServer = {IP_Address \| Domain_Name} | Specifies the IP address or domain name of an alternate concentrator. If the concentrator cannot support any more tunnel connections, but you have not used the maximum connections for this VPN Group, the concentrator can send additional connections to the backup concentrator. |
| DNSPrimaryServer = IP_Address | Specifies the IP address of a DNS server. If this keyword has been set, then the VPN Group will tunnel all DNS queries to the concentrator. The concentrator will take all DNS queries bound for the client's primary DNS server and send them to the specified address. The IP address should be in standard dotted-decimal notation. |
| DNSSecondaryServer = IP_Address | Specifies the IP address of a backup DNS server. A DNSPrimaryServer must also be set in order for this keyword to work. If this keyword has been set, then the VPN Group will tunnel all DNS queries to the concentrator. The concentrator will then send all DNS queries destined for the client's backup DNS server (i.e., one that has a different IP address than the DNSPrimaryServer) to the specified server address. The IP address should be in standard dotted-decimal notation. |
| DNSSplitServer = IP_Address | Specifies the IP address of a "split" DNS server. This is useful for setups where queries for internal names are handled by one server (the primary server) while queries for external names are handled by another server (the "split" server). In order for the concentrator to know which server to send the query to, at least one LocalDomainName keyword must be set. A DNSPrimaryServer must also be set in order for this keyword to work. Queries for a secondary server will be handled as usual. The IP address should be in standard dotted-decimal notation. |
| LocalDomainName = String | Specifies a domain name that will be compared to the name in DNS queries to the DNSPrimaryServer in order to determine whether the query is for an internal or external domain. This keyword may appear multiple times within a section in order to specify multiple domains. The string can be between 1 and 255 characters in length. |
| WINSPrimaryServer = IP_Address | Specifies the IP address of a WINS server. If this keyword has been set, then the VPN Group will tunnel all WINS queries to the concentrator. The concentrator will take all WINS queries bound for the client's primary WINS server and send them to the specified address. The IP address should be in standard dotted-decimal notation. |
| WINSSecondaryServer = IP_Address | Specifies the IP address of a backup WINS server. A WINSPrimaryServer must also be set in order for this keyword to work. If this keyword has been set, then the VPN Group will tunnel all WINS queries to the concentrator. The concentrator will then send all WINS queries destined for the client's backup WINS server (i.e., one that has a different IP address than the WINSPrimaryServer) to the specified server address. If queries are received for a third server address, they will be discarded. The IP address should be in standard dotted-decimal notation. |
| TunnelNetBT = {On \| Off} | Specifies whether Windows NetBT traffic will be tunneled. NetBT is Microsoft's networking protocol. The default is Off. |
| IPOutFilters = "filter_name" ["filter_name"] ["filter_name"] ["filter_name"] | Allows a named set of IP packet filtering rules to be applied to packets to be sent to a client connected using this configuration. Any packet not explicitly allowed by the rule set is dropped. Up to four separate filters may be selected. If a filter name contains spaces or other special characters, it must be enclosed in quotes. See the IP Filter section for a definition of the rules that may be included in an IP packet filter. |
| IPInFilters = "filter_name" ["filter_name"] ["filter_name"] ["filter_name"] | Allows a named set of IP packet filtering rules to be applied to packets received from a client connected using this configuration. Any packet not explicitly allowed by the rule set is dropped. Up to four separate filters may be selected. If a filter name contains spaces or other special characters, it must be enclosed in quotes. See the IP Filter section for a definition of the rules that may be included in an IP packet filter. |
| IPXOutFilters = "filter_name" ["filter_name"] ["filter_name"] ["filter_name"] | Allows a named set of IPX packet filtering rules to be applied to packets to be sent to a client connected using this configuration. Any packet not explicitly allowed by the rule set is dropped. Up to four separate filters may be selected. If a filter name contains spaces or other special characters, it must be enclosed in quotes. See the IPX Filter section for a definition of the rules that may be included in an IPX packet filter. |
| IPXInFilters = "filter_name" ["filter_name"] ["filter_name"] ["filter_name"] | Allows a named set of IPX packet filtering rules to be applied to packets received from a client connected using this configuration. Any packet not explicitly allowed by the rule set is dropped. Up to four separate filters may be selected. If a filter name contains spaces or other special characters, it must be enclosed in quotes. |
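The limits in the keyword table (the 15-character group name, the 1 to 65535 KeepaliveInterval range, the 8 to 30 bit LocalIPNet mask, the 64 IPNet maximum, the 16 to 991 VPNGroupDLCI range, the need for an address pool, and the rule that an ESP transform must be present and listed before any AH transform) are easy to violate in a hand-edited section. The following Python script is an added example, not Cisco code and not part of this reference: it parses a section written one keyword per line and reports which of those constraints are broken. The sample section is constructed for the example (the page's "Bedrock" group with several values deliberately pushed out of range), and the one-keyword-per-line layout is an assumption about how the section is written.

```python
"""Lint a [ VPN Group ] section against the constraints in the keyword table."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample section (not from the page): the "Bedrock" group with
# several values deliberately pushed outside the limits in the keyword table.
SAMPLE_SECTION = '''
[ VPN Group "Bedrock" ]
BindTo = Ether0
MaxConnections = 8
KeepaliveInterval = 0
LocalIPNet = 192.168.12.0/31
IPNet = 192.168.32.0/19
IPNet = 10.0.0.0/8
Transform = AH(MD5)
Transform = ESP(SHA,3DES)
VPNGroupDLCI = 1000
'''

# Numeric keywords and the ranges the table gives for them.
NUMERIC_RANGES = {
    "KeepaliveInterval": (1, 65535),
    "InactivityTimeout": (0, 65535),
    "VPNGroupDLCI": (16, 991),
}

HEADER_RE = re.compile(r'\[\s*VPN Group\s+"([^"]*)"\s*\]$')


def parse_section(text):
    """Parse a section written one 'Keyword = value' per line.

    Returns (group_name, {keyword: [values in order]}); keywords that may
    repeat (IPNet, Transform, LocalDomainName) keep every occurrence.
    """
    name = None
    values = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            name = m.group(1)
            continue
        key, sep, val = line.partition("=")
        if sep:
            values[key.strip()].append(val.strip())
    return name, dict(values)


def ipnet_range(cidr):
    """First and last address covered by an IPNet entry (network and broadcast)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def lint_vpn_group(text):
    """Return a list of problems found in one VPN Group section."""
    name, kw = parse_section(text)
    problems = []
    if name is None:
        problems.append('missing [ VPN Group "Name" ] header')
    elif len(name) > 15:
        problems.append(f'group name "{name}" is longer than 15 characters')
    for key, (lo, hi) in NUMERIC_RANGES.items():
        for v in kw.get(key, []):
            if not v.isdigit() or not lo <= int(v) <= hi:
                problems.append(f"{key} = {v} is outside {lo}..{hi}")
    for v in kw.get("LocalIPNet", []):
        bits = int(v.split("/")[1])
        if not 8 <= bits <= 30:
            problems.append(f"LocalIPNet = {v}: mask must be between 8 and 30 bits")
    if len(kw.get("IPNet", [])) > 64:
        problems.append("more than 64 IPNet entries")
    transforms = [t.replace(" ", "").upper() for t in kw.get("Transform", [])]
    if transforms and not any(t.startswith("ESP") for t in transforms):
        problems.append("no ESP transform: the Mac OS client does not support AH")
    elif transforms and not transforms[0].startswith("ESP"):
        problems.append("an AH transform is listed before the first ESP transform; "
                        "NAT Transparency requires an ESP transform first")
    # IP-in-IP tunneling needs an address source: LocalIPNet, StartIPAddress
    # or AssignIPRADIUS = On.
    has_pool = (kw.get("LocalIPNet") or kw.get("StartIPAddress")
                or kw.get("AssignIPRADIUS", [""])[0].lower() == "on")
    if not has_pool:
        problems.append("no IP address source: set LocalIPNet, StartIPAddress "
                        "or AssignIPRADIUS = On")
    return problems


if __name__ == "__main__":
    for p in lint_vpn_group(SAMPLE_SECTION):
        print("-", p)
```

Run against the sample, the script reports the zero KeepaliveInterval, the /31 LocalIPNet, the AH transform ahead of the ESP transform, and the out-of-range DLCI. Note that the name check also flags the "Cobblestone County" group in the second example further down, which is 18 characters long against the 15-character limit stated for the Name parameter.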
This example shows a VPN Group configuration for a concentrator. The [ IP Ethernet 0 ] section for this device would have an IPAddress keyword and the [ General ] section would have a GatewayAddress keyword which specify addresses on the 192.168.13.0 IP network.
```
[ VPN Group "Bedrock" ]
BindTo = Ether0
MaxConnections = 8
LocalIPNet = 192.168.12.0/24
LocalIPXNet = F00D0
IPNet = 192.168.13.0/24
IPNet = 192.168.14.0/24
Transform = ESP(DES,SHA)
Transform = AH(MD5)
Transform = AH(SHA)+ESP(3DES)
```
This example shows a VPN Group configuration with DNS servers configured. In this case, DNS queries bound for the primary server, 192.168.9.30, will be examined to see which domain name is contained in the query. If the name is faceplant.Cisco.com or foo.bar.tape.stortek.com, the query will be forwarded to the primary DNS server as originally intended. But queries for disk.stortek.com or monkey.wrench.com will be redirected to the split server, 192.168.9.60. Queries bound for the secondary DNS server, 192.168.11.50, will be forwarded to that server unconditionally.
```
[ VPN Group "Cobblestone County" ]
BindTo = Ether0
MaxConnections = 4
LocalIPNet = 192.168.16.0/24
IPNet = 192.168.13.0/24
IPNet = 192.168.14.0/24
Transform = ESP(DES,SHA)
DNSPrimaryServer = 192.168.9.30
DNSSecondaryServer = 192.168.11.50
DNSSplitServer = 192.168.9.60
LocalDomainName = "Cisco.com"
LocalDomainName = "tape.stortek.com"
```
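The DNS redirection rules for DNSPrimaryServer, DNSSecondaryServer, DNSSplitServer and LocalDomainName can be checked against the example above with a few lines of code. The following Python is an added example, not Cisco code: it decides, for a tunneled query, which server the concentrator forwards it to, and reproduces the outcomes the example describes (Cisco.com and tape.stortek.com names stay with the primary, other names go to the split server, queries addressed to the secondary go there unconditionally). The group dictionary is constructed from the example's addresses; whole-label, case-insensitive domain matching and the "not redirected" result for a query to an unconfigured third server are assumptions, since the page only says the name is compared to the domain.

```python
"""Choose the DNS server a tunneled query is forwarded to, per the VPN Group DNS keywords."""

# Constructed group (from the page's "Cobblestone County" example).
COBBLESTONE = {
    "DNSPrimaryServer": "192.168.9.30",
    "DNSSecondaryServer": "192.168.11.50",
    "DNSSplitServer": "192.168.9.60",
    "LocalDomainName": ["Cisco.com", "tape.stortek.com"],
}


def is_local_name(qname, local_domains):
    """True when qname is inside one of the LocalDomainName domains.

    The match is on whole labels and ignores case (an assumption), so
    "Cisco.com" covers faceplant.Cisco.com but not disk.stortek.com or
    notcisco.com.
    """
    labels = qname.lower().rstrip(".").split(".")
    for dom in local_domains:
        dl = dom.lower().rstrip(".").split(".")
        if len(dl) <= len(labels) and labels[-len(dl):] == dl:
            return True
    return False


def route_dns_query(group, dest_server, qname):
    """Return the DNS server address the concentrator forwards the query to.

    dest_server is the address the client sent the query to.  Returns None when
    DNS handling is not configured (no DNSPrimaryServer) or when the query is
    for a server other than the primary and no DNSSecondaryServer is set; the
    page does not say what happens then, so None means "not redirected"
    (an assumption).
    """
    primary = group.get("DNSPrimaryServer")
    if primary is None:
        return None
    if dest_server == primary:
        split = group.get("DNSSplitServer")
        local = group.get("LocalDomainName", [])
        # Split DNS only works when at least one LocalDomainName is set.
        if split and local and not is_local_name(qname, local):
            return split
        return primary
    secondary = group.get("DNSSecondaryServer")
    return secondary if secondary else None


if __name__ == "__main__":
    for dest, name in [("192.168.9.30", "faceplant.Cisco.com"),
                       ("192.168.9.30", "disk.stortek.com"),
                       ("192.168.11.50", "monkey.wrench.com")]:
        print(dest, name, "->", route_dns_query(COBBLESTONE, dest, name))
```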
| Command | Description |
|---|---|
| configure IKE Policy | Configures the initial tunnel authentication |
| configure SecurID | Configures the concentrator for communication with a SecurID server for user authentication |
| configure SNMP | Configures SNMP parameters |
| edit config IP Filter | Creates IP packet filters |
| edit config IPX Filter | Creates IPX packet filters |
| edit config VPN Users | Creates a user list for VPN authentication |
Posted: Wed Sep 27 10:53:22 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.