index

A


AAA Server, using token-based system     12 -29

access-group command     2 -4

access-list command     9 -1, 9 -4

access lists, IPSec     2 -3, 2 -4
peer mirror images     2 -6

age command     8 -3

AH     1 -2, 2 -7, 9 -3

assigning remote VPN clients dynamic IP addresses     8 -12

authenticating the CA     12 -4

Authentication Header
See AH

B


Baltimore digital certificates     11 -17

C


CA
authenticating the CA     12 -4
CRL     4 -4
declaring the CA     12 -8
deleting RSA keys     12 -8
digital certificates     4 -1
displaying CRL info     12 -10
displaying public keys     12 -9, 12 -11
fingerprint     12 -3
generating RSA key pairs     12 -7
obtaining an updated CRL     12 -6
obtaining certificates     12 -6
peer authentication     4 -4
public key cryptography     4 -1
Registration Authority (RA) mode     12 -4
revoked certificates     4 -4
revoking your certificate     12 -6
RSA public key record     12 -4
saving RSA Key pairs and certificates     12 -8
sending enrollment request     12 -6
serial number included in certificate     12 -7
server
pkiclient.exe     12 -8
validating signature     4 -1

CBC     1 -3

certificate enrollment protocol     7 -1

Certificate Revocation List
See CRL

certificates, digital     11 -10, 11 -17, 11 -21

certification authority
See CA

Cipher Block Chaining
See CBC

Cisco Secure VPN Client     8 -10, 10 -1
interoperability with PIX Firewall     10 -2

Cisco VPN 3000 Client
downloading network parameters to     10 -9
interoperability with PIX Firewall     10 -8
split tunnel support     12 -60
support for     12 -58
VPN group name     12 -59
VPN group policy     12 -59

clear crypto ipsec sa command     12 -21

clear isakmp command     12 -54

clear isakmp sa command     12 -54

client, remote VPN     8 -10, 12 -30

command
access-group     2 -4
access-list     9 -1, 9 -4
age     8 -3
clear
crypto ipsec sa     12 -21
isakmp     12 -54
isakmp sa     12 -54
clear crypto ipsec sa     12 -21
clear isakmp     12 -54
clear isakmp sa     12 -54
crypto dynamic-map     12 -13
crypto ipsec     8 -3, 12 -17
crypto map     12 -25
crypto map interface     2 -6
domain-name     12 -42
dynamic-map     12 -43
ip local pool     12 -44
ipsec     12 -46
isakmp     12 -47
link     8 -3
linkpath     8 -3
show
ca certificate     12 -2
ca configure     12 -2
ca identity     12 -2
sysopt     12 -55
sysopt connection permit-ipsec     2 -3, 12 -55
sysopt ipsec pl-compatible     8 -1, 8 -5, 12 -57
sysopt uauth allow http-cache     12 -57
vpngroup     12 -58

configuration example
IPSec/VPN tunnel using Baltimore digital certificates     11 -17
IPSec/VPN tunnel using Entrust digital certificates     11 -10

IPSec/VPN tunnel using Microsoft digital certificates     11 -21
IPSec/VPN tunnel using VeriSign digital certificates     11 -2
IPSec/VPN with manual keys     9 -1
VPN Client access with Extended Authentication, IKE Mode Config, and Digital Certificates     10 -15
VPN Client access with Extended Authentication, IKE Mode Config, and Wildcard Pre-shared key     10 -2
VPN Client access with Extended Authentication, RADIUS Authorization, IKE Mode Config, and Wildcard Pre-shared key     10 -9

configuring
CA     7 -2
dynamic IP addressing assignment     8 -12
IKE     6 -1
IKE Extended Authentication (Xauth)     8 -9
IKE Mode Config     8 -12
IKE Mode Config (dynamic IP address assignment)     
IKE policies     6 -1
interoperability with Cisco Secure VPN Client     10 -6
interoperability with Cisco VPN 3000 Client     10 -14, 10 -20

IPSec with IKE     5 -1
IPSec with pre-shared keys     5 -4
order of IPSec configuration     1 -4

converting from Private Link to IPSec     8 -1

CRL     4 -4, 7 -1, 12 -3

crypto access lists     2 -4

crypto dynamic-map command     12 -13

crypto ipsec command     8 -3, 12 -17

crypto map command     12 -25

crypto map interface command     2 -6

crypto maps
applying to interface     2 -11, 9 -4
dynamic     2 -10
entries     2 -8
load sharing     2 -9
number to create     2 -9

D


Data Encryption Standard
See DES

DES     1 -2, 3 -2, 3 -3, 9 -3

Diffie-Hellman     1 -3, 12 -27, 12 -35, 12 -52

digital certificates     4 -1, 11 -2, 11 -10, 11 -17, 11 -21

displaying public keys     12 -9, 12 -11

domain-name command     12 -42

downloading IP address to VPN Client     8 -10

downloading network parameters to Cisco VPN 3000 Client     10 -9

dynamic crypto maps     2 -10
adding to crypto maps     2 -11
entries     2 -11
referencing     2 -11
sets     2 -11

dynamic IP address assignment     8 -12

dynamic-map command     12 -43

E


enabling IPSec packets to traverse PIX Firewall     2 -3

Encapsulating Security Payload
See ESP

encrypting Telnet connection to outside interface     8 -7

Entrust digital certificates     11 -10

ESP     1 -2, 2 -7, 9 -3

examples
IPSec/VPN tunnel using Baltimore digital certificates     11 -17
IPSec/VPN tunnel using Entrust digital certificates     11 -10
IPSec/VPN tunnel using Microsoft digital certificates     11 -21
IPSec/VPN tunnel using VeriSign digital certificates     11 -2
IPSec/VPN with manual keys     9 -1
VPN client access with Extended Authentication, IKE Mode Config, and Digital Certificates     10 -15
VPN client access with Extended Authentication, IKE Mode Config, and Wildcard Pre-shared key     10 -2
VPN client access with Extended Authentication, RADIUS Authorization, IKE Mode Config, and Wildcard Pre-shared key     10 -9

Extended Authentication (Xauth), IKE     1 -3, 8 -8, 10 -3
configuring     8 -9
making an exception for security gateways     8 -8

F


fingerprint, CA     12 -3

Flash memory
persistent data file     12 -7, 12 -8

G


generating RSA key pair(s)     7 -2

generating RSA key pairs     12 -7

global lifetimes     2 -3, 12 -60

I


IKE
authentication methods
Pre-shared keys     3 -4
RSA signatures     3 -4
benefits     3 -1
configuring pre-shared keys (authentication method)     
creating policies     3 -4
disabling     6 -4
enabling and configuring     6 -1
Extended Authentication (Xauth)     8 -8, 10 -3, 10 -11, 10 -18
policy parameters     3 -2
policy priority numbers     6 -1
remote VPN client     8 -10

IKE Mode Config     1 -3
client initiation     8 -11
configuring     8 -12, 12 -30
Gateway initiation     8 -11
initiating on security gateway or VPN client     8 -11
making an exception for security gateways     8 -11
types     8 -11

IKE Mode Configuration
See IKE Mode Config

IKE Pre-shared key, configuring     3 -5

Internet Key Exchange
See IKE

interoperating with Cisco Secure VPN Client     10 -2

interoperating with Cisco VPN 3000 Client     10 -8

ip local pool command     12 -44

IPSec
access-list     2 -3
access lists     2 -3, 2 -4
keyword "any"     2 -6
peer mirror images     2 -6
configuring manually using pre-shared keys     5 -4
configuring with IKE     5 -1
crypto maps
entries     2 -8
load sharing     2 -9
digital certificates     4 -1
enabling packets to traverse PIX Firewall     2 -3
manual     2 -6
order in which you perform your configuration     1 -4
pre-shared keys     4 -4
security associations
clearing and reinitializing     2 -12
global lifetimes     2 -3
IKE-established     2 -9
manual using pre-shared keys     2 -9
supported standards     1 -2
transform sets     2 -7
using CAs     4 -3
viewing information     2 -12
without CAs     4 -2

ipsec command     12 -46

ipsec-isakmp option     12 -32

ipsec-manual option     2 -6, 9 -3, 12 -32

IP Security Protocol
See IPSec

ISAKMP     1 -2, 3 -1

isakmp command     12 -47

ISAKMP identity     3 -5

L


LDAP (Lightweight Directory Access Protocol)     12 -8

link command     8 -3

linkpath command     8 -3

M


Manual IPSec     5 -4

MD5     1 -2, 1 -3, 3 -2, 3 -3, 9 -3

Message Digest 5
See MD5

Microsoft digital certificates     11 -21

O


Oakley key exchange protocol     1 -2, 3 -1

obtaining an updated CRL     12 -6

P


packet trace     12 -40

PKI protocol     7 -1, 12 -8

Pre-shared key (IKE), configuring     3 -5

Pre-shared key, IKE authentication method     3 -4

pre-shared key, VPN group     12 -60

Pre-shared keys     5 -4

Pre-shared keys, IPSec manual     4 -4

Private Link
conversion to IPSec     8 -1
example of a network diagram     8 -4

public key cryptography     4 -1

Public-Key Cryptography Standard #10 (PKCS #10)     1 -3

Public-Key Cryptography Standard #7 (PKCS #7)     1 -3

Q


querying a certificate or CRL     12 -8

R


RA     4 -4

RADIUS     5 -6, 8 -8

Registration Authority
See RA

remote VPN client     8 -10, 12 -30

revoked certificates     4 -4

RSA key pair(s), generating     7 -2

RSA Keys     1 -3

RSA public key record     12 -4

RSA signatures, IKE authentication method     1 -3, 3 -4, 4 -4

S


Secure Hash Algorithm
See SHA

securing Telnet connection to outside interface     8 -7

security associations, IPSec
clearing and reinitializing     2 -12
global lifetimes     2 -3
IKE     2 -9
manual using pre-shared keys     2 -9

security gateway
initiating IKE Mode Config     8 -11
making an exception to Extended Authentication     8 -8
making an exception to IKE Mode Config     8 -11

serial number     12 -7

session key     9 -4

SHA     3 -2, 3 -3

show
ca certificate     12 -2
ca configure     12 -2
ca identity     12 -2

show commands     2 -12

Skeme key exchange protocol     1 -2, 3 -1

SPI     9 -4, 12 -18, 12 -22, 12 -37, Glossary -3

Split tunnel, VPN     12 -60

supported standards, IPSec     1 -2

support for Cisco VPN 3000 Client     12 -58

sysopt command     12 -55

sysopt connection permit-ipsec command     2 -3, 12 -55

sysopt ipsec pl-compatible command     8 -1, 8 -5, 12 -57

sysopt uauth allow http-cache command     12 -57

T


TACACS+     5 -6, 8 -8

TCP maximum segment size, IPSec     9 -3

Telnet
encrypting connection to outside interface     8 -7

token-based authentication system     12 -29

transform set     2 -7
example configuration     9 -3

Triple DES     1 -2, 3 -2, 3 -3

U


User authentication     8 -8

V


validating a CA's signature     4 -1

VeriSign digital certificates     11 -2

Virtual Private Network
See VPN

VPN
client     8 -10
client initiating IKE Mode Config     8 -11
configuration example     9 -1
definition     Glossary -3
group policy     12 -59
introduction     2 -1
overview     1 -1
split tunnel     12 -60

vpngroup command     12 -58

VPN group password     12 -60

VPN peer
default identity     3 -5
specifying peer's identity     6 -3

X


X.509v3 certificates     1 -3

Xauth
See Extended Authentication (Xauth), IKE

Posted: Thu Aug 31 19:51:07 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.