C H A P T E R Configuring VPN Client Remote Access This chapter describes PIX Firewall configuration procedures that are specific to implementing remote access VPNs It also provides configuration examples using the VPN software clients supported by PIX Firewall PIX Firewall can function as an Easy VPN Server in relation to an Easy VPN Remote device, such as a PIX 501 or PIX 506/506E, or in relation to Cisco VPN software clients When used as an Easy VPN Remote device, the PIX Firewall can push VPN configuration to the VPN client or Easy VPN Remote device, which greatly simplifies configuration and administration For information about configuring a PIX 501 or PIX 506/506E as an Easy VPN Remote device, refer to Chapter 5, “Using PIX Firewall in SOHO Networks.” This chapter includes the following sections: • Supporting Clients with Dynamic Addresses • Configuring Extended Authentication (Xauth) • Assigning IP Addresses to VPN Clients with IKE Mode Config • Cisco VPN 3000 Client Version 2.5/2.6 and Cisco VPN Client Version 3.x • Cisco Secure VPN Client Version 1.1 • Xauth with RSA Ace/Server and RSA SecurID • Configuring L2TP with IPSec in Transport Mode • Windows 2000 Client with IPSec and L2TP • Using PPTP for Remote Access Supporting Clients with Dynamic Addresses Dynamic crypto maps are frequently used with Internet Key Exchange (IKE) to negotiate SAs with remote access VPN clients Dynamic crypto maps are used to negotiate SAs for connections initiated from an external network for peers that not have a known IP address After successful IKE authentication, the client connection request is processed using a dynamic crypto map that is configured to set up SAs without requiring a known IP address A dynamic crypto map entry is essentially a crypto map entry that does not specify the identity of the remote peer It acts as a template where the missing parameters are dynamically assigned based on the IKE negotiation Only the transform set is required to configure a dynamic crypto map entry Cisco PIX Firewall and VPN Configuration Guide 78-13943-01 8-1 Chapter Configuring VPN Client Remote Access Configuring Extended Authentication (Xauth) Note Use care when using the any keyword in permit command entries in dynamic crypto maps If it is possible for the traffic covered by such a permit command entry to include multicast or broadcast traffic, the access list should include deny command entries for the appropriate address range Access lists should also include deny command entries for network and subnet broadcast traffic, and for any other traffic that should not be IPSec protected For more information about configuring dynamic crypto maps, see “Using Dynamic Crypto Maps” in Chapter 6, “Configuring IPSec and Certification Authorities.” Configuring Extended Authentication (Xauth) This section describes how to implement extended authentication (Xauth) with PIX Firewall It includes the following topics: • Overview • Making an Exception to Xauth for a Site-to-Site VPN Peer • Extended Authentication Configuration Overview The PIX Firewall supports the Extended Authentication (Xauth) feature within the IKE protocol Xauth lets you deploy IPSec VPNs using TACACS+ or RADIUS as your user authentication method This feature, which is designed for VPN clients, provides user authentication by prompting the user for username and password and verifies them with the information stored in your TACACS+ or RADIUS database Xauth is negotiated between IKE Phase (IKE device authentication phase) and IKE Phase (IPSec SA negotiation phase) If the Xauth fails, the IPSec security association will not be established and the IKE security association will be deleted Note The IKE Mode Config feature also is negotiated between these IKE Phase and If both features are configured, Xauth is performed first The Xauth feature is optional and is enabled using the crypto map map-name client authentication aaa-group-tag command AAA must be configured on the PIX Firewall using the aaa-server group_tag (if_name) host server_ip key timeout seconds command before Xauth is enabled Use the same AAA server name within the aaa-server and crypto map client authentication command statements See the aaa-server command and the crypto map command in the Cisco PIX Firewall Command Reference for more information Note The VPN client remote user should be running the Cisco Secure VPN Client version 1.1, Cisco VPN 3000 Client version 2.5/2.6, or Cisco VPN Client version 3.x We recommend Cisco VPN Client version 3.x Cisco PIX Firewall and VPN Configuration Guide 8-2 78-13943-01 Chapter Configuring VPN Client Remote Access Configuring Extended Authentication (Xauth) Making an Exception to Xauth for a Site-to-Site VPN Peer If you have both a site-to-site VPN peer and VPN client peers terminating on the same interface, and have the Xauth feature configured, configure the PIX Firewall to make an exception to this feature for the site-to-site VPN peer With this exception, the PIX Firewall will not challenge the site-to-site peer for a username and password The command that you employ to make an exception to the Xauth feature depends on the authentication method you are using within your IKE policies Table 8-1 summarizes the guidelines to follow Table 8-1 Configuring no-xauth IKE Authentication Method no-xauth Related Command to Use pre-shared key isakmp key keystring address ip-address [netmask] [no-xauth] [no-config-mode] See the isakmp command page within the Cisco PIX Firewall Command Reference for more information See Step within “Extended Authentication Configuration” in this chapter for the no-xauth configuration step rsa signatures isakmp peer fqdn fqdn [no-xauth] [no-config-mode] See the isakmp command page within the Cisco PIX Firewall Command Reference for more information See Step within “Extended Authentication Configuration” in this chapter for the no-xauth configuration step Extended Authentication Configuration Follow these steps to configure Xauth on your PIX Firewall: Step Set up your basic AAA Server: aaa-server group_tag (if_name) host server_ip key For example: aaa-server TACACS+ (outside) host 10.0.0.2 secret123 This example specifies that the authentication server with the IP address 10.0.0.2 resides on the outside interface and is in the default TACACS+ server group The key “secret123” is used between the PIX Firewall and the TACACS+ server for encrypting data between them Step Enable Xauth Be sure to specify the same AAA server group tag within the crypto map client authentication command statement as was specified in the aaa-server command statement crypto map map-name client authentication aaa-group-tag For example: crypto map mymap client authentication TACACS+ In this example, Xauth is enabled at the crypto map “mymap” and the server specified in the TACACS+ group will be used for user authentication Cisco PIX Firewall and VPN Configuration Guide 78-13943-01 8-3 Chapter Configuring VPN Client Remote Access Assigning IP Addresses to VPN Clients with IKE Mode Config Step (Optional) Perform this step for each site-to-site VPN peer that shares the same interface as the VPN client(s) and is configured to use a pre-shared key This step allows the PIX Firewall to make an exception to the Xauth feature for the given site-to-site VPN peer isakmp key keystring address ip-address [netmask mask] [no-xauth] [no-config-mode] For example: isakmp key secretkey1234 address 10.2.2.2 netmask 255.255.255.255 no-xauth Step (Optional) To make an exception to the Xauth feature for the given site-to-site VPN peer, enter the following command: isakmp peer fqdn fqdn [no-xauth] [no-config-mode] Perform this step for each site-to-site VPN peer that shares the same interface as the VPN client(s) and is configured to use RSA-signatures For example: isakmp peer fqdn hostname1.example.com no-xauth Assigning IP Addresses to VPN Clients with IKE Mode Config This section describes how to use IKE Mode Config to assign IP addresses dynamically to VPN clients It includes the following topics: • Overview • Making an Exception to IKE Mode Config for Site-to-Site VPN Peers • Configuring IKE Mode Config Overview The IKE Mode Configuration (Config) feature allows a security gateway (in this case a PIX Firewall) to download an IP address (and other network level configuration) to a VPN client peer as part of an IKE negotiation Using this exchange, the PIX Firewall gives an IP address to the VPN client to be used as an “inner” IP address encapsulated under IPSec This provides a known IP address for a VPN client, which can be matched against the IPSec policy Note If you use IKE Mode Config on the PIX Firewall, the routers handling the IPSec traffic must also support IKE Mode Config Cisco IOS Release 12.0(7)T and higher supports IKE Mode Config To implement IPSec VPNs between remote access VPN clients with dynamic (or virtual) IP addresses and a corporate gateway, you must dynamically administer scalable IPSec policy on the gateway once each client is authenticated With IKE Mode Config, the gateway can set up scalable policy for a very large set of clients irrespective of the IP addresses of those clients Cisco PIX Firewall and VPN Configuration Guide 8-4 78-13943-01 Chapter Configuring VPN Client Remote Access Assigning IP Addresses to VPN Clients with IKE Mode Config There are two types of IKE Mode Config for a VPN: • Gateway initiation—Gateway initiates the configuration mode with the client Once the client responds, the IKE modifies the sender’s identity, the message is processed, and the client receives a response • Client initiation—Client initiates the configuration mode with the gateway The gateway responds with an IP address it has allocated for the client The following is a summary of the major steps to perform when configuring IKE Mode Config on your PIX Firewall See the “Configuring IKE Mode Config” section for the complete configuration steps • Define the pool of IP addresses Use the ip local pool command to define a local address pool See the ip local pool command page within the Cisco PIX Firewall Command Reference for more information about this command • Reference the pool of IP addresses in the IKE configuration Use the isakmp client configuration address-pool local command to configure the IP address local pool you defined to reference IKE See the isakmkp command page within the Cisco PIX Firewall Command Reference for more information about this command • Define which crypto maps should attempt to configure clients, and whether the PIX Firewall or the client initiates the IKE Mode Config Use the crypto map client-configuration address command to configure IKE Mode Config See the crypto map command in the Cisco PIX Firewall Command Reference for more information Making an Exception to IKE Mode Config for Site-to-Site VPN Peers If you have both a site-to-site VPN peer and VPN clients terminating on the same interface, and have the IKE Mode Config feature configured, configure the PIX Firewall to make an exception to this feature for the site-to-site VPN peer With this exception, the PIX Firewall will not attempt to download an IP address to the peer for dynamic IP address assignment The command that you employ to bypass the IKE Mode Config feature depends on the authentication method you are using within your IKE policies See Table 8-2 for the guidelines to follow Table 8-2 Configuring no-config-mode IKE Authentication Method no-config-mode Related Command to Use pre-shared key isakmp key keystring address ip-address [netmask] [no-xauth] [no-config-mode] See the isakmp command page in the Cisco PIX Firewall Command Reference for more information See Step in “Configuring Extended Authentication (Xauth)” for the no-config-mode configuration step rsa signatures isakmp peer fqdn fqdn [no-xauth] [no-config-mode] See the isakmp command page in the Cisco PIX Firewall Command Reference for more information See Step in the “Configuring Extended Authentication (Xauth)” for the no-config-mode configuration step Cisco PIX Firewall and VPN Configuration Guide 78-13943-01 8-5 Chapter Configuring VPN Client Remote Access Assigning IP Addresses to VPN Clients with IKE Mode Config Configuring IKE Mode Config To configure IKE Mode Config on your PIX Firewall, perform the following steps: Step Define the pool of IP addresses: ip local pool pool-name start-address-[end-address] For example: ip local pool ire 172.16.1.1-172.16.1.254 Step Reference the defined pool of IP addresses in the IKE configuration: isakmp client configuration address-pool local pool-name [interface-name] For example: isakmp client configuration address-pool local csvc outside Step Define which crypto maps should attempt to configure clients: crypto map map-name client configuration address initiate | respond For example: crypto map mymap client configuration address initiate Step (Optional) Perform this step for each site-to-site VPN peer that shares the same interface as the VPN client(s) and is configured to use a pre-shared key This step allows the PIX Firewall to make an exception to the IKE Mode Config feature for the given site-to-site VPN peer isakmp key keystring address ip-address [no-xauth] [no-config-mode] For example: isakmp key secretkey1234 address 10.2.2.2 255.255.255.255 no-config-mode Step (Optional) Perform this step for each site-to-site VPN peer that shares the same interface as the VPN client(s) and is configured to use RSA-signatures This step allows the PIX Firewall to make an exception to the IKE Mode Config feature for the given site-to-site VPN peer isakmp peer fqdn fqdn [no-xauth] [no-config-mode] For example: isakmp peer fqdn hostname1.example.com no-config-mode Example 8-1 shows a PIX Firewall that has been configured to both set IP addresses to clients and to respond to IP address requests from clients whose packets arrive on the outside interface using dynamic crypto map without explicitly specifying the peer Example 8-1 IKE Mode Config : define the ip address pool ip local pool csvc 172.16.1.1-172.16.1.254 : reference the defined pool of IP addresses in IKE crypto isakmp client configuration address-pool local csvc outside : access-list 103 permit ip host 172.21.230.34 172.21.1.0 255.255.255.0 Cisco PIX Firewall and VPN Configuration Guide 8-6 78-13943-01 Chapter Configuring VPN Client Remote Access Cisco VPN 3000 Client Version 2.5/2.6 and Cisco VPN Client Version 3.x : crypto ipsec transform-set pc esp-des esp-md5-hmac : crypto dynamic-map dyn 10 set transform-set pc : enable address assignment in crypto map crypto map dyn client configuration address initiate crypto map dyn client configuration address respond : crypto map dyn 10 ipsec-isakmp dynamic dyn crypto map dyn interface outside Cisco VPN 3000 Client Version 2.5/2.6 and Cisco VPN Client Version 3.x This section provides examples for configuring the PIX Firewall and Cisco VPN 3000 Client version 2.5/2.6 or the Cisco VPN Client version 3.x It includes the following topics: • Cisco VPN Client Overview • Xauth, RADIUS, IKE Mode Config, and Wildcard, Pre-Shared Key • Xauth, IKE Mode Config, and Digital Certificates Cisco VPN Client Overview Remote access VPN users employing the Cisco VPN 3000 Client version 2.5/2.6, or the Cisco VPN Client version 3.x, can now securely access their private enterprise network through the PIX Firewall Unlike the Cisco Secure VPN Client version 1.1, the Cisco VPN Client requires the Easy VPN Server to push policy information to it To support the Cisco VPN Client, the IKE Mode Config feature within the PIX Firewall has been extended to include the downloading of DNS, WINS, default domain, and split tunnel mode attributes to the Cisco VPN 3000 Client The split tunnel mode allows the PIX Firewall to define the policy that determines the traffic to be encrypted and the traffic to be transmitted in clear text This policy will be pushed to the VPN client during the mode config With split tunnelling enabled, the VPN client PC can still access Internet while the VPN client is running The vpngroup command set lets you configure Cisco VPN 3000 Client policy attributes to be associated with a VPN group name and downloaded to the Cisco VPN 3000 client(s) that are part of the given group The purpose of these new commands is to configure the Cisco VPN Client policy groups See the vpngroup command in the Cisco PIX Firewall Command Reference for more information This section provides two examples of how to configure the PIX Firewall and the Cisco VPN 3000 Client for interoperability The steps for configuring the Cisco VPN 3000 Client version 2.5/2.6 and the Cisco VPN Client version 3.x are the same, except where noted The first example shows use of the following supported features: • Extended Authentication (Xauth) for user authentication • RADIUS authorization for user services authorization • IKE Mode Config for VPN IP address assignment • Wildcard pre-shared key for IKE authentication Cisco PIX Firewall and VPN Configuration Guide 78-13943-01 8-7 Chapter Configuring VPN Client Remote Access Cisco VPN 3000 Client Version 2.5/2.6 and Cisco VPN Client Version 3.x The second example shows use of the following supported features: Note • Extended Authentication (Xauth) for user authentication • IKE Mode Config for VPN IP address assignment • Digital certificate for IKE authentication If the Cisco Secure VPN Client version 1.1 is already installed on the computer, uninstall it from your computer and ensure all directories containing this VPN client application are cleared of it before you install the Cisco VPN 3000 Client version 2.5/2.6 or the Cisco VPN Client version 3.x Xauth, RADIUS, IKE Mode Config, and Wildcard, Pre-Shared Key This section shows use of extended authentication (Xauth), RADIUS authorization, IKE Mode Config, and a wildcard, pre-shared key for IKE authentication between a PIX Firewall and a Cisco VPN 3000 Client It includes the following topics: • Scenario Description • Configuring the PIX Firewall • Configuring the Cisco VPN 3000 Client Scenario Description With the vpngroup command set, you configure the PIX Firewall for a specified group of Cisco VPN 3000 Client users, using the following parameters: • Group name for a given group of Cisco VPN 3000 Client users • Pre-shared key or group password used to authenticate your VPN access to the remote server (PIX Firewall) Note This pre-shared key is equivalent to the password that you enter in the Group Password box of the Cisco VPN 3000 Client while configuring your group access information for a connection entry • Pool of local addresses to be assigned to the VPN group • (Optional) IP address of a DNS server to download to the Cisco VPN 3000 Client • (Optional) IP address of a WINS server to download to the Cisco VPN 3000 Client • (Optional) Default domain name to download to the Cisco VPN 3000 Client • (Optional) Split tunneling enabled on the PIX Firewall allowing both encrypted and clear traffic between the Cisco VPN 3000 Client and the PIX Firewall Note • If split tunneling is not enabled, all traffic between the Cisco VPN 3000 Client and the PIX Firewall will be encrypted (Optional) Inactivity timeout setting for the Cisco VPN 3000 Client The default is 30 minutes Cisco PIX Firewall and VPN Configuration Guide 8-8 78-13943-01 Chapter Configuring VPN Client Remote Access Cisco VPN 3000 Client Version 2.5/2.6 and Cisco VPN Client Version 3.x On the Cisco VPN 3000 Client, you would configure the vpngroup name and group password to match that which you configured on the PIX Firewall When the Cisco VPN 3000 Client initiates ISAKMP with the PIX Firewall, the VPN group name and pre-shared key are sent to the PIX Firewall The PIX Firewall then uses the group name to look up the configured client policy attributes for the given Cisco VPN 3000 Client and downloads the matching policy attributes to the client during the IKE negotiation Figure 8-1 illustrates the example network Figure 8-1 Cisco VPN 3000 Client Access VPN Client user Internet Router 209.165.200.227 209.165.200.229 PIX Firewall 192.168.101.1 10.0.0.1 192.168.101.2 AAA Server partnerauth San Jose Office 44311 10.0.0.15 DNS/WINS Server 10.0.0.14 Configuring the PIX Firewall Follow these steps to configure the PIX Firewall to interoperate with the Cisco VPN 3000 Client using Xauth, IKE Mode Config, AAA authorization with RADIUS, and a wildcard, pre-shared key: Step Define AAA related parameters: aaa-server radius protocol radius aaa-server partnerauth protocol radius aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout Step Configure the IKE policy: isakmp isakmp isakmp isakmp enable policy policy policy outside encr 3des hash md5 authentication pre-share Cisco PIX Firewall and VPN Configuration Guide 78-13943-01 8-9 Chapter Configuring VPN Client Remote Access Cisco VPN 3000 Client Version 2.5/2.6 and Cisco VPN Client Version 3.x Note Step To configure the Cisco VPN Client version 3.x, include the isakmp policy group command in this step Configure a wildcard, pre-shared key: isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0 Step Create an access list that defines the PIX Firewall local network(s) requiring IPSec protection: access-list 80 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0 Step Create access lists that define the services the VPN clients are authorized to use with the RADIUS server: access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq telnet access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ftp access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq http Note Step Configure the authentication server with the vendor-specific acl=acl_ID identifier to specify the access-list ID In this example, the access-list ID is 100 Your entry in the authentication server would then be acl=100 Configure NAT 0: nat (inside) access-list 80 Step Configure a transform set that defines how the traffic will be protected: crypto ipsec transform-set strong-des esp-3des esp-sha-hmac Step Create a dynamic crypto map: crypto dynamic-map cisco set transform-set strong-des Specify which transform sets are allowed for this dynamic crypto map entry Step Add the dynamic crypto map set into a static crypto map set: crypto map partner-map 20 ipsec-isakmp dynamic cisco Step 10 Apply the crypto map to the outside interface: crypto map partner-map interface outside Step 11 Enable Xauth: crypto map partner-map client authentication partnerauth Step 12 Configure IKE Mode Config related parameters: ip local pool dealer 10.1.1.1-10.1.1.254 Note Step 13 To configure the Cisco VPN 3000 Client version 2.5/2.6, include the crypto map partner-map client configuration address initiate command in this step Configure Cisco VPN 3000 Client policy attributes to download to the Cisco VPN Client: vpngroup superteam address-pool dealer vpngroup superteam dns-server 10.0.0.15 vpngroup superteam wins-server 10.0.0.15 Cisco PIX Firewall and VPN Configuration Guide 8-10 78-13943-01 ... Cisco PIX Firewall and VPN Configuration Guide 78-13943-01 8-19 Chapter Configuring VPN Client Remote Access Cisco Secure VPN Client Version 1.1 Figure 8-3 VPN Client Access VPN Client user Internet... 78-13943-01 Chapter Configuring VPN Client Remote Access Cisco VPN 3000 Client Version 2.5/2.6 and Cisco VPN Client Version 3.x On the Cisco VPN 3000 Client, you would configure the vpngroup name and... PIX Firewall and VPN Configuration Guide 8-14 78-13943-01 Chapter Configuring VPN Client Remote Access Cisco VPN 3000 Client Version 2.5/2.6 and Cisco VPN Client Version 3.x Configuring the PIX