Cisco Concentrator

This topic describes how to configure Cisco Concentrator to work in a VPN site-to-site solution with ISA Server.

Cisco Concentrator: Preshared Secret Configuration Overview

The following IPSec settings will be used in this section of this configuration document:

  • Phase I
    • Main mode
    • 3DES
    • SHA-1
    • MODP Group 2 (1024 bits) for DH
    • SA lifetime of 28,800 seconds
    • Preshared Secret
  • Phase II
    • 3DES
    • SHA-1
    • PFS & MODP Group 2 (1024 bits) for DH
    • SA lifetime of 3600 seconds

Preshared Secret Checklist

Use the following checklist for preshared secrets.

  • Install and configure Cisco Concentrator 3005 VPN Concentrator
  • Determine remote gateway external IP address
  • Determine remote networks protected by the remote gateway
  • Set preshared secrets
  • Configure network list
  • Configure IKE proposal
  • Configure LAN-to-LAN connection
  • Modify security association
  • Test IPSec tunnel

For installation and configuration information and documentation, refer to the documents found on the Cisco website (www.cisco.com).

Cisco Concentrator Configuration Walk-through Procedure 1: Configuring the Preshared Secret Solution

This topic describes in detail the process to configure the Cisco Concentrator 3000 series VPN device to successfully establish a site-to-site IPSec tunnel with the ISA Server computer using the settings specified in Cisco Concentrator: Preshared Secret Configuration Overview. This section includes tips that can be used to improve the functionality of the IPSec tunnel, performance of the device, or the security of the device.

Note

The step-by-step instructions in the following sections assume that you have a working knowledge of Cisco Concentrator, and only the parameters directly related to the scenarios are described in detail.
We recommend that you apply your changes after each step.

Create a Network List

Use the following steps to create a network list.

  1. Browse to the Web based VPN 3000 Concentrator Series Manager and log on.

  2. From the left menu navigate to and select Network Lists by expanding the Configuration, Policy Management, and Traffic Management menus.

  3. Select Add to display the screen to create the network list.

  4. In the Add Network Lists screen:

    • Enter ISAServer-Remote as the network List Name.
    • Enter 10.4.5.0/0.0.0.255 and 10.5.6.0/0.0.0.255 as the unique networks and corresponding wildcard masks, one per line, using the format: n.n.n.n/n.n.n.n for the network list.

    Note

    A wildcard mask is the reverse of a subnet mask: it has 1s in the bit positions to ignore and 0s in the bit positions to match.

  5. After all the networks have been defined, select Add to create the network list.

Configure IKE Proposal

Use the following steps to configure the IKE proposal.

  1. From the left menu navigate to and select IKE Proposals by expanding the Configuration, System, Tunnel Protocols, and IPSec menus.

  2. Select Add to display the screen to create the IKE proposal.

  3. In the Add IKE Proposal screen:

    • Enter IKE-3DES-SHA as the IKE Proposal Name.
    • Select Preshared Keys as the Authentication Mode from the drop-down list.
    • Select SHA/HMAC-160 as the Authentication Algorithm from the drop-down list.
    • Select 3DES-168 as the Encryption Algorithm from the drop-down list.
    • Select Group 2 (1024-bits) as the Diffie-Hellman Group from the drop-down list.
    • Select Time as the Lifetime Measurement from the drop-down list.
    • Enter 28800 as the Time Lifetime.

    Note

    Even though the Data Lifetime field is displayed, the value will have no effect on the IPSec tunnel unless Data is selected as the Lifetime Measurement.

  4. In the IKE Proposals screen:

    • Highlight the created IKE proposal.
    • Select Activate to move the created IKE proposal from the Inactive Proposals column to the Active Proposals column.

After the newly created IKE proposal has been activated, it appears at the bottom of the Active Proposals column, so it is not the default IKE proposal.

Configure LAN-to-LAN Connection

Use the following steps to configure a LAN-to-LAN connection.

  1. From the left menu navigate to and select LAN-to-LAN by expanding the Configuration, System, Tunnel Protocols, and IPSec menus.

  2. Select Add to display the screen to create the LAN-to-LAN connection.

  3. In the Add a new IPSec LAN-to-LAN connection screen:

    • Enter Site-to-Site as the LAN-to-LAN connection Name.
    • Select Ethernet 2 (Public) (22.23.24.2) as the Interface from the drop-down list. The selected interface is the interface of the Cisco VPN Concentrator that will be the IPSec tunnel endpoint.
    • Enter 14.15.16.17 as the Peer, which is the external IP address of the remote gateway participating in the IPSec tunnel.
    • Select None (Use Preshared Keys) as the Digital Certificate from the drop-down list.
    • Enter Cool-Dude! as the Preshared Key.
    • Select ESP/SHA/HMAC-160 as the Authentication from the drop-down list.
    • Select 3DES-168 as the Encryption from the drop-down list.
    • Select IKE-3DES-SHA as the IKE Proposal from the drop-down list.
    • Select Use IP Address/Wildcard-mask below as the network list from the drop-down list under Local Network.
    • Enter 172.23.9.0 as the IP Address.
    • Enter 0.0.0.255 as the Wildcard Mask.

    Note

    When configuring an IPSec tunnel with more than one network as the local or remote network, a network list must be used. If only one network is either the local or remote network, it can be defined on this screen.

  4. Select ISAServer-Remote as the network list from the drop-down list under Remote Network.

  5. Review the changes that have been made to the Cisco VPN Concentrator which include:

    • Authentication server
    • Group
    • Security association
    • Filter rules

    Note

    These modifications may need to be further modified to successfully establish the IPSec tunnel or to enhance the security of the IPSec tunnel by limiting the allowed protocols, limiting the allowed ports, limiting the allowed hosts, and enhancing the key exchange mechanisms.

Modify Security Association

Use the following steps to modify the security association.

  1. From the left menu navigate to and select SAs by expanding the Configuration, Policy Management, and Traffic Management menus.
  2. In the Security Association screen:
    • Highlight the newly configured security association L2L: Site-to-Site.
    • Select Modify.
  3. In the Modify a configured Security Association screen:
    • Review the currently selected parameters to ensure the accuracy.
    • Select Group 2 (1024-bit) for Perfect Forward Secrecy from the drop-down list.
  4. Test the IPSec tunnel after the third-party gateway peer has been configured by sending ICMP traffic to the remote internal network through the IPSec tunnel using the ping utility.

Cisco Concentrator: Certificate Configuration Overview

This section outlines the IPSec settings and the specific settings required for this device to perform certificate authentication.

The following IPSec settings will be used in this section of this configuration document:

  • Phase I
    • Main mode
    • 3DES
    • SHA-1
    • MODP Group 2 (1024 bits) for DH
    • SA lifetime of 28,800 seconds
    • Certificate Authentication
  • Phase II
    • 3DES
    • SHA-1
    • PFS & MODP Group 2 (1024 bits) for DH
    • SA lifetime of 3600 seconds
    • ESP tunnel mode

Certificate Checklist

Use the following checklist for certificates.

  • Install and configure Cisco Concentrator 3005 VPN Concentrator
  • Determine remote gateway external IP address
  • Determine remote networks protected by the remote gateway
  • Determine certification authority to use
  • Configure network list
  • Configure local certificate
  • Configure IKE proposal
  • Configure LAN-to-LAN connection
  • Modify security association
  • Test IPSec tunnel

For installation and configuration information and documentation, refer to the documents found on the Cisco website (www.cisco.com).

Cisco Concentrator Configuration Walk-through Procedure 2: Configuring the Certificate Solution

This topic describes in detail the process to configure the Cisco Concentrator 3000 series virtual private network (VPN) device to successfully establish a site-to-site IPSec tunnel with the ISA Server computer using the settings specified in Cisco Concentrator: Certificate Configuration Overview. This section includes tips that can be used to improve the functionality of the IPSec tunnel, performance of the device, or the security of the device.

Note

The step-by-step instructions in the following sections assume that you have a working knowledge of Cisco Concentrator, and only the parameters directly related to the scenarios are described in detail.
We recommend that you apply your changes after each step.

Configure Network List

Use the following steps to configure the network list.

  1. Browse to the Web-based VPN 3000 Concentrator Manager and log on.

  2. From the left menu, navigate to and select Network Lists by expanding the Configuration, Policy Management, and Traffic Management menus.

  3. Select Add to display the screen to create the network list.

  4. In the Add Network Lists screen:

    • Enter ISAServer-Remote as the network List Name.
    • Enter 10.4.5.0/0.0.0.255 and 10.5.6.0/0.0.0.255 as the unique networks and corresponding wildcard masks, one per line, using the format: n.n.n.n/n.n.n.n for the network list.

    Note

    A wildcard mask is the reverse of a subnet mask: it has 1s in the bit positions to ignore and 0s in the bit positions to match.

  5. After all the networks have been defined, select Add to create the network list.

Certificate Configuration

Use the following steps to configure the certificate.

  1. From the left menu, navigate to and select Certificate Management by expanding the Administration menu.
  2. Select Click here to install a CA certificate.
  3. Select SCEP (Simple Certificate Enrollment Protocol).
  4. In the SCEP screen:
  5. Select Click here to enroll with a Certificate Authority.
  6. Select Identity certificate.
  7. Select Enroll via SCEP at Testlab.
  8. In the SCEP screen:
    • Enter Cisco as the Common Name (CN).
    • Enter TestLab as the Organizational Unit (OU).
    • Enter Fabrikam as the Organization (O).
    • Enter Timonium as the Locality (L).
    • Enter MD as the State/Province (SP).
    • Enter US as the Country (C).
    • Enter test@fabrikam.com as the Subject Alternative Name (E-Mail Address).
    • Select RSA 1024 bits as the Key Size from the drop-down list.

The Certificate Request will automatically enroll and transfer the created certificate to the Cisco Concentrator.

Configure IKE Proposal

Use the following steps to configure the IKE proposal.

  1. From the left menu, navigate to and select IKE Proposals by expanding the Configuration, System, Tunnel Protocols, and IPSec menus.

  2. Select Add to display the screen to create the IKE proposal.

  3. In the Add IKE Proposal screen:

    • Enter IKE-3DES-SHA-RSA as the IKE Proposal Name.
    • Select RSA Digital Certificate as the Authentication Mode from the drop-down list.
    • Select SHA/HMAC-160 as the Authentication Algorithm from the drop-down list.
    • Select 3DES-168 as the Encryption Algorithm from the drop-down list.
    • Select Group 2 (1024-bits) as the Diffie-Hellman Group from the drop-down list.
    • Select Time as the Lifetime Measurement from the drop-down list.
    • Enter 28800 as the Time Lifetime.

    Note

    Even though the Data Lifetime field is displayed, the value will have no effect on the IPSec tunnel unless Data is selected as the Lifetime Measurement.

  4. In the IKE Proposals screen:

    • Highlight the created IKE proposal.
    • Select Activate to move the created IKE Proposal from the Inactive Proposals column to the Active Proposals column.

After the newly created IKE proposal has been activated, it appears at the bottom of the Active Proposals column, so it is not the default IKE proposal.

Configure LAN-to-LAN Connection

Use the following steps to configure a LAN-to-LAN connection.

  1. From the left menu, navigate to and select LAN-to-LAN by expanding the Configuration, System, Tunnel Protocols, and IPSec menus.

  2. Select Add to display the screen to create the LAN-to-LAN connection.

  3. In the Add a New IPSec LAN-to-LAN Connection screen:

    • Enter Site-to-Site as the LAN-to-LAN connection Name.
    • Select Ethernet 2 (Public) (22.23.24.2) as the Interface from the drop-down list. The selected interface is the interface of the Cisco VPN Concentrator that will be the IPSec tunnel endpoint.
    • Enter 14.15.16.17 as the Peer, which is the external IP address of the remote gateway participating in the IPSec tunnel.
    • Select cisco as the Digital Certificate from the drop-down list.
    • Select ESP/SHA/HMAC-160 as the Authentication from the drop-down list.
    • Select 3DES-168 as the Encryption from the drop-down list.
    • Select IKE-3DES-SHA-RSA as the IKE Proposal from the drop-down list.
    • Select Use IP Address/Wildcard-mask below as the network list from the drop-down list under Local Network.
    • Enter 172.23.9.0 as the IP Address.
    • Enter 0.0.0.255 as the Wildcard Mask.

    Note

    When configuring an IPSec tunnel with more than one network as the local or remote network, a network list must be used. If only one network is either the local or remote network, it can be defined on this screen.

  4. Select ISAServer-Remote as the network list from the drop-down list under Remote Network.

  5. Review the changes that have been made to the Cisco VPN Concentrator, which include:

    • Authentication Server
    • Group
    • Security Association
    • Filter Rules

    Note

    These modifications may need to be further modified to successfully establish the IPSec tunnel or to enhance the security of the IPSec tunnel by limiting the allowed protocols, limiting the allowed ports, limiting the allowed hosts, and enhancing the key exchange mechanisms.

Modify Security Association

Use the following steps to modify the security association.

  1. From the left menu, navigate to and select SAs by expanding the Configuration, Policy Management, and Traffic Management menus.
  2. In the Security Association screen:
    • Highlight the newly configured IPSec SA: L2L: Site-to-Site.
    • Select Modify.
  3. In the Modify a Configured Security Association screen:
    • Review the currently selected parameters to ensure the accuracy.
    • Select Group 2 (1024-bit) for Perfect Forward Secrecy from the drop-down list.
  4. Test the IPSec tunnel after the third-party gateway peer has been configured by sending ICMP traffic to the remote internal network through the IPSec tunnel using the ping utility.

Troubleshooting the Cisco Concentrator Solution

This section contains troubleshooting tips, drawn from the Cisco-3000.pdf document found at www.vpnc.org. For additional troubleshooting information, refer to the Cisco Knowledge Base articles on the Cisco website (www.cisco.com).

IP Addressing

Be sure that the IP addresses and subnet masks you have configured accurately represent your network.

Local and Remote Network Addresses

When you configure a LAN-to-LAN connection:

  • Do not confuse the local network with the remote network.
  • In the IPSec | LAN-to-LAN | Add screen be sure to enter network addresses, and not host addresses, in the Local Network IP Address and Remote Network IP Address fields.
  • In the IPSec | LAN-to-LAN | Add screen be sure to enter wildcard masks, and not subnet masks, in the Local Network IP Address and Remote Network IP Address fields. A wildcard mask is the reverse of a subnet mask: it has ones in bit positions to ignore, and zeros in bit positions to match. For example, a subnet mask of 255.255.255.0 converts to a wildcard mask of 0.0.0.255.
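The three mistakes listed above (local and remote swapped, a host address where a network address belongs, a subnet mask where a wildcard mask belongs) can all be caught before the values are typed into the Manager. The following helper is an added example, not code from the original document or from Cisco; it performs the wildcard-mask conversion described in the note on the Add Network Lists screen and validates entries in the n.n.n.n/n.n.n.n format that screen expects. The function names are this example's own, and the sample networks are the ones used in the walk-through.

```python
import ipaddress

# Added example, not part of the original document: helper functions for the
# wildcard-mask arithmetic the Concentrator expects in network lists and in
# the Local Network / Remote Network fields. Sample networks are the ones
# used in the walk-through (10.4.5.0 and 10.5.6.0 remote; 172.23.9.0 local).

ALL_ONES = 0xFFFFFFFF


def _check_contiguous(subnet_mask: int) -> None:
    """A subnet mask must be a run of 1 bits followed by a run of 0 bits."""
    inverted = subnet_mask ^ ALL_ONES
    if inverted & (inverted + 1):
        raise ValueError("mask bits are not contiguous")


def subnet_to_wildcard(subnet_mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255 (bitwise complement of the subnet mask)."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    _check_contiguous(mask)
    return str(ipaddress.IPv4Address(mask ^ ALL_ONES))


def wildcard_to_subnet(wildcard_mask: str) -> str:
    """0.0.0.255 -> 255.255.255.0; rejects a subnet mask typed as a wildcard."""
    mask = int(ipaddress.IPv4Address(wildcard_mask)) ^ ALL_ONES
    _check_contiguous(mask)
    return str(ipaddress.IPv4Address(mask))


def parse_network_list_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse one 'n.n.n.n/n.n.n.n' (address/wildcard mask) network-list line.

    Rejects host addresses (bits set where the wildcard mask says "ignore")
    and subnet masks entered where a wildcard mask belongs, the two mistakes
    the troubleshooting section warns about.
    """
    addr_text, sep, wild_text = entry.strip().partition("/")
    if not sep:
        raise ValueError("expected address/wildcard-mask")
    addr = int(ipaddress.IPv4Address(addr_text))
    wild = int(ipaddress.IPv4Address(wild_text))
    try:
        subnet = wildcard_to_subnet(wild_text)
    except ValueError:
        raise ValueError(f"{wild_text} is not a valid wildcard mask "
                         "(subnet mask entered instead?)") from None
    if addr & wild:
        network = ipaddress.IPv4Address(addr & (wild ^ ALL_ONES))
        raise ValueError(f"{addr_text} is a host address; use network address {network}")
    return ipaddress.IPv4Network(f"{addr_text}/{subnet}")


def check_lan_to_lan(local_entries, remote_entries):
    """Validate both sides of a LAN-to-LAN definition; return a list of problems.

    An empty list means every entry parsed and no local network overlaps a
    remote one (an overlap usually means local and remote were swapped or a
    mask is wider than intended).
    """
    problems = []
    parsed = {"local": [], "remote": []}
    for side, entries in (("local", local_entries), ("remote", remote_entries)):
        for entry in entries:
            try:
                parsed[side].append(parse_network_list_entry(entry))
            except ValueError as exc:
                problems.append(f"{side} {entry!r}: {exc}")
    for lnet in parsed["local"]:
        for rnet in parsed["remote"]:
            if lnet.overlaps(rnet):
                problems.append(f"local {lnet} overlaps remote {rnet}")
    return problems


if __name__ == "__main__":
    # Values from the walk-through: local 172.23.9.0/0.0.0.255, remote list ISAServer-Remote.
    print(subnet_to_wildcard("255.255.255.0"))
    print(check_lan_to_lan(["172.23.9.0/0.0.0.255"],
                           ["10.4.5.0/0.0.0.255", "10.5.6.0/0.0.0.255"]))
    # Both common mistakes at once: a subnet mask on the local side, a host address on the remote.
    print(check_lan_to_lan(["172.23.9.0/255.255.255.0"], ["10.4.5.7/0.0.0.255"]))
```

The contiguity check is what distinguishes a wildcard mask from a subnet mask: complementing 255.255.255.0 gives 0.0.0.255, whose bits are not a valid prefix, so a subnet mask typed into a wildcard field is reported instead of silently producing a wrong network.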

Testing Internet Connectivity

Use ping from the public (WAN) interface of the origin gateway to the public interface of the destination gateway to test whether there is a problem on the Internet. In the Concentrator Manager drop-down table of contents, click Administration, and then click Ping. The Ping screen appears.

Enter the IP address of the public interface for the destination gateway and click Ping. The VPN Concentrator returns a Success message if it can contact the IP address you entered. If it cannot, it displays an error screen.

Testing SA Connectivity

Ping from the private (inside) interface of the origin gateway to the inside interface of the destination gateway to test whether there is a problem setting up the SAs. Do this from a PC behind the private interface of the VPN Concentrator.

Mismatches of Preshared Keys

It is easy to mistype a preshared key at one end or the other of a LAN-to-LAN connection. If you are sure your IP addresses are correct, but are unsuccessful in bringing up a tunnel, make sure the preshared keys on either side of the connection match exactly. Entries are case-sensitive.

Mismatches of Parameters for IPSec SAs

If you cannot ping from the private interface of the local gateway to the private interface of the destination or remote gateway, there is likely a problem with the security associations. Check that the values for all parameters for the SA on the local network match those values on the remote network exactly.
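Because the Concentrator's drop-down labels (3DES-168, SHA/HMAC-160, Group 2 (1024-bits)) and the overview's shorthand (3DES, SHA-1, MODP Group 2) name the same algorithms, a side-by-side review is easier with both spellings normalised. The following is an added example, not code from the original document or from Cisco: it models the Phase I and Phase II parameters used in this walk-through, compares the two peers field by field, applies the rule from the IKE proposal note (Data Lifetime is ignored unless Data is the Lifetime Measurement), and checks preshared keys case-sensitively as the previous section requires. The class and field names are this example's own; the alias table covers only the labels that appear on this page.

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not part of the original document: a field-by-field
# comparison of the two peers' Phase I and Phase II settings. Field names are
# this example's own; the values are the ones the walk-through uses.

# Labels from the Concentrator drop-downs and from the settings overview that
# name the same thing; both are mapped to one canonical token before comparing.
ALIASES = {
    "main mode": "main",
    "3des-168": "3des",
    "sha-1": "sha1", "sha/hmac-160": "sha1", "esp/sha/hmac-160": "sha1",
    "modp group 2": "group2", "modp group 2 (1024 bits)": "group2",
    "group 2 (1024-bits)": "group2", "group 2 (1024-bit)": "group2",
}


def canon(value):
    """Lower-case a label and collapse known synonyms; non-strings pass through."""
    if not isinstance(value, str):
        return value
    key = value.strip().lower()
    return ALIASES.get(key, key)


@dataclass(frozen=True)
class Phase1:
    mode: str
    auth_mode: str              # "Preshared Keys" or "RSA Digital Certificate"
    encryption: str
    hash: str
    dh_group: str
    lifetime_measurement: str   # "Time" or "Data"
    time_lifetime: int          # seconds
    data_lifetime: int = 0      # kilobytes

    def effective_lifetime(self) -> Tuple[str, int]:
        # Per the IKE proposal note: Data Lifetime has no effect unless Data is
        # selected as the Lifetime Measurement, so only the active one counts.
        if canon(self.lifetime_measurement) == "data":
            return ("data", self.data_lifetime)
        return ("time", self.time_lifetime)


@dataclass(frozen=True)
class Phase2:
    encryption: str
    hash: str
    pfs_group: Optional[str]    # None when Perfect Forward Secrecy is off
    lifetime_seconds: int


def _diff(prefix: str, a, b, fields) -> List[str]:
    """Report every field whose canonical value differs between a and b."""
    out = []
    for name in fields:
        va, vb = getattr(a, name), getattr(b, name)
        if canon(va) != canon(vb):
            out.append(f"{prefix}.{name}: {va!r} != {vb!r}")
    return out


def compare_phase1(a: Phase1, b: Phase1) -> List[str]:
    mismatches = _diff("phase1", a, b, ("mode", "auth_mode", "encryption", "hash", "dh_group"))
    if a.effective_lifetime() != b.effective_lifetime():
        mismatches.append(f"phase1.lifetime: {a.effective_lifetime()} != {b.effective_lifetime()}")
    return mismatches


def compare_phase2(a: Phase2, b: Phase2) -> List[str]:
    return _diff("phase2", a, b, ("encryption", "hash", "pfs_group", "lifetime_seconds"))


def preshared_keys_match(local_key: str, remote_key: str) -> bool:
    """Case-sensitive comparison of the two ends' preshared keys.

    compare_digest is used so the time taken does not depend on where the
    first differing character is.
    """
    return hmac.compare_digest(local_key.encode("utf-8"), remote_key.encode("utf-8"))


if __name__ == "__main__":
    # Concentrator side, as entered in the Add IKE Proposal / LAN-to-LAN screens.
    concentrator_p1 = Phase1("Main", "Preshared Keys", "3DES-168", "SHA/HMAC-160",
                             "Group 2 (1024-bits)", "Time", 28800, data_lifetime=10000)
    # Remote side, described with the overview's shorthand; the data lifetime
    # difference is not reported because both measure by time.
    remote_p1 = Phase1("Main mode", "Preshared Keys", "3DES", "SHA-1", "MODP Group 2", "Time", 28800)
    print(compare_phase1(concentrator_p1, remote_p1))
    # Phase II with PFS set on one side only, the case the Modify Security Association step fixes.
    print(compare_phase2(Phase2("3DES-168", "ESP/SHA/HMAC-160", "Group 2 (1024-bit)", 3600),
                         Phase2("3DES", "SHA-1", None, 3600)))
    print(preshared_keys_match("Cool-Dude!", "cool-dude!"))
```

The normalisation is deliberately narrow: any label outside the alias table is compared as typed, so an unexpected spelling shows up as a mismatch to be looked at rather than being silently accepted.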

Configuring Event Classes

You can configure specific event classes and severities for special handling. For troubleshooting a LAN-to-LAN IPSec connection, add the following event classes, all severities (1-13), to have the Manager send these events to the log or to the console. Use the following steps to configure event classes.

  1. In the Concentrator Manager drop-down table of contents, click Configuration, click System, click Events, and then click Classes. The screen of that name appears.
  2. Click Add. The Configuration | System | Events | Classes | Add screen appears.
  3. In the Class Name field, from the drop-down list, choose IKE.
  4. In the Severity to Log field, from the drop-down list, choose 1-13. The Manager now sends all IKE events to the log. You can set the severity level to a lower range if you want a less verbose log.
  5. In the Severity to Console field, from the drop-down list, choose 1-13. The Manager now sends all IKE events to the console.
  6. If you are using a syslog server, set the Severity to Syslog field to 1-13.
  7. Repeat the steps for the following event classes.
  Event class                    Description
  Auth (AUTH)                    Authentication issues
  Auth Debug (AUTHDBG)           Authentication issues
  Auth Decode (AUTHDECODE)       Authentication issues
  IKE (IKE)                      Phase One IPSec negotiations
  IKE Decode (IKEDECODE)         Phase One IPSec negotiations
  IKE Debug (IKEDBG)             Phase One IPSec negotiations
  IPSec (IPSEC)                  Phase Two IPSec negotiations
  IPSec Decode (IPSECDECODE)     Phase Two IPSec negotiations
  IPSec Debug (IPSECDBG)         Phase Two IPSec negotiations

Viewing the Event Log

There are several ways to view events. The following section describes one useful way to study logged events.

  1. To view the event log, in the Concentrator Manager drop-down table of contents, click Administration, click Monitoring, and then click Filterable Event Log. The screen of that name appears.
  2. You can scroll through events on this screen, or you can click Get Log to scroll through all the log events on one page.
  3. Read closely. The log gives detailed information about IPSec Phase 1 and Phase 2 negotiations, and the status of SAs.