Cisco VPN 3000 Series Concentrators
Interoperability Profile
Overview
This document describes how to configure VPN 3000 Series Concentrators to implement Scenario 1 that
the VPN Consortium specifies in “Documentation Profiles for IPSec Interoperability,”
http://www.vpnc.org/InteropProfiles/Interop-01.html.
Scenario 1 is a gateway-to-gateway configuration with pre-shared secrets for authentication.
A Gateway-to-Gateway VPN Configuration
Figure 1 depicts a typical gateway-to-gateway VPN, also called a LAN-to-LAN VPN. The sections that
follow explain how to configure Gateway A using preshared secrets.
Figure 1
Gateway-to-Gateway VPN Configuration
[Figure: Gateway A (Private 10.5.6.1 on LAN 10.5.6.0/24, Public 14.15.16.17) -- Internet -- Gateway B (Public 22.23.24.25, Private 172.23.9.1 on LAN 172.23.9.0/24)]
• Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN or Private interface has the address 10.5.6.1, and its WAN (Internet) or Public interface has the address 14.15.16.17.
• Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) or Public interface has the address 22.23.24.25. Gateway B's LAN or Private interface address, 172.23.9.1, can be used for testing IPSec, but is not needed for configuring Gateway A.
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
A printed version of this document is an uncontrolled copy.
Company Confidential
Configuring the Gateway A VPN Concentrator
The IKE Phase 1 parameters used in Scenario 1 are:
• Main mode
• Triple DES
• SHA-1
• MODP group 2 (1024 bits)
• pre-shared secret of hr5xb8416aa9r6
• SA lifetime of 28800 seconds (8 hours) with no kbytes rekeying
The IKE Phase 2 parameters used in Scenario 1 are:
• Triple DES
• SHA-1
• MODP group 2 (1024 bits)
• Perfect forward secrecy for rekeying
• SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets.
These are the VPN Consortium's interoperability test values, not a hardening recommendation. The pre-shared secret is published in the profile and must be replaced by a long, randomly generated secret on any real tunnel, and 3DES, SHA-1 and 1024-bit MODP group 2 are no longer considered adequate for new deployments.
See the VPN 3000 Series Concentrator Getting Started guide, Chapter 2, for instructions on installing
and powering up the VPN Concentrator. Then you are ready to configure the VPN Concentrator,
accepting default values when possible.
Using the Console to Configure the Private Interface
You must use the console for the first configuration steps—setting the system time and date, and
configuring the private Ethernet interface (to the internal LAN), as described in the following steps. Then
you can use the HTML-based VPN Concentrator Manager from a browser to complete configuration.
Step 1
You started the terminal emulator window on the console in the “Powering Up” section of the VPN
3000 Series Getting Started guide; if not, start it now and press Enter on the console keyboard until you
see the login prompt. (You may see a password prompt and other messages as you press Enter. Ignore
them and stop at the login prompt.)
Login: _
Step 2
At the cursor, enter the default login name: admin. At the password prompt, enter the default password: admin. The same admin/admin credentials also log you in to the browser-based Manager; change the default password as soon as initial configuration is complete.
Login: admin
Password: admin
Step 3
The system displays the opening message and prompts you to set the time on the VPN Concentrator.
The correct time is very important, so that logging and accounting entries are accurate, and so that the
system can create a valid security certificate. The time in brackets is the current device time.
Welcome to
Cisco Systems
VPN 3000 Concentrator Series
Command Line Interface
Copyright (C) 1998-2001 Cisco Systems, Inc.
-- : Set the time on your device. ...
> Time
Quick -> [ 15:46:41 ] _
At the cursor, enter the correct device time in the format HH:MM:SS, using 24-hour notation. For
example, enter 4:24 p.m. as 16:24:00.
For this and subsequent parameters, to accept the value that displays in brackets, press Enter.
Step 4
The system prompts you to set the date. The number in brackets is the current device date.
-- : Enter the date ...
> Date
Quick -> [ 11/15/2002 ] _
At the cursor, enter the correct date in the format MM/DD/YYYY. Use four digits to enter the year. For
example, enter November 15, 2002 as 11/15/2002.
Step 5
The system prompts you to set the time zone. The time zone selections are offsets in hours relative to
GMT (Greenwich Mean Time), which is the basis for Internet time synchronization. The number in
brackets is the current time zone offset.
-- : Set the time zone on your device. ...
-- : Enter the time zone using the hour offset from GMT: ...
> Time Zone
Quick -> [ 0 ] _
At the cursor, enter the time zone offset in the format +/–NN. For example, enter -5 for U.S. Eastern
Standard Time.
Step 6
The system prompts you with a menu to enable DST (Daylight-Saving Time) support. Enabling DST
support means that the VPN Concentrator automatically adjusts the time zone for DST or standard time.
If your system is in a time zone that uses DST, you must enable DST support.
1) Enable Daylight Savings Time Support
2) Disable Daylight Savings Time Support
Quick -> [ 2 ] _
At the cursor, enter 2 to disable DST support, or enter 1 to enable DST support.
Step 7
The system prompts you to enter an IP address for Ethernet 1, which is the VPN Concentrator interface
to your private network (internal LAN).
This table shows current IP addresses.
 Interface               IP Address/Subnet Mask   MAC Address
 ---------------------------------------------------------------
 | Ethernet 1 - Private  | 0.0.0.0/0.0.0.0       |             |
 | Ethernet 2 - Public   | 0.0.0.0/0.0.0.0       |             |
 | Ethernet 3 - External | 0.0.0.0/0.0.0.0       |             |
 ---------------------------------------------------------------
** An address is required for the private interface. **
> Enter IP Address
Quick Ethernet 1 -> [ 0.0.0.0 ] _
At the cursor, enter 10.5.6.1, the IP address of the LAN interface for Gateway A.
Step 8
The system initializes its network subsystems, which takes a few seconds. It then prompts you for the
subnet mask for the Ethernet 1 (private) interface. The entry in brackets is the standard subnet mask for
the IP address you just entered. For example, an IP address of 10.10.4.6 is a Class A address, and the
standard subnet mask is 255.0.0.0.
> Enter Subnet Mask
Quick Ethernet 1 -> [ 255.0.0.0 ] _
At the cursor, enter 255.255.255.0, the subnet mask for this private network addressing scheme.
Step 9
The system prompts you with a menu to set the speed for the Ethernet 1 interface. You can let the VPN
Concentrator automatically detect and set the appropriate speed (the default), or you can set fixed speeds
of 10 or 100 Mbps (for 10BASE-T or 100BASE-T networks). If you accept the default, be sure that the
port on the active network device (hub, switch, or router) to which you connect this interface is also set
to automatically negotiate the speed. Otherwise, select the appropriate fixed speed.
1) Ethernet Speed 10 Mbps
2) Ethernet Speed 100 Mbps
3) Ethernet Speed 10/100 Mbps Auto Detect
Quick -> [ 3 ] _
To accept the default (3), press Enter.
Step 10
The system prompts you with a menu to set the transmission mode for the Ethernet 1 interface. You can
let the VPN Concentrator automatically detect and set the appropriate mode (the default), or you can
configure the interface for full duplex (transmission in both directions at the same time) or half duplex
(transmission in only one direction at a time). If you accept the default, be sure that the port on the active
network device (hub, switch, or router) to which you connect this interface is also set to automatically
negotiate the transmission mode. Otherwise, select the appropriate fixed mode.
1) Enter Duplex - Half/Full/Auto
2) Enter Duplex - Full Duplex
3) Enter Duplex - Half Duplex
Quick -> [ 1 ] _
To accept the default (1), press Enter.
Step 11
The system now has enough information so that you can exit the CLI and continue configuring with a
browser. The system displays one of the following menus, depending on the model of the Concentrator
being configured:
Model 3005 menu
1) Modify Ethernet 1 IP Address (Private)
2) Modify Ethernet 2 IP Address (Public)
4) Save changes to Config file
5) Continue
6) Exit
Quick -> _
Model 3015–3080 menu
1) Modify Ethernet 1 IP Address (Private)
2) Modify Ethernet 2 IP Address (Public)
3) Modify Ethernet 3 IP Address (External)
5) Save changes to Config file
6) Continue
7) Exit
Quick -> _
First, we recommend that you save your entries to the configuration file. At the cursor, enter the number
for Save changes to Config file. The system redisplays the same menu.
Step 12
For easiest use, we recommend exiting and using the Manager. To do so, enter the number for Exit at the cursor and continue with the next step.
We assume you chose Exit. The system displays:
Done
Continue configuration using the VPN Concentrator Manager.
Using the VPN Concentrator Manager
You can use a browser to connect directly to the VPN Concentrator.
Step 1
Open a browser.
Step 2
In the browser Address or Location field, enter the VPN Concentrator Ethernet 1 (Private) interface IP
address, 10.5.6.1. This is the Gateway A LAN interface address.
The browser displays the VPN Concentrator Manager login screen. (See Figure 2.)
Figure 2
VPN Concentrator Manager Login Screen
Step 3
Click in the Login field and type admin (do not press Enter).
Step 4
Click in the Password field and type admin (the field shows *****).
Step 5
Click the Login button.
The VPN Concentrator Manager displays the main welcome screen that offers you a choice of quick
configuration or the main configuration menu.
Figure 3
Main Welcome Screen: Quick Configuration or Main Menu
Step 6
Click the link click here to go to the Main Menu.
The Main Manager Welcome screen displays.
Figure 4
Main Manager Menu Welcome Screen
From here you can navigate the Manager using either the table of contents in the left frame, or the
Manager toolbar in the top frame. This document typically directs you to use the table of contents.
Configuring the Public Interface
Next configure the WAN interface for Gateway A. This is called the Ethernet 2 Public interface.
Step 1
In the drop-down table of contents, click Configuration > Interfaces. The Configuration | Interfaces
screen displays.
Figure 5
Configuration | Interfaces Screen
Step 2
In the Configuration | Interfaces screen, click Ethernet 2 (Public).
The Configuration | Interfaces | Ethernet 2 screen displays.
Figure 6
Configuration | Interfaces | Ethernet 2 Screen | General Tab
Step 3
In the General Tab, select Static IP Addressing
Step 4
In the IP Address field, enter the IP address of the Public, or WAN interface for Gateway A,
14.15.16.17.
Step 5
In the Subnet Mask field, enter the subnet mask of the Public interface, in this example, 255.255.255.0.
Step 6
In the Public Interface field, verify that the box is checked to make this interface a public interface. You
must configure a public interface and check this box before you can configure a LAN-to-LAN
(Gateway-to-Gateway) connection.
Step 7
In the Filter field, verify that the filter that displays is 2. Public (Default).
Step 8
To apply your settings to the interface and include these settings in the active configuration, click
Apply. The Manager returns to the Configuration | Interfaces screen. It now displays configuration
information for the public interface.
You can accept default values for all other Ethernet interface parameters. You have completed all
required steps to configure the private and public interfaces for Gateway A.
Configuring an IKE Proposal
An IKE proposal contains values for Phase 1 IPSec negotiations. During Phase 1 the two peers establish
a secure tunnel within which they then negotiate the Phase 2 parameters. The VPN Concentrator uses
IKE proposals both as initiator and responder in IPSec negotiations. In LAN-to-LAN connections, the
VPN Concentrator can function as initiator or responder.
You must configure, activate, and prioritize an IKE proposal before you can configure an IPSec
LAN-to-LAN connection or an IPSec Security Association. While Cisco does supply default IKE
proposals, none matches the VPN Consortium requirements.
Table 1 identifies the Cisco IKE parameters you configure to create an IKE proposal to meet the VPN
Consortium requirements.
Table 1
Cisco IKE Parameters
Proposal Name
  Definition: A unique name for the IKE proposal. In this example, the name is VPNC IKE A to B.
  VPN Consortium value required: N/A
Authentication Mode
  Definition: Method of authenticating the remote peer; either preshared secret or certificates.
  VPN Consortium value required: Preshared Secret
Authentication Algorithm
  Definition: Specifies the data, or packet, authentication method that proves that data comes from the source you think it comes from.
  VPN Consortium value required: SHA-1
Encryption Algorithm
  Definition: The data, or packet, encryption algorithm.
  VPN Consortium value required: Triple DES
Diffie-Hellman Group
  Definition: The method used to generate IPSec SA keys.
  VPN Consortium value required: MODP group 2 (1024 bits)
Lifetime Measurement
  Definition: Method for measuring the lifetime of IPSec SA keys, either by time (in seconds) or by data (number of kilobytes) that travel across the tunnel.
  VPN Consortium value required: Time
Time Lifetime
  Definition: The number of seconds after which an IKE SA expires.
  VPN Consortium value required: 28800 seconds (8 hours)
Complete the following steps to configure an IKE proposal.
Step 1
In the drop-down table of contents, click Configuration > System > Tunneling Protocols > IPSec >
IKE Proposals to display the screen of that name.
Figure 7
Configuration | System | Tunneling Protocols | IPSec | IKE Proposals Screen
Step 2
Click Add. The Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add screen displays. In this screen you configure a new, inactive IKE proposal.
Figure 8
Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add Screen
Step 3
In the Proposal Name field, enter a unique name for this IKE proposal; in this example, VPNC IKE A to B. The maximum length is 48 characters. Entries are case-sensitive and spaces are allowed.
Step 4
From the Authentication Mode drop-down menu, choose Preshared Keys to authenticate the remote
peer.
Step 5
From the Authentication Algorithm drop-down menu, choose SHA/HMAC-160 to use SHA-1 for
authenticating the source of the data traveling across the tunnel.
Step 6
From the Encryption Algorithm drop-down menu, choose 3DES-168 to use Triple DES encryption.
Step 7
From the Diffie-Hellman Group drop-down menu, choose Group 2 (1024-bits), which is
MODP group 2.
Step 8
From the Lifetime Measurement drop-down menu, choose Time.
Step 9
In the Time Lifetime box, enter 28800, replacing the default value.
Step 10
Click Add to apply your changes. The Manager returns to the Configuration | System | Tunneling
Protocols | IPSec | IKE Proposals screen.
Activating and Prioritizing the IKE Proposal
The Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen now includes the new
IKE proposal as the last entry in the Inactive Proposals box, shown in Figure 9. You need to activate and
prioritize this IKE proposal.
Figure 9
VPNC IKE A to B as a New, Inactive IKE Proposal
Step 1
Select the new IKE proposal, in this example VPNC IKE A to B, and click <<Activate to move the
IKE proposal to the bottom of the Active Proposals column.
Step 2
Click Move Up as many times as required to move the new IKE proposal to the top of the Active
Proposals Column, as shown in Figure 10. Doing so sets the values of this IKE proposal as the default
values for the LAN-to-LAN connection you create next.
Figure 10
VPNC IKE A to B as First-Priority, Active IKE Proposal
Configuring a LAN-to-LAN IPSec Connection
When you create a LAN-to-LAN connection, the VPN Concentrator automatically:
• Creates two filter rules with the Apply IPSec action: one inbound, one outbound, named L2L: <Name> In and L2L: <Name> Out, in this example L2L: A to B In and L2L: A to B Out.
• Creates an IPSec Security Association named L2L: <Name>, in this example L2L: A to B.
• Applies these rules to the filter on the public interface and applies the SA to the rules. If the public interface does not have a filter, it applies the Public (default) filter with the preceding rules.
• Creates a group named with the Peer IP address. If the VPN Concentrator internal authentication server has not been configured, it configures it, and adds the group to the database.
To create a LAN-to-LAN IPSec connection, follow these steps:
Step 1
In the table of contents, click Configuration > System > Tunneling Protocols > IPSec >
LAN-to-LAN. The Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screen displays.
Figure 11
Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN Screen
Step 2
Click the Add button. The Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add screen displays.
Figure 12
Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add Screen
Table 2 explains the fields you must complete on the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add screen and, where applicable, the VPN Consortium requirements they meet. Accept default values for all other parameters.
Table 2
IPSec LAN-to-LAN Parameters
Name
  Definition: A unique, descriptive name for this LAN-to-LAN connection.
  Value to configure: In this example the name is A to B.
Interface*
  Definition: The IP address of the public or WAN interface for this LAN-to-LAN connection.
  Value to configure: 14.15.16.17
Peer
  Definition: The IP address of the WAN interface for the remote peer in this LAN-to-LAN connection.
  Value to configure: 22.23.24.25
Digital Certificate
  Definition: Determines whether to use a preshared key or a digital certificate for authentication.
  Value to configure: None (Use Preshared Key)
Certificate Transmission
  Definition: N/A
  Value to configure: N/A
Preshared Key
  Definition: The key the IPSec peers share that identifies each to the other.
  Value to configure: hr5xb8416aa9r6
Authentication
  Definition: Specifies the data, or packet, authentication method that proves that data comes from the source you think it comes from.
  Value to configure: ESP/SHA/HMAC-160, the ESP protocol using HMAC with the SHA-1 hash function using a 160-bit key.
Encryption Algorithm
  Definition: The data, or packet, encryption algorithm.
  Value to configure: 3DES-168, which is Triple-DES encryption with a 168-bit key.
IKE Proposal*
  Definition: The IKE proposal with first priority. This should be the IKE proposal you configured previously.
  Value to configure: In this example, VPNC IKE A to B
Local Network IP Address and Wildcard Mask
  Definition: The network IP address and wildcard mask for the local end of this LAN-to-LAN connection.
  Value to configure: IP address is 10.5.6.0; wildcard mask is 0.0.0.255
Remote Network IP Address and Wildcard Mask
  Definition: The network IP address and wildcard mask for the remote end of this LAN-to-LAN connection.
  Value to configure: IP address is 172.23.9.0; wildcard mask is 0.0.0.255
*These fields already contain values derived, respectively, from the IP address of the Public interface and from the IKE proposal, VPNC IKE A to B, that you configured previously.
Step 1
In the Name field, enter a unique, descriptive name for this LAN-to-LAN connection. The maximum
length is 32 characters. Since the created rules and SA use this name, we recommend that you keep it
short. In this example, the name is A to B.
Step 2
In the Interface field, make sure that the interface that displays is the configured public interface on the
VPN Concentrator for this end of the LAN-to-LAN connection, 14.15.16.17. If not, from the Interfaces
drop-down menu, choose this IP address. The list shows all interfaces that have the Public Interface
parameters enabled.
Step 3
In the Peer field, enter the IP address of the remote peer in the LAN-to-LAN connection, 22.23.24.25.
This is the IP address of the public or WAN interface on the peer IPSec VPN device.
Step 4
In the Preshared Key field, enter the shared secret for this VPN connection, hr5xb8416aa9r6.
Step 5
From the Authentication drop-down menu, select ESP/SHA/HMAC-160.
Step 6
In the Encryption field, verify that the entry is 3DES-168. If not, from the Encryption drop-down menu,
choose this value.
Step 7
In the IKE Proposal field, verify that the entry is VPNC IKE A to B. If not, from the IKE Proposal
drop-down menu choose this value.
Step 8
Skip the following fields:
– Filter
– IPSec NAT-T
– Bandwidth Policy
– Routing
Step 9
In the Local Network section, in the IP Address field, enter 10.5.6.0. In the Wildcard Mask field, enter
0.0.0.255.
Step 10
In the Remote Network section, in the IP Address field, enter 172.23.9.0. In the Wildcard Mask field,
enter 0.0.0.255.
Note
You must configure either a default gateway or a static route from Gateway A to Gateway B.
Step 11
Click Add. The Manager displays the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Done screen.
Figure 13
Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Done Screen
Step 12
Click OK. The Manager returns you to the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN screen. It now displays the new LAN-to-LAN connection, A to B (22.23.24.25) on Ethernet 2 (Public).
Figure 14
Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN Screen
Modifying the New Security Association
The VPN Concentrator has created a security association (SA) for the new A to B LAN-to-LAN
connection. You need to modify the Perfect Forward Secrecy and Time Lifetime fields for this SA.
Step 1
In the Concentrator Manager drop-down table of contents, click Configuration > Policy Management
> Traffic Management > Security Associations. The screen of that name displays.
Figure 15
Configuration | Policy Management | Traffic Management | Security Associations Screen
Step 2
In the IPSec SAs box, select L2L: A to B, which is the SA for the LAN-to-LAN connection, A to B
(22.23.24.25) on Ethernet 2 (Public).
Step 3
Click Modify.
The Configuration | Policy Management | Traffic Management | Security Associations | Modify screen displays.
Figure 16
Configuration | Policy Management | Traffic Management |
Security Associations | Modify Screen
Step 4
In the Perfect Forward Secrecy field, from the drop-down menu, choose Group 2 (1024 bits).
Step 5
In the Time Lifetime field, change the number of seconds to 3600 (one hour).
Step 6
Confirm that the Negotiation Mode field is set to Main.
Troubleshooting
The following sections contain troubleshooting tips. The most common problems are IP addressing
errors and shared secret mismatches. You can also configure Events that report on IKE and IPSec activity
on the VPN Concentrator.
IP Addressing
Take care that the IP addresses and subnet masks you have configured accurately represent your network.
Local and Remote Network Addresses
When you configure a LAN-to-LAN connection:
• Do not confuse the local network with the remote network. Gateway A's Local Network is Gateway B's Remote Network, and vice versa.
• In the IPSec | LAN-to-LAN | Add screen (see Figure 12) be sure to enter network addresses, not host addresses, in the Local Network IP Address and Remote Network IP Address fields.
• In the IPSec | LAN-to-LAN | Add screen (see Figure 12) be sure to enter wildcard masks, not subnet masks, in the Local Network and Remote Network Wildcard Mask fields. A wildcard mask is the reverse of a subnet mask: it has ones in bit positions to ignore, and zeros in bit positions to match. For example, a subnet mask of 255.255.255.0 converts to a wildcard mask of 0.0.0.255.
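The mask conversion and the two entry mistakes described above, as an added Python example that is not part of Cisco's profile. The VPN Concentrator has no scripting interface for this; the functions run offline on the values you are about to type into the Add screen, and the function names and message wording are the example's own. Beyond the /24 case in the text, it handles any contiguous mask, including the 0.0.0.0 wildcard for a single host.

```python
"""Wildcard-mask helpers for the LAN-to-LAN | Add screen (added example,
not Cisco code). Function names and messages are this example's own."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def subnet_to_wildcard(subnet_mask: str) -> str:
    """Invert a subnet mask (255.255.255.0) into the wildcard mask the
    Manager expects (0.0.0.255): ones mark bits to ignore, zeros bits to match."""
    inverted = _to_int(subnet_mask) ^ ALL_ONES
    # A contiguous wildcard has the form 0...01...1, so wc & (wc + 1) == 0.
    if inverted & (inverted + 1):
        raise ValueError(f"{subnet_mask} is not a contiguous subnet mask")
    return _to_dotted(inverted)


def wildcard_to_subnet(wildcard_mask: str) -> str:
    """Inverse of subnet_to_wildcard, with the same contiguity check."""
    wc = _to_int(wildcard_mask)
    if wc & (wc + 1):
        raise ValueError(f"{wildcard_mask} is not a contiguous wildcard mask")
    return _to_dotted(wc ^ ALL_ONES)


def selector_problems(ip: str, wildcard_mask: str) -> list:
    """Return the mistakes the Troubleshooting section warns about, or [].

    - a subnet mask typed into the Wildcard Mask field (255.255.255.0)
    - a host address typed into the IP Address field (10.5.6.1)
    """
    problems = []
    wc = _to_int(wildcard_mask)
    if wc & (wc + 1):
        # 255.255.255.0 fails here: a wildcard mask keeps its ones at the low end.
        problems.append(
            f"{wildcard_mask} looks like a subnet mask; the wildcard form is "
            f"{_to_dotted(wc ^ ALL_ONES)}"
        )
        return problems
    addr = _to_int(ip)
    if addr & wc:
        # Bits set inside the "ignore" region mean a host, not a network, address.
        network = _to_dotted(addr & ~wc & ALL_ONES)
        problems.append(f"{ip} is a host address; enter the network address {network}")
    return problems


def selector_to_cidr(ip: str, wildcard_mask: str) -> str:
    """Translate (network, wildcard) into the CIDR form used elsewhere in this
    profile, e.g. ('10.5.6.0', '0.0.0.255') -> '10.5.6.0/24'."""
    problems = selector_problems(ip, wildcard_mask)
    if problems:
        raise ValueError("; ".join(problems))
    host_bits = (_to_int(wildcard_mask) + 1).bit_length() - 1
    return f"{ip}/{32 - host_bits}"


if __name__ == "__main__":
    # The two Scenario 1 selectors from this profile.
    for ip, wc in (("10.5.6.0", "0.0.0.255"), ("172.23.9.0", "0.0.0.255")):
        print(ip, wc, "->", selector_to_cidr(ip, wc))
    # The two mistakes the Troubleshooting section calls out.
    print(selector_problems("10.5.6.0", "255.255.255.0"))
    print(selector_problems("10.5.6.1", "0.0.0.255"))
```

Run it before filling in the Add screen; a non-empty list from selector_problems is exactly the error the Concentrator will not flag for you but the remote peer will reject at Phase 2.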
Testing Connectivity
Internet Connectivity
PING from the public (WAN) interface of the origin gateway to the public interface of the destination
gateway to test whether there is a problem on the Internet. In the Concentrator Manager drop-down table
of contents, click Administration > Ping. The Ping screen displays.
Figure 17
Administration | Ping Screen
Enter the IP address of the public interface for the destination gateway and click Ping. The VPN Concentrator returns a Success message if it can contact the IP address you entered. If it cannot, it displays an error screen.
Figure 18
Success Screen
SA Connectivity
PING from the private (inside) interface of the origin gateway to the inside interface of the destination
gateway to test whether there is a problem setting up the SAs. Do this from a PC behind the private
interface of the VPN Concentrator.
Mismatches of Preshared Keys
It is easy to mistype a preshared key at one end or the other of a LAN-to-LAN connection. If you are
sure your IP addresses are correct, but are unsuccessful in bringing up a tunnel, make sure the preshared
keys on either side of the connection match exactly. Entries are case-sensitive.
Mismatches of Parameters for IPSec SAs
If you cannot PING from the private interface of the local gateway to the private interface of the
destination or remote gateway, there is likely a problem with the security associations. Check that the
values for all parameters for the SA on the local network match those values on the remote network
exactly.
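The peer-matching check described in the preceding two sections, covering the Phase 1 and Phase 2 parameter lists at the start of this profile, the preshared key and the mirrored Local/Remote Network selectors, as an added Python example rather than anything from Cisco's document or the VPN Concentrator itself. The dictionary layout and field names are the example's own: GATEWAY_A holds the Scenario 1 values, expected_peer() derives what Gateway B must hold, and misconfigured_gateway_b() is a constructed peer carrying three typical mistakes.

```python
"""Peer-configuration consistency check for a LAN-to-LAN tunnel (added
example, not Cisco code; the dictionary schema is this example's own)."""
import hmac

# Gateway A exactly as configured in this profile (Scenario 1 values).
GATEWAY_A = {
    "public_ip": "14.15.16.17",
    "peer": "22.23.24.25",
    "preshared_key": "hr5xb8416aa9r6",
    "phase1": {"mode": "main", "encryption": "3des", "authentication": "sha1",
               "dh_group": 2, "lifetime_seconds": 28800, "lifetime_kbytes": None},
    "phase2": {"encryption": "3des", "authentication": "sha1", "pfs_group": 2,
               "lifetime_seconds": 3600, "lifetime_kbytes": None},
    "local_network": ("10.5.6.0", "0.0.0.255"),
    "remote_network": ("172.23.9.0", "0.0.0.255"),
}


def expected_peer(cfg: dict) -> dict:
    """Derive the configuration the other gateway must hold: same proposals
    and key, addresses and selectors swapped end for end."""
    return {
        "public_ip": cfg["peer"],
        "peer": cfg["public_ip"],
        "preshared_key": cfg["preshared_key"],
        "phase1": dict(cfg["phase1"]),
        "phase2": dict(cfg["phase2"]),
        "local_network": cfg["remote_network"],
        "remote_network": cfg["local_network"],
    }


def compare_peers(a: dict, b: dict) -> list:
    """Return a list of mismatches between the two ends, [] when they agree."""
    problems = []
    if a["peer"] != b["public_ip"]:
        problems.append(f"A peers with {a['peer']} but B's public interface is {b['public_ip']}")
    if b["peer"] != a["public_ip"]:
        problems.append(f"B peers with {b['peer']} but A's public interface is {a['public_ip']}")
    # Keys are case-sensitive. compare_digest is constant-time, which matters
    # if this check is ever run against a live secret rather than a config dump.
    if not hmac.compare_digest(a["preshared_key"].encode(), b["preshared_key"].encode()):
        problems.append("preshared keys differ (entries are case-sensitive)")
    # Every Phase 1 and Phase 2 parameter must match exactly on both ends.
    for phase in ("phase1", "phase2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            va, vb = a[phase].get(key), b[phase].get(key)
            if va != vb:
                problems.append(f"{phase} {key}: A={va} B={vb}")
    # Selectors are mirrored: A's local network is B's remote network.
    if a["local_network"] != b["remote_network"]:
        problems.append(f"A local {a['local_network']} != B remote {b['remote_network']}")
    if a["remote_network"] != b["local_network"]:
        problems.append(f"A remote {a['remote_network']} != B local {b['local_network']}")
    return problems


def misconfigured_gateway_b() -> dict:
    """Constructed Gateway B with three classic mistakes: a mistyped key,
    a Phase 1 lifetime missing a digit, and local/remote networks swapped."""
    b = expected_peer(GATEWAY_A)
    b["preshared_key"] = "hr5x8416aa9r6"             # dropped the 'b'
    b["phase1"]["lifetime_seconds"] = 2800           # 2800 instead of 28800
    b["local_network"], b["remote_network"] = b["remote_network"], b["local_network"]
    return b


if __name__ == "__main__":
    print("correct peer:", compare_peers(GATEWAY_A, expected_peer(GATEWAY_A)))
    for line in compare_peers(GATEWAY_A, misconfigured_gateway_b()):
        print("mismatch:", line)
```

The useful input is the remote administrator's values read back from their device, not what you assume they typed; the script then names the exact field to fix instead of leaving you to diff two screenshots.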
Configuring Event Classes
You can configure specific event classes and severities for special handling. For troubleshooting a LAN-to-LAN IPSec connection, add the following event classes, all severities (1-13), to have the Manager send these Events to the log or to the console. The decode and debug classes at severity 13 are very verbose; remove these entries, or lower the severity range, once troubleshooting is complete.
In the Concentrator Manager drop-down table of contents, click Configuration > System > Events > Classes. The screen of that name displays.
Figure 19
Configuration | System | Events | Classes Screen
Step 1
Click Add. The Configuration | System | Events | Classes | Add screen displays.
Figure 20
Configuration | System | Events | Classes | Add Screen
Step 2
In Class Name field, from the drop-down menu, choose IKE.
Step 3
In the Severity to Log field, from the drop-down menu choose 1-13. The Manager now sends all
IKE events to the Log. You can set the severity level to a lower range if you want a less verbose log.
Step 4
In the Severity to Console field, from the drop-down menu choose 1-13. The Manager now sends all
IKE events to the Console.
Step 5
If you are using a syslog server, set the Severity to Syslog field to 1-13.
Step 6
Repeat steps 2 through 5 for the following event classes:
Authentication issues:
  Auth (AUTH)
  Auth Debug (AUTHDBG)
  Auth Decode (AUTHDECODE)
Phase One IPSec negotiations:
  IKE (IKE)
  IKE Decode (IKEDECODE)
  IKE Debug (IKEDBG)
Phase Two IPSec negotiations:
  IPSec (IPSEC)
  IPSec Decode (IPSECDECODE)
  IPSec Debug (IPSECDBG)
Viewing the Event Log
There are several ways to view events. The following section describes just one very useful way to study
logged events.
Step 1
To view the event log, in the Concentrator Manager drop-down table of contents, click Monitoring > Filterable Event Log. The screen of that name displays.
Figure 21
Monitoring | Filterable Event Log Screen
Step 2
You can scroll through events on this screen, or you can click Get Log to scroll through all the log
events on one page.
Step 3
Read closely. The log gives detailed information about IPSec Phase 1 and Phase 2 negotiations, and the status of SAs.