Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss IPSec VPN with the Cisco expert Lei Chen. Lei Chen is a Technical Assistance Center (TAC) software engineer at Cisco Systems, Inc. Lei joined Cisco in 2000. His main responsibilities include troubleshooting complex IPSec VPN issues, working on escalation cases and training new team members. Lei has a CCIE (# 6399) in Routing/Switching and Security. Remember to use the rating system to let Lei know if you have received an adequate response.
Lei might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through April 23. Visit this forum often to view responses to your questions and the questions of other community members.
We just upgraded all our routers to Cisco and went to private IP addresses. Another campus we are trying to connect to uses a Cisco firewall and we use a Cisco VPN. My firewall guy created a login for the other campus using the Cisco VPN. Using the VPN they connect fine. The problem is that they are trying to connect to my campus via Netmeeting (after connecting via the VPN). This connection is not successful and of course they cannot ping my IP address. I can connect to Netmeeting here on campus from home using the same VPN. They did indicate they opened all their ports on their firewall. Hence my question is: is there a problem on their end, or could it be a tunnelling issue on my end?
Thanks for any and all help.
It's pretty hard to determine at this point. Troubleshooting is needed. I suggest you open a case with Cisco TAC to have a Cisco engineer take a look.
I was wondering if we can expect to see support for Multicast traffic on the 3000 series Concentrators any time soon?
Thanks in advance!
I'm new in this area and confused by the number of different Cisco VPN clients.
1) What is the best client for remote access IPSec VPN with PIX in the central site and Windows 2000/XP running on the remote PC?
What's the difference between Cisco VPN client and Cisco Secure VPN client?
2) Does Cisco VPN client ver. 4.0.3 (F) support Diffie-Hellman group 5? If yes, how to configure it?
Use the latest Cisco VPN client posted on CCO, currently 4.0.3.F
Cisco Secure VPN Client was an obsolete version of the VPN client. It was the VPN client software before Cisco acquired Altiga (VPN 3000).
Yes, 4.0.3.F does support DH5. This is controlled by the headend VPN server. You need to configure the PIX to use DH5:
isakmp policy 10 group 5
Thanks for your responses.
I've made some tests in my lab and found:
It's necessary to configure
isakmp policy 10 group 5
and to force the VPN client to offer DH5 by importing a .pcf file that includes a "DHGroup = 5" line into a new profile (it's not configurable via the client GUI).
But still no success in ISAKMP negotiation.
But finally I found a list of valid IKE proposals that the VPN client supports (in VPN client administrator guide, chapter 6) and DH group 5 can't be combined with preshared keys!!!
This explains why I wasn't successful.
Thanks for the response confirming my VPN client choice.
I'm trying to configure remote access VPN with PIX in the central site.
I've got a question regarding VPN client firewall features:
Is it possible to tune the integrated Cisco firewall some way?
I understand that when I enable Firewall Always On on the client PC, the integrated firewall blocks all incoming connections even when there is no VPN connection active.
But I'd like to be able to Ping the client PC, e.g.
I'm just reading the admin manual (http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel4_0/admin_gd/index.htm) but it describes firewall tuning only via the VPN concentrator, which I don't use. Are there any possibilities with the PIX or directly on the client?
If not, is my understanding correct that when I don't use the vpngroup ... split tunnel command on the PIX, all the traffic outgoing from the client PC is sent into the IPSec tunnel (when established) even if I allow local LAN access on the client (regardless of whether Firewall Always On is enabled or disabled)?
The client's integrated firewall can be tuned only via the VPN 3000, not on the PIX, routers or the client itself.
The "Allow Local LAN Access" option on the client only works with the VPN 3000. It doesn't work with either the PIX or routers. If you want local LAN access while the client is connected to the PIX or a router, you have to use the vpngroup split-tunnel command.
Keep in mind that the VPN client was originally designed to work with the VPN 3000. The support on the PIX and routers was added later on and is limited.
Every entry in the crypto ACL is an IPSec SA. So this is limited by how many IPSec SA tunnels the platform supports, especially on low-end routers. For instance, the 831 router, if I remember correctly, supports up to 10 tunnels, which means that its crypto ACL can't have more than 10 entries.
Well, DH itself can't prevent a man-in-the-middle attack since it doesn't provide ID authentication for the peers.
The purpose of using pre-shared key authentication is that we can use a keyed hashing algorithm to ID each other, and therefore avoid the man-in-the-middle attack.
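The point made in the answer above, shown as an added example that is not part of the original thread: plain Diffie-Hellman lets an active attacker pair each peer with herself, while a keyed hash over the exchanged public values, keyed with the pre-shared key, makes the substitution detectable. The group parameters are a toy group chosen for readability (an assumption for this example, not an IKE group and not secure), and the authenticator is a simplification of IKE's HASH_I/HASH_R, which also cover cookies, nonces, the SA payload and the peer ID.

```python
# Added example, not from the original thread: unauthenticated DH versus
# DH with pre-shared-key authentication. The group below is a TOY group
# chosen for readability (assumption); it is not an IKE group and is not secure.
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime (constructed for the example, far too small for real use)
G = 2            # toy generator


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_shared(peer_pub: int, priv: int) -> int:
    return pow(peer_pub, priv, P)


def derive_key(shared: int) -> bytes:
    """Simplified KDF: hash the shared secret (real IKE uses a PRF keyed with nonces)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def rand_priv() -> int:
    return secrets.randbelow(P - 2) + 1


def unauthenticated_exchange_with_mitm() -> dict:
    """Alice and Bob run plain DH; Mallory replaces each public value with her own.
    Nothing in the exchange lets either side notice: the maths works out for
    every pair of parties, it just pairs each victim with Mallory."""
    a, b, m = rand_priv(), rand_priv(), rand_priv()
    A, B, M = dh_public(a), dh_public(b), dh_public(m)
    # Mallory forwards M to Bob instead of A, and M to Alice instead of B.
    k_alice = derive_key(dh_shared(M, a))        # Alice thinks this is shared with Bob
    k_bob = derive_key(dh_shared(M, b))          # Bob thinks this is shared with Alice
    k_mallory_alice = derive_key(dh_shared(A, m))
    k_mallory_bob = derive_key(dh_shared(B, m))
    return {
        "alice_bob_agree": k_alice == k_bob,                # False: no common key
        "mallory_reads_alice": k_mallory_alice == k_alice,  # True
        "mallory_reads_bob": k_mallory_bob == k_bob,        # True
    }


def authenticator(psk: bytes, own_pub: int, peer_pub: int) -> bytes:
    """Keyed hash over the public values each side believes were exchanged.
    Simplification of IKE's HASH_I/HASH_R, which also cover cookies, nonces,
    the SA payload and the peer ID (assumption for this example)."""
    msg = own_pub.to_bytes(16, "big") + peer_pub.to_bytes(16, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def psk_authenticated_exchange(psk: bytes, mallory_present: bool) -> bool:
    """Return True only if both peers accept each other's authenticator."""
    a, b = rand_priv(), rand_priv()
    A, B = dh_public(a), dh_public(b)
    if mallory_present:
        M = dh_public(rand_priv())
        a_seen_by_bob, b_seen_by_alice = M, M   # Mallory substitutes both values
    else:
        a_seen_by_bob, b_seen_by_alice = A, B
    # Each peer authenticates over what it sent and what it received.
    auth_alice = authenticator(psk, A, b_seen_by_alice)
    auth_bob = authenticator(psk, B, a_seen_by_bob)
    # Mallory can only relay these; without the PSK she cannot recompute them
    # over the values she substituted, so the receiver's check fails.
    bob_accepts = hmac.compare_digest(auth_alice, authenticator(psk, a_seen_by_bob, B))
    alice_accepts = hmac.compare_digest(auth_bob, authenticator(psk, b_seen_by_alice, A))
    return bob_accepts and alice_accepts


if __name__ == "__main__":
    print(unauthenticated_exchange_with_mitm())
    print("PSK, no attacker:", psk_authenticated_exchange(b"example-psk", False))
    print("PSK, attacker:   ", psk_authenticated_exchange(b"example-psk", True))
```

The same reasoning is why a weak or widely shared pre-shared key undermines the whole exchange: anyone who holds the PSK can compute the authenticator over substituted values and is no longer distinguishable from the legitimate peer.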
I understand it may not be the appropriate forum to ask, but I am eager to know. Is support for SSL VPN on the IOS roadmap? Basically I am looking for an IPSec-like tunneling mechanism that uses HTTPS.
I haven't heard anything on IOS for SSL VPN yet. But if it's getting more and more popular, the product team will definitely consider it.
My 3000 VPN concentrator suddenly doesn't allow me web access to it (invalid login or session time). I know for sure that I used the right user name and password. The last thing I did was set up an idle session timeout and restart the service. After that I could not access the VPN concentrator by the web or telnet. I consoled into the VPN concentrator and enabled/disabled HTTP/HTTPS many times but NO LUCK. Do you know the cause of that problem??? Thanks for your help.
Console in, reset the admin password and make sure,
Administration | Access Rights | Access Control List
is empty. If the problem persists, open a TAC case.
I have my client PIX firewall 506E configured with a global fixed IP, provided by the ISP.
I want to avoid doing site-to-site tunnelling with my HQ and I plan to configure it to act as an Easy VPN remote client.
Can it be done?
Yes, and here are the sample configs:
But you need to make sure the HQ side has the VPN server set up already.
Will it mean all my workstations on my remote branch site running on the Easy VPN remote client obtain IP addresses from the IP local pool at the VPN server?
No. Only the PIX 506 will obtain an IP address from the IP local pool at the VPN server. After the PIX 506 connects to the VPN server, it will do PAT for all the workstations sitting behind it.
Thanks for the link.
BTW, if I implement the Easy VPN remote client on my branch site (5 PCs), does it mean my VPN server's IP local pool will allocate 5 IPs to the branch site computers?
Nope. The VPN server assigns only one IP address to the Easy VPN remote client. The client will take care of the workstations sitting behind it by using PAT.
My question is a little bit out of discussion. I have a Cisco 3640 router with a single NM-4E1-IMA card for ATM use. Somebody else made the order by error, trying to create an access server dialing from a simple PSTN number, and the main connection with 4 E1s straight to the switching center. What do you suggest buying in this case (except the AS5300)? I was thinking about NM-12D digital modems together with MICA.
Thanks in advance!
We have a Cisco PIX 515E FW with version 6.3. We are running around 7-8 site-to-site VPN tunnels with remote locations/customers. The customers have different vendor firewalls, viz. Checkpoint, Nortel Contivity, WatchGuard, etc.
Since last week we have been facing problems with the site-to-site VPNs.
With a couple of customers the problem is that when we try to initiate traffic for the VPN the tunnel does not come up, but whenever the customer tries to ping, the VPN tunnel gets established.
So whenever the PIX end tries to establish a tunnel it does not work, but when the remote end tries, the VPN tunnel comes up.
Is there any specific setting that needs to be done either on the PIX or Checkpoint or any other FW for that matter?
All the VPN tunnels were working fine till now. This problem has cropped up all of a sudden.
We've seen this kind of case. Usually it's because of mismatched phase 1 and phase 2 policies. Make sure the phase 1 and 2 lifetimes and the phase 2 proxy IDs match. For example, if on the PIX side the proxies are configured as:
While the remote vpn gateway is configured as:
(which is a subset of the pix side)
In this case, the tunnel won't come up if the PIX initiates the connection, but it will if the remote side initiates the connection.
Is this the only cause for this problem? I ask because till last week the VPN connection was working fine, for almost a year now.
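The asymmetry described in the answer above, as an added example that is not part of the original thread: a small model of the phase 2 proxy-ID (traffic selector) check. The acceptance rule modelled, "the initiator's proposal must fit inside one of the responder's crypto ACL entries", is an assumption chosen to reproduce the behaviour the answer describes; the PIX-style ACL lines and the addresses are constructed for the example. With the remote gateway's proxies a subset of the PIX's, the tunnel negotiates only when the remote side initiates.

```python
# Added example, not from the original thread: a model of the phase 2 proxy-ID
# (traffic selector) check. The ACL lines and addresses are constructed for the
# example; the acceptance rule modelled ("proposal must fit inside one of the
# responder's crypto ACL entries") is an assumption that reproduces the
# behaviour described in the answer above.
import ipaddress

Net = ipaddress.IPv4Network


def parse_pix_acl(text: str) -> list:
    """Parse PIX-style 'access-list NAME permit ip SRC MASK DST MASK' lines
    into (local, remote) network pairs. Each line is one crypto ACL entry."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACL line: {line!r}")
        local = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
        remote = ipaddress.ip_network(f"{parts[6]}/{parts[7]}", strict=False)
        entries.append((local, remote))
    return entries


def mirror(entries: list) -> list:
    """The peer's view of the same tunnels: local and remote swap places."""
    return [(remote, local) for local, remote in entries]


def responder_accepts(responder_acl: list, proposed_src: Net, proposed_dst: Net) -> bool:
    """The initiator proposes src=its local, dst=its remote. Seen from the
    responder those are remote and local respectively; accept only if both fit
    inside one configured entry (an exact match is the equality special case)."""
    for local, remote in responder_acl:
        if proposed_dst.subnet_of(local) and proposed_src.subnet_of(remote):
            return True
    return False


def negotiate(initiator_acl: list, responder_acl: list) -> list:
    """Try every initiator entry; return (src, dst, accepted) per proposal."""
    return [
        (str(src), str(dst), responder_accepts(responder_acl, src, dst))
        for src, dst in initiator_acl
    ]


# Constructed sample: the PIX encrypts whole /16 <-> /8 ranges, while the remote
# gateway is configured for one /24 on each side (a subset of the PIX's entry).
PIX_ACL = "access-list vpn permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0"
REMOTE_ACL = "access-list vpn permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0"


if __name__ == "__main__":
    pix, remote = parse_pix_acl(PIX_ACL), parse_pix_acl(REMOTE_ACL)
    print("PIX initiates:   ", negotiate(pix, remote))   # rejected: /16->/8 does not fit in the /24s
    print("Remote initiates:", negotiate(remote, pix))   # accepted: the /24s fit inside /16 and /8
    print("Exact match:     ", negotiate(pix, mirror(pix)))
```

When diagnosing a one-directional failure like the one in the question, compare the two crypto ACLs entry by entry in this mirrored form; a proposal that is rejected in one direction and accepted in the other almost always shows up as an entry that is wider on the side that fails to initiate.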
With Cisco's IPSec VPNs, how do you determine the throughput various devices are capable of? I remember reading that the 3002 hardware client was capable of approximately 1 Mbps throughput with 3DES. How would this throughput translate to an encryption algorithm like AES 128 or 256?
On the other side of this, how do you determine the concentrator's throughput with a number of AES IPSec clients connecting to it?