CCNP Security VPN FAQ: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys

Question. What methods can you use for user authentication on the Cisco VPN 3000 Series Concentrators?

Answer: You can configure the VPN concentrators to use RADIUS, NT Domain, Security Dynamics International (SDI), and internal user authentication.

Question. What methods can you use for device authentication between VPN peers?

Answer: You can accomplish device authentication between VPN peers by using either preshared keys or digital certificates.

Question. What are the three types of preshared keys?

Answer: Preshared keys can be unique, group, or wildcard.

Question. What is a unique preshared key?

Answer: A unique preshared key is one that is associated with a specific IP address.

Question. When you boot up a Cisco VPN 3000 Concentrator with the default factory configuration, what happens?

Answer: The default factory configuration causes the VPN concentrator to boot up into Quick Configuration mode.

Question. What information do you need to supply in the command-line interface (CLI) portion of Quick Configuration?

Answer: The CLI portion of the Quick Configuration requests system time, date, and time zone as well as the private interface IP address, subnet mask, speed, and duplex mode.

Question. Which interface do you need to configure using the browser-based VPN Manager?

Answer: You need to configure the Public interface with the VPN Manager. If you have other interfaces, you also need to configure those. The Private interface was configured using the CLI portion of Quick Configuration.

Question. What is the default administrator name and password for VPN concentrators?

Answer: The default VPN concentrator administrator name and password is admin/admin.

Question. How do you get your web browser to connect to the VPN concentrator’s Manager application?

Answer: To connect to the VPN Manager, enter the IP address of the concentrator’s Private interface in the Address box of the browser.

Question. What is the default administrator name and password for the GUI VPN Manager?

Answer: The administrator name and password are the same for the CLI and the GUI systems: admin/admin.

Question. What are the three major sections of the VPN Manager system?

Answer: The three major sections of the VPN Manager system are Configuration, Administration, and Monitoring.

Question. What hot keys are available in the standard toolbar of the VPN Manager?

Answer: The standard hot keys are Main, Help, Support, Logout, Configuration, Administration, and Monitoring.

Question. From where do users inherit attributes on the VPN concentrator?

Answer: VPN concentrator users inherit their attributes from their groups. If a user is not a member of a group, the user inherits attributes from the Base Group.

Question. How many groups can a user belong to in the VPN concentrator’s internal database?

Answer: A VPN concentrator user can belong to only one group.

Question. What is an external group in the VPN Manager system?

Answer: An external group is a group from an external authentication server such as RADIUS or NT Domain.

Question. When reviewing the list of attributes for a group, what does it mean when an attribute’s Inherit? box is checked?

Answer: Checking the Inherit? box for an attribute means that the attribute is always inherited from the Base Group.

Question. What are the nine subcategories under the Configuration | System option in the VPN Manager’s table of contents?

Answer: The Configuration | System subcategories are Servers, Address Management, Tunneling Protocols, IP Routing, Management Protocols, Events, General, Client Update, and Load Balancing Cisco VPN Clients.

Question. Where would you configure information for Network Time Protocol (NTP) and Dynamic Host Configuration Protocol (DHCP) servers within the VPN Manager?

Answer: NTP, DHCP, and other servers are configured in the Configuration | System | Servers section of the VPN Manager.

Question. What tunneling protocol can you configure on the VPN concentrator to support the Microsoft Windows 2000 VPN Client?

Answer: L2TP over IPSec is the protocol required to support Microsoft Windows 2000 VPN clients. This option is available on the VPN concentrators.

Question. What dynamic routing protocols are available on the VPN 3000 Concentrators?

Answer: The Cisco VPN 3000 Concentrators support RIP and OSPF routing protocols. RIP is configured on the interface.

Question. What Microsoft Windows operating systems can support the Cisco VPN Client?

Answer: The Cisco VPN Client can operate on Microsoft Windows 95, 98, 98 SE, Me, NT, 2000, and XP operating systems.

Question. How do you start the Cisco VPN Client on a Windows system?

Answer: From the Windows Desktop, choose Start, Programs, Cisco Systems VPN Client, VPN Dialer.

Question. How do you start the Cisco VPN Client installation process?

Answer: You start the Cisco VPN Client installation process by inserting the CD-ROM into the PC and allowing Autorun to bring up the CD’s menu. Select Install Cisco VPN Client from the menu.

Question. What variables can you supply during the installation process of the Cisco VPN Client?

Answer: The only options, other than when to reboot the system, are to select the location in which to store files and the location in which to place the application.

Question. Where would you normally use unique preshared keys?

Answer: You would normally use unique preshared keys in site-to-site VPNs.

Question. To use a web browser to access the VPN Manager application on VPN concentrators, what features must you enable on the browser?

Answer: You must enable both JavaScript and cookies on the browser to access the VPN Manager.

Question. What information is required to configure a LAN interface on the VPN concentrator?

Answer: You must supply the IP address, subnet mask, speed, and duplex mode to configure a VPN concentrator LAN interface.

Question. What options are available for addressing an IP interface on the IP Interfaces screen?

Answer: The IP Interfaces screen gives you the option to disable the interface, obtain an address from DHCP, or assign a static IP address.

Question. What is the maximum number of combined groups and users that can be supported on a VPN 3015 Concentrator?

Answer: The 3015 Concentrator can support a maximum of 100 combined groups and users.

Question. What are the four subcategories under the Configuration option of the VPN Manager’s TOC?

Answer: The four subcategories under the Configuration option are Interfaces, System, User Management, and Policy Management.

Question. On the General tab of a group’s Add screen, what options can you select for Access Hours?

Answer: On the General tab of the Group Add screen, you can select No Restrictions, Never, or Business Hours as the access hours for the system.

Question. What IPSec protocols are available from the default IPSec SA settings on the IPSec tab of the Group Add screen?

Answer: The only IPSec protocol available by default on the IPSec tab of the Group Add screen is the ESP Protocol. Authentication Header (AH) is not an option. ESP provides encryption and authentication, whereas AH provides only authentication.

Question. Where does the VPN concentrator store system events?

Answer: The VPN concentrator stores system events in nonvolatile memory.

Question. What areas can be configured under the Traffic Management section of the Configuration | Policy Management section?

Answer: Under the Configuration | Policy Management | Traffic Management section of the VPN Manager, you can configure Network Lists, Rules, SAs, Filters, and NAT.

Question. Where do you enter the preshared key so that a VPN Client can connect to a VPN concentrator?

Answer: During the creation of a connection in the VPN Client, you are presented with a screen that allows you to enter Group Access Information. Enter the group name and the group’s password in that screen. The group’s password is the preshared key.

Question. What types of interfaces are the Public and Private VPN interfaces?

Answer: On the VPN concentrators, the Public and Private interfaces are each 10/100-Mbps Ethernet interfaces.

Question. What would you do if you needed to re-enter the Quick Configuration mode after you have completed the initial configuration of the VPN concentrator?

Answer: To re-enter the Quick Configuration mode, you need to select the system reboot option to Reboot with Factory/Default Configuration.

Question. When the VPN Manager’s Main window is displayed, how do you continue with the Quick Configuration that was started at the CLI?

Answer: To start the VPN Manager’s version of Quick Configuration, select Click here to start Quick Configuration. This option is only available the first time the VPN Manager opens.

Question. What methods can be selected for assigning IP addresses to the tunnel endpoints from the Quick Configuration Address Assignment screen?

Answer: The Quick Configuration Address Assignment screen allows you to select from Client Specified, Per User, DHCP, or Configured Pool as the method used to assign IP addresses for the tunnel endpoint. You can select multiple methods.

Question. When using the VPN Manager, how can you tell that you have made changes to the active configuration?

Answer: You can tell that changes have been made to the active configuration when the Save Needed icon appears in the upper-right corner of the main window.

Question. What is the purpose of the SEP card assignment attribute on the General tab of the Group Add screen?

Answer: The SEP card assignment attribute of the Group Add screen’s General tab is used to manage load sharing across the SEP devices within a VPN concentrator.

Question. You would like to be able to pass DNS and WINS information from the VPN concentrator to the VPN Client. What Group option can you use to accomplish this?

Answer: You would need to enable Mode Configuration to permit the concentrator to share this information with the client.

Question. What protocol does the VPN concentrator use to update software versions on Cisco VPN 3002 Hardware Clients?

Answer: The VPN concentrator uses TFTP to update the operating system of VPN 3002 Hardware Clients.

Question. What is a group preshared key?

Answer: A group preshared key is one that is associated with a specific user group.

Question. If you supply an address of 144.50.30.24 and want to use a 24-bit subnet mask for the Private interface on a VPN concentrator, are you able to accept the default subnet mask offered by the VPN Manager?

Answer: The VPN Manager offers the default subnet mask for the class of the address you assign. Because 144.50.30.24 is a Class B address and the default mask for that class is 16 bits, you would not be able to accept the mask offered by the VPN Manager.

Question. The Quick Configuration system has displayed the System Info screen. What information, other than system date and time, can you enter on this screen?

Answer: Other than system date and time, the System Info screen allows you to enter a system name, DNS server, domain name, and default gateway.

Question. What is the maximum number of combined groups and users that can be supported on a VPN 3060 Concentrator?

Answer: The 3060 Concentrator can support a maximum of 1000 combined groups and users.

Question. What is the default number of simultaneous logins available to group members?

Answer: Group members are allowed three simultaneous logins by default.

Question. What is the purpose of IKE keepalives?

Answer: IKE keepalives keep tabs on peers. If a peer does not respond to IKE keepalives, then the VPN concentrator drops the connection. This helps to prevent hung connections.

Question. What is the most significant event severity level?

Answer: Level 1 is the most significant event severity level on the Cisco VPN 3000 Concentrator.

Question. What programs are available within the VPN Client installation?

Answer: The VPN Client installs the following applications: Certificate Manager, Help, Log Viewer, Set MTU, Uninstall VPN Client, and VPN Dialer.

Question. What type of cable does the console port require on VPN concentrators?

Answer: VPN concentrator console cables are straight-through RS-232 serial cables with a female DB-9 connector.

Question. What is the first screen that appears when you click the Click here to start Quick Configuration option in the VPN Manager?

Answer: The first screen of the VPN Manager’s Quick Configuration is the IP Interfaces screen.

Question. If you select Internal Server as the method of user authentication, what additional screen does the Quick Configuration system give you?

Answer: When you select Internal Server as the method of user authentication, you must then configure the users and their passwords, so the VPN Manager provides the User Database screen.

Question. When do configuration changes become active on the Cisco VPN 3000 Series Concentrators?

Answer: Configuration changes take effect immediately on the VPN concentrators.

Question. What is a realm in relation to user authentication?

Answer: The Internal authentication server can use a qualified username for authentication. The qualified name takes the form of username@group. The @group portion is called the realm. You can set a group’s attribute to not use the realm portion for authentication.

Question. What is split tunneling?

Answer: Split tunneling allows some traffic to pass over the connection to the concentrator that is unprotected by IPSec.

Question. What management protocols can you configure on the VPN concentrator?

Answer: VPN Manager allows you to configure FTP, HTTP/HTTPS, TFTP, Telnet, SNMP, SNMP Community Strings, SSL, SSH, and XML.

Question. What is the process a VPN Client uses to connect to a VPN concentrator when load balancing is used between two or more VPN concentrators?

Answer: The VPN Client initially tries to connect to the virtual IP address of the cluster. The cluster master intercepts the call and sends the client the public IP address of the least-loaded available concentrator. The client then uses that address to negotiate an IPSec session.

Question. What is a wildcard preshared key?

Answer: A wildcard preshared key is one that is not associated with either an IP address or user group. These keys can be used by any device holding the key.

Question. What is the last step you must take before moving from the CLI Quick Configuration mode to the browser-based Quick Configuration mode?

Answer: Before leaving the CLI Quick Configuration mode, select the option to Save changes to Config file.

Question. What tunneling protocols does the VPN concentrator support?

Answer: The VPN concentrator supports L2TP, PPTP, IPSec, and L2TP over IPSec.

Question. When you select IPSec as the tunneling protocol, what screen does Quick Configuration present?

Answer: When you select IPSec as the tunneling protocol, Quick Configuration provides the IPSec Group screen so that you can supply a group name and password to be used by those devices connecting through preshared keys.

Question. What is the size range for user authentication passwords for internal users?

Answer: Internal user passwords can range from 1 to 32 characters. The allowable length is controlled by the group that the users belong to.

Question. What does the Authentication option RADIUS with Expiry provide?

Answer: RADIUS with Expiry lets users know that their password has expired and permits them to select a new password.

Question. How does the VPN 3000 Concentrator handle software updates for VPN Software Clients?

Answer: The VPN 3000 Concentrator provides a message to the clients during login. The message provides a location for downloading the updated software version.

About the author

Scott