Configuring a VPN for Clients with User Passwords

This section describes how to configure a remote access VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. on the managed device for L2TP Layer-2 Tunneling Protocol. L2TP is a networking protocol used by the ISPs to enable VPN operations. /IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. clients with user passwords. L2TP Layer-2 Tunneling Protocol. L2TP is a networking protocol used by the ISPs to enable VPN operations. /IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. requires two levels of authentication, IKE Internet Key Exchange. IKE is a key management protocol used with IPsec protocol to establish a secure communication channel. IKE provides additional feature, flexibility, and ease of configuration for IPsec standard. SA Security Association. SA is the establishment of shared security attributes between two network entities to support secure communication. authentication and user-level authentication with the PAP Password Authentication Protocol. PAP validates users by password. PAP does not encrypt passwords for transmission and is thus considered insecure. authentication protocol. IKE Internet Key Exchange. IKE is a key management protocol used with IPsec protocol to establish a secure communication channel. IKE provides additional feature, flexibility, and ease of configuration for IPsec standard. SA Security Association. SA is the establishment of shared security attributes between two network entities to support secure communication. is authenticated with a preshared key, which you must configure as an IKE Internet Key Exchange. IKE is a key management protocol used with IPsec protocol to establish a secure communication channel. IKE provides additional feature, flexibility, and ease of configuration for IPsec standard. shared secret. User-level authentication is performed by the internal database of the managed device.

Configure the following:

AAA Authentication, Authorization, and Accounting. AAA is a security framework to authenticate users, authorize the type of access based on user credentials, and record authentication events and information about the network access and network resource consumption. database entries for username and passwords

VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. authentication profile, which defines the internal server group and the default role assigned to authenticated clients

L2TP Layer-2 Tunneling Protocol. L2TP is a networking protocol used by the ISPs to enable VPN operations. /IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. with PAP Password Authentication Protocol. PAP validates users by password. PAP does not encrypt passwords for transmission and is thus considered insecure. as the PPP Point-to-Point Protocol. PPP is a data link (layer 2) protocol used to establish a direct connection between two nodes. It can provide connection authentication, transmission encryption, and compression. authentication (IKEv1 Internet Key Exchange version 1. IKEv1 establishes a secure authenticated communication channel by using either the pre-shared key (shared secret), digital signatures, or public key encryption. IKEv1 operates in Main and Aggressive modes. See RFC 2409. only).

(For IKEv1 Internet Key Exchange version 1. IKEv1 establishes a secure authenticated communication channel by using either the pre-shared key (shared secret), digital signatures, or public key encryption. IKEv1 operates in Main and Aggressive modes. See RFC 2409. clients) An IKE Internet Key Exchange. IKE is a key management protocol used with IPsec protocol to establish a secure communication channel. IKE provides additional feature, flexibility, and ease of configuration for IPsec standard. policy for preshared key authentication of the SA Security Association. SA is the establishment of shared security attributes between two network entities to support secure communication..

(For IKEv2 Internet Key Exchange version 2. IKEv2 uses the secure channel established in Phase 1 to negotiate Security Associations on behalf of services such as IPsec. IKEv2 uses pre-shared key and Digital Signature for authentication. See RFC 4306. clients) A server certificate to authenticate the managed device to clients and a CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate. certificate to authenticate VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. clients.

The following procedure describes how to configure L2TP Layer-2 Tunneling Protocol. L2TP is a networking protocol used by the ISPs to enable VPN operations. /IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. for username and password clients:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Authentication > Auth Servers tab.

a. Select Internal from the Server Groups table, and then select Internal from the Server Group > Internal table to display entries for the internal database.

b. Under Server Group > Internal > Internal > Users tab, click + to add a new user to the internal server group.

c. Enter the User Name and Password information for the client.

d. Select the Enabled check box to activate this entry on creation.

e. Click Submit.

f. Click Pending Changes.

g. In the Pending Changes window, select the check box and click Deploy changes.

2. In the Managed Network node hierarchy, navigate to the Configuration > Authentication > L3 Authentication tab.

a. From the L3 Authentication List, select VPN Authentication > default > Server Group .

b. Select the internal server group from the drop-down list.

c. Click Submit.

d. Click Pending Changes.

e. In the Pending Changes window, select the check box and click Deploy changes.

3. Navigate to the Configuration > Services > VPN tab.

a. Expand IKEv1.

b. Select the L2TP check box to enable L2TP Layer-2 Tunneling Protocol. L2TP is a networking protocol used by the ISPs to enable VPN operations. .

c. Select the PAP check box for Auth Protocols.

d. Click Submit.

e. Click Pending Changes.

f. In the Pending Changes window, select the check box and click Deploy changes.

4. Configure other VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. settings as described in Configuring a VPN for L2TP/IPsec with IKEv2, while ensuring that the following settings are selected:

In the Configuration > Services > VPN page, select the L2TP check box.

In the Configuration > Services > VPN page, select the PAP check box as the authentication protocol.

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure a L2TP Layer-2 Tunneling Protocol. L2TP is a networking protocol used by the ISPs to enable VPN operations. /IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. for username and password clients using IKEv1 Internet Key Exchange version 1. IKEv1 establishes a secure authenticated communication channel by using either the pre-shared key (shared secret), digital signatures, or public key encryption. IKEv1 operates in Main and Aggressive modes. See RFC 2409.:

(host) [mynode] (config) #vpdn group l2tp

enable

ppp authentication pap

client dns 101.1.1.245

 

(host) [mynode] (config) #ip local pool pw-clients 10.1.1.1 10.1.1.250

(host) [mynode] (config) #crypto isakmp key <key> address 0.0.0.0 netmask 0.0.00

(host) [mynode] (config) #crypto isakmp policy 1

authentication pre-share

Next, issue the following command to configure client entries in the internal database:

(host) [mynode] #local-userdb add username <name> password <password>