132
Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys
Foundation Topics
Using VPNs for Remote Access with Preshared Keys
For site-to-site VPN connections, peer devices must authenticate one another before IPSec
communications can occur. In addition to requiring device authentication, remote access VPN
connections require user authentication to make certain that the user is permitted to use the
applications that are protected by the IPSec connection.
User authentication can be handled in a variety of ways. You can configure Remote Authentication
Dial-In User Service (RADIUS), NT Domain, and Security Dynamics International (SDI)
authentication on most Cisco devices, and the VPN 3000 Concentrators have the additional
ability to authenticate users through an internal database.
If you want to use internal authentication, create a username and password for each user and
assign the users to the group that is to be used for IPSec device authentication. Once the devices
have established the IPSec tunnel, the user is prompted to enter a username and password to
continue. Failure to authenticate causes the tunnel to drop. A similar login prompt is displayed
if you are using RADIUS, NT Domain, or SDI authentication.
You can establish device authentication by using either preshared keys or digital certificates.
(For more information, see Chapter 5, “Configuring Cisco VPN 3000 for Remote Access Using
Digital Certificates.”) With preshared keys, the system administrator chooses the key and then
shares that key with users or other system administrators. Combining a preshared key with
some other metric establishes three different uses for preshared keys, as follows:
• Unique
• Group
• Wildcard
The following sections describe each type of preshared key in more detail.
Unique Preshared Keys
When a preshared key is tied to a specific IP address, the combination makes the preshared
key unique. Only the peer with the correct IP address can establish an IPSec session using this key.
Ideal for site-to-site VPNs where the identity of the peer devices is always known, unique
preshared keys are not recommended for remote access VPNs. Unique preshared keys scale
particularly poorly because each new user requires a new key and the administrative burden
that entails.
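As an added illustration (not from the book and not Cisco code), the following Python model walks through the two-stage check this section describes: device authentication with a preshared key selected as unique (bound to the peer IP address), group, or wildcard, followed by user authentication against an internal user database, with a failed user login dropping the tunnel. The precedence order among key types, the rule that the user must belong to the group that authenticated the device, and every address, group, user and key value are constructed assumptions.

```python
"""Toy model of remote-access authentication with preshared keys.
Added example: key-selection precedence and the group-membership rule
are assumptions for illustration, not documented VPN 3000 behaviour."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Concentrator:
    unique_keys: Dict[str, str] = field(default_factory=dict)   # peer IP -> key
    group_keys: Dict[str, str] = field(default_factory=dict)    # group name -> key
    wildcard_key: Optional[str] = None                          # accepted from any peer
    users: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # user -> (password, group)

    def _expected_key(self, peer_ip: str, group: str) -> Optional[str]:
        # Assumed precedence: a key bound to this exact IP wins, then the
        # group's key, then the wildcard key if one is configured.
        if peer_ip in self.unique_keys:
            return self.unique_keys[peer_ip]
        if group in self.group_keys:
            return self.group_keys[group]
        return self.wildcard_key

    def device_auth(self, peer_ip: str, group: str, offered_key: str) -> bool:
        expected = self._expected_key(peer_ip, group)
        # Constant-time comparison so key checks do not leak timing.
        return expected is not None and hmac.compare_digest(expected, offered_key)

    def user_auth(self, username: str, password: str, group: str) -> bool:
        rec = self.users.get(username)
        # User must exist in the internal database, present the right
        # password, and be assigned to the group used for device auth.
        return (rec is not None
                and hmac.compare_digest(rec[0], password)
                and rec[1] == group)

    def connect(self, peer_ip: str, group: str, offered_key: str,
                username: str, password: str) -> str:
        if not self.device_auth(peer_ip, group, offered_key):
            return "tunnel refused: device authentication failed"
        if not self.user_auth(username, password, group):
            return "tunnel dropped: user authentication failed"
        return "tunnel up"


if __name__ == "__main__":
    # Constructed sample configuration: one IP-bound key, one group key.
    vpn = Concentrator(unique_keys={"203.0.113.10": "site-key"},
                       group_keys={"sales": "sales-key"},
                       users={"alice": ("pw1", "sales"), "bob": ("pw2", "eng")})
    print(vpn.connect("198.51.100.7", "sales", "site-key", "alice", "pw1"))  # refused: IP-bound key
    print(vpn.connect("198.51.100.7", "sales", "sales-key", "alice", "pw1"))  # tunnel up
    print(vpn.connect("198.51.100.7", "sales", "sales-key", "bob", "pw2"))    # dropped: bob not in sales
```

Because the unique key is accepted only from 203.0.113.10, every additional remote user in this model needs another entry in `unique_keys`, whereas the group key serves all members of `sales`.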