System information

Release Notes for Cisco VPN 3000 Series Concentrator, Release 3.6 Through 3.6.8.B
OL-5637-02
New Features in Release 3.6.1
DHCP Relay for Wireless Operation (Includes Microsoft VPN Client Route List via DHCP)
The DHCP Relay feature lets wireless clients obtain a network configuration from the corporate network
before creating a VPN tunnel. This may be used with the VPN Client autoinitiation feature to obtain a
network configuration and automatically connect to the secure gateway when a configured wireless LAN
(WLAN) is detected.
To add DHCP, go to Configuration | System | IP Routing.
To configure DHCP Relay, go to Configuration | System | IP Routing | DHCP Relay.
To enable DHCP Relay, you must also assign the appropriate rules to the filters in the Configuration | Policy Management | Traffic Management | Filters screen.
DHCP Intercept
DHCP Intercept uses DHCP to provide a Microsoft L2TP/IPSec client with a subnet mask, a domain name, and classless static routes.
This feature allows the VPN Concentrator to reply directly to the Microsoft Client DHCP Inform
message. This is useful in environments in which using a DHCP server for this purpose is not
advantageous.
You configure this feature on a per-group basis on the Client Config tab of either the Configuration | User
Management | Base Group screen or the Configuration | User Management | Groups | Add or Modify
screen.
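The DHCP Inform/ACK exchange that DHCP Intercept answers, shown as an added example (not code from the release notes or from the VPN Concentrator). It constructs a DHCPINFORM as a client would send it, builds the DHCPACK that carries the subnet mask (option 1), domain name (option 15) and classless static routes, and decodes the route list on the client side. The route encoding follows the RFC 3442 format (prefix length, only the significant octets of the destination, then the router); the option number 121 is an assumption, since Microsoft clients have historically also requested this list as vendor option 249 with the same encoding, and the concentrator's choice is not stated on this page. All addresses, the transaction ID and the MAC are constructed sample values.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_INFORM, DHCP_ACK = 8, 5
OPT_SUBNET_MASK, OPT_DOMAIN_NAME, OPT_MSG_TYPE = 1, 15, 53
OPT_SERVER_ID, OPT_CLASSLESS_ROUTES, OPT_END = 54, 121, 255  # 121 assumed; MS clients may use 249

# Fixed BOOTP/DHCP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


def parse_options(data):
    """Return {code: value} for a TLV option area (stops at END, skips PAD)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:  # PAD
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(pkt):
    fields = HDR.unpack(pkt[:HDR.size])
    if pkt[HDR.size:HDR.size + 4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    return fields, parse_options(pkt[HDR.size + 4:])


def encode_classless_routes(routes):
    """RFC 3442 encoding: prefix length, significant destination octets, router."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(data):
    """Client-side decoding of the same option back into (network/prefix, router) pairs."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        significant = (plen + 7) // 8
        dest = data[i + 1:i + 1 + significant] + b"\0" * (4 - significant)
        router = data[i + 1 + significant:i + 5 + significant]
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}", str(ipaddress.IPv4Address(router))))
        i += 5 + significant
    return routes


def make_inform(xid, client_ip, mac):
    """Constructed DHCPINFORM as a client that already has an address would send it."""
    header = HDR.pack(1, 1, 6, 0, xid, 0, 0, ipaddress.IPv4Address(client_ip).packed,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, mac, b"", b"")
    # Option 55 (parameter request list) asks for mask, domain name and routes.
    options = bytes([OPT_MSG_TYPE, 1, DHCP_INFORM, 55, 3, 1, 15, OPT_CLASSLESS_ROUTES, OPT_END])
    return header + DHCP_MAGIC + options


def build_inform_ack(inform, server_ip, subnet_mask, domain, routes):
    """Answer a DHCPINFORM directly (what DHCP Intercept does): DHCPACK with no lease, yiaddr 0."""
    fields, opts = parse_dhcp(inform)
    op, htype, hlen, _hops, xid, _secs, flags, ciaddr, _y, _s, giaddr, chaddr, _sn, _f = fields
    if op != 1 or opts.get(OPT_MSG_TYPE) != bytes([DHCP_INFORM]):
        raise ValueError("not a DHCPINFORM")
    header = HDR.pack(2, htype, hlen, 0, xid, 0, flags, ciaddr, b"\0" * 4, b"\0" * 4,
                      giaddr, chaddr, b"", b"")
    route_bytes = encode_classless_routes(routes)
    options = (bytes([OPT_MSG_TYPE, 1, DHCP_ACK])
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
               + bytes([OPT_SUBNET_MASK, 4]) + ipaddress.IPv4Address(subnet_mask).packed
               + bytes([OPT_DOMAIN_NAME, len(domain)]) + domain.encode()
               + bytes([OPT_CLASSLESS_ROUTES, len(route_bytes)]) + route_bytes
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    inform = make_inform(0x1234ABCD, "10.20.30.40", b"\x00\x11\x22\x33\x44\x55")
    ack = build_inform_ack(inform, "10.20.30.1", "255.255.255.0", "corp.example",
                           [("10.0.0.0/8", "10.20.30.1"), ("192.168.5.0/24", "10.20.30.2")])
    _, ack_opts = parse_dhcp(ack)
    print(decode_classless_routes(ack_opts[OPT_CLASSLESS_ROUTES]))
```

The route option is worth checking byte for byte because the variable-length destination field is where most broken implementations go wrong: a /8 destination occupies one octet, a /24 three, and a default route (/0) none at all.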
Ratified IPSec/UDP Implementation (NAT Traversal)
Release 3.6.1 adds support for NAT Traversal (NAT-T), the IETF IPSec Working Group draft specification for IPSec over UDP encapsulation (draft-ietf-ipsec-nat-t-ike-02).
NAT-T lets IPSec peers, including LAN-to-LAN peers, establish a connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, which gives the NAT device the port information it needs to translate the traffic. Multiple IPSec clients behind a NAT/PAT device can connect to the same VPN Concentrator, with the exception of Microsoft L2TP/IPSec clients (see the limitations below). NAT-T automatically detects any NAT device between the peers and encapsulates IPSec traffic only when necessary.
NAT-T has the following limitations and requirements:
• NAT-T can support only one Microsoft L2TP/IPSec client behind a NAT/PAT device.
• You must open UDP port 4500 on any firewall you have configured in front of a VPN Concentrator. Port 4500 is the destination port of inbound NAT-T traffic; the source port can be any port, because a NAT/PAT device may rewrite it.
• NAT-T depends on UDP port 4500 being available. If an earlier IPSec/UDP configuration already uses that port, you must reconfigure it to use a different UDP port.
To configure NAT-T globally, go to the Configuration | System | Tunneling Protocols | IPSec | NAT
Transparency screen and check the IPSec over NAT-T check box.
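The two mechanisms this section describes, NAT detection during IKE and UDP encapsulation on port 4500, as an added example (not code from the release notes or from the VPN Concentrator). It follows draft-ietf-ipsec-nat-t-ike-02 (later RFC 3947/3948): each peer sends NAT-D payloads containing HASH(CKY-I | CKY-R | IP | Port), first for the address it believes the remote peer has and then for each of its own addresses; the receiver recomputes the hashes from the addresses it actually observes, and any mismatch means a NAT sits in between. On UDP 4500, IKE messages are prefixed with a four-byte all-zero non-ESP marker, ESP follows the UDP header directly (its SPI is never zero), and a single 0xFF byte is a NAT keepalive. SHA-1 as the hash, and all cookies and addresses, are constructed assumptions for the scenario; the negotiated phase-1 hash is used in practice.

```python
import hashlib
import socket
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\0\0\0\0"
NAT_KEEPALIVE = b"\xff"


def natd_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), IP as 4 octets, port as 16-bit big-endian."""
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port))
    return h.digest()


def natd_payloads(cky_i, cky_r, remote_addr, local_addrs):
    """What a peer sends: the remote address as it sees it first, then each of its own addresses."""
    return [natd_hash(cky_i, cky_r, *remote_addr)] + [natd_hash(cky_i, cky_r, *a) for a in local_addrs]


def detect_nat(cky_i, cky_r, received, my_addr, observed_peer_addr):
    """Recompute the hashes from what this host knows and saw on the wire.

    my_addr:            the (ip, port) this host is actually configured with
    observed_peer_addr: the source (ip, port) of the IKE packet as it arrived
    Returns (i_am_behind_nat, peer_is_behind_nat).
    """
    if len(received) < 2:
        raise ValueError("need at least one remote and one local NAT-D payload")
    peer_view_of_me, peer_local_addrs = received[0], received[1:]
    i_am_behind_nat = natd_hash(cky_i, cky_r, *my_addr) != peer_view_of_me
    peer_is_behind_nat = natd_hash(cky_i, cky_r, *observed_peer_addr) not in peer_local_addrs
    return i_am_behind_nat, peer_is_behind_nat


def encapsulate_ike(ike_message):
    """IKE on UDP 4500 carries the non-ESP marker so it cannot be confused with ESP."""
    return NON_ESP_MARKER + ike_message


def encapsulate_esp(esp_packet):
    """UDP-encapsulated ESP is the raw ESP packet after the UDP header; SPI 0 is reserved."""
    if esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("ESP SPI must be non-zero")
    return esp_packet


def classify_udp4500_payload(payload):
    """Demultiplex a UDP 4500 payload the way a NAT-T receiver does."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:  # at least SPI + sequence number
        return "esp"
    return "invalid"


def simulate_client_behind_pat():
    """Constructed scenario: client 192.168.1.10:500 behind a PAT device that presents 203.0.113.7:41000
    to a concentrator at 198.51.100.1:500. The concentrator decides who is behind a NAT."""
    cky_i = bytes.fromhex("0011223344556677")
    cky_r = bytes.fromhex("8899aabbccddeeff")
    client_payloads = natd_payloads(cky_i, cky_r, ("198.51.100.1", 500), [("192.168.1.10", 500)])
    return detect_nat(cky_i, cky_r, client_payloads,
                      my_addr=("198.51.100.1", 500),
                      observed_peer_addr=("203.0.113.7", 41000))


if __name__ == "__main__":
    print("concentrator behind NAT, client behind NAT:", simulate_client_behind_pat())
    print(classify_udp4500_payload(encapsulate_ike(b"\x01" * 28)))
```

Because the hashes bind the cookies of the current SA, a NAT-D payload replayed from another negotiation does not verify, and because the receiver trusts only what it observes on the wire, a peer cannot hide a NAT by lying about its address. The firewall rule the limitations list asks for follows from the demultiplexer: everything the concentrator needs arrives as UDP with destination port 4500 from an arbitrary source port.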