06-18-2010 03:41 PM
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on IP Security VPN with Cisco experts Syed Ziaullah and Sundar Srinivasaraghavan. Syed is a customer support engineer at Cisco's Technical Assistance Center in the VPN and security domain, where he has worked for more than four years. He helps a variety of Cisco customers in configuring new network setups as well as troubleshooting their existing network issues related to security. Syed holds CCIE certification (CCIE # 19264) in Security. Sundar is a customer support engineer at Cisco in the High Touch Technical Support (HTTS) Security team, providing configuration and troubleshooting assistance to customers through service requests. He has been with Cisco for more than 10 years and has extensive experience in installation, configuration, and troubleshooting of IPsec VPNs. He holds CCIE certification (CCIE # 6415) in both Routing & Switching and Security.
Remember to use the rating system to let Syed and Sundar know if you have received an adequate response.
Syed and Sundar might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 2, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
06-28-2010 12:15 PM
Hi Roberto,
I don’t know at this point. I will check internally and will respond to you accordingly.
Thanks
-Syed
07-01-2010 08:54 AM
Hi Roberto,
Here is the information I got from the department concerned:
"In the middle third of the year – between May and August 2011."
Thanks for your patience.
-Syed
06-28-2010 07:04 AM
Good afternoon,
For remote VPN users, I would like to configure a dynamic VPN split tunnel depending on where they are connecting from.
For example, if a remote user is connected to the ASA from Italy, authenticated via the ACS RADIUS server, a split tunnel list will be applied allowing the user to access local resources; if the same user is connecting from Germany, apply a split tunnel list allowing the local resources for the Germany office...
Is it possible to achieve this? Any link or documentation related?
Thanks for your support
Fran
06-28-2010 11:47 AM
Hi Fran,
If your user is connecting to different ASAs (regional ASAs) and getting authenticated by different ACS servers (regional ACS), then you can push different attributes depending on which ACS is authenticating.
If your user is changing location and also changing physical machine to connect to the same ASA, then you can use DAP to select different policies. If your user is using the same machine from different locations, then DAP is not a solution for you.
Thanks
-Syed
06-28-2010 01:27 PM
Thanks for your reply,
Users will create the VPN tunnel from different locations to the same ASA and be authenticated by the same ACS. I think the machine will always be the same (his laptop). Should I use DAP then? Or do you know any other solution?
Thanks for your help
Best regards
Fran
06-28-2010 04:31 PM
Hi Fran,
DAP needs some criteria to differentiate between his machine when coming from different locations. Differentiation based on IP address is not possible. Is there anything you can think of other than IP which we can use as a differentiating factor? If not, then I am out of ideas.
Thanks
-Syed
07-01-2010 06:18 AM
Hello,
I am working with ACS appliance v5.1 for RADIUS authentication/authorization.
All clients are connecting to the same central ASA.
I have found in ACS Policy Elements - End Station Filters - where I think I can differentiate where the clients are located.
Does anybody know if end station filters refer to the clients' network or to the ASA?
Regards
Fran
07-01-2010 07:48 PM
Hi Fran,
Yes, end station filters refer to the client machines here.
I hope this is regarding the split tunnel networks applied on the basis of location. In ACS 4.x, mode config attributes are pushed on a per-group basis, so it's not possible unless the user is assigned different groups.
I didn't have much chance to play around with ACS 5.x, but going by the doc, I think you could directly assign a different authorization profile based on the Calling-Station-ID RADIUS attribute. Within the authorization profile, you can define appropriate split-tunnel lists. You may not need to use the filter.
Thanks
Sundar
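The selection Sundar describes, modelled as an added example that is not part of the original thread and not Cisco ACS or ASA code: a RADIUS server picks the authorization profile from the Calling-Station-Id and answers with the attributes the ASA uses to land the user in a region-specific group policy with its own split-tunnel ACL. The region prefixes, group-policy names and ACL names are constructed; the attribute names follow the ASA RADIUS attribute table as I recall it and should be checked against your ASA/ACS release.

```python
"""Location-dependent split tunnelling keyed on the RADIUS Calling-Station-Id.

Added example for this thread, not Cisco ACS or ASA code. Region prefixes,
group-policy and ACL names are constructed; attribute names are assumptions
to verify against the ASA RADIUS attribute table for your release.
"""
import ipaddress

# Constructed table (assumption): the public prefix each office egresses from,
# the ASA group-policy to land the user in, and the split-tunnel ACL on the ASA.
REGIONS = {
    "italy":   {"prefixes": ["203.0.113.0/24"],  "group_policy": "GP_IT", "split_acl": "SPLIT_IT"},
    "germany": {"prefixes": ["198.51.100.0/24"], "group_policy": "GP_DE", "split_acl": "SPLIT_DE"},
}
# Unknown location (hotel, mobile, home) falls back to the restrictive tunnel-all policy.
DEFAULT = {"group_policy": "GP_DEFAULT", "split_acl": None}


def region_for(calling_station_id):
    """Map the client's public address (as the ASA reports it) to a region, or None."""
    try:
        ip = ipaddress.ip_address(calling_station_id)
    except ValueError:          # empty, MAC-style or otherwise non-IP value
        return None
    for name, region in REGIONS.items():
        if any(ip in ipaddress.ip_network(p) for p in region["prefixes"]):
            return name
    return None


def authorize(access_request):
    """Return the attributes an Access-Accept would carry for this request.

    access_request is a dict of attributes from the ASA's Access-Request
    (constructed here; a real server hands you parsed attributes).
    """
    region = region_for(access_request.get("Calling-Station-Id", ""))
    policy = REGIONS[region] if region else DEFAULT
    # The ASA maps an IETF Class attribute of the form "OU=<group-policy>;"
    # onto a locally defined group-policy.
    attrs = {"Class": f"OU={policy['group_policy']};"}
    if policy["split_acl"]:
        # Cisco VPN VSAs (assumed names): 55 = split-tunnelling policy
        # (1 = split tunnelling), 27 = name of the split-tunnel ACL on the ASA.
        attrs["IPsec-Split-Tunneling-Policy"] = 1
        attrs["IPsec-Split-Tunnel-List"] = policy["split_acl"]
    else:
        attrs["IPsec-Split-Tunneling-Policy"] = 0   # tunnel everything
    return attrs


if __name__ == "__main__":
    for src in ("203.0.113.7", "198.51.100.9", "192.0.2.1"):   # constructed requests
        print(src, authorize({"User-Name": "fran", "Calling-Station-Id": src}))
```

Calling-Station-Id is only the source address the ASA observed, so it authenticates nothing: use it to choose which networks bypass the tunnel, keep the access-control decision in the group-policy ACLs, and default to tunnel-all for any address you cannot place.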
06-29-2010 07:47 PM
Syed,
What is the main difference between IPsec and SSL? When would you choose one over the other?
Thanks.
Debra
06-30-2010 08:01 AM
Hi Debra,
For an IPsec-based VPN you cannot use your browser to connect. You have to have an IPsec client installed on the machine before attempting to make a connection.
An SSL-based VPN can make use of your browser, so you can get connected from any machine by just opening your browser and putting the VPN server IP in the address bar. The SSL-based client can be installed on the fly, so you do not need to install it before attempting to make a connection.
Hope this helps. Feel free to ask any further question you may have on this subject.
Thanks
-Syed
06-30-2010 09:18 AM
Syed,
It looks like SSL offers more flexibility. I want to implement disaster recovery for our company with 2000 employees. What would you recommend, IPsec or SSL? Do you have any documentation regarding disaster recovery?
Thanks.
Debra
06-29-2010 08:15 PM
Syed,
One of the users was trying to connect through the Cisco VPN Client, ver. 5.0.7. She is trying to connect to a Cisco VPN 3005 (rel. 4.7). She kept getting the same error message, "Secure VPN connection terminated locally by the client. Reason 412: the Remote Peer is no longer responding", when she double-clicks on the VPN entry. Do you have any suggestions on how to troubleshoot this type of problem? Please let me know if you need additional information.
Thanks.
Diane
06-30-2010 06:13 AM
Hi Diane
Can you give some more details? Is the connection problem intermittent, or has it never worked? If the client PC is behind any NAT router or firewall, you need to make sure it allows UDP 500. Are there any logs available in the VPN Client?
Thanks
Sundar
06-30-2010 07:09 AM
Sundar,
The connection never worked. UDP 500 is allowed. I do not have any logs in the VPN Client. By the time I post the log, your forum will be over. What should I be looking for in the log? Do you have any other suggestions?
Thanks.
Diane
06-30-2010 08:14 AM
Hi Diane
The error message you see in the client is very generic; it just indicates that communication is broken between the client and the concentrator. It could be a simple routing issue or issues related to the firewall or DNS resolution. To start with the basics, make sure the concentrator is reachable over the network and the firewall allows IPsec traffic (UDP 500, ESP, IP protocol 50). If you have the Windows firewall enabled, make sure you add an exception to allow these ports. Otherwise, logs from both ends will indicate at which stage the IPsec negotiation failed, to troubleshoot further.
Thanks
Sundar
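A way to test the first of Sundar's basics (is the concentrator reachable, and does UDP 500 get through end to end?) from the client's network, as an added example that is not part of the original thread and not Cisco code: it sends one generic IKEv1 Main Mode proposal (RFC 2408/2409 encoding) and reports only whether and how the peer answered. The proposal values are assumptions and need not match what the Cisco VPN Client actually offers; a reply of any kind, including a NO-PROPOSAL-CHOSEN notify, already proves reachability.

```python
"""IKEv1 Main Mode reachability probe for UDP 500.

Added example for this thread, not Cisco code. It sends a single generic
Phase 1 proposal and classifies the reply; it never attempts authentication.
Proposal values are assumptions (not the Cisco VPN Client's own offer).
"""
import os
import socket
import struct

# ISAKMP header: initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message id, total length (RFC 2408 section 3.1).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_NOTIFY = 0, 1, 11
IKE_V1 = 0x10               # major version 1, minor 0
XCHG_MAIN_MODE = 2          # identity protection exchange
BASIC_ATTR = 0x8000         # type/value ("basic") attribute encoding


def _attr(atype, value):
    return struct.pack("!HH", BASIC_ATTR | atype, value)


def build_sa_payload():
    """SA payload carrying one ISAKMP proposal with one transform."""
    attrs = b"".join([
        _attr(1, 5),        # encryption: 3DES-CBC
        _attr(2, 2),        # hash: SHA-1
        _attr(3, 1),        # authentication: pre-shared key
        _attr(4, 2),        # DH group 2 (MODP-1024)
        _attr(11, 1),       # life type: seconds
        _attr(12, 28800),   # life duration: 8 hours
    ])
    # transform: next, reserved, length, transform #, transform id (1 = KEY_IKE), reserved
    transform = struct.pack("!BBHBBH", PAYLOAD_NONE, 0, 8 + len(attrs), 1, 1, 0) + attrs
    # proposal: next, reserved, length, proposal #, protocol (1 = ISAKMP), SPI size, # transforms
    proposal = struct.pack("!BBHBBBB", PAYLOAD_NONE, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    body = struct.pack("!II", 1, 1) + proposal   # DOI = IPsec, situation = SIT_IDENTITY_ONLY
    return struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(body)) + body


def build_main_mode_msg1(i_cookie=None):
    """First Main Mode message: header plus SA payload, responder cookie zero."""
    i_cookie = i_cookie or os.urandom(8)
    sa = build_sa_payload()
    hdr = ISAKMP_HDR.pack(i_cookie, bytes(8), PAYLOAD_SA, IKE_V1, XCHG_MAIN_MODE,
                          0, 0, ISAKMP_HDR.size + len(sa))
    return hdr + sa


def parse_isakmp_header(data):
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than an ISAKMP header")
    ic, rc, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    return {"i_cookie": ic, "r_cookie": rc, "next_payload": nxt,
            "version": (ver >> 4, ver & 0x0F), "exchange": xchg,
            "flags": flags, "msg_id": msgid, "length": length}


def classify_reply(sent, reply):
    """Say what a datagram received after `sent` tells us about the peer."""
    try:
        hdr = parse_isakmp_header(reply)
    except ValueError:
        return "garbage"
    if hdr["i_cookie"] != sent[:8]:
        return "unrelated"                   # not an answer to our cookie
    if hdr["next_payload"] == PAYLOAD_SA:
        return "sa_reply"                    # a proposal was accepted: IKE reachable end to end
    if hdr["next_payload"] == PAYLOAD_NOTIFY:
        return "notify"                      # e.g. NO-PROPOSAL-CHOSEN: reachable, policy mismatch
    return "other"


def probe(host, port=500, timeout=3.0):
    """Network step (not exercised offline): one datagram out, classify what comes back."""
    msg = build_main_mode_msg1()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no_reply"   # routing, DNS, or UDP 500 filtered somewhere on the path
    return classify_reply(msg, reply)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"))   # 192.0.2.1 is a placeholder
```

Run it from the affected PC's network segment. A reply proves the concentrator is routable and UDP 500 is open in both directions; "no_reply" points at routing, name resolution or a filter on the path. It says nothing about ESP (IP protocol 50) or NAT-T on UDP 4500, which can still be blocked after Phase 1 completes, so a successful probe is necessary but not sufficient.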