Cisco 3000 / PIX NCP Client Configuration
This thread is now closed
dimante
Sun Nov 25 2007, 02:14PM
NCP Secure Client and Cisco (3000series & PIX)
ID: 10127
Operating Systems: None
Type: Information
NCP Secure Enterprise Client 8.10
NCP Secure Enterprise CE Client 2.0x
NCP Secure Entry Client 8.12


Some important things to be sure of before starting:

1) The NCP Client (or derivative thereof, also referred to as NCP Client in this document) cannot co-exist with another VPN Client, so it is imperative that other VPN clients have been removed before proceeding. You will be able to use the NCP VPN Client to establish connections to many other VPN Gateways, and are by no means locked down to only using specific vendors' VPN gateways.

In the case of the integrated VPN functionality of the PocketPC operating system, this is not to be activated, seeing as it cannot be removed.

2) In this scenario, the NCP Client will emulate a Cisco Unity Client, so you do not need to enable special "Movian" options; some users had this enabled, thinking it would be necessary in order to let the NCP CE Client function, seeing as it too is a PDA VPN client. The NCP Client strictly uses IPsec standards and drafts, such as XAUTH, IKE-ConfigMode and NAT-T, and so there is no need to enable options specifically for the Movian, some of which are not even supported, such as Diffie-Hellman Group 7.

3) The NCP client does NOT support the TCP encapsulation with a static/variable port number. The Cisco MUST BE configured to support NAT-T (IPSec over NAT-T). This requires configuration on the server side. This 'mode' works in parallel with existing configurations (does not influence existing connections) using TCP-encapsulation and is a standard defined by Cisco to replace the TCP encapsulation. The newer versions of the clients (v2.2x onwards) do support variable UDP (default: 10000) encapsulation though. (See important note below.)

Cisco 3000: Configuration | System | Tunneling Protocols | IPSec | NAT Transparency
Enable the IPSec over NAT-T.
See for more information:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_0/config/tunnel.htm#1029463

Cisco PIX: isakmp nat-traversal [natkeepalive]
See for more information:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312

IMPORTANT NOTE: It may occur that the connection is successfully negotiated, but no traffic is passing through the tunnel; that is to say, the symbols all indicate that a connection has been established, but the Rx (receive) counter remains on 0. Upon inspecting the log, you will see that NAT-T is supported but has not been negotiated, because no NAT devices were detected between the concentrator and the client. However, the Cisco will still expect the packets to be encapsulated within UDP (default: 10000), and therefore not respond. This is automatically negotiated with the v2.2x and newer clients, which will adapt to the UDP port set on the Cisco. If, however, a connection is used where NAT devices are detected, the frames will be encapsulated within UDP 4500, which then will work.


Configuration:
For some tips in how to configure a connection to the ISP using a PDA please refer to http://www.ncp.de/english/services/cekompat/

IPSec General Settings:
You may want to define both the IKE and IPsec policies and lifetimes manually, but using Automatic Mode will normally work fine. If you do choose to manually define them, make sure these match the configuration as defined in the Cisco. Please note, the Automatic Mode will NOT negotiate proposals using DES, seeing as this is not considered secure. AES is a suitable replacement, as it is faster and more secure.
Exchange Mode: Depending on whether you are using pre-shared keys or certificates you want to select either:
Pre-shared keys (PSK): select Aggressive Mode or
X509 Certificates (RSA): select Main Mode.

NOTE: Please also select the correct DH-Group for the PFS (Perfect Forward Secrecy).

Identities:
When using Pre-shared keys: select Free string used to identify groups as (IKE-)Type and enter in the group name as the (IKE-)ID. Enable the use of Pre-shared keys, and enter in the group password there.



When using certificates: select ASN1 Distinguished name, as (IKE-)Type and then the information will be extracted from the certificate. Remember also to define which certificates are to be used (and in the case of PDAs, upload the certificates to the PDA)!

Also enable the use of XAUTH, and enter in the XAUTH username and password.

IP Address Assignment:
The NCP client supports Cisco's IKE-Config Mode, which you'll want to enable as well; this saves a lot of trouble configuring IP addresses that the client is going to use.


Disclaimer
Considerable care has been taken in the preparation of this document; errors in content, typographical or otherwise, may occur. If you have any comments or recommendations concerning the accuracy, then please contact NCP as desired.
NCP makes no representations or warranties with respect to the contents or use of this document, and explicitly disclaims all expressed or implied warranties of merchantability or use for any particular purpose. Furthermore, NCP reserves the right to revise this publication and to make amendments to the content, at any time, without obligation to notify any person or entity of such revisions and changes.

Trademarks
All trademarks or registered trademarks appearing in this manual belong to their respective owners.

© 2005 NCP Engineering GmbH. All rights reserved.
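The NAT detection that the important note above relies on, as an added illustration (not code from NCP, Cisco or the poster): each IKE peer sends RFC 3947 NAT-D hashes of the addresses it believes it is using, the gateway recomputes them over what it actually sees on the wire, and the outcome decides the encapsulation the post describes. The IKE cookies, the RFC 5737 sample addresses and the encapsulation decision model are assumptions.

```python
import hashlib
import ipaddress
import struct

# Constructed sample IKE cookies (not from the page); real ones come from the IKE SA.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """NAT-D value per RFC 3947: HASH(CKY-I | CKY-R | IP | Port), IP and port in network order."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.new(algo, cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()

def client_nat_d_payloads(cky_i, cky_r, client_ip, client_port, gw_ip, gw_port):
    """NAT-D payloads the client sends: one for the gateway (destination), one for its own source."""
    return [nat_d_hash(cky_i, cky_r, gw_ip, gw_port),
            nat_d_hash(cky_i, cky_r, client_ip, client_port)]

def gateway_detects_nat(cky_i, cky_r, payloads, seen_src_ip, seen_src_port, own_ip, own_port):
    """Gateway recomputes the hashes over the addresses it actually sees on the wire.
    Destination mismatch: NAT in front of the gateway. No source match: client is behind a NAT."""
    dst_ok = payloads[0] == nat_d_hash(cky_i, cky_r, own_ip, own_port)
    src_ok = any(p == nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port) for p in payloads[1:])
    return {"nat_in_front_of_gateway": not dst_ok, "nat_in_front_of_client": not src_ok}

def choose_encapsulation(detection, cisco_udp_port=10000, client_adapts_to_cisco_udp=True):
    """Encapsulation outcome as the post describes it (an assumed model, not vendor code):
    NAT detected -> standard NAT-T, ESP in UDP/4500; no NAT and a v2.2x-style client -> the
    Cisco's IPsec-over-UDP port (default 10000); no NAT and an older client -> plain ESP while
    the Cisco expects UDP, which is the 'tunnel up but Rx stays 0' symptom."""
    if detection["nat_in_front_of_client"] or detection["nat_in_front_of_gateway"]:
        return ("NAT-T UDP", 4500)
    if client_adapts_to_cisco_udp:
        return ("Cisco IPsec-over-UDP", cisco_udp_port)
    return ("plain ESP", None)

def simulate(client_ip, seen_src_ip, seen_src_port=500, gw_ip="198.51.100.1", adapts=True):
    """One exchange: client builds NAT-D, gateway checks them, then the encapsulation is chosen."""
    payloads = client_nat_d_payloads(CKY_I, CKY_R, client_ip, 500, gw_ip, 500)
    detection = gateway_detects_nat(CKY_I, CKY_R, payloads, seen_src_ip, seen_src_port, gw_ip, 500)
    return detection, choose_encapsulation(detection, client_adapts_to_cisco_udp=adapts)

if __name__ == "__main__":
    # Constructed scenarios using RFC 5737 documentation ranges.
    print(simulate("198.51.100.10", "198.51.100.10"))                    # direct, new client
    print(simulate("192.168.1.20", "203.0.113.5", seen_src_port=1025))  # client behind NAT
    print(simulate("198.51.100.10", "198.51.100.10", adapts=False))     # direct, old client
```

The third scenario is the one the note warns about: IKE completes, no NAT is found, and the client's plain ESP never matches the UDP port the Cisco is listening on.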