Ipsec Over Udp; Additional Software Features; Interactive Hardware Client Authentication - Cisco CVPN3002-K9 - Fast Ethernet VPN Gateway Getting Started

Chapter 1
Understanding the VPN 3002 Hardware Client

IPSec over UDP

The VPN 3002 supports User Datagram Protocol (UDP) Network Address Translation/Firewall (NAT)
Transparent IPSec, which encapsulates encrypted data traffic within UDP packets. IPSec over UDP
enables secure transmission between the VPN 3002 Hardware Client and the VPN Concentrator at the
central site through a device, such as a firewall, that is performing Network Address Translation (NAT).
The VPN 3002 sends keepalives frequently, ensuring that the mappings on the NAT device are kept
active.
You do not have to configure this feature on the VPN 3002, but the following requirements do apply:
- Select the second or third options for the Fragmentation Policy parameter in the Configuration |
  Interfaces | Public screen. These options let traffic travel across NAT devices that do not support IP
  fragmentation; they do not impede the operation of NAT devices that do support IP fragmentation.
- Both the VPN Concentrator and the VPN 3002 must be running Release 3.0.3 or higher software.
- You must configure IPSec over UDP for the group on the VPN Concentrator to which the VPN 3002
  belongs. For an example, refer to the VPN 3000 Concentrator Manager, Configuration | User
  Management | Groups | IPSec tab (use the VPN Concentrator Manager Help, or refer to VPN 3000
  Concentrator Series Reference Volume I: Configuration).

Note: We do not currently support a topology with multiple VPN 3002 Hardware Clients behind one NAT
device.

Additional Software Features

The VPN 3002 software includes these features.

Interactive Hardware Client Authentication

Interactive hardware client authentication prevents users on the VPN 3002 private LAN from accessing
the central site until the VPN 3002 authenticates.
When you enable interactive hardware client authentication, the VPN 3002 does not use a saved
username and password. Instead you must manually enter a valid username and password for the VPN
3002 each time you connect. When the VPN 3002 initiates the tunnel, it sends the username and
password to the VPN Concentrator to which it connects. The VPN Concentrator facilitates
authentication, on either the internal or an external server. If the username and password are valid, the
tunnel is established.
You configure interactive hardware client authentication on the VPN Concentrator, which pushes the
policy to the VPN 3002. For more information and configuration instructions, refer to the "User
Management" chapter of the VPN 3000 Series Concentrator Reference Volume 1: Configuration.

VPN 3002 Hardware Client Getting Started, OL-2854-01
