Ipsec over tcp, Ipsec over tcp port – Cisco VPN 3002 User Manual

VPN 3002 Hardware Client Reference

OL-1893-01

Chapter 6 Tunneling

Configuration | System | Tunneling Protocols | IPSec

The VPN 3002 in Fargo first tries to reach San Jose. If the initial IKE packet for that connection (1) times
out (8 seconds), it tries to connect to Austin (2). Should this negotiation also time out, it tries to connect
to Boston (3). These attempts continue until the VPN 3002 has tried all servers on its backup server list,
to a maximum of 10.

Be aware of the following characteristics of the backup server feature:

If the VPN 3002 cannot connect after trying all backup servers on the list, it does not automatically
retry.

In Network Extension mode, the VPN 3002 attempts a new connection after 4 seconds.

In Client mode, the VPN 3002 attempts a new connection when the user clicks the Connect Now
button on the Monitoring | System Status screen, or when data passes from the VPN 3002 to the
VPN Concentrator.

A VPN 3002 must connect to the primary VPN Concentrator to download a backup server list
configured on the primary VPN Concentrator. If that VPN Concentrator is unavailable, and if the
VPN 3002 has a previously configured backup server list, it can connect to the servers on that list.

It can download a backup server list only from the primary VPN Concentrator. The VPN 3002
cannot download a backup server list from a backup server.

The VPN Concentrators that you configure as backup servers do not have to be aware of each other.

If you change the configuration of backup servers, or delete a backup server during an active session
between a VPN 3002 and a backup server, the session continues without adopting that change. New
settings take effect the next time the VPN 3002 connects to its primary VPN Concentrator.

You can configure the backup server feature from the primary VPN Concentrator or the VPN 3002.

From the VPN Concentrator, configure backup servers on either of the Configuration | User
Management | Base Group or Groups | Mode Configuration screens.

On the VPN 3002, configure backup servers on the Configuration | System | Tunneling Protocols |
IPSec screen.

The list you configure on the VPN 3002 applies only if the Use Client Configured List option is set in
the IPSec Backup Servers parameter. To set this option, go to the Mode Configuration tab on the
Configuration | User Management | Groups | Add/Modify screen of the primary VPN Concentrator to
which the VPN 3002 connects.

Note

The group name, username, and passwords that you configure for the VPN 3002 must be identical
for the primary VPN Concentrator and all backup servers. Also, if you require interactive hardware
client authentication and/or individual user authentication for the VPN 3002 on the primary VPN
Concentrator, be sure to configure it on backup servers as well.

IPSec over TCP

Check IPSec over TCP if you want to connect using IPSec over TCP. This feature must also be enabled
on the VPN Concentrator to which this VPN 3002 connects. See the explanation that follows.

IPSec over TCP Port

Enter the IPSec over TCP port number. You can enter one port. The port that you configure on the VPN
3002 must also match that configured on the VPN Concentrator to which this VPN 3002 connects.
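
The consistency rules above (a backup list of at most 10 servers, identical group name, username and passwords on the primary and every backup, authentication requirements repeated on the backups, and IPSec over TCP enabled with the same port on both ends) can be checked before a failover exposes a mismatch. The following audit is an added example, not part of the Cisco manual; the dictionary field names, the digest fields, the helper make_server, and all sample values (including port 10000) are constructed for illustration and assume the settings were transcribed by hand from each device's configuration screens.

```python
import hmac

MAX_BACKUP_SERVERS = 10  # limit stated in the backup server description

# Settings that must be identical on the primary and every backup server.
# Passwords are compared as digests so plaintext never enters the inventory.
IDENTITY_FIELDS = ("group_name", "username",
                   "group_password_sha256", "user_password_sha256")
AUTH_FIELDS = ("interactive_hw_client_auth", "individual_user_auth")


def audit(client, primary, backups):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    if len(backups) > MAX_BACKUP_SERVERS:
        findings.append(f"backup list has {len(backups)} entries, "
                        f"maximum is {MAX_BACKUP_SERVERS}")
    for server in [primary, *backups]:
        name = server["name"]
        for field in IDENTITY_FIELDS:
            # Constant-time comparison, since some fields are credential digests.
            if not hmac.compare_digest(str(server[field]).encode(),
                                       str(client[field]).encode()):
                findings.append(f"{name}: {field} differs from the VPN 3002")
        for field in AUTH_FIELDS:
            if primary[field] and not server[field]:
                findings.append(f"{name}: {field} is required on the primary "
                                "but not configured here")
        if client["ipsec_over_tcp"]:
            if not server["ipsec_over_tcp"]:
                findings.append(f"{name}: IPSec over TCP is not enabled")
            elif server["tcp_port"] != client["tcp_port"]:
                findings.append(f"{name}: tcp_port {server['tcp_port']} does not "
                                f"match VPN 3002 port {client['tcp_port']}")
    return findings


def make_server(name, **overrides):
    """Build one constructed inventory record (hypothetical schema)."""
    base = {"name": name, "group_name": "fargo-hw", "username": "vpn3002-fargo",
            "group_password_sha256": "aa11", "user_password_sha256": "bb22",
            "interactive_hw_client_auth": True, "individual_user_auth": False,
            "ipsec_over_tcp": True, "tcp_port": 10000}
    return {**base, **overrides}


CLIENT = make_server("fargo-3002")
PRIMARY = make_server("san-jose")
BACKUPS = [make_server("austin", tcp_port=10001),
           make_server("boston", group_name="fargo",
                       interactive_hw_client_auth=False)]

if __name__ == "__main__":
    print("\n".join(audit(CLIENT, PRIMARY, BACKUPS)) or "no findings")
```
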