The objective of this document is to give an overview of Virtual Private Network (VPN) best practices to anyone new to Cisco RV series routers.
It seems so long ago that the only place you could work was at the office. You may remember, back in the day, having to head into the office on the weekend to get a work matter settled. There was no other way to obtain data from company resources unless you were physically in your office. Those days are over. In today’s times, you are able to be on the go; conducting business from home, another office, a coffee shop, or even another country. The downside is that hackers are always looking to grab your sensitive data. Just using the public Internet is not safe. What can you do to get flexibility as well as security? Set up a VPN!
A VPN connection allows users to access, send, and receive data on a private network while travelling over a public or shared network such as the Internet. The tunnel keeps the connection to the underlying network infrastructure secure, so the private network and its resources stay protected even though the path crosses untrusted networks.
A VPN tunnel establishes a private network that can send data securely using encryption to encode the data, and authentication to ensure the identity of the client. Corporate offices often use a VPN connection since it is both useful and necessary to allow their employees to have access to their private network even if they are outside the office.
Normally, site-to-site VPNs connect entire networks to each other. They extend a network and allow computer resources from one location to be available at other locations. Through the use of a VPN capable router, a company can connect multiple fixed sites over a public network such as the Internet.
The client-to-site VPN setup allows a remote host, or client, to act as if it were located on the local network. A VPN connection can be set up between the router and an endpoint once the router has been configured for Internet connectivity. The VPN client depends on the settings of the VPN router, and the settings on both sides must match exactly or the two cannot establish a connection. Some VPN client applications are also platform-specific and depend on the operating system (OS) version.
A VPN can be set up with any of the following:
If you have never set up a VPN before, you will receive a lot of new information throughout this article. This is not a step-by-step guide, but more of an overview for reference. Therefore, it would be beneficial to read this article in its entirety before moving on and attempting to set up a VPN on your network. Links for specific steps are provided throughout this article.
Third-party, non-Cisco products, including TheGreenBow, OpenVPN, Shrew Soft, and EZ VPN are not supported by Cisco. They are included strictly for guidance purposes. If you need support on these beyond the article, you should contact the third-party for support.
For more information on how VPNs work, click here.
Cisco RV34x series routers support an SSL VPN using AnyConnect. The RV160 and RV260 have the option to use OpenVPN, which is another SSL VPN. The SSL VPN server allows remote users to establish a secure VPN tunnel using a web browser. This feature allows easy access to a wide range of web resources and web-enabled applications using the browser's native HTTPS (HTTP over SSL/TLS) support.
The SSL VPN allows users to remotely access restricted networks, using a secure and authenticated pathway by encrypting the network traffic.
There are two options to set up access in SSL:
There are links to articles on AnyConnect within this document. For an overview of AnyConnect, click here.
Easy VPN (EZVPN), TheGreenBow, and Shrew Soft are Internet Protocol Security (IPsec) VPNs. IPsec VPNs provide secure tunnels between two peers or from a client to a site. Packets that are considered sensitive should be sent through these secure tunnels. The parameters used to protect such packets (hash algorithm, encryption algorithm, key lifetime, and mode) are defined by specifying the characteristics of these tunnels. When the IPsec peer sees a packet that matches this policy, it sets up the appropriate secure tunnel and sends the packet through it to the remote peer.
When IPsec is implemented in a firewall or a router, it provides strong security that can be applied to all traffic crossing the perimeter. Traffic within a company or workgroup does not incur the overhead of security-related processing.
For the two ends of a VPN tunnel to be established and encrypted successfully, both must agree on the methods of encryption, decryption, and authentication. The IPsec profile is the central configuration in IPsec: it defines the algorithms (encryption, authentication, and Diffie-Hellman (DH) group) for Phase 1 and Phase 2 negotiation in auto mode, as well as the keys used in manual keying mode.
Important components of IPsec include Internet Key Exchange (IKE) Phase 1 and Phase 2.
The basic purpose of IKE phase one is to authenticate the IPSec peers and to set up a secure channel between the peers to enable IKE exchanges. IKE phase one performs the following functions:
The purpose of IKE phase two is to negotiate IPSec SAs to set up the IPSec tunnel. IKE phase two performs the following functions:
If Perfect Forward Secrecy (PFS) is specified in the IPsec policy, a new DH exchange is performed with each Quick Mode (Phase 2) negotiation, so the keys of each IPsec SA are derived from fresh ephemeral secrets rather than only from the Phase 1 key material. An attacker who later recovers the Phase 1 keys or the long-term authentication secret therefore cannot recompute earlier IPsec keys from captured traffic, which is what makes PFS more resistant to cryptographic attacks. The cost is that each DH exchange requires large modular exponentiations, increasing CPU use and reducing performance.
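To make the PFS trade-off concrete, here is an added example in Python (not code from this article or from Cisco) that models the IKEv1 key derivation of RFC 2409: Phase 1 produces SKEYID_d from a pre-shared key and a DH exchange, and Quick Mode derives the IPsec KEYMAT from it, with or without a fresh DH exchange. The DH group is a toy 127-bit prime so the script runs instantly (real IKE uses the RFC 3526 MODP groups), and the PSK, cookies, nonces and SPI are constructed test values. The "observer" models a passive eavesdropper who later obtains SKEYID_d, for example from a compromised gateway.

```python
"""IKEv1 keying with and without Perfect Forward Secrecy (illustrative model)."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: a 127-bit Mersenne prime with generator 2.
# NOT a real IKE group; production IKE uses RFC 3526 MODP groups (DH group 14+).
P = (1 << 127) - 1
G = 2
PROTO_IPSEC_ESP = b"\x03"  # ISAKMP protocol identifier for ESP


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf is an HMAC over the negotiated hash; HMAC-SHA256 here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair() -> tuple:
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(their_public: int, my_private: int) -> bytes:
    """g^xy mod p as a fixed-width byte string (16 bytes for the toy group)."""
    return pow(their_public, my_private, P).to_bytes(16, "big")


def phase1_skeyid_d(psk, ni, nr, gxy, cky_i, cky_r) -> bytes:
    """RFC 2409 section 5.4, pre-shared key authentication:
    SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)"""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def quick_mode_keymat(skeyid_d, protocol, spi, ni, nr, gxy_qm=None) -> bytes:
    """RFC 2409 section 5.5, Phase 2 keying material:
    without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    with PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)"""
    data = protocol + spi + ni + nr
    if gxy_qm is not None:
        data = gxy_qm + data
    return prf(skeyid_d, data)


def simulate(pfs: bool) -> dict:
    """Run Phase 1 and one Quick Mode; return the KEYMAT each peer derives and
    what an observer holding SKEYID_d plus the on-the-wire values can recompute."""
    psk = b"correct horse battery staple"           # constructed pre-shared key
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # ISAKMP cookies
    ni1, nr1 = secrets.token_bytes(16), secrets.token_bytes(16)     # Phase 1 nonces
    xi, gi = dh_keypair()                             # initiator's Phase 1 DH
    xr, gr = dh_keypair()                             # responder's Phase 1 DH
    skeyid_d_i = phase1_skeyid_d(psk, ni1, nr1, dh_shared(gr, xi), cky_i, cky_r)
    skeyid_d_r = phase1_skeyid_d(psk, ni1, nr1, dh_shared(gi, xr), cky_i, cky_r)
    assert skeyid_d_i == skeyid_d_r                   # both peers share SKEYID_d

    # Quick Mode: everything below except the DH private exponents crosses the wire.
    wire = dict(protocol=PROTO_IPSEC_ESP, spi=secrets.token_bytes(4),
                ni=secrets.token_bytes(16), nr=secrets.token_bytes(16))
    if pfs:
        qxi, qgi = dh_keypair()                       # fresh ephemeral exponents
        qxr, qgr = dh_keypair()
        keymat_i = quick_mode_keymat(skeyid_d_i, gxy_qm=dh_shared(qgr, qxi), **wire)
        keymat_r = quick_mode_keymat(skeyid_d_r, gxy_qm=dh_shared(qgi, qxr), **wire)
    else:
        keymat_i = quick_mode_keymat(skeyid_d_i, **wire)
        keymat_r = quick_mode_keymat(skeyid_d_r, **wire)

    # Observer: captured the Quick Mode exchange and later obtained SKEYID_d,
    # but never the ephemeral private exponents, which are not transmitted.
    observer = quick_mode_keymat(skeyid_d_i, **wire)
    return {"pfs": pfs, "initiator": keymat_i, "responder": keymat_r, "observer": observer}


if __name__ == "__main__":
    for flag in (False, True):
        r = simulate(flag)
        print(f"PFS={flag}: peers agree={r['initiator'] == r['responder']}, "
              f"observer recovers key={r['observer'] == r['initiator']}")
```

Without PFS, the observer reproduces the IPsec key exactly from SKEYID_d and the values seen on the wire; with PFS the missing ephemeral exponents make that recomputation fail, at the price of one extra exponentiation pair per Quick Mode.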
PPTP is an older network protocol used to create VPN tunnels over public networks. PPTP servers are also known as Virtual Private Dialup Network (VPDN) servers. PPTP is sometimes chosen over other protocols because it is fast and works on many mobile devices. However, it is markedly less secure than the other VPN types on this page: its MS-CHAPv2 authentication has known practical attacks, and its MPPE encryption derives its keys from MS-CHAP, so with PAP authentication (the mode listed for the RV routers in the table below) the password crosses the network in the clear and the tunnel itself carries traffic unencrypted. Use it only where nothing else is possible. There are multiple methods to connect with PPTP type accounts. Click the links to learn more:
Generic Routing Encapsulation (GRE) is a tunneling protocol that provides a simple generic approach to transport packets of one protocol over another protocol by means of encapsulation.
GRE encapsulates a payload, that is, an inner packet that needs to be delivered to a destination network inside an outer IP packet. The GRE tunnel behaves as virtual point-to-point link that has two endpoints identified by the tunnel source and tunnel destination address.
The tunnel endpoints send payloads through GRE tunnels by routing encapsulated packets through intervening IP networks. Other IP routers along the way do not parse the payload (the inner packet); they only parse the outer IP packet as they forward it towards the GRE tunnel endpoint. Upon reaching the tunnel endpoint, the GRE encapsulation is removed, and the payload is forwarded to the packet's ultimate destination. Note that GRE by itself provides no confidentiality, integrity protection, or authentication: the inner packet is carried in the clear, and anyone on the path can read or alter it. To carry sensitive traffic, protect the GRE tunnel with IPsec.
Encapsulation of datagrams in a network is done for multiple reasons, such as when a source server wants to influence the route that a packet takes to reach the destination host. The source server is also known as the encapsulation server.
IP-in-IP encapsulation involves the insertion of an outer IP header over the existing IP header. The source and destination address in the outer IP header point to the end points of the IP-in-IP tunnel. The stack of IP headers is used to direct the packet over a predetermined path to the destination, provided the network administrator knows the loopback addresses of the routers transporting the packet.
This tunneling mechanism can be used for determining availability and latency for most network architectures. It is to be noted that the entire path from source to the destination does not have to be included in the headers, but a segment of the network can be chosen for directing the packets.
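The following is an added example in Python (not code from this article or from Cisco) that builds the packets described above in raw bytes: an inner IPv4 datagram is wrapped in an outer IPv4 header with either a GRE header (IP protocol 47) or nothing at all (IP-in-IP, protocol 4), and then unwrapped as the far tunnel endpoint would. The addresses, ports and the syslog-style message are constructed test data. The `visible_on_path` check makes the security point from the text explicit: an on-path router that only parses the outer header could still read the inner packet, because neither GRE nor IP-in-IP encrypts it.

```python
"""GRE (RFC 2784) and IP-in-IP encapsulation of an IPv4 packet, in plain bytes."""
import struct
from ipaddress import IPv4Address

PROTO_IPIP = 4
PROTO_UDP = 17
PROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones-complement header checksum (corruption check, not a security control)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_header(protocol_type: int = ETHERTYPE_IPV4) -> bytes:
    """Base GRE header: no checksum/key/sequence flags, version 0, then the payload type."""
    return struct.pack("!HH", 0, protocol_type)


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, mode: str = "gre") -> bytes:
    """Wrap `inner` in an outer IPv4 packet addressed between the tunnel endpoints."""
    if mode == "gre":
        payload = gre_header() + inner
        return ipv4_header(tunnel_src, tunnel_dst, PROTO_GRE, len(payload)) + payload
    if mode == "ipip":
        return ipv4_header(tunnel_src, tunnel_dst, PROTO_IPIP, len(inner)) + inner
    raise ValueError(f"unknown mode {mode!r}")


def decapsulate(outer: bytes) -> tuple:
    """Return (tunnel_src, tunnel_dst, inner_packet); reject malformed outer packets."""
    if len(outer) < 20 or outer[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (outer[0] & 0x0F) * 4
    if ipv4_checksum(outer[:ihl]) != 0:       # a valid header sums to zero
        raise ValueError("bad outer header checksum")
    proto = outer[9]
    src, dst = str(IPv4Address(outer[12:16])), str(IPv4Address(outer[16:20]))
    body = outer[ihl:]
    if proto == PROTO_GRE:
        flags_ver, ptype = struct.unpack("!HH", body[:4])
        if flags_ver & 0x0007:                 # version bits must be 0
            raise ValueError("unsupported GRE version")
        if flags_ver & 0xF000:                 # C/R/K/S flags add optional fields
            raise ValueError("optional GRE fields not handled")
        if ptype != ETHERTYPE_IPV4:
            raise ValueError("GRE payload is not IPv4")
        return src, dst, body[4:]
    if proto == PROTO_IPIP:
        return src, dst, body
    raise ValueError(f"not a GRE or IP-in-IP packet (protocol {proto})")


def is_valid_tunnel_packet(outer: bytes) -> bool:
    try:
        decapsulate(outer)
        return True
    except ValueError:
        return False


def visible_on_path(outer: bytes, needle: bytes) -> bool:
    """Could a router in the middle, which only parses the outer header, read `needle`?"""
    return needle in outer[20:]


def build_sample_inner() -> tuple:
    """Constructed inner packet: a syslog-like UDP datagram from a branch host
    to a collector at head office. Returns (packet, cleartext message)."""
    msg = b"<34>Oct 11 22:14:15 branch-fw su: 'su root' failed for alice"
    udp = struct.pack("!HHHH", 40514, 514, 8 + len(msg), 0) + msg   # UDP checksum 0 = omitted
    return ipv4_header("10.10.1.25", "10.20.0.5", PROTO_UDP, len(udp)) + udp, msg


if __name__ == "__main__":
    inner, msg = build_sample_inner()
    for mode in ("gre", "ipip"):
        outer = encapsulate(inner, "203.0.113.1", "198.51.100.2", mode)
        print(mode, "outer proto", outer[9], "len", len(outer),
              "message readable in transit:", visible_on_path(outer, msg))
        assert decapsulate(outer)[2] == inner
```

The checksum test in `decapsulate` only catches corruption; an attacker on the path can rewrite the inner packet and recompute the outer checksum, which is why the text pairs GRE with IPsec for anything sensitive.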
L2TP does not provide encryption mechanisms for the traffic it tunnels. Instead it relies on other security protocols, such as IPSec, to encrypt the data.
A L2TP tunnel is established between the L2TP Access Concentrator (LAC) and the L2TP Network Server (LNS). An IPSec tunnel is also established between these devices and all L2TP tunnel traffic is encrypted using IPSec.
Some key terms with L2TP:
If you would like more information on L2TP click on the following links:
| | RV34X | RV32X | RV160X/RV260X |
|---|---|---|---|
| IPSec (IKEv1) | | | |
| ShrewSoft | Yes | Yes | Yes |
| Greenbow | Yes | Yes | Yes |
| Mac built-in client | Yes | Yes | No |
| iPhone/iPad | Yes | Yes | No |
| Android | Yes | Yes | Yes |
| L2TP/IPSec | Yes (PAP) | No | No |
| PPTP | Yes (PAP) | Yes* | Yes (PAP) |
| Other | | | |
| AnyConnect | Yes | No | No |
| OpenVPN | No | Yes | Yes |
| IKEv2 | | | |
| Windows | Yes* | No | Yes* |
| Mac | Yes | No | Yes |
| iPhone | Yes | No | Yes |
| Android | Yes | No | Yes |

| VPN Technology | Devices Supported | Clients Supported* | Details & Caveats |
|---|---|---|---|
| IPSec (IKEv1) | RV34X, RV32X, RV160X/RV260X | Native: Mac, iPhone, iPad, Android. Other: EasyVPN (Cisco VPN Client), ShrewSoft, Greenbow | Easiest to set up, troubleshoot and support. It is available on all routers, is simple to set up (for the most part), has the best logging for troubleshooting, and covers the most devices. This is why we typically recommend ShrewSoft (free and works) and Greenbow (not free, but works). For Windows, ShrewSoft and Greenbow are the options, since Windows does not have a pure IPSec native VPN client. ShrewSoft and Greenbow setup is a little more involved, but not difficult; once set up the first time, client profiles can be exported and then imported on other clients. The RV160X/RV260X routers have no Easy VPN option, so the 3rd Party Client option must be used, which does not work with Mac, iPhone, or iPad; ShrewSoft, Greenbow, and Android clients can still connect. For Mac, iPhone, and iPad clients, I recommend IKEv2 (see below). |
| AnyConnect | RV34X | Windows, Mac, iPhone, iPad, Android | Some customers request a full Cisco solution, and this is it. It is simple to set up and has logging, but the logs can be challenging to understand. Client licensing is required, which incurs cost. It is a full Cisco solution and is kept updated. Troubleshooting is not as easy as with IPSec, but better than with the other VPN options. |
| L2TP/IPSec | RV34X | Native: Windows | This is what I recommend for customers that need to use the built-in VPN client in Windows. Two caveats with this are: |
| IPSec (IKEv2) | RV34X, RV160X/RV260X | Native: Windows, Mac, iPhone, iPad, Android | The Windows native IKEv2 client requires certificate authentication, which requires a PKI: the router and all clients need certificates from the same CA (or another CA they all trust). For those who want IKEv2, we set it up for their Mac, iPhone, iPad, and Android devices and usually set up IKEv1 for their Windows machines (ShrewSoft, Greenbow, or L2TP/IPSec). |
| OpenVPN | RV32X, RV160X/RV260X | OpenVPN is the client | Harder to set up, difficult to troubleshoot and support. Supported on RV160X/RV260X and RV320. Setup is more complex than IPSec or AnyConnect, especially with certificates, which most deployments use. Troubleshooting is harder because the router provides no useful logs and you rely on the client logs. OpenVPN client version updates have also, without warning, changed which certificates they accept. We also found this does not work on Chromebooks and had to go to an IPSec solution. |
* We test as many combinations as we can, if there's a specific hardware/software combination please reach out here. Otherwise, see the related configuration guide by device for most recent version tested.
Have you ever visited a website and been given a warning that it isn't secure? It doesn't fill you with confidence that your private information is safe, and it isn't! If a site's connection is secure you will see a closed lock icon before the name of the site. The lock means the connection is encrypted and the site presented a certificate that chains to a Certificate Authority your browser trusts, so you are talking to the site named in the address bar and not an impostor; it does not mean the site itself is harmless. You want to see that lock closed, and the same idea applies to your VPN: the endpoint should prove its identity before you send it anything.
When you set up a VPN with certificate authentication, the router (or VPN server) needs a certificate issued by a Certificate Authority (CA) that the clients trust. Certificates can be purchased from third-party CAs, or issued by a private CA you run yourself, and are used for authentication: a certificate binds a name (your router's host name) to a public key, and the CA's signature lets clients verify that they have reached your router rather than someone impersonating it. Essentially, the CA is a trusted source that verifies that you control the name (and, for higher-assurance certificates, that you are a legitimate business). For a VPN you only need a lower-level (domain-validated) certificate at minimal cost. The CA checks your information and, once it verifies it, issues the certificate to you. This certificate can be downloaded as a file on your computer. You can then go into your router (or VPN server) and upload it there.
A CA uses Public Key Infrastructure (PKI) when issuing digital certificates, which relies on public-key cryptography: the CA signs each certificate with its private key, and anyone holding the CA's public key can verify that signature. CAs are responsible for managing certificate requests and issuing digital certificates. A few third-party CAs include IdenTrust, Comodo, GoDaddy, GlobalSign, GeoTrust, and Verisign.
It is important that all gateways in a VPN agree on the same IKE and IPsec proposals (encryption and hash algorithms, DH group, and key lifetimes) and trust the same CA; otherwise Phase 1 or Phase 2 negotiation fails and they won't be able to communicate. To keep things simple, it is recommended that all Certificates are obtained from the same trusted third party. This keeps multiple Certificates easier to manage, as they have to be manually renewed before they expire.
Note: Clients usually don't need a Certificate to use a VPN; the certificate is there for the router to prove its identity. Exceptions are OpenVPN, which requires a client Certificate, and the Windows native IKEv2 client, which requires certificate authentication (see the table above).
Some small businesses choose to use a password or a pre-shared key (PSK) in place of a Certificate for simplicity. This can be set up at no cost but is less secure: the PSK is a shared secret that every client holds, and its strength is only as good as its length and randomness. Use a long, randomly generated key rather than a word or phrase, rotate it when a client device is lost or a user leaves, and prefer IKE main mode over aggressive mode, which exposes a PSK-derived hash to offline guessing.
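As an added example (not code from this article or from Cisco), here is a Python script that drives the openssl command line, which is how most people produce the certificates the IKEv2 and OpenVPN rows of the table above require. It builds a private CA, a router certificate whose subject alternative name matches the name clients will dial, a client certificate, and a look-alike router certificate signed by a different CA, then checks which of them chain to the lab CA. The CA name, host names and file names (Example Lab VPN CA, vpn.example.lab, alice-laptop) are constructed lab values, and openssl must be on the PATH.

```python
"""Build a small private PKI with openssl and check who signed what."""
import subprocess
import tempfile
from pathlib import Path
from typing import Optional, Tuple


def _openssl(*args: str) -> subprocess.CompletedProcess:
    """Run one openssl command with output captured; the caller inspects the result."""
    return subprocess.run(["openssl", *args], capture_output=True, text=True)


def _self_signed_ca(workdir: Path, name: str, cn: str) -> Tuple[Path, Path]:
    """Create a private CA: a key plus a self-signed certificate (the trust anchor)."""
    key, crt = workdir / f"{name}.key", workdir / f"{name}.crt"
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "3650",
             "-subj", f"/CN={cn}", "-keyout", str(key), "-out", str(crt)).check_returncode()
    return key, crt


def _issue(workdir: Path, name: str, cn: str, ca_key: Path, ca_crt: Path,
           eku: str, san: Optional[str] = None) -> Path:
    """Generate a key and CSR for one identity and have the CA sign it."""
    key, csr, crt, ext = (workdir / f"{name}.{suffix}" for suffix in ("key", "csr", "crt", "ext"))
    _openssl("req", "-newkey", "rsa:2048", "-nodes", "-sha256", "-subj", f"/CN={cn}",
             "-keyout", str(key), "-out", str(csr)).check_returncode()
    # Leaf extensions: the EKU says what the cert may be used for; the SAN is the
    # name clients compare against the address they connect to.
    lines = ["basicConstraints=CA:FALSE", f"extendedKeyUsage={eku}"]
    if san:
        lines.append(f"subjectAltName=DNS:{san}")
    ext.write_text("\n".join(lines) + "\n")
    _openssl("x509", "-req", "-in", str(csr), "-CA", str(ca_crt), "-CAkey", str(ca_key),
             "-CAcreateserial", "-days", "825", "-sha256", "-extfile", str(ext),
             "-out", str(crt)).check_returncode()
    return crt


def build_lab_pki(workdir: str) -> dict:
    """One lab CA, a router cert, a client cert, and a look-alike from another CA."""
    d = Path(workdir)
    ca_key, ca_crt = _self_signed_ca(d, "ca", "Example Lab VPN CA")
    other_key, other_crt = _self_signed_ca(d, "other-ca", "Some Other CA")
    return {
        "ca": ca_crt,
        "router": _issue(d, "router", "vpn.example.lab", ca_key, ca_crt,
                         "serverAuth", san="vpn.example.lab"),
        "client": _issue(d, "alice-laptop", "alice-laptop", ca_key, ca_crt, "clientAuth"),
        # Same name, wrong issuer: what an impostor could present.
        "rogue": _issue(d, "rogue", "vpn.example.lab", other_key, other_crt,
                        "serverAuth", san="vpn.example.lab"),
    }


def chains_to(ca_crt: Path, cert: Path, hostname: Optional[str] = None) -> bool:
    """True if `cert` was issued under `ca_crt` and, if given, is valid for `hostname`."""
    args = ["verify", "-CAfile", str(ca_crt)]
    if hostname:
        args += ["-verify_hostname", hostname]
    return _openssl(*args, str(cert)).returncode == 0


def lab_results() -> dict:
    """Build the PKI in a scratch directory and run the four checks."""
    with tempfile.TemporaryDirectory() as tmp:
        pki = build_lab_pki(tmp)
        return {
            "router_ok": chains_to(pki["ca"], pki["router"], "vpn.example.lab"),
            "router_wrong_host_ok": chains_to(pki["ca"], pki["router"], "intranet.example.lab"),
            "client_ok": chains_to(pki["ca"], pki["client"]),
            "rogue_ok": chains_to(pki["ca"], pki["rogue"], "vpn.example.lab"),
        }


if __name__ == "__main__":
    for check, ok in lab_results().items():
        print(f"{check}: {ok}")
```

Only `router_ok` and `client_ok` come back true: the rogue certificate carries the right name but the wrong signature, and the router certificate is rejected for a name it was not issued for. The serverAuth EKU and a SAN matching the dialled name are what the Windows native IKEv2 client checks on the router certificate, and `ca.crt` is the file you import on both the router and every client.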
More information on Certificates can be found in the links below:
For the local and remote router, it is important to make sure the pre-shared key (PSK)/password/Certificate used for the VPN connection and the security settings all match. If one or more routers sit behind Network Address Translation (NAT), which most Cisco RV series routers perform, you will need firewall exemptions for the VPN traffic on the local and remote router: for IPsec, UDP port 500 (IKE), UDP port 4500 (NAT traversal) and IP protocol 50 (ESP). When NAT is in the path, the peers detect it during IKE and carry ESP inside UDP port 4500 (NAT-T), so that port is the one that must be open end to end.
Check out these site-to-site articles for more information:
Before a VPN can be set up on the client side, an administrator needs to configure it on the router.
Click to view these router configuration articles:
In a Client-to-Site VPN connection, clients from the Internet can connect to the server to access the corporate network or LAN behind the server but still maintain the security of the network and its resources. This feature is very useful since it creates a new VPN tunnel that would allow teleworkers and business travelers to access your network by using a VPN client software without compromising privacy and security. The following articles are specific to the RV34x series routers:
User groups are created on the router for a collection of users that share the same set of services. These user groups include options for the group, like a list of permissions on how they can access the VPN. Depending on the device, PPTP, site-to-site IPSec VPN, and client-to-site IPSec VPN can be allowed. For example, the RV260 has options that include OpenVPN but L2TP is not supported. The RV340 series is equipped with AnyConnect for an SSL VPN, as well as Captive Portal or EZ VPN.
These settings enable administrators to control and filter so that only authorized users can access the network. Shrew Soft and TheGreenBow are two of the most common VPN Clients available for download. They need to be configured based on the VPN settings of the router for them to be able to successfully establish a VPN tunnel. The following article specifically addresses the creation of a user group:
User Accounts are created on the router in order to allow authentication of local users using the local database for various services like PPTP, VPN Client, web Graphical User Interface (GUI) login, and Secure Sockets Layer Virtual Private Network (SSLVPN). This enables the administrators to control and filter authorized users only to access the network. The following article specifically addresses the creation of a user account:
As described above, in a Client-to-Site VPN connection clients on the Internet connect to the router to reach the corporate network or LAN behind it while the network and its resources stay protected. This is the scenario for teleworkers and business travelers using VPN client software; the VPN is set up to encrypt and decrypt data as it is sent and received.
The AnyConnect application works with SSL VPN and is used with the RV34x routers specifically. It is not available with other RV series of routers. Starting with version 1.0.3.15, a router license is no longer necessary, but licenses need to be purchased for the client side of the VPN. For more information on Cisco AnyConnect Secure Mobility Client, click here. For directions on installation, select from the following articles:
There are some third-party applications that can be utilized for client-to-site VPN with all RV series routers. As stated previously, Cisco doesn’t support these applications; this information is being provided for guidance purposes.
TheGreenBow VPN Client is a third-party VPN client application that makes it possible for a host device to configure a secure connection for client-to-site IPsec tunnel or SSL. This is a paid application that includes support.
OpenVPN is a free, open-source application that can be set up and used for an SSL VPN. It uses a client-server connection to provide secure communications between a server and a remote client location over the internet.
Shrew Soft is a free, open-source application that can be set up and used for an IPsec VPN as well. It uses a client-server connection to provide secure communications between a server and a remote client location over the internet.
Easy VPN was commonly used on RV32x routers. Here is some information for reference:
The latest Cisco RV series routers come with a VPN Setup Wizard that guides you through the steps for setup. The VPN Setup Wizard lets you configure basic LAN-to-LAN and remote access VPN connections and assign either pre-shared keys or digital certificates for authentication. Check out these articles for more information:
This article has led you to a better understanding of VPNs along with tips to get you on your way. Now you should be ready to configure your own! Take some time to view the links and decide the best way to set up a VPN on your Cisco RV series router.