This chapter is from the book

Mode-Configuration (MODECFG)

In remote access scenarios, it is highly desirable to be able to push configuration information such as the private IP address, a DNS server's IP address, and so forth, to the client. IPSec Mode-configuration (MODECFG) provides this functionality. The Cisco IOS configuration for MODECFG is shown in Example 4-2.

Example 4-2. Cisco IOS MODECFG Configuration on the IPSec Gateway

hostname vpn-gw1-east
username ezvpn password 0 east
username ezvpn1@vpngroup password 0 ezvpn1east
username ezvpn2@vpngroup password 0 ezvpn2east
aaa new-model
aaa authentication login vpn local
aaa authorization network vpn local
aaa session-id common
ip subnet-zero
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10 10
crypto isakmp client configuration group vpngroup
 key ciscoezvpn
 pool vpnpool
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto dynamic-map dynamic 1
 set transform-set vpn
 reverse-route remote-peer
crypto map vpn client authentication list vpn
crypto map vpn isakmp authorization list vpn
crypto map vpn client configuration address respond
crypto map vpn 3 ipsec-isakmp dynamic dynamic

Some of the key attributes that can be pushed to a remote user using MODECFG follow:

  • INTERNAL_IP4_ADDRESS, INTERNAL_IP6_ADDRESS — Specifies an address within the internal network. The requested address is valid until the expiration of the ISAKMP SA that was used to secure the request. The address may also expire when the IPSec phase 2 SA expires, if the request is associated with a phase 2 negotiation.
  • INTERNAL_IP4_NETMASK, INTERNAL_IP6_NETMASK — The internal network's netmask.
  • INTERNAL_IP4_DNS, INTERNAL_IP6_DNS — Specifies the address of one or more DNS servers within the network. The responder may respond with zero, one, or more DNS server attributes.
  • INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS — Specifies the address of a NetBIOS Name Server (NBNS) within the network. Multiple NBNSs may be requested. The responder may respond with zero, one, or more NBNS attributes.
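The attributes above travel inside an ISAKMP attribute payload, so the concrete shape of a MODECFG request and reply is worth seeing. The following Python is an added illustration, not code from the book or from Cisco: it encodes and parses the ISAKMP data-attribute format (a 2-byte type whose high bit chooses Type/Value or Type/Length/Value form) and shows a client request (zero-length attributes) against the reply a gateway pushes back. The attribute type numbers are not on this page; they are the values assigned in the ISAKMP Mode-Config draft (draft-dukes-ike-mode-cfg), and the IPv4 ones are retained in IKEv2 (RFC 7296, section 3.15.1). All addresses are constructed sample values; a gateway configured as in Example 4-2 would draw the client address from `vpnpool`. The parser checks every declared length against the bytes that remain, which is the check a receiver needs so a truncated or malformed payload is rejected rather than misread.

```python
import ipaddress
import struct

# Mode-Config attribute type numbers. These are NOT on the page; they are the
# values assigned in the ISAKMP Mode-Config draft (draft-dukes-ike-mode-cfg),
# and the IPv4 ones are retained in IKEv2 (RFC 7296, section 3.15.1).
MODECFG_ATTRS = {
    1: "INTERNAL_IP4_ADDRESS",
    2: "INTERNAL_IP4_NETMASK",
    3: "INTERNAL_IP4_DNS",
    4: "INTERNAL_IP4_NBNS",
    5: "INTERNAL_ADDRESS_EXPIRY",
    8: "INTERNAL_IP6_ADDRESS",
    10: "INTERNAL_IP6_DNS",
    11: "INTERNAL_IP6_NBNS",
}
ATTR_BY_NAME = {name: num for num, name in MODECFG_ATTRS.items()}
ADDRESS_ATTRS = {n for n in ATTR_BY_NAME if n != "INTERNAL_ADDRESS_EXPIRY"}

# ISAKMP data attribute (RFC 2408, section 3.3): a 2-byte type whose high bit
# is the Attribute Format flag. AF=1 -> Type/Value (the next 2 bytes are the
# value); AF=0 -> Type/Length/Value (2-byte length, then the value).
AF_BIT = 0x8000


def encode_attribute(attr_type, value=b""):
    """Encode one attribute in TLV form. A zero-length value is how a client
    asks the gateway to supply that attribute."""
    if not 0 <= attr_type < AF_BIT:
        raise ValueError("attribute type must fit in 15 bits")
    return struct.pack("!HH", attr_type, len(value)) + value


def encode_address(name, addr):
    """Encode an address-carrying attribute from its text form (v4 or v6)."""
    return encode_attribute(ATTR_BY_NAME[name], ipaddress.ip_address(addr).packed)


def decode_value(name, value):
    """Interpret an attribute value according to which attribute carries it."""
    if len(value) == 0:
        return None  # requested by the client, not supplied
    if name in ADDRESS_ATTRS and len(value) in (4, 16):
        return str(ipaddress.ip_address(value))
    if name == "INTERNAL_ADDRESS_EXPIRY" and len(value) == 4:
        return struct.unpack("!I", value)[0]  # lifetime in seconds
    return value.hex()  # unexpected shape: keep the raw bytes visible


def parse_attributes(payload):
    """Walk a Mode-Config attribute list into (name, value) pairs.

    Every declared length is checked against the bytes that remain, so a
    truncated or malformed payload raises instead of being silently misread."""
    out = []
    off = 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError("truncated attribute header at offset %d" % off)
        raw_type, second = struct.unpack_from("!HH", payload, off)
        off += 4
        attr_type = raw_type & 0x7FFF
        name = MODECFG_ATTRS.get(attr_type, "UNKNOWN_%d" % attr_type)
        if raw_type & AF_BIT:
            out.append((name, second))  # TV form: the second field is the value
            continue
        length = second
        if len(payload) - off < length:
            raise ValueError("attribute %s declares %d bytes, only %d remain"
                             % (name, length, len(payload) - off))
        out.append((name, decode_value(name, payload[off:off + length])))
        off += length
    return out


def client_request(names=("INTERNAL_IP4_ADDRESS", "INTERNAL_IP4_NETMASK",
                          "INTERNAL_IP4_DNS")):
    """What the remote client sends: empty attributes naming what it wants."""
    return b"".join(encode_attribute(ATTR_BY_NAME[n]) for n in names)


def gateway_reply(address, netmask, dns_servers=(), nbns_servers=()):
    """What the gateway pushes back. The address values passed in are
    constructed samples; a real gateway would take them from its pool."""
    parts = [encode_address("INTERNAL_IP4_ADDRESS", address),
             encode_address("INTERNAL_IP4_NETMASK", netmask)]
    parts += [encode_address("INTERNAL_IP4_DNS", d) for d in dns_servers]
    parts += [encode_address("INTERNAL_IP4_NBNS", n) for n in nbns_servers]
    return b"".join(parts)


if __name__ == "__main__":
    req = client_request()
    print("client request:", parse_attributes(req))
    rep = gateway_reply("10.1.1.10", "255.255.255.0", ["10.1.1.2", "10.1.1.3"])
    print("gateway reply :", parse_attributes(rep))
```

Running the block prints the request as three attributes with value `None` and the reply with the address, netmask and two DNS entries filled in; the reply carries two DNS attributes rather than one attribute with two addresses, which is how "zero, one, or more DNS server attributes" is meant in the list above.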

Like XAUTH, MODECFG is not a standard of the IPSec working group in the IETF. Although Cisco defined this protocol and most client implementations work with the Cisco implementation, given that this is not a standard, there are no guarantees of interoperability.
