
Table Of Contents

Introduction to the VPN Client

VPN Client Overview

VPN Client Features

Main Features

Program Features

IPSec Features

Authentication Features


Introduction to the VPN Client


The Cisco VPN Client is a software application that runs on computers using any of the following operating systems:

Linux for Intel—RedHat Version 6.2 or later, or compatible libraries with glibc Version 2.1.1-6 or later, using kernel Versions 2.2.12 or later.

Solaris UltraSPARC—32-bit or 64-bit Solaris kernel OS Version 2.6 or later.

The VPN client on a remote PC, communicating with a Cisco VPN device on an enterprise network or with a service provider, creates a secure connection over the Internet. This connection allows you to access a private network as if you were an on-site user, creating a virtual private network (VPN).

The following VPN devices can terminate VPN connections from VPN clients:

Cisco IOS devices that support Easy VPN server functionality

VPN 3000 Series Concentrators

Cisco PIX Firewall Series

Use the VPN client command-line interface to establish a VPN connection to a private network and to manage connection entries, certificates, and event logging.

This chapter contains the following sections:

VPN Client Overview

VPN Client Features

VPN Client Overview

The VPN client works with a Cisco VPN device to create a secure connection, called a tunnel, between your computer and a private network. It uses Internet Key Exchange (IKE) and IP Security (IPSec) tunneling protocols to establish and manage the secure connection.

The steps used to establish a VPN connection can include:

Negotiating tunnel parameters (addresses, algorithms, lifetime)

Establishing VPN tunnels according to the parameters

Authenticating users (from usernames, group names and passwords, and X.509 digital certificates)

Establishing user access rights (hours of access, connection time, allowed destinations, allowed protocols)

Managing security keys for encryption and decryption

Authenticating, encrypting, and decrypting data through the tunnel

For example, to use a remote PC to read e-mail at your organization, the connection process might be similar to the following:

1. Connect to the Internet.

2. Start the VPN client.

3. Establish a secure connection through the Internet to your organization's private network.

4. When you open your e-mail:

   The Cisco VPN device
   - Uses IPSec to encrypt the e-mail message
   - Transmits the message through the tunnel to your VPN client

   The VPN client
   - Decrypts the message so you can read it on your remote PC
   - Uses IPSec to process and return the message to the private network through the Cisco VPN device


VPN Client Features

The tables in the following sections describe the VPN client features.

Main Features

This section describes the main features of the VPN client, which are listed in Table 1-1.

Table 1-1 Main Features

Feature / Description

Operating Systems
    Linux (Intel)
    Solaris (UltraSPARC, 32-bit and 64-bit)

Connection types
    Async serial PPP
    Internet-attached Ethernet
    Note: The VPN client supports only one PPP adapter and one Ethernet adapter.

Protocol
    IP

Tunnel protocol
    IPSec

User Authentication
    RADIUS
    RSA SecurID
    VPN server internal user list
    PKI digital certificates
    NT Domain (Windows NT)


Program Features

The VPN client supports the program features listed in Table 1-2.

Table 1-2 Program Features

Program Feature / Description

Servers Supported
    Cisco IOS devices that support Easy VPN server functionality
    VPN 3000 Series Concentrators
    Cisco PIX Firewall Series

Local LAN access
    The ability to access resources on a local LAN while connected through a secure gateway to a central-site VPN server (if the central site grants permission).

Automatic VPN client configuration option
    The ability to import a configuration file.

Event logging
    The VPN client log collects events for viewing and analysis.

NAT Transparency (NAT-T)
    Enables the VPN client and the VPN device to detect automatically when IPSec over UDP is needed to work properly in port address translation (PAT) environments.

Update of centrally controlled backup server list
    The VPN client learns the backup VPN server list when the connection is established. This feature is configured on the VPN device and pushed to the VPN client. The backup servers for each connection entry are listed on the Backup Servers tab.

Set MTU size
    The VPN client automatically sets an MTU size that is optimal for your environment. You can also set the MTU size manually; for information on adjusting it, see the Cisco VPN Client Administrator Guide.

Support for Dynamic DNS (DDNS host name population)
    The VPN client sends its host name to the VPN device when the connection is established. The VPN device can then include the host name in a DHCP request, which causes the DNS server to update its database with the new host name and VPN client address.


IPSec Features

The VPN client supports the IPSec features listed in Table 1-3.

Table 1-3 IPSec Features

IPSec Feature / Description

Tunnel Protocol
    IPSec

Transparent tunneling
    IPSec over UDP for NAT and PAT
    IPSec over TCP for NAT and PAT

Key Management protocol
    Internet Key Exchange (IKE)

IKE Keepalives
    A mechanism for monitoring the continued presence of a peer and reporting the VPN client's continued presence to the peer, so that the VPN client can notify you when the peer is no longer present. A second type of keepalive keeps NAT port mappings alive.

Split tunneling
    The ability to direct some packets over the Internet in clear text and others, encrypted, through an IPSec tunnel at the same time. The VPN device supplies the VPN client with a list of networks whose traffic is tunneled. You enable split tunneling on the VPN client and configure the network list on the VPN device.

Support for Split DNS
    The ability to direct DNS queries either in clear text over the Internet to an external DNS server (your ISP's) or through the IPSec tunnel to the corporate DNS server, depending on the domain queried. The VPN server supplies the VPN client with a list of domains whose queries are tunneled to the private network. For example, a query for corporate.com goes through the tunnel to the DNS server that serves the private network, while a query for myfavoritesearch.com is handled by the ISP's DNS server. This feature is configured on the VPN server (VPN concentrator) and is enabled on the VPN client by default. To use Split DNS, you must also have split tunneling configured.
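As an added illustration of the split-tunneling and split-DNS decisions described above (example code written for this page, not Cisco's documentation or the VPN client's own code), the following Python applies a constructed network list and domain list the way the policy pushed by the VPN device would be applied. The label-aware domain suffix match and the rule that a full tunnel carries all DNS queries are assumptions drawn from the feature descriptions.

```python
import ipaddress

# Constructed sample policy, shaped like what the VPN device pushes to the client:
# a network list for split tunneling and a domain list for split DNS.
# Example values only, not a real Cisco configuration.
TUNNELED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.100.0/24"),
]
CORPORATE_DOMAINS = ["corporate.com"]


def route_for_destination(dst_ip, networks=TUNNELED_NETWORKS):
    """Split tunneling: 'tunnel' if the destination lies in a pushed network,
    otherwise 'clear' (sent over the Internet in clear text)."""
    addr = ipaddress.ip_address(dst_ip)
    return "tunnel" if any(addr in net for net in networks) else "clear"


def in_domain(qname, domain):
    """Label-aware suffix match (assumption: this is how the pushed domain list
    is applied). corporate.com and mail.corporate.com match; evilcorporate.com
    does not, although a plain endswith() check would wrongly accept it."""
    q = qname.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def resolver_for_query(qname, split_tunneling=True, domains=CORPORATE_DOMAINS):
    """Split DNS: 'corporate' if the query goes through the tunnel to the
    private DNS server, 'isp' if it goes in clear text to the ISP's resolver.
    Split DNS requires split tunneling; with a full tunnel all traffic, DNS
    included, is tunneled, so every query reaches the corporate DNS server."""
    if not split_tunneling:
        return "corporate"
    return "corporate" if any(in_domain(qname, d) for d in domains) else "isp"


if __name__ == "__main__":
    for host in ("10.1.2.3", "198.51.100.7"):
        print(host, "->", route_for_destination(host))
    for name in ("corporate.com", "mail.corporate.com",
                 "myfavoritesearch.com", "evilcorporate.com"):
        print(name, "->", resolver_for_query(name))
```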


IPSec Attributes

The VPN client supports the IPSec attributes listed in Table 1-4.

Table 1-4 IPSec Attributes

IPSec Attribute / Description

Main Mode and Aggressive Mode
    Ways to negotiate phase 1 of establishing ISAKMP Security Associations (SAs)

Authentication algorithms
    HMAC (Hashed Message Authentication Coding) with MD5 (Message Digest 5) hash function
    HMAC with SHA-1 (Secure Hash Algorithm) hash function

Authentication Modes
    Preshared Keys
    X.509 Digital Certificates

Diffie-Hellman Groups
    Group 1
    Group 2

Encryption algorithms
    56-bit DES (Data Encryption Standard)
    168-bit Triple-DES
    AES 128-bit and 256-bit

Extended Authentication (XAUTH)
    The capability of authenticating a user within IKE. This authentication is in addition to the normal IKE phase 1 authentication, in which the IPSec devices authenticate each other; the extended authentication exchange within IKE does not replace the existing IKE authentication.

Mode Configuration
    Also known as ISAKMP Configuration Method

Tunnel Encapsulation Modes
    IPSec over UDP (NAT/PAT)
    IPSec over TCP (NAT/PAT)

IP compression (IPCOMP) using LZS
    Data compression algorithm


Authentication Features

The VPN client supports the authentication features listed in Table 1-5.

Table 1-5 Authentication Features

Authentication Feature / Description

User authentication through VPN central-site device
    Internal, through the VPN device's database
    RADIUS
    NT Domain (Windows NT)
    RSA (formerly SDI) SecurID or SoftID

Certificate Management
    Allows you to manage the certificates in the certificate stores.

Certificate Authorities (CAs)
    CAs that support PKI SCEP enrollment.

Ability to authenticate using smart cards
    Physical SecurID cards or keychain fobs for passcode generation.

Peer Certificate Distinguished Name Verification
    Prevents a VPN client from connecting to a rogue gateway that presents a stolen but valid certificate from a hijacked IP address. If verification of the peer certificate's distinguished name fails, the VPN client connection also fails.




Posted: Mon Apr 18 08:43:54 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.