|
|
A connection entry is a set of parameters that the VPN client uses to identify and connect to a specific private network.
Connection entry parameters include:
This chapter describes how to configure the parameters for a VPN client connection entry.
To use the VPN client, you must create at least one connection entry, which identifies the following information:
You can create multiple connection entries if you use your VPN client to connect to multiple networks (though not simultaneously) or if you belong to more than one IPSec group.
Step 2 Click the Connection Entries tab.
Step 3 Click New at the top of the VPN client window. The Create New VPN Connection Entry dialog box appears (Figure 4-2).
Step 4 Enter a unique connection entry name. You can use any name to identify this connection. This name can contain spaces, and it is not case-sensitive.
Step 5 Enter a description of this connection. This field is optional, but it helps to further identify this connection. For example, Connection to Engineering remote server.
Step 6 Enter the Host name or IP address of the remote VPN device that is providing access to the private network.
Step 7 Use the Authentication tab to select an authentication method. You can connect as part of a group, which is configured on the VPN device, or by supplying an identity digital certificate. See the "Authentication Methods" section for more information.
Step 8 Use the Transport tab to set transport parameters. See the "Transport Parameters" section for more information.
Step 9 Use the Backup Servers tab to view the current list of backup servers or to manually add a backup server. See the "Backup Servers" section for more information.
Step 10 The Erase User Password button at the bottom of this dialog box erases the user password that is saved on the VPN client workstation, forcing the VPN client to prompt you for a password each time you establish a connection.
Step 11 Click Save. The Connection Entry dialog box closes and you return to the Connection Entries tab.
You can configure a connection entry to authenticate itself as part of a group, which is configured on the VPN device, or by supplying an identity digital certificate. The Authentication tab on the Connection Entry Settings dialog box must be forward to select an authentication method for a connection entry.
Use this procedure if you plan to use group authentication for this connection entry.
To configure group authentication:
Step 2 Enter the name of the IPSec group you belong to.
Step 3 Enter the password for your IPSec group. The field displays only asterisks.
Step 4 Confirm the password by entering it again.
Step 5 Click Save. The Connection Entry dialog box closes and you return to the Connection Entries tab.
Use this procedure if you plan to use digital certificates for authenticating for this connection entry.
You can obtain a digital certificate for use with the VPN client by enrolling with a Public Key Infrastructure (PKI) or by importing a certificate from a file.
To configure this connection entry for a digital certificate:
Step 2 Select a certificate from the Name drop-down menu.
If the Name field displays No Certificates Installed, you must first enroll or import a certificate before you can use this feature. See the "Enrolling Certificates" section or "Importing a Certificate" section for more information.
Step 3 To send CA certificate chains, check the Send CA Certificate Chain check box. This parameter is disabled by default.
A CA certificate chain includes all CA certificates in the certificate hierarchy from the root certificate. This must be installed on the VPN client to identify each certificate. This feature enables a peer VPN concentrator to trust the VPN client's identity certificate given the same root certificate, without having the same subordinate CA certificates actually installed.
The following is an example of a certificate chain:
Though the identity certificates are issued by different CA certificates, the VPN device can still trust the VPN client's identity certificate, because it has received the chain of certificates installed on the VPN client PC.
This feature provides flexibility because the intermediate CA certificates do not need to be installed on the peer.
Step 4 Click Save. The Connection Entry dialog box closes and you return to the Connection Entries tab.
This section describes transport parameters you can configure for a connection entry.
The transport parameters include:
To configure transport parameters:
Step 2 Select a connection entry.
Step 3 Click Modify at the top of the VPN client window to access the VPN client Properties dialog box.
Step 4 Click the Transport tab (Figure 4-5) to display the existing transport parameters configured for this connection entry.
Step 5 Select your transport settings. Refer to the following sections for more information on transport settings.
Step 6 Click Save. The VPN client Properties dialog box closes and you return to the Connection Entries tab.
Transparent tunneling allows secure transmission between the VPN client and a secure gateway through a router serving as a firewall. The router might also be configured for Network Address Translation (NAT) or Port Address Translations (PAT).
Transparent tunneling encapsulates Protocol 50 (ESP) traffic within UDP packets. It allows for both IKE (UDP 500) and Protocol 50 to be encapsulated in TCP packets before they are sent through the NAT or PAT devices or firewalls. The most common application for transparent tunneling is behind a home router performing PAT.
Not all devices support multiple simultaneous connections behind them. Some cannot map additional sessions to unique source ports. Check with your device's vendor to see if this limitation exists. Some vendors support Protocol 50 (ESP) PAT, which might let you operate without enabling transparent tunneling.
The Transparent Tunneling mode you select must match the mode used by the VPN device providing your connection to the private network.
The Allow Local LAN Access parameter gives you access to resources on your local LAN when you are connected through a secure gateway to a central-site VPN device.
If the local LAN you are using is not secure, you should not enable local LAN access. For example, do not enable this feature when you are using a local LAN in a hotel or airport.
To enable this feature, check the Allow Local LAN Access check box.
The VPN client uses dead peer detection (DPD) to check the availability of the VPN device on the other side of an IPSec tunnel. The VPN client continues to send DPD requests every 5 seconds, until it reaches the number of seconds specified by the peer response timeout value.
If the network is unusually busy or unreliable, you might need to increase the number of seconds to wait before the VPN client decides that the peer is no longer active.
To adjust the setting, enter the number of seconds in the Peer response timeout field. The configuration range for this parameter is 30 to 480 seconds. The default number of seconds the VPN client waits before terminating a connection is 90.
The private network you are connecting to might include one or more backup VPN devices (servers) to use if the primary server is not available. The list of available backup servers is pushed to the VPN client when the connection is established, or you can manually add a backup server to the list.
The list of existing backup servers is located on the Backup Servers tab for each connection entry. Your network administrator can provide information regarding backup servers.
To use backup servers, you must enable the backup servers parameter.
Step 2 Select a connection entry.
Step 3 Click Modify at the top of the VPN client window. The VPN Client Properties dialog box appears.
Step 4 Click the Backup Servers tab (Figure 4-6).
Step 5 Check the Enable Backup Servers check box. This parameter is not enabled by default. The list of available backup servers appears.
Backup servers are used in the order presented in the list. To change the order in which the backup servers are used, select a backup server and use the arrow buttons to move the server up or down in the list.
Step 6 Click Save. The VPN Client Properties dialog box closes and you return to the Connection Entries tab.
If there are no backup servers listed, or if you want to manually add a server to the list, use the following procedure.
Step 2 Enter the host name or IP address of the backup server to add.
Step 3 Click OK. The backup server is added to the list of available backup servers.
To remove a backup server, go to the Backup Server tab, select a server from the list, and click Remove.
Posted: Mon Dec 23 16:30:07 PST 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.
