
Table of Contents

Configuring Automatic VPN Initiation—Windows Only
Creating Automatic VPN Initiation in the vpnclient.ini File

Configuring Automatic VPN Initiation—Windows Only



Note   Before you begin, we highly recommend that you read "SAFE: Wireless LAN Security in Depth," which you can access at http://www.cisco.com/go/safe.
This document analyzes the best practices of implementing security for wireless LANs using VPNs. For a sample configuration demonstrating complete step-by-step instructions covering the group/user configuration on the VPN Concentrator, auto initiation configuration on the VPN Client, and wireless configuration in the Aironet, refer to the TAC technical note "Configuring Automatic VPN Initiation on a Cisco VPN Client in a Wireless LAN Environment."

Automatic VPN initiation (auto initiation) provides secure connections within an on-site wireless LAN (WLAN) environment through a VPN Concentrator. When auto initiation is configured on the VPN Client, the VPN Client:

Although auto initiation was designed for wireless environments, you can use it in any networking environment. It gives the VPN Client a generic way to initiate a connection automatically based on whether or not the VPN Client PC is on a specified network.

Figure 3-1 depicts a simple network configuration that employs VPN for securing on-site WLANs. The VPN 3000 Concentrators, which may or may not be using load balancing, provide the gateway between the untrusted and the trusted networks. The DHCP Server can be on either side of the VPN 3000 Concentrator. VPN Client users with laptops that have wireless NIC cards can connect through access points (APs) throughout the campus or building and tunnel to the trusted 30.30.30.x network from the untrusted 10.10.10.x network. The network administrator can set this type of scenario up to be largely transparent to the VPN Client user.


Note   You can set up auto initiation configurations that both include and exclude networks for auto initiation.


Figure 3-1   Auto Initiation Scenario


In Figure 3-1 the trusted (wired) network, numbered 30.30.30, is at the top of the diagram with a VPN Concentrator separating it from other networks considered untrusted. The untrusted networks contain wireless subnets, such as 20.20.A.x and 20.20.B.x. Every device on the untrusted network must use a VPN tunnel to access resources on the trusted network. Access to a DHCP server must be available to provide the devices on the untrusted network with initial IP connectivity to the VPN Concentrator. The figure shows the placement of the DHCP server as optional, since it can be placed either on the untrusted network or on the trusted network with DHCP Relay enabled in the VPN Concentrator.

To configure auto initiation for users on the network, you add parameters to the VPN Client's global profile (vpnclient.ini). For information on how to create or use a global profile, see "Creating a Global Profile."

Using the VPN Client GUI, users can only enable/disable auto initiation and change the retry interval. These features are available through the Options menu when auto initiation has been configured through the global profile. If auto initiation is not configured, these options do not appear in the Options menu. For a complete explanation of how auto initiation appears to the VPN Client user, see Cisco VPN Client User Guide for Windows, "Using Automatic VPN Initiation."

The auto initiation feature can be used in WLAN environments containing NIC cards and access points from any vendor.

Creating Automatic VPN Initiation in the vpnclient.ini File

This section shows how to create or edit the vpnclient.ini file to activate auto initiation on a VPN Client.

Preparation

Before you begin, you should gather the information you need to configure auto initiation:

What You Have to Do

To configure auto initiation, you must add the following keywords and values in the [Main] section of the vpnclient.ini global profile file:

When configuring exceptions with the Connect parameter, place the network ranges you are excluding before those that should auto initiate. The software processes the list in the order specified in the vpnclient.ini file; when it matches an entry in the list, it stops searching, and the Connect setting of that entry determines whether to auto initiate or do nothing. So if you put the Connect=1 entries first, the software never reaches the Connect=0 entries.

It is also important to order the entries in the list by the specificity of the network and subnet mask: list the more specific entries first. For example, an entry with a network/mask that matches 10.10.200.* should come before a network/mask that matches 10.10.*.*. If not, the software matches 10.10.*.* and never reaches 10.10.200.*.

Here is an example of an entry in an auto initiation list that excludes the network from auto initiating:

[Franklin]
Network=10.10.200.0
Mask=255.255.255.0
ConnectionEntry=robron
Connect=0


Example 3-1   Section of vpnclient.ini File for Auto Initiation

Suppose a sales manager travels among three locations (Chicago, Denver, and Laramie) within a corporation, attending sales meetings, and wants to securely and easily initiate a wireless connection at these locations. The vpnclient.ini contains the entries shown in this example. The connection entry named in each network section points to the individual's profile (.pcf) for that on-site wireless LAN network.

[Main]
AutoInitiationEnable=1
AutoInitiationRetryInterval=3
AutoInitiationList=ChicagoWLAN,DenverWLAN,LaramieWLAN
[ChicagoWLAN]
Network=110.110.110.0
Mask=255.255.255.0
ConnectionEntry=Chicago (points to a connection profile named chicago.pcf)
[DenverWLAN]
Network=220.220.220.0
Mask=255.255.255.0
ConnectionEntry=Denver (points to a connection profile named denver.pcf)
[LaramieWLAN]
Network=221.221.221.0
Mask=255.255.255.0
ConnectionEntry=Laramie (points to a connection profile named laramie.pcf)

Example 3-2   Section of vpnclient.ini File for Auto Initiation That Excludes and Includes Auto Initiation

In this example, the exception (more specific) network addresses appear first in the vpnclient.ini file, followed by the connection entries for auto initiation. The connection entries for auto initiation do not need to include the Connect parameter, which defaults to auto initiating.

[Main]
AutoInitiationEnable=1
AutoInitiationRetryInterval=3
AutoInitiationList=NetworkAExceptions,NetworkA,NetworkBExceptions,NetworkB
[NetworkAExceptions]
Network=192.168.0.0
Mask=255.255.255.0
ConnectionEntry=VPNprofileA1
Connect=0
[NetworkA]
Network=192.0.0.0
Mask=255.0.0.0
ConnectionEntry=VPNprofileA2
[NetworkBExceptions]
Network=161.200.100.0
Mask=255.255.255.0
ConnectionEntry=VPNprofileB1
Connect=0
[NetworkB]
Network=161.200.0.0
Mask=255.255.0.0
ConnectionEntry=VPNprofileB2
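The first-match rule described above, applied to the NetworkA half of Example 3-2, as an added example that is not part of this document or of the Cisco VPN Client software: it reads the AutoInitiationList in file order, reports which entry a client address hits and which profile (if any) would be dialed, and flags entries that an earlier, broader entry shadows so they can never be reached. The parsing uses Python's standard configparser and ipaddress modules and is an illustration of the documented semantics, not the client's own parser.

```python
import configparser
import ipaddress

# Constructed sample: the NetworkA half of Example 3-2, list order preserved.
SAMPLE_INI = """\
[Main]
AutoInitiationEnable=1
AutoInitiationRetryInterval=3
AutoInitiationList=NetworkAExceptions,NetworkA
[NetworkAExceptions]
Network=192.168.0.0
Mask=255.255.255.0
ConnectionEntry=VPNprofileA1
Connect=0
[NetworkA]
Network=192.0.0.0
Mask=255.0.0.0
ConnectionEntry=VPNprofileA2
"""

def load_auto_init_list(ini_text):
    # Returns the AutoInitiationList entries in file order; empty if disabled.
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep keyword case exactly as written in the file
    cp.read_string(ini_text)
    if cp["Main"].get("AutoInitiationEnable", "0") != "1":
        return []
    entries = []
    for name in cp["Main"]["AutoInitiationList"].split(","):
        sec = cp[name.strip()]
        entries.append({
            "name": name.strip(),
            "net": ipaddress.ip_network(f"{sec['Network']}/{sec['Mask']}", strict=False),
            "profile": sec["ConnectionEntry"],
            "connect": sec.get("Connect", "1") == "1",  # Connect defaults to 1
        })
    return entries

def decide(entries, client_ip):
    # First match wins: returns (entry name, profile to dial or None for Connect=0).
    ip = ipaddress.ip_address(client_ip)
    for e in entries:
        if ip in e["net"]:
            return e["name"], (e["profile"] if e["connect"] else None)
    return None, None

def shadowed_entries(entries):
    # Names of entries whose network lies entirely inside an earlier entry's network.
    return [e["name"] for i, e in enumerate(entries)
            if any(e["net"].subnet_of(prev["net"]) for prev in entries[:i])]
```

Reversing the two sections in the sample makes NetworkAExceptions unreachable, which shadowed_entries reports and decide confirms by dialing VPNprofileA2 for a 192.168.0.x address.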

Verifying Automatic VPN Initiation Configuration

To verify that you have configured auto initiation correctly, open the VPN Client GUI application and perform the following steps:


Step 1   Display the Options menu, and select Automatic VPN Initiation.

Step 2   On the Automatic VPN Initiation dialog, verify that Enable automatic VPN initiation is selected. If not, then click to select it.

Step 3   Click Apply to close the window.



Alternatively you can verify the auto initiation configuration from the command line by executing the following command:

vpnclient verify autoinitconfig

The output shows the configuration information for each setting plus a list of your network entries.



Posted: Mon Jun 30 14:05:25 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.