Understanding the VPN Client

The Cisco VPN Client for Mac OS X is a software application that runs on any Macintosh computer using operating system Version 10.1.5 or later. The VPN Client on a remote PC, communicating with a Cisco VPN device on an enterprise network or with a service provider, creates a secure connection over the Internet. This connection allows you to access a private network as if you were an on-site user, creating a Virtual Private Network (VPN).

With the graphical user interface for the VPN Client for Mac OS X, you can establish a VPN connection to a private network; manage connection entries; certificates; events logging; and view tunnel routing data.

You can also manage the VPN Client for Mac OS X using the command-line interface (CLI). If you are running Darwin, or if you prefer to manage the VPN Client from the CLI, refer to the Cisco VPN Client Administration Guide.

Connection Technologies

The VPN Client lets you use any of the following technologies to connect to the Internet:

VPN Client Overview

The VPN Client works with a Cisco VPN device to create a secure connection, called a tunnel, between your computer and a private network. It uses Internet Key Exchange (IKE) and Internet Protocol Security (IPSec) tunneling protocols to establish and manage the secure connection.

For example, to use a remote PC to read e-mail at your organization, the connection process might be similar to the following:

Step 3 Establish a secure connection through the Internet to your organization's private network.

VPN Client Features

Program Features

Table 1-2 Program Features

Program Feature

Description

Servers Supported

Cisco IOS devices that support Easy VPN server functionality
VPN 3000 Series Concentrators
Cisco PIX Firewall Series, Version 6.2 or later

Interfaces supported

Graphical user interface
Command line interface

Online Help

Complete browser-based context-sensitive Help

Note The online help requires MS Internet Explorer.

Local LAN access

The ability to access resources on a local LAN while connected through a secure gateway to a central-site VPN server (if the central site grants permission).

Automatic VPN Client configuration option

The ability to import a configuration file.

Event logging

The VPN Client log collects events for viewing and analysis.

NAT Transparency (NAT-T)

Enables the VPN Client and the VPN device to automatically detect when to use IPSec over UDP to work properly in Port Address Translation (PAT) environments.

Update of centrally controlled backup server list

The VPN Client learns the backup VPN server list when the connection is established. This feature is configured on the VPN device and pushed to the VPN Client. The backup servers for each connection entry are listed on the Backup Servers tab.

Set MTU size

The VPN Client automatically sets a size that is optimal for your environment. However, you can also set the MTU size manually. For information on adjusting the MTU size, see the VPN Client Administrator Guide.

Support for Dynamic DNS (DDNS hostname population)

The VPN Client sends its hostname to the VPN device when the connection is established. If this occurs, the VPN device can send the hostname in a DHCP request. This causes the DNS server to update its database to include the new hostname and VPN Client address.

Notifications

Software update notifications from the VPN server upon connection.

Launching from notification

Ability to launch a location site containing upgrade software from a VPN server notification.

Alerts (Delete with reason)

The VPN Client provides you with a reason code or reason text when a disconnect occurs. The VPN Client supports the delete with reason function for client-initiated disconnects, concentrator-initiated disconnects, and IPSec deletes.

If you are using a GUI VPN Client, a pop-up message appears stating the reason for the disconnect, the message is appended to the Notifications log, and is logged in the IPSec log (Log Viewer window).
If you are using a command-line client, the message appears on your terminal and is logged in the IPSec log.
For IPSec deletes, which do not tear down the connection, an event message appears in the IPSec log file, but no message pops up or appears on the terminal.

Note The VPN concentrator you are connected to must be running software version 4.0 or later.

Single-SA

The ability to support a single security association (SA) per VPN connection. Rather than creating a host-to-network SA pair for each split-tunneling network, this feature provides a host-to-ALL approach, creating one tunnel for all appropriate network traffic apart from whether split-tunneling is in use.

Authentication Features

Table 1-3 Authentication Features

Authentication Feature	Description
User authentication through VPN central-site device	Internal through the VPN device's database RADIUS (Remote Authentication Dial-In User Service) NT Domain (Windows NT) RSA (formerly SDI) SecurID or SoftID
Certificate Management	Allows you to manage the certificates in the certificate stores.
Certificate Authorities (CAs)	CAs that support PKI SCEP enrollment.
Peer Certificate Distinguished Name Verification	Prevents a VPN Client from connecting to an invalid gateway by using a stolen but valid certificate and a hijacked IP address. If the attempt to verify the domain name of the peer certificate fails, the VPN Client connection also fails.

IPSec Features

Table 1-4 IPSec Features

IPSec Feature	Description
Tunnel Protocol	IPSec
Transparent tunneling	IPSec over UDP for NAT and PAT IPSec over TCP for NAT and PAT
Key Management protocol	Internet Key Exchange (IKE)
IKE Keepalives	A tool for monitoring the continued presence of a peer and report the VPN Client's continued presence to the peer. This lets the VPN Client notify you when the peer is no longer present. Another type of keepalives keeps NAT ports alive.
Split tunneling	The ability to simultaneously direct packets over the Internet in clear text and encrypted through an IPSec tunnel. The VPN device supplies a list of networks to the VPN Client for tunneled traffic. You enable split tunneling on the VPN Client and configure the network list on the VPN device.
Support for Split DNS	The ability to direct DNS packets in clear text over the Internet to domains served through an external DNS (serving your ISP) or through an IPSec tunnel to domains served by the corporate DNS. The VPN server supplies a list of domains to the VPN Client for tunneling packets to destinations in the private network. For example, a query for a packet destined for corporate.com would go through the tunnel to the DNS that serves the private network, while a query for a packet destined for myfavoritesearch.com would be handled by the ISP's DNS. This feature is configured on the VPN server (VPN concentrator) and enabled on the VPN Client by default. To use Split DNS, you must also have split tunneling configured.

VPN Client IPSec Attributes

Table 1-5 IPSec Attributes

IPSec Attribute

Description

Main Mode and Aggressive Mode

Ways to negotiate phase one of establishing ISAKMP Security Associations (SAs)

Authentication algorithms

HMAC (Hashed Message Authentication Coding) with MD5 (Message Digest 5) hash function
HMAC with SHA-1 (Secure Hash Algorithm) hash function

Authentication Modes

Preshared Keys
X.509 Digital Certificates

Diffie-Hellman Groups

1 (DES)
2 (DES and 3DES)
5

Note See the Cisco VPN Client Administrator Guide for more information about DH Group 5.

Encryption algorithms

56-bit DES (Data Encryption Standard)
168-bit Triple-DES
AES 128-bit and 256-bit

Extended Authentication (XAUTH)

The capability of authenticating a user within IKE. This authentication is in addition to the normal IKE phase 1 authentication, where the IPSec devices authenticate each other. The extended authentication exchange within IKE does not replace the existing IKE authentication.

Mode Configuration

Also known as ISAKMP Configuration Method

Tunnel Encapsulation Modes

IPSec over UDP (NAT/PAT)
IPSec over TCP (NAT/PAT)

IP compression (IPCOMP) using LZS

Data compression algorithm

Table of Contents