The VPN Client

Cisco offers two types of VPN client: hardware and software. The hardware client is quite well suited to supporting a small branch office as well as individual users. The software client is especially useful for hosts (such as laptops) that might not always be connecting from a protected environment. We talk about each in turn.

The 3002 VPN Hardware Client

As with the concentrator, the 3002 VPN Hardware Client is primarily administered via a Web browser using HTTP or HTTPS. It not only offers the branch secured communications upstream, but it also can act as the local DHCP server (although a rather simple one, with only one scope and no exceptions).

The hardware client is specifically designed to interface with the Cisco 3000 series VPN concentrator, but it also works well with the PIX, IOS, and third-party IPSec devices. The 3002 acts as the initiator in all tunnels with the concentrator; its encryption, authentication, extended authentication, and mode-configuration capabilities line up with those of the concentrator. Therefore, when the hardware client initiates a tunnel, it offers its IKE proposals, and it is quite likely that the concentrator will either accept or offer counterproposals that the 3002 can accept.

In the VMS GUI, navigate through to Configuration > System > Tunneling Protocols > IPSec. Here you can designate the following:

  • The remote peers (a primary Remote Easy VPN Server and Backup Remote Easy VPN Servers)

  • IPSec over TCP, and the port (if desired)

  • A certificate (if desired)

  • The group name and password, and the username and password

The IKE proposals themselves are preconfigured on the 3002 Hardware Client.

The address of the public interface to which the VPN client connects (at the far end) is referred to in the 3002 documentation as the Easy VPN Server. This is actually a software package available for the IOS (1700, 7100, 7200), PIX, and 3000 series VPN concentrators. The Easy VPN Client is available for low-end routers, the PIX 501, and VPN clients. The Easy VPN Solution is not limited to the VPN-specific devices.


After an IPSec connection is created, users can access resources at the far end as though they were located in the LAN, that is, according to whatever permissions and authorizations have been set.

The VPN Software Client

The Cisco VPN Software Client is available for Windows (both 9x and NT/2K/XP OS), Mac OS X, Linux, and Solaris. Details of the GUI differ from one host OS to another, of course, and the configuration steps are user-oriented rather than administrator-oriented. The software client acts like the hardware client in terms of connecting to the headend of the tunnel. It initiates the connection, offering its preset IKE proposals. An acceptable parameter set is agreed upon (or the connection fails, of course), and the client communicates with the headend as though locally present (always subject to bandwidth limitations or connectivity problems between the two physical locations).

The software client is capable of handling tunnels over any of the following connections:

  • POTS (dialup service)

  • ISDN

  • Cable modem service

  • DSL

  • LAN connection

The software client supports split tunneling. With an eye to hosts that connect to the Internet over a nontunnel connection, the client also supports a number of personal firewalls from Cisco, ZoneAlarm, ZoneLabs, BlackIce, and Sygate. It also includes an integrated firewall called the Stateful Firewall (Always On).



CCSP CSI Exam Cram 2 (Exam Cram 642-541)
ISBN: 0789730243
EAN: 2147483647
Year: 2002
Pages: 177
Authors: Annlee Hines
