Client Entry Configuration

After the client is installed, you can open the client configuration by clicking on the VPN Dialer icon that is located in the installation directory. This brings up the Cisco VPN Client window depicted in Figure 10.1.

Figure 10.1. Cisco VPN Client opening window.

graphics/10fig01.jpg

To begin the configuration process, click the New button, which starts the New Connection Entry Wizard. The wizard walks you through the steps needed to create a VPN connection profile. It first prompts you to name the new connection and give it a description. Next it asks for the hostname or IP address of the device to which the client will connect; this is the public address assigned to an Internet-reachable interface, such as the VPN 3000 Concentrator's public interface. The final input is the authentication method the client uses to authenticate to the remote device. You can use preshared keys by specifying a group name and group password, both of which must match the group configured on the concentrator; because that password is shared by every member of the group, treat it with the same care as any other preshared key. Alternatively, you can select a digital certificate that is installed on the local workstation.

As soon as your profile entry has been created, you can further manipulate specific parameters by clicking on the Options button and selecting Properties.

This brings up a screen with three tabs, labeled General, Authentication, and Connections. Some of the fields on these tabs will already be populated from the New Connection Entry Wizard.

Exam Alert: The exam expects you to recognize and identify the options listed on these three tabs. It is imperative that you know the three Properties tabs (General, Authentication, and Connections) and the options each one presents.


The General Tab

In this first tab, illustrated in Figure 10.2, you can change the description that you specified in the New Connection Entry Wizard. The remaining fields correspond closely to the options on the IPSec and Client Config tabs of the concentrator's Configuration | User Management | Groups | Add or Modify pages. Here you decide whether to use transparent tunneling when the client sits behind a NAT- or PAT-capable device. The default is IPSec over UDP; alternatively you can select IPSec over TCP and specify the TCP port number to use. IPSec over UDP NAT transparency includes automatic discovery of standards-based NAT Traversal (NAT-T), which encapsulates the tunnel in UDP port 4500. IPSec over TCP may be necessary when the intermediary NAT or PAT device, such as a stateful firewall, does not pass the UDP-encapsulated traffic.

Whichever encapsulation you choose, the same option must be enabled on the IPSec gateway to which you connect, or the tunnel will not come up. For example, if the gateway is a VPN 3000 Concentrator, enable IPSec over TCP or NAT-T at Configuration | System | Tunneling Protocols | IPSec | NAT Transparency. If you are implementing IPSec over UDP, also enable it on the Client Config tab of the Configuration | User Management pages for the individual group or the base group.

Figure 10.2. Unity Client connection properties General tab.

graphics/10fig02.jpg

Recall from Chapter 4, "Cisco VPN 3000 Remote Access Preshared Key Configuration," that when split tunneling is enabled on the concentrator, you can also let clients bypass the tunnel for traffic destined to their local LAN by specifying that network in the network list. The Allow Local LAN Access check box lets users turn this feature on and off depending on whether they consider the local LAN trustworthy (for example, a work office versus a hotel wireless network). The check box alone does not grant the access; it takes effect only when the concentrator's group configuration permits it.

The last field on this tab is the Dead Peer Detection (DPD) timer. DPD is the mechanism by which the client discovers that its peer has silently gone away: when no traffic is arriving from the peer, the client sends keepalive probes, and if the peer fails to answer within the configured number of seconds the client declares it dead and tears the tunnel down. The default value for the Unity Client is 90 seconds.

The Authentication Tab

As the name states, the Authentication tab (Figure 10.3) is concerned with authentication parameters. These were defined by the wizard, but you can change them here, for instance when the group name or preshared group password changes. You can also switch the entry to digital certificate authentication. With this method you can have the client validate the chosen certificate, and you can choose to send the entire certificate chain when authenticating. Sending the chain is useful when the remote peer shares the same root CA but was issued its certificate by a different subordinate CA: with the chain in hand, the peer can still validate your identity up to the common root. By default the client sends only its own identity certificate, so the peer must already hold the issuing CA certificates needed to build that chain.

Figure 10.3. Unity Client connection properties Authentication tab.

graphics/10fig03.jpg

The Connections Tab

As shown in Figure 10.4, this tab deals with the client's connectivity to the Internet and with backup concentrators. Specifically, you can define a list of up to ten backup servers (concentrators) to try, in order, if the primary is unreachable, much as a dial-up ISP account comes with several phone numbers in case one is busy or out of service. You can prioritize concentrators by moving them up and down the list. The list can also be pushed from the central concentrator; when it is, the pushed configuration overrides any list entered manually in the client window.

Figure 10.4. Unity Client connection properties Connections tab.

graphics/10fig04.jpg

In the bottom two fields of this tab, you can specify that the client dial out to the Internet before establishing the VPN. This is useful when you are not connecting to the Internet over a LAN and must dial an ISP first. The Unity Client interoperates well with Windows Dial-Up Networking (DUN) and with third-party dialing clients. It also offers considerably more options and control than the standard Windows VPN dialers, which support only PPTP and L2TP.
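The wizard fields and the three Properties tabs above together describe one connection profile. The following script is an added example, not part of the Exam Cram text and not Cisco's code: it lints such a profile against the consistency rules this chapter states (a connection must name a peer and a usable authentication method; IPSec over TCP needs a port; the backup list holds at most ten servers; local LAN access depends on the concentrator's group settings). It assumes the client stores each entry as an INI-style .pcf file whose key names (Host, AuthType, GroupName, enc_GroupPwd, CertName, EnableNat, TunnelingMode, TcpTunnelingPort, PeerTimeout, EnableLocalLAN, EnableBackup, BackupServer) are as recalled from the client's administrator documentation; the sample profile and the 30 to 480 second DPD range are constructed assumptions, so verify both against a profile your own client has written.

```python
"""Lint a Cisco VPN Client (Unity) connection profile (.pcf).

Added example; key names are assumed from the client's profile format and
should be checked against a real profile in the client's Profiles directory.
"""
import configparser

# Constructed sample profile with deliberate problems: IPSec over TCP with no
# port, a DPD timeout below the accepted range, and eleven backup servers.
SAMPLE_PCF = """\
[main]
Description=Corporate HQ (sample)
Host=vpn.example.com
AuthType=1
GroupName=remote-users
enc_GroupPwd=000102030405060708090A0B0C0D0E0F
EnableNat=1
TunnelingMode=1
TcpTunnelingPort=
PeerTimeout=15
EnableLocalLAN=1
EnableBackup=1
BackupServer=b1.example.com,b2.example.com,b3.example.com,b4.example.com,b5.example.com,b6.example.com,b7.example.com,b8.example.com,b9.example.com,b10.example.com,b11.example.com
EnableISPConnect=0
"""

AUTH_PRESHARED = 1        # group name + group password (wizard default)
AUTH_CERT = 3             # digital certificate from the local store
MAX_BACKUP_SERVERS = 10   # limit stated in this chapter
DPD_RANGE = (30, 480)     # assumed accepted range for PeerTimeout; default is 90


def load_profile(text):
    """Parse .pcf text and return its [main] section as a dict of strings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str   # keep key case, e.g. enc_GroupPwd
    parser.read_string(text)
    return dict(parser["main"])


def _flag(cfg, key, default="0"):
    """Return True when a 0/1 style key is set to 1."""
    return cfg.get(key, default).strip() == "1"


def check_profile(cfg):
    """Return a list of findings; an empty list means the profile is consistent."""
    findings = []

    # Wizard fields: peer address and authentication method
    if not cfg.get("Host", "").strip():
        findings.append("Host: no concentrator hostname or IP configured")
    try:
        auth = int(cfg.get("AuthType", "1"))
    except ValueError:
        auth = None
    if auth == AUTH_PRESHARED:
        if not cfg.get("GroupName", "").strip():
            findings.append("GroupName: preshared-key auth needs a group name")
        if not (cfg.get("GroupPwd") or cfg.get("enc_GroupPwd")):
            findings.append("GroupPwd: preshared-key auth needs a group password")
    elif auth == AUTH_CERT:
        if not cfg.get("CertName", "").strip():
            findings.append("CertName: certificate auth but no certificate selected")
    else:
        findings.append(f"AuthType: unsupported value {cfg.get('AuthType')!r}")

    # General tab: transparent tunneling, DPD timer, local LAN access
    if _flag(cfg, "EnableNat") and cfg.get("TunnelingMode", "0").strip() == "1":
        port = cfg.get("TcpTunnelingPort", "").strip()
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append("TcpTunnelingPort: IPSec over TCP selected without a valid port")
    timeout = cfg.get("PeerTimeout", "90").strip()
    if not timeout.isdigit() or not DPD_RANGE[0] <= int(timeout) <= DPD_RANGE[1]:
        findings.append(f"PeerTimeout: {timeout!r} is outside {DPD_RANGE[0]}-{DPD_RANGE[1]} s")
    if _flag(cfg, "EnableLocalLAN"):
        findings.append("EnableLocalLAN: effective only if the concentrator group permits local LAN access")

    # Connections tab: backup server list
    if _flag(cfg, "EnableBackup"):
        servers = [s for s in cfg.get("BackupServer", "").split(",") if s.strip()]
        if len(servers) > MAX_BACKUP_SERVERS:
            findings.append(f"BackupServer: {len(servers)} entries, client allows at most {MAX_BACKUP_SERVERS}")
    return findings


if __name__ == "__main__":
    for finding in check_profile(load_profile(SAMPLE_PCF)):
        print("-", finding)
```

Run against the sample, the script reports the missing TCP port, the out-of-range DPD timer, the local LAN note and the oversized backup list. The checks are deliberately client-side only: a profile that passes can still fail to connect if the concentrator does not have the matching NAT transparency mode or group settings enabled, which is why the chapter tells you to configure both ends.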



CCSP CSVPN Exam Cram 2 (Exam 642-511), ISBN 078973026X, 2002, 185 pages.
