Table Of Contents
Understanding the VPN Client
Connection Technologies
VPN Client Overview
VPN Client Features
Program Features
Authentication Features
IPSec Features
VPN Client IPSec Attributes
Understanding the VPN Client
The Cisco VPN Client for Mac OS X is a software application that runs on any Macintosh computer using operating system Version 10.2 or later. The VPN Client on a remote PC, communicating with a Cisco VPN device on an enterprise network or with a service provider, creates a secure connection over the Internet. This connection allows you to access a private network as if you were an on-site user, creating a Virtual Private Network (VPN).
The following VPN devices can terminate VPN connections from VPN Clients:
• Cisco IOS devices that support Easy VPN server functionality
• VPN 3000 Series Concentrators
• Cisco PIX Firewall Series, Version 6.2 or later
With the graphical user interface for the VPN Client for Mac OS X, you can establish a VPN connection to a private network; manage connection entries, certificates, events logging; and view tunnel routing data.
You can also manage the VPN Client for Mac OS X using the command-line interface (CLI). If you are running Darwin, or if you prefer to manage the VPN Client from the CLI, refer to the Cisco VPN Client Administration Guide.
Connection Technologies
The VPN Client lets you use any of the following technologies to connect to the Internet:
• POTS (Plain Old Telephone Service)—Uses a dial-up modem to connect.
• ISDN (Integrated Services Digital Network)—May use a dial-up modem to connect.
• Cable—Uses a cable modem; always connected.
• DSL (Digital Subscriber Line)—Uses a DSL modem; always connected.
You can also use the VPN Client on a PC with a direct LAN connection.
VPN Client Overview
The VPN Client works with a Cisco VPN device to create a secure connection, called a tunnel, between your computer and a private network. It uses Internet Key Exchange (IKE) and Internet Protocol Security (IPSec) tunneling protocols to establish and manage the secure connection.
The steps used to establish a VPN connection can include:
• Negotiating tunnel parameters (addresses, algorithms, lifetime)
• Establishing VPN tunnels according to the parameters
• Authenticating users (from usernames, group names and passwords, and X.509 digital certificates)
• Establishing user access rights (hours of access, connection time, allowed destinations, allowed protocols)
• Managing security keys for encryption and decryption
• Authenticating, encrypting, and decrypting data through the tunnel
For example, to use a remote PC to read e-mail at your organization, the connection process might be similar to the following:
Step 1 Connect to the Internet.
Step 2 Start the VPN Client.
Step 3 Establish a secure connection through the Internet to your organization's private network.
Step 4 When you open your e-mail:
• The Cisco VPN device
  – Uses IPSec to encrypt the e-mail message
  – Transmits the message through the tunnel to your VPN Client
• The VPN Client
  – Decrypts the message so you can read it on your remote PC
  – Uses IPSec to process and return the message to the private network through the Cisco VPN device.
VPN Client Features
The tables in the following sections describe the VPN Client features.
Table 1-1 lists the VPN Client main features.
Table 1-1 VPN Client Main Features

| Feature | Description |
|---|---|
| Operating System | Mac OS Version 10.2 or later |
| Connection types | Async serial PPP; Internet-attached Ethernet; DSL. Note: The VPN Client for Mac OS X does not support Bluetooth wireless technology. |
| Protocol | IP |
| Tunnel protocol | IPSec |
| User Authentication | RADIUS; RSA SecurID; VPN server internal user list; PKI digital certificates; NT Domain (Windows NT) |
Program Features
The VPN Client supports the Program features listed in Table 1-2.
Table 1-2 Program Features

| Program Feature | Description |
|---|---|
| Servers supported | Cisco IOS devices that support Easy VPN server functionality; VPN 3000 Series Concentrators; Cisco PIX Firewall Series, Version 6.2 or later |
| Interfaces supported | Graphical user interface; command-line interface |
| Online Help | Complete browser-based context-sensitive Help. Note: The online help requires MS Internet Explorer. |
| Local LAN access | The ability to access resources on a local LAN while connected through a secure gateway to a central-site VPN server (if the central site grants permission). |
| Automatic VPN Client configuration option | The ability to import a configuration file. |
| Event logging | The VPN Client log collects events for viewing and analysis. |
| NAT Transparency (NAT-T) | Enables the VPN Client and the VPN device to automatically detect when to use IPSec over UDP so that the connection works properly in Port Address Translation (PAT) environments. |
| Update of a centrally controlled backup server list | The VPN Client learns the backup VPN server list when the connection is established. This feature is configured on the VPN device and pushed to the VPN Client. The backup servers for each connection entry are listed on the Backup Servers tab. |
| Set MTU size | The VPN Client automatically sets an MTU size that is optimal for your environment. However, you can also set the MTU size manually. For information on adjusting the MTU size, see the VPN Client Administrator Guide. |
| Support for Dynamic DNS (DDNS hostname population) | The VPN Client sends its hostname to the VPN device when the connection is established. The VPN device can then send the hostname in a DHCP request, which causes the DNS server to update its database with the new hostname and VPN Client address. |
| Notifications | Software update notifications from the VPN server upon connection. |
| Launching from notification | Ability to launch a site containing upgrade software from a VPN server notification. |
| Alerts (Delete with reason) | The VPN Client provides a reason code or reason text when a disconnect occurs. The VPN Client supports the delete-with-reason function for client-initiated disconnects, concentrator-initiated disconnects, and IPSec deletes. With the GUI VPN Client, a pop-up message states the reason for the disconnect; the message is appended to the Notifications log and is logged in the IPSec log (Log Viewer window). With the command-line client, the message appears on your terminal and is logged in the IPSec log. For IPSec deletes, which do not tear down the connection, an event message appears in the IPSec log file, but no message pops up or appears on the terminal. Note: The VPN Concentrator you are connected to must be running software version 4.0 or later. |
| Single-SA | The ability to use a single security association (SA) per VPN connection. Rather than creating a host-to-network SA pair for each split-tunneling network, this feature takes a host-to-all approach, creating one tunnel for all appropriate network traffic regardless of whether split tunneling is in use. |
| Connect on open | This feature lets a user connect to the default user profile when starting the VPN Client. You can enable this feature on the Preferences menu under the VPN Client tab. |
| VPN Client API | The VPN Client provides an application programming interface for performing VPN Client tasks without using the command-line or graphical interfaces that Cisco provides. The API comes with a programmer's user guide in an editable format. |
Authentication Features
The VPN Client supports the authentication features listed in Table 1-3.
Table 1-3 Authentication Features

| Authentication Feature | Description |
|---|---|
| User authentication through VPN central-site device | Internal, through the VPN device's database; RADIUS (Remote Authentication Dial-In User Service); NT Domain (Windows NT); RSA (formerly SDI) SecurID or SoftID |
| Certificate Management | Allows you to manage the certificates in the certificate stores. |
| Certificate Authorities (CAs) | CAs that support PKI SCEP enrollment. |
| Peer Certificate Distinguished Name Verification | Prevents the VPN Client from connecting to an invalid gateway that presents a stolen but valid certificate from a hijacked IP address. If the attempt to verify the domain name in the peer certificate fails, the VPN Client connection also fails. |
IPSec Features
The VPN Client supports the IPSec features listed in Table 1-4.
Table 1-4 IPSec Features

| IPSec Feature | Description |
|---|---|
| Tunnel Protocol | IPSec |
| Transparent tunneling | IPSec over UDP for NAT and PAT; IPSec over TCP for NAT and PAT |
| Key Management protocol | Internet Key Exchange (IKE) |
| IKE Keepalives | A mechanism for monitoring the continued presence of a peer and reporting the VPN Client's continued presence to the peer. This lets the VPN Client notify you when the peer is no longer present. Another type of keepalive keeps NAT ports alive. |
| Split tunneling | The ability to simultaneously direct packets over the Internet in clear text and through an IPSec tunnel encrypted. The VPN device supplies a list of networks to the VPN Client for tunneled traffic. You enable split tunneling on the VPN Client and configure the network list on the VPN device. |
| Support for Split DNS | The ability to direct DNS packets in clear text over the Internet to domains served by an external DNS (your ISP's) or through an IPSec tunnel to domains served by the corporate DNS. The VPN server supplies a list of domains to the VPN Client for tunneling packets to destinations in the private network. For example, a query for corporate.com would go through the tunnel to the DNS that serves the private network, while a query for myfavoritesearch.com would be handled by the ISP's DNS. This feature is configured on the VPN server (VPN Concentrator) and is enabled on the VPN Client by default. To use Split DNS, you must also have split tunneling configured. |
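The split-tunneling and Split DNS decisions described in the last two rows above, as an added example rather than code from the Cisco VPN Client: the network list and domain list are constructed stand-ins for what the VPN device pushes to the client, and the function names are my own.

```python
import ipaddress

# Constructed sample of the lists a VPN device would push to the client;
# not values from any real deployment.
TUNNELED_NETWORKS = ["10.0.0.0/8", "192.168.100.0/24"]
SPLIT_DNS_DOMAINS = ["corporate.com"]


def route_for_destination(dst_ip, tunneled_networks=TUNNELED_NETWORKS,
                          split_tunneling=True):
    """Decide whether a packet to dst_ip goes through the IPSec tunnel
    ('tunnel') or in clear text to the Internet ('clear').

    With split tunneling disabled everything is tunneled; with it enabled
    only destinations inside one of the pushed networks are tunneled."""
    if not split_tunneling:
        return "tunnel"
    addr = ipaddress.ip_address(dst_ip)   # raises ValueError on bad input
    for net in tunneled_networks:
        if addr in ipaddress.ip_network(net):
            return "tunnel"
    return "clear"


def resolver_for_query(qname, split_dns_domains=SPLIT_DNS_DOMAINS,
                       split_tunneling=True):
    """Decide which DNS server answers a query: the corporate DNS reached
    through the tunnel ('corporate') or the ISP's DNS in clear ('isp').

    Split DNS only applies when split tunneling is configured, so without
    it every query goes through the tunnel. Matching is on whole labels,
    so 'notcorporate.com' does not match the pushed domain 'corporate.com'
    while 'mail.corporate.com' does."""
    if not split_tunneling:
        return "corporate"
    name = qname.rstrip(".").lower()      # normalise trailing dot and case
    for domain in split_dns_domains:
        suffix = domain.rstrip(".").lower()
        if name == suffix or name.endswith("." + suffix):
            return "corporate"
    return "isp"
```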
VPN Client IPSec Attributes
The VPN Client supports the IPSec attributes listed in Table 1-5.
Table 1-5 IPSec Attributes

| IPSec Attribute | Description |
|---|---|
| Main Mode and Aggressive Mode | Ways to negotiate phase one of establishing ISAKMP Security Associations (SAs) |
| Authentication algorithms | HMAC (Hashed Message Authentication Code) with MD5 (Message Digest 5) hash function; HMAC with SHA-1 (Secure Hash Algorithm) hash function |
| Authentication Modes | Preshared Keys; Mutual Group Authentication; X.509 Digital Certificates |
| Diffie-Hellman Groups | Group 1 = 768-bit prime modulus; Group 2 = 1024-bit prime modulus; Group 5 = 1536-bit prime modulus. Note: See the Cisco VPN Client Administrator Guide for more information about DH Group 5. |
| Encryption algorithms | 56-bit DES (Data Encryption Standard); 168-bit Triple-DES; AES 128-bit and 256-bit |
| Extended Authentication (XAUTH) | The capability of authenticating a user within IKE. This authentication is in addition to the normal IKE phase 1 authentication, in which the IPSec devices authenticate each other. The extended authentication exchange within IKE does not replace the existing IKE authentication. |
| Mode Configuration | Also known as ISAKMP Configuration Method |
| Tunnel Encapsulation Modes | IPSec over UDP (NAT/PAT); IPSec over TCP (NAT/PAT) |
| IP compression (IPCOMP) using LZS | Data compression algorithm |
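A local minimum-strength check over the phase-one attributes in Table 1-5, added here as an illustration and not part of the Cisco VPN Client: the DH modulus sizes and cipher key lengths come from the table, while Proposal, Policy and the threshold values are constructed stand-ins for a site's own policy.

```python
from dataclasses import dataclass

# Attribute values from Table 1-5: DH group -> modulus bits, cipher -> key bits.
DH_MODULUS_BITS = {1: 768, 2: 1024, 5: 1536}
CIPHER_KEY_BITS = {"DES": 56, "3DES": 168, "AES-128": 128, "AES-256": 256}


@dataclass(frozen=True)
class Proposal:
    """One phase-one proposal (constructed representation, not IKE wire format)."""
    cipher: str       # key of CIPHER_KEY_BITS
    hash_alg: str     # "MD5" or "SHA-1"
    dh_group: int     # key of DH_MODULUS_BITS
    auth_mode: str    # "psk", "mutual-group" or "x509"


@dataclass(frozen=True)
class Policy:
    """Constructed site policy: the weakest attributes still accepted."""
    min_key_bits: int = 128
    min_dh_bits: int = 1024
    allowed_hashes: tuple = ("SHA-1",)
    allowed_auth: tuple = ("psk", "mutual-group", "x509")


def check_proposal(p, policy):
    """Return the list of policy violations; empty means acceptable.
    Unknown cipher or DH group values are treated as 0 bits and so rejected."""
    problems = []
    key_bits = CIPHER_KEY_BITS.get(p.cipher, 0)
    if key_bits < policy.min_key_bits:
        problems.append(f"cipher {p.cipher}: {key_bits}-bit key below {policy.min_key_bits}")
    if p.hash_alg not in policy.allowed_hashes:
        problems.append(f"hash {p.hash_alg} not allowed")
    dh_bits = DH_MODULUS_BITS.get(p.dh_group, 0)
    if dh_bits < policy.min_dh_bits:
        problems.append(f"DH group {p.dh_group}: {dh_bits}-bit modulus below {policy.min_dh_bits}")
    if p.auth_mode not in policy.allowed_auth:
        problems.append(f"authentication mode {p.auth_mode} not allowed")
    return problems


def select_proposal(offered, policy):
    """Pick the first proposal, in the peer's preference order, that meets policy."""
    for p in offered:
        if not check_proposal(p, policy):
            return p
    return None
```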