Understanding the VPN Client

The VPN Client is a software program that runs on a Microsoft^® Windows^®-based PC. The VPN Client on a remote PC, communicating with a Cisco VPN device on an enterprise network or with a service provider, creates a secure connection over the Internet. Through this connection you can access a private network as if you were an on-site user. Thus you have a Virtual Private Network (VPN).

As a remote user (low speed or high speed), you first connect to the Internet. Then you use the VPN Client to securely access the private enterprise network through a Cisco VPN device that supports the VPN Client.

The VPN Client comprises the following applications, which you select from the Program menu:

Figure 1-1: VPN Client Applications

In logical order of use, the applications are as follows:

Help—Displays an online manual with instructions on using the applications.

VPN Dialer—Lets you configure connections to a VPN device and lets you then start your connections.

Certificate Manager—Lets you enroll for certificates to authenticate your connections to VPN devices.

Log Viewer—Lets you display events from the log .
Uninstall VPN Client—Lets you safely remove the VPN Client software from your system and retain your connection and certificate configurations.
SetMTU—Lets you manually change the size of the maximum transmission unit (see the VPN Client Administrator Guide, Chapter 5.)

How the VPN Client Works

The VPN Client works with a Cisco VPN device to create a secure connection, called a tunnel, between your computer and the private network. It uses Internet Key Exchange (IKE) and Internet Protocol Security (IPSec) tunneling protocols to make and manage the secure connection. Some of the steps include:

Negotiating tunnel parameters—Addresses, algorithms, lifetime, and so on.
Establishing tunnels according to the parameters.
Authenticating users—Making sure users are who they say they are, by way of usernames, group names and passwords, and X.509 digital certificates.
Establishing user access rights—Hours of access, connection time, allowed destinations, allowed protocols, and so on.
Managing security keys for encryption and decryption.
Authenticating, encrypting, and decrypting data through the tunnel.

For example, to use a remote PC to read e-mail at your organization, you connect to the Internet, then start the VPN Client and establish a secure connection through the Internet to your organization's private network. When you open your e-mail, the Cisco VPN device uses IPSec to encrypt the e-mail message. It then transmits the message through the tunnel to your VPN Client, which decrypts the message so you can read it on your remote PC. If you reply to the e-mail message, the VPN Client uses IPSec to process and return the message to the private network through the Cisco VPN device.

Connection Technologies

The VPN Client lets you use any of the following technologies to connect to the Internet:

POTS (Plain Old Telephone Service)—Uses a dial-up modem to connect.

ISDN (Integrated Services Digital Network)—May use a dial-up modem to connect.

Cable—Uses a cable modem; always connected.

DSL (Digital Subscriber Line)—Uses a DSL modem; always connected.

You can also use the VPN Client on a PC with a direct LAN connection.

VPN Client Features

The VPN Client includes the following features:

Program Features

Complete browser-based context-sensitive HTML Help
Support for VPN 3000 Series Concentrator platforms that run Release 3.0 and above. (VPN Client Release 3.0 and above will not work with Releases 2.x of the VPN 3000 Concentrator.)
Command-line interface to the VPN Dialer
Local LAN access—The ability to access resources on a local LAN while connected through a secure gateway to a central-site VPN device (if the central site grants permission)
Automatic VPN Client configuration option—the ability to import a configuration file
Log Viewer—An application that collects events for viewing and analysis
Set MTU size—The VPN Client automatically sets a size that is optimal for your environment. However, you can set the MTU size manually as well. (For instructions on adjusting the MTU size, see the VPN Client Administrator Guide).
Application Launcher—The ability to launch an application or a third-party dialer from the VPN Client.
Automatic uninstall of the Nortel Networks Extranet Access Client and the 5000 VPN Client software
Automatic connection by way of Microsoft Dial-Up Networking or any other third-party remote access dialer

Software update notifications from the VPN device upon connection

Ability to launch a location site containing upgrade software from a VPN device notification

NT Features

Password expiration information when authenticating through a RADIUS server that references an NT user database. When you log in, the VPN Concentrator sends a message that your password has expired and asks you to enter a new one and then confirm it. On pre-Release 3.5 VPN Clients, the prompt asks you to supply a PIN and to verify it. On a 3.5 VPN Client, the prompt asks you to enter and verify a password.
Start Before Logon—The ability to establish a VPN connection before logging on to a Windows NT platform, which includes Windows NT 4.0, Windows 2000, and Windows XP systems.
Ability to disable automatic disconnect when logging off of a Windows NT platform. This allows for roaming profile synchronization.

IPSec Features

IPSec tunneling protocol
Transparent tunneling—IPSec over UDP for NAT and PAT, and IPSec over TCP for NAT, PAT, and firewalls
IKE key management protocol
IKE Keepalives—Monitoring the continued presence of a peer and reporting the VPN Client's continued presence to the peer. This lets the VPN Client notify you when the peer is no longer present. Another type of keepalives keeps NAT ports alive.
Split tunneling—The ability to simultaneously direct packets over the Internet in clear text and encrypted through an IPSec tunnel
LZS data compression, which can benefit modem users