Client to Site

Clients from the Internet can connect to the server to access the corporate network or a LAN behind the server. This feature creates a new VPN tunnel to allow teleworkers and business travelers to access your network by using third-party VPN client software.

To configure a Client-to-Site connection, follow these steps:

Procedure
    Step 1   Click VPN > Client-to-Site.
    Step 2   Click Add and the IPsec Client-to-Site Groups table will be displayed.
    Step 3   To add a Client to Site connection, click Add.
    Step 4   In the Add a New Group section, select an option (Cisco VPN Client or 3rd Party Client).
    Step 5   For Cisco VPN Client, configure the following:
    Enable: Click Enable to enable the configuration.
    Group Name: Enter a group name. This is used as an identifier for all the members of this group during IKE negotiations.
    Interface: Select the interface (WAN1, WAN2, USB1, or USB2) from the drop-down list.
    IKE Authentication Method: Authentication method to be used in IKE negotiations in IKE-based tunnels.
    • Pre-shared Key: IKE peers authenticate each other by computing and sending a keyed hash of data that includes the Pre-shared Key. If the receiving peer is able to create the same hash independently using its Pre-shared key, it knows that both peers must share the same secret, thus authenticating the other peer. Pre-shared keys do not scale well because each IPSec peer must be configured with the Pre-shared key of every other peer with which it establishes a session. Enter the Pre-shared Key, and click Enable to enable the Minimum Pre-shared Key Complexity.

    • Certificate: The digital certificate is a package that contains information such as a certificate bearer's identity: name or IP address, the certificate's serial number, the certificate's expiration date, and a copy of the certificate bearer's public key. The standard digital certificate format is defined in the X.509 specification. X.509 version 3 defines the data structure for certificates. Select the certificate from the drop-down list.

    User Group: Click Group Name and select the user group (admin or guest). Click Add or Delete to modify the User Group.
    Mode: Select the mode from the options.
    • Client — The client requests an IP address and the server supplies one from the configured address range. Select Client and enter the start and end IP addresses for the client’s LAN.

    • Network Extension Mode (NEM) — Clients propose their own subnet; VPN services are applied to traffic between the LAN behind the server and the subnet proposed by the client.

    Pool Range for Client LAN:
    • Start IP: Enter the start IP address for the pool range.
    • End IP: Enter the end IP address for the pool range.

    For Mode Configuration

    Primary DNS: Enter the IP address of the primary DNS server.
    Secondary DNS: Enter the IP address of the secondary DNS server.
    Primary Windows Internet Name Service (WINS) Server: Enter the IP address of the primary WINS server.
    Secondary WINS Server: Enter the IP address of the secondary WINS server.
    Default Domain: Enter the name of the default domain to be used in the remote network.
    Backup Server 1, 2, & 3: Enter the IP address or domain name of backup servers 1, 2 and 3. When the connection to the primary IPSec VPN server fails, the security appliance can start the VPN connection to the backup servers. Backup server 1 has the highest priority and backup server 3 has the lowest priority.
    Split Tunnel: Check to enable split tunnel. Then click Add to enter an IP address and netmask for the split tunnel. You can add, edit, or delete a split tunnel entry.
    Split DNS: Check to enable split DNS. Then click Add to enter a domain name for the split DNS. You can add, edit, or delete a split DNS entry.

    For a 3rd Party Client

    Step 6   In the Basic Settings tab, configure the following:
    Enable: Click Enable to enable the configuration.
    Tunnel Name: Name of the VPN tunnel. This description is for your reference. It does not have to match the name used at the other end of the tunnel.
    Interface: Select the interface (WAN1, WAN2, USB1, or USB2) from the drop-down list.
    IKE Authentication Method: Authentication method to be used in IKE negotiations in IKE-based tunnels.
    • Pre-shared Key: IKE peers authenticate each other by computing and sending a keyed hash of data that includes the Pre-shared key. If the receiving peer is able to create the same hash independently using its Pre-shared key, it knows that both peers must share the same secret, thus authenticating the other peer. Pre-shared keys do not scale well because each IPSec peer must be configured with the Pre-shared key of every other peer with which it establishes a session. Enter the Pre-shared Key, and click Enable to enable the Minimum Pre-shared Key Complexity.

    • Certificate: The digital certificate is a package that contains information such as a certificate bearer's identity: name or IP address, the certificate's serial number, the certificate's expiration date, and a copy of the certificate bearer's public key. The standard digital certificate format is defined in the X.509 specification. X.509 version 3 defines the data structure for certificates. Select the certificate from the drop-down list.

    Local Identifier: Select the local identifier type (IP Address, FQDN, or User FQDN) from the drop-down list and enter the identifier.
    Remote Identifier: Select the remote identifier type (Remote IP, FQDN, or User FQDN) from the drop-down list and enter the identifier.
    Extended Authentication: Check Extended Authentication to enable it. Click Add to add an extended authentication entry and select admin or guest.
    Pool Range for Client LAN:
    • Start IP: Enter the start IP address for the pool range.
    • End IP: Enter the end IP address for the pool range.
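The Pre-shared Key bullets in Step 5 and Step 6 describe the mechanism in prose: each peer sends a keyed hash over the exchange data, and the receiver recomputes it with its own copy of the key. The following Python block is an added illustration of that mechanism together with a minimum-complexity check; it is not code from this guide or from the appliance. HMAC-SHA256 as the keyed hash, the nonce-keyed derivation, the sample PSK, the exchange data and the complexity rule (8+ characters, three of four character classes) are all assumptions made for the example, since the page does not state which PRF the appliance uses or how it defines Minimum Pre-shared Key Complexity.

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample PSK, provisioned on both peers out of band for the demo.
SHARED_PSK = b"Corr3ct-Horse-Battery-Staple!"


def derive_skeyid(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Key the hash with the PSK and both peers' nonces (the IKEv1 PSK-mode
    SKEYID pattern). HMAC-SHA256 is an assumed PRF for this example, not a
    statement about what the appliance negotiates."""
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha256).digest()


def keyed_hash(psk: bytes, nonce_i: bytes, nonce_r: bytes, exchange_data: bytes) -> bytes:
    """The value a peer sends to prove it holds the PSK: a keyed hash over the
    identity and proposal data of the exchange. The PSK itself never crosses the wire."""
    skeyid = derive_skeyid(psk, nonce_i, nonce_r)
    return hmac.new(skeyid, exchange_data, hashlib.sha256).digest()


def authenticate_peer(own_psk: bytes, nonce_i: bytes, nonce_r: bytes,
                      exchange_data: bytes, received_hash: bytes) -> bool:
    """The receiver recomputes the hash with its own PSK; a match proves both
    sides share the secret. compare_digest keeps the comparison constant-time."""
    expected = keyed_hash(own_psk, nonce_i, nonce_r, exchange_data)
    return hmac.compare_digest(expected, received_hash)


def run_exchange(client_psk: bytes, server_psk: bytes) -> bool:
    """Simulate one authentication attempt: the client hashes with its PSK,
    the server verifies with the PSK configured for the group."""
    nonce_i = secrets.token_bytes(16)   # initiator (client) nonce
    nonce_r = secrets.token_bytes(16)   # responder (server) nonce
    # Constructed stand-in for the identity and SA payloads the hash covers.
    exchange_data = b"ID_i=teleworker-group|ID_r=203.0.113.1|SA=aes256-sha256-dh14"
    hash_i = keyed_hash(client_psk, nonce_i, nonce_r, exchange_data)
    return authenticate_peer(server_psk, nonce_i, nonce_r, exchange_data, hash_i)


def psk_meets_minimum_complexity(psk: str, min_length: int = 8) -> bool:
    """Assumed minimum-complexity policy (the page does not define the appliance's
    rule): at least min_length characters and three of the four character classes."""
    classes = (
        any(c.islower() for c in psk),
        any(c.isupper() for c in psk),
        any(c.isdigit() for c in psk),
        any(c in string.punctuation for c in psk),
    )
    return len(psk) >= min_length and sum(classes) >= 3


if __name__ == "__main__":
    print("same PSK authenticates:", run_exchange(SHARED_PSK, SHARED_PSK))
    print("wrong PSK rejected:", not run_exchange(SHARED_PSK, b"guess"))
    print("complexity ok:", psk_meets_minimum_complexity(SHARED_PSK.decode()))
```

The scaling remark in the bullet follows directly from `run_exchange`: authentication only succeeds when `server_psk` equals `client_psk`, so every peer pair that must talk has to be provisioned with the same secret in advance, which is what certificates (the other option in the drop-down) avoid.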
    Step 7   In the Advanced Settings tab, configure the following:
    IPSec Profile: Set to Default.
    Remote Endpoint: Select the remote endpoint type (Static IP, FQDN, or Dynamic IP) from the drop-down list.
    For Local Group Setup
    Local IP Type: Select the local IP type (IP Address or Subnet) from the drop-down list.
    IP Address: Enter the IP address of the device.
    Subnet Mask: Enter the subnet mask.

    For Mode Configuration

    Primary DNS: Enter the IP address of the primary DNS server.
    Secondary DNS: Enter the IP address of the secondary DNS server.
    Primary Windows Internet Name Service (WINS) Server: Enter the IP address of the primary WINS server.
    Secondary WINS Server: Enter the IP address of the secondary WINS server.
    Default Domain: Enter the name of the default domain to be used in the remote network.
    Backup Server 1, 2, & 3: Enter the IP address or domain name of backup servers 1, 2 and 3. When the connection to the primary IPSec VPN server fails, the security appliance can start the VPN connection to the backup servers. Backup server 1 has the highest priority and backup server 3 has the lowest priority.
    Split Tunnel: Check to enable split tunnel. Then click Add to enter an IP address and netmask for the split tunnel. You can add, edit, or delete a split tunnel entry.
    Split DNS: Check to enable split DNS. Then click Add to enter a domain name for the split DNS. You can add, edit, or delete a split DNS entry.
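The Mode Configuration fields in Step 5 and Step 7, together with the Pool Range and Local Group Setup fields, decide three things at runtime: which address a connecting client receives, which destinations and DNS names go through the tunnel, and which server the client falls back to. The Python block below is an added model of those decisions so that a configuration can be sanity-checked before clicking Apply; it is not code from this guide or from the appliance. The sample LAN, pool range, split tunnel subnets, split DNS domains and server names are constructed, the suffix-match semantics for Split DNS are an assumption, and `reachable` is a hypothetical callback standing in for the real connection attempt.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed sample values standing in for the fields on this page.
LAN_BEHIND_SERVER = "192.168.1.0/24"                  # Local Group Setup: IP Address + Subnet Mask
POOL_START, POOL_END = "10.10.10.10", "10.10.10.20"   # Pool Range for Client LAN
SPLIT_TUNNEL = ["192.168.1.0/24", "172.16.50.0/24"]   # Split Tunnel entries (IP address + netmask)
SPLIT_DNS = ["corp.example", "lab.example"]           # Split DNS entries


def pool_addresses(start: str, end: str) -> List[ipaddress.IPv4Address]:
    """Expand the inclusive Start IP .. End IP range; a reversed range is a config error."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if int(e) < int(s):
        raise ValueError("End IP must not be below Start IP")
    return [ipaddress.ip_address(i) for i in range(int(s), int(e) + 1)]


def pool_overlaps_lan(start: str, end: str, lan: str) -> bool:
    """Check a practitioner makes before Apply: the client pool must not overlap
    the LAN behind the server, otherwise the server cannot route between them."""
    net = ipaddress.ip_network(lan, strict=False)
    return (int(ipaddress.ip_address(start)) <= int(net.broadcast_address)
            and int(ipaddress.ip_address(end)) >= int(net.network_address))


class AddressPool:
    """Hands out pool addresses the way Client mode does (server supplies the IP)."""

    def __init__(self, start: str, end: str):
        self._free = pool_addresses(start, end)
        self.leases: Dict[str, ipaddress.IPv4Address] = {}

    def assign(self, client_id: str) -> Optional[ipaddress.IPv4Address]:
        if client_id in self.leases:      # a reconnecting client keeps its lease
            return self.leases[client_id]
        if not self._free:                # pool exhausted: the connection must be refused
            return None
        addr = self._free.pop(0)
        self.leases[client_id] = addr
        return addr


def routes_through_tunnel(dest: str, split_tunnel: List[str], split_enabled: bool = True) -> bool:
    """Split tunnel on: only destinations inside a listed subnet use the tunnel.
    Split tunnel off: every destination is tunnelled (full tunnel)."""
    if not split_enabled:
        return True
    d = ipaddress.ip_address(dest)
    return any(d in ipaddress.ip_network(net, strict=False) for net in split_tunnel)


def resolves_through_tunnel(name: str, split_dns: List[str], split_enabled: bool = True) -> bool:
    """Split DNS on: only names under a listed domain are sent to the tunnel's DNS
    servers (assumed suffix match). Split DNS off: all queries use the VPN DNS."""
    if not split_enabled:
        return True
    name = name.lower().rstrip(".")
    return any(name == dom or name.endswith("." + dom) for dom in split_dns)


def select_vpn_server(primary: str, backups: List[str],
                      reachable: Callable[[str], bool]) -> Optional[str]:
    """Primary first, then Backup Server 1, 2, 3 in that priority order; blank
    backup slots are skipped. `reachable` is a hypothetical connection probe."""
    for server in [primary] + [b for b in backups if b]:
        if reachable(server):
            return server
    return None


if __name__ == "__main__":
    print("pool overlaps LAN:", pool_overlaps_lan(POOL_START, POOL_END, LAN_BEHIND_SERVER))
    pool = AddressPool(POOL_START, POOL_END)
    print("first client gets:", pool.assign("alice"))
    print("192.168.1.25 via tunnel:", routes_through_tunnel("192.168.1.25", SPLIT_TUNNEL))
    print("intranet.corp.example via VPN DNS:", resolves_through_tunnel("intranet.corp.example", SPLIT_DNS))
```

Running the overlap check against the real Local Group Setup subnet before Apply catches the most common misconfiguration in this dialog: a pool range carved out of the LAN itself, which leaves the server unable to distinguish tunnel clients from local hosts.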

    Additional Settings

    Aggressive Mode: Check Aggressive Mode to enable it.

    The Aggressive Mode feature allows you to specify RADIUS tunnel attributes for an IP security (IPsec) peer and to initiate an Internet Key Exchange (IKE) aggressive mode negotiation with the tunnel attributes.

    Compress (Support IP Payload Compression Protocol (IP Comp)): Check Compress to enable the router to propose compression when it starts a connection. If the responder rejects this proposal, then the router does not implement compression. When the router is the responder, it accepts compression, even if compression is not enabled. If you enable this feature for this router, also enable it on the router at the other end of the tunnel.
    Step 8   Click Apply.