SSL VPN

The Secure Sockets Layer Virtual Private Network (SSL VPN) allows users to remotely access restricted networks over a secure, authenticated pathway by encrypting the network traffic. The router supports the Cisco AnyConnect VPN client, which can be downloaded at http://www.cisco.com/go/anyconnect/. The router supports 2 SSL VPN tunnels by default, and a license can be registered to support up to 50 tunnels. Once installed and activated, the SSL VPN establishes a secure, remote-access VPN tunnel.

Note

In addition, a Cisco AnyConnect Secure Mobility Client license is required to install and use the Cisco AnyConnect Secure Mobility Client on your device. Information on how to order the Cisco AnyConnect Secure Mobility User Licenses can be found at http://www.cisco.com/c/dam/en/us/products/collateral/security/anyconnect-og.pdf. We recommend the AnyConnect Plus License for 25-99 users.

To configure the SSL VPN, follow these steps:

Procedure

    Step 1   Click VPN > SSL VPN.
    Step 2   On the General Configuration Server tab, provide the following information:

    Cisco SSL VPN Server: Select On or Off to enable or disable the server.

    Mandatory Gateway Settings

    Gateway Interface: Select the gateway interface (WAN1, WAN2, USB1 or USB2) from the drop-down list.
    Gateway Port: Enter the port number of the gateway (Range 1 to 65535).
    Certificate File: Default.
    Client Address Pool: Enter the IP address of the client address pool.
    Client Netmask: Enter the client netmask.
    Client Domain: Enter the client domain name.
    Login Banner: Enter the text to appear as the login banner.

    Optional Gateway Settings

    Idle Timeout: Enter the idle timeout in seconds (Range 60 to 86,400).
    Session Timeout: The time it takes for a TCP or UDP session to time out after a period of idleness. Enter the session timeout in seconds (Range 60 to 1,209,600).
    Client DPD Timeout: Dead Peer Detection (DPD) sends periodic HELLO/ACK messages to check the status of the VPN tunnel. This feature must be enabled on both ends of the VPN tunnel. Specify the interval between HELLO/ACK messages in the Interval field. Enter the client DPD timeout in seconds (Range 0 to 3600).
    Gateway DPD Timeout: Dead Peer Detection (DPD) sends periodic HELLO/ACK messages to check the status of the VPN tunnel. This feature must be enabled on both ends of the VPN tunnel. Specify the interval between HELLO/ACK messages in the Interval field. Enter the gateway DPD timeout in seconds (Range 0 to 3600).
    Keep Alive: Ensures that your router is always connected to the Internet and attempts to re-establish the VPN connection if it is dropped. Enter the Keep Alive time in seconds (Range 0 to 600).
    Lease Duration: Enter the time in seconds that the tunnel stays connected (Range 600 to 1,209,600).
    Max MTU: Enter the maximum size in bytes of a packet that can be sent over the network (Range 576 to 1406).
    Relay Interval: Enter the relay interval time in seconds (Range 0 to 43,200).
    Step 3   Click Apply.
    Step 4   On the Group Policies Server tab, click Add and provide the following information.

    Basic Settings

    Policy Name: Enter the policy name. A group policy applies a whole set of attributes to a group of users, rather than requiring each attribute to be specified individually for each user.
    Primary DNS: Enter the IP address of the primary DNS server.
    Secondary DNS: Enter the IP address of the secondary DNS server.
    Primary WINS: Enter the IP address of the primary WINS server.
    Secondary WINS: Enter the IP address of the secondary WINS server.
    Description: Enter a description.

    IE Proxy Settings

    IE Proxy Policy: The Internet Explorer proxy settings used when the VPN tunnel is established. Select the IE Proxy Policy (None, Auto, Bypass-Local, or Disabled) from the drop-down list.

    If you select Auto or Bypass-Local, enter the following:

    • Address — IP address or domain name.

    • Port — Enter a port number (Range 1 to 65,535).

    Step 5   In the IE Exception Proxy Table, click Add, Edit or Delete to add, edit or delete IE exceptions.

    Split Tunneling Settings

    Enable Split Tunneling: Check Enable Split Tunneling to allow Internet-destined traffic to be sent unencrypted directly to the Internet. Full Tunneling sends all traffic to the end device, where it is then routed to destination resources (eliminating the corporate network from the path for web access).
    Split Selection: Select Include Traffic to include traffic or Exclude Traffic to exclude traffic when applying split tunneling.
    Step 6   In the Split Network Table, click Add, Edit or Delete to add, edit or delete split DNS exceptions.
    Step 7   Configure the IP and Netmask.
    Step 8   Click Apply.
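As an added example (not from this guide or from Cisco), the following Python pre-flight check validates a planned configuration against the field ranges listed in the steps above before you enter it in the GUI; the dict keys, the field names and the sample values are assumptions.

```python
import ipaddress

# Allowed ranges from the General Configuration tab above (seconds; Max MTU in bytes).
RANGES = {
    "gateway_port": (1, 65535), "idle_timeout": (60, 86400),
    "session_timeout": (60, 1209600), "client_dpd_timeout": (0, 3600),
    "gateway_dpd_timeout": (0, 3600), "keep_alive": (0, 600),
    "lease_duration": (600, 1209600), "max_mtu": (576, 1406),
    "relay_interval": (0, 43200),
}

def check_ssl_vpn_config(cfg):
    """Return the problems found in a planned config dict; an empty list means it passes."""
    problems = []
    for field, (low, high) in RANGES.items():  # keys are assumed names for the GUI fields
        value = cfg.get(field)
        if value is None:
            problems.append(f"{field}: missing")
        elif not low <= value <= high:
            problems.append(f"{field}: {value} outside {low}-{high}")
    # Client Address Pool + Client Netmask must describe a network with room for clients.
    try:
        pool = ipaddress.ip_network(
            f"{cfg['client_address_pool']}/{cfg['client_netmask']}", strict=False)
        if pool.num_addresses < 4:
            problems.append(f"client pool {pool} has no room for more than one client")
    except (KeyError, ValueError) as exc:
        problems.append(f"client pool/netmask invalid: {exc}")
    # Split Network Table entries only matter when split tunneling is enabled.
    if cfg.get("split_tunneling"):
        if cfg.get("split_selection") not in ("Include Traffic", "Exclude Traffic"):
            problems.append("split_selection must be Include Traffic or Exclude Traffic")
        for ip, mask in cfg.get("split_networks", []):
            try:  # strict=True rejects a host address where a network is expected
                ipaddress.ip_network(f"{ip}/{mask}", strict=True)
            except ValueError:
                problems.append(f"split network {ip}/{mask} is not a valid network address")
    return problems

# Constructed sample (not from the guide): Keep Alive is out of range and one
# split entry is a host address rather than a network.
SAMPLE = {
    "gateway_port": 443, "idle_timeout": 1800, "session_timeout": 36000,
    "client_dpd_timeout": 300, "gateway_dpd_timeout": 300, "keep_alive": 900,
    "lease_duration": 43200, "max_mtu": 1406, "relay_interval": 0,
    "client_address_pool": "192.0.2.0", "client_netmask": "255.255.255.0",
    "split_tunneling": True, "split_selection": "Include Traffic",
    "split_networks": [("10.0.0.0", "255.255.255.0"), ("10.0.1.7", "255.255.255.0")],
}
```

Calling check_ssl_vpn_config(SAMPLE) reports the two problems in the sample; an empty list means every value fits the documented ranges and the addressing is consistent.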