An IPsec Remote Access group policy is used by remote VPN clients to establish the VPN connections.
Note Up to 16 IPsec Remote Access group policies can be configured on the security appliance.
1. Click VPN > IPsec Remote Access.
2. To add an IPsec Remote Access group policy, click Add.
Other Options: To edit an entry, click the Edit (pencil) icon. To delete an entry, click the Delete (x) icon. To delete multiple entries, check them and click Delete.
The IPsec Remote Access - Add/Edit window opens.
3. In the Basic Settings tab, enter the following information:
• Group Name: Enter the name for the group policy.
• WAN Interface: Choose the WAN port that traffic passes through over the VPN tunnel.
• IKE Authentication Method: Choose the authentication method.
– Pre-shared Key: Uses a simple, password-based key to authenticate. If you choose this option, enter the desired value that remote VPN clients must provide to establish the VPN connections in the Password field. The pre-shared key must be entered exactly the same here and on the remote clients.
– Certificate: Uses the digital certificate from a third party Certificate Authority (CA) to authenticate. If you choose this option, select a CA certificate as the local certificate from the Local Certificate drop-down list and select a CA certificate as the remote certificate from the Peer Certificate drop-down list for authentication. The selected remote certificate on the IPsec VPN server must be set as the local certificate on remote VPN clients.
NOTE: You must have valid CA certificates imported on your security appliance before choosing this option. Go to the Device Management > Certificate Management page to import the CA certificates. See Managing Certificates for Authentication, page 350.
• Mode: The Cisco VPN hardware client supports NEM (Network Extension Mode) and Client mode. The IPsec Remote Access group policy must be configured with the corresponding mode to allow only the Cisco VPN hardware clients in the same operation mode to be connected. For example, if you choose the Client mode for the group policy, only the Cisco VPN hardware clients in Client mode can be connected by using this group policy. For more information about the operation mode, see Modes of Operation.
– Choose Client for the group policy that is used for both the PC running the Cisco VPN Client software and the Cisco device acting as a Cisco VPN hardware client in Client mode. In Client mode, the IPsec VPN server can assign the IP addresses to the outside interfaces of remote VPN clients. To define the pool range for remote VPN clients, enter the starting and ending IP addresses in the Start IP and End IP fields.
– Choose NEM for the group policy that is only used for the Cisco device acting as a Cisco VPN hardware client in NEM mode.
• Client Internet Access: Check this box to automatically create advanced NAT rules to allow remote VPN clients to access the Internet over the VPN tunnels. If you uncheck this box, you can manually create advanced NAT rules. See Allowing IPsec Remote VPN Clients to Access the Internet.
• WAN Failover: Click On to enable WAN Failover, or click Off to disable it. If you enable WAN Failover, traffic is automatically redirected to the secondary link when the primary link is down.
NOTE: To enable WAN Failover for IPsec Remote Access, make sure that the secondary WAN port was configured and the WAN redundancy was set as the Load Balancing or Failover mode.
NOTE: The security appliance will automatically update the local WAN gateway for the VPN tunnel based on the configurations of the backup WAN link. For this purpose, Dynamic DNS has to be configured because the IP address will change due to failover and remote VPN clients must use the domain name of the IPsec VPN server to establish the VPN connections.
4. In the Zone Access Control tab, you can control access from the PC running the Cisco VPN Client software or the private network of the Cisco VPN hardware client to the zones over the VPN tunnels. Click Permit to permit access, or click Deny to deny access.
NOTE: The VPN firewall rules that are automatically generated by the zone access control settings will be added to the list of firewall rules with the priority higher than the default firewall rules, but lower than the custom firewall rules.
5. In the Mode Configuration Settings tab, enter the following information:
• Primary DNS Server: Enter the IP address of the primary DNS server.
• Secondary DNS Server: Enter the IP address of the secondary DNS server.
• Primary WINS Server: Enter the IP address of the primary WINS server.
• Secondary WINS Server: Enter the IP address of the secondary WINS server.
• Default Domain: Enter the default domain name that should be pushed to remote VPN clients.
• Backup Server 1/2/3: Enter the IP address or hostname for the backup server. You can specify up to three IPsec VPN servers as backup. When the connection to the primary server fails, the VPN clients can attempt to connect to the backup servers. The backup server 1 has the highest priority and the backup server 3 has the lowest priority.
NOTE: The backup servers that you specified on the IPsec VPN server will be sent to remote VPN clients when initiating the VPN connections. The remote VPN clients will cache them.
• Split Tunnel: Click On to enable the split tunneling feature, or click Off to disable it. Split tunneling allows only traffic that is specified by the VPN client routes to corporate resources through the VPN tunnel. If you enable split tunneling, you need to define the split subnets. To add a subnet, enter the IP address and netmask in the Protected Network and Netmask fields and click Add. To delete a subnet, select it from the list and click Delete.
• Split DNS: Split DNS directs DNS packets in clear text through the VPN tunnel to domains served by the corporate DNS. To add a domain, enter the Domain name that should be resolved by your network’s DNS server, and then click Add. To delete a domain, select it from the list and click Delete.
NOTE: To use Split DNS, you must also enable the split tunneling feature and specify the domains. The Split DNS feature supports up to 10 domains.
6. Click OK to save your settings.