IPSec client features

The gateway supports the following IPSec client features:

• Split tunneling
• Third-party IPSec clients
• Forced logout
• Client fail-over
• Client auto connect
• Banner
• Password storage
• Client screen saver
• Client Keepalive
• Domain name
• Client policy

All IPSec client traffic is tunneled through the gateway by default. Split tunneling allows you to configure specific network routes that are downloaded to the client. Only these network routes are then tunneled; any other traffic goes to the local PC interface. Split tunneling allows you to print locally, for example, even while you are tunneled into the gateway. Figure 1 shows a sample split tunneling environment.

The previous figure shows split tunneling enabled and split tunnel network IP addresses 10.2.3.4 and 10.10.0.5. When a client establishes an IPSec tunnel, these addresses are loaded into the client application.

The remote user, for example, then downloads his email from the mail server at 10.10.0.5, and downloads a document from the Archive at 10.2.3.4. Next, without exiting the tunnel, the remote user can print the document through the PC's local network interface 192.19.2.32 to the printer at 192.19.2.33. You can enable split tunneling through the ProfilesGroupsIPSecEdit screen split tunneling field.

You designate which network routes to tunnel through the gateway from the ProfileNetworks screen. Next, you associate specific network routes to specific groups through the ProfilesGroupsIPSecEdit screen by configuring the Split Tunnel Networks field.

The gateway takes precautions against violators potentially hacking tunneled information when the gateway is operating in split tunneling mode. The primary precaution is to drop packets that do not have the IP address that is assigned to the tunnel connection as its source address. For example, if you have a PPP dial-up connection to the Internet with an IP address of 192.168.21.3, and then you set up a tunneled connection to a gateway and you are assigned a tunnel IP address of 192.192.192.192, then any packets that attempt to pass through the tunnel connection with a source IP address of 192.168.21.3 (or any address other than 192.192.192.192) are dropped.

Furthermore, you can enable filters on the gateway to limit the protocol types that can pass through a tunneled connection.

The Client Selection feature enables you to configure your gateway to accept tunnel connections from third-party clients, in addition to the Nortel Networks Contivity VPN Client.

To completely eliminate security risks, you should not use the split tunneling feature.

The client selection feature enables you to configure your gateway to accept tunnel connections from third-party clients, in addition to the Contivity VPN Client.

The Client Selection feature provides more flexibility and mobility than was previously available to remote users who want to connect to your gateway using a client other than the Contivity VPN Client. The alternate method of connecting third-party clients requires you to set up a branch office connection and configure the remote client's IP address as the connection's remote gateway address. This branch office method binds a client machine to a fixed IP address. This can be limiting if a user needs to be able to create tunnels from multiple systems, for example, a work desktop system and a mobile laptop.

With the client selection feature, you establish an account for a remote user, rather than for a remote machine. You set up the account within the realm of remote access users, as has always been done for the Contivity VPN Client users. This gives the remote user the freedom to create tunnels to your gateway from different machines, and from different locations.

When configuring for Contivity VPN Clients, the gateway ignores the "Allow undefined networks for non-Contivity clients" field for clients that are not Contivity clients. The gateway never allows Contivity VPN Clients to connect to undefined networks. All reachable networks must be defined on the ProfilesNetworks screen.

When configuring for clients that are not Contivity VPN Clients, the fields that are preceded by an asterisk are not supported. You must select either the Split Tunneling or "Allow undefined networks field for non-Contivity clients" field for clients that are not Contivity VPN Clients. If you select both, the gateway uses the Split Tunneling feature and ignores the "Allow undefined networks" selection.

The gateway supports both preshared key and RSA digital signature authentication methods. For clients that are not Contivity VPN Clients, you must specify at least one of these authentication methods on the ServicesIPSec screen.

RADIUS authentication is not supported. Also, you can configure a static address for the tunnel from a client other than a Contivity VPN Client, or you can allow the client to use its own IP address as the address used within the tunnel.

To configure the client selection:

1. Go to the ProfilesGroupsEditIPSec screen.
2. Under Forced logout, you can specify a time after which all active users are automatically logged off for IPSec tunneling. The default is 0, which means the option is turned off. The possible range is 00:00:01 to 23:59:59.
3. Client keepalive uses small packets to check and maintain, or keep alive, the connection between the client and the gateway. Use the Contivity VPN Client to disable keepalives between the gateway and the client. This option allows you to disable keepalives when tunneling over an ISDN link, since the link is not always active. If an idle time-out has been set on the gateway, and keepalives have been disabled on the client, the client might not receive notice that the connection has been closed (due to the Idle Time-out), when the physical ISDN connection is not active.
   
   

   Note: If the idle time-out on the gateway logs off the client, and the client has client fail-over configured on the ServicesIPSec screen, that client then fails over to the defined failover server, rather than being disconnected as desired.

   
   

When the Keep Alive parameter is disabled on the client it prevents the gateway and client from exchanging keep alive messages. Therefore, if the connection is lost, the gateway does not realize that the client is no longer connected until the idle time is reached. If the idle time-out can be set to Never, the resulting connection could remain established for a long time, which wastes gateway resources.

If the number of Logins is set to 1, which is the default, the client cannot reconnect until the rekey happens, which by default is in 8 hours. If the user has the Disable Keep Alive parameter set on the client, and the connection goes down, the user could be prohibited from reconnecting for 8 hours or more, depending on the rekey value.

Also, do not set the idle time-out to 0. If you lose the connection in this situation, you must delete the session from the gateway to reconnect.

4. When a static branch office tunnel fails, all packets flowing through the tunnel are dropped. The static tunnel failover feature provides a means to detect and recover from these failures. Static tunnel failover interacts with static route API directly to remove and add static routes associated with a remote network. When a tunneling protocol detects a network failure, the static tunnel API removes static routes associated with the remote network from the route table manager.
   
   

   Note: When setting up static tunnel failover, you need to configure the primary tunnel as nailed up from the ProfilesBranch OfficeEditConnectivity screen. It should also have less cost than any secondary tunnels.

   
   
5. The client auto connect feature enables remote clients to connect their IPSec tunnel sessions in a single step. This is similar to the way Microsoft Dial-Up Networking automatically connects to an ISP when a Web browser is launched. With auto connect, client users simply click on the desired destination, for example, a Web page on the private internal network. This first starts their dialup connection, then makes the tunnel connection to the gateway, and finally makes the connection to the requested destination. What has, in the past, taken three distinct user operations is now accomplished by a single action.

The client auto connect settings specify those network connections that trigger the client's autoconnect feature. For example, you can specify that whenever a remote client attempts to connect to a site in the xyz.com domain, the client auto connect feature is started.

You must make sure that the gateway is configured to allow connections to potential destinations. If the gateway is not configured properly, the remote user might be able to make the connection to the gateway, but cannot access the requested destination. For example, the gateway's filters might be set up to deny access to finance.xyz.com, while the client auto connect is configured to start when connections to the xyz.com domain are received. With this configuration, when a remote client tries to access finance.xyz.com, their connection to their ISP and then to the gateway is automatically started. However, because of the filters, access to finance.xyz.com is denied. Note: After you enable client auto connect, you must reboot the PC on which the client is running and manually make sure the client can connect to the gateway.

When the client successfully connects to the gateway, the gateway downloads the list of networks and domains that trigger the autoconnect feature. This list, which is stored in the client's registry, is used to determine whether a tunnel connection should automatically be started when one is not already active.

The following client features apply only to the Contivity VPN Client:

• Banner--You can customize an enterprise login banner for the Contivity VPN Client by entering text into the space provided. This banner appears at the top of the IPSec client upon login.
• Password storage on client--You can allow client systems to save the login password in this password list, or you can require that a remote user enter the password with each request for authentication and access to an IPSec tunnel. Click on Enable to allow client systems to save the login password. When using certificates, saving the password on the client is not allowed.
• Client policy--Client policy helps prevent potential security violations that could occur when you are using the split tunneling feature. Split tunneling allows client data to travel either through a tunnel to the enterprise network or directly to the Internet.
• Client screen saver--Setting this security feature forces the client to use a password in association with the screen saver. When it is enabled, if the user leaves the system while connected to a tunnel, the system then gets locked out of the tunnel when the screen saver kicks in.
• Domain name--This setting enables you to specify the name of the domain used while an IPSec tunnel is connected. Specifying the domain name in this field ensures that domain lookup operations point to the correct domain. This is particularly important for clients that use Microsoft Outlook or Exchange, to ensure that the mail server is mapped to the correct domain. When a tunnel is connected, the remote client's registry is updated to use the specified domain. When the client disconnects the tunnel, the remote client's original domain is again used.