The Cisco Secure VPN Client is a software component in either an extranet Virtual Private Network
(VPN) or a client-initiated access VPN. VPNs allow private data to be encrypted and transmitted
securely over a public network. With the Cisco Secure VPN Client, you can establish an encrypted
tunnel between a client and a router using static or dynamic IP addresses.
This technology overview contains the following sections:
• What is a Virtual Private Network?
• Types of Virtual Private Networks
• What is the Cisco Secure VPN Client?
• Interoperability with Cisco Routers
• System Requirements
• Benefits
What is a Virtual Private Network?
A Virtual Private Network (VPN) is a network that extends remote access to users over a shared
infrastructure. VPNs maintain the same security, prioritizing, manageability, and reliability as a private
network. They are the most cost-effective method of establishing a point-to-point connection between
remote users and an enterprise customer's network. VPNs based on IP meet business customers'
requirements to extend intranets to remote offices, mobile users, and telecommuters. Further, they can
enable extranet links to business partners, suppliers, and key customers for greater customer satisfaction
and reduced business costs.
Types of Virtual Private Networks
The three basic types of VPNs, discussed in this section, are access VPNs, intranet VPNs, and extranet
VPNs.
• Access VPNs—Provide secure remote-access connections for individuals (for example, mobile
users or telecommuters) to a corporate intranet or extranet over a shared service provider network,
with the same policies as a private network. For more information, refer to “Access VPNs.”
• Intranet VPNs—Connect corporate headquarters, remote offices, and branch offices over a shared
infrastructure using dedicated connections. Businesses enjoy the same policies as a private
network, including security, quality of service (QoS), manageability, and reliability. For more
information, refer to “Intranet VPN.”
• Extranet VPNs—Link customers, suppliers, partners, or communities of interest to a corporate
intranet over a shared infrastructure using dedicated connections. For more information, refer to
“Extranet VPN.”
Access VPNs
There are two types of access VPNs, network access server (NAS)-initiated and client-initiated.
• Client-initiated—Remote users use clients to establish an encrypted IP tunnel across the Internet
service provider’s (ISP) shared network to the enterprise customer's network. The main advantage
of client-initiated VPNs over NAS-initiated VPNs is that they use encrypted tunneling to secure the
connection between the client and the ISP over the PSTN.
Figure 1-1 shows the Cisco Secure VPN Client in a client-initiated access VPN topology. The client
establishes a PPP connection with the ISP’s NAS, an IKE Mode Configuration session occurs, then
an encrypted tunnel is established over the PSTN. Client-initiated access VPNs with the Cisco
Secure VPN Client are covered in Chapter 6, “Using Internet Key Exchange Mode Configuration:
A Business Case.”
• NAS-initiated—Remote users dial in to the ISP’s NAS. The NAS establishes an encrypted tunnel
to the enterprise's private network. NAS-initiated VPNs allow users to connect to multiple networks
by using multiple tunnels, and do not require the client to maintain the tunnel-creating software.
NAS-initiated VPNs do not encrypt the connection between the client and the ISP, but rely on the
security of the PSTN.
Figure 1-2 shows a NAS-initiated access VPN topology. Because the Cisco Secure VPN Client is
not required for a NAS-initiated access VPN solution, it is not a component of this network. The
disadvantage of NAS-initiated access VPNs is that the PSTN is not secured.
[Figure 1-1: Client-initiated access VPN topology. A remote user with the Cisco Secure VPN Client connects by PPP over the PSTN to the ISP's NAS; an encrypted tunnel runs across the Internet to the enterprise. Legend: encrypted tunnel, serial line.]
Intranet VPN
An intranet is a network for business that is internal to a company. It delivers the most current
information and services available to a company’s networked employees. Intranets offer a common,
platform-independent interface, which is less costly to implement than a client/server application.
Intranets also increase employees’ productivity by allowing for a reliable connection to consistent
information. Intranet VPNs are used to provide the same security and connectivity for a corporate
headquarters, a remote office, and a branch office as you would have with a private network.
Figure 1-3 shows an intranet VPN topology. Because the Cisco Secure VPN Client acts as the client
component in a client/server application, with the router functioning as a server, it is not commonly used
in an intranet VPN scenario. Also, the Cisco Secure VPN Client is not necessary for secure encryption
over an intranet between two routers; an IPSec tunnel will suffice. It is, however, possible for the client
to negotiate a stricter transform set than the router-to-router transform set, depending on the level
of security required between the host and destination.
For information on creating an intranet VPN, refer to the “Intranet VPN Scenario” chapter of the
Cisco 7100 VPN Configuration Guide.
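The Cisco IOS configuration fragment below is an added example, not taken from this guide or from Cisco's sample configurations. It sketches the router side of the two points made above: a client-initiated access VPN in which the router hands the Cisco Secure VPN Client an internal address through IKE Mode Configuration, and a transform set for the client that is stricter than the one used for the router-to-router tunnel. The names CLIENT-SET, ROUTER-SET, CLIENT-DYN, VPNMAP, CLIENTPOOL, the addresses, access list 101, and the serial interface are all assumptions; CA enrollment for certificate (rsa-sig) authentication is assumed to be configured separately.

```cisco
! Added example (not Cisco's own configuration); names and addresses are assumed.
! Phase 1 (ISAKMP) policy. Peers authenticate with digital certificates (rsa-sig);
! the CA identity and enrollment are assumed to be configured elsewhere.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
!
! IKE Mode Configuration: addresses handed to Cisco Secure VPN Clients come from this pool.
ip local pool CLIENTPOOL 10.10.10.1 10.10.10.254
crypto isakmp client configuration address-pool local CLIENTPOOL
!
! Two transform sets. The client negotiates the stricter 3DES/SHA set; the
! router-to-router tunnel keeps the weaker DES/MD5 set (shown only to make the
! "stricter than router-to-router" distinction visible).
crypto ipsec transform-set CLIENT-SET esp-3des esp-sha-hmac
crypto ipsec transform-set ROUTER-SET esp-des esp-md5-hmac
!
! Dynamic map entry for clients whose IP address is not known in advance.
crypto dynamic-map CLIENT-DYN 10
 set transform-set CLIENT-SET
!
! Static entry: router-to-router tunnel to a known peer (example address).
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set ROUTER-SET
 match address 101
!
! The dynamic entry gets the highest sequence number so static entries are tried first.
crypto map VPNMAP 20 ipsec-isakmp dynamic CLIENT-DYN
! The router answers the client's Mode Configuration address request.
crypto map VPNMAP client configuration address respond
!
! Traffic between the two sites that the static entry protects (example networks).
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Example WAN interface; the crypto map is applied here.
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPNMAP
```

After a client and the remote router have each brought up a tunnel, `show crypto ipsec sa` lists, per peer, which transform set was actually negotiated, which is the check that confirms the client really landed on CLIENT-SET rather than the router-to-router set. DES and MD5 are weak by current standards and appear here only to mirror the distinction the text draws; a present-day deployment would use the strongest algorithms the router supports in both sets.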
Extranet VPN
An extranet is an intranet that extends limited access to customers, suppliers, and partners. Extranets
differ from intranets in that they allow access to users outside of the enterprise. By allowing greater
access to the resources that are available to customers, suppliers, and partners, companies with extranet
VPNs can actually improve their customer satisfaction and reduce business costs at the same time.
[Figure 1-2: NAS-initiated access VPN topology. A remote user connects by PPP over the PSTN to the ISP's NAS; the encrypted tunnel runs from the NAS across the Internet to the enterprise. Legend: encrypted tunnel, serial line.]
[Figure 1-3: Intranet VPN topology. Corporate headquarters and a remote office are connected across the Internet. Legend: encrypted tunnel, serial line.]
Figure 1-4 shows the Cisco Secure VPN Client in an extranet VPN topology. Using digital certificates,
clients establish a secure tunnel over the Internet to the enterprise. A certification authority (CA) issues
a digital certificate to each client for device authentication. Telecommuters, remote users, extranet
partners, and remote offices are checked for authentication, then authorized to access information
relevant to their function. While the telecommuters might use static IP addresses, the remote users
might use dynamic IP addresses. Extranet VPNs with the Cisco Secure VPN Client begin coverage in
Chapter 3, “Using Digital Certificates: Business Case Introduction.”
While this solutions guide uses digital certificates to describe an extranet VPN scenario,
it is possible to use digital certificates for device authentication in all types of VPNs.
Client-initiated access VPNs, intranet VPNs, and extranet VPNs all support digital