Client-to-LAN


© 2003, Cisco Systems, Inc. All rights reserved. CSVPN 4.0—5-4

Consider the following scenario. Remote users need to dial into the corporate office and access e-mail, corporate presentations, order entry, and engineering. In addition, Corporate Information Services wants remote users to access corporate resources fast, inexpensively, and as securely as possible.

Implementing a remote-access virtual private network (VPN) with the Cisco VPN 3000 Series Concentrator and the Cisco VPN Software Client is the right choice. It enables remote users to access the corporate resources they require, and Corporate Information Services meets its speed, expense, and security requirements.

Figure: Telecommuter with the Cisco VPN 3000 Series Concentrator Client. Labels: IPSec tunnel or session; IPSec standards; VPN Concentrator.

The Client-to-LAN VPN consists of four components: IPSec client software, Point-to-Point Protocol (PPP), IPSec standards, and the Concentrator.

■ IPSec client software—The IPSec client software is not native to the Microsoft Windows operating system and must be loaded on the PC. It is used to encrypt, authenticate, and encapsulate data. It also terminates one end of the tunnel.

■ PPP—For remote access applications, the PC relies on PPP to establish a physical connection to the local ISP or the Internet.

■ IPSec standards—After the ISP authenticates the remote user, the user launches the IPSec client. IPSec establishes a secure tunnel or session through the Internet to the Concentrator.

■ Concentrator—The Concentrator terminates the opposite end of the tunnel. The Concentrator decrypts, authenticates, and de-encapsulates the data.

Figure: Telecommuter with the Cisco VPN 3000 Series Concentrator Client. Labels: VPN private IP address 10.0.1.5; Client IP address 10.0.1.20; Adapter (NIC) IP address 172.26.26.1.

In the example in the figure, a telecommuter needs to access information on the corporate server, 10.0.1.10. The source address is the virtual IP address of the Software Client, 10.0.1.20. The Concentrator or the Dynamic Host Configuration Protocol (DHCP) server usually supplies it to the Software Client, which gives the Software Client the appearance of being resident on the VPN.

Any data flowing from the server to the Software Client must be protected as it traverses the Internet. Therefore, information flowing between the server and the Software Client is encrypted, authenticated, and encapsulated using the Encapsulating Security Payload (ESP) header to maintain confidentiality and data integrity.

However, this practice presents an issue. If the payload is encapsulated and encrypted, the routers in the Internet are unable to read the source and destination addresses of the packet, and so are unable to route it. To solve this problem, an additional IP header is added to the ESP-encapsulated data. This outside IP header is used to route the information through the network using a routable address: the source address is the address of the network interface card (NIC) of the Software Client, and the destination address is the public interface of the Concentrator. The Software Client-to-server data is therefore sent over the network using an IP-in-IP encapsulation. Upon receipt, the Concentrator strips the outer IP header, decrypts the data, and forwards the packet according to the inside IP address.
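The following is an added example, not code from the Cisco course or the VPN 3000 product, that models the encapsulation just described: the Software Client builds the inner packet from its virtual address 10.0.1.20 to the server 10.0.1.10, protects it with an ESP header, trailer and integrity check value (ICV), and wraps the result in an outer IP header sourced from the NIC address 172.26.26.1; the Concentrator side strips the outer header, verifies and decrypts, and forwards by the inner destination. The Concentrator's public address (192.0.2.1) is an assumed placeholder because the page does not give it; the keys and the HMAC-based keystream cipher are constructed stand-ins for an IKE-negotiated security association and a real ESP cipher such as AES, while the ESP layout (SPI, sequence number, padding, next header = 4 for IP-in-IP) and HMAC-SHA-256-128 ICV follow the ESP specification.

```python
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50          # IP protocol number carried in the outer header for ESP
IPIP_NEXT_HEADER = 4    # ESP next-header value: the protected payload is an IPv4 packet

CLIENT_VPN_ADDR = "10.0.1.20"      # virtual address the Concentrator/DHCP assigned to the client
CORP_SERVER_ADDR = "10.0.1.10"     # corporate server behind the Concentrator
CLIENT_NIC_ADDR = "172.26.26.1"    # routable address of the client's network adapter
CONCENTRATOR_PUBLIC = "192.0.2.1"  # assumed placeholder: Concentrator public interface (not on the page)

# Constructed demo keys; a real SA derives these during IKE negotiation.
ENC_KEY = b"constructed-encryption-key-demo!"
AUTH_KEY = b"constructed-authentication-key!!"
SPI = 0x1000ABCD


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header (0 when verifying a good header)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options, TTL 64) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:]


def keystream(seq: int, length: int) -> bytes:
    """Constructed keystream (HMAC in counter mode) standing in for a real ESP cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, struct.pack("!II", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_encapsulate(inner_pkt: bytes, seq: int) -> bytes:
    """Software Client side: encrypt and authenticate the inner packet, then
    prepend the routable outer IP header (ESP tunnel mode)."""
    pad_len = (-(len(inner_pkt) + 2)) % 4  # trailer aligns plaintext to 4 bytes
    plaintext = inner_pkt + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPIP_NEXT_HEADER])
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(seq, len(plaintext))))
    esp = struct.pack("!II", SPI, seq) + ciphertext
    icv = hmac.new(AUTH_KEY, esp, hashlib.sha256).digest()[:16]  # HMAC-SHA-256-128
    return build_ipv4(CLIENT_NIC_ADDR, CONCENTRATOR_PUBLIC, ESP_PROTO, esp + icv)


def esp_decapsulate(outer_pkt: bytes) -> bytes:
    """Concentrator side: strip the outer header, verify the ICV before decrypting,
    decrypt, drop the trailer and return the inner IP packet. Raises ValueError
    when the packet must be dropped."""
    _src, _dst, proto, esp_and_icv = parse_ipv4(outer_pkt)
    if proto != ESP_PROTO:
        raise ValueError("not an ESP packet")
    esp, icv = esp_and_icv[:-16], esp_and_icv[-16:]
    expected = hmac.new(AUTH_KEY, esp, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")  # tampered or wrong key: drop
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != SPI:
        raise ValueError("unknown SPI")
    plaintext = bytes(a ^ b for a, b in zip(esp[8:], keystream(seq, len(esp) - 8)))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != IPIP_NEXT_HEADER:
        raise ValueError("unexpected next header")
    return plaintext[:-(pad_len + 2)]


def forward_decision(outer_pkt: bytes) -> str:
    """The inside destination the Concentrator forwards the decapsulated packet to."""
    _src, dst, _proto, _payload = parse_ipv4(esp_decapsulate(outer_pkt))
    return dst


def demo():
    """Build one client-to-server packet and its ESP/IP-in-IP wrapping (constructed payload)."""
    inner = build_ipv4(CLIENT_VPN_ADDR, CORP_SERVER_ADDR, 6, b"GET /orders")
    return esp_encapsulate(inner, seq=1), inner


if __name__ == "__main__":
    outer, inner = demo()
    print("outer header:", parse_ipv4(outer)[:3])   # routable NIC -> Concentrator, proto 50
    print("inner header:", parse_ipv4(inner)[:3])   # private 10.0.1.20 -> 10.0.1.10
    print("forward to:", forward_decision(outer))
```

Running the script prints the outer addresses an Internet router sees (172.26.26.1 to 192.0.2.1, protocol 50) and the private addresses that only become visible after the Concentrator has verified and decrypted the packet; flipping any byte of the ciphertext makes `esp_decapsulate` reject the packet before decryption, which is the order ESP mandates.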
