VPN
Configuring Teleworker VPN Client
Cisco ISA500 Series Integrated Security Appliances Administration Guide 370
8
IKE Authentication Method: The VPN client must be properly authenticated
before it can access the remote network. Choose one of the following
authentication methods:
-Pre-shared Key: Choose this option if the IPsec VPN server authenticates
the client with a pre-shared key (a password-like shared secret), and then
enter the following information:
Group Name: Enter the name of the IPsec Remote Access group policy
that is defined on the IPsec VPN server. The security appliance will use
this group policy to establish the VPN connection with the IPsec VPN
server. The IPsec VPN server pushes the security settings over the VPN
tunnel to the security appliance.
Password: Enter the pre-shared key specified in the selected group
policy to establish a VPN connection. The pre-shared key must match
byte for byte (including case and any leading or trailing spaces) here
and on the IPsec VPN server; any difference causes IKE authentication to fail.
-Certificate: Choose this option if the IPsec VPN server authenticates
with digital certificates issued by a third-party Certificate Authority (CA).
Select the certificate that identifies this appliance from the Local
Certificate drop-down list, and select the CA certificate used on the
remote IPsec VPN server from the Peer Certificate drop-down list for
authentication.
NOTE: You must have valid CA certificates imported on your security
appliance before choosing this option. Go to the Device Management >
Certificate Management page to import the CA certificates. See
Managing Certificates for Authentication, page 418.
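Why the pre-shared key has to match exactly, as an added example that is not code from this guide or from Cisco: in IKEv1 the key is never sent or compared directly. Each peer uses it as the key of a PRF to derive SKEYID, and the initiator proves possession by sending HASH_I, which the responder recomputes with the key stored in the group policy (RFC 2409, section 5.4). The model below uses HMAC-SHA1 as the PRF and assumes the group name travels as the initiator identity (ID_KEY_ID) so the server can select the right key; every nonce, cookie, Diffie-Hellman value and SA payload is a constructed stand-in, not data captured from an ISA500.

```python
import hmac
import hashlib

# Added example (not Cisco's code): a stand-alone model of IKEv1 pre-shared-key
# authentication (RFC 2409, section 5.4). The PRF for a SHA-1 proposal is
# HMAC-SHA1. Every value in EXCHANGE is a constructed stand-in for one captured
# exchange, not data from an ISA500.

EXCHANGE = {
    "ni_b":   bytes.fromhex("00112233445566778899aabbccddeeff"),  # initiator nonce
    "nr_b":   bytes.fromhex("ffeeddccbbaa99887766554433221100"),  # responder nonce
    "gxi":    b"\x02" * 128,                                      # initiator DH public value (stand-in)
    "gxr":    b"\x03" * 128,                                      # responder DH public value (stand-in)
    "cky_i":  bytes.fromhex("0123456789abcdef"),                  # initiator cookie
    "cky_r":  bytes.fromhex("fedcba9876543210"),                  # responder cookie
    "sai_b":  bytes.fromhex("00000001000000010000002801010001"),  # SA payload body (stand-in)
    # ID payload body: type 11 = ID_KEY_ID, protocol 0, port 0, then the
    # group name (assumption: the teleworker group name is sent this way).
    "idii_b": bytes([11, 0, 0, 0]) + b"teleworkers",
}


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 PRF for a SHA-1 proposal: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b).

    The key is only ever used as the PRF key, so a single differing byte
    (a trailing space, a changed case) yields an unrelated SKEYID."""
    return prf(psk, ni_b + nr_b)


def hash_i(psk: bytes, ex: dict) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    skeyid = skeyid_psk(psk, ex["ni_b"], ex["nr_b"])
    return prf(skeyid, ex["gxi"] + ex["gxr"] + ex["cky_i"] + ex["cky_r"]
               + ex["sai_b"] + ex["idii_b"])


def responder_accepts(group_policy: dict, ex: dict, received_hash_i: bytes) -> bool:
    """Server side: select the pre-shared key of the group named in IDii,
    recompute HASH_I and compare in constant time. An unknown group name or
    any byte difference in the key produces a mismatch."""
    group = ex["idii_b"][4:].decode("ascii", errors="replace")
    psk = group_policy.get(group)
    if psk is None:
        return False
    return hmac.compare_digest(hash_i(psk, ex), received_hash_i)


def phase1_authenticates(client_psk: bytes, group_policy: dict, ex: dict = EXCHANGE) -> bool:
    """Run the initiator with client_psk against a server holding group_policy."""
    return responder_accepts(group_policy, ex, hash_i(client_psk, ex))


if __name__ == "__main__":
    # Constructed group policy, as it would exist on the IPsec VPN server.
    policy = {"teleworkers": b"c0rrect horse battery staple"}
    cases = {
        "exact copy":     b"c0rrect horse battery staple",
        "trailing space": b"c0rrect horse battery staple ",
        "case changed":   b"C0rrect horse battery staple",
        "wrong key":      b"wrong",
    }
    for label, key in cases.items():
        verdict = "accepted" if phase1_authenticates(key, policy) else "rejected"
        print(f"{label:15s} -> {verdict}")
```

Only the first case is accepted. The practical check when a teleworker tunnel fails at Phase 1 is therefore not to compare keys by eye but to re-enter the key on both sides from the same source, watching for copy-and-paste whitespace and for the group name, since a wrong group selects a different policy and a different key.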
Mode: The operation mode determines whether the inside hosts relative to
the Cisco VPN hardware client are accessible from the corporate network
over the VPN tunnel. Specifying an operation mode is mandatory before
making a VPN connection because the Cisco VPN hardware client does not
have a default mode. For more information about the operation mode, see
Modes of Operation, page 365.
- Choose Client if you want the PCs and other devices on the security
appliance's inside networks to form a private network with private IP
addresses. All traffic from the inside hosts is translated with Network
Address Translation (NAT) and Port Address Translation (PAT) to a single
address assigned by the VPN server, so devices on the corporate network
cannot ping devices on the LAN or reach them directly.
- Choose NEM (Network Extension Mode) if you want the devices
connected to the inside interfaces to have IP addresses that are routable
and reachable by the destination network. The devices at both ends of