Cisco Systems OL-5490-01 VPN Client IPSec Attributes

1-6

VPN Client User Guide for Mac OS X

OL-5490-01

Chapter1 Understanding the VPN Client

VPN Client Features

VPN Client IPSec Attributes

The VPN Client supports the IPSec attributes listed in Table 1- 5.

Split tunneling The ability to simultaneously direct packets over the Internet in

clear text and encrypted through an IPSec tunnel. The VPN device

supplies a list of networks to the VPN Client for tunneled traffic.

You enable split tunneling on the VPN Client and configure the

network list on the VPN device.

Support for Split DNS The ability to direct DNS packets in clear text over the Internet to

domains served through an external DNS (serving your ISP) or

through an IPSec tunnel to domains served by the corporate DNS.

The VPN server supplies a list of domains to the VPN Client for

tunneling packets to destinations in the private network. For

example, a query for a packet destined for corporate.com would go

through the tunnel to the DNS that serves the private network, while

a query for a packet destined for myfavoritesearch.com would be

handled by the ISP's DNS. This feature is configured on the VPN

server (VPN Concentrator) and enabled on the VPN Client by

default. To use Split DNS, you must also have split tunneling

configured.

Table1-4 IPSec Features (continued)

IPSec Feature Description

Table1-5 IPSec Attributes

IPSec Attribute Description

Main Mode and Aggressive

Mode

Ways to negotiate phase one of establishing ISAKMP Security

Associations (SAs)

Authentication algorithms •HMAC (Hashed Message Authentication Coding) with MD5

(Message Digest 5) hash function

•HMAC with SHA-1 (Secure Hash Algorithm) hash function

Authentication Modes •Preshared Keys

•Mutual Group Authentication

•X.509 Digital Certificates

Diffie-Hellman Groups •Group 1 = 768-bit prime modulus

•Group 2 = 1024-bit prime modulus

•Group 5 = 1536 prime modulus

Note See the Cisco VPN Client Administrator Guide for more

information about DH Group 5.

Encryption algorithms •56-bit DES (Data Encryption Standard)

•168-bit Triple-DES

•AES 128-bit and 256-bit

Contents

Main VPN Client User Guide for Mac OS X Page CONTENTS Page Page Page About This Guide Audience Contents Related Documentation Terminology Document Conventions Data Formats Obtaining Documentation Cisco.com Documentation CD-ROM Ordering Documentation Documentation Feedback Obtaining Technical Assistance Cisco.com Technical Assistance Center Cisco TAC Website Cisco TAC Escalation Center Obtaining Additional Publications and Information Understanding the VPN Client Connection Technologies VPN Client Overview VPN Client Features Program Features Page Authentication Features IPSec Features VPN Client IPSec Attributes Page Page Installing the VPN Client Verifying System Requirements Gathering Information You Need Obtaining the VPN Client Software Preconfiguring the VPN Client Preconfiguring the User Profile Preconfiguring the Global Profile Bundling a Root Certificate with the Installation Package for Darwin Installing the VPN Client Authentication Page VPN Client Installation Process Introduction Accepting the License Agreement Selecting the Application Destination Choosing the Installation Type Page Page Page CLI Version Install Script Notes Uninstalling the VPN Client Page Page Navigating the User Interface VPN Client Menu Choosing a Run Mode Operating in Simple Mode VPN Client WindowSimple Mode Main MenusSimple Mode Connection Entries Menu Status Menu Operating in Advanced Mode VPN Client WindowAdvanced Mode Toolbar Action ButtonsAdvanced Mode Main TabsAdvanced Mode Main MenusAdvanced Mode Connection Entries Menu Status Menu Certificates Menu Log Menu Right-Click Menus Connection Entries Tab Right-Click Menu Certificates Tab Right-Click Menu Configuring Connection Entries Creating a Connection Entry Page Authentication Methods Group Authentication Mutual Group Authentication Certificate Authentication Page Transport Parameters Enable Transport Tunneling Transparent Tunneling Mode Allow Local LAN Access Peer Response Timeout Backup Servers Page Page Establishing a VPN Connection Checking Prerequisites Establishing a Connection Page Connecting to a Default Connection Entry Choosing Authentication Methods Shared Key Authentication VPN Group Name and Password Authentication RADIUS Server Authentication SecurID Authentication Using Digital Certificates Enrolling and Managing Certificates Using the Certificate Store Enrolling Certificates Page Page Managing Enrollment Requests Viewing the Enrollment Request Deleting an Enrollment Request Changing the Password on an Enrollment Request Retrying an Enrollment Request Importing a Certificate Viewing a Certificate Page Exporting a Certificate Deleting a Certificate Verifying a Certificate Changing the Password on a Personal Certificate Managing the VPN Client Managing Connection Entries Importing a Connection Entry Modifying a Connection Entry Deleting a Connection Entry Event Logging Enable Logging Clear Logging Set Logging Options Page Opening the Log Window Viewing Statistics Tunnel Details Route Details Notifications Page INDEX A B C D E F G H I K L M N O P Q R S T U V W X