12 User Management
12-26 VPN 3000 Concentrator Series User Guide
Tunnel Type
Click the drop-down menu button and select the type of IPSec tunnel that this group's clients use:
LAN-to-LAN = IPSec LAN-to-LAN connections between two VPN Concentrators (or between a VPN
Concentrator and another protocol-compliant security gateway). See Configuration | System | Tunneling
Protocols | IPSec LAN-to-LAN. If you select this type, ignore the rest of the parameters on this tab.
Remote Access = Remote IPSec client connections to the VPN Concentrator. If you select this type,
configure Remote Access Parameters below.
Remote Access Parameters
These group parameters apply to remote-access IPSec client connections only. If you select Remote
Access for Tunnel Type, configure these parameters.
Group Lock
Check the box to restrict users to remote access through this group only. The IPSec client connects to
the VPN Concentrator via a group name and password, and then the system authenticates a user via a
username and password. If this box is not checked, the system authenticates a user without regard to the
user's assigned group.
Authentication
Click the drop-down menu button and select the user authentication method (authentication server type)
to use with this group's remote-access IPSec clients. This selection identifies the authentication method,
not the specific server. Configure authentication servers on the Configuration | System | Servers |
Authentication screens.
Selecting any authentication method (other than None) enables ISAKMP Extended Authentication, also
known as XAuth.
None = No IPSec user authentication method. If you checked L2TP over IPSec under Tunneling
Protocols, use this selection.
RADIUS = Authenticate users via external Remote Authentication Dial-In User Service.
NT Domain = Authenticate users via external Windows NT Domain system.
SDI = Authenticate users via external RSA Security Inc. SecurID system.
Internal = Authenticate users via internal VPN Concentrator authentication server.
Mode Configuration
Check the box to use Mode Configuration with this group's IPSec clients (also known as the ISAKMP
Configuration Method or Configuration Transaction). This option exchanges configuration parameters
with the client while negotiating Security Associations. If you check this box, configure the desired
Mode Configuration Parameters below; otherwise, ignore them.
To use split tunneling, you must check this box.
If you checked L2TP over IPSec under Tunneling Protocols, do not check this box.
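
The dependencies among the parameters on this tab can be checked mechanically when reviewing group settings. The following is an added example, not part of the original guide and not Cisco code; the GroupIPSec record and its field names are hypothetical, and the sample groups are constructed.

```python
from dataclasses import dataclass


@dataclass
class GroupIPSec:
    # Hypothetical record of one group's settings; not a VPN Concentrator export format.
    name: str
    tunnel_type: str = "Remote Access"  # or "LAN-to-LAN"
    group_lock: bool = False
    authentication: str = "Internal"    # None, RADIUS, NT Domain, SDI or Internal
    mode_config: bool = False
    l2tp_over_ipsec: bool = False       # selected under Tunneling Protocols
    split_tunneling: bool = False       # one of the Mode Configuration Parameters


def audit(g: GroupIPSec) -> list:
    """Return findings where a group's settings conflict with the rules on this tab."""
    if g.tunnel_type == "LAN-to-LAN":
        return []  # the rest of the parameters on the tab are ignored
    findings = []
    if g.l2tp_over_ipsec:
        if g.authentication != "None":
            findings.append("L2TP over IPSec is checked: Authentication must be None")
        if g.mode_config:
            findings.append("L2TP over IPSec is checked: Mode Configuration must be unchecked")
    elif g.authentication == "None":
        findings.append("Authentication is None: XAuth is off, no IPSec user authentication")
    if g.split_tunneling and not g.mode_config:
        findings.append("Split tunneling requires Mode Configuration to be checked")
    if not g.group_lock:
        findings.append("Group Lock is unchecked: user is authenticated without regard to group")
    return findings


# Constructed sample groups for illustration.
SAMPLE_GROUPS = [
    GroupIPSec("branch-l2l", tunnel_type="LAN-to-LAN"),
    GroupIPSec("l2tp-users", group_lock=True, authentication="RADIUS",
               mode_config=True, l2tp_over_ipsec=True),
    GroupIPSec("contractors", split_tunneling=True),
]

if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        for finding in audit(group) or ["no findings"]:
            print(f"{group.name}: {finding}")
```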