12 User Management
12-38 VPN 3000 Concentrator Series User Guide
Maximum Connect Time
Enter this user's maximum connection time in minutes. At the end of this time, the system terminates
the connection. The minimum is 1, and the maximum is 2147483647 minutes (over 4000 years). To
allow unlimited connection time, enter 0.
Filter
Filters consist of rules that determine whether to allow or reject tunneled data packets coming through
the VPN Concentrator, based on criteria such as source address, destination address, and protocol. Cisco
supplies three default filters, which you can modify. To configure filters and rules, see the Configuration
| Policy Management | Traffic Management screens.
Click the drop-down menu button and select the filter to apply to this user:
--None-- = No filter applied, which means there are no restrictions on tunneled data traffic.
Private (Default) = Allow all packets except source-routed IP packets. (This is the default filter for the
private Ethernet interface.)
Public (Default) = Allow inbound and outbound tunneling protocols plus ICMP and VRRP. Allow
fragmented IP packets. Drop everything else, including source-routed packets. (This is the default
filter for the public Ethernet interface.)
External (Default) = No rules applied to this filter. Drop all packets. (This is the default filter for the
external Ethernet interface.)
Additional filters that you have configured also appear on the list.
SEP Card Assignment
The VPN Concentrator can contain up to four SEP (Scalable Encryption Processing) modules that handle
encryption functions, which are compute-intensive. Two SEP modules handle up to 5000 sessions
(users), the system maximum. Two additional modules can provide automatic failover for the first two.
This parameter lets you configure the load on each SEP module.
Check the box to assign this user to a given SEP module. If your system does not have a given SEP
module, the parameter is ignored.
Tunneling Protocols
Check the desired boxes to select the VPN tunneling protocols that this user can use. Configure
parameters on the IPSec or PPTP/L2TP tabs as appropriate. Users can use only the selected protocols.
You cannot check both IPSec and L2TP over IPsec. The IPSec parameters differ for these two protocols,
and you cannot configure a single user for both.
PPTP = Point-to-Point Tunneling Protocol. PPTP is a client-server protocol, and it is popular with
Microsoft clients. Microsoft Dial-Up Networking (DUN) 1.2 and 1.3 under Windows 95/98 support
it, as do versions of Windows NT 4.0 and Windows 2000.
L2TP = Layer 2 Tunneling Protocol. L2TP is a client-server protocol. It combines many features
from PPTP and L2F (Layer 2 Forwarding).
IPSec = IP Security Protocol. IPSec provides the most complete architecture for VPN tunnels, and it
is perceived as the most secure protocol. Both LAN-to-LAN (peer-to-peer) connections and
client-to-LAN connections can use IPSec. The Cisco VPN 3000 Client is an IPSec client