Transparent tunneling allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall, which may also be performing NAT or PAT. Transparent tunneling encapsulates ESP traffic within UDP packets and can also allow both ISAKMP and ESP to be encapsulated in TCP packets before they are sent through the NAT or PAT devices and/or firewalls. The most common application for transparent tunneling is behind a home router performing PAT.
The VPN Client also sends keepalives frequently, ensuring that the port mappings on the NAT or PAT devices are kept active.
Not all devices support multiple simultaneous connections behind them. Some
cannot map additional sessions to unique source ports. Be sure to check with
the device vendor to verify whether this limitation exists. Some vendors
support ESP PAT, also known as IPSec passthrough, which might let the VPN
Client operate without enabling transparent tunneling.
To use
transparent tunneling, the central-site VPN device must be configured to
support it.
This parameter is enabled on the VPN Client by default. To disable this parameter, uncheck the check box. It is recommended to always keep this parameter checked.
Transparent tunneling can be done over UDP or over TCP. The mode used must match that used by the secure gateway to which the VPN Client is connecting. Either mode operates properly through a PAT device. Multiple simultaneous connections might work better with TCP, and if the VPN Client is in an extranet environment, then in general, TCP mode is preferable. UDP does not operate with stateful firewalls, so in this case, TCP should be used.
Using IPSec over UDP (NAT/PAT)
To enable IPSec over UDP (NAT/PAT), click the radio
button. With UDP, the port number is negotiated. UDP is the default mode.
Using IPSec over TCP (NAT/PAT/Firewall)
To enable IPSec over TCP, click the radio button. When using TCP, the port number for TCP must also be entered in the TCP port field. This port number must match the port number configured on the secure gateway. The default port number is 10000.
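The text above describes ESP carried inside UDP, with ISAKMP sharing the same path and periodic keepalives holding the PAT mapping open. The following added example (not part of the Cisco documentation, and not the VPN Client's own code) shows a defender what such a flow looks like at the UDP payload level. It assumes the standard RFC 3948 NAT-T framing: an ESP packet begins with its non-zero SPI, an IKE packet begins with a four-byte all-zero Non-ESP marker followed by the 28-byte ISAKMP header, and a NAT keepalive is a single 0xFF octet. Whether the Cisco transparent-tunneling UDP mode uses exactly this framing is an assumption here; the sample payloads are constructed, not captured.

```python
"""Classify UDP-encapsulated IPsec payloads (added example, RFC 3948 NAT-T framing)."""
import struct
from collections import Counter

# RFC 3948 framing for IKE and ESP sharing one UDP port (assumption: the page's
# UDP mode is modelled with this standard framing):
#   ESP packet    : UDP header | ESP header (SPI, sequence number) | ...
#   IKE packet    : UDP header | 4-byte Non-ESP marker (all zero) | IKE header | ...
#   NAT keepalive : UDP header | single octet 0xFF
# An ESP SPI is never zero, so a zero first word identifies the Non-ESP marker.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
IKE_HEADER = struct.Struct("!QQBBBBII")  # 28-byte ISAKMP/IKE header


def classify_udp_payload(payload: bytes) -> dict:
    """Describe what one UDP payload from a transparent-tunnel flow carries."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "shorter than an ESP header"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER.size:
            return {"kind": "malformed", "reason": "IKE header truncated"}
        ispi, rspi, _next, version, exchange, _flags, msg_id, length = IKE_HEADER.unpack(
            ike[:IKE_HEADER.size])
        return {
            "kind": "ike",
            "initiator_spi": ispi,
            "responder_spi": rspi,
            "major_version": version >> 4,
            "minor_version": version & 0x0F,
            "exchange_type": exchange,
            "message_id": msg_id,
            # The header's Length field must cover the whole IKE message after the marker.
            "length_ok": length == len(ike),
        }
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


def summarize_flow(payloads) -> dict:
    """Count payload kinds for one UDP 5-tuple, as a firewall or IDS review would."""
    return dict(Counter(classify_udp_payload(p)["kind"] for p in payloads))


# Constructed sample payloads (not captured traffic).
SAMPLE_KEEPALIVE = NAT_KEEPALIVE
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16
# IKEv2 IKE_SA_INIT header only: version 2.0, exchange type 34, Length 28.
SAMPLE_IKE = NON_ESP_MARKER + IKE_HEADER.pack(
    0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER.size)
SAMPLE_FLOW = [SAMPLE_IKE, SAMPLE_ESP, SAMPLE_ESP, SAMPLE_KEEPALIVE]

if __name__ == "__main__":
    for p in SAMPLE_FLOW:
        print(classify_udp_payload(p))
    print(summarize_flow(SAMPLE_FLOW))
```

Run against a flow logged for one client, the summary separates the expected mix (one or a few IKE exchanges, a steady stream of ESP, and one-byte keepalives) from truncated or non-IPsec payloads on the same port, which is the check worth having when a stateful firewall is in the path.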
Allowing Local LAN Access
In a multiple-NIC configuration, Local LAN access pertains only to network traffic on the interface on which the tunnel was established. The Allow Local LAN Access parameter gives the remote user access to the resources on their local LAN when they are connected through a secure gateway to a central-site VPN device. The resources could include printers, fax machines, shared files, or other systems. When this parameter is enabled and the central site is configured to permit it, remote users can access local resources while connected. When this parameter is disabled, all traffic from the Client system goes through the IPSec connection to the secure gateway.
To enable this feature, check Allow Local LAN Access. To
disable it, uncheck the check box. If the local LAN that the remote user is on
is not secure, this feature should be disabled. For example, this feature would
be disabled when the local LAN is in a hotel or airport.
A network administrator at the central site configures a list of networks at the Client side that the remote users can access. Remote users can access up to 10 networks when this feature is enabled. When Allow Local LAN Access is enabled and the VPN Client is connected to a central site, all traffic from the remote system goes through the IPSec tunnel except traffic to the networks excluded from doing so, as configured in the network list.
When this
feature is enabled and configured on the VPN Client and permitted on the
central-site VPN device, the remote user can see a list of the local LANs
available by looking at the Routes table in the VPN Client statistics.
To display the Routes table, use the following procedure:
Step 1 Display the Status menu and choose Statistics.
Step 2 Choose Route Details from the Statistics dialog box.
The routes table shows local LAN routes, which do
not traverse the IPSec tunnel, and secured routes, which do traverse an IPSec
tunnel to a central-site device. The routes in the local LAN routes column are
for locally available resources.
NOTE: This feature works only on one NIC card, the same NIC card as the tunnel.
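The Local LAN Access passages above describe a split-routing decision: with the feature enabled on the client and permitted by the central site, destinations in the administrator's network list (at most 10) stay on the local LAN of the NIC that carries the tunnel, and everything else is a secured route through the IPSec tunnel. The added example below (not Cisco's code, and not taken from this documentation) models that decision and the two columns of the Routes table. The ClientState fields, the rule that a listed network counts as local only when it lies on the tunnel NIC's subnet, and the sample home and hotel configurations are assumptions constructed for the illustration.

```python
"""Model of the Allow Local LAN Access routing decision (added example)."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

MAX_LOCAL_LAN_NETWORKS = 10   # limit on the central-site network list (from the page)
DEFAULT_ROUTE = ip_network("0.0.0.0/0")


@dataclass
class ClientState:
    """Hypothetical client state; field names are this example's, not the product's."""
    allow_local_lan_access: bool           # the Allow Local LAN Access check box
    central_site_permits: bool             # the central-site device must also permit it
    tunnel_interface: str                  # NIC on which the tunnel was established
    interfaces: Dict[str, IPv4Network]     # directly connected network per NIC
    admin_network_list: List[IPv4Network]  # networks pushed by the central-site admin


def build_routes_table(state: ClientState) -> Tuple[List[IPv4Network], List[IPv4Network]]:
    """Return (local_lan_routes, secured_routes), the two columns of the Routes table."""
    secured = [DEFAULT_ROUTE]   # everything not excluded traverses the IPsec tunnel
    local: List[IPv4Network] = []
    if not (state.allow_local_lan_access and state.central_site_permits):
        return local, secured   # feature off: all traffic goes to the secure gateway
    if len(state.admin_network_list) > MAX_LOCAL_LAN_NETWORKS:
        raise ValueError(f"at most {MAX_LOCAL_LAN_NETWORKS} local LAN networks are supported")
    tunnel_net = state.interfaces[state.tunnel_interface]
    for net in state.admin_network_list:
        # Modelling assumption: a listed network becomes a local LAN route only when
        # it lies on the NIC the tunnel uses; networks reachable only via another NIC
        # stay behind the tunnel (the one-NIC restriction in the NOTE).
        if net.subnet_of(tunnel_net):
            local.append(net)
    return local, secured


def route_destination(dest: str, local: List[IPv4Network],
                      secured: List[IPv4Network]) -> str:
    """Longest-prefix match over both columns; returns 'local LAN' or 'secured'."""
    addr: IPv4Address = ip_address(dest)
    matches = [(n.prefixlen, "local LAN") for n in local if addr in n]
    matches += [(n.prefixlen, "secured") for n in secured if addr in n]
    # The default route always matches, so the list is never empty; on a tie the
    # local LAN entry listed first wins.
    return max(matches, key=lambda m: m[0])[1]


# Constructed sample configurations (not from any real deployment).
HOME_CLIENT = ClientState(
    allow_local_lan_access=True,
    central_site_permits=True,
    tunnel_interface="wifi0",
    interfaces={"wifi0": ip_network("192.168.1.0/24"),
                "eth1": ip_network("10.10.0.0/24")},
    admin_network_list=[ip_network("192.168.1.0/24"), ip_network("10.10.0.0/24")],
)
# Hotel or airport LAN: the page recommends leaving the check box cleared.
HOTEL_CLIENT = replace(HOME_CLIENT, allow_local_lan_access=False)
# Eleven /28 networks exceed the documented limit of 10.
TOO_MANY_CLIENT = replace(
    HOME_CLIENT,
    admin_network_list=[ip_network(f"192.168.1.{16 * i}/28") for i in range(11)])

if __name__ == "__main__":
    local, secured = build_routes_table(HOME_CLIENT)
    print("local LAN routes:", [str(n) for n in local])
    print("secured routes:  ", [str(n) for n in secured])
    for dest in ("192.168.1.50", "10.10.0.5", "172.16.5.9"):
        print(dest, "->", route_destination(dest, local, secured))
```

With the feature enabled, the printer at 192.168.1.50 on the tunnel NIC is a local LAN route, while 10.10.0.0/24 is dropped from the local column because it sits on the other NIC, so both it and the corporate address go through the tunnel. With the check box cleared, as on the hotel LAN, the local column is empty and every destination is a secured route.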