Configure Easy VPN Remote for the Cisco VPN Client 4.x
Task 4 – configure transparent tunneling

Transparent tunneling allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall, which may also be performing NAT or PAT. Transparent tunneling encapsulates ESP traffic within UDP packets and can also allow both ISAKMP and ESP to be encapsulated in TCP packets before they are sent through the NAT or PAT devices and/or firewalls. The most common application for transparent tunneling is behind a home router performing PAT.

The VPN Client also sends keepalives frequently, ensuring that the mappings on the devices are kept active.

Not all devices support multiple simultaneous connections behind them. Some cannot map additional sessions to unique source ports. Be sure to check with the device vendor to verify whether this limitation exists. Some vendors support ESP PAT, also known as IPSec passthrough, which might let the VPN Client operate without enabling transparent tunneling.

To use transparent tunneling, the central-site VPN device must be configured to support it.

This parameter is enabled on the VPN Client by default. To disable this parameter, uncheck the check box. It is recommended to always keep this parameter checked.

Transparent tunneling can be done over UDP or over TCP. The mode used must match that used by the secure gateway to which the VPN Client is connecting. Either mode operates properly through a PAT device. Multiple simultaneous connections might work better with TCP, and if the VPN Client is in an extranet environment, then in general, TCP mode is preferable. UDP does not operate with stateful firewalls, so in this case, TCP should be used.

Using IPSec over UDP (NAT/PAT)
To enable IPSec over UDP (NAT/PAT), click the radio button. With UDP, the port number is negotiated. UDP is the default mode.

Using IPSec over TCP (NAT/PAT/Firewall)
To enable IPSec over TCP, click the radio button. When using TCP, the port number for TCP must also be entered in the TCP port field. This port number must match the port number configured on the secure gateway. The default port number is 10000.

Allowing Local LAN Access
In a multiple-NIC configuration, Local LAN access pertains only to network traffic on the interface on which the tunnel was established. The Allow Local LAN Access parameter gives the remote user access to the resources on their local LAN when they are connected through a secure gateway to a central-site VPN device. The resources could include printers, fax machines, shared files, or other systems. When this parameter is enabled and the central site is configured to permit it, remote users can access local resources while connected. When this parameter is disabled, all traffic from the Client system goes through the IPSec connection to the secure gateway.

To enable this feature, check Allow Local LAN Access. To disable it, uncheck the check box. If the local LAN that the remote user is on is not secure, this feature should be disabled. For example, this feature would be disabled when the local LAN is in a hotel or airport.

A network administrator at the central site configures a list of networks at the Client side that the remote users can access. Remote users can access up to 10 networks when this feature is enabled. When Allow Local LAN Access is enabled and the VPN Client is connected to a central site, all traffic from the remote system goes through the IPSec tunnel except traffic to the networks excluded from doing so, as configured in the network list.

When this feature is enabled and configured on the VPN Client and permitted on the central-site VPN device, the remote user can see a list of the local LANs available by looking at the Routes table in the VPN Client statistics.

To display the Routes table, use the following procedure:

Step 1 Display the Status menu and choose Statistics.
Step 2 Choose Route Details from the Statistics dialog box.

The routes table shows local LAN routes, which do not traverse the IPSec tunnel, and secured routes, which do traverse an IPSec tunnel to a central-site device. The routes in the local LAN routes column are for locally available resources.

NOTE:

This feature works only on one NIC card, the same NIC card as the tunnel.
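The routing decision the Local LAN Access section describes (everything through the tunnel except destinations in the administrator's exclusion list, at most 10 networks, honoured only when both the client setting and the central site permit it, and only on the NIC that carries the tunnel) is modelled below as an added example. It is not code from the Cisco VPN Client; the class, function names and the sample network list are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Limit stated in the documentation: up to 10 excluded local networks.
MAX_LOCAL_LAN_NETWORKS = 10


def within_limit(networks):
    """True if the administrator's network list respects the 10-network cap."""
    return len(networks) <= MAX_LOCAL_LAN_NETWORKS


@dataclass
class LocalLanPolicy:
    """Client-side model (hypothetical) of the Allow Local LAN Access decision."""
    enabled: bool                 # state of the "Allow Local LAN Access" check box
    permitted_by_gateway: bool    # the central-site VPN device must also permit it
    tunnel_nic: str               # interface on which the IPSec tunnel was established
    excluded_networks: list = field(default_factory=list)  # admin-configured list

    def __post_init__(self):
        if not within_limit(self.excluded_networks):
            raise ValueError("at most %d local LAN networks are allowed"
                             % MAX_LOCAL_LAN_NETWORKS)
        # Normalise the list to network objects so membership tests work below.
        self.excluded_networks = [ipaddress.ip_network(n, strict=False)
                                  for n in self.excluded_networks]

    def active(self):
        """The feature only takes effect when both sides allow it."""
        return self.enabled and self.permitted_by_gateway

    def route_for(self, dst, nic):
        """Return 'local' if dst bypasses the tunnel, otherwise 'tunnel'.

        Assumption: traffic on any NIC other than the tunnel NIC is never
        covered by the local LAN exemption, matching the one-NIC note above.
        """
        if not self.active() or nic != self.tunnel_nic:
            return "tunnel"
        dst_ip = ipaddress.ip_address(dst)
        for net in self.excluded_networks:
            if dst_ip in net:          # mismatched IP versions simply do not match
                return "local"
        return "tunnel"

    def routes_table(self):
        """Mimic the Route Details view: local LAN routes vs secured routes."""
        local = [str(n) for n in self.excluded_networks] if self.active() else []
        # With the feature off, all traffic is a secured route to the gateway.
        return {"local_lan_routes": local, "secured_routes": ["0.0.0.0/0"]}


if __name__ == "__main__":
    # Constructed sample: a home LAN and a lab network excluded by the admin.
    policy = LocalLanPolicy(enabled=True, permitted_by_gateway=True,
                            tunnel_nic="eth0",
                            excluded_networks=["192.168.1.0/24", "10.10.0.0/16"])
    for dst, nic in [("192.168.1.20", "eth0"), ("172.16.5.5", "eth0"),
                     ("192.168.1.20", "wlan0")]:
        print(dst, "via", nic, "->", policy.route_for(dst, nic))
    print(policy.routes_table())
```

Running the block prints the decision for three constructed destinations: the printer on 192.168.1.0/24 reached over the tunnel NIC stays local, a corporate address goes through the tunnel, and the same printer address on a second NIC is not exempted. Disabling either side of the policy (the check box or the central-site permission) collapses every decision to "tunnel", which is the safe default the text recommends on untrusted LANs such as hotels or airports.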