Using Remote Access VPN

This section explains how to use a VPN tunnel to connect a client-based remote computer to an internal network. For more about using Mobile Access to connect remote devices to internal resources, see Remote Access to the Network.

Note - For each VPN gateway, you must configure an existing gateway as a default gateway.

VPN Connectivity Modes

The IPsec VPN Software Blade lets the Firewall overcome connectivity challenges for remote clients. Use VPN connectivity modes to make sure that remote users can connect to the VPN tunnels. These are some examples of connectivity challenges:

• The IP addresses of a remote access client might be unknown
• The remote access client can be connected to a hotel LAN with internal IP addresses
• It is necessary for the remote client to use protocols that are not supported

Office Mode

Remote users can be assigned the same or non-routable IP addresses from the local ISP. Office Mode solves these routing problems and encapsulates the IP packets with an available IP address from the internal network. Remote users can send traffic as if they are in the office and do not have VPN routing problems.

Visitor Mode

Remote users can be restricted to use HTTP and HTTPS traffic only. Visitor Mode lets these users tunnel all protocols with a regular TCP connection on port 443.

Sample Remote Access VPN Workflow

Use SmartDashboard to enable and configure the Security Gateway for remote access VPN connections. Then add the remote user information to the Security Management Server: create and configure an LDAP Account Unit or enter the information in the SmartDashboard user database. You can also configure the Firewall to authenticate the remote users. Define the Firewall access control and encryption rules. Create the LDAP group or user group object that is used for the Firewall rules. Then create and configure the encryption settings for the VPN community object. Add the access rules to the Firewall Rule Base to allow VPN traffic to the internal networks.

		Enable remote access VPN
Configure LDAP Account Unit	LDAP	Manage Users?	Smart Dashboard	Configure users in SmartDashboard database
Configure user authentication				Configure user authentication
Create LDAP user group object		Create VPN Community		Create user group object
		Configure rules for VPN access in Firewall Rule Base
		Install policy

IPv6 Support and Limitations

This release includes limited IPv6 support for IPsec VPN communities:

• IPv6 is supported for Site to Site VPN only (Main IP to Main IP). The Main IP address for both Security Gateways must be defined as an IPv6 Address. You can define other IP addresses that are IPv4 or IPv6.
• IPv6 supports IKEv2 encryption only. IKEv2 is automatically always used for IPv6 traffic. The encryption method configuration applies to IPv4 traffic only.
• VPN tunneling only supports IPv4 inside an IPv4 tunnel, and IPv6 inside an IPv6 tunnel. IPv4 traffic inside an IPv6 tunnel is not supported.

These VPN features are not supported for IPv6:

• VSX
• Remote Access VPN
• CRL fetch for the internal Certificate Authority
• Multiple Entry Points (MEP)
• Route-based VPN (VTI)
• Wire Mode VPN
• Gateways with a dynamic IP address.
• Route Injection Mechanism (RIM)
• Traditional mode Firewall Policies
• IKE Denial of Service protection
• IKE Aggressive Mode
• Gateways with Dynamic IP addresses
• Traditional Mode VPN
• Migration from Traditional mode to Simplified mode
• Tunnel Management (permanent tunnels)
• Directional VPN Enforcement
• Link Selection
• GRE Tunnels
• Tunnel View in SmartView Monitor
• VPN Overview page
• vpn_route.conf configuration file