

Foundry AR-Series Router User Guide, page 15-2
© 2004 Foundry Networks, Inc. June 2004

Securing Remote Access Using IPSec VPN

These features let an administrator form a secure tunnel that joins two private networks over the Internet. The
following examples show how to set up an end-to-end tunnel with a single proposal and pre-shared key
authentication, with multiple proposals and pre-shared key authentication, and with an SA bundle and pre-shared
key authentication.

The corporate network no longer has a clearly defined perimeter inside secure buildings and locked equipment
closets. Increasingly, companies need to provide remote access to corporate resources for employees on the
move.

Traditionally, remote users reached the corporate LAN over dial-up and ISDN lines that terminated on the
corporate remote access servers. These point-to-point connection technologies do not scale well to a growing
number of remote users: each additional user drives up infrastructure investment and maintenance costs.

A solution that meets the needs of a growing number of remote users while controlling access costs is to
provide remote access over the Internet using firewalls and a Virtual Private Network (VPN). Internet Protocol
Security (IPSec) protects the connection: it authenticates the peers and encrypts and integrity-protects the
traffic between them, so unauthorized users can neither read the traffic nor join the connection.

In a typical IPSec remote access scenario, the mobile user has Internet connectivity and an IPSec VPN client
installed on their PC. The remote user connects to the Internet through their Internet service provider and then
initiates a VPN connection to the IPSec security gateway (the VPN server) at the corporate office, which typically
sits on an always-on Internet connection.

One of the main difficulties in providing remote access is that the typical remote user connects with a dynamically
assigned IP address provided by the ISP. IPSec normally uses the peer's IP address as the index for selecting the
Internet Key Exchange (IKE) and IPSec policies to negotiate with that peer. When the VPN client has a dynamic
IP address, the VPN server cannot look up policies by the client's IP address, because that address is not known
in advance and changes from session to session. Instead, the VPN server uses the identity that the VPN client
presents during IKE to look up the policies.

Access Methods

Foundry supports two types of IPSec remote access using VPNs.

Remote Access: User Group

One method of achieving IPSec remote access on Foundry routers is the user group method. In this method, the
administrator creates an IKE policy for a logical group of users, such as a department in an organization. Each
user in the group is identified by unique identity information configured in the IKE policy. An IPSec template is
also attached to the user group.

Once the VPN user has been authenticated by IKE, the user's dynamically assigned IP address is written into the
destination address field of the IPSec template attached to the user group. The VPN user now has the required
IPSec policy, which allows access through the gateway to the corporate LAN.

Remote Access: Mode Configuration

The other method to achieve IPSec remote access in Foundry is the mode configuration method.

This method makes the VPN client an extension of the LAN it is accessing. To that LAN, the remote client
appears as a node of the network reaching resources behind the VPN server.

The VPN server allocates a private IP address to the VPN client, and the client uses this address as the source
IP address in the inner IP header in tunnel mode.
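The following Python model is an added example, not code from the Foundry manual or from Foundry's implementation. It puts the two access methods described above side by side: policy lookup keyed on the IKE identity rather than on the peer's dynamic address, instantiation of the user group's IPSec template with the client's current ISP address, and mode configuration handing the client a private address that becomes the inner source. Every name in it (Gateway, UserGroup, IPsecTemplate, IPsecPolicy), the sample group, users, keys and addresses, and the HMAC "proof" standing in for IKE pre-shared-key authentication are constructed assumptions for illustration.

```python
"""Toy model of IPsec remote-access policy selection on a security gateway.
Added illustration, not Foundry code: class names, the sample group, users,
keys, addresses and the HMAC "proof" that stands in for IKE pre-shared-key
authentication are all constructed for this example."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class IPsecTemplate:         # attached to a user group; peer address left open
    local_net: ipaddress.IPv4Network     # protected corporate LAN
    transform: str                       # constructed label, e.g. "esp-aes-sha1"

@dataclass
class UserGroup:             # IKE policy for a logical group of users
    name: str
    members: dict                        # unique IKE identity -> pre-shared key
    template: IPsecTemplate

@dataclass(frozen=True)
class IPsecPolicy:           # template instantiated for one authenticated peer
    local_net: ipaddress.IPv4Network
    peer_addr: ipaddress.IPv4Address     # outer tunnel endpoint (ISP address)
    inner_src: ipaddress.IPv4Address     # source the LAN sees in the inner header
    transform: str

def client_proof(psk: bytes, nonce: bytes, ike_id: str) -> bytes:
    """Simplified stand-in for the IKE PSK authenticator (HMAC over the
    gateway's nonce and the client's identity); real IKE derives keys from
    the PSK and authenticates a hash of the whole exchange."""
    return hmac.new(psk, nonce + ike_id.encode(), hashlib.sha256).digest()

class Gateway:
    def __init__(self, groups, mode_config_pool):
        self.by_identity = {i: g for g in groups for i in g.members}
        self.pool = list(ipaddress.ip_network(mode_config_pool).hosts())
        self.leases = {}                 # ike_id -> private address handed out
        self.static_peers = {}           # fixed-address (site-to-site) peers only

    def authenticate(self, ike_id, nonce, proof):
        """Policy lookup keyed on IKE identity: the source address is useless
        as a key because it changes every time the user connects."""
        group = self.by_identity.get(ike_id)
        if group is None:
            return None
        expected = client_proof(group.members[ike_id], nonce, ike_id)
        return group if hmac.compare_digest(expected, proof) else None

    def select_policy(self, src_ip, ike_id, nonce, proof, mode_config=False):
        src = ipaddress.ip_address(src_ip)
        if src in self.static_peers:     # address-indexed lookup: fixed peers only
            return self.static_peers[src]
        group = self.authenticate(ike_id, nonce, proof)
        if group is None:
            raise PermissionError(f"IKE authentication failed for {ike_id!r}")
        tmpl = group.template
        if mode_config:
            # Mode configuration: assign a private address from the pool; the
            # client uses it as inner source, so it looks like a host on the LAN.
            if ike_id not in self.leases:
                self.leases[ike_id] = self.pool.pop(0)
            inner = self.leases[ike_id]
        else:
            # User group: the client's current ISP address is written into the
            # template's destination field, so the policy follows the user.
            inner = src
        return IPsecPolicy(tmpl.local_net, src, inner, tmpl.transform)

# Constructed sample configuration: one group, two users, and a mode-config
# pool carved out of the corporate LAN so assigned addresses route internally.
ENGINEERING = UserGroup(
    "engineering",
    {"alice@example.com": b"alice-psk-1", "bob@example.com": b"bob-psk-2"},
    IPsecTemplate(ipaddress.ip_network("10.10.0.0/16"), "esp-aes-sha1"),
)
GATEWAY = Gateway([ENGINEERING], "10.10.250.0/24")
NONCE = b"constructed-nonce"

def demo():
    """Alice connects twice from different ISP addresses (user group method);
    Bob connects once with mode configuration."""
    alice = client_proof(b"alice-psk-1", NONCE, "alice@example.com")
    bob = client_proof(b"bob-psk-2", NONCE, "bob@example.com")
    p1 = GATEWAY.select_policy("203.0.113.7", "alice@example.com", NONCE, alice)
    p2 = GATEWAY.select_policy("198.51.100.9", "alice@example.com", NONCE, alice)
    p3 = GATEWAY.select_policy("198.51.100.9", "bob@example.com", NONCE, bob,
                               mode_config=True)
    return p1, p2, p3

if __name__ == "__main__":
    for policy in demo():
        print(policy)
```

Running demo() shows the point of each method: Alice's second connection from a different ISP address yields a policy whose peer address has changed without any configuration change on the gateway, because the lookup was keyed on her IKE identity; Bob's mode-config policy carries an inner source taken from the pool inside the corporate LAN, while the outer tunnel endpoint remains his ISP address. A wrong pre-shared key or an unknown identity raises PermissionError before any policy is instantiated, so no template is ever populated with an unauthenticated peer's address.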

Foundry/configure# system licenses advance_vpn

Enter Security Upgrade License key: 024f3bc296b4ea7265
