Black Box LR1102A-T1/E1 Network Router User Manual


14 Remote Access VPNs
14.1 Secure Remote Access Using IPSec VPN
The corporate network no longer has a clearly defined perimeter inside secure buildings and locked equipment closets.
Increasingly, companies need to provide remote access to their corporate resources for employees on the move.
Traditionally, remote users could access the corporate LAN through dial-up and ISDN lines that were terminated in
the corporate remote access servers. However, these point-to-point connection technologies do not scale well to the
growing number of remote users and the corresponding increase in infrastructure investment and maintenance
costs.
A solution to meeting the needs of increasing numbers of remote users and for controlling access costs is to provide
remote access through the Internet using firewalls and a Virtual Private Network (VPN). Internet Protocol Security
(IPSec) keeps the connection safe from unauthorized users.
In a typical IPSec remote access scenario, the mobile user has connectivity to the Internet and an IPSec VPN client loaded
on their PC. The remote user connects to the Internet through their Internet service provider and then initiates a VPN
connection to the IPSec security gateway (the VPN server) of the corporate office, which typically has an always-on
Internet connection.
One of the main limitations in providing remote access is that the typical remote user connects with a dynamically assigned
IP address provided by the ISP. IPSec uses the IP address of a user as the index for selecting the Internet Key Exchange (IKE)
and IPSec policies to be used for negotiation with that peer. When the VPN client has a dynamic IP address, the VPN
server cannot look up the policies by the IP address of the client. Instead, the VPN server uses the identity of the
VPN client to look up the policies.
14.2 Access Methods
Black Box supports two types of IPSec remote access using VPNs.
14.2.1 Remote Access: User Group
One of the methods to achieve IPSec remote access in Black Box is the user group method. In this method, the
administrator creates an IKE policy for a logical group of users, such as a department in an organization. Each user in
the group is identified by unique information configured for that user in the IKE policy. Also, an IPSec template is
attached to the user group.
Once the VPN user is authenticated using IKE, the user's dynamically assigned IP address is added to the destination
address field in the IPSec template attached to the user group. The VPN user now has the required IPSec policy that
allows access through the gateway to the corporate LAN.
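The following Python model is an added illustration of the two mechanisms described above (policy selection by identity instead of by IP address in section 14.1, and the user group method in section 14.2.1); it is not code from the Black Box router or its manual. It keeps a table of static peers indexed by IP address next to a list of user-group IKE policies indexed by IKE identity, and after a successful identity check it instantiates the group's IPsec template by filling in the peer's dynamic address. The class names, the group, the identities, the subnets and the pre-shared secrets are all constructed for the example; the "transform" string is only a label and no real IKE exchange or cryptography is performed.

```python
"""Model of IPsec policy selection for remote-access peers with dynamic IP addresses.

Constructed example: static peers are indexed by IP address (the classic IPsec index),
remote users are indexed by IKE identity through a user group whose IPsec template has
its destination filled in only after the user authenticates.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional
import hmac
import ipaddress


@dataclass(frozen=True)
class IPsecTemplate:
    """IPsec policy template attached to a user group. The destination address is
    left empty in the template and filled in per user after IKE authentication."""
    name: str
    protected_subnet: str      # corporate LAN reachable through the gateway
    transform: str             # illustrative label only, e.g. "esp-aes256-sha256"
    destination: Optional[str] = None


@dataclass
class UserGroupIkePolicy:
    """One IKE policy per logical group of users; each member has unique identity data."""
    group: str
    template: IPsecTemplate
    members: Dict[str, bytes] = field(default_factory=dict)  # IKE identity -> pre-shared secret


class RemoteAccessGateway:
    """Hypothetical VPN server holding both kinds of policy index."""

    def __init__(self) -> None:
        self._by_address: Dict[str, IPsecTemplate] = {}   # static peers, indexed by IP
        self._groups: List[UserGroupIkePolicy] = []       # user groups, indexed by identity
        self.active: Dict[str, IPsecTemplate] = {}        # identity -> instantiated policy

    def add_static_peer(self, peer_ip: str, policy: IPsecTemplate) -> None:
        ipaddress.ip_address(peer_ip)  # reject malformed addresses early
        self._by_address[peer_ip] = replace(policy, destination=peer_ip)

    def add_group(self, group: UserGroupIkePolicy) -> None:
        self._groups.append(group)

    def lookup_by_address(self, peer_ip: str) -> Optional[IPsecTemplate]:
        """Classic IPsec policy selection: the peer's IP address is the index.
        A dynamically assigned address is never in this table, so it returns None."""
        return self._by_address.get(peer_ip)

    def _find_group(self, identity: str) -> Optional[UserGroupIkePolicy]:
        for group in self._groups:
            if identity in group.members:
                return group
        return None

    def authenticate(self, peer_ip: str, identity: str, secret: bytes) -> Optional[IPsecTemplate]:
        """User group method: select the policy by IKE identity, verify the peer,
        then instantiate the group's IPsec template with the peer's dynamic address."""
        ipaddress.ip_address(peer_ip)
        group = self._find_group(identity)
        if group is None:
            return None                      # unknown identity: no policy, no tunnel
        if not hmac.compare_digest(group.members[identity], secret):
            return None                      # constant-time comparison of the shared secret
        policy = replace(group.template, destination=peer_ip)
        self.active[identity] = policy       # a reconnect from a new address replaces this
        return policy


def build_demo_gateway() -> RemoteAccessGateway:
    """Constructed sample configuration; all names, subnets and secrets are made up."""
    gw = RemoteAccessGateway()
    gw.add_static_peer("203.0.113.10",
                       IPsecTemplate("branch-office", "10.0.0.0/8", "esp-aes256-sha256"))
    engineering = UserGroupIkePolicy(
        group="engineering",
        template=IPsecTemplate("engineering-tmpl", "10.0.0.0/8", "esp-aes256-sha256"),
        members={"alice@example.com": b"alice-demo-secret",
                 "bob@example.com": b"bob-demo-secret"},
    )
    gw.add_group(engineering)
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.lookup_by_address("198.51.100.7"))   # None: a dynamic address is not an index
    print(gw.authenticate("198.51.100.7", "alice@example.com", b"alice-demo-secret"))
```

Running the module shows the two lookups side by side: the address-indexed lookup fails for a dynamic client address, while the identity-indexed path returns the group's template with `destination` set to whatever address the user happens to have on that connection. The same identity reconnecting from a different address simply produces a fresh instantiated policy, which is the property that makes the user group method workable for ISP-assigned addresses.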