Remote Worker VPN configuration

Greg Dickinson
Level 1

Hi everyone,

I've got what I consider to be an interesting problem and want to see if someone else has run across this and might have some feedback.

We have a number of "work at home" users, actually around 15% of our total workforce all told.  For our users that need a corporate phone number we provide them a low-end router (an 871) and a 7942 handset along with their workstation, and set up a VPN tunnel between our router and the ASA 5520 back at the datacenter.  Right now we are using the default "dynamic" crypto-map, since these are on home internet connections that for the most part don't have static IP addresses.  

The issue arises when one of these users leaves the company, especially if it's "not voluntary", shall we say :)  We would like to be able to terminate their VPN tunnel without killing *all* the connections.  Right now since they're all using the "default" crypto-map this isn't possible.  Is there a configuration that would allow me to uniquely identify a specific tunnel and block it from connecting?

1 Reply

Philip D'Ath
VIP Alumni

You could use EasyVPN.  The ASA would be the server, and the 871s would be the clients.

Authenticate each client using a username and password.  You can use a local username/password on the ASA, or a RADIUS server.

Either way, when the person leaves, delete/disable the account.

Another option is to enable the ASA certificate server.  Issue a certificate to each remote device, and use RSA/certificate authentication.  If a person leaves then revoke the certificate on the ASA.
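
The username-per-device approach from the reply above, sketched as an ASA configuration fragment. This is an added example, not part of the original thread; the group, policy and account names and the bracketed secrets are placeholders, and exact keywords vary by ASA software release.

```text
! --- One shared EasyVPN group for all home-office 871s (names are placeholders) ---
group-policy RemoteWorkers internal
group-policy RemoteWorkers attributes
 nem enable
!
tunnel-group RemoteWorkers type remote-access
tunnel-group RemoteWorkers general-attributes
 default-group-policy RemoteWorkers
 authentication-server-group LOCAL
tunnel-group RemoteWorkers ipsec-attributes
 pre-shared-key <GROUP-PSK>
!
! --- One XAUTH account per remote router, so every tunnel has its own identity ---
username rw-jsmith password <UNIQUE-SECRET-1>
username rw-jsmith attributes
 vpn-group-policy RemoteWorkers
 group-lock value RemoteWorkers
!
username rw-gdoe password <UNIQUE-SECRET-2>
username rw-gdoe attributes
 vpn-group-policy RemoteWorkers
 group-lock value RemoteWorkers
!
! --- Offboarding rw-gdoe only; every other tunnel stays up ---
! 1. Block new logins for the account (or remove it with "no username rw-gdoe")
username rw-gdoe attributes
 vpn-simultaneous-logins 0
! 2. Tear down the session that is currently established
vpn-sessiondb logoff name rw-gdoe noconfirm
! 3. Confirm that no session remains for that account
show vpn-sessiondb remote filter name rw-gdoe
```

With RADIUS instead of LOCAL, step 1 becomes disabling the account on the RADIUS server; the session logoff in step 2 is still needed because an established tunnel is not re-authenticated until it rekeys or reconnects.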