08-15-2014 06:25 AM
I am working in the lab on a small-scale setup in which a client PC establishes an IPsec VPN with a Cisco 1921 router. I have two questions in this regard.
(1) For wireless client PCs, is using an IPsec VPN client the best possible option, or should I prefer other options? The wireless clients also use a RADIUS server for authentication.
(2) I want to ensure that no other traffic can access or pass the LAN interface other than the client VPN traffic. What do I need to configure on the router to ensure that no other traffic can pass other than the VPN traffic?
08-16-2014 12:13 AM
First: The actual IPsec VPN client is AnyConnect. The VPN gateway config for AnyConnect (especially for IPsec) on the IOS router is much harder than it is on the ASA. If you still have the possibility to change the gateways, then go for an ASA. It's also much cheaper from a license perspective, as there is no AnyConnect Essentials license for the router. The traditional Cisco VPN Client is EOL and you shouldn't start a new deployment based on that.
Your questions:
(1) All VPN users have to be authenticated somehow. Sending the authentication request to a central directory is a best practice and usually done with RADIUS. In addition to the authentication you can also perform an authorization to control which rights a VPN user gets.
(2) If you only want to allow IPsec traffic, you need to configure an access-list with permits for UDP/500, UDP/4500 and IP/50 to your router IP. With that config, all other traffic will be dropped.
08-17-2014 02:46 AM
Thank you for your comprehensive response.
08-17-2014 03:22 AM
Some add-ons:
(1) Instead of a VPN, a strong WLAN authentication with WPA2-Enterprise could also be deployed. From a security perspective that is also very strong and probably easier to deploy.
(2) Before your clients can start an IPsec VPN, they need to get an IP address. If the DHCP server is located behind or on the router, the ACL also needs to allow the DHCP traffic.
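The access-list described in the accepted answer (permits for UDP/500, UDP/4500 and IP protocol 50 to the router IP) together with the DHCP exception from the add-on above, written out as an IOS extended ACL applied inbound on the LAN interface. This is an added example, not configuration posted by anyone in the thread. The interface name, the router address 192.0.2.1, the LAN subnet and the VPN client pool 10.10.10.0/24 are constructed placeholders; the pool permit is included because, with a crypto-map based IPsec configuration on IOS, decrypted packets are also checked against the inbound ACL of the interface they arrived on.

```cisco
! Added example (not from the thread). All addresses are constructed placeholders.
! Only IKE, NAT-T, ESP and DHCP may reach the router; everything else is denied.
ip access-list extended VPN-ONLY-IN
 remark IKE / ISAKMP (UDP/500) to the router's own LAN address
 permit udp any host 192.0.2.1 eq isakmp
 remark IKE NAT-Traversal and UDP-encapsulated ESP (UDP/4500)
 permit udp any host 192.0.2.1 eq non500-isakmp
 remark ESP (IP protocol 50), the encrypted tunnel traffic itself
 permit esp any host 192.0.2.1
 remark DHCP: a client needs an address before it can start IKE
 permit udp any eq bootpc any eq bootps
 remark Decrypted client traffic (assumed VPN pool 10.10.10.0/24) is re-checked
 remark against this ACL on crypto-map deployments, so it has to be permitted
 permit ip 10.10.10.0 0.0.0.255 any
 remark Explicit deny with logging so rejected traffic shows up in the syslog
 deny ip any any log
!
interface GigabitEthernet0/1
 description LAN towards the VPN clients (assumed interface)
 ip address 192.0.2.1 255.255.255.0
 ip access-group VPN-ONLY-IN in
```

After applying it, `show ip access-lists VPN-ONLY-IN` shows hit counters per line; a client that cannot bring the tunnel up but increments only the `deny ip any any log` counter is usually being blocked before IKE starts (most often DHCP), which is exactly the failure mode the add-on describes. The explicit `deny ... log` is optional from a filtering point of view (the implicit deny would drop the same traffic) but makes the dropped packets visible.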