Considerations For Using Third-Party Clients - Nortel NN46110-602 Troubleshooting Manual

Considerations for using third-party clients

There are several considerations regarding the use of third-party clients with the VPN Router:

Client Dynamic Addressing—Many third-party clients now support the Aggressive mode method of establishing a security association. The advantage of Aggressive mode for remote user access is that, unlike Main mode, the VPN server does not authenticate the security association based on prior knowledge of the IP address of the user. Therefore, the remote user can be dynamically assigned an address by their ISP.

Client Address Advertisement—When the Nortel VPN Client connects, the VPN Router assigns the client-side inner address of the IPsec tunnel from the enterprise address space. This is the address that devices on the private network send data to in response to requests from the client. The VPN Router captures packets destined for those addresses and sends them through the public interface encapsulated within IPsec, addressed to the ISP-assigned outer address of the client.

In the case of third-party clients, the VPN Router does not have a mechanism to assign the inner address of the client. The inner address of the client tunnel is normally set the same as the ISP-assigned outer address. Servers in the enterprise need to find a route back to these clients. You must configure the VPN Router as the default VPN Router on the network. The VPN Router can then forward tunneled traffic to served clients and forward other traffic to the Internet or other default VPN Routers. This option is not always desirable because of the impact on the customer network infrastructure.

Authentication—Various authentication services supported with the Nortel VPN Client are not supported with third-party clients. RADIUS, RSA SecurID*, and other RADIUS-based services do not work with the VPN Router, even if the third-party client has the support available. LDAP with preshared key and unmanaged certificates are the only authentication services supported by the VPN Router with third-party clients.

Client Customization—This capability allows a service provider to customize the look of the client with their branding. In addition, it allows the service provider to preconfigure the service profiles (VPN Router destination and authentication options) and lock down the client configuration for the end-user so that they cannot modify or change these attributes.
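The return-path problem described under Client Address Advertisement can be checked with a longest-prefix-match lookup over a server's routing table. This is an added example, not part of the Nortel manual; every address, prefix and name in it is a constructed sample value.

```python
import ipaddress

# Constructed sample values (not from the manual).
VPN_ROUTER = "10.0.0.1"             # private-side address of the VPN Router
INTERNET_GW = "10.0.0.254"          # separate Internet gateway on the same LAN
CLIENTS = {
    "nortel": "10.20.5.9",          # inner address assigned from enterprise space
    "third-party": "203.0.113.57",  # inner address == ISP-assigned outer address
}

# Routing table of an enterprise server, as (prefix, next hop) pairs.
ROUTES_INTERNET_DEFAULT = [
    ("10.20.0.0/16", VPN_ROUTER),   # pool the VPN Router assigns to Nortel clients
    ("0.0.0.0/0", INTERNET_GW),
]
ROUTES_VPN_DEFAULT = [
    ("10.20.0.0/16", VPN_ROUTER),
    ("0.0.0.0/0", VPN_ROUTER),      # VPN Router configured as the default router
]

def next_hop(routes, dst):
    """Longest-prefix match: return the next hop chosen for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def return_path_ok(routes, client_inner, vpn_router):
    """True when a reply to the client's inner address is handed to the VPN Router."""
    return next_hop(routes, client_inner) == vpn_router

def broken_clients(routes, clients, vpn_router):
    """Names of clients whose replies would bypass the VPN Router (and the tunnel)."""
    return [name for name, inner in clients.items()
            if not return_path_ok(routes, inner, vpn_router)]

if __name__ == "__main__":
    for label, routes in (("Internet gateway as default", ROUTES_INTERNET_DEFAULT),
                          ("VPN Router as default", ROUTES_VPN_DEFAULT)):
        print(label, "-> bypassing the tunnel:", broken_clients(routes, CLIENTS, VPN_ROUTER))
```

With the Internet gateway as the default route, only the third-party client's replies miss the VPN Router, because its inner address falls outside any enterprise prefix.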
Appendix D Configuring for interoperability 217