Allow Password Storage On Client; Split Tunneling Network List - Cisco VPN 3000 User Manual

12 User Management

Allow Password Storage on Client

Check the box to allow IPSec clients to store their login passwords on their local client systems. If you
do not allow password storage (the default), IPSec users must enter their password each time they seek
access to the VPN. For maximum security, we recommend that you not allow password storage.

Split Tunneling Network List

Click the drop-down menu button and select the Network List to use for split tunneling. If no Network Lists have been configured, the list shows --None--, which means that split tunneling is disabled (the default). Selecting a configured Network List enables split tunneling. Configure Network Lists on the Configuration | Policy Management | Traffic Management | Network Lists screens.

We recommend that you keep the base-group default, and that you enable and configure split tunneling selectively for each group.

You can apply only one Network List to a group, but one Network List can contain up to 200 network entries.
About split tunneling and Network Lists

Split tunneling lets an IPSec client conditionally direct packets over an IPSec tunnel in encrypted form, or to a network interface in cleartext form. Packets not bound for destinations across the IPSec tunnel don't have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. Split tunneling thus eases the processing load, simplifies traffic management, and speeds up untunneled traffic.
Split tunneling applies only to single-user remote-access IPSec tunnels, not to LAN-to-LAN
connections.
Split tunneling decisions depend on the destination network address; hence the use of Network Lists. A
Network List is a list of addresses on the private network. The IPSec client uses the Network List as an
inclusion list: a list of networks for which traffic should be sent over the IPSec tunnel. All other traffic
is routed as normal cleartext traffic.
The IPSec client establishes an IPSec Security Association (SA) for each network specified in the list.
Outbound packets with destination addresses that match one of the SAs are sent over the tunnel;
everything else is sent as clear text to the locally connected network.
Split tunneling can act as a packet filter at the client. If a Network List defines only a subset of the private
network address space, then a client can access only that subset of network addresses. The client cannot
access other addresses because packets to those addresses are sent to the public Internet, from which they
are not accessible.
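The per-packet decision described above (destination matches an entry in the group's Network List, so it goes over the tunnel; everything else goes cleartext to the local network; --None-- means everything is tunneled) and the resulting "packet filter" effect, modelled as an added example. This is not code from the manual or from Cisco; it assumes Network List entries are written in CIDR notation and that the private network consists of 10.0.0.0/8 and 172.16.0.0/12, and all sample addresses are constructed.

```python
"""Split-tunneling routing decision modelled on the VPN 3000 behaviour.

Assumptions NOT stated in the manual: Network List entries are in CIDR
notation, and the private network is 10.0.0.0/8 plus 172.16.0.0/12.
The 200-entry limit and the --None-- (disabled) default are from the manual.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

MAX_NETWORK_LIST_ENTRIES = 200  # per-list limit stated in the manual

# Assumed corporate address space, used only to model reachability.
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class NetworkList:
    """A named inclusion list: destinations inside any entry are tunneled."""

    def __init__(self, name: str, entries: Iterable[str]) -> None:
        networks: List[Network] = [ipaddress.ip_network(e, strict=False) for e in entries]
        if len(networks) > MAX_NETWORK_LIST_ENTRIES:
            raise ValueError(
                f"{name}: {len(networks)} entries exceeds the "
                f"{MAX_NETWORK_LIST_ENTRIES}-entry limit"
            )
        self.name = name
        self.networks = networks

    def matches(self, dst: Address) -> Optional[Network]:
        """Return the entry (the SA the client would use) covering dst, or None."""
        for net in self.networks:
            if dst in net:
                return net
        return None


def route_packet(dst: str, network_list: Optional[NetworkList]) -> str:
    """Decide how the client sends a packet: 'tunnel' or 'cleartext'.

    A group whose Split Tunneling Network List is --None-- has split
    tunneling disabled, so every packet goes through the tunnel.
    """
    if network_list is None:
        return "tunnel"
    addr = ipaddress.ip_address(dst)
    return "tunnel" if network_list.matches(addr) is not None else "cleartext"


def reachable(dst: str, network_list: Optional[NetworkList]) -> bool:
    """Model the 'packet filter' side effect described in the manual.

    A private-network destination that is routed cleartext is sent to the
    public Internet, where it cannot be reached. Tunneled destinations and
    genuinely public destinations are reachable.
    """
    if route_packet(dst, network_list) == "tunnel":
        return True
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in PRIVATE_NETWORKS)


def classify(destinations: Iterable[str], network_list: Optional[NetworkList]) -> Dict[str, str]:
    """Routing decision for each destination, keyed by address string."""
    return {d: route_packet(d, network_list) for d in destinations}


# Constructed sample data (not from the manual): a list covering only part of
# the private network, plus destinations that exercise each branch.
CORP_LIST = NetworkList("corp-split", ["10.10.0.0/16", "10.20.5.0/24", "172.16.0.0/12"])
SAMPLE_DESTINATIONS = [
    "10.10.1.25",     # in 10.10.0.0/16         -> tunnel
    "10.20.5.7",      # in 10.20.5.0/24         -> tunnel
    "10.30.0.1",      # private but not listed  -> cleartext, unreachable
    "172.16.200.3",   # in 172.16.0.0/12        -> tunnel
    "198.51.100.10",  # public Internet         -> cleartext, reachable
]

if __name__ == "__main__":
    for dst, decision in classify(SAMPLE_DESTINATIONS, CORP_LIST).items():
        print(f"{dst:>15}  {decision:9}  reachable={reachable(dst, CORP_LIST)}")
    # With --None-- selected, split tunneling is off and everything is tunneled.
    print(classify(SAMPLE_DESTINATIONS, None))
```

The filtering effect is purely a consequence of routing on the client: 10.30.0.1 is on the private network but absent from the list, so the client sends it cleartext toward the Internet and it never reaches the concentrator. Because the list is pushed by the concentrator, narrowing it does restrict what a client can reach through the tunnel, but it is not a substitute for a filter enforced on the concentrator side.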
Split tunneling is primarily a traffic management feature, not a security feature. In fact, for optimum
security, we recommend that you not enable split tunneling. However, since only the VPN
Concentrator—and not the IPSec client—can enable split tunneling, you can control implementation
here and thus protect security. Split tunneling is disabled by default on both the VPN Concentrator and
the client. You enable and configure the feature here, and then the VPN Concentrator uses Mode
Configuration to push it to, and enable it on, the IPSec client.
You must create a Network List before you can enable split tunneling. See the Configuration | Policy Management | Traffic Management | Network Lists screens.

VPN 3000 Concentrator Series User Guide
