CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources]

Greg Bastien; Earl Carter; Christian Degu


  • Task 6: Configuring a Remote Access VPN to HQ

    Similar to the remote sites, the remote users must also have a secure mechanism to connect to the Reston location. The remote users, however, do not use fixed VPN tunnels. Instead, the remote users use Easy VPN remote to connect to the headquarters location and dynamically establish a VPN tunnel. The configuration process involves performing the following tasks:

    • Create an IP address pool

    • Define a group policy for mode configuration push

    • Enable IKE dead peer detection (DPD)

    Create an IP Address Pool

    For instance, suppose that you want to assign the remote clients addresses in the range from 10.20.100.1 through 10.20.100.254. Using a pool name of vpn-pool, the command line would be as follows:

     ip local pool vpn-pool 10.20.100.1-10.20.100.254 
    

    Define a Group Policy for Mode Configuration Push

    When remote VPN clients connect to HQ-PIX, the firewall must push certain configuration information to them. You configure these parameters using the vpngroup command.

     vpngroup remote-users password B#!42Dd 
     vpngroup remote-users dns-server 10.200.10.35 
     vpngroup remote-users wins-server 10.100.10.25 
     vpngroup remote-users default-domain dukem.com 
     vpngroup remote-users address-pool vpn-pool 
     vpngroup remote-users idle-time 10 
    

    Note

    You also need to configure the VPN client software on the remote user PCs. This configuration involves identifying the IP address of HQ-PIX and indicating the VPN group name (remote-users) and group password (B#!42Dd).

    Enable IKE Dead Peer Detection

    You need to specify the number of seconds between DPD messages and the number of seconds between retries (if a DPD message does not receive a response). The syntax for this command is as follows:

     isakmp keepalive seconds [retry-seconds]
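    As an added consistency check for the fragment assembled in this task (example code, not from the book or Cisco), the script below parses the ip local pool, vpngroup and isakmp keepalive lines and reports the things a reviewer would look for: a pool that a group references but that is never defined, an inverted pool range, a group with no password, and missing or odd DPD timers. The sample configuration is constructed from the commands above; the keepalive values 60 and 5 are assumptions, since the text gives only the syntax.

```python
import ipaddress
import re

# Constructed sample: the HQ-PIX remote-access fragment from this task, plus an
# assumed DPD line (60 s between probes, 5 s between retries).
SAMPLE_CONFIG = """\
ip local pool vpn-pool 10.20.100.1-10.20.100.254
vpngroup remote-users password B#!42Dd
vpngroup remote-users dns-server 10.200.10.35
vpngroup remote-users wins-server 10.100.10.25
vpngroup remote-users default-domain dukem.com
vpngroup remote-users address-pool vpn-pool
vpngroup remote-users idle-time 10
isakmp keepalive 60 5
"""

def parse_pix_ra_vpn(config):
    """Extract address pools, vpngroup attributes and DPD timers from a fragment."""
    pools, groups, dpd = {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            continue
        m = re.match(r"vpngroup (\S+) (\S+)(?: (.*))?$", line)
        if m:
            groups.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
            continue
        m = re.match(r"isakmp keepalive (\d+)(?: (\d+))?$", line)
        if m:
            dpd = (int(m.group(1)), int(m.group(2)) if m.group(2) else None)
    return pools, groups, dpd

def check_remote_access_vpn(config):
    """Return a list of findings; an empty list means the fragment is consistent."""
    pools, groups, dpd = parse_pix_ra_vpn(config)
    findings = []
    for name, (lo, hi) in pools.items():
        if lo > hi:
            findings.append(f"pool {name}: start {lo} is above end {hi}")
    for gname, attrs in groups.items():
        pool = attrs.get("address-pool")
        if pool not in pools:
            findings.append(f"vpngroup {gname}: address-pool {pool} is not a defined ip local pool")
        if "password" not in attrs:
            findings.append(f"vpngroup {gname}: no group password (pre-shared key) configured")
    if dpd is None:
        findings.append("no isakmp keepalive: dead peers are never detected")
    elif dpd[1] is not None and dpd[1] >= dpd[0]:
        findings.append(f"isakmp keepalive: retry {dpd[1]} s should be shorter than interval {dpd[0]} s")
    return findings
```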