
1. In the Cloud Services Portal, click Manage > Service Edge > Policies > RA VPN Policies.

2. Click Create.

3. On the Add RA VPN Policy page, specify the following:

  • Name: Enter a name for the policy. Start and end with alphanumeric characters, and use only lowercase alphanumeric characters, periods (.), and hyphens (-).
  • Description: Enter a description for the policy. 
  • MFA: Enable this field to turn on multi-factor authentication. When multi-factor authentication is turned on, Service Edge can be accessed only after your user credentials are authenticated by both the Cisco AnyConnect Secure Mobility Client and the RADIUS proxy server (DUO authentication).
  • DHCP Subnet: Enter the IP address range that clients can use to connect to Service Edge. For example, if you enter 192.168.100.0/24, then clients that want to connect to Service Edge will be assigned a subnet address that falls within the range you specify. That is, 192.168.100.11 might be assigned to one client and 192.168.100.17 to another.
  • Max Remote Clients: Enter the maximum number of clients that can connect to Service Edge through remote access VPN.
  • MTU: Enter the maximum transmission unit of the packet size that you want to send. 
  • Server Certificate: Click Select file to upload a self-signed or a CA-signed server certificate. You can generate a server certificate and key using any trusted certificate tool such as certtool from GnuTLS. You can also reuse a certificate that has already been uploaded for another policy.
  • Server Key: Click Select file to upload the key generated for the server certificate.
  • Banner: Enter a welcome message that will be displayed to clients after they connect to Service Edge through remote access VPN. This is an optional field.
  • Authentication Server: This section contains details of user configuration. As of now, only RADIUS authentication is supported.
    • Server IP: Enter the IP address of the RADIUS authentication server used to authenticate requests.
    • Server Port: Enter the port number of the RADIUS server on which the remote RADIUS listens.
    • Server Secret: Enter a secret (any string or integer value) that the RADIUS server will use to connect to the Infoblox server. The same secret must be configured on the RADIUS server; it acts as a handshake between the two servers.
    • Accounting Server: Enter the RADIUS server’s IP address that will be used for accounting-related requests. This IP address is the same as the IP address of the authentication server or the RADIUS server.
    • Server Timeout: Enter the amount of time, in seconds, that the client will wait for a reply from the RADIUS server. For example, if you enter 5, and if there is no response from the RADIUS server within 5 seconds, then the connection request will time out.
    • Retries: Enter the number of times a connection request will be resent before it is attempted on the next server.
  • Client Timer: This section contains the timer-related details of the clients connecting to Service Edge through remote access VPN.
    • Auth Timeout: Enter the amount of time, in seconds, that the client is allowed to stay connected to Service Edge prior to authentication. For example, if you enter 11, then the client will be connected for 11 seconds and will stay connected only if the authentication is successful. 
    • Min Reauth Time: Enter the amount of time, in seconds, the client is not allowed to reconnect after a failed attempt to authenticate.
    • Cookie Timeout: Enter the amount of time, in seconds, after which the connection cookie must time out.
    • Rekey Time: Enter the amount of time, in seconds, after which the VPN server requires the client to refresh the keys.
  • Advanced Client Options: This section contains the options for setting persistent cookies and managing DHCP conflicts:
    • Persistent Cookies: Enable this option for the cookies to stay valid even after a client disconnects manually. The cookies stay valid until they expire. 
    • Rekey Method: Select a method for efficiently performing a handshake on the channel and for allowing a seamless connection during rekeying.
    • DHCP Conflict Detection: Enable this option to allow occupied IP addresses in an IP range for leases. Before being leased from a pool, an IP address is pinged to verify that it is not being used by another host.
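The Server Certificate and Server Key fields above accept a certificate and key generated with certtool from GnuTLS. The following shell script is an added example (not part of the original page or an Infoblox tool) that writes a certtool template for a TLS server certificate and then generates the private key and a self-signed certificate from it; the host name vpn.example.com, the output file names and the 365-day lifetime are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: produce the server certificate and key for an RA VPN policy
# with GnuTLS certtool. Host name, lifetime and file names are assumptions.

# Write a certtool template describing a TLS server certificate.
# $1 = output template path
# $2 = DNS name that clients will use to reach Service Edge
# $3 = validity in days (optional, default 365)
write_server_template() {
    tmpl="$1"
    host="$2"
    days="${3:-365}"
    cat > "$tmpl" <<EOF
# certtool template for the RA VPN server certificate (constructed example)
cn = "$host"
dns_name = "$host"
organization = "Example Org"
expiration_days = $days
# Server usage only: no CA bit; key may sign and encrypt; TLS server EKU
tls_www_server
signing_key
encryption_key
EOF
}

# Generate the private key and a self-signed certificate with certtool.
# Returns 0 on success, 2 when certtool is not installed (template is still written).
# $1 = DNS name, $2 = output directory (default .), $3 = validity in days
generate_server_cert() {
    host="$1"
    outdir="${2:-.}"
    days="${3:-365}"
    write_server_template "$outdir/server.tmpl" "$host" "$days"
    if ! command -v certtool >/dev/null 2>&1; then
        echo "certtool not found; template written to $outdir/server.tmpl" >&2
        return 2
    fi
    # The key is uploaded as the policy's Server Key: create it owner-readable only.
    umask 077
    certtool --generate-privkey --bits 3072 --outfile "$outdir/server-key.pem"
    certtool --generate-self-signed \
        --load-privkey "$outdir/server-key.pem" \
        --template "$outdir/server.tmpl" \
        --outfile "$outdir/server-cert.pem"
    # Print the certificate details so they can be checked before upload.
    certtool --certificate-info --infile "$outdir/server-cert.pem" | head -n 20
}
```

Run `generate_server_cert vpn.example.com ./out 365` and upload `out/server-cert.pem` as the Server Certificate and `out/server-key.pem` as the Server Key. The `dns_name` entry matters: the Cisco AnyConnect client validates the certificate against the host name it connects to, so it must match the name clients use for Service Edge.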

4. Click Next.

The VPN Groups tab is displayed. The tab allows you to create VPN groups to which clients can choose to belong. You can create any number of VPN groups, and clients can choose to join any one group at a time. When you log on to the VPN server, the drop-down list Groups displays the list of all groups that you have created; the client must choose the group to which to connect. Client users’ credentials are stored in the RADIUS server. When a client chooses a group to log on to remote access VPN, the client inherits the group’s settings.

5. Click Add Group to create a VPN group. In the dialog box Create a VPN Group, specify the following:

  • In Name, enter a name for the VPN group.
  • In Description, enter a description for the VPN group.
  • Expand the DNS section, and do the following:
    • In the DNS SERVERS section, enable the Tunnel All DNS option to tunnel all DNS queries through VPN. By default, this option is enabled when you set a default route.
    • Click Add to add the IP address of the DNS resolver that must resolve all the domain queries. You can add more than one DNS resolver.
    • In the SPLIT DNS section, add the domains on which the DNS resolver must be used. You can add more than one domain.
  • Expand the Routes section, and click Add to add a route through which requests and pings are serviced and forwarded to clients. If you enter default, the VPN server is considered the default router and all queries are routed through the Service Edge on-prem host.
  • Expand the Advanced Options section, and specify the following:
    • Max Sessions Per User: Enter the maximum number of devices from which one client or user can be connected at any one time.
    • Dead Peer Detection: Enter the number of seconds after which to detect whether a client session is active. 
    • Mobile Dead Peer Detection: Enter the number of seconds after which to detect whether a mobile client session is active. A mobile client is a client that tries to connect to Service Edge by using a mobile device.
    • Deny Roaming: Enable this option to block a client from accessing Service Edge on a roaming network. The client session is restricted to a single IP address and cannot be reused from a different IP address.
    • Keep Alive: Enter the amount of time, in seconds, a client session can be active and alive.
    • Idle Timeout: Enter the amount of time, in seconds, a client is allowed to stay idle before being disconnected.
    • Session Timeout: Enter the amount of time, in seconds, a client is allowed to stay connected. A client will be disconnected after being continuously connected for this amount of time; to reconnect, the client would have to be reauthenticated.
    • Mobile Idle Timeout: Enter the amount of time, in seconds, a mobile client is allowed to stay idle before being disconnected.
  • Click Save.
  • Click Expand All to view additional details of the rules and Collapse All to hide them.

6. Click Next to move to the Summary tab, to ensure the policy is accurate.

7. Click Save & Close.