This article covers the basics of how to set up a VPN for your network. VPNs vary greatly in complexity, but these are the basic areas you need to configure to have your VPN up and running. The following examples refer to a hardware-based setup, specifically Cisco devices; the fundamental principles are the same for other vendors.
This guide assumes that you have already made the necessary decisions — such as whether to have a site-to-site or remote-access setup — that you have a fixed IP to which to connect, and that this is the first VPN device on your network. (You may use your donated equipment to connect to an existing VPN server.)
The setup of your VPN will depend greatly on how far you need to open up your network to clients outside your premises, the number of clients it must support, and the types of clients they are.
Using a graphical user interface (GUI) or command line interface (CLI)
If you are using an ASA security device, like the ASA5510, you can use the Cisco Adaptive Security Device Manager (ASDM) to configure your VPN settings, along with other features like firewall rules and network address translation (NAT) settings. The GUI will depend on the ASA version you are running, and the corresponding version of the ASDM. Check the comprehensive ASA Series Documentation page for complete links. You may also choose to use the CLI if you are familiar with the commands used.
If you are using an Integrated Services Router (ISR), like the 800 Series, you can use the Cisco Configuration Professional (CCP) tool or the CLI.
If you are using a Cisco Smart Business Communications product, such as the SR500 series router, you can use the Cisco Configuration Assistant program to set up your device.
Setting up your VPN server
There are three key aspects of the VPN connection: identity, encryption, and tunneling. Each has a specific set of standards to make it all work together.
- Identity. The identity of a remote user can be verified in a variety of ways, but at the most basic level your users must be authenticated against a database of authorized users and then given the access privileges and attributes they need. Authentication, authorization, and accounting (AAA) policies can be defined locally on the device or on a separate AAA server (RADIUS, for example). You can also use certificates instead of passwords to establish identity.
- Encryption. Traffic between the server and the client is encrypted, and the algorithms and key lengths can be configured. Stronger algorithms and longer keys make captured traffic harder to decrypt, at the cost of more CPU work on both ends of the tunnel; on a small device this limits how many clients it can serve. Avoid legacy choices such as DES, 3DES, and MD5 wherever your software offers AES and SHA-2.
- Tunnel. Because different users may need to reach different parts of the internal network, you can set up policies that route users to specific networks within your organization. With "split tunneling", only traffic destined for internal networks goes through the VPN, and the client reaches the internet directly. This saves bandwidth at your site, but it also means the client's internet traffic bypasses your firewall, and the client is connected to both the internet and your network at the same time. If you have sufficient bandwidth, disable split tunneling so that all client traffic passes through the VPN and your security controls.
To simplify the management of all these aspects, your Cisco donation may have a default setup called "Easy VPN": a single group whose members share common settings. The client first presents a group name and a pre-shared key, much as you would to join a Wi-Fi network, and the user is then prompted for a username and password (Extended Authentication, or XAUTH). Because the group key is shared by every user, treat it as a secret: choose a long random value and change it if a laptop is lost.
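The following configuration is an added example, not from the original article or from Cisco's documentation, showing how the three aspects above (identity, encryption, tunnel) map onto an Easy VPN server on an IOS router. It assumes IOS 15.x on an ISR, an internal LAN of 10.0.0.0/16, an outside interface of GigabitEthernet0/0, a client address pool of 10.99.0.0/24, and a group called STAFF; all names, addresses, and passwords are hypothetical placeholders.

```cisco
! Added example (not from the original article): Easy VPN server on an IOS ISR.
! Assumed: IOS 15.x, internal LAN 10.0.0.0/16, outside interface Gi0/0,
! group STAFF, client pool 10.99.0.0/24. All names and secrets are placeholders.

! --- Identity: XAUTH users and group authorization from the local database ---
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUP local
username alice secret Use-a-long-passphrase-here

! --- Encryption: IKE (phase 1) and IPsec (phase 2) parameters ---
! If your image rejects sha256 or group 14, check the IOS version rather
! than falling back to des, md5, or group 1/2.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel

! --- Tunnel: group definition, address pool, and split-tunnel ACL ---
! The group pre-shared key is shared by every user; use a long random value.
crypto isakmp client configuration group STAFF
 key ChangeMe-Long-Random-Group-Key
 dns 10.0.0.10
 domain example.org
 pool VPN-POOL
 acl SPLIT-TUNNEL
ip local pool VPN-POOL 10.99.0.10 10.99.0.100
! Only the internal LAN is pushed to the client as a tunneled network.
! To disable split tunneling (send everything through the VPN), remove the
! "acl SPLIT-TUNNEL" line from the group above.
ip access-list extended SPLIT-TUNNEL
 permit ip 10.0.0.0 0.0.255.255 any

! --- Tie the three together on the outside interface ---
crypto dynamic-map VPN-DYN 10
 set transform-set VPN-TS
 reverse-route
crypto map VPN-MAP client authentication list VPN-XAUTH
crypto map VPN-MAP isakmp authorization list VPN-GROUP
crypto map VPN-MAP client configuration address respond
crypto map VPN-MAP 10 ipsec-isakmp dynamic VPN-DYN
interface GigabitEthernet0/0
 crypto map VPN-MAP
```

After a client connects, `show crypto isakmp sa` and `show crypto ipsec sa` confirm that phase 1 and phase 2 negotiated the algorithms configured above, and `show crypto session` lists the connected users. The `reverse-route` line injects a host route for each connected client so that internal hosts can reply to it.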
Setting up your VPN clients
Your clients who work away from the office need an application to connect to the server you just set up. Cisco's client applications, such as AnyConnect, are available for all major platforms, including Apple devices. The VPN client built into the operating system may also work, depending on the protocols your server is configured for. You can download a Cisco VPN client from the Cisco site; you will need your Cisco.com login to access the download.
Your device may support "SSL VPN" licensing, which lets clients connect over HTTPS. In its clientless form, SSL VPN uses a standard web browser for authentication and access to your VPN server, with no separate client to install. This is particularly useful for giving access to web applications hosted internally, but it can be extended to other applications and servers as well. SSL VPN licenses are counted by concurrent users; if your users exceed the number of licenses included with your device, you can upgrade it with an SSL VPN license pack.
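As an added example (not from the original article or Cisco's documentation), here is the minimal configuration for enabling SSL VPN on an ASA, with both a full-tunnel AnyConnect connection and clientless browser access for the same group. It assumes ASA 9.x, an interface named "outside", an internal DNS server at 10.0.0.10, a client pool of 10.99.1.0/24, and an AnyConnect package already copied to disk0:; the package filename, group name, and credentials are hypothetical placeholders.

```cisco
! Added example (not from the original article): SSL VPN on an ASA.
! Assumed: ASA 9.x, outside interface "outside", internal DNS 10.0.0.10,
! pool 10.99.1.0/24, AnyConnect package on disk0:. Names are placeholders.

! Enable the SSL VPN listener on the outside interface and publish the client.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
 tunnel-group-list enable

ip local pool SSLVPN-POOL 10.99.1.10-10.99.1.100 mask 255.255.255.0

! Group policy: allow both the AnyConnect client (ssl-client) and clientless
! browser access (ssl-clientless); tunnelall disables split tunneling.
group-policy STAFF-SSL internal
group-policy STAFF-SSL attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 dns-server value 10.0.0.10

! Connection profile users pick from the login page (alias "staff").
tunnel-group STAFF-SSL type remote-access
tunnel-group STAFF-SSL general-attributes
 address-pool SSLVPN-POOL
 default-group-policy STAFF-SSL
tunnel-group STAFF-SSL webvpn-attributes
 group-alias staff enable

! Local user bound to the group policy (use a AAA server for more than a few users).
username alice password Use-a-long-passphrase-here
username alice attributes
 vpn-group-policy STAFF-SSL
```

`show version` lists the licensed SSL VPN / AnyConnect peer limit, and `show vpn-sessiondb` shows how many sessions are in use against it. By default the ASA presents a self-signed certificate, so every browser will warn users before the login page; install a certificate from a CA the clients trust and bind it with `ssl trust-point <name> outside`, otherwise users learn to click through warnings and cannot tell your server from an impostor.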