The following sections provide additional details on the client-to-site VPN server parameter settings.
Group Policy Tab
The VPN Group Policy specifies the network and IPsec settings. You can use group patterns to require that users meet certain criteria, based on the group membership returned by the external authentication server (e.g., CN=vpnusers*). You can also define conditions that the client certificate must meet (e.g., O (Organization) must be the company name).
| Setting | Description |
|---|---|
| Mandatory Client Credentials | Select Login must match AltName in Certificate if the certificate lookup is done by Alternative Name. |
| Authentication Scheme | Select the authentication scheme from the list that is used by all client-to-site VPN connections. |
| Server Protocol Key | The certificate the VPN server uses to authenticate to the VPN client. |
| Used Root Certificate | The certificate used to validate client certificates. |
| X509 Login Extraction Field | Extract the username from the selected client certificate field. |
| LDAP Attribute Name | Set the VPN client IP address from the attribute configured on the LDAP, MSAD, or RADIUS server. |
| VPN Group Attribute | The VPN group policy is pinned to the value returned by the LDAP, MSAD, or RADIUS server. |
Attributes from LDAP / MSAD / RADIUS or TACPLUS authentication schemes are used to determine the default authentication scheme for the user:
Group Policy Settings
| Setting | Description |
|---|---|
| | Enter a name for the policy. For example, |
| Statistic Name | Enter a name to better allocate statistics entries. |
| | Select the VPN client network the group policy applies to. |
| DNS | Enter the IP address of the DNS server used for the clients. |
| WINS | If applicable, enter the IP address of the WINS server. |
| | Add all networks that should be reachable by the VPN clients. Enter |
| Access Control List (ACL) | Add an Access Control List. |
| Group Policy Condition | Right-click the Group Policy Condition field and select Create New Policy. |
Group Policy Condition
Right-click the Group Policy Condition field and select New Rule. In the X509 Certificate Conditions section of the Group Policy Condition window, set filters for the certificate. For each certificate condition, select the certificate field from the drop-down list, enter the required value, and click Add/Change.
Define the groups on the authentication server that will be assigned the policy. E.g.,
To let everyone with a valid certificate log on, click Edit/Show and add the following condition to the Subject field:
| Setting | Description |
|---|---|
| Cert Policy / OID | (Optional) Enter an OID to allow only certificates with a specific key usage, e.g., Client Authentication (1.3.6.1.5.5.7.3.2). |
Barracuda Tab - Barracuda Settings
| Setting | Description |
|---|---|
| Enforce Windows Security Settings | Enforce Windows security features for Network Access Clients to allow VPN connections. |
| VPN Client Network | Configure additional settings for the VPN client network. |
| | Additional client firewall settings and assignment of online/offline firewall rules. |
| | Welcome messages can be used to display customized messages to welcome users to the corporate network, inform them about security policies, or display administrator contact details. |
The encryption algorithms that the VPN server will offer. You can select one of the following options:
IPsec IKEv1 Tab - IPsec IKE1 Phase II Settings
| Setting | Description |
|---|---|
| Disable | Clear the check box, and then select Group Policy Name (Create New). |
| Edit Phase 1 | Click to edit the Phase 1 settings. |
| Encryption | The data encryption algorithm. |
| Hash Meth | The hash algorithm. |
| DH-Group | The Diffie-Hellman group that specifies the type of key exchange. DH Group 1 to Group 18 are supported. |
| Time | The re-keying time in seconds that the server offers to the partner. |
| Minimum | The minimum re-keying time in seconds that the server accepts from its partner. |
| Maximum | The maximum re-keying time in seconds that the server accepts from its partner. |
IPsec IKEv2 Tab - IPsec IKE1 Phase I Settings
Configure the same settings for IPsec Phase I that you selected for IPsec Phase II.
The Rules tab lets you edit the group VPN settings. For parameters, see the Group Policy Tab section above. To create a rule, right-click in the window and select New Rule.
| Setting | Description |
|---|---|
| Assigned VPN Group | Select the VPN group the rule should apply to. |
| Group Pattern | Enter the group pattern, or click Lookup to perform an AD lookup and search for the group pattern. |
| | Click Edit/Show to open the Certificate Condition window. The configuration may contain the wildcard patterns * and ?. Equal keys are slash-delimited: to match DC=foo, DC=bar, enter DC=bar/foo, because the order of the distinguished name parts is reversed. |
| Generic v3 OID | Enter an OID to allow only certificates with a specific key usage, e.g., Client Authentication (1.3.6.1.5.5.7.3.2). |
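To check how the reversed, slash-delimited notation for certificate conditions described above (and the * and ? wildcards also used for group patterns such as CN=vpnusers*) lines up with a certificate's subject, here is an added Python illustration of the documented rule. It is not Barracuda's own code; the sample subject is constructed, and matching with fnmatch semantics is an assumption made for the illustration.

```python
import fnmatch

# Constructed sample: the subject RDNs of a client certificate, in certificate order.
SAMPLE_SUBJECT = [
    ("CN", "alice"),
    ("OU", "vpnusers"),
    ("O", "Example Corp"),
    ("DC", "foo"),
    ("DC", "bar"),
]


def render_subject(subject):
    """Map each DN key to the value the condition field expects, following the
    documented rule: the order of the DN parts is reversed and equal keys are
    slash-delimited, so DC=foo, DC=bar becomes DC=bar/foo.
    Illustration of the rule only; not the product's matcher."""
    grouped = {}
    for key, value in reversed(subject):
        grouped.setdefault(key, []).append(value)
    return {key: "/".join(values) for key, values in grouped.items()}


def condition_string(subject):
    """The full condition string a practitioner would expect to enter for this subject."""
    return ", ".join(f"{key}={value}" for key, value in render_subject(subject).items())


def matches(subject, conditions):
    """Return True when every configured field pattern (using * and ?) matches the
    rendered subject. A field that is absent from the certificate never matches."""
    rendered = render_subject(subject)
    for key, pattern in conditions.items():
        if key not in rendered or not fnmatch.fnmatchcase(rendered[key], pattern):
            return False
    return True


if __name__ == "__main__":
    print(condition_string(SAMPLE_SUBJECT))
    # Organization must be the company name, and both DC parts in reversed order.
    print(matches(SAMPLE_SUBJECT, {"O": "Example Corp", "DC": "bar/foo"}))
    # Entering the DC parts in certificate order does not match under this rule.
    print(matches(SAMPLE_SUBJECT, {"DC": "foo/bar"}))
```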
Select the check boxes for the client types used by the peer.
Click Add to add the IP address of the peer network.
See the Common Settings section above.
Enter a name for the Barracuda Client connection.
| Setting | Description |
|---|---|
| Enable VPN Client NAC | Enables the Barracuda Network Access Client. For more information, see Barracuda Network Access and VPN Client. |
| | Active ENA (Exclusive Network Access) prevents access to networks the client is not directly connected to. Select Split Tunnel On... |
| | Assigns an online ruleset configured in the VPN FW tab. |
| Offline Rules | Assigns an offline ruleset configured in the Offline FW tab. |
| | Welcome messages can be used to display customized messages to welcome users to the corporate network, inform them about security policies, or display administrator contact details. Create a custom welcome message in the Message tab of the Client to Site page, and then select the message in this section. |
| | Upload a 150x80 pixel, 256-color BMP bitmap in the Pictures tab of the Client-to-Site page, and then select the custom bitmap in this section. |
| Firewall Always ON | The Network Access Client's firewall must be enabled for successful VPN connections. |
| VPN Always ON | If disabled, users cannot disconnect manually from the VPN. |
| Key Time Limit | The period of time after which the re-keying process is started. |
| Key Traffic Limit | The keys of the VPN tunnel are renewed after this amount of traffic. |
| Tunnel Probing | The interval between tunnel probes. If probes are not answered within the period specified by the Tunnel Timeout setting, the tunnel is terminated. |
| Tunnel Timeout | The length of time within which tunnel probes must be correctly answered before the tunnel is terminated. If, for any reason, the enveloping connection breaks down, the tunnel must be re-initialized. This is especially important in setups with redundant ways to build the enveloping connection. |
| | The ciphers that can be used to establish the connection. |
| Enforce Windows Security Settings | Enforce Windows security features: |
See the IPsec IKEv1 Tab - IPsec IKE1 Phase II Settings section above.