Configuring a client-to-gateway tunnel

Article: TECH82460  |  Created: 2004-01-06  |  Updated: 2006-01-26  |  Article URL http://www.symantec.com/docs/TECH82460
Article Type: Technical Solution


Problem

This document provides information and step-by-step configuration instructions for creating your client-to-gateway VPN tunnel.


Solution

Configuring client-to-gateway VPN tunnels
Client-to-gateway VPN tunnels let remote users, running the Symantec Client VPN software (or any IPSec-compliant VPN client software) safely connect over the Internet to a network secured by a Symantec security gateway.

Understanding client-to-gateway VPN tunnels
Symantec Gateway Security 300 Series supports client-to-gateway VPN tunnel configurations. A client-to-gateway tunnel is created when a workstation running Symantec Client VPN software connects to the security gateway from inside of the protected network or from a remote location through the Internet.


Note: Wireless clients can use client-to-gateway tunnels to secure their connections. See Symantec Gateway Security 300 Series Wireless Implementation Guide.

After establishing the VPN tunnel, remote users can connect to and safely access the resources of the private network through the Internet, as if the remote workstation were physically located inside the protected network.

You can define network settings for each VPN group for clients to download during the Phase 1 configuration mode. These settings include primary and secondary DNS servers, WINS servers, and primary domain controller addresses. By pushing this information to the clients during configuration mode, clients do not have to configure these settings on their own, saving management time and reducing the possibility of error.

Symantec client-to-gateway VPN tunnels require a client ID and a shared key. You can also apply extended authentication, using a RADIUS server, to client-to-gateway VPN tunnels for additional authentication. See Defining users on page 86 of the Symantec Gateway Security 300 Series Administrator's Guide.

You can configure two types of users when configuring VPN tunnels: dynamic and static. See Identifying users on page 85 of the Symantec Gateway Security 300 Series Administrator's Guide.

Understanding global tunnels
When a client establishes a VPN tunnel on the LAN, a global tunnel (0.0.0.0) is configured for the client. This forces all client traffic through the VPN tunnel terminating at the appliance. This is useful for untrusted networks, such as wireless, to keep traffic secure.

When establishing a tunnel on the WAN, the appliance's subnet (192.168.0.0 by default) is configured for the client. This allows a split tunnel so that the client can still access the Internet directly and only traffic destined for the LAN is sent through the VPN tunnel.
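The two tunnel definitions above decide, per destination, whether a client packet is encrypted to the appliance or leaves the client directly. The following Python model is an added illustration, not code from this article or from Symantec; it assumes the global tunnel is 0.0.0.0/0 and that the default appliance subnet 192.168.0.0 carries a /24 mask, neither of which the article states, and the sample destinations are constructed.

```python
import ipaddress

# Assumptions (the article gives only the network addresses): the global tunnel
# is 0.0.0.0/0, and the default appliance subnet 192.168.0.0 is a /24.
GLOBAL_TUNNEL = ipaddress.ip_network("0.0.0.0/0")
APPLIANCE_SUBNET = ipaddress.ip_network("192.168.0.0/24")


def tunnel_network_for(interface):
    """Network pushed to the client, chosen by the side it connected on."""
    if interface == "lan":   # LAN/WLAN: global tunnel, all traffic goes to the appliance
        return GLOBAL_TUNNEL
    if interface == "wan":   # WAN: split tunnel, only the protected subnet is tunnelled
        return APPLIANCE_SUBNET
    raise ValueError(f"unknown interface: {interface!r}")


def route_for(destination, interface):
    """'tunnel' if the packet is encrypted to the appliance, 'direct' if it leaves in the clear."""
    inside = ipaddress.ip_address(destination) in tunnel_network_for(interface)
    return "tunnel" if inside else "direct"


def cleartext_destinations(destinations, interface):
    """Destinations that bypass the tunnel: non-empty on a split tunnel, empty on the global tunnel."""
    return [d for d in destinations if route_for(d, interface) == "direct"]


# Constructed sample destinations (not from the article): two on the protected
# subnet, two on the public Internet.
SAMPLE = ["192.168.0.10", "192.168.0.254", "203.0.113.7", "198.51.100.20"]

if __name__ == "__main__":
    for side in ("wan", "lan"):
        print(side, {d: route_for(d, side) for d in SAMPLE})
        print(side, "in the clear:", cleartext_destinations(SAMPLE, side))
```

Running the block shows why the article reserves the global tunnel for untrusted networks such as wireless: with the split tunnel, every destination outside the appliance subnet is sent unencrypted from the client, while the global tunnel leaves nothing in the clear.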

Configuration tasks for client-to-gateway VPN tunnels

Defining client VPN tunnels
This section describes how to define client VPN tunnels. Defining client VPN tunnels requires the following tasks:
  • Enabling client tunnels for selected VPN groups for WAN connections and/or LAN/WLAN connections
  • Configuring VPN network parameters that are pushed to the Client VPN during tunnel negotiations (optional)
  • Configuring RADIUS authentication (optional)

To enable client tunnels
  1. In the left pane of the Security Gateway Management Interface (SGMI), click VPN.
  2. On the Client Tunnels tab, under Group Tunnel Definition, check one of the following:
    • Enable Client VPNs on WAN side
      This enables client VPN tunnels only for traffic arriving on a WAN port of the appliance.
    • Enable client VPNs on WLAN/LAN side
      This enables client VPN tunnels for traffic on any port of the appliance.
  3. Under VPN Network Parameters, in the Primary DNS text box, type the name of the primary DNS server.
    Domain Name System or Service (DNS) is an Internet service that translates domain names into IP addresses.
  4. (Optional) In the Secondary DNS text box, type the name of the secondary DNS server.
  5. (Optional) In the Primary WINS text box, type the name of the primary WINS server.
    Windows Internet Naming Service (WINS) is a system that determines the IP address associated with a particular network computer.
  6. (Optional) In the Secondary WINS text box, type the name of the secondary WINS server.
  7. (Optional) In the Primary Domain Controller text box, type the name of the primary domain controller.
  8. (Optional) In the RADIUS Group Binding text box, type the RADIUS Group Binding name.
    If you plan to use RADIUS authentication, you must check Enable Extended User Authentication and provide the RADIUS Group Binding. The RADIUS Group Binding name must match the filter ID parameter returned from the RADIUS server.
  9. Click Update.

Selecting an authentication method
Clients can authenticate by using a user name and password defined in the Symantec security gateway, or by using extended authentication with RADIUS. If you use RADIUS authentication, you do not need to define the users on the security gateway; the users are defined on the RADIUS server. When a dynamic user (a user that is not defined on the security gateway) attempts to establish a VPN tunnel, the security gateway checks the defined user list for the provided user name. If the user name does not exist in that list, and extended authentication is enabled and configured, the security gateway verifies that the shared secret matches the one configured for the tunnel. If the shared secret matches, the security gateway prompts for the information required by the RADIUS server. If the group information returned by the RADIUS server matches the RADIUS Group Binding on the security gateway, the tunnel is allowed to connect. Dynamic users therefore never need to be defined on the security gateway.

If you do not use RADIUS authentication, you must define users on the security gateway by creating a VPN User Identity for each user.
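The authentication sequence described above (defined-user lookup, then the tunnel shared secret, then the RADIUS exchange, then the returned group against the RADIUS Group Binding) reads naturally as a decision function. The following Python model is an added example, not code from this article or Symantec's implementation: the GatewayConfig fields, the in-memory directory standing in for a real RADIUS server, and the user names, passwords and keys are all constructed for illustration. It also enforces the 20-character minimum for pre-shared keys that the procedures below require.

```python
import hmac
from dataclasses import dataclass

MIN_PSK_LENGTH = 20  # minimum pre-shared key length stated in the article


@dataclass
class GatewayConfig:
    """Assumed shape of the settings the SGMI procedures set (hypothetical fields)."""
    defined_users: dict           # VPN User Identity: user name -> per-user pre-shared key
    extended_auth_enabled: bool   # "Enable Extended User Authentication"
    dynamic_psk: str              # pre-shared key shared by all dynamic users
    radius_group_binding: str     # must equal the filter ID the RADIUS server returns


def validate_psk(psk):
    """True when the key meets the article's 20-character minimum."""
    return len(psk) >= MIN_PSK_LENGTH


def secrets_match(expected, presented):
    """Constant-time comparison so a mismatch does not reveal how many bytes matched."""
    return hmac.compare_digest(expected.encode(), presented.encode())


def radius_authenticate(directory, user_name, password):
    """Stand-in for the RADIUS exchange: returns the user's filter ID, or None on reject."""
    entry = directory.get(user_name)
    if entry is None or password is None:
        return None
    stored_password, filter_id = entry
    if not secrets_match(stored_password, password):
        return None
    return filter_id


def authenticate(cfg, user_name, presented_psk, radius_directory, radius_password=None):
    """Apply the article's sequence; returns (allowed, reason)."""
    # Step 1: a user defined on the gateway authenticates with their own pre-shared key.
    if user_name in cfg.defined_users:
        if secrets_match(cfg.defined_users[user_name], presented_psk):
            return True, "defined user: pre-shared key matched"
        return False, "defined user: pre-shared key mismatch"
    # Step 2: an unknown (dynamic) user is considered only when extended authentication is on.
    if not cfg.extended_auth_enabled:
        return False, "unknown user and extended authentication disabled"
    # Step 3: the presented shared secret must match the one configured for the tunnel.
    if not secrets_match(cfg.dynamic_psk, presented_psk):
        return False, "dynamic user: tunnel shared secret mismatch"
    # Step 4: the gateway prompts for the RADIUS credentials and hands them to RADIUS.
    filter_id = radius_authenticate(radius_directory, user_name, radius_password)
    if filter_id is None:
        return False, "dynamic user: RADIUS rejected the credentials"
    # Step 5: the group RADIUS returned must match the configured RADIUS Group Binding.
    if filter_id != cfg.radius_group_binding:
        return False, f"dynamic user: RADIUS group {filter_id!r} does not match binding"
    return True, "dynamic user: authenticated through RADIUS"


# Constructed sample data for the demonstration (not values from the article).
GATEWAY = GatewayConfig(
    defined_users={"alice": "alice-static-key-0123456789"},
    extended_auth_enabled=True,
    dynamic_psk="dynamic-group-key-abcdefghij",
    radius_group_binding="vpn-remote-users",
)
RADIUS_DIRECTORY = {          # user name -> (password, filter ID returned by RADIUS)
    "bob": ("bob-password", "vpn-remote-users"),
    "carol": ("carol-password", "contractors"),
}

if __name__ == "__main__":
    for key in [*GATEWAY.defined_users.values(), GATEWAY.dynamic_psk]:
        assert validate_psk(key), "pre-shared keys must be at least 20 characters"
    attempts = [
        ("alice", "alice-static-key-0123456789", None),          # defined user
        ("bob", "dynamic-group-key-abcdefghij", "bob-password"),  # dynamic, group matches
        ("carol", "dynamic-group-key-abcdefghij", "carol-password"),  # dynamic, wrong group
        ("bob", "not-the-tunnel-secret-at-all", "bob-password"),  # wrong tunnel secret
    ]
    for user, psk, pw in attempts:
        print(user, authenticate(GATEWAY, user, psk, RADIUS_DIRECTORY, pw))
```

The order matters for the defender: a dynamic user who does not know the tunnel's shared secret is refused before any RADIUS traffic is generated, and a valid RADIUS account is still refused when its returned group does not equal the binding, which is why the binding name must match the filter ID exactly.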

To create a VPN User Identity
  1. In the SGMI, in the left pane, click VPN.
  2. In the right pane, on the Client Users tab, check Enable.
  3. In the User Name text box, type the name of the user.
  4. In the Pre-Shared Key text box, type the pre-shared key for the user.
    The pre-shared key must be at least 20 characters.
  5. Click Add.
  6. Repeat steps 1 through 5 for each user that you need to create.

To configure dynamic users for RADIUS authentication
  1. If you have not already done so, create the user accounts in the RADIUS system.
  2. In the SGMI, in the left pane, click VPN.
  3. On the Advanced tab, under Dynamic VPN Client Settings, check Enable Dynamic VPN Client Tunnels.
  4. In the Pre-Shared Key text box, type the key that your dynamic users should provide.
    The pre-shared key must be at least 20 characters.
  5. Under RADIUS Settings, in the Primary RADIUS Server text box, type the IP address of your RADIUS server.
  6. Optionally, in the Secondary RADIUS Settings text box, type the IP address of a second RADIUS server.
  7. In the Authentication Port (UDP) text box, type the port used by your RADIUS server for authentication.
    The default setting (1812) should work for most RADIUS implementations.
  8. In the Shared Secret or Key text box, type the shared secret for your RADIUS server.
  9. Click Save.

Setting global policy settings for client-to-gateway VPN tunnels
Some settings are configurable at a global level for client-to-gateway VPN tunnels. These settings configure the Phase 1 ID type for all client VPN tunnels connecting to the security gateway. These settings are shared by all three VPN groups.

To set global policy settings for client-to-gateway VPN tunnels
  1. In the left pane of the SGMI, click VPN.
  2. In the right pane, on the Advanced tab, under Global VPN Client Settings, do the following:
    • On the Local Gateway Phase 1 ID Type drop-down list, select an ID type.
    • In the Local Gateway Phase 1 ID text box, type the value that corresponds to the ID type you selected.
    • On the VPN Policy drop-down list, select a VPN policy to apply to all client tunnels.
  3. Under Dynamic VPN Client Settings, do the following:
    • To enable dynamic users for all three VPN groups, click Enable Dynamic VPN Client Tunnels.
    • In the Pre-shared Key text box, type a string of characters for the key.
  4. Click Save.

Sharing information with your clients
After you have configured the client-to-gateway VPN tunnel, you must disseminate the gateway information to your clients so that they may connect to it. The following list describes the information that your clients will need in order to connect their tunnels:
  • Gateway IP address or fully-qualified domain name of the security gateway
  • Pre-shared key (user)
  • Client ID
  • RADIUS user name (if RADIUS is being used for extended authentication)
  • RADIUS shared secret (if RADIUS is being used for extended authentication)
  • Phase 1 ID (optional)


WARNING: Only share this information verbally or by some other secure means.


Monitoring VPN tunnel status
The VPN Status tab lets you view the status for each configured dynamic and static Gateway-to-Gateway VPN tunnel. The status for static tunnels is either Enabled or Disabled; the status for dynamic tunnels is Connected, Enabled, or Disabled. The status for static tunnels is never Connected because there is no negotiation for static tunnels.

The information that the Status tab displays is current at the time that you click the tab. The connection status may change as you view the information. Click Refresh to update the display.

To monitor VPN tunnel status
Verify that both ends of the tunnel are operational, and then monitor the Status window.

To refresh the information on the Status window
  1. In the SGMI, in the left pane, click VPN.
  2. In the right pane, on the Status tab, on the bottom of the Status window, click Refresh.

To verify that the tunnel is operational on both ends
From a local host, issue a PING command to a computer on the remote network.


Legacy ID: 2004080615104554