VPN Client Autoinitiation (Automatic VPN initiation) is a new feature that provides secure connections to hosts using a wireless LAN (WLAN) environment by connecting through a VPN 3000 Series Concentrator. With autoinitiation configured on the VPN Client, the Client becomes active immediately after the PC boots up, or after exiting Standby or Hibernation mode. The client establishes a VPN tunnel to the Concentrator defined for its network, prompts the user to authenticate, and allows that user network access.
In the WLAN network, the wireless client first associates itself to a wireless Access Point (AP). The installed VPN Client uses the IP address range it receives from the wireless connection to launch a VPN connection request automatically to the corresponding VPN Concentrator on site. The resulting IPSec VPN connection provides secure wireless 802.11x traffic for the wireless host. Without a successful VPN connection, the wireless host won’t have access to the network resources.
Currently, no wizard exists to perform this configuration, so it’s necessary to edit the vpnclient.ini file manually for the VPN Client to activate autoinitiation. This file is located in the VPN Client folder, under Program Files in the Windows environment. The file created previously in Chapter 12 looks like the following:
[main]
StatefulFirewall=1
EnableLog=1
[LOG.IKE]
LogLevel=1
[LOG.CM]
LogLevel=1
[LOG.PPP]
The changes can be made to the [Main] section by double clicking the file name. The file will then open in Notepad. Saving a copy before you begin might be a good idea.
As with any configuration, gathering the needed information before you begin makes sense. The following information is needed to configure autoinitiation.
The network IP addresses for the client network
The subnet mask for the client network
The names for all connection entries users are using for their connections
To configure autoinitiation, you need to add the following three keywords and appropriate values in the [Main] section of the vpnclient.ini file:
AutoInitiationEnable—enables or disables autoinitiation. 1 = enable, 0 = disable.
AutoInitiationRetryInterval—defines the number of minutes to wait before retrying the autoinitiation connection. Range is one to ten minutes. The default is one minute.
AutoInitiationList—defines a series of section names that follow this entry. Each one contains the network details needed to autoinitiate. Entries include network address, subnet mask, and a connection entry name, specifying a connection entry profile (.pcf file). You can have a maximum of 64 section (network) entries.
Next, you need to define the networks listed that are associated with the section names in the AutoInitiationList section. While the following is a simple example, it shows enabling autoinitiation for two networks. This feature could represent a significant advantage in a corporate environment, where some personnel frequently work in multiple locations.
[main]
AutoInitiationEnable=1                        (turns the feature on)
AutoInitiationRetryInterval=3                 (sets a 3-minute wait)
AutoInitiationList=TacomaWLAN, ViennaWLAN     (identifies 2 WLANs)
[TacomaWLAN]                                  (config info for Tacoma)
Network=10.95.254.0
Mask=255.255.255.0
ConnectionEntry=TacProf                       (connection profile named TacProf.pcf)
[ViennaWLAN]                                  (config info for Vienna)
Network=192.168.1.0
Mask=255.255.255.0
ConnectionEntry=VieProf                       (connection profile named VieProf.pcf)
StatefulFirewall=1
EnableLog=1
[LOG.IKE]
LogLevel=1
[LOG.CM]
LogLevel=1
[LOG.PPP]
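The following added example (not Cisco code or part of the original text) shows how a small checker can validate the autoinitiation keywords against the limits described above (enable flag, 1 to 10 minute retry interval, at most 64 network sections) and then resolve which connection profile a wireless host would use based on the IP address it received from the WLAN. The sample vpnclient.ini text is constructed and mirrors the two-network example; the function names are hypothetical.

```python
import configparser
import ipaddress

# Constructed sample vpnclient.ini; mirrors the Tacoma/Vienna example above.
SAMPLE_INI = """\
[main]
AutoInitiationEnable=1
AutoInitiationRetryInterval=3
AutoInitiationList=TacomaWLAN, ViennaWLAN
StatefulFirewall=1
EnableLog=1
[TacomaWLAN]
Network=10.95.254.0
Mask=255.255.255.0
ConnectionEntry=TacProf
[ViennaWLAN]
Network=192.168.1.0
Mask=255.255.255.0
ConnectionEntry=VieProf
"""

def load_autoinit(ini_text):
    """Return [(network, ConnectionEntry), ...] from [main], or [] when disabled."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(ini_text)
    main = cp["main"]
    if main.get("AutoInitiationEnable", "0") != "1":
        return []  # feature off: the client never autoinitiates
    retry = int(main.get("AutoInitiationRetryInterval", "1"))  # default 1 minute
    if not 1 <= retry <= 10:
        raise ValueError("AutoInitiationRetryInterval must be 1..10 minutes")
    names = [n.strip() for n in main["AutoInitiationList"].split(",") if n.strip()]
    if len(names) > 64:
        raise ValueError("AutoInitiationList allows at most 64 network sections")
    nets = []
    for name in names:
        sec = cp[name]  # KeyError if a listed section is missing from the file
        net = ipaddress.ip_network((sec["Network"], sec["Mask"]), strict=True)
        nets.append((net, sec["ConnectionEntry"]))
    return nets

def select_profile(client_ip, nets):
    """Return the .pcf profile for the WLAN subnet containing client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    for net, entry in nets:
        if ip in net:
            return entry + ".pcf"
    return None  # no matching network: no tunnel is autoinitiated
```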
The configuration steps required on the 3000 Concentrator for this feature are the same as for any other VPN Client group. Defining a new group and confirming that all Security Policy issues are addressed and enabled might be wise. This can also make administering and monitoring these users easier, as well as providing autoupdate configurations, if necessary.