Example: creating a policy-based VPN for mobile users

An example of a policy-based VPN that allows mobile users to authenticate and connect to internal networks.

Company A has service technicians and salespeople who must be able to connect to their office networks to access information when they are on customer visits. The administrators need to add VPN client access to the existing VPN infrastructure. The administrators decide to use Stonesoft VPN Client. As the authentication method, the administrators decide to use passwords stored in the Management Server’s internal database.

The administrators also want to provide only one point of access so that the users do not have to select which gateway to connect to. The central office has site-to-site VPN tunnels to both remote offices that can be used for forwarding traffic to those sites as needed. The existing DHCP server at the central office can be used to assign IP addresses to the VPN clients’ Virtual Adapter. A Virtual Adapter is required for this type of forwarding: the forwarded traffic must carry a source address from the central office’s own address space, which is what the forwarding Access rule and the remote gateways’ Site definitions match on.

The administrators:
  1. Edit the central office firewall element, then activate the Virtual Adapter method for VPN client address management.
  2. Edit the VPN Profile to use Hybrid Authentication for authenticating the VPN client users (the gateway authenticates with its certificate, the users with their user name and password).
  3. Create a Policy-Based VPN element called “Remote User VPN” that includes the central office gateway as a Central Gateway.
  4. Select the Only central Gateways from overall topology option on the Mobile VPN tab.
  5. Create a “Forward Addresses” Site element under the central office gateway.
  6. Populate the site with the remote office networks to route those IP addresses through the “Remote User VPN”.
  7. Disable the “Forward Addresses” Site in the existing “Inter-Office VPN” between the central office and the remote offices. Sites are global for all policy-based VPNs, so unless this Site is disabled in the Inter-Office VPN, the central office gateway would also claim the remote office networks as its own protected networks there, overlapping with the Sites of the remote office gateways and misconfiguring the Inter-Office VPN.
  8. Create User Group and User elements to define the user names and passwords for the VPN client users.
  9. Add the following Access rules in the policy of the central office firewall:
    Rule 1:
      Source: ANY
      Destination: Central office internal networks
      Action: Use VPN - Enforce VPN “Remote User VPN”
      Users: “VPN Client Users” User Group
      Authentication: “User Password” Authentication Service
      Source VPN: (empty)
    Rule 2:
      Source: VPN Client DHCP addresses
      Destination: Remote offices’ internal IP addresses
      Action: Use VPN - Forward VPN “Inter-Office VPN”
      Users: (empty)
      Authentication: (empty)
      Source VPN: Rule matches traffic from any VPN client
  10. Create a customized Stonesoft VPN Client installation package for Windows. A customized installation package lets users of Stonesoft VPN Client for Windows install silently, without providing any input. The administrators include the gateway contact information in the package so that users do not need to enter it manually, even the first time they use the Stonesoft VPN Client.
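The two points in this procedure that are easy to get wrong are step 7 (the global “Forward Addresses” Site overlapping the remote gateways’ Sites in the Inter-Office VPN) and step 9 (the forwarding rule only matching traffic that carries a Virtual Adapter address from the DHCP pool). The following Python model is an added example written for this page; it is not Stonesoft SMC code or API usage. The network ranges, the DHCP pool, the gateway names and the rule representation are assumptions chosen to illustrate the configuration above.

```python
"""Model of the 'Remote User VPN' example: Site overlap check and Access rule matching.

Added illustration only (not SMC code). Networks, pool and gateway names are assumed.
"""
from ipaddress import ip_address, ip_network

# Constructed topology (assumed values, not from the original page).
CENTRAL_NETS = [ip_network("10.1.0.0/16")]
REMOTE_A_NETS = [ip_network("10.2.0.0/16")]
REMOTE_B_NETS = [ip_network("10.3.0.0/16")]
VPN_CLIENT_POOL = ip_network("10.1.250.0/24")  # assumed DHCP scope for the Virtual Adapter

# Gateway -> {Site name: networks}. Sites are global: the same "Forward Addresses"
# Site under the central gateway is seen by every policy-based VPN it belongs to.
GATEWAY_SITES = {
    "Central": {"Central Site": CENTRAL_NETS,
                "Forward Addresses": REMOTE_A_NETS + REMOTE_B_NETS},
    "Remote A": {"Remote A Site": REMOTE_A_NETS},
    "Remote B": {"Remote B Site": REMOTE_B_NETS},
}


def protected_networks(vpn_gateways, disabled_sites):
    """Yield (gateway, network) for every Site enabled for the given VPN.

    disabled_sites holds (gateway, site) pairs switched off in this VPN only;
    the Site element itself stays global, as in the SMC.
    """
    for gw in vpn_gateways:
        for site, nets in GATEWAY_SITES[gw].items():
            if (gw, site) in disabled_sites:
                continue
            for net in nets:
                yield gw, net


def site_conflicts(vpn_gateways, disabled_sites=frozenset()):
    """Return (gw1, net1, gw2, net2) tuples where two gateways claim overlapping networks."""
    claims = list(protected_networks(vpn_gateways, disabled_sites))
    conflicts = []
    for i, (gw1, n1) in enumerate(claims):
        for gw2, n2 in claims[i + 1:]:
            if gw1 != gw2 and n1.overlaps(n2):
                conflicts.append((gw1, str(n1), gw2, str(n2)))
    return conflicts


# Access rules of the central office firewall in policy order (first match wins).
ACCESS_RULES = [
    {"name": "Enforce Remote User VPN",
     "src": None,                    # ANY
     "dst": CENTRAL_NETS,
     "users": "VPN Client Users",    # needs an authenticated member of this group
     "action": "Use VPN - Enforce VPN 'Remote User VPN'"},
    {"name": "Forward to Inter-Office VPN",
     "src": [VPN_CLIENT_POOL],       # VPN Client DHCP addresses
     "dst": REMOTE_A_NETS + REMOTE_B_NETS,
     "from_vpn_client": True,        # Source VPN: any VPN client
     "action": "Use VPN - Forward VPN 'Inter-Office VPN'"},
]


def match_rule(src, dst, user_group=None, from_vpn_client=False):
    """Return the action of the first rule matching a packet, or a discard marker."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in ACCESS_RULES:
        if rule["src"] is not None and not any(src in n for n in rule["src"]):
            continue
        if not any(dst in n for n in rule["dst"]):
            continue
        if rule.get("users") and user_group != rule["users"]:
            continue
        if rule.get("from_vpn_client") and not from_vpn_client:
            continue
        return rule["action"]
    return "discard (no matching rule)"


if __name__ == "__main__":
    inter_office = ["Central", "Remote A", "Remote B"]
    print("Inter-Office VPN, Forward Addresses enabled:", site_conflicts(inter_office))
    print("Inter-Office VPN, Forward Addresses disabled:",
          site_conflicts(inter_office, {("Central", "Forward Addresses")}))
    print("Remote User VPN (central gateway only):", site_conflicts(["Central"]))
    # Client with a Virtual Adapter address reaching the central office and a remote office.
    print(match_rule("10.1.250.10", "10.1.5.5", "VPN Client Users", from_vpn_client=True))
    print(match_rule("10.1.250.10", "10.2.5.5", from_vpn_client=True))
    # Same client without a Virtual Adapter: its physical address is not in the pool.
    print(match_rule("203.0.113.5", "10.2.5.5", from_vpn_client=True))
```

Running the model shows two overlaps in the Inter-Office VPN while “Forward Addresses” is enabled (the central gateway and each remote gateway both claim that remote gateway’s network), none once the Site is disabled for that VPN, and none in the Remote User VPN, where the central gateway is the only gateway. The rule matching shows why the Virtual Adapter is needed: traffic from the client’s physical address never matches the forwarding rule’s source, so it is dropped instead of being forwarded into the Inter-Office VPN.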