This document will demonstrate how to configure Client-to-Site VPN and detail how a remote user authenticates to the McAfee VPN Gateway, which is located at the main site.
You can also watch the steps described in this document by viewing the video below.
I - Background Information
The images below illustrate how the remote user securely connects to the main site. First, the user opens a VPN client on their machine and attempts to connect to the VPN gateway. The VPN gateway queries the authentication server to verify the user's credentials. Once authentication succeeds, a secure VPN tunnel is created between the user's machine and the main office network.
Once the user is logged in, the User/Application-Based Rules which we have already created apply strictly to these users. Let's say user "LMAJORS" logs into the main office from home. When this user wants to access a website such as "Amazon.com," the request follows the VPN hairpin route: it goes to the main office firewall, which already has a rule for user "LMajors." Based on sub-policy rule 15.5.1, the connection will be discarded.
Below is the VPN configuration page. In this case, we have two VPN gateways, "SantaClara Internal" gateway is the main office VPN gateway, and "IPsec Client" is the remote user's endpoint.
Drag-and-drop the "SantaClara Internal" gateway to the "Central Gateway" tab and drag-and-drop the "IPsec Client" to the "Satellite Gateways" tab. This will create a tunnel between the two gateways.
If the gateways are configured correctly, the status of the tunnel will be green. The status of the firewall will turn green when any user logs in via the VPN.
II - Demo
Let's do a simple test before we connect to the VPN gateway by trying to reach amazon.com in a web browser. We can indeed successfully connect to Amazon.com and other sites like Facebook.com.
The user is allowed to visit Amazon.com and Facebook.com since the connection request is not going through the hairpin route yet; rather it is going straight out to the Internet. Now let's connect to the VPN gateway. Below is an image of what the VPN client installed on the user's machine looks like.
Now let's go back and try to connect to Amazon.com, but before that, let's open the log view so we can watch the connection being evaluated.
We can see that the connection to Amazon.com was discarded. This connection was discarded based on the sub-policy rule 15.5.1 which we configured earlier. This proves that the connection request is now using the hairpin route.
We can right-click the log entry and view the rule. It will take us exactly to the rule that is discarding this connection.
As you can see, sub-policy rule 15.5.1 is in effect, which is discarding the connection.
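The log check above can be done without clicking through entries one by one. The script below is an added example and is not part of the original article or the McAfee product; it parses constructed firewall log lines and reports, for a given VPN user, whether their outbound web traffic is being discarded by the expected sub-policy rule (hairpin route in effect) or, conversely, whether any external destination was allowed over the VPN session. The key=value log format, the VPN client pool 10.200.0.0/24, the main-office LAN 192.168.10.0/24, the rule ids other than 15.5.1 and all addresses are assumptions made for this example; adapt the regular expression to the real log export format.

```python
"""Audit constructed NGFW log lines to confirm a VPN user's traffic is
evaluated by the expected sub-policy rule (i.e. the hairpin route works).
Added example; the log format and networks below are assumptions."""
import re
from ipaddress import ip_address, ip_network

# Assumed networks: VPN client address pool and main-office LAN.
VPN_CLIENT_NET = ip_network("10.200.0.0/24")
INTERNAL_NETS = [ip_network("192.168.10.0/24")]

# Constructed sample log lines (assumed key=value export format).
# Rule 15.5.1 is the discard rule from the article; other ids are made up.
SAMPLE_LOGS = """\
time=2023-01-01T10:00:01 src=10.200.0.15 dst=203.0.113.10 dport=443 user=LMajors action=Discard rule=15.5.1 vpn="IPsec Client"
time=2023-01-01T10:00:02 src=10.200.0.15 dst=198.51.100.25 dport=443 user=LMajors action=Discard rule=15.5.1 vpn="IPsec Client"
time=2023-01-01T10:00:05 src=10.200.0.15 dst=192.168.10.20 dport=445 user=LMajors action=Allow rule=15.5.3 vpn="IPsec Client"
time=2023-01-01T10:00:07 src=192.168.10.40 dst=203.0.113.10 dport=443 user=JDoe action=Allow rule=12.2 vpn=-
time=2023-01-01T10:00:09 src=10.200.0.22 dst=203.0.113.10 dport=443 user=RSmith action=Allow rule=15.5.9 vpn="IPsec Client"
"""

# Matches key=value, where value may be a double-quoted string with spaces.
LOG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return a dict of key/value fields from one log line."""
    return {k: v.strip('"') for k, v in LOG_RE.findall(line)}


def is_internal(ip):
    """True if the destination is inside the main-office LAN."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit_vpn_user(log_text, user, expected_rule):
    """Summarise how the firewall treated a VPN user's connections.

    hairpin_in_effect is True only when at least one connection was discarded
    by the expected rule and no external destination was allowed over the VPN.
    """
    summary = {
        "vpn_events": 0,
        "discarded_by_expected_rule": 0,
        "external_allowed_over_vpn": [],
    }
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or ev.get("user") != user:
            continue
        # Only sessions originating from the VPN client pool are of interest.
        if ip_address(ev["src"]) not in VPN_CLIENT_NET:
            continue
        summary["vpn_events"] += 1
        if ev["action"] == "Discard" and ev["rule"] == expected_rule:
            summary["discarded_by_expected_rule"] += 1
        elif ev["action"] == "Allow" and not is_internal(ev["dst"]):
            # Web traffic leaving via the VPN session but not blocked:
            # the user-based rule is not being applied as intended.
            summary["external_allowed_over_vpn"].append(ev["dst"])
    summary["hairpin_in_effect"] = (
        summary["discarded_by_expected_rule"] > 0
        and not summary["external_allowed_over_vpn"]
    )
    return summary


if __name__ == "__main__":
    for name in ("LMajors", "RSmith", "JDoe"):
        print(name, audit_vpn_user(SAMPLE_LOGS, name, "15.5.1"))
```

For LMajors the audit finds two discards by 15.5.1 and no external allows, so the hairpin route is confirmed; RSmith shows an external destination allowed over the VPN session, which is the case to investigate; JDoe has no VPN events at all because their traffic never left the office LAN.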