4-7
VPN Client User Guide for Mac OS X
OL-5490-01
Chapter 4 Configuring Connection Entries
Transport Parameters
Enable Transparent Tunneling
Transparent tunneling allows secure transmission between the VPN Client and a secure gateway through
a router serving as a firewall. The router might also be configured for Network Address Translation
(NAT) or Port Address Translation (PAT).
Native ESP traffic (IP protocol 50) carries no transport-layer port, so a NAT or PAT device has nothing
to translate and a stateful firewall has no session to track. Transparent tunneling solves this by
encapsulating the IPSec traffic: in UDP mode, ESP (Protocol 50) is encapsulated in UDP packets; in TCP
mode, both IKE (UDP 500) and ESP (Protocol 50) are encapsulated in TCP packets before they are sent
through the NAT or PAT devices and/or firewalls. The most common application for transparent tunneling
is behind a home router performing PAT.
Not all devices support multiple simultaneous connections behind them. Some cannot map additional
sessions to unique source ports. Check with your device's vendor to see if this limitation exists. Some
vendors support Protocol 50 (ESP) PAT, which might let you operate without enabling transparent
tunneling.
• To use transparent tunneling, the IPSec group on the Cisco VPN device must be configured to
support it.
• Transparent Tunneling is enabled by default. To disable this parameter, clear the check box. We
recommend that you keep this parameter enabled.
Transparent Tunneling Mode
The transparent tunneling mode you select must match the mode used by the VPN device providing your
connection to the private network.
• If you select IPSec over UDP (NAT/PAT), the default mode, the port number is negotiated.
• If you select TCP, you must enter the port number for TCP in the TCP port field. This port number
must match the port number configured on the VPN device. The default port number is 10000.
Note
Either mode operates properly through a PAT device. Multiple simultaneous connections might work
better with TCP, and if you are in an extranet environment, TCP mode is preferable. UDP mode does not
operate through stateful firewalls; use TCP mode with this configuration.
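To make the encapsulation described under Enable Transparent Tunneling and Transparent Tunneling Mode concrete, the following is an added example; it is not code from this guide or from the Cisco VPN Client. It models a PAT router, a native ESP packet, and the two transparent-tunneling wrappers, and shows why two clients behind the same PAT device collide with native ESP but not with IPSec over UDP or TCP. The packet layout, the PAT table, the class and function names, and the UDP port 4500 are assumptions; only IP protocol 50, IKE on UDP 500 and the TCP default port 10000 come from the page.

```python
# Added example, not from the Cisco guide: a toy model of why a PAT router
# needs transparent tunneling.  Native ESP (IP protocol 50) has no transport
# ports, so a PAT device has nothing unique to rewrite when a second client
# behind it opens a tunnel to the same gateway.  Wrapping ESP in UDP (IPSec over
# UDP) or in TCP (IPSec over TCP, default port 10000) restores a port field.
# The packet layout, the PAT table and the UDP port 4500 are assumptions; only
# the protocol numbers, IKE on UDP 500 and TCP 10000 come from the guide.
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50   # IP protocol numbers
IKE_PORT = 500                                # IKE runs on UDP 500
DEFAULT_TCP_TUNNEL_PORT = 10000               # guide's default IPSec-over-TCP port
ASSUMED_UDP_TUNNEL_PORT = 4500                # assumption: the negotiated UDP port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int]   # None when the protocol carries no ports (ESP)
    dst_port: Optional[int]
    payload: bytes


def ike_packet(src_ip: str, dst_ip: str, body: bytes) -> Packet:
    """Native IKE: UDP 500 on both ends."""
    return Packet(src_ip, dst_ip, PROTO_UDP, IKE_PORT, IKE_PORT, body)


def esp_packet(src_ip: str, dst_ip: str, spi: int, seq: int, ciphertext: bytes) -> Packet:
    """Native ESP: SPI and sequence number lead the payload; no transport ports."""
    return Packet(src_ip, dst_ip, PROTO_ESP, None, None, struct.pack("!II", spi, seq) + ciphertext)


def ipsec_over_udp(pkt: Packet, port: int = ASSUMED_UDP_TUNNEL_PORT) -> Packet:
    """IPSec over UDP (NAT/PAT) mode: ESP is wrapped in UDP on the negotiated port."""
    return Packet(pkt.src_ip, pkt.dst_ip, PROTO_UDP, port, port, pkt.payload)


def ipsec_over_tcp(pkt: Packet, port: int = DEFAULT_TCP_TUNNEL_PORT) -> Packet:
    """IPSec over TCP: both IKE and ESP are wrapped in TCP on the configured port."""
    return Packet(pkt.src_ip, pkt.dst_ip, PROTO_TCP, port, port, pkt.payload)


class PatRouter:
    """Simplified PAT device: rewrites the inside source IP and source port.

    Flows with a port field are keyed on (proto, inside IP, inside port) and each
    gets its own public port.  Native ESP has no port, so without ESP PAT the
    router can only key on the destination gateway and serves one inside host
    per gateway.  With esp_pat=True the ESP SPI is used as the demultiplexer,
    which is what the guide calls 'Protocol 50 (ESP) PAT'.
    """

    def __init__(self, public_ip: str, esp_pat: bool = False, first_port: int = 40000):
        self.public_ip = public_ip
        self.esp_pat = esp_pat
        self.next_port = first_port
        self.port_map: Dict[Tuple[int, str, int], int] = {}
        self.esp_owner: Dict[tuple, str] = {}

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as seen on the public side, or None if the PAT drops it."""
        if pkt.src_port is not None:
            key = (pkt.proto, pkt.src_ip, pkt.src_port)
            if key not in self.port_map:
                self.port_map[key] = self.next_port
                self.next_port += 1
            return Packet(self.public_ip, pkt.dst_ip, pkt.proto,
                          self.port_map[key], pkt.dst_port, pkt.payload)
        if pkt.proto != PROTO_ESP:
            return None
        if self.esp_pat:
            spi = struct.unpack("!I", pkt.payload[:4])[0]
            key = (PROTO_ESP, pkt.dst_ip, spi)
        else:
            key = (PROTO_ESP, pkt.dst_ip)
        owner = self.esp_owner.setdefault(key, pkt.src_ip)
        if owner != pkt.src_ip:
            return None   # a second inside host collides with the first and is dropped
        return Packet(self.public_ip, pkt.dst_ip, PROTO_ESP, None, None, pkt.payload)


def concurrent_clients(router: PatRouter, mode: str, gateway: str = "203.0.113.1") -> int:
    """Count how many of two inside hosts get a usable ESP flow to the gateway in `mode`."""
    wrap = {"native": lambda p: p, "udp": ipsec_over_udp, "tcp": ipsec_over_tcp}[mode]
    usable = 0
    for host, spi in (("192.168.1.10", 0x1001), ("192.168.1.11", 0x2002)):
        esp = esp_packet(host, gateway, spi, 1, b"constructed ciphertext")  # constructed sample
        if router.translate(wrap(esp)) is not None:
            usable += 1
    return usable


if __name__ == "__main__":
    for mode in ("native", "udp", "tcp"):
        print(mode, concurrent_clients(PatRouter("198.51.100.7"), mode))
    print("native with ESP PAT", concurrent_clients(PatRouter("198.51.100.7", esp_pat=True), "native"))
```

Running the block shows one usable flow for native ESP through a plain PAT router, and two for native ESP with ESP PAT, for IPSec over UDP, and for IPSec over TCP. This is the same distinction the page draws between devices that cannot map additional sessions to unique source ports and vendors that support Protocol 50 (ESP) PAT.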
Allow Local LAN Access
The Allow Local LAN Access parameter gives you access to resources on your local LAN when you are
connected through a secure gateway to a central-site VPN device.
• When this parameter is enabled:
– You can access local resources (printer, fax, shared files, other systems) while connected.
– You can access up to 10 networks. A network administrator at the central site configures the list
of networks on the VPN Client side that you can access.
– If you are connected to a central site, all traffic from your system goes through the IPSec tunnel
except traffic to the networks excluded from doing so (in the network list). Traffic to those
networks bypasses the IPSec tunnel and is therefore not protected by it.
– If enabled on the VPN Client and permitted on the central-site VPN device, you can see a list
of the local LANs that are available by choosing Statistics from the Status menu and clicking the
Route Details tab. For more information, see the “Route Details” section on page 7-10.
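The following is an added example of the Allow Local LAN Access routing decision described above; it is not code from this guide or from the Cisco VPN Client. It models the administrator-supplied exclusion list (at most 10 networks), the requirement that the parameter be enabled on the client and permitted on the central-site device before any traffic bypasses the tunnel, and the list of local LAN routes as the Route Details tab would show them. The class and method names are assumptions, and the sample networks are constructed.

```python
# Added example, not from the Cisco guide: a model of the Allow Local LAN Access
# routing decision.  The excluded-network list (at most 10 entries) is pushed by
# the central-site administrator, and local access is only effective when the
# client has it enabled AND the central-site device permits it; everything else
# goes through the IPSec tunnel.  Class and method names are assumptions.
import ipaddress
from typing import List

MAX_LOCAL_LAN_NETWORKS = 10   # the guide's limit on excluded networks


class LocalLanPolicy:
    def __init__(self, excluded_networks: List[str], enabled_on_client: bool, permitted_by_gateway: bool):
        if len(excluded_networks) > MAX_LOCAL_LAN_NETWORKS:
            raise ValueError(f"at most {MAX_LOCAL_LAN_NETWORKS} local LAN networks are allowed")
        self.networks = [ipaddress.ip_network(n, strict=False) for n in excluded_networks]
        # Both sides must agree before any traffic bypasses the tunnel.
        self.active = enabled_on_client and permitted_by_gateway

    def route_for(self, destination: str) -> str:
        """'local' if the destination is in a permitted local LAN, else 'tunnel'."""
        addr = ipaddress.ip_address(destination)
        if self.active and any(addr in net for net in self.networks):
            return "local"
        return "tunnel"

    def route_details(self) -> List[str]:
        """Local LAN routes as the Route Details tab would list them (empty when inactive)."""
        return [str(net) for net in self.networks] if self.active else []


if __name__ == "__main__":
    # Constructed sample: the administrator excludes the home printer subnet.
    policy = LocalLanPolicy(["192.168.1.0/24"], enabled_on_client=True, permitted_by_gateway=True)
    for dst in ("192.168.1.20", "10.10.5.7", "203.0.113.9"):
        print(dst, "->", policy.route_for(dst))
```

Note that a policy built with the client enabled but the gateway not permitting it routes everything through the tunnel and reports no local LAN routes, which matches the page's statement that both sides must allow the feature.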