Creating VPN Tunneling Connection Profiles

Use the Users > Resource Policies > VPN Tunneling > Connection Profiles page to create VPN tunneling connection profiles. When the system receives a client request to start a VPN tunneling session, it assigns an IP address to the client-side agent. The system assigns this IP address based on the DHCP Server or IP Address Pool policies that apply to a user's role. In addition, this feature allows you to specify the transport protocol, encryption method, and whether or not to employ data compression for the VPN tunneling session.

Nodes in a multi-site cluster share configuration information, which means that devices in different networks share a single IP address pool. Because any node may receive the client request to start the VPN tunneling session, you must specify an IP filter for each node that selects only those addresses in the pool that are available to that node. When a cluster node receives a request to create a VPN tunnel, it assigns the session's IP address from its filtered portion of the pool.

Ivanti recommends using standalone nodes or clusters of a maximum of two nodes behind a load balancer.

Ivanti Security Appliance (ISA)/ISA-V does not support clusters containing more than two nodes for ICS.

To write a VPN tunneling connection profile:

1. In the admin console, choose Users > Resource Policies > VPN Tunneling > Connection Profiles.

2. On the Connection Profiles page, click New Profile and configure the settings described in the following table.

3. Save the configuration.

4. On the Connection Profiles page, order the profiles according to how you want them evaluated. Once the system matches the resource requested by the user to a resource in a profile's (or a detailed rule's) Resource list, it performs the specified action and stops processing profiles. See the following table.

VPN Tunneling Connection Profile Settings

Setting

Guidelines

Name

A name to label this policy.

Description

A description of the policy (optional).

IPv4 address assignment

DHCP servers

Specify the hostname or IP address of a network Dynamic Host Configuration Protocol (DHCP) server responsible for handling client-side IP address assignment.

You can specify up to three DHCP servers by listing each one on a separate line. When multiple DHCP servers are listed, the system sends a DHCP Discover message to all listed DHCP servers and then waits five seconds for a response. If multiple DHCP servers respond, the system chooses the one with the longest lease period.

The system sends a DHCP release packet to the DHCP server when the VPN tunneling session ends.

DHCP provides a framework for passing configuration information to hosts. Configuration parameters and other control information are carried in tagged data items stored in the options field of the DHCP message. You can specify the DHCP options to forward by entering the option number, its value, and its type, and then clicking Add. For a complete list of DHCP options, see RFC 2132, "DHCP Options and BOOTP Vendor Extensions". To delete an option, select the check box next to the option number and then click the Delete button.

DHCP options

By default, Ivanti Connect Secure sends the client's hostname to the DHCP server in the DHCP hostname option (option 12). Passing the user UID in the DHCP hostname option is no longer supported. As an alternative, you can override the value by adding an entry to the DHCP options table. You can configure any sub-option (1-255) of a DHCP option; DHCP option 82, sub-option 5 has been qualified, and other options are compatible.

For example:

option number=12, option value=<username><authMethod>, option type=String

Or you can pass a value by adding an entry in the DHCP options table for hostname with whatever value you want. For example:

option number=12, option value=foo, option type=String
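As an added example (not code from this page or from Ivanti), the following builds and parses a DHCP options field in the RFC 2132 tag/length/value encoding that the table entries above describe: option 12 (host name) carrying a rendered <username><authMethod> value, and option 82 carrying sub-option 5, which RFC 3527 defines as link selection (the IPv4 subnet the server should allocate from). The user name, authentication method name and subnet are constructed, and the way the placeholders are substituted is an assumption of the example, not the appliance's documented rendering. The parser refuses truncated items rather than reading past the buffer, which is the classic failure in option parsers.

```python
"""Build and parse a DHCP options field as RFC 2132 tag/length/value items."""
import ipaddress
from typing import Dict, List, Tuple

OPT_PAD = 0
OPT_HOST_NAME = 12          # RFC 2132 section 3.14
OPT_RELAY_AGENT_INFO = 82   # RFC 3046; its value is a list of sub-option TLVs
OPT_END = 255
SUBOPT_LINK_SELECTION = 5   # RFC 3527: IPv4 subnet the server should allocate from


def encode_tlv(code: int, value: bytes) -> bytes:
    """One tag/length/value item; the single length byte caps values at 255 bytes."""
    if not 0 <= code <= 255:
        raise ValueError(f"code {code} does not fit in one byte")
    if len(value) > 255:
        raise ValueError(f"option {code}: {len(value)}-byte value exceeds the 255-byte limit")
    return bytes((code, len(value))) + value


def decode_tlvs(blob: bytes, outer: bool) -> List[Tuple[int, bytes]]:
    """Walk a TLV sequence without ever reading past the buffer.

    outer=True applies the top-level rules (PAD is skipped, END terminates);
    the sub-option list inside option 82 has neither."""
    items: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(blob):
        code = blob[i]
        if outer and code == OPT_END:
            break
        if outer and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code}: length byte missing")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: declares {length} bytes, {len(value)} present")
        items.append((code, value))
        i += 2 + length
    return items


def build_options(options: List[Tuple[int, bytes]]) -> bytes:
    """Serialise the configured options and terminate the field with END."""
    body = bytearray()
    for code, value in options:
        if code in (OPT_PAD, OPT_END):
            raise ValueError("PAD and END are framing, not configurable options")
        body += encode_tlv(code, value)
    return bytes(body) + bytes((OPT_END,))


def build_relay_agent_info(subopts: Dict[int, bytes]) -> bytes:
    """Option 82 value: concatenated sub-option TLVs, with no END marker inside."""
    return b"".join(encode_tlv(code, value) for code, value in subopts.items())


def link_selection(subnet: str) -> bytes:
    """Sub-option 5 payload: the 4-byte network address of the target subnet."""
    return ipaddress.IPv4Address(subnet).packed


def render_hostname(template: str, attrs: Dict[str, str]) -> str:
    """Substitute <name> placeholders. How the appliance itself renders
    <username><authMethod> is an assumption of this example."""
    out = template
    for name, value in attrs.items():
        out = out.replace(f"<{name}>", value)
    return out


def demo() -> Dict[str, str]:
    """Options field for one constructed client session, round-tripped through the parser."""
    hostname = render_hostname("<username><authMethod>",
                               {"username": "jdoe", "authMethod": "Local"})  # constructed
    wire = build_options([
        (OPT_HOST_NAME, hostname.encode("ascii")),
        (OPT_RELAY_AGENT_INFO,
         build_relay_agent_info({SUBOPT_LINK_SELECTION: link_selection("10.20.30.0")})),
    ])
    parsed = dict(decode_tlvs(wire, outer=True))
    sub = dict(decode_tlvs(parsed[OPT_RELAY_AGENT_INFO], outer=False))
    return {
        "wire": wire.hex(),
        "hostname": parsed[OPT_HOST_NAME].decode("ascii"),
        "link_selection": str(ipaddress.IPv4Address(sub[SUBOPT_LINK_SELECTION])),
    }
```

The sub-option list inside option 82 is parsed with the same routine but without PAD/END handling, because RFC 3046 defines no terminator for it; the outer field's END byte is what bounds the whole options area.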

IPv4 address pool

Specify IP addresses or a range of IP addresses for the system to assign to clients that run the VPN tunneling service. Use the canonical format: ip_range.

A range is written as two addresses separated by a hyphen (-); the second address may be abbreviated to its trailing octets. No other characters are allowed. The ip_range can be specified in any of the following forms:

a.b.c.d - Specifies a single IP address.

a.b.c.d-e.f.g.h - Specifies all IP addresses from the first address to the last address, inclusive.

a.b.c.d-f.g.h - An abbreviated form that specifies the range a.b.c.d through a.f.g.h

a.b.c.d-g.h - An abbreviated form that specifies the range a.b.c.d through a.b.g.h.

a.b.c.d-h - An abbreviated form that specifies the range a.b.c.d through a.b.c.h.

a.b.c.d/mask - Follows CIDR notation to assign the IPv4 address.

For example, 172.21.10.10/31 assigns no addresses to the ISAC (Ivanti Secure Access Client): a /31 contains only two addresses, and neither is assignable:

172.21.10.10 - the network address, which cannot be assigned to a client.

172.21.10.11 - the broadcast address, which cannot be assigned to a client.

A CIDR pool therefore needs at least four addresses (a /30): two are consumed by the network and broadcast addresses, leaving two that can be assigned to clients.

Be sure to specify a sufficient number of addresses in the IP address pool for all of the endpoints in your deployment. When all of the addresses in the pool have been assigned to endpoints, additional endpoints are unable to obtain a virtual IP address and are blocked from accessing protected resources. The system logs a message in the Event log when an IP address cannot be assigned to an endpoint.

We recommend that you set up your network so that the client-side IP address pool, or the DHCP server specified in the VPN tunneling connection profile, resides on the same subnet as Ivanti Connect Secure.

If your network topology dictates that the system internal IP interface and the IP address pool or DHCP server reside on different subnets, you need to add static routes to your intranet's gateway router(s) to ensure that your Enterprise resources and Ivanti Connect Secure can see each other on the internal network.

If you are running a multi-unit cluster across a LAN, make sure that the IP address pool contains addresses that are valid for each node in the cluster. Then, configure an IP filter for each node to apply to this IP address pool.

The system does not support a common IP address pool for VPN tunneling for an Active/Active cluster. In A/A VPN tunneling deployments, we recommend that you split the IP pool into node-specific sub-pools. Furthermore, you are advised to perform static route configuration on the backend router infrastructure in a coordinated fashion, with static routes to each sub-pool pointing to the internal IP address of the hosting cluster node as the next-hop gateway.

IP address pool also supports attribute substitution. For example, you can enter a RADIUS role mapping attribute in this field, such as <userAttr.Framed-IP-Address>.
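As an added example (not code from this page or from Ivanti), the following parses IPv4 address pool entries in the ip_range grammar described above, excluding the network and broadcast addresses of a CIDR entry so that a /31 yields nothing and a /30 yields two assignable addresses, checks whether the pool covers the expected number of endpoints, and carves a shared pool into the node-specific sub-pools recommended for Active/Active clusters. How the appliance treats a CIDR entry with host bits set, or a malformed entry, is not stated on this page, so the normalisation applied here is an assumption of the example.

```python
"""Parse IPv4 address pool entries (ip_range grammar) and size the pool."""
import ipaddress
from typing import List, Sequence

IPv4 = ipaddress.IPv4Address


def _complete_end(start: str, end: str) -> str:
    """Expand an abbreviated range end ('h', 'g.h', 'f.g.h') with the leading
    octets of the start address; a full 'e.f.g.h' is returned unchanged."""
    s = start.split(".")
    e = end.split(".")
    if len(s) != 4 or not 1 <= len(e) <= 4:
        raise ValueError(f"malformed range {start}-{end}")
    return ".".join(s[: 4 - len(e)] + e)


def expand_entry(entry: str) -> List[IPv4]:
    """Return the assignable client addresses described by one pool entry."""
    entry = entry.strip()
    if "/" in entry:
        # CIDR: network and broadcast are never assignable, so /31 and /32 yield nothing.
        # strict=False normalises host bits (172.21.10.10/30 -> 172.21.10.8/30); whether
        # the appliance does the same is an assumption of this example.
        net = ipaddress.IPv4Network(entry, strict=False)
        return [a for a in net if a not in (net.network_address, net.broadcast_address)]
    if "-" in entry:
        start, end = (p.strip() for p in entry.split("-", 1))
        first, last = IPv4(start), IPv4(_complete_end(start, end))
        if last < first:
            raise ValueError(f"range end {last} precedes start {first}")
        return [IPv4(n) for n in range(int(first), int(last) + 1)]
    return [IPv4(entry)]  # a.b.c.d: a single address


def expand_pool(entries: Sequence[str]) -> List[IPv4]:
    """Flatten all entries (one per line in the UI) into an ordered, de-duplicated list."""
    seen = set()
    for entry in entries:
        seen.update(expand_entry(entry))
    return sorted(seen)


def pool_shortfall(entries: Sequence[str], expected_endpoints: int) -> int:
    """Endpoints that would be refused a virtual IP once the pool is exhausted (0 = enough)."""
    return max(0, expected_endpoints - len(expand_pool(entries)))


def split_for_nodes(entries: Sequence[str], node_count: int) -> List[List[IPv4]]:
    """Carve a shared pool into contiguous node-specific sub-pools for an A/A cluster,
    one per node, matching the per-node IP filters and backend static routes."""
    if node_count < 1:
        raise ValueError("node_count must be positive")
    addrs = expand_pool(entries)
    per_node, extra = divmod(len(addrs), node_count)
    out: List[List[IPv4]] = []
    i = 0
    for n in range(node_count):
        take = per_node + (1 if n < extra else 0)
        out.append(addrs[i : i + take])
        i += take
    return out
```

Contiguous sub-pools matter for the static routes: each sub-pool should be summarisable as a prefix whose next hop is the owning node's internal address, so choose pool boundaries that fall on prefix boundaries when you configure the filters.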

IPv6 address assignment

Enable IPv6 address assignment to clients

Select this option to enable IPv6 connections.

IPv6 must be enabled on the internal interface before IPv6 addresses can be allocated to clients.

DHCPv6 servers

Specify the hostname or IPv6 address of a network DHCPv6 server responsible for handling client-side IPv6 address assignment.

You can specify up to three DHCPv6 servers by listing each one on a separate line. When multiple servers are listed, the system sends a DHCPv6 Solicit message (the DHCPv6 counterpart of the DHCPv4 Discover) to all listed servers and then waits five seconds for a response. If multiple servers respond, the system chooses the one offering the longest lease period.

The system sends a DHCPv6 Release message to the server when the VPN tunneling session ends.

This feature is available in release 22.5R2.1.

DHCP Subnet Selection

This option lets ICS tell the DHCP server which subnet to allocate an address from. Specify the IPv6 prefix that defines the range of IP addresses the DHCP server may assign to users of this profile, for example f00:112::/64.

This feature is available in releases 22.5R1 and 22.6R2.

IPv6 address pool

Specify IPv6 address ranges for this profile, one per line. As with the IPv4 address pool, the field accepts ip_range values. We recommend the IPv6 prefix notation (such as 2001:DB8::6:0/112).

Connection settings

Transport

Select one of the following options for transport, encryption, and compression settings:

ESP - Use UDP-encapsulated ESP to transfer data securely between the client and Connect Secure. ESP mode uses the LZO compression algorithm. You can use the default settings or configure data transfer parameters by defining the UDP port, the ESP-to-SSL fallback timeout, and the ESP encryption key lifetime values.

SSL - Use the standard SSL transport method. SSL uses a deflate compression method. In SSL mode, compression is controlled by the Enable GZIP compression option on the System Maintenance Options page.

To support IPv6 connections, set the MTU to greater than 1380; we recommend 1500. If the MTU on the external interface is lower than 1380 and IPv6 address assignment is enabled, the connection profile's transport setting is ignored and, to avoid IP fragmentation, the session falls back to SSL mode for both IPv6 and IPv4 traffic.


If you select ESP mode, configure the following transport and compression settings:

UDP port - Port through which you intend to direct UDP connection traffic. The default port number is 4500.

Whether you specify a custom port number or choose to use the default port number (4500), you must also ensure that other devices along the encrypted tunnel allow UDP traffic to pass between Ivanti Connect Secure and the clients. For example, if you employ an edge router and a firewall between the Internet and your corporate intranet, you must ensure that port 4500 is enabled on both the router and the firewall and that port 4500 is configured to pass UDP traffic.

UDP port 500 is reserved for IKEv2 on the system. Do not configure port 500 as the UDP port in your VPN tunneling profiles.

ESP to SSL fallback timeout - Period of time (in seconds) after a UDP connection failure before the client falls back to the SSL connection that is already established. The default is 15 seconds.

A nonconfigurable idle timeout of 60 seconds also affects when fallback occurs. After the tunnel is established through ESP, the client sends keepalives after 60 seconds of inactivity on the ESP channel (the idle timeout). The total time to fallback is therefore the idle timeout (60 seconds) plus the fallback timeout. For example, if ESP to SSL fallback timeout is set to 25 seconds, it takes approximately 60+25 or 85 seconds for the VPN tunneling client to switch.

Key lifetime (time based) - Period of time (in minutes) the system continues to use the same ESP encryption key for this connection profile. Both ends of the encrypted tunnel use a given key only for a limited period so that a compromised key exposes only a bounded amount of traffic. The default is 20 minutes.

Key lifetime (bytes transferred) - Maximum amount of data that is transferred on the tunnel for an ESP encryption key. The default is 0 bytes, meaning no limit.

When either key lifetime limit is reached, Connect Secure and the client exchange a new key. Rekeying limits the exposure of any single key, but rekeying too frequently increases CPU overhead on the system.


Replay Protection - Activates ESP anti-replay protection, which defends against an attacker on the network capturing client packets and resending them. When enabled, the system checks the sequence number in the ESP header of each packet that arrives from the client and rejects any packet whose sequence number has already been seen. This option is enabled by default.

If you activate the Enable TOS Bits Copy option, IP packets carrying different TOS bits may be reordered by gateway routers on your network. To ensure that packets arriving out of order are not dropped by the replay check when they reach the system, you can disable the Replay Protection option.

We recommend that you leave replay protection enabled if you are not expecting more than one source of packets from the client (for example, if only one application is transmitting and receiving traffic over the VPN tunnel).
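The check described above, as an added example that is not part of this page and is not Ivanti code: the standard ESP receive-side anti-replay window from RFC 4303 (section 3.4.3), which keeps the highest sequence number accepted and a bitmap of recently seen packets. A replay inside the window is rejected, modest reordering is tolerated, and a packet older than the window is dropped even if it was never seen, which is why heavy reordering (for example from TOS-based queuing) can cause legitimate drops. The window size used by the appliance is not documented here; 64 is a common default and 32 is the minimum the RFC requires.

```python
"""ESP anti-replay sliding window (RFC 4303 section 3.4.3, 32-bit sequence numbers)."""
from typing import List, Sequence


class AntiReplayWindow:
    """Tracks the highest accepted sequence number and a bitmap of the last `size` packets.

    Bit k of the bitmap set means sequence number (highest - k) has been accepted."""

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self._mask = (1 << size) - 1
        self.highest = 0   # 0 = nothing accepted yet; ESP never sends sequence number 0
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Pre-integrity check: would this sequence number be accepted?"""
        if seq <= 0 or seq > 0xFFFFFFFF:
            return False
        if seq > self.highest:
            return True                      # newer than anything seen: advances the window
        offset = self.highest - seq
        if offset >= self.size:
            return False                     # too old: fell off the left edge of the window
        return not (self.bitmap >> offset) & 1   # inside the window: reject if already seen

    def update(self, seq: int) -> None:
        """Record a packet whose ICV verified. A real receiver calls check(), then verifies
        the ICV, then update(), so that forged packets cannot move the window."""
        if seq > self.highest:
            shift = seq - self.highest
            # A jump of a full window or more leaves only the new packet marked.
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self._mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def check_and_update(self, seq: int) -> bool:
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok


def run_scenario(seqs: Sequence[int], window: int = 64) -> List[bool]:
    """Feed a constructed arrival order through one window; True = accepted, False = dropped."""
    w = AntiReplayWindow(window)
    return [w.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival orders: a late packet inside the window passes, a replay is dropped,
    # and a packet delayed by more than the window is dropped although it is not a replay.
    print(run_scenario([1, 2, 3, 5, 4, 3]))
    print(run_scenario([1, 200, 150, 100]))
```

Note the ordering in `update`: the window only advances on packets whose integrity check passed. If the window were updated before the ICV check, an attacker could send a packet with a forged high sequence number and push every legitimate in-flight packet out of the window.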

Compression - Use compression for the secure connection. Compression is useful on slow links but may cause problems in very large deployments, because extra CPU cycles are spent compressing data.

If you have selected ESP, select one of the following encryption settings:

AES128/MD5 (maximize performance) - Uses Advanced Encryption Standard (AES) 128-bit encryption on the data channel and the MD5 authentication method for VPN tunneling sessions.

AES128/SHA1 - Uses AES 128-bit encryption on the data channel and the SHA1 authentication method during VPN tunneling sessions.

AES256/MD5 - Uses AES 256-bit encryption on the data channel and the MD5 authentication method for VPN tunneling sessions.

AES256/SHA1 (maximize security) - Uses AES 256-bit encryption on the data channel and the SHA1 authentication method during VPN tunneling sessions.

AES256/SHA256 (maximize security) - Uses AES 256-bit encryption on the data channel and the SHA-256 (SHA-2) authentication method during VPN tunneling sessions. This option is limited to PSA hardware.

The MD5, SHA1 and SHA256 choices select the hash function used in the HMAC that authenticates each ESP packet: the hash reduces the packet to a fixed-length digest (128 bits for MD5, 160 bits for SHA1, 256 bits for SHA-256) that is computed with the shared key and attached to the packet, so the receiver can detect any modification in transit. This is an integrity check, not a digital signature. MD5 is no longer considered a strong hash; choose a SHA option unless a legacy client requires MD5.

DNS settings

IVE DNS Settings

In the DNS Settings section, select an option that determines the settings sent to the client:

IVE DNS Settings - Send the system DNS settings.

Manual DNS Settings - Override standard DNS settings with the settings you provide:

Primary DNS - Enter the IP address for the primary DNS.

Secondary DNS - Enter the IP address for the secondary DNS.

DNS Domain(s) - Enter the DNS domain(s), such as "yourcompany.com, yourcompany.net".

WINS - Enter the WINS server name or IP address.

DHCP DNS Settings - Send to the client the values the DHCP server sends to Ivanti Connect Secure. There is no fallback to the DNS settings if the DHCP Server does not send any values.

Auto-allow

Select Auto-allow IP's in DNS/WINS settings (only for split-tunnel enabled mode) if you want the system to create an allow rule for the DNS server automatically. For example, if you have defined policies that allow traffic to the 10.0.0.0 network but your DNS server is at 172.125.125.125, requests to the DNS server are dropped. If you select this option, the system creates a rule that allows the DNS requests.

DNS search order

Select the DNS server search order. Applicable only if split tunneling is enabled:

Search client DNS first, then the device

Search the device's DNS servers first, then the client

Search device DNS only.

DNS search order does not work with iOS clients. The DNS name resolution fields (System > Network > Overview) must be configured; otherwise all DNS queries go to the client's DNS server.

"Search device DNS only" is not supported for IPv6 DNS.

Ivanti Secure Access Client and greater supports all DNS search order options. Prior versions of Ivanti Secure Access Client support only Search client DNS first, then the device and Search the device's DNS servers first, then the client.

For the Search client DNS first, then the device and Search the device's DNS servers first, then the client options, the DNS servers configured on the system are added to the end user's system alongside the DNS servers already configured there; the option determines whether the device's or the client's DNS servers take precedence.

When Search device DNS only is selected, the DNS servers on the end user's system are replaced with the device's DNS servers. This option is recommended to avoid DNS hijacking by ISPs. It applies only to Windows; non-Windows clients use the Search the device's DNS servers first, then the client order when this option is selected. When using this option, you must ensure that packets to the system's DNS servers go through the tunnel: add the required routes to the split-tunneling networks policy (Users > Resource Policies > VPN Tunneling > Split-Tunneling Networks), or select the Auto-allow IPs in DNS/WINS settings option.

For the Search device DNS only option, the client software removes the DNS configuration from the available adapters on the client system after the tunnel is created. It does not subsequently monitor for new adapters or for changes to the DNS settings of existing adapters. Because of this, Search device DNS only may not work properly if any of the following occurs after the tunnel is created:

A new interface appears with a DNS server that does DNS hijacking.

A third-party application adds DNS to the adapters whose DNS was removed by the client as part of the tunnel set up process.

Third-party applications change the TCP/IP option from "Use the following DNS servers" to "Obtain DNS servers automatically" for those adapters whose DNS was removed by the client software as part of the tunnel set up process.

End users enable the interfaces that are in the disabled state during the tunnel set up process.

On Windows 8, selecting either the first or second radio button sends DNS requests to both the client's and gateway's DNS at the same time. On Windows 10, selecting the first radio button will have the same effect as the second button.


Proxy Server Settings

Proxy server settings

Select one of the following options:


No proxy server - Specifies that the new profile requires no proxy server.

Automatic (URL for PAC file on another server) - Specify the URL of the server on which the PAC file resides and the frequency (in minutes) at which the client polls the server for an updated PAC file. The minimum and default polling period is 10 minutes. The PAC file should reside on a web server, not on the local PC.

The PAC file update check runs on a 10-minute interval, so an update frequency that is a multiple of 10 is honored exactly; any other value is rounded up to the next multiple of 10. For example, an update frequency of 15 minutes results in the PAC file being updated every 20 minutes.

VPN tunneling limits the size of internal (server side) PAC files. The logical maximum size is 256 KB. The actual maximum size that can be used in your deployment might be smaller, reduced according to the size of other VPN tunneling settings in use, such as the number of split tunnel networks and DNS suffix entries.

Manual configuration - Specify the IP address or the hostname of the server and provide the port assignment.

Preserve client-side proxy settings - By default, VPN tunneling may change proxy settings when needed. For example, VPN tunneling may temporarily change the proxy settings of the browser so that traffic intended for the VPN session uses the temporary proxy settings. Select the Preserve client-side proxy settings option to prevent the client-side proxy settings from being overridden by VPN tunneling.

If you select this option, the path taken by HTTP and FTP traffic can change after VPN tunneling establishes the connection. Review the proxy logic together with the split-tunnel options and confirm that traffic is directed as intended.

Disable client-side proxy settings - Disables the client's proxy settings after the VPN tunnel is established.

In the use case where the client proxy configuration (proxy.pac) is hosted on a LAN server and users are outside the office network, proxy.pac is not accessible and users access the Internet directly. However, after a VPN tunnel is established, proxy.pac becomes accessible, and that causes all Internet requests to go through the tunnel to the proxy server. When you select Disable client-side proxy settings, client requests are served through the Ivanti server directly. When the tunnel is disconnected, the client proxy settings are restored.

Roles

Specify one of the following options:

Policy applies to ALL roles - To apply this policy to all users.

Policy applies to SELECTED roles - To apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

Policy applies to all roles OTHER THAN those selected below - To apply this policy to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.