I have a group of end users using certificate-based authentication stored on smart cards to access internal resources from remote locations. The smart cards are also used to authenticate and lock users' workstations/laptops. The problem is when an end user has an IPSec tunnel established and locks his environment, the only way to log back on is to remove and reinsert the smart card to get to the PIN prompt. This effectively breaks the VPN IPSec tunnel.
VPN client documentation states, "When a smart card is removed from the system, the tunnel is now automatically torn down. This enhancement causes the tunnel to immediately drop upon removal of the smart card from the system. This is an 'always on' feature."
I understand the idea here is to break the secure tunnel when credentials are removed. But in the situation I just described, are there suggestions for getting around this? Local authentication using a user/pass pair is not an option; strictly the PIN supplied on the smart card.
Perhaps the vpnclient.ini file can be modified with a string to prevent the tunnel from breaking when the smart card is removed?
Thanks for any input you may have.