
VPN User

ray_stone
Level 1

Hi, I have set up a new remote VPN connection and it's working fine. Now I want to protect a particular user who has the right to access the network by remote VPN. Is it possible for the user to be able to use his credentials only from a particular public IP? That is, if user A wants to connect with the remote VPN, then his public IP must be "1.1.1.1", but if user A tries to connect from another outside machine which has a different IP like "2.2.2.2", he is not able to access the VPN. Second question: can we implement MAC-based security and map the MAC address to the UID, so that only then the user is able to access it? Thanks.

2 Replies

kwillacey
Level 3

The remote access VPN should allow any IP address to connect, so you should not have that problem.

michael.leblanc
Level 4

You've not stated the type of VPN, so I'll assume you are referring to IPSec.

Usually, the point of a RAVPN is to facilitate secure connectivity from locations that are NOT pre-determined. That is why "dynamic" crypto maps are used.

Your interest in restricting a RAVPN Client to specific source IPs seems odd to me. If you were to pursue such an interest, you would likely define a "static" crypto map, and define the specific "peer addresses".

If you use appropriate credentials (incl. Xauth), I don't think you need to restrict RAVPN Clients to specific source IPs.

If "all" RAVPN Clients were connecting from pre-determined source IPs, you could use an external interface ACL to limit the sources that could establish ISAKMP connections, thereby preventing tunnel establishment.

With regard to MAC addresses:

When a frame arrives at the IPSec endpoint, the source MAC address is the MAC address of the "last-hop" router interface that placed the packet on the wire. The RAVPN host's MAC address is not present.
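
The external-interface ACL approach from the reply above, as an added example that is not part of the original post: it assumes a Cisco IOS router is the IPSec endpoint and NAT-T (UDP 4500) may be in use. The ACL name OUTSIDE-IN, the interface GigabitEthernet0/0 and the endpoint address 203.0.113.10 are hypothetical; 1.1.1.1 is the permitted client source from the question.

```cisco
! Added example (assumed platform: Cisco IOS). Names and 203.0.113.10 are constructed.
ip access-list extended OUTSIDE-IN
 remark Permit IKE, NAT-T and ESP only from the pre-determined client address
 permit udp host 1.1.1.1 host 203.0.113.10 eq isakmp
 permit udp host 1.1.1.1 host 203.0.113.10 eq non500-isakmp
 permit esp host 1.1.1.1 host 203.0.113.10
 remark Drop and log tunnel attempts from every other source
 deny   udp any host 203.0.113.10 eq isakmp log
 deny   udp any host 203.0.113.10 eq non500-isakmp log
 deny   esp any host 203.0.113.10 log
 remark The site's remaining inbound policy goes here; the implicit deny applies after it
!
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
```

This filter applies to every client that reaches the endpoint, so it only fits when all RAVPN clients connect from pre-determined addresses; it does not bind one source address to one username. The logged denies give a record of tunnel attempts from unexpected sources.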
