160 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys
• IPSec Backup Servers—This attribute is used on Cisco VPN 3002 Hardware Clients and
is not required for remote access users.
• Intercept DHCP Configure Message—Enable DHCP intercept to permit Microsoft
Windows XP clients to perform split tunneling with the VPN concentrator. When you
enable this field, the VPN concentrator replies to the Microsoft Windows XP client DHCP
Inform message. This capability allows the VPN concentrator to provide the client with a
subnet mask, domain name, and classless static routes for the tunnel IP address when a
DHCP server is not available.
• Subnet Mask—Enter a valid subnet mask for Microsoft Windows clients requesting
DHCP services.
• Split Tunneling Policy—This option, disabled by default, permits clients to specify some
types of traffic as not requiring IPSec protection. This traffic is sent in clear text. The
options within this attribute are as follows:
    — Tunnel everything—All data use the secure IPSec tunnel.
    — Allow networks in list to bypass the tunnel—All data use the secure IPSec
      tunnel except for data being sent to addresses on the network list. This option
      gives users who have elected to tunnel all traffic the ability to access devices
      such as printers on their local networks without having that traffic encrypted.
    — Only tunnel networks in list—Uses the secure IPSec tunnel for data sent to
      addresses on the network list. All other traffic is sent as clear text. This option
      allows remote users to access public networks without requiring IPSec
      tunneling through the corporate network.
• Split Tunneling Network List—If you select the Allow networks in list to bypass the
tunnel option, then this list is an exclusion list, allowing traffic to pass over the network
without going through IPSec. If you select the Only tunnel networks in list option, then
this list is an inclusion list that determines which traffic is handled via IPSec. You can
establish these lists elsewhere in the concentrator, or you can use the VPN Client Local
LAN option.
• Default Domain Name—If you supply a domain name here, the concentrator passes this
name to the client. Fully qualified domain names sent over the IPSec tunnel have this
domain name appended to the end.
• Split DNS Names—Enter a list of domain names that you want the VPN concentrator’s
internal DNS server to resolve for traffic going over the tunnel. This option is useful in
split-tunneling connections, permitting the internal DNS server to resolve domain names
for traffic through the tunnel. The ISP-assigned DNS servers resolve DNS requests that
travel in the clear to the Internet.
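
The three Split Tunneling Policy options and the Split DNS Names behavior described above, modeled as an added example (not code from the book or from Cisco) so that the traffic leaving in clear text under each setting can be reviewed. The network list, domain names, and addresses are constructed sample values, and matching split DNS names by whole-label suffix is an assumption.

```python
import ipaddress

# Policy names mirror the three options described in the text.
TUNNEL_EVERYTHING = "Tunnel everything"
BYPASS_LIST = "Allow networks in list to bypass the tunnel"
ONLY_LIST = "Only tunnel networks in list"

def in_list(dest, network_list):
    """True if dest falls inside any network on the split tunneling network list."""
    addr = ipaddress.ip_address(dest)
    return any(addr in ipaddress.ip_network(n) for n in network_list)

def path_for(policy, network_list, dest):
    """Return 'ipsec' or 'clear' for one destination under the given policy."""
    if policy == TUNNEL_EVERYTHING:
        return "ipsec"
    listed = in_list(dest, network_list)
    if policy == BYPASS_LIST:   # the list acts as an exclusion list
        return "clear" if listed else "ipsec"
    if policy == ONLY_LIST:     # the list acts as an inclusion list
        return "ipsec" if listed else "clear"
    raise ValueError(f"unknown policy: {policy!r}")

def resolver_for(name, split_dns_names):
    """Return 'internal' if name matches a split DNS name, else 'isp'.
    Assumption: names are compared by whole-label suffix."""
    labels = name.lower().rstrip(".").split(".")
    for suffix in split_dns_names:
        s = suffix.lower().strip(".").split(".")
        if labels[-len(s):] == s:
            return "internal"
    return "isp"

# Constructed sample values (not from the page).
NETWORK_LIST = ["10.0.0.0/8", "192.168.50.0/24"]
SPLIT_DNS = ["corp.example.com"]
DESTS = ["10.1.2.3", "192.168.50.20", "203.0.113.7"]

def audit(policy):
    """Map each sample destination to the path it takes under the policy."""
    return {d: path_for(policy, NETWORK_LIST, d) for d in DESTS}

if __name__ == "__main__":
    for p in (TUNNEL_EVERYTHING, BYPASS_LIST, ONLY_LIST):
        print(p, audit(p))
    for n in ("intranet.corp.example.com", "www.example.org"):
        print(n, "->", resolver_for(n, SPLIT_DNS))
```

The same network list flips meaning between the two list-based policies, so reviewing the `clear` entries for the selected policy shows exactly which destinations are reachable without IPSec protection.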