System information

166 Chapter 4: Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys
Require Individual User Authentication—You can also require all other users connected
to the VPN 3002 Hardware Client to authenticate before using the IPSec tunnel by
checking this attribute box. Each user is prompted for a username and password and is
authenticated using whatever method the IPSec group requires.
User Idle Timeout—The default idle timeout for a user’s connection is 30 minutes. The
smallest idle timeout period you can use is 1 minute. You can enter 0 to tell the concentrator
to never drop an idle connection. When a user’s connection has been idle for the period of
time specified by the idle timeout period, the concentrator drops the connection.
Cisco IP Phone Bypass—Checking this field tells the VPN concentrator not to negotiate
individual user authentication for IP phones.
Allow Network Extension Mode—You can configure the VPN 3000 Concentrator
to support Network Extension mode with VPN 3002 Hardware Clients in site-to-site
networks by checking this field. The VPN 3002 Hardware Client must also be configured
to support Network Extension mode, or the two devices can never connect to one another.
The default connection mode is Port Address Translation (PAT).
Figure 4-25 Configuration | User Management | Groups | Modify > HW Client
Modify Groups—PPTP/L2TP Tab
If you selected PPTP, L2TP, or L2TP over IPSec as an allowable tunneling protocol to be used
for VPN connections, you might need to make adjustments to the attributes displayed on the
PPTP/L2TP Tab, shown in Figure 4-26. Client and VPN concentrator settings must match
during VPN tunnel negotiations, or the tunnel is not established. The following attributes are
shown on this screen:
Use Client Address—You can allow clients to supply their own address for the client end
of the VPN tunnel. This is not a good idea from a security perspective, so be careful about
chpt_04.fm Page 166 Friday, April 4, 2003 9:19 AM