Switch User Manual
12 User Management
12-26
VPN 3000 Concentrator Series User Guide
Tunnel Type
Click the drop-down menu button and select the type of IPSec tunnel that this group’s clients use:
LAN-to-LAN = IPSec LAN-to-LAN connections between two VPN Concentrators (or between a VPN 
Concentrator and another protocol-compliant security gateway). See 
Configuration | System | Tunneling 
Protocols | IPSec LAN-to-LAN
. If you select this type, ignore the rest of the parameters on this tab.
Remote Access = Remote IPSec client connections to the VPN Concentrator. If you select this type, 
configure 
Remote Access Parameters below.
Remote Access Parameters
These group parameters apply to remote-access IPSec client connections only. If you select Remote 
Access
 for Tunnel Type, configure these parameters.
Group Lock
Check the box to restrict users to remote access through this group only. The IPSec client connects to 
the VPN Concentrator via a group name and password, and then the system authenticates a user via a 
username and password. If this box is not checked, the system authenticates a user without regard to the 
user’s assigned group.
Authentication
Click the drop-down menu button and select the user authentication method (authentication server type) 
to use with this group’s remote-access IPSec clients. This selection identifies the authentication method, 
not the specific server. Configure authentication servers on the 
Configuration | System | Servers | 
Authentication 
screens.
Selecting any authentication method (other than 
None) enables ISAKMP Extended Authentication, also 
known as XAuth.
None = No IPSec user authentication method. If you checked L2TP over IPSec under Tunneling 
Protocols
, use this selection.
RADIUS = Authenticate users via external Remote Authentication Dial-In User Service.
NT Domain = Authenticate users via external Windows NT Domain system.
SDI = Authenticate users via external RSA Security Inc. SecureID system.
Internal = Authenticate users via internal VPN Concentrator authentication server.
Mode Configuration
Check the box to use Mode Configuration with this group’s IPSec clients (also known as the ISAKMP 
Configuration Method or Configuration Transaction). This option exchanges configuration parameters 
with the client while negotiating Security Associations. If you check this box, configure the desired 
Mode Configuration Parameters below; otherwise, ignore them.
To use split tunneling, you must check this box.
If you checked 
L2TP over IPSec under Tunneling Protocols, do not check this box.










