Cisco VPN Client User Guide for Mac OS X
Encryption algorithms:
• 56-bit DES (Data Encryption Standard)
• 168-bit Triple DES
• AES, 128-bit and 256-bit

Extended Authentication (XAUTH): The capability of authenticating a user within IKE. This authentication is in addition to the normal IKE phase 1 authentication, where the IPSec devices authenticate each other. The extended authentication exchange within IKE does not replace the existing IKE authentication.

Mode Configuration: Also known as ISAKMP Configuration Method.

Tunnel Encapsulation Modes:
• IPSec over UDP (NAT/PAT)
• IPSec over TCP (NAT/PAT)

IP compression (IPCOMP) using LZS: Data compression algorithm.

Cisco VPN Client User Guide for Mac OS X, OL-3138-02

CHAPTER 2: Installing the VPN Client

This chapter describes how to install the VPN Client for Mac OS X.

Verifying System Requirements

The VPN Client for Mac OS X runs on any Power Macintosh or compatible computer with the Macintosh operating system version 10.1.5 or later and 30 MB of hard disk space.

Gathering Information You Need

To configure and use the VPN Client, you might be required to have the following information. This information is normally obtained from the system administrator of the private network you want to access. The system administrator might preconfigure much of this data.

• Hostname or IP address of the secure gateway you are connecting to
• Your IPSec Group Name (for preshared keys)
• Your I
• If you are using a GUI VPN Client, a pop-up message appears stating the reason for the disconnect; the message is appended to the Notifications log and is logged in the IPSec log (Log Viewer window).
• If you are using a command-line client, the message appears on your terminal and is logged in the IPSec log.
• For IPSec deletes, which do not tear down the connection, an event message appears in the IPSec log file, but no message pops up or appears on the terminal.

Note: The VPN concentrator you are connected to must be running software version 4.0 or later.

Single SA: The ability to support a single security association (SA) per VPN connection. Rather than creating a host-to-network SA pair for each split-tunneling network, this feature provides a host-to-ALL approach, creating one tunnel for all appropriate network traffic regardless of whether split tunneling is in use.

Authentication Features

The VPN Client supports the authentication features listed in Table 1-3.

Table 1-3: Authentication Features

User authentication through VPN central-site device:
• Internal, through the VPN device's database
• RADIUS (Remote Authentication Dial-In User Service)
• NT Domain (Windows NT)
• RSA (formerly SDI) SecurID or SoftID

Certificate Ma
• From an enrollment request file

To enroll a digital certificate for user authentication:

Step 1: Click the Certificates tab.

Step 2: Click Enroll at the top of the VPN Client window. The Certificate Enrollment dialog box appears.

Step 3: Choose a certificate enrollment type.
• If you choose Online, you obtain a certificate by enrolling with a CA over the network.
• If you choose File, the VPN Client generates an enrollment request file that you can email to a CA or post into a webpage form.

Figure 6-2 shows the Certificate Enrollment dialog box.

Figure 6-2: Online Certificate Enrollment [screenshot of the VPN Client Certificate Enrollment dialog: enrollment type Online or File; Online fields: Certificate Authority (<New>), CA URL, CA Domain, Challenge Password; File fields: Filename, New Password]

Step 4: Enter the enrollment parameters.

• For online enrollment, enter:

Certificate Authority: The Common name or the Subject name of the CA certificate. This drop-down list contains a history of previously enrolled CA certificates. If you select a CA from this list, the CA URL and the CA Domain fields are pre-populated. For <New> online enrollments, you must enter the CA URL and the CA Domain manually.

CA URL: The URL or network addr
Company (O): The company name for the certificate.

State (ST): The state for the certificate.

Country (C): The 2-letter country code for your country, for example, US. This two-letter country code must conform to ISO 3166 country abbreviations.

Step 7: Click Enroll to enroll a certificate from a CA, Go Back to review previous certificate enrollment parameters, or Cancel.

The certificate enrollment is listed in the certificate store as a request. To resume a certificate enrollment request, right-click and choose Resume Certificate Enrollment. Alternately, you can resume an enrollment from the Certificates menu.

A prompt indicates whether the certificate enrollment is successful (Figure 6-4).

Figure 6-4: Enrollment Complete [VPN Client message: "Certificate enrollment completed successfully", OK button]

If the certificate enrollment is not successful, contact your network administrator.

Managing Enrollment Requests

While a request is pending approval by the CA administration, the VPN Client places the enrollment request in the list on the Certificates tab. You can view, delete, or change the password for any request in the list, or you can retry a network enrollment request. To perform any of these actions, select the pending enrollment request and click on the Certificate
[Installer screenshot, Easy Install: steps Introduction, License, Select Destination, Installation Type, Installing, Finish Up; "Click Install to perform a basic installation of this software package"; buttons Customize, Go Back, Install]

To choose which packages to install, click Customize to open the Custom Install window (Figure 2-9).

Figure 2-9: Custom Install Window [Installer, Custom Install: "Checked packages will be installed"; packages and sizes: vpnclient-bin Upgrade 2,646 K; vpnclient-gui Upgrade 4,327 K; vpnclient-kext Upgrade 431 K; vpnclient-profiles Upgrade 63 K; vpnclient-startup Upgrade 2 K; Approximate installed size 109,869 K; buttons Easy Install, Go Back, Install]

The packages with the blue check box are optional. To make a package part of your installation, check the blue box. To remove a package from your installation, uncheck the blue box.

Click Easy Install to return to the default installation packages, or Install to continue with a custom installation.

A progress bar lists the installation steps as they occur (Figure 2-10).

Figure 2-10: Install Softw
Table 1-1: VPN Client Main Features (continued)

Tunnel protocol: IPSec

User Authentication:
• RADIUS
• RSA SecurID
• VPN server internal user list
• PKI digital certificates
• NT Domain (Windows NT)

Program Features

The VPN Client supports the program features listed in Table 1-2.

Table 1-2: Program Features

Servers Supported:
• Cisco IOS devices that support Easy VPN server functionality
• VPN 3000 Series Concentrators
• Cisco PIX Firewall Series, Version 6.2 or later

Interfaces supported:
• Graphical user interface
• Command-line interface

Online Help: Complete browser-based context-sensitive Help.
Note: The online help requires MS Internet Explorer.

Local LAN access: The ability to access resources on a local LAN while connected through a secure gateway to a central-site VPN server, if the central site grants permission.

Automatic VPN Client configuration option: The ability to import a configuration file.

Event logging: The VPN Client log collects events for viewing and analysis.

NAT Transparency (NAT-T): Enables the VPN Client and the VPN device to automatically detect when to use IPSec over UDP to work properly in Port Address Translation (PAT) environments.

Update of centrally controlled backup server list: The VPN
Registered Cisco.com users can order the Documentation CD-ROM (product number DOC-CONDOCCD) through the online Subscription Store: http://www.cisco.com/go/subscription

Ordering Documentation

You can find instructions for ordering documentation at this URL: http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace: http://www.cisco.com/en/US/partner/ordering/index.shtml
• Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number DOC-CONDOCCD) through the online Subscription Store: http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.

You can e-mail your comments to bug-doc@cisco.com.

You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following addre
Step 4: Confirm the password by entering it again.

Step 5: Click Save. The Connection Entry dialog box closes, and you return to the Connection Entries tab.

Certificate Authentication

Use this procedure if you plan to use digital certificates for authenticating for this connection entry.

You can obtain a digital certificate for use with the VPN Client by enrolling with a Public Key Infrastructure (PKI) or by importing a certificate from a file.

To configure this connection entry for a digital certificate:

Step 1: From the Authentication tab, click the Certificate Authentication radio button (Figure 4-4).

Figure 4-4: Certificate Authentication [dialog: Certificate Authentication selected; Name drop-down; Send CA Certificate Chain check box; buttons Erase User Password, Cancel, Save]

Step 2: Select a certificate from the Name drop-down menu.

Step 3: If the Name field displays No Certificates Installed, you must first enroll or import a certificate before you can use this feature. See the "Enrolling Certificates" section on page 6-2 or the "Importing a Certificate" section on page 6-7 for more information.

Step 4: To send CA certificate chains, check the Send CA Certificate Chain check box. This parameter is disabled by default.

A CA certificate chain includes all CA certifica
Index (continued)

enrollment request 6-5
VPN Client: defined 1-1; features 1-2; icon 5-2; menus 3-6; quitting 3-2; window 3-4, 5-2
VPN Daemon 7-6
VPN device: DPD 4-8
VPN devices 1-1
VPN Group 4-4
VPN server notification 1-4
VPN startup 2-8

W
warnings 6-10
window: log 3-8
window settings 3-2

X
X.509 1-2
XAUTH (extended authentication) 1-6
Change the password used to protect the certificate while it is in the VPN Client certificate store.
• Retry Certificate Enrollment: Retry a previously started certificate enrollment.
• Show or Hide CA/RA Certificates: This menu option toggles to show or hide root certificates issued by either a Certificate Authority (CA) or a Registration Authority (RA).

Log Menu

Use the Log menu (Figure 3-12) to enable, disable, view, or clear the event log, or to adjust the log settings.

Figure 3-12: Log Menu [menu items: Disable, Clear, Log Settings..., Log Window (⌘L), Search Log (⌘F), Save]

• Enable/Disable: Enable or disable event logging.
• Clear: Clear the event log.
• Log Settings: Open the Log Settings window to view current settings or make adjustments.
• Log Window: Open the Log Window, which is a separate window that displays events. From this window you can save the display, edit logging levels by event class, and clear both log displays. The Log Window shows more events than the display area of the main advanced-mode window.
• Search Log: Open the Search Log dialog box (Figure 3-13).

Figure 3-13: Log Search Dialog Box [VPN Client Search Log; Find entry field]

Enter the exact string to match in the Find entry field. The search string is not case sensitive and w
process 2-5; requirements 2-1; successful 2-11
installation packages 2-8
installer: directory 2-3; extracting 2-2; icon 2-2; package 2-2
installing the GUI 2-4, 2-8
interfaces supported 1-1
invalid certificate 6-11
IP address 7-9
IPCOMP (IP compression) 1-6
IPSec: attributes 1-6; features 1-5; group 4-4; module 7-6; with VPN 1-1
ISDN 1-1

K
keepalives 1-5
kernel extension 2-8
key: pair 6-8; preshared 1-6, 4-1; size 6-2, 6-8
keywords 2-2

L
LAN connection 1-1
launch from notification 1-4
launch browser 7-12
license agreement 2-6
local LAN access 1-3, 4-7, 7-10
log: menu 3-8; settings 3-8; tab 3-5; window 3-8, 7-8
log file, saving 3-8, 7-8
logging: classes 7-6; clear 7-5; levels 7-7; options 7-5; view in external window 7-7
login, simultaneous 4-1

M
Macintosh OS services 3-2
main mode 1-6
main tabs: certificates 3-5; connection entries 3-5; log 3-5
main VPN Client window 3-4, 5-2
managing: certificates 6-1; connection entries 7-1
MD5 (Message Digest 5) 1-6
menus: certificates 3-7; connection entries 3-6; log 3-8; main 3-6; right-click 3-8; status 3-7
minimize client window 3-2
mode: advanced 3-4; aggressive 1-6; authentication 1-6; configuration 1-6; main 1-6; simple 3-2; transparent tunneling 4-7; tunnel encapsulation 1-6
modify connection entry 7-2
MTU size 1-3

N
NAT Transparency 1-3, 7-10
new passwor
[Log tab screenshot, continued: IKE debug entries in the log display, for example:
...2003  Sev=Debug/7  IKE/0x43000075  NAV Trace->SA :: I_Cookie=8CB837ADF4C91439 R_Cookie=0000000000000000  AM_SND_MSG1 Event: EV_GEN_DHKEY
13:14:30.56  817  03/06/2003  Sev=Debug/7  IKE/0x43000075  NAV Trace->SA :: I_Cookie=8CB837ADF4C91439 R_Cookie=0000000000000000  AM_SND_MSG1 Event: EV_BLD_MSG
tabs Connection Entries, Certificates, Log; status bar: Not connected]

Every VPN session contains at least one log entry, the connection history.

To disable logging, click the Disable button at the top of the VPN Client window.

Clear Logging

To clear the event messages from the logging window, click Clear at the top of the VPN Client window. Clearing the display does not reset event numbering or clear the log file itself.

Note: To store the event messages before you clear the log, choose Save from the Log menu.

Set Logging Options

Logging options apply to the active VPN session. Changing the logging settings clears the event log, and the new logging settings take effect immediately.

To set logging options for the VPN Client:

Step 1: Click the Log tab.

Step 2: Click Options at the top of the VPN Client window. The Log Settings dialog box appears (Figure 7-5).

Figure 7-5: Log Settings [VPN Client Log Settings dialog: "Changing logging levels will take
[Log Window screenshot: VPN Client Log Window showing the banner "Cisco Systems VPN Client Version 3.7 (interim_brian). Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved. Client Type(s): Mac OS X. Running on: Darwin 1.4 Darwin Kernel Version 1.4: Sun Sep 9 15:39:59 PDT 2001; root:xnu/xnu-201.obj~1/RELEASE_PPC Power Macintosh"; buttons Clear, Save, Log Settings]

The following buttons allow you to manage the information in the Log Window:

• Save: Save the data in the event log to a file.

Note: The VPN Client saves the information to the Client install directory. The default file name is based on the date and time (in 24-hour format) that the log file was created, for example, LOG-2003-03-13-52-56.text. You can save what is in the present log to a different directory and filename, but you cannot change the default log directory and filename.

• Log Settings: Open the Log Settings window.
• Clear: Clear the information listed in the log window.
• Close: Close the Log Window.

Viewing Statistics

View VPN session information on the Statistics window. The Statistics window lists tunnel details, route details, and other information related to the active VPN session, including:
• IP addresses assigned for this session
• Byte and packet transfer statistics
• Encryption and authentication algorithms
• Split tunneling
Main tabs for managing the VPN Client

Toolbar Action Buttons, Advanced Mode

The action buttons at the top of the VPN Client window vary depending on which tab is forward.

For example, if the Connections tab is forward, the Connect, New, Import, Modify, and Delete buttons control operations for the selected connection entry (see Figure 3-6). If the Certificates tab is forward, the View, Import, Export, Enroll, Verify, and Delete buttons control operations for the selected certificate (Figure 3-7).

Figure 3-7: Toolbar Buttons, Certificates Tab [buttons: View, Import, Export, Enroll, Verify, Delete]

This section describes the three main tabs for managing the VPN Client (Figure 3-8).

Figure 3-8: VPN Client GUI Main Tabs [VPN Client, Version 4.0 (interim_brian); toolbar Connect, New, Import, Modify, Delete; tabs Connection Entries, Certificates, Log; connection entries listed with host and transport: 03-SanJose sjc-vpn-cluster.cisco.com IPSec; 04-SanJose-nat sjc-vpn-cluster.cisco.com IPSec/UDP; 05-RTP rtp-vpn-cluster.cisco.com IPSec; 06-RTP-nat rtp-vpn-cluster.cisco.com IPSec/UDP; 07-Amsterdam ams-vpn-cluster.cisco.com IPSec; 08-Amsterdam-nat ams-vpn-cluster.cisco.com IPSec/UDP; 09-Sydney syd-vpn-cluster.cisco.com IPSec; 10-Sydney-nat syd-vpn-cluster.cisco.com IPSec/UDP]
Status Menu

Use the Status menu (Figure 3-10) to display the tunnel and route statistics or to view notifications from the VPN device.

Figure 3-10: Status Menu [menu bar: VPN Client, Connection Entries, Status, Certificates, Log, Options, Help; Status items: Statistics..., Notifications..., Reset Stats]

• Statistics: Open the Statistics window to view tunnel details and route details.
• Notifications: Open the Notifications window to view notices from the VPN device.
• Reset Stats: Reset the VPN session statistics on the Tunnel Details tab of the Statistics window.

Certificates Menu

Use the Certificates menu (Figure 3-11) as a shortcut to frequently used certificate operations. The menu option applies to the certificate that is currently selected on the Certificates tab.

Note: A certificate must be selected to use Certificates menu options.

Figure 3-11: Certificates Menu [items: View..., Import..., Export..., Enroll..., Verify, Delete, Change Certificate Password..., Retry Certificate Enrollment, Show CA/RA Certificates (checked)]

• View: View the properties of the selected certificate.
• Import: Import a certificate from a file.
• Export: Export the selected certificate to a specified file location.
• Enroll: Enroll a digital certificate for user authentication.
• Verify: Verify that the selected certificate is valid.
• Delete: Delete the selected certificate.
• Change Certificate Password:
TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)

Cisco VPN Client User Guide for Mac OS X
Copyright © 2003, Cisco Systems, Inc. All rights reserved.

CONTENTS

About This Guide vii
  Audience vii
  Contents vii
  Related Documentation viii
  Terminology viii
  Document Conventions viii
  Data Formats ix
  Obtaining Documentation ix
    Cisco.com ix
    Documentation CD-ROM ix
    Ordering Documentation x
    Documentation Feedback x
  Obtaining Technical Assistance x
    Cisco.com x
    Technical Assistance Center xi
      Cisco TAC Website xi
      Cisco TAC Escalation Center xii
  Obtaining Additional Publications and Information xii

CHAPTER 1: Understanding the VPN Client 1-1
  Connection Technologies 1-1
  VPN Client Overview 1-1
  VPN Client Features 1-2
    Program Features 1-3
    Authentication Features 1-4
    IPSec Features 1-5
    VPN Client IPSec Attributes 1-6

CHAPTER 2: Installing the VPN Client 2-1
  Verifying System Requirements 2-1
  Gathering Information You Need 2-1
  Obtaining the VPN Client Software 2-1
  Preconfiguring the VPN Client 2-2
    Preconfiguring
The menu option applies to the connection entry that is currently selected on the Connection Entries tab.

Note: A connection entry must be selected to use Connection Entries menu options.

Figure 3-9: Connection Entries Menu [menu bar: VPN Client, Connection Entries, Status, Certificates, Log, Options, Help; items: Connect to 03-SanJose, Modify..., Delete, Duplicate, Set as Default Connection Entry, New..., Import...]

• Connect to: Establish a VPN connection using the selected connection entry. If the Connections tab is not selected, a submenu, which lists all available connection entries, is displayed.
• Disconnect: Disconnect the current VPN session.
• Modify: Modify the properties of the selected connection entry.
• Delete: Delete the selected connection entry.
• Duplicate: Duplicate the selected connection entry. This menu choice allows you to create a new connection entry using the configuration from a current connection entry as a template.
• Set as Default Connection Entry: Use the selected connection entry as the default. The default connection entry is used for this VPN session unless you select an alternate connection entry.
• New: Configure a new connection entry.
• Import: Import a connection entry from a file.

To configure a new connection entry, see Chapter 4, "Configuring Connection Entries."
also be configured for Network Address Translation (NAT) or Port Address Translation (PAT).

Transparent tunneling encapsulates Protocol 50 (ESP) traffic within UDP packets. It also allows both IKE (UDP 500) and Protocol 50 to be encapsulated in TCP packets before they are sent through the NAT or PAT devices and/or firewalls. The most common application for transparent tunneling is behind a home router performing PAT.

Not all devices support multiple simultaneous connections behind them. Some cannot map additional sessions to unique source ports. Check with your device's vendor to see if this limitation exists. Some vendors support Protocol 50 (ESP) PAT, which might let you operate without enabling transparent tunneling.

• To use transparent tunneling, the IPSec group in the Cisco VPN device must be configured to support it.
• Transparent Tunneling is enabled by default. To disable this parameter, clear the check box. We recommend that you keep this parameter enabled.

Transparent Tunneling Mode

The transparent tunneling mode you select must match the mode used by the VPN device providing your connection to the private network.

• If you select IPSec over UDP (NAT/PAT), the default mode, the port number is negotiated.
• If you select TCP, you must enter the port number for TCP in the TCP port field. This port number must match the port number configured on the VPN device. The default port number is 10000.

Note: Either mode operates prope
connection entry.

Note: If you cannot choose the Save Password option, your system administrator does not allow this option. If you can choose this option, be aware that using it might compromise system security, because your password is stored on your PC and is available to anyone who uses your PC.

If Save Password is checked and authentication fails, your password may be invalid. To eliminate a saved password, choose Erase User Password from the Connection Entries menu.

SecurID Authentication

RSA SecurID authentication methods include physical RSA SecurID cards and keychain fobs, and PC software called RSA SecurID for passcode generation. RSA SecurID cards can vary. The passcode might be a combination of a PIN and a card code, or you might be required to enter a PIN on the card to display the passcode. Ask your network administrator for the correct procedure.

When you use RSA SecurID passcodes for authentication:
• The process varies slightly for different operating systems.
• If you use physical RSA SecurID cards or keychain fobs, the VPN Client displays the appropriate RSA user authentication dialog box.
• If you use RSA SecurID for passcode generation, it must be running on your workstation.

In most configurations, you use RSA SecurID with VPN group authentication. With this type of authenti
• Chapter 5, "Establishing a VPN Connection": This chapter describes how to connect to a private network using the VPN Client, an Internet connection, and the user authentication methods supported by the VPN Client.
• Chapter 6, "Enrolling and Managing Certificates": This chapter describes how to obtain digital certificates to use for authentication and how to manage these certificates in the VPN Client certificate store.
• Chapter 7, "Managing the VPN Client": This chapter describes how to manage VPN Client connections, use the event log, and view tunnel details, including packet and routing data.

Related Documentation

The following is a list of user guides and other documentation related to the VPN Client for Mac OS X and the VPN devices that provide the connection to the private network:
• Release Notes for the Cisco VPN Client, Release 4.0
• Cisco VPN Client Administrator Guide, Release 4.0
• Cisco VPN 3000 Series Concentrator Getting Started Guide, Release 4.0
• Cisco VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.0
• Cisco VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring, Release 4.0

Terminology

In this user guide:
• The term Cisco VPN device refers to the following Cisco products:
  • Cisco IOS devices that support Easy VPN server functionality
  • V
• NAT transparency

To view VPN session statistics, choose Statistics from the Status menu.

The Statistics window has two tabs, Tunnel Details and Route Details. The Tunnel Details tab lists information about the VPN tunnel. The Route Details tab lists information about excluded and secured routes.

Tunnel Details

The Tunnel Details tab (Figure 7-8) displays the IP addresses assigned for this session and byte and packet statistics.

Figure 7-8: Statistics Window, Tunnel Details [VPN Client Statistics; tabs Tunnel Details, Route Details; groups: Address Information (Client, Server), Bytes (Received, Sent), Packets (Encrypted, ...), Connection Information, Crypto (Encryption, Authentication), Transport (Transparent Tunneling, Local LAN, Compression); buttons Reset, Close]

Use the Reset button to clear the fields in the tunnel details display. Alternately, you can reset the statistics by choosing Reset Stats from the Status menu.

Table 7-2 describes the statistics fields on the Tunnel Details tab.

Table 7-2: Tunnel Details

Client Address Information: IP address assigned to the client for this VPN session.
Server Address Information: IP address of the VPN device you are connected to.
Bytes Received: Number of bytes received by the client during the active session.
Bytes Sent: Number of bytes sent by the client during the active session.
Packets Encrypted: Number of packets encrypted during this VPN sessio
effect immediately and will cause the current log viewer to be cleared."; one level per class: IKE 3-High (LOG.IKE); Connection Manager 3-High (LOG.CM); Daemon (cvpnd) 3-High (LOG.CVPND); User Authentication 3-High (LOG.XAUTH); Certificates 3-High (LOG.CERT); IPSec 3-High (LOG.IPSEC); Command Line 3-High (LOG.CLI); GUI 1-Low (LOG.GUI)]

Table 7-1 describes the log classes that generate events in the VPN Client log viewer.

Table 7-1: VPN Client Logging Classes

LOG.IKE: Internet Key Exchange module, which manages security associations. Module: IKE.
LOG.CM: Connection Manager (CM), which drives VPN connections. CM dials a PPP device, configures IKE for establishing secure connections, and manages connection states. Module: Connection Manager.
LOG.CVPND: Cisco VPN Daemon, which initializes client service and controls the messaging process and flow. Module: Daemon (cvpnd).
LOG.XAUTH: Extended authentication (XAUTH) application, which validates a remote user's credentials. Module: eXtended AUTHentication.
LOG.CERT: Certificate management process, which handles obtaining, validating, and renewing certificates from certificate authorities. CERT also displays errors that occur as you use the application. Module: Certificates.
LOG.IPSEC: IPSec module, which obtains network traffic and applies IPSec rules to it. Module: IPSec.
LOG.CLI: Com
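The log entries pictured on the Log tab and the classes in Table 7-1 are what you work from when a tunnel will not come up, so here is a small parser for them. This is an added example and not Cisco's code: the line layout (time, sequence number, date, "Sev=<name>/<number>", "<class>/0x<event id>", message) is taken from the two IKE entries visible in the figure, the class names from Table 7-1, and everything else (the other event IDs, the Info/Warning severities, the sample lines themselves) is constructed for illustration. The "unanswered phase 1" check relies on one fact the figure does show: R_Cookie stays all zeros until the gateway answers the first aggressive-mode message.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (not captured from a real client). The first two
# entries reproduce the ones visible in the Log tab figure; the rest are made up.
SAMPLE_LOG = """\
13:14:30.56  817  03/06/2003  Sev=Debug/7  IKE/0x43000075  NAV Trace->SA :: I_Cookie=8CB837ADF4C91439 R_Cookie=0000000000000000  AM_SND_MSG1 Event: EV_GEN_DHKEY
13:14:30.56  818  03/06/2003  Sev=Debug/7  IKE/0x43000075  NAV Trace->SA :: I_Cookie=8CB837ADF4C91439 R_Cookie=0000000000000000  AM_SND_MSG1 Event: EV_BLD_MSG
13:14:31.05  819  03/06/2003  Sev=Debug/7  IKE/0x43000075  NAV Trace->SA :: I_Cookie=8CB837ADF4C91439 R_Cookie=2F1A9C0B44E7D318  AM_RCV_MSG2 Event: EV_CHK_MSG
13:14:31.10  820  03/06/2003  Sev=Info/4  CM/0x43100002  Begin connection process
13:20:02.00  821  03/06/2003  Sev=Debug/7  IKE/0x43000075  NAV Trace->SA :: I_Cookie=A1B2C3D4E5F60718 R_Cookie=0000000000000000  AM_SND_MSG1 Event: EV_BLD_MSG
13:20:18.00  822  03/06/2003  Sev=Warning/2  IKE/0x43000061  Retransmit limit reached, tearing down SA
this line is the connection-history banner, not an event
"""

COOKIES = re.compile(r"I_Cookie=([0-9A-F]{16}) R_Cookie=([0-9A-F]{16})")


@dataclass
class Event:
    seq: int
    time: str
    date: str
    sev_name: str   # Debug, Info, Warning, ...
    sev_num: int    # smaller number = more severe (Warning/2 < Info/4 < Debug/7)
    cls: str        # IKE, CM, CVPND, XAUTH, CERT, IPSEC, CLI, GUI (Table 7-1)
    event_id: int
    msg: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for banners and other non-event text."""
    parts = line.split()
    sev_idx = next((i for i, p in enumerate(parts) if p.startswith("Sev=")), None)
    if sev_idx is None or len(parts) < sev_idx + 2:
        return None
    # Header fields before Sev= are recognised by shape, not position, so a
    # time-first layout (as in the figure) and a sequence-first one both parse.
    seq = time = date = None
    for tok in parts[:sev_idx]:
        if ":" in tok:
            time = tok
        elif "/" in tok:
            date = tok
        elif tok.isdigit():
            seq = int(tok)
    sev_name, _, sev_num = parts[sev_idx][len("Sev="):].partition("/")
    cls, _, event_id = parts[sev_idx + 1].partition("/")
    if None in (seq, time, date) or not sev_num.isdigit() or not event_id.startswith("0x"):
        return None
    return Event(seq, time, date, sev_name, int(sev_num), cls,
                 int(event_id, 16), " ".join(parts[sev_idx + 2:]))


def parse_log(text: str) -> List[Event]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def count_by_class(events: List[Event]) -> Counter:
    """Per-class event counts, the same split the Log Settings dialog uses."""
    return Counter(e.cls for e in events)


def at_least_severity(events: List[Event], max_sev_num: int) -> List[Event]:
    """Events at severity max_sev_num or more severe (smaller number)."""
    return [e for e in events if e.sev_num <= max_sev_num]


def unanswered_phase1(events: List[Event]) -> set:
    """Initiator cookies whose SA never showed a non-zero responder cookie.

    An SA that never leaves R_Cookie=0000000000000000 got no reply to its
    first message: look at reachability of the gateway and whether IKE
    (UDP 500) or the transparent-tunneling port is passed, not at XAUTH.
    """
    seen, answered = set(), set()
    for e in events:
        if e.cls != "IKE":
            continue
        m = COOKIES.search(e.msg)
        if not m:
            continue
        i_cookie, r_cookie = m.groups()
        seen.add(i_cookie)
        if r_cookie != "0" * 16:
            answered.add(i_cookie)
    return seen - answered


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(count_by_class(evs))
    print("phase 1 never answered:", unanswered_phase1(evs))
```

Feed it a file saved from the Log menu (the default LOG-<date>-<time>.text) instead of SAMPLE_LOG and it gives the same class split the Log Settings dialog shows, plus the list of IKE negotiations the gateway never acknowledged.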
Chapter 5 Establishing a VPN Connection

Choosing Authentication Methods

VPN Group Name and Password Authentication

The VPN group login method uses your VPN group name and password for authentication (Figure 5-5). You can use VPN group authentication alone or with other authentication methods.

Figure 5-5 VPN Group Authentication [dialog: "Group Authentication for 'sample'. Enter your Group name and Group Password." Group Name: monkeys; Password: ********; OK, Cancel]

Enter your group name and password and click OK. The group name is the name of the IPSec group configured on the VPN device for this connection entry.

RADIUS Server Authentication

You can use RADIUS server authentication with VPN group authentication. With this type of authentication, two prompts appear. The first prompt is for the VPN group name and password, and the RADIUS user authentication prompt follows (Figure 5-6).

Figure 5-6 User Authentication for RADIUS [dialog: "eXtended AUTHentication. Xauth for radiusassigned. Enter Username and Password." Username: radiusassigned; Password; Save Password check box; OK, Cancel]

Enter your username and password and click OK.

Check the Save Password check box if you do not want to be prompted for your RADIUS password each time you start a VPN session using this
global profiles, place the vpnclient.ini in the VPN Client installer directory.

Note: Refer to the Cisco VPN Client Administrator Guide for information on creating user profiles, global profiles, and the complete list of file parameters, keywords, and values.

To access the installer directory:

Step 1 Double-click the vpnclient installer icon (Figure 2-1).

Figure 2-1 Installer Icon

Alternately, you can right-click (Control-click) the VPN Client installer icon and choose Open from the menu.

Figure 2-2 shows the vpnclient installer directory. This directory contains the installer package and any preconfigured files in the Profiles and Resources folders.

Figure 2-2 VPN Client Installer Directory [Finder window "vpnclient" containing Cisco VPN Client.mpkg, Profiles, Resources]

Preconfiguring the User Profile

The VPN Client uses parameters that must be uniquely configured for each remote user of the private network. Together these parameters make up a user profile, which is contained in a profile configuration file (.pcf file).

To distribute preconfigured profiles, copy the configuration files (.pcf files) into the Profiles folder in the vpnclient installer directory.

Any file with a .pcf extension found in this folder is
how to view and manage the VPN Client event log.

The event log can help diagnose problems with an IPSec connection between the VPN Client and a peer VPN device. The log collects event messages from all processes that contribute to the client-peer connection.

From the Log tab on the VPN Client window you can:
- Enable logging
- Clear the logging display
- View the event log in an external window
- Set or change the logging levels

Note: To search the log, choose Search Log from the Log menu. Matched instances are highlighted on the Log tab.

Enable Logging

Note: If you enable logging during normal use of the VPN Client, it might affect the performance of the application. We recommend that you only enable logging when troubleshooting.

To enable logging, click Enable at the top of the VPN Client window. Alternately, you can choose Enable from the Log menu. The event logging window displays (Figure 7-4).

Figure 7-4 Event Log [window "VPN Client, Version 4.0 (int_93), Event Logging Window"; toolbar: Disable, Clear, Log Settings, Log Window; sample entries:]

10    14:30:56.228  03/06/2003  Sev=Debug/9   IKE/0x43000001
RequestLocalAddress delay done 0 times

11    14:30:56.287  03/06/2003  Sev=Debug/7   IKE/0x43000075
NAV Trace->SA :I_Cookie=8CB837ADF4C91439 R_Cookie=0000000000000000 AM_INITIAL Event: EV_INITIATOR

12    14:30:56.288  03/06
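The two log entries shown in Figure 7-4 have a fixed header layout (sequence number, time, date, Sev=Name/number, CLASS/0xcode) followed by the message text on the next line or lines. The parser below, an added example and not part of the Cisco product or this guide, reads an exported log in that layout, tags each event with the module name from Table 7-1, and filters by class or severity so that a troubleshooting session can concentrate on the XAUTH or IKE events that matter. Entries 10 and 11 of the sample are copied from Figure 7-4; entry 12, its event code and its text are constructed for the example. The example also assumes that a lower severity number is more important (Sev=Warning/3 before Sev=Debug/9), which is how the numbers in the figure read.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Module column of Table 7-1 (GUI and CLI names are taken from the Log Settings dialog).
LOG_CLASSES = {
    "IKE": "IKE",
    "CM": "Connection Manager",
    "CVPND": "Daemon (cvpnd)",
    "XAUTH": "eXtended AUTHentication",
    "CERT": "Certificates",
    "IPSEC": "IPSec",
    "CLI": "Command Line",
    "GUI": "GUI",
}

# Header layout seen in Figure 7-4:
#   <seq>  <hh:mm:ss.mmm>  <mm/dd/yyyy>  Sev=<Name>/<n>  <CLASS>/0x<8 hex digits>
HEADER_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"Sev=(?P<sev_name>[A-Za-z]+)/(?P<sev>\d+)\s+"
    r"(?P<cls>[A-Z]+)/0x(?P<code>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class LogEvent:
    seq: int
    time: str
    date: str
    sev_name: str
    sev: int          # numeric severity; assumed here: lower is more important
    cls: str          # class token as logged, e.g. "IKE"
    code: int         # the 0x... event code as an integer
    message: str = ""

    @property
    def module(self) -> str:
        # An unknown class is reported rather than dropped, so nothing is lost silently.
        return LOG_CLASSES.get(self.cls, "Unknown (" + self.cls + ")")


def parse_log(text: str) -> List[LogEvent]:
    """Parse exported event-log text into LogEvent records (header + continuation lines)."""
    events: List[LogEvent] = []
    current: Optional[LogEvent] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = LogEvent(
                seq=int(m["seq"]), time=m["time"], date=m["date"],
                sev_name=m["sev_name"], sev=int(m["sev"]),
                cls=m["cls"], code=int(m["code"], 16),
            )
            events.append(current)
        elif current is not None:
            # Continuation line: belongs to the message of the open event.
            current.message = (current.message + " " + line).strip()
        # Text before the first header belongs to no event and is ignored.
    return events


def select_events(events: Iterable[LogEvent], max_sev: Optional[int] = None,
                  classes: Optional[Iterable[str]] = None) -> List[LogEvent]:
    """Keep events with severity number <= max_sev and/or whose class is in classes."""
    wanted = set(classes) if classes is not None else None
    out = []
    for ev in events:
        if max_sev is not None and ev.sev > max_sev:
            continue
        if wanted is not None and ev.cls not in wanted:
            continue
        out.append(ev)
    return out


def count_by_module(events: Iterable[LogEvent]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for ev in events:
        counts[ev.module] = counts.get(ev.module, 0) + 1
    return counts


# Constructed sample log: entries 10 and 11 are from Figure 7-4; entry 12 is made up.
SAMPLE_LOG = """\
10    14:30:56.228  03/06/2003  Sev=Debug/9   IKE/0x43000001
RequestLocalAddress delay done 0 times

11    14:30:56.287  03/06/2003  Sev=Debug/7   IKE/0x43000075
NAV Trace->SA :I_Cookie=8CB837ADF4C91439 R_Cookie=0000000000000000
AM_INITIAL Event: EV_INITIATOR

12    14:30:57.004  03/06/2003  Sev=Warning/3 XAUTH/0x43700001
Authentication failed for user "jdoe" (constructed entry)
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in select_events(evs, max_sev=3):
        print(ev.seq, ev.module, ev.sev_name, hex(ev.code), ev.message)
    print(count_by_module(evs))
```

Run it against the text of a log saved from the Log Window (or pasted from the Log tab); select_events(evs, classes={"XAUTH", "IKE"}) narrows an authentication problem to the two modules involved, and count_by_module shows at a glance which module is generating noise when a logging level is set too high.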
is valid.
- Delete: Delete the selected certificate.
- Change Certificate Password: Change the password used to protect the certificate while it is in the VPN Client certificate store.
- Retry Certificate Enrollment: Retry a previously started certificate enrollment.

CHAPTER 4 Configuring Connection Entries

A connection entry is a set of parameters that the VPN Client uses to identify and connect to a specific private network.

Connection entry parameters include a name and description for the connection, the name or address of the VPN device (the remote server providing the connection), and authentication information that identifies you as a valid user to the VPN device.

This chapter describes how to configure the parameters for a VPN Client connection entry.

Creating a Connection Entry

To use the VPN Client, you must create at least one connection entry, which identifies the following information:
- The VPN device that is providing access to the network.
- Preshared keys: The IPSec group that you have been assigned to. Your IPSec group determines the set of privileges you have for accessing and using the private network. For example, it specifies access hours, number of simultaneous logins, user authentication method, and the IPSec algorithms your VPN Client uses.
- Certificates: The name of the certificate you are using for authentication.
- Optional parameter
menu.

Viewing the Enrollment Request

To display the enrollment request:

Step 1 Select the enrollment request in the certificate store.
Step 2 Choose View from the Certificates menu.
Step 3 The VPN Client displays the pending request. The Issuer field shows the subject name and not the name of the CA, since the CA has not yet issued the certificate.

Tip: You can also change the certificate request password from the View dialog box.

Deleting an Enrollment Request

To delete an enrollment request:

Step 1 Select the enrollment request from the certificate store.
Step 2 Choose Delete from the Certificates menu. The VPN Client prompts you for a password.
Step 3 Enter the password in the Password field, if there is one, and click OK. The VPN Client verifies the password. If the password is correct, the VPN Client deletes the request.

Changing the Password on an Enrollment Request

To change the certificate password on an enrollment request:

Step 1 Select the certificate request from the certificate store.
Step 2 Choose Change Certificate Password from the Certificates menu. The VPN Client displays the Certificate Password dialog box (Figure 6-5).

Figure 6-5 Changing a Certificate Password [dialog "VPN Client Certificate Password": Enter your Certificate Password f
of backup servers or to manually add a backup server. See the "Backup Servers" section on page 4-8 for more information.

The Erase User Password button at the bottom of this dialog box erases the user password that is saved on the VPN Client workstation, forcing the VPN Client to prompt you for a password each time you establish a connection.

Click Save. The Connection Entry dialog box closes and you return to the Connection Entries tab.

Authentication Methods

You can configure a connection entry to authenticate as part of a group, which is configured on the VPN device, or by supplying an identity digital certificate. Use the Authentication tab on the Connection Entry Settings dialog box to select an authentication method for a connection entry.

Group Authentication

Use this procedure if you plan to use group authentication for this connection entry.

To configure group authentication:

Step 1 From the Authentication tab, click the Group Authentication radio button (Figure 4-3).

Figure 4-3 Group Authentication [tabs: Authentication, Transport, Backup Servers; Group Authentication selected; fields: Name, Password, Confirm Password]

Step 2 Enter the name of the IPSec group you belong to.
Step 3 Enter the password for your IPSec group. The field displays only asterisks
step and adjust your selections.

The installation process includes the following steps:
- Introduction, page 2-6
- Accepting the License Agreement, page 2-6
- Selecting the Application Destination, page 2-7
- Choosing the Installation Type, page 2-8

Introduction

The first window that appears during installation is the introduction. The right pane of the Introduction window (Figure 2-5) lists system requirements. The left pane displays each of the installation steps. As you complete each step, it is highlighted with a blue bullet.

Figure 2-5 Cisco VPN Client Introduction Window [Install Cisco VPN Client: "Welcome to the Cisco VPN Client Installer. This software requires Mac OS X version 10.1.5 or greater. To check your version, click on the Apple icon in the title bar, then select About this Mac." Continue button]

Click Continue.

Accepting the License Agreement

You are required to read and accept the Cisco software license agreement before you can continue with the installation process. See Figure 2-6.

Figure 2-6 Cisco License Agreement [Install Cisco VPN Client: To continue installing the
Preconfiguring the User Profile 2-3
Preconfiguring the Global Profile 2-3
Installing the VPN Client 2-4
  Authentication 2-4
  VPN Client Installation Process 2-5
    Introduction 2-6
    Accepting the License Agreement 2-6
    Selecting the Application Destination 2-7
    Choosing the Installation Type 2-8
  CLI Version Install Script Notes 2-12
Uninstalling the VPN Client 2-12

CHAPTER 3 Navigating the User Interface 3-1
  VPN Client Menu 3-1
  Choosing a Run Mode 3-2
  Operating in Simple Mode 3-2
    VPN Client Window, Simple Mode 3-2
    Main Menus, Simple Mode 3-3
      Connection Entries Menu 3-3
      Status Menu 3-3
  Operating in Advanced Mode 3-4
    VPN Client Window, Advanced Mode 3-4
    Toolbar Action Buttons, Advanced Mode 3-5
    Main Tabs, Advanced Mode 3-5
    Main Menus, Advanced Mode 3-6
      Connection Entries Menu 3-6
      Status Menu 3-7
      Certificates Menu 3-7
      Log Menu 3-8
    Right-Click Menus 3-8
      Connection Entries Tab Right-Click Menu 3-9
      Certificates Tab Right-Click Menu 3-10

CHAPTER 4 Configuring Connection Entries 4-1
  Creating a Connection Entry 4-1
  Authentication Methods 4-4
    Group Authentication 4-4
    Certificate Authentication 4-4
  Transport Parameters 4-6
    Enable Transport Tunneling 4-7
    Transparent Tunneling Mode 4-7
    Allow Local LAN Access 4-7
    Peer Response Timeout 4-8
  Backup Servers 4-8

CHAPTER 5 Establishing a VPN Connection 5-1
  Checking Prerequisites 5-1
through an external DNS (serving your ISP) or through an IPSec tunnel to domains served by the corporate DNS. The VPN server supplies a list of domains to the VPN Client for tunneling packets to destinations in the private network. For example, a query for a packet destined for corporate.com would go through the tunnel to the DNS that serves the private network, while a query for a packet destined for myfavoritesearch.com would be handled by the ISP's DNS. This feature is configured on the VPN server (VPN concentrator) and enabled on the VPN Client by default. To use Split DNS, you must also have split tunneling configured.

VPN Client IPSec Attributes

The VPN Client supports the IPSec attributes listed in Table 1-5.

Table 1-5 IPSec Attributes

Main Mode and Aggressive Mode: Ways to negotiate phase one of establishing ISAKMP Security Associations (SAs).

Authentication algorithms:
- HMAC (Hash-based Message Authentication Code) with MD5 (Message Digest 5) hash function
- HMAC with SHA-1 (Secure Hash Algorithm) hash function

Authentication Modes:
- Preshared Keys
- X.509 Digital Certificates

Diffie-Hellman Groups:
- 1 (DES)
- 2 (DES and 3DES)
- 5

Note: See the Cisco VPN Client Administrator Guide for more information about DH Group 5.

Note: Of the choices above, 56-bit DES, MD5, and DH group 1 give the least security margin. Where the VPN device allows it, prefer 3DES or AES, HMAC-SHA-1, and DH group 2 or 5; the algorithms used are decided by the IPSec group configuration on the VPN device, not by the client.
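The split DNS decision described above (a query for corporate.com goes through the tunnel to the corporate DNS, a query for myfavoritesearch.com goes to the ISP's DNS) is easy to get subtly wrong: the pushed domain list must be matched on label boundaries, or a name such as evilcorporate.com would also be sent into the tunnel. The following is an added example written for this page, not code from the Cisco VPN Client; the pushed domain list and the query names are constructed, and the behaviour when split tunneling is disabled (every query goes through the tunnel, because split DNS requires split tunneling) is an assumption stated in the code.

```python
from typing import Dict, Iterable


def normalize_name(name: str) -> str:
    """Lower-case a DNS name and strip surrounding whitespace and the trailing root dot."""
    return name.strip().rstrip(".").lower()


def in_domain(qname: str, domain: str) -> bool:
    """True if qname equals domain or lies below it.

    A plain suffix test (qname.endswith(domain)) would accept 'evilcorporate.com'
    for the pushed domain 'corporate.com'; requiring the separating '.' keeps the
    match on a label boundary."""
    q, d = normalize_name(qname), normalize_name(domain)
    if not d:
        return False          # an empty pushed entry must never match everything
    return q == d or q.endswith("." + d)


def select_resolver(qname: str, tunneled_domains: Iterable[str],
                    split_tunneling: bool = True) -> str:
    """Return "tunnel" (corporate DNS through the IPSec tunnel) or "isp" (external DNS).

    Assumption for this example: with split tunneling disabled the client is in
    tunnel-all mode, so every query, DNS included, goes through the tunnel."""
    if not split_tunneling:
        return "tunnel"
    for domain in tunneled_domains:
        if in_domain(qname, domain):
            return "tunnel"
    return "isp"


def route_queries(qnames: Iterable[str], tunneled_domains: Iterable[str],
                  split_tunneling: bool = True) -> Dict[str, str]:
    """Map each query name to the resolver it would be sent to."""
    domains = list(tunneled_domains)
    return {q: select_resolver(q, domains, split_tunneling) for q in qnames}


# Constructed sample: the list a VPN server might push, and the queries from the
# text plus the edge cases the label-boundary rule exists for.
PUSHED_DOMAINS = ["corporate.com", "lab.corporate.net."]
QUERIES = [
    "corporate.com",            # exact match -> tunnel
    "mail.corporate.com",       # subdomain -> tunnel
    "WWW.Corporate.COM.",       # case and trailing dot are irrelevant -> tunnel
    "myfavoritesearch.com",     # the text's example of an ISP-resolved name
    "evilcorporate.com",        # shares a suffix but is not below corporate.com -> isp
    "host.lab.corporate.net",   # below the second pushed domain -> tunnel
    "corporate.net",            # parent of a pushed domain, not below it -> isp
]

if __name__ == "__main__":
    for name, where in route_queries(QUERIES, PUSHED_DOMAINS).items():
        print(f"{name:28} -> {where}")
```

The same function decides the tunnel-all case: route_queries(QUERIES, PUSHED_DOMAINS, split_tunneling=False) sends every query, myfavoritesearch.com included, through the tunnel.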
[Figure 2-12, continued: Applications folder listing; the VPNClient entry is dated 1/15/03, 12:41 PM]

CLI Version Install Script Notes

The VPN Client installer includes both the graphical user interface and the command-line version of the VPN Client for Mac OS X. You can choose to manage the VPN Client using only the command line.

Use the following commands to start, stop, and restart VPN service:

    /System/Library/StartupItems/CiscoVPN/CiscoVPN start
    /System/Library/StartupItems/CiscoVPN/CiscoVPN stop
    /System/Library/StartupItems/CiscoVPN/CiscoVPN restart

Alternately, you can use these commands to interact with the kernel extension:

    sudo SystemStarter start CiscoVPN
    sudo SystemStarter stop CiscoVPN
    sudo SystemStarter restart CiscoVPN

During the installation process, the application binaries are copied to the specified destination directory.

Uninstalling the VPN Client

This section describes how to uninstall the VPN Client.

Note: You must have administrator privileges to uninstall the VPN Client. If you do not have administrator privileges, you must have someone with administrator privileges uninstall the product for you.
challenge password, certificate 6-3
challenge phrase 2-5
changing
  certificate password 6-11
  password on an enrollment request 6-6
classes for logging 7-6
clear log file 7-5
client type (platform) 3-1
client upgrades 7-12
coding, HMAC 1-6
command-line interface, logging 7-6
common name, certificate 6-4
configuration file 7-1
connection
  prerequisites 5-1
  status 5-3
connection entries tab 3-5
connection entry
  creating 4-2
  defined 4-1
  delete 3-6
  deleting 7-3
  importing 7-1
  menu 3-3
  modifying 7-2
  saving 7-3
  setting default 3-3, 3-6
  template 3-6
connection manager 7-6
connection technologies 1-1
connection types 1-2
copyright information 3-1
country code 6-8
CRL (Certificate Revocation List) 6-9
custom installation 2-9

D

data compression 1-6, 7-10
data formats ix
DDNS (Dynamic Domain Name System) 1-4
Dead Peer Detection, see DPD
default connection entry 3-3
default installation 2-9
delete
  certificate 6-10
  connection entry 3-6, 7-3
delete with reason 1-4
deleting
  enrollment request 6-5
department, certificate 6-4
DES (Data Encryption Standard) 7-10
destination volume 2-7
DHCP request 1-4
Diffie-Hellman groups 1-6
directory, applications 2-8
disable logging 3-8
disconnect client 3-3, 3-9
disk drive 2-7
disk space 2-1
DNS, split 1-5
documentation
  conventions viii
  obtaining ix
  related viii
domains 1-5
DPD
  adjusting
Cisco Systems

Cisco VPN Client User Guide for Mac OS X
Release 4.0
April 2003

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100

Customer Order Number:
Text Part Number: OL-3138-02

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR
Client learns the backup VPN server list when the connection is established. This feature is configured on the VPN device and pushed to the VPN Client. The backup servers for each connection entry are listed on the Backup Servers tab.

Set MTU size: The VPN Client automatically sets a size that is optimal for your environment. However, you can also set the MTU size manually. For information on adjusting the MTU size, see the VPN Client Administrator Guide.

Table 1-2 Program Features (continued)

Support for Dynamic DNS (DDNS hostname population): The VPN Client sends its hostname to the VPN device when the connection is established. If this occurs, the VPN device can send the hostname in a DHCP request. This causes the DNS server to update its database to include the new hostname and VPN Client address.

Notifications: Software update notifications from the VPN server upon connection.

Launching from notification: Ability to launch a location site containing upgrade software from a VPN server notification.

Alerts (Delete with reason): The VPN Client provides you with a reason code or reason text when a disconnect occurs. The VPN Client supports the delete with reason function for client-initiated disconnects, concentrator-initiated disconnects, and IPSec deletes
Enrolling Certificates

Step 5 Click Next to continue with certificate enrollment. The Certificate Enrollment dialog box appears (Figure 6-3).

Figure 6-3 Certificate Enrollment [dialog "VPN Client Certificate Enrollment": Enter certificate fields (* denotes a required field): Name (CN)*, Domain, Email (E), IP Address, Department (OU), Company (O), State (ST), Country (C); buttons: Cancel, Back, Enroll]

Step 6 Enter the remaining certificate enrollment parameters. All fields are required unless they are grayed out. Table 6-1 describes the entry fields.

Table 6-1 Certificate Enrollment Parameters

Name (CN): The common name for the certificate. The common name can be the name of a person, system, or other entity. It is the most specific level in the identification hierarchy. The common name becomes the name of the certificate. For example, Fred Flinstone.

Domain: The Fully Qualified Domain Name (FQDN) of the host for your system. For example, Dialin_Server.

Email (E): The user e-mail address for the certificate. For example, email@company.com.

IP Address: The IP address of the user's system. For example, 192.168.23.9.

Department (OU): The VPN group that this user belongs to. This field correlates to the Organizational Unit (OU). The OU is the same as the Group Name configured in a VPN 3000 Series Concentrator, for example,
VPN 3000 Series Concentrators
- Cisco PIX Firewall Series
- The term "PC" refers generically to any personal computer.
- The term click means click the left button on a normally configured multi-button mouse. The term right-click means click the right button on a normally configured multi-button mouse. If your mouse has only one button, use Ctrl-Click to access the right-click menus.

Document Conventions

This guide uses the following typographic conventions:
- Boldface font: Describes user actions and commands.
- Italic font: Describes arguments that you supply the values for.
- Screen font: Describes terminal sessions and information displayed by the system.
- Boldface screen font: Describes information that you must enter.

Notes use the following conventions:

Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.

Cautions use the following conventions:

Caution: Means reader be careful. Cautions alert you to actions or conditions that could result in equipment damage or loss of data.

Data Formats

When you configure the VPN Client, enter data in these formats unless the instructions indicate otherwise:
- IP Address: Use standard 4-byte dotted decimal notation, for example, 192.168.12.34. You can omit leading zeros in a byte position
IPSec Group Password (for preshared keys)
- The name of the certificate, if authenticating with a digital certificate
- Your username and password, if authenticating through:
  - The secure gateway's internal server
  - A RADIUS server
  - An NT Domain server
- Your username and PIN, if authenticating through a token vendor
- The hostnames or IP addresses of the backup servers, if you should configure backup server connections

Obtaining the VPN Client Software

The VPN Client software is available from the Cisco website and comes as a disk image file (vpnclient-<version>-GUI-k9.dmg). Only system administrators can obtain and distribute the VPN Client software.

To obtain the installer:

Step 1 Copy or download the image file to your Desktop.
Step 2 Double-click to extract the VPN Client installer to your Desktop.
Step 3 The image file remains on the Desktop.

Preconfiguring the VPN Client

This section describes how to distribute preconfigured configuration files, user profiles, and GUI preference files to the VPN Client installer.
- To distribute custom user profiles to the installer program, place the files in the Profiles folder of the VPN Client installer.
- To distribute custom images, place the files in the Resources folder of the VPN Client installer.
- To distribute custom
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe
[VPN Client window, advanced mode: connection entry "sample", host 10.212.20.52, transport IPSec/UDP; status bar: Not connected]

The three main tabs include:
- Connection Entries tab: Displays the list of current connection entries, the host (which is the VPN device each connection entry uses to gain access to the private network), and the transport properties that are set for each connection entry. Refer to Chapter 4, "Configuring Connection Entries," for more details on the Connection Entries tab.
- Certificates tab: Displays the list of certificates in the VPN Client certificate store. Use this tab to manage certificates. Refer to Chapter 6, "Enrolling and Managing Certificates," for more details on the Certificates tab.
- Log tab: Displays event messages from all processes that contribute to the client-peer connection, including enabling logging, clearing the event log, viewing the event log in an external window, and setting logging levels. Refer to Chapter 7, "Managing the VPN Client," for more information.

Main Menus, Advanced Mode

The following sections describe the main VPN Client menus, located at the top of your screen, when the VPN Client application is running in advanced mode and active on your desktop.

Connection Entries Menu

Use the Connection Entries menu (Figure 3-9) as a shortcut to frequently used connection entry operations
Vo3fasset id 44699 amp public view true amp kbns 1 html

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

Training: Cisco offers world-class networking training, with current offerings in network training listed at this URL:

http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html

CHAPTER 1 Understanding the VPN Client

The Cisco VPN Client for Mac OS X is a software application that runs on any Macintosh computer using operating system Version 10.1.5 or later. The VPN Client on a remote PC, communicating with a Cisco VPN device on an enterprise network or with a service provider, creates a secure connection over the Internet. This connection allows you to access a private network as if you were an on-site user, creating a Virtual Private Network (VPN).

The following VPN devices can terminate VPN connections from VPN Clients:
- Cisco IOS devices that support Easy VPN server functionality
- VPN 3000 Series Concentrators
- Cisco PIX Firewall Series, Version 6.2 or later

With the graphical user interface for the VPN Client for Mac OS X, you can establish a VPN connection
[Import Certificate dialog: Import Path (Browse); Import Password; "Entering a new password is optional. It is recommended to password protect identity certificates."; New Password; Verify Password; Import]

Enter the import path. If you do not know the location, browse to the folder where the certificate is located and click Open on the browser window. The import path is automatically entered in the Import Certificate dialog box.

Enter the import password. This is the password used to protect the certificate file, called the import password, and is assigned by the system administrator.

Enter the New Password. This is the password assigned by you to protect the certificate while it is in your certificate store. This password is optional but we recommend that you always protect your certificate with a password.

Verify the New Password again.

Click Import. The certificate is installed in the VPN Client certificate store.

Viewing a Certificate

To view the contents of a certificate in the certificate store:

Step 1 Click the Certificates tab.
Step 2 Select the certificate to view.
Step 3 Click View at the top of the VPN Client window or double-click the certificate. The Certificate Properties window appears (Figure 6-7).

Figure 6-7 Certificate Properties [window "VPN Client Certificate Properti
Backup Servers tab for each connection entry. Your network administrator can provide information regarding backup servers.

To use backup servers, you must enable this parameter.

To enable backup servers:

Step 1 Open the VPN Client application.
Step 2 Select a connection entry.
Step 3 Click Modify at the top of the VPN Client window. The VPN Client Properties dialog box appears.
Step 4 Click the Backup Servers tab (Figure 4-6).

Figure 4-6 Backup Servers Tab [Properties for "04-SanJose-nat"; Description: Connect to Cisco via San Jose using NAT; Host: sjc-vpn-cluster.cisco.com; tabs: Authentication, Transport, Backup Servers; Enable Backup Server checked; list: rtp-vpn-cluster.cisco.com, ams-vpn-cluster.cisco.com, syd-vpn-cluster.cisco.com, tky-vpn-cluster.cisco.com; Add, Remove, up/down arrows; Erase User Password; Cancel, Save]

Step 5 Check the Enable Backup Servers check box. This parameter is not enabled by default. The list of available backup servers is displayed. Backup servers are used in the order presented in the list.
Step 6 To change the order in which the backup servers are used, select a backup server and use the arrow buttons to move the server up or down in the list.
Step 7 Click Save. The VPN Client Properties dialog box closes and you return t
Change Certificate Password. The VPN Client displays the Change Certificate Password dialog box. In the Current field, type the password you are currently using to protect your private key.
Step 3 In the New field, type the new password.
Step 4 In the Confirm field, type the same password again.
Step 5 Click OK.

CHAPTER 7 Managing the VPN Client

This chapter describes how to manage connection entries, and view and manage the event logging.

Managing Connection Entries

The following sections describe the operations used to manage connection entries. This includes how to import, modify, and delete a connection entry.

Importing a Connection Entry

You can automatically configure your VPN Client with new settings by importing a new configuration file (a file with a .pcf extension, called a profile) supplied by your network administrator. Because a profile carries the connection parameters for the entry, including the IPSec group credentials, accept profiles only from your administrator and through a channel you trust.

To import a stored profile:

Step 1 Click the Connection Entries tab.
Step 2 Click Import at the top of the VPN Client window. The Import VPN Connection dialog box appears (Figure 7-1).

Figure 7-1 Import VPN Connection [file browser, From: Desktop; items shown include CiscoVPN, Documents, jeremy.p12, CiscoVPN.app, Library, new graphics, Movie
Software Progress Window (screenshot: Install Cisco VPN Client window at the "Installing" stage, processing vpnclient gui, writing files, time remaining less than a minute)

When the installation is finished, a window appears to indicate whether the installation was successful (Figure 2-11).

Figure 2-11 Successful Installation Confirmation Window (screenshot: Install Cisco VPN Client window at the "Finish Up" stage reporting "The software was successfully installed", with a Close button)

Click Close.

If you do not receive this confirmation, the installation was not successful. You must start the installation process again from the beginning or contact your network administrator for assistance.

To begin using the Client, double-click the VPN Client application icon located in the Applications directory (Figure 2-12).

Uninstalling the VPN Client

Figure 2-12 Location of VPN Client Application (screenshot: Finder window showing the Applications folder)
authentication, two prompts appear. The first prompt is for the VPN group name and password, and the RSA SecurID user authentication prompt follows (Figure 5-7).

Figure 5-7 User Authentication for RSA SecurID (screenshot: VPNClient eXtended AUTHentication dialog box with Username, Password, Save Password and Passcode fields and OK and Cancel buttons)

Enter your username and RSA SecurID passcode and click OK.

Using Digital Certificates

The VPN Client works with Certificate Authorities (CAs) that support SCEP, manual enrollment, or PKCS import.

Each time you establish a VPN connection using a certificate, the VPN Client verifies that your certificate is not expired.
• Valid: A message appears that indicates the validation period for this certificate.
• Expired: A warning appears that indicates when the certificate expired.

Each digital certificate is protected by a password. If the connection entry you are using requires a digital certificate for authentication, the VPN Certificate Authentication dialog box appears (Figure 5-8).

Figure 5-8 Certificate Password (screenshot: VPN Certificate Authentication dialog box prompting "Enter your Certificate Password for basiccert", with OK and Cancel buttons)

Enter the certificate password and c
You can delete any certificate from your certificate store. You must provide a password to delete an enrollment certificate.

Caution: You cannot retrieve a certificate that has been deleted.

To delete a user or root certificate:

Step 1 Click the Certificates tab.
Step 2 Select the certificate to delete.
Step 3 Click Delete at the top of the VPN Client window. A warning prompt appears (Figure 6-10).

Figure 6-10 Delete Certificate Warning (screenshot: "Are you sure you want to delete the certificate" prompt naming the certificate, with Do not Delete and Delete buttons)

Step 4 Verify the name of the certificate and click Delete. The selected certificate is deleted from the certificate store.

Click Do not Delete to return to the VPN Client window without deleting the selected certificate.

To delete an enrollment certificate:

Step 1 Click the Certificates tab.
Step 2 Select the enrollment certificate to delete.
Step 3 Click Delete at the top of the VPN Client window. The Certificate Password dialog box appears (Figure 6-11).

Figure 6-11 Password Prompt for Deleting Enrollment Certificates (screenshot: Certificate Password dialog box prompting "Enter your Certificate Password for annacert", with OK and Cancel buttons)

Step 4 Enter the Certificate Password for the selected ce
(page 4-7)
• Allow Local LAN Access (page 4-7)
• Peer Response Timeout (page 4-8)

To configure transport parameters:

Step 1 Open the VPN Client application.
Step 2 Select a connection entry.
Step 3 Click Modify at the top of the VPN Client window to access the VPN Client Properties dialog box.
Step 4 Click the Transport tab (Figure 4-5) to display the existing transport parameters configured for this connection entry.

Figure 4-5 Transport Settings (screenshot: VPN Client Properties dialog box for the "03 SanJose" entry, Transport tab with Enable Transport Tunneling, IPSec over UDP (NAT/PAT), IPSec over TCP with TCP Port 10000, Allow Local LAN Access, and Peer response timeout (seconds) 90)

Step 5 Select your transport settings. Refer to the following sections for more information on transport settings.
Step 6 Click Save. The VPN Client Properties dialog box closes and you return to the Connection Entries tab.

Enable Transport Tunneling

Transparent tunneling allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall. The router might
connection to a private network, manage connection entries, certificates, and event logging, and view tunnel routing data.

You can also manage the VPN Client for Mac OS X using the command line interface (CLI). If you are running Darwin, or if you prefer to manage the VPN Client from the CLI, refer to the Cisco VPN Client Administration Guide.

Connection Technologies

The VPN Client lets you use any of the following technologies to connect to the Internet:
• POTS (Plain Old Telephone Service): Uses a dial-up modem to connect.
• ISDN (Integrated Services Digital Network): May use a dial-up modem to connect.
• Cable: Uses a cable modem; always connected.
• DSL (Digital Subscriber Line): Uses a DSL modem; always connected.

You can also use the VPN Client on a PC with a direct LAN connection.

VPN Client Overview

The VPN Client works with a Cisco VPN device to create a secure connection, called a tunnel, between your computer and a private network. It uses Internet Key Exchange (IKE) and Internet Protocol Security (IPSec) tunneling protocols to establish and manage the secure connection.

The steps used to establish a VPN connection can include:
• Negotiating tunnel parameters (addresses, algorithms, lifetime)
• Establishing VPN tunnels according to the parameters
• Authenticat
Secure Hash Algorithm hash function.

Transparent tunneling: Displays whether transparent tunneling is enabled; if enabled, lists the protocol and port number.
Local LAN: Displays whether Local LAN access (split tunneling) is enabled.
Compression: Displays what type of data compression is used, if any.

Route Details

The Route Details tab displays the routes that VPN traffic takes into the network, which can be either Local LAN routes or secured routes.
• Local LAN routes are excluded from the secure VPN tunnel.
• Secured routes are routes that go through the secured VPN tunnel.

To display route data during an active VPN session, open the Statistics window and click the Route Details tab (Figure 7-9).

Figure 7-9 Statistics Window, Route Details (screenshot: Local LAN Routes and Secured Routes tables, each with Network and Subnet Mask columns, and a Close button)

For each local LAN or secured route, the following information is listed:
• Network: The IP address of the VPN device providing the route to the network.
• Subnet Mask: The subnet mask applied to the route.

Notifications

The VPN device that provides your connection to the private networ
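To make the split between Local LAN routes and secured routes concrete, here is an added example (not Cisco's code) that applies Route Details tables of the Network / Subnet Mask form to a destination address the way a split-tunnel policy would: the longest matching route wins, a Local LAN route keeps traffic out of the tunnel, and a tunnel-all policy is simply a secured route of 0.0.0.0 / 0.0.0.0. The route values are constructed samples, not taken from a real concentrator.

```python
"""Route Details classifier: decides whether a destination address leaves the
host in the clear (Local LAN route), inside the IPSec tunnel (secured route)
or untouched (no matching route, i.e. split tunneling without a catch-all).
Added example, not part of the Cisco VPN Client; route values are constructed.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Route tables in the Network / Subnet Mask form shown on the Route Details tab
# (constructed sample values).
LOCAL_LAN_ROUTES = [
    ("100.0.0.0", "255.0.0.0"),
    ("145.45.0.0", "255.255.0.0"),
]
SECURED_ROUTES = [
    ("20.20.0.0", "255.255.0.0"),
    ("200.100.10.0", "255.255.255.0"),
    ("5.5.5.0", "255.255.255.0"),
]
# A tunnel-all policy pushes a single catch-all secured route.
TUNNEL_ALL_ROUTES = SECURED_ROUTES + [("0.0.0.0", "0.0.0.0")]


def to_network(network: str, mask: str) -> IPv4Network:
    """Turn a Network / Subnet Mask pair into a prefix. strict=False accepts
    an entry whose network address still carries host bits."""
    return ip_network(f"{network}/{mask}", strict=False)


def classify(dest: str, local_lan, secured) -> str:
    """Return 'local-lan', 'secured' or 'direct' for a destination address.

    Longest prefix match across both tables. On equal prefix length the
    Local LAN route wins, matching the tab's statement that Local LAN routes
    are excluded from the tunnel.
    """
    addr: IPv4Address = ip_address(dest)
    best_len, best_kind = -1, "direct"
    # Secured routes are evaluated first so that an equal-length Local LAN
    # route, checked afterwards with >=, overrides them.
    for kind, table in (("secured", secured), ("local-lan", local_lan)):
        for network, mask in table:
            net = to_network(network, mask)
            if addr in net and net.prefixlen >= best_len:
                best_len, best_kind = net.prefixlen, kind
    return best_kind


def overlapping_routes(local_lan, secured):
    """List Local LAN routes that sit inside a secured route. Those are the
    destinations reachable in the clear even though a tunnel route covers
    them, which is what a review of a split-tunneling policy looks for."""
    local_nets = [to_network(n, m) for n, m in local_lan]
    secured_nets = [to_network(n, m) for n, m in secured]
    return [(str(l), str(s)) for l in local_nets for s in secured_nets
            if l.subnet_of(s)]


if __name__ == "__main__":
    for dest in ("100.1.2.3", "20.20.5.5", "8.8.8.8"):
        print(dest,
              classify(dest, LOCAL_LAN_ROUTES, SECURED_ROUTES),
              classify(dest, LOCAL_LAN_ROUTES, TUNNEL_ALL_ROUTES))
    print(overlapping_routes(LOCAL_LAN_ROUTES, TUNNEL_ALL_ROUTES))
```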
Properties for "Test Certificate" (screenshot: certificate properties window listing Common Name, Department, Company, State, Country, Email, MD5 Thumbprint, SHA1 Thumbprint, Key Size, Subject, Issuer, Serial Number, Not valid before and Not valid after for a 1024-bit test certificate issued by a lab CA, with a Change Password button)

A typical digital certificate contains the following information:
• Common name: The name of the owner, usually both the first and last names. This field identifies the owner within the Public Key Infrastructure (PKI) organization.
• Department: The name of the owner's department. This is the same as the organizational unit in the Subject field.
• Company: The company in which the owner is using the certificate. This is the same as the organization in the Subject field.
• State: The state in which the owner is using the certificate.
• Country: The 2-character country code in which the owner's system is located.
• Email: The e-mail address of the owner of the certificate.
• Thumbprint: The MD5 and SHA-1 hash of the certificate's complete contents. This provides a means for validating t
address of the CA. For example: http://198.162.41.9/certsrv/mcep/mcep.dll
• CA Domain: The CA's domain name. For example: qa2000.com
• Challenge Password: Some CAs require that you enter a password to access their site. Enter this password in the Challenge Password field. Obtain the challenge password from your administrator or from the CA.
• New Password: The password for this certificate. Each digital certificate is protected by a password. If you create a connection entry that requires a digital certificate for authentication, you must enter the certificate password each time you attempt a connection.

For file enrollment, enter:
• File encoding: The type of the output file.
  - Base 64: The default; an ASCII-encoded PKCS10 file that you can display because it is in a text format. Use this type when you want to cut and paste the text into the CA's website.
  - Binary: A base-2 PKCS10 (Public Key Cryptography Standards) file. You cannot display a binary-encoded file.
• Filename: The full pathname for the file request. For example: /Users/Anna/Documents/Certificates/mycert.p10
• New Password: The password for this certificate. Each digital certificate is protected by a password. If you create a connection entry that requires a digital certificate for authentication, you must enter the certificate password each time you attempt a connection.
Network administrator determines whether user authentication is required.

The VPN Client supports:
• Shared key or VPN group name and group password for authenticating the VPN device
• RADIUS server, RSA Security (SecurID), or Digital Certificates for authenticating the user

The authentication prompts displayed during the connection process depend on the configuration of your IPSec group. Refer to the appropriate section in this chapter for more information on the user authentication method configured for each connection entry.

Note: User names and passwords are case sensitive. You have three opportunities to enter the correct information before an error message indicates that authentication failed. Contact your network administrator if you cannot pass user authentication.

The following sections describe each user authentication method that the VPN Client supports.

Shared Key Authentication

The shared key authentication method uses the username and shared key password for authentication (Figure 5-4). The shared key password must be the same as the shared key password configured on the VPN device that is providing the connection to the private network.

Figure 5-4 Shared Key Authentication (screenshot: VPNClient eXtended AUTHentication dialog box for "03 SanJose" with Username and Password fields and OK and Cancel buttons)

Enter your Username and Password and click OK.
the authenticity of the certificate. For example, if you contact the issuing CA, you can use this identifier to verify that this certificate is the correct one to use.
• Key size: The size of the signing key pair in bits.
• Subject: The fully qualified distinguished name (FQDN) of the certificate's owner. This field uniquely identifies the owner of the certificate in a format that can be used for LDAP and X.500 directory queries. A typical subject includes the following fields:
  - common name (cn)
  - organizational unit, or department (ou)
  - organization or company (o)
  - locality, city or town (l)
  - state or province (st)
  - country (c)
  - e-mail address (e)
  Other items might be included in the Subject, depending on the certificate.
• Issuer: The fully qualified distinguished name (FQDN) of the source that provided the certificate.
• Serial number: A unique identifier used for tracking the validity of the certificate on the Certificate Revocation Lists (CRLs).
• Not valid before: The beginning date that the certificate is valid.
• Not valid after: The end date beyond which the certificate is no longer valid.

Step 4 Click Close to return to the VPN Client window.

Exporting a Certificate

To export a certificate fr
show that you have installation privileges.

Step 1 Open the installer package by double-clicking the Cisco VPN Client mpkg file that resides in the installer directory (see Figure 2-2).

The Authorization window appears (Figure 2-3). You must have an Administrator password to install the VPN Client application.

Figure 2-3 Authorization Window (screenshot: Install Cisco VPN Client, Authorization step, "You need an Administrator password to install the software", with a lock icon and "Click the lock to make changes")

Step 2 Click the lock to Authenticate your password. The Authenticate dialog box appears (Figure 2-4).

Figure 2-4 Authenticate Dialog Box (screenshot: "You need an administrator name and password or phrase to make changes in Cisco VPN Client", with Name and Password or phrase fields and Cancel and OK buttons)

Step 3 Enter your administrator username and a password or challenge phrase.
Step 4 Click OK.

If the authentication is successful, continue to the installation process. Contact your network administrator if you cannot authenticate for installation.

VPN Client Installation Process

You must complete all steps in the VPN Client installation process before you can use the VPN Client software.

At any time during the installation process, you can go back to a previous
Creating a Connection Entry

Figure 4-2 Create New VPN Connection Entry (screenshot: dialog box with Connection Entry, Description and Host fields, Authentication, Transport and Backup Servers tabs, Group Authentication with Name, Password and Confirm Password, Certificate Authentication with Name and Send CA Certificate Chain, and Erase User Password, Cancel and Save buttons)

Step 4 Enter a unique connection entry name. You can use any name to identify this connection. This name can contain spaces, and it is not case sensitive.
Step 5 Enter a description of this connection. This field is optional, but it helps to further identify this connection. For example: Connection to Engineering remote server.
Step 6 Enter the Host name or IP address of the remote VPN device that is providing access to the private network.
Step 7 Use the Authentication tab to select an authentication method. You can connect as part of a group, which is configured on the VPN device, or by supplying an identity digital certificate. See the "Authentication Methods" section on page 4-4 for more information.
Step 8 Use the Transport tab to set transport parameters. See the "Transport Parameters" section on page 4-6 for more information.
Step 9 Use the Backup Servers tab to view the current list
Wildcards are not allowed. Matched instances are highlighted on the Log tab.
• Save: Save the event log to a file.

Right-Click Menus

Use the right-click menus from the Connection Entries tab or the Certificates tab as an alternate method for performing frequent VPN Client operations. If your mouse has only one button, use Ctrl-Click to access the right-click menus.

Connection Entries Tab Right-Click Menu

Figure 3-14 shows the right-click menu options available when the Connection Entries tab is selected.

Figure 3-14 Connection Entries Right-Click Menu (screenshot: VPN Client Version 4.0 window, Connection Entries tab listing entries with Host and Transport columns, with the right-click menu open showing Connect, Disconnect, Duplicate and Delete)

• Connect: Establish a VPN connection using the selected connection entry.
• Disconnect: Disconnect the current VPN session.
• Duplicate: Duplicate the selected connection e
Authenticating users (from usernames, group names and passwords, and X.509 digital certificates)
• Establishing user access rights (hours of access, connection time, allowed destinations, allowed protocols)
• Managing security keys for encryption and decryption
• Authenticating, encrypting, and decrypting data through the tunnel

For example, to use a remote PC to read e-mail at your organization, the connection process might be similar to the following:

Step 1 Connect to the Internet.
Step 2 Start the VPN Client.
Step 3 Establish a secure connection through the Internet to your organization's private network.
Step 4 When you open your e-mail:
• The Cisco VPN device
  - Uses IPSec to encrypt the e-mail message.
  - Transmits the message through the tunnel to your VPN Client.
• The VPN Client
  - Decrypts the message so you can read it on your remote PC.
  - Uses IPSec to process and return the message to the private network through the Cisco VPN device.

VPN Client Features

The tables in the following sections describe the VPN Client features. Table 1-1 lists the VPN Client main features.

Table 1-1 VPN Client Main Features

Features: Description
Operating System: Mac OS Version 10.1.5 or later
Connection types:
• async serial PPP
• Internet-attached Ethernet
• DSL
Note: The VPN Client for Mac OS X does not support Bluetooth wireless technology.
Protocol: IP
network might send notifications to the VPN Client. These notifications appear in the Notifications window. To display the Notifications window (Figure 7-10), choose Notifications from the Status menu.

When you first establish a VPN connection, you receive a notification regarding your connection. This is typically the login banner or connection history.

Other notifications might include messages from your network administrator about upgrades to the VPN Client software or information regarding the specific VPN device you are connected to.

Figure 7-10 Notifications Window (screenshot: VPN Client Notifications window with a top pane listing notification titles, a Message pane below, and Launch and Close buttons)

The top pane of the Notifications window lists the title of each stored notification. The bottom pane displays the notification message associated with the selected title.

All notifications from the VPN device are stored in this display during the VPN session. Every VPN session contains at least one notification: the connection history.

Some notifications contain a URL which directs you to the location of more current versions of the VPN Client. If the URL exists, the Launch button becomes active. If you click the Launch button, a browser opens on your workstation.
install, use, and manage the Cisco VPN Client for the Macintosh operating system, Version 10.1.5 or later. You can manage the VPN Client for Mac OS X from the graphical user interface or from the command line interface.

The VPN Client for Mac OS X installer program installs both the graphical user interface and the command line version of the VPN Client.

This guide is for remote Clients who want to set up virtual private network (VPN) connections to a central site. Network administrators can also use this guide for information about configuring and managing VPN connections for remote Clients. You should be familiar with the Macintosh platform and know how to use Macintosh applications. Network administrators should be familiar with Macintosh system configuration and management and know how to install, configure, and manage internetworking systems.

This guide contains the following chapters:
• Chapter 1, Understanding the VPN Client: This chapter describes how the VPN Client software works and lists the main features.
• Chapter 2, Installing the VPN Client: This chapter describes how to install the VPN Client software application.
• Chapter 3, Navigating the User Interface: This chapter describes the main VPN Client window and the tools, tabs, menus and icons for navigating the user interface.
• Chapter 4, Configuring Connection Entries: This chapter describes how to configure VPN Client connection entries, including optional parameters.
Click OK.

For more information on digital certificates, see Chapter 6, "Enrolling and Managing Certificates".

CHAPTER 6 Enrolling and Managing Certificates

This chapter describes how to enroll and manage digital certificates for the VPN Client for Mac OS X, specifically how to perform the following tasks:
• Obtain personal certificates through enrollment with a certificate authority (CA), which is an organization that issues digital certificates that verify that you are who you say you are.
• Manage certificates and enrollment requests.
• Import, export, view, and verify certificates.

To get started with certificates, open the Certificates tab on the main VPN Client window in advanced mode. The Certificates tab lists the certificates you currently have enrolled. If there are no certificates showing, you need to enroll with a CA or contact your system administrator.

Using the Certificate Store

The VPN Client uses the notion of a store to convey a location in your local file system for storing personal certificates. The main store for the VPN Client is the Cisco store, which contains certificates enrolled through the Simple Certificate Enrollment Protocol (SCEP) and certificates that have been imported from a file.

The Certificates tab on the main VPN Client window displays the list of certificates in your certificate store (Figure 6-1).
The following sections describe the main VPN Client window in Advanced Mode, the primary buttons and tabs for navigating the user interface, the main menu options, and the right-click menu options.

Figure 3-6 shows the VPN Client window and the primary navigation areas.

Figure 3-6 Main VPN Client Window (screenshot: VPN Client Version 4.0 window with the Connect, New, Import, Modify and Delete toolbar buttons, the Connection Entries, Certificates and Log tabs, a list of connection entries with Connection Entry, Host and Transport columns, and a status bar reading "Not connected"; callouts 1 to 5 mark the areas listed below)

1 VPN Client version information.
2 Toolbar action buttons. The buttons that are available depend on which tab is forward.
3
4 Display area for the main tabs.
5 When connected, the status bar displays information related to the current VPN session.
  - The left side indicates the connection entry name and connection status.
  - The right side lists the amount of time for this session, the client IP address, and the number of bytes through the VPN tunnel.
Command Line: Command Line Interface, which allows you to perform certain operations from the command line rather than using the VPN Client graphical user interface.
LOG.GUI, Graphical User Interface: The VPN Client for Mac OS X user interface.

Step 3 Select the logging level for each module that uses logging services. The logging levels allow you to choose the amount of information you want to capture. Figure 7-6 shows the logging levels.

Figure 7-6 Logging Levels (screenshot: per-module logging level pop-up offering 0 Disabled, 1 Low, 2 Medium and 3 High for modules such as IKE and Connection Manager (LOG.CM), with the note "Changing logging levels will cause the current log viewer to be cleared")

There are four logging levels:
• 0: Disables logging services for the specified LOG class.
• 1: Low; displays only critical and warning events. This is the default.
• 2: Medium; displays critical, warning, and informational events.
• 3: High; displays all events.

Step 4 Click Apply. This clears the event log and immediately applies the new logging levels.

Opening the Log Window

To display the events log in a separate window, click Log Window at the top of the VPN Client window. The VPN Client Log Window appears (Figure 7-7).
67. n
Packets Decrypted: Number of packets decrypted during this VPN session.
Packets Discarded: Number of packets discarded during this VPN session.
Packets Bypassed: Number of packets bypassed during this VPN session.

Table 7-2 Tunnel Details (continued)

Field: Description
Connection Entry Name: The name of the connection entry for this VPN session.
Connection Time: The connection time for this VPN session.
Encryption: Encryption algorithm used for this VPN session. The VPN Client supports:
• 56-bit DES (Data Encryption Standard)
• 168-bit Triple DES
• AES 128-bit and 256-bit

Note: The VPN Client continues to support DES-MD5. However, support for DES-SHA is no longer available, and Release 3.7 VPN Clients cannot connect to any central-site device group that is configured for (or proposing) DES-SHA. The VPN Client must either connect to a different group, or the system administrator for the central-site device must change the configuration from DES-SHA to DES-MD5 or another supported configuration. The Cisco VPN Client Administrator Guide lists all supported encryption configurations.

Authentication: Authentication algorithm used for this VPN session. The VPN Client supports:
• HMAC-MD5 (Hashed Message Authentication Coding with Message Digest 5 hash function)
• HMAC-SHA-1 (S
68. n entry.
• Use Advanced mode to manage the VPN Client, configure connection entries, manage certificates, view and manage event logging, or view tunnel routing data.

To toggle between advanced mode and simple mode, press Command-M. Alternately, you can choose your mode from the Options menu.

Operating in Simple Mode

Use simple mode when you only need to establish a connection to a VPN device using the default connection entry.

Note: You must operate in advanced mode to manage certificates and event logging or to make configuration changes to a connection entry.

VPN Client Window (Simple Mode)

When you run in simple mode, you are presented with a scaled-down version of the VPN Client user interface (Figure 3-3).

Figure 3-3 VPN Client Window (Simple Mode) [screenshot: VPN Client Version 4.0 window showing the default connection entry "04 SanJose-nat-all", a Connect button, and the status bar reading "Not connected"]

The main VPN Client window shows only the version information, the default connection entry, the Connect button, and the status bar.

Main Menus (Simple Mode)

This section describes the abbreviated menu choices available in simple mode. The Certificates and Log menus are only available in advanced mode.

Connection Entries Menu

Figure 3-4 shows the Connection Entries menu option
69. nagement: Allows you to manage the certificates in the certificate stores.
Certificate Authorities (CAs): CAs that support PKI SCEP enrollment.
Peer Certificate Distinguished Name Verification: Prevents a VPN Client from connecting to an invalid gateway by using a stolen but valid certificate and a hijacked IP address. If the attempt to verify the domain name of the peer certificate fails, the VPN Client connection also fails.

IPSec Features

The VPN Client supports the IPSec features listed in Table 1-4.

Table 1-4 IPSec Features

IPSec Feature: Description
Tunnel Protocol: IPSec
Transparent tunneling:
• IPSec over UDP for NAT and PAT
• IPSec over TCP for NAT and PAT
Key Management protocol: Internet Key Exchange (IKE)
IKE Keepalives: A tool for monitoring the continued presence of a peer and reporting the VPN Client's continued presence to the peer. This lets the VPN Client notify you when the peer is no longer present. Another type of keepalive keeps NAT ports alive.
Split tunneling: The ability to simultaneously direct packets over the Internet in clear text and encrypted through an IPSec tunnel. The VPN device supplies a list of networks to the VPN Client for tunneled traffic. You enable split tunneling on the VPN Client and configure the network list on the VPN device.
Support for Split DNS: The ability to direct DNS packets in clear text over the Internet to domains served
70. nt

Note: We recommend that you uninstall any previous version of the VPN Client for Mac OS X before you install a new version.

The VPN Client uninstall script uninstalls any previous command-line or GUI version of the VPN Client from your workstation.

To uninstall the VPN Client for Mac OS X:

Step 1 Open a terminal window.
Step 2 Run the following command:

    sudo /usr/local/bin/vpn_uninstall

Step 3 Enter your password.
Step 4 You are prompted to remove all profiles and certificates.
• If you answer yes, all binaries, startup scripts, certificates, profiles, and any directories that were created during the installation process are removed.
• If you answer no, all binaries and startup scripts are removed, but certificates, profiles, and the vpnclient.ini file remain.

CHAPTER 3

Navigating the User Interface

This chapter describes the main VPN Client window and the tools, tabs, menus and icons for navigating the user interface.

VPN Client Menu

Use the VPN Client menu (Figure 3-1) to manage the VPN Client application and main window settings.

Figure 3-1 VPN Client Menu [screenshot: menu bar with VPN Client, Connection Entries, View, Help; VPN Client menu items About VPN Client, Preferences, Services, Hide VPNClient (Command-H), Hide Others, Show All, Quit VPNClient (Command-Q)]

Abo
71. ntry. This action allows you to create a new connection entry using the configuration from a current connection entry as a template.
• Delete: Delete the selected connection entry.
• Modify: Display the properties of the selected connection entry. This action opens the VPN Client Properties window.
• Erase Saved User Password: Erases the user password that is saved on the VPN Client workstation, forcing the VPN Client to prompt you for a password each time you establish a connection.

Certificates Tab Right-Click Menu

Figure 3-15 shows the right-click menu options available when the Certificates tab is forward.

Figure 3-15 Certificates Tab Right-Click Menu [screenshot: Certificates tab with toolbar View, Import, Export, Enroll, Verify, Delete; certificate list with Certificate, Store, Key Size and Validity columns; right-click menu with View, Export, Verify, Delete, Change Certificate Password, Retry Certificate Enrollment; status bar reading "Not connected"]

• View: View the properties of the selected certificate.
• Export: Export the selected certificate to a specified file location.
• Verify: Verify that the selected certificate
72. o the Connection Entries tab.

If there are no backup servers listed, or if you want to manually add a server to the list, use the following procedure.

Step 1 Click the Add button on the Backup Servers tab. The VPN Client dialog box appears (Figure 4-7).

Figure 4-7 Add Backup Server [dialog: "Enter backup server hostname or IP address"]

Step 2 Enter the hostname or IP address of the backup server to add.
Step 3 Click OK. The backup server is added to the list of available backup servers.

To remove a backup server, return to the Backup Servers tab, select a server from the list, and click Remove.

CHAPTER 5

Establishing a VPN Connection

This chapter describes how to establish a VPN connection with a private network using the VPN Client and the user authentication methods supported by the VPN device that is providing your connection.

Checking Prerequisites

Before you can establish a VPN connection, you must have:
• At least one connection entry configured on the VPN Client. See Chapter 4, "Configuring Connection Entries," for more information.
• User authentication information. This includes your username and password, and depending on the configuration of your connection entry, might also include:
  – Passw
73. om the certificate store to a specified file:

Step 1 Click the Certificates tab.
Step 2 Select the certificate to export.
Step 3 Click Export at the top of the VPN Client window. The Export Certificate dialog box appears (Figure 6-8).

Figure 6-8 Export Certificate [dialog: Export Path field with Browse button; "Export entire certificate chain" check box; "Enter a password to protect the exported certificate (this is optional)" with Password and Verify Password fields; Cancel and Export buttons]

Step 4 Enter the export path. If you do not know the export path, browse to the export directory and click Open on the browser window. The export path is automatically entered in the Export Certificate dialog box.
Step 5 To export the entire certificate chain, check the box next to this parameter.
Step 6 Enter a password to protect the exported certificate file. We recommend that you always enter a password to protect your certificates.
Step 7 Verify the exported certificate file password.
Step 8 Click Export. The certificate is copied to the selected directory and a prompt (Figure 6-9) indicates whether the export is successful.

Figure 6-9 Successful Export Prompt [dialog: "Certificate ou=Boulder o=Cisco Systems c=US successfully exported to /Users/bob/Documents/untitled"]

Step 9 Click OK to return to the VPN Client window.

Deleting a Certificat
74. or "annacert" [dialog fragment: OK and Cancel buttons]

Enter the current password and click OK.
At the prompt, enter the new password and click OK.
At the next prompt, enter the new password again to verify it and click OK. The VPN Client responds with a success message.

Note: You can also change the password from the View dialog box.

Retrying an Enrollment Request

To retry a pending online enrollment request:

Step 1 Select the enrollment request in the certificate store.
Step 2 Choose Retry Client Enrollment from the Certificates menu. The VPN Client prompts you to enter a password. This password must match the password you are using to protect the certificate's private key, if any.
Step 3 Enter the password and click OK to resume the enrollment request.

Importing a Certificate

A network administrator might place a certificate in a file. This certificate must be imported into the certificate store before you can use it for authenticating the VPN Client to a VPN device.

To import a certificate from a file:

Step 1 Click the Certificates tab.
Step 2 Click Import at the top of the VPN Client window. The Import Certificate dialog box appears (Figure 6-6).

Figure 6-6 Import Certificate [dialog: VPN Client, Import Certificate]
75. ords for RADIUS authentication
  – VPN group name and password for connections to VPN devices
  – PINs for RSA Data Security
  – Digital certificates and associated passwords
• An Internet connection

Contact your network administrator for prerequisite information.

Establishing a Connection

To establish a VPN connection:

Step 1 Open the VPN Client application by double-clicking the VPN Client icon in the Applications folder. If you created an alias, you can double-click the VPN Client icon on the Desktop or in the dock (Figure 5-1).

Figure 5-1 VPN Client Icon [image]

The main VPN Client window appears.

Figure 5-2 shows the VPN Client window in simple mode.

Figure 5-2 VPN Client Window (Simple Mode) [screenshot: VPN Client Version 4.0 window showing the default connection entry "04 SanJose-nat-all", a Connect button, and the status bar reading "Not connected"]

Figure 5-3 shows the VPN Client window in advanced mode.

Figure 5-3 VPN Client Window (Advanced Mode) [screenshot: toolbar Connect, New, Import, Modify, Delete; tabs Connection Entries, Certificates, Log; a list of connection entries with Connection Entry, Host and Transport columns]
76. ot secure, you should not enable local LAN access. For example, do not enable this feature when you are using a local LAN in a hotel or airport.

To enable this feature, check the Allow Local LAN Access check box on the VPN Client. You must also enable this feature on the VPN device you are connecting to.

Peer Response Timeout

The VPN Client uses a keepalive mechanism called Dead Peer Detection (DPD) to check the availability of the VPN device on the other side of an IPSec tunnel. If the network is unusually busy or unreliable, you may need to increase the number of seconds to wait before the VPN Client decides that the peer is no longer active. The default number of seconds to wait before terminating a connection is 90 seconds. The minimum number of seconds you can configure is 30 seconds and the maximum is 480 seconds.

To adjust the setting, enter the number of seconds in the Peer response timeout field.

The VPN Client continues to send DPD requests every 5 seconds, until it reaches the number of seconds specified by the Peer response timeout value.

Backup Servers

The private network you are connecting to might include one or more backup VPN devices (servers) to use if the primary server is not available. The list of available backup servers is pushed to the VPN Client when the connection is established, or you can add a backup server to the list manually.

The list of existing backup servers is found on the B
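The timer rule in the Peer Response Timeout passage above, worked through as an added example (illustration code written for this page, not the Cisco VPN Client's own implementation): it enforces the 30 to 480 second range with the 90 second default, counts how many DPD requests go out at the 5 second interval before a silent gateway is declared dead, and walks a constructed sequence of peer replies to show when the tunnel would be torn down. The assumption that any reply from the peer resets both the silence timer and the probe schedule is mine; the guide does not say how a reply is treated.

```python
DPD_INTERVAL_S = 5          # from the guide: a DPD request is sent every 5 seconds
DPD_DEFAULT_TIMEOUT_S = 90  # from the guide: default peer response timeout
DPD_MIN_TIMEOUT_S = 30      # from the guide: smallest configurable value
DPD_MAX_TIMEOUT_S = 480     # from the guide: largest configurable value


def validate_peer_timeout(value):
    """Return the peer response timeout to use, enforcing the guide's range.

    None means the field was left unset and yields the 90-second default.
    Out-of-range values are rejected rather than silently clamped, so a
    misconfigured profile is noticed instead of quietly changing how long a
    dead gateway keeps a tunnel up.
    """
    if value is None:
        return DPD_DEFAULT_TIMEOUT_S
    if not isinstance(value, int) or isinstance(value, bool):
        raise TypeError("peer response timeout must be an integer number of seconds")
    if not DPD_MIN_TIMEOUT_S <= value <= DPD_MAX_TIMEOUT_S:
        raise ValueError(
            f"peer response timeout {value}s is outside "
            f"{DPD_MIN_TIMEOUT_S}-{DPD_MAX_TIMEOUT_S}s"
        )
    return value


def unanswered_probes_before_teardown(timeout_s):
    """Number of DPD requests sent (one every 5 s) to a silent peer before
    the configured timeout expires and the connection is terminated."""
    return validate_peer_timeout(timeout_s) // DPD_INTERVAL_S


def simulate_dpd(timeout_s, peer_reply_times, horizon_s=600):
    """Walk the DPD timer one second at a time from t=0 (last traffic seen).

    peer_reply_times: constructed set of absolute seconds at which the peer
    answered. Returns (declared_dead_at, probes_sent); declared_dead_at is
    None if the peer never stayed silent for timeout_s within the horizon.
    Assumption (not from the guide): any reply resets both the silence timer
    and the 5-second probe schedule.
    """
    timeout_s = validate_peer_timeout(timeout_s)
    last_heard = 0
    probes_sent = 0
    next_probe = DPD_INTERVAL_S
    for now in range(1, horizon_s + 1):
        if now in peer_reply_times:
            last_heard = now
            next_probe = now + DPD_INTERVAL_S
            continue
        if now == next_probe:
            probes_sent += 1
            next_probe = now + DPD_INTERVAL_S
        if now - last_heard >= timeout_s:
            return now, probes_sent
    return None, probes_sent


if __name__ == "__main__":
    # Constructed scenario: the gateway answers once at t=40 s, then goes silent.
    dead_at, probes = simulate_dpd(None, {40})
    print(f"peer declared dead at t={dead_at}s after {probes} DPD requests")
```

With the default timeout the silent-peer case sends 18 requests before the tunnel is torn down at 90 seconds; raising the timeout to 480 seconds, as the guide suggests for a busy or unreliable network, means up to 96 unanswered requests and eight minutes during which traffic is still being sent into a tunnel whose peer may be gone, which is the trade-off to weigh before increasing the value.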
77. placed in the Profiles directory when the VPN Client is installed.

Preconfiguring the Global Profile

A global profile sets rules for all remote users; it contains parameters for the VPN Client as a whole. The name of the global profile file is vpnclient.ini.

The vpnclient.ini file controls the following features:
• Control of logging services by class
• Certificate enrollment
• Missing group warning message
• VPN Client GUI preferences, such as window locations and sizes

If you do not preconfigure a global profile, the vpnclient.ini file is populated with default settings. Each time you make changes, the vpnclient.ini file is updated and stored.

Installing the VPN Client

The following sections describe how to install the VPN Client software. The VPN Client for Mac OS X installer program installs, by default, both the graphical user interface and the command-line version of the VPN Client. However, you are not required to install the GUI. See the "Choosing the Installation Type" section on page 2-8 for more information.

Note: We recommend that you uninstall any previous version of the VPN Client for Mac OS X before you install a new version. For more information, see the "Uninstalling the VPN Client" section on page 2-12.

Authentication

Before you can start the installation process, you must s
78. Figure 6-1 Certificate Store [screenshot: Certificates tab with toolbar View, Import, Export, Enroll, Verify, Delete; columns Certificate, Store, Key Size, Validity; three test entries in the Request store with key size 1024 and validity until Apr 13, 2003; status bar reading "Not connected"]

For each certificate, the following information is listed:
• Certificate: The name of the certificate.
• Store: The certificate store where this certificate resides. If you enroll a certificate from a Certificate Authority, the store is CA. If you import a certificate from a file, the store is Cisco.
• Key Size: The size, in bits, of the signing key pair.
• Validity: The date and time when this certificate expires.

Enrolling Certificates

Your system administrator may have already set up your VPN Client with digital certificates. If not, or if you want to add certificates, you can obtain a certificate by enrolling with a Certificate Authority (CA).

To enroll a digital certificate, you must enroll using the PKI Framework standards, receive approval from the CA, and have the certificate installed on your system.

You can enroll a digital certificate:
• Over the network from a CA
79. rly through a PAT device. Multiple simultaneous connections might work better with TCP, and if you are in an extranet environment, TCP mode is preferable. UDP does not operate with stateful firewalls; use TCP with this configuration.

Allow Local LAN Access

The Allow Local LAN Access parameter gives you access to resources on your local LAN when you are connected through a secure gateway to a central-site VPN device.

When this parameter is enabled:
• You can access local resources (printer, fax, shared files, other systems) while connected.
• You can access up to 10 networks. A network administrator at the central site configures a list of networks at the VPN Client side that you can access.
• If you are connected to a central site, all traffic from your system goes through the IPSec tunnel except traffic to the networks excluded from doing so (in the network list).
• If enabled on the VPN Client and permitted on the central-site VPN device, you can see a list of the local LANs that are available by choosing Statistics from the Status menu and clicking the Route Details tab. For more information, see the "Route Details" section on page 7-10.

When this parameter is disabled, all traffic from your client system goes through the IPSec connection to the secure gateway.

If the local LAN you are using is n
80. rm Password [dialog fragment: Certificate Authentication section with Name field and "Send CA Certificate Chain" check box; Erase User Password, Cancel and Save buttons]

Step 4 The existing configuration for this connection entry is displayed. Make adjustments to this connection entry configuration.
Step 5 Click Save. The VPN Client Properties dialog box closes and you return to the Connection Entries tab.

Deleting a Connection Entry

You can delete any connection entry that does not have an active VPN connection.

To delete a connection entry:

Step 1 The Connection Entries tab must be forward.
Step 2 Select the connection entry to delete.
Step 3 Click Delete at the top of the VPN Client window. You are prompted to confirm the connection entry to delete (Figure 7-3).

Figure 7-3 Confirm Delete [dialog: "Are you sure you want to delete the connection entry '03 SanJose'?"]

Caution: You cannot retrieve a connection entry that has been deleted.

Step 4 Click Delete to delete this connection entry. The connection entry is removed from the profiles directory and you are returned to the Connection Entries tab. Click Do not Delete to return to the VPN Client window without deleting the selected connection entry.

Event Logging

The following sections describe
81. rtificate to delete.

The Certificate Password is the password assigned by you to protect the certificate while it is in your certificate store. This is the password set in the New Password field when you enrolled this certificate. See the "Enrolling Certificates" section on page 6-2.

Step 5 Click OK. The certificate is deleted from the certificate store.

Verifying a Certificate

To verify that a certificate is valid:

Step 1 Click the Certificates tab.
Step 2 Click Verify at the top of the VPN Client window. A prompt appears (Figure 6-12) to indicate the validity of the certificate.

Figure 6-12 Verify Certificate [dialog: "Certificate ou=Boulder o=Cisco Systems c=US is a valid certificate", OK button]

Step 3 Click OK to return to the VPN Client window.

If your certificate is invalid, contact the network administrator for instructions.

Changing the Password on a Personal Certificate

To view personal (root) certificates issued by either a Certificate Authority (CA) or a Registration Authority (RA), use the Show/Hide CA/RA Certificates option from the Certificates menu.

To change the password on a personal certificate:

Step 1 Select a certificate from the certificate store under the Certificates tab.
Step 2 Display the Certificates menu and choose Ch
82. [remainder of the Figure 5-3 screenshot: connection entry list with Host and Transport columns; status bar reading "Not connected"]

See Chapter 3, "Navigating the User Interface," for more information on simple mode and advanced mode.

Step 2 From the Connection Entries tab, select the connection entry to use for this VPN session. For simple mode, select a connection entry from the drop-down list.
Step 3 Click Connect at the top of the VPN Client window or double-click the selected connection entry. For simple mode, click the Connect button.
Step 4 Respond to all user authentication prompts. The user authentication prompts that appear depend on the configuration for this connection entry.

The status bar at the bottom of the main VPN Client window displays your connection status. When connected, the left side of the status bar indicates the connection entry name and the right side displays the amount of time that the VPN tunnel has been established.

Choosing Authentication Methods

User authentication means proving that you are a valid user of this private network. User authentication is optional. Your n
83. [remainder of the Import file browser screenshot: folder list with a certificate file selected; Add to Favorites, Cancel and Open buttons]

Locate the connection entry to import. A valid connection entry configuration file must have a .pcf extension.

Click Open. The connection entry is added to the list of available profiles and you return to the Connection Entries tab.

Alternately, you can copy the .pcf file into the profiles directory and restart the VPN Client application.

Modifying a Connection Entry

You can make changes to a connection entry at any time. The new configuration is stored in the profiles directory and is applied during the next connection attempt.

To modify a connection entry:

Step 1 Click the Connection Entries tab.
Step 2 Select the connection entry to modify.
Step 3 Click Modify at the top of the VPN Client window. The VPN Client Properties dialog box appears (Figure 7-2).

Figure 7-2 Connection Entry Settings [dialog: VPN Client Properties for "03 SanJose"; Description "Connect to Cisco via San Jose"; Host field with the San Jose VPN cluster hostname; tabs Authentication, Transport, Backup Servers; Group Authentication with Name and Password fields; Confi
84. s for simple mode.

Figure 3-4 Simple Mode Connection Entries Menu [menu: Connect, Disconnect, Import, Set as Default Connection Entry]

• Connect: Establish a VPN connection using the selected connection entry. If the Connections tab is not selected, a submenu, which lists all available connection entries, is displayed.
• Disconnect: Disconnect the current VPN session.
• Import: Import a connection entry configuration file (a file with a .pcf extension, called a profile).
• Set as Default Connection Entry: Use the selected connection entry as the default. The default connection entry is used for this VPN session unless you select an alternate connection entry.

Status Menu

Figure 3-5 shows the Status menu options for simple mode.

Figure 3-5 Simple Mode Status Menu [menu: Statistics, Notifications]

• Statistics: Open the Statistics window to view tunnel details and route details.
• Notifications: Open the Notifications window to view notices from the VPN device.

Operating in Advanced Mode

Use Advanced mode to manage the VPN Client, configure connection entries, manage certificates, view and manage event logging, and view tunnel statistics and routing data.

VPN Client Window (Advanced Mode)

The fo
85. s on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://tools.cisco.com/RPF/register/register.do

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:

http://www.cisco.com/en/US/support/index.html

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network S
86. s that govern VPN Client operation and connection to the remote network.

You can create multiple connection entries if you use your VPN Client to connect to multiple networks (though not simultaneously) or if you belong to more than one IPSec group.

Creating a Connection Entry

To create a connection entry:

Step 1 Open the VPN Client application. The VPN Client window appears (Figure 4-1).

Figure 4-1 VPN Client Window [screenshot: VPN Client Version 4.0 window with toolbar Connect, New, Import, Modify, Delete; tabs Connection Entries, Certificates, Log; a list of connection entries with Connection Entry, Host and Transport columns; status bar reading "Not connected"]

Step 2 Click the Connection Entries tab.
Step 3 Click New at the top of the VPN Client window. The Create New VPN Connection Entry dialog box appears (Figure 4-2).
87. s who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The avenue of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.

We categorize Cisco TAC inquiries according to urgency:
• Priority level 4 (P4): You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
• Priority level 3 (P3): Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
• Priority level 2 (P2): Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
• Priority level 1 (P1): Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

Cisco TAC Website

You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some service
88. INDEX

A
administrator password 2-4
advanced mode
  buttons 3-5
  menus 3-6
  tabs 3-5
  window 3-4
AES (Advanced Encryption Standard) 1-6
aggressive mode 1-6
algorithms
  data compression 1-6
  encryption 1-6
  in VPN client 1-2
application binaries 2-8
applications directory 2-8
authentication
  algorithms 1-6
  certificate 4-4
  extended 1-6
  features 1-4
  installation 2-4
  methods 4-4
  mode 1-6
authentication methods 5-3
  digital certificate 5-5
  RADIUS 5-4
  SecurID 5-5
  shared key 5-3
  VPN group name 5-4
authenticity 6-8

B
backup servers
  change order 4-9
  list 4-8
  tab 4-3
base-64 encoding type 6-3
binaries, application 2-8
binary encoding type 6-3
bytes received 7-9

C
CA (Certificate Authority) 6-2
cable modem 1-1
CA URL 6-3
certificate
  at login 5-5
  authentication 4-4
  chain 4-5
  challenge password 6-3
  change password 3-7
  changing password 6-11
  contents 6-2
  deleting 6-10
  digital 1-6
  enrollment 3-10
  expiration 6-2
  exporting 6-9
  file enrollment 6-2
  identity 4-4
  importing 6-7
  import password 6-7
  management 6-1
  new password 6-3
  online enrollment 6-2
  password 5-5, 6-7
  peer 1-5
  properties 6-8
  resume enrollment 3-8
  store 6-1
  validity 3-7
  verifying 6-11
  viewing 6-7
  view properties 3-7
  X.509 1-6
certificate chain 6-9
certificates menu 3-7
certificates tab 3-
software, you must agree to the terms of the software license agreement.

[Figure: License window of the installer. The left pane lists the installer steps (Introduction, License, Select Destination, Installation Type, Install, Finish). The dialog reads "Click Agree to continue or click Disagree to cancel the installation" with Disagree and Agree buttons; the license pane shows the opening of the Cisco Systems VPN Client software license agreement ("Ownership of the Software", "Grant of License") with Print, Save, Go Back, and Continue buttons.]

Before you accept the license agreement, you can:

• Print the license agreement.

• Save the license agreement to a file.

• Go Back to the Introduction window.

• Continue and agree to the terms in the license agreement.

When you have completely read the Cisco VPN Client software license agreement, click Continue.

To continue with the installation, click Agree.

Selecting the Application Destination

If your workstation has more than one disk drive, you can select the destination volume to install the VPN Client on your workstation. Figure 2-7 shows the Select Destination window.
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.

Cisco.com

Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com provides a broad range of features and services to help you with these tasks:

• Streamline business processes and improve productivity

• Resolve technical issues with online support

• Download and test software packages

• Order Cisco learning materials and merchandise

• Register for online skill assessment, training, and certification programs

To obtain customized information and service, you can self-register on Cisco.com at this URL:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC is available to all customers
tes 5-1
  Establishing a Connection 5-1
  Choosing Authentication Methods 5-3
    Shared Key Authentication 5-3
    VPN Group Name and Password Authentication 5-4
    RADIUS Server Authentication 5-4
    SecurID Authentication 5-5
    Using Digital Certificates 5-5

CHAPTER 6  Enrolling and Managing Certificates 6-1
  Using the Certificate Store 6-1
  Enrolling Certificates 6-2
  Managing Enrollment Requests 6-5
    Viewing the Enrollment Request 6-5
    Deleting an Enrollment Request 6-5
    Changing the Password on an Enrollment Request 6-6
    Retrying an Enrollment Request 6-6
  Importing a Certificate 6-7
  Viewing a Certificate 6-7
  Exporting a Certificate 6-9
  Deleting a Certificate 6-10
  Verifying a Certificate 6-11
  Changing the Password on a Personal Certificate 6-11

CHAPTER 7  Managing the VPN Client 7-1
  Managing Connection Entries 7-1
    Importing a Connection Entry 7-1
    Modifying a Connection Entry 7-2
    Deleting a Connection Entry 7-3
  Event Logging 7-4
    Enable Logging 7-4
    Clear Logging 7-5
    Set Logging Options 7-5
    Opening the Log Window 7-7
  Viewing Statistics 7-8
    Tunnel Details 7-9
    Route Details 7-10
    Notifications 7-11

INDEX

About This Guide

Audience

This VPN Client User Guide describes how to install
certificates in the certificate hierarchy from the root certificate. This must be installed on the VPN Client to identify each certificate. This feature enables a peer VPN Concentrator to trust the VPN Client's identity certificate given the same root certificate, without having the same subordinate CA certificates actually installed.

The following is an example of a certificate chain:

• On the VPN Client, you have this chain in the certificate hierarchy:
  a. Root Certificate
  b. CA Certificate 1
  c. CA Certificate 2
  d. Identity Certificate

• On the VPN Concentrator, you have this chain in the certificate hierarchy:
  a. Root Certificate
  b. CA Certificate
  c. Identity Certificate

Though the identity certificates are issued by different CA certificates, the VPN device can still trust the VPN Client's identity certificate, because it has received the chain of certificates installed on the VPN Client PC.

This feature provides flexibility because the intermediate CA certificates do not need to be installed on the peer.

Click Save. The Connection Entry dialog box closes and you return to the Connection Entries tab.

Chapter 4    Configuring Connection Entries

Transport Parameters

This section describes transport parameters you can configure for a connection entry. The transport parameters include:

• Enable Transport Tunneling, page 4-7

• Transparent Tunneling Mode, page
Chapter 2    Installing the VPN Client

Figure 2-7 Select Destination Window

[Figure: "Install Cisco VPN Client" installer at the "Select a Destination" step. The left pane lists Introduction, License, Select Destination, Installation Type, Install, Finish. The prompt reads "Select a destination volume to install the Cisco VPN Client"; the available volumes are listed, followed by the note "107MB of disk space is required for this installation" and the Go Back and Continue buttons.]

Click Continue. The VPN Client is installed in the Applications directory.

Choosing the Installation Type

The default installation process installs the following packages with the VPN Client application:

• VPN Client application binaries (includes everything in the directory /usr/local/bin, including the ipseclog)

• VPN Client graphical user interface

• VPN Client kernel extension

• VPN Client profiles (includes the global profile, vpnclient.ini, and any user profiles (.pcf files))

• VPN startup (the system startup script to automatically start the client at boot time)

The VPN Client application binaries and the VPN Client kernel extension must be part of your installation. However, installing the other three packages is optional.

To install all packages, click Install on the Easy Install window (Figure 2-8).

Figure 2-8 Easy Install Window
• Hostnames: Use legitimate network host or end-system name notation, for example, VPN01. Spaces are not allowed. A hostname must uniquely identify a specific system on a network. A hostname can be up to 255 characters in length.

• User names and Passwords: Text strings for user names and passwords use alphanumeric characters in both upper and lower case. Most text strings are case-sensitive. For example, simon and Simon would represent two different user names. The maximum length of user names and passwords is generally 32 characters, unless specified otherwise.

Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco web sites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest information about the field of networking. You can access Packet magazine at this URL:

http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html

iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers with the latest information about the networking industry. You can access iQ Magazine at this URL:

http://business.cisco.com/prod/tree.taf
Chapter 3    Navigating the User Interface

• About VPN Client: Displays the current VPN Client version, the VPN Client type (platform), and the copyright information.

• Preferences: Sets VPN Client window preferences (Figure 3-2).

Figure 3-2 VPN Client Window Preferences

[Figure: Preferences dialog with three checkboxes: Save window settings, Minimize upon connect, Enable tooltips.]

  - Save window settings: Saves changes to the VPN Client window. For example, you can save the window size, the window position, the selected tab, and the view (simple or advanced mode).

  - Minimize upon connect: Places the VPN Client window in the dock when the VPN connection is established.

  - Enable tooltips: Enables tool tips for the toolbar action buttons.

• Services: Access standard Mac OS X services.

• Hide VPN Client: Remove the VPN Client window from your screen. This option does not close the application or minimize the screen.

• Hide Others: Remove all windows except the VPN Client from your screen.

• Show All: Displays all windows that were previously hidden.

• Quit VPN Client: Closes the VPN Client application.

Choosing a Run Mode

You can run the VPN Client in simple mode or in advanced mode. The default is advanced mode.

• Use simple mode if you only want to start the VPN Client application and establish a connection to a VPN device using the default connection
    