
VPN Client User Guide - RMA


Contents

1. Select <New> from the drop-down menu. Enter the URL or Network Address of the CA and the CA's Domain, both of which are required. Some CAs require that you enter a password to access their site. If this is the case, enter the password in the Challenge Password field. You can get the password from the CA or from your network administrator.
   3. When you have completed the network address information, click Next. The Certificate Manager displays the enrollment form for you to complete (Figure 6-3).
   4. Enter the information you collected before you started the enrollment process. The only field that the Certificate Manager requires is Common Name. However, the CA may require some or all of the other fields. Then click Next >. After you enter the form, the Certificate Manager displays a summary that looks something like the one in Figure 6-7.
   Figure 6-7 Enrollment summary. The Enrollment Summary dialog reads: "This is a summary of the information you have provided for this certificate enrollment request. Select Finish to proceed with the enrollment or Back to make modifications." It lists the CA Domain, Certificate Store, Common Name, Department, Company, State, Country, Email, IP Address and Domain values entered for the request.
2. Figure 5-20 Uninstalling an existing version. The Question dialog reads: "Setup has detected an existing version of the Cisco Systems, Inc. VPN Client. Before installing a new version, setup must uninstall the existing version. If you choose to continue, setup will uninstall the existing version of the Cisco Systems, Inc. VPN Client and then reboot your PC. After your PC reboots, the Cisco Systems, Inc. VPN Client installation will continue. Do you wish to continue?"
   2. To continue, click Yes. The installation program removes the old version and asks you to confirm the system restart (Figure 5-21).
   Figure 5-21 Confirming the system restart. The InstallShield Wizard (VPN Client Installer) dialog reads: "Setup has finished removing the existing version of the Cisco Systems, Inc. VPN Client. To continue with the Cisco Systems, Inc. VPN Client installation" followed by the restart options, including "No, I will restart my computer later. Setup will continue after your computer reboots."
   Be sure to remove any diskette from its drive before you restart your system. If you are installing from diskettes, reinsert Disk 1 after your system restarts and displays the Windows logo screen but before the desktop appears.
   3. To restart your system, click the Yes radio button (the default) and click Finish. The installation wizard restarts your system. Once your system has restarted, installation continues automatically.
   4. Follow the instructions as if you were installing for the first time. See Ins
3. Deleting an enrollment request
   To delete an enrollment request, follow these steps:
   1. Click on the enrollment request in the list and select Delete from the Options pull-down menu. The Certificate Manager prompts you for a password.
   2. Type the password in the Password field and click OK. The Certificate Manager verifies the password. If the password is correct, the Certificate Manager asks you to confirm that you really want to delete the enrollment request.
   3. To complete the deletion, click Yes. If you decide not to delete this certificate, click No.
   Changing the password on an enrollment request
   To change the password on a certificate, use this procedure:
   1. Display the Options pull-down menu and select Password. The Certificate Manager displays the Change Certificate Password dialog (Figure 6-28).
   Figure 6-28 Changing a certificate's password. The Change Certificate Password dialog reads: "To modify or add a password associated with the specified certificate, enter the information below" and has Current, New and Confirm fields.
   2. In the Current field, type the password you are currently using.
   3. In the New field, type the new password.
   4. In the Confirm field, type your new password again.
   5. Click OK.
   Completing an enrollment request
   To complete a pending enrollment request, select the request under the Enrollment
4. verifying a certificate 6-13
   viewing connection status 4-9
   viewing enrollment request 6-18
   viewing a certificate 6-12
   VPN Client main dialog box 3-4
   VPN Client version, finding 3-3
   VPN Concentrator
     authentication using internal server 1-2, 4-4
     hostname 3-5
     IP address 3-5
   VPN device
     hostname 2-2
     IP address 2-2
   VPN (Virtual Private Network) 1-1
   W
   Windows 2000 requirement 2-1
   Windows 95/98 requirement 2-1
   Windows ME requirement 2-1
   Windows NT requirement 2-1
   Windows username and password 3-11
   worksheet, information you need 2-2
   X
   X.509 DER file 6-8
5. The Certificate Stores list offers All, Personal Certificates, CA Certificates and Enrollment Requests; the Options menu offers View, Verify, Delete and Export.
   To display a certificate, select it in the certificate store, open the Options pull-down menu and select View. Or you can double-click on the certificate to display it. Figure 6-19 shows a sample certificate from a Microsoft certificate service provider. This is only an example; not all certificates are guaranteed to look like this one.
   Figure 6-19 Displaying a Certificate. The Digital Certificate dialog shows the fields Common Name, Department, Company, State, Country, Email, Thumb Print, Key Size, Subject, Serial Number, Not Before, Not After and Issuer.
   A typical certificate, shown in Figure 6-19, contains the following information:
   Common Name: The name of the owner, usually the first name and last name. This field identifies the owner within the Public Key Infrastructure (PKI) organization.
   Department: The name of the owner's department, which is the same as the Organizational
6. Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA. http://www.cisco.com. Tel: 408 526-4000, 800 553-NETS (6387). Fax: 408 526-4100.
   Customer Order Number: DOC-7812304. Text Part Number: 78-12304-01.
   THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
   THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
   NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
   IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA AR
7. Figure 5-17 Log Viewer Filter message 5-12
   Figure 5-18 Searching the log display 5-13
   Figure 5-19 Saving a log file 5-14
   Figure 5-20 Uninstalling an existing version 5-15
   Figure 5-21 Confirming the system restart 5-15
   Figure 5-22 ... 5-16
   Figure 5-23 ... 5-16
   Figure 5-24 Confirming your connections 5-16
   Figure 5-25 Confirming your certificates 5-17
   Figure 6-1 Selecting Certificate Manager 6-1
   Figure 6-2 Certificate Manager main window 6-2
   Figure 6-3 Enrollment form 6-3
   Figure 6-4 Protecting a certificate with a password 6-4
   Figure 6-5 Selecting enrollment method 6-4
   Figure 6-6 Entering a network address 6-5
   Figure 6-7 Enrollment summary 6-6
   Figure 6-8 Certificate status message 6-6
   Figure 6-9 Resuming enrollment 6-7
   Figure 6-10 Rece
8. The CD-ROM package is available as a single unit or as an annual subscription.
   Ordering Documentation
   Cisco documentation is available in the following ways:
   Registered Cisco Direct Customers can order Cisco Product documentation from the Networking Products MarketPlace: http://www.cisco.com/cgi-bin/order/order_root.pl
   Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store: http://www.cisco.com/go/subscription
   Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS (6387).
   Documentation Feedback
   If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
   You can e-mail your comments to bug-doc@cisco.com.
   To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address: Cisco Systems, Inc., Document Resource Connection, 170 West Tasman Drive, San Jose, CA 95134-9883.
   We appreciate your comments.
   Obtaining Technical Assistance
   Cisco provides Cisco.com as a starting point for all technical assistance. Customers and pa
9. Figure 4-12 Accepting a PIN from the system. The User Authentication for "Connect to MyCompany" dialog reads: "ARE YOU PREPARED TO ACCEPT A SYSTEM GENERATED PIN (y or n)?" with a Response field.
   2. To receive a PIN, you must respond y for yes and then click OK. When you do, the authentication program generates a PIN for you and displays it (Figure 4-13). Be sure to remember your PIN.
   Figure 4-13 New PIN received. The dialog shows the new PIN and reads: "Please remember your new PIN and then press Return to continue." with a Username field.
   3. To continue, click OK.
   SecurID Next Cardcode Mode
   Sometimes SecurID authentication prompts you to enter the next cardcode from your token card, as in Figure 4-14. SecurID displays this prompt either to resynchronize the token card with the RSA server or because it noticed several unsuccessful attempts to authenticate with this username. The SecurID Next Cardcode Mode dialog may appear.
   Figure 4-14 SecurID Next Cardcode mode dialog. The User Authentication for Engineering dialog has Username and Passcode fields.
   In the Passcode field, enter the next code from your token card. This field requires only a cardcode. Do not include your PIN as part of the passcode. Continue to Completing the private network connection.
   Using digital certificates
   Note Be
10. Figure 5-17 Log Viewer Filter message. The Filter Log Events dialog reads: "Low setting displays only critical or warning events. High setting displays all events. To change filter level: double-click on one item or select more than one item and right-click. Choose the level from the menu that displays." The example lists the classes DIALER (High), IKE (Disable), IPSEC (High) and PPP (Medium).
    To change the filter level, do the following:
    Double-click on one item or select more than one item and right-click. Choose from the following options that the Log Viewer displays:
    Disable inhibits event reporting for the selected class.
    Low provides the least amount of information. This choice includes severity levels 1 through 3: all faults and warnings. Low is the default for all classes.
    Medium includes severity levels 1 through 4: all in Low plus the first level informational events, which provide general information about the connection. Note that a first level informational event is level 4 and appears in the event display as Info 4.
    High includes severity levels 1 through 6, thus adding two levels of informational events: Info 5 and Info 6. This setting can lower the performance of all applications on your system, so use it only when your network administrator or a support engineer suggests that you do so.
    Table 5-2 defines the classes (modules) that generate events.
    Table 5-2 Classes tha
11. PIN 2-3, 4-6
    username 2-3, 4-6
    SDI, see RSA
    SecurID 1-3, 4-5
    SoftID 1-3, 4-5
    user methods 1-2, 4-4
    Authentication tab (Properties) 3-11
    backup servers
      adding 3-14
      addresses 2-3
      disabling 3-14
      enabling 3-14
      removing 3-14
      See also remote server; VPN Concentrator
    Baltimore Technologies 4-8
    base-64 encoded file type 6-8
    bibliography x
    binary encoded file type 6-8
    bytes in (connection statistics) 4-10
    bytes out (connection statistics) 4-10
    C
    CA certificates 6-3
    cable connection 1-2
    cable modem 1-2, 4-2
    Capture icon (log viewer) 5-10
    CD-ROM, installing from 2-4
    certificate
      changing 3-13
      changing password 6-15
      completing the form 6-3
      deleting 6-14
      enrollment 4-8, 6-2
        file request 6-7
        network 6-5
      expiring of 4-8
      exporting 6-16
      importing 6-10
      managing 6-11
      name of 2-3, 3-3, 3-6, 4-1
      stores 6-2
      using 4-8
      verifying 6-13
      viewing 6-12
    Certificate Authorities (CA) certificates tab 6-3
    Certificate Authorities (CA) 4-8
      supported list 2-2
    Certificate Manager
      Options menu 6-11
      overview 6-1
      starting 6-1
    changing
      certificate 3-13
      certificate password 6-15
      connection entry description 3-10
      connection entry properties 3-7
      group name or group password 3-12
      password on an enrollment request 6-19
      remote server address 3-16
    Cisco certificate store 6-2
    Cisco store 6-10
    clearing events display 5-14
    Client IP address (connection status) 4-10
    cloning a connection entry
12. Client software is now installed on your PC. Next you must configure it. To proceed, turn to Chapter 3, Configuring the VPN Client.
    CHAPTER 3 Configuring the VPN Client
    This chapter explains how to configure the VPN Client. To configure the VPN Client, you enter values for a set of parameters known as a connection entry. The VPN Client uses a connection entry to identify and connect securely to a specific private network. Parameters include a name and description for the connection, the name or address of the VPN device (the remote server), and information that identifies you to the VPN device.
    Note: If your system administrator has completely preconfigured your connection entry, you can skip this chapter and go directly to Chapter 4, Connecting to a private network.
    The rest of this chapter explains how to:
    Create a new connection entry
    Set or change connection entry properties:
      General: Connection entry description; Allow IPSec through NAT; Peer response timeout; Logon to Microsoft Network (for Windows 95, Windows 98 and Windows ME only)
      Authentication: For using preshared keys, IPSec group name and password; for certificate, Name of certificate
      Connections: Enable or remove backup servers; Connect via Dial-Up Networking
    Change remote server address for a connection entry
    How to get help
    The VPN Client comes
13. Connection Entry drop-down menu button and select the entry you want to configure.
    2. Then click Options and select Properties from the menu (Figure 3-12).
    Figure 3-12 VPN Client Options menu. The Cisco Systems VPN Client main dialog shows the Engineering connection entry and its Options menu with Properties selected.
    The Properties dialog appears. The fields in this dialog differ according to the operating system you are using:
    If you are using Microsoft Windows 95 or Windows 98, you see the dialog that looks like the one in Figure 3-13.
    If you are using Microsoft Windows NT or Windows 2000, you see the dialog in Figure 3-14.
    Figure 3-13 Connection Entry Properties dialog (Windows 95 and Windows 98): Properties for Engineering, the connection entry for the Engineering VPN 3000 Concentrator.
    Figure 3-14 Connection Entry Properties dialog (Windows NT and Windows 2000): Properties for Engineering with General, Authentication and Connections tabs. The General tab has "Enter a description of this connection entry (optional)", "Allow IPSec through NAT mode" and "Peer response timeout (30-480 seconds)".
    3. Click the tab for the parameters you want to change.
    General tab:
    Changing the connection entry description
    Allow IPSec through NAT mode
    Peer response timeout (in seconds)
    Logging on to Microsoft Netwo
14. Figure 3-16 Properties dialog, Authentication tab 3-12
    Figure 3-17 Reminder dialog 3-12
    Figure 3-18 Selecting a certificate 3-13
    Figure 3-19 Properties dialog, Connections tab 3-13
    Figure 3-20 Backup server information dialog 3-14
    Figure 3-21 Connect to the Internet dialog 3-15
    Figure 3-22 VPN Client main dialog 3-16
    Figure 3-23 Address change dialog 3-16
    Figure 4-1 VPN Client main dialog 4-2
    Figure 4-2 Dial-Up Networking User Information dialog 4-3
    Figure 4-3 ... connections to ISP 4-3
    Figure 4-4 Dial-Up Networking taskbar icon 4-3
    Figure 4-5 Negotiating ... 4-4
    Figure 4-6 Internal or RADIUS server authentication dialog 4-4
    Figure 4-7 Windows NT Domain authentication dialog 4-5
    Figure 4-8 RSA authentication dialog 4-6
    Figure 4-9 SoftID Windows NT authentication dialog 4-6
    Figure 4-10 SecurID New PIN request
15. SDI authentication 1-3, 4-5
    Next Cardcode 4-8
    S
    Save Password option 4-5
    saving log file 5-14
    SDI, see RSA
    Search icon (log viewer) 5-13
    searching log file 5-13
    secure associations (connection status) 4-11
    secured routes (connection status) 4-11
      key icon 4-11
    SecurID authentication 1-3, 4-5
    server, see backup servers; remote server; VPN Concentrator
    Server IP address (connection status) 4-10
    severity levels, events 5-11
    SHA-1 (Secure Hash Algorithm) 1-3
    shortcut, creating for connection entry 5-4
    SoftID authentication 1-3, 4-5
    software features of VPN Client 1-2
    software license agreement 1
    software token applications, launching from VPN Dialer 5-7
    start before logon 5-6
    starting the VPN Client 3-4, 4-1
      via shortcut 5-4
    state, certificate enrollment 6-3
    statistics, connection 4-10
    stopping the VPN Client 4-11
    stores, certificate 6-2
    system administrator 2-2
    system requirements 2-1
    T
    TCP/IP requirement 2-1
    Third party dial-up program 3-15
    time connected (connection status) 4-11
    triple DES algorithm 1-3
    tunnel 1-2
    tunnel negotiation process 4-3
    typographic conventions x
    U
    understanding the VPN Client 1-1
    UniCERT 4-8
    uninstalling the VPN Client 5-15
    URL or Network Address (CA) 6-5
    user authentication 1-2, 4-4; see authentication
    username
      internal server authentication 4-4
      ISP logon 2-2, 4-3
      NT Domain authentication 2-3, 4-5
      RADIUS authentication 2-3, 4-4
      RSA authentication 2-3, 4-6
    V
16. Setup.exe. The program displays the Cisco Systems logo and InstallShield Setup window (Figure 2-1).
    Figure 2-1 Initial VPN Client installation window. The InstallShield Wizard dialog reads: "Welcome to the InstallShield Wizard for VPN Client. The InstallShield Wizard will install VPN Client on your computer. To continue, click Next."
    Follow the directions on the screens and enter the following information: a destination folder for the VPN Client files, or Next > to enter the default location, C:\Program Files\Cisco Systems\VPN Client.
    What next
    After you have installed the VPN Client, the InstallShield Wizard displays the following screen. You must restart your computer before you can configure and use the VPN Client (Figure 2-2).
    Figure 2-2 Setup Complete dialog box. The InstallShield Wizard Complete dialog reads: "The InstallShield Wizard has successfully installed VPN Client. Before you can use the program, you must restart your computer." It offers the option "No, I will restart my computer later" and the instruction "Remove any disks from their drives and then click Finish to complete setup."
    To restart now, click Finish. Your system reboots. Be sure to remove any diskette from the drive before you reboot.
    To restart later, click the No radio button and then click Finish. The VPN Client Setup closes. Remember, you must restart your computer before you can use the VPN Client.
    What next
    The VPN
17. Unit (OU). Note that when connecting to a VPN 3000 Concentrator, the OU must match the Group Name configured for the owner in the VPN 3000 Concentrator.
    Company: The organization where the owner is using the certificate.
    State: The state where the owner is using the certificate.
    Country: The two-character country code where the owner's system is located.
    Email: The email address of the owner of the certificate.
    Thumbprint: An MD5 hash of the certificate's complete contents, which provides a means of validating the authenticity of the certificate. For example, you can contact the issuing CA and use this identifier to verify that this certificate is indeed the right one.
    Key Size: The size of the signing key pair in bits, for example 512.
    Subject: The fully qualified distinguished name (DN) of the certificate's owner. This specific example includes the following parts. Other items may be included depending on the certificate type; however, these fields are fairly standard.
      CN is the common name
      OU is the organizational unit (department)
      O is the organization
      L is the locality (city or town)
      ST is the state or province of the owner
      C is the country
      E is the email address of the owner
    Serial Number: A unique identifier used for tracking the validity of the certificate on Certificate Revocation Lists (CRLs).
    Not Before: The beginning date that the certificate is valid.
    Not After: The end date beyond which the
18. Username field, enter your username. This entry is case sensitive.
    2. In the Pin field, enter your SoftID PIN. The VPN Client gets the passcode directly from SoftID by communicating directly with SoftID. The SoftID application must be installed but does not have to be running on your PC.
    3. Click OK.
    The first time you authenticate using SecurID or SoftID (all operating systems), or if you are using a new SecurID card, and if the RSA administrator allows you to create your own PIN, the authentication program asks if you want to create your own PIN (Figure 4-10).
    Figure 4-10 SecurID New PIN request. The User Authentication for "Connect to MyCompany" dialog reads: "Do you want to enter your own pin? (y or n)" with a Response field.
    1. Enter your response: y for yes or n for no. No is the default response. Then click OK. What happens next depends on your response.
    If you responded yes, enter your new pin in the New Pin field (Figure 4-11) and enter it again in the Confirm Pin field. Click OK.
    Figure 4-11 Entering a New PIN yourself. The dialog reads: "Enter your new Access PIN containing 4 to 8 digits, or & to cancel the new PIN procedure" with New Pin and Confirm Pin fields.
    If you responded no, the authentication program asks if you will accept a system generated PIN (Figure 4-12).
    Figure 4
19. certificate is no longer valid.
    Issuer: The fully qualified distinguished name (DN) of the source that provided the certificate. The fields in this example are the same as for Subject.
    After you have finished viewing the certificate, click OK to close it.
    Verifying a certificate
    The Certificate Manager provides a quick way for you to check the validity of a certificate, for example to see if it is within the valid beginning and ending date range. To see if the certificate is valid, select it in the certificate store, display the Options pull-down menu and select Verify. The Certificate Manager displays a message such as the one in Figure 6-20, indicating whether the certificate is still valid.
    Figure 6-20 Verifying a certificate's validity. The Certificate Validity Check dialog in the example reads: "Certificate signature is not valid."
    The following table shows the messages you might see when you check the validity of your certificate. The messages are: Certificate is not valid yet; Certificate has expired; Certificate signature is not valid; Certificate is valid. Their meanings and actions:
    Certificate is not valid yet: The current date is prior to the certificate's valid start date. You must wait until the certificate becomes valid.
    Certificate has expired: The current date is after the certificate's valid end date. You need to enroll for a new certificate.
    Certificate signature is not valid: You
    Deleting a certificate
20. decimal notation, for example 192.168.12.34. You can omit leading zeros in a byte position.
    Hostnames
    Hostnames use legitimate network host or end-system name notation, for example VPN01. Spaces are not allowed. A hostname must uniquely identify a specific system on a network. A hostname can be up to 255 characters in length.
    Usernames and Passwords
    Text strings for usernames and passwords use alphanumeric characters, upper and lower case. Most text strings are case sensitive; for example, simon and Simon represent different usernames. The maximum length of usernames and passwords is generally 32 characters.
    Terminology
    In this user guide the term "Cisco VPN device" refers to the following Cisco products: Cisco VPN 3000 Concentrator Series; Cisco VPN 5000 Concentrator Series; Cisco Secure PIX Firewall devices; IOS platform devices such as the Cisco 7100 Series Routers.
    Obtaining Documentation
    The following sections provide sources for obtaining documentation from Cisco Systems.
    World Wide Web
    You can access the most current Cisco documentation on the World Wide Web at the following sites: http://www.cisco.com, http://www.china.cisco.com, http://www.europe.cisco.com
    Documentation CD-ROM
    Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation.
21. don't have the CA certificate, or the CA certificate that you have may have expired. You may need to download or import the CA certificate.
    Certificate is valid: You have a working certificate enrolled.
    To delete a certificate, follow this procedure:
    1. Select the certificate in the certificate store, display the Options pull-down menu and select Delete. If there is a password on the certificate, the Certificate Manager prompts you to enter it (Figure 6-21).
    Figure 6-21 Entering password for deleting a certificate. The dialog has a Password field with OK and Cancel buttons.
    2. In the Password field, type the password given to the certificate during enrollment and click OK. Next the Certificate Manager asks you to confirm (Figure 6-22).
    Figure 6-22 Confirming deletion. The Delete Certificate dialog asks: "Are you sure you want to delete the Certificate?"
    3. To complete the deletion, click Yes. If you decide not to delete this certificate, click No.
    Changing the password on a personal certificate
    To change the password on a personal certificate, use this procedure:
    1. Display the Options pull-down menu and select Password. The Certificate Manager displays the Change Password dialog (Figure 6-23).
    Figure 6-23 Changing a certificate's password. Change
22. entry and retain all its properties. Each connection entry name must be unique. Since these names are not case sensitive, be sure the new name differs in content, not just case.
    1. On the VPN Client's main dialog, click the Connection Entry drop-down menu button and select the entry you want to rename.
    2. On the VPN Client Options menu (Figure 5-2), select Rename. The Rename Connection Entry dialog appears (Figure 5-5).
    Figure 5-5 Rename Connection Entry dialog. The dialog shows "Current connection entry name: Engineering" and the prompt "Enter a new name for this connection entry".
    3. Enter a new name for this connection entry in the field and click OK. The dialog closes. The new name appears in the Connection Entry list in the VPN Client main dialog.
    Creating a shortcut for a connection entry
    You can create a shortcut on your desktop to quickly and directly launch a VPN Client connection entry that you use frequently.
    1. On the VPN Client's main dialog, click the Connection Entry drop-down menu button and select an entry.
    2. On the VPN Client Options menu (Figure 5-2), select Create Shortcut. The shortcut appears on your desktop, as in this example (Figure 5-6).
    Figure 5-6 Connection entry shortcut (the Engineering shortcut icon).
    The VPN Client main dialog remains open.
    Importing a VPN Client Configuration File
    You can automatically configure your VPN Client with new settings by importing a new configuration file, a file with a p
23. fully qualified file name and optional command line parameters associated with the application. The dialog has an Application field, an Enable check box, and Browse, OK and Cancel buttons.
    2. Click Browse to locate and then select the complete pathname to the application as well as the name of the application (Figure 5-13). The application name appears in the Application Launcher dialog. In this example the VPN Dialer is configured to launch the Log Viewer before a connection.
    Figure 5-13 Selecting an application. The file browser shows the VPN Client folder (including vpnclient.exe, ipsecdialer.exe and IPSecLog.exe) with "Files of type: Programs".
    3. Click Enable and then click OK.
    The Application Launcher dialog then reads: "To execute an application or command when establishing a connection, enter the fully qualified file name and optional command line parameters associated with the application." Its Application field is set to Program Files\Cisco Systems\VPN Client\IPSecLog.exe.
    Turning off Application Launcher
    To disable Application Launcher:
    1. Open the Options pull-down menu and select Application Launcher.
    2. When the Application Launcher dialog displays, remove the check from in front of Enable.
    Viewing and managing the VPN Client event log
    Examining the event log can often help a network adm
24. over a network connection. File-based enrollment will produce a certificate request file, which you need to submit to your administrator. Please select the method you wish to proceed with. Enrollment type: Network.
    Enrolling via the network
    Enrolling through the network retrieves a certificate from a CA and places it in the Cisco store. Use the following procedure:
    1. Click the Network radio button (Figure 6-5) and click Next. The Certificate Manager asks you to enter the network address of the issuing certificate authority (Figure 6-6).
    Figure 6-6 Entering network address. The Enrollment CA Network Address dialog reads: "Enter the URL or IP Address of the Certificate Authority" and has the fields URL or Network Address, Domain and Challenge Password; the URL or Network Address and Domain fields are marked as required.
    2. Do one of the following:
    Select an existing Certificate Authority from the drop-down menu. The URL or Network Address and Domain fields are automatically filled. Reenter the Challenge password or enter a new password, which you can obtain from the CA or your network administrator.
with a complete context-sensitive HTML help system. You can display help in the following ways:

- On the Program Menu, select Start > Programs > Cisco Systems VPN Client > Help (Figure 3-1).

Figure 3-1 Cisco Systems VPN Client program menu (Help icon)

- Press F1 at any window while using the VPN Client.

- Select the Help button on windows that display it (Figure 3-2).

Figure 3-2 Help button (New Connection Entry Wizard: "Your administrator may have provided you with group parameters or a digital certificate to authenticate your access to the remote server. If so, select the appropriate authentication method and complete your entries." Group Access Information: Name, Password, Confirm Password; Certificate: Name (No Certificates Installed), Validate Certificate; Help button)

- Select Help from the menu that appears when you click on the icon in the title bar (Figure 3-3).

Figure 3-3 Help menu (click the icon in the title bar to open a menu containing Help (F1) and About VPN Client)

Determining the VPN Client version

To display the version number of the software release you are currently using, follow these steps:

1. Click the icon in the title bar (Figure 3-3). The VPN Client displays a menu.
2. Click About VPN Client on the menu displayed. The VPN Client displays the version you are currently us
(Figure 5-15 continued: Log Viewer main window showing sample events)
4  11:13:46.460  01/24/01  Sev=Info/4  IPSEC/0x63700010  Created a new key structure
5  11:13:46.160  01/24/01  Sev=Info/4  IPSEC/0x6370000F  Added key with SPI 0xb22b0833 into key list
Status bar: Ready

Displaying the version of the software

To display a brief help message that gives you the version number of the software, select Help from the main menu or click the Help icon.

Collecting events

To start collecting event messages into the log file, select Options > Capture. When a check mark appears in front of the Capture option, Log Viewer is collecting events. This option is off by default. Alternatively, you can click the Capture icon.

Each message in the log file comprises at least two lines containing the following fields:

Event  Time  Date  Severity/type/level  EventClass/MessageID
Message text

Figure 5-16 shows a sample event message in the log file.

Figure 5-16 Anatomy of an event message
Event  Time          Date     Severity/type/level  Class/Message ID  Message
54     15:25:09.643  2/03/01  Sev=Info/4           IPSEC/0x63700012  Delete all keys associated with peer 10.10.99.40

Event: The first field shows the event number. Events are numbered incrementally and never reset.

Time: The time of the event, hour:minutes:seconds. The hour is based on a 24-hour clock. For example, 15:25:09 identifies an event that occurred at 3:25:09 PM.

Date: Th
CISCO SYSTEMS AND THE PURCHASER OF THE CISCO SYSTEMS VPN 3000 CLIENT PRODUCT. THAT SEPARATE LICENSE AGREEMENT CONTAINS A DESCRIPTION OF ALL WARRANTIES PROVIDED BY CISCO SYSTEMS FOR THE SOFTWARE. CISCO SYSTEMS PROVIDES NO WARRANTIES FOR THE SOFTWARE OTHER THAN THOSE SET FORTH IN THAT AGREEMENT AND ASSUMES NO LIABILITIES WITH RESPECT TO YOUR USE OF THE SOFTWARE.

RSA software

Copyright 1995-1998 RSA Data Security, Inc. All rights reserved. This work contains proprietary information of RSA Data Security, Inc. Distribution is limited to authorized licensees of RSA Data Security, Inc. Any unauthorized reproduction or distribution of this document is strictly prohibited. BSAFE is a trademark of RSA Data Security, Inc. The RSA Public Key Cryptosystem is protected by U.S. Patent 4,405,829.
(Certificate Password dialog: "To modify or add a password associated with the specified certificate, enter the information below." Fields: Current, New, Confirm; OK, Cancel)

1. In the Current field, type the password you are currently using to protect your private key.
2. In the New field, type the new password.
3. In the Confirm field, type the same password again.
4. Click OK.

Exporting a certificate

You may want to export a certificate primarily for backing up your certificate and private key, or moving them to another system. When you export a certificate, you are making a copy of it. To export a certificate, follow these steps:

1. Display the Options pull-down menu and select Export. The Certificate Manager displays the Export Certificate dialog (Figure 6-24).

Figure 6-24 Exporting a certificate (Export Certificate dialog: "The certificate password is not exported with the certificate. To password protect the certificate file, enter a value in the Export password field. To export the CA certificate and any intermediate CA certificates, select the Export certificate chain option." Fields: Certificate password, Export password, Export file name (example shown: newcert.cec), Export certificate chain; Browse; Required Field; OK, Cancel)

2. In the Certificate password field, enter the password initiated during enrollment, if any. The Certificate password protects the certificate in the certificate store so an unauthorized individual can't use it. This is the password you opt
ISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Fast Step, Follow Me Browsing, FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, PIX, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, Network Registrar, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The
N Clients: http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

Other references

Other useful books, articles, and websites include:

- Frequently Asked Questions about Microsoft VPN Security. Microsoft Corporation, 1998. Available from the Microsoft web site, www.microsoft.com.
- Kosiur, Dave. Building and Managing Virtual Private Networks. Wiley, 1998.
- Sheldon, Tom. Encyclopedia of Networking. Osborne/McGraw-Hill, 1998.
- Stallings, William. Data and Computer Communications, 5th ed. Prentice Hall, 1997.
- Virtual Private Networking: An Overview. Microsoft Corporation, 1999. Available from the Microsoft web site.
- www.ietf.org, for Internet Engineering Task Force (IETF) Working Group drafts on IP Security Protocol (IPSec).

Documentation Conventions

We may use these typographic conventions in this manual:

Font         Meaning
This font    Document chapter and section titles; emphasized text.
This font    Command line prompts and entries, data entry field entries, system displays, filenames, etc.
This font    Literal entries you should make exactly as shown.
<This font>  Variables that the system supplies. Ignore the angle brackets.
This font    Menus, menu items, keyboard keys, icons, screen names, data entry field names, etc.

Data Formats

As you configure and manage the VPN Client, enter data in these formats unless the instructions indicate otherwise:

IP addresses: IP addresses use 4-byte dotted
Programs > Cisco Systems VPN Client > VPN Dialer. The VPN Client starts and displays its main dialog (Figure 3-5).

Figure 3-5 VPN Client main dialog (Cisco Systems VPN Client: Connection Entry drop-down; New, Options buttons; Host name or IP address of remote server; Connect, Close)

1. At the main dialog, click New. The first New Connection Entry Wizard dialog appears (Figure 3-6).

Figure 3-6 New Connection Entry Wizard dialog ("The VPN Client lets you create secure connections to remote networks. This wizard helps you create a connection entry for connecting to a specific remote network." Name of the new connection entry: Engineering; Description of the new connection entry (optional): Connection to Engineering remote server; Next, Cancel, Help)

2. Enter a unique name for this new connection. You can use any name to identify this connection; for example, Engineering. This name can contain spaces, and it is not case-sensitive.

3. Enter a description of this connection. This field is optional, but it helps further identify this connection. For example, Connection to Engineering remote server.

4. Click Next. The second New Connection Entry Wizard dialog appears (Figure 3-7).

Figure 3-7 New Connection Entry Wizard dialog 2 ("The following information identifies the server to which you connect for access to the remote network."
Requests tab and select Resume from the Options pull-down menu. The Certificate Manager prompts you to enter a password (Figure 6-29). This password must match the password you are using to protect the certificate's private key, if any.

Figure 6-29 Entering password to resume online enrollment (Certificate Manager with Personal Certificates, CA Certificates and Enrollment Requests tabs; Enter Enrollment Cert Password dialog: Password field, OK, Cancel; Options menu)

Enter the password and click OK to resume enrollment.

Appendix A  Copyrights and licenses

Client Software License Agreement of Cisco Systems

THE SOFTWARE TO WHICH YOU ARE REQUESTING ACCESS IS THE PROPERTY OF CISCO SYSTEMS. THE USE OF THIS SOFTWARE IS GOVERNED BY THE TERMS AND CONDITIONS OF THE AGREEMENT SET FORTH BELOW. BY CLICKING "YES" ON THIS SCREEN, YOU INDICATE THAT YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THAT AGREEMENT. THEREFORE, PLEASE READ THE TERMS AND CONDITIONS CAREFULLY BEFORE CLICKING ON "YES". IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THE AGREEMENT, CLICK "NO" ON THIS SCREEN, IN WHICH CASE YOU WILL BE DENIED ACCESS TO THE SOFTWARE.

Ownership of the Software

1. The software contained in the Cisco Systems VPN Client (the "Software") to which you are requesting access is owned or licensed by Cisco Systems and is protected by United States copyright laws, laws of other nations, and/or internationa
Summary dialog: "This is a summary of the information you have provided for this certificate enrollment request. Select Finish to proceed with the enrollment or Back to make modifications." Enrollment File: certreq.req; Certificate Store: Cisco. Enroll File Success message: "Creation of enrollment file was successful." Back, Finish, Cancel, Help)

5. Click OK on the message screen, then click Finish on the summary screen. You can view the file request under the Enrollment Requests tab (Figure 6-15).

Figure 6-15 File enrollment requests (Certificate Manager tabs: Personal Certificates, CA Certificates, Enrollment Requests; entries: Alice Wonderland Request, Patrick Clarkson Request; buttons: View, Delete, Import, Password, Resume)

Importing a certificate file

You can import a certificate into the Cisco store from the Microsoft store or from a file. To import a certificate, use the following procedure:

1. On the Certificate Manager main window, under the Personal Certificates tab, click the Import button. The Certificate Manager displays the Import Certificate Source dialog (Figure 6-16).

Figure 6-16 Importing a certificate (Import Certificate Source dialog: "The certificate source identifies where the certificate is imported from. Additionally, if the certificate you are importing is protected by a password, please enter it below." Certificate sour
(Figure 6-12 continued: the Base-64 encoded body of the request, ending with the line "-----END NEW CERTIFICATE REQUEST-----")

3. Enter the full pathname for the file request. When you browse for an appropriate directory for placing the file request, the Certificate Manager shows only the files of the selected file type (Figure 6-13). You can save your file enrollment requests in the Certificates directory, which is a subdirectory of where the VPN Client is installed.

Figure 6-13 Specifying a filename (Save in: Certificates, listing existing .p10 request files; File name; Save as type: Encoded Request File (*.p10); Save, Cancel)

In this example, the complete pathname is C:\Program Files\Cisco Systems\VPN Client\Certificates\p10req.p10.

4. Complete the form (see "Enrollment form") and click Next >. The Certificate Manager displays the summary screen and a message to let you know that your request succeeded (Figure 6-14).

Figure 6-14 Enroll File Success message (Enrollment
anager prompts you to select a file type for your file request and to specify a file name (Figure 6-11).

Figure 6-11 Selecting file type and location (Enrollment File Location dialog: "To create an enrollment request file, please select the type of file you wish to generate. Contact your network administrator if you are not sure which encoded file type is required. When you select a file extension in the Browse dialog, the associated file type will be selected on this page." File name; Browse; File type: Base 64 encoded (.req), Binary encoded (.p10); Required Field; Back, Next, Cancel, Help)

2. Click one of the following file types:

   - Binary encoded: a base 2 PKCS10 file (Public Key Cryptography Standard), for example an X.509 DER file. You can't display a binary encoded file.
   - Base 64 encoded: an ASCII-encoded PKCS10 file that you can display because it is in text format, such as the request in Figure 6-12. Select this type when you want to cut and paste the text into the CA's website.

Figure 6-12 A PKCS10 certificate request (cert.cec.txt open in Notepad, beginning with the line "-----BEGIN NEW CERTIFICATE REQUEST-----" followed by the Base-64 encoded request body)
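To make the difference between the two file types concrete, here is an added Python example (not Cisco's code and not part of this guide) that tells a Base 64 encoded request apart from a binary encoded one, converts between the two, and checks that the decoded bytes are framed as a single DER SEQUENCE, which is the outer structure of every PKCS10 request. The header lines follow the "BEGIN NEW CERTIFICATE REQUEST" text shown in Figure 6-12; the sample request the script builds is constructed DER framing for the example only, not a real certificate request, and the function names are the example's own.

```python
"""Distinguish and convert PKCS#10 request encodings: Base-64 (text) vs binary (DER).

Added example, not Cisco's code. Only the outer DER framing is checked here;
a full PKCS#10 parser would go on to decode the CertificationRequestInfo inside.
"""
import base64
import re

# PEM-style armour as it appears in the Log Viewer/Notepad screenshot (Figure 6-12).
PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----"
)


def der_length_ok(der: bytes) -> bool:
    """Return True if der is exactly one DER SEQUENCE (tag 0x30) whose length field
    matches the number of bytes that follow it. Truncated or padded files fail."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        length, header = first, 2
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def detect_encoding(data: bytes) -> str:
    """'binary' for a DER file, 'base64' for an armoured text file, else 'unknown'."""
    if data[:1] == b"\x30":
        return "binary"
    if PEM_RE.search(data.decode("ascii", errors="replace")):
        return "base64"
    return "unknown"


def base64_to_der(text: str) -> bytes:
    """Strip the armour, decode strictly, and refuse anything that is not DER-framed."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE REQUEST block found")
    der = base64.b64decode("".join(m.group("body").split()), validate=True)
    if not der_length_ok(der):
        raise ValueError("decoded data is not a single well-framed DER SEQUENCE")
    return der


def der_to_base64(der: bytes, line_len: int = 64) -> str:
    """Wrap DER bytes in the text armour a CA web form expects (64-character lines)."""
    if not der_length_ok(der):
        raise ValueError("input is not a single well-framed DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + line_len] for i in range(0, len(b64), line_len)]
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n"
            + "\n".join(lines)
            + "\n-----END NEW CERTIFICATE REQUEST-----\n")


def make_sample_der() -> bytes:
    """Constructed sample: a SEQUENCE wrapping INTEGER 0 (the PKCS#10 version field)
    and a short OCTET STRING. It is valid DER framing but not a real request."""
    payload = b"\x02\x01\x00" + b"\x04\x05hello"
    return b"\x30" + bytes([len(payload)]) + payload


if __name__ == "__main__":
    sample = make_sample_der()
    armoured = der_to_base64(sample)
    print(armoured)
    print("round trip ok:", base64_to_der(armoured) == sample)
    print("encodings:", detect_encoding(sample), detect_encoding(armoured.encode("ascii")))
```

The strict `validate=True` decode and the framing check are what you want before handing a request file to a CA or pasting it into a web form: a file that is truncated on the way (a common failure when copying from Notepad) fails `der_length_ok` immediately instead of producing a confusing error at the CA.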
authenticate your access to the remote server. If so, select the appropriate authentication method and complete your entries." Group Access Information: Name, Password, Confirm Password; Certificate: Name (No Certificates Installed), Validate Certificate)

If you are using certificate authentication (Figure 3-10), select the name of the certificate you are using. If the field says "No Certificates Installed" and is shaded, then you must first install a certificate before you can use this feature. For information on enrolling for a certificate, see Chapter 6.

Figure 3-10 Certificate (New Connection Entry Wizard: "Your administrator may have provided you with group parameters or a digital certificate to authenticate your access to the remote server. If so, select the appropriate authentication method and complete your entries." Group Access Information: Name, Password, Confirm Password; Certificate Name: Patrick Clarkson (Microsoft); Validate Certificate; Back, Next, Cancel, Help)

To verify the validity of the certificate, click Validate Certificate and enter the password. You'll receive a report letting you know whether the password is valid. If not, you need to try again. If you don't know or can't remember the password, see your system administrator.

An identity certificate has a public and private key and a time period within
authenticate your connections to VPN devices (Chapter 6, "Enrolling and managing certificates").
- Log Viewer lets you display events from the log (Chapter 5, "Managing the VPN Client").
- SetMTU lets you change the MTU setting on your PC; used for troubleshooting (Chapter 5, "Managing the VPN Client").
- Uninstall VPN Client lets you safely remove the VPN Client software from your system and retain your connection and certificate configurations (Chapter 5, "Managing the VPN Client").

How it works

The VPN Client works with a Cisco VPN device to create a secure connection, called a tunnel, between your computer and the private network. It uses Internet Key Exchange (IKE) and Internet Protocol Security (IPSec) tunneling protocols to make and manage the secure connection. Some of the steps include:

- Negotiating tunnel parameters: addresses, algorithms, lifetime, etc.
- Establishing tunnels according to the parameters.
- Authenticating users: making sure users are who they say they are, via usernames, group names and passwords, and X.509 digital certificates.
- Establishing user access rights: hours of access, connection time, allowed destinations, allowed protocols, etc.
- Managing security keys for encryption and decryption.
- Authenticating, encrypting, and decrypting data through the tunnel.

For example, to use a remote PC to read email at your organization, you connect to the Internet, the
ce: Microsoft certificate (Patrick Clarkson), File; Import password; Back, Next, Cancel, Help)

2. To import a certificate, do one of the following, depending on where your certificate resides:

   - Importing from the Microsoft store: click the Microsoft certificate radio button and select the certificate from the drop-down menu. The certificate must already be in your Microsoft store.
   - Importing from a file: click the File radio button and enter the pathname of the file into the field.

3. If a password is used to protect this certificate, type the password into the Import Password field. This is the password assigned to protect the certificate's private key. If you are importing from the Microsoft store, this password is the one you or the network administrator entered during enrollment. If you are importing a certificate from a file, this is the password specified when the certificate was exported.

4. Click Next >. The Certificate Manager prompts for a password to be stored with the certificate (Figure 6-17).

Figure 6-17 Destination password for importing certificate (Certificate Password Protection dialog: "Password protecting your certificate provides an additional level of security. This password is optional. By choosing to protect your certificate with a password, any operation that requires access to the certificate
ce with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Website

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website: http://www.cisco.com/tac

P3 and P4 level problems are defined as follows:

- P3: Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
- P4: You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.

In each of the above cases, use the Cisco TAC website to quickly find answers to your questions. To register for Cisco.com, go to the following website: http://www.cisco.com/register

If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website: http://www.cisco.com/tac/caseopen

Contacting TAC by Telephone

If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

P1 and P2 level problems are defined as follows:

- P1: Your production network is down, causing a critical impact to busine
centrator internal server: your username and password.
- If you are authenticated via a RADIUS server: your username and password.
- If you are authenticated via a Windows NT Domain server: your username, password, and domain name.
- If you are authenticated via RSA Data Security (formerly SDI) SecurID or SoftID: your username and PIN.
- If you use a digital certificate for authentication: the name of the certificate, your username, and password. If your private key is password protected for security reasons, you also need this password.

Reminder: Refer to your entries in Table 2-1, "VPN Client information worksheet," on page 2-2 as you complete the steps here.

Starting the VPN Client

1. Start the VPN Client by selecting Start > Programs > Cisco Systems VPN Client > VPN Dialer. The VPN Client displays its main dialog (Figure 4-1).

Figure 4-1 VPN Client main dialog (Cisco Systems VPN Client: Connection Entry: Engineering; New, Options; Host name or IP address of remote server: 10.10.32.32; Connect, Close)

2. If necessary, click the Connection Entry drop-down menu button and select the desired connection entry.

Connection procedure

Connecting to a private network is a simple one- or two-step process:

1. Connect to the Internet, if necessary.
2. Connect to the private network through the Internet.

- Systems with cable or DSL modems are u
cess Information: Name, Password, Confirm Password; Certificate: Name (No Certificates Installed), Validate Certificate; OK, Cancel, Help)

Changing group name or group password

You usually specify a group name and group password when you create a connection entry. However, you can use the Authentication tab to change a group name or group password if your system administrator so instructs you, or to enter the group name and password if the connection entry does not already have them.

- In the Name field, enter or edit the group name (maximum 32 characters). This entry is case-sensitive.
- In the Password field, enter or edit the group password (maximum 32 characters). This entry is case-sensitive. The field displays only asterisks.
- Verify your password by entering it again in the Confirm Password field.

If either field is empty when you leave this dialog, the VPN Client reminds you to enter the missing group information (Figure 3-17). To proceed, click Yes; to terminate, click No.

Figure 3-17 Reminder dialog (Cisco Systems VPN Client: "The Group field is empty. You will not be able to connect without this information. Proceed?" Yes, No)

When you are done with the Authentication tab, click OK or click another tab.

Selecting a different certificate

To select a different certificate, make sure the radio button for Certificate i
cf extension, called a profile, that your system administrator supplies. To automatically configure a VPN Client:

1. Obtain a new VPN Client profile (.pcf) file from your system administrator.

2. Load the file on your hard disk.

3. On the VPN Client main dialog, click Options and select Import from the menu. The VPN Client opens a window for you to select the profile file (Figure 5-7).

Figure 5-7 Selecting a file to import (Look in: VPN Client, with Certificates and Profiles subfolders; Files of type: Profile Configuration Files (*.pcf); Open, Cancel)

4. Browse until you locate the profile file and, when you have located it, select it and click Open (Figure 5-8).

Figure 5-8 Importing the profile file (Look in: Files_test; File name: Doc.pcf; Files of type: Profile Configuration Files (*.pcf); Open, Cancel)

The VPN Client displays a message informing you that your file import was successful (Figure 5-9). If the profile already exists, you receive a message asking if you want to overwrite it.

Figure 5-9 Import successful (Cisco Systems VPN Client main dialog, Connection Entry: Engineering, Host name or IP address of remote server: 10.10.32.32, with the message "Import operation has completed." OK)

5. To continue, click OK.

Alternatively, you can co
49. dio buttons to select the logon process:
Use default system logon credentials: Use the Windows logon username and password on your PC to log on to the private network. With this option, you do not need to manually enter your logon username and password each time you connect to the private network. This is the default selection.
Prompt for network logon credentials: The private network prompts you for a username and password to use its resources. If the logon username or password on your PC differs from those on the private network, use this option.
When you are done with the General tab, click OK or click another tab.

Changing Authentication settings
The Properties Authentication tab (Figure 3.16) lets you change the name or password of the IPSec group to which you are assigned. Your group determines your access to and use of the remote network. The group name and password are essential parameters in authenticating you as a user of the remote network. If you want to choose a different certificate, you also use this screen.
Figure 3.16 Properties dialog, Authentication tab (Properties for Engineering; tabs: General, Authentication, Connections; dialog text: "Your administrator may have provided you with group parameters or a digital certificate to authenticate your access to the remote server. If so, select the appropriate authentication method and complete your entries." Group Ac
50. e date of the event (MM/DD/YYYY). For example, 2/03/2001 identifies an event that occurred on February 3, 2001.
Severity type/level: The severity type and level of the event; for example, Sev=Info/4, which identifies an informational event, severity level 4. Table 5.1 identifies event types and severity levels.
Table 5.1 Event types and severity levels
Type           Levels   Meaning
Fault                   A system failure or non-recoverable error.
Warning        2-3      Imminent system failure or a serious problem that may require user intervention.
Informational  4-6      Level 4 provides the most general type (high-level) information. Levels 5 and 6 provide more detailed information about the connection.
Event Class/Message ID: The module or source of the event and the message identifier associated with the module. For example, IPSEC/0x63700012 (Figure 5.16).
Message text: A brief message describing the event. Usually this message is no more than 80 characters. For example, "Delete all keys associated with peer 10.10.99.40". In a message containing arrows, the arrows indicate the direction of the transmission: >>> for sending and <<< for receiving.

Filtering events
To control the amount of information to view with the Log Viewer, select Options > Filter. Alternatively, you can click the Filter icon. The Log Viewer displays the Log Viewer Filter message to let you choose the amount of information you want to capture (Figure 5
51. e requirements
Computer with a Pentium-class processor or greater.
One of the following operating systems: Microsoft Windows 95; Windows 98 or Windows 98 Second Edition; Windows ME; Windows NT 4.0 with Service Pack 3 or higher; Windows 2000.
Microsoft TCP/IP installed. Confirm via Start > Settings > Control Panel > Network > Protocols (or Configuration).
10 MB hard disk space.
RAM: 16 MB for Windows 95/98, or 32 MB for Windows NT and Windows ME; 64 MB for Windows 2000.
To install the VPN Client: CD-ROM drive, or 3.5-inch high-density diskette drive, or network connection; administrator privileges if installing on Windows NT or Windows 2000.
To use the VPN Client: Direct network connection (cable or DSL modem and network adapter/interface card), or internal or external modem and, for Windows 95, Microsoft Dial-Up Networking (DUN) version 1.2 or greater. DUN 1.3 for Windows 95 is a recommended performance and security upgrade, and it is available as a free download from the Microsoft Web site (www.microsoft.com). Windows 98 includes the DUN 1.3 functionality.
To connect using a digital certificate for authentication: A digital certificate, signed by one of the following Certificate Authorities (CAs), installed on your PC: Baltimore Technologies (www.baltimoretechnologies.com); Entrust Techno
52. elect this option, be aware that using it may compromise system security, since your password is then stored on your PC and is available to anyone who uses your VPN Client. Skip to Completing the private network connection.

Authenticating via Windows NT Domain
The VPN Client displays the Windows NT Domain user authentication dialog. The title bar identifies the connection entry name.
Figure 4.7 Windows NT Domain authentication dialog (User Authentication for CompanyX: "The remote peer requires additional user authentication to authorize this connection." Fields: Username, Password, Save Password, Domain)
1. In the Username field, enter your username. This entry is case-sensitive.
2. In the Password field, enter your password. This entry is case-sensitive. The field displays only asterisks.
3. In the Domain field, enter your Windows NT Domain name if it is not already there.
4. Click OK.
Skip to Completing the private network connection.

Authenticating via RSA Data Security (RSA SecurID)
RSA (formerly SDI) SecurID authentication methods include physical SecurID cards and keychain fobs, and PC software called SoftID. SecurID cards also vary: with some cards, the passcode is a combination of a PIN and a cardcode; with others, you enter a PIN on the card and it displays a passcode. Ask your system administrator for the correct procedure. Authentication via these methods also varies slightly for diff
53. elp
5. To complete the enrollment, click Finish. The Certificate Manager displays a status window (Figure 6.8) that lets you monitor the progress of the certificate retrieval. If the enrollment failed, the status window indicates the cause so you can fix the problem and try again.
Figure 6.8 Certificate status messages (Enrollment Status window: Generating key pair; Generating self-signed certificate; Submitting request; Status: Request pending)
6. What happens next depends on your CA (Figure 6.8):
- Some CAs may provide an immediate response. If so, the Enrollment Status window reflects this fact and displays an OK button. Click OK and you see a message that your enrollment succeeded. You can view and manage the certificate under the Personal Certificates tab.
- If the enrollment status is Request pending, your CA does not immediately approve your request, and the Enrollment Status window shows the Suspend button. Click the Suspend button. Your request appears under the Enrollment Requests tab while you are waiting for the CA to issue the certificate. When the CA issues your certificate, select the certificate and then select Resume from the Options pull-down menu to complete the enrollment (Figure 6.9).
54. ep your certificates, click No. Finally, the Uninstall Wizard prompts you to restart your system. To complete the uninstallation, you must restart your system.
5. To restart your system, click Yes (the default) and then click Finish. The installation program restarts your system. Be sure to remove any diskette from its drive before you restart your system.
Note: When you uninstall the VPN Client software after you have run the Log Viewer, and you have clicked Yes to remove your certificate and profile directories, the vpnclient.ini and ipseclog.txt files remain on your system. Since these files were generated after you installed the software, they are not removed when you uninstall the software.

Chapter 6 Enrolling and managing certificates
This chapter explains how to enroll and manage personal certificates using the Certificate Manager application; specifically, how to:
- Obtain personal certificates through enrollment with a Certificate Authority (CA), which is an organization that issues digital certificates that verify that you are who you say you are. You can enroll for a certificate in two ways: through the network (online enrollment) or via a file.
- Import certificates.
- Manage certificates: viewing, verifying, deleting, exporting.
- Manage enrollment requests.
To get started with certificates, go to the Ci
55. er 10.10.32.32 (Options menu: Rename, Create Shortcut, Properties, Connect, Import, Start Before Logon, Application Launcher). Click Start Before Logon.

What happens when you use Start Before Logon
When Start Before Logon is active, the following events occur when your system starts:
- First, your system logon dialog displays. There may be other messages that display as well, depending on your setup. You should wait until you see the VPN Dialer start.
- Next, the VPN Dialer starts and displays the connection dialog over the system logon dialog.
- You establish your connection to the private network of the VPN Device. Then you log on to your system.

Turning off Start Before Logon
To turn this feature off, open the Options pull-down menu on the VPN Dialer connection dialog and uncheck Start Before Logon. The next time you start your system, the VPN Dialer connection dialog does not automatically display on your logon desktop.
Note: You can use certificates for authentication with Start Before Logon only when your personal certificate, along with the CA or intermediary certificate(s), is in your Cisco certificate store, not your Microsoft store. For information on enrolling certificates and importing certificates into your Cisco store, see Chapter 6, Enrolling and managing certificates.

Launching an application
You can conf
56. erent operating systems. If you use an RSA method, the VPN Client displays the appropriate RSA user authentication dialog. The title bar identifies the connection entry name.

RSA User Authentication: SecurID Tokencards (Tokencards, Pinpads, and Keyfobs) and SoftID v1.0 (Windows 95 and Windows 98)
The VPN Client displays an authentication dialog asking for your username and passcode (Figure 4.8). If you are using SoftID, it must be running on your PC.
Figure 4.8 RSA authentication dialog (User Authentication for "Connect to MyCompany": Enter Username and Password; fields: Username, Passcode)
1. In the Username field, enter your username. This entry is case-sensitive.
2. In the Passcode field, enter an appropriate SecurID code. With SoftID, you can copy this code from the SoftID window and paste it here. Your administrator will tell you what you need to enter here, depending on the type of tokencard you are using.
3. Click OK.

RSA User Authentication: SoftID v1.x (Windows NT only) and SoftID v2.0 (all operating systems), RSA New PIN Mode
If you are using SoftID under Windows NT, the VPN Client displays an authentication dialog asking for your username and PIN (Figure 4.9).
Figure 4.9 SoftID Windows NT authentication dialog (User Authentication for Engineering: Enter Username and Password; fields: Username, PIN; Cancel)
1. In the
57. est under the Enrollment Requests tab. You can view, delete, or change the password on any request in the list, or you can resume a network enrollment request. To perform any of these actions, select the Enrollment Requests tab and click on the Options pull-down menu (Figure 6.26).
Figure 6.26 Managing enrollment requests (list: Alice Wonderland Request, Patrick Clarkson Request; Options menu: View, Delete, Password, Resume)

Viewing the enrollment request
To display the enrollment request, click on its name in the list and select View from the Options pull-down menu. The Certificate Manager displays the pending request (Figure 6.27).
Figure 6.27 Viewing an enrollment request (Digital Certificate fields: Common Name, Department, Company, State, Country, Email, Thumb Print, Key Size, Subject, Serial Number, Not Before, Not After, Issuer. Sample values shown: Alice Wonderland; International Studies; University; Massachusetts; US; alicew@university.edu; Key Size 1024; Subject e=alicew@university.edu, cn=Alice Wonderland, ou=International Studies; Not Before Thu Jan 25 14:55:06 2001; Not After Sat Feb 24 14:56:06 2001; Issuer e=alicew@university.edu, cn=Alice Wonderland, ou=International Studies)
Note that the Issuer field shows the subject name and not the name of the CA, since the CA has not yet issued the certificate.
58. ets bypassed, connection statistics 4-11
packets decrypted, connection statistics 4-11
packets discarded, connection statistics 4-11
packets encrypted, connection statistics 4-11
passcode, RSA authentication 4-6
password: internal server authentication 4-4; IPSec group 2-2, 3-5, changing 3-12; ISP logon 2-2, 4-3; NT Domain authentication 2-3, 4-5; private key 4-1; RADIUS authentication 2-3, 4-4
PIN, RSA authentication 2-3, 4-6
PKCS10 format 6-8
PKIs supported 2-2, 4-8
POTS (Plain Old Telephone Service) 1-2
preconfigured connection entry 3-1
Printer icon, log viewer 5-13
printing log file 5-13
private key password 4-1
private network: connecting to 4-2, 4-3; disconnecting from 4-12
Properties dialog box 3-8
protocols: IKE 1-2; IPSec 1-2
Public Key Infrastructure. See PKI
Q
quitting the VPN Client 4-11
R
RADIUS authentication 4-4: password 2-3, 4-4; username 2-3, 4-4
RADIUS (Remote Authentication Dial-In User Service) 1-2
RAM requirements 2-1
reconfiguring automatically 5-4
references (bibliography) x
remote access connection, closing before uninstall 5-15
remote server: backup addresses 2-3; changing address 3-16. See also backup servers; VPN Concentrator
removing: backup servers 3-14; the VPN Client 5-15
renaming a connection entry 5-4
requirements, system 2-1
resetting connection statistics 4-11
restarting your computer after installation 2-5
resuming an enrollment request 6-20
RSA (formerly
59. events, log viewer 5-11
G
General tab, Properties 3-10
group name, IPSec 2-2, 3-5; changing 3-12
group password, IPSec 2-2, 3-5; changing 3-12
GTE Cybertrust 4-8
H
hard disk space requirement 2-1
help: displaying 3-2; from program menu 3-2
Help icon: log viewer 5-10; program menu 3-2; title line 3-2
HMAC (Hashed Message Authentication Coding) algorithm 1-3
hostname, VPN Concentrator 3-5
hostname, VPN device 2-2
how it works 1-2
HTML help, displaying 3-2
I
icon: Dial-Up Networking 4-3; key 4-11; VPN Client: displays when connected 4-9, using to disconnect 4-12, using to view connection status 4-9
icons: help: program menu 3-2, title line 3-2; log viewer: Capture 5-10, Disk 5-14, Erase 5-14, Filter 5-11, Help 5-10, Printer 5-13, Search 5-13
IKE protocol 1-2
import option 5-4
Import Password 6-11
importing a certificate file 6-10
information you need (worksheet) 2-2
installation media requirements 2-1
installing VPN Client 2-1: new version 5-14; steps 2-4
interface card, network 2-2
internal server: authentication via 1-2, 4-4; password 4-4; username 4-4
internet: connecting to 1-1; via Dial-Up Networking 3-14, 4-2
Internet Key Management (IKE) protocol 1-2
Internet Protocol Security (IPSec) protocol 1-2
IP address, certificate enrollment 6-3
IP address, VPN Concentrator 3-5
IP address, VPN device 2-2
IPSec: group name 2-2, 3-5, changing 3-12; group password 2-2, 3-5, changing 3-12; protocol 1-2
IPSec t
60. fore date, the not-after date, and the number of days until the certificate expires or since it has expired. What happens when you press the Connect button can depend on the level of private key protection on your certificate. If your certificate is password-protected, you are prompted to enter the password.

Completing the private network connection
After completing the user authentication phase, the VPN Client continues negotiating security parameters and displays a dialog (Figure 4.15). The title bar identifies the remote Cisco VPN device you are connecting to.
Figure 4.15 Completing connection: history (Connecting to 10.10.32.32. Connection History: Contacting the security gateway at 10.10.32.32; Negotiating security policies; Securing communication channel; Your link is now secure.)
If the network administrator of the Cisco VPN device has created a client banner, you see a message designated for all clients connecting to that device; for example, "The Documentation Server will be down for routine maintenance on Sunday."
After you complete your connection, the VPN Client minimizes to an icon in the system tray on the Windows taskbar. You are now connected securely to the private network via a tunnel through the Internet, and you can access the private network as if you were an on-site user.
View i
61. fore you create a connection entry using a digital certificate, you must have already enrolled in a Public Key Infrastructure (PKI), have received approval from the Certificate Authority (CA), and have one or more certificates installed on your system. If this is not the case, then you need to obtain a digital certificate. In many cases, the network administrator of your organization can provide you with a certificate. If not, then you can obtain one by enrolling with a PKI directly, using the Certificate Manager application. Currently we support the following PKIs:
- UniCERT from Baltimore Technologies (www.baltimoretechnologies.com)
- Entrust PKI from Entrust Technologies (www.entrust.com)
- Cybertrust Enterprise CAM from GTE Cybertrust (www.cybertrust.com)
- Verisign (www.verisign.com)
- Microsoft Certificate Services in Microsoft Windows 2000 Server
The websites listed in parentheses in this list contain information about the digital certificates that each PKI provides. The easiest way to enroll in a PKI or import a certificate is to use the Certificate Manager; see Chapter 6, Enrolling and managing certificates.
Every time you connect using a certificate, the VPN Client checks to verify that your certificate has not expired. If your certificate is within one month of expiring, the VPN Client displays a message when you attempt to connect or when you use the Properties option. The message displays the certificate common name, the not-be
62. g backup servers
The private network may include one or more backup VPN devices (servers) to use if the primary server is not available. Your system administrator tells you whether to enable a backup server and gives you its address. Refer to your entries in Table 2.1, VPN Client information worksheet, on page 2-2.
1. To enable backup servers, check the Enable backup server(s) option. This is not checked by default.
2. You can now click Add to enter its address. The Backup Server Information dialog appears (Figure 3.20).
Figure 3.20 Backup server information dialog ("Enter the Host name or IP address of the backup server")
3. Enter the hostname or IP address of the backup server (maximum 255 characters).
4. Click OK. The hostname or IP address appears in the Enable backup server(s) list (Figure 3.19).
5. To add more backup devices, repeat Steps 2, 3, and 4.

Removing backup servers
To remove a server from the backup list, select the server from the list and click Remove. There is no confirmation or undo. The server name no longer appears in the list.

Changing the order of the servers
To reorder the servers in the list, select a server and click Move Up to increase the server's priority or Move Down to decrease the server's priority.

Disabling backup servers
You can disable using backup servers without removing backup servers from the list. To disable using backup servers, clear the Enable backup se
63. hrough NAT mode 4-10
ipsecdlr.ini file, importing into VPN Client 5-4
ISDN (Integrated Services Digital Network) 1-2
ISDN modem 4-2
ISP: password 2-2, 4-3; username 2-2, 4-3
K
key icon, connection status 4-11
L
LAN connection 1-2
launching an application 5-7
licenses and copyrights 1
log file: printing 5-13; saving 5-14
log viewer: clearing 5-14; event severity levels 5-11; filtering events 5-11; icons: Capture 5-10, Disk 5-14, Erase 5-14, Filter 5-11, Help 5-10, Printer 5-13, Search 5-13; searching 5-13
logging events to a file 3-10
logging on to Microsoft Network 3-11
M
managing: certificates 6-1, 6-11; connection entries 5-2; enrollment requests 6-17
MD5 (Message Digest 5) algorithm 1-3
Microsoft certificate store 6-2
Microsoft 2000 certificate store 6-2
Microsoft 2000 store 6-10
Microsoft Certificate Services 4-8
Microsoft Network, logging on 3-11
Microsoft Windows 2000 4-8
modem: cable 1-2, 4-2; dial-up 1-2; DSL 1-2, 4-2; ISDN 4-2; requirement for 2-2
N
name: connection entry 3-4; IPSec group 2-2, 3-5, changing 3-12
NAT Port 4-10
network: adapter (interface card) 2-2; connection, direct 2-2; installing from 2-4
New Connection Entry Wizard 3-4
NT Domain authentication 1-2, 4-5: domain name 2-3, 4-5; password 2-3, 4-5; username 2-3, 4-5
NT logon 5-6
O
Options menu 3-8
organization of this manual ix
Organizational Unit (OU), certificate enrollment 6-3
P
pack
64. Enrolling for a certificate
Figure 6.9 Resuming enrollment request (Cisco Systems VPN Client Certificate Manager: "Personal certificates identify you to people and hosts you communicate with and are signed by a certificate authority. A certificate authority (CA) is an organization that issues certificates. Enrollment requests are certificate requests that a CA has yet to approve." Tabs: Personal Certificates, CA Certificates, Enrollment Requests; entries: Alice Wonderland Request, Pat Clark Request, Patrick Clarkson Request; Options: View, Delete, Import, Password, Resume)
After you have obtained the certificate, the status screen updates to show the result (Figure 6.10).
Figure 6.10 Receiving status update (Enrollment Status: Request success)
7. Click the OK button.

Enrolling via a file request
Alternatively, you can enroll by creating a file, using the same form as network enrollment (Figure 6.3). Once you have created a request file, you can either email it to the CA and receive a certificate back, or you can access the CA's website and cut and paste the enrollment request in the area that the CA provides. Use the following procedure:
1. At the Selecting method of enrollment dialog (Figure 6.5), click the File radio button and click Next. The Certificate M
65. igure the dialer to automatically launch an application before establishing a connection. Some examples of why you would want to use this feature are:
- You are configured for Start Before Logon and you need to start an authentication application at the logon desktop.
- You want to launch a monitoring application, such as the Log Viewer, before each connection (Figure 5.11 through Figure 5.13).
To configure the VPN Dialer to launch an application from the logon desktop, use the Application Launcher. The Application Launcher starts the specified application once per session. To launch an application again, you must exit from the VPN Dialer, restart the VPN Dialer, and launch the application.
To activate Application Launcher:
1. Open the VPN Dialer Options pull-down menu (Figure 5.2) and click Application Launcher (Figure 5.11).
Figure 5.11 Application Launcher option (Connection Entry: Engineering; Host name or IP address of remote server: 10.10.32.32; Options menu: New, Clone Entry, Delete, Rename, Create Shortcut, Properties, Import, Start Before Logon, Application Launcher)
Click Application Launcher. The VPN Dialer displays a dialog prompting for the name of the application (Figure 5.12).
Figure 5.12 Application Launcher dialog ("To execute an application or command when establishing a connection, enter the
66. ing (Figure 3.4).
3. After viewing the version number, click OK.
Figure 3.4 Displaying the VPN Client software version (About Cisco Systems VPN Client: Version 3.0 Beta 1, Copyright 1998-2001 Cisco Systems, Inc.; Host name or IP address of remote server: 10.10.99.30)

What is a connection entry?
To use the VPN Client, you must create at least one connection entry, which identifies:
- The VPN device (the remote server) to access.
- For preshared keys: The IPSec group to which the system administrator assigned you. Your group determines how you access and use the remote network. For example, it specifies access hours, number of simultaneous logins, user authentication method, and the IPSec algorithms your VPN Client uses.
- For certificates: The name of the certificate you are using for authentication.
- Optional parameters that govern VPN Client operation and connection to the remote network.
You can create multiple connection entries if you use your VPN Client to connect to multiple networks (though not simultaneously) or if you are a member of more than one of the groups defined for a VPN device.
Reminder: Refer to Table 2.1, VPN Client information worksheet, on page 2-2 for connection entry parameters.

How to create a new connection entry
Start the VPN Client by selecting Start
67. inistrator diagnose problems with an IPSec connection between a VPN Client and a peer device. The Log Viewer application collects event messages from all processes that contribute to the client-peer connection. This section shows how to use the Log Viewer to retrieve and manage this information.

Starting the Log Viewer
To start the Log Viewer, use the following path from the Start menu (Figure 5.14): Start > Programs > Cisco Systems VPN Client > Log Viewer.
Figure 5.14 Starting the Log Viewer
The Log Viewer starts, displaying its main window (Figure 5.15). By default, the filter is set to low, so you may not see any events displayed in this window; see Filtering events.
Figure 5.15 Log Viewer main window (ipseclog.txt, Cisco Systems IPSec Log Viewer; main menu: File, Options, Search, Help; toolbar; log display area). Entries shown in the window:
  Loading IPsec SA (Message ID = 0x221C64A4B, OUTBOUND SPI = 0x339021FD, INBOUND SPI = 0x33082BB7)
  69  11:13:45.839  01/24/01  Sev=Info  IKE/0x63000025  Loaded OUTBOUND ESP SPI: 0x339C21FD
  70  11:13:45.839  01/24/01  Sev=Info/5  IKE/0x63000026  Loaded INBOUND ESP SPI: 0x33082BB7
  71  11:13:45.839  01/24/01  Sev=Info/4  CM/0x63100021  Additional Phase 2 SA established
  72  11:13:46.460  01/24/01  Sev=Info/4  IPSEC/0x63700010  Created a new key structure
  73  11:13:46.460  01/24/01  Sev=Info/4  IPSEC/0x6370000F  Added key with SPI=0xfd19c33 into key list
  7
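The event layout the guide describes (date, severity type/level, event class/message ID, message text with >>> and <<< direction arrows) and the entries in the Log Viewer window above can be handled offline by a small parser. The following is an added example, not code from the guide or from Cisco; the field punctuation (Sev=Info/4, IKE/0x63000025), the two-line record layout, the Fault level of 1, and the sample log are all assumptions or constructed here.

```python
"""Parse ipseclog.txt-style events and apply a severity filter.

Added example, not Cisco's code. Record layout assumed: a header line
"<seq> <HH:MM:SS.mmm> <M/DD/YY[YY]> Sev=<Type>/<level> <Class>/<0xID>"
followed by one message line, as in the Log Viewer window.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Table 5.1 of the guide: Warning is levels 2-3, Informational 4-6.
# The guide's table leaves Fault's level blank; level 1 is assumed here.
SEVERITY_LEVELS = {"Fault": range(1, 2), "Warning": range(2, 4), "Info": range(4, 7)}

HEADER_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<date>\d{1,2}/\d{2}/\d{2,4})\s+"
    r"Sev=(?P<sevtype>[A-Za-z]+)/(?P<level>\d)\s+"
    r"(?P<cls>[A-Za-z0-9]+)/(?P<msgid>0x[0-9A-Fa-f]+)\s*$"
)


@dataclass
class LogEvent:
    seq: int
    time: str
    date: str
    sev_type: str
    level: int
    event_class: str
    message_id: int
    message: str

    @property
    def direction(self) -> Optional[str]:
        # Arrows in the message text mark the transmission direction.
        if ">>>" in self.message:
            return "sending"
        if "<<<" in self.message:
            return "receiving"
        return None

    def is_consistent(self) -> bool:
        # True when the numeric level belongs to the type's range in Table 5.1.
        return self.level in SEVERITY_LEVELS.get(self.sev_type, range(0))


def parse_log(text: str) -> List[LogEvent]:
    """Parse header/message pairs; lines that are not headers are skipped."""
    events: List[LogEvent] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        message = lines[i + 1].strip() if i + 1 < len(lines) else ""
        events.append(LogEvent(
            seq=int(m["seq"]), time=m["time"], date=m["date"],
            sev_type=m["sevtype"], level=int(m["level"]),
            event_class=m["cls"], message_id=int(m["msgid"], 16),
            message=message,
        ))
        i += 2
    return events


def filter_events(events: List[LogEvent], max_level: int,
                  event_class: Optional[str] = None) -> List[LogEvent]:
    """Mimic the Log Viewer filter: keep events at or below max_level
    (lower numbers are more severe), optionally for one event class."""
    return [e for e in events
            if e.level <= max_level
            and (event_class is None or e.event_class == event_class)]


# Constructed sample log shaped like the Log Viewer window in the guide.
SAMPLE_LOG = """\
69  11:13:45.839  01/24/01  Sev=Info/4  IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x339C21FD
70  11:13:45.839  01/24/01  Sev=Info/5  IKE/0x63000026
Loaded INBOUND ESP SPI: 0x33082BB7
71  11:13:45.839  01/24/01  Sev=Info/4  CM/0x63100021
Additional Phase 2 SA established
72  11:13:46.460  01/24/01  Sev=Info/4  IPSEC/0x63700010
Created a new key structure
73  11:13:46.460  01/24/01  Sev=Warning/2  IPSEC/0x63700012
Delete all keys associated with peer 10.10.99.40
74  11:13:47.001  01/24/01  Sev=Info/4  IKE/0x63000013
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:KEEP_ALIVE) from 10.10.32.32
"""

if __name__ == "__main__":
    for e in filter_events(parse_log(SAMPLE_LOG), max_level=4):
        print(e.seq, e.sev_type, e.level, e.event_class,
              hex(e.message_id), e.direction, e.message)
```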
68. ionally entered when you enrolled for the certificate.
3. In the Export password field, enter an optional password to protect the export file. Then enter it again in the Confirm password field.
4. In the Export filename field, enter the filename for the exported certificate. Only the filename is required. Use the Browse feature to locate a target directory for the exported certificate.
5. To export the CA and/or RA certificate with your personal certificate, check the Export certificate chain option.
6. After completing all the information, click OK. The Certificate Manager displays a message indicating whether your certificate export was successful (Figure 6.25).
Figure 6.25 Export message (Export Certificate dialog: "The certificate password is not exported with the certificate. To password-protect the certificate file, enter a value in the Export password field. To export the CA certificate and any intermediate CA certificates, select the Export certificate chain option." Fields: Certificate password; Export password; Export file name: backup_CA.p7b; Export certificate chain. Message: "Export of certificate was successful")
7. To continue, click OK.

Managing enrollment requests
While a request is pending approval by the CA administration, the Certificate Manager places the enrollment requ
69. is tunnel. Authentication verifies that no one has tampered with data.
Client IP address: The IP address assigned to the VPN Client for the current session.
Server IP address: The IP address of the VPN device to which the VPN Client is connected.
IPSec through NAT: The status of IPSec through NAT mode in the client, either active or inactive.
NAT Port: If IPSec through NAT mode is active, the UDP port through which packets are passing. This port number comes from the VPN device. If IPSec through NAT mode is inactive, then the value of NAT Port is zero.
Compression: Whether data compression is in effect, as well as the type of compression in use. Currently the type of compression is LZS.

Connection statistics
The Connection statistics section shows statistics for data packets that the VPN Client has processed during the current session or since the statistics were reset. Reset affects only this part of the connection status screen.
Bytes in: The total amount of data received after a secure packet has been successfully decrypted.
Bytes out: The total amount of encrypted data transmitted through the tunnel.
Packets decrypted: The total number of data packets received on the port.
Packets encrypted: The total number of secured data packets transmitted out the port.
Packets bypassed: The total number of data packets that the VPN Client did not process because they did not need t
70. iving status update 6-7
Figure 6.11 Selecting file type and location 6-8
Figure 6.12 A PKCS10 certificate request 6-8
Figure 6.13 Specifying a file name 6-9
Figure 6.14 Enroll file success message 6-9
Figure 6.15 File enrollment request 6-10
Figure 6.16 a RO 6-10
Figure 6.17 Destination password for importing certificate 6-11
Figure 6.18 Certificate Manager Options menu 6-12
Figure 6.19 Displaying a certificate 6-12
Figure 6.20 Verifying a certificate 6-14
Figure 6.21 Entering password for deleting certificate 6-15
Figure 6.22 Confirming deletion 6-15
Figure 6.23 Changing a certificate's password 6-16
Figure 6.24 Exporting a certificate 6-16
Figure 6.25 Export message 6-17
Figure 6.26 Managing enrollment requests 6-18
Figure 6.27 Viewing an enrollment request 6-18
Figure 6.28 Changing a certificate's password 6-19
Figure 6.29 Entering password to resume online enrollment 6-20
Table 2.1 VPN Client information wor
71. ksheet 2-2
Table 5.1 Event types and severity levels 5-12
Table 5.2 Classes that generate events in the VPN Client 5-14

Preface: About this manual
This VPN Client User Guide tells you how to install, use, and manage the Cisco VPN Client with Cisco Systems products.
Organization
Chapter 1, Understanding the VPN Client, briefly explains what the VPN Client is and how it works.
Chapter 2, Installing the VPN Client, tells you how to install the VPN Client.
Chapter 3, Configuring the VPN Client, tells you how to configure the VPN Client, including setting optional parameters.
Chapter 4, Connecting to a private network, tells you how to connect to a private network using the VPN Client and an Internet connection.
Chapter 5, Managing the VPN Client, tells you how to manage the VPN Client and its connections. This chapter also explains how to install a new version, uninstall, reconfigure the VPN Client automatically, set the MTU size, and use the Log Viewer application.
Chapter 6, Enrolling and managing certificates, tells you how to obtain digital certificates to use for authentication and how to manage these certificates on your system.
Appendix A, Copyrights and licenses, provides copyright and license information for software that the VPN Client uses.
Additional documentation
The VPN Client includes an extensive online HTML-based help sy
72. l treaties.
Grant of License
2. Cisco Systems hereby grants to you the right to install and use the Software on an unlimited number of computers, provided that each of those computers must use the Software only to connect to Cisco Systems products and subject to export restrictions in paragraph 4 hereof. You may make one copy of the Software for each such computer for the purpose of installing the Software on that computer. The Software is licensed for use only with Cisco Systems products and for no other use.
Restrictions on Use and Transfer
3. You may not otherwise copy the Software, except that you may make one copy of the Software solely for backup or archival purposes. To this end, you may transfer the Software to a single set of disks, provided you keep the disks solely for backup or archival purposes. You may not use the backup or archival copy of the Software except in conjunction with Cisco Systems products.
4. You may not transfer the Software to any third party without the express written permission of Cisco Systems. For permitted transfers, you may not export the Software to any country for which the United States requires any export license or other governmental approval at the time of export without first obtaining the requisite license and/or approval. Furthermore, you may not export the Software in violation of any export control laws of the United States or any other co
73. logies (www.entrust.com), GTE Cybertrust (www.cybertrust.com), Verisign, Inc. (www.verisign.com), Microsoft Certificate Services (Windows 2000).

Gathering information you need

To configure and use the VPN Client, you may need the information listed in Table 2-1. Ask for this information from the system administrator of the private network you want to access. Your system administrator may have preconfigured much of this data; if so, he or she will tell you which items you need. We suggest you record the data now and refer to it as you proceed. To protect security, we suggest you memorize rather than write passwords, PINs, etc.

Table 2-1 VPN Client information worksheet (two columns: "Information you may need" and a blank "Write your data here" column)

- Hostname or IP address of the remote device to which you are connecting
- Your IPSec Group Name (pre-shared keys)
- Your IPSec Group Password (pre-shared keys)
- If you connect via an ISP (Internet Service Provider), your logon username and password
- If you are using a certificate for authentication, the name of your certificate
- If you are authenticated via the VPN Concentrator internal server, your username and password
- If you are authenticated via a RADIUS server, your username and password
- If you are authenticated via an NT Domain serve
74. [Log Viewer screenshot: the Find dialog (Find what, Match whole word only, Match case) open over the event list. The visible events are Sev=Info/4 IKE/0x63000012 SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:KEEP_ALIVE) messages to 10.10.32.32, followed by the start of a Quick Mode exchange (ISAKMP OAK QM *(HASH, SA, NON, ID, ID)) sent to and received from 10.10.32.32.]

Printing the log file

To print the events displayed in the current window, select File > Print from the main menu. Alternatively, you can click the Printer icon.

Saving the log file

To save the currently displayed events in the ipseclog file on your hard drive, select File > Save As from the main menu. Alternatively, click the Disk ico
75. n. The ipseclog file is a text (.txt) file in DOS format. The Log Viewer saves the information to the Client install directory, which by default is the pathname Program Files\Cisco Systems\VPN Client\VPN Client\IPSECLOG.TXT. You can specify any directory and name (Figure 5-19).

Figure 5-19 Saving a log file [Save As dialog: Save in: VPN Client; Profiles folder; File name; Save as type: IPSec Log Files (*.log); Save and Cancel buttons]

Clearing the events display

To eliminate all the events currently displayed in the Log Viewer main window, select Options > Clear Log Display from the main menu. Alternatively, you can click the Erase All icon. If you want to store the event messages, be sure you save them before you clear the display. Clearing the display does not reset event numbering.

Installing a new version of the VPN Client

Installing a new version this way retains existing connection entries and their parameters. To install a new version of the VPN Client over an existing version on your system, use the following procedure, which first uninstalls the existing version, then reboots your PC and installs the new version.

1. To begin the procedure, follow the instructions under Installing the VPN Client on page 2-4. When it starts, the installation wizard detects the existing version and asks you to confirm that you want to remove that version and reboot your PC (Figure 5-20).

Uninstalling the VPN Client
76. n start the VPN Client and establish a secure connection through the Internet to your organization's private network. When you open your email, the Cisco VPN device uses IPSec to encrypt the email message, and it transmits the message through the tunnel to your VPN Client, which decrypts the message so you can read it on your remote PC. If you reply to the email message, the VPN Client uses IPSec to process and return the message to the private network through the Cisco VPN device.

Connection technologies

The VPN Client lets you use any of the current technologies to connect to the Internet:
- POTS (Plain Old Telephone Service): uses a dial-up modem to connect
- ISDN (Integrated Services Digital Network): may use a dial-up modem to connect
- Cable: uses a cable modem; always connected
- DSL (Digital Subscriber Line): uses a DSL modem; always connected

You can also use the VPN Client on a PC with a direct LAN connection.

Features

- IPSec tunneling protocol
- IKE key management protocol
- IKE Keepalives: monitoring the continued presence of a peer and reporting the VPN Client's continued presence to the peer, which prevents hung connections due to loss of connectivity
- Data compression for modem users, which speeds transmission
- Split tunneling: the ability to simultaneously direct packets over the Internet in clear text and encrypted through an IPSec tunnel
- User authentication via VPN Concentrator inter
77. nal (VPN Concentrator server database), RADIUS (Remote Authentication Dial-In User Service), NT Domain (Windows NT), RSA (formerly SDI) SecurID or SoftID
- Automatic connection via Microsoft Dial-Up Networking
- Automatic VPN Client configuration option
- Log Viewer: an application that collects events for viewing and analysis
- Set MTU size: the ability to control the size of packets sent through the network
- Certificate Manager: an application that lets you manage your identity certificates
- Complete browser-based, context-sensitive HTML Help
- Support for Cisco Secure PIX Firewall platforms that run Release 6.0 and above
- Support for VPN Concentrator Series 3000 platforms
- LZS data compression
- Command-line interface to the VPN Dialer
- Start Before Logon: the ability to establish a VPN connection before logging on to a Windows NT or Windows 2000 system
- Application Launcher: the ability to launch an application from the logon desktop

Note: Instructions on configuring the VPN Client to interoperate with Cisco Secure PIX Firewall Release 6.0 are available in the IPSec User Guide for Cisco Secure PIX Firewall.

VPN Client IPSec attributes

The VPN Client supports these IPSec attributes:
- Main mode for negotiating phase one of establishing ISAKMP Security Associations (SAs)
- Aggressive mode for negotiating phase one of establishing ISAKMP SAs
- Authentica
78. ng connection status

The VPN Client icon on the taskbar lets you view the status of your private network connection:
- Double-click the icon, or
- Click the icon with the right mouse button and select Status from the pop-up menu.

The VPN Client Connection Status dialog appears (Figure 4-16).

Figure 4-16 VPN Client Connection Status dialog [screenshot. IP security information: Encryption 168-bit 3-DES; Authentication HMAC-MD5; Client IP address 10.10.33.10; Server IP address 10.10.32.32; IPSec through NAT: Active; NAT Port 5000; Compression: None. Connection statistics: Bytes in, Bytes out, Packets decrypted, Packets encrypted, Packets bypassed, Packets discarded. Secured routes: key icon, Network, Subnet Mask, Bytes columns. Time connected: 02:31:20. Disconnect and Reset buttons.]

The Connection Status dialog provides IP security information, connection statistics, and information about secure routes for your VPN tunnel connection.

IP security information

The IP security information section lists the IPSec parameters that govern the use of this VPN tunnel to the private network.

Encryption: The data encryption method for traffic through this tunnel. Encryption makes data unreadable if intercepted.

Authentication: The data or packet authentication method used for traffic through th
79. nstall the VPN Client. To configure properties of connection entries, see Chapter 3. If you are a system administrator, see the VPN Client Administrator Guide for information on configuring the VPN Concentrator and preparing preconfigured profiles for VPN Clients for users.

Managing connection entries

To manage a connection entry, start the Cisco VPN Client and select VPN Dialer from the menu of applications. The VPN Client Connect dialog appears (Figure 5-1).

Figure 5-1 VPN Dialer Connect dialog [screenshot: Connection Entry: Engineering; Host name or IP address of remote server: EngHost.com; Connect and Close buttons]

Click the Connection Entry drop-down menu button and select an entry. Click Options to display the menu (Figure 5-2).

Figure 5-2 VPN Client Options menu [screenshot: Connection Entry: Engineering; Host name or IP address of remote server: 10.10.32.32; Options menu with New, Clone Entry, Delete, Rename, Create Shortcut, Properties, Import, Start Before Logon, Application Launcher]

Cloning a connection entry

You can clone a connection entry with all its properties and use it as the basis for creating a new one.

1. On the VPN Client's main dialog, click the Connection Entry drop-down menu button and select
80. o a private network
Starting the VPN Client 4-1
Connection procedure 4-2
Using the VPN Client to connect to the Internet via Dial-Up Networking 4-2
Authenticating to connect to the private network 4-3
User authentication 4-4
Authenticating via the VPN device internal server or RADIUS server 4-4
Authenticating via Windows NT Domain 4-5
Authenticating via RSA Data Security (RSA SecurID) 4-5
Using digital certificates 4-8
Completing the private network connection 4-9
Viewing connection status 4-9
IP security information 4-10
Connection statistics 4-10
Secured routes 4-11
Time connected 4-11
Resetting statistics 4-11
Closing the VPN Client 4-11
Disconnecting your VPN Client connection 4-12
5 Managing the VPN Client
Managing connection entries 5-2
Cloning a connection entry 5-3
Deleting a connection entry 5-3
Renaming a connection entry
81. o be encrypted. Local ARPs and DHCP fall into this category.

Packets discarded: The total number of data packets that the VPN Client rejected because they did not come from the secure VPN device gateway.

Secured routes

The Secured routes section lists the IPSec Security Associations (SAs). The columns in the display show the following types of information:

Key icon: In the first row shown in Figure 4-16, you see a key at the start of the connection entry. This key shows that the route is secure. The software generates a key as soon as the client needs to send secure data through the tunnel to the networks on the other side. The absence of a key means that the SA is no longer active; the SA may have timed out due to inactivity. Sending data to this network re-establishes the SA, and the key reappears.

Network: The IP address of the remote private network with which this VPN Client has an SA.

Subnet Mask: The subnet mask of the IP address for this SA.

Bytes: The total amount of data this SA has processed. This includes data before encryption as well as encrypted data received.

Src Port, Dst Port, and Protocol are for future use.

Time connected

The Connection Status screen also displays the time in days, hours, minutes, and seconds that has elapsed since you initiated the connection.

Resetting statistics

To reset all Connection statistics to zero, click Reset. There is no undo. Reset affects only the connection statistics, not the o
82. 5-4
Creating a shortcut for a connection entry 5-4
Importing a VPN Client configuration file 5-4
Starting connections before logging on (Windows NT and Windows 2000 only) 5-6
What happens when you use Start Before Logon 5-6
Turning on Start Before Logon 5-7
Viewing and managing the VPN Client event log 5-9
Starting Log Viewer 5-9
Displaying the version of the software 5-10
Searching the log file 5-13
Printing the log file 5-13
Saving the log file 5-14
Clearing the events display 5-14
Installing a new version of the VPN Client 5-14
Uninstalling the VPN Client 5-15
6 Enrolling and managing certifi
83. onnection entry to a DUN entry, click the down arrow next to the Phonebook entry field and select an entry from the drop-down menu. The VPN Client then uses this DUN entry to automatically dial into the Microsoft network before making the VPN connection to the private network.

Third-party dial-up program

If you have no DUN phonebook entries and Connect to the Internet via dial-up is enabled, then Third party dial-up application is enabled by default. To connect to the Internet using a third-party dial-up program, use the following procedure:

1. Click Third party dial-up application if it is not already enabled.
2. Use Browse to enter the name of the program in the Application field. This application launches the connection to the Internet. The string you select or enter here is the pathname to the command that starts the application and the name of the command, for example: c:\isp\ispdialer.exe dialEngineering. Your network administrator may have set this up for you. If not, and if you don't know the name of the program, consult your network administrator.

Changing the VPN device address for a connection entry

You can change the address of the VPN device in a connection entry, and you can make the change temporary or permanent.

1. Start the VPN Client. The VPN Client main dialog appears (Figure 3-22).
2. Click the Connection Entry drop-down menu button and select the en
84. py the .pcf file into the Profiles directory and restart the VPN Dialer application. Your VPN Client is now configured with the connection entries and parameters specified by this new profile file. You can examine or modify the connection entries by clicking the Connection Entry drop-down menu button on the main dialog, selecting an entry, and clicking Options > Properties.

Starting connections before logging on (Windows NT and Windows 2000 only)

You can connect to the private network before you log on to your system. Your administrator may have set this up for you. Once you establish a VPN connection, your credentials are sent to a domain controller for logging in to your system. If you need to launch an application before you log on, see Launching an application for information.

When you have established a successful VPN connection, the VPN Dialer window closes and your logon window displays. If the connection is not successful, the VPN Dialer window continues to display. Your administrator may have set up a banner that lets you know when you have a successful connection.

To activate this feature, open the VPN Client Options pull-down menu (Figure 5-2) and select Start Before Logon; make sure it is checked (Figure 5-10).

Figure 5-10 Setting up Start Before Logon feature [screenshot: VPN Client main dialog, Connection Entry: Engineering, with the Options menu open (Clone Entry, Delete, ...)]
85. r, your username, password, and domain name
- If you are authenticated via SecurID or SoftID, your username and PIN
- If you should configure backup server connections, the hostnames or IP addresses of the backup servers
- If you connect to the ISP via Dial-Up Networking: phone number of the ISP; modem properties; server types; protocols; TCP/IP settings; scripting; multilink settings

Installing the VPN Client

To install the VPN Client on your system, follow these steps. We suggest you accept the defaults unless your system administrator has instructed otherwise.

1. Exit all Windows programs and disable any anti-virus software.
2. Start the appropriate VPN Client installation (setup) program.
   - If VPN Client software is on CD-ROM:
     a. Insert the Cisco Systems CD-ROM in your system's CD-ROM drive.
     b. Select Start > Run. The Run dialog box appears.
     c. Enter E:\VPN Client CD-ROM\setup, where E: is your system's CD-ROM drive.
     d. Click OK.
   - If VPN Client software is on diskettes:
     a. Insert Disk 1 (of three) in your system's diskette drive.
     b. Select Start > Run. The Run dialog box appears.
     c. Enter A:\setup, where A: is your system's diskette drive.
     d. Click OK.
   - If VPN Client software is on a network:
     a. Use Explorer to open the folder or directory containing the VPN Client software.
     b. Locate the file Setup.exe.
     c. Double-click
86. rk (Windows 95/98)
- Authentication tab: changing the group name or group password; changing the certificate you want to use
- Connections tab: enabling, adding, and removing backup server connections; connecting to the Internet via Dial-Up Networking

See the appropriate section of this chapter for each tab and parameter.

4. When you are finished setting parameters, click OK. The Properties dialog closes and saves your changes. To discard your changes, click Cancel. The Properties dialog closes and discards all changes.

Changing General settings

The Properties > General tab lets you set general parameters for this connection entry (Figure 3-15).

Figure 3-15 Properties dialog > General tab [screenshot: General, Authentication, and Connections tabs; "Enter a description of this connection entry (optional)"; Allow IPSec through NAT mode (checked); Peer response timeout (30-480 seconds); Logon to Microsoft Network (checked); Prompt for network logon credentials]

Changing connection entry description

To change the description of this connection entry, enter or edit the description field. This field is optional, and it's there to help you identify this connection.

Allowing IPSec through NAT mode

Allow IPSec through NAT mode enables secure transmission between the client and the VPN device through a router serving as a firewall, which may also be performing Network Address Translation (NAT) or Port Addre
87. rtificate Manager prompts you to enter a password for the certificate you are enrolling (Figure 6-4). The password is optional, but we recommend that you use one to protect your private key more effectively. The password can be up to 32 characters in length. Passwords are case-sensitive; for example, sKate and SkateS are different passwords. This password becomes the personal certificate password.

Figure 6-4 Protecting a certificate with a password [Certificate Password Protection dialog: "Password protecting your certificate provides an additional level of security. This password is optional. By choosing to protect your certificate with a password, any operation that requires access to the certificate's private key will require the specified password to continue. Note: File-based enrollments require the password used here to be re-entered when the approved certificate is imported." Password and Confirmation Password fields; Next, Cancel, Help buttons]

After entering a password, click Next to continue. The Certificate Manager lets you select between enrolling via the network or by creating a file (Figure 6-5). Enrolling via the network is also called online enrollment.

Figure 6-5 Selecting enrollment method [Enrollment: Network or File dialog: "The enrollment wizard allows you to request a personal identity certificate from a Certificate Authority (CA). Network-based enrollment allows you to connect directly to a CA
88. rtners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at any time, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco. Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available. Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco. To access Cisco.com, go to the following website: http://www.cisco.com

Technical Assistance Center

The Cisco TAC website is available to all customers who need technical assistan
89. rver(s) check

Configuring a connection to the Internet via dial-up networking

Connecting to a private network using a dial-up connection is typically a two-step process:
1. Use a dial-up connection to your Internet service provider (ISP) to connect to the Internet.
2. Use the VPN Client to connect to the private network through the Internet.

To enable and configure this feature, check Connect to the Internet via dial-up. This is not checked by default (Figure 3-21).

Figure 3-21 Connect to the Internet via dial-up [Properties for Engineering, Connections tab: backup server list 10.10.10.10, 10.10.10.12, 10.10.10.13, 10.10.10.14 with Add, Remove, Move Up, Move Down; Connect to the Internet via dial-up (checked); Microsoft Dial-Up Networking, Phonebook entry; Third party dial-up application, Application, Browse; OK, Cancel, Help]

You can connect to the Internet using the VPN Dialer application in two different ways:
- Microsoft Dial-Up Networking (DUN)
- Third-party dial-up program

Microsoft Dial-Up Networking

If you have DUN phonebook entries and Connect to the Internet via dial-up is enabled, Microsoft Dial-Up Networking is enabled by default. To link a VPN Client connection entry to a Dial-Up Networking phonebook entry, do the following:
1. Click Microsoft Dial-Up Networking if it is not already enabled.
2. To link your VPN Client c
90. [import dialog text, continued: "...s private key will require the specified password to continue. Note: File-based enrollments require the password used here to be re-entered when the approved certificate is imported." Password field; Back, Cancel, Help buttons]

5. Type a password into the Password field and click Finish. This password must exactly match the password given during enrollment (online) or given when exported (if file), including upper- and lower-case letters. For example, sKate is not exactly the same as Skate. In online enrollment, this password is kept with the certificate; in file enrollment, this password is not retained.

Managing personal and CA/RA certificates

Using the Certificate Manager, you can view a certificate, verify that the certificate is still valid (within the dates assigned to it and not revoked), delete a certificate, and export the certificate to a file that you can email to someone. For personal certificates only, you can also change the certificate's password. To perform any of these actions, use the Options menu on the main window (Figure 6-18).

Figure 6-18 Certificate Manager Options menu [Personal Certificates, CA Certificates, and Enrollment Requests tabs; certificates listed: Pat Clark (Cisco), Pat Clark (Microsoft Test LAB); Stores: All; Options menu: View, Verify, Delete, Password, Import, Export]

Viewing a certificate
91. s selected, then click the drop-down menu of certificates installed on your PC and select one (Figure 3-18).

Figure 3-18 Selecting a certificate [Properties for Engineering, Authentication tab: "Your administrator may have provided you with group parameters or a digital certificate to authenticate your access to the remote server. If so, select the appropriate authentication method and complete your entries." Group Access Information: Name vpnclient, Password, Confirm Password; Certificate: Name Pat Clark (Cisco); OK, Cancel, Help]

When you are done with the Authentication tab, click OK or click another tab.

Changing Connection settings

The Properties > Connections tab (Figure 3-19) lets you set parameters that govern how you connect to the private network. You can enable and configure backup server connections and automatically launch a dial-up networking application to connect to the Internet.

Figure 3-19 Properties dialog > Connections tab [Properties for Engineering, Connections tab: Enable backup server (checked) with 10.10.10.10, 10.10.10.12, 10.10.10.13, 10.10.10.14 and Add, Remove, Move Up, Move Down; Connect to the Internet via dial-up; Microsoft Dial-Up Networking, Phonebook entry; Third party dial-up application, Application, Browse; OK, Cancel, Help]

Enabling and addin
92. s the name of the certificate, for example, Alice Wonderland.
- Department: The name of the department to which you belong, for example, International Studies. This field correlates to the Organizational Unit (OU). The OU is the same as the Group Name configured in a VPN 3000 Series Concentrator, for example.
- Company: The name of the company or organization (O) to which you belong, for example, University.
- State: The name of your state (ST), for example, Massachusetts.
- Country: The 2-letter country code for your country (C), for example, US. This two-letter country code must conform to ISO 3166 country abbreviations.
- Email: Your email address (E), for example, alicew@university.edu.
- IP Address: The IP address of your system, for example, 10.10.10.1.
- Domain: The Fully Qualified Domain Name of the host for your system, for example, Dialin Server.

Together, all these fields except IP address and domain comprise your distinguished name (DN).

When you enroll a personal certificate, you either go through a CA from which your system already has a root certificate, or you obtain a root certificate from the CA as part of the enrollment process. The CA Certificates tab displays the current list of CA certificates (Figure 6-2).

Starting enrollment

To begin, click New on the Certificate Manager's main screen under the Personal Certificates tab (Figure 6-2). The Ce
93. sco Systems VPN Client menu, the same menu that you use to start the client, shown in Figure 6-1. Select Start > Programs > Cisco Systems VPN Client > Certificate Manager.

Figure 6-1 Certificate Manager option [Start menu screenshot]

The Certificate Manager window opens (Figure 6-2).

Figure 6-2 Certificate Manager main window [Cisco Systems VPN Client Certificate Manager: "Personal certificates identify you to people and hosts you communicate with and are signed by a certificate authority. A certificate authority (CA) is an organization that issues certificates. Enrollment requests are certificate requests that a CA has yet to approve." Tabs: Personal Certificates, CA Certificates, Enrollment Requests; certificates listed: Pat Clark (Cisco), Pat Clark (Microsoft); Stores: All; Import button]

Certificate stores: what are they?

The Certificate Manager uses the notion of a "store" to convey a location in your local file system for storing personal certificates. The major store for the VPN Client is the Cisco store. The Cisco store contains certificates you have enrolled for through the Simple Certificate Enrollment Protocol (SCEP). This application supports several standard enrollment protocols. Your system also includes a Microsoft certificate store that may contain certificates that your organization provides or that you have installed previou
94. sername and password to access your ISP. These entries may be case-sensitive. The Password field displays only asterisks.
3. Click OK. You see the connection history dialog (Figure 4-3).

Figure 4-3 Confirming connection to ISP [dialog: "Initiating remote access connection to your ISP, please wait." Connection History: Initializing the connection; Initiating remote access connection to your ISP, please wait.]

When the ISP connection is established, a Dial-Up Networking icon appears (Figure 4-4) in the system tray on the Windows taskbar.

Figure 4-4 Dial-Up Networking taskbar icon

Continue with the next section.

Authenticating to connect to the private network

This section assumes you are connected to the Internet. If you connect using Dial-Up Networking, verify that its icon is visible in the Windows taskbar system tray (Figure 4-4). If not, your Dial-Up Networking connection is not active, and you need to establish it before continuing.

If you did not do so earlier, click Connect on the VPN Client's main dialog (Figure 4-1). The VPN Client starts tunnel negotiation and displays a dialog (Figure 4-5).

Figure 4-5 Negotiating dialog [Cisco Systems VPN Client: Connecting to 10.10.32.32; Authenticating user; Connection History: Initializing the connection; Contacting the security gateway at 10.10.32.32; Authenticating
95. sly. You can manage them just like the certificates in your Cisco store, or you can import them to your Cisco store. New certificates obtained through enrollment or importing go into the Cisco store.

Enrolling for a certificate

Your system administrator may have already set up your VPN Client with digital certificates. If not, or if you want to add certificates, you can obtain a certificate by enrolling with a CA over the network or by creating a file request. In both cases, you complete the same form, shown in Figure 6-3.

Enrollment form

This section describes the information you'll need for filling out the certificate enrollment form. Make sure you have all of the following information before you start.

Figure 6-3 Enrollment Form ["Enter your certificate enrollment information in the fields provided below." Common Name (cn)*: Alice Wonderland; Department (ou): International Studies; Company (o): University; State (st): Massachusetts; Country (c): US; Email (e): alicew@university.edu; IP Address; Domain: Dialin_Server; * Required Field; Back, Cancel, Help buttons]

- Common Name: Your common name (CN), which is the unique name to use for this certificate. This field is required. The common name can be the name of a person, system, or other entity; it's the most specific level in the identification hierarchy. The common name become
96. ss Translation (PAT). The most common application for IPSec through NAT mode is behind a home router performing PAT. Using this feature encapsulates Protocol 50 (ESP) traffic within UDP packets that the home router forwards to their destination. The VPN Client also sends keepalives frequently, ensuring that the mappings on the router are kept active.

Not all routers support multiple simultaneous connections behind them. Some routers can't map additional sessions to unique source ports. Therefore, it's important to check with your router vendor to verify whether this limitation exists. Some router vendors support Protocol 50 (ESP) Port Address Translation, which may let you operate without using IPSec through NAT mode.

To use IPSec through NAT, the central-site group in the Cisco VPN device must be configured to support it. For an example, refer to the VPN Concentrator Manager Configuration > User Management > Groups > IPSec tab; see the VPN 3000 Concentrator Series User Guide or refer to the VPN Concentrator Manager Help.

This parameter is enabled by default. To disable this parameter, clear the check. We recommend that you always keep this parameter checked.

Adjusting the peer response timeout

The VPN Client uses a keepalive mechanism called Dead Peer Detection (DPD) to detect if the VPN device on the other side of an IPSec tunnel is unavailable. If the network is unusuall
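To make concrete what this section says about IPSec through NAT mode (ESP wrapped in UDP so a PAT router has ports to rewrite, keepalives refreshing the router's mapping, and routers that cannot give a second session its own source port), here is an added toy model in Python; it is not Cisco's code, and the router idle timeout, the private addresses and the use of UDP port 5000 (the "NAT Port" shown in the status dialog) are assumptions.

```python
"""Added illustration (not Cisco's code) of why 'Allow IPSec through NAT mode'
wraps ESP (IP protocol 50) in UDP and why the client keeps sending keepalives.
Router behaviour, timeouts, addresses and the UDP port are constructed
assumptions for this toy model, not Cisco defaults."""
import struct
from dataclasses import dataclass, field

NAT_PORT = 5000   # assumed UDP port, matching the "NAT Port" field in the status dialog


def encapsulate_esp(spi: int, seq: int, ciphertext: bytes, port: int = NAT_PORT) -> bytes:
    """Wrap an ESP header (SPI, sequence number) plus ciphertext in a UDP header
    so a PAT router has a transport-layer port to rewrite. Checksum left at 0."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    return struct.pack("!HHHH", port, port, 8 + len(esp), 0) + esp


def decapsulate_esp(datagram: bytes):
    """Inverse of encapsulate_esp: returns (src_port, dst_port, spi, seq, ciphertext)."""
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError("truncated UDP datagram")
    spi, seq = struct.unpack("!II", datagram[8:16])
    return sport, dport, spi, seq, datagram[16:]


@dataclass
class PatRouter:
    """Toy PAT router: one public address, per-flow UDP port mappings that are
    dropped after idle_timeout seconds without traffic (constructed behaviour)."""
    idle_timeout: float
    unique_ports: bool = True   # False models "can't map additional sessions to unique source ports"
    mappings: dict = field(default_factory=dict)   # (inside_ip, inside_port) -> [public_port, last_seen]
    next_port: int = 40000

    def _expire(self, now: float) -> None:
        self.mappings = {k: v for k, v in self.mappings.items()
                         if now - v[1] < self.idle_timeout}

    def outbound(self, inside_ip: str, inside_port: int, now: float):
        """Translate a client datagram; returns the public source port, or None if dropped."""
        self._expire(now)
        key = (inside_ip, inside_port)
        if key not in self.mappings:
            if self.unique_ports:
                port, self.next_port = self.next_port, self.next_port + 1
            else:
                port = 40000
                if any(v[0] == port for v in self.mappings.values()):
                    return None   # a second inside host would collide on the same public port
            self.mappings[key] = [port, now]
        self.mappings[key][1] = now   # any traffic, keepalives included, refreshes the idle timer
        return self.mappings[key][0]

    def inbound(self, public_port: int, now: float):
        """Reverse-map a datagram from the VPN device; None if the mapping has expired."""
        self._expire(now)
        for (ip, _), (port, _) in self.mappings.items():
            if port == public_port:
                return ip
        return None


def tunnel_survives(keepalive_interval: float, nat_idle_timeout: float, quiet_seconds: float) -> bool:
    """Can the VPN device still reach the client after quiet_seconds with no user data?"""
    router = PatRouter(idle_timeout=nat_idle_timeout)
    public_port = router.outbound("192.168.1.10", NAT_PORT, now=0.0)
    t = keepalive_interval
    while t < quiet_seconds:               # client keepalives at a fixed interval
        router.outbound("192.168.1.10", NAT_PORT, now=t)
        t += keepalive_interval
    return router.inbound(public_port, now=quiet_seconds) == "192.168.1.10"


def second_client_admitted(unique_ports: bool) -> bool:
    """Two clients behind the same router: does the second one get a mapping?"""
    router = PatRouter(idle_timeout=300, unique_ports=unique_ports)
    router.outbound("192.168.1.10", NAT_PORT, now=0.0)
    return router.outbound("192.168.1.11", NAT_PORT, now=1.0) is not None
```

Keepalives spaced more tightly than the router's idle timeout keep the inbound path open; spaced more loosely, the mapping silently disappears and the VPN device's packets are dropped at the router.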
97. ...ss operations if service is not restored quickly. No workaround is available.
- P2: Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.

CHAPTER 1 Understanding the VPN Client

The VPN Client is a software program that runs on a Microsoft Windows-based PC. The VPN Client on a remote PC, communicating with a Cisco VPN device at an enterprise or service provider, creates a secure connection over the Internet that lets you access a private network as if you were an on-site user. That's why it's called a VPN, a Virtual Private Network.

As a remote user (low speed or high speed), you first connect to the Internet. Then you use the VPN Client to securely access the private enterprise network through a Cisco VPN device that supports the VPN Client.

The VPN Client comprises the following applications, which you select from the Program menu (Figure 1-1, VPN Client applications). In logical order of use, the applications are as follows:
- Help displays an online manual with instructions on using the applications (Chapter 3, Configuring the VPN Client).
- VPN Dialer lets you configure connections to a VPN device and lets you then start your connections (Chapter 3, Configuring the VPN Client, and Chapter 4, Connecting to a private network).
- Certificate Manager lets you enroll for certificates to...
98. ...stem that you can access through a browser in several ways: clicking the Help icon on the Cisco Systems VPN Client programs menu (Start > Programs > Cisco Systems VPN Client > Help), pressing F1 while using the applications, or clicking the Help button on screens that include it.

The VPN Client Administrator Guide tells how to configure a VPN 3000 Concentrator for remote user connections via the VPN Client, how to automate remote user profiles, how to use the VPN Client command-line interface, and how to get troubleshooting information.

The VPN 3000 Concentrator Series Getting Started manual explains how to unpack and install the VPN Concentrator and configure the minimal parameters to make it operate, called Quick Configuration.

The VPN 3000 Concentrator Series User Guide provides details on all the functions available in the VPN Concentrator 3000 Manager and guidelines for configuring the VPN Concentrator.

The VPN Concentrator Manager also includes extensive online help that a system administrator can access by clicking the Help icon on the toolbar in the Manager window.

This user guide, the VPN 3000 Concentrator Series Getting Started manual, the VPN 3000 Concentrator Series User Guide, and this VPN 3000 Client User Guide are provided on the Cisco VPN 3000 Concentrator's software distribution CD-ROM in PDF format. To view the latest version on the Cisco Web site, go to the following site and click on VP...
99. ...stems. [screenshot residue: "Host name or IP address of the server"; Back, Cancel, Help buttons]
5. Enter the hostname or IP address of the remote VPN device you want to access and click Next. The third New Connection Entry Wizard dialog appears (Figure 3-8).
6. You can connect as part of a group or via an identity digital certificate.

Figure 3-8 New Connection Entry Wizard dialog 3 [screenshot: "Your administrator may have provided you with group parameters or a digital certificate to authenticate your access to the remote server. If so, select the appropriate authentication method and complete your entries." Group Access Information: Name, Password, Confirm Password. Certificate: Name (No Certificates Installed), Validate Certificate]

- If you are using group authentication, enter the following information in the dialog (Figure 3-9). In the Name field, enter the name of the IPSec group to which you belong (maximum 32 characters). This entry is case-sensitive. In the Password field, enter the password (also case-sensitive) for your IPSec group (maximum 32 characters). The field displays only asterisks. Verify your password by entering it again in the Confirm Password field.

Figure 3-9 Group [screenshot: New Connection Entry Wizard. "Your administrator may have provided you with group parameters or a digital certificate to..."]
100. ...sually connected to the Internet, so no additional action is necessary. Skip to Authenticating to connect to the private network.
- Systems with modems or ISDN modems must connect to the Internet via Dial-Up Networking. If you connect to the Internet via Dial-Up Networking, proceed to Using the VPN Client to connect to the Internet via Dial-Up Networking. If you must manually connect to the Internet, do it now. When your connection is established, skip to Authenticating to connect to the private network. If your system is already connected to the Internet via Dial-Up Networking, skip to Authenticating to connect to the private network.

Using the VPN Client to connect to the Internet via Dial-Up Networking

This section describes how to connect to the Internet via Dial-Up Networking by running only the VPN Client. Your connection entry must be configured with Connect to the Internet via Dial-Up Networking enabled (see Chapter 3).
1. Click Connect on the VPN Client's main dialog (see Figure 4-1). A Dial-Up Networking User Information dialog appears (Figure 4-2). This dialog varies depending on the version of Windows you are using.

Figure 4-2 Dial-Up Networking User Information dialog [screenshot: "Enter the username and password required for dial-up networking." User name, Password; OK, Cancel buttons]
2. Enter the u...
101. ...t generate events in the VPN Client.

Table 5-2 Classes that generate events in the VPN Client (Class Name: Definition)
CERT: Certificate management process, which handles getting, validating, and renewing certificates from certificate authorities. CERT also displays errors that occur as you use the application.
CM: Connection manager, which drives VPN connections. Dials a PPP device, configures IKE for establishing secure connections, and manages connection states.
CVPND: Cisco VPN Daemon, the main daemon, which initializes client service and controls messaging process and flow.
DIALER: Windows-only component, which handles configuring a profile, initiating a connection, and monitoring it.
IKE: Internet Key Exchange module, which manages secure associations.
IPSEC: IPSec module, which obtains network traffic and applies IPSec rules to it.
PPP: Point-to-Point Protocol.
XAUTH: Extended authorization application, which validates a remote user's credentials.

Searching the log file

To locate specific events or event types in the window, select Search from the main menu. Alternatively, you can click on the Search icon. The Log Viewer displays the Find message (Figure 5-18). Enter a string to find and click Find Next. Find can match on whole words and on case.

Figure 5-18 Searching the log display [screenshot: Cisco Systems IPSec Log Viewer; menu bar: File, Options, Search, He...]
102. ...talling the VPN Client on page 2-4.

Uninstalling the VPN Client

Uninstalling the VPN Client means completely removing all VPN Client software from your computer. For example, if you are changing or upgrading your PC, you might want to uninstall the VPN Client. Before you run the uninstall program, make sure you have closed all of your remote access Dial-Up Networking connections and all VPN Client applications. Then use the following procedure (Figure 5-22).
1. Select Start > Programs > Cisco Systems VPN Client > Uninstall VPN Client (Figure 5-22, Running the Uninstall program). The Uninstall Wizard runs and asks if you really want to remove the VPN Client applications (Figure 5-23, Confirming uninstall).
2. To completely remove the VPN Client software from your system, click Yes. Otherwise, click No. Next, the Uninstall Wizard asks if you want to delete your connection profiles (Figure 5-24, Confirming your connections).
3. To preserve your connection profiles, which contain configured connection entries, click No. Then the Uninstall Wizard asks if you want to delete your certificates (Figure 5-25, Confirming your certificates).
4. To ke...
103. ...the entry you want to clone.
2. On the VPN Client Options menu (Figure 5-2), select Clone Entry. The Clone Connection Entry dialog appears (Figure 5-3).

Figure 5-3 Clone Connection Entry dialog [screenshot: "Connection entry to be cloned: Engineering. Enter a new name for this connection entry." OK, Cancel buttons]
3. Enter a name for the new connection entry in the field and click OK. The dialog closes. The new name appears in the Connection Entry list in the VPN Client main dialog.
4. To configure the properties of this new connection entry, click Options > Properties on the VPN Client main dialog and see Setting or changing connection entry properties in Chapter 3.

Deleting a connection entry

To delete a configured connection entry, follow these steps:
1. On the VPN Client's main dialog, click the Connection Entry drop-down menu button and select the entry you want to delete.
2. On the VPN Client Options menu (Figure 5-2), select Delete. A confirmation dialog appears (Figure 5-4).

Figure 5-4 Delete dialog [screenshot: Cisco Systems VPN Client: "Are you sure you want to delete Engineering?"]
3. Click the appropriate button. To permanently delete the connection entry, click Yes. There is no undo. To retain the connection entry, click No. The VPN Client returns to its main dialog.

Renaming a connection entry

You can rename a connection...
104. ...ther sections of this dialog.

Closing the VPN Client

You may want to close the VPN Client when it is running on your PC but not connected to a remote network. To close the VPN Client when it is not connected to a remote network:
- Click Close on the VPN Client's main dialog (see Figure 4-1), or
- Press Esc on your keyboard, or
- Press Alt+F4 on your keyboard.

Disconnecting your VPN Client connection

To disconnect your PC from the private network, you can do one of the following:
- Double-click the VPN Client icon on the Windows taskbar.
- Click Disconnect on the Connection Status dialog (Figure 4-16).
- Click the VPN Client icon with the secondary mouse button and select Disconnect from the pop-up menu.
Your IPSec session ends and the VPN Client closes. You must manually disconnect your Dial-Up Networking (DUN) connection.

CHAPTER 5 Managing the VPN Client

This chapter explains how to:
- Manage configured VPN Client connection entries: Clone Entry, Delete, Rename, Create a shortcut.
- On a Windows NT or Windows 2000 system, automatically initiate connections before logging on.
- Launch an application from the logon desktop.
- Import a configuration file.
- Automatically configure the VPN Client.
- Use the Log Viewer to examine events in the events log.
- Install a new version of the VPN Client software on your PC.
- Uni...
105. ...tion algorithms: HMAC (Hashed Message Authentication Coding) with the MD5 (Message Digest 5) hash function; HMAC with the SHA-1 (Secure Hash Algorithm) hash function.
- Authentication Modes: Preshared Keys; X.509 Digital Certificates.
- Diffie-Hellman Groups 1, 2, and 5.
- Encryption algorithms: 56-bit DES (Data Encryption Standard); 168-bit Triple DES.
- Extended Authentication (XAUTH).
- Mode Configuration (also known as ISAKMP Configuration Method).
- Tunnel Encapsulation Mode.
- IP compression (IPCOMP) using LZS.

Getting started

To use the VPN Client, you must do only three things:
- Install it (Chapter 2).
- Configure it (Chapter 3).
- Connect to the private network with it (Chapter 4).
To begin, turn to Chapter 2, Installing the VPN Client.

CHAPTER 2 Installing the VPN Client

This chapter explains how to install the VPN Client on your PC. The steps are:
- Verify that your computer meets the system requirements.
- Gather information you need.
- Install the VPN Client software.
To install a new version of the VPN Client or to uninstall it, see Chapter 5.

Note: Installing the VPN Client software on Windows NT or Windows 2000 requires Administrator privileges. If you do not have Administrator privileges, you must have someone with Administrator privileges install the product for you.

Verifying system requirements

Verify that your computer meets thes...
106. ...try if it is not already displayed.

Figure 3-22 VPN Client main dialog [screenshot: Cisco Systems VPN Client; Connection Entry list: Documentation, Engineering, Engineering Cert; Host name or IP address of remote server field with a sample address (illegible in the scan)]
3. Edit the address in the Host name or IP address of remote server field.
4. Click Connect. The VPN Client displays a confirmation dialog (Figure 3-23).

Figure 3-23 Address change dialog [screenshot: Cisco Systems VPN Client: "The server addressing information has been modified. Do you wish to save your changes?"]
5. Click one of the following: To use this address for the current session only, click No. The VPN Client begins connecting to the VPN device, but it does not save your change with the connection entry. To permanently change the address for this connection entry, click Yes. The VPN Client begins connecting to the VPN device, and it saves the new address with the connection entry. For an explanation of the connection process, see Chapter 4.

CHAPTER 4 Connecting to a private network

This chapter explains how to connect to a private network with the VPN Client. We assume you have configured at least one VPN Client connection entry as described in Chapter 3. To complete the steps in this chapter you also need:
- ISP logon username and password, if necessary.
- User authentication information. If you are authenticated via the VPN Con...
107. ...untry.
5. You may not modify, translate, decompile, disassemble, use for any competitive analysis, reverse engineer, distribute, or create derivative works from the Software or any accompanying documentation, or any copy thereof, in whole or in part.
6. The subject license will terminate immediately if you do not comply with any and all of the terms and conditions set forth herein. Upon termination for any reason, you (the licensee) must immediately destroy the Software, any accompanying documentation, and all copies thereof. Cisco Systems is not liable to you for damages in any form solely by reason of termination of this license.
7. You may not remove or alter any copyright, trade secret, patent, trademark, trade name, logo, product designation, or other proprietary and/or other legal notices contained in or on the Software and any accompanying documentation. These legal notices must be retained on any copies of the Software and accompanying documentation made pursuant to paragraphs 2 and 3 hereof.
8. You shall acquire no rights of any kind to any copyright, trade secret, patent, trademark, trade name, logo, or product designation contained in or relating to the Software or accompanying documentation, and shall not make use thereof except as expressly authorized herein or otherwise authorized in writing by Cisco Systems.

Limitation of Liabilities
9. INSTALLATION AND USE OF THE SOFTWARE IS ALSO GOVERNED BY A SEPARATE LICENSE AGREEMENT BETWEEN CIS...
108. ...use of the word partner does not imply a partnership relationship between Cisco and any other company. (0011R)

VPN Client User Guide. Copyright © 2001 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface
About this manual ... ix
Additional documentation ... ix
Other ... x
Documentation Conventions ... x
Data Formats ... xi
... xi
Hostnames ... xi
Usernames and Passwords ... xi
... xi

1 Understanding the VPN Client
... 1-2
Connection technologies ... 1-2
... 1-2
VPN Client IPSec ... 1-3
Getting started ... 1-4

2 Installing the VPN Client
Verifying system requirements ... 2-1
Gathering information you need ... 2-2
Installing the VPN Client ... 2-4
What next ... 2-5

3 Configuring the VPN Client
How to ... 3-2
Determining the VPN Client version ...
109. ...user. [screenshot residue: Connect, Close buttons] The next phase in tunnel negotiation is user authentication.

User authentication

Reminder: User authentication means proving that you are a valid user of this private network. User authentication is optional. Your administrator determines whether it's required. The VPN Client displays a user authentication dialog that differs according to the authentication method used by the IPSec group to which you are assigned. Your system administrator tells you which method you use. To continue, refer to your entries in Table 2-1 on page 2-2 and go to the appropriate section below.

Authenticating via the VPN device internal server or RADIUS server

The VPN Client displays the user authentication dialog. The title bar identifies the connection entry name.

Figure 4-6 Internal or RADIUS server authentication dialog [screenshot: User Authentication for Engineering. "The server has requested the information specified below to complete the user authentication." Username, Password, Save Password; OK, Cancel buttons]
1. In the Username field, enter your username. This entry is case-sensitive.
2. In the Password field, enter your password. This entry is case-sensitive. The field displays only asterisks.
3. Click OK.

Note: If you cannot select the Save Password option, your administrator does not allow this option. If you can s...
110. ...which it is valid. Make sure the certificate is valid before you continue. After you have verified that the certificate has a valid password, click Next. The fourth New Connection Entry Wizard dialog appears (Figure 3-11).

Figure 3-11 New Connection Entry Wizard dialog 4 [screenshot: "You have successfully created a new virtual private networking connection entry named [name]. Click Finish to save this entry. To connect to the remote network, select the Dial button from the main window. To modify this connection entry, click Options on the main window and select Properties from the menu that appears." Back, Cancel, Help buttons]
7. Review the connection entry name. If you want to change any previous entries, click Back until you get to the desired dialog.
8. To complete your entry, click Finish. The New Connection Entry Wizard dialog closes. Your new connection entry now appears in the Connection Entry drop-down list on the VPN Client's main dialog.

What next

If you need to configure optional connection entry parameters or change parameters for an existing connection entry, continue to the next section. Otherwise, you can skip to Chapter 4, Connecting to a private network.

Setting or changing connection entry properties

To change parameters or to set optional parameters for an existing connection entry:
1. On the VPN Client's main dialog, click the...
111. ...y busy or unreliable, you may need to increase the number of seconds to wait before the VPN Client decides that the peer is no longer active. The default number of seconds to wait before terminating a connection is 90 seconds. The minimum number of seconds you can configure is 30 seconds, and the maximum is 480 seconds. To adjust the setting, enter the number of seconds in the Peer response timeout field. The VPN Client continues to send DPD requests every 5 seconds until it reaches the number of seconds specified by the Peer response timeout value.

Logging on to Microsoft Network (Windows 95, Windows 98, and Windows ME)

The Logon to Microsoft Network parameter registers your PC on the private Microsoft network and lets you browse and use network resources after the VPN Client establishes a secure connection. This parameter is enabled by default. To disable this parameter, clear the check.

Note: This parameter appears only on VPN Clients installed on systems running Windows 95, Windows 98, and Windows ME. For information on logging on to Windows NT and Windows 2000 systems, see Starting connections before logging on (Windows NT and Windows 2000 only) in Chapter 5.

If you do not need, or do not have privileges for, Microsoft Windows resources on the private network, disable this parameter. For example, if you require only FTP access to the private network, you could disable this parameter. If you enable this parameter, click one of the ra...
