
VPN Client User Guide for Windows


Contents

1. Alt Name DNS: the DNS name in the Subject Alternative Name.
   Alt Name Email: the email address in the Subject Alternative Name.
   Alt Name IP Addr: the IP address in the Subject Alternative Name.
   After you have finished viewing the certificate, click OK to close it.

   Verifying a Certificate
   The Certificate Manager provides a quick way to check the validity of a certificate, for example to see whether the current date falls within its valid beginning and ending dates. To check a certificate, choose it in the certificate store, display the Options pull-down menu, and choose Verify. The Certificate Manager displays a message such as the one in Figure 6-20, indicating whether the certificate is still valid.

   Figure 6-20: Verifying a Certificate's Validity (Certificate Manager, Certificate Store listing Pat Clark (Cisco) and Pat Clark (Microsoft); Validity Check message box reading "Certificate signature is not valid").

   The following table shows the messages you might see when you check the validity of your certificate. Note that the date check is only part of what Verify reports: as Figure 6-20 shows, it also tells you when the certificate's signature does not verify, and a certificate that is within its dates but carries a bad signature must not be trusted.

   Message                       Description
   Certificate is not valid yet  The current date is prior to the certificate's valid start date. You must wait until the certificate becomes valid.
   Certificate has expired       The current date is after the certificate's valid end date.
3. The Properties > Authentication tab (see Figure 3-19) lets you change the name or password of the IPSec group to which you are assigned. Your group determines your access to and use of the remote network. The group name and password are essential parameters in authenticating you as a user of the remote network. If you want to choose a different certificate, you also use this screen.

   Figure 3-19: Changing Authentication Parameters from the Authentication Tab (Properties for Engineering; General, Authentication and Connections tabs. The Authentication tab reads: "Your administrator may have provided you with group parameters or a digital certificate to authenticate your access to the remote server. If so, select the appropriate authentication method and complete your entries." It offers Group Authentication, with Name "vpnclient", Password and Confirm Password fields, or Certificate, with a certificate name such as "alice (Cisco)".)

   Changing Group Name or Group Password
   You usually specify a group name and group password when you create a connection entry. However, you can use the Authentication tab to change a group name or group password if your system administrator so instructs you, or to enter the group name and password if the connection entry does not already have them. In the Name field, enter or edit the group name. This entry is case sensitive.
4. Country: the two-character country code where the owner's system is located.
   Email: the email address of the owner of the certificate.
   Key Size: the size of the signing key pair in bits, for example 1024. (A 1024-bit RSA key is no longer considered adequate; current guidance calls for 2048 bits or more.)
   Subject: the fully qualified distinguished name (DN) of the certificate's owner. This specific example includes the following parts. Other items may be included depending on the certificate type, but these fields are fairly standard:
     cn is the common name
     ou is the organizational unit (department)
     o is the organization
     l is the locality (city or town)
     st is the state or province of the owner
     c is the country
     e is the email address of the owner
   Issuer: the fully qualified distinguished name (DN) of the source that provided the certificate. The fields in this example are the same as for Subject.
   Serial Number: a unique identifier used for tracking the validity of the certificate on Certificate Revocation Lists (CRLs).
   Not Before: the beginning date from which the certificate is valid.
   Not After: the end date beyond which the certificate is no longer valid.
   The next three fields (the Subject Alternative Name entries) may be used during a connection attempt as part of validation, for example to make sure that the Subject Alternative IP Address matches the IP address of the VPN Concentrator.
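The checks described in items 1 and 4 (the Verify command's date check, the Issuer-to-CA match, and the connection-time comparison of the peer address against the Subject Alternative Name) written out over a plain certificate record. This is an added example, not code from the Cisco VPN Client guide or the Client itself; the field names follow the guide's certificate display, all records are constructed for illustration, and signature verification and CRL lookup are assumed to happen elsewhere.

```python
"""Added example, not code from the Cisco VPN Client guide: the checks the
Certificate Manager's Verify command and the connection-time SAN check
described above make, over a plain certificate record.  Every record below
is constructed; signature and CRL checks are assumed to be done elsewhere."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address

UTC = timezone.utc


@dataclass(frozen=True)
class CertRecord:
    subject: dict          # DN parts: cn, ou, o, l, st, c, e
    issuer: dict           # DN of the CA that signed it
    serial: int            # tracked on the CA's CRL
    not_before: datetime   # timezone-aware
    not_after: datetime
    alt_dns: tuple = ()    # Subject Alternative Name: DNS names
    alt_email: tuple = ()  # Subject Alternative Name: email addresses
    alt_ip: tuple = ()     # Subject Alternative Name: IP addresses
    key_size: int = 1024   # bits, as displayed under Key Size


def validity_message(cert, now):
    """The message the guide's table gives for the date check."""
    if now < cert.not_before:
        return "Certificate is not valid yet"
    if now > cert.not_after:
        return "Certificate has expired"
    return "Certificate is valid"


def issued_by(cert, ca):
    """Issuer DN of cert must equal the Subject DN of the CA, part by part."""
    def norm(dn):
        return {k.lower(): v.strip() for k, v in dn.items()}
    return norm(cert.issuer) == norm(ca.subject)


def peer_matches(cert, concentrator):
    """Connection-time check: the address you connected to must appear in the
    Subject Alternative Name (Alt Name IP Addr for an IP literal, Alt Name DNS
    for a hostname)."""
    try:
        addr = ip_address(concentrator)
    except ValueError:
        return concentrator.lower() in (d.lower() for d in cert.alt_dns)
    return any(addr == ip_address(a) for a in cert.alt_ip)


def verify_peer(cert, ca, concentrator, now=None, min_key_bits=2048):
    """Run all checks in order; an empty list means the certificate is acceptable."""
    now = now or datetime.now(UTC)
    problems = []
    msg = validity_message(cert, now)
    if msg != "Certificate is valid":
        problems.append(msg)
    if not issued_by(cert, ca):
        problems.append("Issuer does not match the trusted CA")
    if not peer_matches(cert, concentrator):
        problems.append("Peer address not in Subject Alternative Name")
    if cert.key_size < min_key_bits:
        problems.append(f"Key size {cert.key_size} below {min_key_bits} bits")
    return problems


# Constructed sample records (not real certificates) and sample clock values.
CA_DN = {"cn": "Example Root CA", "o": "Example Corp", "c": "US"}
CA = CertRecord(CA_DN, CA_DN, serial=1,
                not_before=datetime(1999, 1, 1, tzinfo=UTC),
                not_after=datetime(2009, 1, 1, tzinfo=UTC), key_size=2048)
PEER = CertRecord(
    subject={"cn": "vpn-concentrator", "ou": "Engineering", "o": "Example Corp",
             "l": "San Jose", "st": "CA", "c": "US", "e": "netops@example.com"},
    issuer=CA_DN, serial=4711,
    not_before=datetime(2000, 5, 1, tzinfo=UTC),
    not_after=datetime(2001, 5, 1, tzinfo=UTC),
    alt_dns=("vpn.example.com",), alt_ip=("10.10.32.32",), key_size=1024)
T_BEFORE = datetime(2000, 4, 1, tzinfo=UTC)
T_VALID = datetime(2000, 6, 1, tzinfo=UTC)
T_AFTER = datetime(2002, 1, 1, tzinfo=UTC)

if __name__ == "__main__":
    print(verify_peer(PEER, CA, "10.10.32.32", now=T_VALID))
```

The function returns every failed check rather than stopping at the first one, which is what you want when reading a Verify result: a certificate that is both expired and issued for a different address needs re-enrollment, not just a wait.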
5. Figure 6-8: Certificate Status Messages (Enrollment Status window showing "Generating key pair", "Generating self-signed certificate", "Submitting request").

   Step 6. What happens next depends on your CA (see Figure 6-8). Some CAs may provide an immediate response. If so, the Enrollment Status window reflects this fact and displays an OK button. Click OK and you see a message that your enrollment succeeded. You can view and manage the certificate under the Personal Certificates tab. If the enrollment status is "Request pending", your CA does not immediately approve your request and the Enrollment Status window shows the Suspend button. Click Suspend. Your request appears under the Enrollment Requests tab while you are waiting for the CA to issue the certificate. When the CA issues your certificate, choose the certificate and then choose Resume from the Options pull-down menu to complete the enrollment (see Figure 6-9).

   Figure 6-9: Resuming Enrollment Request (Cisco Systems VPN Client Certificate Manager listing pending requests for Alice Wonderland, Pat Clark and Patrick Clarkson).
6. Figure 3-9: Identifying Server (New Connection Entry Wizard: "The following information identifies the server to which you connect for access to the remote network. Host name or IP address of the server", for example EngHost.com).

   Step 5. Enter the hostname or IP address of the remote VPN device you want to access and click Next. The third New Connection Entry Wizard dialog box appears (see Figure 3-10).

   Choosing an Authentication Method
   You can connect as part of a group configured on a VPN device, or by supplying an identity digital certificate.

   Group Authentication
   For group authentication, perform the following procedure (see Figure 3-10).

   Figure 3-10: Group Authentication (Properties for Engineering, Authentication tab: "Your administrator may have provided you with group parameters or a digital certificate to authenticate your access to the remote server. If so, select the appropriate authentication method and complete your entries." Group Authentication with Name "vpnclient", Password and Confirm Password; or Certificate, with a name such as "Alice (Cisco)" and a Send CA Certificate Chain option.)

   Step 1. In the Name field, enter the name of the IPSec group to which you belong. This entry is case sensitive.
7. Authenticating to Connect to the Private Network

   Figure 4-3: Confirming Connections to ISP (Connecting to 200.70.50.250; Connection History: "Initializing the connection", "Initiating remote access connection to your ISP, please wait").

   When the ISP connection is established, a Dial-Up Networking icon appears in the system tray on the Windows task bar (see Figure 4-4).

   Figure 4-4: Dial-Up Networking Task Bar Icon

   Authenticating to Connect to the Private Network
   This section assumes you are connected to the Internet. If you connect using Dial-Up Networking, verify that its icon is visible in the Windows task bar system tray (see Figure 4-4). If not, your Dial-Up Networking connection is not active and you need to establish it before continuing. If you did not do so earlier, click Connect on the VPN Client's main dialog box (see Figure 4-1). The VPN Client starts tunnel negotiation and displays the Connection History dialog box (see Figure 4-5).

   Figure 4-5: Negotiating Dialog Box (Cisco Systems VPN Client, Connecting to 10.10.32.32; Connection History: "Authenticating user").

   The next phase in tunnel negotiation is user authentication.
8. The Certificate Manager asks you to enter the network address of the issuing CA (see Figure 6-6).

   Figure 6-6: Entering Network Address (Enrollment: CA Network Address. "Enter the URL or IP Address of the Certificate Authority." Fields: Certificate Authority drop-down (an existing CA or <New>); URL or Network Address, for example 61.44.246.41/certsrv/mscep/mscep.dll; Domain, for example faa2000.com; Challenge Password. Required fields are marked.)

   Step 2. Choose one of the following procedures:
   - Choose an existing Certificate Authority from the drop-down menu. The URL or Network Address and Domain fields are filled in automatically. Re-enter the Challenge password, or enter a new password, which you can obtain from the CA or your network administrator.
   - Choose <New> from the drop-down menu. Enter the URL or Network Address of the CA and the CA's Domain, both of which are required. Some CAs require that you enter a password to access their site. If this is the case, enter the password in the Challenge Password field. You can get the password from the CA or from your network administrator. The challenge password is what authorizes the CA to issue a certificate for your request, so treat it as a secret and do not share or reuse it.

   Step 3. When you have completed t
9. Notes use the following conventions:
   Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.
   Cautions use the following conventions:
   Caution: Means reader be careful. Cautions alert you to actions or conditions that could result in equipment damage or loss of data.

   Data Formats
   As you configure and manage the system, enter data in the following formats unless the instructions indicate otherwise.

   Type of Data: Format
   IP Addresses: IP addresses use 4-byte dotted decimal notation, for example 192.168.12.34. As the example indicates, you can omit leading zeros in a byte position.
   Subnet Masks and Wildcard Masks: Subnet masks use 4-byte dotted decimal notation, for example 255.255.255.0. Wildcard masks use the same notation, for example 0.0.0.255. As the example illustrates, you can omit leading zeros in a byte position.
   MAC Addresses: MAC addresses use 6-byte hexadecimal notation, for example 00.10.5A.1F.4F.07.
   Hostnames: Hostnames use legitimate network hostname or end-system name notation, for example VPN01. Spaces are not allowed. A hostname must uniquely identify a specific system on a network.
   Text Strings: Text strings use upper- and lower-case alphanumeric characters. Most text strings are case sensitive; for example, simon and Simon represent different usernames. In most cases the maximum lengt
10. ARISING IN ANY WAY OUT OF THE USE OF THE SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
11. Starting a Connection Before Logging on to a Windows NT Platform
   On a Windows NT platform you can connect to the private network before you log on to your system. This feature is called start before logon, and its purpose is primarily to let you log in to the domain and run login scripts. Your administrator may have set this up for you. Once you establish a VPN connection, your credentials are sent to a domain controller for logging in to your system. If you need to launch an application before you log on, see the section Launching an Application for information.
   When you have established a successful VPN connection, the VPN Dialer window closes and your logon window displays. If the connection is not successful, the VPN Dialer window continues to display. Your administrator may have set up a banner that lets you know when you have a successful connection.
   To activate this feature, follow these steps:
   Step 1. Open the VPN Client Options pull-down menu (shown in Figure 5-3) and choose Windows Logon Properties.
   Step 2. Check Enable start before logon and then click OK (see Figure 5-18).

   What Happens When You Use Start Before Logon
   When start before logon is active, the following events occur when your system starts: your system logon dialog box displays. Other messages might display as well.
12. The IPSec group to which the system administrator assigned you. Your group determines how you access and use the remote network; for example, it specifies access hours, number of simultaneous logins, user authentication method, and the IPSec algorithms your VPN Client uses.
   Certificates: the name of the certificate you are using for authentication.
   Optional parameters that govern VPN Client operation and connection to the remote network.
   You can create multiple connection entries if you use your VPN Client to connect to multiple networks (though not simultaneously) or if you belong to more than one VPN remote access group. For connection entry parameters, see Gathering Information You Need.

   How To Create a New Connection Entry
   Start the VPN Client by choosing Start > Programs > Cisco Systems VPN Client > VPN Dialer.

   Figure 3-6: Starting the VPN Dialer (Start menu; the Cisco Systems VPN Client program group contains Certificate Manager, Help, Log Viewer, Set MTU, Uninstall VPN Client and VPN Dialer).

   Note: If you installed the VPN Client via the Microsoft Windows Installer, the Cisco Systems VPN Client menu does not include the Uninstall VPN Client option.

   The VPN Dialer application starts and displays its main dialog box.
14. existing certificate profile, you are not interacting with the Entrust PKI. If you see this message, click OK to continue.
   After completing the Entrust Login dialog box (see Figure 4-15), click OK. You may receive a security warning message from Entrust. This warning occurs, for example, when an application attempts to access your Entelligence profile for the first time, or when you are logging in after a VPN Client software update. The message appears because Entrust wants to verify that it is acceptable for the VPN Client to access your Entrust profile.

   Figure 4-17: Entrust Security Warning ("Cisco Systems VPN Client is trying to access Entrust. Do you wish to continue?" with Yes and Details buttons).

   At the warning message, click Yes to continue. You can now use your Entrust certificate for authenticating your new connection entry. If this prompt appears when you have not just started or updated the VPN Client, check which application is asking for your profile before you click Yes.

   Entrust Inactivity Timeout
   If you have a secure connection and you see a padlock next to the Entelligence icon in the Windows system tray, Entelligence has timed out. However, you have not lost your connection. If you see the Entelligence icon with an X next to it, you are logged out of Entrust and you did not have a secure connection initially. To make a new connection, start from the beginning.
15. ISAKMP OAK INFO *(HASH, NOTIFY:KEEP_ALIVE) to 10.10.32.32
   7   15:12:20.194  05/03/00  Sev=Info/4  IKE/0x63000012
       SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 10.10.32.32
   8   15:12:20.204  05/03/00  Sev=Info/4  IKE/0x63000013
       RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID) from 10.10.32.32
   9   15:12:20.214  05/03/00  Sev=Info/4  IKE/0x63000012
       SENDING >>> ISAKMP OAK QM *(HASH) to 10.10.32.32
   Ready

   Printing the Log File
   To print the events displayed in the current window, choose File > Print from the main menu. Alternatively, you can click the Printer icon.

   Saving the Log File
   To save the currently displayed events in the ipseclog file on your hard drive, choose File > Save as from the main menu. Alternatively, click the Disk icon. The ipseclog file is a text (.txt) file in DOS format. The Log Viewer saves the information to the Client install directory, which by default is the pathname Program Files\Cisco Systems\VPN Client\IPSECLOG.TXT. You can specify any directory and name (see Figure 5-25).

   Figure 5-25: Saving a Log File (Save As dialog: Save in VPN Client, Profiles folder; File name; Save as type "IPSec Log Files (*.log)").

   Clearing the Events Display
   To eliminate all the events cu
18. (Figure: the Automatic VPN Initiation dialog, with an Enable check box and a Retry Interval of up to 10 minutes, plus a Create Shortcut button; the Options menu offers Properties, Stateful Firewall (Always On), Application Launcher, Automatic VPN Initiation and Windows Logon Properties.)
   Note: Enabling Automatic VPN Initiation does not take effect until the VPN Dialer has been closed.
   To disable or enable auto initiation, follow these steps:
   Step 1. Select Automatic VPN Initiation from the Options menu.
   Step 2. To disable auto initiation, click to remove the check mark from Enable. Or, to enable auto initiation after it has been disabled, click Enable to check it.
   Step 3. Click OK. If you are enabling auto initiation, you must then close the VPN Dialer. The authentication dialog then prompts you to enter your authentication information.
   To change the setting of the retry interval, enter the new value (1 to 10) in the Retry Interval box and click OK.

   Viewing and Managing the VPN Client Event Log
   Examining the event log can often help a network administrator diagnose problems with an IPSec connection between a VPN Client and a peer device. The Log Viewer application collects event messages from all processes that contribute to the client-peer connection. This section shows how to use the Log Viewer to retrieve and manage this information.

   Starting the Log Viewer
   To start the Log Viewer, use the following pa
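A parser for the saved IPSECLOG.TXT format, with the kind of checks an administrator reading the event log (item 18) would run over the IKE lines shown in item 15: grouping events by class and severity, spotting a peer address other than the one configured, and confirming that the Quick Mode (phase 2) exchange completed. This is an added example, not code from the guide or the Log Viewer. The entry layout (sequence number, time, date, Sev=<level>/<n>, <class>/<hex code>, message on the following line) is taken from the lines in item 15; the exact whitespace, the warning entry and the NO_PROPOSAL_CHOSEN line in the sample are constructed assumptions.

```python
"""Added example, not code from the Cisco VPN Client guide: parse the
IPSECLOG.TXT entries the Log Viewer saves and run a few checks over them.
The sample log is constructed; only its layout follows the guide."""
import re
from collections import Counter

# Header line: "<seq>  HH:MM:SS.mmm  MM/DD/YY  Sev=<Level>/<n>  <Class>/<hex code>"
HEADER = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)"
    r"\s+Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<cls>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$")
# Message line for IKE traffic: "SENDING >>> <body> to <ip>" / "RECEIVING <<< <body> from <ip>"
MESSAGE = re.compile(
    r"^(?P<dir>SENDING|RECEIVING)\s+(?:>>>|<<<)\s+(?P<body>.*?)\s+(?:to|from)\s+"
    r"(?P<peer>\d+\.\d+\.\d+\.\d+)\s*$")

SAMPLE_LOG = """\
6      15:12:20.184  05/03/00  Sev=Info/4  IKE/0x63000012
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:KEEP_ALIVE) to 10.10.32.32
7      15:12:20.194  05/03/00  Sev=Info/4  IKE/0x63000012
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 10.10.32.32
8      15:12:20.204  05/03/00  Sev=Info/4  IKE/0x63000013
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID) from 10.10.32.32
9      15:12:20.214  05/03/00  Sev=Info/4  IKE/0x63000012
SENDING >>> ISAKMP OAK QM *(HASH) to 10.10.32.32
10     15:12:21.001  05/03/00  Sev=Warning/2  IKE/0xE3000020
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 10.10.32.33
"""


def parse_log(text):
    """Return one dict per event; IKE send/receive lines also get dir, body, peer."""
    records, header = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
            continue
        if header is None:          # status-bar text such as "Ready" before any header
            continue
        rec = dict(header, seq=int(header["seq"]), level=int(header["level"]),
                   text=line.strip())
        mm = MESSAGE.match(line.strip())
        if mm:
            rec.update(dir=mm["dir"], body=mm["body"], peer=mm["peer"])
        records.append(rec)
        header = None
    return records


def by_class_and_severity(records):
    return Counter((r["cls"], r["sev"]) for r in records)


def unexpected_peers(records, expected_peer):
    """Addresses the client exchanged IKE traffic with other than the configured one."""
    return sorted({r["peer"] for r in records if "peer" in r and r["peer"] != expected_peer})


def payloads(body):
    """'ISAKMP OAK QM *(HASH, SA, NON, ID, ID)' -> ['HASH', 'SA', 'NON', 'ID', 'ID']"""
    return body.split("*(")[-1].rstrip(")").replace(" ", "").split(",")


def quick_mode_completed(records, peer):
    """Phase 2 looks complete when the client sent QM with an SA payload, received
    the peer's QM reply with an SA payload, and then sent the final HASH-only QM
    message, in that order and all with the same peer."""
    want = [("SENDING", "SA"), ("RECEIVING", "SA"), ("SENDING", None)]
    step = 0
    for r in records:
        if r.get("peer") != peer or "OAK QM" not in r.get("body", ""):
            continue
        direction, need = want[step]
        if r["dir"] == direction and (need is None or need in payloads(r["body"])):
            step += 1
            if step == len(want):
                return True
    return False


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(by_class_and_severity(recs))
    print("unexpected peers:", unexpected_peers(recs, "10.10.32.32"))
    print("quick mode done:", quick_mode_completed(recs, "10.10.32.32"))
```

Run it against a saved IPSECLOG.TXT by replacing SAMPLE_LOG with the file's contents; the peer you pass to unexpected_peers should be the hostname-resolved address of the VPN device in the connection entry.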
19. Figure 5-33: Confirming Your Connections (InstallShield Wizard, Setup Status: "VPN Client Setup is performing the requested operations. Do you wish to delete your existing connection profiles?").

   Step 3. To preserve your connection profiles, which contain configured connection entries, click No. Then the Uninstall Wizard asks if you want to delete your certificates (see Figure 5-34).

   Figure 5-34: Confirming Your Certificates (InstallShield Wizard, Setup Status: "Do you wish to delete your existing Cisco certificates?").

   Step 4. To keep your certificates, click No. Keep them only if you intend to reinstall the Client on this machine; a personal certificate left in the store carries its private key, so delete the certificates when removing the Client for good. Finally, the Uninstall Wizard prompts you to restart your system. To complete the uninstallation, you must restart your system.

   Step 5. To restart your system, click Yes (the default) and then click Finish. The installation program restarts your system. Be sure to remove any diskette from its drive before you restart your system.

   Note: When you uninstall the VPN Client software after you have run the Log Vi
20. Changing the VPN Device Address for a Connection Entry

   Chapter 4: Connecting to a Private Network
   - Starting the VPN Dialer
   - Connection Procedure
     - Using the VPN Client to Connect to the Internet via Dial-Up Networking
   - Authenticating to Connect to the Private Network
     - User Authentication
     - Authenticating Through the VPN Device Internal Server or RADIUS Server
     - Authenticating Through a Windows NT Domain
       - Changing your Password
     - Authenticating Through RSA Data Security (RSA SecurID/SDI)
       - RSA User Authentication: SecurID Tokencards, Pinpads and Keyfobs, and SoftID v1.0 (Windows 95, Windows 98 and Windows ME)
       - RSA User Authentication: SoftID v1.x (Windows NT Only) and SoftID v2.0 (All Operating Systems)
       - RSA New PIN Mode
       - SecurID Next Cardcode Mode
   - Connecting with Digital Certificates
     - Connecting with an Entrust Certificate
       - Accessing Your Profile
       - Entrust Inactivity Timeout
       - Using Entrust SignOn and Start Before Logon Together
     - Connecting with a Smart Card or Token
   - Completing the Private Network Connection
   - Using Automatic VPN Initiation
     - Connecting Through Auto Initiation
     - Disconnecting Your Session
     - Changing Option Values While Auto Initiation is Suspended
     - Disabling Auto Initiation
     - Disabling While Suspended
     - Restarting After Disabling Auto Initiation
21. Figure 6-24: Exporting a Certificate (Export Certificate dialog. Fields: Certificate password; Export password; Confirm Export password; Export file name, for example export_newcert.cec, with Browse; Export certificate chain option. The dialog notes: "The certificate password is not exported with the certificate. To password protect the certificate file, enter a value in the Export password field. To export the CA certificate and any intermediate CA certificates, select the Export certificate chain option.")

   - In the Certificate password field, enter the password you created during enrollment. The certificate password protects the certificate in the certificate store so that an unauthorized individual cannot use it. This is the password you optionally entered when you enrolled for the certificate.
   - In the Export password field, enter an optional password to protect the export file. Then enter it again in the Confirm Export password field. The certificate password does not travel with the exported file, so without an export password the file is unprotected; set one whenever the file will be copied or sent anywhere.
   - In the Export file name field, enter the filename for the exported certificate. Only the filename is required. Use the Browse feature to locate a target directory for the exported certificate.
   - To export the CA and/or RA certificate with your personal certificate, check the Export certificate chain option.
   - After completing all the information, click OK. The Certificate Manager displays a message indicating whether your certificate export was successful (see Figure 6-25).
22. Centralized Protection Policy (CPP) Using the Cisco Integrated Client
   CPP is a stateful firewall policy that is defined on and controlled from the VPN Concentrator. It can add protection for the VPN Client PC and the private network from intrusion when split tunneling is in use. For CPP (see Figure 4-36), the Firewall tab shows you the firewall rules in effect.

   Figure 4-36: Firewall Tab for CPP (Cisco Systems VPN Client Connection Status: General, Statistics and Firewall tabs. Firewall Policy: Centralized Protection Policy (CPP). Product: Cisco Integrated Client. Firewall Rules columns: Act, Dir, Src Address, Dst Address, Proto, Src Port, Dst Port. The selected rule reads Action Drop, Direction Inbound, Source Address Any, Destination Address Local, Protocol Any, Source Port N/A, Destination Port N/A. Time connected 00:00:31; OK, Notifications and Disconnect buttons.)

   This status screen lists the following information:
   Firewall Policy: the policy established on the VPN Concentrator for this VPN Client.
   Product: the name of the firewall currently in use, such as Cisco Integrated Client, ZoneAlarm Pro, and so on.
   Firewall Rules: the Firewall Rules section shows all of the firewall rules currently in effect on the VPN Client. Rules are in order of importance
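To show why the order of the rules on the Firewall tab matters, here is an added example (not code from the guide or the Cisco Integrated Client) that evaluates a packet against an ordered rule list with the tab's columns (Act, Dir, Src Address, Dst Address, Proto, Src Port, Dst Port) and reports rules that an earlier rule makes unreachable. First-match semantics, the "drop when nothing matches" default and the whole rule set are assumptions; only the inbound Any-to-Local Drop rule is taken from Figure 4-36.

```python
"""Added example, not code from the Cisco VPN Client guide: first-match
evaluation of an ordered firewall rule list shaped like the CPP Firewall tab,
plus detection of rules shadowed by an earlier rule.  Rule set constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY, LOCAL = "Any", "Local"


@dataclass(frozen=True)
class Rule:
    action: str                  # "Forward" or "Drop"
    direction: str               # "In" or "Out"
    src: str                     # ANY, LOCAL or an IPv4 network such as "10.10.0.0/16"
    dst: str
    proto: str                   # ANY, "TCP", "UDP", "ICMP"
    sport: Optional[int] = None  # None means N/A (any port)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def addr_matches(spec, ip, local_ip):
    if spec == ANY:
        return True
    if spec == LOCAL:
        return ip == local_ip
    return ip_address(ip) in ip_network(spec, strict=False)


def rule_matches(rule, pkt, local_ip):
    return (rule.direction == pkt.direction
            and addr_matches(rule.src, pkt.src, local_ip)
            and addr_matches(rule.dst, pkt.dst, local_ip)
            and rule.proto in (ANY, pkt.proto)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport))


def evaluate(policy, pkt, local_ip, default="Drop"):
    """Action of the first matching rule, in the order the tab lists them."""
    for rule in policy:
        if rule_matches(rule, pkt, local_ip):
            return rule.action
    return default


def covers(a, b):
    """True when address spec a matches every address that spec b matches."""
    if a == ANY:
        return True
    if a == LOCAL or b in (ANY, LOCAL):
        return a == b
    return ip_network(b, strict=False).subnet_of(ip_network(a, strict=False))


def shadows(earlier, later):
    """True when every packet 'later' could match is already caught by 'earlier'."""
    return (earlier.direction == later.direction
            and covers(earlier.src, later.src)
            and covers(earlier.dst, later.dst)
            and earlier.proto in (ANY, later.proto)
            and earlier.sport in (None, later.sport)
            and earlier.dport in (None, later.dport))


def shadowed_rules(policy):
    """Indexes of rules that can never match because an earlier rule covers them."""
    return [j for j, later in enumerate(policy)
            if any(shadows(policy[i], later) for i in range(j))]


# Constructed policy; index 2 is the Drop / Inbound / Any -> Local rule from Figure 4-36.
POLICY = [
    Rule("Forward", "Out", LOCAL, ANY, ANY),                        # anything the PC sends
    Rule("Forward", "In", "10.10.0.0/16", LOCAL, "UDP", dport=500),  # IKE from the VPN device's network
    Rule("Drop", "In", ANY, LOCAL, ANY),                            # default: drop other inbound traffic
    Rule("Forward", "In", "10.10.0.0/16", LOCAL, "TCP", dport=22),   # placed after the Drop: never reached
]
LOCAL_IP = "192.168.12.34"

if __name__ == "__main__":
    print("shadowed rule indexes:", shadowed_rules(POLICY))
```

When a rule you expect to allow traffic shows up in shadowed_rules, the fix is on the VPN Concentrator, where the policy is defined: move it above the catch-all Drop rule rather than adding another rule below it.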
23. Finish to save this entry. To connect to the remote network, select the Dial button from the main window. To modify this connection entry, click Options on the main window and select Properties from the menu that appears.

   To complete the connection entry configuration, use the following procedure:
   Step 1. Review the connection entry name. If you want to change any previous entries, click Back until you get to the desired dialog box.
   Step 2. To complete your entry, click Finish. The final New Connection Entry Wizard dialog box closes. Your new connection entry now appears in the Connection Entry drop-down list on the VPN Client's main dialog box.

   What Next
   If you need to configure optional connection entry parameters or change parameters for an existing connection entry, continue to the next section. Otherwise, you can skip to Connecting to a Private Network.

   Setting or Changing Connection Entry Properties
   To change parameters or to set optional parameters for an existing connection entry, follow these steps:
   Step 1. In the VPN Client's main dialog box, click the Connection Entry drop-down menu button and choose the entry you want to configure.
   Step 2. Then click Options and choose Properties from the menu. See Fi
24. Installing the VPN Client Through Microsoft Windows Installer
   Step 2. If you want to remove your connection profiles and/or certificates, click the box(es) on the dialog. By default, this wizard does not delete these files. To continue, press Next. The wizard continues and displays the dialog shown in Figure 2-7.

   Figure 2-7: Cisco Systems VPN Client 3.6 Uninstall dialog ("This will remove Cisco Systems VPN Client 3.6 (Rel) from your machine. Are you sure you want to continue? Click the Next button to remove the application. Click the Cancel button to exit the uninstall process.")

   Step 3. To remove the Cisco VPN Client version 3.6, click Next. Or, to halt the wizard, click Cancel. When you click Next, the wizard removes the Cisco VPN Client version 3.6. If you elected to remove your connection profiles and/or certificates, these files are also removed; otherwise these files remain on your system. When you click Cancel, the wizard prompts you to either Resume or Exit Setup. To stop removal, click Exit Setup. If you want to continue the removal, click Resume.

   What Next
   When the VPN Client software is installed on your PC, to configure it see Configuring the VPN Client.
25. Networking, if it is not already enabled. To link your VPN Client connection entry to a DUN entry, click the down arrow next to the Phonebook entry field and choose an entry from the drop-down menu. The VPN Client then uses this DUN entry to automatically dial into the Microsoft network before making the VPN connection to the private network.

   Third-Party Dial-up Program
   If you have no DUN phonebook entries and have enabled Connect to the Internet via dial-up, then Third party dial-up application is enabled by default. To connect to the Internet using a third-party dial-up program, follow these steps:
   Step 1. Click Third party dial-up application if it is not already enabled.
   Step 2. Use Browse to enter the name of the program in the Application field. This application launches the connection to the Internet. The string you choose or enter here is the pathname to the command that starts the application and the name of the command, for example c:\isp\ispdialer.exe dialEngineering. Give the full path to the executable, as in the example, rather than a program name alone, so that the intended program is the one launched. Your network administrator might have set this up for you. If not, consult your network administrator.

   Changing the VPN Device Address for a Connection Entry
   To change the address of the VPN device in a connection entry, and to make the change temporary or permanent, follow these steps:
26. [Appendix, Copyrights and Licenses, continued]

Security, Inc. Distribution is limited to authorized licensees of RSA Data Security, Inc. Any unauthorized reproduction or distribution of this document is strictly prohibited. BSAFE is a trademark of RSA Data Security, Inc. The RSA Public Key Cryptosystem is protected by U.S. Patent 4,405,829.

Copyright (c) 1999, 2000, 2001 Zone Labs, Inc. All rights reserved. Zone Labs, ZoneAlarm, ZoneAlarm Pro, TrueVector and Zone Labs Integrity are trademarks of Zone Labs, Inc. The Software is Zone Labs proprietary information. No license is granted to the source code of the Software. No part of this publication may be reproduced, distributed or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Zone Labs, Inc.

THE SOFTWARE IS PROVIDED BY ZONE LABS "AS IS" WITHOUT WARRANTY OF ANY KIND. ZONE LABS DISCLAIMS ANY AND ALL WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ZONE LABS SHALL NOT BE LIABLE FOR DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, COVER, RELIANCE OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF PROFITS, LOSS OF DATA OR USE, OR BUSINESS INTERRUPTION) ARISING FROM ANY CAUSE ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27. [Chapter 3, Configuring the VPN Client: How To Create a New Connection Entry]

See Figure 3-7.

Figure 3-7 VPN Dialer Main Dialog Box. (Screenshot of the Cisco Systems VPN Client main dialog with the "Host name or IP address of remote server" field.)

Step 1 At the main dialog, click New. The first New Connection Entry Wizard dialog box appears. See Figure 3-8.

Figure 3-8 Entering Name and Description. (Dialog text: "The VPN Client lets you create secure connections to remote networks. This wizard helps you create a Cisco Systems connection entry for connecting to a specific remote network. Name of the new connection entry: Engineering. Description of the new connection entry (optional): Connection to Engineering remote server.")

Step 2 Enter a unique name for this new connection. You can use any name to identify this connection; for example, Engineering. This name can contain spaces, and it is not case-sensitive.

Step 3 Enter a description of this connection. This field is optional, but it helps further identify this connection. For example, Connection to Engineering remote server.

Step 4 Click Next. The second New Connection Entry Wizard dialog box appears. See Figure 3-9.
28. [Chapter 4, Connecting to a Private Network: Connecting with Digital Certificates]

The VPN Client authenticates your credentials and optionally displays a banner and/or a notification. Respond to the banner or notification as required. Then the Windows NT logon dialog box is active. To complete the connection, enter your Windows NT logon credentials in the Windows logon dialog box, and you are done.

Connecting with a Smart Card or Token

The VPN Client supports authentication with digital certificates through a smart card or electronic token. Several vendors provide smart cards and tokens. For an up-to-date list of those that the VPN Client currently supports, see Smart Cards Supported. Smart card support is provided through the Microsoft Cryptographic API (MS CAPI). Any CryptoService provider you use must support signing with CRYPT_NOHASHOID.

Once you or your network administrator has configured a connection entry that uses a Microsoft certificate provided by a smart card, you must insert the smart card into the receptor. When you start your connection, you are prompted to enter a password or PIN, depending on the vendor. For example, Figure 4-18 shows the authentication prompt from ActivCard Gold.

Figure 4-18 ActivCard Gold PIN Prompt. (Dialog: "ActivCard Gold: Enter PIN code".)

In the above example, you would type your PIN code in the Enter PIN code field and clic
29. [Chapter 4, Connecting to a Private Network: Viewing Connection Status]

Secured Routes

The Secured Routes section lists the IPSec Security Associations (SAs). In Figure 4-34, under Secured Routes, the columns show the following types of information:

Key icon: In the first row, you see a key icon at the start of the connection entry. This key shows that the route is secure. The software generates a key as soon as the client needs to send secure data through the tunnel to the networks on the other side. The absence of a key means that the SA is no longer active. The SA may have timed out due to inactivity. Sending data to this network re-establishes the SA, and the key reappears.

Network: The IP address of the remote private network with which this VPN Client has an SA.

Subnet Mask: The subnet mask of the IP address for this SA.

Bytes: The total amount of data this SA has processed. This includes data before encryption as well as encrypted data received.

Src Port, Dst Port, and Protocol are for future use.

Local LAN Routes

If active, the Local LAN Routes box shows the network addresses of the networks you can access on your local LAN while you are connected to your organization's private network through an IPSec tunnel. You can access up to 10 networks on the client side of the connection. A network administrator at the central site must configure the
30. [Chapter 4, Connecting to a Private Network: Authenticating to Connect to the Private Network]

Windows 98 and Windows ME

To display an authentication dialog box asking for your username and passcode, perform the following steps. See Figure 4-8. If you are using SoftID, it must be running on your PC.

Figure 4-8 Authenticating through RSA. (Dialog "User Authentication for MyCompany": Enter Username and Password; Username; Passcode.)

Step 1 In the Username field, enter your username. This entry is case-sensitive.

Step 2 In the Passcode field, enter a SecurID code. With SoftID, you can copy this code from the SoftID window and paste it here. Your administrator will tell you what you need to enter here, depending on the type of tokencard you are using.

Step 3 After entering the code, click OK.

RSA User Authentication: SoftID v1.x (Windows NT Only) and SoftID v2.0 (All Operating Systems)

If you are using SoftID under Windows NT, the VPN Client displays an authentication dialog box asking for your username and PIN. See Figure 4-9.

Figure 4-9 Authenticating Through SoftID on Windows NT. (Dialog: Enter Username and Password; Username; PIN; Cancel.)

Step 1 In the Username field, enter your username. This entry is case-sensitive.

Step 2 In the PIN field, enter y
31. [Chapter 6, Enrolling and Managing Certificates: Managing Personal and CA/RA Certificates]

(Validity-message table, continued)
Certificate has expired (continued): You need to enroll for a new certificate.
Certificate signature is not valid: You do not have the CA certificate, or the CA certificate that you have may have expired. You might need to download or import the CA certificate.
Certificate is valid: You have a working certificate enrolled.

Deleting a Certificate

To delete a certificate, follow this procedure:

Step 1 Choose the certificate in the certificate store, display the Options pull-down menu, and choose Delete. If the certificate has a password, the Certificate Manager prompts you to enter it. See Figure 6-21.

Figure 6-21 Entering Password for Deleting a Certificate. (Dialog: Password; OK; Cancel.)

Step 2 In the Password field, type the password given to the certificate during enrollment and click OK. Next, the Certificate Manager asks you to confirm. See Figure 6-22.

Figure 6-22 Confirming Deletion. (Dialog "Delete Certificate": "Are you sure you want to delete the Certificate?")

Step 3 To complete the deletion, click Yes. If you decide not to delete this certificate, click No.

Changing the Password on a Personal Certificate

To change the password on a p
32. [Chapter 4, Connecting to a Private Network: Using Automatic VPN Initiation]

a laptop, your connection initiates automatically. You do not see the VPN Dialer's main dialog. As the connection goes forward, the VPN Dialer displays the dial status screen; see Figure 4-22.

Figure 4-22 Viewing Dial Status of an Auto-Initiated VPN Connection. (Dialog: "Auto-initiating VPN connection to 10.10.32.32"; "Authenticating user"; Connection History: "Initializing the connection", "Contacting the gateway at 10.10.32.32", "Authenticating user".)

Also, the VPN Dialer displays the authentication dialog, such as the one shown in Figure 4-23.

Figure 4-23 Authenticating Auto-Initialized Connection. (Dialog "User Authentication for Engineering": Enter Username and Password; Username; Password.)

When you enter your authentication information, your connection starts immediately, as you can tell by viewing the closed yellow lock icon in the system tray.

Figure 4-24 Closed Lock = Connected.

Or, to cancel the connection attempt, click Cancel in the Dial Status dialog. When you cancel the connection attempt, the VPN Dialer displays the following message.

Figure 4-25 Canceling Connection Attempt During Authent
33. [Chapter 5, Managing the VPN Client: Managing VPN Client Connection Entries]

connection entry, start the Cisco VPN Client and choose VPN Dialer from the menu of applications. The VPN Client main dialog box appears. See Figure 5-2.

Figure 5-2 VPN Client Main Dialog Box (VPN Dialer). (Dialog: Connection Entry: Engineering; Options; Host name or IP address of remote server: EngHost.com; Connect; Close.)

Click the Connection Entry drop-down menu arrow and choose an entry. Click Options to display the menu.

Figure 5-3 VPN Client Options Menu. (Menu items: Clone Entry, Delete, Import Entry, Erase User Password, Create Shortcut, Stateful Firewall (Always On), Application Launcher, Windows Logon Properties.)

Note On a Windows 9x, Windows Me, or Windows XP home system, the VPN Client does not display Windows Logon Properties.

Cloning a Connection Entry

To clone a connection entry with all its properties and use it as the basis for creating a new entry, follow these steps:

Step 1 On the VPN Client's main dialog box, click the Connection Entry drop-down menu and choose the entry you want to clone.

Step 2 On the VPN Client Options menu, choose Clone E
34. [Chapter 5, Managing the VPN Client: Viewing and Managing the VPN Client Event Log]

control the amount of information to view with the Log Viewer, choose Options > Filter. Alternatively, you can click the Filter icon. The Log Viewer displays the Log Viewer Filter message to let you choose the amount of information you want to capture. See Figure 5-23.

Figure 5-23 Log Viewer Filter Message. (Dialog "Filter Log Events": "A Low setting displays only critical or warning events. A High setting displays all events. To change filter level: Double-click on one item, or select more than one item and right-click. Choose the level from the menu that displays." Event classes listed: CERT, CLI, CM, CVPND, DIALER, FIREWALL, IKE, IPSEC, PPP, AUTH.)

To change the filter level, do the following:

Step 1 Double-click on one item, or choose more than one item and right-click.

Step 2 Choose from the following options that the Log Viewer displays:

Disable: Inhibits event reporting for the chosen class.

Low: Provides the least amount of information. This choice includes severity levels 1 through 3 (all faults and warnings). Low is the default for all classes.

Medium: Includes severity levels 1 through 4 (all in Low plus the first-level informational events, which provide general information about the connection). Note that a first-level informational event is level 4 and appears in the even
36. networks you can access from the client side. For information on configuring Local LAN Access on the VPN 3000 Concentrator, refer to the VPN Client Administrator Guide, Chapter 1.

Time Connected

The Statistics tab also displays the time, in days, hours, minutes, and seconds, that has elapsed since you initiated the connection.

Firewall Tab

The Firewall tab displays information about the VPN Client's firewall configuration. The VPN Concentrator's network manager sets up the firewall policy under Configuration > User Management > Base Group or Group > Client FW tab. There are three options:

Are You There: The supported personal firewall software on the VPN Client PC controls its own rules. The VPN Client polls the firewall every 30 seconds to make sure it is still running, but does not confirm that a specific policy is enforced.

Centralized Protection Policy: This policy takes advantage of the Cisco Integrated Client. The policy rules are defined on the VPN Concentrator and sent to the VPN Client during each connection attempt. The VPN Client enforces these rules for all non-tunneled traffic while the tunnel is active.

Client/Server: This policy relates to the Zone Labs Integrity solution. The policy is defined on the Integrity Server in the private network and sent to the VPN Concentrator, which in turn sends it to the Integrity Agent on the VPN Client PC to implement. Since Integrity is a fully functional personal firewall, it can intelligently decide on network traffic based
37. [Chapter 4, Connecting to a Private Network: Viewing Connection Status]

on applications as well as data.

Note CPP affects Internet traffic only. Traffic across the tunnel is unaffected by its policy rules. If you are operating in tunnel-everything mode, enabling CPP has no effect.

The information shown on this tab varies according to your firewall policy:

AYT: When Are You There (AYT) is the supported capability, the Firewall tab shows only the firewall policy (AYT) and the name of the firewall product; see Figure 4-35.

Centralized Protection Policy (CPP): When CPP is the supported capability, the Firewall tab includes the firewall policy, the firewall in use, and the firewall rules; see Figure 4-36.

Client/Server: When Client/Server is the supported capability, the Firewall tab displays the firewall policy as Client/Server, the name of the product as ZoneLabs Integrity Agent, the user ID, the session ID, and the addresses and port numbers of the firewall servers; see Figure 4-37.

AYT Firewall Tab

The Firewall tab shows that AYT is running and displays the name of the firewall product that supports AYT.

Figure 4-35 Firewall Tab for AYT Capability. (Dialog "Cisco Systems VPN Client Connection Status": Firewall Policy: Are You There (AYT); Product: ZoneLabs ZoneAlarm; Time connected: 00:02:05; Notifications; Disconnect.)
38. the port number configured on the secure gateway. The default port number is 10000.

Note When using the VPN Client behind an ESP-aware NAT/Firewall, the port on the NAT/Firewall device may be closed due to the VPN Client's keepalive implementation, called DPD (Dead Peer Detection). When a client is idle, it does not send a keepalive until it sends data and gets no response. To allow the VPN Client to work through ESP-aware NAT/Firewalls, add the ForceKeepAlives parameter to the .pcf profile configuration file for the affected connection profile. This parameter enables IKE and ESP keepalives for the connection at approximately 20-second intervals. Use the following syntax when adding this parameter to the Main section of any .pcf file:

ForceKeepAlives=1

For more information, see Connection Profile Configuration Parameters in the VPN Client Administrator Guide.

Allowing Local LAN Access

The Allow Local LAN Access parameter gives you access to the resources on your local LAN (printer, fax, shared files, other systems) when you are connected through a secure gateway to a central-site VPN device. When this parameter is enabled and your central site is configured to permit it, you can access local resources while connected. When this parameter is disabled, all traffic from your Client system goes through the IPSec connection to the secure gateway. To enable this feature, check Allow Local LAN Access; to disable it, c
39. [Chapter 1, Understanding the Cisco VPN Client: VPN Client Features]

to the Internet, then start the VPN Client and establish a secure connection through the Internet to your organization's private network. When you open your e-mail, the Cisco VPN server uses IPSec to encrypt the e-mail message. It then transmits the message through the tunnel to your VPN Client, which decrypts the message so you can read it on your remote PC. If you reply to the e-mail message, the VPN Client uses IPSec to process and return the message to the private network through the Cisco VPN server.

Connection Technologies

The VPN Client lets you use any of the following technologies to connect to the Internet:

• POTS (Plain Old Telephone Service): Uses a dial-up modem to connect.
• ISDN (Integrated Services Digital Network): May use a dial-up modem to connect.
• Cable: Uses a cable modem; always connected.
• DSL (Digital Subscriber Line): Uses a DSL modem; always connected.

You can also use the VPN Client on a PC with a direct LAN connection.

VPN Client Features

The VPN Client includes the following features:

Program Features
• Complete browser-based, context-sensitive, HTML-based Help.
• Support for VPN 3000 Series Concentrator platforms that run Release 3.0 and above. VPN Client Release 3.0 and above will not work with Releases 2.x of the VPN 3000 Concentrator.
• Command-line interface to the VPN Di
40. [Chapter 5, Managing the VPN Client: Enabling Stateful Firewall (Always On)]

The shortcut appears on your desktop as in this example. See Figure 5-14.

Figure 5-14 Connection Entry Shortcut (Engineering).

The VPN Client main dialog box remains open.

Enabling Stateful Firewall (Always On)

The VPN Client includes an integrated stateful firewall that provides protection when split tunneling is in effect and protects the VPN Client PC from Internet attacks while the VPN Client is connected to a VPN Concentrator through an IPSec tunnel. This integrated firewall includes a feature called Stateful Firewall (Always On).

Stateful Firewall (Always On) provides even tighter security. When enabled, this feature allows no inbound sessions from all networks, whether or not a VPN connection is in effect. Also, the firewall is active for both encrypted and non-encrypted traffic. There are two exceptions to this rule. The first is DHCP, which sends requests to the DHCP server out one port but receives responses from DHCP through a different port. For DHCP, the stateful firewall allows inbound traffic. The second is ESP. The stateful firewall allows ESP traffic from the secure gateway, because ESP rules are packet filters and not session-based filters. For the latest information on other exceptions, if any, refer to the Release Notes for Cisco VPN Client for Windows.

To enable the stateful firewall, click Stateful Firewall (Always On)
41. [Chapter 5, Managing the VPN Client: Viewing and Managing the VPN Client Event Log]

(Figure residue: Log Viewer window showing IKE, CM, and IPSEC events from 01/24/01 11:13:46, including "Created a new key structure", "Added key with SPI 0xb22b0833 into key list", "Loading IPsec SA (Message ID 0x2E1C84AB) (OUTBOUND SPI 0x339C21FD)", and "Loaded OUTBOUND ESP SPI 0x339C21FD"; status bar: Ready.)

Displaying the Version of the Software

To display a brief help message that gives you the version number of the software, choose Help from the main menu or click the Help icon.

Collecting Events

To start collecting event messages into the log file, choose Options > Capture. When a check mark appears in front of the Capture option, Log Viewer is collecting events. This option is off by default. Alternatively, you can click the Capture icon.

Each message in the log file comprises at least two lines containing the following fields:

Event  Time  Date  Severity type/level  EventClass/MessageID
Message text

Table 5-1 describes the fields in an event message. Table 5-2 describes event types and severity levels.

Table 5-1 Fields in an Event Message
Field: Meaning
Event: The first field shows the event number. Events are numbered incrementally an
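The two-line event record format described here, together with the per-class filter levels from the Log Viewer Filter dialog (Low = severity 1-3, Medium = 1-4, High = all), as an added parser that is not part of the guide or of the Cisco product. The sample log records are constructed from the fields the text lists; the exact whitespace between fields, the event numbers and the message IDs are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of the Log Viewer record format described in the text: a
# header line (event number, time, date, Sev=type/level, EventClass/MessageID)
# followed by the message text on the next line. Event numbers, timestamps and
# message IDs are illustrative; the exact whitespace between fields is assumed.
SAMPLE_LOG = """\
74     11:13:46.460  01/24/01  Sev=Info/4\tIKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x339C21FD

75     11:13:46.460  01/24/01  Sev=Info/4\tIPSEC/0x63700010
Created a new key structure

76     11:13:46.460  01/24/01  Sev=Info/4\tIPSEC/0x6370000F
Added key with SPI 0xb22b0833 into key list

77     11:13:47.010  01/24/01  Sev=Warning/2\tCM/0x63100021
Peer response timeout while contacting the gateway (constructed text)

78     11:13:47.120  01/24/01  Sev=Info/6\tDIALER/0x63300001
Status bar updated (constructed text)
"""

HEADER_RE = re.compile(
    r"^(?P<event>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<date>\d{2}/\d{2}/\d{2})\s+Sev=(?P<sev_type>[A-Za-z]+)/(?P<level>\d)\s+"
    r"(?P<event_class>[A-Z_]+)/(?P<message_id>0x[0-9A-Fa-f]{8})\s*$"
)
SPI_RE = re.compile(r"SPI:?\s*(0x[0-9A-Fa-f]+)")

# Filter levels from the Log Viewer Filter dialog: Disable = nothing for that
# class, Low = severity 1-3 (faults and warnings, the default), Medium = 1-4
# (Low plus first-level informational events), High = all events.
FILTER_MAX_LEVEL = {"Disable": 0, "Low": 3, "Medium": 4, "High": 9}


@dataclass
class Event:
    number: int
    time: str
    date: str
    sev_type: str
    level: int
    event_class: str
    message_id: str
    text: str


def _make_event(h: Dict[str, str], text_lines: List[str]) -> Event:
    return Event(number=int(h["event"]), time=h["time"], date=h["date"],
                 sev_type=h["sev_type"], level=int(h["level"]),
                 event_class=h["event_class"], message_id=h["message_id"],
                 text=" ".join(text_lines))


def parse_log(log: str) -> List[Event]:
    """Split a Log Viewer export into Event records (header + message text)."""
    events: List[Event] = []
    header: Dict[str, str] = {}
    text_lines: List[str] = []
    for raw in log.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            if header:
                events.append(_make_event(header, text_lines))
            header, text_lines = m.groupdict(), []
        elif raw.strip() and header:
            # Non-blank line after a header: (continuation of) the message text.
            text_lines.append(raw.strip())
    if header:
        events.append(_make_event(header, text_lines))
    return events


def apply_filter(events: List[Event], class_filters: Dict[str, str]) -> List[Event]:
    """Keep the events the Log Viewer would display for the given per-class
    filter levels; classes not listed use the default level, Low."""
    kept = []
    for ev in events:
        if ev.level <= FILTER_MAX_LEVEL[class_filters.get(ev.event_class, "Low")]:
            kept.append(ev)
    return kept


def spis_in_messages(events: List[Event]) -> List[str]:
    """SPIs named in message text; each one is an IPSec SA, i.e. a keyed row in
    the Secured Routes list of the connection status."""
    return [m.group(1) for ev in events for m in SPI_RE.finditer(ev.text)]


if __name__ == "__main__":
    all_events = parse_log(SAMPLE_LOG)
    print(f"{len(all_events)} events, SPIs seen: {spis_in_messages(all_events)}")
    for ev in apply_filter(all_events, {"IKE": "Medium", "IPSEC": "Medium"}):
        print(ev.number, f"{ev.sev_type}/{ev.level}", ev.event_class, ev.text)
```

With the default Low filter only the level-2 warning survives; raising IKE and IPSEC to Medium brings the level-4 SA key events back, which is the setting to use when correlating the key icon in Secured Routes with the log.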
42. [Chapter 3, Configuring the VPN Client: Setting or Changing Connection Entry Properties]

Figure 3-17 Connection Entry Properties Dialog Box (Windows NT, Windows 2000, and Windows XP). (Dialog "Properties for Engineering" with General, Authentication, and Connections tabs. General tab: Enter a description of this connection entry (optional): Connection to Engineering VPN Device; Enable Transparent Tunneling; Allow IPSec over UDP (NAT/PAT); TCP port 10000; Allow local LAN access; Peer response timeout 30 (30-480 seconds).)

Step 3 Click the tab for the parameters you want to change:

General tab: Change the connection entry description; enable transparent tunneling; allow local LAN access; adjust the peer response timeout; log on to Microsoft Network.

Authentication tab: Change the group name or group password; change the certificate you want to use.

Connections tab: Enable, add, and remove backup server connections; connect to the Internet via Dial-Up Networking.

See the appropriate section of this chapter for each tab and parameter.

When you have finished setting parameters, click OK. The Properties dialog box closes and the VPN Dialer saves your changes. To discard your cha
43. [Chapter 5, Managing the VPN Client: Receiving Notifications From a VPN Device]

(Figure residue: connection status dialog listing a secured route 9.154.68.0 / 255.255.255.0; Time connected: 00:01:04; Notifications; Reset; Disconnect.)

Upgrade Notifications

The notification shown in Figure 5-27 informs a remote user that it is time to upgrade the VPN Client software. The notification includes the location where the remote user can obtain the upgrade. When you receive an upgrade notification that includes a URL, click Launch to go to the site and retrieve the upgrade software. You will receive an upgrade notification every time you connect until you have installed the upgrade software.

Figure 5-27 Notification of a Software Upgrade. (Dialog "Cisco Systems VPN Client Notifications", notification received at 15:25:30. Notification text: "Your network administrator has placed an update of the Cisco Systems VPN Client at the following location: http://www.mycompany.com/clientupdate. Click the Launch button to open your Internet browser to this location." Launch button.)

Firewall Notifications

If the VPN Client and VPN Concentrator firewall configurations do not match, the VPN Concentrator notifies the VPN Client while negotiating the connection. The notification includes the policy that the VPN Concentrator requires. For example, the notification i
44. [Chapter 3, Configuring the VPN Client: How To Create a New Connection Entry]

Authentication Tab is unchecked and disabled when you select Entelligence Certificate.

Validating a Certificate

Optionally, you might want to verify that the certificate you are using is still valid, using the following procedure:

Step 1 To verify the validity of a certificate, click Validate Certificate and enter the password. If the VPN Dialer prompts for a password to secure the certificate, enter the password. You receive a report letting you know whether the certificate is valid. If the password is not valid, you need to try again. If you do not know the password, see your system administrator. An identity certificate has a public and private key and a time period within which it is valid. Make sure the certificate is valid before you continue.

Step 2 After you have verified that the certificate is valid, click Next.

Configuring an Entrust Certificate for Authentication

If you have an Entrust Entelligence certificate enrolled, the pull-down menu includes the entry Entelligence Certificate (Entrust). See Figure 3-12.

Figure 3-12 Entrust Entelligence Certificate. New Connection Entry Wizard dialog text: "Your administrator may have provided you with group parameters or a digital certificate to authenticate your access to the remote server. If so, select the appropriate authentication me
45. [Chapter 3, Configuring the VPN Client: How To Create a New Connection Entry]

Certificate Chain. To send CA certificate chains, click Send CA Certificate Chain. This parameter is disabled by default. The CA certificate chain includes all CA certificates in the hierarchy of certificates, from the root certificate (which must be installed on the VPN Client) to the identity certificate. This feature enables a peer VPN Concentrator to trust the VPN Client's identity certificate, given the same root certificate, without having all the same subordinate CA certificates actually installed.

Example 3-1 CA Certificate Chains

1. On the VPN Client, you have this chain in the certificate hierarchy:
   Root Certificate
   CA Certificate 1
   CA Certificate 2
   Identity Certificate

2. On the VPN Concentrator, you have this chain in the certificate hierarchy:
   Root Certificate
   CA Certificate 3
   Identity Certificate

3. Though the identity certificates are issued by different CA certificates, the VPN Concentrator can still trust the VPN Client's identity certificate, since it has received the chain of certificates installed on the VPN Client PC. This feature provides flexibility, since the intermediate CA certificates don't need to be actually installed on the peer.

Note Certificate chains are not supported for Entrust Entelligence. Therefore, the Send CA Certificate Chain checkbox on the
46. Cisco Systems. VPN Client User Guide for Windows, Release 3.6, August 2002.

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA. http://www.cisco.com. Tel: 408 526-4000, 800 553-NETS (6387). Fax: 408 526-4100.

Text Part Number: 78-14738-01. Customer Order Number: DOC-7814738 WS.

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXP
47. [Chapter 6, Enrolling and Managing Certificates: Managing Enrollment Requests]

(Figure residue: enrollment request details. Email: alicew@university.edu; Key Size: 1024; Subject: e=alicew@university.edu, cn=Alice Wonderland, ou=Interi...; Issuer: e=alicew@university.edu, cn=Alice Wonderland, ou=Interi...; Serial Number: 6B140654C67F5898CDE17F141D869466; Not Before: Fri Apr 05 11:41:48 2002; Not After: Sun May 05 12:41:48 2002; MD5 Fingerprint, SHA1 Fingerprint, and PKCS10 MD5 Fingerprint values as displayed, garbled in extraction.)

Note that the Issuer field shows the subject name and not the name of the CA, since the CA has not yet issued the certificate.

Deleting an Enrollment Request

To delete an enrollment request, follow these steps:

Step 1 Click on the enrollment request in the list and choose Delete from the Options pull-down menu. The Certificate Manager prompts you for a password.

Step 2 Type the password in the Password field and click OK. The Certificate Manager verifies the password. If the password is correct, the Certificate Manager asks you to confirm that you really want to delete the enrollment request.

Step 3 To complete the deletion, click Yes. If you decide not to delete this certificate, click No.

Changing the Password on an Enrollment Request

To change the certificate password on an enrollment request, use this
48. [Chapter 2, Installing the VPN Client: Gathering Information You Need]

Installing the VPN Client Through Microsoft Windows Installer. To upgrade the VPN Client software, or to uninstall it, see Managing the VPN Client.

Caution Installing the VPN Client software using InstallShield on Windows NT or Windows 2000 requires Administrator privileges. If you do not have Administrator privileges, you must have someone with Administrator privileges install the product for you.

Installation Applications

You can install the VPN Client on your system through two different applications: InstallShield and Microsoft Windows Installer (MSI). Both applications use installation wizards to walk you through the installation. Installing the VPN Client through InstallShield includes an Uninstall icon in the program group; MSI does not. In the latter case, to manually remove VPN Client applications, you can use the Microsoft Add/Remove Programs utility.

Verifying System Requirements

Verify that your computer meets these requirements:

• Computer with a Pentium-class processor or greater.
• One of the following operating systems: Microsoft Windows 95 (OSR2); Windows 98 or Windows 98 (second edition); Windows ME; Windows NT 4.0 (with Service Pack 6 or higher); Windows 2000; Windows XP.
• Microsoft TCP/IP installed. Confirm via Start > Settings > Control Panel > Netwo
49. [Chapter 1, Understanding the Cisco VPN Client: How the VPN Client Works]

VPN 3000 Series Concentrators and PIX central-site servers can all terminate VPN connections from VPN Clients. As a remote user (low speed or high speed), you first connect to the Internet. Then you use the VPN Client to securely access private enterprise networks through a Cisco VPN server that supports the VPN Client.

The VPN Client comprises the following applications, which you select from the Programs menu.

Figure 1-1 VPN Client Applications as Installed by InstallShield. (Start > Programs > Cisco Systems VPN Client: Certificate Manager, Help, Log Viewer, Set MTU, Uninstall VPN Client, VPN Dialer.)

In logical order of use, the applications are as follows:

Help: Displays an online manual with instructions on using the applications.

VPN Dialer: Lets you configure connections to a VPN server and lets you then start your connections.

Certificate Manager: Lets you enroll for certificates to authenticate your connections to VPN servers.

Log Viewer: Lets you display events from the log.

Uninstall VPN Client: Lets you safe
50. Appendix: Copyrights and Licenses

Client Software License Agreement of Cisco Systems

THE SOFTWARE TO WHICH YOU ARE REQUESTING ACCESS IS THE PROPERTY OF CISCO SYSTEMS. THE USE OF THIS SOFTWARE IS GOVERNED BY THE TERMS AND CONDITIONS OF THE AGREEMENT SET FORTH BELOW. BY CLICKING "YES" ON THIS SCREEN, YOU INDICATE THAT YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THAT AGREEMENT. THEREFORE, PLEASE READ THE TERMS AND CONDITIONS CAREFULLY BEFORE CLICKING ON "YES". IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THE AGREEMENT, CLICK "NO" ON THIS SCREEN, IN WHICH CASE YOU WILL BE DENIED ACCESS TO THE SOFTWARE.

Ownership of the Software

1. The software contained in the Cisco Systems VPN Client (the "Software") to which you are requesting access is owned or licensed by Cisco Systems and is protected by United States copyright laws, laws of other nations, and/or international treaties.

Grant of License

2. Cisco Systems hereby grants to you the right to install and use the Software on an unlimited number of computers, provided that each of those computers must use the Software only to connect to Cisco Systems products, and subject to the export restrictions in paragraph 4 hereof. You may make one copy of the Software for each such computer for t
51. VPN Client connections, upgrade or uninstall VPN Client software, reconfigure the VPN Client automatically, use the Log Viewer application, and set up special features such as Start Before Logon.

Chapter 6, Enrolling and Managing Certificates: Tells you how to obtain digital certificates to use for authentication and how to manage these certificates on your system.

Appendix A, Copyrights and Licenses: Provides copyright and license information for software that the VPN Client uses.

Terminology

In this user guide, the term "Cisco VPN device" refers to the following Cisco products:
- Cisco VPN 3000 Series Concentrator
- Cisco Secure PIX Firewall devices
- IOS platform devices, such as the Cisco 7100 Series Routers

Related documentation

The VPN Client includes an extensive online, HTML-based help system that you can access through a browser in several ways:
- Click the Help icon on the Cisco Systems VPN Client programs menu (Start > Programs > Cisco Systems VPN Client > Help).
- Press F1 while using the applications.
- Click the Help button on screens that include it.

The VPN Client Administrator Guide tells a network administrator how to:
- Configure a VPN 3000 Concentrator for several specific features
- Configure a VPN 3000 Concentrator for remote access users
- Configure VPN Client fir
52. RESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCIP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, Internet Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-R
53. Step 1: On the VPN Client main dialog box (shown in Figure 3-25), click the Connection Entry drop-down menu button and choose the entry if it is not already displayed. (Figure 3-25, Choosing a Connection Entry, shows the Cisco Systems VPN Client dialog with the connection entry Engineering_Cert and "Host name or IP address of remote server" set to 10.10.99.30.)

Step 2: Edit the address in the "Host name or IP address of remote server" field.

Step 3: Click Connect. The VPN Client displays a confirmation dialog box (Figure 3-26, Confirming Your Changes: "The server addressing information has been modified. Do you wish to save your changes?").

Step 4: Click one of the following:
- To use this address for the current session only, click No. The VPN Client begins connecting to the VPN device, but it does not save the change you have made to the connection entry.
- To permanently change the address for this connection entry, click Yes. The VPN Client begins connecting to the VPN device, and it saves the new address with the connection entry.

For an explanation of the connection process, see Connection Procedure.

Changing the VPN Device Address for a Co
54. The Local LAN routes section on the Connection Status dialog box lists the IP address and subnet mask of each available network. The Src Port and Dst Port fields are not currently used.

Note: While connected, you cannot print or browse the local LAN by name; when disconnected, you can print and browse by name. For more information on this limitation, refer to the VPN Client Administrator Guide, Chapter 1.

Adjusting the Peer Response Timeout Value

The VPN Client uses a keepalive mechanism called Dead Peer Detection (DPD) to check the availability of the VPN device on the other side of an IPSec tunnel. If the network is unusually busy or unreliable, you may need to increase the number of seconds to wait before the VPN Client decides that the peer is no longer active. The default number of seconds to wait before terminating a connection is 90 seconds. The minimum number of seconds you can configure is 30 seconds, and the maximum is 480 seconds. To adjust the setting, enter the number of seconds in the Peer response timeout field. The VPN Client continues to send DPD requests every 5 seconds until it reaches the number of seconds specified by the Peer response timeout value.

Logging on to Microsoft Network (Windows 95, Windows 98, and Windows ME)

The Logon to Microsoft Netwo
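The DPD timing described under Adjusting the Peer Response Timeout Value, worked through as an added example (this is illustration code, not Cisco's client): one DPD request every 5 seconds while the peer is silent, and the tunnel declared dead once the peer has been silent for the full Peer response timeout, which must lie in the 30..480 second range. The DpdMonitor class, the one-second clock and the reply schedules are constructed for the example; that ordinary traffic from the peer resets the timer the same way a DPD reply does is an assumption, not something the guide states.

```python
"""Timing model of the VPN Client's Dead Peer Detection (DPD) as the guide
describes it: while the peer is silent, a DPD request goes out every 5 s, and
the tunnel is torn down once the peer has been silent for the configured
Peer response timeout (default 90 s, configurable 30..480 s).

Added illustration, not Cisco code. The DpdMonitor class, the one-second clock
and the reply schedule are constructed for this example; only the timer values
come from the guide.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

DPD_INTERVAL = 5                     # seconds between DPD requests while the peer is silent
DEFAULT_TIMEOUT = 90                 # seconds of silence before the connection is terminated
MIN_TIMEOUT, MAX_TIMEOUT = 30, 480   # range the Peer response timeout field accepts


def validate_timeout(seconds: int) -> int:
    """Reject values outside the range the Properties dialog allows."""
    if not MIN_TIMEOUT <= seconds <= MAX_TIMEOUT:
        raise ValueError(
            f"peer response timeout must be {MIN_TIMEOUT}..{MAX_TIMEOUT} s, got {seconds}")
    return seconds


@dataclass
class DpdMonitor:
    timeout: int = DEFAULT_TIMEOUT
    last_heard: int = 0              # clock value when the peer was last heard from
    next_request: int = DPD_INTERVAL
    requests_sent: int = 0
    dead_at: Optional[int] = None

    def peer_heard(self, now: int) -> None:
        """A packet from the peer (DPD reply or, by assumption, ordinary traffic)
        resets the silence timer and defers the next request."""
        self.last_heard = now
        self.next_request = now + DPD_INTERVAL

    def tick(self, now: int) -> str:
        """Advance the clock one step; returns 'dead', 'request' or 'alive'."""
        if self.dead_at is not None:
            return "dead"
        if now - self.last_heard >= self.timeout:
            self.dead_at = now           # peer silent for the whole timeout window
            return "dead"
        if now >= self.next_request:
            self.requests_sent += 1      # send another DPD request and reschedule
            self.next_request = now + DPD_INTERVAL
            return "request"
        return "alive"


def run(timeout: int, reply_times: Iterable[int], horizon: int) -> Tuple[Optional[int], int]:
    """Drive the monitor one second at a time from t=1 to horizon.

    reply_times: seconds at which the peer is heard from (constructed schedule).
    Returns (second at which the peer was declared dead, or None; DPD requests sent).
    """
    replies = set(reply_times)
    mon = DpdMonitor(timeout=validate_timeout(timeout))
    for now in range(1, horizon + 1):
        if now in replies:
            mon.peer_heard(now)
        if mon.tick(now) == "dead":
            return now, mon.requests_sent
    return None, mon.requests_sent


if __name__ == "__main__":
    # Peer answers the first request (t=5) at t=6, is heard again at t=11, then falls
    # silent: with a 30 s timeout it is declared dead at t=41 after 6 requests.
    print(run(30, [6, 11], 100))      # (41, 6)
    # Peer never answers: default 90 s timeout, 17 requests at 5 s intervals, dead at t=90.
    print(run(90, [], 200))           # (90, 17)
```

Raising the timeout only delays the verdict; it does not change how often requests are sent, so a busy link that drops keepalives for 60 seconds survives a 90 s setting but not the 30 s minimum.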
55. ain a new VPN Client profile (.pcf file) from your system administrator. Load the file on your hard disk.

On the VPN Client main dialog box, click Options and choose Import Entry from the menu. The VPN Client opens a window for you to choose the profile file (Figure 5-7, Choosing a File to Import: a file browser open on the VPN Client Profiles folder, with "Files of type" set to Profile Configuration Files (*.pcf)).

Step 4: Browse until you locate the profile file; when you have located it, choose it and click Open (Figure 5-8, Importing the Profile File, shows a .pcf file selected with "Files of type" Profile Configuration Files (*.pcf)).

The VPN Client displays a message informing you that your file import was successful (Figure 5-9, Import Successful: "Import operation has completed", with the main dialog behind it showing "Host name or IP address of remote server" 10.10.32.32). If the profile already exists, you receive a message asking if you want to overwrite it.

Step 5: Con
56. aler.
- Local LAN access: The ability to access resources on a local LAN while connected through a secure gateway to a central-site VPN server, if the central site grants permission.
- Automatic VPN Client configuration option: the ability to import a configuration file.
- Log Viewer: An application that collects events for viewing and analysis.
- Set MTU size: The VPN Client automatically sets a size that is optimal for your environment. However, you can set the MTU size manually as well. For instructions on adjusting the MTU size, see the VPN Client Administrator Guide.
- Application Launcher: The ability to launch an application or a third-party dialer from the VPN Client.
- Automatic uninstall of the Nortel Networks VPN Client and the 5000 VPN Client software with the InstallShield installation package.
- Automatic connection by way of Microsoft Dial-Up Networking or any other third-party remote access dialer.
- Software update notifications from the VPN server upon connection.
- Ability to launch a location (site) containing upgrade software from a VPN server notification.
- The ability to automatically initiate secure wireless VPN connections seamlessly.
- NAT Transparency (NAT-T), which lets the VPN Client and the VPN Concentrator automatically detect when to use IPSec over UDP to work properly in Port Address Translation environments.
- Update of centrally controlled backup server list: the VPN Client learns the backup VPN Concentrator list through connect
57. and complete your entries. (The Group Access Information dialog contains Name (for example, ipsec_group), Password and Confirm Password fields; the certificate pane shows the certificate name with the Send CA Certificate Chain and Validate Certificate options, plus OK, Cancel and Help buttons.)

Smart Cards Supported

The VPN Client supports authentication with digital certificates through a smart card or an electronic token. Several vendors provide smart cards and tokens, including the following:

Vendor | Software and Version | Card/Token Tested | Vendor Web site
GemPLUS | GemSAFE Workstation 2.0 or later | GEM195 | www.gemplus.com
Activcard | Activcard Gold version 2.0.1 or later | Palmera 32K | www.activcard.com
Aladdin | eToken Runtime Environment (RTE) version 2.6 or later | PRO and R2 tokens | www.ealaddin.com

The VPN Client works only with smart cards and tokens that support CRYPT_NOHASHOID.

Completing the Connection Wizard

After you enter authentication information and click Next, the fourth New Connection Entry Wizard dialog box appears (Figure 3-14, Completing the Connection Entry, reports that you have successfully created a new virtual private networking connection entry with the name you gave it). Click
58. and lower-case letters. For example, sKate8 is not the same as Skate8. In online enrollment, this password is kept with the certificate; in file enrollment, this password is not retained.

Managing Personal and CA/RA Certificates

Using the Certificate Manager, you can view a certificate; verify that the certificate is still valid (within the dates assigned to it and not revoked); delete a certificate; and export the certificate to a file that you can e-mail. For personal certificates only, you can also change the certificate password. To perform any of these actions, use the Options menu on the main window (Figure 6-18, Certificate Manager Options Menu: the Personal Certificates, CA Certificates and Enrollment Requests tabs, a Certificate Store list, and an Options menu with View, Verify, Import, Delete and Export).

Viewing a Certificate

To display a certificate, choose it in the certificate store, open the Options pull-down menu, and choose View. Or you can double-click on the certificate to display it. Figure 6-19 shows a sample certificate from a Microsoft certificate service pro
59. arent Tunneling: Inactive; Tunnel Port: 0; Compression: None; Local LAN access: Enabled; Personal Firewall: Cisco Integrated Client; Firewall Policy: Centralized Protection Policy (CPP); Time connected: 00:06:15. (Values shown in the Connection Status figure, which also has Notifications, Reset and Disconnect buttons.) Note: Stateful Firewall (Always On) status is not represented above. To view this status, right-click on the system tray icon; if the item is checked, this functionality is enabled.

The parameters are the following:
- Connection Entry: The name of the profile you are using to establish the connection.
- Client IP address: The IP address assigned to the VPN Client for the current session.
- Server IP address: The IP address of the VPN device to which the VPN Client is connected.
- Encryption: The data encryption method for traffic through this tunnel. Encryption makes data unreadable if intercepted.
- Authentication: The data or packet authentication method used for traffic through this tunnel. Authentication verifies that no one has tampered with data.
- Transparent Tunneling: The status of tunnel transparent mode in the client, either active or inactive.
- Tunnel Port: If Transparent Mode is active, the tunnel port through which packets are passing. This field also identifies whether the VPN Client is sending packets through UDP or TCP. This port number comes f
60. ars.

Step 4: Enter the path to setup.exe in the InstallShield folder of the VPN Client CD-ROM (E:\...\InstallShield\setup.exe, where E: is your system's CD-ROM drive).

Step 5: Click OK.

Note: Cisco does not allow you to install the VPN Client software from a network drive. If you attempt to do so, you receive an error message.

The program displays the Cisco Systems logo and the InstallShield Setup window shown in Figure 2-1 (Starting InstallShield Installation: "Welcome to the InstallShield Wizard for VPN Client. The InstallShield Wizard will install VPN Client on your computer. To continue, click Next.").

Step 6: If the InstallShield Wizard identifies an existing version of the VPN Client, the Cisco 5000 Client, or the Nortel Networks Extranet Access Client, it displays a dialog box that asks if you want to uninstall the existing client program. To continue, choose Yes. The VPN Client launches the appropriate uninstall wizard (the Cisco VPN Client uninstall wizard to uninstall a previous version of the VPN Client, the Extranet Access Client wizard program, or the Cisco 5000 wizard). Follow the instructions on the uninstall wizard dialog boxes to automatically uninstall the program and reboot.

Note: Having more than one VPN client on your system is not advisable.

Step 7: After yo
61. assword can be up to 32 characters in length. Passwords are case sensitive. For example, sKate8 and Skate8 are different passwords. This password is called the personal certificate password.

Figure 6-4, Protecting a Certificate with a Password (Certificate Password Protection dialog): "Password protecting your certificate provides an additional level of security. This password is optional. By choosing to protect your certificate with a password, any operation that requires access to the certificate's private key will require the specified password to continue. Note: File-based enrollments require the password used here to be re-entered when the approved certificate is imported." The dialog has Password and Confirmation Password fields and Next, Cancel and Help buttons.

After entering a password, click Next to continue. The Certificate Manager lets you choose between enrolling via the network or by creating a file (Figure 6-5, Choosing Enrollment Method: Enrollment, Network or File). Enrolling via the network is also called online enrollment.

Enrolling Through the Network

To enroll through the network (retrieve a certificate from a CA and place it in the Cisco store), use the following procedure:

Step 1: Click Network and click Next (see Figure 6-5).
62. ate common name, the not-before date, the not-after date, and the number of days until the certificate expires (or since it has expired).

There is one exception to this rule: when you are authenticating with a Microsoft certificate, the VPN Dialer skips the automatic certificate validation process and starts the connection immediately. If there is a problem with the certificate, the connection attempt fails. To obtain information about the failure, look in the connection log file (see Viewing and Managing the VPN Client Event Log). To validate the certificate manually, choose Properties > Authentication > Validate Certificate.

What happens when you press Connect can depend on the level of private key protection on your certificate. If your certificate is password protected, you are prompted to enter the password.

Connecting with an Entrust Certificate

This section provides important information about what to expect when connecting with an Entrust certificate under certain conditions.

Accessing Your Profile

If you are not already logged in, you must log in to Entrust Entelligence to access your Entrust Entelligence certificate profile, using the following procedure. After you choose Connect on the VPN Client main dialog box, the Entrust logon dialog box appears (Figure 4-15, Logging in to Entrust: the Entrust Login dialog, Copyright 1994-2000 Entrust Technologies Limited, All rights r
63. ate Headquarters, California, U.S.A., at 408 526-7208, or elsewhere in North America by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. In the Cisco Documentation home page, click the Fax or Email option in the "Leave Feedback" section at the bottom of the page. You can e-mail your comments to bug-doc@cisco.com. You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address: Cisco Systems, Attn: Document Resource Connection, 170 West Tasman Drive, San Jose, CA 95134-9883. We appreciate your comments.

Obtaining Technical Assistance

Cisco.com

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site. Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world. Cisco.com is a highly integrated Internet application an
64. ation 4-21
Connection Failures 4-22
Summary of Auto-Initiation States 4-23
Viewing Connection Status 4-24
General Information 4-24
Statistics 4-26
Secured Routes 4-27
Local LAN Routes 4-27
Time Connected 4-27
Firewall Tab 4-27
AYT Firewall Tab 4-28
Centralized Protection Policy (CPP) Using the Cisco Integrated Client 4-29
Firewall Rules 4-29
Client/Server Firewall Tab 4-31
Resetting Statistics 4-32
Closing the VPN Client 4-32
Disconnecting your VPN Client Connection 4-32
CHAPTER 5 Managing the VPN Client 5-1
Managing VPN Client Connection Entries 5-2
Cloning a Connection Entry 5-3
Deleting a Connection Entry 5-4
Renaming a Connection Entry 5-5
Importing a VPN Client Configuration File 5-5
Erasing a Saved Password for a Connection Entry 5-7
Creating a Shortcut for a Connection Entry 5-10
Enabling Stateful Firewall (Always On) 5-11
Launching an Application 5-11
Managing Windows NT Logon Properties 5-14
Starting a Connection Before Logging on to a Windows NT Platform 5-14
What Happens When You Use Start Before Logon 5-15
Turning Off Start Before Logon 5-15
Permission to Launch an Application Before Log On 5-15
Disconnecting When Logging Off of a Windows NT Platform 5-16
Managing Auto-Initiation 5-16
Viewing and Managing the VPN Client Event Log 5-17
Starting the Log Viewer 5-18
Displaying the Version of the Software 5-19
Collecting Events 5-19
Filtering Events 5-20
Searc
65. ation. (Automatic VPN Initiation dialog: an Enable checkbox and Retry Interval of 2 (1-10) minutes. Note: Enabling of Automatic VPN Initiation will not take effect until the VPN dialer has been closed.)

Step 3: Click to remove the check mark from Enable, and click OK. The log displays the message "Auto-initiation has been disabled", and auto-initiation terminates. When you click the dialer icon in the system tray, VPN Dialer is the only option displayed.

Note: Unchecking Enable does not remove the Automatic VPN Initiation option from the Options menu. This option always shows up in the menu as long as the feature has been configured by your network administrator.

Disabling While Suspended

Alternatively, when auto-initiation is suspended and you want to disable it, follow these steps:

Step 1: Right-click on the icon in the system tray.

Step 2: Select Disable Auto-initiation. The VPN Dialer displays a warning message (Figure 4-30, Disabling an Auto-Initiated Connection: "Are you sure you want to disable automatic VPN initiation? This setting will remain in effect until it is changed via the options menu.").

Step 3: To completely disable auto-initiation and eliminate further automatic retries, click Yes. Or, to cancel the action and keep auto
66. ck OK.

Turning Off Application Launcher

To disable Application Launcher, follow these steps:

Step 1: Open the Options pull-down menu and choose Application Launcher.

Step 2: When the Application Launcher dialog box displays, clear the Enable checkbox.

Managing Windows NT Logon Properties

This section describes special logon features for the Windows NT platform, which includes Windows NT 4.0, Windows 2000, and Windows XP. These features include:
- Ability to start a connection before logging on to a Windows NT system
- Permission to launch a third-party application before logging on to a Windows NT system
- Control over auto-disconnect when logging off of a Windows NT system

To access the Windows logon properties, open the VPN Client Options pull-down menu (shown in Figure 5-3) and choose Windows Logon Properties. The VPN Client displays a dialog box containing three parameters (Figure 5-18, Windows Logon Properties: "Use these options to resolve Windows logon issues regarding NT domains and roaming profiles. Press F1 for more information." The checkboxes include "Enable start before logon" and "Disconnect VPN connection when logging off".)

Note: The VPN Client displays Windows Logon Properties only on Windows NT, Windows 2000, and Windows XP.
67. connection will be auto-initiated every 2 minutes. Do you wish to temporarily suspend the auto-initiation functionality?" To suspend auto-initiation, click Yes. To continue retrying, click No. When you click No, the VPN Dialer keeps trying to connect until the connection goes through or you either disable auto-initiation or log out.

Summary of Auto-Initiation States

This section shows each stage of auto-initiation as indicated through the changes in the appearance of the lock icon in the system tray:
- Closed lock: Connected. A secure connection is in effect. Note that the closed yellow lock always indicates a secure connection, whether or not you are using auto-initiation.
- Open yellow lock: Not connected. Auto-initiation is suspended and waiting for a user action (resuming or disabling).
- Open green lock: VPN Dialer is auto-initiating a connection. The VPN Dialer is attempting to auto-initiate from the Dial Status dialog.
- Closed yellow lock with a red X over it: Connection terminating. You have chosen to disconnect. The VPN Dialer asks if you want to suspend (see Figure 4-28). Note that this icon is not specific to auto-initiation but occurs any time you choose to disconnect.
- Open blue lock: Auto-initiation continues to be suspended, with the VPN Dialer's main dialog box displaying. When y
68. connection entry, click No. The VPN Client returns to its main dialog box.

Renaming a Connection Entry

You can rename a connection entry and retain all its properties. Each connection entry name must be unique. Since these names are not case sensitive, be sure the new name differs in content, not just case.

Step 1: On the VPN Client's main dialog box, click the Connection Entry drop-down menu and choose the entry you want to rename.

Step 2: On the VPN Client Options menu, choose Rename Entry (see Figure 5-3). The Rename Connection Entry dialog box appears (Figure 5-6, Entering a New Name for a Connection Entry: shows the current connection entry name, Engineering, and a field "Enter a new name for this connection entry").

Step 3: Enter a new name for this connection entry in the field and click OK. The dialog box closes. The new name appears in the Connection Entry list in the VPN Client main dialog box.

Importing a VPN Client Configuration File

You can automatically configure your VPN Client with new settings by importing a new configuration file (a file with a .pcf extension, called a profile) that your system administrator supplies. To automatically configure a VPN Client, perform the following steps:

Step 1: Obt
69. d never reset.
- Time: The Time field shows the time of the event (hour:minutes:seconds). The hour is based on a 24-hour clock. For example, 15:25:09 identifies an event that occurred at 3:25:09 PM.
- Date: The Date field shows the date of the event (MM/DD/YYYY). For example, 2/03/2001 identifies an event that occurred on February 3, 2001.
- Severity type/level: This field reports the severity type and level of the event, for example "Sev=Info/4", which identifies an informational event of severity level 4. Table 5-2 identifies event types and severity levels.
- Event Class/Message ID: This field shows the module or source of the event and the message identifier associated with the module, for example IPSEC/0x63700012.
- Message Text: A brief message describing the event. Usually this message is no more than 80 characters, for example "Delete all keys associated with peer 10.10.99.40". In a message containing arrows, the arrows indicate the direction of the transmission: ">>>" for sending and "<<<" for receiving.

Table 5-2: Event Types and Severity Levels

Type | Level | Meaning
Fault | 1 | A system failure or nonrecoverable error.
Warning | 2-3 | Imminent system failure or a serious problem that may require user intervention.
Informational | 4-6 | Level 4 provides the most general (high-level) information. Levels 5 and 6 provide more detailed information about the connection.

Filtering Events

To
70. d a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:
- Streamline business processes and improve productivity
- Resolve technical issues with online support
- Download and test software packages
- Order Cisco learning materials and merchandise
- Register for online skill assessment, training, and certification programs

If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL: http://www.cisco.com

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site and the Cisco TAC Escalation Center. Cisco TAC inquiries are categorized according to the urgency of the issue:
- Priority level 4 (P4): You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
- Priority level 3 (P3): Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
- Priority level 2 (P2): Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
- Priority level 1 (P1): Your production network is down, and a critical impact to business operations wil
71. d to connections through a firewall.
- IKE: Internet Key Exchange (IKE) module, which manages secure associations.
- IPSEC: IPSec module, which obtains network traffic and applies IPSec rules to it.
- PPP: Point-to-Point Protocol.
- XAUTH: Extended authorization application, which validates a remote user's credentials.

Searching the Log File

To locate specific events or event types in the window, choose Search from the main menu. Alternatively, you can click on the Search icon. The Log Viewer displays the Find message (see Figure 5-24). Enter a string to find and click Find Next. You can match on whole words and on case.

Figure 5-24, Searching the Log Display, shows the Cisco Systems IPSec Log Viewer (menus: File, Options, Search, Help) with the Find dialog open ("Find what", "Match whole word only", "Match case", Find Next, Cancel) over log entries such as:
4 15:09:29.949 05/03/00 Sev=Info/4 IKE/0x63000012 SENDING >>> ISAKMP OAK INFO (HASH, NOTIFY:KEEP_ALIVE) to 10.10.32.32
5 15:10:30.036 05/03/00 Sev=Info/4 IKE/0x63000012 SENDING >>> ISAKMP OAK INFO (HASH, NOTIFY:KEEP_ALIVE) to 10.10.32.32
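The event layout described under the Log Viewer field list (event number, 24-hour time, date, Sev=Type/Level, Class/Message ID, message text with ">>>" and "<<<" direction arrows, and the Table 5-2 severity types) and the Find dialog's whole-word and match-case options above, worked as one added example. This is illustration code, not Cisco's Log Viewer. SAMPLE_LOG is a constructed log in that layout: apart from the two message IDs the guide quotes (0x63000012 and 0x63700012) and the class names it lists, the IDs and message texts are invented for the example.

```python
"""Parser and filters for VPN Client Log Viewer entries in the layout the guide
describes: event number, time (HH:MM:SS.mmm, 24-hour), date, "Sev=Type/Level",
"Class/MessageID", then a message whose ">>>" or "<<<" arrows give the direction
of transmission. Severity levels follow Table 5-2.

Added illustration, not Cisco code. SAMPLE_LOG is constructed; apart from the
message IDs 0x63000012 and 0x63700012 quoted in the guide, its IDs and texts
are invented for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Table 5-2: severity level -> type
SEVERITY_TYPE: Dict[int, str] = {1: "Fault", 2: "Warning", 3: "Warning",
                                 4: "Informational", 5: "Informational", 6: "Informational"}

SAMPLE_LOG = """\
1      15:06:29.660  05/03/00  Sev=Info/4\tIKE/0x63000012
SENDING >>> ISAKMP OAK INFO (HASH, NOTIFY:KEEP_ALIVE) to 10.10.32.32
2      15:06:30.012  05/03/00  Sev=Info/4\tIKE/0x63000013
RECEIVING <<< ISAKMP OAK INFO (HASH, NOTIFY:KEEP_ALIVE) from 10.10.32.32
3      15:07:02.441  05/03/00  Sev=Warning/2\tIKE/0x63000021
Unable to reach peer 10.10.32.32, retrying
4      15:07:12.441  05/03/00  Sev=Info/4\tIPSEC/0x63700012
Delete all keys associated with peer 10.10.32.32
5      15:07:12.450  05/03/00  Sev=Fault/1\tXAUTH/0x64000002
Authentication session aborted
"""

HEADER_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{1,2}/\d{2}/\d{2,4})"
    r"\s+Sev=(?P<sev>[A-Za-z]+)/(?P<level>\d)\s+(?P<cls>[A-Z]+)/(?P<msgid>0x[0-9A-Fa-f]{8})"
    r"\s*(?P<rest>.*)$")


@dataclass
class Event:
    number: int
    time: str
    date: str
    sev: str           # severity type as printed, e.g. "Info"
    level: int
    cls: str           # event class / source module, e.g. "IKE"
    msgid: str
    message: str = ""

    @property
    def severity_type(self) -> str:
        """Type from Table 5-2 for this level; 'Unknown' outside 1..6."""
        return SEVERITY_TYPE.get(self.level, "Unknown")

    @property
    def direction(self) -> Optional[str]:
        if ">>>" in self.message:
            return "send"
        if "<<<" in self.message:
            return "receive"
        return None


def parse_log(text: str) -> List[Event]:
    """Each header line starts an event; following non-header lines are its message."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            events.append(Event(int(m["num"]), m["time"], m["date"], m["sev"],
                                int(m["level"]), m["cls"], m["msgid"], m["rest"].strip()))
        elif events:
            ev = events[-1]
            ev.message = (ev.message + " " + line).strip()
    return events


def filter_events(events: List[Event], max_level: Optional[int] = None,
                  classes: Optional[Set[str]] = None) -> List[Event]:
    """Keep events at or above a severity (lower level = more severe) and/or from given classes."""
    return [e for e in events
            if (max_level is None or e.level <= max_level)
            and (classes is None or e.cls in classes)]


def search(events: List[Event], needle: str, whole_word: bool = False,
           match_case: bool = False) -> List[int]:
    """Event numbers whose message matches, honouring the Find dialog's two options."""
    pattern = re.escape(needle)
    if whole_word:
        pattern = r"\b" + pattern + r"\b"
    flags = 0 if match_case else re.IGNORECASE
    return [e.number for e in events if re.search(pattern, e.message, flags)]
```

Filtering on level 3 or below pulls out exactly the Fault and Warning rows of Table 5-2, which is the view worth keeping when you are triaging a failed connection rather than reading keepalive chatter; the whole-word option treats the underscore in KEEP_ALIVE as part of the word, so a search for "ALIVE" with that option set finds nothing.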
72. Configuring the VPN Client

This chapter explains how to configure the VPN Client. To configure the VPN Client, you enter values for a set of parameters known as a connection entry. The VPN Client uses a connection entry to identify and connect securely to a specific private network. Parameters include a name and description for the connection, the name or address of the VPN device (remote server), and information that identifies you to the VPN device.

Note: If your system administrator has completely configured your connection entry for you, you can skip this chapter and go directly to Connecting to a Private Network.

This chapter explains the following configuration tasks:
- How to Get Help
- What Is a Connection Entry
- How To Create a New Connection Entry
- Setting or Changing Connection Entry Properties
- Changing the VPN Device Address for a Connection Entry

How to Get Help

The VPN Client comes with a complete, context-sensitive, browser-based help system. You can display help in the following ways:
- On the Program Menu, choose Start > Programs > Cisco Systems VPN Client > Help (see Figure 3-1). This method displays the entire help file, beginning with a list of topics.
73. depending on your setup. Wait until you see the VPN Dialer start. The VPN Dialer starts and displays the connection dialog box over the system logon dialog box. You establish your connection to the private network of the VPN device. You log on to your system.

Note: You can use certificates for authentication with start before logon when your personal certificate, along with the CA or intermediary certificate(s), are in your Cisco certificate store and the Microsoft local machine store, but not your personal Microsoft store (CAPI certificates). However, to use a CAPI certificate, you can log on using cached credentials, make a VPN connection using your CAPI certificate, and disable the "Disconnect VPN connection when logging off" parameter (see Disconnecting When Logging Off of a Windows NT Platform, following). This action keeps your connection open. Now you can log back on to the system. For information on enrolling certificates and importing certificates into your Cisco store, see Enrolling and Managing Certificates. For information about using start before logon with the Entrust SignOn feature, see Connecting with an Entrust Certificate.

Turning Off Start Before Logon

To turn this feature off, open the Options pull-down menu on the VPN Dialer connection dialog box and uncheck Enable start before logon. The next time you log on to your system, the VPN Dialer connection dialog box does not automatically display on yo
Contents
  Installing the VPN Client Through InstallShield 2-3
  Installing the VPN Client Through Microsoft Windows Installer 2-5
  What Next 2-9
Chapter 3 Configuring the VPN Client 3-1
  How to Get Help 3-1
  Determining the VPN Client Version 3-3
  What Is a Connection Entry 3-5
  How To Create a New Connection Entry 3-5
    Choosing an Authentication Method 3-7
      Group Authentication 3-7
      Certificate Authentication 3-8
        Sending a Certificate Authority Certificate Chain 3-9
        Validating a Certificate 3-10
        Configuring an Entrust Certificate for Authentication 3-10
        Configuring a Connection Entry for a Smart Card 3-11
        Smart Cards Supported 3-12
    Completing the Connection Wizard 3-13
    What Next 3-13
  Setting or Changing Connection Entry Properties 3-14
    Changing General Settings 3-17
      Changing Connection Entry Description 3-17
      Enabling Transparent Tunneling 3-17
      Allowing Local LAN Access 3-18
      Adjusting the Peer Response Timeout Value 3-19
      Logging on to Microsoft Network (Windows 95, Windows 98, and Windows ME) 3-20
    Changing Authentication Settings 3-20
      Changing Group Name or Group Password 3-21
      Choosing a Different Certificate 3-22
    Changing Connection Settings 3-23
      Enabling and Adding Backup Servers 3-23
      Removing Backup Servers 3-24
      Changing the Order of the Servers 3-24
      Disabling Backup Servers 3-24
      Configuring a Connection to the Internet Through Dial-up Networking 3-24
        Microsoft Dial-up Networking 3-25
        Third Party Dial-up Program
- Company: The name of the company or organization (O) to which you belong; for example, University.
- State: The name of your state (ST); for example, Massachusetts.
- Country: The 2-letter country code for your country (C); for example, US. This two-letter country code must conform to ISO 3166 country abbreviations.
- Email: Your email address (E); for example, alicew@university.edu.
- IP Address: The IP address of your system; for example, 10.10.10.1.
- Domain: The Fully Qualified Domain Name of the host for your system; for example, Dialin_Server.

Together, all these fields except IP Address and Domain comprise your distinguished name (DN).

When you enroll a personal certificate, either you go through a CA from which your system already has a root certificate, or you obtain a root certificate from the CA as part of the enrollment process. The CA Certificates tab displays the current list of CA certificates (see Figure 6-2).

Starting Enrollment

To begin, click New on the Certificate Manager's main screen under the Personal Certificates tab (see Figure 6-2). The Certificate Manager prompts you to enter a password for the certificate you are enrolling (see Figure 6-4). The password is optional, but we recommend that you use one to protect your private key more effectively. The p
In the Password field, enter or edit the group password. This entry is case-sensitive; the field displays only asterisks. Verify your password by entering it again in the Confirm Password field. If either field is empty when you leave this dialog box, the VPN Client reminds you to enter the missing group information (see Figure 3-20). To proceed, click Yes; to terminate, click No. If you click No, the message closes, which lets you enter the missing information.

Figure 3-20 Reminder Dialog Box (Cisco Systems VPN Client: "The Group field is empty. You will not be able to connect without this information. Proceed?" Yes / No)

When you are done with the Authentication tab, click OK or click another tab.

Choosing a Different Certificate

To choose a different certificate, check the Certificate radio button, then click the drop-down menu of certificates installed on your PC and choose one (see Figure 3-21).

Figure 3-21 Choosing a Certificate (Properties for Engineering dialog box, Authentication tab: "Your administrator may have provided you with group parameters or a digital certificate to authenticate your access to the remote server. If so, select the appropriate authentication method and complete your entries." Group Access Information: Name, Pass
Step 2 In the Password field, enter the password (which is also case-sensitive) for your IPSec group. The field displays only asterisks.
Step 3 Verify your password by entering it again in the Confirm Password field.
Step 4 To continue, click Next.

Certificate Authentication

For certificate authentication, perform the following procedure, which varies according to the type of certificate you are using.

Step 1 Click the Certificates radio button.
Step 2 Choose the name of the certificate you are using from the pull-down menu (see Figure 3-11). If the field says "No Certificates Installed" and is shaded, then you must first enroll for a certificate before you can use this feature. For information on enrolling for a certificate, see "Enrolling and Managing Certificates", or consult your network administrator.

Figure 3-11 Certificate Authentication (Properties for Engineering dialog box, Authentication tab: "Your administrator may have provided you with group parameters or a digital certificate to authenticate your access to the remote server. If so, select the appropriate authentication method and complete your entries." Group Access Information; certificate "Alice (Cisco)"; check boxes Send CA Certificate Chain and Validate Certificate; Cancel, Help)

Sending a Certificate Authority
in accordance with Section 4 hereof. You shall be responsible for providing all support to each such third party. For permitted transfers, you may not export the Software to any country for which the United States requires any export license or other governmental approval at the time of export without first obtaining the requisite license and/or approval. Furthermore, you may not export the Software in violation of any export control laws of the United States or any other country. For reference purposes only, see the Cisco Encryption Tool Quick Reference Guide, currently located at http://www.cisco.com/wwl/export/crypto/tool/stqrg.html.

6. You may not modify, translate, decompile, disassemble, use for any competitive analysis, reverse engineer, distribute, or create derivative works from the Software or any accompanying documentation, or any copy thereof, in whole or in part.

7. The subject license will terminate immediately if you do not comply with any and all of the terms and conditions set forth herein. Upon termination for any reason, you (the licensee) must immediately destroy the Software, any accompanying documentation, and all copies thereof in your possession. You must also use commercially reasonable efforts to notify the third parties to whom you have distributed the Software that their rights of access and use of the Software have also ceased. Cisco Systems is not liable to you for damages in any form solely by reason of termination of this
ent 4-32
common name, in certificate enrollment 6-4
company, in certificate enrollment 6-4
completing an enrollment request 6-29
compression algorithm, LZS compression 4-25
configuring connections automatically 5-5
connecting
  before logon 5-14
  to private network 4-2, 4-4
  to the Internet via Dial-Up Networking 3-24, 4-3
  with certificate 4-1
connection
  LAN 1-2
  network, direct 2-2
  properties, changing 3-23
  statistics
    bytes in 4-26
    bytes out 4-26
    packets bypassed 4-26
    packets decrypted 4-26
    packets discarded 4-26
    packets encrypted 4-26
    resetting 4-32
  status
    key icon 4-27
    local LAN routes list 4-27
    secure associations 4-27
    secured routes 4-27
    time connected 4-27
    transparent tunneling 4-25
    viewing 4-24
  technologies 1-2
connection entry
  changing remote server address 3-26
  changing description 3-17
  changing properties 3-14
  cloning 5-3
  creating 3-5
  creating shortcut 5-10
  definition 3-1
  deleting 5-4
  description 3-17
  managing 5-2
  optional parameters 3-14
  parameters 3-1
  preconfigured 3-1
  profile 3-5
  properties, changing 3-14
  renaming 5-5
copyrights and licenses A-1
country code, in certificate enrollment 6-5
CPP firewall policy 4-25, 4-29
creating
  connection entry 3-5
  shortcut for connection entry 5-10

D
data formats xii
Data Encryption Standard, see DES algorithm
Dead Peer Detection, see DPD
deleti
Step 3 Enter the full pathname for the file request. When you browse for an appropriate directory for placing the file request, the Certificate Manager shows only the files of the chosen file type (see Figure 6-13). You can save your file enrollment requests in the Certificates directory, which is a subdirectory of the directory where the VPN Client is installed.

Figure 6-13 Specifying a Filename (Save As dialog box: Save in: Certificates; File name: p10req3.p10; Save as type: PKCS10 Encoded Request File (*.p10); Cancel)

In this example, the complete pathname is C:\Program Files\Cisco Systems\VPN Client\Certificates\p10req3.p10.

Step 4 Complete the form (see the "Enrollment Form" section) and click Next. The Certificate Manager displays the summary screen and a message to let you know that your request succeeded (see Figure 6-14).

Figure 6-14 Enroll File Success Message (Cisco Systems: Enrollment File certreq.req; Certificate Store: Cisco; "Enroll File Success")

Step 5 Click OK on the message screen, then click Finish on the summary screen. You can view the file request under the Enrollment Requests tab (see Figure 6-15).
Resetting Statistics

To reset all connection statistics to zero, click Reset. There is no undo. Reset affects only the connection statistics, not the other sections of this dialog box.

Closing the VPN Client

You may want to close the VPN Client when it is running on your PC but not connected to a remote network. To close the VPN Client when it is not connected to a remote network, do one of the following:
- Click Close on the VPN Dialer's main dialog box (see Figure 4-1).
- Press Esc on your keyboard.
- Press Alt+F4 on your keyboard.

Disconnecting Your VPN Client Connection

To disconnect your PC from the private network, do one of the following:
- Double-click the VPN Client icon on the Windows task bar.
- Click Disconnect on the Connection Status dialog box (see Figure 4-33).
- Click the VPN Client icon with the secondary mouse button and choose Disconnect from the pop-up menu.

Your IPSec session ends and the VPN Client closes. You must manually disconnect your dial-up networking (DUN) connection.

Managing the VPN Client

This chapter explains the tasks you can perform to manage connection entries, view and manage event reporting, and upgrade or uninstall the VPN Client software. The management features are available from the Cisco Systems VPN Client applicatio
personal certificate, use this procedure:

Step 1 Display the Options pull-down menu and choose Password. The Certificate Manager displays the Change Certificate Password dialog box (see Figure 6-23).

Figure 6-23 Changing a Certificate Password (Change Certificate Password dialog box: "To modify or add a password associated with the specified certificate, enter the information below." Fields: Current, New, Confirm; OK, Cancel)

Step 2 In the Current field, type the password you are currently using to protect your private key.
Step 3 In the New field, type the new password.
Step 4 In the Confirm field, type the same password again.
Step 5 Click OK.

Exporting a Certificate

You may want to export a certificate, primarily for backing up your certificate and private key or moving them to another system. When you export a certificate, you are making a copy of it. Because that copy contains your private key, protect the exported file with a password and handle it as carefully as the key itself. To export a certificate, follow these steps:

Step 1 Display the Options pull-down menu and choose Export. The Certificate Manager displays the Export Certificate dialog box (see Figure 6-24).
erver will be down for routine maintenance on Sunday." (banner text shown in the figure)

After you complete your connection, the VPN Client minimizes to an icon in the system tray on the Windows task bar. You are now connected securely to the private network via a tunnel through the Internet, and you can access the private network as if you were an onsite user.

Using Automatic VPN Initiation

Your VPN Client can automatically initiate a VPN connection based on the network to which your machine is connected. This feature is called auto-initiation for on-site wireless LANs (WLANs). Auto-initiation makes the user experience resemble a traditional wired network in environments where VPNs secure the WLAN. On-site WLAN VPNs are similar to remote access VPNs, with an important distinction: in an on-site wireless VPN environment, enterprise administrators have deployed wireless 802.11x networks in corporate facilities, and these networks use VPNs to secure the wireless part of the network link. In this case, if your PC is on a WLAN without a VPN, you cannot access network resources; if a VPN exists, your access is similar to what it is with wired Ethernet connections. Figure 4-21 shows the two different types of VPN access.

Figure 4-21 Remote Access VPN Versus On-Site Wireless Access VPN (Traditio
(Entrust Login dialog box: Profile name: wbrownS, Browse; Work offline; OK, Cancel, Help)

Step 1 Choose a profile name from the pull-down menu. Your network administrator has previously configured one or more profiles for you through Entrust Entelligence. If the software is installed on your system but there are no profiles available, then you need to get a profile from your network administrator or directly through Entrust. Refer to the Entrust Entelligence Quick Start Guide for instructions on obtaining a profile. The VPN Client Administrator Guide contains supplementary configuration information.
Step 2 After choosing a profile, enter your Entrust password.
Step 3 Check the Work offline field to use Entrust Entelligence without connecting to the Entrust PKI. If Work offline is checked and you press OK, the Entrust wizard displays the message shown in Figure 4-16.

Figure 4-16 Entrust Login Message ("You are working offline because the Entrust Directory was unavailable. Working offline allows you to encrypt files for yourself and others using cached certificates; however, some of these certificates may be revoked.")

You can ignore this message. Since you are connecting to your organization's private network using an
ewall policy on a VPN 3000 Concentrator
- Notify remote users of a client update
- Set up Local LAN Access for the VPN Client
- Configure the VPN Concentrator to update VPN Client backup servers
- Set up the VPN Concentrator and the VPN Client for NAT Transparency
- Configure Entrust Entelligence for the VPN Client
- Set up authentication using Smart Cards
- Automate remote user profiles
- Configure auto-initiation
- Use the VPN Client command-line interface
- Customize the VPN Client software: text, icons, and installation
- Use the SetMTU application
- Obtain troubleshooting information
- Work with Microsoft Windows Installer

The VPN Client guides are provided on the Cisco VPN 3000 Concentrator's software distribution CD-ROM in PDF format. To view the latest version on the Cisco Web site, go to the following site and click VPN Client: http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

VPN 3000 Series Concentrator Documentation

The VPN 3000 Concentrator Series Getting Started guide explains how to unpack and install the VPN Concentrator and how to configure the minimal parameters. This is known as Quick Config.

The VPN 3000 Series Concentrator Reference Volume I: Configuration explains how to start and use the VPN Concentrator Manager. It details the Configuration screens and explains how to configure your device beyond the minimal para
ewer and you have clicked Yes to remove your certificate and profile directories, the vpnclient.ini and ipseclog.txt files remain on your system. Since these files were generated after you installed the software, they are not removed when you uninstall the software. You have to remove them manually.

Removing the VPN Client Software (MSI Installation)

To remove the VPN Client when it has been installed via MSI, use the Add/Remove utility available from the Control Panel. You must remove any version of the Cisco VPN Client, or any other VPN client, before upgrading the Cisco VPN Client with MSI.

Chapter 6 Enrolling and Managing Certificates

This chapter explains how to enroll and manage personal certificates using the Certificate Manager application. Specifically, it describes how to perform the following tasks:
- Obtain personal certificates through enrollment with a Certificate Authority (CA), which is an organization that issues digital certificates that verify that you are who you say you are. You can enroll for a certificate in two ways: through the network (online enrollment) or through a file.
- Import certificates
- Manage certificates: viewing, verifying, deleting, exporting
- Manage enrollment requests

This chapter covers the following topics:
- Starting Certificate Manager
- What Are Certificate Stores
- Enrolling for a Certificate
- Managing Personal and CA/RA Certifica
ficate, type the password into the Import Password field. This is the password assigned to protect the certificate's private key. If you are importing from the Microsoft store, this password is the one you or the network administrator entered during enrollment. If you are importing a certificate from a file, this is the password specified when the certificate was exported.
Step 4 Click Next. The Certificate Manager prompts for a password to be stored with the certificate (see Figure 6-17).

Figure 6-17 Destination Password for Importing Certificate (Certificate Password Protection dialog box: "Password-protecting your certificate provides an additional level of security. This password is optional. By choosing to protect your certificate with a password, any operation that requires access to the certificate's private key will require the specified password to continue. Note: File-based enrollments require the password used here to be re-entered when the approved certificate is imported." Fields: Password, Confirmation Password)

Step 5 Type a password into the Password field and click Finish. This password must exactly match the password given during enrollment (online) or given when exported (if a file), including upper
Figure 6-15 File Enrollment Requests (Enrollment Requests tab listing "Patrick Clarkson", Request)

Importing a Certificate File

You can import a certificate into the Cisco store from the Microsoft store or from a file. To import a certificate, use the following procedure:

Step 1 On the Certificate Manager main window, under the Personal Certificates tab, click Import. The Certificate Manager displays the Import Certificate Source dialog box (see Figure 6-16).

Figure 6-16 Importing a Certificate (Import Certificate Source dialog box: "The certificate source identifies where the certificate is imported from. Additionally, if the certificate you are importing is protected by a password, please enter it below." Certificate source: Microsoft certificate "Patrick Clarkson" or File, Browse; Import password; Cancel, Help)

Step 2 To import a certificate, do one of the following, depending on where your certificate resides:
- Importing from the Microsoft store: Click Microsoft certificate and choose the certificate from the drop-down menu. The certificate must already be in your Microsoft store.
- Importing from a file: Click File and enter the pathname of the file into the field.
Step 3 If a password is used to protect this certi
for firewall policies pushed to the VPN Client from a VPN Concentrator.

VPN Client IPSec Attributes

The VPN Client supports these IPSec attributes:
- Main mode for negotiating phase one of establishing ISAKMP Security Associations (SAs)
- Aggressive mode for negotiating phase one of establishing ISAKMP SAs
- Authentication algorithms: HMAC (Hashed Message Authentication Coding) with the MD5 (Message Digest 5) hash function; HMAC with the SHA-1 (Secure Hash Algorithm) hash function
- Authentication modes: preshared keys; X.509 digital certificates
- Diffie-Hellman groups: 2 and 5 (for digital certificates)
- Encryption algorithms: 56-bit DES (Data Encryption Standard); 168-bit Triple DES; AES, 128-bit and 256-bit
  Note: You must be running Release 3.6 of the VPN Client to use the AES encryption algorithm.
- Extended Authentication (XAUTH)
- Mode Configuration (also known as ISAKMP Configuration Method)
- Tunnel encapsulation mode
- IP compression (IPCOMP) using LZS

Chapter 2 Installing the VPN Client

This chapter explains how to install the VPN Client on your PC and includes the following sections:
- Verifying System Requirements
- Gathering Information You Need
- Installing the VPN Client Through InstallShield
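As an added example (not code from the Cisco guide or the VPN Client), the block below shows what the two authentication algorithms in the list above actually do on an IPSec packet: the full HMAC-MD5 or HMAC-SHA-1 output is computed over the authenticated bytes and only its leading 96 bits are sent as the integrity check value (HMAC-MD5-96 per RFC 2403, HMAC-SHA-1-96 per RFC 2404), and the receiver recomputes and compares it in constant time. The packet bytes and session key in `demo()` are constructed for the example; the key and data in the `__main__` section are the RFC 2202 HMAC test vectors. A caveat worth reading next to that attribute list: 56-bit DES is brute-forceable with modest hardware and MD5 is long deprecated, so where the peer allows it prefer AES with HMAC-SHA-1 and do not accept DES at all.

```python
import hashlib
import hmac

# IPsec ESP/AH transmit only the leading 96 bits (12 bytes) of the HMAC output
# (HMAC-MD5-96, RFC 2403; HMAC-SHA-1-96, RFC 2404).
ICV_LEN = 12


def hmac_md5_96(key: bytes, data: bytes) -> bytes:
    """Integrity check value for the HMAC-MD5 IPSec attribute."""
    return hmac.new(key, data, hashlib.md5).digest()[:ICV_LEN]


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """Integrity check value for the HMAC-SHA-1 IPSec attribute."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


ALGORITHMS = {"HMAC-MD5-96": hmac_md5_96, "HMAC-SHA-1-96": hmac_sha1_96}


def protect(alg_name: str, key: bytes, payload: bytes) -> bytes:
    """Sender side: append the truncated ICV to the authenticated bytes."""
    return payload + ALGORITHMS[alg_name](key, payload)


def verify(alg_name: str, key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV over everything before the trailer and
    compare in constant time, so timing does not leak how many bytes matched."""
    if len(packet) <= ICV_LEN:
        return False
    payload, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, ALGORITHMS[alg_name](key, payload))


def demo() -> dict:
    """Protect a constructed payload with each algorithm, then show that the
    intact packet verifies and a packet with one flipped payload bit does not.
    Returns {algorithm: (intact_ok, tampered_ok)}."""
    key = bytes(range(20))                      # constructed 160-bit session key
    payload = b"\x45\x00\x00\x3c" + b"constructed ESP payload, not a real capture"
    results = {}
    for name in ALGORITHMS:
        packet = protect(name, key, payload)
        tampered = bytearray(packet)
        tampered[10] ^= 0x01                    # flip one bit inside the payload
        results[name] = (verify(name, key, packet), verify(name, key, bytes(tampered)))
    return results


if __name__ == "__main__":
    # RFC 2202 test case 2 (key "Jefe"), truncated as IPsec would send it.
    print(hmac_md5_96(b"Jefe", b"what do ya want for nothing?").hex())
    print(hmac_sha1_96(b"Jefe", b"what do ya want for nothing?").hex())
    print(demo())
```

The truncation is deliberate in the protocol: it saves 4 or 8 bytes per packet while keeping a 96-bit forgery margin, and it is the reason a raw `hmac.digest()` comparison against a captured IPsec trailer will never match unless you cut it to `ICV_LEN` first.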
Figure 5-29 Uninstalling an Existing Version (Question dialog box: "Setup has detected an existing version of the Cisco Systems, Inc. VPN Client. Before installing a new version, setup must uninstall the existing version. If you choose to continue, setup will uninstall the existing version of the Cisco Systems, Inc. VPN Client and then reboot your PC. After your PC reboots, the Cisco Systems, Inc. VPN Client installation will continue. Do you wish to continue?")

Step 2 To continue, click Yes. The installation program removes the old version and asks you to confirm the system restart (see Figure 5-30).

Figure 5-30 Confirming the System Restart (InstallShield Wizard, Cisco Systems VPN Client Installer: "Setup has finished removing the existing version of the Cisco Systems VPN Client. To continue with the Cisco Systems VPN Client installation, you MUST reboot your computer now." Options: restart now, or "No, I will restart my computer later"; "Setup will continue after your computer reboots."; Cancel)

Step 3 Be sure to remove any diskette from its drive before you restart your system. If you are installing from diskettes, reinsert the diskette after your system restarts and displays the Windows logo screen, but before the desktop appears.
Step 4 To restart your system, click Yes (the default) and click Finish. The installation wizard restarts your system. Once your system has restarted, installation continues automa
gure 3-15).

Figure 3-15 VPN Client Options Menu (Cisco Systems VPN Client dialog box; Connection Entry: Engineering; Host name or IP address of remote server: 10.10.32.32; Options menu items: Delete, Rename Entry, Import Entry, Erase User Password, Create Shortcut, Properties, Stateful Firewall (Always On), Application Launcher, Windows Logon Properties; Connect)

The Properties dialog box appears. The fields in this dialog box differ according to the operating system you are using. If you are using Microsoft Windows 95, Windows 98, or Windows ME, you see a dialog box that resembles the one in Figure 3-16. If you are using Microsoft Windows NT, Windows 2000, or Windows XP, you see the dialog box in Figure 3-17.

Figure 3-16 Connection Entry Properties Dialog Box, Windows 95, Windows 98, and Windows ME (Properties for "To 3.0 VPN", General tab: "Enter a description of this connection entry (optional)"; Enable Transparent Tunneling: Allow IPSec over UDP (NAT/PAT) or Use IPSec over TCP (NAT/PAT), TCP port 10000; Allow local LAN access; Peer response timeout: 30 (30 to 480 seconds); Logon to Microsoft Network: Use default system logon credentials / Prompt for network logon credentials)
length of text strings is 48 characters.

Port Numbers: Port numbers use decimal numbers from 0 to 65535. No commas or spaces are permitted in a number.

Obtaining Documentation

These sections explain how to obtain documentation from Cisco Systems.

World Wide Web: You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com. Translated documentation is available at this URL: http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM: Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation: You can order Cisco documentation in these ways:
- Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace: http://www.cisco.com/cgi-bin/order/order_root.pl
- Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store: http://www.cisco.com/go/subscription
- Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corpor
he network address information, click Next. The Certificate Manager displays the enrollment form for you to complete (see Figure 6-3).
Step 4 Enter the information you collected before you started the enrollment process. The only field that the Certificate Manager requires is Common Name; however, the CA may require some or all of the other fields. Then click Next. After you enter the form, the Certificate Manager displays a summary that looks something like the one in Figure 6-7.

Figure 6-7 Enrollment Summary ("This is a summary of the information you have provided for this certificate enrollment request. Select Finish to proceed with the enrollment or Back to make modifications." CA Domain: G42000.com; Certificate Store: Cisco; Common Name: Alice Wonderland; Department: International Studies; Company: University; State: Massachusetts; Country: US; Email: alicew@university.edu; IP Address: 10.10.10.1; Domain: Dialin_Server; Finish, Cancel, Help)

Step 5 To complete the enrollment, click Finish. The Certificate Manager displays a status window, shown in Figure 6-8, that lets you monitor the progress of the certificate retrieval. If the enrollment failed, the status window indicates the cause so you can fix the problem and try again.
he purpose of installing the Software on that computer. The Software is licensed for use only with Cisco Systems products and for no other use.

Restrictions on Use and Transfer

3. You may also make one copy of the Software solely for backup or archival purposes. To this end, you may transfer the Software to a single set of disks, provided you keep the disks solely for backup or archival purposes. You may not use the backup or archival copy of the Software except in conjunction with Cisco Systems products.

4. You may copy and distribute the Software to your third-party business partners and customers solely and exclusively for the purposes of accessing your Cisco VPN concentrators and thereby gaining remote access to your secure network. Each such distribution of the Software to a third party must be accompanied by a copy of this Client Software License Agreement. You may not copy or transfer the Software for any purpose other than as specified in this Agreement without the express written consent of Cisco. Without intending to limit the foregoing, you shall not post or otherwise make publicly available the Software to any external web site, file server, or other location to which there is unrestricted access.

5. Cisco Systems will not provide end-user support, including Technical Assistance (TAC) support, to any third party that receives the Softwar
Searching the Log File 5-22
    Printing the Log File 5-23
    Saving the Log File 5-24
    Clearing the Events Display 5-24
  Receiving Notifications From a VPN Device 5-25
    Upgrade Notifications 5-25
    Firewall Notifications 5-26
  Upgrading the VPN Client Software (InstallShield) 5-27
  Upgrading the VPN Client Software (MSI) 5-29
  Uninstalling the VPN Client with the Uninstall Application 5-29
  Removing the VPN Client Software (MSI Installation) 5-32
Chapter 6 Enrolling and Managing Certificates 6-1
  Starting Certificate Manager 6-2
  What Are Certificate Stores 6-3
  Enrolling for a Certificate 6-4
    Enrollment Form 6-4
    Starting Enrollment 6-5
    Enrolling Through the Network 6-6
    Enrolling Through a File Request 6-11
    Importing a Certificate File 6-15
  Managing Personal and CA/RA Certificates 6-17
    Viewing a Certificate 6-18
    Verifying a Certificate 6-20
    Deleting a Certificate 6-21
    Changing the Password on a Personal Certificate 6-22
    Exporting a Certificate 6-23
  Managing Enrollment Requests 6-25
    Viewing the Enrollment Request 6-26
    Deleting an Enrollment Request 6-27
    Changing the Password on an Enrollment Request 6-28
    Completing an Enrollment Request 6-29
Appendix A Copyrights and Licenses A-1
  Client Software License Agreement of Cisco Systems A-1
  RSA software A-2
  Zone Labs A-3
Index
ication (Cisco Systems VPN Client dialog box: "You have canceled your VPN connection. You will not have access to your network resources. A VPN connection will be auto-initiated every 2 minutes. Do you wish to temporarily suspend the auto-initiation functionality?")

To cancel, click No. If you are using the Log Viewer application, in the event log you see the message "Connection canceled". To suspend, click Yes; in the event log you see the message "Auto initiation has been suspended". When suspended, you also see in the task bar that the yellow lock icon is now open.

Figure 4-26 Open Lock, Suspended Auto-Initiation

To resume auto-initiation after canceling, right-click the open yellow lock icon and select Resume Auto-initiation from the menu (see Figure 4-27).

Figure 4-27 Resuming Auto-Initiation (VPN Dialer pop-up menu: Resume Auto-initiation, Disable Auto-initiation, Stateful Firewall (Always On), About)

Auto-initiation resumes. This is the simplest scenario of what happens during auto-initiation. At various points, depending on the actions you take, you see messages, changes in the color of the icon in the system tray, and differences in the choices you can make. The rest of this section describes these various alternatives.

Disconnecting Your Session

To disconnect your session, either double-click the lock icon in the system tray and click the Disconnect button, or right-click the lock and select Disconnect fr
Preface

This VPN Client User Guide tells you how to install, use, and manage the Cisco VPN Client with Cisco Systems products.

Audience

This guide is for users of remote clients who want to set up virtual private network (VPN) connections to a central site. Network administrators can also use this guide for information about configuring and managing VPN connections for remote clients. We assume that you are familiar with the Windows platform and know how to use Windows applications. A network administrator should be familiar with Windows system configuration and management and know how to install, configure, and manage internetworking systems. For information specific to a network administrator, see the VPN Client Administrator Guide.

Organization

This guide is organized as follows:
- Chapter 1, Understanding the Cisco VPN Client: Explains briefly what the VPN Client is and how it works.
- Chapter 2, Installing the VPN Client: Tells you how to install the VPN Client.
- Chapter 3, Configuring the VPN Client: Tells you how to configure the VPN Client, including setting optional parameters.
- Chapter 4, Connecting to a Private Network: Tells you how to connect to a private network using the VPN Client and an Internet connection; shows how to get status information on your connection and how to use auto-initiation.
- Chapter 5, Managing the VPN Client: Tells you how to manage V
98. ile extension in the Browse dialog, the associated file type will be selected on this page.

Figure (Cisco Systems dialog): File name [Browse]; File type: Base-64 encoded (.req) / Binary encoded (.p10); Required Field.

Step 2 Click one of the following file types:

Binary encoded: A base-2 PKCS10 file (Public Key Cryptography Standard), for example an X.509 DER file. You cannot display a binary-encoded file.

Base-64 encoded: An ASCII-encoded PKCS10 file that you can display in text format, for example the request shown in Figure 6-12. Choose this type when you want to cut and paste the text into the CA website.

Figure 6-12 A PKCS10 Certificate Request (a .txt request file opened in Notepad; the Base-64 request body sits between the lines -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----)

St
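As an added example (not Cisco's code, and not part of the original guide), here is a Python helper that tells the two request file types apart and converts between them: it recognizes the Base-64 form by its BEGIN/END lines and the binary form by its outer DER SEQUENCE header, and checks that the declared DER length matches the bytes present. SAMPLE_DER is a constructed placeholder SEQUENCE, not a real certificate request.

```python
"""Classify and convert a PKCS#10 certificate request between the two file
types the Certificate Manager distinguishes: binary encoded (DER, .p10)
and Base-64 encoded (PEM text, .req).  Added example, not Cisco code.
SAMPLE_DER is a constructed placeholder, not a real request."""
import base64
import re

PEM_BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----"
PEM_END = "-----END NEW CERTIFICATE REQUEST-----"
PEM_BODY_RE = re.compile(re.escape(PEM_BEGIN) + r"(.*?)" + re.escape(PEM_END), re.S)

# Constructed placeholder: a DER SEQUENCE holding INTEGER 5 (not a real PKCS#10 body).
SAMPLE_DER = b"\x30\x03\x02\x01\x05"


def der_outer_header(der: bytes):
    """Parse the outer ASN.1 header of a DER blob.

    Returns (header_len, content_len), or None when the blob does not start
    with a SEQUENCE tag (0x30) or carries a malformed length field.  Both the
    short form (one length byte below 0x80) and the long form (0x80 | n
    followed by n length bytes) are handled."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:
        return 2, first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def der_request_is_complete(der: bytes) -> bool:
    """True when the declared SEQUENCE length covers exactly the bytes present,
    which catches a truncated file or a stray trailing byte."""
    header = der_outer_header(der)
    return header is not None and sum(header) == len(der)


def detect_request_format(data: bytes) -> str:
    """Return 'base64' for a PEM request, 'binary' for a well-formed DER
    request, or 'unknown'.  PEM is checked first because its text never
    starts with a 0x30 byte while arbitrary text might."""
    text = data.decode("ascii", errors="replace")
    if PEM_BEGIN in text and PEM_END in text:
        return "base64"
    if der_request_is_complete(data):
        return "binary"
    return "unknown"


def pem_to_der(text: str) -> bytes:
    """Strip the BEGIN/END lines and decode the Base-64 body; strict decoding
    rejects stray characters picked up when the text was pasted."""
    m = PEM_BODY_RE.search(text)
    if m is None:
        raise ValueError("not a Base-64 encoded certificate request")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in the text form that can be pasted into a CA web form,
    using the conventional 64-character PEM line width."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem)
    print(detect_request_format(SAMPLE_DER), detect_request_format(pem.encode()))
    print("round trip ok:", pem_to_der(pem) == SAMPLE_DER)
```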
99. in which the Integrity Server (IS) acts as the firewall server that pushes firewall policy to the Integrity Agent (IA) residing on the VPN Client PC. Zone Labs Integrity can also provide a centrally controlled, always-on personal firewall.

Figure 4-37 Client/Server Firewall Tab (Cisco Systems VPN Client Connection Status, Firewall tab: Firewall Policy: Client/Server; Product: ZoneLabs Integrity Agent; User ID: un 200.70.50.248 IntegrityGroup QADOMAIN barney rubble; Session ID: 1041; Servers: Address 100.50.0.10, Port 5000; Time connected: 00:03:44; Notifications, Disconnect)

Firewall Policy: This field shows that Client/Server is the supported policy.

Product: Lists the name of the Client/Server solution currently in use, such as Zone Labs Integrity Client.

User ID: In the format xx, IP address of the VPN Concentrator, group name, and user name, where xx can be un or dn:
- un: The gateway-based ID is based on the group and user name.
- dn: The gateway-based ID is based on the distinguished name, as is the case when using digital certificates.
The User ID is used to initialize the firewall client.

Session ID: The session ID of the connection between all of the entities. This is used to initialize the firewall client and is helpful for troubleshooting.

Servers: The IP address and port number of each firewall server. For Release 3.6, there is only one
100. index (S)
Save Password option 4-6, 5-7
saving a log file 5-24
SCEP, Cisco store 6-3
SDI, see RSA
Search icon in log viewer 5-22
searching log file 5-22
secure associations 4-27
secured routes: connection status 4-27; key icon 4-27
secure gateway: address 3-7; notifications to client 5-25
Secure Hash Algorithm, see SHA-1 algorithm
SecurID authentication 1-4, 4-8
Server IP address, connection status 4-24
setting or changing connection entry properties 3-14
Severity levels in events 5-21
SHA-1 algorithm 1-5
shortcut, creating for connection entry 5-10
Simple Certificate Enrollment Protocol, see SCEP
smart card: connecting with 4-14; connection entry, configuring 3-11; products supported 3-12
SoftID authentication 1-4, 4-8
software license agreement A-1
software token applications, launching from VPN Dialer 5-11
split DNS 1-4
split tunneling 1-4
start before logon: configuring 5-14; using with Entrust SignOn 4-14
starting the VPN Dialer: connecting to private network 3-5, 4-2; using a shortcut 5-10
stateful firewall (always on) 5-11: DHCP traffic 5-11; transparent tunneling 3-17
state in certificate enrollment 6-4
statistics: connection time 4-27; local LAN routes 4-27; packet 4-26; secured routes 4-27
status, firewall 4-27
stopping the VPN Dialer 4-32
stores, certificate 6-3
system requirements 2-1

T
TCP/IP requirement 2-2
TCP protocol: firewalls 4-30; transparent tunneling 3-17
third-party dial-up program 3-26
101. How to Get Help

Figure 3-1 Choosing Help from the Cisco Systems VPN Client Program Menu (Programs menu: Accessories, Startup, Command Prompt, Internet Explorer, Windows NT Explorer, Administrative Tools (Common), Cisco Systems VPN Client > Certificate Manager, Help, Log Viewer, Set MTU, Uninstall VPN Client, VPN Dialer; Network ICE, Paint Shop Pro 6, WinZip, Zone Labs)

Note: If you installed the VPN Client via the Microsoft Windows Installer, the Cisco Systems VPN Client menu does not include the Uninstall VPN Client option.

- Press F1 at any window while using the VPN Client, including the main window of each application (VPN Dialer, Log Viewer, and Certificate Manager). This method displays context-sensitive information.
- Click the Help button on windows that display it. See Figure 3-2. This method displays context-sensitive information.

Figure 3-2 Help Button (New Connection Entry Wizard, Help button)

- Choose Help from the menu that appears when you click the icon in the title bar. See Figure 3-3.

Figure 3-3 Menu Containing Help Option (Cisco Systems VPN Client: click here and select Help)

Determining the VPN Client Vers
102. initiation enabled, click No.

Restarting After Disabling Auto-Initiation

When you want to restart auto-initiation, follow these steps:

Step 1 Launch the VPN Dialer from the Start > Programs > Cisco Systems VPN Dialer menu.
Step 2 Click Options.
Step 3 Select Automatic VPN Initiation.
Step 4 Check Enable and click OK. The log shows that auto-initiation is now in effect. For an example, see Figure 4-31.

Figure 4-31 Auto-Initiation Log Messages
15727 14:22:45.721 04/22/02 Sev=Info/6 DIALER/0x63300009 Auto-initiation has been suspended
15728 16:24:25.578 04/22/02 Sev=Info/6 DIALER/0x63300009 Auto-initiation has been disabled
15729 16:36:09.671 04/22/02 Sev=Info/6 DIALER/0x63300009 Auto-initiation has been enabled
15730 16:36:09.671 04/22/02 Sev=Info/6 CM/0x63100036 Auto-initiation condition detected: Local IP 10.10.0.32, Network 10.10.32.32, Mask 0.0.0.0, Connection Entry Engineering

Step 5 Close the VPN Dialer dialog. The Authentication dialog box displays.

Connection Failures

If the auto-initiation attempt fails, the VPN Dialer notifies you with a dial status dialog and a warning message.

Figure 4-32 Auto-Initiation Failure Message (Cisco Systems VPN Client: "A VPN connection could not be established. You will not have access to your network resources. A VPN
103. ion

To enable backup servers from the VPN Client, perform the following steps:

Step 1 Check Enable backup server(s). This is not checked by default.
Step 2 Click Add to enter its address. The Backup Server Information dialog box appears. See Figure 3-23.

Figure 3-23 Entering Backup Server Information (Backup Server Information dialog: prompts for the host name or IP address of the backup server; OK, Cancel)

Step 3 Enter the hostname or IP address of the backup server. Use a maximum of 255 characters.
Step 4 Click OK. The hostname or IP address appears in the Enable backup server(s) list. See Figure 3-22.
Step 5 To add more backup devices, repeat Steps 2, 3, and 4.

Removing Backup Servers

To remove a server from the backup list, choose the server from the list and click Remove. There is no confirmation or undo. The server name no longer appears in the list.

Changing the Order of the Servers

To reorder the servers in the list, choose a server and click Move Up to increase the server's priority or Move Down to decrease the server's priority.

Disabling Backup Servers

You can disable using backup servers without removing backup servers from the list. To disable using backup servers, clear the Enable backup server(s) check

Configuring a Connection to the Internet Through Dia
104. ion

To display the version number of the software release you are currently using, follow these steps:

Step 1 Click the icon in the title bar. See Figure 3-3. The VPN Client displays a menu.
Step 2 Click About VPN Client on the menu displayed. The VPN Client displays the version you are currently using. See Figure 3-4.
Step 3 After viewing the version number, click OK.

Figure 3-4 Displaying the VPN Client Software Version (Cisco Systems VPN Client About dialog: Version 3.6 int_34 2; Client Type(s): Windows, WinNT; Copyright 1998-2002 Cisco Systems, Inc.; Contains firewall software licensed from Zone Labs, Inc.)

When you are connected, you can display the software version by clicking About on the menu you display by right-clicking the Dialer icon in the system tray.

Figure 3-5 Displaying Version from Menu Available from System Tray (menu: Status, Notifications, Disconnect, Stateful Firewall (Always On), About)

What Is a Connection Entry

To use the VPN Client, you must create at least one connection entry, which identifies the following information:
- The VPN device (the remote server) to access
- Preshared keys
105. ion Launcher Option (Cisco Systems VPN Client; Connection Entry: Engineering; Host name or IP address of remote server: 10.10.32.32; Options menu: Erase User Password, Stateful Firewall (Always On), Application Launcher, Windows Logon Properties)

Note: The VPN Client displays Windows Logon Properties only on Windows NT, Windows 2000, and Windows XP.

The VPN Dialer displays a dialog box prompting for the name of the application. See Figure 5-16.

Figure 5-16 Entering the Name of the Application (Application Launcher dialog: "To execute an application or command when establishing a connection, enter the fully qualified file name and optional command line parameters associated with the application." Application: [ ])

Step 2 Click Browse to locate and then choose the complete pathname to the application, as well as the name of the application. See Figure 5-17. The application name appears in the Application Launcher dialog box. In this example, the VPN Dialer is configured to launch the Log Viewer before a connection.

Figure 5-17 Choosing an Application (Application Launcher dialog: "To execute an application or command when establishing a connection, enter the fully qualified file name and optional command line parameters associated with the application." Application: [ ])

Step 3 Click Enable and then cli
106. ion establishment. This feature is configured on the VPN 3000 Concentrator and pushed to the VPN Client. The addresses show in the VPN Dialer application in the Enable Backup Servers box under Options > Properties > Connections.

- Support for Dynamic DNS (DDNS) hostname population. The VPN Client sends its hostname to the VPN Concentrator during connection establishment. The VPN Concentrator can send the hostname in a DHCP request, which can cause a DNS server to update its database to include the new hostname and Client address.

Windows NT, Windows 2000, and Windows XP Features

- Password expiration information when authenticating through a RADIUS server that references an NT user database. When you log in, the VPN Concentrator sends a message that your password has expired and asks you to enter a new one and then confirm it. On pre-Release 3.5 VPN Clients, the prompt asks you to supply a PIN and to verify it. On a 3.5 or above VPN Client, the prompt asks you to enter and verify a password.
- Start Before Logon: The ability to establish a VPN connection before logging on to a Windows NT platform, which includes Windows NT 4.0, Windows 2000, and Windows XP systems.
- Ability to disable automatic disconnect when logging off of a Windows NT platform. This allows for roaming profile synchronization.

IPSec Featu
107. k OK.

The next example shows how to log in to eToken from Aladdin. You select the token in the eToken Name column, type a password in the User Password field, and click OK.

Figure 4-19 eToken Prompt (eTCAPI: Select an eToken; eToken Name: AKS ifdh0 CardOS M4; User Password; "Login to your eToken to enable using/creating your private key")

Note: If your smart card or token is not inserted, the authentication program displays an error message. If this occurs, insert your smart card or token and try again.

Completing the Private Network Connection

After completing the user authentication phase, the VPN Client continues negotiating security parameters and displays a dialog box. See Figure 4-20. The title bar identifies the remote Cisco VPN device to which you are connecting.

Figure 4-20 Completing Connection History (Connecting to 10.10.32.32: "Your link is now secure". Connection History: Contacting the security gateway at 10.10.32.32; Negotiating security policies; Securing communication channel; Your link is now secure. Cancel)

If the network administrator of the Cisco VPN device has created a client banner, you see a message designated for all clients connecting to that device, for example: The Documentation S
108. ke sure you have closed all of your remote access (Dial-Up Networking) connections and all VPN Client applications. Then use the following procedure. See Figure 5-31.

Note: If you installed the VPN Client via the Microsoft Windows Installer, the Cisco Systems VPN Client menu does not include the Uninstall VPN Client option.

Step 1 Choose Start > Programs > Cisco Systems VPN Client > Uninstall VPN Client.

Figure 5-31 Running the Uninstall Program (Programs menu: Accessories, Startup, Command Prompt, Internet Explorer, Windows NT Explorer, Administrative Tools (Common), Cisco Systems VPN Client > Certificate Manager, Help, Log Viewer, Set MTU, Uninstall VPN Client; Network ICE, Paint Shop Pro 6, WinZip, Zone Labs)

The Uninstall Wizard runs and asks if you really want to remove the VPN Client applications. See Figure 5-32.

Figure 5-32 Confirming Uninstall (Question: "Are you sure you want to completely remove Cisco Systems, Inc. VPN Client and all of its components?")

Step 2 To completely remove the VPN Client software from your system, click Yes. Otherwise, click No.

Next, the Uninstall Wizard asks if you want to delete your connection profiles. See Figure 5-33.
109. l occur if service is not restored quickly. No workaround is available.

The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.

Cisco TAC Web Site

You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL: http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register: http://www.cisco.com/register

If you are a Cisco.com registered user and you cannot resolve your technical issues by using the Cisco TAC Web Site, you can open a case online by using the TAC Case Open tool at this URL: http://www.cisco.com/tac/caseopen

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC Web Site.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe netwo
110. l tab, Properties 3-17
generating events, classes 5-22
group name for IPSec, changing 3-21
group password for IPSec, changing 3-21

H
hard disk space requirement 2-2
Hashed Message Authentication Coding, see HMAC algorithm
help: displaying 3-1; F1 key 3-1; from program menu 3-1
Help icon in log viewer 5-19
HMAC algorithm 1-5
hostname, VPN device 3-7

I
IANA protocol numbers 4-30
ICMP protocol, firewalls 4-30
icons: Dial-Up Networking 4-4; key 4-27; log viewer (Disk 5-24, Erase 5-24, Filter 5-20, Help 5-19, Printer 5-23, Search 5-22); VPN Client (viewing connection status 4-24, viewing when connected 4-16); VPN Dialer, using to disconnect 4-32
IKE Keepalives 1-4
IKE protocol 1-2
importing: certificate file 6-15; configuration 5-5
Import Password 6-16
inactivity timeout, Entrust 4-12
installing, media requirements 2-2
installing VPN Client: InstallShield 2-3; MSI 2-5; process 2-1
interface card for network 2-2
internal server authentication 1-4, 4-5, 4-6
internet, connecting via Dial-Up Networking 3-24, 4-3
Internet Key Management protocol, see IKE
Internet Protocol Security, see IPSec
IOS platform devices supported x
IP address: certificate enrollment 6-5; server 4-24; VPN device 3-7
IPSec: attributes supported in VPN Client 1-5; features in VPN Client 1-4; group name 3-21; group password 3-21; over TCP 3-18; over UDP 3-18; protocol 1-2; transparent tunne
111. l-up Networking

To connect to a private network using a dial-up connection, perform the following two steps:

Step 1 Use a dial-up connection to your Internet service provider (ISP) to connect to the Internet.
Step 2 Use the VPN Client to connect to the private network through the Internet.

To enable and configure this feature, check Connect to the Internet via dial-up. This is not checked by default. See Figure 3-24.

Figure 3-24 Connecting to the Internet Through Dial-up (Properties for Engineering, Connections tab: backup servers 10.10.10.10, 10.10.10.12, 10.10.10.13, 10.10.10.14; Connect to the Internet via dial-up: Microsoft Dial-Up Networking, Phonebook Entry; Third-party dial-up application, Application [Browse]; Add, Remove, Move Up, Move Down)

You can connect to the Internet using the VPN Dialer application in two different ways:
- Microsoft Dial-up Networking (DUN)
- Third-party dial-up program

Microsoft Dial-up Networking

If you have DUN phonebook entries and have enabled Connect to the Internet via dial-up, Microsoft Dial-up Networking is enabled by default. To link a VPN Client connection entry to a Dial-Up Networking phonebook entry, perform the following steps:

Step 1 Click Microsoft Dial-up
112. lear the check mark from the box. If the local LAN you are using is not secure, you should disable this feature. For example, you would disable this feature when you are using a local LAN in a hotel or airport.

A network administrator at the central site configures a list of networks at the Client side that you can access. You can access up to 10 networks when this feature is enabled. When Allow Local LAN Access is enabled and you are connected to a central site, all traffic from your system goes through the IPSec tunnel except traffic to the networks excluded from doing so in the network list.

When this feature is enabled and configured on the VPN Client and permitted on the central-site VPN device, you can see a list of the local LANs available by looking on the Statistics tab on the Connection Status dialog box. See Figure 3-18.

Note: This feature works only on one NIC card, the same NIC card as the tunnel.

Figure 3-18 Local LAN Access (Cisco Systems VPN Client Connection Status, Statistics tab: Bytes in, Bytes out, Packets decrypted, Packets encrypted, Packets bypassed, Packets discarded; routes shown: 0.0.0.0 255.255.255.255, 209.154.69.0 255.255.255.0, 209.154.68.0 255.255.255.0; Time connected 00:01:04; Notifications, Reset, Disconnect)
113. license

8. You may not remove or alter any copyright, trade secret, patent, trademark, trade name, logo, product designation, or other proprietary and/or other legal notices contained in or on the Software and any accompanying documentation. These legal notices must be retained on any copies of the Software and accompanying documentation made pursuant to paragraphs 2 through 4 hereof.

9. You shall acquire no rights of any kind to any copyright, trade secret, patent, trademark, trade name, logo, or product designation contained in or relating to the Software or accompanying documentation, and shall not make use thereof except as expressly authorized herein or otherwise authorized in writing by Cisco Systems.

Limitation Of Liabilities

10. INSTALLATION AND USE OF THE SOFTWARE IS ALSO GOVERNED BY A SEPARATE LICENSE AGREEMENT BETWEEN CISCO SYSTEMS AND THE PURCHASER OF THE CISCO SYSTEMS VPN CLIENT PRODUCT. THAT SEPARATE LICENSE AGREEMENT CONTAINS A DESCRIPTION OF ALL WARRANTIES PROVIDED BY CISCO SYSTEMS FOR THE SOFTWARE. CISCO SYSTEMS PROVIDES NO WARRANTIES FOR THE SOFTWARE OTHER THAN THOSE SET FORTH IN THAT AGREEMENT AND ASSUMES NO LIABILITIES WITH RESPECT TO USE OF THE SOFTWARE BY YOU OR ANY THIRD PARTY.

Appendix A Copyrights and Licenses: RSA software, Zone Labs

Copyright (C) 1995-1998 RSA Data Security, Inc. All rights reserved. This work contains proprietary information of RSA Data
114. ling, connection status 4-25
ISDN: connection technology 1-2; modem 4-2
ISP: password 4-3; username 4-3

K
key icon, connection status 4-27

L
LAN connection 1-2
launching an application 5-11, 5-15
licenses and copyrights A-1
local LAN access 3-18: connection status 4-27
log file: printing 5-23; saving 5-24
logging on to Microsoft Network 3-20
log viewer: clearing 5-24; filtering events 5-20; icons (Disk 5-24, Erase 5-24, Filter 5-20, Help 5-19, Printer 5-23, Search 5-22); options (capture 5-19, filter 5-20); searching 5-22
LZS compression 4-25

M
maintenance dialog, MSI 2-8
managing: auto-initiation 5-16; certificates 6-1, 6-17; connection entries 5-2; enrollment request 6-25; event log 5-17
matching firewall configurations 5-26
Message Digest 5 (MD5) algorithm 1-5
Microsoft: Certificate Services 4-11; certificate store 6-3; Network, logging on 3-20; Windows 2000 4-11; Windows Installer (MSI), installing VPN Client 2-5
modems: cable 1-2, 4-2; dial-up 1-2; DSL 1-2, 4-2; ISDN 4-2; requirement 2-2
MSI 2-5: installation 2-5; removing 5-32; maintenance dialog 2-8; repair dialog 2-8

N
names, IPSec group 3-21
NAT 3-17
network: adapter or interface card 2-2; connection, direct 2-2
Network Address Translation 3-17
New Connection Entry Wizard 3-6
notifications: firewall 5-26; upgrade 5-25
115. ly remove the VPN Client software from your system and retain your connection and certificate configurations.

Note: There are two ways to install the VPN Client: through the InstallShield wizard or through the Microsoft Installer. If you install the VPN Client through the Microsoft Installer, the Programs menu shown in Figure 1-1 does not contain the Uninstall application.

- Set MTU: Lets you manually change the size of the maximum transmission unit (see the VPN Client Administrator Guide, Chapter 6).

How the VPN Client Works

The VPN Client works with a Cisco VPN server to create a secure connection, called a tunnel, between your computer and the private network. It uses Internet Key Exchange (IKE) and Internet Protocol Security (IPSec) tunneling protocols to make and manage the secure connection. Some of the steps include:

- Negotiating tunnel parameters: addresses, algorithms, lifetime, and so on
- Establishing tunnels according to the parameters
- Authenticating users: making sure users are who they say they are, by way of usernames, group names and passwords, and X.509 digital certificates
- Establishing user access rights: hours of access, connection time, allowed destinations, allowed protocols, and so on
- Managing security keys for encryption and decryption
- Authenticating, encrypting, and decrypting data through the tunnel

For example, to use a remote PC to read e-mail at your organization, you connect
116. meters you set during quick configuration.

- The VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring provides guidelines for administering and monitoring the VPN Concentrator. It explains and defines all functions available in the Administration and Monitoring screens of the VPN Concentrator Manager. Appendixes to this manual provide troubleshooting guidance and explain how to access and use the alternate command-line interface.

The VPN Concentrator Manager also includes online help that you can access by clicking the Help icon on the toolbar in the Manager window.

Other useful books, articles, and websites include:
- Dictionary of Internetworking Terms and Acronyms. Cisco Press, 2001.
- Kosiur, Dave. Building and Managing Virtual Private Networks. Wiley, 1998.
- Sheldon, Tom. Encyclopedia of Networking. Osborne/McGraw-Hill, 1998.
- www.ietf.org for Internet Engineering Task Force (IETF) Working Group drafts on IP Security Protocol (IPSec).

Conventions

This document uses the following conventions:
- boldface font: User actions and commands are in boldface.
- italic font: Arguments for which you supply values are in italics.
- screen font: Terminal sessions and information the system displays are in screen font.
- boldface screen font: Information you must enter is in boldface screen font.
117. mmended that you exit all Windows programs before running this setup program. Click Cancel to quit the setup program, then close any programs you have running. Click Next to continue the installation.

WARNING: This program is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this program, or any portion of it, may result in severe civil and criminal penalties, and will be prosecuted to the maximum extent possible under law.

Step 7 Click Next to start the installation, and then follow the instructions on the dialogs. MSI installs the VPN Client in the default location, C:\Program Files\Cisco Systems\VPN Client. If you want a different destination folder for the VPN Client files, enter the alternative location when prompted to do so. When the installation has been completed, the installer displays the dialog in Figure 2-4.

Figure 2-4 Completing MSI Installation (Cisco Systems VPN Client 3.6 (Rel) Setup: "Cisco Systems VPN Client 3.6 (Rel) has been successfully installed. Click the Finish button to exit this installation.")

Step 8 Click Finish. MSI prompts you to restart your system.
Step 9 Click Yes to restart your system.

Note: If you have not removed the VPN Client 3.6 when y
118. n Figure 5-28 shows an example firewall notification. The message states that the policy required is AYT and the firewall required is any Zone Labs product.

Figure 5-28 Firewall Notification (Cisco Systems VPN Client Notifications; Notification Text / Time: "The Client did not match any of the Concentrator's firewall configur..." 08:58:19. Notification Text: "The Client did not match any of the Concentrator's firewall configurations. Firewall Policy: Product: ZoneLabs Any, Capability: Are you There")

Upgrading the VPN Client Software (InstallShield)

Upgrading the VPN Client software using this method retains existing connection entries and their parameters. To install an upgrade of the VPN Client over an existing version on your system, use the following procedure, which first uninstalls the existing version and then reboots your PC and installs the new version.

Step 1 To begin the procedure, follow the instructions in the "Installing the VPN Client Through InstallShield" section in Chapter 2. When it starts, the installation wizard detects the existing version and asks you to confirm that you want to remove that version and reboot your PC. See Figure 5-29.
119. nal Remote Access VPN; Secured Corporate Resources; Corporate Network; On-site WLAN VPN (figure labels)

In your connection profile, your network administrator can configure a list of up to 64 matched networks (address/submasks) and corresponding connection profiles (.pcf files). When the VPN Client detects that your PC's network address matches one of the addresses in the auto-initiation network list, it automatically establishes a VPN connection using the matching profile for that network.

While auto-initiation is primarily for an on-site WLAN application, you can also use auto-initiation in any situation based on the presence of a specific network. For example, in your home office you may want to create an entry for your VPN to auto-initiate from your corporate PC whenever you are connected to your home network, whether that network is a wireless or a wired LAN.

The VPN Dialer lets you know when your connection is auto-initiating and informs you of various stages in the process of an auto-initiated connection. You can suspend, resume, disconnect, or disable auto-initiation. When you disconnect or the connection attempt fails, the VPN Dialer automatically retries auto-initiation using a configured interval called the retry interval. From the VPN Dialer Options menu, you can disable auto-initiation and you can change the interval between connection attempts.

Connecting Through Auto-Initiation

Typically, when you start your wireless system, normally
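As an added example (not Cisco's code, and not part of the original guide) serving both this passage and the auto-initiation log messages of Figure 4-31 earlier on the page: a Python helper that parses Log Viewer lines, reads back the CM "condition detected" event, and checks which entry of the auto-initiation network list covers the local address. It also flags entries whose mask reduces to 0.0.0.0, since those match on every network, including the untrusted hotel or airport LANs the guide warns about. The log line layout (seq, time, date, Sev=Name/n, COMPONENT/0xcode, message), the wording of the condition message, the AutoInitEntry shape, and first-match-wins are assumptions; SAMPLE_LOG is constructed from the figure's messages.

```python
"""Auto-initiation helpers: parse VPN Client Log Viewer lines like those in
Figure 4-31 and find which auto-initiation network entry covers a local
address.  Added example, not Cisco code.  The log layout, the condition
message wording and the AutoInitEntry shape are assumptions modelled on the
guide's figures; SAMPLE_LOG is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

MAX_AUTO_INIT_NETWORKS = 64  # list size limit stated in the guide

# Assumed layout: seq time date Sev=Name/n COMPONENT/0xcode message
LOG_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<component>[A-Z]+)/(?P<code>0x[0-9A-Fa-f]{8})\s+"
    r"(?P<message>.*\S)\s*$")

# Assumed wording of the CM condition message; separators are matched loosely.
COND_RE = re.compile(
    r"Auto-initiation condition detected.*?Local IP\W+(?P<ip>[\d.]+)\W+Network\W+(?P<net>[\d.]+)"
    r"\W+Mask\W+(?P<mask>[\d.]+)\W+Connection Entry\W+(?P<entry>.+?)\s*$")

# Constructed sample, built from the messages shown in Figure 4-31.
SAMPLE_LOG = """\
15727 14:22:45.721 04/22/02 Sev=Info/6 DIALER/0x63300009 Auto-initiation has been suspended
15728 16:24:25.578 04/22/02 Sev=Info/6 DIALER/0x63300009 Auto-initiation has been disabled
15729 16:36:09.671 04/22/02 Sev=Info/6 DIALER/0x63300009 Auto-initiation has been enabled
15730 16:36:09.671 04/22/02 Sev=Info/6 CM/0x63100036 Auto-initiation condition detected: Local IP = 10.10.0.32, Network = 10.10.32.32, Mask = 0.0.0.0, Connection Entry = Engineering
""".splitlines()


@dataclass
class LogEvent:
    seq: int
    component: str
    code: str
    message: str


@dataclass
class AutoInitEntry:
    network: str
    mask: str
    profile: str  # name of the .pcf connection entry to use


def parse_log_line(line: str) -> Optional[LogEvent]:
    """Split one Log Viewer line into fields; None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return LogEvent(int(m["seq"]), m["component"], m["code"], m["message"])


def auto_initiation_state(lines: Iterable[str]) -> str:
    """Replay DIALER events in order and return the last state announced:
    'enabled', 'disabled', 'suspended', or 'unknown' if none was seen."""
    state = "unknown"
    for line in lines:
        ev = parse_log_line(line)
        if ev and ev.component == "DIALER" and "auto-initiation has been" in ev.message.lower():
            state = ev.message.lower().rsplit(" ", 1)[-1]
    return state


def condition_from_log(lines: Iterable[str]) -> Optional[dict]:
    """Return the ip/net/mask/entry fields of the first CM condition event."""
    for line in lines:
        ev = parse_log_line(line)
        if ev and ev.component == "CM":
            m = COND_RE.search(ev.message)
            if m:
                return m.groupdict()
    return None


def _to_network(entry: AutoInitEntry) -> ipaddress.IPv4Network:
    # strict=False masks off host bits, so 10.10.32.32 with mask 0.0.0.0 becomes 0.0.0.0/0
    return ipaddress.IPv4Network((entry.network, entry.mask), strict=False)


def matching_entry(local_ip: str, entries: List[AutoInitEntry]) -> Optional[AutoInitEntry]:
    """First entry whose network/mask covers local_ip (first match wins is an assumption)."""
    if len(entries) > MAX_AUTO_INIT_NETWORKS:
        raise ValueError(f"auto-initiation list holds at most {MAX_AUTO_INIT_NETWORKS} networks")
    addr = ipaddress.IPv4Address(local_ip)
    return next((e for e in entries if addr in _to_network(e)), None)


def catch_all_entries(entries: List[AutoInitEntry]) -> List[AutoInitEntry]:
    """Entries whose mask reduces to /0 match every address, so that profile would
    auto-initiate on any LAN, including an untrusted hotel or airport network."""
    return [e for e in entries if _to_network(e).prefixlen == 0]


if __name__ == "__main__":
    print("state after log:", auto_initiation_state(SAMPLE_LOG))
    cond = condition_from_log(SAMPLE_LOG)
    entries = [AutoInitEntry(cond["net"], cond["mask"], cond["entry"]),
               AutoInitEntry("192.168.1.0", "255.255.255.0", "HomeOffice")]
    print("matched:", matching_entry(cond["ip"], entries))
    print("catch-all entries:", [e.profile for e in catch_all_entries(entries)])
```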
120. Figure 6-25 Export Message (Cisco Systems message referring to the exported file backup_Ca.p7b)

Step 7 To continue, click OK.

Managing Enrollment Requests

While a request is pending approval by the CA administration, the Certificate Manager places the enrollment request under the Enrollment Requests tab. You can view, delete, or change the password on any request in the list, or you can resume a network enrollment request. To perform any of these actions, choose the Enrollment Requests tab and click on the Options pull-down menu. See Figure 6-26.

Figure 6-26 Managing Enrollment Requests (Enrollment Requests tab listing "Patrick Clarkson Request")

Viewing the Enrollment Request

To display the enrollment request, click on its name in the list and choose View from the Options pull-down menu. The Certificate Manager displays the pending request. See Figure 6-27.

Figure 6-27 Viewing an Enrollment Request (Digital Certificate: Common Name: Alice Wonderland; Department: International Studies; Company: University; State: Massachusetts; Country: US
121. nect

To continue, click OK. Alternatively, you can copy the .pcf file into the Profiles directory and restart the VPN Dialer application. Your VPN Client is now configured with the connection entries and parameters specified by this new profile file. You can examine or modify the connection entries by clicking the Connection Entry drop-down menu on the main dialog box, choosing an entry, and clicking Options > Properties.

Erasing a Saved Password for a Connection Entry

You or your administrator may have configured an entry to save the authentication password on your PC so you do not have to enter a password when you are connecting to the VPN device. Normally we recommend that you not use this feature, because storing the password on the PC can compromise security, and requiring a password to authenticate you every time you attempt to connect to the VPN device is fundamental to maintaining security on the private network. However, there may be reasons for temporarily bypassing the authentication dialog box, for example when you want to create a batch file for your PC to log in to a VPN device to accomplish some task that requires using the private network behind the VPN device.

If there is a password saved on your system and authentication fails, your password might be invalid. To eliminate a saved password, use the Erase User Password feature on the Options menu. Erase User Password is available only when you have pre
ng
  certificate 6-21
  connection entry 5-4
  enrollment request 6-27
department, in certificate enrollment 6-4
DES algorithm 1-5
DHCP request 1-3
DHCP traffic, stateful firewall always on 5-11
Dial-Up Networking
  closing before uninstall 5-29
  connecting 3-24, 4-3
  dial-up modem 1-2
  disabling 3-25
  enabling 3-25
  icon on taskbar 4-4
  Microsoft 1-3
  phonebook entries 3-25
  programs, third-party 3-26
  requirement for 2-2
  User Information dialog box 4-3
Digital Subscriber Line, see DSL
direct network connection 2-2
disabling
  application launch before startup 5-15
  automatic disconnect when logging off Windows NT 5-16
  backup servers 3-24
  Dial-Up Networking 3-25
  local LAN access 3-18
  Logon to Microsoft Network parameter 3-20
  third-party dial-up 3-26
disconnecting
  automatic 5-16
  private network 4-32
Disk icon in log viewer 5-24
displaying
  help 3-1
  software version 3-3
DNS
  dynamic 1-3
  split 1-4
documentation
  cautions xii
  notes xii
domain
  Certificate Authority 6-7
  name, certificate enrollment 6-5
  NT Domain authentication 4-7
  server 1-4
DPD
  adjusting peer time out 3-19
  keep alive mechanism
DSL
  connection technology 1-2
  modem 1-2, 4-2
DUN phonebook entries 3-26
e-mail address in certificate enrollment 6-5
enabling
  auto initiation 5-17
  backup servers 3-23
  local LAN access 3-18
  logging on to Microsoft Network 3-20
  start before logon 5-14
ng, see Accessing Your Profile.

Using Entrust SignOn and Start Before Logon Together

Entrust SignOn is an optional Entrust application that lets you use one login and password to access Microsoft Windows and Entrust applications. This application is similar to start before logon, which is a VPN Client feature that enables you to dial in before logging on to Windows NT. For information about start before logon, see Starting a Connection Before Logging on to a Windows NT Platform.

If you want to use these two features together, you should make sure you have installed Entrust Entelligence with the Entrust SignOn module before installing the VPN Client. For information about installing Entrust SignOn, refer to Entrust documentation and the VPN Client Administrator Guide, Chapter 1.

To use these two features together, follow these steps:

Step 1: Start your system. When the SignOn option is installed, Entrust displays its own Ctrl-Alt-Delete dialog box.
Step 2: Click Ctrl-Alt-Delete. The Entrust Options dialog box and the VPN Dialer login dialog box both pop up. The VPN Dialer dialog box is active.
Step 3: To start your VPN connection, click Connect on the VPN Dialer main dialog box. The Entrust login dialog box becomes active.
Step 4: To log in to your Entrust profile, enter your Entrust password. The VPN Dialer password prompt dialog box becomes active.
Step 5: Enter your VPN dialer username and password.
Starting the VPN Dialer

Step 1: To start the VPN Dialer application, choose Start > Programs > Cisco Systems VPN Client > VPN Dialer. The VPN Dialer displays the VPN Client's main dialog box. See Figure 4-1.

Figure 4-1: VPN Dialer Main Dialog Box (Cisco Systems VPN Client; Connection Entry: Engineering; Host name or IP address of remote server: 10.10.32.32)

Step 2: If necessary, click the Connection Entry drop-down menu and choose the desired connection entry.

Connection Procedure

To connect to a private network, perform the following steps:

Step 1: Connect to the Internet, if necessary.
Step 2: Connect to the private network through the Internet.

Systems with cable or DSL modems are usually connected to the Internet, so no additional action is necessary. Skip to Authenticating to Connect to the Private Network.

Systems with modems or ISDN modems must connect to the Internet via Dial-Up Networking. If you connect to the Internet via Dial-Up Networking, proceed to Using the VPN Client to Connect to the Internet via Dial-Up Networking.
nges, click Cancel. The Properties dialog box closes and discards all changes.

Changing General Settings

The Properties > General tab lets you set general parameters for this connection entry. See Figure 3-17.

Changing Connection Entry Description

To change the description of this connection entry, enter or edit the description field. This field is optional, but it can help you identify this connection.

Enabling Transparent Tunneling

Transparent tunneling allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall, which may also be performing Network Address Translation (NAT) or Port Address Translation (PAT). Transparent tunneling encapsulates Protocol 50 (ESP) traffic within UDP packets and can allow for both IKE (UDP 500) and Protocol 50 to be encapsulated in TCP packets before they are sent through the NAT or PAT devices and/or firewalls. The most common application for transparent tunneling is behind a home router performing PAT. The VPN Client also sends keepalives frequently, ensuring that the mappings on the devices are kept active.

Not all devices support multiple simultaneous connections behind them. Some cannot map additional sessions to unique source ports. Be sure to check with your device's vendor to verify whether this limitation exists. Some vendors support Protocol 50 (ESP) Port Address Translation (IPSec passthrough), which might let you operate without enabling tran
CHAPTER 4: Connecting to a Private Network

This chapter explains how to connect to a private network with the VPN Client. We assume you have configured at least one VPN Client connection entry, as described in Configuring the VPN Client. To connect to a private network, you also need the following information:

ISP logon username and password, if necessary.

User authentication information:
If you are authenticated via the VPN 3000 Concentrator internal server, your username and password.
If you are authenticated via a RADIUS server, your username and password.
If you are authenticated via a Windows NT Domain server, your username, password, and domain name.
If you are authenticated via RSA Data Security (formerly SDI) SecurID or SoftID, your username and PIN.
If you use a digital certificate for authentication, the name of the certificate and your username and password. If your private key is password protected for security reasons, you also need this password.

Refer to your entries in Gathering Information You Need as you complete the steps described here, which include the following sections:

Starting the VPN Dialer
Using the VPN Client to Connect to the Internet via Dial-Up Networking
Authenticating to Connect to the Private Network
Connecting with Digital Certificates
Viewing Connection Status
Closing the VPN Client
Disconnecti
ns menu. See Figure 5-1.

Figure 5-1: Cisco Systems VPN Client Menu of Applications (Certificate Manager, Help, Log Viewer, Set MTU, Uninstall VPN Client, VPN Dialer)

Note: If you installed the VPN Client via the Microsoft Windows Installer, the Cisco Systems VPN Client menu does not include the Uninstall VPN Client option.

This chapter includes the following sections:

Managing VPN Client Connection Entries
Enabling Stateful Firewall (Always On)
Launching an Application
Managing Windows NT Logon Properties
Viewing and Managing the VPN Client Event Log
Receiving Notifications From a VPN Device
Upgrading the VPN Client Software (InstallShield)
Uninstalling the VPN Client with the Uninstall Application

To configure properties of connection entries, see Configuring the VPN Client.

Note: If you are a system administrator, refer to the VPN Client Administrator Guide for information on configuring the VPN 3000 Concentrator and preparing preconfigured profiles for VPN Client users.

Managing VPN Client Connection Entries

To manage a
User Authentication

User authentication means proving that you are a valid user of this private network. User authentication is optional; your administrator determines whether it is required. The VPN Client displays a user authentication dialog box that differs according to the authentication that your IPSec group uses. Your system administrator tells you which method to use. To continue, refer to your entries in Gathering Information You Need and go to the appropriate authentication section that follows.

Authenticating Through the VPN Device Internal Server or RADIUS Server

To display the user authentication dialog box, perform the following steps. The title bar identifies the connection entry name.

Figure 4-6: Authenticating Through an Internal or RADIUS Server (User Authentication for Engineering: "The server has requested the information specified below to complete the user authentication." Username; Password; Save Password)

Step 1: In the Username field, enter your username. This entry is case sensitive.
Step 2: In the Password field, enter your password. This entry is case sensitive. The field displays only asterisks.
Step 3: Click OK.

Note: If you cannot choose the Save Password option, your administrato
ntry. See Figure 5-3. The Clone Connection Entry dialog box appears. See Figure 5-4.

Figure 5-4: Clone Connection Entry Dialog Box (Connection entry to be cloned: Engineering; Enter a new name for this connection entry: EngEast)

Step 3: Enter a name for the new connection entry in the field and click OK. The dialog box closes.
Step 4: The new name appears in the Connection Entry list in the VPN Client main dialog box.
Step 5: To configure the properties of this new connection entry, click Options > Properties on the VPN Client main dialog box and see Setting or Changing Connection Entry Properties.

Deleting a Connection Entry

To delete a configured connection entry, follow these steps:

Step 1: On the VPN Client's main dialog box, click the Connection Entry drop-down menu arrow and choose the entry you want to delete.
Step 2: On the VPN Client Options menu, choose Delete entry. See Figure 5-3. A confirmation dialog box appears. See Figure 5-5.

Figure 5-5: Confirming Deletion of a Connection Entry ("Are you sure you want to delete Engineering2?")

Step 3: Click Yes or No. To permanently delete the connection entry, click Yes. There is no undo. To retain the
Statistics

The Statistics tab on the Connection Status dialog box shows statistics for data packets that the VPN Client has processed during the current session or since the statistics were reset. Reset affects only this tab.

Figure 4-34: Viewing Statistics (Bytes in 720; Bytes out 1512; Packets decrypted 12; Packets encrypted 12; Packets bypassed 133; Packets discarded 3321; Secured routes including 10.10.32.32 / 255.255.255.255; Local LAN routes 209.154.69.0 / 255.255.255.0 and 209.154.68.0 / 255.255.255.0; Time connected 00:22:07)

Bytes in: The total amount of data received after a secure packet has been successfully decrypted.
Bytes out: The total amount of encrypted data transmitted through the tunnel.
Packets decrypted: The total number of data packets received on the port.
Packets encrypted: The total number of secured data packets transmitted out the port.
Packets bypassed: The total number of data packets that the VPN Client did not process because they did not need to be encrypted. Local ARPs and DHCP fall into this category.
Packets discarded: The total number of data packets that the VPN Client rejected because they did not come from the secure VPN device gateway.
olling for a Certificate

Your system administrator may have already set up your VPN Client with digital certificates. If not, or if you want to add certificates, you can obtain a certificate by enrolling with a Certificate Authority (CA) over the network or by creating a file request. In both cases you complete the same form, shown in Figure 6-3.

Enrollment Form

This section describes the information required for filling out the certificate enrollment form. Make sure you have all of the following information before you start.

Figure 6-3: Enrollment Form (fields: Common Name (cn), Department (ou), Company (o), State (st), Country (c), Email (e), IP Address, Domain)

Common Name: Your common name (CN), which is the unique name to use for this certificate. This field is required. The common name can be the name of a person, system, or other entity; it is the most specific level in the identification hierarchy. The common name becomes the name of the certificate, for example, Alice Wonderland.

Department: The name of the department to which you belong, for example, International Studies. This field correlates to the Organizational Unit (OU). The OU is the same as the Group Name configured in a VPN 3000 Series Concentrator, for exampl
om the menu in the standard way. The VPN Dialer displays the following message. See Figure 4-28.

Figure 4-28: Disconnecting Your Session ("You have terminated your VPN connection. You no longer have access to your network resources. A VPN connection will be auto-initiated every 2 minutes. Do you wish to temporarily suspend the auto-initiation functionality?")

To suspend auto initiation, click Yes. Auto initiation suspends until you resume it, disable it, or log off. When you click No, auto initiation stays in effect, and the VPN Dialer automatically retries auto initiation according to the retry interval, for example every minute.

Changing Option Values While Auto Initiation is Suspended

When auto initiation is suspended, you can change VPN Dialer options as follows:

Step 1: Double-click the yellow lock icon in the system tray.
Step 2: Click Options. The VPN Dialer displays the Options menu.

Disabling Auto Initiation

To completely shut down auto initiation, you can disable it through the Options menu by following these steps:

Step 1: Display the VPN Dialer main dialog box and click Options.
Step 2: Select Automatic VPN Initiation. The VPN Dialer displays the dialog box shown in Figure 4-29.

Figure 4-29: Setting Auto Initiation Parameters (Automatic VPN Initi
on the Options menu. When Stateful Firewall (Always On) is enabled, you see a check in front of the option. This feature is disabled by default. You can enable or disable this feature from the VPN Client Options menu. During a VPN connection, you can view the status of this feature by right-clicking the lock icon in the system tray. You can also enable or disable this feature from the same menu.

Launching an Application

You can configure the dialer to automatically launch an application before establishing a connection. Some examples of why you would want to use this feature follow:

You are configured for start before logon and you need to start an authentication application at the logon desktop.
You want to launch a monitoring application, such as the Log Viewer, before each connection.

See Figure 5-15 to Figure 5-17.

To configure the VPN Dialer to launch an application from the logon desktop, use the Application Launcher. The Application Launcher starts the specified application once per session. To launch an application again, you must exit from the VPN Dialer, restart the VPN Dialer, and launch the application.

To activate Application Launcher, follow these steps:

Step 1: Open the VPN Dialer Options pull-down menu, shown in Figure 5-3, and click Application Launcher. See Figure 5-15.

Figure 5-15: Applicat
one or more certificates installed on your system. If this is not the case, then you need to obtain a digital certificate. In many cases the network administrator of your organization can provide you with a certificate. If not, then you can obtain one by enrolling with a PKI directly using the Certificate Manager application, or you can obtain an Entrust profile through Entrust Entelligence. Currently we support the following PKIs:

UniCERT from Baltimore Technologies (www.baltimoretechnologies.com)
Entrust PKI from Entrust Technologies (www.entrust.com)
Verisign (www.verisign.com)
Microsoft Certificate Services in Microsoft Windows 2000 Server
Cisco Certificate Store

The websites listed in parentheses in this list contain information about the digital certificates that each PKI provides. The easiest way to enroll in a PKI or import a certificate is to use the Certificate Manager (see Enrolling and Managing Certificates) or Entrust Entelligence (see Entrust documentation).

Note: Every time you connect using a certificate, the VPN Client checks to verify that your certificate has not expired. If your certificate is within one month of expiring, the VPN Client displays a message when you attempt to connect or when you use the Properties option. The message displays the certific
ou click on this lock, VPN Dialer is the only menu choice displayed. If you click Close, the VPN Dialer returns to the normal auto initiation suspended state.

Open Red Lock: Auto initiation is disabling from the suspended state. VPN Dialer displays the Disable warning dialog box (see Figure 4-30) that lets you confirm or retreat.

Note: Auto initiation does not connect if the VPN Dialer is opened by any means.

Viewing Connection Status

The VPN Client icon on the task bar lets you view the status of your private network connection. Double-click the icon, or click the icon with the right mouse button and choose Status from the pop-up menu. The VPN Client Connection Status dialog box appears. The dialog contains three tabs:

General: See Figure 4-33.
Statistics: See Figure 4-34.
Firewall: See Figure 4-35.

General Information

The General tab on the Connection Status dialog box provides IP security information, listing the IPSec parameters that govern the use of this VPN tunnel to the private network.

Figure 4-33: Viewing IPSec Security Information (Connection Entry: Engineering; Client IP address: 209.154.64.50; Server IP address: 10.10.32.32; Encryption: 168-bit 3-DES; Authentication: HMAC-MD5; Transp
ou execute the vpnclient_en.exe command or vpnclient_en.msi, a maintenance and repair wizard displays. See Figure 2-5. You do not see these screens when you remove the software through the Add/Remove Programs utility.

Figure 2-5: Repairing/Removing VPN Client Applications (Cisco Systems VPN Client 3.6 Rel Setup, Application Maintenance: "Select the maintenance operation to perform." Repair: Reinstall missing or corrupt files, registry keys and shortcuts. Preferences stored in the registry may be reset to default values. Uninstall: Cisco Systems VPN Client 3.6 Rel from this computer.)

To remove the VPN Client version 3.6 from your system, follow these steps:

Step 1: Click the Remove radio button and then click Next. The maintenance wizard displays the Remove Configuration Files dialog. See Figure 2-6.

Figure 2-6: Removing Cisco VPN Client 3.6 (Remove Configuration Files: "Delete files from system. To permanently remove connection profiles or certificates created with the Cisco Systems VPN Client 3.6 Rel, select the appropriate options below." Remove all connection profiles; Remove all certificates)
our SoftID PIN. The VPN Client gets the passcode from SoftID by communicating directly with SoftID. The SoftID application must be installed but does not have to be running on your PC. After entering the PIN, click OK.

RSA New PIN Mode

Step 1: The first time you authenticate using SecurID or SoftID (all operating systems), or if you are using a new SecurID card, and if the RSA administrator allows you to create your own PIN, the authentication program asks if you want to create your own PIN. See Figure 4-10.

Figure 4-10: SecurID New PIN Request (User Authentication for MyCompany: "Do you want to enter your own pin (y or n)?" Response)

Enter your response: y for yes or n for no. No is the default response. Then click OK. What happens next depends on your response.

Step 2: If you responded yes, enter your new PIN in the New PIN field and enter it again in the Confirm PIN field. Click OK. See Figure 4-11.

Figure 4-11: Entering a New PIN Yourself (User Authentication for MyCompany)

Step 3: If you responded no, the authentication program asks if you will accept a system-generated PIN. See Figure 4-12.

Figure 4-12: Accepting a PIN from the System (User Authentication for Connect to MyCompany)

To
outing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0206R)

VPN Client User Guide for Windows
Copyright 2002, Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface ix
Audience ix
Organization ix
Terminology x
Related documentation x
VPN 3000 Series Concentrator Documentation xi
Conventions xi
Data Formats xii
Obtaining Documentation xiii
World Wide Web xiii
Documentation CD-ROM xiii
Ordering Documentation xiii
Documentation Feedback xiii
Obtaining Technical Assistance xiv
Cisco.com xiv
Technical Assistance Center xiv
Cisco TAC Web Site xv
Cisco TAC Escalation Center xv

CHAPTER 1 Understanding the Cisco VPN Client 1-1
How the VPN Client Works 1-2
Connection Technologies 1-2
VPN Client Features 1-3
Program Features 1-3
Windows NT, Windows 2000, and Windows XP Features 1-3
IPSec Features 1-4
Authentication Features 1-4
Firewall Features 1-5
VPN Client IPSec Attributes 1-5

CHAPTER 2 Installing the VPN Client 2-1
Installation Applications 2-1
Verifying System Requirements 2-1
Gathering Information You Need 2-2
procedure:

Step 1: Display the Options pull-down menu and choose Password. The Certificate Manager displays the Change Certificate Password dialog box. See Figure 6-28.

Figure 6-28: Changing a Certificate Password ("To modify or add a password associated with the specified certificate, enter the information below." Current; New; Confirm)

Step 2: In the Current field, type the password you are currently using.
Step 3: In the New field, type the new password.
Step 4: In the Confirm field, type your new password again.
Step 5: Click OK.

Completing an Enrollment Request

To complete a pending enrollment request, choose the request under the Enrollment Requests tab and choose Resume from the Options pull-down menu. The Certificate Manager prompts you to enter a password. See Figure 6-29. This password must match the password you are using to protect the certificate's private key, if any.

Figure 6-29: Entering Password to Resume Online Enrollment (Enter Enrollment Cert Password)

Enter the password and click OK to resume enrollment. V
r RADIUS with Expiry authentication on the VPN 3000 Concentrator. If this feature is in effect and your password has expired, a dialog box prompts you to enter and confirm a new password.

After you have tried unsuccessfully to log in three times, you might receive one of the following login messages:

Restricted login hours
Account disabled
No dial-in permission
Error changing password
Authentication failure

These messages let you know the cause of your inability to log in. For help, contact your network administrator.

Authenticating Through RSA Data Security (RSA SecurID/SDI)

RSA (formerly SDI) SecurID authentication methods include physical SecurID cards and keychain fobs, and PC software called SoftID. SecurID cards also vary: with some cards, the passcode is a combination of a PIN and a cardcode; with others, you enter a PIN on the card and it displays a passcode. Ask your system administrator for the correct procedure. Authentication via these methods also varies slightly for different operating systems.

If you use an RSA method, the VPN Client displays the appropriate RSA user authentication dialog box. The title bar identifies the connection entry name.

RSA User Authentication: SecurID Tokencards, Pinpads, and Keyfobs, and SoftID v1.0 (Windows 95
r does not allow this option. If you can choose this option, be aware that using it might compromise system security, since your password is then stored on your PC and is available to anyone who uses your PC. If Save Password is checked and authentication fails, your password may be invalid. To eliminate a saved password, click Options > Erase User Password.

Proceed to the section Viewing Connection Status.

Authenticating Through a Windows NT Domain

To display the Windows NT Domain user authentication dialog box, perform the following steps. The title bar identifies the connection entry name.

Figure 4-7: Authenticating Through a Windows NT Domain (User Authentication for Companyx: "The remote peer requires additional user authentication to authorize this connection." Username: simonz; Password; Save Password)

Step 1: In the Username field, enter your username. This entry is case sensitive.
Step 2: In the Password field, enter your password. This entry is case sensitive. The field displays only asterisks.
Step 3: In the Domain field, enter your Windows NT Domain name if it is not already there.
Step 4: Click OK. Skip to Viewing Connection Status.

Changing your Password

Your network administrator may have configured your group fo
re 5-12.

Figure 5-12: Verifying Erase User Password ("Are you sure you want to erase the user password for the Engineering connection entry?")

With Erase User Password in effect, the next time you connect, the authentication dialog box prompts you to enter your password. On the Options menu, the Erase User Password feature is no longer available. See Figure 5-13.

Figure 5-13: Erase User Password Unavailable (Options menu: Clone Entry, Delete Entry, Import Entry, Erase User Password, Create Shortcut, Properties, Stateful Firewall (Always On), Application Launcher, Windows Logon Properties)

Note: The VPN Client displays Windows Logon Properties only on Windows NT, Windows 2000, and Windows XP.

Creating a Shortcut for a Connection Entry

You can create a shortcut on your desktop to quickly and directly launch a VPN Client connection entry that you use frequently.

Step 1: On the VPN Client's main dialog box, click the Connection Entry drop-down menu and choose an entry.
Step 2: On the VPN Client Options menu, choose Create Shortcut. See Figure 5-3.
receive a PIN, you must respond y for yes and then click OK. When you do, the authentication program generates a PIN for you and displays it. See Figure 4-13. Be sure to remember your PIN.

Figure 4-13: New PIN Received (User Authentication for MyCompany)

To continue, click OK.

SecurID Next Cardcode Mode

Sometimes SecurID authentication prompts you to enter the next cardcode from your token card, as in Figure 4-14. SecurID displays this prompt either to resynchronize the token card with the RSA server or because it noticed several unsuccessful attempts to authenticate with this username. The SecurID Next Cardcode Mode dialog box might appear. See Figure 4-14.

Figure 4-14: Entering the Passcode for SecurID Next Card (User Authentication for Engineering: "Enter Next PASSCODE." Username: softid5083; Passcode)

In the Passcode field, enter the next code from your token card. This field requires only a cardcode. Do not include your PIN as part of the passcode. Now continue to Viewing Connection Status.

Connecting with Digital Certificates

Before you create a connection entry using a digital certificate, you must have already enrolled in a Public Key Infrastructure (PKI), have received approval from the Certificate Authority (CA), and have
remain up during and after log off, which allows profiles or folders to be synchronized during log off. You would disable this parameter when using the Windows roaming profiles feature.

Note: With this feature disabled, you must completely shut down your system to disconnect your VPN Client connection.

Managing Auto Initiation

When your network administrator has configured your VPN Client for auto initiation by including it in the vpnclient.ini file, the Options menu includes the option Automatic VPN Initiation. See Figure 5-20. When you select this option, the VPN Dialer displays a dialog box that lets you enable/disable auto initiation and change the setting of the retry interval. Disabling auto initiation in this way does not remove it from your configuration. If you need to enable auto initiation after you have disabled it, you can return to this dialog box and enable it again. The only way you can remove auto initiation from your configuration is through editing the vpnclient.ini file. For complete information on auto initiation, see Using Automatic VPN Initiation.

Figure 5-20: Automatic VPN Initiation Option (Options menu: Clone Entry, Delete Entry, Rename Entry, Import Entry; Automatic VPN Initiation dialog: Enable; Retry Interval 20)
res

IPSec tunneling protocol.

Transparent tunneling: IPSec over UDP for NAT and PAT, and IPSec over TCP for NAT, PAT, and firewalls.

IKE key management protocol.

IKE Keepalives: Monitoring the continued presence of a peer and reporting the VPN Client's continued presence to the peer. This lets the VPN Client notify you when the peer is no longer present. Another type of keepalives keeps NAT ports alive.

Split tunneling: The ability to simultaneously direct packets over the Internet in clear text and encrypted through an IPSec tunnel. The VPN Server supplies a list of networks to the VPN Client for tunneled traffic. You enable split tunneling on the VPN Client and configure the network list on the VPN Server, such as the VPN Concentrator.

Support for Split DNS: The ability to direct DNS packets in clear text over the Internet to domains served through an external DNS (serving your ISP) or through an IPSec tunnel to domains served by the corporate DNS. The VPN Server supplies a list of domains to the VPN Client for tunneling packets to destinations in the private network. For example, a query for a packet destined for corporate.com would go through the tunnel to the DNS that serves the private network, while a query for a packet destined for myfavoritesearch.com would be handled by the ISP's DNS. This feature is configured on the VPN Server (VPN Concentrator) and enabled on the VPN Client by default. To use Split DNS, you mus
146. rk > Protocols or Configuration
• 10 MB hard disk space
• RAM: 16 MB for Windows 95/98; 32 MB for Windows NT and Windows ME; 64 MB for Windows 2000; 128 MB for Windows XP

To install the VPN Client:
• CD-ROM drive
• 3.5-inch high-density diskette drive
• Administrator privileges if installing on Windows NT or Windows 2000

To use the VPN Client:
• Direct network connection (cable or DSL modem and network adapter/interface card), or
• Internal or external modem
• For Windows 95: Microsoft Dial-Up Networking (DUN) version 1.2 or greater. DUN 1.3 for Windows 95 is a recommended performance and security upgrade, and it is available as a free download from the Microsoft Web site (www.microsoft.com). Windows 98 includes the DUN 1.3 functionality.

To connect using a digital certificate for authentication:
• A digital certificate signed by one of the following Certificate Authorities (CAs) installed on your PC: Baltimore Technologies (www.baltimoretechnologies.com), Entrust Technologies (www.entrust.com), Microsoft Certificate Services (Windows 2000), Netscape Security, Verisign, Inc. (www.verisign.com)
• Or a digital certificate stored on a smart card. The VPN Client supports smart cards via the MS CAPI interface.

Gathering Information You Need

To configure and use the VPN Client, you may need the information listed in this section. Ask for this information from the system administrator of the private network you want to access. Yo
147. rk degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.

CHAPTER 1
Understanding the Cisco VPN Client

The Cisco VPN Client for Windows (referred to in this user guide as VPN Client) is a software program that runs on a Microsoft Windows-based PC. The VPN Client on a remote PC, communicating with a Cisco Easy VPN server on an enterprise network or with a service provider, creates a secure connection over the Internet. Through this connection you can access a private network as if you were an on-site user. Thus you have a Virtual Private Network (VPN). The server verifies that incoming connections have up-to-date policies in place before establishing them. Cisco IOS VP
148. rk parameter registers your PC on the private Microsoft network and lets you browse and use network resources after the VPN Client establishes a secure connection. This parameter is enabled by default. To disable this parameter, clear the check.

Note: This parameter appears only on VPN Clients installed on systems running Windows 95, Windows 98, and Windows ME. For information on logging on to Windows NT and Windows 2000 systems, see the section Starting a Connection Before Logging on to a Windows NT Platform.

If you do not need, or do not have privileges for, Microsoft Windows resources on the private network, disable this parameter. For example, if you require only FTP access to the private network, you could disable this parameter.

If you enable this parameter, click one of the radio buttons to choose the logon process:
• Use default system logon credentials: Use the Windows logon username and password on your PC to log on to the private network. With this option you do not need to manually enter your logon username and password each time you connect to the private network. This is the default selection.
• Prompt for network logon credentials: The private network prompts you for a username and password to use its resources. If the logon username or password on your PC differs from those on the private network, use this option.

When you are done with the General tab, click OK or click another tab.

Changing Authentication Settings
149. rom the VPN device. If UDP, the port is negotiated; if TCP, the port is preconfigured. If Transparent Tunneling is inactive, then the value of Tunnel Port is zero.
• Compression: Whether data compression is in effect, as well as the type of compression in use. Currently LZS is the only type of compression that the VPN Client supports.
• Local LAN Access: Whether this parameter is enabled or disabled. For information on configuring this feature, see Allowing Local LAN Access.
• Personal Firewall: The name of the firewall that the VPN Client is enforcing, such as the Cisco Integrated Client, Zone Labs ZoneAlarm, ZoneAlarm Pro, BlackICE Defender, and so on.
• Firewall Policy: The firewall policy in use.
  AYT (Are You There) enforces the use of a specific personal firewall but does not require you to have a specific firewall policy.
  Centralized Protection Policy (CPP), or Policy Pushed, as defined on the VPN Concentrator, lets you define a stateful firewall policy that the VPN Client enforces for Internet traffic while a tunnel is in effect. CPP is for use during split tunneling and is not relevant for a tunnel-everything configuration. In a tunnel-everything configuration, all traffic other than tunneled traffic is blocked during the tunneled connection.
  Client/Server, corresponding to Policy from Server (Zone Labs Integrity) on the VPN Concentrator.
150. rrently displayed in the Log Viewer main window, choose Options > Clear Log Display from the main menu. Alternatively, you can click the Erase All icon. If you want to store the event messages, be sure you save them before you clear the display. Clearing the display does not reset event numbering, nor does it clear the log file itself.

Receiving Notifications From a VPN Device

The VPN device (secure gateway) through which you connect to the private network at your organization can send you notifications. Currently you can receive a notification from your network administrator when it is time to update the VPN Client software, or when the VPN device that requires a specific firewall be running on the VPN Client PC detects that the firewall is not running. A notification typically shows up when you start your dialer connection. You can also display notifications while you are connected by clicking Notifications on the Connection Status dialog box (see Figure 5-26).

Figure 5-26: Displaying Notifications (Cisco Systems VPN Client Connection Status dialog box with General, Statistics and Firewall tabs, showing Bytes in, Bytes out, Packets decrypted, Packets encrypted, Packets bypassed, Packets discarded, Secured routes and Local LAN routes)
151. rtance, from highest to lowest level. The rules at the top of the table allow inbound and outbound traffic between the VPN Client and the secure gateway, and between the VPN Client and the private networks with which it communicates. For example, there are two rules in effect for each private network that the VPN Client connects to through a tunnel: one rule that allows traffic outbound and another that allows traffic inbound. These rules are part of the VPN Client software. Since they are at the top of the table, the VPN Client enforces them before examining CPP rules. This approach lets the traffic flow to and from private networks.

CPP rules defined on the VPN Concentrator are only for nontunneled traffic and appear next in the table. For information on configuring filters and rules for CPP, see VPN Client Administrator Guide, Chapter 1. A default rule, Firewall Filter for VPN Client (Default) on the VPN Concentrator, lets the VPN Client send any data out but permits return traffic in response only to outbound traffic.

Finally, there are two rules listed at the bottom of the table. These rules, defined on the VPN Concentrator, specify the filter's default action, either drop or forward. If not changed, the default action is drop. These rules are used only if the traffic does not match any of the preceding rule
152. rtificate Store display listing Pat Clark (Cisco) and Pat Clark (Microsoft), with Stores and Options menus.

What are Certificate Stores?

The Certificate Manager uses the notion of store to convey a location in your local file system for storing personal certificates. The major store for the VPN Client is the Cisco store. The Cisco store contains certificates you have enrolled for through the Simple Certificate Enrollment Protocol (SCEP). This application supports several standard enrollment protocols.

Your system also includes a Microsoft certificate store that may contain certificates that your organization provides or that you have installed previously. You can manage them just like the certificates in your Cisco store, or you can import them to your Cisco store. New certificates obtained through enrollment or importing go into the Cisco store.

There are two types of Microsoft certificates: certificates for individuals to use, and also a Microsoft certificate for your local PC itself. So if several people are using the same PC, each person can have a certificate, and there can also be a certificate for the local system (on Windows 2000 and Windows XP). On a Windows 9x system, you can only use it with Internet Explorer version 5.1 SP2. Microsoft certificates with non-exportable private keys are also available.

Enrolling for a Certificate

Enr
153. s in the table.

Note: The Cisco Integrated Client firewall is stateful in nature, where the protocols TCP, UDP, and ICMP allow inbound responses to outbound packets. For exceptions, refer to VPN Client Administrator Guide, Chapter 1. If you want to allow inbound responses to outbound packets for other protocols, such as HTTP, a network administrator must define specific filters on the VPN Concentrator.

You can move the bars on the column headings at the top of the box to expand their size; for example, to display the complete words Action and Direction rather than Act or Dir. However, each time you exit from the display and then open this status tab again, you must expand the columns again.

Default rules on the VPN Concentrator (drop any inbound and drop any outbound) are always at the bottom of the list. These two rules act as a safety net and are in effect only when traffic does not match any of the rules higher in the hierarchy.

To display the fields of a specific rule, click on the first column and observe the fields in the next area below the list of rules. For example, the window section underneath the rules in Figure 4-36 displays the fields for the rule that is highlighted in the list. A firewall rule includes the following fields:
• Action: The action taken if the data traffic matches the rule. Drop: discard the session. Forward: allow the session to go through.
• Direction: The direction of traffic to be affected by the fire
154. sparent tunneling. To use transparent tunneling, the central-site group in the Cisco VPN device must be configured to support it. For an example, refer to the VPN 3000 Concentrator Manager, Configuration > User Management > Groups > IPSec tab; refer to VPN 3000 Series Concentrator Reference Volume 1: Configuration, or Help in the VPN 3000 Concentrator Manager browser. This parameter is enabled by default. To disable this parameter, clear the check. We recommend that you always keep this parameter checked.

Then select a mode of transparent tunneling, over UDP or over TCP. The mode you use must match that used by the secure gateway to which you are connecting. Either mode operates properly through a PAT device. Multiple simultaneous connections might work better with TCP, and if you are in an extranet environment, then in general TCP mode is preferable. UDP does not operate with stateful firewalls, so in this case you should use TCP.

• Allow IPSec over UDP (NAT/PAT): To enable Allow IPSec over UDP, click the radio button. With UDP, the port number is negotiated. UDP is the default mode.
• Use IPSec over TCP (NAT/PAT/Firewall): To enable Use IPSec over TCP, click the radio button. When using TCP, you must also enter the port number for TCP in the TCP port field. This port number must match
155. stateful firewall 5-11; transparent tunneling 3-17
encryption algorithms 1-5; connection status 4-25
enrolling certificates 6-4; file request 6-11; network 6-6; in a PKI 4-11
enrollment request: changing password 6-28; completing 6-29; deleting 6-27; form 6-4; managing 6-25; pasting 6-11; resuming 6-29; viewing 6-26
Entrust certificate: configuring 3-10; connecting with 4-12; SignOn, using with start before logon 4-14; Technologies 4-11
Erase icon in log viewer 5-24
Erase User Password option 4-6, 5-7
ESP protocol: transparent tunneling 3-17; traffic, stateful firewall always on 5-11
eToken, connecting with 4-14
events: classes 5-22; collecting 5-19; severity levels 5-21; viewing and managing 5-17
exiting the VPN Client 4-32
exporting a certificate 6-23

F
F1 key, displaying help 3-1
features of VPN Client 1-3
file types for certificate enrollment 6-12
Filter icon in log viewer 5-20
filtering events 5-20
firewalls 4-29, 4-30: AYT tab 4-28; Client/Server policy 4-25, 4-27, 4-31; CPP firewall policy 4-29; filtering 4-29; ICMP protocol 4-30; matching 5-26; name on general status, notifications 5-26; policies 4-25; policy listed 4-25; rules 4-29; stateful 5-11; status 4-27; status screen 4-25; support in VPN Client 1-5; tab on status screen 4-25; TCP protocol 4-30; UDP protocol 4-30
force keepalives, ESP-aware NAT 3-18
formats, data xii

G
Genera
156. t also have split tunneling configured.
• LZS data compression, which can benefit modem users.

Authentication Features
• User authentication by way of the VPN central-site device:
  Internal, through the VPN device's database
  RADIUS (Remote Authentication Dial-In User Service)
  NT Domain (Windows NT)
  RSA (formerly SDI) SecurID or SoftID
• Certificate Manager: an application that lets you manage your identity certificates.
• Ability to use Entrust Entelligence certificates.
• Ability to authenticate using smart cards with certificates.
• Peer Certificate Domain Name Verification: prevents a client from connecting to an invalid gateway that uses a stolen but valid certificate and a hijacked IP address. If the attempt to verify the domain name of the peer certificate fails, the client connection also fails.

Firewall Features
• Support for Cisco Secure PIX Firewall platforms that run Release 6.0 and higher.

Note: Instructions on configuring the VPN Client to interoperate with Cisco Secure PIX Firewall Release 6.0 and above are available in IPSec User Guide for Cisco Secure PIX Firewall.

• Support for personal firewalls: Cisco Integrated Firewall (CIC), ZoneAlarmPro 2.6.3.57, ZoneAlarm 2.6.3.57, Zone Integrity, BlackIce Agent, and BlackIce Defender 2.5.
• Centralized Protection Policy Support
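The split tunneling and split DNS decisions described in the feature list, as an added Python example; this is not code from the guide or from the VPN Client. The gateway supplies the network list and the domain list; here they are constructor arguments, the network list is constructed, and corporate.com and myfavoritesearch.com are the guide's own example names. Because split DNS requires split tunneling, the model sends every packet, DNS queries included, through the tunnel when split tunneling is off.

```python
"""Added example (not code from the Cisco guide or the VPN Client): the
forwarding decisions behind split tunneling and split DNS as the feature
list describes them. The secure gateway supplies the list of networks whose
traffic is tunneled and the list of domains whose queries go to the
corporate DNS; everything else goes out in clear text to the Internet or to
the ISP's DNS. Split DNS requires split tunneling, so with split tunneling
off this model sends every packet, DNS included, through the tunnel.
The network list is constructed; corporate.com and myfavoritesearch.com
are the guide's own example names.
"""
from ipaddress import ip_address, ip_network


class SplitPolicy:
    def __init__(self, tunneled_networks, split_dns_domains, split_tunneling=True):
        self.networks = [ip_network(n, strict=False) for n in tunneled_networks]
        # Lower-case and strip a trailing dot so suffix matching is exact.
        self.domains = [d.lower().rstrip(".") for d in split_dns_domains]
        self.split_tunneling = split_tunneling

    def route_for(self, dst_ip):
        """'tunnel' for a pushed network (or everything when not splitting), else 'clear'."""
        if not self.split_tunneling:
            return "tunnel"
        addr = ip_address(dst_ip)
        return "tunnel" if any(addr in net for net in self.networks) else "clear"

    def dns_for(self, qname):
        """'corporate' to query the private DNS through the tunnel, 'isp' to query in clear."""
        if not self.split_tunneling:
            return "corporate"
        name = qname.lower().rstrip(".")
        for domain in self.domains:
            # Match on a label boundary: corporate.com covers mail.corporate.com
            # but must not cover evilcorporate.com.
            if name == domain or name.endswith("." + domain):
                return "corporate"
        return "isp"


def demo():
    split = SplitPolicy(["10.10.0.0/16", "192.168.50.0/24"], ["corporate.com"])
    everything = SplitPolicy([], ["corporate.com"], split_tunneling=False)
    return {
        "private_host": split.route_for("10.10.32.32"),
        "internet_host": split.route_for("198.51.100.7"),
        "corp_name": split.dns_for("www.corporate.com"),
        "corp_apex": split.dns_for("corporate.com."),
        "search_engine": split.dns_for("myfavoritesearch.com"),
        "lookalike": split.dns_for("evilcorporate.com"),
        "tunnel_all_host": everything.route_for("198.51.100.7"),
        "tunnel_all_dns": everything.dns_for("myfavoritesearch.com"),
    }
```

The label-boundary check in dns_for is the part worth keeping: a plain suffix comparison would send queries for a look-alike name such as evilcorporate.com to the corporate DNS.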
157. t display as Info/4.
• High: Includes severity levels 1 through 6, thus adding two levels of informational events, Info/5 and Info/6. This setting can lower the performance of all applications on your system, so use it only when your network administrator or a support engineer suggests that you do so.

Table 5-3 defines the classes (modules) that generate events.

Table 5-3: Classes That Generate Events in the VPN Client

Class Name    Definition
CERT          Certificate management process (CERT), which handles getting, validating, and renewing certificates from certificate authorities. CERT also displays errors that occur as you use the application.
CLI           Command Line Interface, which lets managers start and end connections, get status information, and so on through a command line rather than using the VPN Client graphical user interface.
CM            Connection manager (CM), which drives VPN connections. CM dials a PPP device, configures IKE for establishing secure connections, and manages connection states.
CVPND         Cisco VPN Daemon (main daemon), which initializes client service and controls messaging process and flow.
DIALER        Windows-only component which handles configuring a profile, initiating a connection, and monitoring it.
FIREWALL      Firewall component, which generates events relate
158. tes
Managing Enrollment Requests

Starting Certificate Manager

To get started with certificates, go to the Cisco Systems VPN Client menu, the same menu that you use to start the client, shown in Figure 6-1. Choose Start > Programs > Cisco Systems VPN Client > Certificate Manager.

Figure 6-1: Choosing Certificate Manager (Start > Programs > Cisco Systems VPN Client menu, listing Certificate Manager, Help, Log Viewer, Set MTU, Uninstall VPN Client, and VPN Dialer)

The Certificate Manager window opens (see Figure 6-2).

Figure 6-2: Certificate Manager Main Window (Cisco Systems VPN Client Certificate Manager, with Personal Certificates, CA Certificates and Enrollment Requests tabs). The window explains: Personal certificates identify you to people and hosts you communicate with and are signed by a certificate authority. A certificate authority (CA) is an organization that issues certificates. Enrollment requests are certificate requests that a CA has yet to approve. Ce
159. th from the Start menu: Start > Programs > Cisco Systems VPN Client > Log Viewer (see Figure 5-21).

Figure 5-21: Starting the Log Viewer (Start > Programs > Cisco Systems VPN Client menu, listing Certificate Manager, Help, Log Viewer, Set MTU, Uninstall VPN Client, and VPN Dialer)

The Log Viewer starts, displaying its main window (see Figure 5-22). By default the filter is set to low, so you may not see any events displayed in this window; see the section Filtering Events. For help on this window, press F1.

Figure 5-22: Log Viewer Main Window, showing the main menus (File, Options, Search, Help), the toolbars, and the log display area. Entries visible in the figure:
69  11:13:45.839  01/24/01  Sev=Info/5  ... INBOUND SPI: 0x33082BB2
70  11:13:45.839  01/24/01  Sev=Info/5  Loaded INBOUND ESP SPI: 0x33082BB2
71  11:13:45.839  01/24/01  Sev=Info/4  Additional Phase 2 SA established
72  11:13:46.460  01/24/01  Sev=Info/4  Created a new key structure
73  11:13:46.460  01/24/01  Sev=Info/4  Added key with SPI 0xfd219c33 into key list
74  11:13:46
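A parser for Log Viewer entries in the column layout visible in Figure 5-22, with a level filter that reproduces the Filtering Events settings described in the previous section (High shows levels 1 through 6; the setting below it stops at Info/4). This is an added Python example, not code from the guide or from the VPN Client. The sample entries are constructed to match the figure's layout; the SPI values and Phase 2 messages are taken from the figure, and entries 69 and 75 are invented so the filter has something to drop.

```python
"""Added example (not code from the Cisco guide or the VPN Client): a parser
for Log Viewer entries in the column layout visible in Figure 5-22
(sequence number, time, date, Sev=<name>/<level>, message), with a level
filter like the Log Viewer's. The High setting shows levels 1 through 6 and
the setting below it stops at Info/4, so max_level=6 and max_level=4
reproduce those two views. The sample entries are constructed to match the
figure's layout; the SPI values and Phase 2 messages are taken from it.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<date>\d{2}/\d{2}/\d{2})\s+"
    r"Sev=(?P<sev_name>\w+)/(?P<level>\d)\s+"
    r"(?P<message>.*\S)\s*$"
)


def parse_entry(line):
    """Return a dict for one display line, or None if the line is not an entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["seq"] = int(entry["seq"])
    entry["level"] = int(entry["level"])
    return entry


def parse_log(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]


def filter_by_level(entries, max_level):
    """Keep severities 1..max_level, as the Log Viewer filter settings do."""
    return [e for e in entries if 1 <= e["level"] <= max_level]


def count_by_severity(entries):
    return Counter(f'{e["sev_name"]}/{e["level"]}' for e in entries)


def sequence_gaps(entries):
    """Event numbers keep counting when the display is cleared or filtered,
    so missing numbers show where entries are not being displayed."""
    seqs = sorted(e["seq"] for e in entries)
    return [n for a, b in zip(seqs, seqs[1:]) for n in range(a + 1, b)]


# Constructed sample in the figure's layout (entries 69 and 75 are invented
# to give the filter something to drop; 74 is left out to show a gap; the
# last line is not an entry at all).
SAMPLE_LOG = """\
69  11:13:45.839  01/24/01  Sev=Warning/3  Constructed warning entry
70  11:13:45.839  01/24/01  Sev=Info/5  Loaded INBOUND ESP SPI: 0x33082BB2
71  11:13:45.839  01/24/01  Sev=Info/4  Additional Phase 2 SA established
72  11:13:46.460  01/24/01  Sev=Info/4  Created a new key structure
73  11:13:46.460  01/24/01  Sev=Info/4  Added key with SPI 0xfd219c33 into key list
75  11:13:46.460  01/24/01  Sev=Info/6  Constructed Info/6 entry
Log display area
"""


def demo(max_level=4):
    entries = parse_log(SAMPLE_LOG)
    shown = filter_by_level(entries, max_level)
    return {"parsed": len(entries), "shown": [e["seq"] for e in shown],
            "by_severity": dict(count_by_severity(entries)), "gaps": sequence_gaps(entries)}
```

Run demo(4) and demo(6) to compare the two filter views; sequence_gaps is useful when reviewing a saved log, since the guide notes that clearing the display does not reset event numbering.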
160. thod and complete your entries.

The Authentication tab shows Group Access Information (Name, Password, Confirm Password) and Certificate (Name, with Entelligence Certificate (Entrust) selected, and a Validate Certificate check box).

An Entrust Entelligence certificate is stored in a Profile, which you obtain when you log in to Entrust Entelligence. Choose Entelligence Certificate (Entrust) from the pull-down menu and click Next. For more information about connecting with Entrust Entelligence, see Connecting with an Entrust Certificate.

Configuring a Connection Entry for a Smart Card

If you are using a smart card or electronic token to authenticate a connection, create a connection entry that defines the certificate provided by the smart card. For example, if you are using ActivCard Gold, an accompanying certificate is in the Microsoft Certificate Store. When you create a new connection entry for using the smart card, select that certificate (see Figure 3-13).

Figure 3-13: Creating a Connection Entry for a Smart Card (Properties for wb81-certs; General, Authentication and Connections tabs). The Authentication tab reads: Your administrator may have provided you with group parameters or a digital certificate to authenticate your access to the remote server. If so, select the appropriate authentication method
161. tically. Follow the instructions as if you were installing for the first time; see Installing the VPN Client Through InstallShield.

Upgrading the VPN Client Software (MSI)

Upgrading the VPN Client software using MSI in this recommended way retains existing connection entries and their parameters. To install an upgrade of the VPN Client over an existing version on your system, use the following procedure.

Step 1: Remove any existing version of the VPN Client software through Add/Remove Programs, available from the Windows Control Panel.
Step 2: Install the VPN Client using the MSI installer, vpnclient_en.msi.

Uninstalling the VPN Client with the Uninstall Application

This option is available only if you have installed the VPN Client via InstallShield. Uninstalling the VPN Client means completely removing all VPN Client software from your computer. For example, if you are changing or upgrading your PC, you might want to uninstall the VPN Client. Also, if you are getting ready to install Cisco VPN Client 3.6 using Microsoft Windows Installer (MSI), you can run the Uninstall application to remove previous versions of the Cisco VPN Client.

Note: Do not attempt to uninstall or upgrade the VPN Client software from a mapped network drive.

Before you run the uninstall program, ma
162. ume. After you have obtained the certificate, the status screen updates to show the result (see Figure 6-10). After viewing the screen, click OK.

Figure 6-10: Receiving Status Update (Enrollment Status dialog box)

Enrolling Through a File Request

Alternatively, you can enroll by creating a file, using the same form as network enrollment (see Figure 6-3). Once you have created a request file, you can either e-mail it to the CA and receive a certificate back, or you can access the CA's website and cut and paste the enrollment request in the area that the CA provides. To enroll through a file request, use the following procedure.

Step 1: At the Enrollment (Network or File) dialog box (see Figure 6-5), click File and click Next. The Certificate Manager prompts you to choose a file type for your file request and to specify a file name (see Figure 6-11).

Figure 6-11: Choosing file type and location (Enrollment File Location dialog box). The dialog box reads: To create an enrollment request file, please select the type of file you wish to generate. Contact your network administrator if you are not sure which encoded file type is required. When you select a f
163. ur system administrator may have preconfigured much of this data; if so, he or she will tell you which items you need.
• Hostname or IP address of the secure gateway to which you are connecting
• Your IPSec Group Name (for preshared keys)
• Your IPSec Group Password (for preshared keys)
• If authenticating with a digital certificate, the name of the certificate
• If authenticating through the secure gateway's internal server, your username and password
• If authenticating through a RADIUS server, your username and password
• If authenticating through an NT Domain server, your username and password
• If authenticating through a token vendor, your username and PIN
• If authenticating through a smart card, your smart card reader PIN or passcode and the name of the certificate stored on the smart card
• If you should configure backup server connections, the hostnames or IP addresses of the backup servers

Installing the VPN Client Through InstallShield

To install the VPN Client on your system, follow these steps. We suggest you accept the defaults unless your system administrator has instructed otherwise.

Step 1: Exit all Windows programs and disable any antivirus software.
Step 2: Insert the Cisco Systems CD-ROM in your system's CD-ROM drive.
Step 3: Choose Start > Run. The Run dialog box appe
164. ur logon desktop.

Permission to Launch an Application Before Log On

Your system administrator determines whether you can launch applications and third-party dialers before you log on to a Windows NT platform. To protect system and network security, your system administrator might have disabled this feature. If this feature is greyed out, you cannot launch applications and third-party dialers before logging on to a Windows NT platform. You must have system administrator privileges to change this parameter.

Disconnecting When Logging Off of a Windows NT Platform

This parameter controls whether your VPN Client connection automatically disconnects when you log off your Windows NT system. To always automatically terminate your connection when you log off, check this parameter. This parameter is checked by default. To disable auto-disconnect while logging off, remove the check from this parameter. When you remove the check, the VPN Client displays the warning message shown in Figure 5-19.

Figure 5-19: Auto-disconnect Warning Message (Cisco Systems VPN Client): Warning: If you disable this feature, the VPN Client will not automatically disconnect your VPN connection when you log off. As a result, your computer may remain connected after logoff.

Disabling this parameter allows your connection to
165. ur system reboots, our own Cisco Systems VPN Client Setup wizard resumes. Follow the instructions on the screens and enter the following information:
• A destination folder for the VPN Client files, or click Next > to accept the default location, C:\Program Files\Cisco Systems\VPN Client.

After you have installed the VPN Client, the InstallShield Wizard displays the following screen. You must restart your computer before you can configure and use the VPN Client (see Figure 2-2).

Figure 2-2: Completing InstallShield Installation (Cisco Systems VPN Client Setup, InstallShield Wizard Complete). The screen reads: The InstallShield Wizard has successfully installed VPN Client. Before you can use the program, you must restart your computer. The "No, I will restart my computer later" option is shown, followed by: Remove any disks from their drives, and then click Finish to complete setup. Buttons: Back, Finish, Cancel.

To restart now, click Finish. Your system reboots. Be sure to remove any diskette from the drive before you reboot. To restart later, click the No radio button and then click Finish. The VPN Client Setup closes. Remember, you must restart your computer before you can use the VPN Client.

Installing the VPN Client Through Microsoft Windows Installer

Microsoft Windows Installer (MSI) is available for Windo
166. via Dial-Up Networking

If you must manually connect to the Internet, do it now. When your connection is established, skip to Authenticating to Connect to the Private Network. If your system is already connected to the Internet via Dial-Up Networking, skip to Authenticating to Connect to the Private Network.

Using the VPN Client to Connect to the Internet via Dial-Up Networking

This section describes how to connect to the Internet via Dial-Up Networking by running only the VPN Client. Your connection entry must be configured with Connect to the Internet via Dial-Up Networking enabled; see Configuring the VPN Client.

Step 1: Click Connect on the VPN Client's main dialog box (see Figure 4-1). If your credentials are not stored in the RAS database, the Dial-Up Networking User Information dialog box appears (see Figure 4-2). This dialog box varies depending on the version of Windows you are using.

Figure 4-2: Entering User Information (Dial-Up Networking User Information dialog box: Enter the username and password required for dial-up networking. Fields: User name, Password. Buttons: OK, Cancel.)

Step 2: Enter your username and password to access your ISP. These entries may be case sensitive. The Password field displays only asterisks.
Step 3: Click OK. You see the Connection History dialog box (see Figure 4-3).
167. vider. This is only an example; not all certificates are guaranteed to look like this one.

Figure 6-19: Displaying a Certificate

Digital Certificate
Common Name: Alice Wonderland
Department: International Studies
Company: University
State: Massachusetts
Country: US
Email: alicew@university.edu
Key Size: 1024
Subject: cn=Alice Wonderland, ou=International Studies, o=University, st=Massachu...
Issuer: cn=TestCA6-8, ou=QA, o=Cisco, l=Franklin, st=MA, c=US, e=wbrown@cisco...
Serial Number: 3ECFB391000100000E51
Not Before: Mon Jan 14 13:39:46 2002
Not After: Sat Aug 17 14:40:00 2002
Alt Name DNS: Dialin_Server
Alt Name Email: alicew@university.edu
Alt Name IP Addr: 10.10.10.1

A typical certificate, shown in Figure 6-19, contains the following information:
• Common Name: The name of the owner, usually the first name and last name. This field identifies the owner within the Public Key Infrastructure (PKI) organization.
• Department: The name of the owner's department, which is the same as the Organizational Unit (OU). Note that when connecting to a VPN 3000 Concentrator, the OU should generally match the Group Name configured for the owner in the VPN 3000 Concentrator.
• Company: The organization where the owner is using the certificate.
• State: The state where the owner is using the certificate
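Three checks on the fields the Certificate Manager displays, as an added Python example; this is not code from the guide or from the VPN Client. It covers the validity window (Not Before to Not After) that the Certificate Manager's Verify option reports on, the rule above that the Subject OU should match the VPN 3000 Concentrator Group Name, and the Peer Certificate Domain Name Verification feature from the feature list, modelled here as a match of the configured gateway name or address against Alt Name DNS, Alt Name IP Addr or Common Name. The display text is constructed to resemble Figure 6-19 with the truncated fields completed and the issuer simplified; the group name and peer names are assumed example values.

```python
"""Added example, not code from the Cisco guide or the VPN Client: checks on
the fields the Certificate Manager displays (Figure 6-19), written as an
administrator might script them before relying on a certificate.

Checks from the text: the current date must fall inside the Not Before ..
Not After window; for a VPN 3000 Concentrator the Subject OU should match
the configured Group Name; and Peer Certificate Domain Name Verification,
which refuses a gateway whose certificate name does not match the
configured host, is modelled as a match against Alt Name DNS, Alt Name
IP Addr or Common Name. The display text, group name and peer names below
are constructed for the example (the issuer is simplified).
"""
from datetime import datetime

DISPLAY_TIME = "%a %b %d %H:%M:%S %Y"   # layout of the Not Before / Not After fields


def parse_display(text):
    """Parse 'Field: value' lines; only the first colon separates the field name."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_dn(dn):
    """Split 'cn=Alice, ou=Eng, o=X' into a dict keyed by lower-cased attribute."""
    attrs = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            attrs[key.strip().lower()] = value.strip()
    return attrs


def validity_status(fields, now_iso):
    """Classify the certificate at an ISO date (YYYY-MM-DD or full timestamp)."""
    now = datetime.fromisoformat(now_iso)
    not_before = datetime.strptime(fields["Not Before"], DISPLAY_TIME)
    not_after = datetime.strptime(fields["Not After"], DISPLAY_TIME)
    if now < not_before:
        return "not valid yet"
    if now > not_after:
        return "expired"
    return "valid"


def ou_matches_group(fields, group_name):
    """VPN 3000: the Subject OU should match the concentrator Group Name."""
    ou = parse_dn(fields["Subject"]).get("ou")
    return ou is not None and ou == group_name


def peer_name_matches(fields, configured_peer):
    """The gateway name or address in the connection entry must appear in the certificate."""
    peer = configured_peer.strip().lower().rstrip(".")
    candidates = [fields.get("Alt Name DNS", ""), fields.get("Alt Name IP Addr", ""),
                  fields.get("Common Name", "")]
    return any(c.strip().lower() == peer for c in candidates if c)


def check_certificate(display_text, group_name, configured_peer, now_iso):
    f = parse_display(display_text)
    return {"validity": validity_status(f, now_iso),
            "ou_matches_group": ou_matches_group(f, group_name),
            "peer_name_ok": peer_name_matches(f, configured_peer)}


# Constructed display text in the Figure 6-19 layout (truncated fields completed,
# issuer simplified); not a real certificate.
SAMPLE_DISPLAY = """
Common Name: Alice Wonderland
Department: International Studies
Company: University
State: Massachusetts
Country: US
Email: alicew@university.edu
Key Size: 1024
Subject: cn=Alice Wonderland, ou=International Studies, o=University, st=Massachusetts, c=US
Issuer: cn=TestCA, o=Cisco, c=US
Serial Number: 3ECFB391000100000E51
Not Before: Mon Jan 14 13:39:46 2002
Not After: Sat Aug 17 14:40:00 2002
Alt Name DNS: Dialin_Server
Alt Name Email: alicew@university.edu
Alt Name IP Addr: 10.10.10.1
"""
```

For a real gateway certificate the peer name check is the one that matters: a valid but stolen certificate presented from a hijacked address still fails it unless the certificate was issued for the name the connection entry uses.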
168. viously checked Save Password on the User Authentication dialog box (see Figure 5-10).

Figure 5-10: Saving Password During Authentication

When the VPN device allows saving passwords on the remote site and Save Password is in effect, then Erase User Password is available on the Options menu (see Figure 5-11).

Note: If you get a "failed to authenticate" message, you should enable Erase User Password on the VPN Client and verify that your password is valid. When you attempt to connect, the VPN Client prompts you to enter your password.

Figure 5-11: Erase User Password Available (Cisco Systems VPN Client main dialog box; Connection Entry: Engineering; Host name or IP address of remote server: 10.10.32.32; Options menu listing Delete Entry, Rename Entry, Import Entry, Erase User Password, Create Shortcut, Properties, Stateful Firewall (Always On), Application Launcher, and Windows Logon Properties)

Note: The VPN Client displays Windows Logon Properties only on Windows NT, Windows 2000, and Windows XP.

To enable this feature, click Erase User Password. The VPN Client prompts you to confirm (see Figu
169. wall. Inbound: traffic coming into the PC (also called the local machine). Outbound: traffic going out from the PC to all networks while the VPN Client is connected to a secure gateway.
• Source Address: The address of the traffic that this rule affects. Any: all traffic; for example, drop any inbound traffic. This field can also contain a specific IP address and subnet mask. Local: the local machine; if the direction is Outbound, then the Source Address is local.
• Destination Address: The packet's destination address that this rule checks (the address of the recipient). Any: all traffic; for example, forward any outbound traffic. Local: the local machine; if the direction is Inbound, the Destination Address is local.
• Protocol: The Internet Assigned Numbers Authority (IANA) number of the protocol that this rule concerns: 6 for TCP, 17 for UDP, and so on.
• Source Port: Source port used by TCP or UDP.
• Destination Port: Destination port used by TCP or UDP.

Client/Server Firewall Tab

When Client/Server is the supported policy, the Firewall tab displays the name of the firewall policy, the name of the product, the user ID, session ID, and the addresses and port numbers of the firewall servers in the private network (see Figure 4-37). Zone Labs Integrity is a Client/Server firewall solution
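The rule hierarchy that the CPP Firewall tab describes (client rules for the secure gateway and two rules per tunneled private network first, CPP rules for nontunneled traffic next, the two default drop rules last) together with the stateful handling of TCP, UDP and ICMP return traffic noted earlier, as an added Python example. This is not code from the guide or from the VPN Client: the rule and packet fields follow the Firewall tab's Action, Direction, Source Address, Destination Address, Protocol and port columns, the session table is a simplified model of the Cisco Integrated Client's stateful behaviour, and the addresses, ports and CPP rule set are constructed.

```python
"""Added example (not code from the Cisco guide or the VPN Client): a
first-match evaluator for a CPP rule table in the order the Firewall tab
describes, with a small session table standing in for the Cisco Integrated
Client's stateful handling of TCP, UDP and ICMP return traffic.

Addresses, ports and the CPP rule set are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

TCP, UDP, ICMP = 6, 17, 1           # IANA protocol numbers, as the Protocol field shows them
STATEFUL = {TCP, UDP, ICMP}         # protocols whose inbound responses are allowed


@dataclass(frozen=True)
class Rule:
    action: str                     # "Forward" or "Drop"
    direction: str                  # "Inbound" or "Outbound"
    src: str = "Any"                # "Any", "Local" or an address/prefix
    dst: str = "Any"
    protocol: Optional[int] = None  # None: any protocol
    src_port: Optional[int] = None  # None: any port
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    direction: str
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int = 0
    dst_port: int = 0


def _addr_ok(spec, addr, is_local):
    if spec == "Any":
        return True
    if spec == "Local":
        return is_local
    return ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    if rule.direction != pkt.direction:
        return False
    # Outbound: the source is the local machine; Inbound: the destination is.
    return (_addr_ok(rule.src, pkt.src_ip, pkt.direction == "Outbound")
            and _addr_ok(rule.dst, pkt.dst_ip, pkt.direction == "Inbound")
            and rule.protocol in (None, pkt.protocol)
            and rule.src_port in (None, pkt.src_port)
            and rule.dst_port in (None, pkt.dst_port))


def build_table(gateway, tunneled_networks, cpp_rules):
    """Client rules first, then CPP rules, then the two default drop rules."""
    table = [Rule("Forward", "Outbound", "Local", gateway),
             Rule("Forward", "Inbound", gateway, "Local")]
    for net in tunneled_networks:          # two rules per tunneled private network
        table += [Rule("Forward", "Outbound", "Local", net),
                  Rule("Forward", "Inbound", net, "Local")]
    table += cpp_rules                     # nontunneled traffic only
    table += [Rule("Drop", "Inbound"), Rule("Drop", "Outbound")]   # safety net
    return table


@dataclass
class ClientFirewall:
    rules: list
    sessions: set = field(default_factory=set)   # outbound flows already forwarded

    def decide(self, pkt):
        # Stateful shortcut: a reply to a flow we forwarded outbound is allowed in.
        reply_key = (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.direction == "Inbound" and pkt.protocol in STATEFUL and reply_key in self.sessions:
            return "Forward"
        for rule in self.rules:                  # top of the table wins
            if rule_matches(rule, pkt):
                if rule.action == "Forward" and pkt.direction == "Outbound":
                    self.sessions.add((pkt.protocol, pkt.src_ip, pkt.src_port,
                                       pkt.dst_ip, pkt.dst_port))
                return rule.action
        return "Drop"   # not reached while the default rules are present


def demo():
    # Default CPP filter: any data out, return traffic in only for outbound flows.
    cpp = [Rule("Forward", "Outbound", "Local", "Any")]
    fw = ClientFirewall(build_table("203.0.113.1/32", ["10.10.0.0/16"], cpp))
    me, web, attacker = "192.0.2.10", "198.51.100.7", "198.51.100.9"
    return {
        "tunnel_in": fw.decide(Packet("Inbound", "10.10.32.32", me, TCP, 445, 51000)),
        "reply_without_flow": fw.decide(Packet("Inbound", web, me, TCP, 80, 52000)),
        "web_out": fw.decide(Packet("Outbound", me, web, TCP, 52000, 80)),
        "web_reply": fw.decide(Packet("Inbound", web, me, TCP, 80, 52000)),
        "unsolicited_in": fw.decide(Packet("Inbound", attacker, me, TCP, 4444, 3389)),
        "icmp_out": fw.decide(Packet("Outbound", me, web, ICMP)),
        "icmp_reply": fw.decide(Packet("Inbound", web, me, ICMP)),
    }
```

The "reply_without_flow" case is the point of the default CPP filter: the same inbound packet is dropped before the outbound request and forwarded after it, and anything inbound that matches no client rule and no session falls through to the bottom drop rule.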
170. word (Authentication tab residue: Password; Certificate Name: Alice (Cisco), Pat Clark (Cisco), Patrick Clarkson (Microsoft); Send CA Ce). When you are done with the Authentication tab, click OK or click another tab. Chapter 3: Configuring the VPN Client, Setting or Changing Connection Entry Properties. Changing Connection Settings. The Properties > Connections tab, shown in Figure 3-22, lets you set parameters that govern how you connect to the private network. You can enable and configure backup server connections and automatically launch a dial-up networking application to connect to the Internet. Figure 3-22: Changing Parameter Values from the Connections tab (Properties for Engineering; tabs: General, Authentication, Connections; Enable backup servers: 10.10.10.10, 10.10.10.12, 10.10.10.13, 10.10.10.14; Add, Remove, Move Up, Move Down; Microsoft Dial-Up Networking Phonebook Entry; Third party dial-up application: Application, Browse; OK, Cancel, Help). Enabling and Adding Backup Servers. The private network may include one or more backup VPN servers to use if the primary server is not available. Your system administrator tells you whether to enable backup servers. Information on backup servers can download automatically from the VPN Concentrator, or you can manually enter this informat
171. ws NT, Windows 2000, and Windows XP. To install the VPN Client using MSI, use the following procedure.
Step 1: Exit all Windows programs and disable any antivirus software.
Step 2: Remove any VPN client software currently on your system, including the following applications: IRE SafeNet Client, Nortel Networks VPN Client, Altiga VPN Client, Cisco VPN 3000 Client, Cisco VPN 5000 Client, Cisco VPN Client v3.0 through v3.6. To remove these applications, select Control Panel > Add/Remove Programs, select the application, and then click Add/Remove. After Windows removes the application, you must reboot your system.
Step 3: Insert the Cisco Systems CD-ROM in your system's CD-ROM drive.
Step 4: Choose Start > Run. The Run dialog box appears.
Chapter 2: Installing the VPN Client, Installing the VPN Client Through Microsoft Windows Installer.
Step 5: Enter E:\VPN Client CD-ROM\Msi\vpclient_en.exe, where E: is your system's CD-ROM drive.
Step 6: Click OK.
Note: Cisco does not allow you to install the VPN Client software from a network drive. If you attempt to do so, you receive an error message. The program displays the Cisco Systems logo and the Microsoft Installer Setup window shown in Figure 2-3. Figure 2-3: Starting MSI Installation (Cisco Systems VPN Client 3.6 Rel Setup: Welcome to the Cisco Systems VPN Client 3.6 Rel Installation Wizard). It is strongly reco