VPN Client User Guide for Windows
Contents
1. Step1 Start the VPN Client by choosing Start gt Programs gt Cisco Systems VPN Client gt VPN Client Step2 The VPN Client application starts and displays the advanced mode main window Figure 4 1 If you are not already there open the Options menu in simple mode and choose Advanced Mode or press Ctrl M Figure 4 1 VPN Client Main Window PN Client 4 6 Rel E lol x Connection Entries Status Certificates Log Options Help A LE 7 Cisco Systems tel aJ di E Connect New Import Modify Delete Connection Entries Certificates Log Connection Entry Host Transport Beta_132 63 67 72 132 IPSec Beta_134 63 67 72 134 IPSec Documentation 10 10 99 30 IPSec UDP Engineering 10 10 32 32 IPSec UDP Engineering_Cert 10 10 32 32 IPSec UDP Engineering_pre_shared 10 10 32 32 IPSec UDP 87723 Not connected i Step3 Select New from the toolbar or the Connection Entries menu The VPN Client displays a form Figure 4 2 VPN Client User Guide for Windows P42 E OL 5489 01 Chapter4 Configuring and Managing Connection Entries Choosing an Authentication Method Hi Figure 4 2 Creating a New Connection Entry YPN Client Properties for 10 86 194 173 x Connection Entry Connection4B C Description o ocumentation Concentrator i Host JH ostnameABC Authentication Transport Backup Servers Dial Up C Group Authentication Mutual Group Authentication Name ey P2. 4 Connection Entries Certificates Log Connection Enty Hs Transport 5 Beta_132 TestServer IPSec Beta_134 63 67 72 134 IPSec Documentation 10 10 99 30 IPSec TCP Documentation duplicate 10 10 99 30 IPSec TCP 6 E Engineering 10 10 32 32 IPSec UDP Engineering_Cert 10 10 32 30 IPSec UDP Engineering_pre_shared 10 10 32 33 IPSec UDP 87720 7 Connected to Engineering Connected Time 0 day s 00 00 12 ha 1 VPN Client version information 5 Display area for the main tabs 2 Menu bar 6 The currently active connection entry if the Connection Entry area is showing 3 Toolbar action buttons The buttons that are 7 Connection status bar The left side of the available depend on which tab is forward status bar shows the connection entry name and connection status When connected the right side shows the connection time for this VPN session Use the down arrow to display the number of bytes in and out and the IP address of the VPN device 4 Main tabs for managing the VPN Client Toolbar Action Buttons Advanced Mode The action buttons at the top of the VPN Client window vary depending on which tab is forward Cisco VPN Client User Guide for Windows OL 5489 01 Chapter3 Navigating the User Interface VPN Client Window Advanced Mode W e If the Connection Entries tab is forward the Connect New Import Modify and Delete buttons control operation
3. Cisco SYSTEMS Connection Entries Certi ee Enroll Connection Enty Transport verify Delete Change Certificate Password Retry Certificate Enrollment Show CA RA Certificates 87771 Not connected VPN Client User Guide for Windows lt ol 5489 01 _ Chapter 6 Enrolling and Managing Certificates Viewing a Certificate Enrolling fora Certificate Hi To display a certificate select it in the certificate store then do one of the following Open the Certificates menu and choose View Click View on the toolbar above the Certificates tab Double click the certificate Figure 6 12 shows a sample certificate from a Microsoft certificate service provider This is only an example Not all certificates are guaranteed to look like this one Figure 6 12 Viewing a Certificate YPN Client Certificate Properties for Joe Smith Common Name Department Company State Country Email MD5 Thumbprint SHA1 Thumbprint Key Size Subject Issuer Serial Number Not valid before Not valid after Change Password Joe Smith Marketing Some Company Massachusetts US jsmith somescompany com 5403B47203DDEC45F8F3C1 945985BECC FS88E 9226FDB8974C5D 2E 5E872C0D 703760002770 1024 e jsmith somescompany com cn Joe Smith ou Marketing o Some Company st Massachusetts c US e jsmith somescompany com cn Joe Smith ou Marketing o Some Company st Mass
4. PN Client Import Certificate xj Import from File Import Path Browse Import Password Import from Microsoft Certificate store Import Certificate GEM 1024 sig ou cert r Entering a new password is optional It is recommended to password protect identity certificates Cancel 87743 Step 2 Select Import from File the default Step3 Complete the Import Certificate form e Import Path The complete pathname for the certificate You can type the name or browse your file system to locate the file e Import Password This password must exactly match the password given during enrollment online or given when exported if a file including upper and lower case letters For example sKate8 is not exactly the same as Skate In online enrollment this password is kept with the certificate in file enrollment this password is not retained e New Password The password to be stored with the certificate Use this password to protect the certificate while it is in the certificate store This password is optional but we recommend that you always protect your certificate with a password e Verify Password The password that you enter here must match what you entered in the New Password field Step4 To complete the import request click Import or to cancel your request click Cancel Importing a Certificate from the Microsoft Certificate Store To import a certificate from the Microsoft Certificate st
5. Disconnecting When Logging Off of a Windows NT Platform This parameter controls whether your VPN Client connection automatically disconnects when you log off your Windows NT system To always automatically terminate your connection when you log off check this parameter This parameter is checked by default To disable auto disconnect while logging off uncheck this parameter When you uncheck the parameter the VPN Client displays the warning message shown in Figure 7 4 I OL 5489 01 VPN Client User Guide for Windows Chapter7 Managing the VPN Client W Managing Windows NT Logon Properties Figure 7 4 Auto disconnect Warning Message YPN Client xj Warning If you disable this feature the YPN Client will not automatically disconnect your YPN connection when you logoff As a result your computer may remain connected after logoff Disabling this parameter allows your connection to remain up during and after log off which allows profiles or folders to be synchronized during log off You would disable this parameter when using the Windows roaming profiles feature Note With this feature disabled you must completely shut down your system to disconnect your VPN Client connection Managing Automatic VPN Initiation Step 1 When your network administrator has configured your VPN Client for automatic VPN initiation by including it in the vpnclient ini file the Options menu includes the option Automat
6. Time The Time field shows the time of the event hour minutes seconds The hour is based on a 24 hour clock For example 15 25 09 identifies an event that occurred at 3 25 09 PM Date The date field shows the date of the event MM DD YYYY For example 2 03 2003 identifies an event that occurred on February 3 2003 Severity type level This field reports the severity type and level of the event for example Sev Info 4 which identifies an informational event severity level 4 identifies event types and severity levels VPN Client User Guide for Windows zu OL 5489 01 Chapter 7 Managing the VPN Client Table 7 1 Fields in an Event Message Viewing and Managing the VPN Client Event Log W Field Meaning Event Class Message This field shows the module or source of the event and the message identifier ID associated with the module For example TPSEC 0x63700012 Message Text A brief message describing the event Usually this message is no more than 80 characters For example Delete all keys associated with peer 10 10 99 40 direction of the transmission gt gt gt for sending and lt lt lt for receiving In a message containing arrows the arrows indicate the Table 7 2 Event Types and Severity Levels Type Level Meaning Fault 1 A system failure or nonrecoverable error Warning 2 3 Imminent system failure or a serious problem that may require user intervention
7. WE Obtaining Technical Assistance Documentation Feedback You can submit comments electronically on Cisco com In the Cisco Documentation home page click the Fax or Email option in the Leave Feedback section at the bottom of the page You can e mail your comments to bug doc cisco com You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address Cisco Systems Attn Document Resource Connection 170 West Tasman Drive San Jose CA 95134 9883 We appreciate your comments Obtaining Technical Assistance Cisco com Cisco provides Cisco com as a starting point for all technical assistance Customers and partners can obtain online documentation troubleshooting tips and sample configurations from online tools by using the Cisco Technical Assistance Center TAC Web Site Cisco com registered users have complete access to the technical support resources on the Cisco TAC Web Site Cisco com is the foundation of a suite of interactive networked services that provides immediate open access to Cisco information networking solutions services programs and resources at any time from anywhere in the world Cisco com is a highly integrated Internet application and a powerful easy to use tool that provides a broad range of features and services to help you with these tasks e Streamline business processes and improve productivity e Resolve techni
8. The VPN Client displays a dialog box prompting for the name of the application See Figure 7 2 Figure 7 2 Entering the Name of the Application PN Client Application Launcher J x To execute an application or command when establishing a connection enter the fully qualified file name and optional command line parameters associated with the application MV Enable Filename fe applications my_applicatior OK Cancel 87725 Step2 To enable the feature click Enable Step3 Either type the complete pathname of the application or click Browse to locate the application See Figure 7 2 Step4 Click Apply to activate the application or click Cancel to cancel the operation Turning Off Application Launcher To disable Application Launcher follow these steps Step1 Open the Options menu and choose Application Launcher Step2 When the Application Launcher dialog box displays click the Enable check box to uncheck it Managing Windows NT Logon Properties This section describes special logon features for the Windows NT platform which includes Windows NT 4 0 Windows 2000 and Windows XP These features include e Ability to start a connection before logging on to a Windows NT system e Permission to launch a third party application before logging on to a Windows NT system e Control over auto disconnect when logging off of a Windows NT system To access the Windows logon properties open the VPN Client Opti
9. DDNS hostname population The VPN Client sends its hostname to the VPN device when the connection is established If this occurs the VPN device can send the hostname in a DHCP request This causes the DNS server to update its database to include the new hostname and VPN Client address Application Launcher The ability to launch an application or a third party dialer from the VPN Client Uninstall package InstallShield Automatic uninstall of the 5000 VPN Client software with the InstallShield installation package Automatic dialup connection Automatic connection by way of Microsoft Dial Up Networking or any other third party remote access dialer Notifications Software update notifications from the VPN server upon connection Launching from notification Ability to launch a location site containing upgrade software from a VPN server notification Auto initiation The ability to automatically initiate secure wireless VPN connections seamlessly Virtual adapter Available on Windows 2000 and Windows XP this software only driver acts as a valid interface in the system to solve application incompatibly problems Alerts Delete with reason The VPN Client can display to the user the reason for a VPN 3000 Concentrator initiated disconnection if that information is available If the VPN 3000 Concentrator disconnects the VPN Client and tears down the tunnel the VPN Client displays a pop up w
10. Informational 4 6 Level 4 provides the most general type high level information Levels 5 and 6 provide more detailed information about the connection Filtering Events To control the amount of information collected in the log use the following procedure Step 1 To change logging settings do one of the following e Display the Log menu and choose Log Settings e Click the Log Settings icon in the toolbar above the Log tab e Click Log Settings on the Log Window The VPN Client displays the log settings dialog box See Figure 7 10 I OL 5489 01 VPN Client User Guide for Windows Chapter7 Managing the VPN Client W Viewing and Managing the VPN Client Event Log Step 2 Step 3 Figure 7 10 Displaying and Changing Log Settings b PN Client Log Settings J xj Changing logging levels will take effect immediately and will cause the current log window to be cleared IKE LOG IKE Connection Manager 1 Low z LOG CM Daemon cvpnd 1 Low z LOG CVPND User Authentication i Low z LOG XAUTH Certificates 1 Low gt LOG CERT IPSec 1 Low LOG IPSEC Command Line 1 Low gt LOG CLI GU 1 Low z LOG GUI PPP 1 Low x LOG PPP Firewalk 1 Low z LOG FIREWALL 87762 To change the filter level do the following For each of the logs you want to change click the down arrow and choose from the following options that the Log Settings dialog box displays Dis
11. and paste it here Your administrator will tell you what you need to enter here depending on the type of tokencard you are using After entering the code click OK OL 5489 01 VPN Client User Guide for Windows A Chapter5 Connecting to a Private Network HT Authenticating to Connect to the Private Network RSA User Authentication SoftID v1 x Windows NT Only and SecurlD v2 0 All Operating Systems Step 1 Step 2 Step 3 If you are using SoftID version 1 x under Windows NT or SecurID version 2 0 under any operating system the VPN Client displays an authentication window asking for your username and PIN See Figure 5 8 Figure 5 8 Authenticating Through SoftID on Windows NT 2 YPN Client User Authentication for Sdi5Group Enter Username and Password Cisco Srstems Username Fsattid50 3 A In the Username field enter your username This entry is case sensitive In the PIN field enter your SoftID or SecurID PIN The VPN Client gets the passcode from SoftID or SecurID by communicating directly with SoftID or SecurID The SoftID or SecurID application must be installed but does not have to be running on your PC After entering the PIN click OK RSA New PIN Mode Step 1 The first time you authenticate using SecurID or SoftID all operating systems or if you are using a new SecurID card and if the RSA administrator allows you to create your own PIN the authentication program asks if yo
12. 12 User Information dialog box 5 4 Diffie Hellman groups 1 7 Digital Subscriber Line see DSL direct network connection 2 2 disabling application launch before startup 7 5 automatic disconnect when logging off Windows NT 7 5 backup servers 4 11 Dial Up Networking 4 12 local LAN access 4 8 I OL 5489 01 VPN Client User Guide for Windows W index third party dial up 4 12 disconnecting automatic 7 5 private network 5 30 displaying help 3 13 software version 3 14 DNS server 1 4 documentation cautions xii notes xii domain name certificate enrollment 6 4 NT Domain authentication 5 6 DPD adjusting peer time out 4 9 keep alive mechanism DSL connection technology 1 2 modem 1 2 5 3 DUN phonebook entries 4 12 e mail address in certificate enrollment 6 4 enabling auto initiation 7 6 backup servers 4 9 local LAN access 4 8 logging on to Microsoft Network 4 6 start before logon 7 4 stateful firewall 7 1 transparent tunneling 4 7 enabling connect history display 3 3 enabling connect on open 3 10 enabling tool tips 3 3 encryption connection status 5 22 encryption algorithm 1 7 enrolling certificates 6 3 file request 6 6 ina PKI 5 10 enrollment request changing password 6 17 completing 6 18 deleting 6 17 form 6 3 managing 6 15 pasting 6 6 viewing 6 16 Entrust certificate configuring 4 5 connecting with 5 11 SignOn using with start before logon 5 12 Technologies 5 10 Erase User Pass
13. 2000 and Windows XP systems Enabling Stateful Firewall Always On The VPN Client includes an integrated stateful firewall that provides protection when split tunneling is in effect and protects the VPN Client PC from Internet attacks while the VPN Client is connected to a VPN Concentrator through an IPSec tunnel This integrated firewall includes a feature called Stateful Firewall Always On OL 5489 01 VPN Client User Guide for Windows E Chapter7 Managing the VPN Client W Launching an Application Step 1 Step 2 Stateful Firewall Always On provides even tighter security When enabled this feature allows no inbound sessions from all networks regardless of whether a VPN connection is in effect Also the firewall is active for both encrypted and unencrypted traffic There are two exceptions to this rule e DHCP which sends requests to the DHCP server out one port but receives responses from DHCP through a different port For DHCP the stateful firewall allows inbound traffic e ESP The stateful firewall allows ESP traffic from the secure gateway because ESP rules are packet filters and not session based filters For the latest information on other exceptions if any refer to Release Notes for Cisco VPN Client for Windows To enable or disable the stateful firewall use the following procedure Display the Options menu and click Stateful Firewall Always on Or right click the lock icon in the system tr
14. 3 VPN Client User Guide for Windows Pi E OL 5489 01 Enrolling Through the Network 6 3 Enrolling Through a File Request 6 6 Managing Personal and CA RA Certificates 6 8 Viewing a Certificate 6 9 Importing a Certificate File 6 10 Importing a Certificate from a File 6 10 Importing a Certificate from the Microsoft Certificate Store 6 11 Verifying a Certificate 6 12 Deleting a Certificate 6 13 Changing the Password on a Personal Certificate 6 13 Exporting a Certificate 6 14 Showing CA RA Certificates 6 15 Managing Enrollment Requests 6 15 Viewing the Enrollment Request 6 16 Deleting an Enrollment Request 6 17 Changing the Password on an Enrollment Request 6 17 Completing an Enrollment Request 6 18 Managing the VPN Client 7 1 Enabling Stateful Firewall Always On 7 1 Launching an Application 7 2 Turning Off Application Launcher 7 3 Managing Windows NT Logon Properties 7 3 Starting a Connection Before Logging on to a Windows NT Platform What Happens When You Use Start Before Logon 7 4 Turning Off Start Before Logon 7 5 Permission to Launch an Application Before Log On 7 5 Disconnecting When Logging Off of a Windows NT Platform 7 5 Managing Automatic VPN Initiation 7 6 Viewing and Managing the VPN Client Event Log 7 7 The Log Tab 7 7 Enabling or Disabling the Log 7 8 Displaying the Log Window 7 9 Filtering Events 7 11 Searching the Log File 7 13 Saving the Log File 7 13 Clearing the Events Display in the Log Window and Log Tab
15. 5489 01 DSL 1 2 5 3 ISDN 5 3 requirement 2 2 MSI 2 4 installation 2 4 maintenance dialog 2 6 repair dialog 2 6 MTU size 1 3 mutual authentication automatic installlation of root certificate 2 7 NAT 4 7 NAT Transparency 1 3 network adapter or interface card 2 2 connection direct 2 2 Network Address Translation 4 7 notifications firewall 7 15 upgrade 7 16 VPN device 7 14 NT Domain authentication 5 5 domain name 5 6 password 5 6 username 5 6 NT features logon 7 4 O options Application Launcher 7 2 auto disconnect 7 5 Automatic VPN Initiation 7 6 start before logon 7 4 Stateful Firewall Always on 7 1 Windows Logon Properties 7 3 Options menu 4 7 organizational unit in certificate enrollment 6 4 organization of this manual ix Index W P packets bypassed 5 23 decrypted 5 23 discarded 5 23 encrypted 5 23 passcode RSA authentication 5 7 passwords enrollment request changing 6 17 erasing 5 5 expiration 5 6 internal server authentication 5 5 invalid 5 5 ISP logon 5 4 NT Domain authentication 5 6 personal certificate 6 13 private key 5 1 RADIUS authentication 5 5 saving 5 5 PAT 4 7 peer certificate 1 5 peer response timeout adjusting 4 9 personal firewall see firewalls phonebook entries DUN 4 12 PIN RSA authentication 5 8 PKCS10 format 6 6 OL 5489 01 VPN Client User Guide for Windows E W index PKIs supported 2 2 5 10 Plain Old Telephone Serv
16. 7 14 7 4 Contents W VPN Client User Guide for Windows I oL 5489 01 vi E Contents Receiving Notifications From a VPN Device 7 14 Firewall Notifications 7 15 Disconnect with Reason Messages 7 15 Upgrading VPN Client Software 7 16 All Windows Platforms 7 16 Upgrade Notifications 7 16 Upgrading the VPN Client Software Using MSI 7 16 Upgrading the VPN Client Software Using InstallShield 7 17 Updating the VPN Client Software Automatically Windows 2000 and Windows XP Systems 7 20 Full Installation 7 21 Minor Update 7 21 Profile Update 7 22 appendix A Client Software License Agreement of Cisco Systems 1 Zone Labs 3 INDEX VPN Client User Guide for Windows i OL 5489 01 Audience Preface The VPN Client User Guide for Windows tells you how to install use and manage the Cisco VPN Client with Cisco Systems products This guide is for users of remote clients who want to set up virtual private network VPN connections to a central site Network administrators can also use this guide for information about configuring and managing VPN connections for remote clients We assume that you are familiar with the Windows platform and know how to use Windows applications A network administrator should be familiar with Windows system configuration and management and know how to install configure and manage internetworking systems For information specific to a network administrator see VPN Client Administrator Guide Org
17. Cisco Systems K2 Connect Not connected 87781 Figure 5 2 Connecting from Advanced Mode PN Client 4 6 Rel 0 x Connection Entries Status Certificates Log Options Help A Ras z Pd Cisco Systems ee rare Connect New Import Modify Delete Connection Entries Certificates Log Connection Entry Host Transport Beta_132 63 67 72 132 IPSec Beta_134 63 67 72 134 IPSec Documentation 10 10 99 30 IPSec UDP Engineering 10 10 32 32 IPSec UDP Engineering_Cert 10 10 32 32 IPSec UDP Engineering_pre_shared 10 10 32 32 IPSec UDP 87723 Not connected 4 Connecting to a Default Connection Entry If you have configured a default connection entry sometimes called default user or default profile the VPN Client uses this connection entry when it starts The name of this feature is Connect on Open An administrator configures this feature for you For information see the VPN Client Administrator Guide For information on setting a connection entry to be the default see Setting a Default Connection Entry VPN Client User Guide for Windows OL 5489 01 Chapter5 Connecting to a Private Network Starting the VPN Client W Connecting from Simple Mode To connect to a VPN device through simple mode follow these steps Step 1 If necessary click the drop down menu showing connection entries and choose the desired connection entry Step2 Click Connect The VPN Client dis
18. Delete Connection Profiles YPN Client Installer x 2 Do you wish to delete your existing connection profiles 87847 The wizard displays a dialog box asking whether you want to delete your existing Cisco certificates See Figure 2 7 Click Yes the default to delete them or No to retain them Figure 2 7 Uninstall Dialog Box Delete Certificates YPN Client Installer Ee gt Do you wish to delete your existing Cisco certificates I 87846 To remove the Cisco VPN Client click Next Or to halt the wizard click Cancel When you respond to this dialog box the wizard removes the Cisco VPN Client If you elected to remove your connection profiles and or certificates these files are also removed otherwise these files remain on your system To make these changes take effect you must restart your computer When it finishes uninstalling the VPN Client the wizard asks whether you want to restart your computer now or restart later Select the appropriate radio button and click Finish If you select Restart Now the wizard exits and restarts your computer If you select Restart Later the wizard simply exits Automatically Installing a Root Certificate on the VPN Client PC Step 1 Step 2 What Next Some types of authentication such as mutual or hybrid authentication require that the VPN Client s PC have a root certificate installed To have a root certificate automatically installed during installation follow
19. IPSec over UDP NAT PAT 4 8 Using IPSec over TCP NAT PAT Firewall 4 8 Allowing Local LAN Access 4 8 Adjusting the Peer Response Timeout Value 4 9 Enabling and Adding Backup Servers 4 9 Removing Backup Servers 4 10 Changing the Order of the Servers 4 10 Disabling Backup Servers 4 11 Configuring a Connection to the Internet Through Dial up Networking 4 11 Microsoft Dial up Networking 4 12 Third Party Dial up Program 4 12 Completing a Connection Entry 4 12 Setting a Default Connection Entry 4 12 Creating a Shortcut fora Connection Entry 4 13 Duplicating a Connection Entry 4 13 Modifying a Connection Entry 4 13 Deleting a Connection Entry 4 14 Importing a New Connection Entry 4 14 Erasing a Saved Password for a Connection Entry 4 15 Connecting to a Private Network 5 1 Starting the VPN Client 5 2 Connecting to a Default Connection Entry 5 2 Connecting from Simple Mode 5 3 Connecting from Advanced Mode 5 3 Authentication Alternatives 5 3 Using the VPN Client to Connect to the Internet via Dial Up Networking 5 4 Authenticating to Connect to the Private Network 5 4 Authenticating Through the VPN Device Internal Server or RADIUS Server 5 5 Authenticating Through a Windows NT Domain 5 5 Changing your Password 5 6 Authenticating Through RSA Data Security RSA SecurlD SDI 5 7 RSA User Authentication SecurlD Tokencards Tokencards Pinpads and Keyfobs and SoftID v1 0 Windows 98 and Windows ME 5 7 RSA User Authentication SoftID v1 x W
20. Install 119113 To install the update close all programs and choose Install Now To install the update when you exit from the VPN Client select Install Later VPN Client User Guide for Windows Chapter 7 Managing the VPN Client Upgrading VPN Client Software Hi Toreject the installation choose Don t Install If you choose Don t Install autoupdate prompts you again next time you start the VPN Client e A required profile update The profile update distributes new or modified profiles You can choose from only two options Install Now or Install Later To install the update close all programs and choose Install Now To install the update when you exit from the VPN Client select Install Later If you choose Install Later when you exit from the VPN Client autoupdate installs the update If the update does not succeed autoupdate displays an error message identifying the problem Figure 7 24 Automatic Installation Error Message E Autoinstall Cisco Systems YPN Client Update E Oj x The following error has occurred while updating Failed to Profile Copy Files Cisco Systems VPN Client Please contact your system administrator Cisco Systems Copyright 1998 2004 Cisco Systems Inc 119109 When this happens click Finish and then contact your system administrator I OL 5489 01 VPN Client User Guide for Windows Chapter7 Managing the VPN Client HZ
21. My Computer File name Beta_1 34 pct in Files of type Jal Files 7 Cancel ZA My Network Ps 87757 The VPN Client displays a message to let you know that the import action succeeded and places the imported profile in the Cisco Systems VPN Client Profiles directory Erasing a Saved Password for a Connection Entry You or your administrator might have configured an entry to save the authentication password on your PC so you do not have to enter a password when you are connecting to the VPN device Normally we recommend that you not use this feature because storing the password on the PC can compromise security and requiring a password to authenticate you every time you attempt to connect to the VPN device is fundamental to maintaining security on the private network However there may be reasons for temporarily bypassing the authentication dialog box for example when you want to create a batch file for your PC to log in to a VPN device to accomplish some task that requires using the private network behind the VPN device If there is a password saved on your system and authentication fails your password might be invalid To eliminate a saved password you need to modify the connection entry profile use the following procedure Step 1 Select a connection entry in the display underneath the Connection Entries tab Step2 To modify the selected connection entry do one of the following actions e Display th
22. Network W Viewing Connection Information Viewing Tunnel Details To display information about your IPSec tunnel pull down the Status menu and choose Statistics Then click the Tunnel Details tab The VPN Client shows IP security information listing the IPSec statistics for this VPN tunnel to the private network Figure 5 31 Viewing Tunnel Information x Route Details Firewall Address Information Connection Information Client 200 200 100 50 Entry Engineering Server 10 10 32 32 Time 2 day s 00 31 48 Bytes Crypto Received 311360 Encryption 168 bit 3 DES Sent 841656 Authentication HMAC MD5 Packets Transport Encrypted 5560 Transparent Tunneling Inactive Decrypted 5560 Local LAN Disabled Discarded 56272 Compression None Bypassed 19580 Close 87850 The statistics are the following e Address Information Client IP address The IP address assigned to the VPN Client for the current session Server IP address The IP address of the VPN device to which the VPN Client is connected e Connection Information Connection Entry The name of the profile you are using to establish the connection Time Length of time the connection has been up e Bytes Received The total amount of data received after a secure packet has been successfully decrypted Sent The total amount of encrypted data transmitted through the tunnel e Crypto Encryption The data encryption method for traffi
23. Note This parameter appears only on VPN Clients installed on systems running Windows 98 and Windows ME For information on logging on to Windows NT and Windows 2000 systems see the section Starting a Connection Before Logging on to a Windows NT Platform If you do not need or do not have privileges for Microsoft Windows resources on the private network disable this parameter For example if you require only FTP access to the private network you could disable this parameter If you enable this parameter click one of the radio buttons to choose the logon process e Use default system logon credentials Use the Windows logon username and password on your PC to log on to the private network With this option you do not need to manually enter your logon username and password each time you connect to the private network This is the default selection e Prompt for network logon credentials The private network prompts you for a username and password to use its resources If the logon username or password on your PC differs from those on the private network use this option VPN Client User Guide for Windows mae W OL 5489 01 Chapter 4 Configuring and Managing Connection Entries Configuring Transparent Tunneling W Configuring Transparent Tunneling Next configure the transparent tunneling by completing the fields on the Transport tab Figure 4 4 Figure 4 4 Configuring Transport Parameters P
24. OU The OU is the same as the Group Name configured in a VPN 3000 Series Concentrator for example Company The name of the company or organization O to which you belong for example University State The name of your state ST for example Massachusetts Country The 2 letter country code for your country C for example US This two letter country code must conform to ISO 3166 country abbreviations Email Your email address e for example alicew university edu IP Address The IP address of your system for example 10 10 10 1 Domain The Fully Qualified Domain Name of the host for your system for example Dialin_Server Together all these fields except IP address and domain comprise your distinguished name DN VPN Client User Guide for Windows lt ol 5489 01 _ Chapter 6 Enrolling and Managing Certificates Step 5 Enrolling for a Certificate Hi To complete the enrollment click Enroll Or to edit the form click Back What happens next depends on your CA e Some CAs provide immediate response If so you see a message that your enrollment succeeded You can view and manage the certificate under the Certificates tab e Ifthe enrollment status is Request pending your CA does not immediately approve your request You see a status pending pop up window Figure 6 4 Figure 6 4 Enrollment Request Pending Message xi i Certificate enrollment is now pending To continue the cur
25. Remove Programs control panel and select Cisco VPN Client See Figure 2 4 Figure 2 4 Removing Cisco VPN Client Currently installed programs Sort by Name X Change or Click here For support information Used frequently Remove LastUsedOn 3 28 2003 Programs To change th it pii oc is program or remove it from your computer clic Change or Remove _ change Remove fH DellTouch Size 1 67MB Add New Directory Band Shell Extension i Documentum WorkSpace 3 2 Programs amp El HTML Help Workshop AddiRenove ie Intel Ultra ATA Storage Driver Windows i Microsoft IntelliPoint Components e Microsoft Internet Explorer 5 5 SP2 amp F Microsoft Office 2000 Premium 87844 Click Remove You see a dialog box asking you to confirm that you want to remove the VPN Client from your PC See Figure 2 5 Figure 2 5 Uninstall Confirmation Dialog Box Add Remove Programs XI Q 4re you sure you want to remove Cisco Systems YPN Client 4 0 Beta_4 From your computer Yes No 87842 Click Yes The Installer displays a dialog box Figure 2 6 asking whether you want to delete your existing connection profiles Click Yes the default if you want to remove your connection profiles or No to retain them VPN Client User Guide for Windows EN a Chapter2 _ Installing the VPN Client Step 5 Step 6 Step 7 Installing the VPN Client Through Microsoft Windows Installer W Figure 2 6 Uninstall Dialog Box
26. Statistics Then click the Route Details tab I OL 5489 01 VPN Client User Guide for Windows Chapter5 Connecting to a Private Network WE Viewing Connection Information Figure 5 32 Viewing Routing Information amp PN Client Statistics x Si Firewall Tunnel Details iF Local LAN Routes Secured Routes Subnet Mask Subnet Mask 10 10 32 32 255 255 255 255 0 0 0 0 87779 Close In Figure 5 32 the columns show the following types of information Local LAN Routes The Local LAN Routes box shows the network addresses of the networks you can access on your local LAN while you are connected to your organization s private network through an IPSec tunnel You can access up to 10 networks on the client side of the connection A network administrator at the central site must configure the networks you can access from the client side For information on configuring Local LAN Access on the VPN 3000 Concentrator refer to VPN Client Administrator Guide Chapter 1 e Network tThe IP address of the excluded route e Subnet Mask The subnet mask of the IP address for this route Secured Routes The Secured Routes box shows the following information e Network The IP address of the remote private network with which this VPN Client has a security association SA e Subnet Mask The subnet mask of the IP address for this SA Firewall Tab The Firewall tab displays information about the V
27. Upgrading VPN Client Software VPN Client User Guide for Windows 724 E OL 5489 01 APPENDIX A Copyrights and Licenses Client Software License Agreement of Cisco Systems THE SOFTWARE TO WHICH YOU ARE REQUESTING ACCESS IS THE PROPERTY OF CISCO SYSTEMS THE USE OF THIS SOFTWARE IS GOVERNED BY THE TERMS AND CONDITIONS OF THE AGREEMENT SET FORTH BELOW BY CLICKING YES ON THIS SCREEN YOU INDICATE THAT YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THAT AGREEMENT THEREFORE PLEASE READ THE TERMS AND CONDITIONS CAREFULLY BEFORE CLICKING ON YES IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THE AGREEMENT CLICK NO ON THIS SCREEN IN WHICH CASE YOU WILL BE DENIED ACCESS TO THE SOFTWARE Ownership of the Software 1 The software contained in the Cisco Systems VPN Client the Software to which you are requesting access is owned or licensed by Cisco Systems and is protected by United States copyright laws laws of other nations and or international treaties Grant of License 2 Cisco Systems hereby grants to you the right to install and use the Software on an unlimited number of computers provided that each of those computers must use the Software only to connect to Cisco Systems products and subject to export restrictions in paragraph 4 hereof You may make one copy of the Software for each such computer for the purpose of installing the Software on that computer The Software is licensed for use only with Cisco Sys
28. VPN Initiation Step 3 Figure 5 28 Setting Auto Initiation Parameters b PN Client Automatic PN Initiation x MV Enable automatic YPN initiation Retry Interval p 1 to 10 minutes ow ea 87729 Click to remove the check mark from Enable and click OK The log displays a message Auto initiation has been disabled and auto initiation terminates Note Unchecking Enable does not remove Automatic VPN Initiation option from the Options menu This option always shows up in the menu as long as the feature has been configured by your network administrator Disabling While Suspended Step 1 Step 2 Step 3 Alternatively when auto initiation is suspended and you want to disable it follow these steps Right click the yellow lock icon in the system tray Select Disable Auto initiation The VPN Client displays a message asking whether you are sure that you want to disable auto initiation To completely disable auto initiation and eliminate further automatic retries click Yes To cancel the action and keep auto initiation enabled click No Restarting After Disabling Automatic VPN Initiation Step 1 Step 2 Step 3 Step 4 When you want to restart auto initiation follow these steps Launch the VPN Client from the Start gt Programs gt Cisco Systems VPN Client menu Click Options Select Automatic VPN Initiation Check the Enable check box set the retry interval and click OK The log shows th
29. authentication window perform the following steps The title bar identifies the connection entry name Figure 5 5 Authenticating Through an Internal or RADIUS Server YPN Client User Authentication for NtGroup 24x Enter Username and Password Cisco SYSTEWS Usemame fuser SOSOSC CS S Password 1 I Save Password 87709 Step 1 In the Username field enter your username This entry is case sensitive Step2 In the Password field enter your password This entry is case sensitive The field displays only asterisks Step3 Click OK Note If you cannot choose the Save Password option your administrator does not allow this option If you can choose this option be aware that using it might compromise system security since your password is then stored on your PC and is available to anyone who uses your PC If Save Password is checked and authentication fails your password may be invalid To eliminate a saved password go to advanced mode and click Erase User Password Proceed to the section Viewing Connection Information Authenticating Through a Windows NT Domain To display the Windows NT Domain user authentication window perform the following steps The title bar identifies the connection entry name VPN Client User Guide for Windows oL 5489 01 g 5s Chapter5 Connecting to a Private Network HT Authenticating to Connect to the Private Network Figure 5 6 Authenticating Throug
30. certificates installed on your system If this is not the case then you need to obtain a digital certificate In many cases the network administrator of your organization can provide you with a certificate If not then you can obtain one by enrolling with a PKI directly using the Certificate Manager application or you can obtain an Entrust profile through Entrust Entelligence Currently we support the following PKIs e UniCERT from Baltimore Technologies www baltimoretechnologies com e Entrust PKI from Entrust Technologies www entrust com e Versign Www verisign com e Microsoft Certificate Services in Microsoft Windows 2000 Server e Cisco Certificate Store The Web sites listed in parentheses in this list contain information about the digital certificates that each PKI provides The easiest way to enroll in a PKI or import a certificate is to use the Certificate Manager see Enrolling and Managing Certificates or Entrust Entelligence see Entrust documentation Every time you connect using a certificate the VPN Client verifies that your certificate has not expired If your certificate is within one month of expiring the VPN Client displays a message when you attempt to connect or when you use the Properties option The message displays the certificate common name the not before date the not after date and the number of days until the certificate expires or since it has expired What happens when you pres
31. click Save or Cancel Figure 7 12 Saving a Log File Save in E VPN Client e ct Ea Certificates MsiHelper exe Logs P ppptool exe History Profiles 9 qt mt311 dll P Resources LASetMTU exe G Setup vch html Desktop cvpnd exe vpnelient exe FAULTLOG TXT vpnelient ini B InstHelper dll a vpngui exe My Documents 5 internal ini ipsecdialer exe ipseclog exe My Network Pee File name E Save as type fal Files Cancel ZL 87760 Clearing the Events Display in the Log Window and Log Tab To eliminate all the events currently displayed in the Log Window and the Log tab do one of the following e Click the Clear icon in the toolbar above the Log tab e Open the Log menu and choose Clear e Click Clear on the Log Window Clearing the log display does not reset event numbering nor does it clear the log file itself Receiving Notifications From a VPN Device The VPN device secure gateway through which you connect to the private network at your organization can send you notifications You can receive a notification from your network administrator when it is time to update the VPN Client software when the VPN device detects that a required firewall is not running or when the VPN Client receives a disconnect with reason notification Other notifications are essentially documentary and can include connection history client disconnect notices and an administrator defined banne
32. completely remove Cisco Systems Inc YPN Client and all of its components 60822 To completely remove the VPN Client software from your system click Yes Otherwise click No Next the Uninstall Wizard asks if you want to delete your connection profiles See Figure 7 19 Figure 7 19 Confirming Your Connections YPN Client Installer 2 Do you wish to delete your existing connection profiles 87785 To preserve your connection profiles which contain configured connection entries click No Then the Uninstall Wizard asks if you want to delete your certificates See Figure 7 20 I OL 5489 01 VPN Client User Guide for Windows Chapter7 Managing the VPN Client HZ Upgrading VPN Client Software Step 4 Step 5 Figure 7 20 Confirming Your Certificates YPN Client Installer Ee 7 Do you wish to delete your existing Cisco certificates 87784 To keep your certificates click No Finally the Uninstall Wizard prompts you to restart your system To complete the uninstallation you must restart your system To restart your system click Yes the default and then click Finish The installation program restarts your system Be sure to remove any diskette from its drive before you restart your system Note When you uninstall the VPN Client software and you have clicked yes to remove your certificate and profile directories the vpnclient ini and log files remain on your system Since these
33. completing all the information click Export The VPN Client displays a message indicating whether your certificate export was successful Managing Enrollment Requests Showing CA RA Certificates You can view but not modify the current list of CA and RA certificates by selecting Show CA RA Certificates from the Certificates menu The VPN Client displays the list in a new window Figure 6 19 Figure 6 19 CA RA Certificates List VPN Client 4 6 Rel 0 x Connection Entries Status Certificates Log Options Help F f View Import Connection Entries Certificate 5 wb web enroll localmachine wb scep cert from mssub DE Export wb ID from msmsub ou cert 1024 ne wb activ sub 1024 both TestCASub TestCA6 8 ms sub1 sha 06 2001 GEM 1024 sig ou cert E g Ey Enroll Verify Log Microsoft Machine 512 Cisco 1024 Microsoft 1024 Microsoft 1024 512 512 512 1024 1024 1024 1024 512 Request 1024 Microsoft 1024 Delete Validity until Jan 27 2004 16 53 26 until Jun 4 2003 14 15 49 until Jun 4 2003 14 15 49 until Jun 4 2003 14 15 49 until Mar 26 2003 16 24 21 until Mar 25 2004 16 16 23 until Jun 4 2003 14 15 49 until Jun 4 2003 14 15 49 until Jun 4 2003 14 15 49 until Jun 4 2003 14 19 49 until Jun 4 2003 14 19 48 until Jun 4 2022 10 01 30 until Apr 18 2003 17 58 53 until Jun 4 2003 14 15 49 Cisco SYSTEMS Connected to wb3030 2 Managing Enrollment Requests W
34. corporate PC whenever you are connected to your home network whether that network is a wireless or a wired LAN The VPN Client lets you know when your connection is auto initiating and informs you of various stages in the process of an auto initiated connection You can suspend resume disconnect or disable auto initiation When you disconnect or the connection attempt fails the VPN Client automatically retries auto initiation using a configured interval called the retry interval From The VPN Client Options menu you can disable auto initiation and you can change the interval between connection attempts Enabling Automatic VPN Initiation After you have established a connection right click the yellow lock icon in the system tray and select Enable Auto initiation from the menu that appears see Figure 5 21 VPN Client User Guide for Windows Ea OL 5489 01 Chapter 5 Connecting to a Private Network Connecting Through Automatic VPN Initiation Figure 5 21 Enabling Auto Initiation VPN Client Statistics LogViewer Notifications Disconnect Enable Auto initiation StatefulFirewall About 87728 Using Automatic VPN Initiation The VPN Client displays a dialog box Figure 5 22 asking whether you want to enable auto initiation and asking you to specify the number of minutes between retries Figure 5 22 Auto Initialization Dialog a YPNClient Automatic PN Initiation V Enable automati
35. disable using backup servers uncheck the Enable backup server s check box Configuring a Connection to the Internet Through Dial up Networking To connect to a private network using a dial up connection perform the following steps Step 1 Use a dial up connection to your Internet service provider ISP to connect to the Internet Step2 Use the VPN Client to connect to the private network through the Internet To enable and configure this feature check the Connect to the Internet via dial up check box This feature is not checked by default See Figure 4 7 Figure 4 7 Connecting to the Internet Through Dial up Connection Entry Engineering Description Connection to Engineering Server A Host Serve oston Authentication Transport Backup Servers Dial Up V Connect to Internet via dial up Microsoft Dial Up Networking Phonebook Entry v Third party dial up application Application Browse Erase User Password Cancel 87753 You can connect to the Internet using the VPN Client application in either of the following ways e Microsoft Dial up Networking DUN e Third party dial up program VPN Client User Guide for Windows oL 5489 01 EZIN Chapter4 Configuring and Managing Connection Entries HZ Completing a Connection Entry Microsoft Dial up Networking If you have DUN phonebook entries and have enabled Connect to the Internet via dial up Microsoft Dial up Network
36. entry name and choose Duplicate The VPN Client enters the duplicate into the list as name duplicate Step3 To change the name of the duplicate connection entry follow these steps a Right click on the new connection entry b Choose Modify from the menu c Type a new name into the Connection Entry box Step 4 To save the new name click Save or to cancel the change click Cancel Modifying a Connection Entry To change your connection entry settings perform the following steps Step 1 Select a connection entry in the list underneath the Connection Entries tab Step2 To modify the selected connection entry do one of the following actions e Display the Connection Entries menu and choose Modify e Click the Modify icon on the toolbar above the Connection Entries tab e Right click the selected entry and choose Modify from the menu Step3 Modify the information in the fields you want to change VPN Client User Guide for Windows oL 5489 01 ESEN Chapter4 Configuring and Managing Connection Entries HZ Deleting a Connection Entry Step 4 To save your changes click Save or to cancel your changes click Cancel Deleting a Connection Entry Step 1 Step 2 Step 3 To delete a connection entry use the following procedure Select a connection entry in the display underneath the Connection Entries tab To delete the selected entry do one of the following actions e Display the Connection Entries menu and choose
37. files were generated after you installed the software they are not removed when you uninstall the software You must remove them manually Updating the VPN Client Software Automatically Windows 2000 and Windows XP Systems Beginning with VPN Client Release 4 6 the VPN Client software can install new releases updates to releases and new or modified profiles automatically on Windows 2000 and Windows XP systems For information on how to manage this feature refer to VPN Client Administrator Guide Autoupdate can reduce or eliminate the need for rebooting during installation For MSI installation autoupdate removes the old version of the VPN Client software automatically and then resumes installation in the same manner as InstallShield When a new version or update is available the autoupdate program displays a dialog for an example see Figure 7 21 that lets you choose to install it right away install it later or not to install the package at all In the later case however every time you connect to the VPN Concentrator you see the dialog asking you to install the update until you finally install it If an administrator requires that you install the update your choices are limited to Install Now or Install Later VPN Client User Guide for Windows e720 E OL 5489 01 Chapter7 Managing the VPN Client Upgrading VPN Client Software Hi Figure 7 21 Automatic Installation Full Install E Autoinstall Cisco Systems YPN
38. in Figure 3 15 Figure 3 15 Displaying Version from Right Click Menu YPN Client Stateful Firewall Always On Exit YPN Client 87777 wy Note The menu you see when you are not connected differs from the menu that displays when the connection is active but you can display version information from both menus e From the Help menu as follows Step 1 Click Help Step2 Select About VPN Client Cisco VPN Client User Guide for Windows E TE CHAPTER l Configuring and Managing Connection Entries This chapter explains how to configure a connection entry for the VPN Client The VPN Client uses a connection entry to identify and connect securely to a specific private network To configure a connection entry you enter values for a set of parameters which include a name and description for the connection the name or address of the VPN device remote server and information that identifies you to the VPN device Note If your system administrator has completely configured your connection entry for you you can skip this chapter and go directly to Connecting to a Private Network This chapter explains the following configuration tasks e What Is a Connection Entry e Creating a New Connection Entry e Choosing an Authentication Method e Configuring Microsoft Network Access Windows 98 and Windows ME e Configuring Transparent Tunneling e Enabling and Adding Backup Servers e Configuring a Connection
39. password to access their site If such is the case with this CA enter the password in the Challenge Password field To find out the password contact the CA or your network administrator New Password The password that protects this certificate If your connection entry requires certificate authentication you must enter this password each time you connect The password can be up to 32 characters in length Passwords are case sensitive For example sKate8 and Skate8 are different passwords Step4 Click Next The VPN Client displays page two of the enrollment request Figure 6 3 Figure 6 3 Online Enrollment Form Page Two PN Client Certificate Enrollment xj Enter certificate fields denotes a required field Name EN oesmh ti iti UO Department OU Marketing Company 0 Some Compay SS State ST Massachusetts Country C US Email E Jismith somecompary com IP Address CF Domain Jsomecompary com Back Enroll Cancel 87736 Common Name Your common name CN which is the unique name for this certificate This field is required The common name can be the name of a person system or other entity it is the most specific level in the identification hierarchy The common name becomes the name of the certificate for example Alice Wonderland Department The name of the department to which you belong for example International Studies This field correlates to the Organizational Unit
40. software update The message happens because Entrust wants to verify that it is acceptable for the VPN Client to access your Entrust profile Figure 5 16 Entrust Security Warning Entrust Security Warning Cisco Systems PN Client 2 Cisco Systems YPN Client is trying to access Entrust Do you wish to continue Yes Details gt gt Step4 At the warning message click Yes to continue 607 dd You can now use your Entrust certificate for authenticating your new connection entry Entrust Inactivity Timeout If you have a secure connection and you see a padlock next to the Entelligence icon in the Windows system tray Entelligence has timed out However you have not lost your connection If you see the Entelligence icon with an X next to it you are logged out of Entrust and you did not have a secure connection initially To make a new connection start from the beginning see Accessing Your Profile Using Entrust SignOn and Start Before Logon Together Entrust SignOn is an optional Entrust application that lets you use one login and password to access Microsoft Windows and Entrust applications This application is similar to start before logon which is a VPN Client feature that enables you to dial in before logging on to Windows NT For information about start before logon see Starting a Connection Before Logging on to a Windows NT Platform VPN Client User Guide for Windows OL 5489 01 C
41. these steps Place the root certificate in a file named rootcert without an extension Place the rootcert file in your installation directory When the VPN Client software is installed on your PC to configure it see Configuring and Managing Connection Entries I OL 5489 01 VPN Client User Guide for Windows Chapter 2 Installing the VPN Client HZ Installing the VPN Client Through Microsoft Windows Installer VPN Client User Guide for Windows P28 W OL 5489 01 CHAPTER Navigating the User Interface This chapter describes the main VPN Client window and the tools tabs menus and icons for navigating the user interface This chapter contains the following sections e Configuring the VPN Client for Accessibility e Choosing a Run Mode e VPN Client Window Simple Mode e VPN Client Window Advanced Mode e Toolbar Action Buttons Advanced Mode e Main Tabs Advanced Mode e Menus Advanced Mode e Right Click Menus e How to Get Help Configuring the VPN Client for Accessibility You can activate accessibility features in the VPN Client for Windows user interface Accessibility features include the following e No system tray icon When connected the VPN Client is minimized and you can access it with the key combination Alt Tab e Sound and visual notifications for all dialogs and text edit boxes e Sound and visual notifications when connecting and disconnecting To activate the accessibility
42. to the Internet Through Dial up Networking e Completing a Connection Entry e Setting a Default Connection Entry e Creating a Shortcut for a Connection Entry e Duplicating a Connection Entry e Modifying a Connection Entry e Deleting a Connection Entry e Importing a New Connection Entry VPN Client User Guide for Windows oL 5489 01 EN Chapter4 Configuring and Managing Connection Entries W What Is a Connection Entry What Is a Connection Entry To use the VPN Client you must create at least one connection entry which identifies the following information e The VPN device the remote server to access e Preshared keys The IPSec group to which the system administrator assigned you Your group determines how you access and use the remote network For example it specifies access hours number of simultaneous logins user authentication method and the IPSec algorithms your VPN Client uses e Certificates The name of the certificate you are using for authentication e Optional parameters that govern VPN Client operation and connection to the remote network You can create multiple connection entries if you use your VPN Client to connect to multiple networks though not simultaneously or if you belong to more than one VPN remote access group For connection entry parameters see Gathering Information You Need Creating a New Connection Entry Use the following procedure to create a new connection entry
43. tunnel to domains served by the corporate DNS The VPN server supplies a list of domains to the VPN Client for tunneling packets to destinations in the private network For example a query for a packet destined for corporate com would go through the tunnel to the DNS that serves the private network while a query for a packet destined for myfavoritesearch com would be handled by the ISP s DNS This feature is configured on the VPN server and enabled on the VPN Client by default To use Split DNS you must also have split tunneling configured LZS data compression A feature that benefits modem users VPN Client IPSec Attributes The VPN Client supports the IPSec attributes listed in Table 1 6 Table 1 6 IPSec Attributes IPSec Attribute Description Main Mode and Aggressive Mode Ways to negotiate phase one of establishing ISAKMP Security Associations SAs Authentication algorithms e HMAC Hashed Message Authentication Coding with MD5 Message Digest 5 hash function e HMAC with SHA 1 Secure Hash Algorithm hash function Authentication Modes e Preshared Keys e Mutual Group Authentication e X 509 Digital Certificates Diffie Hellman Groups e Group 1 768 bit prime modulus e Group 2 1024 bit prime modulus e Group 5 1536 bit prime modulus Encryption algorithms e 56 bit DES Data Encryption Standard e 168 bit Triple DES e AES 128 bit and 256 bit Extended Authentication XA
44. uninstall a previous version of the VPN 3000 Client or the Cisco 5000 VPN Client Follow the instructions on the uninstall wizard dialog boxes to automatically uninstall the program and reboot After your system reboots the Cisco Systems VPN Client Setup wizard resumes Follow the instructions on the screens and enter the following information A destination folder for the VPN Client files or click Next gt to enter the default location C Program Files Cisco Systems VPN Client After you have installed the VPN Client the InstallShield Wizard displays the following screen You must restart your computer before you can configure and use the VPN Client See Figure 2 2 Figure 2 2 Completing InstallShield Installation Cisco Systems YPN Client Setup InstallShield Wizard Complete The InstallShield Wizard has successfully installed YPN Client Before you can use the program you must restart your computer C No will restart my computer later Remove any disks from their drives and then click Finish to complete setup 67529 e To restart now click Finish Your system reboots Be sure to remove any diskette from the drive before you reboot e To restart later click the No radio button and then click Finish The VPN Client Setup closes Remember you must restart your computer before you can use the VPN Client Installing the VPN Client Through Microsoft Windows Installer Microsoft Windows Installer MSI is av
45. 489 01 VPN Client User Guide for Windows W index username internal server authentication 5 5 ISP logon 5 4 NT Domain authentication 5 6 RADIUS authentication 5 5 RSA authentication 5 7 5 8 V verifying a certificate 6 12 version VPN Client displaying 3 14 viewing certificate 6 9 connection status 5 21 enrollment request 6 16 Virtual Private Network VPN defined 1 1 VPN defined 1 1 VPN Client applications 1 1 event log 7 7 features 1 2 installing 2 1 menus 3 6 software updates 7 16 7 17 version 3 14 window 3 4 VPN Client API 1 5 VPN Client version 3 6 removing 2 6 VPN device authentication using internal server 5 5 backup 4 9 Cisco 1 1 DPD 4 9 hostname 4 3 IP address 4 3 notifications 7 14 VPN Dialer closing 5 30 main dialog box 4 2 wW Windows NT logon properties 7 3 platforms requirement 2 1 window settings 3 3 3 10 WLANs auto initiation 5 15 X X 509 DER file 6 6 XAUTH extended authentication 1 7 Z Zone Labs Integrity 5 25 5 29 E VPN Client User Guide for Windows OL 5489 01
46. C resource that you choose is based on the priority of the problem and the conditions of service contracts when applicable Cisco TAC Web Site You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself saving both cost and time The site provides around the clock access to online tools knowledge bases and software To access the Cisco TAC Web Site go to this URL http www cisco com tac All customers partners and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site The Cisco TAC Web Site requires a Cisco com login ID and password If you have a valid service contract but do not have a login ID or password go to this URL to register http www cisco com register If you are a Cisco com registered user and you cannot resolve your technical issues by using the Cisco TAC Web Site you can open a case online by using the TAC Case Open tool at this URL http www cisco com tac caseopen If you have Internet access we recommend that you open P3 and P4 cases through the Cisco TAC Web Site Cisco TAC Escalation Center The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues These classifications are assigned when severe network degradation significantly impacts business operations When you contact the TAC Escalation Center with a P1 or P2 problem a Cisco TAC engineer automatically opens a case To obtain a
47. Cisco SYSTEMS VPN Client User Guide for Windows Release 4 6 August 2004 Corporate Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Customer Order Number DOC OL 5489 01 Y THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE ALL STATEMENTS INFORMATION AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California Berkeley UCB as part of UCB s public domain version of the UNIX operating system All rights reserved Copyright 1981 Regents of the University of California NOTWITHSTANDING ANY OTHER WARRANTY HEREIN ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS CISCO AND THE ABOVE NAMED SUPPLIERS DISCLAIM ALL WARRANTIES EXPRESSED OR IMPLIED INCLUDING
48. Client Update Oj x Full Install has been downloaded Choose one of the options below Choosing Install Now requires you to Cisco Systems VPN Client reboot Install Now closes your YPN connection exits the VPN client and installs the update immediately Before installing the update you should close all programs Install Later defers installing the update until after the VPN Client has exited Don t Install will not install the update Copyright 1998 2004 Cisco Systems Inc Install Now Install Later Don t Install Cisco SYSTEMS 119110 There are three types of automatic installs Full Installation minor update profile update Full Installation For a major update you do a full installation Full installations can be either optional or required Major updates require a reboot e An optional full installation The update package is a new major release Figure 7 21 shows your choices Install Now Install Later Don t Install To install the update close all programs and choose Install Now To install the update when you exit from the VPN Client select Install Later To reject the installation choose Don t Install If you choose Don t Install autoupdate prompts you again next time you start the VPN Client e A required full installation The update package is a major update You can choose from only two options Install Now or Install Later To install the update close all pro
49. Delete e Click the Delete icon on the toolbar above the Connection Entries tab e Right click the selected entry and choose Delete from the menu To confirm the deletion choose Delete from the pop up window or to cancel the deletion and keep the connection entry choose Do not Delete Importing a New Connection Entry Step 1 Step 2 Your network administrator might have created other connection entry profiles for you To use such a profile you must first import that profile to the Profiles directory on your PC To import a new connection entry profile from a file use the following procedure Either display the Connection Entries menu and choose Import or click the Import icon on the toolbar above the Connection Entries tab The VPN Client displays the Import VPN Connection dialog box Type the file name a file with a pcf extension in the File Name box or browse to find the file you want to import Figure 4 8 VPN Client User Guide for Windows nana OL 5489 01 Chapter4 Configuring and Managing Connection Entries Erasing a Saved Password for a Connection Entry W Figure 4 8 Choosing a Profile to Import PN Client Select connection entry to import 2 x Look in A My Documents e ex EJ My Documents My Pictures a Beta _132 pcf T oenm sealat h ocumentation pcf Desktop a Engineering pcf Engineering_Cert pc a Engineering _pre_shared pcf History My Documents a
50. Don t Install If you choose Don t Install autoupdate prompts you again next time you start the VPN Client e A required minor update The update package is a minor update You can choose from only two options Install Now or Install Later To install the update close all programs and choose Install Now To install the update when you exit from the VPN Client select Install Later If you choose Install Later when you exit from the VPN Client autoupdate installs the update Profile Update Profile updates distribute new and or modified user profiles and can also contain updated software Profile updates can be either optional or required They may or may not require a reboot e An optional profile update The profile update distributes new or modified profiles Figure 7 23 shows your choices Install Now Install Later Don t Install Figure 7 23 Automatic Installation Profile Update E Autoinstall Cisco Systems YPN Client Update iol xj Profile Update has been downloaded Choose one of the options below Cisco Systems VPN Client Install Now closes your YPN connection exits the VPN client and installs the update immediately Before installing the update you should close all programs Install Later defers installing the update until after the VPN Client has exited Cisco Systems Don t Install will not install the update Copyright 1998 2004 Cisco Systems Inc Install Now Install Later Don t
51. Forward Outbound 200 200 100 50 32 Any Any N A N A Forward Outbound Local Any Any N A N A Drop Inbound Any Local Any N A N A Drop Outbound Local Any Any N A N A Close This status screen lists the following information x 87754 e Firewall Policy The policy established on the VPN Concentrator for this VPN Client e Product The name of the firewall currently in use such as Cisco Integrated Client Zone Alarm Pro and so on e Firewall Rules Information about the firewall rules currently in effect as described in the following section The Firewall Rules section shows all of the firewall rules currently in effect on the VPN Client Rules are in order of importance from highest to lowest level The rules at the top of the table allow inbound and outbound traffic between the VPN Client and the secure gateway and between the VPN Client and the private networks with which it communicates For example there are two rules in effect for each private network that the VPN Client connects to through a tunnel one rule that allows traffic outbound and another that allows traffic inbound These rules are part of the VPN Client software Since they are at the top of the table the VPN Client enforces them before examining CPP rules This approach lets the traffic flow to and from private networks I OL 5489 01 VPN Client User Guide for Windows Chapter5 Connecting to a Private Network W Viewing Con
52. I OL 5489 01 Contents W E Contents Removing a VPN Client Version Installed with MSI Installer 2 6 Automatically Installing a Root Certificate on the VPN Client PC 2 7 What Next 2 7 Navigating the User Interface 3 1 Configuring the VPN Client for Accessibility 3 1 Choosing a Run Mode 3 2 VPN Client Window Simple Mode 3 3 VPN Client Window Advanced Mode 3 4 Toolbar Action Buttons Advanced Mode 3 4 Main Tabs Advanced Mode 3 5 Menus Advanced Mode 3 6 Connection Entries Menu 3 6 Status Menu 3 7 Certificates Menu 3 8 Log Menu 3 9 Options Menu 3 10 Right Click Menus 3 11 Connection Entries Tab Right Click Menu 3 11 Certificates Tab Right Click Menu 3 12 Log Tab Right Click Menu 3 13 How to Get Help 3 13 Determining the VPN Client Version 3 14 Configuring and Managing Connection Entries 4 1 What Is a Connection Entry 4 2 Creating a New Connection Entry 4 2 Choosing an Authentication Method 4 3 Group Authentication 4 3 Mutual Group Authentication 4 4 Certificate Authentication 4 4 Sending a Certificate Authority Certificate Chain 4 5 Validating a Certificate 4 5 Configuring an Entrust Certificate for Authentication 4 5 Configuring a Connection Entry fora Smart Card 4 6 Smart Cards Supported 4 6 Configuring Microsoft Network Access Windows 98 and Windows ME Configuring Transparent Tunneling 4 7 4 6 VPN Client User Guide for Windows OL 5489 01 Contents W Enabling Transparent Tunneling 4 7 Using
53. N device you can see a list of the local LANs available by looking at the Routes table See Figure 4 5 To display the Routes table use the following procedure Display the Status menu and choose Statistics Choose Route Details from the Statistics dialog box The routes table shows local LAN routes which do not traverse and IPSec tunnel and secured routes which do traverse an IPSec tunnel to a central site device The routes in the local LAN routes column are for locally available resources Note This feature works only on one NIC card the same NIC card as the tunnel VPN Client User Guide for Windows mae W OL 5489 01 Chapter4 Configuring and Managing Connection Entries Figure 4 5 Routes Table PN Client Statistics Enabling and Adding Backup Servers W x Tunnel Details Firewall Local LAN Routes Secured Routes Subnet Mask Subnet Mask 10 10 32 32 255 255 255 255 0 0 0 0 87779 Close While connected you cannot print or browse the local LAN by name when disconnected you can print and browse by name For more information on this limitation refer to VPN Client Administrator Guide Chapter 1 Adjusting the Peer Response Timeout Value The VPN Client uses a keepalive mechanism called Dead Peer Detection DPD to check the availability of the VPN device on the other side of an IPSec tunnel If the network is unusually busy or unreliable you might need to increa
54. N Client Properties for Engineering i xj Connection Entry Engineering Description Tests ystem E Host h 0 10 32 32 it Backup Servers Dia Up Authentication JV Enable Transparent Tunneling IPSec over UDP NAT PAT C IPSec over TCP TGP Part fi 0000 I Allow Local LAN Access Peer response timeout seconds 30 Erase User Password 87718 Enabling Transparent Tunneling Transparent tunneling allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall which may also be performing Network Address Translation NAT or Port Address Translations PAT Transparent tunneling encapsulates Protocol 50 ESP traffic within UDP packets and can allow for both IKE UDP 500 and Protocol 50 to be encapsulated in TCP packets before they are sent through the NAT or PAT devices and or firewalls The most common application for transparent tunneling is behind a home router performing PAT The VPN Client also sends keepalives frequently ensuring that the mappings on the devices are kept active Not all devices support multiple simultaneous connections behind them Some cannot map additional sessions to unique source ports Be sure to check with your device s vendor to verify whether this limitation exists Some vendors support Protocol 50 ESP Port Address Translation IPSec passthrough which might let you operate without enabling transparent tunneling To
55. OL 5489 01 Chapter 7 Managing the VPN Client Managing Windows NT Logon Properties W Disconnect VPN connection when logging off parameter see Disconnecting When Logging Off of a Windows NT Platform following This action keeps your connection open Now you can log back on to the system For information on enrolling certificates and importing certificates into your Cisco store see Enrolling and Managing Certificates For information about using start before logon with the Entrust SignOn feature see Connecting with an Entrust Certificate Turning Off Start Before Logon Step 1 Step 2 Step 3 To turn this feature off use the following procedure Open the VPN Client Options menu shown in Figure 7 1 and choose Windows Logon Properties Click to uncheck Enable start before logon and then click OK or to cancel thus keeping the feature enabled click Cancel To make these changes take effect reboot your PC Permission to Launch an Application Before Log On Your system administrator determines whether you can launch applications and third party dialers before you log on to a Windows NT platform To protect system and network security your system administrator might have disabled this feature If this feature is greyed out you cannot launch applications and third party dialers before logging on to a Windows NT platform You must have system administrator privileges to change this parameter
56. OL 5489 01 VPN Client User Guide for Windows Appendix A Copyrights and Licenses VPN Client User Guide for Windows Pas E OL 5489 01 Numerics 508 accessibility compliance 1 5 802 11x networks wireless LANs 5 15 A accessibiliy compliance 1 5 accessing local LAN 4 8 adapter card for network 2 2 adding backup servers 4 9 connection entry 4 2 address VPN device 4 3 Administrator privileges 2 1 AES Advanced Encryption Standard 1 7 aggressive mode 1 7 algorithms data compression 1 8 encryption 1 7 Application Launcher 7 2 Are You There see AYT firewall policy authentication algorithms 1 7 certificate 2 2 4 4 Entrust 4 5 extended 1 7 information connection status 5 22 internal server 5 5 mode 1 7 INDEX NT Domain dialog box 5 5 domain name 5 6 password 5 6 username 5 6 RADIUS 5 5 RSA next cardcode 5 9 passcode 5 7 PIN 5 8 username 5 7 5 8 SecurID 5 7 smart card 5 13 SoftID 5 7 auto initiation authenticating 5 17 changing option values 5 19 connection failures 5 21 connection profile 5 16 disabling 5 19 7 6 disabling while suspended 5 20 disconnecting 5 19 enabling 5 20 7 6 managing 7 6 restarting 5 20 resuming 5 18 retry interval 7 6 suspending 5 18 using 5 15 autoinstall VPN Client software 7 20 full installation 7 21 minor update 7 21 OL 5489 01 VPN Client User Guide for Windows E W index profile update 7 22 VPN Client sofwa
57. PN Client s firewall configuration VPN Client User Guide for Windows OL 5489 01 Chapter 5 Connecting to a Private Network Viewing Connection Information W Configuring the Firewall on the Concentrator The VPN Concentrator s network manager specifies the name of the firewall that the VPN Client is enforcing such as the Cisco Integrated Client Zone Labs ZoneAlarm ZoneAlarm Pro BlackICE Defender and so on and sets up the firewall policy under the Configuration User Management Base Group or Group Client FW tab The following firewall policy options exist AYT Are You There enforces the use of a specific firewall but does not require you to have a specific firewall policy The supported firewall software on the VPN Client PC controls its own rules The VPN Client polls the firewall every 30 seconds to make sure it is still running but does not confirm that a specific policy is enforced Centralized Protection Policy CPP or Policy Pushed as defined on the VPN Concentrator lets you define a stateful firewall policy that the VPN Client enforces for Internet traffic while a tunnel is in effect CPP is for use during split tunneling and is not relevant for a tunnel everything configuration In a tunnel everything configuration all traffic other than tunneled traffic is blocked during the tunneled connection This policy takes advantage of the Cisco Integrated Client The policy rules are defined on the VPN Conc
58. Password Change Success Message PN Client xj i Success password for certificate Joe Smith was changed 87744 Exporting a Certificate Step 1 Step 2 Step 3 Step 4 You may want to export a certificate primarily for backing up your certificate and private key or moving them to another system When you export a certificate you are making a copy of it To export a certificate follow these steps Display the Certificates menu and choose Export or click the Export icon on the toolbar above the Certificates tab The VPN Client displays the Export Certificate dialog box Figure 6 18 Figure 6 18 Exporting a Certificate PN Client Export Certificate GEM 1024 sig ou cert Export Path Browse J Export entire certificate chain Enter a password to protect the exported certificate this is optional Password Verify Password Cancel 8774 In the Export path field enter the path for the exported certificate or use the Browse feature to locate a target directory for the exported certificate To export the CA and or RA certificate with your personal certificate check the Export entire certificate chain check box In the Password field enter an optional password to protect the export file Then enter it again in the Verify Password field VPN Client User Guide for Windows 01 5489 01 _ Chapter 6 Enrolling and Managing Certificates Step 5 After
59. Server IPSec Beta_134 63 67 72 134 IPSec Documentation 10 10 99 30 IPSec TCP Documentation duplicate 10 10 99 30 IPSec TCP Engineering 10 10 32 32 IPSec UDP Engineering_Cert 10 10 32 30 IPSec UBP Engineering_pre_shared 10 10 32 33 IPSec UBP 87752 Connected to Engineering Connected Time 0 day s 00 00 12 If the network administrator of the Cisco VPN device has created a client banner you see a message designated for all clients connecting to that device for example The Documentation Server will be down for routine maintenance on Sunday After you complete your connection the VPN Client minimizes to a closed lock icon in the system tray on the Windows task bar You are now connected securely to the private network via a tunnel through the Internet and you can access the private network as if you were an onsite user Using Automatic VPN Initiation Your VPN Client can automatically initiate a VPN connection based on the network to which your machine is connected This feature is called auto initiation for on site Wireless LANs WLANs Auto initiation makes the user experience resemble a traditional wired network in which VPNs secure WLANs These environments are also known as WLANs On site WLAN VPNs are similar to remote access VPNs with an important distinction In an on site wireless VPN environment enterprise administrators have deployed wireless 802 11x networks in corporate facilities and these netw
60. UTH The capability of authenticating a user within IKE This authentication is in addition to the normal IKE phase 1 authentication where the IPSec devices authenticate each other The extended authentication exchange within IKE does not replace the existing IKE authentication Mode Configuration Also known as ISAKMP Configuration Method I OL 5489 01 VPN Client User Guide for Windows Chapter1 Understanding the Cisco VPN Client HZ VPN Client Features Table 1 6 IPSec Attributes continued IPSec Attribute Description Tunnel Encapsulation Modes e IPSec over UDP NAT PAT e IPSec over TCP NAT PAT e IPSec over NAT T IP compression IPCOMP using Data compression algorithm LZS Windows Features Supported The VPN Client supports the Windows NT Windows 2000 and Windows XP features listed in Table 1 7 Table 1 7 Windows NT Features Windows NT Feature Description Password expiration information Password expiration information when authenticating through a RADIUS server that references an NT user database When you log in the VPN Concentrator sends a message that your password has expired and asks you to enter a new one and then confirm it On a Release 3 5 or higher VPN Client the prompt asks you to enter and verify a password Start before logon The ability to establish a VPN connection before logging on to a Windows NT platform which includes Windows NT 4 0 Windows 2000 a
61. WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCIP CCSP the Cisco Arrow logo the Cisco Powered Network mark Cisco Unity Follow Me Browsing FormShare and StackWise are trademarks of Cisco Systems Inc Changing the Way We Work Live Play and Learn and iQuick Study are service marks of Cisco Systems Inc and Aironet ASIST BPX Catalyst CCDA CCDP CCIE CCNA CCNP Cisco the Cisco Certified Internetwork Expert logo Cisco IOS the Cisco IOS logo Cisco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Empowering the Internet Generation Enterprise Solver EtherChannel EtherSwitch Fast Step GigaStack Internet Quotient IOS IP TV iQ Expertise the iQ logo iQ Net Readiness Scorecard LightStream MGX MICA the Networkers logo Networking Academy Network Registrar Packet PIX Post Routing Pre Routing RateMUX Registrar ScriptShare SlideCast SMARTnet StrataView Plus Stratm SwitchProbe TeleRouter The Fastest Way to Increase Your Internet Quotient TransPath and VCO are register
62. ab Step2 Display the Certificates menu and choose Verify or click the Verify icon on the toolbar above the Certificates tab The VPN Client displays a message such as the one in Figure 6 15 indicating whether the certificate is still valid Figure 6 15 Verifying a Certificate s Validity PN Client x i i Certificate Joe Smith is valid 87747 VPN Client User Guide for Windows Pei ol 5489 01 _ Chapter 6 Enrolling and Managing Certificates Step 3 Enrolling for a Certificate Hi The following table shows the messages you might see when you check the validity of your certificate Message Description Certificate is not valid yet The current date is prior to the certificate s valid start date You must wait until the certificate becomes valid Certificate has expired The current date is after the certificate s valid end date You need to enroll for a new certificate Certificate signature is not You do not have the CA certificate or the CA certificate that you v lid have may have expired You might need to download or import the CA certificate Certificate lt name gt is valid You have a working certificate enrolled After viewing the message click OK Deleting a Certificate Step 1 Step 2 Step 3 Step 4 To delete a certificate follow this procedure Select the certificate from the certificate store under the Certificates tab certificate store Display
63. abled Inhibits event reporting for the chosen class Low Provides the least amount of information This choice includes severity levels 1 through 3 all faults and warnings Low is the default for all classes Medium Includes severity levels 1 through 4 all in Low plus the first level informational events which provide general information about the connection Note that a first level informational event is level 4 and appears in the event display as Info 4 High Includes severity levels 1 through 6 thus adding two levels of informational events Info 5 and Info 6 This setting can lower the performance of all applications on your system so use it only when your network administrator or a support engineer suggests that you do so After making your changes click Apply to save or Cancel to cancel your changes Table 7 3 defines the classes modules that generate events Table 7 3 Classes That Generate Events in the VPN Client Class Name Definition CERT Certificate management process CERT which handles getting validating and renewing certificates from certificate authorities CERT also displays errors that occur as you use the application CLI Command Line Interface which lets managers start and end connections get status information and so on through a command line rather than using the VPN Client graphical user interface CM Connection manager CM which drives VPN connections CM dials a PPP device config
64. achusetts c US 1E70B8145582C7E 304F0BCO424F1433E Wed Mar 19 16 58 53 2003 Fri Apr 18 17 58 53 2003 877468 A typical certificate such as that shown in Figure 6 12 contains the following information Common Name The name of the owner usually the first name and last name This field identifies the owner within the Public Key Infrastructure PKI organization Department The name of the owner s department which is same as the Organizational Unit OU Note that when connecting to a VPN 3000 Concentrator the OU should generally match the Group Name configured for the owner in the VPN 3000 Concentrator Company The organization where the owner is using the certificate State The state where the owner is using the certificate Country The two character country code where the owner s system is located Email The email address of the owner of the certificate 01 5489 01 VPN Client User Guide for Windows Chapter6 Enrolling and Managing Certificates W Enrolling for a Certificate Thumbprint The MD5 and SHA 1 hash to the certificate s complete contents This provides a way to validate the certificate s authenticity For example if you contact the issuing CA you can use this identifier to verify that this is the correct certificate to use Key Size The size of the signing key pair in bits for example 1024 Subject The fully qualified distinguished name DN of certificate s owner This s
65. ailable for Windows NT Windows 2000 and Windows XP Note If you are using the MSI installer you must have Windows NT based products such as Windows NT 4 0 with SP6 Windows 2000 or Windows XP Installing with MSI also requires administrator privileges Windows Installer 2 0 must be installed on a Windows NT or Windows 2000 PC before configuring the PC for a Restricted User with Elevated Privileges CSCea37900 VPN Client User Guide for Windows ose Chapter 2 Installing the VPN Client Installing the VPN Client Through Microsoft Windows Installer Hil To install the VPN Client using MSI use the following procedure Step 1 Exit all Windows programs and disable any antivirus software Step2 Insert the Cisco Systems CD ROM in your system s CD ROM drive Step3 Choose Start gt Run The Run dialog box appears Step4 Enter E VPN Client CD ROM Msi vpclient_en exe where E is your system s CD ROM drive Step5 Click OK gt Note Cisco does not allow you to install the VPN Client software from a network drive If you attempt to do so you receive an error message The program displays the Cisco Systems logo and Microsoft Installer Setup window Click Next to start the installation and then follow the instructions on the dialog boxes MSI installs the VPN Client in the default location C Program Files Cisco Systems VPN Client If you want a different destination folder for the VPN Client files enter the alte
66. al window and setting logging levels Refer to Managing the VPN Client for more information Cisco VPN Client User Guide for Windows oL 5489 01 nE Chapter3 Navigating the User Interface E VPN Client Window Advanced Mode Menus Advanced Mode The following sections describe the VPN Client menus located at the top of your screen when the VPN Client application is active on your desktop Connection Entries Menu Use the Connection Entries menu Figure 3 7 as a shortcut to frequently used connection entry operations Figure 3 7 Connection Entries Menu VPN Client 4 6 Rel E iol x Connection Entries Status Certificates Log Options Help Connect to Ctrl 0 Disconnect Ctrl D Create Shortcut Modify Delete Duplicate Set as Default Connection Entry New Import Exit YPN Client Ctrl Q Not connected 87772 Connect to Connect to a VPN device using the selected connection entry If the Connections tab is not selected a submenu which lists all available connection entries is displayed Disconnect End your current VPN session Create Shortcut Create a shortcut on your desktop for the current connection entry Modify Edit the current connection entry Delete Remove the current connection entry Duplicate Make a copy of the selected connection entry This menu choice lets you create a new connection entry us
67. anization This guide is organized as follows Chapter Title Description Chapter 1 Understanding the Cisco VPN Explains briefly what the VPN Client is and how Client it works Chapter 2 Installing the VPN Client Tells you how to install the VPN Client Chapter 3 Navigating the User Interface Describes the main VPN Client window and the tools tabs menus and icons for navigating the user interface including accessibility features Chapter 4 Configuring and Managing Tells you how to configure the VPN Client Connection Entries including setting optional parameters Chapter 5 Connecting to a Private Network Tells you how to connect to a private network using the VPN Client and an Internet connection shows how to get status information on your connection and how to use automatic VPN initiation I OL 5489 01 VPN Client User Guide for Windows Preface W Terminology Chapter Title Description Chapter 6 Enrolling and Managing Tells you how to obtain digital certificates to use Certificates for authentication and how to manage these certificates on your system Chapter 7 Managing the VPN Client Tells you how to manage VPN Client connections upgrade or uninstall VPN Client software reconfigure the VPN Client automatically use the Log and set up special features such as Start Before Logon Appendix A Copyrights and Licenses Provides copyright and license information for software th
68. assword 7 Confirm Password C Certificate Authentication Hame e xf Send CA Certificate Chain Erase User Password Cancel Eases raion 87719 Step4 Enter a unique name for this new connection You can use any name to identify this connection for example Engineering This name can contain spaces and it is not case sensitive Step5 Enter a description of this connection This field is optional but it helps further identify this connection For example Connection to Engineering remote server Step6 Enter the hostname or IP address of the remote VPN device you want to access Choosing an Authentication Method Under the Authentication tab enter the information for the method you want to use You can connect as part of a group configured on a VPN device or by supplying an identity digital certificate Group Authentication Your network administrator usually configures group authentication for you If this is not the case use the following procedure Step1 Click the Group Authentication radio button Step2 In the Name field enter the name of the IPSec group to which you belong This entry is case sensitive Step3 In the Password field enter the password which is also case sensitive for your IPSec group The field displays only asterisks VPN Client User Guide for Windows oL 5489 01 EN Chapter4 Configuring and Managing Connection Entries HI Choosing an Authentication Method Step4 Veri
69. at auto initiation is now in effect For an example see Figure 5 29 VPN Client User Guide for Windows u OL 5489 01 Chapter5 Connecting to a Private Network Viewing Connection Information W Figure 5 29 Auto Initation Log Messages 15727 14 22 45 721 04 2202 Sev Info 6 DIALER 0x63300009 Auto initiation has been suspended 15728 16 24 25 578 04 22 02 Sev Info 6 DIALER 0x63300009 Auto initiation has been disabled 15729 16 36 09 671 04 22 02 Sev Info 6 DIALER 0x63300009 Auto initiation has been enabled 15730 16 36 09 671 04 22 02 Sev Info 6 CM 0x63 100036 Auto initiation condition detected Local IP 10 10 0 32 Network 10 10 32 32 Mask 0 0 0 0 Connection Entry Engineering 71788 Step5 Close the VPN Client dialog The Authentication window displays Connection Failures If the auto initiation attempt fails the VPN Client notifies you with a dial status dialog and a warning message Figure 5 30 Auto Initiation Failure Message YPN Client x Secure YPN Connection terminated locally by the Client Reason An unrecognized error occurred while establishing the YPN connection 87750 Viewing Connection Information From the Status menu you can view the following information about your private network connection e Tunnel details e Routing information e Firewall information e Notifications VPN Client User Guide for Windows oL 5489 01 EN Chapter5 Connecting to a Private
70. at the VPN Client uses Terminology In this user guide the term Cisco VPN device refers to the following Cisco products e Cisco VPN 3000 Series Concentrators e Cisco Secure PIX Firewall devices e IOS platform devices such as the Cisco 7100 Series Routers Related Documentation The VPN Client includes an extensive online HTML based help system including a pdf version of the manual that you can access through a browser in several ways e Click the Help icon on the Cisco Systems VPN Client programs menu Start gt Programs gt Cisco Systems VPN Client gt Help e Press F1 while using the applications e Select Help gt Help VPN Client from the Help menu The VPN Client Administrator Guide tells a network administrator how to e Configure a VPN 3000 Concentrator for several specific features Configure a VPN 3000 Concentrator for remote access users Configure VPN Client firewall policy on a VPN 3000 Concentrator Notify remote users of a client update Setup Local LAN Access for the VPN Client Configure the VPN Concentrator to update VPN Client backup servers Set up the VPN Concentrator and the VPN Client for NAT Transparency Configure Entrust Entelligence for the VPN Client Set up authentication using Smart Cards e Automate remote user profiles e Configure auto initiation e Use the VPN Client command line interface VPN Client User Guide for Windows OL 5489 01 Preface Related Do
71. ate Password dialog box See Figure 6 22 Figure 6 22 Changing a Certificate Password 4 PN Client Certificate Password 2 xi Enter your Certificate Password for Patrick Clarkson 87731 Step3 Type in the password you are currently using and click OK Step4 At the prompt type the new password and click OK Step5 At the next prompt type your new password again to verify it and click OK The VPN Client responds with a success message Note You can also change the password from the View dialog box VPN Client User Guide for Windows 01 5489 01 a e17 Chapter6 Enrolling and Managing Certificates W Managing Enrollment Requests Completing an Enrollment Request Step 1 Step 2 Step 3 To complete a pending online enrollment request use the following procedure Select the request under the Certificates tab The VPN Client displays a dialog box confirming the certificate s pending status and describing how to complete the enrollment procedure Figure 6 23 Figure 6 23 Completing a Pending Online Certificate Enrollment Request PN Client x i Certificate enrollment is now pending To continue the current enrollment select the certificate being enrolled and do one of the Following Choose Retry From the Certificates menu OR Right click the selected certificate and choose Retry 87737 Select the certificate being enrolled then do one of the following e Choose Retry from
72. ation program removes the old version and asks you to confirm the system restart See Figure 7 16 I OL 5489 01 VPN Client User Guide for Windows Chapter7 Managing the VPN Client HZ Upgrading VPN Client Software Step 3 Step 4 Figure 7 16 Confirming the System Restart InstallShield Wizard Cisco Systems YPN Client Installer Setup has finished removing the existing version of the Cisco Systems VPN Client To continue with the Cisco Systems VPN Client installation you MUST reboot your computer now C No will restart my computer later Setup will continue after your computer reboots Bancel 67544 Be sure to remove any diskette from its drive before you restart your system If you are installing from diskettes reinsert Disk 1 after your system restarts and displays the Windows logo screen but before the desktop appears To restart your system click Yes I want to restart my computer now the default and click Finish The installation wizard restarts your system Once your system has restarted installation continues automatically Follow the instructions as if you were installing for the first time See Installing the VPN Client Through InstallShield Uninstalling the VPN Client with the Uninstall Application Note This option is available only if you have installed the VPN Client via InstallShield Uninstalling the VPN Client means completely removing all VPN Client softwa
73. ay and choose Stateful Firewall When the stateful firewall is enabled you see a check in front of the option This feature is disabled by default During a VPN connection to view the status of this feature right click the lock icon in the system tray Launching an Application Step 1 You can configure the dialer to launch an application automatically before establishing a connection Some examples of why you would want to use this feature follow e You are configured for start before logon and you need to start an authentication application at the logon desktop e You want to launch a monitoring application such before each connection To configure the VPN Client to launch an application from the logon desktop use the Application Launcher The Application Launcher starts the specified application once per session To launch an application again you must exit from the VPN Client restart the VPN Client and launch the application To activate Application Launcher follow these steps Open the VPN Client Options menu shown in Figure 7 1 and choose Application Launcher Figure 7 1 Choosing Application Launcher Application Launcher Automatic VPN Initiation Windows Logon Properties Stateful Firewall Always On Simple Mode Ctrl T Ctrl P Preferences 87724 VPN Client User Guide for Windows 72 E OL 5489 01 Chapter7 Managing the VPN Client Managing Windows NT Logon Properties W
74. c VPN initiation Retry Interval a 1 to 10 minutes e 87729 Check the check box to enable auto initiation and specify an retry interval ranging from 1 to 10 minutes After you have enabled auto initiation if you close or lose your connection auto initiation automatically attempts to reconnect at the specified interval until you exit the VPN Client or disable or suspend auto initiation Typically when you start your wireless system normally a laptop your connection initiates automatically You do not see the VPN Client s main dialog As the connection goes forward the VPN Client displays a sequence of screens The VPN Client also displays an authentication dialog such as the one shown in Figure 5 23 OL 5489 01 VPN Client User Guide for Windows Chapter5 Connecting to a Private Network W Using Automatic VPN Initiation Figure 5 23 Authenticating Automatic VPN Initialized Connection a PN Client User Authentication for Engineering 2 x Enter Username and Password Cisco SYSTEMS Fein Username pate Password ne e 87721 When you enter your authentication information your connection starts immediately as indicated by the closed yellow lock icon in the system tray Figure 5 24 Closed Lock Connected If your network administrator has defined a banner you ll also see that banner displayed To cancel the connection attempt click Cancel Connect on the toolba
75. c through this tunnel Encryption makes data unreadable if intercepted Authentication The data or packet authentication method used for traffic through this tunnel Authentication verifies that no one has tampered with data VPN Client User Guide for Windows OL 5489 01 Chapter5 Connecting to a Private Network Viewing Connection Information W e Packets Packets encrypted The total number of secured data packets transmitted out the port Packets decrypted tThe total number of data packets received on the port Packets discarded The total number of data packets that the VPN Client rejected because they did not come from the secure VPN device gateway Packets bypassed The total number of data packets that the VPN Client did not process because they did not need to be encrypted Local ARPs and DHCP fall into this category e Transport Transparent Tunneling tThe status of tunnel transparent mode in the VPN Client either active or inactive Local LAN Access Whether access to your local area network while the tunnel is active is enabled or disabled For information on configuring this feature see Allowing Local LAN Access Compression Whether data compression is in effect as well as the type of compression in use Currently LZS is the only type of compression that the VPN Client supports Viewing Routing Information To display routing information pull down the Status menu and choose
76. cal issues with online support e Download and test software packages e Order Cisco learning materials and merchandise e Register for online skill assessment training and certification programs If you want to obtain customized information and service you can self register on Cisco com To access Cisco com go to this URL http www cisco com Technical Assistance Center The Cisco Technical Assistance Center TAC is available to all customers who need technical assistance with a Cisco product technology or solution Two levels of support are available the Cisco TAC Web Site and the Cisco TAC Escalation Center VPN Client User Guide for Windows Pv OL 5489 01 Preface Obtaining Technical Assistance W Cisco TAC inquiries are categorized according to the urgency of the issue e Priority level 4 P4 You need information or assistance concerning Cisco product capabilities product installation or basic product configuration e Priority level 3 P3 Your network performance is degraded Network functionality is noticeably impaired but most business operations continue e Priority level 2 P2 Your production network is severely degraded affecting significant aspects of business operations No workaround is available e Priority level 1 P1 Your production network is down and a critical impact to business operations will occur if service is not restored quickly No workaround is available The Cisco TA
77. central site device e Internal through the VPN device s database e RADIUS Remote Authentication Dial In User Service e NT Domain Windows NT e RSA formerly SDI SecurID or SoftID Certificate Authorities CAs CAs that support PKI SCEP enrollment Entrust Entelligence Ability to use Entrust Entelligence certificates Certificate Management Ability to manage the certificates in the certificate stores Smart cards Ability to authenticate using smart cards with certificates Peer Certificate Distinguished Name Verification Prevents a VPN Client from connecting to an invalid gateway by using a stolen but valid certificate and a hijacked IP address If the attempt to verify the domain name of the peer certificate fails the VPN Client connection also fails I OL 5489 01 VPN Client User Guide for Windows Chapter1 Understanding the Cisco VPN Client HZ VPN Client Features Firewall Features The VPN Client supports the firewall features listed in Table 1 4 Table 1 4 Firewall Features Firewall Feature Description Support for firewalls e Cisco Integrated Firewall e Cisco Security Agent e ZoneAlarmPro 2 6 3 57 and higher e ZoneAlarm 2 6 3 57 and higher e ZoneLabs Integrity 1 0 and higher e BlackIce Agent and BlackIce Defender 2 5 and higher e Sygate Personal Firewall and Sygate Personal Firewall Pro Version 5 0 Build 1175 and higher Centralized Protection Policy e Sup
78. ction status 5 22 setting logging levels 7 11 Severity levels in events 7 12 Simple Certificate Enrollment Protocol see SCEP smart card connecting with 5 13 connection entry configuring 4 6 products supported 4 6 SoftID authentication 5 7 software license agreement 1 software token applications launching from VPN Dialer 7 2 split tunneling 1 6 start before logon configuring 7 4 using with Entrust SignOn 5 12 starting the VPN Dialer connecting to private network 4 2 5 2 stateful firewall always on 7 1 DHCP traffic 7 2 transparent tunneling 4 8 state in certificate enrollment 6 4 statistics local LAN routes 5 24 status firewall 5 26 stopping the VPN Dialer 5 30 stores certificate 6 2 system requirements 2 1 Index W T TCP IP requirement 2 2 TCP protocol firewalls 5 28 transparent tunneling 4 7 third party dial up program 4 12 tool tips enabling 3 3 transparent tunnel 4 7 transparent tunneling 1 6 enabling 4 7 stateful firewall 4 8 tunnel definition 1 2 negotiation 5 5 transparent 4 7 tunneling encapsulation mode 1 8 protocol 1 3 split 1 6 U UDP protocol firewalls 5 28 transparent tunneling 4 7 UniCERT 5 10 uninstalling the VPN Client InstallShield 7 18 updating profiles automatically 7 22 updating VPN Client software automatically 7 20 upgrade notification 7 16 upgrading VPN Client software using InstallShield 7 17 using MSI 7 16 user authentication 1 3 1 5 I OL 5
79. cumentation W e Customize the VPN Client software text icons and installation e Use the SetMTU application e Obtain troubleshooting information e Work with Microsoft Windows Installer The VPN Client guides are provided on the Cisco VPN 3000 Concentrator s software distribution CD ROM in PDF format To view the latest version on the Cisco Web site go to the following site and click VPN Client http www cisco com en US products sw secursw ps2308 prod_technical_documentation html VPN 3000 Series Concentrator Documentation The VPN 3000 Concentrator Series Getting Started guide explains how to unpack and install the VPN Concentrator and how to configure the minimal parameters This is known as Quick Config The VPN 3000 Series Concentrator Reference Volume I Configuration explains how to start and use the VPN Concentrator Manager It details the Configuration screens and explains how to configure your device beyond the minimal parameters you set during quick configuration The VPN 3000 Series Concentrator Reference Volume II Administration and Monitoring provides guidelines for administering and monitoring the VPN Concentrator It explains and defines all functions available in the Administration and Monitoring screens of the VPN Concentrator Manager Appendixes to this manual provide troubleshooting guidance and explain how to access and use the alternate command line interface The VPN Concentrator Manager also includes online hel
80. d click the Disconnect button or right click the lock and select Disconnect from the menu in the standard way The VPN Client displays the following message See Figure 5 27 Figure 5 27 Disconnecting Your Session PN Client xj You have terminated your VPN connection i You no longer have access to your network resources 4 VPN connection will be auto initiated every 2 minutes Do you wish to temporarily suspend the auto initiation Functionality Suspend 87751 To suspend auto initiation click Yes Auto initiation suspends until you resume it disable it or log off When you click No auto initiation stays in effect and the VPN Client automatically retries auto initiation according to the retry interval for example every minute Changing Option Values While Auto Initiation is Suspended When auto initiation is suspended you can change VPN Client options as follows Step 1 Double click yellow lock icon in the system tray Step2 Click Options The VPN Client displays the Options menu Disabling Automatic VPN Initiation To completely shut down auto initiation you can disable it through the Options menu by following these steps Step1 Display the VPN Client main window and click Options Step2 Select Automatic VPN Initiation The VPN Client displays the window shown in Figure 5 28 VPN Client User Guide for Windows oL 5489 01 a 5 19 Chapter5 Connecting to a Private Network HZ Using Automatic
81. d or electronic token Several vendors provide smart cards and tokens For an up to date list of those that the VPN Client currently supports see Smart Cards Supported Smart card support is provided through Microsoft Cryptographic API MS CAPI Any CryptoService provider you use must support signing with CRYPT_NOHASHOID Note Smart cards generally have only the private key associated with a certificate so even without having the smart card inserted you can still create an individual certificate authentication profile You must insert the smart card however to complete the authentication process Once you or your network administrator has configured a connection entry that uses a Microsoft certificate provided by a smart card you must insert the smart card into the receptor When you start your connection you are prompted to enter a password or PIN depending on the vendor For example Figure 5 17 shows the authentication prompt from ActivCard Gold I OL 5489 01 VPN Client User Guide for Windows Chapter5 Connecting to a Private Network HI Completing the Private Network Connection Figure 5 17 ActivCard Gold PIN Prompt ActivCard Gold Enter PIN g D Enter PIN code Carca 67518 In this example you would type your PIN code in the Enter PIN code field and click OK The next example shows how to log in to eToken from Aladdin You select the token in the eToken Name column type a password in
82. d running on a system but not to confirm that a specific policy is enforced Figure 5 33 Firewall Tab for AYT capability YPN Client 4 6 Rel ES Firewall Policy Are you there AYT Product ZoneLabs ZoneAlarm Close 87755 VPN Client User Guide for Windows u OL 5489 01 Chapter5 Connecting to a Private Network Centralized Protection Policy CPP Using the Cisco Integrated Client Firewall Rules Viewing Connection Information CPP is a stateful firewall policy that is defined on and controlled from the VPN Concentrator It can add protection for the VPN Client PC and private network from intrusion when split tunneling is in use CPP sends down a stateful firewall policy for the integrated firewall in the VPN Client for use while connected with split tunneling For CPP see Figure 5 34 the Firewall tab shows you the firewall rules in effect Figure 5 34 Firewall Tab for CPP YPN Client Statistics Tunnel Details Route Details Firewall Policy Centralized Protection Policy CPP Product Cisco Systems Integrated Client Firewall Rules Act Di SrcAddress DstAddress Proto Sre Port_ Dst Port Forward Inbound 10 10 32 32 32 10 10 0 32 32 17 1109 Forward Outbound 10 10 0 32 32 10 10 32 32 32 17 1109 500 Forward Inbound 10 10 32 32 32 10 10 0 32 32 50 Any Any Forward Outbound 10 10 0 32 32 10 10 32 32 32 50 Any Any Forward Inbound Any 200 200 100 50 32 Any N A N A
83. d you can set the following preferences Save window settings Saves any changes you make to the VPN Client window Minimize upon connect Places the VPN Client closed lock icon in the system tray when the VPN connection is established Enable tool tips Activates tool tips for the toolbar action buttons Enable connect history display Displays connection history information Enable accessibility options Places the VPN Client in the task bar rather than the system tray for easier access and sounds a beep to indicate that a connection has been made Enable connect on open Connects to the default connection entry when you start the VPN Client when you open or double click the VPN Client icon I OL 5489 01 Cisco VPN Client User Guide for Windows Chapter3 Navigating the User Interface E VPN Client Window Advanced Mode e From the Help menu you can display context sensitive browser based online Help VPN Client Window Advanced Mode The following sections describe the VPN Client main window in Advanced Mode the primary buttons and tabs for navigating the user interface the main menu options and the right click menu options Figure 3 4 shows the VPN Client window and the primary navigation areas Figure 3 4 VPN Client Main Window in Advanced Mode 1 PRD aoe aco 5 xi 2 Connection Entries Status Certificates Log Options Help 3 Fe E g S Pdl Cisco Systems Disconnect New Import Modify Delete
84. directory of toll free Cisco TAC telephone numbers for your country go to this URL http www cisco com warp public 687 Directory DirTAC shtml Before calling please check with your network operations center to determine the level of Cisco support services to which your company is entitled for example SMARTnet SMARTnet Onsite or Network Supported Accounts NSA When you call the center please have available your service agreement number and your product serial number I OL 5489 01 VPN Client User Guide for Windows Preface HZ Obtaining Technical Assistance VPN Client User Guide for Windows OL 5489 01 Understanding the Cisco VPN Client The Cisco VPN Client for Windows referred to in this user guide as VPN Client is software that runs on a Microsoft Windows based PC The VPN Client on a remote PC communicating with a Cisco Easy VPN server on an enterprise network or with a service provider creates a secure connection over the Internet Through this connection you can access a private network as if you were an on site user Thus you have a Virtual Private Network VPN The server verifies that incoming connections have up to date policies in place before establishing them Cisco IOS VPN 3000 Series Concentrators and PIX central site servers can all terminate VPN connections from VPN Clients As a remote user low speed or high speed you first connect to the Internet Then you use the VPN Client to secure
85. drop any inbound and drop any outbound are always at the bottom of the list These two rules act as a safety net and are in effect only when traffic does not match any of the rules higher in the hierarchy To display the fields of a specific rule click on the first column and observe the fields in the next area below the list of rules For example the window section underneath the rules in Figure 5 34 displays the fields for the rule that is highlighted in the list A firewall rule includes the following fields e Action The action taken if the data traffic matches the rule Drop Discard the session Forward Allow the session to go through e Direction The direction of traffic to be affected by the firewall Inbound traffic coming into the PC also called local machine Outbound traffic going out from the PC to all networks while the VPN Client is connected to a secure gateway e Source Address The address of the traffic that this rule affects Any all traffic for example drop any inbound traffic This field can also contain a specific IP address and subnet mask Local the local machine if the direction is Outbound then the Source Address is local e Destination Address The packet s destination address that this rule checks the address of the recipient Any all traffic for example forward any outbound traffic Local The local machine if the direction is Inbound the Destination Address is
86. e Connection Entries menu and choose Modify e Click the Modify icon on the toolbar above the Connection Entries tab e Right click the selected entry and choose Modify from the menu Step3 Click Erase User Password VPN Client User Guide for Windows oL 5489 01 ais Chapter4 Configuring and Managing Connection Entries W Erasing a Saved Password for a Connection Entry Step4 To save your changes click Save or to cancel your changes click Cancel Note If you get a failed to authenticate message you should enable Erase User Password on the VPN Client and verify that your password is valid When you attempt to connect the VPN Client prompts you to enter your password With Erase User Password in effect the next time you connect the authentication dialog box prompts you to enter your password VPN Client User Guide for Windows Ca OL 5489 01 CHAPTER Connecting to a Private Network This chapter explains how to connect to a private network with the VPN Client We assume you have configured at least one VPN Client connection entry as described in Configuring and Managing Connection Entries To connect to a private network you also need the following information ISP logon username and password if necessary User authentication information If you are authenticated via the VPN 3000 Concentrator internal server your username and password If you are authenticated via a RADIUS server your userna
87. e InstallShield installer If you are on a Windows 2000 or Windows XP system updating VPN Client software and profiles occurs automatically This section supplies instructions for all the various ways you can upgrade your software All Windows Platforms If you are using a Windows 95 Windows 98 or Windows NT platform you must update the VPN Client software manually Generally an administrator sends a notification to inform you that you must upgrade Upgrade Notifications Remote users receive a notification message when it is time to upgrade the VPN Client software The notification includes the location where the remote user can obtain the upgrade When you receive an upgrade notification that includes a URL click Launch to go to the site and retrieve the upgrade software You will receive an upgrade notification every time you connect until you have installed the upgrade software For an example of an upgrade notification see Figure 7 14 Upgrading the VPN Client Software Using MSI Upgrading the VPN Client software using MSI in this recommended way retains existing connection entries and their parameters You must remove any version of the Cisco VPN Client or any other VPN Client before upgrading the Cisco VPN Client with MSI To install an upgrade of the VPN Client to replace an existing version on your system use the following procedure Step 1 Remove any existing version of the VPN Client software through the Add Remove available f
88. e default profile when it activates Cisco VPN Client User Guide for Windows Eu OL 5489 01 Chapter3 Navigating the User Interface Right Click Menus W Right Click Menus Use the right click Menus from the Connection Entries tab the Certificates tab or the Log tab for frequently performed operations The sections that follow introduce the features you can use from right click menus for the following operations e Connection entries e Certificates e Log Connection Entries Tab Right Click Menu Figure 3 12 shows the right click menu options available when a connection entry is highlighted on the Connection Entries tab display Figure 3 12 Connection Entries Right Click Menu s VPN Client 4 6 Rel 10l x Connection Entries Status Certificates Log Options Help Ss E BA Cisco Systems Disconnect New Import Modify Delete Connection Entries Certificates Log __ Connection Enty Host Transport Engineering_pre_shared 10 10 32 33 IPSec UBP Engineering_Cert 10 10 32 30 IPSec UBP Engineering IPSec UDP Documentation duplicate Connect IPSec TCP Documentation Disconnect IPSec TCP Beta_134 Duplicate IPSec Beta_132 IPSec Delete Create Shortcut Modify Erase Saved User Password Set as Default Connection Entry Connected to Engineering Connected Time 2 day s 00 45 16 87778 N e Connect Use the selected connection entry to connect to a VPN device e D
89. e log in one of the following ways e Click Disable on the toolbar above the Log tab VPN Client User Guide for Windows e E OL 5489 01 Chapter7 Managing the VPN Client Viewing and Managing the VPN Client Event Log W e Display the Log menu and choose Disable Displaying the Log Window You can see a complete view of the log file by using the Log Window which is scrollable Step 1 Display the Log Window in one of the following ways e Display the Log menu and choose Log Window Figure 7 8 e Press Ctrl L e Click the Log Window icon on the toolbar above the Log tab Figure 7 7 Figure 7 8 Displaying Log Messages from the Log Menu PN Client 4 6 Rel 5 x Connection Entries Status Certificates Log Options Help A E Far Disable Ctrl E aoe Clear Connect New Import Certificates Lo Cisco Systems Log Settings Log Window Ctrl L Search Log Ctrl F Save Connection Entries n Tant IPSec UDP Connection Enty Engineering 87759 Not connected 4 The Log Window appears on the screen See Figure 7 9 By default the filter is set to low so you might not see any events displayed in this window see Filtering Events VPN Client User Guide for Windows oL 5489 01 Chapter7 Managing the VPN Client W Viewing and Managing the VPN Client Event Log Figure 7 9 Log Window E YPN Client Log Window loj x Cisco Systems VPN Client Vers
90. ed trademarks of Cisco Systems Inc and or its affiliates in the U S and certain other countries All other trademarks mentioned in this document or Web site are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0304R VPN Client User Guide for Windows Copyright 2004 Cisco Systems Inc All rights reserved Preface ix Audience ix Organization ix Terminology x Related Documentation x VPN 3000 Series Concentrator Documentation xi Cisco PIX Firewall Documentation xi Conventions xii Data Formats xii Obtaining Documentation xiii World Wide Web xiii Documentation CD ROM xiii Ordering Documentation xiii Documentation Feedback xiv Obtaining Technical Assistance xiv Cisco com xiv Technical Assistance Center xiv Cisco TAC Web Site xv Cisco TAC Escalation Center xv Understanding the Cisco VPN Client 1 1 How the VPN Client Works 1 2 Connection Technologies 1 2 VPN Client Features 1 2 Program Features 1 3 Authentication Features 1 5 Firewall Features 1 6 IPSec Features 1 6 VPN Client IPSec Attributes 1 7 Windows Features Supported 1 8 Installing the VPN Client 2 1 Installation Applications 2 1 Verifying System Requirements 2 1 Gathering Information You Need 2 2 Installing the VPN Client Through InstallShield 2 3 Installing the VPN Client Through Microsoft Windows Installer 2 4 VPN Client User Guide for Windows
91. ent 4 6 Rel i Oy x Connection Entries Status Certificates Log Options Help Cisco Systems Disable Clear Log Settings Log Window E Connection Entries Certificates Log Cisco Systems VPN Client Version 4 0 int_94 Copyright tC 1998 2003 Cisco Systems Inc All Rights Reserved Client Type s Windows WinNT Running on 5 0 2195 status connected to Engineering Connected Time 0 day s 00 02 21 X 87763 This window lets you e View the log in the Log tab screen e Enable or disable logging events e Clear the log display in both the Log tab screen and the Log Window e Change the log filtering settings e Display the complete log in the log window and within the window perform the following actions Search the log Save the messages to the log file Change log filter settings Clear the log display Enabling or Disabling the Log Step 1 Step 2 Enabling and disabling the log does not clear the events from the log file To control the flow of information logged use the following procedure You can also control the amount of information collected by changing the log filtering settings To start collecting event messages into the log file you must enable the log in one of the following ways e Click Enable on the toolbar above the Log tab e Display the Log menu and choose Enable The log is disabled by default To end collecting event messages into the log file you must disable th
92. ent 4 6 Rel o 215 xf Connection Entries Status Certificates Log Options Help 2a E E Disable Ctrl E Cisco SYSTEMS Clear e Connect New Import Connection Entries Certificates Lo bag Saas Log Window m 7 Ctrl L Connection Entry Transport Engineering Search Log Ctrl F IPSec UDP Save 87759 Not connected NS e Enable Disable Start collecting events Enable stop collecting events Disable e Clear Erase the events displayed on the log tab and log window e Log Settings Change the logging levels of event classes e Log Window Bring up a separate window that displays events From this window you can save the display edit logging levels by event class and clear both log displays The window shows more events than the display area of the main advanced mode window e Search Log Bring up a dialog box into which you enter the exact string to be matched The search string is not case sensitive and wildcards are not supported Matched instances are highlighted on the log tab not the log window e Save Store the current log in a specified log file Cisco VPN Client User Guide for Windows oL 5489 01 EN Chapter3 Navigating the User Interface E VPN Client Window Advanced Mode Options Menu Use the Options menu to perform various actions such as launching an application Figure 3 11 shows the choices available from the Options menu Figure 3 11 Controlli
93. entions A Caution Means reader be careful Cautions alert you to actions or conditions that could result in equipment damage or loss of data Data Formats As you configure and manage the system enter data in the following formats unless the instructions indicate otherwise Type of Data Format IP Addresses IP addresses use 4 byte dotted decimal notation for example 192 168 12 34 as the example indicates you can omit leading zeros in a byte position Subnet Masks and Wildcard Masks Subnet masks use 4 byte dotted decimal notation for example 255 255 255 0 Wildcard masks use the same notation for example 0 0 0 255 as the example illustrates you can omit leading zeros in a byte position MAC Addresses MAC addresses use 6 byte hexadecimal notation for example 00 10 5A 1F 4F 07 Hostnames Hostnames use legitimate network hostname or end system name notation for example vpno1 Spaces are not allowed A hostname must uniquely identify a specific system on a network VPN Client User Guide for Windows OL 5489 01 Preface Obtaining Documentation W Type of Data Format Text Strings Text strings use upper and lower case alphanumeric characters Most text strings are case sensitive for example simon and Simon represent different usernames In most cases the maximum length of text strings is 48 characters Port Numbers Port numbers use decimal numbe
94. entrator and sent to the VPN Client during each connection attempt The VPN Client enforces these rules for all non tunneled traffic while the tunnel is active amp Note CPP affects only Internet traffic Traffic across the tunnel is unaffected by its policy rules If you are operating in tunnel everything mode enabling CPP has no effect Client Server corresponding to Policy from Server Zone Labs Integrity on the VPN Concentrator relates to Zone Labs Integrity solution The policy is defined on the Integrity Server in the private network and sent to the VPN Concentrator which in turns sends it to the Integrity Agent on the VPN Client PC to implement Since Integrity is a fully functional personal firewall it can intelligently decide on network traffic based on applications as well as data Table 5 1 summarizes the policy options available for the various supported firewalls Table 5 1 Firewalls and Policy Options Summary Policy Options Pushed From Firewall AYT CPP Server Cisco Integrated Firewall X Network Ice BlackICE Defender X Zone Labs ZoneAlarm X X Zone Labs ZoneAlarm Pro X X Zone Labs ZoneAlarm or ZoneAlarm Pro X X Zone Labs Integrity X Sygate Personal Firewall X Sygate Personal Firewall Pro X Sygate Security Agent X Cisco Intrusion Prevention Security Agent X Custom Firewall X X X OL 5489 01 VPN Client User Guide for Windows Chapter5 Connecting t
95. f the certificate you are using from the menu If the field says No Certificates Installed and is shaded then you must first enroll for a certificate before you can use this feature For information on enrolling for a certificate see Enrolling and Managing Certificates or consult your network administrator VPN Client User Guide for Windows Maa g OL 5489 01 Chapter4 Configuring and Managing Connection Entries Choosing an Authentication Method W Sending a Certificate Authority Certificate Chain To send CA certificate chains click Send CA Certificate Chain This parameter is disabled by default The CA certificate chain includes all CA certificates in the hierarchy of certificates from the root certificate which must be installed on the VPN Client to the identity certificate This feature enables the peer VPN Concentrator to trust the VPN Client s identity certificate given the same root certificate without having all the same subordinate CA certificates actually installed Example 4 1 CA Certificate Chains 1 On the VPN Client you have this chain in the certificate hierarchy Root Certificate CA Certificate 1 CA Certificate 2 Identity Certificate 2 On the VPN Concentrator you have this chain in the certificate hierarchy Root Certificate CA Certificate 3 Identity Certificate 3 Though the identity certificates are issued by different CAs the VPN Concentrator can still trust the VPN Clien
96. features use this procedure Step 1 Open the Options menu and display the Preferences menu Cisco VPN Client User Guide for Windows oL 5489 01 Chapter3 Navigating the User Interface W Choosing a Run Mode Figure 3 1 Enabling Accessibility Options a VPN Client Version 400 4 1 0 i lolx Connection Entries Status Certificates Log Options Help Connect New Import Modify Delete Connection Entries Ce PEYSUR E moni X Connection Enty 7 i T AA 3 J Hide upon connect 14 Boxborough na IV Enable tooltips 18 Richardson 19 Richardson nat 20 HongKong IV Enable accessibility options 21 HongKong nat 22 Singapore 23 Singapore nat Engineering_Cert Engineering_pre_shared 10 10 32 33 IPSec UDP IV Enable connect history display IV Enable connect on open 119112 Step2 Check Enable accessibility options and click OK Step3 Restart the VPN Client to activate the accessibility features Choosing a Run Mode You can run the VPN Client in simple mode or in advanced mode The default is advanced mode although your network administrator might have configured simple mode as the default e Use simple mode if you want only to start the VPN Client application and connect to a VPN device using the default connection entry e Use advanced mode for the following tasks Managing the VPN Client Configuring connection entries Enrolling for and managing certificates Viewing and managing event logging Viewing tun
97. file from your network administrator or directly through Entrust Refer to Entrust Entelligence Quick Start Guide for instructions on obtaining a profile The VPN Client Administrator Guide contains supplementary configuration information After choosing a profile enter your Entrust password Check the Work offline field to use Entrust Entelligence without connecting to the Entrust PKI If Work offline is checked and you press OK the Entrust wizard displays the message shown in Figure 5 15 OL 5489 01 VPN Client User Guide for Windows Chapter5 Connecting to a Private Network HI Connecting with Digital Certificates Figure 5 15 Entrust Login Message Entrust Login i i x AN You are working offline because the Entrust Directory was unavailable Working offline allows you to encrypt files For yourself and others using cached certificates however some of these certificates may be revoked 60739 You can ignore this message Since you are connecting to your organization s private network using an existing certificate profile you are not interacting with the Entrust PKI If you see this message click OK to continue Step3 After completing the Entrust Login window see Figure 5 14 click OK You may receive a security warning message from Entrust This warning occurs for example when an application attempts to access your Entelligence profile for the first time or when you are logging in after a VPN Client
98. fy your password by entering it again in the Confirm Password field Mutual Group Authentication To use mutual group authentication you need a root certificate that is compatible with the central site VPN installed on your system Your network administrator can load a root certificate on your system during installation When you select mutual group authentication the VPN Client software verifies whether you have a root certificate installed If not it prompts you to install one Figure 4 3 Mutual Group Authentication Prompt YPN Client X AN You must have a CA Certificate in order to use this feature Please import one to continue 119606 Before you continue you must import a root certificate For information on importing a certificate see Importing a Certificate File When you have installed a root certificate if required follow the steps in Group Authentication If you delete the root certificate from the user profile and you try to connect without it the VPN Client displays the following error message PN Client i xj amp Error 31 The certificate associated with this Connection Entry no longer exists or Failed to open Please select another certificate 119370 Certificate Authentication For certificate authentication perform the following procedure which varies according the type of certificate you are using Step 1 Click the Certificate Authentication radio button Step2 Choose the name o
99. grams and choose Install Now To install the update when you exit from the VPN Client select Install Later If you choose Install Later when you exit from the VPN Client autoupdate installs the update Minor Update The update is a minor release a point release or a patch release Minor updates can be optional or required They may or may not require a reboot e An optional minor update The update package is not a new major release Figure 7 22 shows your choices Install Now Install Later Don t Install VPN Client User Guide for Windows oL 5489 01 EEN Chapter7 Managing the VPN Client HZ Upgrading VPN Client Software Figure 7 22 Automatic Installation Minor Update E Autoinstall Cisco Systems YPN Client Update oj x An Update has been downloaded Choose one of the options below Cisco Systems VPN Client Install Now closes your YPN connection exits the VPN client and installs the update immediately Before installing the update you should close all programs Install Later defers installing the update until after the VPN Client has exited Cisco Systems Don t Install will not install the update Copyright 1998 2004 Cisco Systems Inc Install Now Install Later Don t Install 119111 To install the update close all programs and choose Install Now To install the update when you exit from the VPN Client select Install Later Toreject the installation choose
100. h a Windows NT Domain YPN Client User Authentication for NtGroup Enter Username and Password Cisco SYSTEMS Usemame fusi Password 1 I Save Password 87709 Step 1 In the Username field enter your username This entry is case sensitive Step2 In the Password field enter your password This entry is case sensitive The field displays only asterisks Note If you are connecting to a legacy server that is to a VPN 3000 Concentrator running a software version prior to Release 4 0 you might also be prompted for a domain name If you see this field in the dialog box enter your Windows NT Domain name in the Domain field if it is not already there Step3 Click OK Skip to Viewing Connection Information Changing your Password Your network administrator may have configured your group for RADIUS with Expiry authentication on the VPN 3000 Concentrator If this feature is in effect and your password has expired a window prompts you to enter and confirm a new password After you have tried unsuccessfully to log in three times you might receive one of the following login messages e Restricted login hours e Account disabled e No dial in permission e Error changing password e Authentication failure These messages let you know the cause of your inability to log in For help contact your network administrator VPN Client User Guide for Windows OL 5489 01 Chapter 5 Connect
101. hapter 5 Connecting to a Private Network Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Connecting with Digital Certificates Hi If you want to use these two features together you should make sure you have installed Entrust Entelligence with the Entrust SignOn module before installing the VPN Client For information about installing Entrust SignOn refer to Entrust documentation and the VPN Client Administrator Guide Chapter 1 To use these two features together follow these steps Start your system When the SignOn option is installed Entrust displays its own Ctrl Alt Delete window Click Ctrl Alt Delete The Entrust Options window and the VPN Client login window both pop up The VPN Client window is active To start your VPN connection click Connect on the VPN Client main window The Entrust login window becomes active To log in to your Entrust profile enter your Entrust password The VPN Client password prompt window becomes active Enter your VPN dialer username and password The VPN Client authenticates your credentials and optionally displays a banner and or a notification Respond to the banner or notification as required Then the Windows NT logon window is active To complete the connection enter your Windows NT logon credentials in the Windows logon window then you are done Connecting with a Smart Card or Token The VPN Client supports authentication with digital certificates through a smart car
102. he IKE SA Log Settings Log Window Copy Ctrl C Select All Ctri 4 Sev Info 6 Sev Info 6 Sev Info 6 KE Ox630000S2 KE 0x630000S2 IKE 0x63000052 IKE O0x63000052 IKE O0x63000082 Cisco Systems 87764 Cut Removes the selected item from the current context and saves a copy to the clipboard Select All Selects the entire contents of the log file usually in preparation for another operation How to Get Help The VPN Client comes with a complete context sensitive browser based help system You can display help in the following ways On the Program Menu choose Start gt Programs gt Cisco Systems VPN Client gt Help This method displays the entire help file beginning with a list of topics Press F1 at any window while using the VPN Client This method displays context sensitive information Click the Help button on windows that display it This method displays context sensitive information Choose Help VPN Client from the menu that appears when you click the Help menu in the Menu bar I OL 5489 01 Cisco VPN Client User Guide for Windows Chapter3 Navigating the User Interface W How to Get Help Determining the VPN Client Version You can determine the version of the VPN Client and the VPN Client type from the system tray or from the Help menu e From the system tray Step1 Right click the closed padlock icon Step2 Choose About VPN Client from the menu shown
103. hile a request is pending approval by the CA administration the VPN Client places the enrollment Connected Time 0 day s 00 06 05 request in the list under the Certificates tab You can view delete or change the password on any request in the list or you can retry a network enrollment request To perform any of these actions click the Certificates tab and select the action on the Certificates menu See Figure 6 20 01 5489 01 VPN Client User Guide for Windows Chapter6 Enrolling and Managing Certificates W Managing Enrollment Requests Figure 6 20 Managing Enrollment Requests PN Client 4 6 Rel lol x Connection Entries Status Certificates Log Options Help SF oo oR an View Import Export Enroll Verify Delete Connection Entries Certificates Log Validiy CA Patrick Clarkson 87722 status not connected Viewing the Enrollment Request To display the enrollment request select the request display the Certificates menu and choose View from the Certificates menu The VPN Client displays the pending request See Figure 6 21 Figure 6 21 Viewing an Enrollment Request YPN Client Certificate Properties for Joe Smith Common Name Department Company State Country Email MD5 Thumbprint SHA1 Thumbprint Key Size Subject Issuer Serial Number Not valid before Not valid after Joe Smith Marketing Some Company Massachusetts US jsmi
104. ic VPN Initiation auto initiation See Figure 7 5 When you select this option the VPN Client displays a dialog box that lets you enable disable auto initiation and change the setting of the retry interval Disabling auto initiation in this way does not remove it from your configuration If you need to enable auto initiation after you have disabled it you can return to this dialog box and enable it again The only way you can remove auto initiation from your configuration is through editing the vpnclient ini file For complete information on auto initiation see Using Automatic VPN Initiation Figure 7 5 Choosing Automatic VPN Initiation Application Launcher Automatic YPN Initiation Windows Logon Properties Stateful Firewall Always On Simple Mode Ctrl T Ctrl P 87730 Preferences To disable or enable auto initiation follow these steps Choose Automatic VPN Initiation from the Options menu The VPN Client displays the Automatic VPN Initiation Dialog Box Figure 7 6 VPN Client User Guide for Windows re E OL 5489 01 Chapter 7 Managing the VPN Client Step 2 Step 3 Step 4 Step 5 Viewing and Managing the VPN Client Event Log W Figure 7 6 Automatic VPN Initiation Dialog Box PN Client Automatic PN Initiation x MV Enable automatic YPN initiation Retry Interval a 1 to 10 minutes e 87729 To enable auto initiation after it has bee
105. icates VPN Client 4 6 Rel lol x Connection Entries Status Certificates Log Options Help 5 JES wje S Cisco SYSTEMS gi rare View Import Export Enroll Verify Delete Connection Entries Certificates Log Certificate ee Store Key Size VAi CA until Mar 25 2004 16 16 23 Patrick Clarkson until Jan 1 2003 14 09 4 status not connected The toolbar displays the tasks you can perform from the Certificates tab e View Displays the details of the currently selected certificate for example common name department and so on e Import Imports a certificate from a file or certificate store e Export Exports the currently selected certificate e Enroll Enrolls for a certificate with a certificate authority via the network or a file e Verify Checks to see if the currently selected certificate has expired e Delete Removes the currently selected certificate or certificate request from the certificate store Using Certificate Stores A certificate store is a location in your local file system that contains personal certificates The major store for the VPN Client is the Cisco store which contains certificates you have enrolled for through the Simple Certificate Enrollment Protocol SCEP Your system also includes a Microsoft certificate store that may contain certificates that your organization provides or that you have installed previously You can manage them just like the certif
106. icates in your Cisco store or you can import them to your Cisco store New certificates obtained through enrollment or importing go into the Cisco store There are two types of Microsoft certificates certificates for individuals to use and a Microsoft certificate for your local PC itself So if several people are using the same PC each person can have his or her own certificate and there can also be a certificate for the local system on Windows 2000 and Windows XP On a Windows 98 system you can use only non exportable certificates with Internet Explorer version 5 1 SP2 Microsoft certificates with non exportable private keys are also available The Certificates tab displays a list of the certificates currently in your certificate stores Figure 6 1 The display shows the following information e Certificate The name of the certificate VPN Client User Guide for Windows a 0l 5489 01 Chapter6 Enrolling and Managing Certificates Enrolling for a Certificate Hi e Store The name of the store that contains the certificate this can be Cisco Microsoft Microsoft machine Request CA or RA e Key Size The size of the key pair in bits 512 1024 and so on that protects the certificate e Validity Expiration date of the certificate Enrolling for a Certificate Your system administrator may have already set up your VPN Client with digital certificates If not or if you want to add certificates you can obtain a cert
107. ice see POTS Port Address Translation 4 7 POTS connection technology 1 2 preconfigured connection entry 4 1 private key password 5 1 private network connecting 5 3 5 4 disconnecting 5 30 privileges required for installing VPN Client 2 1 profile connection entry 4 2 default 4 12 Entrust 4 5 roaming 7 6 profile update 7 22 program features 1 3 protocol 1 2 Protocol 50 ESP traffic 4 7 protocol numbers 5 28 protocols DPD ESP 4 7 ICMP 5 28 IKE 1 2 IPSec 1 2 4 8 TCP 4 7 5 28 UDP 4 7 5 28 Public Key Infrastructure see PKIs Q quitting the VPN Client 5 30 RADIUS authentication password 5 5 procedure 5 5 username 5 5 RAM requirements 2 2 remote access connection closing before uninstall 7 18 removing backup servers 4 10 the VPN Client InstallShield 7 18 repair dialog MSI 2 6 requirements system 2 1 resetting connection statistics 5 30 restarting your computer after installation 2 4 retry interval auto initiation 7 6 roaming profiles 7 6 root certificate installing automatically 2 7 RSA formerly SDI authentication 5 7 Next Cardcode 5 9 passcode 5 7 PIN 5 8 rules firewalls 5 27 S Save Password option 5 5 saving a log file 7 13 SCEP Cisco store 6 2 searching log file 7 13 secure associations 5 24 E VPN Client User Guide for Windows OL 5489 01 secure gateway address 4 3 notifications to client 7 14 SecurID authentication 5 7 Server IP address conne
108. ient supports smart cards via the MS CAPI Interface Gathering Information You Need To configure and use the VPN Client you might need the information listed in this section Ask for this information from the system administrator of the private network you want to access Your system administrator might have preconfigured much of this data if so he or she will tell you which items you need Hostname or IP address of the secure gateway to which you are connecting Your IPSec Group Name for preshared keys Your IPSec Group Password for preshared keys If authenticating with a digital certificate the name of the certificate If authenticating through the secure gateway s internal server your username and password If authenticating through a RADIUS server your username and password If authenticating through an NT Domain server your username and password VPN Client User Guide for Windows P22 E OL 5489 01 Chapter2 Installing the VPN Client Installing the VPN Client Through InstallShield i e If authenticating through a token vendor your username and PIN e If authenticating through a smart card your smart card reader PIN or passcode and the name of the certificate stored on the smart card e If you should configure backup server connections the hostnames or IP addresses of the backup servers Installing the VPN Client Through InstallShield Step 1 Step 2 Step 3 Step 4 Step 5 amp To insta
109. ificate by enrolling with a Certificate Authority CA over the network or by creating a file request Enrolling Through the Network When you enroll for a personal certificate either you go through a CA from which your system already has a root certificate or you obtain a root certificate from the CA as part of the enrollment process The CA Certificates tab displays the current list of CA certificates See Figure 6 1 Use this section to gather the information before you begin To enroll for a certificate with a CA over the network follow this procedure Step 1 In advanced mode either click the Enroll icon on the toolbar above the Certificates tab or display the Certificates menu and choose Enroll Step2 Click Online as the certificate type There are two forms to fill out Step 3 Fill out the first form Figure 6 2 as follows Figure 6 2 Online Enrollment Form YPN Client Certificate Enrollment x Choose a certificate enrollment type Online Certificate Authority CA URL CA Domain Challenge Password C File File encoding Base 64 Filename New Password 87739 e CA URL The URL or network address of the CA This parameter is required e CA Domain The CA s domain name This parameter is required VPN Client User Guide for Windows 01 5489 01 Chapter6 Enrolling and Managing Certificates W Enrolling for a Certificate Challenge Password Some CA s require a
110. indow showing the reason for the disconnect and also logs a message to the Notifications log and the IPSec log file IPSec deletes that do not tear down the connection generate an event message only in the log file Single SA The ability to support a single SA per VPN connection Rather than creating a host to network security association SA pair for each split tunneling network this feature provides a host to ALL approach creating one tunnel for all appropriate network traffic apart from whether split tunneling is in use Coexistence with third party client software Compatibility with Microsoft Nortel Checkpoint Intel and other VPN clients the ability to use other VPN products while the VPN Client is installed This does not allow each VPN Client to make connections simultaneously Automatic updates The VPN device pushes an automatic update to the VPN Client to implement When the VPN Client connects to the VPN device it receives a location from which to download an update The VPN Client then connects through a VPN tunnel to this location and downloads the update which comprises VPN Client files and profiles When the download has completed the VPN Client verifies the integrity of the files and installs them This feature is for Windows 2000 and Windows XP only VPN Client User Guide for Windows OL 5489 01 _ Chapter 1 Understanding the Cisco VPN Client VPN Client Features W Tab
111. indows NT Only and SecurlD v2 0 All Operating Systems 5 8 VPN Client User Guide for Windows oL 5489 01 E E Contents RSA New PIN Mode 5 8 SecurlD Next Cardcode Mode 5 9 Connecting with Digital Certificates 5 10 Connecting with an Entrust Certificate 5 11 Accessing Your Profile 5 11 Entrust Inactivity Timeout 5 12 Using Entrust SignOn and Start Before Logon Together 5 12 Connecting with a Smart Card or Token 5 13 Completing the Private Network Connection 5 14 Using Automatic VPN Initiation 5 15 Enabling Automatic VPN Initiation 5 16 Connecting Through Automatic VPN Initiation 5 17 Disconnecting Your Session 5 19 Changing Option Values While Auto Initiation is Suspended 5 19 Disabling Automatic VPN Initiation 5 19 Disabling While Suspended 5 20 Restarting After Disabling Automatic VPN Initiation 5 20 Connection Failures 5 21 Viewing Connection Information 5 21 Viewing Tunnel Details 5 22 Viewing Routing Information 5 23 Local LAN Routes 5 24 Secured Routes 5 24 Firewall Tab 5 24 Configuring the Firewall on the Concentrator 5 25 Viewing Firewall Information on the VPN Client 5 26 AYT Firewall Tab 5 26 Centralized Protection Policy CPP Using the Cisco Integrated Client 5 27 Firewall Rules 5 27 Client Server Firewall Tab 5 29 Resetting Statistics 5 30 Disconnecting your VPN Client Connection 5 30 Closing the VPN Client 5 30 Enrolling and Managing Certificates 6 1 Using Certificate Stores 6 2 Enrolling for a Certificate 6
112. ing Through the Network Step6 After completing the page two of the form click Enroll The VPN Client displays a message to let you know whether your request succeeded If successful the message contains the name of the file See Figure 6 9 and Figure 6 10 Figure 6 9 Enroll File Success Message x Certificate enrollment request was created and saved to file c wbtest VPN Client User Guide for Windows 01 5489 01 a 67 Chapter6 Enrolling and Managing Certificates W Enrolling for a Certificate Figure 6 10 Enrollment Request Failed Message 2 YPN Client x A Unable to create certificate enrollment request Step 7 Click OK to complete the file enrollment request Managing Personal and CA RA Certificates From the Certificates menu Figure 6 11 or the toolbar above the Certificates tab you can perform the following tasks to manage personal and CA RA certificates e View a certificate e Verify that a certificate is still valid within the dates assigned to it and has not been revoked e Export a certificate to a file that you can e mail e Delete a certificate e For personal certificates only change the certificate password Certificates menu only e For personal certificates only retry certificate enrollment e Show or hide CA RA certificates Figure 6 11 Certificates Menu ioj x Connection Entries Status Certificates Log Options Help A View aod E Import Connect New
113. ing is enabled by default To link a VPN Client connection entry to a Dial Up Networking phonebook entry use the following procedure Step1 Click Microsoft Dial up Networking if it is not already enabled Step2 To link your VPN Client connection entry to a DUN entry click the down arrow next to the Phonebook entry field and choose an entry from the menu The VPN Client then uses this DUN entry to automatically dial into the Microsoft network before making the VPN connection to the private network Third Party Dial up Program If you have no DUN phonebook entries and have enabled Connect to the Internet via dial up then Third party dial up application is enabled by default To connect to the Internet using a third party dial up program follow these steps Step1 Click Third party dial up application if it is not already enabled Step2 Use Browse to enter the name of the program in the Application field This application launches the connection to the Internet This string you choose or enter here is the pathname to the command that starts the application and the name of the command for example c isp ispdialer exe dialEngineering Your network administrator might have set this up for you If not consult your network administrator Completing a Connection Entry To complete the connection entry click Save The VPN Client stores your new connection entry in the Cisco Systems VPN Client Profiles directory Setting a Default Connec
114. ing the configuration from a current connection entry as a template Set as Default Connection Entry Make the current connection entry the default New Create a new connection entry Import Bring in a new connection entry profile from a file Exit VPN Client Close the VPN Client application To configure a connection entry see Configuring and Managing Connection Entries Cisco VPN Client User Guide for Windows E OL 5489 01 Chapter3 Navigating the User Interface VPN Client Window Advanced Mode W Status Menu Use the Status menu Figure 3 8 to display routes and notifications and to reset the statistics display Figure 3 8 Status Menu io x Connection Entries Status Certificates Log Options Help A Statistics is k Notifications Connect Cisco SYSTEMS Modify Delete Connection Entries este Connection Enty _ Host Transport 87774 Not connected A e Statistics View tunnel details route details and firewall information for the current VPN session e Notifications View notices from the VPN device you are currently connected to e Reset Stats Clear the statistics from the statistics displays and start over Cisco VPN Client User Guide for Windows o1 5489 01 TEN Chapter3 Navigating the User Interface E VPN Client Window Advanced Mode Certificates Menu Use the Certificates menu Figure 3 9 to enroll and manage ce
115. ing to a Private Network Authenticating to Connect to the Private Network Hl Authenticating Through RSA Data Security RSA SecurID SDI RSA formerly SDI SecurID authentication methods include physical SecurID cards and keychain fobs and SecurID PC software formerly called SoftID SecurID cards also vary with some cards the passcode is a combination of a PIN and a cardcode with others you enter a PIN on the card and it displays a passcode Ask your system administrator for the correct procedure Authentication via these methods also varies slightly for different operating systems If you use an RSA method the VPN Client displays the appropriate RSA user authentication window The title bar identifies the connection entry name RSA User Authentication SecurlD Tokencards Tokencards Pinpads and Keyfobs and SoftID v1 0 Windows 98 and Windows ME Step 1 Step 2 Step 3 To display an authentication window asking for your username and passcode perform the following steps See Figure 5 7 If you are using SoftID it must be running on your PC Figure 5 7 Authenticating Through RSA YPN Client User Authentication for Sdi5Group Enter Username and Password Cisco Systems Username keyfob0617 M Passcode XXXXXXXXXXKX 87710 In the Username field enter your username This entry is case sensitive In the Passcode field enter a SecurID code With SoftID you can copy this code from the SoftID window
116. ini x Cancel 87761 The search string is not case sensitive and wildcards are not supported Search terms are highlighted only on the log tab display not in the log window even if the log tab was not the active tab Saving the Log File Step 1 To save the currently displayed events in the log file on your hard drive use the following procedure Either display the Log menu and choose Save or click Save on the Log Window The VPN Client saves the information to the Client install directory which by default is the pathname Program Files Cisco Systems VPN Client VPN Client Logs The default file name includes the word LOG and is based on the date and time in 24 hour format that the log file was created for example LOG yyyy MM dd hh mm ss txt This new format complies with the ISO 8601 extended specification for representations of dates and times and avoids issues with localization The new log file names have a chronological order that is the same as their alphanumeric order This provides for a method of enumerating only the log files generated by the GUI OL 5489 01 VPN Client User Guide for Windows E Chapter7 Managing the VPN Client HI Receiving Notifications From a VPN Device wy Note You can save the contents of the present log to a different directory and filename but you cannot change the default log directory and filename See Figure 7 12 Step2 After typing in the name of the file
117. ion the VPN Client window closes and your logon window displays If the connection is not successful the VPN Client window continues to display Your administrator might have set up a banner that lets you know when you have a successful connection To activate start before logon follow these steps Open the VPN Client Options menu shown in Figure 7 1 and choose Windows Logon Properties Click Enable start before logon and then click OK or to cancel the operation click Cancel See Figure 7 3 What Happens When You Use Start Before Logon When start before logon is active the following events occur when your system starts e Your system logon dialog box displays Other messages might display as well depending on your setup Wait until you see the VPN Client start e The VPN Client starts and displays the connection dialog box over the system logon dialog box e You connect to the private network of the VPN Device The connection dialog box goes away e You log on to your system Note You can use certificates for authentication with start before logon when your personal certificate along with the CA or intermediary certificate s are in your Cisco certificate store and the Microsoft local machine but not your personal Microsoft store CAPI certificates However to use a CAPI certificate you can log on using cached credentials connect using your CAPI certificate and disable the VPN Client User Guide for Windows
118. ion 4 0 int_38 Copyright iC 1998 2002 Cisco Systems Inc All Rights Reserved Client Type s WinNT Running on 5 0 2195 re connection using Ethernet 3 15 34 40 656 12 05 02 Sew Info 4 CM 0x631000z26 Attempt connection with server 10 10 32 32 4 15 34 40 656 12 05 02 Sev Info 6 IKE 0x6300003B Attempting to establish a connection with 10 10 32 32 5 15 34 40 696 12 05 02 Sev Info 4 IKE 0x63000013 SENDING gt gt gt ISAKMP OAK AG SA KE NON ID VID Xauth VID dpd VID Nat T VID Frag VID Unity to 10 10 32 32 6 15 34 40 926 12 05 02 Sev Info 5 IKE 0x6300002F Received ISAKMP packet peer 10 10 32 32 7 15 34 40 926 12 05 02 Sev Info 4 IKE 0x63000014 RECEIVING lt lt lt ISAKMP OAK AG SA KE NON ID HASH VID Unity VID Xauth VID dpd VID Frag VID VID from 10 10 32 32 8 15 34 40 926 12 05 02 Sev Info 5 IKE O0x63000001 Peer is a Cisco Unity compliant peer 9 15 34 40 926 12 05 02 Sev Info S IKE Ox63000001 Peer supports XAUTH zi Save Log Stings Clear LA 87765 Each message in the log file comprises at least two lines containing the following fields Event Time Date Severity type level EventClass MessageID Message text Table 7 1 describes the fields in an event message Table 7 2 describes Event types and severity levels Table 7 1 Fields in an Event Message Field Meaning Event The first field shows the event number Events are numbered incrementally and never reset
119. isconnect End the current VPN session e Duplicate Made a copy of the selected connection entry This action allows you to create a new connection entry using the configuration from a current connection entry as a template e Delete Frase the selected connection entry e Create Shortcut Place a link to the connection entry on your desktop e Modify Edit the properties of the current connection entry for example its name hostname and so on Cisco VPN Client User Guide for Windows oL 5489 01 m Chapter3 Navigating the User Interface W Right Click Menus e Erase Saved User Password Delete the user password that is saved on the VPN Client workstation forcing the VPN Client to prompt you for a password each time you establish a connection e Setas Default Connection Entry Use the selected connection entry as the default Certificates Tab Right Click Menu Figure 3 13 shows the right click menu options available when the Certificates tab is forward and a certificate entry is highlighted Figure 3 13 Certificates Tab Right Click Menu YPN Client ersion 4 0 Rel E 5 x Connection Entries Status Certificates Log Options Help Bre fE i gt F w E View Import Export Enroll Verify Delete Connection Entries Certificates Log Certificate TestC46 8 until Mar 25 2004 16 x Patrick Clarkson genis invalid expired on Jan 1 2003 14 09 42 Cisco SYSTEMS Ex
120. j96RQPcCMKXuGSQ ct4rx 6QZ29mEgUCO4SCTZ2Z2DGHMjg1JghG xW Xc Be ink9H1 j lqdXHMBtANvwJ962JHVUKXDBmrLkOGI qlixUMOapJ9DShHUADZIKmJ AgMBAAGgGSDBEBgkqghkiG 9wO6BCQ4x0 TASMDUGA1UdEQQuMCyHBAOKCgGBF2FsaWNl YkBucndhbm16YXRpb24ub3 JnggtEZX2Z21b6 9 wbWWudDANBgkqhkiG9wGBAQQFAADB QQAAFgZCASSUSK106kmI 2N6w4Bu01 81 WNY qGXRHQp wPsUM4 435 j7D6C1LXqU4aU4 wh hth9MRP92xk3HF 8WTaQ1 GkbxZoLNG9xpzO0 I WoqCMY Jq egiQF Zeme3wOjF2Cnh yj scUGoSieedQM4b9whinghpg42F 2NLF4568i1Ee07q7U0g END NEW CERTIFICATE REQUEST 60725 Step3 In the Filename field enter the full pathname for the file request When you browse for an appropriate directory for placing the file request the Certificate Manager shows only the files of the chosen file type You can save your file enrollment requests in the Certificates directory which is a subdirectory of the directory where the VPN Client is installed An example of a complete pathname is c program files cisco systems vpn client certificates p10req3 p10 Step4 In the New Password field enter the password that protects this certificate If your connection entry requires certificate authentication you must enter this password each time you connect The password can be up to 32 characters in length Passwords are case sensitive For example sKate8 and Skate8 are different passwords Step5 Click Next The VPN Client displays page two of the form This form is the same as the one used for enrolling via the network See Enroll
121. le 1 2 Program Features continued Program Feature Description Browser proxy configuration for Internet Explorer When connecting to the secure gateway at a central location the VPN Client changes the web browser proxy to accommodate the organization s environment When disconnecting the software returns to the user s default browser application This feature applies to Internet Explorer only The VPN Concentrator administrator configures this feature in the VPN Concentrator Manager see VPN Client Administrator Guide Chapter 1 Connect on open This feature lets a user connect to the default user profile when starting the VPN Client limited to the vpngui exe program 508 accessibility compliance Starting with 4 6 the VPN Client complies with all 508 standards for accessibility For information about activating the accessibility features before you progress any further refer to Configuring the VPN Client for Accessibility VPN Client API Authentication Features VPN Client provides an application programming interface for performing VPN Client tasks without using the command line or graphical interfaces that Cisco provides This API comes with a user guide for programmers which is in a format that can be edited The VPN Client supports the authentication features listed in Table 1 3 Table 1 3 Authentication Features Authentication Feature Description User authentication through VPN
122. lephone Service Uses a dial up modem to connect e ISDN Integrated Services Digital Network May use a dial up modem to connect e Cable Uses a cable modem always connected e DSL Digital Subscriber Line Uses a DSL modem always connected You can also use the VPN Client on a PC with a direct LAN connection VPN Client Features The tables in the following sections describe the VPN Client features Table 1 1 lists the VPN Client main features Table 1 1 VPN Client for Windows Main Features Features Description Operating System Windows 98 Windows NT Windows ME Windows 2000 Windows XP Connection types e async serial PPP e Internet attached Ethernet Protocol IP VPN Client User Guide for Windows OL 5489 01 _ Chapter 1 Understanding the Cisco VPN Client VPN Client Features W Table 1 1 VPN Client for Windows Main Features continued Features Description Tunnel protocol IPSec User Authentication e RADIUS e RSA SecurID e VPN server internal user list e PKI digital certificates e Smart cards e NT Domain Windows NT Program Features The VPN Client supports the program features listed in Table 1 2 Table 1 2 Program Features Program Feature Description On line Help e Complete browser based context sensitive Help Servers supported e Cisco IOS devices that support Easy VPN server functionality e VPN 3000 Series Concentrators e Cisco PIX Fire
123. ll the VPN Client on your system follow these steps We suggest you accept the defaults unless your system administrator has instructed otherwise Exit all Windows programs and disable any antivirus software Insert the Cisco Systems CD ROM in your system s CD ROM drive Choose Start gt Run The Run dialog box appears Enter E VPN Client CD ROM InstallShield setup exe where E is your system s CD ROM drive Click OK Note Step 6 Cisco does not allow you to install the VPN Client software from a network drive If you attempt to do so you receive an error message The program displays the Cisco Systems logo and InstallShield Setup window shown in Figure 2 1 Figure 2 1 Starting InstallShield Installation Cisco Systems YPN Client Setup Welcome to the Installshield Wizard for YPN Client The InstallShield Wizard will install YPN Client on your Computer To continue click Next a Cancel 67530 If the InstallShield Wizard identifies an existing version of either the VPN 3000 Client or the Cisco 5000 VPN Client it displays a dialog box that asks if you want to uninstall the existing client program To continue click Yes OL 5489 01 VPN Client User Guide for Windows E Chapter2 Installing the VPN Client W Installing the VPN Client Through Microsoft Windows Installer Step 7 Step 8 The VPN Client launches the appropriate uninstall wizard the Cisco VPN Client uninstall wizard to
124. local e Protocol The Internet Assigned Number Authority IANA number of the protocol that this rule concerns 6 for TCP 17 for UDP and so on e Source Port Source port used by TCP or UDP e Destination Port Destination port used by TCP or UDP VPN Client User Guide for Windows a OL 5489 01 Chapter5 Connecting to a Private Network Viewing Connection Information W Client Server Firewall Tab When Client Server is the supported policy the Firewall tab displays the name of the firewall policy the name of the product the user ID session ID and the addresses and port numbers of the firewall servers in the private network see Figure 5 35 Zone Labs Integrity is a Client Server firewall solution in which the Integrity Server IS acts as the firewall server that pushes firewall policy to the Integrity Agent IA residing on the VPN Client PC Zone Labs Integrity can also provide a centrally controlled always on personal firewall Figure 5 35 Client Server Firewall Tab YPN Client Statistics a x Tunnel Details Route Details Firewall Policy Client Server Product ZoneLabs Integrity Agent User ID un 200 70 50 248 IntegrityGroup Q4DOMAIN barney rubble Session ID 1041 Servers Address 100 50 0 10 Close 87756 e Firewall Policy This field shows that Client Server is the supported policy e Product Lists the name of the Client Server solution currently in use such as Zone Lab
125. ly access private enterprise networks through a Cisco VPN server that supports the VPN Client The VPN Client comprises the following applications which you select from the Programs menu Figure 1 1 VPN Client Applications as Installed by the Install Shield Wizard iy Cisco Systems YPN Client IE Help LA Set MTU W Uninstall VPN Client 87758 VPN Client The applications are as follows e Help Displays an online manual with instructions on using the applications e SetMTU Lets you manually change the size of the maximum transmission unit see the VPN Client Administrator Guide Chapter 6 e VPN Client Lets you configure connections to a VPN server start connections enroll for certificates to authenticate connections to VPN servers and display events from the log e Uninstall VPN Client Lets you safely remove the VPN Client software from your system and retain your connection and certificate configurations amp Note You can install the VPN Client through either the InstallShield wizard or the Microsoft Installer If you install the VPN Client through the Microsoft Installer the Programs menu shown in Figure 1 1 does not contain the Uninstall application OL 5489 01 VPN Client User Guide for Windows E Chapter1 Understanding the Cisco VPN Client W How the VPN Client Works How the VPN Client Works The VPN Client works with a Cisco VPN server to create a secure connection called a tun
126. me and password If you are authenticated via an Windows NT Domain server your username password and if necessary domain name If you are authenticated via RSA Data Security formerly SDI SecurID or SoftID your username and PIN If you use a digital certificate for authentication the name of the certificate and your username and password If your private key is password protected for security reasons you also need this password Refer to your entries in Gathering Information You Need as you complete the steps described here which include the following sections Starting the VPN Client Using the VPN Client to Connect to the Internet via Dial Up Networking Authenticating to Connect to the Private Network Connecting with Digital Certificates Completing the Private Network Connection Using Automatic VPN Initiation Viewing Connection Information Closing the VPN Client Disconnecting your VPN Client Connection I OL 5489 01 VPN Client User Guide for Windows Chapter5 Connecting to a Private Network HZ Starting the VPN Client Starting the VPN Client To start the VPN Client application choose Start gt Programs gt Cisco Systems VPN Client gt VPN Client The VPN Client displays the VPN Client s main window in either simple mode Figure 5 1 or advanced mode Figure 5 2 which is the default Figure 5 1 Connecting from Simple Mode o x Connection Entries Status Options Help
127. n Dip Authentication Transport i MV Enable Backup Servers Engineering_backup Add Remove Erase User Password Cancel 87717 Step4 Enter the hostname or IP address of the backup server Use a maximum of 255 characters The hostname or IP address appears in the Enable backup server s list Step5 To add more backup devices repeat Steps 2 3 and 4 Removing Backup Servers To remove a server from the backup list select the server in the list and click Remove The VPN Client displays a dialog box asking you to confirm the deletion The server name no longer appears in the list Note If you click Cancel in the dialog box after a modification like Remove the item is not removed from the pcf file You must click Save to make any changes on any of the tabs permanent Changing the Order of the Servers When necessary the VPN Client tries the backup servers in the order in which they appear in the backup servers list starting at the top To reorder the servers in the list select a server and click the up arrow to increase the server s priority or the down arrow to decrease the server s priority VPN Client User Guide for Windows Cu OL 5489 01 Chapter4 Configuring and Managing Connection Entries Configuring a Connection to the Internet Through Dial up Networking W Disabling Backup Servers You can disable using backup servers without removing backup servers from the list To
128. n disabled click Enable automatic VPN initiation or to disable auto initiation click to uncheck Enable automatic VPN initiation To change the setting of the retry interval enter the new value 1 to 10 in the Retry Interval box Click Apply If you are enabling auto initiation you then must close the VPN Client The authentication dialog then prompts you to enter your authentication information Note You can also enable disable resume and suspend auto initiation from the right click menu depending on the state of your connection Viewing and Managing the VPN Client Event Log The Log Tab When you start the VPN Client and enable logging the VPN Client creates a new empty log file for your session The log collects event messages from all processes that contribute to the client peer connection Examining the event log can often help a network administrator diagnose problems with an IPSec connection between a VPN Client and a peer device During a session you can view the log from the Log tab and the Log Window You can also view a saved log file with a text editor This section shows how to use the log to retrieve and manage this information You can manage and also view the log from the Log tab Figure 7 7 OL 5489 01 VPN Client User Guide for Windows E Chapter7 Managing the VPN Client W Viewing and Managing the VPN Client Event Log Figure 7 7 Viewing and Managing Events using the Log Tab VPN Cli
129. nd Windows XP systems Automatic VPN disconnect on The ability to enable or disable automatic disconnect when logging logoff off a Windows NT platform Disabling this feature allows for roaming profile synchronization VPN Client User Guide for Windows OL 5489 01 CHAPTER Installing the VPN Client This chapter explains how to install the VPN Client on your PC and includes the following sections e Verifying System Requirements e Gathering Information You Need e Installing the VPN Client Through InstallShield e Installing the VPN Client Through Microsoft Windows Installer To upgrade the VPN Client software or to uninstall it see Managing the VPN Client A Caution Installing the VPN Client software using InstallShield on Windows NT or Windows 2000 requires Administrator privileges If you do not have Administrator privileges you must have someone with Administrator privileges install the product for you Installation Applications You can install the VPN Client on your system through either of two different applications InstallShield and Microsoft Windows Installer MSI Both applications use installation wizards to walk you through the installation Installing the VPN Client through InstallShield includes an Uninstall icon in the program group MSI does not In the latter case to manually remove VPN Client applications you can use the Microsoft Add Remove Programs utility Verifying System Requiremen
130. nection Information CPP rules defined on the VPN Concentrator are only for nontunneled traffic and appear next in the table For information on configuring filters and rules for CPP see VPN Client Administrator Guide Chapter 1 A default rule Firewall Filter for VPN Client Default on the VPN Concentrator lets the VPN Client send any data out but permits return traffic in response only to outbound traffic Finally there are two rules listed at the bottom of the table These rules defined on the VPN Concentrator specify the filter s default action either drop or forward If not changed the default action is drop These rules are used only if the traffic does not match any of the preceding rules in the table Note The Cisco Integrated Client firewall is stateful in nature where the protocols TCP UDP and ICMP allow inbound responses to outbound packets For exceptions refer to VPN Client Administrator Guide Chapter 1 If you want to allow inbound responses to outbound packets for other protocols such as HTTP a network administrator must define specific filters on the VPN Concentrator You can move the bars on the column headings at the top of the box to expand their width for example to display the complete words Action and Direction rather than Act or Dir However each time you exit from the display and then open this status tab again the columns revert to their original width Default rules on the VPN Concentrator
131. nects the VPN Client and tears down the tunnel the VPN Client displays a popup window showing the reason for the disconnect and also logs a message to the Notifications log and the IPSec log file For IPSec deletes that do not tear down the connection the event message appears only in the log file These disconnect events include e Administrative disconnect VPN Client User Guide for Windows oL 5489 01 a 715 Chapter7 Managing the VPN Client HZ Upgrading VPN Client Software e VPN 3000 Concentrator shutdown or reboot e Idle time disconnect e Maximum connection time disconnect For a shutdown or reboot scheduled at a future time the VPN 3000 Concentrator sends the disconnect notification at the time of the actual shutdown or reboot This feature does not provide advanced or early notification of a future event for example it does not send messages such as The Concentrator is going to shut down in 30 minutes The disconnect with reason feature is enabled by default but an administrator can configure the VPN 3000 Concentrator to turn off these disconnect notifications This feature is not configurable on the VPN Client When this feature is enabled the VPN 3000 Concentrator and the VPN Client negotiate whether to display these messages Upgrading VPN Client Software There are several ways to update VPN Client Software For all Windows platforms you can update software manually using either the MSI installer or th
132. nel between your computer and the private network It uses the Internet Key Exchange IKE and Internet Protocol Security IPSec tunneling protocols to make and manage secure connections Some of the steps include e Negotiating tunnel parameters Addresses algorithms lifetime and so on e Establishing tunnels according to the parameters e Authenticating users Making sure users are who they say they are by usernames group names and passwords and X 509 digital certificates e Establishing user access rights Hours of access connection time allowed destinations allowed protocols and so on e Managing security keys for encryption and decryption e Authenticating encrypting and decrypting data through the tunnel For example to use a remote PC to read e mail at your organization you connect to the Internet then start the VPN Client and establish a secure connection through the Internet to your organization s private network When you open your e mail the Cisco VPN server uses IPSec to encrypt the e mail message It then transmits the message through the tunnel to your VPN Client which decrypts the message so you can read it on your remote PC If you reply to the e mail message the VPN Client uses IPSec to process and return the message to the private network through the Cisco VPN server Connection Technologies The VPN Client lets you use any of the following technologies to connect to the Internet e POTS Plain Old Te
133. nel routing data To toggle between advanced mode and simple mode press Ctrl M Alternately you can choose a mode from the Options menu Cisco VPN Client User Guide for Windows ose or Chapter 3 Navigating the User Interface VPN Client Window Simple Mode W VPN Client Window Simple Mode In simple mode you work with a scaled down version of the VPN Client user interface Figure 3 2 Figure 3 2 VPN Client Window Simple Mode Connection Entries Status Options Help Cisco Systems s Connect Not connected 87781 The VPN Client main window shows the version information the current connection entry the connect button and the status bar Use the down arrow to display other connection entries e From the Connection Entries menu Figure 3 3 you can Connect to or disconnect from the connection entry shown in the box Create a shortcut for the connection entry shown in the box Import a new connection profile Set the current connection entry as the default connection entry Exit from the VPN Client Figure 3 3 Simple Mode Connection Entries Menu VPN Client 4 6 Rel loj x Connection Entries Status Options Help Connect Ctrl 0 Disconnect Ctrl D Create Shortcut Import Set as Default Connection Entry Exit YPN Client ctrl Q 87780 e From the Status menu you can display notifications e From the Options menu you can switch to Advanced Mode an
134. ng VPN Client Options PN Client 4 6 Rel E 05 x Connection Entries Status Certificates Log Options Help A E oe i Application Launcher Cisco Systems A Noa 5 ra Windows Logon Properties PEN Stateful Firewall Always On Connection Entries Certificates Log Simple Mode Ctrl M Preferences Connection Enty Transport 87773 Not connected 4 e Application Launcher Start an application before connecting to a VPN device e Windows Logon Properties Control logon features for the Windows NT platform Ability to start a connection before logging on to a Windows NT system Permission to launch a third party application before logging on to a Windows NT system Control of auto disconnect behavior when logging off e Stateful Firewall Always On Enable disable the internal stateful firewall e Simple Mode Switch to simple mode e Preferences Set the following features Save window settings Save any changes you make to the VPN Client window Hide upon connect Place the VPN Client window in the dock when the VPN connection is established Enable tool tips Enable tool tips for the toolbar action buttons Enable connect history display Enable the display of connection history information Enable accessibility options Activate 508 accessibility features on the VPN Client graphical user interface Enable connect on open Causes the VPN Client to connect to th
135. nning on your PC but not connected to a remote network do one of the following e From the Connection Entries menu on the VPN Client s main window select Exit VPN Client See Figure 5 1 e Press CTRL Q on your keyboard e Press Alt F4 on your keyboard VPN Client User Guide for Windows m OL 5489 01 CHAPTER Enrolling and Managing Certificates This chapter explains how to enroll and manage personal certificates specifically how to perform the following tasks e Obtain personal certificates through enrollment with a certificate authority CA which is an organization that issues digital certificates that verify that you are who you say you are See Using Certificate Stores for a description of personal certificates e Import certificates e Manage certificates and enrollment requests This chapter includes the following sections e Using Certificate Stores e Enrolling for a Certificate e Managing Personal and CA RA Certificates e Managing Enrollment Requests To get started with certificates open the Certificates tab on the VPN Client main window in advanced mode Figure 6 1 The Certificates tab lists the certificates you currently have enrolled If there are no certificate showing you need to enroll with a CA or contact your system administrator VPN Client User Guide for Windows 01 5489 01 EN Chapter6 Enrolling and Managing Certificates W Using Certificate Stores Figure 6 1 Managing Certif
136. o a Private Network W Viewing Connection Information Viewing Firewall Information on the VPN Client The Firewall tab displays information about the VPN Client s firewall configuration including the firewall policy and the configured firewall product The remaining contents of the Firewall tab depend on these two configured options The information shown on this tab varies according to your firewall policy e AYT When the Are You there AYT is the supported capability the Firewall tab shows only the firewall policy AYT and the name of the firewall product see Figure 5 33 AYT enforces the use of a specific personal firewall but does not require you to have a specific firewall policy e Centralized Protection Policy CPP When CPP is the supported capability the Firewall tab includes the firewall policy the firewall in use and firewall rules see Figure 5 34 e Client Server When the Client Server is the supported capability the Firewall tab displays the firewall policy as Client Server the name of the product as ZoneLabs Integrity Agent the user ID session ID and the addresses and port numbers of the firewall servers see Figure 5 35 AYT Firewall Tab The Firewall tab shows that AYT is running and displays the name of the firewall product that supports AYT AYT is used in conjunction with Cisco Intrusion Prevention Security Agent or Zone Labs Zone Alarm or Zone Alarm Pro to ensure that the firewall is enabled an
137. ompression 5 23 configuring browser proxy on VPN Concentrator 1 5 connect history display enabling 3 3 connecting before logon 7 4 to private network 5 3 5 4 E VPN Client User Guide for Windows OL 5489 01 to the internet via Dial Up Networking 4 11 to the internet via Dial Up Networking 5 4 with certificate 5 1 connecting to default connection entry 5 2 connection LAN 1 2 network direct 2 2 statistics packets bypassed 5 23 packets decrypted 5 23 packets discarded 5 23 packets encrypted 5 23 resetting 5 30 status local LAN routes list 5 24 secure associations 5 24 transparent tunneling 5 23 viewing 5 21 technologies 1 2 connection entry configuring smart card 4 6 creating 4 2 default 4 12 5 2 preconfigured 4 1 profile 4 2 connection types 1 2 connect on open 1 5 5 2 enabling 3 10 copyrights and licenses 1 country code in certificate enrollment 6 4 CPP firewall policy 5 25 5 27 creating connection entry 4 2 Index W D data formats xii data compression 1 8 Dead Peer Detection see DPD default connection entry 4 12 connecting 5 2 default profile 4 12 deleting certificate 6 13 enrollment request 6 17 department in certificate enrollment 6 4 DHCP request 1 4 DHCP traffic stateful firewall always on 7 2 Dial Up Networking closing before uninstall 7 18 connecting 4 11 5 4 dial up modem 1 2 disabling 4 12 enabling 4 12 icon on taskbar 5 4 phonebook entries 4 12 programs third party 4
138. ons menu shown in Figure 7 1 and choose Windows Logon Properties The VPN Client displays a dialog box containing three parameters See Figure 7 3 Ss Note The VPN Client displays Windows Logon Properties only on Windows NT Windows 2000 and Windows XP VPN Client User Guide for Windows oL 5489 01 EN Chapter7 Managing the VPN Client W Managing Windows NT Logon Properties Figure 7 3 Controlling Windows Logon Properties PN Client Windows Logon Properties xj Use these options to resolve Windows logon issues regarding NT domains and roaming profiles Press F1 for more information Vv Allow launching of third party applications before logon Application Launcher Third party dial up application V Disconnect VPN connection when logging off x coer 87786 Starting a Connection Before Logging on to a Windows NT Platform Step 1 Step 2 On a Windows NT platform you can connect to the private network before you log on to your system This feature is called start before logon and its purpose is primarily to let you log in to the domain and run login scripts Your administrator may have set this up for you Once you establish a VPN connection your credentials are sent to a domain controller for logging on to your system If you need to launch an application before you log on see the section Launching an Application for information When you have established a successful VPN connect
139. ore use the following procedure Step 1 Display the Certificates menu and choose Import or click the Import icon above the Certificates tab The Certificate Manager displays the Import Certificate dialog box See Figure 6 14 VPN Client User Guide for Windows 01 5489 01 m Chapter6 Enrolling and Managing Certificates W Enrolling for a Certificate Figure 6 14 Importing a Certificate from the Microsoft Certificate Store PN Client Import Certificate xi Import from File Import Path Browse Import Password Import from Microsoft Certificate store Import Certificate 1EAN UMAR pebere ie Entering a new password is optional It is recommended to password protect identity certificates New Password Verify Password 87742 Step2 Select Import from Microsoft Certificate store Step3 New Password The case sensitive password to be stored with the certificate This password is optional but we recommend that you always protect your certificate with a password Step4 Verify Password The password that you enter here must match what you entered in the New Password field Step5 To complete the import request click Import or to cancel your request click Cancel Verifying a Certificate To see whether the certificate is valid choose it in the certificate store follow these steps Step 1 Select the certificate from the certificate store under the Certificates t
140. orks use VPNs to secure the wireless part of the network link In this case if your PC is ona WLAN without VPN you cannot access network resources If a VPN exists your access is similar to what it is with wired Ethernet connections Figure 5 20 shows the two different types of VPN access I OL 5489 01 VPN Client User Guide for Windows Chapter5 Connecting to a Private Network HZ Using Automatic VPN Initiation Figure 5 20 Remote Access VPN Versus On Site Wireless Access VPN Traditional Remote Access VPN Secured ume COrporate Emm iw Resources Corporate Network On site WLAN VPN In your connection profile your network administrator can configure a list of up to 64 matched networks address subnet masks and corresponding connection profiles pcf files When the VPN Client detects that your PC s network address matches one of the address subnet mask pairs in the auto initiation network list it checks whether the network administrator has configured that profile to allow the default or prohibit auto initiation If auto initiation is allowed the VPN Client automatically establishes a VPN connection using the matching profile for that network While auto initiation is primarily for an on site WLAN application you can also use auto initiation in any situation based on the presence of a specific network For example in your home office you may want to create an entry for your VPN to auto initiate from your
141. p that you can access by clicking the Help icon on the toolbar in the Manager window Other useful books articles and websites include e Dictionary of Internetworking Terms and Acronyms Cisco Press 2001 e Kosiur Dave Building and Managing Virtual Private Networks Wiley 1998 e Sheldon Tom Encyclopedia of Networking Osborne McGraw Hill 1998 e www ietf org for Internet Engineering Task Force IETF Working Group drafts on IP Security Protocol IPSec Cisco PIX Firewall Documentation The VPN Client can also interact with the Cisco PIX Firewall For information about using the PIX Firewall product see the following documents e Cisco PIX Firewall and VPN Configuration Guide Version 6 3 e Cisco PIX Firewall Command Reference Version 6 3 I OL 5489 01 VPN Client User Guide for Windows Preface E Conventions Conventions This document uses the following conventions Convention Description boldface font User actions and commands are in boldface italic font Arguments for which you supply values are in italics screen font Terminal sessions and information the system displays are in screen font boldface screen font Information you must enter is in boldface screen font Notes use the following conventions Note Means reader take note Notes contain helpful suggestions or references to material not covered in the publication Cautions use the following conv
142. party For permitted transfers you may not export the Software to any country for which the United States requires any export license or other governmental approval at the time of export without first obtaining the requisite license and or approval Furthermore you may not export the Software in violation of any export control laws of the United States or any other country For reference purposes only see the Cisco Encryption Tool Quick Reference Guide currently located at http www cisco com wwl export crypto tool stqrg html 6 You may not modify translate decompile disassemble use for any competitive analysis reverse engineer distribute or create derivative works from the Software or any accompanying documentation or any copy thereof in whole or in part 7 The subject license will terminate immediately if you do not comply with any and all of the terms and conditions set forth herein Upon termination for any reason you the licensee must immediately destroy the Software any accompanying documentation and all copies thereof in your possession You must also use commercially reasonable efforts to notify the third parties to whom you have distributed the Software that their rights of access and use of the Software have also ceased Cisco Systems is not liable to you for damages in any form solely by reason of termination of this license 8 You may not remove or alter any copyright trade secret patent trademark trade name logo
143. pecific example includes the following parts Other items may be included depending on the certificate type However these fields are fairly standard cnis the common name ou is the organizational unit department ois the organization lis the locality city or town stis the state or province of the owner cis the country eis the email address of the owner Issuer The fully qualified distinguished name DN of the source that provided the certificate The fields in this example are the same as for Subject Serial Number A unique identifier used for tracking the validity of the certificate on Certificate Revocation Lists CRLs Not Before The beginning date that the certificate is valid Not After The end date beyond which the certificate is no longer valid Importing a Certificate File You can import a certificate into the Cisco store from the Microsoft store or from a file The procedures vary slightly Importing a Certificate from a File To import a certificate from a file use the following procedure Step 1 Display the Certificates menu and choose Import or click the Import icon above the Certificates tab The Certificate Manager displays the Import Certificate Source dialog box See Figure 6 13 VPN Client User Guide for Windows cu 01 5489 01 Chapter6 Enrolling and Managing Certificates Enrolling for a Certificate Hi Figure 6 13 Importing a Certificate from File
144. plays a window to ask for authentication information Step3 Enter your authentication information for example your username and password See Authentication Alternatives Connecting from Advanced Mode To connect to a VPN device through advanced mode follow these steps Step 1 Using advanced mode you can connect in one of the following ways e Display the Connection Entries menu and choose Connect e Click the Connect icon on the tool bar above the Connection Entries tab e Double click a connection entry in the list of connection entries Step2 Enter your authentication information for example your username and password See Authentication Alternatives Authentication Alternatives To connect to a private network through the Internet you must authenticate the connection request e Systems with cable or DSL modems are usually connected to the Internet so no additional action is necessary Skip to Authenticating to Connect to the Private Network e Systems with modems or ISDN modems must connect to the Internet via Dial Up Networking If you connect to the Internet via Dial up Networking proceed to Using the VPN Client to Connect to the Internet via Dial Up Networking If you must manually connect to the Internet do it now When your connection is established skip to Authenticating to Connect to the Private Network If your system is already connected to the Internet via Dial Up Ne
145. port Verify Delete Change Certificate Password Retry Certificate Enrollment Connected to Engineering Connected Time 2 day s 00 44 07 e Verify Make sure that the selected certificate is valid e View Look at the properties of the selected certificate e Delete Erase the selected certificate e Export Send the selected certificate to a specified file location e Change Certificate Password Update the password that protects the certificate in the VPN Client certificate store e Retry Certificate Enrollment try a previous certificate enrollment again Cisco VPN Client User Guide for Windows OL 5489 01 Chapter 3 Navigating the User Interface Log Tab Right Click Menu How to Get Help W Figure 3 14 shows the right click menu options available when the Log tab is forward Figure 3 14 Log Tab Right Click Menu 2 PN Client 4 6 Rel Connection Entries Status Certificates Log Options Help 15 x Connected to Engineering Connected Time 2 day s 00 46 31 S Disable Connection Entries Certificates Log A Clear Sent a ping on the IKE SA 9782 Sent 9783 Sent 9784 Sent 9785 Sent 9786 Sent 17 39 31 961 02 26 02 ping on the IKE SA 17 39 51 990 02 26 70 ping on the IKE SA 17 40 12 019 02 26 03 ping on the IKE SA 17 40 32 048 02 26703 ping on the IKE SA 17 40 52 207 02 26703 ping on t
146. port for firewall policies pushed to the VPN Client from a VPN Concentrator Stateful Firewall Command line enable disable Stateful Firewall ICMP permission Configurable on the VPN Client IPSec Features The VPN Client supports the IPSec features listed in Table 1 5 Table 1 5 IPSec Features IPSec Feature Description Tunnel Protocol IPSec Transparent tunneling e IPSec over UDP for NAT and PAT e IPSec over TCP for NAT PAT and firewalls Key Management protocol Internet Key Exchange IKE IKE Keepalives A tool for monitoring the continued presence of a peer and reporting the VPN Client s continued presence to the peer This lets the VPN Client notify you when the peer is no longer present Another type of keepalives keeps NAT ports alive Split tunneling The ability to simultaneously direct packets over the Internet in clear text and encrypted through an IPSec tunnel The VPN device supplies a list of networks to the VPN Client for tunneled traffic You enable split tunneling and configure the network list on the VPN device VPN Client User Guide for Windows OL 5489 01 _ Chapter 1 Understanding the Cisco VPN Client VPN Client Features W Table 1 5 IPSec Features continued IPSec Feature Description Support for Split DNS The ability to direct DNS packets in clear text over the Internet to domains served through an external DNS serving your ISP or through an IPSec
147. product designation or other proprietary and or other legal notices contained in or on the Software and any accompanying documentation These legal notices must be retained on any copies of the Software and accompanying documentation made pursuant to paragraphs 2 through 4 hereof 9 You shall acquire no rights of any kind to any copyright trade secret patent trademark trade name logo or product designation contained in or relating to the Software or accompanying documentation and shall not make use thereof except as expressly authorized herein or otherwise authorized in writing by Cisco Systems Limitation Of Liabilities 10 INSTALLATION AND USE OF THE SOFTWARE IS ALSO GOVERNED BY A SEPARATE LICENSE AGREEMENT BETWEEN CISCO SYSTEMS AND THE PURCHASER OF THE CISCO SYSTEMS VPN CLIENT PRODUCT THAT SEPARATE LICENSE AGREEMENT CONTAINS A DESCRIPTION OF ALL WARRANTIES PROVIDED BY CISCO SYSTEMS FOR THE SOFTWARE CISCO SYSTEMS PROVIDES NO WARRANTIES FOR THE SOFTWARE OTHER THAN THOSE SET FORTH IN THAT AGREEMENT AND ASSUMES NO LIABILITIES WITH RESPECT TO USE OF THE SOFTWARE BY YOU OR ANY THIRD PARTY VPN Client User Guide for Windows a OL 5489 01 Appendix A Copyrights and Licenses RSA software Zone Labs Copyright C 1995 1998 RSA Data Security Inc All rights reserved This work contains proprietary information of RSA Data Security Inc Distribution is limited to authorized licensees of RSA Data Security Inc Any unauthori
148. r A notification showing the login sequence typically appears when you start your dialer connection VPN Client User Guide for Windows Chapter7 Managing the VPN Client Receiving Notifications From a VPN Device Mi Step 1 To display notifications do one of the following e Open the Status menu and click Notifications See Figure 7 13 Figure 7 13 Displaying Notifications from the Status Menu Statistics 87782 Reset Stats e While connected right click the VPN Client icon in the system tray and click Notifications Figure 7 14 shows the Notifications dialog box Figure 7 14 Displaying Notifications YPN Client Notifications x Notifications 1 Mar 10 2003 15 35 04 Connection Banner 2 Mar 10 2003 15 35 04 Connection History Message Your network administrator has placed an update of the YPN Client at the following location http wwwin cisco com Click the Launch button to open your Internet browser to this location 87770 Firewall Notifications If the VPN Client and VPN Concentrator firewall configurations do not match the VPN Concentrator notifies the VPN Client while negotiating the connection The notification includes the policy that the VPN Concentrator requires The message states that the policy required is AYT and the firewall required is any Zone Labs product Disconnect with Reason Messages In addition in Release 4 0 when a VPN 3000 Concentrator discon
149. r When you cancel the connection attempt the VPN Client displays a message requesting you to confirm the cancellation To cancel click No The Log tab or Log Window shows the event log message Connection canceled To suspend auto initiation right click the yellow lock icon in the system tray and select Suspend Auto initiation from the menu In the event log you see the message Auto initation has been suspended When suspended also in the system tray you see that the yellow lock icon is now open Figure 5 25 Open Lock Suspended Auto Initiation To resume auto initiation after suspending right click on the open yellow lock icon and select Resume Auto initiation from the menu See Figure 5 26 Figure 5 26 Resuming Auto Initiation Resume Auto initiation Disable Auto initiation Stateful Firewall Always On About YPN Client 87775 VPN Client User Guide for Windows Ea OL 5489 01 Chapter5 Connecting to a Private Network Using Automatic VPN Initiation W Auto initiation resumes This is the simplest scenario of what happens during auto initiation At various points depending on the actions you take you see messages changes in the color of the icon in the system tray and differences in choices you can make The rest of this section describes these various alternatives Disconnecting Your Session To disconnect your session either double click the lock icon in the system tray an
150. r your PIN Figure 5 12 New PIN Received 2 YPN Client User Authentication for Sdi5Group PIN 5147 Please remember your new PIN then press Return to continue Username JkepfobO51 7 Cisco Systems 87715 To continue click OK SecurlD Next Cardcode Mode Sometimes SecurID authentication prompts you to enter the next cardcode from your token card as in Figure 5 13 SecurID displays this prompt either to resynchronize the token card with the RSA server or because it noticed several unsuccessful attempts to authenticate with this username The SecurID Next Cardcode Mode window might appear See Figure 5 13 I OL 5489 01 VPN Client User Guide for Windows Chapter5 Connecting to a Private Network HI Connecting with Digital Certificates Figure 5 13 Entering the Passcode for SecurlD Next Card YPN Client User Authentication for Sdi5Group Enter Next PASSCODE Cisco Systems Username keyfob0617 Tokencode 87716 In the Passcode field enter the next code from your token card This field requires only a cardcode Do not include your PIN as part of the passcode Now continue to Viewing Connection Information Connecting with Digital Certificates Note Before you create a connection entry using a digital certificate you must have already enrolled in a Public Key Infrastructure PKI have received approval from the Certificate Authority CA and have one or more
151. re minor update 7 21 automatic installation of root certificate 2 7 Automatic VPN Initiation option 7 6 autoupdating VPN Client software 7 20 AYT Are You There firewall policy 5 25 AYT firewall policy 5 25 5 26 backup servers adding 4 9 disabling 4 11 enabling 4 9 removing 4 10 Baltimore Technologies 5 10 base 64 encoded file type 6 6 binary encoded file type 6 6 browser proxy configuration 1 5 Cc cable connection 1 2 modem 1 2 5 3 CA certificates 6 3 Centralized Protection Policy CPP firewall policy 5 25 Centralized Protection Policy see CPP firewall policy certificate changing password 6 13 completing enrollment form 6 3 connecting 5 10 deleting 6 13 enrollment file types 6 6 PKI 5 10 with CA 6 3 Entrust 4 5 expiring 5 10 exporting 6 14 importing 6 10 managing 6 8 name 4 2 4 4 5 1 peer 1 5 stores 6 2 verifying 6 12 viewing 6 9 Certificate Authorities CA CA certificates tab 6 3 certificate 2 2 supported 5 10 Certificate Manager overview 6 1 changing certificate password 6 13 password on an enrollment request 6 17 Cisco certificate store 6 2 classes that generate events 7 12 clearing events display 7 14 Client Server policy firewalls 5 25 5 29 Client IP address in connection status 5 22 closing the VPN Client 5 30 common name in certificate enrollment 6 4 company in certificate enrollment 6 4 completing an enrollment request 6 18 compression algorithm LZS c
152. re from your computer For example if you are changing or upgrading your PC you might want to uninstall the VPN Client Also if you are getting ready to install Cisco VPN Client 4 0 using Microsoft Windows Installer MSI you can run the Uninstall application to remove previous versions of the Cisco VPN Client Do not attempt to uninstall or upgrade the VPN Client software from a mapped network drive Before you run the uninstall program make sure you have closed all of your remote access Dial Up Networking connections and all VPN Client applications Then use the following procedure See Figure 7 17 VPN Client User Guide for Windows 7 18 E ose or _ Chapter 7 Managing the VPN Client Upgrading VPN Client Software W Note Step 1 Step 2 Step 3 If you installed the VPN Client via the Microsoft Windows Installer the Cisco Systems VPN Client menu does not include the Uninstall VPN Client option Remove a previous version with Add Remove Software Choose Start gt Programs gt Cisco Systems VPN Client gt Uninstall VPN Client Figure 7 17 Running the Uninstall Program Fa Quadralay r E Help B vnc gt amp Set MTU Sametime Connect Uninstall YPN Client 87783 eee Chena YPN Client The Uninstall Wizard runs and asks if you want to really want to remove the VPN Client applications See Figure 7 18 Figure 7 18 Confirming Uninstall Question Q Are you sure you want to
153. red on the secure gateway The default port number is 10000 Allowing Local LAN Access Step 1 Step 2 In a multiple NIC configuration Local LAN access pertains only to network traffic on the interface on which the tunnel was established The Allow Local LAN Access parameter gives you access to the resources on your local LAN printer fax shared files other systems when you are connected through a secure gateway to a central site VPN device When this parameter is enabled and your central site is configured to permit it you can access local resources while connected When this parameter is disabled all traffic from your Client system goes through the IPSec connection to the secure gateway To enable this feature check Allow Local LAN Access to disable it uncheck the check box If the local LAN you are using is not secure you should disable this feature For example you would disable this feature when you are using a local LAN in a hotel or airport A network administrator at the central site configures a list of networks at the Client side that you can access You can access up to 10 networks when this feature is enabled When Allow Local LAN Access is enabled and you are connected to a central site all traffic from your system goes through the IPSec tunnel except traffic to the networks excluded from doing so in the network list When this feature is enabled and configured on the VPN Client and permitted on the central site VP
154. rent enrollment select the certificate being enrolled and do one of the Following Choose Retry from the Certificates menu OR Right click the selected certificate and choose Retry 87737 While you are waiting for the CA to issue the certificate your request appears in the certificates list under the Certificates tab as a request The store column shows Request When the CA issues your certificate choose the certificate and then choose Retry Certificate Enrollment from the Certificates menu to complete the enrollment See Figure 6 5 Figure 6 5 Retrying Enrollment Request View Import Export Enroll Verify Delete Change Certificate Password Retry Certificate Enrollment Show CA RA Certificates 87776 After you have obtained the certificate you see a message that your enrollment succeeded Figure 6 6 01 5489 01 VPN Client User Guide for Windows Chapter6 Enrolling and Managing Certificates W Enrolling for a Certificate Figure 6 6 Enrollment Request Succeeded Message PN Client x A Certificate enrollment completed sucessfully 87740 Enrolling Through a File Request Alternatively you can enroll by creating a file using much the same form as for online enrollment See Figure 6 3 Once you have created a request file you can either e mail it to the CA and receive a certificate back or you can access the CA
155. rnative location when prompted to do so When the installation has completed the installer displays a confirmation dialog box Step6 Click Finish MSI prompts you to restart your system Step7 Click Yes to restart your system Note If you have not removed a previously installed VPN Client when you execute the vpnclient_en exe command or vpnclien_en msi an error message displays See Figure 2 3 You must uninstall the previously installed VPN Client before proceeding with the new installation To remove a VPN Client installed with the MSI installer use the Windows Add Remove Programs control panel To remove a VPN Client installed with InstallShield select Uninstall Client on the Programs gt VPN Client gt Uninstall Client menu sequence Figure 2 3 Uninstall Error Message i Installer Information x Error 28000 Before installing the Cisco Systems YPN Client 4 0 Beta_4 you must uninstall the previous version of Cisco Systems YPN Client using the Add Remove Program Files option in the Control Panel Then restart your system 87843 I OL 5489 01 VPN Client User Guide for Windows Chapter2 Installing the VPN Client W Installing the VPN Client Through Microsoft Windows Installer Removing a VPN Client Version Installed with MSI Installer Step 1 Step 2 Step 3 Step 4 To uninstall a VPN Client version that was installed with the MSI installer follow these steps Double click the Add
156. rom the Windows Control Panel Step2 Install the VPN Client using the MSI installer vpnclient_en msi Step3 Reboot your PC VPN Client User Guide for Windows P76 OL 5489 01 Chapter 7 Managing the VPN Client Upgrading VPN Client Software W Upgrading the VPN Client Software Using InstallShield Step 1 Step 2 Upgrading the VPN Client software using this method retains existing connection entries and their parameters To install an upgrade of the VPN Client over an existing version on your system use the following procedure which first uninstalls the existing version and then reboots your PC and installs the new version To begin the procedure follow the instructions in the Installing the VPN Client Through InstallShield Iin Chapter 2 When it starts the installation wizard detects the existing version and asks you to confirm that you want to remove that version and reboot your PC See Figure 7 15 Figure 7 15 Uninstalling an Existing Version Question Q Setup has detected an existing version of the Cisco Systems Inc YPN Client Before installing a new version setup must uninstall the existing version If you choose to continue setup will uninstall the existing version of the Cisco Systems Inc YPN Client and then reboot your PC After your PC reboots the Cisco Systems Inc YPN Client installation will continue Do you wish to continue 60829 To continue click Yes The install
157. rs from 0 to 65535 No commas or spaces are permitted in a number Obtaining Documentation These sections explain how to obtain documentation from Cisco Systems World Wide Web You can access the most current Cisco documentation on the World Wide Web at this URL http www cisco com Translated documentation is available at this URL http www cisco com public countries_languages shtml Documentation CD ROM Cisco documentation and additional literature are available in a Cisco Documentation CD ROM package which is shipped with your product The Documentation CD ROM is updated monthly and may be more current than printed documentation The CD ROM package is available as a single unit or through an annual subscription Ordering Documentation You can order Cisco documentation in these ways e Registered Cisco com users Cisco direct customers can order Cisco product documentation from the Networking Products MarketPlace http www cisco com cgi bin order order_root pl e Registered Cisco com users can order the Documentation CD ROM through the online Subscription Store http www cisco com go subscription e Nonregistered Cisco com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters California U S A at 408 526 7208 or elsewhere in North America by calling 800 553 NETS 6387 VPN Client User Guide for Windows I oL 5489 01 a xii Preface
158. rtificates Figure 3 9 Enrolling and Managing Certificates VPN Client 4 6 Rel lolx Connection Entries Status Certificates Log Options Help Connection Entries Certi Expat Enroll Connection Enty Transport verify Delete A a View Cisco Systems aod Import Connect New Change Certificate Password Retry Certificate Enrollment Show CA RA Certificates Not connected 4 87771 View Display the properties of the selected certificate Import Bring in a certificate file from a specified file location Export Send the selected certificate to a specified file location Enroll Sign up with a Certificate Authority CA to obtain a certificate Verify Make sure that a certificate is still valid Delete Remove the selected certificate Change Certificate Password Update the password that protects the selected certificate in the VPN Client certificate store Retry Certificate Enrollment Try a previously attempted certificate enrollment again Show CA RA Certificates Display digital certificates issued by either a Certificate Authority CA or a Registration Authority RA Cisco VPN Client User Guide for Windows OL 5489 01 Chapter3 Navigating the User Interface VPN Client Window Advanced Mode W Log Menu Use the Log menu Figure 3 10 to manage the log Figure 3 10 Managing the IPSec Log YPN Cli
159. s Connect depends on the level of private key protection on your certificate If your certificate is password protected you are prompted to enter the password Note Because each certificate is associated with a connection profile you can create different connection profiles with different certificates VPN Client User Guide for Windows u OL 5489 01 Chapter 5 Connecting to a Private Network Connecting with Digital Certificates Hi Connecting with an Entrust Certificate This section provides important information about what to expect when connecting with an Entrust certificate under certain conditions Accessing Your Profile Step 1 Step 2 If you are not already logged in you must log in to Entrust Entelligence to access your Entrust Entelligence certificate profile using the following procedure After you choose Connect on the VPN Client main window the Entrust logon window appears See Figure 5 14 Figure 5 14 Logging in to Entrust Entrust Login Entrust Copyright 1994 2000 Entrust Technologies Limited All rights reserved Profile name wbrownS Browse JV Work offline OK Cancel Help 60743 Choose a profile name from the pull down menu Your network administrator has previously configured one or more profiles for you through Entrust Entelligence If the software is installed on your system but there are no profiles available then you need to get a pro
160. s Integrity Client e User ID In the format xx IP address of the VPN Concentrator group name and user name Where xx can be un or dn un The gateway based ID is based on the group and user name dn The gateway based ID is based on the distinguished name as is the case when using digital certificates The User ID is used to initialize the firewall client e Session ID The session ID of the connection between all of the entities This is used to initialize the firewall client and is helpful for troubleshooting e Servers The IP address and port number of each firewall server VPN Client User Guide for Windows oL 5489 01 E 52o Chapter5 Connecting to a Private Network WE Disconnecting your VPN Client Connection Resetting Statistics To reset all connection statistics to zero click Reset There is no undo Reset affects only the connection statistics not the other sections of this window Disconnecting your VPN Client Connection To disconnect your PC from the private network do one of the following e From the Connection Entries menu on the VPN Client s main window select Disconnect See Figure 5 1 e Right click the yellow lock icon in the system tray Click Disconnect on the menu Your IPSec session ends but the VPN Client does not automatically close You must manually disconnect your dial up networking connection DUN Closing the VPN Client To close the VPN Client when it is ru
161. s Web site and cut and paste the enrollment request in the area that the CA provides To enroll through a file request use the following procedure Step 1 On the Certificate Enrollment dialog box see Figure 6 7 click File as the certificate type Figure 6 7 Enrolling a Certificate Using a File Request YPN Client Certificate Enrollment x Choose a certificate enrollment type C Online Certificate Authority kew xf CA URL E CA Domain B Challenge Password R File encoding Base 64 x Filename New Password 87735 Step2 Click one of the following file types e Binary encoded A base 2 PKCS10 file Public Key Cryptography Standard for example an X 509 DER file You cannot display a binary encoded file e Base 64 encoded An ASCII encoded PKCS10 file that you can display in text format for example the request shown in Figure 6 8 Choose this type when you want to cut and paste the text into the CA Web site VPN Client User Guide for Windows lt ol 5489 01 Chapter6 Enrolling and Managing Certificates Enrolling for a Certificate Hi Figure 6 8 A PKCS10 Certificate File E cert cec txt Notepad File Edit Search Help BEGIN NEW CERTIFICATE REQUEST MIIBzjCCATCCAQAWR j ELMAKGA1UEBHNCUUNxCZAJBgNUBAgTAK1BMRMWwEQYDUQQK EwpGb3UuZGF GaW9uhRUwEwYDUQQLEwxGdWSkIF JhaxXNpbmcwg28wDQY JKo2 ThucN AQEBBQADgY GANI GJAOGBAKxCHeWAwi j mKWiLAOQUHIUUWL8x2iUu5 I frrorRSx36 bcASCthHUSQLQuT
162. s for the selected connection entry Figure 3 4 e If the Certificates tab is forward the View Import Export Enroll Verify and Delete buttons control operations for the selected certificate Figure 3 5 Figure 3 5 Toolbar Buttons Certificates Tab fi gt P Cisco SYSTEMS ES 7 G A View Import Export Enroll Verif Delete e Ifthe Log tab is forward the Disable Clear Log Settings and Log Window buttons control the logging operations Figure 3 6 Figure 3 6 Toolbar Buttons Log Tab Disable Clear Log Settings Log Window Cisco Systems 87849 Main Tabs Advanced Mode This section describes the main tabs for managing the VPN Client Figure 3 4 The main tabs are e Connection Entries tab Displays the list of current connection entries the host which is the VPN device each connection entry uses to gain access to the private network and the transport properties that are set for each connection entry Refer to Configuring and Managing Connection Entries for details on the Connection Entries tab e Certificates tab Displays the list of certificates in the VPN Client certificate store Use this tab to manage certificates Refer to Enrolling and Managing Certificates for more details on the Certificates tab e Log tab Displays event messages from all processes that contribute to the client peer connection enabling logging clearing the event log viewing the event log in an extern
163. se the number of seconds to wait before the VPN Client decides that the peer is no longer active The default number of seconds to wait before terminating a connection is 90 seconds The minimum number of seconds you can configure is 30 seconds and the maximum is 480 seconds To adjust the setting enter the number of seconds in the Peer response timeout field The VPN Client continues to send DPD requests every 5 seconds until it reaches the number of seconds specified by the Peer response timeout value Enabling and Adding Backup Servers The private network may include one or more backup VPN servers to use if the primary server is not available Your system administrator tells you whether to enable backup servers Information on backup servers can download automatically from the VPN Concentrator or you can manually enter this information To enable backup servers from the VPN Client use the following procedure OL 5489 01 VPN Client User Guide for Windows E Chapter4 Configuring and Managing Connection Entries W Enabling and Adding Backup Servers Step 1 Open the Backup Servers tab Figure 4 6 Step2 Check Enable Backup Server s This is not checked by default Step3 Click Add to enter a backup server s address Figure 4 6 Adding Backup Server Information PN Client Create New YPN Connection Entry i xj Connection Entry JEngineering Description Connection to Engineering Server E4 Host ServerBosto
164. t s identity certificate since it has received the chain of certificates installed on the VPN Client PC This feature provides flexibility since the intermediate CA certificates don t need to be actually installed on the peer gt Note Certificate chains are not supported for Entrust Entelligence Therefore the Send CA Certificate Chain checkbox on the Authentication Tab is unchecked and disabled when you select Entelligence Certificate Validating a Certificate Optionally you might want to verify that the certificate you are using is still valid using the following procedure Step 1 Select the certificate in the list of certificates underneath the Certificates tab Step2 Display the Certificates menu or right click on the certificate name and choose Verify The VPN Client displays a message to let you know whether the certificate is valid Configuring an Entrust Certificate for Authentication If you have an Entrust Entelligence certificate enrolled the menu includes the entry Entelligence Certificate Entrust An Entrust Entelligence certificate is stored in a Profile which you obtain when you log in to Entrust Entelligence Choose Entelligence Certificate Entrust from the menu VPN Client User Guide for Windows oL 5489 01 E Chapter4 Configuring and Managing Connection Entries E Configuring Microsoft Network Access Windows 98 and Windows ME For more information about connecting with Entrus
165. t Entelligence see Connecting with an Entrust Certificate Configuring a Connection Entry for a Smart Card If you are using a smart card or electronic token to authenticate a connection create a connection entry that defines the certificate provided by the smart card For example if you are using ActivCard Gold an accompanying certificate is in the Microsoft Certificate Store When you create a new connection entry for using the smart card choose that certificate Smart Cards Supported The VPN Client supports authentication with digital certificates through a smart card or an electronic token There are several vendors that provide smart cards and tokens including the following Vendor Software and Version Card Token Tested Vendor Web site GemPLUS GemSAFE Workstation 2 0 or later GEM195 www gemplus com Activcard Activcard Gold version 2 0 1 or later Palmera 32K www activcard com Aladdin eToken Runtime Environment RTE PRO and R2 tokens www ealaddin com version 2 6 or later The VPN Client works only with smart cards and tokens that support CRYPT_NOHASHOID Configuring Microsoft Network Access Windows 98 and Windows ME The Logon to Microsoft Network parameter registers your PC on the private Microsoft network and lets you browse and use network resources after the VPN Client establishes a secure connection This parameter is enabled by default To disable this parameter uncheck the check box
166. tem tray on the Windows task bar See Figure 5 4 Figure 5 4 Dial Up Networking Task Bar Icon Authenticating to Connect to the Private Network This section assumes you are connected to the Internet If you connect using Dial Up Networking verify that its icon is visible in the Windows task bar system tray See Figure 5 4 If not your Dial Up Networking connection is not active and you must establish it before continuing If you did not do so earlier click Connect on the VPN Client s main window See Figure 5 1 or Figure 5 2 VPN Client User Guide for Windows a OL 5489 01 Chapter5 Connecting to a Private Network Authenticating to Connect to the Private Network Hl The VPN Client starts tunnel negotiation and displays the status in the Status area bottom left of the window The next phase in tunnel negotiation is user authentication User authentication means proving that you are a valid user of this private network User authentication is optional Your administrator determines whether it is required The VPN Client displays a user authentication window that differs according to the authentication that your IPSec group uses Your system administrator tells you which method to use To continue refer to your entries in Gathering Information You Need and go to the appropriate authentication section that follows Authenticating Through the VPN Device Internal Server or RADIUS Server To display the user
167. tems products and for no other use Restrictions on Use and Transfer 3 You may also make one copy of the Software solely for backup or archival purposes To this end you may transfer the Software to a single set of disks provided you keep the disks solely for backup or archival purposes You may not use the backup or archival copy of the Software except in conjunction with Cisco Systems products I OL 5489 01 VPN Client User Guide for Windows Appendix A Copyrights and Licenses 4 You may copy and distribute the Software to your third party business partners and customers solely and exclusively for the purposes of accessing your Cisco VPN concentrators and thereby gaining remote access to your secure network Each such distribution of the Software to a third party must be accompanied by a copy of this Client Software License Agreement You may not copy or transfer the Software for any purpose other than as specified in this Agreement without the express written consent of Cisco Without intending to limit the foregoing you shall not post or otherwise make publicly available the Software to any external web site file server or other location to which there is unrestricted access 5 Cisco Systems will not provide end user support including Technical Assistance or TAC support to any third party that receives the Software in accordance with Section 4 hereof You shall be responsible for providing all support to each such third
168. th somescompany com 54038 47203DDEC45F8F 301 945985BECC F88E9226FDB8974C5D 2E5E 872C0D 703760002770 1024 e smith somescompany com cn Joe Smith ou Marketing o S ome Company st Massachusetts c US e jsmith somescompany com cn Joe Smith ou Marketing o S ome Company st Massachusetts c US 1E70B8145582C7E 304F0B COA24F1A33E Wed Mar 19 16 58 53 2003 Fri Apr 18 17 58 53 2003 Change Password E VPN Client User Guide for Windows 01 5489 01 Chapter6 Enrolling and Managing Certificates Managing Enrollment Requests Hil Note that the Issuer field shows the subject name and not the name of the CA since the CA has not yet issued the certificate You can change the certificate request password from this screen Deleting an Enrollment Request To delete an enrollment request follow these steps Step 1 Select the enrollment request display the Certificates menu and choose Delete The VPN Client prompts you for a password Step2 Type the password in the Password field if there is one and click OK The VPN Client verifies the password If the password is correct the VPN Client deletes the request Changing the Password on an Enrollment Request To change the certificate password on an enrollment request use this procedure Step 1 Select the certificate request in the list under the Certificates tab Step2 Display the Certificates menu and choose Change Certificate Password The VPN Client displays the Certific
169. the Certificates menu e Right click the selected certificate on the Certificates tab and choose Retry from the menu that appears Figure 6 24 Figure 6 24 Right Click Certificate Menu Export Verify Delete Change Certificate Password 87745 Retry Certificate Enrollment Click OK to close the dialog box VPN Client User Guide for Windows Peis ol 5489 01 amp CHAPTER 7 Managing the VPN Client This chapter explains the tasks you can perform to manage connection entries view and manage event reporting and upgrade or uninstall the VPN Client software This chapter includes the following sections e Enabling Stateful Firewall Always On e Launching an Application e Managing Windows NT Logon Properties e Viewing and Managing the VPN Client Event Log e Receiving Notifications From a VPN Device e Upgrading the VPN Client Software Using InstallShield e Uninstalling the VPN Client with the Uninstall Application e Updating the VPN Client Software Automatically Windows 2000 and Windows XP Systems To configure properties of connection entries see Configuring and Managing Connection Entries Note Note If you are a system administrator refer to the VPN Client Administrator Guide for information on configuring the VPN 3000 Concentrator and preparing preconfigured profiles for VPN Client users The VPN Client displays Windows Logon Properties only on Windows NT Windows
170. the Certificates menu and choose Delete or click the Delete icon in the toolbar above the Certificates tab If the certificate has a password the VPN Client prompts you to enter it In the Password field type the password given to the certificate during enrollment and click OK The VPN Client asks you to confirm that you want to delete this certificate Figure 6 16 To delete the certificate click Delete To cancel the deletion click Do Not Delete the default Figure 6 16 Confirming Certificate Deletion PN Client x AN 4re you sure you want to delete the certificate Joe Smith Delete 87734 Changing the Password on a Personal Certificate Step 1 To change the password on a personal certificate use this procedure Select a certificate from the certificate store under the Certificates tab 01 5489 01 VPN Client User Guide for Windows E Chapter6 Enrolling and Managing Certificates W Enrolling for a Certificate Step 2 Step 3 Step 4 Step 5 Display the Certificates menu and choose Change Certificate Password The VPN Client displays the Change Certificate Password dialog box In the Current field type the password you are currently using to protect your private key In the New field type the new password In the Confirm field type the same password again Click OK The VPN Client confirms that you have successfully changed your password Figure 6 17 Figure 6 17 Certificate
171. the User Password field and click OK Figure 5 18 eToken Prompt A eTCAPI Select an eToken x eToken Type eToken AKS ifdh 0 Card0S M4 Go User Password Login to your eToken to enable using creating your private key 67524 Note If your smart card or token is not inserted the authentication program displays an error message If this occurs insert your smart card or token and try again Completing the Private Network Connection After completing the user authentication phase the VPN Client continues negotiating security parameters and displays a window The connection entry display now indicates which connection entry is active In Figure 5 19 a yellow lock icon indicates the Engineering connection entry is active and the VPN Client User Guide for Windows OL 5489 01 Chapter 5 Connecting to a Private Network Using Automatic VPN Initiation Tl status line shows Connected to Engineering Clicking the down arrow icon at the lower right corner of the status line toggles a statistics display to show in turn the connect time bytes in and out and the IP address Figure 5 19 Completing the Private Network Connection VPN Client 4 6 Rel 0 x Connection Entries Status Certificates Log Options Help P KAE z Cisco Systems Sel rr Disconnect New Import Modify Delete Connection Entries Certificates Log __ Connection Enty _ Host Transpo Beta_132 Test
172. tion Entry If you have a default connection entry also known as default profile configured the VPN Client opens the default connection entry when you launch it To make one of your connection entries the default connection entry use the following procedure Step 1 Select a connection entry in the list underneath the Connection Entries tab Step2 Display the Connection Entries menu or right click the connection entry name and choose Set as Default Connection Entry VPN Client User Guide for Windows Ca OL 5489 01 Chapter4 Configuring and Managing Connection Entries Creating a Shortcut fora Connection Entry W The default connection entry appears as bold in the list of connection entries Creating a Shortcut for a Connection Entry To create a shortcut to a connection entry to appear on your desktop use the following procedure Step 1 Select a connection entry in the list underneath the Connection Entries tab Step2 Display the Connection Entries menu or right click the connection entry name and choose Create Shortcut The VPN Client places the shortcut on your desktop Duplicating a Connection Entry You can duplicate an existing connection entry to serve as the basis of a new connection entry To make a duplicate connection entry use the following procedure Step 1 Select a connection entry in the list underneath the Connection Entries tab Step2 Display the Connection Entries menu or right click the connection
173. ts Verify that your computer meets these requirements e A single Pentium class processor e One of the following operating systems Microsoft Windows 98 or Windows 98 second edition Windows ME Windows NT 4 0 with Service Pack 6 or higher Windows 2000 Windows XP VPN Client User Guide for Windows oL 5489 01 EN Chapter2 Installing the VPN Client HZ Gathering Information You Need Microsoft TCP IP installed Confirm via Start gt Settings gt Control Panel gt Network gt Protocols or Configuration 50 MB hard disk space RAM 32 MB for Windows 98 64 MB for Windows NT and Windows ME 64 MB for Windows 2000 128 MB recommended 128 MB for Windows XP 256 MB recommended To install the VPN Client CD ROM drive 3 5 inch high density diskette drive Administrator privileges if installing on Windows NT or Windows 2000 To use the VPN Client Direct network connection cable or DSL modem and network adapter interface card Internal or external modem To connect using a digital certificate for authentication A digital certificate signed by one of the following Certificate Authorities CAs installed on your PC Baltimore Technologies www baltimoretechnologies com Entrust Technologies www entrust com Microsoft Certificate Services Windows 2000 Netscape Security Verisign Inc www verisign com Ora digital certificate stored on a smart card the VPN Cl
174. ts MSI 2 4 data xii process 2 1 interface card for network 2 2 internal server authentication 5 5 O1 5489 01 VPN Client User Guide for Windows W index internet connecting via Dial Up Networking Internet Key Management protocol see IKE Internet Protocol Security see IPSec IOS platform devices supported x IP address certificate enrollment 6 4 server 5 22 VPN device 4 3 IPSec attributes 1 7 features 1 6 over TCP 4 8 over UDP 4 8 protocol 1 2 transparent tunneling connection status 5 23 ISDN connection technology 1 2 modem 5 3 ISP password 5 4 username 5 4 4 11 5 4 K keepalives 1 6 L LAN connection 1 2 launching an application 7 2 7 5 licenses and copyrights 1 local LAN access 1 3 4 8 connection status 5 24 log display clearing 7 14 log file saving 7 13 searching 7 13 log settings filtering events 7 11 logging levels 7 11 LZS compression 5 23 main mode 1 7 maintenance dialog MSI 2 6 main VPN Client window 3 4 managing auto initiation 7 6 certificates 6 1 6 8 enrollment request 6 15 event log 7 7 matching firewall configurations 7 15 menu connection entries 3 6 main 3 6 Microsoft Certificate Services 5 10 certificate store 6 2 Windows 2000 5 10 Windows Installer MSI installing VPN Client 2 4 mode aggressive 1 7 authentication 1 7 configuration 1 7 tunnel encapsulation 1 8 modems cable 1 2 5 3 dial up 1 2 E VPN Client User Guide for Windows OL
175. tworking skip to Authenticating to Connect to the Private Network VPN Client User Guide for Windows oL 5489 01 m53 Chapter5 Connecting to a Private Network HZ Using the VPN Client to Connect to the Internet via Dial Up Networking Using the VPN Client to Connect to the Internet via Dial Up Networking This section describes how to connect to the Internet via Dial Up Networking by running only the VPN Client Your connection entry must be configured with Connect to the Internet via Dial Up Networking enabled see Configuring and Managing Connection Entries Step 1 Click Connect on the VPN Client s main window See Figure 5 1 and Figure 5 2 If your credentials are not stored in the RAS database the Dial up Networking User Information dialog box appears See Figure 5 3 This dialog box varies depending on the version of Windows you are using Figure 5 3 Entering User Information 2x PN Client User Authentication for Engineering Enter Username and Password Cisco Systems Gina Username pate Password e e e 87721 Step2 Enter your username and password to access your ISP These entries may be case sensitive depending on your ISP The Password field displays only asterisks Step3 Click OK When the ISP connection is established the status line on the Connection window changes to show that the status is connected and a Dial Up Networking icon appears in the sys
176. u want to create your own PIN See Figure 5 9 Figure 5 9 SecurlD New PIN Request YPN Client User Authentication for Sdi5Group Do you want to enter your own pin y or n n Cisco SYSTEMS Response l cen 87712 Enter your response y for yes or n for no No is the default response Then click OK What happens next depends on your response e Ifyou responded yes Enter your new PIN in the New PIN field and enter it again in the Confirm PIN field Click OK See Figure 5 10 VPN Client User Guide for Windows a OL 5489 01 Chapter 5 Connecting to a Private Network Step 2 Step 3 Authenticating to Connect to the Private Network W Figure 5 10 Entering a New PIN Yourself YPN Client User Authentication for Sdi5Group Enter your new Access PIN containing 4 to 8 digits or x to cancel the new PIN procedure Cisco Systems New PIN oao Confirm PIN 87713 e Ifyou responded no the authentication program asks if you will accept a system generated PIN See Figure 5 11 Figure 5 11 Accepting a PIN from the System 2 YPN Client User Authentication for Sdi5Group ARE YOU PREPARED TO ACCEPT A SYSTEM GENERATED PIN y or n n Cisco SYSTEMS Response l E 87714 To receive a PIN you must respond y for yes and then click OK When you do the authentication program generates a PIN for you and displays it See Figure 5 12 Be sure to remembe
177. ures IKE for establishing secure connections and manages connection states VPN Client User Guide for Windows za OL 5489 01 Chapter 7 Managing the VPN Client Viewing and Managing the VPN Client Event Log W Table 7 3 Classes That Generate Events in the VPN Client continued Class Name Definition CVPND Cisco VPN Daemon main daemon which initializes client service and controls messaging process and flow GUI Windows only component which handles configuring a profile initiating a connection and monitoring it FIREWALL __ Firewall component which generates events related to connections through a firewall IKE Internet Key Exchange IKE module which manages secure associations IPSEC IPSec module which obtains network traffic and applies IPSec rules to it PPP Point to Point Protocol XAUTH Extended authorization application which validates a remote user s credentials If you change the log filter levels the change takes effect immediately for the events shown in both the Log Window and the Log tab but while this change clears the events display on the Log tab it does not clear the events in the log file Searching the Log File You can search the log file for the occurrence of a string of characters From the Log menu select Search Log This displays a dialog box Figure 7 11 into which you enter the exact string to be matched Figure 7 11 Log Search Dialog Box
178. use transparent tunneling the central site group in the Cisco VPN device must be configured to support it For an example refer to the VPN 3000 Concentrator Manager Configuration User Management Groups IPSec tab refer to VPN 3000 Series Concentrator Reference Volume 1 Configuration or Help in the VPN 3000 Concentrator Manager browser This parameter is enabled by default To disable this parameter uncheck the check box We recommend that you always keep this parameter checked OL 5489 01 VPN Client User Guide for Windows E Chapter4 Configuring and Managing Connection Entries WE Configuring Transparent Tunneling Then choose a mode of transparent tunneling over UDP or over TCP The mode you use must match that used by the secure gateway to which you are connecting Either mode operates properly through a PAT device Multiple simultaneous connections might work better with TCP and if you are in an extranet environment then in general TCP mode is preferable UDP does not operate with stateful firewalls so in this case you should use TCP Using IPSec over UDP NAT PAT To enable IPSec over UDP NAT PAT click the radio button With UDP the port number is negotiated UDP is the default mode Using IPSec over TCP NAT PAT Firewall To enable IPSec over TCP click the radio button When using TCP you must also enter the port number for TCP in the TCP port field This port number must match the port number configu
179. wall Series Version 6 2 or later Interface supported e Graphical user interface e Command line interface Local LAN access The ability to access resources on a local LAN while connected through a secure gateway to a central site VPN server if the central site grants permission Automatic VPN Client configuration option The ability to import a configuration file Event logging The VPN Client log collects events for viewing and analysis NAT Transparency NAT T Enables the VPN Client and the VPN device to automatically detect when to use IPSec over UDP to work properly in Port Address Translation PAT environments Update of centrally controlled backup server list The VPN Client learns the backup VPN server list when the connection is established This feature is configured on the VPN device and pushed to the VPN Client The backup servers for each connection entry are listed on the Backup Servers tab Set MTU size The VPN Client automatically sets a maximum transmission unit MTU size that is optimal for your environment However you can also set the MTU size manually For information on adjusting the MTU size see the VPN Client Administrator Guide I OL 5489 01 VPN Client User Guide for Windows Chapter1 Understanding the Cisco VPN Client HI VPN Client Features Table 1 2 Program Features continued Program Feature Description Support for Dynamic DNS
180. word option 5 5 ESP protocol transparent tunneling 4 7 traffic stateful firewall always on 7 2 etoken connecting with 5 13 events classes 7 12 setting logging levels 7 11 severity levels 7 12 viewing and managing 7 7 exiting the VPN Client 5 30 exporting a certificate 6 14 extended authentication 1 7 E VPN Client User Guide for Windows OL 5489 01 F F1 key displaying help 3 13 features IPSec 1 6 program 1 3 VPN Client 1 2 file types for certificate enrollment 6 6 filtering events 7 11 firewalls 5 27 firewalls 5 28 AYT policy 5 25 AYT tab 5 26 Client Server policy 5 25 5 29 configured on concentrator 5 25 CPP 5 25 CPP firewall policy 5 27 filtering 5 27 ICMP protocol 5 28 listed on Firewall tab 5 25 matching 7 15 notifications 7 15 policies 5 25 policy listed 5 25 rules 5 27 stateful 7 1 status 5 26 status screen 5 25 tab on status screen 5 25 TCP protocol 5 28 UDP protocol 5 28 Index W G generating events classes 7 12 hard disk space requirement 2 2 help displaying 3 13 Fl key 3 13 from program menu 3 13 hostname VPN device 4 3 IANA protocol numbers 5 28 ICMP protocol firewalls 5 28 icons Dial Up Networking 5 4 VPN Client viewing when connected 5 15 IKE keepalives 1 6 IKE protocol 1 2 importing certificate file 6 10 inactivity timeout Entrust 5 11 installing media requirements 2 2 installing VPN Client InstallShield 2 3 forma
181. zed reproduction or distribution of this document is strictly prohibited BSAFE is a trademark of RSA Data Security Inc The RSA Public Key Cryptosystem is protected by U S Patent 4 405 829 Copyright c 1999 2000 2001 Zone Labs Inc All rights reserved Zone Labs ZoneAlarm ZoneAlarm Pro TrueVector and Zone Labs Integrity are trademarks of Zone Labs Inc The Software is Zone Labs proprietary information No license is granted to the source code of the Software No part of this publication may be reproduced distributed or transmitted in any form or by any means electronic or mechanical for any purpose without the express written permission of Zone Labs Inc THE SOFTWARE IS PROVIDED BY ZONE LABS AS IS WITHOUT WARRANTY OF ANY KIND ZONE LABS DISCLAIMS ANY AND ALL WARRANTIES WHETHER EXPRESS IMPLIED OR STATUTORY INCLUDING BUT WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ZONE LABS SHALL NOT BE LIABLE FOR DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY COVER RELIANCE OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF PROFITS LOSS OF DATA OR USE OR BUSINESS INTERRUPTION ARISING FROM ANY CAUSE ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THE SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE I
Download Pdf Manuals
Related Search