Cisco Systems VPN 3002 User's Manual
Contents
1. See the appropriate chapter in this manual for each section of the Manager. Online help is available for all sections. (VPN 3002 Hardware Client Reference, OL-1893-01, Chapter 2, Configuration.) Chapter 3, Interfaces: This section of the VPN 3002 Hardware Client Manager applies functions that are interface-specific rather than system-wide. You configure two network interfaces for the VPN 3002 to operate as a VPN device: the private interface and the public interface. If you used Quick Configuration as described in the VPN 3002 Hardware Client Getting Started manual, the system supplied many default parameters for the interfaces; here you can configure them explicitly. The VPN 3002 includes some IP routing functions: static routes, DHCP, and PPPoE. You configure static routes, the default gateway, and DHCP in the IP Routing section (see the Configuration | System | IP Routing screens). PPPoE requires no further configuration than supplying a username and password in the Public Interface parameter. Interfaces: This section lets you configure the private and public interfaces. Private is the interface to your private network (internal LAN). Public is the interface to the public network. Configuring an Ethernet interface includes supplying an IP address and subnet mask, and setting speed an
2. (Chapter 12, Administration; Administration | Ping.) Reboot ignoring the Configuration file: Reboot using all the factory defaults; that is, start the system as if it had no CONFIG file. You will need to go through all the Quick Configuration steps described in the VPN 3002 Getting Started manual, including setting the system date and time and supplying an IP address for the Ethernet 1 (private) interface, using the system console. This option does not destroy any existing CONFIG file, and it does not reset Administrator parameter settings. When to Reboot/Shutdown: Click a radio button to select when to reboot or shutdown. You can select only one option. Now: Reboot or shutdown as soon as you click Apply. This is the default selection. Delayed by NN minutes: Reboot or shutdown NN minutes from when you click Apply, based on system time. Enter the desired number in the field; the default is 10 minutes. (FYI: 1440 minutes = 24 hours.) At time HH:MM: Reboot or shutdown at the specified system time, based on a 24-hour clock. Enter the desired time in the field. Use 24-hour notation and enter numbers in all positions. The default is 10 minutes after the current system time. Wait for sessions to terminate (do not allow new sessions): Reboot or shutdown as soon as the last session terminates, and do not allow any new sessions in the meantime. If you (the administrator) are the last se
3. No SA Failures. Reset: To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer. Restore: To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon. (Chapter 13, Monitoring; Monitoring | Statistics | IPSec.) Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. IKE (Phase 1) Statistics: This table provides IPSec Phase 1 (IKE, Internet Key Exchange) global statistics. During IPSec Phase 1 (IKE), the two peers establish control tunnels through which they negotiate Security Associations. Active Tunnels: The number of currently active IKE control tunnels. Total Tunnels: The cumulative total of all currently and previously active IKE control tunnels. Received Bytes: The cumulative total of bytes (octets) received by all currently and previously active IKE tunnels. Sent Bytes: The cumulative total of bytes (octets) sent by all currently and previously active IKE tunnels.
4. Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication. Cautions use the following conventions: Means reader be careful. Cautions alert you to actions or conditions that could result in equipment damage or loss of data. (Preface; Obtaining Documentation.) Data Formats: As you configure and manage the system, enter data in the following formats unless the instructions indicate otherwise (Type of Data: Format). IP Addresses: IP addresses use 4-byte dotted decimal notation (for example, 192.168.12.34); as the example indicates, you can omit leading zeros in a byte position. Subnet Masks and Wildcard Masks: Subnet masks use 4-byte dotted decimal notation (for example, 255.255.255.0). Wildcard masks use the same notation (for example, 0.0.0.255); as the example illustrates, you can omit leading zeros in a byte position. MAC Addresses: MAC addresses use 6-byte hexadecimal notation (for example, 00.10.5A.1F.4F.07). Hostnames: Hostnames use legitimate network hostname or end-system name notation (for example, VPN01). Spaces are not allowed. A hostname must uniquely identify a specific system on a network. Text Strings: Text strings use upper- and lower-case alphanumeric characters. Most text strings are case-sensitive (for example, simon and Simon represent different usernames). In most cases
5. 2.6 Administration > Certificate Management: 1) Enrollment, 2) Installation, 3) Certificate Authorities, 4) Identity Certificates, 5) SSL Certificate, 6) Back. Certificates> _ 2.6.2 Administration > Certificate Management > Installation: 1) Install Certificate Authority, 2) Install SSL Certificate from Enrollment, 3) Install SSL Certificate with private key, 4) Install Identity Certificate from Enrollment, 5) Back. Certificates> _ (Chapter 14, Using the Command Line Interface; Menu Reference.) 2.6.3 Administration > Certificate Management > Certificate Authorities: 1) View Certificate, 2) Delete Certificate, 4) Back. Certificates> _ 2.6.4 Administration > Certificate Management > Identity Certificates: 1) View Certificate, 2) Delete Certificate, 3) Back. Certificates> _ 2.6.5 Administration > Certificate Management > SSL Certificate: Subject (... to Quit, <SPACE> to Continue>), Issuer (... to Quit, <SPACE> to Continue>), Serial Number; 1) Delete Certificate, 2) Generate Certificate, 3) Back. Certificates> _ 3 Monitoring: Routing Table, Event Log, System Status, User Status, General Statistics, Back. Monitor> _ (Chapter 14, Using the Comm
6. If you modify any parameters of the private interface that you are currently using to connect to the VPN 3002, you will break the connection, and you will have to restart the Manager from the login screen. To make the interface offline, click Disabled. This state lets you retain or change its configuration parameters. If the interface is configured but disabled (offline), the appropriate Ethernet Link Status LED blinks green on the VPN 3002 front panel. Static IP Addressing, IP Address: To change the IP address of the private interface, click Static IP Addressing. Enter the IP address for this interface, using dotted decimal notation (for example, 192.168.12.34). Note that 0.0.0.0 is not allowed. Be sure no other device is using this address on the network. (Chapter 3, Interfaces; Configuration | Interfaces | Private.) Subnet Mask: Enter the subnet mask for this interface, using dotted decimal notation (for example, 255.255.255.0). The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered. For example, the IP address 192.168.12.34 is a Class C address, and the standard subnet mask is 255.255.255.0. You can accept this entry or change it. Note that 0.0.0.0 is not allowed. MAC Address: This is the unique hardware MAC (Media Access Control) address for this interfac
7. Help> _ To return to the main menu from this help menu, enter h or H (for home), or b or B (for back), at the prompt. (Chapter 14, Using the Command Line Interface; Using the Command-line Interface.) Saving the Configuration File: Configuration and administration entries take effect immediately and are included in the active, or running, configuration. However, if you reboot the VPN 3002 without saving the active configuration, you lose any changes. To save changes to the system configuration (CONFIG) file, navigate to the main menu. At the prompt, enter 4 for Save changes to Config file: 1) Configuration, 2) Administration, 3) Monitoring, 4) Save changes to Config file, 5) Help Information, 6) Exit. Main -> 4. The system writes the active configuration to the CONFIG file and redisplays the main menu. Stopping the Command-line Interface: To stop the command-line interface, navigate to the main menu and enter 6 for Exit at the prompt: 1) Configuration, 2) Administration, 3) Monitoring, 4) Save changes to Config file, 5) Help Information, 6) Exit. Main -> 6. Done. Make sure you save any configuration changes before you exit from the CLI. Understanding Access Rights: What you see and can configure depends on administrator access rights. If you do not have permission to configure an option, you see something other than a number in menus. For example, here is the main menu for the default Monitor admini
8. clear cache after software update, 12-4; installing SSL certificate, 1-3; navigation toolbar, don't use with Manager, 1-2; requirements, 1-1; built-in servers, configuring, see management protocols, 8-1. C: CA (Certificate Authority), definition, 12-16; CA certificates, definition, 12-16, installing, 12-44; cancelling an enrollment request, 12-60; certificate, PEM-encoded, 12-28; Certificate Authority (CA), definition, 12-16; certificate management, 12-16; certificate request fields, 12-20; certificates, see also digital certificates; changing administrator properties and rights, 12-9; Cisco.com website, xiv; clear event log, 13-5; CLI: accessing, 14-1; via console, 14-1; via Telnet, 14-2; Back and Home choices, 14-5; choosing a menu item, 14-3; configuration menu, 14-7; entering values, 14-3; errors, A-10; help command, 14-5; main menu, 14-2, 14-7; menu reference, 14-7; navigating with shortcut numbers, 14-4; prompt contains menu context, 14-3; saving configuration file, 14-6; shortcut numbers, 14-4; starting, 14-2; stopping, 14-6; using, 14-1, 14-3; client authentication, SSL (HTTPS only), 8-11; client mode: definition, 11-1; effect on backup server connection, 6-5; see also PAT mode; Command Line Interface, see CLI; concentrator settings: required for Network Extension mode, 11-3; required for PAT, 11-2; CONFIG.BAK file, see backup configuration file; use in troubleshooting, A-2
9. enabling on public interface for XML support, 8-17; encryption algorithms, 8-14; host key, 8-13; port number, 8-14; RSA key, 8-13; server key, 8-13; server key regeneration, 8-14; session key, 8-13; statistics, 13-32. SSL: client authentication (HTTPS only), 8-11; configuring internal server, 8-10; encryption algorithms, 8-11; statistics, 13-28. SSL certificate, 8-10, 12-16: enrolling, 12-37; enrolling via SCEP, 12-42; generating, 12-33; installing in browser, 1-3; installing with Internet Explorer, 1-4; installing with Netscape, 1-9; obtaining, 12-28; viewing with Internet Explorer, 1-8; viewing with Netscape, 1-14; VPN Concentrator, 1-3. Standards: IEEE standard 802.3 (Ethernet networks), 13-53; ITU, 12-50; RFC 1650 (Ethernet interface MIB objects), 13-53; RFC 1907 (SNMP version 2 MIB objects), 13-56; RFC 2011 (ARP table entries), 13-51; RFC 2011 (IP and ICMP MIB objects), 13-45, 13-48; RFC 2012 (TCP MIB objects), 13-42; RFC 2013 (UDP MIB objects), 13-42; RFC 2459, 12-50; X.509, 12-50; X.520, 12-50. Starting the CLI, 14-2. Static routes: adding, 7-3; configuring for IP routing, 7-2; modifying, 7-3. Statistics: devices behind the VPN 3002 Hardware Client, 13-14; DHCP, 13-30; DNS, 13-27; HTTP, 13-22; IPSec, 13-16; MIB-II, 13-39; ARP table, 13-51; Ethernet, 13-53; ICMP, 13-48; interfaces, 13-40; IP traffic, 13-45; SNMP, 13-56; TCP/UDP, 13-42; monitoring, 13-1, 13-15; PPPoE, 13-36; public/private Ethernet interface, 13-11; SSH, 13-32; SSL, 13-28; Telnet, 13-25; user status, 13-14; stoppin
10. Configuration | System | Servers | DNS (Domain Name System): This screen lets you configure the Domain Name System (DNS) servers for the VPN 3002. DNS servers convert domain names to IP addresses. Configuring DNS servers here lets you enter hostnames (for example, mail01) rather than IP addresses as you configure and manage the VPN 3002. You can configure up to three DNS servers that the system queries in order. DNS information that you add here is for the VPN 3002 only. PCs located behind the VPN 3002 on the private network get DNS information that is configured on the central-site VPN Concentrator in the Group settings for the VPN 3002. (Chapter 5, Servers; Configuration | System | Servers | DNS.) Figure 5-2: Configuration | System | Servers | DNS screen (Configure system-wide DNS servers; configuring DNS is optional, but it lets you use hostnames rather than IP addresses; fields: Enabled, Domain, Primary DNS Server, Secondary DNS Server, Tertiary DNS Server, Timeout Period (seconds), Timeout Retries; Apply, Cancel). Enabled: To use DNS functions, check Enabled (the default). To disable DNS, clear the box. Domain: Enter the name of the registered domain of the ISP for the VPN 3002 (for example, yourisp.com). Maximum 48 characters. This entry is sometimes called the domain name suffix
11. Configuration | System | Events | General, 9-5; Configuration | System | Events | Classes, 9-8; Configuration | System | Events | Classes | Add or Modify, 9-10; Configuration | System | Events | Trap Destinations, 9-12; Configuration | System | Events | Trap Destinations | Add or Modify, 9-13; Configuration | System | Events | Syslog Servers, 9-14; Configuration | System | Events | Syslog Servers | Add or Modify. General, 10-1: Configuration | System | General, 10-1; Configuration | System | General | Identification, 10-2; Configuration | System | General | Time and Date, 10-3. Policy Management, 11-1: Client Mode (PAT), 11-1; Network Extension Mode, 11-2; Configuration | Policy Management, 11-5; Configuration | Policy Management | Traffic Management, 11-5; Configuration | Policy Management | Traffic Management | PAT, 11-6; Configuration | Policy Management | Traffic Management | PAT | Enable, 11-6. Administration, 12-1: Administration, 12-1; Administration | Software Update, 12-2; Administration | System Reboot, 12-5; Administration | Ping, 12-7; Administration | Access Rights, 12-9; Administration | Access Rights | Administrators, 12-9; Administration | Access Rights | Access Settings, 12-11; Administration | File Management, 12-12; Administration | File Management | Swap Config Files, 12-13; Administration | File Management | Config File Upload, 12-14; Certificate Management, 12-16; Administrat
12. To include your settings for default event handling in the active configuration, click Apply. The Manager returns to the Configuration | System | Events screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Events screen. Configuration | System | Events | Classes: This section of the Manager lets you add, configure, modify, and delete specific event classes for special handling. You can thus override the general, or default, handling of event classes. For example, you might want to send email for HARDWAREMON events of severity 1-2, whereas default event handling does not send any email. Event classes denote the source of an event and refer to a specific hardware or software subsystem within the VPN 3002. Table 9-1 describes the event classes. (Chapter 9, Events; Configuration | System | Events | Classes.) Figure 9-3: Configuration | System | Events | Classes screen. This section lets you configure special handling of specific event classes. Click the Add button to add an event class, or select an event class and click Modify or Delete. (Configured Event Classes: MIB2TRAP; Actions: Add, Modify, Delete.) To configure default event handling, click the highlighted link th
13. User: Random user process messages. Mail: Mail system. Daemon: System daemons. Auth: Security or authorization messages. Syslog: Internal syslogd-generated messages. LPR: Line printer subsystem. News: Network news subsystem. UUCP: UUCP (UNIX-to-UNIX Copy Program) subsystem. Reserved 9 through Reserved 14: Outside the Local range, with no name or assignment yet, but usable. CRON: Clock daemon. Local 0 through Local 7 (default): User defined. (Chapter 9, Events; Configuration | System | Events | Syslog Servers | Add or Modify.) Add or Apply / Cancel: To add this server to the list of syslog servers, click Add. Or, to apply your changes to this syslog server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Syslog Servers screen. Any new server appears in the Syslog Servers list. Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your entries, click Cancel. The Manager returns to the Configuration | System | Events | Syslog Servers screen, and the Syslog Servers list is unchanged.
14. (Appendix A, Troubleshooting and System Errors; Command-line Interface Errors.) Command-line Interface Errors: These errors may occur while using the menu-based command-line interface from a console or Telnet session. Table A-9, Command Line Interface Errors (Error; Problem / Possible Cause; Solution). ERROR: Bad IP Address/Subnet Mask/Wildcard Mask/Area ID: The system expected a valid 4-byte dotted decimal entry, and the entry was not in that format. You entered something other than a 4-byte dotted decimal number; you might have omitted a byte position, or entered a number greater than 255 in a byte position; or you entered 0.0.0.0 instead of an appropriate address. At the prompt, reenter a valid 4-byte dotted decimal number. ERROR: Out of Range value entered. Try again: The system expected a number within a certain range, and the entry was outside that range. You entered a letter instead of a number, or you entered a number greater than the possible menu numbers. At the prompt, reenter a number in the appropriate range. ERROR: The Passwords do not match. Please try again: The entry for a password and the entry to verify the password do not match. You mistyped an entry, or you entered either a password or verify entry but not the other. At the Verify prompt, reenter the password. If
15. Administration | Certificate Management | Enroll Identity Certificate | PKCS10 screen: Enter the information to be included in the certificate request. The CA's certificate must be installed as a Certificate Authority before installing the certificate you requested. Please wait for the operation to finish. Common Name (CN): Enter the common name for the VPN 3002 Hardware Client to be used in this PKI. Organizational Unit (OU): Enter the department. Organization (O): Enter the Organization or company. Locality (L): Enter the city or town. State/Province (SP): Enter the State or Province. Country (C): Enter the two-letter country abbreviation (e.g. United States = US). Subject Alternative Name (FQDN): Enter the Fully Qualified Domain Name for the VPN 3002 Hardware Client to be used in this PKI. Subject Alternative Name (E-Mail Address): Enter the E-Mail Address for the VPN 3002 Hardware Client to be used in this PKI. Key Size: Select the key size for the generated RSA/DSA key pair. Enroll / Cancel. Step 5: Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1. The Manager displays the Administration | Certificate Management | Enrollment Request Generated screen. See Figure 12-28. Figure 12-28: Administration | Certificate Management | Enrollment Request Generated screen. A certificate request has been generated. The request is shown below. Copy and paste the certificate request to the CA's ma
16. Client authentication requires an installed Certificate Authority and a personal certificate installed in your browser. SSL Version (Negotiate SSL V2/V3): Select the SSL version to use. Using an SSL V2 Hello provides compatibility with most browsers. (768-bit RSA Key): Select the key size used in the generated certificate. Apply / Cancel. Encryption Algorithms: Check the boxes for the encryption algorithms that the VPN 3002 SSL server can negotiate with a client and use for session encryption. All are checked by default. You must check at least one algorithm to enable SSL. Unchecking all algorithms disables SSL. The algorithms are negotiated in the following order; you cannot change the order, but you can enable or disable selected algorithms. RC4-128/MD5: RC4 encryption with a 128-bit key and the MD5 hash function. This option is available in most SSL clients. 3DES-168/SHA: Triple DES encryption with a 168-bit key and the SHA-1 hash function. This is the strongest (most secure) option. DES-56/SHA: DES encryption with a 56-bit key and the SHA-1 hash function. RC4-40/MD5 Export: RC4 encryption with a 128-bit key, 40 bits of which are private, and the MD5 hash function. This option is available in the non-U.S. versions of many SSL clients. DES-40/SHA Export: DES encryption with a 56-bit key, 40 bits of which are private, and the SHA-1 hash function. This o
17. Enable Telnet/SSL: Check the box to enable Telnet over SSL. The box is checked by default. Telnet/SSL uses Telnet over a secure, encrypted connection. Telnet Port: Enter the port number that the Telnet server uses. The default is 23, which is the well-known port number. Telnet/SSL Port: Enter the port number that Telnet over SSL uses. The default is 992, which is the well-known port number. Maximum Connections: Enter the maximum number of concurrent, combined Telnet and Telnet/SSL connections that the server allows. Minimum is 1, default is 5, maximum is 10. Apply / Cancel: To apply your Telnet settings and to include the settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen. Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen. Figure 8-5: Configuration | System | Management Protocols screen. This section lets you configure built-in management protocol servers. In the left frame, or in the list of links below, click the function you want: HTTP/HTTPS (Hypertext Transfer Protocol/Secure); Telnet (terminal emulation protocol); SNMP (Simple Network Management Protocol); SNMP Community Strings (identifiers for valid SNMP clients); S
18. Failed Encryptions: The cumulative total of outbound encryptions that failed, by all currently and previously active IPSec Phase 2 tunnels. This number should be zero or very small; if not, check the event log for an internal IPSec subsystem problem. (Chapter 13, Monitoring; Monitoring | Statistics | HTTP.) System Capability Failures: The total number of system capacity failures that occurred during processing of all currently and previously active IPSec Phase 2 tunnels. These failures indicate that the system has run out of memory or some other critical resource; check the event log. No SA Failures: The cumulative total of nonexistent Security Association failures, which occurred during processing of all currently and previously active IPSec Phase 2 tunnels. These failures occur when the system receives an IPSec packet for which it has no Security Association, and might indicate synchronization problems. Protocol Use Failures: The cumulative total of protocol use failures that occurred during processing of all currently and previously active IPSec Phase 2 tunnels. These failures indicate errors parsing IPSec packets. Monitoring | Statistics | HTTP: This screen shows statistics for HTTP activity on the VPN 3002 since it was last booted or reset. To configure system-wide HTTP server parameters, see the Configuration | System | Management Protocols | HTTP screen. Figur
19. (Figure: VPN 3002 Hardware Client Manager main screen in Microsoft Internet Explorer; Address: http://10.10.99.50/access.html; Logged in: admin; navigation bar: Main, Help, Support, Logout; Configuration, Administration, Monitoring.) Welcome to the VPN 3002 Hardware Client Manager. In the left frame or the navigation bar above, click the function you want: Configuration, to configure all features of this device; Administration, to control administrative functions on this device; Monitoring, to view status, statistics, and logs on this device. The bar at the top right has: Main, to return to this screen; Help, to get help for the current screen; Support, to access VPN 3002 Hardware Client support and documentation; Logout, to log out of this session and return to the Manager login screen. Under the location bar in the upper right, these icons may appear. Click to: Save, to save the active configuration and make it the boot configuration; Save Needed, as above, indicating you have changed the active configuration; Refresh, to refresh statistics. From here you can navigate the Manager using either the table of contents in the left frame or the Manager to
20. Table 9-2, Event Severity Levels (Level; Category; Description). 1, Fault: A crash or non-recoverable error. 2, Warning: A pending crash or severe problem that requires user intervention. 3, Warning: A potentially serious problem that may require user action. 4, Information: An information-only event with few details. 5, Information: An information-only event with moderate detail. 6, Information: An information-only event with greatest detail. 7, Debug: Least amount of debugging detail. 8, Debug: Moderate amount of debugging detail. 9, Debug: Greatest amount of debugging detail. 10, Packet Decode: High-level packet header decoding. 11, Packet Decode: Low-level packet header decoding. 12, Packet Decode: Hex dump of header. 13, Packet Decode: Hex dump of packet. Within a severity level category, higher-numbered events provide more details than lower-numbered events, without necessarily duplicating the lower-level details. For example, within the Information category, Level 6 provides greater detail than Level 4, but does not necessarily include the same information as Level 4. Logging higher-numbered severity levels degrades performance, since more system resources are used to log and handle these events. The Debug (7-9) and Packet Decode (10-13) severity levels are intended for use by Cisco engineering and support personnel. We recommend that you avoid logging these events unless Cisco requests it. The VPN 3002, by
21. The Manager opens the Configuration | System | IP Routing | DHCP Options | Modify screen. (Chapter 7, IP Routing; Configuration | System | IP Routing | DHCP Options | Add or Modify.) To remove a configured DHCP option, select the option from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining DHCP options in the list. Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. Configuration | System | IP Routing | DHCP Options | Add or Modify: These screens let you add a new DHCP option to the list of DHCP options this VPN 3002 uses, or modify a configured DHCP option. Figure 7-7: Configuration | System | IP Routing | DHCP Options | Add screen (Configure and add a DHCP option; fields: DHCP Option, Option Value; Add, Cancel). DHCP Option: Use the pull-down menu to the DHCP Options field to select the option you want to add or modify. You can add or modify only one option at a time. Option Value: Enter the value you want this option to use, for example, the IP address for the TFTP server option, the number of seconds for the ARP Cache Timeout option, or 0 to enable or disable IP forwarding, etc.
22. The distribution point for CRLs from the issuer of this certificate. If this information is included in the certificate in the proper format, and you enable CRL checking, you do not have to provide it on the Administration | Certificate Management | Configure CA Certificate screen. To return to the Administration | Certificate Management screen, click Back. (Chapter 12, Administration; Administration | Certificate Management | Configure CA Certificate.) Administration | Certificate Management | Configure CA Certificate: This screen lets you configure this CA certificate to be able to issue identity certificates via SCEP. Figure 12-48: Administration | Certificate Management | Configure CA Certificate screen (Certificate; SCEP Configuration: Enrollment URL, enter the URL for enrollment; Polling Interval, enter the polling interval in minutes; Polling Limit, enter the maximum number of polling attempts to reach the SCEP server, or enter none to set no limit on the number of attempts; Apply, Cancel). Certificate: The certificate for which you are configuring SCEP parameters. This is the name in the Subject field of the Certificate Authorities table on the Administration | Certificate Management screen. SCEP Configuration, Enrollment URL: Enter the URL where the VPN 3002 should sen
23. Yes: This certificate can issue identity and SSL certificates via SCEP. No: This certificate cannot issue certificates via SCEP. Note: If you want to use a certificate for SCEP enrollment, but that certificate is not SCEP-enabled, reinstall it using SCEP. Actions: This column allows you to manage particular certificates. The actions available vary with type and status of the certificate. View: View details of this certificate. Configure: Enable CRL (Certificate Revocation List) checking for this CA certificate, modify SCEP parameters, or enable acceptance of subordinate CA certificates. Delete: Delete this certificate from the VPN 3002. Show RAs: SCEP-enabled CA certificates sometimes have supporting RA certificates; view details of these certificates. Only available for CA certificates. Hide RAs: Hide the details of the RA certificates. (Chapter 12, Administration; Administration | Certificate Management.) Enrollment Status Table: This table tracks the status of active enrollment requests. The VPN 3002 supports one installed identity certificate and one outstanding enrollment request. If you currently have an identity certificate on your VPN 3002 and you want to change it, you can request a second certificate, but the VPN 3002 does not install this certificate immediately. The new certificate appears in the Enrollment Status t
24. server is lost and the backup servers have different DNS and WINS information, clients cannot be updated until the DHCP lease expires. About Backup Servers: IPSec backup servers let a VPN 3002 connect to the central site when its primary central-site VPN Concentrator is unavailable. You configure backup servers for a VPN 3002 either on the VPN 3002, or on a group basis at the central-site VPN Concentrator. If you configure backup servers on the primary central-site VPN Concentrator, that VPN Concentrator pushes the backup server policy to the VPN 3002 hardware clients in the group. By default, the policy is to use the backup server list configured on the VPN 3002. Alternatively, the VPN Concentrator can push a policy that supplies a list of backup servers in order of priority, replacing the backup server list on the VPN 3002 if one is configured. It can also disable the feature and clear the backup server list on the VPN 3002 if one is configured. Figure 6-3 illustrates how the backup server feature works. Figure 6-3: Backup Server Implementation (Fargo VPN 3002; Boston VPN 3000 Concentrator; San Jose VPN 3080 Concentrator; Austin VPN 3000 Concentrator). XYZ corporation has large sites in three cities: San Jose, California; Austin, Texas; and Boston, Massachusetts. They just opened a regional sales office in Fargo, North Dakota. To provide access to the corporate network from Fargo, they use a VP
25. www.cisco.com/tac. P3 and P4 level problems are defined as follows. P3: Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue. P4: You need information or assistance on Cisco product capabilities, product installation, or basic product configuration. In each of the above cases, use the Cisco TAC website to quickly find answers to your questions. To register for Cisco.com, go to the following website: http://www.cisco.com/register. If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website: http://www.cisco.com/tac/caseopen. Contacting TAC by telephone: If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml. P1 and P2 level problems are defined as follows. P1: Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available. P2: Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.
26. 1-5: Select the range of severity values to enter in the log. Severity to Console (1-3): Select the range of severity values to display on the console. Severity to Syslog (None): Select the range of severity values to send to a Syslog server. Severity to Trap (None): Select the range of severity values to send to an SNMP trap destination. Apply / Cancel. Configuration | System | Events | General. Syslog Format: Click the Syslog Format drop-down menu button and choose the format for all events sent to UNIX syslog servers. Choices are: Original: Original VPN 3002 event format, with information on one line. Each entry in the event log consists of the following fields: Sequence Date Time SEV=Severity Class/Number RPT=RepeatCount String. Sequence: The sequence number of the event. Date: The date the event occurred. The date is in the following format: MM/DD/YYYY. Time: The time the event occurred. The time is in the following format: hh:mm:ss.ttt. Severity: The severity of the event (1-13). To see how this original severity level maps to Cisco IOS severity levels, see Table 9-2. Class/Number: The event class and event number. For a list of event classes, see the Events chapter. RepeatCount: The number of times this particular event has occurred since the VPN 3002 was last booted. String: The description of the event. The string sometimes inc
27. Apply / Cancel: To apply the settings for DHCP parameters and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen. Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing screen. Configuration | System | IP Routing | DHCP Options: This section lets you configure DHCP options. [Figure 7-6: Configuration | System | IP Routing | DHCP Options Screen. This section lets you configure parameters for DHCP servers. Click the Add button to add an option, or select an option and click Modify or Delete. Click here to configure global DHCP settings for this device. DHCP Options / Actions: Add, Modify, Delete.] DHCP Option: DHCP Options are facilities that allow the VPN 3002 DHCP server to respond to configurable parameters for specific kinds of devices, such as PCs, IP telephones, print servers, etc., as well as an IP address. Add / Modify / Delete: To configure and add DHCP options, click Add. The Manager opens the Configuration | System | IP | DHCP Options | Add screen. To modify a configured DHCP option, select the option from the list and click Modify
28. 255.255 will match all addresses. [Screen: Enable SSH on Public. Check to enable SSH on the Public interface. This will allow XML over SSH through the Public interface. Enter the IP address and wildcard mask from which to allow SSH access on the Public interface (IP Address: 0.0.0.0; SSH Wildcard mask: 255.255.255.255). Note: Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has 1s in bit positions to ignore, 0s in bit positions to match. Entering 0.0.0.0 will match the specified address; entering 255.255.255.255 will match all addresses. Apply / Cancel.] Enable XML: Check the Enable check box (the default) to enable the XML management capability. You must also enable HTTPS or SSH on the VPN 3002 public interface. Disabling the XML management capability is not recommended. Enable HTTPS on Public: Check the Enable HTTPS on Public check box to allow XML management over HTTPS on the VPN 3002 public interface. Configuration | System | Management Protocols | XML. HTTPS IP Address: Enter the IP address from which to allow HTTPS access on the VPN 3002 public interface. HTTPS Wildcard mask: Enter the wildcard mask for the HTTPS IP address. Note: Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has 1s in bit positions to ignore and 0s in bit positions to match. For example, ent
29. 3002. Refer to Chapter 14, User Management, in the VPN 3000 Series Concentrator Reference Volume I. Step 3: If the VPN 3002 uses PAT mode, enable a method of address assignment for the VPN 3002: DHCP, address pools, per user, or client specified. Refer to Chapter 6, Address Management, in the VPN 3000 Series Concentrator Reference Volume I. Step 4: If you are using Network Extension mode, configure a default gateway or a static route to the private network of the VPN 3002. Refer to Chapter 8, IP Routing, in the VPN 3000 Series Concentrator Reference Volume I. Step 5: Check the Event log. Refer to Chapter 10, Events, in the VPN 3000 Series Concentrator Reference Volume II. VPN 3002 Hardware Client Manager Errors: The following sections describe errors that might occur while using the HTML-based VPN 3002 Hardware Client Manager with a browser. Invalid Login or Session Timeout: The Manager displays the Invalid Login or Session Timeout screen (see Figure A-1). [Figure A-1: Invalid Login or Session Timeout Screen. VPN 3002 Hardware Client Manager: Invalid Login or Session Timeout. VPN 3002 Hardware Client Login: Login, Password; Login, Clear. Cisco Systems, Copyright 1993-2001 Cisco Systems, Inc.]
30. 4; information in the event log 13-3; using configuration files A-2. tunnel: configuring protocols 6-2; endpoint 6-1; functional description 6-1; initiation 11-4; protocols 6-1. type (model number), system 13-9. typographic conventions xv. U: UDP, MIB-II traffic statistics 13-42. updating software on VPN 3002 12-2. upload files to VPN 3002 12-14. user status 13-14. using the CLI 14-3. using the VPN Concentrator Manager 1-1. V: viewing: digital certificate details 12-50; digital certificates on VPN 3002 12-31; enrollment request 12-58; event log 13-5; SSL certificates, with Internet Explorer 1-8, with Netscape 1-14; VPN 3002 status, sessions, statistics, and event logs 13-1. VPN 3002 Hardware Client Manager: errors A-5; navigating 1-28; organization 1-27; window 1-23. VPN Concentrator Manager: logging in 1-17; using 1-1. W: WINS backup server, configuring 6-4. X: X.509: digital certificates 12-16; standards 12-50. X.520 standards 12-50. XML: configuring 8-16; enabling 8-16.
31. 58; live 13-6; monitoring 13-3, 13-6; save 13-5; saved on system crash or reboot A-1; saved on system failure or reboot 9-4; stored in nonvolatile memory 13-3; view 13-5; viewing 13-6. exiting from CLI 14-6. file management on VPN 3002 12-12. file upload to VPN 3002 12-2, 12-14; stopping 12-3, 12-14. filterable event log monitoring 13-3. flash memory: corrupting 12-2, 12-5; managing files 12-12; temporary files in 12-14. format: MIB-II statistics 13-53; data xiii; event log 13-5; syslog 9-6. front panel display monitoring 13-11. G: gateways, default 7-4. general: default event handling 9-5. general parameters, configuring 10-1. generating SSL server certificate 12-33. geteventlog 13-5. H: halting the VPN 3002 12-5. help, CLI 14-5. Home and Back CLI choice. entering values with CLI 14-3. erasing the event log 13-5. error: an error has occurred A-7; bad IP address A-10; CLI A-10; insufficient authorization A-8; invalid login A-5; Manager unexpectedly logs out A-6; message displays A-7; no such interface supported (IE) A-9; not allowed A-8; not found A-9; out of range value A-10; passwords do not match A-10; session timeout A-5; VPN 3002 Hardware Client Manager A-5. Ethernet interface status and statistics 13-11. event: class 9-1; configuring 9-5; configuring default handling 9-5; configuring for special handling, modify 9-10; configuring special handling 9-8, add 9-10; definition 9-1; severity level 9-3.
32. 9, Events: Explains how to configure system events such as alarms, traps, error conditions, network problems, task completion, or status changes. Chapter 10, General: Explains how to configure the system identification, date, and time. Chapter 11, Policy Management: Explains how to configure and use PAT and Network Extension modes. Chapter 12, Administration: Explains how to configure and use high-level VPN 3002 administrator activities, such as who is allowed to configure the system, what software runs on it, rebooting and shutting down the system, managing its configuration files, and managing X.509 digital certificates. Chapter 13, Monitoring: Explains the many status, statistics, sessions, and event log screens that you can use to monitor the VPN 3002. Chapter 14, Using the Command Line Interface: Explains how to use the built-in menu- and command-line-based administrative management system via the system console or a Telnet session. With the CLI, you can access and configure all the same parameters as you can using the HTML-based VPN 3002 Hardware Client Manager. Appendix A, Troubleshooting and System Errors: Describes common errors that may occur while configuring the system and how to correct them. It also describes all system and module LED indicators. Appendix B, Copyrights, Licenses, and Notices: Provides copyright licenses
33. Authentication. Note: Individual user authentication protects the central site from access by unauthorized persons on the same LAN as the VPN 3002. When you enable individual user authentication, each user that connects through a VPN 3002 must open a web browser and manually enter a valid username and password to access the network behind the VPN Concentrator, even though the tunnel already exists. If you direct the browser to a site on the remote network behind the VPN Concentrator, the VPN 3002 directs the browser to the proper pages for login. When you successfully log in, the browser displays the page you originally entered. You can also log in by directing the browser to the private interface of the VPN 3002 HTML interface. You do this by entering the IP address of the private interface in the browser Location or Address field. The browser displays the login screen for the VPN 3002. Click the Connect/Login Status button to authenticate. You cannot use the command-line interface to log in if user authentication is enabled. You must use a browser. Logging In With Interactive Hardware Client and Individual User Authentication: You access the interactive hardware client authentication and individual user authentication login screens from the VPN 3002 Hardware Client Manager login screen. The sequence in the login example that follows assumes that both interactive hardware client authentication and individual user authenti
34. Configuration | System | Management Protocols | SNMP. [Figure 13-25: Monitoring | Statistics | MIB-II | SNMP Screen (Requests Received, Bad Version, Bad Community String, Parsing Errors, Silent Drops, Proxy Drops).] To reset or start anew the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer. To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon. To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Requests Received: The total number of SNMP messages received by the VPN 3002. Bad Version: The total number of SNMP messages received that were for an unsupported SNMP version. The VPN 3002 supports SNMP version 2. Monitoring | Statistics | MIB-II | SNMP. Bad Community String: The total number of SNMP messages received that used an SNMP community string the VPN 3002 did not recognize. See Configuration | System | Management Protocols | SNMP Communities to configure permitted community
35. Configure SNMP Community Strings; 5) Configure SSL; 7) Configure XML; 8) Back. Network>
1.3.5 Configuration > System Management > Event Configuration: 1) General, 2) Classes, 3) Syslog Servers, 4) Trap Destinations, 5) Back. Event>
1.3.6 Configuration > System Management > General Config: 1) System Identification, 2) System Time and Date, 3) Back. General>
1.4 Configuration > Policy Management: 1) Traffic Management, 2) Back. Policy>
1.4.1 Configuration > Policy Management > Traffic Management: 1) Port Address Translation (PAT), 2) Back. Traffic>
2 Administration: 1) Software Update, 2) System Reboot, 3) Ping, 4) Access Rights, 5) File Management, 6) Certificate Management, 7) Back.
2.1 Administration > Software Update: Name of the file for main code upgrade: vpn3002c.bin. IP address of the host where the file resides: 10.10.66.10. (M)odify any of the above, (C)ontinue, or (E)xit?
2.2 Administration > System Reboot: 1) Cancel Scheduled Reboot/Shutdown, 2) Schedule Reboot, 3) Schedule Shutdown, 4) Back.
2.2.2 Administration > System Reboot > Schedule Reboot: 1) Sav
36. Date. Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | General screen. Chapter: Policy Management. The VPN 3002 works in either of two modes: Client mode or Network Extension mode. Policy management on the VPN 3002 includes deciding whether you want the VPN 3002 to use Client Mode or Network Extension mode. This section lets you enable or disable PAT. Client Mode (PAT): Client mode, also called Port Address Translation (PAT) mode, isolates all devices on the VPN 3002 private network from those on the corporate network. In PAT mode, IPSec encapsulates all traffic going from the private network of the VPN 3002 to the network(s) behind the Internet Key Exchange (IKE) peer, that is, the central-site VPN Concentrator. PAT mode uses NAT (Network Address Translation). NAT translates the network addresses of the devices connected to the VPN 3002 private interface to the IP address of the VPN 3002 public interface. The VPN Concentrator assigns this address. NAT also keeps track of these mappings so that it can forward replies to the correct device. All traffic from the private network appears on the network behind the IKE peer with a single source IP address. This IP address is the one the central si
37. Configuration | System | IP Routing | Static Routes: This section of the Manager lets you configure static routes for IP routing. [Figure 7-2: Configuration | System | IP Routing | Static Routes Screen. This section lets you configure static routes for IP routing. Static Routes / Actions: Default -> 192.168.12.77; 192.168.12.0/255.255.255.0 -> 10.10.0.2; Add, Modify, Delete.] The Static Routes list shows manual IP routes that have been configured. The format is [destination network address/subnet mask -> outbound destination]; for example, 192.168.12.0/255.255.255.0 -> 10.10.0.2. If you have configured the default gateway, it appears first in the list as [Default -> default router address]. If no static routes have been configured, the list shows Empty. Add / Modify / Delete: To configure and add a new static route, click Add. The Manager opens the Configuration | System | IP Routing | Static Routes | Add screen. To modify a configured static route, select the route from the list and click Modify. The Manager opens the Configuration | System | IP Routing | Static Routes | Modify screen. If you select the default gateway, the Manager opens the Configuration | System | IP Routing | Default Gateways screen. To delete a configured static route, s
38. II Screen. This section shows statistics recorded in standard MIB-II objects. In the left frame, or in the list of links below, click the MIB-II statistics you want to view. Interfaces: packets in and out on Ethernet interfaces and VPN tunnels. TCP/UDP: segments and datagrams received and transmitted, timeouts, resets, etc. IP: packets received and transmitted, fragmentation data, etc. ICMP: received and transmitted PINGs, timestamps, mask requests, etc. ARP Table: physical addresses, IP addresses, and mapping type. Ethernet: transmit errors, collisions, etc. SNMP: in packets, bad community strings, parse errors, etc. Monitoring | Statistics | MIB-II | Interfaces: This screen shows statistics in MIB-II objects for VPN 3002 interfaces since the system was last booted or reset. [Figure 13-19: Monitoring | Statistics | MIB-II | Interfaces Screen. Reset, Refresh. Columns: Interface, Status, Unicast In/Out, Multicast In/Out, Broadcast In/Out. Rows: Private Interface (UP); Public Interface (UP, DHCP).] Reset: To reset or start anew the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can
39. Internet Explorer: This section describes SSL certificate installation using Microsoft Internet Explorer 5.0. With Internet Explorer 4.0, some dialog boxes are different, but the process is similar. You need to install the SSL certificate from a given VPN 3002 only once. If you do reinstall it, the browser repeats all these steps each time. A few seconds after the VPN 3002 Hardware Client Manager SSL screen appears, Internet Explorer displays a File Download dialog box that identifies the certificate filename and source and asks whether to Open or Save the certificate. To immediately install the certificate in the browser, select Open. If you Save the file, the browser prompts for a location; you must then double-click the file to install it. Installing the SSL Certificate in Your Browser. [Figure 1-3: Internet Explorer File Download Dialog Box. "You have chosen to download a file from this location: ssl.crt from 100.200.147.2. What would you like to do with this file?" Open this file from its current location / Save this file to disk; Always ask before opening this type of file; OK, Cancel, More Info.] 3. Click the Open this file from its current location radio button, then click OK. The browser displays the Certificate dialog box with information about the certificate. You must now install the certificate. Figure
40. Lab VPN_ You can enter a new name at the prompt, or just press Enter to keep the current name. Using the Command Line Interface. Navigating Quickly: There are two ways to move quickly through the command line interface: shortcut numbers and the Back/Home options. Both ways work only when you are at a menu, not when you are at a value entry. Using Shortcut Numbers: When you become familiar with the structure of the interface, which parallels the HTML-based VPN 3002 Hardware Client Manager, you can quickly access any level by entering a series of numbers separated by periods. For example, suppose you want to change the Access Rights for Administrators. The series of menus that gets to that level from the main menu is:
Main> 1) Configuration, 2) Administration, 3) Monitoring, 4) Save changes to Config file, 5) Help Information, 6) Exit
Main> 2
Administration: Software Update, System Reboot, Ping, Access Rights, File Management, Certificate Management, Back
Config> 4
Access Rights: 1) Administrators, 2) Access Settings, 3) Back
Admin> 1
Administrative Users (Username / Enabled): admin Yes; config No; isp No. 1) Modify Administrator, 2) Back
Admin> 1
Which Administrator to Modify? Admin>
41. Name. E-mail Address (Yes / Yes): The e-mail address of the VPN 3002 user. Challenge Password (No / Yes): This field appears if you are requesting a certificate using SCEP. Use this field according to the policy of your CA. Your CA might have given you a password; if so, enter it here for authentication. Your CA might allow you to provide your own password to use to identify yourself to the CA in the future; if so, create your password here. Your CA might not require a password; if so, leave this field blank. Table 12-1: Fields in a Certificate Request (continued). Verify Challenge Password (No / Yes): Re-enter the challenge password. Key Size (Yes / Yes): The algorithm for generating the public-key/private-key pair, and the key size. If you are requesting an SSL certificate, or if you are requesting an identity certificate using SCEP, only the RSA options are available. RSA 512 bits: Generate 512-bit keys using the RSA (Rivest, Shamir, Adleman) algorithm. This key size provides sufficient security and is the default selection. It is the most common and requires the least processing. RSA 768 bits: Generate 768-bit keys using the RSA algorithm. This key size provides normal security. It requires approximately 2 to 4 times more processing than the 512-bit key. RSA 1024 bits: Gener
42. Obtaining technical assistance. Using the VPN 3002 Hardware Client Manager: The VPN 3002 Hardware Client Manager is an HTML-based interface that lets you configure, administer, monitor, and manage the VPN 3002 with a standard web browser. To use it, you connect to the VPN 3002 using a PC and browser on the same private network with the VPN 3002. The Manager uses the standard web client/server protocol, HTTP (Hypertext Transfer Protocol), which is a cleartext protocol. However, you can also use the Manager in a secure, encrypted HTTP connection over SSL (Secure Sockets Layer) protocol, known as HTTPS. To use a cleartext HTTP connection, see the section Connecting to the VPN 3002 Using HTTP. To use HTTP over SSL (HTTPS) with the Manager: The first time, connect to the Manager using HTTP and install an SSL certificate in the browser; see Installing the SSL Certificate in Your Browser. When the SSL certificate is installed, you can connect directly using HTTPS; see Connecting to the VPN 3002 Using HTTPS. VPN 3002 Hardware Client Browser Requirements. Note: The VPN 3002 Hardware Client Manager requires either Microsoft Internet Explorer version 4.0 or higher, or Netscape Navigator version 4.5-4.7. For best results, we recommend Internet Explorer. Whatever browser and version you use, install the latest patches and service packs for it. Yo
43. Packets Received, Header Errors: The number of IP data packets received and discarded due to errors in IP headers, including bad checksums, version number mismatches, other format errors, etc. Packets Received, Address Errors: The number of IP data packets received and discarded because the IP address in the destination field was not a valid address for the VPN 3002. This count includes invalid addresses (for example, 0.0.0.0) and addresses of unsupported classes, such as Class E. Packets Received, Unknown Protocols: The number of IP data packets received and discarded because of an unknown or unsupported protocol. Packets Received, Discarded: The number of IP data packets received that had no problems preventing continued processing but that were discarded, for example, for lack of buffer space. This number does not include any packets discarded while awaiting reassembly. Packets Received, Delivered: The number of IP data packets received and successfully delivered to IP user protocols (including ICMP) on the VPN 3002; that is, the VPN 3002 was the final destination. Packets Forwarded: The number of IP data packets received and forwarded to destinations other than the VPN 3002. Outbound Packets Discarded: The number of outbound IP data packets that had no problems preventing their transmission to a destination but that were discarded, for example, for lack of buffer space.
44. Received Packets: The cumulative total of packets received by all currently and previously active IKE tunnels. Sent Packets: The cumulative total of packets sent by all currently and previously active IKE tunnels. Received Packets Dropped: The cumulative total of packets that were dropped during receive processing by all currently and previously active IKE tunnels. If there is a problem with the content of a packet (such as hash failure, parsing error, or encryption failure) received in Phase 1 or the negotiation of Phase 2, the system drops the packet. This number should be zero or very small; if not, check for misconfiguration. Sent Packets Dropped: The cumulative total of packets that were dropped during send processing by all currently and previously active IKE tunnels. This number should be zero; if not, check for a network problem, check the event log for an internal subsystem failure, or contact Cisco support. Monitoring | Statistics | IPSec. Received Notifies: The cumulative total of notify packets received by all currently and previously active IKE tunnels. A notify packet is an informational packet that is sent in response to a bad packet or to indicate status; for example, error packets, keepalive packets, etc. Sent Notifies: The cumulative total of notify packets sent by all currently and previously active IKE tunnels. See comment
45. Screen. [Figure: Config File Upload Error screen. "An error occurred while uploading the config file."] Click the link Click here to see the list of files to go to the Administration | File Management | View screen and examine space and files in Flash memory. Click the link Click here to return to File Upload to return to the Administration | File Management | File Upload screen. Certificate Management: Digital certificates are a form of digital identification used for authentication. Certificate Authorities (CAs) issue them in the context of a Public Key Infrastructure (PKI), which uses public-key/private-key encryption to ensure security. CAs are trusted authorities who sign (issue) certificates to verify their authenticity. A CA certificate is one used to sign other certificates. A CA certificate that is self-signed is called a root certificate; one issued by another CA certificate is called a subordinate certificate. CAs also issue identity certificates, which are the certificates for specific systems or hosts. There can be up to six root or subordinate CA certificates (including supporting RA certificates) but only one identity certificate on a VPN 3002. The VPN 3002 supports X.509 digital certificates (International Telecommunications Union Recommendation X.509), including SSL (Secure Sockets Layer) cer
46. Second, you can view all the certificates that are stored in Internet Explorer 4.0. Click the browser View menu and select Internet Options. Click the Content tab, then click Authorities in the Certificates section. In Internet Explorer 5.0, click the browser Tools menu and select Internet Options. Click the Content tab, then click Certificates in the Certificates section. On the Certificate Manager, click the Trusted Root Certification Authorities tab. The VPN 3002 Hardware Client SSL certificate name is its Ethernet 1 (private) IP address. [Figure 1-13: Internet Explorer 4.0 Certificate Authorities List. Certificate Authorities / Issuers: "Trust sites, people and publishers with credentials issued by the following Certifying Authorities." Issuer Type: Network server authentication. Listed issuers include ATT Certificate Services, ATT Directory Services, GTE CyberTrust Global Root, GTE CyberTrust Root, internetMCI, Keywitness Canada Inc. Buttons: View Certificate, Delete, Close.] Select a certificate, then click View Certificate. The browser displays the Certificate Properties screen, as in Figure 1-12 above. Installing the SSL Certificate with Netscape: This section describes SSL certificate installation using Netscape Navigator/Communicator 4.5.
47. [Figure: Administration | Certificate Management screen, continued. Certificate Authorities table (actions: View, Configure, Delete). Identity Certificates (current 1, maximum 1; columns Subject, Issuer, Expiration, Actions; actions: View, Renew, Delete). SSL Certificate (Generate). Note: The public key in the SSL certificate is also used for the SSH host key. Subject: 10.10.99.90 at Cisco Systems, Inc.; Issuer: 10.10.99.90 at Cisco Systems, Inc.; Expiration: 2004; actions: View, Renew, Delete. Enrollment Status (Remove All: Errored, Timed-out, Rejected, Cancelled; current 1, available 1; columns Subject, Issuer, Date, Use, Reason, Method, Status, Actions; one SCEP identity request dated 10/23/2001 with status Rejected; actions: View, Resubmit, Delete).] Administration | Certificate Management. Certificate Authorities Table: This table shows root and subordinate CA certificates installed on the VPN 3002. Fields: These fields appear in the Certificate Authorities table. Field / Content. Subject, Issuer: The Common Name (CN) or Organizational Unit (OU), if present, plus the Organization (O) in the Subject and Issuer fields of the certificate. The format is CN at O, OU at O, or just O; for example, Root 2 at CyberTrust. The CN, OU, and O fields display a maximum of 33 characters each. See Administration | Certificate Management | Certificates | View. Expiration: The expiration date of the
48. Telnet: terminal emulation protocol. SNMP: Simple Network Management Protocol. SNMP Community Strings: identifiers for valid SNMP clients. SSL: Secure Sockets Layer, used with HTTPS. SSH: Secure Shell, a secure Telnet-like protocol. Configuration | System | Management Protocols | SSL: This screen lets you configure the VPN 3002 SSL (Secure Sockets Layer) protocol server. These settings apply to both HTTPS and Telnet over SSL. HTTPS lets you use a web browser over a secure, encrypted connection to manage the VPN 3002. SSL creates a secure session between the client and the VPN 3002 server. The client first authenticates the server, they negotiate session security parameters, and then they encrypt all data passed during the session. If during negotiation the server and client cannot agree on security parameters, the session terminates. SSL uses digital certificates for authentication. The VPN 3002 creates a self-signed SSL server certificate when it boots, or you can install in the VPN 3002 an SSL certificate that has been issued in a PKI context. This certificate must then be installed in the client (for HTTPS; Telnet does not usually require it). You need to install the certificate from a given VPN 3002 only once. The default SSL settings should suit most a
49. The VPN 3002 has three predefined administrators:
admin: System administrator with access to, and rights to change, all areas. This is the only administrator enabled by default; in other words, this is the only administrator who can log in to and use the VPN 3002 Hardware Client Manager as supplied by Cisco.
config: Configuration administrator with access rights to Quick Configuration and monitoring management options only.
monitor: Monitor administrator with rights to monitoring management options only.

Note: The VPN 3002 saves Administrator parameter settings from this screen in nonvolatile memory, not in the active configuration (CONFIG) file. Thus these settings are retained even if the system loses power. These settings are also retained even if you reboot the system with the factory configuration file.

Password: Enter or edit the unique password for this administrator. Maximum is 31 characters. The field displays only asterisks.
Note: The default password that Cisco supplies is the same as the username. We strongly recommend that you change this password.
Verify: Re-enter the password to verify it. The field displays only asterisks.
Enabled: Check the box to enable, or clear the box to disable, an administrator. Only enabled administrators can log in to and use the VPN 3002 Hardware Client Manager. You must enable at least one administrator, and you can enable all administrators. By default, o
50. [Netscape dialog residue: checkbox "Warn me before sending information to sites certified by this Certificate Authority"; buttons < Back, Next >, Cancel.]
Step 5. Checking the box is optional. Doing so means that you get a warning whenever you apply settings on a Manager screen, so it is probably less intrusive to manage the VPN 3002 without those warnings. Click Next > to proceed. Netscape displays the final New Certificate Authority screen, which asks you to name the certificate.
Figure 1-20: Netscape New Certificate Authority Screen. [Dialog text: "You have accepted this Certificate Authority. You must now select a nickname that will be used to identify this Certificate Authority, for example, Mozilla's Certificate Shack." Field: Nickname; buttons < Back, Finish, Cancel.]
Step 6. In the Nickname field, enter a descriptive name for this certificate. "Nickname" is something of a misnomer; we suggest you use a clearly descriptive name, such as Cisco VPN 3002 10.10.147.2. This name appears in the list of installed certificates; see Viewing Certificates with Netscape, below. Click Finish. You can now connect to the VPN 3002 using HTTP over SSL (HTTPS).
Step 7. On the Manager SSL screen (Figure 1-2), click the link that says After
51. a highlighted module on the back panel image. See Configuration | Interfaces | Private/Public.
DNS Server(s): To configure DNS server(s), click the highlighted link in the table. See Configuration | System | Servers | DNS.
DNS Domain Name: To configure the DNS domain name, click the highlighted link in the table. See Configuration | System | Servers | DNS.

Status: The operational status of this interface.
UP (green): Configured, enabled, and operational; ready to pass data traffic.
DOWN (red): Configured but disabled or disconnected.
Testing: In test mode; no regular data traffic can pass.
Dormant (red): Configured and enabled, but waiting for an external action, such as an incoming connection.
Not Present (red): Missing hardware components.
Lower Layer Down (red): Not operational because a lower-layer interface is down.
Unknown (red): Not configured, or not able to determine status.
Not Configured: Present but not configured.
Waiting for DHCP/PPPoE: Waiting for DHCP or PPPoE to assign an IP address.
IP Address: The IP address configured on this interface.
Subnet Mask: The subnet mask configured on this interface.
MAC Address: This is the unique hardware MAC (Media Access Control) address for this interface, displayed in 6-byte hexadecimal notation. You cannot change this a
52. apply your SSL settings and to include your settings in the active configuration, click Apply. The Manager returns to the initial Login screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.

Configuration | System | Management Protocols | SSH
Figure 8-13: Configuration | System | Management Protocols Screen. [Screen text: This section lets you configure built-in management protocol servers. In the left frame, or in the list of links below, click the function you want. HTTP/HTTPS: Hypertext Transfer Protocol / Secure. Telnet: terminal emulation protocol. SNMP: Simple Network Management Protocol. SNMP Community Strings: identifiers for valid SNMP clients. SSL: Secure Sockets Layer, used with HTTPS. SSH: Secure Shell, a secure Telnet-like protocol.]

This screen lets you configure the VPN 3002 SSH (Secure Shell) protocol server. SSH is a secure, Telnet-like terminal emulator protocol that you can use to manage the VPN 3002 using the Command Line Interface over a remote connection. The SSH server supports SSH1 (protocol version 1.5), which uses two RSA
53. as Errors Received/Transmitted. ICMP messages solicit and provide information about the network environment.

Errors Received/Transmitted: The number of ICMP messages that the VPN 3002 received but determined to have ICMP-specific errors (bad ICMP checksums, bad length, etc.) / The number of ICMP messages that the VPN 3002 did not send due to problems within ICMP, such as a lack of buffers.
Destination Unreachable Received/Transmitted: The number of ICMP Destination Unreachable messages received/sent. Destination Unreachable messages apply to many network situations, including inability to determine a route, an unusable source route specified, and the Don't Fragment flag set for a packet that must be fragmented.
Time Exceeded Received/Transmitted: The number of ICMP Time Exceeded messages received/sent. Time Exceeded messages indicate that the lifetime of the packet has expired, or that a router cannot reassemble a packet within a time limit.
Parameter Problems Received/Transmitted: The number of ICMP Parameter Problem messages received/sent. Parameter Problem messages indicate a syntactic or semantic error in an IP header.
Source Quench Received/Transmitted: The number of ICMP Source Quench messages received/sent. Source Quench messages provide rudimentary flow control: they request a reduction in the r
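To make concrete how a received message lands in the Errors counter rather than in its per-type counter, here is an added example (not Cisco's code) that verifies the RFC 1071 ICMP checksum and the header length of constructed ICMP messages and tallies them into the counters named above.

```python
"""Tally ICMP messages into the MIB-II counters the VPN 3002 Monitoring screen
reports: Errors, Destination Unreachable, Time Exceeded, Parameter Problems,
Source Quench.

Added example, not Cisco code. Sample messages are constructed below; two of
them are deliberately damaged so they fall into "Errors".
"""
import struct
from typing import Dict, Iterable

# ICMP type -> counter name on the Monitoring | Statistics | MIB-II | ICMP screen
COUNTER_FOR_TYPE = {
    3: "Destination Unreachable",
    4: "Source Quench",
    11: "Time Exceeded",
    12: "Parameter Problems",
}
ICMP_HEADER_LEN = 8  # type, code, checksum, 4 bytes of type-specific header


def icmp_checksum(message: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(message) % 2:
        message += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(message) // 2), message))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Build a well-formed ICMP message with its checksum filled in."""
    body = struct.pack("!BBHI", icmp_type, code, 0, rest) + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def flip_code_bit(message: bytes) -> bytes:
    """Alter the code byte without refreshing the checksum (simulates on-path damage)."""
    return message[:1] + bytes([message[1] ^ 0x01]) + message[2:]


def tally_received(messages: Iterable[bytes]) -> Dict[str, int]:
    """Count received messages the way the per-type and Errors counters would."""
    counts = {"Errors": 0, **{name: 0 for name in COUNTER_FOR_TYPE.values()}}
    for msg in messages:
        # Too short for the ICMP header, or checksum fails to verify: an
        # ICMP-specific error. A correct message sums to 0xFFFF, so the
        # complemented checksum over the whole message is 0.
        if len(msg) < ICMP_HEADER_LEN or icmp_checksum(msg) != 0:
            counts["Errors"] += 1
            continue
        name = COUNTER_FOR_TYPE.get(msg[0])
        if name is not None:
            counts[name] += 1
    return counts


# Constructed sample traffic: five well-formed messages, one truncated, one corrupted.
SAMPLE_MESSAGES = [
    build_icmp(3, 1, payload=b"\x45\x00" + b"\x00" * 26),  # Destination Unreachable: host unreachable
    build_icmp(3, 4, rest=0x000005DC),                     # Destination Unreachable: DF set, MTU 1500
    build_icmp(11, 0),                                     # Time Exceeded: TTL expired in transit
    build_icmp(12, 0, rest=0x14 << 24),                    # Parameter Problem: pointer at offset 20
    build_icmp(4, 0),                                      # Source Quench
    build_icmp(11, 1)[:7],                                 # bad length: header cut short
    flip_code_bit(build_icmp(11, 0)),                      # bad checksum: code byte altered
]

if __name__ == "__main__":
    for counter, n in tally_received(SAMPLE_MESSAGES).items():
        print(f"{counter:24s} Received: {n}")
```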
54. backup servers. Also, if you require interactive hardware client authentication and/or individual user authentication for the VPN 3002 on the primary VPN Concentrator, be sure to configure it on backup servers as well.

IPSec over TCP: Check IPSec over TCP if you want to connect using IPSec over TCP. This feature must also be enabled on the VPN Concentrator to which this VPN 3002 connects. See the explanation that follows.
IPSec over TCP Port: Enter the IPSec over TCP port number. You can enter one port. The port that you configure on the VPN 3002 must also match that configured on the VPN Concentrator to which this VPN 3002 connects.

About IPSec over TCP
Note: IPSec over TCP encapsulates encrypted data traffic within TCP packets. This feature enables the VPN 3002 to operate in an environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, UDP 500) cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet and enables secure tunneling through both NAT and PAT devices and firewalls. This feature does not work with proxy-based firewalls. The VPN 3002 Hardware Client, which supports one tunnel at a time, can connect using either standard IP
55. boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | Interfaces screen.

Configuration | Interfaces | Public
This screen lets you select a connection method (DHCP, PPPoE, or static IP addressing) for the public interface. It also allows you to disable the public interface.
Figure 3-3: Configuration | Interfaces | Public Screen. [Screen text, Configuring the Public Interface: Disabled (select to disable this interface). DHCP Client (select to obtain the IP address, subnet mask, and default gateway via DHCP; Lease Info: 192.168.0.5, expires in 70:47:19 hh:mm:ss). PPPoE Client (select to connect to a public network via PPPoE; enter the PPPoE User Name and Password; fields PPPoE User Name, PPPoE Password, Verify PPPoE Password). Static IP Addressing (select to configure the IP Address and Subnet Mask; enter the IP Address and Subnet Mask for this interface; fields IP Address, Subnet Mask 255.255.255.0). MAC Address 00.90.44.04.01.05 (the MAC address for this interface). Speed 10/100 auto (select the speed for this interface). Duplex Auto (select the duplex mode for this interface). Apply, Cancel.]

Disabled: To make the interface offline, click Disabled. This state lets you r
56. clients.
SSL V3 with SSL V2 Hello: The server insists on SSL Version 3 but accepts an initial Version 2 Hello.
SSL V3 Only: The server insists on SSL Version 3 only.
SSL V2 Only: The server insists on SSL Version 2 only. This selection works with most Telnet/SSL clients.
TLS V1 Only: The server insists on TLS Version 1 only. At present, only Microsoft Internet Explorer 5.0 supports this option.
TLS V1 with SSL V2 Hello: The server insists on TLS Version 1 but accepts an initial SSL Version 2 Hello. At present, only Microsoft Internet Explorer 5.0 supports this option.

Generated Certificate Key Size: Click the drop-down menu button and select the size of the RSA key that the VPN 3002 uses in its self-signed, generated SSL server certificate. A larger key size increases security, but it also increases the processing necessary in all transactions over SSL. The increases vary depending on the type of transaction (encryption or decryption). Choices are:
512-bit RSA Key: This key size provides sufficient security. It is the most common and requires the least processing.
768-bit RSA Key: This key size provides normal security and is the default selection. It requires approximately 2 to 4 times more processing than the 512-bit key.
1024-bit RSA Key: This key size provides high security. It requires approximately 4 to 8 times more processing than the 512-bit key.

Apply / Cancel
Reminder: To
57. configuration: quick 2-1; system 4-1; VPN 3002 Hardware Client Manager 2-1
configuration files: automatic backup with file upload 12-14; changes with software update 12-2; handling at reboot or shutdown 12-6; handling during file upload 12-14; managing and viewing 12-12; saving with CLI 14-6; swap 12-13; useful for troubleshooting A-2
configuration menu, CLI 14-7
configuring: administrative access to the VPN 3002 12-9; backup servers 6-3; default gateways for IP routing 7-4; interfaces 3-1; private interface 3-4; public interface 3-6; remote server 6-3; static routes for IP routing 7-2; VPN Concentrator with CLI 14-1
connecting to VPN Concentrator: using HTTP 1-2; using HTTPS 1-16
console, accessing CLI via 14-1
conventions: documentation xv; typographic xv
crash dump file A-1
crash, system saves log file A-1
CRSHDUMP.TXT file A-1

D
data formats xiii
data initiation, VPN 3002 and central-site concentrator 11-5
date and time, configuring 10-3
Daylight Saving Time (DST), enabling 10-3
default: event handling, configuring 9-5; gateways, configuring for IP routing 7-4; Monitor administrator access rights, CLI 14-6
delete: digital certificate 12-30, 12-57; enrollment request 12-61
DES-40/SHA Export SSL encryption algorithm 8-11
DES-56/SHA SSL encryption algorithm 8-11
DES-56 SSH encryption algorithm 8-14
DHCP 7-9: configuring parameters on VPN 3002 7-6; statistics 13-30
digital certificates: CA 12-16; definition 12
58. enter polling mode. In polling mode, the VPN 3002 re-sends the certificate request to the CA a specified number of times at regular intervals until the CA responds or the process times out. For information on configuring the polling limit and interval, see the Administration | Certificate Management | Configure CA Certificate screen. The certificate request appears in the Enrollment Status table on the Administration | Certificate Management screen until the CA responds. Once the CA responds and issues the certificate, the VPN 3002 checks to see if it already has an active certificate. If there is no active certificate, the VPN 3002 installs the new certificate automatically. If there already is an active certificate, the new certificate appears in the Enrollment Status table; you have to activate it manually.

If the CA responds immediately, the Manager installs the identity certificate on the VPN 3002 and displays the Administration | Certificate Management | Enrollment Request Generated screen. See Figure 12-26.
Figure 12-26: Administration | Certificate Management | Enrollment Request Generated Screen. [Screen text: A certificate request has been generated. SCEP Status: Installed. Links: Go to Certificate Management; Go to Certificate Enrollment; Go to Certificate Installation.]
Step 6. Click Go to Certificate Management. The M
59. expires and the IP address becomes available for reuse. Using DHCP simplifies configuration, since you do not need to know what IP addresses are considered valid on a particular network.
Figure 7-5: Configuration | System | IP Routing | DHCP Screen. [Screen text: Configure system-wide DHCP (Dynamic Host Configuration Protocol) parameters. Enabled (checked). Lease Timeout: 120 minutes. Address Pool Start: 192.168.10.2. Address Pool End: 192.168.10.128. Apply, Cancel.]

Enabled: Check the box to enable the DHCP server functions on the VPN 3002. The box is checked by default. To use DHCP address assignment, you must enable DHCP functions here.
Lease Timeout: Enter the timeout in minutes for addresses that are obtained from the DHCP server. Minimum is 5, default is 120, maximum is 500000 minutes. DHCP servers lease IP addresses to clients on the VPN 3002 private network for this period of time. The Lease Timeout period you configure applies only when the tunnel to the VPN Concentrator is established. When the tunnel is not established, the Lease Timeout period is 5 minutes.
Address Pool Start/End: Enter the range of IP addresses that the DHCP server can assign. Use dotted decimal notation. The default is 127 successive addresses, with the first address being the address immediately after that of the private interface. The maximum number of addresses you can configure is 127.
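As an added example (not Cisco's code), the following computes the default pool described above from a private interface address and mask, and checks a configured pool and lease timeout against the stated limits. The interface address 192.168.10.1/24 is an assumption chosen to reproduce the pool shown in Figure 7-5; the check also goes one step further than the text and flags a default pool that would run past the end of the private subnet.

```python
"""Check VPN 3002 private-interface DHCP settings against the limits the manual
states: a pool of at most 127 addresses (default: the 127 addresses right after
the private interface address) and a lease timeout of 5..500000 minutes
(default 120).

Added example, not Cisco code. The private interface address/mask values used
in the demo are constructed to match the manual's Figure 7-5.
"""
import ipaddress
from typing import List, Tuple

MAX_POOL_SIZE = 127
LEASE_MIN, LEASE_DEFAULT, LEASE_MAX = 5, 120, 500000


def default_pool(private_ip: str, subnet_mask: str) -> Tuple[str, str]:
    """Default pool: 127 successive addresses starting just after the private interface."""
    iface = ipaddress.ip_interface(f"{private_ip}/{subnet_mask}")
    start = iface.ip + 1
    return str(start), str(start + MAX_POOL_SIZE - 1)


def check_dhcp_settings(private_ip: str, subnet_mask: str,
                        pool_start: str, pool_end: str,
                        lease_minutes: int = LEASE_DEFAULT) -> List[str]:
    """Return the problems found; an empty list means the settings are usable."""
    problems: List[str] = []
    iface = ipaddress.ip_interface(f"{private_ip}/{subnet_mask}")
    net = iface.network
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)

    if end < start:
        problems.append("pool end precedes pool start")
    else:
        size = int(end) - int(start) + 1
        if size > MAX_POOL_SIZE:
            problems.append(f"pool holds {size} addresses; maximum is {MAX_POOL_SIZE}")
        if start <= iface.ip <= end:
            problems.append("pool includes the private interface address itself")

    # Addresses outside the private subnet are unusable by hosts on that LAN.
    # The default pool spills out when the interface sits near the top of the subnet.
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"pool {label} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"pool {label} {addr} is the network or broadcast address")

    if not LEASE_MIN <= lease_minutes <= LEASE_MAX:
        problems.append(f"lease timeout {lease_minutes} is outside {LEASE_MIN}..{LEASE_MAX} minutes")
    return problems


if __name__ == "__main__":
    # Constructed: the interface behind the screen in Figure 7-5.
    ip, mask = "192.168.10.1", "255.255.255.0"
    start, end = default_pool(ip, mask)
    print("default pool:", start, "-", end)                       # 192.168.10.2 - 192.168.10.128
    print("figure 7-5 settings:", check_dhcp_settings(ip, mask, start, end, 120) or "ok")
    # An interface high in the subnet makes the default pool overflow the /24.
    hi_start, hi_end = default_pool("192.168.10.200", mask)
    for problem in check_dhcp_settings("192.168.10.200", mask, hi_start, hi_end):
        print("problem:", problem)
```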
60. hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.520 terminology, and they echo the fields on the Administration | Certificate Management | Enrollment screen.
CN: Common Name: the name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy. For the VPN 3002 self-signed SSL certificate, the CN is the IP address on the Ethernet 1 (Private) interface at the time the certificate is generated. SSL compares this CN with the address you use to connect to the VPN 3002 via HTTPS, as part of its validation.
OU: Organizational Unit: the subgroup within the organization (O).
O: Organization: the name of the company, institution, agency, association, or other entity.
L: Locality: the city or town where the organization is located.
SP: State/Province: the state or province where the organization is located.
C: Country: the two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.

(Remaining fields on this screen: Public Key Type, Request Usage, MD5 Thumbprint, SHA1 Thumbprint, Generated.)
Public Key Type: The algorithm and size of the public key that the CA or other issuer used in generating this certificate.
Request Usage: The type of certificate: Identity or SSL.
MD5 Thumbprint: A 128-bit MD5 hash of the complete certificate contents, shown as a 16-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate's authenticity, you can check this val
61. installing the SSL certificate, click here to connect to the VPN 3002 Hardware Client using SSL. Depending on how your browser is configured, you might see a Security Information Alert dialog box.
Figure 1-21: Netscape Security Information Alert Dialog Box. [Dialog text: "You have requested a secure document. The document and any information you send back are encrypted for privacy while in transit. For more information on security choose Document Information from the View menu." Checkbox: Show This Alert Next Time.]
Step 8. Click Continue. The VPN 3002 displays the HTTPS version of the Manager login screen.
Figure 1-22: VPN 3002 Hardware Client Manager Login Screen Using HTTPS (Netscape). [Screen text: VPN 3002 Hardware Client Manager; VPN 3002 Hardware Client Login; buttons Login, Clear; Cisco Systems, Copyright 1998-2001 Cisco Systems, Inc.]
The browser maintains the HTTPS state until you close it or access an unsecured site; in the latter case you might see a Security Information Alert dialog box. Proceed to the section Logging into the VPN 3002 Hardware Client Manager to log in as usual.

Viewing Certificates with Netscape
There are at least two ways to examine certificates stored in Netscape Navigator/Communicator 4.5. First, note the locked padlo
62. keys 6-6
private interface: configuring 3-4; definition 3-1
private keys, saving in Flash memory 12-16
public interface: configuring 3-6; definition 3-1
Public Key Certificate Syntax-10. See PKCS #10
Public Key Infrastructure (PKI) 6-6, 12-16

Q
Quick Configuration 2-1

R
RC4-128 SSH encryption algorithm 8-14
RC4-40/MD5 Export SSL encryption algorithm 8-11
reboot: handling configuration files 12-6; reloads the boot configuration file 12-13; saving log file 12-5, A-1; system 12-5
re-enrolling a certificate 12-54
re-keying a certificate 12-54
remote server, configuring 6-3
renewing a DHCP lease 7-6
renewing digital certificates 12-54
requirements: browser 1-1; Internet Explorer 1-1; IPSec over TCP 6-6; JavaScript 1-2; Netscape Navigator 1-1
RFC 1650, Ethernet interface MIB objects 13-53
RFC 1907, SNMP version 2 MIB objects 13-56
RFC 2011, ARP table entries 13-51
RFC 2011, IP and ICMP MIB objects 13-45, 13-48
RFC 2012, TCP MIB objects 13-42
RFC 2013, UDP MIB objects 13-42
RFC 2459 12-50
root CA certificate 12-16
routing table, monitoring 13-2
RC4-128/MD5 SSL encryption algorithm 8-11
RSA key, SSH 8-13

S
SAVELOG.TXT file 9-4, 12-5, A-1
saving: configuration file with CLI 14-6; event log 13-5; log file on system reboot 9-4, 12-5
SCEP (Simple Certificate Enrollment Protocol): definition 12-16; enrolling an identity certificate 12-41; enrolling SSL certi
63. least costly route. For example, if this route uses a low-speed line, you might assign a high metric so the system will use it only if all high-speed routes are unavailable.

Apply / Cancel
Reminder: To apply the settings for default gateways and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen. If you configure a Default Gateway, it also appears in the Static Routes list on the Configuration | System | IP Routing | Static Routes screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing screen.

Configuration | System | IP Routing | DHCP
This screen lets you configure DHCP (Dynamic Host Configuration Protocol) server parameters that apply to DHCP server functions within the VPN 3002. The DHCP server for the private interface lets IP hosts in its network automatically obtain IP addresses from a limited pool of addresses for a fixed length of time, or lease period. Before the lease period expires, the VPN 3002 displays a message offering to renew it. If the lease is not renewed, the connection terminates when the lease
64. module on the back panel image, and click anywhere in the highlighted area. The Manager displays the appropriate Monitoring | System Status | Interface screen.

Monitoring | System Status | Private/Public Interface
This screen displays status and statistics for a VPN 3002 Ethernet interface. To configure an interface, see Configuration | Interfaces.
Figure 13-6: Monitoring | System Status | Public Interface Screen. [Screen text: Back. Interface: Public Interface; IP Address: 130.0.0.2; Status: UP; Rx Unicast 3031; Tx Unicast 3397; Rx Multicast 0; Tx Multicast 0; Rx Broadcast 0; Tx Broadcast 8. Reset.]

Reset: To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer.
Restore: To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.
Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Back: To return to
65. or sub-domain. The DNS system within the VPN 3002 automatically appends this domain name to hostnames before sending them to a DNS server for resolution.
Primary DNS Server: Enter the IP address of the primary DNS server, using dotted decimal notation; for example, 192.168.12.34. Be sure this entry is correct to avoid DNS resolution delays.
Secondary DNS Server: Enter the IP address of the secondary (first backup) DNS server, using dotted decimal notation. If the primary DNS server does not respond to a query within the Timeout Period specified below, the system queries this server.
Tertiary DNS Server: Enter the IP address of the tertiary (second backup) DNS server, using dotted decimal notation. If the secondary DNS server does not respond to a query within the Timeout Period specified below, the system queries this server.
Timeout Period: Enter the initial time in seconds to wait for a response to a DNS query before sending the query to the next server. Minimum is 1, default is 2, maximum is 30 seconds. This time doubles with each retry cycle through the list of servers.
Timeout Retries: Enter the number of times to retry sending a DNS query to the configured servers, in order. In other words, this is the number of times to cycle through the list of servers before returning an error. Minimum is 0, default is 2, max
66. out and displays the main login screen. The browser might appear to hang during a reboot; that is, you cannot log in, and you must wait for the reboot to finish. You can log back in while the VPN 3002 is in a shutdown state, before you turn power off. If a delayed reboot or shutdown is pending, the Manager also displays a message that describes when the action is scheduled to occur.

Reboot or shutdown that does not wait for sessions to terminate terminates all active sessions without warning and prevents new user sessions.

The VPN 3002 automatically saves the current event log file as SAVELOG.TXT when it reboots, and it overwrites any existing file with that name. See Configuration | System | Events | General, Administration | Config File Management, and Monitoring | Filterable Event Log for more information on the event log file.

Administration | System Reboot
Figure 12-6: Administration | System Reboot Screen. [Screen text: This section presents reboot options. After a reboot, the browser may appear to hang as the device is rebooted. Action: Reboot; Shutdown without automatic reboot; Cancel a scheduled reboot/shutdown. Configuration: Save the active configuration at time of reboot; Reboot without saving the active configuration; Reboot ignoring the configuration file. When to Reboot/Shutdown: Now; Delayed by [10] minutes; At time [01:02] (24-hour clock); Wait for sessions to terminate (d
67. software subsystem within the VPN 3002. Table 9-1 describes the event classes.

Table 9-1: Event Classes (Class Name: Cisco-specific Event Class; Class Description: Event Source)
AUTH: Authentication
AUTHDBG: Authentication debugging
AUTHDECODE: Authentication protocol decoding
AUTOUPDATE: Autoupdate subsystem
CAPI: Cryptography subsystem
CERT: Digital certificates subsystem
CONFIG: Configuration subsystem
DHCP: DHCP subsystem
DHCPDBG: DHCP debugging
DHCPDECODE: DHCP decoding
DM: Data Movement subsystem
DNS: DNS subsystem
DNSDBG: DNS debugging
DNSDECODE: DNS decoding
EVENT: Event subsystem
EVENTDBG: Event subsystem debugging
EVENTMIB: Event MIB changes
FSM: Finite State Machine subsystem (for debugging)
FTPD: FTP daemon subsystem
GENERAL: NTP subsystem and other general events
HARDWAREMON: Hardware monitoring (fans, temperature, voltages, etc.)
HTTP: HTTP subsystem
HWDIAG: Hardware diagnostics for WAN module
IKE: ISAKMP/Oakley (IKE) subsystem
IKEDBG: ISAKMP/Oakley (IKE) debugging
IKEDECODE: ISAKMP/Oakley (IKE) decoding
IP: IP router subsystem
IPDBG: IP router debugging
IPDECODE: IP packet decoding
IPSEC: IP
68. still enabled, the Manager returns to the main login screen. If both HTTP and HTTPS are disabled, you can no longer use the Manager, and you will have to gain access through the console or other configured connection.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.

Configuration | System | Management Protocols | Telnet
Figure 8-3: Configuration | System | Management Protocols Screen. [Screen text: This section lets you configure built-in management protocol servers. In the left frame, or in the list of links below, click the function you want. HTTP/HTTPS: Hypertext Transfer Protocol / Secure. Telnet: terminal emulation protocol. SNMP: Simple Network Management Protocol. SNMP Community Strings: identifiers for valid SNMP clients. SSL: Secure Sockets Layer, used with HTTPS. SSH: Secure Shell, a secure Telnet-like protocol.]

This screen lets you configure and enable the VPN 3002 Telnet terminal emulation server, and Telnet over SSL (Secure Sockets Layer) protocol. When the server is enabled, you can use a Telnet client to communicate with the VPN 300
69. that allows you to generate an enrollment request based on the content of an existing certificate. When you renew a certificate via SCEP, the new certificate does not automatically overwrite the original certificate. It remains in the Enrollment Request table until the administrator manually activates it. For more information on activating certificates, see the Administration | Certificate Management | Activate or Re-Submit | Status section.

Use this screen to re-enroll or re-key a certificate. If you re-enroll the certificate, the new certificate uses the same key pair as the expiring certificate. If you re-key the certificate, it uses a new key pair.
Figure 12-49: Administration | Certificate Management | Renewal. [Screen text: This section allows you to re-enroll or re-key a certificate so that the VPN 3002 Hardware Client updates its certificate. The certificate request can be sent to a CA, which in turn sends back a certificate. Please wait for the operation to finish. Certificate: SSL Certificate. Renewal Type: Re-enrollment / Re-key (select the type of renewal; a re-enrollment uses the same key for the certificate, a re-key generates a new key for the certificate). Enrollment Method: PKCS10 Request (Manual) (select the renewal method for this certificate). Challenge Password / Verify Challenge Password (enter and verify the challenge password for this certificate request). Renew, Cancel.]
70. the Monitoring | System Status screen, click Back.
Interface: The VPN 3002 Ethernet interface number: Private interface or Public interface.
IP Address: The IP address configured on this interface.
Status: The operational status of this interface.
UP, UP/DHCP, UP/PPPoE: Configured and enabled; ready to pass data traffic.
Waiting for DHCP/PPPoE: Configured and enabled; waiting for negotiations to complete.
Disabled: Configured but disabled.
DOWN, DOWN/DHCP, DOWN/PPPoE: Configured but
Testing: In test mode; no regular data traffic can pass.
Dormant: Configured and enabled, but waiting for an external action, such as an incoming connection.
Not Present: Missing hardware components.
Lower Layer Down: Not operational because a lower-layer interface is down.
Unknown: Not configured.

Rx Unicast: The number of unicast packets that were received by this interface since the VPN 3002 was last booted or reset. Unicast packets are those addressed to a single host.
Tx Unicast: The number of unicast packets that were routed to this interface for transmission since the VPN 3002 was last booted or reset, including those that were discarded or not sent. Unicast packets are those addressed to a single host.
Rx Multicast: The number of multicast packe
71. the left frame, or in the list of links below, click the function you want. Traffic Management: Port Address Translation.]

Traffic Management: To enable or disable PAT, click Traffic Management.

Configuration | Policy Management | Traffic Management
The Manager displays the Configuration | Policy Management | Traffic Management screen.
Figure 11-2: Configuration | Policy Management | Traffic Management Screen. [Screen text: This section lets you configure functions and parameters that manage data traffic. In the left frame, or in the list of links below, click the function you want. PAT: configure Port Address Translation.]

PAT: To configure PAT (Port Address Translation), click PAT.

Configuration | Policy Management | Traffic Management | PAT
The Configuration | Policy Management | Traffic Management | PAT screen displays.
Figure 11-3: Configuration | Policy Management | Traffic Management | PAT Screen. [Screen text: This section of the Manager lets you configure PAT (Port Address Translation). In the left frame, or in the list of links below, click the function you want. Enable: enable PAT.]

PAT mode provides many-to-one translation; that is, it translates many private network addresses to the single address configured on the public netwo
72. the maximum length of text strings is 48 characters.
Filenames: Filenames on the VPN 3002 follow the DOS 8.3 naming convention: a maximum of eight characters for the name, plus a maximum of three characters for an extension. For example, LOG00007.TXT is a legitimate filename. The VPN 3002 always stores filenames in uppercase.
Port Numbers: Port numbers use decimal numbers from 0 to 65535. Commas and spaces are not permitted.

Obtaining Documentation
The following sections provide sources for obtaining documentation from Cisco Systems.
World Wide Web: You can access the most current Cisco documentation on the World Wide Web at the following sites: http://www.cisco.com, http://www-china.cisco.com, http://www-europe.cisco.com.
Documentation CD-ROM: Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Ordering Documentation: Cisco documentation is available in the following ways: Registered Cisco Direct Customers can order Cisco Product documentation from the Networking Products MarketPlace: http://www.cisco.com/cgi-bin/order/order_root.pl. Registered Cisco.com users c
73. the requested certificate has not yet been installed. This value is used only for PKCS10 (manual) enrollment requests. Polling: The CA did not immediately fulfill the enrollment request; the VPN 3002 has entered polling mode. This value is used only for enrollment requests created using SCEP. Timedout: The SCEP polling cycle has ended after reaching the configured maximum number of retries. This value is used only for enrollment requests created using SCEP. Rejected: The CA refused to issue the certificate. This value is used only for enrollment requests created using SCEP. Cancelled: The certificate request was cancelled while the VPN 3002 was in polling mode. Complete: The CA has fulfilled the renewal request. To bring this new certificate into service, click Activate. Error: An error occurred during the enrollment process; enrollment was stopped. Submitting: The certificate request is being sent to the CA.

Actions. This column allows you to manage enrollment requests. The actions available vary with the type and status of the enrollment request. View: View details of this enrollment request. Install: Install the enrollment request. This action is available only for PKCS10 (manual) enrollment requests. Cancel: Cancel a request that is pending. This action is available only for SCEP enrollment requests with Polling status. Re-submit: Re-initiate SCEP communications with the CA or RA
74. using the previously entered request information. This action is available only for SCEP enrollment requests. Activate: Bring this certificate into service. Delete: Delete an enrollment request from the VPN 3002.

Administration | Certificate Management | Enroll. Choose whether you are creating an enrollment request for an identity certificate or an SSL certificate. Figure 12-35: Administration | Certificate Management | Enroll Screen. Screen text: This section allows you to create an SSL or identity certificate request. The identity certificate request allows the VPN 3002 Hardware Client to be enrolled into the PKI. The certificate request can be sent to a CA, which will issue a certificate. The CA's certificate must be installed as a Certificate Authority before installing the certificate you requested. Choose the type of certificate request to create: Identity certificate; SSL certificate. << Go back to Certificate Management.

Identity Certificate. Click Identity Certificate to create a certificate request for an identity certificate. The Manager displays the Administration | Certificate Management | Enroll | Identity Certificate screen.

SSL Certificate. Click SSL Certificate to create a certificate request for an SSL certificate. The Manager displays the Administratio
75. 002 has a previously configured backup server list, it can connect to the servers on that list. It can download a backup server list only from the primary VPN Concentrator; the VPN 3002 cannot download a backup server list from a backup server. The VPN Concentrators that you configure as backup servers do not have to be aware of each other. If you change the configuration of backup servers, or delete a backup server, during an active session between a VPN 3002 and a backup server, the session continues without adopting that change. New settings take effect the next time the VPN 3002 connects to its primary VPN Concentrator. You can configure the backup server feature from the primary VPN Concentrator or the VPN 3002. From the VPN Concentrator, configure backup servers on either of the Configuration | User Management | Base Group or Groups | Mode Configuration screens. On the VPN 3002, configure backup servers on the Configuration | System | Tunneling Protocols | IPSec screen. The list you configure on the VPN 3002 applies only if the option Use Client Configured List is set in the IPSec Backup Servers parameter. To set this option, go to the Mode Configuration tab on the Configuration | User Management | Groups | Add/Modify screen of the primary VPN Concentrator to which the VPN 3002 connects. The group name, username, and passwords that you configure for the VPN 3002 must be identical for the primary VPN Concentrator and all
76. 02. Administrators: configure administrator usernames, passwords, and rights. Access Settings: set administrative session timeout and limits. Figure 12-10: Administration | Access Rights Screen. Screen text: This section of the Manager lets you configure administrative access to the VPN 3002 Hardware Client. In the left frame or in the list of links below, click the function you want: Administrators, administrators, passwords and access rights; Access Settings, session timeout and limits.

Administration | Access Rights | Administrators. Administrators are special users who can access and change the configuration, administration, and monitoring functions on the VPN 3002. Only administrators can use the VPN 3002 Hardware Client Manager. This section of the Manager lets you change administrator properties and rights. Any changes take effect as soon as you click Apply. Figure 12-11: Administration | Access Rights | Administrators Screen. Screen text: This section presents administrator users. Any changes you make take effect immediately. The table lists each administrator (admin, config, and a third administrator whose name is illegible in the scan) with Enabled, Password, and Verify fields (passwords display only as masked characters), followed by Apply and Cancel buttons.

Administration | Access Rights | Administrators. Administrator: The
77. 1-4: Internet Explorer Certificate Dialog Box. Dialog text: Certificate. General, Details, Certification Path. Certificate Information: This CA Root certificate is not trusted. To enable trust, install this certificate into the Trusted Root Certification Authorities store. Issued to: 100.200.147.2. Issued by: 100.200.147.2. Valid from 4/21/00 to 4/21/03.

4. Click Install Certificate. The browser starts a wizard to install the certificate. The certificate store is where such certificates are stored in Internet Explorer.

Chapter 1, Using the VPN 3002 Hardware Client Manager: Installing the SSL Certificate in Your Browser. Figure 1-5: Internet Explorer Certificate Manager Import Wizard Dialog Box. Dialog text: Certificate Manager Import Wizard. Welcome to the Certificate Manager Import Wizard. This wizard helps to copy certificates, certificate trust lists, and certificate revocation lists from your disk to the certificate store. What is a certificate? A certificate is a confirmation of your identity issued by a certification authority. Certificates contain information used to protect data or to establish secure network connections. What is a certificate store? A certificate store is a system area where certificates, certificate trust lists, and certificate revocation lists are stored. Click Next to continue or Cancel to exit.

5. Click Nex
78. 10 backup server addresses/host names, from high priority to low. Enter each backup server address/host name on a single line. IPSec over TCP: Check to enable IPSec over TCP. IPSec over TCP Port: Enter the IPSec over TCP port (1-65535). Use Certificate: Check to use the installed certificate. Certificate Transmission: Choose how to send the digital certificate to the server: Entire certificate chain, or Identity certificate only. Name, Password, Verify; Group: 3002Group; User: 3002user. Apply, Cancel.

Step 2: Check the Use Certificate check box.

Step 3: Select a Certificate Transmission option. If you want the VPN 3002 to send the peer the identity certificate and all issuing certificates (including the root certificate and any subordinate CA certificates), click Entire certificate chain. If you want to send the peer only the identity certificate, click Identity certificate only.

Step 4: Click Apply. The Manager returns to the Configuration | System | Tunneling Protocols screen.

Step 5: Click the Save Needed icon.

Chapter 12, Administration: Certificate Management. Deleting Digital Certificates. Delete digital certificates in the following order: 1. Identity or SSL certificates. 2. Subordinate certificates. 3. Root certificates. Note: You cannot delete a certificate if it is in use by an SA, if it is the issuer of another installed certifi
79. 16; deleting, 12-30, 12-57; enabling on the VPN 3002, 12-29; enrolling, 12-16, 12-22, 12-24, 12-37; expiration, 12-17; fields, 12-51; generating SSL, 12-33; identity, 12-16, 12-32; installing, 12-16, 12-22, 12-24, 12-45; installing automatically via SCEP, 12-17; installing manually, 12-19; IPSec LAN-to-LAN, 6-6; managing, 12-16; PKCS #10 request, 12-40; renewal, 12-54; root, 12-16; saving in Flash memory, 12-16; SCEP-enabled, 12-17; SSL, 1-3, 12-16; troubleshooting, 12-17; viewing and managing on VPN 3002, 12-31; viewing details, 12-50; X.509, 12-16.
disabling the public interface, 3-6.
display (PC monitor), recommended settings, 1-2.
DNS: backup server, configuring, 6-4; servers, configuring, 5-1; statistics, 13-27.
documentation: additional, xi; cautions, xii; conventions, xv; notes, xii; obtaining, xiii.
Domain Name Servers, see DNS.
downloading: backup server list from a VPN Concentrator, 6-5; event log to PC, 13-5.
Dynamic Host Configuration Protocol, see DHCP.
encryption algorithms: SSH, 8-14; SSL, 8-11.
enrolling: certificates, 12-37; digital certificates, 12-16; identity certificates, 12-20; identity certificate via SCEP, 12-41.
trap destinations, configuring, 9-12.
event log: clear (erase), 13-5; definition, 9-4; download to PC, 13-5; format, 9-6, 13-5; get, 13-5.
enrollment request: cancelling, 12-60; creating, 12-37; deleting, 12-61; PKCS #10, 12-24, 12-40; removing according to status, 12-35; status table, 12-35; time limit, 12-17; viewing details, 12
80. 1893-01, Chapter 13 Monitoring: Monitoring | Statistics | MIB-II | IP. Outbound Packets with No Route: The number of outbound IP data packets discarded because no route could be found to transmit them to their destination. This number includes any packets that the VPN 3002 could not route because all of its default routers were down. Packets Transmitted (Requests): The number of IP data packets that local IP user protocols (including ICMP) supplied to transmission requests. This number does not include any packets counted in Packets Forwarded. Fragments Needing Reassembly: The number of IP fragments received by the VPN 3002 that needed to be reassembled. Reassembly Successes: The number of IP data packets successfully reassembled. Reassembly Failures: The number of failures detected by the IP reassembly algorithm, for whatever reason (timed out, errors, etc.). This number is not necessarily a count of discarded IP fragments, since some algorithms can lose track of the number of fragments by combining them as they are received. Fragmentation Successes: The number of IP data packets that have been successfully fragmented by the VPN 3002. Fragmentation Failures: The number of IP data packets that have been discarded because they needed to be fragmented but could not be, because the Don't Fragment flag was set. Fragments Created: The number of IP data packet fragments that have been generated by the VPN 3002.
81. 2. You can fully manage and administer the VPN 3002 using the Cisco Command Line Interface (CLI) via Telnet. Telnet server login usernames and passwords are the same as those enabled and configured on the Administration | Access Rights | Administrators screens. Telnet/SSL uses a secure, encrypted connection. This is enabled by default for Telnet/SSL clients. See the Configuration | System | Management Protocols | SSL screen to configure SSL parameters. See the Administration | Certificate Management | Certificates screen to manage the SSL digital certificate. Figure 8-4: Configuration | System | Management Protocols | Telnet Screen. Screen text: Configure the Telnet server. Enable Telnet (checked): Disabling will provide additional security. Enable Telnet/SSL (checked): Telnet/SSL uses SSL encryption to provide security. Telnet Port: 23. The default port is 23. Changing the port will provide additional security. Telnet/SSL Port: 992. The default port is 992. Changing the port will provide additional security. Maximum Connections: 5. Enter the maximum number of concurrent connections. Apply, Cancel.

Enable Telnet. Check the box to enable the Telnet server. The box is checked by default. Disabling the Telnet server provides additional security, but doing so prevents using the Cisco CLI via Telnet.

Chapter 8, Management Protocols: Configuration | System | Management Protocols | Telnet.
82. 2 since it was last booted or reset. These statistics conform to the IETF draft for the IPSec Flow Monitoring MIB. Figure 13-9: Monitoring | Statistics | IPSec Screen (Reset, Refresh). The figure shows two columns of counters, reconstructed here from the interleaved scan.
IPSec (Phase 2) Statistics: Active Tunnels, 1; Total Tunnels, 4; Received Bytes, 6536; Sent Bytes, 2104; Received Packets, 44; Sent Packets, 13; Received Packets Dropped, 0; Received Packets Dropped (Anti-Replay), 0; Sent Packets Dropped, 0; Inbound Authentications, 44; Failed Inbound Authentications, 0; Outbound Authentications, 13; Failed Outbound Authentications, 0; Decryptions, 44; Failed Decryptions, 0; Encryptions, 13; Failed Encryptions, 0; System Capability Failures, 0; No-SA Failures, 0; Protocol Use Failures, 0.
IKE (Phase 1) Statistics: Active Tunnels, (illegible); Total Tunnels, 2; Received Bytes, 61358; Sent Bytes, 7980; Received Packets, 775; Sent Packets, 83; Received Packets Dropped, (illegible); Sent Packets Dropped, 0; Received Notifies, 755; Sent Notifies, 132; Received Phase-2 Exchanges, 4; Sent Phase-2 Exchanges, 0; Invalid Phase-2 Exchanges Received, 0; Invalid Phase-2 Exchanges Sent, 0; Rejected Received Phase-2 Exchanges, 0; Rejected Sent Phase-2 Exchanges, 0; Phase-2 SA Delete Requests Received, 0; Phase-2 SA Delete Requests Sent, 3; Initiated Tunnels, 0; Failed Initiated Tunnels, 0; Failed Remote Tunnels, 0; Authentication Failures, 0; Decryption Failures, 0; Hash Validation Failures, (illegible); System Capability Failures
83. Figure residue (ARP table screen): each row lists the interface number (2 or 3), the physical (MAC) address, the IP address (entries in the 161.44.246.x and 161.44.46.x ranges, plus the broadcast entry FF-FF-FF-FF-FF-FF), the mapping type (Static or Dynamic), and a Delete action; the individual rows are not legible in this extraction.

Refresh. To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
84. 3 Monitoring: Monitoring | Statistics | MIB-II | TCP/UDP. TCP Established Resets: The number of established TCP connections that abruptly closed, bypassing graceful termination. TCP Current Established: The number of TCP connections that are currently established or are gracefully terminating. UDP Datagrams Received: The total number of UDP datagrams received. Datagram is the official UDP name for what is casually called a data packet. UDP Datagrams Transmitted: The total number of UDP datagrams sent. UDP Errored Datagrams: The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port (UDP No Port). UDP No Port: The total number of received UDP datagrams that could not be delivered because there was no application at the destination port.

Monitoring | Statistics | MIB-II (Reset, Restore, Refresh). Monitoring | Statistics | MIB-II | IP. This screen shows statistics in MIB-II objects for IP traffic on the VPN 3002 since it was last booted or reset. RFC 2011 defines IP MIB objects. Figure 13-21: Monitoring | Stati
85. 4 Using the Command Line Interface. Note: As a shortcut, you can just enter 2.4.1.1 at the Main -> prompt and move directly to the Modify Administrators menu.

1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit

Main -> 2.4.1.1 ->
Which Administrator to Modify
Admin ->

At this last prompt you cannot use a number shortcut. At this prompt you must type in the name of the administrator you want to modify, for example, config:

Admin -> config

The prompt always shows the current context in the menu structure.

Using Back and Home. Most menus include a numbered Back choice. Instead of entering a number, you can just enter b or B to move back to the previous menu. Also, at any menu level, you can just enter h or H to move home to the main menu.

Getting Help Information. To display a brief help message, enter 5 at the main menu prompt. The command line interface explains how to navigate through menus and enter values. This help message is available only at the main menu.

Cisco Systems. Help information for the Command Line Interface
From any menu except the Main menu:
-- 'B' or 'b' for Back to previous menu.
-- 'H' or 'h' for Home back to the main menu.
For Data entry:
-- Current values are in '[ ]'s.
-- Just hit 'Enter' to accept value.
1) View Help Again
2) Back
86. 8 74. Generated: 03/07/2001 11:44:00. Enrollment Type: Initial. Enrollment Method: SCEP. Enrollment Status: Polling (1 attempts). Are you sure you want to cancel this enrollment request?

Chapter 12, Administration: Administration | Certificate Management | Delete Enrollment Request.

Fields. For a description of the fields in this enrollment request, see the Enrollment Request Fields section on page 12-59.

Yes / No. To cancel this enrollment request, click Yes. Note: There is no undo. The Manager returns to the Administration | Certificate Management screen. To retain this enrollment request, click No. The Manager returns to the Administration | Certificate Management screen, and the enrollment requests are unchanged.

Administration | Certificate Management | Delete Enrollment Request. This screen shows you details of the enrollment request and allows you to delete it. Deleting an enrollment request removes it from the Enrollment Request table on the Administration | Certificate Management page and destroys all record of it. Figure 12-53: Administration | Certificate Management | Delete Enrollment Request. Screen text: Subject: CN=Snoopy, OU=(illegible), O=Cisco, L=Franklin, SP=MA, C=US. Public Key Type: RSA, 512 bits. Request Usage: Identity. MD5 Thumbprint: 20 32 24 83 46 D2 CE 1C E9 C01 27 32 98 86 50 06 (as printed in the figure; one octet is illegible). Generated: (month illegible)/21/2001 17:25:56. Enrollment Type: I
87. ANTED. 114 01/26/2001 13:29:12.760 SEV=4 AUTH/21 RPT=6 User admin connected. 115 01/26/2001 13:29:12.760 SEV=4 HTTP/4 RPT=2 10.10.98.10 New administrator login: admin. Buttons: Pause Display, Clear Display, Restart. Warning: This session will not time out. Pause Display / Resume Display, Clear Display, Restart, Timer. Monitoring | Live Event Log.

To pause the display, click Pause Display. While paused, the screen does not display new events, the button changes to Resume Display, and the timer counts down to 0 and stops. You can still scroll through the event log. Click the button to resume the display of new events and restart the timer. To clear the event display, click Clear Display. This action does not clear the event log, only the display of events on this screen. To clear the event display and reload the entire event log in the display, click Restart. The timer counts 5-4-3-2-1 to show where it is in the 5-second refresh cycle. A momentary Rx indicates receipt of new events. A steady 0 indicates the display has been paused.

Chapter 13, Monitoring: Monitoring | System Status. This screen shows the status of several software and hardware variables at the time the screen displays. From this screen you can also display the status of the IPSec tunnel SAs, tunnel duration, plus front and rear panel displays of
88. C4 encryption with a 128-bit key. This option provides adequate security and performance. DES-56: DES encryption with a 56-bit key. This option is least secure but provides the greatest export flexibility. No Encryption: Connect without encryption. This option provides no security and is for testing purposes only. It is not checked by default.

Chapter 8, Management Protocols: Configuration | System | Management Protocols | SSH. Apply / Cancel. Reminder: To apply your SSH settings and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.

Figure 8-15: Configuration | System | Management Protocols Screen. Screen text: This section lets you configure built-in management protocol servers. In the left frame or in the list of links below, click the function you want: HTTP/HTTPS, Hypertext Transfer Protocol (Secure); Telnet, terminal emulation protocol; SNMP, Simple Network Management Protocol; SNMP Community Strings, identifiers for valid SNMP clients; SSL, Secure Sockets Layer (used with HTTPS); SSH, Secure
89. CEP, or if you do not have network connectivity to your CA, then you cannot use the automatic method; you must use the manual method. The manual method involves more steps. You can do some of the steps using the Manager. Other steps require that you exchange information with the CA directly. You deliver your enrollment request and receive the certificate from the CA via the Internet, email, or a floppy disk. Whether you use the automatic or manual method, you follow the same overall certificate management procedure: Install one or more CA certificates. Enroll and install identity and SSL certificates. Enable digital certificates on the VPN 3002.

Chapter 12, Administration: Certificate Management. If you have trouble enrolling or installing digital certificates via SCEP, enable both the CLIENT and CERT event classes to assist in troubleshooting. Digital certificates indicate the time frame during which they are valid. Therefore, it is essential that the time on the VPN 3002 is correct and synchronized with network time. See Configuration | System | Servers | NTP and Configuration | System | General | Time and Date. You must complete the enrollment and certificate installation process within one week of generating the request. If you do not, the pending request is deleted.

Installing CA Certificates Automatically Using SCEP. If you plan to use SCEP to enroll for identity or SS
90. Certificate | SCEP Screen. Screen text: Enter the information to be included in the certificate request. Please wait for the operation to finish. Common Name (CN): Enter the common name for the VPN 3002 Hardware Client to be used in this PKI. Organizational Unit (OU): Enter the department. Organization (O): Enter the Organization or company. Locality (L): Enter the city or town. State/Province (SP): Enter the State or Province. Country (C): Enter the two-letter country abbreviation (e.g. United States = US). Subject Alternative Name (FQDN): Enter the Fully Qualified Domain Name for the VPN 3002 Hardware Client to be used in this PKI. Subject Alternative Name (E-Mail Address): Enter the E-Mail Address for the VPN 3002 Hardware Client to be used in this PKI. Challenge Password / Verify Challenge Password: Enter and verify the challenge password for this certificate request. Key Size: RSA 512 bits. Select the key size for the generated RSA key pair. Enroll, Cancel.

Fields. For an explanation of each of the fields on this screen, see Table 12-1 on page 12-20.

Chapter 12, Administration: Administration | Certificate Management | Enroll | SSL Certificate | SCEP. Enroll / Cancel. To generate the certificate request and install the identity certificate on the VPN 3002, click Enroll. The Manager displays the Administration | Certificate Management | E
91. Certificate Management | Enrollment or Renewal Request Generated. Administration | Certificate Management | Enrollment or Renewal Request Generated. The Manager displays this screen when the system has successfully generated a certificate request. The request is a Base-64 encoded file in PKCS-10 format (Public Key Certificate Syntax-10), which most CAs recognize or require. The system automatically saves this file in Flash memory with the filename shown in the screen (pkcsNNNN.txt). You can select and copy the request to the clipboard, or you can save it as a file on your PC or a network host. Some CAs let you paste the request in a web interface; some ask you to send a file; use the method your CA requires. In generating the request, the system also generates the private key used in the PKI process. That key remains on the VPN 3002, and it is not visible. Note: You must complete the enrollment and certificate installation process within one week of generating the request. Figure 12-38: Administration | Certificate Management | Enrollment Request Generated Screen. Screen text: A certificate request has been generated. The request is shown below. Copy and paste the certificate request to the CA's management interface to generate the certificate. (The Base-64 encoded PKCS-10 request text that follows in the figure is not legible in this extraction.)
92. Cisco Systems. Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA. http://www.cisco.com. Tel: 408 526-4000, 800 553-NETS (6387). Fax: 408 526-4100. Text Part Number: OL-1893-01.

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURP
93. Cisco web site, click the Support icon on the toolbar at the top of the VPN Concentrator Manager, Hardware Client Manager, or Client window. To open the documentation, you need Acrobat Reader 3.0 or later; version 4.5 is included on the Cisco VPN 3000 Concentrator software distribution CD-ROM and on the VPN Client software distribution CD-ROM.

Other References. Other useful references include: Cisco Systems, Dictionary of Internetworking Terms and Acronyms, Cisco Press, 2001. Virtual Private Networking: An Overview, Microsoft Corporation, 1999 (available from the Microsoft website). www.ietf.org, for Internet Engineering Task Force (IETF) Working Group drafts on IP Security Protocol (IPSec). www.whatis.com, a web reference site with definitions for computer, networking, and data communication terms.

Documentation conventions. This document uses the following conventions. Convention / Description: boldface font: Commands and keywords are in boldface. italic font: Arguments for which you supply values are in italics. screen font: Terminal sessions and information the system displays are in screen font. boldface screen font: Information you must enter is in boldface screen font. ^ (caret): The symbol ^ represents the key labeled Control; for example, the key combination ^D in a screen display means hold down the Control key while you press the D key. Notes use the following conventions
94. End: Pool Start 10.10.99.91, Pool End 10.10.99.(illegible). Leased IP Address, Time Left, MAC Address, Host Name: 10.10.99.91, 1:36:40, 00-01-03-CF-9E-79, mkrupp-w2k1.

Reset. To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer.

Restore. To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh. To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Active Leases. The number of DHCP leases currently active.

Maximum Active Leases. The maximum number of DHCP leases simultaneously active at any one time.

Chapter 13, Monitoring: Monitoring | Statistics | DHCP. Timeouts: The number of DHCP queries that failed because there was no response from the server. Pool Start: The IP address at the start of the DHCP IP address pool. Pool End: The IP address at the end of the DHCP IP address pool. Leased IP Address: The IP address leased from the DHCP server by the remote client. Time Left: The time re
95. Generate. This table shows the SSL server certificate installed on the VPN 3002. The system can have only one SSL server certificate installed, either a self-signed certificate or one issued in a PKI context. To generate a self-signed SSL server certificate, click Generate. The system uses parameters set on the Configuration | System | Management Protocols | SSL screen and generates the certificate. The new certificate replaces any existing SSL certificate. For a description of the fields in this table, see the Certificate Authorities Table section on page 12-32.

Chapter 12, Administration: Administration | Certificate Management. Fields. These fields appear in the Certificate Authorities, Identity Certificates, or SSL Certificate tables. Field / Content: Subject, Issuer: The Common Name (CN) or Organizational Unit (OU), if present, plus the Organization (O) in the Subject and Issuer fields of the certificate. The format is CN at O, OU at O, or just O; for example, Root 2 at CyberTrust. The CN, OU, and O fields display a maximum of 33 characters each. See Administration | Certificate Management | Certificates | View. Expiration: The expiration date of the certificate. The date format is MM/DD/YYYY. SCEP Issuer: In order for a certificate to be available for SCEP enrollment, it must be installed via SCEP. This field indicates if the certificate is SCEP-enabled.
96. Chapter 6, Tunneling: Configuration | System | Tunneling Protocols | IPSec. Password: In the Group Password field, enter a unique password for this group. This is the group password configured on the VPN Concentrator to which this VPN 3002 connects. Minimum is 4, maximum is 32 characters, case-sensitive. The field displays only asterisks. Verify: In the Group Verify field, re-enter the group password to verify it. The field displays only asterisks.

User. You must also enter a username and password, and they must match the username and password configured on the central-site VPN Concentrator to which this VPN 3002 connects. Name: In the User Name field, enter a unique name for the user in this group. Maximum is 32 characters, case-sensitive. This is the username configured on the central-site VPN Concentrator to which this VPN 3002 connects. Password: In the User Password field, enter the password for this user. This is the user password configured on the central-site VPN Concentrator to which this VPN 3002 connects. Minimum is 4, maximum is 32 characters, case-sensitive. Verify: In the User Verify field, re-enter the user password to verify it. The field displays only asterisks.
97. CHAPTER 10: General
General configuration parameters include VPN 3002 environment items: system identification, and time and date.
Configuration | System | General
This section of the Manager lets you configure general VPN 3002 parameters:
- Identification: system name, contact person, system location.
- Time and Date: system time and date.
Figure 10-1: Configuration | System | General Screen
[Screen text] This section lets you configure general VPN 3002 Hardware Client options. In the left frame, or in the list of links below, click the option you want:
- Identification: system name, contact, location
- Time and Date: device time and date
Configuration | System | General | Identification
This screen lets you configure system identification parameters that are stored in the standard MIB-II system object. Network management systems using SNMP can retrieve this object and identify the system. Configuring this information is optional.
Figure 10-2: Configuration | System | General | Identification Screen
[Screen text] Configure system identification (optional). These entries are stored in the MIB-II system object.
System Name: Enter a system name for the device, e.g. vpn01.
Contact: Enter the name of the contact person
98. [...]L certificates, you must obtain the associated CA certificate using SCEP. The Manager does not let you enroll for a certificate from a CA unless that CA was installed using SCEP. A certificate that is obtained via SCEP, and is therefore capable of issuing other SCEP certificates, is called SCEP-enabled.
Tip: In order to obtain CA certificates using SCEP, you need to know the URL of your CA. Find out your CA's URL before beginning the following steps.
Step 1: Using the VPN 3002 Hardware Client Manager, display the Administration | Certificate Management screen. See Figure 12-19.
Figure 12-19: Administration | Certificate Management Screen
[Screen text] Refresh. This section lets you view and manage certificates on the VPN 3002 Hardware Client. Installation of a CA certificate is required before identity and SSL certificates can be installed.
- Click here to install a CA certificate
- Click here to enroll with a Certificate Authority
- Click here to install a certificate
Certificate Authorities (current: 0, maximum: 6). Columns: Subject | Issuer | Expiration | SCEP Issuer | Actions. No Certificate Authorities.
Identity Certificates (current: 0, maximum: 1). Columns: Subject | Issuer | Expiration | Actions. No Identity Certificates.
SSL Certificate (Generate). Note: The public key in the SSL certificate is also used for the SSH host key.
Columns: Subject | Issuer | Expiration | Actions. Row: 10.10.99.90 at Cisco Systems, Inc. | 10.10.99.90 at Cisco Systems, Inc. | 09/27/2004 | View, Renew, Delete
Enrollmen
99. Administration | Certificate Management | Install | Certificate Type
Choose the method you want to use to install the certificate.
Figure 12-43: Administration | Certificate Management | Install CA Certificate Screen
[Screen text] Choose the method of installation:
- SCEP (Simple Certificate Enrollment Protocol)
- Cut & Paste Text
- Upload File from Workstation
<< Go back and choose a different type of certificate
SCEP (Simple Certificate Enrollment Protocol)
Note: This option is available only for CA certificates.
If you want to install the CA certificate automatically using SCEP, click SCEP (Simple Certificate Enrollment Protocol). The Manager displays the Administration | Certificate Management | Install CA Certificate | SCEP screen. See Figure 12-44.
Cut & Paste Text
If you want to cut and paste the certificate using a browser window, click Cut & Paste Text. The Manager displays the Administration | Certificate Management | Install Certificate Type | Cut & Paste Text screen. See Figure 12-45.
Upload File from Workstation
If your CA certificate is stored in a file, click Upload File from Workstation. The Manager displays the Administration | Certificate Management | Install Certificate Type | Upload File from Workstation screen. See Figure 12-46.
<< Go back and choose a different type of certificate
If you do not want to install a CA certificate, click << Go back and choose a different type of certi
100. Administration | Certificate Management | Install | Certificate Type | Cut and Paste Text
To install the certificate using the manual method, cut and paste the certificate text into the Certificate Text window.
Figure 12-45: Administration | Certificate Management | Install CA Certificate | Cut and Paste Text Screen
[Screen text] Paste the CA certificate text into the box below. Certificate Text. Install / Cancel.
Certificate Text: Paste the PEM or base-64 encoded certificate text from the clipboard into this window. If you are installing an SSL certificate with a private key, include the encrypted private key.
Password: Enter a password for decrypting the private key. Note: This field appears only if you are installing an SSL certificate with a private key.
Install / Cancel: To install the certificate on the VPN 3002, click Install. To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen. See Figure 12-19.
Administration | Certificate Management | Install | Certificate Type | Upload File from Workstation
If you want to install a certificate stored on your PC, use this sc
101. Chapter 1, Using the VPN 3002 Hardware Client Manager: Installing the SSL Certificate in Your Browser
Reinstallation
You need to install the SSL certificate from a given VPN 3002 only once. If you try to reinstall it, Netscape displays the note in Figure 1-14. Click OK and just connect to the VPN 3002 using SSL; see Step 7 in this section.
Figure 1-14: Netscape Reinstallation Note
[Dialog text] The Certificate that you are trying to download already exists in your database.
First-time Installation
The instructions below follow from Step 2 in Installing the SSL Certificate in Your Browser and describe first-time certificate installation. A few seconds after the VPN 3002 Hardware Client Manager SSL screen appears, Netscape displays a New Certificate Authority screen.
Figure 1-15: Netscape New Certificate Authority Screen 1
[Dialog text] New Certificate Authority. You are about to go through the process of accepting a Certificate Authority. This has serious implications on the security of future encryptions using Netscape. This assistant will help you decide whether or not you wish to accept this Certificate Authority. Next > / Cancel
1. Click Next > to proceed. Netscape displays the next New Certificate Authority screen, which further explains the process.
102. [...]Manager returns to the Configuration | Policy Management | Traffic Management | PAT screen.
CHAPTER 12: Administration
Administering the VPN 3002 involves activities that keep the system operational and secure. Configuring the system sets the parameters that govern its use and functionality as a VPN device, but administration involves higher-level activities such as who is allowed to configure the system and what software runs on it.
Administration
This section of the Manager lets you control administrative functions on the VPN 3002:
- Software Update: upload and update the VPN 3002 software image.
- System Reboot: set options for VPN 3002 shutdown and reboot.
- Ping: use ICMP ping to determine connectivity.
- Access Rights: configure administrator profiles, access, and sessions.
  - Administrators: configure administrator usernames, passwords, and rights.
  - Access Settings: set administrative session idle timeout and limits.
- Config File Management: manage configuration files.
  - View Configuration Files: view the configuration file currently on the VPN 3002.
  - Swap Configuration Files: swap backup and boot configuration files.
  - Upload Configuration Files: upload a new configuration file to the VPN 3002.
- Certificate Management: i
103. Monitoring | Live Event Log
This screen shows events in the current event log and automatically updates the display every 5 seconds. The events might take a few seconds to load when you first open the screen.
Note for Netscape users: The live event log requires Netscape version 4.5 or higher. It does not run on other versions of Netscape.
The screen always displays the most recent event at the bottom. Use the scroll bar to view earlier events. To filter and display events by various criteria, see the Monitoring | Filterable Event Log section above.
Note: If you keep this Manager screen open, your administrative session does not time out. Each automatic screen update resets the inactivity timer. See Session Idle Timeout on the Administration | Access Rights | Access Settings screen.
Figure 13-4: Monitoring | Live Event Log Screen
[Screen text]
108 01/26/2001 13:28:37.210 SEV=4 IKE/49 RPT=4 130.0.0.1 Group [130.0.0.1] Security negotiation complete for peer (130.0.0.1) Initiator, Inbound SPI = 0x3ba95493, Outbound SPI = 0x06a24120
111 01/26/2001 13:28:37.240 SEV=4 IKE/120 RPT=4 130.0.0.1 Group [130.0.0.1] PHASE 2 COMPLETED (msgid=ed237764)
112 01/26/2001 13:29:05.350 SEV=4 AUTH/25 RPT=3 Management user admin disconnected: duration 1:11:25
113 01/26/2001 13:29:12.760 SEV=5 AUTH/32 RPT=4 User [attempted ADMIN logon] <ACCESS GR
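The event lines in Figure 13-4 follow one fixed layout (sequence number, date, time, SEV=n, CLASS/event-number, RPT=n, message), which makes them easy to feed into a log pipeline instead of watching the browser screen. The following parser is an added example and is not code from the manual or from Cisco; it assumes that layout from the figure, reuses the four sample lines above (the last one is truncated in the source, so the parser accepts an incomplete message), and pulls out the AUTH-class events that mention the admin account, which are the lines a defender tails when watching the management plane. Severity numbers follow the manual's convention that level 1 is the most significant.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# The four event lines shown in the Live Event Log figure above; the last one is cut
# off in the source, so the parser has to accept an incomplete message text.
SAMPLE_LOG = """\
108 01/26/2001 13:28:37.210 SEV=4 IKE/49 RPT=4 130.0.0.1 Group [130.0.0.1] Security negotiation complete for peer (130.0.0.1) Initiator, Inbound SPI = 0x3ba95493, Outbound SPI = 0x06a24120
111 01/26/2001 13:28:37.240 SEV=4 IKE/120 RPT=4 130.0.0.1 Group [130.0.0.1] PHASE 2 COMPLETED (msgid=ed237764)
112 01/26/2001 13:29:05.350 SEV=4 AUTH/25 RPT=3 Management user admin disconnected: duration 1:11:25
113 01/26/2001 13:29:12.760 SEV=5 AUTH/32 RPT=4 User [attempted ADMIN logon] <ACCESS GR
"""

# Layout assumed from the figure: sequence number, date, time with milliseconds,
# SEV=<level>, <CLASS>/<event number>, RPT=<repeat count>, free-text message.
EVENT_RE = re.compile(
    r"^(?P<seq>\d+)\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"SEV=(?P<sev>\d{1,2})\s+"
    r"(?P<cls>[A-Z0-9]+)/(?P<num>\d+)\s+"
    r"RPT=(?P<rpt>\d+)\s*"
    r"(?P<text>.*)$"
)


@dataclass
class Event:
    seq: int
    when: datetime
    severity: int        # level 1 is the most significant (Chapter 9, Event Severity Level)
    event_class: str     # e.g. IKE, AUTH
    event_number: int
    repeat: int
    text: str


def parse_event(line: str) -> Optional[Event]:
    """Parse one Live Event Log line; return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S.%f")
    return Event(int(m["seq"]), when, int(m["sev"]), m["cls"],
                 int(m["num"]), int(m["rpt"]), m["text"])


def parse_log(text: str) -> List[Event]:
    """Parse a block of log text, silently skipping lines that are not events."""
    return [ev for ev in (parse_event(ln) for ln in text.splitlines()) if ev]


def admin_session_events(events: List[Event]) -> List[Event]:
    """AUTH-class events that concern the admin account: logons, logoffs, attempts."""
    return [ev for ev in events
            if ev.event_class == "AUTH" and "admin" in ev.text.lower()]


def most_significant(events: List[Event]) -> Optional[int]:
    """Lowest severity number present, since level 1 is the most significant."""
    return min((ev.severity for ev in events), default=None)


if __name__ == "__main__":
    for ev in admin_session_events(parse_log(SAMPLE_LOG)):
        print(ev.seq, ev.when.time(), f"{ev.event_class}/{ev.event_number}", ev.text)
```

Because the screen resets the idle timer on every refresh (see the note above), exporting events this way also lets you close the Manager session rather than leave an administrative login open just to watch the log.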
104. [...]VPN 3002 Hardware Client Manager table of contents (the left frame of the Manager browser window); see Figure 1-35 in Chapter 1, Using the VPN 3002 Hardware Client Manager.
Chapter | Title | Description
Chapter 1 | Using the VPN 3002 Hardware Client Manager | Explains how to log in, navigate, and use the VPN 3002 Hardware Client Manager with a browser. It explains both HTTP and HTTPS browser connections, and how to install the SSL certificate for a secure HTTPS connection.
Chapter 2 | Configuration | Describes the main VPN 3002 Hardware Client Manager configuration screen.
Chapter 3 | Interfaces | Explains how to configure the VPN 3002 private and public interfaces.
Chapter 4 | System Configuration | Describes the system configuration screen of the VPN 3002 Hardware Client Manager.
Chapter 5 | Servers | Explains how to configure the VPN 3002 to communicate with DNS servers to convert hostnames to IP addresses.
Chapter 6 | Tunneling | Explains how to configure IPSec.
Chapter 7 | IP Routing | Explains how to configure static routes, default gateways, and DHCP parameters and options.
Chapter 8 | Management Protocols | Explains how to configure built-in VPN 3002 servers that provide management functions: HTTP and HTTPS, Telnet, SNMP, SNMP Community Strings, SSL, and SSH.
Chapter
105. [...]VPN 3002 that connects to a VPN 3080 in San Jose (1). If the VPN 3002 is unable to contact the corporate network, Fargo cannot place orders. The IPSec backup server feature lets the VPN 3002 connect to one of several sites, in this case using Austin (2) and Boston (3) as backup servers, in that order.
Chapter 6, Tunneling: Configuration | System | Tunneling Protocols | IPSec
The VPN 3002 in Fargo first tries to reach San Jose. If the initial IKE packet for that connection (1) times out (8 seconds), it tries to connect to Austin (2). Should this negotiation also time out, it tries to connect to Boston (3). These attempts continue until the VPN 3002 has tried all servers on its backup server list, to a maximum of 10.
Note: Be aware of the following characteristics of the backup server feature:
- If the VPN 3002 cannot connect after trying all backup servers on the list, it does not automatically retry.
  - In Network Extension mode, the VPN 3002 attempts a new connection after 4 seconds.
  - In Client mode, the VPN 3002 attempts a new connection when the user clicks the Connect Now button on the Monitoring | System Status screen, or when data passes from the VPN 3002 to the VPN Concentrator.
- A VPN 3002 must connect to the primary VPN Concentrator to download a backup server list configured on the primary VPN Concentrator. If that VPN Concentrator is unavailable, and if the VPN 3
106. [...]SNMP provides additional security.
SNMP Port: Enter the port number that SNMP uses. The default is 161, which is the well-known port number. Changing the port number provides additional security.
Maximum Queued Requests: Enter the maximum number of outstanding queued requests that the SNMP agent allows. Minimum is 1, default is 4, maximum is 200.
Apply / Cancel: To apply your SNMP settings, and to include the settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen.
Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.
Figure 8-7: Configuration | System | Management Protocols Screen
[Screen text] Save Needed. This section lets you configure built-in management protocol servers. In the left frame, or in the list of links below, click the function you want:
- HTTP/HTTPS: Hypertext Transfer Protocol/Secure
- Telnet: terminal emulation protocol
- SNMP: Simple Network Management Protocol
- SNMP Community Strings: identifiers for valid SNMP clients
- SSL: Secure Sockets Layer, used with HTTPS
- S
107. [...]Network Management Protocol
- SNMP Community Strings: identifiers for valid SNMP clients
- SSL: Secure Sockets Layer protocol
- SSH: Secure Shell
- XML: eXtensible Markup Language
Figure 8-1: Configuration | System | Management Protocols Screen
[Screen text] Save Needed. This section lets you configure built-in management protocol servers. In the left frame, or in the list of links below, click the function you want:
- HTTP/HTTPS: Hypertext Transfer Protocol/Secure
- Telnet: terminal emulation protocol
- SNMP: Simple Network Management Protocol
- SNMP Community Strings: identifiers for valid SNMP clients
- SSL: Secure Sockets Layer, used with HTTPS
- SSH: Secure Shell, a secure Telnet-like protocol
- XML: eXtensible Markup Language, used by an external management application
Configuration | System | Management Protocols | HTTP/HTTPS
This screen lets you configure and enable the VPN 3002 HTTP/HTTPS server: Hypertext Transfer Protocol and HTTP over SSL (Secure Sockets Layer) protocol. When the server is enabled, you can use a Web browser to communicate with the VPN 3002. HTTPS lets you use a Web browser over a secure, encrypted connection.
About HTTP/HTTPS
The Manager requires the HTTP/HTTPS server. If you click Apply, even if you have made no changes on this s
108. [...]PURPOSE AND NONINFRINGEMENT, OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
AccessPath, AtmDirector, Browse with Me, CCIP, CCSI, CD-PAC, CiscoLink, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Fast Step, Follow Me Browsing, FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, and Empowering the Internet Generation are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, PIX, Post-Routing, Pre
109. [...]IP address of the specific router or gateway to which to route these packets; that is, the IP address of the next hop between the VPN 3002 and the packet's ultimate destination. Use dotted decimal notation, for example 10.10.0.2. We recommend that you select this option.
Interface: Click the drop-down menu button and select a configured VPN 3002 interface as the outbound destination. We do not recommend this option; enter a destination router address above.
Add or Apply / Cancel: To add a new static route to the list of configured routes, click Add. Or, to apply your changes to a static route, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | IP Routing | Static Routes screen. Any new route appears at the bottom of the Static Routes list.
Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing | Static Routes screen, and the Static Routes list is unchanged.
Configuration | System | IP Routing | Default Gateways
This screen lets you configure the default gateway for IP routing. You use this same screen both to initially configure and to change default gateways. You can also configure the default gateway on the Configuration | Quick | System Info screen. The IP routing subsyst
110. [...]VPN device. Cisco supplies default parameters that cover typical installations and uses; after you supply minimal parameters in Quick Configuration, the system is operational. But to tailor the system to your needs, and to provide an appropriate level of system security, you can configure the system in detail.
Configuration
This section of the Manager lets you configure all VPN 3002 features and functions:
- Quick Configuration: the minimal parameters needed to make the VPN 3002 operational. For more information, use online Help, or see the VPN 3002 Hardware Client Getting Started manual, available only online.
- Interfaces: parameters specific to the private and public interfaces.
- System: parameters for system-wide functions: server access, IPSec, IP routing, built-in management servers, system events, and system identification.
- Policy Management: enabling or disabling Protocol Address Translation (PAT).
Figure 2-1: Configuration Screen
[Screen text] Save Needed. This section of the Manager lets you configure all VPN 3002 Hardware Client features. In the left frame, or in the list of links below, click the feature you want to configure:
- Quick Configuration: basic configuration for the device
- Interfaces: Ethernet interfaces, WAN interfaces, and power supplies
- System: system-wide parameters: servers, address assignment, tunneling protocols, IP routing, management protocols, events, and identification
- Policy Management: PAT
111. [...]Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0106R)
VPN 3002 Hardware Client Reference
Copyright 2001, Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface ix
  Prerequisites ix
  Organization ix
  Related Documentation xi
  Documentation conventions xii
  Obtaining Documentation xiii
  Obtaining technical assistance xiv
Using the VPN 3002 Hardware Client Manager 1-1
  VPN 3002 Hardware Client Browser Requirements 1-1
  Connecting to the VPN 3002 Using HTTP 1-2
  Installing the SSL Certificate in Your Browser 1-3
  Connecting to the VPN 3002 Using HTTPS 1-16
  Configuring HTTP, HTTPS, and SSL Parameters 1-16
  Logging into the VPN 3002 Hardware Client Manager 1-17
  Interactive Hardware Client and Individual User Authentication 1-19
  Logging In With Interactive Hardware Client and Individual User Authentication 1-19
  Understanding the VPN 3002 Hardware Client Manager Window 1-23
  Organization of the VPN 3002 Hardware Client Manager 1-27
  Navigating the VPN 3002 Hardware Client Manager 1-28
Configuration 2-1
  Configuration 2-1
Interfaces 3-1
  Configuration | Interfaces 3-1
  Configuration | Interfaces | Priv
112. [...]SSH: Secure Shell, a secure Telnet-like protocol
Configuration | System | Management Protocols | SNMP Communities
This section of the Manager lets you configure and manage SNMP community strings, which identify valid communities from which the SNMP agent accepts requests. A community string is like a password: it validates messages between an SNMP manager and the agent. To use the VPN 3002 SNMP agent, you must configure and add at least one community string. You can configure a maximum of 10 community strings. To protect security, the SNMP agent does not include the usual default public community string, and we recommend that you not configure it.
Figure 8-8: Configuration | System | Management Protocols | SNMP Communities Screen
[Screen text] Save Needed. This section lets you configure SNMP community strings. Community Strings: NMSforVPN01. Actions: Add / Modify / Delete.
Community Strings: The Community Strings list shows SNMP community strings that have been configured. If no strings have been configured, the list shows Empty.
Add / Modify / Delete: To configure and add a new community string, click Add. The Manager opens the Configuration | System | Management Protocols | SNMP Communities | Add screen. To modify a configured community str
113. [...]SSL Certificate in Your Browser
Figure 1-16: Netscape New Certificate Authority Screen 2
[Dialog text] New Certificate Authority. A Certificate Authority certifies the identity of sites on the internet. By accepting this Certificate Authority, you will allow Netscape Communicator to connect to and receive information from any site that this authority certifies without prompting or warning you. If you choose to refuse this Certificate Authority, you will be prompted before you connect to or receive information from any site that this authority certifies. < Back / Next > / Cancel
2. Click Next > to proceed. Netscape displays the next New Certificate Authority screen, which lets you examine details of the VPN 3002 Hardware Client SSL certificate.
Figure 1-17: Netscape New Certificate Authority Screen 3
[Dialog text] New Certificate Authority. Here is the certificate for this Certificate Authority. Examine it carefully. The Certificate Fingerprint can be used to verify that this Authority is who they say they are. To do this, compare the Fingerprint against the Fingerprint published by this authority in other places. Certificate for: Cisco Systems, Inc. Signed by: Cisco Systems, Inc. More Info... < Back / Next > / Cancel
3. Click Next > to proceed. Netscape displays the next New Certificate Authority screen, with
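The fingerprint the dialog in Figure 1-17 asks you to compare is simply a hash of the certificate's DER encoding, so an administrator who has the certificate text (for example, from the Cut & Paste install screen) can compute the expected value independently of the browser. The snippet below is an added example, not code from the manual or from Cisco: it decodes a PEM block, computes the fingerprint in the colon-separated form browsers display (SHA-1 by default; the algorithm is a parameter), and compares it with a value obtained out of band while tolerating the different separators and letter cases tools print. The PEM body is a constructed stand-in that decodes to the bytes "abc" rather than a real certificate, chosen so the hash can be checked against the published SHA-1 and MD5 test vectors; a real certificate is processed identically.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a certificate: the body decodes to b"abc", not to a real
# DER certificate, so the expected hashes are the well-known "abc" test vectors.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER bytes."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not body:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Hash of the DER encoding, formatted the way browsers show it (AB:CD:...)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept the separators and letter case that different tools print."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprint_matches(shown: str, published: str) -> bool:
    """Compare the fingerprint the browser shows with the one obtained out of band.
    compare_digest is used out of habit; it keeps the comparison time independent
    of how many leading bytes agree, which matters when this runs on a server."""
    a, b = normalize(shown), normalize(published)
    return len(a) == len(b) and hmac.compare_digest(a, b)


def verify_pem(pem: str, published: str, algo: str = "sha1") -> bool:
    """True if the certificate in `pem` has the published fingerprint."""
    return fingerprint_matches(fingerprint(pem_to_der(pem), algo), published)


if __name__ == "__main__":
    print("SHA-1:", fingerprint(pem_to_der(SAMPLE_PEM)))
    print("MD5:  ", fingerprint(pem_to_der(SAMPLE_PEM), "md5"))
```

The published value should come from a channel other than the connection being verified (the console, a printed record, or a second administrator), since a fingerprint read from the same unverified HTTPS session proves nothing.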
114. [...]IPSec, IPSec over TCP, or IPSec over UDP. To use IPSec over TCP, both the VPN 3002 and the VPN Concentrator to which it connects must be running version 3.5 software.
Use Certificate: This parameter specifies whether to use preshared keys or a PKI (Public Key Infrastructure) digital identity certificate to authenticate the peer during Phase 1 IKE negotiations. See the discussion under Administration | Certificate Management, which is where you install digital certificates on the VPN 3002. Check the box to use digital certificates.
Certificate Transmission: If you configured authentication using digital certificates, choose the type of certificate transmission.
- Entire certificate chain: Send the peer the identity certificate and all issuing certificates. Issuing certificates include the root certificate and any subordinate CA certificates.
- Identity certificate only: Send the peer only the identity certificate.
Group Name: The VPN 3002 connects to the VPN Concentrator using this Group name and password, which must be configured on the central-site VPN Concentrator. Group and usernames and passwords must be identical on the VPN 3002 and on the VPN Concentrator to which it connects. In the Group Name field, enter a unique name for the group to which this VPN 3002 belongs. This is the group name configured on the central-site VPN Concentrator to which this VPN 3002 connects. Maximum is 32 characters, case-sensitive.
115. [...]Security subsystem
IPSECDBG: IP Security debugging
IPSECDECODE: IP Security decoding
LBSSF: Load Balancing/Secure Session Failover subsystem
MIB2TRAP: MIB-II trap subsystem (SNMP MIB-II traps)
PPP: PPP subsystem
PPPDBG: PPP debugging
PPPDECODE: PPP decoding
PPPoE: PPPoE subsystem
PSH: Operating system command shell
PSOS: Embedded real-time operating system
QUEUE: System queue
REBOOT: System rebooting
RM: Resource Manager subsystem
SNMP: SNMP trap subsystem
SSH: SSH subsystem
SSL: SSL subsystem
SYSTEM: Buffer, heap, and other system utilities
TCP: TCP subsystem
TELNET: Telnet subsystem
TELNETDBG: Telnet debugging
TELNETDECODE: Telnet decoding
TIME: System time (clock)
Note: The Cisco-specific event classes provide information that is meaningful only to Cisco engineering or support personnel. Also, the DBG and DECODE events require significant system resources and might seriously degrade performance. We recommend that you avoid logging these events unless Cisco requests it.
Event Severity Level
Severity level indicates how serious or significant the event is; that is, how likely it is to cause unstable operation of the VPN 3002, whether it represents a high-level or low-level operation, or whether it returns little or great detail. Level 1 is most significant. Table 9-2 describes the severity levels
116. [...]SSH: Secure Shell, a secure Telnet-like protocol
Configuration | System | Management Protocols | XML
This screen lets you configure the VPN 3002 to support an XML-based interface. Enabling XML management (the default condition) allows the VPN 3002 to be more easily managed by a centralized management system. XML is enabled by default. To disable the XML option, clear the check box. To re-enable the XML option, click the check box.
On this screen you can also configure the VPN 3002 to enable HTTPS or SSH (or both) on the public interface, and to lock the XML interface to a specific HTTPS or SSH IP address.
Figure 8-16: Configuration | System | Management Protocols | XML Screen
[Screen text] Configure XML management.
Enable: Check to enable XML management. Note that HTTPS or SSH must be enabled.
Enable HTTPS on Public: Check to enable HTTPS on the Public interface. This will allow XML over HTTPS through the Public interface.
HTTPS IP Address: 0.0.0.0. Enter the IP address and wildcard from which to allow HTTPS access on the Public interface.
HTTPS Wildcard mask: 255.255.255.255. Note: Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has 1s in bit positions to ignore, 0s in bit positions to match. Entering 0.0.0.0 will match the specified address; entering 255.255
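Wildcard masks are easy to invert by mistake because they are the bitwise reverse of the subnet masks administrators usually think in. The following is an added example, not code from the manual or from Cisco, that implements the matching rule stated in the note above (1 bits are ignored, 0 bits must match), converts a familiar prefix length to the wildcard form this screen expects, and describes what a given address/wildcard pair admits so the setting can be reviewed before it is applied on the public interface. It goes slightly beyond the screen by also counting how many addresses a mask admits. The addresses used are documentation ranges chosen for the example.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string to a 32-bit integer (raises on bad input)."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(candidate: str, address: str, wildcard: str) -> bool:
    """True if `candidate` is admitted by the (address, wildcard mask) pair.
    Wildcard bits set to 1 are ignored; bits set to 0 must equal `address`."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)          # bit positions that must match
    return (_to_int(candidate) & care) == (_to_int(address) & care)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask equivalent to a /prefix_len subnet mask (its bitwise inverse)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def allowed_host_count(wildcard: str) -> int:
    """Number of distinct addresses a wildcard mask admits: 2 ** (count of 1 bits)."""
    return 1 << bin(_to_int(wildcard)).count("1")


def describe_rule(address: str, wildcard: str) -> str:
    """Plain-language reading of the pair, for a change review."""
    n = allowed_host_count(wildcard)
    if n == 1:
        return f"only {address}"
    if n == 1 << 32:
        return "any address (management reachable from every source on the public side)"
    return f"{n} addresses matching {address} with wildcard {wildcard}"


if __name__ == "__main__":
    # The screen's defaults, 0.0.0.0 with 255.255.255.255, admit every source.
    print(describe_rule("0.0.0.0", "255.255.255.255"))
    # A single management station (constructed documentation address).
    print(describe_rule("203.0.113.7", wildcard_from_prefix(32)))
```

Read against the figure, the pre-filled values 0.0.0.0 / 255.255.255.255 are the most permissive pair possible: they match any source address, so a lock to a specific management host means a 0.0.0.0 wildcard (or the wildcard for the management subnet) alongside that host's address.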
117. Translations Active: The number of currently active NAT sessions.
Translations Peak: The maximum number of NAT sessions that were simultaneously active on the VPN 3002 since it was last booted or reset.
Translations Total: The total number of NAT sessions on the VPN 3002 since it was last booted or reset.
NAT Sessions: The following sections provide detailed information about active NAT sessions on the VPN 3002.
Source IP Address/Port: The source IP address and port for the NAT session.
Destination IP Address/Port: The destination IP address and port for the NAT session.
Translated IP Address/Port: The translated IP address and port for the NAT session. The VPN 3002 uses this port number to keep track of which devices initiate data transfer; by keeping this record, the VPN 3002 is able to correctly route responses.
Direction: The direction (inbound or outbound) of the data transferred for the NAT session.
Age: The number of half-seconds remaining until the NAT session times out.
Type: The type of packets for the NAT session. The possible types are:
- TCP NAT session
- UDP NAT session
- FTP session
- TFTP session
- PPPoE
- NetBIOS over TCP Proxy
- NetBIOS over UDP Proxy
- NetBIOS Datagram Service
Translated Bytes/Packets: The total number of translated bytes and packets for t
118. [Screen text, continued] Time: 15:12:10, February 23, 2001, GMT 06:00 EST. Enable DST Support. Apply / Cancel.
Current Time: The screen shows the current date and time on the VPN 3002 at the time the screen displays. You can refresh this by redisplaying the screen.
New Time: The values in the New Time fields are the time and date on the browser PC at the time the screen displays. Any entries you make apply to the VPN 3002, however. In the appropriate fields, make any changes. The fields are, in order: Hour, Minute, Second, Month, Day, Year, Time Zone. Click the drop-down menu buttons to select Month and Time Zone. The time zone selections are offsets in hours relative to GMT (Greenwich Mean Time), which is the basis for Internet time synchronization. Enter the Year as a four-digit number.
Enable DST Support: To enable DST support, check the box. During DST (Daylight Saving Time), clocks are set one hour ahead of standard time. Enabling DST support means that the VPN 3002 automatically adjusts the time zone for DST or standard time. If your system is in a time zone that uses DST, you must enable DST support.
Apply / Cancel: To apply your time and date settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | General screen.
119. [...]Update Success Screen
[Screen text] Software Update Success. The VPN 3002 Hardware Client has been successfully updated. It is strongly recommended that you clear your browser's cache after rebooting the VPN 3002 Hardware Client. New features and options may not appear due to the cached data in your browser.
Software Update Error
This screen appears if there was an error in uploading or verifying the image file. You might have selected the wrong file. Click the highlighted link to return to the Administration | Software Update screen and try the update again, or contact Cisco support.
Figure 12-5: Administration | Software Update | Error Screen
[Screen text] Software Update Error. An error occurred while updating the image. VPN 3002 Hardware Client has not been successfully updated. The current executable image has not been affected. Click here to return to Software Update.
Administration | System Reboot
This screen lets you reboot or shutdown (halt) the VPN 3002 with various options.
Note: We strongly recommend that you shut down the VPN 3002 before you turn power off. If you just turn power off without shutting down, you might corrupt Flash memory and affect subsequent operation of the system.
If you are logged in the Manager when the system reboots or halts, it automatically logs you
120. [...]able, you must activate it manually. The VPN 3002 automatically deletes entries that have the status Timedout, Failed, Cancelled, or Error and are older than one week.
Remove All: Click a Remove All option to delete all enrollment requests of a particular status.
- Errored: Delete all enrollment requests with the status Error.
- Timed-out: Delete all enrollment requests with the status Timed-out.
- Rejected: Delete all enrollment requests with the status Rejected.
- Cancelled: Delete all enrollment requests with the status Cancelled.
Fields
These fields appear in the Enrollment Status table.
Field: Content
Subject, Issuer: The Common Name (CN) or Organizational Unit (OU), if present, plus the Organization (O) in the Subject and Issuer fields of the certificate. The format is CN at O, OU at O, or just O; for example, Root 2 at CyberTrust. The CN, OU, and O fields display a maximum of 33 characters each. See Administration | Certificate Management | Certificates | View.
Date: The original date of enrollment.
Use: The type of certificate: identity or SSL.
Reason: The type of enrollment: initial, re-enrollment, or re-key.
Method: The method of enrollment: SCEP or manual.
Status: In Progress: The request has been created, but
121. ...abled by default on the private network. See the Configuration | System | Management Protocols | Telnet screen on the Manager. 2. Start the Telnet or Telnet/SSL client and connect to the VPN 3002 using these parameters. Host Name or Session Name: the IP address on the VPN 3002 private interface, e.g., 10.10.147.2. Port: Telnet default (the Telnet port is 23; the Telnet/SSL port is 992). Terminal Type: VT100 or ANSI. Note: for Telnet/SSL, if the client offers it, enable both SSL and SSL only. Plain Telnet on port 23 sends the administrator password in cleartext to anyone on the private LAN, so prefer Telnet/SSL (or the console) for administration. 3. The VPN 3002 displays a login prompt: Login:. Starting the Command-line Interface: You start the command-line interface by logging in. Login usernames and passwords for both console and Telnet access are the same as those configured and enabled for administrators. See the Administration | Access Rights | Administrators screen. By default, only admin is enabled. This example uses the factory-supplied default admin login and password; if you have changed them, use your entries, and change them before the device is reachable from anything but a trusted management network. At the prompts, enter the administrator login name and password. Entries are case-sensitive. Login: admin. Password: admin (the CLI does not echo your entry). The CLI displays the opening welcome message, the main menu, and the Main -> prompt: Welcome to Cisco Systems VPN 3002 Hardware Client Command Line Interface. Copyright (C) 1998-2001 Cisco Systems, Inc. 1) Configuration 2) Administration 3) Monitoring 4) Save changes to Config file 5) Help Informati
122. ...acement. Step 3: Click Identity Certificate. The Manager displays the Administration | Certificate Management | Enroll | Identity Certificate screen (see Figure 12-24). Figure 12-24: Administration | Certificate Management | Enroll | Identity Certificate Screen. Screen text: Select the enrollment method for the identity certificate. To install a certificate with SCEP, the issuing CA's certificate must also be installed with SCEP. Click here to install a new CA using SCEP before enrolling. Options: Enroll via PKCS10 Request (Manual); Enroll via SCEP at (CA name not legible in the figure); Enroll via SCEP at TestCA6-8 at Cisco; << Go back and choose a different type of certificate. Notice that a link appears corresponding to each SCEP-enabled CA certificate on the VPN 3002. The title of the link depends on the name of the CA certificate: "Enroll via SCEP at [Certificate Name]". For example, if you have a CA certificate on your VPN 3002 named TestCA6-8, the following link appears: "Enroll via SCEP at TestCA6-8". If you do not see any "Enroll via SCEP" options, there are no SCEP-enabled CA certificates on the VPN 3002. Follow the steps in the "Installing CA Certificates Automatically Using SCEP" section to obtain a CA certificate via SCEP before you proceed. Step 4: Click Enroll via SCEP at [Certificate Name]. The Administration | Certificate Management | Enroll | Identity Certificate | SCEP screen appears (see Figure 12-25).
123. ...ages ask for the address (subnet) mask for the LAN to which a router connects. Address Mask Replies, Received/Transmitted: The number of ICMP Address Mask Reply messages received/sent. Address Mask Reply messages respond to Address Mask Request messages by supplying the address (subnet) mask for the LAN to which a router connects. Chapter 13: Monitoring. Monitoring | Statistics | MIB-II | ARP Table: This screen shows entries in the Address Resolution Protocol mapping table since the VPN 3002 was last booted or reset. ARP matches IP addresses with physical (MAC) addresses so the system can forward traffic to computers on its network. RFC 2011 defines MIB entries in the ARP table. The entries are sorted first by Interface, then by IP Address. To speed display, the Manager might construct multiple 64-row tables; use the scroll controls, if present, to view the entire series of tables. You can also delete dynamic (learned) entries in the mapping table. Figure 13-23: Monitoring | Statistics | MIB-II | ARP Table Screen (Refresh; ARP Entries: 136). Columns: Interface, Physical Address, IP Address, Mapping Type, Action. Rows shown:
1  FF:FF:FF:FF:FF:FF  192.168.0.0  Static
1  00:90:44:00:00:A2  192.168.10.1  Static
1  00:90:A4:00:00:A2  192.168.10.100  Static
1  FF:FF:FF:FF:FF:FF  192.168.255.255  Static
2  00:10:5A:12:EF:78  10.10.232...
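The ARP table is one of the few places a VPN edge device shows you who is answering for which address, so it is worth polling. The following is an added example, not code from the manual: it parses rows in the layout of Figure 13-23 and compares two polls for the two signs of ARP spoofing a defender looks for, an IP whose MAC changed between polls and one learned MAC answering for several IPs. Both snapshots are constructed; the static rows are modelled on the figure and the dynamic rows are invented.

```python
"""Added example, not from the Cisco manual: parse the rows of the Monitoring
| Statistics | MIB-II | ARP Table screen and compare two polls for the two
signs of ARP spoofing a defender looks for: an IP whose MAC changed, and one
MAC answering for several IPs. Both snapshots are constructed; the static
rows are modelled on Figure 13-23, the dynamic rows are invented."""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+(Static|Dynamic)\s*$")
BROADCAST = "FF:FF:FF:FF:FF:FF"


def parse_arp_table(text):
    """Return {(interface, ip): (mac, mapping_type)}; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            iface, mac, ip, kind = m.groups()
            table[(int(iface), ip)] = (mac.upper(), kind)
    return table


def changed_macs(before, after):
    """IPs whose MAC differs between polls: (iface, ip, old_mac, new_mac)."""
    return [(i, ip, before[(i, ip)][0], mac)
            for (i, ip), (mac, _) in after.items()
            if (i, ip) in before and before[(i, ip)][0] != mac]


def shared_macs(table):
    """Dynamic (learned) MACs that claim more than one IP on one interface.
    Static rows are skipped: the device's own interface legitimately owns
    several addresses and the broadcast MAC maps to every broadcast address."""
    by_mac = defaultdict(list)
    for (iface, ip), (mac, kind) in table.items():
        if kind == "Dynamic" and mac != BROADCAST:
            by_mac[(iface, mac)].append(ip)
    return {k: sorted(v) for k, v in by_mac.items() if len(v) > 1}


# Constructed first poll in the screen's row layout.
POLL_1 = """\
Interface  Physical Address   IP Address       Mapping Type
1  FF:FF:FF:FF:FF:FF  192.168.0.0      Static
1  00:90:A4:00:00:A2  192.168.10.1     Static
1  00:90:A4:00:00:A2  192.168.10.100   Static
1  FF:FF:FF:FF:FF:FF  192.168.255.255  Static
2  00:10:5A:12:EF:78  10.10.232.1      Dynamic
2  00:10:5A:12:EF:79  10.10.232.20     Dynamic
"""
# Second poll: the public-side gateway 10.10.232.1 now resolves to the MAC
# that also answers for 10.10.232.20, the classic gateway-impersonation pattern.
POLL_2 = POLL_1.replace("00:10:5A:12:EF:78  10.10.232.1 ",
                        "00:10:5A:12:EF:79  10.10.232.1 ")

if __name__ == "__main__":
    before, after = parse_arp_table(POLL_1), parse_arp_table(POLL_2)
    for iface, ip, old, new in changed_macs(before, after):
        print(f"ALERT interface {iface}: {ip} moved from {old} to {new}")
    for (iface, mac), ips in shared_macs(after).items():
        print(f"ALERT interface {iface}: {mac} answers for {', '.join(ips)}")
```

A MAC that legitimately moves (a replaced gateway, VRRP failover) produces the same alert, so treat a change as something to confirm rather than proof of attack; the shared-MAC check is the stronger signal on a segment with no proxy ARP.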
124. ...an delete them on the Administration | File Management | View Config Files screen. File Upload Progress: This window shows the progress of the file upload. It refreshes the number of bytes transferred at 10-second intervals. Figure 12-16: Administration | File Management | File Upload Progress Window (shown: "417420 bytes transferred, 10 second refresh"). When the upload is finished, or if the upload is cancelled, the progress window closes. File Upload Success: The Manager displays this screen to confirm that the file upload was successful. Figure 12-17: Administration | Config File Management | Upload Success Screen. Config File Upload Success: The config file has been successfully transferred to the VPN 3002 Hardware Client. Click here to go to reboot options. Click here to view the config file. To go to the Administration | Config File Management | View screen and examine files in flash memory, click the highlighted link. File Upload Error: The Manager displays this screen if there was an error during the file upload and the transfer was not successful. Flash memory might be full, or the file transfer might have been interrupted or cancelled. Figure 12-18: Administration | Config File Management | Upload Error
125. ...an order the Documentation CD-ROM through the online Subscription Store: http://www.cisco.com/go/subscription. Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS (6387). Documentation feedback: If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. You can e-mail your comments to bug-doc@cisco.com. To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address: Cisco Systems, Inc., Document Resource Connection, 170 West Tasman Drive, San Jose, CA 95134-9883. We appreciate your comments. Obtaining technical assistance: Cisco.com: Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website. Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at any time, from an
126. ...anagement | View Enrollment Request 12-58; Administration | Certificate Management | Cancel Enrollment Request 12-60; Administration | Certificate Management | Delete Enrollment Request 12-61. Monitoring 13-1: Monitoring | Routing Table 13-2; Monitoring | Filterable Event Log 13-3; Monitoring | Live Event Log 13-6; Monitoring | System Status 13-8; Monitoring | System Status | Private/Public Interface 13-11; Monitoring | User Status 13-14; Monitoring | Statistics 13-15; Monitoring | Statistics | IPSec 13-16; Monitoring | Statistics | HTTP 13-22; Monitoring | Statistics | Telnet 13-25; Monitoring | Statistics | DNS 13-27; Monitoring | Statistics | SSL 13-28; Monitoring | Statistics | DHCP 13-30; Monitoring | Statistics | SSH 13-32; Monitoring | Statistics | NAT 13-34. (Footer: VPN 3000 Series Concentrator Reference Volume I: Configuration, 78-13782-01, Contents.) Monitoring | Statistics | PPPoE 13-36; Monitoring | Statistics | MIB-II 13-39; Monitoring | Statistics | MIB-II | Interfaces 13-40; Monitoring | Statistics | MIB-II | TCP/UDP 13-42; Monitoring | Statistics | MIB-II | IP 13-45; Monitoring | Statistics | MIB-II | ICMP 13-48; Monitoring | Statistics | MIB-II | ARP Table 13-51; Monitoring | Statistics | MIB-II | Ethernet 13-53; Monitoring | Statistics | MIB-II | SNMP 13-56. Using the Command-Line Interface 14-1: Accessing the Command-line Interface 14-1; Starting the Command-line Interface 14-2; Using the Command-line Interface 14-3; Menu Refe
127. ...anagement Protocols | SSL screen. Chapter 1: Using the VPN 3002 Hardware Client Manager. Figure 1-26: VPN 3002 Hardware Client Manager HTTPS Login Screen (screen items: Install SSL Certificate; Connection/Login Status; VPN 3002 Hardware Client Manager; Login; Password; Login and Clear buttons; Copyright 1998-2001 Cisco Systems, Inc.). Logging into the VPN 3002 Hardware Client Manager: Logging into the VPN 3002 Hardware Client Manager is the same for both types of connections, cleartext HTTP or secure HTTPS. Over cleartext HTTP the login sends the administrator password unprotected, so use the HTTPS connection for administration and replace the factory default credentials before the VPN 3002 is reachable from any network you do not fully trust. Entries are case-sensitive. With Microsoft Internet Explorer you can press the Tab key to move from field to field; other browsers might work differently. If you make a mistake, click the Clear button and start over. The following entries are the factory-supplied default entries; if you have changed them, use your entries. Step 1: Click in the Login field and type admin. Do not press Enter. Step 2: Click in the Password field and type admin. The field masks the characters you type. Step 3: Click the Login button. The Manager displays the main welcome screen (Figure 1-27). Figure 1-27: Manager Main Welcome Screen. Cisco Systems
128. ...anager displays the Administration | Certificate Management screen. Your new identity certificate appears in the Identity Certificates table. Enrolling and Installing Identity Certificates Manually: If you need to obtain identity certificates using the manual process, use the following general procedure. 1. Using the Manager, generate a certificate enrollment request (PKCS #10). 2. Via the web, e-mail, or floppy disk, send this enrollment request to your chosen CA. 3. Request an identity certificate from your CA and download it to your PC. 4. Again using the Manager, install the identity certificate on the VPN 3002. A PKCS #10 request carries only the public key and the requested Subject, signed with the private key, so the private key never leaves the VPN 3002 when you transport the request by web, e-mail, or floppy. Follow these steps to generate a certificate enrollment request (PKCS #10). Step 1: Using the Manager, display the Administration | Certificate Management screen (see Figure 12-19). Step 2: Click "Click here to enroll with a Certificate Authority". The Manager displays the Administration | Certificate Management | Enroll screen (see Figure 12-23). Step 3: Click Identity Certificate. The Manager displays the Administration | Certificate Management | Enroll | Identity Certificate screen (see Figure 12-24). Step 4: Click Enroll via PKCS10 Request (Manual). The Manager displays the Administration | Certificate Management | Enroll | Identity Certificate | PKCS10 screen (see Figure 12-27). Figure 12-27: Administration
129. ...and Line Interface.
3.1 Monitoring > Routing Table
Routing Table
... to Quit, <SPACE> to Continue >
1) Refresh Routing Table
2) Clear Routing Table
3) Back
Routing -> _
3.2 Monitoring > Event Log
1) Configure Log viewing parameters
2) View Event Log
3) Clear Log
4) Back
Log -> _
3.2.2 Monitoring > Event Log > View Event Log
Event Log entries
1) First Page
2) Previous Page
3) Next Page
4) Last Page
5) Back
3.3 Monitoring > System Status
System Status
1) Refresh System Status
2) Connect Now
3) Disconnect Now
4) Back
Status -> _
Card Status -> _
Chapter 14: Using the Command Line Interface, Menu Reference.
3.4 Monitoring > User Status
Authenticated Users (Username, IP Address, MAC Address, Login Time, Duration)
1) Refresh User Status
2) Log out User
3) Back
Sessions -> _
3.5 Monitoring > General Statistics
1) Protocol Statistics
2) Server Statistics
3) MIB II Statistics
4) Back
General -> _
3.4.1 Monitoring > General Statistics > Protocol Statistics
1) IPSec Statistics
2) HTTP Statistics
3) Telnet Statistics
4) DNS Statistics
5) SSL Statistics
6) SSH Statistics
7) PPPoE Statistics
8) NAT Statistics
9) Back
General -> _
3.4.2 Monitoring > General Statistics > Server Statistics
1) DHCP Statistics
2) Back
General -> _
3.4.3 Monito
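The Telnet/SSL login sequence and the menu tree above are easy to script once you treat each prompt ("Login:", "Password:", "Main ->", "Routing ->") as a synchronization point. The following is an added example, not Cisco's code, that drives the menu CLI through any transport with read()/write(); it runs here against an in-memory fake whose banner and menus are transcribed from the manual. The "1)" menu numbering, the "Monitor ->" prompt name, and the fake's responses are assumptions; Telnet option negotiation (IAC bytes) is not handled, and a 2001-era device offers SSLv3/TLS 1.0 at best, so a modern default SSL context may refuse to connect to port 992.

```python
"""Added example, not Cisco's code: a small driver for the VPN 3002 menu CLI
reached over Telnet/SSL (port 992) or the console, using the prompts the
manual shows ('Login:', 'Password:', 'Main ->', 'Routing ->'). It runs here
against an in-memory fake whose banner and menus are transcribed from the
manual; the '1)' menu numbering and the 'Monitor ->' prompt name are
assumptions, and Telnet option negotiation (IAC bytes) is not handled."""
import re
import socket
import ssl

PROMPT_RE = re.compile(r"(Login:|Password:|\w+ ->) ?$")
MENU_RE = re.compile(r"^\s*(\d+)\)\s+(.+?)\s*$", re.M)


def read_until_prompt(t):
    """Accumulate output until a login, password or menu prompt appears."""
    buf = ""
    while True:
        chunk = t.read()
        if not chunk:
            raise EOFError("connection closed before a prompt")
        buf += chunk
        m = PROMPT_RE.search(buf)
        if m:
            return buf, m.group(1)


def parse_menu(text):
    """'1) Configuration' lines -> {1: 'Configuration', ...}."""
    return {int(n): name for n, name in MENU_RE.findall(text)}


def login(t, user, password):
    """Log in and return the main menu. Raises if the device re-prompts."""
    _, prompt = read_until_prompt(t)
    if prompt != "Login:":
        raise RuntimeError(f"expected Login:, got {prompt!r}")
    t.write(user + "\n")
    _, prompt = read_until_prompt(t)
    if prompt != "Password:":
        raise RuntimeError(f"expected Password:, got {prompt!r}")
    t.write(password + "\n")
    text, prompt = read_until_prompt(t)
    if prompt != "Main ->":
        raise RuntimeError(f"login as {user!r} rejected (prompt {prompt!r})")
    return parse_menu(text)


def select(t, choice):
    """Send a menu number; return (new prompt, that menu's entries)."""
    t.write(str(choice) + "\n")
    text, prompt = read_until_prompt(t)
    return prompt, parse_menu(text)


class SocketTransport:
    """Real Telnet/SSL transport. Verify the device certificate you exported
    (cafile); only relax the context on a trusted management LAN."""
    def __init__(self, host, port=992, cafile=None):
        ctx = ssl.create_default_context(cafile=cafile)
        raw = socket.create_connection((host, port), timeout=10)
        self.sock = ctx.wrap_socket(raw, server_hostname=host)

    def read(self):
        return self.sock.recv(4096).decode("ascii", "replace")

    def write(self, data):
        self.sock.sendall(data.encode("ascii"))


MAIN_MENU = ("Welcome to\nCisco Systems\nVPN 3002 Hardware Client\n"
             "Command Line Interface\nCopyright (C) 1998-2001 Cisco Systems, Inc.\n\n"
             "1) Configuration\n2) Administration\n3) Monitoring\n"
             "4) Save changes to Config file\n5) Help Information\n\nMain -> ")
MONITOR_MENU = ("1) Routing Table\n2) Event Log\n3) System Status\n"
                "4) User Status\n5) General Statistics\n6) Back\n\nMonitor -> ")


class FakeVpn3002:
    """Constructed stand-in for the device so the driver runs offline."""
    def __init__(self, password="admin"):
        self.password, self.stage, self.pending = password, "login", "Login: "

    def read(self):
        out, self.pending = self.pending, ""
        return out

    def write(self, data):
        line = data.rstrip("\r\n")
        if self.stage == "login":
            self.user, self.stage, self.pending = line, "password", "Password: "
        elif self.stage == "password":
            ok = self.user == "admin" and line == self.password
            self.stage = "main" if ok else "login"
            self.pending = MAIN_MENU if ok else "Login incorrect\n\nLogin: "
        else:
            self.pending = MONITOR_MENU if line == "3" else "Invalid choice\n\nMain -> "


if __name__ == "__main__":
    dev = FakeVpn3002()
    print("main menu:", login(dev, "admin", "admin"))
    print(select(dev, 3))
```

Run the same login() against SocketTransport("10.10.147.2") with the factory admin/admin pair as a quick audit: if it returns a menu, the default password is still in place on that device.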
130. ...and notices. Preface: Related Documentation. Refer to the following documents for further information about Cisco VPN 3000 Series applications and products. VPN 3002 Hardware Client Documentation: The VPN 3002 Hardware Client Getting Started manual provides information to take you from unpacking and installing the VPN 3002 through configuring the minimal parameters to make it operational (called Quick Configuration). This manual is online only. The VPN 3002 Hardware Client Quick Start Card summarizes the information for quick configuration. This quick reference card is provided with the VPN 3002 and is also available online. The VPN 3002 Hardware Client Basic Information sticky label summarizes information for quick configuration. It is provided with the VPN 3002, and you can also print it from the online version; you can affix the label to the VPN 3002. The HTML interface, called the VPN 3002 Hardware Client Manager, includes online help that you can access by clicking the Help icon on the toolbar in the Manager window. VPN 3000 Series Concentrator Documentation: The VPN 3000 Series Concentrator Reference Volume I: Configuration explains how to start and use the VPN Concentrator Manager. It details the Configuration screens and explains how to configure your device beyond the minimal parameters you set during quick configuration. The VPN 3000 Series Concentrator Reference Volume II: Adm
131. ...ange. In this mode the central-site VPN Concentrator does not assign an IP address for tunneled traffic, as it does in Client (PAT) mode. The tunnel is terminated with the VPN 3002 private IP address (the assigned IP address). To use Network Extension mode, you must configure an IP address other than the default of 192.168.10.1 and disable PAT. In Network Extension mode the VPN 3002 automatically attempts to establish a tunnel to the VPN Concentrator. However, if you enable interactive hardware client authentication, the tunnel is established only when you perform the following steps: Click the Connection/Login Status button on the VPN 3002 Hardware Client login screen; the Connection/Login screen displays. Click Connect Now in the Connection/Login screen. Enter the username and password for the VPN 3002. Alternatively, you can initiate a tunnel by clicking Connect Now in the Monitoring | System Status screen. Chapter 11: Policy Management, Network Extension Mode. Network Extension Mode with Split Tunneling: You always assign the VPN 3002 to a client group on the central-site VPN Concentrator. If you enable split tunneling for that group, IPSec operates on all traffic that travels through the VPN 3002 to networks within the network list for that group behind the central-site VPN Concentrator; PAT does not apply. Traffic from the VPN 3002 to any other destination than thos
132. ...ar.html. Referring Page: Unknown. Browser: Mozilla/4.0 (compatible; MSIE 4.01; Windows NT). JavaScript: JavaScript 1.2. Software Version: Cisco Systems, Inc. VPN 3000 Concentrator Series Version 2.5 (6898) built by tshort on Apr 14 2000 13:55:31, DEBUG MASK 0, NDEBUG off. Feature Set. Go to the login page.
Table A-7: Not Found Message Displays.
Problem: The Manager could not find a screen.
Possible cause 1: You updated the software image and did not clear the browser's cache. Solution: Clear the browser's cache, temporary internet files, history files, and location bar references. Then try again.
Possible cause 2: There is an internal Manager error. Solution: Note the system information on the screen and contact Cisco support personnel for assistance.
Microsoft Internet Explorer Script Error: No such interface supported. Microsoft Internet Explorer displays a Script Error dialog box that includes the error message "No such interface supported".
Table A-8: Microsoft Internet Explorer Script Error.
Problem: While using a Manager function that opens another browser window (such as Save Needed, Help, Software Update, etc.), Internet Explorer cannot open the window and displays the error dialog box.
Possible cause: A bug in the Internet Explorer JavaScript interpreter.
Solution: 1. Click No on the error dialog box. 2. Log out of the Manager. 3. Close Internet Explorer. 4. Reinstall Internet Explorer.
133. ...ardware Client Reference. Chapter 13: Monitoring. Monitoring | Statistics | MIB-II | ICMP: This screen shows statistics in MIB-II objects for ICMP traffic on the VPN 3002 since it was last booted or reset. RFC 2011 defines ICMP MIB objects. Figure 13-22: Monitoring | Statistics | MIB-II | ICMP screen (Received and Transmitted columns for Total, Errors, Destination Unreachable, Time Exceeded, Parameter Problems, Source Quench, Redirects, Echo Requests (PINGs), Echo Replies (PINGs), Timestamp Requests, Timestamp Replies, Address Mask Requests, and Address Mask Replies; Reset, Restore, and Refresh controls). Reset: To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer. Restore: To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon. Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Total, Received/Transmitted: The total number of ICMP messages that the VPN 3002 received/sent. This number includes messages counted
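The Reset/Restore "trip odometer" behaviour is easy to get wrong when you script this screen, and the rows worth watching are not the ones with the largest numbers. The following is an added example, not code from the manual: a mirror of the screen's counter view with a baseline that Reset sets and Restore clears, plus a triage pass over the rows a network defender cares about. The counter values are constructed in the row layout of Figure 13-22 (received, transmitted).

```python
"""Added example, not from the Cisco manual: the Reset/Restore 'trip
odometer' behaviour of the MIB-II ICMP screen, and a triage pass over the
rows that matter to a defender. The snapshot values are constructed in the
row layout of Figure 13-22 (received, transmitted)."""

ROWS = ["Total", "Errors", "Destination Unreachable", "Time Exceeded",
        "Parameter Problems", "Source Quench", "Redirects",
        "Echo Requests (PINGs)", "Echo Replies (PINGs)", "Timestamp Requests",
        "Timestamp Replies", "Address Mask Requests", "Address Mask Replies"]


class IcmpView:
    """Mirror of the screen: raw device counters plus an optional trip baseline."""
    def __init__(self, raw):
        self.raw, self.baseline = dict(raw), None

    def refresh(self, raw):            # Refresh: newer absolute counters
        self.raw = dict(raw)

    def reset(self):                   # Reset: display counts from now on
        self.baseline = dict(self.raw)

    def restore(self):                 # Restore: back to the true totals
        self.baseline = None

    def view(self):
        if self.baseline is None:
            return dict(self.raw)
        return {k: (r - self.baseline[k][0], t - self.baseline[k][1])
                for k, (r, t) in self.raw.items()}


def triage(counts, echo_threshold=1000):
    """Flag rows a defender would not expect on a VPN edge device.
    Redirects received: an on-link sender trying to change the next hop.
    Address Mask / Timestamp requests received: host-discovery probes that
    scanners fall back to when echo is filtered. Many Echo Requests received
    in one interval: a ping sweep or flood. Returns a list of findings."""
    findings = []
    for row in ("Redirects", "Address Mask Requests", "Timestamp Requests"):
        rx = counts[row][0]
        if rx:
            findings.append(f"{rx} {row} received")
    echo_rx = counts["Echo Requests (PINGs)"][0]
    if echo_rx > echo_threshold:
        findings.append(f"{echo_rx} echo requests received in the interval")
    return findings


# Constructed counters: a quiet baseline, then a poll taken after a scan.
QUIET = {row: (0, 0) for row in ROWS}
QUIET.update({"Total": (120, 118), "Echo Requests (PINGs)": (60, 58),
              "Echo Replies (PINGs)": (58, 60)})
AFTER_SCAN = dict(QUIET)
AFTER_SCAN.update({"Total": (9067, 9060), "Redirects": (2, 0),
                   "Address Mask Requests": (5, 0),
                   "Echo Requests (PINGs)": (9000, 58),
                   "Echo Replies (PINGs)": (58, 9000)})

if __name__ == "__main__":
    screen = IcmpView(QUIET)
    screen.reset()                     # start the trip counter while quiet
    screen.refresh(AFTER_SCAN)         # next poll
    for finding in triage(screen.view()):
        print("FINDING:", finding)
    screen.restore()
    print("true totals:", screen.view()["Total"])
```

Because the baseline lives in the view and not in the device, a second management session sees the unchanged totals, which is exactly what the manual's odometer comparison describes.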
134. ...at says "Click here to configure general event parameters". Configured Event Classes: The Configured Event Classes list shows the event classes that have been configured for special handling. The initial default entry is MIB2TRAP, which covers SNMP MIB-II events (traps) that you might want to monitor with an SNMP network management system. Other configured event classes are listed in order by class number and name. If no classes have been configured for special handling, the list shows "Empty". Add/Modify/Delete: To configure and add a new event class for special handling, click Add (see Configuration | System | Events | Classes | Add). To modify an event class that has been configured for special handling, select the event class from the list and click Modify (see Configuration | System | Events | Classes | Modify). To remove an event class that has been configured for special handling, select the event class from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the list. Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. Chapter 9: Events. Configuration | System | Events | Classes | Add or Modify. Configuration | System | Event
135. ...ate 1024-bit keys using the RSA algorithm. This key size provides the highest security of the choices offered, and it requires approximately 4 to 8 times more processing than the 512-bit key. (By current standards all of these sizes are too small: 1024-bit RSA and DSA are no longer approved for signature generation, and 512-bit keys can be broken with modest resources.) Yes/No. DSA 512 bits: Generate 512-bit keys using DSA (Digital Signature Algorithm). DSA 768 bits: Generate 768-bit keys using the DSA algorithm. DSA 1024 bits: Generate 1024-bit keys using the DSA algorithm. Chapter 12: Administration, Certificate Management. Enrolling and Installing Identity Certificates Automatically Using SCEP: Follow these steps for each identity certificate you want to obtain. Step 1: Display the Administration | Certificate Management screen (see Figure 12-19). Step 2: Click "Click here to enroll with a Certificate Authority". The Manager displays the Administration | Certificate Management | Enroll screen (see Figure 12-23). Figure 12-23: Administration | Certificate Management | Enroll Screen. Screen text: This section allows you to create an SSL or identity certificate request. The identity certificate request allows the VPN 3002 Hardware Client to be enrolled into the PKI. The certificate request can be sent to a CA, which will issue a certificate. The CA's certificate must be installed as a Certificate Authority before installing the certificate you requested. Choose the type of certificate request to create: Identity certificate; SSL certificate; << Go back to Certificate Man
136. ...ate 3-4; Configuration | Interfaces | Public 3-6. System Configuration 4-1: Configuration | System 4-1. Servers 5-1: Configuration | System | Servers 5-1; Configuration | System | Servers | DNS 5-1. Tunneling 6-1: Configuration | System | Tunneling Protocols 6-2; Configuration | System | Tunneling Protocols | IPSec 6-2. IP Routing 7-1: Configuration | System | IP Routing 7-1; Configuration | System | IP Routing | Static Routes 7-2; Configuration | System | IP Routing | Static Routes | Add or Modify 7-3; Configuration | System | IP Routing | Default Gateways 7-4; Configuration | System | IP Routing | DHCP 7-6; Configuration | System | IP Routing | DHCP Options 7-7; Configuration | System | IP Routing | DHCP Options | Add or Modify 7-8. Management Protocols 8-1: Configuration | System | Management Protocols 8-1; Configuration | System | Management Protocols | HTTP/HTTPS 8-2; Configuration | System | Management Protocols | Telnet 8-4; Configuration | System | Management Protocols | SNMP 8-6; Configuration | System | Management Protocols | SNMP Communities 8-7; Configuration | System | Management Protocols | SSL 8-10; Configuration | System | Management Protocols | SSH 8-13; Configuration | System | Management Protocols | XML 8-16. Events 9-1: Event Class 9-1; Event Severity Level 9-3; Event Log 9-4; Configuration | System | Events 9-5; Configuration | System
137. ...ate it later, or temporarily disable special handling without deleting the entry. The Configured Event Classes list on the Configuration | System | Events | Classes screen indicates disabled event classes. Disabled event classes are handled according to the default parameters for all event classes. Severity to Log: Click the drop-down menu button and select the range of event severity levels to enter in the event log. The choices are None, 1, 1-2, 1-3, ..., 1-13. The default is 1-5; if you choose this range, events of severity level 1 through severity level 5 are entered in the event log. Configuration | System | Events | Classes | Add or Modify. Severity to Console: Click the drop-down menu button and select the range of event severity levels to display on the console. The choices are None, 1, 1-2, 1-3, ..., 1-13. The default is 1-3; if you choose this range, events of severity level 1 through severity level 3 are displayed on the console. Severity to Syslog: Click the drop-down menu button and select the range of event severity levels to send to a UNIX syslog server. The choices are None, 1, 1-2, 1-3, ..., 1-13. The default is None; if you choose this range, no events are sent to a syslog server. Note: Sending events to a syslog server generates IP packets, which can generate new events if this setting is above level 9 (a feedback loop of logging about the logging). We strongly recommend that
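The three severity ranges and the disabled-class fallback are a small routing policy, and the syslog note is a check you want enforced before a change is saved. The following is an added example, not Cisco's code: it parses exactly the Manager's drop-down choices (None, 1, 1-2, ... 1-13, with level 1 the most severe), applies per-class settings to a constructed batch of events, and warns when Severity to Syslog exceeds level 9. The class names other than MIB2TRAP and the event list are invented.

```python
"""Added example, not Cisco's code: the per-class settings of Configuration
| System | Events | Classes (Severity to Log / Console / Syslog) applied to
a constructed batch of events. Range strings are exactly the Manager's
drop-down choices: 'None', '1', '1-2', ... '1-13'; level 1 is the most
severe. Class names other than MIB2TRAP and the event list are invented."""
import re

RANGE_RE = re.compile(r"^(?:None|1|1-([1-9]|1[0-3]))$")
DESTS = ("log", "console", "syslog")
GENERAL_DEFAULTS = {"log": "1-5", "console": "1-3", "syslog": "None"}


def parse_range(choice):
    """'None' -> None; '1' -> (1, 1); '1-5' -> (1, 5). Anything else is rejected,
    so a hand-built config cannot ask for e.g. '3-7', which the screen cannot."""
    m = RANGE_RE.match(choice)
    if not m:
        raise ValueError(f"not a Manager severity choice: {choice!r}")
    if choice == "None":
        return None
    return (1, int(m.group(1) or 1))


class EventClassConfig:
    def __init__(self, name, enabled=True, **ranges):
        self.name, self.enabled = name, enabled
        self.ranges = {d: parse_range(ranges.get(d, GENERAL_DEFAULTS[d]))
                       for d in DESTS}

    def warnings(self):
        """The manual's note: syslog above level 9 emits IP packets that can
        themselves generate events, so keep Severity to Syslog at 1-9 or lower."""
        r = self.ranges["syslog"]
        if r and r[1] > 9:
            return [f"{self.name}: Severity to Syslog 1-{r[1]} exceeds 9"]
        return []

    def destinations(self, severity):
        return {d for d, r in self.ranges.items() if r and r[0] <= severity <= r[1]}


def route(event, classes, general):
    """Use the class's own config if it exists and is enabled; a disabled or
    unconfigured class falls back to the general event parameters."""
    cfg = classes.get(event["class"])
    if cfg is None or not cfg.enabled:
        cfg = general
    return cfg.destinations(event["severity"])


GENERAL = EventClassConfig("general")
CLASSES = {
    "IKE": EventClassConfig("IKE", log="1-9", syslog="1-9"),
    "MIB2TRAP": EventClassConfig("MIB2TRAP", enabled=False, log="1-13"),
}
# Constructed events: class and severity only.
EVENTS = [{"class": "IKE", "severity": 8}, {"class": "IKE", "severity": 2},
          {"class": "MIB2TRAP", "severity": 7}, {"class": "HTTP", "severity": 4}]

if __name__ == "__main__":
    for cfg in CLASSES.values():
        for w in cfg.warnings():
            print("WARNING", w)
    for e in EVENTS:
        print(e, "->", sorted(route(e, CLASSES, GENERAL)))
```

Notice that the disabled MIB2TRAP entry keeps its 1-13 log range in the configuration but contributes nothing while disabled; the event is routed by the general parameters instead, which is the behaviour the paragraph above describes.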
138. ...ate of sending traffic on the network. Redirects, Received/Transmitted: The number of ICMP Redirect messages received/sent. Redirect messages advise that there is a better route to a particular destination; because a host that honours them lets an on-link sender change its next hop, a non-zero received count on an edge device deserves a look. Echo Requests (PINGs), Received/Transmitted: The number of ICMP Echo Request messages received/sent. Echo messages are probably the most visible ICMP messages. They test the communication path between network entities by asking for Echo Reply response messages. Echo Replies (PINGs), Received/Transmitted: The number of ICMP Echo Reply messages received/sent. Echo Reply messages are sent in response to Echo messages to test the communication path between network entities. Chapter 13: Monitoring, Monitoring | Statistics | MIB-II | ICMP. Timestamp Requests, Received/Transmitted: The number of ICMP Timestamp Request messages received/sent. Timestamp messages measure the propagation delay between network entities by including the originating time in the message and asking for the receipt time in a Timestamp Reply message. Timestamp Replies, Received/Transmitted: The number of ICMP Timestamp Reply messages received/sent. Timestamp Reply messages are sent in response to Timestamp messages to measure propagation delay in the network. Address Mask Requests, Received/Transmitted: The number of ICMP Address Mask Request messages received/sent. Address Mask Request mess
139. ...cast Out: The number of unicast packets that were routed to this interface for transmission, including those that were discarded or not sent. Unicast packets are those addressed to a single host. Multicast In: The number of multicast packets that were received by this interface. Multicast packets are those addressed to a specific group of hosts. Multicast Out: The number of multicast packets that were routed to this interface for transmission, including those that were discarded or not sent. Broadcast In: The number of broadcast packets that were received by this interface. Broadcast packets are those addressed to all hosts on a network. Broadcast Out: The number of broadcast packets that were routed to this interface for transmission, including those that were discarded or not sent. Chapter 13: Monitoring. Monitoring | Statistics | MIB-II | TCP/UDP: This screen shows statistics in MIB-II objects for TCP and UDP traffic on the VPN 3002 since it was last booted or reset. RFC 2012 defines TCP MIB objects, and RFC 2013 defines UDP MIB objects. Figure 13-20: Monitoring | Statistics | MIB-II | TCP/UDP Screen (Reset and Refresh controls; TCP column starting with Segments Received, UDP column starting with Datagrams Received). Segm
140. ...cate, or if it is referenced in an active certificate request. Follow these steps to delete certificates. Step 1: Display the Administration | Certificate Management screen (see Figure 12-19). Step 2: Find the certificate you want to delete and click Delete. The Administration | Certificate Management | Delete screen appears. Figure 12-33: Administration | Certificate Management | Delete Screen. Screen contents: Subject: CN=10.10.99.30, OU=VPN 3000 Concentrator, O=Cisco Systems, Inc., L=Franklin, SP=Massachusetts, C=US. Issuer: CN=10.10.99.30, OU=VPN 3000 Concentrator, O=Cisco Systems, Inc., L=Franklin, SP=Massachusetts, C=US. Serial Number: 3B6D11D6. Signing Algorithm: MD5 with RSA. Public Key Type: RSA (1024 bits). MD5 Thumbprint: FD 40 40 69 2D 84 F5 DD 43 0A F5 4D 99 A8 D6 2E. SHA Thumbprint: (first byte not legible) 39 6B 0E AF 19 A9 19 CE 9F F1 40 59 D9 1F 26 0B FB 01 13. Validity: 8/29/2001 at 12:01:26 to 5/28/2004 at 12:01:26. "Are you sure you want to delete this certificate?" Note that this example certificate is self-signed (Subject and Issuer are identical) and signed with MD5-with-RSA, a signature algorithm that is obsolete because of practical MD5 collision attacks; when you compare a certificate against this screen, rely on the SHA thumbprint rather than the MD5 one. Step 3: Review the certificate details. Step 4: Click Yes. The Manager returns to the Administration | Certificate Management window. Chapter 12: Administration. Administration | Certificate Management: This section of the Manager shows outstanding enrollment requests and all the certificates installed on the VPN 3002, and it lets you manage them. The links at the top of this screen guide you step b
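Before clicking Yes it is worth confirming that the certificate you exported is the one the screen describes and that nothing still depends on it. The following is an added example, not Cisco's code: it recomputes the MD5 and SHA thumbprints (digests of the certificate's DER bytes) in the screen's column form, parses the screen's validity string, and applies the rule above that a certificate referenced by an active enrollment request cannot be deleted. The DER here is the placeholder b"abc", not a real certificate, and the request list is constructed.

```python
"""Added example, not Cisco's code: check a certificate against what the
Administration | Certificate Management | Delete screen shows before you
delete it, and apply the screen's rule that a certificate referenced by an
active enrollment request cannot be deleted. The MD5 and SHA thumbprints on
that screen are digests of the certificate's DER bytes; the DER here is the
placeholder b'abc', not a real certificate."""
import hashlib
from datetime import datetime

VALIDITY = "8/29/2001 at 12:01:26 to 5/28/2004 at 12:01:26"   # as on the screen
CERT_DER = b"abc"                        # placeholder bytes, not a certificate
TODAY = datetime(2002, 1, 1)             # constructed 'now' inside the window
AFTER_EXPIRY = datetime(2005, 1, 1)      # constructed 'now' after the window


def thumbprints(der):
    """(MD5, SHA-1) in the screen's 'XX XX XX ...' form."""
    def column(digest):
        return " ".join(f"{b:02X}" for b in digest)
    return column(hashlib.md5(der).digest()), column(hashlib.sha1(der).digest())


def same_thumbprint(shown, computed):
    """Compare ignoring case and separators; copied thumbprints vary in both."""
    def norm(s):
        return "".join(ch for ch in s.upper() if ch in "0123456789ABCDEF")
    return norm(shown) == norm(computed)


def parse_validity(text):
    """'8/29/2001 at 12:01:26 to 5/28/2004 at 12:01:26' -> (not_before, not_after)."""
    start, end = text.split(" to ")
    fmt = "%m/%d/%Y at %H:%M:%S"
    return datetime.strptime(start, fmt), datetime.strptime(end, fmt)


def review_before_delete(name, der, shown_md5, shown_sha, validity,
                         active_requests, now):
    """Return the things to confirm before clicking Yes. An empty list means
    the export matches the screen, the certificate has expired and no active
    enrollment request references it."""
    md5, sha = thumbprints(der)
    notes = []
    # SHA is the one to trust: MD5 collisions are practical, so a matching
    # MD5 alone does not prove you exported the certificate on the screen.
    if not same_thumbprint(shown_sha, sha):
        notes.append("SHA thumbprint does not match the exported certificate")
    elif not same_thumbprint(shown_md5, md5):
        notes.append("MD5 thumbprint mismatch although SHA matches; re-check the screen")
    not_before, not_after = parse_validity(validity)
    if not_before <= now <= not_after:
        notes.append("certificate is still within its validity period")
    for req in active_requests:
        if name in (req.get("issuer"), req.get("subject")):
            notes.append(f"referenced by active enrollment request {req['id']}")
    return notes


if __name__ == "__main__":
    md5, sha = thumbprints(CERT_DER)
    print("MD5:", md5)
    print("SHA:", sha)
    requests = [{"id": 7, "issuer": "10.10.99.30", "status": "In Progress"}]
    for note in review_before_delete("10.10.99.30", CERT_DER, md5, sha,
                                     VALIDITY, requests, TODAY):
        print("CHECK:", note)
```

The Manager itself enforces only the enrollment-request rule; the thumbprint and validity checks are the operator's own safeguard against deleting a certificate that a tunnel peer still trusts.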
141. ...cation are required for this VPN 3002 to connect. Chapter 1: Using the VPN 3002 Hardware Client Manager. Logging In With Interactive Hardware Client and Individual User Authentication. Figure 1-28: VPN 3002 Hardware Client Manager Login Screen (screen items: Install SSL Certificate; Connection/Login Status; VPN 3002 Hardware Client Manager; Login; Password; Login and Clear buttons; Copyright 1998-2001 Cisco Systems, Inc.). Step 1: Click the Connection/Login Status button. The Connection/Login Status screen displays. Figure 1-29: Connection/Login Status Screen (shown: Thursday, 27 September 2001 10:37:03; Refresh; VPN 3002 Connection Status; Connect Now; Individual User Authentication; "Individual User Authentication configuration is unknown"). You need to connect the VPN 3002 to the remote network. Step 1: Click the Connect Now button. The VPN 3002 Interactive Authentication screen displays. Figure 1-30: VPN 3002 Interactive Authentication Screen. Screen text: VPN 3002 Interactive Authentication. Enter the following information needed to connect the VPN 3002 to the remote
142. ...certificate. The date format is MM/DD/YYYY. SCEP Issuer: In order for a certificate to be available for SCEP enrollment, it must be installed via SCEP. This field indicates whether the certificate is SCEP-enabled. Yes: this certificate can issue identity and SSL certificates via SCEP. No: this certificate cannot issue certificates via SCEP. Note: If you want to use a certificate for SCEP enrollment but that certificate is not SCEP-enabled, reinstall it using SCEP. Actions: This column allows you to manage particular certificates. The actions available vary with the type and status of the certificate. View: view details of this certificate. Configure: enable CRL (Certificate Revocation List) checking for this CA certificate, modify SCEP parameters, or enable acceptance of subordinate CA certificates. Delete: delete this certificate from the VPN 3002. Show RAs: SCEP-enabled CA certificates sometimes have supporting RA certificates; view details of these certificates (only available for CA certificates). Hide RAs: hide the details of the RA certificates. Identity Certificates Table: This table shows installed server identity certificates. For a description of the fields in this table, see the Certificate Authorities Table section above. Chapter 12: Administration, Administration | Certificate Management. SSL Certificate Table
143. ...choices for using the certificate. No choices are checked by default. Chapter 1: Using the VPN 3002 Hardware Client Manager, Installing the SSL Certificate in Your Browser. Figure 1-18: Netscape New Certificate Authority Screen 4. Screen text: New Certificate Authority. Are you willing to accept this Certificate Authority for the purposes of certifying other internet sites, email users, or software developers? [x] Accept this Certificate Authority for Certifying network sites. [ ] Accept this Certificate Authority for Certifying e-mail users. [ ] Accept this Certificate Authority for Certifying software developers. (< Back, Next >, Cancel.) You must check at least the first box, Accept this Certificate Authority for Certifying network sites. Accepting the certificate as a CA for network sites means the browser will thereafter trust any server certificate signed with that key, so install only a certificate you obtained directly from your own VPN 3002 and leave the e-mail and software-developer boxes unchecked. Click Next > to proceed. Netscape displays the next New Certificate Authority screen, which lets you choose to have the browser warn you about sending data to the VPN 3002. Figure 1-19: Netscape New Certificate Authority Screen 5. Screen text: New Certificate Authority. By accepting this Certificate Authority, you have told Netscape Communicator to connect to and receive information from any site that it certifies without warning you or prompting you. Netscape Communicator can, however, warn you before you send information to such a site.
144. ...ck icon on the bottom status bar in Figure 1-22. If you click the icon, Netscape opens a Security Info window. You can also open this window by clicking Security on the Navigator Toolbar at the top of the Netscape window. Chapter 1: Using the VPN 3002 Hardware Client Manager, Installing the SSL Certificate in Your Browser. Figure 1-23: Netscape Security Info Window (panels: Passwords, Navigator, Messenger, Java/JavaScript, Certificates). Click View Certificate to see details of the specific certificate in use. Figure 1-24: Netscape View Certificate Screen. Click OK when finished. Second, you can view all the certificates that are stored in Netscape. On the Security Info window, select Certificates, then Signers. The nickname you entered in Step 6 in the section "First-time Installation" identifies the VPN 3002 Hardware Client SSL certificate. Connecting to the VPN 3002 Using HTTPS. Figure 1-25: Netscape Certificates Signers List (Certificate Signers' Certificates: "These certificates identify the certificate signers that you accept"; the list shows entries such as "Altiga VPN Concentrator 10.10.4.83" and "American Express CA", with an Edit button).
145. ckets with this destination address will be sent to the Destination below. Use dotted decimal notation, for example 192.168.12.0. Subnet Mask: Enter the subnet mask for the destination network IP address, using dotted decimal notation, for example 255.255.255.0. The subnet mask indicates which part of the IP address represents the network and which part represents hosts. The router subsystem looks at only the network part. The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered. For example, the IP address 192.168.12.0 is a Class C address, and the standard subnet mask is 255.255.255.0. You can accept this entry or change it. Note that 0.0.0.0 is not allowed here, since that would resolve to the equivalent of a default gateway. Metric: Enter the metric, or cost, for this route. Use a number from 1 to 16, where 1 is the lowest cost. The routing subsystem always tries to use the least costly route. For example, if a route uses a low-speed line, you might assign a high metric so the system will use it only if all high-speed routes are unavailable. (Chapter 7, IP Routing: Configuration | System | IP Routing | Default Gateways.) Destination: Click a radio button to select the outbound destination for these packets. You can select only one destination: either a specific router (gateway) or a VPN 3002 interface. Destination Router Address: Enter the I
146. ckup configuration file. To reload the boot configuration file and make it the active configuration, you must reboot the system. When you click OK, the system automatically goes to the Administration | System Reboot screen, where you can reboot the system. You can also click the highlighted link to go to that screen. Figure 12-14 Administration | File Management | Swap Config Files Screen (screen text: Every time the active configuration is saved, a backup is made of the configuration file. By clicking OK you can swap the backup configuration file with the boot configuration. To reload the boot configuration you must then reboot the device. You will be sent to the System Reboot screen after the configuration files have been swapped. OK, Cancel). OK / Cancel: To swap CONFIG and CONFIG.BAK files, click OK. The Manager goes to the Administration | System Reboot screen. To leave the files unchanged, click Cancel. The Manager returns to the Administration | File Management | View screen. Administration | File Management | Config File Upload: This screen lets you use HTTP (Hypertext Transfer Protocol) to transfer a configuration file from your PC, or a system accessible from your PC, to the VPN 3002 Flash memory. This function provides special handling for configuration conf
147. co Support immediately. You see this LED display: PWR green, SYS LED green, VPN LED off. 1. Verify that the VPN Concentrator to which this VPN 3002 connects is running version 3.0 software. 2. Navigate to Monitoring > System Status. Click on Connect Now. Problem: Connect Now did not bring up the tunnel, and the public interface LED (rear of unit) is off. 1. Check that a LAN cable is properly attached to the public interface of the VPN 3002. 2. Make sure the IP address for the public interface is properly configured. Problem: Public interface LED is on, but attempting to ping the default gateway (Administration > Ping) yields no response. 1. Make sure the default gateway is properly configured. 2. Contact your ISP. (Appendix A, Troubleshooting and System Errors: Settings on the VPN Concentrator.) Table A-1 Analyzing System Errors (continued). Problem or Symptom / Possible Solution. Problem: VPN LED is solid amber (tunnel failed to establish to central-site VPN Concentrator). 1. Make sure the IPSec parameters are properly configured. Verify: the Public IP Address of the IKE peer (central-site VPN Concentrator) is correct; the group name and password are correct; the user name and password are correct. 2. Make sure the group and user names and passwords match those set for the VPN 3002 on the central-site VPN Concentrator. 3. After you make any changes, navigate
148. creen, you break your HTTP/HTTPS connection and you must restart the Manager session from the login screen. If you disable either HTTP or HTTPS, and that is the protocol you are currently using, you can reconnect with the other protocol if it is enabled and configured. If you disable both HTTP and HTTPS, you cannot use a Web browser to connect to the VPN 3002. Use the Cisco command-line interface from the console or a Telnet session. Related information: For information on installing the SSL digital certificate in your browser and connecting via HTTPS, see Chapter 1, Using the VPN 3002 Hardware Client Manager. To configure SSL parameters, see the Configuration | System | Management Protocols | SSL screen. To install, generate, view, or delete the SSL certificate on the VPN 3002, see the Administration | Certificate Management screens. Figure 8-2 Configuration | System | Management Protocols | HTTP/HTTPS Screen (screen text: Configure the HTTP/HTTPS server. If you click Apply, you will break your HTTP/HTTPS connection to this device and you will have to restart from the login screen. Enable HTTP [checked]: Disabling will provide additional security. Enable HTTPS [checked]: HTTPS uses SSL encryption to provide security. Enable HTTPS on Public: Check to enable HTTPS on the Public interface. HTTP Port 80: The default port is 80. Changing the port will provide additional security. HTTPS Port 443: The default port is 443. Changing the port will provide ad
149. creen shows statistics for DNS (Domain Name System) activity on the VPN 3002 since it was last booted or reset. To configure the VPN 3002 to communicate with DNS servers, see the Configuration | System | Servers | DNS screen. Figure 13-12 Monitoring | Statistics | DNS Screen (screen text: Requests 6; Responses 1; Timeouts 3; Server Unreachable 0; Other Failures). Reset: To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer. Restore: To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon. Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Requests: The total number of DNS queries the VPN 3002 made since it was last booted or reset. This number equals the sum of the numbers in the Responses, Timeouts, Server Unreachable, and Other Failures fields (the four fields that follow). Responses: The number of DNS queries that were successfully resolved. Timeouts: The number of DNS quer
150. croseconds on a 10-Mbps system). (Chapter 13, Monitoring: Monitoring | Statistics | MIB-II | Ethernet.) Excessive Collisions: The number of frames for which transmission on this interface failed due to excessive collisions. MAC Errors: Transmit: The number of frames for which transmission on this interface failed due to an internal MAC sublayer transmit error. This number does not include Carrier Sense Errors, Late Collisions, or Excessive Collisions. MAC Errors: Receive: The number of frames for which reception on this interface failed due to an internal MAC sublayer receive error. This number does not include Alignment Errors, FCS Errors, or Frame Too Long Errors. Speed (Mbps): The nominal bandwidth of the interface in megabits per second. Duplex: The current LAN duplex transmission mode for this interface. Full = Full-Duplex: transmission in both directions at the same time. Half = Half-Duplex: transmission in only one direction at a time. Monitoring | Statistics | MIB-II | SNMP. Reset, Restore, Refresh. This screen shows statistics in MIB-II objects for SNMP traffic on the VPN 3002 since it was last booted or reset. RFC 1907 defines SNMP version 2 MIB objects. To configure the VPN 3002 SNMP server, see
151. d SCEP enrollment requests made to this CA certificate. The default value of this field is the URL used to download this CA certificate. Polling Interval: If the CA does not issue the certificate immediately (some CAs require manual verification of credentials, and this can take time), the certificate request could enter polling mode. In polling mode, the VPN 3002 re-sends the certificate request to the CA over a specified period until the CA responds or the process times out. Enter the number of minutes the VPN 3002 should wait between re-sends. The minimum number of minutes is 1; the maximum number of minutes is 60. The default value is 1. (Chapter 12, Administration: Administration | Certificate Management | Renewal.) Polling Limit: Enter the number of times the VPN 3002 should re-send an enrollment request if the CA does not issue the certificate immediately. The minimum number of re-sends is 0; the maximum number is 100. If you do not want any polling limit (in other words, you want infinite re-sends), enter none. Apply / Cancel: To configure CRL checking for this certificate, click Apply. The Manager returns to the Administration | Certificate Management screen. To discard your settings, click Cancel. The Manager returns to the Administration | Certificate Management screen. Certificate Management | Renewal: Certificate renewal is a shortcut
152. d an SNMP destination system for event trap messages. Modify: Modify a configured SNMP destination system for event trap messages. Figure 9-6 Configuration | System | Events | Trap Destinations | Add Screen (screen text: Add a trap destination. Destination: Enter the IP address or hostname of the trap destination. SNMP Version [SNMPv1]: Select the SNMP version of the trap to send to this destination. Community: Enter the community string to use in the trap. Default is public. Port: Enter the destination port for the trap. Add, Cancel). Destination: Enter the IP address or hostname of the SNMP network management system that is a destination for event trap messages. If you have configured a DNS server, you can enter a hostname; otherwise, enter an IP address. SNMP Version: Click the drop-down menu button and select the SNMP protocol version to use when formatting traps to this destination. Choices are SNMPv1 (version 1; the default) and SNMPv2 (version 2). Community: Enter the community string to use in identifying traps from the VPN 3002 to this destination. The community string is like a password: it validates messages between the VPN 3002 and this NMS destination. If you leave this field blank, the default community string is public. (Chapter 9, Events: Configuration | System | Events | Syslog Servers.) Port: Enter the UDP port number by which you access the destinatio
153. d or reset. (Chapter 13, Monitoring.) Monitoring | Statistics | Telnet: This screen shows statistics for Telnet activity on the VPN 3002 since it was last booted or reset, and for current Telnet sessions. To configure the VPN 3002 Telnet server, see the Configuration | System | Management Protocols | Telnet screen. Figure 13-11 Monitoring | Statistics | Telnet Screen (screen text: Active Sessions 1; Attempted Sessions; Successful Sessions 1. Telnet Sessions table, columns Client IP Address:Port, Inbound Octets [Total, Command, Discarded], Outbound Octets [Total, Dropped]; row: 10.10.98.10:4474, 100, 6, 0, 3563, 0). Reset: To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer. Restore: To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon. Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Active Sessions: The number of active Telnet sessions. The Telne
154. d transmission mode. Interface settings take effect as soon as you apply them. If the system is in active use, changes might affect tunnel traffic. The table on the Configuration | Interfaces screen shows all installed interfaces and their status. (Chapter 3, Interfaces: Configuration | Interfaces.) Figure 3-1 VPN 3002 Configuration | Interfaces Screen (screen text: Tuesday, 18 September 2001 15:18:58. Save Needed. Refresh. This section lets you configure the VPN 3002 Hardware Client's network interfaces. In the table below, or in the picture, select and click the interface you want to configure. Columns: Interface, Status, IP Address, Subnet Mask, MAC Address, Default Gateway. Ethernet 1 (Private): UP, 10.10.99.50, 255.255.0.0, 00.90.44.00.25.48. Ethernet 2 (Public): Waiting for PPPoE, 0.0.0.0, 0.0.0.0, 00.90.A4.00.25.A9. DNS Server(s): 10.10.99.40. DNS Domain Name: ispdomain.com. Back-panel image of the VPN 3002). To configure a module, either click the appropriate link in the status table, or use the mouse pointer to select the module on the back-panel image and click anywhere in the highlighted area. Interface: The VPN 3002 interface installed in the system. To configure an interface, click the appropriate link. Ethernet 1 (Private), Ethernet 2 (Public): To configure Ethernet interface parameters, click the appropriate highlighted link in the table or click in
155. ddress. Default Gateway: The IP routing subsystem routes data packets first using static routes, then the default gateway. If you do not specify a default gateway, the system drops packets it cannot otherwise route. To configure a default gateway, click the appropriate highlighted link in the table or click in a highlighted module on the back-panel image. See Configuration | System | IP Routing | Default Gateways. (Chapter 3, Interfaces.) Configuration | Interfaces | Private: This screen lets you configure parameters for the private interface. It displays the current parameters, if any. Figure 3-2 Configuration | Interfaces | Private Screen (screen text: Caution: You are modifying the interface you are using to connect to this device. If you make any changes, you will break the connection and you will have to restart from the login screen. Configuring the Private Interface. Disabled: Select to disable this interface. Static IP Addressing: Select to configure the IP Address and Subnet Mask. Enter the IP Address and Subnet Mask for this interface. IP Address 10.10.99.50. Subnet Mask 255.255.0.0. MAC Address 00.90.44.00.25.48: The MAC address for this interface. Speed 10/100 auto: Select the speed for this interface. Duplex Auto: Select the duplex mode for this interface. Apply, Cancel).
156. default displays all events of severity level 1 through 3 on the console. It writes all events of severity level 1 through 5 to the event log. You can change these defaults on the Configuration | System | Events | General screen, and you can configure specific events for special handling on the Configuration | System | Events | Classes screens. (Chapter 9, Events.) Event Log: The VPN 3002 records events in an event log, which is stored in nonvolatile memory. Thus the event log persists even if the system is powered off. For troubleshooting any system difficulty, or just to examine details of system activity, consult the event log first. The VPN 3002 holds 256 events. The log wraps when it is full; that is, newer events overwrite older events when the log is full. For the event log, you can configure which event classes and severity levels to log. Note: The VPN 3002 automatically saves the log file if it crashes and when it is rebooted. This log file is named SAVELOG.TXT, and it overwrites any existing file with that name. The SAVELOG.TXT file is useful for debugging. Event Log Data: Each entry (record) in the event log consists of several fields, including: a sequence number; date and time; event severity level; event class and number; event repetition count; event IP address (only for certain events); description string. For more informa
157. digital certificates for authentication. The VPN 3002 creates a self-signed SSL server certificate when it boots, and this certificate must be installed in the browser. Once the certificate is installed, you can connect using HTTPS. You need to install the certificate from a given VPN 3002 only once. Managing the VPN 3002 is the same with or without SSL. Manager screens might take slightly longer to load with SSL because of encryption/decryption processing. When connected via SSL, the browser shows a locked-padlock icon on its status bar. Both Microsoft Internet Explorer and Netscape Navigator support SSL. For HTTPS to work on the public interface, you must enable HTTPS on the VPN 3002 through the command-line interface, or from an HTTP session on the private interface, first. (Chapter 1, Using the VPN 3002 Hardware Client Manager.) Installing the SSL Certificate in Your Browser: Follow these steps to install and use the SSL certificate for the first time. We provide separate instructions for Internet Explorer and Netscape Navigator when they diverge. Step 1: Connect to the VPN 3002 using HTTP as above. Step 2: On the login screen, click the Install SSL Certificate link. The Manager displays the Install SSL Certificate screen and automatically begins to download and install its SSL certificate in your browser. Figure 1-2 Install SSL Certificate Screen (screen text: Install the SSL Ce
158. displays only if you previously clicked the Reset icon. Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Octets Sent/Received: The total number of SSH octets (bytes) sent/received since the VPN 3002 was last booted or reset. (Chapter 13, Monitoring: Monitoring | Statistics | SSH.) Packets Sent/Received: The total number of SSH packets sent/received since the VPN 3002 was last booted or reset. Active Sessions: The number of currently active SSH sessions. Maximum Sessions: The maximum number of simultaneously active SSH sessions on the VPN 3002. Total Sessions: The total number of SSH sessions since the VPN 3002 was last booted or reset. SSH Sessions: Presents details on SSH sessions. Login Name: The name of the administrator using the session. Remote IP Address:Port: The remote IP address for the session. Login Time: The time of day when the login for the session occurred. Encryption: The type of encryption algorithm used for the session. Octets Sent/Received: The number of octets sent and received during the session. Packets Sent/Received: The number of packets sent and received during the session. Monitoring | Statistics | NAT: This screen s
159. ditional security. Maximum Sessions 4: Enter the maximum number of concurrent HTTP/HTTPS server users. Apply, Cancel). Enable HTTP: Check the box to enable the HTTP server. The box is checked by default. HTTP must be enabled to install the SSL certificate in the browser initially, so you can thereafter use HTTPS. Disabling the HTTP server provides additional security, but makes system management less convenient. See the notes above. (Chapter 8, Management Protocols: Configuration | System | Management Protocols | HTTP/HTTPS.) Enable HTTPS: Check the box to enable the HTTPS server. The box is checked by default. HTTPS (also known as HTTP over SSL) lets you use the Manager over an encrypted connection. Enable HTTPS on Public: Check the box to enable HTTPS on the Public interface. HTTP Port: Enter the port number that the HTTP server uses. The default is 80, which is the well-known port. HTTPS Port: Enter the port number that the HTTPS server uses. The default is 443, which is the well-known port. Maximum Sessions: Enter the maximum number of concurrent, combined HTTP and HTTPS sessions (users) that the server allows. Minimum is 1, default is 4, maximum is 10. Apply / Cancel: To apply your HTTP/HTTPS server settings, to include your settings in the active configuration, and to break the current HTTP/HTTPS connection, click Apply. If HTTP or HTTPS is
160. dministration tasks and network security requirements. We recommend that you not change them without good reason. Note: To ensure the security of your connection to the Manager, if you click Apply on this screen, even if you have made no changes, you break your connection to the Manager and you must restart the Manager session from the login screen. Related information: For information on installing the SSL digital certificate in your browser and connecting via HTTPS, see Chapter 1, Using the VPN 3002 Hardware Client Manager. To configure HTTPS parameters, see the Configuration | System | Management Protocols | HTTP/HTTPS screen. To configure Telnet/SSL parameters, see the Configuration | System | Management Protocols | Telnet screen. To manage SSL digital certificates, see the Administration | Certificate Management screens. (Chapter 8, Management Protocols: Configuration | System | Management Protocols | SSL.) Figure 8-12 Configuration | System | Management Protocols | SSL Screen (screen text: Configure SSL. If you click Apply, you will break your HTTP/HTTPS connection to this device and you will have to restart from the login screen. Encryption Protocols: RC4-128/MD5 [checked]; 3DES-168/SHA [checked]; DES-56/SHA; RC4-40/MD5 Export; DES-40/SHA Export. Check the encryption algorithms to enable. Unchecking them all disables SSL. Client Authentication: Check to enable client authentication
161. e instead of Identity certificate. Some web servers export their SSL certificates with the private key attached. If you have a PEM-encoded certificate with a corresponding private key that you want to install, follow the same procedure you used to obtain identity certificates. See the Enrolling and Installing Identity Certificates section. But this time, on the Administration | Certificate Management | Installation screen, click Install SSL certificate with private key instead of Install certificate obtained via enrollment. (Chapter 12, Administration: Certificate Management.) Enabling Digital Certificates on the VPN 3002. Note: Before you enable digital certificates on the VPN 3002, you must obtain at least one CA and one identity certificate. If you do not have a CA and an identity certificate installed on your VPN 3002, follow the steps in the previous section, Enrolling and Installing Digital Certificates, before beginning this section. For the VPN 3002 to use the digital certificates you obtained, you must enable authentication using digital certificates. Step 1: Display the Configuration | System | Tunneling Protocols | IPSec screen. See Figure 12-32. Figure 12-32 Configuration | System | Tunneling Protocols | IPSec Screen (screen text: Enter the information needed to connect to the central-site VPN Concentrator server. Remote Server 61.44.246.15: Enter remote server address/host name. 152.156.10.1: Enter up to
162. e displayed in 6-byte hexadecimal notation. You cannot change this address. Speed: Click the drop-down menu button and select the interface speed. 10 Mbps: Fix the speed at 10 megabits per second (10Base-T networks). 100 Mbps: Fix the speed at 100 megabits per second (100Base-T networks). 10/100 auto: Let the VPN 3002 automatically detect and set the appropriate speed, either 10 or 100 Mbps (default). Be sure that the port on the active network device (hub, switch, router, etc.) to which you connect this interface is also set to automatically negotiate the speed. Otherwise, select the appropriate fixed speed. Duplex: Click the drop-down menu button and select the interface transmission mode. Auto: Let the VPN 3002 automatically detect and set the appropriate transmission mode, either full or half duplex (default). Be sure that the port on the active network device (hub, switch, router, etc.) to which you connect this interface is also set to automatically negotiate the transmission mode. Otherwise, select the appropriate fixed mode. Full-Duplex: Fix the transmission mode as full duplex (transmits and receives at the same time). Half-Duplex: Fix the transmission mode as half duplex (transmits or receives, but not at the same time). Apply / Cancel: To apply your settings to the system and include them in the active configuration, click Apply. The Manager returns to the Configuration | Interfaces screen. To save the active configuration and make it the
163. e 13-10 Monitoring | Statistics | HTTP Screen (screen text: Reset, Refresh. Octets: Sent 1475558, Received 240902. Packets: Sent 1666, Received 502. Sockets/Sessions: Active 1/1, Total 177. HTTP Sessions table, columns Login Name, IP Address, Login Time, Encryption, Octets Sent/Received, Packets Sent/Received, Sockets Active/Peak/Total; row: admin, 161.44.246.135, Oct 11 17:15:46, None, 374135, 33033, 412, 65, 1, 4, 44. Max Connections 5). (Chapter 13, Monitoring: Monitoring | Statistics | HTTP.) Reset: To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer. Restore: To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon. Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Octets Sent/Received: The total number of HTTP octets (bytes) sent or received since the VPN 3002 was last booted or reset. Packets Sent/Received: The total number of HTTP packets sent or received sinc
164. e FCS (Frame Check Sequence) used for error-detection check. FCS Errors: The number of frames received on this interface that are an integral number of bytes in length, but do not pass the FCS (Frame Check Sequence) check. Carrier Sense Errors: The number of times that the carrier sense signal was lost or missing when trying to transmit a frame on this interface. SQE Test Errors: The number of times that the SQE (Signal Quality Error) Test Error message was generated for this interface. The SQE message tests the collision circuits on an interface. Frame Too Long Errors: The number of frames received on this interface that exceed the maximum permitted frame size. Deferred Transmits: The number of frames for which the first transmission attempt on this interface is delayed because the medium is busy. This number does not include frames involved in collisions. Single Collisions: The number of successfully transmitted frames on this interface for which transmission is inhibited by exactly one collision. This number is not included in the Multiple Collisions number. Multiple Collisions: The number of successfully transmitted frames on this interface for which transmission is inhibited by more than one collision. This number does not include the Single Collisions number. Late Collisions: The number of times that a collision is detected on this interface later than 512 bit-times into the transmission of a packet (512 bit-times = 51.2 mi
165. e VPN 3002 in Network Extension mode. (Chapter 13, Monitoring: Monitoring | System Status.) Tunnel Established to: The IP address of the VPN Concentrator to which this VPN 3002 connects. Duration: The length of time that this tunnel has been up. Security Associations: This table describes the following attributes of the SAs for this VPN 3002. Type: The type of tunnel for this SA, either IPSec or IKE (the control tunnel). Remote Address: Network/subnet mask for this split-tunneled SA. Encryption: The encryption method this SA uses. Authentication: The authentication method this SA uses. Octets In: The number of octets (bytes) this SA has received since the tunnel has been up. Octets Out: The number of octets (bytes) this SA has sent since the tunnel has been up. Packets In: The number of packets this SA has received since the tunnel has been up. Packets Out: The number of packets this SA has sent since the tunnel has been up. Other: Additional information about this SA, including mode. Front Panel: The front-panel image is an inactive link. Back Panel, Private/Public Interface: The back-panel image includes active links for the VPN 3002 private and public interfaces. Use the mouse pointer to select either the private or public
166. e active Configuration and use it at Reboot. 2) Reboot without saving active Configuration file. 3) Reboot ignoring the Configuration file. 4) Back. Admin> 2.2.3 Administration > System Reboot > Schedule Shutdown: 1) Save active configuration and use it at next reboot. 2) Shutdown without saving active Configuration file. 3) Shutdown ignoring the Configuration file at next reboot. 4) Back. Admin> 2.3 Administration > Ping: > Ping host. Admin> 2.4 Administration > Access Rights: 1) Administrators. 2) Access Settings. 3) Back. Admin> 2.4.1 Administration > Access Rights > Administrators. Admin> 1 Administrative Users (Username, Enabled): admin, Yes; config, No; isp, No. 1) Modify Administrator. 2) Back. Admin> (Chapter 14, Using the Command Line Interface: Menu Reference.) 2.4.2 Administration > Access Rights > Access Settings: 1) Set Session Timeout. 2) Set Session Limit. 3) Set Config File Encryption. 4) Back. 2.5 Administration > File Management: List of Files: CONFIG, CONFIG.BAK. 1) View Config File. 2) Delete Config File. 3) View Backup Config File. 4) Delete Backup Config File. 5) Swap Config Files. 6) Upload Config File. 7) Back. 2.5.5 Administration > File Management > Swap Configuration File: Every time the active configuration is saved ... 1) Swap. 2) Back. Admin> _
167. e buttons are also present at the bottom of the screen. (Chapter 13, Monitoring: Monitoring | Filterable Event Log.) Get Log: To download the event log from VPN 3002 memory to your PC and view it or save it as a text file, click Get Log. The Manager opens a new browser window to display the file. The browser address bar shows the VPN 3002 address and log file default filename, for example http://10.10.4.6/LOG/vpn3002log.txt. To save a copy of the log file on your PC, click the File menu on the new browser window and select Save As. The browser opens a dialog box that lets you save the file. The default filename is vpn3002log.txt. Alternatively, you can use the secondary mouse button to click Get Log on this Monitoring | Filterable Event Log screen. A pop-up menu presents choices whose exact wording depends on your browser, but among them are: Open Link / Open Link in New Window / Open in New Window: Open and view the file in a new browser window, as above. Save Target As / Save Link As: Save a copy of the log file on your PC. Your system will prompt for a filename and location. The default filename is vpn3002log.txt. When you are finished viewing or saving the file, close the new browser window. Clear Log: To clear the current event log from memory, click this button. The Manager then refreshes the screen and shows the empty log. Caution: The Manager imm
168. e main Administration screen, to open the first level of subordinate Administration pages in the left frame if they are not already open, and to close any open Configuration or Monitoring pages in the left frame. Monitoring: Click the Monitoring tab to go to the main Monitoring screen, to open the first level of subordinate Monitoring pages in the left frame if they are not already open, and to close any open Configuration or Administration pages in the left frame. (Chapter 1, Using the VPN 3002 Hardware Client Manager: Understanding the VPN 3002 Hardware Client Manager Window.) Save: Click the Save icon to save the active configuration and make it the boot configuration. In this state, the reminder indicates that the active configuration is the same as the boot configuration, but you can save it anyway. When you change the configuration, the reminder changes to Save Needed. Save Needed: This reminder indicates that you have changed the active configuration. Click the Save Needed icon to save the active configuration and make it the boot configuration. As you make configuration entries, they take effect immediately and are included in the active, or running, configuration. However, if you reboot the VPN 3002 without saving the active configuration, any configuration changes are lost. Clicking on this reminder saves the active configuration as the boot configuration and restore
e the VPN 3002 was last booted or reset.

Sockets: The number of HTTP connections for the VPN 3002.
Active: The number of currently active HTTP connections on the VPN 3002.
Peak: The maximum number of HTTP connections that were simultaneously active on the VPN 3002 since it was last booted or reset.
Total: The total number of HTTP connections on the VPN 3002 since it was last booted or reset.

HTTP Sessions
This section provides information about HTTP sessions on the VPN 3002 since it was last booted or reset.
Login Name: The name of the administrative user for the HTTP session.
IP Address: The IP address of the administrative user for the HTTP session.
Login Time: The time when the HTTP session began.
Encryption: The encryption method used in the HTTP session.
Octets Sent/Received: Number of octets sent or received during the HTTP session.
Packets Sent/Received: Number of packets sent or received during the HTTP session.
Sockets Active: The number of currently active sockets for the HTTP session.
Sockets Peak: The maximum number of sockets simultaneously active during the HTTP session.
Sockets Total: The total number of sockets active during the HTTP session.
Max Connections: The maximum number of concurrent HTTP connections for the VPN 3002 since it was last reboote
e the screen displays.

Figure 13-2 Monitoring | Routing Table Screen (screen capture: Refresh and Clear Routes buttons, Valid Routes: 3, and the following sample routing table)
Address        Mask             Next Hop     Interface           Protocol   Age   Metric
0.0.0.0        0.0.0.0          130.0.0.1    Public Interface    Default    0     1
130.0.0.0      255.255.0.0      0.0.0.0      Public Interface    Local      0     1
192.168.10.0   255.255.255.0    0.0.0.0      Private Interface   Local      0     1

Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Clear Routes: Clears the dynamic routing entries from the display. Clicking this button does not affect the display of static routing entries.
Valid Routes: The total number of current valid routes that the VPN 3002 knows about. This number includes all valid routes, and it might be greater than the number of rows in the routing table, which shows only the best routes with duplicates removed.
Address: The packet destination IP address that this route applies to. This address is combined with the subnet mask to determine the destination route. 0.0.0.0 indicates the default gateway.
Mask: The subnet mask for the destination IP address in the Address field. 0.0.0.0 indicates the default gateway.
Next Hop: For remote routes, the IP address of the next system in the path to the destination. 0.0.0.0 indicates a local route; that is, there is no next hop.
Interface: The VPN 3002 network interface through which tra
(Figure: Install CA Certificate via SCEP screen, a screen capture with the text "Please wait for the operation to complete", the fields URL and CA Descriptor (required for some PKI configurations), and the Retrieve and Cancel buttons)

Step 4 Fill in the fields and click Retrieve. For more information on this screen, see the Administration | Certificate Management | Install | Certificate Type section. The Manager installs the CA certificate on the VPN 3002 and displays the Administration | Certificate Management screen. Your new CA certificate appears in the Certificate Authorities table.

Installing CA Certificates Manually
Note: If you install a CA certificate using the manual method, you cannot use this CA later to request identity or SSL certificates with SCEP. If you want to be able to use SCEP to request certificates, obtain the CA certificate using SCEP.
Step 1 Retrieve a CA certificate from your CA and download it to your PC.
Step 2 Using the VPN 3002 Hardware Client Manager, display the Administration | Certificate Management screen. See Figure 12-19.
Step 3 Click "Click here to install a CA certificate".
Note: The "Click here to install a CA certificate" option is available from this window only when no CA certificates are installed on the VPN 3002. If you do not see this option, click "Click here to install a certificate". The Manager displays the Administration | Certi
e within the network list on the central-site VPN Concentrator travels in the clear, without applying IPSec. NAT translates the network addresses of the devices on the VPN 3002 private network to the address of the VPN 3002 public interface. Thus the network and addresses on the private side of the VPN 3002 are accessible over the tunnel, but are protected from the Internet; that is, they cannot be accessed directly.

VPN 3000 Series Concentrator Settings Required for Network Extension Mode
For the VPN 3002 to use Network Extension mode, these are the requirements for the central-site VPN Concentrator:
1. The VPN Concentrator at the central site must be running software version 3.0 or later.
2. Configure a group to which you assign this VPN 3002. This includes assigning a group name and password. See Chapter 14, User Management, in the VPN 3000 Series Concentrator Reference Volume I.
3. Configure one or more users for the group, including usernames and passwords.
4. Configure either a default gateway or a static route to the VPN 3002 private network. See Chapter 8, IP Routing, in the VPN 3000 Series Concentrator Reference Volume I.
5. If you want the VPN 3002 to be able to reach devices on other networks that connect to this VPN Concentrator, review your Network Lists. See Chapter 15, Policy Management, in the VPN 3000 Series Concentrator Reference Volume I.
ediately erases the event log from memory, without asking for confirmation. There is no undo.

Event Log Format
Each entry, or record, in the event log consists of eight or nine fields:
Sequence Date Time Severity Class/Number Repeat (IPAddress) String
The IPAddress field only appears in certain events. For example:
3 12/06/2001 14:37:06.680 SEV=4 HTTP/47 RPT=17 10.10.1.35 New administrator login: admin

Event Sequence: The sequential number of the logged entry. Numbering starts or restarts from 1 when the system powers up, when you save the event log, or when you clear the event log. When the log file wraps after 256 entries, numbering continues with event 257, overwriting event 1. Although numbering restarts at 1 when the system powers up, it does not overwrite existing entries in the event log; it appends them. Assuming the log does not wrap, it could contain several sequences of events starting at 1. Thus you can examine events preceding and following reboot or reset cycles.
Event Date: The date of the event, MM/DD/YYYY. For example, 12/06/2001 identifies an event that occurred on December 6, 2001.
Event Time: The time of the event, hour:minute:second.millisecond. The hour is based on a 24-hour clock. For example, 14:37:06.680 identifies an event that occurred at 2:37:06.680 PM.
Event Severity: The severity le
elect the route from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining static routes in the list. You cannot delete the default gateways here; to do so, see the Configuration | System | IP Routing | Default Gateways screen.
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | System | IP Routing | Static Routes | Add or Modify
These Manager screens let you:
Add: Configure and add a new static, or manual, route to the IP routing table.
Modify: Modify the parameters for a configured static route.

Figure 7-3 Configuration | System | IP Routing | Static Routes | Add Screen (screen capture: "Configure and add a static route"; fields Network Address, Subnet Mask, Metric (the numeric metric for this route, 1 through 16), Destination Router (the router or gateway IP address) and Interface (the interface to route to, for example the Private Ethernet interface, 10.10.147.2); Add and Cancel buttons)

Network Address: Enter the destination network IP address that this static route applies to. Pa
em routes data packets first using static routes, then the default gateway. If you do not specify a default gateway, the system drops packets it cannot otherwise route.

Figure 7-4 Configuration | System | IP Routing | Default Gateways Screen (screen capture: "Configure the default gateways for your system"; Default Gateway field, "Enter the IP address of the default gateway or router. Enter 0.0.0.0 for no default router"; Metric field, "Enter the metric from 1 to 16"; Apply and Cancel buttons)

Default Gateway: Enter the IP address of the default gateway or router. Use dotted decimal notation; for example, 192.168.12.77. This address must not be the same as the IP address configured on any VPN 3002 interface. If you do not use a default gateway, enter 0.0.0.0 (the default entry). To delete a configured default gateway, enter 0.0.0.0. The default gateway must be reachable from a VPN 3002 interface, and it is usually on the public network. The Manager displays a warning screen if you enter an IP address that is not on one of its interface networks, and it displays a dialog box if you enter an IP address that is not on the public network.
Metric: Enter the metric, or cost, for the route to the default gateway. Use a number from 1 to 16, where 1 is the lowest cost. The routing subsystem always tries to use the
Administration | Certificate Management | Renewal
Certificate: This field displays the type of certificate that you are re-enrolling or re-keying.
Renewal Type: Specify the type of request. Re-enrollment: Use the same key pair as the expiring certificate. Re-key: Use a new key pair.
Enrollment Method: Choose an enrollment method. PKCS10 Request (Manual): Enroll using the manual process. [Certificate Name] via SCEP: Enroll automatically using this SCEP CA.
Challenge Password: Your CA might have given you a password as a means of verifying your identity. If you have a password from your CA, enter it here. If you did not receive a password from your CA, choose a password now. You can use this password in the future to identify yourself to your CA.
Verify Challenge Password: Re-type the challenge password you just entered.
Renew / Cancel: To renew the certificate, click Renew. To discard your settings, click Cancel. The Manager returns to the Administration | Certificate Management screen.

Administration | Certificate Management | Activate or Re-Submit | Status
This status screen appears after you activate or re-submit an enrollment request. It displays the status of the reque
(Figure: Monitoring | Statistics | MIB-II | TCP/UDP screen, a screen capture showing counters such as Segments Transmitted, Datagrams Transmitted, Segments Retransmitted, Errored Datagrams, Timeout Min (1000 msec) and Timeout Max (32000 msec), No Port, Connection Limit, Active Opens, Passive Opens, Attempt Failures, Established Resets and Current Established)

Reset: To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer.
Restore: To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.
Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
TCP Segments Received: The total number of segments received, including those received in error and those received on currently established connections. Segment is the official TCP name for what is casually called a data packet.
TCP Segments Transmitted: The total number of segments sent, including those on currently established connec
ering 0.0.0.0 matches the specified address; entering 255.255.255.255 matches all addresses.
Enable SSH on Public: Check the Enable SSH on Public check box to allow XML management over Secure Shell (SSH) on the VPN 3002 public interface.
SSH IP Address: Enter the IP address from which to allow SSH access on the VPN 3002 public interface.
SSH Wildcard mask: Enter the wildcard mask for the SSH IP address.
Note: Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has 1s in bit positions to ignore and 0s in bit positions to match. For example, entering 0.0.0.0 matches the specified address; entering 255.255.255.255 matches all addresses.

Events
An event is any significant occurrence within or affecting the VPN 3002, such as an alarm, trap, error condition, network problem, task completion, threshold breach, or status change. The VPN 3002 records events in an event log, which is stored in nonvolatile memory. You can also specify that certain events trigger a console message, a UNIX syslog record, or an SNMP management system trap.
Event attributes include class and severity level.
Event Class: Event class denotes the source of the event and refers to a specific hardware or
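The wildcard-mask rule for the SSH IP Address above, as an added example that is not part of the Cisco manual: it evaluates a source address against an address/wildcard pair and shows what happens when a subnet mask is typed into the wildcard field by mistake (all addresses and masks below are constructed).

```python
"""Check a source address against the SSH IP Address / SSH Wildcard mask pair.

Added example, not from the Cisco manual. A wildcard mask has 1 bits where
the VPN 3002 ignores the address and 0 bits where it must match, the inverse
of a subnet mask; typing a subnet mask into the wildcard field by mistake
opens SSH management access far wider than intended.
"""
import ipaddress


def _u32(dotted: str) -> int:
    """Dotted-decimal IPv4 string to a 32-bit integer (raises on bad input)."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(candidate: str, address: str, wildcard: str) -> bool:
    """True if candidate equals address in every bit the wildcard does not ignore."""
    return ((_u32(candidate) ^ _u32(address)) & ~_u32(wildcard)) == 0


def subnet_to_wildcard(subnet_mask: str) -> str:
    """Invert a subnet mask into the wildcard mask the VPN 3002 expects."""
    return str(ipaddress.IPv4Address(_u32(subnet_mask) ^ 0xFFFFFFFF))


def allowed_count(wildcard: str) -> int:
    """Number of distinct source addresses a wildcard mask admits."""
    return 1 << bin(_u32(wildcard)).count("1")


if __name__ == "__main__":
    # The manual's two stated cases: 0.0.0.0 is an exact match,
    # 255.255.255.255 matches any host.
    print(wildcard_match("10.10.1.35", "10.10.1.35", "0.0.0.0"))          # True
    print(wildcard_match("192.0.2.9", "10.10.1.35", "255.255.255.255"))   # True
    # Intended: one management LAN, 10.10.1.0/24 -> wildcard 0.0.0.255 (256 hosts).
    print(subnet_to_wildcard("255.255.255.0"), allowed_count("0.0.0.255"))
    # Mistake: the subnet mask entered as the wildcard matches any address
    # ending in .0 on any network, admitting 2**24 sources instead of 256.
    print(wildcard_match("203.0.113.0", "10.10.1.0", "255.255.255.0"),
          allowed_count("255.255.255.0"))
```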
(Figure: identity certificate enrollment request screen, a screen capture. Its text reads: "The CA's certificate must be installed as a Certificate Authority before installing the certificate you requested. Please wait for the operation to finish." Fields: Common Name (CN), the common name for the VPN 3002 Hardware Client to be used in this PKI; Organizational Unit (OU), the department; Organization (O), the organization or company; Locality (L), the city or town; State/Province (SP); Country (C), the two-letter country abbreviation, e.g. United States = US; Subject Alternative Name (FQDN), the Fully Qualified Domain Name for the VPN 3002 Hardware Client to be used in this PKI; Subject Alternative Name (E-Mail Address), the e-mail address for the VPN 3002 Hardware Client to be used in this PKI; Key Size, the key size for the generated RSA/DSA key pair; Enroll and Cancel buttons.)

Fields: For an explanation of each of the fields on this screen, see Table 12-1 on page 12-20.
Enroll / Cancel: To generate the certificate request, click Enroll. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen (see Figure 12-38) with the text of your certificate. To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen.
es a few minutes to upload and verify the software, and the system displays the progress. Please wait for the operation to finish. To run the new software image, you must reboot the VPN 3002. The system prompts you to reboot when the update is finished. We also recommend that you clear your browser cache after you update the software image: delete all the temporary internet files, history files, and location bar references.

Note: The VPN 3002 has two locations for storing image files: the active location, which stores the image currently running on the system, and the backup location. Updating the image overwrites the stored image file in the backup location and makes it the active location for the next reboot. Updating twice, therefore, overwrites the image file in the active location, and the current image file is lost. The Manager displays a warning on this screen if you have already updated the image without rebooting.

Caution: You can update the software image while the system is still operating as a VPN device. Rebooting the system, however, terminates all active sessions.

Caution: While the system is updating the image, do not perform any other operations that affect Flash memory (listing, viewing, copying, deleting, or writing files). Doing so might corrupt memory.

Updating the software image also makes available any new Cisco-supplied configurable selections. When you reboot with the new image, the system updat
es the active configuration in memory with these new selections, but it does not write them to the CONFIG file until you click the Save Needed icon in the Manager window.

Figure 12-2 Administration | Software Update Screen (screen capture. Its text reads: "This section lets you update the software on your VPN 3002 Hardware Client. The VPN 3002 Hardware Client will verify the integrity of the software image that you download. It will take a few minutes for the upload and verification to take place. Please wait for the operation to finish. Current Software Revision: Cisco Systems, Inc./VPN 3002 Hardware Client Version 3.0.int_66 Jan 22 2001 18:10:43 DEBUG_MASK 0 NDEBUG off. Type in the name of the image file below." followed by the current image file name and the Browse, Upload and Cancel buttons.)

Current Software Revision: The name, version number, and date of the software image currently running on the system.
Browse: Enter the complete pathname of the new image file, or click Browse to find and select the file from your workstation or network. Cisco-supplied VPN 3002 software image files are named vpn3002-<Major Version>.<Minor Version>.<Patch Version>.bin; for example, vpn3002-3.5.Rel-k9.bin. The Major and Minor Version numbers are always present; the Sustaining and Patch Version numbers are pre
etain or change its configuration parameters.
DHCP Client: Click this radio button if you want to obtain the IP address and subnet mask for this interface via DHCP. If you click this button, you do not make entries in the IP address and subnet mask parameters that follow.
PPPoE Client: Click this radio button if you want to connect using PPPoE. If you select PPPoE, you do not make entries in the static IP addressing parameters that follow.
PPPoE User Name: If you have selected PPPoE, enter a valid PPPoE username.
PPPoE Password: If you have selected PPPoE, enter the PPPoE password for the username you entered above.
Verify PPPoE Password: If you have selected PPPoE, enter the PPPoE password again to verify it.
Static IP Addressing: Click this radio button if you want to use a static IP address.
IP Address: If you are using static IP addressing, enter the IP address for this interface, using dotted decimal notation; for example, 192.168.12.34. Note that 0.0.0.0 is not allowed. Be sure no other device is using this address on the network.
Subnet Mask: If you are using static IP addressing, enter the subnet mask for this interface, using dotted decimal notation; for example, 255.255.255.0. The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered. For exa
eters on a given screen does not reset the timer.
Session Limit: Enter the maximum number of simultaneous administrative sessions allowed. Minimum is 1, default is 10, and maximum is 50 sessions.
Encrypt Config File: To encrypt sensitive entries in the CONFIG file, check the box (the default). The CONFIG file is in ASCII text format (.INI format). Check this box to encrypt entries such as passwords, keys, and user information. To use clear text for all CONFIG file entries, clear the box. For maximum security, we do not recommend this option.
Apply / Cancel: To save your settings in the active configuration, click Apply. The Manager returns to the Administration | Access Rights screen. To cancel your settings, click Cancel. The Manager returns to the Administration | Access Rights screen.

Administration | File Management
This section of the Manager lets you manage files in VPN 3002 Flash memory. Flash memory acts like a disk. These files include CONFIG, CONFIG.BAK, saved log files, and copies of any of these files that you have saved under different names.

Figure 12-13 Administration | File Management | View Screen (screen capture: "This section of the Manager lets you view files on the VPN 3002 Hardware Client"; Config File: View | Delete | Swap with Backup Config File; Upload
ets; for example, 10.10.4.6.
Status bar: The status bar at the bottom of the browser window displays Manager activity and explanatory messages for some items.
Mouse pointer and tips: As you move the mouse pointer over an active area, the pointer changes shape and icons change color. A description also appears in the status bar area. If you momentarily rest the pointer on an icon, a descriptive tip appears for that icon.
Top frame (Manager toolbar): The Manager toolbar in the top frame provides quick access to Manager features. These include the following icons:
Main: Click the Main tab to go to the main Manager screen and to close all subordinate sections and titles in the left frame.
Help: Click the Help tab to open context-sensitive online help. Help opens in a separate browser window that you can move or resize as you want. Close the help window when you are finished.
Support: Click the Support tab to open a Manager screen with links to Cisco support and documentation resources.
Logout: Click the Logout tab to log out of the Manager and return to the login screen.
Logged in: [username]: The administrator username you used to log in to this Manager session.
Configuration: Click the Configuration tab to go to the main Configuration screen, to open the first level of subordinate Configuration pages in the left frame if they are not already open, and to close any open Administration or Monitoring pages in the left frame.
Administration: Click the Administration tab to go to th
Nonconfigurable DHCP Options
You cannot configure the following DHCP Options: Subnet Mask (option 1), Router (option 3), Domain Name Server (option 6), Domain Name (option 15), NetBIOS Name Server/WINS (option 44). You configure these values on the central-site VPN Concentrator for the group to which the VPN 3002 Hardware Client belongs. As is the case for all group configuration parameters, the central-site VPN Concentrator pushes these values to the VPN 3002 over the tunnel.

Management Protocols
The VPN 3002 Hardware Client includes various built-in servers, using various protocols, that let you perform typical network and system management functions. This section explains how you configure and enable those servers.

Configuration | System | Management Protocols
This section of the Manager lets you configure and enable built-in VPN 3002 servers that provide management functions using: HTTP/HTTPS (Hypertext Transfer Protocol, and HTTP over SSL (Secure Sockets Layer) protocol); Telnet (terminal emulation protocol), and Telnet over SSL; SNMP (Simple
ffic moves on this route: Private interface or Public interface.
Protocol: The protocol or source of this routing table entry. Static: configured static route. Local: local VPN 3002 interface address. ICMP: learned from an ICMP (Internet Control Message Protocol) redirect message. Default: the default gateway.
Age: The number of seconds since this route was last updated or otherwise validated. The age is relative to the screen display time; for example, 25 means the route was last validated 25 seconds before the screen was displayed. 0 indicates a static, local, or default route.
Metric: The metric, or cost, of this route. 1 is lowest; 16 is highest.

Monitoring | Filterable Event Log
This screen shows the events in the current event log, lets you filter and display events by various criteria, and lets you manage the event log file. For troubleshooting any system difficulty, or just to examine details of system activity, consult the event log first.
The VPN 3002 records events in nonvolatile memory; thus the event log persists even if the system is powered off. It holds 256 events, and it wraps when it is full; that is, entry 257 overwrites entry 1, etc. Use the scroll controls, if present, to display more events in the log.
To configure event handling, see the Configuration | System | Events screens.
To Get, Save, or Clear the event log fi
ficate Management | Install screen. Then click Install CA Certificate. The Manager displays the Administration | Certificate Management | Install | CA Certificate screen. See Figure 12-22.

Figure 12-22 Administration | Certificate Management | Install | CA Certificate (screen capture: "Choose the method of installation": SCEP (Simple Certificate Enrollment Protocol), Cut & Paste Text, Upload File from Workstation; "<< Go back and choose a different type of certificate")

Step 4 Choose either of the following installation methods: Cut & Paste Text or Upload File from Workstation.
Step 5 The Manager displays a screen appropriate to your choice. Include the certificate information according to your chosen method. Click Install. The Manager installs the CA Certificate on the VPN 3002 and displays the Administration | Certificate Management screen. Your new CA Certificate appears in the Certificate Authorities table.

Enrolling and Installing Identity Certificates
When you generate a request for an identity certificate, you need to provide the following information.
Tip: Check to be sure that you have this information before you begin.

Table 12-1 Fields in a Certificate Request
Field Name | Abbreviation | Manual | SCEP | Recommended Content
Common Name | CN | Yes | Ye
ficate to display the Administration | Certificate Management | Install screen. See Figure 12-41.

Administration | Certificate Management | Install | CA Certificate | SCEP
In this screen, provide information about the certificate authority in order to retrieve and install a CA certificate automatically using SCEP.

Figure 12-44 Administration | Certificate Management | Install | CA Certificate | SCEP Screen (screen capture: "Enter the information needed to retrieve the CA certificate via SCEP. Please wait for the operation to complete."; fields URL and CA Descriptor (required for some PKI configurations); Retrieve and Cancel buttons)

URL: Enter the URL of the SCEP interface of the CA.
CA Descriptor: Some CAs use descriptors to further identify the certificate. If your CA gave you a descriptor, enter it here. Otherwise, enter a descriptor of your own. You must enter something in this field.
Retrieve / Cancel: To retrieve a CA certificate from the CA and install it on the VPN 3002, click Retrieve. To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen. See Figure 12-19.
for a network problem, check the event log for an internal subsystem failure, or contact Cisco support.
Inbound Authentications: The cumulative total number of inbound individual packet authentications performed by all currently and previously active IPSec Phase 2 tunnels.
Failed Inbound Authentications: The cumulative total of inbound packet authentications that failed, by all currently and previously active IPSec Phase 2 tunnels. Failed authentications could indicate corrupted packets or a potential security attack (man in the middle).
Outbound Authentications: The cumulative total of outbound individual packet authentications performed by all currently and previously active IPSec Phase 2 tunnels.
Failed Outbound Authentications: The cumulative total of outbound packet authentications that failed, by all currently and previously active IPSec Phase 2 tunnels. This number should be zero or very small; if not, check the event log for an internal IPSec subsystem problem.
Decryptions: The cumulative total of inbound decryptions performed by all currently and previously active IPSec Phase 2 tunnels.
Failed Decryptions: The cumulative total of inbound decryptions that failed, by all currently and previously active IPSec Phase 2 tunnels. This number should be zero or very small; if not, check for misconfiguration.
Encryptions: The cumulative total of outbound encryptions performed by all currently and previously active IPSec Phase 2 tunnels.
g the option(s), click any one of the four Page buttons. The Manager refreshes the screen and displays the event log according to your selections.
Your filter options remain in effect as long as you continue working within and viewing Monitoring | Filterable Event Log screens. The Manager resets all options to their defaults if you leave and return, or if you click Filterable Event Log in the left frame of the Manager window (the table of contents). You cannot save filter options.
Event Class: To display all the events in a single event class, click the drop-down menu button and select the event class. To select a contiguous range of event classes, select the first class in the range, hold down the keyboard Shift key, and select the last class in the range. To select multiple event classes, select the first class, hold down the keyboard Ctrl key, and select the other classes. By default, the Manager displays All Classes of events. Table 9-4 under Configuration | System | Events describes the event classes.
Severities: To display all events of a single severity level, click the drop-down menu button and select the severity level. To select a contiguous range of severity levels, select the first severity level in the range, hold down the keyboard Shift key, and select the last severity level in the range. To select multiple severity levels, select the first severity level, hold down the keyboard Ctrl key, and select the other severity levels. By default t
193. ger [Figure: browser certificate dialog listing installed CA certificates (American Express Global CA, BBN Certificate Services CA Root 1, BelSign Class 1/2/3 CA, BelSign Object Publishing CA, BelSign Secure Server CA, Canada Post Corporation CA, CertiSign BR, Cisco VPN Concentrator, Equifax Premium CA, Equifax Secure CA) with Edit, Verify, Delete, OK, Cancel and Help buttons. Dialog text: Select a certificate, then click Edit, Verify or Delete. Click OK when finished.] Connecting to the VPN 3002 Using HTTPS. When you have installed the SSL certificate in the browser, you can connect directly using HTTPS. Step 1: Bring up the browser. Step 2: In the browser Address or Location field, enter https:// plus the VPN 3002 private interface IP address, for example https://10.10.147.2. The browser displays the VPN 3002 Hardware Client Manager HTTPS login screen. A locked padlock icon on the browser status bar indicates an HTTPS session. Also, this login screen does not include the Install SSL Certificate link. Configuring HTTP, HTTPS, and SSL Parameters. HTTP, HTTPS, and SSL are enabled by default on the VPN 3002, and they are configured with recommended parameters that should suit most administration tasks and security requirements. To configure HTTP and HTTPS parameters, see the Configuration | System | Management Protocols | HTTP/HTTPS screen. To configure SSL parameters, see the Configuration | System | M
194. hapter 9 Events. Configuration | System | Events | General. The Original severities and the Cisco IOS severities differ. Original severities number from 1-13; for the meaning of each Original severity, see Table 9-2 on page 9-3. Cisco IOS severities number from 0-7. Table 9-3 shows the meaning of Cisco IOS severities and how they map to Original severities.

Table 9-3 Cisco IOS Severities
Cisco IOS Severity   Meaning         Original Severity
0                    Emergencies     1
1                    Alerts          Not used
2                    Critical        2
3                    Errors          Not used
4                    Warning         3
5                    Notification    4
6                    Informational   5-6
7                    Debugging       7-13

Severity to Log: Click the drop-down menu button and select the range of event severity levels to enter in the event log by default. The choices are None, 1, 1-2, 1-3, ..., 1-13. The default is 1-5; if you choose this range, all events of severity level 1 through severity level 5 are entered in the event log. Severity to Console: Click the drop-down menu button and select the range of event severity levels to display on the console by default. The choices are None, 1, 1-2, 1-3, ..., 1-13. The default is 1-3; if you choose this range, all events of severity level 1 through severity level 3 are displayed on the console. Severity to Syslog: Click the drop-down menu button and select the range of event severity levels to send to a UNIX syslog server by default. The choices are None, 1, 1-2, 1-3, ..., 1-6. The default is None; if you choo
195. he Manager displays All severity levels. See Table 9-4 under Configuration | System | Events for an explanation of severity levels. Client IP Address: To display all events relating to a single IP address, enter the IP address in the field using dotted decimal notation, for example 10.10.1.35. By default, the Manager displays all IP addresses. To restore the default, enter 0.0.0.0. Events/Page: To display a given number of events per Manager screen (page), click the drop-down menu button and select the number. Choices are 10, 25, 50, 100, 250, and ALL. By default, the Manager displays 100 events per screen. Direction: To display events in a different chronological order, click the drop-down menu button and select the order. Choices are: Oldest to Newest, display events in actual chronological order, with oldest events at the top of the screen (this is the default selection); Newest to Oldest, display events in reverse chronological order, with newest events at the top of the screen. First Page: To display the first page (screen) of the event log, click this button. By default, the Manager displays the first page of the event log when you first open this screen. Previous Page: To display the previous page (screen) of the event log, click this button. Next Page: To display the next page (screen) of the event log, click this button. Last Page: To display the last page (screen) of the event log, click this button. All four Pag
196. he NAT session. Monitoring | Statistics | PPPoE. This screen shows statistics for PPPoE (PPP over Ethernet) activity on the VPN 3002 since it was last booted or reset. [Figure 13-17 Monitoring | Statistics | PPPoE screen: a PPPoE Statistics table with columns User Name, Session ID, PPPoE Access Concentrator MAC Address, Server Name and Duration, followed by counters for PADI, PADR, Multiple PADO, PADT, Generic Errors, Malformed Packets and Timeouts; Reset and Refresh icons.] Reset: To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer. Restore: To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon. Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. User Name: The username for the PPPoE session. Session ID: The ID for the session, assigned by the ISP. The Session ID combined with
197. hows statistics for NAT (Network Address Translation) activity on the VPN 3002 since it was last booted or reset. [Figure 13-16 Monitoring | Statistics | NAT screen: Packets In/Out counters; Translations Active, Peak and Total; and a NAT Sessions table with columns Source IP Address/Port, Destination IP Address/Port, Translated IP Address/Port, Direction, Age, Type, Bytes and Packets; Reset and Refresh icons.] Reset: To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer. Restore: To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon. Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Packets In/Out: The total of NAT packets inbound and outbound since the last time the VPN 3002 was rebooted or reset. Monitoring | Statistics | NA
198. ia HTTP. [Figure: Administration | File Management | View screen listing the Config File, Backup Config File and Saved Log File, each with View, Delete and, for the backup, Swap with Config File links.] View Files lets you view configuration and saved log files. You can also save these files to the PC on which you are viewing them. To view a file, click View next to the type of file you want to see. The Manager opens a new browser window to display the file, and the browser address bar shows the filename. You can also save a copy of the file on the PC that is running the browser. Click the File menu on the new browser window and select Save As. The browser opens a dialog box that lets you save the file. The default filename is the same as on the VPN 3002. Be sure to save a configuration file as a .TXT file, not a .HTM file. Some browser versions default to saving the file as an .HTM file, so you may need to change the file type. Saving the file as an .HTM file causes some data to be added to the top of the configuration file that is not valid configuration data. If you subsequently upload the file containing the invalid data to the VPN Concentrator or VPN 3002, it may cause unpredictable results. Alternatively, you can use the secondary mouse button to click View on this Manager screen. A pop-up menu presents choices whose exact wording depends on your browser, but among them are: Open Link, Open Link in New Window, Open in New Window (open and view the file in a new browser window, as above); Save Target As, Save Li
199. icate information according to your chosen method. Click Install. The Manager installs the identity certificate on the VPN 3002 and displays the Administration | Certificate Management screen. Your new identity certificate appears in the Identity Certificates table. Obtaining SSL Certificates. If you use a secure connection between your browser and the VPN 3002, the VPN 3002 requires an SSL certificate. You only need one SSL certificate on your VPN 3002. When you initially boot the VPN 3002, a self-signed SSL certificate is automatically generated. Because a self-signed certificate is self-generated, this certificate is not verifiable: no CA has guaranteed its identity. But this certificate allows you to make initial contact with the VPN 3002 using the browser. If you want to replace it with another self-signed SSL certificate, follow these steps. Step 1: Display the Administration | Certificate Management screen. See Figure 12-19. Step 2: Click Generate above the SSL Certificate table. The new certificate appears in the SSL Certificate table, replacing the existing one. If you want to obtain a verifiable SSL certificate, that is, one issued by a CA, follow the same procedure you used to obtain identity certificates. See the Enrolling and Installing Identity Certificates section. But this time, on the Administration | Certificate Management | Enroll screen, click SSL certificat
200. ication Union (ITU) X.509 standards, specifically RFC 2459. The Subject and Issuer fields conform to ITU X.520. This screen is read-only; you cannot change any information here. [Figure 12-47 Administration | Certificate Management | View screen: shows the Subject and Issuer fields (CN, OU, O, L, SP, C), Serial Number, Signing Algorithm, Public Key Type, Certificate Usage, MD5 Thumbprint, SHA1 Thumbprint, Validity and CRL Distribution Point of a sample certificate, with a Back button.] Certificate Fields. A certificate contains some or all of the following fields: Subject, Issuer, CN, OU, SP, Serial Number, Signing Algorithm, Public Key Type, Certificate Usage, MD5 Thumbprint. Field / Content: Subject: The person or system that uses the certificate. For a CA root certificate, the Subject and Issuer are the same. Issuer: The CA or other entity ju
201. ice location, e.g. Computer Lab. [Apply and Cancel buttons.] System Name: Enter a system name that uniquely identifies this VPN 3002 on your network, for example VPN01. Maximum 255 characters. Contact: Enter the name of the contact person who is responsible for this VPN 3002. Maximum 255 characters. Location: Enter the location of this VPN 3002. Maximum 255 characters. Apply / Cancel: To apply your system identification settings and include them in the active configuration, click Apply. The Manager returns to the Configuration | System | General screen. Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | General screen. Configuration | System | General | Time and Date. This screen lets you set the time and date on the VPN 3002. Setting the correct time is very important so that logging information is accurate. [Figure 10-3 Configuration | System | General | Time and Date screen. Screen text: Configure the time and date. Setting the time on your VPN 3002 Hardware Client is very important so that logging information is correct. The current time on the device is Friday, 23 February 2001 15:12:14.] New
202. CHAPTER: IP Routing. The VPN 3002 includes an IP routing subsystem with static routing, default gateways, and DHCP. To route packets, the subsystem uses static routes and the default gateway. If you do not configure the default gateway, the subsystem drops packets that it cannot otherwise route. You configure static routes and default gateways in this section. This section also includes the system-wide DHCP (Dynamic Host Configuration Protocol) server parameters. Configuration | System | IP Routing. This section of the Manager lets you configure system-wide IP routing parameters: Static Routes, manually configured routing tables; Default Gateways, routes for otherwise unrouted traffic; DHCP (Dynamic Host Configuration Protocol) global parameters; DHCP Options, facilities that allow the VPN 3002 DHCP server to respond with configurable parameters for specific kinds of devices (such as PCs, IP telephones, print servers, etc.) as well as an IP address. [Figure 7-1 Configuration | System | IP Routing screen. Screen text: This section lets you configure system-wide IP Routing options. Click here to configure interfaces. In the left frame, or in the list of links below, click the option you want: Static Routes; Default Gateways; DHCP, Dynamic Host Configuration Protocol global parameters; DHCP Options, Dynamic Host Configuration Protocol option parameters.] VPN 3002
203. ies that failed because there was no response from the server. Server Unreachable: The number of DNS queries that failed because, according to the VPN 3002 routing table, the address of the server is not reachable. Other Failures: The number of DNS queries that failed for an unspecified reason. Monitoring | Statistics | SSL. This screen shows statistics for SSL (Secure Sockets Layer) protocol traffic on the VPN 3002 since it was last booted or reset. To configure SSL, see Configuration | System | Management Protocols | SSL. [Figure 13-13 Monitoring | Statistics | SSL screen: Inbound Octets and Outbound Octets (Unencrypted and Encrypted), Total Sessions, Active Sessions and Max Active Sessions; Reset and Refresh icons.] Reset: To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer. Restore: To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon. Refresh: To update the screen and its da
204. ig files. If the uploaded file has the VPN 3002 filename config, the system deletes any existing config.bak file, renames the existing config file as config.bak, then writes the new config file. However, these actions occur only if the file transfer is successful, so existing files are not corrupted. To use these functions, you must have Administrator or Configuration Access Rights. See the Administration | Access Rights | Administrators screen. [Figure 12-15 Administration | File Management | Config File Upload screen. Screen text: This section lets you upload a config file to your VPN 3002 Hardware Client. Please wait for the operation to finish. Type in the name of the file on your workstation. Fields and buttons: Local Config File, Browse, Upload, Cancel.] Local Config File / Browse: Enter the name of the file on your PC. In a Windows environment, enter the complete pathname using MS-DOS syntax, for example c:\vpn3002\config0077. You can also click the Browse button to open a file navigation window, find the file, and select it. Upload / Cancel: To upload the file to the VPN 3002, click Upload. The Manager opens the File Upload Progress window. To cancel your entries on this screen, or to stop a file upload that is in progress, click Cancel. The Manager returns to the Administration | File Management | View screen. Stopping an upload might leave a temporary file in VPN 3002 Flash memory. Such files are named TnnnF.nnn, for example T003F.002. You c
205. imum is 10 retries. Apply / Cancel: To apply your settings for DNS servers and include the settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Servers screen. Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Servers screen. CHAPTER: Tunneling. Tunneling is the heart of virtual private networking. Tunnels make it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network. The secure connection is called a tunnel, and the VPN 3002 uses the IPSec tunneling protocol to: negotiate tunnel parameters; establish tunnels; authenticate users and data; manage security keys; encrypt and decrypt data; manage data transfer across the tunnel; manage data transfer inbound and outbound as a tunnel endpoint. The VPN 3002 functions as a bidirectional tunnel endpoint. It can receive plain packets from the private network, encapsulate them, create a tunnel, and send them to the other end of the tunnel, where they are unencapsulated and sen
206. ing, select the string from the list and click Modify. The Manager opens the Configuration | System | Management Protocols | SNMP Communities | Modify screen. To delete a configured community string, select the string from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the list. Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen. [Figure 8-9 Configuration | System | Management Protocols screen. Screen text: This section lets you configure built-in management protocol servers. In the left frame, or in the list of links below, click the function you want: HTTP/HTTPS, Hypertext Transfer Protocol (Secure); Telnet, terminal emulation protocol; SNMP, Simple Network Management Protocol; SNMP Community Strings, identifiers for valid SNMP clients; SSL, Secure Sockets Layer, used with HTTPS; SSH, Secure Shell, a secure Telnet-like protocol.] Configuration | System | Management Protocols | SNMP Communities | Add or Modify. These Manager screens let you: Add, configure and add a new SNMP community string; Modify, modify a configured SNMP community stri
207. ing the PPPoE session. Monitoring | Statistics | MIB-II. This section of the Manager lets you view statistics that are recorded in standard MIB-II objects on the VPN 3002. MIB-II (Management Information Base, version 2) objects are variables that contain data about the system. They are defined as part of the Simple Network Management Protocol (SNMP), and SNMP-based network management systems can query the VPN 3002 to gather the data. Each subsequent screen displays the data for a standard MIB-II group of objects: Interfaces, packets sent and received on network interfaces and VPN tunnels; TCP/UDP, Transmission Control Protocol and User Datagram Protocol segments and datagrams sent and received, etc.; IP, Internet Protocol packets sent and received, fragmentation and reassembly data, etc.; ICMP, Internet Control Message Protocol ping, timestamp, and address mask requests and replies, etc.; ARP Table, Address Resolution Protocol physical (MAC) addresses, IP addresses, and mapping types; Ethernet, errors and collisions, MAC errors, etc.; SNMP, Simple Network Management Protocol requests, bad community strings, parsing errors, etc. To configure and enable the VPN 3002 SNMP server, see the Configuration | System | Management Protocols | SNMP screen. Figure 13-18 Monitoring | Statistics | MIB
208. inistration and Monitoring provides guidelines for administering and monitoring the VPN Concentrator. It explains and defines all functions available in the Administration and Monitoring screens of the VPN Concentrator Manager. Appendixes to this manual provide troubleshooting guidance and explain how to access and use the alternate command-line interface. The VPN Concentrator Manager also includes online help that you can access by clicking the Help icon on the toolbar in the Manager window. VPN Client Documentation. The VPN Client User Guide explains how to install, configure, and use the VPN Client, which lets a remote client use the IPSec tunneling protocol for secure connection to a private network through the VPN Concentrator. The VPN Client Administrator Guide tells how to configure a VPN 3000 Concentrator for remote user connections using the VPN Client, how to automate remote user profiles, how to use the VPN Client command-line interface, and how to get troubleshooting information. Documentation on VPN Software Distribution CDs. The VPN 3000 Series Concentrator and VPN 3002 Hardware Client documentation are provided on the VPN 3000 Concentrator software distribution CD-ROM in PDF format. The VPN Client documentation is included on the VPN Client software distribution CD-ROM, also in PDF format. To view the latest versions on the
209. ion | Certificate Management 12-31. Administration | Certificate Management | Enroll 12-37. Administration | Certificate Management | Enroll | Certificate Type 12-38. (VPN 3000 Series Concentrator Reference Volume I: Configuration, 78-13782-01, Contents.) Administration | Certificate Management | Enroll | Certificate Type | PKCS10 12-39. Administration | Certificate Management | Enrollment or Renewal Request Generated 12-40. Administration | Certificate Management | Enroll Identity Certificate | SCEP 12-41. Administration | Certificate Management | Enroll SSL Certificate | SCEP 12-42. Administration | Certificate Management | Install 12-44. Administration | Certificate Management | Install | Certificate Obtained via Enrollment 12-45. Administration | Certificate Management | Install | Certificate Type 12-46. Administration | Certificate Management | Install CA Certificate | SCEP 12-47. Administration | Certificate Management | Install | Certificate Type | Cut and Paste Text 12-48. Administration | Certificate Management | Install | Certificate Type | Upload File from Workstation 12-49. Administration | Certificate Management | View 12-50. Administration | Certificate Management | Configure CA Certificate 12-53. Administration | Certificate Management | Renewal 12-54. Administration | Certificate Management | Activate or Re-Submit Status 12-56. Administration | Certificate Management | Delete 12-57. Administration | Certificate M
210. iously clicked the Reset icon. Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. VPN Client Type: The type, or model number, of this VPN 3002 hardware client. Bootcode Rev: The version name, number, and date of the VPN 3002 bootcode software file. When you boot or reset the system, the bootcode software runs system diagnostics, and it loads and executes the system software image. The bootcode is installed at the factory, and there is no need to upgrade it. If an engineering change requires a bootcode upgrade, only Cisco support personnel can do so. Software Rev: The version name, number, and date of the VPN 3002 Hardware Client system software image file. You can update this image file from the Administration | Software Update screen. Up Since: The date and time that the VPN 3002 was last booted or reset. RAM Size: The total amount of SDRAM memory installed in the VPN 3002. Disconnect Now: Disconnects the tunnel. Connect Now: Connects the tunnel. Assigned IP Address: The IP address assigned to the VPN 3002 by the central-site VPN Concentrator when PAT mode is enabled. This field is not displayed when the VPN 3002 is running in Network Extension mode, because the central-site VPN Concentrator does not assign an IP address to th
211. keys for security. All communication over the connection is encrypted. To provide additional security, the remote client authenticates the server and the server authenticates the client. At the start of an SSH session, the VPN 3002 sends both a host key and a server key to the client, which responds with a session key that it generates and encrypts using the host and server keys. The RSA key of the SSL certificate is used as the host key, which uniquely identifies the VPN 3002. See Configuration | System | Management Protocols | SSL. [Figure 8-14 Configuration | System | Management Protocols | SSH screen. Screen text: Configure SSH. Only SSH1 (protocol version 1.5) is supported. Enable SSH: disabling will provide additional security. Enable SSH on Public: check to enable SSH on the Public interface. SSH Port: the default port is 22; changing the port will provide additional security. Maximum Sessions: enter the maximum number of concurrent SSH users; maximum is 10, default is 4. SSH sessions are also limited by the configured number of maximum Telnet sessions. Key Regeneration Period: enter the server key regeneration period in minutes; setting to 0 disables server key regeneration; maximum is 1 week (10080), default is 1 hour (60). Encryption Protocols: 3DES-168, RC4-128, DES-56, No Encryption; check the encryption algorithms to enable; unchecking them all effectively disables SSH. Apply, Cancel.] VPN 3002 Hardware Clien
212. l signature, certificate signing, nonrepudiation, key or data encipherment, etc. MD5 Thumbprint: A 128-bit MD5 hash of the complete certificate contents, shown as a 16-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a root certificate's authenticity, you can check this value with the issuer. Administration | Certificate Management | View. Fields (continued): SHA1 Thumbprint, Validity, Subject Alternative Name (Fully Qualified Domain Name), CRL Distribution Point. SHA1 Thumbprint: A 160-bit SHA-1 hash of the complete certificate contents, shown as a 20-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate's authenticity, you can check this value with the issuer. Validity: The time period during which this certificate is valid. Format is MM/DD/YYYY at HH:MM:SS to MM/DD/YYYY at HH:MM:SS. Time uses 24-hour notation and is local system time. The Manager checks the validity against the VPN 3002 system clock, and it flags expired certificates in event log entries. Subject Alternative Name (Fully Qualified Domain Name): The fully qualified domain name for this VPN 3002 that identifies it in this PKI. The alternative name is an optional additional data field in the certificate, and it provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections.
213. l currently and previously active IPSec Phase 2 tunnels, after compression. In other words, total bytes of IPSec-only data sent by the IPSec subsystem after compressing the IPSec payload. Received Packets: The cumulative total of packets received by all currently and previously active IPSec Phase 2 tunnels. Sent Packets: The cumulative total of packets sent by all currently and previously active IPSec Phase 2 tunnels. Received Packets Dropped: The cumulative total of packets dropped during receive processing by all currently and previously active IPSec Phase 2 tunnels, excluding packets dropped due to anti-replay processing. If there is a problem with the content of a packet, the system drops the packet. This number should be zero or very small; if not, check for misconfiguration. Received Packets Dropped (Anti-Replay): The cumulative total of packets dropped during receive processing due to anti-replay errors by all currently and previously active IPSec Phase 2 tunnels. If the sequence number of a packet is a duplicate or out of bounds, there might be a faulty network or a security breach, and the system drops the packet. Monitoring | Statistics | IPSec. Sent Packets Dropped: The cumulative total of packets dropped during send processing by all currently and previously active IPSec Phase 2 tunnels. This number should be zero; if not, check
214. le, you must have Access Rights to Read/Write Files. See the Administration | Administrators | Modify Properties screen. [Figure 13-3 Monitoring | Filterable Event Log screen: Select Filter Options with Event Class (All Classes, AUTH, AUTHDBG, AUTHDECODE, ...), Severities, Client IP Address (0.0.0.0), Events/Page (100) and Direction (Oldest to Newest); First, Previous, Next and Last Page buttons; Get Log and Clear Log buttons; followed by sample event log entries of the AUTH and IKE classes (administrator connections, an ADMIN logon with access granted, an IKE initiator new Phase 2 exchange, a responder forcing a change of IPSec rekeying duration, and a security negotiation complete with inbound and outbound SPIs).] Monitoring | Filterable Event Log. Select Filter Options: You can select any or all of the following options for filtering and displaying the event log. After selectin
215. ludes the IP address of the user whose session generated the event. For example: 3 12/06/1999 14:37:06.680 SEV=4 HTTP/47 RPT=17 10.10.1.35 New administrator login: admin. Cisco IOS Compatible: Event format that is compatible with Cisco syslog management applications. Each entry in the event log is one line consisting of the following fields: Sequence Date Time TimeZone TimeZoneOffset Class Severity Number RPT=RepeatCount String. Sequence: The sequence number of the event. Date: The date the event occurred. The date is in the following format: YYYY MMM DD. Time: The time the event occurred. The time is in the following format: hh:mm:ss.ttt. TimeZone: The time zone in which the event occurred. TimeZoneOffset: The offset of the time zone from GMT. Class: The event class. For a list of event classes, see the Events chapter. Severity: The Cisco IOS severity of the event (0-7). Table 9-3 shows the mapping between Cisco IOS format severity levels and Original format severity levels. Number: The event number. RepeatCount: The number of times this particular event has occurred since the VPN Concentrator was last booted. String: The description of the event. The string sometimes includes the IP address of the user whose session generated the event. For example: 3 1999 Dec 06 14:37:06.680 EDT -4:00 %HTTP-5-47 RPT=17 10.10.1.35 New administrator login: admin. C
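As an added example (not Cisco's code), the following parser reads event-log lines in both the Original and the Cisco IOS Compatible format described above and applies the Table 9-3 severity mapping, so a single Severity to Log/Console/Syslog range such as 1-5 can be tested against either format. The punctuation of the two formats (date separators, SEV=, RPT=, the %CLASS-SEV-NUM token) and the two sample lines are reconstructed from the manual's garbled examples and are assumptions.

```python
"""Parse VPN 3002 event-log lines (Original and Cisco IOS Compatible formats).

Added example, not Cisco's code. The exact punctuation of both formats is an
assumption reconstructed from the manual; the sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Table 9-3: Cisco IOS severity -> (lowest, highest) Original severity it covers.
# IOS levels 1 (Alerts) and 3 (Errors) are not used by the VPN 3002.
IOS_TO_ORIGINAL = {
    0: (1, 1),   # Emergencies
    2: (2, 2),   # Critical
    4: (3, 3),   # Warning
    5: (4, 4),   # Notification
    6: (5, 6),   # Informational
    7: (7, 13),  # Debugging
}


def original_to_ios(sev: int) -> int:
    """Map an Original severity (1-13) to the Cisco IOS severity (0-7)."""
    for ios, (lo, hi) in IOS_TO_ORIGINAL.items():
        if lo <= sev <= hi:
            return ios
    raise ValueError(f"Original severity out of range 1-13: {sev}")


@dataclass
class Event:
    sequence: int
    date: str
    time: str
    cls: str
    severity: int                        # always on the Original 1-13 scale
    number: int
    repeat: int
    text: str
    ios_severity: Optional[int] = None   # set only for IOS-format lines


# Original: Sequence Date Time SEV=Severity Class/Number RPT=RepeatCount String
ORIGINAL_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+SEV=(?P<sev>\d+)\s+"
    r"(?P<cls>[A-Z0-9]+)/(?P<num>\d+)\s+RPT=(?P<rpt>\d+)\s+(?P<text>.*)$"
)
# IOS: Sequence Date Time TimeZone Offset %Class-Severity-Number RPT=RepeatCount String
IOS_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{4} [A-Z][a-z]{2} \d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<tz>[A-Z]+)\s+"
    r"(?P<off>[+-]?\d+:\d{2})\s+%(?P<cls>[A-Z0-9]+)-(?P<sev>\d)-(?P<num>\d+)\s+"
    r"RPT=(?P<rpt>\d+)\s+(?P<text>.*)$"
)


def parse_event(line: str) -> Event:
    """Return an Event for a line in either format, or raise ValueError."""
    m = ORIGINAL_RE.match(line)
    if m:
        return Event(int(m["seq"]), m["date"], m["time"], m["cls"],
                     int(m["sev"]), int(m["num"]), int(m["rpt"]), m["text"])
    m = IOS_RE.match(line)
    if m:
        ios = int(m["sev"])
        if ios not in IOS_TO_ORIGINAL:
            raise ValueError(f"IOS severity {ios} is not used by the VPN 3002")
        # One IOS level can cover several Original levels (6 -> 5..6); keep the
        # lowest, i.e. most severe, so a range filter never silently drops it.
        return Event(int(m["seq"]), m["date"], m["time"], m["cls"],
                     IOS_TO_ORIGINAL[ios][0], int(m["num"]), int(m["rpt"]),
                     m["text"], ios_severity=ios)
    raise ValueError(f"unrecognised event line: {line!r}")


def in_severity_range(ev: Event, setting: str) -> bool:
    """Apply a Severity to Log/Console/Syslog setting: '1-5', '1' or 'None'."""
    if setting == "None":
        return False
    parts = setting.split("-")
    return int(parts[0]) <= ev.severity <= int(parts[-1])


def count_in_range(lines, setting: str) -> int:
    """Number of lines that a given severity setting would let through."""
    return sum(1 for ln in lines if in_severity_range(parse_event(ln), setting))


# Constructed sample lines: the manual's login example in both formats.
SAMPLE_LINES = [
    "3 12/06/1999 14:37:06.680 SEV=4 HTTP/47 RPT=17 10.10.1.35 New administrator login: admin",
    "3 1999 Dec 06 14:37:06.680 EDT -4:00 %HTTP-5-47 RPT=17 10.10.1.35 New administrator login: admin",
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        ev = parse_event(ln)
        print(ev.cls, ev.number, "original", ev.severity,
              "ios", original_to_ios(ev.severity), "->", ev.text)
    print("passing the default Severity to Log (1-5):", count_in_range(SAMPLE_LINES, "1-5"))
```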
216. maining until the current IP address lease expires, shown as HH:MM:SS. MAC Address: The hardwired MAC (Medium Access Control) address of the interface, in 6-byte hexadecimal notation, that maps to the IP Address. Host Name: The name of the DHCP client (PC) on this interface. Monitoring | Statistics | SSH. This screen shows statistics for SSH (Secure Shell) protocol traffic on the VPN 3002 since it was last booted or reset. To configure SSH, see Configuration | System | Management Protocols | SSH. [Figure 13-15 Monitoring | Statistics | SSH screen: Octets and Packets Sent/Received; Sessions Active, Maximum and Total; and an SSH Sessions table with columns Login Name, Remote IP Address, Port, Login Time, Encryption, Octets Sent/Received and Packets Sent/Received; Reset and Refresh icons.] Reset: To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer. Restore: To restore the screen contents to their actual statistical values, click Restore. This icon
217. mple, the IP address 192.168.12.34 is a Class C address, and the standard subnet mask is 255.255.255.0. You can accept this entry or change it. Note that 0.0.0.0 is not allowed.

MAC Address: This is the unique hardware MAC (Media Access Control) address for this interface, displayed in 6-byte hexadecimal notation. You cannot change this address.

Speed: If you are using static IP addressing, click the drop-down menu button and select the interface speed:
10 Mbps: Fix the speed at 10 megabits per second (10Base-T networks).
100 Mbps: Fix the speed at 100 megabits per second (100Base-T networks).
10/100 auto: Let the VPN 3002 automatically detect and set the appropriate speed, either 10 or 100 Mbps (default). Be sure that the port on the active network device (hub, switch, router, etc.) to which you connect this interface is also set to automatically negotiate the speed. Otherwise, select the appropriate fixed speed.

Duplex: If you are using static IP addressing, click the drop-down menu button and select the interface transmission mode:
Auto: Let the VPN 3002 automatically detect and set the appropriate transmission mode, either full or half duplex (default). Be sure that the port on the active network device (hub, switch, router, etc.) to which you connect this interface is also set to automatically neg
218. n Certificate Management | Enroll | SSL Certificate screen.

Administration | Certificate Management | Enroll | Certificate Type

Choose the method for enrolling the identity or SSL certificate.

Figure 12-36: Administration | Certificate Management | Enroll | Identity Certificate Screen
[Screen text: "Select the enrollment method for the identity certificate. To install a certificate with SCEP, the issuing CA's certificate must also be installed with SCEP. Click here to install a new CA using SCEP before enrolling." Links: Enroll via PKCS10 Request (Manual); one Enroll via SCEP at [CA name] link per SCEP-installed CA; << Go back and choose a different type of certificate.]

Enroll via PKCS10 Request (Manual): Click Enroll via PKCS10 Request (Manual) to enroll the certificate manually.

Enroll via SCEP at [Name of SCEP CA]: You can enroll certificates using SCEP only if you installed the CA certificate using SCEP. One Enroll via SCEP at [Name of SCEP CA] link appears on this screen for each CA certificate on the VPN 3002 that was installed using SCEP. To see which CA certificates on your VPN 3002 were installed using SCEP, see the Certificate Authorities table on the Administration | Certificate Management screen. "Yes" in the SCEP Issuer column indicate
219. n SNMP server. Use a decimal number from 0 to 65535. The default is 162, which is the well-known port number for SNMP traps.

Add or Apply / Cancel: To add this system to the list of SNMP trap destinations, click Add. Or, to apply your changes to this trap destination, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Trap Destinations screen. Any new destination system appears in the Trap Destinations list.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Events | Trap Destinations screen, and the Trap Destinations list is unchanged.

Configuration | System | Events | Syslog Servers

This section of the Manager lets you configure UNIX syslog servers as recipients of event messages. Syslog is a UNIX daemon, or background process, that records events. The VPN 3002 can send event messages in two syslog formats to configured syslog systems.

If you configure any event handling, default or special, with values in Severity to Syslog fields, you must configure syslog servers in this section.

To configure default event handling and syslog formats, click the highlighted link that says "Click here to configure general event parameters." To configure special event handling, see the C
220. n displays.

To protect access security, clicking on Refresh or Reload on the browser toolbar automatically logs out the Manager session. Do not use the browser navigation toolbar buttons with the VPN 3002 Hardware Client Manager. Use only the Manager Refresh button where it appears on a screen. We recommend that you hide the browser navigation toolbar to prevent mistakes.

Incorrect Display

The Manager displays an incorrect screen or data when you click on the browser back or forward button.

Table A-4: Browser Back or Forward Button Displays an Incorrect Screen or Incorrect Data

Problem: You clicked on the Back or Forward button on the browser navigation toolbar, and the Manager displayed the wrong screen or incorrect data.
Possible Cause: To protect security and the integrity of data entries, clicking on Back or Forward on the browser toolbar deletes pointers and values within the Manager.
Solution: Do not use the browser navigation toolbar buttons with the VPN 3002 Hardware Client Manager. Navigate using the location bar at the top of the Manager window, the table of contents in the left frame, or links on Manager screens. We recommend that you hide the browser navigation toolbar to prevent mistakes.

The Manager displa
221. nagement interface to generate the certificate.

[Screen shows the generated enrollment request text, followed by the links: Go to Certificate Management; Go to Certificate Enrollment; Go to Certificate Installation.]

Step 6: Copy the enrollment request to the clipboard.

Step 7: Using the enrollment request you just generated, retrieve an identity certificate from your CA and download it to your PC according to the procedures outlined by the CA.

Step 8: Using the Manager, display the Administration | Certificate Management screen. See Figure 12-19.

Step 9: Click "Click here to install a certificate." The Manager displays the Administration | Certificate Management | Install screen. See Figure 12-29.

Figure 12-29: Administration | Certificate Management | Install Screen
[Screen text: "Choose the type of certificate to install: Install CA certificate; Install SSL certificate with private key; Install certificate obtained via enrollment; << Go back to Certificate Management."]

Step 10: Click Install certificate obtained via enrollment. The Manager display
222. nce

Table A-2: Invalid Login or Session Timeout Screen

Problem: You entered an invalid administrator login name and password combination.
Possible Cause: Typing error. / Invalid (unrecognized) login name or password.
Solution: Reenter the login name and password and click on Login. / Use a valid login name and password. Verify your typing before clicking on Login.

Problem: The Manager session has been idle longer than the configured timeout interval. The default timeout interval is 600 seconds, which equals 10 minutes. (Manager Logs Out: "No activity has occurred for [interval] seconds.")
Possible Cause: The Manager resets the inactivity time only when you click on an action button (such as Apply, Add, or Cancel) or a link on a screen that invokes a different screen. Entering values or setting parameters on a given screen does not reset the timer.

Problem: The Manager unexpectedly logs out.
Possible Cause: The timeout interval is set too low for normal use.
Solution: On the Administration | Access Rights | Access Settings screen, change the Session Timeout interval to a larger value and click on Apply.

Table A-3: Browser Refresh or Reload Button Logs Out the Manager

Problem: You clicked on the Refresh or Reload button on the browser navigation toolbar, and the Manager logged out. The main login scree
223. nect Now in the Monitoring | System Status screen, after which the system prompts you to enter the username and password for the VPN 3002. See the section Monitoring | System Status in the Monitoring chapter.

After the tunnel is established between the VPN 3002 and the central-site VPN Concentrator, the VPN Concentrator can initiate data exchange only in Network Extension mode with all traffic travelling through the tunnel. If you want the tunnel to remain up indefinitely, configure the VPN 3002 for Network Extension mode and do not use split tunneling.

Table 11-1 summarizes instances in which the VPN 3002 and the central-site VPN Concentrator can initiate data exchange.

Table 11-1: Data Initiation: VPN 3002 and Central Site VPN Concentrator

Mode | Tunneling Policy | VPN 3002 Can Send Data First | Central Site VPN Concentrator Can Send Data First (after VPN 3002 initiates the tunnel)
PAT | All traffic tunneled | Yes | No
PAT | Split tunneling enabled | Yes | No
Network Extension | All traffic tunneled | Yes | Yes
Network Extension | Split tunneling enabled | Yes | No

Configuration | Policy Management

The Configuration | Policy Management screen introduces this section of the Manager.

Figure 11-1: Configuration | Policy Management Screen

This section of the Manager lets you configure PAT. In
224. network. Please wait for the operation to complete.
[Screen: Enter Username and Password; fields Username, Password; buttons Connect, Cancel.]

Enter the username and password for the VPN 3002. Click Connect. If you have entered a valid username and password, the Connect Login Status screen displays the message that the VPN 3002 is connected. Next you authenticate the user.

Figure 1-31: Connection Login Status Screen
[Screen: VPN 3002 Connection Status: "VPN 3002 is connected since <date/time> for <hh:mm:ss>." Individual User Authentication: "Individual User Authentication is required. You need to log in to access the remote network. You are not logged in." Button: Log In Now. The PC's IP and MAC addresses are shown.]

To authenticate an individual user, click Log In Now. The Individual User Authentication screen displays.

Figure 1-32: Individual User Authentication Screen
[Screen text: "Individual User Authentication. Enter the following information needed to log in to the remote network. Please wait for the operation to complete." Fields Username, Password; buttons Login, Cancel.]

Step 1: Enter the username and password for this VPN 3002 user.

Step 2: Click Login. If the username and password you entered are valid, the Connection Login Statu
225. nfiguration, click the Save Needed icon at the top of the Manager window.

Configuration | System | Events | Syslog Servers | Add or Modify

These Manager screens let you:
Add: Configure and add a UNIX syslog server as a recipient of event messages. You can configure a maximum of five syslog servers.
Modify: Modify a configured UNIX syslog server that is a recipient of event messages.

Figure 9-8: Configuration | System | Events | Syslog Servers | Add Screen
[Screen text: "Add a syslog server." Syslog Server: "Enter the IP address or hostname of the syslog server." Port (514): "Enter the port used by the syslog server." Facility (Local 7): "Select the syslog facility tag for events sent to this server." Buttons: Add, Cancel.]

Syslog Server: Enter the IP address or hostname of the UNIX syslog server to receive event messages. If you have configured a DNS server, you can enter a hostname; otherwise, enter an IP address.

Port: Enter the UDP port number by which you access the syslog server. Use a decimal number from 0 to 65535. The default is 514, which is the well-known port number.

Facility: Click the drop-down menu button and select the syslog facility tag for events sent to this server. The facility tag lets the syslog server sort messages into different files or destinations. The choices are
226. nfirmation screen when you click Delete for a certificate on the Administration | Certificate Management screen. The screen shows the same certificate details as on the Administration | Certificate Management | View screen.

Please note: You must delete CA certificates from the bottom up: server identity first, then subordinate CA, then root CA certificates last. Otherwise, the Manager displays an error message.

If the certificate is in use by an SA or referenced in an active enrollment request, the Manager displays an error message.

Figure 12-50: Administration | Certificate Management | Delete Screen
[Screen shows the certificate fields Subject, Issuer, Serial Number, Signing Algorithm, Public Key Type, MD5 Thumbprint, SHA1 Thumbprint, Validity, and CRL Distribution Point, followed by the prompt "Are you sure you want to delete this certificate?"]

Fields: For a description of the fields in this certificate, see the Certificate Fields section on page 12-51.
227. ng a

Figure 8-10: Configuration | System | Management Protocols | SNMP Communities | Add Screen
[Screen text: "Add an SNMP Community string." Community String: "Enter the community string." Buttons: Add, Cancel.]

Community String: Enter the SNMP community string. Maximum 31 characters, case-sensitive.

Add or Apply / Cancel: To add this entry to the list of configured community strings, click Add. Or, to apply your changes to this community string, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Management Protocols | SNMP Communities screen; a new entry appears at the bottom of the Community Strings list.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entry or changes, click Cancel. The Manager returns to the Configuration | System | Management Protocols | SNMP Communities screen, and the Community Strings list is unchanged.

Figure 8-11: Configuration | System | Management Protocols Screen
[Screen text: "This section lets you configure built-in management protocol servers. In the left frame or in the list of links below, click the function you want: HTTP/HTTPS: Hypertext Transfer Protocol / Secure
228. nitial Enrollment Method: Manual (OOB). Enrollment Status: In Progress. "Are you sure you want to delete this enrollment request?"]

Fields: For a description of the fields in this enrollment request, see the Enrollment Request Fields section on page 12-59.

Yes / No: To delete this enrollment request, click Yes. Note: There is no undo. The Manager returns to the Administration | Certificate Management screen and shows the remaining enrollment requests.

To retain this enrollment request, click No. The Manager returns to the Administration | Certificate Management screen, and the enrollment requests are unchanged.

CHAPTER: Monitoring

The VPN 3002 tracks many statistics and the status of many items essential to system administration and management. This section of the Manager lets you view all those status items and statistics. You can even see the state of LEDs that show the status of hardware subsystems in the device. You can also see statistics that are stored and available in standard MIB-II data objects.

This section of the Manager lets you view VPN 3002 status, sessions, statistics, and event logs:
Routing Table: current valid routes, protocols, and metrics.
Filterable Event L
229. nk As: Save a copy of the file on your PC. Your system will prompt for a filename and location. The default filename is the same as on the VPN 3002.

When you are finished viewing or saving the file, close the new browser window.

Delete lets you delete configuration and saved log files. To delete a file, click Delete next to the type of file you want to delete. When you select this option, a pop-up window displays asking you to confirm or cancel. If you confirm, the file is deleted; the Manager refreshes the screen and shows the revised list of files. There is no undo.

Swap Config Files: Swap Config Files lets you swap the boot configuration file with the backup configuration file. When you select this option, the Administration | File Management | Swap Config Files window displays.

Config File Upload via HTTP: Config File Upload allows you to upload a configuration file. When you select this option, the Administration | File Management | Config File Upload window displays.

Administration | File Management | Swap Config Files

This screen lets you swap the boot configuration file with the backup configuration file. Every time you save the active configuration, the system writes it to the CONFIG file, which is the boot configuration file, and it saves the previous CONFIG file as CONFIG.BAK, the ba
230. nly admin is enabled.

Apply / Cancel: To save this screen's settings in nonvolatile memory, click Apply. The settings immediately affect new sessions. The Manager returns to the Administration | Access Rights screen.

To discard your settings or changes, click Cancel. The Manager returns to the Administration | Access Rights screen.

Administration | Access Rights | Access Settings

This screen lets you configure general options for administrator access to the Manager.

Figure 12-12: Administration | Access Rights | Access Settings Screen
[Screen text: "This section presents General Access options." Session Idle Timeout (600 seconds): "Enter the administrative session idle timeout. Limit is 1800 seconds." Session Limit (10): "Enter the maximum number of administrative sessions." Encrypt Config File (checked): "Check to enable configuration file encryption." Buttons: Apply, Cancel.]

Session Idle Timeout: Enter the idle timeout period in seconds for administrative sessions. If there is no activity for the period, the Manager session terminates. Minimum is 1, default is 600, and maximum is 1800 seconds (30 minutes).

The Manager resets the inactivity timer only when you click an action button (Apply, Add, Cancel, etc.) or a link on a screen, that is, when you invoke a different screen. Entering values or setting param
231. nrollment Request Generated screen. See Figure 12-38.

To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen. See Figure 12-19.

Administration | Certificate Management | Enroll | SSL Certificate | SCEP

To generate an enrollment request for an SSL certificate, you need to provide information about the VPN 3002.

Figure 12-40: Administration | Certificate Management | Enroll | SSL Certificate | SCEP Screen
[Screen text: "Enter the information to be included in the certificate request. Please wait for the operation to finish." Fields: Common Name (CN): "Enter the common name for the VPN 3002 Hardware Client to be used in this PKI. Use the domain name or IP address you will use to connect to this VPN 3002 Hardware Client." Organizational Unit (OU): "Enter the department." Organization (O): "Enter the Organization or company." Locality (L): "Enter the city or town." State/Province (SP): "Enter the State or Province." Country (C): "Enter the two-letter country abbreviation (e.g. United States = US)." Subject Alternative Name (FQDN): "Enter the Fully Qualified Domain Name for the VPN 3002 Hardware Client to be used in this PKI." Subject Alternative Name (E-Mail Address): "Enter the E-Mail Address for the VPN 3002 Hardware Client to be used in this PKI." Challenge Password: "Enter and ve
232. ns traffic within the tunnel (the IPSec SA).

The VPN 3002 initiates all tunnels with the VPN Concentrator; the VPN Concentrator functions only as responder. The VPN 3002, as initiator, proposes SAs; the responder accepts, rejects, or makes counter-proposals, all in accordance with configured SA parameters. To establish a connection, both entities must agree on the SAs.

The Cisco VPN 3002 supports these IPSec attributes, but they are configurable on the central-site VPN Concentrator, not on the VPN 3002:
Main mode for negotiating phase one of establishing ISAKMP Security Associations (SAs) (automatic if you are using certificates).
Aggressive mode for negotiating phase one of establishing ISAKMP SAs.
Authentication Algorithms: ESP/MD5/HMAC-128; ESP/SHA1/HMAC-160.
Authentication Modes: Preshared Keys; X.509 Digital Certificates.
Diffie-Hellman Groups 1 and 2.
Encryption Algorithms: DES-56; 3DES-168.
Extended Authentication (XAuth).
Mode Configuration (also known as ISAKMP Configuration Method).
Tunnel Encapsulation Mode.

Figure 6-2: Configuration | System | Tunneling Protocols | IPSec Screen
[Screen text: "Enter the information needed to connect to the central site VPN Concentrator peer." Remote Server: "Enter remote server address/host name." Backup servers: "Enter up to 10 backup serve
233. nstall and manage digital certificates.
Enrollment: create a certificate request to send to a Certificate Authority.
Installation: install digital certificates.
Certificates: view, modify, and delete digital certificates.

Figure 12-1: Administration Screen
[Screen text: "This section of the Manager lets you control VPN 3002 Hardware Client administrative functions. In the left frame or in the list of links below, click the function you want: Software Update: update hardware client software; System Reboot: system reboot options; Ping: use ICMP ping to determine connectivity; Access Rights: configure administrator profiles, access, and sessions; Config File Management: view, save, swap, and transfer config files; Certificate Management: install and manage digital certificates."]

Administration | Software Update

This section of the Manager lets you update the VPN 3002 executable system software. This process uploads the file to the VPN 3002, which then verifies the integrity of the file.

The new image file must be accessible by the workstation you are using to manage the VPN 3002. Software image files ship on the Cisco VPN 3002 CD-ROM. Updated or patched versions are available from the Cisco Website, www.cisco.com, under Service & Support > Software Center.

It tak
234. SL: Secure Sockets Layer, used with HTTPS. SSH: Secure Shell, a secure Telnet-like protocol.

Configuration | System | Management Protocols | SNMP

This screen lets you configure and enable the SNMP (Simple Network Management Protocol) agent. When enabled, you can use an SNMP manager to collect information from the VPN 3002, but not to configure it.

To use SNMP, you must also configure an SNMP Community on the Configuration | System | Management Protocols | SNMP Communities screen.

The settings on this screen have no effect on sending system events to SNMP trap destinations (see Configuration | System | Events | General and Trap Destinations). For those functions, the VPN 3002 acts as an SNMP client.

Figure 8-6: Configuration | System | Management Protocols | SNMP Screen
[Screen text: "Configure the SNMP server." Enable (checked): "Disabling will provide additional security. You can use third-party SNMP managers only for viewing statistics, not for configuring this device." Port (161): "The default port is 161. Changing the port will provide additional security." Maximum Queued Requests (4): "Enter the maximum number of outstanding queued requests." Buttons: Apply, Cancel.]

Enable SNMP: Check the box to enable SNMP. The box is checked by default. Disabling S
235. [Screen: the VPN 3002 Hardware Client Manager window, annotated. Title bar shows the browser Location (the Manager's access.html URL). Top frame: Manager toolbar ("VPN 3002 Hardware Client Manager", "Logged in: admin", Configuration, Administration, Monitoring, Save Needed). Left frame: table of contents (Configuration: Quick Configuration, Interfaces, System, Policy Management; Administration; Monitoring). Main frame: Manager screen, reading "This section of the VPN 3002 Hardware Client Manager lets you configure system-wide parameters. In the left frame or in the list of links below, click the parameters you want to configure: Servers: DNS; Tunneling Protocols: IPSec; IP Routing: static routes, default gateways, and DHCP; Management Protocols: HTTP/HTTPS, Telnet, SNMP, and SSL; Events: defaults and classes; General: system name, contact, location, and time and date." Status bar at the bottom.]

Understanding the VPN 3002 Hardware Client Manager Window

Title bar: The title bar at the top of the browser window includes the VPN 3002 device name or IP address in brack
236. oes not change the screen in the main frame.

Main frame: The main frame displays the current VPN 3002 Hardware Client Manager screen.

Manager screen: Many screens include a bullet list of links and descriptions of subordinate sections and titles; you can click a link to go to that Manager screen and open subordinate sections and titles in the table of contents.

Organization of the VPN 3002 Hardware Client Manager

The VPN 3002 Hardware Client Manager consists of three major sections and many subsections:

Configuration: setting all the parameters for the VPN 3002 that govern its use and functionality as a VPN device.
Quick Configuration: supplying the minimal parameters needed to make the VPN 3002 operational.
Interfaces: Ethernet parameters.
System: parameters for system-wide functions such as server access, IPSec tunneling protocol, built-in management servers, event handling, and system identification.
Policy Management: enabling PAT (Port Address Translation).

Administration: managing higher-level functions that keep the VPN 3002 operational and secure, such as who is allowed to configure the system, what software runs on it, and managing its configuration files and digital certificates.

Monitoring: viewing routing tables, event logs, sys
237. of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Events | Classes screen.

Configuration | System | Events | Trap Destinations

This section of the Manager lets you configure SNMP network management systems as destinations of event traps. Event messages sent to SNMP systems are called "traps." If you configure any event handling, default or special, with values in Severity to Trap fields, you must configure trap destinations in this section.

To configure default event handling, click the highlighted link that says "Click here to configure general event parameters." To configure special event handling, see the Configuration | System | Events | Classes screens. To configure well-known SNMP traps, see Table 9-4 under Severity to Trap for Configuration | System | Events | General.

To have an SNMP-based network management system (NMS) receive any events, you must also configure the NMS to see the VPN 3002 as a managed device or agent in the NMS domain.

Figure 9-5: Configuration | System | Events | Trap Destinations Screen
[Screen text: "This section lets you configure SNMP systems as destinations of event traps. Click the Add button to add a destination, or select a destination and click Modify or Delete. Click here to configure general event parameters."]
238. og: current event log in memory, filterable by event class, severity, IP address, etc.
Live Event Log: current event log, continuously updated.
System Status: current software revisions, uptime, network interfaces, and connection status.
General Statistics: IPSec, HTTP, Telnet, DNS, SSL, DHCP, SSH, PPPoE, NAT, and MIB-II statistics for interfaces, TCP/UDP, IP, ICMP, the ARP table, Ethernet traffic, and SNMP.

These Manager screens are read-only snapshots of data or status at the time the screen displays. Most screens have a Refresh button that you can click to get a fresh snapshot and update the screen, but you cannot modify the data on the screen.

Figure 13-1: Monitoring Screen
[Screen text: "This section of the Manager lets you view VPN 3002 Hardware Client status, sessions, statistics, and event logs. In the left frame or in the list of links below, click the function you want: Routing Table: current valid routes and protocols; Filterable Event Log: current event log; Live Event Log: current event log; System Status: current software revisions, uptime, front panel LEDs, network interfaces, and connection status; Statistics: IPSec, HTTP, Telnet, DNS, SSL, DHCP, SSH, PPPoE, and MIB-II statistics."]

Monitoring | Routing Table

This screen shows the VPN 3002 routing table at the tim
239. olbar in the top frame.

Interactive Hardware Client and Individual User Authentication

Interactive hardware client and individual user authentication provide security by requiring manual entry of usernames and passwords prior to connection. You configure these features on the VPN Concentrator to which this VPN 3002 connects, and the VPN Concentrator pushes the policies you set to the VPN 3002. You can use interactive hardware client authentication and individual user authentication in combination or separately.

For complete configuration information, refer to the section on the Hardware Client tab in the User Management chapter of the VPN 3000 Series Concentrator Reference Volume 1: Configuration.

Interactive Hardware Client Authentication

When you enable interactive hardware client authentication, the VPN 3002 does not use a saved username and password. Instead, to connect you must manually enter a valid username and password for the VPN 3002 when prompted. When the VPN 3002 initiates the tunnel, it sends the username and password to the VPN Concentrator to which it connects. The VPN Concentrator facilitates authentication on either the internal or an external server. If the username and password are valid, the tunnel is established.

Individual User
240. oments; please wait for the operation to finish. The Manager then displays either a Success or Error screen; see below.

To cancel your entry on this screen, click Cancel. The Manager returns to the main Administration screen.

Success (Ping)

If the system is reachable, the Manager displays a Success screen with the name of the tested host.

Figure 12-8: Administration | Ping Success Screen
[Screen text: "10.10.147.1 is alive." Button: Continue.]

Continue: To return to the Administration | Ping screen, click Continue.

Error (Ping)

If the system is unreachable for any reason (host down, ICMP not running on host, route not configured, intermediate router down, network down or congested, etc.), the Manager displays an Error screen with the name of the tested host. To troubleshoot the connection, try to Ping other hosts that you know are working.

Figure 12-9: Administration | Ping Error Screen
[Screen text: "An error has occurred while attempting to perform the operation. 10.10.147.100 cannot be reached." Links: Retry the operation; Go to main menu.]

To return to the Administration | Ping screen, click Retry the operation. To go to the main Manager screen, click Go to main menu.

Administration | Access Rights

This section of the Manager lets you configure and control administrative access to the VPN 30
on. You tried to access an area of the Manager that you do not have authorization to access.

Possible causes:
  You logged in using an administrator login name that has limited privileges.
  You logged in from a workstation that has limited access privileges.

Possible solutions:
  Log in using the system administrator login name and password. The factory defaults are admin / admin. Because that default is published in this manual, change the password before the Manager is reachable from any network you do not control.
  Log in from a workstation with greater access privileges.
  Have the system administrator change your privileges on the Administration | Access Rights | Administrators screen.
  Have the system administrator change the privileges of your workstation on the Administration | Access Rights | Access Control List screen.

Appendix A: Troubleshooting and System Errors
VPN 3002 Hardware Client Manager Errors

Not Found

The Manager displays a screen with the message "Not Found. An error has occurred while attempting to access the specified page." The screen includes additional information that identifies system activity and parameters.

Figure A-4: Not Found Screen
  Not Found
  An error has occurred while attempting to access the specified page. The feature hasn't been implemented yet, or the page does not exist. If you have recently upgraded or downgraded the VPN 3000 Concentrator Series, clearing the browser's cache may solve the problem.
  Error: HTTP 404 Not Found
  Request: GET http://10.10.147.2/foob
on
  6) Exit

  Main > _

Chapter 14: Using the Command Line Interface

Using the Command-line Interface

This section explains how to:
  Choose menu items
  Enter values for parameters and options
  Specify configured items by number or name
  Navigate quickly using shortcuts through the menus
  Display a brief help message
  Save entries to the system configuration file
  Stop the command-line interface
  Understand administrator access rights

The command-line interface displays menus or prompts at every level to guide you in choosing configurable options and setting parameters. The prompt always shows the menu context.

Choosing Menu Items

To use the command-line interface, enter the number at the prompt that corresponds to the desired menu item and press Enter. For example, this is the Configuration > System > General > System Identification menu:

  1) Set System Name
  2) Set Contact
  3) Set Location
  4) Back

  General > _

Enter 1 to set the system name.

Entering Values

The command-line interface shows any current or default value for a parameter in brackets. To change the value, enter a new value at the prompt. To leave the value unchanged, just press Enter. Continuing the example above, this is the prompt to enter a value for the system name:

  > Host Name

  General >
on, or mismatched preshared keys or digital certificates.

System Capability Failures: The cumulative total of system capacity failures that occurred during processing of all currently and previously active IKE tunnels. These failures indicate that the system has run out of memory or that the tunnel count exceeds the system maximum.

No SA Failures: The cumulative total of nonexistent Security Association failures that occurred during processing of all currently and previously active IKE tunnels. These failures occur when the system receives a packet for which it has no Security Association, and might indicate synchronization problems.

Chapter 13: Monitoring
Monitoring | Statistics | IPSec

IPSec Phase 2 Statistics

This table provides IPSec Phase 2 global statistics. During IPSec Phase 2, the two peers negotiate the Security Associations that govern traffic within the tunnel.

Active Tunnels: The number of currently active IPSec Phase 2 tunnels.

Total Tunnels: The cumulative total of all currently and previously active IPSec Phase 2 tunnels.

Received Bytes: The cumulative total of bytes (octets) received by all currently and previously active IPSec Phase 2 tunnels, before decompression. In other words, the total bytes of IPSec-only data received by the IPSec subsystem before decompressing the IPSec payload.

Sent Bytes: The cumulative total of bytes (octets) sent by al
on't allow new sessions.

  When to Reboot/Shutdown
  [Apply] [Cancel]

Action

Click a radio button to select the desired action. You can select only one action.

Reboot: Reboot the VPN 3002. Rebooting terminates all sessions, resets the hardware, loads and verifies the software image, executes system diagnostics, and initializes the system. A reboot takes about 60 to 75 seconds. This is the default selection.

Shutdown without automatic reboot: Shut down the VPN 3002, that is, bring the system to a halt so you can turn off the power. Shutdown terminates all sessions and prevents new user sessions, but not administrator sessions. While the system is in a shutdown state, the SYS LEDs blink on the front panel.

Cancel a scheduled reboot/shutdown: Cancel a reboot or shutdown that is waiting for a certain time or for sessions to terminate. This is the default selection if a reboot or shutdown is pending.

Configuration

Click a radio button to select the configuration file handling at reboot. These selections apply to reboot only. You can select only one option.

Save the active configuration at time of reboot: Save the active configuration to the CONFIG file and reboot using that new file.

Reboot without saving the active configuration: Reboot using the existing CONFIG file, without saving the active configuration. This is the default selection.
ondition.

VPN 3002 Front LEDs

The LEDs on the front of the VPN 3002 are:

  LED   Status            Explanation
  PWR   Green             Unit is on and has power.
        Off               Unit is powered off.
  SYS   Flashing amber    Unit is performing diagnostics.
        Solid amber       Unit has failed diagnostics.
        Flashing green    Unit is negotiating DHCP or PPPoE.
        Green             Unit is operational.
  VPN   Off               No VPN tunnel exists.
        Amber             Tunnel has failed.
        Green             Tunnel is established.

Appendix A: Troubleshooting and System Errors

VPN 3002 Rear LEDs

The LEDs on the rear of the VPN 3002 indicate the status of the private and public interfaces:

  LED               Explanation
  Green             Interface is connected to the network.
  Off               Interface is not connected to the network.
  Flashing amber    Traffic is traveling across the interface.

System Errors

If you have configured the VPN 3002 and you are unable to connect to or pass data to the central-site VPN Concentrator, use Table A-1 to analyze the problem. Also use the following section of this appendix to check the settings on the VPN Concentrator to which this VPN 3002 connects.

Table A-1: Analyzing System Errors

  Problem or Symptom                        Possible Solution
  Tunnel is not up or not passing data:
    PWR LED is off                          Make sure that the power cable is plugged into the VPN 3002 and a power outlet.
    SYS LED is solid amber                  Unit has failed diagnostics. Contact Cis
onfiguration. See the VPN 3002 Hardware Client Getting Started guide for complete information about Quick Configuration.

1.2 Configuration > Interface Configuration

  This table shows current IP addresses.
  1) Configure the Private Interface
  2) Configure the Public Interface
  3) Back

  Interfaces > _

Chapter 14: Using the Command Line Interface
Menu Reference

1.2.1 or 1.2.2 Configuration > Interface Configuration > Configure the Private/Public Interface

  Enable/Disable
  Set IP Address
  Set Subnet Mask
  Select Ethernet Speed
  Select Duplex
  Back

  Private/Public Interface > _

1.3 Configuration > System Management

  1) Servers (DNS)
  2) Tunneling Protocols (IPSec)
  3) IP Routing (static routes, etc.)
  4) Management Protocols (Telnet, HTTP, etc.)
  5) Event Configuration
  6) General Config (system name, time, etc.)
  7) Back

  System > _

1.3.1 Configuration > System Management > Servers

  1) DNS Servers
  2) Back

  Servers > _

1.3.2 Configuration > System Management > Tunneling Protocols

  1) IPSec
  2) Back

  Tunnel > _

1.3.3 Configuration > System Management > IP Routing

  1) Static Routes
  2) Default Gateway
  3) DHCP
  4) DHCP Options
  5) Back

  Routing > _

1.3.4 Configuration > System Management > Management Protocols

  1) Configure HTTP/HTTPS
  2) Configure Telnet
  3) Configure SNMP
  4)
onfiguration | System | Events | Classes screens.

Figure 9-7: Configuration | System | Events | Syslog Servers Screen
  This section lets you configure UNIX syslog servers to receive event messages. Click the Add button to add a server, or select a server and click Modify or Delete. Click here to configure general event parameters.
  Syslog Servers: 192.168.12.34
  Actions: [Add] [Modify] [Delete]

Chapter 9: Events
Configuration | System | Events | Syslog Servers

Syslog Servers

The Syslog Servers list shows the UNIX syslog servers that have been configured as recipients of event messages. You can configure a maximum of five syslog servers. If no syslog servers have been configured, the list shows Empty.

Add / Modify / Delete

To configure a new syslog server, click Add. See Configuration | System | Events | Syslog Servers | Add.

To modify a syslog server that has been configured, select the server from the list and click Modify. See Configuration | System | Events | Syslog Servers | Modify.

To remove a syslog server that has been configured, select the server from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the list.

Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot co
ons, see the corresponding section of the Manager in this manual. For example, to understand Ethernet interface configuration parameters and choices, see Configuration | Interfaces | Private/Public in Chapter 3, "Interfaces".

Accessing the Command-line Interface

You can access the command-line interface in two ways: via the system console, or via a Telnet or Telnet over SSL client. Plain Telnet carries the administrator login and password in cleartext, so on any network you do not fully control use the console or the Telnet over SSL option.

Console Access

To use the console:

1. Connect a PC to the VPN 3002 via an RJ-45 serial cable (which Cisco supplies with the system) between the console port on the VPN 3002 and the COM1 or serial port on the PC. For more information, see the VPN 3002 Hardware Client Getting Started guide.

2. Start a terminal emulator (e.g., HyperTerminal) on the PC. Configure a connection to the COM port with port settings of 9600 bits per second, 8 data bits, no parity, 1 stop bit. Set the emulator for VT100 emulation, or let it auto-detect the emulation type.

Chapter 14: Using the Command Line Interface
Starting the Command-line Interface

3. Press Enter on the PC keyboard until you see the login prompt. You might see a password prompt and error messages as you press Enter; ignore them and stop at the login prompt.

  Login: _

Telnet or Telnet/SSL Access

To access the command-line interface via a Telnet or Telnet/SSL client:

1. Enable the Telnet or Telnet/SSL server on the VPN 3002. They are both en
or
  [PEM-encoded enrollment request text omitted; the figure shows the base64 body of the generated PKCS#10 request]
  Go to Certificate Management
  Go to Certificate Enrollment
  Go to Certificate Installation

To go to the Administration | File Management | Files screen, click the highlighted File Management page link. From there you can view, copy, or delete the file in Flash memory.

Go to Certificate Management

If you want to view the certificate request, click Go to Certificate Management. The Manager displays the Administration | Certificate Management screen. See Figure 12-19.

Go to Certificate Enrollment

If you want to enroll another certificate, click Go to Certificate Enrollment. The Manager displays the Administration | Certificate Management | Enroll screen.

Chapter 12: Administration
Administration | Certificate Management | Enroll | Identity Certificate | SCEP

Go to Certificate Installation

If you want to install the certificate you have just enrolled, click Go to Certificate Installation. The Manager displays the Administration | Certificate Management | Install screen.

Administration | Certificate Management | Enroll | Identity Certificate | SCEP

To generate an enrollment request for an identity certificate, you need to provide information about the VPN 3002.

Figure 12-39: Administration | Certificate Management | Enroll | Identity
ot Store.

  Subject: 100.200.147.2, VPN 3000 Concentrator Series, Cisco Systems, Inc., Franklin, Massachusetts, US
  Issuer: Self Issued
  Time Validity: Friday, April 21, 2000 through Monday, April 21, 2003
  Serial Number: 390066 4D
  Thumbprint (sha1): 57260EF3 476683261 BCAF8B58 B7B15243 52421 48C
  Thumbprint (md5): FBBEFS1C 1B70312F B230B62D 543E361B

A self-issued certificate carries no proof of origin other than its thumbprint. Before you click Yes, compare the thumbprint shown here with one obtained from the VPN 3002 over a path you trust, such as the console.

8. To install the certificate, click Yes. This dialog box closes, and a final wizard confirmation dialog box opens.

Figure 1-9: Internet Explorer Certificate Manager Import Wizard Final Dialog Box
  The import was successful.

9. Click OK to close this dialog box, and click OK on the Certificate dialog box (Figure 1-4) to close it. You can now connect to the VPN 3002 using HTTP over SSL (HTTPS).

10. On the Manager SSL screen (Figure 1-2), click the link that says "After installing the SSL certificate, click here to connect to the VPN 3002 Hardware Client using SSL". Depending on how your browser is configured, you might see a Security Alert dialog box.

Chapter 1: Using the VPN 3002 Hardware Client Manager
Installing the SSL Certificate in Your Browser

Figure 1-10: Internet Explorer Security Alert Dialog Box
  You are about to view pages over a secure connection. Any information you exchange with this site cannot be viewed by anyone else on the Web.
  [ ] In the future, do not show this
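The dialog above asks you to accept a self-issued certificate on the strength of its thumbprint. The following Python script, added here as a worked example and not part of the Cisco manual, shows the check a practitioner would make before clicking Yes: decode the certificate's DER bytes from a PEM file, compute the SHA-1 and MD5 thumbprints in the same eight-character groups the dialog prints, and compare them, ignoring case and spacing, with a value obtained from the VPN 3002 over a trusted path. The PEM input below is a constructed stand-in rather than a real certificate so that the script runs offline; the functions accept any PEM certificate file saved from the browser's File Download dialog. The file and the expected value are assumptions of this example.

```python
"""Verify a certificate thumbprint before trusting a self-issued SSL certificate.

Added example, not code from the Cisco manual. Assumes the certificate was saved
as a PEM file and that the expected thumbprint was read from the VPN 3002 over a
path you trust (for example, the console).
"""
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a DER-encoded certificate (NOT a real certificate).
# Any byte string exercises the hashing and formatting exactly as real DER would.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(re.findall(r".{1,64}", base64.b64encode(SAMPLE_DER).decode()))
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the body into DER bytes."""
    m = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Thumbprint as the Import Wizard shows it: upper-case hex in groups of 8.

    sha1 and md5 are used only because those are the two values the dialog
    displays; the comparison establishes identity, not algorithm strength.
    """
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(tp: str) -> str:
    """Canonical form for comparison: hex digits only, upper-case, no separators."""
    return re.sub(r"[^0-9A-F]", "", tp.upper())


def thumbprint_matches(der: bytes, expected: str, algo: str = "sha1") -> bool:
    """True only when the complete digest matches.

    A truncated or garbled expected value (wrong length) is rejected instead of
    being prefix-matched, and the comparison is constant-time.
    """
    want = normalize(expected)
    have = hashlib.new(algo, der).hexdigest().upper()
    return len(want) == len(have) and hmac.compare_digest(want, have)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("sha1:", thumbprint(der))
    print("md5: ", thumbprint(der, "md5"))
    # Paste the value read over the trusted path as `expected` in real use.
    print("match:", thumbprint_matches(der, thumbprint(der)))
```

To use it against a real download, replace SAMPLE_PEM with the contents of the saved file and pass the thumbprint you read from the VPN 3002 as `expected`; a mismatch means the certificate that arrived in your browser is not the one the device holds.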
otiate the transmission mode. Otherwise, select the appropriate fixed mode.

Full Duplex: Fix the transmission mode as full duplex (transmits and receives at the same time).

Half Duplex: Fix the transmission mode as half duplex (transmits or receives, but not at the same time).

Apply / Cancel

To apply your settings to this interface and include your settings in the active configuration, click Apply. The Manager returns to the Configuration | Interfaces screen.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Interfaces screen.

Chapter 4: System Configuration

System configuration means configuring parameters for system-wide functions in the VPN 3002.

Configuration | System

This section of the Manager lets you configure parameters for:
  Servers: identifying servers for DNS information for the VPN 3002.
  Tunneling Protocols: configuring IPSec connections.
  IP Routing: configuring static routes, default gateways, and DHCP.
  Management Protocols: configuring and enabling built-in servers for HTTP/HTTPS, Telnet, SNMP, SSL, SSH, and XML.
  Events: handling system events via logs, SNMP traps, and syslog.
  General: identifying the system and setting the time and date.

See the appropriate cha
out error, A-5
IP MIB-II statistics, 13-45
IP routing, configuring, 7-1
IPSec
  attributes configurable on the central-site Concentrator, 6-2
  configuring, 6-2
  statistics, 13-16
IPSec over TCP, 6-5
  requirements, 6-6
ITU (International Telecommunication Union) standards, 12-50

J
JavaScript requirements, 1-2

L
lease period, DHCP, 7-6
LED indicators, table, A-2
live event log, 13-6
  Netscape requirements, 13-6
log file
  live event log, 13-6
  saving on system reboot, 12-5
  See also event log
logging in to the VPN Concentrator Manager, 1-17
login
  name, factory default, Manager, 1-17
  password, factory default, Manager, 1-17
  screen, 1-3
    HTTPS, 1-17
    HTTPS using Internet Explorer, 1-8
    HTTPS using Netscape, 1-14
    using CLI, 14-2
    using interactive hardware client authentication and individual user authentication, 1-19

M
main menu, CLI, 14-2, 14-7
management protocols, configuring, 8-1
Manager table of contents, 1-28
Manager unexpectedly logs out error, A-6
managing digital certificates on VPN 3002, 12-31
managing VPN Concentrator with CLI, 14-1
memory, SDRAM, 13-9
menu
  choosing a menu item in CLI, 14-3
  context in CLI prompt, 14-3
menu reference, CLI, 14-7
MIB-II statistics, 13-39
  ARP table, 13-51
  Ethernet traffic, 13-53
  interfaces, 13-40
  IP traffic, 13-45
  SNMP, 13-56
  TCP/UDP, 13-42
  system object, 10-2
Microsoft Internet Explorer script erro
pter in this manual, or the online help, for each section.

Figure 4-1: Configuration | System Screen
  Save Needed
  This section of the VPN 3002 Hardware Client Manager lets you configure system-wide parameters. In the left frame, or in the list of links below, click the parameters you want to configure:
    Servers: DNS
    Tunneling Protocols: IPSec parameters
    IP Routing: static routes, default gateways, and DHCP
    Management Protocols: HTTP/HTTPS, Telnet, SNMP, SSL, SSH, and XML
    Events: defaults and classes
    General: system name, contact, location, and time and date

Chapter 4: System Configuration
Configuration | System

Chapter 5: Servers

Configuring servers means identifying DNS servers to the VPN 3002 so it can communicate with them correctly. DNS servers convert hostnames to IP addresses. The VPN 3002 functions as a client of these servers.

Configuration | System | Servers

This section of the Manager lets you configure the VPN 3002 to communicate with DNS servers.

Figure 5-1: Configuration | System | Servers Screen
  This section of the Manager lets you configure the VPN 3002 Hardware Client to communicate with various servers. In the left frame, or in the list of links below, click the servers you want to configure:
    DNS Servers
ption is available in the non-U.S. versions of many SSL clients.

Client Authentication

This parameter applies to HTTPS only; it is ignored for Telnet/SSL. Check the box to enable SSL client authentication. The box is not checked by default.

In the most common SSL connection, the client authenticates the server, not vice versa. Client authentication requires personal certificates installed in the browser and trusted certificates installed in the server. Specifically, the VPN 3002 must have a root CA certificate installed, and a certificate signed by one of the VPN 3002 trusted CAs must be installed in the Web browser. See Administration | Certificate Management.

Chapter 8: Management Protocols
Configuration | System | Management Protocols | SSL

SSL Version

Click the drop-down menu button and select the SSL version to use. SSL Version 3 has more security options than Version 2, and TLS (Transport Layer Security) Version 1 has more security options than SSL Version 3. Some clients that send an SSL Version 2 Hello (initial negotiation) can actually use a more secure version during the session. Telnet/SSL clients usually can use only SSL Version 2. Since this manual was written, SSL Version 2 and SSL Version 3 have been formally prohibited (RFC 6176 and RFC 7568); where the client supports it, select an option that negotiates TLS rather than SSL Version 2, and treat a Telnet/SSL session that can only negotiate Version 2 as weakly protected. Choices are:

Negotiate SSL V2/V3: The server tries to use SSL Version 3 but accepts Version 2 if the client cannot use Version 3. This is the default selection. This selection works with most browsers and Telnet/SSL
r addresses/host names.

  Backup Servers: Enter each backup server address/host name on a single line, from high priority to low.
  IPSec over TCP: Check to enable IPSec over TCP.
  IPSec over TCP Port: Enter the IPSec over TCP port (1-65535).
  Use Certificate: Click to use the installed certificate.
  Certificate Name
  Password / Verify
  Group
  [Apply] [Cancel]

Remote Server

Enter the IP address or hostname of the remote server. This is the IP address or hostname of the public interface on the VPN Concentrator to which this VPN 3002 connects. Use dotted decimal notation, for example 192.168.34.56. To enter a hostname, a DNS server must be configured.

Backup Servers

To configure IPSec backup servers on the VPN 3002, enter up to 10 backup servers, using either IP address or hostname. Enter each backup server on a separate line. To enter a hostname, a DNS server must be configured. Further, if you use hostnames and the DNS server is unavailable, significant delays can occur.

Chapter 6: Tunneling
Configuration | System | Tunneling Protocols | IPSec

Note: If you are using hostnames, it is wise to have backup DNS and WINS servers on a separate network from that of the primary DNS and WINS servers. Otherwise, if clients behind the VPN 3002 obtain DNS and WINS information from the VPN 3002 through DHCP, and the connection to the primary
r message, A-9
model number, system, 13-9
modifying
  event class, 9-10
  SNMP community, 8-8
  SNMP event trap destination, 9-13
  static route for IP routing, 7-3
  syslog server to receive events, 9-16
monitoring statistics, 13-1

N
NAT (Network Address Translation), definition, 11-1
navigating the VPN 3002 Hardware Client Manager, 1-28
Netscape Navigator requirements, 1-1
Network Address Translation, See NAT
Network Extension mode, 11-2
  effect on backup server connection, 6-5
  required settings on VPN Concentrator, 11-3
nonvolatile memory, 12-10
  event log stored in, 13-3
"No such interface supported" error, A-9
"Not Allowed" error, A-8
"Not Found" error, A-9

O
options configurable only on central-site Concentrator, 7-9
"Out of Range value" error, A-10

P
password
  administrator, 12-10
  factory default, Manager, 1-17
"Passwords do not match" error, A-10
PAT mode
  configuring, 11-6
  definition, 11-1
  enabling, 11-6
  many-to-one translation, 11-6
  required settings on VPN Concentrator, 11-2
PC monitor display, recommended settings, 1-2
peer, 6-2
PEM-encoded certificate, 12-28
ping a host, 12-7
PKCS#10 enrollment request, 12-24, 12-40
policy management, 11-1
Port Address Translation mode, See PAT mode
port number
  HTTP, 8-3
  HTTPS, 8-3
  SNMP, 8-6
  SSH, 8-14
  syslog server, 9-16
  Telnet, 8-5
  Telnet over SSL, 8-5
power, turning off, 12-5
PPPoE statistics, 13-36
PPP over Ethernet, See PPPoE
prerequisites, system administrator, ix
preshared
reen to upload the certificate file to the VPN 3002.

Figure 12-46: Administration | Certificate Management | Install | CA Certificate | Upload File from Workstation Screen
  Enter the name of the CA certificate file.
  Filename: [          ] [Browse]
  [Install] [Cancel]

Filename

Enter the name of the CA certificate file that is on your PC. In a Windows environment, enter the complete pathname using MS-DOS syntax, for example c:\Temp\certnew.cer. You can also click the Browse button to open a file navigation window, find the file, and select it.

Password

Note: This field appears only if you are installing an SSL certificate with a private key.

Enter a password for decrypting the private key.

Install / Cancel

To install the certificate on the VPN 3002, click Install. To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen. See Figure 12-19.

Chapter 12: Administration
Administration | Certificate Management | View

The Manager displays this screen of certificate details when you click View for a certificate on the Administration | Certificate Management | Certificates screen. The details vary depending on the certificate content. The content and format for certificate details are governed by ITU (International Telecommun
rence, 14-7
Troubleshooting and System Errors, A-1
  Files for Troubleshooting, A-1
  LED Indicators, A-2
  System Errors, A-3
  Settings on the VPN Concentrator, A-4
  VPN 3002 Hardware Client Manager Errors, A-5
  Command-line Interface Errors, A-10
INDEX

Preface

The VPN 3002 Hardware Client Reference provides guidelines for configuring the Cisco VPN 3002, details on all the functions available in the VPN 3002 Hardware Client Manager, and instructions for using the VPN 3002 Command Line Interface.

Prerequisites

We assume you have read the VPN 3002 Hardware Client Getting Started manual and have followed the minimal configuration steps in Quick Configuration. That section of the VPN 3002 Hardware Client Manager is not described here.

We also assume you are an experienced system administrator or network administrator with appropriate education and training, who knows how to install, configure, and manage internetworking systems. However, virtual private networks and VPN devices might be new to you. You should be familiar with Windows system configuration and management, and you should be familiar with Microsoft Internet Explorer or Netscape Navigator or Communicator browsers.

Organization

This manual is organized by the order in which sections appear in the VP
ribes Ethernet networks, and RFC 1650 defines Ethernet interface MIB objects. To configure Ethernet interfaces, see Configuration | Interfaces.

Figure 13-24: Monitoring | Statistics | MIB-II | Ethernet Screen
  [Reset] [Refresh]
  Columns recovered from the figure: Interface; Alignment Errors; FCS Errors; Carrier Sense Errors; SQE Test Errors; Frame Too Long; Deferred Transmits; Single, Multiple, Late and Excessive Collisions; Transmit and Receive MAC Errors; Speed (Mbps); Duplex

Reset

To reset (or start anew) the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer.

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Interface

The private or public interface to which the data in this row applies.

Chapter 13: Monitoring
Monitoring | Statistics | MIB-II | Ethernet

Alignment Errors

The number of frames received on this interface that are not an integral number of bytes in length and do not pass th
rify the challenge password for this certificate request.

  Verify Challenge Password: [          ]
  Key Size: [RSA 512 bits]  Select the key size for the generated RSA key pair.
  [Enroll] [Cancel]

Chapter 12: Administration
Administration | Certificate Management | Enroll | SSL Certificate | SCEP

Fields

For an explanation of each of the fields on this screen, see Table 12-1 on page 12-20. For the key size, choose the largest RSA size the device offers: 512-bit RSA keys have been factorable since 1999 and are well below any current minimum, so a certificate on such a key protects the management session only against casual observation.

Enroll

To generate the certificate request and install the SSL certificate on the VPN 3002, click Enroll. The Manager displays the Administration | Certificate Management | Enrollment Request Generated screen.

If there is already an active request for an SSL certificate, this error message appears:

  An error has occurred while attempting to perform the operation.
  Error generating request: An SSL enrollment request already exists.
  [Retry the operation] or [Go to main menu]

To return to the Administration | Certificate Management | Enroll | SSL Certificate | SCEP screen, click Retry the operation. To return to the Main screen, click Go to main menu.

Cancel

To discard your entries and cancel the request, click Cancel. The Manager displays the Administration | Certificate Management screen.

Chapter 12: Administration
Administration | Certificate Management | Install

Adminis
ring
Monitoring | Statistics | MIB-II | ARP Table

Interface

The VPN 3002 network interface on which this mapping applies: Private Interface or Public Interface.

Physical Address

The hardwired MAC (Media Access Control) address of a physical network interface card, in 6-byte hexadecimal notation, that maps to the IP Address. Exceptions are:
  an all-zeros address (00), a virtual address for a tunnel
  FF.FF.FF.FF.FF.FF, a network broadcast address

IP Address

The IP address that maps to the Physical Address.

Mapping Type

The type of mapping:
  Other: none of the following.
  Invalid: an invalid mapping.
  Dynamic: a learned mapping.
  Static: a static mapping on the VPN 3002.

Action / Delete

To remove a dynamic (learned) mapping from the table, click Delete. There is no confirmation or undo. The Manager deletes the entry and refreshes the screen. To delete an entry, you must have the administrator privilege to Modify Config under General Access Rights. See Administration | Access Rights | Administrators. You cannot delete static mappings.

Chapter 13: Monitoring
Monitoring | Statistics | MIB-II | Ethernet

  [Reset] [Restore] [Refresh]

This screen shows statistics in MIB-II objects for Ethernet interface traffic on the VPN 3002 since it was last booted or reset. IEEE standard 802.3 desc
ring > General Statistics > MIB-II Statistics

  1) Interface-based
  2) System-level
  3) Back

  MIB2 > _

Appendix A: Troubleshooting and System Errors

Appendix A describes files for troubleshooting the VPN 3002 and LED indicators on the system. It also describes common errors that might occur while configuring and using the system, and how to correct them.

Files for Troubleshooting

The VPN 3002 Hardware Client creates several files that you can examine and that can assist Cisco support engineers when troubleshooting errors and problems:

  SAVELOG.TXT: Event log that is automatically saved when the system crashes and when it is rebooted.
  CRSHDUMP.TXT: Internal system data file that is written when the system crashes.
  CONFIG: Normal configuration file used to boot the system.
  CONFIG.BAK: Backup configuration file.

Event Logs

The VPN 3002 records system events in the event log, which is stored in nonvolatile memory (NVRAM). To troubleshoot operational problems, we recommend that you start by examining the event log. To view the event log, see Administration | File Management | View, and click View Saved Log File. To configure events and to choose the events you want to view, see Configuration | System | Events and Monitoring | Filterable Event Log.

The VPN 3002 automatically saves the event log to a file in flash memory if it cra
risdiction that issued the certificate.

Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.520 terminology, and they echo the fields on the Administration | Certificate Management | Enrollment screen.

  CN: Common Name, the name of a person, system, or other entity. This is the lowest, most specific level in the identification hierarchy. For the VPN 3002 self-signed SSL certificate, the CN is the IP address on the Ethernet 1 (Private) interface at the time the certificate is generated. SSL compares this CN with the address you use to connect to the VPN 3002 via HTTPS as part of its validation, so if you later change that interface address, browsers will report a name mismatch until a new certificate is generated.
  OU: Organizational Unit, the subgroup within the organization (O).
  O: Organization, the name of the company, institution, agency, association, or other entity.
  L: Locality, the city or town where the organization is located.
  SP: State/Province, the state or province where the organization is located.
  C: Country, the two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.

The serial number of the certificate. Each certificate issued by a CA must be unique among all certificates issued by that CA. CRL checking uses this serial number.

The cryptographic algorithm that the CA or other issuer used to sign this certificate.

The algorithm and size of the certified public key.

The purpose of the key contained in the certificate, for example digita
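The passage above describes the X.520 hierarchy in a Subject and the one comparison SSL makes against it for the self-signed certificate: the CN against the address you typed into the browser. The following Python snippet, added here as an example and not code from the Cisco manual, parses a Subject written as comma-separated "label=value" components using exactly the six labels listed above, and performs that CN comparison, so that you can see why an HTTPS connection to a hostname or to a changed private-interface address is flagged even when the certificate itself is the right one. The textual "CN=..., OU=..." form and the sample subject are assumptions of this example.

```python
"""Parse an X.520 subject and check its CN against the address used to connect.

Added example, not code from the Cisco manual. Assumes the subject is written as
comma-separated label=value components with the labels the manual lists.
"""
import ipaddress

ALLOWED_LABELS = {"CN", "OU", "O", "L", "SP", "C"}

# Constructed subject in the shape of the VPN 3002 self-signed SSL certificate:
# the CN is the private-interface IP address at the time of generation.
SAMPLE_SUBJECT = (
    "CN=10.10.147.2, OU=VPN 3002, O=Example Corp, L=Franklin, SP=Massachusetts, C=US"
)


def parse_subject(subject):
    """Split 'CN=a, OU=b, ...' into an ordered list of (label, value) pairs.

    Only the six X.520 labels named in the manual are accepted; any other
    component, or one without '=', raises ValueError rather than being ignored.
    """
    pairs = []
    for part in subject.split(","):
        label, sep, value = part.strip().partition("=")
        label = label.strip().upper()
        if not sep or label not in ALLOWED_LABELS:
            raise ValueError(f"unexpected subject component: {part.strip()!r}")
        pairs.append((label, value.strip()))
    return pairs


def common_name(subject):
    """The CN (most specific level), or None if the subject has none."""
    for label, value in parse_subject(subject):
        if label == "CN":
            return value
    return None


def cn_matches_address(subject, address):
    """Exact match of the CN against the host you connected to.

    Both sides are compared as IP addresses when both parse as such (so
    '10.10.147.2' equals '10.10.147.2' but not '10.10.147.3'); otherwise they
    are compared as hostnames, case-insensitively. An IP-literal CN never
    matches a hostname, which is why a browser warns when you reach a VPN 3002
    by DNS name instead of by the private-interface address in its certificate.
    """
    cn = common_name(subject)
    if cn is None:
        return False
    try:
        return ipaddress.ip_address(cn) == ipaddress.ip_address(address)
    except ValueError:
        return cn.lower() == address.lower()


if __name__ == "__main__":
    for addr in ("10.10.147.2", "10.10.147.3", "vpn3002.example.com"):
        print(addr, "->", cn_matches_address(SAMPLE_SUBJECT, addr))
```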
rk interface.

Enable

To enable PAT, click Enable.

Configuration | Policy Management | Traffic Management | PAT | Enable

This screen lets you enable or disable PAT, which applies PAT to all configured traffic flowing from the private interface to the public interface.

Figure 11-4: Configuration | Policy Management | Traffic Management | PAT | Enable Screen
  Check the box to enable PAT over the tunnel. Uncheck the box to disable PAT over the tunnel (LAN Extension mode).
  PAT Enabled: [x]
  [Apply] [Cancel]

Chapter 11: Policy Management
Configuration | Policy Management | Traffic Management | PAT | Enable

PAT Enabled

Check the box to enable Client Mode (PAT), or clear it to enable Network Extension Mode.

Note: Remember that to use Network Extension Mode, you must configure an IP address other than the default for the private interface. If you do not change the IP address of the private interface, you cannot disable PAT.

Apply / Cancel

To enable or disable PAT and include your setting in the active configuration, click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | PAT screen.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entry and leave the active configuration unchanged, click Cancel. The
265. rtificate. Screen text: "Step 1: Download the SSL Certificate. The VPN 3002 Hardware Client supports HTTP over SSL, also known as HTTPS. This requires the use of SSL digital certificates. A digital certificate has already been created for this VPN 3002 Hardware Client. It will automatically download to your browser. You should wait a few seconds for the certificate to be downloaded. In a few seconds a File Download dialog will appear for the SSL certificate. Select 'Open this file from its current location' to automatically install the SSL certificate. If you chose 'Save this file to disk', double-clicking the file will install the certificate into Internet Explorer. The certificate only needs to be installed once per VPN 3002 Hardware Client. If you installed a new SSL certificate onto the VPN 3002 Hardware Client, you may already have this certificate in your browser. If the certificate does not automatically download after one minute, click here to install it. Step 2: Connect to the VPN 3002 Hardware Client using SSL. To use SSL, use the protocol identifier https rather than http when accessing the VPN 3002 Hardware Client, e.g. https://10.10.99.50. After installing the SSL certificate, click here to connect to the VPN 3002 Hardware Client using SSL." The installation sequence now differs depending on the browser. Continue below for Internet Explorer, or skip to Installing the SSL Certificate with Netscape. Installing the SSL certificate with
266. s | Classes | Add or Modify. These screens let you: Add: Configure and add the special handling of a specific event class. Modify: Modify the special handling of a specific event class. Figure 9-4: Configuration | System | Events | Classes | Add Screen (screen text: "This screen lets you add and configure an event class for special handling." Fields: Class Name (Select Class): Select the event class to configure. Enable (checked): Check to enable special handling of this class. Severity to Log (5): Select the range of severity values to enter in the log. Severity to Console (3): Select the range of severity values to display on the console. Severity to Syslog (None): Select the range of severity values to send to a Syslog server. Severity to Trap (None): Select the range of severity values to send to an SNMP system. Add, Cancel). Class Name: On the Add screen, click the drop-down menu button and select the event class you want to add and configure for special handling. Please note that Select Class is an instruction reminder, not a class. Table 9-1 describes the event classes. On the Modify screen, the field shows the configured event class you are modifying. You cannot change this field. All subsequent parameters on this screen apply to this event class only. Enable: Check this box to enable the special handling of this event class. The box is checked by default. Clearing this box lets you set up the parameters for the event class but activ
267. s, timeouts, etc. SSL: total sessions, encrypted vs. unencrypted traffic, etc. DHCP: leased addresses, duration, etc. SSH: total and active sessions, bytes and packets sent and received, etc. PPPoE: session ID, server name, duration, etc. NAT: sessions, inbound and outbound packets. MIB-II Stats: interfaces, TCP/UDP, IP, ICMP, the ARP table, Ethernet, and SNMP. Figure 13-8: Monitoring | Statistics Screen (screen text: "This section shows statistics for VPN 3002 Hardware Client tunneled sessions, traffic, connection activity, and standard MIB-II objects. In the left frame, or in the list of links below, click the statistics you want to view: IPSec (tunnels, received and transmitted packets, failures, etc.), HTTP (connections, received and transmitted octets and packets, etc.), Telnet (sessions, inbound and outbound octets, session details, etc.), DNS (requests, responses, timeouts, etc.), SSL (sessions, encrypted vs. decrypted traffic, etc.), DHCP (leases, duration, etc.), SSH (sessions, inbound and outbound octets, etc.), PPPoE (session ID, server name and connection uptime, etc.), MIB-II (interfaces, TCP/UDP, IP, RIP, OSPF, ICMP, ARP table, etc.)"). Monitoring | Statistics | IPSec: This screen shows statistics for IPSec activity, including the current IPSec tunnel, on the VPN 300
268. s 14-5; host key, SSH 8-13; HTTP: configuring internal server 8-2, enabling 8-2, port number 8-3, statistics 13-22, using with Manager 1-2; HTTPS: configuring internal server 8-2, connecting using 1-16, definition 1-3, enabling 8-3, enabling on public interface for XML support 8-16, login screen 1-17, port number 8-3; I: ICMP: MIB-II statistics 13-48, PING 12-7; identification, configuring 10-2; identifying servers to the VPN 3002 5-1; identity certificates: definition 12-16, enrolling 12-20, 12-37, installed on the VPN 3002 12-32, installing 12-20, maximum allowed 12-16; idle timeout: administrator sessions 12-11, live event log overrides 13-6; IEEE standard 802.3 Ethernet networks 13-53; image, software, filenames 12-3; indicators, LED A-2; individual user authentication login screen 1-19; installing: CA certificates 12-44, automatic method using SCEP 12-17, manual method 12-19, digital certificates 12-16, enrolled certificates 12-45, identity certificates 12-20, identity certificates automatic method 12-22, 12-24, SSL certificate with Internet Explorer 1-4, with Netscape 1-9; Install SSL Certificate screen 1-4; interactive hardware client authentication login screen 1-19; interfaces: configuring 3-1, Ethernet configuring transmission mode 3-5, 3-8, MIB-II statistics 13-40, private configuring 3-4, public configuring 3-6, public and private definition 3-1, status 3-3; Internet Explorer requirements 1-1; Invalid Login or Session Time
269. s | The primary identity of the entity associated with the certificate, for example Engineering VPN. Spaces are allowed. You must enter a name in this field. If you are requesting an SSL certificate, enter the IP address or domain name you use to connect to this VPN 3002, for example 10.10.147.2. Organizational Unit (OU) | Yes | Yes | The name of the department or other organizational unit to which this VPN 3002 belongs, for example CPU Design. Spaces are allowed. Organization (O) | Yes | Yes | The name of the company or organization to which this VPN 3002 belongs, for example Cisco Systems. Spaces are allowed. Locality (L) | Yes | Yes | The city or town where this VPN 3002 is located, for example San Jose. Spaces are allowed. State/Province (SP) | Yes | Yes | The state or province where this VPN 3002 is located, for example California. Spell the name out completely; do not abbreviate. Spaces are allowed. Country (C) | Yes | Yes | The country where this VPN 3002 is located, for example US. Use two characters, no spaces, and no periods. This two-character code must conform to ISO 3166 country codes. Subject Alternative Name (Fully Qualified Domain Name, FQDN) | Yes | Yes | The fully qualified domain name that identifies this VPN 3002 in this PKI, for example vpn3030.cisco.com. This field is optional. The alternative name is an additional data field in the certificate that provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections. Subject Alternative
270. s for Received Notifies above. Received Phase 2 Exchanges: The cumulative total of IPSec Phase 2 exchanges received by all currently and previously active IKE tunnels; that is, the total of Phase 2 negotiations received that were initiated by a remote peer. A complete exchange consists of three packets. Sent Phase 2 Exchanges: The cumulative total of IPSec Phase 2 exchanges that were sent by all currently and previously active IKE tunnels; that is, the total of Phase 2 negotiations initiated by this VPN 3002. Invalid Phase 2 Exchanges Received: The cumulative total of IPSec Phase 2 exchanges that were received, found to be invalid because of protocol errors, and dropped by all currently and previously active IKE tunnels. In other words, the total of Phase 2 negotiations that were initiated by a remote peer but that this VPN 3002 dropped because of protocol errors. Invalid Phase 2 Exchanges Sent: The cumulative total of IPSec Phase 2 exchanges that were sent and were found to be invalid by all currently and previously active IKE tunnels. Rejected Received Phase 2 Exchanges: The cumulative total of IPSec Phase 2 exchanges that were initiated by a remote peer, received, and rejected by all currently and previously active IKE tunnels. Rejected exchanges indicate policy-related failures, such as configuration problems. Rejected Sent Phase 2 Exchanges: The cumulative total of IPSec Phase 2 exchanges that were initiated by this VPN 3002,
271. s that the CA certificate was installed using SCEP; No indicates it was installed manually. If no CA certificate on the VPN 3002 was installed using SCEP, then no "Enroll via SCEP at [Name of SCEP CA]" link appears on this screen, and you do not have the option of using SCEP to enroll the certificate. Enroll via SCEP at [Name of SCEP CA]: Click this link to enroll the certificate automatically using SCEP. Install a New SA Using SCEP before Enrolling: If you want to install a certificate using SCEP but no "Enroll via SCEP at [Name of SCEP CA]" link appears here, click "Install a new SA Using SCEP before Enrolling". Install a CA certificate using SCEP, then return to this screen to install the certificate. A SCEP link now appears. << Go back and choose a different type of certificate: Click this link to return to the Administration | Certificate Management | Enroll screen. See Figure 12-35. Administration | Certificate Management | Enroll | Certificate Type | PKCS10: To generate an enrollment request for an SSL or identity certificate, you need to provide information about the VPN 3002. Figure 12-37: Administration | Certificate Management | Enroll Identity Certificate via PKCS10 Screen (screen text: "Enter the information to be included in the c
272. s the Administration | Certificate Management | Install Certificate Obtained via Enrollment screen. See Figure 12-30. Figure 12-30: Administration | Certificate Management | Install Certificate Obtained via Enrollment Screen (screen text: "Select an enrollment request to install." Enrollment Status table with columns Subject, Issuer, Date, Use, Reason, Method, Status, Actions; sample rows show a manual request In Progress with View, Install, Delete actions, a SCEP request Complete with Activate, Delete actions, and a SCEP request in Error with View, Re-submit, Delete actions; link: << Go back and choose a different type of certificate). Step 11: Find your enrollment request in the Enrollment Status table. Click Install. The Manager displays the Administration | Certificate Management | Install Identity Certificate screen. See Figure 12-31. Figure 12-31: Administration | Certificate Management | Install Identity Certificate Screen (screen text: "Choose the method of installation: Cut & Paste Text; Upload File from Workstation; << Go back to and choose a different type of certificate"). Step 12: Choose either installation method: Cut & Paste Text or Upload File from Workstation. Step 13: The Manager displays a screen appropriate to your choice. Include the certif
273. s the Save reminder. Refresh: Click the Refresh icon to refresh (update) the screen contents on screens where it appears (mostly in the Monitoring section). The date and time above this reminder indicate when the screen was last updated. Reset: Click the Reset icon to reset (or start anew) the screen contents on screens where it appears (mostly in the Monitoring section). Restore: Click the Restore icon to restore the screen contents to their status prior to when you last clicked on the Reset icon. Cisco Systems logo: Click the Cisco Systems logo to open a browser and go to the Cisco.com web site, www.cisco.com. Left frame (Table of Contents): On Manager screens, the left frame provides a table of contents. The table of contents uses the familiar Windows Explorer metaphor of collapsed and expanded entries. Main section titles (Configuration, Administration, Monitoring): Click on a title to open subordinate sections and titles, and to go to that Manager screen in the main frame. Closed or collapsed: Click the closed (collapsed) icon to open subordinate sections and titles. Clicking on this icon does not change the screen in the main frame. Open or expanded: Click the open (expanded) icon to close subordinate sections and titles. Clicking on this icon d
274. s window displays information about the connection. Figure 1-33: Connection/Login Status Screen (screen text: "VPN 3002 Connection Status: VPN 3002 is connected. Since 09/24/2001 17:31:46 for 0:02:09 (hh:mm:ss). Individual User Authentication: You are logged in. Username: 3002user. Log Out Now. IP: 10.10.98.10, since Sep 24 17:33:32 for 0:00:23 (hh:mm:ss). Go back to the VPN 3002 administrative login page."). The user behind the VPN 3002 is connected to the VPN Concentrator at the central site. Click "Go back to the VPN 3002 administrative login page" to return to the VPN 3002 Hardware Client Manager login screen and access other features and functions of the VPN 3002. Understanding the VPN 3002 Hardware Client Manager Window: The VPN 3002 Hardware Client Manager window on your browser consists of three frames (top, left, and main), and it provides helpful messages and tips as you move the mouse pointer over window items. The title bar and status bar also provide useful information. Figure 1-34: VPN 3002 Hardware Client Manager Window (title bar: "Cisco Systems, Inc. VPN 3002 Hardware Client 10.10.99.50 - Netscape", followed by the browser menu and toolbar)
275. se this range, no events are sent to a syslog server. If you select any severity levels to send, you must also configure the syslog server(s) on the Configuration | System | Events | Syslog Servers screens. Severity to Trap: Click the drop-down menu button and select the range of event severity levels to send to an SNMP network management system (NMS). By default, event messages sent to SNMP systems are called traps. The choices are None, 1, 1-2, 1-3. The default is None; if you choose this range, no events are sent as SNMP traps. If you select any severity levels to send, you must also configure SNMP destination system parameters on the Configuration | System | Events | Trap Destinations screens. The VPN 3002 can send the standard, or well-known, SNMP traps listed in Table 9-4. To have an SNMP NMS receive them, you must configure the events as in the table and configure a trap destination.
Table 9-4: Configuring Well-Known SNMP Traps
To send this well-known SNMP trap | Configure either General event handling or this Event Class | With this Severity to Trap
coldStart | EVENT | 1 or higher
linkDown | IP | 1-3 or higher
linkUp | IP | 1-3 or higher
authFailure (1) | SNMP | 1-3 or higher
(1) This trap is SNMP authentication failure, not tunnel authentication failure.
276. sent, and rejected by all currently and previously active IKE tunnels. See comment above. Phase 2 SA Delete Requests Received: The cumulative total of requests to delete IPSec Phase 2 Security Associations received by all currently and previously active IKE tunnels. Phase 2 SA Delete Requests Sent: The cumulative total of requests to delete IPSec Phase 2 Security Associations sent by all currently and previously active IKE tunnels. Initiated Tunnels: The cumulative total of IKE tunnels that this VPN 3002 initiated. Failed Initiated Tunnels: The cumulative total of IKE tunnels that this VPN 3002 initiated and that failed to activate. Failed Remote Tunnels: The cumulative total of IKE tunnels that remote peers initiated and that failed to activate. Authentication Failures: The cumulative total of authentication attempts that failed, by all currently and previously active IKE tunnels. Authentication failures indicate problems with preshared keys, digital certificates, or user-level authentication. Decryption Failures: The cumulative total of decryptions that failed, by all currently and previously active IKE tunnels. Hash Validation Failures: The cumulative total of hash validations that failed, by all currently and previously active IKE tunnels. Hash validation failures usually indicate misconfigurati
277. sent only if needed. Be sure you select the correct file for your VPN 3002; otherwise the update will fail. Upload / Cancel: To upload the new image file to the VPN 3002, click Upload. To cancel your entries on this screen, or to stop a file upload that is in progress, click Cancel. The Manager returns to the main Administration screen. If you then return to the Administration | Software Update screen, you might see a message that a file upload is in progress. Click the highlighted link to stop it and clear the message. Software Update Progress: This window shows the progress of the software upload. It refreshes the number of bytes transferred at 10-second intervals. Figure 12-3: Administration | Software Update Progress Window (screen text: "965544 bytes transferred, 10 second refresh"). When the upload is finished, or if the upload is cancelled, the progress window closes. Software Update Success: The Manager displays this screen when it completes the software upload and verifies the integrity of the software. To go to the Administration | System Reboot screen, click the highlighted link. We strongly recommend that you clear your browser cache after you update the software image: delete all the temporary internet files, history files, and location bar references. Figure 12-4: Administration | Software
278. shes and when it is rebooted. This log file is named SAVELOG.TXT, and it overwrites any existing file with that name. The SAVELOG.TXT file is useful for debugging. To view SAVELOG.TXT, see Administration | File Management | View, and click on View Saved Log File. Crash Dump File: If the VPN 3002 crashes during operation, it saves internal system data in nonvolatile memory (NVRAM), and then automatically writes this data to a CRSHDUMP.TXT file in flash memory when it is rebooted. This file contains the crash date and time, software version, tasks, stack, registers, memory, buffers, and timers, which help Cisco support engineers diagnose the problem. In case of a crash, we ask that you send this file when you contact TAC for assistance. To view the CRSHDUMP.TXT file, see Administration | File Management | View, and click on View Saved Log Crash Dump File. Configuration Files: The VPN 3002 saves the current boot configuration file (CONFIG) and its predecessor (CONFIG.BAK) as files in flash memory. These files may be useful for troubleshooting. See Administration | File Management for information on managing files in flash memory. LED Indicators: LED indicators on the VPN 3002 are normally green or flashing amber. LEDs that are solid amber or off may indicate an error condition. Contact Cisco TAC if any LED indicates an error c
279. ssion, you must log out for the system to reboot or shutdown. Apply / Cancel: To take action with the selected options, click Apply. The Manager returns to the main Administration screen if you do not reboot or shutdown now. To cancel your settings on this screen, click Cancel. The Manager returns to the main Administration screen. Note that this Cancel button does not cancel a scheduled reboot or shutdown. Administration | Ping: This screen lets you use the ICMP ping (Packet Internet Groper) utility to test network connectivity. Specifically, the VPN 3002 sends an ICMP Echo Request message to a designated host. If the host is reachable, it returns an Echo Reply message, and the Manager displays a Success screen. If the host is not reachable, the Manager displays an Error screen. You can also Ping hosts from the Administration | Sessions screen. Figure 12-7: Administration | Ping Screen (screen text: "This screen lets you test network connectivity. Please wait for the operation to complete." Field: Address/Hostname to Ping; Ping, Cancel). Address/Hostname to Ping: Enter the IP address or hostname of the system you want to test. If you configured a DNS server, you can enter a hostname; otherwise enter an IP address. Maximum is 64 characters. Ping / Cancel: To send the ping message, click Ping. The Manager pauses during the test, which might take a few m
280. st. If you are installing an SSL certificate with a private key, include the encrypted private key. (Screen text: "The enrollment request has been resubmitted, status: Rejected. Go to Certificate Management; Go to Certificate Enrollment; Go to Certificate Installation.") Status: Installed: The CA returned the certificate, and it has been added to the certificate store. Rejected: The CA refused to issue a certificate. Polling: The CA has pended the approval request, or CA is unavailable. Error: There has been an error processing the enrollment request. Go to Certificate Management: If you want to view the certificate request, click Go to Certificate Management. The Manager displays the Administration | Certificate Management screen. See Figure 12-19. Go to Certificate Enrollment: If you want to enroll another certificate, click Go to Certificate Enrollment. The Manager displays the Administration | Certificate Management | Enroll screen. See Figure 12-35. Go to Certificate Installation: If you want to install the certificate you have just enrolled, click Go to Certificate Installation. The Manager displays the Administration | Certificate Management | Install screen. See Figure 12-41. Administration | Certificate Management | Delete: The Manager displays this co
281. stics | MIB-II | IP Screen (Reset, Refresh; counters shown: Packets Received (Total), Packets Received (Header Errors), Packets Received (Address Errors), Packets Received (Unknown Protocols), Packets Received (Discarded), Packets Received (Delivered), Packets Forwarded, Outbound Packets Discarded, Outbound Packets with No Route, Packets Transmitted (Requests), Fragments Needing Reassembly, Reassembly Successes, Reassembly Failures, Fragmentation Successes, Fragmentation Failures, Fragments Created). Reset: To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer. Restore: To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon. Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Packets Received (Total): The total number of IP data packets received by the VPN 3002, including those received with errors.
282. strator (screen text: "Configuration; Administration; 3) Monitoring; Save changes to Config file; 5) Help Information; 6) Exit. Main ->"). The default Monitor administrator can only monitor the VPN 3002, not configure system parameters or administer the system. See Administration | Access Rights | Administrators in Chapter 12, Administration, for more information. Menu Reference: This section shows all the menus in the first three levels below the main menu. There are many additional menus below the third level, and within the first three levels there are some non-menu parameter settings. To keep this chapter at a reasonable size, we show only the menus here. The numbers in each heading are the keyboard shortcut to reach that menu from the main menu. For example, entering 1.3.1 at the main menu prompt takes you to the Configuration > System Management > IP Routing menu. Note: The menus and options, and thus the keyboard shortcuts, might change with new software versions. Please check familiar shortcuts carefully when using a new release. Main Menu: Configuration; Administration; Monitoring; Save changes to Config file; Help Information; Exit. 1 Configuration: Quick Configuration; Interface Configuration; Policy Management; System Management; Back. 1.1 Configuration > Quick C
283. strings. To protect security, the VPN 3002 does not include the usual default public community string. Parsing Errors: The total number of syntax or transmission errors encountered by the VPN 3002 when decoding received SNMP messages. Silent Drops: The total number of SNMP request messages that were silently dropped because the reply exceeded the maximum allowable message size. Proxy Drops: The total number of SNMP request messages that were silently dropped because the transmission of the reply message to a proxy target failed for some reason other than a timeout. Chapter 14: Using the Command Line Interface. The VPN 3002 Hardware Client command line interface (CLI) is a menu- and command-line-based configuration, administration, and monitoring system built into the VPN 3002. You use it via the system console or a Telnet or Telnet over SSL session. You can use the command line interface to completely manage the system. You can access and configure the same parameters as the HTML-based VPN 3002 Hardware Client Manager. This chapter describes general features of the command line interface and how to access and use it. It does not describe the individual menu items and parameter entries. For information on specific parameters and opti
284. Figure 12-25: Administration | Certificate Management | Enroll Identity Certificate | SCEP Screen (screen text: "Enter the information to be included in the certificate request. Please wait for the operation to finish." Fields: Common Name (CN): Enter the common name for the VPN 3002 Hardware Client to be used in this PKI. Organizational Unit (OU): Enter the department. Organization (O): Enter the Organization or company. Locality (L): Enter the city or town. State/Province (SP): Enter the State or Province. Country (C): Enter the two-letter country abbreviation, e.g. United States = US. Subject Alternative Name (FQDN): Enter the Fully Qualified Domain Name for the VPN 3002 Hardware Client to be used in this PKI. Subject Alternative Name (E-Mail Address): Enter the E-Mail Address for the VPN 3002 Hardware Client to be used in this PKI. Challenge Password / Verify Challenge Password: Enter and verify the challenge password for this certificate request. Key Size (RSA 512 bits): Select the key size for the generated RSA key pair. Enroll, Cancel). Step 5: Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1. The VPN 3002 sends the certificate request to the CA. If the CA does not issue the certificate immediately (some CAs require manual verification of credentials, and this can take time), the certificate request could
285. Configuration | System | Management Protocols | SSH. Enable SSH: Check the box to enable the SSH server. The box is checked by default. Disabling the SSH server provides additional security by preventing SSH access. Enable SSH on Public: Check the box to enable SSH on the Public interface. SSH Port: Enter the port number that the SSH server uses. The default is 22, which is the well-known port. Maximum Sessions: Enter the maximum number of concurrent SSH sessions allowed. Minimum is 1, default is 4, and maximum is 10. Key Regeneration Period: Enter the server key regeneration period in minutes. If the server key has been used for an SSH session, the VPN 3002 regenerates the key at the end of this period. Minimum is 0 (which disables key regeneration), default is 60 minutes, and maximum is 10080 minutes (1 week). Note: Use 0 (disable key regeneration) only for testing, since it lessens security. Encryption Algorithms: Check the boxes for the encryption algorithms that the VPN 3002 SSH server can negotiate with a client and use for session encryption. All algorithms are checked by default. You must check at least one algorithm to enable a secure session. Unchecking all algorithms disables SSH. 3DES-168: Triple-DES encryption with a 168-bit key. This option is the most secure but requires the greatest processing overhead. RC4-128: R
286. t Sessions table shows statistics for these sessions. Attempted Sessions: The total number of attempts to establish Telnet sessions on the VPN 3002 since it was last booted or reset. Successful Sessions: The total number of Telnet sessions successfully established on the VPN 3002 since it was last booted or reset. Telnet Sessions: This table shows statistics for active Telnet sessions on the VPN 3002. Each active session is a row. Client IP Address:Port: The IP address and TCP source port number of the remote Telnet client for this session. Inbound Octets Total: The total number of Telnet octets (bytes) received by this session. Inbound Octets Command: The number of octets (bytes) containing Telnet commands or options received by this session. Inbound Octets Discarded: The number of Telnet octets (bytes) received and dropped during input processing by this session. Outbound Octets Total: The total number of Telnet octets (bytes) transmitted by this session. Outbound Octets Dropped: The number of outbound Telnet octets dropped during output processing by this session. Monitoring | Statistics | DNS (Reset, Restore, Refresh; Requests, Responses): This s
287. t Status (Remove All: Errored, Timed-out, Rejected, Cancelled; current: 0, available: 2; columns Subject, Issuer, Date, Use, Reason, Method, Status, Actions; "No Enrollment Requests"). Step 2: Click "Click here to install a CA certificate". Note: The "Click here to install a CA certificate" option is only available from this window when no CA certificates are installed on the VPN 3002. If you do not see this option, click "Click here to install a certificate". The Manager displays the Administration | Certificate Management | Install screen. Then click Install CA Certificate. The Manager displays the Administration | Certificate Management | Install | CA Certificate screen. See Figure 12-20. Figure 12-20: Administration | Certificate Management | Install | CA Certificate (screen text: "Choose the method of installation: SCEP (Simple Certificate Enrollment Protocol); Cut & Paste Text; Upload File from Workstation; << Go back to and choose a different type of certificate"). Step 3: Click SCEP (Simple Certificate Enrollment Protocol). The Manager displays the Administration | Certificate Management | Install | CA Certificate | SCEP screen. See Figure 12-21. Figure 12-21: The Administration | Certificate Management | Install | CA Certificate | SCEP Screen (screen text: "Enter the information needed to retrieve the CA certificat
288. t to continue. The wizard opens the next dialog box, asking you to select a certificate store. Figure 1-6: Internet Explorer Certificate Manager Import Wizard Dialog Box (dialog text: "Certificate Manager Import Wizard. Select a Certificate Store. Certificate stores are system areas where certificates are stored. Select the certificate store for the new certificates." Options: Automatically select the certificate store; Place all certificates into the following store. < Back, Next >, Cancel). 6. Let the wizard "Automatically select the certificate store", and click Next. The wizard opens a dialog box to complete the installation. Figure 1-7: Internet Explorer Certificate Manager Import Wizard Dialog Box (dialog text: "Completing the Certificate Manager Import Wizard. You have successfully completed the Certificate Manager Import wizard. You have selected the following for the import operation: Certificate Store Selected by wizard: Trusted Root Certific... Content: Certificate." < Back, Finish, Cancel). 7. Click Finish. The wizard opens the Root Certificate Store dialog box, asking you to confirm the installation. Figure 1-8: Internet Explorer Root Certificate Store Dialog Box (dialog text: "Do you want to ADD the following certificate to the Ro
289. t to their final destination. It can receive encapsulated packets from the public network, unencapsulate them, and send them to their final destination on the private network. This section explains how to configure the IPSec tunneling protocol.

Configuration | System | Tunneling Protocols. This section lets you configure the IPSec tunneling protocol. Click IPSec on the Tunneling Protocols screen.

Figure 6-1 Configuration | System | Tunneling Protocols Screen [screen: This section of the Manager lets you configure system-wide tunneling protocols. In the left frame, or in the list of links below, click the protocol you want: IPSec (IP Security Protocol)]

Configuration | System | Tunneling Protocols | IPSec. The VPN 3002 complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. In IPSec terminology, a peer is a remote-access client or another secure gateway. During tunnel establishment under IPSec, the two peers negotiate Security Associations (SAs) that govern authentication, encryption, encapsulation, key management, etc. These negotiations involve two phases: the first phase establishes the tunnel (the IKE SA); the second phase gover
290. ta, click Refresh. The date and time indicate when the screen was last updated.

Unencrypted Inbound Octets: The number of octets (bytes) of inbound traffic output by the decryption engine.

Encrypted Inbound Octets: The number of octets (bytes) of encrypted inbound traffic sent to the decryption engine. This number includes negotiation traffic.

Unencrypted Outbound Octets: The number of unencrypted outbound octets (bytes) sent to the encryption engine.

Encrypted Outbound Octets: The number of octets (bytes) of outbound traffic output by the encryption engine. This number includes negotiation traffic.

Total Sessions: The total number of SSL sessions.

Active Sessions: The number of currently active SSL sessions.

Max Active Sessions: The maximum number of SSL sessions simultaneously active at any one time.

Monitoring | Statistics | DHCP. This screen shows statistics for DHCP (Dynamic Host Configuration Protocol) server activity on the VPN 3002 since it was last booted or reset. Each row of the table shows data for each IP address handed out to a DHCP client (PC) on the VPN 3002 private network. To configure the DHCP server, see Configuration | System | IP Routing | DHCP.

Figure 13-14 Monitoring | Statistics | DHCP Screen [screen residue: Active Leases, Timeouts, Pool Start, Pool
291. te VPN Concentrator assigns to the VPN 3002. The IP addresses of the computers on the VPN 3002 private network are hidden. You cannot ping or access a device on the VPN 3002 private network from outside of that private network, or directly from a device on the private network at the central site. In client mode, the tunnel establishes when data passes to the VPN Concentrator or when you click Connect Now in the Monitoring | System Status screen.

Client Mode with Split Tunneling. You assign the VPN 3002 to a client group on the central-site VPN Concentrator. If you enable split tunneling for that group, IPSec and PAT are applied to all traffic that travels through the VPN 3002 to networks within the network list for that group behind the central-site VPN Concentrator. Traffic from the VPN 3002 to any destination other than those within the network list for that group on the central-site VPN Concentrator travels in the clear, without applying IPSec. NAT translates the network addresses of the devices connected to the VPN 3002 private interface to the assigned IP address of the public interface, and also keeps track of these mappings so that it can forward replies to the correct device.

The network and addresses on the private side of the VPN 3002 are hidden and cannot be accessed directly. VPN 3000 Series VPN Concentra
292. tem LEDs and status, and data on user sessions. This manual covers all these topics. For Quick Configuration, refer to the VPN 3002 Hardware Client Getting Started guide.

Navigating the VPN 3002 Hardware Client Manager. Your primary tool for navigating the VPN 3002 Hardware Client Manager is the table of contents in the left frame. Figure 1-35 shows all its entries completely expanded. The figure shows the frame in multiple columns, but the actual frame is a single column. Use the scroll controls to move up and down the frame.

Figure 1-35 Manager Table of Contents [screen residue, entries in the order shown: Administration, Software Update, System Reboot, Access Rights, Administrators, Access Settings, File Management, View Files, Swap Config File, Config File Upload, Certificate Management, Configuration, Quick Configuration, Tunneling Protocols, IPSec, IP Routing, Static Routes, Default Gateways, Filterable Event Log, Live Event Log, System Status, Statistics, IPSec, HTTP, Trap Destinations, Syslog Servers, General, Identification, Time and Date, Policy Management, Traffic Management]

CHAPTER Configuration. Configuring the VPN 3002 means setting all the parameters that govern its use and functionality as a V
293. the Access Concentrator MAC Address (see below) uniquely identifies the PPPoE session.

PPPoE Access Concentrator: The device your Internet Service Provider (ISP) uses to manage PPPoE traffic. Fields include Session ID, MAC Address, and Server Name. These fields have entries only if a PPPoE session is established.

MAC Address: The MAC (Medium Access Control) address of the PPPoE Access Concentrator, in 6-byte hexadecimal notation.

Server Name: The name of the server for the PPPoE Access Concentrator.

Duration: The amount of time that this PPPoE session has been up, in the format hh:mm:ss.

PADI Timeouts: The number of PPPoE Active Discovery Initiation packets for which the VPN 3002 received no response.

PADR Timeouts: The number of PPPoE Active Discovery Request packets for which the VPN 3002 received no response.

Multiple PADO Rx: The number of multiple PPPoE Active Discovery Offer packets received; that is, the number of times more than one PPPoE access concentrator responded to the PADI the VPN 3002 sent.

PADT Rx: The number of PPPoE Active Discovery Terminate packets received.

PADT Tx: The number of PPPoE Active Discovery Terminate packets sent.

Generic Errors Rx: The number of errors received during the PPPoE session.

Malformed Packets Rx: The number of malformed packets received dur
294. the VPN 3002.

Figure 13-5 Monitoring | System Status Screen [screen residue: Reset, Refresh; VPN Client Type; Bootcode Rev; Software Rev; Up For; Up Since; RAM Size; Disconnect Now / Connect Now; Assigned IP Address; Tunnel Established to; Duration; Tunnel Type (IPSec over UDP, Port 10000); Security Associations table with columns Type, Remote Address, Encryption, Authentication, Packets In/Out, Other (IKE row: 3DES, MD5, Pre-Shared Key, Aggressive Mode, DH Group; IPSec row: 3DES, HMAC-MD5); In the pictures below, select and click a module for status details]

Reset: To reset or start anew the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer.

Restore: To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you prev
295. the browser Address or Location field, you can just enter the VPN 3002 private interface IP address; for example, 10.10.147.2. The browser automatically assumes and supplies an http:// prefix. The browser displays the VPN 3002 Hardware Client Manager login screen.

Figure 1-1 VPN 3002 Hardware Client Manager Login Screen [screen: Install SSL Certificate; Connection/Login Status; VPN 3002 Hardware Client Manager; Login, Password; Login, Clear; Copyright 1998-2001 Cisco Systems, Inc.]

To continue using HTTP for the whole session, skip to Logging into the VPN 3002 Hardware Client Manager.

Installing the SSL Certificate in Your Browser. The Manager provides the option of using HTTP over SSL with the browser. SSL creates a secure session between your browser (VPN 3002 hardware client) and the VPN Concentrator (server). This protocol is known as HTTPS, and uses the https:// prefix to connect to the server. The browser first authenticates the server, then encrypts all data passed during the session. HTTPS is often confused with a similar protocol, S-HTTP (Secure HTTP), which encrypts only HTTP application-level data. SSL encrypts all data between client and server at the IP socket level, and is thus more secure. SSL uses
296. the original password is incorrect, press Enter and reenter both the password and the verification at the prompts.

INDEX

Numerics: 3DES-168 SHA SSL encryption algorithm 8-11; 3DES-168 SSH encryption algorithm 8-14.

A: accessing the CLI 14-1; access rights, administration 12-9; default Monitor administrator (CLI) 14-6; access settings, general, for administrators 12-11; add: event class 9-10, SNMP community 8-8, SNMP event destination 9-13, static route for IP routing 7-3, syslog server to receive events 9-16; Address Resolution Protocol (ARP) mapping table 13-51; administering the VPN 3002 12-1; administrators: access rights 12-9, access settings (general) 12-11, configuring 12-9, parameters saved in nonvolatile memory 12-10, password 12-10, predefined 12-10, properties and rights (changing) 12-9, session idle timeout 12-11; ARP table 13-51; authentication: client (SSL/HTTPS only) 8-11, using digital certificates 12-16.

B: Back and Home CLI choices 14-5; back panel display, monitoring 13-11; backup configuration file: swapping 12-13, use in troubleshooting A-2; backup server list 6-4; backup servers: configuring 6-3, DNS and WINS servers 6-4, overview 6-4; Bad IP Address error A-10; bidirectional tunnel endpoint 6-1; bootcode version and filename 13-9; boot configuration file, swapping 12-13; browser Back or Forward button displays incorrect screen or incorrect data A-7
297. then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer versus the regular odometer.

Restore: To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Interface: The VPN 3002 interface: Private or Public.

Status: The operational status of this interface. UP, UP (DHCP), UP (PPPoE): configured and enabled, ready to pass data traffic. Waiting for DHCP/PPPoE: configured and enabled, ready to pass data traffic. Disabled: configured but disabled. DOWN, DOWN (DHCP), DOWN (PPPoE): configured but down. Testing: in test mode; no regular data traffic can pass. Dormant: configured and enabled, but waiting for an external action such as an incoming connection. Not Present: missing hardware components. Lower Layer Down: not operational because a lower-layer interface is down. Unknown: not configured.

Unicast In: The number of unicast packets that were received by this interface. Unicast packets are those addressed to a single host. Uni
298. tificates that are self-signed or issued in a PKI context. The VPN 3002 stores digital certificates and private keys in Flash memory. You do not need to click Save Needed to store them, and they are not visible under Administration | File Management. All stored private keys are encrypted. The VPN 3002 can have only one SSL certificate installed. If you generate a self-signed SSL certificate, it replaces any installed PKI-context SSL certificate, and vice versa.

Enrolling and Installing Digital Certificates. To obtain a digital certificate for the VPN 3002, you must first enroll with a CA.

Step 1 To enroll with a CA, create an enrollment request and submit it to your CA.

Step 2 The CA enrolls the VPN 3002 into the PKI and issues you a certificate.

Step 3 Once you have the certificate, you then have to install it on the VPN 3002.

Note: You must first install a CA certificate before you enroll identity certificates from that CA.

You can enroll and install digital certificates on the VPN 3002 automatically or manually. The automatic method uses the Simple Certificate Enrollment Protocol (SCEP) to streamline enrollment and installation. SCEP is a secure messaging protocol that requires minimal user intervention. This method is quicker and allows you to enroll and install certificates using only the Manager, but is only available if you are both enrolling with a CA that supports SCEP and enrolling via the web. If your CA does not support S
299. tion, see the Monitoring | Filterable Event Log screen.

Configuration | System | Events. This section of the Manager lets you configure how the VPN 3002 handles events. Events provide information for system monitoring, auditing, management, accounting, and troubleshooting.

Figure 9-1 Configuration | System | Events Screen [screen: Save Needed. This section of the Manager lets you configure how the VPN 3002 Hardware Client handles events (alarms, traps, error conditions, status changes, etc.). In the left frame, or in the list of links below, click the option you want to configure: General (general/default event handling); Classes (special handling of specific event classes); Trap Destinations (SNMP trap message destinations); Syslog Servers (UNIX syslog message servers)]

Configuration | System | Events | General. This Manager screen lets you configure the general, or default, handling of all events. These defaults apply to all event classes. You can override these default settings by configuring specific events for special handling on the Configuration | System | Events | Classes screens.

Figure 9-2 Configuration | System | Events | General Screen [screen: This section lets you configure default event handling. Syslog Format: Original. Select the format of Syslog messages. Severity to Log
300. tions, but excluding those containing only retransmitted bytes. Segment is the official TCP name for what is casually called a data packet.

TCP Segments Retransmitted: The total number of segments retransmitted; that is, the number of TCP segments transmitted containing one or more previously transmitted bytes. Segment is the official TCP name for what is casually called a data packet.

TCP Timeout Min: The minimum value permitted for TCP retransmission timeout, measured in milliseconds.

TCP Timeout Max: The maximum value permitted for TCP retransmission timeout, measured in milliseconds.

TCP Connection Limit: The limit on the total number of TCP connections that the system can support. A value of -1 means there is no limit.

TCP Active Opens: The number of TCP connections that went directly from an unconnected state to a connection-synchronizing state, bypassing the listening state. These connections are allowed, but they are usually in the minority.

TCP Passive Opens: The number of TCP connections that went from a listening state to a connection-synchronizing state. These connections are usually in the majority.

TCP Attempt Failures: The number of TCP connection attempts that failed. Technically, this is the number of TCP connections that went to an unconnected state, plus the number that went to a listening state, from a connection-synchronizing state.
301. to Monitoring > System Status and click on Connect Now. 4. Study the event log files. To capture more events and to interpret events, see Chapter 9, Events, in the VPN 3002 Hardware Client User Reference.

My PC cannot communicate with the remote network: 1. Verify that the VPN Concentrator to which this VPN 3002 connects is running version 3.0 software. 2. Navigate to Monitoring > System Status and click on Connect Now.

Connect Now worked. LEDs for the private interface switch port are off: Make sure that a LAN cable is properly attached to the private interface of the VPN 3002 and the PC.

LEDs for the private interface switch port are on: 1. Is this PC configured as a DHCP client? If so, verify that the DHCP server on the VPN 3002 is enabled. 2. With any method of address assignment, verify that the PC has an IP address and subnet mask.

Attempting to ping the default gateway (Administration > Ping) yields no response: 1. Make sure your PC has an appropriate IP address reachable on this network. 2. Contact your network administrator.

Settings on the VPN Concentrator. If your VPN 3002 experiences connectivity problems, check the configuration of the VPN Concentrator.

Step 1 Configure the connection as a Client, not LAN-to-LAN.

Step 2 Assign this VPN 3002 to a group. Configure group and user names and passwords. These must match the group and user names and passwords that you set on the VPN
302. tor Settings Required for PAT. For the VPN 3002 to use PAT, these are the requirements for the central-site VPN Concentrator:

1. The VPN Concentrator at the central site must be running Software version 3.x or later.

2. Address assignment must be enabled, by whatever method you choose to assign addresses (for example, DHCP, address pools, per user, or client specified). If the VPN Concentrator uses address pools for address assignment, make sure to configure the address pools your network requires. See Chapter 6, Address Management, in the VPN 3000 Series Concentrator Reference Volume I.

3. Configure a group to which you assign this VPN 3002. This includes assigning a group name and password. See Chapter 14, User Management, in the VPN 3000 Series Concentrator Reference Volume I.

4. Configure one or more users for the group, including usernames and passwords.

Network Extension Mode. Network Extension mode allows the VPN 3002 to present a single, routable network to the remote private network over the VPN tunnel. IPSec encapsulates all traffic from the VPN 3002 private network to networks behind the central-site VPN Concentrator. PAT does not apply. Therefore, devices behind the VPN Concentrator have direct access to devices on the VPN 3002 private network over the tunnel, and only over the tunnel, and vice versa. The VPN 3002 must initiate the tunnel, but after the tunnel is up, either side can initiate data exch
303. tration | Certificate Management | View Enrollment Request.

Yes / No: To delete this certificate, click Yes. Note: There is no undo. The Manager returns to the Administration | Certificate Management screen and shows the remaining certificates. To retain this certificate, click No. The Manager returns to the Administration | Certificate Management screen, and the certificates are unchanged.

Administration | Certificate Management | View Enrollment Request. This screen allows you to view the details of an enrollment request.

Figure 12-51 Administration | Certificate Management | View Enrollment Request Screen [screen residue: Subject (CN, OU, O, L, SP, C); Public Key Type (RSA, 512 bits); Request Usage (Identity); MD5 Thumbprint; Generated; Enrollment Type (Initial); Enrollment Method (Manual); Enrollment Status (In Progress)]

Enrollment Request Fields. An enrollment request contains some or all of the following fields (Field: Content).

Subject: The person or system that uses the certificate.

Issuer: The CA or other entity (jurisdiction) from whom the certificate is being requested.

Subject and Issuer consist of a specific-to-general identification
304. tration | Certificate Management | Install. Choose the type of certificate you want to install.

Figure 12-41 Administration | Certificate Management | Install Screen [screen: Choose the type of certificate to install: Install CA certificate; Install SSL certificate with private key; Install certificate obtained via enrollment; << Go back to Certificate Management]

Install CA Certificate: If you want to install a CA certificate, click Install CA Certificate. The Manager displays the Administration | Certificate Management | Install CA Certificate screen.

Install SSL Certificate with Private Key: Some web servers export their SSL certificates with the private key attached. If you have a PEM-encoded certificate with a corresponding private key that you want to install, click Install SSL Certificate with Private Key. The Manager displays the Administration | Certificate Management | Install SSL Certificate with Private Key screen.

Install Certificate Obtained via Enrollment: If you want to install a certificate manually that you have obtained by enrolling a certificate request with a CA, click Install Certificate Obtained via Enrollment. The Manager displays the Administration | Certificate Management | Install Certificate Obtained via Enrollment screen.

Administration | Certificate Management | Install Certificate Obtained
305. ts that were received by this interface since the VPN 3002 was last booted or reset. Multicast packets are those addressed to a specific group of hosts.

Tx Multicast: The number of multicast packets that were routed to this interface for transmission since the VPN 3002 was last booted or reset, including those that were discarded or not sent. Multicast packets are those addressed to a specific group of hosts.

Rx Broadcast: The number of broadcast packets that were received by this interface since the VPN 3002 was last booted or reset. Broadcast packets are those addressed to all hosts on a network.

Tx Broadcast: The number of broadcast packets that were routed to this interface for transmission since the VPN 3002 was last booted or reset, including those that were discarded or not sent. Broadcast packets are those addressed to all hosts on a network.

Monitoring | User Status. This section displays statistics for devices behind the VPN 3002 Hardware Client.

Figure 13-7 Monitoring | User Status screen [screen residue: Refresh; Cisco IP Phone Bypass is disabled; table columns Username, IP Address, MAC Address, Login Time, Duration (hh:mm:ss), Actions (Logout)]

Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen
306. u cannot use the Live Event Log feature with Netscape Navigator version 4.0.

JavaScript and Cookies: Be sure JavaScript and Cookies are enabled in the browser. Refer to the documentation for your browser for instructions.

Navigation Toolbar: Do not use the browser navigation toolbar buttons Back, Forward, or Refresh/Reload with the VPN 3002 Hardware Client Manager unless instructed to do so. To protect access security, clicking Refresh/Reload automatically logs out the Manager session. Clicking Back or Forward might display stale Manager screens with incorrect data or settings. We recommend that you hide the browser navigation toolbar to prevent mistakes while using the VPN 3002 Hardware Client Manager.

Recommended PC Monitor/Display Settings: For optimal use, we recommend setting your monitor or display as follows. Desktop area: 1024 x 768 pixels or greater; minimum 800 x 600 pixels. Color palette: 256 colors or higher.

Connecting to the VPN 3002 Using HTTP. When your system administration tasks and network permit a cleartext connection between the VPN 3002 and your browser, you can use the standard HTTP protocol to connect to the system. Even if you plan to use HTTPS, you use HTTP at first to install an SSL certificate in your browser.

1. Bring up the browser.

2. In
307. ue with the issuer.

A 160-bit SHA-1 hash of the complete certificate contents, shown as a 20-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate's authenticity, you can check this value with the issuer.

The date the request was initiated.

(Field: Content.) Enrollment Type: The type of enrollment: initial, re-enroll, or re-key. Enrollment Method: The method of enrollment: SCEP or manual. Enrollment Status: The current status of the enrollment: complete, rejected, error, and so on.

Back: Click Back to display the Administration | Certificate Management screen.

Administration | Certificate Management | Cancel Enrollment Request. This screen shows you the details of the enrollment request and allows you to cancel it. You can cancel only a SCEP enrollment request, and you can do so only when the request is in polling mode. Once a request is cancelled, you can then remove it, re-submit it, or view its details.

Figure 12-52 Administration | Certificate Management | Cancel Enrollment Request Screen [screen residue: Subject (CN); Issuer (CN, OU, O, L, SP, C); Public Key Type (RSA, 512 bits); Request Usage (Identity); MD5 Thumbprint
308. ure general event parameters.

[screen residue: Trap Destinations list (one SNMPv1 destination shown); Actions: Add, Modify, Delete]

Trap Destinations: The Trap Destinations list shows the SNMP network management systems that have been configured as destinations for event trap messages, and the SNMP protocol version associated with each destination. If no trap destinations have been configured, the list shows Empty.

Add / Modify / Delete: To configure a new SNMP trap destination, click Add. See Configuration | System | Events | Trap Destinations | Add. To modify an SNMP trap destination that has been configured, select the destination from the list and click Modify. See Configuration | System | Events | Trap Destinations | Modify. To remove an SNMP trap destination that has been configured, select the destination from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the list.

Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | System | Events | Trap Destinations | Add or Modify. These screens let you: Add: Configure and ad
309. vel of the event. For example, SEV=4 identifies an event of severity level 4. See Table 9-4 under Configuration | System | Events for an explanation of severity levels.

Event Class/Number: The class, or source, of the event and the internal reference number associated with the specific event within the event class. For example, HTTP/47 indicates that an administrator logged in to the VPN 3002 using HTTP to connect to the Manager. Table 9-2 under Configuration | System | Events describes the event classes. The internal reference number assists Cisco support personnel if they need to examine a log file.

Event Repeat: The number of times that this specific event has occurred since the VPN 3002 was last booted or reset. For example, RPT=17 indicates that this is the seventeenth occurrence of this specific event.

Event IP address: The IP address of the client or host associated with this event. Only certain events have this field. For tunnel-related events, this is typically the outer or tunnel endpoint address. In the Event log format example above, 10.10.1.35 is the IP address of the host (PC) from which admin logged in using the Manager.

Event String: The string, or message, that describes the specific event. Each event class comprises many possible events, and the string gives a brief description. Event strings usually do not exceed 80 characters. In the Event log format example above, New administrator login: admin describes the event.
310. via Enrollment.

Administration | Certificate Management | Install Certificate Obtained via Enrollment. Once you have enrolled a certificate, you can install it. This screen allows you to install an enrolled certificate.

Figure 12-42 Administration | Certificate Management | Install Certificate Obtained via Enrollment Screen [screen residue: Select an enrollment request to install. Enrollment Status table with columns Subject, Issuer, Date, Use, Reason, Method, Status, Actions (View, Install, Delete, Activate, Re-submit); << Go back and choose a different type of certificate]

Enrollment Status Table: For a description of the fields in this table, see the Enrollment Status Table section on page 12-35.

<< Go back and choose a different type of certificate: If you do not want to install a certificate that you have obtained via filing an enrollment request with your CA, click << Go back and choose a different type of certificate. The Manager returns to the Administration | Certificate Management | Install screen.

Administration | Certificate
311. warning. [screen residue: More Info]

11. Click OK. The VPN 3002 Hardware Client displays the HTTPS version of the Manager login screen.

Figure 1-11 VPN 3002 Hardware Client Manager Login Screen Using HTTPS (Internet Explorer) [screen: VPN 3002 Hardware Client Manager; Login, Password; Login, Clear; Copyright 1998-2001 Cisco Systems, Inc.]

The browser maintains the HTTPS state until you close it or access an unsecured site; in the latter case you might see a Security Alert screen. Proceed to Logging into the VPN 3002 Hardware Client Manager to log in as usual.

Viewing Certificates with Internet Explorer. There are (at least) two ways to examine certificates stored in Internet Explorer. First, note the padlock icon on the browser status bar in Figure 1-11. If you double-click the icon, the browser opens a Certificate Properties screen showing details of the specific certificate in use.

Figure 1-12 Internet Explorer 4.0 Certificate Properties Screen [screen residue: Certificate properties, Details: US, Massachusetts, Franklin, Cisco Systems Inc., VPN 3000 Concentrator Series, 100.200.147.2; Close]

Click any of the Field items to see Details. Click Close when finished.
312. was last updated.

Cisco IP Phone Bypass Enabled/Disabled: Indicates whether the Cisco IP Phone Bypass feature is enabled or disabled for the VPN 3002. This feature is enabled or disabled for the group on the VPN Concentrator to which the VPN 3002 belongs. For more information, see Configuration | User Management | Base Group/Groups, Hardware Client tab, for the VPN Concentrator.

Username: The username for the session.

IP Address: The IP address of the device logged in behind the VPN 3002.

MAC Address: The MAC address for the device logged in behind the VPN 3002.

Login Time: The date and time of day when the user logged in to the VPN 3002.

Duration: The length of time that the user has been logged in; the format is hh:mm:ss.

Actions: Possible actions: Ping and Logout.

Monitoring | Statistics. This section of the Manager shows statistics for traffic and activity on the VPN 3002 since it was last booted or reset, and for current tunneled sessions, plus statistics in standard MIB-II objects for interfaces, TCP/UDP, IP, ICMP, the ARP table, and SNMP. IPSec: total Phase 1 and Phase 2 tunnels, received and transmitted packets, failures, drops, etc. HTTP: total data traffic and connection statistics. Telnet: total sessions, and current session inbound and outbound traffic. DNS: total requests, response
313. Network Extension Mode

Tunnel Initiation

The VPN 3002 always initiates the tunnel to the central-site VPN Concentrator. The central-site VPN Concentrator cannot initiate a tunnel to a VPN 3002. The VPN 3002 creates only one IPSec tunnel to the central-site VPN Concentrator, in either PAT or Network Extension mode. The tunnel can support multiple encrypted data streams between users behind the VPN 3002 and the central site. With split tunneling enabled, it can also support multiple unencrypted data streams to the internet.

In PAT mode, the tunnel establishes when data passes to the VPN Concentrator or when you click Connect Now in the Monitoring | System Status screen. In Network Extension mode, the VPN 3002 automatically attempts to establish a tunnel to the VPN Concentrator.

Tunnel Initiation with Interactive Hardware Client Authentication

In either Client or Network Extension mode, when you enable interactive hardware client authentication, the tunnel establishes when you perform the following steps:

Step 1 In the VPN 3002 Hardware Client login screen, click the Connection/Login Status button. The Connection/Login screen displays.
Step 2 Click Connect Now.
Step 3 Enter the username and password for the VPN 3002. See the section "Logging In With Interactive Hardware Client and Individual User Authentication" in Chapter 1 for detailed instructions.

Alternatively, you can click Con…

Data Initiation
314. …y step through the process of enrolling and installing certificates. For more information on the certificate management process, see the "Enrolling and Installing Digital Certificates" section.

- To install a CA certificate via SCEP or manually, click on Click Here to Install a CA Certificate.

Note: The "Click here to install a CA certificate" option is only available from this window when no CA certificates are installed on the VPN 3002. If you do not see this option, click "Click here to install a certificate". The Manager displays the Administration | Certificate Management | Install screen. Then click Install CA Certificate.

- To create an SSL or identity certificate enrollment request, click on Click Here to Enroll with a Certificate Authority.
- To install the certificate obtained via enrollment, click on Click Here to Install a Certificate.

The VPN 3002 notifies you by issuing a severity 3 CERT class event if any of the installed certificates are within one month of expiration.

The Manager displays this screen each time you install a digital certificate.

Figure 12-34 Administration | Certificate Management Screen
[Screenshot: Administration | Certificate Management page with a Refresh link, the text "This section lets you view and manage certificates on the VPN 3002 Hardware Client", the links "Click here to enroll with a Certificate Authority" and "Click here to install a certificate", and a Certificate Authorities table (current: 1, maximum: 6) with the columns Subject, Issuer, Expiration, SCEP Issuer, and Actions]
315. …you keep this setting at or below level 6. Avoid setting this parameter above level 9.

If you select any severity levels to send, you must also configure the syslog server(s) on the Configuration | System | Events | Syslog Servers screens, and you should configure the Syslog Format on the Configuration | System | Events | General screen.

Severity to Trap

Click the drop-down menu button and select the range of event severity levels to send to an SNMP network management system. Event messages sent to SNMP systems are called "traps". The choices are: None, 1, 1-2, 1-3, 1-4, 1-5. The default is None; if you choose this range, no events are sent as SNMP traps.

If you select any severity levels to send, you must also configure SNMP destination system parameters on the Configuration | System | Events | Trap Destinations screens.

To configure "well-known" SNMP traps, see Table 9-4 under Severity to Trap for Configuration | System | Events | General.

Add or Apply / Cancel

To add this event class to the list of those with special handling, click Add. Or, to apply your changes to this configured event class, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Classes screen. Any new event class appears in the Configured Event Classes list.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top…
316. …ys a screen with the message "Error. An error has occurred while attempting to perform the operation." An additional error message describes the erroneous operation; see Figure A-2.

Figure A-2 Error Screen
[Screenshot: error page reading "An error has occurred while attempting to perform the operation. Password and verification do not match." with the links "Retry the operation" and "Go to main menu"]

Table A-5 Error Message Displays

Problem: You tried to perform some operation that is not allowed.
Possible cause: The screen displays a message that describes the cause.
Solution:
- Click on Retry the operation to return to the screen where you were working and correct the mistake. Carefully check all your previous entries on that screen. The Manager attempts to retain valid entries, but invalid entries are lost.
- Click on Go to main menu to go to the main Manager screen.

Not Allowed Message

The Manager displays a screen with the message "Not Allowed. You do not have sufficient authorization to access the specified page." See Figure A-3.

Figure A-3 Not Allowed Screen
[Screenshot: page reading "You do not have sufficient authorization to access the specified page." with the links "Go to the Main Menu" and "Login again"]

Table A-6 Not Allowed Message Displays

Problem | Possible cause | Soluti…
317. …ywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

To access Cisco.com, go to the following website: http://www.cisco.com

Technical Assistance Center

The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Website

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website: http…