Cisco OL-5490-01 User Manual

VPN Client User Guide for Mac OS X

Release 4.6

August 2004

Corporate Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 526-4100

Customer Order Number: Text Part Number: OL-5490-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Pac ket , PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0304R)

VPN Client User Guide for Mac OS X

About This Guide vii

Audience vii

Contents vii

Audience

About This Guide

This VPN Client User Guide describes how to install, use, and manage the Cisco VPN Client for the Macintosh operating system, Version 10.2 or later. You can manage the VPN Client for Mac OS X from the graphical user interface or from the command-line interface.

The VPN Client for Mac OS X installer program installs both the graphical user interface and the command-line version of the VPN Client.

This guide is for remote clients who want to set up virtual private network (VPN) connections to a central site. Network administrators can also use this guide for information about configuring and managing VPN connections for remote clients. You should be familiar with the Macintosh platform and know how to use Macintosh applications. Network administrators should be familiar with Macintosh system configuration and management and know how to install, configure, and manage internetworking systems.

This guide contains the following chapters:

• Chapter 1, “Understanding the VPN Client.” This chapter describes how the VPN Client software

works and lists the main features.

• Chapter 2, “Installing the VPN Client.” This chapter describes how to install the VPN Client

software application.

• Chapter 3, “Navigating the User Interface.” This chapter describes the main VPN Client window

and the tools, tabs, menus and icons for navigating the user interface.

• Chapter 4, “Configuring Connection Entries.” This chapter describes how to configure VPN Client

connection entries, including optional parameters.

• Chapter 5, “Establishing a VPN Connection.” This chapter describes how to connect to a private

network using the VPN Client, an Internet connection, and the user authentication methods supported by the VPN Client.

• Chapter 6, “Enrolling and Managing Certificates.” This chapter describes how to obtain digital

certificates to use for authentication and how to manage these certificates in the VPN Client certificate store.

OL-5490-01

VPN Client User Guide for Mac OS X

vii

Terminology

In this user guide:

• The term Cisco VPN device refers to the following Cisco products:

–

Cisco IOS devices that support Easy VPN server functionality

–

Cisco VPN 3000 Series Concentrators

–

Cisco PIX Firewall Series

• The term “PC” refers generically to any personal computer.

• The term click means click the left button on a normally-configured multi-button mouse. The term

right-click means click the right button on a normally-configured multi-button mouse. If your mouse has only one button, use Ctrl-Click to access the right-click menus.

Document Conventions

This guide uses the following typographic conventions:

• Boldface font—Describes user actions and commands.

• Italic font—Describes arguments that you supply the values for.

• Screen font—Describes terminal sessions and information displayed by the system.

• Boldface screen font—Describes information that you must enter.

viii

Notes use the following conventions:

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the

publication.

Cautions use the following conventions:

VPN Client User Guide for Mac OS X

OL-5490-01

About This Guide

Caution Means reader be careful. Cautions alert you to actions or conditions that could result in equipment

Data Formats

Obtaining Documentation

damage or loss of data.

When you configure the VPN Client, enter data in these formats unless the instructions indicate otherwise.

• IP Address—Use standard 4-byte dotted decimal notation (for example, 192.168.12.34). You can

omit leading zeros in a byte position.

• Hostnames—Use legitimate network host or end-system name notation (for example, VPN01).

Spaces are not allowed. A hostname must uniquely identify a specific system on a network. A hostname can be up to 255 characters in length.

• User names and Passwords—Text strings for user names and passwords use alphanumeric characters

in both upper- and lower-case. Most text strings are case sensitive. For example, simon and Simon would represent two different user names. The maximum length of user names and passwords is generally 32 characters, unless specified otherwise.

Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco web sites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Registered Cisco.com users can order the Documentation CD-ROM (product number DOC-CONDOCCD=) through the online Subscription Store:

OL-5490-01

http://www.cisco.com/go/subscription

VPN Client User Guide for Mac OS X

Obtaining Technical Assistance

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from

the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

• Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number

DOC-CONDOCCD=) through the online Subscription Store:

http://www.cisco.com/go/subscription

• Nonregistered Cisco.com users can order documentation through a local account representative by

calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

About This Guide

Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.

You can e-mail your comments to bug-doc@cisco.com.

You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:

Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.

Cisco.com

VPN Client User Guide for Mac OS X

Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com provides a broad range of features and services to help you with these tasks:

• Streamline business processes and improve productivity

• Resolve technical issues with online support

OL-5490-01

About This Guide

• Download and test software packages

• Order Cisco learning materials and merchandise

• Register for online skill assessment, training, and certification programs

To obtain customized information and service, you can self-register on Cisco.com at this URL:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The avenue of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.

We categorize Cisco TAC inquiries according to urgency:

• Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities,

product installation, or basic product configuration.

• Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably

impaired, but most business operations continue.

Obtaining Technical Assistance

Cisco TAC Website

You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://tools.cisco.com/RPF/register/register.do

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:

http://www.cisco.com/en/US/support/index.html

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.

• Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects

of business operations. No workaround is available.

• Priority level 1 (P1)—Your production network is down, and a critical impact to business operations

will occur if service is not restored quickly. No workaround is available.

OL-5490-01

VPN Client User Guide for Mac OS X

Obtaining Additional Publications and Information

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

• The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as

ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

About This Guide

• Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new

and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

• Pack et magazine is the Cisco monthly periodical that provides industry professionals with the latest

information about the field of networking. You can access Packet magazine at this URL:

http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html

• iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers

with the latest information about the networking industry. You can access iQ Magazine at this URL:

http://business.cisco.com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html

• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering

professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

• Training—Cisco offers world-class networking training, with current offerings in network training

listed at this URL:

http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html

xii

VPN Client User Guide for Mac OS X

OL-5490-01

CHA P TER

Understanding the VPN Client

The Cisco VPN Client for Mac OS X is a software application that runs on any Macintosh computer using operating system Version 10.2 or later. The VPN Client on a remote PC, communicating with a Cisco VPN device on an enterprise network or with a service provider, creates a secure connection over the Internet. This connection allows you to access a private network as if you were an on-site user, creating a Virtual Private Network (VPN).

The following VPN devices can terminate VPN connections from VPN Clients:

• Cisco IOS devices that support Easy VPN server functionality

• VPN 3000 Series Concentrators

• Cisco PIX Firewall Series, Version 6.2 or later

With the graphical user interface for the VPN Client for Mac OS X, you can establish a VPN connection to a private network; manage connection entries, certificates, events logging; and view tunnel routing data.

You can also manage the VPN Client for Mac OS X using the command-line interface (CLI). If you are running Darwin, or if you prefer to manage the VPN Client from the CLI, refer to the Cisco VPN Client Administration Guide.

Connection Technologies

The VPN Client lets you use any of the following technologies to connect to the Internet:

• POTS (Plain Old Telephone Service)—Uses a dial-up modem to connect.

• ISDN (Integrated Services Digital Network)—May use a dial-up modem to connect.

• Cable—Uses a cable modem; always connected.

• DSL (Digital Subscriber Line)—Uses a DSL modem; always connected.

You can also use the VPN Client on a PC with a direct LAN connection.

OL-5490-01

VPN Client User Guide for Mac OS X

1-1

VPN Client Overview

The VPN Client works with a Cisco VPN device to create a secure connection, called a tunnel, between your computer and a private network. It uses Internet Key Exchange (IKE) and Internet Protocol Security (IPSec) tunneling protocols to establish and manage the secure connection.

The steps used to establish a VPN connection can include:

• Negotiating tunnel parameters (addresses, algorithms, lifetime)

• Establishing VPN tunnels according to the parameters

• Authenticating users (from usernames, group names and passwords, and X.509 digital certificates.)

• Establishing user access rights (hours of access, connection time, allowed destinations, allowed

protocols)

• Managing security keys for encryption and decryption

• Authenticating, encrypting, and decrypting data through the tunnel

For example, to use a remote PC to read e-mail at your organization, the connection process might be similar to the following:

Chapter 1 Understanding the VPN Client

Step 1 Connect to the Internet.

Step 2 Start the VPN Client.

Step 3 Establish a secure connection through the Internet to your organization’s private network.

Step 4 When you open your e-mail

• The Cisco VPN device

–

Uses IPSec to encrypt the e-mail message

–

Transmits the message through the tunnel to your VPN Client

• The VPN Client

–

Decrypts the message so you can read it on your remote PC

–

Uses IPSec to process and return the message to the private network through the Cisco VPN device.

1-2

VPN Client User Guide for Mac OS X

OL-5490-01

Chapter 1 Understanding the VPN Client

VPN Client Features

The tables in the following sections describe the VPN Client features.

Table 1 - 1 lists the VPN Client main features.

Table 1-1 VPN Client Main Features

Features Description

Operating System Mac OS Version 10.2 or later

Connection types

Protocol IP

Tunnel protocol IPSec

User Authentication

VPN Client Features

• async serial PPP

• Internet-attached Ethernet

• DSL

Note The VPN Client for Mac OS X does not support Bluetooth

wireless technology.

• RADIUS

• RSA SecurID

Program Features

The VPN Client supports the Program features listed in Tab l e 1- 2 .

Table 1-2 Program Features

Program Feature Description

Servers Supported

Interfaces supported

Online Help Complete browser-based context-sensitive Help

Local LAN access The ability to access resources on a local LAN while connected

• VPN server internal user list

• PKI digital certificates

• NT Domain (Windows NT)

• Cisco IOS devices that support Easy VPN server functionality

• VPN 3000 Series Concentrators

• Cisco PIX Firewall Series, Version 6.2 or later

• Graphical user interface

• Command line interface

Note The online help requires MS Internet Explorer.

through a secure gateway to a central-site VPN server (if the central site grants permission).

OL-5490-01

VPN Client User Guide for Mac OS X

1-3

VPN Client Features

Chapter 1 Understanding the VPN Client

Table 1-2 Program Features (continued)

Program Feature Description

Automatic VPN Client configuration option

Event logging The VPN Client log collects events for viewing and analysis.

NAT Transparency (NAT-T) Enables the VPN Client and the VPN device to automatically detect

Update of a centrally controlled backup server list

Set MTU size The VPN Client automatically sets a size that is optimal for your

Support for Dynamic DNS (DDNS hostname population)

Notifications Software update notifications from the VPN server upon

Launching from notification Ability to launch a location site containing upgrade software from a

Alerts (Delete with reason) The VPN Client provides you with a reason code or reason text

The ability to import a configuration file.

when to use IPSec over UDP to work properly in Port Address Translation (PAT) environments.

The VPN Client learns the backup VPN server list when the connection is established. This feature is configured on the VPN device and pushed to the VPN Client. The backup servers for each connection entry are listed on the Backup Servers tab.

environment. However, you can also set the MTU size manually. For information on adjusting the MTU size, see the VPN Client Administrator Guide.

The VPN Client sends its hostname to the VPN device when the connection is established. If this occurs, the VPN device can send the hostname in a DHCP request. This causes the DNS server to update its database to include the new hostname and VPN Client address.

connection.

VPN server notification.

when a disconnect occurs. The VPN Client supports the delete with reason function for client-initiated disconnects, concentrator-initiated disconnects, and IPSec deletes.

1-4

• If you are using a GUI VPN Client, a pop-up message appears

stating the reason for the disconnect, the message is appended to the Notifications log, and is logged in the IPSec log (Log Viewer window).

• If you are using a command-line client, the message appears on

your terminal and is logged in the IPSec log.

• For IPSec deletes, which do not tear down the connection, an

event message appears in the IPSec log file, but no message pops up or appears on the terminal.

Note The VPN Concentrator you are connected to must be

running software version 4.0 or later.

Single-SA The ability to support a single security association (SA) per VPN

connection. Rather than creating a host-to-network SA pair for each split-tunneling network, this feature provides a host-to-ALL approach, creating one tunnel for all appropriate network traffic apart from whether split-tunneling is in use.

VPN Client User Guide for Mac OS X

OL-5490-01

Chapter 1 Understanding the VPN Client

Table 1-2 Program Features (continued)

Program Feature Description

Connect on open This feature lets a user connect to the default user profile when starting

VPN Client API VPN Client provides an application programming interface for

Authentication Features

The VPN Client supports the authentication features listed in Tab l e 1-3.

Table 1-3 Authentication Features

Authentication Feature Description

User authentication through VPN central-site device

VPN Client Features

the VPN Client. You can enable this feature on the Preferences menu under the VPN Client tab.

performing VPN Client tasks without using the command-line or graphical interfaces that Cisco provides. This API comes with a user guide for programmers, which is in a format that can be edited.

• Internal through the VPN device’s database

• RADIUS (Remote Authentication Dial-In User Service)

IPSec Features

• NT Domain (Windows NT)

• RSA (formerly SDI) SecurID or SoftID

Certificate Management Allows you to manage the certificates in the certificate stores.

Certificate Authorities (CAs) CAs that support PKI SCEP enrollment.

Peer Certificate Distinguished Name Verification

Prevents a VPN Client from connecting to an invalid gateway by using a stolen but valid certificate and a hijacked IP address. If the attempt to verify the domain name of the peer certificate fails, the VPN Client connection also fails.

The VPN Client supports the IPSec features listed in Tab le 1 -4

Ta b le 1- 4 I P S ec F e a t u r e s

IPSec Feature Description

Tunnel Protocol IPSec

Transparent tunneling

• IPSec over UDP for NAT and PAT

• IPSec over TCP for NAT and PAT

Key Management protocol Internet Key Exchange (IKE)

IKE Keepalives A tool for monitoring the continued presence of a peer and report

the VPN Client’s continued presence to the peer. This lets the VPN Client notify you when the peer is no longer present. Another type of keepalives keeps NAT ports alive.

OL-5490-01

VPN Client User Guide for Mac OS X

1-5

VPN Client Features

Chapter 1 Understanding the VPN Client

Table 1-4 IPSec Features (continued)

IPSec Feature Description

Split tunneling The ability to simultaneously direct packets over the Internet in

clear text and encrypted through an IPSec tunnel. The VPN device supplies a list of networks to the VPN Client for tunneled traffic. You enable split tunneling on the VPN Client and configure the network list on the VPN device.

Support for Split DNS The ability to direct DNS packets in clear text over the Internet to

domains served through an external DNS (serving your ISP) or through an IPSec tunnel to domains served by the corporate DNS. The VPN server supplies a list of domains to the VPN Client for tunneling packets to destinations in the private network. For example, a query for a packet destined for corporate.com would go through the tunnel to the DNS that serves the private network, while a query for a packet destined for myfavoritesearch.com would be handled by the ISP's DNS. This feature is configured on the VPN server (VPN Concentrator) and enabled on the VPN Client by default. To use Split DNS, you must also have split tunneling configured.

VPN Client IPSec Attributes

The VPN Client supports the IPSec attributes listed in Ta ble 1 -5.

Table 1-5 IPSec Attributes

IPSec Attribute Description

Main Mode and Aggressive Mode

Authentication algorithms

Authentication Modes

Diffie-Hellman Groups

Ways to negotiate phase one of establishing ISAKMP Security Associations (SAs)

• HMAC (Hashed Message Authentication Coding) with MD5

(Message Digest 5) hash function

• HMAC with SHA-1 (Secure Hash Algorithm) hash function

• Preshared Keys

• Mutual Group Authentication

• X.509 Digital Certificates

• Group 1 = 768-bit prime modulus

• Group 2 = 1024-bit prime modulus

• Group 5 = 1536 prime modulus

Note See the Cisco VPN Client Administrator Guide for more

information about DH Group 5.

1-6

Encryption algorithms

VPN Client User Guide for Mac OS X

• 56-bit DES (Data Encryption Standard)

• 168-bit Triple-DES

• AES 128-bit and 256-bit

OL-5490-01

Chapter 1 Understanding the VPN Client

Table 1-5 IPSec Attributes (continued)

IPSec Attribute Description

Extended Authentication (XAUTH)

Mode Configuration Also known as ISAKMP Configuration Method

Tunnel Encapsulation Modes

IP compression (IPCOMP) using LZS

VPN Client Features

The capability of authenticating a user within IKE. This authentication is in addition to the normal IKE phase 1 authentication, where the IPSec devices authenticate each other. The extended authentication exchange within IKE does not replace the existing IKE authentication.

• IPSec over UDP (NAT/PAT)

• IPSec over TCP (NAT/PAT)

Data compression algorithm

OL-5490-01

VPN Client User Guide for Mac OS X

1-7

VPN Client Features

Chapter 1 Understanding the VPN Client

1-8

VPN Client User Guide for Mac OS X

OL-5490-01

Installing the VPN Client

This chapter describes how to install the VPN Client for Mac OS X.

Verifying System Requirements

The VPN Client for Mac OS X runs on any Power Macintosh or compatible computer with the Macintosh operating system Versions 10.2 or later and 30 MB of hard disk space.

Mac OS X VPN Clients support only single interface FastEthernet network adapters. This VPN Client does not support any multiport adapters.

Gathering Information You Need

CHA P TER

To configure and use the VPN Client, you might need the following information.

You can normally obtain this information from the system administrator of the private network you want to access. The system administrator might have preconfigured much of this data.

• Hostname or IP address of the secure gateway you are connecting to

• Your IPSec Group Name (for preshared keys)

• Your IPSec Group Password (for preshared keys)

• If authenticating with a digital certificate, the name of the certificate

• If authenticating through one of the following methods, your username and password

–

The secure gateway’s internal server

–

A RADIUS server

–

An NT Domain server

• If authenticating through a token vendor, your username and PIN

• If you are configuring backup server connections, the hostnames or IP addresses of the backup

servers

OL-5490-01

VPN Client User Guide for Mac OS X

2-1

Obtaining the VPN Client Software

The VPN Client software is available from the Cisco website and comes as a disk image file (vpnclient-<version>-GUI.k9.dmg). Only system administrators can obtain and distribute the VPN Client software.

To obtain the installer:

Step 1 Copy or download the image file to your Desktop.

Step 2 Double-click to extract the VPN Client installer to your Desktop.

Step 3 The image file remains on the Desktop.

Preconfiguring the VPN Client

This section describes how to distribute preconfigured configuration files (user profiles) and GUI preference files to the VPN Client installer.

Chapter 2 Installing the VPN Client

• To distribute custom user profiles to the installer program, place the files in the Profiles folder of the

VPN Client installer.

• To distribute custom images, place the files in the Resources folder of the VPN Client installer.

• To distribute custom global profiles, place the vpnclient.ini in the VPN Client installer directory.

Note Refer to the Cisco VPN Client Administrator Guide for information on creating user profiles, global

profiles, and the complete list of file parameters, keywords, and values.

To access the installer directory

Step 1 Double-click the vpnclient installer icon. (Figure 2-1).

Figure 2-1 Installer Icon

Alternately, you can right-click (control-click) the VPN Client installer icon and choose Open from the menu.

2-2

Figure 2-2 shows the vpnclient installer directory. This directory contains the installer package and any

preconfigured files in the Profiles and Resources folders.

VPN Client User Guide for Mac OS X

OL-5490-01

Chapter 2 Installing the VPN Client

Figure 2-2 VPN Client Installer Directory

Preconfiguring the User Profile

Preconfiguring the VPN Client

The VPN Client uses parameters that must be uniquely configured for each remote user of the private network. Together these parameters make up a user profile, which is contained in a profile configuration file (.pcf file).

To distribute preconfigured profiles, copy the configuration files (.pcf files) into the Profiles folder in the vpnclient installer directory.

Any file with a .pcf extension found in this folder is placed in the Profiles directory when the VPN Client is installed.

Preconfiguring the Global Profile

A global profile sets rules for all remote users; it contains parameters for the VPN Client as a whole. The name of the global profile file is vpnclient.ini.

The vpnclient.ini file controls the following features:

• Control of logging services by class

• Certificate enrollment

• Missing group warning message

• VPN Client GUI preferences, such as window locations and sizes

If you do not preconfigure a global profile, the vpnclient.ini file is populated with default settings. Each time you make changes, the vpnclient.ini file is updated and stored.

OL-5490-01

VPN Client User Guide for Mac OS X

2-3

Chapter 2 Installing the VPN Client

Bundling a Root Certificate with the Installation Package for Darwin

To use mutual authentication, the VPN Client computer must have a root certificate installed. You can bundle a root certificate with the installation package so that the root certificate is installed automatically. The following steps place a root certificate with the installation package. The root certificate is contained in a file. The name of the file must be rootcert with no extension.

Step 1 In the GUI, double-click vpnclient-darwin-<version>-K9.dmg or using the CLI, open

vpnclient-darwin-<version>-K9.dmg.

Step 2 In the GUI, drag and drop the root certificate into the CiscoVPNClient folder on the desktop, making

sure the file is renamed to rootcert or using the CLI, enter the following command.

cp -f <path_to_root_cert>/<root_cert_filename> /Volumes/CiscoVPNClient

Step 3 In the GUI, press <Apple>-E while focusing on the CiscoVPNClient folder or using the CLI, enter the

following command.

umount /Volumes/CiscoVPNClient

Installing the VPN Client

The following sections describe how to install the VPN Client software. The VPN Client for Mac OS X installer program installs, by default, both the graphical user interface and the command-line version of the VPN Client. However, you are not required to install the GUI. See the “Choosing the Installation

Type” section on page 2-8 for more information.

Note We recommend that you uninstall any previous version of the VPN Client for Mac OS X before you

install a new version. For more information, see “Uninstalling the VPN Client” section on page 2-12.

Authentication

Before you can start the installation process, you must show that you have installation privileges.

Step 1 Open the installer package by double-clicking the Cisco VPN Client.mpkg file that resides in the

installer directory. (See Figure 2-2).

The Authorization window appears (Figure 2-3). You must have an administrator password to install the VPN Client application.

2-4

VPN Client User Guide for Mac OS X

OL-5490-01

Chapter 2 Installing the VPN Client

Figure 2-3 Authorization Window

Installing the VPN Client

Step 2

Step 3

Step 4 Click OK.

Click the lock to authenticate your password. The Authenticate dialog box appears (Figure 2-4).

Figure 2-4 Authenticate Dialog Box

Enter your administrator username and a password or challenge phrase.

If the authentication is successful, continue to the installation process. Contact your network administrator if you cannot authenticate for installation.

OL-5490-01

VPN Client User Guide for Mac OS X

2-5

Installing the VPN Client

VPN Client Installation Process

You must complete all steps in the VPN Client installation process before you can use the VPN Client software.

At any time during the installation process, you can go back to a previous step and adjust your selections.

The installation process includes the following steps:

• Introduction, page 2-6

• Accepting the License Agreement, page 2-7

• Selecting the Application Destination, page 2-7

• Choosing the Installation Type, page 2-8

Introduction

The first window that appears during installation is the introduction. The right pane of the Introduction window (Figure 2-5) lists system requirements. The left pane displays each of the installation steps. As you complete each step, it is highlighted with a blue bullet.

Chapter 2 Installing the VPN Client

Figure 2-5 Cisco VPN Client—Introduction Window

Click Continue.

2-6

VPN Client User Guide for Mac OS X

OL-5490-01

Chapter 2 Installing the VPN Client

Accepting the License Agreement

You are required to read and accept the Cisco software license agreement before you can continue with the installation process (See Figure 2-6).

Figure 2-6 Cisco Licence Agreement

Installing the VPN Client

Before you accept the license agreement, you can:

• Print the license agreement.

• Save the license agreement to a file.

• Go Back to the Introduction window.

• Continue and agree to the terms in the license agreement.

When you have completely read the Cisco VPN Client software license agreement, click Continue.

To continue with the installation, click Agree.

Selecting the Application Destination

If your workstation has more than one disk drive, you can select the destination volume to install the VPN Client on your workstation. Figure 2-7 shows the Select Destination window.

OL-5490-01

VPN Client User Guide for Mac OS X

2-7

Installing the VPN Client

Chapter 2 Installing the VPN Client

Figure 2-7 Select Destination Window

Click Continue. The VPN Client is installed in the Applications directory.

Choosing the Installation Type

The default installation process installs the following packages with the VPN Client application:

• VPN Client application binaries (includes everything in the directory /usr/local/bin, including the

ipseclog).

• VPN Client graphical user interface.

• VPN Client kernel extension

• VPN Client profiles (includes the global profile, vpnclient.ini, and any user profiles, *.pcf files).

• VPN startup (the system startup script to automatically start the client at boot time).

The VPN Client application binaries and the VPN Client kernel extension must be part of your installation. However, installing the other three packages is optional.

To install all packages, click Install on the Easy Install window (Figure 2-8).

2-8

VPN Client User Guide for Mac OS X

OL-5490-01

+ 64 hidden pages

Cisco OL-5490-01 User Manual

CONTENTS

Audience

Contents

Related Documentation

Terminology

Document Conventions

Data Formats

Obtaining Documentation

Cisco.com

Documentation CD-ROM

Obtaining Technical Assistance

Ordering Documentation

Documentation Feedback

Cisco.com

Technical Assistance Center

Cisco TAC Website

Obtaining Additional Publications and Information

Cisco TAC Escalation Center

Understanding the VPN Client

Connection Technologies

VPN Client Overview

VPN Client Features

Program Features

Authentication Features

IPSec Features

VPN Client IPSec Attributes

Installing the VPN Client

Verifying System Requirements

Gathering Information You Need

Obtaining the VPN Client Software

Preconfiguring the VPN Client

Preconfiguring the User Profile

Preconfiguring the Global Profile

Bundling a Root Certificate with the Installation Package for Darwin

Installing the VPN Client

Authentication

VPN Client Installation Process

Introduction

Accepting the License Agreement

Selecting the Application Destination

Choosing the Installation Type