Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-1893-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
AccessPath, AtmDirector, Browse with Me, CCIP, CCSI, CD-PAC, CiscoLink, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Fast Step, Follow Me Browsing, FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, PIX, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0106R)
CONTENTS
VPN 3002 Hardware Client Browser Requirements 1-1
Connecting to the VPN 3002 Using HTTP 1-2
Installing the SSL Certificate in Your Browser 1-3
Connecting to the VPN 3002 Using HTTPS 1-16
Configuring HTTP, HTTPS, and SSL Parameters 1-16
Logging into the VPN 3002 Hardware Client Manager 1-17
Interactive Hardware Client and Individual User Authentication 1-19
Logging In With Interactive Hardware Client and Individual User Authentication 1-19
Understanding the VPN 3002 Hardware Client Manager Window 1-23
Organization of the VPN 3002 Hardware Client Manager 1-27
Navigating the VPN 3002 Hardware Client Manager 1-28
VPN 3000 Series Concentrator Reference Volume I: Configuration
78-13782-01
Servers 5-1
Configuration | System | Servers 5-1
Configuration | System | Servers | DNS 5-1
Tunneling 6-1
Configuration | System | Tunneling Protocols 6-2
Configuration | System | Tunneling Protocols | IPSec 6-2
IP Routing 7-1
Configuration | System | IP Routing 7-1
Configuration | System | IP Routing | Static Routes 7-2
Configuration | System | IP Routing | Static Routes | Add or Modify 7-3
Configuration | System | IP Routing | Default Gateways 7-4
Configuration | System | IP Routing | DHCP 7-6
Configuration | System | IP Routing | DHCP Options 7-7
Configuration | System | IP Routing | DHCP Options | Add or Modify 7-8
Management Protocols 8-1
Configuration | System | Management Protocols 8-1
Configuration | System | Management Protocols | HTTP/HTTPS 8-2
Configuration | System | Management Protocols | Telnet 8-4
Configuration | System | Management Protocols | SNMP 8-6
Configuration | System | Management Protocols | SNMP Communities 8-7
Configuration | System | Management Protocols | SSL 8-10
Configuration | System | Management Protocols | SSH 8-13
Configuration | System | Management Protocols | XML 8-16
Events 9-1
Event Class 9-1
Event Severity Level 9-3
Event Log 9-4
Configuration | System | Events 9-5
Configuration | System | Events | General 9-5
Configuration | System | Events | Classes 9-8
Configuration | System | Events | Classes | Add or Modify 9-10
Configuration | System | Events | Trap Destinations 9-12
Configuration | System | Events | Trap Destinations | Add or Modify
Configuration | System | Events | Syslog Servers 9-14
Configuration | System | Events | Syslog Servers | Add or Modify 9-16
General 10-1
Configuration | System | General 10-1
Configuration | System | General | Identification 10-2
Configuration | System | General | Time and Date 10-3
Accessing the Command-line Interface 14-1
Starting the Command-line Interface 14-2
Using the Command-line Interface 14-3
Menu Reference 14-7
Troubleshooting and System Errors A-1
Files for Troubleshooting A-1
LED Indicators A-2
System Errors A-3
Settings on the VPN Concentrator A-4
VPN 3002 Hardware Client Manager Errors A-5
Command-line Interface Errors A-10
INDEX
Preface
The VPN 3002 Hardware Client Reference provides guidelines for configuring the Cisco VPN 3002, details on all the functions available in the VPN 3002 Hardware Client Manager, and instructions for using the VPN 3002 Command Line Interface.
Prerequisites
We assume you have read the VPN 3002 Hardware Client Getting Started manual and have followed the minimal configuration steps in Quick Configuration. That section of the VPN Hardware Client Manager is not described here.
We also assume you are an experienced system administrator or network administrator with appropriate education and training, who knows how to install, configure, and manage internetworking systems. However, virtual private networks and VPN devices might be new to you. You should be familiar with Windows system configuration and management, and you should be familiar with Microsoft Internet Explorer or Netscape Navigator or Communicator browsers.
Organization
This manual is organized by the order in which sections appear in the VPN 3002 Hardware Client Manager table of contents (the left frame of the Manager browser window; see Figure 1-35 in Chapter 1, "Using the VPN 3002 Hardware Client Manager").
Chapter / Title / Description
Chapter 1, Using the VPN 3002 Hardware Client Manager: Explains how to log in, navigate, and use the VPN 3002 Hardware Client Manager with a browser. It explains both HTTP and HTTPS browser connections, and how to install the SSL certificate for a secure (HTTPS) connection.
Chapter 2, Configuration: Describes the main VPN 3002 Hardware Client Manager configuration screen.
Chapter 3, Interfaces: Explains how to configure the VPN 3002 private and public interfaces.
Chapter 4, System Configuration: Describes the system configuration screen of the VPN 3002 Hardware Client Manager.
Chapter 5, Servers: Explains how to configure the VPN 3002 to communicate with DNS servers to convert hostnames to IP addresses.
Chapter 6, Tunneling: Explains how to configure IPSec.
Chapter 7, IP Routing: Explains how to configure static routes, default gateways, and DHCP parameters and options.
Chapter 8, Management Protocols: Explains how to configure built-in VPN 3002 servers that provide management functions: HTTP and HTTPS, Telnet, SNMP, SNMP Community Strings, SSL and SSH.
Chapter 9, Events: Explains how to configure system events such as task completion, or status changes.
Chapter 10, General: Explains how to configure the system identification, date, and time.
Chapter 11, Policy Management: Explains how to configure and use PAT and Network Extension modes.
Chapter 12, Administration: Explains how to configure and use high-level VPN 3002 administrator activities such as who is allowed to configure the system, what software runs on it, rebooting and shutting down the system, managing its configuration files, and managing X.509 digital certificates.
Chapter 13, Monitoring: Explains the many status, statistics, sessions, and event log screens that you can use to monitor the VPN 3002.
Chapter 14, Using the Command-Line Interface: Explains how to use the built-in menu- and command-line-based administrative management system via the system console or a Telnet session. With the CLI, you can access and configure all the same parameters as you can using the HTML-based VPN 3002 Hardware Client Manager.
Appendix A, Troubleshooting and System Errors: Describes common errors that may occur while configuring the system, and how to correct them. It also describes all system and module LED indicators.
Appendix B, Copyrights, Licenses and Notices: Provides copyright licenses and notices.
OL-1893-01
VPN 3002 Hardware Client Reference
Related Documentation
Refer to the following documents for further information about Cisco VPN 3000 Series applications and
products.
VPN 3002 Hardware Client Documentation
The VPN 3002 Hardware Client Getting Started manual provides information to take you from unpacking and installing the VPN 3002, through configuring the minimal parameters to make it operational (called Quick Configuration). This manual is online only.
The VPN 3002 Hardware Client Quick Start Card summarizes the information for quick configuration. This quick reference card is provided with the VPN 3002 and is also available online.
The VPN 3002 Hardware Client Basic Information sticky label summarizes information for quick configuration. It is provided with the VPN 3002 and you can also print it from the online version; you can affix the label to the VPN 3002.
The HTML interface, called the VPN 3002 Hardware Client Manager, includes online help that you can access by clicking the Help icon on the toolbar in the Manager window.
VPN 3000 Series Concentrator Documentation
The VPN 3000 Series Concentrator Reference Volume I: Configuration explains how to start and use the VPN Concentrator Manager. It details the Configuration screens and explains how to configure your device beyond the minimal parameters you set during quick configuration.
The VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring provides guidelines for administering and monitoring the VPN Concentrator. It explains and defines all functions available in the Administration and Monitoring screens of the VPN Concentrator Manager. Appendixes to this manual provide troubleshooting guidance and explain how to access and use the alternate command-line interface.
The VPN Concentrator Manager also includes online help that you can access by clicking the Help icon on the toolbar in the Manager window.
VPN Client Documentation
The VPN Client User Guide explains how to install, configure, and use the VPN Client, which lets a remote client use the IPSec tunneling protocol for secure connection to a private network through the VPN Concentrator.
The VPN Client Administrator Guide tells how to configure a VPN 3000 Concentrator for remote user connections using the VPN Client, how to automate remote user profiles, how to use the VPN Client command-line interface, and how to get troubleshooting information.
Documentation on VPN Software Distribution CDs
The VPN 3000 Series Concentrator and VPN 3002 Hardware Client documentation are provided on the VPN 3000 Concentrator software distribution CD-ROM in PDF format. The VPN Client documentation is included on the VPN Client software distribution CD-ROM, also in PDF format. To view the latest versions on the Cisco web site, click the Support icon on the toolbar at the top of the VPN Concentrator Manager, Hardware Client Manager, or Client window. To open the documentation, you need Acrobat Reader 3.0 or later; version 4.5 is included on the Cisco VPN 3000 Concentrator software distribution CD-ROM and on the VPN Client software distribution CD-ROM.
Other References
Other useful references include:
• Cisco Systems, Dictionary of Internetworking Terms and Acronyms. Cisco Press: 2001.
• Virtual Private Networking: An Overview. Microsoft Corporation: 1999. (Available from Microsoft website.)
• www.ietf.org for Internet Engineering Task Force (IETF) Working Group drafts on IP Security Protocol (IPSec).
• www.whatis.com, a web reference site with definitions for computer, networking, and data communication terms.
Documentation conventions
This document uses the following conventions:
Convention / Description
boldface font: Commands and keywords are in boldface.
italic font: Arguments for which you supply values are in italics.
screen font: Terminal sessions and information the system displays are in screen font.
boldface screen font: Information you must enter is in boldface screen font.
^: The symbol ^ represents the key labeled Control. For example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
Notes use the following conventions:
Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.
Cautions use the following conventions:
Caution: Means reader be careful. Cautions alert you to actions or conditions that could result in equipment damage or loss of data.
Data Formats
As you configure and manage the system, enter data in the following formats unless the instructions indicate otherwise:
Type of Data / Format
IP Addresses: IP addresses use 4-byte dotted decimal notation (for example, 192.168.12.34); as the example indicates, you can omit leading zeros in a byte position.
Subnet Masks and Wildcard Masks: Subnet masks use 4-byte dotted decimal notation (for example, 255.255.255.0). Wildcard masks use the same notation (for example, 0.0.0.255); as the example illustrates, you can omit leading zeros in a byte position.
MAC Addresses: MAC addresses use 6-byte hexadecimal notation (for example, 00.10.5A.1F.4F.07).
Hostnames: Hostnames use legitimate network hostname or end-system name notation (for example, VPN01). Spaces are not allowed. A hostname must uniquely identify a specific system on a network.
Text Strings: Text strings use upper- and lower-case alphanumeric characters. Most text strings are case-sensitive (for example, simon and Simon represent different usernames). In most cases, the maximum length of text strings is 48 characters.
Filenames: File names on the VPN 3002 follow the DOS 8.3 naming convention: a maximum of eight characters for the name, plus a maximum of three characters for an extension. For example, LOG00007.TXT is a legitimate filename. The VPN 3002 always stores filenames in uppercase.
Port Numbers: Port numbers use decimal numbers from 0 to 65535. Commas and spaces are not permitted.
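The entry formats in this table are easy to mistype, and a malformed mask or port silently produces a policy other than the one intended. The following is an added example, written for this page and not part of Cisco's documentation or the VPN 3002 firmware, that validates each type of entry as the table describes it; the RFC 1123 label syntax for hostnames, the underscore allowed in filenames, and the reading of a wildcard mask as the inverse of a subnet mask are assumptions beyond what the table states.

```python
import re
from typing import List, Optional

# Added example: validators for the Data Formats table. Sample inputs are
# constructed; nothing here is VPN 3002 firmware code.

_DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
# 6-byte hexadecimal notation with dot separators, as in 00.10.5A.1F.4F.07
_MAC = re.compile(r"^(?:[0-9A-Fa-f]{2}\.){5}[0-9A-Fa-f]{2}$")
# Assumption: "legitimate hostname notation" is read as RFC 1123 label syntax
_HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# DOS 8.3: up to 8 name characters plus an optional extension of up to 3
_DOS_83 = re.compile(r"^[A-Z0-9_]{1,8}(?:\.[A-Z0-9_]{1,3})?$")


def _octets(value: str) -> Optional[List[int]]:
    """Parse 4-byte dotted decimal; leading zeros in a byte may be present or omitted."""
    m = _DOTTED_QUAD.match(value)
    if m is None:
        return None
    octets = [int(g) for g in m.groups()]
    return octets if all(o <= 255 for o in octets) else None


def is_ip_address(value: str) -> bool:
    return _octets(value) is not None


def _contiguous(octets: List[int], ones_first: bool) -> bool:
    """True when the 32-bit value is a run of ones then zeros (or zeros then ones)."""
    bits = 0
    for o in octets:
        bits = (bits << 8) | o
    if ones_first:                      # subnet mask: invert to zeros-then-ones form
        bits = ~bits & 0xFFFFFFFF
    return (bits & (bits + 1)) == 0     # zeros-then-ones means bits == 2**k - 1


def is_subnet_mask(value: str) -> bool:
    octets = _octets(value)
    return octets is not None and _contiguous(octets, ones_first=True)


def is_wildcard_mask(value: str) -> bool:
    # Assumption: a wildcard mask is the inverse of a subnet mask (zeros then
    # ones); the table itself only fixes the dotted decimal notation.
    octets = _octets(value)
    return octets is not None and _contiguous(octets, ones_first=False)


def is_mac_address(value: str) -> bool:
    return _MAC.match(value) is not None


def is_hostname(value: str) -> bool:
    # No spaces, no empty labels, total length within the DNS limit
    if not value or len(value) > 253:
        return False
    return all(_HOST_LABEL.match(label) for label in value.split("."))


def is_text_string(value: str, max_len: int = 48) -> bool:
    # Upper- and lower-case ASCII alphanumerics only; comparison stays case-sensitive
    return 0 < len(value) <= max_len and value.isascii() and value.isalnum()


def normalize_filename(value: str) -> Optional[str]:
    """Return the name as the VPN 3002 stores it (uppercase), or None if not 8.3."""
    upper = value.upper()
    return upper if _DOS_83.match(upper) else None


def is_port_number(value: str) -> bool:
    # Decimal 0..65535; the pattern rejects commas, spaces and signs outright
    return re.fullmatch(r"\d{1,5}", value) is not None and int(value) <= 65535


VALIDATORS = {
    "IP Address": is_ip_address,
    "Subnet Mask": is_subnet_mask,
    "Wildcard Mask": is_wildcard_mask,
    "MAC Address": is_mac_address,
    "Hostname": is_hostname,
    "Text String": is_text_string,
    "Filename": lambda v: normalize_filename(v) is not None,
    "Port Number": is_port_number,
}


def validate(kind: str, value: str) -> bool:
    """True if value is acceptable for the named row of the Data Formats table."""
    return VALIDATORS[kind](value)


if __name__ == "__main__":
    # Constructed sample entries: the table's own examples plus near-misses
    samples = [
        ("IP Address", "192.168.12.34"), ("IP Address", "256.1.1.1"),
        ("Subnet Mask", "255.255.255.0"), ("Subnet Mask", "255.0.255.0"),
        ("Wildcard Mask", "0.0.0.255"), ("MAC Address", "00.10.5A.1F.4F.07"),
        ("Hostname", "VPN01"), ("Hostname", "VPN 01"),
        ("Filename", "log00007.txt"), ("Port Number", "6,553"),
    ]
    for kind, value in samples:
        print(f"{kind:14} {value!r:22} -> {'ok' if validate(kind, value) else 'REJECT'}")
```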
Obtaining Documentation
The following sections provide sources for obtaining documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following sites:
• http://www.cisco.com
• http://www-china.cisco.com
• http://www-europe.cisco.com
Documentation CD-ROM
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Ordering documentation
Cisco documentation is available in the following ways:
• Registered Cisco Direct Customers can order Cisco Product documentation from the Networking
• Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store: http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS (6387).
Documentation feedback
If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:
Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining technical assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and
services. Registered users can order products, check on the status of an order, access technical support,
and view benefits specific to their relationships with Cisco.
To access Cisco.com, go to the following website:
http://www.cisco.com
Technical Assistance Center
The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.
Contacting TAC by using the Cisco TAC website
If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website:
http://www.cisco.com/tac
P3 and P4 level problems are defined as follows:
• P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
• P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.
In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.
To register for Cisco.com, go to the following website:
http://www.cisco.com/register/
If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users
can open a case online by using the TAC Case Open tool at the following website:
http://www.cisco.com/tac/caseopen
Contacting TAC by telephone
If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
P1 and P2 level problems are defined as follows:
• P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available.
• P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.
CHAPTER 1
Using the VPN 3002 Hardware Client Manager
The VPN 3002 Hardware Client Manager is an HTML-based interface that lets you configure, administer, monitor, and manage the VPN 3002 with a standard web browser. To use it, you connect to the VPN 3002, using a PC and browser on the same private network with the VPN 3002.
The Manager uses the standard web client / server protocol, HTTP (Hypertext Transfer Protocol), which is a cleartext protocol. However, you can also use the Manager in a secure, encrypted HTTP connection over SSL (Secure Sockets Layer) protocol, known as HTTPS.
• To use a cleartext HTTP connection, see the section, "Connecting to the VPN 3002 Using HTTP."
• To use HTTP over SSL (HTTPS) with the Manager:
– The first time, connect to the Manager using HTTP, and
– Install an SSL certificate in the browser; see "Installing the SSL Certificate in Your Browser."
When the SSL certificate is installed, you can connect directly using HTTPS; see "Connecting to the VPN 3002 Using HTTPS."
VPN 3002 Hardware Client Browser Requirements
The VPN 3002 Hardware Client Manager requires either Microsoft Internet Explorer version 4.0 or higher, or Netscape Navigator version 4.5–4.7. For best results, we recommend Internet Explorer. Whatever browser and version you use, install the latest patches and service packs for it.
Note: You cannot use the Live Event Log feature with Netscape Navigator version 4.0.
JavaScript and Cookies
Be sure JavaScript and Cookies are enabled in the browser. Refer to the documentation for your browser for instructions.
Navigation Toolbar
Do not use the browser navigation toolbar buttons Back, Forward, or Refresh/Reload with the VPN 3002 Hardware Client Manager unless instructed to do so. To protect access security, clicking Refresh/Reload automatically logs out the Manager session. Clicking Back or Forward might display stale Manager screens with incorrect data or settings.
We recommend that you hide the browser navigation toolbar to prevent mistakes while using the VPN 3002 Hardware Client Manager.
Recommended PC Monitor/Display Settings
For optimal use, we recommend setting your monitor or display:
• Desktop area = 1024 x 768 pixels or greater. Minimum = 800 x 600 pixels.
• Color palette = 256 colors or higher.
Connecting to the VPN 3002 Using HTTP
When your system administration tasks and network permit a cleartext connection between the VPN 3002 and your browser, you can use the standard HTTP protocol to connect to the system.
Even if you plan to use HTTPS, you use HTTP at first to install an SSL certificate in your browser.
1. Bring up the browser.
2. In the browser Address or Location field, you can just enter the VPN 3002 private interface IP address; for example, 10.10.147.2. The browser automatically assumes and supplies an http:// prefix.
The browser displays the VPN 3002 Hardware Client Manager login screen.
To continue using HTTP for the whole session, skip to "Logging into the VPN 3002 Hardware Client Manager."
Installing the SSL Certificate in Your Browser
The Manager provides the option of using HTTP over SSL with the browser. SSL creates a secure session between your browser (VPN 3002 hardware client) and the VPN Concentrator (server). This protocol is known as HTTPS, and uses the https:// prefix to connect to the server. The browser first authenticates the server, then encrypts all data passed during the session.
HTTPS is often confused with a similar protocol, S-HTTP (Secure HTTP), which encrypts only HTTP application-level data. SSL encrypts all data between client and server at the IP socket level, and is thus more secure.
SSL uses digital certificates for authentication. The VPN 3002 creates a self-signed SSL server certificate when it boots, and this certificate must be installed in the browser. Once the certificate is installed, you can connect using HTTPS. You need to install the certificate from a given VPN 3002 only once.
Managing the VPN 3002 is the same with or without SSL. Manager screens might take slightly longer to load with SSL because of encryption/decryption processing. When connected via SSL, the browser shows a locked-padlock icon on its status bar. Both Microsoft Internet Explorer and Netscape Navigator support SSL.
For HTTPS to work on the public interface, you must enable HTTPS on the VPN 3002 through the command-line interface or from an HTTP session on the private interface first.
Follow these steps to install and use the SSL certificate for the first time. We provide separate instructions for Internet Explorer and Netscape Navigator when they diverge.
Step 1 Connect to the VPN 3002 using HTTP as above.
Step 2 On the login screen, click the Install SSL Certificate link.
The Manager displays the Install SSL Certificate screen and automatically begins to download and install its SSL certificate in your browser.
Figure 1-2 Install SSL Certificate Screen
The installation sequence now differs depending on the browser. Continue below for Internet Explorer, or skip to "Installing the SSL Certificate with Netscape."
Installing the SSL certificate with Internet Explorer
This section describes SSL certificate installation using Microsoft Internet Explorer 5.0. (With Internet Explorer 4.0, some dialog boxes are different but the process is similar.)
You need to install the SSL certificate from a given VPN 3002 only once. If you do reinstall it, the browser repeats all these steps each time.
A few seconds after the VPN 3002 Hardware Client Manager SSL screen appears, Internet Explorer displays a File Download dialog box that identifies the certificate filename and source, and asks whether to Open or Save the certificate. To immediately install the certificate in the browser, select Open. If you Save the file, the browser prompts for a location; you must then double-click the file to install it.
Figure 1-3 Internet Explorer File Download Dialog Box
3. Click the Open this file from its current location radio button, then click OK.
The browser displays the Certificate dialog box with information about the certificate. You must now install the certificate.
Figure 1-4 Internet Explorer Certificate Dialog Box
4. Click Install Certificate.
The browser starts a wizard to install the certificate. The certificate store is where such certificates are stored in Internet Explorer.
Figure 1-5 Internet Explorer Certificate Manager Import Wizard Dialog Box
5. Click Next to continue.
The wizard opens the next dialog box asking you to select a certificate store.
Figure 1-6 Internet Explorer Certificate Manager Import Wizard Dialog Box
6. Let the wizard Automatically select the certificate store, and click Next.
The wizard opens a dialog box to complete the installation.
Figure 1-7 Internet Explorer Certificate Manager Import Wizard Dialog Box
7. Click Finish.
The wizard opens the Root Certificate Store dialog box asking you to confirm the installation.
Figure 1-8 Internet Explorer Root Certificate Store Dialog Box
8. To install the certificate, click Yes. This dialog box closes, and a final wizard confirmation dialog box opens.
Figure 1-9 Internet Explorer Certificate Manager Import Wizard Final Dialog Box
9. Click OK to close this dialog box, and click OK on the Certificate dialog box (Figure 1-4) to close it.
You can now connect to the VPN 3002 using HTTP over SSL (HTTPS).
10. On the Manager SSL screen (Figure 1-2), click the link that says After installing the SSL certificate, click here to connect to the VPN 3002 Hardware Client using SSL.
Depending on how your browser is configured, you might see a Security Alert dialog box.
Figure 1-10 Internet Explorer Security Alert Dialog Box
11. Click OK.
The VPN 3002 Hardware Client displays the HTTPS version of the Manager login screen.
The browser maintains the HTTPS state until you close it or access an unsecured site; in the latter case you might see a Security Alert screen.
Proceed to Logging into the VPN 3002 Hardware Client Manager to log in as usual.
Viewing Certificates with Internet Explorer
There are (at least) two ways to examine certificates stored in Internet Explorer.
First, note the padlock icon on the browser status bar in Figure 1-11. If you double-click the icon, the browser opens a Certificate Properties screen showing details of the specific certificate in use.
Figure 1-12 Internet Explorer 4.0 Certificate Properties Screen
Click any of the Field items to see Details. Click Close when finished.
Second, you can v iew al l the certif icates that are st ored in In ternet E xplo rer 4 .0. C lick the bro wser View
menu and select Internet Options. Click the Content tab, then click Authorities in the Certificates
section.
In Internet Explorer 5.0, click the browser Tools menu and select Internet Options. Click the Content tab, then click Certificates in the Certificates section. On the Certificate Manager, click the Trusted Root Certification Authorities tab.
The VPN 3002 Hardware Client SSL certificate name is its Ethernet 1 (private) IP address.
Figure 1-13 Internet Explorer 4.0 Certificate Authorities List
Select a certificate, then click View Certificate. The browser displays the Certificate Properties screen, as in Figure 1-12 above.
Installing the SSL Certificate with Netscape
This section describes SSL certificate installation using Netscape Navigator / Communicator 4.5.
Reinstallation
You need to install the SSL certificate from a given VPN 3002 only once. If you try to reinstall it, Netscape displays the note in Figure 1-14. Click OK and just connect to the VPN 3002 using SSL (see Step 7 in this section).
Figure 1-14 Netscape Reinstallation Note
First-time Installation
The instructions below follow from Step 2 in “Installing the SSL Certificate in Your Browser,” and
describe first-time certificate installation.
A few seconds after the VPN 3002 Hardware Client Manager SSL screen appears, Netscape displays a
New Certificate Authority screen.
Figure 1-15 Netscape New Certificate Authority Screen 1
1. Click Next> to proceed.
Netscape displays the next New Certificate Authority screen, which further explains the process.
Figure 1-16 Netscape New Certificate Authority Screen 2
2. Click Next> to proceed.
Netscape displays the next New Certificate Authority screen, which lets you examine details of the VPN 3002 Hardware Client SSL certificate.
Figure 1-17 Netscape New Certificate Authority Screen 3
3. Click Next> to proceed.
Netscape displays the next New Certificate Authority screen, with choices for using the certificate. No choices are checked by default.
Figure 1-18 Netscape New Certificate Authority Screen 4
4. You must check at least the first box, Accept this Certificate Authority for Certifying network sites. Click Next> to proceed.
Netscape displays the next New Certificate Authority screen, which lets you choose to have the browser warn you about sending data to the VPN 3002.
Figure 1-19 Netscape New Certificate Authority Screen 5
5. Checking the box is optional. Doing so means that you get a warning whenever you apply settings on a Manager screen, so it is probably less intrusive to manage the VPN 3002 without those warnings. Click Next> to proceed.
Netscape displays the final New Certificate Authority screen, which asks you to name the certificate.
Figure 1-20 Netscape New Certificate Authority Screen 6
6. In the Nickname field, enter a descriptive name for this certificate. “Nickname” is something of a misnomer. We suggest you use a clearly descriptive name such as Cisco VPN 3002 10.10.147.2. This name appears in the list of installed certificates; see “Viewing Certificates with Netscape,” below. Click Finish.
You can now connect to the VPN 3002 using HTTP over SSL (HTTPS).
7. On the Manager SSL screen (Figure 1-2), click the link that says After installing the SSL certificate, click here to connect to the VPN 3002 Hardware Client using SSL.
Depending on how your browser is configured, you might see a Security Information Alert dialog box.
Figure 1-21 Netscape Security Information Alert Dialog Box
8. Click Continue.
The VPN 3002 displays the HTTPS version of the Manager login screen.
The browser maintains the HTTPS state until you close it or access an unsecured site; in the latter case, you might see a Security Information Alert dialog box.
Proceed to the section, “Logging into the VPN 3002 Hardware Client Manager,” to log in as usual.
Viewing Certificates with Netscape
There are (at least) two ways to examine certificates stored in Netscape Navigator / Communicator 4.5.
First, note the locked-padlock icon on the bottom status bar in Figure 1-22. If you click the icon, Netscape opens a Security Info window. (You can also open this window by clicking Security on the Navigator Toolbar at the top of the Netscape window.)