VPN 3002 Hardware Client Reference Release 3.5 November 2001 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS
Preface ix
  Prerequisites ix
  Organization ix
  Related Documentation xi
  Documentation conventions xii
  Obtaining Documentation xiii
  Obtaining technical assistance xiv
Using the VPN 3002 Hardware Client Manager 1-1
  VPN 3002 Hardware Client Browser Requirements 1-1
  Connecting to the VPN 3002 Using HTTP 1-2
  Installing the SSL Certificate in Your Browser 1-3
  Connecting to the VPN 3002 Using HTTPS 1-16
  Configuring HTTP, HTTPS, and SSL Parameters 1-16
  Logging into the VPN 3002 Ha
Servers 5-1
  Configuration | System | Servers 5-1
  Configuration | System | Servers | DNS 5-1
Tunneling 6-1
  Configuration | System | Tunneling Protocols 6-2
  Configuration | System | Tunneling Protocols | IPSec 6-2
IP Routing 7-1
  Configuration | System | IP Routing 7-1
  Configuration | System | IP Routing | Static Routes 7-2
  Configuration | System | IP Routing | Static Routes | Add or Modify 7-3
  Configuration | System | IP Routing | Default Gateways
  Configuration | System | IP Routing
  Configuration | System | Events | Classes | Add or Modify 9-10
  Configuration | System | Events | Trap Destinations 9-12
  Configuration | System | Events | Trap Destinations | Add or Modify 9-13
  Configuration | System | Events | Syslog Servers 9-14
  Configuration | System | Events | Syslog Servers | Add or Modify 9-16
General 10-1
  Configuration | System | General 10-1
  Configuration | System | General | Identification
  Configuration | System | General | Time and Date
Policy Management Client
  Administration | Certificate Management | Enroll | Certificate Type | PKCS10 12-39
  Administration | Certificate Management | Enrollment or Renewal | Request Generated 12-40
  Administration | Certificate Management | Enroll | Identity Certificate | SCEP 12-41
  Administration | Certificate Management | Enroll | SSL Certificate | SCEP 12-42
  Administration | Certificate Management | Install 12-44
  Administration | Certificate Management | Install | Certificate Obtained via Enrollment
  Administratio
  Monitoring | Statistics | PPPoE 13-36
  Monitoring | Statistics | MIB-II 13-39
  Monitoring | Statistics | MIB-II | Interfaces 13-40
  Monitoring | Statistics | MIB-II | TCP/UDP 13-42
  Monitoring | Statistics | MIB-II | IP 13-45
  Monitoring | Statistics | MIB-II | ICMP 13-48
  Monitoring | Statistics | MIB-II | ARP Table
  Monitoring | Statistics | MIB-II | Ethernet
  Monitoring | Statistics | MIB-II | SNMP
Using the Command-Line Interface 14-1
  Starting the Command-line Interface
  Menu Reference
Contents VPN 3000 Series Concentrator Reference Volume I: Configuration viii 78-13782-01
Preface The VPN 3002 Hardware Client Reference provides guidelines for configuring the Cisco VPN 3002, details on all the functions available in the VPN 3002 Hardware Client Manager, and instructions for using the VPN 3002 Command Line Interface. Prerequisites We assume you have read the VPN 3002 Hardware Client Getting Started manual and have followed the minimal configuration steps in Quick Configuration. That section of the VPN Hardware Client Manager is not described here.
Organization
Chapter 5, Servers: Explains how to configure the VPN 3002 to communicate with DNS servers to convert hostnames to IP addresses.
Chapter 6, Tunneling: Explains how to configure IPSec.
Chapter 7, IP Routing: Explains how to configure static routes, default gateways, and DHCP parameters and options.
Related Documentation
Refer to the following documents for further information about Cisco VPN 3000 Series applications and products.
VPN 3002 Hardware Client Documentation
The VPN 3002 Hardware Client Getting Started manual provides information to take you from unpacking and installing the VPN 3002, through configuring the minimal parameters to make it operational (called Quick Configuration). This manual is online only.
versions on the Cisco web site, click the Support icon on the toolbar at the top of the VPN Concentrator Manager, Hardware Client Manager, or Client window. To open the documentation, you need Acrobat® Reader 3.0 or later; version 4.5 is included on the Cisco VPN 3000 Concentrator software distribution CD-ROM and on the VPN Client software distribution CD-ROM.
Data Formats
As you configure and manage the system, enter data in the following formats unless the instructions indicate otherwise:
IP Addresses: IP addresses use 4-byte dotted decimal notation (for example, 192.168.12.34); as the example indicates, you can omit leading zeros in a byte position.
Subnet Masks and Wildcard Masks: Subnet masks use 4-byte dotted decimal notation (for example, 255.255.255.0).
Ordering documentation
Cisco documentation is available in the following ways:
• Registered Cisco Direct Customers can order Cisco Product documentation from the Networking Products MarketPlace: http://www.cisco.com/cgi-bin/order/order_root.pl
• Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store: http://www.cisco.com/go/subscription
• Nonregistered Cisco.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco. To access Cisco.com, go to the following website: http://www.cisco.
Preface Obtaining technical assistance VPN 3002 Hardware Client Reference xvi OL-1893-01
Chapter 1 Using the VPN 3002 Hardware Client Manager
The VPN 3002 Hardware Client Manager is an HTML-based interface that lets you configure, administer, monitor, and manage the VPN 3002 with a standard web browser. To use it, you connect to the VPN 3002, using a PC and browser on the same private network as the VPN 3002. The Manager uses the standard web client/server protocol, HTTP (Hypertext Transfer Protocol), which is a cleartext protocol: anyone able to capture traffic on that network segment can read the login credentials and configuration data it carries. For that reason the Manager also supports HTTPS, described under "Installing the SSL Certificate in Your Browser."
JavaScript and Cookies
Be sure JavaScript and cookies are enabled in the browser. Refer to the documentation for your browser for instructions.
Navigation Toolbar
Do not use the browser navigation toolbar buttons Back, Forward, or Refresh/Reload with the VPN 3002 Hardware Client Manager unless instructed to do so. To protect access security, clicking Refresh/Reload automatically logs out the Manager session.
Figure 1-1 VPN 3002 Hardware Client Manager Login Screen
To continue using HTTP for the whole session, skip to "Logging into the VPN 3002 Hardware Client Manager."
Installing the SSL Certificate in Your Browser
The Manager provides the option of using HTTP over SSL with the browser. SSL creates a secure session between your browser (the client) and the VPN 3002 (the server), so the login credentials and configuration data that plain HTTP would send in cleartext are encrypted. The browser does not trust the VPN 3002 certificate until you install it. The procedure below installs it as a trusted certificate authority, which means the browser will afterward accept any certificate signed with that key; check the certificate details the browser shows against the VPN 3002 you expect before you accept it, and remove the entry (see "Viewing Certificates," below) if you retire or replace the unit.
Follow these steps to install and use the SSL certificate for the first time. We provide separate instructions for Internet Explorer and Netscape Navigator when they diverge.
Step 1 Connect to the VPN 3002 using HTTP as above.
Step 2 On the login screen, click the Install SSL Certificate link.
Figure 1-3 Internet Explorer File Download Dialog Box
3. Click the Open this file from its current location radio button, then click OK. The browser displays the Certificate dialog box with information about the certificate. You must now install the certificate.
Figure 1-4 Internet Explorer Certificate Dialog Box
4. Click Install Certificate. The browser starts a wizard to install the certificate.
Figure 1-5 Internet Explorer Certificate Manager Import Wizard Dialog Box
5. Click Next to continue. The wizard opens the next dialog box asking you to select a certificate store.
Figure 1-6 Internet Explorer Certificate Manager Import Wizard Dialog Box
6. Let the wizard Automatically select the certificate store, and click Next. The wizard opens a dialog box to complete the installation.
Figure 1-7 Internet Explorer Certificate Manager Import Wizard Dialog Box
7. Click Finish. The wizard opens the Root Certificate Store dialog box asking you to confirm the installation.
Figure 1-8
8. To install the certificate, click Yes. This dialog box closes, and a final wizard confirmation dialog box opens.
Figure 1-9
9.
Figure 1-10 Internet Explorer Security Alert Dialog Box
11. Click OK. The VPN 3002 Hardware Client displays the HTTPS version of the Manager login screen.
Figure 1-11 VPN 3002 Hardware Client Manager Login Screen Using HTTPS (Internet Explorer)
The browser maintains the HTTPS state until you close it or access an unsecured site; in the latter case you might see a Security Alert screen.
Figure 1-12 Internet Explorer 4.0 Certificate Properties Screen
Click any of the Field items to see Details. Click Close when finished.
Second, you can view all the certificates that are stored in Internet Explorer 4.0. Click the browser View menu and select Internet Options. Click the Content tab, then click Authorities in the Certificates section. In Internet Explorer 5.
Reinstallation
You need to install the SSL certificate from a given VPN 3002 only once. If you try to reinstall it, Netscape displays the note in Figure 1-14. Click OK and just connect to the VPN 3002 using SSL (see Step 7 in this section).
Figure 1-16 Netscape New Certificate Authority Screen 2
2. Click Next> to proceed. Netscape displays the next New Certificate Authority screen, which lets you examine details of the VPN 3002 Hardware Client SSL certificate.
Figure 1-17 Netscape New Certificate Authority Screen 3
3. Click Next> to proceed.
Figure 1-18 Netscape New Certificate Authority Screen 4
4. You must check at least the first box, Accept this Certificate Authority for Certifying network sites. Click Next> to proceed. Netscape displays the next New Certificate Authority screen, which lets you choose to have the browser warn you about sending data to the VPN 3002.
Figure 1-19 Netscape New Certificate Authority Screen 5
5.
Figure 1-20 Netscape New Certificate Authority Screen 6
6. In the Nickname field, enter a descriptive name for this certificate. "Nickname" is something of a misnomer. We suggest you use a clearly descriptive name such as Cisco VPN 3002 10.10.147.2. This name appears in the list of installed certificates; see "Viewing Certificates with Netscape," below. Click Finish.
Figure 1-22 VPN 3002 Hardware Client Manager Login Screen Using HTTPS (Netscape)
The browser maintains the HTTPS state until you close it or access an unsecured site; in the latter case, you might see a Security Information Alert dialog box. Proceed to the section, "Logging into the VPN 3002 Hardware Client Manager," to log in as usual.
Figure 1-23 Netscape Security Info Window
Click View Certificate to see details of the specific certificate in use.
Figure 1-24 Netscape View Certificate Screen
Click OK when finished.
Second, you can view all the certificates that are stored in Netscape. On the Security Info window, select Certificates, then Signers.
Figure 1-25 Netscape Certificates Signers List
Select a certificate, then click Edit, Verify, or Delete. Click OK when finished.
Connecting to the VPN 3002 Using HTTPS
When you have installed the SSL certificate in the browser, you can connect directly using HTTPS.
Step 1 Bring up the browser.
Figure 1-26 VPN Hardware Client Manager HTTPS Login Screen
Logging into the VPN 3002 Hardware Client Manager
Logging into the VPN 3002 Hardware Client Manager is the same for both types of connections, cleartext HTTP or secure HTTPS. Entries are case-sensitive. With Microsoft Internet Explorer, you can press the Tab key to move from field to field; other browsers might work differently.
Figure 1-27 Manager Main Welcome Screen
From here you can navigate the Manager using either the table of contents in the left frame, or the Manager toolbar in the top frame.
Interactive Hardware Client and Individual User Authentication
Interactive hardware client and individual user authentication provide security by requiring manual entry of usernames and passwords prior to connection. You configure these features on the VPN Concentrator to which this VPN 3002 connects, and the VPN Concentrator pushes the policies you set to the VPN 3002.
Logging In With Interactive Hardware Client and Individual User Authentication
Figure 1-28 VPN 3002 Hardware Client Manager Login Screen
Step 1 Click the Connection Login Status button. The Connection/Login Status screen displays.
Figure 1-29 Connection Login Status Screen
Step 2 Click the Connect Now button. The VPN 3002 Interactive Authentication screen displays.
Figure 1-30 VPN 3002 Interactive Authentication Screen
Step 3 Enter the username and password for the VPN 3002.
Step 4 Click Connect. If you have entered a valid username and password, the Connection/Login Status screen displays the message that the VPN 3002 is connected. Next you authenticate the user.
Figure 1-32 Individual User Authentication Screen
Step 5 Enter the username and password for this VPN 3002 user.
Step 6 Click Login. If the username and password you entered are valid, the Connection/Login Status window displays information about the connection.
Understanding the VPN 3002 Hardware Client Manager Window
The VPN 3002 Hardware Client Manager window on your browser consists of three frames (top, left, and main), and it provides helpful messages and tips as you move the mouse pointer over window items. The title bar and status bar also provide useful information.
Figure 1-34 VPN 3002 Hardware Client Manager Window
Title bar
The title bar at the top of the browser window includes the VPN 3002 device name or IP address in brackets, for example, [10.10.4.6].
Status bar
The status bar at the bottom of the browser window displays Manager activity and explanatory messages for some items.
Save
Click the Save icon to save the active configuration and make it the boot configuration. In this state, the reminder indicates that the active configuration is the same as the boot configuration, but you can save it anyway. When you change the configuration, the reminder changes to Save Needed.
Save Needed
This reminder indicates that you have changed the active configuration.
Open or expanded
Click the open/expanded icon to close subordinate sections and titles. Clicking on this icon does not change the screen in the main frame.
Main frame (Manager screen)
The main frame displays the current VPN 3002 Hardware Client Manager screen. Many screens include a bullet list of links and descriptions of subordinate sections and titles.
Organization of the VPN 3002 Hardware Client Manager
The VPN 3002 Hardware Client Manager consists of three major sections and many subsections:
• Configuration: setting all the parameters for the VPN 3002 that govern its use and functionality as a VPN device:
  – Quick Configuration: supplying the minimal parameters needed to make the VPN 3002 operational.
  – Interfaces: Ethernet parameters.
Navigating the VPN 3002 Hardware Client Manager
Your primary tool for navigating the VPN 3002 Hardware Client Manager is the table of contents in the left frame. Figure 1-35 shows all its entries, completely expanded. (The figure shows the frame in multiple columns, but the actual frame is a single column. Use the scroll controls to move up and down the frame.)
Chapter 2 Configuration
Configuring the VPN 3002 means setting all the parameters that govern its use and functionality as a VPN device. Cisco supplies default parameters that cover typical installations and uses; after you supply minimal parameters in Quick Configuration, the system is operational. But to tailor the system to your needs, and to provide an appropriate level of system security, you can configure the system in detail.
Chapter 3 Interfaces
This section of the VPN 3002 Hardware Client Manager applies functions that are interface-specific, rather than system-wide. You configure two network interfaces for the VPN 3002 to operate as a VPN device: the private interface and the public interface. If you used Quick Configuration as described in the VPN 3002 Hardware Client Getting Started manual, the system supplied many default parameters for the interfaces. Here you can configure them explicitly.
Configuration | Interfaces
Figure 3-1 VPN 3002 Configuration | Interfaces Screen
To configure a module, either click the appropriate link in the status table; or use the mouse pointer to select the module on the back-panel image, and click anywhere in the highlighted area.
Interface
The VPN 3002 interface installed in the system. To configure an interface, click the appropriate link.
Status
The operational status of this interface:
• UP (green) = Configured, enabled, and operational; ready to pass data traffic.
• DOWN (red) = Configured but disabled or disconnected.
• Testing = In test mode; no regular data traffic can pass.
• Dormant (red) = Configured and enabled but waiting for an external action, such as an incoming connection.
• Not Present (red) = Missing hardware components.
Configuration | Interfaces | Private
This screen lets you configure parameters for the private interface. It displays the current parameters, if any.
Figure 3-2 Configuration | Interfaces | Private Screen
Caution If you modify any parameters of the private interface that you are currently using to connect to the VPN 3002, you will break the connection, and you will have to restart the Manager from the login screen.
Subnet Mask
Enter the subnet mask for this interface, using dotted decimal notation (for example 255.255.255.0). The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered. For example, the IP address 192.168.12.34 is a Class C address, and the standard subnet mask is 255.255.255.0. You can accept this entry or change it. Note that 0.0.0.0 is not allowed.
Configuration | Interfaces | Public
This screen lets you select a connection method (DHCP, PPPoE, or static IP addressing) for the public interface. It also allows you to disable the public interface.
Figure 3-3 Configuration | Interfaces | Public Screen
Disabled
To take the interface offline, click Disabled. This state lets you retain or change its configuration parameters.
PPPoE User Name
If you have selected PPPoE, enter a valid PPPoE username.
PPPoE Password
If you have selected PPPoE, enter the PPPoE password for the username you entered above.
Verify PPPoE Password
If you have selected PPPoE, enter the PPPoE password again to verify it.
Static IP Addressing
Click this radio button if you want to use a static IP address.
Duplex
If you are using static IP addressing, click the drop-down menu button and select the interface transmission mode:
• Auto = Let the VPN 3002 automatically detect and set the appropriate transmission mode, either full or half duplex (default). Be sure that the port on the active network device (hub, switch, router, etc.) to which you connect this interface is also set to automatically negotiate the transmission mode.
Chapter 4 System Configuration
System configuration means configuring parameters for system-wide functions in the VPN 3002.
Configuration | System
This section of the Manager lets you configure parameters for:
• Servers: identifying servers for DNS information for the VPN 3002.
• Tunneling Protocols: configuring IPSec connections.
• IP Routing: configuring static routes, default gateways, and DHCP.
Chapter 5 Servers
Configuring servers means identifying DNS servers to the VPN 3002 so it can communicate with them correctly. DNS servers convert hostnames to IP addresses. The VPN 3002 functions as a client of these servers.
Configuration | System | Servers
This section of the Manager lets you configure the VPN 3002 to communicate with DNS servers.
Configuration | System | Servers | DNS
Figure 5-2 Configuration | System | Servers | DNS Screen
Enabled
To use DNS functions, check Enabled (the default). To disable DNS, clear the box.
Domain
Enter the name of the registered domain of the ISP for the VPN 3002; for example, yourisp.com. Maximum 48 characters. This entry is sometimes called the domain name suffix or sub-domain.
Timeout Period
Enter the initial time in seconds to wait for a response to a DNS query before sending the query to the next server. Minimum is 1, default is 2, maximum is 30 seconds. This time doubles with each retry cycle through the list of servers.
Timeout Retries
Enter the number of times to retry sending a DNS query to the configured servers, in order.
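The timeout and retry settings above decide how long a client behind the VPN 3002 can wait when the primary DNS server is unreachable. The following is an added example, not code from the Cisco manual or the VPN 3002; it lays out the query schedule as the text describes it (each server in order, then the per-server wait doubles for every retry cycle) and totals the worst case. It assumes the doubled wait is not capped at 30 seconds, which the page does not state, and the server addresses are constructed.

```python
"""DNS query schedule for the VPN 3002 Timeout Period / Timeout Retries settings.

Added example, not Cisco code. Models the manual's description: a query goes
to each configured server in order, waiting `timeout` seconds per server, and
that wait doubles on every retry cycle through the list.
Assumption (not stated on the page): the doubled wait has no upper cap.
"""


def dns_query_schedule(servers, timeout, retries):
    """Return the ordered list of (server, wait_seconds) attempts.

    `timeout` is the initial wait (the Manager accepts 1..30 seconds);
    `retries` is how many further passes through the list are made.
    """
    if not 1 <= timeout <= 30:
        raise ValueError("initial timeout must be between 1 and 30 seconds")
    if retries < 0 or not servers:
        raise ValueError("need at least one server and a non-negative retry count")
    schedule = []
    wait = timeout
    for _cycle in range(1 + retries):       # first pass plus `retries` retry passes
        for server in servers:
            schedule.append((server, wait))
        wait *= 2                           # doubles per cycle, per the manual
    return schedule


def worst_case_wait(servers, timeout, retries):
    """Seconds a client can wait before the resolver gives up entirely."""
    return sum(wait for _server, wait in dns_query_schedule(servers, timeout, retries))


if __name__ == "__main__":
    # Constructed sample: primary and secondary DNS servers reached through the tunnel.
    servers = ["10.10.4.1", "10.10.4.2"]
    for server, wait in dns_query_schedule(servers, timeout=2, retries=2):
        print(f"query {server}, wait up to {wait}s")
    print("worst case before giving up:", worst_case_wait(servers, 2, 2), "s")
```

With the default 2-second timeout and two retries, two servers produce six attempts and a 28-second worst case; that number is what an application timeout behind the tunnel has to tolerate.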
Chapter 6 Tunneling
Tunneling is the heart of virtual private networking. Tunnels make it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network. The secure connection is called a tunnel, and the VPN 3002 uses the IPSec tunneling protocol to:
• Negotiate tunnel parameters.
• Establish tunnels.
• Authenticate users and data.
• Manage security keys.
• Encrypt and decrypt data.
Configuration | System | Tunneling Protocols
This section lets you configure the IPSec tunneling protocol. Click IPSec on the Tunneling Protocols screen.
Figure 6-1 Configuration | System | Tunneling Protocols Screen
Configuration | System | Tunneling Protocols | IPSec
The VPN 3002 complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator.
  – DES-56
  – 3DES-168
  (DES-56 no longer provides adequate protection against brute-force key search; use 3DES-168 wherever the VPN Concentrator permits it.)
• Extended Authentication (XAuth)
• Mode Configuration (also known as ISAKMP Configuration Method)
• Tunnel Encapsulation Mode
Figure 6-2 Configuration | System | Tunneling Protocols | IPSec Screen
Remote Server
Enter the IP address or hostname of the remote server. This is the IP address or hostname of the public interface on the VPN Concentrator to which this VPN 3002 connects.
Note If you are using hostnames, it is wise to have backup DNS and WINS servers on a separate network from that of the primary DNS and WINS servers. Otherwise, if clients behind the VPN 3002 obtain DNS and WINS information from the VPN 3002 through DHCP, and the connection to the primary server is lost, and the backup servers have different DNS and WINS information, clients cannot be updated until the DHCP lease expires.
The VPN 3002 in Fargo first tries to reach San Jose. If the initial IKE packet for that connection (1) times out (8 seconds), it tries to connect to Austin (2). Should this negotiation also time out, it tries to connect to Boston (3). These attempts continue until the VPN 3002 has tried all servers on its backup server list, to a maximum of 10.
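The failover sequence just described determines both which concentrator the VPN 3002 ends up on and how long users wait while dead peers time out. The block below is an added example, not Cisco code or VPN 3002 firmware; it plays out the sequence with the manual's 8-second initial-IKE timeout and 10-entry backup list. The `send_ike` hook, the `make_reachability_hook` helper and the peer names are assumptions introduced so the example runs without a network.

```python
"""Backup-server failover for the VPN 3002 IPSec connection.

Added example, not Cisco code. The primary peer is tried first; if its
initial IKE packet gets no reply within the timeout, the next entry in the
backup list is tried, until a peer answers or the list is exhausted.
`send_ike(peer, timeout)` is a caller-supplied hook (an assumption of this
example) that returns True when the peer answered in time.
"""

IKE_INITIAL_TIMEOUT_S = 8.0   # the manual's timeout for the initial IKE packet
MAX_BACKUP_SERVERS = 10       # the manual's cap on the backup server list


def failover_connect(primary, backups, send_ike, timeout=IKE_INITIAL_TIMEOUT_S):
    """Try `primary`, then each entry of `backups` in order.

    Returns (connected_peer_or_None, seconds_spent_waiting, peers_tried).
    """
    if len(backups) > MAX_BACKUP_SERVERS:
        raise ValueError(f"backup list may hold at most {MAX_BACKUP_SERVERS} servers")
    waited = 0.0
    tried = []
    for peer in [primary, *backups]:
        tried.append(peer)
        if send_ike(peer, timeout):
            return peer, waited, tried
        waited += timeout           # a silent peer costs one full timeout
    return None, waited, tried      # every peer timed out: no tunnel


def make_reachability_hook(answering_peers):
    """Build a send_ike stand-in from a constructed set of peers that answer."""
    def send_ike(peer, timeout):
        return peer in answering_peers
    return send_ike


if __name__ == "__main__":
    # Constructed sample: San Jose and Austin are unreachable, Boston answers.
    hook = make_reachability_hook({"boston.example.com"})
    peer, waited, tried = failover_connect(
        "sanjose.example.com", ["austin.example.com", "boston.example.com"], hook)
    print(f"connected to {peer} after {waited:.0f}s; tried {tried}")
```

Two dead peers ahead of the live one cost 16 seconds before any tunnel exists, so order the backup list by likely availability rather than by geography.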
About IPSec over TCP
IPSec over TCP encapsulates encrypted data traffic within TCP packets. This feature enables the VPN 3002 to operate in an environment in which standard Encapsulating Security Payload (ESP, IP protocol 50) or Internet Key Exchange (IKE, UDP port 500) traffic cannot pass, or can pass only with modification to existing firewall rules.
Password
In the Group Password field, enter a unique password for this group. This is the group password configured on the VPN Concentrator to which this VPN 3002 connects. Minimum is 4, maximum is 32 characters, case-sensitive. The field displays only asterisks.
Verify
In the Group Verify field, re-enter the group password to verify it. The field displays only asterisks.
Chapter 7 IP Routing
The VPN 3002 includes an IP routing subsystem with static routing, default gateways, and DHCP. To route packets, the subsystem uses static routes and the default gateway. If you do not configure the default gateway, the subsystem drops packets that it cannot otherwise route. You configure static routes and default gateways in this section. This section also includes the system-wide DHCP (Dynamic Host Configuration Protocol) server parameters.
Configuration | System | IP Routing | Static Routes
This section of the Manager lets you configure static routes for IP routing.
Figure 7-2 Configuration | System | IP Routing | Static Routes Screen
Static Routes
The Static Routes list shows manual IP routes that have been configured. The format is [destination network address/subnet mask -> outbound destination]; for example, 192.168.12.0/255.255.255.0 -> 10.10.0.2.
Configuration | System | IP Routing | Static Routes | Add or Modify
These Manager screens let you:
• Add: Configure and add a new static, or manual, route to the IP routing table.
• Modify: Modify the parameters for a configured static route.
Figure 7-3 Configuration | System | IP Routing | Static Routes | Add Screen
Network Address
Enter the destination network IP address that this static route applies to.
Destination
Click a radio button to select the outbound destination for these packets. You can select only one destination: either a specific router/gateway, or a VPN 3002 interface.
Destination Router Address
Enter the IP address of the specific router or gateway to which to route these packets; that is, the IP address of the next hop between the VPN 3002 and the packet's ultimate destination.
Configuration | System | IP Routing | Default Gateways
Default Gateway
Enter the IP address of the default gateway or router. Use dotted decimal notation; for example, 192.168.12.77. This address must not be the same as the IP address configured on any VPN 3002 interface. If you do not use a default gateway, enter 0.0.0.0 (the default entry). To delete a configured default gateway, enter 0.0.0.0.
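To see how the static-route list, the default gateway entry and the drop rule above fit together, here is an added example, written for this page and not taken from the Cisco manual or the VPN 3002 software. It parses routes in the Manager's own "network/mask -> next hop" format, rejects a default gateway that collides with an interface address or is 0.0.0.0 (meaning none), and resolves a destination. Longest-prefix match among overlapping static routes is this example's choice; the page only says static routes are consulted before the default gateway. The interface addresses and route entries are constructed.

```python
"""Static-route lookup as the VPN 3002 IP Routing section describes it.

Added example, not Cisco code. Routes use the Manager's list format
"192.168.12.0/255.255.255.0 -> 10.10.0.2". A destination is matched against
the static routes first (longest prefix wins; this ordering is an assumption
of the example), then falls back to the default gateway, and is dropped
(None) when no default gateway is configured.
"""
import ipaddress

# Constructed sample: addresses assigned to the private and public interfaces.
INTERFACE_ADDRESSES = {"10.10.4.6", "192.168.12.1"}


def parse_static_route(entry):
    """Parse 'net/mask -> next_hop' into (IPv4Network, next_hop)."""
    dest, next_hop = (part.strip() for part in entry.split("->"))
    # strict=True rejects a network address with host bits set, e.g. 192.168.12.5/24
    return ipaddress.IPv4Network(dest, strict=True), next_hop


def set_default_gateway(addr, interface_addresses=INTERFACE_ADDRESSES):
    """Validate a Default Gateway entry: 0.0.0.0 means none; it must not be a local interface."""
    if addr == "0.0.0.0":
        return None
    ipaddress.IPv4Address(addr)                # raises ValueError on malformed input
    if addr in interface_addresses:
        raise ValueError(f"{addr} is configured on a VPN 3002 interface")
    return addr


def route_lookup(dst, routes, default_gateway):
    """Return the next hop for dst, or None when the packet would be dropped."""
    ip = ipaddress.IPv4Address(dst)
    best = None
    for net, hop in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is not None:
        return best[1]
    return default_gateway                     # None when no default gateway: packet dropped


if __name__ == "__main__":
    table = [parse_static_route(r) for r in (
        "192.168.12.0/255.255.255.0 -> 10.10.0.2",
        "192.168.12.128/255.255.255.128 -> 10.10.0.3",
    )]
    gw = set_default_gateway("10.10.0.1")
    for dst in ("192.168.12.34", "192.168.12.200", "8.8.8.8"):
        print(dst, "->", route_lookup(dst, table, gw))
```

Run the same lookups with the gateway set to 0.0.0.0 to confirm that traffic for any prefix not in the static table is silently dropped, which is the failure mode to check first when hosts behind the VPN 3002 cannot reach anything outside the listed networks.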
Configuration | System | IP Routing | DHCP
This screen lets you configure DHCP (Dynamic Host Configuration Protocol) server parameters that apply to DHCP server functions within the VPN 3002. The DHCP server for the private interface lets IP hosts in its network automatically obtain IP addresses from a limited pool of addresses for a fixed length of time, or lease period.
Configuration | System | IP Routing | DHCP Options
Apply/Cancel
To apply the settings for DHCP parameters, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen. Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your entries, click Cancel.
Configuration | System | IP Routing | DHCP Options | Add or Modify
To remove a configured DHCP option, select the option from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining DHCP options in the list. Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Nonconfigurable DHCP Options
You cannot configure the following DHCP options:
• Subnet Mask (option 1)
• Router (option 3)
• Domain Name Server (option 6)
• Domain Name (option 15)
• NetBIOS Name Server/WINS (option 44)
You configure these values on the central-site VPN Concentrator for the group to which the VPN 3002 Hardware Client belongs.
VPN 3002 Hardware Client Reference 7-10 OL-1893-01
Chapter 8 Management Protocols
The VPN 3002 Hardware Client includes various built-in servers, using various protocols, that let you perform typical network and system management functions. This section explains how you configure and enable those servers.

Configuration | System | Management Protocols | HTTP/HTTPS
This screen lets you configure and enable the VPN 3002 HTTP/HTTPS server: Hypertext Transfer Protocol and HTTP over SSL (Secure Sockets Layer) protocol. When the server is enabled, you can use a Web browser to communicate with the VPN 3002. HTTPS lets you use a Web browser over a secure, encrypted connection.

Enable HTTPS
Check the box to enable the HTTPS server. The box is checked by default. HTTPS, also known as HTTP over SSL, lets you use the Manager over an encrypted connection.

Enable HTTPS on Public
Check the box to enable HTTPS on the Public interface.

HTTP Port
Enter the port number that the HTTP server uses. The default is 80, which is the well-known port.

Figure 8-3 Configuration | System | Management Protocols Screen

Configuration | System | Management Protocols | Telnet
This screen lets you configure and enable the VPN 3002 Telnet terminal emulation server, and Telnet over SSL (Secure Sockets Layer protocol). When the server is enabled, you can use a Telnet client to communicate with the VPN 3002.

Enable Telnet/SSL
Check the box to enable Telnet over SSL. The box is checked by default. Telnet/SSL uses Telnet over a secure, encrypted connection.

Telnet Port
Enter the port number that the Telnet server uses. The default is 23, which is the well-known port number.

Telnet/SSL Port
Enter the port number that Telnet over SSL uses. The default is 992, which is the well-known port number.

Configuration | System | Management Protocols | SNMP
This screen lets you configure and enable the SNMP (Simple Network Management Protocol) agent. When enabled, you can use an SNMP manager to collect information from the VPN 3002 but not to configure it. To use SNMP, you must also configure an SNMP Community on the Configuration | System | Management Protocols | SNMP Communities screen.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.

Configuration | System | Management Protocols | SNMP Communities

Community Strings
The Community Strings list shows SNMP community strings that have been configured. If no strings have been configured, the list shows --Empty--.

Add/Modify/Delete
To configure and add a new community string, click Add. The Manager opens the Configuration | System | Management Protocols | SNMP Communities | Add screen.

Figure 8-10 Configuration | System | Management Protocols | SNMP Communities | Add Screen

Community String
Enter the SNMP community string. Maximum 31 characters, case-sensitive.

Add or Apply / Cancel
To add this entry to the list of configured community strings, click Add. Or to apply your changes to this community string, click Apply. Both actions include your entry in the active configuration.

Configuration | System | Management Protocols | SSL
This screen lets you configure the VPN 3002 SSL (Secure Sockets Layer) protocol server. These settings apply to both HTTPS and Telnet over SSL. HTTPS lets you use a web browser over a secure, encrypted connection to manage the VPN 3002. SSL creates a secure session between the client and the VPN 3002 server.

Figure 8-12 Configuration | System | Management Protocols | SSL Screen

Encryption Algorithms
Check the boxes for the encryption algorithms that the VPN 3002 SSL server can negotiate with a client and use for session encryption. All are checked by default. You must check at least one algorithm to enable SSL. Unchecking all algorithms disables SSL.
SSL Version
Click the drop-down menu button and select the SSL version to use. SSL Version 3 has more security options than Version 2, and TLS (Transport Layer Security) Version 1 has more security options than SSL Version 3. Some clients that send an SSL Version 2 “Hello” (initial negotiation) can actually use a more secure version during the session. Telnet/SSL clients usually can use only SSL Version 2.
Figure 8-13 Configuration | System | Management Protocols Screen

Configuration | System | Management Protocols | SSH
This screen lets you configure the VPN 3002 SSH (Secure Shell) protocol server. SSH is a secure Telnet-like terminal emulator protocol that you can use to manage the VPN 3002, using the Command Line Interface, over a remote connection. The SSH server supports SSH1 (protocol version 1.

Enable SSH
Check the box to enable the SSH server. The box is checked by default. Disabling the SSH server provides additional security by preventing SSH access.

Enable SSH on Public
Check the box to enable SSH on the Public interface.

SSH Port
Enter the port number that the SSH server uses. The default is 22, which is the well-known port.

Maximum Sessions
Enter the maximum number of concurrent SSH sessions allowed.

Apply / Cancel
To apply your SSH settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel.
Configuration | System | Management Protocols | XML
This screen lets you configure the VPN 3002 to support an XML-based interface. Enabling XML management, which is the default condition, allows the VPN 3002 to be more easily managed by a centralized management system. To disable the XML option, clear the check box. To reenable the XML option, click the check box.
HTTPS IP Address
Enter the IP address from which to allow HTTPS access on the VPN 3002 public interface.

HTTPS Wildcard-mask
Enter the wildcard mask for the HTTPS IP address.

Note Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has 1s in bit positions to ignore, and 0s in bit positions to match. For example, entering 0.0.0.0 matches the specified address; entering 255.255.255.
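The following is an added example, not code from the Cisco manual: it models the HTTPS IP Address / Wildcard-mask check described above so an administrator can see which public-side source addresses a candidate entry admits before applying it, and it flags the common mistake of typing a subnet mask (such as 255.255.255.0) into the wildcard field. The management host and source addresses used are constructed.

```python
"""Evaluate an HTTPS IP Address / wildcard-mask pair as the note above defines it.

Added example, not code from the Cisco manual.  The VPN 3002 applies the
restriction on its public interface; here it is a plain function so an
administrator can check what an entry would admit before typing it into
the Manager.  All addresses below are constructed samples.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(source: str, allowed: str, wildcard: str) -> bool:
    """True if `source` matches `allowed` under the wildcard mask.

    A wildcard mask is the reverse of a subnet mask: 1 bits are ignored,
    0 bits must match.  So 0.0.0.0 requires an exact match and
    255.255.255.255 matches every source address.
    """
    must_match = ALL_ONES ^ _to_int(wildcard)          # the 0 bits of the wildcard
    return (_to_int(source) ^ _to_int(allowed)) & must_match == 0


def admitted_address_count(wildcard: str) -> int:
    """Number of distinct source addresses a wildcard admits (2 ** popcount)."""
    return 1 << bin(_to_int(wildcard)).count("1")


def looks_like_subnet_mask(wildcard: str) -> bool:
    """Flag a wildcard whose 1 bits run from the high end (e.g. 255.255.255.0).

    That shape is a subnet mask typed into the wildcard field by mistake: it
    ignores the network part and matches on the host part only, so hosts on
    unrelated networks get through.  0.0.0.0 (exact) and 255.255.255.255
    (any address) are legitimate entries and are not flagged.
    """
    m = _to_int(wildcard)
    if m in (0, ALL_ONES):
        return False
    low_bits = ALL_ONES ^ m                    # 0 bits of the wildcard
    return low_bits & (low_bits + 1) == 0      # 1 bits are contiguous from the top


def review_entry(allowed: str, wildcard: str) -> str:
    """One-line summary an administrator can read before clicking Apply."""
    count = admitted_address_count(wildcard)
    if looks_like_subnet_mask(wildcard):
        return f"WARNING: {wildcard} looks like a subnet mask; admits {count} addresses"
    if count == 1:
        return f"exact match on {allowed}"
    return f"{allowed} with wildcard {wildcard}: admits {count} addresses"


if __name__ == "__main__":
    # Constructed management host and candidate wildcard entries.
    print(review_entry("192.168.12.77", "0.0.0.0"))
    print(review_entry("192.168.12.0", "0.0.0.255"))
    print(review_entry("192.168.12.77", "255.255.255.0"))
    for src in ("192.168.12.77", "192.168.12.200", "10.0.0.77"):
        print(src, wildcard_matches(src, "192.168.12.77", "255.255.255.0"))
```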
Chapter 9 Events
An event is any significant occurrence within or affecting the VPN 3002 such as an alarm, trap, error condition, network problem, task completion, threshold breach, or status change. The VPN 3002 records events in an event log, which is stored in nonvolatile memory. You can also specify that certain events trigger a console message, a UNIX syslog record, or an SNMP management system trap. Event attributes include class and severity level.

Event Class

Class Name     Class Description (Event Source) (*Cisco-specific Event Class)
EVENTMIB       Event MIB changes*
FSM            Finite State Machine subsystem (for debugging)*
FTPD           FTP daemon subsystem
GENERAL        NTP subsystem and other general events
HARDWAREMON    Hardware monitoring (fans, temperature, voltages, etc.

Note The Cisco-specific event classes provide information that is meaningful only to Cisco engineering or support personnel. Also, the DBG and DECODE events require significant system resources and might seriously degrade performance. We recommend that you avoid logging these events unless Cisco requests it.

Event Severity Level

Event Log
The VPN 3002 records events in an event log, which is stored in nonvolatile memory. Thus the event log persists even if the system is powered off. For troubleshooting any system difficulty, or just to examine details of system activity, consult the event log first. The VPN 3002 holds 256 events. The log wraps when it is full; that is, newer events overwrite older events when the log is full.

Configuration | System | Events
This section of the Manager lets you configure how the VPN 3002 handles events. Events provide information for system monitoring, auditing, management, accounting, and troubleshooting.

Figure 9-1 Configuration | System | Events Screen

Configuration | System | Events | General
This Manager screen lets you configure the general, or default, handling of all events. These defaults apply to all event classes.

Syslog Format
Click the Syslog Format drop-down menu button and choose the format for all events sent to UNIX syslog servers. Choices are:
• Original = Original VPN 3002 event format with information on one line. Each entry in the event log consists of the following fields:
  Sequence Date Time SEV=Severity Class/Number RPT=RepeatCount String
  – Sequence: The sequence number of the event.
  – Date: The date the event occurred.

The Original severities and the Cisco IOS severities differ. Original severities number from 1-13. (For the meaning of each Original severity, see Table 9-2 on page 9-3.) Cisco IOS severities number from 0-7. Table 9-3 shows the meaning of Cisco IOS severities and how they map to Original severities.

Severity to Trap
Click the drop-down menu button and select the range of event severity levels to send to an SNMP network management system (NMS) by default. Event messages sent to SNMP systems are called “traps.” The choices are: None, 1, 1-2, 1-3. The default is None; if you choose this range, no events are sent as SNMP traps.

Configuration | System | Events | Classes

Figure 9-3 Configuration | System | Events | Classes Screen

To configure default event handling, click the highlighted link that says “Click here to configure general event parameters.”

Configured Event Classes
The Configured Event Classes list shows the event classes that have been configured for special handling.

Configuration | System | Events | Classes | Add or Modify
These screens let you:
Add: Configure and add the special handling of a specific event class.
Modify: Modify the special handling of a specific event class.

Figure 9-4 Configuration | System | Events | Classes | Add Screen

Class Name
Add screen: Click the drop-down menu button and select the event class you want to add and configure for special handling.

Severity to Console
Click the drop-down menu button and select the range of event severity levels to display on the console. The choices are: None, 1, 1-2, 1-3, ..., 1-13. The default is 1-3; if you choose this range, events of severity level 1 through severity level 3 are displayed on the console.

Severity to Syslog
Click the drop-down menu button and select the range of event severity levels to send to a UNIX syslog server.
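As an added example, not code from the manual or the device, the following parses event lines in the Original syslog format described under Syslog Format above (Sequence Date Time SEV=Severity Class/Number RPT=RepeatCount String) and applies the severity-range choices (None, 1, 1-2, ..., 1-13) used by the Severity to Console, Syslog and Trap menus, which is useful when checking what a given setting will forward off the box. The sample lines, class numbers and message texts are constructed, not real VPN 3002 output.

```python
"""Parse VPN 3002 'Original' format event lines and apply a severity range.

Added example, not code from the manual or the device.  The field order
follows the format given in the manual (Sequence Date Time SEV=Severity
Class/Number RPT=RepeatCount String) and the severity-range choices
(None, 1, 1-2, ..., 1-13) follow the Severity to Console/Syslog/Trap
menus.  The sample lines, class numbers and message texts are constructed
for illustration, not real device output.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

EVENT_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"SEV=(?P<sev>\d+)\s+(?P<cls>[A-Z0-9]+)/(?P<num>\d+)\s+"
    r"RPT=(?P<rpt>\d+)\s*(?P<text>.*)$"
)

# Classes the manual says need significant resources and should not be
# logged unless Cisco asks for them.
COSTLY_CLASSES = {"DBG", "DECODE"}


@dataclass
class Event:
    sequence: int
    date: str
    time: str
    severity: int        # Original severity level, 1 to 13
    event_class: str
    number: int
    repeat: int          # RPT: how many times this event repeated
    text: str


def parse_event(line: str) -> Event:
    """Split one Original-format line into its fields; reject anything else."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an Original-format event line: {line!r}")
    return Event(int(m["seq"]), m["date"], m["time"], int(m["sev"]),
                 m["cls"], int(m["num"]), int(m["rpt"]), m["text"].strip())


def severity_range(choice: str) -> Set[int]:
    """Translate a Manager menu choice ('None', '1', '1-2', ..., '1-13') into levels."""
    choice = choice.strip()
    if choice.lower() == "none":
        return set()
    if choice == "1":
        return {1}
    low, high = (int(part) for part in choice.split("-"))
    if low != 1 or not 1 <= high <= 13:
        raise ValueError(f"unsupported severity range: {choice!r}")
    return set(range(1, high + 1))


def select_events(lines: Iterable[str], choice: str) -> List[Event]:
    """Return the events that the given severity choice would forward."""
    wanted = severity_range(choice)
    return [ev for ev in (parse_event(l) for l in lines) if ev.severity in wanted]


def total_occurrences(events: Iterable[Event]) -> int:
    """Count occurrences, including repeats collapsed into RPT=n."""
    return sum(ev.repeat for ev in events)


def costly_classes_seen(events: Iterable[Event]) -> List[str]:
    """Classes present in the log that the manual advises against logging."""
    return sorted({ev.event_class for ev in events} & COSTLY_CLASSES)


# Constructed sample log; not real VPN 3002 output.
SAMPLE_LINES = [
    "1 11/05/2001 10:04:12.340 SEV=4 GENERAL/3 RPT=1 NTP synchronization complete",
    "2 11/05/2001 10:05:02.010 SEV=3 FTPD/7 RPT=2 192.168.12.40 login failed",
    "3 11/05/2001 10:06:40.900 SEV=1 HARDWAREMON/1 RPT=1 Fan 1 below threshold",
    "4 11/05/2001 10:07:15.125 SEV=9 DBG/12 RPT=5 state transition trace",
]

if __name__ == "__main__":
    for ev in select_events(SAMPLE_LINES, "1-3"):
        print(ev.sequence, ev.event_class, ev.severity, ev.text)
    print("costly classes:", costly_classes_seen(map(parse_event, SAMPLE_LINES)))
```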
Configuration | System | Events | Trap Destinations
This section of the Manager lets you configure SNMP network management systems as destinations of event traps. Event messages sent to SNMP systems are called “traps.” If you configure any event handling, default or special, with values in Severity to Trap fields, you must configure trap destinations in this section.

To remove an SNMP trap destination that has been configured, select the destination from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the list.

Reminder: The Manager immediately includes your changes in the active configuration.

Configuration | System | Events | Trap Destinations | Add or Modify

Port
Enter the UDP port number by which you access the destination SNMP server. Use a decimal number from 0 to 65535. The default is 162, which is the well-known port number for SNMP traps.

Add or Apply/Cancel
To add this system to the list of SNMP trap destinations, click Add. Or to apply your changes to this trap destination, click Apply. Both actions include your entry in the active configuration.

Configuration | System | Events | Syslog Servers

Syslog Servers
The Syslog Servers list shows the UNIX syslog servers that have been configured as recipients of event messages. You can configure a maximum of five syslog servers. If no syslog servers have been configured, the list shows --Empty--.

Add/Modify/Delete
To configure a new syslog server, click Add. See Configuration | System | Events | Syslog Servers | Add.

Configuration | System | Events | Syslog Servers | Add or Modify
These Manager screens let you:
Add: Configure and add a UNIX syslog server as a recipient of event messages. You can configure a maximum of five syslog servers.
Modify: Modify a configured UNIX syslog server that is a recipient of event messages.

Add or Apply/Cancel
To add this server to the list of syslog servers, click Add. Or to apply your changes to this syslog server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Syslog Servers screen. Any new server appears in the Syslog Servers list.
Chapter 10 General
General configuration parameters include VPN 3002 environment items: system identification, time, and date.

Configuration | System | General
This section of the Manager lets you configure general VPN 3002 parameters.
• Identification: system name, contact person, system location.
• Time and Date: system time and date.

Configuration | System | General | Identification
This screen lets you configure system identification parameters that are stored in the standard MIB-II system object. Network management systems using SNMP can retrieve this object and identify the system. Configuring this information is optional.

Configuration | System | General | Time and Date
This screen lets you set the time and date on the VPN 3002. Setting the correct time is very important so that logging information is accurate.

Figure 10-3 Configuration | System | General | Time and Date Screen

Current Time
The screen shows the current date and time on the VPN 3002 at the time the screen displays. You can refresh this by redisplaying the screen.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | General screen.
Chapter 11 Policy Management
The VPN 3002 works in either of two modes: Client mode or Network Extension mode. Policy management on the VPN 3002 includes deciding whether you want the VPN 3002 to use Client Mode or Network Extension mode. This section lets you enable or disable PAT.

Client Mode/PAT
Client mode, also called Port Address Translation (PAT) mode, isolates all devices on the VPN 3002 private network from those on the corporate network.

The network and addresses on the private side of the VPN 3002 are hidden, and cannot be accessed directly.

VPN 3000 Series VPN Concentrator Settings Required for PAT
For the VPN 3002 to use PAT, these are the requirements for the central-site VPN Concentrator.
1. The VPN Concentrator at the central site must be running Software version 3.x or later.
2.

Network Extension Mode

Network Extension Mode with Split Tunneling
You always assign the VPN 3002 to a client group on the central-site VPN Concentrator. If you enable split tunneling for that group, IPSec operates on all traffic that travels through the VPN 3002 to networks within the network list for that group behind the central-site VPN Concentrator. PAT does not apply.

Tunnel Initiation
The VPN 3002 always initiates the tunnel to the central-site VPN Concentrator. The central-site VPN Concentrator cannot initiate a tunnel to a VPN 3002. The VPN 3002 creates only one IPSec tunnel to the central-site VPN Concentrator, in either PAT or Network Extension mode. The tunnel can support multiple encrypted data streams between users behind the VPN 3002 and the central site.

Table 11-1 Data Initiation: VPN 3002 and Central-Site VPN Concentrator

Mode               Tunneling Policy         VPN 3002 Can Send Data First   Central-Site VPN Concentrator Can Send Data First (after VPN 3002 initiates the tunnel)
PAT                All traffic tunneled     Yes                            No
PAT                Split tunneling enabled  Yes                            No
Network Extension  All traffic tunneled     Yes                            Yes
Network Extension  Split tunneling enabled  No                             Yes

Configuration | Policy Management
The Configuration |

PAT
To configure PAT (Port Address Translation), click PAT.

Configuration | Policy Management | Traffic Management | PAT
The Configuration | Policy Management | Traffic Management | PAT screen displays.
Configuration | Policy Management | Traffic Management | PAT | Enable

PAT Enabled
Check the box to enable Client Mode (PAT), or clear it to enable Network Extension Mode.

Note Remember that to use Network Extension Mode, you must configure an IP address other than the default for the private interface. If you do not change the IP address of the private interface, you cannot disable PAT.
Chapter 12 Administration
Administering the VPN 3002 involves activities that keep the system operational and secure. Configuring the system sets the parameters that govern its use and functionality as a VPN device, but administration involves higher level activities such as who is allowed to configure the system, and what software runs on it.

Administration
This section of the Manager lets you control administrative functions on the VPN 3002.

Figure 12-1 Administration Screen

Administration | Software Update
This section of the Manager lets you update the VPN 3002 executable system software. This process uploads the file to the VPN 3002, which then verifies the integrity of the file. The new image file must be accessible by the workstation you are using to manage the VPN 3002. Software image files ship on the Cisco VPN 3002 CD-ROM.

Figure 12-2 Administration | Software Update Screen

Current Software Revision
The name, version number, and date of the software image currently running on the system.

Browse...
Enter the complete pathname of the new image file, or click Browse... to find and select the file from your workstation or network. Cisco-supplied VPN 3002 software image files are named: vpn3002 ...

Software Update Progress
This window shows the progress of the software upload. It refreshes the number of bytes transferred at 10-second intervals.

Figure 12-3 Administration | Software Update Progress Window

When the upload is finished, or if the upload is cancelled, the progress window closes.

Software Update Success
The Manager displays this screen when it completes the software upload and verifies the integrity of the software.
Figure 12-5 Administration | Software Update Error Screen

Administration | System Reboot
This screen lets you reboot or shut down (halt) the VPN 3002 with various options. We strongly recommend that you shut down the VPN 3002 before you turn power off. If you just turn power off without shutting down, you might corrupt Flash memory and affect subsequent operation of the system.
Figure 12-6 Administration | System Reboot Screen

Action
Click a radio button to select the desired action. You can select only one action.
• Reboot = Reboot the VPN 3002. Rebooting terminates all sessions, resets the hardware, loads and verifies the software image, executes system diagnostics, and initializes the system. A reboot takes about 60-75 seconds. (This is the default selection.
• Reboot ignoring the Configuration file = Reboot using all the factory defaults; that is, start the system as if it had no CONFIG file. You will need to go through all the Quick Configuration steps described in the VPN 3002 Getting Started manual, including setting the system date and time and supplying an IP address for the Ethernet 1 (private) interface, using the system console.

Administration | Ping

Address/Hostname to Ping
Enter the IP address or hostname of the system you want to test. (If you configured a DNS server, you can enter a hostname; otherwise, enter an IP address.) Maximum is 64 characters.

Ping/Cancel
To send the ping message, click Ping. The Manager pauses during the test, which might take a few moments; please wait for the operation to finish. The Manager then displays either a Success or Error screen; see below.

Administration | Access Rights
This section of the Manager lets you configure and control administrative access to the VPN 3002.
• Administrators: configure administrator usernames, passwords, and rights.
• Access Settings: set administrative session timeout and limits.
Administration | Access Rights | Administrators

Administrator
The VPN 3002 has three predefined administrators:
• admin = System administrator with access to, and rights to change, all areas. This is the only administrator enabled by default; in other words, this is the only administrator who can log in to, and use, the VPN 3002 Hardware Client Manager as supplied by Cisco.
Administration | Access Rights | Access Settings
This screen lets you configure general options for administrator access to the Manager.

Figure 12-12 Administration | Access Rights | Access Settings Screen

Session Idle Timeout
Enter the idle timeout period in seconds for administrative sessions. If there is no activity for the period, the Manager session terminates.

Administration | File Management
This section of the Manager lets you manage files in VPN 3002 Flash memory. (Flash memory acts like a disk.) These files include CONFIG, CONFIG.BAK, saved log files, and copies of any of these files that you have saved under different names.

Figure 12-13 Administration | File Management | View Screen

View (Save)
View Files lets you view configuration and saved log files.

Swap Config Files
Swap Config Files lets you swap the boot configuration file with the backup configuration file. When you select this option, the Administration | File Management | Swap Config Files window displays.

Config File Upload via HTTP
Config File Upload allows you to upload a configuration file. When you select this option, the Administration | File Management | Config File Upload window displays.

Administration | File Management | Config File Upload
This screen lets you use HTTP (Hypertext Transfer Protocol) to transfer a configuration file from your PC, or a system accessible from your PC, to the VPN 3002 Flash memory. This function provides special handling for configuration (config) files. If the uploaded file has the VPN 3002 filename config, the system deletes any existing config.

Figure 12-16 Administration | File Management | File Upload Progress Window

When the upload is finished, or if the upload is cancelled, the progress window closes.

File Upload Success
The Manager displays this screen to confirm that the file upload was successful.

Certificate Management
Digital certificates are a form of digital identification used for authentication. Certificate Authorities (CAs) issue them in the context of a Public Key Infrastructure (PKI), which uses public-key/private-key encryption to ensure security. CAs are trusted authorities who “sign” (issue) certificates to verify their authenticity. A CA certificate is one used to sign other certificates.

If you have trouble enrolling or installing digital certificates via SCEP, enable both the CLIENT and CERT event classes to assist in troubleshooting.

Digital certificates indicate the time frame during which they are valid. Therefore, it is essential that the time on the VPN 3002 is correct and synchronized with network time. See Configuration | System | Servers | NTP and Configuration | System | General | Time and Date.

Step 2 Click Click here to install a CA certificate.

Note The Click here to install a CA certificate option is only available from this window when no CA certificates are installed on the VPN 3002. If you do not see this option, click Click here to install a certificate. The Manager displays the Administration | Certificate Management | Install screen. Then click Install CA Certificate.

Installing CA Certificates Manually

Note If you install a CA certificate using the manual method, you cannot use this CA later to request identity or SSL certificates with SCEP. If you want to be able to use SCEP to request certificates, obtain the CA certificate using SCEP.

Step 1 Retrieve a CA certificate from your CA and download it to your PC.

Enrolling and Installing Identity Certificates
When you generate a request for an identity certificate, you need to provide the following information.

Tip Check to be sure that you have this information before you begin.

Table 12-1 Fields in a Certificate Request

Field Name   Abbreviation   Manual   SCEP   Recommended Content
Common Name  CN             Yes      Yes    The primary identity of the entity associated with the certificate, for example, Engineering VPN.
Table 12-1 Fields in a Certificate Request (continued)

Field Name                 Abbreviation   Manual   SCEP   Recommended Content
Verify Challenge Password  -              No       Yes    Re-enter the challenge password.
Key Size                                  Yes      Yes    The algorithm for generating the public-key/private-key pair, and the key size. If you are requesting an SSL certificate, or if you are requesting an identity certificate using SCEP, only the RSA options are available.
- Yes No
• RSA 512 bits = Generate 512-bit keys using the RSA (Rivest, Shamir, Adleman) algorithm.
Chapter 12 Administration Certificate Management Enrolling and Installing Identity Certificates Automatically Using SCEP Follow these steps for each identity certificate you want to obtain: Step 1 Display the Administration | Certificate Management screen. (See Figure 12-19.) Step 2 Click Click here to enroll with a Certificate Authority. The Manager displays the Administration | Certificate Management | Enroll screen. (See Figure 12-23.
Chapter 12 Administration Certificate Management Figure 12-25 Administration | Certificate Management | Enroll | Identity Certificate | SCEP Screen Step 5 Fill in the fields and click Enroll. (For information on the fields on this screen, see Table 12-1.) The VPN 3002 sends the certificate request to the CA. If the CA does not issue the certificate immediately (some CAs require manual verification of credentials and this can take time), the certificate request could enter polling mode.
Chapter 12 Administration Certificate Management Figure 12-26 Administration | Certificate Management | Enrollment | Request Generated Screen Step 6 Click Go to Certificate Management. The Manager displays the Administration | Certificate Management screen. Your new identity certificate appears in the Identity Certificates table.
Chapter 12 Administration Certificate Management Figure 12-27 Administration | Certificate Management | Enroll | Identity Certificate | PKCS10 Screen Step 5 Fill in the fields and click Enroll. (For information on the fields on this screen, see Table 12-1.) The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. (See Figure 12-28.
Chapter 12 Administration Certificate Management Step 7 Using the enrollment request you just generated, retrieve an identity certificate from your CA and download it to your PC according to the procedures outlined by the CA. Step 8 Using the Manager, display the Administration | Certificate Management screen. (See Figure 12-19.) Step 9 Click Click here to install a certificate. The Manager displays the Administration | Certificate Management | Install screen. (See Figure 12-29.
Chapter 12 Administration Certificate Management Figure 12-31 Administration | Certificate Management | Install | Identity Certificate Screen Step 12 Choose either installation method: Cut & Paste Text or Upload File from Workstation Step 13 The Manager displays a screen appropriate to your choice. Include the certificate information according to your chosen method. Click Install.
Obtaining SSL Certificates If you use a secure connection between your browser and the VPN 3002, the VPN 3002 requires an SSL certificate. You only need one SSL certificate on your VPN 3002. When you initially boot the VPN 3002, a self-signed SSL certificate is automatically generated. Because a self-signed certificate is self-generated, this certificate is not verifiable. No CA has guaranteed its identity. But this certificate allows you to make initial contact with the VPN 3002 using the browser.
Enabling Digital Certificates on the VPN 3002
Note: Before you enable digital certificates on the VPN 3002, you must obtain at least one CA and one identity certificate. If you do not have a CA and an identity certificate installed on your VPN 3002, follow the steps in the previous section (“Enrolling and Installing Digital Certificates”) before beginning this section.
Deleting Digital Certificates
Delete digital certificates in the following order:
1. Identity or SSL certificates
2. Subordinate certificates
3. Root certificates
Note: You cannot delete a certificate if it is in use by an SA, if it is the issuer of another installed certificate, or if it is referenced in an active certificate request.
Follow these steps to delete certificates:
Step 1 Display the Administration | Certificate Management screen.
Administration | Certificate Management
This section of the Manager shows outstanding enrollment requests and all the certificates installed on the VPN 3002, and it lets you manage them. The links at the top of this screen guide you step-by-step through the process of enrolling and installing certificates. For more information on the certificate management process, see the “Enrolling and Installing Digital Certificates” section.
Certificate Authorities Table
This table shows root and subordinate CA certificates installed on the VPN 3002.
Fields
These fields appear in the Certificate Authorities table:
Subject/Issuer: The Common Name (CN) or Organizational Unit (OU) (if present), plus the Organization (O) in the Subject and Issuer fields of the certificate. The format is CN at O, OU at O, or just O; for example, Root 2 at CyberTrust.
SSL Certificate Table [ Generate ]
This table shows the SSL server certificate installed on the VPN 3002. The system can have only one SSL server certificate installed: either a self-signed certificate or one issued in a PKI context. To generate a self-signed SSL server certificate, click Generate. The system uses parameters set on the Configuration | System | Management Protocols | SSL screen and generates the certificate.
Fields
These fields appear in the Certificate Authorities, Identity Certificates, or SSL Certificate tables:
Subject/Issuer: The Common Name (CN) or Organizational Unit (OU) (if present), plus the Organization (O) in the Subject and Issuer fields of the certificate. The format is CN at O, OU at O, or just O; for example, Root 2 at CyberTrust. The CN, OU, and O fields display a maximum of 33 characters each.
Enrollment Status Table
This table tracks the status of active enrollment requests. The VPN 3002 supports one (installed) identity certificate and one (outstanding) enrollment request. If you currently have an identity certificate on your VPN 3002 and you want to change it, you can request a second certificate, but the VPN 3002 does not install this certificate immediately.
Status:
• In Progress = The request has been created, but the requested certificate has not yet been installed. This value is used only for PKCS10 (manual) enrollment requests.
• Polling = The CA did not immediately fulfill the enrollment request; the VPN 3002 has entered polling mode. This value is used only for enrollment requests created using SCEP.
Administration | Certificate Management | Enroll
Choose whether you are creating an enrollment request for an identity certificate or an SSL certificate.
Figure 12-35 Administration | Certificate Management | Enroll Screen
Identity Certificate: Click Identity Certificate to create a certificate request for an identity certificate.
Administration | Certificate Management | Enroll | Certificate Type
Choose the method for enrolling the (identity or SSL) certificate.
Figure 12-36 Administration | Certificate Management | Enroll | Identity Certificate Screen
Enroll via PKCS10 Request (Manual): Click Enroll via PKCS10 Request (Manual) to enroll the certificate manually.
Administration | Certificate Management | Enroll | Certificate Type | PKCS10
To generate an enrollment request for an SSL or identity certificate, you need to provide information about the VPN 3002.
Figure 12-37 Administration | Certificate Management | Enroll | Identity Certificate via PKCS10 Screen
Fields
For an explanation of each of the fields on this screen, see Table 12-1 on page 12-20.
Administration | Certificate Management | Enrollment or Renewal | Request Generated
The Manager displays this screen when the system has successfully generated a certificate request. The request is a Base-64 encoded file in PKCS-10 format (Public Key Certificate Syntax-10), which most CAs recognize or require.
Administration | Certificate Management | Enroll | Identity Certificate | SCEP
Go to Certificate Installation: If you want to install the certificate you have just enrolled, click Go to Certificate Installation. The Manager displays the Administration | Certificate Management | Install screen.
Administration | Certificate Management | Enroll | SSL Certificate | SCEP
Enroll / Cancel: To generate the certificate request and install the identity certificate on the VPN 3002, click Enroll. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. (See Figure 12-38.) To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen. (See Figure 12-19.)
Fields
For an explanation of each of the fields on this screen, see Table 12-1 on page 12-20.
Enroll: To generate the certificate request and install the SSL certificate on the VPN 3002, click Enroll. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. If there is already an active request for an SSL certificate, this error message appears.
Administration | Certificate Management | Install
Choose the type of certificate you want to install.
Figure 12-41 Administration | Certificate Management | Install Screen
Install CA Certificate: If you want to install a CA certificate, click Install CA Certificate. The Manager displays the Administration | Certificate Management | Install | CA Certificate screen.
Administration | Certificate Management | Install | Certificate Obtained via Enrollment
Once you have enrolled a certificate, you can install it. This screen allows you to install an enrolled certificate.
Administration | Certificate Management | Install | Certificate Type
Choose the method you want to use to install the certificate.
Figure 12-43 Administration | Certificate Management | Install | CA Certificate
SCEP (Simple Certificate Enrollment Protocol)
Note: This option is available only for CA certificates.
Administration | Certificate Management | Install | CA Certificate | SCEP
In this screen, provide information about the certificate authority in order to retrieve and install a CA certificate automatically using SCEP.
Figure 12-44 Administration | Certificate Management | Install | CA Certificate | SCEP Screen
URL: Enter the URL of the SCEP interface of the CA.
Administration | Certificate Management | Install | Certificate Type | Cut and Paste Text
To install the certificate using the manual method, cut and paste the certificate text into the Certificate Text window.
Administration | Certificate Management | Install | Certificate Type | Upload File from Workstation
If you want to install a certificate stored on your PC, use this screen to upload the certificate file to the VPN 3002.
Administration | Certificate Management | View
The Manager displays this screen of certificate details when you click View for a certificate on the Administration | Certificate Management | Certificates screen. The details vary depending on the certificate content. The content and format for certificate details are governed by ITU (International Telecommunication Union) X.509 standards, specifically RFC 2459.
Certificate Fields
A certificate contains some or all of the following fields:
Subject: The person or system that uses the certificate. For a CA root certificate, the Subject and Issuer are the same.
Issuer: The CA or other entity (jurisdiction) that issued the certificate.
Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.
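The Subject/Issuer display rules above (the CN at O / OU at O / O form with the 33-character cap from the certificate tables, the CN, OU, O, L, SP, C hierarchy, and the root-certificate case where Subject equals Issuer) are small enough to be worth seeing as code. The following is an added example, not code from the VPN 3002 or its Manager; the comma-separated "TYPE=value" input form and the fallback used when a name has no O component are assumptions of the example.

```python
"""Parse X.509 Subject/Issuer names and render them the way the VPN 3002
Manager's certificate tables do. Added example; not code from the VPN 3002."""
from collections import OrderedDict

# Identification hierarchy from the manual, most specific first.
HIERARCHY = ("CN", "OU", "O", "L", "SP", "C")
# The Certificate Authorities / Identity / SSL tables show at most 33
# characters for each of CN, OU and O.
MAX_DISPLAY = 33


def parse_dn(dn):
    """Parse 'TYPE=value, TYPE=value' text into an ordered attribute map.

    The comma-separated input form is a constructed convention for this
    example; a backslash escapes a literal comma inside a value.
    """
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    if buf.strip():
        parts.append(buf)
    attrs = OrderedDict()
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed DN component: %r" % part)
        key, value = part.split("=", 1)
        attrs[key.strip().upper()] = value.strip()
    return attrs


def ordered_hierarchy(attrs):
    """Return (type, value) pairs specific-to-general: CN, OU, O, L, SP, C.

    Types the manual does not list are appended afterwards, in input order.
    """
    ordered = [(k, attrs[k]) for k in HIERARCHY if k in attrs]
    ordered += [(k, v) for k, v in attrs.items() if k not in HIERARCHY]
    return ordered


def table_display(attrs):
    """Render the Subject/Issuer column: 'CN at O', 'OU at O', or just 'O'.

    Each component is cut to MAX_DISPLAY characters. The manual's examples
    always have an O present; when it is missing this example (an assumption)
    shows the most specific component on its own.
    """
    def clip(value):
        return value[:MAX_DISPLAY]

    specific = attrs.get("CN") or attrs.get("OU")
    org = attrs.get("O")
    if org is None:
        if specific is None:
            raise ValueError("name has none of CN, OU or O")
        return clip(specific)
    if specific is None:
        return clip(org)
    return "%s at %s" % (clip(specific), clip(org))


def is_self_issued(subject_dn, issuer_dn):
    """True when Subject and Issuer are the same name, as for a CA root
    certificate. Names are compared in hierarchy order, so the attribute
    order in the input text does not matter."""
    return ordered_hierarchy(parse_dn(subject_dn)) == ordered_hierarchy(parse_dn(issuer_dn))
```

The comparison in `is_self_issued` is deliberately done on the parsed, reordered attributes rather than on the raw strings: two names that differ only in attribute order or spacing are the same name, and a string comparison would miss that.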
SHA1 Thumbprint: A 160-bit SHA-1 hash of the complete certificate contents, shown as a 20-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate’s authenticity, you can check this value with the issuer.
Validity: The time period during which this certificate is valid. Format is MM/DD/YYYY at HH:MM:SS to MM/DD/YYYY at HH:MM:SS.
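Checking the thumbprint against the issuer, as the SHA1 Thumbprint description suggests, means hashing the certificate's DER bytes (not its Base-64 text) and comparing the result with the value the issuer published. The following is an added example using only the Python standard library; it is not code from the VPN 3002. The PEM sample embedded in it is constructed: a 5-byte DER SEQUENCE standing in for a certificate, so that the envelope handling and hash computation can run offline.

```python
"""Compute and check the SHA1 Thumbprint shown on the Administration |
Certificate Management | View screen. Added example; not code from the
VPN 3002. Standard library only."""
import base64
import hashlib
import hmac
import re

# PEM armor, as in certificate text that is cut-and-pasted or uploaded.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

# Constructed stand-in for a certificate: a 5-byte DER SEQUENCE holding the
# INTEGER 5. It is NOT a real certificate; the example demonstrates the
# envelope handling and the thumbprint computation, not certificate parsing.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem):
    """Strip the PEM armor and Base-64 decode the body to DER bytes.

    The thumbprint must be taken over the DER bytes: hashing the Base-64 text
    would give a different value from the one the Manager displays.
    """
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM block found")
    body = "".join(match.group(2).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def sha1_thumbprint(der):
    """SHA-1 over the complete DER certificate, as 20 colon-separated hex bytes."""
    digest = hashlib.sha1(der).digest()  # 160 bits = 20 bytes
    return ":".join("%02X" % b for b in digest)


def normalize_thumbprint(text):
    """Accept a thumbprint as an issuer might publish it: any case, with or
    without colons or spaces. Rejects anything that is not exactly 20 bytes."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(hexdigits) != 40:
        raise ValueError("SHA-1 thumbprint must be 20 bytes (40 hex digits)")
    return hexdigits.upper()


def thumbprint_matches(pem, published):
    """Compare the certificate's computed thumbprint with the issuer's
    published value. A mismatch means the certificate text is not the one
    the issuer describes (altered in transit, or a different certificate)."""
    computed = normalize_thumbprint(sha1_thumbprint(pem_to_der(pem)))
    return hmac.compare_digest(computed, normalize_thumbprint(published))


if __name__ == "__main__":
    print(sha1_thumbprint(pem_to_der(SAMPLE_PEM)))
```

`normalize_thumbprint` is what makes the comparison robust: issuers publish fingerprints with colons, spaces, or neither, and in either case, so the check strips all of that before comparing, while still refusing a value that is not exactly 20 bytes long.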
Administration | Certificate Management | Configure CA Certificate
This screen lets you configure this CA certificate to be able to issue identity certificates via SCEP.
Figure 12-48 Administration | Certificate Management | Configure CA Certificate Screen
Certificate: The certificate for which you are configuring SCEP parameters.
Polling Limit: Enter the number of times the VPN 3002 should re-send an enrollment request if the CA does not issue the certificate immediately. The minimum number of re-sends is 0; the maximum number is 100. If you do not want any polling limit (in other words, you want infinite re-sends), enter none.
Apply / Cancel: To configure CRL checking for this certificate, click Apply.
Administration | Certificate Management | Renewal
Certificate: This field displays the type of certificate that you are re-enrolling or re-keying.
Renewal Type: Specify the type of request:
• Re-enrollment = Use the same key pair as the expiring certificate.
• Re-key = Use a new key pair.
Enrollment Method: Choose an enrollment method:
• PKCS10 Request (Manual) = Enroll using the manual process.
• Certificate Name via SCEP = Enroll automatically using this SCEP CA.
Administration | Certificate Management | Activate or Re-Submit | Status
This status screen appears after you activate or re-submit an enrollment request. It displays the status of the request. If you are installing an SSL certificate with a private key, include the encrypted private key.
Status:
• Installed = The CA returned the certificate and it has been added to the certificate store.
Administration | Certificate Management | Delete
The Manager displays this confirmation screen when you click Delete for a certificate on the Administration | Certificate Management screen. The screen shows the same certificate details as on the Administration | Certificate Management | View screen.
Yes / No: To delete this certificate, click Yes.
Note: There is no undo.
The Manager returns to the Administration | Certificate Management screen and shows the remaining certificates. To retain this certificate, click No. The Manager returns to the Administration | Certificate Management screen, and the certificates are unchanged.
Administration | Certificate Management | View Enrollment Request
Enrollment Request Fields
An enrollment request contains some or all of the following fields:
Subject: The person or system that uses the certificate.
Issuer: The CA or other entity (jurisdiction) from whom the certificate is being requested.
Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.
Enrollment Type: The type of enrollment: initial, re-enroll, or re-key.
Enrollment Method: The method of enrollment: SCEP or manual.
Enrollment Status: The current status of the enrollment: complete, rejected, error, and so on.
Back: Click Back to display the Administration | Certificate Management screen.
Administration | Certificate Management | Cancel Enrollment Request
Fields
For a description of the fields in this enrollment request, see the “Enrollment Request Fields” section on page 12-59.
Yes / No: To cancel this enrollment request, click Yes.
Note: There is no undo.
The Manager returns to the Administration | Certificate Management screen. To retain this enrollment request, click No.
Administration | Certificate Management | Delete Enrollment Request
Fields
For a description of the fields in this enrollment request, see the “Enrollment Request Fields” section on page 12-59.
Yes / No: To delete this enrollment request, click Yes.
Note: There is no undo.
The Manager returns to the Administration | Certificate Management screen and shows the remaining enrollment requests. To retain this enrollment request, click No.
Chapter 13 Monitoring
The VPN 3002 tracks many statistics and the status of many items essential to system administration and management. This section of the Manager lets you view all those status items and statistics. You can even see the state of LEDs that show the status of hardware subsystems in the device. You can also see statistics that are stored and available in standard MIB-II data objects. This section of the Manager lets you view VPN 3002 status, sessions, statistics, and event logs.
Monitoring | Routing Table
This screen shows the VPN 3002 routing table at the time the screen displays.
Figure 13-2 Monitoring | Routing Table Screen
Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Clear Routes: Clears the dynamic routing entries from the display. Clicking this button does not affect the display of static routing entries.
Age: The number of seconds since this route was last updated or otherwise validated. The age is relative to the screen display time; for example, 25 means the route was last validated 25 seconds before the screen was displayed. 0 indicates a static, local, or default route.
Metric: The metric, or cost, of this route. 1 is lowest, 16 is highest.
Monitoring | Filterable Event Log
Select Filter Options
You can select any or all of the following options for filtering and displaying the event log. After selecting the option(s), click any one of the four Page buttons. The Manager refreshes the screen and displays the event log according to your selections. Your filter options remain in effect as long as you continue working within and viewing Monitoring | Filterable Event Log screens.
Get Log: To download the event log from VPN 3002 memory to your PC and view it or save it as a text file, click Get Log. The Manager opens a new browser window to display the file. The browser address bar shows the VPN 3002 address and log file default filename; for example, http://10.10.4.6/LOG/vpn3002log.txt. To save a copy of the log file on your PC, click the File menu on the new browser window and select Save As....
Monitoring | Live Event Log
Event Time: The time of the event: hour:minute:second.millisecond. The hour is based on a 24-hour clock. For example, 14:37:06.680 identifies an event that occurred at 2:37:06.680 PM.
Event Severity: The severity level of the event; for example: SEV=4 identifies an event of severity level 4. See Table 9-4 under Configuration | System | Events for an explanation of severity levels.
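Once a log has been saved with Get Log, the two fields documented above (the hour:minute:second.millisecond event time on a 24-hour clock and the SEV=n severity token) are enough to filter it offline by severity and time window, much as the Filterable Event Log screen does. The following is an added example, not code from the VPN 3002; the sample lines are constructed, and everything about the line layout beyond those two fields is an assumption of the example, so the regular expression may need adjusting for a real log file.

```python
"""Parse lines saved from the VPN 3002 event log (Get Log) and filter them by
severity and time. Added example; not code from the VPN 3002. The manual fixes
the event time format (hour:minute:second.millisecond, 24-hour clock) and the
severity token (SEV=n); the rest of the line layout, and the sample lines
below, are constructed for this example."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import time

# Constructed sample log. The line without a timestamp and the line with
# hour 25 are there to show how malformed input is handled.
SAMPLE_LOG = """\
14:37:06.680 SEV=4 (constructed) IKE tunnel to peer established
14:37:07.012 SEV=6 (constructed) keepalive sent
this line has no timestamp and is skipped
14:38:00.000 SEV=3 (constructed) authentication rejected by concentrator
25:00:00.000 SEV=2 (constructed) impossible hour, skipped
"""

LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<ms>\d{3})\s+"
    r"(?:\S+\s+)*?SEV=(?P<sev>\d+)\b\s*(?P<text>.*)$"
)


@dataclass(frozen=True)
class Event:
    when: time       # wall-clock time of day, millisecond resolution
    severity: int    # the n in SEV=n
    text: str        # remainder of the line


def parse_event(line):
    """Return an Event, or None if the line lacks the documented fields or
    carries an impossible time such as 25:00:00.000."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    try:
        when = time(int(match["h"]), int(match["m"]), int(match["s"]),
                    int(match["ms"]) * 1000)  # milliseconds -> microseconds
    except ValueError:
        return None
    return Event(when, int(match["sev"]), match["text"].strip())


def parse_log(text):
    """Parse a whole log file, dropping lines that do not parse."""
    events = [parse_event(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e is not None]


def filter_events(events, severities=None, start=None, end=None):
    """Keep events whose SEV is in `severities` (None = all levels) and whose
    time lies within [start, end] (either bound may be None)."""
    out = []
    for e in events:
        if severities is not None and e.severity not in severities:
            continue
        if start is not None and e.when < start:
            continue
        if end is not None and e.when > end:
            continue
        out.append(e)
    return out


def severity_counts(events):
    """Count events per severity level, e.g. to spot a burst at one level."""
    return dict(Counter(e.severity for e in events))
```

The severity filter takes a set of levels rather than a threshold because the page only says which levels exist, not how they are ordered; that matches the Manager's own filter, which lets you pick the levels to show. Lines that do not parse are dropped rather than raising, so one odd line does not abort review of a large log.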
Figure 13-4 Monitoring | Live Event Log Screen
Pause Display/Resume Display: To pause the display, click Pause Display. While paused, the screen does not display new events, the button changes to Resume Display, and the timer counts down to 0 and stops. You can still scroll through the event log. Click the button to resume the display of new events and restart the timer.
Clear Display: To clear the event display, click Clear Display.
Monitoring | System Status
This screen shows the status of several software and hardware variables at the time the screen displays. From this screen you can also display the status of the IPSec tunnel SAs, tunnel duration, plus front and rear panel displays of the VPN 3002.
Figure 13-5 Monitoring | System Status Screen
Reset: To reset, or start anew, the screen contents, click Reset.
Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
VPN Client Type: The type, or model number, of this VPN 3002 hardware client.
Bootcode Rev: The version name, number, and date of the VPN 3002 bootcode software file. When you boot or reset the system, the bootcode software runs system diagnostics, and it loads and executes the system software image.
Tunnel Established to: The IP address of the VPN Concentrator to which this VPN 3002 connects.
Duration: The length of time that this tunnel has been up.
Security Associations
This table describes the following attributes of the SAs for this VPN 3002.
Type: The type of tunnel for this SA, either IPSec or IKE (the control tunnel).
Remote Address: Network/subnet mask for this split-tunneled SA.
Encryption: The encryption method this SA uses.
Other: Additional information about this SA, including mode.
Front Panel: The front panel image is an inactive link.
Back Panel: The back panel image includes active links for the VPN 3002 private and public interfaces. Use the mouse pointer to select either the private or public module on the back-panel image and click anywhere in the highlighted area.
Monitoring | System Status | Private/Public Interface
Restore: To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.
Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Back: To return to the Monitoring | System Status screen, click Back.
Rx Unicast: The number of unicast packets that were received by this interface since the VPN 3002 was last booted or reset. Unicast packets are those addressed to a single host.
Tx Unicast: The number of unicast packets that were routed to this interface for transmission since the VPN 3002 was last booted or reset, including those that were discarded or not sent. Unicast packets are those addressed to a single host.
Monitoring | User Status
This section displays statistics for devices behind the VPN 3002 Hardware Client.
Figure 13-7 Monitoring | User Status Screen
Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Cisco IP Phone Bypass Enabled/Disabled: Indicates whether the Cisco IP Phone Bypass feature is enabled or disabled for the VPN 3002.
Monitoring | Statistics
This section of the Manager shows statistics for traffic and activity on the VPN 3002 since it was last booted or reset, and for current tunneled sessions, plus statistics in standard MIB-II objects for interfaces, TCP/UDP, IP, ICMP, the ARP table, and SNMP.
• IPSec: total Phase 1 and Phase 2 tunnels, received and transmitted packets, failures, drops, etc.
• HTTP: total data traffic and connection statistics.
Monitoring | Statistics | IPSec
This screen shows statistics for IPSec activity, including the current IPSec tunnel, on the VPN 3002 since it was last booted or reset. These statistics conform to the IETF draft for the IPSec Flow Monitoring MIB.
Figure 13-9 Monitoring | Statistics | IPSec Screen
Reset: To reset, or start anew, the screen contents, click Reset.
Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
IKE (Phase 1) Statistics
This table provides IPSec Phase 1 (IKE: Internet Key Exchange) global statistics. During IPSec Phase 1 (IKE), the two peers establish control tunnels through which they negotiate Security Associations.
Active Tunnels: The number of currently active IKE control tunnels.
Received Notifies: The cumulative total of notify packets received by all currently and previously active IKE tunnels. A notify packet is an informational packet that is sent in response to a bad packet or to indicate status; for example, error packets, keepalive packets, etc.
Sent Notifies: The cumulative total of notify packets sent by all currently and previously active IKE tunnels. See comments for Received Notifies above.
Phase-2 SA Delete Requests Sent: The cumulative total of requests to delete IPSec Phase-2 Security Associations sent by all currently and previously active IKE tunnels.
Initiated Tunnels: The cumulative total of IKE tunnels that this VPN 3002 initiated.
Failed Initiated Tunnels: The cumulative total of IKE tunnels that this VPN 3002 initiated and that failed to activate.
IPSec (Phase 2) Statistics
This table provides IPSec Phase 2 global statistics. During IPSec Phase 2, the two peers negotiate Security Associations that govern traffic within the tunnel.
Active Tunnels: The number of currently active IPSec Phase-2 tunnels.
Total Tunnels: The cumulative total of all currently and previously active IPSec Phase-2 tunnels.
Sent Packets Dropped: The cumulative total of packets dropped during send processing by all currently and previously active IPSec Phase-2 tunnels. This number should be zero; if not, check for a network problem, check the event log for an internal subsystem failure, or contact Cisco support.
System Capability Failures: The total number of system capacity failures that occurred during processing of all currently and previously active IPSec Phase-2 tunnels. These failures indicate that the system has run out of memory or some other critical resource; check the event log.
Monitoring | Statistics | HTTP
Reset: To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle’s trip odometer, versus the regular odometer.
HTTP Sessions
This section provides information about HTTP sessions on the VPN 3002 since it was last booted or reset.
Login Name: The name of the administrative user for the HTTP session.
IP Address: The IP address of the administrative user for the HTTP session.
Login Time: The time when the HTTP session began.
Encryption: The encryption method used in the HTTP session.
Octets Sent/Received: Number of octets sent or received during the HTTP session.
Monitoring | Statistics | Telnet
This screen shows statistics for Telnet activity on the VPN 3002 since it was last booted or reset, and for current Telnet sessions. To configure the VPN 3002 Telnet server, see the Configuration | System | Management Protocols | Telnet screen.
Figure 13-11 Monitoring | Statistics | Telnet Screen
Reset: To reset, or start anew, the screen contents, click Reset.
Attempted Sessions: The total number of attempts to establish Telnet sessions on the VPN 3002 since it was last booted or reset.
Successful Sessions: The total number of Telnet sessions successfully established on the VPN 3002 since it was last booted or reset.
Telnet Sessions
This table shows statistics for active Telnet sessions on the VPN 3002. Each active session is a row.
Monitoring | Statistics | DNS
This screen shows statistics for DNS (Domain Name System) activity on the VPN 3002 since it was last booted or reset. To configure the VPN 3002 to communicate with DNS servers, see the Configuration | System | Servers | DNS screen.
Figure 13-12 Monitoring | Statistics | DNS Screen
Reset: To reset, or start anew, the screen contents, click Reset.
Timeouts: The number of DNS queries that failed because there was no response from the server.
Server Unreachable: The number of DNS queries that failed because, according to the VPN 3002 routing table, the address of the server is not reachable.
Other Failures: The number of DNS queries that failed for an unspecified reason.
Monitoring | Statistics | SSL
Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Unencrypted Inbound Octets: The number of octets (bytes) of inbound traffic output by the decryption engine.
Encrypted Inbound Octets: The number of octets (bytes) of encrypted inbound traffic sent to the decryption engine. This number includes negotiation traffic.
Monitoring | Statistics | DHCP
This screen shows statistics for DHCP (Dynamic Host Configuration Protocol) server activity on the VPN 3002 since it was last booted or reset. Each row of the table shows data for each IP address handed out to a DHCP client (PC) on the VPN 3002 private network. To configure the DHCP server, see Configuration | System | IP Routing | DHCP.
Timeouts: The number of DHCP queries that failed because there was no response from the server.
Pool Start: The IP address at the start of the DHCP IP address pool.
Pool End: The IP address at the end of the DHCP IP address pool.
Leased IP Address: The IP address leased from the DHCP server by the remote client.
Time Left: The time remaining until the current IP address lease expires, shown as HH:MM:SS.
Monitoring | Statistics | SSH
This screen shows statistics for SSH (Secure Shell) protocol traffic on the VPN 3002 since it was last booted or reset. To configure SSH, see Configuration | System | Management Protocols | SSH.
Figure 13-15 Monitoring | Statistics | SSH Screen
Reset: To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device.
Packets Sent/Received: The total number of SSH packets sent/received since the VPN 3002 was last booted or reset.
Active Sessions: The number of currently active SSH sessions.
Maximum Sessions: The maximum number of simultaneously active SSH sessions on the VPN 3002.
Total Sessions: The total number of SSH sessions since the VPN 3002 was last booted or reset.
SSH Sessions: Presents details on SSH sessions.
Monitoring | Statistics | NAT
This screen shows statistics for NAT (Network Address Translation) activity on the VPN 3002 since it was last booted or reset.
Figure 13-16 Monitoring | Statistics | NAT Screen
Reset: To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device.
Translations Active: The number of currently active NAT sessions.
Translations Peak: The maximum number of NAT sessions that were simultaneously active on the VPN 3002 since it was last booted or reset.
Translations Total: The total number of NAT sessions on the VPN 3002 since it was last booted or reset.
NAT Sessions
The following sections provide detailed information about active NAT sessions on the VPN 3002.
• NetBIOS over TCP Proxy
• NetBIOS over UDP Proxy
• NetBIOS Datagram Service
Translated Bytes/Packets: The total number of translated bytes and packets for the NAT session.
Monitoring | Statistics | PPPoE
This screen shows statistics for PPPoE (PPP over Ethernet) activity on the VPN 3002 since it was last booted or reset.
Figure 13-17 Monitoring | Statistics | PPPoE Screen
Reset: To reset, or start anew, the screen contents, click Reset.
User Name: The username for the PPPoE session.
Session ID: The ID for the session assigned by the ISP. The Session ID combined with the Access Concentrator MAC Address (see below) uniquely identifies the PPPoE session.
PPPoE Access Concentrator
The device your Internet Service Provider (ISP) uses to manage PPPoE traffic. Fields include Session ID, MAC Address, and Server Name. These fields have entries only if a PPPoE session is established.
PADT Rx: The number of PPPoE Active Discovery Terminate packets received.
PADT Tx: The number of PPPoE Active Discovery Terminate packets sent.
Generic Errors Rx: The number of errors received during the PPPoE session.
Malformed Packets Rx: The number of malformed packets received during the PPPoE session.
Monitoring | Statistics | MIB-II

This section of the Manager lets you view statistics that are recorded in standard MIB-II objects on the VPN 3002. MIB-II (Management Information Base, version 2) objects are variables that contain data about the system. They are defined as part of the Simple Network Management Protocol (SNMP), and SNMP-based network management systems can query the VPN 3002 to gather the data.
Monitoring | Statistics | MIB-II | Interfaces

This screen shows statistics in MIB-II objects for VPN 3002 interfaces since the system was last booted or reset.

Figure 13-19 Monitoring | Statistics | MIB-II | Interfaces Screen

Reset
To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device.
• Disabled = configured but disabled.
• DOWN (DOWN/DHCP, DOWN/PPPoE) = configured but down.
• Testing = in test mode; no regular data traffic can pass.
• Dormant = configured and enabled but waiting for an external action, such as an incoming connection.
• Not Present = missing hardware components.
• Lower Layer Down = not operational because a lower-layer interface is down.
• Unknown = not configured.
Monitoring | Statistics | MIB-II | TCP/UDP

This screen shows statistics in MIB-II objects for TCP and UDP traffic on the VPN 3002 since it was last booted or reset. RFC 2012 defines TCP MIB objects, and RFC 2013 defines UDP MIB objects.

Figure 13-20 Monitoring | Statistics | MIB-II | TCP/UDP Screen

Reset
To reset, or start anew, the screen contents, click Reset.
TCP Segments Transmitted
The total number of segments sent, including those on currently established connections but excluding those containing only retransmitted bytes. Segment is the official TCP name for what is casually called a data packet.

TCP Segments Retransmitted
The total number of segments retransmitted; that is, the number of TCP segments transmitted containing one or more previously transmitted bytes.
TCP Established Resets
The number of established TCP connections that abruptly closed, bypassing graceful termination.

TCP Current Established
The number of TCP connections that are currently established or are gracefully terminating.

UDP Datagrams Received
The total number of UDP datagrams received. Datagram is the official UDP name for what is casually called a data packet.
Monitoring | Statistics | MIB-II | IP

This screen shows statistics in MIB-II objects for IP traffic on the VPN 3002 since it was last booted or reset. RFC 2011 defines IP MIB objects.

Figure 13-21 Monitoring | Statistics | MIB-II | IP Screen

Reset
To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device.
Packets Received (Total)
The total number of IP data packets received by the VPN 3002, including those received with errors.

Packets Received (Header Errors)
The number of IP data packets received and discarded due to errors in IP headers, including bad checksums, version number mismatches, other format errors, etc.
Outbound Packets with No Route
The number of outbound IP data packets discarded because no route could be found to transmit them to their destination. This number includes any packets that the VPN 3002 could not route because all of its default routers were down.

Packets Transmitted (Requests)
The number of IP data packets that local IP user protocols (including ICMP) supplied to IP in requests for transmission.
Monitoring | Statistics | MIB-II | ICMP

This screen shows statistics in MIB-II objects for ICMP traffic on the VPN 3002 since it was last booted or reset. RFC 2011 defines ICMP MIB objects.

Figure 13-22 Monitoring | Statistics | MIB-II | ICMP screen

Reset
To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device.
Errors Received/Transmitted
Received: the number of ICMP messages that the VPN 3002 received but determined to have ICMP-specific errors (bad ICMP checksums, bad length, etc.). Transmitted: the number of ICMP messages that the VPN 3002 did not send due to problems within ICMP, such as a lack of buffers.

Destination Unreachable Received/Transmitted
The number of ICMP Destination Unreachable messages received/sent.
Timestamp Requests Received/Transmitted
The number of ICMP Timestamp (request) messages received/sent. Timestamp messages measure the propagation delay between network entities by including the originating time in the message, and asking for the receipt time in a Timestamp Reply message.

Timestamp Replies Received/Transmitted
The number of ICMP Timestamp Reply messages received/sent.
Monitoring | Statistics | MIB-II | ARP Table

This screen shows entries in the Address Resolution Protocol mapping table since the VPN 3002 was last booted or reset. ARP matches IP addresses with physical MAC addresses, so the system can forward traffic to computers on its network. RFC 2011 defines MIB entries in the ARP table. The entries are sorted first by Interface, then by IP Address.
Interface
The VPN 3002 network interface on which this mapping applies:
• Private Interface
• Public Interface

Physical Address
The hardwired MAC (Media Access Control) address of a physical network interface card, in 6-byte hexadecimal notation, that maps to the IP Address. Exceptions are:
• 00 = a virtual address for a tunnel.
• FF.FF.FF.FF.FF.FF = a network broadcast address.
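As an added example, not part of this manual, the following Python script compares two saved copies of the ARP Table screen and reports every IP address whose physical address changed between them, which is the check an administrator runs to notice a host on the private network answering for another host's IP. The sample rows, their column layout and the addresses in them are constructed for this example; the tunnel virtual address 00 and the broadcast address are skipped as the field description above explains.

```python
import re
from typing import Dict, List, Tuple

# Addresses the ARP Table screen treats specially (see the field description):
# "00" is the virtual address for a tunnel, FF.FF.FF.FF.FF.FF is broadcast.
SPECIAL_MACS = {"00", "FF.FF.FF.FF.FF.FF"}

# Constructed sample of two ARP Table screens, in the dot-separated 6-byte
# notation the screen uses. Rows and addresses are made up for this example.
ARP_BEFORE = """\
Interface          Physical Address     IP Address
Private Interface  00.0A.0B.0C.0D.0E    192.168.10.1
Private Interface  00.1A.2B.3C.4D.5E    192.168.10.20
Private Interface  FF.FF.FF.FF.FF.FF    192.168.10.255
Public Interface   00                   10.0.0.5
Public Interface   00.50.56.AA.BB.CC    203.0.113.1
"""

ARP_AFTER = """\
Interface          Physical Address     IP Address
Private Interface  00.DE.AD.BE.EF.01    192.168.10.1
Private Interface  00.1A.2B.3C.4D.5E    192.168.10.20
Private Interface  FF.FF.FF.FF.FF.FF    192.168.10.255
Public Interface   00                   10.0.0.5
Public Interface   00.50.56.AA.BB.CC    203.0.113.1
Public Interface   00.50.56.AA.BB.DD    203.0.113.7
"""

# One screen row: interface name, MAC (or the bare "00" tunnel address), IPv4.
ROW_RE = re.compile(
    r"^(Private Interface|Public Interface)\s+"
    r"((?:[0-9A-F]{2}\.){5}[0-9A-F]{2}|00)\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_arp_table(text: str) -> Dict[Tuple[str, str], str]:
    """Map (interface, ip) -> physical address, skipping the header row and
    any line that is not a table row."""
    table: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            iface, mac, ip = m.groups()
            table[(iface, ip)] = mac
    return table


def arp_changes(before: str, after: str) -> List[Tuple[str, str, str, str]]:
    """Return (interface, ip, old_mac, new_mac) for each IP whose physical
    address differs between the two screens. Tunnel and broadcast
    pseudo-addresses are ignored; entries that are new or have aged out are
    not reported, only re-mappings of an IP already in the table."""
    old, new = parse_arp_table(before), parse_arp_table(after)
    changes = []
    for key, new_mac in sorted(new.items()):
        old_mac = old.get(key)
        if old_mac is None or old_mac == new_mac:
            continue
        if old_mac in SPECIAL_MACS or new_mac in SPECIAL_MACS:
            continue
        changes.append((key[0], key[1], old_mac, new_mac))
    return changes


if __name__ == "__main__":
    for iface, ip, old_mac, new_mac in arp_changes(ARP_BEFORE, ARP_AFTER):
        print(f"{iface}: {ip} moved from {old_mac} to {new_mac}")
```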
Monitoring | Statistics | MIB-II | Ethernet

This screen shows statistics in MIB-II objects for Ethernet interface traffic on the VPN 3002 since it was last booted or reset. IEEE standard 802.3 describes Ethernet networks, and RFC 1650 defines Ethernet interface MIB objects. To configure Ethernet interfaces, see Configuration | Interfaces.
Alignment Errors
The number of frames received on this interface that are not an integral number of bytes in length and do not pass the FCS (Frame Check Sequence; used for error detection) check.

FCS Errors
The number of frames received on this interface that are an integral number of bytes in length but do not pass the FCS (Frame Check Sequence) check.
Excessive Collisions
The number of frames for which transmission on this interface failed due to excessive collisions.

MAC Errors: Transmit
The number of frames for which transmission on this interface failed due to an internal MAC sublayer transmit error. This number does not include Carrier Sense Errors, Late Collisions, or Excessive Collisions.
Monitoring | Statistics | MIB-II | SNMP

This screen shows statistics in MIB-II objects for SNMP traffic on the VPN 3002 since it was last booted or reset. RFC 1907 defines SNMP version 2 MIB objects. To configure the VPN 3002 SNMP server, see Configuration | System | Management Protocols | SNMP.

Figure 13-25 Monitoring | Statistics | MIB-II | SNMP Screen

Reset
To reset, or start anew, the screen contents, click Reset.
Bad Community String
The total number of SNMP messages received that used an SNMP community string the VPN 3002 did not recognize. See Configuration | System | Management Protocols | SNMP Communities to configure permitted community strings. To protect security, the VPN 3002 does not include the usual default public community string.
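The following Python code is added here as an example and is not part of this manual. It turns successive readings of the Bad Community String counter into per-interval increases and flags a burst of unrecognized community strings, which is how a management station notices a scanner trying community strings against the VPN 3002. The readings are constructed for the example; because the counter only counts since the last boot or reset, a reading lower than its predecessor is treated as a Reset or reboot rather than as a negative change.

```python
from typing import List

# Constructed readings of the Bad Community String counter from the
# Monitoring | Statistics | MIB-II | SNMP screen, oldest first. The values
# are made up for this example; between the third and fourth reading the
# counter drops, as it does after Reset or a reboot.
BAD_COMMUNITY_READINGS: List[int] = [0, 0, 47, 3, 3, 20]


def counter_deltas(readings: List[int]) -> List[int]:
    """Increase between consecutive readings of a counter that only counts
    since the last boot or reset. A reading lower than its predecessor means
    the counter was zeroed in between, so that reading itself is the increase
    since the reset rather than a negative delta. Returns one delta per
    polling interval, so the list is one shorter than the readings."""
    deltas = []
    for prev, cur in zip(readings, readings[1:]):
        deltas.append(cur if cur < prev else cur - prev)
    return deltas


def total_increase(readings: List[int]) -> int:
    """Total growth over all intervals, unaffected by resets in between
    (simply subtracting first from last would undercount after a reset)."""
    return sum(counter_deltas(readings))


def bad_community_alerts(readings: List[int], threshold: int = 10) -> List[int]:
    """Indexes (into `readings`) of polls in which the Bad Community String
    count grew by at least `threshold` since the previous poll. Many
    unrecognized community strings in one interval is the pattern left by
    a scanner guessing community strings; the VPN 3002 has no default
    'public' string, so legitimate managers produce none once configured."""
    return [i + 1 for i, d in enumerate(counter_deltas(readings)) if d >= threshold]


if __name__ == "__main__":
    print("per-interval increases:", counter_deltas(BAD_COMMUNITY_READINGS))
    print("total since first poll:", total_increase(BAD_COMMUNITY_READINGS))
    for idx in bad_community_alerts(BAD_COMMUNITY_READINGS):
        print(f"reading {idx}: burst of unrecognized community strings")
```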
VPN 3002 Hardware Client Reference 13-58 OL-1893-01
CHAPTER 14 Using the Command-Line Interface

The VPN 3002 Hardware Client command-line interface (CLI) is a menu- and command-line-based configuration, administration, and monitoring system built into the VPN 3002. You use it via the system console or a Telnet (or Telnet over SSL) session. You can use the command-line interface to completely manage the system. You can access and configure the same parameters as the HTML-based VPN 3002 Hardware Client Manager.
Starting the Command-line Interface

3. Press Enter on the PC keyboard until you see the login prompt. (You might see a password prompt and error messages as you press Enter; ignore them and stop at the login prompt.)

Login: _

Telnet or Telnet/SSL access

To access the command-line interface via a Telnet or Telnet/SSL client:

1. Enable the Telnet or Telnet/SSL server on the VPN 3002. (They are both enabled by default on the private network.
Using the Command-line Interface

This section explains how to:
• Choose menu items.
• Enter values for parameters and options.
• Specify configured items by number or name.
• Navigate quickly, using shortcuts, through the menus.
• Display a brief help message.
• Save entries to the system configuration file.
• Stop the command-line interface.
• Understand administrator access rights.
Navigating Quickly

There are two ways to move quickly through the command-line interface: shortcut numbers, and the Back/Home options. Both ways work only when you are at a menu, not when you are at a value entry.
As a shortcut, you can just enter 2.4.1.1 at the Main-> prompt, and move directly to the Modify Administrators menu:

1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit

Main -> 2.4.1.1

> Which Administrator to Modify

Admin ->

Note
At this last prompt, you cannot use a number shortcut.
Saving the Configuration File

Configuration and administration entries take effect immediately and are included in the active, or running, configuration. However, if you reboot the VPN 3002 without saving the active configuration, you lose any changes. To save changes to the system configuration (CONFIG) file, navigate to the main menu. At the prompt, enter 4 for Save changes to Config file.
Menu Reference

This section shows all the menus in the first three levels below the main menu. (There are many additional menus below the third level; and within the first three levels, there are some non-menu parameter settings. To keep this chapter at a reasonable size, we show only the menus here.) The numbers in each heading are the keyboard shortcut to reach that menu from the main menu. For example, entering 1.3.
1.2.1 or 1.2.2 Configuration > Interface Configuration > Configure the Private/Public Interface

1) Enable/Disable
2) Set IP Address
3) Set Subnet Mask
4) Select Ethernet Speed
5) Select Duplex
6) Back

Private/Public Interface -> _

1.3 Configuration > System Management

1) Servers (DNS)
2) Tunneling Protocols (IPSec)
3) IP Routing (static routes, etc.)
4) Management Protocols (Telnet, HTTP, etc.
1.3.5 Configuration > System Management > Event Configuration

1) General
2) Classes
3) Trap Destinations
4) Syslog Servers
5) Back

Event -> _

1.3.6 Configuration > System Management > General Config

1) System Identification
2) System Time and Date
3) Back

General -> _

1.4 Configuration > Policy Management

1) Traffic Management
2) Back

Policy -> _

1.4.
2.2 Administration > System Reboot

1) Cancel Scheduled Reboot/Shutdown
2) Schedule Reboot
3) Schedule Shutdown
4) Back

Admin -> _

2.2.2 Administration > System Reboot > Schedule Reboot

1) Save active Configuration and use it at Reboot
2) Reboot without saving active Configuration file
3) Reboot ignoring the Configuration file
4) Back

Admin -> _

2.2.
2.4.2 Administration > Access Rights > Access Settings

1) Set Session Timeout
2) Set Session Limit
3) Set Config File Encryption
4) Back

Admin -> _

2.5 Administration > File Management

List of Files
------------
CONFIG
CONFIG.BAK

1) View Config File
2) Delete Config File
3) View Backup Config File
4) Delete Backup Config File
5) Swap Config Files
6) Upload Config File
7) Back

File -> _

2.5.
2.6.3 Administration > Certificate Management > Certificate Authorities

Certificate Authorities
. . .
1) View Certificate
2) Delete Certificate
4) Back

Certificates -> _

2.6.4 Administration > Certificate Management > Identity Certificates

Identity Certificates
. . .
1) View Certificate
2) Delete Certificate
3) Back

Certificates -> _

2.6.5 Administration > Certificate Management > SSL Certificate

Subject . .
3.1 Monitoring > Routing Table

Routing Table
. .
'q' to Quit, '' to Continue ->
. .
1) Refresh Routing Table
2) Clear Routing Table
3) Back

Routing -> _

3.2 Monitoring > Event Log

1) Configure Log viewing parameters
2) View Event Log
3) Clear Log
4) Back

Log -> _

3.2.2 Monitoring > Event Log > View Event Log

[Event Log entries]
. . .
1) First Page
2) Previous Page
3) Next Page
4) Last Page
5) Back

Log -> _

3.
3.4 Monitoring > User Status

Authenticated Users
-------------------
Username    IP Address    MAC Address    Login Time    Duration
------------------------------------------------------------------------
1) Refresh User Status
2) Log out User
3) Back

Sessions ->

3.5 Monitoring > General Statistics

1) Protocol Statistics
2) Server Statistics
3) MIB II Statistics
4) Back

General -> _

3.4.
APPENDIX A Troubleshooting and System Errors

Appendix A describes files for troubleshooting the VPN 3002 and LED indicators on the system. It also describes common errors that might occur while configuring and using the system, and how to correct them.

Files for Troubleshooting

The VPN 3002 Hardware Client creates several files that you can examine and that can assist Cisco support engineers when troubleshooting errors and problems:
• Event log.
• SAVELOG.
crash, we ask that you send this file when you contact TAC for assistance. To view the CRSHDUMP.TXT file, see Administration | File Management | View, and click on View Saved Log Crash Dump File.

Configuration Files

The VPN 3002 saves the current boot configuration file (CONFIG) and its predecessor (CONFIG.BAK) as files in flash memory. These files may be useful for troubleshooting.
VPN 3002 Rear LEDs

The LEDs on the rear of the VPN 3002 indicate the status of the private and public interfaces.

LED             Explanation
Green           Interface is connected to the network.
OFF             Interface is not connected to the network.
Flashing amber  Traffic is traveling across the interface.
Table A-1 Analyzing System Errors (continued)

Problem or Symptom
VPN LED is solid amber (tunnel failed to establish to central-site VPN Concentrator).

Possible Solution
1. Make sure the IPSec parameters are properly configured. Verify:
   – Public IP Address of the IKE peer (central-site VPN Concentrator) is correct.
   – Group name and password are correct.
   – User name and password are correct.
Step 4 If you are using Network Extension mode, configure a default gateway or a static route to the private network of the VPN 3002. Refer to Chapter 8, “IP Routing,” in the VPN 3000 Series Concentrator Reference Volume I.

Step 5 Check the Event log. Refer to Chapter 10, “Events,” in the VPN 3000 Series Concentrator Reference Volume I.
VPN 3002 Hardware Client Manager Errors

Table A-2 Invalid Login or Session Timeout Screen

Problem
You entered an invalid administrator login-name and password combination.

Possible Cause
• Typing error.
• Invalid (unrecognized) login name or password.

Solution
• Reenter the login name and password, and click on Login.
• Use a valid login name and password.
• Verify your typing before clicking on Login.
Incorrect Display

The Manager displays an incorrect screen or data when you click on the browser back or forward button.

Table A-4 Browser Back or Forward Button Displays an Incorrect Screen or Incorrect Data

Problem
You clicked on the Back or Forward button on the browser navigation toolbar, and the Manager displayed the wrong screen or incorrect data.
Not Allowed Message

The Manager displays a screen with the message: “Not Allowed / You do not have sufficient authorization to access the specified page.” (see Figure A-3).

Figure A-3 Not Allowed Screen

Table A-6 Not Allowed Message Displays

Problem
You tried to access an area of the Manager that you do not have authorization to access.
Not Found

The Manager displays a screen with the message: “Not Found / An error has occurred while attempting to access the specified page.” The screen includes additional information that identifies system activity and parameters.

Figure A-4 Not Found Screen

Table A-7 Not Found Message Displays

Problem
The Manager could not find a screen.

Possible cause
Command-line Interface Errors

These errors may occur while using the menu-based command-line interface from a console or Telnet session.

Table A-9 Command-Line Interface Errors

Error
ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID

Problem
The system expected a valid 4-byte dotted decimal entry, and the entry was not in that format.