VPN 3002 Hardware Client Reference, Release 4.0
April 2003
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS

Preface (xxvii): Prerequisites; Organization; Related Documentation (VPN 3002 Hardware Client, VPN 3000 Series Concentrator, VPN Client, documentation on the software distribution CDs, other references); Documentation Conventions and Data Formats; Obtaining Documentation; Documentation Feedback; Obtaining Technical Assistance

Chapter 1 Using the VPN 3002 Hardware Client Manager: Connecting to the VPN 3002 Using HTTP; Installing the SSL Certificate in Your Browser; Viewing Certificates with Netscape; Connecting to the VPN 3002 Using HTTPS (1-14); Configuring HTTP, HTTPS, and SSL Parameters (1-16); Logging into the VPN 3002 Hardware Client Manager (1-17); Interactive Hardware Client and Individual User Authentication (1-18); Understanding the Manager Window; Organization of the Manager; Navigating the Manager

Chapter 2 Configuration

Chapter 3 Interfaces: Configuration | Interfaces; Private interface; Public interface (DHCP client, PPPoE client and credentials, static IP addressing, MAC address, speed, duplex, MTU, IPSec fragmentation policy)

Chapter 4 System Configuration (4-1)

Chapter 5 Servers (5-1): DNS (domain, primary/secondary/tertiary servers, timeout period and retries)

Chapter 6 Tunneling: IPSec (IPSec over TCP, certificates and certificate transmission, group and user names and passwords)

Chapter 7 IP Routing (7-1): Static routes, default gateways, DHCP options

Chapter 8 Management Protocols (8-1): HTTP/HTTPS, Telnet and Telnet/SSL, SSH (key regeneration period, encryption protocols, SCP), XML

Chapter 9 Events (9-1): Event classes, severity levels, event log, syslog format and servers, SNMP trap destinations

Chapter 10 General (10-1): Identification (system name)

Chapter 11 Policy Management: Network Extension Mode, split tunneling, VPN Concentrator settings required for Network Extension Mode, tunnel initiation and data initiation, PAT, certificate validation

Chapter 12 Administration: Ping; Access Rights (administrators, session idle timeout, session limit, config file encryption); File Management; Certificate Management (SSL and identity certificates, enrollment, SCEP, install, view, delete)

Chapter 13 Monitoring: System Status (sessions, security associations, memory); User Status; Statistics (IPSec IKE and Phase 2, Telnet, DHCP, SSH, NAT, PPPoE, MIB-II TCP/UDP, IP, ICMP, SNMP)

Chapter 14 Using the Command-Line Interface (14-1): Console, Telnet and Telnet/SSL access; starting and using the CLI; Configuration, Policy Management and Administration menus

Appendix B (B-2 to B-10): Front and rear LEDs, system errors, settings on the VPN Concentrator, Hardware Client Manager errors, command-line interface errors

Index
Preface

The VPN 3002 Hardware Client Reference provides guidelines for configuring the Cisco VPN 3002, details on all the functions available in the VPN 3002 Hardware Client Manager, and instructions for using the VPN 3002 Command Line Interface.

Prerequisites

We assume you have read the VPN 3002 Hardware Client Getting Started manual and have followed the minimal configuration steps in Quick Configuration. That section of the VPN Hardware Client Manager is not described here.

Organization

Chapter 5, Servers: Explains how to configure the VPN 3002 to communicate with DNS servers to convert hostnames to IP addresses.
Chapter 6, Tunneling: Explains how to configure IPSec.
Chapter 7, IP Routing: Explains how to configure static routes, default gateways, and DHCP parameters and options.

Related Documentation

Refer to the following documents for further information about Cisco VPN 3000 Series applications and products.

VPN 3002 Hardware Client Documentation: The VPN 3002 Hardware Client Getting Started manual provides information to take you from unpacking and installing the VPN 3002, through configuring the minimal parameters to make it operational (called Quick Configuration). This manual is online only.

versions on the Cisco web site, click the Support icon on the toolbar at the top of the VPN Concentrator Manager, Hardware Client Manager, or Client window. To open the documentation, you need Acrobat Reader 3.0 or later; version 4.5 is included on the Cisco VPN 3000 Concentrator software distribution CD-ROM and on the VPN Client software distribution CD-ROM.

Documentation Conventions

Data Formats

As you configure and manage the system, enter data in the following formats unless the instructions indicate otherwise:

Type of Data: IP Addresses
Format: IP addresses use 4-byte dotted decimal notation (for example, 192.168.12.34); as the example indicates, you can omit leading zeros in a byte position.

Type of Data: Subnet Masks and Wildcard Masks
Format: Subnet masks use 4-byte dotted decimal notation (for example, 255.255.255.0).

Obtaining Documentation

These sections explain how to obtain documentation from Cisco Systems.

World Wide Web: You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com. Translated documentation is available at this URL: http://www.cisco.com/public/countries_languages.

Documentation Feedback: You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address: Cisco Systems, Attn: Document Resource Connection, 170 West Tasman Drive, San Jose, CA 95134-9883. We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance.

• Priority level 1 (P1): Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

Cisco TAC Web Site: You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL: http://www.cisco.
Chapter 1 Using the VPN 3002 Hardware Client Manager

The VPN 3002 Hardware Client Manager is an HTML-based interface that lets you configure, administer, monitor, and manage the VPN 3002 with a standard web browser. To use it, you connect to the VPN 3002 from a PC and browser on the same private network as the VPN 3002. By default the Manager uses the standard web client/server protocol, HTTP (Hypertext Transfer Protocol), which is a cleartext protocol: the administrator password and every configuration value you enter cross the private network unencrypted. The Manager can also run over HTTPS (HTTP over SSL), described under “Installing the SSL Certificate in Your Browser” below; use HTTPS for every session after the one in which you install the certificate.
Connecting to the VPN 3002 Using HTTP

JavaScript and Cookies: Be sure JavaScript and Cookies are enabled in the browser. Refer to the documentation for your browser for instructions.

Navigation Toolbar: Do not use the browser navigation toolbar buttons Back, Forward, or Refresh/Reload with the VPN 3002 Hardware Client Manager unless instructed to do so. To protect access security, clicking Refresh/Reload automatically logs out the Manager session.

Figure 1-1 VPN 3002 Hardware Client Manager Login Screen

To continue using HTTP for the whole session, skip to “Logging into the VPN 3002 Hardware Client Manager.”

Installing the SSL Certificate in Your Browser

The Manager provides the option of using HTTP over SSL with the browser. SSL creates an encrypted session between your browser (the SSL client) and the VPN 3002 (the SSL server). The VPN 3002 presents its own SSL certificate, which the browser must install and trust before it will connect over HTTPS without warnings.
Follow these steps to install and use the SSL certificate for the first time. We provide separate instructions for Internet Explorer and Netscape Navigator when they diverge.

Step 1 Connect to the VPN 3002 using HTTP as above.
Step 2 On the login screen, click the Install SSL Certificate link.

Figure 1-3 Internet Explorer File Download Dialog Box
Step 1 Click the Open this file from its current location radio button, then click OK. The browser displays the Certificate dialog box with information about the certificate. You must now install the certificate.
Figure 1-4 Internet Explorer Certificate Dialog Box
Step 2 Click Install Certificate.
Figure 1-5 Internet Explorer Certificate Manager Import Wizard Dialog Box
Step 3 Click Next to continue. The wizard opens the next dialog box asking you to select a certificate store.
Figure 1-6 Internet Explorer Certificate Manager Import Wizard Dialog Box
Step 4 Let the wizard Automatically select the certificate store, and click Next. The wizard opens a dialog box to complete the installation.
Figure 1-7 Internet Explorer Certificate Manager Import Wizard Dialog Box
Step 5 Click Finish. The wizard opens the Root Certificate Store dialog box asking you to confirm the installation.
Figure 1-8
Step 6 To install the certificate, click Yes. Before you do, confirm that the issuer and subject shown in the dialog belong to your VPN 3002: the download arrived over cleartext HTTP, and a certificate in the root store is trusted for every site it signs. This dialog box closes, and a final wizard confirmation dialog box opens.
Figure 1-10 Internet Explorer Security Alert Dialog Box
Step 9 Click OK. The VPN 3002 Hardware Client displays the HTTPS version of the Manager login screen.
Figure 1-11 VPN 3002 Hardware Client Manager Login Screen Using HTTPS (Internet Explorer)
The browser maintains the HTTPS state until you close it or access an unsecured site; in the latter case you might see a Security Alert screen.

Figure 1-12 Internet Explorer 4.0 Certificate Properties Screen
Click any of the Field items to see Details. Click Close when finished. Second, you can view all the certificates that are stored in Internet Explorer 4.0. Click the browser View menu and select Internet Options. Click the Content tab, then click Authorities in the Certificates section. In Internet Explorer 5.

Reinstallation

You need to install the SSL certificate from a given VPN 3002 only once. If you try to reinstall it, Netscape displays the note in Figure 1-14. Click OK and just connect to the VPN 3002 using SSL (see Step 7 in this section.

Figure 1-16 Netscape New Certificate Authority Screen 2
Step 2 Click Next> to proceed. Netscape displays the next New Certificate Authority screen, which lets you examine details of the VPN 3002 Hardware Client SSL certificate.
Figure 1-17 Netscape New Certificate Authority Screen 3
Step 3 Click Next> to proceed.
Figure 1-18 Netscape New Certificate Authority Screen 4
Step 4 You must check at least the first box, Accept this Certificate Authority for Certifying network sites. Check only what you need: this box makes the browser trust any site certificate signed by the VPN 3002's key. Click Next> to proceed. Netscape displays the next New Certificate Authority screen, which lets you choose to have the browser warn you about sending data to the VPN 3002.
Figure 1-20 Netscape New Certificate Authority Screen 6
Step 6 In the Nickname field, enter a descriptive name for this certificate. “Nickname” is something of a misnomer. We suggest you use a clearly descriptive name such as Cisco VPN 3002 10.10.147.2. This name appears in the list of installed certificates; see “Viewing Certificates with Netscape,” below. Click Finish.
Figure 1-22 VPN 3002 Hardware Client Manager Login Screen Using HTTPS (Netscape)
The browser maintains the HTTPS state until you close it or access an unsecured site; in the latter case, you might see a Security Information Alert dialog box. Proceed to the section, “Logging into the VPN 3002 Hardware Client Manager,” to log in as usual.

Viewing Certificates with Netscape

Figure 1-23 Netscape Security Info Window
Click View Certificate to see details of the specific certificate in use.
Figure 1-24 Netscape View Certificate Screen
Click OK when finished. Second, you can view all the certificates that are stored in Netscape. On the Security Info window, select Certificates, then Signers.
Figure 1-25 Netscape Certificates Signers List
Select a certificate, then click Edit, Verify, or Delete. Click OK when finished.

Connecting to the VPN 3002 Using HTTPS

When you have installed the SSL certificate in the browser, you can connect directly using HTTPS.

Step 1 Bring up the browser.
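Whichever browser you use, the certificate you are about to trust was downloaded over cleartext HTTP, so the decision to click Yes (Internet Explorer) or to accept the authority (Netscape) should rest on a fingerprint obtained through a separate channel, such as the device console. The following Python example is added by the editor and is not part of the Cisco manual or the VPN 3002 software. It fetches the certificate a device presents on its HTTPS port, computes the SHA-256 fingerprint in the colon-separated form browsers display, and compares it in constant time with the expected value. The sample certificate bytes are constructed for the example and are not a real certificate; the host name and port in the fetch helper are placeholders.

```python
"""Check a VPN 3002 SSL certificate fingerprint before trusting it in a browser.

Added example, not part of the Cisco manual. Only the standard library is used.
"""
import base64
import hashlib
import hmac
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for the DER bytes of a device certificate. A real
# certificate would come from fetch_device_cert_pem() below.
SAMPLE_DER = b"constructed-sample-certificate-bytes-not-a-real-certificate"
SAMPLE_PEM = (
    PEM_HEADER + "\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + PEM_FOOTER + "\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 over the DER bytes, formatted AA:BB:... as browsers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise(fp: str) -> str:
    """Accept a fingerprint pasted with or without colons, spaces or case."""
    return fp.replace(":", "").replace(" ", "").upper()


def verify_fingerprint(pem: str, expected: str) -> bool:
    """Compare the certificate's fingerprint with an out-of-band value.

    The comparison is constant-time; a mismatch means the certificate offered
    on the HTTP session is not the one the device generated, and it must not
    be installed.
    """
    actual = fingerprint_sha256(pem_to_der(pem))
    return hmac.compare_digest(_normalise(actual), _normalise(expected))


def fetch_device_cert_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate the device presents on its HTTPS port.

    Not called automatically: it needs network access, and a 2003-era device
    speaks SSLv3/TLS 1.0 with cipher suites a modern OpenSSL build may refuse.
    If the handshake fails, read the fingerprint from the console instead.
    """
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    # Placeholder flow: in practice 'expected' is the value read off the console.
    expected = fingerprint_sha256(SAMPLE_DER)
    print("fingerprint:", expected)
    print("match:", verify_fingerprint(SAMPLE_PEM, expected))
```

Run it against a live device by replacing `SAMPLE_PEM` with `fetch_device_cert_pem("10.10.147.2")` and `expected` with the console value; a False result means stop and investigate rather than clicking through the warning.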
Figure 1-26 VPN Hardware Client Manager HTTPS Login Screen

Logging into the VPN 3002 Hardware Client Manager

Logging into the VPN 3002 Hardware Client Manager is the same for both types of connections, cleartext HTTP or secure HTTPS. Entries are case-sensitive. With Microsoft Internet Explorer, you can press the Tab key to move from field to field; other browsers might work differently.

Interactive Hardware Client and Individual User Authentication

Interactive hardware client authentication and individual user authentication provide security by requiring manual entry of usernames and passwords prior to connection. You configure these features on the VPN Concentrator to which this VPN 3002 connects, and the VPN Concentrator pushes the policies you set to the VPN 3002.

Logging In With Interactive Hardware Client and Individual User Authentication

You access the interactive hardware client authentication and individual user authentication login screens from the VPN 3002 Hardware Client Manager login screen.

Step 1 Click the Connect Now button. The VPN 3002 Interactive Authentication screen displays.
Figure 1-29 VPN 3002 Interactive Authentication Screen
Step 1 Enter the username and password for the VPN 3002.
Step 2 Click Connect. If you have entered a valid username and password, the Connect Login Status screen displays the message that the VPN 3002 is connected.
Figure 1-31 Individual User Authentication Screen
Step 1 Enter the username and password for this VPN 3002 user.
Step 2 Click Login. If the username and password you entered are valid, the Connection/Login Status window displays information about the connection.
Understanding the VPN 3002 Hardware Client Manager Window

The VPN 3002 Hardware Client Manager window in your browser consists of three frames (top, left, and main), and it provides helpful messages and tips as you move the mouse pointer over window items. The title bar and status bar also provide useful information.

Figure 1-33 VPN 3002 Hardware Client Manager Window

Title bar: The title bar at the top of the browser window includes the VPN 3002 device name or IP address in brackets, for example, [10.10.4.6].

Status bar: The status bar at the bottom of the browser window displays Manager activity and explanatory messages for some items.

Save: Click the Save icon to save the active configuration and make it the boot configuration. In this state, the reminder indicates that the active configuration is the same as the boot configuration, but you can save it anyway. When you change the configuration, the reminder changes to Save Needed.

Save Needed: This reminder indicates that you have changed the active configuration.

Open or expanded: Click the open/expanded icon to close subordinate sections and titles. Clicking this icon does not change the screen in the main frame.

Main frame (Manager screen): The main frame displays the current VPN 3002 Hardware Client Manager screen. Many screens include a bullet list of links and descriptions of subordinate sections and titles.

Organization of the VPN 3002 Hardware Client Manager

The VPN 3002 Hardware Client Manager consists of three major sections and many subsections:
• Configuration: setting all the parameters for the VPN 3002 that govern its use and functionality as a VPN device:
  – Quick Configuration: supplying the minimal parameters needed to make the VPN 3002 operational.
  – Interfaces: Ethernet parameters.

Navigating the VPN 3002 Hardware Client Manager

Your primary tool for navigating the VPN 3002 Hardware Client Manager is the table of contents in the left frame. Figure 1-34 shows all its entries, completely expanded. (The figure shows the frame in multiple columns, but the actual frame is a single column. Use the scroll controls to move up and down the frame.)
Chapter 2 Configuration

Configuring the VPN 3002 means setting all the parameters that govern its use and functionality as a VPN device. Cisco supplies default parameters that cover typical installations and uses; after you supply minimal parameters in Quick Configuration, the system is operational. But to tailor the system to your needs, and to provide an appropriate level of system security, you can configure the system in detail.
Chapter 3 Interfaces

This section of the VPN 3002 Hardware Client Manager applies functions that are interface-specific, rather than system-wide.

Configuration | Interfaces

You configure two network interfaces for the VPN 3002 to operate as a VPN device: the private interface and the public interface. If you used Quick Configuration as described in the VPN 3002 Hardware Client Getting Started manual, the system supplied many default parameters for the interfaces.
Figure 3-1 VPN 3002 Configuration | Interfaces Screen

To configure a module, either click the appropriate link in the status table, or use the mouse pointer to select the module on the back-panel image and click anywhere in the highlighted area.

Interface: The VPN 3002 interface installed in the system. To configure an interface, click the appropriate link.

Status: The operational status of this interface:
• UP (green) = Configured, enabled, and operational; ready to pass data traffic.
• DOWN (red) = Configured but disabled or disconnected.
• Testing = In test mode; no regular data traffic can pass.
• Dormant (red) = Configured and enabled but waiting for an external action, such as an incoming connection.
• Not Present (red) = Missing hardware components.

Configuration | Interfaces | Private

This screen lets you configure parameters for the private interface. It displays the current parameters, if any.

Figure 3-2 Configuration | Interfaces | Private Screen

Caution: If you modify any parameters of the private interface that you are currently using to connect to the VPN 3002, you will break the connection, and you will have to restart the Manager from the login screen.

Subnet Mask: Enter the subnet mask for this interface, using dotted decimal notation (for example, 255.255.255.0). The Manager automatically supplies the classful default mask for the IP address you just entered: for example, 192.168.12.34 is a Class C address, so the standard subnet mask is 255.255.255.0. This default is derived only from the first octet of the address; if your private network is subnetted differently (a 10.x.x.x address on a /24 network, say), replace it with the mask the network actually uses. Note that 0.0.0.0 is not allowed.

Configuration | Interfaces | Public

This screen lets you select a connection method (DHCP, PPPoE, or static IP addressing) for the public interface. It also allows you to disable the public interface.

Figure 3-3 Configuration | Interfaces | Public Screen

Disabled: To take the interface offline, click Disabled. This state lets you retain or change its configuration parameters.

PPPoE User Name: If you have selected PPPoE, enter a valid PPPoE username.

PPPoE Password: If you have selected PPPoE, enter the PPPoE password for the username you entered above.

Verify PPPoE Password: If you have selected PPPoE, enter the PPPoE password again to verify it.

Static IP Addressing: Click this radio button if you want to use a static IP address.

Duplex: If you are using static IP addressing, click the drop-down menu button and select the interface transmission mode:
• Auto = Let the VPN 3002 automatically detect and set the appropriate transmission mode, either full or half duplex (default). Be sure that the port on the active network device (hub, switch, router, etc.) to which you connect this interface is also set to automatically negotiate the transmission mode; a port forced to full duplex on one side and Auto on the other ends up in a duplex mismatch, which shows up as errors and poor throughput rather than a down link.

IPSec Fragmentation Policy

example, suppose a PC behind a VPN 3002 wants to FTP put a large file to an FTP server behind a VPN Concentrator. The PC transmits packets that, when encapsulated, would exceed the VPN 3002's MTU size on the public interface. The following options determine how the VPN 3002 processes these packets. The fragmentation policy you set here applies to all traffic travelling out the VPN 3002 public interface to VPN Concentrators.
Chapter 3 Interfaces Configuration | Interfaces | Public VPN 3002 Hardware Client Reference, Release 4.
CHAPTER 4 System Configuration
System configuration means configuring parameters for system-wide functions in the VPN 3002.

Configuration | System
This section of the Manager lets you configure parameters for:
• Servers: identifying servers for DNS information for the VPN 3002.
• Tunneling Protocols: configuring IPSec connections.
• IP Routing: configuring static routes, default gateways, and DHCP.
CHAPTER 5 Servers
Configuring servers means identifying DNS servers to the VPN 3002 so it can communicate with them correctly. DNS servers convert hostnames to IP addresses. The VPN 3002 functions as a client of these servers.

Configuration | System | Servers
This section of the Manager lets you configure the VPN 3002 to communicate with DNS servers.

Configuration | System | Servers | DNS
Figure 5-2 Configuration | System | Servers | DNS Screen
Enabled: To use DNS functions, check Enabled (the default). To disable DNS, clear the box.
Domain: Enter the name of the registered domain of the ISP for the VPN 3002; for example, yourisp.com. Maximum 48 characters. This entry is sometimes called the domain name suffix or sub-domain.
Timeout Period: Enter the initial time in seconds to wait for a response to a DNS query before sending the query to the next server. Minimum is 1, default is 2, maximum is 30 seconds. This time doubles with each retry cycle through the list of servers.
Timeout Retries: Enter the number of times to retry sending a DNS query to the configured servers, in order.
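The Timeout Period and Timeout Retries settings above determine how long the VPN 3002 waits before a DNS lookup fails, which is also the delay a hostname-based backup server entry can add when DNS is down. The model below is an added example, not Cisco code; it assumes the first pass waits the Timeout Period per server, each further pass doubles that wait, and every server is tried in order on every pass.

```python
"""Worst-case DNS resolver delay on the VPN 3002, modelled from the Timeout
Period and Timeout Retries semantics described on this page.

Added example, not Cisco code. Assumptions the page does not state:
  - the first pass through the server list waits the configured Timeout Period
    per server, and each of the `retries` further passes doubles that wait;
  - every configured server is tried, in order, on every pass.
"""
from dataclasses import dataclass
from typing import List, Tuple

TIMEOUT_MIN, TIMEOUT_DEFAULT, TIMEOUT_MAX = 1, 2, 30  # seconds, per the page
MAX_SERVERS = 3                                       # primary, secondary, tertiary


@dataclass
class DnsResolverConfig:
    servers: List[str]                 # DNS server addresses, in query order
    timeout: int = TIMEOUT_DEFAULT     # Timeout Period (initial wait, seconds)
    retries: int = 0                   # Timeout Retries (extra passes, assumed)

    def validate(self) -> None:
        """Reject values the Manager screen would not accept."""
        if not 1 <= len(self.servers) <= MAX_SERVERS:
            raise ValueError(f"configure 1..{MAX_SERVERS} DNS servers")
        if not TIMEOUT_MIN <= self.timeout <= TIMEOUT_MAX:
            raise ValueError(f"Timeout Period must be {TIMEOUT_MIN}..{TIMEOUT_MAX} s")
        if self.retries < 0:
            raise ValueError("Timeout Retries cannot be negative")


def query_schedule(cfg: DnsResolverConfig) -> List[Tuple[int, str, int]]:
    """List every (pass_number, server, wait_seconds) the resolver would
    send before giving up, assuming no server ever answers."""
    cfg.validate()
    schedule: List[Tuple[int, str, int]] = []
    wait = cfg.timeout
    for pass_no in range(cfg.retries + 1):     # initial pass plus retries
        for server in cfg.servers:             # servers tried in order
            schedule.append((pass_no, server, wait))
        wait *= 2                              # doubles each retry cycle
    return schedule


def worst_case_delay(cfg: DnsResolverConfig) -> int:
    """Seconds until the resolver reports failure when all servers are down.
    This is the delay a hostname-based Backup Easy VPN Server entry can add
    to tunnel establishment while DNS is unreachable."""
    return sum(wait for _, _, wait in query_schedule(cfg))


if __name__ == "__main__":
    # Constructed sample: three servers, default timeout, two retries.
    cfg = DnsResolverConfig(["10.0.0.53", "10.0.1.53", "10.0.2.53"],
                            timeout=2, retries=2)
    for pass_no, server, wait in query_schedule(cfg):
        print(f"pass {pass_no}: {server} wait {wait}s")
    print("worst case:", worst_case_delay(cfg), "seconds")   # 42
```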
CHAPTER 6 Tunneling
Tunneling is the heart of virtual private networking. Tunnels make it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network. The secure connection is called a tunnel, and the VPN 3002 uses the IPSec tunneling protocol to:
• Negotiate tunnel parameters.
• Establish tunnels.
• Authenticate users and data.
• Manage security keys.
• Encrypt and decrypt data.

Configuration | System | Tunneling Protocols
This section lets you configure the IPSec tunneling protocol. Click IPSec on the Tunneling Protocols screen.
Figure 6-1 Configuration | System | Tunneling Protocols Screen

Configuration | System | Tunneling Protocols | IPSec
The VPN 3002 complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator.
• Encryption Algorithms:
– DES-56 = Data Encryption Standard (DES) with a 56-bit key.
– 3DES-168 = Triple-DES with a 168-bit key.
– AES-128 = Advanced Encryption Standard (AES) encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than triple DES.
– AES-192 = AES encryption with a 192-bit key.
– AES-256 = AES encryption with a 256-bit key.
Backup Easy VPN Servers: To configure IPSec backup servers on the VPN 3002, enter up to 10 backup servers, using either IP address or hostname. Enter each backup server on a separate line. To enter a hostname, a DNS server must be configured. Further, if you use hostnames and the DNS server is unavailable, significant delays can occur.
XYZ corporation has large sites in three cities: San Jose, California; Austin, Texas; and Boston, Massachusetts. They just opened a regional sales office in Fargo, North Dakota. To provide access to the corporate network from Fargo, they use a VPN 3002 that connects to a VPN 3080 in San Jose (1). If the VPN 3002 is unable to contact the corporate network, Fargo cannot place orders.
Alert when disconnecting: The VPN 3002 notifies the VPN Concentrator at the central site of sessions that are about to be disconnected from its side of the connection, and conveys the reason. The VPN Concentrator decodes the reason, and displays it in the event log or in a pop-up screen. The feature is enabled by default. This screen lets you disable the feature so that the VPN 3002 does not send or receive alerts.
Use Certificate: This parameter specifies whether to use preshared keys or a PKI (Public Key Infrastructure) digital identity certificate to authenticate the peer during Phase 1 IKE negotiations. See the discussion under Administration | Certificate Management, which is where you install digital certificates on the VPN 3002. Check the box to use digital certificates.
Name: In the User Name field, enter a unique name for the user in this group. Maximum is 32 characters, case-sensitive. This is the username configured on the central-site VPN Concentrator to which this VPN 3002 connects.
Password: In the User Password field, enter the password for this user.
CHAPTER 7 IP Routing
The VPN 3002 includes an IP routing subsystem with static routing, default gateways, and DHCP. To route packets, the subsystem uses static routes and the default gateway. If you do not configure the default gateway, the subsystem drops packets that it cannot otherwise route. You configure static routes and default gateways in this section. This section also includes the system-wide DHCP (Dynamic Host Configuration Protocol) server parameters.

Configuration | System | IP Routing | Static Routes
This section of the Manager lets you configure static routes for IP routing.
Figure 7-2 Configuration | System | IP Routing | Static Routes Screen
Static Routes: The Static Routes list shows manual IP routes that have been configured. The format is [destination network address/subnet mask -> outbound destination]; for example, 192.168.12.0/255.255.255.0 -> 10.10.0.2.

Configuration | System | IP Routing | Static Routes | Add or Modify
These Manager screens let you:
• Add: Configure and add a new static, or manual, route to the IP routing table.
• Modify: Modify the parameters for a configured static route.
Figure 7-3 Configuration | System | IP Routing | Static Routes | Add Screen
Network Address: Enter the destination network IP address that this static route applies to.
Destination: Click a radio button to select the outbound destination for these packets. You can select only one destination: either a specific router/gateway, or a VPN 3002 interface.
Destination Router Address: Enter the IP address of the specific router or gateway to which to route these packets; that is, the IP address of the next hop between the VPN 3002 and the packet's ultimate destination.

Configuration | System | IP Routing | Default Gateways
Default Gateway: Enter the IP address of the default gateway or router. Use dotted decimal notation; for example, 192.168.12.77. This address must not be the same as the IP address configured on any VPN 3002 interface. If you do not use a default gateway, enter 0.0.0.0 (the default entry). To delete a configured default gateway, enter 0.0.0.0.
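The routing behaviour this chapter describes (static route, else default gateway, else drop) together with the two rules on the Default Gateway screen, modelled as an added example that is not Cisco code. The entry format is the one shown in the Static Routes list; preferring the most specific matching static route is an assumption, and the interface-as-destination form is omitted.

```python
"""Route selection as Chapter 7 describes it: a matching static route wins,
otherwise the default gateway is used, otherwise the packet is dropped.

Added example, not Cisco code. The route entry format is the one shown on the
Static Routes screen (`192.168.12.0/255.255.255.0 -> 10.10.0.2`). Preferring
the most specific matching static route is an assumption the page does not
state; the page also allows a VPN 3002 interface as a route destination,
which this model omits.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Optional, Tuple

NO_GATEWAY = IPv4Address("0.0.0.0")   # page: 0.0.0.0 means no default gateway

Route = Tuple[IPv4Network, IPv4Address]


def parse_static_route(entry: str) -> Route:
    """Parse one Static Routes list entry: 'net/mask -> next-hop'."""
    dest, sep, next_hop = entry.partition("->")
    if not sep:
        raise ValueError(f"malformed static route: {entry!r}")
    # strict=True rejects a network address that has host bits set
    return IPv4Network(dest.strip(), strict=True), IPv4Address(next_hop.strip())


class RoutingTable:
    def __init__(self, interface_addrs: Iterable[str], static_routes: Iterable[str],
                 default_gateway: str = "0.0.0.0") -> None:
        self.interfaces = {IPv4Address(a) for a in interface_addrs}
        self.routes: List[Route] = [parse_static_route(e) for e in static_routes]
        gw = IPv4Address(default_gateway)
        # page: the gateway must not be the address of any VPN 3002 interface
        if gw in self.interfaces:
            raise ValueError("default gateway must not be a VPN 3002 interface address")
        self.default_gateway: Optional[IPv4Address] = None if gw == NO_GATEWAY else gw

    def next_hop(self, destination: str) -> Optional[IPv4Address]:
        """Next hop for a packet, or None when the subsystem would drop it."""
        dst = IPv4Address(destination)
        matches = [r for r in self.routes if dst in r[0]]
        if matches:
            return max(matches, key=lambda r: r[0].prefixlen)[1]   # most specific
        return self.default_gateway    # None means the packet is dropped


if __name__ == "__main__":
    # Constructed configuration: private 192.168.12.1, public 10.10.0.5
    table = RoutingTable(
        interface_addrs=["192.168.12.1", "10.10.0.5"],
        static_routes=["192.168.12.0/255.255.255.0 -> 10.10.0.2",
                       "192.168.0.0/255.255.0.0 -> 10.10.0.3"],
        default_gateway="10.10.0.1",
    )
    for dst in ("192.168.12.34", "192.168.7.9", "203.0.113.8"):
        print(dst, "->", table.next_hop(dst))
```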
Configuration | System | IP Routing | DHCP
This screen lets you configure DHCP (Dynamic Host Configuration Protocol) server parameters that apply to DHCP server functions within the VPN 3002. The DHCP server for the private interface lets IP hosts in its network automatically obtain IP addresses from a limited pool of addresses for a fixed length of time, or lease period.

Configuration | System | IP Routing | DHCP Options
Apply/Cancel: To apply the settings for DHCP parameters, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen. Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your entries, click Cancel.

Configuration | System | IP Routing | DHCP Options | Add or Modify
To remove a configured DHCP option, select the option from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining DHCP options in the list. Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Nonconfigurable DHCP Options: You cannot configure the following DHCP Options:
• Subnet Mask (option 1)
• Router (option 3)
• Domain Name Server (option 6)
• Domain Name (option 15)
• NetBios Name Server/WINS (option 44)
You configure these values on the central-site VPN Concentrator for the group to which the VPN 3002 Hardware Client belongs.
CHAPTER 8 Management Protocols
The VPN 3002 Hardware Client includes various built-in servers, using various protocols, that let you perform typical network and system management functions. This section explains how you configure and enable those servers.

Configuration | System | Management Protocols | HTTP/HTTPS
This screen lets you configure and enable the VPN 3002 HTTP/HTTPS server: Hypertext Transfer Protocol and HTTP over SSL (Secure Sockets Layer) protocol. When the server is enabled, you can use a Web browser to communicate with the VPN 3002. HTTPS lets you use a Web browser over a secure, encrypted connection.
Enable HTTPS: Check the box to enable the HTTPS server. The box is checked by default. HTTPS, also known as HTTP over SSL, lets you use the Manager over an encrypted connection.
Enable HTTPS on Public: Check the box to enable HTTPS on the Public interface.
HTTP Port: Enter the port number that the HTTP server uses. The default is 80, which is the well-known port.
HTTPS Port: Enter the port number that the HTTPS server uses.
Figure 8-3 Configuration | System | Management Protocols Screen

Configuration | System | Management Protocols | Telnet
This screen lets you configure and enable the VPN 3002 Telnet terminal emulation server, and Telnet over SSL (Secure Sockets Layer protocol). When the server is enabled, you can use a Telnet client to communicate with the VPN 3002.
Enable Telnet/SSL: Check the box to enable Telnet over SSL. The box is checked by default. Telnet/SSL uses Telnet over a secure, encrypted connection.
Telnet Port: Enter the port number that the Telnet server uses. The default is 23, which is the well-known port number.
Telnet/SSL Port: Enter the port number that Telnet over SSL uses. The default is number.

Configuration | System | Management Protocols | SNMP
This screen lets you configure and enable the SNMP (Simple Network Management Protocol) agent. When enabled, you can use an SNMP manager to collect information from the VPN 3002 but not to configure it. To use SNMP, you must also configure an SNMP Community on the Configuration | System | Management Protocols | SNMP Communities screen.

Configuration | System | Management Protocols | SNMP Communities
Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.
Community Strings: The Community Strings list shows SNMP community strings that have been configured. If no strings have been configured, the list shows --Empty--.
Add/Modify/Delete: To configure and add a new community string, click Add. The Manager opens the Configuration | System | Management Protocols | SNMP Communities | Add screen.

Configuration | System | Management Protocols | SNMP Communities | Add or Modify
Figure 8-10 Configuration | System | Management Protocols | SNMP Communities | Add Screen
Community String: Enter the SNMP community string. Maximum 31 characters, case-sensitive.
Add or Apply / Cancel: To add this entry to the list of configured community strings, click Add. Or to apply your changes to this community string, click Apply.

Configuration | System | Management Protocols | SSL
This screen lets you configure the VPN 3002 SSL (Secure Sockets Layer) protocol server. These settings apply to both HTTPS and Telnet over SSL. HTTPS lets you use a web browser over a secure, encrypted connection to manage the VPN 3002. SSL creates a secure session between the client and the VPN 3002 server.
Figure 8-12 Configuration | System | Management Protocols | SSL Screen
Encryption Protocols: Check the boxes for the encryption algorithms that the VPN 3002 SSL server can negotiate with a client and use for session encryption. All are checked by default. You must check at least one algorithm to enable SSL. Unchecking all algorithms disables SSL.
SSL Version: Click the drop-down menu button and select the SSL version to use. SSL Version 3 has more security options than Version 2, and TLS (Transport Layer Security) Version 1 has more security options than SSL Version 3. Some clients that send an SSL Version 2 "Hello" (initial negotiation) can actually use a more secure version during the session. Telnet/SSL clients usually can use only SSL Version 2.
Figure 8-13 Configuration | System | Management Protocols Screen

Configuration | System | Management Protocols | SSH
This screen lets you configure the VPN 3002 SSH (Secure Shell) protocol server. SSH is a secure Telnet-like terminal emulator protocol that you can use to manage the VPN 3002, using the Command Line Interface, over a remote connection. The SSH server supports SSH1 (protocol version 1.
Enable SSH: Check the box to enable the SSH server. The box is checked by default. Disabling the SSH server provides additional security by preventing SSH access.
Enable SSH on Public: Check the box to enable SSH on the Public interface.
SSH Port: Enter the port number that the SSH server uses. The default is 22, which is the well-known port.
Maximum Sessions: Enter the maximum number of concurrent SSH sessions allowed.
Enable SCP: Check the Enable SCP check box to enable file transfers using secure copy (SCP) over SSH.
Apply / Cancel: To apply your SSH settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen.

Configuration | System | Management Protocols | XML
This screen lets you configure the VPN 3002 to support an XML-based interface. Enabling XML management (the default condition) allows the VPN 3002 to be more easily managed by a centralized management system. XML is enabled by default. To disable the XML option, clear the check box. To reenable the XML option, click the check box.
Enable SSH on Public: Check the Enable SSH on Public check box to allow XML management over Secure Shell (SSH) on the VPN 3002 public interface.
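A defender's review of the management-protocol settings in this chapter (HTTP/HTTPS, Telnet, SNMP, SSL version, SSH, XML), added here as an example rather than Cisco code: it flags cleartext services, services reachable on the public interface and a weak SSL version, and produces a hardened copy. Field names follow the Manager screens above; the starting values are a constructed scenario, not the device defaults, and the SSL version ordering is the one the SSL screen states.

```python
"""Audit of the Chapter 8 management-protocol settings from a defender's view:
flag cleartext management services, services reachable on the public
interface and a weak SSL version choice, then produce a hardened copy.

Added example, not Cisco code. Field names follow the Manager screens on this
page. The defaults below are a constructed starting scenario, not the device
defaults (the page states defaults for only some fields). The SSL ordering
TLS Version 1 > SSL Version 3 > SSL Version 2 is the one the SSL screen gives.
"""
from dataclasses import dataclass, replace
from typing import List

SSL_STRENGTH = {"SSL Version 2": 0, "SSL Version 3": 1, "TLS Version 1": 2}


@dataclass(frozen=True)
class ManagementProtocols:
    http_enabled: bool = True          # cleartext web management (port 80)
    http_port: int = 80
    https_enabled: bool = True
    https_on_public: bool = False
    telnet_enabled: bool = True        # cleartext CLI (port 23)
    telnet_port: int = 23
    telnet_ssl_enabled: bool = True
    snmp_enabled: bool = True          # read-only per the SNMP screen
    ssl_version: str = "SSL Version 2" # constructed weak starting value
    ssh_enabled: bool = True
    ssh_on_public: bool = False
    ssh_max_sessions: int = 4          # constructed; page gives no default
    xml_enabled: bool = True
    xml_ssh_on_public: bool = False


def audit(cfg: ManagementProtocols) -> List[str]:
    """Return findings, most serious first; an empty list means none."""
    findings: List[str] = []
    if cfg.telnet_enabled:
        findings.append("Telnet enabled: CLI credentials cross the network "
                        "in cleartext; prefer Telnet/SSL or SSH")
    if cfg.http_enabled:
        findings.append("HTTP enabled: Manager sessions are unencrypted; prefer HTTPS")
    if cfg.ssl_version not in SSL_STRENGTH:
        findings.append(f"unknown SSL version setting {cfg.ssl_version!r}")
    elif SSL_STRENGTH[cfg.ssl_version] < SSL_STRENGTH["TLS Version 1"]:
        findings.append(f"{cfg.ssl_version} selected: TLS Version 1 offers "
                        "more security options")
    if cfg.https_on_public:
        findings.append("HTTPS reachable on the public interface")
    if cfg.ssh_on_public or cfg.xml_ssh_on_public:
        findings.append("SSH (CLI and/or XML management) reachable on the public interface")
    if cfg.snmp_enabled:
        findings.append("SNMP agent enabled: read-only, but it still exposes device "
                        "information; keep only if a management station needs it")
    return findings


def hardened(cfg: ManagementProtocols) -> ManagementProtocols:
    """Copy of cfg restricted to encrypted, private-interface management."""
    return replace(cfg, http_enabled=False, telnet_enabled=False,
                   ssl_version="TLS Version 1", https_on_public=False,
                   ssh_on_public=False, xml_ssh_on_public=False)


if __name__ == "__main__":
    current = ManagementProtocols()
    for finding in audit(current):
        print("-", finding)
    print("after hardening:", audit(hardened(current)))
```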
CHAPTER 9 Events
An event is any significant occurrence within or affecting the VPN 3002 such as an alarm, trap, error condition, network problem, task completion, threshold breach, or status change. The VPN 3002 records events in an event log, which is stored in nonvolatile memory. You can also specify that certain events trigger a console message, a UNIX syslog record, or an SNMP management system trap. Event attributes include class and severity level.
Event Class (Class Name: Class Description / Event Source; * marks a Cisco-specific Event Class):
EVENTDBG: Event subsystem debugging*
EVENTMIB: Event MIB changes*
FSM: Finite State Machine subsystem (for debugging)*
FTPD: FTP daemon subsystem
GENERAL: NTP subsystem and other general events
HARDWAREMON: Hardware monitoring (fans, temperature, voltages, etc.)
Event Severity Level
Note: The Cisco-specific event classes provide information that is meaningful only to Cisco engineering or support personnel. Also, the DBG and DECODE events require significant system resources and might seriously degrade performance. We recommend that you avoid logging these events unless Cisco requests it.
Event Log
The VPN 3002 records events in an event log, which is stored in nonvolatile memory. Thus the event log persists even if the system is powered off. For troubleshooting any system difficulty, or just to examine details of system activity, consult the event log first. The VPN 3002 holds 256 events. The log wraps when it is full; that is, newer events overwrite older events when the log is full.

Configuration | System | Events
This section of the Manager lets you configure how the VPN 3002 handles events. Events provide information for system monitoring, auditing, management, accounting, and troubleshooting.
Figure 9-1 Configuration | System | Events Screen

Configuration | System | Events | General
This Manager screen lets you configure the general, or default, handling of all events. These defaults apply to all event classes.
Syslog Format: Click the Syslog Format drop-down menu button and choose the format for all events sent to UNIX syslog servers. Choices are:
• Original = Original VPN 3002 event format with information on one line. Each entry in the event log consists of the following fields:
Sequence Date Time SEV=Severity Class/Number RPT=RepeatCount String
– Sequence: The sequence number of the event.
– Date: The date the event occurred.
The Original severities and the Cisco IOS severities differ. Original severities number from 1-13. (For the meaning of each Original severity, see Table 8-1.) Cisco IOS severities number from 0-7. The "Cisco IOS Severities" table that follows shows the meaning of Cisco IOS severities and how they map to Original severities.

Configuration | System | Events | Classes
Severity to Trap: Click the drop-down menu button and select the range of event severity levels to send to an SNMP network management system (NMS) by default. Event messages sent to SNMP systems are called "traps." The choices are: None, 1, 1-2, 1-3. The default is None; if you choose this range, no events are sent as SNMP traps.
Figure 9-3 Configuration | System | Events | Classes Screen
To configure default event handling, click the highlighted link that says "Click here to configure general event parameters."
Configured Event Classes: The Configured Event Classes list shows the event classes that have been configured for special handling.

Configuration | System | Events | Classes | Add or Modify
These screens let you:
• Add: Configure and add the special handling of a specific event class.
• Modify: Modify the special handling of a specific event class.
Figure 9-4 Configuration | System | Events | Classes | Add Screen
Class Name: Add screen: Click the drop-down menu button and select the event class you want to add and configure for special handling.
Severity to Console: Click the drop-down menu button and select the range of event severity levels to display on the console. The choices are: None, 1, 1-2, 1-3, ..., 1-13. The default is 1-3; if you choose this range, events of severity level 1 through severity level 3 are displayed on the console.
Severity to Syslog: Click the drop-down menu button and select the range of event severity levels to send to a UNIX syslog server.
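A parser for the "Original" event layout described under Syslog Format, with the Severity to Console/Syslog/Trap range choice applied to decide which events reach each destination. This is an added example, not Cisco code; the sample lines are constructed (the page gives the field order and the 1-13 severity scale but not the date/time spelling or any class/number values), so the parser accepts any two whitespace-free tokens for Date and Time.

```python
"""Parser for the VPN 3002 "Original" event layout named on this page
(Sequence Date Time SEV=Severity Class/Number RPT=RepeatCount String), plus
the 'Severity to Console/Syslog/Trap' range selection applied to it.

Added example, not Cisco code. The sample lines are constructed: the page gives
the field order and the 1-13 severity scale, not the date/time spelling or the
class/number values used below.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log; class names are ones listed in the Event Class table.
SAMPLE_LOG = """\
101 04/10/2003 10:15:32.120 SEV=4 FTPD/2 RPT=1 constructed: FTP session opened
102 04/10/2003 10:15:33.001 SEV=1 HARDWAREMON/7 RPT=3 constructed: fan failure
103 04/10/2003 10:15:40.550 SEV=9 FSM/12 RPT=1 constructed: state transition (debug)
104 04/10/2003 10:16:02.000 SEV=3 GENERAL/5 RPT=1 constructed: NTP server unreachable
"""

EVENT_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+SEV=(?P<sev>\d+)\s+"
    r"(?P<cls>[A-Z0-9]+)/(?P<num>\d+)\s+RPT=(?P<rpt>\d+)\s*(?P<msg>.*)$"
)


@dataclass(frozen=True)
class Event:
    sequence: int
    date: str
    time: str
    severity: int        # Original severities: 1 (most severe) .. 13
    event_class: str
    number: int
    repeat_count: int
    message: str


def parse_event(line: str) -> Event:
    """Parse one Original-format line; reject anything outside the layout."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not in Original event format: {line!r}")
    sev = int(m["sev"])
    if not 1 <= sev <= 13:
        raise ValueError(f"Original severities are 1-13, got {sev}")
    return Event(int(m["seq"]), m["date"], m["time"], sev, m["cls"],
                 int(m["num"]), int(m["rpt"]), m["msg"])


def parse_log(text: str) -> List[Event]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def severity_limit(choice: str, highest_allowed: int = 13) -> Optional[int]:
    """Map a 'Severity to ...' choice ('None', '1', '1-2', ..., '1-13') to the
    highest severity it includes. Console and Syslog offer up to '1-13';
    Severity to Trap offers only up to '1-3', so pass highest_allowed=3 for it."""
    if choice == "None":
        return None
    low, _, high = choice.partition("-")
    hi = int(high or low)
    if int(low) != 1 or not 1 <= hi <= highest_allowed:
        raise ValueError(f"invalid severity range {choice!r}")
    return hi


def select_events(events: List[Event], choice: str,
                  highest_allowed: int = 13) -> List[Event]:
    """Events that the given range choice would deliver to that destination."""
    limit = severity_limit(choice, highest_allowed)
    return [] if limit is None else [e for e in events if e.severity <= limit]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in select_events(events, "1-3"):           # console default range
        print(e.sequence, e.event_class, e.severity, e.message)
```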
Configuration | System | Events | Trap Destinations
This section of the Manager lets you configure SNMP network management systems as destinations of event traps. Event messages sent to SNMP systems are called "traps." If you configure any event handling, default or special, with values in Severity to Trap fields, you must configure trap destinations in this section.

Configuration | System | Events | Trap Destinations | Add or Modify
To remove an SNMP trap destination that has been configured, select the destination from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the list. Reminder: The Manager immediately includes your changes in the active configuration.
Port: Enter the UDP port number by which you access the destination SNMP server. Use a decimal number from 0 to 65535. The default is 162, which is the well-known port number for SNMP traps.
Add or Apply/Cancel: To add this system to the list of SNMP trap destinations, click Add. Or to apply your changes to this trap destination, click Apply. Both actions include your entry in the active configuration.

Configuration | System | Events | Syslog Servers
Syslog Servers: The Syslog Servers list shows the UNIX syslog servers that have been configured as recipients of event messages. You can configure a maximum of five syslog servers. If no syslog servers have been configured, the list shows --Empty--.
Add/Modify/Delete: To configure a new syslog server, click Add. See Configuration | System | Events | Syslog Servers | Add.

Configuration | System | Events | Syslog Servers | Add or Modify
These Manager screens let you:
• Add: Configure and add a UNIX syslog server as a recipient of event messages. You can configure a maximum of five syslog servers.
• Modify: Modify a configured UNIX syslog server that is a recipient of event messages.
Add or Apply/Cancel: To add this server to the list of syslog servers, click Add. Or to apply your changes to this syslog server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Syslog Servers screen. Any new server appears in the Syslog Servers list.
CHAPTER 10 General
General configuration parameters include VPN 3002 environment items: system identification, time, and date.

Configuration | System | General
This section of the Manager lets you configure general VPN 3002 parameters.
• Identification: system name, contact person, system location.
• Time and Date: system time and date.
Figure 10-1 Configuration | System | General Screen

Configuration | System | General | Identification
This screen lets you configure system identification parameters that are stored in the standard MIB-II system object. Network management systems using SNMP can retrieve this object and identify the system. Configuring this information is optional.

Configuration | System | General | Time and Date
This screen lets you set the time and date on the VPN 3002. Setting the correct time is very important so that logging information is accurate.
Figure 10-3 Configuration | System | General | Time and Date Screen
Current Time: The screen shows the current date and time on the VPN 3002 at the time the screen displays. You can refresh this by redisplaying the screen.
Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | General screen.
CHAPTER 11 Policy Management
The VPN 3002 works in either of two modes: Client mode or Network Extension mode. To view a brief interactive multimedia piece that explains the differences between the two modes, go to this URL: http://www.cisco.com/mm/techsnap/VPN3002_techsnap.html Your web browser must be equipped with a current version of the Macromedia Flash Player to view the content.
Certificate Validation: To enable and set criteria that must match for the VPN 3002 to verify a certificate from the Concentrator to which it connects, click Certificate Validation.

Configuration | Policy Management | Traffic Management
When you click Traffic Management on the Configuration | Policy Management screen, the Manager displays the Configuration | Policy Management | Traffic Management screen.
Client Mode with Split Tunneling
You assign the VPN 3002 to a client group on the central-site VPN Concentrator. If you enable split tunneling for that group, IPSec and PAT are applied to all traffic that travels through the VPN 3002 to networks within the network list for that group behind the central-site VPN Concentrator.
Step 3 Enter the username and password for the VPN 3002.
Alternatively, you can initiate a tunnel by clicking Connect Now on the Monitoring | System Status screen.
Network Extension Mode with Split Tunneling
You always assign the VPN 3002 to a client group on the central-site VPN Concentrator.
Tunnel Initiation
The VPN 3002 always initiates the tunnel to the central-site VPN Concentrator. The central-site VPN Concentrator cannot initiate a tunnel to a VPN 3002. The VPN 3002 creates only one IPSec tunnel to the central-site VPN Concentrator, in either PAT or Network Extension mode. The tunnel can support multiple encrypted data streams between users behind the VPN 3002 and the central site.
Data Initiation
After the tunnel is established between the VPN 3002 and the central-site VPN Concentrator, the VPN Concentrator can initiate data exchange only in Network Extension mode with all traffic travelling through the tunnel. If you want the tunnel to remain up indefinitely, configure the VPN 3002 for Network Extension mode and do not use split tunneling.

Configuration | Policy Management | Traffic Management | PAT | Enable
This screen lets you enable or disable PAT, which applies PAT to all configured traffic traveling from the private interface to the public interface.
Figure 11-4 Configuration | Policy Management | Traffic Management | PAT | Enable Screen
PAT Enabled: Check the box to enable Client Mode (PAT), or clear it to enable Network Extension Mode.

Configuration | Policy Management | Certificate Validation
When you click Certificate Validation on the Configuration | Policy Management screen, the Manager displays the Configuration | Policy Management | Certificate Validation screen.
Distinguished Name Component: Select the type of distinguished name (Subject or Issuer) and the fields you want to use in the matching criteria. A distinguished name can contain a selection from the following fields:
Field / Content: Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.520 terminology.
Operator: The Operators are =, !=, * or !*. This section defines each of the operators, and explains how they are used in a sample Matching Criteria set at CN="IDCert",OU*"Cisco",ISSUER-CN!="Entrust",ISSUER-OU!*"wonderland"
Field / Content / Example:
Equals (=): The distinguished name field must exactly match the value. Example: CN="ID Cert" specifies an exact match on the CN.
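An evaluator for the matching-criteria syntax shown above, applied to a certificate's Subject and Issuer distinguished names; this is an added example, not Cisco code. The page defines only Equals (=) in the text that survives here, so treating * as "contains", !* as "does not contain", != as "not equal", comparisons as case-sensitive and all clauses as ANDed is an assumption; straight quotes stand in for the typographic quotes in the page's sample.

```python
"""Evaluator for the Certificate Validation matching-criteria syntax on this
page: comma-separated clauses FIELD OP "value", where FIELD is one of CN, OU,
O, L, SP, C (optionally prefixed ISSUER- to test the Issuer DN instead of the
Subject DN) and OP is =, !=, * or !*.

Added example, not Cisco code. Assumptions: * means "contains", !* means "does
not contain", != means "not equal", comparisons are case-sensitive, clauses
are ANDed, and values do not themselves contain commas or double quotes.
"""
import re
from typing import Dict, List, NamedTuple

DN = Dict[str, str]     # e.g. {"CN": "IDCert", "OU": "Cisco Systems"}

# Longer operators (!=, !*) are listed first so they win over = and *.
CLAUSE_RE = re.compile(
    r'^(?P<issuer>ISSUER-)?(?P<field>CN|OU|O|L|SP|C)'
    r'(?P<op>!=|!\*|=|\*)"(?P<value>[^"]*)"$'
)


class Clause(NamedTuple):
    issuer: bool      # True: test the Issuer DN; False: test the Subject DN
    field: str
    op: str
    value: str


def parse_criteria(text: str) -> List[Clause]:
    """Split a Matching Criteria string into clauses, rejecting bad syntax."""
    clauses: List[Clause] = []
    for part in text.split(","):
        m = CLAUSE_RE.match(part.strip())
        if not m:
            raise ValueError(f"bad matching-criteria clause: {part.strip()!r}")
        clauses.append(Clause(bool(m["issuer"]), m["field"], m["op"], m["value"]))
    return clauses


def clause_matches(clause: Clause, subject: DN, issuer: DN) -> bool:
    """Apply one clause; an absent field fails = and * but satisfies != and !*."""
    dn = issuer if clause.issuer else subject
    actual = dn.get(clause.field)          # None when the field is absent
    if clause.op == "=":
        return actual == clause.value
    if clause.op == "!=":
        return actual != clause.value
    if clause.op == "*":
        return actual is not None and clause.value in actual
    if clause.op == "!*":
        return actual is None or clause.value not in actual
    raise ValueError(f"unknown operator {clause.op!r}")


def certificate_accepted(criteria: str, subject: DN, issuer: DN) -> bool:
    """True only when every clause matches (assumed AND semantics)."""
    return all(clause_matches(c, subject, issuer) for c in parse_criteria(criteria))


if __name__ == "__main__":
    # The page's sample criteria, against a constructed peer certificate.
    sample = 'CN="IDCert",OU*"Cisco",ISSUER-CN!="Entrust",ISSUER-OU!*"wonderland"'
    subject = {"CN": "IDCert", "OU": "Cisco Systems", "O": "Example", "C": "US"}
    issuer = {"CN": "Example Root CA", "OU": "lab", "O": "Example", "C": "US"}
    print("accepted:", certificate_accepted(sample, subject, issuer))   # True
```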
C H A P T E R 12 Administration Administering the VPN 3002 involves activities that keep the system operational and secure. Configuring the system sets the parameters that govern its use and functionality as a VPN device, but administration involves higher level activities such as who is allowed to configure the system, and what software runs on it. Administration This section of the Manager lets you control administrative functions on the VPN 3002.
Chapter 12 Administration Administration | Software Update Figure 12-1 Administration Screen Administration | Software Update This section of the Manager lets you update the VPN 3002 executable system software. This process uploads the file to the VPN 3002, which then verifies the integrity of the file. The new image file must be accessible by the workstation you are using to manage the VPN 3002. Software image files ship on the Cisco VPN 3002 CD-ROM.
Figure 12-2 Administration | Software Update Screen

Current Software Revision
The name, version number, and date of the software image currently running on the system.

Browse...
Enter the complete pathname of the new image file, or click Browse... to find and select the file from your workstation or network. Cisco-supplied VPN 3002 software image files are named: vpn3002 ...
Software Update Progress
This window shows the progress of the software upload. It refreshes the number of bytes transferred at 10-second intervals.

Figure 12-3 Administration | Software Update Progress Window

When the upload is finished, or if the upload is cancelled, the progress window closes.

Software Update Success
The Manager displays this screen when it completes the software upload and verifies the integrity of the software.
Figure 12-5 Administration | Software Update Error Screen

Administration | System Reboot

This screen lets you reboot or shut down (halt) the VPN 3002 with various options. We strongly recommend that you shut down the VPN 3002 before you turn power off. If you simply turn power off without shutting down, you might corrupt Flash memory and affect subsequent operation of the system.
Figure 12-6 Administration | System Reboot Screen

Action
Click a radio button to select the desired action. You can select only one action.

• Reboot = Reboot the VPN 3002. Rebooting terminates all sessions, resets the hardware, loads and verifies the software image, executes system diagnostics, and initializes the system. A reboot takes about 60-75 seconds. (This is the default selection.)
• Reboot ignoring the Configuration file = Reboot using all the factory defaults; that is, start the system as if it had no CONFIG file. You will need to go through all the Quick Configuration steps described in the VPN 3002 Getting Started manual, including setting the system date and time and supplying an IP address for the Ethernet 1 (private) interface, using the system console.
Administration | Ping

Address/Hostname to Ping
Enter the IP address or hostname of the system you want to test. (If you configured a DNS server, you can enter a hostname; otherwise, enter an IP address.) The maximum length is 64 characters.

Ping/Cancel
To send the ping message, click Ping. The Manager pauses during the test, which might take a few moments; wait for the operation to finish. The Manager then displays either a Success or an Error screen; see below.
Figure 12-9 Administration | Ping | Error Screen

To return to the Administration | Ping screen, click Retry the operation. To go to the main Manager screen, click Go to main menu.

Administration | Access Rights

This section of the Manager lets you configure and control administrative access to the VPN 3002.

• Administrators: configure administrator usernames, passwords, and rights.
Administration | Access Rights | Administrators

Figure 12-11 Administration | Access Rights | Administrators Screen

Administrator
The VPN 3002 has three predefined administrators:

• admin = System administrator with access to, and rights to change, all areas. This is the only administrator enabled by default; in other words, it is the only administrator who can log in to, and use, the VPN 3002 Hardware Client Manager as supplied by Cisco. Change the factory-default admin password before you place the VPN 3002 on a network.
Enabled
Check the box to enable, or clear the box to disable, an administrator. Only enabled administrators can log in to, and use, the VPN 3002 Hardware Client Manager. You must enable at least one administrator, and you can enable all administrators. By default, only admin is enabled.

Apply/Cancel
To save this screen's settings in nonvolatile memory, click Apply. The settings immediately affect new sessions.
Administration | Access Rights | Access Settings

This screen lets you configure general options for administrator access to the Manager.

Figure 12-12 Administration | Access Rights | Access Settings Screen

Session Idle Timeout
Enter the idle timeout period in seconds for administrative sessions. If there is no activity for that period, the Manager session terminates.
Administration | File Management

This section of the Manager lets you manage files in VPN 3002 Flash memory. (Flash memory acts like a disk.) These files include CONFIG, CONFIG.BAK, saved log files, memory reports, and copies of any of these files that you have saved under different names.

Figure 12-13 Administration | File Management | View Screen

View (Save)
View Files lets you view configuration and saved log files.
Delete
Delete lets you delete configuration files, saved log files, crash dump files, and memory reports. To delete a file, click Delete next to the type of file you want to delete. When you select this option, a pop-up window asks you to confirm or cancel. If you confirm, the file is deleted; the Manager refreshes the screen and shows the revised list of files. There is no undo.
Administration | File Management | Config File Upload

This screen lets you use HTTP (Hypertext Transfer Protocol) to transfer a configuration file from your PC, or from a system accessible from your PC, to VPN 3002 Flash memory. Because a configuration file carries the device's administrative and tunnel credentials, run the Manager session over HTTPS when you upload one. This function provides special handling for configuration (config) files. If the uploaded file has the VPN 3002 filename config, the system deletes any existing config.
Figure 12-16 Administration | File Management | File Upload Progress Window

When the upload is finished, or if the upload is cancelled, the progress window closes.

File Upload Success
The Manager displays this screen to confirm that the file upload was successful.
Certificate Management

Digital certificates are a form of digital identification used for authentication. A digital certificate contains information that identifies a device or user, such as the name, serial number, company, department, or IP address. Certificate Authorities (CAs) issue digital certificates in the context of a Public Key Infrastructure (PKI), which relies on public-key cryptography: the CA's signature on the certificate binds the named identity to a public key, and the holder proves that identity by using the matching private key, which never leaves the device.
Managing Certificates with SCEP

The manual method involves more steps. You can do some of the steps using the Manager. Other steps require that you exchange information with the CA directly. You deliver your enrollment request and receive the certificate from the CA via the Internet, email, or a floppy disk.

Note: If you install a CA certificate using the manual method, you must also use the manual method to request identity or SSL certificates from that CA.
Figure 12-19 Administration | Certificate Management Screen

Step 2 Click Click here to install a CA certificate.

Note: The Click here to install a CA certificate option is available from this window only when no CA certificates are installed on the VPN 3002. If you do not see this option, click Click here to install a certificate.

The Manager displays the Administration | Certificate Management | Install screen.
Figure 12-21 Administration | Certificate Management | Install | CA Certificate | SCEP Screen

Step 4 Fill in the fields and click Retrieve.

• URL: Enter the URL of the CA's SCEP interface.
• CA Descriptor: Some CAs use descriptors to further identify the certificate. If your CA gave you a descriptor, enter it here. Otherwise, enter a descriptor of your own. You must enter something in this field.

SCEP retrieves the CA certificate over plain HTTP without authenticating it, so after retrieval compare its SHA1 Thumbprint (Administration | Certificate Management | View) with the value the CA operator gives you through another channel before you enroll against it.
Figure 12-22 Administration | Certificate Management | Enroll Screen

Step 3 Click Identity Certificate. The Manager displays the Administration | Certificate Management | Enroll | Identity Certificate screen. (See Figure 12-23.)

Figure 12-23 Administration | Certificate Management | Enroll | Identity Certificate Screen

Notice that a link appears for each SCEP-enabled CA certificate on the VPN 3002.
Step 4 Click Enroll via SCEP at Certificate Name. The Administration | Certificate Management | Enroll | Identity Certificate | SCEP screen displays. (See Figure 12-24.)

Figure 12-24 Administration | Certificate Management | Enroll | Identity Certificate | SCEP Screen

Step 5 Fill in the fields and click Enroll. (For information on the fields on this screen, see Table 12-1.) The VPN 3002 sends the certificate request to the CA.
Figure 12-25 Administration | Certificate Management | Enrollment | Request Generated Screen

Click Go to Certificate Management. The Manager displays the Administration | Certificate Management screen. Your new identity certificate appears in the Identity Certificates table.

Enrolling and Installing Certificates Manually
Figure 12-26 Administration | Certificate Management Screen

Step 3 Click Click here to install a CA certificate. The Administration | Certificate Management | Install screen displays.

Note: The Click here to install a CA certificate option is available from this screen only when no CA certificates are installed on the VPN 3002. If you do not see this option, click Click here to install a certificate.
Figure 12-28 Administration | Certificate Management | Install | CA Certificate Screen

Step 5 Click Upload File from Workstation or Cut and Paste Text, depending on how you retrieved the CA certificate. The Manager displays a screen appropriate to your choice.

Step 6 Supply the certificate according to your chosen method.

Step 7 Click Install. The Manager installs the CA certificate on the VPN 3002.
Figure 12-30 Administration | Certificate Management | Enroll | Identity Certificate Screen

Step 3 Click Enroll via PKCS10 Request (Manual). The Administration | Certificate Management | Enroll | Identity Certificate | PKCS10 screen displays.

Figure 12-31 Administration | Certificate Management | Enroll | Identity Certificate | PKCS10 Screen

Step 4 Enter values in each of the fields on this screen.
Figure 12-32 Administration | Certificate Management | Enroll | Request Generated Screen

The Manager displays this screen when the system has successfully generated a certificate request.

Note: You must complete the enrollment and certificate installation process within one week of generating the request. If you do not, the pending request is deleted.
Step 7 Close this browser window when you have finished.

Requesting an Identity Certificate from a CA Manually

Next, submit the identity request to a CA. This must be the same CA whose CA certificate you installed on the VPN 3002 in the previous procedure. Submit the request and retrieve an identity certificate according to the procedures of your CA.
Figure 12-35 Administration | Certificate Management | Install certificate obtained via enrollment Screen

Step 3 In the Actions column of the Enrollment Status table, click Install. The Administration | Certificate Management | Install Identity Certificate screen displays.
Obtaining SSL Certificates

If you use a secure connection between your browser and the VPN 3002, the VPN 3002 requires an SSL certificate. You need only one SSL certificate on your VPN 3002. When you initially boot the VPN 3002, a self-signed SSL certificate is automatically generated. Because a self-signed certificate is self-generated, this certificate is not verifiable: no CA has vouched for its identity. Before you accept it in your browser, compare the thumbprint the browser shows with the SHA1 Thumbprint on the Administration | Certificate Management | View screen, reached over a path you already trust (for example, a session on the private interface).
Figure 12-37 Configuration | System | Tunneling Protocols | IPSec Screen

Step 2 Check the Use Certificate check box.

Step 3 Select a Certificate Transmission option. If you want the VPN 3002 to send the peer the identity certificate and all issuing certificates (including the root certificate and any subordinate CA certificates), click Entire certificate chain.

Deleting Digital Certificates
Follow these steps to delete certificates:

Step 1 Display the Administration | Certificate Management screen. (See Figure 12-19.)

Step 2 Find the certificate you want to delete and click Delete. The Administration | Certificate Management | Delete screen appears.

Figure 12-38 Administration | Certificate Management | Delete Screen

Step 3 Click Yes. The Manager returns to the Administration | Certificate Management window.
Administration | Certificate Management

This section of the Manager shows outstanding enrollment requests and all the certificates installed on the VPN 3002, and it lets you manage them. The links at the top of this screen guide you step by step through the process of enrolling and installing certificates. For more information on the certificate management process, see the "Enrolling and Installing Digital Certificates" section.
Certificate Authorities Table

This table shows root and subordinate CA certificates installed on the VPN 3002.

Fields
These fields appear in the Certificate Authorities table:

Subject/Issuer
The Common Name (CN) or Organizational Unit (OU) (if present), plus the Organization (O) in the Subject and Issuer fields of the certificate. The format is CN at O, OU at O, or just O; for example, Root 2 at CyberTrust.
SSL Certificate Table [ Generate ]

This table shows the SSL server certificate installed on the VPN 3002. The system can have only one SSL server certificate installed: either a self-signed certificate or one issued in a PKI context. To generate a self-signed SSL server certificate, click Generate. The system uses the parameters set on the Configuration | System | Management Protocols | SSL screen and generates the certificate.
Fields
These fields appear in the Certificate Authorities, Identity Certificates, and SSL Certificate tables:

Subject/Issuer
The Common Name (CN) or Organizational Unit (OU) (if present), plus the Organization (O) in the Subject and Issuer fields of the certificate. The format is CN at O, OU at O, or just O; for example, Root 2 at CyberTrust. The CN, OU, and O fields display a maximum of 33 characters each.
Enrollment Status Table

This table tracks the status of active enrollment requests. The VPN 3002 supports one (installed) identity certificate and one (outstanding) enrollment request. If you currently have an identity certificate on your VPN 3002 and you want to change it, you can request a second certificate, but the VPN 3002 does not install this certificate immediately.
Status
• In Progress = The request has been created, but the requested certificate has not yet been installed. This value is used only for PKCS10 (manual) enrollment requests.
• Polling = The CA did not immediately fulfill the enrollment request; the VPN 3002 has entered polling mode. This value is used only for enrollment requests created using SCEP.
Administration | Certificate Management | Enroll

Choose whether you are creating an enrollment request for an identity certificate or an SSL certificate.

Figure 12-40 Administration | Certificate Management | Enroll Screen

Identity Certificate
Click Identity Certificate to create a certificate request for an identity certificate.
Administration | Certificate Management | Enroll | Certificate Type

Choose the method for enrolling the (identity or SSL) certificate.

Figure 12-41 Administration | Certificate Management | Enroll | Identity Certificate Screen

Enroll via PKCS10 Request (Manual)
Click Enroll via PKCS10 Request (Manual) to enroll the certificate manually.
Administration | Certificate Management | Enroll | Certificate Type | PKCS10

To generate an enrollment request for an SSL or identity certificate, you need to provide information about the VPN 3002.

Figure 12-42 Administration | Certificate Management | Enroll | Identity Certificate via PKCS10 Screen

Fields
For an explanation of each of the fields on this screen, see Table 12-1.
Table 12-1 Fields in a Certificate Request

Field Name          Manual  SCEP  Content
Common Name (CN)    Yes     Yes   The primary identity of the entity associated with the certificate, for example, Gateway A. Spaces are allowed. You must enter a name in this field.
Table 12-1 Fields in a Certificate Request (continued)

Field Name          Manual  SCEP  Content
Challenge Password  No      Yes   This field displays if you are requesting a certificate using SCEP. Use it according to the policy of your CA: your CA might have given you a password; if so, enter it here for authentication. Your CA might instead allow you to provide your own password to identify yourself to the CA in the future.
Enroll / Cancel
To generate the certificate request, click Enroll. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen (see Figure 12-43) with the text of your certificate request. To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen.
Administration | Certificate Management | Enrollment or Renewal | Request Generated

The Manager displays this screen when the system has successfully generated a certificate request. The request is a Base-64 encoded file in PKCS #10 format (the Certification Request Syntax standard), which most CAs recognize or require.
Go to Certificate Installation
If you want to install the certificate you have just enrolled, click Go to Certificate Installation. The Manager displays the Administration | Certificate Management | Install screen.
Enroll / Cancel
To generate the certificate request and install the identity certificate on the VPN 3002, click Enroll. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. (See Figure 12-43.) To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen. (See Figure 12-19.)

Administration | Certificate Management | Enroll | SSL Certificate | SCEP
Fields
For an explanation of each of the fields on this screen, see Table 12-1.

Enroll
To generate the certificate request and install the SSL certificate on the VPN 3002, click Enroll. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. If there is already an active request for an SSL certificate, an error message appears instead.
Administration | Certificate Management | Install

Choose the type of certificate you want to install.

Figure 12-46 Administration | Certificate Management | Install Screen

Install CA Certificate
If you want to install a CA certificate, click Install CA Certificate. The Manager displays the Administration | Certificate Management | Install | CA Certificate screen.
Administration | Certificate Management | Install | Certificate Obtained via Enrollment

Once you have enrolled a certificate, you can install it. This screen lets you install an enrolled certificate.
Administration | Certificate Management | Install | Certificate Type

Choose the method you want to use to install the certificate.

Figure 12-48 Administration | Certificate Management | Install | CA Certificate Screen

SCEP (Simple Certificate Enrollment Protocol)
Note: This option is available only for CA certificates.
Administration | Certificate Management | Install | CA Certificate | SCEP

On this screen, provide information about the certificate authority so that the VPN 3002 can retrieve and install a CA certificate automatically using SCEP.

Figure 12-49 Administration | Certificate Management | Install | CA Certificate | SCEP Screen

URL
Enter the URL of the SCEP interface of the CA.
Administration | Certificate Management | Install | Certificate Type | Cut and Paste Text

To install the certificate using the manual method, cut and paste the certificate text into the Certificate Text window.
Administration | Certificate Management | Install | Certificate Type | Upload File from Workstation

If you want to install a certificate stored on your PC, use this screen to upload the certificate file to the VPN 3002.
Administration | Certificate Management | View

The Manager displays this screen of certificate details when you click View for a certificate on the Administration | Certificate Management screen. The details vary depending on the certificate content. The content and format of certificate details are governed by the ITU-T X.509 standard as profiled for the Internet by the IETF in RFC 2459 (since superseded by RFC 5280).
Certificate Fields

A certificate contains some or all of the following fields:

Subject
The person or system that uses the certificate. For a CA root certificate, the Subject and Issuer are the same.

Issuer
The CA or other entity (jurisdiction) that issued the certificate. Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.520 terminology.
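The following is an added example, not code from the manual or the product. It shows what the CN, OU, O, L, SP, C hierarchy described here looks like on the wire: it encodes a list of components as the DER X.501 Name that a certificate's Subject or Issuer (and a PKCS #10 request) carries, decodes it back, and then renders it in the "CN at O", "OU at O", or "O" form that the Certificate Authorities, Identity Certificates and SSL Certificate tables above use, cutting each component to 33 characters. The DER layout (Name = SEQUENCE OF RelativeDistinguishedName, RDN = SET OF AttributeTypeAndValue) and the id-at OIDs follow X.501/X.520 as profiled in RFC 2459; assumptions specific to this example are one attribute per RDN, PrintableString for C and UTF8String for the other values, and the constructed sample DN.

```python
"""Encode/decode the DER X.501 Name behind a certificate's Subject and Issuer,
and summarize it as the VPN 3002 Manager does ("CN at O", "OU at O", or "O").
Added example, not the product's code; the sample DN is constructed.
"""
from typing import Dict, List, Tuple

# X.520 attribute types under id-at (2.5.4). SP is the manual's label for
# stateOrProvinceName, shown as ST by most other tools.
OIDS: Dict[str, str] = {"CN": "2.5.4.3", "OU": "2.5.4.11", "O": "2.5.4.10",
                        "L": "2.5.4.7", "SP": "2.5.4.8", "C": "2.5.4.6"}
LABELS = {oid: label for label, oid in OIDS.items()}
TAG_SEQUENCE, TAG_SET, TAG_OID, TAG_UTF8, TAG_PRINTABLE = 0x30, 0x31, 0x06, 0x0C, 0x13


def _length(n: int) -> bytes:
    """DER length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]                 # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                 # base-128, high bit on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_name(components: List[Tuple[str, str]]) -> bytes:
    """[(label, value), ...] -> DER Name, one single-valued RDN per component."""
    rdns = b""
    for label, value in components:
        tag = TAG_PRINTABLE if label == "C" else TAG_UTF8
        atv = _tlv(TAG_SEQUENCE, _encode_oid(OIDS[label]) + _tlv(tag, value.encode()))
        rdns += _tlv(TAG_SET, atv)
    return _tlv(TAG_SEQUENCE, rdns)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after the element); refuses truncated input."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_name(der: bytes) -> List[Tuple[str, str]]:
    """Inverse of encode_name; unknown attribute types come back as dotted OIDs."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        if tag != TAG_SET:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)
            _, oid, q = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, q)
            out.append((LABELS.get(_decode_oid(oid), _decode_oid(oid)), value.decode()))
    return out


def manager_summary(components: List[Tuple[str, str]]) -> str:
    """'CN at O', else 'OU at O', else 'O'; each field cut to 33 characters."""
    fields: Dict[str, str] = {}
    for label, value in components:
        fields.setdefault(label, value[:33])
    org = fields.get("O", "")
    if "CN" in fields and org:
        return f"{fields['CN']} at {org}"
    if "OU" in fields and org:
        return f"{fields['OU']} at {org}"
    return org


# Constructed sample subject, general-to-specific as stored in a certificate.
SAMPLE_DN = [("C", "US"), ("SP", "California"), ("L", "San Jose"),
             ("O", "Example Corp"), ("OU", "Network Engineering"), ("CN", "Gateway A")]

if __name__ == "__main__":
    der = encode_name(SAMPLE_DN)
    print(der.hex())
    print(manager_summary(decode_name(der)))
```

The 33-character cut applies only to what the table displays; the matching criteria on the Configuration | Policy Management | Certificate Validation screen are evaluated against the full attribute values, so a CN longer than 33 characters can look identical in the table to another certificate and still match differently.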
SHA1 Thumbprint
A 160-bit SHA-1 hash of the complete certificate contents, shown as a 20-byte string. This value identifies the certificate. If you question a certificate's authenticity, compare this value with the one the issuer gives you through a channel you trust. (SHA-1 is no longer collision resistant, so treat the thumbprint as a check against a reference value obtained out of band rather than as proof that no other certificate can share it.)

Validity
The time period during which this certificate is valid. The format is MM/DD/YYYY at HH:MM:SS to MM/DD/YYYY at HH:MM:SS.
Administration | Certificate Management | Configure CA Certificate

This screen lets you configure this CA certificate so that it can issue identity certificates via SCEP.

Figure 12-53 Administration | Certificate Management | Configure CA Certificate Screen

Certificate
The certificate for which you are configuring SCEP parameters.
Polling Limit
Enter the number of times the VPN 3002 should re-send an enrollment request if the CA does not issue the certificate immediately. The minimum number of re-sends is 0; the maximum is 100. If you do not want any polling limit (in other words, you want unlimited re-sends), enter none.

Apply / Cancel
To configure CRL checking for this certificate, click Apply.
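The following is an added example, not code from the manual or the product. It models the enrollment life cycle that the Enrollment Status table and this Polling Limit field describe: a SCEP request that the CA does not fulfil at once goes to Polling, is re-sent up to the limit (0 to 100, or none for unlimited), and ends Complete or, if the limit runs out, in an error state the administrator can re-submit; a first identity certificate is installed as soon as it arrives, while a replacement for an already installed certificate waits for the explicit Install step, and only one request may be outstanding. It also builds the GET-style SCEP query (operation=..., message=...) from RFC 8894 that a client sends to the URL field with the CA Descriptor as the message. The CA is a stand-in that answers "pending" a fixed number of times; no PKCS #7/PKCS #10 messages are built, and the name Error for a request that exhausted its limit is an assumption.

```python
"""Model of the VPN 3002 enrollment request life cycle plus the SCEP query URL.
Added example, not the product's code; StubCA stands in for a real CA and
no SCEP PKI messages are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Union
from urllib.parse import quote, urlencode


def scep_url(base_url: str, operation: str, message: str = "") -> str:
    """GET form of a SCEP request, e.g. ...?operation=GetCACert&message=My%20CA."""
    params = {"operation": operation}
    if message:
        params["message"] = message
    return f"{base_url}?{urlencode(params, quote_via=quote)}"


def parse_polling_limit(value: Union[int, str]) -> Optional[int]:
    """Return the re-send limit, or None for the manual's 'none' (unlimited)."""
    if isinstance(value, str) and value.strip().lower() == "none":
        return None
    limit = int(value)
    if not 0 <= limit <= 100:
        raise ValueError("Polling Limit must be 0..100 or 'none'")
    return limit


@dataclass
class StubCA:
    """Stand-in CA: answers 'pending' for the first pending_rounds submissions."""
    pending_rounds: int
    calls: int = 0

    def submit(self, request: str) -> Optional[str]:
        self.calls += 1
        return None if self.calls <= self.pending_rounds else f"CERT<{request}>"


@dataclass
class EnrollmentRequest:
    subject: str
    method: str                      # "SCEP" or "PKCS10"
    status: str = "In Progress"
    resends: int = 0
    certificate: Optional[str] = None


class CertificateStore:
    """One installed identity certificate, at most one outstanding request."""

    def __init__(self) -> None:
        self.identity_cert: Optional[str] = None
        self.outstanding: Optional[EnrollmentRequest] = None

    def enroll_via_scep(self, ca: StubCA, subject: str,
                        polling_limit: Union[int, str]) -> EnrollmentRequest:
        if self.outstanding is not None:
            raise RuntimeError("an enrollment request is already active")
        limit = parse_polling_limit(polling_limit)
        req = EnrollmentRequest(subject, "SCEP")
        self.outstanding = req
        cert = ca.submit(subject)
        while cert is None:                      # CA did not fulfil immediately
            req.status = "Polling"
            if limit is not None and req.resends >= limit:
                req.status = "Error"             # limit exhausted; admin may re-submit
                return req
            req.resends += 1
            cert = ca.submit(subject)
        req.certificate, req.status = cert, "Complete"
        if self.identity_cert is None:           # first certificate: installed at once
            self.install(req)
        return req

    def install(self, req: EnrollmentRequest) -> None:
        """Install a completed request; a replacement certificate waits for this."""
        if req.status != "Complete" or req.certificate is None:
            raise RuntimeError("request has no certificate to install")
        self.identity_cert = req.certificate
        if self.outstanding is req:
            self.outstanding = None


if __name__ == "__main__":
    print(scep_url("http://ca.example.com/cgi-bin/pkiclient.exe", "GetCACert", "My CA"))
    store = CertificateStore()
    req = store.enroll_via_scep(StubCA(pending_rounds=2), "Gateway A", 5)
    print(req.status, req.resends, store.identity_cert)
```

The polling limit bounds how long an unattended device keeps hammering a CA that has a request queued for manual approval; set it to a finite value and re-submit from the Enrollment Status table when the operator has approved the request, rather than leaving it at none.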
Administration | Certificate Management | Renewal

Certificate
This field displays the type of certificate that you are re-enrolling or re-keying.

Renewal Type
Specify the type of request:
• Re-enrollment = Use the same key pair as the expiring certificate.
• Re-key = Use a new key pair. Choose Re-key if the existing private key might have been exposed, because re-enrollment keeps that key in service.

Enrollment Method
Choose an enrollment method:
• PKCS10 Request (Manual) = Enroll using the manual process.
• Certificate Name via SCEP = Enroll automatically using this SCEP CA.
Administration | Certificate Management | Activate or Re-Submit | Status

This status screen appears after you activate or re-submit an enrollment request. It displays the status of the request. If you are installing an SSL certificate with a private key, include the encrypted private key.
Administration | Certificate Management | Delete

The Manager displays this confirmation screen when you click Delete for a certificate on the Administration | Certificate Management screen. The screen shows the same certificate details as the Administration | Certificate Management | View screen.
Yes / No
To delete this certificate, click Yes. Note: there is no undo. The Manager returns to the Administration | Certificate Management screen and shows the remaining certificates. To retain this certificate, click No. The Manager returns to the Administration | Certificate Management screen, and the certificates are unchanged.
Administration | Certificate Management | View Enrollment Request

Enrollment Request Fields
An enrollment request contains some or all of the following fields:

Subject
The person or system that uses the certificate.

Issuer
The CA or other entity (jurisdiction) from which the certificate is being requested. Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.520 terminology.
Enrollment Type
The type of enrollment: initial, re-enroll, or re-key.

Enrollment Method
The method of enrollment: SCEP or manual.

Enrollment Status
The current status of the enrollment: complete, rejected, error, and so on.

Back
Click Back to display the Administration | Certificate Management screen.

Administration | Certificate Management | Cancel Enrollment Request
Fields
For a description of the fields in this enrollment request, see the "Enrollment Request Fields" section.

Yes / No
To cancel this enrollment request, click Yes. Note: there is no undo. The Manager returns to the Administration | Certificate Management screen. To retain this enrollment request, click No.

Administration | Certificate Management | Delete Enrollment Request
Fields
For a description of the fields in this enrollment request, see the "Enrollment Request Fields" section.

Yes / No
To delete this enrollment request, click Yes. Note: there is no undo. The Manager returns to the Administration | Certificate Management screen and shows the remaining enrollment requests. To retain this enrollment request, click No.
Chapter 13 Monitoring

Monitoring

The VPN 3002 tracks many statistics and the status of many items essential to system administration and management. This section of the Manager lets you view all those status items and statistics. You can even see the state of the LEDs that show the status of hardware subsystems in the device. You can also see statistics that are stored and available in standard MIB-II data objects.
Monitoring | Routing Table

This screen shows the VPN 3002 routing table at the time the screen displays.

Figure 13-2 Monitoring | Routing Table Screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Valid Routes
The total number of current valid routes that the VPN 3002 knows about.
Monitoring | Filterable Event Log

This screen shows the events in the current event log, lets you filter and display events by various criteria, and lets you manage the event log file. For troubleshooting any system difficulty, or just to examine details of system activity, consult the event log first. The VPN 3002 records events in nonvolatile memory, so the event log persists even if the system is powered off.
Your filter options remain in effect as long as you continue working within and viewing Monitoring | Filterable Event Log screens. The Manager resets all options to their defaults if you leave and return, or if you click Filterable Event Log in the left frame of the Manager window (the table of contents). You cannot save filter options.
Get Log
To download the event log from VPN 3002 memory to your PC and view it or save it as a text file, click Get Log. The Manager opens a new browser window to display the file.  The browser address bar shows the VPN 3002 address and the log file's default filename; for example, http://10.10.4.6/LOG/vpn3002log.txt. To save a copy of the log file on your PC, click the File menu in the new browser window and select Save As....
Event Time
The time of the event: hour:minute:second.millisecond. The hour is based on a 24-hour clock. For example, 14:37:06.680 identifies an event that occurred at 2:37:06.680 PM.

Event Severity
The severity level of the event; for example, SEV=4 identifies an event of severity level 4. See Table 9-3 under Configuration | System | Events for an explanation of severity levels.
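The following is an added example, not code from the manual or the product: a parser for event log lines carrying the time (hh:mm:ss.mmm, 24-hour) and severity (SEV=n) fields described above, a severity/class filter like the one on the Filterable Event Log screen, and a simple detection that flags a burst of the same event within a short window, the shape a run of failed administrator logins would take in a downloaded log. The manual documents only the two fields above; the complete line layout used here (date, time, SEV=n, CLASS/number, text) and the sample lines are constructed for this example. The filter treats lower severity numbers as more severe, which is how the VPN 3000 family numbers its levels (1 is most severe); consult Table 9-3 for the exact meaning of each level.

```python
"""Parse, filter and run a burst detection over VPN 3002-style event log lines.
Added example, not the product's code. The line layout beyond the time and
SEV=n fields, and the sample lines themselves, are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

_LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"SEV=(?P<sev>\d+) (?P<cls>[A-Z0-9]+)/(?P<num>\d+) (?P<text>.*)$"
)


@dataclass
class Event:
    timestamp: datetime
    severity: int
    cls: str
    number: int
    text: str

    @property
    def key(self) -> str:
        return f"{self.cls}/{self.number}"


def parse_log(text: str) -> List[Event]:
    """Parse every well-formed line; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S.%f")
        events.append(Event(ts, int(m["sev"]), m["cls"], int(m["num"]), m["text"]))
    return events


def filter_events(events: List[Event], max_severity: Optional[int] = None,
                  cls: Optional[str] = None) -> List[Event]:
    """Keep events at or below the severity number (i.e. at least that severe)
    and/or belonging to one event class."""
    return [e for e in events
            if (max_severity is None or e.severity <= max_severity)
            and (cls is None or e.cls == cls)]


def find_bursts(events: List[Event], key: str, min_count: int,
                window_seconds: float) -> List[List[Event]]:
    """Groups of at least min_count events with the given CLASS/number whose
    first and last occurrence lie within window_seconds of each other."""
    hits = [e for e in events if e.key == key]
    bursts, start = [], 0
    for end in range(len(hits)):
        while (hits[end].timestamp - hits[start].timestamp).total_seconds() > window_seconds:
            start += 1
        if end - start + 1 >= min_count:
            bursts.append(hits[start:end + 1])
            start = end + 1                  # do not report the same events twice
    return bursts


# Constructed sample log (not real VPN 3002 output); last line is deliberately malformed.
SAMPLE_LOG = """\
01/14/2003 14:37:06.680 SEV=4 IKE/52 Phase 1 negotiation complete with 192.0.2.10
01/14/2003 14:37:07.102 SEV=5 IKE/35 Tunnel up to 192.0.2.10
01/14/2003 14:38:01.005 SEV=3 AUTH/5 Administrator login rejected: user admin from 10.10.4.20
01/14/2003 14:38:01.220 SEV=6 IKE/25 Received keepalive from 192.0.2.10
01/14/2003 14:38:02.990 SEV=3 AUTH/5 Administrator login rejected: user admin from 10.10.4.20
01/14/2003 14:38:04.411 SEV=3 AUTH/5 Administrator login rejected: user admin from 10.10.4.20
this line is not an event record and is skipped
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for burst in find_bursts(events, "AUTH/5", min_count=3, window_seconds=5.0):
        first, last = burst[0], burst[-1]
        print(f"{len(burst)} x {first.key} between {first.timestamp.time()} "
              f"and {last.timestamp.time()}: {first.text}")
```

Because the event log survives a power cycle (nonvolatile memory), Get Log after an incident and run this kind of check on the saved copy; the live display only shows what arrives while you watch.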
Monitoring | Live Event Log

Figure 13-4 Monitoring | Live Event Log Screen

Pause Display/Resume Display
To pause the display, click Pause Display. While paused, the screen does not display new events, the button changes to Resume Display, and the timer counts down to 0 and stops. You can still scroll through the event log. Click the button to resume the display of new events and restart the timer.

Clear Display
To clear the event display, click Clear Display.
Monitoring | System Status

This screen shows the status of several software and hardware variables at the time the screen displays. From this screen you can also display the status of the IPSec tunnel SAs, the tunnel duration, and front and rear panel displays of the VPN 3002.

Figure 13-5 Monitoring | System Status Screen

Reset
To reset, or start anew, the screen contents, click Reset.

VPN Client Type
The type, or model number, of this VPN 3002 hardware client.

Bootcode Rev
The version name, number, and date of the VPN 3002 bootcode software file. When you boot or reset the system, the bootcode software runs system diagnostics, then loads and executes the system software image. The bootcode is installed at the factory, and there is no need to upgrade it.

Tunnel Established to
The IP address of the VPN Concentrator to which this VPN 3002 connects.

Duration
The length of time that this tunnel has been up.

Tunnel Type
The type of tunnel and port. Possible types are IPSec, IPSec over TCP, IPSec over UDP, or IPSec over NAT-T.

Security Associations
This table describes the following attributes of the SAs for this VPN 3002.

Type
The type of tunnel for this SA, either IPSec or IKE (the control tunnel).

Packets Out
The number of packets this SA has sent since the tunnel came up.

Other
Additional information about this SA, including mode.

Front Panel
The front panel image is an inactive link.

Back Panel
The back panel image includes active links for the VPN 3002 private and public interfaces. Use the mouse pointer to select either the private or public module on the back-panel image and click anywhere in the highlighted area.
Monitoring | System Status | Memory Status

This screen displays status and data for the VPN 3002 system memory.

Figure 13-6 Monitoring | System Status | Memory Status Screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

System Memory Summary
This section summarizes memory use on the VPN 3002.

Total Memory
Total amount of system memory, in megabytes, on the VPN 3002.

Yellow: Memory resources are running low; the VPN 3002 is approaching its maximum number of connections.
Red: Memory resources are critically low; new IPSec connections are prevented.

Note: It is possible for Memory Status to be Red, preventing new connections, even while total memory usage is significantly less than 100%. This is because some VPN 3002 functions and features require specific block sizes to operate, and those block sizes are critically low.

Figure 13-7 Memory Detail Report
Monitoring | System Status | Private/Public Interface

This screen displays status and statistics for a VPN 3002 Ethernet interface. To configure an interface, see Configuration | Interfaces.

Figure 13-8 Monitoring | System Status | Public Interface Screen

Reset
To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device.

Interface
The VPN 3002 Ethernet interface number:
• Private interface
• Public interface

IP Address
The IP address configured on this interface.

Status
The operational status of this interface:
• UP (UP/DHCP, UP/PPPoE) = configured and enabled, ready to pass data traffic.
• Waiting for DHCP/PPPoE = configured and enabled, waiting for negotiations to complete.
• Disabled = configured but disabled.

Tx Multicast
The number of multicast packets that were routed to this interface for transmission since the VPN 3002 was last booted or reset, including those that were discarded or not sent. Multicast packets are those addressed to a specific group of hosts.

Rx Broadcast
The number of broadcast packets received by this interface since the VPN 3002 was last booted or reset.
Monitoring | User Status

This section displays statistics for devices behind the VPN 3002 Hardware Client.

Figure 13-9 Monitoring | User Status Screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Cisco IP Phone Bypass Enabled/Disabled
Indicates whether the Cisco IP Phone Bypass feature is enabled or disabled for the VPN 3002.
Monitoring | Statistics

This section of the Manager shows statistics for traffic and activity on the VPN 3002 since it was last booted or reset, and for current tunneled sessions, plus statistics in standard MIB-II objects for interfaces, TCP/UDP, IP, ICMP, the ARP table, and SNMP.
• IPSec: total Phase 1 and Phase 2 tunnels, received and transmitted packets, failures, drops, etc.
• HTTP: total data traffic and connection statistics.
Monitoring | Statistics | IPSec

This screen shows statistics for IPSec activity, including the current IPSec tunnel, on the VPN 3002 since it was last booted or reset. These statistics conform to the IETF draft for the IPSec Flow Monitoring MIB.

Figure 13-11 Monitoring | Statistics | IPSec Screen

Reset
To reset, or start anew, the screen contents, click Reset.

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

IKE (Phase 1) Statistics
This table provides IPSec Phase 1 (IKE: Internet Key Exchange) global statistics. During IPSec Phase 1 (IKE), the two peers establish control tunnels through which they negotiate Security Associations.

Active Tunnels
The number of currently active IKE control tunnels.

Received Notifies
The cumulative total of notify packets received by all currently and previously active IKE tunnels. A notify packet is an informational packet sent in response to a bad packet or to indicate status; for example, error packets, keepalive packets, etc.

Sent Notifies
The cumulative total of notify packets sent by all currently and previously active IKE tunnels. See the comments for Received Notifies above.

Phase-2 SA Delete Requests Sent
The cumulative total of requests to delete IPSec Phase-2 Security Associations sent by all currently and previously active IKE tunnels.

Initiated Tunnels
The cumulative total of IKE tunnels that this VPN 3002 initiated.

Failed Initiated Tunnels
The cumulative total of IKE tunnels that this VPN 3002 initiated and that failed to activate.

IPSec (Phase 2) Statistics
This table provides IPSec Phase 2 global statistics. During IPSec Phase 2, the two peers negotiate Security Associations that govern traffic within the tunnel.

Active Tunnels
The number of currently active IPSec Phase-2 tunnels.

Total Tunnels
The cumulative total of all currently and previously active IPSec Phase-2 tunnels.

Sent Packets Dropped
The cumulative total of packets dropped during send processing by all currently and previously active IPSec Phase-2 tunnels. This number should be zero; if it is not, check for a network problem, check the event log for an internal subsystem failure, or contact Cisco support.

System Capability Failures
The total number of system capacity failures that occurred during processing of all currently and previously active IPSec Phase-2 tunnels. These failures indicate that the system has run out of memory or some other critical resource; check the event log.
Monitoring | Statistics | HTTP

Reset
To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
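The trip-odometer behaviour of Reset, and the "this number should be zero" rule for the IPSec Phase-2 counters Sent Packets Dropped and System Capability Failures, are easy to get wrong when scripting health checks against these screens. The following is an added example (not code from the manual or from Cisco) that models a Reset as a baseline snapshot over monotonically increasing counters and runs the zero-expected checks the IPSec screen text describes. The SimulatedDevice, its counter names and the check table are constructed for this example, not the VPN 3002's real counter interface.

```python
# Added example: a "trip odometer" view over device statistics counters, as
# the Reset button on the Monitoring | Statistics screens is described, plus
# the zero-expected checks the IPSec screen text gives for Sent Packets
# Dropped and System Capability Failures. SimulatedDevice is a constructed
# stand-in, not the VPN 3002's real counters or their names.


class SimulatedDevice:
    """Constructed stand-in for a device whose counters only ever increase."""

    def __init__(self):
        self._counters = {
            "sent_packets": 0,
            "sent_packets_dropped": 0,
            "system_capability_failures": 0,
        }

    def send(self, packets, dropped=0, capability_failures=0):
        self._counters["sent_packets"] += packets
        self._counters["sent_packets_dropped"] += dropped
        self._counters["system_capability_failures"] += capability_failures

    def read(self):
        # Return a copy so callers cannot alter the live counters.
        return dict(self._counters)


class CounterView:
    """A view over a counter source. reset() records a baseline; values()
    reports each counter relative to that baseline, while raw() still shows
    the lifetime totals. Neither touches the device's own counters."""

    def __init__(self, source):
        self._source = source          # callable returning {name: int}
        self._baseline = {}

    def reset(self):
        self._baseline = self._source()

    def raw(self):
        return self._source()

    def values(self):
        current = self._source()
        return {k: v - self._baseline.get(k, 0) for k, v in current.items()}


# Counters the manual says should read zero, with the follow-up it prescribes.
ZERO_EXPECTED = {
    "sent_packets_dropped":
        "should be zero: check for a network problem or an internal subsystem "
        "failure in the event log",
    "system_capability_failures":
        "out of memory or another critical resource: check the event log",
}


def check_ipsec_counters(stats):
    """Return (counter, value, advice) for every zero-expected counter that is not zero."""
    return [(name, stats[name], advice)
            for name, advice in ZERO_EXPECTED.items()
            if stats.get(name, 0) != 0]


if __name__ == "__main__":
    dev = SimulatedDevice()
    dev.send(100, dropped=2)
    view = CounterView(dev.read)
    view.reset()                       # trip odometer back to zero
    dev.send(50)
    print("since reset:", view.values())      # dropped reads 0 here ...
    print("lifetime:", view.raw())            # ... but 2 here
    for finding in check_ipsec_counters(view.raw()):
        print("FINDING:", finding)
```

The point of keeping both views is the caveat the manual's odometer analogy implies: a screen that has been Reset can show zero drops even though the lifetime counter is not zero, so a health check that must honour "this number should be zero" has to read the un-reset value.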
HTTP Sessions
This section provides information about HTTP sessions on the VPN 3002 since it was last booted or reset.

Login Name
The name of the administrative user for the HTTP session.

IP Address
The IP address of the administrative user for the HTTP session.

Login Time
The time when the HTTP session began.

Encryption
The encryption method used in the HTTP session.

Octets Sent/Received
The number of octets sent or received during the HTTP session.
Monitoring | Statistics | Telnet

This screen shows statistics for Telnet activity on the VPN 3002 since it was last booted or reset, and for current Telnet sessions. To configure the VPN 3002 Telnet server, see the Configuration | System | Management Protocols | Telnet screen.

Figure 13-13 Monitoring | Statistics | Telnet Screen

Reset
To reset, or start anew, the screen contents, click Reset.

Attempted Sessions
The total number of attempts to establish Telnet sessions on the VPN 3002 since it was last booted or reset.

Successful Sessions
The total number of Telnet sessions successfully established on the VPN 3002 since it was last booted or reset.

Telnet Sessions
This table shows statistics for active Telnet sessions on the VPN 3002. Each active session is a row.
Monitoring | Statistics | DNS

This screen shows statistics for DNS (Domain Name System) activity on the VPN 3002 since it was last booted or reset. To configure the VPN 3002 to communicate with DNS servers, see the Configuration | System | Servers | DNS screen.

Figure 13-14 Monitoring | Statistics | DNS Screen

Reset
To reset, or start anew, the screen contents, click Reset.

Timeouts
The number of DNS queries that failed because there was no response from the server.

Server Unreachable
The number of DNS queries that failed because, according to the VPN 3002 routing table, the address of the server is not reachable.

Other Failures
The number of DNS queries that failed for an unspecified reason.

Monitoring | Statistics | SSL

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Unencrypted Inbound Octets
The number of octets (bytes) of inbound traffic output by the decryption engine.

Encrypted Inbound Octets
The number of octets (bytes) of encrypted inbound traffic sent to the decryption engine. This number includes negotiation traffic.
Monitoring | Statistics | DHCP

This screen shows statistics for DHCP (Dynamic Host Configuration Protocol) server activity on the VPN 3002 since it was last booted or reset. Each row of the table shows data for one IP address handed out to a DHCP client (PC) on the VPN 3002 private network. To configure the DHCP server, see Configuration | System | IP Routing | DHCP.

Timeouts
The number of DHCP queries that failed because there was no response from the server.

Pool Start
The IP address at the start of the DHCP IP address pool.

Pool End
The IP address at the end of the DHCP IP address pool.

Leased IP Address
The IP address leased from the DHCP server by the remote client.

Time Left
The time remaining until the current IP address lease expires, shown as HH:MM:SS.
Monitoring | Statistics | SSH

This screen shows statistics for SSH (Secure Shell) protocol traffic on the VPN 3002 since it was last booted or reset. To configure SSH, see Configuration | System | Management Protocols | SSH.

Figure 13-17 Monitoring | Statistics | SSH Screen

Reset
To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device.

Packets Sent/Received
The total number of SSH packets sent/received since the VPN 3002 was last booted or reset.

Active Sessions
The number of currently active SSH sessions.

Maximum Sessions
The maximum number of simultaneously active SSH sessions on the VPN 3002.

Total Sessions
The total number of SSH sessions since the VPN 3002 was last booted or reset.

SSH Sessions
Presents details on SSH sessions.
Monitoring | Statistics | NAT

This screen shows statistics for NAT (Network Address Translation) activity on the VPN 3002 since it was last booted or reset.

Figure 13-18 Monitoring | Statistics | NAT Screen

Reset
To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device.

Translations Active
The number of currently active NAT sessions.

Translations Peak
The maximum number of NAT sessions that were simultaneously active on the VPN 3002 since it was last booted or reset.

Translations Total
The total number of NAT sessions on the VPN 3002 since it was last booted or reset.

NAT Sessions
The following sections provide detailed information about active NAT sessions on the VPN 3002.

• NetBIOS over TCP Proxy
• NetBIOS over UDP Proxy
• NetBIOS Datagram Service
• No Port Mapping (ICMP)
• H.323 Proxies
  – RAS (Registration, Admission and Status) Proxy for a GateKeeper
  – ILS (Internet Locator Services) Proxy for an ILS server
  – H.225 (H.225 signalling protocol) Proxy
  – H.245 (H.245 control protocol) Proxy

Translated Bytes/Packets
The total number of translated bytes and packets for the NAT session.
Monitoring | Statistics | PPPoE

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

User Name
The username for the PPPoE session.

Session ID
The ID for the session assigned by the ISP. The Session ID combined with the Access Concentrator MAC Address (see below) uniquely identifies the PPPoE session.

PPPoE Access Concentrator
The device your Internet Service Provider (ISP) uses to manage PPPoE traffic.

Multiple PADO Rx
The number of multiple PPPoE Active Discovery Offer packets received, that is, the number of times more than one PPPoE access concentrator responded to the PADI the VPN 3002 sent.

PADT Rx
The number of PPPoE Active Discovery Terminate packets received.

PADT Tx
The number of PPPoE Active Discovery Terminate packets sent.

Generic Errors Rx
The number of errors received during the PPPoE session.
Monitoring | Statistics | MIB-II

This section of the Manager lets you view statistics that are recorded in standard MIB-II objects on the VPN 3002. MIB-II (Management Information Base, version 2) objects are variables that contain data about the system. They are defined as part of the Simple Network Management Protocol (SNMP), and SNMP-based network management systems can query the VPN 3002 to gather the data.
Monitoring | Statistics | MIB-II | Interfaces

This screen shows statistics in MIB-II objects for VPN 3002 interfaces since the system was last booted or reset.

Figure 13-21 Monitoring | Statistics | MIB-II | Interfaces Screen

Reset
To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device.

• Disabled = configured but disabled.
• DOWN (DOWN/DHCP, DOWN/PPPoE) = configured but down.
• Testing = in test mode; no regular data traffic can pass.
• Dormant = configured and enabled but waiting for an external action, such as an incoming connection.
• Not Present = missing hardware components.
• Lower Layer Down = not operational because a lower-layer interface is down.
• Unknown = not configured.
Monitoring | Statistics | MIB-II | TCP/UDP

This screen shows statistics in MIB-II objects for TCP and UDP traffic on the VPN 3002 since it was last booted or reset. RFC 2012 defines TCP MIB objects, and RFC 2013 defines UDP MIB objects.

Figure 13-22 Monitoring | Statistics | MIB-II | TCP/UDP Screen

Reset
To reset, or start anew, the screen contents, click Reset.

TCP Segments Transmitted
The total number of segments sent, including those on currently established connections but excluding those containing only retransmitted bytes. Segment is the official TCP name for what is casually called a data packet.

TCP Segments Retransmitted
The total number of segments retransmitted; that is, the number of TCP segments transmitted containing one or more previously transmitted bytes.

TCP Established Resets
The number of established TCP connections that closed abruptly, bypassing graceful termination.

TCP Current Established
The number of TCP connections that are currently established or are gracefully terminating.

UDP Datagrams Received
The total number of UDP datagrams received. Datagram is the official UDP name for what is casually called a data packet.
Monitoring | Statistics | MIB-II | IP

This screen shows statistics in MIB-II objects for IP traffic on the VPN 3002 since it was last booted or reset. RFC 2011 defines IP MIB objects.

Figure 13-23 Monitoring | Statistics | MIB-II | IP Screen

Reset
To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device.

Packets Received (Total)
The total number of IP data packets received by the VPN 3002, including those received with errors.

Packets Received (Header Errors)
The number of IP data packets received and discarded due to errors in IP headers, including bad checksums, version number mismatches, other format errors, etc.

Outbound Packets with No Route
The number of outbound IP data packets discarded because no route could be found to transmit them to their destination. This number includes any packets that the VPN 3002 could not route because all of its default routers were down.

Packets Transmitted (Requests)
The number of IP data packets that local IP user protocols (including ICMP) supplied to IP in requests for transmission.
Monitoring | Statistics | MIB-II | ICMP

This screen shows statistics in MIB-II objects for ICMP traffic on the VPN 3002 since it was last booted or reset. RFC 2011 defines ICMP MIB objects.

Figure 13-24 Monitoring | Statistics | MIB-II | ICMP Screen

Reset
To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device.

Errors Received/Transmitted
Received: the number of ICMP messages that the VPN 3002 received but determined to have ICMP-specific errors (bad ICMP checksums, bad length, etc.). Transmitted: the number of ICMP messages that the VPN 3002 did not send due to problems within ICMP, such as a lack of buffers.

Destination Unreachable Received/Transmitted
The number of ICMP Destination Unreachable messages received/sent.

Timestamp Requests Received/Transmitted
The number of ICMP Timestamp (request) messages received/sent. Timestamp messages measure the propagation delay between network entities by including the originating time in the message and asking for the receipt time in a Timestamp Reply message.

Timestamp Replies Received/Transmitted
The number of ICMP Timestamp Reply messages received/sent.
Monitoring | Statistics | MIB-II | ARP Table

This screen shows entries in the Address Resolution Protocol mapping table since the VPN 3002 was last booted or reset. ARP matches IP addresses with physical MAC addresses, so the system can forward traffic to computers on its network. RFC 2011 defines MIB entries in the ARP table. The entries are sorted first by Interface, then by IP Address.

Interface
The VPN 3002 network interface on which this mapping applies:
• Private Interface
• Public Interface

Physical Address
The hardwired MAC (Media Access Control) address of a physical network interface card, in 6-byte hexadecimal notation, that maps to the IP Address. Exceptions are:
• 00 = a virtual address for a tunnel.
• FF.FF.FF.FF.FF.FF = a network broadcast address.
Monitoring | Statistics | MIB-II | Ethernet

This screen shows statistics in MIB-II objects for Ethernet interface traffic on the VPN 3002 since it was last booted or reset. IEEE standard 802.3 describes Ethernet networks, and RFC 1650 defines Ethernet interface MIB objects. To configure Ethernet interfaces, see Configuration | Interfaces.

FCS Errors
The number of frames received on this interface that are an integral number of bytes in length but do not pass the FCS (Frame Check Sequence) check.

Carrier Sense Errors
The number of times that the carrier sense signal was lost or missing when trying to transmit a frame on this interface.

SQE Test Errors
The number of times that the SQE (Signal Quality Error) Test Error message was generated for this interface.

MAC Errors: Transmit
The number of frames for which transmission on this interface failed due to an internal MAC sublayer transmit error. This number does not include Carrier Sense Errors, Late Collisions, or Excessive Collisions.

MAC Errors: Receive
The number of frames for which reception on this interface failed due to an internal MAC sublayer receive error.
Monitoring | Statistics | MIB-II | SNMP

This screen shows statistics in MIB-II objects for SNMP traffic on the VPN 3002 since it was last booted or reset. RFC 1907 defines SNMP version 2 MIB objects. To configure the VPN 3002 SNMP server, see Configuration | System | Management Protocols | SNMP.

Figure 13-27 Monitoring | Statistics | MIB-II | SNMP Screen

Reset
To reset, or start anew, the screen contents, click Reset.

Bad Community String
The total number of SNMP messages received that used an SNMP community string the VPN 3002 did not recognize. See Configuration | System | Management Protocols | SNMP Communities to configure permitted community strings. To protect security, the VPN 3002 does not include the usual default public community string.
Chapter 14 Using the Command-Line Interface

The VPN 3002 Hardware Client command-line interface (CLI) is a menu- and command-line-based configuration, administration, and monitoring system built into the VPN 3002. You use it via the system console or a Telnet (or Telnet over SSL) session. You can use the command-line interface to completely manage the system. You can access and configure the same parameters as the HTML-based VPN 3002 Hardware Client Manager.

Starting the Command-line Interface

3. Press Enter on the PC keyboard until you see the login prompt. (You might see a password prompt and error messages as you press Enter; ignore them and stop at the login prompt.)

   Login: _

Telnet or Telnet/SSL access

To access the command-line interface via a Telnet or Telnet/SSL client:

1. Enable the Telnet or Telnet/SSL server on the VPN 3002. (They are both enabled by default on the private network.

Using the Command-line Interface

This section explains how to:
• Choose menu items.
• Enter values for parameters and options.
• Specify configured items by number or name.
• Navigate quickly, using shortcuts, through the menus.
• Display a brief help message.
• Save entries to the system configuration file.
• Stop the command-line interface.
• Understand administrator access rights.
Navigating Quickly

There are two ways to move quickly through the command-line interface: shortcut numbers, and the Back/Home options. Both ways work only when you are at a menu, not when you are at a value entry.

As a shortcut, you can just enter 2.4.1.1 at the Main-> prompt and move directly to the Modify Administrators menu:

   1) Configuration
   2) Administration
   3) Monitoring
   4) Save changes to Config file
   5) Help Information
   6) Exit

   Main -> 2.4.1.1

   > Which Administrator to Modify
   Admin ->

Note: At this last prompt, you cannot use a number shortcut.
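A dotted shortcut is just a walk down the menu tree, one 1-based index per dot, and the rule that shortcuts and Back/Home work only at a menu falls out naturally if value-entry prompts are leaves of a different kind. The following is an added example (not code from the manual or from Cisco) that models the tree and resolves 2.4.1.1 against it. The six Main items, Administration > Access Rights > Access Settings, and the 2.4.1.1 path to the "Which Administrator to Modify" prompt are taken from this chapter; every other node name (for example the "Administrators" menu under Access Rights, and the Quick Configuration, Software Update and Ping entries) and the single-letter "b"/"h" keys for Back/Home are assumptions made for the example.

```python
# Added example: resolving a dotted CLI shortcut such as 2.4.1.1 against the
# menu tree. The tree is a constructed subset; nodes marked "assumed" are not
# taken from the manual.


class MenuNode:
    def __init__(self, name, items=None, prompt=None):
        self.name = name
        self.items = items or []        # child nodes, numbered 1..n on screen
        self.prompt = prompt            # set only on a value-entry leaf

    @property
    def is_menu(self):
        return self.prompt is None


def menu(name, *items):
    return MenuNode(name, list(items))


def value_entry(name, prompt):
    return MenuNode(name, prompt=prompt)


MAIN = menu("Main",
    menu("Configuration",
         menu("Quick Configuration"),          # assumed
         menu("Interface Configuration"),      # assumed
         menu("System Management")),
    menu("Administration",
         menu("Software Update"),              # assumed
         menu("System Reboot"),
         menu("Ping"),                         # assumed
         menu("Access Rights",
              menu("Administrators",          # assumed
                   value_entry("Modify Administrators",
                               "Which Administrator to Modify")),
              menu("Access Settings")),
         menu("File Management"),
         menu("Certificate Management")),
    menu("Monitoring"),
    menu("Save changes to Config file"),
    menu("Help Information"),
    menu("Exit"),
)


class ShortcutError(ValueError):
    pass


def resolve_shortcut(start, shortcut):
    """Walk a dotted shortcut from `start` and return the list of nodes entered.
    Raises ShortcutError when a step would be applied at a value entry
    (shortcuts work only at menus) or names an item that does not exist."""
    node, walked = start, []
    for step in shortcut.split("."):
        if not node.is_menu:
            raise ShortcutError(f"'{node.name}' is a value entry; shortcuts work only at a menu")
        if not step.isdigit() or not 1 <= int(step) <= len(node.items):
            raise ShortcutError(f"no item {step!r} in menu '{node.name}'")
        node = node.items[int(step) - 1]
        walked.append(node)
    return walked


class CliSession:
    """Tracks the current position, with Back and Home available at menus only."""

    def __init__(self, root):
        self.root, self.stack, self.answers = root, [root], []

    @property
    def current(self):
        return self.stack[-1]

    def enter(self, text):
        text = text.strip()
        if not self.current.is_menu:
            # At a value entry the input is the value itself; returning to the
            # enclosing menu afterwards is assumed behaviour for this example.
            self.answers.append((self.current.prompt, text))
            self.stack.pop()
        elif text.lower() == "h":       # Home (key assumed)
            self.stack = [self.root]
        elif text.lower() == "b":       # Back (key assumed)
            if len(self.stack) > 1:
                self.stack.pop()
        else:
            self.stack.extend(resolve_shortcut(self.current, text))
        return self.current


if __name__ == "__main__":
    print(" > ".join(n.name for n in resolve_shortcut(MAIN, "2.4.1.1")))
```

Typing 2.4.1.1.1 fails at the fifth step for the same reason the manual's note gives: the fourth step has already landed on a value entry, and at that prompt a number is an answer, not a shortcut.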
Saving the Configuration File

Configuration and administration entries take effect immediately and are included in the active, or running, configuration. However, if you reboot the VPN 3002 without saving the active configuration, you lose any changes. To save changes to the system configuration (CONFIG) file, navigate to the main menu. At the prompt, enter 4 for Save changes to Config file.

Menu Reference

This section shows all the menus in the first three levels below the main menu. (There are many additional menus below the third level, and within the first three levels there are some non-menu parameter settings. To keep this chapter at a reasonable size, we show only the menus here.) The numbers in each heading are the keyboard shortcut to reach that menu from the main menu. For example, entering 1.3.
1.2.1 or 1.2.2 Configuration > Interface Configuration > Configure the Private/Public Interface

   1) Enable/Disable
   2) Set IP Address
   3) Set Subnet Mask
   4) Select Ethernet Speed
   5) Select Duplex
   6) Back

   Private/Public Interface -> _

1.3 Configuration > System Management

   1) Servers (DNS)
   2) Tunneling Protocols (IPSec)
   3) IP Routing (static routes, etc.)
   4) Management Protocols (Telnet, HTTP, etc.

1.3.5 Configuration > System Management > Event Configuration

   1) General
   2) Classes
   3) Trap Destinations
   4) Syslog Servers
   5) Back

   Event -> _

1.3.6 Configuration > System Management > General Config

   1) System Identification
   2) System Time and Date
   3) Back

   General -> _

1.4 Configuration > Policy Management

   1) Traffic Management
   2) Back

   Policy -> _

1.4.

2.2 Administration > System Reboot

   1) Cancel Scheduled Reboot/Shutdown
   2) Schedule Reboot
   3) Schedule Shutdown
   4) Back

   Admin -> _

2.2.2 Administration > System Reboot > Schedule Reboot

   1) Save active Configuration and use it at Reboot
   2) Reboot without saving active Configuration file
   3) Reboot ignoring the Configuration file
   4) Back

   Admin -> _

2.2.
2.4.2 Administration > Access Rights > Access Settings

   1) Set Session Timeout
   2) Set Session Limit
   3) Set Config File Encryption
   4) Back

   Admin -> _

2.5 Administration > File Management

   List of Files
   -------------
   CONFIG
   CONFIG.BAK

   1) View Config File
   2) Delete Config File
   3) View Backup Config File
   4) Delete Backup Config File
   5) Swap Config Files
   6) Upload Config File
   7) Back

   File -> _

2.5.

2.6.3 Administration > Certificate Management > Certificate Authorities

   Certificate Authorities
   . . .
   1) View Certificate
   2) Delete Certificate
   4) Back

   Certificates -> _

2.6.4 Administration > Certificate Management > Identity Certificates

   Identity Certificates
   . . .
   1) View Certificate
   2) Delete Certificate
   3) Back

   Certificates -> _

2.6.5 Administration > Certificate Management > SSL Certificate

   Subject
   . .

3.1 Monitoring > Routing Table

   Routing Table
   . .
   'q' to Quit, '' to Continue ->
   . .
   1) Refresh Routing Table
   2) Clear Routing Table
   3) Back

   Routing -> _

3.2 Monitoring > Event Log

   1) Configure Log viewing parameters
   2) View Event Log
   3) Clear Log
   4) Back

   Log -> _

3.2.2 Monitoring > Event Log > View Event Log

   [Event Log entries]
   . . .
   1) First Page
   2) Previous Page
   3) Next Page
   4) Last Page
   5) Back

   Log -> _

3.

3.4 Monitoring > User Status

   Authenticated Users
   -------------------
   Username   IP Address   MAC Address   Login Time   Duration
   --------------------------------------------------------------
   1) Refresh User Status
   2) Log out User
   3) Back

   Sessions ->

3.5 Monitoring > General Statistics

   1) Protocol Statistics
   2) Server Statistics
   3) MIB II Statistics
   4) Back

   General -> _

3.4.
Appendix A IKE Proposals

IKE proposals are sets of parameters for Phase 1 IPSec negotiations. During Phase 1, the two peers establish a secure tunnel within which they then negotiate the Phase 2 parameters. You configure IKE proposals on the VPN Concentrator, not on the VPN 3002. The VPN Concentrator software includes a set of preconfigured IKE proposals active by default, and a second preconfigured set inactive by default. You can configure additional IKE proposals to a maximum of 150.

Valid IKE Proposals

Proposal Name | Authentication Mode | Authentication Algorithm | Encryption Algorithm | Diffie-Hellman Group
CiscoVPNClient-AES256-MD5 | Preshared Keys (XAUTH) | MD5/HMAC-128 | AES-256 | Group 2 (1024 bits)
CiscoVPNClient-AES256-SHA | Preshared Keys (XAUTH) | SHA/HMAC-160 | AES-256 | Group 2 (1024 bits)
IKE-3DES-MD5 | Preshared Keys | MD5/HMAC-128 | 3DES-168 | Group 2 (1024 bits)
IKE-3DES-SHA | Preshared Keys | SHA/HMAC-160 | 3DES-168 | Group 2 (1024 bits)
IKE-DES-MD5 | Preshared Keys | MD5
CiscoVPNClient-AES128-SHA-RSA-DH5 | RSA Digital Certificate (XAUTH) | SHA/HMAC-160 | AES-128 | Group 5 (1536 bits)
CiscoVPNClient-AES192-MD5-RSA-DH5 | RSA Digital Certificate (XAUTH) | MD5/HMAC-128 | AES-192 | Group 5 (1536 bits)
CiscoVPNClient-AES192-SHA-RSA-DH5 | RSA Digital Certificate (XAUTH) | SHA/HMAC-160 | AES-192 | Group 5 (1536 bits)
CiscoVPNClient-AES256-MD5
CiscoVPNClient-AES128-SHA-DSA | DSA Digital Certificate (XAUTH) | SHA/HMAC-160 | AES-128 | Group 2 (1024 bits)
CiscoVPNClient-AES256-SHA-DSA | DSA Digital Certificate (XAUTH) | SHA/HMAC-160 | AES-256 | Group 2 (1024 bits)
CiscoVPNClient-3DES-SHA-DSA-DH5 | DSA Digital Certificate (XAUTH) | SHA/HMAC-160 | 3DES-168 | Group 5 (1536 bits)
CiscoVPNClient-AES128-SHA-DSA-DH5
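The proposal names encode the same four parameters the table lists, which makes it straightforward to review a concentrator's active proposal list without the GUI. The following is an added example (not code from the manual or from Cisco) that decodes a proposal name into its components and flags the ones a present-day review would question. The naming convention is inferred from the rows on this page (CiscoVPNClient-* implies XAUTH, -RSA or -DSA a certificate, -DH5 Group 5, otherwise Group 2) and is an assumption for any proposal not listed here; the weakness thresholds (DES and 3DES, MD5 HMAC, DH groups below 2048 bits) are this example's review policy, not anything the manual states.

```python
import re

# Added example: decode IKE proposal names into their components and flag weak
# ones. The naming convention is inferred from the table on this page and is an
# assumption for proposals not listed there; the thresholds below are this
# example's review policy, not the manual's.

NAME_RE = re.compile(
    r"^(?P<prefix>CiscoVPNClient|IKE)-(?P<enc>AES128|AES192|AES256|3DES|DES)"
    r"-(?P<hash>MD5|SHA)(?:-(?P<cert>RSA|DSA))?(?:-DH(?P<dh>\d+))?$"
)

ENCRYPTION = {"AES128": "AES-128", "AES192": "AES-192", "AES256": "AES-256",
              "3DES": "3DES-168", "DES": "DES"}
HASHES = {"MD5": "MD5/HMAC-128", "SHA": "SHA/HMAC-160"}
DH_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}   # MODP group sizes


def parse_proposal_name(name):
    """Split a proposal name into the table's four columns."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised proposal name: {name}")
    g = m.groupdict()
    mode = f"{g['cert']} Digital Certificate" if g["cert"] else "Preshared Keys"
    if g["prefix"] == "CiscoVPNClient":
        mode += " (XAUTH)"
    group = int(g["dh"]) if g["dh"] else 2     # rows without -DHn all show Group 2
    return {
        "name": name,
        "authentication_mode": mode,
        "authentication_algorithm": HASHES[g["hash"]],
        "encryption_algorithm": ENCRYPTION[g["enc"]],
        "dh_group": group,
        "dh_bits": DH_BITS.get(group),
    }


def assess_proposal(name):
    """Return the list of review findings for one proposal (empty means none)."""
    p = parse_proposal_name(name)
    findings = []
    if p["encryption_algorithm"] == "DES":
        findings.append("DES: 56-bit key, brute-forceable; do not use")
    elif p["encryption_algorithm"] == "3DES-168":
        findings.append("3DES: 64-bit block cipher, deprecated; prefer AES")
    if p["authentication_algorithm"].startswith("MD5"):
        findings.append("MD5 HMAC: deprecated hash; prefer SHA-based integrity")
    if p["dh_bits"] is None or p["dh_bits"] < 2048:
        findings.append(f"DH group {p['dh_group']} ({p['dh_bits']} bits): "
                        "below the 2048-bit minimum in current guidance")
    return findings


def rank_proposals(names):
    """Order proposals so those with the fewest findings come first."""
    return sorted(names, key=lambda n: (len(assess_proposal(n)), n))


if __name__ == "__main__":
    for n in rank_proposals(["IKE-DES-MD5", "IKE-3DES-SHA",
                             "CiscoVPNClient-AES256-SHA",
                             "CiscoVPNClient-AES128-SHA-DSA-DH5"]):
        print(n, assess_proposal(n))
```

Every proposal in the table above is flagged at least once by this policy, because none of the listed Diffie-Hellman groups reaches 2048 bits; that is the expected result for a 2003 proposal set and is why the concentrator-side list, not the VPN 3002, is where such a review has to be applied.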
Appendix B  Troubleshooting and System Errors

This appendix describes files for troubleshooting the VPN 3002 and LED indicators on the system. It also describes common errors that might occur while configuring and using the system, and how to correct them.

Files for Troubleshooting

The VPN 3002 Hardware Client creates several files that you can examine and that can assist Cisco support engineers when troubleshooting errors and problems:
• Event log.
• SAVELOG.
memory, buffers, and timers, which help Cisco support engineers diagnose the problem. In case of a crash, we ask that you send this file when you contact TAC for assistance. To view the CRSHDUMP.TXT file, see Administration | File Management | View, and click on View Saved Log Crash Dump File.

Configuration Files

The VPN 3002 saves the current boot configuration file (CONFIG) and its predecessor (CONFIG.BAK) as files in flash memory.
VPN 3002 Rear LEDs

The LEDs on the rear of the VPN 3002 indicate the status of the private and public interfaces.

LED             Explanation
Green           Interface is connected to the network.
OFF             Interface is not connected to the network.
Flashing amber  Traffic is traveling across the interface.
Table B-1  Analyzing System Errors (continued)

Problem or Symptom: VPN LED is solid amber (tunnel failed to establish to the central-site VPN Concentrator).
Possible Solution:
1. Make sure the IPSec parameters are properly configured. Verify that:
   – the public IP address of the IKE peer (central-site VPN Concentrator) is correct.
   – the group name and password are correct.
   – the user name and password are correct.
Step 4  If you are using Network Extension mode, configure a default gateway or a static route to the private network of the VPN 3002. Refer to Chapter 8, "IP Routing," in the VPN 3000 Series Concentrator Reference Volume I.
Step 5  Check the Event log. Refer to Chapter 10, "Events," in the VPN 3000 Series Concentrator Reference Volume I.
Table B-2  Invalid Login or Session Timeout Screen

Problem: You entered an invalid administrator login-name and password combination.
Possible Cause:
• Typing error.
• Invalid (unrecognized) login name or password.
Solution:
• Reenter the login name and password, and click on Login.
• Use a valid login name and password.
• Verify your typing before clicking on Login.
Incorrect Display

The Manager displays an incorrect screen or data when you click on the browser Back or Forward button.

Table B-4  Browser Back or Forward Button Displays an Incorrect Screen or Incorrect Data

Problem: You clicked on the Back or Forward button on the browser navigation toolbar, and the Manager displayed the wrong screen or incorrect data.
Not Allowed Message

The Manager displays a screen with the message: "Not Allowed / You do not have sufficient authorization to access the specified page." (see Figure B-3).

Figure B-3  Not Allowed Screen

Table B-6  Not Allowed Message Displays

Problem: You tried to access an area of the Manager that you do not have authorization to access.
Not Found

The Manager displays a screen with the message: "Not Found/An error has occurred while attempting to access the specified page." The screen includes additional information that identifies system activity and parameters.

Figure B-4  Not Found Screen

Table B-7  Not Found Message Displays

Problem: The Manager could not find a screen.
Command-line Interface Errors

These errors may occur while using the menu-based command-line interface from a console or Telnet session.

Table B-9  Command-Line Interface Errors

Error:   ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID
Problem: The system expected a valid 4-byte dotted decimal entry, and the entry was not in that format.
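The CLI error in Table B-9 covers four kinds of entry that share one format: four decimal octets, each 0 to 255, separated by dots. The following Python is an added example, not code from the Cisco reference; it models that format check and reproduces the table's error string when an entry fails it. The two mask checks (a subnet mask must be a contiguous run of ones, a wildcard mask a contiguous run of zeros) go beyond what the page documents and are this example's own addition, useful when pre-validating entries before typing them into the CLI.

```python
"""Validate the 4-byte dotted-decimal entries the VPN 3002 CLI asks for.

Added example, not code from the Cisco reference. It models the check behind
the CLI message "ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID":
the entry must be four decimal octets (0-255) separated by dots. The mask
contiguity checks are this example's own addition.
"""
import re

DOTTED_QUAD_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
CLI_ERROR = "ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID"  # text from Table B-9


def parse_dotted_quad(entry):
    """Return the 32-bit integer value of a dotted-decimal entry, or None if it is malformed."""
    m = DOTTED_QUAD_RE.match(entry.strip())
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):          # regex allows up to 999, so bound-check here
        return None
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def is_subnet_mask(entry):
    """True when the entry is a run of ones followed by zeros (e.g. 255.255.255.0)."""
    v = parse_dotted_quad(entry)
    if v is None:
        return False
    inv = (~v) & 0xFFFFFFFF                   # invert so the trailing zeros become ones
    return (inv & (inv + 1)) == 0             # a contiguous low run of ones is 2^k - 1


def is_wildcard_mask(entry):
    """True when the entry is a run of zeros followed by ones (e.g. 0.0.0.255)."""
    v = parse_dotted_quad(entry)
    if v is None:
        return False
    return (v & (v + 1)) == 0


def check_entry(entry, kind="address"):
    """Return (ok, message) for an entry of kind address, mask, wildcard or area.

    The format check mirrors the CLI error in Table B-9; the contiguity checks
    for mask and wildcard are an added local validation (assumption).
    """
    if parse_dotted_quad(entry) is None:
        return False, CLI_ERROR
    if kind == "mask" and not is_subnet_mask(entry):
        return False, CLI_ERROR + " (non-contiguous subnet mask)"
    if kind == "wildcard" and not is_wildcard_mask(entry):
        return False, CLI_ERROR + " (non-contiguous wildcard mask)"
    return True, f"{entry.strip()} accepted as {kind}"


if __name__ == "__main__":
    # Constructed sample entries, not values from the Cisco reference.
    for entry, kind in [("192.168.1.1", "address"), ("255.255.255.0", "mask"),
                        ("255.0.255.0", "mask"), ("0.0.0.255", "wildcard"), ("10.0.0", "address")]:
        print(f"{entry:>15} [{kind}] -> {check_entry(entry, kind)[1]}")
```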