VPN 3002 Hardware Client User Guide
Release 3.0
March 2001

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Contents

Preface
  About this manual ... xi
  Additional documentation ... xii
  Documentation on VPN software distribution CDs ...
5 Servers
  Configuration | System | Servers ... 5-1
  Configuration | System | Servers | DNS ... 5-1
6 Tunneling
  Configuration | System | Tunneling Protocols ...
  Configuration | System | Events | Syslog Servers | Add or Modify ... 9-15
10 General
  Configuration | System | General ... 10-1
  Configuration | System | General | Identification ...
  Monitoring | Filterable Event Log ... 13-3
  Monitoring | Live Event Log ... 13-8
  Monitoring | System Status ...
Index

Tables
  Table 9-1: VPN 3002 event classes ... 9-1
  Table 9-2: VPN 3002 event severity levels ... 9-4
  Table 9-3: Configuring “well-known” SNMP traps ...
Preface

About this manual
The VPN 3002 Hardware Client User Guide provides guidelines for configuring the Cisco VPN 3002, details on all the functions available in the VPN 3002 Hardware Client Manager, and instructions for using the VPN 3002 Command Line Interface.

Prerequisites
We assume you have read the VPN 3002 Hardware Client Getting Started manual and have followed the minimal configuration steps in Quick Configuration. That section of the VPN Hardware Client Manager is not described here.
Chapter 7, IP Routing, explains how to configure static routes, default gateways, and DHCP parameters and options. Chapter 8, Management Protocols, explains how to configure the built-in VPN 3002 servers that provide management functions: HTTP and HTTPS, Telnet, SNMP, SNMP Community Strings, SSL, and SSH. Chapter 9, Events, explains how to configure system events such as alarms, traps, error conditions, network problems, task completion, or status changes.
Documentation on VPN software distribution CDs
The VPN 3000 Concentrator and VPN 3002 Hardware Client documentation is provided on the VPN 3000 Concentrator software distribution CD-ROM in PDF format. The VPN Client documentation is included on the VPN Client software distribution CD-ROM, also in PDF format.
Documentation feedback
If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. You can e-mail your comments to bug-doc@cisco.com. To submit your comments by mail, for your convenience many documents contain a response card behind the front cover.
Other references
http://www.cisco.com/tac

P3 and P4 level problems are defined as follows:
• P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
• P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.
In each of the above cases, use the Cisco TAC website to quickly find answers to your questions. To register for Cisco.com, go to the following website: http://www.
Documentation conventions
We use these typographic conventions in this manual:

Font: Meaning
This font: Document, chapter, and section titles. Emphasized text.
This font: Command-line prompts and entries, data-entry-field entries, system displays, filenames, etc.
This font: Literal entries you should make exactly as shown.
<This font>: Variables that the system supplies. Ignore the angle brackets.
This font: Menus, menu items, keyboard keys, icons, screen names, data-entry field names, etc.
Data formats

Filenames
Filenames on the VPN 3002 follow the DOS 8.3 naming convention: a maximum of eight characters for the name, plus a maximum of three characters for an extension. For example, LOG00007.TXT is a legitimate filename. The VPN 3002 always stores filenames as uppercase.

Port numbers
Port numbers use decimal numbers from 0 to 65535 with no commas or spaces.
Chapter 1
Using the VPN 3002 Hardware Client Manager
The VPN 3002 Hardware Client Manager is an HTML-based interface that lets you configure, administer, monitor, and manage the VPN 3002 with a standard Web browser. To use it, you need only to connect to the VPN 3002 using a PC and browser on the same private network with the VPN 3002. The Manager uses the standard Web client / server protocol, HTTP (Hypertext Transfer Protocol), which is a cleartext protocol.
• Internet Explorer 4.0:
  – On the View menu, select Internet Options.
  – On the Security tab, click Custom (for expert users) then click Settings.
  – In the Security Settings window, scroll down to Scripting.
  – Click Enable under Scripting of Java applets.
  – Click Enable under Active scripting.
• Internet Explorer 5.0:
  – On the Tools menu, select Internet Options.
  – On the Security tab, click Custom Level.
Recommended PC monitor / display settings
For best ease of use, we recommend setting your monitor or display:
• Desktop area = 1024 x 768 pixels or greater. Minimum = 800 x 600 pixels.
• Color palette = 256 colors or higher.

Connecting to the VPN 3002 using HTTP
When your system administration tasks and network permit a cleartext connection between the VPN 3002 and your browser, you can use the standard HTTP protocol to connect to the system.
HTTPS is often confused with a similar protocol, S-HTTP (Secure HTTP), which encrypts only HTTP application-level data. SSL encrypts all data between client and server at the IP socket level, and is thus more secure. SSL uses digital certificates for authentication. The VPN 3002 creates a self-signed SSL server certificate when it boots, and this certificate must be installed in the browser. Once the certificate is installed, you can connect using HTTPS.
Installing the SSL certificate in your browser
You need to install the SSL certificate from a given VPN 3002 only once. If you do reinstall it, the browser repeats all these steps each time. A few seconds after the VPN 3002 Hardware Client Manager SSL screen appears, Internet Explorer displays a File Download dialog box that identifies the certificate filename and source, and asks whether to Open or Save the certificate. To immediately install the certificate in the browser, select Open.
Figure 1-5: Internet Explorer Certificate Manager Import Wizard dialog box
5 Click Next to continue. The wizard opens the next dialog box asking you to select a certificate store.
Figure 1-6: Internet Explorer Certificate Manager Import Wizard dialog box
6 Let the wizard Automatically select the certificate store, and click Next. The wizard opens a dialog box to complete the installation.
Figure 1-7: Internet Explorer Certificate Manager Import Wizard dialog box
7 Click Finish. The wizard opens the Root Certificate Store dialog box asking you to confirm the installation.
Figure 1-8: Internet Explorer Root Certificate Store dialog box
8 To install the certificate, click Yes. This dialog box closes, and a final wizard confirmation dialog box opens.
Figure 1-10: Internet Explorer Security Alert dialog box
11 Click OK. The VPN 3002 Hardware Client displays the HTTPS version of the Manager login screen.
Figure 1-11: VPN 3002 Hardware Client Manager login screen using HTTPS (Internet Explorer)
The browser maintains the HTTPS state until you close it or access an unsecure site; in the latter case you may see a Security Alert screen.
Figure 1-12: Internet Explorer 4.0 Certificate Properties screen
Click any of the Field items to see Details. Click Close when finished.
Second, you can view all the certificates that are stored in Internet Explorer 4.0. Click the browser View menu and select Internet Options. Click the Content tab, then click Authorities in the Certificates section. In Internet Explorer 5.0, click the browser Tools menu and select Internet Options.
Reinstallation
You need to install the SSL certificate from a given VPN 3002 only once. If you try to reinstall it, Netscape displays the note in Figure 1-14. Click OK and just connect to the VPN 3002 using SSL (see Step 7 on page 1-13).
Figure 1-14: Netscape reinstallation note

First-time installation
The instructions below follow from Step 2 on page 1-4 and describe first-time certificate installation.
Figure 1-16: Netscape New Certificate Authority screen 2
2 Click Next> to proceed. Netscape displays the next New Certificate Authority screen, which lets you examine details of the VPN 3002 Hardware Client SSL certificate.
Figure 1-17: Netscape New Certificate Authority screen 3
3 Click Next> to proceed. Netscape displays the next New Certificate Authority screen, with choices for using the certificate. No choices are checked by default.
Figure 1-18: Netscape New Certificate Authority screen 4
4 You must check at least the first box, Accept this Certificate Authority for Certifying network sites. Click Next> to proceed. Netscape displays the next New Certificate Authority screen, which lets you choose to have the browser warn you about sending data to the VPN 3002.
Figure 1-19: Netscape New Certificate Authority screen 5
5 Checking the box is optional.
Figure 1-20: Netscape New Certificate Authority screen 6
6 In the Nickname field, enter a descriptive name for this certificate. “Nickname” is something of a misnomer. We suggest you use a clearly descriptive name such as Cisco VPN 3002 10.10.147.2. This name appears in the list of installed certificates; see Viewing certificates with Netscape below. Click Finish. You can now connect to the VPN 3002 using HTTP over SSL (HTTPS).
Figure 1-22: VPN 3002 Hardware Client Manager login screen using HTTPS (Netscape)
The browser maintains the HTTPS state until you close it or access an unsecure site; in the latter case, you may see a Security Information Alert dialog box. Proceed to Logging in to the VPN 3002 Hardware Client Manager on page 1-17 to log in as usual.
Figure 1-23: Netscape Security Info window
Click View Certificate to see details of the specific certificate in use.
Figure 1-24: Netscape View Certificate screen
Click OK when finished.
Second, you can view all the certificates that are stored in Netscape. On the Security Info window, select Certificates then Signers. The “nickname” you entered in Step 6 identifies the VPN 3002 Hardware Client SSL certificate.
Figure 1-25: Netscape Certificates Signers list
Select a certificate, then click Edit, Verify, or Delete. Click OK when finished.

Connecting to the VPN 3002 using HTTPS
Once you have installed the SSL certificate in the browser, you can connect directly using HTTPS.
1 Bring up the browser.
2 In the browser Address or Location field, enter https:// plus the VPN 3002 private interface IP address; for example, https://10.10.147.2.
Figure 1-26: VPN Hardware Client Manager HTTPS login screen

Logging in to the VPN 3002 Hardware Client Manager
Logging in to the VPN 3002 Hardware Client Manager is the same for both types of connections: cleartext HTTP or secure HTTPS. Entries are case-sensitive. With Microsoft Internet Explorer, you can press the Tab key to move from field to field; other browsers may work differently. If you make a mistake, click the Clear button and start over.
Figure 1-27: Manager Main Welcome screen
From here you can navigate the Manager using either the table of contents in the left frame, or the Manager toolbar in the top frame.

Configuring HTTP, HTTPS, and SSL parameters
HTTP, HTTPS, and SSL are enabled by default on the VPN 3002, and they are configured with recommended parameters that should suit most administration tasks and security requirements.
Understanding the VPN 3002 Hardware Client Manager window
The VPN 3002 Hardware Client Manager window on your browser consists of three frames — top, left, and main — and it provides helpful messages and tips as you move the mouse pointer over window items. The title bar and status bar also provide useful information.
Figure 1-28: VPN 3002 Hardware Client Manager window
Mouse pointer and tips
As you move the mouse pointer over an active area, the pointer changes shape and icons change color. A description also appears in the status bar area. If you momentarily rest the pointer on an icon, a descriptive tip appears for that icon.

Top frame (Manager toolbar)
The Manager toolbar in the top frame provides quick access to Manager features.
tac@cisco.com: Click this link to open your configured email application and compose an email message to Cisco’s Technical Assistance Center (TAC). When you finish, the application closes and returns to this Support screen.
Logout tab: Click to log out of the Manager and return to the login screen.
Logged in: [username]: The administrator username you used to log in to this Manager session.
configuration automatically when you reach the Done screen, and there is neither a Save nor a Save Needed button.
Refresh: Click to refresh (update) the screen contents on screens where it appears (mostly in the Monitoring section). The date and time above this reminder indicate when the screen was last updated.
Cisco Systems logo: Click the Cisco Systems logo to open a browser and go to the Cisco web site, www.cisco.com.
Navigating the VPN 3002 Hardware Client Manager
  – System: parameters for system-wide functions such as server access, IPSec tunneling protocol, built-in management servers, event handling, and system identification.
  – Policy Management: enabling PAT (Port Address Translation).
• Administration: managing higher-level functions that keep the VPN 3002 operational and secure, such as who is allowed to configure the system, what software runs on it, and managing its configuration files and digital certificates.
Chapter 2
Configuration
Configuring the VPN 3002 means setting all the parameters that govern its use and functionality as a VPN device. Cisco supplies default parameters that cover typical installations and uses; and once you supply minimal parameters in Quick Configuration, the system is operational. But to tailor the system to your needs, and to provide an appropriate level of system security, you can configure the system in detail.
Chapter 3
Interfaces
This section of the VPN 3002 Hardware Client Manager applies functions that are interface-specific, rather than system-wide. You configure two network interfaces for the VPN 3002 to operate as a VPN device: the Private interface and the Public interface. If you used Quick Configuration as described in the VPN 3002 Hardware Client Getting Started manual, the system supplied many default parameters for the interfaces. Here you can configure them explicitly.
Figure 3-1: VPN 3002-8E Configuration | Interfaces screen
To configure a module, either click the appropriate link in the status table; or use the mouse pointer to select the module on the back-panel image, and click anywhere in the highlighted area.
Interface: The VPN 3002 interface installed in the system. To configure an interface, click the appropriate link.
IP Address: The IP address configured on this interface.
Subnet Mask: The subnet mask configured on this interface.

Configuration | Interfaces | Private
This screen lets you configure parameters for the Private Interface. It displays the current parameters, if any.
If the interface is configured but disabled (offline), the appropriate Ethernet Link Status LED blinks green on the VPN 3002 front panel.
IP Address: Enter the IP address for this interface, using dotted decimal notation (e.g., 192.168.12.34). Note that 0.0.0.0 is not allowed. Be sure no other device is using this address on the network.
Subnet Mask: Enter the subnet mask for this interface, using dotted decimal notation (e.g., 255.255.255.0).
Apply / Cancel: To apply your settings to the system and include them in the active configuration, click Apply. The Manager returns to the Configuration | Interfaces screen.
Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your settings, click Cancel. The Manager returns to the Configuration | Interfaces screen.

Configuration | Interfaces | Public
IP Address: Enter the IP address for this interface, using dotted decimal notation (e.g., 192.168.12.34). Note that 0.0.0.0 is not allowed. Be sure no other device is using this address on the network.
Subnet Mask: Enter the subnet mask for this interface, using dotted decimal notation (e.g., 255.255.255.0). The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered. For example, the IP address 192.168.12.
Chapter 4
System Configuration
System configuration means configuring parameters for system-wide functions in the VPN 3002.

Configuration | System
This section of the Manager lets you configure parameters for:
• Servers: identifying servers for DNS information for the VPN 3002.
• Tunneling Protocols: configuring IPSec connections.
• IP Routing: configuring static routes, default gateways, and DHCP.
Chapter 5
Servers
Configuring servers means identifying them to the VPN 3002 so it can communicate with them correctly. For the VPN 3002, these are DNS servers that convert hostnames to IP addresses. The VPN 3002 functions as a client of these servers.

Configuration | System | Servers
This section of the Manager lets you configure the VPN 3002 to communicate with DNS servers.
Figure 5-2: Configuration | System | Servers | DNS screen
Enabled: To use DNS functions, check Enabled (the default). To disable DNS, clear the box.
Domain: Enter the name of the registered domain of the ISP for the VPN 3002; e.g., yourisp.com. Maximum 48 characters. This entry is sometimes called the domain name suffix or sub-domain. The DNS system within the VPN 3002 automatically appends this domain name to hostnames before sending them to a DNS server for resolution.
Timeout Period: Enter the initial time in seconds to wait for a response to a DNS query before sending the query to the next server. Minimum is 1, default is 2, maximum is 30 seconds. This time doubles with each retry cycle through the list of servers.
Timeout Retries: Enter the number of times to retry sending a DNS query to the configured servers, in order. In other words, this is the number of times to cycle through the list of servers before returning an error.
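The timeout and retry fields above decide how long a host behind the VPN 3002 waits before a name lookup fails. The following added example (not Cisco code) models that schedule under one stated assumption: the resolver makes one pass over the server list plus one further pass per configured retry, doubling the per-query timeout on each pass. The server addresses are constructed.

```python
"""Model of the VPN 3002 DNS Timeout Period / Timeout Retries behaviour.

Added illustration, not Cisco code. Assumption (labelled): the resolver
makes one pass over the configured servers in order, then `retries`
further passes, and the per-query timeout doubles on every pass.
"""


def dns_attempt_schedule(servers, retries, timeout_s=2):
    """Return the ordered list of (server, timeout_seconds) attempts made
    before the resolver gives up and returns an error."""
    if not 1 <= timeout_s <= 30:            # Manager limits: min 1, max 30
        raise ValueError("Timeout Period must be between 1 and 30 seconds")
    if retries < 0:
        raise ValueError("Timeout Retries cannot be negative")
    if not servers:
        raise ValueError("at least one DNS server must be configured")
    schedule = []
    wait = timeout_s
    for _cycle in range(retries + 1):       # initial pass + `retries` passes
        for server in servers:
            schedule.append((server, wait))
        wait *= 2                            # doubles on each cycle through the list
    return schedule


def worst_case_delay(servers, retries, timeout_s=2):
    """Seconds a client waits for a lookup error when every server is down."""
    return sum(t for _, t in dns_attempt_schedule(servers, retries, timeout_s))


# Constructed sample: three DNS servers, default Timeout Period, two retries.
SAMPLE_SERVERS = ["10.10.0.53", "10.10.0.54", "10.10.0.55"]
SAMPLE_RETRIES = 2

if __name__ == "__main__":
    for server, wait in dns_attempt_schedule(SAMPLE_SERVERS, SAMPLE_RETRIES):
        print(f"query {server:<12} wait up to {wait:>2}s")
    print("worst case before error:", worst_case_delay(SAMPLE_SERVERS, SAMPLE_RETRIES), "s")
```

With three servers, the default 2-second period and two retries, an unreachable DNS infrastructure stalls every lookup for 42 seconds before the client sees an error.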
Chapter 6
Tunneling
Tunneling is the heart of virtual private networking. The tunnels make it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network. The secure connection is called a tunnel, and the VPN 3002 uses the IPSec tunneling protocol to:
• Negotiate tunnel parameters.
• Establish tunnels.
• Authenticate users and data.
• Manage security keys.
• Encrypt and decrypt data.
Configuration | System | Tunneling Protocols
This section lets you configure the IPSec tunneling protocol.
1 Click IPSec.
Figure 6-1: Configuration | System | Tunneling Protocols screen

Configuration | System | Tunneling Protocols | IPSec
The VPN 3002 complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol.
• Mode Configuration (also known as ISAKMP Configuration Method)
• Tunnel Encapsulation Mode
Figure 6-2: Configuration | System | Tunneling Protocols | IPSec screen
Peer Address: Enter the IP address or hostname of the remote IKE peer. This is the IP address or hostname of the public interface on the VPN Concentrator to which this VPN 3002 connects. Use dotted decimal notation; e.g., 192.168.34.56.
Verify: In the Group Verify field, re-enter the group password to verify it. The field displays only asterisks.
User: You must also enter a username and password, and they must match the username and password configured on the central-site Concentrator to which this VPN 3002 connects.
Name: In the User Name field, enter a unique name for the user in this group. Maximum is 32 characters, case-sensitive. This is the user name configured on the central-site Concentrator to which this VPN 3002 connects.
Chapter 7
IP Routing
The VPN 3002 itself includes an IP routing subsystem with static routing, default gateways, and DHCP. To route packets, the subsystem uses static routes and the default gateway. If you don’t configure the default gateway, the subsystem drops packets that it can’t otherwise route. You configure static routes and default gateways in this section. This section also includes the system-wide DHCP (Dynamic Host Configuration Protocol) server parameters.
Configuration | System | IP Routing | Static Routes
This section of the Manager lets you configure static routes for IP routing.
Figure 7-2: Configuration | System | IP Routing | Static Routes screen
Static Routes: The Static Routes list shows manual IP routes that have been configured. The format is [destination network address/subnet mask -> outbound destination]; e.g., 192.168.12.0/255.255.255.0 -> 10.10.0.2.
Configuration | System | IP Routing | Static Routes | Add or Modify
These Manager screens let you:
Add: Configure and add a new static, or manual, route to the IP routing table.
Modify: Modify the parameters for a configured static route.
Figure 7-3: Configuration | System | IP Routing | Static Routes | Add or Modify screen
Network Address: Enter the destination network IP address that this static route applies to.
Destination: Click a radio button to select the outbound destination for these packets. You can select only one destination: either a specific router/gateway, or a VPN 3002 interface.
Destination Router Address: Enter the IP address of the specific router or gateway to which to route these packets; that is, the IP address of the next hop between the VPN 3002 and the packet’s ultimate destination. Use dotted decimal notation; e.g., 10.10.0.2. We recommend that you select this option.
Default Gateway: Enter the IP address of the default gateway or router. Use dotted decimal notation; e.g., 192.168.12.77. This address must not be the same as the IP address configured on any VPN 3002 interface. If you do not use a default gateway, enter 0.0.0.0 (the default entry). To delete a configured default gateway, enter 0.0.0.0. The default gateway must be reachable from a VPN 3002 interface, and it is usually on the public network.
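To show how the static-route and default-gateway rules in this chapter combine, here is an added example (not VPN 3002 code) that parses routes in the Manager's display format, validates a default gateway against the constraints stated above, and performs the lookup: directly attached networks and static routes by longest-prefix match, then the default gateway, otherwise the packet is dropped. The interface addresses and the extra routes are constructed; only 10.10.147.2 and the route 192.168.12.0/255.255.255.0 -> 10.10.0.2 come from this manual.

```python
"""Static-route and default-gateway lookup as described in the IP Routing chapter.

Added illustration, not VPN 3002 code. Interface addresses and all routes
except the manual's own example are constructed values.
"""
import ipaddress

# Constructed interface configuration. 10.10.147.2 is the private-interface
# address used as an example elsewhere in this manual; the Public one is made up.
INTERFACES = {
    "Private": ipaddress.ip_interface("10.10.147.2/255.255.255.0"),
    "Public": ipaddress.ip_interface("10.10.0.1/255.255.255.0"),
}


def parse_static_route(text):
    """Parse the Manager's display format 'dest/mask -> next hop'."""
    dest, arrow, hop = text.partition("->")
    if not arrow:
        raise ValueError(f"route is missing '->': {text!r}")
    network = ipaddress.ip_network(dest.strip(), strict=True)
    return network, str(ipaddress.ip_address(hop.strip()))


def connected_routes(interfaces=INTERFACES):
    """Directly attached networks, delivered out of the named interface."""
    return [(iface.network, f"interface {name}") for name, iface in interfaces.items()]


def validate_default_gateway(gateway, interfaces=INTERFACES):
    """Apply the rules stated for the Default Gateway field.

    0.0.0.0 means no default gateway (returns None). Otherwise the address
    must differ from every interface address and lie on a directly attached
    network so that it is reachable from a VPN 3002 interface.
    """
    gw = ipaddress.ip_address(gateway)
    if gw == ipaddress.ip_address("0.0.0.0"):
        return None
    for name, iface in interfaces.items():
        if gw == iface.ip:
            raise ValueError(f"default gateway equals the {name} interface address")
    if not any(gw in iface.network for iface in interfaces.values()):
        raise ValueError("default gateway is not reachable from any interface")
    return gw


def next_hop(destination, routes, default_gateway=None):
    """Longest-prefix match over the route list, then the default gateway.

    Returns the next hop as a string, or None when the packet would be
    dropped: no route matches and no default gateway is configured.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for network, hop in routes:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, hop)
    if best is not None:
        return best[1]
    return str(default_gateway) if default_gateway is not None else None


ROUTES = connected_routes() + [parse_static_route(r) for r in (
    "192.168.12.0/255.255.255.0 -> 10.10.0.2",   # the manual's own example
    "172.16.0.0/255.255.0.0 -> 10.10.0.3",       # constructed
    "172.16.5.0/255.255.255.0 -> 10.10.0.4",     # constructed, more specific
)]

if __name__ == "__main__":
    gw = validate_default_gateway("10.10.0.254")  # constructed, on the Public network
    for dst in ("10.10.147.9", "192.168.12.34", "172.16.5.9", "172.16.9.9", "8.8.8.8"):
        print(f"{dst:<14} -> {next_hop(dst, ROUTES, gw)}  (no gateway: {next_hop(dst, ROUTES)})")
```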
Configuration | System | IP Routing | DHCP
Figure 7-5: Configuration | System | IP Routing | DHCP screen
Enabled: Check the box to enable the DHCP server functions on the VPN 3002. The box is checked by default. To use DHCP address assignment, you must enable DHCP functions here.
Lease Timeout: Enter the timeout in minutes for addresses that are obtained from the DHCP server. Minimum is 5, default is 120, maximum is 500000 minutes. DHCP servers “lease” IP addresses to clients on the VPN 3002’s private network for this period of time.
Configuration | System | IP Routing | DHCP Options
This section lets you configure DHCP options.
Figure 7-6: Configuration | System | IP Routing | DHCP Options screen
DHCP Option: DHCP options are facilities that allow the VPN 3002 DHCP server to respond with configurable parameters for specific kinds of devices, such as PCs, IP telephones, and print servers, in addition to an IP address.
Add / Modify / Delete: To configure and add DHCP options, click Add.
Configuration | System | IP Routing | DHCP Options | Add or Modify
These screens let you:
Add: Add a new DHCP option to the list of DHCP options this VPN 3002 uses.
Modify: Modify a configured DHCP option.
Figure 7-7: Configuration | System | IP Routing | DHCP Options | Add or Modify screen
DHCP Option: Use the pull-down menu in the DHCP Option field to select the option you want to add or modify. You can add or modify only one option at a time.
Chapter 8
Management Protocols
The VPN 3002 Hardware Client includes various built-in servers, using various protocols, that let you perform typical network and system management functions. This section explains how you configure and enable those servers.
Configuration | System | Management Protocols | HTTP/HTTPS
This screen lets you configure and enable the VPN 3002 HTTP/HTTPS server: Hypertext Transfer Protocol and HTTP over SSL (Secure Sockets Layer) protocol. When the server is enabled, you can use a Web browser to communicate with the VPN 3002. HTTPS lets you use a Web browser over a secure, encrypted connection.
Notes: The Manager requires the HTTP/HTTPS server.
Enable HTTPS: Check the box to enable the HTTPS server. The box is checked by default. HTTPS—also known as HTTP over SSL—lets you use the Manager over an encrypted connection.
Enable HTTPS on Public: Check the box to enable HTTPS on the Public interface.
HTTP Port: Enter the port number that the HTTP server uses. The default is 80, which is the well-known port.
HTTPS Port: Enter the port number that the HTTPS server uses.
Configuration | System | Management Protocols | Telnet
This screen lets you configure and enable the VPN 3002 Telnet terminal emulation server, and Telnet over SSL (Secure Sockets Layer protocol). When the server is enabled, you can use a Telnet client to communicate with the VPN 3002. You can fully manage and administer the VPN 3002 using the Cisco Command Line Interface via Telnet.
Maximum Connections: Enter the maximum number of concurrent, combined Telnet and Telnet/SSL connections that the server allows. Minimum is 1, default is 5, maximum is 10.
Apply / Cancel: To apply your Telnet settings, and to include the settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen.
Configuration | System | Management Protocols | SNMP
Figure 8-6: Configuration | System | Management Protocols | SNMP screen
Enable: Check the box to enable SNMP. The box is checked by default. Disabling SNMP provides additional security.
Port: Enter the port number that SNMP uses. The default is 161, which is the well-known port number. Changing the port number provides additional security.
Maximum Queued Requests: Enter the maximum number of outstanding queued requests that the SNMP agent allows.
Figure 8-7: Configuration | System | Management Protocols screen

Configuration | System | Management Protocols | SNMP Communities
This section of the Manager lets you configure and manage SNMP community strings, which identify valid communities from which the SNMP agent accepts requests. A community string is like a password: it validates messages between an SNMP manager and the agent.
Add / Modify / Delete: To configure and add a new community string, click Add. The Manager opens the Configuration | System | Management Protocols | SNMP Communities | Add screen. To modify a configured community string, select the string from the list and click Modify. The Manager opens the Configuration | System | Management Protocols | SNMP Communities | Modify screen. To delete a configured community string, select the string from the list and click Delete.
Community String: Enter the SNMP community string. Maximum 31 characters, case-sensitive.
Add or Apply / Cancel: To add this entry to the list of configured community strings, click Add. Or to apply your changes to this community string, click Apply. Both actions include your entry in the active configuration.
Configuration | System | Management Protocols | SSL
Note: To ensure the security of your connection to the Manager, if you click Apply on this screen—even if you have made no changes—you will break your connection to the Manager and you must restart the Manager session from the login screen.
Related information:
• For information on installing the SSL digital certificate in your browser and connecting via HTTPS, see Chapter 1, Using the VPN 3002 Hardware Client Manager.
RC4-40/MD5 Export = RC4 encryption with a 128-bit key—40 bits of which are private—and the MD5 hash function. This option is available in the export (non-U.S.) versions of many SSL clients.
DES-40/SHA Export = DES encryption with a 56-bit key—40 bits of which are private—and the SHA-1 hash function. This option is available in the export (non-U.S.) versions of many SSL clients.
768-bit RSA Key = This key size provides normal security and is the default selection. It requires approximately 2 to 4 times more processing than the 512-bit key. 1024-bit RSA Key = This key size provides high security. It requires approximately 4 to 8 times more processing than the 512-bit key. Apply / Cancel To apply your SSL settings, and to include your settings in the active configuration, click Apply.
Configuration | System | Management Protocols | SSH Figure 8-14: Configuration | System | Management Protocols | SSH screen Enable SSH Check the box to enable the SSH server. The box is checked by default. Disabling the SSH server provides additional security by preventing SSH access. Enable SSH on Public Check the box to enable SSH on the Public interface. SSH Port Enter the port number that the SSH server uses. The default is 22, which is the well-known port.
Encryption Protocols Check the boxes for the encryption algorithms that the VPN 3002 SSH server can negotiate with a client and use for session encryption. All algorithms are checked by default. You must check at least one algorithm to enable a secure session. Unchecking all algorithms disables SSH. 3DES-168 = Triple-DES encryption with a 168-bit key. This option is the most secure but requires the greatest processing overhead. RC4-128 = RC4 encryption with a 128-bit key.
CHAPTER 9 Events An event is any significant occurrence within or affecting the VPN 3002 such as an alarm, trap, error condition, network problem, task completion, threshold breach, or status change. The VPN 3002 records events in an event log, which is stored in nonvolatile memory. You can also specify that certain events trigger a console message, a UNIX syslog record, or an SNMP management system trap. Event attributes include class and severity level.
Table 9-1: VPN 3002 event classes (continued). Each entry reads Class name = Class description (event source); an asterisk marks a Cisco-specific event class.
DNS = DNS subsystem
DNSDBG = DNS debugging*
DNSDECODE = DNS decoding*
EVENT = Event subsystem*
EVENTDBG = Event subsystem debugging*
EVENTMIB = Event MIB changes*
EXPANSIONCARD = Expansion card (module) subsystem
FILTER = Filter subsystem
FILTERDBG = Filter debugging*
FSM = Finite State Machine subsystem (for debugging)*
FTPD = FTP daemon subsystem
GENERAL = NTP subsystem a
Table 9-1: VPN 3002 event classes (continued). Each entry reads Class name = Class description (event source); an asterisk marks a Cisco-specific event class.
LBSSF = Load Balancing/Secure Session Failover subsystem*
MIB2TRAP = MIB-II trap subsystem: SNMP MIB-II traps*
OSPF = OSPF subsystem
PPP = PPP subsystem
PPPDBG = PPP debugging*
PPPDECODE = PPP decoding*
PPTP = PPTP subsystem
PPTPDBG = PPTP debugging*
PPTPDECODE = PPTP decoding*
PSH = Operating system command shell*
PSOS = Embedded real-time operating system*
QUEUE = System q
Note: The Cisco-specific event classes provide information that is meaningful only to Cisco engineering or support personnel. Also, the DBG and DECODE events require significant system resources and may seriously degrade performance. We recommend that you avoid logging these events unless Cisco requests it. Event severity level Severity level indicates how serious or significant the event is; i.e.
Note: The Debug (7–9) and Packet Decode (10–13) severity levels are intended for use by Cisco engineering and support personnel. We recommend that you avoid logging these events unless Cisco requests it. The VPN 3002, by default, displays all events of severity level 1 through 3 on the console. It writes all events of severity level 1 through 5 to the event log.
Configuration | System | Events This section of the Manager lets you configure how the VPN 3002 handles events. Events provide information for system monitoring, auditing, management, accounting, and troubleshooting. Figure 9-1: Configuration | System | Events screen Configuration | System | Events | General This Manager screen lets you configure the general, or default, handling of all events. These defaults apply to all event classes.
Severity to Log Click the drop-down menu button and select the range of event severity levels to enter in the event log by default. Choices are: None, 1, 1-2, 1-3, ..., 1-13. The default is 1-5: all events of severity level 1 through severity level 5 are entered in the event log. Severity to Console Click the drop-down menu button and select the range of event severity levels to display on the console by default. Choices are: None, 1, 1-2, 1-3, ..., 1-13.
Apply / Cancel To include your settings for default event handling in the active configuration, click Apply. The Manager returns to the Configuration | System | Events screen. Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Events screen.
Add / Modify / Delete To configure and add a new event class for special handling, click Add. See Configuration | System | Events | Classes | Add. To modify an event class that has been configured for special handling, select the event class from the list and click Modify. See Configuration | System | Events | Classes | Modify.
All subsequent parameters on this screen apply to this event class only. Enable Check this box to enable the special handling of this event class. (The box is checked by default.) Clearing this box lets you set up the parameters for the event class but activate it later, or temporarily disable special handling without deleting the entry. The Configured Event Classes list on the Configuration | System | Events | Classes screen indicates disabled event classes.
Add or Apply / Cancel To add this event class to the list of those with special handling, click Add. Or to apply your changes to this configured event class, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Classes screen. Any new event class appears in the Configured Event Classes list.
Add / Modify / Delete To configure a new SNMP trap destination, click Add. See Configuration | System | Events | Trap Destinations | Add. To modify an SNMP trap destination that has been configured, select the destination from the list and click Modify. See Configuration | System | Events | Trap Destinations | Modify. To remove an SNMP trap destination that has been configured, select the destination from the list and click Delete. There is no confirmation or undo.
Community Enter the community string to use in identifying traps from the VPN 3002 to this destination. The community string is like a password: it validates messages between the VPN 3002 and this NMS destination. If you leave this field blank, the default community string is public. Port Enter the UDP port number by which you access the destination SNMP server. Use a decimal number from 0 to 65535.
Figure 9-7: Configuration | System | Events | Syslog Servers screen Syslog Servers The Syslog Servers list shows the UNIX syslog servers that have been configured as recipients of event messages. You can configure a maximum of five syslog servers. If no syslog servers have been configured, the list shows --Empty--. Add / Modify / Delete To configure a new syslog server, click Add. See Configuration | System | Events | Syslog Servers | Add.
Configuration | System | Events | Syslog Servers | Add or Modify These screens let you: Add a UNIX syslog server as a recipient of event messages. You can configure a maximum of five syslog servers. Modify a configured UNIX syslog server that is a recipient of event messages.
CRON = Clock daemon. Local 0 through Local 7 (default) = User defined. Add or Apply / Cancel To add this server to the list of syslog servers, click Add. Or to apply your changes to this syslog server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Syslog Servers screen. Any new server appears in the Syslog Servers list.
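The facility you pick for a syslog server determines the numeric PRI value that a UNIX syslog collector sees at the front of each message, and collectors usually filter and route on that value. The following is an added example, not code from the guide or from Cisco: it encodes and decodes the PRI for the facilities the screen offers (CRON and Local 0 through Local 7, using the standard syslog facility codes 9 and 16 through 23) and routes constructed sample messages by facility. The syslog severity in the PRI is the 0 to 7 syslog scale; the guide does not say how the VPN 3002 maps its own 1 to 13 event severity levels onto it, so this code takes the syslog severity as given rather than assuming a mapping.

```python
from __future__ import annotations
import re

# Standard syslog facility codes for the facilities the VPN 3002 syslog server
# entry lets you choose: CRON (clock daemon) and the user-defined Local 0-7.
FACILITY_CODES = {"CRON": 9, **{f"LOCAL{n}": 16 + n for n in range(8)}}
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}


def syslog_pri(facility: str, severity: int) -> int:
    """PRI = facility * 8 + severity, with severity on the syslog 0..7 scale."""
    if not 0 <= severity <= 7:
        raise ValueError("syslog severity must be 0..7")
    key = facility.upper().replace(" ", "")  # accept "Local 7" as well as "LOCAL7"
    return FACILITY_CODES[key] * 8 + severity


def decode_pri(pri: int) -> tuple[str, int]:
    """Split a PRI back into (facility name, severity)."""
    facility_code, severity = divmod(pri, 8)
    return FACILITY_NAMES.get(facility_code, f"FACILITY{facility_code}"), severity


PRI_LINE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog_line(line: str) -> dict:
    """Parse '<PRI>rest' into facility, severity and message text."""
    m = PRI_LINE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "msg": m.group(2).strip()}


# Constructed sample messages (not captured from a real device).
SAMPLE_LINES = [
    "<187>Dec  6 14:23:10 vpn3002 constructed message on Local 7, severity 3",
    "<75>Dec  6 14:23:11 vpn3002 constructed message on CRON, severity 3",
    "<190>Dec  6 14:23:12 otherhost constructed message on Local 7, severity 6",
]


def route_by_facility(lines, wanted_facility: str = "LOCAL7", max_severity: int = 7):
    """Keep messages on the facility configured for the VPN 3002 and at or
    below a severity cutoff, so they can be separated from other hosts' traffic."""
    kept = []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec["facility"] == wanted_facility.upper() and rec["severity"] <= max_severity:
            kept.append(rec["msg"])
    return kept
```

On a collector, the same arithmetic tells you which PRI range to match: messages sent with Local 7 arrive with PRI values 184 through 191.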
CHAPTER 10 General General configuration parameters include VPN 3002 environment items: system identification, time, and date. Configuration | System | General This section of the Manager lets you configure general VPN 3002 parameters. • Identification: system name, contact person, system location. • Time and Date: system time and date.
Configuration | System | General | Identification This screen lets you configure system identification parameters that are stored in the standard MIB-II system object. Network management systems using SNMP can retrieve this object and identify the system. Configuring this information is optional. Figure 10-2: Configuration | System | General | Identification screen System Name Enter a system name that uniquely identifies this VPN 3002 on your network; e.g., VPN01. Maximum 255 characters.
Configuration | System | General | Time and Date This screen lets you set the time and date on the VPN 3002. Setting the correct time is very important so that logging information is accurate. Figure 10-3: Configuration | System | General | Time and Date screen Current Time The screen shows the current date and time on the VPN 3002 at the time the screen displays. You can refresh this by redisplaying the screen.
CHAPTER 11 Policy Management The VPN 3002 works in either of two modes: Client mode or Network Extension mode. Policy management on the VPN 3002 includes deciding whether you want the VPN 3002 to use Client Mode or Network Extension mode. This section lets you enable or disable PAT. Client mode/PAT Client mode, also called PAT (Port Address Translation) mode, isolates all devices on the VPN 3002 private network from those on the corporate network.
VPN 3000 Series Concentrator settings required for PAT For the VPN 3002 to use PAT, these are the requirements for the central-site Concentrator. 1 The Concentrator at the central site must be running Software version 3.x or later. 2 Address assignment must be enabled, by whatever method you choose to assign addresses (e.g., DHCP, address pools, per user, or client-specified).
5 If you want the VPN 3002 to be able to reach devices on other networks that connect to this Concentrator, review your Network Lists. See Chapter 15, Policy Management in the VPN 3000 Concentrator Series User Guide. Configuration | Policy Management The Configuration | Policy Management screen introduces this section of the Manager. Figure 11-1: Configuration | Policy Management screen Traffic Management To enable or disable PAT, click Traffic Management.
Configuration | Policy Management | Traffic Management | PAT The Configuration | Policy Management | Traffic Management | PAT screen displays. Figure 11-3: Configuration | Policy Management | Traffic Management | PAT screen PAT mode provides many-to-one translation; that is, it translates many private network addresses to the single address configured on the public network interface. Enable To enable PAT, click Enable.
Configuration | Policy Management | Traffic Management | PAT | Enable Apply / Cancel To enable or disable PAT, and include your setting in the active configuration, click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | PAT screen. Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your entry and leave the active configuration unchanged, click Cancel.
CHAPTER 12 Administration Administering the VPN 3002 involves activities that keep the system operational and secure. Configuring the system sets the parameters that govern its use and functionality as a VPN device, but administration involves higher level activities such as who is allowed to configure the system, and what software runs on it. Administration This section of the Manager lets you control administrative functions on the VPN 3002.
Figure 12-1: Administration screen Administration | Software Update This section of the Manager lets you update the VPN 3002 executable system software. This process uploads the file to the VPN 3002, which then verifies the integrity of the file. The new image file must be accessible by the workstation you are using to manage the VPN 3002. Software image files ship on the Cisco VPN 3002 CD-ROM. Updated or patched versions are available from the Cisco Website, www.cisco.
Figure 12-2: Administration | Software Update screen Current Software Revision The name, version number, and date of the software image currently running on the system. Browse... Enter the complete pathname of the new image file, or click Browse... to find and select the file from your workstation or network.
Software Update Progress This window shows the progress of the software upload. It refreshes the number of bytes transferred at 10-second intervals. Figure 12-3: Administration | Software Update Progress window When the upload is finished, or if the upload is cancelled, the progress window closes. Software Update Success The Manager displays this screen when it completes the software upload and verifies the integrity of the software.
Administration | System Reboot This screen lets you reboot or shutdown (halt) the VPN 3002 with various options. We strongly recommend that you shut down the VPN 3002 before you turn power off. If you just turn power off without shutting down, you may corrupt flash memory and affect subsequent operation of the system. If you are logged in to the Manager when the system reboots or halts, it automatically logs you out and displays the main login screen.
Shutdown without automatic reboot = Shut down the VPN 3002; that is, bring the system to a halt so you can turn off the power. Shutdown terminates all sessions and prevents new user sessions (but not administrator sessions). While the system is in a shutdown state, the SYS LEDs blink on the front panel. Cancel a scheduled reboot/shutdown = Cancel a reboot or shutdown that is waiting for a certain time or for sessions to terminate.
Administration | Ping This screen lets you use the ICMP ping (Packet Internet Groper) utility to test network connectivity. Specifically, the VPN 3002 sends an ICMP Echo Request message to a designated host. If the host is reachable, it returns an Echo Reply message, and the Manager displays a Success screen. If the host is not reachable, the Manager displays an Error screen. You can also Ping hosts from the Administration | Sessions screen.
Error (Ping) If the system is unreachable for any reason—host down, ICMP not running on host, route not configured, intermediate router down, network down or congested, etc.—the Manager displays an Error screen with the name of the tested host. To troubleshoot the connection, try to Ping other hosts that you know are working. Figure 12-9: Administration | Ping | Error screen To return to the Administration | Ping screen, click Retry the operation.
Administration | Access Rights | Administrators Administrators are special users who can access and change the configuration, administration, and monitoring functions on the VPN 3002. Only administrators can use the VPN 3002 Hardware Client Manager. This section of the Manager lets you change administrator properties and rights. Any changes take effect as soon as you click Apply.
Password Enter or edit the unique password for this administrator. Maximum is 31 characters. The field displays only asterisks. Note: The default password that Cisco supplies is the same as the username. We strongly recommend that you change this password. Verify Re-enter the password to verify it. The field displays only asterisks. Enabled Check the box to enable, or clear the box to disable, an administrator.
Session Idle Timeout Enter the idle timeout period in seconds for administrative sessions. If there is no activity for this period, the Manager session terminates. Minimum is 1, default is 600, and maximum is 1800 seconds (30 minutes). The Manager resets the inactivity timer only when you click an action button (Apply, Add, Cancel, etc.) or a link on a screen—that is, when you invoke a different screen.
View Files View Files lets you view or delete configuration, crash dump, and saved log files. When you select this option, the Administration | File Management | View Files window displays. Swap Config Files Swap Config Files lets you swap the boot configuration file with the backup configuration file. When you select this option, the Administration | File Management | Swap Config Files window displays. Config File Upload Click Config File Upload to upload a configuration file.
Save Target As..., Save Link As... = Save a copy of the file on your PC. Your system will prompt for a filename and location. The default filename is the same as on the VPN 3002. When you are finished viewing or saving the file, close the new browser window. Delete To delete the selected file from flash memory, click Delete. The Manager opens a dialog box for you to confirm or cancel.
Figure 12-16: Administration | File Management | Config File Upload screen Local Config File / Browse... Enter the name of the file on your PC. In a Windows environment, enter the complete pathname using MS-DOS syntax; e.g., c:\vpn3002\config0077. You can also click the Browse button to open a file navigation window, find the file, and select it. Upload / Cancel To upload the file to the VPN 3002, click Upload. The Manager opens the File Upload Progress window.
File Upload Success The Manager displays this screen to confirm that the file upload was successful. Figure 12-18: Administration | File Management | File Upload Success screen To go to the Administration | Config File Management | View screen and examine files in flash memory, click the highlighted link. File Upload Error The Manager displays this screen if there was an error during the file upload and the transfer was not successful.
CAs issue root certificates (also known as trusted or signing certificates). They may also issue subordinate trusted certificates. Finally, CAs issue identity certificates, which are the certificates for specific systems or hosts. There must be at least one identity certificate (and its root certificate) on a given VPN 3002; there may be more than one root certificate.
a Install the root certificate on the VPN 3002 first. b Then install any subordinate certificate(s). c Finally, install the identity certificate. 5 Install an SSL certificate if the self-signed one that the VPN 3002 generates is not sufficient for your needs. 6 Use the Administration | Certificate Management | Certificates screen to view the certificates and check them, and perhaps to enable revocation checking.
Figure 12-21: Administration | Certificate Management | Enrollment screen Common Name (CN) Enter the name for this VPN 3002 that identifies it in the PKI; e.g., Engineering VPN. Spaces are allowed. You must enter a name in this field. If you are requesting an SSL certificate, enter the IP address or domain name you use to connect to this VPN 3002; e.g., 10.10.147.2.
Locality (L) Enter the city or town where this VPN 3002 is located; e.g., Franklin. Spaces are allowed. State/Province (SP) Enter the state or province where this VPN 3002 is located; e.g., Massachusetts. Spell out completely, do not abbreviate. Spaces are allowed. Country (C) Enter the country where this VPN 3002 is located; e.g., US. Use two characters, no spaces, and no periods. This two-character code must conform to ISO 3166 country abbreviations.
Administration | Certificate Management | Enrollment | Request Generated The Manager displays this screen when the system has successfully generated a certificate request. The request is a Base-64 encoded file in PKCS-10 format (Public Key Certificate Syntax-10), which most CAs recognize or require. The system automatically saves this file in flash memory with the filename shown in the screen (pkcsNNNN.txt).
6 Repeat the previous step for any subordinate certificates, and finally for the identity certificate. Name the files so that you can distinguish the certificate types. 7 Proceed to the Administration | Certificate Management | Installation screen below. Administration | Certificate Management | Installation This Manager screen lets you install digital certificates on the VPN 3002.
SSL Server (import with Private Key) = SSL certificate imported along with a private key from some source. Installing this certificate type is not a completely secure process, and we do not recommend using it. If you select this type, complete the Certificate Password and Verify fields below. Server Identity (via Enrollment) = Identity certificates obtained via enrollment with a CA in a PKI. Select this type and install the identity certificate last.
Administration | Certificate Management | Certificates This screen shows all the certificates installed in the VPN 3002 and lets you view and delete certificates. You can also generate a self-signed SSL server certificate. The Manager displays this screen each time you install a digital certificate.
Expiration The expiration date of the certificate. Format is MM/DD/YYYY. Actions/View/Delete To view details of this certificate, click View. The Manager opens the Administration | Certificate Management | Certificates | View screen; see below. To delete this certificate from the VPN 3002, click Delete. The Manager opens the Administration | Certificate Management | Certificates | Delete screen; see below.
Administration | Certificate Management | Certificates | View Issuer The CA or other entity (jurisdiction) that issued the certificate. Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.520 terminology, and they echo the fields on the Administration | Certificate Management | Enrollment screen. CN= Common Name: the name of a person, system, or other entity.
Public Key Type The algorithm and size of the public key that the CA or other issuer used in generating this certificate. Certificate Usage The purpose of the key contained in the certificate; e.g., digital signature, certificate signing, nonrepudiation, key or data encipherment, etc. This field displays only if a key usage extension is present. MD5 Thumbprint A 128-bit MD5 hash of the complete certificate contents, shown as a 16-byte string.
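The MD5 thumbprint on the View screen is only useful if you compare it against a value obtained out of band, for example the thumbprint your CA publishes for a root certificate, before trusting what was installed. The following is an added example, not code from the guide or from Cisco: it computes the thumbprint the way the screen describes it (MD5 over the complete certificate contents, shown as 16 hex bytes), compares it with a reference value while ignoring case and separators, and renders a Subject or Issuer in the specific-to-general X.520 order the screen uses (CN, OU, O, L, SP, C). The certificate bytes are a constructed stand-in; in practice you would read the DER file you installed.

```python
import hashlib
import re

# Constructed stand-in for DER-encoded certificate bytes (not a real certificate).
SAMPLE_DER = bytes(range(256)) * 3

# X.520 attribute order shown by the Certificates | View screen, specific to general.
DN_ORDER = ("CN", "OU", "O", "L", "SP", "C")


def md5_thumbprint(der: bytes) -> str:
    """128-bit MD5 over the whole certificate, as 16 colon-separated hex bytes."""
    digest = hashlib.md5(der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def normalize_thumbprint(text: str) -> str:
    """Strip separators and case so 'ab cd ...', 'AB:CD:...' and 'abcd...' compare equal."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(hex_only) != 32:
        raise ValueError("an MD5 thumbprint is 16 bytes (32 hex digits)")
    return hex_only.upper()


def thumbprint_matches(der: bytes, expected: str) -> bool:
    """True if the certificate's thumbprint equals the reference value obtained out of band."""
    return normalize_thumbprint(md5_thumbprint(der)) == normalize_thumbprint(expected)


def format_dn(fields: dict) -> str:
    """Render Subject or Issuer attributes in CN, OU, O, L, SP, C order, skipping empty ones."""
    unknown = set(fields) - set(DN_ORDER)
    if unknown:
        raise ValueError(f"unsupported DN attribute(s): {sorted(unknown)}")
    parts = [f"{k}={fields[k]}" for k in DN_ORDER if fields.get(k)]
    return ", ".join(parts)
```

A thumbprint mismatch means the installed certificate is not the one the CA published, so treat it as a reason to delete and re-install rather than to proceed.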
Administration | Certificate Management | Certificates | Delete The Manager displays this confirmation screen when you click Delete for a certificate on the Administration | Certificate Management | Certificates screen. The screen shows the same certificate details as on the Administration | Certificate Management | Certificates | View screen.
CHAPTER 13 Monitoring The VPN 3002 tracks many statistics and the status of many items essential to system administration and management. This section of the Manager lets you view all those status items and statistics. You can even see the state of LEDs that show the status of hardware subsystems in the device. You can also see statistics that are stored and available in standard MIB-II data objects.
Monitoring | Routing Table This screen shows the VPN 3002 routing table at the time the screen displays. Figure 13-2: Monitoring | Routing Table screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Clear Routes Clears the dynamic routing entries from the display. Clicking this button does not affect the display of static routing entries.
Next Hop For remote routes, the IP address of the next system in the path to the destination. 0.0.0.0 indicates a local route; i.e., there is no next hop. Interface The VPN 3002 network interface through which traffic moves on this route: Private interface Public interface Protocol The protocol or source of this routing table entry: Static = configured static route. Local = local VPN 3002 interface address.
Figure 13-3: Monitoring | Filterable Event Log screen Select Filter Options You can select any or all of the following options for filtering and displaying the event log. After selecting the option(s), click any one of the four Page buttons. The Manager refreshes the screen and displays the event log according to your selections. Your filter options remain in effect as long as you continue working within and viewing Monitoring | Filterable Event Log screens.
Severities To display all events of a single severity level, click the drop-down menu button and select the severity level. To select a contiguous range of severity levels, select the first severity level in the range, hold down the keyboard Shift key, and select the last severity level in the range. To select multiple severity levels, select the first severity level, hold down the keyboard Ctrl key, and select the other severity levels.
All four Page buttons are also present at the bottom of the screen. Get Log To download the event log from VPN 3002 memory to your PC and view it or save it as a text file, click Get Log. The Manager opens a new browser window to display the file. The browser address bar shows the VPN 3002 address and log file default filename; for example, http://10.10.4.6/LOG/vpn3002log.txt. To save a copy of the log file on your PC, click the File menu on the new browser window and select Save As....
Although numbering restarts at 1 when the system powers up, it does not overwrite existing entries in the event log; it appends them. Assuming the log doesn’t wrap, it could contain several sequences of events starting at 1. Thus you can examine events preceding and following reboot or reset cycles. Event date The date of the event: MM/DD/YYYY. For example, 12/06/1999 identifies an event that occurred on December 6, 1999.
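Once you have saved the log with Get Log, the restarting event numbers are what let a script find the reboot boundaries and pull out the events on either side of them. The following is an added example, not code from the guide or from Cisco. The line layout it parses (event number, date as MM/DD/YYYY, time, SEV=n, class/id, text) is a constructed arrangement of the fields the guide names, not the device's documented file format, so adjust the regular expression to the lines you actually download. The sample log is constructed as well.

```python
from __future__ import annotations
import re
from datetime import datetime

# Constructed line layout (an assumption, not the device's documented format):
# "<num> <MM/DD/YYYY> <HH:MM:SS> SEV=<n> <CLASS>/<id> <text>".
LINE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+SEV=(?P<sev>\d{1,2})\s+(?P<cls>[A-Z0-9]+)/(?P<id>\d+)\s+(?P<text>.*)$"
)

# Constructed sample: two boot cycles, numbering restarts at 1 after the reset.
SAMPLE_LOG = """\
1 12/06/1999 08:00:01 SEV=4 EVENT/1 constructed: system boot
2 12/06/1999 08:00:05 SEV=3 IKE/12 constructed: tunnel established
3 12/06/1999 08:05:10 SEV=6 HTTP/47 constructed: administrator login
4 12/06/1999 09:10:00 SEV=2 IPSEC/3 constructed: outbound authentication failed
1 12/06/1999 09:15:00 SEV=4 EVENT/1 constructed: system boot
2 12/06/1999 09:15:04 SEV=3 IKE/12 constructed: tunnel established
3 12/06/1999 09:20:30 SEV=5 DNS/8 constructed: lookup retry
"""


def parse_log(text: str) -> list[dict]:
    """Parse each non-empty line into a dict; unparseable lines are an error, not silently dropped."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable log line: {raw!r}")
        d = m.groupdict()
        events.append({
            "num": int(d["num"]),
            "when": datetime.strptime(f"{d['date']} {d['time']}", "%m/%d/%Y %H:%M:%S"),
            "sev": int(d["sev"]),
            "cls": d["cls"],
            "id": int(d["id"]),
            "text": d["text"],
        })
    return events


def split_boot_cycles(events: list[dict]) -> list[list[dict]]:
    """Group events by boot cycle. Numbering restarts at 1 after a reboot or reset while
    earlier entries stay in the log, so a number not greater than its predecessor marks a boundary."""
    cycles, current, last = [], [], None
    for ev in events:
        if current and ev["num"] <= last:
            cycles.append(current)
            current = []
        current.append(ev)
        last = ev["num"]
    if current:
        cycles.append(current)
    return cycles


def filter_severity(events: list[dict], low: int, high: int) -> list[dict]:
    """Keep events whose severity is in the inclusive range, like the Severities filter option."""
    return [e for e in events if low <= e["sev"] <= high]


def events_around_reboot(events: list[dict], before: int = 2, after: int = 2):
    """For each reboot boundary, return (last events before it, first events after it)."""
    cycles = split_boot_cycles(events)
    return [(prev[-before:], nxt[:after]) for prev, nxt in zip(cycles, cycles[1:])]
```

The events just before a boundary are usually the interesting ones when investigating an unexpected reset; in the constructed sample, the last event of the first cycle is a severity 2 IPSEC event.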
Monitoring | Live Event Log This screen shows events in the current event log and automatically updates the display every 5 seconds. The events may take a few seconds to load when you first open the screen. Note for Netscape users: The live event log requires Netscape versions 4.5, 4.6, or 4.7. It does not run on other versions of Netscape. The screen always displays the most recent event at the bottom. Use the scroll bar to view earlier events.
Clear Display To clear the event display, click Clear Display. This action does not clear the event log, only the display of events on this screen. Restart To clear the event display and reload the entire event log in the display, click Restart. Timer The timer counts 5 – 4 – 3 – 2 – 1 to show where it is in the 5-second refresh cycle. A momentary Rx indicates receipt of new events. A steady 0 indicates the display has been paused.
Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. VPN Client Type The type, or model number, of this VPN client. Bootcode Rev The version name, number, and date of the VPN 3002 bootcode software file. When you boot or reset the system, the bootcode software runs system diagnostics, and it loads and executes the system software image. The bootcode is installed at the factory, and there is no need to upgrade it.
Tunnel Established to: The IP address of the VPN 3000 Concentrator to which this VPN 3002 connects. Duration: The length of time that this tunnel has been up. Security Associations: This table describes the following attributes of the SAs for this VPN 3002. Type The type of tunnel for this SA, either IPSec or IKE (the control tunnel). Encryption The encryption method this SA uses. Authentication The authentication method this SA uses.
Front Panel The front panel image is an inactive link. Back Panel The back panel image includes active links for the VPN 3002 Private and Public interfaces. Use the mouse pointer to select either the private or public module on the back-panel image and click anywhere in the highlighted area. The Manager displays the appropriate Monitoring | System Status | Interface screen.
Monitoring | System Status | Private/Public Interface Public interface IP Address The IP address configured on this interface. Status The operational status of this interface: UP = configured and enabled, ready to pass data traffic. DOWN = configured but disabled. Testing = in test mode; no regular data traffic can pass. Dormant = configured and enabled but waiting for an external action, such as an incoming connection. Not Present = missing hardware components.
Rx Broadcast The number of broadcast packets that were received by this interface since the VPN 3002 was last booted or reset. Broadcast packets are those addressed to all hosts on a network. Tx Broadcast The number of broadcast packets that were routed to this interface for transmission since the VPN 3002 was last booted or reset, including those that were discarded or not sent. Broadcast packets are those addressed to all hosts on a network.
Monitoring | Statistics | IPSec This screen shows statistics for IPSec activity—including the current IPSec tunnel—on the VPN 3002 since it was last booted or reset. These statistics conform to the IETF draft for the IPSec Flow Monitoring MIB. Figure 13-8: Monitoring | Statistics | IPSec screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Active Tunnels The number of currently active IKE control tunnels. Total Tunnels The cumulative total of all currently and previously active IKE control tunnels. Received Bytes The cumulative total of bytes (octets) received by all currently and previously active IKE tunnels. Sent Bytes The cumulative total of bytes (octets) sent by all currently and previously active IKE tunnels.
Received Phase-2 Exchanges The cumulative total of IPSec Phase-2 exchanges received by all currently and previously active IKE tunnels; i.e., the total of Phase-2 negotiations received that were initiated by a remote peer. A complete exchange consists of three packets. Sent Phase-2 Exchanges The cumulative total of IPSec Phase-2 exchanges that were sent by all currently and previously active IKE tunnels; i.e.
Failed Initiated Tunnels The cumulative total of IKE tunnels that this VPN 3002 initiated and that failed to activate. Failed Remote Tunnels The cumulative total of IKE tunnels that remote peers initiated and that failed to activate. Authentication Failures The cumulative total of authentication attempts that failed, by all currently and previously active IKE tunnels. Authentication failures indicate problems with preshared keys, digital certificates, or user-level authentication.
Received Bytes: The cumulative total of bytes (octets) received by all currently and previously active IPSec Phase-2 tunnels, before decompression. In other words, total bytes of IPSec-only data received by the IPSec subsystem, before decompressing the IPSec payload.

Sent Bytes: The cumulative total of bytes (octets) sent by all currently and previously active IPSec Phase-2 tunnels, after compression.
Outbound Authentications: The cumulative total of outbound individual packet authentications performed by all currently and previously active IPSec Phase-2 tunnels.

Failed Outbound Authentications: The cumulative total of outbound packet authentications that failed, by all currently and previously active IPSec Phase-2 tunnels. This number should be zero or very small; if not, check the event log for an internal IPSec subsystem problem.
Monitoring | Statistics | HTTP

This screen shows statistics for HTTP activity on the VPN 3002 since it was last booted or reset. To configure system-wide HTTP server parameters, see the Configuration | System | Management | Protocols | HTTP screen.

Figure 13-9: Monitoring | Statistics | HTTP screen

Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Max Connections: The maximum number of HTTP connections that have been simultaneously active on the VPN 3002 since it was last booted or reset.

Monitoring | Statistics | Telnet

This screen shows statistics for Telnet activity on the VPN 3002 since it was last booted or reset, and for current Telnet sessions. To configure the VPN 3002’s Telnet server, see the Configuration | System | Management Protocols | Telnet screen.
Telnet Sessions: This table shows statistics for active Telnet sessions on the VPN 3002. Each active session is a row.

Client IP Address:Port: The IP address and TCP source port number of this session’s remote Telnet client.

Inbound Octets Total: The total number of Telnet octets (bytes) received by this session.

Inbound Octets Command: The number of octets (bytes) containing Telnet commands or options, received by this session.

Monitoring | Statistics | DNS

Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Requests: The total number of DNS queries the VPN 3002 made since it was last booted or reset. This number equals the sum of the numbers in the four cells below.

Responses: The number of DNS queries that were successfully resolved.

Timeouts: The number of DNS queries that failed because there was no response from the server.
Monitoring | Statistics | SSL

Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Unencrypted Inbound Octets: The number of octets (bytes) of inbound traffic output by the decryption engine.

Encrypted Inbound Octets: The number of octets (bytes) of encrypted inbound traffic sent to the decryption engine. This number includes negotiation traffic.
Monitoring | Statistics | DHCP

This screen shows statistics for DHCP (Dynamic Host Configuration Protocol) server activity on the VPN 3002 since it was last booted or reset. Each row of the table shows data for each IP address handed out to a DHCP client (PC) on the VPN 3002 private network. To configure the DHCP server, see Configuration | System | IP Routing | DHCP.

Figure 13-13: Monitoring | Statistics | DHCP screen

Refresh: To update the screen and its data, click Refresh.
Monitoring | Statistics | SSH

This screen shows statistics for SSH (Secure Shell) protocol traffic on the VPN 3002 since it was last booted or reset. To configure SSH, see Configuration | System | Management Protocols | SSH.

Figure 13-14: Monitoring | Statistics | SSH screen

Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Monitoring | Statistics | MIB-II

This section of the Manager lets you view statistics that are recorded in standard MIB-II objects on the VPN 3002. MIB-II (Management Information Base, version 2) objects are variables that contain data about the system. They are defined as part of the Simple Network Management Protocol (SNMP); and SNMP-based network management systems can query the VPN 3002 to gather the data.
Monitoring | Statistics | MIB-II | Interfaces

Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Interface: The VPN 3002 interface: Private or Public.

Status: The operational status of this interface:
UP = configured and enabled, ready to pass data traffic.
DOWN = configured but disabled.
Testing = in test mode; no regular data traffic can pass.
Broadcast In: The number of broadcast packets that were received by this interface. Broadcast packets are those addressed to all hosts on a network.

Broadcast Out: The number of broadcast packets that were routed to this interface for transmission, including those that were discarded or not sent. Broadcast packets are those addressed to all hosts on a network.
Monitoring | Statistics | MIB-II | TCP/UDP

TCP Segments Retransmitted: The total number of segments retransmitted; that is, the number of TCP segments transmitted containing one or more previously transmitted bytes. Segment is the official TCP name for what is casually called a data packet.

TCP Timeout Min: The minimum value permitted for TCP retransmission timeout, measured in milliseconds.

TCP Timeout Max: The maximum value permitted for TCP retransmission timeout, measured in milliseconds.
UDP Datagrams Received: The total number of UDP datagrams received. Datagram is the official UDP name for what is casually called a data packet.

UDP Datagrams Transmitted: The total number of UDP datagrams sent.

UDP Errored Datagrams: The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port (UDP No Port).
Monitoring | Statistics | MIB-II | IP

Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Packets Received (Total): The total number of IP data packets received by the VPN 3002, including those received with errors.

Packets Received (Header Errors): The number of IP data packets received and discarded due to errors in IP headers, including bad checksums, version number mismatches, other format errors, etc.
Outbound Packets with No Route: The number of outbound IP data packets discarded because no route could be found to transmit them to their destination. This number includes any packets that the VPN 3002 could not route because all of its default routers are down.

Packets Transmitted (Requests): The number of IP data packets that local IP user protocols (including ICMP) supplied to transmission requests. This number does not include any packets counted in Packets Forwarded.
Monitoring | Statistics | MIB-II | ICMP

This screen shows statistics in MIB-II objects for ICMP traffic on the VPN 3002 since it was last booted or reset. RFC 2011 defines ICMP MIB objects.

Figure 13-19: Monitoring | Statistics | MIB-II | ICMP screen

Refresh: To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Total Received / Transmitted: The total number of ICMP messages that the VPN 3002 received / sent.
Time Exceeded Received / Transmitted: The number of ICMP Time Exceeded messages received / sent. Time Exceeded messages indicate that the lifetime of the packet has expired, or that a router cannot reassemble a packet within a time limit.

Parameter Problems Received / Transmitted: The number of ICMP Parameter Problem messages received / sent. Parameter Problem messages indicate a syntactic or semantic error in an IP header.
Address Mask Requests Received / Transmitted: The number of ICMP Address Mask Request messages received / sent. Address Mask Request messages ask for the address (subnet) mask for the LAN to which a router connects.

Address Mask Replies Received / Transmitted: The number of ICMP Address Mask Reply messages received / sent.

Monitoring | Statistics | MIB-II | ARP Table

Interface: The VPN 3002 network interface on which this mapping applies: Private Interface or Public Interface.

Physical Address: The hardwired MAC (Medium Access Control) address of a physical network interface card, in 6-byte hexadecimal notation, that maps to the IP Address. Exceptions are:
00 = a virtual address for a tunnel.
FF.FF.FF.FF.FF.FF = a network broadcast address.

IP Address: The IP address that maps to the Physical Address.
Monitoring | Statistics | MIB-II | Ethernet

This screen shows statistics in MIB-II objects for Ethernet interface traffic on the VPN 3002 since it was last booted or reset. IEEE standard 802.3 describes Ethernet networks, and RFC 1650 defines Ethernet interface MIB objects. To configure Ethernet interfaces, see Configuration | Interfaces.

Figure 13-21: Monitoring | Statistics | MIB-II | Ethernet screen

Refresh: To update the screen and its data, click Refresh.
SQE Test Errors: The number of times that the SQE (Signal Quality Error) Test Error message was generated for this interface. The SQE message tests the collision circuits on an interface.

Frame Too Long Errors: The number of frames received on this interface that exceed the maximum permitted frame size.

Deferred Transmits: The number of frames for which the first transmission attempt on this interface is delayed because the medium is busy.
Speed (Mbps): This interface’s nominal bandwidth in megabits per second.

Duplex: The current LAN duplex transmission mode for this interface:
Full = Full-Duplex: transmission in both directions at the same time.
Half = Half-Duplex: transmission in only one direction at a time.

Monitoring | Statistics | MIB-II | SNMP

This screen shows statistics in MIB-II objects for SNMP traffic on the VPN 3002 since it was last booted or reset.
Bad Community String: The total number of SNMP messages received that used an SNMP community string the VPN 3002 did not recognize. See Configuration | System | Management Protocols | SNMP Communities to configure permitted community strings. To protect security, the VPN 3002 does not include the usual default public community string.

Parsing Errors: The total number of syntax or transmission errors encountered by the VPN 3002 when decoding received SNMP messages.
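The IPSec counters earlier in this chapter (Authentication Failures, Failed Initiated Tunnels, Failed Outbound Authentications, which the manual says should stay at zero or very small) and the SNMP Bad Community String counter above are all cumulative since the last boot or reset, so a monitoring check has to work on the growth between two readings and notice when a reboot has reset them. The following Python is an added example and not code from the manual or from Cisco: the counter key names are shorthand chosen here for the screen fields, the thresholds are illustrative, and the readings at the bottom are constructed sample values, not output from a real device.

```python
"""Delta-based health check over VPN 3002 statistics counters.

Added example, not code from the manual or from Cisco. The counters on
the IPSec and SNMP statistics screens are cumulative since the last boot
or reset, so a useful check compares two readings, reports the growth,
and notices when the counters have been reset. The key names are my own
shorthand for the screen fields; the readings at the bottom are
constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    counter: str   # shorthand counter name, or "*" for a reset notice
    delta: int     # growth since the previous reading
    message: str


# Counters that should stay at zero (or very nearly) between readings.
# Each maps to (threshold, message); growth above the threshold is reported.
RULES = {
    "ipsec_failed_outbound_auth": (
        0, "outbound packet authentications failed; check the event log "
           "for an internal IPSec subsystem problem"),
    "ike_auth_failures": (
        0, "IKE authentication failures; check preshared keys, digital "
           "certificates, or user-level authentication"),
    "ike_failed_initiated_tunnels": (
        0, "IKE tunnels this VPN 3002 initiated failed to activate"),
    "snmp_bad_community": (
        0, "SNMP messages used a community string the VPN 3002 did not "
           "recognize; review SNMP Communities and the sending hosts"),
}


def counter_deltas(previous, current):
    """Return ({counter: growth}, reset_seen).

    A counter lower than its previous value means the unit rebooted or
    its statistics were reset; the whole current value is then new.
    Counters missing from `previous` are treated as having been zero.
    """
    deltas, reset_seen = {}, False
    for name, now in current.items():
        before = previous.get(name, 0)
        if now < before:
            reset_seen = True
            deltas[name] = now
        else:
            deltas[name] = now - before
    return deltas, reset_seen


def check_counters(previous, current, rules=RULES):
    """Apply `rules` to the growth between two readings; returns Findings."""
    deltas, reset_seen = counter_deltas(previous, current)
    findings = []
    if reset_seen:
        findings.append(Finding(
            "*", 0, "counters went backwards: VPN 3002 rebooted or "
                    "statistics were reset since the previous reading"))
    for name, (threshold, message) in rules.items():
        growth = deltas.get(name, 0)
        if growth > threshold:
            findings.append(Finding(name, growth, message))
    return findings


# Constructed sample readings (not real device output), a few minutes apart.
READING_T0 = {
    "ipsec_failed_outbound_auth": 0, "ike_auth_failures": 2,
    "ike_failed_initiated_tunnels": 1, "snmp_bad_community": 0,
    "ipsec_received_bytes": 1_000,
}
READING_T1 = {
    "ipsec_failed_outbound_auth": 0, "ike_auth_failures": 2,
    "ike_failed_initiated_tunnels": 1, "snmp_bad_community": 7,
    "ipsec_received_bytes": 5_000,
}
# A reading taken after the unit was rebooted: every counter restarted.
READING_AFTER_REBOOT = {
    "ipsec_failed_outbound_auth": 0, "ike_auth_failures": 1,
    "ike_failed_initiated_tunnels": 0, "snmp_bad_community": 0,
    "ipsec_received_bytes": 200,
}

if __name__ == "__main__":
    for f in check_counters(READING_T0, READING_T1):
        print(f"{f.counter}: +{f.delta}: {f.message}")
    for f in check_counters(READING_T1, READING_AFTER_REBOOT):
        print(f"{f.counter}: +{f.delta}: {f.message}")
```

Between the two constructed readings only Bad Community String grows, so that is the single finding; after the constructed reboot the check first reports the reset and then treats the whole post-reboot value of each counter as new growth, which is why the one IKE authentication failure recorded since boot is still surfaced rather than hidden behind a negative delta.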
CHAPTER 14 Using the Command Line Interface

The VPN 3002 Hardware Client Command Line Interface (CLI) is a menu- and command-line-based configuration, administration, and monitoring system built into the VPN 3002. You use it via the system console or a Telnet (or Telnet over SSL) session. You can use the CLI to completely manage the system. You can access and configure the same parameters as the HTML-based VPN 3002 Hardware Client Manager.
Telnet or Telnet/SSL access

To access the CLI via a Telnet or Telnet/SSL client:

1. Enable the Telnet or Telnet/SSL server on the VPN 3002. (They are both enabled by default on the private network.) See the Configuration | System | Management Protocols | Telnet screen on the Manager.

2. Start the Telnet or Telnet/SSL client, and connect to the VPN 3002 using these parameters:
Host Name or Session Name = The IP address on the VPN 3002 Private interface; e.g., 10.10.147.
Using the CLI

This section explains how to:
• Choose menu items.
• Enter values for parameters and options.
• Specify configured items by number or name.
• Navigate quickly—using shortcuts—through the menus.
• Display a brief help message.
• Save entries to the system configuration file.
• Stop the CLI.
• Understand CLI administrator access rights.

The CLI displays menus or prompts at every level to guide you in choosing configurable options and setting parameters.
Navigating quickly through the CLI

There are two ways to move quickly through the CLI: shortcut numbers, and the Back/Home options. Both ways work only when you are at a menu, not when you are at a value entry.

Using shortcut numbers

When you become familiar with the structure of the CLI—which parallels the HTML-based VPN 3002 Hardware Client Manager—you can quickly access any level by entering a series of numbers separated by periods.
> Which Administrator to Modify
Admin ->

As a shortcut, you can just enter 2.4.1.1 at the Main-> prompt, and move directly to the Modify Administrators menu:

1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit

Main -> 2.4.1.1

> Which Administrator to Modify
Admin ->

Note: At this last prompt, you cannot use a number shortcut. At this prompt, you must type in the name of the administrator you want to modify, for example, config.
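The two navigation rules above (a dotted shortcut walks menu levels from the Main prompt, and neither shortcuts nor Back/Home apply once the CLI is waiting for a typed value such as an administrator name) are easy to get wrong when driving the CLI from a script. The following Python model is an added example, not code from the manual or from Cisco: MENU_TREE is a hand-built subset of the menus listed in this chapter (Back entries are left out because the B key models them), and walk() and resolve_shortcut() are names chosen here.

```python
"""Model of the VPN 3002 CLI's dotted shortcut numbers and Back/Home keys.

Added example, not code from the Cisco manual: MENU_TREE is a hand-built
subset of the menus listed in this chapter, and only the navigation rules
the text states are modelled (shortcuts and B/H work at a menu prompt,
not at a value-entry prompt).
"""

# A menu is a dict: option number -> (label, submenu). A submenu of None is
# a value-entry prompt (e.g. "Which Administrator to Modify"), where the
# CLI expects typed text and dotted shortcuts no longer apply.
MENU_TREE = {
    "1": ("Configuration", {
        "1": ("Quick Configuration", None),
    }),
    "2": ("Administration", {
        "2": ("System Reboot", {"2": ("Schedule Reboot", {})}),
        "4": ("Access Rights", {
            "1": ("Administrators", {
                "1": ("Modify Administrator", None),  # asks for an admin name
            }),
            "2": ("Access Settings", {"1": ("Set Session Timeout", None)}),
        }),
    }),
    "3": ("Monitoring", {"1": ("Routing Table", {})}),
}


def walk(entries, tree=MENU_TREE):
    """Simulate typing `entries` one per prompt, starting at the Main menu.

    Each entry is a dotted shortcut ("2.4.1.1", or a single number), or
    "b"/"B" (Back to the previous menu) or "h"/"H" (Home to the Main menu).
    Returns (path_labels, prompt_kind): the menu path reached and whether
    the CLI is now at a "menu" prompt or a "value" prompt.
    Raises ValueError for an unknown option, or for a shortcut, Back or
    Home typed at a value prompt, where the CLI would read it as text.
    """
    path = []        # [(label, submenu), ...]; empty list = Main menu
    current = tree   # menu we are looking at, or None at a value prompt

    def where():
        return " > ".join(label for label, _ in path) or "Main"

    for entry in entries:
        if current is None:
            raise ValueError(
                f"at a value prompt ({where()}); '{entry}' is not navigation")
        key = entry.strip()
        if key.lower() == "h":
            path, current = [], tree
        elif key.lower() == "b":
            if path:
                path.pop()
            current = path[-1][1] if path else tree
        else:
            for number in key.split("."):
                if current is None:
                    raise ValueError(
                        f"'{entry}' continues past the value prompt at {where()}")
                if number not in current:
                    raise ValueError(f"no option {number!r} in menu {where()}")
                label, current = current[number]
                path.append((label, current))
    return [label for label, _ in path], ("value" if current is None else "menu")


def resolve_shortcut(shortcut, tree=MENU_TREE):
    """The prompt reached by typing one dotted shortcut at the Main prompt."""
    return walk([shortcut], tree)


if __name__ == "__main__":
    print(resolve_shortcut("2.4.1.1"))
    print(walk(["2.4.1", "b"]))
```

Typing 2.4.1.1 ends at the value prompt for the administrator name, exactly as the transcript above shows, and any further dotted digits, or a B or H at that prompt, are rejected by the model rather than silently treated as menu navigation.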
Getting Help Information

To display a brief help message, enter 5 at the main menu prompt. The CLI explains how to navigate through menus and enter values. This help message is available only at the main menu.

Cisco Systems. Help information for the Command Line Interface

From any menu except the Main menu.
-- ’B’ or ’b’ for Back to previous menu.
-- ’H’ or ’h’ for Home back to the main menu.

For Data entry
-- Current values are in ’[ ]’s.
Stopping the CLI

To stop the CLI, navigate to the main menu and enter 6 for Exit at the prompt:

1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit

Main -> 6
Done

Make sure you save any configuration changes before you exit from the CLI.

Understanding CLI access rights

What you see and can configure with the CLI depends on administrator access rights.
CLI menu reference

Main menu

1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit

Main -> _

1 Configuration

1) Quick Configuration
2) Interface Configuration
3) System Management
4) Policy Management
5) Back

Config -> _

1.1 Configuration > Quick Configuration

See the VPN 3002 Hardware Client Getting Started guide for complete information about Quick Config.

1.
1.2 Configuration > System Management

1) Servers (DNS)
2) Tunneling Protocols (IPSec)
3) IP Routing (static routes, etc.)
4) Management Protocols (Telnet, HTTP, etc.)
5) Event Configuration
6) General Config (system name, time, etc.)
7) Back

System -> _

1.2.1 Configuration > System Management > Servers

1) DNS Servers
2) Back

Servers -> _

1.2.2 Configuration > System Management > Tunneling Protocols

1) DNS Servers
2) Back

Tunnel -> _

1.2.
1.2.5 Configuration > System Management > Event Configuration

1) General
2) Classes
3) Trap Destinations
4) Syslog Servers
5) Back

Event -> _

1.2.6 Configuration > System Management > General Config

1) System Identification
2) System Time and Date
3) Back

General -> _

1.4 Configuration > Policy Management

1) Traffic Management
2) Back

Policy -> _

1.4.
2.2 Administration > System Reboot

1) Cancel Scheduled Reboot/Shutdown
2) Schedule Reboot
3) Schedule Shutdown
4) Back

Admin -> _

2.2.2 Administration > System Reboot > Schedule Reboot

1) Save active Configuration and use it at Reboot
2) Reboot without saving active Configuration file
3) Reboot ignoring the Configuration file
4) Back

Admin -> _

2.2.
2.4.1 Administration > Access Rights > Administrators

Admin -> 1

Administrative Users
-----------------------
Username    Enabled
-----------------------
admin       Yes
config      No
isp         No
-----------------------

1) Modify Administrator
2) Back

Admin ->

2.4.2 Administration > Access Rights > Access Settings

1) Set Session Timeout
2) Set Session Limit
3) Enable/Disable Encrypt Config File
4) Back

Admin -> _

2.
2.5.5 Administration > File Management > Swap Configuration File

Every time the active configuration is saved,... . . .

1) Swap
2) Back

Admin -> _

2.6 Administration > Certificate Management

1) Enrollment
2) Installation
3) Certificate Authorities
4) Identity Certificates
5) SSL Certificate
6) Back

Certificates -> _

2.6.
2.6.4 Administration > Certificate Management > Identity Certificates

Identity Certificates . . .

1) View Certificate
2) Delete Certificate
3) Back

Certificates -> _

2.6.5 Administration > Certificate Management > SSL Certificate

Subject . .
’q’ to Quit, ’’ to Continue -> .
Issuer . .
’q’ to Quit, ’’ to Continue -> .
Serial Number . .
3.1 Monitoring > Routing Table

Routing Table . .
’q’ to Quit, ’’ to Continue -> . .

1) Refresh Routing Table
2) Clear Routing Table
3) Back

Routing -> _

3.2 Monitoring > Event Log

1) Configure Log viewing parameters
2) View Event Log
3) Clear Log
4) Back

Log -> _

3.2.2 Monitoring > Event Log > View Event Log

[Event Log entries] . . .

1) First Page
2) Previous Page
3) Next Page
4) Last Page
5) Back

Log -> _

3.3 Monitoring > System Status

System Status . . .
3.4 Monitoring > General Statistics

1) Protocol Statistics
2) Server Statistics
3) MIB II Statistics
4) Back

General -> _

3.4.1 Monitoring > General Statistics > Protocol Statistics

1) IPSec Statistics
2) HTTP Statistics
3) Telnet Statistics
4) DNS Statistics
5) More
6) Back

General -> _

3.4.2 Monitoring > General Statistics > Server Statistics

1) DHCP Statistics
2) Back

General -> _

3.4.
APPENDIX A Errors and troubleshooting

This appendix describes files for troubleshooting the VPN 3002, LED indicators on the system, and common errors that may occur while configuring and using the system, and how to correct them.

Files for troubleshooting

The VPN 3002 Hardware Client creates several files that you can examine and that can assist Cisco support engineers, when troubleshooting errors and problems:
• Event log.
• SAVELOG.
buffers, timers, etc., which help Cisco support engineers diagnose the problem. In case of a crash, we ask that you send this file when you contact Cisco for assistance. To view the CRSHDUMP.TXT file, see Administration | File Management | View, and click View Saved Log Crash Dump File.

Configuration files

The VPN 3002 saves the current boot configuration file (CONFIG) and its predecessor (CONFIG.BAK) as files in flash memory. These files may be useful for troubleshooting.
Errors on the system

If you have configured the VPN 3002, and you are unable to connect to or pass data to the central-site Concentrator, use this section to analyze the problem. Also, use the next section of this Appendix to check the settings on the Concentrator to which this VPN 3002 connects.

Problem/symptom: Tunnel is not up/not passing data. PWR LED is off.
Possible solution: Make sure that the power cable is plugged into the VPN 3002 and a power outlet.

Problem/symptom: SYS LED is solid amber.
Problem/symptom: Connect Now worked. LED(s) for the Private interface/switch port are off.
Possible solution: Make sure that a LAN cable is properly attached to the Private interface of the VPN 3002 and the PC.

Problem/symptom: LED(s) for the Private interface/switch port are on.
Possible solution:
1. Is this PC configured as a DHCP client? If so, verify that the DHCP server on the VPN 3002 is enabled.
2. With any method of address assignment, verify that the PC got an IP address and subnet mask.
VPN 3002 Hardware Client Manager errors

These errors may occur while using the HTML-based VPN 3002 Hardware Client Manager with a browser.

Browser Refresh / Reload button logs out the Manager

Problem: You clicked the Refresh or Reload button on the browser’s navigation toolbar, and the Manager logged out. The main login screen appears.
Invalid Login or Session Timeout

The Manager displays the Invalid Login or Session Timeout screen.

Problem / Possible cause / Solution:
You entered an invalid administrator login name/password combination. • Typing error. Re-enter the login name and password, and click Login. Use a valid login name and password. Verify your typing before clicking Login.
The Manager session has been idle longer than the configured timeout interval. • No activity for (interval) seconds.
Error / An error has occurred while attempting to perform...

The Manager displays a screen with the message: Error / An error has occurred while attempting to perform the operation. An additional error message describes the erroneous operation.

Problem: You tried to perform some operation that is not allowed.
Possible cause / Solution: The screen displays a message that describes the cause.
Problem: You tried to access an area of the Manager that you do not have authorization to access.
Possible cause: You logged in using an administrator login name that has limited privileges.
Solution: Log in using the system administrator login name and password. (Defaults are admin / admin.)
Possible cause: You logged in from a workstation that has limited access privileges.
Solution: Log in from a workstation with greater access privileges.
Problem: The Manager could not find a screen.
Possible cause: You updated the software image and did not clear the browser’s cache.
Solution: Clear the browser’s cache: delete its temporary internet files, history files, and location bar references. Then try again.
Possible cause: There is an internal Manager error.
Solution: Please note the system information on the screen and contact Cisco support personnel for assistance.
Command Line Interface errors

These errors may occur while using the menu-based Command Line Interface from a console or Telnet session.

ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID.

Problem: The system expected a valid 4-byte dotted decimal entry, and the entry wasn’t in that format.
Possible cause: You entered something other than a 4-byte dotted decimal number.
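The error above is raised for any entry that is not four decimal octets separated by periods. The following Python validator is an added example, not code from the manual or from Cisco: the format check reproduces what the error message describes, while the contiguity checks for subnet masks (ones then zeros) and wildcard masks (zeros then ones) go beyond the page and are an assumption added for illustration, since the manual does not state that the CLI enforces them. The function names and sample inputs are chosen here.

```python
"""Validator for the CLI's 4-byte dotted decimal entries.

Added example, not code from the manual or from Cisco. The format check
is what the "Bad IP Address/Subnet Mask/Wildcard Mask/Area ID" error
describes: four decimal octets separated by periods. The extra
contiguity checks for subnet and wildcard masks are an assumption added
here for illustration; the manual does not say the CLI enforces them.
"""
import re

# Exactly four runs of 1-3 digits separated by periods; nothing else,
# so stray whitespace, a missing octet or a letter all fail the match.
DOTTED = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def parse_dotted_decimal(text):
    """Return the four octets as ints, or None when `text` is not a
    valid 4-byte dotted decimal entry (missing octets, non-digits,
    octets above 255, or stray whitespace)."""
    match = DOTTED.match(text)
    if match is None:
        return None
    octets = [int(group) for group in match.groups()]
    if any(octet > 255 for octet in octets):
        return None
    return octets


def to_u32(octets):
    """Pack four octets into one 32-bit integer, first octet most significant."""
    return int.from_bytes(bytes(octets), "big")


def is_contiguous_subnet_mask(octets):
    """True for a run of one bits followed by zero bits (e.g. 255.255.255.0).
    Inverting turns that into zeros-then-ones, i.e. a value of 2**k - 1."""
    inverted = (~to_u32(octets)) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def is_contiguous_wildcard_mask(octets):
    """True for a run of zero bits followed by one bits (e.g. 0.0.0.255)."""
    value = to_u32(octets)
    return (value & (value + 1)) == 0


def classify_entry(text, kind):
    """Validate `text` as an "address", a "subnet" mask or a "wildcard" mask.
    Returns "ok" or a short reason in the spirit of the CLI error."""
    octets = parse_dotted_decimal(text)
    if octets is None:
        return "bad format: expected a 4-byte dotted decimal entry"
    if kind == "subnet" and not is_contiguous_subnet_mask(octets):
        return "bad subnet mask: bits must be a run of ones then zeros"
    if kind == "wildcard" and not is_contiguous_wildcard_mask(octets):
        return "bad wildcard mask: bits must be a run of zeros then ones"
    return "ok"


if __name__ == "__main__":
    # Constructed sample entries, including ones the CLI would reject.
    for entry, kind in [("10.10.147.2", "address"), ("10.10.147", "address"),
                        ("255.255.255.0", "subnet"), ("255.255.0.255", "subnet"),
                        ("0.0.0.255", "wildcard"), ("10.1.1.x", "address")]:
        print(f"{entry:>16} ({kind}): {classify_entry(entry, kind)}")
```

The regex deliberately does not strip whitespace: a pasted entry with a trailing space is exactly the kind of input that produces the error at the CLI, and rejecting it here makes the script fail in the same place the device would.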
B Copyrights, licenses, and notices Software License Agreement of Cisco Systems, Inc. CISCO SYSTEMS, INC. IS WILLING TO LICENSE TO YOU THE SOFTWARE CONTAINED IN THE ACCOMPANYING CISCO PRODUCT ONLY IF YOU ACCEPT ALL OF THE TERMS AND CONDITIONS IN THIS LICENSE AGREEMENT. PLEASE READ THIS AGREEMENT CAREFULLY BEFORE YOU OPEN THE PACKAGE BECAUSE, BY OPENING THE SEALED PACKAGE, YOU ARE AGREEING TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT.
4. You may permanently transfer the Software and accompanying written materials (including the most recent update and all prior versions) only in conjunction with a transfer of the entire Cisco product, and only if you retain no copies and the transferee agrees to be bound by the terms of this Agreement. Any transfer terminates your license. You may not rent or lease the Software or otherwise transfer or assign the right to use the Software, except as stated in this paragraph. 5.
16. This Agreement is governed by the laws of the State of Massachusetts. 17. If you have any questions concerning this Agreement or wish to contact Cisco Systems for any reason, please call (508) 541-7300, or write to Cisco Systems, Inc. 124 Grove Street, Suite 205 Franklin, Massachusetts 02038. 18. U.S. Government Restricted Rights. The Software and accompanying documentation are provided with Restricted Rights.
DHCP client Copyright © 1995, 1996, 1997 The Internet Software Consortium. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
Portions Copyright © 1993 by Digital Equipment Corporation. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies, and that the name of Digital Equipment Corporation not be used in advertising or publicity pertaining to distribution of the document or software without specific, written prior permission.
NRL grants permission for redistribution and use in source and binary forms, with or without modification, of the software and documentation created at NRL provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
Outline style table of contents in JavaScript OUTLINE STYLE TABLE OF CONTENTS in JAVASCRIPT, Version 3.0 by Danny Goodman (dannyg@dannyg.com) Analyzed and described at length in “JavaScript Bible”, by Danny Goodman (IDG Books ISBN 0-7645-3022-4) This program is Copyright 1996, 1997, 1998 by Danny Goodman. You may adapt this outline for your Web pages, provided these opening credit lines (down to the lower dividing line) are in your outline HTML document.
Client SNMP Copyright © 1996, 1997 by Westhawk Ltd. (www.westhawk.co.uk) Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted, provided that the above copyright notices appear in all copies and that both the copyright notice and this permission notice appear in supporting documentation. This software is provided “as is” without express or implied warranty. author tpanton@ibm.net (Tim Panton) SSH Copyright © 1993, 1995-2000 by DataFellows, Inc.
- Feb 1991 Bill_Simpson@um.cc.umich.edu
  variable number of conversation slots
  allow zero or one slots
  separate routines
  status display

Telnet server
Copyright phase2 networks 1996
All rights reserved
SID: 1.1
Revision History:
1.1 97/06/23 21:17:43 root

Regulatory Standards Compliance

The VPN 3002 Hardware Client complies with these regulatory standards.
INDEX

A about this manual xi access rights section, administration 12-8 access settings, general, for administrators 12-10 accessing the CLI 14-1 add event class 9-9 SNMP community 8-8 SNMP event destination 9-12 static route for IP routing 7-3 syslog server to receive events 9-15 administering the VPN Concentrator 12-1 administration section of Manager 12-1 Administration (tab on Manager screen) 1-21 administrators access rights 12-8 access settings, general 12-10 configuring 12-9 parameters in
Index conventions documentation xvi typographic xvi cookies, requirements 1-2 copyrights and licenses B-1 crash, system, saves log file 9-5, A-1 CRSHDUMP.
Index data xvi hostnames xvi IP addresses xvi MAC addresses xvi port numbers xvii subnet masks xvi text strings xvi wildcard masks xvi front panel display (monitoring) 13-12 G gateways, default 7-4 general parameters, configuring 10-1 generating SSL server certificate 12-23 get event log 13-6 H halt system 12-5 help, CLI 14-6 Help (tab on Manager screen) 1-20 hostnames, format xvi HTTP configuring internal server 8-2 statistics 13-21 using with Manager 1-3 HTTPS configuring internal server 8-2 connecting
Index left frame (table of contents) 1-22 main frame 1-22 mouse pointer and tips 1-20 status bar 1-19 title bar 1-19 top frame (Manager toolbar) 1-20 managing VPN Concentrator with CLI 14-1 memory, SDRAM 13-10 menus, CLI, navigating 14-4 MIB-II statistics 13-28 system object 10-2 model number, system 13-10 modify event class 9-9 SNMP community 8-8 SNMP event trap destination 9-12 static route, for IP routing 7-3 syslog server to receive events 9-15 monitor / display settings 1-3 monitoring section of Manag
Index version info 12-3, 13-10 speed, configuring Ethernet interface 3-6 SSH configuring internal server 8-12 host key 8-12 server key 8-12 server key regeneration 8-13 session key 8-12 statistics 13-27 SSL client authentication 8-11 configuring internal server 8-9 statistics 13-24 SSL certificate 8-9, 12-16 generating 12-23 installing in browser 1-3 installing with Internet Explorer 1-4 installing with Netscape 1-9 viewing with Internet Explorer 1-8 viewing with Netscape 1-14 VPN Concentrator 1-4 starting
Index using the VPN Concentrator Manager 1-1 V viewing SSL certificates with Internet Explorer 1-8 with Netscape 1-14 VPN 3002 Hardware Client Manager errors A-5 VPN Concentrator Manager logging in 1-17 logging out 1-21 navigating 1-23 organization of 1-22 understanding the window 1-19 using 1-1 W wildcard masks, format xvi window, Manager, understanding 1-19 X X.