VPN Client User Guide for Windows, Release 4.6
Connecting to a Private Network

Table Of Contents

Connecting to a Private Network

Starting the VPN Client

Connecting to a Default Connection Entry

Connecting from Simple Mode

Connecting from Advanced Mode

Authentication Alternatives

Using the VPN Client to Connect to the Internet via Dial-Up Networking

Authenticating to Connect to the Private Network

Authenticating Through the VPN Device Internal Server or RADIUS Server

Authenticating Through a Windows NT Domain

Changing your Password

Authenticating Through RSA Data Security (RSA) SecurID (SDI)

RSA User Authentication: SecurID Tokencards (Tokencards, Pinpads, and Keyfobs) and SoftID v1.0 (Windows 98 and Windows ME)

RSA User Authentication: SoftID v1.x (Windows NT Only) and SecurID v2.0 (All Operating Systems)

RSA New PIN Mode

SecurID Next Cardcode Mode

Connecting with Digital Certificates

Connecting with an Entrust Certificate

Accessing Your Profile

Entrust Inactivity Timeout

Using Entrust SignOn and Start Before Logon Together

Connecting with a Smart Card or Token

Completing the Private Network Connection

Using Automatic VPN Initiation

Enabling Automatic VPN Initiation

Connecting Through Automatic VPN Initiation

Disconnecting Your Session

Changing Option Values While Auto Initiation is Suspended

Disabling Automatic VPN Initiation

Disabling While Suspended

Restarting After Disabling Automatic VPN Initiation

Connection Failures

Viewing Connection Information

Viewing Tunnel Details

Viewing Routing Information

Local LAN Routes

Secured Routes

Firewall Tab

Configuring the Firewall on the Concentrator

Viewing Firewall Information on the VPN Client

AYT Firewall Tab

Centralized Protection Policy (CPP) Using the Cisco Integrated Client

Firewall Rules

Client/Server Firewall Tab

Resetting Statistics

Disconnecting your VPN Client Connection

Closing the VPN Client


Connecting to a Private Network


This chapter explains how to connect to a private network with the VPN Client.

We assume you have configured at least one VPN Client connection entry as described in "Configuring and Managing Connection Entries." To connect to a private network, you also need the following information:

ISP logon username and password, if necessary.

User authentication information:

If you are authenticated via the VPN 3000 Concentrator internal server, your username and password.

If you are authenticated via a RADIUS server, your username and password.

If you are authenticated via a Windows NT Domain server, your username, password, and (if necessary) domain name.

If you are authenticated via RSA Data Security (formerly SDI) SecurID or SoftID, your username and PIN.

If you use a digital certificate for authentication, the name of the certificate and your username and password. If your private key is password protected for security reasons, you also need this password.

Refer to your entries in "Gathering Information You Need," as you complete the steps described here, which include the following sections:

Starting the VPN Client

Using the VPN Client to Connect to the Internet via Dial-Up Networking

Authenticating to Connect to the Private Network

Connecting with Digital Certificates

Completing the Private Network Connection

Using Automatic VPN Initiation

Viewing Connection Information

Closing the VPN Client

Disconnecting your VPN Client Connection

Starting the VPN Client

To start the VPN Client application, choose Start > Programs > Cisco Systems VPN Client > VPN Client.

The VPN Client displays the VPN Client's main window in either simple mode (Figure 5-1) or advanced mode (Figure 5-2), which is the default.

Figure 5-1 Connecting from Simple Mode

Figure 5-2 Connecting from Advanced Mode

Connecting to a Default Connection Entry

If you have configured a default connection entry (sometimes called default user or default profile), the VPN Client uses this connection entry when it starts. The name of this feature is Connect on Open. An administrator configures this feature for you. For information, see the VPN Client Administrator Guide. For information on setting a connection entry to be the default, see "Setting a Default Connection Entry".

Connecting from Simple Mode

To connect to a VPN device through simple mode, follow these steps:


Step 1 If necessary, click the drop-down menu showing connection entries and choose the desired connection entry.

Step 2 Click Connect. The VPN Client displays a window to ask for authentication information.

Step 3 Enter your authentication information; for example, your username and password. (See "Authentication Alternatives").


Connecting from Advanced Mode

To connect to a VPN device through advanced mode, follow these steps:


Step 1 Using advanced mode, you can connect in one of the following ways.

Display the Connection Entries menu and choose Connect.

Click the Connect icon on the tool bar above the Connection Entries tab.

Double-click a connection entry in the list of connection entries.

Step 2 Enter your authentication information; for example, your username and password. (See "Authentication Alternatives")


Authentication Alternatives

To connect to a private network through the Internet, you must authenticate the connection request:

Systems with cable or DSL modems are usually connected to the Internet, so no additional action is necessary. Skip to "Authenticating to Connect to the Private Network."

Systems with modems or ISDN modems must connect to the Internet via Dial-Up Networking:

If you connect to the Internet via Dial-up Networking, proceed to "Using the VPN Client to Connect to the Internet via Dial-Up Networking."

If you must manually connect to the Internet, do it now. When your connection is established, skip to "Authenticating to Connect to the Private Network."

If your system is already connected to the Internet via Dial-Up Networking, skip to "Authenticating to Connect to the Private Network."

Using the VPN Client to Connect to the Internet via Dial-Up Networking

This section describes how to connect to the Internet via Dial-Up Networking by running only the VPN Client. Your connection entry must be configured with Connect to the Internet via Dial-Up Networking enabled; see "Configuring and Managing Connection Entries".


Step 1 Click Connect on the VPN Client's main window. (See Figure 5-1 and Figure 5-2.)

If your credentials are not stored in the RAS database, the Dial-up Networking User Information dialog box appears. (See Figure 5-3.) This dialog box varies, depending on the version of Windows you are using.

Figure 5-3 Entering User Information

Step 2 Enter your username and password to access your ISP. These entries may be case-sensitive, depending on your ISP. The Password field displays only asterisks.

Step 3 Click OK.

When the ISP connection is established, the status line on the Connection window changes to show that the status is "connected", and a Dial-Up Networking icon appears in the system tray on the Windows task bar. (See Figure 5-4.)

Figure 5-4 Dial-Up Networking Task Bar Icon


Authenticating to Connect to the Private Network

This section assumes you are connected to the Internet. If you connect using Dial-Up Networking, verify that its icon is visible in the Windows task bar system tray. (See Figure 5-4.) If not, your Dial-Up Networking connection is not active, and you must establish it before continuing.

If you did not do so earlier, click Connect on the VPN Client's main window. (See Figure 5-1 or Figure 5-2.)

The VPN Client starts tunnel negotiation and displays the status in the Status area (bottom left of the window).

The next phase in tunnel negotiation is user authentication. User authentication means proving that you are a valid user of this private network. User authentication is optional. Your administrator determines whether it is required.

The VPN Client displays a user authentication window that differs according to the authentication that your IPSec group uses. Your system administrator tells you which method to use.

To continue, refer to your entries in "Gathering Information You Need" and go to the appropriate authentication section that follows.

Authenticating Through the VPN Device Internal Server or RADIUS Server

To display the user authentication window, perform the following steps. The title bar identifies the connection entry name.

Figure 5-5 Authenticating Through an Internal or RADIUS Server


Step 1 In the Username field, enter your username. This entry is case-sensitive.

Step 2 In the Password field, enter your password. This entry is case-sensitive. The field displays only asterisks.

Step 3 Click OK.


Note If you cannot choose the Save Password option, your administrator does not allow this option. If you can choose this option, be aware that using it might compromise system security, since your password is then stored on your PC and is available to anyone who uses your PC.

If Save Password is checked and authentication fails, your password may be invalid. To eliminate a saved password, go to advanced mode, and click Erase User Password.


Proceed to the section "Viewing Connection Information."


Authenticating Through a Windows NT Domain

To display the Windows NT Domain user authentication window, perform the following steps. The title bar identifies the connection entry name.

Figure 5-6 Authenticating Through a Windows NT Domain


Step 1 In the Username field, enter your username. This entry is case-sensitive.

Step 2 In the Password field, enter your password. This entry is case-sensitive. The field displays only asterisks.


Note If you are connecting to a legacy server (that is, to a VPN 3000 Concentrator running a software version prior to Release 4.0), you might also be prompted for a domain name. If you see this field in the dialog box, enter your Windows NT Domain name in the Domain field, if it is not already there.


Step 3 Click OK.

Skip to "Viewing Connection Information."


Changing your Password

Your network administrator may have configured your group for RADIUS with Expiry authentication on the VPN 3000 Concentrator. If this feature is in effect and your password has expired, a window prompts you to enter and confirm a new password.

After you have tried unsuccessfully to log in three times, you might receive one of the following login messages:

Restricted login hours

Account disabled

No dial-in permission

Error changing password

Authentication failure

These messages let you know the cause of your inability to log in. For help, contact your network administrator.

Authenticating Through RSA Data Security (RSA) SecurID (SDI)

RSA (formerly SDI) SecurID authentication methods include physical SecurID cards and keychain fobs, and SecurID PC software (formerly called SoftID). SecurID cards also vary: with some cards, the passcode is a combination of a PIN and a cardcode; with others, you enter a PIN on the card and it displays a passcode. Ask your system administrator for the correct procedure.

Authentication via these methods also varies slightly for different operating systems. If you use an RSA method, the VPN Client displays the appropriate RSA user authentication window. The title bar identifies the connection entry name.

RSA User Authentication: SecurID Tokencards (Tokencards, Pinpads, and Keyfobs) and SoftID v1.0 (Windows 98 and Windows ME)

To display an authentication window asking for your username and passcode, perform the following steps. (See Figure 5-7.) If you are using SoftID, it must be running on your PC.

Figure 5-7 Authenticating Through RSA


Step 1 In the Username field, enter your username. This entry is case-sensitive.

Step 2 In the Passcode field, enter a SecurID code. With SoftID, you can copy this code from the SoftID window and paste it here. Your administrator will tell you what you need to enter here, depending on the type of tokencard you are using.

Step 3 After entering the code, click OK.


RSA User Authentication: SoftID v1.x (Windows NT Only) and SecurID v2.0 (All Operating Systems)

If you are using SoftID version 1.x under Windows NT or SecurID version 2.0 under any operating system, the VPN Client displays an authentication window asking for your username and PIN. (See Figure 5-8.)

Figure 5-8 Authenticating Through SoftID on Windows NT


Step 1 In the Username field, enter your username. This entry is case-sensitive.

Step 2 In the PIN field, enter your SoftID or SecurID PIN. The VPN Client obtains the passcode by communicating directly with the SoftID or SecurID software, which must be installed but does not have to be running on your PC.

Step 3 After entering the PIN, click OK.


RSA New PIN Mode

The first time you authenticate using SecurID or SoftID (all operating systems), or if you are using a new SecurID card, and if the RSA administrator allows you to create your own PIN, the authentication program asks if you want to create your own PIN. (See Figure 5-9.)

Figure 5-9 SecurID New PIN Request


Step 1 Enter your response: y for yes or n for no. No is the default response. Then, click OK. What happens next depends on your response.

If you responded yes, enter your new PIN in the New PIN field and enter it again in the Confirm PIN field. Click OK. (See Figure 5-10.)

Figure 5-10 Entering a New PIN Yourself

If you responded no—the authentication program asks if you will accept a system-generated PIN. (See Figure 5-11.)

Figure 5-11 Accepting a PIN from the System

Step 2 To receive a PIN, you must respond y for yes and then click OK. When you do, the authentication program generates a PIN for you and displays it. (See Figure 5-12.) Be sure to remember your PIN.

Figure 5-12 New PIN Received

Step 3 To continue, click OK.


SecurID Next Cardcode Mode

Sometimes SecurID authentication prompts you to enter the next cardcode from your token card, as in Figure 5-13. SecurID displays this prompt either to resynchronize the token card with the RSA server, or because it noticed several unsuccessful attempts to authenticate with this username.

The SecurID Next Cardcode Mode window might appear. (See Figure 5-13.)

Figure 5-13 Entering the Passcode for SecurID Next Card

In the Passcode field, enter the next code from your token card. This field requires only a cardcode. Do not include your PIN as part of the passcode.

Now continue to "Viewing Connection Information."

Connecting with Digital Certificates

Before you create a connection entry using a digital certificate, you must have already enrolled in a Public Key Infrastructure (PKI), have received approval from the Certificate Authority (CA), and have one or more certificates installed on your system. If this is not the case, then you need to obtain a digital certificate. In many cases, the network administrator of your organization can provide you with a certificate. If not, then you can obtain one by enrolling with a PKI directly using the Certificate Manager application, or you can obtain an Entrust profile through Entrust Entelligence. Currently, we support the following PKIs:

UniCERT from Baltimore Technologies (www.baltimoretechnologies.com)

Entrust PKI™ from Entrust Technologies (www.entrust.com)

VeriSign (www.verisign.com)

Microsoft Certificate Services in Microsoft Windows 2000 Server

Cisco Certificate Store

The Web sites listed in parentheses in this list contain information about the digital certificates that each PKI provides. The easiest way to enroll in a PKI or import a certificate is to use the Certificate Manager (see "Enrolling and Managing Certificates") or Entrust Entelligence (see Entrust documentation).


Note Every time you connect using a certificate, the VPN Client verifies that your certificate has not expired. If your certificate is within one month of expiring, the VPN Client displays a message when you attempt to connect or when you use the Properties option. The message displays the certificate common name, the "not before" date, the "not after" date, and the number of days until the certificate expires or since it has expired.
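As an added example (not Cisco's code), the following Python carries out the pre-connect lifetime check the note describes: it classifies a certificate as valid, expiring soon, expired, or not yet valid, and builds a message with the fields the client reports (common name, not-before date, not-after date, days until or since expiry). The 30-day reading of "one month", the sample names, and the sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# "Within one month of expiring" is taken as 30 days here (assumption).
WARN_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class CertValidity:
    common_name: str
    not_before: datetime   # timezone-aware
    not_after: datetime    # timezone-aware


def days_until_expiry(cert: CertValidity, now: datetime) -> int:
    """Whole days until not_after; negative once the certificate has expired.

    Truncates toward zero, so a certificate 3 days and 5 hours past its
    not-after date reports -3 rather than -4 (timedelta.days would floor)."""
    remaining = cert.not_after - now
    return remaining.days if remaining >= timedelta(0) else -((-remaining).days)


def certificate_status(cert: CertValidity, now: datetime) -> str:
    """Validity state of the certificate at time 'now'."""
    if now < cert.not_before:
        return "not_yet_valid"
    if now > cert.not_after:
        return "expired"
    if cert.not_after - now <= WARN_WINDOW:
        return "expiring_soon"
    return "valid"


def expiry_message(cert: CertValidity, now: datetime) -> Optional[str]:
    """None when no message is due; otherwise the text the user would see,
    carrying common name, not-before, not-after, and days until/since expiry."""
    status = certificate_status(cert, now)
    if status == "valid":
        return None
    days = days_until_expiry(cert, now)
    when = f"expires in {days} day(s)" if days >= 0 else f"expired {-days} day(s) ago"
    return (f"Certificate '{cert.common_name}' [{status}] {when} "
            f"(not before {cert.not_before:%Y-%m-%d}, not after {cert.not_after:%Y-%m-%d})")


# Constructed sample data: a fixed "current time" and four certificates, one per state.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE = {
    "soon":    CertValidity("Engineering VPN User", datetime(2023, 3, 1, tzinfo=timezone.utc),
                            datetime(2024, 3, 15, tzinfo=timezone.utc)),
    "valid":   CertValidity("Engineering VPN User", datetime(2023, 6, 1, tzinfo=timezone.utc),
                            datetime(2024, 6, 1, tzinfo=timezone.utc)),
    "expired": CertValidity("Old VPN User", datetime(2023, 2, 20, tzinfo=timezone.utc),
                            datetime(2024, 2, 20, tzinfo=timezone.utc)),
    "future":  CertValidity("New VPN User", datetime(2024, 4, 1, tzinfo=timezone.utc),
                            datetime(2025, 4, 1, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for name, cert in SAMPLE.items():
        print(f"{name:8} {certificate_status(cert, NOW):14} {expiry_message(cert, NOW)}")
```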


What happens when you press Connect depends on the level of private key protection on your certificate. If your certificate is password protected, you are prompted to enter the password.


Note Because each certificate is associated with a connection profile, you can create different connection profiles with different certificates.


Connecting with an Entrust Certificate

This section provides important information about what to expect when connecting with an Entrust certificate under certain conditions.

Accessing Your Profile

If you are not already logged in, you must log in to Entrust Entelligence to access your Entrust Entelligence certificate profile, using the following procedure:

After you choose Connect on the VPN Client main window, the Entrust logon window appears. (See Figure 5-14.)

Figure 5-14 Logging in to Entrust


Step 1 Choose a profile name from the pull-down menu.

Your network administrator has previously configured one or more profiles for you through Entrust Entelligence. If the software is installed on your system but there are no profiles available, then you need to get a profile from your network administrator or directly through Entrust. Refer to Entrust Entelligence Quick Start Guide for instructions on obtaining a profile. The VPN Client Administrator Guide contains supplementary configuration information.

Step 2 After choosing a profile, enter your Entrust password.

Check the Work offline field to use Entrust Entelligence without connecting to the Entrust PKI. If Work offline is checked and you press OK, the Entrust wizard displays the message shown in Figure 5-15.

Figure 5-15 Entrust Login Message

You can ignore this message. Since you are connecting to your organization's private network using an existing certificate profile, you are not interacting with the Entrust PKI. If you see this message, click OK to continue.

Step 3 After completing the Entrust Login window (see Figure 5-14), click OK.

You may receive a security warning message from Entrust. This warning occurs, for example, when an application attempts to access your Entelligence profile for the first time or when you are logging in after a VPN Client software update. The message happens because Entrust wants to verify that it is acceptable for the VPN Client to access your Entrust profile.

Figure 5-16 Entrust Security Warning

Step 4 At the warning message, click Yes to continue.

You can now use your Entrust certificate for authenticating your new connection entry.


Entrust Inactivity Timeout

If you have a secure connection and you see a padlock next to the Entelligence icon in the Windows system tray, Entelligence has timed out. However, you have not lost your connection. If you see the Entelligence icon with an X next to it, you are logged out of Entrust, and you did not have a secure connection initially. To make a new connection, start from the beginning (see "Accessing Your Profile").

Using Entrust SignOn and Start Before Logon Together

Entrust SignOn™ is an optional Entrust application that lets you use one login and password to access Microsoft Windows and Entrust applications. This application is similar to start before logon, which is a VPN Client feature that enables you to dial in before logging on to Windows NT. For information about start before logon, see "Starting a Connection Before Logging on to a Windows NT Platform".

If you want to use these two features together, you should make sure you have installed Entrust Entelligence with the Entrust SignOn module before installing the VPN Client. For information about installing Entrust SignOn, refer to Entrust documentation and the VPN Client Administrator Guide, Chapter 1.

To use these two features together, follow these steps:


Step 1 Start your system.

When the SignOn option is installed, Entrust displays its own Ctrl Alt Delete window.

Step 2 Click Ctrl Alt Delete.

The Entrust Options window and the VPN Client login window both pop up. The VPN Client window is active.

Step 3 To start your VPN connection, click Connect on the VPN Client main window.

The Entrust login window becomes active.

Step 4 To log in to your Entrust profile, enter your Entrust password.

The VPN Client password prompt window becomes active.

Step 5 Enter your VPN dialer username and password.

The VPN Client authenticates your credentials and optionally displays a banner and/or a notification. Respond to the banner or notification as required. Then the Windows NT logon window is active.

Step 6 To complete the connection, enter your Windows NT logon credentials in the Windows logon window. You are then done.


Connecting with a Smart Card or Token

The VPN Client supports authentication with digital certificates through a smart card or electronic token. Several vendors provide smart cards and tokens. For an up-to-date list of those that the VPN Client currently supports, see "Smart Cards Supported". Smart card support is provided through the Microsoft Cryptographic API (MS CAPI). Any cryptographic service provider (CSP) you use must support signing with CRYPT_NOHASHOID.


Note Smart cards generally have only the private key associated with a certificate, so even without having the smart card inserted, you can still create an individual certificate-authentication profile. You must insert the smart card, however, to complete the authentication process.


Once you or your network administrator has configured a connection entry that uses a Microsoft certificate provided by a smart card, you must insert the smart card into the receptor. When you start your connection, you are prompted to enter a password or PIN, depending on the vendor. For example, Figure 5-17 shows the authentication prompt from ActivCard Gold.

Figure 5-17 ActivCard Gold PIN Prompt

In this example, you would type your PIN code in the Enter PIN code field and click OK.

The next example shows how to log in to eToken from Aladdin. You select the token in the eToken Name column, type a password in the User Password field, and click OK.

Figure 5-18 eToken Prompt


Note If your smart card or token is not inserted, the authentication program displays an error message. If this occurs, insert your smart card or token and try again.


Completing the Private Network Connection

After completing the user authentication phase, the VPN Client continues negotiating security parameters and displays a window. The connection entry display now indicates which connection entry is active. In Figure 5-19, a yellow lock icon indicates the Engineering connection entry is active and the status line shows Connected to "Engineering". Clicking the down arrow icon at the lower-right corner of the status line toggles a statistics display to show, in turn, the connect time, bytes in and out, and the IP address.

Figure 5-19 Completing the Private Network Connection

If the network administrator of the Cisco VPN device has created a client banner, you see a message designated for all clients connecting to that device; for example, The Documentation Server will be down for routine maintenance on Sunday.

After you complete your connection, the VPN Client minimizes to a closed-lock icon in the system tray on the Windows task bar.

You are now connected securely to the private network via a tunnel through the Internet, and you can access the private network as if you were an onsite user.

Using Automatic VPN Initiation

Your VPN Client can automatically initiate a VPN connection based on the network to which your machine is connected. This feature is called auto initiation for on-site Wireless LANs (WLANs). Auto initiation makes the user experience on a WLAN secured by a VPN resemble that of a traditional wired network. These environments are referred to here simply as WLANs.

On-site WLAN VPNs are similar to remote access VPNs with an important distinction. In an on-site wireless VPN environment, enterprise administrators have deployed wireless 802.11x networks in corporate facilities, and these networks use VPNs to secure the wireless part of the network link. In this case, if your PC is on a WLAN without VPN, you cannot access network resources. If a VPN exists, your access is similar to what it is with wired Ethernet connections. Figure 5-20 shows the two different types of VPN access.

Figure 5-20 Remote Access VPN Versus On-Site Wireless Access VPN

In your connection profile, your network administrator can configure a list of up to 64 matched networks (address/subnet masks) and corresponding connection profiles (.pcf files). When the VPN Client detects that your PC's network address matches one of the address/subnet mask pairs in the auto initiation network list, it checks whether the network administrator has configured that profile to allow (the default) or prohibit auto initiation. If auto initiation is allowed, the VPN Client automatically establishes a VPN connection using the matching profile for that network.

While auto initiation is primarily for an on-site WLAN application, you can also use auto initiation in any situation based on the presence of a specific network. For example, in your home office, you may want to create an entry for your VPN to auto initiate from your corporate PC whenever you are connected to your home network, whether that network is a wireless or a wired LAN.

The VPN Client lets you know when your connection is auto initiating and informs you of the various stages of an auto initiated connection. You can suspend, resume, disconnect, or disable auto initiation. When you disconnect or the connection attempt fails, the VPN Client automatically retries auto initiation after a configured interval called the retry interval. From the VPN Client Options menu, you can disable auto initiation, and you can change the interval between connection attempts.

Enabling Automatic VPN Initiation

After you have established a connection, right-click the yellow lock icon in the system tray and select Enable Auto-initiation from the menu that appears (see Figure 5-21).

Figure 5-21 Enabling Auto Initiation

The VPN Client displays a dialog box (Figure 5-22) asking whether you want to enable auto initiation and asking you to specify the number of minutes between retries.

Figure 5-22 Auto Initialization Dialog

Check the check box to enable auto initiation and specify a retry interval ranging from 1 to 10 minutes. After you have enabled auto initiation, if you close or lose your connection, auto initiation automatically attempts to reconnect at the specified interval until you exit the VPN Client or disable or suspend auto initiation.
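As an added example (not Cisco's code), the following Python models the auto initiation decision described earlier in this section together with the 1 to 10 minute retry interval range: it matches the PC's address against the address/subnet mask list, honours a profile that the administrator has set to prohibit auto initiation, and enforces the 64-entry limit. The entry layout, the first-match rule, and all sample networks and profile names other than "Engineering" are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_ENTRIES = 64           # the chapter states the list holds up to 64 networks
RETRY_MIN_MINUTES = 1      # retry interval range given in the chapter
RETRY_MAX_MINUTES = 10


@dataclass(frozen=True)
class AutoInitEntry:
    network: str          # network address, e.g. "10.20.0.0"
    mask: str             # subnet mask, e.g. "255.255.0.0"
    profile: str          # connection entry (.pcf) to use for this network
    allowed: bool = True  # administrator may prohibit auto initiation; allow is the default

    def contains(self, pc_address: str) -> bool:
        """True if pc_address falls inside this entry's address/mask pair."""
        net = ipaddress.IPv4Network((self.network, self.mask), strict=False)
        return ipaddress.IPv4Address(pc_address) in net


def load_entries(raw: List[Dict]) -> List[AutoInitEntry]:
    """Build the network list, enforcing the 64-entry limit and validating each address/mask.

    The dict keys used here are an assumption for this example, not the
    client's own profile format."""
    if len(raw) > MAX_ENTRIES:
        raise ValueError(f"auto initiation list has {len(raw)} entries; the limit is {MAX_ENTRIES}")
    entries = []
    for item in raw:
        # Raises ValueError for a malformed address or mask before anything is stored.
        ipaddress.IPv4Network((item["network"], item["mask"]), strict=False)
        entries.append(AutoInitEntry(item["network"], item["mask"],
                                     item["profile"], item.get("allowed", True)))
    return entries


def select_profile(entries: List[AutoInitEntry], pc_address: str) -> Optional[str]:
    """Return the profile to auto-initiate for pc_address, or None if no connection starts.

    Assumption: the first matching entry decides. If that profile prohibits
    auto initiation, the client starts nothing rather than trying later entries."""
    for entry in entries:
        if entry.contains(pc_address):
            return entry.profile if entry.allowed else None
    return None


def valid_retry_interval(minutes: int) -> bool:
    """The retry interval must be a whole number of minutes from 1 to 10."""
    return isinstance(minutes, int) and RETRY_MIN_MINUTES <= minutes <= RETRY_MAX_MINUTES


# Constructed sample list: "Engineering" is the connection entry named elsewhere in
# this chapter; the other profile names and all addresses are made up.
SAMPLE_LIST = load_entries([
    {"network": "10.20.0.0",   "mask": "255.255.0.0",   "profile": "Engineering"},
    {"network": "192.168.1.0", "mask": "255.255.255.0", "profile": "HomeOffice"},
    {"network": "10.30.5.0",   "mask": "255.255.255.0", "profile": "Lab", "allowed": False},
])

if __name__ == "__main__":
    for addr in ("10.20.14.7", "192.168.1.50", "10.30.5.9", "172.16.0.1"):
        print(addr, "->", select_profile(SAMPLE_LIST, addr))
```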

Connecting Through Automatic VPN Initiation

Typically when you start your wireless system (normally, a laptop), your connection initiates automatically. You do not see the VPN Client's main dialog. As the connection goes forward, the VPN Client displays a sequence of screens.

The VPN Client also displays an authentication dialog, such as the one shown in Figure 5-23.

Figure 5-23 Authenticating Automatic VPN Initialized Connection

When you enter your authentication information, your connection starts immediately, as indicated by the closed yellow lock icon in the system tray.

Figure 5-24 Closed Lock—Connected

If your network administrator has defined a banner, you'll also see that banner displayed.

To cancel the connection attempt, click Cancel Connect on the toolbar. When you cancel the connection attempt, the VPN Client displays a message requesting you to confirm the cancellation.

To cancel, click No. The Log tab or Log Window shows the event log message "Connection canceled."

To suspend auto initiation, right-click the yellow lock icon in the system tray and select Suspend Auto-initiation from the menu. In the event log, you see the message "Auto-initiation has been suspended". While auto initiation is suspended, the yellow lock icon in the system tray is shown open.

Figure 5-25 Open Lock—Suspended Auto Initiation

To resume auto initiation after suspending, right-click the open yellow lock icon and select Resume Auto-initiation from the menu. (See Figure 5-26.)

Figure 5-26 Resuming Auto Initiation

Auto initiation resumes. This is the simplest scenario of what happens during auto initiation. At various points, depending on the actions you take, you see messages, changes in the color of the icon in the system tray, and differences in choices you can make. The rest of this section describes these various alternatives.

Disconnecting Your Session

To disconnect your session, either double-click the lock icon in the system tray and click the Disconnect button or right-click the lock and select Disconnect from the menu (in the standard way). The VPN Client displays the following message. (See Figure 5-27.)

Figure 5-27 Disconnecting Your Session

To suspend auto initiation, click Yes. Auto initiation suspends until you resume it, disable it, or log off.

When you click No, auto initiation stays in effect and the VPN Client automatically retries auto initiation according to the retry interval; for example, every minute.

Changing Option Values While Auto Initiation is Suspended

When auto initiation is suspended, you can change VPN Client options as follows:


Step 1 Double-click the yellow lock icon in the system tray.

Step 2 Click Options. The VPN Client displays the Options menu.


Disabling Automatic VPN Initiation

To completely shut down auto initiation, you can disable it through the Options menu by following these steps:


Step 1 Display the VPN Client main window and click Options.

Step 2 Select Automatic VPN Initiation. The VPN Client displays the window shown in Figure 5-28.

Figure 5-28 Setting Auto Initiation Parameters

Step 3 Click to remove the check mark from Enable and click OK. The log displays a message, "Auto-initiation has been disabled," and auto initiation terminates.



Note Unchecking Enable does not remove the Automatic VPN Initiation option from the Options menu. This option always appears in the menu as long as your network administrator has configured the feature.


Disabling While Suspended

Alternatively, when auto initiation is suspended and you want to disable it, follow these steps:


Step 1 Right-click the yellow lock icon in the system tray.

Step 2 Select Disable Auto-initiation. The VPN Client displays a message asking whether you are sure that you want to disable auto initiation.

Step 3 To completely disable auto initiation and eliminate further automatic retries, click Yes. To cancel the action and keep auto initiation enabled, click No.


Restarting After Disabling Automatic VPN Initiation

When you want to restart auto initiation, follow these steps:


Step 1 Launch the VPN Client from the Start > Programs > Cisco Systems VPN Client menu.

Step 2 Click Options.

Step 3 Select Automatic VPN Initiation.

Step 4 Check the Enable check box, set the retry interval, and click OK. The log shows that auto initiation is now in effect. For an example, see Figure 5-29.

Figure 5-29 Auto Initiation Log Messages

Step 5 Close the VPN Client dialog. The Authentication window appears.


Connection Failures

If the auto initiation attempt fails, the VPN Client notifies you with a dial status dialog and a warning message.

Figure 5-30 Auto Initiation Failure Message

Viewing Connection Information

From the Status menu, you can view the following information about your private network connection:

Tunnel details

Routing information

Firewall information

Notifications

Viewing Tunnel Details

To display information about your IPSec tunnel, pull down the Status menu and choose Statistics. Then click the Tunnel Details tab. The VPN Client shows IP security information, listing the IPSec statistics for this VPN tunnel to the private network.

Figure 5-31 Viewing Tunnel Information

The statistics are the following:

Address Information:

Client IP address—The IP address assigned to the VPN Client for the current session.

Server IP address—The IP address of the VPN device to which the VPN Client is connected.

Connection Information

Connection Entry—The name of the profile you are using to establish the connection.

Time—Length of time the connection has been up.

Bytes

Received—The total amount of data received after a secure packet has been successfully decrypted.

Sent—The total amount of encrypted data transmitted through the tunnel.

Crypto

Encryption—The data encryption method for traffic through this tunnel. Encryption makes data unreadable if intercepted.

Authentication—The data, or packet, authentication method used for traffic through this tunnel. Authentication verifies that no one has tampered with data.

Packets

Packets encrypted—The total number of secured data packets transmitted out the port.

Packets decrypted—The total number of data packets received on the port.

Packets discarded—The total number of data packets that the VPN Client rejected because they did not come from the secure VPN device gateway.

Packets bypassed—The total number of data packets that the VPN Client did not process because they did not need to be encrypted. Local ARPs and DHCP fall into this category.

Transport

Transparent Tunneling—The status of tunnel transparent mode in the VPN Client, either active or inactive.

Local LAN Access—Whether access to your local area network while the tunnel is active is enabled or disabled. (For information on configuring this feature, see "Allowing Local LAN Access".)

Compression—Whether data compression is in effect as well as the type of compression in use. Currently, LZS is the only type of compression that the VPN Client supports.

Viewing Routing Information

To display routing information, pull down the Status menu and choose Statistics. Then click the Route Details tab.

Figure 5-32 Viewing Routing Information

In Figure 5-32, the columns show the following types of information.

Local LAN Routes

The Local LAN Routes box shows the network addresses of the networks you can access on your local LAN while you are connected to your organization's private network through an IPSec tunnel. You can access up to 10 networks on the client side of the connection. A network administrator at the central site must configure the networks you can access from the client side. For information on configuring Local LAN Access on the VPN 3000 Concentrator, refer to VPN Client Administrator Guide, Chapter 1.

Network—The network address of a route that is excluded from the tunnel, that is, a network you reach directly on your local LAN.

Subnet Mask—The subnet mask of the IP address for this route.

Secured Routes

The Secured Routes box shows the following information:

Network—The IP address of the remote private network with which this VPN Client has a security association (SA).

Subnet Mask—The subnet mask of the IP address for this SA.
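The two boxes on the Route Details tab are the client's split-tunnel decision table: a destination that falls inside a Local LAN Route leaves the PC in the clear, one that falls inside a Secured Route is sent through the IPSec SA, and anything else is non-tunneled traffic. The following added example (not part of this guide or of the VPN Client software) models that decision in Python, including the 10-network limit on Local LAN Routes and the tunnel-everything case where the Secured Route is 0.0.0.0/0. The ordering (exclusions first, then secured routes) and the sample networks are the author's assumptions for illustration.

```python
"""Split-tunnel route classification modelled on the Route Details tab.

Added example; it is not the VPN Client's code. Networks and masks below
are constructed sample data in the form the tab displays them.
"""
from ipaddress import ip_address, ip_network

MAX_LOCAL_LAN_ROUTES = 10   # limit stated in the guide for client-side networks

TUNNEL = "tunnel"       # matches a Secured Route: sent through the IPSec SA
LOCAL = "local-lan"     # matches a Local LAN Route: sent in the clear on the local LAN
CLEAR = "clear"         # matches neither: non-tunneled traffic (subject to the CPP firewall)


def exceeds_local_lan_limit(local_lan):
    """True when more Local LAN Routes are configured than the client allows."""
    return len(local_lan) > MAX_LOCAL_LAN_ROUTES


def build_route_table(secured, local_lan):
    """Turn the two route boxes into ip_network objects.

    `secured` and `local_lan` are lists of (network, subnet_mask) string
    pairs exactly as the Route Details tab lists them.
    """
    if exceeds_local_lan_limit(local_lan):
        raise ValueError(f"at most {MAX_LOCAL_LAN_ROUTES} Local LAN routes are allowed")

    def to_net(net, mask):
        # ip_network accepts a dotted netmask, e.g. "10.10.0.0/255.255.0.0"
        return ip_network(f"{net}/{mask}", strict=False)

    return {
        "secured": [to_net(n, m) for n, m in secured],
        "local_lan": [to_net(n, m) for n, m in local_lan],
    }


def classify(dst, table):
    """Decide how a packet addressed to `dst` leaves the PC.

    Assumption (author's model, not a statement in the guide): Local LAN
    Routes are exclusions and are checked first, so a tunnel-everything
    configuration (Secured Route 0.0.0.0/0) can still reach the local LAN
    when Local LAN Access is enabled.
    """
    ip = ip_address(dst)
    if any(ip in net for net in table["local_lan"]):
        return LOCAL
    if any(ip in net for net in table["secured"]):
        return TUNNEL
    return CLEAR


# Constructed sample: a split-tunnel profile with two private networks
# and one excluded local LAN.
SPLIT_TUNNEL = build_route_table(
    secured=[("10.10.0.0", "255.255.0.0"), ("172.16.5.0", "255.255.255.0")],
    local_lan=[("192.168.1.0", "255.255.255.0")],
)

# Constructed sample: tunnel everything, with Local LAN Access enabled.
TUNNEL_EVERYTHING = build_route_table(
    secured=[("0.0.0.0", "0.0.0.0")],
    local_lan=[("192.168.1.0", "255.255.255.0")],
)

if __name__ == "__main__":
    for dst in ("10.10.3.4", "192.168.1.20", "8.8.8.8"):
        print(f"{dst:>14}  split-tunnel: {classify(dst, SPLIT_TUNNEL):<10}"
              f"tunnel-everything: {classify(dst, TUNNEL_EVERYTHING)}")
```

Running the block prints the decision for each sample destination under both profiles; note that 8.8.8.8 is non-tunneled under split tunneling but tunneled under tunnel everything, which is exactly the traffic the CPP firewall described later does and does not see.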

Firewall Tab

The Firewall tab displays information about the VPN Client's firewall configuration.

Configuring the Firewall on the Concentrator

The VPN Concentrator's network manager specifies the name of the firewall that the VPN Client is enforcing, such as the Cisco Integrated Client, Zone Labs ZoneAlarm, ZoneAlarm Pro, BlackICE Defender, and so on, and sets up the firewall policy under the Configuration | User Management | Base Group or Group | Client FW tab. The following firewall policy options exist:

AYT (Are You There) enforces the use of a specific firewall but does not require you to have a specific firewall policy. The supported firewall software on the VPN Client PC controls its own rules. The VPN Client polls the firewall every 30 seconds to make sure it is still running, but does not confirm that a specific policy is enforced.

Centralized Protection Policy (CPP) or "Policy Pushed" as defined on the VPN Concentrator lets you define a stateful firewall policy that the VPN Client enforces for Internet traffic while a tunnel is in effect. CPP is for use during split tunneling and is not relevant for a tunnel everything configuration. In a tunnel everything configuration, all traffic other than tunneled traffic is blocked during the tunneled connection. This policy takes advantage of the Cisco Integrated Client. The policy rules are defined on the VPN Concentrator and sent to the VPN Client during each connection attempt. The VPN Client enforces these rules for all non-tunneled traffic while the tunnel is active.


Note CPP affects only Internet traffic. Traffic across the tunnel is unaffected by its policy rules. If you are operating in tunnel everything mode, enabling CPP has no effect.


Client/Server, corresponding to "Policy from Server" (Zone Labs Integrity) on the VPN Concentrator, relates to the Zone Labs Integrity solution. The policy is defined on the Integrity Server in the private network and sent to the VPN Concentrator, which in turn sends it to the Integrity Agent on the VPN Client PC to enforce. Because Integrity is a fully functional personal firewall, it can make decisions about network traffic based on the application as well as the data.

Table 5-1 summarizes the policy options available for the various supported firewalls.

Table 5-1 Firewalls and Policy Options Summary 

Firewall                                   AYT   Pushed (CPP)   From Server
-----------------------------------------  ---   ------------   -----------
Cisco Integrated Firewall                         X
Network Ice BlackICE Defender              X
Zone Labs ZoneAlarm                        X     X
Zone Labs ZoneAlarm Pro                    X     X
Zone Labs ZoneAlarm or ZoneAlarm Pro       X     X
Zone Labs Integrity                                             X
Sygate Personal Firewall                   X
Sygate Personal Firewall Pro               X
Sygate Security Agent                      X
Cisco Intrusion Prevention Security Agent  X
Custom Firewall                            X     X              X


Viewing Firewall Information on the VPN Client

The Firewall tab displays information about the VPN Client's firewall configuration, including the firewall policy and the configured firewall product. The remaining contents of the Firewall tab depend on these two configured options.

The information shown on this tab varies according to your firewall policy.

AYT—When Are You There (AYT) is the supported capability, the Firewall tab shows only the firewall policy (AYT) and the name of the firewall product (see Figure 5-33). AYT enforces the use of a specific personal firewall but does not require you to have a specific firewall policy.

Centralized Protection Policy (CPP)—When CPP is the supported capability, the Firewall tab includes the firewall policy, the firewall in use, and firewall rules (see Figure 5-34).

Client/Server—When Client/Server is the supported capability, the Firewall tab displays the firewall policy as Client/Server, the name of the product as Zone Labs Integrity Agent, the user ID, session ID, and the addresses and port numbers of the firewall servers (see Figure 5-35).

AYT Firewall Tab

The Firewall tab shows that AYT is running and displays the name of the firewall product that supports AYT. AYT is used in conjunction with Cisco Intrusion Prevention Security Agent or Zone Labs ZoneAlarm or ZoneAlarm Pro to ensure that the firewall is enabled and running on the system, but not to confirm that a specific policy is enforced.

Figure 5-33 Firewall Tab for AYT capability

Centralized Protection Policy (CPP) Using the Cisco Integrated Client

CPP is a stateful firewall policy that is defined on and controlled from the VPN Concentrator. It can add protection for the VPN Client PC and private network from intrusion when split tunneling is in use. CPP sends down a stateful firewall policy for the integrated firewall in the VPN Client for use while connected with split tunneling. For CPP (see Figure 5-34), the Firewall tab shows you the firewall rules in effect.

Figure 5-34 Firewall Tab for CPP

This status screen lists the following information:

Firewall Policy—The policy established on the VPN Concentrator for this VPN Client.

Product—The name of the firewall currently in use, such as Cisco Integrated Client, ZoneAlarm Pro, and so on.

Firewall Rules—Information about the firewall rules currently in effect, as described in the following section.

Firewall Rules

The Firewall Rules section shows all of the firewall rules currently in effect on the VPN Client. Rules are in order of importance from highest to lowest level. The rules at the top of the table allow inbound and outbound traffic between the VPN Client and the secure gateway and between the VPN Client and the private networks with which it communicates. For example, there are two rules in effect for each private network that the VPN Client connects to through a tunnel (one rule that allows traffic outbound and another that allows traffic inbound). These rules are part of the VPN Client software. Since they are at the top of the table, the VPN Client enforces them before examining CPP rules. This approach lets the traffic flow to and from private networks.

CPP rules (defined on the VPN Concentrator) are only for nontunneled traffic and appear next in the table. For information on configuring filters and rules for CPP, see VPN Client Administrator Guide, Chapter 1. A default rule "Firewall Filter for VPN Client (Default)" on the VPN Concentrator lets the VPN Client send any data out, but permits return traffic in response only to outbound traffic.

Finally, there are two rules listed at the bottom of the table. These rules, defined on the VPN Concentrator, specify the filter's default action, either drop or forward. If not changed, the default action is drop. These rules are used only if the traffic does not match any of the preceding rules in the table.


Note The Cisco Integrated Client firewall is stateful: for TCP, UDP, and ICMP it allows inbound responses to outbound packets. For exceptions, refer to VPN Client Administrator Guide, Chapter 1. Inbound traffic for other IP protocols is not tracked this way; to allow inbound responses to outbound packets for such protocols, a network administrator must define specific filters on the VPN Concentrator.


You can drag the borders between the column headings at the top of the box to widen the columns; for example, to display the complete words Action and Direction rather than Act or Dir. Each time you close the display and open this status tab again, the columns revert to their original width. The default rules from the VPN Concentrator (drop any inbound and drop any outbound, unless the administrator changed the default action) are always at the bottom of the list. These two rules act as a safety net and apply only when traffic does not match any rule higher in the table.

To display the fields of a specific rule, click on the first column and observe the fields in the next area below the list of rules. For example, the window section underneath the rules in Figure 5-34 displays the fields for the rule that is highlighted in the list.

A firewall rule includes the following fields:

Action—The action taken if the data traffic matches the rule:

Drop = Discard the session.

Forward = Allow the session to go through.

Direction—The direction of traffic to be affected by the firewall:

Inbound = traffic coming into the PC (the local machine).

Outbound = traffic going out from the PC to all networks while the VPN Client is connected to a secure gateway.

Source Address—The address of the traffic that this rule affects:

Any = all traffic; for example, drop any inbound traffic.

This field can also contain a specific IP address and subnet mask.

Local = the local machine; if the direction is Outbound then the Source Address is local.

Destination Address—The packet's destination address that this rule checks (the address of the recipient).

Any = all traffic; for example, forward any outbound traffic.

Local = The local machine; if the direction is Inbound, the Destination Address is local.

Protocol—The Internet Assigned Numbers Authority (IANA) number of the protocol that this rule concerns (6 for TCP, 17 for UDP, and so on).

Source Port—Source port used by TCP or UDP.

Destination Port—Destination port used by TCP or UDP.
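The Firewall Rules section and the field list above describe a first-match table: built-in rules for the secure gateway and each private network at the top, the CPP rules pushed from the VPN Concentrator next, and the two default-action rules at the bottom, with TCP, UDP, and ICMP replies to outbound packets admitted statefully. The following added example (not part of this guide or of the Cisco Integrated Client) implements that evaluation order in Python so the effect of the "Firewall Filter for VPN Client (Default)" rule and of the default drop rules can be tested against sample packets. The addresses, the sample CPP rule that blocks outbound SMTP, and the session-tracking key are the author's constructions; the rule table returned by build_sample_firewall() is illustrative, not a dump of a real concentrator configuration.

```python
"""First-match, stateful evaluation of a CPP-style firewall rule table.

Added example; it is not the VPN Client's code. Addresses and rules are
constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DROP, FORWARD = "Drop", "Forward"
INBOUND, OUTBOUND = "Inbound", "Outbound"
ANY, LOCAL = "Any", "Local"
ICMP, TCP, UDP = 1, 6, 17                # IANA protocol numbers, as shown in the Protocol field
STATEFUL_PROTOCOLS = {TCP, UDP, ICMP}    # inbound responses to outbound packets are allowed


@dataclass(frozen=True)
class Rule:
    action: str                      # Drop or Forward
    direction: str                   # Inbound or Outbound
    src: str = ANY                   # Any, Local, or "network/mask"
    dst: str = ANY
    protocol: Optional[int] = None   # None = any protocol
    sport: Optional[int] = None      # None = any port
    dport: Optional[int] = None
    name: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    protocol: int
    sport: int = 0                   # 0 for protocols without ports (ICMP, GRE, ...)
    dport: int = 0


def _addr_matches(spec, addr, local_ip):
    if spec == ANY:
        return True
    if spec == LOCAL:
        return ip_address(addr) == ip_address(local_ip)
    return ip_address(addr) in ip_network(spec, strict=False)


def _rule_matches(rule, pkt, local_ip):
    return (rule.direction == pkt.direction
            and _addr_matches(rule.src, pkt.src, local_ip)
            and _addr_matches(rule.dst, pkt.dst, local_ip)
            and rule.protocol in (None, pkt.protocol)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport))


def build_rule_table(gateway_ip, secured_networks, cpp_rules, default_action=DROP):
    """Assemble the table in the order the Firewall Rules section describes."""
    table = [  # built into the client: traffic to and from the secure gateway
        Rule(FORWARD, OUTBOUND, LOCAL, f"{gateway_ip}/32", name="VPN Client: to secure gateway"),
        Rule(FORWARD, INBOUND, f"{gateway_ip}/32", LOCAL, name="VPN Client: from secure gateway"),
    ]
    for net in secured_networks:  # two built-in rules per tunneled private network
        table.append(Rule(FORWARD, OUTBOUND, LOCAL, net, name=f"VPN Client: to {net}"))
        table.append(Rule(FORWARD, INBOUND, net, LOCAL, name=f"VPN Client: from {net}"))
    table.extend(cpp_rules)       # policy pushed from the concentrator, non-tunneled traffic only
    table.append(Rule(default_action, INBOUND, name="Default: inbound"))
    table.append(Rule(default_action, OUTBOUND, name="Default: outbound"))
    return table


class StatefulFirewall:
    def __init__(self, local_ip, table):
        self.local_ip = local_ip
        self.table = table
        # (protocol, local port, remote address, remote port) of forwarded outbound packets
        self.sessions = set()

    def evaluate(self, pkt):
        """Return (action, rule name); forwarded outbound TCP/UDP/ICMP opens a session."""
        if pkt.direction == INBOUND and pkt.protocol in STATEFUL_PROTOCOLS:
            if (pkt.protocol, pkt.dport, pkt.src, pkt.sport) in self.sessions:
                return FORWARD, "stateful response to outbound packet"
        for rule in self.table:  # first match wins, top of table first
            if _rule_matches(rule, pkt, self.local_ip):
                if (rule.action == FORWARD and pkt.direction == OUTBOUND
                        and pkt.protocol in STATEFUL_PROTOCOLS):
                    self.sessions.add((pkt.protocol, pkt.sport, pkt.dst, pkt.dport))
                return rule.action, rule.name
        return DROP, "no matching rule"  # unreachable while the default rules are present


def build_sample_firewall():
    """Constructed sample: gateway 203.0.113.10, private net 10.10.0.0/16, PC 198.51.100.7."""
    cpp = [
        Rule(DROP, OUTBOUND, LOCAL, ANY, TCP, dport=25, name="CPP: block outbound SMTP"),
        Rule(FORWARD, OUTBOUND, name="Firewall Filter for VPN Client (Default)"),
    ]
    return StatefulFirewall("198.51.100.7", build_rule_table("203.0.113.10", ["10.10.0.0/16"], cpp))


if __name__ == "__main__":
    fw = build_sample_firewall()
    print(fw.evaluate(Packet(OUTBOUND, "198.51.100.7", "93.184.216.34", TCP, 51000, 443)))
    print(fw.evaluate(Packet(INBOUND, "93.184.216.34", "198.51.100.7", TCP, 443, 51000)))
    print(fw.evaluate(Packet(INBOUND, "198.51.100.99", "198.51.100.7", TCP, 40000, 445)))
```

The three packets in the demo show the default filter's behaviour from the text: outbound HTTPS is forwarded by the CPP default rule, the reply is admitted by the session table rather than by any rule, and an unsolicited inbound connection to port 445 falls through to the default drop rule. Protocols outside TCP, UDP, and ICMP (GRE, for instance) open no session, so their inbound traffic is dropped unless the administrator adds a specific filter.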

Client/Server Firewall Tab

When Client/Server is the supported policy, the Firewall tab displays the name of the firewall policy, the name of the product, the user ID, session ID, and the addresses and port numbers of the firewall servers in the private network (see Figure 5-35). Zone Labs Integrity is a Client/Server firewall solution in which the Integrity Server (IS) acts as the firewall server that pushes firewall policy to the Integrity Agent (IA) residing on the VPN Client PC. Zone Labs Integrity can also provide a centrally controlled always on personal firewall.

Figure 5-35 Client/Server Firewall Tab

Firewall Policy—This field shows that Client/Server is the supported policy.

Product—Lists the name of the Client/Server solution currently in use, such as Zone Labs Integrity Client.

User ID—In the format xx://<IP address of the VPN Concentrator>/<group name and user name>, where xx is either un or dn:

un = The gateway-based ID is based on the group and user name.

dn = The gateway-based ID is based on the distinguished name (as is the case when using digital certificates).

The User ID is used to initialize the firewall client.

Session ID—The session ID of the connection between all of the entities. This is used to initialize the firewall client and is helpful for troubleshooting.

Servers—The IP address and port number of each firewall server.

Resetting Statistics

To reset all connection statistics to zero, click Reset. There is no undo. Reset affects only the connection statistics, not the other sections of this window.

Disconnecting your VPN Client Connection

To disconnect your PC from the private network, do one of the following:

From the Connection Entries menu on the VPN Client's main window, select Disconnect. (See Figure 5-1.)

Right-click the yellow lock icon in the system tray. Click Disconnect on the menu.

Your IPSec session ends, but the VPN Client does not close automatically. If you connected through a dial-up networking (DUN) connection, you must also disconnect that connection manually.

Closing the VPN Client

To close the VPN Client when it is running on your PC but not connected to a remote network, do one of the following:

From the Connection Entries menu on the VPN Client's main window, select Exit VPN Client. (See Figure 5-1.)

Press CTRL+Q on your keyboard.

Press Alt-F4 on your keyboard.