-
VPN Client Administrator Guide, Release 4.0
-
Preface
-
Configuration Information for an Administrator
-
Preconfiguring the VPN Client for Remote Users
-
Configuring Automatic Initiation-- Windows Only
-
Using the VPN Client Command-Line Interface
-
Customizing the VPN Client Software
-
Troubleshooting and Programmer Notes
-
Windows Installer (MSI) Information
-
Index
-
Table of Contents
-
Table of Contents
Preconfiguring the VPN Client for Remote UsersProfiles
Creating a Global Profile
Global Profile Configuration Parameters
Setting Up RADIUS SDI Extended Authentication
Creating a .pcf file for a Connection Profile
Distributing Configured VPN Client Software to Remote Users
Preconfiguring the VPN Client for Remote Users
This chapter explains how to prepare configurations for remote users and how to distribute them. This chapter includes the following sections:
Profiles
Groups of configuration parameters define the connection entries that remote users use to connect to a VPN device. Together these parameters form files called profiles. There are two profiles: a global profile and an individual profile.
- A global profile sets rules for all remote users; it contains parameters for the VPN Client as a whole. The name of the global profile file is vpnclient.ini.
- Individual profiles contain the parameter settings for each connection entry and are unique to that connection entry. Individual profiles have a
.pcf extension.
Profiles get created in two ways:
1. When an administrator or a remote user creates connection entries using the VPN Client graphical user interface (Windows and Macintosh only)
2. When you create profiles using a text editor
In the first case, the remote user is also creating a file that can be edited through a text editor. You can start with a profile file generated through the GUI and edit it. This approach lets you control some parameters that are not available in the VPN Client GUI application. For example, auto-initiation or dial-up wait for third-party dialers.
The default location for individual profiles is:
This chapter explains how to create and edit the vpnclient.ini and individual profiles. Both files use the same conventions.
 |
Note The easiest way to create a profile for the Windows platforms is to run the VPN Client and use the VPN Client GUI to configure the parameters. When you have created a profile in this way, you can copy the .pcf file to a distribution disk for your remote users. This approach eliminates errors you might introduce by typing the parameters and the group password gets automatically converted to an encrypted format. |
File Format for All Profile Files
The vpnclient.ini and .pcf files follow normal Windows.ini file format:
- Use a semicolon (;) to begin a comment.
- Place section names within brackets [section name]; they are not case sensitive.
- Use key names to set values for parameters; keyword = value. Keywords without values, or unspecified keywords, use VPN Client defaults. Keywords can be in any order and are not case sensitive, although using lower and uppercase makes them more readable.
Making a Parameter Read Only
To make a parameter read-only so that the client user cannot change it within the VPN Client applications, precede the parameter name with an exclamation mark (!). This controls what the user can do within the VPN Client applications only. You cannot prevent someone from editing the global or .pcf file and removing the read-only designator.
Creating a Global Profile
The name of the global profile is vpnclient.ini. This file is located in the following directories:
These are the default locations created during installation.
Features Controlled by Global Profile
The vpnclient.ini file controls the following features on all VPN Client platforms:
- Start before logon
- Automatic disconnect upon log off
- Control of logging services by class
- Certificate enrollment
- Identity of a proxy server for routing HTTP traffic
- Identity of an application to launch upon connect
- Missing group warning message
- Logging levels for log classes
- RADIUS SDI extended authentication behavior
- GUI parameters—appearance and behavior of GUI applications
The vpnclient.ini file controls the following additional features in the Windows platform:
- Location of the Entrust.ini file
- List of GINAs that are not compatible with the VPN Client
- Auto initiation
- Setting of the Stateful Firewall option
- The method to use in adding suffixes to domain names on Windows 2000 and Windows XP platforms
- When working with a third-party dialer, time to wait after receiving an IP address before initiating an IKE tunnel
- Network proxy server for routing HTTP traffic
- Application launching
- DNS suffixes
- Force Network Login, which forces a user on Windows NT, Windows 2000, or Windows XP to log out and log back in to the network without using cached credentials
Sample vpnclient.ini file
|
Note Profiles for the VPN Client are interchangeable between platforms. Keywords that are specific to the Windows platform are ignored by other platforms. |
This sample file shows what you might see if you open it with a text editor
The rest of this section explains the parameters that can appear in the vpnclient.ini file, what they mean, and how to use them.
Global Profile Configuration Parameters
Table 2-1 lists all parameters, keywords, and values. It also includes the parameter name as used in the VPN Client GUI application if it exists, and where to configure it in the application.
Each parameter can be configured on all VPN Client platforms unless specified.
Table 2-1 vpnclient.ini file parameters
| .ini Parameter (Keyword) | VPN Client Parameter Description | Values | VPN Client GUI Configuration Location(s) |
|---|---|---|---|
|
Specifies the number of seconds to wait between receiving an IP address from a third-party dialer such as General Packet Radio Services (GPRS) before initiating an IKE tunnel. This grants enough time for the connection to go through on the first attempt. |
After the keyword and equal sign, enter the number of seconds to wait. |
||
|
Lists Graphical Identification and Authentication dynamic link libraries (GINA.DLLs) that are not compatible with Cisco's GINA. Adding a GINA to the list causes the VPN Client to leave the GINA alone during installation and use fallback mode. The VPN Client goes into fallback mode only if RunAtLogon = 1. Otherwise, the Client GINA is never installed. (See "Installing the VPN Client Without User Interaction". |
After the keyword and equal sign, enter the name(s) of the GINAs, separated by commas. For example: |
||
|
Controls the pop up window warning that occurs when a user tries to connect without setting the group name in a preshared connection. |
0= (default) Do not show the warning message. |
||
|
Specifies whether to start the VPN Client connection before users log on to their Microsoft network. Available only for the Windows NT platform (Windows NT 4.0, Windows 2000 and Windows XP). This feature is sometimes known as the NT Logon feature. |
Options > Windows Logon Properties > Enable start before logon |
||
|
Locates the entrust.ini file if it is in a location that is different from the default.ini file. The default location is the base Windows system directory. |
|||
|
Determines whether to automatically disconnect upon logging off a Windows NT platform (Windows NT 4.0, Windows 2000 and Windows XP). Disabling this parameter lets the VPN connection remain when the user logs off, allowing that user to log back in without having to establish another connection. |
Options > Windows Logon Properties > Disconnect VPN connection when logging off |
||
|
There are limitations to DialerDisconnect. For example, in the case of MS DUN, the RAS (PPP) connection might go down when the user logs off. For more information about this specific case, see the following URL: http://support.microsoft.com/support/kb/articles/Q158/9/09.asp?LN=EN-US&SD=gn&FR=0&qry=RAS%20AND%20LOGOFF&rn k=2&src=http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel4_0/admin_gd/DHCS_MSPSS_gn_SRCH&SPR=NTW40
|
|||
|
Determines whether to override log settings for the classes that use the logging services. By default, logging is turned on. This parameter lets a user disable logging without having to set the log levels to zero for each of the classes. By disabling logging you can improve the performance of the client system. |
|||
|
Determines whether the stateful firewall is always on. When enabled, the stateful firewall always on feature allows no inbound sessions from all networks, whether a VPN connection is in effect or not. Also, the firewall is active for both tunneled and nontunneled traffic. |
|||
|
Controls whether StatefulFirewall (Always On) allows ICMP traffic. Some DHCP Servers use ICMP pings to detect if the DHCP client PCs are up so that the lease can be revoked or retained. |
|||
|
Enables auto initiation, which is an automated method for establishing a wireless VPN connection in a LAN environment. For information on this feature see Configuring Automatic VPN Initiation__EMDASH__Windows Only |
|||
|
Specifies the time to wait, in minutes, before retrying auto initiation after a connection attempt failure. |
|||
|
Changes the retry interval from minutes (the default) to seconds. The range in seconds is 5-600. |
|||
|
Identifies auto initiation-related section names within the vpnclient.ini file. The vpnclient.ini file can contain a maximum of 64 auto initiation list entries. |
|||
|
Each section contains a network address, network mask, connection entry name, and a connect flag. The network and mask values identify a subnet. The connection entry identifies a connection profile (.pcf file). The connect flag specifies whether to auto initiate the connection. |
Section name in brackets |
||
|
For each class that follows, use the LogLevel= parameter to set the logging level |
|||
|
Identifies the Internet Key Exchange class for setting the logging level. |
|||
|
Identifies the Connection Manager class for setting the logging level. |
|||
|
Identifies the Extend authorization class for setting the logging level. |
|||
|
Identifies the Cisco VPN Daemon class for setting the logging level. |
|||
|
Identifies the Certificate Management class for setting the logging level. |
|||
|
Identifies the IPSec module class for setting the logging level. |
|||
|
Identifies the Command-Line Interface class for setting the logging level. |
|||
|
Identifies the Graphical User Interface class for setting the logging level. |
|||
|
Determines the log level for individual classes that use logging services. By default, the log level for all classes is |
The VPN Client supports log levels from 1 (lowest) to 15 (highest). To set logging levels, you must first enable logging: EnableLog=1. |
||
|
Required keyword to identify the Certificate Enrollment section. |
|||
|
Identifies the company or organization of the certificate owner. |
|||
|
Identifies the department or organizational unit of the certificate owner. If matching by IPSec group in a VPN 3000 Concentrator, must match the group name in the configuration. |
|||
|
Identifies the two-letter code identifying the country of this certificate owner. |
|||
|
Identifies the IP address of the system of the certificate owner. |
|||
|
Identifies the fully qualified domain name of the host that is serving the certificate owner. |
|||
|
Identifies the domain name that the certificate authority belongs to; for network enrollment. |
|||
|
Identifies the IP address or hostname of the certificate authority. |
Internet hostname or IP address in dotted decimal notation. Maximum of 129 alphanumeric characters. |
||
|
Identifies the name of the self-signed certificate issued by the certificate authority. |
Maximum of 519 alphanumeric characters. Note: The VPNClient GUI ignores a read-only setting on this parameter. |
||
|
Identifies a proxy server you can use to route HTTP traffic. Using a network proxy can help prevent intrusions into your private network. |
IP address in dotted decimal notation or domain name. Maximum of 519 alphanumeric characters. The proxy setting sometimes has a port associated with it. |
||
|
Use this parameter to allow VPN Client users to launch an application when connecting to the private network. |
|||
|
The name of the application to be launched. This variable includes the pathname to the command, and the name of the command complete with arguments. |
|||
|
Determines the way the VPN Client treats suffixes to domain names. See "DNS Suffixes and the VPN Client__EMDASH__Windows 2000 and Windows XP Only", following this table. |
0 = do nothing |
||
|
Required keyword to identify the RADIUS SDI extended authentication (XAuth) section. Configure this section to enable a VPN Client to handle Radius SDI authentication the same as native SDI authentication, which makes authentication easier for VPN Client users to authenticate using SDI. |
|||
|
Enter text up to 32 bytes in length. The default text is a question mark. |
The question appears in the GUI during extended authentication. It is followed by a Response field. |
||
|
Enter text up to 32 bytes in length. Default text is "new PIN." |
|||
|
Enter text up to 32 bytes in length. Default text is "new passcode." |
|||
|
Identifies the Force Network Login section of the vpnclient.ini file. This feature forces a user on Windows NT, Windows 2000, and Windows XP to log out and log back in to the network without using cached credentials. |
Enter exactly as shown; this is required as part of the feature. |
||
|
Note You cannot use this feature with Start Before Logon. If users are connecting via dialup (RAS), you should add the registry key described in the Microsoft article: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q158909. Adding the registry key assures that the RAS connection does not drop when the user gets logged off. |
|||
|
Specifies what action to take for the Force Network Login feature. This parameter is required for this feature. |
0 = (default) Do not force the user to log out and log in. |
||
|
Determines the number of seconds to wait before performing an action specified by the Force parameter. This parameter is optional. |
|||
|
Specifies a message to display before performing the action specified by the Force parameter. Message can vary according to setting of Force. This parameter is optional. |
|||
|
Specifies the separator text that separates banner text from the message. If no banner exists, the separator is not displayed. This parameter is optional. |
|||
|
Required keyword to identify the section of the file that lets you control features of the Graphical User Interface application. |
|||
|
Specifies the name of the connection entry for the VPN Client to use to initiate a connection, unless otherwise indicated. |
|||
|
Where the window appears horizontally relative to your monitor's screen |
|||
|
Where the window appears vertically relative to your monitor's screen |
|||
|
Tracks which tab is currently visible in the advanced mode main dialog; an index. |
|||
|
Indicates the current setting for the status bar display. The status bar is the line area at the bottom of the dialog that shows the state of the connection (connect/not connected), if connected, the name of the connection entry on the left and what the status is on the right. |
If you click on the arrow on the right end of the status bar, the right part of the status bar changes. This value records the current display selection. |
||
|
Controls whether to minimize to a system tray icon upon connection to a VPN device. |
|||
|
Controls whether to display the connection history dialog during connection negotiation. |
Main menu > Options > Preferences > Enable Connection History Display |
||
DNS Suffixes and the VPN Client—Windows 2000 and Windows XP Only
When a command or program such as ping server123 passes a hostname without a suffix to a Windows 2000 or Windows XP platform, Windows 2000/XP has to convert the name into a fully-qualified domain name (FQDN). The Windows operating system has two methods for adding suffixes to domain names: Method 1 and Method 2. This section describes these two methods.
Method 1—Primary and Connection-Specific DNS Suffixes
A primary DNS suffix is global across all adapters. A connection-specific DNS suffix is only for a specific connection (adapter), so that each connection can have a different DNS suffix.
Identifying a Primary DNS Suffix
A primary suffix comes from the computer name. To find or assign a primary DNS suffix, use the following procedure according to your operating system:
Step 1 On a Windows 2000 desktop, right click the My Computer icon, and select Properties from the menu.
The System Properties dialog displays.
Step 2 Open the Network Identification tab.
The entry next to Full Computer Name identifies the computer's name and DNS suffix on this screen, for example, SILVER-W2KP.tango.dance.com. The part after the first dot is the primary DNS suffix, in this example: tango.dance.com.
Step 3 To change the primary DNS suffix, click Properties on the Network Identification tab.
The Identification Changes dialog displays.
Step 4 Click More....
This action displays the DNS Suffix and Net BIOS Computer Name dialog. The Primary DNS suffix of this computer entry identifies the primary suffix. You can edit this entry.
Step 1 Right click My Computer, and select Properties from the menu.
The System Properties dialog displays.
Step 2 Open the Computer Name tab.
The entry next to Full Computer Name identifies the computer's name and DNS suffix on this screen (for example, SILVER-W2KP.tango.dance.com). The part after the first dot is the primary DNS suffix (in this example: tango.dance.com).
Step 3 To change the primary DNS suffix, click Change on the Computer Name tab.
The Computer Name Changes dialog displays.
Step 4 Click More....
This action displays the DNS Suffix and Net BIOS Computer Name dialog. The Primary DNS suffix of this computer entry identifies the primary suffix. You can edit this entry.
Identifying a Connection-Specific DNS Suffix
You can identify a connection-specific DNS suffix in one of two ways.
1. The connection-specific DNS value is listed as the DNS suffix for the selected connection on the Advanced TCP/IP Settings dialog.
|
Note The following instructions are for a Windows 2000 platform. There may be slight variations on a Windows XP platform. |
To display the Advanced TCP/IP Settings dialog, use the following procedure:
Step 1 Right click the My Network Places icon to display the Properties dialog, which lists your connections.
Step 2 Double-click on a connection (for example, local) to display its Properties dialog. The connection uses the checked components, such as those shown in Figure 2-1, which shows components of a connection named Local Area Connection.
Figure 2-1 Displaying Properties for a Connection
Step 3 Double-click Internet Protocol (TCP/IP) to reveal its properties.
Step 4 Select Advanced.
Step 5 Display the DNS tab and look at DNS suffix for this connection box. If the box is empty, you can have it assigned by the DHCP Server.
a. To identify the connection-specific suffix assigned by the DHCP Server, use the ipconfig /all command (Alternative 2, below) and for the DNS Server address.
2. The connection-specific DNS value is listed in the output from the ipconfig /all command, executed at the command-line prompt. Look under Windows 2000 IP Configuration for DNS Suffix Search List. Under Ethernet Adapter Connection Name, look for Connection-specific DNS Suffix.
Method 2—User Supplied DNS Suffix
For this method, you can provide specific suffixes. You can view and change suffixes in the DNS tab of the connection properties page. The Append these DNS suffixes (in order) edit box supplies the name that you can edit. The values you provide here are global to all adapters.
VPN Client Behavior
When the VPN Client establishes a VPN tunnel to the VPN central device (for example, the VPN 3000 Concentrator), the VPN Client uses Method 2 without regard for the method that the Windows platform uses. If the Windows platform is using Method 2, the VPN Client appends the suffix provided by the VPN central device. This is the default behavior and works correctly with no problem.
However if Windows is using Method 1, the VPN Client does not append the primary or connection-specific suffix. To fix this problem, you can set the AppendOriginalSuffix option in the vpnclient.ini file. In Table 2-1, the [DNS] section contains this option:
AppendOriginalSuffix Option=1:
In this case, the VPN Client appends the primary DNS suffix to the suffix provided by the VPN Concentrator. While the tunnel is established, Windows has two suffixes: one provided by the VPN Concentrator and the primary DNS suffix.
AppendOriginalSuffix Option=2:
In this case, the VPN Client appends the primary and connection-specific DNS suffixes to the suffix provided by the VPN Concentrator. While the tunnel is established, Windows has three suffixes: one provided by the VPN Concentrator, the primary DNS suffix, and the connection-specific DNS suffix.
|
Note If Windows is using Method 2, adding these values to the vpnclient.ini file has no effect. |
The VPN Client sets these values every time a tunnel is established and then restores the original configuration when tearing down the tunnel.
Setting Up RADIUS SDI Extended Authentication
You can configure the VPN Client to handle RADIUS SDI authentication the same way it handles "native" SDI authentication, which is more seamless and easier to use. With this configuration, users do not have to deal with the RSA SecurID software interface; the VPN Client software directly interfaces with the RSA SecureID software for the user.
To enable intelligent handling of RADIUS SDI authentication, you must configure one profile (.pcf) parameter and possibly three global (vpnclient.ini) parameters:
Now when the request comes in to the VPN Client, the software identifies it as a RADIUS SDI extended authentication request and knows how to process the request.
Creating Connection Profiles
The VPN Client uses parameters that must be uniquely configured for each remote user of the private network. Together these parameters make up a user profile, which is contained in a profile configuration file (.pcf file) in the VPN Client user's local file system in the following directories:
These parameters include the remote server address, IPSec group name and password, use of a log file, use of backup servers, and automatic Internet connection via Dial-Up Networking. Each connection entry has its own .pcf file. For example, if you have three connection entries, named Doc Server, Documentation, and Engineering, the Profiles directory shows the list of .pcf files.
Figure 2-2 shows the directory structure for the user profile in the Windows platforms.
Figure 2-2 List of .pcf files
Features Controlled by Connection Profiles
A connection profile (.pcf file) controls the following features on all platforms):
- Description of the connection profile
- The remote server address
- Authentication type
- Name of IPSec group containing the remote user
- Group password
- Connecting to the Internet via dial-up networking
- Name of remote user
- Remote user's password
- Backup servers
- Split DNS
- Type of dial-up networking connection
- Transparent tunneling
- TCP tunneling port
- Allowing of local LAN access
- Enabling of IKE and ESP keepalives
- Setting of peer response time-out
- Certificate parameters for a certificate connection
- Setting of certificate chain
- Diffie-Hellman group
- Verification of the DN of a peer certificate
- RADIUS SDI extended authentication setting
- Use of SDI hardware token setting
- Split DNS setting
- Use legacy IKE port setting
A connection profile (.pcf file) controls the following additional features on the Windows platform:
- Dial-Up networking phone book entry for Microsoft
- Command string for connecting through an ISP
- NT domain
- Logging on to Microsoft Network and credentials
- Change the default IKE port from 500/4500 (must be explicitly added)
- Enable Force Network Login, which forces a user on Windows NT, Windows 2000, and Windows XP to log out and then log back in to the network without using cached credentials
Sample .pcf file
|
Note Connection profiles for the VPN Client are interchangeable between platforms. Keywords that are specific to the Windows platform are ignored by other platforms. |
When you open the Doc Server.pcf file, it looks like the example below. This is a connection entry that uses preshared keys. Note that the enc_ prefix (for example, enc_GroupPwd) indicates that the value for that parameter is encrypted.