This chapter explains how to configure the VPN Client.
To configure the VPN Client, you enter values for a set of parameters known as a connection entry. The VPN Client uses a connection entry to identify and connect securely to a specific private network.
Parameters include a name and description for the connection, the name or address of the VPN device (remote server), and information that identifies you to the VPN device.
Note: If your system administrator has completely preconfigured your connection entry, you can skip this chapter and go directly to "Connecting to a Private Network."
This chapter explains the following configuration tasks:
The VPN Client comes with a complete, context-sensitive, browser-based help system. You can display help in the following ways:
To display the version number of the software release you are currently using, follow these steps:
Step 1 Click the icon in the title bar. (See Figure 3-3 .)
The VPN Client displays a menu.
Step 2 Click About VPN Client on the menu displayed.
The VPN Client displays the version you are currently using. (See Figure 3-4.)
Step 3 After viewing the version number, click OK.

When you are connected, you can display the software version by clicking About... on the menu you display by right clicking the Dialer icon in the system tray.

To use the VPN Client, you must create at least one connection entry, which identifies the following information:
You can create multiple connection entries if you use your VPN Client to connect to multiple networks (though not simultaneously) or if you belong to more than one VPN remote access group.
For connection entry parameters, refer to "Gathering Information You Need".
Start the VPN Client by choosing Start > Programs > Cisco Systems VPN Client > VPN Dialer.

The VPN Dialer application starts and displays its main dialog box. (See Figure 3-7.)

Step 1 At the main dialog, click New.
The first New Connection Entry Wizard dialog box appears. (See Figure 3-8.)

Step 2 Enter a unique name for this new connection. You can use any name to identify this connection; for example, Engineering. This name can contain spaces, and it is not case-sensitive.
Step 3 Enter a description of this connection. This field is optional, but it helps further identify this connection. For example, Connection to Engineering remote server.
Step 4 Click Next.
The second New Connection Entry Wizard dialog box appears. (See Figure 3-9.)

Step 5 Enter the hostname or IP address of the remote VPN device you want to access, and click Next.
The third New Connection Entry Wizard dialog box appears. (See Figure 3-10.)
You can connect as part of a group (configured on a VPN device) or by supplying an identity digital certificate.
For group authentication, perform the following procedure: (See Figure 3-10.)

Step 1 In the Name field, enter the name of the IPSec group to which you belong. This entry is case-sensitive.
Step 2 In the Password field, enter the password (which is also case-sensitive) for your IPSec group. The field displays only asterisks.
Step 3 Verify your password by entering it again in the Confirm Password field.
Step 4 To continue, click Next.
For certificate authentication, perform the following procedure, which varies according to the type of certificate you are using:
Step 1 Click the Certificates radio button.
Step 2 Choose the name of the certificate you are using from the pull-down menu. (See Figure 3-11.)
If the field says No Certificates Installed and is shaded, then you must first enroll for a certificate before you can use this feature. For information on enrolling for a certificate, see "Enrolling and Managing Certificates." Or, consult your network administrator.

To send CA certificate chains, click Send CA Certificate Chain. This parameter is disabled by default.
The CA certificate chain includes all CA certificates in the hierarchy from the root certificate, which must be installed on the VPN Client, down to the identity certificate. This feature enables a peer VPN Concentrator that shares the same root certificate to trust the VPN Client's identity certificate without having all of the same subordinate CA certificates installed.
1. On the VPN Client, you have this chain in the certificate hierarchy:
2. On the VPN Concentrator, you have this chain in the certificate hierarchy:
3. Though the identity certificates are issued by different CA certificates, the VPN Concentrator can still trust the VPN Client's identity certificate, since it has received the chain of certificates installed on the VPN Client PC.
This feature provides flexibility since the intermediate CA certificates don't need to be actually installed on the peer.
Note: Certificate chains are not supported for Entrust Entelligence. Therefore the Send CA Certificate Chain checkbox on the Authentication tab is unchecked and disabled when you select Entelligence Certificate.
Optionally, you can verify that the certificate you are using is still valid, using the following procedure:
Step 1 To verify the validity of a certificate, click Validate Certificate...
The VPN Dialer might prompt for the password that secures the certificate. If so, enter the password.
You receive a report letting you know whether the certificate is valid. If the password is not valid, you need to try again. If you do not know the password, see your system administrator. An identity certificate has a public and private key, and a time period within which it is valid. Make sure the certificate is valid before you continue.
Step 2 After you have verified that the certificate is valid, click Next.
If you have an Entrust Entelligence certificate enrolled, the pull-down menu includes the entry "Entelligence Certificate (Entrust)." (See Figure 3-12.)

An Entrust Entelligence certificate is stored in a Profile, which you obtain when you log in to Entrust Entelligence.
Choose Entelligence Certificate (Entrust) from the pull-down menu and click Next.
For more information about connecting with Entrust Entelligence, see "Connecting with an Entrust Certificate."
If you are using a smart card or electronic token to authenticate a connection, create a connection entry that defines the certificate provided by the smart card. For example, if you are using ActivCard Gold, an accompanying certificate is in the Microsoft Certificate Store. When you create a new connection entry for using the smart card, select that certificate. (See Figure 3-13.)

The VPN Client supports authentication with digital certificates through a smart card or an electronic token. There are several vendors that provide smart cards and tokens, including the following:
| Vendor | Software and Version | Card/Token Tested | Vendor Web site |
|---|---|---|---|
| GemPLUS | GemSAFE Workstation 2.0 or later | GEM195 | www.gemplus.com |
| Activcard | Activcard Gold version 2.0.1 or later | Palmera 32K | www.activcard.com |
| Aladdin | eToken Runtime Environment (RTE) version 2.6 or later | PRO and R2 tokens | www.ealaddin.com |
The VPN Client works only with smart cards and tokens that support CRYPT_NOHASHOID.
After you enter authentication information and click Next, the fourth New Connection Entry Wizard dialog box appears. (See Figure 3-14.)

To complete the connection entry configuration, use the following procedure.
Step 1 Review the connection entry name. If you want to change any previous entries, click Back until you get to the desired dialog box.
Step 2 To complete your entry, click Finish.
The final New Connection Entry Wizard dialog box closes. Your new connection entry now appears in the Connection Entry drop-down list on the VPN Client's main dialog box.
If you need to configure optional connection entry parameters or change parameters for an existing connection entry, continue to the next section.
Otherwise, you can skip to "Connecting to a Private Network."
To change parameters or to set optional parameters for an existing connection entry, follow these steps:
Step 1 In the VPN Client's main dialog box, click the Connection Entry drop-down menu button and choose the entry you want to configure.
Step 2 Then click Options and choose Properties from the menu. (See Figure 3-15.)

The Properties dialog box appears. The fields in this dialog box differ according to the operating system you are using.


Step 3 Click the tab for the parameters you want to change:
See the appropriate section of this chapter for each tab and parameter.
Step 4 When you have finished setting parameters, click OK. The Properties dialog box closes and the VPN Dialer saves your changes.
To discard your changes, click Cancel. The Properties dialog box closes and discards all changes.
The Properties > General tab lets you set general parameters for this connection entry. (See Figure 3-17.)
To change the description of this connection entry, enter or edit the description field. This field is optional, but it can help you identify this connection.
Transparent tunneling allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall, which may also be performing Network Address Translation (NAT) or Port Address Translation (PAT). Transparent tunneling encapsulates Protocol 50 (ESP) traffic within UDP packets, or can encapsulate both IKE (UDP 500) and Protocol 50 in TCP packets, before they are sent through the NAT or PAT devices and/or firewalls. The most common application for transparent tunneling is behind a home router performing PAT.
The VPN Client also sends keepalives frequently, ensuring that the mappings on the devices are kept active.
Not all devices support multiple simultaneous connections behind them. Some cannot map additional sessions to unique source ports. Be sure to check with your device's vendor to verify whether this limitation exists. Some vendors support Protocol-50 (ESP) Port Address Translation, which might let you operate without enabling transparent tunneling.
To use transparent tunneling, the central-site group in the Cisco VPN device must be configured to support it. For an example, refer to the VPN 3000 Concentrator Manager, Configuration | User Management | Groups | IPSec tab (refer to VPN 3000 Series Concentrator Reference Volume 1: Configuration or Help in the VPN 3000 Concentrator Manager browser).
This parameter is enabled by default. To disable this parameter, clear the check. We recommend that you always keep this parameter checked.
Then select a mode of transparent tunneling, over UDP or over TCP. The mode you use must match the mode used by the secure gateway to which you are connecting. Either mode operates properly through a PAT device. Multiple simultaneous connections might work better with TCP, and in an extranet environment TCP mode is generally preferable. UDP does not operate through stateful firewalls, so in that case you should use TCP.
To enable Allow IP over UDP, click the radio button. With UDP, the port number is negotiated. UDP is the default mode.
To enable Use IPSec over TCP, click the radio button. When using TCP, you must also enter the port number for TCP in the TCP port field. This port number must match the port number configured on the secure gateway. The default port number is 10000.
Note: When using the VPN Client behind an ESP-aware NAT/Firewall, the port on the NAT/Firewall device may be closed due to the VPN Client's keepalive implementation, called DPD (Dead Peer Detection). When a client is idle, it does not send a keepalive until it sends data and gets no response. To allow the VPN Client to work through ESP-aware NAT/Firewalls, add the ForceKeepAlives parameter to the *.pcf (profile configuration file) for the affected connection profile. This parameter enables IKE and ESP keepalives for the connection at approximately 20 second intervals. Use the following syntax when adding this parameter to the [Main] section of any *.pcf file:

ForceKeepAlives=1

For more information, see "Connection Profile Configuration Parameters" in the VPN Client Administrator Guide.
To enable this feature, check Allow Local LAN Access; to disable it, clear the check mark from the box. If the local LAN you are using is not secure, you should disable this feature. For example, you would disable this feature when you are using a local LAN in a hotel or airport.
A network administrator at the central site configures a list of networks at the Client side that you can access. You can access up to 10 networks when this feature is enabled. When Allow Local LAN Access is enabled and you are connected to a central site, all traffic from your system goes through the IPSec tunnel except traffic to the networks excluded from doing so (in the network list).
When this feature is enabled and configured on the VPN Client and permitted on the central-site VPN device, you can see a list of the local LANs available by looking on the Statistics tab on the Connection Status dialog box. (See Figure 3-18.)
Note: This feature works only on one NIC card, the same NIC card as the tunnel.

The Local LAN routes section on the Connection Status dialog box lists the IP address and subnet mask of each available network. The Src Port and Dst Port fields are not currently used.
Note: While connected, you cannot print or browse the local LAN by name; when disconnected, you can print and browse by name. For more information on this limitation, refer to the VPN Client Administrator Guide, Chapter 1.
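As an added example (not code from the Cisco guide), the following Python script parses the [Main] section of a *.pcf profile, flags the settings discussed in the transparent tunneling and local LAN access sections above, and inserts ForceKeepAlives=1 the way the note on ESP-aware NAT/firewalls describes. Only ForceKeepAlives is documented on this page; the other parameter names (Host, GroupName, EnableNat, TunnelingMode, TcpTunnelingPort, PeerTimeout, EnableLocalLAN) are taken from the VPN Client profile format and are not described here, and the sample profile is constructed.

```python
"""Audit and repair the [Main] section of a VPN Client .pcf profile."""
import configparser

# Constructed sample profile. Parameter names other than ForceKeepAlives are
# assumed from the VPN Client .pcf layout; values are made up for the example.
SAMPLE_PCF = """\
[main]
Description=Connection to Engineering remote server
Host=vpn.example.com
GroupName=Engineering
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
PeerTimeout=90
EnableLocalLAN=1
"""


def parse_main(text):
    """Return the [Main] section as a dict of key -> value.

    The section name is matched case-insensitively, since profiles are
    written with either [main] or [Main]; key spelling is preserved."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the key names exactly as written
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "main":
            return dict(cp.items(section))
    raise ValueError("no [Main] section in profile")


def _lookup(main, key):
    """Case-insensitive key lookup; returns None when the key is absent."""
    for k, v in main.items():
        if k.lower() == key.lower():
            return v
    return None


def audit_profile(text):
    """Report settings this chapter calls out as risky or fragile."""
    main = parse_main(text)
    findings = []
    if _lookup(main, "EnableNat") == "0":
        findings.append("transparent tunneling disabled; keep it enabled")
    if _lookup(main, "ForceKeepAlives") != "1":
        findings.append("ForceKeepAlives not set; ESP-aware NAT/firewall may close the port")
    if _lookup(main, "TunnelingMode") == "1" and not _lookup(main, "TcpTunnelingPort"):
        findings.append("IPSec over TCP selected without a TCP port")
    if _lookup(main, "EnableLocalLAN") == "1":
        findings.append("local LAN access enabled; disable on untrusted LANs (hotel, airport)")
    return findings


def force_keepalives(text):
    """Set ForceKeepAlives=1 in [Main], adding the line if it is missing.

    Other lines are passed through untouched so the profile stays intact."""
    out, in_main, done = [], False, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_main and not done:   # leaving [Main] without having seen the key
                out.append("ForceKeepAlives=1")
                done = True
            in_main = stripped[1:-1].lower() == "main"
        elif in_main and stripped.lower().startswith("forcekeepalives="):
            line, done = "ForceKeepAlives=1", True
        out.append(line)
    if in_main and not done:           # [Main] was the last section
        out.append("ForceKeepAlives=1")
    return "\n".join(out) + "\n"
```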
To adjust the peer response timeout, enter the number of seconds in the Peer response timeout field.
The VPN Client continues to send DPD requests every 5 seconds, until it reaches the number of seconds specified by the Peer response timeout value.
The Logon to Microsoft Network parameter registers your PC on the private Microsoft network and lets you browse and use network resources after the VPN Client establishes a secure connection. This parameter is enabled by default.
To disable this parameter, clear the check.
Note: This parameter appears only on VPN Clients installed on systems running Windows 95, Windows 98, and Windows ME. For information on logging on to Windows NT and Windows 2000 systems, see the section "Starting a Connection Before Logging on to a Windows NT Platform."
If you do not need or do not have privileges for Microsoft Windows resources on the private network, disable this parameter. For example, if you require only FTP access to the private network, you could disable this parameter.
If you enable this parameter, click one of the radio buttons to choose the logon process:
When you are done with the General tab, click OK or click another tab.
The Properties > Authentication tab (see Figure 3-19) lets you change the name or password of the IPSec group to which you are assigned. Your group determines your access to, and use of, the remote network. The group name and password are essential parameters in authenticating you as a user of the remote network.
If you want to choose a different certificate, you also use this screen.

You usually specify a group name and group password when you create a connection entry. However, you can use the Authentication tab to change a group name or group password if your system administrator so instructs you; or to enter the group name and password if the connection entry does not already have them.
In the Name field, enter or edit the group name. This entry is case-sensitive.
In the Password field, enter or edit the group password. This entry is case-sensitive. The field displays only asterisks. Verify your password by entering it again in the Confirm Password field.
If either field is empty when you leave this dialog box, the VPN Client reminds you to enter missing group information. (See Figure 3-20.) To proceed, click Yes, or to terminate, click No.

When you are done with the Authentication tab, click OK or click another tab.
To choose a different certificate, check the Certificate radio button, then click the drop-down menu of certificates installed on your PC and choose one. (See Figure 3-21.)

When you are done with the Authentication tab, click OK or click another tab.
The Properties > Connections tab (shown in Figure 3-22) lets you set parameters that govern how you connect to the private network. You can enable and configure backup server connections, and automatically launch a dial-up networking application to connect to the Internet.

The private network may include one or more backup VPN devices (servers) to use if the primary server is not available. Your system administrator tells you whether to enable a backup server and gives you its address. Refer to your entries in the "Gathering Information You Need".
To enable backup servers, perform the following steps:
Step 1 Check Enable backup server(s). This is not checked by default.
Step 2 Click Add to enter its address.
The Backup Server Information dialog box appears. (See Figure 3-23.)

Step 3 Enter the hostname or IP address of the backup server. Use a maximum of 255 characters.
Step 4 Click OK.
The hostname or IP address appears in the Enable backup server(s) list. (See Figure 3-22.)
Step 5 To add more backup devices, repeat Steps 2, 3, and 4.
To remove a server from the backup list, choose the server from the list and click Remove. There is no confirmation or undo. The server name no longer appears in the list.
To reorder the servers in the list, choose a server and click Move Up to increase the server's priority or Move Down to decrease the server's priority.
You can disable using backup servers without removing backup servers from the list.
To disable using backup servers, clear the Enable backup server(s) check.
To connect to a private network using a dial-up connection, perform the following two steps:
Step 1 Use a dial-up connection to your Internet service provider (ISP) to connect to the Internet.
Step 2 Use the VPN Client to connect to the private network through the Internet.
To enable and configure this feature, check Connect to the Internet via dial-up. This is not checked by default. (See Figure 3-24.)
You can connect to the Internet using the VPN Dialer application in two different ways:
If you have DUN phonebook entries and have enabled Connect to the Internet via dial-up, Microsoft Dial-up Networking is enabled by default. To link a VPN Client connection entry to a Dial-Up Networking phonebook entry, perform the following steps:
Step 1 Click Microsoft Dial-up Networking (if it is not already enabled).
Step 2 To link your VPN Client connection entry to a DUN entry, click the down arrow next to the Phonebook entry field and choose an entry from the drop-down menu.
The VPN Client then uses this DUN entry to automatically dial into the Microsoft network before making the VPN connection to the private network.
If you have no DUN phonebook entries and have enabled Connect to the Internet via dial-up, then Third party dial-up application is enabled by default.
To connect to the Internet using a third party dial-up program, follow these steps:
Step 1 Click Third party dial-up application, if it is not already enabled.
Step 2 Use Browse to enter the name of the program in the Application field. This application launches the connection to the Internet.
The string you choose or enter here is the pathname of the command that starts the application, followed by any arguments the command needs; for example: c:\isp\ispdialer.exe dialEngineering. Your network administrator may have set this up for you. If not, consult your network administrator.
To change the address of the VPN device in a connection entry, and to make the change temporary or permanent, follow these steps:
Step 1 On the VPN Client main dialog box shown in Figure 3-25, click the Connection Entry drop-down menu button and choose the entry, if it is not already displayed.

Step 2 Edit the address in the Host name or IP address of remote server field.
Step 3 Click Connect. The VPN Client displays a confirmation dialog box. (See Figure 3-26.)

Step 4 Click one of the following:
To use this address for the current session only, click No. The VPN Client begins connecting to the VPN device, but it does not save the change you have made to the connection entry.
To permanently change the address for this connection entry, click Yes. The VPN Client begins connecting to the VPN device, and it saves the new address with the connection entry.
For an explanation of the connection process, see "Connection Procedure".
Posted: Wed Sep 25 04:03:19 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.