This chapter explains how to connect to a private network with the VPN Client.
We assume you have configured at least one VPN Client connection entry as described in "Configuring the VPN Client." To connect to a private network, you also need the following information:
Refer to your entries in "Gathering Information You Need" as you complete the steps described here. This chapter includes the following sections:
Step 1 To start the VPN Dialer application, choose Start > Programs > Cisco Systems VPN Client > VPN Dialer.
The VPN Dialer displays the VPN Client's main dialog box. (See Figure 4-1.)

Step 2 If necessary, click the Connection Entry drop-down menu and choose the desired connection entry.
To connect to a private network, perform the following steps:
Step 1 Connect to the Internet, if necessary.
Step 2 Connect to the private network through the Internet.
This section describes how to connect to the Internet via Dial-Up Networking by running only the VPN Client. Your connection entry must be configured with Connect to the Internet via Dial-Up Networking enabled; see "Configuring the VPN Client".
Step 1 Click Connect on the VPN Client's main dialog box. (See Figure 4-1.)
If your credentials are not stored in the RAS database, the Dial-up Networking User Information dialog box appears. (See Figure 4-2.) This dialog box varies depending on the version of Windows you are using.

Step 2 Enter your username and password to access your ISP. These entries may be case-sensitive. The Password field displays only asterisks.
Step 3 Click OK.
You see the Connection History dialog box. (See Figure 4-3.)

When the ISP connection is established, a Dial-Up Networking icon appears in the system tray on the Windows task bar. (See Figure 4-4.)

This section assumes you are connected to the Internet. If you connect using Dial-Up Networking, verify that its icon is visible in the Windows task bar system tray. (See Figure 4-4.) If not, your Dial-Up Networking connection is not active and you need to establish it before continuing.
If you did not do so earlier, click Connect on the VPN Client's main dialog box. (See Figure 4-1.)
The VPN Client starts tunnel negotiation and displays the Connection History dialog box. (See Figure 4-5.)

The next phase in tunnel negotiation is user authentication.
User authentication means proving that you are a valid user of this private network. User authentication is optional. Your administrator determines whether it is required.
The VPN Client displays a user authentication dialog box that differs according to the authentication that your IPSec group uses. Your system administrator tells you which method to use.
To continue, refer to your entries in "Gathering Information You Need" and go to the appropriate authentication section that follows.
To display the user authentication dialog box, perform the following steps. The title bar identifies the connection entry name.

Step 1 In the Username field, enter your username. This entry is case-sensitive.
Step 2 In the Password field, enter your password. This entry is case-sensitive. The field displays only asterisks.
Step 3 Click OK.
Proceed to the section "Completing the Private Network Connection."
To display the Windows NT Domain user authentication dialog box, perform the following steps. The title bar identifies the connection entry name.

Step 1 In the Username field, enter your username. This entry is case-sensitive.
Step 2 In the Password field, enter your password. This entry is case-sensitive. The field displays only asterisks.
Step 3 In the Domain field, enter your Windows NT Domain name, if it is not already there.
Step 4 Click OK.
Skip to "Completing the Private Network Connection."
Your network administrator may have configured your group for RADIUS with Expiry authentication on the VPN 3000 Concentrator. If this feature is in effect and your password has expired, a dialog box prompts you to enter and confirm a new password.
After you have tried unsuccessfully to log in three times, you might receive one of the following login messages:
RSA (formerly SDI) SecurID authentication methods include physical SecurID cards and keychain fobs, and PC software called SoftID. SecurID cards also vary: with some cards, the passcode is a combination of a PIN and a cardcode; with others, you enter a PIN on the card and it displays a passcode. Ask your system administrator for the correct procedure.
Authentication via these methods also varies slightly for different operating systems. If you use an RSA method, the VPN Client displays the appropriate RSA user authentication dialog box. The title bar identifies the connection entry name.
To display an authentication dialog box asking for your username and passcode, perform the following steps. (See Figure 4-8.) If you are using SoftID, it must be running on your PC.

Step 1 In the Username field, enter your username. This entry is case-sensitive.
Step 3 After entering the code, click OK.
If you are using SoftID under Windows NT, the VPN Client displays an authentication dialog box asking for your username and PIN. (See Figure 4-9.)

Step 1 In the Username field, enter your username. This entry is case-sensitive.
Step 3 After entering the PIN, click OK.
The first time you authenticate using SecurID or SoftID (all operating systems), or if you are using a new SecurID card, and if the RSA administrator allows you to create your own PIN, the authentication program asks if you want to create your own PIN. (See Figure 4-10.)

Step 1 Enter your response y for yes or n for no. No is the default response. Then, click OK. What happens next depends on your response.


Step 2 To receive a PIN, you must respond y for yes and then click OK. When you do, the authentication program generates a PIN for you and displays it. (See Figure 4-13.) Be sure to remember your PIN.

Step 3 To continue, click OK.
Sometimes SecurID authentication prompts you to enter the next cardcode from your token card, as in Figure 4-14. SecurID displays this prompt either to resynchronize the token card with the RSA server, or because it noticed several unsuccessful attempts to authenticate with this username.
The SecurID Next Cardcode Mode dialog box might appear. (See Figure 4-14.)

In the Passcode field, enter the next code from your token card. This field requires only a cardcode. Do not include your PIN as part of the passcode.
Now continue to "Completing the Private Network Connection."
Before you can create a connection entry that uses a digital certificate, you must have already enrolled in a Public Key Infrastructure (PKI), received approval from the Certificate Authority (CA), and have one or more certificates installed on your system. If this is not the case, you need to obtain a digital certificate. In many cases, the network administrator of your organization can provide you with a certificate. If not, you can obtain one by enrolling with a PKI directly using the Certificate Manager application, or you can obtain an Entrust profile through Entrust Entelligence™. Currently, we support the following PKIs:
The websites listed in parentheses in this list contain information about the digital certificates that each PKI provides. The easiest way to enroll in a PKI or import a certificate is to use the Certificate Manager (see "Enrolling and Managing Certificates") or Entrust Entelligence (see Entrust documentation).
What happens when you press Connect can depend on the level of private key protection on your certificate. If your certificate is password protected, you are prompted to enter the password.
This section provides important information about what to expect when connecting with an Entrust certificate under certain conditions.
If you are not already logged in, you must log in to Entrust Entelligence to access your Entrust Entelligence certificate profile, using the following procedure:
After you choose Connect on the VPN Client main dialog box, the Entrust logon dialog box appears. (See Figure 4-15.)

Step 1 Choose a profile name from the pull-down menu.
Your network administrator has previously configured one or more profiles for you through Entrust Entelligence. If the software is installed on your system but there are no profiles available, then you need to get a profile from your network administrator or directly through Entrust. Refer to Entrust Entelligence Quick Start Guide for instructions on obtaining a profile. The VPN Client Administrator Guide contains supplementary configuration information.
Step 2 After choosing a profile, enter your Entrust password.
Check the Work offline field to use Entrust Entelligence without connecting to the Entrust PKI. If Work offline is checked and you press OK, the Entrust wizard displays the message shown in Figure 4-16.

You can ignore this message. Since you are connecting to your organization's private network using an existing certificate profile, you are not interacting with the Entrust PKI. If you see this message, click OK to continue.
Step 3 After completing the Entrust Login dialog box (see Figure 4-15), click OK.
You may receive a security warning message from Entrust. This warning occurs, for example, when an application attempts to access your Entelligence profile for the first time or when you are logging in after a VPN Client software update. The message happens because Entrust wants to verify that it is acceptable for the VPN Client to access your Entrust profile.

Step 4 At the warning message, click Yes to continue.
You can now use your Entrust certificate for authenticating your new connection entry.
If you have a secure connection and you see a padlock next to the Entelligence icon in the Windows system tray, Entelligence has timed out. However, you have not lost your connection. If you see the Entelligence icon with an X next to it, you are logged out of Entrust and you did not have a secure connection initially. To make a new connection, start from the beginning (see "Accessing Your Profile").
Entrust SignOn™ is an optional Entrust application that lets you use one login and password to access Microsoft Windows and Entrust applications. This application is similar to Start Before Logon, which is a VPN Client feature that enables you to dial in before logging on to Windows NT. For information about Start Before Logon, see "Starting a Connection Before Logging on to a Windows NT Platform".
If you want to use these two features together, you should make sure you have installed Entrust Entelligence with the Entrust SignOn module before installing the VPN Client. For information about installing Entrust SignOn, refer to Entrust documentation and the VPN Client Administrator Guide, Chapter 1.
To use these two features together, follow these steps:
Step 1 Start your system.
When the SignOn option is installed, Entrust displays its own Ctrl Alt Delete dialog box.
Step 2 Click Ctrl Alt Delete.
The Entrust Options dialog box and the VPN Dialer login dialog box both pop up. The VPN Dialer dialog box is active.
Step 3 To start your VPN connection, click Connect on the VPN Dialer main dialog box.
The Entrust login dialog box becomes active.
Step 4 To log in to your Entrust profile, enter your Entrust password.
The VPN Dialer password prompt dialog box becomes active.
Step 5 Enter your VPN dialer username and password.
The VPN Client authenticates your credentials and optionally displays a banner and/or a notification. Respond to the banner or notification as required. Then the Windows NT logon dialog box is active.
Step 6 To complete the connection, enter your Windows NT logon credentials in the Windows logon dialog box and you are done.
The VPN Client supports authentication with digital certificates through a smart card or electronic token. There are several vendors that provide smart cards and tokens. For an up-to-date list of those that the VPN Client currently supports, see "Smart Cards Supported". Smart card support is provided through Microsoft Cryptographic API (MS CAPI). Any CryptoService provider you use must support signing with CRYPT_NOHASHOID.
Once you or your network administrator has configured a connection entry that uses a Microsoft certificate provided by a smart card, you must insert the smart card into the receptor. When you start your connection, you are prompted to enter a password or PIN, depending on the vendor. For example, Figure 4-18 shows the authentication prompt from ActivCard Gold.

In the above example, you would type your PIN code in the Enter PIN code field and click OK.
The next example shows how to log in to eToken from Aladdin. You select the token in the eToken Name column, type a password in the User Password field, and click OK.

Note: If your smart card or token is not inserted, the authentication program displays an error message. If this occurs, insert your smart card or token and try again.
After completing the user authentication phase, the VPN Client continues negotiating security parameters and displays a dialog box. (See Figure 4-20.) The title bar identifies the remote Cisco VPN device to which you are connecting.

If the network administrator of the Cisco VPN device has created a client banner, you see a message designated for all clients connecting to that device; for example, The Documentation Server will be down for routine maintenance on Sunday.
After you complete your connection, the VPN Client minimizes to an icon in the system tray on the Windows task bar.
You are now connected securely to the private network via a tunnel through the Internet, and you can access the private network as if you were an onsite user.
The VPN Client icon on the task bar lets you view the status of your private network connection.
The VPN Client Connection Status dialog box appears. The dialog contains three tabs:
The General tab on the Connection Status dialog box provides IP security information, listing the IPSec parameters that govern the use of this VPN tunnel to the private network.

The parameters are the following:

The Secured Routes section lists the IPSec Security Associations (SAs).
In Figure 4-22 under Secured Routes, the columns show the following types of information:
The Statistics tab also displays the time in days, hours, minutes and seconds, that has elapsed since you initiated the connection.
The Firewall tab displays information about the VPN Client's firewall configuration.
The VPN Concentrator's network manager sets up the firewall policy under Configuration | User Management | Base Group or Group | Client FW tab. There are three options:
Note: CPP affects Internet traffic only. Traffic across the tunnel is unaffected by its policy rules. If you are operating in tunnel-everything mode, enabling CPP has no effect.
The information shown on this tab varies according to your firewall policy.

CPP is a stateful firewall policy that is defined on and controlled from the VPN Concentrator. It can add protection for the VPN Client PC and private network from intrusion when split tunneling is in use. For CPP, the Firewall tab shows you the firewall rules in effect (see Figure 4-24, Firewall Tab for CPP).

This status screen lists the following information:
Firewall Policy: The policy established on the VPN Concentrator for this VPN Client.
Product: Lists the name of the firewall currently in use, such as Cisco Integrated Client, Zone Alarm Pro, and so on.
CPP rules (defined on the VPN Concentrator) are only for nontunneled traffic and appear next in the table. For information on configuring filters and rules for CPP, see VPN Client Administrator Guide, Chapter 1. A default rule "Firewall Filter for VPN Client (Default)" on the VPN Concentrator lets the VPN Client send any data out, but permits return traffic in response only to outbound traffic.
Finally, there are two rules listed at the bottom of the table. These rules, defined on the VPN Concentrator, specify the filter's default action, either drop or forward. If not changed, the default action is drop. These rules are used only if the traffic does not match any of the preceding rules in the table.
Note: The Cisco Integrated Client firewall is stateful in nature, where the protocols TCP, UDP, and ICMP allow inbound responses to outbound packets. For exceptions, refer to VPN Client Administrator Guide, Chapter 1. If you want to allow inbound responses to outbound packets for other protocols, such as HTTP, a network administrator must define specific filters on the VPN Concentrator.
You can move the bars on the column headings at the top of the box to expand their size; for example, to display the complete words Action and Direction rather than Act or Dir. However, each time you exit from the display and then open this status tab again, you must expand the columns again. Default rules on the VPN Concentrator (drop any inbound and drop any outbound) are always at the bottom of the list. These two rules act as a safety net and are in effect only when traffic does not match any of the rules higher in the hierarchy.
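The ordering described above (stateful replies for TCP/UDP/ICMP first, then the Concentrator's rules top to bottom, then the two drop rules as a safety net, with tunneled traffic never touched) is modelled in the following added example. It is not code from the Cisco VPN Client or the guide; it assumes a flow is tracked by its 5-tuple (the product's real state table is not described on this page) and also shows how an administrator-defined inbound rule would admit a non-stateful protocol.

```python
from dataclasses import dataclass

# Protocols for which the Cisco Integrated Client keeps state (from the Note above):
# inbound packets are allowed only as answers to outbound ones. The 5-tuple flow key
# is an assumption of this example, not the product's documented state table.
STATEFUL_PROTOCOLS = {"tcp", "udp", "icmp"}


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the Internet) or "out" (from the client PC)
    proto: str              # "tcp", "udp", "icmp", or any other protocol name
    src: str
    sport: int
    dst: str
    dport: int
    tunneled: bool = False  # True if the packet travels inside the IPSec tunnel


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "forward" or "drop"
    direction: str          # "in" or "out"
    proto: str = "any"      # "any" or a protocol name

    def matches(self, pkt: Packet) -> bool:
        return pkt.direction == self.direction and self.proto in ("any", pkt.proto)


# The Concentrator's default filter: the PC may send anything out; nothing else is listed.
DEFAULT_FILTER = [Rule("Firewall Filter for VPN Client (Default)", "forward", "out")]
# The two safety-net rules the Concentrator always places at the bottom of the table.
SAFETY_NET = [Rule("Default inbound", "drop", "in"), Rule("Default outbound", "drop", "out")]


class CppFirewall:
    def __init__(self, rules=DEFAULT_FILTER):
        self.rules = list(rules) + SAFETY_NET   # ordered table, first match wins
        self.flows = set()                       # 5-tuples opened by forwarded outbound packets

    def decide(self, pkt: Packet) -> str:
        if pkt.tunneled:                         # CPP governs Internet traffic only
            return "forward"
        if pkt.direction == "in" and pkt.proto in STATEFUL_PROTOCOLS:
            reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reply_of in self.flows:
                return "forward"                 # answer to something the PC sent
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "forward" and pkt.direction == "out" and pkt.proto in STATEFUL_PROTOCOLS:
                    self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return "drop"                            # not reached: the safety net matches both directions


def decide_all(firewall: CppFirewall, packets) -> list:
    """Run a constructed packet sequence through the table and return each verdict."""
    return [firewall.decide(p) for p in packets]


# Constructed sample traffic: a web request and its reply, an unsolicited SSH probe,
# the same probe arriving through the tunnel, and a GRE exchange (not stateful).
SAMPLE = [
    Packet("out", "tcp", "10.0.0.5", 40000, "203.0.113.7", 443),
    Packet("in", "tcp", "203.0.113.7", 443, "10.0.0.5", 40000),
    Packet("in", "tcp", "203.0.113.9", 22, "10.0.0.5", 22),
    Packet("in", "tcp", "203.0.113.9", 22, "10.0.0.5", 22, tunneled=True),
    Packet("out", "gre", "10.0.0.5", 0, "203.0.113.7", 0),
    Packet("in", "gre", "203.0.113.7", 0, "10.0.0.5", 0),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, decide_all(CppFirewall(), SAMPLE)):
        print(f"{pkt.direction:3} {pkt.proto:4} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```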
To display the fields of a specific rule, click on the first column and observe the fields in the next area below the list of rules. For example, the window section underneath the rules in Figure 4-24 displays the fields for the rule that is highlighted in the list.
A firewall rule includes the following fields:
When Client/Server is the supported policy, the Firewall tab displays the name of the firewall policy, the name of the product, the user ID, the session ID, and the addresses and port numbers of the firewall servers in the private network (see Figure 4-25). Zone Labs Integrity is a Client/Server firewall solution in which the Integrity Server (IS) acts as the firewall server that pushes firewall policy to the Integrity Agent (IA) residing on the VPN Client PC. Zone Labs Integrity can also provide a centrally controlled, always-on personal firewall.

Firewall Policy: This field shows that Client/Server is the supported policy.
Product: Lists the name of the Client/Server solution currently in use, such as Zone Labs Integrity Client.
User ID: In the format xx://IP address of the VPN Concentrator/group name and user name.
Session ID: The session ID of the connection between all of the entities. This is used to initialize the firewall client and is helpful for troubleshooting.
Servers: The IP address and port number of each firewall server. For Release 3.5, there is only one.
To reset all connection statistics to zero, click Reset. There is no undo. Reset affects only the connection statistics, not the other sections of this dialog box.
You may want to close the VPN Client when it is running on your PC but not connected to a remote network.
To close the VPN Client when it is not connected to a remote network, do one of the following:
To disconnect your PC from the private network, do one of the following:
Your IPSec session ends and the VPN Client closes. You must manually disconnect your dial-up networking connection (DUN).
Posted: Wed Sep 25 04:03:44 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.