Release November
Corporate Headquarters
Cisco Systems, Inc
170 West Tasman Drive San Jose, CA
VPN 3002 Hardware Client Reference
Copyright 2001, Cisco Systems, Inc
Configuration
System Configuration
Configuration | System
Contents
Configuration | System | Servers | DNS
Configuration | System | Tunneling Protocols
Configuration | System | IP Routing
Configuration | System | Management Protocols
Configuration | Policy Management
Administration
Administration | Ping
Administration | Access Rights
Monitoring
Monitoring | Routing Table
Monitoring | Live Event Log
Monitoring | System Status
Files for Troubleshooting
LED Indicators
Monitoring | Statistics | MIB-II
Monitoring | Statistics | MIB-II | IP
78-13782-01
Preface
Prerequisites
Organization
Chapter
Chapter
Title
Description
Chapter
Related Documentation
VPN 3002 Hardware Client Documentation
VPN 3000 Series Concentrator Documentation
VPN Client Documentation
Documentation conventions
Other References
Convention
boldface font
Obtaining Documentation
Data Formats
World Wide Web
Documentation CD-ROM
Obtaining technical assistance
Ordering documentation
Documentation feedback
Cisco.com
Contacting TAC by telephone
Contacting TAC by using the Cisco TAC website
Technical Assistance Center
OL-1893-01
Using the VPN 3002 Hardware Client Manager
VPN 3002 Hardware Client Browser Requirements
Connecting to the VPN 3002 Using HTTP
Recommended PC Monitor/Display Settings
JavaScript and Cookies
Navigation Toolbar
Installing the SSL Certificate in Your Browser
Figure 1-2 Install SSL Certificate Screen
4. Click Install Certificate
5. Click Next to continue
7. Click Finish
Viewing Certificates with Internet Explorer
Installing the SSL Certificate with Netscape
Reinstallation
First-time Installation
2. Click Next> to proceed
8. Click Continue
Viewing Certificates with Netscape
Click OK when finished
Connecting to the VPN 3002 Using HTTPS
Configuring HTTP, HTTPS, and SSL Parameters
Logging into the VPN 3002 Hardware Client Manager
Figure 1-27 Manager Main Welcome Screen
Interactive Hardware Client Authentication
Individual User Authentication
Step 1 Click the Connection Login Status button
The Connection/Login Status screen displays
Step 1 Click the Connect Now button
Step 2 Click Connect
Figure 1-31 Connection Login Status Screen
Figure 1-33 Connection/Login Status Screen
Figure 1-32 Individual User Authentication Screen
Title bar
Status bar
Mouse pointer and tips
Top frame
Reset
Restore
Table of Contents
Configuration
Open or expanded
Main frame
Manager screen
–Interfaces: Ethernet parameters
Figure 1-35 Manager Table of Contents
Navigating the VPN 3002 Hardware Client Manager
Configuration
Configuration | Interfaces
Interfaces
Interface
Ethernet 1 Private, Ethernet 2 Public
DNS Servers
DNS Domain Name
Default Gateway
Status
IP Address
Subnet Mask
Configuration | Interfaces | Private
Disabled
Static IP Addressing
IP Address
Apply/Cancel
Subnet Mask
Speed
Duplex
Configuration | Interfaces | Public
DHCP Client
PPPoE Client
Disabled
PPPoE Password
Verify PPPoE Password
PPPoE User Name
Static IP Addressing
Reminder
Apply / Cancel
Duplex
System Configuration
Configuration | System
Configuration | System | Servers
Configuration | System | Servers | DNS
Servers
Enabled
Domain
Primary DNS Server
Secondary DNS Server
Timeout Period
Timeout Retries
Apply / Cancel
Tunneling
Configuration | System | Tunneling Protocols
Backup Servers
Remote Server
About Backup Servers
IPSec over TCP
IPSec over TCP Port
Use Certificate
Certificate Transmission
Group
About IPSec over TCP
Password
User
Verify
Password
Configuration | System | IP Routing
IP Routing
Static Routes
Add / Modify / Delete
Reminder
Subnet Mask
Network Address
Metric
Add or Apply / Cancel
Destination
Destination Router Address
Interface
Default Gateway
Apply / Cancel
Metric
Reminder
Configuration | System | IP Routing | DHCP
Lease Timeout
Address Pool Start/End
Enabled
DHCP Option
Add/Modify/Delete
Apply/Cancel
Reminder
Reminder
Option Value
DHCP Option
Nonconfigurable DHCP Options
Configuration | System | Management Protocols
Management Protocols
Enable HTTP
About HTTP/HTTPS
Enable HTTPS
Enable HTTPS on Public
HTTP Port
HTTPS Port
Enable Telnet
Enable Telnet/SSL
Telnet Port
Telnet/SSL Port
Maximum Connections
Enable SNMP
SNMP Port
Maximum Queued Requests
Apply / Cancel
Reminder
Community Strings
Communities | Add or Modify
Add/Modify/Delete
Reminder
Reminder
Community String
Add or Apply / Cancel
Related information
Client Authentication
Encryption Algorithms
SSL Version
Generated Certificate Key Size
Apply/Cancel
Enable SSH
Enable SSH on Public
SSH Port
Key Regeneration Period
Apply / Cancel
To apply your SSH settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen.
Reminder
Enable XML
Enable HTTPS on Public
HTTPS IP Address
HTTPS Wildcard-mask
SSH IP Address
SSH Wildcard-mask
Events
Event Class
Class Description Event Source
Class Name
Cisco-specific Event Class
EVENTMIB
Event Severity Level
Level
Category
Description
Event Log
Event Log Data
Figure 9-1 Configuration | System | Events Screen
Configuration | System | Events
Configuration | System | Events | General
Syslog Format
String
Severity to Log
Severity to Console
Severity to Syslog
Cisco IOS Severity
Configuration | System | Events | Classes
Configure either General event
Severity to Trap
To send this “well-known”
Reminder
Configured Event Classes
Add/Modify/Delete
Enable
Class Name
Modify screen
Add or Apply/Cancel
Severity to Console
Severity to Syslog
Trap Destinations
Add/Modify/Delete
SNMP Version
Community
Destination
Configuration | System | Events | Syslog Servers
Port
Add or Apply/Cancel
Syslog Servers
Add/Modify/Delete
Reminder
Syslog Server
Facility
Port
Add or Apply/Cancel
To add this server to the list of syslog servers, click Add. Or to apply your changes to this syslog server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Syslog Servers screen. Any new server appears in the Syslog Servers list.
Reminder
Configuration | System | General
General
Configuration | System | General | Identification
System Name
Contact
Location
Configuration | System | General | Time and Date
Enable DST Support
Current Time
New Time
Reminder
Policy Management
Client Mode/PAT
Client Mode with Split Tunneling
Network Extension Mode
Network Extension Mode with Split Tunneling
Tunnel Initiation
Data Initiation
Step 2 Click Connect Now
Configuration | Policy Management
Traffic Management
Mode
Tunneling Policy
Configuration | Policy Management | Traffic Management | PAT
Enable
PAT Enabled
Apply/Cancel
Reminder
Administration
Figure 12-1 Administration Screen
Administration | Software Update
Upload/Cancel
Current Software Revision
Browse
Software Update Progress
Software Update Success
Software Update Error
Administration | System Reboot
Configuration
Action
Figure 12-6 Administration | System Reboot Screen
Administration | Ping
When to Reboot/Shutdown
Apply/Cancel
Ping/Cancel
Error Ping
Address/Hostname to Ping
Success Ping
Administration | Access Rights
Administration | Access Rights | Administrators
Figure 12-10 Administration | Access Rights Screen
Administrator
Password
Verify
Administration | Access Rights | Access Settings
Session Idle Timeout
Encrypt Config File
Session Limit
Administration | File Management
View Save
Delete
Swap Config Files
Config File Upload via HTTP
OK/Cancel
Local Config File/Browse
File Upload Progress
Upload/Cancel
File Upload Error
File Upload Success
Enrolling and Installing Digital Certificates
Certificate Management
Installing CA Certificates Manually
Enrolling and Installing Identity Certificates
Recommended Content
Abbrev
Field Name
Verify Challenge Password
Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1. The VPN 3002 sends the certificate request to the CA.
Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. See Figure
Certificate Obtained via Enrollment Screen
Obtaining SSL Certificates
Enabling Digital Certificates on the VPN
Deleting Digital Certificates
Administration | Certificate Management
Certificate Authority
Content
Certificate Authorities Table
Identity Certificates Table
Fields
SSL Certificate Table Generate
Content
Subject/Issuer
Fields
Enrollment Status Table
Remove All
Content
Content
Field
Status
Administration | Certificate Management | Enroll
Identity Certificate
SSL Certificate
Install a New SA Using SCEP before Enrolling
Type
Enroll via PKCS10 Request Manual
Enroll via SCEP at Name of SCEP CA
Enroll / Cancel
Fields
Go to Certificate Management
Go to Certificate Enrollment
Fields
Go to Certificate Installation
Enroll / Cancel
Cancel
Enroll
Fields
Administration | Certificate Management | Install
Install CA Certificate
Install SSL Certificate with Private Key
Install Certificate Obtained via Enrollment
Certificate Obtained via Enrollment Screen
Enrollment Status Table
SCEP Simple Certificate Enrollment Protocol
Cut & Paste Text
Upload File from Workstation
Retrieve / Cancel
CA Descriptor
Install / Cancel
Certificate Text
Password
Filename / Browse
Password
Install / Cancel
Administration | Certificate Management | View
Certificate Fields
Content
Field
Back
Content
Field
Administration | Certificate Management |
Configure CA Certificate
SCEP Configuration
Certificate
Administration | Certificate Management | Renewal
Polling Limit
Apply / Cancel
Challenge Password
Verify Challenge Password
Renew / Cancel
Renewal Type
Go to Certificate Installation
Status
Go to Certificate Management
Fields
Administration | Certificate Management | Delete
View Enrollment Request
Yes / No
Administration | Certificate Management |
Enrollment Request Fields
Content
Field
Cancel Enrollment Request
Administration | Certificate Management
Content
Delete Enrollment Request
Administration | Certificate Management |
Fields
Fields
Yes / No
To delete this enrollment request, click Yes.
Monitoring
Figure 13-1 Monitoring Screen
Monitoring | Routing Table
Clear Routes
Valid Routes
Address
Monitoring | Filterable Event Log
Metric
Select Filter Options
Event Class
Severities
Client IP Address
Event Log Format
Get Log
Clear Log
There is no undo
Monitoring | Live Event Log
Event Time
Event Severity
Event Class/Number
Timer
Pause Display/Resume Display
Clear Display
Restart
Reset
Restore
Monitoring | System Status
Bootcode Rev
Refresh
VPN Client Type
Software Rev
Authentication
Tunnel Established to
Duration
Security Associations
Front Panel
Back Panel
Other
Restore
Refresh
Back
Rx Unicast
Tx Unicast
Rx Multicast
Tx Multicast
Cisco IP Phone Bypass Enabled/Disabled
Login Time
Monitoring | User Status
Username
Monitoring | Statistics
Monitoring | Statistics | IPSec
Reset
Restore
IKE Phase 1 Statistics
Active Tunnels
Total Tunnels
Received Bytes
Received Phase-2 Exchanges
Sent Phase-2 Exchanges
Invalid Phase-2 Exchanges Received
Invalid Phase-2 Exchanges Sent
Phase-2 SA Delete Requests Sent
Authentication Failures
Initiated Tunnels
Failed Initiated Tunnels
IPSec Phase 2 Statistics
Received Packets Dropped Anti-Replay
Active Tunnels
Inbound Authentications
Failed Inbound Authentications
Outbound Authentications
Failed Outbound Authentications
Monitoring | Statistics | HTTP
Protocol Use Failures
System Capability Failures
Octets Sent/Received
Packets Sent/Received
Packets Sent Sockets/Sessions
Peak
Login Name
Login Time
HTTP Sessions
Max Connections
Monitoring | Statistics | Telnet
Active Sessions
Reset
Inbound Octets Command
Attempted Sessions
Successful Sessions
Telnet Sessions
Monitoring | Statistics | DNS
Requests
Responses
Timeouts
Monitoring | Statistics | SSL
Server Unreachable
Other Failures
Unencrypted Inbound Octets
Encrypted Inbound Octets
Unencrypted Outbound Octets
Encrypted Outbound Octets
Monitoring | Statistics | DHCP
Active Leases
Maximum Active Leases
Pool Start
Pool End
Leased IP Address
Time Left
Monitoring | Statistics | SSH
Reset
Restore
SSH Sessions
Remote IP Address:Port
Login Name
Monitoring | Statistics | NAT
Packets In/Out
Reset
NAT Sessions
Translations Active
Translations Peak
Translations Total
Monitoring | Statistics | PPPoE
Translated Bytes/Packets
Reset
PPPoE Access Concentrator
PADI Timeouts
PADR Timeouts
User Name
Generic Errors Rx
PADT Rx
PADT Tx
Malformed Packets Rx
Monitoring | Statistics | MIB-II
Monitoring | Statistics | MIB-II | Interfaces
Reset
Restore
Unicast In
Unicast Out
Multicast In
Multicast Out
Monitoring | Statistics | MIB-II | TCP/UDP
TCP Segments Received
Reset
TCP Timeout Min
TCP Timeout Max
TCP Segments Transmitted
TCP Segments Retransmitted
TCP Established Resets
UDP Errored Datagrams
TCP Current Established
UDP Datagrams Received
Monitoring | Statistics | MIB-II | IP
Reset
Restore
Packets Received Header Errors
Packets Received Address Errors
Packets Received Total
Packets Received Unknown Protocols
Fragments Needing Reassembly
Reassembly Successes
Reassembly Failures
Outbound Packets with No Route
Monitoring | Statistics | MIB-II | ICMP
Total Received/Transmitted
Reset
Errors Received/Transmitted
Parameter Problems Received/Transmitted
Destination Unreachable Received/Transmitted
Time Exceeded Received/Transmitted
Timestamp Requests Received/Transmitted
Timestamp Replies Received/Transmitted
Address Mask Requests Received/Transmitted
Address Mask Replies Received/Transmitted
Monitoring | Statistics | MIB-II | ARP Table
Refresh
Physical Address
Mapping Type
Action/Delete
Monitoring | Statistics | MIB-II | Ethernet
Reset
Restore
Alignment Errors
FCS Errors
Carrier Sense Errors
SQE Test Errors
MAC Errors: Transmit
MAC Errors: Receive
Excessive Collisions
Speed Mbps
Monitoring | Statistics | MIB-II | SNMP
Requests Received
Bad Version
Parsing Errors
Bad Community String
Silent Drops
Proxy Drops
Using the Command-Line Interface
Accessing the Command-line Interface
Console Access
Starting the Command-line Interface
Telnet or Telnet/SSL access
Using the Command-line Interface
Choosing Menu Items
Entering Values
Using Shortcut Numbers
Navigating Quickly
Using Back and Home
Getting Help Information
Saving the Configuration File
Stopping the Command-line Interface
Understanding Access Rights
Menu Reference
1 Configuration
1.1 Configuration > Quick Configuration
1.2 Configuration > Interface Configuration
1.3 Configuration > System Management
1.3.1 Configuration > System Management > Servers
1.4 Configuration > Policy Management
2 Administration
2.1 Administration > Software Update
2.2 Administration > System Reboot
2.3 Administration > Ping
2.4 Administration > Access Rights
2.5 Administration > File Management
2.6 Administration > Certificate Management
3 Monitoring
3.1 Monitoring > Routing Table
3.2 Monitoring > Event Log
3.2.2 Monitoring > Event Log > View Event Log
3.3 Monitoring > System Status
3.4 Monitoring > User Status
3.5Monitoring > General Statistics
Troubleshooting and System Errors
Files for Troubleshooting
Event Logs
Crash Dump File
LED Indicators
Configuration Files
VPN 3002 Front LEDs
Crash Dump File
System Errors
Problem or Symptom
Possible Solution
VPN 3002 Rear LEDs
Settings on the VPN Concentrator
Series Concentrator Reference Volume
the VPN 3002 Hardware Client User Reference
on Connect Now
VPN 3002 Hardware Client Manager Errors
Invalid Login or Session Timeout
Problem
Solution
Login
Manager Logs Out
Error Message
Incorrect Display
Back or Forward on
Possible cause
Not Allowed Message
Problem
Solution
Possible cause
Not Found
interface supported
Problem
Solution
Command-line Interface Errors
Error
Problem
Index
Numerics
See CLI
errors
help command
See also tunnel