170 West Tasman Drive San Jose, CA
Release November
Corporate Headquarters
Cisco Systems, Inc
Copyright 2001, Cisco Systems, Inc
VPN 3002 Hardware Client Reference
Contents
Configuration
System Configuration
Configuration | System
Configuration | System | Management Protocols
Configuration | System | Servers | DNS
Configuration | System | Tunneling Protocols
Configuration | System | IP Routing
Administration | Access Rights
Configuration | Policy Management
Administration
Administration | Ping
Monitoring | System Status
Monitoring
Monitoring | Routing Table
Monitoring | Live Event Log
Monitoring | Statistics | MIB-II | IP
Files for Troubleshooting
LED Indicators
Monitoring | Statistics | MIB-II
78-13782-01
Chapter
Preface
Prerequisites
Organization
Chapter
Chapter
Title
Description
VPN Client Documentation
Related Documentation
VPN 3002 Hardware Client Documentation
VPN 3000 Series Concentrator Documentation
boldface font
Documentation conventions
Other References
Convention
Documentation CD-ROM
Obtaining Documentation
Data Formats
World Wide Web
Cisco.com
Obtaining technical assistance
Ordering documentation
Documentation feedback
Contacting TAC by telephone
Contacting TAC by using the Cisco TAC website
Technical Assistance Center
OL-1893-01
Chapter
Using the VPN 3002 Hardware Client Manager
VPN 3002 Hardware Client Browser Requirements
Navigation Toolbar
Connecting to the VPN 3002 Using HTTP
Recommended PC Monitor/Display Settings
JavaScript and Cookies
Installing the SSL Certificate in Your Browser
Figure 1-2 Install SSL Certificate Screen
4. Click Install Certificate
5. Click Next to continue
7. Click Finish
Viewing Certificates with Internet Explorer
Installing the SSL Certificate with Netscape
Reinstallation
First-time Installation
2. Click Next> to proceed
8. Click Continue
Viewing Certificates with Netscape
Click OK when finished
Connecting to the VPN 3002 Using HTTPS
Configuring HTTP, HTTPS, and SSL Parameters
Logging into the VPN 3002 Hardware Client Manager
Figure 1-27 Manager Main Welcome Screen
Interactive Hardware Client Authentication
Individual User Authentication
Step 1 Click the Connect Now button
Step 1 Click the Connection Login Status button
The Connection/Login Status screen displays
Step 2 Click Connect
Figure 1-31 Connection Login Status Screen
Figure 1-33 Connection/Login Status Screen
Figure 1-32 Individual User Authentication Screen
Top frame
Title bar
Status bar
Mouse pointer and tips
Configuration
Reset
Restore
Table of Contents
Open or expanded
Main frame
Manager screen
–Interfaces: Ethernet parameters
Figure 1-35 Manager Table of Contents
Navigating the VPN 3002 Hardware Client Manager
Chapter
Configuration
Chapter 2 Configuration
Chapter
Configuration | Interfaces
Interfaces
DNS Domain Name
Interface
Ethernet 1 Private, Ethernet 2 Public
DNS Servers
Subnet Mask
Default Gateway
Status
IP Address
IP Address
Configuration | Interfaces | Private
Disabled
Static IP Addressing
Duplex
Apply/Cancel
Subnet Mask
Speed
Disabled
Configuration | Interfaces | Public
DHCP Client
PPPoE Client
Static IP Addressing
PPPoE Password
Verify PPPoE Password
PPPoE User Name
Reminder
Apply / Cancel
Duplex
Chapter
System Configuration
Configuration | System
Chapter 4 System Configuration
Chapter
Configuration | System | Servers
Configuration | System | Servers | DNS
Servers
Secondary DNS Server
Enabled
Domain
Primary DNS Server
Timeout Period
Timeout Retries
Apply / Cancel
Chapter
Tunneling
Configuration | System | Tunneling Protocols
Remote Server
Backup Servers
About Backup Servers
IPSec over TCP Port
IPSec over TCP
About IPSec over TCP
Use Certificate
Certificate Transmission
Group
Password
Password
User
Verify
Chapter
Configuration | System | IP Routing
IP Routing
Chapter 7 IP Routing
Static Routes
Add / Modify / Delete
Reminder
Subnet Mask
Network Address
Metric
Interface
Add or Apply / Cancel
Destination
Destination Router Address
Reminder
Default Gateway
Apply / Cancel
Metric
Enabled
Configuration | System | IP Routing | DHCP
Lease Timeout
Address Pool Start/End
Reminder
DHCP Option
Add/Modify/Delete
Apply/Cancel
Reminder
Option Value
DHCP Option
Nonconfigurable DHCP Options
Chapter
Configuration | System | Management Protocols
Management Protocols
About HTTP/HTTPS
Enable HTTP
HTTPS Port
Enable HTTPS
Enable HTTPS on Public
HTTP Port
Enable Telnet
Chapter 8 Management Protocols
Maximum Connections
Enable Telnet/SSL
Telnet Port
Telnet/SSL Port
Apply / Cancel
Enable SNMP
SNMP Port
Maximum Queued Requests
Reminder
Reminder
Community Strings
Communities | Add or Modify
Add/Modify/Delete
Reminder
Community String
Add or Apply / Cancel
Related information
Client Authentication
Encryption Algorithms
Apply/Cancel
SSL Version
Generated Certificate Key Size
Key Regeneration Period
Enable SSH
Enable SSH on Public
SSH Port
Reminder
Apply / Cancel
To apply your SSH settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen.
Enable XML
Enable HTTPS on Public
SSH Wildcard-mask
HTTPS IP Address
HTTPS Wildcard-mask
SSH IP Address
Class Name
Events
Event Class
Class Description Event Source
EVENTMIB
Class Description Event Source
Class Name
Cisco-specific Event Class
Description
Event Severity Level
Level
Category
Event Log Data
Event Log
Figure 9-1 Configuration | System | Events Screen
Configuration | System | Events
Configuration | System | Events | General
String
Syslog Format
Cisco IOS Severity
Severity to Log
Severity to Console
Severity to Syslog
To send this “well-known”
Configuration | System | Events | Classes
Configure either General event
Severity to Trap
Reminder
Configured Event Classes
Add/Modify/Delete
Enable
Class Name
Modify screen
Severity to Syslog
Add or Apply/Cancel
Severity to Console
Trap Destinations
Add/Modify/Delete
Destination
SNMP Version
Community
Add or Apply/Cancel
Configuration | System | Events | Syslog Servers
Port
Reminder
Syslog Servers
Add/Modify/Delete
Port
Syslog Server
Facility
Reminder
Add or Apply/Cancel
To add this server to the list of syslog servers, click Add. Or to apply your changes to this syslog server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Syslog Servers screen. Any new server appears in the Syslog Servers list.
Chapter
Configuration | System | General
General
Location
Configuration | System | General | Identification
System Name
Contact
New Time
Configuration | System | General | Time and Date
Enable DST Support
Current Time
Chapter 10 General
Reminder
Policy Management
Client Mode/PAT
Client Mode with Split Tunneling
Network Extension Mode
Network Extension Mode
Chapter 11 Policy Management
Network Extension Mode with Split Tunneling
Tunnel Initiation
Data Initiation
Step 2 Click Connect Now
Tunneling Policy
Configuration | Policy Management
Traffic Management
Mode
Enable
Configuration | Policy Management | Traffic Management | PAT
Reminder
PAT Enabled
Apply/Cancel
Chapter
Administration
Figure 12-1 Administration Screen
Administration | Software Update
Upload/Cancel
Current Software Revision
Browse
Software Update Progress
Software Update Success
Software Update Error
Administration | System Reboot
Chapter 12 Administration
Figure 12-6 Administration | System Reboot Screen
Configuration
Action
Apply/Cancel
Administration | Ping
When to Reboot/Shutdown
Success Ping
Ping/Cancel
Error Ping
Address/Hostname to Ping
Figure 12-10 Administration | Access Rights Screen
Administration | Access Rights
Administration | Access Rights | Administrators
Administrator
Password
Verify
Session Limit
Administration | Access Rights | Access Settings
Session Idle Timeout
Encrypt Config File
Administration | File Management
View Save
Delete
Swap Config Files
Config File Upload via HTTP
OK/Cancel
Upload/Cancel
Local Config File/Browse
File Upload Progress
File Upload Error
File Upload Success
Enrolling and Installing Digital Certificates
Certificate Management
Installing CA Certificates Manually
Field Name
Enrolling and Installing Identity Certificates
Recommended Content
Abbrev
Verify Challenge Password
Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1. The VPN 3002 sends the certificate request to the CA.
Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. See Figure
Certificate Obtained via Enrollment Screen
Obtaining SSL Certificates
Enabling Digital Certificates on the VPN
Deleting Digital Certificates
Administration | Certificate Management
Certificate Authority
Fields
Content
Certificate Authorities Table
Identity Certificates Table
SSL Certificate Table Generate
Fields
Content
Subject/Issuer
Content
Enrollment Status Table
Remove All
Status
Content
Field
Administration | Certificate Management | Enroll
Identity Certificate
SSL Certificate
Enroll via SCEP at Name of SCEP CA
Install a New SA Using SCEP before Enrolling
Type
Enroll via PKCS10 Request Manual
Enroll / Cancel
Fields
Go to Certificate Management
Go to Certificate Enrollment
Fields
Go to Certificate Installation
Enroll / Cancel
Fields
Cancel
Enroll
Install Certificate Obtained via Enrollment
Administration | Certificate Management | Install
Install CA Certificate
Install SSL Certificate with Private Key
Certificate Obtained via Enrollment Screen
Enrollment Status Table
SCEP (Simple Certificate Enrollment Protocol)
Cut & Paste Text
Upload File from Workstation
Retrieve / Cancel
CA Descriptor
Password
Install / Cancel
Certificate Text
Install / Cancel
Filename / Browse
Password
Administration | Certificate Management | View
Field
Certificate Fields
Content
Field
Back
Content
Certificate
Administration | Certificate Management |
Configure CA Certificate
SCEP Configuration
Apply / Cancel
Administration | Certificate Management | Renewal
Polling Limit
Renewal Type
Challenge Password
Verify Challenge Password
Renew / Cancel
Go to Certificate Management
Go to Certificate Installation
Status
Fields
Administration | Certificate Management | Delete
Administration | Certificate Management |
View Enrollment Request
Yes / No
Field
Enrollment Request Fields
Content
Content
Cancel Enrollment Request
Administration | Certificate Management
Fields
Delete Enrollment Request
Administration | Certificate Management |
To delete this enrollment request, click Yes
Fields
Yes / No
Figure 13-1 Monitoring Screen
Monitoring
Chapter
Address
Monitoring | Routing Table
Clear Routes
Valid Routes
Monitoring | Filterable Event Log
Metric
Client IP Address
Select Filter Options
Event Class
Severities
There is no undo
Event Log Format
Get Log
Clear Log
Event Class/Number
Monitoring | Live Event Log
Event Time
Event Severity
Restart
Timer
Pause Display/Resume Display
Clear Display
Reset
Restore
Monitoring | System Status
Software Rev
Bootcode Rev
Refresh
VPN Client Type
Security Associations
Authentication
Tunnel Established to
Duration
Front Panel
Back Panel
Other
Back
Restore
Refresh
Tx Multicast
Rx Unicast
Tx Unicast
Rx Multicast
Username
Cisco IP Phone Bypass Enabled/Disabled
Login Time
Monitoring | User Status
Monitoring | Statistics
Restore
Monitoring | Statistics | IPSec
Reset
Received Bytes
IKE Phase 1 Statistics
Active Tunnels
Total Tunnels
Invalid Phase-2 Exchanges Sent
Received Phase-2 Exchanges
Sent Phase-2 Exchanges
Invalid Phase-2 Exchanges Received
Failed Initiated Tunnels
Phase-2 SA Delete Requests Sent
Authentication Failures
Initiated Tunnels
Active Tunnels
IPSec Phase 2 Statistics
Received Packets Dropped Anti-Replay
Failed Outbound Authentications
Inbound Authentications
Failed Inbound Authentications
Outbound Authentications
System Capability Failures
Monitoring | Statistics | HTTP
Protocol Use Failures
Peak
Octets Sent/Received
Packets Sent/Received
Packets Sent Sockets/Sessions
Max Connections
Login Name
Login Time
HTTP Sessions
Reset
Monitoring | Statistics | Telnet
Active Sessions
Telnet Sessions
Inbound Octets Command
Attempted Sessions
Successful Sessions
Monitoring | Statistics | DNS
Requests
Responses
Other Failures
Timeouts
Monitoring | Statistics | SSL
Server Unreachable
Encrypted Outbound Octets
Unencrypted Inbound Octets
Encrypted Inbound Octets
Unencrypted Outbound Octets
Monitoring | Statistics | DHCP
Active Leases
Maximum Active Leases
Time Left
Pool Start
Pool End
Leased IP Address
Restore
Monitoring | Statistics | SSH
Reset
Login Name
SSH Sessions
Remote IP Address:Port
Reset
Monitoring | Statistics | NAT
Packets In/Out
Translations Total
NAT Sessions
Translations Active
Translations Peak
Reset
Monitoring | Statistics | PPPoE
Translated Bytes/Packets
User Name
PPPoE Access Concentrator
PADI Timeouts
PADR Timeouts
Malformed Packets Rx
Generic Errors Rx
PADT Rx
PADT Tx
Monitoring | Statistics | MIB-II
Restore
Monitoring | Statistics | MIB-II | Interfaces
Reset
Multicast Out
Unicast In
Unicast Out
Multicast In
Reset
Monitoring | Statistics | MIB-II | TCP/UDP
TCP Segments Received
TCP Segments Retransmitted
TCP Timeout Min
TCP Timeout Max
TCP Segments Transmitted
UDP Datagrams Received
TCP Established Resets
UDP Errored Datagrams
TCP Current Established
Restore
Monitoring | Statistics | MIB-II | IP
Reset
Packets Received Unknown Protocols
Packets Received Header Errors
Packets Received Address Errors
Packets Received Total
Outbound Packets with No Route
Fragments Needing Reassembly
Reassembly Successes
Reassembly Failures
Reset
Monitoring | Statistics | MIB-II | ICMP
Total Received/Transmitted
Time Exceeded Received/Transmitted
Errors Received/Transmitted
Parameter Problems Received/Transmitted
Destination Unreachable Received/Transmitted
Address Mask Replies Received/Transmitted
Timestamp Requests Received/Transmitted
Timestamp Replies Received/Transmitted
Address Mask Requests Received/Transmitted
Chapter 13 Monitoring
Monitoring | Statistics | MIB-II | ARP Table
Refresh
Physical Address
Mapping Type
Action/Delete
Restore
Monitoring | Statistics | MIB-II | Ethernet
Reset
SQE Test Errors
Alignment Errors
FCS Errors
Carrier Sense Errors
Speed Mbps
MAC Errors: Transmit
MAC Errors: Receive
Excessive Collisions
Monitoring | Statistics | MIB-II | SNMP
Requests Received
Bad Version
Proxy Drops
Parsing Errors
Bad Community String
Silent Drops
Using the Command-Line Interface
Accessing the Command-line Interface
Console Access
Starting the Command-line Interface
Telnet or Telnet/SSL access
Using the Command-line Interface
Choosing Menu Items
Entering Values
Using Shortcut Numbers
Navigating Quickly
Using Back and Home
Getting Help Information
Saving the Configuration File
Stopping the Command-line Interface
Understanding Access Rights
Menu Reference
1 Configuration
1.1 Configuration > Quick Configuration
1.2 Configuration > Interface Configuration
1.3.1 Configuration > System Management > Servers
1.3 Configuration > System Management
2.1 Administration > Software Update
2 Administration
1.4 Configuration > Policy Management
2.2 Administration > System Reboot
2.3 Administration > Ping
2.4 Administration > Access Rights
2.6 Administration > Certificate Management
2.5 Administration > File Management
3 Monitoring
3.3 Monitoring > System Status
3.1 Monitoring > Routing Table
3.2 Monitoring > Event Log
3.2.2 Monitoring > Event Log > View Event Log
3.5 Monitoring > General Statistics
3.4 Monitoring > User Status
Crash Dump File
Troubleshooting and System Errors
Files for Troubleshooting
Event Logs
Crash Dump File
LED Indicators
Configuration Files
VPN 3002 Front LEDs
VPN 3002 Rear LEDs
System Errors
Problem or Symptom
Possible Solution
on Connect Now
Settings on the VPN Concentrator
Series Concentrator Reference Volume
the VPN 3002 Hardware Client User Reference
Invalid Login or Session Timeout
VPN 3002 Hardware Client Manager Errors
Manager Logs Out
Problem
Solution
Login
Possible cause
Error Message
Incorrect Display
Back or Forward on
Possible cause
Not Allowed Message
Problem
Solution
Solution
Not Found
interface supported
Problem
Problem
Command-line Interface Errors
Error
Numerics
Index
help command
See CLI
errors A-10
See also tunnel
Index