Corporate Headquarters
Release November
Cisco Systems, Inc
170 West Tasman Drive San Jose, CA
Copyright 2001, Cisco Systems, Inc
VPN 3002 Hardware Client Reference
System Configuration
Configuration
Configuration | System
Contents
Configuration | System | Tunneling Protocols
Configuration | System | Servers | DNS
Configuration | System | IP Routing
Configuration | System | Management Protocols
Administration
Configuration | Policy Management
Administration | Ping
Administration | Access Rights
Monitoring | Routing Table
Monitoring
Monitoring | Live Event Log
Monitoring | System Status
LED Indicators
Files for Troubleshooting
Monitoring | Statistics | MIB-II
Monitoring | Statistics | MIB-II | IP
78-13782-01
Contents
Prerequisites
Preface
Organization
Chapter
Title
Chapter
Description
Chapter
VPN 3002 Hardware Client Documentation
Related Documentation
VPN 3000 Series Concentrator Documentation
VPN Client Documentation
Other References
Documentation conventions
Convention
boldface font
Data Formats
Obtaining Documentation
World Wide Web
Documentation CD-ROM
Ordering documentation
Obtaining technical assistance
Documentation feedback
Cisco.com
Contacting TAC by telephone
Contacting TAC by using the Cisco TAC website
Technical Assistance Center
OL-1893-01
Using the VPN 3002 Hardware Client Manager
VPN 3002 Hardware Client Browser Requirements
Recommended PC Monitor/Display Settings
Connecting to the VPN 3002 Using HTTP
JavaScript and Cookies
Navigation Toolbar
Installing the SSL Certificate in Your Browser
Figure 1-2 Install SSL Certificate Screen
4. Click Install Certificate
5. Click Next to continue
7. Click Finish
Viewing Certificates with Internet Explorer
Installing the SSL Certificate with Netscape
Reinstallation
First-time Installation
2. Click Next> to proceed
8. Click Continue
Viewing Certificates with Netscape
Click OK when finished
Connecting to the VPN 3002 Using HTTPS
Configuring HTTP, HTTPS, and SSL Parameters
Logging into the VPN 3002 Hardware Client Manager
Figure 1-27 Manager Main Welcome Screen
Individual User Authentication
Interactive Hardware Client Authentication
Step 1 Click the Connection Login Status button
The Connection/Login Status screen displays
Step 1 Click the Connect Now button
Step 2 Click Connect
Figure 1-31 Connection Login Status Screen
Figure 1-33 Connection/Login Status Screen
Figure 1-32 Individual User Authentication Screen
Status bar
Title bar
Mouse pointer and tips
Top frame
Restore
Reset
Table of Contents
Configuration
Main frame
Open or expanded
Manager screen
– Interfaces: Ethernet parameters
Figure 1-35 Manager Table of Contents
Navigating the VPN 3002 Hardware Client Manager
Configuration
Configuration
Configuration | Interfaces
Interfaces
Ethernet 1 Private, Ethernet 2 Public
Interface
DNS Servers
DNS Domain Name
Status
Default Gateway
IP Address
Subnet Mask
Disabled
Configuration | Interfaces | Private
Static IP Addressing
IP Address
Subnet Mask
Apply/Cancel
Speed
Duplex
DHCP Client
Configuration | Interfaces | Public
PPPoE Client
Disabled
Verify PPPoE Password
PPPoE Password
PPPoE User Name
Static IP Addressing
Reminder
Apply / Cancel
Duplex
System Configuration
Configuration | System
Configuration | System | Servers | DNS
Configuration | System | Servers
Servers
Domain
Enabled
Primary DNS Server
Secondary DNS Server
Timeout Retries
Timeout Period
Apply / Cancel
Tunneling
Configuration | System | Tunneling Protocols
Remote Server
Backup Servers
About Backup Servers
IPSec over TCP Port
IPSec over TCP
Certificate Transmission
Use Certificate
Group
About IPSec over TCP
User
Password
Verify
Password
Configuration | System | IP Routing
IP Routing
Add / Modify / Delete
Static Routes
Reminder
Subnet Mask
Network Address
Metric
Destination
Add or Apply / Cancel
Destination Router Address
Interface
Apply / Cancel
Default Gateway
Metric
Reminder
Lease Timeout
Configuration | System | IP Routing | DHCP
Address Pool Start/End
Enabled
Add/Modify/Delete
DHCP Option
Apply/Cancel
Reminder
Reminder
Option Value
DHCP Option
Nonconfigurable DHCP Options
Configuration | System | Management Protocols
Management Protocols
About HTTP/HTTPS
Enable HTTP
Enable HTTPS on Public
Enable HTTPS
HTTP Port
HTTPS Port
Enable Telnet
Telnet Port
Enable Telnet/SSL
Telnet/SSL Port
Maximum Connections
SNMP Port
Enable SNMP
Maximum Queued Requests
Apply / Cancel
Reminder
Communities | Add or Modify
Community Strings
Add/Modify/Delete
Reminder
Reminder
Community String
Add or Apply / Cancel
Related information
Client Authentication
Encryption Algorithms
Generated Certificate Key Size
SSL Version
Apply/Cancel
Enable SSH on Public
Enable SSH
SSH Port
Key Regeneration Period
Apply / Cancel
To apply your SSH settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen.
Reminder
Enable XML
Enable HTTPS on Public
HTTPS Wildcard-mask
HTTPS IP Address
SSH IP Address
SSH Wildcard-mask
Event Class
Events
Class Description Event Source
Class Name
Class Name
Class Description Event Source
Cisco-specific Event Class
EVENTMIB
Level
Event Severity Level
Category
Description
Event Log Data
Event Log
Figure 9-1 Configuration | System | Events Screen
Configuration | System | Events
Configuration | System | Events | General
String
Syslog Format
Severity to Console
Severity to Log
Severity to Syslog
Cisco IOS Severity
Configure either General event
Configuration | System | Events | Classes
Severity to Trap
To send this “well-known”
Reminder
Configured Event Classes
Add/Modify/Delete
Class Name
Enable
Modify screen
Add or Apply/Cancel
Severity to Console
Severity to Syslog
Trap Destinations
Add/Modify/Delete
Community
SNMP Version
Destination
Port
Configuration | System | Events | Syslog Servers
Add or Apply/Cancel
Syslog Servers
Add/Modify/Delete
Reminder
Facility
Syslog Server
Port
Add or Apply/Cancel
To add this server to the list of syslog servers, click Add. Or to apply your changes to this syslog server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Syslog Servers screen. Any new server appears in the Syslog Servers list.
Reminder
General
Configuration | System | General
System Name
Configuration | System | General | Identification
Contact
Location
Enable DST Support
Configuration | System | General | Time and Date
Current Time
New Time
Configuration | System | General | Time and Date
Reminder
Client Mode/PAT
Policy Management
Client Mode with Split Tunneling
Network Extension Mode
Network Extension Mode with Split Tunneling
Data Initiation
Tunnel Initiation
Step 2 Click Connect Now
Traffic Management
Configuration | Policy Management
Mode
Tunneling Policy
Configuration | Policy Management | Traffic Management | PAT
Enable
PAT Enabled
Apply/Cancel
Reminder
Administration
Administration
Figure 12-1 Administration Screen
Administration | Software Update
Current Software Revision
Upload/Cancel
Browse
Software Update Success
Software Update Progress
Software Update Error
Administration | System Reboot
Action
Configuration
Figure 12-6 Administration | System Reboot Screen
When to Reboot/Shutdown
Administration | Ping
Apply/Cancel
Error Ping
Ping/Cancel
Address/Hostname to Ping
Success Ping
Administration | Access Rights | Administrators
Administration | Access Rights
Figure 12-10 Administration | Access Rights Screen
Password
Administrator
Verify
Session Idle Timeout
Administration | Access Rights | Access Settings
Encrypt Config File
Session Limit
View Save
Administration | File Management
Delete
Config File Upload via HTTP
Swap Config Files
OK/Cancel
File Upload Progress
Local Config File/Browse
Upload/Cancel
File Upload Error
File Upload Success
Enrolling and Installing Digital Certificates
Certificate Management
Installing CA Certificates Manually
Recommended Content
Enrolling and Installing Identity Certificates
Abbrev
Field Name
Verify Challenge Password
Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1. The VPN 3002 sends the certificate request to the CA.
Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. See Figure
Certificate Obtained via Enrollment Screen
Obtaining SSL Certificates
Enabling Digital Certificates on the VPN
Deleting Digital Certificates
Administration | Certificate Management
Certificate Authority
Certificate Authorities Table
Content
Identity Certificates Table
Fields
SSL Certificate Table Generate
Content
Subject/Issuer
Fields
Remove All
Enrollment Status Table
Content
Content
Field
Status
Identity Certificate
Administration | Certificate Management | Enroll
SSL Certificate
Type
Install a New SA Using SCEP before Enrolling
Enroll via PKCS10 Request Manual
Enroll via SCEP at Name of SCEP CA
Enroll / Cancel
Fields
Go to Certificate Enrollment
Go to Certificate Management
Fields
Go to Certificate Installation
Enroll / Cancel
Enroll
Cancel
Fields
Install CA Certificate
Administration | Certificate Management | Install
Install SSL Certificate with Private Key
Install Certificate Obtained via Enrollment
Certificate Obtained via Enrollment Screen
Enrollment Status Table
Cut & Paste Text
SCEP Simple Certificate Enrollment Protocol
Upload File from Workstation
Retrieve / Cancel
CA Descriptor
Certificate Text
Install / Cancel
Password
Filename / Browse
Password
Install / Cancel
Administration | Certificate Management | View
Certificate Fields
Content
Field
Back
Content
Field
Configure CA Certificate
Administration | Certificate Management |
SCEP Configuration
Certificate
Polling Limit
Administration | Certificate Management | Renewal
Apply / Cancel
Verify Challenge Password
Challenge Password
Renew / Cancel
Renewal Type
Go to Certificate Installation
Status
Go to Certificate Management
Fields
Administration | Certificate Management | Delete
Yes / No
View Enrollment Request
Administration | Certificate Management |
Enrollment Request Fields
Content
Field
Cancel Enrollment Request
Administration | Certificate Management
Content
Delete Enrollment Request
Administration | Certificate Management |
Fields
Fields
Yes / No
To delete this enrollment request, click Yes
Monitoring
Figure 13-1 Monitoring Screen
Clear Routes
Monitoring | Routing Table
Valid Routes
Address
Monitoring | Filterable Event Log
Metric
Event Class
Select Filter Options
Severities
Client IP Address
Get Log
Event Log Format
Clear Log
There is no undo
Event Time
Monitoring | Live Event Log
Event Severity
Event Class/Number
Pause Display/Resume Display
Timer
Clear Display
Restart
Restore
Reset
Monitoring | System Status
Refresh
Bootcode Rev
VPN Client Type
Software Rev
Tunnel Established to
Authentication
Duration
Security Associations
Back Panel
Front Panel
Other
Restore
Refresh
Back
Tx Unicast
Rx Unicast
Rx Multicast
Tx Multicast
Login Time
Cisco IP Phone Bypass Enabled/Disabled
Monitoring | User Status
Username
Monitoring | Statistics
Monitoring | Statistics | IPSec
Reset
Restore
Active Tunnels
IKE Phase 1 Statistics
Total Tunnels
Received Bytes
Sent Phase-2 Exchanges
Received Phase-2 Exchanges
Invalid Phase-2 Exchanges Received
Invalid Phase-2 Exchanges Sent
Authentication Failures
Phase-2 SA Delete Requests Sent
Initiated Tunnels
Failed Initiated Tunnels
Received Packets Dropped Anti-Replay
IPSec Phase 2 Statistics
Active Tunnels
Failed Inbound Authentications
Inbound Authentications
Outbound Authentications
Failed Outbound Authentications
Protocol Use Failures
Monitoring | Statistics | HTTP
System Capability Failures
Packets Sent/Received
Octets Sent/Received
Packets Sent Sockets/Sessions
Peak
Login Time
Login Name
HTTP Sessions
Max Connections
Active Sessions
Monitoring | Statistics | Telnet
Reset
Attempted Sessions
Inbound Octets Command
Successful Sessions
Telnet Sessions
Requests
Monitoring | Statistics | DNS
Responses
Monitoring | Statistics | SSL
Timeouts
Server Unreachable
Other Failures
Encrypted Inbound Octets
Unencrypted Inbound Octets
Unencrypted Outbound Octets
Encrypted Outbound Octets
Active Leases
Monitoring | Statistics | DHCP
Maximum Active Leases
Pool End
Pool Start
Leased IP Address
Time Left
Monitoring | Statistics | SSH
Reset
Restore
Remote IP Address:Port
SSH Sessions
Login Name
Packets In/Out
Monitoring | Statistics | NAT
Reset
Translations Active
NAT Sessions
Translations Peak
Translations Total
Translated Bytes/Packets
Monitoring | Statistics | PPPoE
Reset
PADI Timeouts
PPPoE Access Concentrator
PADR Timeouts
User Name
PADT Rx
Generic Errors Rx
PADT Tx
Malformed Packets Rx
Monitoring | Statistics | MIB-II
Monitoring | Statistics | MIB-II | Interfaces
Reset
Restore
Unicast Out
Unicast In
Multicast In
Multicast Out
TCP Segments Received
Monitoring | Statistics | MIB-II | TCP/UDP
Reset
TCP Timeout Max
TCP Timeout Min
TCP Segments Transmitted
TCP Segments Retransmitted
UDP Errored Datagrams
TCP Established Resets
TCP Current Established
UDP Datagrams Received
Monitoring | Statistics | MIB-II | IP
Reset
Restore
Packets Received Address Errors
Packets Received Header Errors
Packets Received Total
Packets Received Unknown Protocols
Reassembly Successes
Fragments Needing Reassembly
Reassembly Failures
Outbound Packets with No Route
Total Received/Transmitted
Monitoring | Statistics | MIB-II | ICMP
Reset
Parameter Problems Received/Transmitted
Errors Received/Transmitted
Destination Unreachable Received/Transmitted
Time Exceeded Received/Transmitted
Timestamp Replies Received/Transmitted
Timestamp Requests Received/Transmitted
Address Mask Requests Received/Transmitted
Address Mask Replies Received/Transmitted
Monitoring | Statistics | MIB-II | ARP Table
Refresh
Mapping Type
Physical Address
Action/Delete
Monitoring | Statistics | MIB-II | Ethernet
Reset
Restore
FCS Errors
Alignment Errors
Carrier Sense Errors
SQE Test Errors
MAC Errors: Receive
MAC Errors: Transmit
Excessive Collisions
Speed Mbps
Requests Received
Monitoring | Statistics | MIB-II | SNMP
Bad Version
Bad Community String
Parsing Errors
Silent Drops
Proxy Drops
Accessing the Command-line Interface
Using the Command-Line Interface
Console Access
Starting the Command-line Interface
Telnet or Telnet/SSL access
Choosing Menu Items
Using the Command-line Interface
Entering Values
Using Shortcut Numbers
Navigating Quickly
Using Back and Home
Getting Help Information
Stopping the Command-line Interface
Saving the Configuration File
Understanding Access Rights
1.1 Configuration > Quick Configuration
1 Configuration
1.2 Configuration > Interface Configuration
Menu Reference
1.3.1 Configuration > System Management > Servers
1.3 Configuration > System Management
2.1 Administration > Software Update
2 Administration
1.4 Configuration > Policy Management
2.3 Administration > Ping
2.2 Administration > System Reboot
2.4 Administration > Access Rights
2.6 Administration > Certificate Management
2.5 Administration > File Management
3 Monitoring
3.2 Monitoring > Event Log
3.1 Monitoring > Routing Table
3.2.2 Monitoring > Event Log > View Event Log
3.3 Monitoring > System Status
3.5 Monitoring > General Statistics
3.4 Monitoring > User Status
Files for Troubleshooting
Troubleshooting and System Errors
Event Logs
Crash Dump File
Configuration Files
LED Indicators
VPN 3002 Front LEDs
Crash Dump File
Problem or Symptom
System Errors
Possible Solution
VPN 3002 Rear LEDs
Series Concentrator Reference Volume
Settings on the VPN Concentrator
the VPN 3002 Hardware Client User Reference
on Connect Now
Invalid Login or Session Timeout
VPN 3002 Hardware Client Manager Errors
Solution
Problem
Login
Manager Logs Out
Incorrect Display
Error Message
Back or Forward on
Possible cause
Problem
Not Allowed Message
Solution
Possible cause
interface supported
Not Found
Problem
Solution
Error
Command-line Interface Errors
Problem
Numerics
See CLI
errors A-10
help command
See also tunnel
Index