Cisco Systems, Inc
Release November
Corporate Headquarters
170 West Tasman Drive San Jose, CA
VPN 3002 Hardware Client Reference
Copyright 2001, Cisco Systems, Inc
Configuration | System
Configuration
System Configuration
Contents
Configuration | System | IP Routing
Configuration | System | Servers | DNS
Configuration | System | Tunneling Protocols
Configuration | System | Management Protocols
Administration | Ping
Configuration | Policy Management
Administration
Administration | Access Rights
Monitoring | Live Event Log
Monitoring
Monitoring | Routing Table
Monitoring | System Status
Monitoring | Statistics | MIB-II
Files for Troubleshooting
LED Indicators
Monitoring | Statistics | MIB-II | IP
78-13782-01
Organization
Preface
Prerequisites
Chapter
Description
Chapter
Title
Chapter
VPN 3000 Series Concentrator Documentation
Related Documentation
VPN 3002 Hardware Client Documentation
VPN Client Documentation
Convention
Documentation conventions
Other References
boldface font
World Wide Web
Obtaining Documentation
Data Formats
Documentation CD-ROM
Documentation feedback
Obtaining technical assistance
Ordering documentation
Cisco.com
Contacting TAC by using the Cisco TAC website
Technical Assistance Center
Contacting TAC by telephone
OL-1893-01
Using the VPN 3002 Hardware Client Manager
VPN 3002 Hardware Client Browser Requirements
C H A P T E R
JavaScript and Cookies
Connecting to the VPN 3002 Using HTTP
Recommended PC Monitor/Display Settings
Navigation Toolbar
Installing the SSL Certificate in Your Browser
Figure 1-2 Install SSL Certificate Screen
4. Click Install Certificate
5. Click Next to continue
7. Click Finish
Viewing Certificates with Internet Explorer
Installing the SSL Certificate with Netscape
Reinstallation
First-time Installation
2. Click Next> to proceed
8. Click Continue
Viewing Certificates with Netscape
Click OK when finished
Connecting to the VPN 3002 Using HTTPS
Configuring HTTP, HTTPS, and SSL Parameters
Logging into the VPN 3002 Hardware Client Manager
Figure 1-27 Manager Main Welcome Screen
Interactive Hardware Client Authentication
Individual User Authentication
The Connection/Login Status screen displays
Step 1 Click the Connection Login Status button
Step 1 Click the Connect Now button
Figure 1-31 Connection Login Status Screen
Step 2 Click Connect
Figure 1-32 Individual User Authentication Screen
Figure 1-33 Connection/Login Status Screen
Mouse pointer and tips
Title bar
Status bar
Top frame
Table of Contents
Reset
Restore
Configuration
Manager screen
Open or expanded
Main frame
– Interfaces: Ethernet parameters
Navigating the VPN 3002 Hardware Client Manager
Figure 1-35 Manager Table of Contents
Configuration
Configuration
Chapter 2 Configuration Configuration
Configuration | Interfaces
Interfaces
DNS Servers
Interface
Ethernet 1 Private, Ethernet 2 Public
DNS Domain Name
IP Address
Default Gateway
Status
Subnet Mask
Static IP Addressing
Configuration | Interfaces | Private
Disabled
IP Address
Speed
Apply/Cancel
Subnet Mask
Duplex
PPPoE Client
Configuration | Interfaces | Public
DHCP Client
Disabled
PPPoE User Name
PPPoE Password
Verify PPPoE Password
Static IP Addressing
Apply / Cancel
Duplex
Reminder
System Configuration
Configuration | System
Chapter 4 System Configuration
Servers
Configuration | System | Servers
Configuration | System | Servers | DNS
Primary DNS Server
Enabled
Domain
Secondary DNS Server
Apply / Cancel
Timeout Period
Timeout Retries
Tunneling
Configuration | System | Tunneling Protocols
Backup Servers
Remote Server
About Backup Servers
IPSec over TCP
IPSec over TCP Port
Group
Use Certificate
Certificate Transmission
About IPSec over TCP
Verify
Password
User
Password
Configuration | System | IP Routing
IP Routing
Reminder
Static Routes
Add / Modify / Delete
Chapter 7 IP Routing
Network Address
Metric
Subnet Mask
Destination Router Address
Add or Apply / Cancel
Destination
Interface
Metric
Default Gateway
Apply / Cancel
Reminder
Address Pool Start/End
Configuration | System | IP Routing | DHCP
Lease Timeout
Enabled
Apply/Cancel
DHCP Option
Add/Modify/Delete
Reminder
Option Value
DHCP Option
Reminder
Nonconfigurable DHCP Options
Configuration | System | Management Protocols
Management Protocols
Enable HTTP
About HTTP/HTTPS
HTTP Port
Enable HTTPS
Enable HTTPS on Public
HTTPS Port
Enable Telnet
Chapter 8 Management Protocols
Telnet/SSL Port
Enable Telnet/SSL
Telnet Port
Maximum Connections
Maximum Queued Requests
Enable SNMP
SNMP Port
Apply / Cancel
Reminder
Add/Modify/Delete
Community Strings
Communities | Add or Modify
Reminder
Community String
Add or Apply / Cancel
Reminder
Related information
Client Authentication
Encryption Algorithms
SSL Version
Generated Certificate Key Size
Apply/Cancel
SSH Port
Enable SSH
Enable SSH on Public
Key Regeneration Period
To apply your SSH settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen
Apply / Cancel
Reminder
Enable HTTPS on Public
Enable XML
SSH IP Address
HTTPS IP Address
HTTPS Wildcard-mask
SSH Wildcard-mask
Class Description Event Source
Events
Event Class
Class Name
Cisco-specific Event Class
Class Description Event Source
Class Name
EVENTMIB
Category
Event Severity Level
Level
Description
Event Log
Event Log Data
Configuration | System | Events
Configuration | System | Events | General
Figure 9-1 Configuration | System | Events Screen
Syslog Format
String
Severity to Syslog
Severity to Log
Severity to Console
Cisco IOS Severity
Severity to Trap
Configuration | System | Events | Classes
Configure either General event
To send this “well-known”
Configured Event Classes
Add/Modify/Delete
Reminder
Modify screen
Enable
Class Name
Severity to Console
Add or Apply/Cancel
Severity to Syslog
Add/Modify/Delete
Trap Destinations
SNMP Version
Community
Destination
Configuration | System | Events | Syslog Servers
Port
Add or Apply/Cancel
Add/Modify/Delete
Syslog Servers
Reminder
Syslog Server
Facility
Port
To add this server to the list of syslog servers, click Add. Or to apply your changes to this syslog server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Syslog Servers screen. Any new server appears in the Syslog Servers list
Add or Apply/Cancel
Reminder
Configuration | System | General
General
Contact
Configuration | System | General | Identification
System Name
Location
Current Time
Configuration | System | General | Time and Date
Enable DST Support
New Time
Reminder
Chapter 10 General
Client Mode with Split Tunneling
Policy Management
Client Mode/PAT
Chapter 11 Policy Management
Network Extension Mode
Network Extension Mode with Split Tunneling
Step 2 Click Connect Now
Tunnel Initiation
Data Initiation
Mode
Configuration | Policy Management
Traffic Management
Tunneling Policy
Configuration | Policy Management | Traffic Management | PAT
Enable
Apply/Cancel
PAT Enabled
Reminder
Administration
Administration
Administration | Software Update
Figure 12-1 Administration Screen
Browse
Upload/Cancel
Current Software Revision
Software Update Error
Software Update Progress
Software Update Success
Chapter 12 Administration
Administration | System Reboot
Configuration
Action
Figure 12-6 Administration | System Reboot Screen
Administration | Ping
When to Reboot/Shutdown
Apply/Cancel
Address/Hostname to Ping
Ping/Cancel
Error Ping
Success Ping
Administration | Access Rights
Administration | Access Rights | Administrators
Figure 12-10 Administration | Access Rights Screen
Verify
Administrator
Password
Encrypt Config File
Administration | Access Rights | Access Settings
Session Idle Timeout
Session Limit
Delete
Administration | File Management
View Save
OK/Cancel
Swap Config Files
Config File Upload via HTTP
Local Config File/Browse
File Upload Progress
Upload/Cancel
File Upload Error
File Upload Success
Enrolling and Installing Digital Certificates
Certificate Management
Installing CA Certificates Manually
Abbrev
Enrolling and Installing Identity Certificates
Recommended Content
Field Name
Verify Challenge Password
Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1. The VPN 3002 sends the certificate request to the CA
Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. See Figure
Certificate Obtained via Enrollment Screen
Obtaining SSL Certificates
Enabling Digital Certificates on the VPN
Deleting Digital Certificates
Administration | Certificate Management
Certificate Authority
Identity Certificates Table
Content
Certificate Authorities Table
Fields
SSL Certificate Table Generate
Subject/Issuer
Content
Fields
Enrollment Status Table
Remove All
Content
Field
Content
Status
SSL Certificate
Administration | Certificate Management | Enroll
Identity Certificate
Enroll via PKCS10 Request Manual
Install a New SA Using SCEP before Enrolling
Type
Enroll via SCEP at Name of SCEP CA
Enroll / Cancel
Fields
Go to Certificate Management
Go to Certificate Enrollment
Go to Certificate Installation
Fields
Enroll / Cancel
Cancel
Enroll
Fields
Install SSL Certificate with Private Key
Administration | Certificate Management | Install
Install CA Certificate
Install Certificate Obtained via Enrollment
Enrollment Status Table
Certificate Obtained via Enrollment Screen
Upload File from Workstation
SCEP Simple Certificate Enrollment Protocol
Cut & Paste Text
Retrieve / Cancel
CA Descriptor
Install / Cancel
Certificate Text
Password
Password
Filename / Browse
Install / Cancel
Administration | Certificate Management | View
Content
Certificate Fields
Field
Content
Back
Field
SCEP Configuration
Administration | Certificate Management |
Configure CA Certificate
Certificate
Administration | Certificate Management | Renewal
Polling Limit
Apply / Cancel
Renew / Cancel
Challenge Password
Verify Challenge Password
Renewal Type
Status
Go to Certificate Installation
Go to Certificate Management
Administration | Certificate Management | Delete
Fields
View Enrollment Request
Yes / No
Administration | Certificate Management |
Content
Enrollment Request Fields
Field
Administration | Certificate Management
Cancel Enrollment Request
Content
Administration | Certificate Management |
Delete Enrollment Request
Fields
Yes / No
Fields
To delete this enrollment request, click Yes
Monitoring
Figure 13-1 Monitoring Screen
Valid Routes
Monitoring | Routing Table
Clear Routes
Address
Monitoring | Filterable Event Log
Metric
Severities
Select Filter Options
Event Class
Client IP Address
Clear Log
Event Log Format
Get Log
There is no undo
Event Severity
Monitoring | Live Event Log
Event Time
Event Class/Number
Clear Display
Timer
Pause Display/Resume Display
Restart
Monitoring | System Status
Reset
Restore
VPN Client Type
Bootcode Rev
Refresh
Software Rev
Duration
Authentication
Tunnel Established to
Security Associations
Other
Front Panel
Back Panel
Refresh
Restore
Back
Rx Multicast
Rx Unicast
Tx Unicast
Tx Multicast
Monitoring | User Status
Cisco IP Phone Bypass Enabled/Disabled
Login Time
Username
Monitoring | Statistics
Reset
Monitoring | Statistics | IPSec
Restore
Total Tunnels
IKE Phase 1 Statistics
Active Tunnels
Received Bytes
Invalid Phase-2 Exchanges Received
Received Phase-2 Exchanges
Sent Phase-2 Exchanges
Invalid Phase-2 Exchanges Sent
Initiated Tunnels
Phase-2 SA Delete Requests Sent
Authentication Failures
Failed Initiated Tunnels
IPSec Phase 2 Statistics
Received Packets Dropped Anti-Replay
Active Tunnels
Outbound Authentications
Inbound Authentications
Failed Inbound Authentications
Failed Outbound Authentications
Monitoring | Statistics | HTTP
Protocol Use Failures
System Capability Failures
Packets Sent Sockets/Sessions
Octets Sent/Received
Packets Sent/Received
Peak
HTTP Sessions
Login Name
Login Time
Max Connections
Monitoring | Statistics | Telnet
Active Sessions
Reset
Successful Sessions
Inbound Octets Command
Attempted Sessions
Telnet Sessions
Responses
Monitoring | Statistics | DNS
Requests
Server Unreachable
Timeouts
Monitoring | Statistics | SSL
Other Failures
Unencrypted Outbound Octets
Unencrypted Inbound Octets
Encrypted Inbound Octets
Encrypted Outbound Octets
Maximum Active Leases
Monitoring | Statistics | DHCP
Active Leases
Leased IP Address
Pool Start
Pool End
Time Left
Reset
Monitoring | Statistics | SSH
Restore
SSH Sessions
Remote IP Address:Port
Login Name
Monitoring | Statistics | NAT
Packets In/Out
Reset
Translations Peak
NAT Sessions
Translations Active
Translations Total
Monitoring | Statistics | PPPoE
Translated Bytes/Packets
Reset
PADR Timeouts
PPPoE Access Concentrator
PADI Timeouts
User Name
PADT Tx
Generic Errors Rx
PADT Rx
Malformed Packets Rx
Monitoring | Statistics | MIB-II
Reset
Monitoring | Statistics | MIB-II | Interfaces
Restore
Multicast In
Unicast In
Unicast Out
Multicast Out
Monitoring | Statistics | MIB-II | TCP/UDP
TCP Segments Received
Reset
TCP Segments Transmitted
TCP Timeout Min
TCP Timeout Max
TCP Segments Retransmitted
TCP Current Established
TCP Established Resets
UDP Errored Datagrams
UDP Datagrams Received
Reset
Monitoring | Statistics | MIB-II | IP
Restore
Packets Received Total
Packets Received Header Errors
Packets Received Address Errors
Packets Received Unknown Protocols
Reassembly Failures
Fragments Needing Reassembly
Reassembly Successes
Outbound Packets with No Route
Monitoring | Statistics | MIB-II | ICMP
Total Received/Transmitted
Reset
Destination Unreachable Received/Transmitted
Errors Received/Transmitted
Parameter Problems Received/Transmitted
Time Exceeded Received/Transmitted
Address Mask Requests Received/Transmitted
Timestamp Requests Received/Transmitted
Timestamp Replies Received/Transmitted
Address Mask Replies Received/Transmitted
Refresh
Monitoring | Statistics | MIB-II | ARP Table
Chapter 13 Monitoring
Action/Delete
Physical Address
Mapping Type
Reset
Monitoring | Statistics | MIB-II | Ethernet
Restore
Carrier Sense Errors
Alignment Errors
FCS Errors
SQE Test Errors
Excessive Collisions
MAC Errors: Transmit
MAC Errors: Receive
Speed Mbps
Bad Version
Monitoring | Statistics | MIB-II | SNMP
Requests Received
Silent Drops
Parsing Errors
Bad Community String
Proxy Drops
Console Access
Using the Command-Line Interface
Accessing the Command-line Interface
Starting the Command-line Interface
Telnet or Telnet/SSL access
Entering Values
Using the Command-line Interface
Choosing Menu Items
Using Shortcut Numbers
Navigating Quickly
Using Back and Home
Getting Help Information
Understanding Access Rights
Saving the Configuration File
Stopping the Command-line Interface
1.2 Configuration > Interface Configuration
1 Configuration
1.1 Configuration > Quick Configuration
Menu Reference
1.3 Configuration > System Management
1.3.1 Configuration > System Management > Servers
2 Administration
1.4 Configuration > Policy Management
2.1 Administration > Software Update
2.4 Administration > Access Rights
2.2 Administration > System Reboot
2.3 Administration > Ping
2.5 Administration > File Management
2.6 Administration > Certificate Management
3 Monitoring
3.2.2 Monitoring > Event Log > View Event Log
3.1 Monitoring > Routing Table
3.2 Monitoring > Event Log
3.3 Monitoring > System Status
3.4 Monitoring > User Status
3.5 Monitoring > General Statistics
Event Logs
Troubleshooting and System Errors
Files for Troubleshooting
Crash Dump File
VPN 3002 Front LEDs
LED Indicators
Configuration Files
Crash Dump File
Possible Solution
System Errors
Problem or Symptom
VPN 3002 Rear LEDs
the VPN 3002 Hardware Client User Reference
Settings on the VPN Concentrator
Series Concentrator Reference Volume
on Connect Now
VPN 3002 Hardware Client Manager Errors
Invalid Login or Session Timeout
Login
Problem
Solution
Manager Logs Out
Back or Forward on
Error Message
Incorrect Display
Possible cause
Solution
Not Allowed Message
Problem
Possible cause
Problem
Not Found
interface supported
Solution
Command-line Interface Errors
Error
Problem