December 1999
Cisco Secure VPN Client provides client-to-gateway Virtual Private Networking capability on a Windows 95, Windows 98, and Windows NT desktop or laptop computer. The information in this document applies to versions 1.0 and 1.0a of the Cisco Secure VPN Client.
The only caveat resolved in version 1.0a is CSCdp19890.
These release notes contain the following sections:
Cisco Secure VPN Client provides Virtual Private Networking (VPN) capability on a desktop or laptop computer. Based on the latest industry-standard IPSec recommendations, Cisco Secure VPN Client enables secure client-to-gateway communications over TCP/IP networks, including the Internet.
Cisco Secure VPN Client gives you the tools you need to use public key encryption for your secure Internet communications. It automatically generates the public/private key pair you need to obtain a digital certificate. It lets you import and maintain digital certificates in its Certificate Manager, and it allows you to import or configure your Secure Connection in its Security Policy Editor.
The following sections list the computer and network requirements. Refer to http://www.cisco.com/go/vpnclient for the latest version of the release notes.
Cisco Secure VPN Client requires the following:
Step 1 Close all other programs before continuing.
Step 2 If you are upgrading from a previous version of SafeNet/SoftPK Client or Cisco Secure VPN Client, uninstall the old version, then reboot, then install the new version. When you uninstall a previous version, you may keep any existing key pairs and certificates.
Step 3 Insert the Cisco Secure VPN Client CD-ROM. The installation program should start automatically. If it does not, perform the following:
(a) Click Start>Run.
(b) Type d:\setup.exe ("d" designates your CD-ROM drive, which could be different depending on your computer's setup).
Step 4 When the Installation Wizard starts, follow the instructions on your screen.
Step 5 When the setup completes, select Yes, I want to restart my computer now. Remove the CD-ROM, and click Finish. Your computer will automatically restart.
The SafeNet icon appears in the status area of your Windows taskbar, which is usually located in the lower right corner of your screen.
Step 6 Once you have successfully installed Cisco Secure VPN Client, you need either a pre-shared key or a digital certificate and a Secure Connection to secure communications. Look for detailed instructions in your Cisco Secure VPN Client Quick Start Guide or help file. To access the help file, right-click the SafeNet icon on the taskbar and select Help.
Cisco Secure VPN Client starts automatically each time your computer starts, and runs transparently on your computer.
The SafeNet icon changes color and image as you begin and end communications sessions:
For more information, review the help file, which you can view by right-clicking the SafeNet icon on the taskbar, or from the Help menu in the Security Policy Editor or Certificate Manager.
You can temporarily deactivate the client by right-clicking the SafeNet icon on the taskbar and clicking Deactivate Security Policy. When you are ready to restart the client, click Activate Security Policy on this same menu.
To uninstall Cisco Secure VPN Client:
Step 1 Click Start>Settings>Control Panel.
Step 2 Double-click Add/Remove Programs. The Add/Remove Programs Properties window appears.
Step 3 Click the Install/Uninstall tab.
Step 4 Click Cisco Secure VPN Client from the list.
Step 5 Click Add/Remove.
Step 6 You are prompted with the following:
Are you sure you want to completely remove `Cisco Secure VPN Client' and all of its components?
Click Yes. You will still be prompted to save or delete your certificates and key pairs.
Step 7 The uninstall starts, and you are prompted with the following:
Would you like to delete Security Policy Personal Certificates and Private/Public Keys?
If you plan to reinstall this product, click No; otherwise, click Yes.
Step 8 After the uninstallation completes, if any files were in use, you are prompted with a reminder that you should restart your computer to remove files in use during the uninstallation. Click OK at this prompt to acknowledge this reminder.
Step 9 If prompted to restart your computer, click OK.
Step 10 Restart your computer now by clicking Start>Shutdown.
The following restrictions apply to both version 1.0 and 1.0a:
This section provides information about using Cisco Secure VPN Client, versions 1.0 and 1.0a.
The Entrust CA is supported through the file method. After you have installed the Cisco Secure VPN Client, you can view the Create a certificate request file online help topic for information about the file method. You can access online help from the Security Policy Editor, Certificate Manager, or by right-clicking the SafeNet taskbar icon. When the online help appears, click the Contents tab. The Create a certificate request file help topic is located in the Working with Digital Certificates>Requesting Digital Certificates from CAs>Manual Enrollment topic folder.
Cisco Secure VPN Client does not support the use of CEP with the Entrust CA.
Installing the client causes Equant dial service to fail if the Inverse IP Insight tool is also present. The Equant Dial Manager software must be installed after the client has been installed.
When removing the Equant Dialer, remove the Inverse IP Insight application, and then install the Cisco Secure VPN Client.
Cisco Secure VPN Client lets you specify various combinations of IPSec protocols on the menu at Network Security Policy>connection_name>Security Policy>Key Exchange (Phase 2)>Proposal.
PIX Firewall and Cisco IOS software support all Cisco Secure VPN Client IPSec protocols with these exceptions:
You can specify an internal network address on the Security Policy Editor's My Identity menu by clicking Options>Global Policy Settings. In the Global Policy Settings dialog box, select the Allow to Specify Internal Network Address check box.
The Internal Network IP Address field then appears in the My Identity menu to the right of the ID Type field.
Before upgrading Microsoft Dial-Up Networking (DUN), uninstall the Cisco Secure VPN Client. Once DUN is installed and configured, reinstall the client. When you uninstall the Cisco Secure VPN Client, you can choose not to delete Security Policy Personal Certificates and Private/Public Keys. We recommend MS-DUN version 1.3 or later.
You can provide users a standardized Secure Connection by creating it with the values you determine, and then exporting it by clicking File>Export Security Policy. When you are prompted to protect the exported Secure Connection by making it non-editable, click Yes. When users open the Secure Connection, the Connection Security information displays the message that it is Secure. Users can view the parameters, but they cannot change them.
The Remote Party Identity and Addressing menu appears on the Connection menu after you start a new Network Security Policy.
The following ID Type values are supported:
The default Internet Key Exchange (IKE) lifetime on the Cisco IOS router is 24 hours (86,400 seconds), the client has a default of 8 hours (28,800 seconds), and the PIX Firewall has a default of 24 hours.
The client must propose a lifetime less than or equal to the router's value; the smaller of the two lifetimes is negotiated. However, if the router is left at its default, the router applies the default regardless of the lifetime the client proposes.
The client may offer any value to the PIX Firewall, with the lower of the two lifetimes used.
On the menu at Network Security Policy>connection_name>Security Policy>Key Exchange (Phase 2)>Proposal, you can set the IPSec SA Life (lifetime) value to either Seconds or Kbytes (kilobytes). When specifying a lifetime in seconds, the peers, whether client and Cisco router or client and PIX Firewall, will agree to use the smaller of the values proposed by each peer.
By default, the router uses 1 hour (3,600 seconds), the Cisco Secure VPN Client uses 8 hours (28,800 seconds), and the PIX Firewall uses 8 hours for the IPSec SA lifetime. We recommend using the default values for optimal stability.
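As an added illustration (not code from Cisco or from this document), the following Python models the phase 1 and phase 2 lifetime rules stated in the two passages above, including the Cisco IOS behaviour of applying its default regardless of the client's proposal; the gateway kinds "ios" and "pix", the function names, and treating a client IKE proposal larger than the router's configured value as an error are assumptions.

```python
"""Models the IKE (phase 1) and IPSec SA (phase 2) lifetime rules given in these
release notes. Added illustration, not Cisco code; gateway kinds "ios"/"pix", the
function names and the error for a client proposal above the router's configured
value are assumptions."""

# Defaults stated in the release notes, in seconds.
IOS_IKE_DEFAULT = 86_400       # Cisco IOS router IKE lifetime (24 hours)
PIX_IKE_DEFAULT = 86_400       # PIX Firewall IKE lifetime (24 hours)
IOS_IPSEC_DEFAULT = 3_600      # Cisco IOS router IPSec SA lifetime (1 hour)
PIX_IPSEC_DEFAULT = 28_800     # PIX Firewall IPSec SA lifetime (8 hours)
CLIENT_DEFAULT = 28_800        # client default for both phases (8 hours)


def ike_lifetimes(client, gateway_kind, gateway=None):
    """Return (client_view, gateway_view) of the negotiated phase 1 lifetime.

    Cisco IOS: the client must propose no more than the router's value and the
    smaller one wins, except that a router left at its default applies 86,400
    seconds whatever the client proposed (CSCdm69381), so the peers may disagree.
    PIX Firewall: the client may propose any value; the lower of the two is used.
    """
    if gateway_kind == "ios":
        gateway = IOS_IKE_DEFAULT if gateway is None else gateway
        if client > gateway:
            raise ValueError("client IKE lifetime must not exceed the router's")
        if gateway == IOS_IKE_DEFAULT:
            return client, IOS_IKE_DEFAULT       # router ignores the proposal
        return min(client, gateway), min(client, gateway)
    if gateway_kind == "pix":
        gateway = PIX_IKE_DEFAULT if gateway is None else gateway
        return min(client, gateway), min(client, gateway)
    raise ValueError(f"unknown gateway kind: {gateway_kind}")


def ipsec_lifetime(client, gateway_kind, gateway=None):
    """Phase 2 lifetime in seconds: both gateway types use the smaller proposal."""
    default = IOS_IPSEC_DEFAULT if gateway_kind == "ios" else PIX_IPSEC_DEFAULT
    gateway = default if gateway is None else gateway
    return min(client, gateway)


def negotiate(gateway_kind, client_ike=CLIENT_DEFAULT, client_ipsec=CLIENT_DEFAULT,
              gateway_ike=None, gateway_ipsec=None):
    """Summarise both phases and flag a phase 1 lifetime the peers disagree on,
    the condition CSCdm69381 works around by matching the router to the client."""
    client_view, gateway_view = ike_lifetimes(client_ike, gateway_kind, gateway_ike)
    return {
        "ike_client": client_view,
        "ike_gateway": gateway_view,
        "ipsec": ipsec_lifetime(client_ipsec, gateway_kind, gateway_ipsec),
        "mismatch": client_view != gateway_view,
    }


if __name__ == "__main__":
    print(negotiate("ios"))                       # mismatch: 28,800 vs 86,400
    print(negotiate("ios", gateway_ike=28_800))   # workaround from CSCdm69381
```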
Before you configure a Secure Connection, you must already have established a connection and configured the preliminary settings through the Options>Secure>All Connections or Specified Connections options.
The purpose of configuring a Secure Connection is to create a security association (SA) for each connection through IKE negotiations.
There are two phases to every IKE negotiation, which you must also configure:
When enrolling a client with the VeriSign CA service, the domain name field of the online request must contain the FQDN (fully qualified domain name) of the device.
You can display the view log by right-clicking the SafeNet icon on the taskbar and clicking Log Viewer.
The open caveats described in this section provide important information that you need to run the Cisco Secure VPN Client. Table 1 lists the caveats for version 1.0. These open caveats also apply to version 1.0a.
If you have an account with Cisco Connection Online (CCO), you can use the Bug Toolkit to determine the status of open caveats:
1. Access CCO at http://www.cisco.com.
2. Click Login on the upper toolbar. When prompted, enter your CCO username and password.
3. Go to the Bug Toolkit on CCO at Service & Support>Online Technical Support>Software Bug Toolkit>Search for Bug by ID Number, or at http://www.cisco.com/kobayashi/bugs/bugs.html.
4. Enter the bug ID number and click Search to view the current status.
Table 1 lists the open caveats for version 1.0:
| DDTS ID | Description |
|---|---|
| Issues with Security Association Lifetimes | |
| CSCdm69419 | Cisco Secure VPN Client maintains only one pair of SAs for a given peer. Ideally, Cisco Secure VPN Client should always be the initiator when re-keying. If this does not happen, connectivity between the client and gateway may be disrupted temporarily until the new SA is used. This disruption may cause some application sessions to time out. Once the new SA is used, connectivity is restored and the user should restart the application. We recommend that when configuring SA lifetimes, you use seconds or apply the default value of Unspecified (28,800 seconds). |
| CSCdm69381 | If the client is configured to send less than the Cisco IOS software default for IKE (86,400 seconds, or 24 hours), IKE will succeed but the lifetime set at the router will be the Cisco IOS software default, not the value proposed by the client. A workaround is to set the Cisco IOS software IKE lifetime to be the same as that of the client. |
| Certificate Issues | |
| CSCdm69396 | On Windows NT 4.0 Service Pack 4, when adding a new CA certificate (online through CEP or importing from a file), no confirmation dialog is displayed. |
| CSCdm69393 | The Cisco Secure VPN Client has a fixed CRL (Certificate Revocation List) download period of 4 hours. As a result, if the CRL has expired, the client will not be able to identify the validity of the remote peer's certificate. In this case, the client will not establish an IKE SA until the CRL is updated. As a workaround, we recommend setting the CA's CRL lifetime to 24 hours. This reduces the likelihood of the client acquiring a CRL with an imminent expiration. |
| CSCdm69392 | For a remote identity or a security gateway when using certificates, the identity type has to be Domain Name and the identity has to be specified as an FQDN. Also, the IP address has to be specified because the FQDN is not resolvable on the Cisco Secure VPN Client computer. |
| CSCdm69390 | The Security Policy Editor must be closed and reopened before changes made in the Certificate Manager are visible to the Secure Connection. |
| Miscellaneous | |
| CSCdm81468 | You may experience delays when setting up multiple secure connections from a single client to the same Cisco IOS software gateway. |
| CSCdm89035 | Before adding or removing any network adapters from the Network Control Panel, uninstall the Cisco Secure VPN Client and reboot the computer. After the adapters are configured appropriately, reinstall the client. If this procedure is not followed, you may experience system instability upon rebooting after adapters have been added or removed. You can recover by starting your Windows system in Safe Mode, uninstalling the client, rebooting, and then reinstalling the client. |
| CSCdm88523 | The Security Policy Editor dialog may continuously loop under the following conditions: (1) the ID Type for the Connection Entry just above "Other Connections" is not IP Address, (2) you delete this Connection Entry with the "Other Connections" entry highlighted, and (3) you click Save while "Other Connections" is still highlighted. A dialog box then appears and displays the following: SPDEDIT: The parameter value is invalid for the address type selected. If you click OK, the dialog box continuously reappears. The workaround is to delete the connection entry, move the highlight away from the "Other Connections" Secure Connection, and save the changes. |
| CSCdm80701 | Configuring the client for TCP traffic only also allows all UDP traffic if the gateway proposes the UDP-based Secure Connection. Generally, traffic is initiated from the client side, so this behavior is rare. Note: this scenario does not apply to the PIX Firewall. |
| CSCdm80643 | Installing the client causes Equant dial service to fail if the Inverse IP Insight tool is also present. The Equant Dial Manager software must be installed after the client has been installed. When removing the Equant Dialer, remove the Inverse IP Insight application, and then install the Cisco Secure VPN Client. |
| CSCdm69425 | Toggling between Secure, Block, and Non-secure on a Secure Connection may cause a subnet defined as the Remote Party Identity ID to change to an IP Address ID. The user will need to redefine the ID type. |
| CSCdm68679 | When using mode config with Cisco Secure PIX Firewall and Cisco IOS software, more than one IP address may be used by a client; consequently, the error starting with "Non-Secure Connection" may appear in the View Log. This does not affect the traffic in any way and can be ignored. |
| CSCdm60716 | Client and Windows NT privileges: the client must be installed and started from the Windows NT administrator login. |
| CSCdm55397 | Uninstall any previous version of SafeNet/Soft-PK Client or Cisco Secure VPN Client before installing a new version of Cisco Secure VPN Client. |
There are no new open caveats in version 1.0a.
There are no new resolved caveats in version 1.0.
Caveat CSCdp19890 was resolved in version 1.0a. When you assign an internal IP address via either mode config or static configuration, attempts to log in to a Windows NT network may fail. The fix in CSCdp19890 uses the client's internal IP address as the source address in the NetBIOS payload, which lets the Windows NT Server successfully respond to the client.
A delay may occur between the time the Windows network login prompt appears and the actual establishment of the IPSec tunnel. This delay may cause the login attempt to time out because a server is not available. If this occurs, cancel the first attempt and retry. Use the event log on the Cisco Secure VPN Client during this process to view login status.
Use this document in conjunction with the Cisco Secure VPN Client Quick Start Guide included with the CD-ROM and available on CCO, and also with the online help included with the software. Also use this document in conjunction with the CCO online version of the Cisco Secure VPN Client Solutions Guide available at the following Cisco Secure VPN Client documentation site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csvpnc/index.htm
Refer to the CCO online version of these release notes at the Cisco Secure VPN Client documentation site for the most current information.
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.
Posted: Tue Dec 14 22:55:32 PST 1999
Copyright © 1989-1999 Cisco Systems, Inc.