
Table Of Contents

Preconfiguring the VPN Client for Remote Users

Profiles

File Format for All Profile Files

Creating a Global Profile

Features Controlled by Global Profile

Global Profile Configuration Parameters

Creating Connection Profiles

Features Controlled by Connection Profiles

Creating a .pcf file for a Connection Profile

Distributing Configured VPN Client Software to Remote Users


Preconfiguring the VPN Client for Remote Users


This chapter explains how to prepare configurations for remote users and how to distribute them. This chapter includes the following sections:

Profiles

Creating a Global Profile

Creating Connection Profiles

Profiles

Groups of configuration parameters define the connection entries that remote users use to connect to a VPN device. Together these parameters form files called profiles. There are two profiles: a global profile and an individual profile. A global profile sets rules for all remote users; it contains parameters for the VPN Client as a whole. The name of the global profile file is vpnclient.ini. Individual profiles contain the parameter settings for each connection entry and are unique to that connection entry. Individual profiles have a .pcf extension.

Profiles get created in two ways: when you or a remote user creates connection entries using the VPN Dialer application (connection wizard) or when you create profiles using a text editor. In the first case, the remote user is also creating a file that can be edited through a text editor. You can start with a profile file generated through the GUI and edit it. This approach lets you control some parameters that are not available in the VPN Client GUI application.

The default location for individual profiles is C:\Program Files\Cisco Systems\VPN Client\Profiles.

This chapter explains how to create and edit the vpnclient.ini and individual profiles. Both files use the same conventions.


Note The easiest way to create a profile is to run the VPN Client and use the VPN Dialer application to configure the parameters. When you have created a profile in this way, you can copy the .pcf file to a distribution disk for your remote users. This approach eliminates errors you might introduce by typing the parameters, and the group password is automatically converted to an encrypted format.


File Format for All Profile Files

The vpnclient.ini and .pcf files follow normal Windows.ini file format:

Use a semicolon (;) to begin a comment.

Place section names within brackets [section name]; they are not case sensitive.

Use key names to set values for parameters; keyword = value. Keywords without values, or unspecified keywords, use VPN Client defaults. Keywords can be in any order and are not case sensitive, although using lower and uppercase makes them more readable.

Making a Parameter Read Only

To make a parameter read-only so that the client user cannot change it within the VPN Client applications, precede the parameter name with an exclamation mark (!). This controls what the user can do within the VPN Client applications only. You cannot prevent someone from editing the global or .pcf file and removing the read-only designator.

Creating a Global Profile

The name of the global profile is vpnclient.ini. You can locate it in the C:\Program Files\Cisco Systems\VPN Client directory (default location created during installation).

Features Controlled by Global Profile

The vpnclient.ini file controls the following features:

Start before logon

Automatic disconnect upon log off

Control of logging services by class

Setting of the Stateful Firewall option

Certificate enrollment

Identity of a proxy server for routing HTTP traffic

Identity of an application to launch upon connect

Missing group warning message

Location of the Entrust.ini file

List of GINAs that are not compatible with the VPN Client

Auto initiation

Microsoft Outlook to Microsoft Exchange polling

The method to use in adding suffixes to domain names on Windows 2000 and Windows XP platforms

Sample vpnclient.ini file

This sample file shows what you might see if you open it with a text editor

[main]
IncompatibleGinas=PALGina.dll,theirgina.dll
RunAtLogon=0
EnableLog=1
DialerDisconnect=1
AutoInitiationEnable=1
AutoInitiationRetryInterval=1
AutoInitiationList=techsupport,admin
[techsupport]
Network=175.55.0.0
Mask=255.255.0.0
ConnectionEntry=ITsupport
[admin]
Network=176.55.0.0
Mask=255.255.0.0
ConnectionEntry=Administration
[LOG.IKE]
LogLevel=1
[LOG.CM]
LogLevel=1
[LOG.PPP]
LogLevel=2
[LOG.DIALER]
LogLevel=2
[LOG.CVPND]
LogLevel=1
[LOG.CERT]
LogLevel=0
[LOG.IPSEC]
LogLevel=3
[LOG.FIREWALL]
LogLevel=1
[LOG.CLI]
LogLevel=1
[CertEnrollment]
SubjectName=Alice Wonderland
Company=University of OZ
Department=International Relations
State=Massachusetts
Country=US
Email=AliceW@UOZ.com
CADomainName=CertsAreUs
CAHostAddress=10.10.10.10
CACertificate=CAU
[Application Launcher]
Enable=1
Command=c:\apps\apname.exe

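The following parser is an added example (not Cisco's code) that applies the rules from "File Format for All Profile Files" above: semicolon comments, case-insensitive section and keyword names, keywords with no value meaning "use the default", and the leading "!" that marks a keyword read-only in the GUI. It then resolves the auto-initiation lookup that the [main] AutoInitiationList, Network, Mask and ConnectionEntry keywords describe, so you can check which connection entry a given local address would select before distributing the file. The embedded profile is a constructed, cut-down copy of the sample vpnclient.ini with a comment line and one "!" marker added; first-match-wins ordering and skipping of a listed section that does not exist are assumptions, not documented client behaviour.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: cut-down copy of the chapter's vpnclient.ini, plus a
# comment line and a "!" read-only marker so the parser has something to do.
SAMPLE_INI = """\
; global profile - a semicolon starts a comment
[main]
IncompatibleGinas=PALGina.dll,theirgina.dll
RunAtLogon=0
EnableLog=1
!StatefulFirewall=1
AutoInitiationEnable=1
AutoInitiationRetryInterval=1
AutoInitiationList=techsupport,admin
[techsupport]
Network=175.55.0.0
Mask=255.255.0.0
ConnectionEntry=ITsupport
[admin]
Network=176.55.0.0
Mask=255.255.0.0
ConnectionEntry=Administration
[LOG.IKE]
LogLevel=1
"""


@dataclass
class Setting:
    value: str
    read_only: bool = False  # True when the keyword carried the "!" prefix


def parse_profile(text):
    """Return {section: {keyword: Setting}} with section and keyword names
    lowercased, because the file format says both are case-insensitive."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comment and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"keyword outside any section: {raw!r}")
        key, _, value = line.partition("=")
        key = key.strip()
        read_only = key.startswith("!")
        if read_only:
            key = key[1:].strip()
        # A keyword with no value ("Key=" or bare "Key") means: use the default.
        sections[current][key.lower()] = Setting(value.strip(), read_only)
    return sections


def value_of(section, key, default=""):
    setting = section.get(key.lower())
    return setting.value if setting else default


def auto_initiation_entry(profile, local_ip):
    """Return the ConnectionEntry whose Network/Mask contains local_ip, or None
    when auto initiation is off or no listed subnet matches."""
    main = profile.get("main", {})
    if value_of(main, "AutoInitiationEnable", "0") != "1":
        return None
    names = [n.strip() for n in value_of(main, "AutoInitiationList").split(",") if n.strip()]
    if len(names) > 64:  # documented maximum number of entries
        raise ValueError("AutoInitiationList exceeds the documented maximum of 64 entries")
    addr = ipaddress.ip_address(local_ip)
    for name in names:
        sect = profile.get(name.lower())
        if sect is None:
            continue  # assumption: a listed but missing section is skipped
        net = ipaddress.ip_network(
            f"{value_of(sect, 'Network')}/{value_of(sect, 'Mask')}", strict=False
        )
        if addr in net:  # assumption: first matching section wins
            return value_of(sect, "ConnectionEntry")
    return None


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_INI)
    for ip in ("175.55.12.3", "176.55.1.1", "10.0.0.1"):
        print(ip, "->", auto_initiation_entry(profile, ip))
```

Because the parser keeps the read-only flag per keyword, the same structure can be used to verify that the settings you intended to lock (the "!" prefix) are actually locked in the file you are about to ship.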
The rest of this section explains the parameters that can appear in the vpnclient.ini file, what they mean, and how to use them.

Global Profile Configuration Parameters

Table 2-1 lists all parameters, keywords, and values. It also includes the parameter name as used in the VPN Client GUI application if it exists, and where to configure it in the application.

Table 2-1 vpnclient.ini file parameters 

.ini Parameter (Keyword)
VPN Client Parameter Description
Values
VPN Client GUI Configuration Location(s)

[main]

Required keyword to identify main section.

[main]

Enter exactly as shown, as first entry in the file.

Does not appear in GUI

IncompatibleGinas

Lists Graphical Identification and Authentication dynamic link libraries (GINA.DLLs) that are not compatible with Cisco's GINA. Adding a GINA to the list causes the VPN Client to leave the GINA alone during installation and use fallback mode. The VPN Client goes into fallback mode only if RunAtLogon = 1. Otherwise, the Client GINA is never installed. (See "Installing the VPN Client Without User Interaction".)

After the keyword and equal sign, enter the name(s) of the GINAs, separated by commas. For example:

IncompatibleGinas=
PALgina.dll, Yourgina.dll, Theirgina.dll

Do not enclose the name in quotes.

Does not appear in GUI

MissingGroupDialog

Controls the pop up window warning that occurs when a user tries to connect without setting the group name in a preshared connection.

0= Do not show the warning message.
1=Show the warning message.

Does not appear in GUI

RunAtLogon

Specifies whether to start the VPN Client connection before users log on to their Microsoft network. Available only for the Windows NT platform (Windows NT 4.0, Windows 2000 and Windows XP). This feature is sometimes known as the NT Logon feature.

0 = Disable
1 = Enable

Default = 0

Dialer > Options >
Windows Logon Properties > Enable start before logon

EntrustIni=

Locates the entrust.ini file if it is in a location different from the default. The default location is the base Windows system directory.

Complete pathname of location

Does not appear in GUI

DialerDisconnect=

Determines whether to automatically disconnect upon logging off a Windows NT platform (Windows NT 4.0, Windows 2000 and Windows XP). Disabling this parameter lets the VPN connection remain when the user logs off, allowing that user to log back in without having to establish another connection.

0 = Disable
1 = Enable

Default = 1 (disconnect on logoff)

Dialer > Options >
Windows Logon Properties > Disconnect VPN connection when logging off

There are limitations to DialerDisconnect. For example, in the case of MS DUN, the RAS (PPP) connection might go down when the user logs off. For more information about this specific case, see the following URL:

http://support.microsoft.com/support/kb/articles/Q158/9/09.asp?LN=EN-US&SD=gn&FR=0&qry=RAS%20AND%20LOGOFF&rnk=2&src=DHCS_MSPSS_gn_SRCH&SPR=NTW40

EnableLog=

Determines whether to override log settings for the classes that use the logging services. By default, logging is turned on. This parameter lets a user disable logging without having to set the log levels to zero for each of the classes. By disabling logging you can improve the performance of the client system.

0 = Disable
1 = Enable

Default = 1

Log Viewer > Options > Capture

StatefulFirewall=

Determines whether the stateful firewall is always on. When enabled, the stateful firewall always on feature allows no inbound sessions from all networks, whether a VPN connection is in effect or not. Also, the firewall is active for both tunneled and nontunneled traffic.

0 = Disable
1 = Enable

Default = 0

Dialer > Options >
Stateful Firewall (Always On)

AutoInitiationEnable

Enables auto initiation, which is an automated method for establishing a wireless VPN connection in a LAN environment.

0 = Disable
1 = Enable

Default = 0

Dialer > Options >
Automatic VPN Initiation

AutoInitiationRetryInterval

Specifies the time to wait, in minutes, before retrying auto initiation after a connection attempt failure.

1 to 10 minutes

Default = 1

Dialer > Options > Automatic VPN Initiation

AutoInitiationList

Identifies auto initiation-related section names within the vpnclient.ini file. Each section contains a Network, Mask, and ConnectionEntry. The Network and Mask values identify a subnet. The ConnectionEntry identifies a connection entry profile (.pcf) file. The vpnclient.ini file can contain a maximum of 64 entries.

A list of section names separated by commas; for example:

SJWLAN, RTPWLAN, CHWLAN

Does not appear in GUI

[section name]

(of an item in the AutoInitiationList)

Identifies the network address, subnet mask, and connection entry name for an item in the AutoInitiationList

Network = IP address
Mask = Subnet mask
ConnectionEntry = name of a connection entry (profile).

Example:

[SJWLAN]
Network=110.110.110.0
Mask=255.255.0.0
ConnectionEntry=SantaJuanitaWirelessLAN

Does not appear in GUI

OutlookNotify

Controls Microsoft Outlook to Microsoft Exchange polling. In MS Outlook 2000, if Outlook is polling and synchronizing at the same time, Outlook hangs. If you prefer synchronization over new mail notifications, disable this parameter.

0 = Disable
1 = Enable

Default = 1

Does not appear in GUI

For each class that follows, use the LogLevel= parameter to set the logging level

[LOG.IKE]

Identifies the IKE class for setting the logging level.

[LOG.IKE]

Enter exactly as shown.

Log Viewer > Options > Filter

[LOG.CM]

Identifies the CM class for setting the logging level.

[LOG.CM]

Enter exactly as shown.

Log Viewer > Options > Filter

[LOG.PPP]

Identifies the PPP class for setting the logging level.

[LOG.PPP]

Enter exactly as shown.

Log Viewer > Options > Filter

[LOG.DIALER]

Identifies the DIALER class for setting the logging level.

[LOG.DIALER]

Enter exactly as shown.

Log Viewer > Options > Filter

[LOG.CVPND]

Identifies the CVPND class for setting the logging level.

[LOG.CVPND]

Enter exactly as shown.

Log Viewer > Options > Filter

[LOG.CERT]

Identifies the CERT class for setting the logging level.

[LOG.CERT]

Enter exactly as shown.

Log Viewer > Options > Filter

[LOG.IPSEC]

Identifies the IPSEC class for setting the logging level.

[LOG.IPSEC]

Enter exactly as shown.

Log Viewer > Options > Filter

[LOG.FIREWALL]

Identifies the FWAPI class for setting the logging level.

[LOG.FIREWALL]

Enter exactly as shown.

Log Viewer > Options > Filter

[LOG.CLI]

Identifies the CLI class for setting the logging level.

[LOG.CLI]

Enter exactly as shown.

Log Viewer > Options > Filter

LogLevel=

Determines the log level for individual classes that use logging services. By default, the log level for all classes is Low. You can use this parameter to override the default setting for the preceding [LOG] parameters.

0 = Disable
1 = Low - only critical and warning events
2 = Medium - critical, warning, and informational events
3 = High - all events

Default = 1

Log Viewer > Options > Filter

[CertEnrollment]

Required keyword to identify the Certificate Enrollment section.

[CertEnrollment]

Enter exactly as shown.

Does not appear in GUI

SubjectName=

Identifies the username associated with this certificate.

Maximum of 519 alphanumeric characters.

Certificate Manager > Enrollment form

Company=

Identifies the company or organization of the certificate owner.

Maximum of 129 alphanumeric characters.

Certificate Manager > Enrollment form

Department=

Identifies the department or organizational unit of the certificate owner. If matching by IPSec group in a VPN 3000 Concentrator, must match the group name in the configuration.

Maximum of 129 alphanumeric characters.

Certificate Manager > Enrollment form

State=

Identifies the state or province of the certificate owner.

Maximum of 129 alphanumeric characters.

Certificate Manager > Enrollment form

Country=

Identifies the two-letter code identifying the country of this certificate owner.

Maximum of 2 alphanumeric characters.

Certificate Manager > Enrollment form

Email=

Identifies the certificate owner's email address.

Maximum of 129 alphanumeric characters.

Certificate Manager > Enrollment form

IPAddress

Identifies the IP address of the system of the certificate owner.

Internet address in dotted decimal notation.

Certificate Manager > Enrollment form

Domain

Identifies the fully qualified domain name of the host that is serving the certificate owner.

Maximum of 129 alphanumeric characters.

Certificate Manager > Enrollment form

CADomainName=

Identifies the domain name that the certificate authority belongs to; for network enrollment.

Maximum of 129 alphanumeric characters.

Certificate Manager > Enrollment form

CAHostAddress=

Identifies the IP address or hostname of the certificate authority.

Internet hostname or IP address in dotted decimal notation. Maximum of 129 alphanumeric characters.

Certificate Manager > Enrollment form

CACertificate=

Identifies the name of the self-signed certificate issued by the certificate authority.

Maximum of 519 alphanumeric characters.

Note: The VPN Client GUI ignores a read-only setting on this parameter.

Certificate Manager > Enrollment form

NetworkProxy=

Identifies a proxy server you can use to route HTTP traffic. Using a network proxy can help prevent intrusions into your private network.

IP address in dotted decimal notation or domain name. Maximum of 519 alphanumeric characters. The proxy setting sometimes has a port associated with it.

Example:10.10.10.10:8080

Does not appear in GUI

[ApplicationLauncher]

(No VPN Client field)

Required keyword to identify Application Launcher section.

[ApplicationLauncher]

Enter exactly as shown, as first entry in the section.

Does not appear in GUI

Enable=

Use this parameter to allow VPN Client users to launch an application when connecting to the private network.

0 = Disabled (default)
1 = Enabled

Disabled means no launching.

Options > Application Launcher

Command=

The name of the application to be launched. This variable includes the pathname to the command, and the name of the command complete with arguments.

command string

Maximum 512 alphanumeric characters.

Example:

c:\auth\swtoken.exe

Options > Application Launcher > Application

[DNS]

(No VPN Client field)

Required keyword to identify DNS section.

[DNS]

Enter exactly as shown, as first entry in the section.

Does not appear in GUI

AppendOriginalSuffix=

Determines the way the VPN Client treats suffixes to domain names. See "DNS Suffixes and the VPN Client (Windows 2000 and Windows XP Only)", following this table.

1= append the primary DNS suffix to the suffix that the VPN Concentrator supplies.

2= append the primary and connection-specific DNS suffixes to the suffix that the VPN Concentrator supplies.

Does not appear in GUI


DNS Suffixes and the VPN Client (Windows 2000 and Windows XP Only)

When a command or program such as ping server123 passes a hostname without a suffix to a Windows 2000 or Windows XP platform, Windows 2000/XP has to convert the name into a fully-qualified domain name (FQDN). The Windows operating system has two methods for adding suffixes to domain names: Method 1 and Method 2. This section describes these two methods.

Method 1—Primary and Connection-Specific DNS Suffixes

A primary DNS suffix is global across all adapters. A connection-specific DNS suffix is only for a specific connection (adapter), so that each connection can have a different DNS suffix.

Identifying a Primary DNS Suffix

A primary suffix comes from the computer name. To find or assign a primary DNS suffix, use the following procedure according to your operating system:

On Windows 2000


Step 1 On a Windows 2000 desktop, right click the My Computer icon, and select Properties from the menu.

The System Properties dialog displays.

Step 2 Open the Network Identification tab.

The entry next to Full Computer Name identifies the computer's name and DNS suffix on this screen, for example, SILVER-W2KP.tango.dance.com. The part after the first dot is the primary DNS suffix, in this example: tango.dance.com.

Step 3 To change the primary DNS, click Properties on the Network Identification tab.

The Identification Changes dialog displays.

Step 4 Click More....

This action displays the DNS Suffix and Net BIOS Computer Name dialog. The Primary DNS suffix of this computer entry identifies the primary suffix. You can edit this entry.


On Windows XP


Step 1 Right click My Computer, and select Properties from the menu.

The System Properties dialog displays.

Step 2 Open the Computer Name tab.

The entry next to Full Computer Name identifies the computer's name and DNS suffix on this screen (for example, SILVER-W2KP.tango.dance.com). The part after the first dot is the primary DNS suffix (in this example: tango.dance.com).

Step 3 To change the primary DNS, click Change on the Computer Name tab.

The Computer Name Changes dialog displays.

Step 4 Click More....

This action displays the DNS Suffix and Net BIOS Computer Name dialog. The Primary DNS suffix of this computer entry identifies the primary suffix. You can edit this entry.


Identifying a Connection-Specific DNS Suffix

You can identify a connection-specific DNS suffix in one of two ways.

1. The connection-specific DNS value is listed as the DNS suffix for the selected connection on the Advanced TCP/IP Settings dialog.


Note The following instructions are for a Windows 2000 platform. There may be slight variations on a Windows XP platform.


To display the Advanced TCP/IP Settings dialog, use the following procedure:


Step 1 Right click the My Network Places icon to display the Properties dialog, which lists your connections.

Step 2 Double-click on a connection (for example, local) to display its Properties dialog. The connection uses the checked components, such as those shown in Figure 2-1, which shows components of a connection named Local Area Connection.

Figure 2-1 Displaying Properties for a Connection

Step 3 Double-click Internet Protocol (TCP/IP) to reveal its properties.

Step 4 Select Advanced.

Step 5 Display the DNS tab and look at DNS suffix for this connection box. If the box is empty, you can have it assigned by the DHCP Server.

a. To identify the connection-specific suffix assigned by the DHCP Server, use the ipconfig /all command (Alternative 2, below) and look for the DNS Server address.


2. The connection-specific DNS value is listed in the output from the ipconfig /all command, executed at the command-line prompt. Look under Windows 2000 IP Configuration for DNS Suffix Search List. Under Ethernet Adapter Connection Name, look for Connection-specific DNS Suffix.

Method 2—User Supplied DNS Suffix

For this method, you can provide specific suffixes. You can view and change suffixes in the DNS tab of the connection properties page. The Append these DNS suffixes (in order) edit box supplies the name that you can edit. The values you provide here are global to all adapters.

VPN Client Behavior

When the VPN Client establishes a VPN tunnel to the VPN central device (for example, the VPN 3000 Concentrator), the VPN Client uses Method 2 without regard for the method that the Windows platform uses. If the Windows platform is using Method 2, the VPN Client appends the suffix provided by the VPN central device. This is the default behavior and works correctly with no problem.

However, if Windows is using Method 1, the VPN Client does not append the primary or connection-specific suffix. To fix this problem, you can set the AppendOriginalSuffix option in the vpnclient.ini file. In Table 2-1, the [DNS] section contains this option:

[DNS]

AppendOriginalSuffix=1:

In this case, the VPN Client appends the primary DNS suffix to the suffix provided by the VPN Concentrator. While the tunnel is established, Windows has two suffixes: one provided by the VPN Concentrator and the primary DNS suffix.

AppendOriginalSuffix=2:

In this case, the VPN Client appends the primary and connection-specific DNS suffixes to the suffix provided by the VPN Concentrator. While the tunnel is established, Windows has three suffixes: one provided by the VPN Concentrator, the primary DNS suffix, and the connection-specific DNS suffix.


Note If Windows is using Method 2, adding these values to the vpnclient.ini file has no effect.


The VPN Client sets these values every time a tunnel is established and then restores the original configuration when tearing down the tunnel.

Creating Connection Profiles

The VPN Client uses parameters that must be uniquely configured for each remote user of the private network. Together these parameters make up a user profile, which is contained in a profile configuration file (.pcf file) in the Program Files\Cisco Systems\VPN Client\Profiles directory (if the software is installed in the default location) in the VPN Client user's local file system. These parameters include the remote server address, IPSec group name and password, use of a log file, use of backup servers, and automatic Internet connection via Dial-Up Networking. Each connection entry has its own .pcf file. For example, if you have three connection entries, named Doc Server, Documentation, and Engineering, the Profiles directory shows the list of .pcf files shown in Figure 2-2.

Figure 2-2 List of .pcf files

Features Controlled by Connection Profiles

A connection profile (.pcf file) controls the following features.

Description of the connection profile

The remote server address

Authentication type

Name of IPSec group containing the remote user

Group password

Connecting to the Internet via dial-up networking

Type of dial-up networking connection

Dial-Up networking phone book entry for Microsoft

Command string for connecting through an ISP

Name of remote user

Remote user's password

NT domain

Backup servers

Split DNS

Logging on to Microsoft Network and credentials

Transparent tunneling

TCP tunneling port

Allowing of local LAN access

Enabling of IKE and ESP keepalives

Setting of peer response timeout

Certificate parameters for a certificate connection

Setting of certificate chain

Diffie-Hellman group

Verification of the DN of a peer certificate

Sample .pcf file

When you open the Doc Server.pcf file, it looks like the example below. This is a connection entry that uses preshared keys. Note that the enc_ prefix (for example, enc_GroupPwd) indicates that the value for that parameter is encrypted.

[main]
Description=connection to TechPubs server
Host=10.10.99.30
AuthType=1
GroupName=docusers
GroupPwd=
enc_GroupPwd=158E47893BDCD398BF863675204775622C494B39523E5CB65434D3C851ECF2DCC8BD488857EFAFDE1397A95E01910CABECCE4E040B7A77BF
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=alice
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=1
BackupServer=Engineering1, Engineering2, Engineering 3, Engineering4
EnableMSLogon=0
MSLogonType=0
EnableNat=1
EnableLocalLAN=0
TunnelingMode=0
TCPTunnelingPort=10000
CertStore=0
CertName=
CertPath=
CertSubjectName=
SendCertChain=0
VerifyCertDN=CN="ID Cert",OU*"Cisco",ISSUER-CN!="Entrust",ISSUER-OU!*"wonderland"
DHGroup=2
ForceKeepAlives=0
PeerTimeOut=90

You can configure the VPN Client for remote users by creating a profile configuration file for each connection entry and distributing the .pcf files with the VPN Client software. These configuration files can include all, or only some, of the parameter settings. Users must configure those settings not already configured.

You can also distribute the VPN Client to users without a configuration file and let them configure it on their own. In this case, when they complete their configuration using the VPN Client program, they are in effect creating a .pcf file for each connection entry, which they can edit and share.

To protect system security you should not include key security parameters such as the IPSec group password, authentication username, or authentication password in .pcf files for remote users.

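The check below is an added example, not Cisco's tooling: a pre-distribution audit of a .pcf file that flags the credential keywords the paragraph above says not to ship (GroupPwd, UserPassword, Username and their enc_ counterparts, which carry the same secret in scrambled form) and reports which settings are not locked with the "!" read-only marker. It uses Python's configparser, which already treats ";" lines as comments and lowercases keyword names; the list of settings worth locking and the sample profile are constructed assumptions.

```python
import configparser

# Constructed sample profile modelled on the chapter's Doc Server.pcf; the
# enc_GroupPwd value is a placeholder, not a real encrypted password.
SAMPLE_PCF = """\
[main]
Description=connection to TechPubs server
Host=10.10.99.30
AuthType=1
GroupName=docusers
GroupPwd=
enc_GroupPwd=PLACEHOLDER0123
Username=alice
SaveUserPassword=0
UserPassword=
enc_UserPassword=
EnableNat=1
!EnableLocalLAN=0
TunnelingMode=0
PeerTimeOut=90
"""

# Keywords the chapter says to leave out of .pcf files handed to remote users,
# together with their encrypted (enc_) forms.
SECRET_KEYS = {"grouppwd", "enc_grouppwd", "username", "userpassword", "enc_userpassword"}

# Settings an administrator usually wants users unable to change in the GUI
# (assumption for this example; pick your own list).
LOCK_RECOMMENDED = {"host", "authtype", "groupname", "enablelocallan", "enablenat"}


def load_pcf(text):
    # allow_no_value covers bare keywords such as "CertSubjectName" with no "=";
    # interpolation=None keeps "%" in values literal.
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str.lower  # keyword names are case-insensitive
    cp.read_string(text)
    return cp


def audit_pcf(text):
    """Return a list of findings; an empty list means the file is clean."""
    main = load_pcf(text)["main"]
    findings = []
    for key, value in main.items():
        plain = key.lstrip("!")
        if plain in SECRET_KEYS and value:  # empty value means "not stored"
            findings.append(f"secret present: {plain}")
    locked = {k[1:] for k in main if k.startswith("!")}
    for key in sorted(LOCK_RECOMMENDED):
        present = key in main or f"!{key}" in main
        if present and key not in locked:
            findings.append(f"not read-only: {key}")
    return findings


if __name__ == "__main__":
    for finding in audit_pcf(SAMPLE_PCF):
        print(finding)
```

The audit deliberately treats enc_GroupPwd like GroupPwd: the client scrambles the value so it is not readable at a glance, but the chapter still lists the group password among the parameters to keep out of distributed profiles, and the read-only marker is only a GUI restriction that anyone with a text editor can remove.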

Note Whatever preconfiguring you provide, you must supply users with the information they need to configure the VPN Client. See "Gathering Information You Need" in the VPN Client User Guide for Windows, Chapter 2 for information users need.


Creating a .pcf file for a Connection Profile

Each user requires a unique configuration file. Use Notepad or another ASCII text editor to create and edit each file. Save as a text-only file with no formatting.

Connection Profile Configuration Parameters

Table 2-2 lists all parameters, keywords, and values. It also includes the VPN Client parameter name (if it exists) that corresponds to the keyword and where it is configured on the VPN Client GUI.

Table 2-2 .pcf file parameters 

.pcf Parameter (Keyword)
VPN Client Parameter Description
Values
VPN Client Configuration Location(s)

[main]

(No VPN Client field)

Required keyword to identify main section.

[main]

As the first entry in the file, enter exactly as shown.

Does not appear in GUI

Description=

Description

A line of text that describes this connection entry. Optional.

Any text.

Maximum 246 alphanumeric characters.

New > Wizard dialog box 1

Options > Properties > General tab

Host=

Remote server address

The hostname or IP address of the Cisco remote access server (a VPN device) to which remote users connect.

Legitimate Internet hostname, or IP address in dotted decimal notation.

Maximum 255 alphanumeric characters.

New > Wizard dialog box 2

VPN Client main dialog box

AuthType=

Authentication type

The authentication type of this user:

1 = Pre-shared keys
3 = Digital Certificate using an RSA signature.

Default = 1

New > Wizard dialog box 3

GroupName=

Group Name

The name of the IPSec group that contains this user. Used with pre-shared keys.

The exact name of the IPSec group configured on the VPN device.

Maximum 32 alphanumeric characters. Case-sensitive.

New > Wizard dialog box 3

Options > Properties > Authentication tab

GroupPwd=

Group Password

The password for the IPSec group that contains this user. Used with pre-shared keys.

The first time the VPN Client reads this password, it replaces it with an encrypted one (enc_GroupPwd).

The exact password for the IPSec group configured on the VPN device.

Minimum of 4, maximum 32 alphanumeric characters. Case-sensitive clear text.

New > Wizard dialog box 3

Options > Properties > Authentication tab

enc_GroupPwd=

The password for the IPSec group that contains the user. Used with preshared keys. This is the scrambled version of the GroupPwd.

Binary data represented as alphanumeric text.

Does not appear in GUI.

EnableISPConnect=

Connect to the Internet via Dial-Up Networking

Specifies whether the VPN Client automatically connects to an ISP before initiating the IPSec connection; determines whether to use PppType parameter.

0 = Disable (default)
1 = Enable

Default = 0

The VPN Client GUI ignores a read-only setting on this parameter.

Options > Properties > Connections tab > Connect to the Internet via dial-up

ISPConnectType=

Dial-Up Networking connection entry type

Identifies the type to use: ISPConnect or ISPCommand.

0 = ISPConnect
1 = ISPCommand

The VPN Client GUI ignores a read-only setting on this parameter.

Options > Properties > Connections tab (choosing either DUN or Third Party (command))

ISPConnect=

Dial-Up Networking Phonebook Entry (Microsoft)

Use this parameter to dial into the Microsoft network; dials the specified dial-up networking phone book entry for the user's connection.

Applies only if EnableISPconnect=1 and ISPConnectType=0.

phonebook_name

This variable is the name of the phone book entry for DUN - maximum of 256 alphanumeric characters.

The VPN Client GUI ignores a read-only setting on this parameter.

Options > Properties > Connections tab > Microsoft Dial-Up Networking

ISPCommand=

Dial-Up Networking Phonebook Entry (command)

Use this parameter to specify a command to dial the user's ISP dialer.

Applies only if EnableISPconnect=1 and ISPConnectType=1.

command string

This variable includes the pathname to the command and the name of the command complete with arguments; for example:

c:\isp\ispdialer.exe dialEngineering

Maximum 512 alphanumeric characters.

Options > Properties > Connections tab > Third party dialup program

Username=

User Authentication: Username

The name that authenticates a user as a valid member of the IPSec group specified in GroupName.

The exact username. Case-sensitive, clear text, maximum of 32 characters.

The VPN Client prompts the user for this value during user authentication.

Connect > User Authentication dialog box

UserPassword=

User Authentication: Password

The password used during extended authentication.

The first time the VPN Client reads this password, it saves it in the file as the enc_UserPassword and deletes the clear-text version. If SaveUserPassword is disabled, then the VPN Client deletes the UserPassword and does not create an encrypted version.

You should only modify this parameter manually if there is no GUI interface to manage profiles.

Maximum of 32 alphanumeric characters, case sensitive.

Connect > User Authentication dialog box

enc_UserPassword

Scrambled version of the user's password.

Binary data represented as alphanumeric text.

Does not appear in GUI.

SaveUserPassword

Determines whether the user password or its encrypted version is valid in the profile.

This value is set in the VPN device, not the VPN Client.

0 = do not allow user to save password information locally.
1 = allow user to save password locally.

Default = 0.

Does not appear in GUI.

NTDomain=

User Authentication: Domain

The NT Domain name configured for the user's IPSec group. Applies only to user authentication via a Windows NT Domain server.

NT Domain name. Maximum 14 alphanumeric characters. Underbars are not allowed.

Connect > User Authentication dialog box

EnableBackup=

Enable backup server(s)

Specifies whether to use backup servers if the primary server is not available.

0 = Disable
1 = Enable

Default = 0

Options > Properties > Connections tab

BackupServer=

(Backup server list)

List of hostnames or IP addresses of backup servers.

Applies only if EnableBackup=1.

Legitimate Internet hostnames, or IP addresses in dotted decimal notation. Separate multiple entries by commas. Maximum of 255 characters in length.

Options > Properties > Connections tab

EnableMSLogon=

Logon to Microsoft Network

Specifies that users log on to a Microsoft network.

Applies only to systems running Windows 9x.

0 = Disable
1 = Enable

Default = 1

Options > Properties > General tab

MSLogonType=

Use default system logon credentials.

Prompt for network logon credentials.

Specifies whether the Microsoft network accepts the user's Windows username and password for logon, or whether the Microsoft network prompts for a username and password.

Applies only if EnableMSLogon=1.

0 = Use default system logon credentials (default); i.e., use the Windows logon username and password.
1 = Prompt for network logon username and password.

Options > Properties > General tab

EnableNat=

Enable Transparent Tunneling

Allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall, which may also be performing NAT or PAT.

0 = Disable
1 = Enable

Default = 1

Options > Properties > General tab

TunnelingMode=

Specifies the mode of transparent tunneling, over UDP or over TCP; must match that used by the secure gateway with which you are connecting.

0 = UDP
1 = TCP

Default = 0

Options > Properties > General tab

TCPTunnelingPort=

Specifies the TCP port number, which must match the port number configured on the secure gateway.

Port number from 1 through 65545

Default = 10000

Options > Properties > General tab

EnableLocalLAN=

Allow Local LAN Access.

Specifies whether to enable access to resources on a local LAN at the Client site while connected through a secure gateway to a VPN device at a central site.

0 = Disable
1 = Enable

Default = 0

Options > Properties > General tab

ForceKeepAlives=

Enable IKE and ESP keepalives.

Allows the VPN Client to keep sending IKE and ESP keepalives for a connection at approximately 20-second intervals so that the port on an ESP-aware NAT device or firewall does not close.

0 = Disable
1 = Enable

Default = 0

Does not appear in GUI (hidden)

PeerTimeout=

Peer response timeout

The number of seconds to wait before terminating a connection because the VPN device on the other end of the tunnel is not responding.

Number of seconds

Minimum = 30 seconds
Maximum = 480 seconds
Default = 90 seconds

Options > Properties > General tab

CertStore=

Certificate Store

Identifies the type of store containing the configured certificate.

1 = Cisco
2 = Microsoft
Default = 0, no certificate

The VPN Client GUI ignores a read-only setting on this parameter.

Does not appear in VPN Dialer GUI

CertName=

Certificate Name

Identifies the certificate used to connect to a VPN device.

Maximum 129 alphanumeric characters

The VPN Client GUI ignores a read-only setting on this parameter.

New > Wizard dialog box 3

CertPath=

The complete pathname of the directory containing the certificate file.

Maximum 259 alphanumeric characters

The VPN Client GUI ignores a read-only setting on this parameter.

Does not appear in VPN Dialer GUI

CertSubjectName

The fully qualified distinguished name (DN) of the certificate's owner. If present, the VPN Dialer enters the value for this parameter.

Either do not include this parameter or leave it blank.

The VPN Client GUI ignores a read-only setting on this parameter.

Does not appear in VPN Dialer GUI

CertSerialHash

A hash of the certificate's complete contents, which provides a means of validating the authenticity of the certificate. If present, the VPN Dialer enters the value for this parameter.

Either do not include this parameter or leave it blank.

The VPN Client GUI ignores a read-only setting on this parameter.

Does not appear in VPN Dialer GUI

SendCertChain

Sends the chain of CA certificates between the root certificate and the identity certificate plus the identity certificate to the peer for validation of the identity certificate.

0 = disable
1 = enable

Default = 0

New > Wizard dialog box 3

VerifyCertDN

Prevents a user from connecting to a valid gateway by using a stolen but valid certificate and a hijacked IP address. If the attempt to verify the domain name of the peer certificate fails, the client connection also fails.

Include any certificate DN values of both subject and issuer. You can use all valid ASCII characters including -_@<>()., as well as wildcards. See the example:

Example: VerifyCertDN=CN="ID Cert",OU*"Cisco",ISSUER-CN!="Entrust",ISSUER-OU!*"wonderland"

CN="ID Cert"—Specifies an exact match on the CN.

OU*"Cisco"—Specifies any OU that contains the string "Cisco".

ISSUER-CN!="Entrust"—Specifies that the Issuer CN must not equal "Entrust".

ISSUER-OU!*"wonderland"—Specifies that the Issuer OU must not contain "wonderland".

Does not appear in VPN Dialer GUI
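As an added example (not Cisco's code), the following Python evaluates a VerifyCertDN expression like the one above against a peer certificate's subject and issuer DNs, using the four operators the page shows; the subject and issuer values are constructed, and the wildcard syntax the page mentions without defining is assumed out of scope.

```python
# Added example (not Cisco's code): evaluate a VerifyCertDN expression against
# a peer certificate's subject and issuer DNs. Only the four operators shown on
# this page are implemented (=, *, !=, !*); the "wildcards" the page mentions
# without defining them are assumed out of scope.
import re

# One clause: attribute name, operator, double-quoted value, then a comma or end.
# A name starting with ISSUER- is checked against the issuer DN, otherwise the subject DN.
_CLAUSE = re.compile(r'\s*([A-Za-z][A-Za-z0-9-]*)(!=|!\*|=|\*)"([^"]*)"\s*(?:,|$)')

def parse_verify_cert_dn(expr):
    """Split a VerifyCertDN value into (target, attr, op, value) tuples."""
    clauses, pos = [], 0
    while pos < len(expr):
        m = _CLAUSE.match(expr, pos)
        if m is None:
            raise ValueError("malformed VerifyCertDN clause at: %r" % expr[pos:])
        attr, op, value = m.group(1).upper(), m.group(2), m.group(3)
        target = "issuer" if attr.startswith("ISSUER-") else "subject"
        clauses.append((target, attr.replace("ISSUER-", "", 1), op, value))
        pos = m.end()
    return clauses

def dn_matches(clauses, subject, issuer):
    """True only if every clause holds. subject/issuer map attribute -> value;
    an attribute missing from the DN is treated as the empty string."""
    for target, attr, op, value in clauses:
        actual = (issuer if target == "issuer" else subject).get(attr, "")
        holds = {"=": actual == value, "*": value in actual,
                 "!=": actual != value, "!*": value not in actual}[op]
        if not holds:
            return False          # fail closed on the first unmet clause
    return True

if __name__ == "__main__":
    # Constructed DNs: one peer that satisfies the page's example, one that does not.
    expr = 'CN="ID Cert",OU*"Cisco",ISSUER-CN!="Entrust",ISSUER-OU!*"wonderland"'
    rules = parse_verify_cert_dn(expr)
    subject = {"CN": "ID Cert", "OU": "Cisco Systems"}
    print(dn_matches(rules, subject, {"CN": "Example CA", "OU": "PKI"}))   # True
    print(dn_matches(rules, subject, {"CN": "Entrust", "OU": "PKI"}))      # False
```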


DHGroup=

Allows a network administrator to override the default group value on a VPN device used to generate Diffie-Hellman key pairs.

1 = modp group 1
2 = modp group 2
5 = modp group 5

Default = 2

Note: This value is preset only for pre-shared keys; for a certificate-authenticated connection, the DHGroup number is negotiated.

Does not appear in VPN Dialer GUI
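As an added example (not Cisco's code), this Python audit reads a .pcf profile and reports settings that contradict the constraints above: an enumerated value outside its allowed set, EnableBackup=1 with an empty BackupServer list, PeerTimeout outside 30 to 480 seconds, a password left in a profile whose SaveUserPassword is 0, and a certificate store with no CertName. The sample profile is constructed, and the [main] section header is an assumption not shown in this excerpt.

```python
# Added example (not Cisco's code): audit a connection profile (.pcf) against the
# parameter constraints described above. The profile text is constructed; the
# "[main]" section header is assumed, since this excerpt does not show it.
import configparser

SAMPLE_PCF = """\
[main]
Host=vpn.example.com
EnableBackup=1
BackupServer=
UserPassword=constructed-cleartext-password
SaveUserPassword=0
TunnelingMode=1
PeerTimeout=20
DHGroup=3
CertStore=1
CertName=
"""

# Enumerated parameters and the values this page allows for them.
ENUMS = {"SaveUserPassword": {"0", "1"}, "EnableBackup": {"0", "1"},
         "EnableMSLogon": {"0", "1"}, "MSLogonType": {"0", "1"},
         "EnableNat": {"0", "1"}, "TunnelingMode": {"0", "1"},
         "EnableLocalLAN": {"0", "1"}, "ForceKeepAlives": {"0", "1"},
         "SendCertChain": {"0", "1"}, "DHGroup": {"1", "2", "5"},
         "CertStore": {"0", "1", "2"}}

def audit_profile(text):
    """Return a list of findings; an empty list means nothing to report."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                    # keep parameter-name case (enc_UserPassword)
    cp.read_string(text)
    p = dict(cp[cp.sections()[0]]) if cp.sections() else {}
    findings = []
    for key, allowed in ENUMS.items():
        if key in p and p[key] not in allowed:
            findings.append("%s=%s not in %s" % (key, p[key], sorted(allowed)))
    if p.get("EnableBackup") == "1" and not p.get("BackupServer"):
        findings.append("EnableBackup=1 but BackupServer is empty")
    # A password the client will only discard still travels with the distributed file.
    if p.get("SaveUserPassword", "0") == "0" and (p.get("UserPassword") or p.get("enc_UserPassword")):
        findings.append("password present although SaveUserPassword=0")
    t = p.get("PeerTimeout")
    if t is not None and not (t.isdigit() and 30 <= int(t) <= 480):
        findings.append("PeerTimeout=%s outside 30..480 seconds" % t)
    if p.get("CertStore", "0") != "0" and not p.get("CertName"):
        findings.append("CertStore set but CertName is empty")
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PCF):
        print("finding:", finding)
```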


Distributing Configured VPN Client Software to Remote Users

When you have created the VPN Client profile configuration file, you can distribute it to users separately or as part of the VPN Client software.

Separate Distribution

To distribute the configuration file separately and have users import it to the VPN Client after they have installed it on their PCs, follow these steps:


Step 1 Distribute the appropriate profile files to users on whatever media you prefer.

Step 2 Supply users with the configuration information listed in Table 2-1 in Chapter 2 of the VPN Client User Guide for Windows.

Step 3 Instruct users to:

a. Install the VPN Client according to the instructions in Chapter 2 of the VPN Client User Guide for Windows.

b. Start the VPN Client and follow the instructions in Chapter 5 of the VPN Client User Guide for Windows. See the section "Importing a VPN Client Configuration File."

c. Finish configuring the VPN Client according to the instructions in Chapter 3 of the VPN Client User Guide for Windows.

d. Connect to the private network, and enter parameters according to the instructions in Chapter 4 of the VPN Client User Guide for Windows.


Distribution with the VPN Client Software

If the vpnclient.ini file is bundled with the VPN Client software when it is first installed, it automatically configures the VPN Client during installation. You can also distribute the profile files (one .pcf file for each connection entry) as preconfigured connection profiles for automatic configuration.

To distribute preconfigured copies of the VPN Client software to users for installation, perform the following steps:


Step 1 Copy the VPN Client software files from the distribution CD-ROM into each directory where you created a vpnclient.ini (global) file and separate connection profiles for a set of users.

Step 2 Prepare and distribute the bundled software.

CD-ROM or network distribution: Be sure the vpnclient.ini file and profile files are in the same directory with all the CD-ROM image files. You can have users install from this directory through a network connection; or you can copy all files to a new CD-ROM for distribution; or you can create a self-extracting ZIP file that contains all the files from this directory, and have users download it, and then install the software.

Step 3 Supply users with any other necessary configuration information and instructions. See Chapter 2 of the VPN Client User Guide for Windows.




Posted: Mon Apr 18 08:21:00 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.