
Table Of Contents

Configuring the VPN Client

How to Get Help

Determining the VPN Client Version

What Is a Connection Entry?

How To Create a New Connection Entry

Choosing an Authentication Method

Completing the Connection Wizard

What Next?

Setting or Changing Connection Entry Properties

Changing General Settings

Changing Authentication Settings

Changing Connection Settings

Changing the VPN Device Address for a Connection Entry


Configuring the VPN Client


This chapter explains how to configure the VPN Client.

To configure the VPN Client, you enter values for a set of parameters known as a connection entry. The VPN Client uses a connection entry to identify and connect securely to a specific private network.

Parameters include a name and description for the connection, the name or address of the VPN device (remote server), and information that identifies you to the VPN device.


Note If your system administrator has completely configured your connection entry for you, you can skip this chapter and go directly to "Connecting to a Private Network."


This chapter explains the following configuration tasks:

How to Get Help

What Is a Connection Entry?

How To Create a New Connection Entry

Setting or Changing Connection Entry Properties

Changing the VPN Device Address for a Connection Entry

How to Get Help

The VPN Client comes with a complete, context-sensitive, browser-based help system. You can display help in the following ways:

On the Program Menu, choose Start > Programs > Cisco Systems VPN Client > Help.
(See Figure 3-1.) This method displays the entire help file beginning with a list of topics.

Figure 3-1 Choosing Help from the Cisco Systems VPN Client Program Menu


Note If you installed the VPN Client via the Microsoft Windows Installer, the Cisco Systems VPN Client menu does not include the Uninstall VPN Client option.


Press F1 at any window while using the VPN Client, including the main window of each application (VPN Dialer, Log Viewer, and Certificate Manager). This method displays context-sensitive information.

Click the Help button on windows that display it. (See Figure 3-2.) This method displays context-sensitive information.

Figure 3-2 Help Button

Choose Help from the menu that appears when you click on the icon in the title bar. (See Figure 3-3.)

Figure 3-3 Menu Containing Help Option

Determining the VPN Client Version

To display the version number of the software release you are currently using, follow these steps:


Step 1 Click the icon in the title bar. (See Figure 3-3.)

The VPN Client displays a menu.

Step 2 Click About VPN Client on the menu displayed.

The VPN Client displays the version you are currently using. (See Figure 3-4.)

Step 3 After viewing the version number, click OK.


Figure 3-4 Displaying the VPN Client Software Version

When you are connected, you can display the software version by clicking About... on the menu you display by right clicking the Dialer icon in the system tray.

Figure 3-5 Displaying Version from Menu Available from System Tray

What Is a Connection Entry?

To use the VPN Client, you must create at least one connection entry, which identifies the following information:

The VPN device (the remote server) to access

Preshared keys—The IPSec group to which the system administrator assigned you. Your group determines how you access and use the remote network. For example, it specifies access hours, number of simultaneous logins, user authentication method, and the IPSec algorithms your VPN Client uses.

Certificates—The name of the certificate you are using for authentication

Optional parameters that govern VPN Client operation and connection to the remote network

You can create multiple connection entries if you use your VPN Client to connect to multiple networks (though not simultaneously) or if you belong to more than one VPN remote access group.

For connection entry parameters, see "Gathering Information You Need".

How To Create a New Connection Entry

Start the VPN Client by choosing Start > Programs > Cisco Systems VPN Client > VPN Dialer.

Figure 3-6 Starting the VPN Dialer


Note If you installed the VPN Client via the Microsoft Windows Installer, the Cisco Systems VPN Client menu does not include the Uninstall VPN Client option.


The VPN Dialer application starts and displays its main dialog box. (See Figure 3-7.)

Figure 3-7 VPN Dialer Main Dialog Box


Step 1 At the main dialog, click New.

The first New Connection Entry Wizard dialog box appears. (See Figure 3-8.)

Figure 3-8 Entering Name and Description

Step 2 Enter a unique name for this new connection. You can use any name to identify this connection; for example, Engineering. This name can contain spaces, and it is not case-sensitive.

Step 3 Enter a description of this connection. This field is optional, but it helps further identify this connection. For example, Connection to Engineering remote server.

Step 4 Click Next.

The second New Connection Entry Wizard dialog box appears. (See Figure 3-9.)

Figure 3-9 Identifying Server

Step 5 Enter the hostname or IP address of the remote VPN device you want to access, and click Next.


The third New Connection Entry Wizard dialog box appears. (See Figure 3-10.)

Choosing an Authentication Method

You can connect as part of a group (configured on a VPN device) or by supplying an identity digital certificate.

Group Authentication

For group authentication, perform the following procedure: (See Figure 3-10.)

Figure 3-10 Group Authentication


Step 1 In the Name field, enter the name of the IPSec group to which you belong. This entry is case-sensitive.

Step 2 In the Password field, enter the password (which is also case-sensitive) for your IPSec group. The field displays only asterisks.

Step 3 Verify your password by entering it again in the Confirm Password field.

Step 4 To continue, click Next.


Certificate Authentication

For certificate authentication, perform the following procedure, which varies according to the type of certificate you are using:


Step 1 Click the Certificates radio button.

Step 2 Choose the name of the certificate you are using from the pull-down menu. (See Figure 3-11.)

If the field says No Certificates Installed and is shaded, you must first enroll for a certificate before you can use this feature. For information on enrolling for a certificate, see "Enrolling and Managing Certificates", or consult your network administrator.


Figure 3-11 Certificate Authentication

Sending a Certificate Authority Certificate Chain

To send CA certificate chains, click Send CA Certificate Chain. This parameter is disabled by default.

The CA certificate chain includes all CA certificates in the hierarchy of certificates from the root certificate, which must be installed on the VPN Client, to the identity certificate. This feature enables a peer VPN Concentrator that shares the same root certificate to trust the VPN Client's identity certificate without having all the same subordinate CA certificates installed.

Example 3-1 CA Certificate Chains

1. On the VPN Client, you have this chain in the certificate hierarchy:

   Root Certificate
      CA Certificate 1
         CA Certificate 2
            Identity Certificate

2. On the VPN Concentrator, you have this chain in the certificate hierarchy:

   Root Certificate
      CA Certificate 3
         Identity Certificate

3. Though the identity certificates are issued by different CA certificates, the VPN Concentrator can still trust the VPN Client's identity certificate, since it has received the chain of certificates installed on the VPN Client PC.

This feature provides flexibility since the intermediate CA certificates don't need to be actually installed on the peer.
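The following added example (not Cisco code) replays Example 3-1 from the VPN Concentrator's side: the verifier trusts only the root, so the VPN Client's identity certificate is accepted only when the intermediate CA certificates arrive with it. Real X.509 signing is replaced by a constructed stand-in signature, so only the path-building logic is meaningful; all certificate names and key identifiers are invented.

```python
"""Chain walk for Example 3-1 above. Constructed illustration, not Cisco
code: the 'signature' is a SHA-256 keyed by the issuer's key identifier,
a stand-in for real X.509 signing, so only the path-building is real."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str          # stand-in for the certificate's public key
    signature: str = ""


def _sig(signer_key_id: str, subject: str, issuer: str, key_id: str) -> str:
    tbs = f"{subject}|{issuer}|{key_id}".encode()
    return hashlib.sha256(signer_key_id.encode() + tbs).hexdigest()


def make_root(subject: str, key_id: str) -> Cert:
    """Self-signed root: issuer == subject, signed with its own key."""
    return Cert(subject, subject, key_id, _sig(key_id, subject, subject, key_id))


def issue(subject: str, issuer: Cert, key_id: str) -> Cert:
    """Issue a subordinate CA or identity certificate under issuer."""
    return Cert(subject, issuer.subject, key_id,
                _sig(issuer.key_id, subject, issuer.subject, key_id))


def signature_ok(cert: Cert, issuer: Cert) -> bool:
    return (cert.issuer == issuer.subject and
            cert.signature == _sig(issuer.key_id, cert.subject,
                                   cert.issuer, cert.key_id))


def build_path(identity: Cert, sent_chain: list, trust_store: list):
    """Walk from identity up to a self-signed certificate in trust_store.

    sent_chain: certificates the peer transmitted (empty when Send CA
    Certificate Chain is off). trust_store: certificates installed on the
    verifier. Returns (ok, path_of_subjects, reason).
    """
    anchors = {c.subject: c for c in trust_store}
    # Locally installed copies take precedence, so a peer can never replace
    # the verifier's root with one it sends in the chain.
    candidates = {c.subject: c for c in sent_chain}
    candidates.update(anchors)
    path, current = [identity.subject], identity
    for _ in range(len(candidates) + 1):      # bounded: no endless loops
        if current.issuer == current.subject:
            if anchors.get(current.subject) == current:
                return True, path, "anchored at trusted root"
            return False, path, f"self-signed {current.subject!r} is not trusted"
        issuer = candidates.get(current.issuer)
        if issuer is None:
            return False, path, f"issuer {current.issuer!r} not available"
        if not signature_ok(current, issuer):
            return False, path, f"bad signature on {current.subject!r}"
        path.append(issuer.subject)
        current = issuer
    return False, path, "no trusted root reached"


def demo():
    """Replay Example 3-1 from the VPN Concentrator's point of view."""
    root = make_root("Root Certificate", "root-key")
    ca1 = issue("CA Certificate 1", root, "ca1-key")
    ca2 = issue("CA Certificate 2", ca1, "ca2-key")
    client_identity = issue("VPN Client Identity", ca2, "client-key")
    ca3 = issue("CA Certificate 3", root, "ca3-key")
    concentrator_store = [root, ca3]           # the Concentrator's own hierarchy
    without_chain = build_path(client_identity, [], concentrator_store)
    with_chain = build_path(client_identity,
                            [client_identity, ca2, ca1, root], concentrator_store)
    return without_chain, with_chain


if __name__ == "__main__":
    for label, result in zip(("chain not sent", "chain sent"), demo()):
        print(f"{label}: ok={result[0]} path={result[1]} ({result[2]})")
```

Without the chain the walk stops at the first missing issuer (CA Certificate 2); with it, the path reaches the root the Concentrator already trusts.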


Note Certificate chains are not supported for Entrust Entelligence. Therefore the Send CA Certificate Chain checkbox on the Authentication Tab is unchecked and disabled when you select Entelligence Certificate.


Validating a Certificate

Optionally, you can verify that the certificate you are using is still valid, using the following procedure:


Step 1 To verify the validity of a certificate, click Validate Certificate.... If the VPN Dialer prompts for the password that secures the certificate, enter the password.

You receive a report letting you know whether the certificate is valid. If the password is not valid, you need to try again. If you do not know the password, see your system administrator. An identity certificate has a public and private key, and a time period within which it is valid. Make sure the certificate is valid before you continue.

Step 2 After you have verified that the certificate is valid, click Next.


Configuring an Entrust Certificate for Authentication

If you have an Entrust Entelligence certificate enrolled, the pull-down menu includes the entry "Entelligence Certificate (Entrust)." (See Figure 3-12.)

Figure 3-12 Entrust Entelligence Certificate

An Entrust Entelligence certificate is stored in a Profile, which you obtain when you log in to Entrust Entelligence.

Choose Entelligence Certificate (Entrust) from the pull-down menu and click Next.

For more information about connecting with Entrust Entelligence, see "Connecting with an Entrust Certificate."

Configuring a Connection Entry for a Smart Card

If you are using a smart card or electronic token to authenticate a connection, create a connection entry that defines the certificate provided by the smart card. For example, if you are using ActivCard Gold, an accompanying certificate is in the Microsoft Certificate Store. When you create a new connection entry for using the smart card, select that certificate. (See Figure 3-13.)

Figure 3-13 Creating a Connection Entry for a Smart Card

Smart Cards Supported

The VPN Client supports authentication with digital certificates through a smart card or an electronic token. There are several vendors that provide smart cards and tokens, including the following:

Vendor    | Software and Version                                  | Card/Token Tested | Vendor Web site
----------|-------------------------------------------------------|-------------------|------------------
GemPLUS   | GemSAFE Workstation 2.0 or later                      | GEM195            | www.gemplus.com
Activcard | Activcard Gold version 2.0.1 or later                 | Palmera 32K       | www.activcard.com
Aladdin   | eToken Runtime Environment (RTE) version 2.6 or later | PRO and R2 tokens | www.ealaddin.com


The VPN Client works only with smart cards and tokens that support CRYPT_NOHASHOID.

Completing the Connection Wizard

After you enter authentication information and click Next, the fourth New Connection Entry Wizard dialog box appears. (See Figure 3-14.)

Figure 3-14 Completing the Connection Entry

To complete the connection entry configuration, use the following procedure.


Step 1 Review the connection entry name. If you want to change any previous entries, click Back until you get to the desired dialog box.

Step 2 To complete your entry, click Finish.

The final New Connection Entry Wizard dialog box closes. Your new connection entry now appears in the Connection Entry drop-down list on the VPN Client's main dialog box.


What Next?

If you need to configure optional connection entry parameters or change parameters for an existing connection entry, continue to the next section.

Otherwise, you can skip to "Connecting to a Private Network."

Setting or Changing Connection Entry Properties

To change parameters or to set optional parameters for an existing connection entry, follow these steps:


Step 1 In the VPN Client's main dialog box, click the Connection Entry drop-down menu button and choose the entry you want to configure.

Step 2 Click Options and choose Properties from the menu. (See Figure 3-15.)

Figure 3-15 VPN Client Options Menu

The Properties dialog box appears. The fields in this dialog box differ according to the operating system you are using.

If you are using Microsoft Windows 95, Windows 98, or Windows ME, you see a dialog box that resembles the one in Figure 3-16.

If you are using Microsoft Windows NT, Windows 2000, or Windows XP, you see the dialog box in Figure 3-17.

Figure 3-16 Connection Entry Properties Dialog Box (Windows 95, Windows 98 and Windows ME)

Figure 3-17 Connection Entry Properties Dialog Box (Windows NT, Windows 2000, and Windows XP)

Step 3 Click the tab for the parameters you want to change:

General tab

Change the connection entry description

Enable transparent tunneling

Allow local LAN Access

Adjust the peer response time out

Log on to Microsoft Network

Authentication tab

Change the group name or group password

Change the certificate you want to use

Connections tab

Enable, add, and remove backup server connections

Connect to the Internet via Dial-Up Networking

See the appropriate section of this chapter for each tab and parameter.

Step 4 When you have finished setting parameters, click OK. The Properties dialog box closes and the VPN Dialer saves your changes.

To discard your changes, click Cancel. The Properties dialog box closes and discards all changes.


Changing General Settings

The Properties > General tab lets you set general parameters for this connection entry. (See Figure 3-17.)

Changing Connection Entry Description

To change the description of this connection entry, enter or edit the description field. This field is optional, but it can help you identify this connection.

Enabling Transparent Tunneling

Transparent tunneling allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall, which may also be performing Network Address Translation (NAT) or Port Address Translation (PAT). Transparent tunneling encapsulates Protocol 50 (ESP) traffic within UDP packets and can allow for both IKE (UDP 500) and Protocol 50 to be encapsulated in TCP packets before they are sent through the NAT or PAT devices and/or firewalls. The most common application for transparent tunneling is behind a home router performing PAT.

The VPN Client also sends keepalives frequently, ensuring that the mappings on the devices are kept active.

Not all devices support multiple simultaneous connections behind them. Some cannot map additional sessions to unique source ports. Be sure to check with your device's vendor to verify whether this limitation exists. Some vendors support Protocol 50 (ESP) Port Address Translation (IPSec passthrough), which might let you operate without enabling transparent tunneling.

To use transparent tunneling, the central-site group in the Cisco VPN device must be configured to support it. For an example, refer to the VPN 3000 Concentrator Manager, Configuration | User Management | Groups | IPSec tab (refer to VPN 3000 Series Concentrator Reference Volume 1: Configuration or Help in the VPN 3000 Concentrator Manager browser).

This parameter is enabled by default. To disable this parameter, clear the check. We recommend that you always keep this parameter checked.

Then select a mode of transparent tunneling, over UDP or over TCP. The mode you use must match that used by the secure gateway to which you are connecting. Either mode operates properly through a PAT device. Multiple simultaneous connections might work better with TCP, and if you are in an extranet environment, TCP mode is generally preferable. UDP does not operate with stateful firewalls, so in this case you should use TCP.

Allow IPSec over UDP (NAT/PAT)

To enable Allow IPSec over UDP, click the radio button. With UDP, the port number is negotiated. UDP is the default mode.

Use IPSec over TCP (NAT/PAT/Firewall)

To enable Use IPSec over TCP, click the radio button. When using TCP, you must also enter the port number for TCP in the TCP port field. This port number must match the port number configured on the secure gateway. The default port number is 10000.


Note When using the VPN Client behind an ESP-aware NAT/Firewall, the port on the NAT/Firewall device may be closed due to the VPN Client's keepalive implementation, called DPD (Dead Peer Detection). When a client is idle, it does not send a keepalive until it sends data and gets no response.

To allow the VPN Client to work through ESP-aware NAT/Firewalls, add the ForceKeepAlives parameter to the *.pcf (profile configuration file) for the affected connection profile. This parameter enables IKE and ESP keepalives for the connection at approximately 20 second intervals.

Use the following syntax when adding this parameter to the [Main] section of any *.pcf file:

ForceKeepAlives=1

For more information, see "Connection Profile Configuration Parameters" in the VPN Client Administrator Guide.
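The following added example (not Cisco code) applies the note above to a profile file: it sets ForceKeepAlives=1 in the [Main] section of a *.pcf, adding the key if it is absent and replacing a stale value if present, while leaving the other lines untouched. The profile text is a constructed sample and the Host value is a placeholder.

```python
"""Set ForceKeepAlives=1 in the [Main] section of a *.pcf profile.
Constructed example, not Cisco code; SAMPLE_PCF is made up and the Host
value is a placeholder. The edit is line-based so existing keys, their
order and any comments in the profile are preserved."""
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")

# Constructed sample profile: the key is present but turned off.
SAMPLE_PCF = """[Main]
Description=Connection to Engineering remote server
Host=vpn.example.invalid
ForceKeepAlives=0
"""


def set_main_key(pcf_text: str, key: str, value: str) -> str:
    """Return pcf_text with key=value set in [Main], adding it if missing.

    Keys are matched case-insensitively; the first match in [Main] is
    rewritten and any later duplicates in that section are dropped.
    """
    out, in_main, main_seen, done = [], False, False, False
    for line in pcf_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            if in_main and not done:          # leaving [Main]: append key first
                out.append(f"{key}={value}")
                done = True
            in_main = header.group("name").strip().lower() == "main"
            main_seen = main_seen or in_main
            out.append(line)
            continue
        if in_main:
            name, sep, _ = line.partition("=")
            if sep and name.strip().lower() == key.lower():
                if not done:
                    out.append(f"{key}={value}")
                    done = True
                continue                      # drop stale or duplicate copies
        out.append(line)
    if not done:                              # [Main] was last, or absent
        if not main_seen:
            out.append("[Main]")
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def enable_force_keepalives(pcf_text: str) -> str:
    return set_main_key(pcf_text, "ForceKeepAlives", "1")


def force_keepalives_enabled(pcf_text: str) -> bool:
    """True when [Main] contains ForceKeepAlives=1 (ignoring case and spaces)."""
    in_main = False
    for line in pcf_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            in_main = header.group("name").strip().lower() == "main"
            continue
        name, sep, val = line.partition("=")
        if in_main and sep and name.strip().lower() == "forcekeepalives":
            return val.strip() == "1"
    return False


if __name__ == "__main__":
    print(enable_force_keepalives(SAMPLE_PCF))
```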


Allowing Local LAN Access

The Allow Local LAN Access parameter gives you access to the resources on your local LAN (printer, fax, shared files, other systems) when you are connected through a secure gateway to a central-site VPN device. When this parameter is enabled and your central site is configured to permit it, you can access local resources while connected. When this parameter is disabled, all traffic from your Client system goes through the IPSec connection to the secure gateway.

To enable this feature, check Allow Local LAN Access; to disable it, clear the check mark from the box. If the local LAN you are using is not secure, you should disable this feature. For example, you would disable this feature when you are using a local LAN in a hotel or airport.

A network administrator at the central site configures a list of networks at the Client side that you can access. You can access up to 10 networks when this feature is enabled. When Allow Local LAN Access is enabled and you are connected to a central site, all traffic from your system goes through the IPSec tunnel except traffic to the networks excluded from doing so (in the network list).

When this feature is enabled and configured on the VPN Client and permitted on the central-site VPN device, you can see a list of the local LANs available by looking on the Statistics tab on the Connection Status dialog box. (See Figure 3-18.)


Note This feature works only on one NIC card, the same NIC card as the tunnel.


Figure 3-18 Local LAN Access

The Local LAN routes section on the Connection Status dialog box lists the IP address and subnet mask of each available network. The Src Port and Dst Port fields are not currently used.


Note While connected, you cannot print or browse the local LAN by name; when disconnected, you can print and browse by name. For more information on this limitation refer to VPN Client Administrator Guide, Chapter 1.


Adjusting the Peer Response Timeout Value

The VPN Client uses a keepalive mechanism called Dead Peer Detection (DPD) to check the availability of the VPN device on the other side of an IPSec tunnel. If the network is unusually busy or unreliable, you may need to increase the number of seconds to wait before the VPN Client decides that the peer is no longer active. The default number of seconds to wait before terminating a connection is 90 seconds. The minimum number of seconds you can configure is 30 seconds and the maximum is 480 seconds.

To adjust the setting, enter the number of seconds in the Peer response timeout field.

The VPN Client continues to send DPD requests every 5 seconds, until it reaches the number of seconds specified by the Peer response timeout value.

Logging on to Microsoft Network (Windows 95, Windows 98, and Windows ME)

The Logon to Microsoft Network parameter registers your PC on the private Microsoft network and lets you browse and use network resources after the VPN Client establishes a secure connection. This parameter is enabled by default.

To disable this parameter, clear the check.


Note This parameter appears only on VPN Clients installed on systems running Windows 95, Windows 98, and Windows ME. For information on logging on to Windows NT and Windows 2000 systems, see the section "Starting a Connection Before Logging on to a Windows NT Platform."


If you do not need or do not have privileges for Microsoft Windows resources on the private network, disable this parameter. For example, if you require only FTP access to the private network, you could disable this parameter.

If you enable this parameter, click one of the radio buttons to choose the logon process:

Use default system logon credentials—Use the Windows logon username and password on your PC to log on to the private network. With this option, you do not need to manually enter your logon username and password each time you connect to the private network. This is the default selection.

Prompt for network logon credentials—The private network prompts you for a username and password to use its resources. If the logon username or password on your PC differs from those on the private network, use this option.

When you are done with the General tab, click OK or click another tab.

Changing Authentication Settings

The Properties > Authentication tab (see Figure 3-19) lets you change the name or password of the IPSec group to which you are assigned. Your group determines your access to, and use of, the remote network. The group name and password are essential parameters in authenticating you as a user of the remote network.

If you want to choose a different certificate, you also use this screen.

Figure 3-19 Changing Authentication Parameters from the Authentication Tab

Changing Group Name or Group Password

You usually specify a group name and group password when you create a connection entry. However, you can use the Authentication tab to change a group name or group password if your system administrator so instructs you; or to enter the group name and password if the connection entry does not already have them.

In the Name field, enter or edit the group name. This entry is case-sensitive.

In the Password field, enter or edit the group password. This entry is case-sensitive. The field displays only asterisks. Verify your password by entering it again in the Confirm Password field.

If either field is empty when you leave this dialog box, the VPN Client reminds you to enter missing group information. (See Figure 3-20.) To proceed, click Yes, or to terminate, click No. If you click No, the message closes, which lets you enter the missing information.

Figure 3-20 Reminder Dialog Box

When you are done with the Authentication tab, click OK or click another tab.

Choosing a Different Certificate

To choose a different certificate, check the Certificate radio button, then click the drop-down menu of certificates installed on your PC and choose one. (See Figure 3-21.)

Figure 3-21 Choosing a Certificate

When you are done with the Authentication tab, click OK or click another tab.

Changing Connection Settings

The Properties > Connections tab (shown in Figure 3-22) lets you set parameters that govern how you connect to the private network. You can enable and configure backup server connections, and automatically launch a dial-up networking application to connect to the Internet.

Figure 3-22 Changing Parameter Values from the Connections tab

Enabling and Adding Backup Servers

The private network may include one or more backup VPN servers to use if the primary server is not available. Your system administrator tells you whether to enable backup servers. Information on backup servers can download automatically from the VPN Concentrator, or you can enter this information manually.

To enable backup servers from the VPN Client, perform the following steps:


Step 1 Check Enable backup server(s). This is not checked by default.

Step 2 Click Add to enter the address of a backup server.

The Backup Server Information dialog box appears. (See Figure 3-23.)

Figure 3-23 Entering Backup Server Information

Step 3 Enter the hostname or IP address of the backup server. Use a maximum of 255 characters.

Step 4 Click OK.

The hostname or IP address appears in the Enable backup server(s) list. (See Figure 3-22.)

Step 5 To add more backup devices, repeat Steps 2, 3, and 4.


Removing Backup Servers

To remove a server from the backup list, choose the server from the list and click Remove. There is no confirmation or undo. The server name no longer appears in the list.

Changing the Order of the Servers

To reorder the servers in the list, choose a server and click Move Up to increase the server's priority or Move Down to decrease the server's priority.

Disabling Backup Servers

You can disable using backup servers without removing backup servers from the list.

To disable using backup servers, clear the Enable backup server(s) check.

Configuring a Connection to the Internet Through Dial-up Networking

To connect to a private network using a dial-up connection, perform the following two steps:


Step 1 Use a dial-up connection to your Internet service provider (ISP) to connect to the Internet.

Step 2 Use the VPN Client to connect to the private network through the Internet.

To enable and configure this feature, check Connect to the Internet via dial-up. This is not checked by default. (See Figure 3-24.)


Figure 3-24 Connecting to the Internet Through Dial-up

You can connect to the Internet using the VPN Dialer application in two different ways:

Microsoft Dial-up Networking (DUN)

Third party dial-up program

Microsoft Dial-up Networking

If you have DUN phonebook entries and have enabled Connect to the Internet via dial-up, Microsoft Dial-up Networking is enabled by default. To link a VPN Client connection entry to a Dial-Up Networking phonebook entry, perform the following steps:


Step 1 Click Microsoft Dial-up Networking (if it is not already enabled).

Step 2 To link your VPN Client connection entry to a DUN entry, click the down arrow next to the Phonebook entry field and choose an entry from the drop-down menu.

The VPN Client then uses this DUN entry to automatically dial into the Microsoft network before making the VPN connection to the private network.


Third Party Dial-up Program

If you have no DUN phonebook entries and have enabled Connect to the Internet via dial-up, then Third party dial-up application is enabled by default.

To connect to the Internet using a third party dial-up program, follow these steps:


Step 1 Click Third party dial-up application, if it is not already enabled.

Step 2 Use Browse to enter the name of the program in the Application field. This application launches the connection to the Internet.

The string you choose or enter here is the pathname of the command that starts the application, followed by any arguments the command takes; for example: c:\isp\ispdialer.exe dialEngineering. Your network administrator might have set this up for you. If not, consult your network administrator.


Changing the VPN Device Address for a Connection Entry

To change the address of the VPN device in a connection entry, and to make the change temporary or permanent, follow these steps:


Step 1 On the VPN Client main dialog box shown in Figure 3-25, click the Connection Entry drop-down menu button and choose the entry, if it is not already displayed.

Figure 3-25 Choosing a Connection Entry

Step 2 Edit the address in the Host name or IP address of remote server field.

Step 3 Click Connect. The VPN Client displays a confirmation dialog box. (See Figure 3-26.)

Figure 3-26 Confirming Your Changes

Step 4 Click one of the following:

To use this address for the current session only, click No. The VPN Client begins connecting to the VPN device, but it does not save the change you have made to the connection entry.

To permanently change the address for this connection entry, click Yes. The VPN Client begins connecting to the VPN device, and it saves the new address with the connection entry.


For an explanation of the connection process, see "Connection Procedure".



Posted: Mon Apr 18 08:03:24 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.