Index

Index
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
R
S
T
U
V
W
X
Z

Index

A

access hours, configuring 15-3

add 15-4

modify 15-4

accounting record attributes, RADIUS 5-28

accounting servers

configuring 5-28

add

access hours 15-4

address pool 6-6

email recipient of events 10-33

event class 10-18

filter (traffic management) 15-40

filter rule (traffic management) 15-15

IPSec LAN-to-LAN connection 7-17

NAT rule 15-55

network list 15-9

NTP host 5-41

OSPF area 8-12

security association (traffic management) 15-29

security association to rule on filter 15-46

SMTP server for events 10-30

SNMP community 9-13

SNMP event destination 10-23

static route for IP routing 8-5

syslog server to receive events 10-26

user on internal server (user management) 14-122

address management, configuring 6-2

address pools

configuring 6-5

add 6-6

modify 6-6

alarm thresholds, power, configuring 3-6

alerts, IPSec 7-39

Are You There (AYT) firewall policy 14-25, 14-29, 14-67, 14-71

assignment of IP addresses, configuring 6-3

assign rules to filter (traffic management) 15-43

authentication features, summary of 14-35, 14-77

authentication parameters

changing group delimiter 11-6

global 11-6

order of checking 14-2

authentication servers

configuring 5-2

internal 5-13

Kerberos/Active Directory 5-11, 14-93

NT Domain 5-7

RADIUS 5-5

SecurID 5-9, 14-91

internal 14-1

testing 5-15, 14-96

authorization parameters

authorization required 14-14, 14-58

authorization type 14-14, 14-58

DN field 14-15, 14-59

authorization servers

configuring 5-21, 14-99

LDAP 5-23, 14-103

RADIUS 5-21, 14-101

testing 5-26, 14-106

autodiscovery, network 7-11, 7-24

automatic software update, See client update 12-1

automatic switchover (redundancy) 8-18

B

Backup LAN-to-LAN, See IPSec LAN-to-LAN, redundancy 7-11

bandwidth management

bandwidth aggregation 15-66

bandwidth policing 15-65, 15-67

bandwidth reservation 15-65

burst size 15-67

configuring 15-67

enabling on interface 3-20, 15-64, 15-67

in LAN-to-LAN configuration 15-67, 15-68

overview of 15-65

policing rate 15-67

policy

assigning to group 14-118, 15-67

assigning to interface 3-21, 15-67

assigning to LAN-to-LAN 7-24, 15-67

specifying the link rate 3-20, 15-67

bandwidth policies

configuring 15-64

banner for IPSec clients, configuring 14-17, 14-62

base group, configuring (user management) 14-4

base group global preshared secret 14-16

bibliography xv

bootcode, upgrading xiv

browser

installing SSL certificate 1-5

navigation toolbar, do not use with Manager 1-3

Netscape Navigator, problems with 1-3

requirements 1-2

built-in servers, configuring

See management protocols 9-1

burst size 15-67

C

Central Protection Policy (CPP) 14-25, 14-29, 14-67, 14-71, 15-15

certificate group matching 15-72

defining rules 15-72

fields 15-76

policy 15-79

configuring 15-72

rules

adding 15-74, 15-76

assigning to groups 15-76

deleting 15-74

enabling 15-76

modifying 15-74, 15-76

reordering 15-74

change security association on rule 15-48

Cisco IP Phone Bypass 14-31

Cisco Secure ACS RADIUS server 14-1

CiscoSecure ACS server 5-2, 5-18, 14-1

Cisco VPN Client

IPSec attributes 7-9, 15-24

IPSec support 14-8, 14-52, 14-128

route advertisement 8-22

supports Mode Configuration 14-16, 14-60

client firewall 14-25, 14-67

and split tunneling 14-25, 14-67

Are You There (AYT) policy 14-25, 14-29, 14-67, 14-71

Central Protection Policy (CPP) 14-25, 14-29, 14-67, 14-71, 15-15

configuring rules for firewall filters 14-25, 14-67, 15-15, 15-17, 15-19, 15-22

custom 14-28, 14-70

local 14-25, 14-67

supported products 14-27, 14-69

vendor and product codes 14-28, 14-70

Zone Labs Integrity Server 14-25, 14-29, 14-67, 14-71

client update 12-1

enabling 12-3

image files 12-2

compression

IPComp 14-15, 14-59

MPPC 14-38, 14-40, 14-80, 14-82

configuration section of Manager 2-1

connecting to VPN Concentrator

using HTTP 1-4

using HTTPS 1-20

conventions

documentation xiv

typographic xiv

copy

filter (traffic management) 15-40

filter rule (traffic management) 15-15

IKE proposal 7-32

network list 15-9

crash, system, saves log file 10-8

D

data

formats xvii

date and time, configuring 11-3

Daylight-Saving Time, enabling 11-4

default

event handling, configuring 10-7

filter rules

table 15-12

using 15-11

filters

table 15-38

using 15-37

gateways, configuring for IP routing 8-7

IKE proposals, table 7-29

security associations, table 15-26, 15-27

tunnel gateway, configuring 8-7

delete

filter rule (traffic management) 15-23

group (user management) 14-43

internal authentication server 5-14

security association (traffic management) 15-36

user on internal server (user management) 14-121

DHCP

functions within the VPN Concentrator, configuring 8-14

IP address range 14-8, 14-52

servers, configuring 5-34

modify 5-36

digital certificates

in IPSec LAN-to-LAN 7-20

display settings 1-3

DNS

configuring for group 14-51

servers, configuring 5-32

documentation

additional xiv

conventions xiv

dynamic filters 15-1

E

email recipients of events, configuring 10-31

add 10-33

Ethernet interfaces

F

filter 15-1

add (traffic management) 15-40

add security association to rule on 15-46

assign rules to (traffic management) 15-43

configuring (traffic management) 15-37

configuring on base group 14-6

configuring on group 14-50

configuring on interface

Ethernet 3-12

configuring on user 14-127

copy (traffic management) 15-40

default

table 15-38

using 15-37

modify (traffic management) 15-40

filter rules 15-1

add (traffic management) 15-15

configuring 15-11

copy (traffic management) 15-15

default

table 15-12

using 15-11

delete (traffic management) 15-23

modify (traffic management) 15-15

filters

dynamic 15-1

firewall 15-15, 15-38

firewall 14-25, 14-67

firewall, client 14-67

See client firewall 14-67

firewall, client, See client firewall 14-25

flash memory

saving log files in 10-7

formats

data xvii

fragmentation policy

IPSec 3-14, 7-23

FTP

configuring internal server 9-2

using to save log files 10-8, 10-14

G

gateways, default 8-7

general parameters, configuring 11-1

global authentication parameters 11-6

groups, configuring, user management 14-42

delete 14-43

modify external 14-84

modify internal 14-45

H

hold down routes

adding to routing table 8-22

HTTP

configuring internal server 9-4

using with Manager 1-4

HTTPS

configuring internal server 9-4

connecting using 1-20

I

idle time allowed in keepalive monitoring 14-12

IKE keepalives 14-12, 14-56

and Easy VPN compliant clients 14-12, 14-56

idle time allowed in keepalive monitoring 14-56

IKE proposals

active 7-30

add 7-32

configuring 7-28

copy 7-32

modify 7-32

copy 7-32

default, table 7-29

inactive 7-30

in IPSec LAN-to-LAN 7-22

in security association 15-24

modify 7-32

IKE security association

See security associations

inheritance, of group and user parameters 1-3

installing SSL certificate

with Internet Explorer 1-6

with Netscape 1-13

Install SSL Certificate (screen) 1-5

interfaces

configuring 3-2

Ethernet, configuring 3-9

OSPF 3-17

RIP 3-15

speed 3-12

transmission mode 3-12

filter

Ethernet 3-12

public 3-11, 7-16, 15-54

section of Manager 3-1

status 3-4

internal authentication server

configuring 5-13

deleting 5-14

maximum groups and users 14-1

Internet Explorer, requirements 1-2

IP addresses

configuring assignment of 6-3

IPComp data compression 14-15, 14-59

IP Phone Bypass 14-31

IP routing

configuring 8-2

section of Manager 8-1

IPSec

alerts 7-39

banner for clients 14-17, 14-62

Cisco VPN Client 7-9, 14-8, 14-52, 14-128, 15-24

configuring 7-9

base group 14-8, 14-9

group (internal) 14-52, 14-53

user (internal server) 14-128, 14-129

data compression 14-15, 14-59

discussion 7-9

fragmentation policy 3-14, 7-23

Mode Configuration 14-16, 14-60

rules 15-6

security associations

See security associations

XAuth 14-14, 14-58

IPSec LAN-to-LAN

automatic parameters 7-18, 7-27, 15-18

configuring 7-11

add connection 7-17

no public interfaces screen 7-16

parameters for redundant systems 8-18

Done (screen) 7-27

redundancy 7-11

and load balancing 7-11

and VRRP 7-11

configuring 7-13

example 7-13

rules that apply IPSec 15-18

using network lists 7-19, 7-24

IPSec NAT-T 7-23

IPSec over TCP 7-36

IPSec through NAT

configuring

base group 14-18

J

JavaScript, requirements 1-2

K

keepalives, See IKE keepalives 14-56

Kerberos/Active Directory authentication

configuring 14-93

Kerberos/Active Directory authentication, configuring 5-11

on Linux server 5-11, 14-93

L

L2TP

configuring

base group 14-7, 14-36

group (internal) 14-52, 14-78

user (internal server) 14-128, 14-132

configuring system-wide parameters 7-6

data compression 14-40, 14-82

L2TP over IPSec

configuring

base group 14-8

group (internal) 14-52

user (internal server) 14-128

default security association to use 14-10, 14-54, 14-130

do not use Mode Configuration 14-16, 14-60

IKE proposal required 7-30

no IPSec user authentication 14-14, 14-58

Windows 2000 client support 7-1, 14-8, 14-52, 14-128

LAN-to-LAN

See IPSec LAN-to-LAN

LDAP authorization server

configuring 14-103

LDAP authorization servers, configuring 5-23

LEAP Bypass

explanation 14-33, 14-76

LEAP Bypass, configuring 14-31, 14-73

Linux server and Kerberos/Active Directory authentication 5-11, 14-93

load balancing 13-1

and VRRP 8-18, 13-1

configuring 13-4

cluster 13-5

device 13-6

preliminary steps 13-2

device priority 13-6

defaults 13-6

virtual cluster 13-1

virtual cluster master 13-1

local LAN access for VPN client 14-22, 14-64

log files

See event log

logging in the VPN Concentrator Manager 1-21

name

factory default (Manager) 1-21

password, factory default (Manager) 1-21

screen 1-4

HTTPS 1-20

Internet Explorer 1-10

Netscape 1-17

M

management protocols, configuring 9-1

Manager table of contents 1-23

memory, upgrading xiv

MIB-II

system object 11-2

Mode Configuration, IPSec 14-16, 14-60

and split tunneling 14-16, 14-60

Cisco VPN Client supports 14-16, 14-60

modify

access hours 15-4

accounting server 5-30

address pool 6-6

authentication server 5-5

authorization server 5-21

DHCP server 5-36

event class 10-18

filter (traffic management) 15-40

filter rule (traffic management) 15-15

group (external) (user management) 14-84

group (internal) (user management) 14-45

IKE proposal 7-32

NAT rule 15-55

network list 15-9

NTP host 5-41

OSPF area 8-12

security association (traffic management) 15-29

SMTP server for events 10-30

SNMP community 9-13

SNMP event trap destination 10-23

static route, for IP routing 8-5

syslog server to receive events 10-26

user on internal server (user management) 14-122

monitor / display settings 1-3

movianVPN client support 7-22, 7-34, 14-10, 14-54, 14-130, 15-32, 15-35

MPPC data compression 14-38, 14-40, 14-80, 14-82

MTU 3-13

N

NAT

configuring 15-50

enable 15-51

no public interfaces screen 15-54

NAT rules, configuring 15-52

add 15-55

modify 15-55

NAT-T (NAT Traversal) 7-23, 7-38

NAT transparency 7-36

navigating

the VPN Concentrator Manager 1-23

Netscape Navigator

problems with 1-3

requirements 1-2

network autodiscovery 7-11, 7-24

network lists 15-1

configuring 15-7

add 15-9

automatic generation 15-10

copy 15-9

modify 15-9

IPSec LAN-to-LAN 7-19, 7-24

network time, configuring

See NTP 5-38

No Public Interfaces screen

IPSec LAN-to-LAN 7-16

NAT 15-54

NT Domain, configuring authentication server 5-7

NTP, configuring 5-38

hosts (servers) 5-40

add 5-41

modify 5-41

synchronization 5-39

O

organization of the VPN Concentrator Manager 1-22

OSPF 3-1, 3-2

configuring

on Ethernet interface 3-17

system-wide parameters 8-9

with reverse route injection 8-21

OSPF areas, configuring 8-11

add 8-12

modify 8-12

P

password

factory default (Manager) 1-21

policing rate 15-67

policy management

configuring 15-2

section of Manager 15-1

power thresholds, configuring 3-6

PPTP

configuring

base group 14-7, 14-36

group (internal) 14-52, 14-78

user (internal server) 14-128, 14-132

configuring system-wide parameters 7-3

data compression 14-38, 14-80

pre-shared secret 14-16

product codes for client firewalls 14-28, 14-70

R

RADIUS

accounting, configuring 5-28

accounting record attributes 5-28

authentication server, configuring 5-5

authorization server, configuring 5-21

Cisco Secure ACS RADIUS server 14-1

Class attribute format to authenticate group name 14-42

RADIUS authorization server

configuring 14-101

reboot system

saves log file 10-8

redundancy

configuring, system 8-18

references (bibliography) xv

requirements

browser 1-2

Internet Explorer 1-2

JavaScript 1-2

Netscape Navigator 1-2

reverse route injection 7-24

RIP 3-1, 3-2

configuring on Ethernet interface 3-15

with network autodiscovery 7-24

with reverse route injection 8-21

routes, adding to routing table

network autodiscovery 7-24

reverse route injection 7-24

RRI See reverse route injection

RSA Security 5-9, 14-91

rules 15-1

add security association to, on filter 15-46

assign to filter (traffic management) 15-43

change security association on 15-48

filter, configuring 15-11

rules, NAT, configuring 15-52

add 15-55

modify 15-55

S

SAs See security associations

SAVELOG.TXT file 10-8

screen

SDI 5-9, 14-91

SecurID 5-9, 14-91

SecurID, configuring authentication server 5-9, 14-91

security associations 15-1

add to rule on filter 15-46

change on rule 15-48

configuring 15-24

add 15-29

delete 15-36

modify 15-29

default, table 15-26, 15-27

IKE proposals in 15-24

negotiation phases 15-24

servers 5-1

authorization

configuring 14-99

configuring

authentication 5-2

authorization 5-18, 5-19

DHCP 5-34, 5-36

DNS 5-32

firewall 5-37

internal authentication 5-13

Kerberos/Active Directory authentication 5-11, 14-93

LDAP authorization 5-23, 14-103

NT Domain authentication 5-7

NTP 5-38

NTP Hosts 5-40, 5-41

RADIUS accounting 5-28

RADIUS authentication 5-5

RADIUS authorization 5-21, 14-101

SDI authentication 5-9

system access to 5-1

deleting internal authentication 5-14

testing

authorization 5-26, 14-106

testing authentication 5-14

sessions

maximum permitted 11-5

changing 11-5

SMTP servers, configuring for events 10-28

add 10-30

modify 10-30

SNMP

configuring internal server 9-10

event trap destinations, configuring 10-21

add 10-23

modify 10-23

traps, configuring "well-known" 10-11

SNMP communities, configuring 9-12

add 9-13

modify 9-13

software update, automatic 12-1

enabling 12-3

image files 12-2

speed, configuring Ethernet interface 3-12

split tunneling 14-22, 14-64

and firewalls 14-25, 14-67

split tunneling, IPSec

requires Mode Configuration 14-16, 14-60

split tunneling network list 14-24, 14-65

SSH

configuring internal server 9-18

host key 9-18

server key 9-18

server key regeneration 9-19

session key 9-18

SSL

client authentication 9-16

configuring internal server 9-14

SSL certificate 9-14

installing in browser 1-5

installing with Internet Explorer 1-6

installing with Netscape 1-13

viewing with Internet Explorer 1-11

viewing with Netscape 1-18

VPN Concentrator 1-5

static routes, configuring for IP routing 8-3

add 8-5

modify 8-5

strip realm 14-8

switchover, automatic (redundancy) 8-18

syslog servers, configuring for events 10-25

add 10-26

modify 10-26

system configuration section of Manager 4-1

system identification, configuring 11-2

T

table of contents, Manager 1-23

Telnet

configuring internal server 9-8

Telnet over SSL

configuring internal server 9-8

shareware client 9-8

TFTP

and automatic software update 12-1

configuring internal server 9-6

time and date, configuring 11-3

time zone, configuring 11-3

traffic management, configuring 15-6

transmission mode, configuring Ethernet interface 3-12

traps, configuring

"well-known" 10-11

destination systems 10-21, 10-23

general events 10-11

specific events 10-20

troubleshooting

consult event log 10-5

tunnel default gateway, configuring 8-7

tunneling protocols

configuring 7-2

section of Manager 7-1

typographic conventions xiv

U

upgrading

bootcode xiv

memory xiv

user attributes, default

See base group 14-4

user management

configuring 14-3

section of Manager 14-1

users, configuring on internal server (user management) 14-120

add 14-122

delete 14-121

modify 14-122

V

vendor codes for client firewalls 14-28, 14-70

viewing SSL certificates

with Internet Explorer 1-11

with Netscape 1-18

virtual cluster 13-1

configuration 13-5

IP address 13-1

master 13-1

VPN 3002 Hardware Client

route advertisement 8-22

software update 12-1

VPN Concentrator Manager

logging in 1-21

navigating 1-23

organization of 1-22

sidebar (figure) 1-23

VRRP

configuring 8-18

W

welcome text for IPSec clients, configuring 14-17, 14-62

wildcard masks 7-24, 7-25, 15-10, 15-19

Windows 2000 client

and Mode Configuration 14-16, 14-60

configure transport mode 15-31

L2TP over IPSec support 7-1, 14-8, 14-52, 14-128

PPTP support 14-7, 14-52, 14-128

WINS, configuring for group 14-51

wireless support See movianVPN client support 7-34

X

XAuth 14-14, 14-58

XML

configuring as system management protocol 9-20

Z

Zone Labs Integrity Server 14-25, 14-29, 14-67, 14-71

Table of Contents

Index

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O

P

R

S

T

U

V

W

X

Z