Administration

Administering the VPN 3002 involves activities that keep the system operational and secure. Configuring the system sets the parameters that govern its use and functionality as a VPN device, but administration involves higher-level activities such as who is allowed to configure the system, and what software runs on it.

Administration

This section of the Manager lets you control administrative functions on the VPN 3002.


Figure 12-1: Administration screen

Administration | Software Update

This section of the Manager lets you update the VPN 3002 executable system software. This process uploads the file to the VPN 3002, which then verifies the integrity of the file.

The new image file must be accessible by the workstation you are using to manage the VPN 3002. Software image files ship on the Cisco VPN 3002 CD-ROM. Updated or patched versions are available from the Cisco Website, www.cisco.com, under Service & Support > Software Center.

It takes a few minutes to upload and verify the software, and the system displays the progress. Please wait for the operation to finish.

To run the new software image, you must reboot the VPN 3002. The system prompts you to reboot when the update is finished.

We also recommend that you clear your browser's cache after you update the software image: delete all the browser's temporary internet files, history files, and location bar references.


Note   The VPN 3002 has two locations for storing image files: the active location, which stores the image currently running on the system; and the backup location. Updating the image overwrites the stored image file in the backup location and makes it the active location for the next reboot. Updating twice, therefore, overwrites the image file in the active location; and the current image file is lost. The Manager displays a warning on this screen if you have already updated the image without rebooting.


Caution   You can update the software image while the system is still operating as a VPN device. Rebooting the system, however, terminates all active sessions.


Caution   While the system is updating the image, do not perform any other operations that affect flash memory (listing, viewing, copying, deleting, or writing files). Doing so may corrupt memory.

Updating the software image also makes available any new Cisco-supplied configurable selections. When you reboot with the new image, the system updates the active configuration in memory with these new selections, but it does not write them to the CONFIG file until you click the Save Needed icon in the Manager window.


Figure 12-2: Administration | Software Update screen

Current Software Revision

The name, version number, and date of the software image currently running on the system.

Browse...

Enter the complete pathname of the new image file, or click Browse... to find and select the file from your workstation or network. Cisco-supplied VPN 3002 software image files are named:

The Major and Minor Version numbers are always present; the Sustaining and Patch Version numbers are present only if needed.

Be sure you select the correct file for your VPN 3002; otherwise the update will fail.

Upload / Cancel

To upload the new image file to the VPN 3002, click Upload.

To cancel your entries on this screen, or to stop a file upload that is in progress, click Cancel. The Manager returns to the main Administration screen. If you then return to the Administration | Software Update screen, you may see a message that a file upload is in progress. Click the highlighted link to stop it and clear the message.

Software Update Progress

This window shows the progress of the software upload. It refreshes the number of bytes transferred at 10-second intervals.


Figure 12-3: Administration | Software Update Progress window

When the upload is finished, or if the upload is cancelled, the progress window closes.

Software Update Success

The Manager displays this screen when it completes the software upload and verifies the integrity of the software. To go to the Administration | System Reboot screen, click the highlighted link.

We strongly recommend that you clear your browser's cache after you update the software image: delete all the browser's temporary internet files, history files, and location bar references.


Figure 12-4: Administration | Software Update Success screen

Software Update Error

This screen appears if there was an error in uploading or verifying the image file. You may have selected the wrong file. Click the highlighted link to return to the Administration | Software Update screen and try the update again, or contact Cisco support.


Figure 12-5: Administration | Software Update Error screen

Administration | System Reboot

This screen lets you reboot or shut down (halt) the VPN 3002 with various options.

We strongly recommend that you shut down the VPN 3002 before you turn power off. If you just turn power off without shutting down, you may corrupt flash memory and affect subsequent operation of the system.

If you are logged in to the Manager when the system reboots or halts, it automatically logs you out and displays the main login screen. The browser may appear to hang during a reboot; that is, you cannot log in and you must wait for the reboot to finish. You can log back in while the VPN 3002 is in a shutdown state, before you turn power off.

If a delayed reboot or shutdown is pending, the Manager also displays a message that describes when the action is scheduled to occur.


Note   A reboot or shutdown that does not wait for sessions to terminate ends all active sessions without warning and prevents new user sessions.

The VPN 3002 automatically saves the current event log file as SAVELOG.TXT when it reboots, and it overwrites any existing file with that name. See Configuration | System | Events | General, Administration | Config File Management, and Monitoring | Filterable Event Log for more information on the event log file.


Figure 12-6: Administration | System Reboot screen

Action

Click a radio button to select the desired action. You can select only one action.

Configuration

Click a radio button to select the configuration file handling at reboot. These selections apply to reboot only. You can select only one option.

When to Reboot/Shutdown

Click a radio button to select when to reboot or shut down. You can select only one option.

Apply / Cancel

To take action with the selected options, click Apply. The Manager returns to the main Administration screen if you don't reboot or shut down now.

To cancel your settings on this screen, click Cancel. The Manager returns to the main Administration screen. (Note that this Cancel button does not cancel a scheduled reboot or shutdown.)

Administration | Ping

This screen lets you use the ICMP ping (Packet Internet Groper) utility to test network connectivity. Specifically, the VPN 3002 sends an ICMP Echo Request message to a designated host. If the host is reachable, it returns an Echo Reply message, and the Manager displays a Success screen. If the host is not reachable, the Manager displays an Error screen.

You can also Ping hosts from the Administration | Sessions screen.


Figure 12-7: Administration | Ping screen

Address/Hostname to Ping

Enter the IP address or hostname of the system you want to test. (If you configured a DNS server, you can enter a hostname; otherwise, enter an IP address.) Maximum is 64 characters.

Ping / Cancel

To send the ping message, click Ping. The Manager pauses during the test, which may take a few moments; please wait for the operation to finish. The Manager then displays either a Success or Error screen; see below.

To cancel your entry on this screen, click Cancel. The Manager returns to the main Administration screen.

Success (Ping)

If the system is reachable, the Manager displays a Success screen with the name of the tested host.


Figure 12-8: Administration | Ping | Success screen

Continue

To return to the Administration | Ping screen, click Continue.

Error (Ping)

If the system is unreachable for any reason—host down, ICMP not running on host, route not configured, intermediate router down, network down or congested, etc.—the Manager displays an Error screen with the name of the tested host. To troubleshoot the connection, try to Ping other hosts that you know are working.


Figure 12-9: Administration | Ping | Error screen

To return to the Administration | Ping screen, click Retry the operation.

To go to the main Manager screen, click Go to main menu.

Administration | Access Rights

This section of the Manager lets you configure and control administrative access to the VPN 3002.


Figure 12-10: Administration | Access Rights screen

Administration | Access Rights | Administrators

Administrators are special users who can access and change the configuration, administration, and monitoring functions on the VPN 3002. Only administrators can use the VPN 3002 Hardware Client Manager.

This section of the Manager lets you change administrator properties and rights. Any changes take effect as soon as you click Apply.


Figure 12-11: Administration | Access Rights | Administrators screen

Administrator

The VPN 3002 has three predefined administrators:

Password

Enter or edit the unique password for this administrator. Maximum is 31 characters. The field displays only asterisks.


Note   The default password that Cisco supplies is the same as the username. We strongly recommend that you change this password.

Verify

Re-enter the password to verify it. The field displays only asterisks.

Enabled

Check the box to enable, or clear the box to disable, an administrator. Only enabled administrators can log in to, and use, the VPN 3002 Hardware Client Manager. You must enable at least one administrator, and you can enable all administrators. By default, only admin is enabled.

Apply / Cancel

To save this screen's settings in nonvolatile memory, click Apply. The settings immediately affect new sessions. The Manager returns to the Administration | Access Rights screen.

To discard your settings or changes, click Cancel. The Manager returns to the Administration | Access Rights screen.

Administration | Access Rights | Access Settings

This screen lets you configure general options for administrator access to the Manager.


Figure 12-12: Administration | Access Rights | Access Settings screen

Session Idle Timeout

Enter the idle timeout period in seconds for administrative sessions. If there is no activity for this period, the Manager session terminates. Minimum is 1, default is 600, and maximum is 1800 seconds (30 minutes).

The Manager resets the inactivity timer only when you click an action button (Apply, Add, Cancel, etc.) or a link on a screen—that is, when you invoke a different screen. Entering values or setting parameters on a given screen does not reset the timer.

Session Limit

Enter the maximum number of simultaneous administrative sessions allowed. Minimum is 1, default is 10, and maximum is 50 sessions.

Encrypt Config File

To encrypt sensitive entries in the CONFIG file, check the box (default). The CONFIG file is in ASCII text format (.INI format). Check this box to encrypt entries such as passwords, keys, and user information.

To use clear text for all CONFIG file entries, clear the box. For maximum security, we do not recommend this option.

Apply / Cancel

To save your settings in the active configuration, click Apply. The Manager returns to the Administration | Access Rights screen.

To cancel your settings, click Cancel. The Manager returns to the Administration | Access Rights screen.

Administration | File Management

This section of the Manager lets you manage config files and view crash dump files in VPN 3002 flash memory. (Flash memory acts like a disk.)


Figure 12-13: Administration | Config File Management screen

View Files

View Files lets you view or delete configuration, crash dump, and saved log files. When you select this option, the Administration | File Management | View Files window displays.

Swap Config Files

Swap Config Files lets you swap the boot configuration file with the backup configuration file. When you select this option, the Administration | File Management | Swap Config Files window displays.

Config File Upload

Click Config File Upload to upload a configuration file. When you select this option, the Administration | File Management | Config File Upload window displays.

Administration | File Management | View

This window includes these functions:


Figure 12-14: Administration | File Management | View screen

View (Save)

To view a file, click View <Type of File>. The Manager opens a new browser window to display the file, and the browser address bar shows the filename.

You can also save a copy of the file on the PC that is running the browser. Click the File menu on the new browser window and select Save As.... The browser opens a dialog box that lets you save the file. The default filename is the same as on the VPN 3002.

Alternatively, you can use the secondary mouse button to click View on this Manager screen. A pop-up menu presents choices whose exact wording depends on your browser, but among them are:

When you are finished viewing or saving the file, close the new browser window.

Delete

To delete the selected file from flash memory, click Delete. The Manager opens a dialog box for you to confirm or cancel. If you confirm, the Manager refreshes the screen and shows the revised list of files.

Administration | File Management | Swap Config Files

This screen lets you swap the boot configuration file with the backup configuration file. Every time you save the active configuration, the system writes it to the CONFIG file, which is the boot configuration file; and it saves the previous CONFIG file as CONFIG.BAK, the backup configuration file.

To reload the boot configuration file and make it the active configuration, you must reboot the system. When you click OK, the system automatically goes to the Administration | System Reboot screen, where you can reboot the system. You can also click the highlighted link to go to that screen.


Figure 12-15: Administration | Configuration File Management | Swap Config Files screen

OK / Cancel

To swap CONFIG and CONFIG.BAK files, click OK. The Manager goes to the Administration | System Reboot screen.

To leave the files unchanged, click Cancel. The Manager returns to the Administration | File Management screen.

Administration | File Management | Config File Upload

This screen lets you use HTTP (Hypertext Transfer Protocol) to transfer a configuration file from your PC—or a system accessible from your PC—to the VPN 3002 flash memory.

This function provides special handling for configuration (config) files. If the uploaded file has the VPN 3002 filename config, the system deletes any existing config.bak file, renames the existing config file as config.bak, then writes the new config file. However, these actions occur only if the file transfer is successful, so existing files are not corrupted.

To use these functions, you must have Administrator or Configuration Access Rights. See the Administration | Access Rights | Administrators screen.


Figure 12-16: Administration | File Management | Config File Upload screen

Local Config File / Browse...

Enter the name of the file on your PC. In a Windows environment, enter the complete pathname using MS-DOS syntax; e.g., c:\vpn3002\config0077. You can also click the Browse button to open a file navigation window, find the file, and select it.

Upload / Cancel

To upload the file to the VPN 3002, click Upload. The Manager opens the File Upload Progress window.

To cancel your entries on this screen, or to stop a file upload that is in progress, click Cancel. The Manager returns to the Administration | Config File Management screen. Stopping an upload may leave a temporary file in VPN 3002 flash memory. Such files are named TnnnF.nnn (for example, T003F.002). You can delete them on the Administration | Config File Management | View Config Files screen.

File Upload Progress

This window shows the progress of the file upload. It refreshes the number of bytes transferred at 10-second intervals.


Figure 12-17: Administration | File Management | File Upload Progress window

When the upload is finished, or if the upload is cancelled, the progress window closes.

File Upload Success

The Manager displays this screen to confirm that the file upload was successful.


Figure 12-18: Administration | File Management | File Upload Success screen

To go to the Administration | Config File Management | View screen and examine files in flash memory, click the highlighted link.

File Upload Error

The Manager displays this screen if there was an error during the file upload and the transfer was not successful. Flash memory may be full, or the file transfer may have been interrupted or cancelled.


Figure 12-19: Administration | File Management | File Upload Error screen

Click the link—Click here to see the list of files—to go to the Administration | Config File Management | View screen and examine space and files in flash memory.

Click the link—Click here to return to File Upload—to return to the Administration | Config File Management | File Upload screen.

Administration | Certificate Management

This section of the Manager lets you manage digital certificates:

Digital certificates are a form of digital identification used for authentication. CAs issue them in the context of a Public Key Infrastructure (PKI), which uses public-key / private-key encryption to ensure security. CAs are trusted authorities who "sign" certificates to verify their authenticity. The systems on each end of the VPN tunnel must have trusted certificates from the same CA, or from different CAs in a hierarchy of trusted relationships; e.g., "A" trusts "B," and "B" trusts "C," therefore "A" trusts "C."

CAs issue root certificates (also known as trusted or signing certificates). They may also issue subordinate trusted certificates. Finally, CAs issue identity certificates, which are the certificates for specific systems or hosts. There must be at least one identity certificate (and its root certificate) on a given VPN 3002; there may be more than one root certificate.

During IKE (IPSec) Phase 1 authentication, the communicating parties exchange certificate and key information, and they use the public-key / private-key pairs to generate a hash value; if the hash values match, the client is authenticated.

The VPN 3002 supports X.509 digital certificates (International Telecommunications Union Recommendation X.509), including SSL (Secure Sockets Layer) certificates that are self-signed or issued in a PKI context.

On the VPN 3002, digital certificates are stored as encrypted files in a secure area of flash memory. They do not require you to click Save Needed to store them, and they are not visible under Administration | Config File Management.

After you install a digital certificate on the VPN 3002, you can use it to negotiate an IPSec tunnel by selecting the check box Use Certificate on the Configuration | System | Tunneling Protocols | IPSec screen.

The VPN 3002 can have only one SSL certificate installed. If you generate a self-signed SSL certificate, it replaces any installed PKI-context SSL certificate; and vice-versa.

For information on using SSL certificates, see Installing the SSL certificate in your browser in Chapter 1. See also Configuration | System | Management Protocols | HTTP/HTTPS and Telnet, and Configuration | System | Management Protocols | SSL.

Digital certificates carry a timestamp that determines a time frame for their validity. Therefore, it is essential that the time on the VPN 3002 is correct and synchronized with network time. See Configuration | System | General | Time and Date.


Figure 12-20: Administration | Certificate Management screen

Installing digital certificates on the VPN 3002

Installing a digital certificate on the VPN 3002 requires these steps:

    1. Use the Administration | Certificate Management | Enrollment screen to generate a certificate request. Save the request as a file, or copy it to the clipboard.

    2. Process the certificate request to the chosen CA, usually using the CA's Web interface. Most CAs let you submit the request by pasting from the clipboard; otherwise, you can send a file.

    3. From the CA, receive root (and perhaps subordinate) and identity certificates. Save them as text files on your PC or other reachable network host; do not open them or install them in your browser.

    4. Use the Administration | Certificate Management | Installation screen to:

    5. Install an SSL certificate, if the self-signed one that the VPN 3002 generates does not meet your needs.

    6. Use the Administration | Certificate Management | Certificates screen to view the certificates and check them, and perhaps to enable revocation checking.

(You must complete the enrollment and certificate installation process within one week of generating the request.)

See the appropriate Administration | Certificate Management screen for more details.

Administration | Certificate Management | Enrollment

This screen lets you generate a certificate request to send to a CA (Certificate Authority), to enroll the VPN 3002 in a PKI.

The entries you make on this screen are governed by PKI standards and practices. The fields conform to ITU-T Recommendation X.520: Selected Attribute Types. You must find out from the CA whether to make an entry and what to enter (format, content, and syntax). You must at least enter the Common Name (CN). All entries may appear in your identity certificate.

When you click Apply, the system generates a certificate request; see the Administration | Certificate Management | Enrollment | Request Generated screen.


Figure 12-21: Administration | Certificate Management | Enrollment screen

Common Name (CN)

Enter the name for this VPN 3002 that identifies it in the PKI; e.g., Engineering VPN. Spaces are allowed. You must enter a name in this field.

If you are requesting an SSL certificate, enter the IP address or domain name you use to connect to this VPN 3002; e.g., 10.10.147.2.

Organizational Unit (OU)

Enter the name for the department or other organizational unit to which this VPN 3002 belongs; e.g., CPU Design. Spaces are allowed.

Organization (O)

Enter the name for the company or organization to which this VPN 3002 belongs; e.g., Cisco Systems. Spaces are allowed.

Locality (L)

Enter the city or town where this VPN 3002 is located; e.g., Franklin. Spaces are allowed.

State/Province (SP)

Enter the state or province where this VPN 3002 is located; e.g., Massachusetts. Spell out completely; do not abbreviate. Spaces are allowed.

Country (C)

Enter the country where this VPN 3002 is located; e.g., US. Use two characters, no spaces, and no periods. This two-character code must conform to ISO 3166 country abbreviations.

Subject Alternative Name (FQDN)

Enter the fully qualified domain name or IP address for this VPN 3002 that identifies it in this PKI; e.g., vpn3030.altiga.com. This field is optional. The alternative name is an additional data field in the certificate, and it provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections.

Key Size

Click the drop-down menu button and select the algorithm for generating the public-key / private-key pair, and the key size. If you are requesting an SSL certificate, you must select an RSA choice. Longer key lengths provide stronger security at the expense of increased processing overhead.

OK / Cancel

To generate the certificate request, click OK. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen, which shows the certificate request (see Figure 12-22 below).

To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen.

Administration | Certificate Management | Enrollment | Request Generated

The Manager displays this screen when the system has successfully generated a certificate request. The request is a Base-64 encoded file in PKCS-10 format (Public Key Certificate Syntax-10), which most CAs recognize or require. The system automatically saves this file in flash memory with the filename shown in the screen (pkcsNNNN.txt).

In generating the request, the system also generates the private key used in the PKI process. That key remains on the VPN 3002, and it is not visible.

You must complete the enrollment and certificate installation process within two weeks of generating the request.


Figure 12-22: Administration | Certificate Management | Enrollment | Request Generated screen

To go to the Certificate Installation screen, click the highlighted Certificate Installation page link.

Enrolling with a Certificate Authority

To send the certificate request to a CA, enroll, and receive your digital certificates, follow these steps. (These are cut-and-paste steps; your CA may follow different procedures. In any case, you must end up with certificates saved as text files on your PC or other reachable network host.)

    1. Select and copy the certificate request from the browser window to your clipboard.

    2. Use a browser to connect to the CA's Web site. Navigate to the screen that lets you submit a PKCS-10 request via cut-and-paste.

    3. Paste the certificate request in the CA screen, and submit the request.

    4. The CA should respond with a new browser screen that says the certificates were successfully generated. That screen also should include active links that let you "Download the root certificate" and "Download the identity certificate."

    5. With the secondary mouse button, click the root certificate download link and select Save Link As or Save Target As. You want to save the file as a text file on your PC or other reachable network host; do not open it or install it in the browser. The browser opens a dialog box that lets you navigate to the desired location and enter a filename. Use a name that clearly identifies this as a root certificate, with a .txt extension.

    6. Repeat the previous step for any subordinate certificates, and finally for the identity certificate. Name the files so that you can distinguish the certificate types.

    7. Proceed to the Administration | Certificate Management | Installation screen below.

Administration | Certificate Management | Installation

This Manager screen lets you install digital certificates on the VPN 3002.

You can install certificates obtained via enrollment with a CA in a PKI (where the private key is generated on—and stays hidden on—the VPN 3002).


Note   You must install the CA root certificate first, then install any other subordinate certificates from the CA. Install the identity certificate last.

You can also install an SSL server identity certificate issued in a PKI context (not a self-signed SSL certificate). If you install such a certificate, it replaces any self-signed SSL certificate. The VPN 3002 can have only one SSL certificate, regardless of type.
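The installation order in the Note above can be worked out from the Subject and Issuer of each saved file, as this added example shows (it is not part of the Cisco documentation). The file names and distinguished names are constructed, and matching DN values without regard to case or extra spaces is an assumption.

```python
# Added example: derive the install order (root, subordinates, identity last)
# from Subject/Issuer strings such as those shown on the Certificates | View
# screen. Assumes DN values contain no embedded commas.

def normalize_dn(dn):
    """Canonical form of 'CN=..., OU=..., O=...' for comparison."""
    parts = []
    for item in dn.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        parts.append((key.strip().upper(), " ".join(value.split()).lower()))
    return tuple(parts)


def format_dn(key):
    return ", ".join(f"{k}={v}" for k, v in key)


def installation_order(certs):
    """Return file names ordered root first, then subordinate CAs from the
    root downward, then identity certificates. Raises ValueError if an
    issuer's certificate is missing or the issuers form a loop."""
    by_subject = {}
    for cert in certs:
        key = normalize_dn(cert["subject"])
        if key in by_subject:
            raise ValueError(f"duplicate subject: {cert['subject']}")
        by_subject[key] = cert

    # Subjects that act as issuer for some *other* certificate are CAs.
    issuers_in_use = set()
    for cert in certs:
        subject, issuer = normalize_dn(cert["subject"]), normalize_dn(cert["issuer"])
        if issuer != subject:
            issuers_in_use.add(issuer)

    def depth(key, seen):
        # Depth 0 is a root: its Subject and Issuer are the same.
        if key in seen:
            raise ValueError(f"issuer loop at: {format_dn(key)}")
        if key not in by_subject:
            raise ValueError(f"missing CA certificate for: {format_dn(key)}")
        parent = normalize_dn(by_subject[key]["issuer"])
        return 0 if parent == key else 1 + depth(parent, seen | {key})

    ranked = []
    for key, cert in by_subject.items():
        d = depth(key, frozenset())
        is_identity = d > 0 and key not in issuers_in_use
        ranked.append((is_identity, d, cert["file"]))
    ranked.sort(key=lambda r: (r[0], r[1]))  # CAs by depth, identities last
    return [name for _, _, name in ranked]


# Constructed sample: three files as saved from a CA, listed out of order.
SAMPLE_CERTS = [
    {"file": "vpn3002_identity.txt",
     "subject": "CN=Engineering VPN, OU=CPU Design, O=Example Corp, C=US",
     "issuer": "CN=Example Issuing CA, OU=PKI, O=Example Corp, C=US"},
    {"file": "ca_sub.txt",
     "subject": "CN=Example Issuing CA, OU=PKI, O=Example Corp, C=US",
     "issuer": "cn=Example Root CA, o=Example Corp, c=US"},
    {"file": "ca_root.txt",
     "subject": "CN=Example Root CA, O=Example Corp, C=US",
     "issuer": "CN=Example Root CA, O=Example Corp, C=US"},
]

if __name__ == "__main__":
    for step, name in enumerate(installation_order(SAMPLE_CERTS), start=1):
        print(f"{step}. install {name}")
```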


Figure 12-23: Administration | Certificate Management | Installation screen

Certificate Type

Click the drop-down menu button and select the type of digital certificate to install.

Certificate Password

Complete this field only if you select an import with Private Key certificate type. Enter the password for the private key.

Verify

Complete this field only if you select an import with Private Key certificate type. Re-enter the private key password to verify it.

Local File / Browse

Enter the complete path and filename of the certificate you are installing; e.g., d:\certs\ca_root.txt. Or click Browse to navigate to the file on your PC or other reachable network host.

Certificate Text

You can enter the certificate text in either of two ways. If the certificate text is stored in a file, then enter the file name in the Local File/Browse field above. If the text of the certificate is displaying in another open window, you can copy and paste it here. This scrollable input field allows you to enter the certificate text directly, without having to save it to a file first.

OK / Cancel

To install the certificate, click OK. The Manager displays the Administration | Certificate Management | Certificates screen.

To discard your entries and cancel the operation, click Cancel. The Manager returns to the Administration | Certificate Management screen.

Administration | Certificate Management | Certificates

This screen shows all the certificates installed in the VPN 3002 and lets you view and delete certificates. You can also generate a self-signed SSL server certificate.

The Manager displays this screen each time you install a digital certificate.


Figure 12-24: Administration | Certificate Management | Certificates screen

Certificate Authorities

This table shows installed root and subordinate (trusted) certificates issued by Certificate Authorities (CAs).

Identity Certificates

This table shows installed server identity certificates.

SSL Certificate / [ Generate ]

This table shows the SSL server certificate installed on the VPN 3002. The system can have only one SSL server certificate installed: either a self-signed certificate or one issued in a PKI context.

To generate a self-signed SSL server certificate, click Generate. The system uses parameters set on the Configuration | System | Management Protocols | SSL screen and generates the certificate. The new certificate replaces any existing SSL certificate.

Subject / Issuer

The Common Name (CN) or Organizational Unit (OU) (if present), plus the Organization (O) in the Subject and Issuer fields of the certificate. The format is CN at O, OU at O, or just O; e.g., Root 2 at CyberTrust. The CN, OU, and O fields display a maximum of 33 characters each. See Administration | Certificate Management | Certificates | View.

Expiration

The expiration date of the certificate. Format is MM/DD/YYYY.

Actions/View/Delete

To view details of this certificate, click View. The Manager opens the Administration | Certificate Management | Certificates | View screen; see below.

To delete this certificate from the VPN 3002, click Delete. The Manager opens the Administration | Certificate Management | Certificates | Delete screen; see below.

Administration | Certificate Management | Certificates | View

The Manager displays this screen of certificate details when you click View for a certificate on the Administration | Certificate Management | Certificates screen. The details vary depending on the certificate content.

The content and format for certificate details are governed by ITU (International Telecommunication Union) X.509 standards, specifically RFC 2459. The Subject and Issuer fields conform to ITU X.520.

This screen is read-only; you cannot change any information here.


Figure 12-25: Administration | Certificate Management | Certificates | View screen

Subject

The person or system that uses the certificate. For a CA root certificate, the Subject and Issuer are the same.

Issuer

The CA or other entity (jurisdiction) that issued the certificate.

Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.520 terminology, and they echo the fields on the Administration | Certificate Management | Enrollment screen.

CN=

Common Name: the name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.

For the VPN 3002 self-signed SSL certificate, the CN is the IP address on the Ethernet 1 (Private) interface at the time the certificate is generated. SSL compares this CN with the address you use to connect to the VPN 3002 via HTTPS, as part of its validation.

OU=

Organizational Unit: the subgroup within the organization (O).

O=

Organization: the name of the company, institution, agency, association, or other entity.

L=

Locality: the city or town where the organization is located.

SP=

State/Province: the state or province where the organization is located.

C=

Country: the two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.

Serial Number

The serial number of the certificate. Each certificate issued by a CA or other entity must have a unique identifier. The serial number serves this purpose.

Signing Algorithm

The cryptographic algorithm that the CA or other issuer used to sign this certificate.

Public Key Type

The algorithm and size of the public key that the CA or other issuer used in generating this certificate.

Certificate Usage

The purpose of the key contained in the certificate; e.g., digital signature, certificate signing, nonrepudiation, key or data encipherment, etc. This field displays only if a key usage extension is present.

MD5 Thumbprint

A 128-bit MD5 hash of the complete certificate contents, shown as a 16-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate's authenticity, you can check this value with the issuer.

SHA1 Thumbprint

A 160-bit SHA-1 hash of the complete certificate contents, shown as a 20-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate's authenticity, you can check this value with the issuer.
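To check a thumbprint with the issuer, you can compute the same MD5 and SHA-1 values on your workstation from the certificate text file you saved, as in this added example (not part of the Cisco documentation). The hash is taken over the decoded binary certificate, not over the Base-64 text; the sample bytes are a constructed stand-in rather than a real certificate, and the colon-separated hex display is an assumption.

```python
import base64
import binascii
import hashlib
import re

# Constructed stand-in for binary (DER) certificate contents; NOT a real
# certificate. A thumbprint is simply a hash over these decoded bytes.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + bytes(range(256)) + b"constructed-sample"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def to_pem(der, width=64):
    """Wrap bytes as Base-64 certificate text (used to build the sample)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def decode_certificate_text(text):
    """Return the binary certificate from Base-64 text, with or without the
    BEGIN/END lines, ignoring line wrapping and CR/LF differences."""
    match = PEM_RE.search(text)
    body = match.group(1) if match else text
    compact = "".join(body.split())
    if not compact:
        raise ValueError("no Base-64 data found")
    try:
        der = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid Base-64: {exc}") from exc
    if der[:1] != b"\x30":
        raise ValueError("decoded data does not start with an ASN.1 SEQUENCE")
    return der


def format_digest(digest):
    # Assumed display form: upper-case hex bytes separated by colons.
    return ":".join(f"{b:02X}" for b in digest)


def thumbprints(text):
    """MD5 (16-byte) and SHA-1 (20-byte) thumbprints of the certificate."""
    der = decode_certificate_text(text)
    return {
        "md5": format_digest(hashlib.md5(der).digest()),
        "sha1": format_digest(hashlib.sha1(der).digest()),
    }


def same_thumbprint(a, b):
    """Compare two thumbprints, ignoring separators and letter case."""
    def strip(s):
        return re.sub(r"[^0-9A-Fa-f]", "", s).upper()
    return strip(a) != "" and strip(a) == strip(b)


if __name__ == "__main__":
    pem_text = to_pem(SAMPLE_DER)
    prints = thumbprints(pem_text)
    print("MD5 :", prints["md5"])
    print("SHA1:", prints["sha1"])
    # Common mistake: hashing the text file instead of the decoded bytes.
    wrong = hashlib.sha1(pem_text.encode("ascii")).hexdigest()
    print("hash of text file matches:", same_thumbprint(wrong, prints["sha1"]))
```

Compare the result with the value the issuer gives you over a separate channel, and with the value on the View screen.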

Validity

The time period during which this certificate is valid.

Format is MM/DD/YYYY at HH:MM:SS AM/PM to MM/DD/YYYY at HH:MM:SS AM/PM. Time uses 12-hour AM/PM notation, and is local system time.

Subject Alternative Name (Fully Qualified Domain Name)

The fully qualified domain name for this VPN 3002 that identifies it in this PKI. The alternative name is an optional additional data field in the certificate, and it provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections. This field displays only if the FQDN extension is present.

Back

To return to the Administration | Certificate Management | Certificates screen, click Back.

Administration | Certificate Management | Certificates | Delete

The Manager displays this confirmation screen when you click Delete for a certificate on the Administration | Certificate Management | Certificates screen. The screen shows the same certificate details as on the Administration | Certificate Management | Certificates | View screen.

Please note:


Figure 12-26: Administration | Certificate Management | Certificates | Delete screen

Yes / No

To delete this certificate, click Yes. There is no undo. The Manager returns to the Administration | Certificate Management | Certificates screen and shows the remaining certificates.

To retain this certificate, click No. The Manager returns to the Administration | Certificate Management | Certificates screen, and the certificates are unchanged.


Posted: Tue Nov 19 15:17:53 PST 2002
Copyright © 1989-2000 Cisco Systems Inc.