
1-6

VPN Client User Guide for Mac OS X

OL-5490-01

Chapter 1      Understanding the VPN Client

VPN Client Features

VPN Client IPSec Attributes

The VPN Client supports the IPSec attributes listed in Table 1-5.

Table 1-4    IPSec Features (continued)

IPSec Feature / Description

Split tunneling
    The ability to simultaneously direct packets over the Internet in
    clear text and encrypted through an IPSec tunnel. The VPN device
    supplies a list of networks to the VPN Client for tunneled traffic.
    You enable split tunneling on the VPN Client and configure the
    network list on the VPN device.

Support for Split DNS
    The ability to direct DNS packets in clear text over the Internet to
    domains served through an external DNS (serving your ISP) or
    through an IPSec tunnel to domains served by the corporate DNS.
    The VPN server supplies a list of domains to the VPN Client for
    tunneling packets to destinations in the private network. For
    example, a query for a packet destined for corporate.com would go
    through the tunnel to the DNS that serves the private network, while
    a query for a packet destined for myfavoritesearch.com would be
    handled by the ISP's DNS. This feature is configured on the VPN
    server (VPN Concentrator) and enabled on the VPN Client by
    default. To use Split DNS, you must also have split tunneling
    configured.
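The split tunneling and split DNS rows above describe two decisions the client makes per packet and per DNS query: is the destination in the network list pushed by the VPN device, and does the queried name fall under a domain in the list pushed by the VPN server. The following is an added example that models those two decisions; it is not Cisco's code and not part of this guide. The policy class, the function names and the networks and domain names in it are constructed for illustration. Domain matching is done on a label boundary so that `notcorporate.com` does not match `corporate.com`, and the split DNS dependency on split tunneling stated in the table is enforced: with split tunneling off, every packet, DNS included, goes through the tunnel.

```python
"""Split tunneling and split DNS decision logic (added example, not Cisco's code).

Models the behaviour the guide describes: the VPN device pushes a list of
private networks (split tunneling) and the VPN server pushes a list of
private domains (split DNS). Packets for those networks and DNS queries
for those domains go through the IPSec tunnel; everything else goes in
clear text to the Internet and the ISP's DNS. Split DNS only applies when
split tunneling is enabled. All networks and domain names below are
constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class SplitPolicy:
    split_tunneling: bool        # enabled on the VPN Client
    tunneled_networks: list      # pushed by the VPN device (CIDR strings)
    split_dns_domains: list      # pushed by the VPN server

    def __post_init__(self):
        self.tunneled_networks = [ipaddress.ip_network(n) for n in self.tunneled_networks]
        # Normalise domains: lower-case, no trailing dot.
        self.split_dns_domains = [d.lower().strip(".") for d in self.split_dns_domains]


def route_for_packet(policy: SplitPolicy, dst_ip: str) -> str:
    """Return 'tunnel' if a packet to dst_ip is encrypted through IPSec, else 'clear'."""
    if not policy.split_tunneling:
        return "tunnel"  # no split tunneling: all traffic goes through the tunnel
    addr = ipaddress.ip_address(dst_ip)
    return "tunnel" if any(addr in net for net in policy.tunneled_networks) else "clear"


def _in_domain(name: str, domain: str) -> bool:
    # Match on a label boundary: "corporate.com" matches itself and
    # "mail.corporate.com" but not "notcorporate.com".
    return name == domain or name.endswith("." + domain)


def resolver_for_query(policy: SplitPolicy, qname: str) -> str:
    """Return 'corporate' if a DNS query is tunneled to the corporate DNS, else 'isp'."""
    if not policy.split_tunneling:
        return "corporate"  # split DNS requires split tunneling; otherwise everything is tunneled
    name = qname.lower().rstrip(".")
    if any(_in_domain(name, d) for d in policy.split_dns_domains):
        return "corporate"
    return "isp"


def classify(policy: SplitPolicy, packets: list, queries: list):
    """Classify a list of destination addresses and a list of query names."""
    return (
        {ip: route_for_packet(policy, ip) for ip in packets},
        {q: resolver_for_query(policy, q) for q in queries},
    )


if __name__ == "__main__":
    # Constructed sample policy: two private networks and one private domain.
    policy = SplitPolicy(True, ["10.0.0.0/8", "192.168.100.0/24"], ["corporate.com"])
    routes, resolvers = classify(
        policy,
        ["10.1.2.3", "203.0.113.5"],
        ["mail.corporate.com", "myfavoritesearch.com", "notcorporate.com"],
    )
    for ip, r in routes.items():
        print(f"packet to {ip:15} -> {r}")
    for q, r in resolvers.items():
        print(f"query for {q:22} -> {r} DNS")
```

Two points from the defender's side follow directly from this logic. With split tunneling enabled the workstation is reachable from the Internet and the private network at the same time, so the network list the VPN device pushes should cover only what remote users need. And any query whose name is not under a pushed domain goes to the ISP resolver in clear text, so internal hostnames outside that domain list are exposed to whoever sees that traffic.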

Table 1-5    IPSec Attributes

IPSec Attribute / Description

Main Mode and Aggressive Mode
    Ways to negotiate phase one of establishing ISAKMP Security
    Associations (SAs).

Authentication algorithms
    HMAC (Hashed Message Authentication Coding) with MD5
    (Message Digest 5) hash function
    HMAC with SHA-1 (Secure Hash Algorithm) hash function

Authentication Modes
    Preshared Keys
    Mutual Group Authentication
    X.509 Digital Certificates

Diffie-Hellman Groups
    Group 1 = 768-bit prime modulus
    Group 2 = 1024-bit prime modulus
    Group 5 = 1536-bit prime modulus

    Note: See the Cisco VPN Client Administrator Guide for more
    information about DH Group 5.

Encryption algorithms
    56-bit DES (Data Encryption Standard)
    168-bit Triple-DES
    AES 128-bit and 256-bit

Summary of Contents for OL-5490-01

Page 1: ...ms Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 VPN Client User Guide for Mac OS X Release 4 6 August 2004 Customer Order Number Text Part Number OL 5490 01 ...

Page 2: ... CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES VPN Client User Guide for Mac OS X Copyright 2004 Cisco Systems Inc All rights reserved CCIP CCSP the Cisco Arrow logo the Cisco Powered Network mark Cisco ...

Page 3: ...om x Technical Assistance Center xi Cisco TAC Website xi Cisco TAC Escalation Center xii Obtaining Additional Publications and Information xii C H A P T E R 1 Understanding the VPN Client 1 1 Connection Technologies 1 1 VPN Client Overview 1 2 VPN Client Features 1 3 Program Features 1 3 Authentication Features 1 5 IPSec Features 1 5 VPN Client IPSec Attributes 1 6 C H A P T E R 2 Installing the V...

Page 4: ... E R 3 Navigating the User Interface 3 1 VPN Client Menu 3 1 Choosing a Run Mode 3 2 Operating in Simple Mode 3 2 VPN Client Window Simple Mode 3 2 Main Menus Simple Mode 3 3 Connection Entries Menu 3 3 Status Menu 3 3 Operating in Advanced Mode 3 4 VPN Client Window Advanced Mode 3 4 Toolbar Action Buttons Advanced Mode 3 5 Main Tabs Advanced Mode 3 5 Main Menus Advanced Mode 3 6 Connection Entri...

Page 5: ... 3 Shared Key Authentication 5 3 VPN Group Name and Password Authentication 5 4 RADIUS Server Authentication 5 4 SecurID Authentication 5 5 Using Digital Certificates 5 6 C H A P T E R 6 Enrolling and Managing Certificates 6 1 Using the Certificate Store 6 1 Enrolling Certificates 6 2 Managing Enrollment Requests 6 5 Viewing the Enrollment Request 6 5 Deleting an Enrollment Request 6 5 Changing th...

Page 6: ...nnection Entries 7 1 Importing a Connection Entry 7 1 Modifying a Connection Entry 7 2 Deleting a Connection Entry 7 3 Event Logging 7 4 Enable Logging 7 4 Clear Logging 7 5 Set Logging Options 7 5 Opening the Log Window 7 7 Viewing Statistics 7 8 Tunnel Details 7 9 Route Details 7 10 Notifications 7 11 I N D E X ...

Page 7: ... and management and know how to install configure and manage internetworking systems Contents This guide contains the following chapters Chapter 1 Understanding the VPN Client This chapter describes how the VPN Client software works and lists the main features Chapter 2 Installing the VPN Client This chapter describes how to install the VPN Client software application Chapter 3 Navigating the User...

Page 8: ...e The term Cisco VPN device refers to the following Cisco products Cisco IOS devices that support Easy VPN server functionality Cisco VPN 3000 Series Concentrators Cisco PIX Firewall Series The term PC refers generically to any personal computer The term click means click the left button on a normally configured multi button mouse The term right click means click the right button on a normally con...

Page 9: ...e maximum length of user names and passwords is generally 32 characters unless specified otherwise Obtaining Documentation Cisco provides several ways to obtain documentation technical assistance and other technical resources These sections explain how to obtain technical information from Cisco Systems Cisco com You can access the most current Cisco documentation on the World Wide Web at this URL ...

Page 10: ...page click Feedback at the top of the page You can e mail your comments to bug doc cisco com You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address Cisco Systems Attn Customer Document Ordering 170 West Tasman Drive San Jose CA 95134 9883 We appreciate your comments Obtaining Technical Assistance Cisco provides...

Page 11: ...twork is severely degraded affecting significant aspects of business operations No workaround is available Priority level 1 P1 Your production network is down and a critical impact to business operations will occur if service is not restored quickly No workaround is available Cisco TAC Website You can use the Cisco TAC website to resolve P3 and P4 issues yourself saving both cost and time The site...

Page 12: ...oducts products_catalog_links_launch html Cisco Press publishes a wide range of networking publications Cisco suggests these titles for new and experienced users Internetworking Terms and Acronyms Dictionary Internetworking Technology Handbook Internetworking Troubleshooting Guide and the Internetworking Design Guide For current Cisco Press titles and other information go to Cisco Press online at ...

Page 13: ...isco PIX Firewall Series Version 6 2 or later With the graphical user interface for the VPN Client for Mac OS X you can establish a VPN connection to a private network manage connection entries certificates events logging and view tunnel routing data You can also manage the VPN Client for Mac OS X using the command line interface CLI If you are running Darwin or if you prefer to manage the VPN Cli...

Page 14: ...igital certificates Establishing user access rights hours of access connection time allowed destinations allowed protocols Managing security keys for encryption and decryption Authenticating encrypting and decrypting data through the tunnel For example to use a remote PC to read e mail at your organization the connection process might be similar to the following Step 1 Connect to the Internet Step...

Page 15: ...rt Bluetooth wireless technology Protocol IP Tunnel protocol IPSec User Authentication RADIUS RSA SecurID VPN server internal user list PKI digital certificates NT Domain Windows NT Table 1 2 Program Features Program Feature Description Servers Supported Cisco IOS devices that support Easy VPN server functionality VPN 3000 Series Concentrators Cisco PIX Firewall Series Version 6 2 or later Interfa...

Page 16: ...de the new hostname and VPN Client address Notifications Software update notifications from the VPN server upon connection Launching from notification Ability to launch a location site containing upgrade software from a VPN server notification Alerts Delete with reason The VPN Client provides you with a reason code or reason text when a disconnect occurs The VPN Client supports the delete with rea...

Page 17: ...tication through VPN central site device Internal through the VPN device s database RADIUS Remote Authentication Dial In User Service NT Domain Windows NT RSA formerly SDI SecurID or SoftID Certificate Management Allows you to manage the certificates in the certificate stores Certificate Authorities CAs CAs that support PKI SCEP enrollment Peer Certificate Distinguished Name Verification Prevents ...

Page 18: ...would go through the tunnel to the DNS that serves the private network while a query for a packet destined for myfavoritesearch com would be handled by the ISP s DNS This feature is configured on the VPN server VPN Concentrator and enabled on the VPN Client by default To use Split DNS you must also have split tunneling configured Table 1 4 IPSec Features continued IPSec Feature Description Table 1...

Page 19: ...ormal IKE phase 1 authentication where the IPSec devices authenticate each other The extended authentication exchange within IKE does not replace the existing IKE authentication Mode Configuration Also known as ISAKMP Configuration Method Tunnel Encapsulation Modes IPSec over UDP NAT PAT IPSec over TCP NAT PAT IP compression IPCOMP using LZS Data compression algorithm Table 1 5 IPSec Attributes co...

Page 20: ...1 8 VPN Client User Guide for Mac OS X OL 5490 01 Chapter 1 Understanding the VPN Client VPN Client Features ...

Page 21: ... might need the following information You can normally obtain this information from the system administrator of the private network you want to access The system administrator might have preconfigured much of this data Hostname or IP address of the secure gateway you are connecting to Your IPSec Group Name for preshared keys Your IPSec Group Password for preshared keys If authenticating with a dig...

Page 22: ... Client installer To distribute custom user profiles to the installer program place the files in the Profiles folder of the VPN Client installer To distribute custom images place the files in the Resources folder of the VPN Client installer To distribute custom global profiles place the vpnclient ini in the VPN Client installer directory Note Refer to the Cisco VPN Client Administrator Guide for i...

Page 23: ...pnclient installer directory Any file with a pcf extension found in this folder is placed in the Profiles directory when the VPN Client is installed Preconfiguring the Global Profile A global profile sets rules for all remote users it contains parameters for the VPN Client as a whole The name of the global profile file is vpnclient ini The vpnclient ini file controls the following features Control...

Page 24: ...rt root_cert_filename Volumes CiscoVPNClient Step 3 In the GUI press Apple E while focusing on the CiscoVPNClient folder or using the CLI enter the following command umount Volumes CiscoVPNClient Installing the VPN Client The following sections describe how to install the VPN Client software The VPN Client for Mac OS X installer program installs by default both the graphical user interface and the...

Page 25: ... lock to authenticate your password The Authenticate dialog box appears Figure 2 4 Figure 2 4 Authenticate Dialog Box Step 3 Enter your administrator username and a password or challenge phrase Step 4 Click OK If the authentication is successful continue to the installation process Contact your network administrator if you cannot authenticate for installation ...

Page 26: ...ections The installation process includes the following steps Introduction page 2 6 Accepting the License Agreement page 2 7 Selecting the Application Destination page 2 7 Choosing the Installation Type page 2 8 Introduction The first window that appears during installation is the introduction The right pane of the Introduction window Figure 2 5 lists system requirements The left pane displays eac...

Page 27: ...he license agreement you can Print the license agreement Save the license agreement to a file Go Back to the Introduction window Continue and agree to the terms in the license agreement When you have completely read the Cisco VPN Client software license agreement click Continue To continue with the installation click Agree Selecting the Application Destination If your workstation has more than one...

Page 28: ...ation binaries includes everything in the directory usr local bin including the ipseclog VPN Client graphical user interface VPN Client kernel extension VPN Client profiles includes the global profile vpnclient ini and any user profiles pcf files VPN startup the system startup script to automatically start the client at boot time The VPN Client application binaries and the VPN Client kernel extens...

Page 29: ...asy Install Window To choose which packages to install click Customize to open the Custom Install window Figure 2 9 Figure 2 9 Custom Install Window The packages with the blue check box are optional To make a package part of your installation check the blue box To remove a package from your installation uncheck the blue box ...

Page 30: ...all to return to the default installation packages or Install to continue with a custom installation A progress bar lists the installation steps as they occur Figure 2 10 Figure 2 10 Install Software Progress Window When the installation is finished a window appears to indicate whether the installation was successful Figure 2 11 ...

Page 31: ...n Confirmation Window Click Close If you do not receive this confirmation the installation was not successful You must start the installation process again from the beginning or contact your network administrator for assistance To begin using the Client double click the VPN Client application icon located in the Applications directory Figure 2 12 ...

Page 32: ...VPN CiscoVPN start System Library StartupItems CiscoVPN CiscoVPN stop System Library StartupItems CiscoVPN CiscoVPN restart Alternately you can use these commands to interact with the kernel extension sudo SystemStarter start CiscoVPN sudo SystemStarter stop CiscoVPN sudo SystemStarter restart CiscoVPN During the installation process the application binaries are copied to the specified destination...

Page 33: ...N Client from your workstation To uninstall the VPN Client for Mac OS X Step 1 Open a terminal window Step 2 Run the following command sudo usr local bin vpn_uninstall Step 3 Enter your password Step 4 You are prompted to remove all profiles and certificates If you answer yes all binaries startup scripts certificates profiles and any directories that were created during the installation process ar...

Page 34: ...2 14 VPN Client User Guide for Mac OS X OL 5490 01 Chapter 2 Installing the VPN Client Uninstalling the VPN Client ...

Page 35: ... navigating the user interface VPN Client Menu Use the VPN Client menu Figure 3 1 to manage the VPN Client application and main window settings Figure 3 1 VPN Client Menu About VPN Client Displays the current VPN Client version the VPN Client type platform and the copyright information Preferences Sets VPN Client window preferences Figure 3 2 Figure 3 2 VPN Client Window Preferences ...

Page 36: ...ow All Displays all windows that were previously hidden Quit VPN Client Closes the VPN Client application Choosing a Run Mode You can run the VPN Client in simple mode or in advanced mode The default is advanced mode Use simple mode if you only want to start the VPN Client application and establish a connection to a VPN device using the default connection entry Use Advanced mode to manage the VPN ...

Page 37: ...ntries Menu Connect Establish a VPN connection using the selected connection entry If the Connections tab is not selected a submenu which lists all available connection entries is displayed Disconnect Disconnect the current VPN session Import Import a connection entry configuration file a file with a pcf extension called a profile Set as Default Connection Entry Use the selected connection entry a...

Page 38: ...face the main menu options and the right click menu options Figure 3 6 shows the VPN Client window and the primary navigation areas Figure 3 6 Main VPN Client Window 1 VPN Client version information 4 Display area for the main tabs 2 Toolbar action buttons The buttons that are available depend on which tab is forward 5 When connected the status bar displays information related to the current VPN s...

Page 39: ...ure 3 8 Figure 3 8 VPN Client GUI Main Tabs The three main tabs include Connection Entries tab Displays the list of current connection entries the host which is the VPN device each connection entry uses to gain access to the private network and the transport properties that are set for each connection entry Refer to Chapter 4 Configuring Connection Entries for more details on the Connection Entrie...

Page 40: ... entry If the Connections tab is not selected a submenu which lists all available connection entries is displayed Disconnect Disconnect the current VPN session Modify Modify the properties of the selected connection entry Delete Delete the selected connection entry Duplicate Duplicate the selected connection entry This menu choice allows you to create a new connection entry using the configuration...

Page 41: ...ates Menu Use the Certificates menu Figure 3 11 as a shortcut to frequently used certificate operations The menu option applies to the certificate that is currently selected on the Certificates tab Note A certificate must be selected to use Certificates menu options Figure 3 11 Certificates Menu View View the properties of the selected certificate Import Import a certificate from a file Export Exp...

Page 42: ...or make adjustments Log Window Open the Log Window which is a separate window that displays events From this window you can save the display edit logging levels by event class and clear both log displays The Log Window shows more events than the display area of the main advanced mode window Search Log Open the Search Log dialog box Figure 3 13 Figure 3 13 Log Search Dialog Box Enter the exact stri...

Page 43: ...n entry Disconnect Disconnect the current VPN session Duplicate Duplicate the selected connection entry This action allows you to create a new connection entry using the configuration from a current connection entry as a template Delete Delete the selected connection entry Modify Display the properties of the selected connection entry This action opens the VPN Client Properties window Erase Saved ...

Page 44: ...15 Certificates Tab Right Click Menu View View the properties of the selected certificate Export Export the selected certificate to a specified file location Verify Verify that the selected certificate is valid Delete Delete the selected certificate Change Certificate Password Change the password used to protect the certificate while it is in the VPN Client certificate store Retry Certificate Enro...

Page 45: ... Client you must create at least one connection entry which identifies the following information The VPN device that is providing access to the network Preshared keys The IPSec group that you have been assigned to Your IPSec group determines the set of privileges you have for accessing and using the private network For example it specifies access hours number of simultaneous logins user authentica...

Page 46: ... a connection entry Step 1 Open the VPN Client application The VPN Client window appears Figure 4 1 Figure 4 1 VPN Client Window Step 2 Click the Connection Entries tab Step 3 Click New at the top of the VPN Client window The Create New VPN Connection Entry dialog box appears Figure 4 2 Figure 4 2 Create New VPN Connection Entry ...

Page 47: ...ection on page 4 6 for more information Step 9 Use the Backup Servers tab to view the current list of backup servers or to manually add a backup server See the Backup Servers section on page 4 8 for more information Step 10 The Erase User Password button at the bottom of this dialog box erases the user password that is saved on the VPN Client workstation forcing the VPN Client to prompt you for a ...

Page 48: ... you have a root certificate installed If not it prompts to import one Before you continue you must import a root certificate For information on importing a certificate see Importing a Certificate When you have installed a root certificate if required follow the steps in Group Authentication Certificate Authentication Use this procedure if you plan to use digital certificates for authenticating fo...

Page 49: ...s feature enables a peer VPN Concentrator to trust the VPN Client s identity certificate given the same root certificate without having the same subordinate CA certificates actually installed The following is an example of a certificate chain On the VPN Client you have this chain in the certificate hierarchy a Root Certificate b CA Certificate 1 c CA Certificate 2 d Identity Certificate On the VPN...

Page 50: ... 8 To configure transport parameters Step 1 Open the VPN Client application Step 2 Select a connection entry Step 3 Click Modify at the top of the VPN Client window to access the VPN Client Properties dialog box Step 4 Click the Transport tab Figure 4 5 to display the existing transport parameters configured for this connection entry Figure 4 5 Transport Settings Step 5 Select your transport setti...

Page 51: ...st match the mode used by the VPN device providing your connection to the private network If you select IPSec over UDP NAT PAT the default mode the port number is negotiated If you select TCP you must enter the port number for TCP in the TCP port field This port number must match the port number configured on the VPN device The default port number is 10000 Note Either mode operates properly throug...

Page 52: ...efore terminating a connection is 90 seconds The minimum number of seconds you can configure is 30 seconds and the maximum is 480 seconds To adjust the setting enter the number of seconds in the Peer response timeout field The VPN Client continues to send DPD requests every 5 seconds until it reaches the number of seconds specified by the Peer response timeout value Backup Servers The private netw...

Page 53: ...e order in which the backup servers are used select a backup server and use the arrow buttons to move the server up or down in the list Step 7 Click Save The VPN Client Properties dialog box closes and you return to the Connection Entries tab If there are no backup servers listed or if you want to manually add a server to the list use the following procedure Step 1 Click the Add button on the Back...

Page 54: ...0 01 Chapter 4 Configuring Connection Entries Backup Servers Step 3 Click OK The backup server is added to the list of available backup servers To remove a backup server return to the Backup Server tab select a server from the list and click Remove ...

Page 55: ...e information User authentication information This includes your username and password and depending on the configuration of your connection entry might also include Passwords for RADIUS authentication VPN group name and password for connections to VPN devices PINs for RSA Data Security Digital certificates and associated passwords An Internet connection Contact your network administrator for prer...

Page 56: ...vanced Mode See Chapter 3 Navigating the User Interface for more information on simple mode and advanced mode Step 2 From the Connection Entries tab select the connection entry to use for this VPN session For simple mode select a connection entry from the drop down list Step 3 Click Connect at the top of the VPN Client window or double click the selected connection entry For simple mode click the ...

Page 57: ...etwork administrator determines whether user authentication is required The VPN Client supports Shared key or VPN group name and group password for authenticating the VPN device Mutual group authentication using a root certificate generally installed by your network administrator RADIUS server RSA Security SecurID Digital Certificates for authenticating the user The authentication prompts displaye...

Page 58: ...e 5 5 You can use VPN group authentication alone or with other authentication methods Figure 5 5 VPN Group Authentication Enter your group name and password and click OK The group name is the name of the IPSec group configured on the VPN device for this connection entry RADIUS Server Authentication You can use RADIUS server authentication with VPN group authentication With this type of authenticat...

Page 59: ... Connection Entries menu SecurID Authentication RSA SecurID authentication methods include physical RSA SecurID cards and keychain fobs and PC software called RSA SecurID for passcode generation RSA SecurID cards can vary The passcode might be combination of a PIN and a card code or you might be required to enter a PIN on the card to display the passcode Ask your network administrator for the corr...

Page 60: ...a certificate the VPN Client verifies that your certificate is not expired Valid A message appears that indicates the validation period for this certificate Expired A warning appears that indicates when the certificate expired Each digital certificate is protected by a password If the connection entry you are using requires a digital certificate for authentication the VPN Certificate Authenticatio...

Page 61: ... with certificates open the Certificates tab on the main VPN Client window in advanced mode The Certificates tab lists the certificates you currently have enrolled If there are no certificates showing you need to enroll with a CA or contact your system administrator Using the Certificate Store The VPN Client uses the notion of store to convey a location in your local file system for storing person...

Page 62: ...r if you want to add certificates you can obtain a certificate by enrolling with a Certificate Authority CA To enroll a digital certificate you must enroll using the PKI Framework standards receive approval from the CA and have the certificate installed on your system You can enroll a digital certificate Over the network from a CA From an enrollment request file To enroll a digital certificate for...

Page 63: ...tain the challenge password from your administrator or from the CA New Password The password for this certificate Each digital certificate is protected by a password If you create a connection entry that requires a digital certificate for authentication you must enter the certificate password each time you attempt a connection For file enrollment enter File encoding type of the output file Base 64...

Page 64: ...an be the name of a person system or other entity It is the most specific level in the identification hierarchy The common name becomes the name of the certificate For example Fred Flinstone Domain The Fully Qualified Domain Name FQDN of the host for your system For example Dialin_Server Email E The user e mail address for the certificate For example email company com IP Address The IP address of ...

Page 65: ...the list on the Certificates tab You can view delete or change the password for any request in the list or you can retry a network enrollment request To perform any of these actions select the pending enrollment request and click on the Certificate menu Viewing the Enrollment Request To display the enrollment request Step 1 Select the enrollment request in the certificate store Step 2 Choose View ...

Page 66: ...rd dialog box Figure 6 5 Figure 6 5 Changing a Certificate Password Step 3 Enter the current password and click OK Step 4 At the prompt enter the new password and click OK Step 5 At the next prompt enter the new password again to verify it and click OK The VPN Client responds with a success message Note You can also change the password from the View dialog box Retrying an Enrollment Request To ret...

Page 67: ...indow The import path is automatically entered in the Import Certificate dialog box Step 4 Enter the import password This is the password used to protect the certificate file called the import password and is assigned by the system administrator Step 5 Enter the New Password This is the password assigned by you to protect the certificate while it is in your certificate store This password is optio...

Page 68: ...ner is using the certificate Country The 2 character country code in which the owner s system is located Email The e mail address of the owner of the certificate Thumbprint The MD5 and SHA 1 hash of the certificate s complete contents This provides a means for validating the authenticity of the certificate For example if you contact the issuing CA you can use this identifier to verify that this ce...

Page 69: ...certificate from the certificate store to a specified file Step 1 Click the Certificates tab Step 2 Select the certificate to export Step 3 Click Export at the top of the VPN Client window The Export Certificate dialog box appears Figure 6 8 Figure 6 8 Export Certificate Step 4 Enter the export path If you do not know the export path browse to the export directory and click Open on the browser win...

Page 70: ... has been deleted To delete a user or root certificate Step 1 Click the Certificates tab Step 2 Select the certificate to delete Step 3 Click Delete at the top of the VPN Client window A warning prompt appears Figure 6 10 Figure 6 10 Delete Certificate Warning Step 4 Verify the name of the certificate and click Delete The selected certificate is deleted from the certificate store Click Do not Dele...

Page 71: ...e certificate while it is in your certificate store This is the password set in the New Password field when you enrolled this certificate See the Enrolling Certificates section on page 6 2 Step 5 Click OK The certificate is deleted from the certificate store Verifying a Certificate To verify that a certificate is valid Step 1 Click the Certificates tab Step 2 Click Verify at the top of the VPN Cli...

Page 72: ...ertificates option from the Certificates menu To change the password on a personal certificate Step 1 Select a certificate from the certificate store under the Certificates tab Step 2 Display the Certificates menu and choose Change Certificate Password The VPN Client displays the Change Certificate Password dialog box In the Current field type the password you are currently using to protect your p...

Page 73: ...nnection entries This includes how to import modify and delete a connection entry Importing a Connection Entry You can automatically configure your VPN Client with new settings by importing a new configuration file a file with a pcf extension called a profile supplied by your network administrator To import a stored profile Step 1 Click the Connection Entries tab Step 2 Click Import at the top of ...

Page 74: ...rn to the Connection Entries tab Alternately you can copy the pcf file into the profiles directory and restart the VPN Client application Modifying a Connection Entry You can make changes to a connection entry at any time The new configuration is stored in the profiles directory and is applied during the next connection attempt To modify a connection entry Step 1 Click the Connection Entries tab S...

Page 75: ...uration Step 5 Click Save The VPN Client Properties dialog box closes and you return to the Connection Entries tab Deleting a Connection Entry You can delete any connection entry that does not have an active VPN connection To delete a connection entry Step 1 The Connection Entries tab must be forward Step 2 Select the connection entry to delete Step 3 Click Delete at the top of the VPN Client wind...

Page 76: ...with an IPSec connection between the VPN Client and a peer VPN device. The log collects event messages from all processes that contribute to the client-peer connection.
From the Log tab on the VPN Client window you can: enable logging; clear the logging display; view the event log in an external window; and set or change the logging levels.
Note To search the log, choose Search Log from the Log menu. Matched i...

Page 77: ...r at the top of the VPN Client window. Clearing the display does not reset event numbering or clear the log file itself.
Note To store the event messages before you clear the log, choose Save from the Log menu.
Set Logging Options
Logging options apply to the active VPN session. Changing the logging settings clears the event log, and the new logging settings take effect immediately.
To set logging option...

Page 78: ...aemon, which initializes client service and controls the messaging process and flow. Daemon: cvpnd.
LOG.XAUTH  Extended authorization application, which validates a remote user's credentials (eXtended AUTHentication).
LOG.CERT  Certificate management process, which handles obtaining, validating, and renewing certificates from certificate authorities. CERT also displays errors that occur as you use the applicati...

Page 79: ...ing Levels
There are four logging levels:
0  Disables logging services for the specified LOG class.
1  Low: displays only critical and warning events. This is the default.
2  Medium: displays critical, warning, and informational events.
3  High: displays all events.
Step 4 Click Apply. This clears the event log and immediately applies the new logging levels.
Opening the Log Window
To display the events log in a se...

Page 80: ...ile was created, for example LOG 2003 03 13 52 56 text. You can save what is in the present log to a different directory and filename, but you cannot change the default log directory and filename.
Open the Log Settings window.
Clear the information listed in the log window.
Close the Log Window.
Viewing Statistics
View VPN session information on the Statistics window. The Statistics window lists tunnel de...

Page 81: ...fields in the tunnel details display. Alternately, you can reset the statistics by choosing Reset Stats from the Status menu.
Table 7-2 describes the statistics fields on the Tunnel Details tab.
Table 7-2 Tunnel Details
Field  Description
Client Address Information  IP address assigned to the client for this VPN session.
Server Address Information  IP address of the VPN device you are connected to.
Bytes R...

Page 82: ...ues to support DES/MD5. However, support for DES/SHA is no longer available, and Release 3.7 and later VPN Clients cannot connect to any central-site device group that is configured for or proposing DES/SHA. The VPN Client must either connect to a different group, or the system administrator for the central-site device must change the configuration from DES/SHA to DES/MD5 or another supported configura...

Page 83: ...at provides your connection to the private network might send notifications to the VPN Client. These notifications appear on the Notifications window.
To display the Notifications window (Figure 7-10), choose Notifications from the Status menu.
When you first establish a VPN connection, you receive a notification regarding your connection. This is typically the login banner or connection history. Other not...

Page 84: ...he notification message associated with the selected title. All notifications from the VPN device are stored in this display during the VPN session. Every VPN session contains at least one notification: the connection history.
Some notifications contain a URL, which directs you to the location of more current versions of the VPN Client. If the URL exists, the Launch button becomes active. If you click the...

Page 85: ...ds, 4-3; mode, 1-6; authentication methods, 5-3; digital certificate, 5-6; RADIUS, 5-4; SecurID, 5-5; shared key, 5-3; VPN group name, 5-4; authenticity, 6-8
B: backup servers: change order, 4-9; list, 4-8; tab, 4-3; base 64 encoding type, 6-3; binaries, application, 2-8; binary encoding type, 6-3; bytes received, 7-9
C: CA (Certificate Authority), 6-2; cable modem, 1-1; CA URL, 6-3; certificate: at login, 5-6; authentication, 4-4; chain, 4-5; c...

Page 86: ...-3; connecting to default connection entry, 5-3; connection: prerequisites, 5-1; status, 5-3; connection entries tab, 3-5; connection entry: creating, 4-2; default, 5-3; defined, 4-1; delete, 3-6; deleting, 7-3; importing, 7-1; menu, 3-3; modifying, 7-2; saving, 7-3; setting default, 3-3, 3-6; template, 3-6; connection manager, 7-6; connection technologies, 1-1; connection types, 1-3; connect on open, 5-3; copyright information, 3-1; countr...

Page 87: ...ting, 6-5; resuming, 6-6; viewing, 6-5; enrollment type, certificate, 6-2; erase user password, 3-9; ESP (protocol 50), 4-7; event logging, 3-2; event messages, 3-5; export certificate, 6-9; export path, certificate, 6-9; extended authentication, 1-7, 7-6
F: features: authentication, 1-5; IPSec, 1-5; program, 1-3; VPN Client, 1-3; firewall, see PIX firewall; firewalls, 4-7; FQDN (Fully Qualified Distinguished Name), 6-8
G: graphical user in...

Page 88: ...alling the GUI, 2-4, 2-8; interfaces supported, 1-1; invalid certificate, 6-11; IP address, 7-9; IPCOMP (IP compression), 1-7; IPSec: attributes, 1-6; features, 1-5; group, 4-4; module, 7-6; with VPN, 1-2; ISDN, 1-1
K: keepalives, 1-5; kernel extension, 2-8; key: pair, 6-8; preshared, 1-6, 4-1; size, 6-2, 6-8; keywords, 2-2
L: LAN connection, 1-1; launch from notification, 1-4; launch browser, 7-12; license agreement, 2-7; local LAN access, 1-3, 4...

Page 89: ...entry, 7-2; MTU size, 1-4
N: NAT Transparency, 1-4, 7-10; new password, certificate, 6-3; notifications, 7-11; notifications from VPN device, 1-4; notifications, viewing, 3-7
O: obtaining: documentation, ix; installer, 2-2; software, 2-2; operating system, 1-3
P: packages: installation, 2-8; remove, 2-9; packets: querying, 1-6; tunneling, 1-6; packets encrypted, 7-9; parameters: defining, 2-3; transport, 4-6; passcodes, 5-5; password, adminis...

Page 90: ...t-click menus, 3-8; root certificate, installing automatically on Darwin, 2-4; routing data, 3-2; RSA, 5-5; run mode, 3-2
S: SA (security association), 1-4; save log file, 3-8; SCEP (Simple Certificate Enrollment Protocol), 6-1; SecurID authentication, 5-5; session time, 3-4; SHA-1 (Secure Hash Algorithm), 1-6; shared key authentication, 5-3; show/hide window, 3-2; signing key pair, 6-8; simple mode: menu, 3-3; window, 3-2; single SA, 1-...

Page 91: ...s, 7-11; user: access, 1-2; password, 3-9; profiles, 2-3; user authentication: methods, 5-3; supported types, 1-3; VPN device, 1-5; user profiles, installing, 2-8
V: verify certificate, 3-7, 6-11; version information, 3-4; view: certificate properties, 3-7; certificates, 6-7; logging, 7-7; notifications, 3-7; statistics, 7-8; viewing enrollment request, 6-5; VPN Client: defined, 1-2; features, 1-3; icon, 5-2; menus, 3-6; quitting, 3-2; window ...
