manualshive.com logo in svg

Cisco VPN 3002 Hardware Client Manager, Reference Manual

The Cisco VPN 3002 Hardware Client Manager is a powerful product designed to enhance your remote network connectivity. Get started easily with the Quick Start Manual available for free download at manualshive.com, providing comprehensive instructions and insights for optimal usage of this innovative hardware client.

Share
Download
background image

C H A P T E R

 

6-1

VPN 3002 Hardware Client Reference

OL-1893-01

6

Tunneling

Tunneling is the heart of virtual private networking. Tunnels make it possible to use a public TCP/IP 
network, such as the Internet, to create secure connections between remote users and a private corporate 
network.

The secure connection is called a tunnel, and the VPN 3002 uses the IPSec tunneling protocol to:

Negotiate tunnel parameters.

Establish tunnels.

Authenticate users and data.

Manage security keys.

Encrypt and decrypt data.

Manage data transfer across the tunnel.

Manage data transfer inbound and outbound as a tunnel endpoint.

The VPN 3002 functions as a bidirectional tunnel endpoint:

It can receive plain packets from the private network, encapsulate them, create a tunnel, and send 
them to the other end of the tunnel where they are unencapsulated and sent to their final destination

It can receive encapsulated packets from the public network, unencapsulate them, and send them to 
their final destination on the private network.

This section explains how to configure the IPSec tunneling protocol.

Summary of Contents for VPN 3002 Hardware Client Manager

Page 1: ...isco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 VPN 3002 Hardware Client Reference Release 3 5 November 2001 Text Part Number OL 1893 01 ...

Page 2: ...FITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AccessPath AtmDirector Browse with Me CCIP CCSI CD PAC CiscoLink the Cisco Powered Network logo Cisco Systems Networking Academy the Cisco Systems Networking Academy logo Fast Step Follow Me Browsing FormShare FrameShare GigaStack...

Page 3: ... the VPN 3002 Using HTTPS 1 16 Configuring HTTP HTTPS and SSL Parameters 1 16 Logging into the VPN 3002 Hardware Client Manager 1 17 Interactive Hardware Client and Individual User Authentication 1 19 Logging In With Interactive Hardware Client and Individual User Authentication 1 19 Understanding the VPN 3002 Hardware Client Manager Window 1 23 Organization of the VPN 3002 Hardware Client Manager...

Page 4: ... Configuration System IP Routing DHCP Options 7 7 Configuration System IP Routing DHCP Options Add or Modify 7 8 Management Protocols 8 1 Configuration System Management Protocols 8 1 Configuration System Management Protocols HTTP HTTPS 8 2 Configuration System Management Protocols Telnet 8 4 Configuration System Management Protocols SNMP 8 6 Configuration System Management Protocols SNMP Communit...

Page 5: ...anagement 11 5 Configuration Policy Management Traffic Management 11 5 Configuration Policy Management Traffic Management PAT 11 6 Configuration Policy Management Traffic Management PAT Enable 11 6 Administration 12 1 Administration 12 1 Administration Software Update 12 2 Administration System Reboot 12 5 Administration Ping 12 7 Administration Access Rights 12 9 Administration Access Rights Admi...

Page 6: ...om Workstation 12 49 Administration Certificate Management View 12 50 Administration Certificate Management Configure CA Certificate 12 53 Administration Certificate Management Renewal 12 54 Administration Certificate Management Activate or Re Submit Status 12 56 Administration Certificate Management Delete 12 57 Administration Certificate Management View Enrollment Request 12 58 Administration Ce...

Page 7: ...ing Statistics MIB II ARP Table 13 51 Monitoring Statistics MIB II Ethernet 13 53 Monitoring Statistics MIB II SNMP 13 56 Using the Command Line Interface 14 1 Accessing the Command line Interface 14 1 Starting the Command line Interface 14 2 Using the Command line Interface 14 3 Menu Reference 14 7 Troubleshooting and System Errors A 1 Files for Troubleshooting A 1 LED Indicators A 2 System Error...

Page 8: ...Contents viii VPN 3000 Series Concentrator Reference Volume I Configuration 78 13782 01 ...

Page 9: ...amiliar with Windows system configuration and management and you should be familiar with Microsoft Internet Explorer or Netscape Navigator or Communicator browsers Organization This manual is organized by the order in which sections appear in the VPN 3002 Hardware Client Manager table of contents the left frame of the Manager browser window see Figure 1 35 in Chapter 1 Using the VPN 3002 Hardware ...

Page 10: ...Extension modes Chapter 12 Administration Explains how to configure and use high level VPN 3002 administrator activities such as who is allowed to configure the system what software runs on it rebooting and shutting down the system managing its configuration files and managing X 509 digital certificates Chapter 13 Monitoring Explains the many status statistics sessions and event log screens that y...

Page 11: ... explains how to configure your device beyond the minimal parameters you set during quick configuration The VPN 3000 Series Concentrator Reference Volume II Administration and Monitoring provides guidelines for administering and monitoring the VPN Concentrator It explains and defines all functions available in the Administration and Monitoring screens of the VPN Concentrator Manager Appendixes to ...

Page 12: ...l IPSec www whatis com a web reference site with definitions for computer networking and data communication terms Documentation conventions This document uses the following conventions Notes use the following conventions Note Means reader take note Notes contain helpful suggestions or references to material not covered in the publication Cautions use the following conventions Caution Means reader ...

Page 13: ...mit leading zeros in a byte position Subnet Masks and Wildcard Masks Subnet masks use 4 byte dotted decimal notation for example 255 255 255 0 Wildcard masks use the same notation for example 0 0 0 255 as the example illustrates you can omit leading zeros in a byte position MAC Addresses MAC addresses use 6 byte hexadecimal notation for example 00 10 5A 1F 4F 07 Hostnames Hostnames use legitimate ...

Page 14: ...r Otherwise you can mail your comments to the following address Cisco Systems Inc Document Resource Connection 170 West Tasman Drive San Jose CA 95134 9883 We appreciate your comments Obtaining technical assistance Cisco provides Cisco com as a starting point for all technical assistance Customers and partners can obtain documentation troubleshooting tips and sample configurations from online tool...

Page 15: ... operations continue P4 You need information or assistance on Cisco product capabilities product installation or basic product configuration In each of the above cases use the Cisco TAC website to quickly find answers to your questions To register for Cisco com go to the following website http www cisco com register If you cannot resolve your technical issue by using the TAC online resources Cisco...

Page 16: ...xvi VPN 3002 Hardware Client Reference OL 1893 01 Preface Obtaining technical assistance ...

Page 17: ...n as HTTPS To use a cleartext HTTP connection see the section Connecting to the VPN 3002 Using HTTP To use HTTP over SSL HTTPS with the Manager The first time connect to the Manager using HTTP and Install an SSL certificate in the browser see Installing the SSL Certificate in Your Browser When the SSL certificate is installed you can connect directly using HTTPS see Connecting to the VPN 3002 Usin...

Page 18: ...tion toolbar to prevent mistakes while using the VPN 3002 Hardware Client Manager Recommended PC Monitor Display Settings For optimal use we recommend setting your monitor or display Desktop area 1024 x 768 pixels or greater Minimum 800 x 600 pixels Color palette 256 colors or higher Connecting to the VPN 3002 Using HTTP When your system administration tasks and network permit a cleartext connecti...

Page 19: ...protocol S HTTP Secure HTTP which encrypts only HTTP application level data SSL encrypts all data between client and server at the IP socket level and is thus more secure SSL uses digital certificates for authentication The VPN 3002 creates a self signed SSL server certificate when it boots and this certificate must be installed in the browser Once the certificate is installed you can connect usin...

Page 20: ...he browser Continue below for Internet Explorer or skip to Installing the SSL Certificate with Netscape Installing the SSL certificate with Internet Explorer This section describes SSL certificate installation using Microsoft Internet Explorer 5 0 With Internet Explorer 4 0 some dialog boxes are different but the process is similar You need to install the SSL certificate from a given VPN 3002 only...

Page 21: ... the Open this file from its current location radio button then click OK The browser displays the Certificate dialog box with information about the certificate You must now install the certificate Figure 1 4 Internet Explorer Certificate Dialog Box 4 Click Install Certificate The browser starts a wizard to install the certificate The certificate store is where such certificates are stored in Inter...

Page 22: ...net Explorer Certificate Manager Import Wizard Dialog Box 5 Click Next to continue The wizard opens the next dialog box asking you to select a certificate store Figure 1 6 Internet Explorer Certificate Manager Import Wizard Dialog Box 6 Let the wizard Automatically select the certificate store and click Next The wizard opens a dialog box to complete the installation ...

Page 23: ... install the certificate click Yes This dialog box closes and a final wizard confirmation dialog box opens Figure 1 9 Internet Explorer Certificate Manager Import Wizard Final Dialog Box 9 Click OK to close this dialog box and click OK on the Certificate dialog box Figure 1 4 to close it You can now connect to the VPN 3002 using HTTP over SSL HTTPS 10 On the Manager SSL screen Figure 1 2 click the...

Page 24: ...HTTPS Internet Explorer The browser maintains the HTTPS state until you close it or access an unsecured site in the latter case you might see a Security Alert screen Proceed to Logging into the VPN 3002 Hardware Client Manager to log in as usual Viewing Certificates with Internet Explorer There are at least two ways to examine certificates stored in Internet Explorer First note the padlock icon on...

Page 25: ... Certificates section In Internet Explorer 5 0 click the browser Tools menu and select Internet Options Click the Content tab then click Certificates in the Certificates section On the Certificate Manager click the Trusted Root Certification Authorities tab The VPN 3002 Hardware Client SSL certificate name is its Ethernet 1 private IP address Figure 1 13 Internet Explorer 4 0 Certificate Authoriti...

Page 26: ...2 using SSL see Step 7 in this section Figure 1 14 Netscape Reinstallation Note First time Installation The instructions below follow from Step 2 in Installing the SSL Certificate in Your Browser and describe first time certificate installation A few seconds after the VPN 3002 Hardware Client Manager SSL screen appears Netscape displays a New Certificate Authority screen Figure 1 15 Netscape New C...

Page 27: ...thority Screen 2 2 Click Next to proceed Netscape displays the next New Certificate Authority screen which lets you examine details of the VPN 3002 Hardware Client SSL certificate Figure 1 17 Netscape New Certificate Authority Screen 3 3 Click Next to proceed Netscape displays the next New Certificate Authority screen with choices for using the certificate No choices are checked by default ...

Page 28: ...roceed Netscape displays the next New Certificate Authority screen which lets you choose to have the browser warn you about sending data to the VPN 3002 Figure 1 19 Netscape New Certificate Authority Screen 5 5 Checking the box is optional Doing so means that you get a warning whenever you apply settings on a Manager screen so it is probably less intrusive to manage the VPN 3002 without those warn...

Page 29: ... 147 2 This name appears in the list of installed certificates see Viewing Certificates with Netscape below Click Finish You can now connect to the VPN 3002 using HTTP over SSL HTTPS 7 On the Manager SSL screen Figure 1 2 click the link that says After installing the SSL certificate click here to connect to the VPN 3002 Hardware Client using SSL Depending on how your browser is configured you migh...

Page 30: ... case you might see a Security Information Alert dialog box Proceed to the section Logging into the VPN 3002 Hardware Client Manager to log in as usual Viewing Certificates with Netscape There are at least two ways to examine certificates stored in Netscape Navigator Communicator 4 5 First note the locked padlock icon on the bottom status bar in Figure 1 22 If you click the icon Netscape opens a S...

Page 31: ...ck View Certificate to see details of the specific certificate in use Figure 1 24 Netscape View Certificate Screen Click OK when finished Second you can view all the certificates that are stored in Netscape On the Security Info window select Certificates then Signers The nickname you entered in Step 6 in the section First time Installation identifies the VPN 3002 Hardware Client SSL certificate ...

Page 32: ...3002 private interface IP address for example https 10 10 147 2 The browser displays the VPN 3002 Hardware Client Manager HTTPS login screen A locked padlock icon on the browser status bar indicates an HTTPS session Also this login screen does not include the Install SSL Certificate link Configuring HTTP HTTPS and SSL Parameters HTTP HTTPS and SSL are enabled by default on the VPN 3002 and they ar...

Page 33: ...text HTTP or secure HTTPS Entries are case sensitive With Microsoft Internet Explorer you can select the Tab key to move from field to field other browsers might work differently If you make a mistake click the Clear button and start over The following entries are the factory supplied default entries If you have changed them use your entries Step 1 Click in the Login field and type admin Do not pr...

Page 34: ...sing the VPN 3002 Hardware Client Manager Logging into the VPN 3002 Hardware Client Manager Figure 1 27 Manager Main Welcome Screen From here you can navigate the Manager using either the table of contents in the left frame or the Manager toolbar in the top frame ...

Page 35: ... and password are valid the tunnel is established Individual User Authentication Individual user authentication protects the central site from access by unauthorized persons on the same LAN as the VPN 3002 When you enable individual user authentication each user that connects through a VPN 3002 must open a web browser and manually enter a valid username and password to access the network behind th...

Page 36: ...ardware Client and Individual User Authentication Figure 1 28 VPN 3002 Hardware Client Manager Login Screen Step 1 Click the Connection Login Status button The Connection Login Status screen displays Figure 1 29 Connection Login Status Screen Step 1 Click the Connect Now button The VPN 3002 Interactive Authentication screen displays ...

Page 37: ...Authentication Screen Step 1 Enter the username and password for the VPN 3002 Step 2 Click Connect If you have entered the valid username and password the Connect Login Status screen displays the message that the VPN 3002 is connected Next you authenticate the user Figure 1 31 Connection Login Status Screen Step 1 To authenticate an individual user click Log In Now The Individual User Authenticati...

Page 38: ...for this VPN 3002 user Step 2 Click Login If the username and password you entered are valid the Connection Login Status window displays information about the connection Figure 1 33 Connection Login Status Screen The user behind the VPN 3002 is connected to the VPN Concentrator at the central site Click Go back to the VPN 3002 administrative login page to return to the VPN 3002 Hardware Client Man...

Page 39: ...Understanding the VPN 3002 Hardware Client Manager Window The VPN 3002 Hardware Client Manager window on your browser consists of three frames top left and main and it provides helpful messages and tips as you move the mouse pointer over window items The title bar and status bar also provide useful information Figure 1 34 VPN 3002 Hardware Client Manager Window ...

Page 40: ... open context sensitive online help Help opens in a separate browser window that yo can move or resize as you want Close the help window when you are finished Click the Support tab to open a Manager screen with links to Cisco support and documentation resources Click the Logout tab to log out of the Manager and return to the login screen Logged in username The administrator username you used to lo...

Page 41: ...oot configuration and restores the Save reminder Refresh Click the Refresh icon to refresh update the screen contents on screens where it appears mostly in the Monitoring section The date and time above this reminder indicate when the screen was last updated Reset Click the Reset icon to reset or start anew the screen contents on screens where it appears mostly in the Monitoring section Restore Cl...

Page 42: ...se subordinate sections and titles Clicking on this icon does not change the screen in the main frame Main frame Manager screen The main frame displays the current VPN 3002 Hardware Client Manager screen Many screens include a bullet list of links and descriptions of subordinate sections and titles you can click a link to go to that Manager screen and open subordinate sections and titles in the ta...

Page 43: ...perational Interfaces Ethernet parameters System parameters for system wide functions such as server access IPSec tunneling protocol built in management servers event handling and system identification Policy Management enabling PAT Port Address Translation Administration managing higher level functions that keep the VPN3002 operational and secure such as who is allowed to configure the system wha...

Page 44: ...002 Hardware Client Manager Your primary tool for navigating the VPN 3002 Hardware Client Manager is the table of contents in the left frame Figure 1 35 shows all its entries completely expanded The figure shows the frame in multiple columns but the actual frame is a single column Use the scroll controls to move up and down the frame Figure 1 35 Manager Table of Contents ...

Page 45: ...ction of the Manager lets you configure all VPN 3002 features and functions Quick Configuration the minimal parameters needed to make the VPN 3002 operational For more information use online Help or see the VPN 3002 Hardware Client Getting Started manual available only online Interfaces parameters specific to the private and public interfaces System parameters for system wide functions server acce...

Page 46: ...2 2 VPN 3002 Hardware Client Reference OL 1893 01 Chapter 2 Configuration Configuration ...

Page 47: ...nd PPPoE You configure static routes the default gateway and DHCP in the IP Routing section see the Configuration System IP Routing screens PPPoE requires no further configuration than supplying a username and password in the Public Interface parameter Configuration Interfaces This section lets you configure the private and public interfaces Private is the interface to your private network interna...

Page 48: ...002 interface installed in the system To configure an interface click the appropriate link Ethernet 1 Private Ethernet 2 Public To configure Ethernet interface parameters click the appropriate highlighted link in the table or click in a highlighted module on the back panel image See Configuration Interfaces Private Public DNS Server s To configure DNS Server s click the highlighted link in the tab...

Page 49: ...status Not Configured Present but not configured Waiting for DHCP PPPoE Waiting for DHCP or PPPoE to assign an IP address IP Address The IP address configured on this interface Subnet Mask The subnet mask configured on this interface MAC Address This is the unique hardware MAC Media Access Control address for this interface displayed in 6 byte hexadecimal notation You cannot change this address De...

Page 50: ... the connection and you will have to restart the Manager from the login screen Disabled To make the interface offline click Disabled This state lets you retain or change its configuration parameters If the interface is configured but disabled offline the appropriate Ethernet Link Status LED blinks green on the VPN 3002 front panel Static IP Addressing To change the IP address of the private interf...

Page 51: ... port on the active network device hub switch router etc to which you connect this interface is also set to automatically negotiate the speed Otherwise select the appropriate fixed speed Duplex click the drop down menu button and select the interface transmission mode Auto Let the VPN 3002 automatically detect and set the appropriate transmission mode either full or half duplex default Be sure tha...

Page 52: ...ces Public Screen Disabled To make the interface offline click Disabled This state lets you retain or change its configuration parameters DHCP Client click this radio button if you want to obtain the IP address and subnet mask for this interface via DHCP If you click this button you do not make entries in the IP address and subnet mask parameters that follow PPPoE Client click this radio button if...

Page 53: ...mple 255 255 255 0 The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered For example the IP address 192 168 12 34 is a Class C address and the standard subnet mask is 255 255 255 0 You can accept this entry or change it Note that 0 0 0 0 is not allowed MAC Address This is the unique hardware MAC Media Access Control address for this interface dis...

Page 54: ... negotiate the transmission mode Otherwise select the appropriate fixed mode Full Duplex Fix the transmission mode as full duplex transmits and receives at the same time Half Duplex Fix the transmission mode as half duplex transmits or receives but not at the same time Apply Cancel To apply your settings to this interface and include your settings in the active configuration click Apply The Manage...

Page 55: ...r DNS information for the VPN 3002 Tunneling Protocols configuring IPSec connections IP Routing configuring static routes default gateways and DHCP Management Protocols configuring and enabling built in servers for HTTP HTTPS Telnet SNMP SSL SSH and XML Events handling system events via logs SNMP traps and syslog General identifying the system and setting the time and date See the appropriate chap...

Page 56: ...4 2 VPN 3002 Hardware Client Reference OL 1893 01 Chapter 4 System Configuration Configuration System ...

Page 57: ...tem Servers Screen Configuration System Servers DNS This screen lets you configure the Domain Name System DNS servers for the VPN 3002 DNS servers convert domain names to IP addresses Configuring DNS servers here lets you enter hostnames for example mail01 rather than IP addresses as you configure and manage the VPN 3002 You can configure up to three DNS servers that the system queries in order No...

Page 58: ...before sending them to a DNS server for resolution Primary DNS Server Enter the IP address of the primary DNS server using dotted decimal notation for example 192 168 12 34 Be sure this entry is correct to avoid DNS resolution delays Secondary DNS Server Enter the IP address of the secondary first backup DNS server using dotted decimal notation If the primary DNS server does not respond to a query...

Page 59: ... query to the configured servers in order In other words this is the number of times to cycle through the list of servers before returning an error Minimum is 0 default is 2 maximum is 10 retries Apply Cancel To apply your settings for DNS servers and include the settings in the active configuration click Apply The Manager returns to the Configuration System Servers screen Reminder To save the act...

Page 60: ...5 4 VPN 3002 Hardware Client Reference OL 1893 01 Chapter 5 Servers Configuration System Servers DNS ...

Page 61: ...ticate users and data Manage security keys Encrypt and decrypt data Manage data transfer across the tunnel Manage data transfer inbound and outbound as a tunnel endpoint The VPN 3002 functions as a bidirectional tunnel endpoint It can receive plain packets from the private network encapsulate them create a tunnel and send them to the other end of the tunnel where they are unencapsulated and sent t...

Page 62: ...psulation key management etc These negotiations involve two phases the first phase establishes the tunnel the IKE SA the second phase governs traffic within the tunnel the IPSec SA The VPN 3002 initiates all tunnels with the VPN Concentrator the VPN Concentrator functions only as responder The VPN 3002 as initiator proposes SAs the responder accepts rejects or makes counter proposals all in accord...

Page 63: ...e of the remote server This is the IP address or hostname of the public interface on the VPN Concentrator to which this VPN 3002 connects Use dotted decimal notation for example 192 168 34 56 To enter a hostname a DNS server must be configured Backup Servers To configure IPSec backup servers on the VPN 3002 enter up to 10 backup servers using either IP address or hostname Enter each backup server ...

Page 64: ... hardware clients in the group By default the policy is to use the backup server list configured on the VPN 3002 Alternatively the VPN Concentrator can push a policy that supplies a list of backup servers in order of priority replacing the backup server list on the VPN 3002 if one is configured It can also disable the feature and clear the backup server list on the VPN 3002 if one is configured Fi...

Page 65: ...ckup servers or delete a backup server during an active session between a VPN 3002 and a backup server the session continues without adopting that change New settings take effect the next time the VPN 3002 connects to its primary VPN Concentrator You can configure the backup server feature from the primary VPN Concentrator or the VPN 3002 From the VPN Concentrator configure backup servers on eithe...

Page 66: ...e preshared keys or a PKI Public Key Infrastructure digital identity certificate to authenticate the peer during Phase 1 IKE negotiations See the discussion under Administration Certificate Management which is where you install digital certificates on the VPN 3002 Check the box to use digital certificates Certificate Transmission If you configured authentication using digital certificates choose t...

Page 67: ...password and they must match the username and password configured on the central site VPN Concentrator to which this VPN 3002 connects Name In the User Name field enter a unique name for the user in this group Maximum is 32 characters case sensitive This is the username configured on the central site VPN Concentrator to which this VPN 3002 connects Maximum is 32 characters case sensitive Password ...

Page 68: ...6 8 VPN 3002 Hardware Client Reference OL 1893 01 Chapter 6 Tunneling Configuration System Tunneling Protocols IPSec ...

Page 69: ...ection also includes the system wide DHCP Dynamic Host Configuration Protocol server parameters Configuration System IP Routing This section of the Manager lets you configure system wide IP routing parameters Static Routes manually configured routing tables Default Gateways routes for otherwise unrouted traffic DHCP Dynamic Host Configuration Protocol global parameters DHCP Options facilities that...

Page 70: ...add a new static route click Add The Manager opens the Configuration System IP Routing Static Routes Add screen To modify a configured static route select the route from the list and click Modify The Manager opens the Configuration System IP Routing Static Routes Modify screen If you select the default gateway the Manager opens the Configuration System IP Routing Default Gateways screen To delete ...

Page 71: ...twork IP address using dotted decimal notation for example 255 255 255 0 The subnet mask indicates which part of the IP address represents the network and which part represents hosts The router subsystem looks at only the network part The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered For example the IP address 192 168 12 0 is a Class C addres...

Page 72: ...ply your changes to a static route click Apply Both actions include your entries in the active configuration The Manager returns to the Configuration System IP Routing Static Routes screen Any new route appears at the bottom of the Static Routes list Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard y...

Page 73: ... not on the public network Metric Enter the metric or cost for the route to the default gateway Use a number from 1 to 16 where 1 is the lowest cost The routing subsystem always tries to use the least costly route For example if this route uses a low speed line you might assign a high metric so the system will use it only if all high speed routes are unavailable Apply Cancel To apply the settings ...

Page 74: ...lid on a particular network Figure 7 5 Configuration System IP Routing DHCP Screen Enabled Check the box to enable the DHCP server functions on the VPN 3002 The box is checked by default To use DHCP address assignment you must enable DHCP functions here Lease Timeout Enter the timeout in minutes for addresses that are obtained from the DHCP server Minimum is 5 default is 120 maximum is 500000 minu...

Page 75: ... to the Configuration System IP Routing screen Configuration System IP Routing DHCP Options This section lets you configure DHCP options Figure 7 6 Configuration System IP Routing DHCP Options Screen DHCP Option DHCP Options are facilities that allow the VPN 3002 DHCP server to respond to configurable parameters for specific kinds of devices such as PCs IP telephones print servers etc as well as a...

Page 76: ...on click the Save Needed icon at the top of the Manager window Configuration System IP Routing DHCP Options Add or Modify These screens let you Add a new DHCP option to the list of DHCP options this VPN 3002 uses Modify a configured DHCP option Figure 7 7 Configuration System IP Routing DHCP Options Add Screen DHCP Option Use the pull down menu to the DHCP Options field to select the option you wa...

Page 77: ...HCP Options Subnet Mask option 1 Router option 3 Domain Name Server option 6 Domain Name option 15 NetBios Name Server WINS option 44 You configure these values on the central site VPN Concentrator for the group to which the VPN 3002 Hardware Client belongs As is the case for all group configuration parameters the central site VPN Concentrator pushes these values to the VPN 3002 over the tunnel ...

Page 78: ...7 10 VPN 3002 Hardware Client Reference OL 1893 01 Chapter 7 IP Routing Configuration System IP Routing DHCP Options Add or Modify ...

Page 79: ...m Management Protocols This section of the Manager lets you configure and enable built in VPN 3002 servers that provide management functions using HTTP HTTPS Hypertext Transfer Protocol and HTTP over SSL Secure Sockets Layer protocol Telnet terminal emulation protocol and Telnet over SSL SNMP Simple Network Management Protocol SNMP Community Strings identifiers for valid SNMP clients SSL Secure So...

Page 80: ... can reconnect with the other protocol if it is enabled and configured If you disable both HTTP and HTTPS you cannot use a Web browser to connect to the VPN 3002 Use the Cisco command line interface from the console or a Telnet session Related information For information on installing the SSL digital certificate in your browser and connecting via HTTPS see Chapter 1 Using the VPN 3002 Hardware Cli...

Page 81: ...imum Sessions Enter the maximum number of concurrent combined HTTP and HTTPS sessions users that the server allows Minimum is 1 default is 4 maximum is 10 Apply Cancel To apply your HTTP HTTPS server settings to include your settings in the active configuration and to break the current HTTP HTTPS connection click Apply If HTTP or HTTPS is still enabled the Manager returns to the main login screen ...

Page 82: ...ommand Line Interface CLI via Telnet Telnet server login usernames and passwords are the same as those enabled and configured on the Administration Access Rights Administrators screens Telnet SSL uses a secure encrypted connection This enabled by default for Telnet SSL clients See the Configuration System Management Protocols SSL screen to configure SSL parameters See the Administration Certificat...

Page 83: ...e well known port number Maximum Connections Enter the maximum number of concurrent combined Telnet and Telnet SSL connections that the server allows Minimum is 1 default is 5 maximum is 10 Apply Cancel To apply your Telnet settings and to include the settings in the active configuration click Apply The Manager returns to the Configuration System Management Protocols screen Reminder To save the ac...

Page 84: ...ions see Configuration System Events General and Trap Destinations For those functions the VPN 3002 acts as an SNMP client Figure 8 6 Configuration System Management Protocols SNMP Screen Enable SNMP Check the box to enable SNMP The box is checked by default Disabling SNMP provides additional security SNMP Port Enter the port number that SNMP uses The default is 161 which is the well known port nu...

Page 85: ...ration System Management Protocols SNMP Communities This section of the Manager lets you configure and manage SNMP community strings which identify valid communities from which the SNMP agent accepts requests A community string is like a password it validates messages between an SNMP manager and the agent To use the VPN 3002 SNMP agent you must configure and add at least one community string You c...

Page 86: ...NMP Communities Modify screen To delete a configured community string select the string from the list and click Delete There is no confirmation or undo The Manager refreshes the screen and shows the remaining entries in the list Reminder The Manager immediately includes your changes in the active configuration To save the active configuration and make it the boot configuration click the Save Neede...

Page 87: ...his community string click Apply Both actions include your entry in the active configuration The Manager returns to the Configuration System Management Protocols SNMP Communities screen a new entry appears at the bottom of the Community Strings list Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard yo...

Page 88: ...02 an SSL certificate that has been issued in a PKI context This certificate must then be installed in the client for HTTPS Telnet does not usually require it You need to install the certificate from a given VPN 3002 only once The default SSL settings should suit most administration tasks and network security requirements We recommend that you not change them without good reason Note To ensure the...

Page 89: ...ecure option DES 56 SHA DES encryption with a 56 bit key and the SHA 1 hash function RC4 40 MD5 Export RC4 encryption with a 128 bit key 40 bits of which are private and the MD5 hash function This option is available in the non U S versions of many SSL clients DES 40 SHA Export DES encryption with a 56 bit key 40 bits of which are private and the SHA 1 hash function This option is available in the...

Page 90: ... Hello The server insists on TLS Version 1 but accepts an initial SSL Version 2 Hello At present only Microsoft Internet Explorer 5 0 supports this option Generated Certificate Key Size Click the drop down menu button and select the size of the RSA key that the VPN 3002 uses in its self signed generated SSL server certificate A larger key size increases security but it also increases the processin...

Page 91: ...tion The SSH server supports SSH1 protocol version 1 5 which uses two RSA keys for security All communication over the connection is encrypted To provide additional security the remote client authenticates the server and the server authenticates the client At the start of an SSH session the VPN 3002 sends both a host key and a server key to the client which responds with a session key that it gene...

Page 92: ...is period Minimum is 0 which disables key regeneration default is 60 minutes and maximum is 10080 minutes 1 week Note Use 0 disable key regeneration only for testing since it lessens security Encryption Algorithms Check the boxes for the encryption algorithms that the VPN 3002 SSH server can negotiate with a client and use for session encryption All algorithms are checked by default You must check...

Page 93: ...configuration click Apply The Manager returns to the Configuration System Management Protocols screen Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your settings click Cancel The Manager returns to the Configuration System Management Protocols screen Figure 8 15 Configuration System Management Pro...

Page 94: ...eck box To reenable the XML option click the check box On this screen you can also configure the VPN 3002 to enable HTTPS or SSH or both on the public interface and to lock the XML interface to a specific HTTPS or SSH IP address Figure 8 16 Configuration System Management Protocols XML Screen Enable XML Check the Enable check box the default to enable the XML management capability You must also en...

Page 95: ...mple entering 0 0 0 0 matches the specified address entering 255 255 255 255 matches all addresses Enable SSH on Public Check the Enable SSH on Public check box to allow XML management over Secure Shell SSH on the VPN 3002 public interface SSH IP Address Enter the IP address from which to allow SSH access on the VPN 3002 public interface SSH Wildcard mask Enter the wildcard mask for the SSH IP add...

Page 96: ...8 18 VPN 3002 Hardware Client Reference OL 1893 01 Chapter 8 Management Protocols Configuration System Management Protocols XML ...

Page 97: ...l Event Class Event class denotes the source of the event and refers to a specific hardware or software subsystem within the VPN 3002 Table 9 1 describes the event classes Table 9 1 Event Classes Class Name Class Description Event Source Cisco specific Event Class AUTH Authentication AUTHDBG Authentication debugging AUTHDECODE Authentication protocol decoding AUTOUPDATE Autoupdate subsystem CAPI C...

Page 98: ...ding IPSEC IP Security subsystem IPSECDBG IP Security debugging IPSECDECODE IP Security decoding LBSSF Load Balancing Secure Session Failover subsystem MIB2TRAP MIB II trap subsystem SNMP MIB II traps PPP PPP subsystem PPPDBG PPP debugging PPPDECODE PPP decoding PPPoE PPPoE subsystem PSH Operating system command shell PSOS Embedded real time operating system QUEUE System queue REBOOT System reboot...

Page 99: ...performance since more system resources are used to log and handle these events Note The Debug 7 9 and Packet Decode 10 13 severity levels are intended for use by Cisco engineering and support personnel We recommend that you avoid logging these events unless Cisco requests it The VPN 3002 by default displays all events of severity level 1 through 3 on the console It writes all events of severity l...

Page 100: ... events when the log is full For the event log you can configure which event classes and severity levels to log Note The VPN 3002 automatically saves the log file if it crashes and when it is rebooted This log file is named SAVELOG TXT and it overwrites any existing file with that name The SAVELOG TXT file is useful for debugging Event Log Data Each entry record in the event log consists of severa...

Page 101: ...diting management accounting and troubleshooting Figure 9 1 Configuration System Events Screen Configuration System Events General This Manager screen lets you configure the general or default handling of all events These defaults apply to all event classes You can override these default settings by configuring specific events for special handling on the Configuration System Events Classes screens...

Page 102: ...enerated the event For example 3 12 06 1999 14 37 06 680 SEV 4 HTTP 47 RPT 17 10 10 1 35 New administrator login admin Cisco IOS Compatible Event format that is compatible with Cisco syslog management applications Each entry in the event log is one line consisting of the following fields Sequence Date Time TimeZone TimeZoneOffset Class Severity Number RPT RepeatCount String Sequence The sequence n...

Page 103: ...y to Console Click the drop down menu button and select the range of event severity levels to display on the console by default The choices are None 1 1 2 1 3 1 13 The default is 1 3 if you choose this range all events of severity level 1 through severity level 3 are displayed on the console Severity to Syslog Click the drop down menu button and select the range of event severity levels to send to...

Page 104: ...System Events screen Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your settings click Cancel The Manager returns to the Configuration System Events screen Configuration System Events Classes This section of the Manager lets you add configure modify and delete specific event classes for special ha...

Page 105: ...me If no classes have been configured for special handling the list shows Empty Add Modify Delete To configure and add a new event class for special handling click Add See Configuration System Events Classes Add To modify an event class that has been configured for special handling select the event class from the list and click Modify See Configuration System Events Classes Modify To remove an eve...

Page 106: ...ss you are modifying You cannot change this field All subsequent parameters on this screen apply to this event class only Enable Check this box to enable the special handling of this event class The box is checked by default Clearing this box lets you set up the parameters for the event class but activate it later or temporarily disable special handling without deleting the entry The Configured Ev...

Page 107: ...the Syslog Format on the Configuration System Events General screen Severity to Trap Click the drop down menu button and select the range of event severity levels to send to an SNMP network management system Event messages sent to SNMP systems are called traps The choices are None 1 1 2 1 3 1 4 1 5 The default is None if you choose this range no events are sent as SNMP traps If you select any seve...

Page 108: ...own SNMP traps see Table 9 4 under Severity to Trap for Configuration System Events General To have an SNMP based network management system NMS receive any events you must also configure the NMS to see the VPN 3002 as a managed device or agent in the NMS domain Figure 9 5 Configuration System Events Trap Destinations Screen Trap Destinations The Trap Destinations list shows the SNMP network manage...

Page 109: ...estination system for event trap messages Modify Modify a configured SNMP destination system for event trap messages Figure 9 6 Configuration System Events Trap Destinations Add Screen Destination Enter the IP address or hostname of the SNMP network management system that is a destination for event trap messages If you have configured a DNS server you can enter a hostname otherwise enter an IP add...

Page 110: ...ve Needed icon at the top of the Manager window To discard your settings click Cancel The Manager returns to the Configuration System Events Trap Destinations screen and the Trap Destinations list is unchanged Configuration System Events Syslog Servers This section of the Manager lets you configure UNIX syslog servers as recipients of event messages Syslog is a UNIX daemon or background process th...

Page 111: ...onfiguration System Events Syslog Servers Add To modify a syslog server that has been configured select the server from the list and click Modify See Configuration System Events Syslog Servers Modify To remove a syslog server that has been configured select the server from the list and click Delete There is no confirmation or undo The Manager refreshes the screen and shows the remaining entries in...

Page 112: ...er a hostname otherwise enter an IP address Port Enter the UDP port number by which you access the syslog server Use a decimal number from 0 to 65535 The default is 514 which is the well known port number Facility Click the drop down menu button and select the syslog facility tag for events sent to this server The facility tag lets the syslog server sort messages into different files or destinatio...

Page 113: ...tions include your entry in the active configuration The Manager returns to the Configuration System Events Syslog Servers screen Any new server appears in the Syslog Servers list Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your entries click Cancel The Manager returns to the Configuration Syste...

Page 114: ...9 18 VPN 3002 Hardware Client Reference OL 1893 01 Chapter 9 Events Configuration System Events Syslog Servers Add or Modify ...

Page 115: ...clude VPN 3002 environment items system identification time and date Configuration System General This section of the Manager lets you configure general VPN 3002 parameters Identification system name contact person system location Time and Date system time and date Figure 10 1 Configuration System General Screen ...

Page 116: ...em name that uniquely identifies this VPN 3002 on your network for example VPN01 Maximum 255 characters Contact Enter the name of the contact person who is responsible for this VPN 3002 Maximum 255 characters Location Enter the location of this VPN 3002 Maximum 255 characters Apply Cancel To apply your system identification settings and include them in the active configuration click Apply The Mana...

Page 117: ... VPN 3002 however In the appropriate fields make any changes The fields are in order Hour Minute Second Month Day Year Time Zone Click the drop down menu buttons to select Month and Time Zone The time zone selections are offsets in hours relative to GMT Greenwich Mean Time which is the basis for Internet time synchronization Enter the Year as a four digit number Enable DST Support To enable DST su...

Page 118: ...iguration System General Time and Date Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manager window To discard your settings click Cancel The Manager returns to the Configuration System General screen ...

Page 119: ...behind the IKE peer with a single source IP address This IP address is the one the central site VPN Concentrator assigns to the VPN 3002 The IP addresses of the computers on the VPN 3002 private network are hidden You cannot ping or access a device on the VPN 3002 private network from outside of that private network or directly from a device on the private network at the central site In client mod...

Page 120: ...etwork to the remote private network over the VPN tunnel IPSec encapsulates all traffic from the VPN 3002 private network to networks behind the central site VPN Concentrator PAT does not apply Therefore devices behind the VPN Concentrator have direct access to devices on the VPN 3002 private network over the tunnel and only over the tunnel and vice versa The VPN 3002 must initiate the tunnel but ...

Page 121: ...ble over the tunnel but are protected from the Internet that is they cannot be accessed directly VPN 3000 Series Concentrator Settings Required for Network Extension Mode For the VPN 3002 to use Network Extension mode these are the requirements for the central site VPN Concentrator 1 The VPN Concentrator at the central site must be running Software version 3 0 or later 2 Configure a group to which...

Page 122: ...nable interactive hardware client authentication the tunnel establishes when you perform the following steps Step 1 In the VPN 3002 Hardware Client login screen click the Connection Login Status button The Connection Login screen displays Step 2 Click Connect Now Step 3 Enter the username and password for the VPN 3002 See the section Logging In With Interactive Hardware Client and Individual User ...

Page 123: ...gement To enable or disable PAT click Traffic Management Configuration Policy Management Traffic Management The Manager displays the Configuration Policy Management Traffic Management screen Figure 11 2 Configuration Policy Management Traffic Management Screen Mode Tunneling Policy VPN 3002 Can Send Data First Central Site VPN Concentrator Can Send Data First after VPN 3002 initiates the tunnel PA...

Page 124: ...guration Policy Management Traffic Management PAT Screen PAT mode provides many to one translation that is it translates many private network addresses to the single address configured on the public network interface Enable To enable PAT click Enable Configuration Policy Management Traffic Management PAT Enable This screen lets you enable or disable PAT which applies PAT to all configured traffic ...

Page 125: ...u do not change the IP address of the private interface you can not disable PAT Apply Cancel To enable or disable PAT and include your setting in the active configuration click Apply The Manager returns to the Configuration Policy Management Traffic Management PAT screen Reminder To save the active configuration and make it the boot configuration click the Save Needed icon at the top of the Manage...

Page 126: ...11 8 VPN 3002 Hardware Client Reference OL 1893 01 Chapter 11 Policy Management Configuration Policy Management Traffic Management PAT Enable ...

Page 127: ... for VPN 3002 shutdown and reboot Ping use ICMP ping to determine connectivity Access Rights configure administrator profiles access and sessions Administrators configure administrator usernames passwords and rights Access Settings set administrative session idle timeout and limits Config File Management manage configuration files View Configuration Files view the configuration file currently on t...

Page 128: ... history files and location bar references Note The VPN 3002 has two locations for storing image files the active location which stores the image currently running on the system and the backup location Updating the image overwrites the stored image file in the backup location and makes it the active location for the next reboot Updating twice therefore overwrites the image file in the active locat...

Page 129: ...on Minor Version Patch Version bin for example vpn3002 3 5 Rel k9 bin The Major and Minor Version numbers are always present the Sustaining and Patch Version numbers are present only if needed Be sure you select the correct file for your VPN 3002 otherwise the update will fail Upload Cancel To upload the new image file to the VPN3002 click Upload To cancel your entries on this screen or to stop a ...

Page 130: ...n it completes the software upload and verifies the integrity of the software To go to the Administration System Reboot screen click the highlighted link We strongly recommend that you clear your browser cache after you update the software image delete all the temporary internet files history files and location bar references Figure 12 4 Administration Software Update Success Screen Software Updat...

Page 131: ...login screen The browser might appear to hang during a reboot that is you cannot log in and you must wait for the reboot to finish You can log back in while the VPN 3002 is in a shutdown state before you turn power off If a delayed reboot or shutdown is pending the Manager also displays a message that describes when the action is scheduled to occur Note Reboot or shutdown that does not wait for se...

Page 132: ...hutdown terminates all sessions and prevents new user sessions but not administrator sessions While the system is in a shutdown state the SYS LEDs blink on the front panel Cancel a scheduled reboot shutdown Cancel a reboot or shutdown that is waiting for a certain time or for sessions to terminate This is the default selection if a reboot or shutdown is pending Configuration Click a radio button t...

Page 133: ... 24 hour clock Enter the desired time in the field Use 24 hour notation and enter numbers in all positions The default is 10 minutes after the current system time Wait for sessions to terminate do not allow new sessions Reboot or shutdown as soon as the last session terminates and do not allow any new sessions in the meantime If you the administrator are the last session you must log out for the s...

Page 134: ...l The Manager returns to the main Administration screen Success Ping If the system is reachable the Manager displays a Success screen with the name of the tested host Figure 12 8 Administration Ping Success Screen Continue To return to the Administration Ping screen click Continue Error Ping If the system is unreachable for any reason host down ICMP not running on host route not configured interme...

Page 135: ...ministrative session timeout and limits Figure 12 10 Administration Access Rights Screen Administration Access Rights Administrators Administrators are special users who can access and change the configuration administration and monitoring functions on the VPN 3002 Only administrators can use the VPN 3002 Hardware Client Manager This section of the Manager lets you change administrator properties ...

Page 136: ... system loses power These settings are also retained even if you reboot the system with the factory configuration file Password Enter or edit the unique password for this administrator Maximum is 31 characters The field displays only asterisks Note The default password that Cisco supplies is the same as the username We strongly recommend that you change this password Verify Re enter the password t...

Page 137: ...link on a screen that is when you invoke a different screen Entering values or setting parameters on a given screen does not reset the timer Session Limit Enter the maximum number of simultaneous administrative sessions allowed Minimum is 1 default is 10 and maximum is 50 sessions Encrypt Config File To encrypt sensitive entries in the CONFIG file check the box default The CONFIG file is in ASCII ...

Page 138: ... file Some browser versions default to saving the file as an HTM file so you may need to change the file type Saving the file as an HTM file causes some data to be added to the top of the configuration file that is not valid configuration data If you subsequently upload the file containing the invalid data to the VPN Concentrator or VPN 3002 it may cause unpredictable results Alternatively you can...

Page 139: ...ile with the backup configuration file Every time you save the active configuration the system writes it to the CONFIG file which is the boot configuration file and it saves the previous CONFIG file as CONFIG BAK the backup configuration file To reload the boot configuration file and make it the active configuration you must reboot the system When you click OK the system automatically goes to the ...

Page 140: ...ation Access Rights Administrators screen Figure 12 15 Administration File Management Config File Upload Screen Local Config File Browse Enter the name of the file on your PC In a Windows environment enter the complete pathname using MS DOS syntax for example c vpn3002 config0077 You can also click the Browse button to open a file navigation window find the file and select it Upload Cancel To uplo...

Page 141: ... Administration Config File Management View screen and examine files in flash memory click the highlighted link File Upload Error The Manager displays this screen if there was an error during the file upload and the transfer was not successful Flash memory might be full or the file transfer might have been interrupted or cancelled Figure 12 18 Administration Config File Management Upload Error Scr...

Page 142: ...xt SSL certificate and vice versa Enrolling and Installing Digital Certificates To obtain a digital certificate for the VPN 3002 you must first enroll with a CA To enroll with a CA create an enrollment request and submit it to your CA The CA enrolls the VPN 3002 into the PKI and issues you a certificate Once you have the certificate you then have to install it on the VPN 3002 Note You must first i...

Page 143: ...f generating the request If you do not the pending request is deleted Installing CA Certificates Automatically Using SCEP If you plan to use SCEP to enroll for identity or SSL certificates you must obtain the associated CA certificate using SCEP The Manager does not let you enroll for a certificate from a CA unless that CA was installed using SCEP A certificate that is obtained via SCEP and theref...

Page 144: ...agement Install CA Certificate screen See Figure 12 20 Figure 12 20 Administration Certificate Management Install CA Certificate Step 3 Click SCEP Simple Certificate Enrollment Protocol The Manager displays the Administration Certificate Management Install CA Certificate SCEP screen See Figure 12 21 Figure 12 21 The Administration Certificate Management Install CA Certificate SCEP Screen Step 4 Fi...

Page 145: ...able from this window only when no CA certificates are installed on the VPN 3002 If you do not see this option click Click here to install a certificate The Manager displays the Administration Certificate Management Install screen Then click Install CA Certificate The Manager displays the Administration Certificate Management Install CA Certificate screen See Figure 12 22 Figure 12 22 Administrati...

Page 146: ...3002 is located for example San Jose Spaces are allowed State Province SP Yes Yes The state or province where this VPN 3002 is located for example California Spell the name out completely do not abbreviate Spaces are allowed Country C Yes Yes The country where this VPN 3002 is located for example US Use two characters no spaces and no periods This two character code must conform to ISO 3166 countr...

Page 147: ...s sufficient security and is the default selection It is the most common and requires the least processing RSA 768 bits Generate 768 bit keys using the RSA algorithm This key size provides normal security It requires approximately 2 to 4 times more processing than the 512 bit key RSA 1024 bits Generate 1024 bit keys using the RSA algorithm This key size provides high security and it requires appro...

Page 148: ...dentity Certificate screen See Figure 12 24 Figure 12 24 Administration Certificate Management Enroll Identity Certificate Screen Notice that a link appears corresponding to each SCEP enabled CA certificate on the VPN 3002 The title of the link depends on the name of the CA certificate Enroll via SCEP at Certificate Name For example if you have a CA certificate on your VPN 3002 named TestCA6 8 the...

Page 149: ...e CA responds or the process times out For information on configuring the polling limit and interval see the Administration Certificate Management Configure CA Certificate screen The certificate request appears in the Enrollment Status table on the Administration Certificate Management screen until the CA responds Once the CA responds and issues the certificate the VPN 3002 checks to see if it alr...

Page 150: ...send this enrollment request to your chosen CA Request an identity certificate from your CA and download it to your PC Again using the Manager install the identity certificate on the VPN 3002 Follow these steps to generate a certificate enrollment request PKCS 10 Step 1 Using the Manager display the Administration Certificate Management screen See Figure 12 19 Step 2 Click Click here to enroll wit...

Page 151: ...cate PKCS10 Screen Step 5 Fill in the fields and click Enroll For information on the fields on this screen see Table 12 1 The Manager displays the Administration Certificate Management Enrollment Request Generated screen See Figure 12 28 Figure 12 28 Administration Certificate Management Enrollment Request Generated Screen Step 6 Copy the enrollment request to the clipboard ...

Page 152: ...displays the Administration Certificate Management Install screen See Figure 12 29 Figure 12 29 Administration Certificate Management Install Screen Step 10 Click Install certificate obtained via enrollment The Manager displays the Administration Certificate Management Install Certificate Obtained via Enrollment screen See Figure 12 30 Figure 12 30 Administration Certificate Management Install Cer...

Page 153: ... installation method Cut Paste Text or Upload File from Workstation Step 13 The Manager displays a screen appropriate to your choice Include the certificate information according to your chosen method Click Install The Manager installs the identity certificate on the VPN 3002 and displays the Administration Certificate Management screen Your new identity Certificate appears in the Identity Certifi...

Page 154: ...e table The new certificate appears in the SSL Certificate table replacing the existing one If you want to obtain a verifiable SSL certificate that is one issued by a CA follow the same procedure you used to obtain identity certificates See the Enrolling and Installing Identity Certificates section But this time on the Administration Certificate Management Enroll screen click SSL certificate inste...

Page 155: ...ined you must enable authentication using digital certificates Step 1 Display the Configuration System Tunneling Protocols IPSec screen See Figure 12 32 Figure 12 32 Configuration System Tunneling Protocols IPSec Screen Step 2 Check the Use Certificate check box Step 3 Select a Certificate Transmission option If you want the VPN 3002 to send the peer the identity certificate and all issuing certif...

Page 156: ...A if it is the issuer of another installed certificate or if it is referenced in an active certificate request Follow these steps to delete certificates Step 1 Display the Administration Certificate Management screen See Figure 12 19 Step 2 Find the certificate you want to delete and click Delete The Administration Certificate Management Delete screen appears Figure 12 33 Administration Certificat...

Page 157: ...CA Certificate Note The Click here to install a CA certificate option is only available from this window when no CA certificates are installed on the VPN 3002 If you do not see this option click Click here to install a certificate The Manager displays the Administration Certificate Management Install Then click Install CA Certificate To create an SSL or identity certificate enrollment request clic...

Page 158: ...xpiration date of the certificate The date format is MM DD YYYY SCEP Issuer In order for a certificate to be available for SCEP enrollment it must be installed via SCEP This field indicates if the certificate is SCEP enabled Yes This certificate can issue identity and SSL certificates via SCEP No This certificate cannot issue certificates via SCEP Note If you want to use a certificate for SCEP enr...

Page 159: ... SSL server certificate installed either a self signed certificate or one issued in a PKI context To generate a self signed SSL server certificate click Generate The system uses parameters set on the Configuration System Management Protocols SSL screen and generates the certificate The new certificate replaces any existing SSL certificate For a description of the fields in this table see the Certi...

Page 160: ...EP enrollment it must be installed via SCEP This field indicates if the certificate is SCEP enabled Yes This certificate can issue identity and SSL certificates via SCEP No This certificate cannot issue certificates via SCEP Note If you want to use a certificate for SCEP enrollment but that certificate is not SCEP enabled reinstall it using SCEP Actions This column allows you to manage particular ...

Page 161: ...l option to delete all enrollment requests of a particular status Errored Delete all enrollment requests with the status Error Timed out Delete all enrollment requests with the status Timed out Rejected Delete all enrollment requests with the status Rejected Cancelled Delete all enrollment requests with the status Cancelled Fields These fields appear in the Enrollment Status table Field Content Su...

Page 162: ...led while the VPN 3002 was in polling mode Complete The CA has fulfilled the renewal request To bring this new certificate into service click Activate Error An error occurred during the enrollment process Enrollment was stopped Submitting The certificate request is being sent to the CA Actions This column allows you to manage enrollments requests The actions available vary with the type and status...

Page 163: ...tificate Figure 12 35 Administration Certificate Management Enroll Screen Identity Certificate Click Identity Certificate to create a certificate request for an identity certificate The Manager displays the Administration Certificate Management Enroll Identity Certificate screen SSL Certificate Click SSL Certificate to create a certificate request for an SSL certificate The Manager displays the Ad...

Page 164: ...ficate Authorities table on the Administration Certificate Management screen Yes in the SCEP Issuer column indicates that the CA certificate was installed using SCEP No indicates it was installed manually If no CA certificate on the VPN 3002 was installed using SCEP then no Enroll via SCEP at Name of SCEP CA link appears on this screen You do not have the option of using SCEP to enroll the certifi...

Page 165: ...2 Figure 12 37 Administration Certificate Management Enroll Identity Certificate via PKCS10 Screen Fields For an explanation of each of the fields on this screen see Table 12 1 on page 12 20 Enroll Cancel To generate the certificate request click Enroll The Manager displays the Administration Certificate Management Enrollment Request Generated screen See Figure 12 38 with the text of your certific...

Page 166: ...to send a file use the method your CA requires In generating the request the system also generates the private key used in the PKI process That key remains on the VPN 3002 and it is not visible Note You must complete the enrollment and certificate installation process within one week of generating the request Figure 12 38 Administration Certificate Management Enrollment Request Generated Screen To...

Page 167: ...cate Installation The Manager displays the Administration Certificate Management Install screen Administration Certificate Management Enroll Identity Certificate SCEP To generate an enrollment request for an identity certificate you need to provide information about the VPN 3002 Figure 12 39 Administration Certificate Management Enroll Identity Certificate SCEP Screen Fields For an explanation of ...

Page 168: ...stration Certificate Management Enrollment Request Generated screen See Figure 12 38 To discard your entries and cancel the request click Cancel The Manager returns to the Administration Certificate Management screen See Figure 12 19 Administration Certificate Management Enroll SSL Certificate SCEP To generate an enrollment request for an SSL certificate you need to provide information about the V...

Page 169: ...e VPN 3002 click Enroll The Manager displays the Administration Certificate Management Enrollment Request Generated screen If there is already an active request for an SSL certificate this error message appears To return to the Administration Certificate Management Enroll SSL Certificate SCEP screen click Retry the operation To return to the Main screen click Return to main menu Cancel To discard ...

Page 170: ...L Certificate with Private Key Some web servers export their SSL certificates with the private key attached If you have a PEM encoded certificate with a corresponding private key that you want to install click Install SSL Certificate with Private Key The Manager displays the Administration Certificate Management Install SSL Certificate with Private Key screen Install Certificate Obtained via Enrol...

Page 171: ...led certificate Figure 12 42 Administration Certificate Management Install Certificate Obtained via Enrollment Screen Enrollment Status Table For a description of the fields in this table see the Enrollment Status Table section on page 12 35 Go back and choose a different type of certificate If you do not want to install a certificate that you have obtained via filing an enrollment request with yo...

Page 172: ...n Certificate Management Install CA Certificate SCEP screen See Figure 12 44 Cut Paste Text If you want to cut and paste the certificate using a browser window click Cut Paste Text The Manager displays the Administration Certificate Management Install Certificate Type Cut Paste Text screen See Figure 12 45 Upload File from Workstation If your CA certificate is stored in a file click Upload File fr...

Page 173: ...istration Certificate Management Install CA Certificate SCEP Screen URL Enter the URL of the SCEP interface of the CA CA Descriptor Some CAs use descriptors to further identify the certificate If your CA gave you a descriptor enter it here Otherwise enter a descriptor of your own You must enter something in this field Retrieve Cancel To retrieve a CA certificate from the CA and install it on the V...

Page 174: ... Install CA Certificate Cut and Paste Text Screen Certificate Text Paste the PEM or base 64 encoded certificate text from the clipboard into this window If you are installing an SSL certificate with a private key include the encrypted private key Password Note This field appears only if you are installing an SSL certificate with a private key Enter a password for decrypting the private key Install...

Page 175: ...rom Workstation Screen Filename Browse Enter the name of the CA certificate file that is on your PC In a Windows environment enter the complete pathname using MS DOS syntax for example c Temp certnew cer You can also click the Browse button to open a file navigation window find the file and select it Password Note This field appears only if you are installing an SSL certificate with a private key ...

Page 176: ...rtificate on the Administration Certificate Management Certificates screen The details vary depending on the certificate content The content and format for certificate details are governed by ITU International Telecommunication Union X 509 standards specifically RFC 2459 The Subject and Issuer fields conform to ITU X 520 This screen is read only you cannot change any information here Figure 12 47 ...

Page 177: ...PS as part of its validation OU Organizational Unit the subgroup within the organization O O Organization the name of the company institution agency association or other entity L Locality the city or town where the organization is located SP State Province the state or province where the organization is located C Country the two letter country abbreviation These codes conform to ISO 3166 country a...

Page 178: ...SS Time uses 24 hour notation and is local system time The Manager checks the validity against the VPN 3002 system clock and it flags expired certificates in event log entries Subject Alternative Name Fully Qualified Domain Name The fully qualified domain name for this VPN 3002 that identifies it in this PKI The alternative name is an optional additional data field in the certificate and it provid...

Page 179: ...istration Certificate Management screen SCEP Configuration Enrollment URL Enter the URL where the VPN 3002 should send SCEP enrollment requests made to this CA certificate The default value of this field is the URL used to download this CA certificate Polling Interval If the CA does not issue the certificate immediately some CAs require manual verification of credentials and this can take time the...

Page 180: ... Administration Certificate Management screen Administration Certificate Management Renewal Certificate renewal is a shortcut that allows you to generate an enrollment request based on the content of an existing certificate When you renew a certificate via SCEP the new certificate does not automatically overwrite the original certificate It remains in the Enrollment Request table until the adminis...

Page 181: ...Enroll using the manual process Certificate Name via SCEP Enroll automatically using this SCEP CA Challenge Password Your CA might have given you a password as a means of verifying your identity If you have a password from your CA enter it here If you did not receive a password from your CA choose a password now You can use this password in the future to identify yourself to your CA Verify Challen...

Page 182: ...tificate Polling The CA has pended the approval request or CA is unavailable Error There has been an error processing the enrollment request Go to Certificate Management If you want to view the certificate request click Go to Certificate Management The Manager displays the Administration Certificate Management screen See Figure 12 19 Go to Certificate Enrollment If you want to enroll another certi...

Page 183: ...details as on the Administration Certificate Management View screen Please note You must delete CA certificates from the bottom up server identity first then subordinate CA then root CA certificates last Otherwise the Manager displays an error message If the certificate is in use by an SA or referenced in an active enrollment request the Manager displays an error message Figure 12 50 Administratio...

Page 184: ...dministration Certificate Management screen and shows the remaining certificates To retain this certificate click No The Manager returns to the Administration Certificate Management screen and the certificates are unchanged Administration Certificate Management View Enrollment Request This screen allows you to view the details of an enrollment request Figure 12 51 Administration Certificate Manage...

Page 185: ...a HTTPS as part of its validation OU Organizational Unit the subgroup within the organization O O Organization the name of the company institution agency association or other entity L Locality the city or town where the organization is located SP State Province the state or province where the organization is located C Country the two letter country abbreviation These codes conform to ISO 3166 coun...

Page 186: ...request and allows you to cancel it You can cancel only a SCEP enrollment request and you can do so only when the request is in polling mode Once a request is cancelled you can then remove it re submit it or view its details Figure 12 52 Administration Certificate Management Cancel Enrollment Request Screen Enrollment Type The type of enrollment initial re enroll or re key Enrollment Method The me...

Page 187: ...ration Certificate Management screen To retain this enrollment request click No The Manager returns to the Administration Certificate Management screen and the enrollment requests are unchanged Administration Certificate Management Delete Enrollment Request This screen shows you details of the enrollment request and allows you to delete it Deleting an enrollment request removes it from the Enrollm...

Page 188: ...est see the Enrollment Request Fields section on page 12 59 Yes No To delete this enrollment request click Yes Note There is no undo The Manager returns to the Administration Certificate Management screen and shows the remaining enrollment requests To retain this enrollment request click No The Manager returns to the Administration Certificate Management screen and the enrollment requests are unch...

Page 189: ...d event logs Routing Table current valid routes protocols and metrics Filterable Event Log current event log in memory filterable by event class severity IP address etc Live Event Log current event log continuously updated System Status current software revisions uptime network interfaces and connection status General Statistics IPSec HTTP Telnet DNS SSL DHCP SSH PPPoE NAT and MIB II statistics fo...

Page 190: ...e routing table which shows only the best routes with duplicates removed Address The packet destination IP address that this route applies to This address is combined with the subnet mask to determine the destination route 0 0 0 0 indicates the default gateway Mask The subnet mask for the destination IP address in the Address field 0 0 0 0 indicates the default gateway Next Hop For remote routes t...

Page 191: ...t wraps when it is full that is entry 257 overwrites entry 1 etc Use the scroll controls if present to display more events in the log To configure event handling see the Configuration System Events screens To Get Save or Clear the event log file you must have Access Rights to Read Write Files See the Administration Administrators Modify Properties screen Figure 13 3 Monitoring Filterable Event Log...

Page 192: ...e keyboard Shift key and select the last severity level in the range To select multiple severity levels select the first severity level hold down the keyboard Ctrl key and select the other severity levels By default the Manager displays All severity levels See Table 9 4 under Configuration System Events for an explanation of severity levels Client IP Address To display all events relating to a sin...

Page 193: ...er but among them are Open Link Open Link in New Window Open in New Window Open and view the file in a new browser window as above Save Target As Save Link As Save a copy of the log file on your PC Your system will prompt for a filename and location The default filename is vpn3002log txt When you are finished viewing or saving the file close the new browser window Clear Log To clear the current ev...

Page 194: ...evel 4 See Table 9 4 under Configuration System Events for an explanation of severity levels Event Class Number The class or source of the event and the internal reference number associated with the specific event within the event class For example HTTP 47 indicates that an administrator logged in to the VPN 3002 using HTTP to connect to the Manager Table 9 2 under Configuration System Events desc...

Page 195: ...tops You can still scroll through the event log Click the button to resume the display of new events and restart the timer Clear Display To clear the event display click Clear Display This action does not clear the event log only the display of events on this screen Restart To clear the event display and reload the entire event log in the display click Restart Timer The timer counts 5 4 3 2 1 to s...

Page 196: ...13 5 Monitoring System Status Screen Reset To reset or start anew the screen contents click Reset The system temporarily resets a counter for the chosen statistics without affecting the operation of the device You can then view statistical information without affecting the actual current values of the counters or other management sessions The function is like that of a vehicle s trip odometer vers...

Page 197: ...ineering change requires a bootcode upgrade only Cisco support personnel can do so Software Rev The version name number and date of the VPN 3002 Hardware Client system software image file You can update this image file from the Administration Software Update screen Up Since The date and time that the VPN 3002 was last booted or reset RAM Size The total amount of SDRAM memory installed in the VPN 3...

Page 198: ...pe of tunnel for this SA either IPSec or IKE the control tunnel Remote Address Network subnet mask for this split tunneled SA Encryption The encryption method this SA uses Authentication The authentication method this SA uses Octets In The number of octets bytes this SA has received since the tunnel has been up Octets Out The number of octets bytes this SA has sent since the tunnel has been up Pac...

Page 199: ...ays the appropriate Monitoring System Status Interface screen Monitoring System Status Private Public Interface This screen displays status and statistics for a VPN 3002 Ethernet interface To configure an interface see Configuration Interfaces Figure 13 6 Monitoring System Status Public Interface Screen Reset To reset or start anew the screen contents click Reset The system temporarily resets a co...

Page 200: ...02 Ethernet interface number Private interface Public interface IP Address The IP address configured on this interface Status The operational status of this interface UP UP DHCP UP PPPoE configured and enabled ready to pass data traffic Waiting for DHCP PPPoE configured and enabled waiting for negotiations to complete Disabled configured but disabled DOWN DOWN DHCP DOWN PPPoE configured but Testin...

Page 201: ...rface since the VPN 3002 was last booted or reset Multicast packets are those addressed to a specific group of hosts Tx Multicast The number of multicast packets that were routed to this interface for transmission since the VPN 3002 was last booted or reset including those that were discarded or not sent Multicast packets are those addressed to a specific group of hosts Rx Broadcast The number of ...

Page 202: ...ure is enabled or disabled for the VPN 3002 This feature is enabled or disabled for the group on the VPN Concentrator to which the VPN 3002 belongs For more information see Configuration User Management Base Group Groups Hardware Client tab for the VPN Concentrator Username The username for the session IP Address The IP address of the device logged in behind the VPN 3002 MAC Address The MAC addres...

Page 203: ...nd Phase 2 tunnels received and transmitted packets failures drops etc HTTP total data traffic and connection statistics Telnet total sessions and current session inbound and outbound traffic DNS total requests responses timeouts etc SSL total sessions encrypted vs unencrypted traffic etc DHCP leased addresses duration etc SSH total and active sessions bytes and packets sent and received etc PPPoE...

Page 204: ... Statistics IPSec Screen Reset To reset or start anew the screen contents click Reset The system temporarily resets a counter for the chosen statistics without affecting the operation of the device You can then view statistical information without affecting the actual current values of the counters or other management sessions The function is like that of a vehicle s trip odometer versus the regul...

Page 205: ... by all currently and previously active IKE tunnels Received Packets The cumulative total of packets received by all currently and previously active IKE tunnels Sent Packets The cumulative total of packets sent by all currently and previously active IKE tunnels Received Packets Dropped The cumulative total of packets that were dropped during receive processing by all currently and previously activ...

Page 206: ...VPN 3002 Invalid Phase 2 Exchanges Received The cumulative total of IPSec Phase 2 exchanges that were received found to be invalid because of protocol errors and dropped by all currently and previously active IKE tunnels In other words the total of Phase 2 negotiations that were initiated by a remote peer but that this VPN 3002 dropped because of protocol errors Invalid Phase 2 Exchanges Sent The ...

Page 207: ...gital certificates or user level authentication Decryption Failures The cumulative total of decryptions that failed by all currently and previously active IKE tunnels Hash Validation Failures The cumulative total of hash validations that failed by all currently and previously active IKE tunnels Hash validation failures usually indicate misconfiguration or mismatched preshared keys or digital certi...

Page 208: ...n other words total bytes of IPSec only data sent by the IPSec subsystem after compressing the IPSec payload Received Packets The cumulative total of packets received by all currently and previously active IPSec Phase 2 tunnels Sent Packets The cumulative total of packets sent by all currently and previously active IPSec Phase 2 tunnels Received Packets Dropped The cumulative total of packets drop...

Page 209: ...dividual packet authentications performed by all currently and previously active IPSec Phase 2 tunnels Failed Outbound Authentications The cumulative total of outbound packet authentications that failed by all currently and previously active IPSec Phase 2 tunnels This number should be zero or very small if not check the event log for an internal IPSec subsystem problem Decryptions The cumulative t...

Page 210: ...all currently and previously active IPSec Phase 2 tunnels These failures occur when the system receives an IPSec packet for which it has no Security Association and might indicate synchronization problems Protocol Use Failures The cumulative total of protocol use failures that occurred during processing of all currently and previously active IPSec Phase 2 tunnels These failures indicate errors par...

Page 211: ...s icon displays only if you previously clicked the Reset icon Refresh To update the screen and its data click Refresh The date and time indicate when the screen was last updated Octets Sent Received The total number of HTTP octets bytes sent or received since the VPN 3002 was last booted or reset Packets Sent Received The total number of HTTP packets sent or received since the VPN 3002 was last bo...

Page 212: ...TP session began Encryption The encryption method used in the HTTP session Octets Sent Received Number of octets sent or received during the HTTP session Packets Sent Received Number of packets sent or received during the HTTP session Sockets Active The number of currently active sockets for the HTTP session Sockets Peak The maximum number of sockets simultaneously active during the HTTP session S...

Page 213: ...orarily resets a counter for the chosen statistics without affecting the operation of the device You can then view statistical information without affecting the actual current values of the counters or other management sessions The function is like that of a vehicle s trip odometer versus the regular odometer Restore To restore the screen contents to their actual statistical values click Restore T...

Page 214: ... active session is a row Client IP Address Port The IP address and TCP source port number of the remote Telnet client for this session Inbound Octets Total The total number of Telnet octets bytes received by this session Inbound Octets Command The number of octets bytes containing Telnet commands or options received by this session Inbound Octets Discarded The number of Telnet octets bytes receive...

Page 215: ...then view statistical information without affecting the actual current values of the counters or other management sessions The function is like that of a vehicle s trip odometer versus the regular odometer Restore To restore the screen contents to their actual statistical values click Restore This icon displays only if you previously clicked the Reset icon Refresh To update the screen and its data...

Page 216: ...l traffic on the VPN 3002 since it was last booted or reset To configure SSL see Configuration System Management Protocols SSL Figure 13 13 Monitoring Statistics SSL Screen Reset To reset or start anew the screen contents click Reset The system temporarily resets a counter for the chosen statistics without affecting the operation of the device You can then view statistical information without affe...

Page 217: ...tets bytes of encrypted inbound traffic sent to the decryption engine This number includes negotiation traffic Unencrypted Outbound Octets The number of unencrypted outbound octets bytes sent to the encryption engine Encrypted Outbound Octets The number of octets bytes of outbound traffic output by the encryption engine This number includes negotiation traffic Total Sessions The total number of SS...

Page 218: ...ck Reset The system temporarily resets a counter for the chosen statistics without affecting the operation of the device You can then view statistical information without affecting the actual current values of the counters or other management sessions The function is like that of a vehicle s trip odometer versus the regular odometer Restore To restore the screen contents to their actual statistica...

Page 219: ... IP address pool Pool End The IP address at the end of the DHCP IP address pool Leased IP Address The IP address leased from the DHCP server by the remote client Time Left The time remaining until the current IP address lease expires shown as HH MM SS MAC Address The hardwired MAC Medium Access Control address of the interface in 6 byte hexadecimal notation that maps to the IP Address Host Name Th...

Page 220: ...e chosen statistics without affecting the operation of the device You can then view statistical information without affecting the actual current values of the counters or other management sessions The function is like that of a vehicle s trip odometer versus the regular odometer Restore To restore the screen contents to their actual statistical values click Restore This icon displays only if you p...

Page 221: ...N 3002 Total Sessions The total number of SSH sessions since the VPN 3002 was last booted or reset SSH Sessions Presents details on SSH sessions Login Name The name of the administrator using the session Remote IP Address Port The remote IP address for the session Login Time The time of day when the login for the session occurred Encryption The type of encryption algorithm used for the session Oct...

Page 222: ...fecting the operation of the device You can then view statistical information without affecting the actual current values of the counters or other management sessions The function is like that of a vehicle s trip odometer versus the regular odometer Restore To restore the screen contents to their actual statistical values click Restore This icon displays only if you previously clicked the Reset ic...

Page 223: ...he VPN 3002 Source IP Address Port The source IP address and port for the NAT session Destination IP Address Port The destination IP address and port for the NAT session Translated IP Address Port The translated IP address and port for the NAT session The VPN3002 uses this port number to keep track of which devices initiate data transfer by keeping this record the VPN 3002 is able to correctly rou...

Page 224: ...en Reset To reset or start anew the screen contents click Reset The system temporarily resets a counter for the chosen statistics without affecting the operation of the device You can then view statistical information without affecting the actual current values of the counters or other management sessions The function is like that of a vehicle s trip odometer versus the regular odometer Restore To...

Page 225: ...session is established MAC Address The MAC Medium Access Control address of the PPPoE Access Concentrator in 6 byte hexadecimal notations Server Name The name of the server for the PPPoE Access Concentrator Duration The amount of time that this PPPoE session has been up in the format hh mm ss PADI Timeouts The number of PPPoE Active Discovery Initiation packets for which the VPN 3002 received no r...

Page 226: ...E PADT Rx The number of PPPoE Active Discovery Terminate packets received PADT Tx The number of PPPoE Active Discovery Terminate packets sent Generic Errors Rx The number of errors received during the PPPoE session Malformed Packets Rx The number of malformed packets received during the PPPoE session ...

Page 227: ...roup of objects Interfaces packets sent and received on network interfaces and VPN tunnels TCP UDP Transmission Control Protocol and User Datagram Protocol segments and datagrams sent and received etc IP Internet Protocol packets sent and received fragmentation and reassembly data etc ICMP Internet Control Message Protocol ping timestamp and address mask requests and replies etc ARP Table Address ...

Page 228: ...en view statistical information without affecting the actual current values of the counters or other management sessions The function is like that of a vehicle s trip odometer versus the regular odometer Restore To restore the screen contents to their actual statistical values click Restore This icon displays only if you previously clicked the Reset icon Refresh To update the screen and its data c...

Page 229: ...e routed to this interface for transmission including those that were discarded or not sent Unicast packets are those addressed to a single host Multicast In The number of multicast packets that were received by this interface Multicast packets are those addressed to a specific group of hosts Multicast Out The number of multicast packets that were routed to this interface for transmission includin...

Page 230: ...ing the operation of the device You can then view statistical information without affecting the actual current values of the counters or other management sessions The function is like that of a vehicle s trip odometer versus the regular odometer Restore To restore the screen contents to their actual statistical values click Restore This icon displays only if you previously clicked the Reset icon R...

Page 231: ...ed in milliseconds TCP Timeout Max The maximum value permitted for TCP retransmission timeout measured in milliseconds TCP Connection Limit The limit on the total number of TCP connections that the system can support A value of 1 means there is no limit TCP Active Opens The number of TCP connections that went directly from an unconnected state to a connection synchronizing state bypassing the list...

Page 232: ...or what is casually called a data packet UDP Datagrams Transmitted The total number of UDP datagrams sent Datagram is the official UDP name for what is casually called a data packet UDP Errored Datagrams The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port UDP No Port Datagram is the official UDP name for what is...

Page 233: ... The system temporarily resets a counter for the chosen statistics without affecting the operation of the device You can then view statistical information without affecting the actual current values of the counters or other management sessions The function is like that of a vehicle s trip odometer versus the regular odometer Restore To restore the screen contents to their actual statistical values...

Page 234: ...ass E Packets Received Unknown Protocols The number of IP data packets received and discarded because of an unknown or unsupported protocol Packets Received Discarded The number of IP data packets received that had no problems preventing continued processing but that were discarded for example for lack of buffer space This number does not include any packets discarded while awaiting reassembly Pac...

Page 235: ...of IP fragments received by the VPN 3002 that needed to be reassembled Reassembly Successes The number of IP data packets successfully reassembled Reassembly Failures The number of failures detected by the IP reassembly algorithm for whatever reason timed out errors etc This number is not necessarily a count of discarded IP fragments since some algorithms can lose track of the number of fragments ...

Page 236: ...ou can then view statistical information without affecting the actual current values of the counters or other management sessions The function is like that of a vehicle s trip odometer versus the regular odometer Restore To restore the screen contents to their actual statistical values click Restore This icon displays only if you previously clicked the Reset icon Refresh To update the screen and i...

Page 237: ...a router cannot reassemble a packet within a time limit Parameter Problems Received Transmitted The number of ICMP Parameter Problem messages received sent Parameter Problem messages indicate a syntactic or semantic error in an IP header Source Quench Received Transmitted The number of ICMP Source Quench messages received sent Source Quench messages provide rudimentary flow control they request a ...

Page 238: ...ted The number of ICMP Timestamp Reply messages received sent Timestamp Reply messages are sent in response to Timestamp messages to measure propagation delay in the network Address Mask Requests Received Transmitted The number of ICMP Address Mask Request messages received sent Address Mask Request messages ask for the address subnet mask for the LAN to which a router connects Address Mask Replie...

Page 239: ...m can forward traffic to computers on its network RFC 2011 defines MIB entries in the ARP table The entries are sorted first by Interface then by IP Address To speed display the Manager might construct multiple 64 row tables Use the scroll controls if present to view the entire series of tables You can also delete dynamic or learned entries in the mapping table Figure 13 23 Monitoring Statistics M...

Page 240: ...tunnel FF FF FF FF FF FF a network broadcast address IP Address The IP address that maps to the Physical Address Mapping Type The type of mapping Other none of the following Invalid an invalid mapping Dynamic a learned mapping Static a static mapping on the VPN 3002 Action Delete To remove a dynamic or learned mapping from the table click Delete There is no confirmation or undo The Manager deletes...

Page 241: ...start anew the screen contents click Reset The system temporarily resets a counter for the chosen statistics without affecting the operation of the device You can then view statistical information without affecting the actual current values of the counters or other management sessions The function is like that of a vehicle s trip odometer versus the regular odometer Restore To restore the screen c...

Page 242: ... collision circuits on an interface Frame Too Long Errors The number of frames received on this interface that exceed the maximum permitted frame size Deferred Transmits The number of frames for which the first transmission attempt on this interface is delayed because the medium is busy This number does not include frames involved in collisions Single Collisions The number of successfully transmit...

Page 243: ...his number does not include Carrier Sense Errors Late Collisions or Excessive Collisions MAC Errors Receive The number of frames for which reception on this interface failed due to an internal MAC sublayer receive error This number does not include Alignment Errors FCS Errors or Frame Too Long Errors Speed Mbps The nominal bandwidth of the interface in megabits per second Duplex The current LAN du...

Page 244: ...osen statistics without affecting the operation of the device You can then view statistical information without affecting the actual current values of the counters or other management sessions The function is like that of a vehicle s trip odometer versus the regular odometer Restore To restore the screen contents to their actual statistical values click Restore This icon displays only if you previ...

Page 245: ...otect security the VPN 3002 does not include the usual default public community string Parsing Errors The total number of syntax or transmission errors encountered by the VPN 3002 when decoding received SNMP messages Silent Drops The total number of SNMP request messages that were silently dropped because the reply exceeded the maximum allowable message size Proxy Drops The total number of SNMP re...

Page 246: ...13 58 VPN 3002 Hardware Client Reference OL 1893 01 Chapter 13 Monitoring Monitoring Statistics MIB II SNMP ...

Page 247: ...arameters and options see the corresponding section of the Manager in this manual For example to understand Ethernet interface configuration parameters and choices see Configuration Interfaces Private Public in Chapter 3 Interfaces Accessing the Command line Interface You can access the command line interface in two ways via the system console or a Telnet or Telnet over SSL client Console Access T...

Page 248: ... SSL port is 992 Terminal Type VT100 or ANSI Note Telnet SSL If the client offers it enable both SSL and SSL only 3 The VPN 3002 displays a login prompt Login _ Starting the Command line Interface You start the command line interface by logging in Login usernames and passwords for both console and Telnet access are the same as those configured and enabled for administrators See the Administration ...

Page 249: ...ble options and setting parameters The prompt always shows the menu context Choosing Menu Items To use the command line interface enter a number at the prompt that corresponds to the desired menu item and press Enter For example this is the Configuration System General System Identification menu 1 Set System Name 2 Set Contact 3 Set Location 4 Back General _ Enter 1 to set the system name Entering...

Page 250: ...nager you can quickly access any level by entering a series of numbers separated by periods For example suppose you want to change the Access Rights for Administrators The series of menus that gets to that level from the main menu is Main _ 1 Configuration 2 Administration 3 Monitoring 4 Save changes to Config file 5 Help Information 6 Exit Main 2 Administration Software Update 2 System Reboot 3 P...

Page 251: ...sing Back and Home Most menus include a numbered Back choice Instead of entering a number you can just enter b or B to move back to the previous menu Also at any menu level you can just enter h or H to move home to the main menu Getting Help Information To display a brief help message enter 5 at the main menu prompt The command line interface explains how to navigate through menus and enter values...

Page 252: ...menu Stopping the Command line Interface To stop the command line interface navigate to the main menu and enter 6 for Exit at the prompt 1 Configuration 2 Administration 3 Monitoring 4 Save changes to Config file 5 Help Information 6 Exit Main 6 Done Make sure you save any configuration changes before you exit from the CLI Understanding Access Rights What you see and can configure depends on admin...

Page 253: ...e Configuration System Management IP Routing menu Note The menus and options and thus the keyboard shortcuts might change with new software versions Please check familiar shortcuts carefully when using a new release Main Menu 1 Configuration 2 Administration 3 Monitoring 4 Save changes to Config file 5 Help Information 6 Exit Main _ 1 Configuration 1 Quick Configuration 2 Interface Configuration 3...

Page 254: ...ng static routes etc 4 Management Protocols Telnet HTTP etc 5 Event Configuration 6 General Config system name time etc 7 Back System _ 1 3 1 Configuration System Management Servers 1 DNS Servers 2 Back Servers _ 1 3 2 Configuration System Management Tunneling Protocols 1 IPSec 2 Back Tunnel _ 1 3 3 Configuration System Management IP Routing 1 Static Routes 2 Default Gateway 3 DHCP 4 DHCP Options ...

Page 255: ...ime and Date 3 Back General _ 1 4 Configuration Policy Management 1 Traffic Management 2 Back Policy _ 1 4 1 Configuration Policy Management Traffic Management 1 Port Address Translation PAT 2 Back Traffic 2 Administration 1 Software Update 2 System Reboot 3 Ping 4 Access Rights 5 File Management 6 Certificate Management 7 Back Admin _ 2 1 Administration Software Update Name of the file for main c...

Page 256: ...n file 3 Reboot ignoring the Configuration file 4 Back Admin _ 2 2 3 Administration System Reboot Schedule Shutdown 1 Save active configuration and use it at next reboot 2 Shutdown without saving active Configuration file 3 Shutdown ignoring the Configuration file at next reboot 4 Back Admin _ 2 3 Administration Ping Ping host Admin 2 4 Administration Access Rights 1 Administrators 2 Access Settin...

Page 257: ... Config File 5 Swap Config Files 6 Upload Config File 7 Back File _ 2 5 5 Administration File Management Swap Configuration File Every time the active configuration is saved 1 Swap 2 Back Admin _ 2 6 Administration Certificate Management 1 Enrollment 2 Installation 3 Certificate Authorities 4 Identity Certificates 5 SSL Certificate 6 Back Certificates _ 2 6 2 Administration Certificate Management ...

Page 258: ... 6 4 Administration Certificate Management Identity Certificates Identity Certificates 1 View Certificate 2 Delete Certificate 3 Back Certificates _ 2 6 5 Administration Certificate Management SSL Certificate Subject q to Quit SPACE to Continue Issuer q to Quit SPACE to Continue Serial Number 1 Delete Certificate 2 Generate Certificate 3 Back Certificates _ 3 Monitoring 1 Routing Table 2 Event Log...

Page 259: ... Table 2 Clear Routing Table 3 Back Routing _ 3 2 Monitoring Event Log 1 Configure Log viewing parameters 2 View Event Log 3 Clear Log 4 Back Log _ 3 2 2 Monitoring Event Log View Event Log Event Log entries 1 First Page 2 Previous Page 3 Next Page 4 Last Page 5 Back Log _ 3 3 Monitoring System Status System Status 1 Refresh System Status 2 Connect Now 3 Disconnect Now 4 Back Status _ Card Status ...

Page 260: ...istics 1 Protocol Statistics 2 Server Statistics 3 MIB II Statistics 4 Back General _ 3 4 1 Monitoring General Statistics Protocol Statistics 1 IPSec Statistics 2 HTTP Statistics 3 Telnet Statistics 4 DNS Statistics 5 SSL Statistics 6 SSH Statistics 7 PPPoE Statistics 8 NAT Statistics 9 Back General _ 3 4 2 Monitoring General Statistics Server Statistics 1 DHCP Statistics 2 Back General _ 3 4 3 Mo...

Page 261: ...atile memory NVRAM To troubleshoot operational problems we recommend that you start by examining the event log To view the event log see Administration File Management View and click on View Saved Log File To configure events and to choose the events you want to view see Configuration System Events and Monitoring Filterable Event Log The VPN 3002 automatically saves the event log to a file in flas...

Page 262: ... See Administration File Management for information on managing files in flash memory LED Indicators LED indicators on the VPN 3002 are normally green or flashing amber LEDs that are solid amber or off may indicate an error condition Contact Cisco TAC if any LED indicates an error condition VPN 3002 Front LEDs The LEDs on the front of the VPN 3002 are LED Status Explanation PWR Green Unit is on an...

Page 263: ...rrors Problem or Symptom Possible Solution Tunnel is not up or not passing data PWR LED is off Make sure that the power cable is plugged into the VPN 3002 and a power outlet SYS LED is solid amber Unit has failed diagnostics Contact Cisco Support immediately You see this LED display PWR green SYS LED green VPN LED off 1 Verify that the VPN Concentrator to which this VPN 3002 connects is running ve...

Page 264: ... and password are correct 2 Make sure the group and user names and passwords match those set for the VPN 3002 on the central site VPN Concentrator 3 After you make any changes navigate to Monitoring System Status and click on Connect Now 4 Study the event log files To capture more events and to interpret events see Chapter 9 Events in the VPN 3002 Hardware Client User Reference My PC cannot commun...

Page 265: ...in the VPN 3000 Series Concentrator Reference Volume I Step 5 Check the Event log Refer to Chapter 10 Events in the VPN 3000 Series Concentrator Reference Volume I VPN 3002 Hardware Client Manager Errors The following sections describe errors that might occur while using the HTML based VPN 3002 Hardware Client Manager with a browser Invalid Login or Session Timeout The Manager displays the Invalid...

Page 266: ...when you click on an action button such as Apply Add or Cancel or a link on a screen that invokes a different screen Entering values or setting parameters on a given screen does not reset the timer The timeout interval is set too low for normal use On the Administration Access Rights Access Settings screen change the Session Timeout interval to a larger value and click on Apply Table A 3 Browser R...

Page 267: ...correct data To protect security and the integrity of data entries clicking on Back or Forward on the browser toolbar deletes pointers and values within the Manager Do not use the browser navigation toolbar buttons with the VPN 3002 Hardware Client Manager Navigate using the location bar at the top of the Manager window the table of contents in the left frame or links on Manager screens We recomme...

Page 268: ...to access an area of the Manager that you do not have authorization to access You logged in using an administrator login name that has limited privileges You logged in from a workstation that has limited access privileges Log in using the system administrator login name and password Defaults are admin admin Log in from a workstation with greater access privileges Have the system administrator chan...

Page 269: ...m Possible cause Solution The Manager could not find a screen You updated the software image and did not clear the browser s cache Clear the browser s cache delete its temporary internet files history files and location bar references Then try again There is an internal Manager error Please note the system information on the screen and contact Cisco support personnel for assistance Table A 8 Micro...

Page 270: ...er greater than 255 in a byte position You entered 0 0 0 0 instead of an appropriate address At the prompt reenter a valid 4 byte dotted decimal number ERROR Out of Range value entered Try again The system expected a number within a certain range and the entry was outside that range You entered a letter instead of a number You entered a number greater than the possible menu numbers At the prompt r...

Page 271: ...properties and rights changing 12 9 session idle timeout 12 11 ARP table 13 51 authentication client SSL HTTPS only 8 11 using digital certificates 12 16 B Back and Home CLI choices 14 5 back panel display monitoring 13 11 backup configuration file swapping 12 13 use in troubleshooting A 2 backup server list 6 4 backup servers configuring 6 3 DNS and WINS servers 6 4 overview 6 4 Bad IP Address er...

Page 272: ...tion 11 1 effect on backup server connection 6 5 See also PAT mode Command Line Interface See CLI concentrator settings required for Network Extension mode 11 3 required for PAT 11 2 CONFIG BAK file See backup configuration file use in troubleshooting A 2 configuration quick 2 1 system 4 1 VPN 3002 Hardware Client Manager 2 1 configuration files automatic backup with file upload 12 14 changes with...

Page 273: ...4 12 37 expiration 12 17 fields 12 51 generating SSL 12 33 identity 12 16 12 32 installing 12 16 12 22 12 24 12 45 automatically via SCEP 12 17 manually 12 19 IPSec LAN to LAN 6 6 managing 12 16 PKCS 10 request 12 40 renewal 12 54 root 12 16 saving in Flash memory 12 16 SCEP enabled 12 17 SSL 1 3 12 16 troubleshooting 12 17 viewing and managing on VPN 3002 12 31 viewing details 12 50 X 509 12 16 d...

Page 274: ... event class 9 1 configuring 9 5 configuring default handling 9 5 configuring for special handling modify 9 10 configuring special handling 9 8 add 9 10 definition 9 1 severity level 9 3 trap destinations configuring 9 12 event log clear erase 13 5 definition 9 4 download to PC 13 5 format 9 6 13 5 get 13 5 live 13 6 monitoring 13 3 13 6 save 13 5 saved on system crash or reboot A 1 saved on syste...

Page 275: ...12 16 idle timeout administrator sessions 12 11 live event log overrides 13 6 IEEE standard 802 3 Ethernet networks 13 53 image software filenames 12 3 indicators LED A 2 individual user authentication login screen 1 19 installing CA certificates 12 44 automatic method using SCEP 12 17 manual method 12 19 digital certificates 12 16 enrolled certificates 12 45 identity certificates 12 20 identity c...

Page 276: ... main menu CLI 14 2 14 7 management protocols configuring 8 1 Manager table of contents 1 28 Manager unexpectedly logs out error A 6 managing digital certificates on VPN 3002 12 31 managing VPN Concentrator with CLI 14 1 memory SDRAM 13 9 menu choosing a menu item in CLI 14 3 context in CLI prompt 14 3 menu reference CLI 14 7 MIB II statistics 13 39 ARP table 13 51 Ethernet traffic 13 53 interface...

Page 277: ...1 1 Port Address Translation mode See PAT mode port number HTTP 8 3 HTTPS 8 3 SNMP 8 6 SSH 8 14 syslog server 9 16 Telnet 8 5 Telnet over SSL 8 5 power turning off 12 5 PPPoE statistics 13 36 PPP over Ethernet See PPPoE prerequisites system administrator ix preshared keys 6 6 private interface configuring 3 4 definition 3 1 private keys saving in Flash memory 12 16 public interface configuring 3 6...

Page 278: ...P enabled certificate 12 17 troubleshooting 12 17 screen login using HTTPS 1 17 SDRAM memory 13 9 secure connection See also tunnel tunnel 6 1 Secure Shell protocol See SSH Secure Sockets Layer See SSL 12 16 Security Associations SAs 6 2 self signed certificates CA certificates 12 16 SSL 12 16 SSL certificate generating 12 33 server identity certificates 12 32 server key SSH 8 13 servers backup co...

Page 279: ...ning 12 28 viewing with Internet Explorer 1 8 viewing with Netscape 1 14 VPN Concentrator 1 3 standards IEEE standard 802 3 Ethernet networks 13 53 ITU 12 50 RFC 1650 Ethernet interface MIB objects 13 53 RFC 1907 SNMP version 2 MIB objects 13 56 RFC 2011 ARP table entries 13 51 RFC 2011 IP and ICMP MIB objects 13 45 13 48 RFC 2012 TCP MIB objects 13 42 RFC 2013 UDP MIB objects 13 42 RFC 2459 12 50...

Page 280: ... over SSL configuring internal server 8 4 port number 8 5 time and date configuring 10 3 timeout administrator 12 11 live event log overrides 13 6 time zone configuring 10 3 traffic management configuring 11 5 transmission mode configuring Ethernet interface 3 5 3 8 traps configuring well known 9 8 destination systems 9 12 9 13 general events 9 8 specific events 9 11 troubleshooting crash dump fil...

Page 281: ...N 3002 status sessions statistics and event logs 13 1 VPN 3002 Hardware Client Manager errors A 5 navigating 1 28 organization 1 27 window 1 23 VPN Concentrator Manager logging in 1 17 using 1 1 W WINS backup server configuring 6 4 X X 509 digital certificates 12 16 standards 12 50 X 520 standards 12 50 XML configuring 8 16 enabling 8 16 ...

Page 282: ...Index IN 12 VPN 3002 Hardware Client Reference OL 1893 01 ...

Reviews:

No comments

Related manuals for VPN 3002 Hardware Client Manager

D-Link DIR-855L Quick Installation Manual preview
DIR-855L
Brand: D-Link Pages: 28
D-Link DIR-826L Quick Install Manual preview
DIR-826L
Brand: D-Link Pages: 2
D-Link DIR-655 - Xtreme N Gigabit Router Wireless Quick Start Manual preview
DIR-655 - Xtreme N Gigabit Router Wireless
Brand: D-Link Pages: 3
D-Link DIR-605L Technical Support Setup Procedure preview
DIR-605L
Brand: D-Link Pages: 11
D-Link DIR-880L Quick Install Manual preview
DIR-880L
Brand: D-Link Pages: 12
D-Link DIR-842 Quick Install Manual preview
DIR-842
Brand: D-Link Pages: 12
D-Link DIR-821 Quick Install Manual preview
DIR-821
Brand: D-Link Pages: 24
D-Link DIR-803 Quick Installation Manual preview
DIR-803
Brand: D-Link Pages: 20
D-Link DIR-815/AC Quick Installation Manual preview
DIR-815/AC
Brand: D-Link Pages: 44
D-Link DIR-830M Quick Installation Manual preview
DIR-830M
Brand: D-Link Pages: 52
D-Link DIR-821 User Manual preview
DIR-821
Brand: D-Link Pages: 103
Opengear IMG4216-25 Quick Start Manual preview
IMG4216-25
Brand: Opengear Pages: 2
Dentsply Sirona inLab Speedcure 9494800 Instruction Manual preview
inLab Speedcure 9494800
Brand: Dentsply Sirona Pages: 91
IBM J02M Quick Start Manual preview
J02M
Brand: IBM Pages: 32
Jetter JetWeb JX2-PR0FI1 Operator'S Manual preview
JetWeb JX2-PR0FI1
Brand: Jetter Pages: 67
Alesis QUADRAVERB Reference Manual preview
QUADRAVERB
Brand: Alesis Pages: 61
dixell XT120C Installing And Operating Insructions preview
XT120C
Brand: dixell Pages: 4
Fracarro FRPRO EVO HD Quick Start Manual preview
FRPRO EVO HD
Brand: Fracarro Pages: 12

Brands by name

Popular brands

Load more brands