This chapter documents all of the windows and features of the Windows and Mac OS VPN 5000 Clients. This guide shows the Windows version, but these two platforms are virtually identical in content. Figures and text in this section are applicable to both environments, except where indicated.
To access the VPN Client window while you are connected, click on the spinning globe in the Windows Tool Tray for Windows clients. For Macintosh clients, select the VPN 5000 Client from the application menu. This window automatically appears as part of the normal login procedure.
The following tabbed sections allow you to set up logins, view statistics, and set other client parameters.
The Hide and Exit buttons appear on each tab of the window.
Hide removes the window from your screen. Exit exits the client program. For Mac OS clients, Command-Q is used to quit the client application.
The Configuration Tab contains a list of your available login configurations. The following tables describe the buttons and checkboxes on the window.

| Button | Action |
|---|---|
| Add | Creates a new login |
| Remove | Deletes a login |
| Edit | Edits the selected login |
| Set as Default | Sets a pre-selected login when the client loads |
| Connect | Establishes a tunnel connection |
| Disconnect | Disconnects the active tunnel session. |
| Advanced | Opens the Advanced Configuration Properties Window |

| Checkbox | Action |
|---|---|
| Auto-Connect to Default when Opened | Sets whether the default login automatically connects to the server when you open the client. |
| Auto-Connect to Default before Logon (Windows only) | Sets whether the default login automatically connects to the server before logging into your computer and domain. This feature enables you to log into the corporate network domain at startup. |

To access this window, click the Advanced button on the Configuration tab of the VPN Client window.
If the VPN 5000 Concentrator is configured to save secrets, all static passwords entered in the client are saved in the configuration file so you do not need to enter them again. To prevent your passwords from being read in the configuration file, enable password encryption in the file by checking the Encrypt Passwords box.

To access this window, click the Add or Edit button on the Configuration Tab.
This window allows you to enter and change parameters for the selected login. Many parameters require that the client be configured to match the configuration of the server.
For more information on configuring your server, see the appropriate configuration or reference guide for the Cisco VPN 5000 series products.

| Parameter | Description |
|---|---|
| | This login method uses only the shared key password for authentication. |
| | This method requires you to manually import a root certificate to establish a tunnel with the server. |
| Login Name | Name of the tunnel user. This name must also be configured on the server and, if present, the authentication service. The name can be between 1 and 60 alphanumeric characters, no spaces allowed. |
| Primary VPN Server | IP address or fully qualified domain name of the server that the client software connects to. |
| Secondary VPN Server | Alternate server address. |
| | Enables Network Address Translation (NAT) transparency for client sessions. The server must be configured to have an ESP transform set. Check the NAT Transparency Mode if you are having problems connecting through a NAT device or through an ISP. |
| Advanced button | Opens the Advanced Login Properties window |

To access this window, click the Advanced button on the Login Properties window. This window sets the local tunneling control.

| Checkbox | Action |
|---|---|
| Tunnel IP | Enables IP-in-IP tunneling to the IP networks configured in the server. |
| Tunnel MS Networking (NetBT) | (Windows Only) Enables Microsoft networking functionality over IP transport if it is enabled on the server. |
| Tunnel IPX | (Windows Only) Enables connections to IPX servers. |
| | Local LAN traffic is not tunneled, if enabled on the server. |
| Exclude DHCP (bootp) from Tunnel | |

When the Configuration tab is in front, you can right-click any login name to view the current tunneling control options, clear the saved secrets, or clear the byte count.
The Tunneling Control Options are set in the Advanced Login Properties Window. Clearing Saved Secrets allows you to establish new passwords for this user. Clear Byte Count resets the bytes transmitted and bytes received values to zero for this user.

The Logging tab displays messages related to tunnel connections for troubleshooting purposes.

The Log Message Level drop-down list determines the detail of messages logged. The log information displays in the window.

| Log Message Level | Description |
|---|---|
| Error | Reports errors. |
| Warning | Reports warnings and errors. |
| Status | Reports connection status, warnings, and errors. |
| Debug | Reports every action and provides detailed information about the connection conversation between the client and the server. |

Caution: Cisco recommends that you do not use Debug on a daily basis. It generates a large number of log messages.

The General tab displays information about the VPN 5000 Client and packet statistics for each session.

The Version Information section displays the current version of the VPN 5000 Client software and the information listed in the following table.

| Version Information Field | Description |
|---|---|
| Static VxD | Version of the static driver. |
| Client VxD | Version of the Windows 95/98 driver. |
| VPN 5000 Concentrator | Version number of the code for the last VPN 5000 Concentrator the client was connected to. |
| IP Address | IP address the VPN 5000 Concentrator gives you for this session. |

The Statistics section displays information related to the tunnel traffic. This information is used for troubleshooting purposes.

| | Description |
|---|---|
| | The number of IP and IPX packets received and transmitted by the client during the active session. |
| Bad authentication | The number of packets with bad authentication. |
| Bad encapsulation | The number of packets with bad encapsulation. |
| Bad input | Number of packets that could not wrap properly. |
| Bytes Received and Bytes Transmitted | The number of bytes transmitted and received by the client during the active session. These values can be used for billing purposes. To reset the byte count in this field, you must right-click on the login name. See the "Configuration Tab Right-Click Menus" section. |
| Reset | Clears all displayed statistics except bytes received and transmitted. |

The Certificates tab allows you to manage your root certificates. During the login, each root certificate file is checked against the received server certificate for validity until the server's certificate is validated, or until there are no more root certificates. Root certificates are not bound to any user.
Each root certificate is saved in the root certificate section of the configuration file as in the following example.
[VPN Root Cert] rootcert1

| Button | Action |
|---|---|
| Import | Import root certificates |
| Remove | Removes unused or unneeded root certificates |
| View | Opens the Digital Certificate Information window |

To access this window, click the View button on the Certificates Tab of the VPN Client window. This window displays details about the selected root certificate.

| Field | Description |
|---|---|
| Certificate Format Version | Indicates the X.509 version of the certificate format. |
| Certificate Serial Number | Specifies the unique numerical identifier of the certificate in the domain of all public key certificates issued by the CA. |
| Signature Algorithm ID for CA | Identifies the algorithm used by the CA to sign the certificate. |
| Issuer Name | Specifies the X.500 distinguished name (DN) of the CA that issued the certificate. |
| Validity Period | Specifies the dates and times for the start date and the expiration date of the certificate. |
| Subject Name | Specifies the X.500 DN of the entity holding the private key corresponding to the public key identified in the certificate. |
| Subject Public Key Information | The first part of this field identifies the value of the public key owned by the subject. The second part is the algorithm identifier specifying the algorithm with which the public key is to be used. |
| Certificate Fingerprint | Identifies the fingerprint of the certificate so that it can be verified against the certificate on the server. |

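The root-certificate check described for the Certificates tab, in which each root is tried in turn until one validates the server certificate, can be reproduced with the `openssl` command line. This is an added example, not Cisco code or the client's own implementation: the certificates are constructed test data, `vpn-server` and the function names are hypothetical, and SHA-256 for the fingerprint is an assumption because this guide does not name the hash.

```shell
#!/bin/sh
# Added example, not Cisco code; every certificate below is constructed test data.

# make_root DIR NAME: create a self-signed root certificate.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_server DIR ROOT NAME: issue a server certificate signed by ROOT.
make_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 2 -out "$1/$3.pem" 2>/dev/null
}

# first_validating_root SERVER ROOT...: try each root in order, print the
# first one that validates SERVER, and return 1 when the list is exhausted.
first_validating_root() {
  server=$1; shift
  for root in "$@"; do
    # "openssl verify" prints "<file>: OK" only when the chain validates.
    if openssl verify -CAfile "$root" "$server" 2>/dev/null | grep -q ': OK$'; then
      printf '%s\n' "$root"
      return 0
    fi
  done
  return 1
}

# fingerprint CERT: SHA-256 fingerprint (the hash choice is an assumption).
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

demo() {
  dir=$(mktemp -d) || return 1
  make_root "$dir" rootcert1 && make_root "$dir" rootcert2 &&
    make_server "$dir" rootcert2 vpn-server || return 1
  match=$(first_validating_root "$dir/vpn-server.pem" \
    "$dir/rootcert1.pem" "$dir/rootcert2.pem") || { echo "no root validates"; return 1; }
  echo "validated by: $(basename "$match")"
  echo "fingerprint:  $(fingerprint "$match")"
}
demo
```

Comparing the printed fingerprint with the value the administrator publishes for the server's root is the out-of-band check the Certificate Fingerprint field exists for.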
The About tab displays product licensing and copyright information.

The Mac OS Client includes a help file with a Help tab.
The Windows Client includes the Help tab only if the administrator created a customized help file for your installer. See the "Customized Help Files" section.

This section describes the security windows that can appear during the login.

This window appears if you enabled password encryption (see the "Advanced Configuration Properties" section). It is used to decrypt the passwords in your configuration file for the tunnel session.
If you are not using certificates, you are prompted for a shared secret to establish a tunnel between the client and the server. Additional passwords are sent over the tunnel.


If the VPN server uses a RADIUS server to authenticate users, the RADIUS password and authentication secret verify the client to connect to the RADIUS VPN server.
The Password is the RADIUS password configured on the RADIUS server. If the VPN 5000 Concentrator specifies PAP authentication, enter the Authentication Secret.
This secret must match the PAPAuthSecret configured in the RADIUS section of the concentrator.
Client configurations that use SecurID have several special user prompts. In some cases you will see all of these prompts, in others you will only see some of the prompts.

Step 2 The first time you log in, the following prompt appears:

Step 3 Enter a PIN and click OK, or leave the edit box blank and click Cancel to have the system generate a PIN.
If the system generates the PIN, a dialog box with a new PIN appears:

Step 4 Memorize or note the PIN before clicking OK.
If you have logged in before, the following prompt appears:

Step 5 Enter the PASSCODE, which consists of your PIN plus the current code from your SecurID token.
If the passcode is accepted, a client tunnel is created and the globe icon starts spinning.
For a Windows client, the globe is located in the Windows Tool Tray.
For a Mac OS client, the globe is in the upper right-hand corner of the VPN Client window.
If the passcode is not accepted, the following prompt appears:

Step 6 Wait until the token code changes from the one you just entered and try again.
If the passcode is still unacceptable, you will receive an access denied message.
The administrator can set the SecurID server to require users to change their PINs. In this case, the following prompt appears:

Step 2 After memorizing or noting your new PIN, click OK.
You are prompted for your new passcode with the following dialog box.

When your passcode is accepted, the globe icon spins to indicate that you have established a connection.
If the VPN server uses an Axent Defender system to authenticate users, you see the following prompt.

Enter the 8-digit challenge that appears on the VPN Client - RADIUS passcode window into your keypad or on your screen.
The VPN Client icon appears in the Windows Tool Tray on the task bar. When you are connected to the server, the icon turns into a globe and spins.
Right-click the icon to activate the following drop-down menu:

In the Mac OS Client, the File menu includes the following commands:

Posted: Mon Jun 26 12:47:54 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.