Cisco VPN 3002 Reference Manual
Hardware client

VPN 3002 Hardware Client
Reference
Release 3.5
November 2001
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-1893-01


Summary of Contents for Cisco VPN 3002

  • Page 1 VPN 3002 Hardware Client Reference Release 3.5 November 2001 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Text Part Number: OL-1893-01...
  • Page 2 ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.;...
  • Page 3: Table Of Contents

    Installing the SSL Certificate in Your Browser Connecting to the VPN 3002 Using HTTPS Configuring HTTP, HTTPS, and SSL Parameters Logging into the VPN 3002 Hardware Client Manager Interactive Hardware Client and Individual User Authentication Logging In With Interactive Hardware Client and Individual User Authentication...
  • Page 4 Contents Servers Configuration | System | Servers Configuration | System | Servers | DNS Tunneling Configuration | System | Tunneling Protocols Configuration | System | Tunneling Protocols | IPSec IP Routing Configuration | System | IP Routing Configuration | System | IP Routing | Static Routes Configuration | System | IP Routing | Static Routes | Add or Modify Configuration | System | IP Routing | Default Gateways...
  • Page 5 Configuration | System | Events | Classes | Add or Modify Configuration | System | Events | Trap Destinations Configuration | System | Events | Trap Destinations | Add or Modify Configuration | System | Events | Syslog Servers Configuration | System | Events | Syslog Servers | Add or Modify General 10-1 Configuration | System | General...
  • Page 6 Contents Administration | Certificate Management | Enroll | Certificate Type | PKCS10 12-39 Administration | Certificate Management | Enrollment or Renewal | Request Generated 12-40 Administration | Certificate Management | Enroll | Identity Certificate | SCEP 12-41 Administration | Certificate Management | Enroll | SSL Certificate | SCEP 12-42 Administration | Certificate Management | Install 12-44...
  • Page 7 Using the Command-line Interface Menu Reference Troubleshooting and System Errors Files for Troubleshooting LED Indicators System Errors Settings on the VPN Concentrator VPN 3002 Hardware Client Manager Errors Command-line Interface Errors Index 13-36 13-39 13-40 13-42...
  • Page 9: Preface

    VPN 3002 Command Line Interface. Prerequisites We assume you have read the VPN 3002 Hardware Client Getting Started manual and have followed the minimal configuration steps in Quick Configuration. That section of the VPN Hardware Client Manager is not described here.
  • Page 10 Copyrights, Licenses and Notices VPN 3002 Hardware Client Reference Description Explains how to configure the VPN 3002 to communicate with DNS servers to convert hostnames to IP addresses. Explains how to configure IPSec. Explains how to configure static routes, default gateways, and DHCP parameters and options.
  • Page 11: Related Documentation

    The VPN 3002 Hardware Client Basic Information sticky label summarizes information for quick configuration. It is provided with the VPN 3002 and you can also print it from the online version; you can affix the label to the VPN 3002.
  • Page 12: Documentation Conventions

    Reader 3.0 or later; version 4.5 is included on the Cisco VPN 3000 Concentrator software distribution CD-ROM and on the VPN Client software distribution CD-ROM. Other References Other useful references include: Cisco Systems, Dictionary of Internetworking Terms and Acronyms. Cisco Press: 2001. • Virtual Private Networking: An Overview. Microsoft Corporation: 1999. (Available from Microsoft •...
  • Page 13: Obtaining Documentation

    In most cases, the maximum length of text strings is 48 characters. Filenames on the VPN 3002 follow the DOS 8.3 naming convention: a maximum of eight characters for the name, plus a maximum of three characters for an extension. For example, LOG00007.TXT is a legitimate filename.
  • Page 14: Obtaining Technical Assistance

    In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.
  • Page 15 • P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available. • P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.
  • Page 17: Using The Vpn 3002 Hardware Client Manager

    The VPN 3002 Hardware Client Manager is an HTML-based interface that lets you configure, administer, monitor, and manage the VPN 3002 with a standard web browser. To use it, you connect to the VPN 3002, using a PC and browser on the same private network with the VPN 3002.
  • Page 18: Connecting To The Vpn 3002 Using Http

    Even if you plan to use HTTPS, you use HTTP at first to install an SSL certificate in your browser. Bring up the browser. In the browser Address or Location field, you can just enter the VPN 3002 private interface IP address; for example, 10.10.147.2. The browser automatically assumes and supplies an http:// prefix.
  • Page 19: Installing The Ssl Certificate In Your Browser

    SSL uses digital certificates for authentication. The VPN 3002 creates a self-signed SSL server certificate when it boots, and this certificate must be installed in the browser. Once the certificate is installed, you can connect using HTTPS. You need to install the certificate from a given VPN 3002 only once.
  • Page 20 This section describes SSL certificate installation using Microsoft Internet Explorer 5.0. (With Internet Explorer 4.0, some dialog boxes are different but the process is similar.) You need to install the SSL certificate from a given VPN 3002 only once. If you do reinstall it, the browser repeats all these steps each time.
  • Page 21 Figure 1-3 Internet Explorer File Download Dialog Box. Click the Open this file from its current location radio button, then click OK. The browser displays the Certificate dialog box with information about the certificate. You must now install the certificate.
  • Page 22 Internet Explorer Certificate Manager Import Wizard Dialog Box. Let the wizard Automatically select the certificate store, and click Next. The wizard opens a dialog box to complete the installation.
  • Page 23 Internet Explorer Certificate Manager Import Wizard Final Dialog Box. Click OK to close this dialog box, and click OK on the Certificate dialog box. You can now connect to the VPN 3002 using HTTP over SSL (HTTPS). On the Manager SSL screen certificate, click here to connect to the VPN 3002 Hardware Client using SSL.
  • Page 24 Figure 1-10 Internet Explorer Security Alert Dialog Box Click OK. The VPN 3002 Hardware Client displays the HTTPS version of the Manager login screen. Figure 1-11 VPN 3002 Hardware Client Manager Login Screen Using HTTPS (Internet Explorer) The browser maintains the HTTPS state until you close it or access an unsecured site; in the latter case you might see a Security Alert screen.
  • Page 25 Certificates in the Certificates section. On the Certificate Manager, click the Trusted Root Certification Authorities tab. The VPN 3002 Hardware Client SSL certificate name is its Ethernet 1 (private) IP address. Figure 1-13 Internet Explorer 4.0 Certificate Authorities List. Select a certificate, then click View Certificate.
  • Page 26 Installing the SSL Certificate in Your Browser Reinstallation You need to install the SSL certificate from a given VPN 3002 only once. If you try to reinstall it, Netscape displays the note in Step 7 in this section. Figure 1-14 Netscape Reinstallation Note...
  • Page 27 Figure 1-16 Netscape New Certificate Authority Screen 2. Click Next> to proceed. Netscape displays the next New Certificate Authority screen, which lets you examine details of the VPN 3002 Hardware Client SSL certificate.
  • Page 28 Figure 1-19 Netscape New Certificate Authority Screen 5 Checking the box is optional. Doing so means that you get a warning whenever you apply settings on a Manager screen, so it is probably less intrusive to manage the VPN 3002 without those warnings. Click Next> to proceed.
  • Page 29 This name appears in the list of installed certificates; see below. Click Finish. You can now connect to the VPN 3002 using HTTP over SSL (HTTPS). On the Manager SSL screen certificate, click here to connect to the VPN 3002 Hardware Client using SSL.
  • Page 30 Figure 1-22 VPN 3002 Hardware Client Manager Login Screen Using HTTPS (Netscape). The browser maintains the HTTPS state until you close it or access an unsecured site; in the latter case, you might see a Security Information Alert dialog box.
  • Page 31 Second, you can view all the certificates that are stored in Netscape. On the Security Info window, select Certificates, then Signers. The “nickname” you entered in Step 6 in the section, “First-time Installation,” identifies the VPN 3002 Hardware Client SSL certificate.
  • Page 32: Connecting To The Vpn 3002 Using Https

    Step 1 Bring up the browser. Step 2 In the browser Address or Location field, enter https:// plus the VPN 3002 private interface IP address; for example, https://10.10.147.2. The browser displays the VPN 3002 Hardware Client Manager HTTPS login screen.
  • Page 33: Logging Into The Vpn 3002 Hardware Client Manager

    Figure 1-26 VPN Hardware Client Manager HTTPS Login Screen. Logging into the VPN 3002 Hardware Client Manager is the same for both types of connections, cleartext HTTP or secure HTTPS. Entries are case-sensitive. With Microsoft Internet Explorer, you can select the Tab key to move from field to field;...
  • Page 34 Figure 1-27 Manager Main Welcome Screen. From here you can navigate the Manager using either the table of contents in the left frame, or the Manager toolbar in the top frame.
  • Page 35: Interactive Hardware Client And Individual User Authentication

    • You can also log in by directing the browser to the private interface of the VPN 3002 html interface. You do this by entering the IP address of the private interface in the browser Location or Address field.
  • Page 36 Logging In With Interactive Hardware Client and Individual User Authentication. Figure 1-28 VPN 3002 Hardware Client Manager Login Screen. Step 1 Click the Connection Login Status button. The Connection/Login Status screen displays. Figure 1-29 Connection Login Status Screen. Click the Connect Now button.
  • Page 37 Step 2 Click Connect. If you have entered the valid username and password, the Connect Login Status screen displays the message that the VPN 3002 is connected. Next you authenticate the user. Figure 1-31 Connection Login Status Screen Step 1 To authenticate an individual user, click Log In Now.
  • Page 38 The user behind the VPN 3002 is connected to the VPN Concentrator at the central site. Click Go back to the VPN 3002 administrative login page to return to the VPN 3002 Hardware Client Manager login screen and access other features and functions of the VPN 3002.
  • Page 39: Understanding The Vpn 3002 Hardware Client Manager Window

    The VPN 3002 Hardware Client Manager window on your browser consists of three frames—top, left, and main—and it provides helpful messages and tips as you move the mouse pointer over window items.
  • Page 40 The title bar at the top of the browser window includes the VPN 3002 device name or IP address in brackets, for example, [10.10.4.6]. The status bar at the bottom of the browser window displays Manager activity and explanatory messages for some items.
  • Page 41 Click the Restore icon to restore the screen contents to their status prior to when you last clicked on the Reset icon. Click the Cisco Systems logo to open a browser and go to the Cisco.com web site, www.cisco.com. On Manager screens, the left frame provides a table of contents. The table of contents uses the familiar Windows Explorer metaphor of collapsed and expanded entries.
  • Page 42 Click the open/expanded icon to close subordinate sections and titles. Clicking on this icon does not change the screen in the main frame. The main frame displays the current VPN 3002 Hardware Client Manager screen. Many screens include a bullet list of links and descriptions of subordinate sections and titles.
  • Page 43: Organization Of The Vpn 3002 Hardware Client Manager

    The VPN 3002 Hardware Client Manager consists of three major sections and many subsections: • Configuration: setting all the parameters for the VPN 3002 that govern its use and functionality as a VPN device: –...
  • Page 44: Navigating The Vpn 3002 Hardware Client Manager

    Your primary tool for navigating the VPN 3002 Hardware Client Manager is the table of contents in the left frame. Figure 1-35 shows all its entries, completely expanded.
  • Page 45: Configuration

    Configuring the VPN 3002 means setting all the parameters that govern its use and functionality as a VPN device. Cisco supplies default parameters that cover typical installations and uses; after you supply minimal parameters in Quick Configuration, the system is operational. But to tailor the system to your needs, and to provide an appropriate level of system security, you can configure the system in detail.
  • Page 47: Interfaces

    This section of the VPN 3002 Hardware Client Manager applies functions that are interface-specific, rather than system-wide. You configure two network interfaces for the VPN 3002 to operate as a VPN device: the private interface and the public interface. If you used Quick Configuration as described in the VPN 3002 Hardware Client Getting Started manual, the system supplied many default parameters for the interfaces.
  • Page 48 Interface The VPN 3002 interface installed in the system. To configure an interface, click the appropriate link. Ethernet 1 (Private), Ethernet 2 (Public) To configure Ethernet interface parameters, click the appropriate highlighted link in the table or click in a highlighted module on the back-panel image.
  • Page 49: Subnet Mask

    To configure a default gateway, click the appropriate highlighted link in the table or click in a highlighted module on the back-panel image. See Configuration | System | IP Routing | Default Gateways.
  • Page 50: Configuration | Interfaces | Private

    Configuration | Interfaces | Private Screen. Caution: If you modify any parameters of the private interface that you are currently using to connect to the VPN 3002, you will break the connection, and you will have to restart the Manager from the login screen. Disabled: To make the interface offline, click Disabled.
  • Page 51 • 10/100 auto = Let the VPN 3002 automatically detect and set the appropriate speed, either 10 or 100 Mbps (default). Be sure that the port on the active network device (hub, switch, router, etc.) to which you connect this interface is also set to automatically negotiate the speed. Otherwise, select the appropriate fixed speed.
  • Page 52: Configuration | Interfaces | Public

    PPPoE Client: Click this radio button if you want to connect using PPPoE. If you select PPPoE, you do not make entries in the static IP addressing parameters that follow.
  • Page 53 • 100 Mbps = Fix the speed at 100 megabits per second (100Base-T networks). • 10/100 auto = Let the VPN 3002 automatically detect and set the appropriate speed, either 10 or 100 Mbps (default). Be sure that the port on the active network device (hub, switch, router, etc.) to which you connect this interface is also set to automatically negotiate the speed.
  • Page 54 • Auto = Let the VPN 3002 automatically detect and set the appropriate transmission mode, either full or half duplex (default). Be sure that the port on the active network device (hub, switch, router, etc.) to which you connect this interface is also set to automatically negotiate the transmission mode.
  • Page 55: System Configuration

    System configuration means configuring parameters for system-wide functions in the VPN 3002. Configuration | System: This section of the Manager lets you configure parameters for: • Servers: identifying servers for DNS information for the VPN 3002. • Tunneling Protocols: configuring IPSec connections.
  • Page 57: Servers

    You can configure up to three DNS servers that the system queries in order. Note DNS information that you add here is for the VPN 3002 only. PCs located behind the VPN 3002 on the private network get DNS information that is configured on the central-site VPN Concentrator in the Group settings for the VPN 3002.
  • Page 58 To use DNS functions, check Enabled (the default). To disable DNS, clear the box. Domain Enter the name of the registered domain of the ISP for the VPN 3002; for example, Maximum 48 characters. This entry is sometimes called the domain name suffix or sub-domain. The DNS system within the VPN 3002 automatically appends this domain name to hostnames before sending them to a DNS server for resolution.
  • Page 59 To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Servers screen.
  • Page 61: Tunneling

    Tunneling is the heart of virtual private networking. Tunnels make it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network. The secure connection is called a tunnel, and the VPN 3002 uses the IPSec tunneling protocol to: • Negotiate tunnel parameters.
  • Page 62: Configuration | System | Tunneling Protocols

    Configuration | System | Tunneling Protocols | IPSec The VPN 3002 complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol.
  • Page 63: Backup Servers

    192.168.34.56. To enter a hostname, a DNS server must be configured. Backup Servers To configure IPSec backup servers on the VPN 3002, enter up to 10 backup servers, using either IP address or hostname. Enter each backup server on a separate line. To enter a hostname, a DNS server must be configured.
  • Page 64 Massachusetts. They just opened a regional sales office in Fargo, North Dakota. To provide access to the corporate network from Fargo, they use a VPN 3002 that connects to a VPN 3080 in San Jose (1). If the VPN 3002 is unable to contact the corporate network, Fargo cannot place orders. The IPSec backup server feature lets the VPN 3002 connect to one of several sites, in this case using Austin (2) and Boston (3) as backup servers, in that order.
  • Page 65 The VPN 3002 in Fargo first tries to reach San Jose. If the initial IKE packet for that connection (1) times out (8 seconds), it tries to connect to Austin (2). Should this negotiation also time out, it tries to connect to Boston (3).
  • Page 66 VPN 3002 and on the VPN Concentrator to which it connects. Name In the Group Name field, enter a unique name for the group to which this VPN 3002 belongs. This is the group name configured on the central-site VPN Concentrator to which this VPN 3002 connects.
  • Page 67 In the Group Password field, enter a unique password for this group. This is the group password configured on the VPN Concentrator to which this VPN 3002 connects. Minimum is 4, maximum is 32 characters, case-sensitive. The field displays only asterisks.
  • Page 69: Ip Routing

    The VPN 3002 includes an IP routing subsystem with static routing, default gateways, and DHCP. To route packets, the subsystem uses static routes and the default gateway. If you do not configure the default gateway, the subsystem drops packets that it cannot otherwise route.
  • Page 70: Configuration | System | Ip Routing | Static Routes

    The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
  • Page 71: Configuration | System | Ip Routing | Static Routes | Add Or Modify

    For example, if a route uses a low-speed line, you might assign a high metric so the system will use it only if all high-speed routes are unavailable.
  • Page 72: Configuration | System | Ip Routing | Default Gateways

    Enter the IP address of the specific router or gateway to which to route these packets; that is, the IP address of the next hop between the VPN 3002 and the packet’s ultimate destination. Use dotted decimal notation; for example, 10.10.0.2. We recommend that you select this option.
  • Page 73 To delete a configured default gateway, enter 0.0.0.0. The default gateway must be reachable from a VPN 3002 interface, and it is usually on the public network. The Manager displays a warning screen if you enter an IP address that is not on one of its interface networks, and it displays a dialog box if you enter an IP address that is not on the public network.
  • Page 74: Configuration | System | Ip Routing | Dhcp

    Before the lease period expires, the VPN 3002 displays a message offering to renew it. If the lease is not renewed, the connection terminates when the lease expires, and the IP address becomes available for reuse. Using DHCP simplifies configuration since you do not need to know what IP addresses are considered valid on a particular network.
  • Page 75: Configuration | System | Ip Routing | Dhcp Options

    Configuration | System | IP Routing | DHCP Options Screen. DHCP Option: DHCP Options are facilities that allow the VPN 3002 DHCP server to respond to configurable parameters for specific kinds of devices such as PCs, IP telephones, print servers, etc., as well as an IP address.
  • Page 76: Configuration | System | Ip Routing | Dhcp Options | Add Or Modify

    Configuration | System | IP Routing | DHCP Options | Add or Modify These screens let you: Add a new DHCP option to the list of DHCP options this VPN 3002 uses. Modify a configured DHCP option. Figure 7-7 Configuration | System | IP Routing | DHCP Options | Add Screen DHCP Option Use the pull-down menu to the DHCP Options field to select the option you want to add or modify.
  • Page 77 • NetBios Name Server/WINS (option 44). You configure these values on the central-site VPN Concentrator for the group to which the VPN 3002 Hardware Client belongs. As is the case for all group configuration parameters, the central-site VPN Concentrator pushes these values to the VPN 3002 over the tunnel.
  • Page 79: Management Protocols

    Configuration | System | Management Protocols This section of the Manager lets you configure and enable built-in VPN 3002 servers that provide management functions using: HTTP/HTTPS: Hypertext Transfer Protocol, and HTTP over SSL (Secure Sockets Layer) protocol.
  • Page 80: Configuration | System | Management Protocols | Http/Https

    If you disable both HTTP and HTTPS, you cannot use a Web browser to connect to the VPN 3002. Use the Cisco command-line interface from the console or a Telnet session.
  • Page 81 To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.
  • Page 82: Configuration | System | Management Protocols | Telnet

    SSL (Secure Sockets Layer protocol). When the server is enabled, you can use a Telnet client to communicate with the VPN 3002. You can fully manage and administer the VPN 3002 using the Cisco Command Line Interface (CLI) via Telnet.
  • Page 83: Telnet Port

    To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen. Figure 8-5 Configuration | System | Management Protocols Screen. ... which is the well-known port...
  • Page 84: Configuration | System | Management Protocols | Snmp

    Configuration | System | Management Protocols | SNMP This screen lets you configure and enable the SNMP (Simple Network Management Protocol) agent. When enabled, you can use an SNMP manager to collect information from the VPN 3002 but not to configure it.
  • Page 85: Configuration | System | Management Protocols | Snmp Communities

    SNMP manager and the agent. To use the VPN 3002 SNMP agent, you must configure and add at least one community string. You can configure a maximum of 10 community strings. To protect security, the SNMP agent does not include the usual default public community string, and we recommend that you not configure it.
  • Page 86: Community Strings

    Configuration | System | Management Protocols | SNMP Communities | Add or Modify. These Manager screens let you: • Add: Configure and add a new SNMP community string. • Modify: Modify a configured SNMP community string.
  • Page 87 To discard your entry or changes, click Cancel. The Manager returns to the Configuration | System | Management Protocols | SNMP Communities screen, and the Community Strings list is unchanged. Figure 8-11 Configuration | System | Management Protocols Screen.
  • Page 88: Configuration | System | Management Protocols | Ssl

    SSL uses digital certificates for authentication. The VPN 3002 creates a self-signed SSL server certificate when it boots; or you can install in the VPN 3002 an SSL certificate that has been issued in a PKI context. This certificate must then be installed in the client (for HTTPS; Telnet does not usually require it).
  • Page 89 Figure 8-12 Configuration | System | Management Protocols | SSL Screen Encryption Algorithms Check the boxes for the encryption algorithms that the VPN 3002 SSL server can negotiate with a client and use for session encryption. All are checked by default. You must check at least one algorithm to enable SSL.
  • Page 90 2 “Hello.” At present, only Microsoft Internet Explorer 5.0 supports this option. Generated Certificate Key Size Click the drop-down menu button and select the size of the RSA key that the VPN 3002 uses in its self-signed (generated) SSL server certificate. A larger key size increases security, but it also increases the processing necessary in all transactions over SSL.
  • Page 91: Configuration | System | Management Protocols | Ssh

    At the start of an SSH session, the VPN 3002 sends both a host key and a server key to the client, which responds with a session key that it generates and encrypts using the host and server keys. The RSA key of the SSL certificate is used as the host key, which uniquely identifies the VPN 3002.
  • Page 92 Enter the server key regeneration period in minutes. If the server key has been used for an SSH session, the VPN 3002 regenerates the key at the end of this period. Minimum is 0 (which disables key regeneration), default is 60 minutes, and maximum is 10080 minutes (1 week).
  • Page 93 To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen. Figure 8-15 Configuration | System | Management Protocols Screen.
  • Page 94: Configuration | System | Management Protocols | Xml

    XML option, click the check box. On this screen, you can also configure the VPN 3002 to enable HTTPS or SSH (or both) on the public interface and to lock the XML interface to a specific HTTPS or SSH IP address.
  • Page 95 HTTPS IP Address: Enter the IP address from which to allow HTTPS access on the VPN 3002 public interface. HTTPS Wildcard-mask: Enter the wildcard mask for the HTTPS IP address. Note: Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has 1s in bit positions to ignore, and 0s in bit positions to match.
  • Page 97: Events

    An event is any significant occurrence within or affecting the VPN 3002 such as an alarm, trap, error condition, network problem, task completion, threshold breach, or status change. The VPN 3002 records events in an event log, which is stored in nonvolatile memory. You can also specify that certain events trigger a console message, a UNIX syslog record, or an SNMP management system trap.
  • Page 98 Event class table (fragment). Column headings: Class, Description (Event Source); an asterisk marks a Cisco-specific Event Class. Class names visible in the fragment: REBOOT, SNMP, SYSTEM, TELNET, TELNETDBG, TELNETDECODE, TIME. Descriptions visible in the fragment: Event MIB changes*; Finite State Machine subsystem (for debugging)*; FTP daemon subsystem; NTP subsystem and other general events; Hardware monitoring (fans, temperature, voltages, etc.).
  • Page 99: Event Severity Level

    The VPN 3002, by default, displays all events of severity level 1 through 3 on the console. It writes all events of severity level 1 through 5 to the event log. You can change these defaults on the Configuration | System | Events | General screen, and you can configure specific events for special handling on the Configuration | System | Events | Classes screens.
  • Page 100: Event Log

    For the event log, you can configure which event classes and severity levels to log. Note The VPN 3002 automatically saves the log file if it crashes, and when it is rebooted. This log file is named SAVELOG.TXT, and it overwrites any existing file with that name. The SAVELOG.TXT file is useful for debugging.
  • Page 101: Configuration | System | Events

    Chapter 9 Events Configuration | System | Events This section of the Manager lets you configure how the VPN 3002 handles events. Events provide information for system monitoring, auditing, management, accounting, and troubleshooting. Figure 9-1 Configuration | System | Events Screen Configuration | System | Events | General This Manager screen lets you configure the general, or default, handling of all events.
  • Page 102 Click the Syslog Format drop-down menu button and choose the format for all events sent to UNIX syslog servers. Choices are: Original = Original VPN 3002 event format, with the information on one line. Each entry in the event log consists of the following fields: Sequence Date Time SEV=Severity Class/Number RPT=RepeatCount String. Sequence: the sequence number of the event.
  • Page 103 Cisco IOS severities and how they map to Original severities (table fragment). Column headings: Cisco IOS severity number, Meaning, Original Severity. Meaning entries: Emergencies, Alerts, Critical, Errors, Warning, Notification, Informational, Debugging. Original Severity entries visible in the fragment: Not used, Not used, 5, 6, 7-13. Cisco IOS severities number from ... (Configuration | System | Events | General, page 9-3.)
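A parser and triage pass for the Original one-line entry format listed on page 102, run over a few constructed sample lines. This is an added example, not code from the manual or from Cisco: the field layout and the HTTP/47 administrator-login and severity 3 CERT expiry events come from the page; the other event numbers and the sample text are invented, and reading RPT as a repeat multiplier is an assumption.

```python
"""Triage of VPN 3002 event-log / syslog entries in the 'Original' format.

Added example (not from the manual or Cisco).  Field layout from the page:
    Sequence Date Time SEV=Severity Class/Number RPT=RepeatCount String
The sample entries below are constructed; only HTTP/47 is a number the page gives.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One entry per line.  Date and Time are captured as whole whitespace-delimited
# tokens so the parser does not depend on their internal layout.
ENTRY_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"SEV=(?P<sev>\d{1,2})\s+(?P<cls>[A-Z0-9]+)/(?P<num>\d+)\s+"
    r"RPT=(?P<rpt>\d+)\s*(?P<text>.*)$"
)

MIN_SEVERITY, MAX_SEVERITY = 1, 13   # 1 is the most serious, 13 the least
CONSOLE_SEVERITY = 3                 # default: severities 1-3 also go to the console
ADMIN_LOGIN = ("HTTP", 47)           # HTTP/47: administrator logged in to the Manager


@dataclass(frozen=True)
class Event:
    seq: int
    date: str
    time: str
    severity: int
    event_class: str
    number: int
    repeat: int
    text: str


def parse_entry(line):
    """Return an Event for one Original-format line, or None if it does not parse."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    sev = int(m["sev"])
    if not MIN_SEVERITY <= sev <= MAX_SEVERITY:
        return None                  # out-of-range severity: reject rather than guess
    return Event(int(m["seq"]), m["date"], m["time"], sev, m["cls"],
                 int(m["num"]), int(m["rpt"]), m["text"])


def parse_log(text):
    """Split a log into parsed events and the raw lines that were rejected."""
    events, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_entry(line)
        if ev is None:
            rejected.append(line)
        else:
            events.append(ev)
    return events, rejected


def triage(events):
    """Pick out what a defender reviews first and weight class totals by RPT.

    RPT=RepeatCount is taken here (an assumption, not stated on the page) as the
    number of times the event repeated before one entry was written, so an entry
    with RPT=12 counts as twelve occurrences in 'weighted_by_class'.
    """
    console_level = [e for e in events if e.severity <= CONSOLE_SEVERITY]
    admin_logins = [e for e in events if (e.event_class, e.number) == ADMIN_LOGIN]
    cert_events = [e for e in events if e.event_class == "CERT"]
    weighted = Counter()
    for e in events:
        weighted[e.event_class] += e.repeat
    return {
        "console_level": console_level,
        "admin_logins": admin_logins,
        "cert_events": cert_events,
        "weighted_by_class": weighted,
    }


# Constructed sample log: HTTP/47 is the page's example; the other numbers are invented.
SAMPLE_LOG = """\
1 01/15/2002 10:02:33.450 SEV=4 HTTP/47 RPT=1 10.10.1.5 New administrator login: admin
2 01/15/2002 10:02:41.120 SEV=3 CERT/9 RPT=1 Certificate TestCA6-8 expires within one month
3 01/15/2002 10:03:05.003 SEV=5 SNMP/5 RPT=12 10.10.1.9 Trap sent to destination
4 01/15/2002 10:03:09.770 SEV=2 SYSTEM/3 RPT=1 Constructed critical system event
this line is not an event entry and must be rejected
5 01/15/2002 10:04:00.000 SEV=14 TIME/1 RPT=1 severity outside the 1-13 range
"""

if __name__ == "__main__":
    events, rejected = parse_log(SAMPLE_LOG)
    report = triage(events)
    print(f"{len(events)} events parsed, {len(rejected)} lines rejected")
    for e in report["console_level"]:
        print(f"console-level seq={e.seq} SEV={e.severity} {e.event_class}/{e.number}: {e.text}")
    for e in report["admin_logins"]:
        print(f"admin login   seq={e.seq}: {e.text}")
    print("weighted by class:", dict(report["weighted_by_class"]))
```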
  • Page 104: Configuration | System | Events | Classes

    Configuration | System | Events | Trap Destinations screens. The VPN 3002 can send the standard, or “well-known,” SNMP traps listed in the table. For an SNMP NMS to receive them, you must configure the events as in the table, and configure a trap destination.
  • Page 105 The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
  • Page 106: Configuration | System | Events | Classes | Add Or Modify

    The choices are: None, 1, 1-2, 1-3, ..., 1-13. The default is 1-5; if you choose this range, events of severity level 1 through severity level 5 are entered in the event log.
  • Page 107 To discard your settings, click Cancel. The Manager returns to the Configuration | System | Events | Classes screen. Table 9-4 under Severity to Trap for Configuration | ...
  • Page 108: Configuration | System | Events | Trap Destinations

    System | Events | General. To have an SNMP-based network management system (NMS) receive any events, you must also configure the NMS to “see” the VPN 3002 as a managed device or “agent” in the NMS domain. Figure 9-5 Configuration | System | Events | Trap Destinations Screen...
  • Page 109: Configuration | System | Events | Trap Destinations | Add Or Modify

    Choices are SNMPv1 (version 1; the default) and SNMPv2 (version 2). Community Enter the community string to use in identifying traps from the VPN 3002 to this destination. The community string is like a password: it validates messages between the VPN 3002 and this NMS destination.
  • Page 110: Configuration | System | Events | Syslog Servers

    This section of the Manager lets you configure UNIX syslog servers as recipients of event messages. Syslog is a UNIX daemon, or background process, that records events. The VPN 3002 can send event messages in two syslog formats to configured syslog systems. If you configure any event handling, default or special, with values in Severity to Syslog fields, you must configure syslog servers in this section.
  • Page 111: Syslog Servers

    The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
  • Page 112: Configuration | System | Events | Syslog Servers | Add Or Modify

    Reserved (9) through Reserved (14) = Outside the Local range, with no name or assignment yet, but usable. CRON = Clock daemon. Local 0 through Local 7 (default) = User defined.
  • Page 113 To discard your entries, click Cancel. The Manager returns to the Configuration | System | Events | Syslog Servers screen, and the Syslog Servers list is unchanged.
  • Page 115: General

    General configuration parameters include VPN 3002 environment items: system identification, time, and date. Configuration | System | General: This section of the Manager lets you configure general VPN 3002 parameters. Identification: system name, contact person, system location. Time and Date: system time and date.
  • Page 116: Configuration | System | General | Identification

    Enter a system name that uniquely identifies this VPN 3002 on your network; for example, VPN01. Maximum 255 characters. Contact Enter the name of the contact person who is responsible for this VPN 3002. Maximum 255 characters. Location Enter the location of this VPN 3002. Maximum 255 characters.
  • Page 117: Configuration | System | General | Time And Date

    Configuration | System | General | Time and Date: This screen lets you set the time and date on the VPN 3002. Setting the correct time is very important so that logging information is accurate. Figure 10-3 Configuration | System | General | Time and Date Screen. Current Time: The screen shows the current date and time on the VPN 3002 at the time the screen displays.
  • Page 118 To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | General screen.
  • Page 119: Policy Management

    You assign the VPN 3002 to a client group on the central-site VPN Concentrator. If you enable split tunneling for that group, IPSec and PAT are applied to all traffic that travels through the VPN 3002 to networks within the network list for that group behind the central-site VPN Concentrator.
  • Page 120: Network Extension Mode

    VPN Concentrator have direct access to devices on the VPN 3002 private network over the tunnel, and only over the tunnel, and vice versa. The VPN 3002 must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.
  • Page 121 Chapter 8, “IP Routing” in the VPN 3000 Series Concentrator Reference Volume I. If you want the VPN 3002 to be able to reach devices on other networks that connect to this VPN Concentrator, review your Network Lists. See Chapter 15, “Policy Management” in the VPN 3000 Series Concentrator Reference Volume I.
  • Page 122 The VPN 3002 always initiates the tunnel to the central-site VPN Concentrator. The central-site VPN Concentrator cannot initiate a tunnel to a VPN 3002. The VPN 3002 creates only one IPSec tunnel to the central-site VPN Concentrator, in either PAT or Network Extension mode. The tunnel can support multiple encrypted data streams between users behind the VPN 3002 and the central site.
  • Page 123: Configuration | Policy Management

    Table 11-1 Data Initiation: VPN 3002 and Central-Site VPN Concentrator (table fragment; columns include Mode, with Network Extension rows). Configuration | Policy Management: The Configuration | Policy Management screen introduces this section of the Manager. Figure 11-1 Configuration | Policy Management Screen. Traffic Management: To enable or disable PAT, click Traffic Management.
  • Page 124: Configuration | Policy Management | Traffic Management | Pat

    This screen lets you enable or disable PAT, which applies PAT to all configured traffic flowing from the private interface to the public interface. Figure 11-4 Configuration | Policy Management | Traffic Management | PAT | Enable Screen.
  • Page 125 To discard your entry and leave the active configuration unchanged, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | PAT screen.
  • Page 127: Administration

    Administration: This section of the Manager lets you control administrative functions on the VPN 3002. Software Update: upload and update the VPN 3002 software image. ...
  • Page 128: Administration | Software Update

    It takes a few minutes to upload and verify the software, and the system displays the progress. Please wait for the operation to finish. To run the new software image, you must reboot the VPN 3002. The system prompts you to reboot when the update is finished.
  • Page 129 The Major and Minor Version numbers are always present; the Sustaining and Patch Version numbers are present only if needed. Be sure you select the correct file for your VPN 3002; otherwise the update will fail. Upload/Cancel: To upload the new image file to the VPN 3002, click Upload.
  • Page 130 This screen appears if there was an error in uploading or verifying the image file. You might have selected the wrong file. Click the highlighted link to return to the Administration | Software Update screen and try the update again, or contact Cisco support.
  • Page 131: Administration | System Reboot

    The browser might appear to hang during a reboot; that is, you cannot log in and you must wait for the reboot to finish. You can log back in while the VPN 3002 is in a shutdown state, before you turn power off.
  • Page 132 ... 60-75 seconds. (This is the default selection.) Shutdown without automatic reboot = Shut down the VPN 3002; that is, bring the system to a halt so you can turn off the power. Shutdown terminates all sessions and prevents new user sessions (but not administrator sessions).
  • Page 133: Administration | Ping

    This screen lets you use the ICMP Specifically, the VPN 3002 sends an ICMP Echo Request message to a designated host. If the host is reachable, it returns an Echo Reply message, and the Manager displays a Success screen. If the host is not reachable, the Manager displays an You can also Ping hosts from the Administration | Sessions screen.
  • Page 134 To return to the Administration | Ping screen, click Retry the operation. To go to the main Manager screen, click Go to main menu. ... message, click Ping. The Manager pauses during the test, which might take a few...
  • Page 135: Administration | Access Rights

    Administration | Access Rights: This section of the Manager lets you configure and control administrative access to the VPN 3002. • Administrators: configure administrator usernames, passwords, and rights. • Access Settings: set administrative session timeout and limits.
  • Page 136 Check the box to enable, or clear the box to disable, an administrator. Only enabled administrators can log in to, and use, the VPN 3002 Hardware Client Manager. You must enable at least one administrator, and you can enable all administrators. By default, only admin is enabled.
  • Page 137: Administration | Access Rights | Access Settings

    To save your settings in the active configuration, click Apply. The Manager returns to the Administration | Access Rights screen. To cancel your settings, click Cancel. The Manager returns to the Administration | Access Rights screen.
  • Page 138: Administration | File Management

    Administration | File Management: This section of the Manager lets you manage files in VPN 3002 Flash memory. (Flash memory acts like a disk.) These files include CONFIG, CONFIG.BAK, saved log files, and copies of any of these files that you have saved under different names.
  • Page 139: Administration | File Management | Swap Config Files

    To leave the files unchanged, click Cancel. The Manager returns to the Administration | File Management | View screen. ... the CONFIG file, which is the boot configuration file; ... the CONFIG file as CONFIG.BAK, the backup configuration file.
  • Page 140: Administration | File Management | Config File Upload

    Upload/Cancel To upload the file to the VPN 3002, click Upload. The Manager opens the File Upload Progress window. To cancel your entries on this screen, or to stop a file upload that is in progress, click Cancel. The Manager returns to the Administration | File Management | View screen.
  • Page 141 ... Flash memory. Click the link, Click here to return to File Upload, to return to the Administration | File Management | File Upload screen.
  • Page 142: Certificate Management

    Enrolling and Installing Digital Certificates To obtain a digital certificate for the VPN 3002 you must first enroll with a CA. To enroll with a CA, create an enrollment request and submit it to your CA. The CA enrolls the VPN 3002 into the PKI and issues you a certificate.
  • Page 143 Digital certificates indicate the time frame during which they are valid. Therefore, it is essential that the time on the VPN 3002 is correct and synchronized with network time. See Configuration | System | Servers | NTP and Configuration | System | General | Time and Date.
  • Page 144 The Click here to install a CA certificate option is only available from this window when no CA certificates are installed on the VPN 3002. If you do not see this option, click Click here to install a certificate. The Manager displays the Administration | Certificate Management | Install screen.
  • Page 145 Note: The Click here to install a CA certificate option is available from this window only when no CA certificates are installed on the VPN 3002. If you do not see this option, click Click here to install a certificate. The Manager displays the Administration | Certificate Management | Install screen.
  • Page 146 If you are requesting an SSL certificate, enter the IP address or domain name you use to connect to this VPN 3002, for example: 10.10.147.2. The name of the department or other organizational unit to which this VPN 3002 belongs, for example: CPU Design.
  • Page 147 DSA 512 bits = Generate 512-bit keys using DSA (Digital Signature Algorithm). DSA 768 bits = Generate 768-bit keys using the DSA algorithm. DSA 1024 bits = Generate 1024-bit keys using the DSA algorithm.
  • Page 148 Figure 12-24 Administration | Certificate Management | Enroll | Identity Certificate Screen Notice that a link appears corresponding to each SCEP-enabled CA certificate on the VPN 3002. The title of the link depends on the name of the CA certificate: Enroll via SCEP at Certificate Name. For example, if you have a CA certificate on your VPN 3002 named “TestCA6-8,”...
  • Page 149 Enrollment Status table on the Administration | Certificate Management screen until the CA responds. Once the CA responds and issues the certificate, the VPN 3002 checks to see if it already has an active certificate. If there is no active certificate, the VPN 3002 installs the new certificate automatically.
  • Page 150 ... CA and download it to your PC. Again using the Manager, install the identity certificate on the VPN 3002. Follow these steps to generate a certificate enrollment request (PKCS-10): Step 1: Using the Manager, display the Administration | Certificate Management screen. (See ...) Click Click here to enroll with a Certificate Authority.
  • Page 151 ... Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. (See Figure 12-28.) Figure 12-28 Administration | Certificate Management | Enrollment | Request Generated Screen. Step 6: Copy the enrollment request to the clipboard. (... Table 12-1.) The ...
  • Page 152 ... Certificate Obtained via Enrollment Screen. Step 11: Find your enrollment request in the Enrollment Status table. Click Install. The Manager displays the Administration | Certificate Management | Install | Identity Certificate screen. (See Figure 12-29.)
  • Page 153 The Manager displays a screen appropriate to your choice. Step 13: Include the certificate information according to your chosen method. Click Install. The Manager installs the identity certificate on the VPN 3002 and displays the Administration | Certificate Management screen. Your new identity certificate appears in the Identity Certificates table.
  • Page 154 Obtaining SSL Certificates If you use a secure connection between your browser and the VPN 3002, the VPN 3002 requires an SSL certificate. You only need one SSL certificate on your VPN 3002. When you initially boot the VPN 3002, a self-signed SSL certificate is automatically generated. Because a self-signed certificate is self-generated, this certificate is not verifiable.
  • Page 155 Enabling Digital Certificates on the VPN 3002. Note: Before you enable digital certificates on the VPN 3002, you must obtain at least one CA and one identity certificate. If you do not have a CA and an identity certificate installed on your VPN 3002, follow the steps in the previous section before beginning this section.
  • Page 156 Step 2: ... Delete screen appears. Figure 12-33 Administration | Certificate Management | Delete Screen. Step 3: ... Step 4: Click Yes. The Manager returns to the Administration | Certificate Management window. (... Figure 12-19.)
  • Page 157: Administration | Certificate Management

    To install the certificate obtained via enrollment, click on Click Here to Install a Certificate. The VPN 3002 notifies you (by issuing a severity 3 CERT class event) if any of the installed certificates are within one month of expiration.
  • Page 158 Certificate Authorities Table: This table shows root and subordinate CA certificates installed on the VPN 3002. Fields: These fields appear in the Certificate Authorities table: Subject/Issuer, Expiration, SCEP Issuer, Actions. Identity Certificates Table: This table shows installed server identity certificates. For a description of the fields in this table, see the “Certificate Authorities Table”...
  • Page 159 SSL Certificate Table [ Generate ]: This table shows the SSL server certificate installed on the VPN 3002. The system can have only one SSL server certificate installed: either a self-signed certificate or one issued in a PKI context.
  • Page 160 Configure = Enable CRL (Certificate Revocation List) checking for this CA certificate, modify SCEP parameters, or enable acceptance of subordinate CA certificates. Delete = Delete this certificate from the VPN 3002. Show RAs = SCEP-enabled CA certificates sometimes have supporting...
  • Page 161 The VPN 3002 supports one (installed) identity certificate and one (outstanding) enrollment request. If you currently have an identity certificate on your VPN 3002 and you want to change it, you can request a second certificate, but the VPN 3002 does not install this certificate immediately. The new certificate appears in the Enrollment Status table;...
  • Page 162 Polling = The CA did not immediately fulfill the enrollment request; the VPN 3002 has entered polling mode. This value is used only for enrollment requests created using SCEP. Timedout = The SCEP polling cycle has ended after reaching the configured maximum number of retries.
  • Page 163: Administration | Certificate Management | Enroll

    SSL Certificate: Click SSL Certificate to create a certificate request for an SSL certificate. The Manager displays the Administration | Certificate Management | Enroll | SSL Certificate screen.
  • Page 164: Administration | Certificate Management | Enroll | Certificate Type

    You can enroll certificates using SCEP only if you installed the CA certificate using SCEP. One Enroll via SCEP at [Name of SCEP CA] link appears on this screen for each CA certificate on the VPN 3002 that was installed using SCEP. To see which CA certificates on your VPN 3002 were installed using SCEP, see the Certificate Authorities table on the Administration | Certificate Management screen.
  • Page 165: Administration | Certificate Management | Enroll | Certificate Type | Pkcs10

    To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen. (Table 12-1 on page 12-20; Figure 12-38.) ... with the text of ...
  • Page 166: Administration | Certificate Management | Enrollment Or Renewal | Request Generated

    In generating the request, the system also generates the private key used in the PKI process. That key remains on the VPN 3002, and it is not visible. Note: You must complete the enrollment and certificate installation process within one week of generating the request.
  • Page 167: Administration | Certificate Management | Enroll | Identity Certificate | Scep

    Figure 12-39 Administration | Certificate Management | Enroll | Identity Certificate | SCEP Screen. Fields: For an explanation of each of the fields on this screen, see Table 12-1 on page 12-20.
  • Page 168: Administration | Certificate Management | Enroll | Ssl Certificate | Scep

    Enroll / Cancel: To generate the certificate request and install the identity certificate on the VPN 3002, click Enroll. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen.
  • Page 169 For an explanation of each of the fields on this screen, see Enroll To generate the certificate request and install the SSL certificate on the VPN 3002, click Enroll. The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen.
  • Page 170: Administration | Certificate Management | Install

    If you want to install a certificate manually that you have obtained by enrolling a certificate request with a CA, click Install Certificate Obtained via Enrollment. The Manager displays the Administration | Certificate Management | Install Certificate Obtained via Enrollment screen.
  • Page 171: Administration | Certificate Management | Install | Certificate Obtained Via Enrollment

    ... CA, click << Go back and choose a different type of certificate. The Manager returns to the Administration | Certificate Management | Install screen. (“Enrollment Status Table” section on page 12-35.)
  • Page 172: Administration | Certificate Management | Install | Certificate Type

    << Go back and choose a different type of certificate: If you do not want to install a CA certificate, click << Go back and choose a different type of certificate to display the Administration | Certificate Management | Install screen. (See Figure 12-44.)
  • Page 173: Administration | Certificate Management | Install | Ca Certificate | Scep

    Otherwise enter a descriptor of your own. You must enter something in this field. Retrieve / Cancel To retrieve a CA certificate from the CA and install it on the VPN 3002, click Retrieve. To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen.
  • Page 174: Administration | Certificate Management | Install | Certificate Type | Cut And Paste Text

    Enter a password for decrypting the private key. Install / Cancel To install the certificate on the VPN 3002, click Install. To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen. (See...
  • Page 175: Administration | Certificate Management | Install | Certificate Type | Upload File From Workstation

    Enter a password for decrypting the private key. Install / Cancel To install the certificate on the VPN 3002, click Install. To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration | Certificate Management screen. (See...
  • Page 176: Administration | Certificate Management | View

    ... Union) X.509 standards, specifically RFC 2459. The Subject and Issuer fields conform to ITU X.520. This screen is read-only; you cannot change any information here. Figure 12-47 Administration | Certificate Management | View Screen.
  • Page 177 Common Name: the name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy. For the VPN 3002 self-signed SSL certificate, the CN is the IP address on the Ethernet 1 (Private) interface at the time the certificate is generated. SSL compares this CN with the address you use to connect to the VPN 3002 via HTTPS, as part of its validation.
  • Page 178 The Manager checks the validity against the VPN 3002 system clock, and it flags expired certificates in event log entries. The fully qualified domain name for this VPN 3002 that identifies it in this PKI. The alternative name is an optional additional data field in the certificate, and it provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections.
  • Page 179: Administration | Certificate Management | Configure Ca Certificate

    If the CA does not issue the certificate immediately (some CAs require manual verification of credentials and this can take time), the certificate request could enter polling mode. In polling mode, the VPN 3002 re-sends the certificate request to the CA over a specified period until the CA responds or the process times out.
  • Page 180: Administration | Certificate Management | Renewal

    Polling Limit: Enter the number of times the VPN 3002 should re-send an enrollment request if the CA does not issue the certificate immediately. The minimum number of re-sends is 0; the maximum number is 100. If you do not want any polling limit (in other words you want infinite re-sends), enter none.
  • Page 181 Re-type the challenge password you just entered. Renew / Cancel: To renew the certificate, click Renew. To discard your settings, click Cancel. The Manager returns to the Administration | Certificate Management screen.
  • Page 182: Administration | Certificate Management | Activate Or Re-Submit | Status

    Go to Certificate Installation: If you want to install the certificate you have just enrolled, click Go to Certificate Installation. The Manager displays the Administration | Certificate Management | Install screen. (See ...
  • Page 183: Administration | Certificate Management | Delete

    Figure 12-50 Administration | Certificate Management | Delete Screen. Fields: For a description of the fields in this certificate, see the “Certificate Fields” section on page 12-51.
  • Page 184: Administration | Certificate Management | View Enrollment Request

    Administration | Certificate Management | View Enrollment Request: This screen allows you to view the details of an enrollment request. Figure 12-51 Administration | Certificate Management | View Enrollment Request Screen.
  • Page 185 Common Name: the name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy. For the VPN 3002 self-signed SSL certificate, the CN is the IP address on the Ethernet 1 (Private) interface at the time the certificate is generated. SSL compares this CN with the address you use to connect to the VPN 3002 via HTTPS, as part of its validation.
  • Page 186: Administration | Certificate Management | Cancel Enrollment Request

    You can cancel only a SCEP enrollment request, and you can do so only when the request is in polling mode. Once a request is cancelled, you can then remove it, re-submit it, or view its details. Figure 12-52 Administration | Certificate Management | Cancel Enrollment Request Screen. Content: The type of enrollment: initial, re-enroll, or re-key.
  • Page 187: Administration | Certificate Management | Delete Enrollment Request

    ... Enrollment Request table (on the Administration | Certificate Management page) and destroys all record of it. Figure 12-53 Administration | Certificate Management | Delete Enrollment Request Screen. (“Enrollment Request Fields” section on ...)
  • Page 188 The Manager returns to the Administration | Certificate Management screen and shows the remaining enrollment requests. To retain this enrollment request, click No. The Manager returns to the Administration | Certificate Management screen, and the enrollment requests are unchanged. (“Enrollment Request Fields”...)
  • Page 189: Monitoring

    Monitoring The VPN 3002 tracks many statistics and the status of many items essential to system administration and management. This section of the Manager lets you view all those status items and statistics. You can even see the state of LEDs that show the status of hardware subsystems in the device. You can also see statistics that are stored and available in standard MIB-II data objects.
  • Page 190: Monitoring | Routing Table

    This screen shows the VPN 3002 routing table at the time the screen displays. Figure 13-2 Monitoring | Routing Table Screen. Buttons: Refresh, Clear Routes. Table: Valid Routes; columns Address, Mask, Next Hop, Interface, Protocol...
  • Page 191: Monitoring | Filterable Event Log

    The VPN 3002 records events in nonvolatile memory, thus the event log persists even if the system is powered off. It holds 256 events, and it wraps when it is full (that is, entry 257 overwrites entry 1, etc.).
  • Page 192 First Page, Previous Page, Next Page, Last Page. To display all the events in a single event class, click the drop-down menu button and select the event class. To select a contiguous range of event classes, select the first class in the range, hold down the keyboard Shift key, and select the last class in the range.
  • Page 193 Event Date. To download the event log from VPN 3002 memory to your PC and view it or save it as a text file, click Get Log. The Manager opens a new browser window to display the file. The browser address bar shows the VPN 3002 address and log file default filename;...
  • Page 194: Monitoring | Live Event Log

    The class—or source—of the event, and the internal reference number associated with the specific event within the event class. For example: HTTP/47 indicates that an administrator logged in to the VPN 3002 using HTTP to connect to the Manager. Table 9-2 Events describes the event classes.
  • Page 195 The timer counts 5 – 4 – 3 – 2 – 1 to show where it is in the 5-second refresh cycle. A momentary Rx indicates receipt of new events. A steady 0 indicates the display has been paused.
  • Page 196: Monitoring | System Status

    This screen shows the status of several software and hardware variables at the time the screen displays. From this screen you can also display the status of the IPSec tunnel SAs, tunnel duration, plus front and rear panel displays of the VPN 3002. Figure 13-5 Monitoring | System Status Screen. Reset: To reset, or start anew, the screen contents, click Reset.
  • Page 197 The type, or model number, of this VPN 3002 hardware client. Bootcode Rev: The version name, number, and date of the VPN 3002 bootcode software file. When you boot or reset the system, the bootcode software runs system diagnostics, and it loads and executes the system software image.
  • Page 198: Security Associations

    Tunnel Established to: The IP address of the VPN Concentrator to which this VPN 3002 connects. Duration: The length of time that this tunnel has been up. Security Associations: This table describes the following attributes of the SAs for this VPN 3002.
  • Page 199: Monitoring | System Status | Private/Public Interface

    The front panel image is an inactive link. Back Panel: The back panel image includes active links for the VPN 3002 private and public interfaces. Use the mouse pointer to select either the private or public module on the back-panel image and click anywhere in the highlighted area.
  • Page 200 To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Back: To return to the Monitoring | System Status screen, click Back. Interface: The VPN 3002 Ethernet interface number: Private interface or Public interface...
  • Page 201 Rx Unicast: The number of unicast packets that were received by this interface since the VPN 3002 was last booted or reset. Unicast packets are those addressed to a single host. Tx Unicast: The number of unicast packets that were routed to this interface for transmission since the VPN 3002 was last booted or reset, including those that were discarded or not sent.
  • Page 202: Monitoring | User Status

    Indicates whether the Cisco IP Phone Bypass feature is enabled or disabled for the VPN 3002. This feature is enabled or disabled for the group on the VPN Concentrator to which the VPN 3002 belongs. For more information, see Configuration | User Management | Base Group/Groups, Hardware Client tab for the VPN Concentrator.
  • Page 203: Monitoring | Statistics

    This section of the Manager shows statistics for traffic and activity on the VPN 3002 since it was last booted or reset, and for current tunneled sessions, plus statistics in standard MIB-II objects for interfaces, TCP/UDP, IP, ICMP, the ARP table, and SNMP.
  • Page 204: Monitoring | Statistics | Ipsec

    Monitoring | Statistics | IPSec This screen shows statistics for IPSec activity, including the current IPSec tunnel, on the VPN 3002 since it was last booted or reset. These statistics conform to the IETF draft for the IPSec Flow Monitoring MIB.
  • Page 205 IKE tunnels. This number should be zero; if not, check for a network problem, check the event log for an internal subsystem failure, or contact Cisco support.
  • Page 206 The cumulative total of IPSec Phase-2 exchanges that were received, found to be invalid because of protocol errors, and dropped, by all currently and previously active IKE tunnels. In other words, the total of Phase-2 negotiations that were initiated by a remote peer but that this VPN 3002 dropped because of protocol errors.
  • Page 207 The cumulative total of IKE tunnels that this VPN 3002 initiated. Failed Initiated Tunnels: The cumulative total of IKE tunnels that this VPN 3002 initiated and that failed to activate. Failed Remote Tunnels: The cumulative total of IKE tunnels that remote peers initiated and that failed to activate.
  • Page 208 IPSec Phase-2 tunnels. If the sequence number of a packet is a duplicate or out of bounds, there might be a faulty network or a security breach, and the system drops the packet.
  • Page 209 The cumulative total of outbound encryptions that failed, by all currently and previously active IPSec Phase-2 tunnels. This number should be zero or very small; if not, check the event log for an internal IPSec subsystem problem.
  • Page 210: Monitoring | Statistics | Http

    IPSec Phase-2 tunnels. These failures indicate errors parsing IPSec packets. Monitoring | Statistics | HTTP: This screen shows statistics for HTTP activity on the VPN 3002 since it was last booted or reset. To configure system-wide HTTP server parameters, see the Configuration | System | Management | Protocols | HTTP screen.
  • Page 211 Octets Sent/Received: The total number of HTTP octets (bytes) sent or received since the VPN 3002 was last booted or reset. Packets Sent/Received: The total number of HTTP packets sent or received since the VPN 3002 was last booted or reset.
  • Page 212 HTTP Sessions: This section provides information about HTTP sessions on the VPN 3002 since it was last booted or reset. Login Name: The name of the administrative user for the HTTP session. IP Address: The IP address of the administrative user for the HTTP session.
  • Page 213: Monitoring | Statistics | Telnet

    This screen shows statistics for Telnet activity on the VPN 3002 since it was last booted or reset, and for current Telnet sessions. To configure the VPN 3002 Telnet server, see the Configuration | System | Management Protocols | Telnet screen.
  • Page 214: Telnet Sessions

    Attempted Sessions: The total number of attempts to establish Telnet sessions on the VPN 3002 since it was last booted or reset. Successful Sessions: The total number of Telnet sessions successfully established on the VPN 3002 since it was last booted or reset.
  • Page 215: Monitoring | Statistics | Dns

    Requests The total number of DNS queries the VPN 3002 made since it was last booted or reset. This number equals the sum of the numbers in the Responses, Timeouts, Server Unreachable and Other Failures fields (the four fields that follow).
  • Page 216: Monitoring | Statistics | Ssl

    The number of DNS queries that failed because there was no response from the server. Server Unreachable: The number of DNS queries that failed because, according to the VPN 3002 routing table, the address of the server is not reachable.
  • Page 217: Active Sessions

    The total number of SSL sessions. Active Sessions: The number of currently active SSL sessions. Max Active Sessions: The maximum number of SSL sessions simultaneously active at any one time.
  • Page 218: Monitoring | Statistics | Dhcp

    This screen shows statistics for DHCP (Dynamic Host Configuration Protocol) server activity on the VPN 3002 since it was last booted or reset. Each row of the table shows data for each IP address handed out to a DHCP client (PC) on the VPN 3002 private network.
  • Page 219: Host Name

    The hardwired MAC (Medium Access Control) address of the interface, in 6-byte hexadecimal notation, that maps to the IP Address. Host Name: The name of the DHCP client (PC) on this interface.
  • Page 220: Monitoring | Statistics | Ssh

    This screen shows statistics for SSH (Secure Shell) protocol traffic on the VPN 3002 since it was last booted or reset. To configure SSH, see Configuration | System | Management Protocols | SSH.
  • Page 221 Packets Sent/Received: The total number of SSH packets sent/received since the VPN 3002 was last booted or reset. Active Sessions: The number of currently active SSH sessions. Maximum Sessions: The maximum number of simultaneously active SSH sessions on the VPN 3002.
  • Page 222: Monitoring | Statistics | Nat

    To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Packets In/Out: The total of NAT packets inbound and outbound since the last time the VPN 3002 was rebooted or reset.
  • Page 223: Nat Sessions

    Translated IP Address/Port: The translated IP address and port for the NAT session. The VPN 3002 uses this port number to keep track of which devices initiate data transfer; by keeping this record, the VPN 3002 is able to correctly route responses.
  • Page 224: Monitoring | Statistics | Pppoe

    The total number of translated bytes and packets for the NAT session. Monitoring | Statistics | PPPoE: This screen shows statistics for PPPoE (PPP over Ethernet) activity on the VPN 3002 since it was last booted or reset. Figure 13-17 Monitoring | Statistics | PPPoE Screen. Reset: To reset, or start anew, the screen contents, click Reset.
  • Page 225: User Name

    The number of PPPoE Active Discovery Initiation packets for which the VPN 3002 received no response. PADR Timeouts: The number of PPPoE Active Discovery Request packets for which the VPN 3002 received no response. Multiple PADO Rx: The number of multiple PPPoE Active Discovery Offer packets received, that is, the number of times more than one PPPoE access concentrator responded to the PADI the VPN 3002 sent.
  • Page 226 The number of PPPoE Active Discovery Terminate packets sent. Generic Errors Rx: The number of errors received during the PPPoE session. Malformed Packets Rx: The number of malformed packets received during the PPPoE session.
  • Page 227: Monitoring | Statistics | Mib-Ii

    SNMP: Simple Network Management Protocol requests, bad community strings, parsing errors, etc. To configure and enable the VPN 3002 SNMP server, see the Configuration | System | Management Protocols | SNMP screen. Figure 13-18 Monitoring | Statistics | MIB-II Screen...
  • Page 228: Monitoring | Statistics | Mib-Ii | Interfaces

    This screen shows statistics in MIB-II objects for VPN 3002 interfaces since the system was last booted or reset. Figure 13-19 Monitoring | Statistics | MIB-II | Interfaces Screen. Reset: To reset, or start anew, the screen contents, click Reset.
  • Page 229 The number of broadcast packets that were routed to this interface for transmission, including those that were discarded or not sent. Broadcast packets are those addressed to all hosts on a network.
  • Page 230: Monitoring | Statistics | Mib-Ii | Tcp/Udp

    Monitoring | Statistics | MIB-II | TCP/UDP This screen shows statistics in MIB-II objects for TCP and UDP traffic on the VPN 3002 since it was last booted or reset. RFC 2012 defines TCP MIB objects, and RFC 2013 defines UDP MIB objects.
  • Page 231 The number of TCP connection attempts that failed. Technically this is the number of TCP connections that went to an unconnected state, plus the number that went to a listening state, from a connection-synchronizing state.
  • Page 232 The total number of received UDP datagrams that could not be delivered because there was no application at the destination port. Datagram is the official UDP name for what is casually called a data packet.
  • Page 233: Monitoring | Statistics | Mib-Ii | Ip

    This screen shows statistics in MIB-II objects for IP traffic on the VPN 3002 since it was last booted or reset. RFC 2011 defines IP MIB objects. Figure 13-21 Monitoring | Statistics | MIB-II | IP Screen. Reset: To reset, or start anew, the screen contents, click Reset.
  • Page 234 Packets Received (Total): The total number of IP data packets received by the VPN 3002, including those received with errors. Packets Received (Header Errors): The number of IP data packets received and discarded due to errors in IP headers, including bad checksums, version number mismatches, other format errors, etc.
  • Page 235 The number of outbound IP data packets discarded because no route could be found to transmit them to their destination. This number includes any packets that the VPN 3002 could not route because all of its default routers were down.
  • Page 236: Monitoring | Statistics | Mib-Ii | Icmp

    This screen shows statistics in MIB-II objects for ICMP traffic on the VPN 3002 since it was last booted or reset. RFC 2011 defines ICMP MIB objects.
  • Page 237 The number of ICMP messages that the VPN 3002 received but determined to have ICMP-specific errors (bad ICMP checksums, bad length, etc.). The number of ICMP messages that the VPN 3002 did not send due to problems within ICMP such as a lack of buffers.
  • Page 238 The number of ICMP Address Mask Reply messages received/sent. Address Mask Reply messages respond to Address Mask Request messages by supplying the address (subnet) mask for the LAN to which a router connects.
  • Page 239: Monitoring | Statistics | Mib-Ii | Arp Table

    Monitoring | Statistics | MIB-II | ARP Table This screen shows entries in the Address Resolution Protocol mapping table since the VPN 3002 was last booted or reset. ARP matches IP addresses with physical MAC addresses, so the system can forward traffic to computers on its network.
  • Page 240 Interface: The VPN 3002 network interface on which this mapping applies: Private Interface or Public Interface. Physical Address: The hardwired MAC (Media Access Control) address of a physical network interface card, in 6-byte hexadecimal notation, that maps to the IP Address.
  • Page 241: Monitoring | Statistics | Mib-Ii | Ethernet

    Monitoring | Statistics | MIB-II | Ethernet This screen shows statistics in MIB-II objects for Ethernet interface traffic on the VPN 3002 since it was last booted or reset. IEEE standard 802.3 describes Ethernet networks, and RFC 1650 defines Ethernet interface MIB objects.
  • Page 242: Alignment Errors

    Late Collisions: The number of times that a collision is detected on this interface later than 512 bit-times into the transmission of a packet. 512 bit-times = 51.2 microseconds on a 10-Mbps system.
  • Page 243 The current LAN duplex transmission mode for this interface: Full = Full-Duplex: transmission in both directions at the same time. Half = Half-Duplex: transmission in only one direction at a time.
  • Page 244: Monitoring | Statistics | Mib-Ii | Snmp

    This screen shows statistics in MIB-II objects for SNMP traffic on the VPN 3002 since it was last booted or reset. RFC 1907 defines SNMP version 2 MIB objects.
  • Page 245 Bad Community String: The total number of SNMP messages received that used an SNMP community string the VPN 3002 did not recognize. See Configuration | System | Management Protocols | SNMP Communities to configure permitted community strings. To protect security, the VPN 3002 does not include the usual default public community string.
  • Page 247: Using The Command-Line Interface

    Connect a PC to the VPN 3002 via an RJ-45 serial cable (which Cisco supplies with the system) between the console port on the VPN 3002 and the COM1 or serial port on the PC. For more information, see the VPN 3002 Hardware Client Getting Started guide.
  • Page 248: Starting The Command-Line Interface

    To access the command-line interface via a Telnet or Telnet/SSL client: Enable the Telnet or Telnet/SSL server on the VPN 3002. (They are both enabled by default on the private network.) See the Configuration | System | Management Protocols | Telnet screen on the Manager.
  • Page 249: Using The Command-Line Interface

    > Host Name General -> [ Lab VPN ] _ You can enter a new name at the prompt, or just press Enter to keep the current name.
  • Page 250 When you become familiar with the structure of the interface, which parallels the HTML-based VPN 3002 Hardware Client Manager, you can quickly access any level by entering a series of numbers separated by periods. For example, suppose you want to change the Access Rights for Administrators.
  • Page 251 To display a brief help message, enter how to navigate through menus and enter values. This help message is available only at the main menu. Cisco Systems. Help information for the Command Line Interface From any menu except the Main menu.
  • Page 252: Saving The Configuration File

    -) Save changes to Config file 5) Help Information 6) Exit Main -> _ The default Monitor administrator can only monitor the VPN 3002, not configure system parameters or administer the system. See Administration | Access Rights | Administrators for more information.
  • Page 253: Menu Reference

    4) Policy Management 5) Back Config -> _ 1.1 Configuration > Quick Configuration: See the VPN 3002 Hardware Client Getting Started guide for complete information about Quick Configuration. 1.2 Configuration > Interface Configuration: This table shows current IP addresses. 1) Configure the Private Interface...
  • Page 254 1.3.4 Configuration > System Management > Management Protocols 1) Configure HTTP/HTTPS 2) Configure Telnet 3) Configure SNMP 4) Configure SNMP Community Strings 5) Configure SSL 7) Configure XML 8) Back Network -> _
  • Page 255 2.1 Administration > Software Update Name of the file for main code upgrade? [vpn3002c.bin] IP address of the host where the file resides? [10.10.66.10] (M)odify any of the above (C)ontinue or (E)xit? [M]
  • Page 256 Admin -> _ 2.4.1 Administration > Access Rights > Administrators Admin -> 1 Administrative Users table (columns: Username, Enabled): admin, config. 1) Modify Administrator 2) Back Admin ->
  • Page 257 2.6.2 Administration > Certificate Management > Installation 1) Install Certificate Authority 2) Install SSL Certificate (from Enrollment) 3) Install SSL Certificate (with private key) 4) Install Identity Certificate (from Enrollment) 5) Back Certificates -> _
  • Page 258 3) Back Certificates -> _ 3 Monitoring 1) Routing Table 2) Event Log 3) System Status 4) User Status 5) General Statistics 6) Back Monitor -> _
  • Page 259 5) Back Log -> _ 3.3 Monitoring > System Status System Status 1) Refresh System Status 2) Connect Now 3) Disconnect Now 4) Back Status -> _ Card Status -> _
  • Page 260 2) Back General -> _ 3.4.3 Monitoring > General Statistics > MIB II Statistics 1) Interface-based 2) System-level 3) Back MIB2 -> _ Table columns: IP Address, MAC Address, Login Time...
  • Page 261: Troubleshooting And System Errors

    Monitoring | Filterable Event Log. The VPN 3002 automatically saves the event log to a file in flash memory if it crashes, and when it is rebooted. This log file is named SAVELOG.TXT, and it overwrites any existing file with that name. The SAVELOG.TXT file is useful for debugging.
  • Page 262: Led Indicators

    Management for information on managing files in flash memory. LED Indicators: LED indicators on the VPN 3002 are normally green or flashing amber. LEDs that are solid amber or off may indicate an error condition. Contact Cisco TAC if any LED indicates an error condition.
  • Page 263: System Errors

    Flashing amber. System Errors: If you have configured the VPN 3002, and you are unable to connect to or pass data to the central-site VPN Concentrator, use this appendix to check the settings on the VPN Concentrator to which this VPN 3002 connects.
  • Page 264: Settings On The Vpn Concentrator

    Assign this VPN 3002 to a group. Step 2: Configure group and user names and passwords. These must match the group and user names and passwords that you set on the VPN 3002. Refer to Chapter 14, “User Management,” in the VPN 3000 Series Concentrator Reference Volume I.
  • Page 265: Vpn 3002 Hardware Client Manager Errors

    Step 4: If you are using Network Extension mode, configure a default gateway or a static route to the private network of the VPN 3002. Refer to Chapter 8, “IP Routing,” in the VPN 3000 Series Concentrator Reference Volume I.
  • Page 266 Table A-2 Invalid Login or Session Timeout Screen. Problem: You entered an invalid administrator login-name and password combination. Problem: The Manager session has been idle longer than the configured timeout interval. (The default timeout interval is 600 seconds, which equals 10 minutes.)
  • Page 267 Possible cause: To protect security and the integrity of data entries, clicking on Back or Forward on... Solution: Do not use the browser navigation toolbar buttons with the VPN 3002 Hardware Client Manager. Navigate using the location bar at the top of the...
  • Page 268 Not Allowed Message: The Manager displays a screen with the message: “Not Allowed / You do not have sufficient authorization to access the specified page.” (see Figure A-3 Not Allowed Screen). Table A-6 Not Allowed Message Displays...
  • Page 269 Cisco support personnel for assistance. Possible cause: A bug in the Internet Explorer JavaScript interpreter. Solution: Click on No on the error dialog box. Log out of the Manager. Close Internet Explorer.
  • Page 270: Command-Line Interface Errors

    ERROR:-- The Passwords do not match. Please try again. Possible cause: The entry for a password and the entry to verify the password do not match. Possible cause: You entered something other... Solution: At the prompt, reenter a valid...