VPN Client User Guide for Mac OS X
Release 4.6
August 2004

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS

About This Guide vii
Audience vii
Contents vii
Related Documentation viii
Terminology viii
Document Conventions viii
Data Formats ix
Obtaining Documentation ix
Cisco.com ix
Documentation CD-ROM ix
Ordering Documentation x
Documentation Feedback x
Obtaining Technical Assistance x
Cisco.

Preconfiguring the User Profile 2-3
Preconfiguring the Global Profile 2-3
Bundling a Root Certificate with the Installation Package for Darwin 2-4
Installing the VPN Client 2-4
Authentication 2-4
VPN Client Installation Process 2-6
Introduction 2-6
Accepting the License Agreement 2-7
Selecting the Application Destination 2-7
Choosing the Installation Type 2-8
CLI Version Install Script Notes 2-12
Uninstalling the VPN Client 2-12
CHAPTER 3 Navigating the User Interface 3-1
VPN Client Menu 3-1
3

Mutual Group Authentication 4-4
Certificate Authentication 4-4
Transport Parameters 4-6
Enable Transport Tunneling 4-7
Transparent Tunneling Mode 4-7
Allow Local LAN Access 4-7
Peer Response Timeout 4-8
Backup Servers 4-8
CHAPTER 5 Establishing a VPN Connection 5-1
Checking Prerequisites 5-1
Establishing a Connection 5-1
Connecting to a Default Connection Entry 5-3
Choosing Authentication Methods 5-3
Shared Key Authentication 5-3
VPN Group Name and Password Authentication
RADIUS Server Au

CHAPTER 7 Managing the VPN Client 7-1
Managing Connection Entries 7-1
Importing a Connection Entry 7-1
Modifying a Connection Entry 7-2
Deleting a Connection Entry 7-3
Event Logging 7-4
Enable Logging 7-4
Clear Logging 7-5
Set Logging Options 7-5
Opening the Log Window 7-7
Viewing Statistics 7-8
Tunnel Details 7-9
Route Details 7-10
Notifications 7-11
INDEX

VPN Client User Guide for Mac OS X vi OL-5490-01
About This Guide

This VPN Client User Guide describes how to install, use, and manage the Cisco VPN Client for the Macintosh operating system, Version 10.2 or later. You can manage the VPN Client for Mac OS X from the graphical user interface or from the command-line interface. The VPN Client for Mac OS X installer program installs both the graphical user interface and the command-line version of the VPN Client.

• Chapter 7, “Managing the VPN Client.” This chapter describes how to manage VPN Client connections, use the event log, and view tunnel details, including packet and routing data.

Related Documentation

The following is a list of user guides and other documentation related to the VPN Client for Mac OS X and the VPN devices that provide the connection to the private network.
• Release Notes for the Cisco VPN Client, Release 4.

Caution Means reader be careful. Cautions alert you to actions or conditions that could result in equipment damage or loss of data.

Data Formats

When you configure the VPN Client, enter data in these formats unless the instructions indicate otherwise.
• IP Address—Use standard 4-byte dotted decimal notation (for example, 192.168.12.34). You can omit leading zeros in a byte position.

Ordering Documentation

You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
• Registered Cisco.

• Download and test software packages
• Order Cisco learning materials and merchandise
• Register for online skill assessment, training, and certification programs
To obtain customized information and service, you can self-register on Cisco.com at this URL:
http://www.cisco.com

Technical Assistance Center

The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
CHAPTER 1
Understanding the VPN Client

The Cisco VPN Client for Mac OS X is a software application that runs on any Macintosh computer using operating system Version 10.2 or later. The VPN Client on a remote PC, communicating with a Cisco VPN device on an enterprise network or with a service provider, creates a secure connection over the Internet. This connection allows you to access a private network as if you were an on-site user, creating a Virtual Private Network (VPN).

VPN Client Overview

The VPN Client works with a Cisco VPN device to create a secure connection, called a tunnel, between your computer and a private network. It uses Internet Key Exchange (IKE) and Internet Protocol Security (IPSec) tunneling protocols to establish and manage the secure connection.

VPN Client Features

The tables in the following sections describe the VPN Client features. Table 1-1 lists the VPN Client main features.

Table 1-1 VPN Client Main Features
• Operating System—Mac OS Version 10.2 or later
• Connection types—async serial PPP; Internet-attached Ethernet; DSL. The VPN Client for Mac OS X does not support Bluetooth wireless technology.

Table 1-2 Program Features (continued)
• Automatic VPN Client configuration option—The ability to import a configuration file.
• Event logging—The VPN Client log collects events for viewing and analysis.
• NAT Transparency (NAT-T)—Enables the VPN Client and the VPN device to automatically detect when to use IPSec over UDP to work properly in Port Address Translation (PAT) environments.
• Connect on open—This feature lets a user connect to the default user profile when starting the VPN Client. You can enable this feature on the Preferences menu under the VPN Client tab.
• VPN Client API—VPN Client provides an application programming interface for performing VPN Client tasks without using the command-line or graphical interfaces that Cisco provides.

Table 1-4 IPSec Features (continued)
• Split tunneling—The ability to simultaneously direct packets over the Internet in clear text and encrypted through an IPSec tunnel. The VPN device supplies a list of networks to the VPN Client for tunneled traffic. You enable split tunneling on the VPN Client and configure the network list on the VPN device.

Table 1-5 IPSec Attributes (continued)
• Extended Authentication (XAUTH)—The capability of authenticating a user within IKE. This authentication is in addition to the normal IKE phase 1 authentication, where the IPSec devices authenticate each other. The extended authentication exchange within IKE does not replace the existing IKE authentication.
CHAPTER 2
Installing the VPN Client

This chapter describes how to install the VPN Client for Mac OS X.

Verifying System Requirements

The VPN Client for Mac OS X runs on any Power Macintosh or compatible computer with the Macintosh operating system Version 10.2 or later and 30 MB of hard disk space. Mac OS X VPN Clients support only single-interface FastEthernet network adapters. This VPN Client does not support any multiport adapters.

Obtaining the VPN Client Software

The VPN Client software is available from the Cisco website and comes as a disk image file (vpnclient--GUI.k9.dmg). Only system administrators can obtain and distribute the VPN Client software.
To obtain the installer:
Step 1 Copy or download the image file to your Desktop.
Step 2 Double-click to extract the VPN Client installer to your Desktop.

Figure 2-2 VPN Client Installer Directory

Preconfiguring the User Profile

The VPN Client uses parameters that must be uniquely configured for each remote user of the private network. Together these parameters make up a user profile, which is contained in a profile configuration file (.pcf file). To distribute preconfigured profiles, copy the configuration files (.pcf files) into the Profiles folder in the vpnclient installer directory.

Bundling a Root Certificate with the Installation Package for Darwin

To use mutual authentication, the VPN Client computer must have a root certificate installed. You can bundle a root certificate with the installation package so that the root certificate is installed automatically. The following steps place a root certificate with the installation package. The root certificate is contained in a file.

Figure 2-3 Authorization Window
Step 2 Click the lock to authenticate your password. The Authenticate dialog box appears (Figure 2-4).
Figure 2-4 Authenticate Dialog Box
Step 3 Enter your administrator username and a password or challenge phrase.
Step 4 Click OK. If the authentication is successful, continue to the installation process. Contact your network administrator if you cannot authenticate for installation.

VPN Client Installation Process

You must complete all steps in the VPN Client installation process before you can use the VPN Client software. At any time during the installation process, you can go back to a previous step and adjust your selections.

Accepting the License Agreement

You are required to read and accept the Cisco software license agreement before you can continue with the installation process (see Figure 2-6).
Figure 2-6 Cisco License Agreement
Before you accept the license agreement, you can:
• Print the license agreement.
• Save the license agreement to a file.
• Go Back to the Introduction window.
• Continue and agree to the terms in the license agreement.

Figure 2-7 Select Destination Window
Click Continue. The VPN Client is installed in the Applications directory.

Choosing the Installation Type

The default installation process installs the following packages with the VPN Client application:
• VPN Client application binaries (includes everything in the directory /usr/local/bin, including the ipseclog).
• VPN Client graphical user interface.

Figure 2-8 Easy Install Window
To choose which packages to install, click Customize to open the Custom Install window (Figure 2-9).
Figure 2-9 Custom Install Window
The packages with the blue check box are optional. To make a package part of your installation, check the blue box. To remove a package from your installation, uncheck the blue box.
Click Easy Install to return to the default installation packages, or Install to continue with a custom installation. A progress bar lists the installation steps as they occur (Figure 2-10).
Figure 2-10 Install Software Progress Window
When the installation is finished, a window appears to indicate whether the installation was successful (Figure 2-11).
Figure 2-11 Successful Installation Confirmation Window
Click Close. If you do not receive this confirmation, the installation was not successful. You must start the installation process again from the beginning or contact your network administrator for assistance. To begin using the Client, double-click the VPN Client application icon located in the Applications directory (Figure 2-12).
Figure 2-12 Location of VPN Client Application

CLI Version Install Script Notes

The VPN Client installer includes both the graphical user interface and the command-line version of the VPN Client for Mac OS X. You can choose to manage the VPN Client using only the command line.

Uninstalling the VPN Client

Note We recommend that you uninstall any previous version of the VPN Client for Mac OS X before you install a new version. The VPN Client uninstall script uninstalls any previous command-line or GUI version of the VPN Client from your workstation.
To uninstall the VPN Client for Mac OS X
Step 1 Open a terminal window.
CHAPTER 3
Navigating the User Interface

This chapter describes the main VPN Client window and the tools, tabs, menus, and icons for navigating the user interface.

VPN Client Menu

Use the VPN Client menu (Figure 3-1) to manage the VPN Client application and main window settings.
Figure 3-1 VPN Client Menu
• About VPN Client—Displays the current VPN Client version, the VPN Client type (platform), and the copyright information.
• Preferences—Sets VPN Client window preferences (Figure 3-2).
– Save window settings—Saves changes to the VPN Client window. For example, you can save the window size, the window position, the selected tab, and the view (simple or advanced mode).

Operating in Simple Mode

Figure 3-3 VPN Client Window—Simple Mode
The main VPN Client window shows only the version information, the default connection entry, the connect button, and the status bar.

Main Menus—Simple Mode

This section describes the abbreviated menu choices available in simple mode. The Certificates and Log menus are only available in advanced mode.

Connection Entries Menu

Figure 3-4 shows the Connection Entries menu options for simple mode.

Operating in Advanced Mode

Use Advanced mode to manage the VPN Client; configure connection entries; manage certificates; view and manage event logging; and view tunnel statistics and routing data.

VPN Client Window—Advanced Mode

The following sections describe the main VPN Client window in Advanced Mode, the primary buttons and tabs for navigating the user interface, the main menu options, and the right-click menu options.

Toolbar Action Buttons—Advanced Mode

The action buttons at the top of the VPN Client window vary depending on which tab is forward. For example, if the Connections tab is forward, the Connect, New, Import, Modify, and Delete buttons control operations for the selected connection entry (see Figure 3-6).

Main Menus—Advanced Mode

The following sections describe the main VPN Client menus, located at the top of your screen, when the VPN Client application is running in advanced mode and active on your desktop.

Connection Entries Menu

Use the Connection Entries menu (Figure 3-9) as a shortcut to frequently used connection entry operations.

Status Menu

Use the Status menu (Figure 3-10) to display the tunnel and route statistics or to view notifications from the VPN device.
Figure 3-10 Status Menu
• Statistics—Open the Statistics window to view tunnel details and route details.
• Notifications—Open the Notifications window to view notices from the VPN device.
• Reset Stats—Reset the VPN session statistics on the Tunnel Details tab of the Statistics window.

• Retry Certificate Enrollment—Retry a previously started certificate enrollment.
• Show or Hide CA/RA Certificates—This menu option toggles to Show or Hide root certificates issued by either a Certificate Authority (CA) or a Registration Authority (RA).

Log Menu

Use the Log menu (Figure 3-12) to enable, disable, view, or clear the event log, or to adjust the log settings.

Connection Entries Tab Right-Click Menu

Figure 3-14 shows the right-click menu options available when the Connection Entries tab is selected.
Figure 3-14 Connection Entries Right-Click Menu
• Connect—Establish a VPN connection using the selected connection entry.
• Disconnect—Disconnect the current VPN session.
• Duplicate—Duplicate the selected connection entry.

Certificates Tab Right-Click Menu

Figure 3-15 shows the right-click menu options available when the Certificates tab is forward.
Figure 3-15 Certificates Tab Right-Click Menu
• View—View the properties of the selected certificate.
• Export—Export the selected certificate to a specified file location.
• Verify—Verify that the selected certificate is valid.
CHAPTER 4
Configuring Connection Entries

A connection entry is a set of parameters that the VPN Client uses to identify and connect to a specific private network. Connection entry parameters include a name and description for the connection, the name or address of the VPN device (the remote server providing the connection), and authentication information that identifies you as a valid user to the VPN device. This chapter describes how to configure the parameters for a VPN Client connection entry.

Creating a Connection Entry

To create a connection entry:
Step 1 Open the VPN Client application. The VPN Client window appears (Figure 4-1).
Figure 4-1 VPN Client Window
Step 2 Click the Connection Entries tab.
Step 3 Click New at the top of the VPN Client window. The Create New VPN Connection Entry dialog box appears (Figure 4-2).
Step 4 Enter a unique connection entry name. You can use any name to identify this connection. This name can contain spaces, and it is not case-sensitive.
Step 5 Enter a description of this connection. This field is optional, but it helps to further identify this connection. For example, Connection to Engineering remote server.

Authentication Methods

Figure 4-3 Group Authentication
Step 2 Enter the name of the IPSec group you belong to.
Step 3 Enter the password for your IPSec group. The field displays only asterisks.
Step 4 Confirm the password by entering it again.
Step 5 Click Save. The Connection Entry dialog box closes, and you return to the Connection Entries tab.

Figure 4-4 Certificate Authentication
Step 2 Select a certificate from the Name drop-down menu. If the Name field displays No Certificates Installed, you must first enroll or import a certificate before you can use this feature. See the “Enrolling Certificates” section on page 6-2 or the “Importing a Certificate” section on page 6-7 for more information.
Step 3 To send CA certificate chains, check the Send CA Certificate Chain check box.

Transport Parameters

This section describes transport parameters you can configure for a connection entry. The transport parameters include:
• Enable Transport Tunneling, page 4-7
• Transparent Tunneling Mode, page 4-7
• Allow Local LAN Access, page 4-7
• Peer Response Timeout, page 4-8
To configure transport parameters:
Step 1 Open the VPN Client application.
Step 2 Select a connection entry.

Enable Transport Tunneling

Transparent tunneling allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall. The router might also be configured for Network Address Translation (NAT) or Port Address Translation (PAT). Transparent tunneling encapsulates Protocol 50 (ESP) traffic within UDP packets.
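The guide states that transparent tunneling wraps Protocol 50 (ESP) inside UDP so the tunnel survives a NAT or PAT router, and that NAT-T lets the client and VPN device detect when to do so. The following is an added example, not code from the Cisco guide or the VPN Client, showing how a network monitor can tell native ESP from UDP-encapsulated ESP and from the IKE messages that share the same UDP port. It assumes the RFC 3948 encapsulation (UDP port 4500, where an IKE message begins with a 4-byte zero "non-ESP marker" and an ESP packet begins with its non-zero SPI); Cisco's IPSec over UDP uses whatever port the VPN device assigns, so the port set is a parameter. All packets are constructed samples built by the helper functions.

```python
# Added example (not from the Cisco guide): classify IPv4 packets as native
# ESP, UDP-encapsulated ESP, UDP-encapsulated IKE, or something else.
# Assumption: RFC 3948 framing on the ports in `udp_ports` (4500 by default);
# the port Cisco's IPSec over UDP uses is set by the VPN device, so pass it in.
import struct

PROTO_UDP = 17
PROTO_ESP = 50
NAT_T_PORTS = frozenset({4500})  # RFC 3948 default; extend with the device's port


def classify(packet: bytes, udp_ports=NAT_T_PORTS) -> str:
    """Return 'esp', 'udp-esp', 'udp-ike' or 'other' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"                     # not IPv4 (or truncated)
    ihl = (packet[0] & 0x0F) * 4           # header length in bytes
    proto = packet[9]
    if proto == PROTO_ESP:
        return "esp"                       # Protocol 50 carried directly in IP
    if proto != PROTO_UDP or len(packet) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if sport not in udp_ports and dport not in udp_ports:
        return "other"                     # ordinary UDP, e.g. DNS
    payload = packet[ihl + 8:]
    if len(payload) < 4:
        return "other"
    # RFC 3948: four zero bytes mark an IKE message; anything else is an ESP SPI
    return "udp-ike" if payload[:4] == b"\x00\x00\x00\x00" else "udp-esp"


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 header (no options, checksum left zero) around payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP header (checksum left zero) around payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed samples: a client at 192.0.2.10 talking to a gateway at 198.51.100.1.
SPI = b"\x12\x34\x56\x78"
SAMPLES = {
    "native_esp": ipv4(PROTO_ESP, "192.0.2.10", "198.51.100.1", SPI + b"\x00" * 12),
    "nat_t_esp": ipv4(PROTO_UDP, "192.0.2.10", "198.51.100.1",
                      udp(4500, 4500, SPI + b"\x00" * 12)),
    "nat_t_ike": ipv4(PROTO_UDP, "192.0.2.10", "198.51.100.1",
                      udp(4500, 4500, b"\x00" * 4 + b"\xaa" * 28)),
    "dns": ipv4(PROTO_UDP, "192.0.2.10", "198.51.100.53", udp(5353, 53, b"\x00" * 12)),
}


def classify_samples(udp_ports=NAT_T_PORTS) -> dict:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify(pkt, udp_ports) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

A firewall rule that only permits Protocol 50 will silently break transparent tunneling; the classifier makes the point concrete: once encapsulated, the tunnel is invisible to a rule that keys on the IP protocol number and must be matched on the UDP port instead.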
• When this parameter is disabled, all traffic from your client system goes through the IPSec connection to the secure gateway.
If the local LAN you are using is not secure, you should not enable local LAN access. For example, do not enable this feature when you are using a local LAN in a hotel or airport. To enable this feature, check the Allow Local LAN Access check box on the VPN Client.
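Table 1-4 describes split tunneling (the VPN device pushes a list of networks; only traffic to those networks is encrypted) and this section describes Allow Local LAN Access (when disabled, all traffic goes through the IPSec connection). The following is an added example, not code from the Cisco guide or the VPN Client, that models the resulting forwarding decision as a small longest-prefix route table, the same shape of information the Route Details tab reports as secured and excluded routes. The network list, the local LAN subnet, and the destination addresses are constructed; the tie-break when a tunneled network and the local LAN overlap at the same prefix length (the tunneled route wins) is an assumption of this model, not documented client behaviour.

```python
# Added example (not from the Cisco guide): derive the client's route table from
# the split-tunnel list and the Allow Local LAN Access setting, then decide
# per destination whether a packet is tunneled, sent in clear, or kept on the LAN.
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]


def build_routes(tunneled_networks: Optional[List[str]],
                 local_lan: Optional[str] = None,
                 allow_local_lan: bool = False) -> List[Route]:
    """Build the route table implied by the VPN device's policy.

    tunneled_networks: split-tunnel list pushed by the VPN device, or None when
                       split tunneling is off (full tunnel: everything is protected).
    local_lan:         subnet the client is physically attached to (constructed).
    allow_local_lan:   state of the connection entry's Allow Local LAN Access box.
    """
    if tunneled_networks is None:
        routes = [(ipaddress.ip_network("0.0.0.0/0"), "tunnel")]
    else:
        routes = [(ipaddress.ip_network("0.0.0.0/0"), "clear")]
        routes += [(ipaddress.ip_network(n), "tunnel") for n in tunneled_networks]
    if allow_local_lan and local_lan is not None:
        routes.append((ipaddress.ip_network(local_lan), "local-lan"))
    return routes


def decide_path(dst: str, routes: List[Route]) -> str:
    """Return 'tunnel', 'clear' or 'local-lan'; the longest matching prefix wins.

    On equal prefix lengths max() keeps the earlier entry, so a tunneled network
    listed before the local LAN route takes precedence (assumption, see lead-in).
    """
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def unprotected_destinations(destinations: List[str], routes: List[Route]) -> List[str]:
    """Destinations whose traffic would leave the host outside the IPSec tunnel."""
    return [d for d in destinations if decide_path(d, routes) != "tunnel"]


if __name__ == "__main__":
    # Constructed policy: two private ranges are tunneled, the client sits on
    # 192.168.1.0/24 (think hotel Wi-Fi) and has enabled local LAN access.
    split = build_routes(["10.0.0.0/8", "172.16.0.0/12"], "192.168.1.0/24", True)
    full = build_routes(None, "192.168.1.0/24", False)
    probes = ["10.1.2.3", "172.20.0.5", "192.168.1.10", "203.0.113.7"]
    for dst in probes:
        print(f"{dst:>14}  split={decide_path(dst, split):<9} full={decide_path(dst, full)}")
    print("leaves host unencrypted under split policy:", unprotected_destinations(probes, split))
```

Running it shows why the guide warns against enabling local LAN access on a hotel or airport network: with the full-tunnel policy every probe reports "tunnel", while the split policy plus local LAN access leaves both the LAN peer and the Internet host reachable outside the tunnel.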
Backup Servers

Figure 4-6 Backup Servers Tab
Step 5 Check the Enable Backup Servers check box. This parameter is not enabled by default. The list of available backup servers is displayed. Backup servers are used in the order presented in the list.
Step 6 To change the order in which the backup servers are used, select a backup server and use the arrow buttons to move the server up or down in the list.
Step 7 Click Save.

Step 3 Click OK. The backup server is added to the list of available backup servers. To remove a backup server, return to the Backup Servers tab, select a server from the list, and click Remove.
CHAPTER 5
Establishing a VPN Connection

This chapter describes how to establish a VPN connection with a private network using the VPN Client and the user authentication methods supported by the VPN device that is providing your connection.

Checking Prerequisites

Before you can establish a VPN connection, you must have:
• At least one connection entry configured on the VPN Client. See Chapter 4, “Configuring Connection Entries” for more information.
• User authentication information.

Establishing a Connection

Figure 5-1 VPN Client Icon
The main VPN Client window appears. Figure 5-2 shows the VPN Client window in simple mode.
Figure 5-2 VPN Client Window—Simple Mode
Figure 5-3 shows the VPN Client window in advanced mode.
Figure 5-3 VPN Client Window—Advanced Mode
See Chapter 3, “Navigating the User Interface” for more information on simple mode and advanced mode.
The status bar at the bottom of the main VPN Client window displays your connection status. When connected, the left side of the status bar indicates the connection entry name and the right side displays the amount of time that the VPN tunnel has been established.

Choosing Authentication Methods

Figure 5-4 Shared Key Authentication
Enter your Username and Password and click OK.

VPN Group Name and Password Authentication

The VPN group login method uses your VPN group name and password for authentication (Figure 5-5). You can use VPN group authentication alone or with other authentication methods.
Figure 5-5 VPN Group Authentication
Enter your group name and password and click OK.

Figure 5-6 User Authentication for RADIUS
Enter your username and password and click OK. Check the Save Password check box if you do not want to be prompted for your RADIUS password each time you start a VPN session using this connection entry.
Note If you cannot choose the Save Password option, your system administrator does not allow this option.

Figure 5-7 User Authentication for RSA SecurID
Enter your username and RSA SecurID passcode and click OK.

Using Digital Certificates

The VPN Client works with Certificate Authorities (CAs) that support SCEP, manual enrollment, or PKCS import. Each time you establish a VPN connection using a certificate, the VPN Client verifies that your certificate is not expired.
CHAPTER 6
Enrolling and Managing Certificates

This chapter describes how to enroll and manage digital certificates for the VPN Client for Mac OS X, specifically how to perform the following tasks:
• Obtain personal certificates through enrollment with a certificate authority (CA), which is an organization that issues digital certificates that verify that you are who you say you are.

Figure 6-1 Certificate Store
For each certificate, the following information is listed:
• Certificate—The name of the certificate.
• Store—The certificate store where this certificate resides. If you enroll a certificate from a Certificate Authority, the store is CA. If you import a certificate from a file, the store is Cisco.
• Key Size—The size, in bits, of the signing key pair.

Figure 6-2 Online Certificate Enrollment
Step 4 Enter the enrollment parameters.
• For online enrollment enter:
– Certificate Authority—The Common name or the Subject name of the CA Certificate. This drop-down list contains a history of previously enrolled CA certificates. If you select a CA from this list, the CA URL and the CA Domain fields are pre-populated.
Step 5 Click Next to continue with certificate enrollment. The Certificate Enrollment dialog box appears (Figure 6-3).
Figure 6-3 Certificate Enrollment
Step 6 Enter the remaining certificate enrollment parameters. All fields are required unless they are grayed out. Table 6-1 describes the entry fields.
Table 6-1 Certificate Enrollment Parameters
• Name (CN)—The common name for the certificate.
Step 7
The certificate enrollment is listed in the certificate store as a request. To resume a certificate enrollment request, right-click and choose Resume Certificate Enrollment. Alternatively, you can resume an enrollment from the Certificates menu. A prompt indicates whether the certificate enrollment is successful (Figure 6-4).

Step 3 Enter the password in the Password field (if there is one) and click OK. The VPN Client verifies the password. If the password is correct, the VPN Client deletes the request.

Changing the Password on an Enrollment Request

To change the certificate password on an enrollment request
Step 1 Select the certificate request from the certificate store.
Step 2 Choose Change Certificate Password from the Certificates menu.

Importing a Certificate

A network administrator might place a certificate in a file. This certificate must be imported into the certificate store before you can use it for authenticating the VPN Client to a VPN device.
To import a certificate from a file
Step 1 Click the Certificates tab.
Step 2 Click Import at the top of the VPN Client window. The Import Certificate dialog box appears (Figure 6-6).

Viewing a Certificate

Figure 6-7 Certificate Properties
A typical digital certificate contains the following information:
• Common name—The name of the owner, usually both the first and last names. This field identifies the owner within the Public Key Infrastructure (PKI) organization.
• Department—The name of the owner’s department. This is the same as the organizational unit in the Subject field.
– state or province (st)
– country (c)
– e-mail address (e)
Other items might be included in the Subject, depending on the certificate.
Step 4
• Issuer—The fully qualified distinguished name (FQDN) of the source that provided the certificate.
• Serial number—A unique identifier used for tracking the validity of the certificate on the Certificate Revocation Lists (CRLs).

Exporting a Certificate

Figure 6-9 Successful Export Prompt
Step 9 Click OK to return to the VPN Client window.

Deleting a Certificate

You can delete any certificate from your certificate store. You must provide a password to delete an enrollment certificate.
Caution You cannot retrieve a certificate that has been deleted.
To delete a user or root certificate
Step 1 Click the Certificates tab.
Step 2 Select the certificate to delete.
Step 3 Click Delete at the top of the VPN Client window. The Certificate Password dialog box appears (Figure 6-11).
Figure 6-11 Password Prompt for Deleting Enrollment Certificates
Step 4 Enter the Certificate Password for the selected certificate to delete. The Certificate Password is the password assigned by you to protect the certificate while it is in your certificate store.

Changing the Password on a Personal Certificate

To view personal (root) certificates issued by either a Certificate Authority (CA) or a Registration Authority (RA), use the Show/Hide CA/RA Certificates option from the Certificates menu.
To change the password on a personal certificate
Step 1 Select a certificate from the certificate store under the Certificates tab.
C H A P T E R 7 Managing the VPN Client This chapter describes how to manage connection entries, and view and manage the event logging. Managing Connection Entries The following sections describe the operations used to manage connection entries. This includes how to import, modify, and delete a connection entry. Importing a Connection Entry You can automatically configure your VPN Client with new settings by importing a new configuration file (a file with a.
Chapter 7 Managing the VPN Client Managing Connection Entries Figure 7-1 Import VPN Connection Step 3 Locate the connection entry to import. A valid connection entry configuration file must have a .pcf extension. Step 4 Click Open. The connection entry is added to the list of available profiles and you return to the Connection Entries tab. Alternately, you can copy the .pcf file into the profiles directory and restart the VPN Client application.
Chapter 7 Managing the VPN Client Managing Connection Entries Figure 7-2 Connection Entry Settings The existing configuration for this connection entry is displayed. Step 4 Make adjustments to this connection entry configuration. Step 5 Click Save. The VPN Client Properties dialog box closes and you return to the Connection Entries tab. Deleting a Connection Entry You can delete any connection entry that does not have an active VPN connection.
Chapter 7 Managing the VPN Client Event Logging Figure 7-3 Caution Step 4 Confirm Delete You cannot retrieve a connection entry that has been deleted. Click Delete to delete this connection entry. The connection entry is removed from the profiles directory and you are returned to the Connection Entries tab. Click Do not Delete to return to the VPN Client window without deleting the selected connection entry.
Event Logging

Figure 7-4 Event Log

Every VPN session contains at least one log entry, the connection history. To disable logging, click the Disable button at the top of the VPN Client window.

Clear Logging

To clear the event messages from the logging window, click Clear at the top of the VPN Client window. Clearing the display does not reset event numbering or clear the log file itself.
Figure 7-5 Log Settings

Table 7-1 describes the log classes that generate events in the VPN Client log viewer.

Table 7-1 VPN Client Logging Classes

Log Class   Module Description
[LOG.IKE]   Internet Key Exchange module, which manages IKE security associations.
[LOG.CM]    Connection Manager (CM), which drives VPN Connection Manager connections. (CM dials a PPP device, configures IKE for establishing secure connections, and manages connection states.)
Step 3 Select the logging level for each module that uses logging services. The logging levels allow you to choose the amount of information you want to capture. Figure 7-6 shows the logging levels.

Figure 7-6 Logging Levels

There are four logging levels:

• 0—Disables logging services for the specified [LOG] class.
• 1—Low, displays only critical and warning events. This is the default.

Step 4
Figure 7-7 Log Window

The following buttons allow you to manage the information in the Log Window:

• Save the data in the event log to a file.

Note The VPN Client saves the information to the Client install directory. The default file name is based on the date and time (in 24-hour format) that the log file was created; for example, LOG-2003-03-13-52-56.text.
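As an added illustration of the per-class logging levels and the Log Window described above (example code written for this guide's readers, not part of Cisco's VPN Client), the following Python script applies a per-class level setting to a small constructed event log. The line layout, the severity names, and what levels 2 and 3 retain are assumptions; the guide itself only states that level 0 disables a [LOG] class and that level 1, the default, keeps critical and warning events.

```python
import re

# Constructed sample events; the real VPN Client log layout is not shown on
# this page. Each line: "<seq> <HH:MM:SS> <severity> <[LOG.class]> <message>".
SAMPLE_LOG = """\
1 13:52:56 INFO [LOG.CM] Connection entry "Corporate" started
2 13:52:57 WARNING [LOG.IKE] Peer response timeout, retransmitting
3 13:52:58 CRITICAL [LOG.IKE] Authentication failed for group
4 13:52:59 INFO [LOG.IKE] Phase 1 security association established
5 13:53:00 CRITICAL [LOG.CM] Connection terminated
"""

LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<severity>\w+)\s+"
    r"(?P<cls>\[LOG\.[A-Z]+\])\s+(?P<msg>.*)$"
)

# Severities retained at each level. Levels 0 and 1 follow the guide
# (0 = off, 1 = critical and warning only, the default); 2 and 3 are assumed.
LEVEL_KEEPS = {
    0: frozenset(),
    1: frozenset({"CRITICAL", "WARNING"}),
    2: frozenset({"CRITICAL", "WARNING", "INFO"}),
    3: frozenset({"CRITICAL", "WARNING", "INFO", "DEBUG"}),
}
DEFAULT_LEVEL = 1


def parse_log(text):
    """Return a list of event dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["seq"] = int(ev["seq"])
            events.append(ev)
    return events


def filter_events(events, levels):
    """Keep events whose severity is enabled for their class.

    `levels` maps a class tag such as "[LOG.IKE]" to 0..3; classes that are
    not listed use the default level 1, as the guide states.
    """
    kept = []
    for ev in events:
        level = levels.get(ev["cls"], DEFAULT_LEVEL)
        if level not in LEVEL_KEEPS:
            raise ValueError(f"logging level must be 0-3, got {level!r}")
        if ev["severity"] in LEVEL_KEEPS[level]:
            kept.append(ev)
    return kept


def kept_sequence_numbers(text, levels):
    """Sequence numbers of the events that survive filtering.

    Clearing the display does not reset event numbering (the guide says so),
    so the sequence number is the stable handle when correlating what is on
    screen with the saved log file.
    """
    return [ev["seq"] for ev in filter_events(parse_log(text), levels)]


if __name__ == "__main__":
    # IKE at the most verbose level, CM left at the default.
    for ev in filter_events(parse_log(SAMPLE_LOG), {"[LOG.IKE]": 3}):
        print(ev["seq"], ev["time"], ev["severity"], ev["cls"], ev["msg"])
```

With no per-class settings the default level 1 keeps only the warning and the two critical events; raising [LOG.IKE] to 3 adds the informational IKE event, and setting [LOG.CM] to 0 silences that module entirely while leaving the IKE events untouched.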
Viewing Statistics

• Split tunneling
• NAT transparency

To view VPN session statistics, choose Statistics from the Status menu. The Statistics window has two tabs, Tunnel Details and Route Details. The Tunnel Details tab lists information about the VPN tunnel. The Route Details tab lists information about excluded and secured routes.

Tunnel Details

The Tunnel Details tab (Figure 7-8) displays the IP addresses assigned for this session and byte and packet statistics.
Table 7-2 Tunnel Details (continued)

Field                  Description
Connection Entry Name  The name of the connection entry for this VPN session.
Connection Time        The connection time for this VPN session.
Encryption             Encryption algorithm used for this VPN session. The VPN Client supports:
                       • 56-bit DES (Data Encryption Standard)
                       • 168-bit Triple-DES
                       • AES 128-bit and 256-bit
                       Note The VPN Client continues to support DES/MD5.
Authentication
Figure 7-9 Statistics Window—Route Details

For each local LAN or secured route, the following information is listed:

• Network—The IP address of the VPN device providing the route to the network.
• Subnet Mask—The subnet mask applied to the route.

Notifications

The VPN device that provides your connection to the private network might send notifications to the VPN Client. These notifications appear on the Notifications window.
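To make the Route Details listing concrete, here is an added Python example (not Cisco's code) that turns Network/Subnet Mask rows into prefixes, decides by longest-prefix match whether a destination is covered by a secured route, an excluded (local LAN) route, or no listed route at all, and reports excluded routes that sit inside a secured one. The sample route table, the "secured"/"excluded" labels and the "unrouted" outcome are constructed assumptions; the guide only says the tab lists excluded and secured routes with their network and mask.

```python
import ipaddress

# Constructed route table in the shape the Route Details tab presents:
# (Network, Subnet Mask, kind). "secured" routes are carried inside the
# tunnel; "excluded" routes are local LAN destinations reached outside it.
SAMPLE_ROUTES = [
    ("10.0.0.0", "255.0.0.0", "secured"),
    ("172.16.0.0", "255.240.0.0", "secured"),
    ("192.168.1.0", "255.255.255.0", "excluded"),
]

# Same table with a default secured route, i.e. a tunnel-all configuration
# that still honours Local LAN Access (also constructed).
TUNNEL_ALL_ROUTES = SAMPLE_ROUTES + [("0.0.0.0", "0.0.0.0", "secured")]


def build_routes(rows):
    """Convert (network, mask, kind) rows into (ip_network, kind) tuples.

    strict=False tolerates a Network value with host bits set, which a
    statistics display may well show.
    """
    routes = []
    for network, mask, kind in rows:
        if kind not in ("secured", "excluded"):
            raise ValueError(f"unknown route kind {kind!r}")
        net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
        routes.append((net, kind))
    return routes


def classify_destination(dest, routes):
    """Return 'secured', 'excluded' or 'unrouted' for a destination address.

    Longest-prefix match, as a host routing table would resolve it. 'unrouted'
    means no listed route covers the address; with split tunneling such
    traffic is not carried by the VPN (an assumption, not a statement from
    the guide).
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for net, kind in routes:
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, kind)
    return best[1] if best else "unrouted"


def shadowed_secured_routes(routes):
    """List (secured, excluded) pairs where an excluded route lies inside a
    secured one.

    Such a pair sends part of a protected range outside the tunnel. For a
    tunnel-all entry with Local LAN Access that is the expected shape; for a
    split-tunnel entry it is worth checking against the intended policy.
    """
    findings = []
    for s_net, s_kind in routes:
        if s_kind != "secured":
            continue
        for e_net, e_kind in routes:
            if e_kind != "excluded" or e_net.version != s_net.version:
                continue
            if e_net != s_net and e_net.subnet_of(s_net):
                findings.append((str(s_net), str(e_net)))
    return findings


if __name__ == "__main__":
    for label, rows in (("split tunnel", SAMPLE_ROUTES), ("tunnel all", TUNNEL_ALL_ROUTES)):
        routes = build_routes(rows)
        for dest in ("10.1.2.3", "192.168.1.20", "8.8.8.8"):
            print(label, dest, "->", classify_destination(dest, routes))
        print(label, "excluded-inside-secured:", shadowed_secured_routes(routes))
```

Run against the split-tunnel table, a public address comes back "unrouted" and no exclusion shadows a secured route; against the tunnel-all table the same address is "secured" and the local LAN exclusion is reported as sitting inside 0.0.0.0/0, which is exactly what Allow Local LAN Access is meant to do.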
Figure 7-10 Notifications Window

The top pane of the Notifications window lists the title of each stored notification. The bottom pane displays the notification message associated with the selected title. All notifications from the VPN device are stored in this display during the VPN session. Every VPN session contains at least one notification, the connection history.