VPN 3000 Concentrator Series User Guide Release 2.5 July 2000 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Contents
Preface: About this manual, xxxvii; Prerequisites, xxxvii; Organization
Contents—2 Configuration: Logout tab; Logged in: [username]; Configuration tab
Contents—3 Interfaces: RIP Parameters tab, 3-10; Inbound RIP, 3-10; Outbound RIP
Contents—4 System Configuration: Loopback; Timeslots; PPP Multilink Parameters tab
Contents—6 Address Management: Configuration | System | Servers | Accounting, 5-11; Accounting Servers, 5-12; Add / Modify / Delete / Move
Contents—7 Tunneling Protocols: Configuration | System | Address Management | Pools | Add or Modify; Range Start; Range End
Contents—8 IP Routing: Remote Network, 7-15; Network List, 7-15; IP Address
Contents—9 Management Protocols: Tunnel Default Gateway, 8-6; Override Default Gateway, 8-6; Apply / Cancel
Contents—10 Events: Port, 9-5; Maximum Connections, 9-5; Timeout
Contents—10 Events: Configuration | System | Events | FTP Backup, 10-9; FTP Server, 10-9; FTP Directory
Contents—11 General: Configuration | System | General, 11-1; Configuration | System | General | Identification, 11-2; System Name
Contents—12 User Management: Configuration | User Management | Groups, 12-16; Current Groups, 12-16; Add / Modify / Delete
Contents—13 Policy Management: Configuration | User Management | Groups | Modify (External), 12-32; Group Name, 12-32; Password
Contents—13 Policy Management: Configuration | Policy Management | Traffic Management | Network Lists | Add, Modify, or Copy; List Name; Network List; Generate Local List
Contents—13 Policy Management: Configuration | Policy Management | Traffic Management | Filters, 13-28; Filter List, 13-30; Add Filter
Contents—14 Administration: Administration, 14-1; Administration | Sessions; Refresh
Contents—14 Administration: Administration | Monitoring Refresh, 14-20; Enable, 14-20; Refresh Period
Contents—14 Administration: Administration | File Management | TFTP Transfer; Concentrator File; Action
Contents—15 Monitoring: Subject Alternative Name (Fully Qualified Domain Name), 14-46; CRL Distribution Point, 14-46; Back
Contents—15 Monitoring: Event IP address, 15-8; Event string, 15-8; Monitor | System Status
Contents—15 Monitoring: Packets Received, 15-17; Bytes Received, 15-17; Packets Transmitted
Contents—15 Monitoring: Monitor | Sessions; Refresh; Session Summary table
Contents—15 Monitoring: Bar Graph, 15-40; Percentage, 15-40; Monitor | Sessions | Top Ten Lists
Contents—15 Monitoring: Monitor | Statistics | L2TP; Refresh; Total Tunnels
Contents—15 Monitoring: System Capability Failures, 15-58; No-SA Failures, 15-58; IPSec (Phase 2) Statistics
Contents—15 Monitoring: Timeouts, 15-65; Server Unreachable, 15-65; Other Failures
Contents—15 Monitoring: Invalid Type Received, 15-73; Address List Errors, 15-73; Invalid Authentication Errors
Contents—15 Monitoring: UDP Datagrams Received; UDP Datagrams Transmitted; UDP Errored Datagrams
Contents—15 Monitoring: Area Border Routers, 15-90; Area LSA Count, 15-91; Area LSA Checksum
Contents—16 Using the Command Line Interface: Monitor | Statistics | MIB-II | SNMP; Refresh; Requests Received
Contents—A Errors and troubleshooting: 2.3.2 Administration > System Reboot > Schedule Reboot, 16-15; 2.3.3 Administration > System Reboot > Schedule Shutdown, 16-15; 2.5 Administration > Access Rights, 16-15; 2.5.
Contents—B Copyrights, licenses, and notices: LED indicators, A-9; VPN Concentrator LEDs (front), A-10; VPN Concentrator LEDs (rear)
Contents—Index, Tables: Table 5-1: RADIUS accounting record attributes, 5-12; Table 7-1: Cisco-supplied default IKE Proposals, 7-20; Table 10-1: VPN Concentrator event classes
Preface
About this manual
The VPN 3000 Concentrator Series User Guide provides guidelines for configuring the Cisco VPN 3000 Concentrator, details on all the functions available in the VPN 3000 Concentrator Series Manager, and instructions for using the VPN 3000 Concentrator Series Command Line Interface.
Prerequisites
We assume you have read the VPN 3000 Concentrator Series Getting Started manual and have followed the minimal configuration steps in Quick Configuration.
Chapter 6, Address Management, explains how to configure client IP addresses available in your private network addressing scheme that let the client function as a VPN tunnel endpoint.
Chapter 7, Tunneling Protocols, explains how to configure system-wide parameters for PPTP and L2TP, how to configure IPSec LAN-to-LAN connections, and how to configure IKE proposals for IPSec. These are the three most popular VPN tunneling protocols.
Documentation Conventions The VPN 3000 Monitor User Guide explains how to install, set up, and use the VPN 3000 Monitor, which is a separate Java™ application that polls VPN 3000 Concentrators in a network for information and displays that information on your workstation. The VPN 3000 Concentrator Series Getting Started manual, this VPN 3000 Concentrator Series User Guide, and the VPN 3000 Client User Guide are provided on the system software distribution CD-ROM in PDF format.
Data Formats
As you configure and manage the system, enter data in these formats unless the instructions indicate otherwise.
IP addresses
IP addresses use 4-byte dotted decimal notation; for example, 192.168.12.34. You can omit leading zeros in a byte position.
Subnet masks and wildcard masks
Subnet masks use 4-byte dotted decimal notation; for example, 255.255.255.0. Wildcard masks are the reverse of subnet masks and use the same notation; for example, 0.0.0.255.
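Worked example (added here; it is not from the Cisco guide): a small Python checker for the data formats above. It parses dotted-decimal notation with the leading-zero rule stated above, and goes a step beyond the text by verifying that a subnet mask is contiguous, deriving the wildcard mask as the bitwise reverse, and applying a wildcard mask with its usual Cisco meaning (a 1 bit means "don't care"), which is how a mistyped mask ends up matching more hosts than intended. All sample values are constructed.

```python
# Added example (not from the Cisco guide): validate the dotted-decimal formats the
# preface describes and show how a subnet mask relates to its wildcard mask.


def parse_dotted_quad(text):
    """Parse 4-byte dotted decimal notation into a tuple of four ints.

    Leading zeros in a byte position are accepted, as the guide allows
    (192.168.012.034 is 192.168.12.34). Missing or extra bytes, values above
    255, signs, hex digits and embedded whitespace are rejected.
    """
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r}: expected four dotted-decimal bytes")
    octets = []
    for part in parts:
        if not part.isdigit():            # also rejects empty strings and '-'
            raise ValueError(f"{text!r}: byte {part!r} is not decimal")
        value = int(part, 10)             # base 10: '012' is twelve, never octal
        if value > 255:
            raise ValueError(f"{text!r}: byte {part!r} exceeds 255")
        octets.append(value)
    return tuple(octets)


def is_valid_address(text):
    """True if text is a well-formed dotted-decimal IPv4 address."""
    try:
        parse_dotted_quad(text)
        return True
    except ValueError:
        return False


def canonical(text):
    """Re-emit the address without leading zeros, the way the Manager shows it."""
    return ".".join(str(b) for b in parse_dotted_quad(text))


def to_int(text):
    """Pack the four bytes into a 32-bit integer for bitwise work."""
    return int.from_bytes(bytes(parse_dotted_quad(text)), "big")


def is_subnet_mask(text):
    """A subnet mask is a run of 1 bits followed only by 0 bits.

    Masks such as 255.0.255.0 parse fine as addresses but are not masks; a
    filter or network list built on one matches hosts the author did not intend.
    """
    inverted = (~to_int(text)) & 0xFFFFFFFF
    # The inverse of a contiguous mask is 2**n - 1, so adding 1 clears every bit.
    return inverted & (inverted + 1) == 0


def prefix_length(mask):
    """Count the 1 bits of a valid subnet mask (255.255.255.0 -> 24)."""
    if not is_subnet_mask(mask):
        raise ValueError(f"{mask!r} is not a contiguous subnet mask")
    return bin(to_int(mask)).count("1")


def wildcard_from_subnet(mask):
    """Wildcard masks are the bitwise reverse of subnet masks (255.255.255.0 -> 0.0.0.255)."""
    if not is_subnet_mask(mask):
        raise ValueError(f"{mask!r} is not a contiguous subnet mask")
    return ".".join(str(255 - b) for b in parse_dotted_quad(mask))


def wildcard_matches(address, network, wildcard):
    """Apply a wildcard mask with the usual Cisco meaning: a 1 bit is 'don't care'.

    Only the bits that are 0 in the wildcard have to agree between address and
    network, so a wildcard with too many 1 bits silently widens the match.
    """
    care = (~to_int(wildcard)) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(network) & care)


if __name__ == "__main__":
    print(canonical("192.168.012.034"))                                     # 192.168.12.34
    print(wildcard_from_subnet("255.255.255.0"))                            # 0.0.0.255
    print(is_subnet_mask("255.0.255.0"))                                    # False
    print(wildcard_matches("192.168.12.34", "192.168.12.0", "0.0.0.255"))   # True
    print(wildcard_matches("192.168.99.1", "192.168.12.0", "0.0.255.255"))  # True: too wide
```

The last call shows the failure mode worth checking before saving a filter or network list: a wildcard of 0.0.255.255 where 0.0.0.255 was intended matches every host in 192.168.0.0/16, not just the one /24.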
Contacting Cisco with questions
Cisco provides extensive technical support through its own staff and through authorized agents. If you have questions, we suggest you first try the Cisco Web site at www.cisco.com, and go to the Service & Support section. From there you can go to additional support areas such as the Technical Assistance Center (TAC), software updates, technical documentation, and service and support solutions.
Chapter 1: Using the VPN 3000 Concentrator Series Manager
The VPN 3000 Concentrator Series Manager is an HTML-based interface that lets you configure, administer, monitor, and manage the VPN 3000 Concentrator with a standard Web browser. To use it, you need only connect to the VPN Concentrator using a PC and browser on the same private network as the VPN Concentrator. The Manager uses the standard Web client / server protocol, HTTP (Hypertext Transfer Protocol), which is a cleartext protocol.
• Internet Explorer 5.0:
– On the Tools menu, select Internet Options.
– On the Security tab, click Custom Level.
– In the Security Settings window, scroll down to Scripting.
– Click Enable under Active scripting.
– Click Enable under Scripting of Java applets.
• Navigator / Communicator 4.5:
– On the Edit menu, select Preferences.
– On the Advanced screen, check the box for Enable JavaScript.
Cookies
Be sure cookies are enabled in the browser.
Connecting to the VPN Concentrator using HTTP
When your system administration tasks and network permit a cleartext connection between the VPN Concentrator and your browser, you can use the standard HTTP protocol to connect to the system. Even if you plan to use HTTPS, you use HTTP at first to install an SSL certificate in your browser.
1 Bring up the browser.
installed, you can connect using HTTPS. You need to install the certificate from a given VPN Concentrator only once. Managing the VPN Concentrator is the same with or without SSL. Manager screens may take slightly longer to load with SSL because of encryption / decryption processing. When connected via SSL, the browser shows a locked-padlock icon on its status bar. Both Microsoft Internet Explorer and Netscape Navigator support SSL.
Installing the SSL certificate in your browser
Figure 1-3: Internet Explorer File Download dialog box
3 Click the Open this file from its current location radio button, then click OK. The browser displays the Certificate dialog box with information about the certificate. You must now install the certificate.
Figure 1-4: Internet Explorer Certificate dialog box
4 Click Install Certificate. The browser starts a wizard to install the certificate.
Figure 1-5: Internet Explorer Certificate Manager Import Wizard dialog box
5 Click Next to continue. The wizard opens the next dialog box asking you to select a certificate store.
Figure 1-6: Internet Explorer Certificate Manager Import Wizard dialog box
6 Let the wizard Automatically select the certificate store, and click Next. The wizard opens a dialog box to complete the installation.
Figure 1-7: Internet Explorer Certificate Manager Import Wizard dialog box
7 Click Finish. The wizard opens the Root Certificate Store dialog box asking you to confirm the installation.
Figure 1-8: Internet Explorer Root Certificate Store dialog box
8 To install the certificate, click Yes. This dialog box closes, and a final wizard confirmation dialog box opens.
Figure 1-10: Internet Explorer Security Alert dialog box
11 Click OK. The VPN Concentrator displays the HTTPS version of the Manager login screen.
Figure 1-11: VPN Concentrator Manager login screen using HTTPS (Internet Explorer)
The browser maintains the HTTPS state until you close it or access a non-secure site; in the latter case you may see a Security Alert screen. Proceed to Logging in the VPN Concentrator Manager on page 1-18 to log in as usual.
Viewing certificates with Internet Explorer
There are (at least) two ways to examine certificates stored in Internet Explorer. First, note the padlock icon on the browser status bar in Figure 1-11. If you double-click the icon, the browser opens a Certificate Properties screen showing details of the specific certificate in use.
Figure 1-12: Internet Explorer 4.0 Certificate Properties screen
Click any of the Field items to see Details.
Installing the SSL certificate with Netscape
This section describes SSL certificate installation using Netscape Navigator / Communicator 4.5.
Reinstallation
You need to install the SSL certificate from a given VPN Concentrator only once. If you try to reinstall it, Netscape displays the note in Figure 1-14. Click OK and just connect to the VPN Concentrator using SSL (see Step 7 on page 1-13).
Figure 1-16: Netscape New Certificate Authority screen 2
2 Click Next> to proceed. Netscape displays the next New Certificate Authority screen, which lets you examine details of the VPN Concentrator SSL certificate.
Figure 1-17: Netscape New Certificate Authority screen 3
3 Click Next> to proceed. Netscape displays the next New Certificate Authority screen, with choices for using the certificate. No choices are checked by default.
Figure 1-18: Netscape New Certificate Authority screen 4
4 You must check at least the first box, Accept this Certificate Authority for Certifying network sites. Click Next> to proceed. Netscape displays the next New Certificate Authority screen, which lets you choose to have the browser warn you about sending data to the VPN Concentrator.
Figure 1-19: Netscape New Certificate Authority screen 5
5 Checking the box is optional.
Figure 1-20: Netscape New Certificate Authority screen 6
6 In the Nickname field, enter a descriptive name for this certificate. “Nickname” is something of a misnomer. We suggest you use a clearly descriptive name such as Cisco VPN Concentrator 10.10.147.2. This name appears in the list of installed certificates; see Viewing certificates with Netscape below. Click Finish. You can now connect to the VPN Concentrator using HTTP over SSL (HTTPS).
Figure 1-22: VPN Concentrator Manager login screen using HTTPS (Netscape)
The browser maintains the HTTPS state until you close it or access a non-secure site; in the latter case, you may see a Security Information Alert dialog box. Proceed to Logging in the VPN Concentrator Manager on page 1-18 to log in as usual.
Viewing certificates with Netscape
There are (at least) two ways to examine certificates stored in Netscape Navigator / Communicator 4.5. First, note the locked-padlock icon on the bottom status bar in Figure 1-22. If you click the icon, Netscape opens a Security Info window. (You can also open this window by clicking Security on the Navigator Toolbar at the top of the Netscape window.)
Figure 1-25: Netscape Certificates Signers list
Select a certificate, then click Edit, Verify, or Delete. Click OK when finished.
Connecting to the VPN Concentrator using HTTPS
Once you have installed the VPN Concentrator SSL certificate in the browser, you can connect directly using HTTPS.
1 Bring up the browser.
2 In the browser Address or Location field, enter https:// plus the VPN Concentrator private interface IP address; for example, https://10.10.147.2. The browser displays the VPN Concentrator Manager HTTPS login screen.
Logging in the VPN Concentrator Manager
Logging in the VPN Concentrator Manager is the same for both types of connections: cleartext HTTP or secure HTTPS. Entries are case-sensitive, so type them carefully. With Microsoft Internet Explorer, you can press the Tab key to move from field to field; other browsers may work differently. If you make a mistake, click the Clear button and start over. The entries that follow are the factory-supplied default entries.
Configuring HTTP, HTTPS, and SSL parameters
HTTP, HTTPS, and SSL are enabled by default on the VPN Concentrator, and they are configured with recommended parameters that should suit most administration tasks and security requirements. To configure HTTP and HTTPS parameters, see the Configuration | System | Management Protocols | HTTP/HTTPS screen. To configure SSL parameters, see the Configuration | System | Management Protocols | SSL screen.
Mouse pointer and tips
As you move the mouse pointer over an active area, the pointer changes shape and icons change color. A description also appears in the status bar area. If you momentarily rest the pointer on an icon, a descriptive tip appears for that icon.
Top frame (Manager toolbar)
The Manager toolbar in the top frame provides quick access to Manager features.
Understanding the VPN Concentrator Manager window
tac@cisco.com
Click this link to open your configured email application and compose an email message to Cisco’s Technical Assistance Center (TAC). When you finish, the application closes and returns to this Support screen.
Logout tab
Click to log out of the Manager and return to the login screen.
Logged in: [username]
The administrator username you used to log in to this Manager session.
Refresh
Click to refresh (update) the screen contents on screens where it appears (mostly in the Monitoring section). The date and time above this reminder indicate when the screen was last updated.
Cisco Systems logo
Click the Cisco Systems logo to open a browser and go to the Cisco web site, www.cisco.com.
Left frame (Table of contents)
The left frame provides a table of contents to Manager screens.
Organization of the VPN Concentrator Manager
The VPN Concentrator Manager consists of three major sections and many subsections:
• Configuration: setting all the parameters for the VPN Concentrator that govern its use and functionality as a VPN device:
– Interfaces: Ethernet, WAN, and power supply interface parameters.
Navigating the VPN Concentrator Manager
Your primary tool for navigating the VPN Concentrator Manager is the table of contents in the left frame. Figure 1-30 shows all its entries, completely expanded. (The figure shows the frame in multiple columns, but the actual frame is a single column. Use the scroll controls to move up and down the frame.)
Chapter 2: Configuration
Configuring the VPN Concentrator means setting all the parameters that govern its use and functionality as a VPN device. Cisco supplies default parameters that cover typical installations and uses, and once you supply minimal parameters in Quick Configuration, the system is operational. But to tailor the system to your needs, and to provide an appropriate level of system security, you should configure the system in detail.
Chapter 3: Interfaces
This section of the VPN 3000 Concentrator Series Manager applies primarily to Ethernet and WAN network interfaces. Here you configure functions that are interface-specific, rather than system-wide. There is also a screen to configure power supply and voltage sensor alarms.
Configuration | Interfaces
This section lets you configure the three VPN Concentrator Ethernet interface modules and, if present, two WAN module interface ports. You can also configure alarm thresholds for the power supply modules. Model 3005 comes with two Ethernet interfaces. Models 3015–3080 come with three Ethernet interfaces. Optionally, all models can have a WAN interface module installed, with two T1/E1 WAN interface ports.
Figure 3-1: Configuration | Interfaces screen (panels: Model 3005; Model 3015–3080)
To configure a module, either click the appropriate link in the status table; or use the mouse pointer to select the module on the back-panel image, and click anywhere in the highlighted area.
Interface
The VPN Concentrator interface installed in the system. To configure an interface, click the appropriate link.
Ethernet 1 (Private), Ethernet 2 (Public), Ethernet 3 (External)
To configure Ethernet interface parameters, click the appropriate highlighted link in the table or click in a highlighted module on the back-panel image. See Configuration | Interfaces | Ethernet 1 2 3.
WAN Interface in slot N, Port A B
To configure parameters for a specific WAN interface port, click the appropriate highlighted link in the table.
Power Supplies
To configure alarm thresholds on system power supplies, click the appropriate highlighted link or click in a highlighted power supply module in the back-panel image and see Configuration | Interfaces | Power.

Configuration | Interfaces | Power
Figure 3-2: Configuration | Interfaces | Power screen (Model 3005; Model 3015–3080)

Alarm Thresholds
The fields show default values for alarm thresholds in centivolts; e.g., 361 = 3.61 volts. Enter or edit these values as desired. The hardware sets voltage thresholds in increments that may not match an entered value. The fields show the actual thresholds, and the values may differ from your entries.

CPU
High and low thresholds for the voltage sensors on the CPU chip.
Apply / Cancel
To apply your settings to the system and include them in the active configuration, click Apply. The Manager returns to the Configuration | Interfaces screen.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Interfaces screen.

Configuration | Interfaces | Ethernet 1 2 3
Figure 3-3: Configuration | Interfaces | Ethernet 1 2 3 screen, General tab

General Parameters tab
This tab lets you configure general interface parameters: IP address, subnet mask, public interface status, filter, speed, and transmission mode.

Enabled
To make the interface functional and online, check Enabled. If not enabled, the interface is offline; this state lets you retain or change its configuration parameters while it is offline.
IPSec LAN-to-LAN, for example. You should designate only one VPN Concentrator interface as a public interface.

MAC Address
This is the unique hardware MAC (Medium Access Control) address for this interface, displayed in 6-byte hexadecimal notation. You cannot change this address.

Filter
The filter governs the handling of data packets through this interface: whether to forward or drop, according to configured criteria.
Figure 3-4: Configuration | Interfaces | Ethernet 1 2 3 screen, RIP tab

RIP Parameters tab
RIP is a routing protocol that routers use for messages to other routers, to determine network connectivity, status, and optimum paths for sending data traffic. RIP uses distance-vector routing algorithms, and it is an older protocol that generates more network traffic than OSPF. The VPN Concentrator includes IP routing functions that support RIP versions 1 and 2.
RIPv2 Only = Send only RIPv2 messages on this interface.
RIPv2/v1 compatible = Send RIPv2 messages that are compatible with RIPv1 on this interface.

Figure 3-5: Configuration | Interfaces | Ethernet 1 2 3 screen, OSPF tab

OSPF Parameters tab
OSPF is a routing protocol that routers use for messages to other routers, to determine network connectivity, status, and optimum paths for sending data traffic.
The 0.0.0.0 area ID identifies a special area—the backbone—that contains all area border routers, which are the routers connected to multiple areas. Enter the area ID in the field, using IP address format in dotted decimal notation (e.g., 10.10.0.0). The default entry is 0.0.0.0, the backbone. Your entry also appears in the OSPF Area list on the Configuration | System | IP Routing | OSPF Areas screen.

OSPF Priority
This entry assigns a priority to the OSPF router on this interface.
Enter the delay as a number from 0 to 3600 seconds. The default is 1 second, which is a typical value for LANs.

OSPF Authentication
This parameter sets the authentication method for OSPF protocol messages. OSPF messages can be authenticated so that only trusted routers can route messages within the domain. This authentication method must be the same for all routers on a common network.
Configuration | Interfaces | WAN Card in Slot N

The Manager displays this screen when you click the WAN module in the back-panel image on the Configuration | Interfaces screen. The table shows the status of the WAN module interface ports, and from there you can choose a port to configure. Note that the LEDs on this screen do not show actual WAN card LED states.
Red = (Red) Red alarm: Line has lost synchronization or signal. This alarm indicates out of frame errors or a mismatched framing format, or a disconnected line.
Blue = (Blue) Blue alarm: A problem on the receive path is causing the line to lose the remote signal. This alarm indicates a problem in the data bit stream.

Configuration | Interfaces | WAN Card in Slot N | Port A B | Select T1/E1
E1: up to 31 64-Kbps channels
The E1 interface conforms to European Digital Hierarchy standards, with up to 31 64-Kbps channels for a maximum of 1984 Kbps. When you click this link, the Manager opens the Configuration | Interfaces | WAN Card in Slot N | Port A B as E1 screen, which lets you configure E1 parameters.

Configuration | Interfaces | WAN Card in Slot N | Port A B as T1 or E1

This screen lets you configure parameters for the WAN interface port you selected.
Figure 3-8: Configuration | Interfaces | WAN Card in Slot N | Port A B as T1 or E1 screen, IP tab

IP Parameters tab
This tab lets you configure IP address, subnet mask, public interface status, and filter.

Enabled
To make the WAN interface functional and online, check Enabled. If not enabled, the interface is offline; this state lets you retain or change its configuration parameters while it is offline.
Filter
The filter governs the handling of data packets through this interface: whether to forward or drop, according to configured criteria. Cisco supplies three default filters that you can modify and use with the VPN Concentrator. You can configure filters on the Configuration | Policy Management | Traffic Management screens. Click the drop-down menu button and select the filter to apply to this interface:
1. Private (Default) = Allow all packets except source-routed IP packets.
2.
Inbound RIP
This parameter applies to RIP messages coming into the VPN Concentrator. It configures the system to listen for RIP messages on this interface. Click the drop-down menu button and select the inbound RIP function:
Disabled = No inbound RIP functions; i.e., the system does not listen for any RIP messages on this interface (default).
RIPv1 Only = Listen for and interpret only RIPv1 messages on this interface.
Figure 3-10: Configuration | Interfaces | WAN Card in Slot N | Port A B as T1 or E1 screen, OSPF tab

OSPF Parameters tab
OSPF is a routing protocol that routers use for messages to other routers, to determine network connectivity, status, and optimum paths for sending data traffic. OSPF uses link-state routing algorithms, and it is a newer protocol than RIP. It generates less network traffic and generally provides faster routing updates, but it requires more processing power than RIP.
Enter the area ID in the field, using IP address format in dotted decimal notation (e.g., 10.10.0.0). The default entry is 0.0.0.0, the backbone. Your entry also appears in the OSPF Area list on the Configuration | System | IP Routing | OSPF Areas screen.

OSPF Priority
This entry assigns a priority to the OSPF router on this interface.
OSPF Authentication
This parameter sets the authentication method for OSPF protocol messages. OSPF messages can be authenticated so that only trusted routers can route messages within the domain. This authentication method must be the same for all routers on a common network. Click the drop-down menu button and select the authentication method:
None = No authentication. OSPF messages are not authenticated (default).
Simple Password = Use a clear-text password for authentication.
WAN Parameters tab
This tab lets you configure T1/E1 parameters: line coding, line framing, line buildout, clock source, data inversion, loopback mode, and timeslots.

Line Coding
A T1/E1 line uses a bipolar format for generating signals, with alternating plus and minus pulses. The line codes maintain synchronization on the line. To set the correct line code, consult your T1/E1 carrier.
Buildout
Line buildout is a conditioning factor that limits loss of signal strength on the line. Your T1/E1 carrier provides information on how to set this option. The length of the line and the transmit power across it determine the buildout value, which is measured in decibels (dB). Click the drop-down menu button and select the buildout value for the line:
-0.0 dB = This is the default selection.
-7.5 dB
-15.
Figure 3-12: Configuration | Interfaces | WAN Card in Slot N | Port A B as T1 or E1 screen, PPP tab

PPP Multilink Parameters tab
This tab lets you configure a PPP Multilink connection on this WAN interface. PPP (Point-to-Point Protocol) provides communication between two points over a serial interface, in this case a synchronous line.
CHAPTER 4 System Configuration

System configuration means configuring parameters for system-wide functions in the VPN Concentrator.

Configuration | System

This section of the Manager lets you configure parameters for VPN Concentrator system-wide functions.
• Servers: identifying servers for authentication, accounting, DNS, DHCP, and NTP.
• Address Management: assigning addresses to clients as a tunnel is established.
CHAPTER 5 Servers

Configuring servers means identifying them to the VPN 3000 Concentrator so it can communicate with them correctly. These servers provide user authentication and accounting functions, convert hostnames to IP addresses, assign client IP addresses, and synchronize the system with network time. The VPN Concentrator functions as a client of these servers.
5 Servers

Configuration | System | Servers | Authentication

This section lets you configure the VPN Concentrator internal server and external RADIUS, NT Domain, and SDI servers for authenticating users. To create and use a VPN, you must configure at least one authentication server type; i.e., at least one method of authenticating users.
Authentication Servers
The Authentication Servers list shows the configured servers, in priority order. Each entry shows the server identifier and type; e.g., 192.168.12.34 (Radius). If no servers have been configured, the list shows --Empty--. The first server of each type is the primary, the rest are backup.

Add / Modify / Delete / Move / Test
To configure a new user authentication server, click Add.

Configuration | System | Servers | Authentication | Add or Modify
Find your selected Server Type below.

Server Type = RADIUS
Configure these parameters for a RADIUS (Remote Authentication Dial-In User Service) authentication server.

Figure 5-3: Configuration | System | Servers | Authentication | Add or Modify RADIUS screen

Authentication Server
Enter the IP address or hostname of the RADIUS authentication server; e.g., 192.168.12.34. Maximum 32 characters.
Server Secret
Enter the RADIUS server secret (also called the shared secret); e.g., C8z077f. Maximum 64 characters. The field shows only asterisks.

Verify
Re-enter the RADIUS server secret to verify it. The field shows only asterisks.

Add or Apply / Cancel
To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply.
Server Port
Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 139.

Timeout
Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. Minimum is 1 second, default is 4 seconds, maximum is 30 seconds.

Retries
Enter the number of times to retry sending a query to the server after the timeout period.
Figure 5-5: Configuration | System | Servers | Authentication | Add or Modify SDI screen

Authentication Server
Enter the IP address or hostname of the SDI authentication server; e.g., 192.168.12.34. Maximum 32 characters. (If you have configured a DNS server, you can enter a hostname in this field; otherwise, enter an IP address.)

Server Port
Enter the UDP port number by which you access the server.
Server Type = Internal Server
The VPN Concentrator internal authentication server lets you enter a maximum of 100 groups and users (combined) in its database. To do so, see the Configuration | User Management screens, or click the highlighted link on the Configuration | System | Servers | Authentication screen. The internal server has no configurable parameters; therefore, there is no Modify screen.
Yes / No
To delete the internal authentication server, click Yes. There is no undo. The Manager returns to the Configuration | System | Servers | Authentication screen and shows the remaining entries in the Authentication Servers list.
To not delete the internal authentication server, click No. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.

Configuration | System | Servers | Authentication | Test
To cancel the test and discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen.

Authentication Server Test: Success
If the VPN Concentrator communicates correctly with the authentication server, and the server correctly authenticates a valid user, the Manager displays a Success screen.
The server may be improperly configured or out of service, the network may be down or clogged, etc. Check the server configuration parameters, be sure the server is operating, check the network connections, etc.

Figure 5-11: Authentication Server Test: Authentication Error screen

To return to the Configuration | System | Servers | Authentication | Test screen, click Retry the operation. To go to the main VPN Concentrator Manager screen, click Go to main menu.

Configuration | System | Servers | Accounting
The VPN Concentrator communicates with RADIUS accounting servers per RFC 2139 and currently includes the attributes in Table 5-1 in the accounting start and stop records. These attributes may change.
To remove a configured user authentication server, select the server from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the Accounting Servers list.
To change the priority order for configured servers, select the entry from the list and click Move ↑ or Move ↓. The Manager refreshes the screen and shows the reordered Accounting Servers list.

Configuration | System | Servers | Accounting | Add or Modify
Retries
Enter the number of times to retry sending a query to the accounting server after the timeout period. If there is still no response after this number of retries, the system declares this server inoperative and uses the next accounting server in the list. Minimum is 0, default is 3, maximum is 10 retries.

Server Secret
Enter the server secret (also called the shared secret); e.g., C8z077f. The field shows only asterisks.

Verify
Re-enter the server secret to verify it.
Configuration | System | Servers | DNS

Figure 5-14: Configuration | System | Servers | DNS screen

Enabled
To use DNS functions, check Enabled (the default). To disable DNS, clear the box.

Domain
Enter the name of the registered domain in which the VPN Concentrator is located; e.g., altiga.com. Maximum 48 characters. This entry is sometimes called the domain name suffix or sub-domain.
Timeout Period
Enter the initial time in seconds to wait for a response to a DNS query before sending the query to the next server. Minimum is 1, default is 2, maximum is 30 seconds. This time doubles with each retry cycle through the list of servers.

Timeout Retries
Enter the number of times to retry sending a DNS query to the configured servers, in order. In other words, this is the number of times to cycle through the list of servers before returning an error.
Configuration | System | Servers | DHCP

Figure 5-15: Configuration | System | Servers | DHCP screen

DHCP Servers
The DHCP Servers list shows the configured servers, in priority order. Each entry shows the server identifier, which can be an IP address or a hostname; e.g., 192.168.12.34. If no servers have been configured, the list shows --Empty--. The first server is the primary, the rest are backup.

Add / Modify / Delete / Move
To configure a new DHCP server, click Add.
Configuration | System | Servers | DHCP | Add or Modify

These screens let you:
Add: Configure and add a new DHCP server to the list of configured servers.
Modify: Modify the parameters for a configured DHCP server.

Figure 5-16: Configuration | System | Servers | DHCP | Add or Modify screen

DHCP Server
Enter the IP address or hostname of the DHCP server; e.g., 192.168.12.34. (If you have configured a DNS server, you can enter a hostname in this field; otherwise, enter an IP address.)
To make the NTP function operational, you must configure at least one NTP server (host). You can configure up to 10 NTP servers. The VPN Concentrator queries all of them and synchronizes its system clock with the derived network time.

Figure 5-17: Configuration | System | Servers | NTP screen

Configuration | System | Servers | NTP | Parameters

This Manager screen lets you configure the NTP synchronization frequency parameter; i.e.
Configuration | System | Servers | NTP | Hosts

This section of the Manager lets you add, modify, and delete NTP hosts (servers). To make the NTP function operational, you must configure at least one NTP host. You can configure a maximum of 10 hosts. The VPN Concentrator queries all configured hosts and derives the correct network time from their responses.

Figure 5-19: Configuration | System | Servers | NTP | Hosts screen

NTP Hosts
The NTP Hosts list shows the configured servers.
Configuration | System | Servers | NTP | Hosts | Add or Modify

These screens let you:
Add a new NTP host to the list of configured hosts.
Modify a configured NTP host.

Figure 5-20: Configuration | System | Servers | NTP | Hosts | Add or Modify screen

NTP Host
Enter the IP address or hostname of the NTP host (server); e.g., 192.168.12.34.
CHAPTER 6 Address Management

IP addresses make internetworking connections possible. They are like telephone numbers: both the sender and receiver must have an assigned number in order to connect. But with VPNs, there are actually two sets of addresses: the first set connects client and server on the public network; and once that connection is made, the second set connects client and server through the VPN tunnel.
6 Address Management

Configuration | System | Address Management | Assignment

This screen lets you select prioritized methods for assigning IP addresses to clients as a tunnel is established. The VPN Concentrator tries the selected methods in the order listed until it finds a valid IP address to assign. You must select at least one method. You can select any and all methods. There are no default methods.
Use Address Pools
Check this box to have the VPN Concentrator assign IP addresses from an internally configured pool. If you use this method, configure the IP address pools on the Configuration | System | Address Management | Pools screens below.

Apply / Cancel
To include your settings in the active configuration, click Apply. The Manager returns to the Configuration | Address Management screen.

Configuration | System | Address Management | Pools
Add / Modify / Delete
To configure a new IP address pool, click Add. The Manager opens the Configuration | System | Address Management | Pools | Add screen.
To modify an IP address pool that has been configured, select the pool from the list and click Modify. The Manager opens the Configuration | System | Address Management | Pools | Modify screen.
To delete an IP address pool that has been configured, select the pool from the list and click Delete. There is no confirmation or undo.
Configuration | System | Address Management | Pools | Add or Modify

Add or Apply / Cancel
To add this IP address pool to the list of configured pools, click Add. Or to apply your changes to this IP address pool, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Address Management | Pools screen. Any new pool appears at the end of the IP Pool Entry list.
CHAPTER 7 Tunneling Protocols

Tunneling protocols are the heart of virtual private networking. The tunnels make it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network. The secure connection is called a tunnel, and the VPN 3000 Concentrator Series uses tunneling protocols to:
• Negotiate tunnel parameters.
• Establish tunnels.
• Authenticate users and data.
• Manage security keys.
• Encrypt and decrypt data.
7 Tunneling Protocols

Configuration | System | Tunneling Protocols

This section of the Manager lets you configure system-wide parameters for tunneling protocols.
• PPTP: Configure PPTP parameters.
• L2TP: Configure L2TP parameters.
• IPSec: Configure IPSec parameters and connections.
  – LAN-to-LAN: IPSec LAN-to-LAN connections between two VPN Concentrators (or between the VPN Concentrator and another secure gateway).
  – IKE Proposals: IKE proposals for IPSec Security Associations and LAN-to-LAN connections.
Configuration | System | Tunneling Protocols | PPTP

Figure 7-2: Configuration | System | Tunneling Protocols | PPTP screen

Note: Cisco supplies default settings for PPTP parameters that ensure optimum performance for typical VPN use. We strongly recommend that you not change the defaults without advice from Cisco personnel.

Enabled
Check the box to enable PPTP system-wide functions on the VPN Concentrator, or clear it to disable. The box is checked by default.
Packet Window Size
Enter the maximum number of received but unacknowledged PPTP packets that the system can buffer. The system must queue unacknowledged PPTP packets until it can process them. Minimum is 0, maximum is 32, default is 16 packets.

Limit Transmit to Window
Check the box to limit the number of transmitted PPTP packets to the client’s packet window size. Ignoring the window improves performance, provided that the client can ignore the window violation.
Apply / Cancel
To apply your PPTP settings and to include them in the active configuration, click Apply. The Manager returns to the Configuration | System | Tunneling Protocols screen.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Tunneling Protocols screen.

Configuration | System | Tunneling Protocols | L2TP
Enabled
Check the box to enable L2TP system-wide functions on the VPN Concentrator, or clear it to disable. The box is checked by default.

Caution: Disabling L2TP terminates any active L2TP sessions.

Maximum Tunnel Idle Time
Enter the time in seconds to wait before disconnecting an established L2TP tunnel with no active sessions. An open tunnel consumes system resources. Enter 0 to disconnect the tunnel immediately after the last session terminates (no idle time).
Hello Interval
Enter the time in seconds to wait when the L2TP tunnel is idle (no control or payload packets received) before sending a Hello (or “keep-alive”) packet to the remote client. Minimum is 1, maximum is 3600, and default is 60 seconds.

Apply / Cancel
To apply your L2TP settings and to include them in the active configuration, click Apply. The Manager returns to the Configuration | System | Tunneling Protocols screen.

Configuration | System | Tunneling Protocols | IPSec
• Extended Authentication (XAuth)
• Mode Configuration (also known as ISAKMP Configuration Method)
• Tunnel Encapsulation Mode

You configure IKE proposals (parameters for the IKE SA) here. You apply them to IPSec LAN-to-LAN connections in this section, and to IPSec SAs on the Configuration | Policy Management | Traffic Management | Security Associations screens. Therefore, you should configure IKE proposals before configuring other IPSec parameters.
Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN

Figure 7-5: Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screen

LAN-to-LAN Connection
The LAN-to-LAN Connection list shows connections that have been configured. The connections are listed in the order you configure them, in the format: Name (Peer IP Address) on Interface; for example, Branch 1 (192.168.34.56) on Ethernet 2 (Public). If no connections have been configured, the list shows --Empty--.
Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | No Public Interfaces

The Manager displays this screen if you have not configured a public interface on the VPN Concentrator and you try to add an IPSec LAN-to-LAN connection. The public interface need not be enabled, but it must be configured with an IP address and the Public Interface parameter enabled. You should designate only one VPN Concentrator interface as a public interface.
Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add or Modify

Figure 7-7: Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add or Modify screen

When you Add or Modify a connection on these screens, the VPN Concentrator automatically:
• Creates or modifies two filter rules with the Apply IPSec action: one inbound, one outbound, named L2L: In and L2L: Out.
• Creates or modifies an IPSec Security Association named L2L:.
All of the rules, SAs, filters, and group have default parameters or those specified on this screen. You can modify the rules and SA on the Configuration | Policy Management | Traffic Management screens, the group on the Configuration | User Management | Groups screens, and the interface on the Configuration | Interfaces screens. However, we recommend that you keep the configured defaults.
Digital Certificate
This parameter specifies whether to use preshared keys or a PKI (Public Key Infrastructure) digital identity certificate to authenticate the peer during Phase 1 IKE negotiations. See the discussion under Administration | Certificate Management. Click the drop-down menu button and select the option.
IKE Proposal
This parameter specifies the set of attributes for Phase 1 IPSec negotiations, which are known as IKE proposals. See the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. You must configure, activate, and prioritize IKE proposals before configuring LAN-to-LAN connections. Click the drop-down menu button and select the IKE proposal. The list shows only active IKE proposals in priority order.
Note: An IP address is used with a wildcard mask to provide the desired granularity. A wildcard mask is the reverse of a subnet mask; i.e., the wildcard mask has 1s in bit positions to ignore, 0s in bit positions to match. For example:
0.0.0.0/255.255.255.255 = any address
10.10.1.35/0.0.0.0 = only 10.10.1.35
10.10.1.35/0.0.0.255 = all 10.10.1.
Wildcard Mask
Enter the wildcard mask for the private remote network. Use dotted decimal notation; e.g., 0.255.255.255. The system supplies a default wildcard mask appropriate to the IP address class.

Add or Apply / Cancel
Add screen: To add this connection to the list of configured LAN-to-LAN connections, click Add. If you are creating new network lists, the Manager automatically displays the appropriate Local or Remote Network List screens.
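The wildcard-mask rule from the note above (1 bits are ignored, 0 bits must match) and the class-based default the Wildcard Mask field supplies, as an added example that is not code from the Cisco manual or the VPN Concentrator; the classful A/B/C mapping and the treatment of other ranges are this example's assumptions:

```python
"""Wildcard-mask matching for LAN-to-LAN network entries (added example)."""
import ipaddress


def _to_int(dotted: str) -> int:
    """Parse dotted-decimal notation into a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(packet_ip: str, network: str, wildcard: str) -> bool:
    """Return True if packet_ip falls inside network/wildcard.

    Every bit position where the wildcard mask is 0 must be identical in
    packet_ip and network; positions where the mask is 1 are ignored.
    """
    care_bits = (~_to_int(wildcard)) & 0xFFFFFFFF   # invert: 1 = must match
    return (_to_int(packet_ip) & care_bits) == (_to_int(network) & care_bits)


def matches_entry(packet_ip: str, entry: str) -> bool:
    """Accept an entry in the manual's address/wildcard format, e.g. 10.10.1.35/0.0.0.255."""
    network, wildcard = entry.split("/")
    return wildcard_matches(packet_ip, network, wildcard)


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """A wildcard mask is the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address((~_to_int(subnet_mask)) & 0xFFFFFFFF))


def default_wildcard_for_class(network: str) -> str:
    """Default wildcard by classful address range.

    Assumption: classes A, B and C are taken from the leading bits of the
    first octet as classful routing defined them; class D/E ranges, which
    have no host portion, get 0.0.0.0 (an exact-match wildcard).
    """
    first_octet = _to_int(network) >> 24
    if first_octet < 128:          # Class A: 0xxxxxxx, 8-bit network part
        return "0.255.255.255"
    if first_octet < 192:          # Class B: 10xxxxxx, 16-bit network part
        return "0.0.255.255"
    if first_octet < 224:          # Class C: 110xxxxx, 24-bit network part
        return "0.0.0.255"
    return "0.0.0.0"


if __name__ == "__main__":
    # Constructed sample checks mirroring the three entries in the note.
    for entry, probe in [("0.0.0.0/255.255.255.255", "192.0.2.7"),
                         ("10.10.1.35/0.0.0.0", "10.10.1.36"),
                         ("10.10.1.35/0.0.0.255", "10.10.1.200")]:
        print(f"{probe:>14} in {entry:<24} -> {matches_entry(probe, entry)}")
    print("default wildcard for 10.0.0.0:", default_wildcard_for_class("10.0.0.0"))
```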
Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Local or Remote Network List

Figure 7-8: Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Local or Remote Network List screen

List Name
The Manager supplies a default name that identifies the list as a LAN-to-LAN local or remote list, which we recommend you keep. Otherwise, enter a unique name for this network list. Maximum 48 characters, case-sensitive. Spaces are allowed.
Generate Local List
On the Local Network List screen, click this button to have the Manager automatically generate a network list using the first 200 valid network routes in the routing table for the Ethernet 1 (Private) interface of this VPN Concentrator. (See Monitoring | Routing Table.) The Manager refreshes the screen after it generates the list, and you can then edit the Network List and the List Name.

Note: The generated list replaces any existing entries in the Network List.
Figure 7-9: Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Done screen

OK
To close this screen and return to the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screen, click OK. The LAN-to-LAN Connection list shows the new connection, and the Manager includes all the new settings in the active configuration.

Configuration | System | Tunneling Protocols | IPSec | IKE Proposals
Figure 7-10: Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen

Cisco supplies default IKE proposals that you can use or modify; see Table 7-1. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add for explanations of the parameters.
Active Proposals
The field shows the names of IKE proposals that have been configured, activated, and prioritized. As an IPSec responder, the VPN Concentrator checks these proposals in priority order, to see if it can find one that agrees with parameters in the initiator’s proposed SA.
Modify
To modify a configured IKE proposal, select it from either Active Proposals or Inactive Proposals and click this button. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Modify. Modifying an active proposal does not affect connections currently using it, but changes do affect subsequent connections.
Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add, Modify, or Copy

Figure 7-11: Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add, Modify, or Copy screen

Proposal Name
Enter a unique name for this IKE proposal. Maximum is 48 characters, case-sensitive. Spaces are allowed.

Authentication Mode
This parameter specifies how to authenticate the remote client or peer. Authentication proves that the connecting entity is who you think it is.
Authentication Algorithm
This parameter specifies the data, or packet, authentication algorithm. Packet authentication proves that data comes from whom you think it comes from. Click the drop-down menu button and select the algorithm:
MD5/HMAC-128 = HMAC (Hashed Message Authentication Coding) with the MD5 hash function using a 128-bit key. This is the default selection.
SHA/HMAC-160 = HMAC with the SHA-1 hash function using a 160-bit key.
Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add, Modify, or Copy Data Lifetime If you select Data or Both under Lifetime Measurement above, enter the number of kilobytes of payload data after which the IKE SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB. Time Lifetime If you select Time or Both under Lifetime Measurement above, enter the number of seconds after which the IKE SA expires.
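The responder-side search through Active Proposals described above, together with the Data/Time/Both expiry rules under Data Lifetime and Time Lifetime, modelled as an added example; this is not Cisco's code or the VPN Concentrator's implementation. The field names, the exact-match rule for "agreeing" proposals, and the Time Lifetime default used here are assumptions.

```python
# Added example (not Cisco's code): a model of two behaviours described in
# this section for IKE proposals on the VPN Concentrator:
#   1. as responder, the active proposals are tried in priority order and the
#      first one that agrees with a proposal offered by the initiator wins;
#   2. an IKE SA expires by Time, by Data (kilobytes of payload), or by Both.
# The "agree" rule (exact match of the cryptographic parameters) and the
# Time Lifetime default are assumptions made for this example.
from dataclasses import dataclass
from typing import Optional, Sequence

# Data Lifetime limits quoted on the Add/Modify screen.
DATA_LIFETIME_MIN_KB = 100
DATA_LIFETIME_DEFAULT_KB = 10000
DATA_LIFETIME_MAX_KB = 2147483647


@dataclass(frozen=True)
class IkeProposal:
    name: str
    auth_mode: str                      # how the peer is authenticated
    auth_alg: str                       # "MD5/HMAC-128" or "SHA/HMAC-160"
    encryption: str                     # e.g. "3DES-168"
    dh_group: int                       # Diffie-Hellman group
    lifetime_measurement: str = "Time"  # "Time", "Data" or "Both"
    data_lifetime_kb: int = DATA_LIFETIME_DEFAULT_KB
    time_lifetime_secs: int = 86400     # assumed default for this example
    active: bool = True                 # Active vs. Inactive Proposals list

    def __post_init__(self):
        if self.lifetime_measurement not in ("Time", "Data", "Both"):
            raise ValueError("Lifetime Measurement must be Time, Data or Both")
        if self.lifetime_measurement in ("Data", "Both") and not (
                DATA_LIFETIME_MIN_KB <= self.data_lifetime_kb <= DATA_LIFETIME_MAX_KB):
            raise ValueError("Data Lifetime out of range")
        if self.lifetime_measurement in ("Time", "Both") and self.time_lifetime_secs <= 0:
            raise ValueError("Time Lifetime must be positive")


def proposals_agree(local: IkeProposal, remote: IkeProposal) -> bool:
    """Assumed rule: the cryptographic parameters must match exactly.
    Lifetimes are not part of the match."""
    return (local.auth_mode == remote.auth_mode
            and local.auth_alg == remote.auth_alg
            and local.encryption == remote.encryption
            and local.dh_group == remote.dh_group)


def select_proposal(local_list: Sequence[IkeProposal],
                    offered: Sequence[IkeProposal]) -> Optional[IkeProposal]:
    """Responder behaviour: walk the local list in priority order (list order)
    and return the first active entry that agrees with any offered proposal.
    Because the first match wins, a weak proposal ranked above a strong one
    is the one that gets used; inactive entries are never considered."""
    for local in local_list:
        if not local.active:
            continue
        for remote in offered:
            if proposals_agree(local, remote):
                return local
    return None


def sa_expired(p: IkeProposal, kb_sent: int, secs_elapsed: int) -> bool:
    """True once the SA has passed its configured lifetime. With Both,
    whichever limit is reached first expires the SA."""
    by_data = p.lifetime_measurement in ("Data", "Both") and kb_sent >= p.data_lifetime_kb
    by_time = p.lifetime_measurement in ("Time", "Both") and secs_elapsed >= p.time_lifetime_secs
    return by_data or by_time
```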
CHAPTER 8 IP Routing

In a typical installation, the VPN Concentrator is connected to the public network through an external router, which routes data traffic between networks, and it may also be connected to the private network through a router. The VPN Concentrator itself includes an IP routing subsystem with static routing, RIP (Routing Information Protocol), and OSPF (Open Shortest Path First) functions.

8 IP Routing

Configuration | System | IP Routing

This section of the Manager lets you configure system-wide IP routing parameters.
• Static Routes: manually configured routing tables.
• Default Gateways: routes for otherwise unrouted traffic.
• OSPF: Open Shortest Path First routing protocol.
• OSPF Areas: subnet areas within the OSPF domain.
• DHCP: Dynamic Host Configuration Protocol global parameters.
• Redundancy: Virtual Router Redundancy Protocol parameters.

Configuration | System | IP Routing | Static Routes | Add or Modify

Static Routes
The Static Routes list shows manual IP routes that have been configured. The format is [destination network address/subnet mask -> outbound destination]; e.g., 192.168.12.0/255.255.255.0 -> 10.10.0.2. If you have configured the default gateway, it appears first in the list as [Default -> default router address]. If no static routes have been configured, the list shows --Empty--.

Network Address
Enter the destination network IP address that this static route applies to. Packets with this destination address will be sent to the Destination below. Use dotted decimal notation; e.g., 192.168.12.0.

Subnet Mask
Enter the subnet mask for the destination network IP address, using dotted decimal notation (e.g., 255.255.255.0). The subnet mask indicates which part of the IP address represents the network and which part represents hosts.

Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing | Static Routes screen, and the Static Routes list is unchanged.

Configuration | System | IP Routing | Default Gateways

Tunnel Default Gateway
Enter the IP address of the default gateway for tunneled data. Use dotted decimal notation; e.g., 10.10.0.2. If you do not use a tunnel default gateway, enter 0.0.0.0 (the default entry). To delete a configured tunnel default gateway, enter 0.0.0.0. This gateway is often a firewall in parallel with the VPN Concentrator and between the public and private networks. The tunnel default gateway applies to all tunneled traffic, including IPSec LAN-to-LAN traffic.

Configuration | System | IP Routing | OSPF

Figure 8-5: Configuration | System | IP Routing | OSPF screen

Enabled
To enable the VPN Concentrator OSPF router, check the box. (By default it is not checked.) You must also enter a Router ID below. You must check this box for OSPF to work on any interface that uses it. To change a configured Router ID below, you must disable OSPF here.

Apply / Cancel
To apply your OSPF settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen. Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | IP Routing screen.

Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | System | IP Routing | OSPF Areas | Add or Modify

These Manager screens let you:
Add: Configure and add an OSPF area.
Modify: Modify parameters for a configured OSPF area.

External LSA Import
Click the drop-down menu button and select whether to bring in LSAs from neighboring Autonomous Systems. LSAs describe the state of the AS router’s interfaces and routing paths. Importing those LSAs builds a more complete link-state database, but it requires more processing. The choices are:
External = Yes, import LSAs from neighboring ASs (the default).
No External = No, do not import external LSAs.

Configuration | System | IP Routing | DHCP

Lease Timeout
Enter the timeout in minutes for addresses that are obtained from a DHCP server. Minimum is 5, default is 120, maximum is 500000 minutes. DHCP servers “lease” IP addresses for this period of time. Before the lease expires, the VPN Concentrator asks to renew it on behalf of the client. If for some reason the lease is not renewed, the connection terminates when the lease expires. The DHCP server’s lease period takes precedence over this setting.

Configuration | System | IP Routing | Redundancy

This screen lets you configure parameters for Virtual Router Redundancy Protocol (VRRP), which manages automatic switchover from one VPN Concentrator to another in a redundant installation. Automatic switchover provides user access to the VPN even if one VPN Concentrator is out of service for some reason; e.g., system crash, power failure, hardware failure, physical interface failure, system shutdown or reboot.

Enable VRRP
Check this box to enable VRRP functions. The box is not checked by default.

Group ID
Enter a number that uniquely identifies this group of redundant VPN Concentrators. This number must be the same on all systems in this group. Use a number from 1 (default) to 255. Since there is rarely more than one virtual group on a LAN, we suggest you accept the default.

2 (Public)
The IP address for the Ethernet 2 (Public) interface shared by the virtual routers in this group.

3 (External)
The IP address for the Ethernet 3 (External) interface shared by the virtual routers in this group.

Apply / Cancel
To apply the settings for VRRP, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen.
CHAPTER 9 Management Protocols

The VPN 3000 Concentrator Series includes various built-in servers, using various protocols, that let you perform typical network and system management functions. This section explains how you configure and enable those servers.

Configuration | System | Management Protocols

This section of the Manager lets you configure and enable built-in VPN Concentrator servers that provide management functions using:
• FTP: File Transfer Protocol.

9 Management Protocols

Configuration | System | Management Protocols | FTP

This screen lets you configure and enable the VPN Concentrator’s FTP (File Transfer Protocol) server. When the server is enabled, you can use an FTP client to upload and download files in VPN Concentrator flash memory. FTP server login usernames and passwords are the same as those enabled and configured on the Administration | Access Rights | Administrators screens.

Configuration | System | Management Protocols | HTTP/HTTPS

This screen lets you configure and enable the VPN Concentrator’s HTTP/HTTPS server: Hypertext Transfer Protocol and HTTP over SSL (Secure Sockets Layer) protocol. When the server is enabled, you can use a Web browser to communicate with the VPN Concentrator. HTTPS lets you use a Web browser over a secure, encrypted connection.

Enable HTTPS
Check the box to enable the HTTPS server. The box is checked by default. HTTPS—also known as HTTP over SSL—lets you use the VPN Concentrator Manager over an encrypted connection.

HTTP Port
Enter the port number that the HTTP server uses. The default is 80, which is the well-known port. Changing the port number provides additional security.

HTTPS Port
Enter the port number that the HTTPS server uses. The default is 443, which is the well-known port.

Configuration | System | Management Protocols | TFTP

Figure 9-4: Configuration | System | Management Protocols | TFTP screen

Enable
Check the box to enable the TFTP server. The box is not checked by default. Disabling the TFTP server provides additional security.

Port
Enter the port number that the TFTP server uses. The default is 69, which is the well-known port. Changing the port number provides additional security.

Configuration | System | Management Protocols | Telnet

This screen lets you configure and enable the VPN Concentrator’s Telnet terminal emulation server, and Telnet over SSL (Secure Sockets Layer protocol). When the server is enabled, you can use a Telnet client to communicate with the VPN Concentrator. You can fully manage and administer the VPN Concentrator using the Cisco Command Line Interface via Telnet.

Telnet/SSL Port
Enter the port number that Telnet over SSL uses. The default is 992, which is the well-known port number. Changing the port number provides additional security.

Maximum Connections
Enter the maximum number of concurrent, combined Telnet and Telnet/SSL connections that the server allows. Minimum is 1, default is 5, maximum is 10.

Configuration | System | Management Protocols | SNMP

Enable
Check the box to enable the SNMP server. The box is checked by default. Disabling the SNMP server provides additional security.

Port
Enter the port number that the SNMP server uses. The default is 161, which is the well-known port number. Changing the port number provides additional security.

Maximum Queued Requests
Enter the maximum number of outstanding queued requests that the SNMP server allows. Minimum is 1, default is 4, maximum is 200.

Configuration | System | Management Protocols | SNMP Communities

Figure 9-7: Configuration | System | Management Protocols | SNMP Communities screen

Community Strings
The Community Strings list shows SNMP community strings that have been configured. If no strings have been configured, the list shows --Empty--.

Add / Modify / Delete
To configure and add a new community string, click Add. The Manager opens the Configuration | System | Management Protocols | SNMP Communities | Add screen.

Configuration | System | Management Protocols | SNMP Communities | Add or Modify

These Manager screens let you:
Add: Configure and add a new SNMP community string.
Modify: Modify a configured SNMP community string.

Figure 9-8: Configuration | System | Management Protocols | SNMP Communities | Add or Modify screen

Community String
Enter the SNMP community string. Maximum 31 characters, case-sensitive.

Configuration | System | Management Protocols | SSL

issued in a PKI context. This certificate must then be installed in the client (for HTTPS; Telnet doesn’t usually require it). You need to install the certificate from a given VPN Concentrator only once. The default SSL settings should suit most administration tasks and network security requirements. We recommend that you not change them unadvisedly.

Encryption Protocols
Check the boxes for the encryption algorithms that the VPN Concentrator SSL server can negotiate with a client and use for session encryption. All are checked by default. You must check at least one algorithm to enable SSL. Unchecking all algorithms disables SSL. The algorithms are negotiated in the order shown. You cannot change the order, but you can enable or disable selected algorithms.

TLS V1 with SSL V2 Hello = The server insists on TLS Version 1 but accepts an initial SSL Version 2 “Hello.” At present, only Microsoft Internet Explorer 5.0 supports this option.

Generated Certificate Key Size
Click the drop-down menu button and select the size of the RSA key that the VPN Concentrator uses in its self-signed (generated) SSL server certificate.
CHAPTER 10 Events

An event is any significant occurrence within or affecting the VPN 3000 Concentrator such as an alarm, trap, error condition, network problem, task completion, threshold breach, or status change. The VPN Concentrator records events in an event log, which is stored in nonvolatile memory. You can also specify that certain events trigger a console message, a UNIX syslog record, an email message, or an SNMP management system trap. Event attributes include class and severity level.

10 Events

Table 10-1: VPN Concentrator event classes (continued)
Class name: Class description (event source) (*Cisco-specific event class)
DNSDBG: DNS debugging*
DNSDECODE: DNS decoding*
EVENT: Event subsystem*
EVENTDBG: Event subsystem debugging*
EVENTMIB: Event MIB changes*
EXPANSIONCARD: Expansion card (module) subsystem
FILTER: Filter subsystem
FILTERDBG: Filter debugging*
FSM: Finite State Machine subsystem (for debugging)*
FTPD: FTP daemon subsystem
GENERAL: NTP subsystem and othe

Table 10-1: VPN Concentrator event classes (continued)
Class name: Class description (event source) (*Cisco-specific event class)
OSPF: OSPF subsystem
PPP: PPP subsystem
PPPDBG: PPP debugging*
PPPDECODE: PPP decoding*
PPTP: PPTP subsystem
PPTPDBG: PPTP debugging*
PPTPDECODE: PPTP decoding*
PSH: Operating system command shell*
PSOS: Embedded real-time operating system*
QUEUE: System queue*
REBOOT: System rebooting
RM: Resource Manager subsystem*
SMTP: SMTP event handling
SN

Event severity level
Severity level indicates how serious or significant the event is; i.e., how likely it is to cause unstable operation of the VPN Concentrator, whether it represents a high-level or low-level operation, or whether it returns little or great detail. Level 1 is most significant. Table 10-2 describes the severity levels.

Table 10-2: VPN Concentrator event severity levels
Level: Category: Description
1: Fault: A crash or non-recoverable error.

Event log
The VPN Concentrator records events in an event log, which is stored in nonvolatile memory. Thus the event log persists even if the system is powered off. For troubleshooting any system difficulty, or just to examine details of system activity, consult the event log first. The Model 3015–3080 event log holds 2048 events; the Model 3005 holds 256 events. The log wraps when it is full; that is, newer events overwrite older events when the log is full.

Configuration | System | Events | General

This Manager screen lets you configure the general, or default, handling of all events. These defaults apply to all event classes. You can override these default settings by configuring specific events for special handling on the Configuration | System | Events | Classes screens.

Figure 10-2: Configuration | System | Events | General screen

Save Log on Wrap
Check this box to automatically save the event log when it is full. You can manage saved log files with options on this screen and on the Administration | File Management screens.

Save Log Format
Click the drop-down menu button to specify the format of the saved log files.
Multiline = Entries are ASCII text and appear on multiple 80-character lines (default). Choose this format for easiest reading and printing.
Comma Delimited = Each entry is a single record with fields separated by commas.

Severity to Console
Click the drop-down menu button and select the range of event severity levels to display on the console by default. Choices are: None, 1, 1-2, 1-3, ..., 1-13. The default is 1-3: all events of severity level 1 through severity level 3 are displayed on the console.

Severity to Syslog
Click the drop-down menu button and select the range of event severity levels to send to a UNIX syslog server by default. Choices are: None, 1, 1-2, 1-3, ..., 1-6.

Apply / Cancel
To include your settings for default event handling in the active configuration, click Apply. The Manager returns to the Configuration | System | Events screen. Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Events screen.

Configuration | System | Events | FTP Backup

Verify
Re-enter the FTP password to verify it. The field displays only asterisks.

Apply / Cancel
To include your FTP backup system settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Events screen. Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Events screen.

Configuration | System | Events | Classes | Add or Modify

order by class number and name. If no classes have been configured for special handling, the list shows --Empty--.

Add / Modify / Delete
To configure and add a new event class for special handling, click Add. See Configuration | System | Events | Classes | Add. To modify an event class that has been configured for special handling, select the event class from the list and click Modify. See Configuration | System | Events | Classes | Modify.

Class Name
Add screen: Click the drop-down menu button and select the event class you want to add and configure for special handling. (Please note that Select Class is an instruction reminder, not a class.) Table 10-1 describes the event classes.
Modify screen: The field shows the configured event class you are modifying. You cannot change this field. All subsequent parameters on this screen apply to this event class only.

Severity to Email
Click the drop-down menu button and select the range of event severity levels to send to recipients via email. Choices are: None, 1, 1-2, 1-3. The default is None: no events are sent via email.
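The event handling this chapter describes, modelled as an added example (not Cisco's code): general default severity ranges, per-class special handling that replaces them, and the event log that wraps when full. The defaults for Severity to Syslog and Severity to Trap, the upper limit of the trap range, the rule that a class override replaces all of the general settings for that class, and the recording of every level in the log are assumptions.

```python
# Added example (not Cisco's code): a model of the event handling described in
# this chapter. Each event has a class (Table 10-1) and a severity level 1-13
# (Table 10-2, 1 = most significant). The General screen sets default severity
# ranges for every destination; a class configured on the Classes screens gets
# its own ranges, which (assumed here) replace the defaults for that class.
# Ranges use the screen wording: "None", "1", "1-2", ... "1-13".
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional

# Highest level each destination can be set to on the screens above
# (console 1-13, syslog 1-6, email 1-3); the trap limit is an assumption.
MAX_LEVEL = {"console": 13, "syslog": 6, "email": 3, "trap": 13}


def parse_range(choice: str, dest: str) -> Optional[int]:
    """Return the highest severity level included by a screen choice
    ("1-3" -> 3, "1" -> 1, "None" -> None). Ranges always start at 1."""
    text = choice.strip().lower()
    if text == "none":
        return None
    low, _, high = text.partition("-")
    high = high or low
    if int(low) != 1 or not 1 <= int(high) <= MAX_LEVEL[dest]:
        raise ValueError(f"{choice!r} is not a valid choice for Severity to {dest}")
    return int(high)


@dataclass
class Handling:
    """Severity ranges for one set of events. Defaults: console 1-3 and
    email None as on the General screen; syslog and trap None are assumed."""
    console: str = "1-3"
    syslog: str = "None"
    email: str = "None"
    trap: str = "None"


@dataclass(frozen=True)
class Event:
    cls: str        # class name from Table 10-1, e.g. "FTPD", "OSPF"
    severity: int   # 1..13
    message: str


class EventLog:
    """Nonvolatile event log: 2048 events on Models 3015-3080, 256 on the
    Model 3005. When full, newer events overwrite the oldest ones."""

    def __init__(self, capacity: int = 2048):
        self.entries: deque = deque(maxlen=capacity)

    def record(self, ev: Event) -> None:
        self.entries.append(ev)

    def __len__(self) -> int:
        return len(self.entries)

    def oldest(self) -> Optional[Event]:
        return self.entries[0] if self.entries else None


class EventDispatcher:
    def __init__(self, general: Handling, log_capacity: int = 2048):
        self.general = general
        self.special: Dict[str, Handling] = {}   # classes given special handling
        self.log = EventLog(log_capacity)

    def configure_class(self, cls: str, handling: Handling) -> None:
        self.special[cls] = handling

    def destinations(self, ev: Event) -> List[str]:
        """Destinations an event goes to: the class override if one exists,
        otherwise the general defaults. A lower level is more severe, so an
        event is sent when its level is within the configured 1-N range."""
        if not 1 <= ev.severity <= 13:
            raise ValueError("severity must be 1..13")
        handling = self.special.get(ev.cls, self.general)
        sent = []
        for dest in ("console", "syslog", "email", "trap"):
            top = parse_range(getattr(handling, dest), dest)
            if top is not None and ev.severity <= top:
                sent.append(dest)
        return sent

    def handle(self, ev: Event) -> List[str]:
        """Record the event in the log (every level, for this example) and
        return the destinations it was also sent to."""
        self.log.record(ev)
        return self.destinations(ev)
```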
Configuration | System | Events | Trap Destinations

This section of the Manager lets you configure SNMP network management systems as destinations of event traps. Event messages sent to SNMP systems are called “traps.” If you configure any event handling—default or special—with values in Severity to Trap fields, you must configure trap destinations in this section. To configure default event handling, click the highlighted link that says “Click here to configure general event parameters.”

Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | System | Events | Trap Destinations | Add or Modify

These screens let you:
Add an SNMP destination system for event trap messages.
Modify a configured SNMP destination system for event trap messages.

Port
Enter the UDP port number by which you access the destination SNMP server. Use a decimal number from 0 to 65535. The default is 162, which is the well-known port number for SNMP traps.

Add or Apply / Cancel
To add this system to the list of SNMP trap destinations, click Add. Or to apply your changes to this trap destination, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Trap Destinations screen.

Configuration | System | Events | Syslog Servers | Add or Modify

Syslog Servers
The Syslog Servers list shows the UNIX syslog servers that have been configured as recipients of event messages. You can configure a maximum of five syslog servers. If no syslog servers have been configured, the list shows --Empty--.

Add / Modify / Delete
To configure a new syslog server, click Add. See Configuration | System | Events | Syslog Servers | Add.

Port
Enter the UDP port number by which you access the syslog server. Use a decimal number from 0 to 65535. The default is 514, which is the well-known port number.

Facility
Click the drop-down menu button and select the syslog facility tag for events sent to this server. The facility tag lets the syslog server sort messages into different files or destinations. The choices are:
User = Random user-process messages.
Mail = Mail system.
Daemon = System daemons.

Configuration | System | Events | SMTP Servers

Figure 10-10: Configuration | System | Events | SMTP Servers screen

SMTP Servers
The SMTP Servers list shows the configured SMTP servers in the order in which the system accesses them. You can configure two prioritized SMTP servers so that you have a backup server in case the primary server is offline, congested, etc. If no SMTP servers have been configured, the list shows --Empty--.

Add / Modify / Delete / Move
To configure a new SMTP server, click Add.

Configuration | System | Events | SMTP Servers | Add or Modify

These screens let you:
Add an SMTP server to the list of configured SMTP servers. You can configure two SMTP servers: a primary and a backup.
Modify the IP address or hostname of a configured SMTP server.

Figure 10-11: Configuration | System | Events | SMTP Servers | Add or Modify screen

SMTP Server
Enter the IP address or hostname of the SMTP server.

Configuration | System | Events | Email Recipients

To configure default event handling, click the highlighted link that says “Click here to configure general event parameters.” To configure special event handling, see the Configuration | System | Events | Classes screens.

Figure 10-12: Configuration | System | Events | Email Recipients screen

Email Recipients
The Email Recipients list shows configured event message email recipients in the order they were configured.

Configuration | System | Events | Email Recipients | Add or Modify

These screens let you:
Add and configure an event message email recipient. You can configure a maximum of five email recipients.
Modify the parameters for a configured email recipient.

Figure 10-13: Configuration | System | Events | Email Recipients | Add or Modify screen

Email Address
Enter the recipient’s complete email address; e.g., bob@altiga.com.

Add or Apply / Cancel
To add this recipient to the list of email recipients, click Add. Or to apply your changes to this email recipient, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Email Recipients screen. Any new recipient appears at the bottom of the Email Recipients list.
CHAPTER 11 General

General configuration parameters include VPN 3000 Concentrator environment items: system identification, time, and date.

Configuration | System | General

This section of the Manager lets you configure general VPN Concentrator parameters.
• Identification: system name, contact person, system location.
• Time and Date: system time and date.

11 General

Configuration | System | General | Identification

This screen lets you configure system identification parameters that are stored in the standard MIB-II system object. Network management systems using SNMP can retrieve this object and identify the system. Configuring this information is optional.

Figure 11-2: Configuration | System | General | Identification screen

System Name
Enter a system name that uniquely identifies this VPN Concentrator on your network; e.g., VPN01.

Configuration | System | General | Time and Date

This screen lets you set the time and date on the VPN Concentrator. Setting the correct time is very important so that logging and accounting information is accurate.

Figure 11-3: Configuration | System | General | Time and Date screen

Current Time
The screen shows the current date and time on the VPN Concentrator at the time the screen displays. You can refresh this by redisplaying the screen.
C H A P T E R 12 User Management Groups and users are core concepts in managing the security of VPNs and in configuring the VPN 3000 Concentrator. Groups and users have attributes, configured via parameters, that determine their access to and use of the VPN. Users are members of groups, and groups are members of the base group. This section of the VPN 3000 Concentrator Series Manager lets you configure those parameters. Groups simplify system management.
12 User Management Some additional points to note: • Base-group parameters are the default, or system-wide, parameters. • A user can be a member of only one group. • Users who are not members of a specific group are, by default, members of the base group. Therefore, to ensure maximum security and control, you should assign all users to appropriate groups, and you should configure base-group parameters carefully.
Configuration | User Management Configuration | User Management This section of the Manager lets you configure base-group, group, and individual user parameters. These parameters determine access and use of the VPN Concentrator. Figure 12-1: Configuration | User Management screen Configuration | User Management | Base Group This Manager screen lets you configure the default, or base-group, parameters.
12 User Management Figure 12-2: Configuration | User Management | Base Group screen, General tab General Parameters tab This tab lets you configure general security, access, performance, and protocol parameters that apply to the base group. Access Hours Click the drop-down menu button and select the named hours when remote-access users can access the VPN Concentrator. Configure access hours on the Configuration | Policy Management | Access Hours screen.
Configuration | User Management | Base Group Simultaneous Logins Enter the number of simultaneous logins permitted for a single user. The minimum is 0, which disables login and prevents user access; default is 3. While there is no maximum limit, allowing several could compromise security and affect performance. Minimum Password Length Enter the minimum number of characters for user passwords. The minimum is 1, the default is 8, and the maximum is 32. To protect security, we strongly recommend 8 or higher.
12 User Management Primary DNS Enter the IP address, in dotted decimal notation, of the primary DNS server for base-group users. The system sends this address to the client as the first DNS server to use for resolving hostnames. If the base group doesn’t use DNS, leave this field blank. See the Note on DNS and WINS entries under Configuration | User Management | Groups | Add on page 12-22. Secondary DNS Enter the IP address, in dotted decimal notation, of the secondary DNS server for base-group users.
Configuration | User Management | Base Group client specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients. L2TP over IPSec = L2TP using IPSec for security (not checked by default). L2TP packets are encapsulated within IPSec, thus providing an additional authentication and encryption layer for security.
12 User Management To use IPSec with remote-access clients, you must assign an SA. With IPSec LAN-to-LAN connections, the system ignores this selection and uses parameters from the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screens. The VPN Concentrator supplies these default selections: --None-- = No SA assigned. Select this option if you need to configure groups with several different SAs.
Configuration | User Management | Base Group Authentication Click the drop-down menu button and select the user authentication method (authentication server type) to use with remote-access IPSec clients. This selection identifies the authentication method, not the specific server. Configure authentication servers on the Configuration | System | Servers | Authentication screens. Selecting any authentication method (other than None) enables ISAKMP Extended Authentication, also known as XAuth.
12 User Management Allow Password Storage on Client Check the box to allow IPSec clients to store their login passwords on their local client systems. If you do not allow password storage (the default), IPSec users must enter their password each time they seek access to the VPN. For maximum security, we recommend that you not allow password storage. Split Tunneling Network List Click the drop-down menu button and select the Network List to use for split tunneling.
Configuration | User Management | Base Group Default Domain Name Enter the default domain name that the VPN Concentrator passes to the IPSec client, for the client’s TCP/ IP stack to append to DNS queries that omit the domain field. This domain name applies only to tunneled packets. For example, if this entry is xyzcorp.com, a DNS query for mail becomes mail.xyzcorp.com. Maximum is 255 characters. The Manager checks the domain name for valid syntax.
12 User Management Figure 12-4: Configuration | User Management | Base Group screen, PPTP/L2TP tab PPTP/L2TP Parameters tab This tab lets you configure PPTP and L2TP parameters that apply to the base group. During tunnel establishment, the client and server negotiate access and usage based on these parameters. Only clients that meet these criteria are allowed access. If you checked PPTP, L2TP, or L2TP over IPSec under Tunneling Protocols on the General Parameters tab, configure these parameters.
Configuration | User Management | Base Group These choices specify the allowable authentication protocols in order from least secure to most secure. PAP = Password Authentication Protocol. This protocol passes cleartext username and password during authentication and is not secure. We strongly recommend that you not allow this protocol (the default). CHAP = Challenge-Handshake Authentication Protocol.
12 User Management L2TP Authentication Protocols Check the boxes for the authentication protocols that L2TP clients can use. To establish and use a VPN tunnel, users should be authenticated according to some protocol. Caution: Unchecking all authentication options means that no authentication is required. That is, L2TP users can connect with no authentication. This configuration is allowed so you can test connections, but it is not secure.
Configuration | User Management | Base Group 40-bit = L2TP clients are allowed to use the RSA RC4 encryption algorithm with a 40-bit key. This is significantly less secure than the 128-bit option. Microsoft encryption (MPPE) uses this algorithm. This option is not checked by default. If you check Required, you must check this option and/or the 128-bit option. 128-bit = L2TP clients are allowed to use the RSA RC4 encryption algorithm with a 128-bit key. Microsoft encryption (MPPE) uses this algorithm.
12 User Management Configuration | User Management | Groups This section of the Manager lets you configure access and usage parameters for specific groups. A group is a collection of users treated as a single entity. Groups inherit parameters from the base group. See the discussion of groups and users under User Management at the beginning of this chapter. Configuring internal groups in this section means configuring them on the VPN Concentrator internal authentication server.
Configuration | User Management | Groups Add / Modify / Delete To configure and add a new group, click Add. The Manager opens the Configuration | User Management | Groups | Add screen. To modify parameters for a group that has been configured, select the group from the list and click Modify. The Manager opens the appropriate internal or external Configuration | User Management | Groups | Modify screen. To remove a group that has been configured, select the group from the list and click Delete.
Configuration | User Management | Groups | Add or Modify (Internal)
These screens let you:
Add: Configure and add a new group.
Modify: Change parameters for a group that you have previously configured on the internal server. The screen title identifies the group you are modifying.
For many of these parameters, you can simply specify that the group “inherit” parameters from the base group, which you should configure first.

Group Name
Enter a unique name for this specific group. Maximum is 32 characters, case-sensitive. Changing a group name automatically updates the group name for all users in the group. See the note about configuring the RADIUS Class attribute under Configuration | User Management | Groups on page 12-16.

Password
Enter a unique password for this group. Minimum is 4, maximum is 32 characters, case-sensitive.

Figure 12-7: Configuration | User Management | Groups | Add or Modify (Internal) screen, General tab

General Parameters tab
This tab lets you configure general security, access, performance, and tunneling protocol parameters that apply to this internally configured group.
setting, clear the check box. If you clear the check box, you must also enter or change any corresponding Value field; do not leave the field blank.
• The Value column thus shows either base-group parameter settings that also apply to this group (Inherit? checked), or unique parameter settings configured for this group (Inherit? cleared).

Note: The setting of the Inherit? check box takes priority over an entry in a Value field.

Maximum Connect Time
Enter the group’s maximum user connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1, and the maximum is 2147483647 minutes (over 4000 years). To allow unlimited connection time, enter 0.

Filter
Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the VPN Concentrator, based on criteria such as source address, destination address, and protocol.

Primary WINS
Enter the IP address, in dotted decimal notation, of the primary WINS server for this group’s users. The system sends this address to the client as the first WINS server to use for resolving hostnames under Windows NT. See note above.

Secondary WINS
Enter the IP address, in dotted decimal notation, of the secondary WINS server for this group’s users.
Figure 12-8: Configuration | User Management | Groups | Add or Modify (Internal) screen, IPSec tab

IPSec Parameters tab
This tab lets you configure IP Security Protocol parameters that apply to this internally configured group. If you checked IPSec or L2TP over IPSec under Tunneling Protocols on the General Parameters tab, configure this section.

Value / Inherit?
On this tabbed section:
• The Inherit? check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group setting, clear the check box. If you clear the check box, you must also enter or change any corresponding Value field; do not leave the field blank.

Tunnel Type
Click the drop-down menu button and select the type of IPSec tunnel that this group’s clients use:
LAN-to-LAN = IPSec LAN-to-LAN connections between two VPN Concentrators (or between a VPN Concentrator and another protocol-compliant security gateway). See Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN. If you select this type, ignore the rest of the parameters on this tab.
Remote Access = Remote IPSec client connections to the VPN Concentrator.

Notes: IPSec uses Mode Configuration to pass all configuration parameters to a client: IP address, DNS and WINS addresses, etc. You must check this box to use Mode Configuration. Otherwise, those parameters—even if configured with entries—are not passed to the client. The Cisco VPN 3000 Client (IPSec client) supports Mode Configuration, but other IPSec clients may not.

IPSec through NAT
Check the box to allow the Cisco VPN 3000 Client (IPSec client) to connect to the VPN Concentrator via UDP through a firewall or router using NAT.

IPSec through NAT UDP Port
Enter the UDP port number to use if you allow IPSec through NAT. Enter a number in the range 4001 through 49151; default is 10000. See the discussion About IPSec through NAT under Configuration | User Management | Base Group on page 12-11.
Value / Inherit?
On this tabbed section:
• The Inherit? check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group setting, clear the check box. If you clear the check box, you must also enter or change any corresponding Value field; do not leave the field blank.

and compares—only encrypted passwords, rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption). If you check Required under PPTP Encryption below, you must allow one or both MSCHAP protocols and no other.
MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is even more secure than MSCHAPv1.

CHAP = Challenge-Handshake Authentication Protocol. In response to the server challenge, the client returns the encrypted [challenge plus password], with a cleartext username. It is more secure than PAP.
EAP = Extensible Authentication Protocol. This protocol supports EAP-MD5 (MD5-Challenge) authentication, which is analogous to the CHAP protocol, with the same level of security.
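The CHAP exchange described above, as an added example that is not Cisco's or the Concentrator's code: the client's response is the MD5 hash over the identifier, the password and the challenge as RFC 1994 specifies (EAP-MD5 computes the same value), the server recomputes it from its stored password, and a PAP request is built beside it so the difference in what crosses the link is visible. The user database, message fields and helper names are constructed for illustration.

```python
"""CHAP challenge/response modelled after RFC 1994, with PAP for contrast.

Added example, not code from the VPN 3000 Concentrator. The user database,
message framing and helper names are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

WireField = Tuple[str, bytes]


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5(Identifier || secret || Challenge Value).

    EAP-MD5 (MD5-Challenge) produces the same value, which is why the page
    rates it as equivalent to CHAP.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side. CHAP needs the cleartext secret on the server to
    recompute the hash; that is the trade-off for keeping it off the wire."""

    def __init__(self, users: Dict[str, bytes]) -> None:
        self._users = users
        self._pending: Dict[int, bytes] = {}   # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        value = os.urandom(16)                 # fresh, unpredictable challenge
        self._pending[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Pop the challenge so a captured response cannot be replayed
        # against the same challenge value.
        value = self._pending.pop(identifier, None)
        secret = self._users.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


def run_chap(server: ChapServer, name: str, password: bytes,
             identifier: int = 1) -> Tuple[bool, List[WireField]]:
    """Simulate one CHAP exchange. Returns (success, wire), where wire lists
    every field that crossed the link so the caller can check what leaked."""
    chal = server.challenge(identifier)                  # server -> client
    resp = chap_response(identifier, password, chal)     # computed client-side
    wire = [("Challenge", chal), ("Response", resp), ("Name", name.encode())]
    return server.verify(identifier, name, resp), wire


def run_pap(name: str, password: bytes) -> List[WireField]:
    """PAP Authenticate-Request: the credentials themselves are the wire."""
    return [("Peer-ID", name.encode()), ("Password", password)]


def leaks_password(wire: List[WireField], password: bytes) -> bool:
    """True if the password appears verbatim in any transmitted field."""
    return any(password in value for _, value in wire)


if __name__ == "__main__":
    srv = ChapServer({"alice": b"correct horse"})     # constructed user record
    ok, fields = run_chap(srv, "alice", b"correct horse")
    print("CHAP ok:", ok, "password on wire:", leaks_password(fields, b"correct horse"))
    print("PAP password on wire:", leaks_password(run_pap("alice", b"correct horse"), b"correct horse"))
```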
Configuration | User Management | Groups | Modify (External)
This screen lets you change identity parameters for an external group that you have previously configured. The screen title identifies the group you are modifying.

Figure 12-10: Configuration | User Management | Groups | Modify (External) screen

Group Name
Enter a unique name for this specific group. You can edit this field as desired. Maximum is 32 characters, case-sensitive.

Apply / Cancel
When you finish changing these parameters, click Apply to include your settings in the active configuration. The Manager returns to the Configuration | User Management | Groups screen and refreshes the Current Groups list. However, if you change group type to Internal, the Manager displays the Configuration | User Management | Groups | Modify (Internal) screen so you can configure all the parameters.

Configuration | User Management | Users

Current Users
The Current Users list shows configured users in alphabetical order. If no users have been configured, the list shows --Empty--.

Add / Modify / Delete
To configure a new user, click Add. The Manager opens the Configuration | User Management | Users | Add screen. To modify a user that has been configured, select the user from the list and click Modify. The Manager opens the Configuration | User Management | Users | Modify screen.
Configuration | User Management | Users | Add or Modify

Figure 12-12: Configuration | User Management | Users | Add or Modify screen, Identity tab

Identity Parameters tab
This tab lets you configure the name, password, group, and IP address for this user.

User Name
Enter a unique name for this user. Maximum is 32 characters, case-sensitive. If you change this name, this user profile replaces the existing profile.

Password
Enter a unique password for this user.

IP Address
Enter the IP address, in dotted decimal notation, assigned to this user. Enter this address only if you assign this user to the base group or an internally configured group, and if you configure Use Address from Authentication Server on the Configuration | System | Address Management | Assignment screen. Otherwise, leave this field blank.

Subnet Mask
Enter the subnet mask, in dotted decimal notation, assigned to this user.

Value / Inherit?
On this tabbed section:
• The Inherit? check box refers to group parameters: Does this specific user inherit the given setting from the group?
– Add screen = inherit base-group parameter setting.
– Modify screen = inherit assigned-group parameter setting, which can be the base group or a configured group.
To inherit the group setting, check the box (default). To override the group setting, clear the box.

Maximum Connect Time
Enter this user’s maximum connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1, and the maximum is 2147483647 minutes (over 4000 years). To allow unlimited connection time, enter 0.

Filter
Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the VPN Concentrator, based on criteria such as source address, destination address, and protocol.
specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients.
L2TP over IPSec = L2TP using IPSec for security. L2TP packets are encapsulated within IPSec, thus providing an additional authentication and encryption layer for security.

Note: The setting of the Inherit? check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.

IPSec SA
Click the drop-down menu button and select the IPSec Security Association (SA) assigned to this IPSec user. During tunnel establishment, the user client and server negotiate a Security Association that governs authentication, encryption, encapsulation, key management, etc.

Figure 12-15: Configuration | User Management | Users | Add or Modify screen, PPTP/L2TP tab

PPTP/L2TP Parameters tab
This tab lets you configure PPTP and L2TP parameters that apply to this user. During tunnel establishment, the user client and server negotiate access and usage based on these parameters. Only clients that meet these criteria are allowed access.

Note: The setting of the Inherit? check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.

Use Client Address
Check the box to accept and use an IP address that this user (client) supplies. A client must have an IP address to function as a tunnel endpoint; but for maximum security, we recommend that you control IP address assignment and not allow client-specified IP addresses.

L2TP Authentication Protocols
Check the boxes for the authentication protocols that this L2TP user (client) can use. To establish and use a VPN tunnel, users should be authenticated according to some protocol.

Caution: Unchecking all authentication options means that no authentication is required. That is, L2TP users can connect with no authentication. This configuration is allowed so you can test connections, but it is not secure.
Chapter 13 Policy Management

Managing a VPN, and protecting the integrity and security of network resources, includes carefully designing and implementing policies that govern who can use the VPN, when, and what data traffic can flow through it. User management deals with “who can use it”; see the User Management section for that discussion. Policy management deals with “when” and “what data traffic can flow through it”; this section covers those topics.

Configuration | Policy Management
This section of the Manager lets you configure policies that apply to groups, users, and VPN Concentrator Ethernet interfaces. Policies govern:
• Access Hours: when remote users can access the VPN Concentrator.
• Traffic Management: what data traffic can flow through the VPN Concentrator, as governed by:
– Network Lists: lists of networks grouped as single objects.
– Rules: detailed parameters that govern the handling of data packets.
Configuration | Policy Management | Access Hours

Current Access Hours
The Current Access Hours list shows the names of configured access times. The Cisco-supplied default access times are:
Never = Never. No access at any time.
Business Hours = Monday through Friday, 9 a.m. to 5 p.m.
Additional access times that you configure appear in the list.

Add / Modify / Delete
To configure and add a new access time to the list, click Add.

Configuration | Policy Management | Access Hours | Add or Modify
These Manager screens let you:
Add: Configure and add a new access time to the list of configured access times.
Modify: Modify a configured access time. Changing an access time has no effect on connected users, since the parameter is checked only when the tunnel is established. The change affects subsequent connections, however.

Add or Apply / Cancel
To add this access time to the list, click Add. Or to apply your changes for this access time, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | Policy Management | Access Hours screen. Any new entry appears in the Current Access Times list.

Configuration | Policy Management | Traffic Management
Configuration | Policy Management | Traffic Management | Network Lists
This section of the Manager lets you configure network lists, which are lists of networks that are grouped as single objects. Network lists make configuration easier: for example, you can use a network list to configure one filter rule for a set of networks rather than configuring separate rules for each network.

action to take before you can delete the list. Otherwise, there is no confirmation or undo. The Manager deletes the list, refreshes the screen, and shows the remaining network lists.

Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Network Lists | Add, Modify, or Copy

List Name
Enter a unique name for this network list. Maximum 48 characters, case-sensitive. Spaces are allowed. If you use the Generate Local List feature on the Add screen, enter this name after the system generates the network list.

Network List
Enter the networks in this network list. Enter each network on a single line using the format n.n.n.n/w.w.w.w, where n.n.n.n is a network IP address and w.w.w.w is a wildcard mask.
Configuration | Policy Management | Traffic Management | Rules
This section of the Manager lets you add, configure, modify, copy, and delete filter rules. You use rules to construct filters.

Caution: The Cisco-supplied default rules are intended as templates that you should examine and modify to fit your network and security needs. Unmodified, or incorrectly applied, they could present security risks.

For all the default rules except VRRP In and Out, these parameters are identical:
Action = Forward
Source Address = Use IP Address/Wildcard-Mask = 0.0.0.0/255.255.255.255 = any address
Destination Address = Use IP Address/Wildcard-Mask = 0.0.0.0/255.255.255.255 = any address
For maximum security and control, we recommend that you change the Source Address and Destination Address to fit your network addressing and security scheme.

Table 13-1: Cisco-supplied default filter rules (continued)

Filter Rule Name     Direction   Protocol   TCP Connection   TCP/UDP Source Port   TCP/UDP Destination Port
Outgoing HTTPS In    Inbound     TCP        Don’t Care       HTTPS (443)           Range 0-65535
Outgoing HTTPS Out   Outbound    TCP        Don’t Care       Range 0-65535         HTTPS (443)
PPTP In              Inbound     TCP        Don’t Care       Range 0-65535         PPTP (1723)
PPTP Out             Outbound    TCP        Don’t Care       PPTP (1723)           Range 0-65535
RIP In               Inb
Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy
These Manager screens let you:
Add: Configure and add a new filter rule to the list of filter rules.
Modify: Modify a previously configured filter rule.
Copy: Copy a configured rule, modify its parameters, save it with a new name, and add it to the list of filter rules.

Figure 13-8: Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy screen
Rule Name
Enter a unique name for this rule. Maximum is 48 characters.

Direction
Click the drop-down menu button and select the data direction to which this rule applies:
Inbound = Into the VPN Concentrator interface; or into the VPN tunnel from the remote client or host. (This is the default selection.)
Outbound = Out of the VPN Concentrator interface; or out of the VPN tunnel to the remote client or host.

Click the drop-down menu button and select the protocol to which this rule applies.
Any = Any protocol [255] (the default selection).
ICMP = Internet Control Message Protocol [1] (used by ping, for example). If you select this protocol, you should also configure ICMP Packet Type.
TCP = Transmission Control Protocol [6] (connection-oriented; e.g., FTP, HTTP, SMTP, and Telnet).

Note: An IP address is used with a wildcard mask to provide the desired granularity. A wildcard mask is the reverse of a subnet mask; i.e., the wildcard mask has 1s in bit positions to ignore, 0s in bit positions to match. For example:
0.0.0.0/255.255.255.255 = any address
10.10.1.35/0.0.0.0 = only 10.10.1.35
10.10.1.35/0.0.0.255 = all 10.10.1.nnn addresses

IP Address
Enter the source IP address in dotted decimal notation. Default is 0.0.0.0.

Assigned Numbers Authority (IANA) manages port numbers and classifies them as Well Known, Registered, and Dynamic (or Private). The Well Known ports are those from 0 through 1023; the Registered Ports are those from 1024 through 49151; and the Dynamic ports are those from 49152 through 65535.

Port or Range
Click the drop-down menu button and select the process (port number):
ECHO (7) = Used by ping for network testing.

Range = To specify a range of port numbers, or to specify a port not on the Cisco-supplied list, select Range here (the default selection) and enter—in the Range [start] to [end] fields—the inclusive range of port numbers that this rule applies to. To specify a single port number, enter the same number in both fields. Defaults are 0 to 65535 (all ports). The Range fields are ignored if you select a specific port from the drop-down list.
Configuration | Policy Management | Traffic Management | Rules | Delete
This screen asks you to confirm deletion of a rule that is being used in a filter. Doing so deletes the rule from all filters that use it, and deletes it from the VPN Concentrator active configuration.

You apply SAs to filter rules that are configured with an Apply IPSec action, for LAN-to-LAN traffic. See Configuration | Policy Management | Traffic Management | Rules. The VPN Concentrator automatically creates and applies appropriate rules when you create a LAN-to-LAN connection; see Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN.

Configuration | Policy Management | Traffic Management | Security Associations

IPSec SAs
The IPSec SAs list shows the configured SAs that are available. The SAs are listed in the order they are configured. Cisco supplies default SAs that you can use or modify; see Table 13-2. See Configuration | Policy Management | Traffic Management | Security Associations | Add for explanations of the parameters.

To delete a configured SA, select the SA from the list and click Delete.
• If the SA has not been assigned to a filter rule—even if it has been assigned to a group or user—the Manager deletes the SA, refreshes the screen, and shows the remaining SAs in the list. There is no confirmation or undo.
• If the SA has been assigned to a filter rule, the Manager asks you to confirm the deletion.
Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify

Figure 13-11: Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify screen

SA Name
Enter a unique name for this Security Association. Maximum is 48 characters.

Inheritance
This parameter specifies the granularity, or how many tunnels to build for this connection. Each tunnel uses a unique key.

IPSec Parameters
These parameters apply to IPSec SAs, which are Phase 2 SAs negotiated under IPSec, where the two parties establish conditions for use of the tunnel.

Authentication Algorithm
This parameter specifies the data, or packet, authentication algorithm. Packet authentication proves that data comes from whom you think it comes from; it is often referred to as “data integrity” in VPN literature.

Perfect Forward Secrecy
This parameter specifies whether to use Perfect Forward Secrecy, and the size of the numbers to use, in generating Phase 2 IPSec keys. Perfect Forward Secrecy is a cryptographic concept where each new key is unrelated to any previous key. In IPSec negotiations, Phase 2 keys are based on Phase 1 keys unless Perfect Forward Secrecy is specified.

IKE Parameters
These parameters govern IKE SAs, which are Phase 1 SAs negotiated under IPSec, where the two parties establish a secure tunnel within which they then negotiate the IPSec SAs. In this IKE SA they exchange automated key management information under the IKE (Internet Key Exchange) protocol (formerly called ISAKMP/Oakley). All these parameters (except IKE Peer) must be configured the same on both parties; the IKE Peer entries must mirror each other.

IKE Proposal
This parameter specifies the set of attributes that govern Phase 1 IPSec negotiations, which are known as IKE proposals. See the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. When the VPN Concentrator is acting as an IPSec initiator, this is the only IKE proposal it negotiates.

Configuration | Policy Management | Traffic Management | Security Associations | Delete
This screen asks you to confirm deletion of a Security Association that is assigned to a rule in a filter. Doing so deletes the SA from the VPN Concentrator active configuration, deletes the SA from all rules that use it, and removes those rules from filters.
Configuration | Policy Management | Traffic Management | Filters
Configuring a filter involves two steps:
1 Configuring its basic parameters (name, default action, etc.) by clicking Add Filter, Modify Filter, or Copy Filter, and
2 Assigning rules to a filter by clicking Assign Rules to Filter.
You apply filters to interfaces under Configuration | Interfaces, and these are the most important filters for security since they govern all traffic through an interface.

Filter List
The Filter List shows configured filters, listed in the order they are configured. Cisco supplies default filters that you can use and modify; see Table 13-3.

Copy Filter
To create a new filter by copying the basic parameters and rules from a filter that has been configured, click Copy Filter. The Manager opens the Configuration | Policy Management | Traffic Management | Filters | Copy screen.

Delete Filter
To delete a configured filter, select the filter from the list and click Delete Filter. See notes below.

Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy

Figure 13-14: Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy screen

Filter Name
Enter a unique name for this filter. Maximum is 48 characters.

Default Action
Click the drop-down menu button and select the action that this filter takes if a data packet does not match any of the rules on this filter. The choices are:
Drop = Discard the packet (the default selection).
Forward = Allow the packet to pass.

Source Routing
Check this box to allow IP source routed packets to pass. A source routed packet specifies its own route through the network and does not rely on the system to control forwarding. This box is not checked by default, because source-routed packets can present a security risk.

Fragments
Check this box to allow fragmented IP packets to pass.

Configuration | Policy Management | Traffic Management | Assign Rules to Filter
This section of the Manager lets you add, remove, and prioritize the rules in a filter, and assign Security Associations to rules that are configured with an Apply IPSec action. A filter applies its rules to data packets coming through the system, in the order the rules are arranged on the filter. If a rule matches, the system takes the Action specified in the rule.
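The filter model described here and in the Rules screens above (ordered rules, first match wins, the filter's Default Action otherwise, addresses matched through a wildcard mask, ports matched as inclusive ranges), as an added example that is not the Concentrator's own implementation. The rule and packet classes, the sample filter and the addresses are constructed; the two HTTPS rules mirror the Cisco-supplied defaults listed in Table 13-1.

```python
"""Filter evaluation as the Manager describes it: rules are tried in order,
the first match decides, and the filter's Default Action applies otherwise.

Added example, not the VPN Concentrator's implementation. Rule fields follow
the Rules screen (Direction, Protocol, address/wildcard-mask, port ranges);
the sample rules, packets and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_NET = "0.0.0.0/255.255.255.255"      # "any address", as on the page
ALL_PORTS = (0, 65535)                   # Range 0-65535


def parse_net(spec: str) -> Tuple[int, int]:
    """'n.n.n.n/w.w.w.w' -> (address, wildcard) as integers. This is also the
    per-line format of a Network List."""
    addr, wild = spec.split("/")
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))


def wildcard_match(ip: str, spec: str) -> bool:
    """Wildcard mask: 1 bits are ignored, 0 bits must match."""
    addr, wild = parse_net(spec)
    care = 0xFFFFFFFF ^ wild
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


@dataclass
class Packet:
    direction: str        # "Inbound" or "Outbound"
    protocol: str         # "TCP", "UDP", "ICMP", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    name: str
    direction: str
    protocol: str                          # "Any", "TCP", "UDP", "ICMP"
    action: str                            # "Forward", "Drop", "Apply IPSec"
    src: str = ANY_NET
    dst: str = ANY_NET
    sports: Tuple[int, int] = ALL_PORTS    # Range [start] to [end], inclusive
    dports: Tuple[int, int] = ALL_PORTS

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction:
            return False
        if self.protocol != "Any" and self.protocol != p.protocol:
            return False
        if not (wildcard_match(p.src, self.src) and wildcard_match(p.dst, self.dst)):
            return False
        if p.protocol in ("TCP", "UDP"):   # port criteria only exist for TCP/UDP
            return (self.sports[0] <= p.sport <= self.sports[1]
                    and self.dports[0] <= p.dport <= self.dports[1])
        return True


@dataclass
class Filter:
    name: str
    default_action: str                    # "Drop" (the default) or "Forward"
    rules: List[Rule]

    def evaluate(self, p: Packet) -> Tuple[str, Optional[str]]:
        """First matching rule wins, so rule order is policy (Move Up / Move
        Down); a packet matching no rule gets the Default Action."""
        for rule in self.rules:
            if rule.matches(p):
                return rule.action, rule.name
        return self.default_action, None


# Constructed filter: the two default HTTPS rules from Table 13-1 plus one
# rule whose source is narrowed with a wildcard mask, as the page recommends.
SAMPLE_FILTER = Filter("Public (constructed)", "Drop", [
    Rule("Outgoing HTTPS In", "Inbound", "TCP", "Forward", sports=(443, 443)),
    Rule("Outgoing HTTPS Out", "Outbound", "TCP", "Forward", dports=(443, 443)),
    Rule("Branch HTTP In", "Inbound", "TCP", "Forward",
         src="10.10.1.35/0.0.0.255", dports=(80, 80)),   # all 10.10.1.nnn hosts
])

if __name__ == "__main__":
    reply = Packet("Inbound", "TCP", "192.0.2.10", "198.51.100.5", 443, 51000)
    print(SAMPLE_FILTER.evaluate(reply))      # ('Forward', 'Outgoing HTTPS In')
```

Note that inbound TCP to port 443 from a high source port matches neither "Outgoing" rule and falls to the Default Action: the default rules allow replies to outgoing HTTPS, not incoming HTTPS service.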
Current Rules in Filter
This list shows the rules currently assigned to the filter. Use the scroll controls (if present) to see all the rules in the list. If no rules have been assigned, the list shows --Empty--. Each entry shows the rule name and the action/direction in parentheses; Apply IPSec rules include their Security Association.

Available Rules
This list shows all the rules currently configured on the system (i.e.

Move Up / Move Down
To change the order in which a rule is applied within the filter, select the rule from the Current Rules in Filter list and click Move Up or Move Down. The Manager reorders the current rules, modifies the active configuration, refreshes the screen, and shows the reordered list. If you try to move a rule out of its direction group (inbound or outbound), the Manager displays an error message.

Add SA to Rule on Filter: The Manager shows the name of the filter to which you are adding a rule that has an Apply IPSec action configured. You cannot change this name here. See Configuration | Policy Management | Traffic Management | Filters | Modify.

IPSec SAs
The IPSec SAs list shows the configured SAs that are available; i.e., all the SAs in the active configuration.

Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule

Figure 13-17: Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule screen

Change SA on Rule in Filter: The Manager shows the name of the filter to which the IPSec rule is assigned. You cannot change this name here. See Configuration | Policy Management | Traffic Management | Filters | Modify.

IPSec SAs
The IPSec SAs list shows the configured SAs that are available; i.e., all the SAs in the active configuration.
Configuration | Policy Management | Traffic Management | NAT
This section of the Manager lets you configure and enable NAT (Network Address Translation). NAT translates private network addresses into an IANA-assigned public network address, and vice versa, and thus allows traffic routing between the networks.

Configuration | Policy Management | Traffic Management | NAT | Enable
This screen lets you enable system-wide NAT operation, which applies NAT to all configured traffic flowing through the public interface. We recommend that you configure NAT rules before you enable the function.

Figure 13-19: Configuration | Policy Management | Traffic Management | NAT | Enable screen

Enabled
Check the box to enable NAT, or clear it to disable NAT. By default, the box is not checked.

Configuration | Policy Management | Traffic Management | NAT | Rules

Figure 13-20: Configuration | Policy Management | Traffic Management | NAT | Rules screen

NAT Rules
The NAT Rules list shows NAT rules that have been configured. If no rules have been configured, the list shows --Empty--. The format of each rule is: Private Address/Subnet-Mask-1s on Interface (Action); for example, 10.0.0.0/8 on Ethernet 2 (Public) (map TCP/UDP).

Configuration | Policy Management | Traffic Management | NAT | Rules | No Public Interfaces
The Manager displays this screen if you have not configured a public interface on the VPN Concentrator and you try to add a NAT rule. The public interface need not be enabled, but it must be configured with an IP address and the Public Interface parameter enabled. You should designate only one VPN Concentrator interface as a public interface.

Configuration | Policy Management | Traffic Management | NAT | Rules | Add or Modify

Figure 13-22: Configuration | Policy Management | Traffic Management | NAT | Rules | Add or Modify screen

Interface
Add screen: Click the drop-down menu button and select the configured public interface for this NAT rule. The list shows all interfaces (Ethernet or WAN) that have the Public Interface parameter enabled. See Configuration | Interfaces.

Action
Click the drop-down menu button and select the translation action for this NAT rule:
No Port Mapping = Translate addresses for packets with protocols that don’t use ports and thus don’t involve port mapping (default). For example, this action supports ping, which uses ICMP.
Map TCP/UDP = Map ports within outbound TCP and UDP packets to dynamic ports (49152 to 65535) on the public IP address, and vice versa. This is the most common type of mapping.
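The Map TCP/UDP action, as an added example that is not the Concentrator's code: a small port-mapping table that gives each outbound TCP or UDP flow from the rule's private network a dynamic port (49152 to 65535) on the public address and maps replies to that port back, so that an unsolicited packet arriving on an unmapped port has no private destination. The rule, interface name, addresses and flows are constructed; the rule string follows the NAT Rules list format shown above.

```python
"""Port-mapping NAT as the Map TCP/UDP action describes it.

Added example, not the VPN Concentrator's implementation. The NatRule fields
mirror a NAT Rules entry such as "10.0.0.0/8 on Ethernet 2 (Public) (map
TCP/UDP)"; the public address, flows and interface name are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DYNAMIC_PORTS = range(49152, 65536)         # IANA Dynamic (Private) port range

FlowKey = Tuple[str, str, int]              # (protocol, private ip, private port)
Endpoint = Tuple[str, int]                  # (ip, port)


@dataclass
class NatRule:
    private_net: str        # Private Address/Subnet-Mask-1s, e.g. "10.0.0.0/8"
    interface: str          # e.g. "Ethernet 2 (Public)"
    public_ip: str          # address configured on that public interface
    action: str = "Map TCP/UDP"

    def covers(self, ip: str) -> bool:
        return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(self.private_net)


@dataclass
class NatTable:
    rule: NatRule
    outbound: Dict[FlowKey, int] = field(default_factory=dict)       # flow -> public port
    inbound: Dict[Tuple[str, int], FlowKey] = field(default_factory=dict)
    next_port: int = DYNAMIC_PORTS[0]

    def _alloc_port(self, proto: str) -> int:
        """Hand out the next free dynamic port for this protocol, wrapping
        around the pool; raises if all 16384 ports are in use."""
        for _ in range(len(DYNAMIC_PORTS)):
            port = self.next_port
            self.next_port = port + 1 if port < DYNAMIC_PORTS[-1] else DYNAMIC_PORTS[0]
            if (proto, port) not in self.inbound:
                return port
        raise RuntimeError("dynamic port pool exhausted")

    def translate_out(self, proto: str, src_ip: str, src_port: int) -> Optional[Endpoint]:
        """Private -> public for outbound TCP/UDP. Returns the public
        (ip, port) to rewrite into the packet, or None when this rule does
        not apply (source outside the private network, or a protocol without
        ports, which the No Port Mapping action handles instead)."""
        if proto not in ("TCP", "UDP") or not self.rule.covers(src_ip):
            return None
        key: FlowKey = (proto, src_ip, src_port)
        if key not in self.outbound:            # new flow: bind a public port
            port = self._alloc_port(proto)
            self.outbound[key] = port
            self.inbound[(proto, port)] = key
        return self.rule.public_ip, self.outbound[key]

    def translate_in(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Public -> private ("and vice versa"). Only ports bound by
        translate_out map back; anything else has no private destination."""
        if dst_ip != self.rule.public_ip:
            return None
        key = self.inbound.get((proto, dst_port))
        if key is None:
            return None
        return key[1], key[2]


if __name__ == "__main__":
    table = NatTable(NatRule("10.0.0.0/8", "Ethernet 2 (Public)", "203.0.113.1"))
    print(table.translate_out("TCP", "10.0.0.5", 3000))     # ('203.0.113.1', 49152)
    print(table.translate_in("TCP", "203.0.113.1", 49152))  # ('10.0.0.5', 3000)
    print(table.translate_in("TCP", "203.0.113.1", 60000))  # None: no mapping
```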
Chapter 14 Administration

Administering the VPN 3000 Concentrator Series involves activities that keep the system operational and secure. Configuring the system sets the parameters that govern its use and functionality as a VPN device, but administration involves higher level activities such as who is allowed to configure the system, and what software runs on it. Only administrators can use the VPN Concentrator Manager.

Figure 14-1: Administration screen

Administration | Sessions
This screen shows comprehensive statistics for all active sessions on the VPN Concentrator. You can also click a session’s name to see detailed parameters and statistics for that session. See Administration | Sessions | Detail.

Figure 14-2: Administration | Sessions screen

Refresh
To refresh the statistics, click Refresh.
14 Administration Logout All: PPTP | L2TP | IPSec User | L2TP/IPSec | IPSec/NAT | IPSec/LAN-to-LAN These active labels let you log out all active sessions of a given tunnel type at once: • PPTP • L2TP • IPSec User = IPSec remote-access users • L2TP/IPSec = L2TP over IPSec • IPSec/NAT = IPSec through NAT • IPSec/LAN-to-LAN = IPSec LAN-to-LAN To log out the sessions, click the appropriate label. The Manager displays a prompt to confirm the action.
Total Active Sessions
The total number of sessions of all types that are currently active.

Peak Concurrent Sessions
The highest number of sessions of all types that were concurrently active since the VPN Concentrator was last booted or reset.

Concurrent Sessions Limit
The maximum number of concurrently active sessions permitted on this VPN Concentrator. This number is model-dependent; e.g., Model 3060 = 5000 sessions.
Remote Access Sessions table
This table shows parameters and statistics for all active remote-access sessions. Each session is a single-user connection from a remote client to the VPN Concentrator. Remote-access sessions include PPTP, L2TP, IPSec remote-access user, L2TP over IPSec, and IPSec through NAT sessions.

[ LAN-to-LAN Sessions | Management Sessions ]
Click these active links to go to the other session tables on this Manager screen.
IP Address
The IP address of the manager workstation that is accessing the system. Local indicates a direct connection through the Console port on the system.

Protocol, Encryption, Login Time, Duration, Actions
See Table 14-1 for definitions of these parameters.

Table 14-1: Parameter definitions for Administration | Sessions screen

Parameter: Protocol
Definition: The protocol this session is using. Console indicates a direct connection through the Console port on the system.
Administration | Sessions | Detail

These Manager screens show detailed parameters and statistics for a specific remote-access or LAN-to-LAN session. The parameters and statistics differ depending on the session protocol.

Figure 14-5: Administration | Sessions | Detail screen: IPSec remote access user

Figure 14-6: Administration | Sessions | Detail screen: IPSec through NAT

Figure 14-7: Administration | Sessions | Detail screen: L2TP

Figure 14-8: Administration | Sessions | Detail screen: L2TP over IPSec

Figure 14-9: Administration | Sessions | Detail screen: PPTP
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Back to Sessions
To return to the Administration | Sessions screen, click Back to Sessions.

Administration | Sessions | Detail parameters

Table 14-2: Parameter definitions for Administration | Sessions | Detail screens

Parameter: Assigned IP Address
Definition: The private IP address assigned to the remote client for this session.
Table 14-2: Parameter definitions for Administration | Sessions | Detail screens (continued)

Parameter: IPSec Sessions
Definition: The total number of IPSec (Phase 2) sessions, which are data traffic sessions through the tunnel. Each IPSec remote-access session may have two IPSec sessions: one showing the tunnel endpoints, and one showing the private networks reachable through the tunnel.
Administration | Software Update

This screen lets you update the VPN Concentrator executable system software (the software image). This process uploads the file to the VPN Concentrator, which then verifies the integrity of the file. The new image file must be accessible by the workstation you are using to manage the VPN Concentrator. Software image files ship on the Cisco VPN 3000 Concentrator CD-ROM. Updated or patched versions are available from the Cisco Website, www.cisco.
Browse...
Enter the complete pathname of the new image file, or click Browse... to find and select the file from your workstation or network. Cisco-supplied VPN 3000 Concentrator software image files are named:
Model 3005 = vpn3005....bin; e.g., vpn3005.2.5.bin.
Models 3015, 3030, 3060, and 3080 = vpn3000....bin; e.g., vpn3000.2.5.bin.
If the upload or verification is not successful, the progress window displays a failure message.

Figure 14-13: Administration | Software Update Failure window

Click OK to close the progress window. Try the upload again.

Software Update Success
This window confirms that the software upload and verification completed successfully. To go to the Administration | System Reboot screen, click the highlighted link.
Administration | System Reboot

This screen lets you reboot or shut down (halt) the VPN Concentrator with various options. We strongly recommend that you shut down the VPN Concentrator before you turn power off. If you just turn power off without shutting down, you may corrupt flash memory and affect subsequent operation of the system. If you are logged in to the Manager when the system reboots or halts, it automatically logs you out and displays the main login screen.
Action
Click a radio button to select the desired action. You can select only one action.
Reboot = Reboot the VPN Concentrator. Rebooting terminates all sessions, resets the hardware, loads and verifies the software image, executes system diagnostics, and initializes the system. A reboot takes about 60-75 seconds. (This is the default selection.)
Shutdown without automatic reboot = Shut down the VPN Concentrator; that is, bring the system to a halt so you can turn off the power.
To cancel your settings on this screen, click Cancel. The Manager returns to the main Administration screen. (Note that this Cancel button does not cancel a scheduled reboot or shutdown.)

Administration | Ping

This screen lets you use the ICMP ping (Packet Internet Groper) utility to test network connectivity. Specifically, the VPN Concentrator sends an ICMP Echo Request message to a designated host.
Error (Ping)
If the system is unreachable for any reason—host down, ICMP not running on host, route not configured, intermediate router down, network down or congested, etc.—the Manager displays an Error screen with the name of the tested host. To troubleshoot the connection, try to Ping other hosts that you know are working.

Figure 14-19: Administration | Ping | Error screen

To return to the Administration | Ping screen, click Retry the operation.
Administration | Access Rights

Apply / Cancel
To save your settings in the active configuration, click Apply. The Manager goes to the main Administration screen.
Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your settings, click Cancel. The Manager goes to the main Administration screen.
Note: The VPN Concentrator saves Administrator parameter settings from this screen and the Modify Properties screen in nonvolatile memory, not in the active configuration (CONFIG) file. Thus, these settings are retained even if the system loses power. These settings are also retained even if you reboot the system with the factory configuration file.

Figure 14-22: Administration | Access Rights | Administrators screen

Group Number
This is a reference number for the administrator.
Administrator
To assign “system administrator” privileges to one administrator, click the radio button. Only the “system administrator” can access and configure properties in this section. You can select only one. By default, admin is selected.

Enabled
Check the box to enable, or clear the box to disable, an administrator. Only enabled administrators can log in to, and use, the VPN Concentrator Manager.
Table 14-3 shows the matrix of Cisco-supplied default rights for the five administrators.
Administration | Access Rights | Administrators | Modify Properties

Authentication
This area consists of VPN Concentrator Manager functions that affect authentication:
• Configuration | User Management
• Configuration | Policy Management | Access Hours
• Configuration | Policy Management | Traffic Management | Filters
• Configuration | System | Servers | Authentication and Accounting

General
This area consists of all VPN Concentrator Manager functions except authentication and administration.
Administration | Access Rights | Access Control List

This section of the Manager lets you configure and prioritize the systems (workstations) that are allowed to access the VPN Concentrator Manager. For example, you might want to allow access only from one or two PCs that are in a locked room. If no systems are listed, then anyone who knows the VPN Concentrator IP address and the administrator username/password combination can gain access.
Reminder: The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Administration | Access Rights | Access Control List | Add or Modify

These screens let you:
Add a manager workstation to the list of those that are allowed to access the VPN Concentrator Manager.
IP Mask
Enter the mask for the IP address in dotted decimal notation. This mask lets you restrict access to a single IP address, a range of addresses, or all addresses.
To restrict access to a single IP address, enter 255.255.255.255 (the default).
To allow all IP addresses, enter 0.0.0.0.
To allow a range of IP addresses, enter the appropriate mask. For example, to allow IP addresses 10.10.1.32 through 10.10.1.35, enter the mask 255.255.255.252.
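The mask arithmetic behind the IP Address / IP Mask pair, as an added example that is not part of the Cisco guide: it reproduces the three cases above (single host, all hosts, a masked range) and the rule that an empty list admits any workstation. The AclEntry class, the sample list and the client addresses are constructed for illustration.

```python
# Added example (not from the Cisco guide): how an Access Control List row's
# IP Address and IP Mask decide whether a manager workstation may reach the
# VPN Concentrator Manager. Mask semantics follow the guide's text:
# 255.255.255.255 admits one address, 0.0.0.0 admits everything, and any other
# mask admits every address whose masked bits equal the entry's masked bits.
# The entry list and the client addresses below are constructed sample data.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One Access Control List row: address plus dotted-decimal mask."""
    address: str
    mask: str = "255.255.255.255"   # the guide's default: a single workstation

    def matches(self, client_ip: str) -> bool:
        addr = int(ipaddress.IPv4Address(self.address))
        mask = int(ipaddress.IPv4Address(self.mask))
        client = int(ipaddress.IPv4Address(client_ip))
        # A cleared mask bit is "don't care"; a set mask bit must agree.
        return (client & mask) == (addr & mask)

    def allowed_range(self) -> Tuple[str, str]:
        """First and last address this entry admits."""
        addr = int(ipaddress.IPv4Address(self.address))
        mask = int(ipaddress.IPv4Address(self.mask))
        first = addr & mask
        last = first | (~mask & 0xFFFFFFFF)
        return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def manager_access_allowed(acl: List[AclEntry], client_ip: str) -> bool:
    """Mirror the guide's rule: with no systems listed, any workstation that
    knows the address and credentials can reach the Manager; otherwise only a
    workstation matching at least one entry can."""
    if not acl:
        return True
    return any(entry.matches(client_ip) for entry in acl)


# Constructed sample ACL: the guide's own example range plus one single host.
SAMPLE_ACL = [
    AclEntry("10.10.1.32", "255.255.255.252"),   # admits 10.10.1.32 .. 10.10.1.35
    AclEntry("192.168.5.7"),                      # default mask: this host only
]

if __name__ == "__main__":
    for ip in ("10.10.1.32", "10.10.1.35", "10.10.1.36", "192.168.5.7", "192.168.5.8"):
        verdict = "allowed" if manager_access_allowed(SAMPLE_ACL, ip) else "denied"
        print(f"{ip:<14} {verdict}")
```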
The Manager resets the inactivity timer only when you click an action button (Apply, Add, Cancel, etc.) or a link on a screen—that is, when you invoke a different screen. Entering values or setting parameters on a given screen does not reset the timer.

Session Limit
Enter the maximum number of simultaneous administrative sessions allowed. Minimum is 1, default is 10, and maximum is 50 sessions.
Administration | File Management | Files

This screen lets you manage files in VPN Concentrator flash memory. (Flash memory acts like a disk.) Such files include CONFIG, CONFIG.BAK, LOGNNNNN.TXT files, and copies of them that you have saved under different names. The screen shows a table listing all files in flash memory, one file per table row. Use the frame scroll controls (if present) to display more files in the table.
Actions
For a selected file, click the desired action link. The actions available to you depend on your Access Rights to Files; see the Administration | Access Rights | Administrators | Modify Properties screen.

View (Save)
To view the selected file, click View. The Manager opens a new browser window to display the file, and the browser address bar shows the filename. You can also save a copy of the file on the PC that is running the browser.
Administration | File Management | Swap Configuration Files

This screen lets you swap the boot configuration file with the backup configuration file. Every time you save the active configuration, the system writes it to the CONFIG file, which is the boot configuration file, and it saves the previous CONFIG file as CONFIG.BAK, the backup configuration file. To reload the boot configuration file and make it the active configuration, you must reboot the system.
Administration | File Management | TFTP Transfer

Concentrator File
Enter the name of the file on the VPN Concentrator. This filename must conform to the 8.3 naming convention.

Action
Click the drop-down menu button and select the TFTP action:
GET << = Get a file from the remote system; i.e., copy a file from the remote system to the VPN Concentrator.
PUT >> = Put a file on the remote system; i.e., copy a file from the VPN Concentrator to the remote system.
Success (TFTP)
If the TFTP transfer is successful, the Manager displays a Success screen.

Figure 14-31: Administration | File Management | TFTP Transfer | Success screen

Continue
To return to the Administration | File Management | TFTP Transfer screen, click Continue.

Error (TFTP)
If the TFTP transfer is unsuccessful for any reason—no such file, incorrect action, remote system unreachable, TFTP server not running, incorrect server address, etc.—the Manager displays an Error screen.
Administration | Certificate Management

specific systems or hosts. There must be at least one identity certificate (and its root certificate) on a given VPN Concentrator; there may be more than one root certificate. During IKE (IPSec) Phase 1 authentication, the communicating parties exchange certificate and key information, and they use the public-key / private-key pairs to generate a hash value; if the hash values match, the client is authenticated. The VPN Concentrator supports X.
Installing digital certificates on the VPN Concentrator
Installing a digital certificate on the VPN Concentrator requires these steps:
1 Use the Administration | Certificate Management | Enrollment screen to generate a certificate request. Save the request as a file, or copy it to the clipboard.
2 Send the certificate request to a CA, usually using the CA’s Web interface. Most CAs let you submit the request by pasting from the clipboard; otherwise, you can send a file.
Administration | Certificate Management | Enrollment

Figure 14-34: Administration | Certificate Management | Enrollment screen

Common Name (CN)
Enter the name for this VPN Concentrator that identifies it in the PKI; e.g., Engineering VPN. Spaces are allowed. You must enter a name in this field. If you are requesting an SSL certificate, enter the IP address or domain name you use to connect to this VPN Concentrator; e.g., 10.10.147.2.
Locality (L)
Enter the city or town where this VPN Concentrator is located; e.g., Franklin. Spaces are allowed.

State/Province (SP)
Enter the state or province where this VPN Concentrator is located; e.g., Massachusetts. Spell out completely; do not abbreviate. Spaces are allowed.

Country (C)
Enter the country where this VPN Concentrator is located; e.g., US. Use two characters, no spaces, and no periods. This two-character code must conform to ISO 3166 country abbreviations.
Administration | Certificate Management | Enrollment | Request Generated

The Manager displays this screen when the system has successfully generated a certificate request. The request is a Base-64 encoded file in PKCS-10 format (Public Key Certificate Syntax-10), which most CAs recognize or require. The system automatically saves this file in flash memory with the filename shown in the screen (pkcsNNNN.txt).
Enrolling with a Certificate Authority
To send the certificate request to a CA, enroll, and receive your digital certificates, follow these steps. (These are cut-and-paste steps; your CA may follow different procedures. In any case, you must end up with certificates saved as text files on your PC or other reachable network host.)
1 Select and copy the certificate request from the browser window to your clipboard.
2 Use a browser to connect to the CA’s Web site.
Administration | Certificate Management | Installation

Figure 14-37: Administration | Certificate Management | Installation screen

Certificate Type
Click the drop-down menu button and select the type of digital certificate to install. (Please note that --Select a Certificate Type-- is an instruction reminder, not a choice.)
Issuing or Root Certificate Authority = Root and subordinate certificates obtained via enrollment with a CA in a PKI.
Local File / Browse
Enter the complete path and filename of the certificate you are installing; e.g., d:\certs\ca_root.txt. Or click Browse to navigate to the file on your PC or other reachable network host.

Apply / Cancel
To install the certificate, click Apply. The Manager displays the Administration | Certificate Management | Certificates screen. If you select the Server Identity (import with Private Key) certificate type, the Manager displays a warning message and asks you to confirm.
Administration | Certificate Management | Certificates

SSL Certificate / [ Generate ]
This table shows the SSL server certificate installed on the VPN Concentrator. The system can have only one SSL server certificate installed: either a self-signed certificate or one issued in a PKI context. To generate a self-signed SSL server certificate, click Generate. The system uses parameters set on the Configuration | System | Management Protocols | SSL screen and generates the certificate.
Administration | Certificate Management | Certificates | View

The Manager displays this screen of certificate details when you click View for a certificate on the Administration | Certificate Management | Certificates screen. The details vary depending on the certificate content. The content and format for certificate details are governed by ITU (International Telecommunication Union) X.509 standards, specifically RFC 2459. The Subject and Issuer fields conform to ITU X.520.
For the VPN Concentrator self-signed SSL certificate, the CN is the IP address on the Ethernet 1 (Private) interface at the time the certificate is generated. SSL compares this CN with the address you use to connect to the VPN Concentrator via HTTPS, as part of its validation.
OU= Organizational Unit: the subgroup within the organization (O).
O= Organization: the name of the company, institution, agency, association, or other entity.
MD5 Thumbprint
A 128-bit MD5 hash of the complete certificate contents, shown as a 16-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate’s authenticity, you can check this value with the issuer.

SHA1 Thumbprint
A 160-bit SHA-1 hash of the complete certificate contents, shown as a 20-byte string. This value is unique for every certificate, and it positively identifies the certificate.
Administration | Certificate Management | Certificates | CRL

serial number. Enabling CRL checking means that every time the VPN Concentrator uses the certificate for authentication, it also checks the latest CRL to ensure that the certificate has not been revoked. CAs use LDAP databases to store and distribute CRLs. They may also use other means, but the VPN Concentrator relies on LDAP access.
Server Port
Enter the port number for the CRL server. Enter 0 (the default) to have the system supply the default port number, 389 (LDAP).

Update Period
Enter the frequency in minutes to poll for updated CRLs. Enter 0 (the default) to have the system fetch the CRL on demand; i.e., only when the certificate is used for authentication.

Filter
Enter the filename filter (wildcard) to use with the Base DN to select the appropriate CRLs in the database. Maximum 128 characters.
Administration | Certificate Management | Certificates | Delete

The Manager displays this confirmation screen when you click Delete for a certificate on the Administration | Certificate Management | Certificates screen. The screen shows the same certificate details as on the Administration | Certificate Management | Certificates | View screen.
CHAPTER 15
Monitoring

The VPN 3000 Concentrator tracks many statistics and the status of many items essential to system administration and management. This section of the Manager lets you view all those status items and statistics. You can even see the state of LEDs that show the status of hardware subsystems in the device. You can also see statistics that are stored and available in standard MIB-II data objects.
15 Monitoring

Figure 15-1: Monitor screen

Monitor | Routing Table

This screen shows the VPN Concentrator routing table at the time the screen displays. The IP routing subsystem examines the destination IP address of packets coming through the VPN Concentrator and forwards or drops them according to configured parameters.
Valid Routes
The total number of current valid routes that the VPN Concentrator knows about. This number includes all valid routes, and it may be greater than the number of rows in the routing table, which shows only the best routes with duplicates removed.

Address
The packet destination IP address that this route applies to. This address is combined with the subnet mask to determine the destination route. 0.0.0.0 indicates the default gateway.
Age
The number of seconds since this route was last updated or otherwise validated. The age is relative to the screen display time; e.g., 25 means the route was last validated 25 seconds before the screen was displayed. 0 indicates a static, local, or default route.

Metric
The metric, or cost, of this route. 1 is lowest, 16 is highest.

Monitor | Event Log

This screen shows the events in the current event log, and lets you manage the event log file.
Select Filter Options
You can select any or all of the following five options for displaying the event log. After selecting the option(s), click any one of the four Page buttons. The Manager refreshes the screen and displays the event log according to your selections. Your filter options remain in effect as long as you continue working within and viewing Monitor | Event Log screens.
First Page
To display the first page (screen) of the event log, click this button. By default, the Manager displays the first page of the event log when you first open this screen.

Previous Page
To display the previous page (screen) of the event log, click this button.

Next Page
To display the next page (screen) of the event log, click this button.

Last Page
To display the last page (screen) of the event log, click this button.
Clear Log
To clear the current event log from memory, click this button. The Manager then refreshes the screen and shows the empty log.
Caution: The Manager immediately erases the event log from memory without asking for confirmation. There is no undo.

Event log format
Each entry (record) in the event log consists of eight or nine fields:
Sequence Date Time Severity Class/Number Repeat (IPAddress) String
(The IPAddress field appears in only certain events.)
Event class / number
The class—or source—of the event, and the internal reference number associated with the specific event within the event class. For example: HTTP/47 identifies that an administrator logged in to the VPN Concentrator using HTTP to connect to the Manager. Table 10-1 under Configuration | System | Events describes the event classes. The internal reference number assists Cisco support personnel if they need to examine a log file.
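A parser for the eight- or nine-field record layout described under Event log format, plus a review pass that picks out HTTP/47 administrator logins from workstations you do not expect. This is an added example, not code from the Cisco guide; it assumes whitespace-separated fields with the Severity and Repeat fields rendered as SEV=n and RPT=n, and the log lines are constructed samples (only HTTP/47 is taken from the guide; the other class/number values are placeholders).

```python
# Added example (not from the Cisco guide): parse VPN Concentrator event log
# records into the fields the guide lists
#   Sequence Date Time Severity Class/Number Repeat (IPAddress) String
# and flag HTTP/47 (administrator logged in via HTTP) records from unexpected
# source addresses. Assumptions beyond the guide: fields are whitespace
# separated, Severity is written "SEV=n" and Repeat "RPT=n". The log text below
# is constructed sample data; class/number values other than HTTP/47 are
# placeholders, not real event identifiers.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

SAMPLE_LOG = """\
1 07/12/2000 09:14:02.310 SEV=4 HTTP/47 RPT=1 10.10.1.33 Administrator session started (sample)
2 07/12/2000 09:14:05.880 SEV=5 IKE/99 RPT=3 192.0.2.44 Sample IKE message (placeholder)
3 07/12/2000 09:20:41.000 SEV=3 EVENT/9 RPT=1 Sample message with no address field
4 07/12/2000 09:22:17.505 SEV=4 HTTP/47 RPT=1 198.51.100.9 Administrator session started (sample)
"""


@dataclass
class EventRecord:
    sequence: int
    date: str
    time: str
    severity: int
    event_class: str
    number: int
    repeat: int
    ip_address: Optional[str]   # present only for some events (ninth field)
    message: str


def _looks_like_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_event_line(line: str) -> EventRecord:
    """Split one record into its fixed fields, then decide whether the optional
    IPAddress field is present by testing the first token of the remainder."""
    parts = line.strip().split(None, 6)
    if len(parts) < 7:
        raise ValueError(f"not a complete event record: {line!r}")
    seq, date, time, sev, class_num, rpt, rest = parts
    if not (sev.startswith("SEV=") and rpt.startswith("RPT=")):
        raise ValueError(f"unexpected severity/repeat fields: {line!r}")
    event_class, _, number = class_num.partition("/")
    ip_address = None
    head_tail = rest.split(None, 1)
    if head_tail and _looks_like_ipv4(head_tail[0]):
        ip_address = head_tail[0]
        rest = head_tail[1] if len(head_tail) > 1 else ""
    return EventRecord(int(seq), date, time, int(sev[4:]), event_class,
                       int(number), int(rpt[4:]), ip_address, rest)


def parse_event_log(text: str) -> List[EventRecord]:
    return [parse_event_line(ln) for ln in text.splitlines() if ln.strip()]


def unexpected_admin_logins(events: List[EventRecord],
                            expected_hosts: Set[str]) -> List[EventRecord]:
    """HTTP/47 records whose source address is missing or not an expected
    manager workstation; a natural cross-check against the Access Control List."""
    return [ev for ev in events
            if ev.event_class == "HTTP" and ev.number == 47
            and (ev.ip_address is None or ev.ip_address not in expected_hosts)]


if __name__ == "__main__":
    for ev in unexpected_admin_logins(parse_event_log(SAMPLE_LOG), {"10.10.1.33"}):
        print(f"seq {ev.sequence}: admin login from {ev.ip_address} at {ev.date} {ev.time}")
```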
Monitor | System Status

This screen shows the status of several software and hardware variables at the time the screen displays. From this screen you can also display the status and statistics for SEP modules, system power supplies, and network interfaces.
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

VPN Concentrator Type
The type, or model number, of this VPN Concentrator.

Bootcode Rev
The version name, number, and date of the VPN Concentrator bootcode software file. When you boot or reset the system, the bootcode software runs system diagnostics, and it loads and executes the system software image.
Fan 1, Fan 2
The VPN Concentrator includes two cooling fans. In the Model 3005, they are on the rear of the chassis, with Fan 1 on the left as you face the rear. In the Model 3015–3080, they are on the right side of the chassis as you face the front, with Fan 1 closest to the front. This table shows the RPM for both fans. The nominal value is 5000 RPM for the Model 3005 and 3800 RPM for the Model 3015–3080, with an acceptable minimum of 3000 RPM for both.
Monitor | System Status | Ethernet Interface

This screen displays status and statistics for a VPN Concentrator Ethernet interface. To configure an interface, see Configuration | Interfaces.

Figure 15-5: Monitor | System Status | Ethernet Interface screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Back
To return to the Monitor | System Status screen, click Back.
Testing = in test mode; no regular data traffic can pass.
Dormant = configured and enabled but waiting for an external action, such as an incoming connection.
Not Present = missing hardware components.
Lower Layer Down = not operational because a lower-layer interface is down.
Unknown = not configured.

Rx Unicast
The number of unicast packets that were received by this interface since the VPN Concentrator was last booted or reset.
Monitor | System Status | Dual T1/E1 WAN Slot N

This screen displays status and statistics for a VPN Concentrator WAN module. To configure a WAN module interface, see Configuration | Interfaces.

Figure 15-6: Monitor | System Status | Dual T1/E1 WAN Slot N screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Back
To return to the Monitor | System Status screen, click Back.
Port
The interface port on the WAN module (A or B).

Status
The current status of this port:
Up = (Green) Configured, enabled, and operational; synchronized with the network and ready to pass data traffic.
Red = (Red) Red alarm: Port has lost synchronization or signal. This alarm indicates out-of-frame errors, a mismatched framing format, or a disconnected line.
Severely Errored Framing Seconds
The number of seconds during which one or more out-of-frame defects or an AIS defect were detected on this port.

Unavailable Seconds
The number of seconds during which this port has not been available. Basically, unavailable seconds begin with 10 contiguous severely errored seconds, or with a condition leading to failure.

Line Errored Seconds
The number of seconds during which one or more line coding violations were detected on this port.
Slot
The physical slot in the VPN Concentrator (1 through 4) that houses the WAN module.

Port
The interface port on the WAN module (A or B).

IfIndex
The unique interface index (an integer) that identifies this WAN port. For WAN ports, the index integers start at 8.

Status
The current operational status of the port:
Initializing = Coming up.
Running = Finished initializing; waiting to transition to the Up state.
Received Frame Too Long
The number of received frame too long errors on this interface port. The size of the packets received exceeds the MTU (Maximum Transmission Unit). These errors could indicate that the T1/E1 line is not configured correctly; for example, if you are using a fractional T1/E1 line, the timeslots configured might not match those of the T1/E1 provider.

Transmit Frame Too Long
The number of transmit frame too long errors on this interface port.
Monitor | System Status | Power

This screen displays status and data for VPN Concentrator power supplies and voltage sensors in the system. To configure alarm thresholds for system voltages, see the Configuration | Interfaces | Power screen.

Figure 15-7: Monitor | System Status | Power screen (Model 3005; Model 3015–3080)

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Board
Voltages and status for the 3.3- and 5-volt sensors on the main circuit board.

1.9/2.5V Status, 3.3V Status, 5V Status
The status of voltages relative to the configured thresholds:
OK = within low and high threshold limits.
ALARM = outside of low or high threshold limit.
Not Installed = power supply not installed.
Monitor | System Status | SEP

Figure 15-8: Monitor | System Status | SEP screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Back
To return to the Monitor | System Status screen, click Back.

SEP
The chassis slot number where this SEP is inserted, and the type of hardware in this SEP:
CryptSet = first-release hardware using a set of integrated circuits.
CryptIC = second-release hardware using a single integrated circuit.
Status
The functional state of this SEP module:
Operational = module is operating correctly.
Not Operational = module has failed during operation. This is an error condition; please contact Cisco Customer Support.
Found = module is installed but is not yet operational. If this condition persists after the VPN Concentrator finishes initializing, it is an error. Please contact Cisco Customer Support.
Not Found = module could not be found.
Hash Decrypted: Packets
The number of packets that this SEP processed using both hashing (authentication) and decryption algorithms.

Drops: Packets
The number of packets intended for processing by this SEP, but dropped due to the SEP being overloaded.

Random Requests
The number of requests to this SEP to generate random numbers. When needed (requested), the SEP generates a 2-KB block of random numbers and caches them on the VPN Concentrator.
RSA Digital Signings
The number of times this SEP has generated an RSA (Rivest, Shamir, Adelman algorithm) digital signature. The VPN Concentrator generates a digital signature when it creates a digital certificate.

RSA Digital Verifications
The number of times this SEP has verified an RSA digital signature.
Monitor | System Status | LED Status
Model 3015–3080 only

This screen shows the status of VPN Concentrator front-panel LED indicators, exactly as they appear on the unit itself. LED indicators on the VPN Concentrator are normally green, and the usage graph LEDs are blue. LEDs that are amber, red, or off may indicate an error condition. See Appendix A, Errors and troubleshooting, for descriptions of the LEDs.
Monitor | Sessions

This screen shows comprehensive data for all active user and administrator sessions on the VPN Concentrator.

Figure 15-10: Monitor | Sessions screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Session Summary table
This table shows summary totals for LAN-to-LAN, remote access, and management sessions. A session is a VPN tunnel established with a specific peer.
Active LAN-to-LAN Sessions
The number of IPSec LAN-to-LAN sessions that are currently active.

Active Remote Access Sessions
The number of PPTP, L2TP, IPSec remote-access user, L2TP over IPSec, and IPSec through NAT sessions that are currently active.

Active Management Sessions
The number of administrator management sessions that are currently active.

Total Active Sessions
The total number of sessions of all types that are currently active.
IP Address
The IP address of the remote peer VPN Concentrator or other secure gateway that initiated this LAN-to-LAN connection.

Protocol, Encryption, Login Time, Duration, Bytes Tx, Bytes Rx
See Table 15-1 on page 15-29 for definitions of these parameters.

Remote Access Sessions table
This table shows parameters and statistics for all active remote-access sessions. Each session is a single-user connection from a remote client to the VPN Concentrator.
Management Sessions table
This table shows parameters and statistics for all active administrator management sessions on the VPN Concentrator.

[ LAN-to-LAN Sessions | Remote Access Sessions ]
Click these active links to go to the other session tables on this Manager screen.

Administrator
The administrator username or login name for the session.

IP Address
The IP address of the manager workstation that is accessing the system.
Monitor | Sessions | Detail These Manager screens show detailed parameters and statistics for a specific remote-access or LAN-to-LAN session. The parameters and statistics differ depending on the session protocol.
Figure 15-12: Monitor | Sessions | Detail screen: IPSec remote access user (screenshot not reproduced)
Figure 15-13: Monitor | Sessions | Detail screen: IPSec through NAT (screenshot not reproduced)
Figure 15-14: Monitor | Sessions | Detail screen: L2TP (screenshot not reproduced)
Figure 15-15: Monitor | Sessions | Detail screen: L2TP over IPSec (screenshot not reproduced)
Figure 15-16: Monitor | Sessions | Detail screen: PPTP (screenshot not reproduced)
Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Back to Sessions To return to the Monitor | Sessions screen, click Back to Sessions. Monitor | Sessions | Detail parameters Table 15-2: Parameter definitions for Monitor | Sessions | Detail screens Parameter Definition Assigned IP Address The private IP address assigned to the remote client for this session.
Table 15-2: Parameter definitions for Monitor | Sessions | Detail screens (continued) Parameter Definition IPSec Sessions: The total number of IPSec (Phase 2) sessions, which are data traffic sessions through the tunnel. Each IPSec remote-access session may have two IPSec sessions: one showing the tunnel endpoints, and one showing the private networks reachable through the tunnel.
Monitor | Sessions | Protocols This screen graphically displays the protocols used by currently active user and administrator sessions on the VPN Concentrator. Figure 15-17: Monitor | Sessions | Protocols screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Active Sessions The number of currently active sessions. Total Sessions The total number of sessions since the VPN Concentrator was last booted or reset.
L2TP = Layer 2 Tunneling Protocol. IPSec = Internet Protocol Security tunneling protocol (remote-access users). HTTP = Hypertext Transfer Protocol (Web browser). FTP = File Transfer Protocol. Telnet = terminal emulation protocol. SNMP = Simple Network Management Protocol. TFTP = Trivial File Transfer Protocol. Console = directly connected console; no protocol. Debug/Telnet = debugging via Telnet (Cisco use only). Debug/Console = debugging via console (Cisco use only).
Monitor | Sessions | SEPs Model 3015–3080 only. This screen graphically displays the SEP (Scalable Encryption Processing) modules used by currently active user and administrator sessions on the VPN Concentrator. SEP modules perform data encryption functions in hardware. Figure 15-18: Monitor | Sessions | SEPs screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Active Sessions The number of currently active sessions.
Bar Graph The percentage of sessions using this SEP module relative to the total active sessions, as a horizontal bar graph. Each segment of the bar in the column heading represents 25%. Percentage The percentage of sessions using this SEP module relative to the total active sessions, as a number. The sum of this column equals 100% (rounded).
Encryption The data encryption algorithm that the sessions are using: Other = other than listed below. None = no data encryption. DES-56 = Data Encryption Standard algorithm with a 56-bit key. DES-40 = DES encryption with a 56-bit key, 40 bits of which are private. 3DES-168 = Triple-DES encryption with a 168-bit key. RC4-40 Stateless = RSA RC4 encryption with a 40-bit key, and with keys changed on every packet.
Monitor | Sessions | Top Ten Lists This section of the Manager shows statistics for the top 10 currently active VPN Concentrator sessions, sorted by: • Data: total bytes transmitted and received. • Duration: total time connected. • Throughput: average throughput (bytes/sec).
IP Address The IP address of the session user. This is the address assigned to or supplied by a remote user, or the host address of a networked user. Local identifies the console directly connected to the VPN Concentrator. Protocol The protocol that the session is using. Console = directly connected console; no protocol. Debug/Console = debugging via console (Cisco use only). Debug/Telnet = debugging via Telnet (Cisco use only). FTP = File Transfer Protocol.
Login Time The date and time that this session logged in: MM/DD/YYYY HH:MM:SS. Time is in 24-hour notation. Total Bytes The total number of bytes transmitted and received by this session. N/A = the session is not passing data; e.g., it is an administrator session. Monitor | Sessions | Top Ten Lists | Duration This screen shows statistics for the top 10 currently active VPN Concentrator sessions, sorted by duration: total time connected.
Protocol The protocol that the session is using. Console = directly connected console; no protocol. Debug/Console = debugging via console (Cisco use only). Debug/Telnet = debugging via Telnet (Cisco use only). FTP = File Transfer Protocol. HTTP = Hypertext Transfer Protocol (Web browser). IPSec = Internet Protocol Security tunneling protocol (remote-access user). IPSec/LAN-to-LAN = IPSec LAN-to-LAN connection. IPSec/NAT = IPSec through NAT (Network Address Translation).
Duration The total amount of time that this session has been connected: HH:MM:SS. Monitor | Sessions | Top Ten Lists | Throughput This screen shows statistics for the top 10 currently active VPN Concentrator sessions, sorted by average throughput (bytes/sec). Figure 15-23: Monitor | Sessions | Top Ten Lists | Throughput screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
FTP = File Transfer Protocol. HTTP = Hypertext Transfer Protocol (Web browser). IPSec = Internet Protocol Security tunneling protocol (remote-access user). IPSec/LAN-to-LAN = IPSec LAN-to-LAN connection. IPSec/NAT = IPSec through NAT (Network Address Translation). L2TP = Layer 2 Tunneling Protocol. L2TP/IPSec = L2TP over IPSec. Other = protocol other than those listed here. PPTP = Point-to-Point Tunneling Protocol. SNMP = Simple Network Management Protocol.
Monitor | Statistics This section of the Manager shows statistics for traffic and activity on the VPN Concentrator since it was last booted or reset, and for current tunneled sessions, plus statistics in standard MIB-II objects for interfaces, TCP/UDP, IP, ICMP, and the ARP table. • PPTP: total tunnels, sessions, received and transmitted control and data packets; and detailed current session data.
Monitor | Statistics | PPTP This screen shows statistics for PPTP activity on the VPN Concentrator since it was last booted or reset, and for current PPTP sessions. The Monitor | Sessions | Detail screens also show PPTP data. To configure system-wide PPTP parameters, see the Configuration | System | Tunneling Protocols | PPTP screen. To configure PPTP parameters for users and groups, see Configuration | User Management.
Total Sessions The total number of user sessions through PPTP tunnels since the VPN Concentrator was last booted or reset. Active Sessions The number of user sessions that are currently active through PPTP tunnels. The PPTP Sessions table shows statistics for these sessions. Maximum Sessions The maximum number of user sessions that have been simultaneously active through PPTP tunnels on the VPN Concentrator since it was last booted or reset.
Peer IP The IP address of the peer host that established the PPTP tunnel for this session; i.e., the tunnel endpoint IP address. The Monitor | Sessions screen shows the IP address assigned to the client using the tunnel. Username The username for the session within a PPTP tunnel. This is typically the login name of the remote user. Receive Octets The total number of PPTP data octets (bytes) received by this session.
Flow The state of packet flow control for this PPTP session: Local = the local buffer is full; i.e., packet flow for the local end of the session is OFF because the number of outstanding unacknowledged packets received from the peer is equal to the local window size. Peer = the peer buffer is full; i.e., packet flow for the peer end of the session is OFF because the number of outstanding unacknowledged packets sent to the peer is equal to the peer’s window size.
Total Tunnels The total number of L2TP tunnels successfully established since the VPN Concentrator was last booted or reset. Active Tunnels The number of L2TP tunnels that are currently active. Maximum Tunnels The maximum number of L2TP tunnels that have been simultaneously active on the VPN Concentrator since it was last booted or reset. Failed Tunnels The number of L2TP tunnels that failed to become established since the VPN Concentrator was last booted or reset.
Rx Packets Control / Data The number of L2TP control / data channel packets received by the VPN Concentrator since it was last booted or reset. Rx Discards Control / Data The number of L2TP control / data channel packets received and discarded by the VPN Concentrator since it was last booted or reset. Tx Octets Control / Data The number of L2TP control / data channel octets (bytes) transmitted by the VPN Concentrator since it was last booted or reset.
Receive Packets The total number of L2TP data packets received by this session. Receive Discards The total number of L2TP data packets received and discarded by this session. Receive ZLB The total number of L2TP Zero Length Body acknowledgement data packets received by this session. ZLB packets are sent as acknowledgement packets when there is no data packet on which to piggyback an acknowledgement. Transmit Octets The total number of L2TP data octets (bytes) transmitted by this session.
Monitor | Statistics | IPSec This screen shows statistics for IPSec activity, including current IPSec tunnels, on the VPN Concentrator since it was last booted or reset. These statistics conform to the IETF draft for the IPSec Flow Monitoring MIB. The Monitor | Sessions | Detail screens also show IPSec data. To configure system-wide IPSec parameters and LAN-to-LAN connections, see the Configuration | System | Tunneling Protocols | IPSec screens.
IKE (Phase 1) Statistics This table provides IPSec Phase 1 (IKE: Internet Key Exchange) global statistics. During IPSec Phase 1 (IKE), the two peers establish control tunnels through which they negotiate Security Associations. Active Tunnels The number of currently active IKE control tunnels, both for LAN-to-LAN connections and remote access. Total Tunnels The cumulative total of all currently and previously active IKE control tunnels, both for LAN-to-LAN connections and remote access.
Received Notifies The cumulative total of notify packets received by all currently and previously active IKE tunnels. A notify packet is an informational packet that is sent in response to a bad packet or to indicate status; e.g., error packets, keepalive packets, etc. Sent Notifies The cumulative total of notify packets sent by all currently and previously active IKE tunnels. See comments for Received Notifies above.
Phase-2 SA Delete Requests Sent The cumulative total of requests to delete IPSec Phase-2 Security Associations sent by all currently and previously active IKE tunnels. Initiated Tunnels The cumulative total of IKE tunnels that this VPN Concentrator initiated. The VPN Concentrator initiates tunnels only for LAN-to-LAN connections. Failed Initiated Tunnels The cumulative total of IKE tunnels that this VPN Concentrator initiated and that failed to activate.
IPSec (Phase 2) Statistics This table provides IPSec Phase 2 global statistics. During IPSec Phase 2, the two peers negotiate Security Associations that govern traffic within the tunnel. Active Tunnels The number of currently active IPSec Phase-2 tunnels, both for LAN-to-LAN connections and remote access. Total Tunnels The cumulative total of all currently and previously active IPSec Phase-2 tunnels, both for LAN-to-LAN connections and remote access.
Sent Packets Dropped The cumulative total of packets dropped during send processing by all currently and previously active IPSec Phase-2 tunnels. This number should be zero; if not, check for a network problem, check the event log for an internal subsystem failure, or contact Cisco support. Inbound Authentications The cumulative total number of inbound individual packet authentications performed by all currently and previously active IPSec Phase-2 tunnels.
System Capability Failures The total number of system capacity failures that occurred during processing of all currently and previously active IPSec Phase-2 tunnels. These failures indicate that the system has run out of memory or some other critical resource; check the event log. No-SA Failures The cumulative total of nonexistent-Security Association failures which occurred during processing of all currently and previously active IPSec Phase-2 tunnels.
Packets Sent The total number of HTTP packets sent since the VPN Concentrator was last booted or reset. Packets Received The total number of HTTP packets received since the VPN Concentrator was last booted or reset. Active Connections The number of currently active HTTP connections. Max Connections The maximum number of HTTP connections that have been simultaneously active on the VPN Concentrator since it was last booted or reset.
Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Use the scroll controls (if present) to view the entire table. Event Class Event class denotes the source of the event and refers to a specific hardware or software subsystem within the VPN Concentrator. Table 10-1 under Configuration | System | Events describes the event classes.
Active Sessions The number of active Telnet sessions. The Telnet Sessions table shows statistics for these sessions. Attempted Sessions The total number of attempts to establish Telnet sessions on the VPN Concentrator since it was last booted or reset. Successful Sessions The total number of Telnet sessions successfully established on the VPN Concentrator since it was last booted or reset. Telnet Sessions This table shows statistics for active Telnet sessions on the VPN Concentrator.
Monitor | Statistics | DNS This screen shows statistics for DNS (Domain Name System) activity on the VPN Concentrator since it was last booted or reset. To configure the VPN Concentrator to communicate with DNS servers, see the Configuration | System | Servers | DNS screen. Figure 15-31: Monitor | Statistics | DNS screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Monitor | Statistics | Authentication This screen shows statistics for user authentication activity on the VPN Concentrator since it was last booted or reset. To configure the VPN Concentrator to communicate with authentication servers, see the Configuration | System | Servers | Authentication screens. Figure 15-32: Monitor | Statistics | Authentication screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Rejects The number of authentication rejection packets received from this server. Challenges The number of authentication challenge packets received from this server. Malformed Responses The number of malformed authentication response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators are not included in this number.
Monitor | Statistics | Accounting This screen shows statistics for RADIUS user accounting activity on the VPN Concentrator since it was last booted or reset. To configure the VPN Concentrator to communicate with RADIUS accounting servers, see the Configuration | System | Servers | Accounting screens. Figure 15-33: Monitor | Statistics | Accounting screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Bad Authenticators The number of accounting response packets received from this server that contained invalid authenticators. Pending Requests The number of accounting request packets sent to this RADIUS accounting server that have not yet timed out or received a response. Timeouts The number of accounting timeouts to this RADIUS server. After a timeout the system may retry the same server, send to a different server, or give up.
Interface The VPN Concentrator network interface through which the filtered traffic has passed. 1 = Ethernet 1 (Private) interface. 2 = Ethernet 2 (Public) interface. 3 = Ethernet 3 (External) interface. 8 or greater = WAN interface. Inbound Packets Pre-Filter The total number of inbound packets received on this interface. Inbound Packets Filtered The number of inbound packets that have been filtered and dropped on this interface.
Monitor | Statistics | VRRP This screen shows status and statistics for VRRP (Virtual Router Redundancy Protocol) activity on the VPN Concentrator since it was last booted or reset. To configure VRRP, see the Configuration | System | IP Routing | Redundancy screen. Figure 15-35: Monitor | Statistics | VRRP screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
VRID Errors The total number of VRRP packets received with an invalid VRRP Group ID number for this VPN Concentrator. VRID The identification number that uniquely identifies the group of virtual routers to which this VPN Concentrator belongs. Not Configured = VRRP has not been configured or enabled. Virtual Routers This table shows statistics for the virtual router on each configured VRRP interface on this VPN Concentrator.
Time-to-Live Errors The total number of VRRP packets received by this interface with IP TTL (Time-To-Live) not equal to 255. All VRRP packets must have TTL = 255. Priority 0 Packets Received The total number of VRRP packets received by this interface with a priority of 0. Priority 0 packets indicate that the current Master router has stopped participating in VRRP. Priority 0 Packets Sent The total number of VRRP packets sent by this interface with a priority of 0.
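The VRRP checks behind these counters (VRID mismatch, TTL not 255, priority 0 from a withdrawing Master), worked through on constructed packets; this is an added illustration in Python, not VPN Concentrator code. It also verifies the VRRPv2 message checksum, which the screen does not list separately; the source address, VRID and priority values are made up.

```python
"""Classify VRRPv2 advertisements the way the Monitor | Statistics | VRRP
counters do (VRID errors, TTL errors, priority-0 packets), plus a checksum
check. Added illustration, not VPN Concentrator code; packets are constructed."""
import struct

VRRP_PROTO = 112            # IP protocol number for VRRP
VRRP_TTL = 255              # every VRRP packet must carry TTL 255
VRRP_MCAST = bytes([224, 0, 0, 18])


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum used by the VRRP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def vrrp_checksum(msg: bytes) -> int:
    """Checksum over the VRRP message with its checksum field zeroed."""
    return (~_ones_complement_sum(msg)) & 0xFFFF


def build_vrrp_packet(vrid, priority, addrs, ttl=VRRP_TTL, version=2, corrupt=False):
    """Construct an IPv4 + VRRPv2 advertisement (sample data, not a capture).
    The IP header checksum is left at zero; only the VRRP fields matter here."""
    vrrp = struct.pack("!BBBBBBH", (version << 4) | 1, vrid, priority,
                       len(addrs), 0, 1, 0)            # type 1 = advertisement
    vrrp += b"".join(bytes(int(o) for o in a.split(".")) for a in addrs)
    vrrp += b"\x00" * 8                                # auth type 0: no auth data
    csum = vrrp_checksum(vrrp)
    if corrupt:
        csum ^= 0xFFFF                                 # deliberately wrong checksum
    vrrp = vrrp[:6] + struct.pack("!H", csum) + vrrp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(vrrp), 0, 0,
                     ttl, VRRP_PROTO, 0, bytes([10, 0, 0, 1]), VRRP_MCAST)
    return ip + vrrp


def classify_vrrp(packet: bytes, configured_vrid: int) -> str:
    """Return the counter a receiver would increment for this packet.
    Check order follows the RFC 2338 receive procedure: TTL, version,
    checksum, then VRID; priority 0 means the Master is leaving the group."""
    if len(packet) < 20 or packet[9] != VRRP_PROTO:
        return "not_vrrp"
    ihl = (packet[0] & 0x0F) * 4
    vrrp = packet[ihl:]
    if len(vrrp) < 8:
        return "truncated"
    if packet[8] != VRRP_TTL:                          # TTL must be exactly 255
        return "ttl_errors"
    if vrrp[0] >> 4 != 2:
        return "version_errors"
    if _ones_complement_sum(vrrp) != 0xFFFF:          # valid message sums to all ones
        return "checksum_errors"
    if vrrp[1] != configured_vrid:                     # Group ID we do not belong to
        return "vrid_errors"
    if vrrp[2] == 0:
        return "priority0_received"
    return "accepted"


def tally(packets, configured_vrid: int) -> dict:
    """Aggregate per-counter totals, like the per-interface VRRP statistics."""
    counts = {}
    for pkt in packets:
        key = classify_vrrp(pkt, configured_vrid)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [                                         # constructed traffic mix
        build_vrrp_packet(1, 100, ["10.0.0.10"]),
        build_vrrp_packet(2, 100, ["10.0.0.10"]),               # wrong group
        build_vrrp_packet(1, 100, ["10.0.0.10"], ttl=64),       # crossed a router
        build_vrrp_packet(1, 0, ["10.0.0.10"]),                 # Master withdrawing
        build_vrrp_packet(1, 100, ["10.0.0.10"], corrupt=True),
    ]
    print(tally(sample, configured_vrid=1))
```

A steadily rising VRID or TTL error count on an interface means something on that segment is emitting VRRP that this group should never see, which is worth correlating with the event log.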
Monitor | Statistics | SSL This screen shows statistics for SSL (Secure Sockets Layer) protocol traffic on the VPN Concentrator since it was last booted or reset. To configure SSL, see Configuration | System | Management Protocols | SSL. Figure 15-36: Monitor | Statistics | SSL screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Active Sessions The number of currently active SSL sessions. Max Active Sessions The maximum number of SSL sessions simultaneously active at any one time. Monitor | Statistics | DHCP This screen shows statistics for DHCP (Dynamic Host Configuration Protocol) activity on the VPN Concentrator since it was last booted or reset. Each row of the table shows data for one session using an IP address obtained via DHCP.
Time Left The time remaining until the current IP address lease expires, shown as HH:MM:SS. DHCP Server Address The IP address of the DHCP server that leased this IP address. Monitor | Statistics | Address Pools This screen shows statistics for address pool activity on the VPN Concentrator since it was last booted or reset. This data appears if the VPN Concentrator is configured to assign IP addresses to clients from an internal address pool.
Max Allocated Addresses The maximum number of IP addresses assigned from this pool at any one time. Monitor | Statistics | MIB-II This section of the Manager lets you view statistics that are recorded in standard MIB-II objects on the VPN Concentrator. MIB-II (Management Information Base, version 2) objects are variables that contain data about the system.
Monitor | Statistics | MIB-II | Interfaces This screen shows statistics in MIB-II objects for VPN Concentrator interfaces since the system was last booted or reset. This screen also shows statistics for VPN tunnels as logical interfaces. RFC 2233 defines interface MIB objects. Figure 15-40: Monitor | Statistics | MIB-II | Interfaces screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Unicast In The number of unicast packets that were received by this interface. Unicast packets are those addressed to a single host. Unicast Out The number of unicast packets that were routed to this interface for transmission, including those that were discarded or not sent. Unicast packets are those addressed to a single host. Multicast In The number of multicast packets that were received by this interface.
Monitor | Statistics | MIB-II | TCP/UDP This screen shows statistics in MIB-II objects for TCP and UDP traffic on the VPN Concentrator since it was last booted or reset. RFC 2012 defines TCP MIB objects, and RFC 2013 defines UDP MIB objects. Figure 15-41: Monitor | Statistics | MIB-II | TCP/UDP screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
TCP Timeout Max The maximum value permitted for TCP retransmission timeout, measured in milliseconds. TCP Connection Limit The limit on the total number of TCP connections that the system can support. A value of -1 means there is no limit. TCP Active Opens The number of TCP connections that went directly from an unconnected state to a connection-synchronizing state, bypassing the listening state. These connections are allowed, but they are usually in the minority.
UDP Errored Datagrams The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port (UDP No Port). Datagram is the official UDP name for what is casually called a data packet. UDP No Port The total number of received UDP datagrams that could not be delivered because there was no application at the destination port. Datagram is the official UDP name for what is casually called a data packet.
Packets Received (Header Errors) The number of IP data packets received and discarded due to errors in IP headers, including bad checksums, version number mismatches, other format errors, etc. Packets Received (Address Errors) The number of IP data packets received and discarded because the IP address in the destination field was not a valid address for the VPN Concentrator. This count includes invalid addresses (e.g., 0.0.0.0) and addresses of unsupported classes (e.g.
Packets Transmitted (Requests) The number of IP data packets that local IP user protocols (including ICMP) supplied to transmission requests. This number does not include any packets counted in Packets Forwarded. Fragments Needing Reassembly The number of IP fragments received by the VPN Concentrator that needed to be reassembled. Reassembly Successes The number of IP data packets successfully reassembled.
Monitor | Statistics | MIB-II | RIP This screen shows statistics in MIB-II objects for RIP version 2 traffic on the VPN Concentrator since it was last booted or reset. RFC 1724 defines RIP version 2 MIB objects. To configure RIP on interfaces, see Configuration | Interfaces. Figure 15-43: Monitor | Statistics | MIB-II | RIP screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Received Bad Routes The number of routes in valid RIP packets received by this interface that were ignored for any reason (e.g., unknown address family, invalid metric). Sent Updates The number of triggered RIP updates actually sent by this interface. This number does not include full updates sent containing new information.
Monitor | Statistics | MIB-II | OSPF This screen shows statistics in MIB-II objects for OSPF version 2 traffic on the VPN Concentrator since it was last booted or reset. RFC 1850 defines OSPF version 2 MIB objects. To configure OSPF on interfaces, see Configuration | Interfaces. To configure system-wide OSPF parameters, see Configuration | System | IP Routing.
Router ID The VPN Concentrator OSPF router ID. This ID uniquely identifies the VPN Concentrator to other OSPF routers in its domain. While the format is that of an IP address, it functions only as an identifier and not an address. By convention, however, this identifier is the same as the IP address of the interface that is connected to the OSPF router network. 0.0.0.0 means no router is configured. Version The current version number of the OSPF protocol running on the VPN Concentrator.
Interface Address The IP address of the VPN Concentrator interface that communicates with its area. Interface Name The VPN Concentrator interface that communicates with its area. Ethernet 1 (Private) = Ethernet 1 (Private) interface. Ethernet 2 (Public) = Ethernet 2 (Public) interface. Ethernet 3 (External) = Ethernet 3 (External) interface. WAN 1.A = WAN interface module in Slot 1, Port A. WAN 1.B = WAN interface module in Slot 1, Port B. WAN 2.
State The state of the relationship with this neighboring OSPF router: Down = (Red) The VPN Concentrator has received no recent information from this neighbor. The neighbor may be out of service, or it may not have been in service long enough to establish its presence (at startup). Initializing = The VPN Concentrator has received a Hello packet from this neighbor, but it has not yet established bidirectional communication.
Area LSA Count The total number of Link-State Advertisements in this area’s link-state database, excluding AS external LSAs. Area LSA Checksum The sum of the checksums of the Link-State Advertisements in this area’s link-state database. This sum excludes external LSAs. You can use this sum to determine if there has been a change in the area’s link-state database, and to compare its database with other routers.
Monitor | Statistics | MIB-II | ICMP This screen shows statistics in MIB-II objects for ICMP traffic on the VPN Concentrator since it was last booted or reset. RFC 2011 defines ICMP MIB objects. Figure 15-45: Monitor | Statistics | MIB-II | ICMP screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Total Received / Transmitted The total number of ICMP messages that the VPN Concentrator received / sent.
Time Exceeded Received / Transmitted The number of ICMP Time Exceeded messages received / sent. Time Exceeded messages indicate that the lifetime of the packet has expired, or that a router cannot reassemble a packet within a time limit. Parameter Problems Received / Transmitted The number of ICMP Parameter Problem messages received / sent. Parameter Problem messages indicate a syntactic or semantic error in an IP header.
Address Mask Requests Received / Transmitted The number of ICMP Address Mask Request messages received / sent. Address Mask Request messages ask for the address (subnet) mask for the LAN to which a router connects. Address Mask Replies Received / Transmitted The number of ICMP Address Mask Reply messages received / sent. Address Mask Reply messages respond to Address Mask Request messages by supplying the address (subnet) mask for the LAN to which a router connects.
Interface The VPN Concentrator network interface on which this mapping applies: 1 = Ethernet 1 (Private) interface. 2 = Ethernet 2 (Public) interface. 3 = Ethernet 3 (External) interface. 8 or greater = WAN interface. 1000 and up = VPN tunnels, which are treated as logical interfaces. Physical Address The hardwired MAC (Medium Access Control) address of a physical network interface card, in 6-byte hexadecimal notation, that maps to the IP Address.
Monitor | Statistics | MIB-II | Ethernet This screen shows statistics in MIB-II objects for Ethernet interface traffic on the VPN Concentrator since it was last booted or reset. IEEE standard 802.3 describes Ethernet networks, and RFC 1650 defines Ethernet interface MIB objects. To configure Ethernet interfaces, see Configuration | Interfaces. Figure 15-47: Monitor | Statistics | MIB-II | Ethernet screen Refresh To update the screen and its data, click Refresh.
SQE Test Errors The number of times that the SQE (Signal Quality Error) Test Error message was generated for this interface. The SQE message tests the collision circuits on an interface. Frame Too Long Errors The number of frames received on this interface that exceed the maximum permitted frame size. Deferred Transmits The number of frames for which the first transmission attempt on this interface is delayed because the medium is busy.
Speed (Mbps) This interface’s nominal bandwidth in megabits per second. Duplex The current LAN duplex transmission mode for this interface: Full = Full-Duplex: transmission in both directions at the same time. Half = Half-Duplex: transmission in only one direction at a time. Monitor | Statistics | MIB-II | SNMP This screen shows statistics in MIB-II objects for SNMP traffic on the VPN Concentrator since it was last booted or reset. RFC 1907 defines SNMP version 2 MIB objects.
Bad Community String The total number of SNMP messages received that used an SNMP community string the VPN Concentrator did not recognize. See Configuration | System | Management Protocols | SNMP Communities to configure permitted community strings. To protect security, the VPN Concentrator does not include the usual default public community string.
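How the Bad Community String counter is derived, worked on constructed SNMPv1/v2c messages: the community string is the second element of the message SEQUENCE, so a receiver can decode and compare it against its configured communities before touching the PDU. This is an added Python illustration, not VPN Concentrator code; the community names and the permitted set are assumptions.

```python
"""Extract the community string from SNMPv1/v2c messages and tally the ones a
receiver would reject, as the Bad Community String counter does. Added
illustration, not VPN Concentrator code; messages are constructed below."""


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV (definite length, short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; returns (tag, value, next_pos).
    Raises ValueError on truncated or indefinite-length encodings."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def parse_community(msg: bytes):
    """Return (version, community) for an SNMPv1 (0) or v2c (1) message.
    SNMPv3 carries no community string and is rejected here."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("message is not a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(ver, "big", signed=True)
    if version not in (0, 1):
        raise ValueError("not an SNMPv1/v2c message")
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    return version, community.decode("latin-1")


def build_get_request(community: str, version: int = 1) -> bytes:
    """Constructed GetRequest with an empty variable-binding list."""
    pdu = _tlv(0xA0, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00")
               + _tlv(0x02, b"\x00") + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x02, bytes([version]))
                + _tlv(0x04, community.encode("latin-1")) + pdu)


def count_bad_community(messages, permitted):
    """Tally accepted / bad-community / malformed messages and, for the bad
    ones, which community strings were presented (probes usually try 'public')."""
    stats = {"accepted": 0, "bad_community": 0, "malformed": 0}
    presented = {}
    for msg in messages:
        try:
            _, community = parse_community(msg)
        except ValueError:
            stats["malformed"] += 1
            continue
        if community in permitted:
            stats["accepted"] += 1
        else:
            stats["bad_community"] += 1
            presented[community] = presented.get(community, 0) + 1
    return stats, presented


if __name__ == "__main__":
    permitted = {"ops-monitor"}                        # assumed configured community
    sample = [                                         # constructed message mix
        build_get_request("ops-monitor"),
        build_get_request("public"),                   # default string, not configured
        build_get_request("public", version=0),
        b"\x30\x02\x02",                               # truncated on the wire
    ]
    print(count_bad_community(sample, permitted))
```

Because the appliance ships without the default public community, a rising Bad Community String count is a cheap indicator that something is sweeping the management interface with guessed strings.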
Chapter 16 Using the Command Line Interface The VPN 3000 Concentrator Series Command Line Interface (CLI) is a menu- and command-line-based configuration, administration, and monitoring system built into the VPN Concentrator. You use it via the system console or a Telnet (or Telnet over SSL) session. You can use the CLI to completely manage the system. You can access and configure the same parameters as the HTML-based VPN 3000 Concentrator Series Manager, except for IPSec LAN-to-LAN configuration.
3 Press Enter on the PC keyboard until you see the login prompt. (You may see a password prompt and error messages as you press Enter; ignore them and stop at the login prompt.) Login: _ Telnet or Telnet/SSL access To access the CLI via a Telnet or Telnet/SSL client: 1 Enable the Telnet or Telnet/SSL server on the VPN Concentrator. (They are both enabled by default.
Using the CLI

This section explains how to:
• Choose menu items.
• Enter values for parameters and options.
• Specify configured items by number or name.
• Navigate quickly—using shortcuts—through the menus.
• Display a brief help message.
• Save entries to the system configuration file.
• Stop the CLI.
• Understand CLI administrator access rights.

The CLI displays menus or prompts at every level to guide you in choosing configurable options and setting parameters.
Specifying configured items

Many menus give choices that act on configured items—such as groups, users, filter rules, etc.—and the CLI lists those items with a number and their name. To specify an item, you can usually enter either its number or its name. The CLI indicates when you must use a specific identifier (usually the item's number).
Navigating quickly through the CLI

There are two ways to move quickly through the CLI: shortcut numbers, and the Back/Home options. Both ways work only when you are at a menu, not when you are at a value entry.

Using shortcut numbers

Once you become familiar with the structure of the CLI—which parallels the HTML-based VPN Concentrator Manager—you can quickly access any level by entering a series of numbers separated by periods.
As a shortcut, you can just enter 1.3.1.1 at the Main-> prompt, and move directly to the Base Group General Parameters menu:

    1) Configuration
    2) Administration
    3) Monitoring
    4) Save changes to Config file
    5) Help Information
    6) Exit

    Main -> 1.3.1.1

    1) Access Parameters
    2) Tunneling Protocols
    3) SEP Config
    4) Back

    Base Group -> _

The prompt always shows the current context in the menu structure.

Using Back and Home

Most menus include a numbered Back choice.
Saving the configuration file

Configuration and administration entries take effect immediately and are included in the active, or running, configuration. However, if you reboot the VPN Concentrator without saving the active configuration, you lose any changes. To save changes to the system configuration (CONFIG) file, navigate to the main menu. At the prompt, enter 4 for Save changes to Config file.
CLI menu reference

This section shows all the menus in the first three levels below the CLI main menu. (There are many additional menus below the third level; and within the first three levels, there are some non-menu parameter settings. To keep this chapter at a reasonable size, we show only the menus here.) The numbers in each heading are the keyboard shortcut to reach that menu from the main menu. For example, entering 1.3.
1.1 Configuration > Interface Configuration

Model 3015–3080 only

    This table shows current IP addresses.
    . . .
    1) Configure Ethernet #1 (Private)
    2) Configure Ethernet #2 (Public)
    3) Configure Ethernet #3 (External)
    4) Configure Power Supplies
    5) Configure Expansion Cards
    6) Back

    Interfaces -> _

Model 3005 only

    1) Configure Ethernet #1 (Private)
    2) Configure Ethernet #2 (Public)
    3) Configure Power Supplies
    4) Configure Expansion Cards
    5) Back

    Interfaces -> _

1.1.1, 1.1.2, or 1.1.
1.1.3 Configuration > Interface Configuration > Configure Power Supplies

Model 3005 only

    Alarm Thresholds in centivolts (e.g. 361 = 3.61V)
    Voltages will be adjusted to conform to the hardware.
    1) Configure CPU voltage thresholds
    2) Configure Power Supply voltage thresholds
    3) Configure Board voltage thresholds
    4) Back

    Interfaces -> _

1.1.
1.2.1 Configuration > System Management > Servers

    1) Authentication Servers
    2) Accounting Servers
    3) DNS Servers
    4) DHCP Servers
    5) NTP Servers
    6) Back

    Servers -> _

1.2.2 Configuration > System Management > Address Management

    1) Address Assignment
    2) Address Pools
    3) Back

    Address -> _

1.2.3 Configuration > System Management > Tunneling Protocols

    1) PPTP
    2) L2TP
    3) IKE Proposals
    4) Back

    Tunnel -> _

Note: The CLI does not include IPSec LAN-to-LAN configuration.

1.2.
1.2.5 Configuration > System Management > Management Protocols

    Network Protocol Summary Table
    . . .
    1) Configure FTP
    2) Configure HTTP/HTTPS
    3) Configure TFTP
    4) Configure Telnet
    5) Configure SNMP
    6) Configure SNMP Community Strings
    7) Configure SSL
    8) Back

    Network -> _

1.2.6 Configuration > System Management > Event Configuration

    1) General
    2) FTP Backup
    3) Classes
    4) Trap Destinations
    5) Syslog Servers
    6) SMTP Servers
    7) Email Recipients
    8) Back

    Event -> _

1.2.
1.3.1 Configuration > User Management > Base Group

    1) General Parameters
    2) Server Parameters
    3) IPSec Parameters
    4) PPTP/L2TP Parameters
    5) Back

    Base Group -> _

1.3.2 Configuration > User Management > Groups

    Current User Groups
    . . .
    1) Add a Group
    2) Modify a Group
    3) Delete a Group
    4) Back

    Groups -> _

1.3.3 Configuration > User Management > Users

    Current Users
    . . .
    1) Add a User
    2) Modify a User
    3) Delete a User
    4) Back

    Users -> _

1.
1.4.1 Configuration > Policy Management > Access Hours

    Current Access Hours
    . . .
    1) Add Access Hours
    2) Modify Access Hours
    3) Delete Access Hours
    4) Back

    Access Hours -> _

1.4.
2.3 Administration > System Reboot

    1) Cancel Scheduled Reboot/Shutdown
    2) Schedule Reboot
    3) Schedule Shutdown
    4) Back

    Admin -> _

2.3.2 Administration > System Reboot > Schedule Reboot

    1) Save active Configuration and use it at Reboot
    2) Reboot without saving active Configuration file
    3) Reboot with Factory/Default Configuration
    4) Back

    Admin -> _

2.3.
2.5.2 Administration > Access Rights > Access Control List

    This is the Current Access List
    . . .
    1) Add Manager Workstation
    2) Modify Manager Workstation
    3) Delete Manager Workstation
    4) Move Manager Workstation Up
    5) Move Manager Workstation Down
    6) Back

    Admin -> _

2.5.3 Administration > Access Rights > Access Settings

    1) Set Session Timeout
    2) Set Session Limit
    3) Enable/Disable Encrypt Config File
    4) Back

    Admin -> _

2.
2.7 Administration > Certificate Management

    1) Enrollment
    2) Installation
    3) Certificate Authorities
    4) Identity Certificates
    5) SSL Certificate
    6) Back

    Certificates -> _

2.7.2 Administration > Certificate Management > Installation

    1) Install Certificate Authority
    2) Install SSL Certificate (from Enrollment)
    3) Install SSL Certificate (with private key)
    4) Install Identity Certificate (from Enrollment)
    5) Install Identity Certificate (with private key)
    6) Back

    Certificates -> _

2.
2.7.5 Administration > Certificate Management > SSL Certificate

    Subject
    . . .
    'q' to Quit, '' to Continue -> .
    Issuer
    . . .
    'q' to Quit, '' to Continue -> .
    Serial Number
    . . .
    1) Delete Certificate
    2) Generate Certificate
    3) Back

    Certificates -> _

3 Monitoring

    1) Routing Table
    2) Event Log
    3) System Status
    4) Sessions
    5) General Statistics
    6) Back

    Monitor -> _

3.1 Monitoring > Routing Table

    Routing Table
    . . .
    'q' to Quit, '' to Continue -> .
    . . .
3.2 Monitoring > Event Log

    1) Configure Log viewing parameters
    2) View Event Log
    3) Save Log
    4) Clear Log
    5) Back

    Log -> _

3.2.2 Monitoring > Event Log > View Event Log

    [Event Log entries]
    . . .
    1) First Page
    2) Previous Page
    3) Next Page
    4) Last Page
    5) Back

    Log -> _

3.3 Monitoring > System Status

    System Status
    . . .
    1) Refresh System Status
    2) View Card Status
    3) Back

    Status -> _

3.3.
3.4 Monitoring > Sessions

Model 3015–3080 only

    1) View Session Statistics
    2) View Top Ten Lists
    3) View Session Protocols
    4) View Session SEPs
    5) View Session Encryption
    6) Back

    Sessions -> _

Model 3005 only

    1) View Session Statistics
    2) View Top Ten Lists
    3) View Session Protocols
    4) View Session Encryption
    5) Back

    Sessions -> _

3.4.1 Monitoring > Sessions > View Session Statistics

    Active Sessions
    . . .
3.4.4 Monitoring > Sessions > View Session SEPs

Model 3015–3080 only

    Session SEPs
    . . .
    1) Refresh Session SEPs
    2) Back

    Sessions -> _

3.4.5* Monitoring > Sessions > View Session Encryption

* 3.4.5 on Model 3015–3080, 3.4.4 on Model 3005

    Session Encryption
    . . .
    1) Refresh Session Encryption
    2) Back

    Sessions -> _

3.5 Monitoring > General Statistics

    1) Protocol Statistics
    2) Server Statistics
    3) Event Statistics
    4) MIB II Statistics
    5) Back

    General -> _

3.5.
3.5.2 Monitoring > General Statistics > Server Statistics

    1) Authentication Statistics
    2) Accounting Statistics
    3) Filtering Statistics
    4) DHCP Statistics
    5) Address Pool Statistics
    6) Back

    General -> _

3.5.3 Monitoring > General Statistics > Event Statistics

    Event Statistics
    . . .
    'q' to Quit, '' to Continue -> .
    . . .
    1) Refresh Event Statistics
    2) Back

    General -> _

3.5.
APPENDIX A
Errors and troubleshooting

This appendix describes common errors that may occur while configuring and using the system, and how to correct them. It also describes LED indicators on the system and its expansion modules.

Files for troubleshooting

The VPN 3000 Concentrator creates several files that you can examine, and that can assist Cisco support engineers, when troubleshooting errors and problems:
• Event log.
• SAVELOG.
Configuration files

The VPN Concentrator saves the current boot configuration file (CONFIG) and its predecessor (CONFIG.BAK) as files in flash memory. These files may be useful for troubleshooting. See Administration | File Management | Files for information on managing files in flash memory.

VPN Concentrator Manager errors

These errors may occur while using the HTML-based VPN Concentrator Manager with a browser.
Invalid Login or Session Timeout

The Manager displays the Invalid Login or Session Timeout screen.

Problem: You entered an invalid administrator login name / password combination.
Possible cause: • Typing error.
Solution: Re-enter the login name and password, and click the Login button. Use a valid login name and password. Type carefully.

Problem: The Manager session has been idle longer than the configured timeout interval.
Possible cause: • No activity for (interval) seconds.
Error / An error has occurred while attempting to perform...

The Manager displays a screen with the message: Error / An error has occurred while attempting to perform the operation. An additional error message describes the erroneous operation.

Problem: You tried to perform some operation that is not allowed.
Possible cause: • The screen displays a message that describes the cause.
You are using an old browser or have disabled JavaScript

The Manager displays a screen with the message: You are using an old browser or have disabled JavaScript...

Problem: The VPN Concentrator Manager cannot work with the browser that you have invoked.
Possible cause: • You are using the Manager with an unsupported browser.
Solution: Use Microsoft Internet Explorer version 4.0 or higher.
Possible cause: • You are using the Manager with an obsolete browser.
Not Allowed / You do not have sufficient authorization...

The Manager displays a screen with the message: Not Allowed / You do not have sufficient authorization to access the specified page.

Problem: You tried to access an area of the Manager that you do not have authorization to access.
Possible cause: • You logged in using an administrator login name that has limited privileges.
Solution: Log in using the system administrator login name and password.
Not Found / An error has occurred while attempting to access...

The Manager displays a screen with the message: Not Found / An error has occurred while attempting to access the specified page. The screen includes additional information that identifies system activity and parameters.

Problem: The Manager could not find a screen.
Possible cause: • You updated the software image and did not clear the browser's cache.
Command Line Interface errors

These errors may occur while using the menu-based Command Line Interface from a console or Telnet session.

ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID.

Problem: The system expected a valid 4-byte dotted decimal entry, and the entry wasn't in that format.
Possible cause: • You entered something other than a 4-byte dotted decimal number.
LED indicators

LED indicators on the VPN Concentrator and its expansion modules are normally green. The usage gauge LEDs are normally blue. LEDs that are amber or off may indicate an error condition. NA = not applicable; i.e., the LED does not have that state. Contact Cisco support if any LED indicates an error condition.
VPN Concentrator LEDs (front)

LED Indicator (Front): System
  Green: Power on. Normal.
  Amber: System has crashed and halted. Error.
  Off: Power off. (All other LEDs are off.)
  Blinking Green (Model 3005 only) = System is in a shutdown (halted) state, ready to power off.

The LEDs below are present only on Models 3015–3080.

LED Indicator (Front): Ethernet Link Status 1 2 3
  Green: Connected to network and enabled.
  Amber: NA
  Off: Not connected to network or not enabled.
Usage Gauge LEDs (Front) (Model 3015–3080 only)

Left to right sequential segments, varying number
  Steady or Intermittent Blue: Normal operation.
  Blinking Blue: NA
All 10 segments
  Steady or Intermittent Blue: NA
  Blinking Blue: VPN Concentrator is in a shutdown (halted) state, ready to power off.

VPN Concentrator LEDs (rear)

LED Indicator (Rear): Link
  Green: Carrier detected. Normal.
  Amber: NA
  Off: No carrier detected. Error.
LED Indicator (Rear): Tx
  Green: Transmitting data. Normal. Intermittent on.
  Amber: NA
  Off: Not transmitting data. Idle. Intermittent off.
WAN Interface Module LEDs

WAN module LEDs are visible from the rear of the VPN Concentrator.

WAN Module LED: Power
  On: Normal operation.
  Blinking: NA
  Off: Power is not reaching the module. It may not be seated correctly. Error.
WAN Module LED: Status
  On: Module has passed diagnostics and is operational. Normal.
  Blinking: Module failed diagnostics. Error.
  Off: Module has failed. Error.
This table shows all possible combinations for the LEDs on each WAN Port.

WAN Port LEDs: Alrm = Alarm, CD = Carrier Detect, Sync = Synchronization, LpBk = Loopback

Alrm Off, CD On, Sync On, LpBk Off: Normal operation. Carrier detected, line in synchronization.
Alrm Off, CD Off, Sync Off, LpBk On: Line is in loopback mode. This mode occurs, for example, when you install the line and the carrier is testing the signal. You can also set loopback mode by pressing the LpBk switch.
APPENDIX B
Copyrights, licenses, and notices

Software License Agreement of Cisco Systems, Inc.

CISCO SYSTEMS, INC. IS WILLING TO LICENSE TO YOU THE SOFTWARE CONTAINED IN THE ACCOMPANYING CISCO PRODUCT ONLY IF YOU ACCEPT ALL OF THE TERMS AND CONDITIONS IN THIS LICENSE AGREEMENT. PLEASE READ THIS AGREEMENT CAREFULLY BEFORE YOU OPEN THE PACKAGE BECAUSE, BY OPENING THE SEALED PACKAGE, YOU ARE AGREEING TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT.
4. You may permanently transfer the Software and accompanying written materials (including the most recent update and all prior versions) only in conjunction with a transfer of the entire Cisco product, and only if you retain no copies and the transferee agrees to be bound by the terms of this Agreement. Any transfer terminates your license.
16. This Agreement is governed by the laws of the State of Massachusetts.

17. If you have any questions concerning this Agreement or wish to contact Cisco Systems for any reason, please call (508) 541-7300, or write to Cisco Systems, Inc., 124 Grove Street, Suite 205, Franklin, Massachusetts 02038.

18. U.S. Government Restricted Rights. The Software and accompanying documentation are provided with Restricted Rights.
DHCP client

Copyright © 1995, 1996, 1997 The Internet Software Consortium. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2.
Portions Copyright © 1993 by Digital Equipment Corporation.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies, and that the name of Digital Equipment Corporation not be used in advertising or publicity pertaining to distribution of the document or software without specific, written prior permission.
NRL grants permission for redistribution and use in source and binary forms, with or without modification, of the software and documentation created at NRL provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2.
RSA software

Copyright © 1995-1998 RSA Data Security, Inc. All rights reserved. This work contains proprietary information of RSA Data Security, Inc. Distribution is limited to authorized licensees of RSA Data Security, Inc. Any unauthorized reproduction or distribution of this document is strictly prohibited. BSAFE is a trademark of RSA Data Security, Inc. The RSA Public Key Cryptosystem is protected by U.S. Patent #4,405,829.

SecureID

SecureID is a product of RSA Security Inc.
SSL Plus

Certicom, the Certicom logo, SSL Plus, and Security Builder are trademarks of Certicom Corp. Copyright © 1997-1999 Certicom Corp. Portions are Copyright © 1997-1998, Consensus Development Corporation, a wholly owned subsidiary of Certicom Corp. All rights reserved. Contains an implementation of NR signatures, licensed under U.S. patent 5,600,725. Protected by U.S. patents 5,787,028; 4,745,568; 5,761,305. Patents pending.
Regulatory Agency Notices

U.S. Federal Communications Commission (FCC) Compliance Notice

NOTE: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
(2) Before connecting your unit, you must inform the telephone company of the following information:

    Port ID    REN/SOC    FIC          USOC
    Port 0, 1  6.0N       04DU9-1SN    RJ48C

(3) If the unit appears to be malfunctioning, it should be disconnected from the telephone lines until you learn if your equipment or the telephone line is the source of the trouble. If your equipment needs repair, it should not be reconnected until it is repaired.
• If the telephone company requests that you supply the FCC Certification number and REN of the device you are connecting, please supply the FCC Certification numbers from all component and host devices that have a direct PSTN connection (i.e. have a REN stated on the label) and the highest REN.

• If at any time the ownership of this component device is transferred to someone else (whether independently or as part of a system), supply this manual to the new owner.
WAN Module: CS03 Canadian Requirements—Equipment Attachment Limitations

NOTICE: The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operational and safety requirements. Industry Canada does not guarantee the equipment will operate to the user's satisfaction.