VPN Client User Guide for Mac OS X
Release 4.6
August 2004
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number:
Text Part Number: OL-5490-01
Contents
Verifying System Requirements
Gathering Information You Need
Obtaining the VPN Client Software
Preconfiguring the VPN Client
Right-Click Menus
Connection Entries Tab Right-Click Menu
Certificates Tab Right-Click Menu
Configuring Connection Entries
Creating a Connection Entry
Authentication Methods
Group Authentication
Changing the Password on an Enrollment Request
Retrying an Enrollment Request
Importing a Certificate
Viewing a Certificate
Exporting a Certificate
Deleting a Certificate
Verifying a Certificate
Changing the Password on a Personal Certificate
Modifying a Connection Entry
Deleting a Connection Entry
Event Logging
Enable Logging
Clear Logging
Set Logging Options
Opening the Log Window
Viewing Statistics
Tunnel Details
Route Details
Notifications
Index
Chapter 6, “Enrolling and Managing Certificates.” certificates to use for authentication and how to manage these certificates in the VPN Client certificate store. This chapter describes how the VPN Client software This chapter describes how to install the VPN Client...
Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.
Cautions use the following conventions:
This chapter describes how to manage VPN Client
font—Describes information that you must enter.
Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
• The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
• DSL (Digital Subscriber Line)—Uses a DSL modem; always connected.
You can also use the VPN Client on a PC with a direct LAN connection.
– Decrypts the message so you can read it on your remote PC
– Uses IPSec to process and return the message to the private network through the Cisco VPN device.
The VPN Client supports the Program features listed in Table 1-2.
Table 1-2 Program Features
Program Feature column: Servers Supported, Interfaces supported, Online Help, Local LAN access
Description column (fragments): Mac OS Version 10.2 or later, async serial PPP, Internet-attached Ethernet
The ability to support a single security association (SA) per VPN connection. Rather than creating a host-to-network SA pair for each split-tunneling network, this feature provides a host-to-ALL approach, creating one tunnel for all appropriate network traffic apart from whether split-tunneling is in use.
Tunnel Protocol
Transparent tunneling
Key Management protocol
IKE Keepalives
Description
This feature lets a user connect to the default user profile when starting the VPN Client. You can enable this feature on the Preferences menu under the VPN Client tab.
Group 5 = 1536 prime modulus
Note: See the Cisco VPN Client Administrator Guide for more information about DH Group 5.
• 56-bit DES (Data Encryption Standard)
• 168-bit Triple-DES
• AES 128-bit and 256-bit
Extended Authentication (XAUTH): The capability of authenticating a user within IKE. This authentication is in addition to the normal IKE phase 1 authentication, where the IPSec devices authenticate each other.
Mode Configuration
Tunnel Encapsulation Modes
IP compression (IPCOMP) using
• If authenticating through a token vendor, your username and PIN
• If you are configuring backup server connections, the hostnames or IP addresses of the backup servers
Figure 2-2 shows the vpnclient installer directory. This directory contains the installer package and any preconfigured files in the Profiles and Resources folders.
If you do not preconfigure a global profile, the vpnclient.ini file is populated with default settings. Each time you make changes, the vpnclient.ini file is updated and stored.
for more information. “Uninstalling the VPN Client” section on page Figure 2-2). (Figure 2-3). You must have an administrator password to install the “Choosing the Installation 2-12.
Step 3 Step 4 Click OK. If the authentication is successful, continue to the installation process.
Contact your network administrator if you cannot authenticate for installation.
Figure 2-5 Cisco VPN Client—Introduction Window
Click Continue.
2-5) lists system requirements. The left pane displays each of the installation steps. As
To continue with the installation, click Agree.
Selecting the Application Destination
If your workstation has more than one disk drive, you can select the destination volume to install the VPN Client on your workstation. Figure 2-7 shows the Select Destination window.
The VPN Client application binaries and the VPN Client kernel extension must be part of your installation. However, installing the other three packages is optional. To install all packages, click Install on the Easy Install window (Figure 2-8).
Custom Install Window
The packages with the blue check box are optional. To make a package part of your installation, check the blue box. To remove a package from your installation, uncheck the blue box.
A progress bar lists the installation steps as they occur (Figure 2-10).
Figure 2-10 Install Software Progress Window
When the installation is finished, a window appears to indicate whether the installation was successful (Figure 2-11).
To begin using the Client, double-click the VPN Client application icon located in the Applications directory (Figure 2-12).
Note: You must have administrator privileges to uninstall the VPN Client. If you do not have administrator privileges, you must have someone with administrator privileges uninstall the product for you.
• If you answer no, all binaries and startup scripts are removed, but certificates, profiles, and the vpnclient.ini file remain.
(Figure 3-1) to manage the VPN Client application and main window settings.
• Preferences—Sets VPN Client window preferences
Figure 3-2 VPN Client Window Preferences
VPN Client Window—Simple Mode
When you run in simple mode, you are presented with a scaled-down version of the VPN Client user interface (Figure 3-3).
Simple Mode Status Menu
• Statistics—Open the Statistics window to view tunnel details and route details.
• Notifications—Open the Notifications window to view notices from the VPN device.
• The left side indicates the connection entry name and connection status.
• The right side lists the amount of time for this session, the client IP address, and the number of bytes through the VPN tunnel.
Log tab—Displays event messages from all processes that contribute to the client-peer connection, including enabling logging, clearing the event log, viewing the event log in an external window, and setting logging levels. Refer to Figure 3-6). If the Certificates tab is forward, Chapter 4, “Configuring Connection Entries”...
(Figure 3-9) as a shortcut to frequently-used connection entry
• Import—Import a connection entry from a file.
To configure a new connection entry, see Chapter 4, “Configuring Connection Entries.”
• Delete—Delete the selected certificate.
• Change Certificate Password—Change the password used to protect the certificate while it is in the VPN Client certificate store.
(Figure 3-10) to display the tunnel and route statistics or to view notifications from
(Figure 3-11) as a shortcut to frequently-used certificate operations.
(Figure 3-12) to enable, disable, view or clear the event log, or to adjust the log
VPN Client operations. If your mouse has only one button, use Ctrl-Click to access the right-click menus.
Erase Saved User Password—Erases the user password that is saved on the VPN Client workstation, forcing the VPN Client to prompt you for a password each time you establish a connection.
• Change Certificate Password—Change the password used to protect the certificate while it is in the VPN Client certificate store.
• Retry Certificate Enrollment—Retry a previously started certificate enrollment.
You can create multiple connection entries if you use your VPN Client to connect to multiple networks (though not simultaneously) or if you belong to more than one IPSec group.
Step 3 Click New at the top of the VPN Client window. The Create New VPN Connection Entry dialog box appears (Figure 4-2).
Figure 4-2 Create New VPN Connection Entry
Use this procedure if you plan to use group authentication for this connection entry.
To configure group authentication:
Step 1 From the Authentication tab, click the Group Authentication radio button
“Transport Parameters” section on page 4-6 for more information.
To configure this connection entry for a digital certificate:
Step 1 From the Authentication tab, click the Certificate Authentication radio button (Figure 4-4).
This feature provides flexibility because the intermediate CA certificates do not need to be installed on the peer.
Step 4 Click Save. The Connection Entry dialog box closes and you return to the Connection Entries tab.
“Enrolling Certificates” section on page 6-2 for more information.
“Importing a Certificate”...
(Figure 4-5) to display the existing transport parameters configured for this
Step 6 Click Save. The VPN Client Properties dialog box closes and you return to the Connection Entries tab.
– If enabled on the VPN Client and permitted on the central-site VPN device, you can see a list of the local LANs that are available by choosing Statistics from the Status menu and clicking the Route Details tab. For more information, see the “Route Details” section on page 7-10.
Step 3 Click Modify at the top of the VPN Client window. The VPN Client Properties dialog box appears.
Step 4 Click the Backup Servers tab (Figure 4-6).
Click the Add button on the Backup Servers tab. The VPN Client dialog box appears (Figure 4-7).
Figure 4-7 Add Backup Server
Step 2 Enter the hostname or IP address of the backup server to add.
Step 3 Click OK. The backup server is added to the list of available backup servers.
To remove a backup server, return to the Backup Server tab, select a server from the list, and click Remove.
Step 1 you created an alias, you can double-click the VPN Client icon on the Desktop or in the dock (Figure 5-1).
for more information on simple mode and advanced
Step 4 Respond to all user authentication prompts.
The user authentication prompts that appear depend on the configuration for this connection entry.
(Figure 5-4). The shared key password must be the same as the shared key password configured on the VPN device that is providing the connection to the private network. “VPN Client Menu”. An administrator configures this feature “Creating a Connection...
The first prompt is for the VPN group name and password, and the RADIUS user authentication prompt follows (Figure 5-6). (Figure 5-5).
In most configurations, you use RSA SecurID with VPN group authentication. With this type of authentication, two prompts appear. The first prompt is for the VPN group name and password, and the RSA SecurID user authentication prompt follows (Figure 5-7).
Figure 5-8 Certificate Password
Enter the certificate password and click OK.
For more information on digital certificates, see Chapter 6, “Enrolling and Managing Certificates.”
Simple Certificate Enrollment Protocol (SCEP), and certificates that have been imported from a file. The Certificates tab on the main VPN Client window displays the list of certificates in your certificate store (Figure 6-1).
• If you choose File, the VPN Client generates an enrollment request file that you can email to a CA or post into a webpage form.
Figure 6-2 shows the Certificate Enrollment Dialog Box.
– New Password—The password for this certificate. Each digital certificate is protected by a password. If you create a connection entry that requires a digital certificate for authentication, you must enter the certificate password each time you attempt a connection.
VPN 3000 Series Concentrator, for example.
The company name for the certificate.
The state for the certificate.
The 2-letter country code for your country. For example, US. This two-letter country code must conform to ISO 3166 country abbreviations.
To delete an enrollment request
Step 1 Select the enrollment request from the certificate store.
Step 2 Choose Delete from the Certificates menu. The VPN Client prompts you for a password.
The VPN Client prompts you to enter a password. This password must match the password you are using to protect the certificate’s private key, if any.
Step 3 Enter the password and click OK to resume the enrollment request.
Step 2 Select the certificate to view.
Step 3 Click View at the top of the VPN Client window or double-click the certificate. The Certificate Properties window appears (Figure 6-7).
A typical subject includes the following fields:
– common name (cn)
– organizational unit, or department (ou)
– organization or company (o)
– locality, city, or town (l)
Step 7 Verify the exported certificate file password.
Step 8 Click Export. The certificate is copied to the selected directory and a prompt (Figure 6-9) indicates whether the export is successful.
Click Do not Delete to return to the VPN Client window without deleting the selected certificate.
To delete an enrollment certificate
Step 1 Click the Certificates tab.
Step 2 Select the enrollment certificate to delete.
(Figure 6-12) to indicate the...
Figure 6-12 Verify Certificate
Step 3 Click OK to return to the VPN Client window.
If your certificate is invalid, contact the network administrator for instructions.
Step 3 In the New field, type the new password.
Step 4 In the Confirm field, type the same password again.
Step 5 Click OK.
Click the Connection Entries tab.
Step 2 Click Import at the top of the VPN Client window. The Import VPN Connection dialog box appears (Figure 7-1).
Select the connection entry to modify.
Step 3 Click Modify at the top of the VPN Client window. The VPN Client Properties dialog box appears (Figure 7-2).
Step 2 Select the connection entry to delete.
Step 3 Click Delete at the top of the VPN Client window. You are prompted to confirm the connection entry to delete (Figure 7-3).
To enable logging, click Enable at the top of the VPN Client window. Alternately, you can choose Enable from the Log menu. The event logging window displays (Figure 7-4).
To set logging options for the VPN Client:
Step 1 Click the Log tab.
Step 2 Click Options at the top of the VPN Client window. The Log Settings dialog box appears (Figure 7-5).
VPN Client graphical user interface. The VPN Client for Mac OS X user interface.
Module: Connection Manager Daemon (cvpnd) eXtended AUTHentication Certificates IPSec Command Line Graphical User Interface
Figure 7-6 shows the logging levels.
Step 4
Opening the Log Window
To display the events log in a separate window, click Log Window at the top of the VPN Client window. The VPN Client Log Window appears (Figure 7-7).
VPN session, including:
• IP addresses assigned for this session
• Byte and packet transfer statistics
• Encryption and authentication algorithms
Bytes Sent
Packets Encrypted
Packets Decrypted
Packets Discarded
Packets Bypassed
(Figure 7-8) displays the IP addresses assigned for this session and byte and
Description
IP address assigned to the client for this VPN session
IP address of the VPN device you are connected to.
Displays whether transparent tunneling is enabled; if enabled, lists the protocol and port number.
Displays whether Local LAN access (split tunneling) is enabled.
Displays what type of data compression is used, if any.
7-10), choose Notifications from the Status menu.
Other notifications might include messages from your network administrator about upgrades to the VPN Client software or information regarding the specific VPN device you are connected to.
Some notifications contain a URL that directs you to the location of more current versions of the VPN Client. If the URL exists, the Launch button becomes active. If you click the Launch button, a browser opens on your workstation.