Cisco VPN Client Overview

The Cisco VPN Client is a VPN remote access client that runs on Microsoft Windows PCs, Linux PCs (Intel-based), Macintoshes (Mac OS X), and Sun UltraSPARC workstations (Solaris). Of the four, the Microsoft and Macintosh clients support a graphical user interface (GUI); the other two use a command-line interface (CLI). The Cisco VPN Client uses IPsec to establish a remote access VPN session to an Easy VPN Server using Cisco Easy VPN technology. Supported servers include the VPN 3000 series concentrators, IOS-based routers, and PIX and ASA security appliances. Other VPN connection methods, such as PPTP, L2TP/IPsec, and WebVPN, are not supported with Cisco VPN Client software. The following sections will discuss the features and installation of the VPN Client for Microsoft Windows.

Note

There are two basic versions of the Cisco software client for Windows: Versions 3.x and 4.x. The GUI interfaces between the two are different; however, how you perform tasks within each client is very similar. Therefore, this book will focus on using the 4.6 Windows client and I'll point out differences between the 3.x and 4.x clients as I proceed through the chapter. Because of space constraints, I will not be covering the non-Windows versions of the client. Also, Cisco used to offer two other clients, but these have been discontinued: the Cisco Secure VPN Client (discontinued in 2003) and the Cisco VPN 5000 Client (discontinued in 2002).

 

Cisco VPN Client Features

The Cisco VPN Client for Windows (Version 4.6) supports Windows 98, Windows NT 4.0, Windows ME, Windows 2000, and Windows XP platforms. It can be used to establish a secure IPsec session using either a dialup connection via PPP, a wireless connection, or even a LAN-based connection, such as Ethernet. Because the software implements client features, the VPN Client can have only one session active at a time.

There are many, many features that the VPN Client provides; some are based on open standards and some are proprietary to Cisco. For IPsec, it supports both main and aggressive modes for ISAKMP/IKE Phase 1; MD5 and SHA-1 HMAC functions; pre-shared keys, mutual group authentication, digital certificates, and XAUTH user authentication; DH group 1, 2, and 5 keys; and DES, 3DES, AES-128, and AES-256 (AES is new in version 3.6) encryption. To list all of the features would take about a dozen or so pages; therefore, I'll briefly cover some of the VPN Client's more important features in Table 12-1. More information on the Cisco VPN Client can be found at http://www.cisco.com/en/US/products/sw/secursw/ps2308/tsd_products_support_series_home.html.

Table 12-1. Cisco VPN Client features

Feature | Version | Description
--- | --- | ---
Application Launcher | 3.0 | Launches an application when establishing an IPsec session to an Easy VPN Server
Auto-Initiation | 3.6 | Automatically initiates an IPsec session during bootup of the PC or when an IPsec session is dropped
Automatic Dialup Connection | 3.0 | Automatically dials an ISP or access server using Microsoft's or a third party's dialup software to establish an IPsec session
Automatic Start Before Login and Automatic Disconnect | 3.0 | Allows the VPN Client to bring up an IPsec session before the user logs in to the Windows domain; likewise, allows the VPN session to terminate when the user logs out of the domain
Automatic Updates | 4.6 | Allows Windows 2000 and XP clients to download and install a software update automatically; earlier versions only receive a notification, after which the user must manually download and install the VPN Client software update
Automatic VPN Client Configuration | 3.0 | Imports one or more pre-configured connection profiles during the software client installation
Browser Proxy Configuration | 4.6 | Allows VPN Clients with Internet Explorer installed to obtain their proxy settings automatically from an Easy VPN Server such as a concentrator
Co-Existence | 4.0 | Allows multiple third-party VPN software clients from Checkpoint, Intel, Microsoft, Nortel, and others to be installed along with the Cisco VPN Client (only supported on Windows 2000 and XP platforms); however, only one VPN session can be up at a time
Compression | 3.0 | Can use LZS compression for dialup users to increase throughput
Dynamic DNS | 3.6 | Sends a VPN Client PC's hostname and DHCP address to a DNS server for dynamic DNS updates
Event Logging | 3.0 | Collects events to assist in troubleshooting
Firewall Integration | 3.1 | Allows the client to integrate with software-based firewall solutions such as Cisco Security Agent, Black Ice, Sygate, and others; the VPN Client also comes with an integrated firewall from Zone Labs, a DLL that provides a simple stateful firewall function. Cisco has enhanced this feature in later software updates: the Cisco Integrated Client (CIC) firewall was introduced in 3.5, firewall access control lists could be pushed from the concentrator to the client's firewall starting in 3.5, and Sygate's firewalls were supported starting in 4.0
IPsec over TCP | 3.5 | Tunnels packets using TCP as a wrapper to work with firewall devices
IPsec over UDP | 3.0 | Tunnels packets using UDP as a wrapper to work with devices performing PAT
NAT-T | 3.6 | Tunnels packets using UDP as a wrapper to work with devices performing PAT
Peer Certificate DN Verification | 3.6 | Prevents the client from connecting to a VPN gateway that has an unexpected certificate: the VPN Client first verifies the domain name of the peer, which can be used to mitigate man-in-the-middle attacks
Set MTU Size | 3.0 | Automatically adjusts the MTU size for remote access VPNs during the installation of the client
Split DNS | 3.6 | Allows DNS resolutions for corporate devices to be sent to corporate DNS servers and other resolutions to the ISP DNS servers
Split Tunneling | 2.x | Allows packets to be sent protected to the Easy VPN Server and in clear text to other destinations
Virtual Adapter | 4.0 | Allows for better application compatibility, especially for applications like H.323 that embed addressing information in IP payloads (remember that the client has two addresses: an internal one from the Easy VPN Server and its NIC address)

 

Cisco VPN Client Installation

The following sections will discuss the installation of the Cisco VPN Client version 4.6 on a Windows platform. I'll discuss the requirements, the actual installation process, and how you, as an administrator, can affect the installation.

Before the Installation

To install the Windows client on your PC, you'll need to be running Windows 98 or later. Depending on the operating system, you'll need either 32MB of RAM for Windows 98, 64MB for Windows NT, ME, and 2000, or 128MB for Windows XP. You'll also need 50MB of disk space.

Note

The Cisco VPN 4.6 client doesn't support Windows 95 and doesn't officially support Windows Server products, including Windows NT, 2000, XP, .NET, and 2003 server platforms; however, I have successfully installed and used the client on the Windows NT and 2000 Server platforms; just don't call Cisco asking for help if you install it on a server platform and have a problem.

To download the Cisco VPN Client installation file from Cisco, you'll need a CCO account with the appropriate privileges. You can freely download the client if you've purchased a Cisco Easy VPN Server product, like a concentrator, a PIX or ASA security appliance, or an IOS-based router (with IPsec support). There are two Windows client installation files you can download from Cisco: one begins with "vpnclient-win-msi-" and the other with "vpnclient-win-is-." The MSI (Microsoft Windows Installer) file is for Windows 2000- and XP-only installations, whereas the IS (InstallShield) file is for all Windows platforms.

Before you begin the installation, you'll need to log in to your PC using an account with Administrator privileges. The client must be installed locally on the hardware; network drive installations are not supported. You also might have to have the correct service pack installed for the operating system; otherwise, the installation will give you an error message and abort the install. For example, the 4.6 client requires that Windows NT have SP6 installed.

You'll also need to gather information to build an IPsec session to an Easy VPN Server, such as the IP address of the Server and the IPsec group name and password for pre-shared keys or installing a certificate for certificate authentication.

Caution

Unless you're running the 4.6 or later client, you should first uninstall any old Cisco VPN Client before installing a new version. If you don't, the new version probably will become corrupted. If you see two lock icons in the Windows taskbar when establishing a VPN connection, then you know you didn't follow my advice and probably will experience strange problems with the software client. In this situation, try uninstalling both clients and then re-install the newer one; however, I have had problems in the past where I've had to contact TAC to assist me with this problem (when I didn't follow my own advice).

 

Installation Process

Once you have downloaded the necessary client file from the Cisco site, you'll need to uncompress it into a temporary directory. If you're using the InstallShield file to perform the installation, you'll need to run the "setup.exe" program to perform the installation; if you're using the MSI file, you'll need to run the "vpclient_en.exe" program. During the installation, you'll need to:

1. Accept the Cisco licensing agreement

2. Specify an installation directory; the default is "C:\Program Files\Cisco Systems\VPN Client"

3. Reboot your PC at the end

Note

If you'll be using hybrid or mutual authentication for your IPsec sessions, your PC will need a root certificate installed. Obtain the root certificate manually from the CA and name it "rootcert," with no extension. Place this file in the installation directory and it will be copied to the correct location on your hard drive. Optionally, you can create a pre-configured installation package that includes this file, but the user will still need to install the root certificate. I discuss the installation of certificates in the "Creating Connections Using Certificates" section later in the chapter.

 

Installation Files

There are four files that can affect the installation process, and three of them are also used during normal operation of the VPN Client: oem.ini, vpnclient.ini, one or more .pcf connection profile files, and the .png image files. The oem.ini file is used only during installation; the other three are used by the client afterward.

For example, if you don't want users to be prompted for anything during the installation, and you don't want them to configure the connection profile to connect to the corporate site after the installation, you can pre-configure the above four files and put them in the same directory as the setup.exe or vpclient_en.exe file. During installation, the oem.ini file is used to control the installation process and the vpnclient.ini and any .pcf and .png files are copied into the client's installation directory. Then, when the user starts up the Cisco VPN Client software, the pre-configured vpnclient.ini, .pcf, and .png files will automatically be used. The following sections will briefly discuss some of the parameters used in these files.

oem.ini File

Example 12-1 shows a sample oem.ini file for the InstallShield process, which can be edited with a text editor. Here are some of the parameters and values found in this file:

Example 12-1. Sample oem.ini File

[Main]
; This section determines whether Kerberos uses TCP or UDP (UDP is
; the default); this is only found in the InstallShield
; installation process
DisableKerberosOverTCP = 1
;
[Brand]
; This section controls window titles during installation process
; and in the installation destination folder for the VPN Client
CompanyText = The Deal Group
ProductText = VPN Client
; CompanyText defaults to "Cisco Systems" and ProductText
; defaults to "VPN Client"
;
[Default]
; This section defines the default bitmaps and icons to use as well
; as setting up a silent installation. The following parameters
; are only found in the Install Shield installation
SilentMode = 1
; When set to 1, specifies that the user is not prompted
; for anything during the installation. A 0 indicates the user
; will be prompted for information during the installation
InstallPath = C:\Program Files\Cisco Systems
; Specifies where the VPN Client should be installed on
; the hard drive
DefGroup = VPN Client
; Specifies the name of the folder that will have the
; client software installed
Reboot = 1
; Specifies whether or not the PC should automatically
; reboot itself at the end of the installation. Setting this
; to 0 causes a reboot dialog window to appear. Setting it to
; 1, and if SilentMode is 1, causes the PC to automatically
; reboot when the installation is done. Setting it to 2, and if
; SilentMode is 2, causes the PC to not reboot upon finishing
; the installation
;
[Dialer]
; This section specifies the bitmaps and icons used by the VPN
; Client software
MainIcon = is_install.ico
; Used by Install Shield only, it specifies shortcuts to the
; vpngui.exe application
AppNameText = Deal Group Dialer
; Specifies the name of the dialer application
AllowSBLLaunches = 0
; Specifies if the client is allowed to launch a third-party
; application before logging in to Windows (1 is yes and 0 is no)
;
[Set MTU]
; This section defines settings for the Set MTU application, which
; allows you to control the MTU settings for NICs
;
AppNameText = MTU Setter Application
; Specifies the name of the Set MTU application
MainIcon = MtuIcon.ico
; Specifies the icon file for the title bar for this application.
; It can be 32x32 or 16x16 pixels with 256 colors.
AutoSetMtu = 1
; Used by Install Shield only, it specifies the setup of the NIC
; automatically with the value defined by SetMtuValue. Setting
; this to 0 does not do this, while setting it to 1 says to
; do this
SetMtuValue = 1300
; Used by Install Shield only, it specifies the default MTU size
; for NICs for the Set MTU application. The default value is
; 1,300, but it can range from 64 to 1,500
VAMtu=1252
; Allows the software to retrieve the value for the VA MTU from
; the oem.ini file. It defaults to 1,500, but can range from 68
; to 1,500. VA stands for Virtual Adapter and is specific to
; Windows 2000 and XP platforms.
MTUAdjustmentOverride = 200
; Used by InstallShield only on Windows NT-based systems, it
; specifies the amount the NIC's MTU is reduced. This can range
; from 0 to 1,300 bytes

In Example 12-1, each section and parameter are explained using comments.

Tip

Normally, the variables in the oem.ini file you would be setting if you didn't want the user to play an active role in the installation are:

Note

For MSI installations, the process is more complex. You need Microsoft ORCA installed on your administrator PC. ORCA is a Windows database table editor for creating and editing Windows Installer packages.

Within ORCA, you must create an oem.mst transform and an oem.ini file with a text editor (the latter was previously described). The configuration of the oem.mst file is beyond the scope of this book. Because this configuration process is more complex than the InstallShield method, I prefer the use of the latter because I can update the installation files easily with a text editor. However, many large Microsoft customers use MSI because it allows for better rollback for system changes, especially those with SMS or Altiris software distribution systems.

 

vpnclient.ini File

The vpnclient.ini file contains the global profile settings for the VPN Client. If you have created one and placed it into the setup.exe or vpclient_en.exe directory, during installation, it is copied automatically to the software installation directory (where the vpngui.exe program is located).

Example 12-2 shows a sample vpnclient.ini file. The format is the same as the oem.ini, in that you have sections, variables, and comments. There are many more parameters than the ones you see in this example, but these are the most common (I've included additional comments to explain some of the parameters).

Example 12-2. Sample vpnclient.ini File

[Main]
RunAtLogon=1
; Specifies that the VPN tunnel is brought up before users
; log in to the Microsoft network. This only applies to Windows
; NT 4.0, 2000, and XP platforms. See the "Windows Login
; Properties" section later for configuration of this in the GUI
StatefulFirewall=0
; The stateful firewall feature is disabled when set to 0. I
; discuss this parameter in more depth in the "Stateful
; Firewall" section later.
AutoInitiationEnable=0
AutoInitiationRetryInterval=1
AutoInitiationList=Corporate
; Auto-initiation is used in wireless environments and
; other environments to dynamically bring up a VPN tunnel.
; This is discussed in more depth in the "Automatic
; Initiation" section later.
EnableLog=1
; Enables the logging functionality for debugging (this is
; enabled by default)
ConnectOnOpen=0
; Initiates a VPN session using the default user profile
; (defined by the DefaultConnectionEntry parameter), when the
; user starts the VPN Client software
[Corporate]
Network=192.168.101.0
Mask=255.255.255.0
Connect=1
ConnectionEntry=POD6
; The above defines a connection profile to use with
; auto-initiation, discussed in the 'Automatic Initiation'
; section later.
[GUI]
; This section defines the properties in the GUI interface of the
; client
MinimizeOnConnect=1
; Minimizes the GUI to a system tray icon when a VPN session
; is made. 1 means minimize and 0 means don't minimize.
UseWindowSettings=1
; Specifies to save the current window settings for the client.
ShowTooltips=0
ShowConnectHistory=1
AccessibilityOption=1
DefaultConnectionEntry=corporate
; Specifies the default connection ".pcf" file to use to connect
; to an Easy VPN Server. In this example, the file is
; "corporate.pcf"
<output omitted>
; The following "Log" parameters set the default properties of the
; client's Log application. I discuss this later in the "Log
; Viewer" section.
LogWindowWidth=450
LogWindowHeight=500
LogWindowX=155
LogWindowY=5
[LOG.IKE]
LogLevel=1
[LOG.CM]
LogLevel=1
<output omitted>

Tip

One additional feature is that if you place an exclamation mark ("!") before a parameter, the user cannot change this parameter in the GUI interface of the client; the user can only view it. This feature is referred to as GUI Locking. It is also available for the connection profile files (.pcf files). Of course, a user could always use a text editor to manipulate the contents of these files. Also, I recommend that you create a template file from the client's GUI interface and then manipulate this with a text editor, because you'll be less likely to make an irreversible editing mistake using this approach.

 

.pcf Files

User profiles are files you create that specify the session properties to use to connect to an Easy VPN Server. Users will need one profile for each destination site they want to connect to. Each profile is stored in a separate file. The name of the file is the name of the session you give it in the GUI, like "corporate," and the file has a ".pcf" extension. These files are stored in a subdirectory called "Profiles" of the client installation.

Tip

You also can create the user profiles manually with a text editor, but I recommend that you create the files from the client's GUI. However, you might want to put a "!" before parameters, within the text file, that you don't want users to change from the GUI.

Example 12-3 shows a sample user profile called "corporate.pcf." Please note that the parameters found in a user profile will differ based on the user's platform, the type of device authentication, the type of access (LAN versus dialup), and other items. Also, if you want to distribute a .pcf file across multiple platforms, the file name cannot contain any spaces.

Example 12-3. Sample User Profile

[main]
Description=Corporate Office Connection
Host=192.1.1.1
; This is the IP address of the Easy VPN Server
AuthType=1
; This specifies the type of authentication: 1 is pre-shared
; keys, 3 is RSA certificates, and 5 is mutual authentication
GroupName=Executives
; This is the group name for pre-shared key authentication
; that the user belongs to
GroupPwd=
enc_GroupPwd=7D34952605CE0882117EB8BF7649FFED7D50F43DDF0EEDFAE0A885A6F0103F0C49CC44D5B15A64A93508B81F17853FF17C79069DEDC062AD
; This is the encrypted password for the group ("enc_GroupPwd")
EnableISPConnect=0
; Connect to the Internet via a dialup connection (1 enables
; this option). In this example I'm using my Ethernet NIC for
; Internet connectivity
ISPConnectType=0
; If set to 0, the ISPConnect parameter is used; if set to 1, the
; ISPCommand parameter is used
ISPConnect=RoadRunner
; This is the name of the Dial-Up Networking Phonebook Entry
; in Microsoft Windows to use for dialup to the Internet
ISPPhonebook=C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk
ISPCommand=
Username=
; This is the name of the user for remote access
SaveUserPassword=0
UserPassword=
enc_UserPassword=
; This is the user's encrypted password (you should define a
; policy for the group on the Easy VPN Server to disallow the
; user from saving their user password locally on their PC)
NTDomain=
; This is the name of the NT domain the user belongs to. It is
; only necessary if the user's group authenticates via a Windows
; NT Domain server
EnableBackup=0
BackupServer=
; These two parameters enable a list of backup servers. Currently
; it is disabled
EnableMSLogon=1
; Specifies that the PC running Windows 98 or ME will log in to a
; Microsoft Network
MSLogonType=0
; If set to 0, the saved Windows login username and password are
; used. If set to 1, the user is prompted for the Windows
; username and password. This only applies to Windows 98 and ME.
EnableNat=1
; If set to 1, transparent tunneling is used to handle IPsec
; traffic through a PAT device
TunnelingMode=0
; If EnableNat is set to 1 and this is 0, then UDP encapsulation
; is used. Otherwise, if this is set to 1, then TCP is used
TcpTunnelingPort=10000
; This is the TCP port used for transparent tunneling with TCP
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
VerifyCertDN=
; The above parameters are used to specify certificate
; information if the device authentication type is
; certificates
PeerTimeout=90
; With DPD, this is the number of seconds the VPN Client will
; wait for a DPD response from the gateway before declaring the
; Server dead
EnableLocalLAN=0
; This allows the user to access the local LAN if it is set to 1.
; Otherwise, the user cannot access the local LAN segment while a
; VPN session is up (the group must also be set up for split
; tunneling to allow local LAN access)
DHGroup=2
; This specifies the Diffie-Hellman group to use: 1, 2, or 5
EnableSplitDNS=0
; If this is set to 1, then split DNS is used: the Easy VPN
; Server will send the DNS server address to use, as well as the
; domain names that will be resolved with it
<output omitted>

Caution

For security reasons, you should not include any security parameters, such as a clear-text pre-shared key for the group, a username, or a clear-text user password, in pre-configured .pcf files. These parameters should be configured from the GUI, which, in turn, encrypts them. Then distribute that pre-configured file with the installation package.
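To catch these problems before a pre-configured profile goes out, here is an added Python example (not from the book or from the Cisco client) that parses the .pcf/vpnclient.ini format shown in Examples 12-2 and 12-3, honours the "!" GUI-locking prefix from the earlier tip, and flags clear-text secrets and other weak settings. The sample profile is constructed for this example, and the list of parameters it expects to be GUI-locked is an assumption of the example, not a Cisco requirement.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample profile in the Example 12-3 layout; the values are
# made up for this example and deliberately include several mistakes.
SAMPLE_PCF = """[main]
Description=Corporate Office Connection
!Host=192.0.2.10
; comment lines start with a semicolon and are ignored
AuthType=1
GroupName=Executives
GroupPwd=letmein
enc_GroupPwd=
SaveUserPassword=1
UserPassword=hunter2
enc_UserPassword=
EnableLocalLAN=1
DHGroup=1
VerifyCertDN=
"""

# Parameters that should appear only in encrypted (enc_*) form in a
# distributed profile, as the chapter's caution says.
CLEARTEXT_SECRETS = ("GroupPwd", "UserPassword")
# Parameters this example assumes an administrator pins with the "!"
# GUI-locking prefix so users cannot change them in the client GUI.
SHOULD_BE_LOCKED = ("Host", "GroupName", "AuthType", "EnableLocalLAN")


def parse_profile(text: str) -> Tuple[Dict[str, Dict[str, str]], Dict[str, Set[str]]]:
    """Parse .pcf/vpnclient.ini text into (sections, locked): sections maps
    section -> {parameter: value}; locked maps section -> "!"-prefixed names."""
    sections: Dict[str, Dict[str, str]] = {}
    locked: Dict[str, Set[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or ; comment
        match = re.match(r"^\[(.+)\]$", line)
        if match:
            current = match.group(1)
            sections.setdefault(current, {})
            locked.setdefault(current, set())
            continue
        if current is None or "=" not in line:
            continue                      # stray text outside a section
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith("!"):           # GUI-locked parameter
            key = key[1:]
            locked[current].add(key)
        sections[current][key] = value
    return sections, locked


def audit_profile(text: str) -> List[str]:
    """Return human-readable findings for a profile about to be distributed."""
    sections, locked = parse_profile(text)
    main = sections.get("main", {})
    main_locked = locked.get("main", set())
    findings: List[str] = []
    for name in CLEARTEXT_SECRETS:
        if main.get(name):
            findings.append(f"{name} is stored in clear text; set it from the GUI so only enc_{name} is written")
    if main.get("SaveUserPassword") == "1":
        findings.append("SaveUserPassword=1 lets the user cache the user password on disk")
    if main.get("EnableLocalLAN") == "1":
        findings.append("EnableLocalLAN=1 allows local LAN access while the tunnel is up")
    if main.get("DHGroup") == "1":
        findings.append("DHGroup=1 (768-bit MODP) is the weakest group the client offers")
    if main.get("AuthType") in ("3", "5") and not main.get("VerifyCertDN"):
        findings.append("certificate authentication without VerifyCertDN: peer DN is not checked")
    for name in SHOULD_BE_LOCKED:
        if name in main and name not in main_locked:
            findings.append(f"{name} is not GUI-locked; prefix it with '!' to make it read-only")
    return findings
```

Running audit_profile over the sample reports eight findings; a profile whose secrets are only in enc_* form and whose pinned parameters carry "!" returns an empty list.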

 

Image Files

There are many image files the VPN Client uses to display graphical information. These files are located in the "Resources" subdirectory of the installation. You can change any of them, but you must keep the same names. The one most often changed is called "splash_screen.png," which displays an image for 25 seconds when the client starts. The installed file shows a Cisco logo and copyright information; some versions also display the product name and the client version. You can replace this file with a company logo if you choose.
