Cisco VPN Client Version 4.0

As of this writing, the exam focuses on the later 3.x releases of the Cisco Unity Client. However, it is worth mentioning that the new 4.x versions of the Cisco VPN Client for Windows have a different user interface than their predecessors. This new graphical interface is comparable in appearance to the Cisco VPN Client for Mac OS X introduced in version 3.7. This section briefly explores some of the alterations that were made to the Unity Client's interface for future revisions of the CSVPN exam.

Aside from the capability to coexist with other OEM VPN clients and the addition of a Cisco virtual adapter that appears in the station's network properties, there are not too many functional enhancements to the earlier releases of the 4.x Unity Client. However, the display and location of the client's utilities are considerably different from the 3.x versions of the Cisco VPN Client for Windows. To illustrate this point, Figure 10.14 displays the new graphical user interface of the 4.x client.

Figure 10.14. VPN Client configuration window.


The first noticeable difference is that the connection entry application is now simply called VPN Client, as opposed to the VPN Dialer application of old. Here you are presented with all your created connection profiles with the default profile (the one that will be used when you hit the Connect button, unless otherwise specified) displayed in bold text. Also, notice that the Certificate Manager and the Log Viewer applications are now incorporated into the VPN Client user interface application in the additional Certificates and Log tabs.

When creating or modifying a new connection entry, the configuration screen displayed has the same functions as previous versions; however, the locations of the fields have been altered as illustrated in Figure 10.15.

Figure 10.15. New or Modify connection entry configuration window.


Note that there are now four connection entry tabs: Authentication, Transport, Backup Servers, and Dial-Up. The top of the Properties window enables you to create the connection entry name and description (formerly located in the General tab), as well as the hostname or IP address of the IPSec gateway to which the client will connect. The Authentication tab is practically identical to the Authentication tab of the 3.x Unity Clients, in which you either specify a group name and password for preshared keys, or choose an existing identity certificate in the pull-down menu. The remaining parameters from the 3.x General tab reside on the new Transport tab.

Here you can define the preferred NAT Transparency method, local LAN access, and DPD timer. Lastly, the Connection tab of old has been split into the Backup Servers tab and the Dial-Up tab. As their names state, the Backup Servers tab contains the backup concentrator list that is manually configured or supplied by the concentrator, and the Dial-Up tab holds the fields to specify a DUN entry or a third-party dialing entry for connectivity to the Internet.

After you are connected, you can still view statistics for that session by selecting the VPN Client's Statistics option (as opposed to Status) in the systray icon or in the VPN Client window. Again, you are presented with a similar output, but the naming convention for the statistics tabs has changed, as shown in Figure 10.16. The three Connection Status tabs (General, Statistics, and Firewall) have been changed to Tunnel Details, Route Details, and Firewall, respectively.

Figure 10.16. VPN Client Statistics window.


Tip: Recall that version 4.x actually installs a virtual interface on the operating system. As such, these versions enable you to display VPN addresses and networks in the computer's routing table and in the output of the ipconfig or winipcfg utilities.


One of the most significant changes in the 4.x version of the Cisco VPN Client resides behind the scenes in the vpnclient.ini global profile. There are several residual entries in this file that are similar to the previous versions (auto-initiate, stateful firewall, and so on); however, you can configure several new options in this file that cannot be manipulated in the GUI configuration windows. You can modify the settings in this file and make them part of a standard client installation (with the oem.ini file). To illustrate some of these additions, Listing 10.3 displays a modified output of a 4.x vpnclient.ini file.

Listing 10.3 Sample Output of 4.x vpnclient.ini
[main]
RunAtLogon=1
DialerDisconnect=1
AutoInitiationEnable=1
AutoInitiationRetryInterval=1
AutoInitiationList=techsupport
StatefulFirewall=0
StatefulFirewallAllowICMP=1

[techsupport]
Network=192.168.100.0
Mask=255.255.255.0
ConnectionEntry=The Farm

[NetLogin]
Force=1
Wait=15
DefaultMsg=You will be logged off in 15 seconds
Separator=**************************************

[GUI]
WindowWidth=578
WindowHeight=367
WindowX=324
WindowY=112
VisibleTab=0
ConnectionAttribute=0
AdvancedView=1
DefaultConnectionEntry=ACME
MinimizeOnConnect=1
UseWindowSettings=1
ShowToolTips=1
ShowConnectHistory=1

In this example, the VPN client still auto-initiates a VPN tunnel by using the "The Farm" profile when it receives an IP address in the 192.168.100.0 network. Notice that the integrated CIC stateful firewall contains an additional entry (StatefulFirewallAllowICMP=1) that allows ICMP through the firewall. In addition, the [NetLogin] section of this file enables a feature called Force Network Login, which forces Windows NT, 2000, and XP users to log off the PC and log back in. After they log back into the PC, the VPN tunnel reestablishes itself automatically. This is a very useful utility that ensures that the user connecting the tunnel to the network has a valid account on the PC. This prevents "piggy backers" from initiating a tunnel connection if the station's user is away and did not lock his or her PC. Finally, notice that the [GUI] division of this file contains attributes with which you can change the appearance settings of the GUI. Namely, the AdvancedView=1 line entry makes the Advanced View interface the default GUI (refer back to Figure 10.14); the alternative is a condensed interface called Simple View (Figure 10.17), which presents users with the minimum options necessary to get them to connect the tunnel. This handy feature enables administrators to make tunnel connections easier for non-technical users, as well as to keep them out of trouble by hiding options that could cause users to "accidentally" change or delete entries. This view can be toggled in the GUI; however, the vpnclient.ini global profile can make this the default when users open the VPN Client application.
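The following is an added example, not part of the original text or of Cisco's software: a short Python check an administrator could run over a vpnclient.ini before packaging it, resolving which connection entry auto-initiates for a given client address and listing the firewall and Force Network Login settings discussed above. The function names are hypothetical, and it assumes that a value of 1 means "on" and that AutoInitiationList is a comma-separated list of section names.

```python
import configparser
import ipaddress

# Constructed sample: the security-relevant entries of Listing 10.3.
# Assumed here: 1 means "on"; AutoInitiationList is comma-separated.
SAMPLE_INI = """\
[main]
AutoInitiationEnable=1
AutoInitiationList=techsupport
StatefulFirewall=0
StatefulFirewallAllowICMP=1
[techsupport]
Network=192.168.100.0
Mask=255.255.255.0
ConnectionEntry=The Farm
[NetLogin]
Force=1
"""

def load_profile(text):
    cp = configparser.ConfigParser(interpolation=None)  # values are literal
    cp.read_string(text)
    return cp

def auto_initiation_entry(cp, client_ip):
    """Connection entry that auto-initiates for client_ip, or None."""
    main = cp["main"]
    if main.get("AutoInitiationEnable", "0") != "1":
        return None
    ip = ipaddress.ip_address(client_ip)
    for name in main.get("AutoInitiationList", "").split(","):
        name = name.strip()
        if not cp.has_section(name):
            continue  # list names a section the file does not define
        sec = cp[name]
        net = ipaddress.ip_network(f"{sec['Network']}/{sec['Mask']}", strict=False)
        if ip in net:
            return sec.get("ConnectionEntry")
    return None

def review(cp):
    """Settings a reviewer would check before the profile ships."""
    main, findings = cp["main"], []
    if main.get("StatefulFirewall", "0") != "1":
        findings.append("StatefulFirewall is off")
    if main.get("StatefulFirewallAllowICMP", "0") == "1":
        findings.append("ICMP is allowed through the stateful firewall")
    if not cp.has_section("NetLogin") or cp["NetLogin"].get("Force", "0") != "1":
        findings.append("Force Network Login is not enabled")
    return findings
```
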

Figure 10.17. VPN Client Simple View.




CSVPN Exam Cram 2 (Exam 642-511)
CCSP CSVPN Exam Cram 2 (Exam Cram 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185
