Cisco Systems VPN 3000 Client -- Solaris

Uninstalling an Old Client

This section describes how to uninstall the VPN client.

You must uninstall an old VPN client for Solaris before you install a new VPN client.

Uninstalling a VPN Client for Solaris

To uninstall the VPN client for Solaris:

If a VPN client for Solaris was previously installed, you must remove the old VPN client before you install a new one.

To uninstall a package, use the pkgrm command. For example:

pkgrm vpnclient

Solaris System Requirements

The VPN client for Solaris runs on any UltraSPARC computer running a 32-bit or 64-bit Solaris kernel OS Version 2.6 or later.

Changing a Kernel Version

You can install the VPN client running the 32-bit or 64-bit version of the kernel (referred to as 32-bit mode and 64-bit mode). If you experience problems installing or running the VPN client in one mode, try the other one.

To see which mode the system is running in, enter this command:

isainfo -kv

If the cipsec module is loaded correctly, the dmesg log displays a message similar to the following:

Oct 29 11:09:54 sol-2062 cipsec: [ID 952494 kern.notice] Cisco Unity IPSec Module Load OK

---------------------------------------------------------------------------------------------------
Note If the dmesg log does not show the cipsec log message, you should switch to the other mode.
---------------------------------------------------------------------------------------------------

To switch to 32-bit mode:

Temporarily: Enter the following command (ok is the system prompt):

ok boot kernel/unix

Permanently: Enter the following command as root, then restart your computer:

eeprom boot-file=/platform/sun4u/kernel/unix

To switch to 64-bit mode:

Temporarily: Enter the following command (ok is the system prompt):

ok boot kernel/sparcv9/unix

Permanently: Enter the following command as root, then restart your computer:

eeprom boot-file=/platform/sun4u/kernel/sparcv9/unix


Unpacking the VPN Client Files

The VPN client is shipped as a compressed tar file.

For Solaris, there are two available VPN client files. Make sure that you have the correct installation file for your operating system.

The installation file for Solaris 5.6 and Solaris 7 is named:

vpnclient-solaris5.6-3.5.xxx-K9.tar.Z

The installation file for Solaris 8 is named:

vpnclient-solaris5.8-3.5.xxx-K9.tar.Z

To unpack the files

Step 1 Download the packed files, either from your internal network or the Cisco website, to a directory of your choice.

Step 2 Copy the VPN client file to a selected directory.

Step 3 Unpack the file using the zcat and tar commands.

For example, the command for Linux is:

The command for SPARC Solaris is:

zcat vpnclient-solaris5.8-3.5.xxx-K9.tar.Z | tar xvf -

This command creates the vpnclient directory in the current directory.


Installing the VPN Client for Solaris

Before you install a new version of the VPN client, or before you re-install your current version, you must uninstall the old VPN client.

To install the VPN client for Solaris

Step 1 Obtain superuser privileges to run the install script.

Step 2 Enter the following command:

pkgadd -d . vpnclient

Step 3 At the prompt, choose a directory in which to install the VPN client applications.

Use the default directory (by pressing Enter), or choose a directory in your user's path.

Step 4 Respond Yes to any other prompts to complete the installation.

Step 5 Reboot your computer.

VPN Client for Solaris Install Script Notes



During the installation process:

1. The following line is added to the /etc/iu.ap file to enable the autopush facility at startup:

hme -1 0 cipsec

2. The VPN module is copied to the /kernel/strmod directory, which is in the system's module search path.

The pkginfo command provides information about the installed packages. For more information on other package-related commands, enter:

man pkgadd
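
The cipsec load notice quoted earlier and the two install-time changes listed here can be checked together after the reboot. The script below is an added example, not part of Cisco's installer or the original page; it is written for a POSIX sh, and the module file name cipsec under /kernel/strmod is an assumption.

```sh
#!/bin/sh
# Added example: confirm the three changes the install notes describe.
# Inputs are arguments so the checks also work on saved copies of the files.

# True if the dmesg text on stdin carries the cipsec "Load OK" notice.
cipsec_loaded() {
    grep 'cipsec:.*IPSec Module Load OK' >/dev/null
}

# True if autopush file $1 has an hme entry whose module list names cipsec.
autopush_configured() {
    awk '$1 == "hme" { for (i = 4; i <= NF; i++) if ($i == "cipsec") ok = 1 }
         END { exit !ok }' "$1"
}

# True if module file $1 exists and is not group- or world-writable.
module_file_safe() {
    [ -f "$1" ] || return 1
    writable=$(find "$1" \( -perm -020 -o -perm -002 \) -print)
    [ -z "$writable" ]
}

# $1 = saved dmesg output, $2 = autopush file, $3 = module file.
# Prints one line per check; returns non-zero if any check fails.
verify_install() {
    rc=0
    cipsec_loaded < "$1" && echo "OK   cipsec load notice found" ||
        { echo "FAIL no cipsec load notice (try the other kernel mode)"; rc=1; }
    autopush_configured "$2" && echo "OK   autopush entry found" ||
        { echo "FAIL no hme/cipsec line in $2"; rc=1; }
    module_file_safe "$3" && echo "OK   module file present, not group/world-writable" ||
        { echo "FAIL $3 missing or group/world-writable"; rc=1; }
    return $rc
}

# Constructed sample: the two lines written below are the ones quoted on this page.
# On a real host: dmesg > dmesg.txt; verify_install dmesg.txt /etc/iu.ap /kernel/strmod/cipsec
# (the file name "cipsec" under /kernel/strmod is an assumption).
demo=${TMPDIR:-/tmp}/cipsec-demo.$$
mkdir "$demo"
echo 'Oct 29 11:09:54 sol-2062 cipsec: [ID 952494 kern.notice] Cisco Unity IPSec Module Load OK' > "$demo/dmesg"
echo 'hme -1 0 cipsec' > "$demo/iu.ap"
: > "$demo/cipsec" && chmod 644 "$demo/cipsec"
verify_install "$demo/dmesg" "$demo/iu.ap" "$demo/cipsec"
rm -rf "$demo"
```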

User Profiles
There are two ways to create a user profile:

Use a text editor to modify the sample profile that comes with the VPN client installer and rename it.

Create a unique user profile using a text editor.

User profiles have a .pcf file extension and reside in the default directory, /etc/CiscoSystemsVPNClient/Profiles/.

There is only one user profile per connection.


Tip: User profiles for the VPN client are interchangeable between platforms.


Sample Profile

The VPN client software is shipped with a sample user profile. The file is named sample.pcf and is located in /etc/CiscoSystemsVPNClient/Profiles/.

The following is an example of a sample user profile that might be shipped with your installer.

[main]
Description= MCCCD VPN
Host=10.7.44.1 (Change to the MCCCD VPN Host name)
AuthType=1
GroupName= MCCCD VPN Group Name
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=gawf
SaveUserPassword=0
EnableBackup=0
BackupServer=
EnableNat=0
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
DHGroup=2
ForceKeepAlives=0


To modify the sample profile


Step 1 Using a text editor, open the sample user profile.

Step 2 Modify the keywords you want to change.

See your administrator for IP addresses, user name, and any security information.

Step 3 Save your new profile with a unique name in the /etc/CiscoSystemsVPNClient/Profiles/ directory.

When you use the vpnclient connect command to establish a connection, use your new profilename.
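
Profiles are plain text files that can hold saved credentials and that decide which Host the client connects to, so they are worth auditing after editing. The following is an added example, not part of the VPN client; it assumes SaveUserPassword=0 means the password is not saved, treats any other keyword whose name contains Password or Pwd as a stored secret, and uses enc_UserPassword (a keyword not shown in the sample above) in its constructed input.

```sh
#!/bin/sh
# Added example: audit .pcf profiles for secrets left on disk and for
# permissions that let other local users edit where the client connects.

# Print findings for profile $1; return 1 if there are any.
audit_profile() {
    found=0
    awk '
        { sub(/\r$/, "") }                 # tolerate CRLF from other platforms
        /^[ \t]*[;#]/ || !/=/ { next }     # skip comments, [main], blank lines
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            lk = tolower(key)
            if (lk == "saveuserpassword") {
                if (val != "0") { print FILENAME ": SaveUserPassword=" val; bad = 1 }
            } else if (lk ~ /password|pwd/ && val != "") {
                print FILENAME ": " key " has a stored value"; bad = 1
            }
        }
        END { exit bad + 0 }' "$1" || found=1
    if [ -n "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$1: writable by group or others"; found=1
    fi
    return $found
}

# Audit every .pcf file in directory $1 (default: the location given above).
audit_profiles() {
    any=0
    for f in "${1:-/etc/CiscoSystemsVPNClient/Profiles}"/*.pcf; do
        [ -f "$f" ] || continue
        audit_profile "$f" || any=1
    done
    return $any
}

# Constructed sample based on the sample profile; enc_UserPassword is not
# a keyword shown on this page.
demo=${TMPDIR:-/tmp}/pcf-demo.$$
mkdir "$demo"
printf '%s\n' '[main]' 'Host=10.7.44.1' 'AuthType=1' 'Username=gawf' \
    'SaveUserPassword=1' 'enc_UserPassword=CONSTRUCTED' > "$demo/demo.pcf"
chmod 644 "$demo/demo.pcf"
audit_profiles "$demo" || echo "review the findings above"
rm -rf "$demo"
```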


Displaying a List of VPN Client Commands


To display a list of available VPN client commands, go to the directory that contains the VPN client software and enter the vpnclient command at the command line prompt.

The following example shows the command and the information that is displayed.

%vpnclient
Cisco Systems VPN Client Version 3.0.7
Copyright (C) 1998-2001 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686

Usage:
vpnclient connect profilename [nocertpwd] [eraseuserpwd]
vpnclient disconnect
vpnclient stat [reset] [traffic] [tunnel] [route] [repeat]

To establish a connection, enter the following command:

vpnclient connect profilename [nocertpwd] [eraseuserpwd]

Profilename is the name of the user profile configured for this user (.pcf file). This parameter is required. Enter your profilename without the .pcf file extension. If your profilename contains spaces, enclose it in double quotation marks on the command line.

If your user profile is configured with the SaveUserPassword keyword set to the default, the password is saved locally. The eraseuserpwd keyword erases the user password that is saved on the VPN client workstation, forcing the VPN client to prompt you for a password. The eraseuserpwd keyword is an optional parameter that returns the VPN client to a state that requires you to enter a password each time you try to establish a connection.

The nocertpwd keyword suppresses the prompt for a certificate password.

For more information on profilename keywords, see the "User Profile Keywords" section.

Depending on the parameters that have been configured in your user profile, you are prompted for the following passwords:

Group password

User name

User password

If your VPN client has been configured to use SecurID or RADIUS authentication, you are prompted for those passwords.

See your administrator for any security information.

When the connection is established, the VPN Client window stays in the foreground to allow the VPN client to be reauthenticated during a rekey by the VPN device. To send the VPN Client window to the background, press Ctrl-Z followed by the bg command at the command line prompt.

Disconnecting the VPN Client

To disconnect from your session, use one of the following methods:

Enter the following command:

vpnclient disconnect

The following example shows the command that disconnects you from your secure connection and the prompt that appears when you are not connected.

vpnclient disconnect
Disconnecting the IPSEC link.
Your IPSec link is not connected.

Press Ctrl-C while you are in the VPN Client window.


Displaying VPN Client Statistics

To generate status information about your connection, enter the following command:

vpnclient stat [reset][traffic][tunnel][route][repeat]

If you enter this command without any of the optional parameters, the vpnclient stat command displays all status information. The optional parameters are described in Table 4-1.

Table 4-1: Optional Parameters to the VPN Client Stat Command

Parameter   Description
reset       Restarts all connection counts from zero.
traffic     Displays a summary of bytes in and out, packets encrypted and decrypted, and packets discarded.
tunnel      Displays IPSec tunneling information.
route       Displays configured routes.
repeat      Provides a continuous display, refreshing it every few seconds. To end the display, press Ctrl-C.


Examples

This section shows examples of output from the different options for the vpnclient stat command.

No Options
The following is a sample output from the vpnclient stat command with no
options.

vpnclient stat
IPSec tunnel information.
Client address: 209.154.64.50
Server address: 10.10.32.32
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is active on port 5000

VPN traffic summary.
Time connected: 0 day<s>, 00:18.32
Bytes out: 3420
Bytes in: 3538
Packets encrypted: 23
Packets decrypted: 57
Packets bypassed: 102
Packets discarded: 988

Configured routes
Secured   Network Destination   Netmask           Bytes
*         10.10.32.32           255.255.255.255   7638
*         0.0.0.0               0.0.0.0           1899

Reset Option
To reset all connection counters, use the vpnclient stat reset command.

vpnclient stat reset
Tunnel statistics have been reset.

Traffic Option
The following is a sample output from the vpnclient stat command with the
traffic option.

vpnclient stat traffic
VPN traffic summary
Time connected: 0 day<s>, 00:30:04
Bytes out: 5460
Bytes in: 6090
Packets encrypted: 39
Packets decrypted: 91
Packets bypassed: 159
Packets discarded: 1608

Tunnel Option
The following is a sample output from the vpnclient stat command with the
tunnel option. The vpnclient stat tunnel command shows only tunneling
information.

vpnclient stat tunnel
IPSec tunnel information.
Client address: 220.111.22.30
Server address: 10.10.10.1
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
IP Compression: None
NAT passthrough is active on port 5000

Route Option
The following is a sample output from the vpnclient stat command with the
route option.

vpnclient stat route
Configured routes
Secured   Network Destination   Netmask           Bytes
*         10.10.02.02           255.255.255.255   17638
*         0.0.0.0               0.0.0.0           18998
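
For logging or monitoring, the stat output shown above can be reduced to key=value lines and compared with the tunnel settings the administrator expects. This is an added example, not part of the VPN client; it assumes a * in the Secured column marks a tunneled route, expects the full output of vpnclient stat with no options, and uses sample input copied from the outputs on this page.

```sh
#!/bin/sh
# Added example: reduce `vpnclient stat` text to key=value lines and compare
# the negotiated tunnel with the values the administrator expects.

# stdin: vpnclient stat output; stdout: one key=value line per field.
stat_to_kv() {
    awk '
        /^[ \t]*[A-Za-z][A-Za-z ]*:[ \t]/ {
            key = tolower(substr($0, 1, index($0, ":") - 1))
            gsub(/^[ \t]+/, "", key); gsub(/ /, "_", key)
            val = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print key "=" val
        }
        $1 == "*" && NF >= 3 { print "secured_route=" $2 "/" $3 }'
}

# $1 = expected Encryption, $2 = expected Authentication; stdin as above.
# Prints findings and returns 1 if there are any.
check_tunnel() {
    stat_to_kv | awk -v enc="encryption=$1" -v auth="authentication=$2" '
        /^encryption=/     { seen = 1; if ($0 != enc) { print "unexpected " $0; bad = 1 } }
        /^authentication=/ { if ($0 != auth) { print "unexpected " $0; bad = 1 } }
        $0 == "secured_route=0.0.0.0/0.0.0.0" { full = 1 }
        END {
            if (!seen) { print "no tunnel information (not connected?)"; bad = 1 }
            else if (!full) { print "default route is not secured"; bad = 1 }
            exit bad + 0
        }'
}

# Sample input copied from the outputs shown on this page.
sample_stat() {
    cat <<'EOF'
IPSec tunnel information.
Client address: 209.154.64.50
Server address: 10.10.32.32
Encryption: 168-bit 3-DES
Authentication: HMAC-MD5
Packets discarded: 988
Configured routes
Secured Network Destination Netmask Bytes
* 10.10.32.32 255.255.255.255 7638
* 0.0.0.0 0.0.0.0 1899
EOF
}

sample_stat | stat_to_kv
sample_stat | check_tunnel "168-bit 3-DES" "HMAC-MD5" && echo "tunnel as expected"
```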

Getting Additional Help

Please contact the Help Desk if you have any questions, via email at helpdesk@domail.maricopa.edu or by calling (480) 731-8632.