Cisco VPN Client Readme file
============================

This file describes the contents of the Cisco VPN Client files for the
Linux platform.

Refer to the Bug Navigator on Cisco Connection Online for open issues:
http://www.cisco.com/support/bugtools/bugtool.shtml

Revision: Release 4.7.00.0640

Files:
  vpnclient-linux-4.7.00.0640-k9.tar.gz
  vpnclient-linux-x86_64-4.7.00.0640-k9.tar.gz

Contents:

New Features:

  Two new Certificate features have been added to dynamically map a
  Certificate to a profile without manual selection by the user. See the
  Certificate notes at the end of this document for details.

Versioning Notes:

  This release is a Beta for the VPN Client installed on biarch* Linux
  systems for x86_64 platforms. The client is NOT compatible with pure
  64-bit operating systems. The client operates on both 32-bit i386 and
  biarch x86_64 operating systems. On i386 32-bit operating systems, this
  release is not considered a Beta.

  The VPN Client now requires GLIBC_2.2 and libstdc++.so.5. Distributions
  like RedHat 9 and SuSe 9 comply with these requirements.

  * biarch = 64-bit kernel that allows execution of 32-bit applications.

  This is expected to be the last release of the non-x86 version of the
  Linux VPN Client. The non-x86 version supports platforms that do not
  have GLIBC_2.2 and libstdc++.so.5 (such as versions prior to RedHat 9
  and SuSe 9).

Resolved Issues
  CSCei11123  unity autoinit does not close files
  CSCei30280  unity certificate fall through for profile attributes failover
  CSCei43419  unity nonwindows append split dns list to search list option

Unresolved Issues
  CSCei03756  unity application unable to communicate error message

Revision: Release 4.6 Rel

Files:
  vpnclient-linux-x86_64-4.6.03.0190.Rel-k9.tar.gz

Contents:
  - See Release Notes for Release 4.6 Rel at:
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/index.htm

Certificate Matching Details:

1. Certificate Distinguished Name Matching

   Profile Keyword: CertMatchDN

   Description: This parameter specifies the wildcard string used to match
   and select a particular certificate by its Distinguished Name, in the
   given certificate store, during a connection attempt. If multiple
   certificates are matched by the wildcard string, the first certificate
   that satisfies the wildcard string is chosen. The value of this
   parameter is a pseudo-regular expression whose format is identical to
   that of the VerifyCertDN profile keyword.

   Valid keywords for the wildcard string are:

     "CN"           SubjectCommonName
     "SN"           SubjectSurName
     "GN"           SubjectGivenName
     "N"            SubjectUnstructName
     "I"            SubjectInitials
     "GENQ"         SubjectGenQualifier
     "DNQ"          SubjectDnQualifier
     "C"            SubjectCountry
     "L"            SubjectCity
     "SP"           SubjectState
     "ST"           SubjectState
     "O"            SubjectCompany
     "OU"           SubjectDept
     "T"            SubjectTitle
     "EA"           SubjectEmailAddr
     "ISSUER-CN"    IssuerCommonName
     "ISSUER-SN"    IssuerSurName
     "ISSUER-GN"    IssuerGivenName
     "ISSUER-N"     IssuerUnstructName
     "ISSUER-I"     IssuerInitials
     "ISSUER-GENQ"  IssuerGenQualifier
     "ISSUER-DNQ"   IssuerDnQualifier
     "ISSUER-C"     IssuerCountry
     "ISSUER-L"     IssuerCity
     "ISSUER-SP"    IssuerState
     "ISSUER-ST"    IssuerState
     "ISSUER-O"     IssuerCompany
     "ISSUER-OU"    IssuerDept
     "ISSUER-T"     IssuerTitle
     "ISSUER-EA"    IssuerEmailAddr

   Example:

     CertMatchDN=CN="ID Cert",OU*"Cisco",ISSUER-CN!="Entrust",ISSUER-OU!*"wonderland"

     CN="ID Cert"            -- Specifies an exact match on the CN.
     OU*"Cisco"              -- Specifies any OU that contains the string "Cisco".
     ISSUER-CN!="Entrust"    -- Specifies that the Issuer CN must not equal "Entrust".
     ISSUER-OU!*"wonderland" -- Specifies that the Issuer OU must not contain "wonderland".

2. Certificate Key Usage

   vpnclient.ini [Main] keyword: CertificateKeyUsage

   Description: This global parameter restricts the usage of Certificates
   from all stores to only those with the following Certificate Key Usage
   parameters: Digital Signature or Non-Repudiation.

   If "CertificateKeyUsage=1" is set when the client is launched, only
   Certificates with the proper key usage are displayed under the
   Certificates tab. Also, profiles configured to use Certificates that do
   not have the proper key usage receive an error that the Certificate
   cannot be found.

   The default for this keyword is "CertificateKeyUsage=0", which allows
   all available Certificates to be selected and used.

   This keyword overrides all other Certificate matching criteria, such as
   CertMatchDN.

3. Certificate Fall Through

   This behavior is implicit and does not have any profile keyword
   associated with it. For a given connection attempt, a certificate can be
   selected using one or more of the four keywords given below (in order of
   precedence).

     a) CertSerialHash
     b) CertMatchDN
     c) CertSubjectName
     d) CertName

   If the client cannot find a cert in the given cert store using all four
   Certificate keywords noted above, the connection attempt fails.

   Sample profile:

     [Main]
     Host=10.10.10.10
     AuthType=3
     CertStore=2
     !UserName=
     !UserPassword=
     CertMatchDN=issuer-ou*"vpn group",ea*"Cisco.com"
     !CertSerialHash=

# Firewall configuration written by Cisco Systems
# Designed for the Linux VPN Client 4.7.00.0640 Virtual Adapter
# Blocks ALL traffic on eth0 except for tunneled traffic
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow all traffic in both directions through the VA adapter
-A INPUT -i cipsec0 -j ACCEPT
-A OUTPUT -o cipsec0 -j ACCEPT
# Accept all encrypted VPN Client traffic in either direction on eth0
-A INPUT -i eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 1024: -d 0/0 --dport 29747 -j ACCEPT
# Block all other traffic in either direction on eth0
-A INPUT -i eth0 -j REJECT
-A OUTPUT -o eth0 -j REJECT
COMMIT
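The following Python script is an added example, not part of the Cisco readme or the VPN Client code: it implements the CertMatchDN clause grammar from section 1 (exact, contains, not-equal and not-contains tests against the Subject and Issuer keywords) and the first-match selection the description gives, and it rejects a malformed clause rather than silently dropping it, since a dropped clause would widen which certificate gets picked. The certificate store is constructed, and case-insensitive comparison of attribute values is an assumption.

```python
import re

# One clause: KEYWORD, operator, quoted value. Operators from the readme: '=' exact,
# '*' contains, '!=' not equal, '!*' does not contain.
_CLAUSE = re.compile(r'\s*([A-Za-z-]+)\s*(!=|!\*|=|\*)\s*"([^"]*)"\s*')


def parse_cert_match_dn(expr):
    """Split a CertMatchDN value into (keyword, operator, value) tuples. The whole
    string must parse: a clause that does not fit the grammar raises, not drops."""
    clauses, pos = [], 0
    while pos < len(expr):
        m = _CLAUSE.match(expr, pos)
        if not m:
            raise ValueError(f"malformed CertMatchDN clause at {expr[pos:]!r}")
        clauses.append((m.group(1).upper(), m.group(2), m.group(3)))
        pos = m.end()
        if pos < len(expr):
            if expr[pos] != ",":
                raise ValueError(f"expected ',' at {expr[pos:]!r}")
            pos += 1
    return clauses


def clause_matches(cert, keyword, op, value):
    # Assumption: values compare case-insensitively; a DN attribute the certificate
    # lacks compares as the empty string, so '=' and '*' fail and '!=' / '!*' pass.
    actual, wanted = cert.get(keyword, "").lower(), value.lower()
    if op == "=":
        return actual == wanted
    if op == "*":
        return wanted in actual
    if op == "!=":
        return actual != wanted
    return wanted not in actual  # "!*"


def select_certificate(expr, store):
    """Return the first certificate (in store order) satisfying every clause, or None."""
    clauses = parse_cert_match_dn(expr)
    for cert in store:
        if all(clause_matches(cert, k, op, v) for k, op, v in clauses):
            return cert
    return None


# Constructed sample store: each certificate reduced to the DN attributes the keywords name.
STORE = [
    {"CN": "ID Cert", "OU": "Cisco Support", "ISSUER-CN": "Entrust", "ISSUER-OU": "vpn group", "EA": "alice@cisco.com"},
    {"CN": "ID Cert", "OU": "Cisco Field", "ISSUER-CN": "Corp CA", "ISSUER-OU": "vpn group", "EA": "bob@cisco.com"},
    {"CN": "Lab", "OU": "Cisco Lab", "ISSUER-CN": "Corp CA", "ISSUER-OU": "wonderland", "EA": "lab@example.net"},
]
```

Running the readme's own example string against this store skips the Entrust-issued certificate and returns the second one; the sample profile's string returns the first certificate, because it is the first in store order that satisfies every clause.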