
Creating IPSec VPNs with the OfficeConnect Cable/DSL Secure Gateway

This document describes in detail the steps needed to configure the OfficeConnect Cable/DSL Secure Gateway to interoperate with:
- OfficeConnect Cable/DSL Secure Gateway
- SuperStack 3 Firewall
- Safenet SoftPK VPN Client
- SSH Sentinel VPN Client
- 3Com Firewall VPN application (allows the XP VPN client to be used)

Configuring VPN tunnels should not be done until it has been ensured that both ends of the tunnel are correctly configured for Internet access (i.e. both sites can access the Internet).

Configuring a VPN tunnel between two OfficeConnect Cable/DSL Secure Gateways

[Figure 1 diagram: Network 1 and Gateway 1 on the left, the Internet in the middle, Gateway 2 and Network 2 on the right]

Figure 1 Two OfficeConnect Cable/DSL Secure Gateways connecting via the Internet

Configuring Gateway 1

Figure 2 IPSec Connections on the OfficeConnect Cable/DSL Secure Gateway

1. Select the IPSec Server radio button. The screen will change to reflect this selection.
2. Click on the IPSec Connections tab at the top of the page.
3. Click on the New button on the right of the screen; a pop-up window will appear.

Figure 3 Configuring an IPSec VPN on the OfficeConnect Cable/DSL Secure Gateway

4. Enter the WAN IP address of Gateway 2 in the Connection Name field. This is important, as it will ensure that the Gateway works in the correct mode!
5. Enter a description of the Security Association to remind you what the connection is (up to 128 characters).
6. Select Gateway-to-Gateway as the Connection Type.
7. If the Gateway ID has not already been specified, enter the WAN IP address of the gateway as the ID. This is important, as it will ensure that the Gateway works in the correct mode!
8. Enter the WAN IP address of Gateway 2 in the Remote IPSec Server Address field.
9. Enter the private network that you wish to reach through the VPN. This will be the first IP address of the network, e.g. 192.168.2.0.
10. Enter the Shared Secret that will be used to create the tunnel (up to 64 characters). Ideally this should be a long, un-memorable key to provide higher security.
11. Select either DES or 3DES as the encryption type.
12. Select either MD5 or SHA-1 as the hash algorithm.
13. Select either Diffie-Hellman Group 1 or Group 2 to use for exchanging keys.
14. Leave Perfect Forward Secrecy unchecked. (Perfect Forward Secrecy increases the security of the tunnel by changing keys for every message sent, but to ensure that the VPN tunnel is configured correctly it is recommended that this is left unchecked during the initial configuration; it may be checked later if required.)

Take note of all the settings in this configuration, as they will be required to configure the other end of the VPN tunnel (Gateway 2).
15. Click Apply.

Configuring Gateway 2

This configuration will be very similar to the Gateway 1 configuration.
1. Select the IPSec Server radio button. The screen will change to reflect this selection.
2. Click on the IPSec Connections tab at the top of the page.
3. Click on the New button on the right of the screen; a pop-up window will appear.
4. Enter the WAN IP address of Gateway 1 in the Connection Name field. This is important, as it will ensure that the Gateway works in the correct mode!
5. Enter a description of the Security Association to remind you what the connection is (up to 128 characters).
6. Select Gateway-to-Gateway as the Connection Type.
7. If the Gateway ID has not already been specified, enter the WAN IP address of the gateway as the ID. This is important, as it will ensure that the Gateway works in the correct mode!
8. Enter the WAN IP address of Gateway 1 in the Remote IPSec Server Address field.
9. Enter the private network that you wish to reach through the VPN. This will be the first IP address of the network, e.g. 192.168.1.0.
10. Enter the Shared Secret that will be used to create the tunnel (up to 64 characters). This must be identical to the shared secret entered in Gateway 1.
11. Select either DES or 3DES as the encryption type. This must be identical to Gateway 1.
12. Select either MD5 or SHA-1 as the hash algorithm. This must be identical to Gateway 1.
13. Select either Diffie-Hellman Group 1 or Group 2 to use for exchanging keys. This must be identical to Gateway 1.
14. Leave Perfect Forward Secrecy unchecked. (Perfect Forward Secrecy increases the security of the tunnel by changing keys for every message sent, but to ensure that the VPN tunnel is configured correctly it is recommended that this is left unchecked during the initial configuration; it may be checked later if required.)
15. Click Apply.

Figure 4 VPN configurations for both ends of a VPN tunnel

The VPN connection should now be configured. To test the tunnel, from the Start Menu select Run, type ping xxx.xxx.xxx.xxx (where xxx.xxx.xxx.xxx is a PC on the remote network that you are trying to access via the VPN, e.g. 192.168.2.1) and hit return. If the VPN tunnel has been established, the IPSec Connections screen will indicate that the VPN tunnel is active. If it is not active, refer to the Log on both units for information on why it has failed.
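Because both ends are typed in by hand and must mirror each other exactly, the rules in the two procedures above can be checked mechanically before the first ping. The Python script below is an added example and is not part of the 3Com document or the gateway firmware: the GatewaySA layout, the 16-character minimum secret length, the check that the two private networks do not overlap, and the sample addresses (documentation ranges for the WAN side, the guide's 192.168.1.0 and 192.168.2.0 for the LANs) are all this example's assumptions.

```python
"""Mirror check for a Gateway-to-Gateway IPSec SA pair on two OfficeConnect
Cable/DSL Secure Gateways. Added example, not from the 3Com guide: it encodes
the rules the procedure states (Connection Name and Remote IPSec Server
Address hold the peer's WAN IP, the Gateway ID is the unit's own WAN IP, the
remote network is the peer's LAN, and shared secret, encryption, hash,
Diffie-Hellman group and PFS are identical at both ends) and lists every
violation. The dataclass layout and the sample addresses are this example's.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class GatewaySA:
    """One IPSec Connections entry, plus the WAN IP and LAN of the unit that owns it."""
    wan_ip: str           # the unit's own WAN IP address
    lan_network: str      # the unit's private LAN in CIDR form, e.g. "192.168.1.0/24"
    connection_name: str  # step 4: the peer's WAN IP address
    gateway_id: str       # step 7: this unit's WAN IP address
    remote_server: str    # step 8: Remote IPSec Server Address (peer's WAN IP)
    remote_network: str   # step 9: first address of the peer's private network
    shared_secret: str    # step 10: up to 64 characters
    encryption: str       # step 11: "DES" or "3DES"
    hash_alg: str         # step 12: "MD5" or "SHA-1"
    dh_group: int         # step 13: 1 or 2
    pfs: bool = False     # step 14: left unchecked for the initial configuration


ALLOWED = {"encryption": {"DES", "3DES"}, "hash_alg": {"MD5", "SHA-1"}, "dh_group": {1, 2}}
MUST_MATCH = ("shared_secret", "encryption", "hash_alg", "dh_group", "pfs")
MIN_SECRET_LEN = 16  # threshold chosen for this example; the guide only says "long"


def check_unit(label, sa):
    """Per-unit rules: allowed values, Gateway ID = own WAN IP, secret length, IP-shaped fields."""
    problems = []
    for field, allowed in ALLOWED.items():
        if getattr(sa, field) not in allowed:
            problems.append(f"{label}: {field}={getattr(sa, field)!r} is not one of {sorted(map(str, allowed))}")
    if sa.gateway_id != sa.wan_ip:
        problems.append(f"{label}: Gateway ID {sa.gateway_id} must be the unit's own WAN IP {sa.wan_ip}")
    if not 1 <= len(sa.shared_secret) <= 64:
        problems.append(f"{label}: shared secret must be 1 to 64 characters")
    elif len(sa.shared_secret) < MIN_SECRET_LEN:
        problems.append(f"{label}: shared secret is shorter than {MIN_SECRET_LEN} characters")
    for field in ("connection_name", "remote_server", "remote_network"):
        try:
            ip_address(getattr(sa, field))
        except ValueError:
            problems.append(f"{label}: {field}={getattr(sa, field)!r} is not an IP address")
    return problems


def check_direction(label, sa, peer):
    """Cross rules: this unit's entry must name the peer's WAN IP and the peer's LAN."""
    problems = []
    if sa.connection_name != peer.wan_ip:
        problems.append(f"{label}: connection name {sa.connection_name} must be the peer WAN IP {peer.wan_ip}")
    if sa.remote_server != peer.wan_ip:
        problems.append(f"{label}: Remote IPSec Server Address {sa.remote_server} must be {peer.wan_ip}")
    try:
        if ip_address(sa.remote_network) != ip_network(peer.lan_network).network_address:
            problems.append(f"{label}: remote network {sa.remote_network} is not the peer LAN {peer.lan_network}")
    except ValueError:
        pass  # malformed address, already reported by check_unit
    return problems


def check_pair(gw1, gw2):
    """Returns every rule violation for the pair; an empty list means the entries mirror each other."""
    problems = check_unit("Gateway 1", gw1) + check_unit("Gateway 2", gw2)
    problems += check_direction("Gateway 1", gw1, gw2) + check_direction("Gateway 2", gw2, gw1)
    for field in MUST_MATCH:
        if getattr(gw1, field) != getattr(gw2, field):
            # never echo the secret itself into a report
            shown = "(differs)" if field == "shared_secret" else f"{getattr(gw1, field)!r} vs {getattr(gw2, field)!r}"
            problems.append(f"{field} must be identical at both ends: {shown}")
    if ip_network(gw1.lan_network).overlaps(ip_network(gw2.lan_network)):
        problems.append("the two private networks overlap, so traffic cannot be routed through the tunnel")
    return problems


# Constructed sample: documentation-range WAN addresses, the guide's example LANs.
SECRET = "example-only-long-unmemorable-key-7Qx9"
GW1 = GatewaySA(wan_ip="203.0.113.10", lan_network="192.168.1.0/24",
                connection_name="198.51.100.20", gateway_id="203.0.113.10",
                remote_server="198.51.100.20", remote_network="192.168.2.0",
                shared_secret=SECRET, encryption="3DES", hash_alg="SHA-1", dh_group=2)
GW2 = GatewaySA(wan_ip="198.51.100.20", lan_network="192.168.2.0/24",
                connection_name="203.0.113.10", gateway_id="198.51.100.20",
                remote_server="203.0.113.10", remote_network="192.168.1.0",
                shared_secret=SECRET, encryption="3DES", hash_alg="SHA-1", dh_group=2)
# A deliberately faulty Gateway 2 entry: wrong hash and a connection name that is not the peer.
BROKEN_GW2 = replace(GW2, hash_alg="MD5", connection_name="192.0.2.99")

if __name__ == "__main__":
    for name, pair in (("correct", (GW1, GW2)), ("broken", (GW1, BROKEN_GW2))):
        problems = check_pair(*pair)
        print(f"{name}: {'OK' if not problems else ''}")
        for line in problems:
            print("  " + line)
```

Run as-is, the script reports the correct pair as OK and lists two findings for the faulty entry. The report deliberately never prints the shared secret, only that it differs, so it can be pasted into a ticket without leaking the key.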

Configuring a VPN tunnel between the OfficeConnect Cable/DSL Secure Gateway and the SuperStack 3 Firewall

The configuration of the OfficeConnect Cable/DSL Secure Gateway is exactly the same as described above. The configuration on both sides of the tunnel must still contain identical information about encryption type, hash algorithm, shared secret and Diffie-Hellman Group.

Configuring the SuperStack 3 Firewall

Figure 5 VPN Summary on SuperStack 3 Firewall

1. Click on the VPN tab.
2. If it is not already configured, enter the Unique Firewall Identifier. Ensure that this is the WAN IP address of the Firewall.
3. Click on the VPN Configure tab at the top of the screen.

Figure 6 Configuring a VPN connection on a SuperStack 3 Firewall

4. Choose New SA from the Security Association pull-down menu.
5. Select IKE using pre-shared key from the IPSec Keying Mode pull-down menu.
6. Leave the Disable this SA checkbox unchecked.
7. Enter the WAN IP address of the OfficeConnect Cable/DSL Secure Gateway as the Connection Name.
8. Enter the WAN IP address of the OfficeConnect Cable/DSL Secure Gateway as the IPSec Gateway address.
9. Leave all checkboxes in the Security Policy section unchecked (* SuperStack 3 only).
10. Set the SA lifetime to 600 seconds.
11. Select either Encrypt and Authenticate or Strong Encrypt and Authenticate. Encrypt should be chosen when DES is required; Strong Encrypt should be chosen when 3DES is required.
12. Take note of the acronyms on the right of the pull-down menu.
13. If MD5 was chosen as the hash algorithm on the OfficeConnect Cable/DSL Secure Gateway, then either ESP DES HMAC MD5 or ESP 3DES HMAC MD5 will need to be chosen. If SHA-1 was chosen, then ESP DES HMAC SHA-1 or ESP 3DES HMAC SHA-1 should be chosen.
14. Enter the shared secret. This must be identical at both ends of the tunnel.
15. At the bottom of the screen select Add New Network. A pop-up window will appear.

Figure 7 Specifying a remote network

16. Enter the private network address and subnet that you wish to connect to through the VPN tunnel. This will be the LAN of the OfficeConnect Cable/DSL Secure Gateway and can be found on the LAN settings page of the OfficeConnect Cable/DSL Secure Gateway management interface.
17. Click on the Update button.
18. Click on the Update button on the main VPN Configure screen.
19. Restart the firewall as required.

The VPN is now configured and will automatically initiate when traffic is sent between the two private networks.

Configuring the OfficeConnect Cable/DSL Secure Gateway to connect with SSH Sentinel VPN client or Safenet Soft-PK VPN client

[Figure 8 diagram: the Gateway and its Network on one side, the Internet in the middle, a Cable or DSL modem and a PC running VPN client software on the other]

Figure 8 PC running VPN client software and an OfficeConnect Secure Gateway connecting via the Internet

Configuring the Gateway

Figure 9 Configuring a VPN client connection on the OfficeConnect Cable/DSL Secure Gateway

1. Click on the VPN tab on the left of the screen.
2. Enable IPSec VPN connections by selecting the IPSec radio button.
3. Click on the IPSec Connections tab that appears at the top of the page.
4. Click on the New button to create a new Security Association and fill in the fields:
   Connection Name - enter the name by which the connection will be known; a good example is the name of the user that will be connecting.
   Description - add a description that will make the connection easily identifiable.
   Connection Type - click on the Remote User Access radio button.
   This Gateway's ID - the ID of the gateway should be entered here. This ID will be the same for all IPSec connections and must be the WAN IP address of the gateway.

   Remote User ID - enter a username that the remote user will use to authenticate the connection.
   Tunnel Shared Key - enter an alphanumeric string that will be used to authenticate the tunnel (up to 64 characters).
   Encryption Type - select either DES or 3DES. 3DES will give a higher level of security but might reduce data throughput. This must be the same on both ends of the VPN tunnel to allow connection.
   Exchange Keys Using - select either Diffie-Hellman Group 1 or 2. Group 2 will provide a higher level of security but might cause the initiation of a VPN tunnel to take slightly longer. This must be the same on both ends of the VPN tunnel to allow connection.
   Perfect Forward Secrecy - leave unchecked. (Perfect Forward Secrecy increases the security of the tunnel by changing keys for every message sent, but to ensure that the VPN tunnel is configured correctly it is recommended that this is left unchecked during the initial configuration; it may be checked later if required.)

The OfficeConnect Cable/DSL Secure Gateway is now ready to accept a connection from a remote VPN client. Make a note of all information used in the configuration, as it will be required to configure the VPN client.

Configuring the SSH Sentinel VPN Client

Figure 10 SSH Sentinel Policy Editor

1. Install the VPN client. During the installation you will be required to create a security certificate by moving the mouse pointer around a pop-up window; complete this and, once installation is complete, restart your PC.
2. Once the PC has restarted, go to the Start Menu -> Programs -> SSH Sentinel -> Policy Editor. The Policy Editor window will appear on the screen.


Figure 11 Configuring an Authentication Key

3. Click on the Key Management tab at the top of the screen.
4. Under My Keys, double click on Add... A new pop-up window will appear.

Figure 12 Configuring a preshared key on the SSH Sentinel VPN client

5. Choose Create a preshared key.
6. Give the key a descriptive name.
7. Enter exactly the same text as was entered in the Tunnel Shared Key in the OfficeConnect Cable/DSL Secure Gateway configuration.
8. Click OK. The key that was just created will appear in the menu list.
9. Click on the new key and choose Properties.


Figure 13 Configuring a remote user ID

10. Click on the Identity tab at the top of the new pop-up window.
11. For both Local and Remote, choose Administrator E-mail from the Primary Identifier pull-down menu.
12. Enter the Remote User ID that was entered in the OfficeConnect Cable/DSL Secure Gateway configuration in the blank field for Local.
13. Enter the same Remote User ID in the blank field for Remote.
14. Click OK.
15. Click on the Security Policy tab at the top of the screen.
16. Click on VPN Connection and then select Add; a new pop-up window will appear.

Figure 14 Configuring a new VPN connection

17. Click on the IP button on the top right of the screen.
18. Enter the WAN IP address of the OfficeConnect Cable/DSL Secure Gateway.
19. Click on the button (directly below the IP button).
20. Click New.


Figure 15 Adding a new remote network

21. Enter a descriptive name for the network in the Network Name field.
22. Enter the private network address and subnet mask that you wish to access through the VPN tunnel. This would normally be the local network behind the OfficeConnect Cable/DSL Secure Gateway.
23. Click OK.
24. Next, select the new key from the Authentication Key drop-down menu.
25. Check the Use legacy proposal checkbox.
26. Click Properties.


Figure 16 General information about VPN connection

27. Ensure that the correct Authentication Key is selected.
28. Click on the Settings button under IPSec/IKE Proposal; a new pop-up window will appear.

Figure 17 Specific details of VPN connection


29. Select both an IKE and an IPSec proposal:
   IKE Proposal
   Encryption Algorithm - select either DES or 3DES. This MUST match what was selected in the OfficeConnect Cable/DSL Secure Gateway configuration.
   Integrity Function - select either MD5 or SHA-1.
   IKE Mode - select aggressive mode.
   IKE Group - select either MODP Group 1 or 2. This is the equivalent of the Diffie-Hellman group specified in the OfficeConnect Cable/DSL Secure Gateway. The same group must be configured at both ends of the tunnel.
   IPSec Proposal
   Encryption Algorithm - select the same as specified for the IKE Proposal and the OfficeConnect Cable/DSL Secure Gateway.
   Integrity Algorithm - if MD5 was selected in the IKE Proposal, select HMAC-MD5. If SHA-1 was selected in the IKE Proposal, select HMAC-SHA-1.
   IPSec Mode - greyed out, as tunnel is the only option.
   PFS Group - select none.
30. Click OK until the main Policy Editor screen is visible.
31. Click on Apply to save the VPN configuration.
32. The VPN connection should now be configured. Click on the Apply button to save the configuration.

To test the VPN connection, go to VPN Connection and highlight the newly configured VPN. Click the Diagnostics button in the bottom right of the screen. The VPN client will attempt to connect to the OfficeConnect Cable/DSL Secure Gateway and will give either a pass or a fail. If there is a failure, check that both the VPN client and OfficeConnect Cable/DSL Secure Gateway configurations are correct. If the diagnostics pass, then the tunnel is configured correctly.

To initiate a VPN tunnel using the SSH Sentinel VPN Client
Right click on the Sentinel icon in the System tray at the bottom right of the screen (blue square with three smaller white squares inside). Choose Select VPN. Highlight the VPN that you wish to initiate and click the left mouse button. The VPN will then connect.

To disconnect a VPN tunnel using the SSH Sentinel VPN Client
Right click on the Sentinel icon in the System tray at the bottom right of the screen (blue square with three smaller white squares inside). Choose Select VPN. Highlight the VPN that you wish to disconnect and click the left mouse button. The VPN will then disconnect.


Configuring the Safenet SoftPK VPN Client

Launching the VPN Client
1 To launch the VPN client, select SafeNet Soft-PK from the Windows Start menu and select Security Policy Editor.
2 Select New Connection in the File menu at the top of the Security Policy Editor window. The security policy may be renamed by highlighting New Connection in the Network Security Policy box and typing the desired security policy name.

Figure 18 Safenet SoftPK VPN Client

Configuring Connection Security and Remote Identity
1 Select Secure in the Connection Security box on the right side of the Security Policy Editor window.
2 Select IP Subnet in the ID Type menu.
3 Type the Gateway LAN Network Address in the field immediately below ID Type.
4 Type the LAN Subnet Mask in the Port field.
5 Select All in the Protocol field to permit all IP traffic through the VPN tunnel.
6 Check the Connect using Secure Gateway Tunnel checkbox.
7 Select IP Address in the ID Type menu at the bottom of the Security Policy Editor window.
8 Enter the Remote Gateway WAN IP Address in the IP Address field.

Information such as the Gateway LAN Network Address, Subnet Mask and WAN IP Address can be found by looking at the LAN Settings and Internet Settings pages of the Secure Gateway web GUI.


Figure 19 Configuring a VPN connection

Configuring VPN Client Security Policy
1 Click New Connection in the Network Security Policy box on the left side of the Security Policy Editor window. My Identity and Security Policy should appear below New Connection.
2 Click Security Policy in the Network Security Policy box. A window similar to Figure 10 will be displayed.
3 Select Aggressive Mode in the Select Phase 1 Negotiation Mode box.
4 Leave the Enable Perfect Forward Secrecy (PFS) checkbox unchecked.
5 Check the Enable Replay Detection checkbox to redisplay auditing.


Figure 20 Configuring authentication for VPN tunnel

Configuring the VPN Client Identity
1 Click My Identity in the Network Security Policy box on the left side of the Security Policy Editor window. A window similar to Figure 11 appears.
2 Choose None in the Select Certificate menu on the right side of the VPN client window.
3 Select E-Mail Address in the ID Type menu.
4 Type the Remote User ID (as specified in the Secure Gateway) in the field below the ID Type menu.
5 Select PPP Adapter in the Name menu if you have a dial-up Internet account. Select your Ethernet adapter if you have a dedicated Cable, ISDN or DSL line.
6 Click the Pre-Shared Key button.
7 Click the Enter Key button in the Pre-Shared Key dialog box. Then enter the Gateway's Shared Secret in the Pre-Shared Key field and click OK. Note that this field is case sensitive.

Figure 21 Entering a preshared key


Figure 22 Configuring the authentication encryption level of the VPN connection

Configuring VPN Client Authentication Proposal
1 Double click Security Policy in the Network Security Policy box to display Authentication and Key Exchange.
2 Double click Authentication. Then select Proposal 1 below Authentication.
3 Select Pre-Shared key in the Authentication Method menu.
4 Select DES or 3DES in the Encrypt Alg menu, depending on which encryption method you chose in the Gateway Security Association.
5 Select MD5 or SHA-1 in the Hash Alg menu. This must be identical to what is entered in the Gateway.
6 Select Seconds in the SA Life menu and enter 600.
7 Select Diffie-Hellman Group 1 or Group 2 in the Key Group menu. This must be identical to what is entered in the Gateway.


Figure 23 Configuring the data encryption level of the VPN connection

Configuring VPN Client Key Exchange Proposal
1 Double click Key Exchange in the Network Security Policy box. Then select Proposal 1 below Key Exchange.
2 Select Seconds and specify 600 in the SA Life menu.
3 Select None in the Compression menu.
4 Check the Encapsulation Protocol (ESP) checkbox.
5 Select DES or 3DES in the Encrypt Alg menu, depending on which encryption method you chose in the Gateway VPN configuration.
6 Select MD5 or SHA-1 in the Hash Alg menu. This must be identical to what is entered in the Gateway.
7 Select Tunnel in the Encapsulation Method menu.
8 Leave the Authentication Protocol (AH) checkbox unchecked.

Now save all your changes. You have now set up the VPN tunnel. After completing the VPN client configuration, the Administrator may securely manage the remote Gateway by entering the Gateway LAN IP address in a browser on the computer running the VPN client software. The Gateway VPN client may also access remote resources by locating servers or workstations by their remote IP addresses.


Configuring the OfficeConnect Cable/DSL Secure Gateway to connect with the 3Com Firewall VPN client application for Windows XP

To configure the OfficeConnect Cable/DSL Secure Gateway to connect with the 3Com Firewall VPN client for Windows XP, the same configuration steps must be taken as for a Gateway-to-Gateway connection, as described in Configuring a VPN tunnel between two OfficeConnect Cable/DSL Secure Gateways above. The IP address of the XP machine must be known to enable this connection; therefore this solution is not recommended for remote connections that have a dynamic IP address. If connecting from a dynamic IP address using an XP machine, use the SSH Sentinel VPN client.

Configuring the 3Com Firewall VPN client application for Windows XP

Install the application (3cxpvpn.exe can be downloaded from www.3com.com). Once installed, launch the application from the Start Menu by selecting Programs -> 3Com -> 3Com Firewall VPN. The application will then launch.

Figure 24 3Com Windows XP VPN client

Click on the Show Configuration button.

Figure 25 Details of VPN connection

Enter the WAN IP address of the Secure Gateway in the Firewall IP address field.


Select Network Address and Mask from the pull-down menu under Private LAN IP.
Enter the LAN network address and subnet mask. This information can be found on the LAN settings page of the OfficeConnect Cable/DSL Secure Gateway web interface.
Select either DES or 3DES from the pull-down menu for encryption type. This must be the same as is specified in the OfficeConnect Cable/DSL Secure Gateway VPN configuration.
Select either MD5 or SHA-1 from the pull-down menu as the Authentication type. This must be the same as is specified in the OfficeConnect Cable/DSL Secure Gateway VPN configuration.
Enter 600 as the SA Lifetime.
Enter the Shared Secret as specified in the OfficeConnect Cable/DSL Secure Gateway VPN configuration. This field is masked, so the secret will not be visible as you type.
Once you are sure that the configuration is correct, click on the Save button. A pop-up window will appear asking for a local password. This is to ensure that only authorised users can access the VPN. Select a password and click OK.

To connect to the remote network through the VPN tunnel you must first enable the configuration that has been saved. Launch the 3Com Firewall VPN client application, enter the password in the empty field and click Connect. The next time you try to connect to the remote network the VPN tunnel will automatically be initiated.
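Every client section above (SuperStack 3 Firewall, SSH Sentinel, SafeNet SoftPK and the 3Com XP client) repeats the same requirement, that encryption, hash, Diffie-Hellman group and PFS agree with the gateway, but each product spells those settings differently: ESP 3DES HMAC SHA-1 and Strong Encrypt and Authenticate on the SuperStack, MODP Group 2 and HMAC-SHA-1 in Sentinel, Diffie-Hellman Group 2 and Encrypt Alg in SafeNet. The Python script below is an added example, not code from the 3Com guide or from any of those products: it translates each client's field values into the gateway's vocabulary, reports any parameter that would not match the gateway's SA, and also checks the per-client settings the procedures call for (aggressive mode, 600-second SA lifetimes, ESP in tunnel mode with AH unchecked). The GATEWAY values and the constructed client settings are this example's; the dict keys are the screen labels quoted in the procedures, and the dict layout is an assumption of this example. The XP client's fields already use the gateway's own names, so they can be passed straight to check_against_gateway.

```python
"""Cross-vendor proposal check for the OfficeConnect remote-access and
SuperStack SAs. Added example, not from the 3Com guide or any of the
products: it maps the SuperStack 3, SSH Sentinel and SafeNet SoftPK field
vocabulary quoted in the procedures above onto the four parameters the
gateway exposes (encryption, hash, Diffie-Hellman group, PFS) and reports
anything that would stop the tunnel negotiating. Dict keys are the screen
labels from the guide; the dict layout itself is this example's assumption.
"""
import re

# Vendor spellings of the two Diffie-Hellman groups the guide mentions.
DH_NAMES = {"Group 1": 1, "Group 2": 2, "MODP Group 1": 1, "MODP Group 2": 2,
            "Diffie-Hellman Group 1": 1, "Diffie-Hellman Group 2": 2}
# IPSec integrity names (HMAC form) -> the IKE hash name the gateway uses.
HMAC_NAMES = {"HMAC-MD5": "MD5", "HMAC MD5": "MD5", "HMAC-SHA-1": "SHA-1", "HMAC SHA-1": "SHA-1"}
SA_LIFETIME = 600  # seconds, as the guide specifies for every client

# The gateway's own SA (constructed sample values).
GATEWAY = {"encryption": "3DES", "hash": "SHA-1", "dh_group": 2, "pfs": False}


def parse_superstack(method, acronym, lifetime):
    """SuperStack 3: method pull-down text, its acronym (e.g. 'ESP 3DES HMAC SHA-1'), SA lifetime."""
    m = re.fullmatch(r"ESP (DES|3DES) HMAC (MD5|SHA-1)", acronym)
    if not m:
        raise ValueError(f"unrecognised SuperStack acronym {acronym!r}")
    enc, hsh = m.groups()
    want = "Strong Encrypt and Authenticate" if enc == "3DES" else "Encrypt and Authenticate"
    problems = [] if method == want else [f"SuperStack: {acronym} requires the {want!r} method"]
    if lifetime != SA_LIFETIME:
        problems.append(f"SuperStack: SA lifetime should be {SA_LIFETIME} seconds")
    # The SuperStack screen in the guide carries no DH group, so none is returned.
    return {"encryption": enc, "hash": hsh, "pfs": False}, problems


def parse_sentinel(ike, ipsec):
    """SSH Sentinel: the IKE Proposal and IPSec Proposal panes of the Settings window."""
    problems = []
    if ike["IKE Mode"].lower() != "aggressive":
        problems.append("Sentinel: IKE Mode must be aggressive")
    if ipsec["Encryption algorithm"] != ike["Encryption Algorithm"]:
        problems.append("Sentinel: IPSec encryption must equal the IKE encryption algorithm")
    if HMAC_NAMES.get(ipsec["Integrity Algorithm"]) != ike["Integrity Function"]:
        problems.append("Sentinel: IPSec integrity must be the HMAC form of the IKE integrity function")
    profile = {"encryption": ike["Encryption Algorithm"], "hash": ike["Integrity Function"],
               "dh_group": DH_NAMES[ike["IKE group"]], "pfs": ipsec["PFS Group"].lower() != "none"}
    return profile, problems


def parse_safenet(phase1_mode, pfs_enabled, auth, kex):
    """SafeNet SoftPK: Security Policy settings plus the Authentication and Key Exchange proposals."""
    problems = []
    if phase1_mode != "Aggressive Mode":
        problems.append("SafeNet: Phase 1 Negotiation Mode must be Aggressive Mode")
    if auth["Authentication Method"] != "Pre-Shared key":
        problems.append("SafeNet: Authentication Method must be Pre-Shared key")
    for name, prop in (("Authentication", auth), ("Key Exchange", kex)):
        if prop["SA Life"] != SA_LIFETIME:
            problems.append(f"SafeNet: {name} SA Life should be {SA_LIFETIME} seconds")
    if (auth["Encrypt Alg"], auth["Hash Alg"]) != (kex["Encrypt Alg"], kex["Hash Alg"]):
        problems.append("SafeNet: Key Exchange algorithms must equal the Authentication ones")
    if not kex["ESP"] or kex["AH"] or kex["Encapsulation Method"] != "Tunnel":
        problems.append("SafeNet: use ESP in Tunnel mode with AH unchecked")
    profile = {"encryption": auth["Encrypt Alg"], "hash": auth["Hash Alg"],
               "dh_group": DH_NAMES[auth["Key Group"]], "pfs": pfs_enabled}
    return profile, problems


def check_against_gateway(gateway, client, label):
    """Every parameter present on both sides that differs; an empty list means they agree."""
    return [f"{label}: {k} is {client[k]!r} but the gateway has {gateway[k]!r}"
            for k in gateway if k in client and client[k] != gateway[k]]


# Constructed client settings, typed the way the guide's screens label them.
SENTINEL_IKE = {"Encryption Algorithm": "3DES", "Integrity Function": "SHA-1",
                "IKE Mode": "aggressive", "IKE group": "MODP Group 2"}
SENTINEL_IPSEC = {"Encryption algorithm": "3DES", "Integrity Algorithm": "HMAC-SHA-1",
                  "IPSec Mode": "tunnel", "PFS Group": "none"}
SAFENET_AUTH = {"Authentication Method": "Pre-Shared key", "Encrypt Alg": "3DES",
                "Hash Alg": "MD5", "SA Life": 600, "Key Group": "Diffie-Hellman Group 2"}
SAFENET_KEX = {"SA Life": 600, "Compression": "None", "ESP": True, "Encrypt Alg": "3DES",
               "Hash Alg": "MD5", "Encapsulation Method": "Tunnel", "AH": False}

if __name__ == "__main__":
    results = {
        "SuperStack": parse_superstack("Strong Encrypt and Authenticate", "ESP 3DES HMAC SHA-1", 600),
        "Sentinel": parse_sentinel(SENTINEL_IKE, SENTINEL_IPSEC),
        "SafeNet": parse_safenet("Aggressive Mode", False, SAFENET_AUTH, SAFENET_KEX),
    }
    for label, (profile, problems) in results.items():
        for line in problems + check_against_gateway(GATEWAY, profile, label):
            print(line)
        print(f"{label}: checked")
```

In the constructed sample the SafeNet client was typed with MD5 while the gateway has SHA-1, so the run reports exactly that one mismatch and nothing for the other two clients; the internal consistency checks (Sentinel's IPSec integrity being the HMAC form of its IKE function, SafeNet's two proposals agreeing) catch the errors that are easiest to make when the same algorithm has to be entered twice in one client.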
