
How to install and configure NetScreen Remote 8.0 for Roadwarrior VPN (X.509) for secure connection to Trustix Enterprise Firewall 4

-1-

Table of contents
Chapter 1 - Installing NS Remote 8.0 VPN Client ........ 3
    1.1 System prerequisites ........ 3
    1.2 Installation ........ 4
Chapter 2 - Configuring VPN Client for Trustix Firewall 3.0 ........ 8
    2.1 Adding your VPN certificates ........ 8
    2.2 Creating the Connection Policy ........ 11
A. Notices ........ 16

NOTE: Before using this information and the product it supports, be sure to read the general information under Appendix A Notices, page 16.


Chapter 1 - Installing NS Remote 8.0 VPN Client


NetScreen Remote 8.0 is a virtual private network (VPN) client that you can use to communicate securely over the Internet. NetScreen Remote is certified by the International Computer Security Association (ICSA) as an IPsec-compliant VPN solution. NetScreen Remote starts automatically each time the computer starts and runs transparently at all times, unless specifically configured otherwise.

This chapter describes the following topics:
System prerequisites
Installation

1.1 System prerequisites


System Requirements:
IBM compatible computer with a Pentium (or equivalent) processor
Microsoft Windows 95/98, ME, Windows NT 4.0, Windows 2000, Windows XP
35 MB hard disk space, 40 MB for NetScreen-Remote Security Client
16 MB RAM for Windows 95/98, 32 MB RAM for Windows 98/NT, 64 MB for Windows ME/2000/XP
Ethernet or Wireless Ethernet interface with NDIS compliant driver and/or dial-up networking using an internal or external modem, ISDN adapter or PPPoE adapter

Standards and RFCs Supported:
L2TP: Layer 2 Tunneling Protocol (RFC2661)
ESP and AH: Encapsulating Security Payload and Authentication Header (RFC2406, RFC2402)
IKE (ISAKMP/Oakley): Internet Key Exchange (RFC2407-2409)
PPPoE: PPP over Ethernet (RFC2516)
NAT traversal (draft-ietf-ipsec-nat-t-ike, draft-ietf-ipsec-udp-encaps)
X.509 v3 certificates (RFC2459)
CEP: Certificate Enrollment Protocol
PKCS #7: Cryptographic Message Syntax Standard (RFC2315)
PKCS #10: Certification Request Syntax Standard (RFC2986)
PKCS #12: Personal Information Exchange Syntax Standard
MSCAPI: Microsoft Certificate API

Certifications:
ICSA IPSec
ICSA PC Firewall (NetScreen-Remote Security Client)
FIPS PUB 46-1: Data Encryption Standard
FIPS PUB 180-1: Secure Hash Standard
FIPS 140-1: Cryptographic Modules


1.2 Installation
Make sure that you have uninstalled any earlier versions of NetScreen Remote before proceeding with this installation.

1. Insert the NetScreen Remote 8.0 CD-ROM into your laptop or home computer. An HTML cover page appears; it contains important information that you should read, as well as a link to the release notes. These notes describe, among other things, compatibility and known and addressed software issues.

2. Start Windows Explorer as seen in figure 1 and double-click on Setup.exe.

Figure 1. Locating Setup.exe in order to begin installing NS Remote 8.0.

3. The InstallShield Wizard starts, as shown in figure 2.

Figure 2. NS Remote 8.0 Welcome screen, click Next to continue.

4. The Software License Agreement appears, as shown in figure 3. After reading the Agreement, click Yes to continue.

Figure 3. Software License Agreement, click Yes to continue.

5. The Setup Type dialog appears, as shown in figure 4. Choose Custom and then Next to continue.

Figure 4. Choose the Custom Setup Type and click Next to proceed.


6. The Select Components dialog appears, as shown in figure 5. Choose the components as seen in figure 5.

Figure 5. Choose the components and click Next to proceed.

7. The Start Copying Files dialog appears, as shown in figure 6.

Figure 6. Start Copying Files, click Next to proceed.


8. The NetScreen Remote 8.0 files are installed onto your system. When the installation has completed successfully, your computer needs to be restarted before NetScreen Remote can start. After the restart, the NetScreen Remote icon appears in the right corner of your Windows task bar, as seen in figure 7.

Figure 7. NetScreen Remote icon.


Chapter 2 - Configuring VPN Client for Trustix Firewall 3.0


To start using NetScreen Remote 8.0 with the Trustix Firewall, you must first import the needed X.509 certificates into NetScreen Remote and then create a Connection Policy.

This chapter describes the following topics:
Importing the needed certificates into NetScreen Remote
Creating a Connection Policy with NetScreen Remote

2.1 Adding your VPN certificates


The first thing you need to do is to export the certificates from the Trustix Firewall, using the Trustix Firewall management client. You will need the root certificate (CA) exported as a *.cser file, and the user certificate (PKCS#12) exported as a *.p12 file along with its password. When you have copied these certificates onto the client computer where NetScreen Remote 8.0 is installed, start the Certificate Manager as seen in figure 8 below.

1. Right-click over the NetScreen Remote icon and start Certificate Manager as seen in figure 8.

Figure 8. Starting the Certificate Manager.


2. Start importing the (PKCS#12) user certificate under My Certificates in the Certificate Manager, as shown in figure 9.

Figure 9. Start importing the user certificate by clicking on Import Certificate.

3. Locate the (PKCS#12) user certificate and enter the password, as shown in figure 10. Answer Yes to add this certificate when asked.

Figure 10. Locating and filling in a valid password for user certificate.


4. Start importing the (CA) certificate under Root CA Certificates in the Certificate Manager, as shown in figure 11.

Figure 11. Start importing the (CA) certificate by clicking on Import Certificate.

5. Locate the (CA) certificate and click Import, as shown in figure 11. Answer Yes to add this certificate when asked.

Figure 11. Locating and importing the (CA) certificate.

Now the needed certificates should have been imported successfully, and the next step is to create a Connection Policy in NetScreen Remote, see chapter 2.2.
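Before importing, it is worth checking the two exported files offline: that the PKCS#12 file opens with the password you were given, that the user certificate actually chains to the CA certificate you are about to import as a root CA, and what the subject names in the certificates are (the gateway's subject is what you will later have to type into the connection policy). The following script is an added example and is not part of the Trustix HOWTO or of NetScreen Remote; it drives the openssl command-line tool, which is assumed to be installed, and constructs a throwaway CA and user certificate so that it runs without any Trustix files. File names and the password are assumptions.

```python
"""Added example, not part of the Trustix HOWTO: sanity checks on the two
files exported from the firewall before they are imported into NetScreen
Remote, the root CA certificate and the PKCS#12 user certificate plus key.

The checks drive the openssl command-line tool (assumed to be installed)
from Python. File names and the password are assumptions; use the values
from your own export. A throwaway CA and user certificate are constructed
below so the script runs offline; they are not Trustix certificates.
"""
import os
import subprocess
import tempfile


def _openssl(*args):
    """Run one openssl command and return (exit code, decoded stdout)."""
    proc = subprocess.run(["openssl", *args], capture_output=True)
    return proc.returncode, proc.stdout.decode("utf-8", "replace")


def p12_password_ok(p12_path, password):
    """True if the PKCS#12 file opens with this password; a wrong password is
    the usual reason the Import Certificate step fails.
    Equivalent: openssl pkcs12 -in user.p12 -passin pass:... -nokeys -out /dev/null"""
    code, _ = _openssl("pkcs12", "-in", p12_path, "-passin", "pass:" + password,
                       "-nokeys", "-out", os.devnull)
    return code == 0


def p12_user_cert(p12_path, password, out_pem):
    """Write the user (end-entity) certificate from the PKCS#12 file as PEM."""
    code, _ = _openssl("pkcs12", "-in", p12_path, "-passin", "pass:" + password,
                       "-nokeys", "-clcerts", "-out", out_pem)
    if code != 0:
        raise RuntimeError("cannot extract the certificate from " + p12_path)
    return out_pem


def chain_ok(ca_path, cert_pem):
    """True if the user certificate verifies against the CA certificate that
    will be imported under Root CA Certificates. If this fails, the gateway
    will not accept the client's certificate during Phase 1.
    Equivalent: openssl verify -CAfile ca.cer user.pem"""
    code, _ = _openssl("verify", "-CAfile", ca_path, cert_pem)
    return code == 0


def subject_dn(cert_path):
    """Subject DN of a certificate in RFC 2253 form, e.g. 'CN=fw,O=Trustix,C=NO'.
    For a gateway certificate this is what the Edit Name dialog must reproduce."""
    code, out = _openssl("x509", "-in", cert_path, "-noout", "-subject",
                         "-nameopt", "RFC2253")
    if code != 0:
        raise RuntimeError("cannot read " + cert_path)
    return out.strip().split("=", 1)[1]          # strip the leading 'subject='


def run_checks(ca_path, p12_path, password):
    """Run the pre-import checks and return the results as a dict."""
    result = {"password_ok": p12_password_ok(p12_path, password)}
    if not result["password_ok"]:
        return result
    user_pem = p12_user_cert(p12_path, password, p12_path + ".cert.pem")
    result["chain_ok"] = chain_ok(ca_path, user_pem)
    result["user_dn"] = subject_dn(user_pem)
    result["ca_dn"] = subject_dn(ca_path)
    return result


def make_demo_pki(directory, password):
    """Construct a throwaway CA and a user certificate signed by it, packed as
    PKCS#12 the way a firewall export would deliver it (demo data only).
    Returns (ca_cert_path, user_p12_path)."""
    def p(name):
        return os.path.join(directory, name)
    steps = [
        ["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "2",
         "-subj", "/C=NO/O=Example/CN=Example VPN CA", "-keyout", p("ca.key"), "-out", p("ca.cer")],
        ["req", "-newkey", "rsa:2048", "-nodes", "-sha256",
         "-subj", "/C=NO/O=Example/CN=roadwarrior1", "-keyout", p("user.key"), "-out", p("user.csr")],
        ["x509", "-req", "-in", p("user.csr"), "-CA", p("ca.cer"), "-CAkey", p("ca.key"),
         "-CAcreateserial", "-days", "1", "-sha256", "-out", p("user.cer")],
        ["pkcs12", "-export", "-in", p("user.cer"), "-inkey", p("user.key"),
         "-certfile", p("ca.cer"), "-name", "roadwarrior1",
         "-passout", "pass:" + password, "-out", p("user.p12")],
    ]
    for step in steps:
        code, _ = _openssl(*step)
        if code != 0:
            raise RuntimeError("openssl %s %s failed" % (step[0], step[1]))
    return p("ca.cer"), p("user.p12")


DEMO_PASSWORD = "demo-export-password"          # assumption: password from the export
DEMO_CA, DEMO_P12 = make_demo_pki(tempfile.mkdtemp(), DEMO_PASSWORD)

if __name__ == "__main__":
    for key, value in run_checks(DEMO_CA, DEMO_P12, DEMO_PASSWORD).items():
        print("%-12s %s" % (key, value))
```

To check a real export, call run_checks with the paths of the exported CA file, the .p12 file and the password you were given. One caveat: a PKCS#12 file written by a product of this generation is normally encrypted with the legacy RC2-40/3DES PKCS#12 algorithms, which OpenSSL 3 only reads when the pkcs12 commands are given the additional -legacy option (with the legacy provider available); if the password check fails on a file whose password you know is correct, that is the first thing to try.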


2.2 Creating the Connection Policy


Assuming that you have imported the needed certificates into NetScreen Remote, as described in chapter 2.1, you can proceed by starting the Policy Editor in order to create a Connection Policy, as seen in figure 12 below.

1. Double-click on the NetScreen Remote icon in the Windows task bar, as shown in figure 12 below.

Figure 12. Double-click on the NetScreen Remote icon to start the Policy Editor.

2. Right-click over My Connection to Add a new Connection, as shown in figure 13 below.

Figure 13. Starting to create a new Connection using the Policy Editor.


3. A new window inside the Policy Editor appears, as seen in figure 14. Give the new connection a proper name and then fill in the proper values under Remote Party Identity and Addressing.

Figure 14. Configuring the new Corporate LAN connection.

4. Important entries that need to be configured:

Remote Party Identity and Addressing
ID Type: This has to be set to IP Subnet.
Subnet: The network address of the local network behind the remote Trustix Firewall.
Mask: The subnet mask of the local network behind the remote Trustix Firewall.
Connect using: This has to be selected and set to Secure Gateway Tunnel.
ID Type: This has to be set to Distinguished Name. Below it you can use Gateway Hostname or Gateway IP Address, depending on the information you have about the remote Trustix Firewall, and fill in the hostname or IP address (for example fw.Trustix.com).
Edit Name: When you click on this button, a new window appears, as shown in figure 15 on the following page.

Figure 15. Edit Distinguished Name. It is very important that you fill in the Name field with the connection name, since this is a reference to a certificate that should have been created for that connection on the Trustix Firewall by the administrator.

5. Now click on My Identity in the Policy Editor, as shown in figure 16.

Figure 16. Select the proper (PKCS#12) user certificate under My Identity.


6. Then click on Security Policy in the Policy Editor, as shown in figure 17.

Figure 17. Make sure that Security Policy is similar to this figure.

7. Configure Authentication (Phase 1) Proposal 1 as shown in figure 20. The proposal has to match the Phase 1 settings configured on the Trustix Firewall (authentication method, encryption and hash algorithms, Diffie-Hellman group); if they differ, the IKE negotiation fails and no tunnel is established.

Figure 20. Make sure that your configuration is similar to this figure.


8. Configure Key Exchange (Phase 2) Proposal 1 as shown in figure 21. This proposal, too, has to match the Phase 2 (IPsec) settings configured on the Trustix Firewall.

Figure 21. Make sure that your configuration is similar to this figure.

9. Now save your settings before making them active. This is done from the menu of the Policy Editor: File > Save Changes.

10. Now reload the Security Policy by right-clicking over the NetScreen Remote icon, as shown in figure 22.

Figure 22. Reloading the newly saved Security Policy.


Try to access a host behind the remote Trustix Firewall over the VPN tunnel; you'll see a green light over the NetScreen Remote icon when the VPN tunnel has been established.
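The two entries in step 4 that most often stop the tunnel from coming up are the Subnet/Mask pair (the Subnet has to be the network address for the Mask, not the address of a host on that network) and the Distinguished Name, which has to reproduce the subject of the certificate the administrator created for the connection on the firewall, attribute for attribute. The following checker is an added example, not code from the HOWTO or from NetScreen Remote: it validates the values you intend to type before you save and reload the policy. The names of the Edit Name fields, the mapping of those fields to X.500 attribute types, the policy field names and the sample gateway DN are all assumptions made for the example.

```python
"""Added example, not part of the Trustix HOWTO: an offline checker for the
values typed into the connection policy in step 4 (Remote Party Identity
and Addressing, and the Edit Name dialog).

The mapping from Edit Name dialog fields to X.500 attribute types, the
policy field names and the sample gateway DN below are assumptions made
for this example; they are not values taken from the HOWTO.
"""
import ipaddress
import re

# Assumed mapping from Edit Name dialog fields to X.500 attribute types.
FIELD_TO_ATTR = {
    "name": "CN",
    "department": "OU",
    "company": "O",
    "city": "L",
    "state": "ST",
    "country": "C",
}


def parse_dn(dn):
    """Parse an RFC 2253 style DN ('CN=fw,O=Trustix,C=NO') into a sorted list
    of (ATTRIBUTE, value) pairs. Attribute types are upper-cased and an
    escaped comma in a value ('\\,') is unescaped; values keep their case."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):      # split on commas not preceded by '\'
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return sorted(pairs)


def dn_from_fields(fields):
    """The DN that the Edit Name dialog produces from its fields, in the same
    sorted (ATTRIBUTE, value) form; empty fields are omitted."""
    pairs = []
    for field, attr in FIELD_TO_ATTR.items():
        value = fields.get(field, "").strip()
        if value:
            pairs.append((attr, value))
    return sorted(pairs)


def dn_matches_certificate(fields, cert_subject_dn):
    """True if the typed fields reproduce the certificate subject exactly
    (same attributes, same values; RDN order is irrelevant)."""
    return dn_from_fields(fields) == parse_dn(cert_subject_dn)


def remote_subnet(subnet, mask):
    """The network described by the Subnet/Mask pair. Raises ValueError when
    Subnet is not the network address for Mask (host bits set)."""
    return ipaddress.ip_network("%s/%s" % (subnet, mask), strict=True)


_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(r"(?:%s\.)*%s" % (_LABEL, _LABEL))


def gateway_ok(gateway):
    """The gateway may be given as an IP address or as a hostname."""
    try:
        ipaddress.ip_address(gateway)
        return True
    except ValueError:
        return _HOSTNAME.fullmatch(gateway) is not None


def check_policy(policy, gateway_cert_dn):
    """Return the list of problems found in a policy (empty list = OK)."""
    problems = []
    try:
        remote_subnet(policy["subnet"], policy["mask"])
    except KeyError as exc:
        problems.append("Subnet/Mask: missing field %s" % exc)
    except ValueError as exc:
        problems.append("Subnet/Mask: %s" % exc)
    if not gateway_ok(policy.get("gateway", "")):
        problems.append("gateway must be an IP address or a hostname")
    if not dn_matches_certificate(policy.get("name_fields", {}), gateway_cert_dn):
        problems.append("Edit Name fields do not match the gateway certificate subject %r"
                        % gateway_cert_dn)
    return problems


# Constructed sample: subject of the certificate the administrator created on
# the firewall for this connection (illustrative, not a Trustix value).
GATEWAY_CERT_DN = "CN=fw.Trustix.com,O=Trustix,C=NO"

GOOD_POLICY = {
    "subnet": "192.168.10.0", "mask": "255.255.255.0",
    "gateway": "fw.Trustix.com",
    "name_fields": {"name": "fw.Trustix.com", "company": "Trustix", "country": "NO"},
}
BAD_POLICY = {
    "subnet": "192.168.10.5", "mask": "255.255.255.0",       # host address, not network
    "gateway": "fw.Trustix.com",
    "name_fields": {"name": "fw", "company": "Trustix", "country": "NO"},  # CN differs
}

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, check_policy(policy, GATEWAY_CERT_DN) or "OK")
```

The DN you compare against is the subject of the certificate created on the firewall; read it from the certificate itself rather than from memory, since a single differing attribute (a trailing space in the Name field, a missing Company) makes the gateway reject the identity in Phase 1.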

A. Notices
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS HOWTO ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS HOWTO ARE BELIEVED TO BE ACCURATE, BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET SHIPPED WITH THE PRODUCT, AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT TRUSTIX OR A TRUSTIX REPRESENTATIVE FOR A COPY.

Copyright 2003 by Trustix AS. All rights reserved. No part of the contents of this how-to may be reproduced or transmitted in any form or by any means without prior written permission of Trustix AS. Trustix and Trustix Firewall are trademarks of Trustix AS. All other brands and product names are trademarks or registered trademarks of their respective holders.

