
Property of TheGreenBow© - Sistech SA 2001-2009

TheGreenBow IPSec VPN Client

User Guide

Contact: [email protected]

Website: www.thegreenbow.com


All rights reserved. No parts of this work may be reproduced in any form or by any means - graphic, electronic, or mechanical, including photocopying, recording, taping, or information storage and retrieval systems - without the written permission of the publisher.

Products that are referred to in this document may be either trademarks and/or registered trademarks of the respective owners. The publisher and the author make no claim to these trademarks.

While every precaution has been taken in the preparation of this document, the publisher and the author assume no responsibility for errors or omissions, or for damages resulting from the use of information contained in this document or from the use of programs and source code that may accompany it. In no event shall the publisher and the author be liable for any loss of profit or any other commercial damage caused or alleged to have been caused directly or indirectly by this document.

Printed: August 2009 in San Francisco.


Table of Contents

Part I Introducing TheGreenBow IPSec VPN Client ... 2
  1 What is TheGreenBow IPSec VPN Client? ... 2
  2 Multi VPN Gateway solution ... 2
  3 Multi USB Token and SmartCard solution ... 2
  4 Linux Appliance Support ... 2
  5 TheGreenBow IPSec VPN Client Features ... 3
  6 OEM and Software rebranding ... 4

Part II Installing TheGreenBow IPSec VPN Client ... 6
  1 Software Installation ... 6
    Access rights ... 6
  2 Software Evaluation ... 7
  3 Temporary Software License ... 7
  4 Software Activation ... 8
    Software Activation Wizard ... 8
    Step 1 of 2: Enter License Number ... 8
    Step 2 of 2: Online Activation ... 9
    Activation Troubleshooting ... 10
  5 Software Upgrade ... 11
  6 Software Uninstallation ... 12

Part III Quick HowTo's ... 14
  1 HowTo open VPN tunnel? ... 14
  2 HowTo Troubleshoot VPN tunnel? ... 14
  3 HowTo import with double click on VPN Configuration icon? ... 14
  4 HowTo use Certificate for User Authentication ... 14
  5 HowTo open VPN tunnel before Windows Logon? ... 16

Part IV Navigating the User Interface ... 20
  1 User interface elements ... 20
  2 System Tray Icon ... 20
  3 System Tray Popup ... 21
  4 Keyboard Shortcuts ... 22
  5 Connection Panel ... 22
  6 Configuration Panel ... 23
    Main Menus ... 23
    Status Bar ... 24
    Windows "About" ... 24
    Access Control & Hidden Interface ... 24
    Wizards ... 26
    Preferences ... 27

Part V Connection Panel ... 29
  1 Connection Panel basics ... 29
  2 More info about Connections ... 30

Part VI Configuration Panel ... 32
  1 VPN Configuration Overview ... 32
    How to create a VPN Tunnel? ... 32
    Multiple Authentication or IPSec Configuration Phase ... 32
    Advanced Features ... 33
  2 Configuration Wizard ... 33
    Three step Configuration Wizard ... 33
    Step 1 of 3: Choice of remote equipment ... 34
    Step 2 of 3: VPN tunnel parameters ... 34
    Step 3 of 3: Summary ... 35
  3 Authentication or Phase 1 ... 36
    What is Phase 1? ... 36
    Phase 1 Settings Description ... 36
    Phase 1 Advanced Settings Description ... 37
    Using X-Auth ... 39
  4 IPSec Configuration or Phase 2 ... 40
    What is Phase 2? ... 40
    Phase 2 Settings Description ... 41
    Phase 2 Advanced Settings Description ... 42
    Script configuration ... 44
  5 Global Parameters ... 44
    Global Settings Description ... 44
  6 VPN Tunnel View ... 46
    How to view opened tunnels? ... 46
  7 USB Mode ... 47
    What is USB Mode? ... 47
    How to enable a new USB Drive? ... 47
    How to automatically open tunnels when a USB Drive is plugged in? ... 50
  8 Certificate Management ... 51
    Certificate Management overview ... 51
    Sources of Certificates ... 52
    View Certificate details ... 53
    Controls on Certificates ... 54
    How to configure a tunnel with Certificate from a PKCS#12 Certificate file ... 54
    How to configure a tunnel with Certificate from a PEM Certificate file ... 56
    How to configure a tunnel with Certificates from USB Token or SmartCard ... 57
    How to open a tunnel with Certificates from USB Token or SmartCard ... 58
    Certificate Troubleshooting ... 59
  9 Configuration Management ... 60
    Import or Export VPN Configuration via menu ... 60
    Merge of VPN Configurations ... 61
    Split of VPN Configuration ... 61
    Embed your own VPN Configuration into IPSec VPN Client Setup ... 62
    Demo VPN Configuration ... 63

Part VII Deployment ... 65
  1 Embedded VPN Configuration ... 65
  2 Setup options ... 65
    Setup option overview ... 65
    Setup option for GUI mode ... 65
    Setup option for GUI mode access control ... 66
    Setup option for systray menu items ... 66
    Other Setup options ... 67
  3 Command line ... 68
    Command line options ... 68
    Opening or closing VPN Tunnel options ... 68
    Stopping IPSec VPN Client: option "/stop" ... 69
    Import or Export VPN Configuration options ... 69
  4 Support for new ATR code (i.e. SmartCard) ... 70

Part VIII Console and Logs ... 73
  1 Console Windows ... 73

Part IX Software Localization ... 75

Part X Contacts ... 77

Index ... 78

Part I Introducing TheGreenBow IPSec VPN Client

1 Introducing TheGreenBow IPSec VPN Client

1.1 What is TheGreenBow IPSec VPN Client?

TheGreenBow IPSec VPN Client is IPSec VPN software for all Windows versions that allows you to establish secure connections over the Internet, usually between a remote worker and the corporate Intranet. IPSec is the most secure way to connect to the enterprise as it provides strong user authentication and strong tunnel encryption, with the ability to cope with existing network and firewall settings. TheGreenBow IPSec VPN Client is the result of many years of experience in network security and Windows network driver development, as well as extensive research in related areas. The IPSec VPN Client completes our range of network security products and, like all our products, is extremely easy to use and to install.

1.2 Multi VPN Gateway solution

TheGreenBow's strategy is to support as many VPN gateway and appliance vendors available on the market as possible, in order to offer a true multi-vendor solution to its customers. New IPSec VPN gateways or appliances are tested in our labs. The list of certified gateways is available on our web site and is growing daily, so do not hesitate to regularly check for newly certified VPN gateways.

1.3 Multi USB Token and SmartCard solution

There are many USB Tokens and SmartCards available on the market. It is our mission to support as many USB Token and SmartCard vendors as possible, in order to offer a true multi-vendor solution to our customers. New USB Token and SmartCard devices are tested in our labs. The list of certified USB Tokens is available on our web site and is growing daily, so do not hesitate to regularly check for newly certified USB Tokens.

In case your USB Token is not listed, please contact our TechSupport and we'll work with you to certify it.

1.4 Linux Appliance Support

TheGreenBow supports several implementations of Linux IPSec VPN such as StrongS/WAN and FreeS/WAN. Therefore TheGreenBow IPSec VPN Client is compatible with most of the IPSec routers/appliances based on those Linux implementations. We will support more Linux implementations in the future. The list of supported Linux VPN appliances is available on our web site.


1.5 TheGreenBow IPSec VPN Client Features

Windows versions: Windows 2000 32-bit, Windows XP 32-bit, Windows Server 2003 32-bit, Windows Server 2008 32/64-bit, Windows Vista 32/64-bit, Windows Seven 32-bit (RC).

Languages: Arabic, Chinese (simplified), Dutch, English, Finnish, French, German, Greek, Hindi, Italian, Japanese, Polish, Portuguese, Russian, Serbian, Slovenian, Spanish, Thai & Turkish.

Connection Mode: It operates as a peer-to-peer VPN as well as in "point-to-multiple" mode, without a gateway or server. All connection types like Dialup, DSL, Cable, GSM/GPRS and WiFi are supported. Allows IP range networking. It can run in an RDP session (Remote Desktop connection).

Tunneling Protocol: Full IKE support: our IKE implementation is based on the OpenBSD 3.1 implementation (ISAKMPD), thus providing the best compatibility with existing IPSec routers and gateways. Full IPSec support:
· Main mode and Aggressive mode
· MD5 and SHA1-SHA2 hash algorithms
· Change IKE port

NAT Traversal: NAT Traversal Draft 1 (enhanced), Draft 2 and 3 (full implementation)
· Including NAT_OA support
· Including NAT keepalive
· Including NAT-T Aggressive Mode
Forced NAT-Traversal mode.

Encryption: It provides several encryption algorithms:
· 3DES, DES and AES 128/192/256-bit encryption.
· Support of Group 1, 2, 5 and 14 (i.e. 768, 1024, 1536 and 2048).

User Authentication: Supported User Authentication methods:
· PreShared keying and X509 Certificate support. It is compatible with most of the currently available IPSec gateways.
· X-Auth support
· Flexible Certificate support: PEM, PKCS#12... Certificates can be directly imported from the user interface. Ability to configure one Certificate per tunnel.
· Hybrid Authentication Method support.
Certificate storage capabilities:
· USB Token & SmartCard support
· Windows Certificate Store support
· VPN Configuration file
Remote login:
· Vista Credential Providers support (aka GINA on W2K/WXP) to enable Windows logon via VPN tunnel, or choose to log on to the local machine.

Dead Peer Detection (DPD): DPD is an Internet Key Exchange (IKE) extension (i.e. RFC 3706) for detecting a dead IKE peer.

Redundant Gateway: Redundant Gateway can offer remote users a highly reliable secure connection to the corporate network. The Redundant Gateway feature allows TheGreenBow VPN Client to open an IPSec tunnel with an alternate gateway in case the primary gateway is down or not responding.


Mode Config: "Mode Config" is an Internet Key Exchange (IKE) extension that enables the IPSec VPN gateway to provide LAN configuration to the remote user's machine (i.e. IPSec VPN Client). With Config-Mode the end-user is able to address all servers on the remote network by using their network name (e.g. //myserver/marketing/budget) instead of their IP address.

USB Drive: VPN Configurations and security elements (certificates, preshared key,…) can be saved onto a USB Drive in order to remove security information (e.g. user authentication) from the computer. Automatically open and close tunnels when plugging in or removing the USB Drive. Ability to attach a VPN Configuration to a specific computer or to a specific USB drive.

Smart Card and USB Token: TheGreenBow IPSec VPN Client can read Certificates from SmartCards to make full use of existing corporate ID cards or employee cards that may carry digital credentials. Easy import of Smartcard ATR codes, which quickly enables new Smartcard and USB Token models that are not yet embedded in the software.

Log console: All phase messages are logged for testing or staging purposes to easily narrow the view on specific aspects.

Flexible User Interface: Silent install and invisible graphical interface allow IT managers to deploy solutions while preventing users from misusing configurations. The tiny Connection Panel and the VPN Configuration Panel can be made available to end-users separately with Access Control. Drag & drop VPN Configurations into the IPSec VPN Client. Multiple keyboard shortcuts to easily navigate the IPSec VPN Client.

Scripts: Scripts or applications can be launched automatically on several events (e.g. before and after a tunnel opens, before and after a tunnel is closed).

Configuration Management: User Interface and Command Line. Password-protected VPN configuration file. A specific VPN configuration file can be provided within the setup. Embedded demo VPN Configuration to test and debug with online TheGreenBow servers. Ability to prevent software upgrade or uninstallation if software usage has been protected by password.

Live update: Ability to check for online updates.

Licensing: Lifetime, Temporary and Release-based licensing are available.

1.6 OEM and Software rebranding

Our offer is specially designed to target OEM clients and System Integrators. We provide a fully functional VPN Client solution to complete existing offers. Our IPSec VPN Client can be re-branded.

Part II Installing TheGreenBow IPSec VPN Client

2 Installing TheGreenBow IPSec VPN Client

2.1 Software Installation

TheGreenBow VPN Client installation is a classical Windows installation that does not require specific information. After completing the installation, you will be asked to reboot your computer. After reboot and session login, a window appears with several options:

· 'Quit' closes this window and the software.
· 'Evaluate' allows you to continue the software evaluation. The evaluation period left is displayed in the orange bar above.
· 'Activate' allows you to activate the software online. This requires a License Number. When clicking on the 'Activate' button, an Activation Wizard pops up.
· 'Buy' allows you to go online and purchase a Software License in TheGreenBow online shop.

Caution: On Windows 2000, XP, Vista and Windows 7, you must have administrator rights. If that is not the case, the installation stops after the language choice with an error message.

Shortcuts: After software installation, TheGreenBow VPN window can be launched:
· from the user desktop, by double-clicking on TheGreenBow VPN shortcut
· from the VPN Client icon available in the taskbar
· from menu Start > Programs > TheGreenBow > TheGreenBow VPN > TheGreenBow VPN Client

Note: Software Installation can be customized with several parameter options on the command line. Please refer to the "Deployment Guide" document available on our website.

2.1.1 Access rights

A user might have restricted access rights on a given Windows computer. Here is what users can have access to:


Actions               Admin   Users
Software install      yes     no
Software activation   yes     yes
Software use          yes     yes

To make it even easier, TheGreenBow IPSec VPN Client creates new rules in the Windows Firewall (Vista and later) so that IPSec VPN traffic is enabled. Here are the Windows Firewall rules:

Windows Firewall rule name               Action
TheGreenBow IPSec VPN Client phase1      authorize UDP 500
TheGreenBow IPSec VPN Client phase2      authorize UDP 4500
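As an added illustration (not code from this guide or from the product), the following Python classifies what actually flows through the two UDP ports those firewall rules open, using the features listed in Part I: IKE on UDP 500, and on UDP 4500 either NAT-T-encapsulated IKE (four zero bytes precede the IKE header), UDP-encapsulated ESP, or the one-byte NAT keepalive. The sample datagrams and cookie values are constructed; the header layout, exchange-type numbers and markers come from RFC 2408, RFC 2409 and RFC 3948.

```python
import struct

# IKEv1 / ISAKMP fixed header (RFC 2408, section 3.1): initiator cookie (8),
# responder cookie (8), next payload (1), version (1), exchange type (1),
# flags (1), message ID (4), total message length (4); 28 bytes in all.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")

# Exchange types behind the features the guide lists: Main Mode (Identity
# Protection) and Aggressive Mode for Phase 1, Quick Mode for Phase 2, and
# Informational exchanges, which carry Dead Peer Detection (RFC 3706).
EXCHANGE_TYPES = {2: "main-mode", 4: "aggressive-mode", 5: "informational",
                  32: "quick-mode"}
FLAG_ENCRYPTION = 0x01                 # payloads after the header are encrypted
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE carried inside UDP 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-byte NAT keepalive


def parse_isakmp(data):
    """Decode an ISAKMP header and note what a monitoring rule would care about."""
    if len(data) < ISAKMP_HEADER.size:
        return {"kind": "malformed", "reason": "ISAKMP header truncated"}
    icookie, rcookie, _next, version, exch, flags, msg_id, length = \
        ISAKMP_HEADER.unpack_from(data)
    info = {
        "kind": "ike",
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,
        "notes": [],
    }
    if length != len(data):
        info["notes"].append(f"declared length {length} != payload {len(data)}")
    if exch == 4:
        # Aggressive Mode exchanges identities before encryption is in place;
        # Main Mode is the stronger choice when the gateway supports it.
        info["notes"].append("aggressive mode: identities exchanged unprotected")
    if exch == 5 and info["encrypted"]:
        info["notes"].append("encrypted informational: DPD or delete notification")
    return info


def classify_udp_payload(dst_port, data):
    """Classify one UDP payload seen on the two ports the firewall rules open."""
    if dst_port == 500:
        return parse_isakmp(data)
    if dst_port != 4500:
        return {"kind": "not-ipsec", "port": dst_port}
    if data == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if data[:4] == NON_ESP_MARKER:
        info = parse_isakmp(data[4:])
        info["nat_t"] = True
        return info
    if len(data) < 8:
        return {"kind": "malformed", "reason": "UDP-encapsulated ESP truncated"}
    # Anything else on 4500 is ESP-in-UDP: SPI then sequence number (RFC 3948).
    spi, seq = struct.unpack_from("!II", data)
    return {"kind": "udp-encapsulated-esp", "spi": spi, "sequence": seq}


def build_ike(icookie, rcookie, exch, flags=0, msg_id=0, body=b""):
    """Build a syntactically valid ISAKMP message (constructed test input)."""
    hdr = ISAKMP_HEADER.pack(icookie, rcookie, 1, 0x10, exch, flags, msg_id,
                             ISAKMP_HEADER.size + len(body))
    return hdr + body


# Constructed sample datagrams, not captures from the product.
SAMPLE_ICOOKIE = bytes.fromhex("0011223344556677")
SAMPLE_RCOOKIE = bytes.fromhex("8899aabbccddeeff")
MAIN_MODE_1 = build_ike(SAMPLE_ICOOKIE, bytes(8), 2, body=b"\x00" * 40)
AGGRESSIVE_NAT_T = NON_ESP_MARKER + build_ike(SAMPLE_ICOOKIE, bytes(8), 4,
                                              body=b"\x00" * 40)
DPD_NOTIFY = NON_ESP_MARKER + build_ike(SAMPLE_ICOOKIE, SAMPLE_RCOOKIE, 5,
                                        flags=FLAG_ENCRYPTION, msg_id=0x1234,
                                        body=b"\x00" * 24)
ESP_IN_UDP = struct.pack("!II", 0x0A0B0C0D, 7) + b"\x00" * 16


def summarize(flows):
    """Reduce (port, payload) pairs to a per-kind count, as a log summary would."""
    counts = {}
    for port, payload in flows:
        result = classify_udp_payload(port, payload)
        label = result.get("exchange", result["kind"])
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for port, pkt in [(500, MAIN_MODE_1), (4500, NAT_KEEPALIVE),
                      (4500, AGGRESSIVE_NAT_T), (4500, DPD_NOTIFY),
                      (4500, ESP_IN_UDP)]:
        print(port, classify_udp_payload(port, pkt))
```

Note that UDP 4500 carries both NAT-T IKE and the ESP data traffic, so the "phase2" rule is what keeps an established tunnel alive behind a NAT, not only Phase 2 negotiation.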

2.2 Software Evaluation

It is possible to use TheGreenBow IPSec VPN Client during the evaluation period (i.e. limited to 30 days) by clicking on the 'Evaluate' button. When the IPSec VPN Client is in "Evaluation" mode, the register window appears at each start of the IPSec VPN Client. The evaluation period is displayed in the orange bar above.

Once the evaluation period expires, the 'Evaluate' button is no longer available and the software is disabled.

2.3 Temporary Software License

A Temporary Software License Number may be provided for test purposes. The period of validity is between 1 and 9 weeks. To receive a Temporary Software License Number, you can contact our sales team: [email protected].

The validity period of the Temporary Software License Number and the remaining time of use are shown in the first popup window of the IPSec VPN Client. At the end of the validity period, the software cannot be run.

During all the time a Temporary Software License Number is used, the activation window is available from the Configuration Panel. It enables the user to activate a new license, for example a lifetime License Number instead of a temporary one.

During that period, the remaining time is available through the 'About' menu.

When the Temporary Software License Number expires, the 'Evaluate' button is disabled. The user can 'Buy' and 'Activate' a lifetime software license.

2.4 Software Activation

2.4.1 Software Activation Wizard

For use beyond the evaluation period, TheGreenBow IPSec VPN Client software must be activated on your computer. To use a License Number on a new computer, you need to uninstall the software from the previous computer, and deactivation will be done automatically. The Software Activation is a two-step process which requires a License Number and an email address.

The 'Activation Wizard' can be launched from the VPN Client software as follows:
· Click on the 'Activate' button in the startup window when you start the VPN Client.
· Click on the '?' menu once the software is started, and then click on "Activation Wizard...".

2.4.2 Step 1 of 2: Enter License Number

Software Activation requires a License Number.

Enter your License Number and your email address, then click 'Next' as shown below:


Warning: if you have a 20-character License Number, switch to the 20-character "License Number" field by clicking on the link "Click here to enter a 20 character License".

Note: Be careful that the email address is correct; it will be used to send you back the activation confirmation.

Note: The email address may not be required: IT Managers can force this value during the setup; then it will not be displayed by the Software Activation Wizard. This feature can be used to centralize all the Software Activation confirmation emails to a single email address.

2.4.3 Step 2 of 2: Online Activation

The 'Activation Wizard' will automatically connect to the online software activation server to activate the VPN Client Software. You can go back at any time to change the License Number, but you need to uninstall first.

The 'Activation Wizard' will end with a successful Activation.

It is important to remember that a License Number is attached to one computer after installation. However, the License Number can be activated again on another computer after the software has been uninstalled.

2.4.4 Activation Troubleshooting

Errors may occur during the activation process. Each activation error is briefly explained in the step 2 activation window. The link 'More information about this error' below the progress bar provides full online explanations and recommendations on how to proceed next.

Most errors encountered can be fixed by carefully checking the following points:

1. Check that you entered the correct License Number (error 031).
2. The communication with our activation server may be filtered by a proxy (error 053 or error 054). You should configure the proxy in step 1 of the Software Activation Wizard by clicking the link at the bottom of the window.
3. The communication with our activation server may be filtered by a firewall (error 053 or error 054). Check if a personal firewall or a corporate firewall is filtering communications.
4. Our activation server may be temporarily unreachable. Try to activate the software a few minutes later.
5. Your License Number is already activated (error 033). Contact our sales team: [email protected].

All activation errors are detailed online on our website: www.thegreenbow.com/support_flow.html?page=11

Note: If you could not activate the software despite the previous recommendations, it is always possible to manually activate the software on our website: www.thegreenbow.com/activation/osa_manual.html. This enables users to immediately and fully activate the software.

2.5 Software Upgrade

Warning: The VPN Client software needs to be activated after each software upgrade. It only takes a couple of seconds. Depending on your maintenance contract, a software upgrade activation might be rejected. Please read carefully the following recommendations and check the current status of your maintenance and your software release by clicking on the menu '?' then 'Check for update' on the Configuration Panel.

The success of a software upgrade activation depends on your maintenance contract:
1. During your maintenance period (which starts from your first activation), all software upgrades are allowed.
2. Once your maintenance period has expired (or if you have no maintenance contract), only maintenance software upgrades are allowed. Maintenance software upgrades are identified by the last digit of a version.

Example: My maintenance period has expired and my current software release is 3.12. I can only upgrade to releases 3.13 through 3.19. I cannot upgrade to release 3.20, 3.30 or 4.00.
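The maintenance rule above, carried out as a small eligibility check. This is an added example written for this guide, not TheGreenBow's own activation code: it assumes two-part 'major.minor' release numbers of the shape used in the example (3.12, 3.20, 4.00) and takes whether the maintenance period is still running as a plain boolean, since the guide does not state the period's length.

```python
from __future__ import annotations

import re

# Release numbers in this guide look like '3.12' or '4.00': a major number, a
# dot, then two digits whose last digit identifies a maintenance release
# (assumed shape, taken from the guide's example).
_RELEASE_RE = re.compile(r"^(\d+)\.(\d)(\d)$")


def parse_release(release: str) -> tuple[int, int, int]:
    """Split '3.12' into (major, minor, maintenance) = (3, 1, 2).

    Raises ValueError for anything that does not match the 'X.YZ' shape the
    guide uses, rather than guessing.
    """
    match = _RELEASE_RE.match(release.strip())
    if match is None:
        raise ValueError(f"unsupported release number: {release!r}")
    major, minor, maintenance = (int(g) for g in match.groups())
    return major, minor, maintenance


def is_maintenance_upgrade(current: str, target: str) -> bool:
    """True when only the last digit moves upward (3.12 -> 3.13 .. 3.19)."""
    cur_major, cur_minor, cur_maint = parse_release(current)
    tgt_major, tgt_minor, tgt_maint = parse_release(target)
    return (cur_major, cur_minor) == (tgt_major, tgt_minor) and tgt_maint > cur_maint


def upgrade_allowed(current: str, target: str, maintenance_active: bool) -> bool:
    """Apply the two rules of section 2.5.

    1. During the maintenance period every upgrade is allowed.
    2. Outside it (or with no contract) only maintenance upgrades are allowed.
    A target that is not newer than the current release is never an upgrade.
    """
    if parse_release(target) <= parse_release(current):
        return False
    if maintenance_active:
        return True
    return is_maintenance_upgrade(current, target)


def describe(current: str, target: str, maintenance_active: bool) -> str:
    """One-line verdict, handy when checking a release before 'Check for update'."""
    verdict = "allowed" if upgrade_allowed(current, target, maintenance_active) else "rejected"
    status = "in maintenance" if maintenance_active else "maintenance expired"
    return f"{current} -> {target} ({status}): {verdict}"


if __name__ == "__main__":
    # The guide's own example: maintenance expired, current release 3.12.
    for target in ("3.13", "3.19", "3.20", "3.30", "4.00"):
        print(describe("3.12", target, maintenance_active=False))
```

Running the block reproduces the guide's example: 3.13 through 3.19 are allowed, 3.20, 3.30 and 4.00 are rejected; the same targets all pass once `maintenance_active` is true.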

If you want to subscribe or extend your maintenance period, please contact our sales team:[email protected]

Note: The VPN Configuration is saved during a Software Upgrade and automatically enabled again within the new release.

Note: Software upgrade requires the password that has been set in 'Access Control'. If no password has been set, software upgrade does not require any password.

2.6 Software Uninstallation

TheGreenBow IPSec VPN Client can be uninstalled:
· from the Windows Control Panel by selecting 'Add/Remove programs'
· from Start Menu > Programs > TheGreenBow > VPN > 'Uninstall IPSec VPN Client'

Part III Quick HowTo's

3 Quick HowTo's

3.1 HowTo open VPN tunnel?

How to open a tunnel (once the VPN configuration is set):
· Connection Panel > Open
· System Tray > click on 'Open xxx'
· 'Automatic as soon as traffic is detected'
· 'Automatic as soon as USB Drive is plugged in'
· 'Automatic as soon as software starts' (before or after logon)
· Double-click on a VPN Configuration (e.g. icon on desktop, email attachment)
· Command lines allow opening or closing tunnels

3.2 HowTo Troubleshoot VPN tunnel?

How to troubleshoot a VPN tunnel? All troubleshooting issues are listed in the following documents on our website:
· TroubleShooting Document (pdf).
· Online help (html).
· Online Software Activation (html).
· Use the Demo VPN Configuration to test your network.
· IPSec VPN Client FAQs.

3.3 HowTo import with double click on VPN Configuration icon?

Also known as 'Dial up mode': a tunnel may be opened via a double-click on a VPN Configuration (i.e. a file with the '.tgb' extension). This feature makes it possible to create several VPN Configurations on the Windows desktop, and to open tunnels by clicking on their shortcut icons.

To create a VPN Configuration shortcut icon on the desktop:
Step 1: Configure the tunnel in the 'Configuration Panel'.
Step 2: In 'Phase2 Advanced Settings', configure the tunnel to 'Automatically open this tunnel when the VPN Client starts'.
Step 3: Export the VPN Configuration onto your computer desktop.

Note: You may protect the VPN Configuration with a password as it is exported. This passwordwill be asked each time the tunnel is clicked on.

3.4 HowTo use Certificate for User Authentication

1. Create a 'Phase1' and adjust 'P1 Advanced settings':

2. Create a 'Phase2' and adjust 'P2 Advanced settings':

3. Go back to 'Phase 1' of that tunnel, click on 'Certificate' and then click on 'Certificates Management...'.

4. Select one Certificate in the list displayed, or click on 'Import Certificate..' to import it from a Certificate file, then click 'Ok'.

3.5 HowTo open VPN tunnel before Windows Logon?

It is possible to open one or several VPN tunnels, manually or automatically, before Windows Logon using a Windows logon technology called Credential Providers on Vista (aka GINA on W2K/WXP).

Here are several possible use cases with their settings to trigger Credential Providers:

1. User wants to open VPN tunnel manually before Windows logon

Settings:
Go to 'Phase2 Advanced Settings':
· Select 'Enable before Windows Logon'
· Do not select 'Automatically open on traffic detection'

IPSec VPN Client behavior:
Before Windows logon, the tiny window below will appear to allow the user to open whatever VPN tunnel is required.

The popup will list all VPN tunnels configured with the option 'Enable before Windows Logon'.

2. User wants to open VPN tunnel automatically before Windows logon

Settings:
Go to 'Phase2 Advanced Settings':
· Select 'Enable before Windows Logon'
· Select 'Automatically open on traffic detection'

IPSec VPN Client behavior:
Before Windows logon, the tiny window below will appear and the VPN tunnels listed there will start opening automatically.

The popup will list all VPN tunnels configured with the option 'Enable before Windows Logon'.

Here are the features that are disabled for tunnels with the option 'Enable before Windows Logon':

· The tiny window appearing before Windows logon is always visible. It is not possible to hide it.

· In case 2 tunnels have been configured to 'Automatically open on traffic detection' and only one of them with the option 'Enable before Windows Logon', it is possible that both would open automatically before Windows Logon as the IKE service is running.

· 'Scripts' that might have been configured are disabled for tunnels with the option 'Enable before Windows Logon'.

· IPSec VPN Client cannot be in 'USB Mode' (i.e. VPN Configuration moved to a USB Drive) for tunnels with the option 'Enable before Windows Logon'.

· Config-Mode is disabled. DNS/WINS Server Addresses must be configured manually.

Note for advanced 'User Authentication' methods:
· Using X-Auth Authentication: In case tunnels have been configured to use X-Auth, a popup will appear when tunnels open to ask the user for the X-Auth login/password.
· Using USB Token or SmartCard: In case tunnels have been configured to use USB Tokens or Smartcards, a popup will appear when tunnels open to ask the user for the PIN code. The same popup will display error messages (Token locked, PIN code error, ...).

Note: To enable a VPN tunnel to 'Automatically open on traffic detection' after Windows logon, the option 'Enable before Windows Logon' must not be selected.

Part IV Navigating the User Interface

4 Navigating the User Interface

4.1 User interface elements

TheGreenBow IPSec VPN Client is fully autonomous and can start and stop tunnels without user intervention, depending on traffic to certain destinations. However, it requires a VPN configuration.

The IPSec VPN Client configuration is defined in a VPN Configuration file. The software user interface allows creating, modifying, saving, exporting or importing the VPN configurations together with security elements (e.g. Preshared key, Certificates, ...).

The user interface is made of several elements:
· Configuration Panel
· Connection Panel
· Main menus
· System Tray Icon & Popup
· Status bar
· Wizards
· Preferences

4.2 System Tray Icon

The VPN Client software can be launched via a double-click on the application icon (Desktop or Windows Start menu) or by a single click on the application icon in the system tray. Once launched, the VPN Client software shows an icon in the system tray that indicates whether a tunnel is opened or not, using a color code.

The VPN Client application color code is the following:

Blue icon: no VPN tunnel is opened

Green icon: at least one VPN tunnel is opened

A left-button click on the VPN icon opens the configuration user interface.

A right-button click shows the following menu:
· 'Quit' will close established VPN tunnels, then quit the IPSec VPN Client software.
· 'Save & Apply' will close established VPN tunnels, apply the latest VPN configuration modifications and reopen the VPN tunnels which are configured to be started automatically.
· 'Console' shows the IPSec-IKE log window.
· 'Connection Panel' opens the Connection Panel, which enables to open, close and get information about tunnels.
· 'Configuration Panel' opens the Configuration Panel, which enables to create and configure tunnels.
· List of configured tunnels with current status. Tunnels can be opened or closed from this menu as well.

Tooltips over the systray VPN Client icon show the connection status of the VPN tunnel:
· 'Tunnel <tunnelname>' when one or more tunnels are established.
· 'Wait VPN ready...' when the IKE service is reinitializing.
· 'TheGreenBow VPN Client' when the VPN Client is up but with no opened tunnel.

4.3 System Tray Popup

A tiny popup coming out from the systray icon shows up each time a tunnel is opening up or closing.

This tiny popup has a very simple behavior:

1. The popup shows the tunnel opening with its different phases and disappears after 6 seconds unless the mouse is moved over it.

2. The popup shows the tunnel closing as well.

3. In case the tunnel cannot open, it displays a warning with a link to more information on our website.

4.4 Keyboard Shortcuts

Keyboard shortcuts speed up the most common operations.

Shortcut      Action
Ctrl + Enter  Switches back and forth between the 'Configuration Panel' and the 'Connection Panel'.
              Note: if the Configuration Panel is protected with a password, the user will be asked for this password when trying to switch to the Configuration Panel.
Ctrl + D      Opens the VPN 'Console' for network 'Debug'.
Ctrl + S      'Save & Apply' a VPN Configuration.

4.5 Connection Panel

The Connection Panel enables users to open, close and get clear information about every tunnel that has been configured. This is all the end-user needs to open and close tunnels. This feature clearly helps both IT Managers (who configure the VPN connections) and users (who only open or close VPN connections) with their own usage.

The Connection Panel is made of several elements:
· An animated network diagram showing information on the current tunnel (top)
· A list of all configured tunnels with 'open/close' button (below diagram)
· A link back to the 'Configuration Panel' (bottom left)

It is possible to switch back and forth between the 'Connection Panel' and the 'Configuration Panel' by using the shortcut 'Ctrl + Enter' (see section 'Shortcuts').

4.6 Configuration Panel

The Configuration Panel enables to create VPN Configurations and is made of several elements:
· Three buttons 'Console', 'Parameters' and 'Connections' (left column)
· A tree list window (left column) that contains all the IKE and IPSec configurations
· A configuration window (right column) that shows the associated parameters for every tree level.

A VPN Configuration file (i.e. with the '.tgb' extension) can be dragged and dropped onto the Configuration Panel. This feature enables to easily apply a new VPN configuration. If a tunnel is configured to be 'opened when the VPN Client starts' (see section 'Phase2 Advanced Settings'), it will be immediately opened as soon as the new VPN Configuration is applied ('Save & Apply').

4.6.1 Main Menus

There are several menus, as follows:
· 'File' menu is used to Import or Export a configuration. It is also used to choose the location of the VPN Configuration: locally stored on the computer or on a USB Drive. It is finally used to configure miscellaneous preferences such as the way the VPN Client may start.
· 'VPN Configuration' menu contains all actions from the tree control right-click menu. This menu also gives access to the 'Configuration Wizard'.
· 'View' menu contains the 'Configuration' item that defines what the user can have access to.
· 'Tools' menu contains the 'Console', 'Connections' and 'reset IKE' choices.
· '?' menu gives access to 'check for update', 'online help' and the 'About' window. The '?' menu also gives access to the 'Activation Wizard' when the software is not activated yet.

4.6.2 Status Bar

The status bar displays several pieces of information:

· The central box gives some information about the VPN Client Software status (e.g. 'opening tunnel in progress', 'saving configuration rules in progress', 'VPN Client start up in progress', ...)

· The light box (right side) gives some information about tunnels (e.g. Green light means at least one tunnel is opened, Gray light means no tunnel opened)

4.6.3 Windows "About"

The 'About' window provides the VPN Client software release number and software activation information. There is also a URL to our web site.

4.6.4 Access Control & Hidden Interface

This feature is especially designed for IT Managers. It enables to lock the access to the 'Configuration Panel', and to restrict with a password the use of the IPSec VPN Client to the 'Connection Panel' and/or to the 'systray menu'. Therefore, users cannot modify the VPN Configuration anymore, and misconfigurations are avoided.

The Access Control with a password only concerns the 'Configuration Panel'. The access to the 'Connection Panel' is never controlled by password.

Once configured, the user will be asked for the password:
1. when he clicks (or double-clicks) on the systray IPSec VPN Client icon.
2. when he switches from the 'Connection Panel' to the 'Configuration Panel'.
3. when he starts a 'Software upgrade'.

This password may be configured as an option of the setup (see section 'Setup options').

The Access Control window, available through the menu 'View > Configuration..' in the Configuration Panel, also enables to configure the systray menu items. Thus, the IT Manager can restrict the software access, from a full access to a completely hidden interface.

To remove the Access Control, just empty both fields 'Password' and 'Confirm' then click 'OK'.

Note: The 'Quit' item for the systray menu is disabled in the standard version of the software. It can nevertheless be removed during the software setup, through the setup option '-menuitem' (see section 'Setup option').

In case Access Control has been set, the 'Configuration Panel' cannot be opened by double-clicking on the desktop icon or by selecting it from the Start menu. Right-click over the systray icon in the taskbar is limited to 'Console' access, quitting the software, and opening/closing the configured tunnels.

Here is an example:

4.6.5 Wizards

There are several Wizards available:
· VPN Configuration Wizard can be launched from Menu 'VPN Configuration' > 'Config Wizard'.
· Software Activation Wizard can be launched from Menu '?' > 'Activation Wizard'.
· USB Drive mode Wizard can be launched from Menu 'File' > 'Move VPN Configuration to USB Drive..'.

4.6.6 Preferences

The 'Preferences' window allows to define:
· The start up mode of the software. Those modes can be configured in the software setup (see section 'Setup options').
· Enable/Disable the detection of interface disconnection feature.

Preferences are available via Menu 'File' > 'Preferences'.

VPN Client start mode
TheGreenBow IPSec VPN Client software has several start up modes, such as:
· Start IPSec VPN Client software after MS Windows logon
· Don't start IPSec VPN Client when I start MS Windows: IPSec VPN Client is launched by the user or from a script ('manual' mode)

Miscellaneous
'Disable detection of interface disconnection' allows the IPSec VPN Client to keep tunnels open while the network interface disconnects momentarily but very often. This type of behavior occurs when the interface used to open tunnels is unstable, such as WiFi, GPRS and all 3G interfaces.

Part V Connection Panel

5 Connection Panel

5.1 Connection Panel basics

The Connection Panel enables users to open, close and get clear information about every tunnel that has been configured. This is all the end-user needs to open and close tunnels.

The Connection Panel is made of several elements:
· An animated network diagram showing information on the current tunnel (top)
· A list of all configured tunnels with 'open/close' button (below diagram)

The user simply clicks on the 'Open' button of a tunnel to open this tunnel. The 'Open' button automatically switches to 'Close' when the tunnel is opened. One click on the name of the tunnel automatically opens the Configuration Panel, enabling to change the tunnel configuration. This feature is disabled when the Connection Panel is protected with a password (see section 'Access Control').

It is possible to switch back and forth between the 'Connection Panel' and the 'Configuration Panel' by using the shortcut 'Ctrl + Enter' (see section 'Shortcuts').

It is also possible to automatically apply a new VPN Configuration by a drag & drop of a VPN Configuration onto the Connection Panel. If a tunnel is configured to be automatically opened when the VPN Client starts (see section 'Phase2 Advanced Settings'), it will be immediately opened.

5.2 More info about Connections

If problems occur during the tunnel opening process, a warning is shown on the right of the tunnel list.

A link associated to the warning automatically opens the 'Warning' popup and shows a detailed message about the problem. Explicit warning messages help users and IT Managers to find the VPN issue. These popups are also linked ('more information' link) to our online help web pages that detail symptoms and give clues for troubleshooting.

Part VI Configuration Panel

6 Configuration Panel

6.1 VPN Configuration Overview

6.1.1 How to create a VPN Tunnel?

To create a VPN tunnel from the 'Configuration Panel' (without using the Configuration Wizard), follow these steps:

1. Reset the Configuration Panel to remove any prior configurations.
2. Right-click on 'Root' in the tree list window and select 'New Phase 1'.
3. Configure the Authentication Phase (Phase 1).
4. Right-click on the 'new Phase 1' in the tree control and select 'Add Phase 2'.
5. Configure the IPSec Phase (Phase 2).
6. Once the parameters are set, click on 'Save & Apply' to take the new configuration into account. That way the IKE service will run with the new parameters.
7. Click on 'Open Tunnel' to establish the IPSec VPN tunnel (only in the 'IPSec Configuration' window).

Please refer to Phase 1 and Phase 2 for more settings descriptions.

6.1.2 Multiple Authentication or IPSec Configuration Phase

Several Authentication Phases (Phase 1) can be configured. Therefore, one computer can establish IPSec VPN connections with several gateways or other computers (peer to peer).

Similarly, several IPSec Configurations (Phase 2) can be created for the same Authentication Phase (Phase 1).

6.1.3 Advanced Features

Advanced features and parameters can be defined for Phase 1 and Phase 2.

Those defined in Phase 1 apply to all Phase 2 created in the current VPN Configuration:
· Enable/Disable Config-Mode
· Enable/Disable NAT-T Aggressive Mode
· Enable/Disable Redundant Gateway
· Select NAT-T mode (Forced, Disabled or Automatic)
· Set X-Auth Login/password with pop up option
· Enable/Disable Hybrid Mode, which is a Hybrid Authentication Method

Those defined in Phase 2 only apply to the associated Phase 2:
· Automatic Open Mode
· Choose Script/Application to be launched when tunnel opens
· Manual settings of DNS/WINS server addresses
· Enable Windows logon via VPN tunnel using Vista Credential Providers (aka GINA on W2K/WXP).

6.2 Configuration Wizard

6.2.1 Three step Configuration Wizard

TheGreenBow IPSec VPN Client provides a Configuration Wizard which enables the creation of a VPN configuration in three easy steps. This Configuration Wizard is designed either for remote computers that need to get connected to a corporate LAN through a VPN gateway, or for Peer to Peer mode.

Let us take the following example:
· The remote computer has a dynamically provided public IP address.
· It tries to connect to the Corporate LAN behind a VPN gateway that has a DNS address 'gateway.mydomain.com'.
· The Corporate LAN address is 192.168.1.xxx, e.g. the remote computer wants to reach a server with the IP address 192.168.1.100.

To configure this connection, open the Configuration Wizard's window by selecting menu 'VPN Configuration' > 'Config. Wizard'.

6.2.2 Step 1 of 3: Choice of remote equipment

You must specify the type of the equipment at the end of the tunnel: VPN gateway.

6.2.3 Step 2 of 3: VPN tunnel parameters

You must specify the following information:
· The public (Wide Area Network side) address of the remote gateway
· The preshared key you will use for this tunnel (this preshared key must be the same in the gateway)
· The IP address of your company LAN (e.g. specify 192.168.1.0)

6.2.4 Step 3 of 3: Summary

The third step summarizes your new VPN configuration. Other parameters may be further configured directly via the 'Configuration Panel' (e.g. Certificates, virtual IP address, etc.).

The tunnel has been created and you can open it.

6.3 Authentication or Phase 1

6.3.1 What is Phase 1 ?

The 'Authentication' or 'Phase 1' window concerns the settings for the Authentication Phase or Phase 1. It is also called the IKE Negotiation Phase.

Phase 1's purpose is to negotiate IKE policy sets, authenticate the peers, and set up a secure channel between the peers. As part of Phase 1, each end system must identify and authenticate itself to the other.

6.3.2 Phase 1 Settings Description

Name: Label for the Authentication phase, used only in the configuration user interface. This value is never used during IKE negotiation. It is possible to change this name at any time and read it in the tree control. Two Phase 1 cannot have the same name.

Interface: IP address of the network interface of the computer through which the VPN connection is established. If the IP address may change (when it is received dynamically from an ISP or router), select 'Any'. In case the IP address configured in the VPN Configuration file refers to an IP address that does not exist on the computer, then the default 'Any' is forced upon this parameter.

Remote Gateway: IP address or DNS address of the remote gateway (in our example: gateway.mydomain.com). This field is mandatory.

Pre-shared key: Password or key shared with the remote gateway.

Certificate: X509 certificate used by the VPN Client. Click on 'Certificate Management..' to choose the certificate source: PEM files, PKCS#12 file, SmartCard and tokens, or the Windows Certificate Store (see section How to configure Certificates). One Certificate per tunnel can be configured.

IKE encryption: Encryption algorithm used during the Authentication phase (3DES, AES, ...).

IKE authentication: Authentication (hash) algorithm used during the Authentication phase (MD5, SHA, ...). SHA1 and SHA2-256bit are supported.

IKE key group: Diffie-Hellman group, which determines the key length.

For more advanced settings, click on 'P1 Advanced'.

6.3.3 Phase1 Advanced Settings Description

For advanced features & parameters, click on the 'P1 Advanced' button in the Phase 1 panel.

Config-Mode If checked, the VPN Client will activate Config-Mode for this tunnel. Config-Mode allows to the VPN Client to fetch some VPN Configurationinformation from the VPN gateway. If Config-Mode is enabled, andprovided that the remote Gateway supports Config-Mode, the following

Page 43: 5124609 The Greenbow IPSec VPN Client User Guide

Configuration Panel

TheGreenBow IPSec VPN Client - User Guide

38

Property of TheGreenBow© - Sistech SA 2001-2009

parameters will be negotiated between the VPN Client and the remoteGateway during the IKE exchange (Phase 1):

· Virtual IP address of the VPN Client· DNS server address (optional)· WINS server address (optional)

In case Config-Mode is not available on the remote gateway, you mayrefer to section 'Phase2 Advanced' settings to manually set DNS andWINS server addresses into the IPSec VPN Client.

Aggressive Mode If checked, the VPN Client will used aggressive mode as negotiation modewith the remote gateway.

Redundant GW This allows the VPN Client to open an IPSec tunnel with an alternate gateway in case the primary gateway is down or not responding. Enter either the IP address or the URL of the Redundant Gateway (e.g. router.dyndns.com).

· TheGreenBow VPN Client will contact the primary gateway to establish a tunnel. If it fails after several tries (default is 5 tries, configurable in "Parameters" panel > "Retransmissions" field), the Redundant Gateway is used as the new tunnel endpoint. The delay between two retries is about 10 seconds.

· In case the primary gateway can be reached but tunnel establishment fails (e.g. VPN configuration problems), the VPN Client won't try to establish tunnels with the redundant gateway. The configuration needs modifications.

· If a tunnel is successfully established to the primary gateway with the DPD feature (i.e. Dead Peer Detection) negotiated on both sides, when the primary gateway stops responding (e.g. DPD detects a non-responding remote gateway) the VPN Client immediately starts opening a new tunnel with the Redundant Gateway.

· The exact same behaviour applies to the redundant gateway. This means that the VPN Client will keep trying to open the primary and redundant gateway until the user exits the software or clicks on 'Save & Apply'.

NAT-T mode The NAT-T mode can be Forced, Disabled or Automatic. NAT-T "Disabled" prevents the IPSec VPN Client and the VPN gateway from starting NAT-Traversal. NAT-T "Automatic" mode lets the VPN Gateway and VPN Client negotiate NAT-Traversal. In NAT-T "Forced" mode TheGreenBow IPSec VPN Client forces NAT-T by encapsulating IPSec packets into UDP frames to solve traversal with intermediate NAT routers.

Local ID Local ID is the identity the VPN Client sends during Phase 1 to the VPN gateway. This identity can be:

· an IP address (type = IP address), for example: 195.100.205.101
· a domain name (type = DNS), e.g. mydomain.com
· an email address (type = Email), e.g. [email protected]
· a string (type = KEY ID), e.g. 123456
· a certificate issuer (type = DER ASN1 DN) (see Certificates configuration)

If this identity is not set, the VPN Client's IP address is used.

Remote ID Remote ID is the identity the VPN Client expects to receive during Phase 1 from the VPN gateway. This identity can be:

· an IP address (type = IP address), for example: 80.2.3.4
· a domain name (type = DNS), e.g. gateway.mydomain.com
· an email address (type = Email), e.g. [email protected]
· a string (type = KEY ID), e.g. 123456
· a certificate issuer (type = DER ASN1 DN) (see Certificates configuration)

If this identity is not set, the VPN gateway's IP address is used.
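Worked example, added here and not part of TheGreenBow's own code: how the Local ID / Remote ID types above map to IKEv1 (ISAKMP) identification payload types from RFC 2407, how the payload is serialised (RFC 2408 layout), and how the receiving side checks the peer's Phase 1 identity against the configured Remote ID, including the fallback to the IP address when no identity is set. The panel type names are the ones listed above; all sample ID values are constructed.

```python
"""IKEv1 Phase 1 Identification payload for the Local ID / Remote ID types above.
Added example, not TheGreenBow code.  ID type numbers are from RFC 2407
(IPsec DOI) and the payload layout from RFC 2408; the DER ASN1 DN type takes
an already DER-encoded Distinguished Name as bytes."""
import hmac
import ipaddress
import struct

# Panel type name -> ISAKMP ID type (RFC 2407 section 4.6.2.1)
PANEL_TYPES = {
    "IP address": 1,    # ID_IPV4_ADDR
    "DNS": 2,           # ID_FQDN
    "Email": 3,         # ID_USER_FQDN
    "DER ASN1 DN": 9,   # ID_DER_ASN1_DN
    "KEY ID": 11,       # ID_KEY_ID (opaque byte string)
}
# next payload, reserved, payload length, ID type, protocol ID, port
ID_HEADER = struct.Struct("!BBHBBH")


def effective_id(panel_type, value, own_ip):
    """Panel rule: when no identity is set, the endpoint's IP address is used."""
    if panel_type is None or not value:
        return "IP address", own_ip
    return panel_type, value


def encode_id_data(id_type, value):
    """Identification Data field for one ID type."""
    if id_type == 1:
        return ipaddress.IPv4Address(value).packed
    if id_type in (2, 3):
        return value.encode("ascii")
    if id_type == 9:
        return bytes(value)                 # caller supplies DER bytes
    if id_type == 11:
        return value if isinstance(value, bytes) else value.encode("ascii")
    raise ValueError(f"unsupported ID type {id_type}")


def build_id_payload(panel_type, value, next_payload=0):
    """Serialise a Phase 1 ID payload.  Protocol and port are 0 ("any") in Phase 1."""
    id_type = PANEL_TYPES[panel_type]
    data = encode_id_data(id_type, value)
    length = ID_HEADER.size + len(data)
    return ID_HEADER.pack(next_payload, 0, length, id_type, 0, 0) + data


def parse_id_payload(raw):
    """Return (id_type, identification_data); rejects truncated or oversized payloads."""
    if len(raw) < ID_HEADER.size:
        raise ValueError("ID payload shorter than its fixed header")
    _, _, length, id_type, _, _ = ID_HEADER.unpack_from(raw)
    if length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} bytes received")
    return id_type, raw[ID_HEADER.size:]


def remote_id_matches(expected_type, expected_value, raw_payload):
    """Receiver-side check: the peer's ID must have the configured Remote ID type AND value.
    A type mismatch (a DNS name received where an IP address is configured) is rejected."""
    id_type, data = parse_id_payload(raw_payload)
    want_type = PANEL_TYPES[expected_type]
    if id_type != want_type:
        return False
    return hmac.compare_digest(data, encode_id_data(want_type, expected_value))


if __name__ == "__main__":
    # constructed sample values taken from the panel description above
    kind, value = effective_id(None, "", "195.100.205.101")
    print(build_id_payload(kind, value).hex())   # local ID falls back to the client's IPv4 address
    peer = build_id_payload("DNS", "gateway.mydomain.com")
    print(remote_id_matches("DNS", "gateway.mydomain.com", peer))   # True
    print(remote_id_matches("IP address", "80.2.3.4", peer))        # False: wrong type
```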

X-Auth Define the login and password of an X-Auth IPSec negotiation. If "X-Auth Popup" is selected, a popup window asking for a login and a password will appear each time an authentication is required to open a tunnel with the remote gateway. For more details go to the Using X-Auth section. If X-Auth authentication fails then the tunnel establishment will fail too.

Hybrid Authentication Mode

The Hybrid mode is a specific authentication method used within IKE Phase 1. This method assumes an asymmetry between the authenticating entities. One entity, typically an Edge Device (e.g. firewall), authenticates using standard public key techniques (in signature mode), while the other entity, typically a remote User, authenticates using challenge-response techniques. These authentication methods are used to establish, at the end of Phase 1, an IKE SA which is unidirectionally authenticated. To make this IKE SA bi-directionally authenticated, this Phase 1 is immediately followed by an X-Auth Exchange [XAUTH]. The X-Auth Exchange is used to authenticate the remote User. The use of these authentication methods is referred to as Hybrid Authentication mode. TheGreenBow IPSec VPN Client implements the IETF draft 'draft-ietf-ipsec-isakmp-hybrid-auth-05.txt'.

6.3.3.1 Using X-Auth

X-Auth is an extension to the Internet Key Exchange (IKE) protocol. IKE is an important element of PKI (Public Key Infrastructure) that defines how security credentials are exchanged over the IPSec tunneling protocol.

It requires the definition of the login and password for the X-Auth IPSec negotiation.

1. Define X-Auth credentials in Phase1 Advanced Settings

Login and password can be defined in Phase1 Advanced Settings and will be used each time a VPN tunnel needs to open, without requesting user approval. Although it is not recommended to leave the login and password stored, this offers obvious ease of use to the user.

2. Request X-Auth credentials to open VPN tunnel

If "X-Auth popup" is selected in Phase1 Advanced Settings, a popup window asking for an X-Auth login and a password will appear each time an authentication is required to open a tunnel with the remote gateway. The name of the VPN tunnel appears on the popup window so that the right X-Auth credentials can be entered in case of multiple VPN tunnel configurations.

The user has some time to enter his X-Auth credentials. If the time allowed to enter the X-Auth credentials expires, a warning window appears and the user has to re-open the VPN tunnel.


The management of login / password verification differs depending on the VPN gateway. In case of a wrong login or wrong password, the action can be either of the following:

· The X-Auth window for entering the login / password is displayed again, with the number of attempts.

· A warning window alerts the user to try again to open the VPN tunnel, similar to the ones shown above or below.

6.4 IPSec Configuration or Phase 2

6.4.1 What is Phase 2?

The 'IPSec Configuration' or 'Phase 2' window concerns the settings for Phase 2.

The purpose of Phase 2 is to negotiate the IPSec security parameters that are applied to the traffic going through the tunnels negotiated during Phase 1.


6.4.2 Phase 2 Settings Description

Name Label for the IPSec Configuration, only used by the VPN Client. This parameter is never transmitted during IPSec Negotiation. It is possible to change this name at any time and read it in the tree list window. Two Phases cannot have the same name.

VPN Client address Virtual IP address used by the VPN Client inside the remote LAN: the computer will appear in the LAN with this IP address. This IP address can belong to the same remote LAN subnet (e.g., in the example, you have an IP address like 192.168.204.10). In this case, it is important to read the note below.

Address type The remote endpoint may be a LAN or a single computer. In case the remote endpoint is a LAN, choose "Subnet address" or "IP Range". When choosing "Subnet address", the two fields "Remote LAN address" and "Subnet mask" become available. When choosing "IP Range", the two fields "Start address" and "End address" become available, enabling TheGreenBow IPSec VPN Client to establish a tunnel only within a predefined range of IP addresses. The range of IP addresses can be just one IP address.

In case the remote endpoint is a single computer, choose "Single Address". When choosing "Single address", only the field "Remote host address" is available.

Remote address This field may be "Remote host address" or "Remote LAN address" depending on the address type. It is the remote IP address, or LAN network address, of the gateway that opens the VPN tunnel.

Subnet mask Subnet mask of the remote LAN. Only available when the address type is "Subnet address".

ESP encryption Encryption algorithm negotiated during the IPSec phase (3DES, AES, ...).

ESP authentication Authentication algorithm negotiated during the IPSec phase (MD5, SHA, ...). SHA1 and SHA2-256bit are supported.

ESP mode IPSec encapsulation mode: tunnel or transport.

PFS group Diffie-Hellman key length.

Open Tunnel This button opens the tunnel. It changes to "Close Tunnel" as soon as the tunnel is opened.

Scripts Scripts may be configured in the Script configuration window.

Note1: The "IP Range" feature combined with the "Open tunnel when traffic" feature allows the tunnel to be opened automatically when traffic is detected for a specific range of IP addresses. However, the range of IP addresses must be authorized in the configuration of the VPN gateway.

Note2: It is possible to have both the local IP address of your computer and the remote LAN as part of the same subnet. To be able to do so, you must select "Auto open this tunnel on traffic detection" ('P2 Advanced'). Once the VPN tunnel is opened in this configuration, all traffic with the remote LAN is allowed but communication with the local network becomes impossible.

For more advanced settings, click on 'P2 Advanced'.

Once the parameters are set, click on 'Save & Apply' to save and take into account the new configuration. You'll find a set of useful VPN Client configuration documents available for each of the VPN gateways we support. Please go to the knowledge base on our website.

6.4.3 Phase2 Advanced Settings Description

For advanced features & parameters, click on the 'P2 Advanced' button in the Phase2 panel.


Automatic Open Mode The VPN Client can automatically open the specified tunnel (Phase2) on specific events such as:

· Auto open this tunnel when the VPN Client starts up.
· Auto open this tunnel when a USB Drive is plugged in (see section "USB Mode").
· Auto open this tunnel when the VPN Client detects traffic towards the remote LAN. If selected, the Phase 2 icon in the Configuration Panel tree list changes its shape/color to reflect that this feature is now active.

Gina Mode If Gina Mode is selected, this tunnel can be used by Vista Credential Providers (aka GINA on W2K/WXP) to process the Windows logon. This is useful when using a corporate employee database for logon and the remote computer needs to connect to the corporate network before processing the Windows logon. See 'HowTo open VPN tunnel before Windows Logon'.

Alternate Servers DNS and WINS server IP addresses of the remote LAN can be entered here, to help users resolve intranet addresses. The DNS or WINS addresses are taken into account as soon as the tunnel is opened, and as long as it is opened. Those parameters are not required when working with 'Config-Mode'.


6.4.4 Script configuration

Scripts may be configured in the Script configuration window. This window can be opened through the 'Scripts' button of a Phase 2 Settings window.

Scripts or applications can be enabled for each step of the VPN tunnel opening and closing process:

· Before the tunnel is opened
· Right after the tunnel is opened
· Before the tunnel closes
· Right after the tunnel is closed

This feature makes it possible to execute scripts (batches, scripts, applications...) at each step of a tunnel connection for a variety of purposes, e.g. to check the current software release, to check database availability before launching a backup application, to check that a software is running, that a logon is set...

It also makes it possible to apply various network configurations before, during and after tunnel connections.

6.5 Global Parameters

6.5.1 Global Settings Description

Global Parameters are generic settings that apply to all created VPN tunnels. Once modified, click on 'Save&Apply' to take into account your modifications.


· Lifetime (sec.)

IKE default lifetime Default lifetime for IKE rekeying.

IKE minimal lifetime Minimal lifetime for IKE rekeying.

IKE maximal lifetime Maximal lifetime for IKE rekeying.

IPSec default lifetime Default lifetime for IPSec rekeying.

IPSec maximal lifetime Maximal lifetime for IPSec rekeying.

IPSec minimal lifetime Minimal lifetime for IPSec rekeying.

· Dead Peer Detection (DPD)

Check interval (sec.) Interval between DPD messages.

Max number of retries Number of DPD messages sent.

Delay between retries (sec.) Interval between DPD messages when there is no reply from the remote gateway.

· Miscellaneous

Retransmissions How many times a message should be retransmitted before giving up.

IKE Port UDP port 500 is the port used by default during the Phase1 IKE negotiation. The user can change the port number for the IKE negotiation. Exchanges are still on UDP but they can be on another port than port 500, as some firewalls do not allow IKE Port 500, or outgoing traffic on Port 500 might not be allowed in some places. The remote gateway must support this feature and reroute the incoming traffic associated with the newly selected IKE port onto the default UDP 500 so that it is properly routed to the IPSec service.

NAT Port UDP port 4500 is the port used by default during the Phase2 IPSec negotiation. The user can change the port number for the IPsec negotiation. Exchanges are still on UDP but they can be on another port than port 4500, as some firewalls do not allow IPsec Port 4500, or outgoing traffic on Port 4500 might not be allowed in some places. The remote gateway must support this feature and reroute the incoming traffic associated with the newly selected IPSec port onto the default UDP 4500 so that it is properly routed to the IPSec service.

X-Auth timeout Time allowed to the user to enter the X-Auth credentials.

Block non-ciphered connection When this option is checked, only encrypted traffic is authorized; therefore all traffic goes through VPN tunnels once opened.

Dead Peer Detection (i.e. DPD) is an Internet Key Exchange (IKE) extension (RFC 3706) for detecting a dead IKE peer. TheGreenBow IPSec VPN Client uses DPD:

· to delete opened SAs in the VPN Client when the peer has been detected dead.
· to re-start IKE negotiations with the Redundant Gateway if activated in the 'Phase1 Advanced' Configuration Panel.

Once the parameters are set, click on 'Save & Apply' to save and take into account the new configuration.

6.6 VPN Tunnel View

6.6.1 How to view opened tunnels?

The 'Tunnel View' screen shows the VPN tunnels currently opened. This screen may also be used to close opened tunnels. To close a VPN tunnel, select the tunnel in the list and click on 'Close Tunnel'. Tunnels may also be viewed, opened and closed directly from the context menu of the system tray icon and from the Connection Panel.

The Connection Panel can be opened with the button 'Connection Panel'. It's possible to switch back and forth between the 'Connection Panel' and the 'Configuration Panel' by using the shortcut 'Ctrl + Enter' (see section 'Shortcuts').


6.7 USB Mode

6.7.1 What is USB Mode?

TheGreenBow VPN Client brings the capability to secure VPN configurations and VPN security elements (e.g. Preshared key, Certificates, ...) onto a USB Drive and out of the computer. This gives users the ability to attach a VPN Configuration:

· to a specific computer: therefore the VPN tunnels defined in the VPN configuration can only be used on that specific computer, or,

· to a specific USB drive: therefore the VPN tunnels defined in the VPN configuration can only be used with that specific USB Drive.

When you select 'File' > 'Move VPN Configuration to USB Drive..', the VPN configuration and the security elements contained in the configuration are moved onto the USB Drive the first time you plug it in.

Once done, you just need to plug in the USB Drive to automatically open the tunnels, and you just need to unplug the USB Drive to automatically close all opened tunnels.

6.7.2 How to enable a new USB Drive?

A new USB Drive (no data) is enabled by copying the VPN configuration and security elements onto it. There are several ways to do that:


· Export the VPN Configuration via menu 'File' > 'Export VPN Configuration' and then copy the VPN Configuration file onto the USB Drive.

· Use the 'USB Mode Wizard' via menu 'File' > 'Move VPN Configuration to USB Drive..'.

Here is how the 'USB Mode Wizard' works.

1. The 'USB Mode Wizard' starts with 'USB Mode Wizard' step1.

In case a USB drive is already plugged in, the IPSec VPN Client will detect it as shown below. Eventually the Wizard will ask to select one USB Drive, because several USB Drives could be plugged in at the same time:

Note: if a USB Drive is plugged in while in 'USB Mode Wizard' step1 and it appears to be the only one, the IPSec VPN Client will also detect it and jump to 'USB Mode Wizard' step2.

Note: if a USB Drive containing a VPN Configuration is plugged in while a first USB drive with another VPN Configuration is already plugged in, a warning message asks the user to unplug one of them before continuing.

2. 'USB Mode Wizard' step2

The wizard proposes to enable the USB Drive through the following options:
· 'With this computer only': therefore the VPN tunnels defined in the VPN configuration can only be used on this specific computer
· 'On any computer': therefore the VPN tunnels defined in the VPN configuration can be used with this specific USB Drive only, on any computer.

The VPN Configuration can be protected (not mandatory) by a password so that the USB Drive could be lost without compromising company security.


Note: At this step, if the USB Drive is unplugged, the wizard automatically goes back to step1.

Note: The IPSec VPN Client software does not allow changing the password or the computer association of the USB Drive. Nevertheless, it is always possible to plug in the USB Drive containing the VPN Configuration, export the VPN Configuration to a local disk, unplug the USB Drive, import the VPN Configuration, and start the 'USB Mode Wizard' all over again to set a new password or a new association with a computer.

3. 'USB Mode Wizard' step3

Then the wizard proposes to select the VPN tunnels that need to be opened the next time the USB Drive is plugged in. The same 'Phase2 Advanced settings' option 'Auto open this tunnel when USB Drive is plugged in' is used here for every tunnel.


4. 'USB Mode Wizard' step4

Step4 is a summary of the previous settings. Upon confirmation, the IPSec VPN Client copies the VPN Configuration onto the USB Drive and removes all security information from the computer; the IPSec VPN Client is then considered in 'USB Mode'.

Note: Once moved to the USB Drive, the VPN Configuration is kept as long as the USB Drive is plugged in. As soon as the USB Drive is unplugged, the VPN Configuration is reset (an empty configuration is shown in the 'Configuration Panel'). The next time the IPSec VPN Client starts, the VPN Configuration will be empty.

6.7.3 How to automatically open tunnels when a USB Drive is plugged in?

Each and every tunnel may be configured individually using the option 'Auto open tunnels when USB Drive is plugged in'.

If a USB Drive containing a VPN Configuration is plugged in, all VPN tunnels set with this feature will open automatically. They will close when the USB Drive is unplugged. The same behavior applies if the USB Drive is already plugged in when the IPSec VPN Client starts.

Obviously, if a USB Drive without any VPN Configuration is plugged in, or if no USB Drive is plugged in, the IPSec VPN Client starts in local mode (using whatever VPN Configuration is available on the local disk).

This option can be configured in the 'Configuration Panel':
· In the IPSec Configuration (Phase 2) of the relevant tunnel, click on the 'P2 Advanced' button,
· Select the 'Automatically open this tunnel when USB Drive is inserted' option.


See also 'USB Mode Wizard' to enable a USB Drive via menu 'File' > 'Move VPN Configuration to USB Drive..'.

Note: The option 'Automatically open this tunnel when USB Drive is inserted' is disabled before Windows logon.

6.8 Certificate Management

6.8.1 Certificate Management overview

TheGreenBow IPSec VPN Client can use Certificates from various sources:
· PEM format files,
· PKCS#12 format files,
· Windows Certificate Store,
· USB Tokens or SmartCards.

The Certificate Management Panel allows you to see all those Certificate sources in one single place and to select the right Certificate for a particular tunnel.

To assign a Certificate to a specific tunnel, proceed as follows:

1. Go to the 'Phase 1' window of that tunnel, click on 'Certificate' and then click on 'Certificates Management...'.

2. Select one Certificate in the list displayed, then click 'Ok'.


Note: Only one Certificate can be selected and assigned to one tunnel.

Note: TheGreenBow VPN Client software doesn't create Certificates. Certificates must be created (and stored on SmartCards/Tokens or in the Windows Certificate Store) by third party software. You'll find additional support documents on "How to generate Certificates" or "How to convert Certificate formats" on our website.

6.8.1.1 Sources of Certificates

Here are the possible sources of Certificates to choose from:

1. TheGreenBow Configuration File:

Certificates here are located in the VPN Configuration file used by the VPN Client software. It means that this Certificate has been imported at some point from another source like a Certificate file or the Microsoft Certificate Store.

Note: In case no Certificate has been configured in the VPN Configuration, this section will not appear. However, if a Certificate has previously been configured in the VPN Configuration file but is not present anymore, then this section is disabled.

2. Microsoft Certificate Store:

Those Certificates are located in the Microsoft Certificate Store. To be visible and usable, a Certificate has to follow these rules:

· The Certificate has to be certified by a certificate authority and the Certificate status must be 'Ok' (see 'Certificate troubleshooting')

· The Certificate has to be located in the 'Personal' Certificate Store as it represents the personal identity of the user trying to connect to its corporate network.


3. USB token or SmartCard (e.g. Feitian ePass2000-FT21):

Several USB Tokens and SmartCards can be plugged in and all the Certificates they contain will be displayed in this section.

Note: If the Certificate is not available in one of the Certificate Stores displayed, it is always possible to import Certificates from files using the 'Import Certificate..' button.

6.8.1.2 View Certificate details

Details of any Certificate can be viewed, including all properties like 'Issuer', 'Valid from', 'Valid to' and 'Subject'.

Select the Certificate you want and click 'View Certificate..' as shown below:


6.8.1.3 Controls on Certificates

TheGreenBow IPSec VPN Client controls on User Certificates are as follows:

Event | Certificate | Control
When importing .. | User Certificate |
When importing .. | Root Certificate | None
When opening VPN tunnel .. | User Certificate | None

6.8.2 How to configure a tunnel with a Certificate from a PKCS#12 Certificate file

PKCS#12 certificates are supported by a lot of gateways. TheGreenBow IPSec VPN Client can import PKCS#12 certificates into the VPN Configuration from the Configuration Panel. One PKCS#12 Certificate can be defined per tunnel. Therefore, it is possible to connect to several gateways that do not use the same PKI software (Public Key Infrastructure).

Here are the steps to configure the IPSec VPN Client with a PKCS#12 Certificate file:

Step 1: Select the radio button 'Certificate' in the 'Phase 1' window, click on 'Certificates Management...' and then click on 'Import Certificate..'

Step 2: Select the 'PKCS#12 format' check box, then click 'Next'

Step 3: Select the PKCS#12 Certificate file you want to import. If the PKCS#12 Certificate is protected, enter the password in the password pop-up window. Once the Certificate is correctly imported, it will be displayed in the Certificate Management Panel under the TheGreenBow Configuration File section.


Step 4: Click 'Ok'. PKCS#12 Certificates will be stored in the VPN Configuration file. No need to click on "Save&Apply".

Note: Once the Certificate is imported, its subject is used for the local ID of the associated Phase1. This is shown in the P1 Advanced window with the following indication:


6.8.3 How to configure a tunnel with a Certificate from a PEM Certificate file

TheGreenBow IPSec VPN Client can import PEM Certificates into the VPN Configuration, directly from the Configuration Panel. One PEM Certificate can be defined per tunnel. Therefore, it is possible to connect to several gateways that do not use the same PKI (Public Key Infrastructure).

Here are the steps to configure the IPSec VPN Client with a PEM Certificate.

Step 1: Select the radio button 'Certificate' in the 'Phase 1' window, click on 'Certificates Management...' and then click on 'Import Certificate..'

Step 2: Select the 'PEM format' check box, then click 'Next'

Step 3: Import the Root Certificate, the User Certificate and the Private Key by clicking on the associated button. Once the Certificate is correctly imported, it will be displayed in the Certificate Management Panel under the 'TheGreenBow Configuration File' section.


Step 4: Click 'Ok'. PEM Certificates will be stored in the VPN Configuration file. No need to click on "Save&Apply".

Note: Once the Certificate is imported, its subject is used for the local ID of the associated Phase1. This is shown in the P1 Advanced window with the following indication:

Note: The PEM file enclosing the private key must not be encrypted or protected with a password.
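Added example, not TheGreenBow code: a pre-import check for the three PEM files the steps above ask for (Root Certificate, User Certificate, Private Key). It parses the PEM framing and the RFC 1421 encapsulated headers, verifies each file carries the expected block type, and flags a private key that is encrypted (a PKCS#8 'ENCRYPTED PRIVATE KEY' block, or a traditional key carrying 'Proc-Type: 4,ENCRYPTED'), which is exactly the case the note says the import does not accept. The sample files are constructed placeholders whose base64 body is not real DER.

```python
"""Pre-import check for the PEM import step (Root Certificate, User Certificate,
Private Key).  Added example, not TheGreenBow code.  Sample inputs below are
constructed placeholders: only the PEM framing is exercised, not real keys."""
import base64
import re

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def parse_pem_blocks(text):
    """Return a list of {'label', 'headers', 'der'} for every PEM block in text."""
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        lines = body.strip().splitlines()
        headers = {}
        # encapsulated header lines ("Proc-Type", "DEK-Info") precede the base64 body
        while lines and ":" in lines[0]:
            key, value = lines.pop(0).split(":", 1)
            headers[key.strip()] = value.strip()
        b64 = "".join(line.strip() for line in lines if line.strip())
        der = base64.b64decode(b64, validate=True)  # raises binascii.Error on corrupt base64
        blocks.append({"label": label, "headers": headers, "der": der})
    return blocks


def key_is_encrypted(block):
    """True for PKCS#8 encrypted keys and for traditional keys with an ENCRYPTED Proc-Type."""
    if block["label"] == "ENCRYPTED PRIVATE KEY":
        return True
    return block["headers"].get("Proc-Type", "").endswith("ENCRYPTED")


def check_pem_import(root_pem, user_pem, key_pem):
    """Return a list of problems; an empty list means the three files fit the import step."""
    problems = []
    for name, text in (("Root Certificate", root_pem), ("User Certificate", user_pem)):
        if not any(b["label"] == "CERTIFICATE" for b in parse_pem_blocks(text)):
            problems.append(f"{name}: no CERTIFICATE block found")
    keys = [b for b in parse_pem_blocks(key_pem) if b["label"].endswith("PRIVATE KEY")]
    if not keys:
        problems.append("Private Key: no PRIVATE KEY block found")
    elif key_is_encrypted(keys[0]):
        problems.append("Private Key: file is encrypted or password protected; "
                        "the import needs an unencrypted key")
    return problems


# Constructed placeholders (not real certificates or keys)
_FAKE = base64.b64encode(b"constructed placeholder, not a real certificate or key").decode()
SAMPLE_ROOT = f"-----BEGIN CERTIFICATE-----\n{_FAKE}\n-----END CERTIFICATE-----\n"
SAMPLE_USER = SAMPLE_ROOT
SAMPLE_KEY = f"-----BEGIN RSA PRIVATE KEY-----\n{_FAKE}\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                        "Proc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
                        f"\n{_FAKE}\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PKCS8_ENCRYPTED = (f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{_FAKE}\n"
                          "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(check_pem_import(SAMPLE_ROOT, SAMPLE_USER, SAMPLE_KEY))            # []
    print(check_pem_import(SAMPLE_ROOT, SAMPLE_USER, SAMPLE_ENCRYPTED_KEY))  # one problem
```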

6.8.4 How to configure a tunnel with Certificates from a USB Token or SmartCard

TheGreenBow IPSec VPN Client can read Certificates from USB Tokens or Smart Cards. Smart Cards can be used for securing X509 certificates that can be protected by a PIN code.

Here are the steps to configure a tunnel using Certificates from USB Tokens or Smart Cards:

Step 1: Select 'Certificate' in the 'Phase 1' window of that tunnel, and click on 'Certificates Management...'.


Step 2: Select the Certificate from the Certificate Management Panel, which shows a list of all accessible USB Tokens or Smart Cards and their Certificates. Insert your USB Token or Smart Card at this time if not done so already, and it will show up in the list. The (USB token or SmartCard Reader) identification process starts and a PIN code may be required. Enter your 'PIN code' and click 'OK'. Once the USB token or SmartCard is successfully read and the Certificate is correctly imported, it will be displayed in the Certificate Management Panel under the 'TheGreenBow Configuration File' section.

Step 3: Click 'Ok'.

6.8.5 How to open a tunnel with Certificates from a USB Token or SmartCard

When a tunnel is configured to use Certificates from a USB Token or SmartCard, the PIN code of the USB Token or SmartCard is asked of the user each time the tunnel must be opened (except on automatic VPN renegotiations).

Thus, to open a tunnel with Certificates from a USB Token or SmartCard, it is required to have:
1. The SmartCard reader (middleware) correctly installed
2. A readable SmartCard inserted in the SmartCard reader, or a USB Token plugged in
3. The correct PIN code for reading the USB Token or SmartCard


Then click 'Open tunnel 'tunnel1''.

Each issue encountered while using the SmartCard is displayed in the Console.

6.8.6 Certificate Troubleshooting

1. Interface with USB Token or SmartCard:

Several errors may occur while connected to a USB Token or SmartCard; they are notified by a small warning icon next to the Token name, with a popup for more info when clicking on this icon:

· Token not found: previously plugged in but not at this time.
· Token found but no middleware to access it (often required when using smartcard readers)
· Token and Store found but no Certificate found

2. Microsoft Certificate Store:


Certificates located in the Microsoft Certificate Store have to follow these rules:
· The Certificate has to be certified by a certificate authority and the Certificate status must be 'Ok' (see 'Certificate troubleshooting')
· The Certificate has to be located in the 'Personal' Certificate Store as it represents the personal identity of the user trying to connect to its corporate network.

Note: Windows provides a Certificate Management tool you can use to troubleshoot Certificate issues: Go to 'Windows Start' > 'Run' > 'CERTMGR.MSC'

6.9 Configuration Management

6.9.1 Import or Export VPN Configuration via menu

TheGreenBow VPN Client can import or export a VPN Configuration. With this feature, IT managers can prepare a configuration and deliver it to other users.

· To import a configuration, select menu 'File' > 'Import VPN Configuration'.
· To export a configuration, select menu 'File' > 'Export VPN Configuration'.

An exported VPN configuration file will have a ".tgb" extension.

An exported VPN Configuration can be protected by a password. When the user wants to export a configuration, a window automatically asks if the exported VPN configuration must be protected with a password or not.

When a VPN Configuration is protected with a password, importing it will automatically ask the user to enter the password. An exported VPN Configuration which is not protected with a password will be imported automatically without any request to the user.

Note: Import/Export in 'USB Mode'
When the VPN Client is configured in "USB Mode" and a USB Drive is plugged in, an imported VPN Configuration is written directly on the USB Drive. If the VPN Client is configured in "USB mode" but no USB Drive is plugged in, the export and import of a VPN Configuration are disabled.

Note: A VPN Configuration file can also be imported via the command line.


6.9.2 Merge of VPN Configurations

TheGreenBow IPSec VPN Client can import one or several tunnels into an existing VPNConfiguration. With this feature, IT managers can merge a new VPN Configuration with newgateways into an existing VPN Configuration and deliver it to users or group of users.

Merge of VPN Configurations can be done in several ways.

1. Import new VPN Configuration via menu 'File' > 'Import VPN Configuration' and then select'Add' instead of 'Replace'.

2. Drag&drop a new VPN Configuration into the software with an existing VPN Configurationalready opened. The exact same popup window (see above) will appear asking if the userwants to 'Add' or 'Replace' existing VPN Configuration.

3. Import new VPN Configuration via command line.

" [path]\vpnconf.exe /add:[file.tgb] " where [path] is the VPN Clientinstallation directory, and [file.tgb] is the VPN Configuration file. This commanddoesn't handle relative paths (e.g. "..\..\file.tgb"). For more details, see import commandline section.

Whichever way you import the VPN Configuration, the behavior is the same:

· Global parameters are not imported if at least one tunnel was already configured before the import and the user selects 'Add' in the popup.
· Global parameters are imported if the user selects 'Replace', or if no tunnel was configured before the import.
· Tunnel name conflicts between the existing and imported VPN Configurations are resolved automatically by appending an increment in brackets to the imported tunnel names, e.g. tunnel_office(1); this applies to both Phase 1 and Phase 2 names.
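The three rules above are easy to get wrong when scripting a rollout (for example, expecting the new file's global parameters to win on an 'Add'). The following Python is an added example, not TheGreenBow code: the .tgb format is not documented on this page, so a configuration is modelled as a plain dict with 'global', 'phase1' and 'phase2' keys (name to settings, each Phase 2 naming its Phase 1), and the function reproduces the 'Add'/'Replace' semantics and the "(n)" renaming rule exactly as the guide states them.

```python
"""Merge semantics for 'Add' vs 'Replace' imports (section 6.9.2).

Added example, not TheGreenBow code. A configuration is a dict:
  {"global": {...}, "phase1": {name: settings}, "phase2": {name: settings}}
where each Phase 2 settings dict carries a "phase1" key naming its Phase 1.
Rename rule from the guide: a conflicting name gets "(n)" appended, n from 1.
"""
import re
from copy import deepcopy

_SUFFIX = re.compile(r"^(.*)\((\d+)\)$")


def unique_name(name, taken):
    """Return name unchanged if free, else the first free name(1), name(2), ..."""
    base = name
    m = _SUFFIX.match(name)
    if m:                      # imported name already carries "(n)": count from its base
        base = m.group(1)
    candidate, n = name, 1
    while candidate in taken:
        candidate = f"{base}({n})"
        n += 1
    return candidate


def empty_config():
    return {"global": {}, "phase1": {}, "phase2": {}}


def merge_configurations(existing, imported, mode):
    """mode is 'add' or 'replace', mirroring the two buttons of the import popup."""
    if mode == "replace":
        return deepcopy(imported)          # everything, global parameters included
    if mode != "add":
        raise ValueError("mode must be 'add' or 'replace'")

    result = deepcopy(existing)
    had_tunnels = bool(existing["phase1"]) or bool(existing["phase2"])
    # Global parameters come from the imported file only if nothing was configured before.
    if not had_tunnels:
        result["global"] = deepcopy(imported["global"])

    # Phase 1 first, keeping a rename map so the imported Phase 2s still point
    # at the (possibly renamed) Phase 1 they were exported with.
    p1_renames = {}
    for name, settings in imported["phase1"].items():
        new_name = unique_name(name, result["phase1"])
        p1_renames[name] = new_name
        result["phase1"][new_name] = deepcopy(settings)

    for name, settings in imported["phase2"].items():
        new_name = unique_name(name, result["phase2"])
        entry = deepcopy(settings)
        ref = entry.get("phase1")
        entry["phase1"] = p1_renames.get(ref, ref)
        result["phase2"][new_name] = entry
    return result
```

Importing the same file twice with 'Add' yields gw(1) then gw(2), which is what you will see in the client after repeated merges; if that is not what you want, use 'Replace' or /replace instead.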

6.9.3 Split of VPN Configuration

TheGreenBow IPSec VPN Client can export a single tunnel from an existing VPN Configuration. With this feature, IT managers can split an existing VPN Configuration into smaller VPN Configurations and deliver them to users or groups of users.

To export a single tunnel, follow these steps:

1. Right-click any Phase 2 in your VPN Configuration, then select 'Export Tunnel'.
2. A popup window asks whether to protect the exported VPN Configuration with a password.
3. Once exported, the VPN Configuration can be sent to users; double-clicking it starts TheGreenBow IPSec VPN Client and imports it.

Note:
· Exporting a Phase 2 also exports the associated Phase 1, including any certificates defined in that Phase 1.
· Exporting a Phase 2 also exports the Global Parameters.

6.9.4 Embed your own VPN Configuration into IPSec VPN Client Setup

A pre-created VPN Configuration may be embedded in the IPSec VPN Client Setup. Embedding the VPN Configuration in the Setup lets an IT manager deploy a pre-configured IPSec VPN Client to all company users as a single package.

6.9.5 Demo VPN Configuration

The IPSec VPN Client Setup embeds a Demo VPN Configuration, which opens a tunnel to the TheGreenBow Demo Server as soon as the IPSec VPN Client software is installed.

It is particularly useful to check whether a tunnel can be opened from the user's computer to an operational remote network, for testing and, if necessary, debugging.

This Demo VPN Configuration can also be found on our website: www.thegreenbow.com/vpn_faq.html#VPN19

Part VII Deployment

7 Deployment

7.1 Embedded VPN Configuration

A VPN Configuration ".tgb" file embedded in the IPSec VPN Client Setup (unzipped; see the 'Deployment Guide' on our website) is automatically imported by the IPSec VPN Client during software installation.

The process to create a Setup with an embedded VPN Configuration is the following:

1. Create the VPN Configuration to be embedded in the Setup. This must be done on a previously installed IPSec VPN Client, from which the VPN Configuration is exported (e.g. "myconfig.tgb").
2. Create a silent installation, or simply unzip the IPSec VPN Client Setup.
3. Add the VPN Configuration file (e.g. "myconfig.tgb") to the unzipped Setup directory.
4. Deploy the package to the users (the VPN Configuration is imported during setup).

Important note: the Setup cannot import or use an encrypted (password-protected) VPN Configuration. When creating your VPN Configuration, make sure it is exported without password protection. Because the embedded file is unencrypted, anyone who obtains the package can read the tunnel settings and any certificates it contains, so distribute it through a controlled channel.

7.2 Setup options

7.2.1 Setup option overview

Several options are available with the IPSec VPN Client Setup:

1. Configuration of the GUI mode: 'full', 'user' or 'hidden'.
2. Protection of the GUI mode access control with a password.
3. Configuration of the systray menu items.
4. Other options: software start, license number, automatic software activation, no trial window, language, and activation email.

Syntax example:
Setup.exe /S --license=0123456789ABCDEF0123 [email protected]

Warning: the switches '--guidefs', '--menuitem', '--license', '--start', '--activmail', '--password', '--autoactiv', '--noactiv' and '--lang' can only be used together with the switch '/S' (silent install, case sensitive).

For more details, please see the 'Deployment Guide' on our website.

7.2.2 Setup option for GUI mode

Syntax: --guidefs=full|user|hidden
Defines the GUI appearance when the IPSec VPN Client starts.

"full": [Default] The Configuration Panel is displayed.
"user": The Connection Panel is displayed.
"hidden": Neither the Configuration Panel nor the Connection Panel is displayed. Only the systray menu can be opened, and tunnels can be opened from it.

Example: --guidefs=hidden


7.2.3 Setup option for GUI mode access control

Syntax: --password=mypwd
Controls access to the 'Configuration Panel' with a password. See 'Access Control & Hidden Interface' for more information. The password appears in clear text on the Setup command line, so protect any deployment script that contains it.

The user is asked for the password:
· when the user clicks or double-clicks the VPN systray icon;
· when the user wants to switch from the Connection Panel to the Configuration Panel.

Example: --guidefs=user --password=admin01
These two options lock the IPSec VPN Client in 'Connection Panel' mode, while access to the Configuration Panel is protected with a password.

7.2.4 Setup option for systray menu items

Syntax: --menuitem=[0...31]
Specifies which systray menu items the IT manager wants to keep.

The value is a bitfield: 1 = Quit, 2 = Connection Panel, 4 = Console, 8 = Save&Apply, 16 = Configuration Panel. The default is 31 (all items).

Example: --menuitem=5 configures a systray menu with the items Quit + Console (1 + 4).

Note 1: the tunnels are always shown in the systray menu, and can always be opened and closed from it.

Note 2: 'menuitem' and 'guidefs=hidden'. By default, guidefs=hidden sets the systray menu to Quit + Console (the same as --menuitem=5), so 'Save&Apply', 'Connection Panel' and 'Configuration Panel' are not visible. However, 'menuitem' overrides 'guidefs': "--guidefs=hidden --menuitem=1" produces a systray menu with only the 'Quit' item.

7.2.5 Other Setup options

Here are the other installation parameters for the setup command line:

Syntax: /S ("S" must be preceded by a single slash, case sensitive)
Usage: Enables a silent installation (no dialog is displayed to the user during the installation).
Example: "TheGreenBow_VPN_Client.exe /S"

Syntax: /D=[install path] ("D" must be preceded by a single slash, case sensitive)
Usage: [install path] is the directory where the software is installed. Do not use quotation marks, even if the path contains spaces.
Warning: this option must be used together with "/S" (silent mode) and must be the last option on the command line.

Syntax: --license=[license_number]
Configures the license number. The license number is a string of 24 hexadecimal characters; older license numbers may have 20 hexadecimal characters.

Syntax: --start=[1|2]
Configures the start mode of the VPN Client: after the Windows logon [1] or manually [2]. Default is [1].

Syntax: --activmail=[activation_email]
Forces the email address used for the activation confirmation. During the activation process, the edit box for entering this email is disabled.

Syntax: --autoactiv=1
In the case of a software upgrade (i.e. the license number and activation email were already entered in a previous installation), adding --autoactiv=1 makes the software try to activate itself automatically at startup if the network is available, or otherwise when a tunnel is first requested to open.

Syntax: --noactiv=1
Suppresses the 'Trial window' after the software starts, until the trial period ends. The user is not told that the software is in its trial period, and the software is disabled at the end of it: if the user launches the software after the end of the trial period, the software starts and opens the 'Trial window', but the 'Evaluate' button is disabled.

Syntax: --lang=[language code]
Specifies the language of the TheGreenBow IPSec VPN Client software and of the installation software. The available languages are listed below; the 'Language code' column gives the value to use.

ISO 639-1 code   Language code    English name
EN               1033 (default)   English
FR               1036             French
ES               1034             Spanish
PT               2070             Portuguese
DE               1031             German
NL               1043             Dutch
IT               1040             Italian
ZH               2052             Chinese (simplified)
SL               1060             Slovenian
TR               1055             Turkish
PL               1045             Polish
EL               1032             Greek
RU               1049             Russian
JA               1041             Japanese
FI               1035             Finnish
SR               2074             Serbian
TH               1054             Thai
AR               1025             Arabic
HI               1081             Hindi

Example:
TheGreenBow_VPN_Client.exe /S --license=0123456789ABCDEF0123 --start=2 [email protected]
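The rules spread over sections 7.2.1 to 7.2.5 (every '--' switch needs /S, /D must come last and unquoted, a license is 20 or 24 hex characters, --menuitem is a bitfield in 0..31) are the kind of thing a rollout script should check before it runs Setup on a thousand machines. The following Python is an added example, not the vendor's tool: it assembles the Setup argument list, encodes and decodes the --menuitem bitfield, and rejects combinations the guide says are invalid. The email address and install directory in the usage are constructed for the example.

```python
"""Build and validate a silent IPSec VPN Client Setup command line (section 7.2).

Added example, not TheGreenBow code: it enforces only the constraints the
guide states and returns the argument list for subprocess.run() or similar.
"""
import re

GUI_MODES = ("full", "user", "hidden")
MENU_BITS = {"quit": 1, "connection_panel": 2, "console": 4,
             "save_apply": 8, "configuration_panel": 16}
# Language codes from the --lang table, keyed by ISO 639-1 code for convenience.
LANG_CODES = {"EN": 1033, "FR": 1036, "ES": 1034, "PT": 2070, "DE": 1031,
              "NL": 1043, "IT": 1040, "ZH": 2052, "SL": 1060, "TR": 1055,
              "PL": 1045, "EL": 1032, "RU": 1049, "JA": 1041, "FI": 1035,
              "SR": 2074, "TH": 1054, "AR": 1025, "HI": 1081}
_LICENSE = re.compile(r"^(?:[0-9A-Fa-f]{20}|[0-9A-Fa-f]{24})$")


def menuitem_value(items):
    """Encode item names into the --menuitem bitfield (e.g. quit+console -> 5)."""
    unknown = set(items) - set(MENU_BITS)
    if unknown:
        raise ValueError(f"unknown menu items: {sorted(unknown)}")
    return sum(MENU_BITS[i] for i in set(items))


def menuitem_names(value):
    """Decode a --menuitem value into item names, lowest bit first."""
    if not 0 <= value <= 31:
        raise ValueError("menuitem must be in 0..31")
    return [name for name, bit in MENU_BITS.items() if value & bit]


def build_setup_command(setup_exe, *, silent=True, license=None, guidefs=None,
                        password=None, menuitem=None, start=None, activmail=None,
                        autoactiv=False, noactiv=False, lang=None, install_dir=None):
    opts = []
    if guidefs is not None:
        if guidefs not in GUI_MODES:
            raise ValueError(f"guidefs must be one of {GUI_MODES}")
        opts.append(f"--guidefs={guidefs}")
    if password is not None:
        # Clear text on the command line: keep the script itself access-controlled.
        opts.append(f"--password={password}")
    if menuitem is not None:
        if isinstance(menuitem, (list, tuple, set)):
            menuitem = menuitem_value(menuitem)
        menuitem_names(menuitem)                  # range check only
        opts.append(f"--menuitem={menuitem}")
    if license is not None:
        if not _LICENSE.match(license):
            raise ValueError("license must be 20 or 24 hexadecimal characters")
        opts.append(f"--license={license}")
    if start is not None:
        if start not in (1, 2):
            raise ValueError("start must be 1 (after logon) or 2 (manual)")
        opts.append(f"--start={start}")
    if activmail is not None:
        opts.append(f"--activmail={activmail}")
    if autoactiv:
        opts.append("--autoactiv=1")
    if noactiv:
        opts.append("--noactiv=1")
    if lang is not None:
        code = LANG_CODES.get(str(lang).upper())
        if code is None:
            try:
                code = int(lang)
            except (TypeError, ValueError):
                code = None
        if code not in LANG_CODES.values():
            raise ValueError(f"unsupported language: {lang!r}")
        opts.append(f"--lang={code}")

    if (opts or install_dir is not None) and not silent:
        raise ValueError("'--' switches and /D require the /S silent-install switch")
    args = [setup_exe]
    if silent:
        args.append("/S")
    args.extend(opts)
    if install_dir is not None:
        args.append(f"/D={install_dir}")   # must be last; no quotes even with spaces
    return args


if __name__ == "__main__":
    print(" ".join(build_setup_command(
        "TheGreenBow_VPN_Client.exe", license="0123456789ABCDEF0123", start=2,
        activmail="it-admin@example.com", guidefs="user", password="admin01",
        menuitem=["quit", "console"], lang="fr",
        install_dir=r"C:\Program Files\TheGreenBow VPN")))
```

Pass the returned list to subprocess.run without shell=True so the unquoted /D path with spaces reaches Setup as a single argument, which is what the guide requires.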

7.3 Command line

7.3.1 Command line options

Several command line options are available. They are meant for IT managers who need to adapt the IPSec VPN Client behavior to their needs and to integrate it with other applications:

· stopping the IPSec VPN Client;
· importing or exporting a VPN Configuration;
· opening or closing VPN tunnels.

For more details, please see the 'Deployment Guide' on our website.

7.3.2 Opening or closing VPN Tunnel options

TheGreenBow VPN Client can open or close a VPN tunnel from the command line. Both commands can be invoked while TheGreenBow IPSec VPN Client is running:

"[path]\vpnconf.exe /open:[phase1-phase2]" where [path] is the VPN Client installation directory and [phase1-phase2] are the Phase 1 and Phase 2 names in the VPN Configuration file. If the specified tunnel is already open, this command has no effect.

"[path]\vpnconf.exe /close:[phase1-phase2]" where [path] is the VPN Client installation directory and [phase1-phase2] are the Phase 1 and Phase 2 names in the VPN Configuration file. If the specified tunnel is already closed, this command has no effect.

The "open" and "close" arguments are mutually exclusive and cannot be used together.

Restriction note:
· Executing these commands opens the software's graphical user interface (GUI). This restriction will be removed in a future software release.

7.3.3 Stopping IPSec VPN Client: option "/stop"

TheGreenBow VPN Client can be stopped at any time from the command line:

"[path]\vpnconf.exe /stop" where [path] is the IPSec VPN Client installation directory.

If several tunnels are active, they are closed properly.

This feature can be used, for example, in a script that launches the VPN Client after establishing a dial-up connection and exits it just before disconnecting.

7.3.4 Import or Export VPN Configuration options

TheGreenBow VPN Client can import a specific configuration file from the command line:

"[path]\vpnconf.exe /import:[file.tgb]" where [path] is the VPN Client installation directory and [file.tgb] is the VPN Configuration file. This command does not handle relative paths (e.g. "..\..\file.tgb"). Double quotes are supported, allowing paths containing spaces.

"/import:" may be used whether or not the VPN Client is running. When the VPN Client is already running, it imports the new configuration dynamically and applies it automatically (i.e. restarts the IKE service). If the VPN Client is not running, it is launched with the new configuration.

"/importonce:" imports a VPN Configuration file without running the VPN Client. This command is especially useful in installation scripts: it allows a silent installation followed by an automatic configuration import.

"/export:" exports the current VPN Configuration (including certificates) to the specified file. This command starts the VPN Client if it is not already running.

"/exportonce:" exports the current VPN Configuration (including certificates) to the specified file. This command does not start the VPN Client if it is not already running.

"/add:" imports a new VPN Configuration into the existing VPN Configuration and merges both into a single VPN Configuration. This command may be used whether or not the VPN Client is running; it does not start the VPN Client if it is not already running.

"/replace:" replaces the current configuration with a new VPN Configuration. This option is available in software release 4.1 and older, and may be used instead of /importonce to import a VPN Configuration file without running the VPN Client.

"/pwd:[password]" sets the password for the import or export operation. This option can be used together with the /import, /importonce, /export, /exportonce, /add and /replace options, but it must be placed after one of those options. As with the Setup password, the value is visible on the command line, so protect scripts that contain it.

The six arguments "import", "importonce", "export", "exportonce", "add" and "replace" are mutually exclusive and cannot be used together.

7.4 Support for new ATR code (i.e. SmartCard)

TheGreenBow VPN Client always includes the latest list of ATR codes available from token and smart card vendors. However, new ATR codes appear regularly, and this feature allows one or several new ATR codes to be added without waiting for a new software release.

TheGreenBow VPN Client takes new token ATR codes into account as soon as they are declared in an initialization file called "vpnconf.ini". This file must be a plain text file saved in the same installation folder as tgbike.exe. Because the VPN Client loads the PKCS#11 DLL named in this file, make sure vpnconf.ini and the registry value it references are writable only by administrators.

Here is the syntax of the 'vpnconf.ini' file (one section per ATR):

    [3B:65:00:00:9C:02:02:07:02]
    mask="FF:FF:00:00:FF:FF:FF:FF:FF"
    scname="My token"
    manufacturer="Token Manufacturer"
    pkcs11DllName="pkcs11.dll"
    registry="HKEY_LOCAL_MACHINE:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\TgbIke.exe:DllPath"

    [3B:65:00:00:9C:02:02:07:03]
    mask="FF:FF:00:00:FF:FF:FF:FF:FF"
    scname="My token2"
    manufacturer="Token Manufacturer"
    pkcs11DllName="pkcs11.dll"
    registry="HKEY_LOCAL_MACHINE:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\TgbIke.exe:DllPath"

where the parameters are as follows:

[atr]           Token ATR code. The bracketed header also delimits successive ATR entries.
mask            Token mask
scname          Token name
manufacturer    Token manufacturer's name
pkcs11DllName   PKCS#11 middleware file
registry        Registry value that points to the complete path of the DLL

Note: if the PKCS#11 DLL (here pkcs11.dll) is not in C:\Windows\System32\, then "registry" must be set.

Note: 'registry' is the registry value that points to the complete path of the DLL. The syntax is HKEY_LOCAL_MACHINE:<registry key>:<value in the registry key>. For example, if a value "DllPath" with content "C:\Program Files\TheGreenBow\TheGreenBow VPN\pkcs11.dll" is created under "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\TgbIke.exe", the registry line is: "HKEY_LOCAL_MACHINE:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\TgbIke.exe:DllPath".
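Before shipping a vpnconf.ini to the fleet it is worth checking, offline, which section a given card's ATR will actually hit. The following Python is an added example, not TheGreenBow code: it parses the section-per-ATR layout and the HKEY_LOCAL_MACHINE:<key>:<value> registry reference exactly as shown above, and matches a card ATR against the entries. Two things are assumptions, not stated on this page: the mask is applied byte-wise (a card matches when card_atr AND mask equals section_atr AND mask, the usual PC/SC convention), and a section without a mask means an exact match. SAMPLE_INI is constructed for the example; the second section deliberately omits 'registry' to show the System32 case.

```python
"""Parse vpnconf.ini token declarations and match a card ATR against them.

Added example, not TheGreenBow code. Assumptions (not on the page): masked
byte-wise comparison, and "no mask" means exact match. SAMPLE_INI is constructed.
"""
from dataclasses import dataclass, field

SAMPLE_INI = r'''
[3B:65:00:00:9C:02:02:07:02]
mask="FF:FF:00:00:FF:FF:FF:FF:FF"
scname="My token"
manufacturer="Token Manufacturer"
pkcs11DllName="pkcs11.dll"
registry="HKEY_LOCAL_MACHINE:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\TgbIke.exe:DllPath"

[3B:65:00:00:9C:02:02:07:03]
mask="FF:FF:00:00:FF:FF:FF:FF:FF"
scname="My token2"
manufacturer="Token Manufacturer"
pkcs11DllName="pkcs11.dll"
'''


@dataclass
class TokenEntry:
    atr: bytes
    mask: bytes = b""
    fields: dict = field(default_factory=dict)


def hex_bytes(text):
    """'3B:65:00' -> the three bytes 3B 65 00."""
    return bytes(int(part, 16) for part in text.strip().strip('"').split(":"))


def parse_vpnconf_ini(text):
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = TokenEntry(atr=hex_bytes(line[1:-1]))
            entries.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        value = value.strip('"')
        if key == "mask":
            current.mask = hex_bytes(value)
        else:
            current.fields[key] = value
    for e in entries:
        if not e.mask:
            e.mask = b"\xff" * len(e.atr)      # no mask given: exact match (assumption)
        if len(e.mask) != len(e.atr):
            raise ValueError(f"mask length differs from ATR length for {e.atr.hex()}")
    return entries


def match_atr(entries, card_atr):
    """First entry whose masked ATR equals the masked card ATR, else None."""
    for e in entries:
        if len(card_atr) == len(e.atr) and all(
            (c & m) == (a & m) for c, a, m in zip(card_atr, e.atr, e.mask)
        ):
            return e
    return None


def parse_registry_ref(ref):
    """Split 'HKEY_LOCAL_MACHINE:<key>:<value>' into (hive, key, value).

    The key keeps the ini file's doubled backslashes; collapse them here.
    """
    hive, rest = ref.split(":", 1)
    key, value = rest.rsplit(":", 1)
    return hive, key.replace("\\\\", "\\"), value
```

A card whose third and fourth ATR bytes differ from the declared value still matches the first section, because those bytes are masked out with 00; a card differing in an FF-masked byte, or of a different length, matches nothing and the VPN Client will not know which PKCS#11 middleware to load for it.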

Part VIII Console and Logs

8 Console and Logs

8.1 Console Window

The 'Console' window is available from the context menu of the systray icon or from the 'Console' button in the Configuration Panel. It can be used to analyze VPN tunnels and is particularly useful to IT managers when setting up their network.

Button       Description
Save         Save the current logs to a file. Future logs are not appended to the selected file.
Start/Stop   Start or stop collecting logs.
Clear        Clear the console window content.
Reset IKE    Restart the IKE process.

Part IX Software Localization

9 Software Localization

The localization (L10N) of the IPSec VPN Client is now possible, even by a third-party company. All the strings used by the VPN Client are listed in a Translation tool, ready for translation.

Step 1: Download the VPN Client Translation tool from our website.
Step 2: Translate the strings into your own language.
Step 3: Send the translated VPN Client string file back to us at: [email protected]
Step 4: We will include your language in the next Generally Available (GA) product release of the IPSec VPN Client. See on our website who is already contributing.

The whole translation process is also described at www.thegreenbow.com/vpn_local.html.

Part X Contacts

10 Contacts

Information and updates are available at: www.thegreenbow.com
Technical support by email at: [email protected]
Sales support by email at: [email protected]

Index

- A -
About 24
Activation errors 10
Activation Wizard 8

- C -
Certificate from PEM file 51, 56
Certificate from PKCS#12 file 51, 54
Certificate from SmartCard 51
Certificate Management 14, 51, 52, 53, 54, 56, 57, 58, 59
Command line 68, 69
Configuration Panel 23
Configuration Wizard 34, 35
Configuration Wizard to create VPN tunnels 33
Connection Panel 22, 29, 30
Console 73

- D -
Default VPN Configuration 63

- E -
Embed VPN Configuration 62
Evaluation period 7
Export VPN Configuration 60, 61

- F -
Features 3

- G -
Global parameters 44

- H -
Hidden user interface 24
How to automatically open tunnels when a USB Stick is plugged in? 50
How to create a VPN Tunnel? 32
How to enable a new USB Stick? 47
How to install? 6
How to view opened tunnels? 46

- I -
IKE Port 44
Import Command line 69
Import VPN Configuration 14, 60, 61
Import with double click on VPN Configuration icon 14

- L -
License Number 8
Linux appliance compatibility 2
Localization 75

- M -
Maintenance 11
Menu 23
Multi Gateway Compatibility 2

- N -
NAT Port 44

- O -
OEM Partners 4
Open tunnel before Windows logon 16

- P -
PEM 51, 56
Phase1 Advanced Settings 37
Phase1 Settings 36
Phase2 Advanced Settings 42
Phase2 Settings 41
PKCS#12 51, 54
Ports 44
Preferences 27
Proxy 8

- R -
RDP session 3
Remote Desktop 3

- S -
Sales contact 77
Script 44
Setup 62
Setup options 65, 66, 67
Shortcut 22
SmartCard 57, 58
Software Activation 8, 9, 10
Software upgrade 11
Status Bar 24
Stop software 69
Support contact 77
System tray icon 20

- T -
Temporary Software License 7

- U -
Uninstall 12
USB Token 57, 58

- V -
View Certificate details 52, 53
VPN Configuration 60, 61, 62, 63, 65, 69
VPN Configuration merge 61
VPN Configuration split 61
VPN Configuration with Certificates 14, 52, 53, 54, 56, 57, 58, 59

- W -
What is IKE Phase 1? 36
What is IKE Phase 2? 40
What is USB Mode? 47
What's the IPSec VPN Client for? 2
Wizard 26

TheGreenBow Security Software: Secure, Strong, Simple.