Creating Ipsec Vpns With the Officeconnect Secure Gateway


  • 7/27/2019 Creating Ipsec Vpns With the Officeconnect Secure Gateway

    1/21

Creating IPSec VPNs with the OfficeConnect Cable/DSL Secure Gateway

This document describes in detail the steps needed to configure the OfficeConnect Cable/DSL Secure Gateway to interoperate with:

OfficeConnect Cable/DSL Secure Gateway

SuperStack 3 Firewall

Safenet SoftPK VPN Client

SSH Sentinel VPN Client

3Com Firewall VPN application (allows XP VPN client to be used)

Configuring VPN tunnels should not be done until it has been ensured that both ends of the tunnel are correctly configured for Internet access (i.e. both sites can access the Internet).

Configuring a VPN tunnel between two OfficeConnect Cable/DSL Secure Gateways

Figure 1 Two OfficeConnect Cable/DSL Secure Gateways connecting via the Internet (diagram labels: Network 1, Gateway 1, Internet, Gateway 2, Network 2)

    Configuring Gateway 1

    Figure 2 IPSec Connections on the OfficeConnect Cable/DSL Secure Gateway


1. Select the IPSec Server radio button. The screen will change to reflect this selection.
2. Click on the IPSec Connections tab at the top of the page.
3. Click on the New button on the right of the screen; a pop-up window will appear.

    Figure 3 Configuring an IPSec VPN on the OfficeConnect Cable/DSL Secure Gateway

4. Enter the WAN IP address of Gateway 2 in the connection name field. This is important, as it will ensure that the Gateway will work in the correct mode!
5. Enter a description of the Security Association to remind you what the connection is (up to 128 characters).
6. Select Gateway-to-Gateway as the Connection Type.
7. If the Gateway ID has not already been specified, enter the WAN IP address of the gateway as the ID. This is important, as it will ensure that the Gateway will work in the correct mode!
8. Enter the WAN IP address of Gateway 2 in the Remote IPSec Server Address field.
9. Enter the private network that you wish to reach through the VPN. This will be the first IP address of the network, e.g. 192.168.2.0.
10. Enter the Shared Secret that will be used to create the tunnel (up to 64 characters). Ideally this should be a long, un-memorable key to provide higher security.
11. Select either DES or 3DES as the encryption type.
12. Select either MD5 or SHA-1 as the hash algorithm.
13. Select either Diffie-Hellman Group 1 or Group 2 to use for exchanging keys.
14. Leave Perfect Forward Secrecy unchecked. (Perfect Forward Secrecy increases the security of the tunnel by changing keys for every message sent, but to ensure that the VPN tunnel is configured correctly it is recommended that this is left unchecked during the initial configuration; it may be checked later if required.)


Take note of all the settings in this configuration, as they will be required to configure the other end of the VPN tunnel (Gateway 2).

15. Click Apply.

Configuring Gateway 2

This configuration will be very similar to the Gateway 1 configuration.

1. Select the IPSec Server radio button. The screen will change to reflect this selection.
2. Click on the IPSec Connections tab at the top of the page.
3. Click on the New button on the right of the screen; a pop-up window will appear.
4. Enter the WAN IP address of Gateway 1 in the connection name field. This is important, as it will ensure that the Gateway will work in the correct mode!
5. Enter a description of the Security Association to remind you what the connection is (up to 128 characters).
6. Select Gateway-to-Gateway as the Connection Type.
7. If the Gateway ID has not already been specified, enter the WAN IP address of the gateway as the ID. This is important, as it will ensure that the Gateway will work in the correct mode!
8. Enter the WAN IP address of Gateway 1 in the Remote IPSec Server Address field.
9. Enter the private network that you wish to reach through the VPN. This will be the first IP address of the network, e.g. 192.168.1.0.
10. Enter the Shared Secret that will be used to create the tunnel (up to 64 characters). This must be identical to the shared secret entered in Gateway 1.
11. Select either DES or 3DES as the encryption type. This must be identical to Gateway 1.
12. Select either MD5 or SHA-1 as the hash algorithm. This must be identical to Gateway 1.
13. Select either Diffie-Hellman Group 1 or Group 2 to use for exchanging keys. This must be identical to Gateway 1.
14. Leave Perfect Forward Secrecy unchecked. (Perfect Forward Secrecy increases the security of the tunnel by changing keys for every message sent, but to ensure that the VPN tunnel is configured correctly it is recommended that this is left unchecked during the initial configuration; it may be checked later if required.)
15. Click Apply.

    Figure 4 VPN configurations for both ends of a VPN tunnel

The VPN connection should now be configured. To test the tunnel, from the Start Menu select Run, type ping xxx.xxx.xxx.xxx (where xxx.xxx.xxx.xxx is a PC on the Remote Network that you are trying to access via the VPN, e.g. 192.168.2.1) and hit return. If the VPN tunnel has been established successfully, the IPSec connection screen will indicate that the VPN tunnel is active. If it is not active, refer to the Log on both units for information on why it has failed.
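Because steps 4 to 14 have to be entered by hand on both units, the following script is an added example (not part of this guide and not 3Com's software) that models those Security Association fields for both gateways and reports every field that must mirror the peer or match it exactly, plus the options the guide itself describes as weaker. The WAN addresses, the /24 LAN masks and the shared secret are constructed sample values.

```python
"""Mirror-check the Security Association settings of two OfficeConnect Cable/DSL
Secure Gateways. Added example, not 3Com's code; addresses and secret are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class GatewaySA:
    wan_ip: str           # This Gateway's ID: the unit's own WAN IP address
    lan_network: str      # the unit's own LAN in CIDR form (the /24 mask is an assumption)
    connection_name: str  # must be the peer's WAN IP for gateway-to-gateway mode
    remote_server: str    # Remote IPSec Server Address (the peer's WAN IP)
    remote_network: str   # first address of the private network reached via the tunnel
    shared_secret: str    # up to 64 characters
    encryption: str       # "DES" or "3DES"
    hash_alg: str         # "MD5" or "SHA-1"
    dh_group: int         # 1 or 2
    pfs: bool = False     # guide: leave unchecked for the initial configuration


def check_single(sa: GatewaySA, label: str) -> list[str]:
    """Limits the guide states for one unit's form."""
    problems = []
    if sa.encryption not in ("DES", "3DES"):
        problems.append(f"{label}: encryption type must be DES or 3DES")
    if sa.hash_alg not in ("MD5", "SHA-1"):
        problems.append(f"{label}: hash algorithm must be MD5 or SHA-1")
    if sa.dh_group not in (1, 2):
        problems.append(f"{label}: Diffie-Hellman group must be 1 or 2")
    if not 1 <= len(sa.shared_secret) <= 64:
        problems.append(f"{label}: shared secret must be 1 to 64 characters")
    return problems


def check_pair(g1: GatewaySA, g2: GatewaySA) -> list[str]:
    """Every mismatch that would stop the two units negotiating a tunnel."""
    problems = check_single(g1, "Gateway 1") + check_single(g2, "Gateway 2")
    for local, peer, label in ((g1, g2, "Gateway 1"), (g2, g1, "Gateway 2")):
        # Steps 4 and 8: both fields carry the peer's WAN IP address.
        if local.connection_name != peer.wan_ip:
            problems.append(f"{label}: connection name must be the peer WAN IP {peer.wan_ip}")
        if local.remote_server != peer.wan_ip:
            problems.append(f"{label}: Remote IPSec Server Address must be {peer.wan_ip}")
        # Step 9: the remote network is the first address of the peer's LAN.
        peer_lan = ipaddress.ip_network(peer.lan_network, strict=False)
        if ipaddress.ip_address(local.remote_network) != peer_lan.network_address:
            problems.append(f"{label}: remote network should be {peer_lan.network_address}")
    # Steps 10 to 14: these must be identical on both units.
    for field in ("shared_secret", "encryption", "hash_alg", "dh_group", "pfs"):
        if getattr(g1, field) != getattr(g2, field):
            problems.append(f"{field} differs between Gateway 1 and Gateway 2")
    return problems


def weaker_choices(sa: GatewaySA) -> list[str]:
    """Options the guide itself describes as the lower-security choice."""
    notes = []
    if sa.encryption == "DES":
        notes.append("DES selected; the guide says 3DES gives a higher level of security")
    if sa.dh_group == 1:
        notes.append("Diffie-Hellman Group 1 selected; the guide says Group 2 is stronger")
    return notes


# Constructed sample: the guide's 192.168.1.0 and 192.168.2.0 LANs behind documentation WAN IPs.
SECRET = "constructed-example-secret-not-for-real-use"
GATEWAY_1 = GatewaySA("203.0.113.10", "192.168.1.0/24", "203.0.113.20", "203.0.113.20",
                      "192.168.2.0", SECRET, "3DES", "SHA-1", 2)
GATEWAY_2 = GatewaySA("203.0.113.20", "192.168.2.0/24", "203.0.113.10", "203.0.113.10",
                      "192.168.1.0", SECRET, "3DES", "SHA-1", 2)

if __name__ == "__main__":
    for line in check_pair(GATEWAY_1, GATEWAY_2) or ["both ends are consistent"]:
        print(line)
```

Run it with both forms filled in before clicking Apply on Gateway 2; an empty result means the two units describe the same tunnel from opposite ends.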


Configuring a VPN tunnel between the OfficeConnect Cable/DSL Secure Gateway and the SuperStack 3 Firewall

The configuration of the OfficeConnect Cable/DSL Secure Gateway is exactly the same as described above. The configuration on both sides of the tunnel must still contain identical information about encryption type, hash algorithm, shared secret and Diffie-Hellman Group.

    Configuring the SuperStack 3 Firewall

    Figure 5 VPN Summary on SuperStack 3 Firewall

1. Click on the VPN tab.
2. If it is not already configured, enter the Unique Firewall Identifier. Ensure that this is the WAN IP address of the Firewall.
3. Click on the VPN configure tab at the top of the screen.


    Figure 6 Configuring a VPN connection on a SuperStack 3 Firewall

4. Choose New SA from the Security Association pull-down menu.
5. Select IKE using pre-shared key from the IPSec Keying Mode pull-down menu.
6. Leave the Disable this SA checkbox unchecked.
7. Enter the WAN IP address of the OfficeConnect Cable/DSL Secure Gateway as the Connection Name.
8. Enter the WAN IP address of the OfficeConnect Cable/DSL Secure Gateway as the IPSec Gateway address.
9. Leave all checkboxes in the Security Policy section unchecked (* SuperStack 3 only).
10. Set the SA lifetime to 600 seconds.
11. Select either Encrypt and Authenticate or Strong Encrypt and Authenticate. Encrypt should be chosen when DES is required. Strong Encrypt should be chosen when 3DES is required.
12. Take note of the acronyms on the right of the pull-down menu.
13. If MD5 was chosen as the hash algorithm on the OfficeConnect Cable/DSL Secure Gateway then either ESP DES HMAC MD5 or ESP 3DES HMAC MD5 will need to be chosen. If SHA-1 was chosen, then ESP DES HMAC SHA-1 or ESP 3DES HMAC SHA-1 should be chosen.
14. Enter the shared secret. This must be identical at both ends of the tunnel.
15. At the bottom of the screen select Add New Network. A pop-up window will appear.


Figure 7 Specifying a remote network

16. Enter the private network address and subnet that you wish to connect to through the VPN tunnel. This will be the LAN of the OfficeConnect Cable/DSL Secure Gateway and can be found on the LAN settings page of the OfficeConnect Cable/DSL Secure Gateway Management interface.
17. Click on the Update button.
18. Click on the Update button on the main VPN Configure screen.
19. Restart the firewall as required.

The VPN is now configured and will automatically initiate when traffic is sent between the two private networks.


Configuring the OfficeConnect Cable/DSL Secure Gateway to connect with SSH Sentinel VPN client or Safenet Soft-PK VPN client

Figure 8 PC running VPN client software and an OfficeConnect Secure Gateway connecting via the Internet (diagram labels: PC running VPN client software, Cable or DSL modem, Internet, Gateway, Network)

    Configuring the Gateway

Figure 9 Configuring a VPN client connection on the OfficeConnect Cable/DSL Secure Gateway

1. Click on the VPN tab on the left of the screen.
2. Enable IPSec VPN connections by selecting the IPSec radio button.
3. Click on the IPSec connections tab that appears on the top of the page.
4. Click on the New button to create a new Security Association.

Connection Name - enter the name by which the connection will be known; a good example of this is to make it the name of the user that will be connecting.

Description - add a description that will make the connection easily identifiable.

Connection Type - click on the Remote User Access radio button.

This Gateway's ID - the ID of the gateway should be entered here. This ID will be the same for all IPSec connections and must be the WAN IP address of the gateway.


Remote User ID - enter a username that the remote user will use to authenticate the connection.

Tunnel Shared Key - enter an alphanumeric string that will be used to authenticate the tunnel (up to 64 characters).

Encryption Type - select either DES or 3DES. 3DES will give a higher level of security but might reduce data throughput. This must be the same on both ends of the VPN tunnel to allow connection.

Exchange Keys Using - select either Diffie-Hellman Group 1 or 2. Group 2 will provide a higher level of security but might cause the initiation of a VPN tunnel to take slightly longer. This must be the same on both ends of the VPN tunnel to allow connection.

Perfect Forward Secrecy - leave unchecked. (Perfect Forward Secrecy increases the security of the tunnel by changing keys for every message sent, but to ensure that the VPN tunnel is configured correctly it is recommended that this is left unchecked during the initial configuration; it may be checked later if required.)

The OfficeConnect Cable/DSL Secure Gateway is now ready to accept a connection from a remote VPN client. Make a note of all information used in the configuration, as it will be required to configure the VPN client.

    Configuring the SSH Sentinel VPN Client

    Figure 10 SSH Sentinel Policy Editor

1. Install the VPN client. During the installation you will be required to create a security certificate by moving the mouse pointer around a pop-up window; complete this and, once installation is complete, restart your PC.
2. Once the PC has restarted go to the Start Menu -> Programs -> SSH Sentinel -> Policy Editor. The policy editor window will appear on the screen.


Figure 11 Configuring an Authentication Key (the callout in the figure points to the Add button)

3. Click on the key management tab at the top of the screen.
4. Under My Keys, double click on Add... A new pop-up window will appear.


    Figure 12 Configuring a preshared key on the SSH Sentinel VPN client

5. Choose Create a preshared Key.
6. Give the key a descriptive name.
7. Enter exactly the same text as was entered in the Tunnel Shared Key in the OfficeConnect Cable/DSL Secure Gateway configuration.
8. Click OK.

    The key that was just created will appear in the menu list.

9. Click on the new key and choose Properties.


    Figure 13 Configuring a remote user ID

10. Click on the Identity tab at the top of the new pop-up window.
11. For both Local and Remote choose Administrator E-mail from the Primary Identifier pull-down menu.
12. Enter the Remote User ID that was entered in the OfficeConnect Cable/DSL Secure Gateway configuration in the blank field for both Local and Remote.
14. Click OK.
15. Click on the Security Policy tab at the top of the screen.
16. Click on VPN connection and then select Add; a new pop-up window will appear.

    Figure 14 Configuring a new VPN connection

17. Click on the IP button on the top right of the screen.
18. Enter the WAN IP address of the OfficeConnect Cable/DSL Secure Gateway.
19. Click on the button (directly below the IP button).
20. Click New.


    Figure 15 Adding a new remote network

21. Enter a descriptive name for the network in the Network Name field.
22. Enter the private network address and subnet mask that you wish to access through the VPN tunnel. This would normally be the Local Network behind the OfficeConnect Cable/DSL Secure Gateway.
23. Click OK.
24. Next, select the new key from the Authentication Key drop-down menu.
25. Check the Use legacy proposal checkbox.
26. Click Properties.


    Figure 16 General information about VPN connection

27. Ensure that the correct Authentication key is selected.
28. Click on the Settings button under IPSec/IKE Proposal; a new pop-up window will appear.

    Figure 17 Specific details of VPN connection


29. Select both an IKE and an IPSec proposal.

IKE Proposal

Encryption Algorithm - select either DES or 3DES. This MUST match what was selected for the OfficeConnect Cable/DSL Secure Gateway configuration.

Integrity Function - select either MD5 or SHA-1.

IKE Mode - select aggressive mode.

IKE group - select either MODP Group 1 or 2. This is the equivalent of the Diffie-Hellman group specified in the OfficeConnect Cable/DSL Secure Gateway. The same group must be configured at both ends of the tunnel.

IPSec Proposal

Encryption algorithm - select the same as specified for the IKE Proposal and the OfficeConnect Cable/DSL Secure Gateway.

Integrity Algorithm - if MD5 was selected in the IKE Proposal, select HMAC-MD5. If SHA-1 was selected in the IKE Proposal, select HMAC-SHA-1.

IPSec Mode - greyed out, as tunnel is the only option.

PFS Group - select None.

30. Click OK until the main Policy Editor screen is visible.
31. Click on Apply to save the VPN configuration.
32. The VPN connection should now be configured. Click on the Apply button to save the configuration.

To test the VPN connection, go to VPN Connection and highlight the newly configured VPN. Click the Diagnostics button in the bottom right of the screen. The VPN client will attempt to connect to the OfficeConnect Cable/DSL Secure Gateway and will give either a pass or fail.

If there is a failure, check that both the VPN client and OfficeConnect Cable/DSL Secure Gateway configurations are correct. If the diagnostics pass then the tunnel is configured correctly.

    To initiate a VPN tunnel using the SSH Sentinel VPN Client

Right click on the Sentinel icon in the System tray at the bottom right of the screen (blue square with three smaller white squares inside).
Choose Select VPN.
Highlight the VPN that you wish to initiate and click the left mouse button.
The VPN will then connect.

    To disconnect a VPN tunnel using the SSH Sentinel VPN Client

Right click on the Sentinel icon in the System tray at the bottom right of the screen (blue square with three smaller white squares inside).
Choose Select VPN.
Highlight the VPN that you wish to disconnect and click the left mouse button.
The VPN will then disconnect.


Configuring the Safenet SoftPK VPN Client

Launching the VPN Client

1. To launch the VPN client, select SafeNet Soft-PK from the Windows Start menu and select Security Policy Editor.
2. Select New Connection in the File menu at the top of the Security Policy Editor window.

The security policy may be renamed by highlighting New Connection in the Network Security Policy box and typing the desired security policy name.

    Figure 18 Safenet SoftPK VPN Client

Configuring Connection Security and Remote Identity

1. Select Secure in the Connection Security box on the right side of the Security Policy Editor window.
2. Select IP Subnet in the ID Type menu.
3. Type the Gateway LAN Network Address in the field immediately below ID Type.
4. Type the LAN Subnet Mask in the Port field.
5. Select All in the Protocol field to permit all IP traffic through the VPN tunnel.
6. Check the Connect using Secure Gateway Tunnel checkbox.
7. Select IP Address in the ID Type menu at the bottom of the Security Policy Editor window.
8. Enter the Remote Gateway WAN IP Address in the IP Address field.

Information such as the Gateway LAN Network Address, Subnet Mask and WAN IP Address can be found by looking at the LAN Settings and Internet settings pages of the Secure Gateway Web GUI.


    Figure 19 Configuring a VPN connection

Configuring VPN Client Security Policy

1. Click New Connection in the Network Security Policy box on the left side of the Security Policy Editor window. My Identity and Security Policy should appear below New Connection.
2. Click Security Policy in the Network Security Policy box. A window similar to Figure 10 will be displayed.
3. Select Aggressive Mode in the Select Phase 1 Negotiation Mode box.
4. Leave the Enable Perfect Forward Secrecy (PFS) checkbox unchecked.
5. Check the Enable Replay Detection checkbox to enable replay-detection auditing.


    Figure 20 Configuring authentication for VPN tunnel

Configuring the VPN Client Identity

1. Click My Identity in the Network Security Policy box on the left side of the Security Policy Editor window. A window similar to Figure 11 appears.
2. Choose None in the Select Certificate menu on the right side of the VPN client window.
3. Select E-Mail Address in the ID Type menu.
4. Type the Remote User ID (as specified in the Secure Gateway) in the field below the ID Type menu.
5. Select PPP Adapter in the Name menu if you have a dial-up Internet account. Select your Ethernet adapter if you have a dedicated Cable, ISDN or DSL line.
6. Click the Pre-Shared Key button.
7. Click the Enter Key button in the Pre-Shared Key dialog box. Then enter the Gateway's Shared Secret in the Pre-Shared Key field and click OK. Note that this field is case sensitive.

    Figure 21 Entering a preshared key


    Figure 22 Configuring the authentication encryption level of the VPN connection

Configuring VPN Client Authentication Proposal

1. Double click Security Policy in the Network Security Policy box to display Authentication and Key Exchange.
2. Double click Authentication. Then select Proposal 1 below Authentication.
3. Select Pre-Shared Key in the Authentication Method menu.
4. Select DES or 3DES in the Encrypt Alg menu, depending on which encryption method you chose in the Gateway Security Association.
5. Select MD5 or SHA-1 in the Hash Alg menu. This must be identical to what is entered in the Gateway.
6. Select Seconds in the SA Life menu and enter 600.
7. Select Diffie-Hellman Group 1 or Group 2 in the Key Group menu. This must be identical to what is entered in the Gateway.


    Figure 23 Configuring the data encryption level of the VPN connection

Configuring VPN Client Key Exchange Proposal

1. Double click Key Exchange in the Network Security Policy box. Then select Proposal 1 below Key Exchange.
2. Select Seconds and specify 600 in the SA Life menu.
3. Select None in the Compression menu.
4. Check the Encapsulation Protocol (ESP) checkbox.
5. Select DES or 3DES in the Encrypt Alg menu, depending on which encryption method you chose in the Gateway VPN configuration.
6. Select MD5 or SHA-1 in the Hash Alg menu. This must be identical to what is entered in the Gateway.
7. Select Tunnel in the Encapsulation Method menu.
8. Leave the Authentication Protocol (AH) checkbox unchecked.

Now save all your changes.

You have now set up the VPN Tunnel. After completing the VPN client configuration, the Administrator may securely manage the remote Gateway by entering the Gateway LAN IP Address in a browser on the computer running the VPN client software. The Gateway VPN Client may also access remote resources by locating servers or workstations by their remote IP addresses.


Configuring the OfficeConnect Cable/DSL Secure Gateway to connect with the 3Com Firewall VPN client application for Windows XP

To configure the OfficeConnect Cable/DSL Secure Gateway to connect with the 3Com Firewall VPN client for Windows XP, the same configuration steps must be taken as for a Gateway-to-Gateway connection, as described in Configuring a VPN tunnel between two OfficeConnect Cable/DSL Secure Gateways above.

The IP address of the XP machine must be known to enable this connection; therefore this solution is not recommended for remote connections that have a dynamic IP address. If connecting from a dynamic IP address using an XP machine, use the SSH Sentinel VPN client.

    Configuring the 3Com Firewall VPN client application for Windows XP

Install the application. (3cxpvpn.exe can be downloaded from www.3com.com.) Once installed, launch the application from the Start Menu by selecting Programs -> 3Com -> 3Com Firewall VPN. The application will then launch.

    Figure 24 3Com Windows XP VPN client

    Click on the Show Configuration button

    Figure 25 Details of VPN connection

    Enter the WAN IP address of the Secure Gateway in the Firewall IP address field


Select Network Address and Mask from the pull-down menu under Private LAN IP.

Enter the LAN network address and subnet mask. This information can be found on the LAN settings page of the OfficeConnect Cable/DSL Secure Gateway Web Interface.

Select either DES or 3DES from the pull-down menu for encryption type. This must be the same as is specified on the OfficeConnect Cable/DSL Secure Gateway VPN configuration.

Select either MD5 or SHA-1 from the pull-down menu as the Authentication type. This must be the same as is specified on the OfficeConnect Cable/DSL Secure Gateway VPN configuration.

Enter 600 as the SA Lifetime.

Enter the Shared Secret as specified in the OfficeConnect Cable/DSL Secure Gateway VPN configuration. This will not be displayed in clear text and so will not be visible.

Once you are sure that the configuration is correct, click on the Save button. A pop-up window will appear asking for a local password. This is to ensure that only authorised users can access the VPN. Select a password and click OK.

To connect to the remote network through the VPN tunnel you must first enable the configuration that has been saved. Launch the 3Com Firewall VPN client application.

Enter the password in the empty field and click Connect. The next time you try to connect to the remote network the VPN tunnel will automatically be initiated.