Page: 1

RSA Keon Ready Implementation Guide For VPN Products Last Modified June 20, 2002

1. Partner Information

Partner Name: Stonesoft Corp.

Web Site: www.stonesoft.com

Product Name: StoneGate Firewall

Version & Platform: 1.7.2

Product Description: StoneGate is the first firewall and VPN solution offering high security, high performance and availability. It features: An embedded OS for increased security. Multiple ISP and VPN load balancing to ensure continuous network connectivity. Advanced centralized administration tools for enterprise-wide management of the firewall infrastructure.

Product Category: Virtual Private Networks (VPN) Interaction with Keon Certificate Authority

2. Contact Information

Sales contact: Email [email protected], Web www.stonesoft.com

Support contact: Email [email protected], Web www.stonesoft.com

Page: 2

3. Product Requirements

Hardware requirements

Component Name: StoneGate Management System
CPU make/speed required: Pentium processor, suggested minimum processor speed 500 MHz
Memory: 256 MB or more recommended
HD space: 4 GB for evaluation (20 GB or more for production use)

Component Name: StoneGate Firewall Engine
CPU make/speed required: Pentium processor, suggested minimum processor speed 500 MHz
Memory: 256 MB or more recommended
HD space: 4 GB for evaluation (20 GB or more for production use)

Software requirement

Component Name: StoneGate Management System
Operating System and Version (Patch-level):
Windows NT 4.0 Service Pack 6a
Windows 2000 Service Pack 2
Sun Solaris 2.6 & 2.7
RedHat Linux 7.0, 7.1 and 7.2

Component Name: StoneGate Firewall Engine
Operating System: Linux-based, provided with product
Version (Patch-level): 1.7.2

Stonegate System Architecture

Page: 3

4. Product Configuration

Keon CA’s installable elements required for interoperability

RSA Keon CA (KCA) requires no extra software or hardware for use with the StoneGate Firewall.

Keon CA’s configurable elements required for interoperability

The StoneGate Firewall uses the manual PKCS#10 certificate enrollment method.

The signing algorithm for this CA may be either RSA / MD5 or RSA / SHA1.

The KCA signing CA’s extension profile may contain any number of extensions, chosen from a collection defined in the CA’s “Extension Profile” list.

CA creation

To create a new CA you must first select an issuer and a jurisdiction. The following instructions describe how to create both a CA and a jurisdiction with the appropriate attributes to sign StoneGate Firewall certificate requests.

1. From the CA Operations Workbench select create from the Local CAs option list and click Next>. See Figure 1.

Figure 1.

2. Select Extension Profiles from the Sections drop-down menu on the Jurisdiction Configuration page. See Figure 2.

Figure 2.

Page: 4

3. For the General Profile Policy options:

a. Select the Request can select checkbox.

b. Select the Vettor can override checkbox.

For the Profile Choices: Select at least the VPN/IPsec profile. See Figure 3.

Figure 3.

4. Click Save and Exit.

Note: Both the Certificates Attributes and External Publishing Configuration default values can remain as they are. Please see the KCA Administrators Guide for further information on creating CAs and Extension Profiles.

5. Complete the remainder of the CA creation tasks:

a. Define the CA’s Distinguished Name. See Figure 4.

Figure 4.

b. Select the appropriate Signing Algorithm (RSA/SHA1 or RSA/MD5) and Key Size.

c. Select a desired CA certificate profile and additional extensions. These are optional, i.e. not required to achieve interoperability with the StoneGate Firewall.

d. Provide an Encryption Passphrase to protect the newly generated CA private key.

Page: 5

RSA Keon CA (KCA) Local CRL publishing settings

The StoneGate Firewall supports user certificate status checking via Certificate Revocation Lists (CRLs), published to the KCA’s local LDAP repository. The following steps define how to configure the CA, created in the previous section, to publish its CRL to the local directory.

1. From the CA Operations Workbench, select your VPN’s CA from the drop-down menu.

2. Scroll down to the CA Configuration: options and click on the CRL publishing button.

Figure 5.

3. Select Enable local CRL publishing: from the configuration screen.

4. Select the Publish to LDAP server radio button.

5. Click the Modify Configuration button to save the changes.

StoneGate Firewall CRL Retrieval Configuration

1. Via the StoneGate Management System edit the Security Gateway Settings. See Figure 6.

Figure 6.

2. Click on the Add LDAP…. button and add the URL of your RSA Keon CA LDAP server.

Page: 6

Extension Profile Settings

StoneGate Firewall Gateway and Client end entity certificates require a number of additional extensions, which are not assigned with the default VPN/IPsec profile. To enable KCA to assign these extensions to the certificates it generates, you must either amend the default VPN/IPsec profile or create a new profile based on the default one and then add the required extensions. The following instructions describe the amendment of the default VPN/IPsec profile.

Note: If you choose to create a new profile you will need to revisit your CA’s Jurisdiction Configuration page and add the new profile as one of your Profile Choices: see Figure 3.

1. Select the System Configuration Workbench and select Extension Profiles from the General option list. See Figure 7.

Figure 7.

2. Select the VPN/IPsec profile from the Existing Profiles: and click on the Profile Operations: Edit button.

3. Ensure that either the End Entity or the Both Profile Type: radio button is checked.

4. Check the M (for Mandatory) Extension Name radio button for the following Extensions:

a. CRL Distribution Points – Figure 8.

Figure 8.

b. Subject Alternative Names – Figure 9.

Figure 9.

5. Finally click Save to accept changes.

Page: 7

5. Product Operation

Keon CA’s operational elements

Adding trusted CA to the StoneGate Firewall security gateway

Use the following steps to import the signing CA certificate from the KCA enrollment server to StoneGate Firewall’s trusted CA list.

1. Browse to your KCA enrollment page and select CA Options from the General Operations: list. See Figure 10.

Figure 10.

2. From the resulting RSA Keon CA Signer Options: page scroll down to the Save the CA, CRL Signer, or OCSP Signer Certificate to a File section. See Figure 11.

Figure 11.

3. Select PEM or DER-encoded certificate format and click on Save CA Cert…

Page: 8

From the StoneGate Management System, import the KCA signing CA certificate via the Certificate Authorities interface.

1. Define an appropriate name for the KCA CA Certificate to be imported in the Name: field.

2. Click on Import and select the CA certificate file created in the previous three steps. See Figure 12.

Figure 12.

3. Click on Add to store this CA certificate within the StoneGate Management System.

Finally define the KCA CA as one of the StoneGate Gateway’s Trusted Certificate Authorities.

1. From the Security Gateway Properties screen, select the Keon CA and click Add. See Figure 13.

Figure 13.

Page: 9

Making a PKCS#10 certificate request for the Security Gateway

To generate a new certificate request:

1. Via the VPN Manager screen, select the Security Gateway View. See Figure 14.

2. Select the appropriate gateway and right-click on the highlighted icon to display its associated contextual menu.

Figure 14.

3. Select New > Certificate Request. The New Certificate Request dialog box opens. See Figure 15.

Figure 15.

4. Enter the name of your organization in the Organization: field.

5. Specify the country code in the Country field.

6. Specify a certificate name in the Common Name field. For a user certificate, it can be Firstname Lastname. For VPN gateways, it can be any descriptive name (e.g., Enterprise Cluster).

7. Modify the requested key length in the Key Length field if necessary. By default, a 1024-bit key is requested.

8. Select the type of requested key with the Key Type radio buttons. Type RSA with SHA-1.

9. Click OK to validate the request. The firewall generates the certificate request for the selected security gateway and displays the certificate request icon under its security gateway.

Page: 10

10. Select the Certificate Request icon under its security gateway and right-click to display the contextual menu.

11. Select Properties from the menu and click on Export to save the certificate request to a file. See Figure 16.

Figure 16.

Submitting StoneGate Security Gateway PKCS#10 Certificate Request for KCA signing

Use the following steps to submit the gateway’s PKCS#10 request to the KCA enrollment server:

1. Browse to your KCA enrollment page and select your CA from the Jurisdiction Operation dropdown list. Select Continue. See Figure 17.

Figure 17.

2. Click Make a PKCS#10 Certificate request.

Page: 11

3. Either Browse.. to the file saved during step 11 on page 10 or cut and paste the certificate request’s PEM encoded information into the text message field. See Figure 18.

Figure 18.

4. Finally complete the certificate enrollment process by selecting the Submit PKCS#10 Request button. If successful, the following screen will inform you that your request has been accepted.

Approval of StoneGate Security Gateway PKCS#10 Certificate Request

1. From the KCA Administration Console select the Certificate Operations Workbench.

2. View your jurisdiction’s active requests.

3. Select the active request that you have just generated in the previous steps. See Figure 19.

Figure 19.

Page: 12

4. Enter the certificate’s name and the validity details. See Figure 20.

Figure 20.

5. Select the VPN/IPsec from the profile dropdown menu list and click Issue Certificate. See Figure 21.

Figure 21.

6. On the following screen (See Figure 22.) specify:

a. extKeyUsage: Specify the number of the object identifiers to be indicated in the extension.

b. SubjectAltNames: Specify the number of names to be included in the sequence. In this example two is entered as there are two external Cluster IP-addresses assigned to the security gateway.

Page: 13

Figure 22.

7. On the Client Certificate Extension Values page, select the correct type for the SubjectAltNames value. As this certificate is for the security gateway select iP Address and click Next. See Figure 23.

The Type value depends on the identity of the host. Use the e-mail identity (rfc822Name) for the VPN clients and IP address identity (iP address) for the security gateway. Click Next.

Figure 23.

Page: 14

8. Select the following keyUsage: digital signature is mandatory. See Figure 24.

9. Select the subjectAltNames as critical and input the IP-addresses of your security gateways. See Figure 24. Accept the remaining user prompts to complete the certificate issuance.

Figure 24.

10. Select view Certificate (PEM format): and copy and paste the PEM encoded certificate data into a text editor such as MS Notepad. Save this then as a *.pem file. See Figure 25.

Figure 25.

Importing the requested Security Gateway Certificate

1. Via the StoneGate VPN Manager, click the Gateways and Sites tab. See Figure 14.

2. In the Security Gateway View, select the Certificate Request icon under your security gateway and right-click to display the contextual menu.

3. Choose Properties to open the Certificate Request properties screen.

4. Click Import and select the signed certificate (*.pem file) created in step 10. See Figure 26.

Page: 15

Figure 26.

5. From the Signed By: pull-down menu select your trusted KCA signing CA certificate, which you defined on page 8.

6. Click OK to validate. The signed certificate is displayed with an icon under the gateway it was signed for. See Figure 27.

Figure 27.

7. Reboot all firewall nodes to ensure that they share the same certificate information.

Page: 16

Configuring the Mobile User VPN for Certificate Authentication

The following section assumes that you have already configured the basic components of your Mobile User VPN. For more information, please refer to the StoneGate manual.

To set the Mobile User VPN for certificate authentication:

1. In the VPN Manager, click the VPNs tab. See Figure 28.

2. In the VPN View, select the Mobile User VPN and right-click to display the contextual menu.

Figure 28.

3. Choose Properties to open the VPN Editor and set VPN properties.

4. Double click on the IKE cell in the left panel to specify the IKE Phase 1 settings. See Figure 29.

Figure 29.

Note: In the Mode column, determine which tunnel must be active between the Client and one of the security gateway end-points. Click on the Mode icon and select Normal. The tunnel icon is displayed as active on the table. Only one end-point to end-point tunnel can be active at the same time for mobile VPN. If you try to enable another tunnel, the active one is automatically switched to disabled Mode.

5. Uncheck the Allow Hybrid Authentication box. This is mandatory to enable certificate authentication with roaming users. Click OK to validate the settings. See Figure 30.

Page: 17

Figure 30.

To define individual users and their authentication service:

1. Open the User Manager to define all users that need remote access through the VPN.

2. Select the StoneGate internal domain and right-click to display the contextual menu.

3. Choose New>User. See Figure 31.

Figure 31.

4. Add the Username. Select the validity of user properties. Check the Always Active box.

5. Click on the Authentication tab to start defining authentication settings. See Figure 32.

Page: 18

Figure 32.

6. Select IPsec certificate in the Authentication Service panel and click Add to bind this authentication service to the user. Add also your Alternative Subject Name. See Figure 33.

Figure 33.

Defining Access Rules for Mobile VPN Users

To define an access rule for mobile VPN users:

1. Open the Security Policy Manager and choose Policy>New... in the menus to create a Mobile User Policy. See Figure 34.

2. In Source cell, drag and drop the selected network element from the Repository View.

3. In Destination cell, drag and drop the network(s) and/or host(s) you used to define the VPN site of the security gateway.

4. In Service cell, select Any or any other service.

5. In Action cell, choose Enforce VPN action to select which VPN to use.

Page: 19

Figure 34.

Specifying Users and Authentication Parameters for Access Rules

To apply access rules to a user or group:

Drag and drop the users or group of users you want to specify onto the Users cell.

To set authentication parameters:

1. Double-click on the Authentication cell of the rule to configure the authentication parameters of a rule for the mobile user VPN.

2. Set the Authentication method:

Check Require Authentication box. The rule allows traffic if there was successful client-initiated authentication from a remote client to the security gateway. See Figure 35.

3. Set the Authorization method:

Select Client IP to allow any connection from a determined IP address until time-out expiration.

Set the Time-out. Once the time-out has expired, the client is prompted again for authentication before the remote VPN session can continue. This time-out must be set to ensure that the rule remains valid in case the negotiation of VPN tunnels would be delayed.

Figure 35.

4. Click Authentication Services tab to select the authentication services that are available with this rule. See Figure 36.

Page: 20

Figure 36.

5. Click OK to validate the parameters for the rule.

6. Click Save and Install button to download the policy on the security gateway.

Client (End User) Download of StoneGate VPN Configuration

To download and activate a VPN configuration:

1. Click Configuration on the main page of the VPN Client to display the VPN Configuration page. See Figure 37.

Figure 37.

2. Click Download Client Configuration to display the Download Configuration page. See Figure 38.

Figure 38.

Page: 21

3. Specify the IP address of the security gateway you want to reach and click Continue... to initiate the configuration download. See Figure 39.

Figure 39.

4. The VPN Client displays the Authentication Required page where you respond to the security gateway’s request for authentication. See Figure 40.

5. Specify your username in the Username field.

6. Specify the domain name in the Domain field. It is required if you do not belong to the default domain of the management server. Please ask your network administrator for more information.

Figure 40.

7. Specify your password in the Password field. If you are using a SecurID card, you enter the digits generated by your SecurID Token.

8. Click Submit. Once authentication succeeds, the VPN Client confirms that the configuration was downloaded successfully and automatically opens the Activate VPN page. See Figure 41.

9. Select the VPN configuration you want to activate on your VPN Client.

10. The StoneGate VPN Client confirms that the Policy Manager is being restarted before returning to the main page.

Page: 22

Figure 41.

Client (End User) Certificate Request Generation

Note: When the certificate request, generated in the following steps, is submitted to KCA for signing, it will be listed as anonymous in the KCA Active Request queue.

To generate a certificate request:

1. Click Create a New Certificate Request on the VPN Configuration page. See Figure 42.

Figure 42.

2. Specify the User Name based on the typical user@domain syntax. Specify a passphrase in the Passphrase field. See Figure 43.

Figure 43.

3. Click the Generate Certificate Request... button to create the certificate request and a private key. The Download Certificate Request page opens to confirm the successful generation of both private key and certificate request.

Page: 23

4. Click Download Private Key and store the private key file in the following directory: C:\Program Files\Stonesoft\StoneGate VPN Client\cfg\client-privatekey.pem. See Figure 44.

5. Click Download Certificate Request to open a Save As window and save the file. Deliver the request file to your Certificate Authority for signing and after that store the CA signed certificate into: C:\Program Files\Stonesoft\StoneGate VPN Client\cfg\client-certificate.pem.

The VPN client certificate request can then be submitted to the KCA server for signing. The submission method used is identical to the steps used to enroll for the security gateway certificate. See pages 10 to 14 of this guide for further details.

Note: The only difference between the security gateway and client certificate creation is that the client certificate requires a subjectAltName value of rfc822Name rather than iP Address.

Figure 44.
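A pre-import check for the gateway certificate issued in the steps on pages 12 to 14 and for the client certificate described in the note above, added here as an example (it is not part of the original guide and is not RSA or Stonesoft code). It assumes the openssl command-line tool is installed; the function names, and the constructed sample certificate with its addresses and host names, are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide. Needs the openssl CLI.

# make_sample_cert OUTFILE SAN
# Writes a CONSTRUCTED self-signed certificate (RFC 5737 addresses, .test
# names) that stands in for a KCA-issued one so the checks can run offline.
make_sample_cert() {
    out=$1 cnf=$1.cnf
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
O = Example Org
C = FI
CN = Enterprise Cluster
[ext]
subjectAltName = $2
keyUsage = digitalSignature
crlDistributionPoints = URI:ldap://kca.example.test/crl
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -keyout "$out.key" -out "$out" >/dev/null 2>&1
}

# Print the line that follows the "X509v3 <name>" header in a text dump.
ext_value() { printf '%s\n' "$1" | grep -A1 "X509v3 $2" | tail -n 1; }

# check_cert FILE ROLE   (ROLE: gateway | client)
# Prints one line per check; the return status is the number of failures.
check_cert() {
    file=$1 role=$2 fails=0
    case $role in
        gateway) want='IP Address:' ;;   # iP Address identity
        client)  want='email:' ;;        # rfc822Name identity
        *) echo "FAIL: unknown role '$role'"; return 1 ;;
    esac
    text=$(openssl x509 -in "$file" -noout -text 2>/dev/null) ||
        { echo "FAIL: $file is not a readable certificate"; return 1; }

    # subjectAltName must carry the identity type the role calls for.
    case $(ext_value "$text" 'Subject Alternative Name') in
        *"$want"*) echo "ok:   subjectAltName contains $want" ;;
        *) echo "FAIL: subjectAltName has no $want entry"; fails=$((fails + 1)) ;;
    esac
    # The issuance steps mark subjectAltNames as critical.
    if printf '%s\n' "$text" | grep -q 'Subject Alternative Name: critical'; then
        echo "ok:   subjectAltName is critical"
    else
        echo "FAIL: subjectAltName is not critical"; fails=$((fails + 1))
    fi
    # CRL Distribution Points is mandatory in the amended VPN/IPsec profile.
    if printf '%s\n' "$text" | grep -q 'X509v3 CRL Distribution Points'; then
        echo "ok:   CRL Distribution Points present"
    else
        echo "FAIL: CRL Distribution Points missing"; fails=$((fails + 1))
    fi
    # keyUsage: digital signature is mandatory.
    case $(ext_value "$text" 'Key Usage') in
        *'Digital Signature'*) echo "ok:   keyUsage has Digital Signature" ;;
        *) echo "FAIL: keyUsage lacks Digital Signature"; fails=$((fails + 1)) ;;
    esac
    # Report the signature algorithm and key size; MD5 and SHA-1 signatures
    # are flagged because both hashes have practical collision attacks.
    alg=$(printf '%s\n' "$text" | sed -n '/Signature Algorithm:/{s/.*: *//p;q;}')
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    echo "info: signed with $alg, ${bits:-unknown}-bit key"
    case $alg in
        md5*|sha1*) echo "warn: $alg is a weak signature algorithm" ;;
    esac
    return "$fails"
}

# With two arguments, check a real file; otherwise run on constructed input.
if [ "$#" -eq 2 ]; then
    check_cert "$1" "$2"
else
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/gw.pem" 'critical,IP:192.0.2.10,IP:192.0.2.11'
    check_cert "$tmp/gw.pem" gateway
    rm -rf "$tmp"
fi
```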

Using unique certificates with each VPN configuration

In case the security gateways you connect to do not trust the same Certificate Authority (CA), it is possible to store the certificate signed by each CA and the private key of your client into the configuration folders downloaded from each security gateway.

To install a certificate and private key for each configuration:

1. Store the private key file in the following directory:

C:\Program Files\Stonesoft\StoneGate VPN Client\cfg\<gateway ip addr >\client-privatekey.pem

2. Store the CA signed certificate into:

C:\Program Files\Stonesoft\StoneGate VPN Client\cfg\<gateway ip addr >\client-certificate.pem.

Creating Advanced Certificate Requests

You can also generate certificates that can be used for purposes other than authenticating yourself to StoneGate security gateways. If required, you need to generate an advanced certificate request where you can tune several settings. To learn more about Creating Advanced Certificate Requests, please refer to the StoneGate manual.

Page: 24

VPN Connection Testing

To authenticate when certificate exchange is used:

1. Connect to a protected site behind the StoneGate gateway via telnet, http, ftp, etc.

2. The VPN Client Enter Passphrase page will be displayed. See Figure 45.

3. Enter the Passphrase and click Submit.

Figure 45.

4. The VPN Client displays Private key loaded successfully and VPN tunnel is ready for use. See Figure 46.

Figure 46.

Checking the VPN Status Indicator

The VPN Status Indicator integrated into the web browser of the VPN Client provides access to status and statistical information on active VPN connections.

Accessing Status Summary Information

A summary of statistics related to negotiated IKE SAs and to the volume of encrypted traffic exchanged via the tunnels is available on your VPN Client web browser.

To access VPN Client status summary information:

1. Click VPN Status on the main page to access the summary information page on IKE SA and traffic statistics.

2. Click Reset Counters to clear all summary information from this page.

3. Click Show Certificate to display the certificate information.

Page: 25

Figure 46.

Clustered multi-link site to site VPN load balancing

To enable StoneGate Firewall’s site-to-site VPN tunnel using certificates, please refer to the StoneGate manual.

The certificate enrollment method used is the same as that used for obtaining certificates for the security gateway and for the VPN clients.

Each end-point must use a certificate signed by the same CA.

It should be noted that each StoneGate site is configured with its own independent connection to the same KCA’s CRL server.

Page: 26

6. Certification Checklist for VPNs

Date Tested: <May/23/2002>

Product Tested | Version
Keon Certificate Authority | 6.0
StoneGate Firewall & VPN Client | 1.7.2

Test Case | Gateway | Partner’s Client

Enrollment

Certificate Enrollment:
P10 Certificate Request | P | P
P7 Response installed correctly | N/A | N/A
SCEP Certificate Request | N/A | N/A
SCEP Response installed correctly | N/A | N/A

Importation:
Import certificate via P12 | N/A | N/A
V3 certificate installed correctly | P | P

CA Trust:
Install v3 Root CA via cut/paste | P | P
Install v3 SubCA via cut/paste | P | P
Install v3 Root CA via SCEP | N/A | N/A
Install v3 SubCA via SCEP | N/A | N/A
Verify cert chain is installed | P | P

GJC

*P=Pass or Yes F=Fail N/A=Non-available function

Test Case | Gateway | Partner’s Client

Connectivity (w/ status check)

Connectivity:

Basic level
Use certificate (authentication) | P | P
Use certificate for IPSec tunnel | P | P

Advanced level
IP Address assignment | P | P
DNS address assignment | N/A | N/A
WINS address assignment | N/A | N/A
Access resources on network (web) | P | P

Status Check (w/IPSec tunnel):
Success with a valid certificate | P | P
Fails - revoked certificate | P | P
Fails - suspended certificate | F | F
Success - reinstated certificate | F | F

*P=Pass or Yes F=Fail N/A=Non-available function

Page: 27

7. Known Issues

If the StoneGate product certificate has been signed by a subordinate CA, the associated Root CA certificate must also be imported into the StoneGate Trusted CA list.