TeamF1 V-IPSecure - Virtual Private Network Consortium
Contents
1. [Cover page: V-IPSecure Embedded IPsec/IKE Configuration Guide. User Manual. www.TeamF1.com, "Enabling Embedded Innovations". © 2006 TeamF1 Inc. Reproduction in whole or part without written permission is prohibited.]
V-IPSecure Embedded IPsec/IKE Configuration Guide for Example Scenarios
V-IPSecure is a high-performance, lean and flexible implementation of the IPsec protocol suite, which provides the IP extensions needed for security services at the network layer. V-IPSecure provides a high-quality, cryptography-based secure communication channel on embedded systems. Its end-to-end securing of IP datagrams prevents access to, or modification of, any information above the IP layer while it passes through intermediate nodes in a public network. This enables secure virtual private networks (VPNs) to be carved out of a public and/or insecure network. Designed exclusively for embedded use, V-IPSecure's robust and configurable implementation makes it an ideal fit for embedded devices such as Internet appliances, VPN gateways, secure terminals, routers and other net
2. CRL (Certificate Revocation List) files show which certificates are active and which have been revoked and are no longer valid. Each CA issues its own CRLs. You may obtain the CRL for each CA and upload it.
[Figure 16: Setting up a CRL. Screenshot of the Certificate Revocation Lists (CRL) table with columns CA Identity, Last Update and Next Update, and "select all" / "delete" controls.]
3. Choose the Local IP type from the drop list:
Any: Specifies that the policy being created is for traffic from the given end point (local or remote). Note that selecting ANY for both local and remote end points is not valid.
Single: Limit to one host. Requires the IP address of the host that will be part of the VPN.
Range: Select if you want to allow computers within an IP address range to connect to the VPN. Requires a Start IP address and an End IP address.
Subnet: Requires the network address and subnet mask of a subnet.
Manual Policy Parameters
SPI Incoming / SPI Outgoing: Takes a hexadecimal value between 3 and 8 characters, for example 0x1234.
Encryption Algorithm: The algorithm used to encrypt the data.
Integrity Algorithm: Algorithm used to verify the integrity of the data.
Encryption Key In: Encryption key of the inbound policy. The length of the key depends on the algorithm chosen.
Encryption Key Out: Encryption key of the outbound policy. The length of the key depends on the algorithm chosen.
Integrity Key In: The integrity key for ESP with Integrity mode for the inbound policy; its length depends on the algorithm chosen.
Integrity Key Out: The integrity key for ESP with Integrity mode for the outbound policy; its length depends on the algorithm chosen.
Auto Policy Parameters
SA Lifetime: The lifetime of a Security Association can either be
4. VPN Consortium's (VPNC) recommendations. The values can be viewed by clicking on the "VPN Wizard Default Values" link at the top of the page. The following parameters can be set up on the V-IPSecure enabled target, and corresponding values entered on the other side of the tunnel (the remote gateway or client).
Connection Type: This VPN tunnel can connect to another peer gateway or to a client. Select Gateway to create a tunnel to another VPN gateway. Select Client (IPsec Host) to set up this router for access by remote PCs running VPN client software.
Connection Name and Remote IP Type
Name: Enter a name for the connection. The name is used for management only.
Pre-shared Key: The length of the pre-shared key is between 8 characters and 49 characters, and it must be entered exactly the same here and on the remote VPN Gateway or Client.
Remote IP Address or the Internet Name
Remote WAN's IP Address or Internet Name: Enter the IP address of the remote peer. Alternatively, you can also specify the Internet name of the peer. The Internet name is defined as the Fully Qualified Domain Name (FQDN), e.g. vpn.TeamF1.com.
Local WAN IP Address or Internet Name: Enter the IP address or Internet name of the local WAN port. This field can be left blank if you are not using a different FQDN or IP address than the one specified in the WAN port's configuration. To use a differ
5. given in the previous scenario, with the exception that the identification is done with signatures authenticated by PKIX certificates.
[Figure 12: IKE Policy with RSA Signature Authentication. Screenshot of the IKE SA Parameters panel: Encryption Algorithm 3DES, Authentication Algorithm SHA-1, Authentication Method (Pre-shared key / RSA Signature), Diffie-Hellman (DH) Group: Group 1 (768 bit), SA Lifetime (sec): 28800.]
PKIX certificates are used to authenticate the identity of the VPN peer and are issued by various Certification Authorities (CAs). When a remote VPN gateway or client presents a digital certificate, the authentication process verifies that the presented certificate was issued by one of the trusted authorities. The first step in creating a certificate for the gateway is to generate a certificate request. The Certificate Signing Request (CSR) file needs to be submitted to the CA, who will then generate a certificate for this gateway.
Generating a self-certificate request
1. In the Generate Self Certificate Request section of the Certificates page, enter the required data:
Name: Enter a name that will identify this certificate.
Subject: This is the name which other organizations will see as the owner of the certificate. The Subject field will populate the CN (Common Name) entry of the generated certificate. Subject names are usually defined in
6. specified in seconds or kilobytes. If specified as time, it is the interval after which the Security Association becomes invalid; the SA is renegotiated after this interval. If specified in kilobytes, the SA is renegotiated after the specified number of kilobytes of data has been transferred over the SA. It is recommended that the lifebyte specifications be very large numbers or be left blank.
Encryption Algorithm: The algorithm used to encrypt the data.
Integrity Algorithm: Algorithm used to verify the integrity of the data.
PFS Key Group: Enable Perfect Forward Secrecy (PFS) to improve security. While this is slower, it will ensure that a Diffie-Hellman exchange is performed for every phase 2 negotiation.
Select IKE Policy: Choose the IKE policy that will define the characteristics of phase 1 of the negotiation.
Example Setup
The screenshots below show the setup for a sample VPN policy using the VPN Policy Editor, using the following parameters for an auto policy corresponding to the IKE policy shown in the earlier example:
[Parameter table (addresses only partly legible in this scan): General: Name vpn1, Type auto policy, Remote Endpoint; Traffic Selection: Local IP Subnet, Start IP address, Subnet Mask 255.255.255.0; Remote IP Subnet, Start IP, Subnet Mask 255.255.255.0; Auto Policy Parameters: SA lifetime 3600 sec, EncrAlg 3DES, AuthAlg SHA-1, DH Group]
7. the following format: CN=<device name>, OU=<department>, O=<organization>, L=<city>, ST=<state>, C=<country>. For example: CN=router1, OU=my_company, O=mydept, L=SFO, C=US.
Choose the following values:
Hash Algorithm: MD5 or SHA2.
Signature Algorithm: RSA.
Signature Key Length: 512, 1024 or 2048.
2. Complete the optional fields, if desired, with the following information:
IP Address: If you have a fixed IP address, you may enter it here. Otherwise you should leave this field blank.
Domain Name: If you have a domain name, you can enter it here. Otherwise you should leave this field blank.
E-mail Address: Enter your e-mail address in this field.
3. Click the Generate button. A new certificate request is created and added to the Self Certificate Requests table.
4. Click View under the Action column to view the request, copy the contents of the "Data to supply to CA" text box, and save it in a file.
[Screenshot: Generate Self Certificate Request form (Name, Subject, Hash Algorithm MD5, Signature Algorithm RSA, Signature Key Length 512, IP Address (Optional), Domain Name (Optional), E-mail Address (Optional), "generate" button) and the Self Certificate Requests table (Name, Status, Action; select all / delete).] Figure 13: Generating Self C
8. to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.
The IKE Phase 1 parameters used in Scenario 1 are:
- Main mode
- TripleDES
- SHA-1
- MODP group 2 (1024 bits)
- pre-shared secret of hr5xb84l6aa9r6
- SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
The IKE Phase 2 parameters used in Scenario 1 are:
- TripleDES
- SHA-1
- ESP tunnel mode
- MODP group 2 (1024 bits)
- Perfect forward secrecy for rekeying
- SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
- Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets
To set up Gateway A (assumed to be running V-IPSecure software for this scenario), use the steps described below. If Gateway B is also running V-IPSecure, similar steps may be employed to configure it, with the gateway-specific parameters appropriately exchanged.
Step 1: Set up an IKE Policy using the IKE Policy Editor with the following parameters, as explained in the screenshot below:
[Parameter table (continues on the next page of the scan): General: Name (not legible), Direction, Mode Main; Local Identifier type Local WAN IP, Identifier 14.15.16.17; Remote Identifier type Remote WAN IP, Identifier 22.23.24.25; IKE SA
9. [Mirrored auto-policy parameter table, continued from the previous page of the scan: Remote IP Subnet, Start IP (partly legible), Subnet Mask 255.255.255.0; Auto Policy Parameters: SA lifetime 3600 sec, EncrAlg 3DES, AuthAlg SHA-1, DH Group Group 2]
A second example below shows the setup for a sample VPN policy using the VPN Policy Editor, using the following parameters for a manual policy:
[Parameter table (subnet addresses not fully legible in this scan): General: Name vpn1, Type manual policy, Remote Endpoint; Traffic Selection: Local IP Subnet, Start IP address, Subnet Mask; Remote IP Subnet, Start IP, Subnet Mask 255.255.255.0; Manual Policy Parameters: SPI Incoming 0x1234, EncrAlg DES, Key In testtest, Key Out testtest, SPI Outgoing 0x1234, IntAlg MD5, Key In testtestabcdabcd, Key Out testtestabcdabcd]
[Figure 6 screenshot (continues on the next page of the scan): Edit VPN Policy, "Operation succeeded". General: Policy Name vpn1, Policy Type Manual Policy, Remote Endpoint IP Address / FQDN, Enable NetBIOS. Traffic Selection: Local IP Start IP Address 192..., End IP Address, Subnet; Remote IP Start IP Address, End IP Address, Sub
10. IP address, then negotiation is only possible in Aggressive Mode. If FQDN, User FQDN or DER ASN1 DN is selected, the router will disable Main Mode and set the default to Aggressive Mode.
Local
Local Identifier Type: The ISAKMP identifier for the V-IPSecure target. It can be one of the following:
- IP Address: WAN IP address of this router
- Internet Address (FQDN)
- User FQDN
- DER ASN1 DN
Local Identifier: The value of the respective option chosen in the Identifier Type drop list for this router.
Remote
Remote Identifier Type: The ISAKMP identifier for the remote device. It can be one of the following:
- IP Address: WAN IP address of the remote machine
- Internet Address (FQDN)
- User FQDN
- DER ASN1 DN
Remote Identifier: The value of the respective option chosen in the Identifier Type drop list for the remote host.
IKE SA Parameters
The Security Association (SA) parameters define the strength and the mode for negotiating the SA. The fields in the SA are:
Encryption Algorithm: The algorithm used to negotiate the SA, e.g. DES, 3DES, AES-128, AES-192 and AES-256.
Authentication Type: Select Pre-shared Key for a simple password-based key. Selecting RSA Signature will disable the Pre-shared key text box and use the Active Self Certificate uploaded in the Certificates page. In that case a certificate must be configured in order for RSA Sig
11. [Parameter table, continued: IKE SA Parameters: EncrAlg 3DES, AuthAlg SHA-1, Auth Method Pre-shared key, Key hr5xb84l6aa9r6, Life Time 28800 sec]
[Figure 10: Configuring IKE Policy for VPNC Example Scenario 1. Screenshot of the Edit IKE Policy page: Mode Config Record (Do you want to use Mode Config Record? Yes / No; Select Mode Config Record; view selected); General: Policy Name, Direction/Type, Exchange Mode; Local Identifier Type Local WAN IP, Identifier 14.15.16.17; Remote Identifier Type Remote WAN IP, Identifier 22.23.24.25; IKE SA Parameters: Encryption Algorithm, Authentication Algorithm, Authentication Method (Pre-shared key / RSA Signature), Pre-shared key (Key Length 8-49 Char), Diffie-Hellman (DH) Group, SA Lifetime (sec); Extended Authentication: XAUTH Configuration (None / Edge Device / IPsec Host), Authentication Type (User Database), Username, Password; Apply / Reset.]
Step 2: Set up a VPN Policy using the VPN Policy Editor with the following parameters for an auto policy corresponding to the IKE policy in Step 1, as explained in the screenshot below:
[Parameter table (continues on the next page of the scan): General: Name (not legible), Type auto policy, Remote Endpoint 22.23.24.25; Traffic Selection: Local IP Subnet, Start IP address 10.5.6.0, Subnet Mask 255.255.255.0; Remote IP Subnet, Start IP 172.23.9.0, Sub
12. [Figure 4 screenshot, continued from the previous page of the scan: ...ation Algorithm SHA-1; Identifier; Authentication Method Pre-shared key / RSA Signature; Pre-shared key 12345678 (Key Length 8-49 Char); Diffie-Hellman (DH) Group: Group 2 (1024 bit); SA Lifetime (sec): 28800.]
[Figure 4: IKE Policy Editor]
Corresponding to the above example, the following parameters will have to be set on the remote gateway, using the configuration tools for that gateway:
[Parameter table: General: Name ike1, Direction both, Mode main; Local Identifier type Local WAN IP, Identifier (not legible); Remote Identifier type Remote WAN IP, Identifier (not legible); IKE SA Parameters: EncrAlg 3DES, AuthAlg SHA-1, Auth Method Pre-shared key, Key 12345678, Life Time 28800 sec]
VPN Policies
General
The fields in this section are:
Policy Name: A unique name for identifying the policy.
Policy Type: Policy can be either Manual or Automatic.
Remote End Point: The IP address or Internet Name (FQDN) of the remote gateway or client PC.
Enable NetBIOS: Check this to allow NetBIOS broadcasts to travel over the VPN tunnel.
Traffic Selection
Select the IP addresses on the remote and local side that will be part of the tunnel. This can be either a single IP address, several IP addresses in a range, an entire subnet, or any IP address that wants to connect.
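An added example, not TeamF1's code: an offline checker that encodes the constraints this guide states for VPN policy traffic selection (above) and for the manual policy parameters and key lengths described elsewhere on this page (SPI of 3 to 8 hex characters, DES 8 / 3DES 24 / MD5 16 / SHA-1 20 character keys, pre-shared key of 8 to 49 characters, no ANY/ANY selection, a subnet selector that must carry a network number). The dict field names, and reading "3 to 8 characters" as the hex digits after 0x, are assumptions; the sample policy is constructed after the guide's vpn1 example.

```python
"""Added example (not part of the TeamF1 guide): sanity-check VPN policy
parameters against the rules the guide states in prose. Field names and
the dict layout are assumptions made for this example."""
import ipaddress
import re
from typing import Dict, List

ENCR_KEY_CHARS = {"DES": 8, "3DES": 24}      # editor hints: DES 8 / 3DES 24 chars
INTEG_KEY_CHARS = {"MD5": 16, "SHA-1": 20}   # editor hints: MD5 16 / SHA-1 20 chars
SPI_RE = re.compile(r"^0x[0-9A-Fa-f]{3,8}$")  # "3-8 hex chars", e.g. 0x1234 (assumed: digits after 0x)
PSK_MIN, PSK_MAX = 8, 49                     # pre-shared key length limits


def network_number(ip: str, mask: str) -> str:
    """192.168.1.10 with mask 255.255.255.0 -> 192.168.1.0 (the guide's example)."""
    return str(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False).network_address)


def check_selector(side: str, sel: Dict[str, str]) -> List[str]:
    """Validate one traffic selector (local or remote) according to its type."""
    kind = sel.get("type")
    if kind == "any":
        return []
    if kind == "single":
        return [] if "ip" in sel else [f"{side}: single host needs an IP address"]
    if kind == "range":
        if "start" not in sel or "end" not in sel:
            return [f"{side}: range needs start and end IP addresses"]
        if ipaddress.IPv4Address(sel["end"]) < ipaddress.IPv4Address(sel["start"]):
            return [f"{side}: range end precedes start"]
        return []
    if kind == "subnet":
        if "ip" not in sel or "mask" not in sel:
            return [f"{side}: subnet needs a network address and subnet mask"]
        net = network_number(sel["ip"], sel["mask"])
        return [] if net == sel["ip"] else [
            f"{side}: {sel['ip']} is a host address; network number is {net}"]
    return [f"{side}: unknown selector type {kind!r}"]


def check_manual(p: Dict[str, object]) -> List[str]:
    """Manual policy: two SPIs plus in/out keys sized for each algorithm."""
    errs = []
    for f in ("spi_in", "spi_out"):
        if not SPI_RE.match(str(p.get(f, ""))):
            errs.append(f"{f}: SPI must be 0x followed by 3-8 hex digits")
    for alg_field, table, keys in (
        ("encr_alg", ENCR_KEY_CHARS, ("encr_key_in", "encr_key_out")),
        ("integ_alg", INTEG_KEY_CHARS, ("integ_key_in", "integ_key_out")),
    ):
        alg = p.get(alg_field)
        need = table.get(alg)
        if need is None:
            errs.append(f"{alg_field}: unsupported algorithm {alg!r}")
            continue
        errs += [f"{k}: {alg} key must be {need} characters"
                 for k in keys if len(str(p.get(k, ""))) != need]
    return errs


def check_policy(p: Dict[str, object]) -> List[str]:
    """Return every violation found; an empty list means the policy is OK."""
    local, remote = p.get("local", {}), p.get("remote", {})
    errs = check_selector("local", local) + check_selector("remote", remote)
    if local.get("type") == "any" and remote.get("type") == "any":
        errs.append("traffic selection: ANY for both local and remote is not valid")
    if p.get("type") == "manual":
        errs += check_manual(p)
    elif p.get("type") == "auto":
        psk = str(p.get("psk", ""))   # auto policy: PSK comes from the IKE policy
        if not PSK_MIN <= len(psk) <= PSK_MAX:
            errs.append(f"psk: length must be {PSK_MIN}-{PSK_MAX} characters")
    else:
        errs.append(f"type: expected 'manual' or 'auto', got {p.get('type')!r}")
    return errs


def peer_manual_params(p: Dict[str, object]) -> Dict[str, object]:
    """Mirror a manual policy for the other gateway: selectors swap sides, and
    since IPsec SAs are unidirectional each inbound SPI/key here is the peer's
    outbound SPI/key."""
    q = dict(p)
    q["local"], q["remote"] = p["remote"], p["local"]
    for a, b in (("spi_in", "spi_out"), ("encr_key_in", "encr_key_out"),
                 ("integ_key_in", "integ_key_out")):
        q[a], q[b] = p[b], p[a]
    return q


# Constructed sample modelled on the guide's manual-policy example "vpn1".
VPN1 = {
    "type": "manual", "remote_endpoint": "10.1.1.30",
    "local": {"type": "subnet", "ip": "192.168.1.0", "mask": "255.255.255.0"},
    "remote": {"type": "subnet", "ip": "192.168.2.0", "mask": "255.255.255.0"},
    "spi_in": "0x1234", "spi_out": "0x1234",
    "encr_alg": "DES", "encr_key_in": "testtest", "encr_key_out": "testtest",
    "integ_alg": "MD5", "integ_key_in": "testtestabcdabcd",
    "integ_key_out": "testtestabcdabcd",
}
```

Running `check_policy(VPN1)` returns an empty list, while a copy with `spi_in="0x12"` or a host address such as 192.168.1.10 in a subnet selector returns one message per violation.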
13. crecy (PFS) to improve security. While this is slower, it will ensure that a Diffie-Hellman exchange is performed for every phase 2 negotiation.
Encryption Algorithm: The algorithm used to negotiate the SA.
Authentication Algorithm: Specify the authentication algorithm for the VPN header.
Diffie-Hellman (DH) Group: The Diffie-Hellman algorithm is used when exchanging keys. The DH Group sets the strength of the algorithm in bits. This setting must match that of the remote VPN.
Local IP Address: IP address of the local LAN subnet. If it is not specified, it defaults to the LAN subnet corresponding to the LAN IP of the device.
Local Subnet Mask: Subnet mask of the local LAN subnet.
Example Setup
The screenshots below show the setup for the following ModeConfig record:
[Parameter table: Record Name mode_config; First IP Pool: Starting IP 10.10.10.1, Ending IP 10.10.10.100; PFS Key Group Group 2; SA Life time 3600 seconds; Encr Alg (not fully legible); Integrity Alg SHA-1; Local IP 0.0.0.0; Local Subnet Mask 0.0.0.0]
[Figure 7: A ModeConfig Record. Screenshot of the Mode Config Record table: Name mode_config, first pool 10.10.10.1 to 10.10.10.100, remaining pools and server addresses 0.0.0.0; select all / delete / add. © 2006 TeamF1 Inc.]
A ModeConfig record may be selected from the IKE policy page to specify the IP addresses to be allocated to the peer
14. [Figure 3 screenshot, continued from the previous page of the scan: ...dit Client Policy; select all / delete / enable / disable / add. © 2006 TeamF1 Inc.]
[Figure 3: Wizard generated VPN Policy]
Corresponding to the above example, the following parameters will have to be set on the remote gateway, using the configuration tools for that gateway. Note the correspondence between the Remote and Local WAN IP addresses, and that the pre-shared keys are the same.
[Parameter table: Peer Gateway: Connection Name vpn_wizard, Pre-shared key 12349876, Remote WAN IP 10.1.1.10, Local WAN IP 10.1.1.30, Remote LAN IP (not fully legible), Remote LAN subnet Mask 255.255.255.0]
2 Configuration Using the Policy Editors
There are two types of policies that are used for IPsec VPN tunnel setup:
IKE Policies: IKE (Internet Key Exchange) is used in IPsec VPNs for automatically negotiating the core IPsec parameters (called Auto Mode), including session keys, encryption algorithms, etc. IKE policies are optional: if automatic negotiation is not required, only a VPN policy needs to be set up (also called Manual mode).
VPN Policies: A VPN Policy defines the primary tunnel parameters. If the settings for the VPN tunnel are manually entered on each endpoint of the tunnel, a Manual VPN policy is required. If some parameters for the VPN tunnel are to be generated automatically, an Auto VPN policy should b
15. e used, and it should be accompanied by its corresponding IKE policy specifying the parameters for negotiation.
While the VPN Wizard in the previous section is intended to simplify configuration, more advanced use of V-IPSecure, including authentication types other than pre-shared key authentication, requires direct editing of the VPN and IKE policies, either created from scratch or generated by the wizard. If the policies are generated by the wizard, the name used for the VPN tunnel connection name in the wizard is used to identify both the VPN Policy and the IKE Policy. The following IKE and VPN policy parameters can be set up on the V-IPSecure enabled target, and corresponding values entered on the other side of the tunnel (the remote gateway or client).
IKE Policies
General
Policy Name: A unique name given to the policy for identification and management purposes.
Direction/Type: The connection methods for V-IPSecure can be one of the following:
- Initiator: The router will initiate the connection to the remote end.
- Responder: The router will wait passively and respond to remote IKE requests.
- Both: The router will work in either Initiator or Responder mode.
Exchange Mode: There are two negotiation modes supported. Main Mode negotiates the tunnel with higher security but is slower, whereas Aggressive Mode establishes a faster connection but with lower security.
Note: If either the Local or Remote identifier type defined below is not an
16. ent IP address or FQDN, enter it in this field.
Note: Both local and remote ends should be defined as either IP addresses or Internet Names (FQDN). A combination of IP address and Internet Name is not permissible.
Secure Connection (Remote Accessibility)
These parameters are required only for a Remote Gateway connection. Enter the LAN-side subnet IP address and the associated subnet mask of the remote gateway. A subnet IP address is one that gives the network number of the IP range. For example, a network address of 192.168.1.10 with a subnet mask of 255.255.255.0 would have a network number (or subnet IP address) of 192.168.1.0.
Example Setup
The screenshots below show the setup for the following configuration using the Wizard mode, for a gateway-to-gateway connection with pre-shared key authentication, using the following parameters:
[Parameter table: Peer Gateway: Connection Name vpn_wiz, Pre-shared key 12349876, Remote WAN IP 10.1.1.30, Local WAN IP 10.1.1.10, Remote LAN IP (not fully legible), Remote LAN subnet Mask 255.255.255.0]
[Figure 1 screenshot (continues on the next page of the scan): TeamF1 VPN Wizard, http://192.168.1.1/vpn_wizard.htm. "VPN Wizard Default Values" link. About VPN Wizard: The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assu
17. ertificate Requests (end of the Figure 13 caption)
Submitting a certificate request to a CA for signing
Follow the instructions of the CA to complete the certificate signing process. Typically this involves the following:
1. Connect to the website of the CA.
2. Start the certificate request procedure.
3. When prompted for the requested data, copy the data from your saved data file, including the "BEGIN CERTIFICATE REQUEST" and "END CERTIFICATE REQUEST" lines.
4. Submit the CA form. If no problems ensue, a certificate will be issued.
Uploading a CA-signed Certificate File
After obtaining the signed certificate file from the CA, go to the Certificates page, click Browse, locate the signed certificate file on your computer, and use the Upload button to upload the certificate.
[Figure 14: Uploading a signed certificate. Screenshot of the "Upload certificate corresponding to a request above" control.]
Setting up Trusted CAs
For each CA that is to be trusted by the gateway (Trusted Certification Authority), a CA identity certificate is required to be uploaded, as shown in the following screenshot.
[Figure 15: Uploading Trusted CA certificates. Screenshot of the Certificates page, Trusted Certificates (CA Certificate) table: CA Identity, Subject Name, Issuer Name, Expiry Time; select all / delete; Upload Trusted Certificate.]
Managing your Certificate Revocation List (CRL)
18. [Figure 8 screenshot, continued from the previous page of the scan: ...eters: Encryption Algorithm DES; Authentication Algorithm SHA-1; Authentication Method Pre-shared key / RSA Signature; Pre-shared key 12345678 (Key Length 8-49 Char); Diffie-Hellman (DH) Group: Group 2 (1024 bit); SA Lifetime (sec): 28800; Extended Authentication.]
[Figure 8: Selecting a ModeConfig Record in an IKE Policy]
4 Example VPNC Interoperability Test Setup
This section describes how to configure V-IPSecure to implement the scenarios described in the VPN Consortium's interoperability specification, http://www.vpnc.org/InteropProfiles/Interop-01.html. These scenarios were developed by the VPN Consortium to help users understand how to set up their systems and to understand the vocabulary used in their system documentation.
Scenario 1: Gateway-to-gateway with preshared secrets
The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.
[Figure 9: Network setup for configuring VPNC Scenario 1. Diagram: LAN 10.5.6.0/24 -- Gateway A (LAN 10.5.6.1, WAN 14.15.16.17) -- Internet -- Gateway B (WAN 22.23.24.25, LAN 172.23.9.1) -- LAN 172.23.9.0/24]
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1 and its WAN (Internet) interface has the address 14.15.16.17. Gateway B connects the internal LAN 172.23.9.0/24
19. mes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the Policies menu. This VPN tunnel will connect to the following peers: VPN Client / Gateway. Connection Name and Remote IP Type: What is the new Connection Name? vpn_wiz. What is the pre-shared key? 12349876 (Key Length 8-49 Char). End Point Information: What is the Remote WAN's IP Address or Internet Name? 10.1.1.30. What is the Local WAN's IP Address or Internet Name? 10.1.1.10. Secure Connection (Remote Accessibility): What is the remote LAN IP Address? 192.168.2.(last octet not legible). What is the remote LAN Subnet Mask?]
[Figure 1: Configuration using wizard mode]
This automatically generates the VPN and IKE policies shown below. These policies can then be edited to make use of more advanced features in V-IPSecure, such as other authentication types or different IKE modes.
[Screenshot: IKE Policies, List of IKE Policies: vpn_wiz, 10.1.1.10, 10.1.1.30, Group 2 (1024 bit); Client Policy; select all / delete / add. VPN Policies list: vpn_wiz, Auto Policy, 192.168.1.0 / 255.255.255.0, 192.168.2.1 / 255.255.255.0, SHA-1, 3DES; e
20. nature to work.
Diffie-Hellman (DH) Group: The Diffie-Hellman algorithm is used when exchanging keys. The DH Group sets the strength of the algorithm in bits.
Note: Ensure that the DH Group is configured identically on both sides.
Example Setup
The screenshots below show the setup for a sample IKE policy using the IKE Policy Editor, using the following parameters:
[Parameter table: General: Name ike1, Direction both, Mode main; Local Identifier type Local WAN IP, Identifier 10.1.1.10; Remote Identifier type Remote WAN IP, Identifier 10.1.1.30; IKE SA Parameters: EncrAlg 3DES, AuthAlg SHA-1, Auth Method Pre-shared key, Key 12345678, Life Time 28800 sec]
[Figure 4 screenshot (continues on the next page of the scan): TeamF1 Edit IKE Policy, http://192.168.1.1/platform.cgi. Edit IKE Policy / Add New VPN Policy, "Operation succeeded". Policy Name ike1. Mode Config Record: Do you want to use Mode Config Record? Yes / No; Select Mode Config Record; view selected. Direction/Type Both; Exchange Mode Main; Identifier Type Local WAN IP, Identifier 10.1.1.10; Identifier Type Remote WAN IP. IKE SA Parameters: Encryption Algorithm 3DES, Authentic
21. [Figure 6 screenshot, continued from the previous page of the scan: ...net Mask 255.255.255.0; Subnet 192.168.2.0, Subnet Mask 255.255.255.0; Manual Policy Parameters: SPI Incoming 0x1234 (Hex, 3-8 Chars), Encryption Algorithm DES, Key In testtest; SPI Outgoing 0x1234 (Hex, 3-8 Chars), Integrity Algorithm MD5, Key In testtestabcdabcd.]
[Figure 6: VPN Policy Editor for Manual Policy]
Corresponding to the above example, the following parameters will have to be set on the remote gateway, using the configuration tools for that gateway:
[Parameter table (subnet addresses as read from the scan): General: Name vpn1, Type manual policy, Remote Endpoint 10.1.1.10; Traffic Selection: Local IP Subnet, Start IP address 192.168.2.0, Subnet Mask 255.255.255.0; Remote IP Subnet, Start IP 192.168.1.0, Subnet Mask 255.255.255.0; Manual Policy Parameters: SPI Incoming 0x1234, EncrAlg DES, Key In testtest, Key Out testtest, SPI Outgoing 0x1234, IntAlg MD5, Key In testtestabcdabcd, Key Out testtestabcdabcd]
3 Configuration For Remote Access Users
To simplify the process of connecting remote VPN clients to a V-IPSecure enabled target, ModeConfig can be used to assign IP addresses to remote users, including a network access IP address, subnet mask and name server addresses, from the router. Remote users are gi
22. [Parameter table, continued from the previous page of the scan: ...net Mask 255.255.255.0; Auto Policy Parameters: SA lifetime 3600 sec, EncrAlg 3DES, AuthAlg SHA-1, DH Group Group 2, PFS Enabled]
[Figure 11: Configuring VPN Policy for VPNC Example Scenario 1. Screenshot of the Edit VPN Policy page: Policy Name, Policy Type Auto Policy, Select Local Gateway WAN1 / WAN2, Remote Endpoint IP Address 22.23.24.25 / FQDN, Enable NetBIOS, Enable Rollover; Traffic Selection ("This field is not editable because netbios is selected"): Local IP and Remote IP, each with Start IP Address, End IP Address, Subnet Mask; Manual Policy Parameters: SPI Incoming and SPI Outgoing (Hex, 3-8 Chars), Encryption Algorithm Key In / Key Out (DES 8 Char, 3DES 24 Char), Integrity Algorithm Key In / Key Out (MD5 16 Char, SHA-1 20 Char); Auto Policy Parameters: SA Lifetime (value partly legible), Encryption Algorithm, Integrity Algorithm, PFS Key Group, DH Group 2 (1024 bit), Select IKE Policy / view selected.]
This completes the configuration for Scenario 1. At this point the traffic between Gateway A and Gateway B is encrypted and can be tested with a utility such as ping from Gateway A's LAN to Gateway B's LAN, or vice ve
23. rsa.
Note: If using pre-shared keys and the VPN Consortium's default parameters, you can also use the simplified setup offered by the VPN Wizard for automatically creating the IKE and VPN Policies described above.
[Screenshot: VPN Wizard with "VPN Wizard Default Values" link. About VPN Wizard: The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard you can always update the parameters through the Policies menu. This VPN tunnel will connect to the following peers: Gateway / VPN Client. Connection Name and Remote IP Type: What is the new Connection Name? gateway1. What is the pre-shared key? hr5xb84l6aa9r6 (Key Length 8-49 Char). This VPN tunnel will use the following local WAN Interface: WAN 1 / WAN 2. End Point Information: What is the Remote WAN's IP Address or Internet Name? 22.23.24.25. What is the Local WAN's IP Address or Internet Name? 14.15.16.17. Secure Connection (Remote Accessibility): What is the remote LAN IP Address? 172.23.9.0. What is the remote LAN Subnet Mask? 255.255.255.0.]
Scenario 2: Gateway-to-gateway with certificates
The following is a typical gateway-to-gateway VPN that uses PKIX certificates for authentication. The network setup is identical to the one given in the previous scenario. The IKE Phase 1 and Phase 2 parameters are identical to the ones
24. s matching the policy. When a VPN client matching the policy negotiates a connection, the VPN allocates a virtual adapter with the IP address, gateway, etc. specified in the ModeConfig record.
Example Setup
The screenshots below show the setup for the IKE Policy referring to the ModeConfig record:
[Parameter table: Select Mode Config Record mode_config; Policy name ike1; Mode aggressive; Local Identifier Type FQDN, Local Identifier remote.com; Remote Identifier Type FQDN, Remote Identifier local.com; Encr Alg DES; Auth Alg SHA-1; Authentication Method Preshared key; Pre-shared key 12345678; Group 2; SA Life time 28800]
[Figure 8 screenshot (continues on the next page of the scan): TeamF1 Edit IKE Policy, http://192.168.2.1/platform.cgi. Edit IKE Policy / Add New VPN Policy, "Operation succeeded". Do you want to use Mode Config Record? Yes / No. Select Mode Config Record mode_config, view selected. Policy Name ike1; Direction/Type Responder; Exchange Mode Aggressive; Identifier Type FQDN, Identifier remote.com; Identifier Type FQDN, Identifier local.com. IKE SA Param
25. up.
[Figure 5 screenshot: TeamF1 Edit VPN Policy, http://192.168.1.1/platform.cgi. Edit VPN Policy, "Operation succeeded". Policy Name vpn1, Policy Type Auto Policy, Remote Endpoint IP Address 10.1.1.30 / FQDN, Enable NetBIOS. Traffic Selection: Local IP Subnet, Start IP Address 192.168.1.(last octet not legible), End IP Address, Subnet Mask; Remote IP Subnet, Start IP Address 192.168.2.(last octet not legible), End IP Address, Subnet Mask. Manual Policy Parameters: SPI Incoming (Hex, 3-8 Chars), SPI Outgoing (Hex, 3-8 Chars), Encryption Algorithm 3DES, Integrity Algorithm SHA-1, Key In / Key Out.]
[Figure 5: VPN Policy Editor for Auto Policy]
Corresponding to the above example, the following parameters will have to be set on the remote gateway, using the configuration tools for that gateway:
[Parameter table (continues on the next page of the scan): General: Name vpn1, Type auto policy, Remote Endpoint (not legible); Traffic Selection: Local IP Subnet, Start IP address (partly legible), Subnet Mask 255.255.255.0
26. ven IP addresses available in the secured network space, so that remote users appear as seamless extensions of the network. ModeConfig is similar to DHCP and is used to assign IP addresses to remote VPN clients. A ModeConfig record may be selected during IKE policy specification. VPN clients connecting using an IKE policy with a ModeConfig record will be assigned an IP address from the pools specified in the selected ModeConfig record. One or more IKE policies may use the same ModeConfig record.
The following parameters can be set up on the V-IPSecure enabled target for ModeConfig configuration:
ModeConfig
General
Record Name: A unique name given to the record for identification and management.
First IP Pool
Starting IP: The first address to be allocated in this pool.
Ending IP: The last address to be allocated in this pool.
Second IP Pool
Starting IP: The first address to be allocated in this pool.
Ending IP: The last address to be allocated in this pool.
Third IP Pool
Starting IP: The first address to be allocated in this pool.
Ending IP: The last address to be allocated in this pool.
WINS Server
Primary: The primary WINS Server IP address.
Secondary: The secondary WINS Server IP address.
DNS Server
Primary: The primary DNS Server IP address.
Secondary: The secondary DNS Server IP address.
Traffic Tunnel Security Level
PFS Key Group: Enable Perfect Forward Se
27. work equipment. Embedded features such as CPU independence, leveraging platform resources (OS, processor and specialized hardware accelerators) and providing a feature-rich yet modular implementation to enable trade-offs in constrained environments are design goals of V-IPSecure.
This configuration guide discusses how to set up and configure V-IPSecure for interoperability in common VPN environments. It also includes specific VPN example scenarios recommended by VPNC, in Section 4, Example VPNC Interoperability Test Setup. V-IPSecure can be configured using its APIs, configuration files and, when embedded in a managed application, through an external management interface such as a web-based GUI or CLI. In the following examples, a web-based management interface is used to configure V-IPSecure in various scenarios.
1 Configuration Using Wizard Mode
The VPN Wizard is a web-based configuration facility that assists with setting up a VPN tunnel from the V-IPSecure enabled target to another gateway or to a VPN client, using pre-shared key authentication. Further, the generated policies can be used as a starting point for creating more advanced VPN and IKE policies that allow a choice of authentication methods, including XAUTH (local user database or RADIUS authentication) and digital certificates. Running the wizard generates the IPsec VPN policy as well as the associated IKE policy, with the VPN parameters (both IKE phase 1 and phase 2) chosen based on the