QuickStart. NCP Secure Enterprise Server. Configuration Guide


NCP Secure Enterprise Server QuickStart Guide

QUICKSTART CONFIGURATION GUIDE

GENERAL

Support

NCP offers support for all international users by means of Fax and Internet Mail.

Fax Hotline Number: +49 (911) (650) Europe - USA

Addresses:
helpdesk@ncp-e.com (support for English language customers)
support@ncp-e.com (support for German language customers)

When contacting NCP about your problems or queries, please include the following information:
- exact product name
- serial number
- version number
- an accurate description of your problem, and
- any error message(s).

NCP will do its best to respond as soon as possible, but we do not guarantee a fixed response time.

Network Communications Products engineering GmbH

GERMANY: NCP engineering GmbH, Dombühler Straße 2, D Nuremberg. Phone: +49 (911) Fax: +49 (911)
USA: NCP engineering, Inc., 444 Castro Street, Suite 711, Mountain View, CA. Phone: +1 (650) Fax: +1 (650)
Internet: info@ncp-e.com

Notices

While considerable care has been taken in the preparation and publication of this manual, errors in content, typographical or otherwise, may occur. If you have any comments or recommendations concerning the accuracy, then please contact NCP.

NCP makes no representations or warranties with respect to the contents or use of this manual, and explicitly disclaims all expressed or implied warranties of merchantability or suitability of use for any particular purpose. Furthermore, NCP reserves the right to revise this publication and to make amendments to the contents, at any time, without obligation to notify any person or entity of such revisions or changes.

This manual is the sole property of NCP and may not be copied for resale, commercial distribution or translated to another language without the express written permission of NCP engineering GmbH. All trademarks or registered trademarks appearing in this manual belong to their respective owners. NCP engineering GmbH. All rights reserved.

NCP engineering GmbH / V1.0

Revision History

Version | Description of Changes | Date Revision Completed
V1.0 | First version | TBA
V1.1 | Client included; document split into sections: General, SecS, Client, Appendices |

Product Version Described

Document Version | Product version described
V1.0 | NCP Secure Enterprise Server: Linux: Version 8.02 Build 029; Windows: Version 8.03 Build 024

NCP Secure Server QuickStart Guide

Preparation
    Abbreviations, Terminology and Conventions
Introduction
    Information Security, the Internet and the NCP Secure Server
    The Secure Server Web Interface GUI
    How to use this QuickStart Guide
Selecting and Configuring Security Policies
    Selecting the Algorithms for an IKE Policy
    Selecting the Algorithms for an IPsec Policy
    a. Adding Policies and Proposals
    a. Adding Policies and Proposals
Defining and Configuring the Local System
Configuring the Domain Group Default Group
Defining and Configuring the Link Profiles
Configuring a Client
Appendix Parameter Sheet
Appendix Automatic IKE Proposal Negotiation
Appendix Automatic IPsec Proposal Negotiation

Preparation

Abbreviations, Terminology and Conventions

Abbreviations

DMZ: De-militarized Zone
DNS: Domain Name Service
ESP: Encapsulating Security Payload
GUI: Graphical User Interface
IKE: Internet Key Exchange
NAT: Network Address Translation
VPN: Virtual Private Network
LH: left hand
RH: right hand
ID: identifier
IS: Internet Society, (typically) the body responsible for all Internet protocols

Terminology

Client: NCP Secure Enterprise Client (or NCP Secure Entry Client, restricted functionality). Also referred to as a VPN client.

Client Monitor: The NCP Secure Enterprise Client GUI, used to configure the Client and manage tunnel establishment and teardown. Also referred to as the Monitor.

Secure Server: NCP Secure Enterprise Server. Also referred to as a VPN gateway.

NCP Secure Enterprise Solution: A collection of NCP Clients, NCP Secure Server and, optionally, the NCP Secure Management Server, designed to provide a comprehensive, scalable and fully manageable VPN solution.

Network Address Translation: A protocol suite, defined by the IS, that enables private LANs, i.e. constructed with private IP address subnets, to be connected with the Internet. Usually implemented in a router.

VPN gateway: A system to or from which a VPN is established. In this document, the VPN gateway is the NCP Secure Server, used to terminate VPN connections originated by one or more NCP Secure Clients.

IPsec: The protocol suite defined by the IS's RFC 4301, Security Architecture for the Internet Protocol.

Encapsulating Security Payload: A component of IPsec: a protocol that defines how IP segments are encapsulated for transfer, encrypted, over a VPN tunnel.

Internet Key Exchange (IKE): A component of IPsec: a protocol that defines how keys are exchanged during the first phase of tunnel establishment between two parties.

Public IP address: A public IP address is an address that is reachable on the global Internet.

Private internets and private IP address spaces: According to RFC 1918: The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:
10.0.0.0 to 10.255.255.255 (10/8 prefix)
172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
192.168.0.0 to 192.168.255.255 (192.168/16 prefix)

Tunnel-endpoint IP Address: The public IP address of the VPN gateway, i.e. the IP address which is visible to IP traffic outside the VPN tunnel.

The following terminology definitions relate solely to their use in cryptography:

Digital Certificate: An electronic document, issued by a trusted party, that verifies the credentials of the possessor of that certificate. The trusted party, also known as the root, is responsible for verifying the credentials of parties who apply for certificates.

Public Key Infrastructure (PKI): A set of technologies that handles the management and distribution of digital certificates.

Conventions

Italic text: Used to identify character sequences in a string that are replaced by a specific sequence, e.g. version numbers, parameter strings etc. All file names of files, distributed by NCP engineering, that include version dependent code always include the version number and build number in the file name, e.g.:
ncp_ses_linux_major_num_buildnum.i586.sh
e.g. ncp_ses_linux_8_02_034.i586.sh

Secure Server Web Interface GUI navigation: IKE Policies [PRE Shared Key]
Meaning: in the menu directory, navigate to the IKE Policies sub-directory and then select PRE Shared Key from the Item list in the LH frame.

Windows GUI navigation: Server Manager
Meaning: press the Start button and navigate the Server Manager, menus.

Client Monitor menu navigation: Profiles [Profile Name]
Meaning: in the Monitor menu bar, select the Profiles tab and then select the profile Profile Name to be modified.

Linux commands: printed in 10 point Courier New.

Introduction

Information Security, the Internet and the NCP Secure Server

The data transferred between computers via the Internet is potentially open to eavesdropping or manipulation; the Internet is specifically designed like this to ensure that it can be used in the widest possible variety of ways. However, the Internet's architects did not overlook the requirement to move data securely and without the risk of being compromised; the architected approach to securing data while it is in transit on the Internet is to construct a Virtual Private Network (VPN). The Internet Society's Security Architecture for the Internet Protocol (IPsec) specifies the architecture for a VPN, and NCP's Secure Enterprise Solution product range is a full implementation of IPsec.

NCP's Secure Enterprise Solution is designed to ensure that the information stored in your organization's corporate network is securely available to all, regardless of how the services provided by today's Internet are used. Naturally you are able to limit, within your organization, who should have access to what information. In many cases, though, even when access permissions have been set correctly, the route to the location where the information is needed may, potentially, be insecure itself. Regardless of whether the person requiring the information is using a PDA, mobile phone, a PC or a Server, a VPN will ensure that the sensitive information is always secure while in transit over the Internet.

Access to the VPN, and hence to your corporate network, is governed by authentication: user or Client and Secure Server start a conversation or, in technical terms, establish a VPN tunnel, by first exchanging a piece of information that has been shared between the two via a separate route. This information could be just username and password, pre-shared key, a one time password or a security certificate; the degree of security inherent in this initial authentication depends on the security of the out-of-band route, but all techniques are aimed at ensuring both parties to the conversation are 100% certain of who they are talking to. This QuickStart guide starts with using the simple pre-shared key approach but will give examples of how a more secure implementation can be built.

Ensuring your information is secure while in transit over the Internet is the task handled by encryption: transforming the information using codes that are agreed between the Client and Secure Server during the start-up conversation. Encryption and the cryptographic science behind it use mathematical algorithms to hide that information by encoding it in a secret way by means of a secret key. Those algorithms have been designed to give different degrees of security, and the term cryptographic strength [1] is a benchmark for measuring the relative strengths of different algorithms. But how are those degrees measured? Essentially in the difference between the months, years and centuries it would take an eavesdropper, who had most of the right information required, to decode the encoded information, assuming he did not have that secret key. As computer performance increases, the elapsed time may decrease; however, the algorithms are designed such that the key strength can be increased while preserving the same basic algorithm. Your investment is protected by this approach; implement an NCP Secure Enterprise Solution and your information will be secure well into this, the 21st century.

This QuickStart Guide gives you a brief overview of how to set up an NCP Secure Server so that it can be the secure gateway, the VPN gateway, between those users connected via that insecure Internet and your secure, corporate information systems. The guide is intended to help you quickly configure the Secure Server and, therefore, recommends making extensive use of default parameters. Only change parameters in a live, operational environment when you have tested them extensively and are sure you understand all their impacts. The standard Secure Server documentation set, delivered with the product, includes extensive descriptions of all Secure Server parameters.

Once installed and configured, the only way to test a Secure Server is to attempt to establish a VPN tunnel between a VPN client and the Secure Server. To simplify this task, this guide includes details of how to configure a Secure Enterprise Client, installed according to the installation procedures described in the accompanying Preparation and Installation Guide. The Client would then form part of the basic configuration from which you will grow your VPN infrastructure.

This QuickStart Guide is divided into two major sections:
- Secure Enterprise Server
- Secure Enterprise Client
and pages in each section are marked accordingly in the top RH corner.

When your configuration, based on these guides, is complete and working, you will be in a better position to evaluate how to expand the various aspects of the infrastructure, such as its security or the networking or how additional Clients can be added to the configuration.

[1] Cryptographic strength: see section Encryption Algorithms in the companion Preparation and Installation manual for a discussion of this topic.

The Secure Server Web Interface GUI

All Secure Server configuration work is carried out via the Web Interface and, before starting to configure the Secure Server, it is important that you are familiar with this GUI. The following steps take you through the first log on and then help you to understand the logic associated with the GUI and how it in turn provides the interface between you, the System Administrator, and the Secure Server programs running under the respective operating systems.

Logging on

Log in to the Web Interface by calling up the following address on your browser:
where aaa.bbb.ccc.ddd is the IP address or fully qualified name of the Secure Server public IP address. Enter your username and password and press Login.

The menu structure (see image on next page)

Assuming that this is the first time you have ever logged into the Web Service, let's take a walk through the pages displayed (bullet numbers match the numbering on diagrams on this and the next page).

1. Regardless of where your browser is hosted, the first page displayed on the Secure Server Web Interface is the Current System Information. The graphical details are self explanatory, take a look for yourself. The important point to note is that displaying them at this point means you immediately have an overview of how the Secure Server is performing, right after login.
2. When configuring the system you will navigate the menu system in the LH frame. There are five main directories: System,, Statistics, History and Log. This QuickStart guide is primarily concerned with the directory and subdirectories: in the GUI, click on any entry in the directory hierarchy to select and open it.
3. Configuring the Secure Server involves selecting the appropriate sub-directory in the sub-directory menu frame and then,
4. if present, selecting a List entry to open it, followed by
5. in the folder frame, selecting the appropriate folder where the individual parameters are held.
6. The individual parameters, specific to a folder, are displayed in the edit frame and can be edited there.

Directories, subdirectories, folders and List entries

Due to the complexity of the VPN Security Policy Database structure, two types of hierarchy are required in the Web Interface: with or without an intervening List entry.

Without an intervening List entry:
2 directory / menu frame
3 sub-directory / sub-menu frame
5 folder / folder frame
6 (parameter) edit frame

With an intervening List entry:
2 directory / menu frame
3 sub-directory / sub-menu frame
4 List entry
5 folder / folder frame
6 (parameter) edit frame

Whether there is just one folder or a number of folders under a subdirectory, or whether there are individual, intervening List entries, is dependent on the sub-directory concerned; all, in turn, are dependent on the configuration parameters concerned. However, sub-directories, List entries and the associated folders are totally context sensitive, so you only need to understand the general concept behind the hierarchy.

Control Buttons and List entries

The GUI includes a set of standard buttons for saving or deleting parameters in the parameter folders or adding or deleting List entries or parameter sets. The screen shot below illustrates the position of these buttons on the GUI, together with their actions.

[Screen image: Example of a parameter folder, illustrating position of context sensitive buttons]

All Control Buttons display a title hint when the mouse is over the button for more than one second.

1 Create a List entry or Delete a List entry
Manage List entries listed in the sub-directory / sub-menu frame with these context-sensitive buttons:
- create a List entry with a set of appropriate default values
- delete the List entry currently selected (highlighted).

2 List entries
If a sub-directory has been designed to include List entries, then these are listed in the sub-directory / sub-menu frame and can be clicked to open the respective folder. All folders include the same, standard set of parameters. The current value of each parameter in a folder is displayed against the parameter's name in the edit frame.

3 Save changes or Delete changes
Manage parameter folders with these buttons.
Note: Parameter changes are actioned by the Secure Server processes immediately after the Save changes button is pressed.

4 Create parameter list or Delete parameter list
These buttons in the edit frame are context-sensitive and are used to manage the parameter lists specific to the folder displayed.

How to use this QuickStart Guide

Folders used in QuickStart Guide:
1 IKE Policies
2 IPsec Policies
3 Local System
4 Domain Groups
5 Link Profiles

As a first step, it's useful to familiarize yourself with the Web Interface, how to navigate around the different folders and, in particular, the five folders where parameters will need to be entered. The numbers against the entries in the list above define the sequence in which folders will be accessed during the configuration sequence and the sections in the guide.

This QuickStart Guide refers to the Parameter Sheet in appendix 1 (repeated in the Preparation and Installation (P&I) guide) that will have been completed when preparing for the VPN gateway. The format/layout of the Server column in the parameter sheet maps onto the structure displayed in the screen shot below.

Navigating the Web Interface menu:

In this guide, the icon in the LH column highlights the menu steps to be traversed to reach the corresponding screen, displayed in the RH column. The next image is annotated with pointers to the fields to be entered; see the example on the following page. The first screen image illustrates all default parameters, the second the parameters that require changing. The parameters that you will need to alter in the edit frame are listed between the two images.

Example: Defining the pre-shared key
IKE Policies [PRE Shared Key] [marketing_1]
[Screen image: IKE Policy List entries]
Parameter in: Lifetime of the proposal

List entries and navigation

Pre-configured List entries are enclosed in square brackets in the menu selector string. List entries created while configuring the system are shown in italics, enclosed in square brackets; see example above.


Selecting and Configuring Security Policies

The VPN tunnel establishment process has been very carefully designed to ensure that a Client and the Secure Server secretly negotiate specific algorithms. These algorithms cover:

1. how messages between Client and Secure Server will be authenticated (referred to as a Hash or message authentication code (MAC)),
2. how the data will be encrypted in the tunnel, and
3. the Diffie Hellman group to be used to exchange the public keys used in the asymmetrical encryption algorithms. [2]

After all, handing out these parameters to an eavesdropper would be very counterproductive: it would mean that all communication via the tunnel would then be compromised.

Tunnel establishment is a two phase process: the IKE Proposal phase followed by the IPsec Proposal phase. At the start of each phase the Client proposes the use of specific cryptographic algorithms to the Secure Server. The Secure Server accepts or rejects these proposals based on the policies defined in the IKE and IPsec policy settings for the Local System. In order for a proposal from a Client to be accepted by the Secure Server, the exact algorithm proposed must have been configured in the policy associated with that phase.

Sections 1 and 2 of this guide illustrate how to configure the Secure Server to use the default IKE and IPsec policies; these handle most security requirements adequately and hence should not be altered. However, the degree of security of the VPN gateway is heavily influenced by these settings, and hence the guide also illustrates how additional proposals can be added to these policies or how new policies can be created.

The configuration process at the Clients can be simplified considerably if use is made of the Automatic mode for IKE and IPsec proposals negotiation. The exact mechanism behind this feature is described in the Preparation and Installation manual, and the proposals suggested by the client are listed in Appendix 2 of this manual.

[2] See appendix Policy Algorithm Details for a detailed description of the various cryptographic algorithms supported by the Secure Server.

1. Selecting the Algorithms for an IKE Policy

QuickStart IKE Policy: PRE Shared Key

This section helps you to configure the Secure Server to use the predefined PRE Shared Key IKE policy during the IKE phase. The algorithm combinations that make up the proposals stored under the PRE Shared Key policy are listed in detail later in this section. The lifetime of a proposal, i.e. the length of time before keys are renegotiated, is also entered here.

Important: if your company security requirements demand that you use a different IKE policy then the modifications will be entered via this folder; see section 2a. Adding Policies and Proposals for detailed instructions. Changing the name of the policy here will mean that you will have to select this new name in the Local System; see section 3. Defining and Configuring the Local System.

Configure Lifetime of proposal (and, if necessary, proposal/policy details)

IKE Policies [PRE Shared Key]
[Screen image: IKE Policy List, List entries]

Parameters in:
1. Use the default PRE Shared Key policy if that is sufficient for your security requirements (see above).
2. Details of how the lifetime of the policy (referred to as Lifetype) is to be configured, by time or by data transfer volume.

Leave: 1 Policy name unchanged
Enter: 2 Proposal lifetime details (see below) and
3 Save changes

Policy Name
The policy name PRE Shared Key is the name you will use to reference this IKE policy from the Local System.
Important: if you change this name you will also need to change the IKE policy selected in the Local System.

Life Type, Duration, kbytes
These three parameters define how the lifetime of the proposal negotiated is to be measured: in either duration, kilobytes or both. Select the Life Type you require from the pull down tab and then enter: Duration in days:hours:mins:secs for time, or kbytes for volume, or both, dependent on which Life Type is selected.

PRE Shared Key proposals: algorithm combinations
[Screen image: Algorithms, Proposals]

NCP has chosen a set of five different IKE phase proposals appropriate for most configurations; these are grouped together under the IKE Policy named PRE Shared Key. The individual algorithms that make up that default policy are listed above: five different combinations of Authentication, Encryption, Hash and DH Group algorithms. Each of the four sets of algorithm types is selectable from pull-down tabs, and each combination of four is referred to as an IKE proposal. As a complete list, they are referred to as an IKE policy, and during the IKE Phase, Client and Secure Server will negotiate the use of one of the proposals.

The different algorithms available under the four categories are:

Finish or Continue?
If you don't need to add more IKE proposals to the list, simply go to the next section.

Continue
Either add a new proposal to an existing policy, or create a new policy first. For each new proposal, select the algorithm(s) required from the relevant pull-down tabs.

Parameters out:
Either PRE Shared Key or name of the IKE policy you will use when configuring the Local System.
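The exact-match rule stated under Selecting and Configuring Security Policies, applied to the four-part IKE proposals of this section, as an added example (not NCP code). The proposals and algorithm labels are constructed for illustration and are not the product's default PRE Shared Key list; taking the first match in the Client's order and the field limits in the Duration parser are assumptions.

```python
from typing import List, NamedTuple, Optional, Sequence


class IkeProposal(NamedTuple):
    """One IKE proposal: the four algorithm types named in this section."""
    authentication: str
    encryption: str
    hash_alg: str
    dh_group: str


class IkePolicy(NamedTuple):
    """A named list of proposals plus the lifetime entered as Duration."""
    name: str
    proposals: Sequence[IkeProposal]
    lifetime_seconds: int


def parse_duration(text: str) -> int:
    """Convert a Duration written as days:hours:mins:secs into seconds."""
    parts = text.strip().split(":")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected days:hours:mins:secs, got {text!r}")
    days, hours, mins, secs = (int(p) for p in parts)
    # Assumption: hours, minutes and seconds use their usual ranges.
    if hours > 23 or mins > 59 or secs > 59:
        raise ValueError(f"field out of range in {text!r}")
    return ((days * 24 + hours) * 60 + mins) * 60 + secs


def select_proposal(policy: IkePolicy,
                    offered: Sequence[IkeProposal]) -> Optional[IkeProposal]:
    """Return the first offered proposal configured in the policy, else None.

    A proposal is accepted only if all four algorithms match a configured
    proposal exactly; a near match is rejected.
    """
    configured = set(policy.proposals)
    for proposal in offered:
        if proposal in configured:
            return proposal
    return None


def closest_mismatch(policy: IkePolicy, proposal: IkeProposal) -> List[str]:
    """For troubleshooting a rejected proposal: the field names in which it
    differs from the most similar configured proposal."""
    best = list(IkeProposal._fields)
    for configured in policy.proposals:
        diff = [name for name in IkeProposal._fields
                if getattr(configured, name) != getattr(proposal, name)]
        if len(diff) < len(best):
            best = diff
    return best


# Constructed sample data; the policy name is the one used in this guide.
SAMPLE_POLICY = IkePolicy(
    name="PRE Shared Key",
    proposals=[
        IkeProposal("Pre-shared key", "AES 128", "SHA", "DH Group 5"),
        IkeProposal("Pre-shared key", "3DES", "MD5", "DH Group 2"),
    ],
    lifetime_seconds=parse_duration("0:08:00:00"),
)

# Constructed Client offer: the first entry differs only in key length.
CLIENT_OFFER = [
    IkeProposal("Pre-shared key", "AES 256", "SHA", "DH Group 5"),
    IkeProposal("Pre-shared key", "3DES", "MD5", "DH Group 2"),
]

if __name__ == "__main__":
    chosen = select_proposal(SAMPLE_POLICY, CLIENT_OFFER)
    print("accepted:", chosen)
    print("first offer differs in:",
          closest_mismatch(SAMPLE_POLICY, CLIENT_OFFER[0]))
```
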

2. Selecting the Algorithms for an IPsec Policy

QuickStart IPsec policy: ESP AES-3DES-MD5

This section helps you to configure the Secure Server to use the predefined ESP AES-3DES-MD5 IPsec policy during the IPsec negotiation phase. The algorithm combinations that make up the proposals stored under the ESP AES-3DES-MD5 policy are listed in detail later in this section. The lifetime of a proposal, i.e. the length of time before keys are renegotiated, is also entered here.

Important: if your company security requirements demand that you use a different IPsec policy then the modifications will be entered via this folder; see section 2a. Adding Policies and Proposals for detailed instructions. Changing the name of the policy here will mean that you must select this new name when defining and configuring the Local System; see section 3. Defining and Configuring the Local System.

Configure Lifetime of proposal (and, if necessary, proposal/policy details)

IPsec Policies [ESP AES-3DES-MD5]
[Screen image: IPsec Policy List, List entry]

Parameters in:
1. IPsec policy proposals to be used, if different from the default.
2. How the lifetime of the policy (referred to as Lifetype) is to be configured, by time or by data transfer volume.

Leave: 1 Policy name unchanged
Enter: 2 Proposal lifetime details and
3 Save changes

Policy Name
The policy name ESP AES-3DES-MD5 is the name you will use to reference this IPsec policy when configuring the Local System.
Important: if you change this name you will also need to change the IPsec policy selected in the Local System.

Life Type, Duration, kbytes
These three parameters define how the lifetime of the policy is to be measured, in either duration, kilobytes or both. Select the Life Type you require from the pull down tab and then enter: Duration in days:hours:mins:secs for time, or kbytes for volume, or both, dependent on which Life Type is selected.

Algorithm combinations and proposals
[Screen image: ESP AES-3DES-MD5 Proposals, Algorithms]

NCP has chosen a set of three different IPsec phase proposals that define the algorithm combinations core to the IPsec phase negotiations. These are appropriate for most configurations and are grouped together under the IPsec Policy named ESP AES-3DES-MD5. The individual algorithms that make up that default policy are listed above: five different combinations of Protocol, Transform, Authentication, DH Group and Compression as shown. Each of the five sets of algorithm types is selectable from pull-down tabs, and each combination of five is referred to as an IPsec proposal. As a complete list, they are referenced as an IPsec policy, and during the IPsec phase, Client and Secure Server will negotiate the use of one of the proposals.

The only protocol that can be chosen is ESP, hence this tab is not shown; the four different algorithms available under the five categories are:

Finish or continue?
If you do not wish to add proposals to the list, simply Save changes and go to the next section.

Continue
Either add and modify a new proposal or modify an existing one by selecting the algorithm(s) required from the relevant pull-down tabs.

Parameter out:
Either ESP AES-3DES-MD5 or name of the IPsec policy you will use when configuring the Local System.

2a. Adding Policies and Proposals

This section describes how to tailor policies and proposals to meet your specific requirements. Although example illustrations are taken from the IKE Policy folder, the same general procedure also applies for the IPsec policies.

Important: only tailor existing policies or add new proposals if the security requirements of your company cannot be met with the default policies.

To add more proposals to an existing policy

Use the following procedure to add proposals to an existing policy; naturally the prompts will differ for IPsec policies but the same concept applies.

IKE Policies (or IPsec Policies) [Policy Name]

1. Add an IKE proposal
2. Select algorithms for each additional proposal displayed
Repeat steps 1 and 2 until all additional proposals have been added.
3. Save changes

Save changes saves the proposals under the original policy name (PRE Shared Key in the example case).

Policy name to be used in Local System: use this IKE or IPsec policy name when configuring the Local System.

To create a new policy

Use the following procedure to add a new policy and then add proposals; naturally the prompts will differ for IPsec policies but the same concept applies.

IKE Policies (or IPsec Policies)

1. Add list entry
2. Enter Policy Name and Life Type details
3. Select algorithms for first proposal
4. Add an IKE proposal
5. Select algorithms for each additional proposal
6. Save changes

Repeat steps 4 and 5 until all proposals have been entered and the policy is complete. The new policy is displayed in the policy list.

Policy name to be used in Local System: use this new name, entered under the Policy Name field, when configuring the Local System.


3. Defining and Configuring the Local System

The Local System folder contains all the VPN tunnel parameters that are common to a VPN gateway.

Parameters in:
1. As this QuickStart VPN will use the standard IPsec protocol, the IPsec option must be selected.
2. IKE policy, pre-shared key and IPsec policy to be used for all incoming requests for tunnel establishment. Use the policy name parameters you defined in the IKE and IPsec Policy folders (Parameters out from IKE Policy and IPsec Policy sections). Use the pre-shared key defined during the Preparation & Installation steps.

Select IPsec protocol

Local System General

Do not alter any fields in this folder! Only check IPsec option is enabled!

Configure IKE and IPsec policies and pre-shared key

Local System VPN/IPsec

Select from pull down tab:
1 IKE Policy
2 IPsec Policy
Enter:
3 Pre-shared key (see below) and
4 Save changes when finished

IKE Policy
The PRE Shared Key default policy is already selected; leave this selection unless you have defined an alternative IKE policy. The list under the pull-down tab also includes RSA Signature; any other IKE policies that you have created will also be selectable via the pull-down tab.

IPsec Policy
The ESP AES-3DES-MD5 default policy is already selected; leave this selection unless you have defined an alternative IPsec policy. The list under the pull-down tab only includes ESP AES-3DES-MD5; any other IPsec policies that you create will be selectable via the pull-down tab.

Pre-shared Key
Enter the pre-shared key chosen (refer to the Parameter Sheet) in the Pre-shared Key field; the key characters are not displayed.

Leave all other fields with their default values.

Parameters out: None

30 4. Configuring the Domain Group Default Group The Default Group Domain Group folder holds all IP address details that will be assigned to Clients using the IKECFG protocol when the Client to Secure Server tunnel is being established. Important: when following the guidelines in this QuickStart guide do NOT to create any other Domain Groups: when more than one Domain Group exists, the Domain Group used as source of the DNS, WINS and Virtual IP Pool addresses is selected using the VPN user_id and domain suffix. If these parameters are not correctly configured, Clients will not be able to successfully establish tunnels. Parameters in 1. Primary and secondary DNS and WINS server IP addresses 2. A range of IP addresses (referred to as the Virtual IP Pool) from which each Client will be allocated its private IP address. 3. Lease time for the private IP address see Pool IP address Leasetime in. Configure DNS Server, WINS Server, DNS Suffix etc. Domain Groups [Default Group] General Default Group List entry Page 30

31 Configure DNS and WINS IP addresses and DNS Suffix (all optional)

These are the DNS and WINS IP addresses and DNS suffix that will be assigned with every address assigned from the virtual IP pool. The parameters to be entered here will depend entirely on the configuration of that part of your company's networking infrastructure that will support the VPN Clients. The details entered below match the sample networking diagram in the Preparation and Installation manual that accompanies this QuickStart guide. Only enter values for the parameters illustrated below.

Enter:
1. DNS server details
2. (WINS server details)
3. (DNS suffix)
and
4. Save changes

32 Configure Pool of private IP addresses (Domain Groups > [Default Group] > Pools)

Click:
1. Add a pool entry

Enter:
1. Pool number
2. Pool Begin and Pool End addresses
3. Leasetime
and
4. Save changes

Repeat the above procedure to add as many Virtual IP pools as necessary.

Parameters out:
1. Pool No. for reference by the Link Profile/Pools folders.

33 5. Defining and Configuring the Link Profiles

A link profile must be created for each individual combination of the following parameters. A link profile can be viewed as a way of defining the parameters that will form the unique Security Association created when the tunnel between the associated Client and the Secure Server is established. Parameters that must be defined are:
- username (referred to in this section as User ID) and password; these are the details that will be authenticated using the XAUTH protocol. Important: these must match each separate Client's VPN Tunneling/User ID and VPN Tunneling/Password parameters.
- various line management parameters, and
- IP address pool, i.e. the list from which the Client's IP address will be allocated. Each address range includes a figure for the maximum duration of the lease (Leasetime) of each IP address. A numbered list of pools can be created, with each entry referenced, using the number, from the Default Domain Domain Group Pools folder to the IP pool start and end IP addresses and the lease time.

Each link profile must have an individual name. When created, each link profile is listed, in alphabetic order, in the configuration sub-directory / menu frame.

Add a new Link Profile (Link Profile)
Click:
1. Add a List entry

Parameters in:
1. First profile name (or next in the list of profile names) to be created

34 Check the following:
1. State: enabled
2. Filtergroup: none
3. Direction: incoming
4. Link Type and 5. VPN Mode: IPsec Native VPN
Enter:
6. the Profile Name chosen
and
7. Save changes

Configure Line Management (Link Profile > [Profile Name] > Line Management)
Profile Name List entry

Parameters in:
- Inactivity timeout value
- Timeout direction
- Max connection time (if required)
- Max Rx Bandwidth (if required)
- Max Tx bandwidth (if required)

35 Enter values for:
- Inactivity Timeout
- Timeout Direction
- Max Connection Time (if required)
- Max Rx Bandwidth (if required)
- Max Tx bandwidth (if required)
and Save changes

Configure XAUTH username and password (Link Profile > [Profile Name] > Authentication)

Parameters in:
1. User ID (Client = username) and
2. password

36 Under Incoming Connections enter:
1. User ID
2. Password
and
3. Save changes

Configure IP Pool (Link Profile > [Profile Name] > Routing)

Parameters in:
1. Pool number of IP Address Pool defined in Default Group

37 Enter:
1. IP Address Pool number
and
2. Save changes

Configure XAUTH Authentication of Client username and password (Link Profile > [Profile Name] > IPsec Options)

Parameters in: Extended Authentication (XAUTH) to be used to authenticate username and password during tunnel establishment.

38 Ensure
1. Extended Authentication (XAUTH) is enabled.
and
2. Save changes

Example of link profiles folder after three profiles have been created
Link Profile List entries

Repeat for each profile: For each separate profile required, repeat all the steps in this section.

Parameters out: None

39 5. Defining and Configuring the Link Profiles complete, check that Secure Server processes are running

Your Secure Server is now configured and ready to be used. Check that the Secure Server processes are all running.

Linux: Enter rcncpses status at root prompt and check response is as shown.
Windows: Call up the Windows Task Manager (CTRL ALT DEL) and check that the processes shown are running.

40 SECURE ENTERPRISE CLIENT Configuring a Client

This guide is designed to help you quickly configure a Client with the aim of establishing a VPN tunnel from that Client to the Secure Server being installed and configured. It is not intended to provide a detailed description of all the capabilities of the Client and how those capabilities are configured using the Client Monitor. For such information, please refer to the NCP Secure Enterprise Client (Win 32/64) manual set. In particular, refer to the Client-Side Profile Creation section in the Enterprise Client Monitor manual (Enterprise-CL-Monitor-e.pdf) for details behind the concept of profiles and their use in the Monitor.

The Client Monitor provides a New Profile Wizard to assist creating new profiles and this guide maps the parameters you noted in the Parameter Sheet (collected during the Secure Server preparation task) onto the various screens displayed in sequence by that wizard. The headings highlighted in yellow correspond to the Client column in the Parameter Sheet.

Important: the following screen shots show the default settings. The details to be entered are listed in the LH column and the screen shot highlighted where appropriate.

Important: If parameters to be entered in a screen are also to be validated (for presence or validity) then the Next button will remain disabled/grayed out until the parameters have been successfully validated.

Create a new profile (Profiles)

41 The Available Profiles screen is displayed.
Add New Profile: Add a new profile

Basic Settings
Basic Settings screen displayed:
Select IPsec: Enable Link to Corporate Network Using IPsec and click Next.

Profile Name screen displayed:
Enter Profile name: marketing_1 in this QuickStart guide. Click Next (Note: Next only enabled after Profile name has been entered).

42 Communication Medium screen displayed:
Select Communication Medium: LAN (over IP). LAN (over IP) is the default setting and should be left unchanged until you are familiar with the other settings available. Click Next.

VPN Tunneling
VPN Gateway Parameters screen displayed:
Enter Gateway / Tunnel Endpoint address: Address= in this configuration guide. Ensure XAUTH is enabled and click Next.

Certificate Usage screen displayed:
PKI not being used: As PKI is not being used in the QuickStart configuration, the settings on this screen can be left unchanged. Click Next.

43 Connection Information for VPN Gateway screen displayed:
Enter VPN User ID and VPN Password: Enter VPN User ID = mkt_user1 in this configuration guide, and click Next.

Security
Static Key (Pre-shared Key) screen displayed:
Enter pre-shared key: Enter pre-shared key chosen and repeat to ensure correctly typed. Click Next.

N/A
Link Firewall screen displayed:
Set Stateful Inspection off: Pull the Stateful Inspection pull-down bar and set Stateful Inspection to off, and click Finish. This is the last screen in the profile creation wizard.

44 Available Profiles screen displayed with new profile now listed:
Profiles now available
Profile can now be used: The new profile has been created and stored and can now be used.

Connect using marketing_1 profile: Ensure new profile is selected and click Connect.

VPN Credentials screen displayed: Enter VPN Password and click OK.

Connection established

45 Appendix 1 APPENDICES Parameter Sheet

This parameter sheet is designed to give an overview of the parameters to be collected during the preparation phase. To assist you when configuring Clients and the Secure Server, the entries below are arranged to show which parameter name on the Client matches the equivalent on the Secure Server. The value columns list:
- the default values, marked with underline. You are advised to adopt these defaults during the initial configuration of the Secure Server.
- the parameters, in italics, that must be defined during the Preparation & Installation phase.

Parameters that must match in both Client and Secure Server are listed in both columns. Cells in the Server column highlighted in blue are hyper-linked to the corresponding sections (number in brackets) within this document. Cells in the Client column highlighted in yellow correspond to the menu entries in the Client profile management menus.

Note: hyperlinks are only enabled in Guide.

Parameter Sheet
Client | Value
N/A N/A N/A N/A N/A N/A
Basic Settings
Profile name
Communication Medium: LAN (Over IP)
Line Management: See Configuring a Client in Manual (to be provided)
Value | Server
(1) IKE Policies [PRE Shared Key] Lifetype Duration kbytes/time
(1) IPsec Policies [ESP AES-3DES-MD5] Lifetype Duration kbytes/time
N/A NA NA NA

46 Parameter Sheet
Client | Value | Value | Server
Security
IPsec
(3) Local System General VPN Protocols
Security Mode (gray) Certificate configuration (gray) IPsec IKE Policy Automatic mode [3] NA
(3) Local System VPN/IPsec
IPsec IKE Policy PRE Shared Key IPsec Policy Automatic mode [4] Pre-shared key param ESP AES-3DES-MD5 Pre-shared key param
Pre-shared Key Exchange Mode Advanced Pre-authentication VPN Tunneling None Main or Aggressive VPN Protocol IPsec Tunneling VPN User ID VPN Password [6] Gateway (Tunnel Endpoint) VPN Tunnel Authentication Data Advanced IPsec Options User ID param Disable DPD Password param Public IP address IPsec Policy Pre-shared Key
Both main and aggressive modes are accepted by the Secure Server [5]
Not considered in this QS Guide
Not considered in this QS Guide
(3) Local System General VPN Protocols IPsec
(5) Link Profile [profile name] Authentication
Incoming Connection/User ID User ID param Incoming Connection/Password Password param
Not Specified in Secure Server but required by Client. From configuration entries above
Not Specified in Secure Server
No (unticked)
(5) Link Profile [profile name] IPsec Option
Extended Auth (XAUTH) Y or N Standard IPsec UDP Encapsulation Port VPN Path Finder NA Y Yes No Y Extended Authentication (XAUTH) No
(5) Link Profile [profile name] Routing
IP Address Pool Pool Number

[3] See section Client IKE and IPsec Policy Automatic Mode description in Preparation and Installation Guide
[4] See section Client IKE and IPsec Policy Automatic Mode description in Preparation and Installation Guide
[5] Note that the Secure Server accepts either Main mode or Aggressive mode for the IKE phase 1 negotiations; the mode required must be set in the Client.
[6] If VPN Password is not stored in the Client profile, the Client will prompt for it on every attempt to establish a VPN tunnel; this prompting scenario is the method illustrated in this QuickStart Installation Guide.

47 Parameter Sheet
Client | Value
IPsec Address Assignment
Assignment of the Private Address IKE Config Mode (DNS Server IP Address) (WINS IP Address) (Domain Suffix) NA IP Address (gray) Subnet Mask (gray) NA
Value | Server
(4) Domain Groups [Default Domain] General
NA DNS Server (primary & secondary) IP addresses IP addresses WINS Server (primary & secondary) Domain suffix Domain Suffix
(4) Domain Groups [Default Domain] Pools
Pool number used to reference the pool to be used by the Link Profile (see Link Profile above) Pool number Pool Begin & Pool End IP addresses Time (seconds) Pool begin and end addresses (Assigned by Secure Server) Leasetime

48 Appendix 2 Automatic IKE Proposal Negotiation

These two appendices list the proposals that are defined for negotiation when Automatic mode is set for IKE (this appendix) or IPsec (appendix 3) proposal negotiations. Note that Client and Secure Server will only agree to use a proposal when there is 100% agreement for all the individual algorithms. The proposals that would be used for the Secure Server IKE defaults are marked in green.

Encryption | Key Length | Hash | Lifetype | Lifetime | Authentication ** | Diffie Hellman Group
 | 256 | SHA | SECONDS | | XAUTH_RSA |
 | 256 | MD5 | SECONDS | | XAUTH_RSA |
 | 256 | SHA | SECONDS | | RSA |
 | 256 | MD5 | SECONDS | | RSA |
 | 256 | SHA | SECONDS | | XAUTH_RSA | DH2
 | 256 | MD5 | SECONDS | | XAUTH_RSA | DH2
 | 256 | SHA | SECONDS | | RSA | DH2
 | 256 | MD5 | SECONDS | | RSA | DH2
 | 192 | SHA | SECONDS | | XAUTH_RSA |
 | 192 | MD5 | SECONDS | | XAUTH_RSA |
 | 192 | SHA | SECONDS | | RSA |
 | 192 | MD5 | SECONDS | | RSA |
 | 128 | SHA | SECONDS | | XAUTH_RSA |
 | 128 | MD5 | SECONDS | | XAUTH_RSA |
 | 128 | SHA | SECONDS | | RSA |
 | 128 | MD5 | SECONDS | | RSA |
 | 128 | SHA | SECONDS | | XAUTH_RSA | DH2
 | 128 | MD5 | SECONDS | | XAUTH_RSA | DH2
 | 128 | SHA | SECONDS | | RSA | DH2
 | 128 | MD5 | SECONDS | | RSA | DH2
DES3 | 0 | SHA | SECONDS | | XAUTH_RSA |
DES3 | 0 | MD5 | SECONDS | | XAUTH_RSA |
DES3 | 0 | SHA | SECONDS | | RSA |
DES3 | 0 | MD5 | SECONDS | | RSA |
DES3 | 0 | SHA | SECONDS | | XAUTH_RSA | DH2
DES3 | 0 | MD5 | SECONDS | | XAUTH_RSA | DH2
DES3 | 0 | SHA | SECONDS | | RSA | DH2
 | 256 | SHA | SECONDS | | XAUTH_PSK |
 | 256 | MD5 | SECONDS | | XAUTH_PSK |
 | 256 | SHA | SECONDS | | PSK |
 | 256 | MD5 | SECONDS | | PSK |
 | 256 | SHA | SECONDS | | XAUTH_PSK | DH2
 | 256 | MD5 | SECONDS | | XAUTH_PSK | DH2
 | 256 | SHA | SECONDS | | PSK | DH2
 | 256 | MD5 | SECONDS | | PSK | DH2
 | 192 | SHA | SECONDS | | XAUTH_PSK |
 | 192 | MD5 | SECONDS | | XAUTH_PSK |
 | 192 | SHA | SECONDS | | PSK |

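49 Appendix 2 Automatic IKE Proposal Negotiation

Encryption | Key Length | Hash | Lifetype | Lifetime | Authentication ** | Diffie Hellman Group
 | 192 | MD5 | SECONDS | | PSK |
 | 128 | SHA | SECONDS | | XAUTH_PSK |
 | 128 | MD5 | SECONDS | | XAUTH_PSK |
 | 128 | SHA | SECONDS | | PSK |
 | 128 | MD5 | SECONDS | | PSK |
 | 128 | SHA | SECONDS | | XAUTH_PSK | DH2
 | 128 | MD5 | SECONDS | | XAUTH_PSK | DH2
 | 128 | SHA | SECONDS | | PSK | DH2
 | 128 | MD5 | SECONDS | | PSK | DH2
DES3 | 0 | SHA | SECONDS | | XAUTH_PSK |
DES3 | 0 | MD5 | SECONDS | | XAUTH_PSK |
DES3 | 0 | SHA | SECONDS | | PSK |
DES3 | 0 | MD5 | SECONDS | | PSK |
DES3 | 0 | SHA | SECONDS | | XAUTH_PSK | DH2
DES3 | 0 | MD5 | SECONDS | | XAUTH_PSK | DH2
DES3 | 0 | SHA | SECONDS | | PSK | DH2
DES3 | 0 | MD5 | SECONDS | | PSK | DH2

** PSK = pre-shared key, XAUTH = Extended Authentication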
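The agreement rule stated in Appendix 2 (a proposal is used only when Client and Secure Server agree on every individual algorithm), as an added Python example that is not part of the NCP guide or of NCP's software. The selection order (first Client offer that the server accepts), the AES and DH5 sample values and all names are assumptions made for illustration; when no offer matches, it reports which attributes differ from the nearest server proposal.

```python
"""Added example: exact-match IKE proposal agreement with mismatch diagnosis."""
from dataclasses import dataclass, fields
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkeProposal:
    # Algorithm attributes listed per proposal in Appendix 2.
    encryption: str
    key_length: int
    hash_alg: str
    authentication: str  # PSK, XAUTH_PSK, RSA or XAUTH_RSA
    dh_group: str


# (client offer, nearest server proposal or None, names of differing attributes)
Diagnosis = Tuple[IkeProposal, Optional[IkeProposal], List[str]]


def mismatches(offer: IkeProposal, accepted: IkeProposal) -> List[str]:
    """Return the names of the attributes on which two proposals differ."""
    return [f.name for f in fields(IkeProposal)
            if getattr(offer, f.name) != getattr(accepted, f.name)]


def negotiate(client_offers: List[IkeProposal],
              server_accepts: List[IkeProposal]
              ) -> Tuple[Optional[IkeProposal], List[Diagnosis]]:
    """Return (agreed proposal, []) or (None, one diagnosis per client offer).

    Assumption: offers are tried in the client's order and the first one that
    matches a server proposal on every attribute is used.
    """
    for offer in client_offers:
        if any(not mismatches(offer, acc) for acc in server_accepts):
            return offer, []

    all_names = [f.name for f in fields(IkeProposal)]
    diagnoses: List[Diagnosis] = []
    for offer in client_offers:
        if not server_accepts:
            # Nothing configured on the server: every attribute is unmatched.
            diagnoses.append((offer, None, all_names))
            continue
        nearest = min(server_accepts, key=lambda acc: len(mismatches(offer, acc)))
        diagnoses.append((offer, nearest, mismatches(offer, nearest)))
    return None, diagnoses


# Constructed sample data. The DES3 rows mirror rows of the Appendix 2 table;
# "AES" and "DH5" are constructed values, not taken from the guide.
SERVER_ACCEPTS = [
    IkeProposal("DES3", 0, "SHA", "XAUTH_PSK", "DH2"),
    IkeProposal("DES3", 0, "MD5", "XAUTH_PSK", "DH2"),
]
CLIENT_OFFERS = [
    IkeProposal("AES", 256, "SHA", "XAUTH_PSK", "DH5"),
    IkeProposal("DES3", 0, "SHA", "XAUTH_PSK", "DH2"),
]
# A client profile created with XAUTH left disabled offers plain PSK only.
CLIENT_WITHOUT_XAUTH = [IkeProposal("DES3", 0, "SHA", "PSK", "DH2")]


if __name__ == "__main__":
    agreed, _ = negotiate(CLIENT_OFFERS, SERVER_ACCEPTS)
    print("agreed:", agreed)
    _, report = negotiate(CLIENT_WITHOUT_XAUTH, SERVER_ACCEPTS)
    for offer, nearest, diff in report:
        print("no agreement for", offer)
        print("  nearest server proposal:", nearest)
        print("  differing attributes:", ", ".join(diff))
```
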

50 Appendix 3 Automatic IPsec Proposal Negotiation

Protocol | Encryption | Key Length | Hash | Lifetype | Lifetime | Compression LZS
ESP | AES | | MD5 | SECONDS | | Yes
ESP | AES | | SHA | SECONDS | | Yes
ESP | AES | | MD5 | SECONDS | | No
ESP | AES | | SHA | SECONDS | | No
ESP | AES | | MD5 | SECONDS | | Yes
ESP | AES | | SHA | SECONDS | | Yes
ESP | AES | | MD5 | SECONDS | | No
ESP | AES | | SHA | SECONDS | | No
ESP | AES | | MD5 | SECONDS | | Yes
ESP | AES | | SHA | SECONDS | | Yes
ESP | AES | | MD5 | SECONDS | | No
ESP | AES | | SHA | SECONDS | | No
ESP | DES3 | | MD5 | SECONDS | | Yes
ESP | DES3 | | MD5 | SECONDS | | No


More information

Cisco Unified Operating System Administration Web Interface

Cisco Unified Operating System Administration Web Interface Cisco Unified Operating System Administration Web Interface ServerGroup, page 1 Hardware, page 2 Network Configuration, page 3 Software Packages, page 4 System, page 5 IP Preferences, page 6 Ethernet Configuration,

More information

Virtual Tunnel Interface

Virtual Tunnel Interface This chapter describes how to configure a VTI tunnel. About s, on page 1 Guidelines for s, on page 1 Create a VTI Tunnel, on page 2 About s The ASA supports a logical interface called (VTI). As an alternative

More information

VPN Quick Configuration Guide. D-Link

VPN Quick Configuration Guide. D-Link VPN Quick Configuration Guide D-Link 2017 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this configuration guide may not be copied, in whole or in part, without the written

More information

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide SonicWALL 6.2.0.0 Addendum A Supplement to the SonicWALL Internet Security Appliance User's Guide Contents SonicWALL Addendum 6.2.0.0... 3 New Network Features... 3 NAT with L2TP Client... 3 New Tools

More information

Data Sheet. NCP Exclusive Entry Client. Next Generation Network Access Technology

Data Sheet. NCP Exclusive Entry Client. Next Generation Network Access Technology VPN Client Suite for Windows For Juniper SRX Series Microsoft Windows 10, 8.x, 7 Dynamic Personal Firewall Import of third party configuration files VPN Bypass VPN Path Finder Technology (Fallback IPsec/HTTPS)

More information

Internet Key Exchange

Internet Key Exchange CHAPTER16 The help topics in this section describe the (IKE) configuration screens. (IKE) What Do You Want to Do? (IKE) is a standard method for arranging for secure, authenticated communications. IKE

More information

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview Configuration Guide How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall Overview This document describes how to implement IPsec with pre-shared secrets establishing

More information

Configuring VPN from Proventia M Series Appliance to Symantec 5310 Systems

Configuring VPN from Proventia M Series Appliance to Symantec 5310 Systems Configuring VPN from Proventia M Series Appliance to Symantec 5310 Systems January 13, 2004 Overview Introduction This document describes how to configure a VPN tunnel from a Proventia M series appliance

More information

D-Link VPN Client. Manual

D-Link VPN Client. Manual D-Link VPN Client Manual Contents Client Monitor........................... 5 Using the Client Monitor................................. 6 Connection...................................... 7 Connect........................................

More information

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide Table of Contents SUPPORTED DEVICES... 5 INTRODUCTION... 6 GWN7000 VPN FEATURE... 7 OPENVPN CONFIGURATION... 8 OpenVPN

More information

VPN Configuration Guide. Cisco ASA 5500 Series

VPN Configuration Guide. Cisco ASA 5500 Series VPN Configuration Guide Cisco ASA 5500 Series 2015 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this configuration guide may not be copied, in whole or in part, without the

More information

Wireless Data Privacy Configuration Guide. HP ProCurve Secure Access 700wl Series.

Wireless Data Privacy Configuration Guide. HP ProCurve Secure Access 700wl Series. Wireless Data Privacy Configuration Guide HP ProCurve Secure Access 700wl Series www.hp.com/go/hpprocurve HP PROCURVE SECURE ACCESS 700WL SERIES WIRELESS DATA PRIVACY CONFIGURATION GUIDE Copyright 2003

More information

How to set up a VPN connection between EAGLE20 and the LANCOM Advanced VPN Client (NCP client)?

How to set up a VPN connection between EAGLE20 and the LANCOM Advanced VPN Client (NCP client)? Portal > Knowledgebase > Products > Classic Firewalls > How to set up a VPN connection between EAGLE20 and the LANCOM Advanced VPN Client (NCP client)? How to set up a VPN connection between EAGLE20 and

More information

Configuring IPSec tunnels on Vocality units

Configuring IPSec tunnels on Vocality units Configuring IPSec tunnels on Vocality units Application Note AN141 Revision v1.4 September 2015 AN141 Configuring IPSec tunnels IPSec requires the Security software (RTUSEC) at VOS07_44.01 or later and

More information

REMOTE ACCESS IPSEC. Course /14/2014 Global Technology Associates, Inc.

REMOTE ACCESS IPSEC. Course /14/2014 Global Technology Associates, Inc. REMOTE ACCESS IPSEC Course 4002 1 Remote Access Features! Granular Network Access and Authorization based on groups and policies.! Windows, Linux, and MAC client support. Windows ShrewSoft Client MAC IPSecuritas

More information

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) Application Note Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) This document describes how to configure McAfee Firewall Enterprise to provide

More information

Remote Connectivity for SAP Solutions over the Internet Technical Specification

Remote Connectivity for SAP Solutions over the Internet Technical Specification Remote Connectivity for SAP Solutions over the Technical Specification June 2006 Remote Connectivity for SAP Solutions over the page 2 1 Introduction SAP offers secure connections over the for support

More information

WLAN Handset 2212 Installation and Configuration for VPN

WLAN Handset 2212 Installation and Configuration for VPN Title page Nortel Communication Server 1000 Nortel Networks Communication Server 1000 Release 4.5 WLAN Handset 2212 Installation and Configuration for VPN Document Number: 553-3001-229 Document Release:

More information

VI. Corente Services Client

VI. Corente Services Client VI. Corente Services Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 II. Corente Client Configuration...

More information

VPN Ports and LAN-to-LAN Tunnels

VPN Ports and LAN-to-LAN Tunnels CHAPTER 6 A VPN port is a virtual port which handles tunneled traffic. Tunnels are virtual point-to-point connections through a public network such as the Internet. All packets sent through a VPN tunnel

More information

Sophos Firewall Configuring SSL VPN for Remote Access

Sophos Firewall Configuring SSL VPN for Remote Access Sophos Firewall Configuring SSL VPN for Remote Access Product Version: 1 Document date: October 2014 Contents 1 Introduction 3 2 Configuring Sophos Firewall 4 2.1 Defining a User Account 4 2.2 Configuring

More information

NCP Secure Entry Client Release Notes

NCP Secure Entry Client Release Notes Service release: 11.13 r41436 Date: October 2018 Prerequisites Operating System Support The following Microsoft Operating Systems are supported with this release: Windows 10, 32/64 bit (up to and including

More information

Proxicast IPSec VPN Client Example

Proxicast IPSec VPN Client Example Proxicast IPSec VPN Client Example Technote LCTN0013 Proxicast, LLC 312 Sunnyfield Drive Suite 200 Glenshaw, PA 15116 1-877-77PROXI 1-877-777-7694 1-412-213-2477 Fax: 1-412-492-9386 E-Mail: support@proxicast.com

More information

Cisco ASA 5500 LAB Guide

Cisco ASA 5500 LAB Guide INGRAM MICRO Cisco ASA 5500 LAB Guide Ingram Micro 4/1/2009 The following LAB Guide will provide you with the basic steps involved in performing some fundamental configurations on a Cisco ASA 5500 series

More information

OpenVPN protocol. Restrictions in Conel routers. Modified on: Thu, 14 Aug, 2014 at 2:29 AM

OpenVPN protocol. Restrictions in Conel routers. Modified on: Thu, 14 Aug, 2014 at 2:29 AM 1/2/2016 OpenVPN protocol : Support Portal OpenVPN protocol Modified on: Thu, 14 Aug, 2014 at 2:29 AM OpenVPN (Open Virtual Private Network) is a means of interconnection of several computers through an

More information

IKEv2 Roadwarrior VPN. thuwall 2.0 with Firmware & 2.3.4

IKEv2 Roadwarrior VPN. thuwall 2.0 with Firmware & 2.3.4 IKEv2 Roadwarrior VPN thuwall 2.0 with Firmware 2.2.6 & 2.3.4 Revision History Revision Date Author Description 1.0 05. July 2017 Tom Huerlimann Initial Release 1.1 06. July 2017 Tom Huerlimann Corrections

More information

Data Sheet. NCP Secure Enterprise Client Windows. Next Generation Network Access Technology

Data Sheet. NCP Secure Enterprise Client Windows. Next Generation Network Access Technology Universal, Centrally Administrable VPN Client Suite for Windows Central Management (SEM) Network Access Control (Endpoint Policy) Compatible with all Major VPN Gateways (IPsec Standard) Microsoft Windows

More information

Abstract. Avaya Solution & Interoperability Test Lab

Abstract. Avaya Solution & Interoperability Test Lab Avaya Solution & Interoperability Test Lab Site-to-Site VPN Configuration between Avaya SG208 Security Gateway, Enterasys XSR-1805 Security Router, and Cisco VPN 3000 Concentrator using AES-128, Perfect

More information

User Manual. SSV Remote Access Gateway. Web ConfigTool

User Manual. SSV Remote Access Gateway. Web ConfigTool SSV Remote Access Gateway Web ConfigTool User Manual SSV Software Systems GmbH Dünenweg 5 D-30419 Hannover Phone: +49 (0)511/40 000-0 Fax: +49 (0)511/40 000-40 E-mail: sales@ssv-embedded.de Document Revision:

More information

Data Sheet. NCP Secure Entry Client Windows. Next Generation Network Access Technology. Universal VPN Client Suite for Windows 32/64 bit

Data Sheet. NCP Secure Entry Client Windows. Next Generation Network Access Technology. Universal VPN Client Suite for Windows 32/64 bit Universal VPN Client Suite for Windows 32/64 bit Compatible with VPN gateways (IPsec standard) Import of third party configuration files Integrated, dynamic personal firewall with IPv6 support Fallback

More information

V7610 TELSTRA BUSINESS GATEWAY

V7610 TELSTRA BUSINESS GATEWAY V7610 TELSTRA BUSINESS GATEWAY VPN Configuration Guide Date: Oct 16, 2015 Revision Num: 1.0 1 V7610 VPN Configuration Guide Rev1.0, October 2015 Revision History Date Release Author Description Oct 16,

More information

VPN Configuration Guide LANCOM

VPN Configuration Guide LANCOM VPN Configuration Guide LANCOM equinux AG and equinux USA, Inc. 2015 equinux USA, Inc. All rights reserved. Under the copyright laws, this manual may not be copied, in whole or in part, without the written

More information

VPN Option Guide for Site-to-Site VPNs

VPN Option Guide for Site-to-Site VPNs GB-OS Version 6.2 VPN Option Guide for Site-to-Site VPNs VPNOG2013411-02 Global Technology Associates 3505 Lake Lynda Drive Suite 115 Orlando, FL 32817 Tel: +1.407.380.0220 Fax. +1.407.380.6080 Email:

More information

Release Notes. NCP Secure Client Juniper Edition. 1. New Features and Enhancements. Major Release: build Date: July 2015

Release Notes. NCP Secure Client Juniper Edition. 1. New Features and Enhancements. Major Release: build Date: July 2015 NCP Secure Client Juniper Edition Major Release: 10.02 build 24934 Date: July 2015 Prerequisites Operating System Support The following Microsoft Operating Systems are supported with this release: Windows

More information

VPN Configuration Guide SonicWALL

VPN Configuration Guide SonicWALL VPN Configuration Guide SonicWALL SonicOS Enhanced 2010 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this manual may not be copied, in whole or in part, without the written

More information

Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 1

Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 1 Configuring a VPN Using Easy VPN and an IPSec Tunnel This chapter provides an overview of the creation of Virtual Private Networks (VPNs) that can be configured on the Cisco 819, Cisco 860, and Cisco 880

More information

Configuration Guide SuperStack 3 Firewall L2TP/IPSec VPN Client

Configuration Guide SuperStack 3 Firewall L2TP/IPSec VPN Client Overview This guide is used as a supplement to the SuperStack 3 Firewall manual, and details how to configure the native Windows VPN client to work with the Firewall, via the Microsoft recommended Layer

More information

Aerohive Configuration Guide RADIUS Authentication

Aerohive Configuration Guide RADIUS Authentication Aerohive Configuration Guide RADIUS Authentication Aerohive Configuration Guide: RADIUS Authentication 2 Copyright 2012 All rights reserved 330 Gibraltar Drive Sunnyvale, CA 94089 P/N 330068-02, Rev. A

More information

Chapter 6 Virtual Private Networking

Chapter 6 Virtual Private Networking Chapter 6 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the ADSL2+ Modem Wireless Router. VPN communications paths are called tunnels. VPN

More information

How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway

How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway To connect to the Google Cloud VPN gateway, create an IPsec IKEv2 site-to-site VPN tunnel on your F-Series Firewall

More information

VPN Tracker for Mac OS X

VPN Tracker for Mac OS X VPN Tracker for Mac OS X How-to: Interoperability with NETGEAR VPN Router Appliances Rev. 1.4 Copyright 2003 equinux USA Inc. All rights reserved. 1. Introduction 1. Introduction This document describes

More information

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements CONTENTS Preface Acknowledgements xiii xvii Chapter 1 TCP/IP Overview 1 1.1 Some History 2 1.2 TCP/IP Protocol Architecture 4 1.2.1 Data-link Layer 4 1.2.2 Network Layer 5 1.2.2.1 Internet Protocol 5 IPv4

More information

NCP Secure Entry Client Release Notes

NCP Secure Entry Client Release Notes Service release: 11.16 r43395 Date: April 2019 Prerequisites Operating System Support The following Microsoft Operating Systems are supported with this release: Windows 10, 32/64 bit (up to and including

More information

PPTP Server: This guide will show how an IT administrator can configure the VPN-PPTP server settings.

PPTP Server: This guide will show how an IT administrator can configure the VPN-PPTP server settings. Chapter 12 VPN To obtain a private and secure network link, the NUS-MH2400G is capable of establishing VPN connections. When used in combination with remote client authentication, it links the business

More information

Case 1: VPN direction from Vigor2130 to Vigor2820

Case 1: VPN direction from Vigor2130 to Vigor2820 LAN to LAN IPSec VPN between Vigor2130 and Vigor2820 using Aggressive mode In this document we will introduce how to create a LAN to LAN IPSec VPN between Vigor2130 and a Vigor2820 using Aggressive mode.

More information

Proxy Protocol Support for Sophos UTM on AWS. Sophos XG Firewall How to Configure VPN Connections for Azure

Proxy Protocol Support for Sophos UTM on AWS. Sophos XG Firewall How to Configure VPN Connections for Azure Proxy Protocol Support for Sophos UTM on AWS Sophos XG Firewall How to Configure VPN Connections for Azure Document date: April 2017 1 Contents 1 Overview... 3 2 Azure Virtual Network and VPN Gateway...

More information

Setting up a secure VPN Connection between SCALANCE S and M812-1 Using a static IP Address

Setting up a secure VPN Connection between SCALANCE S and M812-1 Using a static IP Address Configuration Example 09/2014 Setting up a secure VPN Connection between SCALANCE S and M812-1 Using a static IP Address SCALANCE S, SCALANCE M http://support.automation.siemens.com/ww/view/en/99681595

More information

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router Objective Internet Protocol Security (IPSec) is used to protect communications through the encryption of IP packets during a communication

More information