Best Practices: Provisioning of Mobile VPN certificate based policy from Nokia DM server for accessing Nokia IP VPN gateway

Transcription

1 Best Practices: Provisioning of Mobile VPN certificate based policy from Nokia DM server for accessing Nokia IP VPN gateway December 2008

2 Nokia 2

3 1. Introduction This document describes how to provision from Nokia Intellisync Device Management OMA DM server a certificate based VPN policy to Nokia Mobile VPN Client for accessing Nokia IP VPN gateway. Mobile VPN client authenticates itself with a certificate which is signed by the IP VPN internal Certificate Authority (CA). No external CA is needed in this sample for issuing the certificates. The provisioning consists of the following steps: Install Nokia Mobile VPN Client (optional, needed if no Mobile VPN Client pre-installed in the mobile device) Retrieve certificate request from Mobile VPN Client Sign the certificate request by the IP VPN internal Certificate Authority (CA) Deliver the client certificate and IP VPN CA certificate to the mobile device Create VPN policy for Mobile VPN Client with Nokia Mobile VPN Client Policy Tool Deliver the VPN policy to Mobile VPN Client This document is based on the following product versions: Nokia IP VPN gateway 6.3(134) Nokia IP VPN Manager v6.3( ) Nokia E66 mobile device v Mobile VPN client v3_1_ (MVPN_S60_v3_1_ sisx) Nokia Mobile VPN Client Policy Tool v1.04 Nokia Intellisync Device Management OMA DM server The document applies also for the other Nokia mobile devices supporting the Mobile VPN client v3.1. Mobile VPN Client v3.1 is currently available for the following S60 3rd Edition Feature Pack 1 devices: E51 E66 E71 E90

4 2. Device Management configuration The following Device Management publications are created in this sample: 1. Mobile VPN Client installation (highest priority) (see section 2.1) 2. Retrieve certificate request from Mobile VPN Client for signing by CA (2 nd highest priority) (see section 2.2) 3. Deliver signed client certificate and CA certificate to mobile device (3 rd highest priority) (see section 2.4) 4. Deliver WLAN access point and VPN policy to mobile device and create VPN access point (4 th highest priority) (see section 2.6) The publications 1 and 2 are run in a sequence and the publications 3 and 4 in their own sequence after the client certificate has been signed. Because manual operation is needed to sign the client certificate, the publications cannot be run all at the same time. The administrator needs to assign first the publications 1-2 to the user and then the publications 3-4 after the certificate request has been signed. The priority order needs to be set in the way that publication 1 has a higher priority than publication 2 and the publication 3 has a higher priority than the publication 4. WLAN access point is created in this sample for VPN connection but the VPN connection could also be established over an GPRS access point. The certificate request is created by Mobile VPN Client, meaning that the private keys never leave the device. This is more secure than creating a private key / certificate bundle in an external CA (e.g. PKCS#12) and passing it to the Mobile VPN Client. This is also the only possibility with IP VPN gateway when using the gateway s internal CA, the gateway doesn t have the option to create PKCS#12 certificate bundles. The certificates are stored in the device certificate store of the mobile device to avoid the prompting of the key store password when establishing the VPN connection. This is not as secure as using the user certificate store where the user is prompted for the key store password every time the client certificate is needed. The device store is, however, easier for the users because then the VPN connection is established automatically without any user prompting.

5 2.1 Install Mobile VPN client If the Nokia Mobile VPN Client is not pre-installed in the mobile device or if the client version needs to be upgraded, create the Mobile VPN Client content and the DM publication to install the client Create Mobile VPN Client content Go to Content/Files menu and select: Select New Select Nokia Mobile VPN Client

6 Define the content name and version number (free format text) and select Create new to attach the client sis-file.

7 Browse to the Mobile VPN client sis-file and select: MIME Type = Symbian installation file, signed Device groups = Nokia Mobile VPN devices

8 Save the content :

9 2.1.2 Create Mobile VPN Client installation publication Create a new publication of type Device configuration : Select application = Nokia Mobile VPN Select «Install»

10 Select the Mobile VPN client content created above Select Use OMA download Select Reconnect after installation (NOTE: This option needs to be selected to be able to automatically continue with the certificate request publication after the client installation)

11 2.2 Retrieve certificate request from Mobile VPN Client Create the publication to retrieve certificate request for signing by IP VPN CA. The publication contains the following action: Application = Nokia Mobile VPN certificate management Select «Retrieve certificate request»

12 Define the parameters below in the certificate request settings. Use a variable name in Subject Name, RFC822 name and file name to be able to use the same action for retrieving certificate request from all users. Variable name ${user_auth_id_no_suffix} is used in this sample which will replace the variable name with the user s authentication name (omitting the eventual domain part in DM tenant configurations). Certificate store = Device certificate store Key store = Device key store Subject name: CN=${user_auth_id_no_suffix} RFC822 name: ${user_auth_id_no_suffix}@nokiagss.com Key length = 1024 Local file path = certs_dir Local filename: ${user_auth_id_no_suffix}.p10 The domain name ( nokiagss.com ) in RFC822 name can be freely chosen but needs to match with the definitions in Nokia Mobile VPN Client Policy tool and IP VPN gateway. Note that the device certificate store and device key store are selected here instead of the user store to avoid the prompting of the key store password every time the certificate is used.

13 The certificate request file can be found under the given folder ( certs_dir in above sample) in the following directory in DM server after the publication has been run: /opt/ims/in e.g. /opt/ims/in/certs_dir or if a DM tenant configuration: /opt/ims/tenants/tenant_x/in e.g. /opt/ims/tenants/tenant_x/in/certs_dir

14 2.3 Certificate operations in IP VPN Manager CA Sign the client certificate The certificate request received in the previous step needs to be converted from DER to PEM (base 64) format before importing to IP VPN Manager, e.g. with the following Openssl command in DM server: /opt/ims/lib/external/ssl/linux/bin/openssl req in user1.p10 inform DER out user1_pem.p10 outform PEM where user1.p10 = original request file (DER format) user1_pem.p10 = converted request file (PEM base 64) The converted request file can then be imported and signed by IP VPN Manager as described below. In IP VPN Manager go to VPN Global Properties menu Right-click the internal Certification Authority (CA) Select Issue certificate using external CSR

15 Browse to the certificate request file obtained above (PEM-format file): Define the validity time of the certificate:

16 When the certificate has been signed, export it into a file with Export command for storing in the DM server file system and delivery to the mobile device.

17 2.3.2 Import IP VPN CA certificate The Mobile VPN Client needs also the IP VPN CA certificate for authenticating the gateway certificate during the VPN negotiation. In IP VPN Manager go to VPN Global Properties menu, select the internal CA and export the CA certificate in a file:

18 2.4 Deliver certificates to the mobile device Store the certificates in DM server file system Copy the signed client certificates and the CA certificate obtained in the previous step in the following directory in the DM server: /opt/ims/out/certs (where certs is the path given in the delivery action below in URL parameter) OR if using DM server with tenants: /opt/ims/tenants/tenant_x/out/certs Copy the client certificates to the file names <user name>.cer, e.g. user1.cer if the user authenticates with name user1. In this way the certificates can be accessed with the same variable name which was used when retrieving the certificate request Deliver client certificate to Mobile VPN Client Create an action to deliver the certificate to the Mobile VPN client. The certificate is stored in the DM server file system. Variable names are used in the certificate filename to be able to use the same DM action for all the users. The certificate received from VPN Manager can be delivered as such, no conversion is needed. Select application = Nokia Mobile VPN Certificate Management Select Deliver certificate

19 In certificate settings define: Certificate store = Device certificate store Certificate type = User certificate Install from = File system or internet URL = file:certs/${user_auth_id_no_suffix}.cer Certificate applicability = VPN NOTE: DM has some issues in handling of the file names with upper case letters. Use lower case letters in the file name in URL definition!

20 2.4.3 Deliver CA certificate to Mobile VPN client Create an action to deliver the CA certificate from the DM server file system to Mobile VPN Client. The CA certificate received from IP VPN Manager can be used as such, no conversion needed. Select application = Nokia Mobile VPN Certificate Management Select Deliver certificate

21 In certificate settings define: Certificate store = User certificate store Certificate type = CA certificate Install from = File system or internet URL = file:certs/ipvpn_ca_der.cer Certificate applicability = VPN Note that there s no need to use a variable name in the CA certificate because it is common for all the client devices and the same CA certificate is delivered to all the devices. The user certificate store is selected here (only option available for CA certificate) but it doesn t require any key store password entered by the user because no private keys are associated with the CA certificate. NOTE: DM has some issues in handling of the file names with upper case letters. Use lower case letters in the file name in URL definition!

22 2.5 Create VPN policy with Nokia Mobile VPN Client Policy Tool Create VPN policy with Nokia Mobile VPN Client Policy Tool and extract the policy file from the *.vpn file created by the VPN Client Policy Tool. The *.vpn type of policy bundle can be installed manually in the mobile device but not via DM server. DM server uses instead the *.pol type of policy file which is included in the *.vpn bundle. The configuration settings need to match with the IP VPN gateway definitions. The following parameter values are used in this sample: IKE phase 1: Authentication method = RSA Signatures Encryption algorithm = 3DES-CBC Hash algorithm = SHA1 Oakley group = MOD-1024 Lifetime = 28800s (8h) IKE phase 2 (IPSec): Encryption algorithm = 3DES Hash algorithm = SHA1 Perfect Forward Secrecy = not selected Lifetime = 3600s (1h) The following two protected host groups are defined in this sample (host groups to which the VPN connection is allowed): / /

23 2.5.1 Create VPN policy Load the pre-defined policy template for Nokia IP VPN gateway certificate policy (can be found in directory C:\Program Files\Nokia\Nokia Mobile VPN Client Policy Tool\GatewayProfiles\Nokia): Select Nokia_IP_VPN_63_cert.pol

24 In the main menu define the following: Policy name = free format name VPN gateway address = public ip address of IP VPN gateway Certtificate Authority o Format: Name o Data: CN=IPVPN_10i CA (Subject name of the CA certificate) RFC822NAME (FQDN): nokiagss.com (match with the domain name given in the client certificate request and with the domain name given in IP VPN configuration) Key length = 1024

25 The correct CA subject name in the above configuration can be checked by viewing the contents of the CA certificate Subject name field (IP VPN CA certificate imported from IP VPN gateway in the previous steps):

26 Change to advanced configuration mode by selecting: View / Advanced view In menu IPSec / SAs, match the IPSec parameters with the IP VPN gateway configuration: Encryption algorithm = 3DES Hash algorithm = SHA1 Perfect Forward Secrecy = Off Lifetime = 3600s

27 Add a second IPSec SA with the same settings. The second IPSec SA is needed because there are two separate host groups, or remote selectors, configured in this sample ( / and / ) which both need an own IPSec SA definition. (This is a limitation in Nokia Mobile VPN Policy Tool v1.04, the same IPSec SA cannot be properly assigned to two remote selectors.)

28 Create remote selector for the first protected host group / : Type = remote Address = Netmask = IPSec SA = SA1 (first SA defined in the IPSec SA definitions above)

29 Create remote selector for the second protected host group / : Type = remote Address = Netmask = IPSec SA = IP_VPN_cert_1 (second SA defined in the IPSec SA definitions above)

30 Set the Inbound and Outbound selectors to allow the access to internet while the VPN connection is active (bypass VPN policy mode in Mobile VPN Client). If the Inbound and Outbound selectors are missing, the Mobile VPN Client enforces drop policy and allows only the VPN access while the VPN connection is active.

31 Go to IKE menu and check the General parameters (should match with IP VPN gateway IKE settings): VPN gateway address = IP VPN gateway address Identity type = RFC822_NAME Cert store = DEVICE Send notification = TRUE Perfect forward secrecy = MODP_1024 Initial contact = TRUE Use internal addressing = TRUE NAT Keepalive = 30s (the default is 0, meaning that no NAT keepalive is used but NAT Keepalive may be needed for maintaining the NAT mapping to allow the data to be sent from the gateway side to the client, e.g. when the data transfer is initiated by a server in the inside network ) NOTE: Be sure to select Cert store = DEVICE. This parameter field is empty by default and will cause the Mobile VPN client fail to find its certificate if the cert store is not properly selected.

32 In IKE / IKEv1 menu the default values can usually be used: Nokia IP VPN gateway is using in this sample IKEv1 authentication method and the other menus (IKEv2, PSK, CRACK) are not relevant in this case.

33 Go to IKE / Proposals menu and define the following parameter values for the IKE phase 1 proposal (match with IP VPN gateway definitions): Encryption algorithm = 3DES-CBC Hash algorithm = SHA1 OAKLEY group = MODP_1024 Pseudo random function = Same as used in hash algorithm Lifetime in seconds = 28800

34 2.5.2 Extract VPN policy file Create VPN Policy by running the Generate VPN Policy command. The command creates *.vpn type of policy bundle which can be opened with WinZip tool program to extract the policy file for DM delivery (*.pol): Run Generate VPN Policy command Open the resulting *.vpn file with WinZip Extract the file with extension *.pol

35 2.5.3 Sample VPN policy file The policy file (*.pol) is a text-based configuration file. A sample file is shown below: IP_VPN_cert [POLICY] sa SA1 = { esp encrypt_alg 3 auth_alg 3 identity_remote /16 src_specific hard_lifetime_bytes 0 hard_lifetime_addtime 3600 hard_lifetime_usetime 3600 soft_lifetime_bytes 0 soft_lifetime_addtime 3600 soft_lifetime_usetime 3600 replay_win_len 0 } sa IP_VPN_cert_1 = { esp encrypt_alg 3 auth_alg 3 identity_remote /16 src_specific hard_lifetime_bytes 0 hard_lifetime_addtime 3600 hard_lifetime_usetime 3600 soft_lifetime_bytes 0 soft_lifetime_addtime 3600 soft_lifetime_usetime 3600 replay_win_len 0 } remote = { SA1( ) } remote = { IP_VPN_cert_1( ) } inbound = { } outbound = { } [IKE] ADDR: IKE_VERSION: MODE: Main SEND_NOTIFICATION: TRUE ID_TYPE: 3 GROUP_DESCRIPTION_II: MODP_1024 USE_COMMIT: FALSE IPSEC_EXPIRE: TRUE SEND_CERT: FALSE INITIAL_CONTACT: TRUE RESPONDER_LIFETIME: TRUE REPLAY_STATUS: FALSE USE_INTERNAL_ADDR: TRUE USE_NAT_PROBE: FALSE ESP_UDP_PORT: 0 DPD_HEARTBEAT: 0 NAT_KEEPALIVE: 30 REKEYING_THRESHOLD: 0 OWN_CERT_TYPE: DEVICE PROPOSALS: 1 ENC_ALG: 3DES-CBC AUTH_METHOD: RSA_SIGNATURES HASH_ALG: SHA1 GROUP_DESCRIPTION: MODP_1024 GROUP_TYPE: DEFAULT

36 LIFETIME_KBYTES: 0 LIFETIME_SECONDS: PRF: NONE CAs: 1 FORMAT: NAME DATA: CN=IPVPN_10i CA OWN_CERTS: IDENTITY_AS_RFC822NAME: 1 RFC822NAME_FQDN: nokiagss.com PRIVATE_KEY_LENGTH: 1024

37 2.6 Deliver VPN Policy to Mobile VPN Client Create VPN Policy content in DM server Use the policy file (*.pol) obtained in the previous step and import it as content to DM server: Select Nokia Mobile VPN Policy

38 Browse to the VPN policy file (*.pol) and define: MIME Type = Symbian VPN Policy Device groups = Nokia Mobile VPN Devices

39 Save the content:

40 2.6.2 Create VPN Policy delivery publication Create internet access point WLAN access point is created in this sample to be used with VPN connections. Create an action to deliver internet access point WLAN_AP :

41 Define the settings for the internet access point:

42 Deliver VPN Policy Create an action to deliver the VPN policy and to create the VPN access point. The VPN access point is using the WLAN access point WLAN_AP created above. Select application = Nokia Mobile VPN Select Deliver settings

43 Define the Mobile VPN settings: Install from = Database Nokia Mobile VPN policy name = VPN policy content created in the previous steps VPN Access point name = VPN1 (free format name for the VPN access point to be created in the mobile device) Internet access point = WLAN_AP (WLAN access point created in the previous steps)

44 3. Nokia IP VPN gateway configuration Here s a sample IP VPN gateway configuration matching with the above Mobile VPN Client configuration. 3.1 Client Policy Go to Client Access / IPSec Clients / Client Policy menu and define the following: Select IPVPN_10i CA as the CA for IKE authentication (internal IP VPN CA) Select IPSec policy Encryption and integrity

45 Press the Settings button to check the IKE phase 1 parameters (match with the parameters in IKE menus of Nokia Mobile VPN Client Policy Tool program): Use integrity algorithm = SHA1 Use encryption algorithm = TRIPLE DES Use Diffie-Hellman group description = Group #2 (MODP 1024-bit) Include ISAKMP VENDOR-ID = Yes Enable INITIAL-CONTACT payload processing = Yes Lifetime setting = 8 hours (=28800s)

46 Select Edit for the Encryption and integrity IPSec policy and match the settings with the IPSec SA settings in Nokia Mobile VPN Policy Tool: Enable privacy = TRIPLE DES Enable integrity and replay prevention = HMAC SHA1 Implement integrity using the IPSec protocol = ESP Press Advanced button to set the rest of the parameters: Enable PFS to protect session keys = No Enable ISAKMP COMMIT processing = Yes Include REPLAY-STATUS notify payload = Yes Include RESPONDER-LIFETIME notify payload = Yes Keying lifetime = 1 hour

47 Go to Client Access / IPSec clients / Client Policy / Access menu and define: Allow incoming clients to access = The gateway s protected host groups (the host groups defined in VPN participation menu)

48 3.2 Client access Go to Client access / IPSec Clients / Client Access menu and define: Select Allow clients to connect using certificate based authentication Click Add to add a filter for the certificate clients (see next section) Settings in Challenge Response Clients can be left undefined, they are not relevant for the certificate based authentication used in this sample

49 Define the access filters for certificate based clients: Specify client or domain = *@nokiagss.com (allows access only for the clients with the certificate where the domain name matches with this domain name) Protect traffic with IPSec = Yes It is also possible to define Any client as the filter. In this case the access is allowed for all the clients having a valid certificate signed by the internal IP VPN CA, no matter what RFC 822 subject alternate name is given in the certificate.

50 3.3 Internal address pool Go to Client Access / IPSec Clients / Internal Addressing menu and define the internal address pool from which the Mobile VPN clients obtain their internal address when accessing the resources in the inside network. Note that the selection of the internal addresses is a gateway specific configuration issue. The addresses don t need to match with any Mobile VPN Client configuration settings. The clients will obtain the internal address from the VPN gateway every time when connecting. 3.4 Protected host groups Go to Traffic Filters / VPN Participation and check the host groups protected by the gateway. Match the protected host groups with the remote selectors defined in Nokia Mobile VPN Client Policy Tool program ( / and / in this sample)..

51 4. Using Mobile VPN Client VPN connections can be established by selecting the VPN access point as the access point, e.g. with web browser: The VPN policy and VPN access point settings can be checked in menu Tools / Settings / Connection / VPN. The following submenus are shown:

52 VPN Policy can be found in menu VPN Management / VPN Policies: VPN access point settings can be checked in menu VPN access points. The access point settings contain the following parameters: VPN Policy = name of the VPN policy in use Internet access point = physical access point through which the VPN connection is established Proxy settings = optional HTTP/HTTPS proxy in the inside network