IPSecuritas 3.x. Configuration Instructions. Collax Platform Server. for

Transcription

1 IPSecuritas 3.x Configuration Instructions for Collax Platform Server Lobotomo Software 28. juillet 2010

2 Legal Disclaimer Contents Lobotomo Software (subsequently called "Author") reserves the right not to be responsible for the topicality, correctness, completeness or quality of the information provided. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected. All offers are not-binding and without obligation. Parts of the document or the complete publication including all offers and information might be extended, changed or partly or completely deleted by the author without separate announcement. Referrals The author is not responsible for any contents referred to or any links to pages of the World Wide Web in this document. If any damage occurs by the use of information presented there, only the author of the respective documents or pages might be liable, not the one who has referred or linked to these documents or pages. Copyright The author intended not to use any copyrighted material for the publication or, if not possible, to indicate the copyright of the respective object. The copyright for any material created by the author is reserved. Any duplication or use of such diagrams, sounds or texts in other electronic or printed publications is not permitted without the author's agreement. Legal force of this disclaimer This disclaimer is to be regarded as part of this document. If sections or individual formulations of this text are not legal or correct, the content or validity of the other parts remain uninfluenced by this fact. Acknowledgments Many thanks to for providing setup information, screenshots and support for writing this document.

3 Table of contents Introduction 1 Collax Server Setup 1 Requirements 1 Example Configuration 1 NAT traversal 1 Generate Ceritifcate Authority (CA) 2 Generate Local Server Certificate 2 Generate Non-local Server Certificate 3 Export Certificate 4 Create Virtual VPN Network 4 Routing 4 IPSec Proposals 4 VPN Dialinlink 5 IPSecuritas Setup 6 Start IPSecuritas 6 Import Certificate 6 Create Connection 7

4

5 Introduction This document describes the steps necessary to establish a protected VPN connection between a Mac client and a Collax Server router/firewall. All information in this document is based on the following assumed network. Collax Server Setup This section describes the necessary steps to setup a Collax Server router/firewall to accept incoming connections. For Encryption, X.509 certificates are beeing used. These are much easier to handle than RSA keys and much more secure than PSK authentication. Requirements (One of the following) - - Collax Security Gateway - Collax Platform Server incl. Module Net Security Installation Media can be downloaded from Example Configuration Hostname : cbs.collax.com Localnet : /24 Certificate : VPN_CBS IPSecuritas VPN-Client Virtual Address : Certificate: VPN_MAC NAT traversal. NAT traversal is a technology with which a VPN client behind a masquerading router can establish a VPN tunnel. For this purpose, the IPSec packets are wrapped in UDP packets, which can be masqueraded without any risk. If enabled, this global option will be checked individually every time a connection is established and used where appropriate. 1

6 To enable NAT traversal, you have to enter the dialog for configuring general link settings. This dialog is located under «Settings Networking Links General» Generate Certificate Authority (CA) Before you generate your own certificates, you may want to generate your own CA certificate first. The CA certificate is used to sign other certificates. This dialog is located under «Settings Usage Policy Certificates X.509 Certificates» As certificates signed by the CA certificate expire when the CA certificate expires, be sure to set a sufficiently long period (e.g. 5 years) Generate Local Server Certificate Next we generate a local server certificate and select the CA certificate to be used for signing the new certificate. 2

7 Generate Non-local Server Certificate Next we generate a non-local server certificate and select the CA certificate to be used for signing the new certificate. Important: Do not set a passphrase (Section Identity) 3

8 Export Certificate To be able to use the non-local certificate for the client, it must be downloaded from the Collax Server. The certificate is exported in the PKCS#12 format. The password is used to encrypt the export file. The password is needed again when importing the certificate on the client. Create Virtual VPN Network Before creating a VPN dialin link, we need to setup an additional network for the VPN client. This dialog is located under «Settings Networking Networks Configuration» Routing To to able to reach the LocalNet, we have to allow connections from the virtualvpnnet. This dialog is located under «Settings Networking Firewall Matrix» The firewall matrix is a visual representation of the integrated firewall. This matrix determines which network connections are allowed or blocked. IPSec Proposals This dialog deals with the definition of encryption methods and hash algorithms for the various stages of VPN connections. These predefined IPSec proposals can be assigned to the desired VPN connections 4

9 This dialog is located under «Settings Networking Links IPSec Proposals» VPN Dialinlink We have to create a VPN dialin link, to wait for the remote party to establish a connection. This dialog is located under «Settings Networking Links Configuration» 1

10 IPSecuritas Setup This section describes the necessary steps to setup IPSecuritas to connect to the Collax Server router/firewall. Start IPSecuritas Unless it is already running, you should start IPSecuritas now. Import Certificate We import the Clientcertificate by changeing to the menu Certificates Import and choose the previously exported certificate file. The password is used to decrypt the export file. 2

11 After import it is in the list of certificates. Create Connection Change to Connections menu and select Edit Connections (or press AppleKey-E). General Settings 3

12 Phase 1 Settings Phase 2 Settings ID Settings 4

13 DNS Settings Options2 5