H3C SecPoint User Manual

Transcription

1 Hangzhou Huawei-3Com Technology Co., Ltd Manual Version: T Q C-1.01

2 Copyright 2006, Hangzhou Huawei-3Com Technology Co., Ltd. and its licensors All Rights Reserved No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou Huawei-3Com Technology Co., Ltd. Trademarks H3C, Aolynk,, IRF, H 3 Care,, Neocean,, TOP G, SecEngine, SecPath, COMWARE, VVG, V 2 G, V n G, PSPT, NetPilot, and XGbus are trademarks of Hangzhou Huawei-3Com Technology Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners. Notice The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied. To obtain the latest information, please access: Technical Support customer_service@huawei-3com.com

3 About This Manual Related Documentation In addition to this manual, each H3C SecPath Series Security Products documentation set includes the following: Manual H3C SecKey Manager User Manual Content Introduces the installation and usage of the SecKey Manager. Organization is organized as follows: 1 Overview Chapter 2 SecPoint Installation and Removal 3 Use of SecPoint 4 Certificate Management Tool Contents Profiles the system characteristics and applications. Focuses on system installation and precautions. Elaborates on how to establish VPN connection with the SecPoint (supporting SecKey dedicated connection). Introduces how to apply for and manage certificates by using the certificate management tool.

4 5 FAQ Chapter Contents Lists common problems encountered in system installation and use. Conventions The manual uses the following conventions: I. Command conventions Convention Boldface italic [ ] { x y... } [ x y... ] { x y... } * [ x y... ] * Description The keywords of a command line are in Boldface. Command arguments are in italic. Items (keywords or arguments) in square brackets [ ] are optional. Alternative items are grouped in braces and separated by vertical bars. One is selected. Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected. Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected. Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected. # A line starting with the # sign is comments.

5 II. GUI conventions < > [ ] / Convention Description Button names are inside angle brackets. For example, click <OK>. Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window. Multi-level menus are separated by forward slashes. For example, [File/Create/Folder]. III. Symbols Convention Warning Caution Note Description Means reader be extremely careful. Improper operation may cause bodily injury. Means reader be careful. Improper operation may cause data loss or damage to equipment. Means a complementary description.

6 Table of Contents Table of Contents Chapter 1 Overview Introduction System Features Application Chapter 2 SecPoint Installation and Removal Configuration Requirement Installing/Uninstalling SecPoint Rules for Installation Installing SecPoint Uninstalling SecPoint Chapter 3 Use of SecPoint Main Window of SecPoint Window Description Menu Description General Application Procedures Creating a VPN Connection Creating a VPN Connection Manually Creating a VPN Connection Automatically Configuring VPN Connection Attributes Login Selecting Common VPN Connection Login Selecting SecKey Connection Login Displaying VPN Connection State Disconnecting a VPN connection i

7 Table of Contents 3.8 Deleting a VPN Connection Chapter 4 Certificate Management Tool Main Window of the Certificate Management Tool Window Description Main Functions of the Window Chapter 5 FAQ ii

8 Chapter 1 Overview 1.1 Introduction Chapter 1 Overview Huawei-3Com SecPoint (referred to as SecPoint) is VPN client software used on PCs. This software allows VPN interconnection between PCs and network devices, such as Huawei-3Com SecPath Series Security products and routers, in many approaches, thus enabling remote PCs to access the VPN of enterprise headquarters through the Internet safely and promptly. SecPoint can act as an L2TP client. If remote users are able to access the Internet, no matter using dial-up access, ADSL, or broadband service provided in the community, they can build L2TP tunnels with the VPN gateway of the company headquarters to access the resources on the intranet. SecPoint also provides powerful safety features, including IPSec, Internet Key Exchange (IKE), and NAT traversal, which significantly improve the security performance of the VPN system. IPSec ensures privacy, integrality, authenticity, and anti-replay of datagrams transmitted on a network by enabling both parties in communication to encrypt data and authenticate data source at the IP layer. SecPoint can work with the SecKey device. The user name and password are saved in the SecKey device so that the data can be protected well. All the configuration information about VPN connection is encrypted and saved in the SecKey device, so that the system automatically reads during connection. The corresponding SecKey Manager software can manage the SecKey device. 1-1

9 Chapter 1 Overview The following figure shows a typical networking using SecPoint client software: LAC Internet backbone network LNS VPN Client L2TP tunnel Internal Server Figure 1-1 Typical application of VPN client software As shown in the figure, a PC can work as L2TP Access Concentrator (LAC) and provide PPP point-to-point system and L2TP processing capability after installed with the VPN client software. L2TP Network Server (LNS) is the server device used to handle L2TP in the PPP point-to-point system; it can be a SecPath Series Security Gateway or Router. 1.2 System Features to: The SecPoint-based VPN client management system allows you Create one or more VPN connections with different settings. Start VPN connections automatically based on the configuration. 1-2

10 Chapter 1 Overview Create and configure VPN connections automatically by importing configuration files in addition to manual creation of VPN connections. Configure security policies, including IKE, IPSec, and NAT traversal. Apply the data hiding function on an L2TP link. Back up LNS at the client end, so that the client can initiate a new connection to the backup LNS when LAC cannot connect to the default LNS. Use a dynamic key mechanism RSA SecurID, which can better authenticate users identity and protect your VPN against unauthorized users. Establish security associations (SAs) using IKE. Access the public network when connected to a VPN. Save the user name and password in the SecKey device. Encrypt and save the configuration information about VPN connection in the SecKey device. Bind the SecKey USB device with the hardware information of the PC. One SecKey device can only be used on one PC, thus provides a more reliable and secure access. Simple and common operations. 1.3 Application At present, you can install SecPoint on PCs that need to be connected in VPN mode to H3C SecPath Series Security products. 1-3

11 Chapter 2 SecPoint Installation and Removal Chapter 2 SecPoint Installation and Removal 2.1 Configuration Requirement I. Hardware SecPoint can be installed and run on common PCs, with the basic hardware requirements: 667 MHz CPU or above CD-ROM drive 64 MB memory or above 20 MB space or more on the disk Standard USB port (optional) II. Software The operating systems supported by SecPoint include: Windows 98 Windows 2000 Windows XP 2.2 Installing/Uninstalling SecPoint Rules for Installation Before installing SecPoint, make sure that: Your PC has not been installed with other VPN client software, packet capturing tool, and especially, firewall, in 2-1

12 Chapter 2 SecPoint Installation and Removal case unsuccessful installation or system breakdown after installation. If you install antivirus software (such as Rising antivirus software) on your computer, disable <Monitor memory> and <Monitor file> on the antivirus software before you install/uninstall SecPoint. Enable <Monitor memory> and <Monitor file> again after you finish installing/uninstalling SecPoint. Adequate disk space is available. For example, if the destination disk (it defaults to disk C) has a remaining space less than 20 MB, install SecPoint in another disk that has a larger remaining space. After completing the installation, Do not change SecPoint-related information in the register or the configuration files under the directory where you installed SecPoint unless necessary. Otherwise, unpredictable errors might occur. Restart the PC to use the software right after installation. To reinstall the software after uninstalling it, restart the PC. If you want SecPoint operating in the non-administrator (common user) mode on Windows 2000/XP operating system, select non-system directory as SecPoint installation directory. In general, the C:\WINNT, C:\Windows and C:\ Program Files are system directories. The common user is prohibited from accessing SecPoint in the installation directory. 2-2

13 Chapter 2 SecPoint Installation and Removal Installing SecPoint Note: The installations of SecPoint in Win98/2000/XP might be slightly different in interfaces and menu functions. The pictures in this manual are only for reference. Installation procedure of SecPoint is shown in Figure 2-1. SecPoint installation Virtual network adapter installed successfully? N Manual install virtual network adapter Y End Figure 2-1 Installation procedure of SecPoint I. Installing SecPoint in Windows 98/2000/XP 1) Insert the installation CD-ROM into the CD-ROM drive. Double-click the icon. 2) In the popup Select Language dialog box, choose Chinese or English and click <OK>. If you choose Chinese, the 2-3

14 Chapter 2 SecPoint Installation and Removal system starts installing the SecPoint of Chinese language; if you choose English, the system starts installing the SecPoint of English language. The installation of the SecPoint of the two languages are similar, but the prompt language during and after the installation is different. 3) Click <Next> in the popup InstallShield Wizard interface. 4) The License Agreement interface (see Figure 2-2) is displayed. This interface shows the terms that you must observe in order to use SecPoint. Click <Yes> to enter the Customer Information interface if you agree to abide by all the terms. Click <No> if you do not agree. In this case, a dialog box pops up indicating you to quit the setup. Figure 2-2 License Agreement interface 2-4

15 Chapter 2 SecPoint Installation and Removal 5) In the Customer Information interface, type your name, company name, and the correct software serial number (refer to software license certificate), and click <Next>. Figure 2-3 Customer Information interface 6) In the Choose Destination Location interface (see Figure 2-4), install the software to the default location C:\Program Files\SecPoint, or click <Browse> to change the destination folder. Click <Next>. 2-5

16 Chapter 2 SecPoint Installation and Removal Figure 2-4 Choose Destination Location interface 7) In the Select Program Folder interface (see Figure 2-5), use the default program folder SecPoint, select an existing folder, or type a new folder name. Click <Next>. 2-6

17 Chapter 2 SecPoint Installation and Removal Figure 2-5 Select Program Folder interface 8) The Setup Status interface (see Figure 2-6) pops up. If the disk you choose to install the software does not have enough space, the system prompts Inadequate disk space! Click <OK> to re-enter the Choose Destination Location interface (see Figure 2-4). 2-7

18 Chapter 2 SecPoint Installation and Removal Figure 2-6 Setup Status interface 9) When the installation is completed, a dialog box pops up, prompting whether SecPoint operates automatically when Windows is enabled. If you select <OK>, SecPoint operates automatically when Windows starts. The system establishes a VPN connection automatically according to the configuration. Figure 2-7 Auto-run SecPoint dialog box 2-8

19 Chapter 2 SecPoint Installation and Removal 10) The system displays InstallShield Wizard Complete interface when it has installed the software to your PC. Click <Finish>. Figure 2-8 InstallShield Wizard Complete interface 2-9

20 Chapter 2 SecPoint Installation and Removal Caution: During installation, at the prompt that the device does not pass Windows logo test, just click <Continue Anyway> to proceed. This may repeat several times. Clicking <Stop Installation> might complete the SecPoint program installation, but will cause abnormal operation of the SecPoint and your PC. During installation, executing the other operation such as play movies, music, or open a word file causes the improper installation. Therefore, close other applications in SecPoint installation. In case of any improper installation, delete the installed SecPoint software and reinstall it. Note: After SecPoint is installed, the system automatically adds the program name SecPoint to the Start menu. You can click <Cancel> to quit the setup or <Back> to go back to the previous step. II. Verifying the installation of virtual network adaptor 1) Verify the installation of virtual network adaptor in Windows 98 Reboot the computer after the software installation. In Windows 98, select [Start/Settings/Control Panel] and [Network] in the Control 2-10

21 Chapter 2 SecPoint Installation and Removal Panel window. VPN Virtual Network Adaptor is shown if the installation succeeds. Otherwise, you have to install the virtual network adaptor manually. 2) Verify the installation of virtual network adaptor in Windows 2000/XP Reboot the computer after installation. Select [Start/Settings/Control Panel] and [Management Tool/Computer Management] in the Control Panel window, then select [Device Manager/Network Adaptor] in the Computer Management window. VPN Virtual Network Adaptor appears if the installation succeeds. Otherwise, you need to install the virtual network adaptor manually. Figure 2-9 Verify installation of virtual network adaptor in Windows 2000/XP 2-11

22 Chapter 2 SecPoint Installation and Removal III. Installing the virtual network adaptor manually 1) Install the virtual network adaptor manually in Windows 98 Select [Start/Settings/Control Panel] and [Network] in the Control Panel window. The Network dialog box pops up (see Figure 2-10) Click <Add> to display the Select Network Component Type interface (see Figure 2-11) and choose Adaptor. Click <Add> to display the Select Network Adapters interface (see Figure 2-12). Click <Have Disk> to display the Install From Disk interface (see Figure 2-13). Click <Browse>. Select C:\Program Files\SecPoint or you specify a destination directory for SecPoint installation. Select the netvdv.inf file. Click <OK> to display the Select Network Adaptor interface (see Figure 2-14) and click <OK >. Then click <OK > in the popup interface (see Figure 2-10). The Copying Files and Insert Disk boxes pop up together (see Figure 2-15 and Figure 2-16). Insert Windows 98 second edition CD in the CD-ROM and click <OK> in the Insert Disk dialog box (see Figure 2-16). After the files are copied, the System Settings Change interface (see Figure 2-17) pops up. Click <Yes> to restart your computer and validate the new virtual network adapter. 2-12

23 Chapter 2 SecPoint Installation and Removal Figure 2-10 Install virtual network adaptor in Windows 98 (I) 2-13

24 Chapter 2 SecPoint Installation and Removal Figure 2-11 Install network adaptor in Windows 98 (II) Figure 2-12 Install virtual network adaptor in Windows 98 (III) 2-14

25 Chapter 2 SecPoint Installation and Removal Figure 2-13 Install virtual network adaptor in Windows 98 (IV) Figure 2-14 Install virtual network adaptor in Windows 98 (V) 2-15

26 Chapter 2 SecPoint Installation and Removal Figure 2-15 Install virtual network adaptor (VI) Figure 2-16 Install virtual network adaptor in Windows 98 (VII) Figure 2-17 Install virtual network adaptor in Windows 98 (VIII) 2) Install virtual network adaptor manually in Windows 2000/XP 2-16

27 Chapter 2 SecPoint Installation and Removal Select [Start/Settings/Control Panel] and [Add/Remove Hardware] in the Control Panel window. The Add/Remove Hardware Wizard pops up (see Figure 2-18). Click <Next> and the Choose a Hardware Task interface pops up (see Figure 2-19). Select Add/Troubleshoot a device. Click <Next> and select Add a new device in the popup interface (see Figure 2-20). Click <Next> and select No, I want to select the hardware from a list in the popup interface (see Figure 2-21). Click <Next> and choose Network adaptors among hardware types (see Figure 2-22). Click <Next> to display the Select Network Adaptor interface (see Figure 2-23). Then click <Have Disk> to install from disk (see Figure 2-24). Click <Browse>. Select C:\Program Files\SecPoint or the destination directory of SecPoint installation. Select the netvdev,inf file. Click <OK>. Then click <Next> in the popup interface (see Figure 2-25). Then again click <Next> to begin the hardware installation (see Figure 2-26). After the files are copied, the Completing Add/Remove Hardware Wizard dialog box pops up (see Figure 2-27). Click <Finish> to restart your computer and validate the new virtual network adapter. 2-17

28 Chapter 2 SecPoint Installation and Removal Figure 2-18 Install the virtual network adapter in Windows 2000/XP (I) 2-18

29 Chapter 2 SecPoint Installation and Removal (II) Figure 2-19 Install virtual network adaptor in Windows 2000/XP 2-19

30 Chapter 2 SecPoint Installation and Removal (III) Figure 2-20 Install virtual network adaptor in Windows 2000/XP 2-20

31 Chapter 2 SecPoint Installation and Removal (IV) Figure 2-21 Install virtual network adaptor in Windows 2000/XP 2-21

32 Chapter 2 SecPoint Installation and Removal (V) Figure 2-22 Install virtual network adaptor in Windows 2000/XP 2-22

33 Chapter 2 SecPoint Installation and Removal (VI) Figure 2-23 Install virtual network adaptor in Windows 2000/XP (VII) Figure 2-24 Install virtual network adaptor in Windows 2000/XP 2-23

34 Chapter 2 SecPoint Installation and Removal (VIII) Figure 2-25 Install virtual network adaptor in Windows 2000/XP 2-24

35 Chapter 2 SecPoint Installation and Removal (IX) Figure 2-26 Install virtual network adaptor in Windows 2000/XP 2-25

36 Chapter 2 SecPoint Installation and Removal (X) Figure 2-27 Install virtual network adaptor in Windows 2000/XP Uninstalling SecPoint You can uninstall the SecPoint automatically by the system or manually as needed. If the SecPoint runs on a PC with a complex software environment, manual approach is recommended. Manual approach is also applicable when automatic uninstall fails. I. Auto-uninstalling the SecPoint To uninstall SecPoint, programs before uninstall. you must close the running SecPoint 2-26

37 Chapter 2 SecPoint Installation and Removal Double-click on Add/Remove Programs in the Control Panel window. Select SecPoint in the popup interface. The uninstall program automatically removes all the SecPoint-related files. Caution: Make sure to remove the virtual network adapter when you uninstall SecPoint from Windows 98. Select [Start/Settings/Control Panel/Network] in Windows 98 environment. Select the existing VPN Virtual Network Adapter and click <Remove>. II. Uninstalling the SecPoint manually The uninstall process is based on Windows XP and you can refer to these steps for other operating systems. The manual uninstall proc ess includes uninstalling H3C SFilter service, uninstalling VPN virtual network adapter, running the delete registry program, deleting the SecPoint installation directory. 1) Uninstalling H3C SFilter service Choose [Network and Internet Connections] on the control panel and [Network Connections] in the popup interface. Then choose and right-click any a network adapter in the LAN and High-speed Internet option on the Network Connections interface. Select the Properties Menu to enter the Internet Property page as shown in Figure

38 Chapter 2 SecPoint Installation and Removal Figure 2-28 Internet properties Select H3C SFilter in the Internet Properties page, click <Uninstall> button and <Yes> in the confirmation dialog box to uninstall the H3C SFilter service. 2) Uninstalling VPN virtual network adapter Right-click the My Computer icon on the desktop and choose the Manage menu to enter the Computer Management page. Select the Device Management option on the left window of the page and the VPN Virtual Network Adapter under the Network Adapters option on the right window. Right-click the VPN Virtual Network Adapter, choose 2-28

39 Chapter 2 SecPoint Installation and Removal the Uninstall menu (as shown in Figure 2-29) and click <OK> in the confirmation dialog box to uninstall the VPN virtual network adapter. Figure 2-29 Choose the network adapter to be uninstalled 3) Running delete registry program Enter the SecPoint installation directory (the destination directory specified in Figure 2-4) and choose the DelSecPointRegEdit.exe file as shown in Figure Double-click the program to delete the SecPoint information in the registry. 2-29

40 Chapter 2 SecPoint Installation and Removal Figure 2-30 Run delete registry program 4) Deleting the SecPoint installation directory Choose the SecPoint installation directory and delete it. See Figure

41 Chapter 2 SecPoint Installation and Removal Figure 2-31 Delete the SecPoint installation directory 2-31

42 Chapter 3 Use of SecPoint Chapter 3 Use of SecPoint 3.1 Main Window of SecPoint The following figure shows the main window of SecPoint: Figure 3-1 Main window of SecPoint Window Description I. Menu bar You can use the functions provided by SecPoint through the menu bar, including establishing/deleting/disconnecting a VNP 3-1

43 Chapter 3 Use of SecPoint connection, logging into the VPN, displaying the configuration information, modifying the parameters of VPN client, and enabling Online Help. II. Toolbar The toolbar provides shortcuts of the VPN client functions in common use. Currently, the icons on the toolbar offer manual connection creation, configuration files import, VPN connection deletion, attributes display, login, VPN disconnection, and access to Online Help. III. Operating area In this area you can create a VPN connection, log into the VPN, disconnect, view, and edit the connection. Figure 3-2 Main window of SecPoint 3-2

44 Chapter 3 Use of SecPoint 1) New Connection_Manual Connection: Double-click on this icon to create a VPN connection manually. 2) vpn1: An existing VPN connection. In Figure 3-2, the three lighting computers in the vpn1 icon indicate that the current connection is completed. Right-click on this icon and operate in the popup menu. 3) New Connection_File Import: Double-click on this icon to enable automatic VPN connection creation by importing the existing configuration files. 4) SecKey VPN connection: VPN connection for working with the SecKey device. Right-click on this icon and you can operate in the popup menu Menu Description The menu bar on the main window of SecPoint contains File, Operation, and Help menus, which provide various commands. You can use the VPN client functions by executing the commands in these menus (see Figure 3-3). 3-3

45 Chapter 3 Use of SecPoint Figure 3-3 Menus in the main window 3-4

46 Chapter 3 Use of SecPoint Figure 3-4 Menus in the main window II By selecting different commands in the menus, you can use different functions, as shown in the following table: 3-5

47 Chapter 3 Use of SecPoint Table 3-1 Description of commands in the menus Command Function New Manual Creation Import Configuration File Displays a Manual Creation Wizard interface to guide you to create a new VPN connection manually. Displays a Select File dialog box allowing you to select a configuration file. The program creates a VPN connection by reading the configuration file. File Operation Delete Rename Property Modify SecKey PIN Import SecKey Config Exit Login Disconnect Status Deletes the selected VPN connection. Renames the selected VPN connection. Displays the properties of the selected VPN connection. Modify the user PIN of the SecKey device. Import SecKey configuration into SecPoint. Quits SecPoint program. Logs into the selected VPN in the popup VPN Connection Login interface. Disconnects the established VPN connection. Displays the state of an existing VPN connection 3-6

48 Command Chapter 3 Use of SecPoint Function Help Subject About SecPoint Displays the Online Help of SecPoint. Displays the version and copyright information of SecPoint. 3.2 General Application Procedures Create a VPN connection Configure VPN connection attributes 配置 Login Execute the application Display VPN connection state Disconnect a VPN connection Delete a VPN connection Figure 3-5 General application procedures 3-7

49 Chapter 3 Use of SecPoint Note: Before creating a VPN connection, make sure that your PC is connected to the Internet. For more information on each step, refer to the following sections. 3.3 Creating a VPN Connection If you have just installed the VPN client software, you must input the required VPN gateway information according to the system administrator s requirements. Otherwise, you cannot create a VPN connection. You must first connect your PC to the Internet and in the SecPoint operation area create a site or a VPN connection. You can create a new VPN connection manually or by importing configuration files Creating a VPN Connection Manually 1) Select [File/New/Manual Creation]. The Manual Creation Wizard interface pops up (see Figure 3-6). 3-8

50 Chapter 3 Use of SecPoint Figure 3-6 Manual Creation Wizard: Step 1 LNS Server IP Address: It must be a complete and valid IP address in dotted decimal notation. Backup LNS Server IP Address: It is not supported currently. <Back>: To go back to the previous step. <Cancel>: To quit the connection creation and goes back to the main window of SecPoint. 2) Click <Next>. The following interface (see Figure 3-7) pops up. 3-9

51 Chapter 3 Use of SecPoint Figure 3-7 Manual Creation Wizard: Step 2 Enable IPSEC: You can enable or disable IPSec. If you check this box, Identity Authentication Key, Use LNS Server's IP, and Use Other IPSEC Server become available. If you uncheck the box, those items become unavailable. Authentication Method: Authentication confirms identities of the two parties in communication. Currently, pre-shared-key and rsa-singature are the authentication methods available for IKE proposals. If the latter one is chosen, you need to use SecKey certificate management tool to prepare usable digital certificate in the SecKey device first. Refer to Chapter 4 Certificate Management Tool for details about the SecKey certificate management tool. 3-10

52 Chapter 3 Use of SecPoint Identity Authentication Key: When IPSEC is enabled and the pre-shared-key authentication method is chosen, you must type an authentication key no more than 128 characters in the box, excluding blank spaces, question marks (?), exclamation points (!) and Chinese characters. IPSEC Server IP: Select Use LNS Server s IP if you choose LNS server as the IPSec server; select Use Other IPSEC Server and type the IP address of the IPSec server in the box below if you choose another server as the IPSec server. <Back>: To go back to the previous step. <Cancel>: To quit the connection creation and goes back to the main window of SecPoint. 3) Click <Next>. The following interface (see Figure 3-8) pops up. 3-11

53 Chapter 3 Use of SecPoint Figure 3-8 Manual Creation Wizard: Step 3 You must type VPN connection name in the box. The name can comprise up to 32 characters excluding blank spaces,?, and! and cannot be empty or the same as any of the existing VPN connection names. 4) Click <Finish> to complete the VPN connection creation. Click <Back> to go back to the previous step. Click <Cancel> to quit the connection creation and go back to the main window of SecPoint Creating a VPN Connection Automatically Double-click on the New Connection_File Import icon the popup window, select a configuration file and click <Open>.. In 3-12

54 Chapter 3 Use of SecPoint Figure 3-9 Import file to create a VPN connection The program reads VPN connection configuration information from the selected valid configuration file and creates a VPN connection. 3-13

55 Chapter 3 Use of SecPoint Note: You need to request the administrator for the configuration file if you want to create a VPN connection by importing files. You are not allowed to modify the configuration files used by SecPoint for VPN connection directly. Otherwise, the SecPoint program reports the invalid configuration file and the file cannot be used or imported. The configuration backup files (such as VPNConfig_Backup.ini) that SecPoint uses for VPN connection saves the configuration before your last operation of the files for restoring configuration and going back to the previous configuration. Thus, when you use the backup configuration files to create a VPN connection in case of the ruined configuration files, you last operation of the files may not be saved and effective. 3.4 Configuring VPN Connection Attributes In the main window of SecPoint (see Figure 3-1), right-click on a VPN connection. In the popup menu choose Attribute to enter the VPN Connection Attribute interface. The attributes are shown as follows: 3-14

56 Chapter 3 Use of SecPoint 1) Basic Setting Figure 3-10 Basic Setting Attribute description: The Basic Setting section displays the basic attributes of the selected VPN connection. You can change some of the basic parameters used in the VPN connection by configuring these attributes. LNS Server IP: It must be a complete and valid IP address in dotted decimal notation. 3-15

57 Chapter 3 Use of SecPoint Backup LNS Server IP: It is optional. To set a backup IP address, you must input a complete and valid IP address in dotted decimal notation. Adapter Select: To select a network adapter for VPN connection from the drop-down list box. Enable IPSEC: Checked or unchecked to enable or disable IPSec. Authentication Method: Authentication confirms identities of the two parties in communication. Currently, pre-shared-key and rsa-singature are the authentication methods available for IKE proposals. If the latter one is chosen, you need to use SecKey certificate management tool to prepare usable digital certificate in the SecKey device first. Refer to Chapter 4 Certificate Management Tool for details about the SecKey certificate management tool. Identity Authentication Key: When IPSEC is enabled and pre-shared-key authentication method is chosen, you must type in the box an authentication key comprising 1 to 128 characters, excluding blank spaces,?,! and Chinese characters. The authentication key is pre-allocated by the system administrator. With the authentication using pre-shared keys, authentication keys are input to produce shared-keys. It is impossible for two parties to have the same shared-key if their authentication keys are not the same. Authentication key is fundamental to the authentication between two parties. IPSEC Server IP: When IPSec is enabled, you can select Use LNS Server IP or Use Other IPSEC Server. If you 3-16

58 Chapter 3 Use of SecPoint select the first, the program uses the LNS server IP as the IPSec server IP. Forbid Internet After Login: Check this box to forbid the local device to access the Internet when accessing VPN. The system defaults to check this box. Enable ADSL: If you use SecPoint to set up a VPN connection through ADSL in Window 98 environment, you must check this box to enable the ADSL software provided by SecPoint. If you use Windows 2000/XP, you can directly use the ADSL software provided by Windows or your ISP. The system defaults to check this box. <Advanced>: To display the Advanced Configuration interface about L2TP, IPSec, IKE, and VPN router. Caution: If you use SecPoint to set up a VPN connection through ADSL in Window 98 environment, you must use the ADSL software provided by SecPoint. That means you only need to check the Enable ADSL box in the interface shown in Figure 3-10, and type the username and password in the dialog box that pops up before you log onto VPN. 3-17

59 Chapter 3 Use of SecPoint 2) L2TP Setting Figure 3-11 L2TP Setting Attribute description: The L2TP Setting section displays L2TP-related parameters used in VPN connection. You can modify the parameters required to build an L2TP tunnel by configuring these attributes: Tunnel Name: Name of the new VPN tunnel, in the range of 0 to 30 characters, excluding blank spaces,?,! and Chinese characters. The tunnel name should be consistent with the peer name of the receive-tunnel configured at the LNS end. The default is the host name. 3-18

60 Chapter 3 Use of SecPoint Select Authentication Mode: PAP plain text authentication and CHAP ciphertext authentication are available. The default is PAP authentication. HELLO Interval: The client and the LNS send Hello messages to each other regularly, in order to check the connectivity of the tunnel between them. The receiver responds in receipt of a Hello message. The Hello interval is in the range of 60 (default) to 1000 seconds. Use Tunnel Authentication Password: You can decide whether to enable tunnel authentication before creating a tunnel connection. The tunnel authentication password, which is pre-allocated by the system administrator, comprises 1 to 16 character(s). Both VPN client and LNS can request for tunnel authentication. The tunnel can be set up between them only when both of them have enabled tunnel authentication and have the same password (cannot be null). Otherwise, the tunnel disconnects automatically. If tunnel authentication is disabled at both sides, the consistency in password is insignificant. By default, the system disables tunnel authentication. Use AVP Hidden: L2TP uses Attribute Value Pair (AVP) to transfer and negotiate some parameter attributes. By default, AVPs are transferred in plain text. To ensure security, you can choose to transmit hidden AVPs. AVP hidden makes sense only when tunnel authentication is enabled at both ends. Enable IP Header Compression: You can enable or disable IP header compression. By default, the system disables IP header compression. 3-19

61 Chapter 3 Use of SecPoint 3) IPSec Setting Figure 3-12 IPSec Setting Attribute description: The IPSEC Setting section displays parameters used in IPSec. You can modify the parameters required to build an IPSec tunnel by configuring these attributes. Encapsulation Mode: Transport or tunnel. In terms of security, tunnel mode is superior to transport mode, because it can completely authenticate and encrypt raw IP data, as well as hide the client IP address using IP address 3-20

62 Chapter 3 Use of SecPoint of the IPSec peer. In terms of performance, however, tunnel mode consumes more bandwidth, since it has an extra IP header. Selecting mode is hence a security versus performance trade-off. By default, the system uses the tunnel mode, so as to hide the IP addresses of source and destination in communication. Note: Tunnel mode is a must if you do not use the LNS IP address as IPSec server address. IPSEC SA Global Duration: When IKE negotiates to set up SAs for IPSec, the SA duration proposed by either the local or the peer applies, whichever is smaller. You can type an integer in the range 30 to in the box to specify the SA duration, and the default is 3600 seconds. Security Protocol in Use: You can select a security protocol to be used in the security proposal. It can be AH, ESP, or both. Both ends of the security tunnel must adopt the same security protocol. By default, the system uses ESP. ESP Encryption Algorithm Protocol: ESP encrypts data in IP packets and protects them against eavesdropping en route. The encryption algorithm utilizes the symmetric-key system, where the same key is used to encrypt and decrypt data. Usually, IPSec uses two encryption algorithms: DES and 3DES. The default is DES. 3-21

63 Chapter 3 Use of SecPoint ESP and AH Authentication Algorithm Protocol: Both AH and ESP can check the integrity of IP packets, judging whether they are tampered with en route. Generally, IPSec uses two authentication algorithms: MD5 and SHA. By default, both ESP and AH use MD5. PFS Group Required in Negotiation: With Perfect Forward Secrecy (PFS), the compromise of a key does not threaten the secrecy of other keys, because they are not derivative. If the local end enables PFS, the peer must conduct PFS exchange when initiating a negotiation. The same Diffie-Hellman (DH) group must be specified at both ends to ensure a successful negotiation. Compared with the 768-bit DH group, the 1024-bit DH group offers superior security but requires more time to calculate. By default, the system disables PFS. Enable NAT Traversal: If there is a NAT device in the VPN tunnel built by IPSec/IKE, you must enable NAT traversal for IPSec/IKE. By default, the system disables NAT traversal. In, Figure 3-13 and Figure 3-14 Security Protocol in Use is respectively set to AH and ESP-AH. 3-22

64 Chapter 3 Use of SecPoint Figure 3-13 IPSec Setting 3-23

65 Chapter 3 Use of SecPoint Figure 3-14 IPSec Setting 3-24

66 Chapter 3 Use of SecPoint 4) IKE Setting Figure 3-15 IKE Setting Attribute description: The IKE Setting section shows the parameters used when IKE applies, which are user configurable. Negotiation Mode: Main or aggressive. If you select the main mode, you can only set ID type to IP address. If IP address of the client device is dynamic, you need to select aggressive mode. IKE aggressive mode is more flexible 3-25

67 Chapter 3 Use of SecPoint than the main mode, able to look for the corresponding identity authentication key by initiator s IP address or ID and finally complete the negotiation. The default is main mode. ID Type: IP address or name. If you set negotiation mode to main, you can only select IP address. If you select aggressive, you can select IP address or name. The default is IP address. Encryption Algorithm: DES-CBC or 3DES-CBC. DES uses a 56-bit key to encrypt data while 3DES uses a 168-bit key. A longer key means a more complicated algorithm, and the encrypted data is better protected, but more resources are consumed. By default, the system uses DES. AH Algorithm: SHA or MD5. The default is SHA. Diffie-Hellman Group: Group 1 (768 bits) or Group 2 (1024 bits). The default is Group 1. ISAKMP-SA Global Duration: IKE negotiates a key and establishes SAs for IPSec in two phases. Phase I is where a secured channel (ISAKMP SA) is established after passing identity authentication. Phase II is where IPSec SAs are established under the protection of the Phase I ISAKMP SA for the purpose of secure IP data transmission. The default ISAKMP-SA duration (lifetime) is seconds (24 hours). Local Name: Name of the local security gateway, in the range of 1 to 32 characters, excluding blank spaces,?,! and Chinese characters. If you select IP address as the ID type, this text box grays out. Remote Name: Name of the remote security gateway, in the range of 1 to 32 characters, excluding blank spaces,?,! and Chinese characters. It should be the same name of the 3-26

68 Chapter 3 Use of SecPoint remote security gateway. If you select IP address as the ID type, this text box grays out. IKE SA Keepalive-timer: IKE sends Keepalive messages to the peer through ISAKMP SA to maintain the status of the ISAKMP SA link. If no Keepalive message is received within the configured timeout time, the peer deletes the ISAKMP SA as well as the negotiated IPSec SAs if the ISAKMP SA carries a TIMEOUT flag. If the ISAKMP SA does not carry the TIMEOUT flag, the peer tags it. You can enable IKE SA Keepalive-timer. By default, the system disables this timer. Interval Seconds: Interval in the range of 20 to seconds. If you do not check the IKE SA Keepalive-timer box, this text box grays out. Timeout Seconds: Timeout time in the range of 20 to seconds. If you do not check the IKE SA Keepalive-timer box, this text box grays out. 3-27

69 Chapter 3 Use of SecPoint 5) Route Setting Figure 3-16 Route Setting Add a route: Click <Add>. A dialog box pops up for you to add the IP address and subnet mask of a route. Click <OK> after you type the complete and valid IP address and subnet mask. The system adds this route. Edit a route: Select an existing route (it is highlighted) and click <Edit>. A dialog box pops up for you to edit the IP address and subnet mask of the route. Click <OK> after you edit the route (IP address and subnet mask must be complete and valid). 3-28

70 Chapter 3 Use of SecPoint Delete a route: Click <Delete> after you select an existing route (it is highlighted). The system displays a dialog box asking you to confirm the delete and deletes it with your confirmation. 3.5 Login After creating a VPN connection, you can initiate the VPN connection to the peer using Login Selecting Common VPN Connection Login 1) Right-click on a common VPN connection in the main window; in the popup menu choose Login. The following interface appears. 3-29

71 Chapter 3 Use of SecPoint Figure 3-17 VPN Connection Login interface Note: If you use the ADSL software provided by SecPoint to access the VPN in Windows 98 environment, an ADSL connection dialog box pops up before the VPN Connection Login interface appears. Type the correct username and password for ADSL connection to enter the VPN connection login process. 3-30

72 Chapter 3 Use of SecPoint 2) Type the correct username, password, and authentication code in the text boxes. To enhance user identity authentication and protect the VPN against unauthorized users, SecPoint introduced a dynamic key mechanism RSA SecurID. The password of a dynamic key changes every minute and is consistent with the password used by the gateway-side device in the VPN tunnel. Type the RSA SecurID dynamic password in the Authentication Code text box. The username is a string consisting of 1 to 32 character(s). The password is a string consisting of 1 to 16 character(s). Blank spaces,?,! and Chinese characters are not allowed in both of them. Username and password are pre-allocated by the system administrator, and they cannot be null. When a password contains 1 to 10 character(s), you can input an authentication code containing 6 characters; when a password contains more than 10 characters, you are not allowed to input the authentication code. Note: When using RSA SecurID dynamic password to log in, you cannot type the same password to log in twice within one minute. 3) SecPoint supports automatically enabling. Select the Auto Run Config System Starup check box. As shown in Figure 3-18, when enabling again, the system automatically initiates the connection. 3-31

73 Chapter 3 Use of SecPoint 4) Click <Login> to initiate a VPN connection. Figure 3-19 appears to show the interface of connection status. (To quit the login to the VPN, click <Cancel>.) Figure 3-18 Auto-run VPN connections Figure 3-19 Connection status 3-32

74 Chapter 3 Use of SecPoint Click <Cancel> to quit the VPN connecting process (see Figure 3-19) Selecting SecKey Connection Login 1) Right-click on SecKey VPN Connection in the main window; in the popup menu choose Login. The following interface appears. Figure 3-20 Input SecKey user PIN 2) Input the SecKey user PIN correctly, enter the following login interface, and then click Login for a VPN connection. 3-33

75 Chapter 3 Use of SecPoint Figure 3-21 Login interface Caution: Use caution to disable the virtual network adapter after the SecPoint sets up a connection. Disable the virtual network adapter after you tear down the connection and exit from the SecPoint program. 3-34

76 Chapter 3 Use of SecPoint 3.6 Displaying VPN Connection State Right-click on a VPN icon in the main window (see Figure 3-2); in the popup shortcut menu choose State. The following interface appears to show the state of the existing VPN connection. Figure 3-22 State (VPN connection) 3.7 Disconnecting a VPN connection Right-click on a VPN icon in the main window (see Figure 3-2); in the popup shortcut menu choose Disconnect. The system disconnects the existing VPN connection. 3-35

77 Chapter 3 Use of SecPoint Caution: If the operation system finds the SecPoint connection is disconnected or the connection is abnormal, you must reboot SecPoint for connection creation. 3.8 Deleting a VPN Connection Right-click on a VPN icon in the main window (see Figure 3-2); in the popup shortcut menu choose Delete. A prompt box pops up asking for your confirmation. With your confirmation, the system removes the selected VPN connection and the corresponding configuration information from the configuration file. Note that this operation cannot be undone. 3-36

78 Chapter 4 Certificate Management Tool Chapter 4 Certificate Management Tool The certificate management tool is installed in the directory where SecPoint (or SecKey Manager) is installed. With this tool, you can apply for and implement management on certificates. For details, refer to the PKI-related section in H3C SecPath Series Security Products Operation Manual and H3C SecPath Series Security Products Command Manual. 4.1 Main Window of the Certificate Management Tool See Figure 4-1for the main window of the SecKey certificate management tool. Figure 4-1 Main window of the certificate management tool 4-1

79 Chapter 4 Certificate Management Tool Window Description I. Tool bar The six buttons in the tool bar provide PIN login, logout, certificate import, certificate application, deletion and refreshing functions respectively. II. Certificate list bar The left part of the main window is the certificate list bar, which lists certificates already exist in the SecKey device. III. Certificate information bar The certificate information bar locates at the right part of the main window. You can choose a certificate from the certificate list bar, and then corresponding information is displayed in detail in the certificate information bar Main Functions of the Window I. PIN login Click <login> and input correct PIN code to log in the SecKey device. After login, you are authorized to import, apply for and delete certificates. II. Logout Click <Cancel> to log out of the SecKey device. 4-2

80 Chapter 4 Certificate Management Tool III. Certificate import Click <Import> and select to import CA or Local certificate in the dialog box, as shown in Figure 4-2. Figure 4-2 Select a certificate type The CA certificate must be DER encoded and comply with X.509 standard. Select a CA certificate to be imported, and then the SecKey certificate management tool automatically stores the certificate into the SecKey device. The Local certificate can be P12 or PFX encapsulated and X.509 standard-compliant certificate containing private key. Select a Local certificate to be imported, and input the correct password into the dialog box, and then the SecKey certificate management tool automatically stores the certificate into the SecKey device. IV. Certificate enrollment Click <Enroll> and input correct IP address of the CA server in the dialog box, as shown in Figure 4-3. Then, click <Advance> and input detailed ID information of the applicant into the dialog box, as shown in Figure 4-4. If the detail is not input, the system automatically 4-3

81 Chapter 4 Certificate Management Tool generates a temporary ID information. The CA server will add the ID information into the certificate for the applicant. Currently, the SecKey certificate management tool only supports online certificate application from Windows CA. To apply for certificates provided by other CA/RA, you need to import the certificate manually. Figure 4-3 Certificate enrollment 4-4

82 Chapter 4 Certificate Management Tool Figure 4-4 Advanced enrollment V. Certificate deletion Click <Delete> to delete the CA or Local certificate in the SecKey device. Before deletion, you are recommended to use the certificate management tool to refresh the certificate storage area of the SecKey device in case that the certificate has already been modified or deleted. VI. Certificate refreshing Click <Refresh> to refresh the certificate storage area of the SecKey device. 4-5

83 Chapter 5 FAQ Chapter 5 FAQ I. The system did not respond when I tried to start a VPN connection that had been created. Answer: make sure that IP address of the physical network adapter is correct. Ping the LNS IP address in MS-DOS environment. If it does not respond, the problem might result from hardware failure. Contact your network administrator in this case. II. I used an existing VPN connection to log in. The system did not respond in several minutes and returned unknown error. Answer: use the netstat/e command in MS-DOS environment. If the physical network adapter does not send a message, the problem might be caused as the result of the presence of other VPN client software, winpcap-supported packet capturing tool, or firewall. Remove them, restart the PC, and log in again. III. I used an existing VPN connection to log in. The system prompted Unable to connect to LNS. Connection failed." Answer: Check that the client-end L2TP tunnel name is consistent with the tunnel name set on the LNS. IV. The monitor was bluescreen or the system was unable to detect the network adapter when I installed SecPoint. Answer: Kill virus on your PC before installing SecPoint. 5-1