Astaro Security Linux v5 & NCP Secure Entry Client A quick configuration guide to setting up NCP's Secure Entry Client and Astaro Security Linux v5

Similar documents
Secure Entry CE Client & Watchguard Firebox 700 A quick configuration guide to setting up the NCP Secure Entry CE Client in a simple VPN scenario

Securepoint Security Systems Version 2007nx Release 3 & NCP Secure Entry Client

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

This version of the des Secure Enterprise MAC Client can be used on Mac OS X 10.7 Lion platform.

NCP Secure Entry macos Client Release Notes

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

Data Sheet. NCP Secure Enterprise macos Client. Next Generation Network Access Technology

Data Sheet. NCP Exclusive Remote Access Mac Client. Next Generation Network Access Technology

NCP Secure Enterprise macos Client Release Notes

Data Sheet. NCP Secure Entry Mac Client. Next Generation Network Access Technology

Use Shrew Soft VPN Client to Connect with IPSec VPN Server on RV130 and RV130W

NCP Secure Enterprise macos Client Release Notes

Configuration of Shrew VPN Client on RV042, RV042G and RV082 VPN Routers through Windows

Release Notes. NCP Android Secure Managed Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

Data Sheet NCP Exclusive Remote Access Client Windows

Data Sheet. NCP Secure Enterprise Linux Client. Next Generation Network Access Technology

NCP Secure Client Juniper Edition (Win32/64) Release Notes

QuickStart. NCP Secure Enterprise Server. Configuration Guide

Automated Mobile Security (ESUKOM)

In the event of re-installation, the client software will be installed as a test version (max 10 days) until the required license key is entered.

Case 1: VPN direction from Vigor2130 to Vigor2820

NCP Secure Client Juniper Edition Release Notes

Data Sheet. NCP Exclusive Entry Client. Next Generation Network Access Technology

Service Managed Gateway TM. How to Configure and Debug Generic Routing Encapsulation (GRE)

Service Managed Gateway TM. Configuring IPSec VPN

Teldat Secure IPSec Client - for professional application Teldat IPSec Client

NCP Secure Managed Android Client Release Notes

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003

Example - Configuring a Site-to-Site IPsec VPN Tunnel

IKEv2 Roadwarrior VPN. thuwall 2.0 with Firmware & 2.3.4

VPN Tracker for Mac OS X

Data Sheet. NCP Secure Entry Client Windows. Next Generation Network Access Technology. Universal VPN Client Suite for Windows 32/64 bit

Configuration Guide. How to connect to an IPSec VPN using an iphone in ios. Overview

NCP Secure Entry Client Release Notes

VPN Tracker for Mac OS X

Grandstream Networks, Inc. GWN7000 OpenVPN Site-to-Site VPN Guide

DFL-210, DFL-800, DFL-1600 How to setup IPSec VPN connection with DI-80xHV

Configuration of an IPSec VPN Server on RV130 and RV130W

R&S GP-U gateprotect Firewall How-to

How to Configure an IPsec Site-to-Site VPN to a Windows Azure VPN Gateway

VPN Auto Provisioning

VPN Tracker for Mac OS X

VPNC Scenario for IPsec Interoperability

REMOTE ACCESS IPSEC. Course /14/2014 Global Technology Associates, Inc.

Table of Contents 1 IKE 1-1

Connecting the DI-804V Broadband Router to your network

V7610 TELSTRA BUSINESS GATEWAY

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT

Data Sheet. NCP Secure Enterprise Client Windows. Next Generation Network Access Technology

BiGuard C01 BiGuard VPN Client Quick Installation Guide (BiGuard series VPN enabled devices) Secure access to Company Network

Configuration Guide SuperStack 3 Firewall L2TP/IPSec VPN Client

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Integration Guide. Oracle Bare Metal BOVPN

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Quick Note. Configure an IPSec VPN tunnel between a Digi TransPort LR router and a Digi Connect gateway. Digi Technical Support 20 September 2016

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

NCP Secure Entry Client Release Notes

How to set up a VPN connection between EAGLE20 and the LANCOM Advanced VPN Client (NCP client)?

HOW TO CONFIGURE AN IPSEC VPN

VPN Tracker for Mac OS X

Configuring a site-to-site VPN with a VPN-1 Gateway using the VPN-1 Edge VPN Wizard

The EN-4000 in Virtual Private Networks

Cradlepoint to Palo Alto VPN Example. Summary. Standard IPSec VPN Topology. Global Leader in 4G LTE Network Solutions

VPN Setup for CNet s CWR g Wireless Router

How to Configure Mobile VPN for Forcepoint NGFW TECHNICAL DOCUMENT

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

Sample excerpt. Virtual Private Networks. Contents

Using a VPN with Niagara Systems. v0.3 6, July 2013

Remote Access via Cisco VPN Client

Configuring the VPN Client

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

How to Configure an IKEv1 IPsec Site-to-Site VPN to the Static Microsoft Azure VPN Gateway

Chapter 5 Virtual Private Networking

NCP Secure Entry Client (Win32/64) Release Notes

VII. Corente Services SSL Client

How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Configuring a Hub & Spoke VPN in AOS

OpenVPN protocol. Restrictions in Conel routers. Modified on: Thu, 14 Aug, 2014 at 2:29 AM

Virtual Private Networks

VPN Configuration Guide. NETGEAR FVG318 / FVS318G / FVS336G / FVS338 / DGFV338 FVX538 / SRXN3205 / SRX5308 / ProSecure UTM Series

User Manual. SSV Remote Access Gateway. Web ConfigTool

CHAPTER 7 ADVANCED ADMINISTRATION PC

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0

Proxicast IPSec VPN Client Example

Data Sheet NCP Secure Enterprise Management

VI. Corente Services Client

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

Site-to-Site VPN with SonicWall Firewalls 6300-CX

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

Sophos UTM. Remote Access via IPsec Configuring UTM and Client. Product version: Document date: Tuesday, December 13, 2016

Release Notes. NCP Secure Enterprise Client (Win32/64) 1. New Features and Enhancements. 2. Changes Made and Problems Resolved

VPN Tracker for Mac OS X

Application Note 11. Main mode IPSec between a Windows 2000 / XP (responder) and a Digi Transport Router (initiator)

Viola M2M Gateway. OpenVPN Application Note. Document version 1.0 Modified September 24, 2008 Firmware version 2.4

Configuring VPN from Proventia M Series Appliance to Symantec 5310 Systems

Using Microsoft Certificates with HP-UX IPSec A.03.00

VPN Tracker for Mac OS X

VPN Tracker for Mac OS X

Transcription:

Astaro Security Linux v5 & NCP Secure Entry Client A quick configuration guide to setting up NCP's Secure Entry Client and Astaro Security Linux v5 Document version 2.00 Using NCP Secure Entry Client v8.12 (build 34) & Astaro Security Linux version 5 Prepared by: NCP Engineering GmbH Dombuehler Strasse 2, 90449 Nürnberg, Germany Phone: +49-911-99.68.0 Fax: +49-911-99.68.299

Disclaimer Considerable care has been taken in the preparation of this quick guide, errors in content, typographical or otherwise may occur. If you have any comments or recommendations concerning the accuracy, then please contact NCP as desired. NCP makes no representations or warranties with respect to the contents or use of this quick guide, and explicitly disclaims all expressed or implied warranties of merchantability or use for any particular purpose. Furthermore, NCP reserves the right to revise this publication and to make amendments to the content, at any time, without obligation to notify any person or entity of such revisions and changes. Copyright This quick guide is the sole property of NCP and may not be copied for resale, commercial distribution or translated to another language without the express written permission of NCP engineering GmbH, Dombühler Str.2, D-90449 Nürnberg, Germany. Trademarks All trademarks or registered trademarks appearing in this manual belong to their respective owners. 2004 NCP Engineering GmbH. All rights reserved. v2.00 Page 2 of 37 10.Feb.05

NCP Quick Configuration Guide: Secure Entry Client & ASLv5 Objective of this document is to show how to setup a VPN connection between a Secure Entry (IPsec) Client and the Astaro Security Linux "ASLv5" as VPN Gateway. For more in depth information please refer to the respective manuals; as this document will only touch on features. Goal is to merely assist in setting up a connection for demonstration purposes. The configuration (derived from the VPN Consortium's scenarios) example setup is as follows: A Secure Entry client is installed on a host with a unknown / dynamic IP address, as is often found with remote users requiring access. The ASL firewall is configured with two network interfaces, "External" and "Internal". The external interface has been assigned an IP address of 22.23.24.25, and the internal interface uses 172.23.9.1. The client will establish a connection and gain access to (at least) the internal LAN (172.23.9.1/24) of the ASL firewall. 172.23.9.0/24 -- +-----------+ /-^-^-^-^--\ +-----------+ Client ===== Internet ===== ASLv5 ----- +-----------+ \--v-v-v-v-/ +-----------+ Dynamically assigned 22.23.24.25 172.23.9.1 -- This document outlines two common setups: the first section connecting with the use of pre-shared keys, and the second section outlines the setup using x509v3 certificates (PKIX). Section 1: Configuring a VPN connection using pre-shared keys 1.1: Configuring the Astaro Security Linux v5 with pre-shared keys 1.1.1: IPSec VPN -> Remote Keys 1.1.2: IPSec VPN -> Policies 1.1.3: IPSec VPN -> Connections 1.2: Configuring the NCP Secure Entry Client with pre-shared keys. 1.2.1: Configuration Assistant: Creating a new profile 1.2.2: Configuration: Checking/Modifying the profile 1.3: Establishing the connection with pre-shared keys Section 2: Configuring a VPN connection using certificates (PKI) 2.1: Configuring the Astaro Security Linux v5 with certificates (PKI) 2.1.1: IPSec VPN -> CA Management 2.1.2: IPSec VPN -> Remote Keys 2.1.3: IPSec VPN -> Local Keys 2.1.4: IPSec VPN -> Policies 2.1.5: IPSec VPN -> Connections 2.2: Configuring the NCP Secure Entry Client with certificates (PKI) 2.2.1: Configuration Assistant: Creating a new profile 2.2.2: Configuration: Checking/Modifying the profile 2.2.3: Configuration: Using certificates 2.3: Establishing the connection with certificates v2.00 Page 3 of 37 10.Feb.05

1. Configuring a VPN connection using pre-shared keys. 1.1 Configuring the Astaro Security Linux v5 with pre-shared keys. The following section will describe the steps needed to define a VPN link on the ASLv5. Please refer to the documentation for an excellent description and for more details. 1.1.1 IPSec VPN -> Remote Keys First a pre-shared key must be defined. This Remote IPSec Key can be given a name; as shown below, in this example it's named VPN-PSK-User01. Additionally, an IP Address that the connection host will be assigned can be defined. Select PSK (Pre-Shared Key) as Key Type, and enter in a secret that is going to be shared between the connecting host and this machine. Figure 1.1.1: IPSec VPN -> Remote Keys: New Remote IPSec Key Click Add to activate and make this remote key available. Figure 1.1.2: IPSec VPN -> Remote Keys: Remote Keys Confirm the Remote Key is available to use when defining a connection. v2.00 Page 4 of 37 10.Feb.05

1.1.2 IPSec VPN -> Policies Next step is to define the policies that will be applied to the incoming IPsec connections. This too is given a name: NCP-demo Policy. The configuration below is but an example, one is free to choose other combinations as is best suited for the scenario where this is to be applied. Figure 1.1.3: IPSec VPN -> Policies: New IPSec Policy NOTE: IPCOMP (Compression) may also be enabled, as the NCP client supports both ZLIB [DEFLATE], and LZS [STAC]. Remember to click on Add to add this to the list of available proposals. v2.00 Page 5 of 37 10.Feb.05

1.1.3 IPSec VPN -> Connections Figure 1.1.4: IPSec VPN -> Connections: New IPSec Connection The screenshot above shows how to configure an incoming IPsec connection. Note that the policy defined in the previous section is selected and applicable to this incoming connection. Furthermore, the VPN-PSK-User01 remote key is the valid key for the incoming requests. For more in depth details please refer to the Astaro help pages. Figure 1.1.5: IPSec VPN -> Connections: IPSec Connections Finally, remember to enable this connection! v2.00 Page 6 of 37 10.Feb.05

1.2. Configuring the NCP Secure Entry Client with pre-shared keys. 1.2.1 Configuration Assistant: Creating a new profile The first time you start up the NCP Entry Client you will be prompted to create a profile. You can either use the assistant or modify an existing profile as shown in section 1.2.2. Figure 1.2.1: Configuration Assistant: Connection Type Select Link to Corporate Network using IPSec to create a profile with the parameters needed to establish a connection to the Astaro Security Linux box. Click Next >. Figure 1.2.2: Configuration Assistant: Connection Name Several profiles can be created and each given different name. In this example, this profile is created and given the name VPN using PSK. v2.00 Page 7 of 37 10.Feb.05

Click Next >. Figure 1.2.3: Configuration Assistant: Link type (Dial up configuration) The NCP Secure Entry Client supports different media types; the integrated dialer for example, can be used to establish a connection to the ISP with a modem (if available to the system) prior to building the VPN Tunnel. In this example, select LAN (over IP) and then click Next >. Figure 1.2.4: Configuration Assistant: VPN gateway parameters Enter in the ASLv5's public IP address or DNS name. The client can first resolve names to IP addresses if these are used. Click Next >. v2.00 Page 8 of 37 10.Feb.05

Figure 1.2.5: Configuration Assistant: IPSec Configuration This example will use Main Mode and Perfect Forward Secrecy seamless re-keying, employing DH-Group2 (1024 Bit). Enable the Use IP compression, and the compression will automatically be negotiated. Click Next >. Figure 1.2.6: Configuration Assistant: Pre-shared keys In this example, a pre-shared key or shared secret is used, identical passwords on the IPSec communicating peers. The Next > button will not be available until the Shared Secrets have been entered in, confirmed and match. v2.00 Page 9 of 37 10.Feb.05

Figure 1.2.7: Configuration Assistant: IPSec Configuration IP addresses The ASLv5 is configured to assign a Virtual IP Address to the incoming connection (see figure 1.1.1). (The NCP Secure Entry client supports three options, manual IP address assignment, IKE-Config Mode, or using the IP address assigned to the physical network interface). Optionally enter in the addresses where the (internal/external) DNS and WINS servers can be found. Click Next > to continue. Figure 1.2.8: Configuration Assistant: Firewall settings The NCP Secure Entry Client also comes with a (stateful inspection) personal firewall that can be enabled to provide protection against attacks from the local LAN (for example an environment at a public wlan hotspot). For additional configurable parameters see also Configuration -> Extended Firewall Settings. Click Finish to save the setting to this profile. v2.00 Page 10 of 37 10.Feb.05

1.2.2 Configuration: Checking/Modifying the profile Open the Profile Settings to review/modify the connection parameters. Figure 1.2.9: Configuration -> Profile Settings Either double click on the profile that is going to be modified, or select the profile and then click on Configure. Figure 1.2.10: Profile Settings v2.00 Page 11 of 37 10.Feb.05

Figure 1.2.11: Profile Settings: Basic Settings Review the parameters and ensure they are correct. Select Line Management to continue Figure 1.2.12: Profile Settings: Line Management The Connection Mode can be set to connect automatically, meaning that any time a packet is destined for ASLv5's internal LAN, the VPN Tunnel can automatically be established. In this example however, one manually establishes the connection. The Inactivity Timeout is set to 100 seconds. Select IPSec General Settings to continue v2.00 Page 12 of 37 10.Feb.05

Figure 1.2.13: Profile Settings: IPSec General Settings Verify the IP address or DNS name of the ASLv5 is correctly configured. When automatic mode is selected for both the IKE (Phase 1) and IPSec (Phase 2) Policies, the client will submit a range of different commonly used proposals and the ASLv5 can then select the one that matches the policy defined in section 1.1.2 and assigned to the connection in section 1.1.3. The selected settings as shown in section 1.1.2 will work automatically, thereby not necessitating the definition of custom proposals. Click on Identities to move to the next dialog box. Figure 1.2.14: Profile Settings: Identities Confirm that the pre-shared key has been filled in correctly. Click on IP Address Assignment to continue v2.00 Page 13 of 37 10.Feb.05

Figure 1.2.15: Profile Settings: IP Address Assignment Confirm the settings as entered in figure 1.1.1 (Virtual IP = Manual IP address). Then click on Remote Networks to move to the next dialog box. Figure 1.2.16: Profile Settings: Remote Networks Enter in the Network address(es) (depending on the subnet masks defined, these can be individual hosts or network segments) that are to be reached. This is used in the Phase 2 negotiation and often the cause for configuration mistakes. In this scenario, the ASL is set to ANY (see subnet definition figure 1.1.4) so no subnets need to be defined here. If you choose however, to set subnets in the configuration as shown in figure 1.1.4, then these need to match the values entered here. Skip Certificate Check, because this example does not call for the use of certificates, select the Firewall Settings instead v2.00 Page 14 of 37 10.Feb.05

Figure 1.2.17: Profile Settings: Firewall Settings Confirm the settings here as entered in figure 1.2.8. For more details also refer to the manual, and look at the Configuration -> Extended Firewall Settings. Click on OK to return to the main Profile Settings dialog box. Figure 1.2.18: Profile Settings Select OK to return to the monitor (the graphical user interface to configure the VPN Client) v2.00 Page 15 of 37 10.Feb.05

1.3 Establishing the connection with pre-shared keys Seeing as the connection is set to be established manually, click on Connect to create the tunnel. figure 1.3.1: NCP Secure Entry Client Monitor: Established connection Then open a dos box/command prompt, and ping the internal network interface of the ASLv5 to confirm the connection has been successfully established. Depending on the VPN Gateway's configuration other hosts on the ASLv5 internal LAN can be reached. (See ASLv5's filtering and routing settings; this is beyond the scope of this quick installation guide). figure 1.3.2: Command Prompt: Ping response v2.00 Page 16 of 37 10.Feb.05

2. Configuring a VPN connection using certificates (PKI) 2.1 Configuring the Astaro Security Linux v5 with certificates (PKI) 2.1.1 IPSec VPN -> CA Management First step is to create a Certification Authority and generate the certificates needed. Figure 2.1.1: IPSec VPN -> CA Management In order to create certificates, a CA or Certification Authority needs to be created that in turn can issue certificates. This is done by creating a "Signing CA", a self signed certificate: This will be the root CA certificate. Once this certificate is created; all other subsequent certificates can be generated using the key-pair belonging to this certificate. Click on New and then Generate and enter in the values for the Certification Authority. Figure 2.1.2: IPSec VPN -> CA Management: Creating a Certification Authority The self-signed root CA certificate will be referred to as ASLv5-DemoCA. Next, two "Host CSR"s (Certificate Signing Requests) are to be created, and these then signed to create two host certificates. Figure 2.1.3: IPSec VPN -> CA Management: Host CSRs and Certificates We will create one certificate for the VPN Gateway itself "VPN-GW01"(the certificate the VPN Gateway will present to the user) and a certificate for a user "VPN-User01"(the certificate the user will present to the VPN Gateway). Click New IMPORTANT NOTE: please select X509 DN as the VPN ID as shown below! v2.00 Page 17 of 37 10.Feb.05

Figure 2.1.4: IPSec VPN -> CA Management: Defining a Certificate Signing Request (CSR) for gateway The above screenshot shows the creation of a CSR for a certificate that will be used for the VPN Gateway to present to incoming requests. Figure 2.1.5: IPSec VPN -> CA Management: CSR for gateway awaiting to be signed Next create a CSR for a VPN user, click New v2.00 Page 18 of 37 10.Feb.05

Figure 2.1.6: IPSec VPN -> CA Management: Defining a Certificate Signing Request (CSR) for a user Figure 2.1.7: IPSec VPN -> CA Management: CSRs pending to be signed These CSR then can be signed to create certificates. Figure 2.1.8: IPSec VPN -> CA Management: submitting the CSR to be signed Select the CSR, and then select Issue CERT from CSR, enter the signing CA's password, and proceed to sign them, and thereby creating usable certificates. v2.00 Page 19 of 37 10.Feb.05

Figure 2.1.9: IPSec VPN -> CA Management: submitting the CSR to be signed Repeat this process to create a certificate for the VPN-User01. Once completed, you will have two certificates: Figure 2.1.10: IPSec VPN -> CA Management: Issued certificates overview Next step is to transfer the VPN-User01 and the rootca ASLv5-DemoCA certificates to the host where the client software is installed on. Simply select the certificate and download. (see also section 2.2.3) Figure 2.1.11: IPSec VPN -> CA Management: Downloading the rootca certificate In the case of the CA certificate; you will get a zipped file containing two files: CERT_ASLv5-DemoCA.pem and KEY_ASLv5-DemoCA.pem. We will only require the use of the CERT_ASLv5-DemoCA.pem, so KEY_ASLv5-DemoCA.pem can (and should!) be deleted immediately. It is not good practice to keep this file on the client machine. Place this certificate in (for example windows 2000 systems) c:\winnt\ncple\cacerts\ directory (see figure 2.2.22) Figure 2.1.12: IPSec VPN -> CA Management: Downloading the certificate for the user Also select the CERT+KEY bearing the name VPN-User01 and download this as P12 (PKCS#12) which then also contains the private-key used for the signing operations. A password is requested which will be used to open the container (PKCS#12 file) in which the private-key is stored. v2.00 Page 20 of 37 10.Feb.05

2.1.2 IPSec VPN -> Remote Keys Define authentication parameters of your IPsec peer. In this example we will use the x509(v3) certificate we generated to authenticate the VPN client with to the VPN Gateway. Figure 2.1.13: IPSec VPN -> Remote Keys: New Remote IPSec Key Click Add to activate and make this remote key available. Figure 2.1.14: IPSec VPN -> Remote Keys: Remote Keys Confirm the Remote Key is available to use when defining a connection. 2.1.3 IPSec VPN -> Local Keys Next the VPN Gateway needs to be given a certificate: we'll use the VPN-GW01 we created earlier. Figure 2.1.15: IPSec VPN -> Local Keys: Defining the gateway's certificate Provided the password is correctly entered, the ASLv5 will now load the certificate and reflect this by showing the CN we assigned it. Figure 2.1.16: IPSec VPN -> Local Keys: Confirming the gateway's certificate This is then the certificate that the ASLv5 will use to present to incoming VPN connection requests and authenticate itself to the client. 2.1.4 IPSec VPN -> Policies Although one is free to choose from a whole host of combinations; the screenshot below simply illustrate one combination. (It is however advisable to select AES instead of 3DES because of a dramatic performance increase. AES was designed with performance in mind, and therefore is faster than 3DES.) v2.00 Page 21 of 37 10.Feb.05

Figure 2.1.17: IPSec VPN -> Policies: New IPSec Policy v2.00 Page 22 of 37 10.Feb.05

2.1.5 IPSec VPN -> Connections Now we bring all the components together and define a VPN connection. Figure 2.1.18: IPSec VPN -> Connections: New IPSec Connection Figure 2.1.19: IPSec VPN -> Connections: IPSec Connections Be sure to enable the profile, and then proceed with configuring the NCP Secure Entry Client. v2.00 Page 23 of 37 10.Feb.05

2.2. Configuring the NCP Secure Entry Client with certificates (PKI) In this scenario, the client requires two certificates: one of the CA that issued the certificates, known in this example as the ASLv5-DemoCA filename: CERT_ASLv5-DemoCA.pem, and a client certificate referred to as VPN-User01.p12 (see figure 2.1.6 & 2.1.12). Copy the CERT_ASLv5-DemoCA.pem file into the CaCerts subdirectory within the ncple directory. Any CA certificates placed here can be then set to be trusted; please refer to the manual for more details. 2.2.1 Configuration Assistant: Creating a new profile Figure 2.2.1: Configuration Assistant: Connection Type Select Link to Corporate Network using IPSec to create a profile with the parameters needed to establish a connection to the ASLv5 VPN Gateway. Click Next >. Figure 2.2.2: Configuration Assistant: Connection Name v2.00 Page 24 of 37 10.Feb.05

Several profiles can be created and each given different name. In this example, this profile is created and given the name ASLv5VPN-GW01. Click Next >. Figure 2.2.3: Configuration Assistant: Link type (Dial up configuration) The NCP Secure Entry Client supports different media types; the integrated dialer for example, can be used to establish a connection to the ISP with a modem (if available to the system) prior to building the VPN Tunnel. In this example, select LAN (over IP). Click Next >. Figure 2.2.4: Configuration Assistant: VPN gateway parameters Enter in the gateway's IP address or DNS name. (XAUTH as defined in draft-beaulieu-ike-xauth- 02 is not supported by the ASLv5.) Click Next >. v2.00 Page 25 of 37 10.Feb.05

Figure 2.2.5: Configuration Assistant: IPSec Configuration This example will use Main Mode and Perfect Forward Secrecy for seamless re-keying, employing DH- Group2 (1024 Bit). Enable the Use IP compression to increase the throughput. Click Next >. Figure 2.2.6: Configuration Assistant: Identities In this scenario, a certificate is used. The ASN1 Distinguished Name is used from the certificate. v2.00 Page 26 of 37 10.Feb.05

Figure 2.2.7: Configuration Assistant: IPSec Configuration IP addresses The ASLv5 VPN Gateway is configured to designate a virtual IP address to the incoming VPN connection (see figure 2.1.13). The NCP Secure Entry client supports three options, manual IP address assignment, IKE-Config Mode, or using the IP address assigned to the physical network interface. In this example, the IP address and the appropriate subnet mask is manually assigned to the client as illustrated in the screenshot above. Click Next > to continue. Figure 2.2.8: Configuration Assistant: Firewall settings The NCP Secure Entry Client also comes with a (stateful inspection) personal firewall that can be enabled to provide protection against attacks from the local LAN (for example an environment at a public wlan hotspot). Click Finish to save the setting to this profile. v2.00 Page 27 of 37 10.Feb.05

2.2.2 Configuration: Checking/Modifying the profile Figure 2.2.9: Configuration -> Profile Settings Open the Profile Settings to modify/review the parameters Figure 2.2.10: Profile Settings Either double click on the profile that is going to be modified, or select the profile and then click on Configure. Figure 2.2.11: Profile Settings: Basic Settings v2.00 Page 28 of 37 10.Feb.05

Review the parameters and ensure they are correct. Select Line Management to continue Figure 2.2.12: Profile Settings: Line Management The Connection Mode can be set to connect automatically, meaning that any time a packet is destined for ASLv5's LAN, the VPN Tunnel can automatically be established. In this example however, one manually establishes the connection. The Inactivity Timeout is set to 360 seconds. Select IPSec General Settings to continue Figure 2.2.13: Profile Settings: IPSec General Settings When automatic mode is selected for both the IKE (Phase 1) and IPSec (Phase 2) Policies, the client will submit a range of different commonly used proposals and the ASLv5 can then select the one that matches the policy defined in section 2.1.4 and assigned to the connection in section 2.1.18. The selected settings as shown in section 1.1.2 will work automatically, thereby not necessitating the definition of custom proposals. Click on Identities to move to the next dialog box. v2.00 Page 29 of 37 10.Feb.05

Figure 2.2.14: Profile Settings: Identities In this scenario, the IKE-ID type is taken from the certificate, in the form of the ASN1 Distinguished Name. Other IKE-ID types can be used, but are beyond the scope of this document; please refer to the manual for more details. Click on IP Address Assignment to continue Figure 2.2.15: Profile Settings: IP Address Assignment Confirm the settings as entered in figure 2.1.13. Then click on Remote Networks to move to the next dialog box. v2.00 Page 30 of 37 10.Feb.05

Figure 2.2.16: Profile Settings: Remote Networks Enter in the Network address(es) (depending on the subnet masks defined, these can be individual hosts or network segments) that are to be reached. This is used in the Phase 2 negotiation and often the cause for configuration mistakes. By not specifying any networks/hosts here, all traffic will be pushed through the tunnel. If you do not wish this to be the case, you can specify networks and the appropriate net- or hostmasks. In this scenario, the ASLv5 gateway is set to ANY (see subnet definition figure 2.1.18) so no subnets need to be defined here. If you choose however, to set subnets in the configuration, then these need to match the values entered here. Figure 2.2.17: Profile Settings: Certificate Check Additional security can be applied by entering the appropriate values here that will then be compared to the values in the certificate presented by the VPN gateway. In other words, additional checks are done on the certificate that the ASLv5 presents when establishing a connection. See the manual for more details. v2.00 Page 31 of 37 10.Feb.05

Figure 2.2.18: Profile Settings: Firewall Settings Confirm the settings here. Click on OK to return to the main Profile Settings dialog box and select OK to return to the monitor (the graphical user interface of the VPN Client) v2.00 Page 32 of 37 10.Feb.05

2.2.3 Configuration: Using certificates Finally, point the client to the certificates that are to be used. These can be downloaded using the browser or simply copied to the appropriate locations. In this example the rootca ASLv5-DemoCA certificate is placed in c:\winnt\ncple\cacerts. (see figure 2.1.11) Figure 2.2.19: Connection -> Certificates -> Display CA certificates To verify that this has been done correctly; check to see if the CA certificate is listed in Connection -> Certificates Display CA Certificates. Figure 2.2.20: Certificates -> Trusted CA certificates The green tick denotes that this Certification Authority is to be trusted. Next define where the client can find the user certificate VPN-User01.p12. In the same way, place the certificate to be used to authenticate the client in a directory where it can easily be found. For the sake of this example, soft certificates are used. These are encrypted files containing the user's private- and public-keys. These keys could optionally, to obtain a higher security level be generated and stored exclusively on external devices such as smart cards or USB cryptographic devices. These then can be accessed using the PKCS#11 interface that comes with the Secure Client. v2.00 Page 33 of 37 10.Feb.05

Figure 2.2.21: Configuration -> Certificates To define which and where the certificate that is to be used; one needs to configure the location of the (soft)certificate to be used. Configuration -> Certificates brings up the following dialog box: Figure 2.2.22: Configuration -> Defining user certificate Select from PKCS#12 File, to set the use of 'soft certificates'. Then the appropriate path and file name are to be filled in where the certificate is located. Figure 2.2.23: Connection -> Enter PIN (to open user certificate) v2.00 Page 34 of 37 10.Feb.05

To verify that this has been done correctly; check to see if the user certificate is listed in Connection -> Enter PIN, Figure 2.2.24: Connection -> Enter PIN (to open user certificate) Enter the PIN, and if it is correct; this is indicated by a little green tick in the corner of the Monitor; then then allows you to view the client certificate. Figure 2.2.25: NCP Secure Entry Client Monitor: Confirm correct PIN Connection -> Certificates View Client Certificate. Figure 2.2.26: Connection -> Certificates -> View Client Certificate v2.00 Page 35 of 37 10.Feb.05

Figure 2.2.27: Connection -> Certificates -> View Client Certificate If there is any problem this will be highlighted in red. The example above shows a client certificate generated by the ASLv5_DemoCA used in this example. v2.00 Page 36 of 37 10.Feb.05

2.3. Establishing the connection with certificates Figure 2.3.1: NCP Secure Entry Client Monitor: Established connection When this has been completed a connection can be established. Seeing as the connection is set to be established manually, click on Connect to create the tunnel. If the certificate has not been accessed yet, you will be prompted to enter in the PIN to open and use the certificate. Figure 2.3.2: Command Prompt: Ping response v2.00 Page 37 of 37 10.Feb.05

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback