REMOTE ACCESS IPSEC - Course 4002

Remote Access Features
- Granular network access and authorization based on groups and policies.
- Windows, Linux, and Mac client support:
    Windows: ShrewSoft Client
    Mac: IPSecuritas
    Linux: ShrewSoft IPSec Client
- Client installer and configuration files are downloaded from the Remote Access Portal or from the firewall Admin Interface.
- Includes the ability to download the iPhone IPSec configuration.
- Supports LDAP and Radius Hybrid + Xauth users.

IPSec Tunnels Per Device
- The number of IPSec tunnels and connected mobile users supported depends on the product.

Requirements
- GB-OS 5.3.1 or above (Xauth support). GTA recommends you are always on the latest GB-OS; if your firewall is on v5.3 we will request that you upgrade.
- Host OS for IPSec:
    Windows and Linux - Shrew Soft VPN Client
    Mac - IPSecuritas IPSec Client 3.4 or above
    iPhone/iPad - OS 3 or 4.1 and above
- User access permission for Remote Access to a GTA firewall.
- Client configuration files downloadable from the firewall remote access interface.
- Signed certificates: an IPsec client user certificate and a firewall VPN certificate.
- IPsec client permissions to run the client on the host.

Certificates
- IPSec client connections using Xauth require both the firewall and the IPSec client to have signed certificates.
- GB-OS 5.3 and above supports the creation of signed certificates using a CA created on the firewall.
- All firewalls updated to GB-OS 5.3 will have a CA created automatically. If no CA exists, it can be created in the Certificates section and used to create VPN and user certificates.
- For more information on certificate management, see the GB-OS User's Guide and the VPN Option Guide.

Mobile IPSec Configuration Using XAuth
- Enable and configure VPN Remote Access for IPSec in [Configure -> VPN -> Remote Access -> IPSec].
- Define a group which has IPSec enabled in [Configure -> Accounts -> Groups]. If using Radius or LDAP authentication, select the LDAP or Radius group and enable IPSec, or create a group on the firewall which matches a user group on the LDAP server.
- Define users, if not using LDAP or Radius, in [Configure -> Accounts -> Users].
- If using LDAP or Radius, configure the authentication in [Configure -> Accounts -> Authentication].
- Configure Security Policies based on corporate policy.

[Configure -> VPN -> Remote Access -> IPSec]

Field                 Default                        Description
Enable                Disabled                       Allows dynamic connections to the firewall.
IPSec Object          IPSec Mobile                   Encryption and authentication methods used for client connections.
Local Network Object  FW Network - Local             Local protected networks.
Pool Network          Pool-IPSec (192.168.73.0/24)   Pool of IP addresses assigned to GTA clients that use Xauth.
Name Server           User defined IP address        DNS server(s) pushed to the client.
WINS Server           User defined IP address        WINS server pushed to the client.

[Configure -> VPN -> Remote Access -> IPSec] - Advanced

Field              Default          Description
Override Hostname  Blank            Allows an administrator to override the default firewall host name configured in Network Settings. The entry can be an IP address or a fully qualified host name.
Local Identity     Certificate      Firewall identity used for mobile VPN client connections: <IP Address>, <Domain>, <Email> or <Certificate>.
Method             Hybrid + XAuth   Authentication method required of clients (see below).

Authentication methods
Method            Default     Description
Hybrid + XAuth    Checked     Requires user login and password.
    LDAP          Unchecked   Enables LDAP users.
    Radius        Unchecked   Enables Radius users.
Pre-Shared Key    Unchecked   Requires a pre-shared key only. Firewall local identity must be an IP address, Domain or Email address.
RSA               Unchecked   Requires the user to have a signed certificate.
RSA + XAuth       Unchecked   Requires the user to have a signed certificate and a user name and password.

Advanced - Login Banner
- Login Banner (Default: Disabled): displays a user-defined login message to XAuth clients connecting to the firewall.

Group Configuration [Configure -> Accounts -> Groups]

Field                                 Default        Description
Disable                               Unchecked      Disables the group.
Name                                  User defined   Name used to reference the group for permissions.
Mobile IPSec - Enable                 Unchecked      Enables IPSec client connections for the group.
Advanced - Authentication Required    Unchecked      User must authenticate using GBAuth prior to establishing the VPN.
Advanced - Local Network              Unchecked      Override for the local networks defined in [Configure -> VPN -> Remote Access -> IPSec].

Security Policies [Configure -> Security Policies -> Policy Editor -> VPN -> IPSec]

Manually Configure a User [Configure -> Accounts -> Users]

Manually Configure a User - Download Policy

VPN Wizard
- For users defined on the firewall, when the Set Up Wizard for mobile clients is used the firewall will prompt to download the client policy.

Distributing the Client for Manually Defined Users and LDAP or Radius Users
- Open the alternate port to download the SSL client.
- LDAP and Radius require the Authentication Option to be enabled.

Getting the Installer and Client Policies From the Remote Access Portal
- Log in using the host name or IP address of the firewall on the specified port.

IPSec Client Download
- Client installers and configurations can be downloaded directly from the firewall interface: Windows, Mac, Linux, iPhone.

Install Instructions
- Available in the Support section of the GTA web site.
- Run the installer for your specific OS: Linux, Windows or Mac.

Connecting with the Client (Example)
1. Open the VPN client software.
2. Import the configuration files or certificates (Mac).
3. Select the policy to use and click Connect.
4. Enter the username and password and click Connect.

Using the Client
- Once the client is open and connected, the firewall assigns the client an IP address from the IPSec pool and pushes routes for the local networks to the client.

Connections
- IPSec connections are displayed with a Type of IPSec.

Authenticated Users
- Name: the user name configured.
- Groups: all groups the user is a member of.
- Type: type of authentication; in most cases this should be IPSec, indicating the IPSec VPN.
- IP Address: source IP the user is coming from.
- Active: how long the client has been connected.
- Lease Duration: how long until the client re-negotiates the lease, and how long the firewall reserves the lease.

Special Case VPN Configurations
- Custom IPSec Objects / Encryption Objects
- Hub & Spoke
- All connections via VPN
- Overriding local networks for IPSec groups
- iPhone VPN
- Using Main Mode instead of Aggressive Mode for mobile clients

Custom Objects
- [Configure -> Objects -> Encryption Objects]
- [Configure -> Objects -> IPSec Objects]

Hub & Spoke VPN Using Client
- Mobile clients access resources via a site-to-site IPSec tunnel after connecting to the first firewall.

Hub & Spoke VPN Using Client - Mobile IPSec Configuration
- The firewall's IPSec client configuration will contain both the Local Network and the Remote Network reachable via the site-to-site tunnel.

Hub & Spoke VPN Using Client - Hub Firewall and Remote Firewall IPSec Site to Site Configuration
- The IPSec site-to-site configuration will reference an object which contains both the mobile client network and the local network of the Hub firewall.
- The Remote firewall will use both the IPSec client network and the Hub firewall LAN as the remote networks.

Forcing All Connections via VPN
- Set the Local Network to ANY_IPv4.
- Create IPSec and Pass Through policies to allow the client outbound access, if you wish to allow client access to the Internet via the firewall.

Connections
- Connections will display incoming packets from the IPSec client and outgoing NAT packets.

Overriding Local Networks for IPSec Clients
- If corporate policy requires different local networks based on user groups for IPSec access, this can be configured in the user group's Mobile IPSec Advanced section.
- Create a new group and, in Mobile IPSec Advanced, enable Local Network and specify the network to use.

Main Mode vs Aggressive Mode
- The recommended configuration is to use Aggressive mode for IPSec client connections. However, corporate policy may require all IPSec VPNs to use Main mode.
    Main Mode: hosts with static IP addresses.
    Aggressive Mode: hosts with dynamic IP addresses.
- In this case you need an IPSec Object using Main mode.
- Requirement: using Main mode for mobile clients requires all IPSec clients to use certificates for the VPN.

Assigning IP Addresses Statically
- Must use a user defined on the firewall.
- The user must use an authentication method of Pre-shared Key or Certificate.

Client Address
- The client address assigned is the first address in the pool that is available.
- For some users this will be a #.#.#.0 address.

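To make the two slides above concrete, here is an added example (not GTA's code, and not the firewall's implementation) that models the described behaviour: a first-free allocator over the default 192.168.73.0/24 pool, so that the very first lease lands on the .0 address, plus static reservations carved out of the dynamic pool for firewall-defined users. The user names and the static address are constructed for the example.

```python
"""
Added example, not GTA's code: model the pool behaviour described in the
course. A client receives the first free address in the IPSec pool, so with
the default 192.168.73.0/24 pool the first lease can be the .0 address, and
static assignments are reserved out of the dynamic range up front.

The allocator is an illustration of the described behaviour, not the
firewall's implementation; user names and addresses are constructed.
"""
import ipaddress
from typing import Dict, List, Optional

# Default Pool-IPSec network as given in the course.
DEFAULT_POOL = ipaddress.ip_network("192.168.73.0/24")


class IpsecPool:
    """First-free allocator over a pool network, with reserved static leases."""

    def __init__(self, network: ipaddress.IPv4Network,
                 static: Optional[Dict[str, str]] = None):
        self.network = network
        # Static assignments (per the course: only for users defined on the
        # firewall, authenticating with PSK or certificate) are reserved first.
        self.leases: Dict[str, ipaddress.IPv4Address] = {
            user: ipaddress.ip_address(addr) for user, addr in (static or {}).items()
        }
        # Sanity check added for the example: a static lease must lie in the pool.
        for addr in self.leases.values():
            if addr not in network:
                raise ValueError(f"static address {addr} is outside pool {network}")

    def assign(self, user: str) -> ipaddress.IPv4Address:
        """Hand out the lowest address in the pool not currently leased."""
        if user in self.leases:
            return self.leases[user]
        in_use = set(self.leases.values())
        # Iterating the network yields every address from .0 upward, .0 included,
        # which is why the first dynamic client can receive the .0 address.
        for addr in self.network:
            if addr not in in_use:
                self.leases[user] = addr
                return addr
        raise RuntimeError("pool exhausted")

    def release(self, user: str) -> None:
        """Return a user's address to the pool."""
        self.leases.pop(user, None)

    def zero_host_leases(self) -> List[str]:
        """Users currently holding a #.#.#.0 address, the case the course calls out."""
        return sorted(u for u, a in self.leases.items() if int(a) & 0xFF == 0)


if __name__ == "__main__":
    pool = IpsecPool(DEFAULT_POOL, static={"alice": "192.168.73.10"})  # constructed
    for user in ("bob", "carol", "alice"):
        print(user, pool.assign(user))
    print("clients on a .0 address:", pool.zero_host_leases())
```

Running the block shows bob on 192.168.73.0, carol on 192.168.73.1 and alice on her reserved 192.168.73.10; after bob disconnects, the next dynamic user gets the .0 address again.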
Shrew Client Options
- Access Manager: Windows Style
- VPN Connect: Minimize when connected; Remember Login Name; Automatic Reconnect
- Software Updates

Shrew Client Install Options
- Professional Edition - Paid
- Standard Edition - Free

Shrew Client Professional vs Standard

Feature             Standard   Professional
XAuth               Yes        Yes
Mode Config         Yes        Yes
Split Tunneling     Yes        Yes
Split DNS           No         Yes
AD / Domain Login   No         Yes

For more information on the Professional version go to https://www.shrew.net/shop

Troubleshooting - Windows Wireless

Shrew Client Configuration Issue
- The policy generation level must be unique.
- If it is not set to unique, it may look like the client connects to the firewall but it will not pass traffic.
- If you are on the latest client and GB-OS this is handled automatically.

Shrew Trace Utility
- The Shrew Soft VPN Trace Utility allows an administrator to gather additional client-side logs from the client. These can be compared with the GTA firewall logs.

Firewall IPSec Error Logs
- msg="ike: Unable to aquire license User Licenses has been reached for mobile IPSec connections." - the number of user licenses for mobile IPSec connections has been reached.
- etc.

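The license message above is the one firewall-side log line the course quotes. As an added example (not GTA's code), the block below parses key="value" log lines, picks out that message (matched with the spelling as logged in the course), and reports when license exhaustion repeats within a short window, which is how an operator would notice that mobile clients are being turned away for lack of licenses rather than for an authentication problem. The timestamp layout, the src= field and all sample lines are constructed for the example; only the msg text comes from the course.

```python
"""
Added example, not GTA's code: scan firewall IKE log lines for the
"Unable to aquire license" message quoted in the course and report when
mobile-IPsec license exhaustion repeats within a short time window.

Assumptions (constructed for the example, not from the course): lines are
syslog-style text carrying key="value" pairs, including a quoted time= field
and a src= field. The license message is matched as quoted in the course,
spelling included, since that is the text the firewall emits.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# key="quoted value" or key=bareword; msg values contain spaces, so quotes matter.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Message fragment as quoted in the course slides (spelling as logged).
LICENSE_EXHAUSTED = "Unable to aquire license"

# Constructed sample log for this example (timestamps, src and layout assumed).
SAMPLE_LOG = """\
time="2024-05-01 08:00:01" src=203.0.113.10 msg="ike: phase1 established"
time="2024-05-01 08:00:07" src=203.0.113.20 msg="ike: Unable to aquire license User Licenses has been reached for mobile IPSec connections."
time="2024-05-01 08:00:09" src=203.0.113.21 msg="ike: Unable to aquire license User Licenses has been reached for mobile IPSec connections."
time="2024-05-01 08:00:12" src=203.0.113.22 msg="ike: Unable to aquire license User Licenses has been reached for mobile IPSec connections."
time="2024-05-01 09:30:00" src=203.0.113.30 msg="ike: Unable to aquire license User Licenses has been reached for mobile IPSec connections."
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict of key -> value with quotes removed."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def license_events(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed lines whose msg reports mobile IPSec license exhaustion."""
    events = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if LICENSE_EXHAUSTED in fields.get("msg", ""):
            events.append(fields)
    return events


def exhaustion_bursts(events: List[Dict[str, str]],
                      window: timedelta = timedelta(minutes=5),
                      threshold: int = 3) -> List[Tuple[datetime, int, List[str]]]:
    """Sliding-window count of exhaustion events.

    Returns one (window start, count, sorted source IPs) entry each time the
    number of events inside `window` first reaches `threshold`.
    """
    stamps = sorted(
        (datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S"), e.get("src", "?"))
        for e in events
    )
    bursts = []
    start = 0
    for end in range(len(stamps)):
        # Drop events that fell out of the window relative to the newest one.
        while stamps[end][0] - stamps[start][0] > window:
            start += 1
        count = end - start + 1
        if count == threshold:
            sources = sorted({src for _, src in stamps[start:end + 1]})
            bursts.append((stamps[start][0], count, sources))
    return bursts


if __name__ == "__main__":
    events = license_events(SAMPLE_LOG)
    print(f"{len(events)} license-exhaustion events")
    for started, count, sources in exhaustion_bursts(events):
        print(f"{count} clients refused for lack of licenses from {started}: {', '.join(sources)}")
```

With the constructed sample, the three refusals at 08:00 form one burst from three distinct client addresses, while the single refusal at 09:30 stays below the threshold; tune `window` and `threshold` to the size of the license pool in use.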
Client Log Messages
- "invalid message from gateway": the firewall authentication / ID differs from what the client expects. Check the [Configure -> VPN -> Remote Access -> IPSec] section against the identity configured in the client.
- etc.

References
- http://www.lobotomo.com/products/ipsecuritas/
- http://www.shrew.net/
- User Guides - https://www.gta.com/support/documents/

If you require additional assistance or have additional questions, please contact GTA Technical Support.
Email: support@gta.com
Phone: 1.407.482.6925
Free User Support: http://forum.gta.com
Mailing List: gb-users@gta.com