GB-OS VPN Gateway & GTA Mobile VPN Client Version 4.01: Option Guide for GB-OS 4.0 (VPNOG200703-01)


Contents

- Introduction (p. 1)
  - What is a VPN? (p. 1)
  - About IPSec VPN on GTA Firewalls (p. 1)
  - The VPN Gateway (Firewall) Component (p. 2)
    - Features (p. 2)
  - The Client Component (p. 2)
    - Features (p. 2)
    - Minimum Requirements (p. 3)
  - Installation Support (p. 3)
  - Support Options (p. 3)
  - Documentation (p. 3)
    - Additional Documentation (p. 3)
- GTA Firewall Setup (p. 4)
  - Entering Feature Codes (p. 4)
  - Running the VPN Setup Wizard (p. 5)
    - Configuring Gateway to Gateway Connections (p. 6)
    - Configuring Gateway to GTA Mobile VPN Client Connections (p. 9)
  - Configuring a VPN Connection Manually (p. 12)
    - Creating VPN Configuration Objects (p. 12)
      - Default VPN Objects (p. 12)
      - Which VPN Object Should I Use? (p. 12)
    - Selecting the IPSec Key Mode (p. 12)
    - Creating the VPN Connection (p. 13)
      - Creating a VPN Connection using IKE IPSec Key Mode (p. 13)
      - Creating a VPN Connection using Manual IPSec Key Mode (p. 14)
    - Configuring a Custom VPN Object (p. 16)
      - About Phase I (p. 17)
      - About Phase II (p. 17)
    - Configuring a Custom Encryption Object (p. 17)
      - Encryption Methods (p. 18)
      - Hash Algorithm (p. 18)
      - Key Group (p. 19)
    - Configuring VPN Policies (p. 19)
    - Creating Authorization (p. 20)
      - Creating Groups (p. 20)
      - Creating Users (p. 21)
- GTA Mobile VPN Client Setup (p. 22)
  - Installing the GTA Mobile VPN Client (p. 22)
  - Activating the GTA Mobile VPN Client (p. 23)
  - Configuring the VPN Client Software (p. 25)
    - Running the Configuration Wizard (p. 25)
    - VPN Settings Worksheet (p. 26)
    - Manually Configuring the GTA Mobile VPN Client (p. 27)
      - Entering Preferences (Parameters) (p. 27)
      - Configuring Phase 1 (Authentication) (p. 28)
    - Starting and Stopping VPN Client Connections (p. 30)
  - Advanced GTA Mobile VPN Client Setup (p. 31)
    - Advanced Phase 1 Configuration (p. 31)
    - Advanced Phase 2 Configuration (p. 32)
    - Launching Scripts (p. 33)
    - Configuring Access Control (p. 34)
    - USB Drive Mode (p. 35)
    - Preferences (p. 36)
      - Startup Modes (p. 36)
      - Miscellaneous (p. 36)
    - Console and Configuration Tools (p. 37)
      - Configuration Management (p. 37)
      - Console / Logs (p. 38)
- Reference A: GTA Mobile VPN Client User Interface (p. 40)
  - Configuration Panel (p. 40)
    - Menu Overview (p. 40)
      - File (p. 41)
      - VPN Configuration (p. 41)
      - Tools (p. 41)
      - ? (Help) (p. 41)
    - Left Hand Menu Icons (p. 41)
    - Configuration Menu Tree (p. 42)
    - Status Bar (p. 42)
  - Connection Panel (p. 43)
  - System Tray (p. 44)
    - System Tray Menu (p. 44)
- Reference B: VPN Concepts (p. 46)
  - Elements of IPSec VPN Security (p. 46)
    - Verifying Authorization (p. 47)
    - Verifying Data Integrity (p. 47)
    - Ensuring Data Privacy (p. 48)
  - Packet Structure: IPSec VPN (p. 48)
  - GTA Firewall VPN Packet Processing (p. 48)
- Reference C: Example VPN Configurations (p. 50)
  - Client to Gateway: Dynamic/Static IP Addresses & IKE (p. 51)
  - Client to Gateway: Dynamic IP Addresses & IKE (p. 55)
  - Gateway to Gateway: Dynamic/Static IP Addresses & IKE (p. 59)
  - Gateway to Gateway: Static/Static IP Addresses & IKE (p. 61)
  - Gateway to Gateway: Static/Static IP Addresses and Manual Key Exchange (p. 62)
- Reference D: Troubleshooting (p. 64)
  - On the GTA Firewall (p. 64)
    - FAQ (p. 64)
      - Mobile VPN clients cannot connect to the firewall. Why? (p. 64)
    - Log Messages (p. 64)
      - Security Associations (p. 65)
      - Mobile Client VPN Authentication and Connection (p. 65)
  - On the GTA Mobile VPN Client (p. 66)
    - FAQ (p. 66)
      - My GTA Mobile VPN Client says it is in a 30-day evaluation mode. (p. 66)
      - I receive an error when trying to activate the GTA Mobile VPN Client. Why? (p. 66)
      - How can I activate the GTA Mobile VPN Client when I need to connect to the Internet using a proxy server? (p. 67)
      - I cannot activate the GTA Mobile VPN Client online. How do I activate the client manually? (p. 68)
      - My Internet connection does not work when I return to the office. (p. 68)
      - Why won't the GTA Mobile VPN Client start a VPN on Windows XP? (p. 68)
      - Can I use an address range for my Address Type when configuring Phase 1 settings? (p. 69)
      - When should I set NAT-T to Forced when configuring advanced Phase 1 settings? (p. 69)
      - Why would I disable NAT-T when configuring advanced Phase 1 settings? (p. 69)
    - Log Messages (p. 69)
      - Incorrect Remote Gateway (p. 69)
      - Incorrect Pre-shared Key (p. 69)
      - Incorrect Local ID Value (p. 69)
      - Incorrect Local ID Type (p. 70)
      - Incorrect Remote ID Value (p. 70)
      - Incorrect Remote ID Type (p. 70)
      - Incorrect Phase I Settings (p. 70)
      - Incorrect Phase II Settings (p. 70)
      - Incorrect Phase II Authentication Settings (p. 71)
      - Incorrect Phase II Key Group Settings (p. 71)
      - Incorrect Filter Configuration (p. 71)

Introduction

What is a VPN?

A VPN is a Virtual Private Network. What makes it private? You can access resources on your network as if you were a second private network attached to the private (trusted) part of your network. What makes it virtual? You're not really accessing your private network from the private network: you're accessing it from a public or other untrusted network, such as the Internet. A combination of authentication, encryption and tunneling technologies is used to make sure that your data is transmitted securely, so you can trust your connection as you would trust your normal private network connection. VPN connections provide a way to access your protected data from an insecure location, all without compromising your network security.

VPNs vs. Standard NAT Tunnels

Standard NAT tunnels can provide external access to your internal network. So why use a VPN? VPNs provide more secure access than standard NAT tunnels. VPN tunnels provide methods to assure authorization, data integrity and privacy. As a result, VPN tunnels can secure even connections that normally do not provide encryption, authorization or integrity checking on their own. Standard tunnels do not provide these VPN safety mechanisms!

VPNs are an ideal secure network solution for employees that travel or work from home. They can also serve to securely connect branch offices to a main office or data center. GTA firewalls support the IPSec VPN standard; this provides interoperability with many third-party VPN products. IPSec VPNs can use a defined combination of authentication keys, anti-tampering hashes, data encryption and IP packet encapsulation to ensure the identity, integrity and privacy of your data transfers over public, untrusted networks. For more information, see Elements of IPSec VPN Security.

About IPSec VPN on GTA Firewalls

GTA firewalls provide IPSec controls for both mobile client (commuter-to-office) and gateway-to-gateway (office-to-office) VPN connections. GTA firewall VPNs are a security gateway version of the IPSec standard; the GTA Mobile VPN Client provides the host version. For specific information on the GTA implementations of the IPSec standard, see Elements of IPSec VPN Security.

The VPN Gateway (Firewall) Component

GTA firewalls can function as VPN gateways, handling authentication and encryption for VPN tunnels. The VPN gateway is configured on the firewall directly using the web administrative interface. VPN configurations are created in Configuration>VPN>IPSec Tunnels, and bound to an incoming authorization channel in either Configuration>Accounts>Users and Configuration>Accounts>Groups (for mobile VPN clients or a second VPN gateway with a dynamic IP address) or Configuration>VPN>IPSec Tunnels (where both VPN gateways have a static IP address).

GTA firewalls can interoperate with either another GTA firewall (for office-to-office VPNs) or a mobile VPN client (for commuter-to-office VPNs). Because GTA firewalls support the IPSec VPN standard, GTA firewall VPNs are also interoperable with third-party products that support the IPSec VPN standard. For information on creating a VPN between a GTA firewall and another VPN gateway, see the additional documentation on GTA's web site.

Features
- NAT traversal
- Easy application of security policies
- Easy creation and revision of VPNs using VPN configuration objects
- Quickly enable and disable VPN authorizations
- AES-128, AES-192 and AES-256, 3DES, DES and Blowfish methods for confidentiality
- MD5, SHA-1 and SHA-2 one-way hash methods for data integrity
- Up to 4,096-bit Diffie-Hellman keys for authenticity

The Client Component

With the GTA Mobile VPN Client option, GTA firewalls can also provide VPN protection to travelling employees or employees working from home. Your mobile VPN client software is installed on the client computer. It serves to locally perform the authentication, encryption and other services that would normally be performed by a second VPN gateway. Mobile VPN client software negotiates the connection with your GTA firewall VPN gateway. The GTA Mobile VPN Client is Microsoft Windows-compatible VPN software.

Note: Microsoft Windows Vista is currently not supported by the GTA Mobile VPN Client. Microsoft Windows Vista support will be included in a future release.

Features
- NAT traversal
- Easy VPN setup
- Client-to-client and client-to-gateway VPNs
- Compatible with most versions of Microsoft Windows
- DES, 3DES and AES encryption methods for confidentiality
- MD5 and SHA-1 one-way hash methods for data integrity
- Up to 2,048-bit Diffie-Hellman keys for authenticity
- USB mode allows easy start/stop of the VPN with insertion/removal of a USB drive
- VPN DNS configuration
- Redundant gateway

Minimum Requirements
- Microsoft Windows 98, Me, NT 4 (Service Pack 6 or greater), 2000, XP
- Intel Pentium class or greater processor
- 10 MB unused hard disk space
- 128 MB RAM
- 56K dial-up modem, wireless (WiFi), Ethernet or other compatible network card

Installation Support

Installation ("up and running") support is available to registered users. See GTA's website for more information. If you need installation assistance, be sure to register your product and then contact the GTA Technical Support team by e-mail at [email protected]. Please include your serial number and a brief description of the problem in the body of the e-mail.

Support Options

If you need support for GTA products, a variety of support contracts are available. Contact GTA Sales staff by e-mail at [email protected] for more information. Contracts range from support by the incident to full coverage for a year. Other assistance is available through the GNAT Box Mailing List or an authorized GTA Channel Partner.

Documentation

A few conventions are used throughout this guide to help you recognize specific elements of the text. If you are viewing this guide in PDF format, color variations may also be used to emphasize notes, warnings and new sections.

- Bold Italics: Emphasis
- Italics: Publications
- Blue Underline: Clickable hyperlink (e-mail address, web site or in-PDF link)
- Small Caps: On-screen field names
- Monospace Font: On-screen text
- Condensed Bold: On-screen menus, menu items
- Bold Small Caps: On-screen buttons, links

Additional Documentation

For instructions on installation, registration and setup of a GTA Firewall, see your GTA Firewall's Product Guide. For optional features, see the appropriate Feature Guide. Manuals and other documentation can be found on the GTA website. Documents on the website are either in plain text (*.txt) or Portable Document Format (*.pdf), which requires Adobe Acrobat Reader 5.0 or greater. A free copy of the program can be obtained from Adobe.

GTA Firewall Setup

This chapter explains the configuration steps for an IPSec VPN on both the firewall and a client computer. It also provides a worksheet to help with initial configuration. Each GTA firewall VPN requires a minimum of two points: an initiator and a responder. The responder must be a GTA firewall, while the initiator can be either a second VPN gateway or a GTA Mobile VPN Client. GTA firewall VPN setup requires configuration of both:
- the GTA firewall
- the GTA Mobile VPN Client or a second VPN gateway (e.g. a GTA firewall)

Instructions for VPN setup with Macintosh computers, third-party firewalls and non-IPSec VPNs are available at the GTA web site. For more information on IPSec VPNs, see Elements of IPSec VPN Security.

Entering Feature Codes

When a VPN option or GTA Mobile VPN Client license package has been purchased, feature activation codes are required for client-to-gateway VPNs. If you have purchased a mobile VPN client license package, navigate to Configuration>System>Activation Codes and enter its feature activation code. Click Save. The feature activation code necessary for activation can be retrieved from the GTA Support Center. Once logged in, click on View Products and select your firewall's serial number. Your feature activation code will be displayed. If a gateway-to-gateway VPN is not a standard feature of your firewall, and you have purchased a VPN option, also enter the VPN option's feature activation code and click Save.

Note: Feature activation codes for gateway-to-gateway VPNs are required only for GTA firewalls that are not sold with VPN as a standard feature. See your firewall's specifications for more information.

Running the VPN Setup Wizard

The VPN Setup Wizard is designed to help configure a simple Virtual Private Network (VPN) quickly and easily. The wizard will automatically create security policies to accept connections using ESP (protocol 50) and UDP (ports 500 and 4500). These automatic policies can be turned off in the Configuration>VPN>IPSec Tunnels screen under the Advanced tab.

Note: All connections through the VPN are controlled by VPN policies, located at Configuration>Security Policies>Policy Editor>VPN Policies.

To run the VPN Wizard, navigate to Wizards>VPN Setup. Before running the wizard, it may be helpful to print out the following worksheet (each row has a Value column for your own entry):

Table 2.1: VPN Wizard Worksheet

Local Network
- Gateway: Select the logical interface that acts as the gateway to the local network. Typically, this will be the external interface.
- Network: Select the address object of the configured network you wish to be able to connect to using the VPN. Select <USER DEFINED> to enter the local network's IP address manually.
- Identity: Enter the identity for the local network. The identity should be a fully qualified domain name or e-mail address. This field is only required if the local network is behind a dynamic IP address.

Remote Network
- Gateway Type (circle one: Dynamic / Static): Select the type of the remote network's gateway. This field is only required if the local network is behind a dynamic IP address.
- User Name: Enter the user name that will be used to connect to the remote network. This field is only required if the local network is behind a dynamic IP address.
- Identity: Enter the identity for the remote network. This field is only required if the local network is behind a dynamic IP address.
- Group: The user group that will be connecting to the remote network.
- IP Address / Identity: If the remote network's gateway is Static, enter its IP address. If the gateway is dynamic, enter an IP address, e-mail address or valid DNS resolvable host name to associate the remote gateway with a pre-shared secret key.
- Network: The destination IP address of the network that resides behind the remote firewall. Select <USER DEFINED> to enter the IP address manually.

Pre-shared Secret
- Pre-shared Secret Format (circle one: ASCII / Hex): The format of the pre-shared secret to be used by the VPN.
- Pre-shared Secret: The pre-shared secret to be used by the VPN. This same secret needs to be entered in the GTA Mobile VPN Client when configuring the security policy. This field is case sensitive.

Configuring Gateway to Gateway Connections

The first screen of the wizard will prompt you to enter a brief description of the VPN, for example "Orlando to New York". Click the Next Arrow to continue.

Figure 2.1: Entering the VPN's Description

Once a description has been entered, it will then be necessary to define the local network that will be establishing the VPN. For the local network's Gateway, select the logical interface assigned to the external network. In most cases, this will be <EXTERNAL>. For the Network, select the local network that is to be accessible via the VPN. If the desired local network is not listed, you may define it manually by selecting <USER DEFINED> and entering the network's IP address in the corresponding field. If the selected Gateway is dynamic, enter the Identity to be used. The Identity should be a fully qualified domain name or e-mail address. Click the Next Arrow to continue.

Figure 2.2: Defining the Local Network (Static Gateway)
Figure 2.3: Defining the Local Network (Dynamic Gateway)

To define the remote network that the VPN will be connecting to, it is necessary to select whether the remote network's external Gateway has a static or dynamic IP address. If it is a static (fixed) IP address, select the Static radio button and enter the gateway's IP address in the Network field. If the remote gateway is Dynamic, enter an IP address, e-mail address or valid DNS resolvable host name in the User Name and Identity fields to associate the remote gateway with a pre-shared secret key. The Group field defaults to Firewalls, which sets the appropriate VPN settings for the connection. Click the Next Arrow to continue.

Figure 2.4: Defining the Remote Network (Static Gateway)
Figure 2.5: Defining the Remote Network (Dynamic Gateway)

A pre-shared secret is used to ensure a secure, trusted connection between host computers and the internal network. When configuring GTA Mobile VPN Clients for connection to the VPN, the pre-shared secret must match the pre-shared secret defined in this step in order to establish a connection. Select the character set that the pre-shared secret will be defined with: ASCII or HEX (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F). Enter the pre-shared secret in the corresponding field. The Pre-shared Secret field is case sensitive. Click the Next Arrow to continue.

Figure 2.6: Entering the Pre-shared Secret

The final screen of the VPN Setup Wizard is a summary view of all entered settings. Please review the VPN's setup prior to committing the displayed configuration. To make changes to your basic setup, select the Back button to return to the appropriate screen. Click the Save icon to save the displayed configuration, or select the Cancel icon to abort.

Figure 2.7: Reviewing the VPN's Setup

Configuring Gateway to GTA Mobile VPN Client Connections

To allow users to connect to the GTA firewall's protected networks remotely using the GTA Mobile VPN Client, the GTA firewall's external gateway must have a static IP address. That is, it cannot obtain its IP address using DHCP or PPP.

Note: The VPN Setup Wizard will only configure the GTA firewall to allow connections from the GTA Mobile VPN Client. For instructions on configuring the GTA Mobile VPN Client to connect to the GTA firewall, please refer to the GB-OS VPN Gateway & GTA Mobile VPN Client Option Guide.

To run the VPN Setup Wizard, navigate to Wizards>VPN Setup. The first screen of the wizard will prompt you to enter a brief description of the nature of the VPN, for example "Mobile VPN Connections". Click the Next Arrow to continue.

Figure 2.8: Entering the VPN's Description

Once a description has been entered, it will then be necessary to define the local network that will be accessible to users of the GTA Mobile VPN Client. For the local network's Gateway, select the logical interface assigned to the external network. In most cases, this will be <EXTERNAL>. For the Network, select the local network that is to be accessible via the VPN. If the desired local network is not listed, you may define it manually by selecting <USER DEFINED> and entering the network's IP address in the corresponding field.

Figure 2.9: Defining the Local Network (Static Gateway)

To define the remote network, where the Mobile VPN Client will be connecting from, set the Gateway Type to Dynamic. Enter the Mobile VPN Client's User Name and Identity in the appropriate fields. The Identity must be in the form of an e-mail address. Set the Group to <Users>. For the Network, enter the IP address the GTA Mobile VPN Client should use. Click the Next Arrow to continue.

Figure 2.10: Defining the Remote Network for GTA Mobile VPN Client Connections

A pre-shared secret is used to ensure a secure, trusted connection between host computers and the internal network. When configuring GTA Mobile VPN Clients for connection to the VPN, the pre-shared secret must match the pre-shared secret defined in this step in order to establish a connection. Select the character set that the pre-shared secret will be defined with: ASCII or HEX (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F). Enter the pre-shared secret in the corresponding field. The Pre-shared Secret field is case sensitive. Click the Next Arrow to continue.

Figure 2.11: Entering the Pre-shared Secret

The final screen of the VPN Setup Wizard is a summary view of all entered settings. Please review the VPN's setup prior to committing the displayed configuration. To make changes to your basic setup, select the Back button to return to the appropriate screen. Click the Save icon to save the displayed configuration, or select the Cancel icon to abort.

Figure 2.12: Reviewing the VPN's Setup

Configuring a VPN Connection Manually

To manually configure an IPSec VPN with a GTA firewall, six firewall aspects must be configured in order:

1. Feature activation codes
2. IPSec Tunnels
3. VPN objects (optional)
4. Encryption objects (optional)
5. VPN or GTA Mobile VPN Client authorization
6. VPN Policies (located at Configuration>Security Policies>Policy Editor>VPN Policies) (optional)

Additionally, the second VPN gateway (GTA firewall or third-party VPN gateway) or mobile VPN client must be configured to reflect the same settings.

Creating VPN Configuration Objects

VPN objects determine how incoming VPN connections will be negotiated by defining what client or VPN gateway initiation behavior should be acceptable to your GTA firewall.

Default VPN Objects

By default, GB-OS has two VPN objects:
- Standard Dynamic
- Standard Static

Which VPN Object Should I Use?

Depending on whether your GTA firewall has a static or dynamic (DHCP/PPP) IP address, different VPN objects will be used.
- If both VPN gateways have static IP addresses: each will use the Standard Static VPN object.
- If an initiating VPN gateway (or mobile VPN client) has a dynamic IP address: the dynamically addressed initiator will use the Standard Dynamic VPN object.

Selecting the IPSec Key Mode

Key exchange, essential to authentication during IPSec VPN construction, can be accomplished either automatically using IKE or manually. Using IKE (automatic key exchange), Phase I of the connection establishes an IKE security association (SA) that is later used to securely create an IPSec SA; it negotiates the VPN terms and authorizes the peer. Phase II establishes SAs for IPSec, providing source authentication, integrity and confidentiality. Using manual key exchange, Phase I settings will be ignored by the GTA firewall.

Creating the VPN Connection

Presuming that you use the default VPN objects, navigate to Configuration>VPN>IPSec Tunnels.

Creating a VPN Connection using IKE IPSec Key Mode

1. Select the VPN object to be used for dynamic incoming connections from the Dynamic Incoming Connections pulldown. The default VPN object is Standard Dynamic.
2. Under the Advanced tab, ensure the Automatic Policies checkbox is enabled. This option will automatically configure the necessary VPN policies to allow ESP (protocol 50) and UDP ports 500 and 4500 on the configured VPN. To create more restrictive VPN policies, navigate to Configuration>Security Policies>Policy Editor>VPN Policies.
3. Select New to create a new IPSec Tunnel.
4. Select the IPSec Key Mode. For this example, select IKE (automatic key mode). To create a Manual VPN, see Creating a VPN Connection using Manual IPSec Key Mode.
5. Complete the VPN settings fields as described in Table 2.3.

Table 2.3: Creating a VPN Using IKE IPSec Key Mode
- Disable: Check to disable all access for the configured IPSec tunnel.
- Description: A description of the IPSec Tunnel.
- IPSec Key Mode: IKE (automatic key exchange).
- VPN Object: A selection for the VPN object used to define this VPN. See Which VPN Object Should I Use? for more information.
- Pre-shared Secret: ASCII or HEX format pre-shared secret value as defined in the VPN. This same key needs to be entered in the GTA Mobile VPN Client when configuring the security policy.

Local
- Gateway: Select an IP address, alias or H2A group assigned to an external network interface on the local firewall that will serve as the VPN gateway. (For the second VPN gateway or mobile client, this IP address is the remote gateway.) This is the visible, non-encapsulated, non-encrypted IP address.
- Network: Select the host/subnetwork that should be accessible from the VPN. Typically this is the protected network or PSN. Alternatively, select <USE IP ADDRESS> and enter the IP address(es) in the IP Address field.
- Advanced > Identity: User IP address, domain name or e-mail address for user authentication. This field is used to associate the local identity with a pre-shared secret key. Typically, this is <IP Address>.

Remote
- Gateway: The IP address of the remote end of the VPN tunnel, the gateway to the remote network. If the remote network is behind a firewall, then this will be the address assigned to its external network interface. This IP address will also help determine the routing of the encapsulated packet.
- Network: A previously defined address object or an IP address of the network that resides behind the remote firewall. This can be just the part of the network to which access is desired. (On a firewall, typically this will be the protected network, PSN or a subnet of either.) Use a subnet mask to define the class of network.
- Advanced > Identity: User IP address, domain name or e-mail address for user authentication. This field is used to associate the remote identity with a pre-shared secret key. Typically, this is <IP Address>.

Creating a VPN Connection using Manual IPSec Key Mode

1. Select the VPN object to be used for dynamic incoming connections from the Dynamic Incoming Connections pulldown. The default VPN object is Standard Dynamic.
2. Under the Advanced tab, ensure the Automatic Policies checkbox is enabled. This option will automatically configure the necessary security policies to allow inbound and outbound access on the configured VPN.
3. Select New to create a new IPSec Tunnel.
4. Select the IPSec Key Mode. For this example, select Manual.
5. Complete the VPN settings fields as described in Table 2.2.

Table 2.2: Creating a VPN Using Manual IPSec Key Mode
- Disable: Check to disable all access for the selected VPN.
- Description: A description of the VPN.
- IPSec Key Mode: Manual.
- VPN Object: A selection for the VPN object used to define this VPN. See Which VPN Object Should I Use? for more information.

Local
- Gateway: Select an IP address, alias or H2A group assigned to an external network interface on the local firewall that will serve as the VPN gateway. (To the second VPN gateway or mobile client, this IP address is the remote gateway.) This is the visible, non-encapsulated, non-encrypted IP address.
- Network: Select the host/subnetwork that should be accessible from the VPN. Typically this is the protected network or PSN. Alternatively, select <USER DEFINED> and enter the IP address in the IP Address field.

Remote
- Gateway: The IP address of the remote end of the VPN tunnel, the gateway to the remote network. If the remote network is behind a firewall, then this will be the address assigned to its external network interface. This IP address will also help determine the routing of the encapsulated packet. Default is
- Network: A previously defined address object or an IP address of the network that resides behind the remote firewall. This can be just the part of the network to which access is desired. (On a firewall, typically this will be the protected network, PSN or a subnet of either.) Use a subnet mask to define the class of network.

Manual
- Encryption Key: Select the format for the encryption key value: ASCII or HEX.
- Hash Key: ASCII or HEX format key value for the hash algorithm used in the authentication transformation.
- Security Parameter Index: Inbound SPI (default value is 256) and Outbound SPI (default value is 256).

Encryption Key Length

Blowfish encryption transformations use variable key lengths, while AES, DES and 3DES use a fixed-length key. If you exceed the maximum key length in these fields, you will generate an error and will not be able to save the configuration until it is corrected. You may enter a shorter key; the system will pad it to the minimum key size. A larger key size generally results in stronger encryption.

Table 2.3: Encryption Key Length

Algorithm | Key Size | ASCII and Hexadecimal Characters
AES | 128 bits | 16 ASCII or 32 Hex
AES | 192 bits | 24 ASCII or 48 Hex
AES | 256 bits | 32 ASCII or 64 Hex
Blowfish | variable | 5-56 ASCII or Hex
DES | 64 bits | 8 ASCII or 16 Hex
3DES | 192 bits | 24 ASCII or 48 Hex

Hash Key Length

The key length for the MD5 transformation is 128 bits, which is 16 ASCII characters or 32 hexadecimal characters. The key length for the SHA-1 transformation is 160 bits, which is 20 ASCII (40 hexadecimal) characters; it provides 80 bits of security. The key length for the SHA-2 (SHA-256) transformation is 256 bits, which is 32 ASCII (64 hexadecimal) characters; it provides 128 bits of security against mid-transport data tampering. Generally, larger keys are more secure.

Security Parameter Index (SPI)

The Inbound and Outbound Security Parameter Index are arbitrary numbers used to uniquely identify a security association on a Manual VPN. The Inbound SPI will be the Outbound SPI on the remote side of the VPN; likewise, the Outbound SPI will be the Inbound SPI on the remote side of the VPN. The SPI should be unique for each SA, although the Inbound and Outbound SPI may have the same value. The minimum SPI value is 256.
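A pre-check for manual-mode key material, added here as an example and not part of this guide or of GB-OS: it encodes the lengths from Table 2.3 and the Hash Key Length paragraph, decodes a typed ASCII or HEX value to bytes, and reports whether the firewall would reject the entry (too long), pad it (too short) or use it as entered. The algorithm names, status strings and the peers_agree helper are this example's own assumptions; how the firewall pads a short key is not stated in the guide and is not modelled.

```python
"""Pre-check of manual-mode keys against the guide's length rules.
Added example, not GB-OS code. Status strings and names are this example's own."""
import string

# (minimum, maximum) key length in bytes. Fixed-length algorithms have min == max.
# Blowfish is variable length: 5 to 56 characters (10 to 112 hex digits).
ENC_KEY_BYTES = {
    "AES-128": (16, 16),
    "AES-192": (24, 24),
    "AES-256": (32, 32),
    "Blowfish": (5, 56),
    "DES": (8, 8),
    "3DES": (24, 24),
}
# Hash keys: MD5 128 bits, SHA-1 160 bits, SHA-2 (SHA-256) 256 bits.
HASH_KEY_BYTES = {"MD5": (16, 16), "SHA-1": (20, 20), "SHA-256": (32, 32)}


def decode_key(fmt: str, value: str) -> bytes:
    """Turn a typed key into the bytes both peers must share.
    ASCII keys are case sensitive and used byte for byte; HEX keys need an
    even count of 0-9/A-F digits (the guide's HEX character set)."""
    fmt = fmt.upper()
    if fmt == "ASCII":
        return value.encode("ascii")
    if fmt == "HEX":
        if len(value) % 2 or any(c not in string.hexdigits for c in value):
            raise ValueError("HEX key must be an even number of 0-9/A-F digits")
        return bytes.fromhex(value)
    raise ValueError("key format must be ASCII or HEX")


def check_key(table: dict, algorithm: str, fmt: str, value: str) -> dict:
    """Classify a key the way the guide says the firewall treats it:
    longer than the maximum -> error, the configuration cannot be saved;
    shorter than the minimum -> accepted and padded by the firewall;
    otherwise -> used as entered."""
    lo, hi = table[algorithm]
    key = decode_key(fmt, value)
    if len(key) > hi:
        status = "too_long"
    elif len(key) < lo:
        status = "short_padded"
    else:
        status = "ok"
    return {"algorithm": algorithm, "bytes": len(key), "bits": len(key) * 8,
            "ascii_chars": (lo, hi), "hex_chars": (2 * lo, 2 * hi), "status": status}


def peers_agree(fmt_a: str, key_a: str, fmt_b: str, key_b: str) -> bool:
    """Both ends of a manual SA must hold identical key bytes. The same
    characters typed as ASCII on one peer and as HEX on the other do not match."""
    return decode_key(fmt_a, key_a) == decode_key(fmt_b, key_b)


if __name__ == "__main__":
    # Constructed sample entries, as an administrator might type them.
    print(check_key(ENC_KEY_BYTES, "AES-128", "ASCII", "0123456789abcdef"))
    print(check_key(HASH_KEY_BYTES, "SHA-1", "HEX", "ab" * 20))
    print(peers_agree("ASCII", "AB", "HEX", "4142"))    # True: same bytes
    print(peers_agree("ASCII", "abcd", "HEX", "abcd"))  # False: different bytes
```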

Configuring a Custom VPN Object

VPN objects configure how incoming VPN connections will be negotiated by defining what client or VPN gateway initiation behavior should be acceptable to your GTA firewall. Appropriate VPN configuration objects vary with the type of VPN connection and your security policies. Encryption objects are used to easily reference encryption settings when configuring a VPN object. For more information, see Configuring a Custom Encryption Object. To create or configure an existing VPN object, navigate to Configuration>System>Object Editor>VPN Objects.

Table 2.4: Configuring a VPN Object
- Disable: Disables the VPN object for use in a VPN configuration.
- Name: A unique name for the VPN object, used to reference it throughout the firewall's configuration.
- Description: A brief description of the use of the VPN object.

Phase I
- Exchange Mode: Specify flexible (<main>) or forced (<aggressive>) negotiation of acceptable encryption algorithms for IKE. Aggressive mode is required if one component of the VPN has a dynamic (DHCP or PPP) IP address, such as a dynamically-addressed VPN gateway or mobile VPN client.
- Encryption Object: A selection for the level of encryption to be used by the VPN object. For more information on configuring encryption objects, see Configuring a Custom Encryption Object.
- Advanced > Force Mobile Protocol: A toggle that switches on forced negotiation suited to VPNs involving dynamic IP addresses, including VPN gateways with dynamic (DHCP or PPP) IP addresses.
- Advanced > Force NAT-T Protocol: A toggle that switches forced use of NAT-T (Network Address Translation Traversal) on or off for connections that do not require NAT-T (that is, connections not using a NAT that denies VPN IKE connections).
- Advanced > Lifetime: Specify the length of time in minutes before the Phase I (IKE) security associations must be renewed. Shorter times are generally more secure, but may reduce performance by adding renewal overhead time to the connection.
- Advanced > DPD Interval: Specify the interval in seconds between checks for continued viability of the VPN connection (also known as dead peer detection). To disable DPD queries made by this firewall, set the interval to 0; the firewall will still respond to DPD signals from other VPN gateways and clients, but will not initiate any signals of its own.

Phase II
- Encryption Object: Specify the encryption algorithm that this firewall should accept for VPN data transfers (ESP). Strong encryption means that any algorithm except None and Null will be accepted from the VPN initiator. (Null provides IP encapsulation, but no encryption. None provides neither encryption nor encapsulation.) Null provides no security benefits, but is useful to transport non-IP protocols when using NAT between firewalls. GTA firewalls initiate connections using AES-128 by default.
- Advanced > Lifetime: Specify the length of time in minutes before the Phase II security associations must be renewed. The entered value must be smaller than the Phase I Lifetime. Shorter times are generally more secure, but may reduce performance by adding renewal overhead time to the connection.

About Phase I

Phase I establishes VPN peer identities (keys) that can be tested for authenticity, and sets up the initial security associations (SAs) that correlate hosts to encryption methods. These SAs secure the further VPN negotiation and setup communications, not the actual transfer of user data.

During Phase I, the Diffie-Hellman cryptographic technique uses random and prime numbers to generate a secondary number. These secondary numbers are then exchanged, and each host uses a combination of these secondary numbers as keys. Because predicting random numbers and determining prime numbers are both computationally difficult, knowledge of the random and prime numbers behind the generation of a key can be used to prove host authenticity. Increased computational power means that a key may eventually be computed; this is why key-based security such as VPN phases must be periodically regenerated to guarantee the authenticity of a packet's source.

Once Diffie-Hellman key exchanges have been performed (automatically with IKE, or manually), these temporary keys are used to prove the authenticity of hosts requesting the encryption and hash methods to be used during Phase II negotiations. Automatic key exchange (IKE) uses Phase I settings during its automatic negotiations. Manual key exchange does not use Phase I settings, because the firewall does not provide automatic negotiations in manual mode.

About Phase II

Phase II uses the host authenticity and the initial hash and encryption agreed in Phase I to protect secondary negotiations for authenticity, data integrity and confidentiality settings. These secondary settings are used in the actual transfer of user data. Using the temporary protection mechanisms devised during Phase I, Phase II again negotiates the keys, hashes and encryption that will be used to protect the transfer of actual user data.
Configuring a Custom Encryption Object

Encryption objects are used to easily reference encryption settings when configuring a VPN object. By default, GB-OS ships with five built-in encryption objects that are pre-configured with varying levels of encryption. They can be viewed and duplicated, but cannot be edited or deleted.

Table 2.5: Configuring a Custom Encryption Object

Disable: Disables the configured encryption object.
Name: A unique name for the encryption object, used to reference it throughout the firewall's configuration.
Description: A brief description of the use of the encryption object.
Encryption Method: Select the encryption algorithm that the firewall should accept for VPN data transfers. Default is <AES-192>. For more information on which encryption method to select, see Encryption Methods.
Hash Algorithm: Select the hash algorithm that should be used to provide checks for packet tampering. Default is <HMAC-SHA1>. For more information on which hash algorithm to select, see Hash Algorithm.
Key Group: Select the Diffie-Hellman key group (bit size of the key) to use for authenticity keys. Default is <Diffie-Hellman Group 2>. For more information on which key group to select, see Key Group.

Encryption Methods

Each encryption method uses a different algorithm to generate the keys that protect VPN data transfers. GTA firewalls support the following encryption methods:

Table 2.6: Encryption Methods

None: None provides neither encryption nor encapsulation when establishing a VPN connection.
Null: Null provides IP encapsulation, but no encryption. There are no security benefits when <Null> is selected, but it is useful to transport non-IP protocols when using NAT between firewalls.
AES: Advanced Encryption Standard; AES has become the new United States federal standard for encrypting commercial and government data. AES, with a key strength of 192 bits, is the default encryption level used by GB-OS encryption objects.
Blowfish: Blowfish is fast, supports long keys and is widely recognized throughout the security industry. Blowfish has been known to perform nearly twenty times faster than DES encryption.
DES: Data Encryption Standard; an encryption algorithm which was the official algorithm of the United States Government. DES has since been replaced by the AES algorithm.
3DES: 3DES, often referred to as Triple DES, is three rounds of DES encryption. Each round uses a different permutation of your key. 3DES is a secure algorithm, yet can impact performance.
Strong: Selecting <Strong> allows use of any encryption algorithm, a suitable selection when the VPN object's Phase I Exchange Mode is set to <Main>.

Hash Algorithm

The encryption object's Hash Algorithm is used to perform packet tampering checks in the Phase I and Phase II authentication headers. GTA firewalls support the following hash algorithms:

Table 2.7: Hash Algorithms

None: <None> provides no authenticity checks on the connection.
HMAC-MD5: A one-way hash function that creates a 16-byte (128-bit) hash or message digest to authenticate packet data.
HMAC-SHA1: A one-way hash function that creates a 20-byte (160-bit) hash or message digest to authenticate packet data. SHA1 is more resistant to attacks than MD5, but slower to compute.
HMAC-SHA2: A one-way hash function (SHA-256) that creates a 32-byte (256-bit) hash or message digest to authenticate packet data.
All: <All> allows for the use of any hash algorithm.

Key Group

The encryption object's Key Group is used to exchange the VPN's pre-shared secret using a Diffie-Hellman exchange. In a Diffie-Hellman exchange, two parties independently generate random public and private values. Each sends its public value to the other (using authentication to foil man-in-the-middle attacks); the private values remain secret. Each then combines the public key received with its own private key. The resulting key is the pre-shared secret, and it is identical for both sides.

When selecting the bit size of the Diffie-Hellman group, keep in mind that while a larger bit size is generally more secure, it can significantly increase the amount of time it takes to decrypt content. GB-OS encryption objects default to <Diffie-Hellman Group 2 (1024 bits)>.

Configuring VPN Policies

By default, GB-OS will automatically configure the necessary security policies to allow inbound and outbound access for all configured VPNs. If this has been toggled off (the setting is available under the Advanced tab on the Configuration>VPN>IPSec Tunnels screen), it is necessary to manually define VPN policies to allow VPN traffic: ESP (protocol 50) and UDP (ports 500 and 4500).

Note: It is recommended to have automatic policies enabled on the Configuration>VPN>IPSec Tunnels screen to simplify the VPN configuration process.

Use VPN policies (Configuration>Security Policies>VPN Policies) to control access through the VPN. Make modifications to your VPN policy as per your local security policy.
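The exchange described in About Phase I and in the Key Group section, carried out with a toy modulus so the steps can be followed by hand, as an added example that is not part of the original guide. Each side keeps a private exponent, sends only g^private mod p, and combines the peer's public value with its own private value; the two results are identical. The group-number to bit-size mapping beyond "Group 2 = 1024 bits" is an assumption taken from IKE's standard group numbering, and the 127-bit demonstration modulus is far smaller than any group the firewall offers.

```python
# Added example, not code from the GTA guide or from GB-OS: a Diffie-Hellman exchange
# over a toy modulus, illustrating the Phase I / Key Group description in the guide.
import secrets
from typing import Tuple

# Bit sizes from the guide's worksheet (DH768 ... DH2048). Only "Group 2 = 1024 bits"
# is stated on the page; the other group numbers follow IKE's standard numbering (assumed).
GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}


def public_value(p: int, g: int, private: int) -> int:
    """The value each side sends: g^private mod p. The private exponent never leaves the host."""
    return pow(g, private, p)


def shared_secret(p: int, peer_public: int, private: int) -> int:
    """Combine the peer's public value with the local private value."""
    return pow(peer_public, private, p)


def dh_exchange(p: int, g: int, a: int, b: int) -> Tuple[int, int, int]:
    """Run both sides with given private exponents; return (A, B, shared) after checking agreement."""
    A = public_value(p, g, a)          # sent by side A
    B = public_value(p, g, b)          # sent by side B
    secret_a = shared_secret(p, B, a)  # A computes B^a
    secret_b = shared_secret(p, A, b)  # B computes A^b
    if secret_a != secret_b:
        raise AssertionError("sides derived different secrets")
    return A, B, secret_a


def random_private(p: int) -> int:
    """A fresh private exponent in [1, p-2]; generating a new one each negotiation is what rekeying relies on."""
    return 1 + secrets.randbelow(p - 2)


def demo() -> bool:
    """Random exchange over the Mersenne prime 2^127-1 (a demonstration modulus, not an IKE group)."""
    p, g = 2**127 - 1, 2
    a, b = random_private(p), random_private(p)
    A, B, k = dh_exchange(p, g, a, b)
    return k == shared_secret(p, A, b)


if __name__ == "__main__":
    # Toy values p=23, g=5 with private exponents 6 and 15: A=8, B=19, shared secret 2.
    print(dh_exchange(23, 5, 6, 15))
    print(demo())
```

The values seen on the wire are only A and B; recovering the shared secret from them requires solving the discrete logarithm in the group, which is why the guide's larger groups are slower but stronger. The authentication the Key Group section mentions is what binds A and B to the intended peers; the arithmetic alone does not.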
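The following is an added example, not code from the GTA guide or from GB-OS. It models a hand-written policy set as a first-match rule list (this example's own representation, not the GB-OS policy syntax) and confirms that the traffic the Configuring VPN Policies section names is admitted: ESP (IP protocol 50) and UDP on ports 500 and 4500. The sample rule set is constructed; it shows the common slip of allowing IKE on 500 while forgetting NAT-T on 4500, and the effect of rule ordering.

```python
# Added example, not code from the GTA guide or from GB-OS: a first-match rule model used
# to confirm that manual VPN policies admit ESP and UDP 500/4500, as the guide requires.
from dataclasses import dataclass
from typing import List, Optional

ESP_PROTOCOL = 50
IKE_UDP_PORTS = (500, 4500)   # IKE and NAT-T


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "deny"
    protocol: str                # "esp", "udp", "tcp" or "any"
    port: Optional[int] = None   # destination port for udp/tcp; None matches any port


def permits(rules: List[Rule], protocol: str, port: Optional[int] = None) -> bool:
    """First matching rule decides; no match means deny (assumed default)."""
    for rule in rules:
        if rule.protocol not in (protocol, "any"):
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.action == "accept"
    return False


def missing_vpn_rules(rules: List[Rule]) -> List[str]:
    """List the VPN traffic classes the policy set does not admit."""
    missing = []
    if not permits(rules, "esp"):
        missing.append(f"ESP (protocol {ESP_PROTOCOL})")
    for port in IKE_UDP_PORTS:
        if not permits(rules, "udp", port):
            missing.append(f"UDP/{port}")
    return missing


# Constructed policy set: IKE on 500 is allowed, NAT-T on 4500 was forgotten,
# and the trailing deny-any rule will shadow anything appended after it.
SAMPLE_RULES = [
    Rule("accept", "esp"),
    Rule("accept", "udp", 500),
    Rule("deny", "any"),
]

if __name__ == "__main__":
    print(missing_vpn_rules(SAMPLE_RULES))
```

Because evaluation is first-match, the missing 4500 rule must be inserted ahead of the deny-any rule; appending it at the end leaves the report unchanged, which is the same ordering trap that applies in any first-match policy editor.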

Creating Authorization

If the configured IPSec Tunnel is to be used by mobile users running the GTA Mobile VPN Client, it is necessary to define how the mobile users will authenticate with the firewall. After configuring a VPN connection, use the Configuration>Accounts section to configure mobile users by assigning them to groups and defining their user accounts. User groups are used to assign users to a VPN object and local network. User accounts, pooled in user groups, define the identity and password to be entered when authenticating with the firewall.

Creating Groups

Groups define the VPN object and local network that GTA Mobile VPN Client users will be using. When defining a group, additional groups can also be added to the group being defined to pool additional users. This can be useful if a policy is being defined that must affect multiple groups. Groups are configured under Configuration>Accounts>Groups.

Table 2.8: Creating Groups

Disable: Disables the group.
Name: The name for the group.
Description: A short description to identify the use of the group.

Mobile VPN
  Disable: Disables VPN access for the user group.
  Authentication Required: A toggle for whether users configured under the group should be required to authenticate with the firewall using the GTA Mobile VPN Client.
  VPN Object: The VPN object to be used by the user group.
  Local Network: The local network that users in this group can access.

Groups
  Sub Group: Select a previously defined group to reference additional groups.
  Description: A short description to explain why this group is included.

Creating Users

User accounts define the identity and password to be entered when mobile users authenticate with the firewall.

Table 2.9: Creating User Accounts

Disable: Disables the account.
Name: The name for the account.
Description: A short description to identify the use of the account.
Identity: Used for authentication purposes; this is typically the user's account.
Group: A selection for the user's user group. Selecting ??? means no user group has been selected. See Creating Groups for more information.
Authentication Method: Select the method for authentication.
Password: The password for user authentication.

Mobile VPN
  Disable: Disables VPN access for the account.
  Remote Network: The IP address or address object of the remote network.
  IP Address: If <USER DEFINED> is selected as the Remote Network, enter the IP address here.
  Pre-shared Secret: The ASCII or HEX value of the pre-shared secret.

GTA Mobile VPN Client Setup

If laptop computers and other non-gateway servers and computers will connect to your GTA Firewall's VPN, install and configure the GTA Mobile VPN Client software on those computers. Additional Mobile VPN Client licenses are available for purchase separately from an authorized GTA Channel Partner or GTA sales.

Note: Installation and configuration instructions assume that the client computer is not behind a router that requires modification.

Installing the GTA Mobile VPN Client

The installation process for the GTA Mobile VPN Client is typical for Windows-compatible software.

Note: Microsoft Windows Vista is currently not supported by the GTA Mobile VPN Client. Microsoft Windows Vista support will be included in a future release.

To install the GTA Mobile VPN Client software:

1. Log in to the Windows computer under an administrative account.
2. Start the installer.
3. Click the Next button to read the license agreement. If you agree to the terms, click Yes to continue the installation.
4. Select an installation path for the software; the default path is C:\Program Files\GTA\Mobile VPN Client.
5. Complete the installation wizard. After completing the installation wizard, you will be prompted to reboot the computer. Rebooting the computer completes the installation process.

Activating the GTA Mobile VPN Client

The GTA Mobile VPN Client requires activation for any use beyond the initial thirty-day evaluation period. The license number necessary for activation can be retrieved from the GTA Support Center ( ). Once logged in, click on the View Your Registered Products link and select your firewall's serial number. Your GTA Mobile VPN Client license number will be displayed in the Activation Codes section.

Note: Should your GTA Mobile VPN Client license number not be displayed in the Activation Codes section, make sure your GTA Firewall is running GB-OS version 3.7 or greater. If you have a current support contract, please upgrade your GTA firewall and then retrieve the activation code. If you do not have a current support contract, you will need to contact GTA's sales department or your local GTA Channel Partner.

To activate the GTA Mobile VPN Client:

1. Open the GTA Mobile VPN Client to start the activation wizard. If the client is already open and running, navigate to ? (Help)>Activation Wizard.

Figure 3.1: Activation Wizard

2. Click the Activate button. Doing so will display the following screen:

Figure 3.2: Entering the License Number

3. The GTA Mobile VPN Client license number needs to be entered either as a single string of twenty characters ( ) or as four sets of six characters ( ). If your license number is four sets of six characters, you will need to switch the format of the License Number field to allow entry of your license number. To do so, select the Click here to enter... link.

Figure 3.3: Switching the License Number Format

4. Enter the GTA Mobile VPN Client license number and click Next. A successful activation will display the following screen:

Figure 3.4: Completing the Activation Wizard

Note: If an error message is displayed during activation, refer to Table D.1: Activation Errors for troubleshooting.

Configuring the VPN Client Software

To connect your computer to the GTA Firewall's VPN, you must first input connection settings into the GTA Mobile VPN Client. You may use the Configuration Wizard to configure the software; it will configure the client for a connection compatible with default GB-OS firewall settings. If you elect to use the VPN client configuration wizard, you do not need to complete the manual configuration instructions later in this section. For more information, see Running the Configuration Wizard.

Use the included worksheet on the following page to collect settings for your VPN client. Enter the settings as required by tunnel, Phase 1 or Phase 2 setup. Once your VPN client is configured, start and stop your VPN connection as desired. For more information on advanced mobile VPN client features such as automatic start and stop of your VPN connection, see Advanced Mobile Client Setup.

Running the Configuration Wizard

Running the configuration wizard will configure the GTA Mobile VPN Client for a connection compatible with default GB-OS firewall settings. Settings for your GTA Mobile VPN Client must match your firewall's VPN configuration object and authorization settings. Contact your network administrator to obtain matching VPN settings.

To run the configuration wizard, navigate to VPN Configure>Config. Wizard and complete the available fields. Once complete, click Next. The next screen will allow you to review your settings. If correct, click Finish.

Figure 3.5: Running the Configuration Wizard

VPN Settings Worksheet

Print and fill out the fields below for assistance when configuring the GTA Mobile VPN Client.

Table 3.1: VPN Settings Worksheet

Field                            Value
Firewall IP Address

Phase 1
  Name
  Interface
  Remote Gateway
  Preshared Key
  IKE Encryption (circle one)    DES  3DES  AES 128  AES 192  AES 256
  Authentication (circle one)    MD5  SHA
  Key Group (circle one)         DH768  DH1024  DH1536  DH2048

Phase 2
  Name
  VPN Client Address
  Address Type (circle one)      Single Address  Subnet Address
  Remote LAN Address
  Subnet Mask
  ESP Encryption (circle one)    DES  3DES  AES 128  AES 192  AES 256
  Authentication (circle one)    MD5  SHA
  Mode (circle one)              Tunnel
  PFS (circle one)               DH768  DH1024  DH1536  DH2048

Manually Configuring the GTA Mobile VPN Client

If you wish to manually configure the GTA Mobile VPN Client, configure the client using the following instructions.

Entering Preferences (Parameters)

Parameters for phase lifetime and dead peer detection (DPD) do not need to match the settings of your GTA firewall, but agreement between the two is beneficial. To enter lifetimes and DPD intervals for Phase 1 and 2 of your VPN:

1. Start the GTA Mobile VPN Client software (or click its icon in the system tray to display the Configuration Panel).
2. Click the Parameters icon located in the left-hand menu.
3. Enter your IKE and IPSec (Phase 1 and 2) lifetimes in the Lifetime fields. Values entered are in seconds. Times specify when keys should be renewed and security associations recreated. Shorter times are generally more secure, although they can add performance overhead to the VPN.

Note: The maximum lifetimes for the GTA Mobile VPN Client must be less than the lifetime indicated by the firewall.

4. Enter your Check Interval for dead peer detection (DPD). Do not enter a value of
5. Configure Miscellaneous settings as desired. Retransmissions defines how many times the client will attempt to retransmit a message before giving up. Delay between retries defines the amount of time, in seconds, before the client will attempt to retry opening a connection. Leave the IKE Port field blank.
6. Leave Block non-ciphered connection unchecked unless you wish to force all connections, including traffic with a non-VPN destination, through the VPN tunnel.
7. Click Save & Apply.

Configuring Phase 1 (Authentication)

Phase 1 settings must match your GTA firewall settings. Defaults for Phase 1 are AES-192 encryption, SHA hashes and Diffie-Hellman Group 2 (1,024-bit) keys. To enter Phase 1 settings of your VPN:

1. Start the GTA Mobile VPN Client (or click its icon in the system tray to display the configuration window).
2. Right-click the Configuration menu item and select New Phase 1. A new sub-item will appear in the Configuration tree. It will be given a default name, such as CnxVpn1, that you may change by editing the Name field.
3. Enter a new Name, if desired, with no spaces or special characters (e.g., Office_Phase_1).
4. Select the Interface (network card) that will be used (select Any to indicate all available network cards).
5. Enter the Remote Gateway, which should be the external IP address or domain name of your GTA firewall.
6. Enter the Pre-shared Key (secret) for your VPN and then Confirm it.
7. Enter appropriate IKE settings such as Encryption, Authentication and Key Group.
8. Click the P1 Advanced button. Check the Aggressive Mode checkbox. Set NAT-T to <Automatic>. Enter your Local ID. The Value will be the address indicated in your firewall's Users configuration, so select the Type indicating < >. Enter the Remote ID of the firewall. The value should be the external IP address of the firewall, so select the Type indicating <IP address>. Click OK.
9. Click Save & Apply to complete Phase 1 configuration.

Figure 3.6: Configuring Phase 1 (Authentication)

Configuring Phase 2 (IPSec Configuration)

Phase 2 settings must match your GTA Firewall's settings. Defaults for Phase 2 are 3DES encryption, SHA hashes and Diffie-Hellman Group 2 (1,024-bit) keys. To enter Phase 2 settings of your VPN:

1. Start the GTA Mobile VPN Client (or click its icon in the system tray to show the configuration window).
2. Right-click on the previously created Phase 1 configuration. Select Add Phase 2. A new sub-item will appear in the Configuration tree, underneath the Phase 2 configuration. It will be given a default name, such as CnxVpn1, that you may change by editing the Name field.
3. Enter a new Name, if desired, with no spaces or special characters (e.g., Office_Phase_2).
4. Enter the VPN Client Address, which is the IP address your computer will use when attached to the firewall's internal network.
5. Select the Address Type. This will be a subnet address if you are connecting to the firewall's internal network. It will be a single IP address if you are connecting to only one host, such as another GTA Mobile VPN Client. Enter the Remote Host Address. This will be the IP address of the firewall's internal network with its subnet mask if you are connecting to the firewall's internal network.
6. Enter ESP settings such as Encryption, Authentication and Tunnel Mode. Note that these settings may be different from those used in Phase 1.
7. Check the PFS (perfect forward secrecy) checkbox.
8. Select the Diffie-Hellman key Group.
9. Click Save & Apply. If you wish to open your VPN connection immediately, click Open Tunnel.

Figure 3.7: Configuring Phase 2 (IPSec)

Note: Creating a complete VPN configuration does not automatically open that VPN connection. To start or stop a VPN connection, see Starting and Stopping VPN Client Connections.
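One way to catch mismatches before the first tunnel attempt, as an added example that is not code from the GTA guide, GB-OS or the client: a consistency check of a client profile (Parameters, Phase 1 and Phase 2 screens) against the firewall's VPN object and encryption object, applying the rules the guide states in Table 2.4, Entering Preferences, Configuring Phase 1 and Configuring Phase 2. Field names, the sample firewall object and the sample client profile are this example's own constructed values; the firewall's Phase II "Strong" setting is modelled as accepting anything except None and Null, as Table 2.4 describes.

```python
# Added example, not code from the GTA guide, GB-OS or the GTA Mobile VPN Client:
# cross-check a client profile against the firewall's VPN object using the rules
# the guide states. Field names and sample values are this example's own.
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class FirewallVpnObject:
    """Settings from the VPN object (Table 2.4) and its encryption objects (Table 2.5)."""
    exchange_mode: str      # "main" (flexible) or "aggressive" (forced)
    p1_encryption: str
    p1_hash: str
    p1_dh_group: int        # Diffie-Hellman group number
    p1_lifetime_min: int    # Phase I lifetime, minutes
    p2_encryption: str      # algorithm name, or "Strong" (anything except None/Null)
    p2_hash: str
    p2_lifetime_min: int    # Phase II lifetime, minutes


@dataclass(frozen=True)
class ClientProfile:
    """Settings from the client's Parameters, Phase 1 and Phase 2 screens."""
    dynamic_address: bool   # client on DHCP/PPP, the usual mobile case
    aggressive_mode: bool   # P1 Advanced > Aggressive Mode
    p1_encryption: str
    p1_hash: str
    p1_dh_group: int
    p1_lifetime_s: int      # Parameters > IKE lifetime, seconds
    p2_encryption: str
    p2_hash: str
    p2_lifetime_s: int      # Parameters > IPSec lifetime, seconds
    pfs_enabled: bool       # Phase 2 > PFS checkbox


def check_profile(fw: FirewallVpnObject, cl: ClientProfile) -> List[str]:
    """Return the list of mismatches; an empty list means the profile is consistent."""
    problems = []

    # Firewall-side rule: the Phase II lifetime must be smaller than the Phase I lifetime.
    if fw.p2_lifetime_min >= fw.p1_lifetime_min:
        problems.append("firewall Phase II lifetime must be smaller than Phase I lifetime")

    # Aggressive mode is required when one side has a dynamic (DHCP/PPP) address.
    if cl.dynamic_address and not (cl.aggressive_mode and fw.exchange_mode == "aggressive"):
        problems.append("dynamic client address requires aggressive mode on both sides")

    # Phase 1 algorithms must match the firewall exactly.
    for name, fw_val, cl_val in (("Phase 1 encryption", fw.p1_encryption, cl.p1_encryption),
                                 ("Phase 1 hash", fw.p1_hash, cl.p1_hash),
                                 ("Phase 1 DH group", fw.p1_dh_group, cl.p1_dh_group)):
        if fw_val != cl_val:
            problems.append(f"{name}: firewall {fw_val!r} vs client {cl_val!r}")

    # Phase 2: "Strong" accepts any algorithm except None and Null; otherwise exact match.
    if fw.p2_encryption == "Strong":
        if cl.p2_encryption in ("None", "Null"):
            problems.append("Phase 2 encryption: firewall 'Strong' rejects None and Null")
    elif fw.p2_encryption != cl.p2_encryption:
        problems.append(f"Phase 2 encryption: firewall {fw.p2_encryption!r} vs client {cl.p2_encryption!r}")
    if fw.p2_hash != cl.p2_hash:
        problems.append(f"Phase 2 hash: firewall {fw.p2_hash!r} vs client {cl.p2_hash!r}")

    # Client lifetimes (seconds) must be less than the firewall's (minutes).
    if cl.p1_lifetime_s >= fw.p1_lifetime_min * 60:
        problems.append("client IKE lifetime must be less than the firewall Phase I lifetime")
    if cl.p2_lifetime_s >= fw.p2_lifetime_min * 60:
        problems.append("client IPSec lifetime must be less than the firewall Phase II lifetime")
    if not cl.pfs_enabled:
        problems.append("PFS should be checked in the Phase 2 configuration")
    return problems


# Constructed samples: an aggressive-mode object with the guide's defaults, and a matching client.
SAMPLE_FIREWALL = FirewallVpnObject("aggressive", "AES-192", "HMAC-SHA1", 2, 480,
                                    "3DES", "HMAC-SHA1", 60)
SAMPLE_CLIENT = ClientProfile(True, True, "AES-192", "HMAC-SHA1", 2, 14400,
                              "3DES", "HMAC-SHA1", 3000, True)

if __name__ == "__main__":
    print(check_profile(SAMPLE_FIREWALL, SAMPLE_CLIENT))
    print(check_profile(SAMPLE_FIREWALL, replace(SAMPLE_CLIENT, aggressive_mode=False)))
```

The lifetime comparison is the one most often missed, because the firewall's Lifetime fields are in minutes while the client's are in seconds; the check converts before comparing.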

Starting and Stopping VPN Client Connections

Your VPN client software can be configured to automatically start or stop your VPN connection. This can be particularly useful if your primary network traffic must use the VPN, or if you always use the same VPN settings. You can also choose to start and stop your VPN connections manually. For a fully automated VPN solution, you may also elect to automatically start your VPN client software. For more information on automatic startup of your VPN client, see Startup Modes.

To automatically start your VPN connection:

1. Start the GTA Mobile VPN Client (or click its icon in the system tray to show the configuration window).
2. Select a Phase 2 configuration item in the Configuration tree and click the P2 Advanced button.
3. If you wish your VPN connection to begin automatically when the VPN client software starts, check the Automatically Open This Tunnel When VPN Client Starts check box.
4. If you wish your VPN connection to start automatically upon insertion of a USB drive/stick containing a VPN client configuration, check the Automatically Open This Tunnel When Usb Stick Is Inserted check box.
5. Click Save & Apply.
6. If you are using automatic connection startup upon insertion of a USB drive/stick, insert the USB drive/stick. Select File, then Export VPN Configuration from the menu. Choose the location of the USB drive/stick and save the exported configuration there.

To manually start and stop your VPN connection:

1. Start the GTA Mobile VPN Client software (or click its icon in the system tray to show the configuration window).
2. Click a Phase 2 configuration item in the Configuration tree. Click Open Tunnel to start the VPN connection.
3. Click the Connections icon in the left-hand menu to view your open VPN connections.
4. To stop a VPN connection, click the VPN connection and click Close Tunnel.

Note: If you are using automatic connection startup upon insertion of a USB drive/stick, you may also choose to automatically stop your VPN connection when you remove the USB drive. For more information, see USB Drive Mode.

Advanced GTA Mobile VPN Client Setup

The GTA Mobile VPN Client has several features to enable use on servers, desktop or laptop computers.

Advanced Phase 1 Configuration

For advanced features and parameters when configuring Phase 1, click the P1 Advanced button.

Figure 3.8: Phase 1 Advanced

Table 3.2: Advanced Phase 1 Configuration

Config Mode: Config Mode is currently not supported on GTA firewalls.
Aggressive Mode: Aggressive Mode creates a more efficient connection, and it is recommended that it be enabled.
Redundant GW: This field allows the GTA Mobile VPN Client to open an IPSec tunnel with an alternate gateway in case the primary gateway is down or is not responding. Enter either the IP address or the DNS-resolvable host name of the redundant gateway (e.g., router.gta.com).
NAT-T: A selection for when Network Address Translation Traversal should be used. Typically, <Automatic> should be selected. Other options include <Forced> and <Disabled>.
X-Auth Popup: X-Auth is currently not supported and should remain disabled.
Hybrid Mode: Hybrid Mode is currently not supported and should remain disabled.
Local ID: The Local ID is the identity the VPN client sends to the VPN gateway during Phase 2. This value can be an IP Address, domain name (DNS), string of characters (KEY ID) or address ( ).
Remote ID: The Remote ID is the identity the VPN client expects to receive from the VPN gateway during Phase 2. This value can be an IP Address, domain name (DNS), string of characters (KEY ID) or address ( ).

Advanced Phase 2 Configuration

For advanced features and parameters when configuring Phase 2, click the P2 Advanced button.

Figure 3.9: Phase 2 Advanced

Table 3.3: Advanced Phase 2 Configuration

Automatic Open Mode: The GTA Mobile VPN Client can automatically open the specified tunnel on the following events:
  When the GTA Mobile VPN Client starts.
  When a USB Drive is inserted. If the VPN configuration file location is not set to USB Stick, then this field is ignored. See USB Drive Mode.
  Upon traffic detection.
Alternate Servers: Allows one to specify DNS and/or WINS server IP addresses to use while the client is active.

Launching Scripts

The GTA Mobile VPN Client can be configured to launch a script or application when a certain action is performed by the user. For example, this feature can be used to launch a program that requires resources available on the remote network, or to display an acceptable use policy when the tunnel is opened. To launch scripts or applications, click the Scripts button when configuring Phase 2 settings. Scripts can be configured to launch:

  When the user attempts to open a tunnel,
  When the tunnel is successfully opened,
  When the user attempts to close the tunnel,
  When the tunnel is successfully closed.

Figure 3.10: Launching Scripts

Configuring Access Control

The GTA Mobile VPN Client can be configured to allow varying amounts of access to the client's Configuration Panel. This feature is useful for system administrators or managers who wish to install the GTA Mobile VPN Client on a computer but do not want users of the computer to be able to modify their VPN connection settings. When access to the GTA Mobile VPN Client's configuration settings has been locked, users will be prompted to enter a password when they click on the client's systray icon or when they attempt to switch from the Connection Panel to the Configuration Panel. To lock access to the GTA Mobile VPN Client, navigate to View>Configuration.

Figure 3.11: Configuring Access Control

Table 3.4: Configuring Access Control

Lock GUI Access: Enter and confirm the password required to access the configuration settings. If the Password and Confirm fields are left blank, no password is required to access the configuration settings.

Show in systray menu
  Save & Apply: A toggle to show or hide the Save & Apply option when the user clicks on the GTA Mobile VPN Client's systray icon. The Save & Apply option saves and applies any changes made to the configuration.
  Console: A toggle to show or hide the Console option when the user clicks on the GTA Mobile VPN Client's systray icon. The Console option opens the console window.
  Connection Panel: A toggle to show or hide the Connection Panel option when the user clicks on the GTA Mobile VPN Client's systray icon. The Connection Panel option opens the connection panel to view the status of VPN connections.
  Quit: The Quit toggle cannot be modified.

Figure 3.12: Systray Menus With Options Displayed and Hidden

USB Drive Mode

The VPN client software can be configured to open and close your VPN connection when a USB drive containing the VPN configuration is inserted or removed. To use the USB-activated VPN connection handling:

1. Insert the USB drive (also sometimes called a pen drive or USB stick).
2. Start the VPN client software.
3. Select File, then VPN Configuration File from the menu.
4. Click USB stick (plug-in automatic detection). Click OK.
5. Configure your VPN as usual, or copy/export your current VPN configuration onto the USB drive.
6. To start your VPN connection, plug in your USB drive. To stop the connection, eject or remove the USB drive. (Your VPN client software must remain running to automatically start and stop your VPN connection.)

The VPN client software can be returned to normal operation at any time by clicking Local (local drive, classic mode) in Configuration Mode.

Figure 3.13: Selecting USB Drive Mode

Preferences

The Preferences window allows the user to define the startup mode of the software as well as enable or disable detection of the network interface's disconnection. The Preferences window can be accessed by navigating to File>Preferences.

Startup Modes

The GTA Mobile VPN Client can be configured to start a VPN connection upon boot, upon login, or manually. The GTA Mobile VPN Client is set to start manually by default (which requires the user to actively open the client). Alternatively, the other startup modes can provide the VPN connection upon boot (e.g., when a service on your server requires a VPN) or upon login (e.g., when the VPN connection is part of your enforced usage policy). To set the startup mode of the GTA Mobile VPN Client:

1. Start the GTA Mobile VPN Client (or click its icon in the system tray to show the configuration window).
2. Navigate to File>Preferences.
3. Select the startup mode. Click Start VPN Client before Windows Logon to start a VPN connection upon boot. Click Start VPN Client after Windows Logon to start a VPN connection upon user login. Click Don't start VPN client when I start Windows to start a VPN connection manually when needed.
4. Click OK to commit the change.

Miscellaneous

By disabling detection of the network interface's disconnection, the VPN tunnel will remain open. This feature is useful if the user is connecting over an unstable connection that disconnects and reconnects often.

Figure 3.14: Entering Preferences

Console and Configuration Tools

Configuration Management

The GTA Mobile VPN Client allows configurations to be imported and exported. Importing and exporting configurations facilitates configuration deployment and troubleshooting. Administrators may configure VPN settings on their computer and then send that configuration to the VPN user. VPN users can also export their configurations for troubleshooting by the network administrator.

To export or import a VPN configuration:

1. Start the VPN client software.
2. From the File menu, select Import VPN Configuration or Export VPN Configuration. If importing the configuration, browse to the location of the file. A GTA Mobile VPN Client configuration file will have a file extension of .tgb. If exporting the configuration, enter a password if desired. Password-protected configuration files provide greater security.
3. Click Open or Ok.

Figure 3.15: Export Password Protection

Console / Logs

The GTA Mobile VPN Client maintains a console that allows you to view current VPN activity. This activity may contain useful debugging information by providing feedback messages and component status. Optionally, you can save the output of the console to a log file for viewing in a text editor.

To view the console/log:

1. Start the VPN client software.
2. From the Tools menu, select the Console menu item.
3. If the console has been stopped, click Start to begin logging.
4. To save the log to a text file, click Save File.

Console messages and logs can be filtered. By selecting the Options button, a series of pull-down menus become available to control the types of messages displayed. The default level (0 for each setting) is usually sufficient for debugging purposes.

Figure 3.16: VPN Console

Table 3.5: Console Debug Levels

Label  Name                   Description
Misc   Miscellaneous          The degree of logging detail for low-level messages.
Trpt   Transport              The degree of logging detail for UDP transport mode.
Msg    Message                The degree of logging detail for IKE decoding.
Cryp   Crypto                 The degree of logging detail for cryptographic exchanges.
Timr   Timer                  The degree of logging detail for timers.
Sdep   Sysdep                 The degree of logging detail for IKE interfaces with IPSec.
SA     Security Associations  The degree of logging detail for SA management.
Exch   Exchange               The degree of logging detail for IKE exchanges.
Nego   Negotiation            The degree of logging detail for Phase 1 and Phase 2 negotiation.
Plcy   Policy                 Not used.
All    All                    The degree of logging detail for all subsystems.


Reference A: GTA Mobile VPN Client User Interface

The GTA Mobile VPN Client's user interface remains consistent throughout the application, providing an intuitive, easy-to-use operating environment. The GTA Mobile VPN Client consists of two panels: the Configuration Panel and the Connection Panel. The Configuration Panel's main menu contains general options available for configuration and review. Select options are also available as clickable icons or by using context-sensitive right-click menus.

Figure A.1: The GTA Mobile VPN Client

Configuration Panel

The Configuration Panel allows for the entry of VPN connection settings. The Configuration Panel contains:
  A menu containing items for configuration of the GTA Mobile VPN Client and VPN connection settings
  A series of icons which provide shortcuts to VPN configuration settings
  A VPN configuration menu tree that contains all VPN configurations
  A status bar which displays the status of the GTA Mobile VPN Client

Menu Overview

The GTA Mobile VPN Client's main window displays five dropdown menus: File, VPN Configuration, View, Tools and ? (Help).

Figure A.2: The GTA Mobile VPN Client Menu

File

The File menu contains import/export functions, a selection for the storage location of the VPN configuration file, as well as preferences for the application.

Figure A.3: File Menu

VPN Configuration

The VPN Configuration menu contains functions for adding and removing VPN phases, a configuration wizard, as well as adjustments for parameters.

Figure A.4: VPN Configuration Menu

View

The View menu contains selections for viewing the Connection Panel as well as configuration options.

Figure A.5: View Menu

Tools

The Tools menu contains functions for viewing the VPN Console as well as active connections.

Figure A.6: Tools Menu

? (Help)

To utilize online help and support, see the Help and Online Support menu items. Check For Update informs you if a new version has become available. Activation Wizard allows for activation if the GTA Mobile VPN Client is running under a 30-day trial. Find the version number of the GTA Mobile VPN Client, as well as the license number it is registered under, in the About dialog.

Figure A.7: ? (Help) Menu

Left Hand Menu Icons

The following icons are found along the left hand side of the GTA Mobile VPN Client.

Table A.1: Left Hand Menu Icons

Icon              Action
Console icon      Opens the VPN Console.
Parameters icon   Allows for the configuration of the VPN's parameters.
Tunnels icon      Allows for the viewing of currently open tunnels.

Configuration Menu Tree

The configuration menu tree displays a visual representation of the GTA Mobile VPN Client's configuration.

Figure A.8: Configuration Menu Tree

Status Bar

The status bar, located along the bottom of the screen, displays the following information:
  The left box contains an icon which indicates the location of the VPN configuration file. For example, if USB mode is selected for the location, the icon will be a USB stick.
  The center box displays information about the GTA Mobile VPN Client's status (e.g., VPN ready).
  The right box contains an icon which indicates whether a tunnel is open or not. If one or more tunnels are open, this is indicated by a green light. If no tunnels are open, the light is grayed out.

Figure A.9: Status Bar

Connection Panel

The Connection Panel enables users to open, close and view information for every configured VPN connection. The Connection Panel consists of:
  An animated network diagram that displays the status of the current VPN connection.
  A list of all configured VPN connections with an Open/Close button.

Note: Users can toggle between the Connection Panel and the Configuration Panel using the CTRL + P key combination.

Figure A.10: The Connection Panel

System Tray

The GTA Mobile VPN Client can be launched by clicking the system tray icon. Once the application has been launched, the system tray icon indicates whether a VPN tunnel is open or not.

Table A.2: System Tray Icon States

Icon   State
Grey   The GTA Mobile VPN Client is running, but no VPN tunnel is open.
Red    The GTA Mobile VPN Client is running and a VPN tunnel is open.

System Tray Menu

Right-clicking on the system tray icon displays a menu with the following options:
  Open tunnel... opens the configured tunnel. When open, the menu item changes to Close Tunnel...
  Save & Apply closes any established VPN tunnels, applies the latest VPN configuration and reopens all VPN tunnels.
  Console opens the console.
  Connection Panel opens the Connection Panel, which provides a means to view open connections.
  Quit closes any established VPN tunnels and closes the GTA Mobile VPN Client.

Note: Menu items can be shown or hidden to restrict access to the GTA Mobile VPN Client's Configuration Panel. See Configuring Access Control for more information.

Figure A.11: System Tray Right-Click Menu


Reference B: VPN Concepts

Elements of IPSec VPN Security

IPSec, a secure network connection standard (RFC 2401) designed by the IETF (Internet Engineering Task Force), provides two modes of operation: transport mode and tunnel mode. Tunnel mode applies to VPN gateways, such as GTA firewall VPNs. GTA firewall VPNs provide:
  Authorization
  Data integrity
  Data privacy

GB-OS IPSec tunnels (VPNs) cause the original IP packet to be:
1. Encrypted to hide contents from interceptors.
2. Hashed to resist tampering.
3. Authorized with keys and/or authentication to validate transmission according to your security policies.
4. Encapsulated within another IP packet to provide routing for the sealed original packet.

A GTA firewall VPN is essentially a tunnel and a security processing service for your IP traffic, both tunneling and securing packet contents. All GTA firewall VPN-secured traffic receives encapsulation by a secondary IP packet layer after it is secured. All IP protocols can be secured with a GTA firewall VPN, including TCP (and its higher-level protocols like HTTP or SSH), UDP, ICMP and others.

Caution: Varying degrees of data integrity and confidentiality are provided by the hashes, keys and encryption algorithms you elect to use. GTA recommends that you carefully select each one based upon the strength and performance needs of your VPN.

IPSec's security benefits arise from the secure creation of authorized, encrypted connections. IPSec connections utilize auxiliary UDP (and, depending on configuration, TCP) connections to negotiate a secure connection before actual transmission of user data occurs. During the creation of an IPSec VPN connection:
1. Hosts (including clients or gateways) exchange keys.
2. Hash and encryption methods are negotiated, with identities being assured by the keys from step 1.
3. Security associations (SAs) are created on each host to contain the agreed security transformations and associated keys for each VPN destination from step 2.
4. Data transmission receives the protection designated by the established rules of the SAs from step 3 until they expire or are deleted.
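The key exchange in step 1 and the keyed hashing that binds it to the pre-shared secret are easier to reason about when written out. The following is an added example for this guide, not GTA code: it performs a Diffie-Hellman exchange in Oakley group 2 (the 1024-bit MODP group that the GTA Mobile VPN Client labels DH1024) and then derives SKEYID and SKEYID_d the way RFC 2409 specifies for pre-shared-key authentication, with HMAC-SHA1 as the prf. The nonce and cookie lengths and the function names are the editor's choices. The phase2_keymat function shows what PFS buys: with PFS a fresh quick-mode DH secret is mixed into the ESP keys, so SKEYID_d alone no longer recovers them.

```python
"""Phase I key agreement for an IKE pre-shared-key exchange, modelled on
RFC 2409: Diffie-Hellman in Oakley group 2 (the 1024-bit MODP group that
the GTA Mobile VPN Client labels DH1024) followed by the SKEYID derivation
that binds the result to the pre-shared secret.  Added illustration for
this guide, not GTA code; nonce/cookie lengths and HMAC-SHA1 as prf are
the editor's choices."""
import hashlib
import hmac
import secrets

# Second Oakley group (RFC 2409, section 6.2): 1024-bit MODP prime, generator 2.
GROUP2_P = int("".join("""
    FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
    020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
    4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
    EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP2_G = 2
PROTO_IPSEC_ESP = b"\x03"   # IPsec DOI protocol identifier for ESP (RFC 2407)


def dh_keypair(p=GROUP2_P, g=GROUP2_G):
    """One peer's private exponent x and public value g^x mod p."""
    x = secrets.randbelow(p - 3) + 2          # 2 <= x <= p-2
    return x, pow(g, x, p)


def dh_shared(private: int, peer_public: int, p=GROUP2_P) -> int:
    """g^xy mod p, after rejecting public values that force a trivial result."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value outside (1, p-1)")
    return pow(peer_public, private, p)


def skeyid_psk(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b), prf = HMAC-SHA1."""
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha1).digest()


def skeyid_d(skeyid: bytes, shared: int, cky_i: bytes, cky_r: bytes) -> bytes:
    """SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0); Phase II keys derive from it."""
    gxy = shared.to_bytes(128, "big")
    return hmac.new(skeyid, gxy + cky_i + cky_r + b"\x00", hashlib.sha1).digest()


def phase1_exchange(psk: bytes):
    """Run both sides of Phase I; returns (initiator SKEYID_d, responder SKEYID_d)."""
    x_i, g_i = dh_keypair()
    x_r, g_r = dh_keypair()
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)    # nonces travel in clear
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # ISAKMP cookies
    # Each side only ever sees the other's public value, never the private exponent.
    shared_i = dh_shared(x_i, g_r)
    shared_r = dh_shared(x_r, g_i)
    skeyid = skeyid_psk(psk, n_i, n_r)   # identical on both sides only if the PSK matches
    return (skeyid_d(skeyid, shared_i, cky_i, cky_r),
            skeyid_d(skeyid, shared_r, cky_i, cky_r))


def phase2_keymat(skeyid_d_val: bytes, spi: bytes, n_i: bytes, n_r: bytes,
                  pfs_shared=None) -> bytes:
    """RFC 2409 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    With PFS the quick-mode DH secret g(qm)^xy is mixed in, so a later compromise
    of SKEYID_d alone does not recover the ESP keys."""
    qm = pfs_shared.to_bytes(128, "big") if pfs_shared is not None else b""
    return hmac.new(skeyid_d_val, qm + PROTO_IPSEC_ESP + spi + n_i + n_r,
                    hashlib.sha1).digest()


if __name__ == "__main__":
    k_i, k_r = phase1_exchange(b"example-psk")
    print("Phase I SKEYID_d agrees on both sides:", k_i == k_r)
```

Because the nonces are sent in the clear and, in aggressive mode, so is the hash computed from SKEYID, everything an eavesdropper needs to test a guessed pre-shared secret offline is on the wire; that is why the Pre-shared Secret in the examples of Reference C must be long and random rather than a short word.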

Automatic IPSec key exchange and IPSec SA initialization is provided using the IKE standard (RFC 2407 and RFC 2409). Manual key exchange is supported, but not recommended because of the security risks inherent in overexposed keys: manually entered keys never rotate, so a single disclosure exposes all traffic ever sent under them.

IPSec VPNs on GTA firewalls require the use of the AH and ESP protocols (IP protocols 51 and 50). Key exchange and other IKE negotiations also require the use of UDP port 500. If ESP traffic is blocked, GTA firewall VPNs will use NAT traversal (RFC 3947 and RFC 3948) to tunnel ESP traffic using UDP port 4500.

For more information on the IP packet transformations that occur during a GTA firewall VPN connection, see Packet Structure: IPSec VPN. For more information on IPSec packet processing specific to GTA firewalls, see GTA Firewall VPN Packet Processing. For more information on the IETF standards applying to IPSec or IKE, see the applicable RFCs: RFC 2401 (IPSec), RFC 2409 (IKE), RFC 2407 (IKE's role in IPSec), RFC 2402 (AH) and RFC 2406 (ESP).

Verifying Authorization

Verifying identity through authentication is an important step of secure computing. Identity allows policies to be applied based on the trustworthiness and relevance of the data source. For example, an incoming connection may have both privacy and tamper-proofness (data integrity), but unless you know the sender and authorize their activities, you don't truly know what data you are allowing onto your network.

IPSec VPN can provide authorization during the Phase I (IKE) part of VPN initialization. The GTA firewall implementation of IPSec VPN requires authorization; a VPN will not activate without an authorization that references a VPN configuration object. The source of the authorization can be provided in two separate areas of GTA firewall configuration: for gateway-to-gateway GTA firewall VPNs, the identity is checked by VPNs; for mobile client GTA firewall VPNs, identity is checked by Users.
Verifying Data Integrity

Verifying data integrity (tamper-proofing) is also an important part of secure computing. Integrity assures that the data has not been tampered with to introduce unwanted data, including trojans and viruses. For example, you may intend to accept the sender and content of a packet, but unless you can assure that a third party has not altered it, you don't truly know what data you are allowing onto your network.

Data integrity is ensured during both Phase I and Phase II of IPSec VPN creation by keys and hashes. Separate keys and hashes may be selected for either phase. Key and hash preferences for a GTA firewall VPN connection are configured in VPN Objects.

Note: Keys uniquely identify the host establishing the connection; hashes are computed using the data and the key, and therefore a hash of a packet's data is only verifiable by a destination who knows the secret of the sender's original key.

The selection of a key and a hash method is generally a balance between performance, technical requirements, and strength. Larger keys are generally considered better, but come at the price of performance. GTA firewalls provide reasonable defaults for many VPNs, but you may wish to select a greater key length or a different hash algorithm to suit your needs.

Ensuring Data Privacy

Ensuring data privacy is usually a part of secure computing. Privacy allows sensitive data to be hidden from unauthorized parties. For example, you may trust the source and integrity of data, but don't want others to be able to read it while in transit to your network. Common reasons for data privacy include the transmission of financial and personal data.

Privacy is ensured during both Phase I and Phase II of VPN creation by encryption algorithms. Separate encryption methods may be selected for either phase. IPSec VPN provides data privacy with encryption. Encryption methods for a GTA firewall VPN connection are configured in VPN Objects.

Packet Structure: IPSec VPN

IPSec VPN uses encrypted, encapsulated IP packets to transfer data. The original IP packet contents are protected from interception and tampering by application of the ESP protocol, which applies the selected encryption, hashes and authenticity checks to the contents. The resulting packet is then re-wrapped in an external IP packet layer. Only hosts holding matching IPSec information (SAs and keys) are able to decrypt the ESP-encapsulated contents.

Figure B.1: IPSec VPN Packets

GTA Firewall VPN Packet Processing

When a packet arrives at a GTA firewall, many evaluation sequences are performed to determine structure correctness and permissibility before a route is created to deliver the packet. These checks, plus some special additional transformations, are performed on all GTA firewall VPN packets.

Failing a check causes the packet to be denied and, by default, logged. The generalized packet processing sequence for VPN packets includes:
1. Check for valid IP packet structure.
2. Check for spoofed packets and other network attacks.
3. Check for filters allowing, denying or transforming packet transmission (such as traffic shaping rules). For IPSec VPN packets, checks occur for a valid existing IPSec VPN SA as well as an outbound or remote access filter.
4. Check for routing instructions delivering the packet to its indicated destination. For IPSec VPN packets, checks occur for a passthrough filter.

IPSec initialization packets (packets for IKE and IPSec SA setup) are not subjected to the routing check, as the firewall is their destination; however, these initialization packets do require firewall access permission from remote access filters. Checks are then performed for authorization and VPN configuration data to create the IKE and IPSec SAs required by all further IPSec VPN packets.
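The packet shapes described under Packet Structure and the NAT traversal rule given earlier (ESP on IP protocol 50, or ESP and IKE multiplexed on UDP port 4500 per RFC 3948) determine what the SA lookup in step 3 actually keys on. The following added example, written for this guide and not GTA code, classifies raw IPv4 datagrams into native ESP, UDP-encapsulated ESP, IKE on UDP 500, IKE on UDP 4500 (recognised by the four zero bytes that a real ESP SPI can never begin with) and NAT-T keepalives, and pulls out the SPI and sequence number a firewall would use to find the SA. The sample packets are constructed inline from documentation address ranges; the builder helpers leave the IP and UDP checksums at zero because only parsing is exercised.

```python
"""Classify the raw IPv4 datagrams a VPN gateway sees and extract what the
SA lookup needs.  Added example for this guide, not GTA code; the sample
packets are constructed by hand (checksums left at zero)."""
import struct
from ipaddress import IPv4Address

IPPROTO_UDP, IPPROTO_ESP = 17, 50
IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on 4500 is prefixed with this; SPI 0 is reserved


def classify(pkt: bytes) -> dict:
    """Return the packet kind, endpoints and, for ESP, the SPI and sequence number."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20]))}
    payload = pkt[ihl:]
    if proto == IPPROTO_ESP:                      # native ESP: SPI and sequence lead the header
        if len(payload) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(kind="esp", spi=spi, seq=seq)
        return info
    if proto != IPPROTO_UDP or len(payload) < 8:
        info["kind"] = "other"
        return info
    sport, dport = struct.unpack("!HH", payload[:4])
    data = payload[8:]
    info.update(sport=sport, dport=dport)
    if NATT_PORT in (sport, dport):
        if data == b"\xff":                       # RFC 3948 NAT keepalive, one 0xFF byte
            info["kind"] = "natt-keepalive"
        elif data[:4] == NON_ESP_MARKER:          # IKE moved to 4500 after NAT detection
            info["kind"] = "ike-natt"
        elif len(data) >= 8:                      # ESP header immediately follows the UDP header
            spi, seq = struct.unpack("!II", data[:8])
            info.update(kind="esp-udp", spi=spi, seq=seq)
        else:
            info["kind"] = "other"
    elif IKE_PORT in (sport, dport):
        info["kind"] = "ike"
    else:
        info["kind"] = "other"
    return info


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def esp_header(spi: int, seq: int) -> bytes:
    return struct.pack("!II", spi, seq)


# Constructed samples; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges.
GW = "203.0.113.1"
SAMPLES = {
    "native_esp": ipv4(IPPROTO_ESP, "198.51.100.7", GW, esp_header(0x12345678, 1) + b"\xaa" * 32),
    "udp_esp": ipv4(IPPROTO_UDP, "192.0.2.9", GW, udp(4500, 4500, esp_header(0x0ABCDEF0, 42) + b"\xbb" * 32)),
    "ike_natt": ipv4(IPPROTO_UDP, "192.0.2.9", GW, udp(4500, 4500, NON_ESP_MARKER + b"\xcc" * 28)),
    "keepalive": ipv4(IPPROTO_UDP, "192.0.2.9", GW, udp(4500, 4500, b"\xff")),
    "ike": ipv4(IPPROTO_UDP, "198.51.100.7", GW, udp(500, 500, b"\xdd" * 28)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:11s} -> {classify(pkt)}")
```

A VPN policy that only allows IP protocol 50 and UDP 500 will pass the first and last samples and silently drop the middle three, which is the failure mode behind a client that negotiates Phase 1 successfully from behind a NAT device and then never passes traffic.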

Reference C: Example VPN Configurations

The VPN configuration you choose will vary based upon the answer to two questions:
  Do both initiator and responder have static IP addresses?
  Is key exchange manual or automatic (IKE)?

The following examples show configuration cases for manual vs. IKE key exchange and dynamic vs. static IP addresses. All listed objects and configurations should be enabled. Any other options, if not listed, may be defined but are not necessary to achieve a functional configuration.

Note: It is assumed that automatic policies are enabled on the Configuration>VPN>IPSec Tunnels screen. Automatic policies allow all VPN traffic by default. If disabled, it is necessary to create VPN policies (Configuration>Security Policies>Policy Editor>VPN Policies) that allow ESP (IP protocol 50) and UDP ports 500/4500. VPN policies are used to control access through the IPSec tunnel. For information on manually defining VPN policies, see the GB-OS User's Guide.

Note: Example configurations contain fictional descriptions, IP addresses and subnet masks. Internal or private network IP addresses that will be connected to the VPN are listed as the protected network, with IP addresses of *.* as an example. In your implementation, those settings may contain different IP addresses, or connect to your PSN rather than your protected network. To use the following examples, replace IP addresses and subnet masks with your own network settings.

Note: Before manually configuring a VPN, consider running the VPN Setup Wizard, located at Wizards>VPN Setup. The VPN Setup Wizard is designed to help configure a simple VPN quickly and easily.

Client to Gateway: Dynamic/Static IP Addresses & IKE

The identifying characteristics of this type of VPN include:
  Static external IP address on the firewall, as set in Configuration>Network>Settings, but dynamic external IP address on the VPN client
  Firewall-compatible settings in the VPN client, and mobile VPN objects selected in Configuration>Accounts>Users and Configuration>Accounts>Groups for the statically-addressed firewall

Table C.1: Client to Gateway: Dynamic/Static IP Addresses & IKE
Responder: GTA firewall with static IP address

  External IP Address: static

  In Configuration>System>Object Editor>Address Objects:
    Disable: Unchecked
    Name: Protected Networks
    Description: Protected networks
    Type: All
    Object: <USER DEFINED>
    Address: /24 (local hosts that should be attached to your VPN)

  In Configuration>System>Object Editor>VPN Objects:
    Disable: Unchecked
    Name: MOBILE
    Description: Mobile VPNs
    Phase I
      Exchange Mode: <aggressive>
      Encryption Object: AES-192, sha1, grp2 (default object)
      Advanced
        Force Mobile Protocol: Unchecked
        Force NAT-T: Unchecked
        Lifetime: 90 minutes
        DPD Interval: 30
    Phase II
      Encryption Object: AES-192, sha1, grp2 (default object)
      Advanced
        Lifetime: 60 minutes

  In Configuration>Accounts>Groups:
    Disable: Unchecked
    Name: Mobile Users
    Description: GTA Mobile VPN Client users
    Mobile VPN
      Disable: Unchecked
      Authentication Required: Unchecked
      VPN Object: MOBILE (VPN object, as defined above)
      Local Network: Protected Networks (address object, as defined above)

  In Configuration>Accounts>Users:
    Disable: Unchecked
    Name: Example User
    Description: Database administrator
    Remote Identity: (must match the Local ID value entered in the GTA Mobile VPN Client)
    Group: Mobile Users (configured user group, as defined above)
    Authentication Method: n/a
    Password: n/a
    Mobile VPN
      Disable: Unchecked
      Remote Network: <USER DEFINED> (the IP address the attached GTA Mobile VPN Client should use)
      Pre-shared Secret: $%23Aty! (a long, randomized series of characters that must be identical to the Preshared Key in the GTA Mobile VPN Client)

  In Configuration>VPN>IPSec Tunnels:
    Dynamic Incoming Connections: Standard Dynamic (default object)
    Advanced
      Automatic Policies: Checked
      Identity: <IP Address>

Table C.2: Client to Gateway: Dynamic/Static IP Addresses & IKE
Initiator: GTA Mobile VPN Client with dynamic IP address

  External IP Address: dynamically assigned (DHCP, PPPoE, etc.)

  In Parameters:
    Authentication (IKE) [Default Lifetime]: 1800 (seconds)
    Authentication (IKE) [Minimal Lifetime]: 120 (seconds)
    Authentication (IKE) [Maximal Lifetime]: (seconds; must be less than the Lifetime in the GTA firewall's VPN Object's Phase I)
    Encryption (IPSec) [Default Lifetime]: 1200 (seconds)
    Encryption (IPSec) [Minimal Lifetime]: 120 (seconds)
    Encryption (IPSec) [Maximal Lifetime]: (seconds; must be less than the Lifetime in the GTA firewall's VPN Object's Phase II)
    Check Interval [DPD]: 30 (dead peer detection in seconds)

  In Configuration>Phase I (Authentication):
    Name: OfficePhaseI (a descriptor for your VPN; may not contain spaces or non-alphanumeric characters; changing this value will change its name in the Configuration menu tree)
    Interface: * (network cards or modems that the VPN will use)
    Remote Gateway: (the external IP address of the VPN gateway in Configuration>Network>Settings)
    Preshared Key: $%23Aty! (a long, randomized series of characters that must be identical to the Pre-shared Secret in the GTA firewall's Users; this password value will be obscured, and only the character length will be visible)
    Confirm: $%23Aty! (re-enter the Preshared Key to confirm correct entry; this password value will be obscured, and only the character length will be visible)
    Encryption: 3DES (equivalent to the IKE encryption in the GTA firewall's VPN Object's Phase I)
    Authentication: SHA (equivalent to the IKE HMAC-SHA1 hash in the GTA firewall's VPN Object's Phase I)
    Key Group: DH1024 (equivalent to the IKE group 2 Diffie-Hellman key in the GTA firewall's VPN Object's Phase I)
    Aggressive Mode [Advanced]: checked (equivalent to Exchange Mode in the GTA firewall's VPN Object's Phase I)
    Value [Advanced Local ID]: (equivalent to the Identity in the GTA firewall's Users)
    Type [Advanced Local ID]: (the type matching the Local ID value)
    Value [Advanced Remote ID]: (the external IP address of the VPN gateway in Configuration>Network>Settings)
    Type [Advanced Remote ID]: IP Address
    IKE Port [Advanced]: 500

  In Configuration>Phase II (IPSec Configuration):
    Name: OfficePhaseII (a descriptor for your VPN; may not contain spaces or non-alphanumeric characters; changing this value will change its name in the Configuration menu tree)
    VPN Client Address: (the IP address the attached GTA Mobile VPN Client should use, listed in the GTA firewall's Users Remote Network)
    Address Type: Subnet Address (only use the Single Address option if the GTA firewall's attached network will consist of a single host)
    Remote LAN Address: (the GTA firewall's attached network, as indicated by the protected networks address object)
    Subnet Mask: (the GTA firewall's subnetwork mask, as indicated by the protected networks address object)
    Encryption: 3DES (equivalent to the IPSec encryption in the GTA firewall's Encryption Object)
    Authentication: SHA (equivalent to the IPSec HMAC-SHA1 hash in the GTA firewall's Encryption Object)
    Mode: Tunnel
    PFS: checked (perfect forward secrecy is automatically used on GTA firewalls)
    Group: DH1024 (equivalent to the IPSec group 2 Diffie-Hellman key in the GTA firewall's Encryption Object)
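The two tables above have to agree field by field, and the parentheticals state the constraints only in prose: the client's maximal lifetimes must be strictly less than the gateway object's Phase I and Phase II lifetimes, the DH1024/SHA labels must map onto group 2 and sha1, the DPD interval must match, and the secret must be identical on both sides. The following added example, written for this guide and not GTA code, encodes those constraints as a checker over two dictionaries shaped after Tables C.1 and C.2. The dictionary layout, the label mapping and the 20-character floor on the secret are the editor's assumptions; the sample pair is constructed. Two things it flags are worth noting: the 8-character "$%23Aty!" placeholder is far shorter than what aggressive mode with a pre-shared secret warrants, because the Phase 1 exchange exposes enough on the wire for an offline guessing attack, and the client column in this copy of the tables lists 3DES while the gateway's default encryption object is AES-192, so check the two columns against each other on your own firewall rather than copying both verbatim.

```python
"""Consistency check between the gateway-side VPN object / Users entry
(shape of Tables C.1 and C.3) and the GTA Mobile VPN Client profile
(shape of Tables C.2 and C.4).  Added example for this guide, not GTA
code: the dictionary layout, the DH1024/SHA label mapping and the
20-character secret floor are the editor's assumptions."""
import secrets
import string

# Client labels -> gateway values, taken from the parentheticals in Tables C.2/C.4 (assumed mapping).
DH_GROUP_BY_LABEL = {"DH768": 1, "DH1024": 2, "DH1536": 5}
HASH_BY_LABEL = {"MD5": "md5", "SHA": "sha1"}
MIN_PSK_LEN = 20   # editor's floor; aggressive mode lets an eavesdropper guess the PSK offline


def _check_lifetimes(client_lt: dict, gateway_lt_s: int, phase: str, findings: list) -> None:
    lo, default, hi = client_lt["min"], client_lt["default"], client_lt["max"]
    if not lo <= default <= hi:
        findings.append(f"{phase}: client lifetimes must satisfy min <= default <= max")
    if hi >= gateway_lt_s:   # the tables require the client maximum to be strictly less
        findings.append(f"{phase}: client maximal lifetime {hi}s is not less than gateway lifetime {gateway_lt_s}s")


def check_profile(gateway: dict, client: dict) -> list:
    """Return human-readable findings; an empty list means the two sides agree."""
    findings = []
    if client["psk"] != gateway["psk"]:
        findings.append("pre-shared secret differs between gateway Users entry and client Phase 1")
    if len(gateway["psk"]) < MIN_PSK_LEN:
        findings.append(f"pre-shared secret shorter than {MIN_PSK_LEN} characters")

    g1, c1 = gateway["phase1"], client["phase1"]
    if c1["aggressive"] != (g1["exchange_mode"] == "aggressive"):
        findings.append("Phase 1: client Aggressive Mode does not match gateway Exchange Mode")
    if c1["encryption"] != g1["encryption"]:
        findings.append(f"Phase 1: client encryption {c1['encryption']} vs gateway {g1['encryption']}")
    if HASH_BY_LABEL.get(c1["authentication"]) != g1["hash"]:
        findings.append(f"Phase 1: client hash {c1['authentication']} vs gateway {g1['hash']}")
    if DH_GROUP_BY_LABEL.get(c1["key_group"]) != g1["group"]:
        findings.append(f"Phase 1: client key group {c1['key_group']} vs gateway group {g1['group']}")
    if client["dpd_interval"] != g1["dpd_interval"]:
        findings.append("Phase 1: DPD check interval differs")
    _check_lifetimes(client["ike_lifetime"], g1["lifetime_s"], "Phase 1", findings)

    g2, c2 = gateway["phase2"], client["phase2"]
    if c2["encryption"] != g2["encryption"]:
        findings.append(f"Phase 2: client encryption {c2['encryption']} vs gateway {g2['encryption']}")
    if HASH_BY_LABEL.get(c2["authentication"]) != g2["hash"]:
        findings.append(f"Phase 2: client hash {c2['authentication']} vs gateway {g2['hash']}")
    if g2["pfs"] and not c2["pfs"]:
        findings.append("Phase 2: gateway uses PFS; enable PFS on the client")
    if c2["pfs"] and DH_GROUP_BY_LABEL.get(c2["group"]) != g2["group"]:
        findings.append(f"Phase 2: client PFS group {c2['group']} vs gateway group {g2['group']}")
    _check_lifetimes(client["ipsec_lifetime"], g2["lifetime_s"], "Phase 2", findings)
    return findings


def generate_psk(length: int = 32) -> str:
    """Random printable secret for the Pre-shared Secret / Preshared Key fields."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample pair shaped after Tables C.1 and C.2; lifetimes in seconds.
GATEWAY = {
    "psk": "$%23Aty!",
    "phase1": {"exchange_mode": "aggressive", "encryption": "AES-192", "hash": "sha1",
               "group": 2, "lifetime_s": 90 * 60, "dpd_interval": 30},
    "phase2": {"encryption": "AES-192", "hash": "sha1", "group": 2,
               "lifetime_s": 60 * 60, "pfs": True},
}
CLIENT = {
    "psk": "$%23Aty!",
    "dpd_interval": 30,
    "ike_lifetime": {"default": 1800, "min": 120, "max": 5400},    # equal to the gateway's 90 min: flagged
    "ipsec_lifetime": {"default": 1200, "min": 120, "max": 3000},
    "phase1": {"aggressive": True, "encryption": "3DES", "authentication": "SHA", "key_group": "DH1024"},
    "phase2": {"encryption": "AES-192", "authentication": "SHA", "pfs": True, "group": "DH1024"},
}


def corrected_pair():
    """The same pair with the findings resolved: long shared secret, matching Phase 1 cipher, shorter lifetime."""
    psk = generate_psk()
    gateway = dict(GATEWAY, psk=psk)
    client = dict(CLIENT, psk=psk,
                  ike_lifetime={"default": 1800, "min": 120, "max": 5000},
                  phase1=dict(CLIENT["phase1"], encryption="AES-192"))
    return gateway, client


if __name__ == "__main__":
    for line in check_profile(GATEWAY, CLIENT):
        print("FINDING:", line)
    print("corrected pair findings:", check_profile(*corrected_pair()))
```

Run against the constructed pair the checker reports exactly three findings (short secret, Phase 1 cipher mismatch, Phase 1 maximal lifetime not below the gateway's), and none once corrected_pair() is applied; the same dictionaries, filled from your own firewall and client, give a quick pre-flight before sending a .tgb to a user.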

Client to Gateway: Dynamic IP Addresses & IKE

The identifying characteristics of this type of VPN include:
  Dynamic external IP addresses on both the GTA firewall, as set in Configuration>Network>Settings, and the GTA Mobile VPN Client
  Default or edited Mobile VPN Objects selected in Users
  Dynamic DNS service on the GTA firewall must be configured; this enables the GTA Mobile VPN Client to connect through a domain name, without knowing the current IP address of the GTA firewall
  Firewall-compatible settings in the VPN client, and mobile VPN objects selected in Users for the dynamically-addressed firewall

Table C.3: Client to Gateway: Dynamic IP Addresses & IKE
Responder: GTA firewall with dynamic IP address

  External IP Address: Dynamically assigned

  In Configuration>System>Object Editor>Address Objects:
    Disable: Unchecked
    Name: Protected Networks
    Description: Protected networks
    Type: All
    Object: <USER DEFINED>
    Address: /24 (hosts that should be attached to your VPN)

  In Configuration>Services>Dynamic DNS:
    Disable: Unchecked
    Description: Dynamic DNS Service
    Host Name: examplefirewall.dyndns.org (the domain name your GTA Mobile VPN Client will use)
    Interface: <EXTERNAL> (the interface that will have the dynamic DNS service applied to it and that the GTA Mobile VPN Client will use)
    Service: <DynDNS> or <ChangeIP> (the dynamic DNS service provider you use)
    Login User Name: dyndnsuser (the account's user name for your dynamic DNS service provider)
    Login Password: m453g34hy12 (the account's password for your dynamic DNS service provider)

  In Configuration>System>Object Editor>VPN Objects:
    Disable: Unchecked
    Name: MOBILE
    Description: Mobile VPNs
    Phase I
      Exchange Mode: aggressive
      Encryption Object: AES-192, sha1, grp2 (default object)
      Advanced
        Force Mobile Protocol: Unchecked
        Force NAT-T: Unchecked
        Lifetime: 90 minutes
        DPD Interval: 30
    Phase II
      Encryption Object: AES-192, sha1, grp2 (default object)
      Advanced
        Lifetime: 60 minutes

  In Configuration>Accounts>Groups:
    Disable: Unchecked
    Name: Mobile Users
    Description: GTA Mobile VPN Client users
    Mobile VPN
      Disable: Unchecked
      Authentication Required: Unchecked
      VPN Object: MOBILE (VPN object, as defined above)
      Local Network: Protected Networks (address object, as defined above)

  In Configuration>Accounts>Users:
    Disable: Unchecked
    Name: Example User
    Description: Database administrator
    Remote Identity: (must match the Local ID value entered in the GTA Mobile VPN Client)
    Method: <Password>
    Authentication Method: n/a
    Password: n/a
    Mobile VPN
      Disable: Unchecked
      Remote Network: <USER DEFINED> (the IP address the attached GTA Mobile VPN Client should use)
      Pre-shared Secret: <ASCII> $%23Aty! (a long, randomized series of characters that must be identical to the Preshared Key in the GTA Mobile VPN Client)

  In Configuration>VPN>IPSec Tunnels:
    Dynamic Incoming Connections: Standard Dynamic (default object)
    Advanced
      Automatic Policies: Checked
      Identity: <Domain Name> / examplefirewall.dyndns.org (the Host Name entered in Configuration>Services>Dynamic DNS)

Table C.4: Client to Gateway: Dynamic IP Addresses & IKE
Initiator: GTA Mobile VPN Client with dynamic IP address

  External IP Address: dynamically assigned (DHCP, PPPoE, etc.)

  In Parameters:
    Authentication (IKE) [Default Lifetime]: 1800 (seconds)
    Authentication (IKE) [Minimal Lifetime]: 120 (seconds)
    Authentication (IKE) [Maximal Lifetime]: (seconds; must be less than the Lifetime in the GTA firewall's VPN Object's Phase I)
    Encryption (IPSec) [Default Lifetime]: 1200 (seconds)
    Encryption (IPSec) [Minimal Lifetime]: 120 (seconds)
    Encryption (IPSec) [Maximal Lifetime]: (seconds; must be less than the Lifetime in the GTA firewall's VPN Object's Phase II)
    Check Interval [DPD]: 30 (dead peer detection in seconds)

  In Configuration>Phase I (Authentication):
    Name: OfficePhaseI (a descriptor for your VPN; may not contain spaces or non-alphanumeric characters; changing this value will change its name in the Configuration menu tree)
    Interface: * (network cards or modems that the VPN will use)
    Remote Gateway: examplefirewall.dyndns.org (the domain name of the VPN gateway in Network Information)
    Preshared Key: $%23Aty! (a long, randomized series of characters that must be identical to the Pre-shared Secret in the GTA firewall's Users; this password value will be obscured, and only the character length will be visible)
    Confirm: $%23Aty! (re-enter the Preshared Key to confirm correct entry; this password value will be obscured, and only the character length will be visible)
    Encryption: 3DES (equivalent to the IKE encryption in the GTA firewall's VPN Object's Phase I)
    Authentication: SHA (equivalent to the IKE HMAC-SHA1 hash in the GTA firewall's VPN Object's Phase I)
    Key Group: DH1024 (equivalent to the IKE group 2 Diffie-Hellman key in the GTA firewall's VPN Object's Phase I)
    Aggressive Mode [Advanced]: checked (equivalent to Exchange Mode in the GTA firewall's VPN Object's Phase I)
    Value [Advanced Local ID]: [email protected] (equivalent to the Identity in the GTA firewall's Users)
    Type [Advanced Local ID]: (the type matching the Local ID value)
    Value [Advanced Remote ID]: examplefirewall.dyndns.org (the domain name of the VPN gateway in Configuration>Network>Settings)
    Type [Advanced Remote ID]: DNS
    IKE Port [Advanced]: 500

  In Configuration>Phase II (IPSec Configuration):
    Name: OfficePhaseII (a descriptor for your VPN; may not contain spaces or non-alphanumeric characters; changing this value will change its name in the Configuration menu tree)
    VPN Client Address: (the IP address the attached GTA Mobile VPN Client should use, listed in the GTA firewall's Users Remote Network)
    Address Type: Subnet Address (only use the Single Address option if the GTA firewall's attached network will consist of a single host)
    Remote LAN Address: (the GTA firewall's attached network, as indicated by the protected networks address object)
    Subnet Mask: (the GTA firewall's subnetwork mask, as indicated by the protected networks address object)
    Encryption: 3DES (equivalent to the IPSec encryption in the GTA firewall's VPN Object's Phase II)
    Authentication: SHA (equivalent to the IPSec HMAC-SHA1 hash in the GTA firewall's VPN Object's Phase II)
    Mode: Tunnel
    PFS: checked (perfect forward secrecy is automatically used on GTA firewalls)
    Group: DH1024 (equivalent to the IPSec group 2 Diffie-Hellman key in the GTA firewall's VPN Object's Phase II)

Gateway to Gateway: Dynamic/Static IP Addresses & IKE

The identifying characteristics of this type of VPN include:
  Static external IP address on one firewall, but dynamic external IP address on the second firewall, as set in Configuration>Network>Settings
  Default or edited objects selected in IPSec Tunnels for the dynamically-addressed firewall, but mobile VPN objects selected in Configuration>Accounts>Groups for the statically-addressed firewall

Table C.5: Gateway to Gateway: Dynamic/Static IP Addresses & IKE
Initiator: GTA firewall with dynamic IP address; Responder: GTA firewall with static IP address

  External IP Address
    Initiator: Dynamically assigned
    Responder: static

  In System>Object Editor>Address Objects (both firewalls):
    Disable: Unchecked
    Name: Protected Networks
    Description: DEFAULT: Protected networks
    Type: All
    Object: <USER DEFINED>
    Address: /24 (hosts that should be attached to your VPN)

  In Configuration>VPN>IPSec Tunnels (both firewalls):
    Dynamic Incoming Connections: Standard Dynamic (default object)
    Advanced
      Automatic Policies: Checked
      Identity: <IP Address>

  In Configuration>VPN>IPSec Tunnels>Edit IPSec Tunnel (initiator only; the responder has no entry in IPSec Tunnels, the equivalent information is entered in Configuration>Accounts>Users):
    Disable: Unchecked
    Description: Dynamic firewall
    IPSec Key Mode: IKE
    VPN Object: Standard Dynamic (default object)
    Pre-shared Secret: $%23Aty! (a long, randomized series of characters that must be identical on both VPN gateways)
    Local
      Gateway: <EXTERNAL>
      Network: Protected Networks (or the address object as defined above)
      Advanced Identity: < ADDRESS>, (must match the Remote Identity in the responder's Authorization>Users entry)
    Remote
      Gateway: (the external IP address of the other VPN gateway)
      Network: <USER DEFINED> /24 (the attached hosts on the other VPN gateway)
      Advanced Identity: <IP ADDRESS>

  In Authorization>Users (responder only; the initiator has no entry in Authorization>Users, the equivalent information is entered in Authorization>VPNs):
    Disable: Unchecked
    Name: Home Firewall 1
    Description: Home-to-office VPN
    Remote Identity: [email protected]
    Group: Firewalls (default object)
    Authentication Method: n/a
    Password: n/a
    Mobile VPN
      Disable: Unchecked
      Remote Network: <USER DEFINED> /24 (the attached hosts on the other VPN gateway)
      Pre-shared Secret: $%23Aty! (a long, randomized series of characters that must be identical on both VPN gateways)

Gateway to Gateway: Static/Static IP Addresses & IKE

The identifying characteristics of this type of VPN include:

- Static external IP addresses on both firewalls, as set in Configuration>Network>Settings
- Default or edited IKE VPN Objects selected in VPNs
- Local Identity is not necessary, since static IP addresses serve as a constant element for identity.

Table C.6: Gateway to Gateway: Static/Static IP Addresses & IKE

Field Name | Initiator: GTA firewall with static IP address | Responder: GTA firewall with static IP address
External IP Address | |

In System>Object Editor>Address Objects:
Disable | Unchecked | Unchecked
Name | Protected Networks | Protected Networks
Description | DEFAULT: Protected networks | DEFAULT: Protected networks
Type | All | All
Object | <USER DEFINED> | <USER DEFINED>
Address | /24 (hosts that should be attached to your VPN) | /24 (hosts that should be attached to your VPN)

In VPN>IPSec Tunnels:
Disable | Unchecked | Unchecked
Description | IKE VPN | IKE VPN
IPSec Key Mode | IKE | IKE
VPN Object | Standard Static (default object) | Standard Static (default object)
Pre-shared Secret | $%23Aty! (a long, randomized series of characters that must be identical on both VPN gateways) | $%23Aty! (a long, randomized series of characters that must be identical on both VPN gateways)
Local: Gateway | <EXTERNAL> | <EXTERNAL>
Local: Network | Protected Networks (or the address object as defined above) | Protected Networks (or the address object as defined above)
Local: Advanced Identity | <IP Address> | <IP Address>
Remote: Gateway | (the external IP address of the other VPN gateway) | (the external IP address of the other VPN gateway)
Remote: Network | <USER DEFINED> /24 (the attached hosts on the other VPN gateway) | <USER DEFINED> /24 (the attached hosts on the other VPN gateway)
Remote: Advanced Identity | <IP Address> | <IP Address>

Gateway to Gateway: Static/Static IP Addresses and Manual Key Exchange

The identifying characteristics of this type of VPN include:

- Static external IP addresses on both firewalls, as set in Network Information
- Default or edited manual VPN Objects selected in VPNs
- Only Phase II settings of the manual VPN object are used (Phase I may be entered, but it is not used; instead, Phase I from the dynamic VPN object is used)
- Local Identity is not necessary, since static IP addresses serve as a constant element for identity

Table C.7: Gateway to Gateway: Static/Static IP Addresses & Manual Key Exchange

Field Name | Initiator: GTA firewall with static IP address | Responder: GTA firewall with static IP address
External IP Address | |

In System>Object Editor>Address Objects:
Disable | Unchecked | Unchecked
Name | Protected Networks | Protected Networks
Description | DEFAULT: Protected networks | DEFAULT: Protected networks
Type | All | All
Object | <USER DEFINED> | <USER DEFINED>
Address | /24 (hosts that should be attached to your VPN) | /24 (hosts that should be attached to your VPN)

In System>Object Editor>VPN Objects:
Disable | Unchecked | Unchecked
Name | Manual | Manual
Description | IKE VPN object | IKE VPN object
Phase I: Exchange Mode | n/a | n/a
Phase I: Encryption Object | n/a | n/a
Phase I: Advanced Force Mobile Protocol | n/a | n/a
Phase I: Advanced Force NAT-T | n/a | n/a
Phase I: Advanced Lifetime | n/a | n/a
Phase I: Advanced DPD Interval | n/a | n/a
Phase II: Encryption Object | <AES-192, sha1, grp2> (default) | <AES-192, sha1, grp2> (default)
Phase II: Advanced Lifetime | n/a | n/a

In VPN>IPSec Tunnels:
Disable | Unchecked | Unchecked
Description | Office-to-office VPN | Office-to-office VPN
IPSec Mode | Manual | Manual
VPN Object | Manual (or the VPN configuration object, as defined above) | Manual (or the VPN configuration object, as defined above)
Local: Gateway | <EXTERNAL> | <EXTERNAL>
Local: Network | Protected Networks (or the address object as defined above) | Protected Networks (or the address object as defined above)
Remote: Gateway | (the external IP address of the other VPN gateway) | (the external IP address of the other VPN gateway)
Remote: Network | <USER DEFINED> /24 (the attached hosts on the other VPN gateway) | <USER DEFINED> /24 (the attached hosts on the other VPN gateway)
Manual: Encryption Key | <ASCII> $%23Aty! (a long, randomized series of characters that must be identical on both VPN gateways) | <ASCII> $%23Aty! (a long, randomized series of characters that must be identical on both VPN gateways)
Manual: Hash Key | <ASCII> (a long, randomized series of characters that must be identical on both VPN gateways) | <ASCII> (a long, randomized series of characters that must be identical on both VPN gateways)
Security Parameter Index (SPI): Inbound SPI | 256 (an integer, 256 or greater, that must be identical on both VPN gateways) | 256 (an integer, 256 or greater, that must be identical on both VPN gateways)
Security Parameter Index (SPI): Outbound SPI | 256 (an integer, 256 or greater, that must be identical on both VPN gateways) | 256 (an integer, 256 or greater, that must be identical on both VPN gateways)

Reference D: Troubleshooting

On the GTA Firewall

FAQ

Mobile VPN clients cannot connect to the firewall. Why?

First use ping and/or traceroute to verify that VPN client connections can reach the firewall without use of the VPN. Then check that you have correctly configured the required remote access and pass through filters. Finally, check that all mobile VPN clients have accounts with VPN configuration set up in Users, referencing a valid VPN configuration object in VPN Objects.

Log Messages

GTA firewalls log common problems such as denied VPN connections. VPN connections tunnel network traffic over untrusted networks using authentication and encryption for security. If an IKE type of VPN is used, IKE messages may appear in the log ("IKE server"); another key identifier is type=mgmt,vpn.

When the IKE service starts up due to firewall reboot or saving a VPN configuration section, the startup is logged, along with the number of allowed concurrent mobile users.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw= firewall pri=5 msg= WWWadmin: Starting IKE server. type=mgmt src= srcport=2206 dst= dstport=80 duration=2
Mar 4 21:06:44 firewall.example.com id=firewall time= :12:18 fw= ipsec pri=5 msg= Licensed for 100 mobile client connections. type=mgmt,vpn

Failed VPN authentications are logged with the account name.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw= firewall pri=5 msg= RMCauth: Accepted connection type=mgmt src= srcport=2197 dst= dstport=76
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw= firewall pri=4 msg= RMCauth: Authentication failure for [email protected]. type=mgmt src= srcport=2197 dst= dstport=76 duration=4

Security Associations

By default, each IPSec security association (SA) creation is logged. Most VPN connections require two SAs.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw= firewall pri=5 msg= IPsec-SA established type=mgmt,vpn src= dst=
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw= firewall pri=5 msg= IPsec-SA established type=mgmt,vpn src= dst=

Security associations may expire. After expiration, they must be renewed or the connection will be closed.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw= ipsec pri=5 msg= IPsec-SA established type=mgmt,vpn src= dst=
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw= ipsec pri=5 msg= IPsec-SA expired type=mgmt,vpn src= dst=

Mobile Client VPN Authentication and Connection

Mobile clients must authenticate first before establishing a connection.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw= firewall pri=5 msg= RMCauth: Accepted connection type=mgmt src= srcport=2170 dst= dstport=76
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw= firewall pri=6 msg= RMCauth: Authentication successful for [email protected]. type=mgmt src= srcport=2170 dst= dstport=76 duration=4

Attempts to connect without authentication will be denied.

Mar 4 21:06:44 pri=4 msg= Authentication needed, access for [email protected] denied. type=mgmt,vpn src= dst=

If the user is already authenticated from one IP address and they attempt to authenticate from a second IP address, the connection will be denied. The user's VPN lease must expire before login will be permitted.

Mar 4 21:06:44 pri=4 msg= Unable to aquire license, access for [email protected] denied. type=mgmt,vpn src= dst=
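The log lines above are the raw material for monitoring a VPN gateway: repeated authentication failures for one account, SAs that expire without being re-established, and license-exhaustion denials are all worth alerting on. The following parser and event classifier is an added example written for this guide; it is not code from GTA or GB-OS. It assumes the line format shown above (a syslog prefix followed by WELF-style key=value fields) with the time= and msg= values in double quotes, which this page's rendering dropped. The sample lines in SAMPLE_LOG are constructed; the host names, addresses, ports and account names are placeholders.

```python
"""Parse GTA firewall VPN log lines and pull out the security-relevant events.

Added example, not code from GTA or GB-OS. SAMPLE_LOG is constructed to match
the line format shown in this reference; host names, addresses, ports and
account names in it are placeholders, and the quoting of time= and msg= values
is assumed (the guide's rendering dropped the quotes).
"""
import re
from collections import Counter

_PREFIX_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# key=value where the value is either "quoted text" or a bare token (pri=5, type=mgmt,vpn)
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# (event name, pattern over the msg= field); "ac?quire" accepts the guide's spelling.
_EVENTS = [
    ("ike_start", re.compile(r"Starting IKE server")),
    ("license", re.compile(r"Licensed for (?P<n>\d+) mobile client connections")),
    ("auth_failure", re.compile(r"Authentication failure for (?P<account>\S+?)\.?$")),
    ("auth_success", re.compile(r"Authentication successful for (?P<account>\S+?)\.?$")),
    ("sa_established", re.compile(r"IPsec-SA established")),
    ("sa_expired", re.compile(r"IPsec-SA expired")),
    ("unauth_denied", re.compile(r"Authentication needed, access for (?P<account>\S+) denied")),
    ("license_denied", re.compile(r"Unable to ac?quire license, access for (?P<account>\S+) denied")),
]

def parse_line(line):
    """Split one log line into a dict of fields, or None if it is not in this format."""
    m = _PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    for key, quoted, bare in _KV_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted else bare
    return rec

def classify(rec):
    """Return (event name, captured details) for a parsed record."""
    msg = rec.get("msg", "")
    for name, pattern in _EVENTS:
        m = pattern.search(msg)
        if m:
            return name, m.groupdict()
    return "other", {}

def summarize(log_text, fail_threshold=3):
    """Count events, tally authentication failures per account and flag repeat failures."""
    events, failures, licensed = Counter(), Counter(), None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        name, info = classify(rec)
        events[name] += 1
        if name == "auth_failure":
            failures[info["account"]] += 1
        elif name == "license":
            licensed = int(info["n"])
    flagged = sorted(a for a, n in failures.items() if n >= fail_threshold)
    return {"events": dict(events), "failures": dict(failures),
            "licensed": licensed, "flagged": flagged}

# Constructed sample in the guide's format (placeholder hosts, addresses and accounts).
SAMPLE_LOG = """\
Mar 4 21:06:44 firewall.example.com id=firewall time="2007-03-04 21:06:44" fw="firewall" pri=5 msg="WWWadmin: Starting IKE server." type=mgmt src=192.0.2.10 srcport=2206 dst=192.0.2.1 dstport=80 duration=2
Mar 4 21:06:44 firewall.example.com id=firewall time="2007-03-04 21:12:18" fw="ipsec" pri=5 msg="Licensed for 100 mobile client connections." type=mgmt,vpn
Mar 4 21:06:44 firewall.example.com id=firewall time="2007-03-04 21:06:44" fw="firewall" pri=5 msg="RMCauth: Accepted connection" type=mgmt src=203.0.113.7 srcport=2197 dst=192.0.2.1 dstport=76
Mar 4 21:06:44 firewall.example.com id=firewall time="2007-03-04 21:06:44" fw="firewall" pri=4 msg="RMCauth: Authentication failure for alice@example.com." type=mgmt src=203.0.113.7 srcport=2197 dst=192.0.2.1 dstport=76 duration=4
Mar 4 21:06:44 firewall.example.com id=firewall time="2007-03-04 21:06:44" fw="firewall" pri=4 msg="RMCauth: Authentication failure for alice@example.com." type=mgmt src=203.0.113.7 srcport=2198 dst=192.0.2.1 dstport=76 duration=4
Mar 4 21:06:44 firewall.example.com id=firewall time="2007-03-04 21:06:44" fw="firewall" pri=4 msg="RMCauth: Authentication failure for alice@example.com." type=mgmt src=203.0.113.7 srcport=2199 dst=192.0.2.1 dstport=76 duration=4
Mar 4 21:06:44 firewall.example.com id=firewall time="2007-03-04 21:06:44" fw="firewall" pri=4 msg="RMCauth: Authentication failure for bob@example.com." type=mgmt src=203.0.113.9 srcport=2170 dst=192.0.2.1 dstport=76 duration=4
Mar 4 21:06:44 firewall.example.com id=firewall time="2007-03-04 21:06:44" fw="firewall" pri=6 msg="RMCauth: Authentication successful for bob@example.com." type=mgmt src=203.0.113.9 srcport=2171 dst=192.0.2.1 dstport=76 duration=4
Mar 4 21:06:44 firewall.example.com id=firewall time="2007-03-04 21:06:44" fw="ipsec" pri=5 msg="IPsec-SA established" type=mgmt,vpn src=203.0.113.9 dst=192.0.2.1
Mar 4 21:06:44 firewall.example.com id=firewall time="2007-03-04 21:06:44" fw="ipsec" pri=5 msg="IPsec-SA established" type=mgmt,vpn src=192.0.2.1 dst=203.0.113.9
Mar 4 21:06:44 firewall.example.com id=firewall time="2007-03-04 21:06:44" fw="ipsec" pri=5 msg="IPsec-SA expired" type=mgmt,vpn src=203.0.113.9 dst=192.0.2.1
Mar 4 21:06:44 firewall.example.com id=firewall time="2007-03-04 21:06:44" fw="ipsec" pri=4 msg="Authentication needed, access for carol@example.com denied." type=mgmt,vpn src=203.0.113.20 dst=192.0.2.1
Mar 4 21:06:44 firewall.example.com id=firewall time="2007-03-04 21:06:44" fw="ipsec" pri=4 msg="Unable to aquire license, access for bob@example.com denied." type=mgmt,vpn src=203.0.113.30 dst=192.0.2.1
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

With the sample above, summarize() counts four authentication failures and flags alice@example.com, who fails three times while bob@example.com fails once and then succeeds; the license line yields the licensed client count, and the SA tallies let you notice an expired SA that is not followed by a new one.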

On the GTA Mobile VPN Client

FAQ

My GTA Mobile VPN Client says it is in a 30-day evaluation mode.

If the GTA Mobile VPN Client license number was not correctly entered during installation, or if you clicked Trial during installation instead of entering a license number, the VPN client software will function for 30 days in an evaluation mode. Enter the VPN client license number you received with your mobile VPN option purchase for the VPN client software to exit evaluation mode.

I receive an error when trying to activate the GTA Mobile VPN Client. Why?

In case an error is returned by the online activation server, as shown below, click on the Help icon for more information on how to resolve the issue. If you are unable to resolve any of the error messages on your own, please contact GTA Technical Support by emailing [email protected]. Please include your license number and firewall serial number in the body of the email. Failure to send this information may result in a delay in assistance.

Figure D.1: Receiving an Activation Error

Table D.1: Activation Errors

Code | Message | Description
031 | License not found | The license number does not exist in the activation server database. Recheck your license number. The GTA Mobile VPN Client only accepts license numbers specific for GTA Mobile VPN Clients. Other TheGreenBow license numbers will not work.
032 | Reserved | Reserved.
033 | Activation quota exceeded | Too many installations and activations have been processed for this specific license number. License numbers cannot be used more than allowed by your IT department.
034, 035 | Wrong product code | The license number entered is not allowed. GTA Mobile VPN Client requires a specific license number that is provided by GTA.
036 | Not allowed to activate this device | Maintenance period is expired. In this case, you are not allowed to process any software upgrade. However, you are still allowed to continue using the previous version installed and activated on your computer.
050, 051, … | Impossible to complete activation process | Activation server cannot generate an activation code for this license number at the moment of generation.
…, 054 | Cannot connect activation server | The activation server cannot be reached. Reasons for this can be a broken Internet connection, the activation server being down or firewall policies. The host PC must be able to resolve tgbosa.com and be able to connect to TCP ports 80 and 443. Failure to resolve tgbosa.com may result in this error.
055 | Activation code error | The activation code may have been modified after activation.

How can I activate the GTA Mobile VPN Client when I need to connect to the Internet using a proxy server?

To activate the GTA Mobile VPN Client when a proxy server is used to connect to the Internet, run the Activation Wizard and click the "If you are using a Proxy, click here" link to open the Proxy Configuration screen.

Figure D.2: The "If You Are Using a Proxy, Click Here" Link

Enter the proxy server's IP address or fully qualified domain name in the Proxy Address field and the port number in the Port Number field. Once complete, click the Use Proxy button.

Figure D.3: Entering Proxy Settings

Once the proxy server's information has been configured, enter the GTA Mobile VPN Client's activation code.

I cannot activate the GTA Mobile VPN Client online. How do I activate the client manually?

If it is not possible to activate the GTA Mobile VPN Client online or if the online activation fails, the client can be activated manually. To manually activate the GTA Mobile VPN Client:

3. If an error is displayed during activation, this error is logged in the prodact.dat file, which is located in the user's My Documents folder. The prodact.dat file contains information such as the license number, email address and the computer's hardware information. Email this file to GTA Technical Support ([email protected]) with your firewall's serial number in the body of the email. You will receive an email from GTA Technical Support with an attached file. The file, named tgbcod_xxxxx.dat, contains the activation code for the GTA Mobile VPN Client. Save this file in the user's My Documents folder. Restart the GTA Mobile VPN Client. The software activation is now complete.

My Internet connection does not work when I return to the office.

Your VPN connection may still be active, even though it is not necessary while inside your office LAN. Stop the VPN connection. You might also need to restart your browser or other network application before you can use the non-VPN connection on your office LAN.

Why won't the GTA Mobile VPN Client start a VPN on Windows XP?

Windows XP has a feature called fast user switching. This means that multiple users may be logged in and running programs at the same time (including VPN software), even when only one user is actively using the mouse and keyboard. If another user is logged in to Windows XP and has started a VPN connection, you will not be able to start a VPN; the other user is already using those VPN resources. To start your VPN, first ask the other user to log in and stop their VPN connection. Then you may log in to your own account and start your own VPN.

Can I use an address range for my Address Type when configuring Phase 1 settings?

Address ranges are not supported by GTA firewalls.

When should I set NAT-T to Forced when configuring advanced Phase 1 settings?

When configuring advanced Phase 1 settings for the VPN connection, you may wish to set NAT-T to Forced if you have been given a public IP address that has the ESP protocol blocked. By forcing NAT-T, the client will use the protocol even when it has a non-NATed IP address.

Why would I disable NAT-T when configuring advanced Phase 1 settings?

In most cases you would not disable NAT-T. It should be set to <Automatic>.

Log Messages

Incorrect Remote Gateway

An incorrect value was used for the external IP address of the GTA firewall (VPN gateway). This should match the remote gateway in the GTA firewall's mobile VPN Objects.

Default (SA VPN-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
Default ipsec_get_keystate: no keystate in ISAKMP SA 00D9CBC8

Incorrect Pre-shared Key

An incorrect value was used for the pre-shared secret (key). This value must match the pre-shared secret specified for the account in the GTA firewall's Users.

Default message_recv: invalid cookie(s) 303a3fce1772c7b7 8505c95b1034c3c
Default dropped message from due to notification type INVALID_COOKIE
Default SEND Informational [NOTIFY] with INVALID_COOKIE error

Incorrect Local ID Value

An incorrect value for the local identity of the VPN client was used. In most cases, this should be the address specified for the account in the GTA firewall's Users.

Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]

Incorrect Local ID Type

An incorrect type for the local identity of the VPN client was used. In most cases, the type should be

Default ike_phase_1_send_ID: invalid ip address: Bad file descriptor WSA(11001)
Default exchange_run: doi->initiator (00D95C58) failed

Incorrect Remote ID Value

An incorrect value for the remote identity of the GTA firewall was used. In most cases, this should be the IP address specified in the GTA firewall's mobile VPN Objects.

Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]
Default (SA VPN-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
Default ike_phase_1_recv_ID: received remote ID other than expected

Incorrect Remote ID Type

An incorrect type for the remote identity of the GTA firewall was used. In most cases, the type should be IP Address.

Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]
Default (SA VPN-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
Default ike_phase_1_recv_ID: received remote ID other than expected
Default ipsec_get_keystate: no keystate in ISAKMP SA 00F7BD40

Incorrect Phase I Settings

An incorrect Phase I (IKE) setting was used. These settings should match the GTA firewall's dynamic VPN Objects Phase I settings.

Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]
Default transport_send_messages: giving up on message 00DAF
Default recvfrom (164, 0011FD70, 65536, 0, 0011FCEC, 0011FCE8): WSA(10054)

Incorrect Phase II Settings

An incorrect encryption, authentication or key group was used in Phase II settings. These settings should match the GTA firewall's mobile VPN Objects Phase II settings.

Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]
Default (SA VPN-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
Default (SA VPN-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
Default phase 1 done: initiator id [email protected], responder id
Default (SA VPN-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID] [NAT_OA]
Default RECV Informational [HASH] [NOTIFY]
Default RECV Informational [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error

Incorrect Phase II Authentication Settings

An incorrect value was used for Phase II authentication (hash) settings. This value should match the GTA firewall's mobile VPN Objects Phase II settings.

Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]
Default (SA VPN-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
Default (SA VPN-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
Default phase 1 done: initiator id [email protected], responder id
Default (SA VPN-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID] [NAT_OA]
Default RECV Informational [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error

Incorrect Phase II Key Group Settings

An incorrect value was used for Phase II key group (Diffie-Hellman) settings. This value should match the GTA firewall's mobile VPN Objects Phase II settings.

Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]
Default (SA VPN-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
Default (SA VPN-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
Default phase 1 done: initiator id [email protected], responder id
Default (SA VPN-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID] [NAT_OA]
Default RECV Informational [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error

Incorrect Filter Configuration

A misconfigured or missing filter for UDP port 4500 on the GTA firewall. Add a remote access filter that accepts UDP port 4500 on the GTA firewall.

Default message_recv: bad message length
Default dropped message from due to notification type UNEQUAL_PAYLOAD_LENGTHS
Default SEND Informational [NOTIFY] with UNEQUAL_PAYLOAD_LENGTHS error
Default (SA GBPhase1-GBPhase2-P2) SEND phase 2 Quick Mode [HASH]
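The client log patterns above are distinguishable mechanically: an INVALID_COOKIE notification points at the pre-shared key, NO_PROPOSAL_CHOSEN after "phase 1 done" at Phase II settings, UNEQUAL_PAYLOAD_LENGTHS at the missing UDP 4500 filter, and so on. The script below is an added example that turns this section into a first-pass triage tool; it is not code from GTA or TheGreenBow. The rules check the most specific messages first, because several failure modes (for example the remote ID type and the remote gateway cases) both end in "no keystate in ISAKMP SA" and differ only in the lines before it. The excerpts in SAMPLES are constructed to match the guide's lines; the addresses, SA handles and account name in them are placeholders.

```python
"""Map GTA Mobile VPN Client log excerpts to the misconfiguration the guide
associates with them.

Added example, not code from GTA or TheGreenBow. The rules encode the client
"Log Messages" section of this reference; SAMPLES holds constructed excerpts
in the guide's format with placeholder addresses, SA handles and account name.
"""
import re

# Diagnosis code -> what the guide says to check.
DIAGNOSES = {
    "pre_shared_key": "Pre-shared secret differs from the one set for the account in the firewall's Users.",
    "udp_4500_filter": "Firewall lacks a remote access filter accepting UDP port 4500 (NAT-T).",
    "local_id_type": "Wrong local identity type on the client.",
    "remote_id": "Remote identity value or type does not match the firewall's mobile VPN object (type should be IP Address).",
    "phase2_settings": "Phase 1 completed but no Phase 2 proposal accepted: encryption, hash or key group differ from the mobile VPN object's Phase II settings.",
    "phase1_settings": "No usable Phase 1 reply: Phase I (IKE) settings differ from the firewall's dynamic VPN object.",
    "remote_gateway": "Remote gateway does not match the firewall's external IP address.",
    "local_id_value": "Phase 1 proposal sent but never answered: the guide attributes this to an incorrect local ID value.",
    "unknown": "No known failure pattern found.",
}

def _normalize(lines):
    # The guide renders underscores with surrounding spaces ("KEY _ EXCH");
    # collapse those so lines pasted from the guide match the client's real tokens.
    return re.sub(r"\s*_\s*", "_", "\n".join(lines))

def diagnose(lines):
    """Return the diagnosis code for a client log excerpt, most specific rule first."""
    text = _normalize(lines)
    if "INVALID_COOKIE" in text:
        return "pre_shared_key"
    if "UNEQUAL_PAYLOAD_LENGTHS" in text or "bad message length" in text:
        return "udp_4500_filter"
    if "ike_phase_1_send_ID" in text and "invalid ip address" in text:
        return "local_id_type"
    if "received remote ID other than expected" in text:
        return "remote_id"
    if "phase 1 done" in text and "NO_PROPOSAL_CHOSEN" in text:
        return "phase2_settings"
    if "giving up on message" in text or "WSA(10054)" in text:
        return "phase1_settings"
    if "no keystate in ISAKMP SA" in text:
        return "remote_gateway"
    if "SEND phase 1" in text and "RECV phase 1" not in text:
        return "local_id_value"
    return "unknown"

SEND_P1 = "Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]"
RECV_P1 = "Default (SA VPN-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]"

# Constructed excerpts, one per failure mode described in the guide (placeholder values).
SAMPLES = {
    "remote_gateway": [RECV_P1, "Default ipsec_get_keystate: no keystate in ISAKMP SA 00D9CBC8"],
    "pre_shared_key": [
        "Default message_recv: invalid cookie(s) 303a3fce1772c7b7 8505c95b1034c3c",
        "Default dropped message from 192.0.2.1 due to notification type INVALID_COOKIE",
        "Default SEND Informational [NOTIFY] with INVALID_COOKIE error",
    ],
    "local_id_value": [SEND_P1],
    "local_id_type": [
        "Default ike_phase_1_send_ID: invalid ip address: Bad file descriptor WSA(11001)",
        "Default exchange_run: doi->initiator (00D95C58) failed",
    ],
    "remote_id": [SEND_P1, RECV_P1, "Default ike_phase_1_recv_ID: received remote ID other than expected"],
    "phase1_settings": [
        SEND_P1,
        "Default transport_send_messages: giving up on message 00DAF000",
        "Default recvfrom (164, 0011FD70, 65536, 0, 0011FCEC, 0011FCE8): WSA(10054)",
    ],
    "phase2_settings": [
        SEND_P1, RECV_P1,
        "Default (SA VPN-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]",
        "Default phase 1 done: initiator id user@example.com, responder id 192.0.2.1",
        "Default (SA VPN-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID] [NAT_OA]",
        "Default RECV Informational [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error",
    ],
    "udp_4500_filter": [
        "Default message_recv: bad message length",
        "Default dropped message from 192.0.2.1 due to notification type UNEQUAL_PAYLOAD_LENGTHS",
        "Default SEND Informational [NOTIFY] with UNEQUAL_PAYLOAD_LENGTHS error",
    ],
}

if __name__ == "__main__":
    for expected, excerpt in SAMPLES.items():
        code = diagnose(excerpt)
        print(f"{expected:16} -> {code:16} {DIAGNOSES[code]}")
```

Because the three Phase II cases in the guide (settings, authentication, key group) produce the same NO_PROPOSAL_CHOSEN exchange, they share one diagnosis; the client log alone cannot tell which of the three parameters is wrong, so the fix is to compare all of them against the firewall's mobile VPN object.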

Copyright , Global Technology Associates, Incorporated (GTA). All rights reserved. Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any means without the prior permission of Global Technology Associates, Incorporated.

Technical Support

GTA includes 30 days up and running installation support from the date of purchase. See GTA's web site for more information. GTA's direct customers in the USA should call or email GTA using the telephone number and email address below. International customers should contact a local GTA authorized channel partner.

Tel: [email protected]

Disclaimer

Neither GTA, nor its distributors and dealers, make any warranties or representations, either expressed or implied, as to the software and documentation, including without limitation, the condition of software and implied warranties of its merchantability or fitness for a particular purpose. GTA shall not be liable for any lost profits or for any direct, indirect, incidental, consequential or other damages suffered by licensee or others resulting from the use of the program or arising out of any breach of warranty. GTA further reserves the right to make changes to the specifications of the program and contents of the manual without obligation to notify any person or organization of such changes. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation for their use. GTA assumes no responsibility with regard to the performance or use of these products. Every effort has been made to ensure that the information in this manual is accurate. GTA is not responsible for printing or clerical errors.

Trademarks & Copyrights

GB-OS, Surf Sentinel, Mail Sentinel and GB-Ware are registered trademarks of Global Technology Associates, Incorporated. GB Commander is a trademark of Global Technology Associates, Incorporated. Global Technology Associates and GTA are service marks of Global Technology Associates, Incorporated. The GTA Mobile VPN Client is licensed from TheGreenBow. Microsoft, Internet Explorer, Microsoft SQL and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Adobe and Adobe Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. UNIX is a registered trademark of The Open Group. Linux is a registered trademark of Linus Torvalds. BIND is a trademark of the Internet Systems Consortium, Incorporated and University of California, Berkeley. WELF and WebTrends are trademarks of NetIQ. Sun, Sun Microsystems, Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Java software may include software licensed from RSA Security, Inc. Some products contain software licensed from IBM are available at SurfControl is a registered trademark of SurfControl plc. Some products contain technology licensed from SurfControl plc. Some products include software developed by the OpenSSL Project ( Kaspersky Lab and Kaspersky Anti-Virus are licensed from Kaspersky Lab Int. Some products contain technology licensed from Kaspersky Lab Int. Mailshell and Mailshell Anti-Spam are trademarks of Mailshell Incorporated. Some products contain technology licensed from Mailshell Incorporated. All other products are trademarks of their respective companies.

Global Technology Associates, Inc Lake Lynda Drive, Suite 109 Orlando, FL USA
Tel: Fax: Web: [email protected]


More information

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM Objective Scenario Topology In this lab, the students will complete the following tasks: Prepare to configure Virtual Private Network (VPN)

More information

OvisLink 8000VPN VPN Guide WL/IP-8000VPN. Version 0.6

OvisLink 8000VPN VPN Guide WL/IP-8000VPN. Version 0.6 WL/IP-8000VPN VPN Setup Guide Version 0.6 Document Revision Version Date Note 0.1 11/10/2005 First version with four VPN examples 0.2 11/15/2005 1. Added example 5: dynamic VPN using TheGreenBow VPN client

More information

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300 Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300 This example explains how to configure pre-shared key based simple IPSec tunnel between NetScreen Remote Client and RN300 VPN Gateway.

More information

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1 Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1 This document describes how to configure an IPSec tunnel with a WatchGuard Firebox II or Firebox III (software version 4.5 or later)

More information

GNAT Box VPN and VPN Client

GNAT Box VPN and VPN Client Technical Document TD VPN-GB-WG-02 with SoftRemoteLT from SafeNet, Inc. GTA Firewall WatchGuard Firebox Configuring an IPSec VPN with IKE GNAT Box System Software version 3.3.2 Firebox 1000 Strong Encryption

More information

TheGreenBow VPN Client. User Guide

TheGreenBow VPN Client. User Guide TheGreenBow VPN Client User Guide Property of TheGreenBow 2015 Table of Contents 1 Presentation... 4 1.1 The universal VPN Client... 4 1.2 Full compatibility with PKI... 4 1.3 VPN security policies...

More information

VPN Configuration Guide. ZyWALL USG Series / ZyWALL 1050

VPN Configuration Guide. ZyWALL USG Series / ZyWALL 1050 VPN Configuration Guide ZyWALL USG Series / ZyWALL 1050 2011 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this configuration guide may not be copied, in whole or in part,

More information

Cyberoam IPSec VPN Client Configuration Guide Version 4

Cyberoam IPSec VPN Client Configuration Guide Version 4 Cyberoam IPSec VPN Client Configuration Guide Version 4 Document version 1.0-410003-25/10/2007 IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time

More information

Network FAX Driver. Operation Guide

Network FAX Driver. Operation Guide Network FAX Driver Operation Guide About this Operation Guide This Operation Guide explains the settings for the Network FAX driver as well as the procedures that are required in order to use the Network

More information

Application Note: Onsight Device VPN Configuration V1.1

Application Note: Onsight Device VPN Configuration V1.1 Application Note: Onsight Device VPN Configuration V1.1 Table of Contents OVERVIEW 2 1 SUPPORTED VPN TYPES 2 1.1 OD VPN CLIENT 2 1.2 SUPPORTED PROTOCOLS AND CONFIGURATION 2 2 OD VPN CONFIGURATION 2 2.1

More information

Chapter 9 Monitoring System Performance

Chapter 9 Monitoring System Performance Chapter 9 Monitoring System Performance This chapter describes the full set of system monitoring features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. You can be alerted to important

More information

APNIC elearning: IPSec Basics. Contact: [email protected]. esec03_v1.0

APNIC elearning: IPSec Basics. Contact: training@apnic.net. esec03_v1.0 APNIC elearning: IPSec Basics Contact: [email protected] esec03_v1.0 Overview Virtual Private Networks What is IPsec? Benefits of IPsec Tunnel and Transport Mode IPsec Architecture Security Associations

More information

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Configuring IPsec VPN with a FortiGate and a Cisco ASA Configuring IPsec VPN with a FortiGate and a Cisco ASA The following recipe describes how to configure a site-to-site IPsec VPN tunnel. In this example, one site is behind a FortiGate and another site

More information

VPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks

VPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks VPNs Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Netopia 3346. TheGreenBow IPSec VPN Client. Configuration Guide. http://www.thegreenbow.com. [email protected]

Netopia 3346. TheGreenBow IPSec VPN Client. Configuration Guide. http://www.thegreenbow.com. support@thegreenbow.com TheGreenBow IPSec VPN Client Configuration Guide Netopia 3346 WebSite: Contact: http://www.thegreenbow.com [email protected] IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - Sistech

More information

Guideline for setting up a functional VPN

Guideline for setting up a functional VPN Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the

More information

Technical Document. Creating a VPN. GTA Firewall to Cisco PIX 501 TDVPNPIX200605-01

Technical Document. Creating a VPN. GTA Firewall to Cisco PIX 501 TDVPNPIX200605-01 Technical Document Creating a VPN GTA Firewall to Cisco PIX 501 TDVPNPIX200605-01 Contents Introduction 1 Encryption and Authentication Methods 1 IP Addresses Used in Examples 1 Documentation 2 Additional

More information

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip WINXP VPN to ZyWALL Tunneling 1. Setup WINXP VPN 2. Setup ZyWALL VPN This page guides us to setup a VPN connection between the WINXP VPN software and ZyWALL router. There will be several devices we need

More information

MN-700 Base Station Configuration Guide

MN-700 Base Station Configuration Guide MN-700 Base Station Configuration Guide Contents pen the Base Station Management Tool...3 Log ff the Base Station Management Tool...3 Navigate the Base Station Management Tool...4 Current Base Station

More information

Technical Document. Creating a VPN. GTA Firewall to Linksys Cable/DSL Router TDVPNLINKSYS200605-01

Technical Document. Creating a VPN. GTA Firewall to Linksys Cable/DSL Router TDVPNLINKSYS200605-01 Technical Document Creating a VPN GTA Firewall to Linksys Cable/DSL Router TDVPNLINKSYS200605-01 Contents Introduction 1 Encryption and Authentication Methods 1 IP Addresses Used in Examples 1 Documentation

More information

How To Install Sedar On A Workstation

How To Install Sedar On A Workstation SEDAR Client Installation Guide Version 1.2 January 27, 2014 10 Contents About This Guide... 2 Assumptions... 3 Date Format Synchronization... 3 Before You Begin the Installation Test of the SEDAR Client...

More information

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers Application Note Revision 1.0 10 February 2011 Copyright 2011. Aruba Networks, Inc. All rights reserved. IPsec VPN Security

More information

How To Configure A Kiwi Ip Address On A Gbk (Networking) To Be A Static Ip Address (Network) On A Ip Address From A Ipad (Netware) On An Ipad Or Ipad 2 (

How To Configure A Kiwi Ip Address On A Gbk (Networking) To Be A Static Ip Address (Network) On A Ip Address From A Ipad (Netware) On An Ipad Or Ipad 2 ( UAG715 Support Note Revision 1.00 August, 2012 Written by CSO Scenario 1 - Trunk Interface (Dual WAN) Application Scenario The Internet has become an integral part of our lives; therefore, a smooth Internet

More information

VPN SECURITY POLICIES

VPN SECURITY POLICIES TECHNICAL SUPPORT NOTE Introduction to the VPN Menu in the Web GUI Featuring ADTRAN OS and the Web GUI Introduction This Technical Support Note shows the different options available in the VPN menu of

More information

Chapter 6 Virtual Private Networking

Chapter 6 Virtual Private Networking Chapter 6 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVX538 VPN firewall. VPN tunnels provide secure, encrypted communications between

More information

IP Office Technical Tip

IP Office Technical Tip IP Office Technical Tip Tip no: 190 Release Date: September 27, 2007 Region: GLOBAL Configuring a VPN Remote IP Phone with a Sonicwall Tz170 Standard / Enhanced VPN Router The following document assumes

More information

This topic discusses Cisco Easy VPN, its two components, and its modes of operation. Cisco VPN Client > 3.x

This topic discusses Cisco Easy VPN, its two components, and its modes of operation. Cisco VPN Client > 3.x Configuring Remote-Access VPNs via ASDM Created by Bob Eckhoff This white paper discusses the Cisco Easy Virtual Private Network (VPN) components, modes of operation, and how it works. This document also

More information

Table of Contents. Cisco Cisco VPN Client FAQ

Table of Contents. Cisco Cisco VPN Client FAQ Table of Contents Cisco VPN Client FAQ...1 Questions...1 Introduction...2 Q. Why does the VPN Client disconnect after 30 minutes? Can I extend this time period?...2 Q. I upgraded to Mac OS X 10.3 (known

More information

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client Generally speaking, remote users need to use a VPN client software for establishing a VPN connection to their home/work router

More information

Virtual Private Network and Remote Access Setup

Virtual Private Network and Remote Access Setup CHAPTER 10 Virtual Private Network and Remote Access Setup 10.1 Introduction A Virtual Private Network (VPN) is the extension of a private network that encompasses links across shared or public networks

More information

OfficeConnect Internet Firewall VPN Upgrade User Guide

OfficeConnect Internet Firewall VPN Upgrade User Guide OfficeConnect Internet Firewall VPN Upgrade User Guide 3CR16773-93 http://www.3com.com/ Part No DUA1677-3AAA02 Published April 2001 3Com Corporation 5400 Bayfront Plaza Santa Clara, California 95052-8145

More information

Virtual Private Network (VPN)

Virtual Private Network (VPN) Configuration Guide 5991-2120 April 2005 Virtual Private Network (VPN) VPN Using Preset Keys, Mode Config, and Manual Keys This Configuration Guide is designed to provide you with a basic understanding

More information

Chapter 3 LAN Configuration

Chapter 3 LAN Configuration Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. This chapter contains the following sections

More information

How to configure VPN function on TP-LINK Routers

How to configure VPN function on TP-LINK Routers How to configure VPN function on TP-LINK Routers 1. VPN Overview... 2 2. How to configure LAN-to-LAN IPsec VPN on TP-LINK Router... 3 3. How to configure GreenBow IPsec VPN Client with a TP-LINK VPN Router...

More information

Chapter 4 Customizing Your Network Settings

Chapter 4 Customizing Your Network Settings . Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the Wireless-G Router Model WGR614v9, including LAN, WAN, and routing settings. It

More information

Configuring a VPN between a Sidewinder G2 and a NetScreen

Configuring a VPN between a Sidewinder G2 and a NetScreen A PPLICATION N O T E Configuring a VPN between a Sidewinder G2 and a NetScreen This document explains how to create a basic gateway to gateway VPN between a Sidewinder G 2 Security Appliance and a Juniper

More information

VPN Configuration Guide. Dell SonicWALL

VPN Configuration Guide. Dell SonicWALL VPN Configuration Guide Dell SonicWALL 2013 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this manual may not be copied, in whole or in part, without the written consent of

More information

Chapter 4 Customizing Your Network Settings

Chapter 4 Customizing Your Network Settings Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the RangeMax Dual Band Wireless-N Router WNDR3300, including LAN, WAN, and routing settings.

More information

VPN Configuration Guide. Juniper Networks NetScreen / SSG / ISG Series

VPN Configuration Guide. Juniper Networks NetScreen / SSG / ISG Series VPN Configuration Guide Juniper Networks NetScreen / SSG / ISG Series equinux AG and equinux USA, Inc. 2009 equinux USA, Inc. All rights reserved. Under the copyright laws, this manual may not be copied,

More information

Scenario: Remote-Access VPN Configuration

Scenario: Remote-Access VPN Configuration CHAPTER 7 Scenario: Remote-Access VPN Configuration A remote-access Virtual Private Network (VPN) enables you to provide secure access to off-site users. ASDM enables you to configure the adaptive security

More information

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client Topology Note: ISR G2 devices have Gigabit Ethernet interfaces instead of FastEthernet Interfaces. All contents are Copyright 1992 2012

More information

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client Astaro Security Gateway V8 Remote Access via L2TP over IPSec Configuring ASG and Client 1. Introduction This guide contains complementary information on the Administration Guide and the Online Help. If

More information

Using IPSec in Windows 2000 and XP, Part 2

Using IPSec in Windows 2000 and XP, Part 2 Page 1 of 8 Using IPSec in Windows 2000 and XP, Part 2 Chris Weber 2001-12-20 This is the second part of a three-part series devoted to discussing the technical details of using Internet Protocol Security

More information

Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance

Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance This article will easily explain how to configure your Apple ipad, iphone or ipod Touch

More information

Appendix C Network Planning for Dual WAN Ports

Appendix C Network Planning for Dual WAN Ports Appendix C Network Planning for Dual WAN Ports This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports. This appendix contains the following sections:

More information

Configuring a VPN for Dynamic IP Address Connections

Configuring a VPN for Dynamic IP Address Connections Configuring a VPN for Dynamic IP Address Connections Summary A Virtual Private Network (VPN) is a virtual private network that interconnects remote (and often geographically separate) networks through

More information

How to configure VPN function on TP-LINK Routers

How to configure VPN function on TP-LINK Routers How to configure VPN function on TP-LINK Routers 1. VPN Overview... 2 2. How to configure LAN-to-LAN IPsec VPN on TP-LINK Router... 3 3. How to configure GreenBow IPsec VPN Client with a TP-LINK VPN Router...

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

Application Note: Integrate Juniper IPSec VPN with Gemalto SA Server. [email protected] October 2007. www.gemalto.com

Application Note: Integrate Juniper IPSec VPN with Gemalto SA Server. SASolutions@gemalto.com October 2007. www.gemalto.com Application Note: Integrate Juniper IPSec VPN with Gemalto SA Server [email protected] October 2007 www.gemalto.com Table of contents Overview... 3 Architecture... 5 Configure Juniper IPSec on an

More information

UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) i...

UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) i... Page 1 of 10 Question/Topic UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) in SonicOS Enhanced Answer/Article Article Applies To: SonicWALL Security

More information

Pre-lab and In-class Laboratory Exercise 10 (L10)

Pre-lab and In-class Laboratory Exercise 10 (L10) ECE/CS 4984: Wireless Networks and Mobile Systems Pre-lab and In-class Laboratory Exercise 10 (L10) Part I Objectives and Lab Materials Objective The objectives of this lab are to: Familiarize students

More information

Administrator's Guide

Administrator's Guide Administrator's Guide Contents Administrator's Guide... 7 Using Web Config Network Configuration Software... 8 About Web Config... 8 Accessing Web Config... 8 Restricting Features Available for Users...

More information

Legal Notes. Regarding Trademarks. Models supported by the KX printer driver. 2011 KYOCERA MITA Corporation

Legal Notes. Regarding Trademarks. Models supported by the KX printer driver. 2011 KYOCERA MITA Corporation Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

Chapter 3 Connecting the Router to the Internet

Chapter 3 Connecting the Router to the Internet Chapter 3 Connecting the Router to the Internet This chapter describes how to set up the router on your Local Area Network (LAN) and connect to the Internet. It describes how to configure your DG834GT

More information

7. Configuring IPSec VPNs

7. Configuring IPSec VPNs 7. This guide describes how to use the Unified Threat Management appliance (UTM) IPSec VPN Wizard to configure the IP security (IPSec) virtual private networking (VPN) feature. This feature provides secure,

More information

VPN Quick Configuration Guide. Astaro Security Gateway V8

VPN Quick Configuration Guide. Astaro Security Gateway V8 VPN Quick Configuration Guide Astaro Security Gateway V8 2010 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this configuration guide may not be copied, in whole or in part,

More information

Case Study for Layer 3 Authentication and Encryption

Case Study for Layer 3 Authentication and Encryption CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client

More information

Configuring SSL VPN on the Cisco ISA500 Security Appliance

Configuring SSL VPN on the Cisco ISA500 Security Appliance Application Note Configuring SSL VPN on the Cisco ISA500 Security Appliance This application note describes how to configure SSL VPN on the Cisco ISA500 security appliance. This document includes these

More information

Technical Notes TN 1 - ETG 3000. FactoryCast Gateway TSX ETG 3021 / 3022 modules. How to Setup a GPRS Connection?

Technical Notes TN 1 - ETG 3000. FactoryCast Gateway TSX ETG 3021 / 3022 modules. How to Setup a GPRS Connection? FactoryCast Gateway TSX ETG 3021 / 3022 modules How to Setup a GPRS Connection? 1 2 Table of Contents 1- GPRS Overview... 4 Introduction... 4 GPRS overview... 4 GPRS communications... 4 GPRS connections...

More information

FortiOS Handbook IPsec VPN for FortiOS 5.0

FortiOS Handbook IPsec VPN for FortiOS 5.0 FortiOS Handbook IPsec VPN for FortiOS 5.0 IPsec VPN for FortiOS 5.0 26 August 2015 01-504-112804-20150826 Copyright 2015 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered

More information

VNS3 to Cisco ASA Instructions. ASDM 9.2 IPsec Configuration Guide

VNS3 to Cisco ASA Instructions. ASDM 9.2 IPsec Configuration Guide VNS3 to Cisco ASA Instructions ASDM 9.2 IPsec Configuration Guide 2016 Site-to-Site IPsec Tunnel IPsec protocol allows you to securely connect two sites together over the public internet using cryptographically

More information

STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE

STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE V IRTUAL PRIVATE NETWORKS C ONTENTS Introduction to the Scenarios... 3 Scenario 1: Gateway-to-Gateway With Pre-Shared Secrets... 3 Configuring

More information

Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version 3.40 12/2004

Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version 3.40 12/2004 Prestige 202H Plus ISDN Internet Access Router Quick Start Guide Version 3.40 12/2004 Table of Contents 1 Introducing the Prestige...3 2 Hardware Installation...4 2.1 Rear Panel...4 2.2 The Front Panel

More information

V310 Support Note Version 1.0 November, 2011

V310 Support Note Version 1.0 November, 2011 1 V310 Support Note Version 1.0 November, 2011 2 Index How to Register V310 to Your SIP server... 3 Register Your V310 through Auto-Provision... 4 Phone Book and Firmware Upgrade... 5 Auto Upgrade... 6

More information

IP Office Technical Tip

IP Office Technical Tip IP Office Technical Tip Tip no: 186 Release Date: August 14, 2007 Region: GLOBAL Configuring a VPN Remote IP Phone with an Adtran Netvanta 3305 VPN Router The following document assumes that the user/installer

More information

ISG50 Application Note Version 1.0 June, 2011

ISG50 Application Note Version 1.0 June, 2011 ISG50 Application Note Version 1.0 June, 2011 Scenario 1 - ISG50 is placed behind an existing ZyWALL 1.1 Application Scenario For companies with existing network infrastructures and demanding VoIP requirements,

More information

SonicOS Enhanced 3.2 IKE Version 2 Support

SonicOS Enhanced 3.2 IKE Version 2 Support SonicOS Enhanced 3.2 IKE Version 2 Support Document Scope This document describes the integration of SonicOS Enhanced 3.2 with Internet Key Exchange protocol version 2 (IKEv2). This document contains the

More information

Apliware firewall. TheGreenBow IPSec VPN Client. Configuration Guide. http://www.thegreenbow.com [email protected]

Apliware firewall. TheGreenBow IPSec VPN Client. Configuration Guide. http://www.thegreenbow.com support@thegreenbow.com TheGreenBow IPSec VPN Client Configuration Guide Apliware firewall WebSite: Contact: http://www.thegreenbow.com [email protected] Table of contents 1 Introduction... 0 1.1 Goal of this document...

More information

VPN Configuration of ProSafe VPN Lite software and NETGEAR ProSafe Router:

VPN Configuration of ProSafe VPN Lite software and NETGEAR ProSafe Router: Page 1 of 8 VPN Configuration of ProSafe VPN Lite software and NETGEAR ProSafe Router: This document will guide you on how to create IKE and auto-vpn policies for your ProSafe NETGEAR Router, as well as

More information

Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation

Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation Basic ViPNet VPN Deployment Schemes Supplement to ViPNet Documentation 1991 2015 Infotecs Americas. All rights reserved. Version: 00121-04 90 01 ENU This document is included in the software distribution

More information

IPSec Pass through via Gateway to Gateway VPN Connection

IPSec Pass through via Gateway to Gateway VPN Connection IPSec Pass through via Gateway to Gateway VPN Connection 1. Connection 2 In the diagram depicted below, the left side router represents the SME200/SME100/SME50 in HQ and right side represents the PC installed

More information