GB-OS. VPN Gateway. Option Guide for GB-OS 4.0. & GTA Mobile VPN Client Version 4.01 VPNOG


GB-OS VPN Gateway & GTA Mobile VPN Client Version 4.01
Option Guide for GB-OS 4.0
VPNOG200703-01

Contents

Introduction
  What is a VPN?
  About IPSec VPN on GTA Firewalls
  The VPN Gateway (Firewall) Component
  Features
  The Client Component
  Features
  Minimum Requirements
  Installation Support
  Support Options
  Documentation
  Additional Documentation

GTA Firewall Setup
  Entering Feature Codes
  Running the VPN Setup Wizard
  Configuring Gateway to Gateway Connections
  Configuring Gateway to GTA Mobile VPN Client Connections
  Configuring a VPN Connection Manually
  Creating VPN Configuration Objects
  Default VPN Objects
  Which VPN Object Should I Use?
  Selecting the IPSec Key Mode
  Creating the VPN Connection
  Creating a VPN Connection using IKE IPSec Key Mode
  Creating a VPN Connection using Manual IPSec Key Mode
  Configuring a Custom VPN Object
  About Phase I
  About Phase II
  Configuring a Custom Encryption Object
  Encryption Methods
  Hash Algorithm
  Key Group
  Configuring VPN Policies
  Creating Authorization
  Creating Groups
  Creating Users

GTA Mobile VPN Client Setup
  Installing the GTA Mobile VPN Client
  Activating the GTA Mobile VPN Client
  Configuring the VPN Client Software
  Running the Configuration Wizard
  VPN Settings Worksheet
  Manually Configuring the GTA Mobile VPN Client
  Entering Preferences (Parameters)
  Configuring Phase 1 (Authentication)
  Starting and Stopping VPN Client Connections

Advanced GTA Mobile VPN Client Setup
  Advanced Phase 1 Configuration
  Advanced Phase 2 Configuration
  Launching Scripts
  Configuring Access Control
  USB Drive Mode
  Preferences
  Startup Modes
  Miscellaneous
  Console and Configuration Tools
  Configuration Management
  Console / Logs

Reference A: GTA Mobile VPN Client User Interface
  Configuration Panel
  Menu Overview
  File
  VPN Configuration
  Tools
  ? (Help)
  Left Hand Menu Icons
  Configuration Menu Tree
  Status Bar
  Connection Panel
  System Tray
  System Tray Menu

Reference B: VPN Concepts
  Elements of IPSec VPN Security
  Verifying Authorization
  Verifying Data Integrity
  Ensuring Data Privacy
  Packet Structure: IPSec VPN
  GTA Firewall VPN Packet Processing

Reference C: Example VPN Configurations
  Client to Gateway: Dynamic/Static IP Addresses & IKE
  Client to Gateway: Dynamic IP Addresses & IKE
  Gateway to Gateway: Dynamic/Static IP Addresses & IKE
  Gateway to Gateway: Static/Static IP Addresses & IKE
  Gateway to Gateway: Static/Static IP Addresses and Manual Key Exchange

Reference D: Troubleshooting
  On the GTA Firewall
  FAQ
  Mobile VPN clients cannot connect to the firewall. Why?
  Log Messages
  Security Associations
  Mobile Client VPN Authentication and Connection
  On the GTA Mobile VPN Client
  FAQ
  My GTA Mobile VPN Client says it is in a 30-day evaluation mode.
  I receive an error when trying to activate the GTA Mobile VPN Client. Why?
  How can I activate the GTA Mobile VPN Client when I need to connect to the Internet using a proxy server?
  I cannot activate the GTA Mobile VPN Client online. How do I activate the client manually?
  My Internet connection does not work when I return to the office.
  Why won't the GTA Mobile VPN Client start a VPN on Windows XP?
  Can I use an address range for my Address Type when configuring Phase 1 settings?
  When should I set NAT-T to Forced when configuring advanced Phase 1 settings?
  Why would I disable NAT-T when configuring advanced Phase 1 settings?
  Log Messages
  Incorrect Remote Gateway
  Incorrect Pre-shared Key
  Incorrect Local ID Value
  Incorrect Local ID Type
  Incorrect Remote ID Value
  Incorrect Remote ID Type
  Incorrect Phase I Settings
  Incorrect Phase II Settings
  Incorrect Phase II Authentication Settings
  Incorrect Phase II Key Group Settings
  Incorrect Filter Configuration

Introduction

What is a VPN?

A VPN is a Virtual Private Network.

What makes it private? You can access resources on your network as if you were a second private network attached to the private (trusted) part of your network.

What makes it virtual? You're not really accessing your private network from the private network: you're accessing it from a public or other untrusted network, such as the Internet.

A combination of authentication, encryption and tunneling technologies is used to make sure that your data is transmitted securely, so you can trust your connection as you would trust your normal private network connection. VPN connections provide a way to access your protected data from an insecure location, all without compromising your network security.

VPNs vs. Standard NAT Tunnels

Standard NAT tunnels can provide external access to your internal network. So why use a VPN? VPNs provide more secure access than standard NAT tunnels. VPN tunnels provide methods to assure authorization, data integrity and privacy. As a result, VPN tunnels can secure even connections that normally do not provide encryption, authorization or integrity checking on their own. Standard tunnels do not provide these VPN safety mechanisms!

VPNs are an ideal secure network solution for employees who travel or work from home. They can also serve to securely connect branch offices to a main office or data center.

GTA firewalls support the IPSec VPN standard; this provides interoperability with many third-party VPN products. IPSec VPNs can use a defined combination of authentication keys, anti-tampering hashes, data encryption and IP packet encapsulation to ensure the identity, integrity, and privacy of your data transfers over public, untrusted networks. For more information, see Elements of IPSec VPN Security.

About IPSec VPN on GTA Firewalls

GTA firewalls provide IPSec controls for both mobile client (commuter-to-office) and gateway-to-gateway (office-to-office) VPN connections. GTA firewall VPNs are a security gateway version of the IPSec standard; the GTA Mobile VPN Client provides the host version. For specific information on the GTA implementations of the IPSec standard, see Elements of IPSec VPN Security.

The VPN Gateway (Firewall) Component

GTA firewalls can function as VPN gateways, handling authentication and encryption for VPN tunnels. The VPN gateway is configured on the firewall directly using the web administrative interface. VPN configurations are created in Configuration>VPN>IPSec Tunnels, and bound to an incoming authorization channel in either Configuration>Accounts>Users and Configuration>Accounts>Groups (for mobile VPN clients or a second VPN gateway with a dynamic IP address) or Configuration>VPN>IPSec Tunnels (where both VPN gateways have a static IP address).

GTA firewalls can interoperate with either another GTA firewall (for office-to-office VPNs) or a mobile VPN client (for commuter-to-office VPNs). Because GTA firewalls support the IPSec VPN standard, GTA firewall VPNs are also interoperable with third-party products that support the IPSec VPN standard. For information on creating a VPN between a GTA firewall and another VPN gateway, see additional documentation located on GTA's web site.

Features

- NAT traversal
- Easy application of security policies
- Easy creation and revision of VPNs using VPN configuration objects
- Quickly enable and disable VPN authorizations
- AES-128, AES-192 and AES-256, 3DES, DES and Blowfish methods for confidentiality
- MD5, SHA-1 and SHA-2 one-way hash methods for data integrity
- Up to 4,096-bit Diffie-Hellman keys for authenticity

The Client Component

With the GTA Mobile VPN Client option, GTA firewalls can also provide VPN protection to travelling employees or employees working from home.

Your mobile VPN client software is installed on the client computer. It serves to locally perform the authentication, encryption and other services that would normally be performed by a second VPN gateway. Mobile VPN client software negotiates the connection with your GTA firewall VPN gateway.

The GTA Mobile VPN Client is Microsoft Windows-compatible VPN software.

Note: Microsoft Windows Vista is currently not supported by the GTA Mobile VPN Client. Microsoft Windows Vista support will be included in a future release.

Features

- NAT traversal
- Easy VPN setup
- Client-to-client and client-to-gateway VPNs
- Compatible with most versions of Microsoft Windows
- DES, 3DES, and AES encryption methods for confidentiality
- MD5 and SHA-1 one-way hash methods for data integrity
- Up to 2,048-bit Diffie-Hellman keys for authenticity
- USB mode allows easy start/stop of VPN with insertion/removal of a USB drive
- VPN DNS configuration
- Redundant gateway

Minimum Requirements

- Microsoft Windows 98, Me, NT 4 (Service Pack 6 or greater), 2000, XP
- Intel Pentium class or greater processor
- 10 MB unused hard disk space
- 128 MB RAM
- 56K dial-up modem, wireless (WiFi), Ethernet or other compatible network card

Installation Support

Installation ("up and running") support is available to registered users. See GTA's website for more information. If you need installation assistance, be sure to register your product and then contact the GTA Technical Support team by email at support@gta.com. Please include your serial number and a brief description of the problem in the body of the email.

Support Options

If you need support for GTA Products, a variety of support contracts are available. Contact GTA Sales staff by email at sales@gta.com for more information. Contracts range from support by the incident to full coverage for a year. Other assistance is available through the GNAT Box Mailing List or an authorized GTA Channel Partner.

Documentation

A few conventions are used throughout this guide to help you recognize specific elements of the text. If you are viewing this guide in PDF format, color variations may also be used to emphasize notes, warnings and new sections.

Bold Italics: Emphasis
Italics: Publications
Blue Underline: Clickable hyperlink (email address, web site or in-PDF link)
Small Caps: On-screen field names
Monospace Font: On-screen text
Condensed Bold: On-screen menus, menu items
Bold Small Caps: On-screen buttons, links

Additional Documentation

For instructions on installation, registration and setup of a GTA Firewall, see your GTA Firewall's Product Guide. For optional features, see the appropriate Feature Guide. Manuals and other documentation can be found on the GTA website.

Documents on the website are either in plain text (*.txt) or Portable Document Format (*.pdf), which requires Adobe Acrobat Reader 5.0 or greater. A free copy of the program can be obtained from Adobe.

GTA Firewall Setup

This chapter explains configuration steps for an IPSec VPN on both the firewall and a client computer. It also provides a worksheet to help with initial configuration.

Each GTA firewall VPN requires a minimum of two points: an initiator and a responder. The responder must be a GTA firewall, while the initiator can be either a second VPN gateway or a GTA Mobile VPN client.

GTA firewall VPN setup requires configuration of both:

- GTA firewall
- GTA Mobile VPN Client or a second VPN gateway (e.g. GTA firewall)

Instructions for VPN setup with Macintosh computers, third-party firewalls and non-IPSec VPNs are available at the GTA web site. For more information on IPSec VPNs, see Elements of IPSec VPN Security.

Entering Feature Codes

When a VPN option or GTA Mobile VPN Client license package has been purchased, feature activation codes are required for client-to-gateway VPNs.

If you have purchased a mobile VPN client license package, navigate to Configuration>System>Activation Codes and enter its feature activation code. Click Save.

The feature activation code necessary for activation can be retrieved from the GTA Support Center. Once logged in, click on View Products and select your firewall's serial number. Your feature activation code will be displayed.

If a gateway-to-gateway VPN is not a standard feature of your firewall, and you have purchased a VPN option, also enter the VPN option's feature activation code and click Save.

Note: Feature activation codes for gateway-to-gateway VPNs are required only for GTA firewalls that are not sold with VPN as a standard feature. See your firewall's specifications for more information.

Running the VPN Setup Wizard

The VPN Setup Wizard is designed to help configure a simple Virtual Private Network (VPN) quickly and easily. The wizard will automatically create security policies to accept connections using the ESP (protocol 50) and UDP (ports 500 and 4500) protocols. These automatic policies can be turned off in the Configuration>VPN>IPSec Tunnels screen under the Advanced tab.

Note: All connections through the VPN are controlled by VPN policies, located at Configuration>Security Policies>Policy Editor>VPN Policies.

To run the VPN Wizard, navigate to Wizards>VPN Setup. Before running the wizard, it may be helpful to print out the following worksheet:

Table 2.1: VPN Wizard Worksheet (columns: Field, Description, Value)

Local Network
  Gateway: Select the logical interface that acts as the gateway to the local network. Typically, this will be the external interface.
  Network: Select the address object of the configured network you wish to be able to connect to using the VPN. Select <USER DEFINED> to enter the local network's IP address manually.
  Identity: Enter the identity for the local network. The identity should be a fully qualified domain name or email address. This field is only required if the local network is behind a dynamic IP address.

Remote Network
  Gateway Type (circle one: Dynamic / Static): Select the type of the remote network's gateway. This field is only required if the local network is behind a dynamic IP address.
  User Name: Enter the user name that will be used to connect to the remote network. This field is only required if the local network is behind a dynamic IP address.
  Identity: Enter the identity for the remote network. This field is only required if the local network is behind a dynamic IP address.
  Group: The user group that will be connecting to the remote network.
  IP Address / Identity: If the remote network's gateway is Static, enter its IP address. If the gateway is dynamic, enter an IP address, email address or valid DNS-resolvable host name to associate the remote gateway with a pre-shared secret key.
  Network: The destination IP address of the network that resides behind the remote firewall. Select <USER DEFINED> to enter the IP address manually.

Pre-shared Secret
  Pre-shared Secret Format (circle one: ASCII / Hex): The format of the pre-shared secret to be used by the VPN.
  Pre-shared Secret: The pre-shared secret to be used by the VPN. This same secret needs to be entered in the GTA Mobile VPN Client when configuring the security policy. This field is case sensitive.

Configuring Gateway to Gateway Connections

The first screen of the wizard will prompt you to enter a brief description of the VPN. For example, "Orlando to New York". Click the Next Arrow to continue.

Figure 2.1: Entering the VPN's Description

Once a description has been entered, it will then be necessary to define the local network that will be establishing the VPN.

For the local network's Gateway, select the logical interface assigned to the external network. In most cases, this will be <EXTERNAL>. For the Network, select the local network that is to be accessible via the VPN. If the desired local network is not listed, you may define it manually by selecting <USER DEFINED> and entering the network's IP address in the corresponding field.

If the selected Gateway is dynamic, enter the Identity to be used. The Identity should be a fully qualified domain name or email address. Click the Next Arrow to continue.

Figure 2.2: Defining the Local Network (Static Gateway)

Figure 2.3: Defining the Local Network (Dynamic Gateway)

To define the remote network that the VPN will be connecting to, it is necessary to select the nature of the IP address of the external network's Gateway. If it is a static (fixed) IP address, select the Static radio button and enter the gateway's IP address in the Network field.

If the remote gateway is Dynamic, enter an IP address, email address or valid DNS-resolvable host name in the User Name and Identity fields to associate the remote gateway with a pre-shared secret key. The Group field defaults to Firewalls, which sets the appropriate VPN settings for the connection. Click the Next Arrow to continue.

Figure 2.4: Defining the Remote Network (Static Gateway)

Figure 2.5: Defining the Remote Network (Dynamic Gateway)

A pre-shared secret is used to ensure a secure, trusted connection between host computers and the internal network. When configuring GTA Mobile VPN Clients for connection to the VPN, the pre-shared secret must match the pre-shared secret defined in this step in order to establish a connection.

Select the character set that the pre-shared secret will be defined with: ASCII or HEX (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F). Enter the pre-shared secret in the corresponding field. The Pre-shared Secret field is case sensitive. Click the Next Arrow to continue.

Figure 2.6: Entering the Pre-shared Secret

The final screen of the VPN Setup Wizard is a summary view of all entered settings. Please review the VPN's setup prior to committing the displayed configuration. To make changes to your basic setup, select the Back button to return to the appropriate screen. Click the Save icon to save the displayed configuration, or select the Cancel icon to abort.

Figure 2.7: Reviewing the VPN's Setup

Configuring Gateway to GTA Mobile VPN Client Connections

To allow users to connect to the GTA firewall's protected networks remotely using the GTA Mobile VPN Client, the GTA firewall's external gateway must have a static IP address. That is, it cannot obtain its IP address using DHCP or PPP.

Note: The VPN Setup Wizard will only configure the GTA firewall to allow connections from the GTA Mobile VPN Client. For instructions on configuring the GTA Mobile VPN Client to connect to the GTA firewall, please refer to the GB-OS VPN Gateway & GTA Mobile VPN Client Option Guide.

To run the VPN Setup Wizard, navigate to Wizards>VPN Setup.

The first screen of the wizard will prompt you to enter a brief description of the nature of the VPN. For example, "Mobile VPN Connections". Click the Next Arrow to continue.

Figure 2.8: Entering the VPN's Description

Once a description has been entered, it will then be necessary to define the local network that will be accessible to users using the GTA Mobile VPN Client.

For the local network's Gateway, select the logical interface assigned to the external network. In most cases, this will be <EXTERNAL>. For the Network, select the local network that is to be accessible via the VPN. If the desired local network is not listed, you may define it manually by selecting <USER DEFINED> and entering the network's IP address in the corresponding field.

Figure 2.9: Defining the Local Network (Static Gateway)

To define the remote network, where the Mobile VPN Client will be connecting from, set the Gateway Type to Dynamic. Enter the Mobile VPN Client's User Name and Identity in the appropriate fields. The Identity must be in the form of an email address. Set the Group to <Users>. For the Network, enter the IP address the GTA Mobile VPN Client should use. Click the Next Arrow to continue.

Figure 2.10: Defining the Remote Network for GTA Mobile VPN Client Connections

A pre-shared secret is used to ensure a secure, trusted connection between host computers and the internal network. When configuring GTA Mobile VPN Clients for connection to the VPN, the pre-shared secret must match the pre-shared secret defined in this step in order to establish a connection.

Select the character set that the pre-shared secret will be defined with: ASCII or HEX (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F). Enter the pre-shared secret in the corresponding field. The Pre-shared Secret field is case sensitive. Click the Next Arrow to continue.

Figure 2.11: Entering the Pre-shared Secret

The final screen of the VPN Setup Wizard is a summary view of all entered settings. Please review the VPN's setup prior to committing the displayed configuration. To make changes to your basic setup, select the Back button to return to the appropriate screen. Click the Save icon to save the displayed configuration, or select the Cancel icon to abort.

Figure 2.12: Reviewing the VPN's Setup

Configuring a VPN Connection Manually

To manually configure an IPSec VPN with a GTA firewall, six firewall aspects must be configured in order:

1. Feature activation codes
2. IPSec Tunnels
3. VPN objects (optional)
4. Encryption objects (optional)
5. VPN or GTA Mobile VPN Client authorization
6. VPN Policies (located at Configuration>Security Policies>Policy Editor>VPN Policies) (optional)

Additionally, the second VPN gateway (GTA firewall or third-party VPN gateway) or mobile VPN client must be configured to reflect the same settings.

Creating VPN Configuration Objects

VPN objects determine how incoming VPN connections will be negotiated by defining what client or VPN gateway initiation behavior should be acceptable to your GTA firewall.

Default VPN Objects

By default, GB-OS has two VPN objects:

- Standard Dynamic
- Standard Static

Which VPN Object Should I Use?

Depending on whether your GTA firewall has a static or dynamic (DHCP/PPP) IP address, different VPN objects will be used.

If both VPN gateways have static IP addresses: Each will use the Standard Static VPN object.

If an initiating VPN gateway (or mobile VPN client) has a dynamic IP address: The dynamically addressed initiator will use the Standard Dynamic VPN object.

Selecting the IPSec Key Mode

Key exchange, essential to authentication during IPSec VPN construction, can be accomplished either automatically using IKE or manually.

Using IKE (automatic key exchange), Phase I of the connection establishes an IKE security association (SA) that is later used to securely create an IPSec SA; it negotiates the VPN terms and authorizes the peer. Phase II establishes SAs for IPSec, providing source authentication, integrity and confidentiality.

Using manual key exchange, Phase I settings will be ignored by the GTA firewall.

Creating the VPN Connection

Presuming that you use the default VPN objects, navigate to Configuration>VPN>IPSec Tunnels.

Creating a VPN Connection using IKE IPSec Key Mode

Select the VPN object to be used for dynamic incoming connections from the Dynamic Incoming Connections pulldown. The default VPN object is Standard Dynamic.

Under the Advanced tab, ensure the Automatic Policies checkbox is enabled. This option will automatically configure the necessary VPN policies to allow ESP (protocol 50) and UDP ports 500 and 4500 on the configured VPN. To create more restrictive VPN policies, navigate to Configuration>Security Policies>Policy Editor>VPN Policies.

Select New to create a new IPSec Tunnel.

Select the IPSec Key Mode. For this example, select IKE (automatic key mode). To create a Manual VPN, see Creating a VPN Using Manual IPSec Key Mode.

Complete the VPN settings fields as described below:

Table 2.3: Creating a VPN Using IKE IPSec Key Mode

Disable: Check to disable all access for the configured IPSec tunnel.
Description: A description of the IPSec Tunnel.
IPSec Key Mode: IKE (automatic key exchange)
VPN Object: A selection for the VPN object used to define this VPN. See Which VPN Object Should I Use? for more information.
Pre-shared Secret: ASCII or HEX format value of the pre-shared secret as defined in the VPN. This same key needs to be entered in the GTA Mobile VPN Client when configuring the security policy.

Local
  Gateway: Select an IP address, alias or H2A group assigned to an external network interface on the local firewall that will serve as the VPN gateway. (For the second VPN gateway or mobile client, this IP address is the remote gateway.) This is the visible, non-encapsulated, non-encrypted IP address.
  Network: Select the host/subnetwork that should be accessible from the VPN. Typically this is the protected network or PSN. Alternatively, select <USE IP ADDRESS> and enter the IP address(es) in the IP Address field.
  Advanced, Identity: User IP address, domain name or email address for user authentication. This field is used to associate the local identity with a pre-shared secret key. Typically, this is <IP Address>.

Remote
  Gateway: The IP address of the remote end of the VPN tunnel, the gateway to the remote network. If the remote network is behind a firewall, then this will be assigned to the external network interface. This IP address will also help determine the routing of the encapsulated packet.
  Network: Previously defined address object or an IP address of the network that resides behind the remote firewall. This can be just the part of the network to which access is desired. (On a firewall, typically this will be the protected network, PSN or a subnet of either.) Use a subnet mask to define the class of network.
  Advanced, Identity: User IP address, domain name or email address for user authentication. This field is used to associate the remote identity with a pre-shared secret key. Typically, this is <IP Address>.

Creating a VPN Connection using Manual IPSec Key Mode

Select the VPN object to be used for dynamic incoming connections from the Dynamic Incoming Connections pulldown. The default VPN object is Standard Dynamic.

Under the Advanced tab, ensure the Automatic Policies checkbox is enabled. This option will automatically configure the necessary security policies to allow inbound and outbound access on the configured VPN.

Select New to create a new IPSec Tunnel.

Select the IPSec Key Mode. For this example, select Manual.

Complete the VPN settings fields as described below.

Table 2.2: Creating a VPN Using Manual IPSec Key Mode

Disable: Check to disable all access for the selected VPN.
Description: A description of the VPN.
IPSec Key Mode: Manual
VPN Object: A selection for the VPN object used to define this VPN. See Which VPN Object Should I Use? for more information.

Local
  Gateway: Select an IP address, alias or H2A group assigned to an external network interface on the local firewall that will serve as the VPN gateway. (To the second VPN gateway or mobile client, this IP address is the remote gateway.) This is the visible, non-encapsulated, non-encrypted IP address.
  Network: Select the host/subnetwork that should be accessible from the VPN. Typically this is the protected network or PSN. Alternatively, select <USER DEFINED> and enter the IP address in the IP Address field.

Remote
  Gateway: The IP address of the remote end of the VPN tunnel, the gateway to the remote network. If the remote network is behind a firewall, then this will be assigned to the external network interface. This IP address will also help determine the routing of the encapsulated packet. Default is
  Network: Previously defined address object or an IP address of the network that resides behind the remote firewall. This can be just the part of the network to which access is desired. (On a firewall, typically this will be the protected network, PSN or a subnet of either.) Use a subnet mask to define the class of network.

Manual
  Encryption Key: Select the format for the encryption key value: ASCII or HEX
  Hash Key: ASCII or HEX format value hash algorithm for the authentication transformation.
  Security Parameter Index: Inbound SPI, default value is 256. Outbound SPI, default value is 256.

Encryption Key Length

Blowfish encryption transformations use variable key lengths, while AES, DES and 3DES use a fixed-length key. If you exceed the maximum key length in these fields, you will generate an error and not be able to save the configuration until it is corrected. You may enter a shorter key; the system will pad it to the minimum key size. A larger key size generally results in stronger encryption.

Table 2.3: Encryption Key Length (columns: Algorithm, Key Size, ASCII and Hexadecimal Characters)

AES-128: 128 bits; 16 ASCII or 32 Hex
AES-192: 192 bits; 24 ASCII or 48 Hex
AES-256: 256 bits; 32 ASCII or 64 Hex
Blowfish: bits; 5-56 ASCII or Hex
DES: 64 bits; 8 ASCII or 16 Hex
3DES: 192 bits; 24 ASCII or 48 Hex

Hash Key Length

The key length for the MD5 transformation is 128 bits, which is 16 ASCII characters or 32 hexadecimal characters. The key length for the SHA-1 transformations is 160 bits, which is 20 ASCII (40 hexadecimal) characters; it provides 80 bits of security. The key length for the SHA-2 (SHA-256) transformations is 256 bits, which is 32 ASCII (60 hexadecimal) characters; it provides 128 bits of security against mid-transport data tampering. Generally, larger keys are more secure.

Security Parameter Index (SPI)

The Inbound and Outbound Security Parameter Index are arbitrary numbers used to uniquely identify a security association on a Manual VPN. The Inbound SPI will be the Outbound SPI on the remote side of the VPN; also, the Outbound SPI will be the Inbound SPI on the remote side of the VPN. The SPI should be unique for each SA, although the Inbound and Outbound SPI may have the same value. The minimum SPI value is 256.
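The manual-mode rules above (over-length keys rejected, short keys padded, SPIs of at least 256 that mirror each other on the two gateways) can be checked before the values are typed into either firewall. The following Python check is an added example, not GTA code: the ManualTunnel record, its field names and the sample keys are constructed for illustration, the Blowfish bit range is derived from the guide's 5-56 ASCII characters, and applying the same length rule to hash keys and comparing keys as decoded bytes are assumptions.

```python
import hmac
import string
from dataclasses import dataclass

# (minimum, maximum) key size in bits. Fixed sizes follow the guide's
# key-length sections; Blowfish is 5-56 ASCII characters x 8 bits.
ENC_KEY_BITS = {
    "AES-128": (128, 128), "AES-192": (192, 192), "AES-256": (256, 256),
    "DES": (64, 64), "3DES": (192, 192), "Blowfish": (40, 448),
}
HASH_KEY_BITS = {"MD5": (128, 128), "SHA-1": (160, 160), "SHA-256": (256, 256)}
MIN_SPI = 256  # minimum SPI value stated in the guide


@dataclass
class ManualTunnel:  # hypothetical record, not a GB-OS export format
    name: str
    enc_alg: str
    enc_key: str
    enc_fmt: str      # "ascii" or "hex"
    hash_alg: str
    hash_key: str
    hash_fmt: str
    inbound_spi: int
    outbound_spi: int


def key_material(value, fmt):
    """Decode an ASCII or HEX field value to raw key bytes (ValueError if bad)."""
    if fmt == "ascii":
        return value.encode("ascii")
    if fmt == "hex":
        if len(value) % 2 or any(c not in string.hexdigits for c in value):
            raise ValueError("not an even-length string of 0-9, A-F")
        return bytes.fromhex(value)
    raise ValueError(f"unknown key format {fmt!r}")


def check_key(field, alg, table, value, fmt):
    """Return findings for one key field against the size table."""
    if alg not in table:
        return [f"{field}: unsupported algorithm {alg}"]
    try:
        bits = len(key_material(value, fmt)) * 8
    except ValueError as exc:
        return [f"{field}: invalid {fmt} value ({exc})"]
    lo, hi = table[alg]
    if bits > hi:  # the firewall refuses to save an over-length key
        return [f"{field}: {bits} bits exceeds the {hi}-bit maximum for {alg}"]
    if bits < lo:  # accepted, but padded up to the minimum size
        return [f"{field}: {bits} bits is short of {lo}; the key would be padded"]
    return []


def check_tunnel(t):
    """Findings for one gateway's manual tunnel definition."""
    out = check_key("encryption key", t.enc_alg, ENC_KEY_BITS, t.enc_key, t.enc_fmt)
    out += check_key("hash key", t.hash_alg, HASH_KEY_BITS, t.hash_key, t.hash_fmt)
    for label, spi in (("inbound", t.inbound_spi), ("outbound", t.outbound_spi)):
        if spi < MIN_SPI:
            out.append(f"{label} SPI {spi} is below the minimum of {MIN_SPI}")
    return [f"{t.name}: {msg}" for msg in out]


def check_pair(a, b):
    """Findings for both ends of a manual tunnel, including cross-checks."""
    out = check_tunnel(a) + check_tunnel(b)
    if a.inbound_spi != b.outbound_spi or a.outbound_spi != b.inbound_spi:
        out.append("SPI mismatch: each side's inbound SPI must be the peer's outbound SPI")
    if (a.enc_alg, a.hash_alg) != (b.enc_alg, b.hash_alg):
        out.append("algorithm mismatch between the two gateways")
        return out
    fields = (("encryption key", a.enc_key, a.enc_fmt, b.enc_key, b.enc_fmt),
              ("hash key", a.hash_key, a.hash_fmt, b.hash_key, b.hash_fmt))
    for label, ka, fa, kb, fb in fields:
        try:
            same = hmac.compare_digest(key_material(ka, fa), key_material(kb, fb))
        except ValueError:
            continue  # malformed value already reported by check_tunnel
        if not same:
            out.append(f"{label} differs between the two gateways")
    return out


# Constructed sample values (not real keys): two ends of one tunnel.
SAMPLE_LOCAL = ManualTunnel("orlando", "AES-128", "00112233445566778899aabbccddeeff",
                            "hex", "SHA-1", "constructed-sha1-key", "ascii", 300, 301)
SAMPLE_REMOTE = ManualTunnel("newyork", "AES-128", "00112233445566778899AABBCCDDEEFF",
                             "hex", "SHA-1", "constructed-sha1-key", "ascii", 301, 300)

if __name__ == "__main__":
    for finding in check_pair(SAMPLE_LOCAL, SAMPLE_REMOTE) or ["no findings"]:
        print(finding)
```
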

Configuring a Custom VPN Object

VPN objects configure how incoming VPN connections will be negotiated by defining what client or VPN gateway initiation behavior should be acceptable to your GTA firewall. Appropriate VPN configuration objects vary with the type of VPN connection and your security policies.

Encryption objects are used to easily reference encryption settings when configuring a VPN object. For more information, see Configuring an Encryption Object.

To create or configure an existing VPN object, navigate to Configuration>System>Object Editor>VPN Objects.

Table 2.4: Configuring a VPN Object

Disable: Disables the VPN object for use in a VPN configuration.
Name: A unique name for the VPN object to reference it throughout the firewall's configuration.
Description: A brief description of the use of the VPN object.

Phase I
  Exchange Mode: Specify flexible (<main>) or forced (<aggressive>) negotiation of acceptable encryption algorithms for IKE. Aggressive mode is required if one component of the VPN has a dynamic (DHCP or PPP) IP address, such as with a dynamically-addressed VPN gateway or mobile VPN client.
  Encryption Object: A selection for the level of encryption to be used by the VPN object. For more information on configuring encryption objects, see Configuring a Custom Encryption Object.
  Advanced
    Force Mobile Protocol: A toggle used to switch forced negotiation suited to VPNs involving dynamic IP addresses, including VPN gateways with dynamic (DHCP or PPP) IP addresses.
    Force NAT-T Protocol: A toggle used to switch forced use of NAT-T (Network Address Translation - Traversal) for connections that do not require NAT-T (are not using NAT that denies VPN IKE connections) on or off.
    Lifetime: Specify the length of time in minutes before the Phase I (IKE) security associations must be renewed. Shorter times are generally more secure, but may reduce performance by adding renewal overhead time to the connection.
    DPD Interval: Specify the interval in seconds between checks for continued viability of the VPN connection (also known as dead peer detection). To disable DPD queries made by this firewall, set the interval to 0; the firewall will still respond to DPD signals from other VPN gateways and clients, but will not initiate any signals of its own.

Phase II
  Encryption Object: Specify the encryption algorithm that this firewall should accept for VPN data transfers (ESP). Strong encryption means that any algorithm except None and Null will be accepted from the VPN initiator. (Null provides IP encapsulation, but no encryption. None provides neither encryption nor encapsulation.) Null provides no security benefits, but is useful to transport non-IP protocols when using NAT between firewalls. GTA firewalls initiate connections using AES-128 by default.
  Advanced
    Lifetime: Specify the length of time in minutes before the Phase II security associations must be renewed. The entered value must be smaller than the Phase I Lifetime. Shorter times are generally more secure, but may reduce performance by adding renewal overhead time to the connection.

About Phase I

Phase I establishes VPN peer identities (keys) that can be tested for authenticity and establishes initial security associations (SAs) correlating hosts to encryption methods. These SAs secure further VPN negotiation and setup communications, not actual transfers of user data.

During Phase I, the Diffie-Hellman cryptographic technique uses random and prime numbers to generate a secondary number. These secondary numbers are then exchanged, and each host uses a combination of these secondary numbers as keys. Because predicting random numbers and determining prime numbers are both computationally difficult, knowledge of the random and prime numbers behind the generation of a key can be used to prove host authenticity. Increased computational power means that a key may eventually be computed; this is why key-based security such as VPN phases must be periodically regenerated to guarantee the authenticity of a packet's source.

Once Diffie-Hellman key exchanges have been performed (automatically with IKE or manually), these temporary keys are used to prove the authenticity of hosts requesting encryption and hash methods to be used during Phase II negotiations.

Automatic key exchange (IKE) uses Phase I settings during its automatic negotiations. Manual key exchange does not use Phase I settings, because the firewall does not provide automatic negotiations in manual mode.

About Phase II

Phase II uses the host authenticity and agreed initial hash and encryption established in Phase I to protect secondary negotiations for authenticity, data integrity and confidentiality settings. These secondary settings are used in the actual transfer of user data.

Using the temporary protection mechanisms devised during Phase I, Phase II again performs negotiations for keys, hashes and encryption that will be used to protect the transfer of actual user data.
Configuring a Custom Encryption Object

Encryption objects are used to easily reference encryption settings when configuring a VPN object. By default, GB-OS ships with five built-in encryption objects that are pre-configured with varying levels of encryption. They can be viewed and duplicated, but cannot be edited or deleted.

Table 2.5: Configuring a Custom Encryption Object

Field: Description

Disable: Disables the configured encryption object.
Name: A unique name for the encryption object to reference it throughout the firewall's configuration.
Description: A brief description to describe the use of the encryption object.
Encryption Method: Select the encryption algorithm that the firewall should accept for VPN data transfers. Default is <AES-192>. For more information on what encryption method to select, see Encryption Method.
Hash Algorithm: Select the hash algorithm that should be used to provide checks for packet tampering. Default is <HMAC-SHA1>. For more information on what hash algorithm to select, see Hash Algorithm.
Key Group: Select the Diffie-Hellman key group (bit size of the key) to use in authenticity keys. Default is <Diffie-Hellman Group 2>. For more information on what key group to select, see Key Group.

Encryption Methods

Different encryption methods use proprietary methods for generating keys used to verify VPN data transfers. GTA firewalls support the following encryption methods:

Table 2.6: Encryption Methods

Field: Description

None: None provides neither encryption nor encapsulation when establishing a VPN connection.
Null: Null provides IP encapsulation, but no encryption. There are no security benefits when <Null> is selected, but it is useful to transport non-IP protocols when using NAT between firewalls.
AES: Advanced Encryption Standard; AES has become the new United States federal standard for encrypting commercial and government data. AES, with a key strength of 192 bits, is the default encryption level used by GB-OS encryption objects.
Blowfish: Blowfish is fast, supports long keys and is widely recognized throughout the security industry. Blowfish has been known to perform nearly twenty times faster than DES encryption.
DES: Data Encryption Standard; an algorithm used for encryption which was the official algorithm of the United States Government. DES has since been replaced by the AES algorithm.
3DES: 3DES, often referred to as Triple DES, is three rounds of DES encryption. Each round uses a different permutation of your key. 3DES is a secure algorithm, yet can impact performance.
Strong: Selecting <Strong> allows use of any encryption algorithm, a suitable selection when the VPN object's Phase I Exchange Mode is set to <Main>.

Hash Algorithm

The encryption object's Hash Algorithm is used to perform packet tampering checks in the Phase I and Phase II authentication headers. GTA firewalls support the following hash algorithms:

Table 2.7: Hash Algorithms

Field: Description

None: <None> provides no authenticity checks on the connection.
HMAC-MD5: A one-way hash function that creates a 16-byte (128-bit) hash or message digest to authenticate packet data.
HMAC-SHA1: A one-way hash function that creates a 20-byte (160-bit) hash or message digest to authenticate packet data. SHA1 is more resistant to attacks than MD5, but slower to compute.
HMAC-SHA2: Blowfish is fast, supports long keys and is widely recognized throughout the security industry. Blowfish has been known to perform nearly twenty times faster than DES encryption.
All: <All> allows for the use of any hash algorithm.

Key Group

The encryption object's Key Group is used to exchange the VPN's pre-shared secret using a Diffie-Hellman exchange.

In a Diffie-Hellman exchange, two parties independently generate random public and private values. Each sends their public value to the other (using authentication to foil man-in-the-middle attacks); the private values remain secret. Each then combines the public key received with their own private key. The resulting key is the pre-shared secret and it is identical for both sides.

When selecting the bit size of the Diffie-Hellman group, keep in mind that while a larger bit size is generally more secure, it can significantly increase the amount of time it takes to decrypt content. GB-OS encryption objects default to <Diffie-Hellman Group 2 (1024 bits)>.

Configuring VPN Policies

By default, GB-OS will automatically configure the necessary security policies to allow inbound and outbound access for all configured VPNs. If this has been toggled off (the setting is available under the Advanced tab located on the Configuration>VPN>IPSec Tunnels screen), it is necessary to manually define VPN policies to allow VPN traffic (ESP (protocol 50) and UDP (ports 500 and 4500)).

Note: It is recommended to have automatic policies enabled on the Configuration>VPN>IPSec Tunnels screen to simplify the VPN configuration process.

Use VPN policies (Configuration>Security Policies>VPN Policies) to control access through the VPN. Make modifications to your VPN policy as per your local security policy.

Creating Authorization

If the configured IPSec Tunnel is to be used by mobile users using the GTA Mobile VPN Client, it is necessary to define how the mobile users will authenticate with the firewall. After configuring a VPN connection, use the Configuration>Accounts section to configure mobile users by assigning them to groups and defining their user accounts.

User groups are used to assign users to a VPN object and local network. User accounts, pooled in user groups, are used to define the identity and password to be entered when authenticating with the firewall.

Creating Groups

Groups are used to define the VPN object and local network that GTA Mobile VPN Client users will be using. When defining a group, additional groups can also be added to the group being defined to pool additional users. This can be useful if a policy is being defined that is required to affect multiple groups.

Groups are configured under Configuration>Accounts>Groups.

Table 2.8: Creating Groups

Field Name: Description

Disable: Disables the group.
Name: The name for the group.
Description: A short description to identify the use of the group.

Mobile VPN
Disable: Disables VPN access for the user group.
Authentication Required: A toggle for whether users configured under the group should be required to authenticate with the firewall using the GTA Mobile VPN Client or not.
VPN Object: The VPN object to be used by the user group.
Local Network: The local network that users within the configured user group can access.

Groups
Sub Group: Select a previously defined group to reference additional groups.
Description: A short description to explain why this group is included.

Creating Users

User accounts are used to define the identity and password to be entered when mobile users authenticate with the firewall.

Table 2.9: Creating User Accounts

Field Name: Description

Disable: Disables the account.
Name: The name for the account.
Description: A short description to identify the use of the account.
Identity: Used for authentication purposes, this is typically the user's account.
Group: A selection for the user's user group. Selecting ??? means no user group has been selected. See Creating Groups for more information.
Authentication Method: Select the method for authentication.
Password: The password for user authentication.

Mobile VPN
Disable: Disables VPN access for the account.
Remote Network: The IP address or address object of the remote network.
IP Address: If <USER DEFINED> is selected as the Remote Network, then enter the IP address here.
Pre-shared Secret: The ASCII or HEX value pre-shared secret.

GTA Mobile VPN Client Setup

If laptop computers and other non-gateway servers and computers will connect to your GTA Firewall's VPN, install and configure GTA Mobile VPN Client software on those computers.

Additional Mobile VPN Client licenses are available for purchase separately from an authorized GTA Channel Partner or GTA sales.

Note: Installation and configuration instructions assume that the client computer is not behind a router that requires modification.

Installing the GTA Mobile VPN Client

The installation process for the GTA Mobile VPN Client is typical for Windows-compatible software.

Note: Microsoft Windows Vista is currently not supported by the GTA Mobile VPN Client. Microsoft Windows Vista support will be included in a future release.

To install the GTA Mobile VPN Client software:

1. Log in to the Windows computer under an administrative account.
2. Start the installer.
3. Click the Next button to read the license agreement. If you agree to the terms, click Yes to continue the installation.
4. Select an installation path for the software; the default path is C:\Program Files\GTA\Mobile VPN Client.
5. Complete the installation wizard.

After completing the installation wizard, you will be prompted to reboot the computer. Rebooting the computer completes the installation process.

Activating the GTA Mobile VPN Client

The GTA Mobile VPN Client requires activation for any use beyond the initial thirty-day evaluation period. The license number necessary for activation can be retrieved from the GTA Support Center. Once logged in, click on the View Your Registered Products link and select your firewall's serial number. Your GTA Mobile VPN Client license number will be displayed in the Activation Codes section.

Note: Should your GTA Mobile VPN Client license number not be displayed in the Activation Codes section, make sure your GTA Firewall is running GB-OS version 3.7 or greater. If you have a current support contract, please upgrade your GTA firewall and then retrieve the activation code. If you do not have a current support contract, you will need to contact GTA's sales department or your local GTA Channel Partner.

To activate the GTA Mobile VPN Client:

1. Open the GTA Mobile VPN Client to start the activation wizard. If the client is already open and running, navigate to ? (Help)>Activation Wizard.

Figure 3.1: Activation Wizard

2. Click the Activate button. Doing so will display the following screen:

Figure 3.2: Entering the License Number

3. The GTA Mobile VPN Client license number needs to be entered either as a single string of twenty characters or as four sets of six characters. If your license number is four sets of six characters, you will need to switch the format of the License Number field to allow entry of your license number. To do so, select the Click here to enter... link.

Figure 3.3: Switching the License Number Format

4. Enter the GTA Mobile VPN Client license number and click Next. A successful activation will display the following screen:

Figure 3.4: Completing the Activation Wizard

Note: If an error message is displayed during activation, refer to Table D.1: Activation Errors for troubleshooting.

Configuring the VPN Client Software

To connect your computer to the GTA Firewall's VPN, you must first input connection settings into the GTA Mobile VPN Client.

You may use the Configuration Wizard to configure the software. It will configure the client for a connection compatible with default GB-OS firewall settings. If you elect to use the VPN client configuration wizard, you do not need to complete the manual configuration instructions later in this section. For more information, see Running the Configuration Wizard.

Use the included worksheet on the following page to collect settings for your VPN client. Enter the settings as required by tunnel, Phase 1 or Phase 2 setup. Once your VPN client is configured, start/stop your VPN connection as desired.

For more information on advanced mobile VPN client features such as automatic start/stop of your VPN connection, see Advanced Mobile Client Setup.

Running the Configuration Wizard

Running the configuration wizard will configure the GTA Mobile VPN Client for a connection compatible with default GB-OS firewall settings. Settings for your GTA Mobile VPN Client must match your firewall's VPN configuration object and authorization settings. Contact your network administrator to obtain matching VPN settings.

To run the configuration wizard, navigate to VPN Configure>Config. Wizard and complete the available fields. Once complete, click Next. The next screen will allow you to review your settings. If correct, click Finish.

Figure 3.5: Running the Configuration Wizard

VPN Settings Worksheet

Print and fill out the fields below for assistance when configuring the GTA Mobile VPN Client.

Table 3.1: VPN Settings Worksheet

Field: Value

Firewall IP Address:

Phase 1
Name:
Interface:
Remote Gateway:
Preshared Key:

IKE
Encryption (circle one): DES  3DES  AES 128  AES 192  AES 256
Authentication (circle one): MD5  SHA
Key Group (circle one): DH768  DH1024  DH1536  DH2048

Phase 2
Name:
VPN Client Address:
Address Type (circle one): Single Address  Subnet Address
Remote LAN Address:
Subnet Mask:

ESP
Encryption (circle one): DES  3DES  AES 128  AES 192  AES 256
Authentication (circle one): MD5  SHA
Mode (circle one): Tunnel
PFS (circle one): DH768  DH1024  DH1536  DH

Manually Configuring the GTA Mobile VPN Client

If you wish to manually configure the GTA Mobile VPN Client, configure the client using the following instructions.

Entering Preferences (Parameters)

Parameters for phase lifetime and dead peer detection (DPD) do not need to match the settings of your GTA firewall, but agreement between the two is beneficial.

To enter lifetimes and DPD intervals for Phase 1 and 2 of your VPN:

1. Start the GTA Mobile VPN Client software (or click its icon in the system tray to display the Configuration Panel).
2. Click the Parameters icon located in the left-hand menu.
3. Enter your IKE and IPSec (Phase 1 and 2) lifetimes in the Lifetime fields. Values entered are in seconds. Times specify when keys should be renewed and security associations recreated. Shorter times are generally more secure, although they can add performance overhead to the VPN.

Note: The maximum lifetimes for the GTA Mobile VPN Client must be less than the lifetime indicated by the firewall.

4. Enter your Check Interval for dead peer detection (DPD). Do not enter a value of
5. Configure Miscellaneous settings as desired. Retransmissions defines how many times the client will attempt to retransmit a message before giving up. Delay between retries defines the amount of time, in seconds, before the client will attempt to retry opening a connection. Leave the IKE Port field blank.
6. Leave Block non-ciphered connection unchecked unless you wish to force all connections, including traffic with a non-VPN destination, through the VPN tunnel.
7. Click Save & Apply.
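The guide states several constraints between the client's settings and the firewall's VPN object: client lifetimes (seconds) must be less than the firewall's (minutes), the Phase II lifetime must be smaller than the Phase I lifetime, aggressive mode is required for dynamically addressed clients, and encryption, hash and key group must match what the firewall object accepts. The Python check below is an added example, not GTA code; the field names and all sample values are assumptions made for illustration.

```python
# All field names are hypothetical; they mirror the guide's tables and
# worksheet, not a GB-OS or client configuration file format.


def admits(firewall_value, client_value, wildcard, excluded=()):
    """Return True if the firewall object's setting accepts the client's value."""
    if firewall_value == wildcard:
        return client_value not in excluded
    return firewall_value == client_value


def check_client_profile(fw, client):
    """Return a list of settings that break the rules stated in the guide."""
    problems = []

    # The firewall takes lifetimes in minutes, the client in seconds.
    fw_life = {p: fw[p]["lifetime_min"] * 60 for p in ("phase1", "phase2")}
    if fw_life["phase2"] >= fw_life["phase1"]:
        problems.append("firewall: Phase II lifetime must be smaller than Phase I")
    for phase in ("phase1", "phase2"):
        if client[phase]["lifetime_s"] >= fw_life[phase]:
            problems.append(
                f"{phase}: client lifetime {client[phase]['lifetime_s']} s is not "
                f"less than the firewall's {fw_life[phase]} s")

    # Aggressive mode is required when one end has a dynamic address.
    if client["dynamic_address"] and fw["phase1"]["exchange_mode"] != "aggressive":
        problems.append("phase1: dynamic client address requires aggressive mode")

    for phase in ("phase1", "phase2"):
        f, c = fw[phase], client[phase]
        # "Strong" accepts any encryption method except None and Null.
        if not admits(f["encryption"], c["encryption"], "Strong", ("None", "Null")):
            problems.append(f"{phase}: encryption {c['encryption']} is not "
                            f"accepted by firewall setting {f['encryption']}")
        # "All" accepts any hash algorithm.
        if not admits(f["hash"], c["hash"], "All"):
            problems.append(f"{phase}: hash {c['hash']} is not accepted by "
                            f"firewall setting {f['hash']}")
        if f["key_group_bits"] != c["key_group_bits"]:
            problems.append(f"{phase}: key group DH{c['key_group_bits']} does not "
                            f"match the firewall's DH{f['key_group_bits']}")
    return problems


# Constructed sample settings.
FIREWALL = {
    "phase1": {"exchange_mode": "aggressive", "encryption": "AES-128",
               "hash": "HMAC-SHA1", "key_group_bits": 1024, "lifetime_min": 90},
    "phase2": {"encryption": "Strong", "hash": "All",
               "key_group_bits": 1024, "lifetime_min": 60},
}
CLIENT_OK = {
    "dynamic_address": True,
    "phase1": {"encryption": "AES-128", "hash": "HMAC-SHA1",
               "key_group_bits": 1024, "lifetime_s": 3600},
    "phase2": {"encryption": "AES-128", "hash": "HMAC-MD5",
               "key_group_bits": 1024, "lifetime_s": 1800},
}
CLIENT_BAD = {
    "dynamic_address": True,
    "phase1": {"encryption": "3DES", "hash": "HMAC-SHA1",
               "key_group_bits": 1024, "lifetime_s": 5400},  # equals 90 min
    "phase2": {"encryption": "Null", "hash": "HMAC-SHA1",
               "key_group_bits": 768, "lifetime_s": 1800},
}

if __name__ == "__main__":
    for problem in check_client_profile(FIREWALL, CLIENT_BAD):
        print(problem)
```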


More information

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip WINXP VPN to ZyWALL Tunneling 1. Setup WINXP VPN 2. Setup ZyWALL VPN This page guides us to setup a VPN connection between the WINXP VPN software and ZyWALL router. There will be several devices we need

More information

MN-700 Base Station Configuration Guide

MN-700 Base Station Configuration Guide MN-700 Base Station Configuration Guide Contents pen the Base Station Management Tool...3 Log ff the Base Station Management Tool...3 Navigate the Base Station Management Tool...4 Current Base Station

More information

Technical Document. Creating a VPN. GTA Firewall to Linksys Cable/DSL Router TDVPNLINKSYS200605-01

Technical Document. Creating a VPN. GTA Firewall to Linksys Cable/DSL Router TDVPNLINKSYS200605-01 Technical Document Creating a VPN GTA Firewall to Linksys Cable/DSL Router TDVPNLINKSYS200605-01 Contents Introduction 1 Encryption and Authentication Methods 1 IP Addresses Used in Examples 1 Documentation

More information

How To Install Sedar On A Workstation

How To Install Sedar On A Workstation SEDAR Client Installation Guide Version 1.2 January 27, 2014 10 Contents About This Guide... 2 Assumptions... 3 Date Format Synchronization... 3 Before You Begin the Installation Test of the SEDAR Client...

More information

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers Application Note Revision 1.0 10 February 2011 Copyright 2011. Aruba Networks, Inc. All rights reserved. IPsec VPN Security

More information

How To Configure A Kiwi Ip Address On A Gbk (Networking) To Be A Static Ip Address (Network) On A Ip Address From A Ipad (Netware) On An Ipad Or Ipad 2 (

How To Configure A Kiwi Ip Address On A Gbk (Networking) To Be A Static Ip Address (Network) On A Ip Address From A Ipad (Netware) On An Ipad Or Ipad 2 ( UAG715 Support Note Revision 1.00 August, 2012 Written by CSO Scenario 1 - Trunk Interface (Dual WAN) Application Scenario The Internet has become an integral part of our lives; therefore, a smooth Internet

More information

VPN SECURITY POLICIES

VPN SECURITY POLICIES TECHNICAL SUPPORT NOTE Introduction to the VPN Menu in the Web GUI Featuring ADTRAN OS and the Web GUI Introduction This Technical Support Note shows the different options available in the VPN menu of

More information

Chapter 6 Virtual Private Networking

Chapter 6 Virtual Private Networking Chapter 6 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVX538 VPN firewall. VPN tunnels provide secure, encrypted communications between

More information

IP Office Technical Tip

IP Office Technical Tip IP Office Technical Tip Tip no: 190 Release Date: September 27, 2007 Region: GLOBAL Configuring a VPN Remote IP Phone with a Sonicwall Tz170 Standard / Enhanced VPN Router The following document assumes

More information

This topic discusses Cisco Easy VPN, its two components, and its modes of operation. Cisco VPN Client > 3.x

This topic discusses Cisco Easy VPN, its two components, and its modes of operation. Cisco VPN Client > 3.x Configuring Remote-Access VPNs via ASDM Created by Bob Eckhoff This white paper discusses the Cisco Easy Virtual Private Network (VPN) components, modes of operation, and how it works. This document also

More information

Table of Contents. Cisco Cisco VPN Client FAQ

Table of Contents. Cisco Cisco VPN Client FAQ Table of Contents Cisco VPN Client FAQ...1 Questions...1 Introduction...2 Q. Why does the VPN Client disconnect after 30 minutes? Can I extend this time period?...2 Q. I upgraded to Mac OS X 10.3 (known

More information

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client Generally speaking, remote users need to use a VPN client software for establishing a VPN connection to their home/work router

More information

Virtual Private Network and Remote Access Setup

Virtual Private Network and Remote Access Setup CHAPTER 10 Virtual Private Network and Remote Access Setup 10.1 Introduction A Virtual Private Network (VPN) is the extension of a private network that encompasses links across shared or public networks

More information

OfficeConnect Internet Firewall VPN Upgrade User Guide

OfficeConnect Internet Firewall VPN Upgrade User Guide OfficeConnect Internet Firewall VPN Upgrade User Guide 3CR16773-93 http://www.3com.com/ Part No DUA1677-3AAA02 Published April 2001 3Com Corporation 5400 Bayfront Plaza Santa Clara, California 95052-8145

More information

Virtual Private Network (VPN)

Virtual Private Network (VPN) Configuration Guide 5991-2120 April 2005 Virtual Private Network (VPN) VPN Using Preset Keys, Mode Config, and Manual Keys This Configuration Guide is designed to provide you with a basic understanding

More information

Chapter 3 LAN Configuration

Chapter 3 LAN Configuration Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. This chapter contains the following sections

More information

How to configure VPN function on TP-LINK Routers

How to configure VPN function on TP-LINK Routers How to configure VPN function on TP-LINK Routers 1. VPN Overview... 2 2. How to configure LAN-to-LAN IPsec VPN on TP-LINK Router... 3 3. How to configure GreenBow IPsec VPN Client with a TP-LINK VPN Router...

More information

Chapter 4 Customizing Your Network Settings

Chapter 4 Customizing Your Network Settings . Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the Wireless-G Router Model WGR614v9, including LAN, WAN, and routing settings. It

More information

Configuring a VPN between a Sidewinder G2 and a NetScreen

Configuring a VPN between a Sidewinder G2 and a NetScreen A PPLICATION N O T E Configuring a VPN between a Sidewinder G2 and a NetScreen This document explains how to create a basic gateway to gateway VPN between a Sidewinder G 2 Security Appliance and a Juniper

More information

VPN Configuration Guide. Dell SonicWALL

VPN Configuration Guide. Dell SonicWALL VPN Configuration Guide Dell SonicWALL 2013 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this manual may not be copied, in whole or in part, without the written consent of

More information

Chapter 4 Customizing Your Network Settings

Chapter 4 Customizing Your Network Settings Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the RangeMax Dual Band Wireless-N Router WNDR3300, including LAN, WAN, and routing settings.

More information

VPN Configuration Guide. Juniper Networks NetScreen / SSG / ISG Series

VPN Configuration Guide. Juniper Networks NetScreen / SSG / ISG Series VPN Configuration Guide Juniper Networks NetScreen / SSG / ISG Series equinux AG and equinux USA, Inc. 2009 equinux USA, Inc. All rights reserved. Under the copyright laws, this manual may not be copied,

More information

Scenario: Remote-Access VPN Configuration

Scenario: Remote-Access VPN Configuration CHAPTER 7 Scenario: Remote-Access VPN Configuration A remote-access Virtual Private Network (VPN) enables you to provide secure access to off-site users. ASDM enables you to configure the adaptive security

More information

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client Topology Note: ISR G2 devices have Gigabit Ethernet interfaces instead of FastEthernet Interfaces. All contents are Copyright 1992 2012

More information

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client Astaro Security Gateway V8 Remote Access via L2TP over IPSec Configuring ASG and Client 1. Introduction This guide contains complementary information on the Administration Guide and the Online Help. If

More information

Using IPSec in Windows 2000 and XP, Part 2

Using IPSec in Windows 2000 and XP, Part 2 Page 1 of 8 Using IPSec in Windows 2000 and XP, Part 2 Chris Weber 2001-12-20 This is the second part of a three-part series devoted to discussing the technical details of using Internet Protocol Security

More information

Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance

Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance This article will easily explain how to configure your Apple ipad, iphone or ipod Touch

More information

Appendix C Network Planning for Dual WAN Ports

Appendix C Network Planning for Dual WAN Ports Appendix C Network Planning for Dual WAN Ports This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports. This appendix contains the following sections:

More information

Configuring a VPN for Dynamic IP Address Connections

Configuring a VPN for Dynamic IP Address Connections Configuring a VPN for Dynamic IP Address Connections Summary A Virtual Private Network (VPN) is a virtual private network that interconnects remote (and often geographically separate) networks through

More information

How to configure VPN function on TP-LINK Routers

How to configure VPN function on TP-LINK Routers How to configure VPN function on TP-LINK Routers 1. VPN Overview... 2 2. How to configure LAN-to-LAN IPsec VPN on TP-LINK Router... 3 3. How to configure GreenBow IPsec VPN Client with a TP-LINK VPN Router...

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

Application Note: Integrate Juniper IPSec VPN with Gemalto SA Server. SASolutions@gemalto.com October 2007. www.gemalto.com

Application Note: Integrate Juniper IPSec VPN with Gemalto SA Server. SASolutions@gemalto.com October 2007. www.gemalto.com Application Note: Integrate Juniper IPSec VPN with Gemalto SA Server SASolutions@gemalto.com October 2007 www.gemalto.com Table of contents Overview... 3 Architecture... 5 Configure Juniper IPSec on an

More information

UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) i...

UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) i... Page 1 of 10 Question/Topic UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) in SonicOS Enhanced Answer/Article Article Applies To: SonicWALL Security

More information

Pre-lab and In-class Laboratory Exercise 10 (L10)

Pre-lab and In-class Laboratory Exercise 10 (L10) ECE/CS 4984: Wireless Networks and Mobile Systems Pre-lab and In-class Laboratory Exercise 10 (L10) Part I Objectives and Lab Materials Objective The objectives of this lab are to: Familiarize students

More information

Administrator's Guide

Administrator's Guide Administrator's Guide Contents Administrator's Guide... 7 Using Web Config Network Configuration Software... 8 About Web Config... 8 Accessing Web Config... 8 Restricting Features Available for Users...

More information

Legal Notes. Regarding Trademarks. Models supported by the KX printer driver. 2011 KYOCERA MITA Corporation

Legal Notes. Regarding Trademarks. Models supported by the KX printer driver. 2011 KYOCERA MITA Corporation Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

Chapter 3 Connecting the Router to the Internet

Chapter 3 Connecting the Router to the Internet Chapter 3 Connecting the Router to the Internet This chapter describes how to set up the router on your Local Area Network (LAN) and connect to the Internet. It describes how to configure your DG834GT

More information

7. Configuring IPSec VPNs

7. Configuring IPSec VPNs 7. This guide describes how to use the Unified Threat Management appliance (UTM) IPSec VPN Wizard to configure the IP security (IPSec) virtual private networking (VPN) feature. This feature provides secure,

More information

VPN Quick Configuration Guide. Astaro Security Gateway V8

VPN Quick Configuration Guide. Astaro Security Gateway V8 VPN Quick Configuration Guide Astaro Security Gateway V8 2010 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this configuration guide may not be copied, in whole or in part,

More information

Case Study for Layer 3 Authentication and Encryption

Case Study for Layer 3 Authentication and Encryption CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client

More information

Configuring SSL VPN on the Cisco ISA500 Security Appliance

Configuring SSL VPN on the Cisco ISA500 Security Appliance Application Note Configuring SSL VPN on the Cisco ISA500 Security Appliance This application note describes how to configure SSL VPN on the Cisco ISA500 security appliance. This document includes these

More information

Technical Notes TN 1 - ETG 3000. FactoryCast Gateway TSX ETG 3021 / 3022 modules. How to Setup a GPRS Connection?

Technical Notes TN 1 - ETG 3000. FactoryCast Gateway TSX ETG 3021 / 3022 modules. How to Setup a GPRS Connection? FactoryCast Gateway TSX ETG 3021 / 3022 modules How to Setup a GPRS Connection? 1 2 Table of Contents 1- GPRS Overview... 4 Introduction... 4 GPRS overview... 4 GPRS communications... 4 GPRS connections...

More information

FortiOS Handbook IPsec VPN for FortiOS 5.0

FortiOS Handbook IPsec VPN for FortiOS 5.0 FortiOS Handbook IPsec VPN for FortiOS 5.0 IPsec VPN for FortiOS 5.0 26 August 2015 01-504-112804-20150826 Copyright 2015 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered

More information

VNS3 to Cisco ASA Instructions. ASDM 9.2 IPsec Configuration Guide

VNS3 to Cisco ASA Instructions. ASDM 9.2 IPsec Configuration Guide VNS3 to Cisco ASA Instructions ASDM 9.2 IPsec Configuration Guide 2016 Site-to-Site IPsec Tunnel IPsec protocol allows you to securely connect two sites together over the public internet using cryptographically

More information

STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE

STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE V IRTUAL PRIVATE NETWORKS C ONTENTS Introduction to the Scenarios... 3 Scenario 1: Gateway-to-Gateway With Pre-Shared Secrets... 3 Configuring

More information

Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version 3.40 12/2004

Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version 3.40 12/2004 Prestige 202H Plus ISDN Internet Access Router Quick Start Guide Version 3.40 12/2004 Table of Contents 1 Introducing the Prestige...3 2 Hardware Installation...4 2.1 Rear Panel...4 2.2 The Front Panel

More information

V310 Support Note Version 1.0 November, 2011

V310 Support Note Version 1.0 November, 2011 1 V310 Support Note Version 1.0 November, 2011 2 Index How to Register V310 to Your SIP server... 3 Register Your V310 through Auto-Provision... 4 Phone Book and Firmware Upgrade... 5 Auto Upgrade... 6

More information

IP Office Technical Tip

IP Office Technical Tip IP Office Technical Tip Tip no: 186 Release Date: August 14, 2007 Region: GLOBAL Configuring a VPN Remote IP Phone with an Adtran Netvanta 3305 VPN Router The following document assumes that the user/installer

More information

ISG50 Application Note Version 1.0 June, 2011

ISG50 Application Note Version 1.0 June, 2011 ISG50 Application Note Version 1.0 June, 2011 Scenario 1 - ISG50 is placed behind an existing ZyWALL 1.1 Application Scenario For companies with existing network infrastructures and demanding VoIP requirements,

More information

SonicOS Enhanced 3.2 IKE Version 2 Support

SonicOS Enhanced 3.2 IKE Version 2 Support SonicOS Enhanced 3.2 IKE Version 2 Support Document Scope This document describes the integration of SonicOS Enhanced 3.2 with Internet Key Exchange protocol version 2 (IKEv2). This document contains the

More information

Apliware firewall. TheGreenBow IPSec VPN Client. Configuration Guide. http://www.thegreenbow.com support@thegreenbow.com

Apliware firewall. TheGreenBow IPSec VPN Client. Configuration Guide. http://www.thegreenbow.com support@thegreenbow.com TheGreenBow IPSec VPN Client Configuration Guide Apliware firewall WebSite: Contact: http://www.thegreenbow.com support@thegreenbow.com Table of contents 1 Introduction... 0 1.1 Goal of this document...

More information

VPN Configuration of ProSafe VPN Lite software and NETGEAR ProSafe Router:

VPN Configuration of ProSafe VPN Lite software and NETGEAR ProSafe Router: Page 1 of 8 VPN Configuration of ProSafe VPN Lite software and NETGEAR ProSafe Router: This document will guide you on how to create IKE and auto-vpn policies for your ProSafe NETGEAR Router, as well as

More information

Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation

Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation Basic ViPNet VPN Deployment Schemes Supplement to ViPNet Documentation 1991 2015 Infotecs Americas. All rights reserved. Version: 00121-04 90 01 ENU This document is included in the software distribution

More information

IPSec Pass through via Gateway to Gateway VPN Connection

IPSec Pass through via Gateway to Gateway VPN Connection IPSec Pass through via Gateway to Gateway VPN Connection 1. Connection 2 In the diagram depicted below, the left side router represents the SME200/SME100/SME50 in HQ and right side represents the PC installed

More information