APPLICATION NOTE

Creating a Gateway to Gateway VPN between Sidewinder G2 and Linux

This application note describes how to set up an IPsec VPN connection between a Linux host and a Sidewinder G2 Security Appliance.

www.securecomputing.com
Table of Contents

Overview ........................................ 3
Preparing your gateways ......................... 4
    Preparing the Linux gateway ................. 4
    Preparing the Sidewinder G2 ................. 4
Configuring your gateways ....................... 5
    Configuring your Sidewinder G2 .............. 5
    Configuring your Linux gateway .............. 7
Activating your VPN ............................. 10

86-0945497-A
Overview

Sidewinder G2 Security Appliance's VPN implementation is based on the well-defined IPSec and ISAKMP protocols, giving it the ability to establish VPN connections with a wide variety of clients, operating systems, and devices. This application note describes how to set up an IPsec VPN connection between a Linux host and a Sidewinder G2 Security Appliance.

Beginning with the 2.6 series of kernels, Linux offers built-in, kernel-space IPsec encryption/decryption. This built-in IPSec capability, with the help of userspace programs from the KAME project ported from NetBSD, makes it possible to set up IPsec VPN connections to and from a Linux host with minimal configuration changes.

This application note describes how to set up a gateway to gateway, fixed IP VPN connection between a Linux server and a Sidewinder G2. The configuration presented here is a basic configuration; the example uses shared-password authentication and IP addresses as identities. Also, this configuration assumes that the Linux machine has a static IP address. Figure 1 shows a network diagram of this scenario.

Figure 1: Gateway to gateway, fixed IP VPN

    network A 10.10.1.0/24 -- Sidewinder G2 (192.168.1.2) -- Internet -- Linux (172.27.10.20) -- network B 172.17.1.0/24
    (legend: VPN tunnel; data)
Preparing your gateways

Before setting up the VPN between your Sidewinder G2 and a Linux host, each system must meet the requirements described in the respective sections.

Preparing the Linux gateway

The first step in setting up a Linux to Sidewinder G2 VPN is to make sure the Linux gateway's kernel and software are configured properly. Check that you have the following enabled, configured, and/or installed on your Linux gateway:

Kernel

On a Linux host running a 2.6 series kernel, enable the following options:

- PF_KEY sockets (NET_KEY)
- IP: AH transformation (INET_AH)
- IP: ESP transformation (INET_ESP)
- IP: IPsec user conf. interface (XFRM_USER)
- HMAC support (CRYPTO_HMAC)
- Null algorithm (CRYPTO_NULL)
- MD5 digest algorithm (CRYPTO_MD5)
- SHA1 digest algorithm (CRYPTO_SHA1)
- DES/3DES cipher algorithm (CRYPTO_DES)

Note: This document uses SHA1 and 3DES encryption algorithms, but you can choose to use or include other encryption algorithms.

Enable and configure the kernel's packet forwarding features.

Software

Install the setkey and racoon programs from the KAME project. Most Linux distributions make these programs available in a package called ipsec-tools.

Preparing the Sidewinder G2

Before creating the necessary Security Associations, do the following:

- Configure IKE for the appropriate burbs (VPN -> ISAKMP Server).
- Enable the ISAKMP server (Services Configuration > Servers > isakmp).
- Create a proxy rule allowing inbound ISAKMP traffic to the ISAKMP server (Policy Configuration > Rules).

You should also plan out this VPN's security policy. See the VPN chapter of the Sidewinder G2 Administration Guide and the "Configuring a VPN when using Proxy and IP Filter Rules" application note for more information. They can be found at www.securecomputing.com/goto/manuals and www.securecomputing.com/goto/appnotes, respectively.
Configuring your gateways

This section covers what parameters need to be set on each end of the gateway to gateway VPN.

Configuring your Sidewinder G2

At this point, your ISAKMP server is enabled and its associated proxy rule is set up. The next step is to create a new Security Association for this VPN by doing the following:

1 Log into the Admin Console.
2 Select VPN Configuration > Security Associations.
3 Click New. A window similar to the following appears:

    [Figure 2: Security Association General tab for the example VPN]

4 On the General tab, enter the following information:

    Field name            Value
    Name                  site specific
    Enabled               Yes
    Encapsulation         Tunnel
    Burb                  site specific - select the burb associated with this VPN's local network
    Mode                  Fixed IP
    Client Address Pool   <disabled>
    Local IP              localhost
    Local Network/IP      10.10.1.0/24
    Remote IP             172.27.10.20
    Remote Network/IP     172.17.1.0/24; 172.27.10.20/32

    Note: The 172.27.10.20/32 address is listed in the remote network section so that the Linux gateway (as opposed to its internal network) can send traffic to Sidewinder G2's private network. If it does not need to, this additional Remote Network/IP entry is not necessary.

5 On the Authentication tab, set the Authentication Method to Password. The following window appears:

    [Figure 3: Authentication tab's General sub-tab for the example VPN]

6 On the General sub-tab, enter and confirm a password. This password is to be shared with the administrator of the Linux gateway.
7 Select the Identities sub-tab. A window similar to the following appears:

    [Figure 4: Authentication tab's Identities sub-tab for the example]

8 On the Identities sub-tab, you should not need to change anything. Verify that the identity values are correct. In the example, these would be Type = IP Address, Value = localhost for the Firewall Identity, and Gateway IP Address (172.27.10.20) for the Remote Identity.
9 On the Crypto and Advanced tabs, you may leave the default values. If you plan to use algorithms other than 3DES and SHA1 (the defaults), configure the new values on the Crypto tab. The values on the Advanced tab rarely need modification.
10 Click Add.
11 Click the Save icon to save the new Security Association.

The Sidewinder G2 side of the VPN is now configured.

Configuring your Linux gateway

Configuring the Linux gateway takes place in three parts:

1 Configuring the security policy, which the setkey program uses to enforce encryption requirements.
2 Configuring the ISAKMP key exchange, which the racoon program uses to establish communication and verify identities with Sidewinder G2.
3 Configuring the pre-shared key to use for the connection.

Security policy

Define the security policy by creating a script using setkey -f as an interpreter. Make sure the file is executable. File contents are as follows:

Note: Most distributions put this script in /etc/ipsec.conf. Your Linux system may already have a file named /etc/ipsec.conf. In this case, either overwrite the current file with the following script or save the script to another file and verify the Linux server uses the new file.

    #!/usr/sbin/setkey -f
    # Change the above line to point to your setkey program

    # Flush any existing security policy
    flush;
    spdflush;

    # Add policy entries:
    # Require ESP for outbound packets:
    spdadd localnetwork remotenetwork any -P out ipsec esp/tunnel/localip-remoteip/require;
    # Require ESP for inbound packets:
    spdadd remotenetwork localnetwork any -P in ipsec esp/tunnel/remoteip-localip/require;

    # The following entries are necessary if you want the Linux
    # host itself to be able to use the VPN to the remote private
    # network:
    # Require ESP for outbound packets:
    spdadd localip remotenetwork any -P out ipsec esp/tunnel/localip-remoteip/require;
    # Require ESP for inbound packets:
    spdadd remotenetwork localip any -P in ipsec esp/tunnel/remoteip-localip/require;

In this script, the variables represent the following:

- localip is the external IP address of the Linux server. In Figure 1 on page 3, this is 172.27.10.20.
- localnetwork is the IP address and network mask of the Linux server's internal network. In Figure 1, this is 172.17.1.0/24.
- remoteip is the external IP address of Sidewinder G2. In Figure 1, this is 192.168.1.2.
- remotenetwork is Sidewinder G2's internal network. In Figure 1, this is 10.10.1.0/24.

ISAKMP key exchange

The racoon program handles the key exchange and authentication. Most distributions put racoon's configuration files in the /etc/racoon directory. You will be altering, and therefore need to locate, the files racoon.conf and psk.txt. psk.txt contains the pre-shared keys, which will be explained in the next section.

The racoon program has many configuration options, but the defaults work in this scenario. For this reason the example configuration below will probably be much smaller than the default file included in your distribution. It should be safe to leave the default contents and simply add the remote and sainfo sections given below. File contents are as follows:

    path include "/etc/racoon";
    # Above line should point to the directory where racoon.conf
    # lives
    path pre_shared_key "/etc/racoon/psk.txt";
    # Above line should point to your psk.txt file

    # Define key exchange settings
    # Modify the hash_algorithm setting if you want, but make
    # sure the Sidewinder G2 supports it.
    remote remoteip {
        exchange_mode aggressive;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            dh_group modp1024;
        }
    }

    # Define encryption info for the SA
    # Modify the encryption_algorithm and
    # authentication_algorithm if you want, but make sure
    # Sidewinder G2 supports it.
    sainfo address localnetwork any address remotenetwork any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
    }

where

- localnetwork is the IP address and network mask of the Linux server's internal network. In Figure 1, this is 172.17.1.0/24.
- remoteip is the external IP address of Sidewinder G2. In Figure 1, this is 192.168.1.2.
- remotenetwork is Sidewinder G2's internal network. In Figure 1, this is 10.10.1.0/24.

Pre-shared key

Since this scenario uses a pre-shared key (Sidewinder G2 calls it a password) to authenticate this connection, make sure the Linux server knows the key. The racoon configuration file contains the path to the pre-shared key file, which most distributions store as /etc/racoon/psk.txt. Save the file in any location, but be sure to edit racoon.conf to point to that location. Also ensure that the file has permissions of 600. The file contents are as follows:

    remoteip <enter password set in the Sidewinder G2 SA>

where remoteip is Sidewinder G2's external IP address. In this file, the left-hand side is an ID, and the right-hand side is the password. This scenario uses IP addresses for IDs, so the ID field is simply Sidewinder G2's IP address.
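The three Linux-side files above are written with placeholder variables. The following shell script is an added example, not code from the application note or from ipsec-tools: it fills in the Figure 1 addresses, writes ipsec.conf, racoon.conf and psk.txt to a staging directory with the permissions the note calls for, and cross-checks them before anything is loaded (psk.txt is mode 600, the ID in psk.txt is the peer address in racoon's remote block, every outbound spdadd has its inbound mirror, and the sainfo selector covers the same networks as the policy). The staging directory, the function names and the password placeholder are this example's own; the algorithm settings are copied from the note as given and must match the Sidewinder G2 Crypto tab on the other side. One caveat on those settings: with aggressive mode the identity hash is sent before the exchange is protected, so the strength of the shared password carries the authentication, and a long random password is worth the effort.

```shell
#!/bin/sh
# Added example, not code from the application note or from ipsec-tools.
# Fills the note's placeholder variables with the Figure 1 addresses, writes
# the three Linux-side files to a staging directory and cross-checks them.
LOCALIP=172.27.10.20       # external address of the Linux gateway
LOCALNET=172.17.1.0/24     # internal network behind the Linux gateway
REMOTEIP=192.168.1.2       # external address of Sidewinder G2
REMOTENET=10.10.1.0/24     # internal network behind Sidewinder G2
PSK='<password set in the Sidewinder G2 SA>'   # placeholder, not a real key

# setkey policy: the note's four spdadd entries with the variables filled in.
gen_policy() {
    cat <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd $LOCALNET $REMOTENET any -P out ipsec esp/tunnel/$LOCALIP-$REMOTEIP/require;
spdadd $REMOTENET $LOCALNET any -P in ipsec esp/tunnel/$REMOTEIP-$LOCALIP/require;
spdadd $LOCALIP $REMOTENET any -P out ipsec esp/tunnel/$LOCALIP-$REMOTEIP/require;
spdadd $REMOTENET $LOCALIP any -P in ipsec esp/tunnel/$REMOTEIP-$LOCALIP/require;
EOF
}

# racoon.conf: the note's remote and sainfo sections. The algorithms here
# must match what is set on the Sidewinder G2 Crypto tab.
gen_racoon() {
    cat <<EOF
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
remote $REMOTEIP {
    exchange_mode aggressive;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}
sainfo address $LOCALNET any address $REMOTENET any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
EOF
}

# psk.txt: one line, the peer's address as ID, then the shared password.
gen_psk() { printf '%s %s\n' "$REMOTEIP" "$PSK"; }

# Write all three files into DIR: the policy script executable (it runs
# through its setkey -f interpreter line), psk.txt readable by its owner only.
write_configs() {
    dir=$1
    mkdir -p "$dir" || return 1
    gen_policy > "$dir/ipsec.conf"  && chmod 700 "$dir/ipsec.conf"  || return 1
    gen_racoon > "$dir/racoon.conf" || return 1
    gen_psk    > "$dir/psk.txt"     && chmod 600 "$dir/psk.txt"     || return 1
}

# Cross-check the files in DIR. Prints the first problem found to stderr and
# returns non-zero; returns 0 when everything is consistent.
check_configs() {
    dir=$1
    # psk.txt must be mode 600 (find prints the name only on an exact match)
    [ -n "$(find "$dir/psk.txt" -perm 600)" ] \
        || { echo "psk.txt is not mode 600" >&2; return 1; }
    # the peer in racoon's remote block must be the ID used in psk.txt
    peer=$(sed -n 's/^remote \([0-9.]*\) {.*/\1/p' "$dir/racoon.conf")
    grep -q "^$peer " "$dir/psk.txt" \
        || { echo "no pre-shared key for peer $peer" >&2; return 1; }
    # every outbound spdadd needs an inbound mirror: src/dst swapped and the
    # tunnel endpoints reversed (peer address first)
    grep '^spdadd .* -P out ' "$dir/ipsec.conf" |
    while read -r kw src dst rest; do
        grep -q "^spdadd $dst $src any -P in ipsec esp/tunnel/$peer-" "$dir/ipsec.conf" \
            || { echo "no inbound policy mirroring $src -> $dst" >&2; exit 1; }
    done || return 1
    # racoon's sainfo selector must cover the same networks as the policy
    grep -q "^sainfo address $LOCALNET any address $REMOTENET any" "$dir/racoon.conf" \
        || { echo "sainfo selector does not match the setkey policy" >&2; return 1; }
    return 0
}

# Usage: sh thisfile.sh /path/to/staging-dir
if [ $# -gt 0 ]; then
    write_configs "$1" && check_configs "$1" && echo "files in $1 are consistent"
fi
```

The checks are deliberately file-to-file: a mismatch between the spdadd selectors and the sainfo selector, or a psk.txt ID that is not the address racoon negotiates with, produces no error until the first packet hits the policy, which is much harder to debug than a failed consistency check on the staging copy.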
Activating your VPN

Once the IPSec information, ISAKMP key exchange, and the pre-shared key are configured, activate your VPN by doing the following:

1 On the Linux host, load the security policy with setkey by executing the newly created ipsec.conf script.
2 Verify that the policy applied by running setkey -DP.
3 Start racoon. It starts in daemon mode by default; for testing, it may be helpful to run it in the foreground with racoon -F.

Once the policy is loaded and racoon is running, you are ready to test the VPN.

4 From a workstation on the Linux host's local network, ping an IP address in the remote network (10.10.1.0/24). racoon's output will show the kickoff of the Linux server and Sidewinder G2 key exchange. The ping command will probably return "connect: Resource temporarily unavailable" until the tunnel is fully established.

Once the ping command shows a reply from Sidewinder G2, your Linux gateway to Sidewinder G2 gateway VPN is complete.
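As an added example (not part of the note), the following shell script automates steps 1 to 3 and makes the check in step 2 precise: policy_present() inspects saved setkey -DP output for one policy entry, both_directions_loaded() requires both the outbound and the inbound network-to-network entries with the exact tunnel spec, and wait_for_tunnel() repeats the step 4 ping until the first reply arrives instead of stopping at the "Resource temporarily unavailable" error. The SAMPLE_SPD text is constructed for this example and abbreviated (real setkey -DP output carries additional lines such as timestamps and lifetimes, which the check ignores); the /etc paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the application note. Activation runbook for
# the Linux gateway, with a check over "setkey -DP" output for step 2.
LOCALIP=172.27.10.20
LOCALNET=172.17.1.0/24
REMOTEIP=192.168.1.2
REMOTENET=10.10.1.0/24
POLICY=/etc/ipsec.conf              # the setkey -f script from the note (assumed path)
RACOONCONF=/etc/racoon/racoon.conf  # assumed path

# Constructed, abbreviated sample of what "setkey -DP" prints once the two
# network-to-network entries are loaded. Real output has more lines per entry
# (timestamps, lifetimes); the check below only looks at the three shown.
SAMPLE_SPD='172.17.1.0/24[any] 10.10.1.0/24[any] any
    out ipsec
    esp/tunnel/172.27.10.20-192.168.1.2/require
    spid=1 seq=1 pid=100 refcnt=1
10.10.1.0/24[any] 172.17.1.0/24[any] any
    in ipsec
    esp/tunnel/192.168.1.2-172.27.10.20/require
    spid=2 seq=0 pid=100 refcnt=1'

# policy_present SPD_TEXT SRC DST DIR TUNNELSPEC
# Succeeds if SPD_TEXT holds an entry "SRC[any] DST[any] any" whose detail
# lines name direction DIR and then exactly the tunnel spec TUNNELSPEC.
policy_present() {
    printf '%s\n' "$1" | awk -v sel="$2[any] $3[any] any" -v dir="$4" -v tun="$5" '
        # selector lines are the only ones containing "[": start a new entry
        index($0, "[") > 0     { inside = ($0 == sel); gotdir = 0; next }
        inside && $1 == dir    { gotdir = 1 }
        inside && gotdir && $1 == tun { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Both directions of the network-to-network policy, with reversed endpoints.
both_directions_loaded() {
    policy_present "$1" "$LOCALNET" "$REMOTENET" out "esp/tunnel/$LOCALIP-$REMOTEIP/require" &&
    policy_present "$1" "$REMOTENET" "$LOCALNET" in  "esp/tunnel/$REMOTEIP-$LOCALIP/require"
}

# Steps 1-3 of the note, with the preconditions from "Preparing the Linux
# gateway" checked first. Needs root; racoon runs in the foreground (-F).
activate() {
    for tool in setkey racoon; do
        command -v "$tool" >/dev/null || { echo "$tool not installed" >&2; return 1; }
    done
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] \
        || { echo "packet forwarding is disabled" >&2; return 1; }
    setkey -f "$POLICY" || return 1                                  # step 1
    both_directions_loaded "$(setkey -DP)" \
        || { echo "policy did not load as expected" >&2; return 1; } # step 2
    racoon -F -f "$RACOONCONF"                                       # step 3
}

# Step 4: keep pinging until the first reply, because the early attempts fail
# while racoon is still negotiating the tunnel.
wait_for_tunnel() {
    host=$1; tries=${2:-20}
    while [ "$tries" -gt 0 ]; do
        ping -c 1 -W 2 "$host" >/dev/null 2>&1 && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

# Usage: sh thisfile.sh activate      (on the gateway, as root)
#        sh thisfile.sh wait 10.10.1.1 (from the local network, any host in 10.10.1.0/24)
case ${1:-} in
    activate) activate ;;
    wait)     wait_for_tunnel "$2" ;;
esac
```

Checking the loaded policy by selector and tunnel spec rather than by eye catches the two common slips when the placeholder variables are filled in by hand: swapped endpoints in the inbound tunnel spec, and an inbound entry that was never added, which leaves replies from the remote network unprotected by any "require" policy.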
Product names used within are trademarks of their respective owners. Copyright 2005 Secure Computing Corporation. All rights reserved.