Shrew Soft VPN Client Configuration for GTA Firewalls
ShrewVPN201003-01

Global Technology Associates, 3505 Lake Lynda Drive, Suite 109, Orlando, FL 32817
Tel: +1.407.380.0220  Fax: +1.407.380.6080  Email: info@gta.com  Web: www.gta.com
Configuring the Shrew Soft VPN Client for Connection to a GTA Firewall

This document provides an outline for configuring the Shrew Soft VPN Client to establish a VPN connection to a GTA Firewall using pre-shared keys. It was prepared using the Shrew Soft Client version 2.1.5 for Windows. The firewall configuration uses GTA Standard VPN for Mobile Clients. For more information on GTA firewall configuration, please go to http://www.gta.com/support/documents/.

Figure 1: Standard IPSec Settings for Mobile Clients
Figure 2: Standard Encryption, HASH and Key B Group

Install the Shrew Soft VPN Client

The Shrew Soft VPN Client supports both Windows and Linux installations, and the configuration is similar on both. Please see the Shrew Soft documentation for client installation on Windows and Linux operating systems: Shrew Soft VPN Client Administrator's Guide - http://www.shrew.net/static/help-2.1.x/vpnhelp.htm
Shrew Soft VPN Site Configuration

After installation of the Shrew Soft Client, open the client and click ADD.

Figure 3: Shrew Soft VPN Access Manager

The VPN Site Configuration dialogue will display. In the General tab, enter the following information:

Table 1: Shrew Soft VPN Site Configuration - General
Remote Host
  Host Name or IP Address: Enter the IP address or Fully Qualified Domain Name (FQDN) for the remote VPN gateway or firewall.
  Port: Default value is 500.
  Auto Configuration: Select disabled from the pull down menu.
Local Host
  Address Method: Select Use a virtual adapter and assigned address from the pull down menu.
  MTU: Default value is 1380.
  Address: Enter the IP address assigned to the remote client in the firewall configuration.
  Netmask: Enter 255.255.255.255.

Figure 4: VPN Site Configuration General Tab
Next, select the Client tab and enter the following information:

Table 2: Shrew Soft VPN Site Configuration - Client
Firewall Options
  NAT Traversal: Select enable from the pull down menu.
  NAT Traversal Port: Enter port 4500.
  Keep-alive packet rate: Enter 15 secs.
  IKE Fragmentation: Select enable from the pull down menu.
  Maximum packet size: Enter 540 bytes.
Other Options
  Enable Dead Peer Detection: Check to enable.
  Enable ISAKMP Failure Notification: Check to enable.

Figure 5: VPN Site Configuration - Client Tab
Select the Name Resolution tab and enter the following information:

Table 3: Shrew Soft VPN Site Configuration - Name Resolution
WINS/DNS
  Enable WINS: Enabling provides WINS service via VPN.
  WINS Server Address: Enter the IP address of the WINS server.
  Enable DNS: Enabling provides DNS resolution for the remote network via VPN.
  DNS Server Address: Enter the DNS server address.
  DNS Suffix: Enter the DNS suffix.
  Enable Split DNS: Enable if the client will use a split DNS scheme.

Figure 6: VPN Site Configuration - Name Resolution
Configure the following for the Authentication tab:

Table 4: Shrew Soft VPN Site Configuration - Authentication
  Authentication Method: Select Mutual PSK from the pull down menu.
Local Identity
  Identification Type: Select User Fully Qualified Domain Name (UFQDN, an email address).
  UFQDN Setting: Enter the user email address from the firewall configuration.
Remote Identity
  Identification Type: Select IP Address from the pull down menu.
  Address String: Enter the IP address of the firewall or VPN gateway.
Credentials
  Pre Shared Key: Enter the pre-shared key used on the firewall.

Figure 7: VPN Site Configuration - Local Identity
Figure 8: VPN Site Configuration - Remote Identity
Figure 9: VPN Site Configuration - Credentials

Next, set the Phase 1 and Phase 2 VPN settings. These should match your GTA Firewall configuration.

Table 5: Shrew Soft VPN Site Configuration - Phase 1
Proposal Parameters
  Exchange Type: Select aggressive from the pull down menu.
  DH Exchange: Select group 2 from the pull down menu.
  Cipher Algorithm: Select aes from the pull down menu.
  Cipher Key Length: Select 192 from the pull down menu.
  Hash Algorithm: Select sha1 from the pull down menu.
  Key Life Time: Enter a key life time that is less than or equal to the firewall configured Phase 1 IPSec Object lifetime.
  Key Life Data Limit: Enter 0 (zero).

Figure 10: VPN Site Configuration Phase 1
Table 6: Shrew Soft VPN Site Configuration - Phase 2
Proposal Parameters
  Transform Algorithm: Select esp-aes from the pull down menu.
  Transform Key Length: Select 192 from the pull down menu.
  HMAC Algorithm: Select auto from the pull down menu.
  PFS Exchange: Select group 2 from the pull down menu.
  Compress Algorithm: Select deflate from the pull down menu.
  Key Life Time Limit: Enter a key life time that is less than or equal to the firewall configured Phase 2 IPSec Object lifetime.
  Key Life Data Limit: Enter 0 (zero).

Figure 11: VPN Site Configuration Phase 2

Lastly, select the Policy tab and enter a remote network as follows:

Table 7: Shrew Soft VPN Site Configuration - Policy
IPSEC Policy Configuration
  Maintain Persistent Security Association: Leave box unchecked.
  Obtain Topology Automatically or Tunnel All: Leave box unchecked.
  Add a Remote Network Resource: The Remote resource should match the Protected Network on the remote firewall or VPN gateway.

Figure 12: Topology
Figure 13: Remote Network
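As an added example (not part of the GTA document or the Shrew Soft product), the following Python checker compares a client site configuration against the firewall's IPSec settings and reports the mismatches that keep Phase 1, Phase 2 or the policy from agreeing: proposal parameters that differ, a client lifetime longer than the firewall object lifetime, a non-zero data limit, a netmask other than 255.255.255.255, a NAT-T port other than 4500, and a remote network that is not a firewall protected network. The field names and all sample values are constructed for this example and are not Shrew Soft site-file keys.

```python
import ipaddress
# Constructed client-side profile mirroring Tables 1, 2 and 5 to 7 of the guide;
# the field names are this example's own, not Shrew Soft site-file keys.
CLIENT = {
    "netmask": "255.255.255.255", "natt_port": 4500,
    "p1_exchange": "aggressive", "p1_dh_group": 2, "p1_cipher": "aes",
    "p1_keylen": 192, "p1_hash": "sha1", "p1_life_secs": 28800, "p1_life_kb": 0,
    "p2_transform": "esp-aes", "p2_keylen": 192, "p2_pfs_group": 2,
    "p2_life_secs": 3600, "p2_life_kb": 0,
    "remote_networks": ["192.168.10.0/24"],
}
# Constructed firewall-side values (the GTA Standard VPN objects of Figures 1 and 2).
FIREWALL = {
    "p1_exchange": "aggressive", "p1_dh_group": 2, "p1_cipher": "aes",
    "p1_keylen": 192, "p1_hash": "sha1", "p1_life_secs": 28800,
    "p2_transform": "esp-aes", "p2_keylen": 192, "p2_pfs_group": 2,
    "p2_life_secs": 3600, "protected_networks": ["192.168.10.0/24"],
}
# Proposal parameters that must match the firewall exactly (Tables 5 and 6).
EXACT = ["p1_exchange", "p1_dh_group", "p1_cipher", "p1_keylen", "p1_hash",
         "p2_transform", "p2_keylen", "p2_pfs_group"]

def check_site(client, firewall):
    """Return a list of mismatches; empty means the site config agrees with the firewall."""
    problems = []
    for key in EXACT:
        if client[key] != firewall[key]:
            problems.append(f"{key}: client {client[key]!r} != firewall {firewall[key]!r}")
    # Client lifetimes must not exceed the firewall IPSec Object lifetimes, so the
    # client always rekeys before the firewall expires the SA (Tables 5 and 6).
    for key in ("p1_life_secs", "p2_life_secs"):
        if client[key] > firewall[key]:
            problems.append(f"{key}: {client[key]}s exceeds firewall {firewall[key]}s")
    for key in ("p1_life_kb", "p2_life_kb"):  # data limits are entered as 0
        if client[key] != 0:
            problems.append(f"{key}: must be 0, got {client[key]}")
    # Table 1: /32 virtual adapter address; Table 2: NAT Traversal on port 4500.
    if client["netmask"] != "255.255.255.255":
        problems.append(f"netmask: must be 255.255.255.255, got {client['netmask']}")
    if client["natt_port"] != 4500:
        problems.append(f"natt_port: must be 4500, got {client['natt_port']}")
    # Table 7: each remote resource must equal a protected network on the firewall.
    protected = {ipaddress.ip_network(n) for n in firewall["protected_networks"]}
    for net in client["remote_networks"]:
        if ipaddress.ip_network(net) not in protected:
            problems.append(f"remote network {net} is not a firewall protected network")
    return problems

if __name__ == "__main__":
    print(check_site(CLIENT, FIREWALL) or "site configuration matches the firewall")
```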
Establishing a VPN Connection

In order to establish the VPN once the client is configured, perform the following steps:

1. Open the Shrew Soft Access Manager.
2. Select the firewall or gateway to which to connect.
3. Click on CONNECT.
4. Click CONNECT again when the Shrew Soft Connect dialogue appears.

The client will now initiate the connection to the firewall.

Figure 14: Shrew Soft Access Manager
Figure 15: Shrew Soft VPN Connect
Figure 16: Tunnel Enabled Connect Tab
Figure 17: Tunnel Enabled Network Tab
Testing the Connection

The VPN to the remote gateway is now established. To check the connection, try pinging the internal interface of the remote gateway or a host on the remote network. The Shrew VPN Client will add a Virtual Adapter for each host when active, and will route to the remote network.

Figure 18: Virtual Adapter
Figure 19: Routing Table with routes added by client

Closing the VPN Connection

Click DISCONNECT on the Shrew Soft VPN Connect dialogue window.

Figure 20: Shrew Soft VPN Connect - Disconnect
Figure 21: Disconnected Client
Using Certificates with the Shrew Soft VPN Client

The Shrew Soft VPN Client also supports the use of signed certificates for a VPN. GB-OS version 5.3.0 and above allows an administrator to create signed certificates. To use certificates with the Shrew Soft VPN Client, the firewall VPN certificate must be a signed certificate and the client certificate must be signed.

1. Download the PEM files for the Firewall CA, the user certificate and the user's key file from the GTA Firewall Web Interface. Import these into the Shrew Soft VPN Client.
2. Set the Authentication Method to Mutual RSA.
3. Set the Local Identity as ASN.1 Distinguished Name.
4. Set the Remote Identity as ASN.1 Distinguished Name.

Figure 22: Local Identity Using Certificates
Figure 23: Remote Identity Using Certificates
Figure 24: Credentials for Certificates
Disclaimer

The Shrew Soft VPN Client is a product of Shrew Soft Inc. Copyright (c) 2007 Shrew Soft Inc. All rights reserved.

Redistribution in binary form is permitted for both personal and commercial use provided that the following conditions are met:

1) Modification or removal of any portion of this software package prior to redistribution is prohibited. This may include but is not limited to any binary programs, loadable modules, documentation or license agreement files.
2) This software package must not be represented as your own product. If you advertise the availability of this software package or the potential use of this software package in concert with another product or an affiliate's product, you agree to also advertise that the software package is an asset of the legitimate copyright holder, Shrew Soft, Inc.
3) Only a nominal fee may be charged to cover the cost of media and/or delivery fees for providing a reproduced machine-readable copy of this software package.
4) A third party may not be charged any fee associated with the installation, support or continued operation of this software package regardless of whether or not the software was provided by you or an affiliate.

Waiver; Construction. Failure by Licensor to enforce any provision of this License will not be deemed a waiver of future enforcement of that or any other provision. Any law or regulation which provides that the language of a contract shall be construed against the drafter will not apply to this License.

Severability. If for any reason a court of competent jurisdiction finds any provision of this License, or portion thereof, to be unenforceable, that provision of the License will be enforced to the maximum extent permissible so as to affect the economic benefits and intent of the parties, and the remainder of this License will continue in full force and effect.

Dispute Resolution. Any litigation or other dispute resolution between You and Licensor relating to this License shall take place in the Western District of Texas, and You and Licensor hereby consent to the personal jurisdiction of, and venue in, the state and federal courts within that District with respect to this License. The application of the United Nations Convention on Contracts for the International Sale of Goods is expressly excluded.

Entire Agreement; Governing Law. This License constitutes the entire agreement between the parties with respect to the subject matter hereof. This License shall be governed by the laws of the United States and the State of Texas, except that body of Texas law concerning conflicts of law.

Termination. This License and the rights granted hereunder will terminate automatically if You fail to comply with terms herein and fail to cure such breach within 30 days of becoming aware of the breach. All sublicenses to the Covered Code which are properly granted shall survive any termination of this License. Provisions which, by their nature, must remain in effect beyond the termination of this License shall survive.

Disclaimer of Warranty. THIS SOFTWARE IS PROVIDED AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL LICENSOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

Copyright 2008, Shrew Soft Inc