Configuring a GB-OS Site-to-Site VPN to a Non-GTA Firewall




Document S2SVPN201102-02

Global Technology Associates
3505 Lake Lynda Drive, Suite 109, Orlando, FL 32817
Tel: +1.407.380.0220  Fax: +1.407.380.6080
Email: info@gta.com  Web: www.gta.com

Table of Contents

Introduction
  Important Compatibility Requirements and Notes
Default GTA Settings for Standard Static IPSec VPNs
  Phase I
  Phase II
Creating Custom Encryption Objects
Creating a Custom IPSec Object on GTA Firewall
  About Phase I
  About Phase II
Creating a Site-to-Site IPSec VPN Tunnel on a GTA Firewall
  Creating IPSec Security Policies for VPN Connection
VPN Work Sheet

Introduction

The purpose of this document is to assist a firewall administrator in configuring an IPSec Site-to-Site VPN between a GTA firewall and a non-GTA firewall or VPN-capable device using pre-shared keys. GTA does not guarantee compatibility with all devices. For complete IPSec Site-to-Site and firewall configuration documentation for GTA firewalls, see the GTA website at http://www.gta.com/support/documents/. For non-GTA firewalls, consult that product's VPN documentation for its configuration options and settings.

Known or reported working VPN configurations have been set up with the following firewalls:

Astaro
Checkpoint
Cisco ASA
Draytek
Fortinet
Netgear
Netscreen
Sonicwall

Other firewall and VPN devices may work; however, they have not been reported to work or tested by GTA.

Important Compatibility Requirements and Notes

Security Association (SA) Key Lifetimes: GB-OS firewalls will accept a key lifetime up to the lifetime configured in the IPSec Object. This setting is located at Configure>Objects>IPsec Objects. The default SA lifetime is 90 minutes for Phase I and 60 minutes for Phase II. Mismatched SA lifetimes can affect VPN negotiation and re-keying: a remote peer that proposes a lifetime longer than the GTA firewall's configured value is outside what GB-OS accepts. Set both sides to the same values.

Perfect Forward Secrecy (PFS) is enabled by default on all GTA firewalls; it is the Key Group configured in Phase II of the IPSec Object. Most non-GTA devices do not have PFS enabled by default. Either enable PFS on the remote firewall (preferred: with PFS, the Phase II data keys come from a fresh Diffie-Hellman exchange, so a compromised Phase I key does not expose earlier tunnel traffic) or create a new encryption object for Phase II with Key Group set to None.

IKE Proposal or ISAKMP Policy is equivalent to the Phase I configuration. IPSec Proposal or Crypto Map is equivalent to the Phase II configuration.

Dead Peer Detection (DPD) is enabled by default on all GTA firewalls and is configured at Configure>Objects>IPsec Objects. The default interval for GTA firewalls is 30 seconds. Setting the DPD interval to zero (0) stops the firewall from sending DPD requests; however, the firewall will still respond to DPD requests from the remote peer.

Identities: Use IP Address as the identity when setting up a Site-to-Site VPN. With Main Mode and pre-shared key authentication, the responder has to select the pre-shared key from the initiator's source address before any identity payload is exchanged, so an identity other than the IP address gives the remote firewall nothing to match on. If the remote firewall has a dynamic IP address and uses a Dynamic DNS service, set the Remote Gateway field to the Dynamic DNS host name (FQDN) and leave the identity set to IP Address; the firewall resolves the name to an IP address and uses that address as the identity.

Policy Compatibility Option: This option is located in the Advanced section of an IPSec Tunnel. It makes the firewall behave the same as GB-OS versions below 5.3.0. It is usually required only when connecting to a Draytek router with multiple subnets, or to firewalls that are not compatible with unique policies.

GTA firewalls do not allow ranges in IPSec Tunnels. All VPN networks must be specified as hosts or networks.

Default GTA Settings for Standard Static IPSec VPNs

Standard Static IPSec Object settings:

Phase I
  Mode: Main
  Encryption: AES-192
  Hash: HMAC-SHA1
  Key Group: Diffie-Hellman group 2 (1024 bits)
  NAT-T: Automatic
  Lifetime: 90 minutes
  DPD Interval: 30 seconds

Phase II
  Encryption: AES-192
  Hash: HMAC-SHA1
  Key Group: Diffie-Hellman group 2 (1024 bits)
  Lifetime: 60 minutes

These defaults favour interoperability with older peers. A 1024-bit Diffie-Hellman group and SHA-1 are weak by current standards; where both firewalls offer them, select a larger Diffie-Hellman group and a stronger hash in a custom encryption object and use it for both phases.

Creating Custom Encryption Objects

Encryption objects are used to reference a set of encryption settings when configuring an IPSec Object. By default, GB-OS ships with five built-in encryption objects pre-configured with varying levels of encryption. They can be viewed and duplicated, but cannot be edited or deleted. Multiple encryption objects may also be combined. To create an encryption object or edit an existing one, navigate to Configure>Objects>Encryption Objects, select NEW, and enter the Encryption Method, Hash Algorithm and Key Group to be used in the VPN.

Figure 1: Configuring a Custom Encryption Object

Table 1: Configuring a Custom Encryption Object

Field              Description
Disable            Disables the configured encryption object.
Name               A unique name for the encryption object, used to reference it throughout the firewall's configuration.
Description        A brief description of the use of the encryption object.
Encryption Method  The encryption algorithm the firewall should accept for VPN data transfers. Default is <AES-192>.
Hash Algorithm     The hash algorithm used to detect packet tampering. Default is <HMAC-SHA1>.
Key Group          The Diffie-Hellman key group (bit size of the key) used for key agreement. Default is <Diffie-Hellman Group 2>.

Creating a Custom IPSec Object on GTA Firewall

IPSec Objects define how IPSec VPN connections are negotiated: which proposals from a client or remote VPN gateway your GTA firewall will accept. The appropriate IPSec Object varies with the type of IPSec VPN connection and your security policy. Encryption objects are referenced from the IPSec Object to supply the encryption, hash and key group settings for each phase.

About Phase I

Phase I (IKE, the ISAKMP security association) authenticates the two VPN peers and establishes an initial security association that protects the rest of the negotiation. Phase I never carries user data. During Phase I the peers perform a Diffie-Hellman exchange: each chooses a random private value, computes a public value from it using the agreed Diffie-Hellman group (a large prime and a generator), and sends only the public value. Combining its own private value with the peer's public value gives each side the same shared secret, which an observer of the exchange cannot compute. Diffie-Hellman by itself does not prove who the peer is. With pre-shared key authentication, the key material derived from the shared secret is mixed with the pre-shared key, and each peer proves possession of that key with a hash (HASH_I and HASH_R in RFC 2409) that the other side verifies; a pre-shared key mismatch therefore fails at this step, not at the Diffie-Hellman step. Because an attacker with enough computing power may eventually recover a key, the Phase I and Phase II security associations are re-keyed at their configured lifetimes. Internet Key Exchange (IKE) uses the Phase I settings during its automatic negotiation. Manual key exchange does not use Phase I settings, because there is no negotiation in manual mode.

About Phase II

Phase II uses the peer authentication and the protected channel established in Phase I to negotiate the settings that protect user data: the ESP encryption and hash algorithms, the lifetime of the IPSec security associations and, when PFS is enabled, a fresh Diffie-Hellman exchange so that the data keys do not derive from the Phase I secret. The resulting IPSec security associations carry the actual user traffic.

To create an IPSec Object or edit an existing one, navigate to Configure>Objects>IPSec Objects, select NEW, enter the name, description and mode (Main), and select your encryption objects for Phase I and Phase II.

Figure 2: Configuring an IPSec Object
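The Phase I mechanics described above, as an added example that is not part of the GTA document and is not GB-OS code: a simulation of the IKEv1 Main Mode pre-shared-key derivation from RFC 2409 using the Diffie-Hellman group 2 and HMAC-SHA1 defaults this document lists. Both peers derive the same Diffie-Hellman secret regardless of what pre-shared key each holds; only HASH_I and HASH_R, which are keyed through the pre-shared key, fail when the keys differ. The cookies, nonces, SA payload body and the two gateway addresses are constructed for the example.

```python
"""Added example (not from the GTA document or GB-OS): IKEv1 Main Mode Phase I
key derivation with pre-shared-key authentication, per RFC 2409, using the
Diffie-Hellman group 2 and HMAC-SHA1 defaults listed in the document."""
import hashlib
import hmac
import ipaddress
import secrets

# Diffie-Hellman group 2: the 1024-bit MODP prime from RFC 2409 section 6.2, generator 2.
DH2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
DH2_G = 2
DH2_LEN = 128  # bytes in a group 2 public value or shared secret


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for the HMAC-SHA1 hash setting used throughout the document."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_public(x: int) -> bytes:
    """g^x mod p as the fixed-length big-endian value carried in the KE payload."""
    return pow(DH2_G, x, DH2_P).to_bytes(DH2_LEN, "big")


def dh_shared(x: int, peer_public: bytes) -> bytes:
    """g^xy mod p from our private exponent and the peer's public value."""
    return pow(int.from_bytes(peer_public, "big"), x, DH2_P).to_bytes(DH2_LEN, "big")


def id_ipv4(addr: str) -> bytes:
    """ID payload minus the generic header: ID_IPV4_ADDR (1), protocol 0, port 0, address."""
    return bytes([1, 0, 0, 0]) + ipaddress.IPv4Address(addr).packed


def phase1_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """RFC 2409 section 5.4: with pre-shared keys SKEYID is keyed by the PSK, not by g^xy."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds Phase II keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP encryption
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """Initiator's proof of the PSK, checked by the responder (Main Mode message 5)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    """Responder's proof of the PSK, checked by the initiator (Main Mode message 6)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def run_phase1(psk_initiator: bytes, psk_responder: bytes, xi=None, xr=None) -> dict:
    """Simulate both peers; each derives SKEYID from its own copy of the pre-shared key."""
    if xi is None:
        xi = secrets.randbelow(DH2_P - 2) + 1
    if xr is None:
        xr = secrets.randbelow(DH2_P - 2) + 1
    gxi, gxr = dh_public(xi), dh_public(xr)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # constructed ISAKMP cookies
    ni, nr = secrets.token_bytes(20), secrets.token_bytes(20)       # constructed nonces
    sai_b = b"constructed-SA-payload-body"                          # stands in for the real SA payload
    idii_b, idir_b = id_ipv4("203.0.113.1"), id_ipv4("198.51.100.1")  # documentation addresses

    gxy_i = dh_shared(xi, gxr)  # initiator's view of the shared secret
    gxy_r = dh_shared(xr, gxi)  # responder's view
    skeyid_i = phase1_keys(psk_initiator, ni, nr, gxy_i, cky_i, cky_r)[0]
    skeyid_r = phase1_keys(psk_responder, ni, nr, gxy_r, cky_i, cky_r)[0]

    sent_hash_i = hash_i(skeyid_i, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    sent_hash_r = hash_r(skeyid_r, gxi, gxr, cky_i, cky_r, sai_b, idir_b)
    return {
        "dh_agreed": gxy_i == gxy_r,
        "responder_accepts_initiator": hmac.compare_digest(
            sent_hash_i, hash_i(skeyid_r, gxi, gxr, cky_i, cky_r, sai_b, idii_b)),
        "initiator_accepts_responder": hmac.compare_digest(
            sent_hash_r, hash_r(skeyid_i, gxi, gxr, cky_i, cky_r, sai_b, idir_b)),
    }


if __name__ == "__main__":
    print(run_phase1(b"same-secret", b"same-secret"))        # every field True
    print(run_phase1(b"same-secret", b"typo-on-one-side"))   # dh_agreed True, both accepts False
```

The second call is what a pre-shared key typo looks like on the wire: the Diffie-Hellman values still agree, so the failure surfaces only when the responder rejects HASH_I (and the initiator HASH_R), which on most firewalls is logged as an authentication failure rather than a proposal mismatch.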

Table 2: Configuring an IPSec Object

Field                      Description
Disable                    Disables the IPSec Object for use in a VPN configuration.
Name                       A unique name for the IPSec Object, used to reference it throughout the firewall's configuration.
Description                A brief description of the use of the IPSec Object.
Phase I
  Exchange Mode            Main.
  Encryption Object        The encryption object (level of encryption) to be used by the IPSec Object for Phase I.
  Advanced: NAT-T          Recommended: <Automatic>. <Automatic> uses NAT-T where applicable; <Disable> disables the use of NAT-T; <Force> forces the use of NAT-T.
  Advanced: Lifetime       The length of time in minutes before the Phase I (IKE) security associations must be renewed. Shorter times are generally more secure, but add renewal overhead to the connection.
  Advanced: DPD Interval   The interval in seconds between checks that the VPN peer is still reachable (dead peer detection). To disable DPD queries from this firewall, set the interval to 0; the firewall will still respond to DPD requests from other VPN gateways and clients, but will not initiate any of its own.
Phase II
  Encryption Object        The encryption object (encryption algorithm) that this firewall should accept for VPN data transfers (ESP).
  Advanced: Lifetime       The length of time in minutes before the Phase II security associations must be renewed. The value must be smaller than the Phase I Lifetime. Shorter times are generally more secure, but add renewal overhead to the connection.

Creating a Site-to-Site IPSec VPN Tunnel on a GTA Firewall

To configure an IPSec Site-to-Site VPN, navigate to Configure>VPN>Site-to-Site and, if it is disabled, enable Site-to-Site VPN.

Figure 3: Enable Site-to-Site VPN

Select NEW, or select EDIT to modify an existing VPN. Enter the VPN information for IPSec Key Mode (IKE): pre-shared secret, Local Gateway, Remote Gateway, Local Network(s) and Remote Network(s).

Figure 4: Creating a VPN Using IPSec Key Mode

Table 3: Creating a VPN Using IPSec Key Mode

Field                           Description
Disable                         Check to disable all access for the configured Site-to-Site IPSec VPN.
Description                     A description of the Site-to-Site IPSec VPN.
IPSec Object                    Built-in or custom defined IPSec Object.
Advanced: IPSec Key Mode        IKE (automatic key exchange).
Notifications                   Select the checkbox(es) for the notifications to be sent: Email, SMS, SNMP Trap.
Authentication Method           Pre-Shared Secret.
Pre-shared Secret               If you are authenticating using a pre-shared secret, enter the pre-shared secret in ASCII or HEX format as defined for the VPN. It must match the key entered on the VPN's other party exactly. Use a long, random value: with pre-shared key authentication this secret is the only thing that authenticates the two gateways to each other, so treat it as a credential.
Options: Failover               Select the Failover checkbox to enable VPN failover.
Options: Send Keep Alives       To prevent the VPN connection from closing prematurely, select the Send Keep Alives checkbox to have GB-OS automatically send a keep-alive packet every 20 seconds. Enter the IP address of the host or firewall to ping.
Advanced: Policy Compatibility  A toggle for firewalls that are not compatible with unique policies. Typically used when a VPN involves two or more subnets on one side or the other.

Table 3 (continued): Creating a VPN Using IPSec Key Mode

Gateway: a Primary field is always available; a Secondary field is available if Failover is enabled above.

Field                 Description
Local
  Gateway             The name of the interface on the local firewall that will serve as the VPN gateway.
  Identity            Set to IP Address.
  NAT                 Select the NAT checkbox to apply network address translation to traffic from the GTA Firewall UTM Appliance into the VPN connection. By default, connections are NATed to the External Interface IP.
  Network             The host/subnetwork that should be reachable through the VPN. Typically this is the protected network (PSN). Alternatively, select <USER DEFINED> and enter the IP address or network address in the IP Address field. If the NAT checkbox is selected, this field is not available because it is not required.
Remote
  Gateway             The IP address of the remote gateway (or its Dynamic DNS host name; see Identities above).
  Identity            Set to IP Address.
  NAT                 When the NAT checkbox is selected, the remote network is the same as the remote gateway.
  Network             A previously defined address object for the network(s) behind the remote firewall. Alternatively, select <USER DEFINED> and enter the IP address or network address in the IP Address field. If the NAT checkbox is selected, this field is not available because it is not required.

Creating IPSec Security Policies for VPN Connection

By default, GB-OS automatically configures the security policies needed to allow inbound and outbound access for all configured VPNs. If this has been disabled, you must manually define both Inbound and IPSec policies to allow VPN traffic. The Automatic Policies setting is under the Advanced tab at Configure>VPN>Preferences.

To define the necessary Inbound policies, navigate to Configure>Security Policies>Policy Editor>Inbound. Create a new Inbound policy of type Accept that allows VPN traffic: ESP (IP protocol 50) and UDP ports 500 (IKE) and 4500 (NAT-T). Where the remote gateway has a static address, restrict the source of this policy to that address; only a remote peer on a dynamic address needs to be accepted from any source.

To define the necessary IPSec policies, navigate to Configure>Security Policies>Policy Editor>VPN>IPSec.

VPN Work Sheet

Table 4: VPN Work Sheet. Fill in both columns before configuring either firewall; every Phase I and Phase II value must match the other side.

Field                  GTA Firewall          Non-GTA Firewall
Local Gateway          ____________          ____________
Local Network(s)       ____________          ____________
Local Network(s)       ____________          ____________
Local Network(s)       ____________          ____________
Identity               IP Address            IP Address
Phase I
  Mode                 Main                  Main
  Encryption           ____________          ____________
  Hash Algorithm       ____________          ____________
  Key Group            ____________          ____________
  SA Lifetime          ____________          ____________
  DPD                  ____________          ____________
Phase II
  Encryption           ____________          ____________
  Hash Algorithm       ____________          ____________
  Key Group (PFS)      ____________          ____________
  SA Lifetime          ____________          ____________
Other Options
  IPSec Key Mode       ____________          ____________
  Pre-Shared Secret    ____________          ____________

Copyright 1996-2011, Global Technology Associates, Incorporated (GTA). All rights reserved. Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any means without the prior permission of Global Technology Associates, Incorporated.

Technical Support

GTA includes 30 days up and running installation support from the date of purchase. See GTA's Web site for more information. GTA's direct customers in the USA should call or email GTA using the telephone number and email address below. International customers should contact a local Authorized GTA Channel Partner.
Tel: +1.407.380.0220
Email: support@gta.com

Disclaimer

Neither GTA, nor its distributors and dealers, make any warranties or representations, either expressed or implied, as to the software and documentation, including without limitation, the condition of software and implied warranties of its merchantability or fitness for a particular purpose. GTA shall not be liable for any lost profits or for any direct, indirect, incidental, consequential or other damages suffered by licensee or others resulting from the use of the program or arising out of any breach of warranty. GTA further reserves the right to make changes to the specifications of the program and contents of the manual without obligation to notify any person or organization of such changes. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation for their use. GTA assumes no responsibility with regard to the performance or use of these products. Every effort has been made to ensure that the information in this manual is accurate. GTA is not responsible for printing or clerical errors.

Trademarks & Copyrights

GB-OS, Surf Sentinel, Mail Sentinel and GB-Ware are registered trademarks of Global Technology Associates, Incorporated. GB Commander is a trademark of Global Technology Associates, Incorporated. Global Technology Associates and GTA are service marks of Global Technology Associates, Incorporated. Microsoft, Internet Explorer, Microsoft SQL and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Adobe and Adobe Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. UNIX is a registered trademark of The Open Group. Linux is a registered trademark of Linus Torvalds. BIND is a trademark of the Internet Systems Consortium, Incorporated and University of California, Berkeley. WELF and WebTrends are trademarks of NetIQ. Sun, Sun Microsystems, Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries. Java software may include software licensed from RSA Security, Inc. Some products contain software licensed from IBM, available at http://oss.software.ibm.com/icu4j/. Some products include software developed by the OpenSSL Project (http://www.openssl.org/). Mailshell and Mailshell Anti-Spam are trademarks of Mailshell Incorporated. Some products contain technology licensed from Mailshell Incorporated. All other products are trademarks of their respective companies.

Global Technology Associates, Inc.
3505 Lake Lynda Drive, Suite 109, Orlando, FL 32817 USA
Tel: +1.407.380.0220  Fax: +1.407.380.6080
Web: http://www.gta.com  Email: info@gta.com