This document describes how to use VPN clients with Firetunnel. The number of VPN tunnels using PPTP is limited to 4; VPN/IPsec tunnels, which this document covers, let you run up to 10 tunnels in parallel. PPTP tunnelling is described in the Firetunnel manual and needs no extra client software, because the PPTP client is already built into Windows 2000, XP and Vista. IPsec requires extra software. A good, free, open-source client is the ShrewSoft VPN Client, which can be downloaded from www.shrew.net. The OpenVPN client is not compatible with Firetunnel (OpenVPN is its own TLS-based protocol, not IPsec). Other VPN clients on the market need to be licensed and purchased. This document covers only the ShrewSoft VPN Client.

Before you begin, set up your Firetunnel as described in its manual, which can be downloaded from ftp://www.all-about-kvm.com/firmware%20downloads/networking/lre10x0e/ Then download the ShrewSoft VPN Client: on www.shrew.net click Download and select the appropriate client in the latest version that meets your requirements. Shrew also offers a client for Linux, but this document covers only the installation on Windows platforms: a Linux installation may require additional work (a suitable kernel and support files) and know-how in maintaining Linux systems, which is beyond the scope of this document.

The steps below for setting up VPN/IPsec with Shrew, Firetunnel and Windows start at the point where your Firetunnel is set up with a working Internet connection and the Shrew client is downloaded and installed. They assume that your Firetunnel has the LAN IP address 192.168.181.254 with the subnet mask 255.255.255.0. If your setup differs, adjust the values shown in the examples accordingly.
The examples also show security settings (identities, addresses and pre-shared keys) for the VPN tunnel. It is strongly recommended not to copy these values: they are illustrations only. If everybody used the same settings, every Firetunnel configured from this document would accept a connection from anybody who has read it, which is no security at all. Choose your own values, in particular a long, random and unique pre-shared key per connection.
Page 1 V1.00-Jan 2009
Step 1 Setting up the Firetunnel for VPN/IPSEC

Log in to the web administration page of Firetunnel. Click Configuration in the menu on the right and then select VPN. Two new menu items appear (see right picture). Click IPSec Policy, then click Create to define a new VPN/IPsec connection.

Connection name: any name. Since you create one connection per user rather than one connection for the entire company, choose a name that identifies the owner of the connection; this also lets you remove a single user later by deleting only that policy.

Local ID: select IP Address and enter the IP address of the LAN interface of the Firetunnel, 192.168.181.254 in this example.

Network: what this user is allowed to reach. In this example select Subnet to make the whole LAN subnet available; a narrower selection restricts the user to fewer hosts.

Remote: select the settings shown in the picture, but enter 10.10.10.1 as the address for the first IPsec connection, 10.10.10.2 for the second, and so on. Because each policy covers exactly one remote address and only the LAN network, VPN user 1 cannot communicate with VPN user 2 through the tunnel; this per-user isolation is intended.

Configure the other settings as shown in the example.

PreShared key: a unique key per connection. The longer and more random the key, the better the security. The key is what authenticates the user, so treat it like a password: generate it randomly and never reuse one between connections.

Then proceed with the settings for the Keep Alive function. If your provider disconnects you every 24 hours and assigns a new WAN IP address, use a DynDNS service together with the Keep Alive function, so that clients can always reach the Firetunnel by name and the VPN connection is re-established automatically.

At the end click Apply and save the settings. Do not forget to click SAVE CONFIG to write your changes into the flash memory of the Firetunnel; otherwise they do not survive a reboot. Step 1 is now complete.
Step 2 Setting up the Shrew Client

After downloading and installing the client you will find a new program group in your Start Menu containing the Access Manager. Start it to get the window on the right, then click Add to define a new connection. The connection settings are spread over several tabs; enter the following values.

GENERAL

Remote Host
  Host Name or IP Address: the public IP address or DynDNS name of your Firetunnel
  Port: 500
  Configuration: disabled

Local Host
  Address Method: Use a virtual adapter and assigned address
  MTU: 1380
  Obtain Automatically: unchecked
  Address: the Remote IP from the Firetunnel setup, e.g. 10.10.10.1 for the first connection, 10.10.10.2 for the second, and so on
  Netmask: 255.255.255.0

The Address entered here is the address the client will use inside the tunnel. It must be exactly the address you entered as Remote in the Firetunnel policy for this user; the same address is used again as the client's identity on the Authentication tab.
Jump to the second tab, Client.

CLIENT

Firewall Options
  NAT Traversal: enable
  NAT Traversal Port: 4500
  Keep-alive packet rate: 15
  IKE Fragmentation: disable

Other Options
  Enable Dead Peer Detection: checked
  Enable ISAKMP Failure Notifications: checked
  Enable Client Login Banner: checked

NAT Traversal (UDP port 4500) is needed whenever the client sits behind a router that translates addresses, which is the usual case for a home or hotel connection; the keep-alive packets keep the router's NAT mapping open. Dead Peer Detection lets the client notice when the Firetunnel has gone away (for example after a WAN reconnect) instead of keeping a dead tunnel.

Jump to the third tab, Name Resolution.

NAME RESOLUTION

WINS
  Enable WINS: unchecked if you do not need NetBIOS drive mappings. If you need them, check it and enter the IP address of your domain controller as the WINS server.

DNS
  Enable DNS: checked, and manually enter the LAN IP address of your Firetunnel, e.g. 192.168.181.254, as the DNS server
  DNS Suffix: almost anything that fits your domain, e.g. myfiretunnel.com
  Enable Split DNS: checked

With Split DNS only names under the configured suffix are resolved through the tunnel; all other lookups keep using the client's normal resolver.
Jump to the fourth tab, Authentication.

AUTHENTICATION

Authentication Method: Mutual PSK

Local Identity
  Identification Type: IP Address
  Use a discovered remote host address: unchecked
  Address String: again the Remote IP from the Firetunnel setup, e.g. 10.10.10.1 for the first connection, 10.10.10.2 for the second, and so on. The Firetunnel matches this identity against the Remote address of its policies to find the policy and pre-shared key for this user, so it must be entered exactly.

Remote Identity
  Identification Type: IP Address
  Use a discovered remote host address: checked

Credentials
  Pre Shared Key: the key you entered in the Firetunnel setup for this connection

Jump to the fifth tab, Phase 1.

PHASE 1

  Exchange Type: aggressive
  DH Exchange: group 2
  Cipher Algorithm:
  Hash Algorithm:
  Key Life Time limit: 86400
  Key Life Data limit: 0
  Enable Check Point Compatible Vendor ID:

Cipher Algorithm and Hash Algorithm must be ones the Firetunnel accepts (see the settings you made in Step 1); a mismatch here fails Phase 1 before any authentication takes place. Aggressive mode is used because the client connects from a changing public address and has to present its identity in the first exchange. Be aware that in aggressive mode with PSK authentication the authentication hash is exchanged unencrypted, so anybody who can observe the traffic can attempt an offline dictionary attack against the pre-shared key. This is the practical reason the key must be long and random, not a word. DH group 2 (1024-bit MODP) is the weakest group in common use; prefer a larger group if both the Firetunnel and the client offer one.
Jump to the sixth tab, Phase 2.

PHASE 2

  Transform Algorithm:
  HMAC Algorithm:
  PFS Exchange: group 2
  Compress Algorithm: Disabled
  Key Life Time limit: 3600
  Key Life Data limit: 0

As in Phase 1, Transform Algorithm and HMAC Algorithm must be ones the Firetunnel accepts, and PFS must be enabled with the same group on both sides.

Jump to the seventh tab, Policy. Pay full attention here: most cases of a VPN that does not work are caused by mistakes on this tab.

POLICY

  Clear all check boxes on this tab (the options beginning with Maintain and Obtain), so that the remote network is entered manually instead of being obtained from the gateway.
  Remote Network Resource: click Add. In the window that pops up select Type: Include, and enter the subnet address of the local network behind the Firetunnel, i.e. the network address, not the address of the Firetunnel itself. In this example, with the Firetunnel at 192.168.181.254, enter Address: 192.168.181.0 and Netmask: 255.255.255.0. Click Ok to apply this entry.

The Include entry tells the client which destinations are sent through the tunnel; everything else keeps using the normal network connection.

Finally click Save at the very bottom of the window and test your connection, for example by pinging the LAN address of the Firetunnel (192.168.181.254 in this example) from the client. If you have done everything exactly as described in this HOWTO, it will work. Nobody prevents you from trying other settings later to see what happens, but get it working as described here first.
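The following script is an added example and is not part of the original HOWTO, nor Firetunnel or ShrewSoft code. It plans the per-user policies of Steps 1 and 2 (one Remote address from 10.10.10.0/24 per user, a random pre-shared key each) and cross-checks the values that have to agree on both sides, including the classic Policy-tab mistake of entering the Firetunnel's own address instead of the network address. The function names, the connection naming scheme and the 10.10.10.0/24 client pool are this example's own assumptions; the addresses are the HOWTO's example values.

```python
"""Plan and sanity-check Firetunnel IPsec policies and the matching Shrew settings.

Added example (not Firetunnel or ShrewSoft code).  Names, pool and naming
scheme are assumptions; addresses are the HOWTO's example values.
"""
import ipaddress
import secrets

# Example deployment from the HOWTO (constructed, not real data).
LAN_GATEWAY = ipaddress.ip_interface("192.168.181.254/255.255.255.0")
CLIENT_POOL = ipaddress.ip_network("10.10.10.0/24")  # Remote addresses .1, .2, ...


def generate_psk(nbytes=32):
    """Random pre-shared key (32 bytes, ~43 URL-safe characters).

    Aggressive mode exposes a hash of the PSK to an observer, so the key
    must be long and random enough that offline guessing is hopeless.
    """
    return secrets.token_urlsafe(nbytes)


def plan_connections(users, pool=CLIENT_POOL, lan=LAN_GATEWAY):
    """One policy per user: unique Remote address from the pool, unique PSK.

    Returns, per user, the values for the Firetunnel policy (Step 1) and the
    Shrew client tabs (Step 2) so they can be checked against each other.
    """
    if pool.overlaps(lan.network):
        raise ValueError(f"client pool {pool} overlaps LAN {lan.network}")
    hosts = pool.hosts()  # yields 10.10.10.1, 10.10.10.2, ...
    plan = []
    for user in users:
        remote = str(next(hosts))
        plan.append({
            "name": f"vpn-{user}",  # one connection per user, named after the owner
            "firetunnel": {
                "local_id": str(lan.ip),        # Local ID: IP Address
                "network": str(lan.network),    # Network: Subnet
                "remote": remote,               # Remote: this user's single address
                "psk": generate_psk(),          # PreShared key: unique per connection
            },
            "shrew": {
                "local_address": remote,                            # General tab
                "local_netmask": str(pool.netmask),                 # 255.255.255.0
                "local_identity": remote,                           # Authentication tab
                "remote_resource_address": str(lan.network.network_address),  # Policy tab
                "remote_resource_netmask": str(lan.network.netmask),
            },
        })
    return plan


def normalize_remote_resource(address, netmask):
    """Check a Policy-tab Include entry; returns ('addr/mask', warnings).

    Typing the Firetunnel's own address (192.168.181.254) instead of the
    subnet address (192.168.181.0) is the most common mistake on that tab.
    """
    warnings = []
    try:
        net = ipaddress.ip_network(f"{address}/{netmask}", strict=True)
    except ValueError:
        net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
        warnings.append(f"{address}/{netmask} has host bits set; "
                        f"use the network address {net.network_address}")
    return f"{net.network_address}/{net.netmask}", warnings


def check_plan(plan):
    """Cross-check both sides of every planned connection; returns problems found."""
    problems, seen_psk, seen_remote = [], set(), set()
    for c in plan:
        ft, sh = c["firetunnel"], c["shrew"]
        if ft["remote"] != sh["local_identity"] or ft["remote"] != sh["local_address"]:
            problems.append(f"{c['name']}: client address and identity must equal Firetunnel Remote")
        if ft["psk"] in seen_psk:
            problems.append(f"{c['name']}: pre-shared key reused between connections")
        if len(ft["psk"]) < 20:
            problems.append(f"{c['name']}: pre-shared key too short")
        if ft["remote"] in seen_remote:
            problems.append(f"{c['name']}: remote address reused between connections")
        seen_psk.add(ft["psk"])
        seen_remote.add(ft["remote"])
        resource, warnings = normalize_remote_resource(sh["remote_resource_address"],
                                                       sh["remote_resource_netmask"])
        problems.extend(f"{c['name']}: {w}" for w in warnings)
        if ipaddress.ip_network(resource) != ipaddress.ip_network(ft["network"]):
            problems.append(f"{c['name']}: Policy Include {resource} differs from Firetunnel Network")
    return problems


def tunnel_allows(connection, dst):
    """True if the policy lets this client reach dst through the tunnel.

    With Network: Subnet only the LAN is reachable, so another client's
    10.10.10.x address is not: VPN user 1 cannot talk to VPN user 2.
    """
    return ipaddress.ip_address(dst) in ipaddress.ip_network(connection["firetunnel"]["network"])


if __name__ == "__main__":
    plan = plan_connections(["alice", "bob"])
    for c in plan:
        print(c["name"], "Remote", c["firetunnel"]["remote"], "PSK", c["firetunnel"]["psk"])
    print("problems:", check_plan(plan) or "none")
```

Run it once per batch of users and keep the printed pre-shared keys in your password store rather than in the script; the check functions are also handy when a tunnel does not come up, because they reproduce the two mismatches (identity versus Remote address, host address versus network address) that account for most failures.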