axsguard Gatekeeper IPsec XAUTH How To v1.6




Legal Notice

VASCO Products

VASCO Data Security, Inc. and/or VASCO Data Security International GmbH are referred to in this document as 'VASCO'. VASCO Products comprise Hardware, Software, Services and Documentation. This document addresses potential and existing VASCO customers and has been provided to you and your organization for the sole purpose of helping you to use and evaluate VASCO Products. As such, it does not constitute a license to use VASCO Software or a contractual agreement to use VASCO Products.

Disclaimer of Warranties and Limitations of Liabilities

VASCO Products are provided as is without warranty or conditions of any kind, whether implied, statutory, or related to trade use or dealership, including but not limited to implied warranties of satisfactory quality, merchantability, title, non-infringement or fitness for a particular purpose. VASCO, VASCO DISTRIBUTORS, RESELLERS AND SUPPLIERS HAVE NO LIABILITY UNDER ANY CIRCUMSTANCES FOR ANY LOSS, DAMAGE OR EXPENSE INCURRED BY YOU, YOUR ORGANIZATION OR ANY THIRD PARTY (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF DATA) ARISING DIRECTLY OR INDIRECTLY FROM THE USE, OR INABILITY TO USE VASCO SOFTWARE, HARDWARE, SERVICES OR DOCUMENTATION, REGARDLESS OF THE CAUSE OF THE LOSS, INCLUDING NEGLIGENCE, EVEN IF VASCO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR IF THEY WERE FORESEEABLE. OUR MAXIMUM AGGREGATE LIABILITY TO YOU, AND THAT OF OUR DISTRIBUTORS, RESELLERS AND SUPPLIERS SHALL NOT EXCEED THE AMOUNT PAID BY YOU FOR THE PRODUCT. THE LIMITATIONS IN THIS SECTION SHALL APPLY WHETHER OR NOT THE ALLEGED BREACH OR DEFAULT IS A BREACH OF A FUNDAMENTAL CONDITION OR TERM, OR A FUNDAMENTAL BREACH. THIS SECTION WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND LIMITATIONS.

Intellectual Property and Copyright

VASCO Products contain proprietary and confidential information. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights. No part of these Products may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted by VASCO or its authorized licensee in writing. This document is protected under US and international copyright law as an unpublished work of authorship. No part of it may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted in writing by VASCO or its authorized licensee.

Trademarks

VASCO, VACMAN, IDENTIKEY, axsguard, DIGIPASS, and are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. Other company brand or product names or other designations, denominations, labels and/or other tags, titles, as well as all URLs (Internet addresses) linked to such designations or communications (irrespective of whether protected by intellectual property law or not), mentioned in VASCO Products may be the trademarks or registered trademarks or be part of any other entitlement of their respective owners.

Radius Disclaimer

Information on the RADIUS server provided in this document relates to its operation in the axsguard Gatekeeper environment. We recommend that you contact your NAS/RAS vendor for further information.

Copyright 2009 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved.

Table of Contents

1 Introduction...8
1.1 Audience and Purpose of this document...8
1.2 What is the axsguard Gatekeeper?...10
1.3 About VASCO...10
2 Road Warrior Concept...11
2.1 Overview...11
2.2 What are Road Warriors?...11
2.3 Host Authentication...12
2.4 User Authentication: XAUTH...12
2.5 DHCP and IPsec...14
3 IPsec Server Configuration...15
3.1 Overview...15
3.2 IPsec General Settings...15
3.3 User Authentication Settings: XAUTH...17
4 IPsec Client with PSK Authentication...18
4.1 Overview...18
4.2 Server-Side Configuration...18
4.2.1 General Settings...19
4.2.2 Authentication Settings...20
4.2.3 IKE Definition...21
4.2.4 ESP Definition...21
4.2.5 Tunnel Definition...22
4.2.6 User Account with DIGIPASS...24
4.3 Client-Side Configuration...25
4.3.1 Installation...25
4.3.2 Settings...25
4.3.3 Testing your Connection...33
5 IPsec Client with X.509 Authentication and PFS...35
5.1 Overview...35
5.2 Server-Side Configuration...35
5.2.1 X.509 Certificates...36
5.2.2 IPsec General Settings...39
5.2.3 Authentication Settings...39
5.2.4 IKE Definition...40
5.2.5 ESP Definition with PFS...41
5.2.6 Tunnel Definition...42
5.2.7 User Account with DIGIPASS...43
5.3 Client-Side Configuration...44
5.3.1 Installation...44
5.3.2 Configuration...44
5.3.3 Testing your Connection...52
6 Certificate Revocation...54
6.1 Overview...54
6.2 Revoking a Client Certificate...54
7 Troubleshooting...55
8 Support...57
8.1 Overview...57
8.2 If you encounter a problem...57
8.3 Return procedure if you have a hardware failure...57

Illustration Index

Image 1: Road Warrior Configuration...11
Image 2: IPsec XAUTH...13
Image 3: DHCP with IPsec Clients...14
Image 4: IPsec General Settings...16
Image 5: IPsec Service Authentication Settings...17
Image 6: IPsec General Settings...19
Image 7: Overview of Services...20
Image 8: Extended Authentication Settings...20
Image 9: SA Settings IPsec with PSK - Local Parameters...22
Image 10: SA Settings IPsec with PSK - Remote Parameters...23
Image 11: DIGIPASS Assignment...24
Image 12: Shrew Soft VPN Access Manager...25
Image 13: Shrew Soft VPN General Tab...26
Image 14: Shrew Soft VPN Client Tab...27
Image 15: Shrew Soft Name Resolution Tab...28
Image 16: Shrew Soft Authentication Tab...29
Image 17: Shrew Soft Phase 1 Tab...30
Image 18: Shrew Soft Phase 2 Tab...31
Image 19: Policy Tab...32
Image 20: Topology...32
Image 21: Connection to IPsec Endpoint...33
Image 22: Tunnel Enabled...33
Image 23: Testing your IPsec Connection...34
Image 24: Initializing the CA...36
Image 25: Generating a Server Certificate...37
Image 26: Generating a Client Certificate...37
Image 27: Exporting a Client Certificate Step 1...38
Image 28: Exporting a Client Certificate Step 2...38
Image 29: IKE Definition...40
Image 30: ESP Definition...41
Image 31: IPsec with X.509 and PFS - Local Settings...42
Image 32: IPsec with X.509 and PFS - Remote Settings...43
Image 33: GreenBow VPN Client Configuration Screen...45
Image 34: Creating a new Phase 1 with GreenBow IPsec Client...45
Image 35: GreenBow General Phase 1 Settings...46
Image 36: Importing a Client Certificate...47
Image 37: Phase 2 - Advanced Settings...48
Image 38: Creating a new Phase 2 in GreenBow IPsec Client...49
Image 39: Phase 2 Configuration in GreenBow IPsec Client...50
Image 40: Phase 2 Advanced Settings...51
Image 41: Starting an IPsec Tunnel with GreenBow...52
Image 42: GreenBow IPsec Client Authentication Window...52
Image 43: Tunnel Status...53
Image 44: Revocation of a Certificate...54
Image 45: User Login Enabled...56

Index of Tables

Table 1: IPsec General Settings: VPN&RAS > IPsec > General...16

1 Introduction

1.1 Audience and Purpose of this document

This guide serves as a reference source for technical personnel and / or system administrators to configure IPsec Clients to connect to the axsguard Gatekeeper IPsec VPN Server, version 7.5.0, revision 1 or a later version. The setups explained in this guide have been configured on Windows XP Pro, SP2.

Details about the terminology used in this guide are available in the axsguard Gatekeeper IPsec How To, which can be accessed by clicking on the permanently available Documentation button in the Administrator Tool.

Caution: The IPsec client software used in this guide is available on the Internet and is merely used to provide configuration examples for user convenience. VASCO does not endorse or provide support for any particular brand / type of client software. Contact the software's manufacturer for support and documentation.

In sections 1.2 and 1.3, we introduce the axsguard Gatekeeper and VASCO.
In section 2, we explain the concept of Road Warriors.
In section 3, we explain the general IPsec configuration settings on the axsguard Gatekeeper which are required to successfully connect Road Warriors.
In section 4, we explain how to download, install and configure an IPsec Client with PSK and Extended Authentication (XAUTH), based on an axsguard Gatekeeper configuration example.
In section 5, we explain how to download, install and configure an IPsec Client with an X.509 client Certificate, Perfect Forward Secrecy (PFS) and Extended Authentication (XAUTH), based on an axsguard Gatekeeper configuration example.
In section 6, we explain how to revoke an issued X.509 client Certificate on the axsguard Gatekeeper to prevent a connection from a user who is no longer authorized to use the VPN.
In section 7, solutions to common difficulties are offered.
In section 8, we explain how to request support and how to return hardware for replacement.

An index at the end of the document will help you to find specific information you are searching for.

Other documents in the set of axsguard Gatekeeper documentation include:

- axsguard Gatekeeper Installation Guide, which explains how to set up the axsguard Gatekeeper, and is intended for technical personnel and / or system administrators.
- 'How to' guides, which provide detailed information on the configuration of each of the features available as 'add-on' modules (explained in the next section). These guides cover specific features such as:
  axsguard Gatekeeper Authentication
  axsguard Gatekeeper Firewall
  axsguard Gatekeeper Single Sign-On
  axsguard Gatekeeper VPN
  axsguard Gatekeeper Reverse Proxy
  axsguard Gatekeeper Directory Services

Access to axsguard Gatekeeper guides is provided through the permanently on-screen Documentation button in the axsguard Gatekeeper Administrator Tool.

Further resources available include:

- Context-sensitive help, which is accessible in the axsguard Gatekeeper Administrator Tool through the Help button. This button is permanently available and displays information related to the current screen.
- Training courses covering features in detail. These courses address all levels of expertise. Please see www.vasco.com for further information.

Welcome to axsguard Gatekeeper security.

1.2 What is the axsguard Gatekeeper?

The axsguard Gatekeeper is an authentication appliance, intended for small and medium sized enterprises. In addition to strong authentication, the axsguard Gatekeeper has the potential to manage all of your Internet security needs. Its modular design means that optional features can be purchased at any time to support, for example, e-mail, Web access and VPN management.

The axsguard Gatekeeper can easily be integrated into existing IT infrastructures as a stand-alone authentication appliance or as a gateway providing both authentication services and Internet Security. Authentication and other features, such as firewall, e-mail and Web access, are managed by security policies, which implement a combination of rules, for example, whether a user must use a DIGIPASS One-Time Password in combination with a static password for authentication. Security Policies are applied to specific users or groups of users and can also be applied to specific computers and the entire system.

1.3 About VASCO

VASCO™ is a leading supplier of strong authentication and Electronic Signature solutions and services specializing in Internet Security applications and transactions. VASCO has positioned itself as a global software company for Internet Security serving customers in more than 100 countries, including many international financial institutions. VASCO's prime markets are the financial sector, enterprise security, e-commerce and e-government. Over 50 of VASCO's client authentication technologies, products and services are based on VASCO's single core authentication platform: VACMAN™. VASCO solutions comprise combinations of the VACMAN core authentication platform, IDENTIKEY™ authentication server, axsguard authentication appliances, DIGIPASS™ client Password and Electronic Signature software and DIGIPASS PLUS authentication services. For further information on these security solutions, please see www.vasco.com.

2 Road Warrior Concept

2.1 Overview

In this section we explain the term Road Warrior and how Road Warriors are authenticated with the axsguard Gatekeeper IPsec VPN server. Details about the IPsec framework, such as authentication, data integrity and encryption, are available in the axsguard Gatekeeper IPsec How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

2.2 What are Road Warriors?

IPsec provides a versatile framework to set up an axsguard Gatekeeper VPN server to accept secure connections from roaming clients. This is commonly called a "Road Warrior" configuration, because the clients are typically laptops with dedicated IPsec client software being used from remote locations, e.g. a hotel or an airport, which are connected to the (insecure) Internet (see image below). IPsec Road Warrior configurations allow authorized users to securely connect to the corporate network, while providing data integrity, confidentiality and authentication.

Image 1: Road Warrior Configuration

2.3 Host Authentication

Host authentication guarantees that the host sending data is the host it claims to be and not another host or device. Several methods are available to authenticate IPsec clients (hosts):

PSK: A Pre-Shared Key (PSK) is a method to authenticate hosts without the Public Key Infrastructure (PKI) and its inherent intensive calculations. The Pre-Shared Key is only known by the client and the server and should never be divulged; otherwise data authenticity and integrity can no longer be ensured.

RSA Authentication: RSA is an asymmetric encryption algorithm, which is also used to authenticate hosts. The authentication mechanism uses the Public Keys of the communicating hosts to verify hashed messages, thus authenticating the hosts to each other.

PKI: The Public Key Infrastructure is a networked infrastructure, which allows safe creation, organization, storage and distribution of Public Keys (in Digital Certificates). PKI provides identity inspection and assurance via a Digital Certificate, such as X.509.

Detailed information about host authentication is available in the axsguard Gatekeeper IPsec How To, which can be accessed by clicking on the permanently available Documentation button in the Administrator Tool.

2.4 User Authentication: XAUTH

Extended Authentication or XAUTH provides an additional level of authentication (in addition to those described above) in that the IPsec gateway requests user credentials before any data transfer can take place. This extended authentication phase, which we call Phase 1.5 for the sake of clarity, takes place between the IPsec Phase 1 and Phase 2 negotiations (see Image 2 on page 13). Detailed information about IPsec phases is outside the scope of this guide and is available in the axsguard Gatekeeper IPsec How To, which can be accessed by clicking on the permanently available Documentation button in the Administrator Tool.

Following is a brief description of the IPsec Phases:

Phase 1: Negotiates how IKE should be protected. Encryption, integrity and authentication algorithms are negotiated. Peers are authenticated and the SAs are set up. In short, a Control Channel is initiated.

Phase 2: Negotiates how IPsec should be protected. Phase 2 uses the SAs from Phase 1 and sets up the unidirectional SAs for ESP. Fresh keying material is derived from the key exchange in Phase 1 to provide session keys to be used in the encryption and authentication of the VPN (IPsec) data flow. In short, a Data Channel is set up.

Advantage

The advantage of XAUTH is that only a single server-side Tunnel Definition needs to be configured to allow connections for multiple Road Warriors, as opposed to tunnels between IPsec servers, which require separate Tunnel Definitions.

The axsguard Gatekeeper allows the implementation of various extended authentication methods for IPsec, such as DIGIPASS authentication and RADIUS back-end authentication. More information about supported authentication methods is available in the axsguard Gatekeeper Authentication How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

Image 2: IPsec XAUTH

2.5 DHCP and IPsec

The Dynamic Host Configuration Protocol (DHCP) is a network application protocol used by devices (DHCP clients) to automatically obtain configuration information (e.g. an IP address) for operation in an Internet Protocol (IP) network. This protocol considerably reduces system administration workload, allowing devices to be added to the network with little or no manual intervention.

There are two possible ways to configure DHCP for IPsec clients on the axsguard Gatekeeper:

DHCP over IPsec: The connecting client automatically receives its IP address and other DHCP information from the axsguard Gatekeeper IPsec DHCP server. This option is currently not supported.

DHCP server: The DHCP requests from IPsec clients are handled by a dedicated server in the LAN of the axsguard Gatekeeper, as shown below.

Image 3: DHCP with IPsec Clients

3 IPsec Server Configuration

3.1 Overview

This section explains how to prepare the axsguard Gatekeeper IPsec VPN server to receive secure connections from Road Warriors. Details about the IPsec framework (creating Tunnel Definitions) are available in the axsguard Gatekeeper IPsec How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

Topics covered in this section include:

- IPsec general settings, such as DHCP settings for Road Warriors.
- Extended Authentication (XAUTH) settings for the IPsec service.

3.2 IPsec General Settings

This section explains the general IPsec configuration settings, such as the server Certificate, NAT Traversal and DHCP settings to be used by Road Warriors (see section 2.2). Details about NAT Traversal and Certificates are available in the axsguard Gatekeeper IPsec How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

To configure the general settings for IPsec Road Warriors on the axsguard Gatekeeper:

1. Log on to the axsguard Gatekeeper as explained in the axsguard Gatekeeper System Administration How To, which can be accessed by clicking on the permanently available Documentation button in the Administrator Tool.
2. Navigate to VPN&RAS > IPsec > General. A screen similar to Image 4 is displayed.
3. Enter the settings as explained in Table 1.
4. Click on Update.

Image 4: IPsec General Settings

Table 1: IPsec General Settings: VPN&RAS > IPsec > General

IPsec Setting: Description

Specify Interfaces (applies to all connections): This option allows you to specify on which Internet / DMZ interface IPsec tunnels can be defined (e.g. if you have multiple Internet lines).

Interfaces to bind IPsec (applies to all connections): This field only appears if the previous option, Specify Interfaces, is enabled. Check the Internet / DMZ interface to be used for IPsec tunnels.

Enable NAT Traversal (applies to all connections): Enables NAT Traversal as explained in the axsguard Gatekeeper IPsec How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

Server Certificate Serial (only applies to Road Warriors): Select the desired X.509 server Certificate. This server Certificate is used by Road Warriors to identify the axsguard Gatekeeper IPsec server.

DHCP for IPsec (only applies to Road Warriors): Select one of the following three options.
  Deny DHCP with IPsec connections: This is the default configuration. This option refuses DHCP requests.
  Use axsguard Gatekeeper DHCP for IPsec connections: This option is currently not supported.
  Use another LAN DHCP server for IPsec connections: This option forwards IPsec DHCP requests to another DHCP server in the LAN. If selected, a field appears to enter the IP address of the DHCP server (see section 2.5).

3.3 User Authentication Settings: XAUTH

This section explains how to change the user authentication policy for the IPsec service (see section 2.4). An authentication policy determines how users should authenticate for a service, e.g. DIGIPASS authentication. For detailed information about authentication, consult the axsguard Gatekeeper Authentication How To, accessible by clicking on the permanently available Documentation button in the Administrator Tool.

To set the authentication policy for IPsec XAUTH:

1. Log on to the axsguard Gatekeeper as explained in the System Administration How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.
2. Navigate to Authentication > Services.
3. Click on IPsec XAUTH.
4. Click on Select and set the Authentication Policy to DIGIPASS VASCO DIGIPASS (see below).
5. Click on Update.

Image 5: IPsec Service Authentication Settings

Caution: The IPsec client setups in this How To are configured with the settings as shown above. Configure your clients with the settings specific to your network.

4 IPsec Client with PSK Authentication

4.1 Overview

Caution: The IPsec client software used in this guide is freely available on the Internet and is merely used to provide configuration examples for user convenience. VASCO does not endorse or provide support for any particular brand / type of client software. Contact the software's manufacturer for support and documentation.

In this section, we explain:

- How to prepare the axsguard Gatekeeper (server side) to receive Road Warrior (client side) connections using PSK and DIGIPASS authentication.
- How to download and install the free Shrew Soft IPsec client side software.
- How to configure this IPsec client with PSK and DIGIPASS authentication (using the Shrew Soft IPsec client, version 2.1.4) in Windows XP (SP2) and the axsguard Gatekeeper version 7.5.0, revision 1 or a later version.

4.2 Server-Side Configuration

If you are already familiar with the axsguard Gatekeeper IPsec server configuration, you may skip to section 4.3.

In this How To, we assume that you have a single axsguard Gatekeeper LAN to which IPsec clients are allowed to connect. The setup / configuration for multiple secure LANs is outside the scope of this manual. For detailed information about the axsguard Gatekeeper IPsec server configuration, consult the axsguard Gatekeeper IPsec How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

Notes: The client software is configured in accordance with the axsguard Gatekeeper IPsec VPN server setup example shown in the following sections. Other settings, such as the Network, DNS and Authentication settings, are fully explained in the axsguard Gatekeeper System Administration How To and the Authentication How To. These manuals can be accessed by clicking on the permanently available Documentation button in the Administrator Tool.

4.2.1 General Settings

In this section, we explain how to configure some general IPsec server settings, such as NAT Traversal and DHCP. Detailed information about PKI, X.509, NAT Traversal and general IPsec configuration settings is available in the axsguard Gatekeeper IPsec How To, accessible by clicking on the permanently available Documentation button in the Administrator Tool.

To configure general IPsec settings:

1. Log on to the axsguard Gatekeeper as explained in the System Administration How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.
2. Navigate to VPN&RAS > IPsec > General.
3. Enter the settings as shown below:
   Enable NAT Traversal
   Select Deny DHCP with IPsec connections
   Click on Update

Image 6: IPsec General Settings

4.2.2 Authentication Settings

In this example, we explain how to configure DIGIPASS authentication for IPsec. For detailed information about other authentication methods, consult the axsguard Gatekeeper Authentication How To, accessible by clicking on the permanently available Documentation button in the Administrator Tool.

To configure authentication settings:

1. Log on to the axsguard Gatekeeper as explained in the System Administration How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.
2. Navigate to Authentication > Services.

Image 7: Overview of Services

3. Click on IPsec XAUTH.
4. Click on Select and set the Authentication Policy to DIGIPASS VASCO DIGIPASS (see below).
5. Click on Update.

Image 8: Extended Authentication Settings

4.2.3 IKE Definition

Caution: The IKE Definitions on the server and the client must match, otherwise the connection irrevocably fails.

Internet Key Exchange (IKE) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE uses a Diffie-Hellman key exchange to set up a shared session secret, from which cryptographic keys are derived. Detailed information about IKE and ESP Definitions is available in the axsguard Gatekeeper IPsec How To, which is accessible by clicking on the permanently available Documentation button.

In our example, we use a predefined IKE Definition with MD5 and AES (see section 4.2.5).

Tip: You can easily create a new IKE Definition by selecting a predefined IKE Definition and clicking on Edit as New.

4.2.4 ESP Definition

Caution: The ESP Definitions on the server and the client must match, otherwise the connection irrevocably fails.

Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. In IPsec it provides origin authenticity, integrity, and ensures the confidentiality of data. Detailed information about IKE and ESP Definitions is available in the axsguard Gatekeeper IPsec How To, which is accessible by clicking on the permanently available Documentation button.

In our example, we use a predefined ESP Definition with AES and SHA1 (see section 4.2.5).

Tip: You can easily create a new ESP Definition by selecting a predefined ESP Definition and clicking on Edit as New.

4.2.5 Tunnel Definition

This section explains how to configure the Tunnel Definition, which contains the Local and Remote Parameters for use with the Shrew Soft IPsec client. Detailed information about Tunnel Definitions and the associated IPsec configuration settings is available in the axsguard Gatekeeper IPsec How To, accessible by clicking on the permanently available Documentation button in the Administrator Tool.

To configure the local parameters:
1. Log on to the axsguard Gatekeeper as explained in the System Administration How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.
2. Navigate to VPN&RAS > IPsec > Tunnels.
3. Click on Add New.
4. Enter the settings as shown below.

Image 9: SA Settings IPsec with PSK - Local Parameters

Note: The CIDR notation (192.168.11.0/24) used on the axsguard Gatekeeper is the same as:
- Network Address: 192.168.11.0
- Netmask: 255.255.255.0

To configure the remote parameters:
1. Click on the Remote Parameters Tab.
2. Enter the settings as shown below.
3. Click on Save.

Image 10: SA Settings IPsec with PSK - Remote Parameters

Caution: The IPsec client setups in this How To are configured with the settings as shown above. Configure your Tunnel Definition and clients with the settings specific to your network. When using PSK, VASCO recommends using long, complex Keys.

4.2.6 User Account with DIGIPASS

Before a user can authenticate with a DIGIPASS to access the IPsec VPN, you need to make sure that:
- The user account exists on the axsguard Gatekeeper.
- The user has been assigned a DIGIPASS.
- The user is allowed access to the axsguard Gatekeeper IPsec VPN.

To create a user account:
1. Log on to the axsguard Gatekeeper, as explained in the axsguard Gatekeeper System Administration How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.
2. Navigate to Users&Groups > Users.
3. Click on Add New.
4. Enter the user settings (see the image below), as explained in the axsguard Gatekeeper System Administration How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

To assign a DIGIPASS to a user:
5. Check the Has VASCO DIGIPASS option.
6. Select a DIGIPASS serial number from the list, as explained in the axsguard Gatekeeper authentication How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

Image 11: DIGIPASS Assignment

4.3 Client-Side Configuration

Caution: The IPsec client software used in this guide is freely available on the Internet and is merely used to provide configuration examples for user convenience. VASCO does not endorse or provide support for any particular brand / type of client software. Contact the software's manufacturer for support and documentation.

4.3.1 Installation

The installation of the Shrew Soft IPsec client is simple and similar to any other Windows program:
1. Log on to Windows with administrator privileges.
2. Download the Shrew Soft IPsec Client from: http://www.shrew.net/download
3. Start the installation by double-clicking the installation executable and follow the on-screen instructions. No reboot is required after installation.

4.3.2 Settings

To start the Shrew Soft IPsec Client:
1. Click on Start.
2. Navigate to All Programs > Shrew Soft VPN Client.
3. Click on Access Manager. A screen similar to the image below appears.

Image 12: Shrew Soft VPN Access Manager

To add an IPsec connection:
1. Click on Add.
2. Enter the settings as shown further for each tab.

General Tab
1. Enter the Public IP address or host name of the axsguard Gatekeeper you are connecting to, e.g. 195.0.83.11 or axsguard.yourdomain.com.
2. Leave the Port number unchanged (500).
3. Set the Auto Configuration to disabled.
4. Set the Address Method to Use a virtual adapter and assigned address.
5. Leave the MTU unchanged (1380).
6. Enter the virtual adapter's IP address, e.g. 192.168.11.100. Make sure this IP address is not used in the LAN of the axsguard Gatekeeper you are connecting to. If you are unsure about the IP address, use one in another range, e.g. 10.0.0.5.
7. Enter the virtual adapter's netmask, e.g. 255.255.255.255.

Image 13: Shrew Soft VPN General Tab

Client Tab
1. Enable NAT Traversal.
2. Leave the NAT Traversal port unchanged (4500).
3. Leave the Keep-alive packet rate unchanged (15).
4. Leave the IKE Fragmentation unchanged (enable).
5. Leave the Maximum packet size unchanged (540).
6. Enable Dead Peer Detection.
7. Enable ISAKMP Failure Notifications.

Image 14: Shrew Soft VPN Client Tab

Name Resolution Tab
1. Do not enable WINS.
2. Enable DNS.
3. Enter the DNS server's IP address. This is the LAN IP address of the axsguard Gatekeeper, e.g. 192.168.11.254 (see tip below).
4. Enter the DNS Suffix of the domain used in your network (see tip below).
5. Do not enable Split DNS.

Image 15: Shrew Soft Name Resolution Tab

Tips:
- To view the LAN IP address of your axsguard Gatekeeper, navigate to Network > Devices > Eth and click on the appropriate secure device.
- You may also use the Active Directory DNS in your network, if available.

Authentication Tab
1. Set the authentication Method to Mutual PSK + XAUTH.
2. In the Local Identity Tab, set the Identification Type to IP address.
3. Check Use a discovered local host address.
4. In the Remote Identity Tab, set the Identification Type to IP address.
5. Enter the Public IP address of the axsguard Gatekeeper you are connecting to. This is the same IP address as entered in the General Tab (see page 26).
6. Do not check Use a discovered remote host address.
7. Enter the Pre-Shared Key in the Credentials Tab. This is the same Key as entered on the axsguard Gatekeeper (see section 4.2.5).

Image 16: Shrew Soft Authentication Tab

Tip: Use long and complex strings when using PSK authentication (see section 4.2.5).

Phase 1 Tab
1. Set the Exchange Type to main.
2. Set the DH Exchange to auto.
3. Set the Cipher Algorithm to AES.
4. Set the Cipher Key Length to auto.
5. Set the Hash Algorithm to MD5.
6. Leave the Key Life Time limit unchanged (86400).
7. Leave the Key Life data limit unchanged (0).
8. Do not check Enable Check Point Compatible Vendor ID.

Image 17: Shrew Soft Phase 1 Tab

Phase 2 Tab
1. Set the Transform Algorithm to ESP-AES.
2. Set the Transform Key Length to 128 bits.
3. Set the HMAC Algorithm to SHA1.
4. Set the PFS Exchange to auto.
5. Set the Compress Algorithm to disabled.
6. Leave the Key Life Time limit unchanged (3600).
7. Leave the Key Life data limit unchanged (0).

Image 18: Shrew Soft Phase 2 Tab

Policy Tab
1. Check Maintain Persistent Security Associations.
2. Do not check Obtain Topology Automatically or Tunnel All.

Image 19: Policy Tab

3. Click on Add. A screen as shown in Image 20 is displayed.
4. Set the Type to Include.
5. Enter the LAN IP Network address of the axsguard Gatekeeper, e.g. 192.168.11.0 (see section 4.2.5).
6. Enter the LAN Netmask of the axsguard Gatekeeper, e.g. 255.255.255.0 (see section 4.2.5).
7. Click on OK.

Image 20: Topology

4.3.3 Testing your Connection

1. Start the Shrew Soft VPN Access Manager as explained in section 4.3.2 (page 25).
2. Select the Connection you have created.
3. Click on Connect. A screen as shown below appears.

Image 21: Connection to IPsec Endpoint

4. Enter the axsguard Gatekeeper user name.
5. Generate and enter the DIGIPASS code.
6. Press enter or click on Connect. Information about the connection is displayed as shown below.

Image 22: Tunnel Enabled

7. Once the tunnel is up, open a Windows command prompt (navigate to Start > Run and type cmd followed by enter).
8. Ping the LAN IP address of the axsguard Gatekeeper, e.g. ping 192.168.11.254 (see below).
9. Test your DNS settings by pinging the internal DNS name of the axsguard Gatekeeper (see below).

Image 23: Testing your IPsec Connection

Notes:
- If you can ping the IP address of the axsguard Gatekeeper, but not the DNS name, the problem is DNS-related. Verify the DNS configuration settings of your client if necessary.
- If you are using an Active Directory (AD) DNS server, make sure the internal DNS name of the axsguard Gatekeeper is added to its DNS repository. Consult the documentation of your AD server if necessary.

5 IPsec Client with X.509 Authentication and PFS

5.1 Overview

Caution: The IPsec client software used in this guide is freely available on the Internet and is merely used to provide configuration examples for user convenience. VASCO does not endorse or provide support for any particular brand / type of client software. Contact the software's manufacturer for support and documentation.

In this section, we explain:
- How to prepare the axsguard Gatekeeper to receive Road Warrior connections using X.509 Certificates and DIGIPASS authentication.
- How to download the commercial GreenBow IPsec client software. The software may be tested free of charge for a period of 30 days.
- How to configure an IPsec client with an X.509 client Certificate and DIGIPASS authentication (using the GreenBow IPsec client, release 4.51.001) in Windows XP (SP2) and the axsguard Gatekeeper version 7.5.0, revision 1 or a later version.

5.2 Server-Side Configuration

If you are already familiar with the axsguard Gatekeeper IPsec server configuration, you may skip to section 5.3.

In this How To, we assume that you have a single axsguard Gatekeeper LAN to which IPsec clients are allowed to connect. The setup / configuration for multiple secure LANs is outside the scope of this manual. For detailed information about the axsguard Gatekeeper IPsec server configuration, consult the axsguard Gatekeeper IPsec How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

Notes:
- The client software is configured in accordance with the axsguard Gatekeeper IPsec VPN server setup example shown in the following sections.
- The Network and authentication settings are explained in the axsguard Gatekeeper System Administration How To and the authentication How To, respectively.

5.2.1 X.509 Certificates

The use and configuration of the axsguard Gatekeeper Certificate Authority (CA), X.509 server and client Certificates is explained in the axsguard Gatekeeper IPsec How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

Follow the steps below to:
- Initialize the axsguard Gatekeeper CA.
- Generate a server Certificate.
- Generate a client Certificate.
- Export the client Certificate. The client Certificate is needed to configure the GreenBow IPsec client later on (see To import a Client Certificate, page 47).

To initialize the axsguard Gatekeeper CA:

Note: If you previously initialized the axsguard Gatekeeper CA, you may skip this step and continue to page 37 (Generate a Server Certificate).

1. Log on to the axsguard Gatekeeper as explained in the System Administration How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.
2. Navigate to PKI > CA.
3. Enter the requested settings (see image below). REMEMBER THE PASSPHRASE AS THIS IS NEEDED TO CREATE AND IMPORT ANY ADDITIONAL CLIENT CERTIFICATES.
4. Click on Initialize.

Image 24: Initializing the CA

To generate a Server Certificate:
1. Log on to the axsguard Gatekeeper as explained in the System Administration How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.
2. Navigate to PKI > Certificates.
3. Click on Issue New Certificate.
4. Set the Certificate Use to Server.
5. Enter the requested settings (see image below).
6. Click on Sign.

Image 25: Generating a Server Certificate

To generate a Client Certificate:
1. Follow steps 1 to 3, as explained above.
2. Set the Certificate Use to Client (Sentinel / L2TP).
3. Select the user to which the Certificate should be assigned, e.g. John.
4. Enter the requested settings (see image below).
5. Click on Sign.

Image 26: Generating a Client Certificate

To export a Client Certificate:

The client Certificate is needed to configure the GreenBow IPsec client later on (see To import a Client Certificate, page 47).
1. Log on to the axsguard Gatekeeper as explained in the System Administration How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.
2. Navigate to PKI > Certificates.
3. Click on the Floppy icon to export the Client Certificate (see below). This is the Client Certificate as created on page 37 (To generate a Client Certificate).

Image 27: Exporting a Client Certificate Step 1

4. Enter a password to protect the Client Certificate (see below). REMEMBER THIS PASSWORD AS IT IS REQUIRED TO IMPORT THE CLIENT CERTIFICATE TO THE GREENBOW IPSEC CLIENT. THIS IS NOT THE SAME PASSWORD USED TO INITIALIZE THE CA AND GENERATE CERTIFICATES.
5. Select a location to store the Client Certificate.

Image 28: Exporting a Client Certificate Step 2

5.2.2 IPsec General Settings

More information about PKI, X.509, NAT Traversal and general IPsec configuration settings is available in the axsguard Gatekeeper IPsec How To, accessible by clicking on the permanently available Documentation button in the Administrator Tool.

Use the same settings as explained in section 4.2.1. Select the correct Server Certificate (as created on page 37, To generate a Server Certificate).

Caution: Configure your clients with the settings specific to your network.

5.2.3 Authentication Settings

Use the same settings as explained in section 4.2.2. For detailed information about authentication, consult the axsguard Gatekeeper authentication How To, accessible by clicking on the permanently available Documentation button in the Administrator Tool.

5.2.4 IKE Definition

Internet Key Exchange (IKE) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE uses a Diffie-Hellman key exchange to set up a shared session secret, from which cryptographic keys are derived. Detailed information about IKE and ESP Definitions is available in the axsguard Gatekeeper IPsec How To, which is accessible by clicking on the permanently available Documentation button.

In our example, we create a new IKE Definition using MD5, AES and DH Group 5:
1. Log on to the axsguard Gatekeeper as explained in the System Administration How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.
2. Navigate to VPN&RAS > IPsec > IKE.
3. Click on Add New.
4. Enter the settings as shown in the image below.
5. Click on Save.

Image 29: IKE Definition

Tip: You can easily create a new IKE Definition by selecting a predefined IKE Definition and clicking on Edit as New.

5.2.5 ESP Definition with PFS

Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. In IPsec it provides origin authenticity, integrity, and ensures the confidentiality of data.

In an authenticated key-agreement protocol that uses public key cryptography, perfect forward secrecy (or PFS) is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised.

Detailed information about IKE and ESP Definitions is available in the axsguard Gatekeeper IPsec How To, which is accessible by clicking on the permanently available Documentation button.

In our example, we create a new ESP Definition using AES, SHA1 and PFS:
1. Log on to the axsguard Gatekeeper as explained in the System Administration How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.
2. Navigate to VPN&RAS > IPsec > ESP.
3. Click on Add New.
4. Enter the settings as shown in the image below.
5. Click on Save.

Image 30: ESP Definition

Tip: You can easily create a new ESP Definition by selecting a predefined ESP Definition and clicking on Edit as New.

5.2.6 Tunnel Definition

This section explains how to configure the necessary Tunnel Definitions, containing the Local and Remote Parameters for use with the GreenBow IPsec client. Detailed information about Tunnel Definitions and IPsec configuration settings is available in the axsguard Gatekeeper IPsec How To, accessible by clicking on the permanently available Documentation button in the Administrator Tool.

To configure local parameters:
1. Log on to the axsguard Gatekeeper as explained in the System Administration How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.
2. Navigate to VPN&RAS > IPsec > Tunnels.
3. Click on Add New.
4. Enter the settings as shown below.

Image 31: IPsec with X.509 and PFS - Local Settings

Note: The CIDR notation (192.168.11.0/24) used on the axsguard Gatekeeper is the same as:
- Network Address: 192.168.11.0
- Netmask: 255.255.255.0

To configure remote parameters:
1. Click on the Remote Parameters Tab.
2. Enter the settings as shown below.
3. Click on Save.

Image 32: IPsec with X.509 and PFS - Remote Settings

Caution: The IPsec client setups in this How To are configured with the settings as shown above. Configure your Tunnel Definition and clients with the settings specific to your network.

5.2.7 User Account with DIGIPASS

Before a user can authenticate with a DIGIPASS to access the IPsec VPN, you need to make sure that:
- The user account exists on the axsguard Gatekeeper.
- The user has been assigned a DIGIPASS.
- The user is allowed access to the axsguard Gatekeeper IPsec VPN (User login enabled).

Follow the same procedure as explained in section 4.2.6 (page 24).

5.3 Client-Side Configuration

Caution: The IPsec client software used in this guide is freely available on the Internet and is merely used to provide configuration examples for user convenience. VASCO does not endorse or provide support for any particular brand / type of client software. Contact the software's manufacturer for support and documentation.

5.3.1 Installation

The installation of the clients is simple and similar to any other Windows program:
1. Log on to Windows XP with administrator privileges.
2. Download the GreenBow IPsec Client from: http://www.thegreenbow.com/vpn_down.html
3. Start the installation by double-clicking on the installation executable and follow the on-screen instructions.
4. Reboot your system.

5.3.2 Configuration

To start the GreenBow IPsec Client:
1. Click on Start.
2. Navigate to All Programs > The GreenBow > The GreenBow VPN.
3. Click on The GreenBow IPsec VPN Client. A screen similar to Image 33 is displayed.

Image 33: GreenBow VPN Client Configuration Screen

To add an IPsec connection:
1. Click on the Root icon as shown below.
2. Right click and select New Phase 1.

Image 34: Creating a new Phase 1 with GreenBow IPsec Client

To add an IPsec connection (Phase 1 configuration):
1. Enter a name for the new connection.
2. Set the Interface to Any.
3. Enter the Public IP address or Public host name of the axsguard Gatekeeper you are connecting to, e.g. 195.0.83.11 or axsguard.yourdomain.com, in the Remote Gateway field.
4. Check the Certificate option.
5. Set the IKE encryption to AES 128.
6. Set the IKE authentication to MD5.
7. Select DH Group 5.

Image 35: GreenBow General Phase 1 Settings

To import a Client Certificate:
1. Click on the Certificates Import button (see Image 35).
2. Set the Certificate location and type to Certificate from a PKCS#12 file.
3. Click on Import. A window will open to browse for the certificate.
4. Select the location where you stored the user's X.509 Client Certificate (see section 5.2.1).
5. Click once on the Certificate file.
6. Click on Open.
7. Enter the same Password (passphrase) as explained in To export a Client Certificate (page 38).
8. Click on OK.

Image 36: Importing a Client Certificate

Phase 1 Advanced Settings:
1. Click on the P1 Advanced button (see Image 35).
2. Do not enable Config Mode.
3. Do not enable Aggressive Mode (insecure).
4. Do not enter a Redundant Gateway.
5. Set NAT-T (NAT Traversal) to Automatic.
6. Enable X-Auth Popup.
7. Do not enable Hybrid Mode.
8. Select Subject from X509 as the Local ID and set the value to local.
9. Select any Remote ID, e.g. KEY ID, or leave this field blank (default). Do not set a value for the ID.
10. Click on OK.
11. Click on Save&Apply (see Image 35).

Image 37: Phase 2 - Advanced Settings

Creating a new Phase 2:
1. In the main screen (see Image 35), select the created Phase 1 Definition.
2. Right-click on the Phase 1 Definition.
3. Click on Add Phase 2 as shown below.

Image 38: Creating a new Phase 2 in GreenBow IPsec Client

Phase 2 Configuration:
1. Enter a name for the Phase 2 Definition, e.g. Tunnel 1.
2. Enter a VPN Client IP Address, e.g. 192.168.1.110. Make sure this IP address is not used in the LAN of the axsguard Gatekeeper you are connecting to. If you are unsure about the IP address, use one in another range, e.g. 10.0.0.5.
3. Enter the Remote LAN IP address (network address) of the axsguard Gatekeeper as entered in section 5.2.6, e.g. 192.168.11.0.
4. Enter the subnet mask of the axsguard Gatekeeper LAN as entered in section 5.2.6, e.g. 255.255.255.0.
5. Set the ESP encryption to AES 128.
6. Set the ESP authentication to SHA-1.
7. Set the Mode to Tunnel.
8. Enable PFS.
9. Set the DH Group to DH5.
10. Click on Save&Apply.

Image 39: Phase 2 Configuration in GreenBow IPsec Client

Phase 2 Advanced Settings:
1. Click on the P2 Advanced button (see Image 39).
2. Do not check any option under Automatic Open Mode.
3. Enter the IP address of the DNS server, e.g. 192.168.11.254. This is the LAN IP address of the axsguard Gatekeeper (see Tip below).
4. Do not enter a WINS Server.
5. Click on OK.
6. Click on Save&Apply (see Image 39).

Image 40: Phase 2 Advanced Settings

Tips:
- To view the LAN IP address of your axsguard Gatekeeper, navigate to Network > Devices > Eth and click on the appropriate secure device.
- You may also use the Active Directory DNS in your network, if available.

5.3.3 Testing your Connection

1. Start the GreenBow IPsec Client as explained in section 5.3.2 (page 44).
2. Click once on the Phase 2 Definition, e.g. Tunnel1 as shown below.
3. Click on Open Tunnel (see image below).

Image 41: Starting an IPsec Tunnel with GreenBow

4. Enter your user credentials (i.e. user name and DIGIPASS code) in the authentication screen as shown below. The tunnel should open almost immediately.

Image 42: GreenBow IPsec Client authentication Window

5. Once the tunnel is up (see below), open a Windows command prompt (navigate to Start > Run and type cmd followed by enter).
6. Ping the LAN IP address or DNS name of the axsguard Gatekeeper, e.g. ping 192.168.11.254, as explained in section 4.3.3 (page 34).
7. Test your DNS settings by pinging the internal DNS name of the axsguard Gatekeeper.

Image 43: Tunnel Status

Notes:
- If you can ping the IP address of the axsguard Gatekeeper, but not the DNS name, the problem is DNS-related. Verify the DNS configuration settings of your client if necessary.
- If you are using an Active Directory (AD) DNS server, make sure the internal DNS name of the axsguard Gatekeeper is added to its DNS repository. Consult the documentation of your AD server if necessary.

6 Certificate Revocation

6.1 Overview

This section explains how to refuse a connection from a particular client (configured with an X.509 client Certificate), simply by revoking the client Certificate on the axsguard Gatekeeper. The procedure is also explained in the axsguard Gatekeeper IPsec How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

Note: To refuse clients which are not authenticating with an X.509 Certificate, you must create an authentication Restriction as explained in the axsguard Gatekeeper authentication How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

6.2 Revoking a Client Certificate

To revoke a client Certificate:
1. Log on to the axsguard Gatekeeper as explained in the System Administration How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.
2. Navigate to PKI > Certificates.
3. Click on the Valid link of the Certificate you wish to revoke.
4. Enter the CA passphrase used during the CA initialization (see section 5.2.1).
5. Select a Revocation Reason.
6. Click on Revoke.

Image 44: Revocation of a Certificate

7 Troubleshooting

I cannot start the tunnel or the tunnel does not open.
1. Check the axsguard Gatekeeper IPsec logs, as explained in the axsguard Gatekeeper IPsec How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.
2. Check the Windows firewall settings. Check that the firewall is not blocking traffic towards UDP ports 500 and 4500.
3. If a dedicated software firewall is installed on the client, e.g. ZoneAlarm, make sure it is not blocking traffic towards UDP ports 500 and 4500 and that IP protocol 50 (ESP) is allowed. Consult your firewall Troubleshooting Documentation if necessary.
4. Check the firewall settings of your client's gateway. The gateway should allow traffic to the following UDP ports: 500, 4500. (Some gateways refer to this as VPN Passthrough.)
5. Make sure NAT traversal is enabled on the client's gateway (VPN Passthrough).
6. Check the allowed protocols on the client's gateway. Access should be allowed to IP protocol 50 (ESP).
7. Check the Phase 1 (IKE) parameters. They should match the Phase 1 parameters of the axsguard Gatekeeper, e.g. the encryption Algorithm, the Hashing Algorithm, the authentication Method (X.509), etc. If you are prompted for authentication, but are unable to proceed, it is more than likely that your Phase 2 parameters contain errors.
8. Check the Phase 2 (ESP) parameters. They should match the Phase 2 parameters of the axsguard Gatekeeper, e.g. the DH Group, the encryption Algorithm, etc.
9. The local parameters on the axsguard Gatekeeper are the remote parameters of the IPsec Client and vice versa. Make sure they are properly crossed.
10. If using DIGIPASS authentication, make sure the user has been assigned a DIGIPASS and is allowed to authenticate for IPsec, as explained in the axsguard Gatekeeper authentication How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.
11. If you purchased and enabled the axsguard Gatekeeper IPS Module, check the IPS logs for blocked traffic on UDP ports 4500 and 500.

Cautions:
- The axsguard Gatekeeper only supports IPsec in Tunnel Mode. This is the most secure option. AH (IP protocol 51) is not supported.
- Some countries, Internet Service Providers and intermediate networks do not allow IPsec traffic. You will not be able to establish a connection if this is the case.
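The CIDR note in section 4.2.5 and the "must match" and "properly crossed" rules in the list above can be checked mechanically before a first connection attempt. The following Python script is an added example, not part of this How To or of any VASCO or Shrew Soft software; the field names, the sample PSK and the reading of "long, complex" as at least 20 characters from three character classes are this example's own assumptions.

```python
"""Added example: cross-check a Shrew Soft profile against the axsguard
Gatekeeper tunnel definition used in this How To (constructed values)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class ServerTunnel:
    """Gatekeeper side: IKE/ESP Definitions and Tunnel Definition."""
    ike_cipher: str = "AES"                 # IKE Definition (Phase 1)
    ike_hash: str = "MD5"
    esp_cipher: str = "AES"                 # ESP Definition (Phase 2)
    esp_hmac: str = "SHA1"
    local_network: str = "192.168.11.0/24"  # Local Parameters, CIDR notation
    lan_ip: str = "192.168.11.254"          # Gatekeeper LAN address (DNS)
    psk: str = ""                           # Pre-Shared Key


@dataclass
class ShrewProfile:
    """Client side: values entered in the Shrew Soft Access Manager tabs."""
    phase1_cipher: str = "AES"
    phase1_hash: str = "MD5"
    phase2_transform: str = "ESP-AES"       # Shrew prefixes the cipher with ESP-
    phase2_hmac: str = "SHA1"
    policy_network: str = "192.168.11.0"    # Policy tab: network address
    policy_netmask: str = "255.255.255.0"   # Policy tab: netmask
    virtual_ip: str = "192.168.11.100"      # General tab: virtual adapter
    psk: str = ""


def cidr_to_netmask(cidr):
    """Expand CIDR (e.g. 192.168.11.0/24) into the network address and
    dotted netmask pair that the Shrew Soft Policy tab asks for."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.netmask)


def psk_is_strong(psk, min_len=20):
    """Assumed reading of 'long, complex': at least min_len characters and
    at least three of lower case, upper case, digits, other symbols."""
    classes = (any(c.islower() for c in psk), any(c.isupper() for c in psk),
               any(c.isdigit() for c in psk), any(not c.isalnum() for c in psk))
    return len(psk) >= min_len and sum(classes) >= 3


def check_profile(server, client):
    """Return the list of mismatches; an empty list means both sides agree."""
    problems = []
    # Phase 1 (IKE) must match, or negotiation fails before authentication.
    if client.phase1_cipher.upper() != server.ike_cipher.upper():
        problems.append(f"Phase 1 cipher mismatch: client {client.phase1_cipher}, "
                        f"server {server.ike_cipher}")
    if client.phase1_hash.upper() != server.ike_hash.upper():
        problems.append(f"Phase 1 hash mismatch: client {client.phase1_hash}, "
                        f"server {server.ike_hash}")
    # Phase 2 (ESP): strip Shrew's "ESP-" prefix before comparing.
    transform = client.phase2_transform.upper()
    if transform.startswith("ESP-"):
        transform = transform[4:]
    if transform != server.esp_cipher.upper():
        problems.append(f"Phase 2 transform mismatch: client "
                        f"{client.phase2_transform}, server {server.esp_cipher}")
    if client.phase2_hmac.upper() != server.esp_hmac.upper():
        problems.append(f"Phase 2 HMAC mismatch: client {client.phase2_hmac}, "
                        f"server {server.esp_hmac}")
    # Policy tab: network + netmask must equal the server's CIDR local
    # network (the server's local parameters are the client's remote ones).
    server_net = ipaddress.ip_network(server.local_network)
    try:
        client_net = ipaddress.ip_network(
            f"{client.policy_network}/{client.policy_netmask}")
    except ValueError:
        problems.append(f"Policy network {client.policy_network}/"
                        f"{client.policy_netmask} has host bits set")
    else:
        if client_net != server_net:
            problems.append(f"Policy network {client_net} does not match "
                            f"server network {server_net}")
    # The virtual adapter address must not be one already used on the LAN;
    # the Gatekeeper's own LAN address is the one this check knows about.
    vip = ipaddress.ip_address(client.virtual_ip)
    if vip == ipaddress.ip_address(server.lan_ip):
        problems.append(f"Virtual adapter address {vip} is the Gatekeeper LAN address")
    elif vip in (server_net.network_address, server_net.broadcast_address):
        problems.append(f"Virtual adapter address {vip} is not a host address")
    # Pre-Shared Key: identical on both sides, and long and complex.
    if client.psk != server.psk:
        problems.append("Pre-Shared Key differs between client and server")
    if not psk_is_strong(server.psk):
        problems.append("Pre-Shared Key is too short or too simple")
    return problems


# Constructed sample values; the PSK is an illustrative string, not a real key.
SAMPLE_PSK = "Kx7#pQ2v!mZ9rL4@wB8sTe3"
SERVER = ServerTunnel(psk=SAMPLE_PSK)
GOOD_CLIENT = ShrewProfile(psk=SAMPLE_PSK)
BAD_CLIENT = ShrewProfile(psk=SAMPLE_PSK, phase1_hash="SHA1",
                          policy_netmask="255.255.255.128",
                          virtual_ip="192.168.11.254")
```

Running check_profile(SERVER, BAD_CLIENT) reports the Phase 1 hash, the /25 Policy netmask and the virtual adapter clash with the Gatekeeper LAN address, which are exactly the three kinds of error items 7 to 9 above describe.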

I can start the tunnel, but I am unable to access the remote LAN (Shrew Soft Client)
1. Make sure you entered the correct network resource in the Policy (see the Policy Tab, page 32). Refer to the Shrew Soft IPsec Client's documentation if necessary.
2. Once the network resource has been updated, start the tunnel again and verify whether you can ping the axsguard Gatekeeper LAN IP (see section 4.3.3, page 34).
3. Verify the Virtual Adapter's IP Address (Shrew Soft, see the General Tab, page 26). Try an IP address in a different range than the axsguard Gatekeeper LAN.
4. Verify the Firewall settings on the axsguard Gatekeeper.
5. If the problem persists, consult the Shrew Soft online Documentation.

I can start the tunnel, but I am unable to access the remote LAN (GreenBow Client)
1. Verify the VPN Client Address (GreenBow, see page 44). Try an IP address in a different range than the axsguard Gatekeeper LAN.
2. Verify the Firewall settings on the axsguard Gatekeeper.
3. If the problem persists, consult the GreenBow online Documentation.

The user cannot authenticate
1. Make sure there is no Authentication Restriction for the user (see the axsguard Gatekeeper Authentication How To, which can be accessed by clicking on the permanently available Documentation button in the Administrator Tool).
2. If DIGIPASS Authentication is enforced, test the user's DIGIPASS (Authentication > VASCO DIGIPASS > DIGIPASS).
3. Make sure the user can log in (User login enabled, as shown below).

Image 45: User Login Enabled

8 Support

8.1 Overview

In this section we provide instructions on what to do if you have a problem, or experience a hardware failure.

8.2 If you encounter a problem

If you encounter a problem with a VASCO product, please follow the steps below:
1. Check whether your problem has already been solved and reported in section 7 or in the Knowledge Base at the following URL: http://www.vasco.com/support.
2. If there is no solution in the Knowledge Base, please contact the company which supplied you with the VASCO product.
3. If your supplier is unable to solve your problem, they will automatically contact the appropriate VASCO expert. If necessary, VASCO experts can access your axsguard Gatekeeper remotely to solve any problems.

8.3 Return procedure if you have a hardware failure

If you experience a hardware failure, please contact your VASCO supplier.
