VPNC Interoperability Profile




VPNC Interoperability Profile
Valid for Barracuda NG Firewall 5.0
Revision 1.1
Barracuda Networks Inc., 3175 S. Winchester Blvd, Campbell, CA 95008, http://www.barracuda.com

Copyright Notice
Copyright 2004-2010, Barracuda Networks, www.barracuda.com, v4.x-090623-06-1119. All rights reserved. Use of this product and this manual is subject to license. Information in this document is subject to change without notice.

Trademarks
Barracuda NG Firewall is a trademark of Barracuda Networks. All other brand and product names mentioned in this document are registered trademarks or trademarks of their respective holders.

Contents

Chapter 1 - Overview Scenario 1
  General
  VPNC Scenario 1 Overview
Chapter 2 - Connecting the Hardware
  General
Chapter 3 - Barracuda NG Admin
  General
  Logging In
  Barracuda NG Admin User Interface
Chapter 6 - Server and Services
  What is a Server?
  What is a Service?
  Introducing a Server
  Introducing a Service
Chapter 7 - Firewall Configuration
  General
  Firewall Rule for Traffic Between 10.5.6.0/24 and 172.23.9.0/24
Chapter 8 - VPN Configuration
  Creating a Server Certificate
  Introducing the IPSec Tunnel
Chapter 9 - Testing and Diagnostics
  Global Status
  Network Status
  VPN Status
  Network ICMP Ping
  Analyzing the Log Files
  Increasing the Log Level

Chapter 1 - Overview Scenario 1

1.1 General

The procedures described within this document may not accurately apply to boxes running older versions of Barracuda NG Firewall. Barracuda Networks recommends using this document only with the latest Barracuda NG Firewall firmware, 5.0.

This document describes how to configure a Barracuda NG Firewall 5.0 to implement the scenarios described by the VPN Consortium's interoperability specification. The specification scenarios were developed by the VPN Consortium; please refer to Documentation Profiles for IPsec Interoperability (http://www.vpnc.org/interopprofiles/interop-01.html).

1.2 VPNC Scenario 1 Overview

Fig. 1-1 Scenario 1 Overview

Gateway A (Barracuda NG Firewall)
  Internal interface: eth0
  External interface: eth1
  Internal IP address of interface eth0: 10.5.6.1
  External IP address of interface eth1: 14.15.16.17
  VPN network behind gateway A: 10.5.6.0/24

Gateway B (interoperable device)
  Internal IP address of interface eth0: 172.23.9.1
  External IP address of interface eth1: 22.23.24.25
  VPN network behind gateway B: 172.23.9.0/24

WAN Connection
  Gateway A reaches the internet via a gateway with the IP address 14.15.16.1.

Chapter 2 - Connecting the Hardware

2.1 General

Based on the guidelines of the VPNC Interoperability Profile, the Barracuda NG Firewall 5.0 uses the following configuration:
  Management IP address: 10.5.6.10
  Management interface: eth0
  External interface: eth1

1. Connect one end of a crossover CAT5 ethernet cable to the management port (eth0) of the Barracuda NG Firewall.
2. Connect the other end of the CAT5 ethernet cable to the workstation used to manage the Barracuda NG Firewall.
3. Modify the network settings of the workstation so that it resides in the same subnet as the Barracuda NG Firewall.

Once the hardware is connected, proceed to the configuration processes.

Chapter 3 - Barracuda NG Admin

3.1 General

The Barracuda NG Admin application (delivered with your Barracuda NG Firewall software) is the tool to administer Barracuda NG Firewall gateways as well as Barracuda NG Control Centers. It is a stand-alone executable and does not need to be installed on the workstation.

3.2 Logging In

1. Launch the Barracuda NG Admin application.
2. Select Box in the upper area of the login dialog.
3. Type 10.5.6.10 into the Box-Address field.
4. Type root into the Login field.
5. Enter the root password into the Password field. Click the Login button.

If this is the first login to the Barracuda NG Firewall, proceed by clicking Trust Key in the window that appears.

3.3 Barracuda NG Admin User Interface

The User Interface is divided into five functional sections.

Box Tabs
  The Box Tabs allow switching between all currently connected Barracuda NG Firewall boxes or Control Centers.
Ribbon Bar
  The Ribbon Bar is the main navigation and operation utility for the currently connected Barracuda NG Firewall or Control Center.
Main Window
Mini Map
  The mini map is minimized by default; click the star icon to open it.
Status Bar

Fig. 3-2 Barracuda NG Admin Interface (Box Tabs, Ribbon Bar, Main Window, Mini Map, Status Bar)

Chapter 4 - Network Configuration

4.1 Interfaces

In this scenario, the internal and external interfaces are defined as listed below:
  Internal interface: eth0 (the internal interface additionally acts as the management interface)
  External interface: eth1

4.1.1 Internal Interface (Management Interface / eth0)

The management interface may, if necessary, be configured by following these steps:

1. Navigate to Config > Network.
2. Click Lock to enable configuration mode.
3. Modify the Management IP (MIP) and the Associated Netmask.
4. Confirm the modifications by clicking Send Changes, followed by Activate.
5. Navigate to Control, then open the Box tab. Click Activate New within the Network Configuration view and click Force in the window that appears.

4.2 Routing

4.2.1 Device Route for the External Interface (eth1)

1. Connect the external interface (eth1) of the Barracuda NG Firewall to the internet.
2. Navigate to Config > Network.
3. Click Lock to enable configuration mode.
4. Click the Network Routes link on the left side of the window.
5. Click Insert to introduce routes to the Main Routing Table.
6. Type a Name for the route in the window that appears (e.g. 14-15-16-0) and confirm it by clicking OK.
7. In the window that appears, set the following values:
     Target Network Address: 14.15.16.0/24
     Route Type: direct
     Interface Name: eth1
8. Confirm the modifications by clicking Send Changes, followed by Activate.
9. Navigate to Control and open the Box tab.
10. Click Activate New in the Network Configuration view and click Force in the window that appears.

4.3 Gateway Route for the WAN Network

1. Navigate to Config > Network.
2. Click Lock to enable configuration mode.
3. Click the Network Routes link on the left side of the window.
4. Click Insert to introduce routes to the Main Routing Table.
5. Insert a Name for the route in the window that appears (e.g. 22-23-24-0) and confirm by clicking OK.
6. In the window that appears, set the following values:
     Target Network Address: 22.23.24.0/24
     Route Type: gateway
     Gateway: IP address of the default gateway (in this scenario, the default gateway is 14.15.16.1)
7. Confirm the modifications by clicking Send Changes, followed by Activate.
8. Navigate to Control and open the Box tab.
9. Click Activate New within the Network Configuration view and click Force in the window that appears.

Fig. 4-3 Network User Interface

The procedures described within this document may not accurately apply to boxes running older versions of Barracuda NG Firewall. Barracuda Networks recommends using this document only with the latest Barracuda NG Firewall firmware, 5.0.

Chapter 5 - Licensing

5.1 General

Operating a Barracuda NG Firewall without a valid license allows only an encryption level of DES or no encryption at all.

5.2 License Import

1. Navigate to Config > Box Licenses.
2. Click Lock to enable configuration mode.
3. Click Import and choose Import from File... in the list that appears.
4. Use the file browser that appears to navigate to the location of the license (*.lic) file.
5. Confirm the Certificate View window by clicking OK. Accept the End User License Agreement by selecting I Agree and then clicking OK.

Fig. 5-4 License Import

6. After installing all necessary licences, navigate to Config > Box Properties and set the Encryption Level to Full-Featured-Encryption.
7. Go to Control > Box and click the Barracuda Restart button. This command restarts all modules to guarantee that the installed licences are loaded correctly by each module of the Barracuda NG Firewall.

Chapter 6 - Server and Services

6.1 What is a Server?

The so-called Virtual Servers represent the network addresses under which certain services are available. Since a server may, for high availability purposes, be assigned to more than one box, the traditional notion of a server as a piece of hardware is extended by this concept. The server entity belongs to what we refer to as the logical layer.

6.2 What is a Service?

A service provides the required functionality; services make use of software modules. For example, the VPN service, responsible for all kinds of VPN functionality, is a typical service within the server-and-service concept of Barracuda NG Firewalls.

6.3 Introducing a Server

1. Navigate to Config > Virtual Servers.
2. Right-click the Virtual Servers configuration node and choose Create Server... from the context menu.
3. In the window that appears, set the following values:
     Server Name: vpnc
     Active Box: This-Box
     Backup Box: No-Backup
     Encryption Level: Full-Featured-Encryption
     First-IP [S1]: 14.15.16.17 (IP address of the external interface eth1)
     Second-IP [S2]: 10.5.6.1 (IP address of the internal interface eth0)
   For troubleshooting purposes it is recommended to enable Reply to Ping for both IP addresses.
4. Click Finish to complete the server configuration.
5. Confirm the modifications by clicking Send Changes, followed by Activate.

6.4 Introducing a Service

A successfully introduced virtual server is a prerequisite for introducing a specific service. In this scenario, a Firewall service and a VPN service are needed to set up a working IPSec VPN connection between two peers.

6.4.1 Create a Firewall Service

1. Navigate to Config > Virtual Servers > vpnc > Assigned Services.
2. Right-click the Assigned Services configuration node, then choose Create Service... from the context menu.
3. In the window that appears, set the following values:
     Disable Service: no
     Service Name: FW
     Software Module: Firewall
     Service Availability: All-IPs
4. Click Finish to complete the service configuration.
5. Confirm the modifications by clicking Send Changes, followed by Activate.

6.4.2 Create a VPN Service

1. Navigate to Config > Virtual Servers > vpnc > Assigned Services.
2. Right-click the Assigned Services configuration node, then choose Create Service... from the context menu.
3. In the window that appears, set the following values:
     Disable Service: no
     Service Name: VPN
     Software Module: VPN-Service
     Service Availability: First+Second-IP
4. Click Finish to complete the service configuration.
5. Confirm the modifications by clicking Send Changes, followed by Activate.

Chapter 7 - Firewall Configuration

7.1 General

By default, the firewall service is configured to block all traffic reaching the Barracuda NG Firewall. In order to allow specific traffic to pass, the firewall ruleset needs to be adjusted.

7.2 Firewall Rule for Traffic Between 10.5.6.0/24 and 172.23.9.0/24

1. Navigate to Config > Virtual Servers > vpnc > Assigned Services > FW (firewall) > Forwarding Rules.
2. Double-click the Forwarding Rules configuration node to open the Forwarding Firewall Ruleset.
3. Click Lock to enable configuration mode.
4. Right-click into the firewall ruleset table and choose New... from the context menu.
5. In the window that appears, set the following values:
     Rule Type: Pass
     Source: <explicit-src>. Right-click within the Source table and choose Edit... from the context menu. Type 10.5.6.0/24 into the IP field (Entry section), click New, and close the window by clicking OK.
     Service: ALL
     Destination: <explicit-dest>. Right-click within the Destination table and choose Edit... from the context menu. Type 172.23.9.0/24 into the IP field (Entry section), click New, and close the window by clicking OK.
     Policy: Activate the 2-Way checkbox.
     Connection: No Src NAT (Client)
   Click OK to finish the rule configuration.
6. Drag the newly created firewall rule to the top of the firewall ruleset.
7. Confirm the modifications by clicking Send Changes, followed by Activate.

Fig. 7-5 Firewall Rule

Chapter 8 - VPN Configuration

8.1 Creating a Server Certificate

1. Navigate to Config > Virtual Servers > vpnc > Assigned Services > VPN (vpnserver) > VPN Settings.
2. Click Lock to enable configuration mode.
3. Open the Settings tab, then click the Click here for Server Settings link.
4. In the Default Server Certificate section, click Ex/Import, then choose New/Edit Certificate.
5. Fill in all editable information in the Certificate View dialogue according to your organisation. Then confirm the form by clicking OK.
6. Generate a Default Key by clicking Ex/Import. Choose New 1024-Bit RSA Key.
7. Assign the public key to the self-signed certificate and generate the key by confirming the window that appears with Yes.
8. Confirm the modifications by clicking Send Changes, followed by Activate.

8.2 Introducing the IPSec Tunnel

1. Navigate to Config > Virtual Servers > vpnc > Assigned Services > VPN (vpnserver) > Site to Site.
2. Click Lock to enable configuration mode.
3. Open the IPSEC Tunnels tab.
4. Right-click into the IPSec tunnels list and choose New IPSec tunnel from the context menu.

8.2.1 General Tunnel Settings

5. Name: e.g. ipsectunnel
6. Local Address: 14.15.16.17
7. Remote Address: 22.23.24.25
8. Direction: Active

8.2.2 IPSec Phase1

9. Encryption: 3DES
10. Hash Meth.: SHA
11. DH-Group: Group2
12. Lifetime [sec]: 28800

8.2.3 IPSec Phase2

13. Encryption: 3DES
14. Hash Meth.: SHA
15. DH-Group: Group2
16. Lifetime [sec]: 3600

8.2.4 Networks

17. Enter 10.5.6.0/24 into the Network Address field and add it to the Local list by clicking the Add button on the left side.
18. Enter 172.23.9.0/24 into the Network Address field and add it to the Remote list by clicking the Add button on the right side.

8.2.5 Authentication

19. Open the Authentication tab of the IPSec Tunnel dialogue.
20. Set Identification Type to Shared Passphrase.
21. Within the Partner Identification section, type hr5xb8416aa9r6 into the Passphrase text box.
22. Finish the IPSec tunnel configuration by clicking OK.
23. Confirm the modifications by clicking Send Changes, followed by Activate.

Fig. 8-6 IPSec Tunnel Configuration

Chapter 9 - Testing and Diagnostics

9.1 Global Status

The Control window provides a general overview of the box and the status of its most important basic functions.

Table 9-1 Status Icons
  Line: Overview
  Description: Displays an overview of the system by using a color code (<blank> - everything is OK; yellow - something is not working properly and a check is recommended; red - something is not working properly and a check is mandatory) and the following icons:
    Status of the servers
    Status of the network
    Status of the processes
    Disk usage
    Validity of certificates/licenses
    Status of the box
    Status of the operative-relevant event monitoring
    Status of the security-relevant event monitoring

9.2 Network Status

The Config > Network tab provides an overview of all configured network interfaces, active IP addresses and routing tables.

Fig. 9-7 Network Status

9.3 VPN Status

The VPN status user interface provides an overview of the currently active VPN tunnels; double-clicking a listed tunnel displays all available tunnel details. The status user interface is accessible via the VPN button on the left side of the Barracuda NG Admin administration tool.

Fig. 9-8 VPN Status

9.4 Network ICMP Ping

9.4.1 Ping: Outside Interface to Outside Interface

The following steps describe how to test the IPSec tunnel by sending five ICMP packets from the outside interface of gateway A to the outside interface of gateway B.

1. Navigate to SSH to open the command line interface of gateway A. If this is the first time you connect to the command line interface, you will be prompted to accept the authentication check. Do this by clicking the Trust Key button in the respective dialog window.
2. Log in as root by typing the root password.
3. Type the following command at the command line, followed by pressing the Enter key:
     ping 22.23.24.25 -c 5

9.4.2 Ping: Inside Interface to Inside Interface

The following steps describe how to test the IPSec tunnel by sending five ICMP packets from the inside interface of gateway A to the inside interface of gateway B.

1. Navigate to SSH to open the command line interface of gateway A. If this is the first time you connect to the command line interface, you will be prompted to accept the authentication check. Do this by clicking the Trust Key button in the respective dialog window.
2. Log in as root by typing the root password.
3. Type the following command at the command line, followed by pressing Enter:
     ping -I 10.5.6.1 172.23.9.1 -c 5

9.5 Analyzing the Log Files

For troubleshooting tunnel connection problems, the most significant information is found by analysing the VPN log files. Navigate to Logs to open the Log Viewer.

9.5.1 IKE Log

The IKE log file is accessible by navigating within the log tree to vpnc > VPN > ike.

9.5.2 VPN Log

The general VPN log file is accessible by navigating within the log tree to vpnc > VPN > VPN.

9.6 Increasing the Log Level

For a more detailed log output, it is possible to increase the log level of the VPN service.

1. Navigate to SSH to open the command line interface of the Barracuda NG Firewall. If this is the first time you connect to the command line interface, you will be prompted to accept the authentication check. Do this by clicking the Trust Key button in the respective dialog window.
2. Type the following command at the command line, followed by pressing Enter:
     ipsecctrl isakmpd buglevel <log level>
   Replace <log level> with a number between 0 and 99, where 0 is the lowest and 99 the highest possible log level.
3. Confirm the modifications by clicking Send Changes, followed by Activate.

Chapter 10 - Overview IPSec Client to Site

10.1 General

The procedures described within this document may not accurately apply to boxes running older versions of Barracuda NG Firewall. Barracuda Networks recommends using this document only with the latest Barracuda NG Firewall firmware, 5.0.

This document describes how to configure a Barracuda NG Firewall 5.0 to implement the scenarios described by the VPN Consortium's interoperability specification. The specification scenarios were developed by the VPN Consortium; please refer to Documentation Profiles for IPsec Interoperability (http://www.vpnc.org/interopprofiles/interop-01.html).

10.2 VPNC Scenario 1 Overview

Fig. 1-9 Scenario 1 Overview

Barracuda NG Firewall
  Internal interface: Port2
  External interface: Port3
  Internal IP address of interface Port2: 10.5.6.1
  External IP address of interface Port3: 14.15.16.17
  VPN network behind gateway A: 10.5.6.0/24

IPSec VPN Client
  The IPSec VPN Client connects to the corporate network through the VPN point of entry at 14.15.16.17.

Chapter 11 - Basic Configuration

For the basic configuration of a Barracuda NG Firewall that meets the requirements of the following description, please refer to these sections:
  What is a Server?
  What is a Service?
  Introducing a Server
  Introducing a Service

Chapter 12 - VPN Server Configuration

12.1 Basic Server Configuration

1. Navigate to Config > Virtual Servers > vpnc > Assigned Services > VPN (vpnserver) > VPN Settings.
2. Click Lock to enable configuration mode.
3. Open the Settings tab, then click the Click here for Server Settings... link.
4. In the Default Server Certificate section, click Ex/Import. Depending on the format of the available certificate, choose either Import PEM from file... or Import from PKCS12...
5. Generate a Default Key by clicking Ex/Import. Choose New 2048-Bit RSA Key.
6. Assign the public key to the certificate and generate the key by confirming the window that appears with Yes.
7. Click OK.
8. Open the Root Certificates tab, right-click to open the context menu and select either Import PEM from file... or Import CER from file... to import the client root certificate.
9. Open the Personal Networks tab.
10. Right-click and select New VPN Network... from the context menu.
11. In the window that appears, enter the following values:
      Name: Name for the VPN network
      Network Address: 192.168.1.0
      Network Mask: 24
      Gateway: 192.168.1.254
      Type: routed (Static Route)
12. Confirm the modifications by clicking Send Changes, followed by Activate.

12.2 Introducing the IPSec Tunnel

1. Navigate to Config > Virtual Servers > vpnc > Assigned Services > VPN (vpnserver) > Client to Site.
2. Click Lock to enable configuration mode.
3. Open the External CA tab, followed by the IPSec tab.
4. Double-click the default Phase 1 entry and enter the following values:
     Encryption: AES
     Hash Meth.: SHA
     DH-Group: Group2
     Time: 3600
     Minimum: 1200
     Maximum: 4800
5. Right-click into the Phase 2 table, select New phase II... and enter the following values:
     Encryption: AES
     Hash Meth.: SHA
     DH-Group: Group2
     Time: 3600
     Minimum: 1200
     Maximum: 4800
6. Open the Group Policy tab and then click Click here for options...
7. Mark the X509 Certificate checkbox and click OK.
8. Right-click and select New Group Policy... from the context menu.
9. In the window that appears, enter the following values:
     Name: Name for the Group Policy
     Network: select the previously created personal network
     Network Routes: right-click, select Insert IP... and enter 10.5.6.0/24
10. Open the IPSec tab (within the Edit Group Policy window).
11. Disable the checkbox next to the IPSec Phase II - Settings to enable the drop-down menu and select the previously created phase 2.
12. Right-click into the Group Policy Condition table and select New Rule...
13. In the window that appears, click Edit/Show within the X509 Certificate Conditions section.
14. Select emailaddress (email Address) (or any other condition from the drop-down menu), enter the desired Subject, click Add/Change and close by clicking OK.
15. Make sure the IPSec Client checkbox is enabled.
16. Close the Group Policy Condition window and the Edit Group Policy window by clicking OK.

12.3 Firewall Rule

1. Navigate to Config > Virtual Servers > vpnc > Assigned Services > FW (firewall) > Forwarding Rules.
2. Double-click the Forwarding Rules configuration node to open the Forwarding Firewall Ruleset.
3. Click Lock to enable configuration mode.
4. Right-click into the firewall ruleset table and choose New... from the context menu.
5. In the window that appears, set the following values:
     Rule Type: Pass
     Source: <explicit-src>. Right-click within the Source table and choose Edit... from the context menu. Type 10.5.6.0/24 into the IP field (Entry section), click New, and close the window by clicking OK.
     Service: ALL
     Destination: <explicit-dest>. Right-click within the Destination table and choose Edit... from the context menu. Type 192.168.1.0/24 into the IP field (Entry section), click New, and close the window by clicking OK.
     Policy: Activate the 2-Way checkbox.
     Connection Method: No Src NAT (Client)
   Click OK to finish the rule configuration.
6. Drag the newly created firewall rule to the top of the firewall ruleset.
7. Confirm the modifications by clicking Send Changes, followed by Activate.

Fig. 3-10 Firewall Rule

Chapter 13 - VPN Client Configuration: NCP Secure Client

13.1 Configuring the Client

1. Copy the self-signed server certificate or a server certificate to the following folder: program files > ncp > secure client > cacerts
2. Launch the NCP Secure Client.
3. Navigate to Configuration > Profiles.
4. Click Add/Import to create a new profile.
5. Select Link to Corporate Network Using IPsec.
6. Enter a Profile Name.
7. Select the desired Communication Media.
8. Enter the following Gateway (Tunnel Endpoint): 14.15.16.17.
9. Select main mode in the Exchange Mode drop-down menu.
10. Select DH-Group 2 (1024 Bit) in the PFS Group drop-down menu.
11. Select Fully Qualified Username as the Local identity (IKE) Type and enter the ID client@barracuda.com (this string needs to match the SubAltName string of the client certificate).
12. Select IKE Config Mode in the IP Address Assignment drop-down menu.
13. Finish the configuration wizard.
14. Launch the NCP Secure Client.
15. Click Configuration > Profiles.
16. Select your profile and click Edit.
17. Select IPSec General Settings and set IKE Policy to RSA Signature, IPsec Policy to ESP-AES128-MD5, Exch. Mode to main mode and PFS Group to DH-Group 2 (1024 Bit).
18. Click Policy Lifetimes... and set the following values:
      IKE Policy - Life Time: 000:01:00:00
      IPsec Policy - Life Type: Life Time
      IPsec Policy - Life Time: 00:01:00:00
19. Click Policy Editor... and set the following values:
      RSA Signature: RSA-Signature / AES 128 Bit / SHA / DH-Group 2 (1024 Bit)
      ESP-AES128-MD5: ESP / AES128 / SHA
20. Open the Identities settings, disable the Pre-shared Key checkbox and select Standard certificate configuration in the Certificate configuration drop-down menu.
21. Close the Profile Configuration.
22. In the NCP Secure Client main window, click Configuration > Certificates.
23. Select Standard certificate configuration and click Edit. In the Certificate drop-down menu, select the desired certificate format and import your certificate. Make sure the PIN of the certificate is at least 4 digits long.

13.2 Establish a Client to Site IPSec Connection

1. Launch the NCP Secure Client.
2. Select the desired profile and click the Connection button.
3. Enter the correct certificate PIN.
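Before the ike log (section 9.5.1) is worth reading, both ends of each tunnel in this guide must agree on the phase 1 and phase 2 parameters. The following script is an added example, not code from this guide, Barracuda or NCP: it transcribes the site-to-site values of chapter 8 and the client-to-site values of chapters 12 and 13, assumes gateway B uses the same VPNC Scenario 1 parameters as gateway A, converts the NCP lifetime notation to seconds, and reports mismatches that abort the negotiation separately from lifetime skew and from algorithms that match but are legacy (3DES, 1024-bit DH group 2).

```python
"""Cross-check the IKE phase 1 / phase 2 proposals this guide configures on the
Barracuda side against what the peer offers.  Added example, not Barracuda or
NCP code.  Assumed: gateway B uses the same VPNC Scenario 1 parameters as
gateway A; the NCP client values come from the chapter 13 profile."""
from dataclasses import dataclass

# Algorithms this guide uses that a current deployment should treat as legacy.
# Matching the peer is necessary for the tunnel to come up; it says nothing
# about strength, so these are reported separately as warnings.
LEGACY_ENC = {"DES": "56-bit key, broken",
              "3DES": "64-bit block cipher, SHOULD NOT per RFC 8221"}
LEGACY_HASH = {"MD5": "deprecated integrity algorithm"}
LEGACY_DH = {"Group1": "768-bit MODP, broken",
             "Group2": "1024-bit MODP, SHOULD NOT per RFC 8247 (IKEv2 guidance)"}


@dataclass(frozen=True)
class Proposal:
    enc: str       # encryption algorithm as named in the GUI, e.g. "3DES", "AES"
    hash: str      # "Hash Meth." value, e.g. "SHA", "MD5"
    dh: str        # Diffie-Hellman / PFS group, e.g. "Group2"
    lifetime: int  # SA lifetime in seconds


def ncp_lifetime_seconds(text):
    """Convert an NCP Secure Client lifetime such as '000:01:00:00' or
    '00:01:00:00' (days:hours:minutes:seconds, leading fields optional)
    into seconds so it can be compared with the Barracuda 'Lifetime [sec]'."""
    parts = [int(p) for p in text.split(":")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("expected up to four colon-separated fields: " + text)
    units = [86400, 3600, 60, 1][-len(parts):]  # right-align on seconds
    return sum(value * unit for value, unit in zip(parts, units))


def mismatches(local, remote):
    """Attributes on which the two proposals disagree.  In IKEv1 an enc, hash
    or dh disagreement ends the exchange (NO_PROPOSAL_CHOSEN in the ike log);
    a lifetime disagreement normally just lets the shorter value win."""
    return [name for name in ("enc", "hash", "dh", "lifetime")
            if getattr(local, name) != getattr(remote, name)]


def legacy_findings(proposal):
    """Human-readable reasons a proposal relies on algorithms to retire."""
    findings = []
    for table, value in ((LEGACY_ENC, proposal.enc),
                         (LEGACY_HASH, proposal.hash),
                         (LEGACY_DH, proposal.dh)):
        if value in table:
            findings.append(f"{value}: {table[value]}")
    return findings


def check_tunnel(name, local_p1, remote_p1, local_p2, remote_p2):
    """Report dict: 'fatal' holds mismatches that stop the tunnel from coming
    up, 'warnings' holds lifetime skew and legacy algorithms on the local side."""
    fatal, warnings = [], []
    for phase, local, remote in (("phase1", local_p1, remote_p1),
                                 ("phase2", local_p2, remote_p2)):
        for attr in mismatches(local, remote):
            entry = (f"{phase} {attr}: local={getattr(local, attr)} "
                     f"remote={getattr(remote, attr)}")
            (warnings if attr == "lifetime" else fatal).append(entry)
        warnings.extend(f"{phase} {f}" for f in legacy_findings(local))
    return {"tunnel": name, "fatal": fatal, "warnings": warnings}


# Chapter 8: site-to-site phase 1 / phase 2 as configured on gateway A.
GW_A_P1 = Proposal("3DES", "SHA", "Group2", 28800)
GW_A_P2 = Proposal("3DES", "SHA", "Group2", 3600)
# Assumed: gateway B is set up with the same VPNC Scenario 1 parameters.
GW_B_P1, GW_B_P2 = GW_A_P1, GW_A_P2

# Chapter 12: client-to-site phase 1 / phase 2 on the VPN server (Time: 3600).
SERVER_P1 = Proposal("AES", "SHA", "Group2", 3600)
SERVER_P2 = Proposal("AES", "SHA", "Group2", 3600)
# Chapter 13: NCP profile, IKE lifetime 000:01:00:00, IPsec lifetime 00:01:00:00.
NCP_P1 = Proposal("AES", "SHA", "Group2", ncp_lifetime_seconds("000:01:00:00"))
NCP_P2 = Proposal("AES", "SHA", "Group2", ncp_lifetime_seconds("00:01:00:00"))
# Constructed variant: the policy named ESP-AES128-MD5 left at MD5 instead of
# the SHA the guide sets in the Policy Editor, a typical reason phase 2 fails.
NCP_P2_MD5 = Proposal("AES", "MD5", "Group2", 3600)


def site_to_site_report():
    return check_tunnel("ipsectunnel", GW_A_P1, GW_B_P1, GW_A_P2, GW_B_P2)


def client_to_site_report(client_p2=NCP_P2):
    return check_tunnel("client-to-site", SERVER_P1, NCP_P1, SERVER_P2, client_p2)


if __name__ == "__main__":
    for report in (site_to_site_report(), client_to_site_report(),
                   client_to_site_report(NCP_P2_MD5)):
        print(report["tunnel"], "fatal:", report["fatal"])
        print("  warnings:", report["warnings"])
```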
