HOWTO: How to configure SSL VPN tunnel gateway (office) to gateway




How-to guides for configuring VPNs with GateDefender Integra

Panda Security wants to ensure you get the most out of GateDefender Integra. For this reason, we offer you all the information you need about the characteristics and configuration of the product. Refer to http://www.pandasecurity.com/ and http://www.pandasecurity.com/enterprise/support/ for more information.

How-to guides for Panda GateDefender Integra

The software described in this document is delivered under the terms and conditions of the end user license agreement and can only be used after accepting the terms and conditions of said agreement. The anti-spam technology in this product is provided by Mailshell. The web filtering technology in this product is provided by Cobion.

Copyright notice: Panda 2007. All rights reserved. Neither the documents nor the programs that you may access may be copied, reproduced, translated or transferred to any electronic or readable media without prior written permission from Panda, c/ Buenos Aires, 12 48001 Bilbao (Biscay) Spain.

Registered Trademarks: Panda Security. TruPrevent: Registered in U.S.A. Patent and Trademark Office. Windows Vista and the Windows logo are trademarks or registered trademarks of Microsoft Corporation in the United States and other countries. All other product names may be registered trademarks of their respective owners. D. L. BI-1915-07 Panda 2007. All rights reserved.

INDEX

HOW TO CONFIGURE SSL VPNS GATEWAY-TO-GATEWAY ... 3
1.1 SCENARIO SETUP ... 3
1.2 CONFIGURATION USING STATIC KEYS ... 5
1.2.1 Gateway A Setup ... 5
1.2.2 Gateway B Setup ... 8
1.3 CONFIGURATION USING TLS FOR VALIDATION ... 10
1.3.1 Gateway A Setup (Server mode) ... 10
1.3.2 Gateway B Setup (Client mode) ... 15
1.4 ESTABLISHING A VPN CONNECTION ... 18
1.5 FURTHER CONSIDERATIONS ... 19
1.6 CONFIGURATION CHECKING ... 20

Symbols and styles used in this documentation

Symbols used in this documentation:
Note. Clarification and additional information.
Important. Highlights the importance of a concept.
Tip. Ideas to help you get the most from your program.
Reference. Other references with more information of interest.

Fonts and styles used in the documentation:
Bold: Names of menus, options, buttons, windows or dialog boxes.
Code style: Names of files, extensions, folders, command line information or configuration files, for example, scripts.
Italics: Names of options related with the operating system and programs or files with their own name.

Panda GateDefender Integra Page 2 of 21

How to configure SSL VPNs gateway-to-gateway

SSL (Secure Socket Layer) is a security protocol that safeguards access to information circulating through Internet protocols (HTTP, SMTP, FTP, etc.) by symmetrically encrypting the data. Access to this data is only possible with the correct key. Panda GateDefender Integra allows you to create and modify SSL VPNs with remote users and offices.

Panda GateDefender Integra includes a VPN system to create your own virtual private networks, widening the reach of your network and ensuring confidential connections. The purpose of this guide is to describe the steps to create an SSL virtual private network (VPN) with Panda GateDefender Integra, using real data.

Note: It is taken for granted that the Panda GateDefender Integra appliance is already configured, at least basically, and working. For further information about how to install and configure Panda GateDefender Integra, refer to the Installation Guide.

Important: Panda GateDefender Integra must be working in Router mode. Otherwise, you will not be able to use the VPN system.

1.1 Scenario Setup

The illustration below shows a typical gateway-to-gateway SSL VPN scenario:

Figure 4.1 SSL gateway-to-gateway VPN

This kind of configuration requires that one of the gateways operates as a server and the other one in client mode. In this how-to, gateway A will have the server role and its external local IP will be 62.14.249.65. The server will listen on UDP port 1194 for an incoming connection from clients (sub-offices).

The figure shows that the eth0 interface has been assigned a public IP. In the most common configurations, Integra's eth0/WAN interface will usually have a private IP address, and one of the devices located between Integra and the ISP connection (for example an ADSL router/modem, cable modem, etc.) will have the NAT option enabled and will hold the public IP (dynamic or static). The public-IP-on-eth0 approach has been used here to simplify the document and focus on the VPN configuration. For more information, refer to the How-to guides available about SNAT and DNAT configurations and port mapping.

Hosts that belong to local subnet A (192.168.10.0/24 in this how-to) must have Integra A's LAN IP 192.168.10.1 configured as their gateway to local subnet B (192.168.20.0/24). The same is valid for the hosts on local subnet B; their gateway to local subnet A will be 192.168.20.1. The route could be defined as a default gateway or as an explicit route. For the following how-to, we assume that Integra's LAN IP is the default gateway for the corresponding hosts on Integra's local subnets.

In order to authenticate each other, there are two possibilities to configure the SSL VPN gateway-to-gateway connection: to use static keys or to use certificates (TLS).

1.2 Configuration using static keys

1.2.1 Gateway A Setup

The first step when configuring this kind of SSL VPN will be to define a group of IP addresses that corresponds to the SSL remote subnet (the one that resides on the other gateway), that is, the subnet you want hosts from the SSL local subnet to be able to connect to. In order to define the SSL remote subnet, follow the steps below:

1. Access the Definitions section of the main Panda GateDefender Integra console menu.
2. Select IP addresses.
3. In the Groups section, click on Add. A descriptive name of the group must be provided (ssl remote subnet will be used in this how-to) in the Name field and the IP range (192.168.20.0/24 will be used in this how-to) in the IP/Mask radio button section.
4. Click on Add IP. Finally, click on Add to save the changes.

IMPORTANT: Remember that SSL remote subnets must be different from SSL local subnets or any other subnets that are already used in any other VPN configuration (including other kinds of protocols). If not, routing from local subnet A to local subnet B would not be possible.

The steps below describe how to configure SSL VPN gateway A using the previously defined elements.

1. Go to the Panda GateDefender Integra administration console.
2. Click on VPN in the panel on the left.
3. Then, select VPN management.
4. Click on SSL VPN management and select the Remote offices tab.
5. Click on Add to define the new VPN.

There you will find the parameters required to configure a VPN in Panda GateDefender Integra using the SSL protocol in server mode (as shown in figure 4.2):

Mode: select the option Server mode.
Name: enter a descriptive name for the VPN (VPN SSL server STATIC will be used for this how-to).
Server port: enter the connection server port (default port 1194 will be used for this how-to).
Protocol: choose the protocol that will be used for encapsulation (default protocol UDP will be used in this how-to). Note that the TCP protocol is considered more secure, but slows down communications. UDP makes fewer checks and is therefore faster.
Validation type: Choose Static key as the type of validation to use for the VPN.

Static key: Enter a static key to use in this textbox (use the same static key for gateway B).
External local IP: Select the type of local IP through which it will listen, DHCP or fixed IP (for the purpose of this how-to choose fixed IP) and enter the fixed IP address 62.14.249.65.
Local IP: Enter the local private IP address (10.9.8.1 will be used for this how-to).
Remote IP: Enter the remote private IP address (10.9.8.2 will be used for this how-to).
Remote subnets: Enter local subnet B (the remote subnet from the gateway A point of view). The previously defined SSL remote subnet will be used for this how-to, which is 192.168.20.0/24.

Figure 4.2

Click on Add to save the changes. Then, select the Active checkbox to enable the server side configuration, as shown in figure 4.3.

Figure 4.3

1.2.2 Gateway B Setup

Again, the first step in the gateway B side configuration will be to define a group of IP addresses that corresponds to the SSL remote subnet (the one that resides on gateway A), that is, the subnet you want hosts from the SSL local subnet to be able to connect to. To define the SSL remote subnet, follow the steps described below:

1. Access the Definitions section of the main Panda GateDefender Integra console menu.
2. Select IP addresses.
3. In the Groups section, click on Add. A descriptive name of the group must be provided (ssl remote subnet will be used for this how-to) in the Name field and the IP range (192.168.10.0/24 will be used in this how-to) in the IP/Mask radio button section.
4. Click on Add IP. Finally, click on Add to save the changes.

IMPORTANT: Remember that SSL remote subnets must be different from SSL local subnets or any other subnets that are already used in other VPN configurations (including other kinds of protocols). If not, routing from local subnet B to local subnet A would not be possible.

The steps below describe how to configure SSL VPN gateway B using the previously defined elements.

1. Go to the Panda GateDefender Integra administration console.
2. Click on VPN in the panel on the left.
3. Then, select VPN management.
4. Click on SSL VPN management and select the Remote offices tab.
5. Click on Add to define the new VPN.

There you will find the parameters required to configure a VPN in Panda GateDefender Integra using the SSL protocol in client mode (as shown in figure 4.4):

Mode: select the option Client mode.
Name: enter a descriptive name for the VPN (VPN SSL client STATIC will be used for this how-to).
Public IP of the server: Enter the remote public IP of the server (65.14.249.65 will be used for this how-to).
Server port: enter the connection server port (default port 1194 will be used for this how-to).
Protocol: Choose the protocol that will be used for encapsulation (default protocol UDP will be used in this how-to). Note that the TCP protocol is considered more secure, but slows down communications. UDP makes fewer checks and is therefore faster.
Validation type: Choose Static key as the type of validation to use for the VPN.

Static key: Enter a static key to use in this textbox (copy the same static key that was used on the gateway A side).
Local IP: Enter the local private IP address (10.9.8.2 will be used for this how-to).
Remote IP: Enter the remote private IP address (10.9.8.1 will be used for this how-to).
Remote subnets: Enter local subnet A (the remote subnet from the gateway B point of view). The previously defined SSL remote subnet will be used for this how-to: 192.168.10.0/24.

Figure 4.4

1.3 Configuration using TLS for validation

1.3.1 Gateway A Setup (Server mode)

This section will focus only on the part of the SSL VPN configuration using TLS that is different from the one using a static key. The part of the configuration regarding how to define an SSL remote subnet is the same as explained in the previous section for the configuration of gateway A with a static key.

The first step to follow when configuring an SSL VPN that uses TLS for validation will be to import the required certificates. Certificates are required for authentication purposes. You need to import the public certificate of the CA that signed the certificate of the remote peer. It is also necessary to import the Integra VPN gateway A local certificate.

In order to import the CA, follow the procedure below:

1. Go to the VPN section of the main Panda GateDefender Integra console menu.
2. Select Digital certificate management.
3. In the CA certificates section, click on the Import button. Enter the Certificate name (ca will be used in this how-to). Click on Browse to select the certificate you want to import. Click on Import once you have chosen the CA certificate that you wish to import.

Figure 4.5

In order to import the local gateway A certificate, follow the procedure below:

1. Go to the VPN section of the main Panda GateDefender Integra console menu.
2. Select Digital certificate management and, in the Local certificates section, click on the Import button. Select whether you want to Import a certificate pending signing or Import a certificate with private key issued by a CA. If you select Import certificate with private key, enter the PKCS12 Certificate Name (server will be used in this how-to) and, optionally, the Password.
3. Click on Browse to select the certificate you want to import.
4. Click on Import once you have chosen a certificate.

Figure 4.6

Once the CA and local gateway A certificates have been imported successfully, a screen similar to the one shown below (figure 4.7) is displayed.

Figure 4.7

Note that if you select Import certificate with private key, you can only import local certificates that conform to the PKCS12 format (the file has a .p12 or .pfx extension).

The steps below describe how to configure SSL VPN gateway A with TLS using the previously defined elements.

1. Go to the Panda GateDefender Integra administration console.
2. Click on VPN in the panel on the left.
3. Then, select VPN management.
4. Click on SSL VPN management and select the Remote offices tab.
5. Click on Add to define the new VPN.

There you will find the parameters required to configure a VPN in Panda GateDefender Integra using the SSL protocol in server mode (as shown in figure 4.8):

Figure 4.8

Mode: select the option Server mode.
Name: enter a descriptive name for the VPN (SSL VPN server TLS will be used for this how-to).
Server port: enter the connection server port (default port 1194 will be used for this how-to).
Protocol: choose the protocol that will be used for encapsulation (default protocol UDP will be used in this how-to). Note that the TCP protocol is considered more secure, but slows down communications. UDP makes fewer checks and is therefore faster.
Validation type: Choose TLS as the type of validation to use for the VPN.
Local certificate: Use the drop-down menu to select the certificate you want (server will be used in this how-to).
Validation CA of the remote certificate: The remote office identified with a certificate must present the CA signature. Use the drop-down menu to select the CA certificate you want (ca will be used in this how-to).

Server Common Name: In this field it is compulsory to enter the CN (Common Name) of the other gateway, in this case, the client. The CN can be obtained from the CN field of the client's .crt certificate.
External local IP: Select the type of local IP through which it will listen, DHCP or fixed IP (for the purpose of this how-to, choose fixed IP) and enter the fixed IP address 62.14.249.65.
Local IP: Enter the local private IP address (10.9.8.1 will be used for this how-to).
Remote IP: Enter the remote private IP address (10.9.8.2 will be used for this how-to).
Remote subnets: Enter local subnet B (the remote subnet from the gateway A point of view). The previously defined SSL remote subnet will be used for this how-to, which is 192.168.20.0/24.

1.3.2 Gateway B Setup (Client mode)

This section will focus only on the part of the SSL VPN configuration using TLS that is different from the one using a static key. The part of the configuration referring to defining an SSL remote subnet is the same as explained above in the corresponding section for the configuration of gateway B with a static key.

The first step when configuring an SSL VPN that uses TLS for validation will be to import the required certificates. Certificates are required for authentication purposes. You need to import the public certificate of the CA that signed the certificate of the remote peer. It is also necessary to import the Integra VPN gateway B local certificate.

Note: This gateway B certificate must be a client certificate, not another server certificate.

In order to import the CA and local gateway B certificates (remember that gateway B will act as a client in this configuration), follow the procedures already explained when configuring gateway A. Once the CA and local gateway B certificates have been imported successfully, you will see a screen similar to the one shown below (figure 4.9).

Figure 4.9

The steps below describe how to configure SSL VPN gateway B with TLS using the previously defined elements.

a. Go to the Panda GateDefender Integra administration console.
b. Click on VPN in the panel on the left.
c. Then, select VPN management.
d. Click on SSL VPN management and select the Remote offices tab.
e. Click on Add to define the new VPN.

There you will find the parameters required to configure a VPN in Panda GateDefender Integra using the SSL protocol in client mode (as shown in figure 4.10):

Figure 4.10

Mode: select the option Client mode.
Name: enter a descriptive name for the VPN (VPN SSL client TLS will be used for this how-to).
Public IP of the server: Enter the remote public IP of the server (62.14.249.65 will be used in this how-to).

Server port: enter the connection server port (default port 1194 will be used for this how-to).
Protocol: choose the protocol that will be used for encapsulation (default protocol UDP will be used in this how-to). Note that the TCP protocol is considered more secure, but slows down communications. UDP makes fewer checks and is therefore faster.
Validation type: Choose TLS as the type of validation to use for the VPN.
Local certificate: Use the drop-down menu to select the certificate you want (client1 will be used in this how-to).
Validation CA of the remote certificate: The remote office identified with a certificate must present the CA signature. Use the drop-down menu to select the CA certificate you want (ca will be used in this how-to).
Remote gateway Common Name: It is compulsory to enter the CN (Common Name) of gateway A, in this case, server. It can be obtained from the CN field of the server's .crt certificate.
Local IP: Enter the local private IP address (10.9.8.2 will be used for this how-to).
Remote IP: Enter the remote private IP address (10.9.8.1 will be used for this how-to).
Remote subnets: Enter local subnet A (the remote subnet from the gateway B point of view). The previously defined SSL remote subnet will be used for this how-to, which is 192.168.10.0/24.
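The static-key configuration in section 1.2 and the TLS configuration in section 1.3 are mirror images: every field entered on gateway A has a counterpart on gateway B, the SSL remote subnet on each side must be exactly the peer's LAN, and neither may overlap a subnet already used by another VPN. The Python script below is an added example, not Panda's code and not part of the original how-to. It models the console fields of both sections as a dataclass and checks a server/client pair for the mismatches that most often keep the tunnel from coming up: unmatched port or protocol, a wrong "Public IP of the server", tunnel Local/Remote IPs that are not swapped, overlapping subnets, differing static keys, and (for TLS) a Common Name that does not match the peer's certificate. The certificate CN values server and client1 and the other_vpn_subnets attribute are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class GatewayConfig:
    """One side of the gateway-to-gateway SSL VPN, as entered in the Remote offices form."""
    name: str
    mode: str                       # "server" (gateway A) or "client" (gateway B)
    local_subnet: str               # LAN behind this gateway, e.g. 192.168.10.0/24
    remote_subnets: List[str]       # the "ssl remote subnet" IP group defined under Definitions
    local_ip: str                   # tunnel endpoint on this side (Local IP field)
    remote_ip: str                  # tunnel endpoint on the peer (Remote IP field)
    port: int = 1194                # Server port
    protocol: str = "UDP"           # Protocol
    validation: str = "static"      # Validation type: "static" or "tls"
    static_key: Optional[str] = None
    external_ip: Optional[str] = None        # server only: External local IP (fixed)
    server_public_ip: Optional[str] = None   # client only: Public IP of the server
    cert_cn: Optional[str] = None            # TLS: CN of this gateway's local certificate (assumed)
    peer_cn: Optional[str] = None            # TLS: Common Name entered for the remote gateway
    ca_name: Optional[str] = None            # TLS: Validation CA of the remote certificate
    other_vpn_subnets: List[str] = field(default_factory=list)  # assumed: subnets used by other VPNs


def _overlaps(a: str, b: str) -> bool:
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def check_pair(server: GatewayConfig, client: GatewayConfig) -> List[str]:
    """Return a list of mismatches between the two sides; an empty list means they are consistent."""
    problems: List[str] = []
    if (server.mode, client.mode) != ("server", "client"):
        problems.append("one gateway must be in Server mode and the other in Client mode")
    if server.port != client.port or server.protocol != client.protocol:
        problems.append("server port / protocol differ between the gateways")
    if client.server_public_ip != server.external_ip:
        problems.append(f"client points at {client.server_public_ip} but the server listens on {server.external_ip}")
    # Tunnel endpoints must be mirrored: A's Remote IP is B's Local IP and vice versa.
    if server.local_ip != client.remote_ip or server.remote_ip != client.local_ip:
        problems.append("tunnel Local IP / Remote IP are not mirrored between the gateways")
    # Each side's SSL remote subnet must be the peer's LAN and must not overlap anything local.
    for side, peer in ((server, client), (client, server)):
        if peer.local_subnet not in side.remote_subnets:
            problems.append(f"{side.name}: remote subnets {side.remote_subnets} do not include peer LAN {peer.local_subnet}")
        for rs in side.remote_subnets:
            if _overlaps(rs, side.local_subnet):
                problems.append(f"{side.name}: remote subnet {rs} overlaps local subnet {side.local_subnet}")
            for other in side.other_vpn_subnets:
                if _overlaps(rs, other):
                    problems.append(f"{side.name}: remote subnet {rs} is already used by another VPN ({other})")
    if server.validation != client.validation:
        problems.append("validation type differs between the gateways")
    elif server.validation == "static":
        if not server.static_key or server.static_key != client.static_key:
            problems.append("static keys are missing or differ")
    elif server.validation == "tls":
        if server.peer_cn != client.cert_cn:
            problems.append(f"server expects CN {server.peer_cn!r} but the client certificate CN is {client.cert_cn!r}")
        if client.peer_cn != server.cert_cn:
            problems.append(f"client expects CN {client.peer_cn!r} but the server certificate CN is {server.cert_cn!r}")
        if server.ca_name != client.ca_name:
            problems.append("both sides must validate the peer against the same CA")
    return problems


# Constructed sample using the addresses from this how-to (TLS variant; CNs are assumed).
GATEWAY_A = GatewayConfig(
    name="gateway A", mode="server", local_subnet="192.168.10.0/24",
    remote_subnets=["192.168.20.0/24"], local_ip="10.9.8.1", remote_ip="10.9.8.2",
    validation="tls", external_ip="62.14.249.65",
    cert_cn="server", peer_cn="client1", ca_name="ca",
)
GATEWAY_B = GatewayConfig(
    name="gateway B", mode="client", local_subnet="192.168.20.0/24",
    remote_subnets=["192.168.10.0/24"], local_ip="10.9.8.2", remote_ip="10.9.8.1",
    validation="tls", server_public_ip="62.14.249.65",
    cert_cn="client1", peer_cn="server", ca_name="ca",
)

if __name__ == "__main__":
    for line in check_pair(GATEWAY_A, GATEWAY_B) or ["OK: gateway A and gateway B configurations are consistent"]:
        print(line)
```

Run the script as-is to verify the sample pair; to check your own deployment, fill in two GatewayConfig objects from the values shown in each console and act on every line check_pair returns before selecting the Active checkbox.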

1.4 Establishing a VPN connection

In order to initiate the SSL VPN between the two gateways, follow these instructions: select the Active checkbox on both gateways to enable the server and client side configurations, as shown in figures 4.11 and 4.12.

Figure 4.11

Figure 4.12

In order to disconnect, just unselect the Active checkbox on either side of the tunnel and then click on OK.

1.5 Further considerations

If Panda GateDefender Integra's firewall capabilities are used, then all the corresponding configuration rules of its firewall will be entered automatically. If there are routers or firewalls between the two gateways, the following port and protocol must be enabled for the SSL VPN to work properly:

Port / Protocol: 1194/UDP

If the SNAT option is enabled for the local network that takes part in the VPN in any of the GateDefender Integra configurations (static key or certificates), you need to add an SNAT rule with a higher priority than the existing rule. This rule should ensure that the source IP header change made by SNAT is not applied to the VPN traffic before the packets are routed to the tunnel. To do this, the Keep original address check box must be selected:

Figure 4.13

The example in the screenshot shows the rule to add to ensure that traffic from network 192.168.10.0 can be correctly routed through the VPN tunnel to the roadwarriors network 192.168.20.0.

1.6 Configuration checking

To check your SSL VPN configuration, please follow the procedure described below:

1. Access the Panda GateDefender Integra administration console.
2. Click on VPN in the panel on the left. Then select VPN Monitor, which will allow you to see the status of all established VPN connections (figure 4.14 shows the status of the gateway A monitor window).

Figure 4.14

Once the VPN tunnel has been established between the two gateways, the following test should be performed on each local VPN sub-network in order to reach the remote one. The command to run at the command prompt is:

ping -n 10 192.168.20.100

When running this command, it pings from a host that belongs to the gateway A VPN sub-network to a host that resides on the internal network behind VPN gateway B, and the host on the gateway A side should see the ICMP response messages.

Note that only those packets going from a local VPN subnet to a remote one, or vice versa, will be encrypted. This means that if you ping between a host that belongs to one of the gateways' internal VPN sub-networks and the external IP address of the other gateway, the traffic will not be encrypted at all, because the purpose of a gateway-to-gateway (or, as described above, subnet-to-subnet) VPN tunnel is to ensure privacy only between the two subnets.

Panda 2007 0707-PGDIHT04-03-EN
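The SNAT consideration in section 1.5 and the note above about which traffic is encrypted come down to the same question: what source and destination addresses a packet carries when it reaches the tunnel selector. The Python simulation below is an added example, not Panda's code and not part of the original how-to. It evaluates SNAT rules in priority order before routing, as the how-to describes, first with only a generic SNAT rule and then with the higher-priority "Keep original address" rule from section 1.5 in front of it, and then classifies each packet as entering the tunnel (encrypted) or being routed in the clear. The rule representation, the priority numbers and the address 203.0.113.7 standing in for gateway B's public IP are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SnatRule:
    """One SNAT rule as listed in the firewall; a lower priority number is evaluated first (constructed model)."""
    priority: int
    source: str                    # source network the rule matches
    destination: str               # destination network the rule matches ("0.0.0.0/0" = any)
    keep_original: bool            # True models the "Keep original address" check box
    nat_to: Optional[str] = None   # public address the source is rewritten to when NAT applies


def apply_snat(src: str, dst: str, rules: List[SnatRule]) -> str:
    """Return the source address the packet carries after SNAT; the first matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if s in ipaddress.ip_network(rule.source) and d in ipaddress.ip_network(rule.destination):
            return src if rule.keep_original else rule.nat_to
    return src  # no rule matched: source unchanged


def tunnel_path(src: str, dst: str, local_subnet: str, remote_subnet: str,
                rules: List[SnatRule]) -> Tuple[str, str]:
    """Apply SNAT before routing to the tunnel and classify the result.

    Returns ("encrypted", source) when the packet still matches local subnet -> remote subnet
    and therefore enters the tunnel, or ("clear", source) when it is routed outside the tunnel.
    """
    src_after = apply_snat(src, dst, rules)
    enters_tunnel = (ipaddress.ip_address(src_after) in ipaddress.ip_network(local_subnet)
                     and ipaddress.ip_address(dst) in ipaddress.ip_network(remote_subnet))
    return ("encrypted" if enters_tunnel else "clear", src_after)


LOCAL_SUBNET_A = "192.168.10.0/24"   # LAN behind gateway A (values from this how-to)
REMOTE_SUBNET_B = "192.168.20.0/24"  # LAN behind gateway B
PUBLIC_IP_A = "62.14.249.65"         # gateway A's external local IP
PUBLIC_IP_B = "203.0.113.7"          # constructed stand-in for gateway B's external IP

# Only the generic SNAT rule: VPN-bound traffic is rewritten before it reaches the tunnel.
SNAT_ONLY = [SnatRule(10, LOCAL_SUBNET_A, "0.0.0.0/0", False, PUBLIC_IP_A)]

# The fix from section 1.5: a higher-priority rule that keeps the original address for tunnel traffic.
SNAT_WITH_EXCLUSION = [SnatRule(5, LOCAL_SUBNET_A, REMOTE_SUBNET_B, True)] + SNAT_ONLY


if __name__ == "__main__":
    for label, rules in (("SNAT only", SNAT_ONLY), ("with Keep original address", SNAT_WITH_EXCLUSION)):
        state, src = tunnel_path("192.168.10.50", "192.168.20.100", LOCAL_SUBNET_A, REMOTE_SUBNET_B, rules)
        print(f"{label}: 192.168.10.50 -> 192.168.20.100 leaves with source {src}, {state}")
    # Pinging the peer's public IP never matches the tunnel selector, so it travels in the clear.
    state, src = tunnel_path("192.168.10.50", PUBLIC_IP_B, LOCAL_SUBNET_A, REMOTE_SUBNET_B, SNAT_WITH_EXCLUSION)
    print(f"ping to the peer's public IP {PUBLIC_IP_B}: source {src}, {state}")
```

The first run shows why the tunnel silently carries nothing when SNAT is left unqualified: the packet arrives at the selector with the public address as its source, no longer matches the local subnet, and is routed in the clear. The second run shows the same packet entering the tunnel once the keep-original rule sits in front, and the last call reproduces the note above about pings to a gateway's external address.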