
Creating IPSec VPNs with the OfficeConnect Cable/DSL Secure Gateway

This document describes in detail the steps needed to configure the OfficeConnect Cable/DSL Secure Gateway to interoperate with:
• OfficeConnect Cable/DSL Secure Gateway
• SuperStack 3 Firewall
• Safenet SoftPK VPN Client
• SSH Sentinel VPN Client
• 3Com Firewall VPN application (allows the XP VPN client to be used)

Configuring VPN tunnels should not be done until it has been ensured that both ends of the tunnel are correctly configured for Internet access (i.e. both sites can access the Internet).

Configuring a VPN tunnel between two OfficeConnect Cable/DSL Secure Gateways

Figure 1 – Two OfficeConnect Cable/DSL Secure Gateways connecting via the Internet (Gateway 1 / Network 1 – Internet – Gateway 2 / Network 2)

Configuring Gateway 1

Figure 2 – IPSec Connections on the OfficeConnect Cable/DSL Secure Gateway


1. Select the IPSec Server radio button. The screen will change to reflect this selection.
2. Click on the IPSec Connections tab at the top of the page.
3. Click on the New button on the right of the screen; a pop-up window will appear.

Figure 3 – Configuring an IPSec VPN on the OfficeConnect Cable/DSL Secure Gateway

4. Enter the WAN IP address of Gateway 2 in the connection name field. !This is important as it will ensure that the Gateway will work in the correct mode!
5. Enter a description of the Security Association to remind you what the connection is (up to 128 characters).
6. Select Gateway-to-Gateway as the Connection Type.
7. If the Gateway ID has not already been specified, enter the WAN IP address of the gateway as the ID. !This is important as it will ensure that the Gateway will work in the correct mode!
8. Enter the WAN IP address of Gateway 2 in the Remote IPSec Server Address field.
9. Enter the private network that you wish to reach through the VPN. This will be the first IP address of the network, e.g. 192.168.2.0.
10. Enter the Shared Secret that will be used to create the tunnel (up to 64 characters). Ideally this should be a long, un-memorable key to provide higher security.
11. Select either DES or 3DES as the encryption type.
12. Select either MD5 or SHA-1 as the hash algorithm.
13. Select either Diffie-Hellman Group 1 or Group 2 to use for exchanging keys.
14. Leave Perfect Forward Secrecy unchecked. (Perfect Forward Secrecy increases the security of the tunnel by changing keys for every message sent, but to ensure that the VPN tunnel is configured correctly it is recommended that this is left unchecked during the initial configuration; it may be checked later if required.)
Take note of all the settings in this configuration, as they will be required to configure the other end of the VPN tunnel (Gateway 2).
15. Click Apply.

Configuring Gateway 2

This configuration will be very similar to the Gateway 1 configuration.

1. Select the IPSec Server radio button. The screen will change to reflect this selection.
2. Click on the IPSec Connections tab at the top of the page.
3. Click on the New button on the right of the screen; a pop-up window will appear.
4. Enter the WAN IP address of Gateway 1 in the connection name field. !This is important as it will ensure that the Gateway will work in the correct mode!
5. Enter a description of the Security Association to remind you what the connection is (up to 128 characters).
6. Select Gateway-to-Gateway as the Connection Type.
7. If the Gateway ID has not already been specified, enter the WAN IP address of the gateway as the ID. !This is important as it will ensure that the Gateway will work in the correct mode!
8. Enter the WAN IP address of Gateway 1 in the Remote IPSec Server Address field.
9. Enter the private network that you wish to reach through the VPN. This will be the first IP address of the network.
10. Enter the Shared Secret that will be used to create the tunnel (up to 64 characters). This must be identical to the shared secret entered in Gateway 1.
11. Select either DES or 3DES as the encryption type. This must be identical to Gateway 1.
12. Select either MD5 or SHA-1 as the hash algorithm. This must be identical to Gateway 1.
13. Select either Diffie-Hellman Group 1 or Group 2 to use for exchanging keys. This must be identical to Gateway 1.
14. Leave Perfect Forward Secrecy unchecked. (Perfect Forward Secrecy increases the security of the tunnel by changing keys for every message sent, but to ensure that the VPN tunnel is configured correctly it is recommended that this is left unchecked during the initial configuration; it may be checked later if required.)
15. Click Apply.

Figure 4 – VPN configurations for both ends of a VPN tunnel

The VPN connection should now be configured. To test the tunnel, from the Start Menu select Run, type ping xxx.xxx.xxx.xxx (where xxx.xxx.xxx.xxx is a PC on the Remote Network that you are trying to access via the VPN, e.g. 192.168.1.1) and hit return. If the VPN tunnel has been successful then the IPSec connection screen will indicate that the VPN tunnel is active. If it is not active then refer to the Log on both units for information on why it has failed.

Configuring a VPN tunnel between the OfficeConnect Cable/DSL Secure Gateway and the SuperStack 3 Firewall

The configuration of the OfficeConnect Cable/DSL Secure Gateway is exactly the same as described above. The configuration on both sides of the tunnel must still contain identical information about encryption type, hash algorithm, shared secret and Diffie-Hellman Group.

Configuring the SuperStack 3 Firewall

Figure 5 – VPN Summary on SuperStack 3 Firewall

1. Click on the VPN tab.
2. If it is not already configured, enter the Unique Firewall Identifier. Ensure that this is the WAN IP address of the Firewall.
3. Click on the VPN Configure tab at the top of the screen.

Figure 6 – Configuring a VPN connection on a SuperStack 3 Firewall

4. Choose New SA from the Security Association pull-down menu. A pop-up window will appear.
5. Enter the WAN IP address of the OfficeConnect Cable/DSL Secure Gateway as the Connection Name.
6. Select IKE using pre-shared key from the IPSec Keying Mode pull-down menu.
7. Leave the Disable this SA checkbox unchecked.
8. Enter the WAN IP address of the OfficeConnect Cable/DSL Secure Gateway as the IPSec Gateway address.
9. Leave all checkboxes in the Security Policy section unchecked (SuperStack 3 only).
10. Set the SA lifetime to 600 seconds.
11. Enter the shared secret. This must be identical at both ends of the tunnel.
12. Select either Encrypt and Authenticate or Strong Encrypt and Authenticate.
13. Encrypt should be chosen when DES is required. Strong Encrypt should be chosen when 3DES is required.
14. Take note of the acronyms on the right of the pull-down menu. If MD5 was chosen as the hash algorithm on the OfficeConnect Cable/DSL Secure Gateway then either ESP DES HMAC MD5 or ESP 3DES HMAC MD5 will need to be chosen. If SHA-1 was chosen, then ESP DES HMAC SHA-1 or ESP 3DES HMAC SHA-1 should be chosen.
15. At the bottom of the screen select Add New Network. A pop-up window will appear.

Figure 7 – Specifying a remote network

16. Enter the private network address and subnet that you wish to connect to through the VPN tunnel. This will be the LAN of the OfficeConnect Cable/DSL Secure Gateway and can be found on the LAN settings page of the OfficeConnect Cable/DSL Secure Gateway Management interface.
17. Click on the Update button.
18. Click on the Update button on the main VPN Configure screen.
19. Restart the firewall as required.

The VPN is now configured and will automatically initiate when traffic is sent between the two private networks.
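The rule stated for both the gateway-to-gateway and the SuperStack 3 configurations above (encryption type, hash algorithm, shared secret and Diffie-Hellman group identical at both ends) is easy to break because the two products name the same choice differently. The checker below is an added example, not 3Com code: it normalises each end's settings as read from its own screen, lists what differs, and flags the weaker options the guide allows; the settings, thresholds and function names in it are constructed for illustration.

```python
"""Added example, not 3Com code: cross-check the two ends of an IKE/IPsec
pre-shared-key tunnel. Each end is typed in as it reads in its own UI; the
SuperStack 3 labels and the OfficeConnect choices are normalised so that a
mismatch is reported before the tunnel is tried. Settings are constructed."""
import re

PARAMS = ("encryption", "hash", "dh_group", "pfs", "shared_secret")

def canon(side: dict) -> dict:
    """Map one end's settings, typed as they appear in its UI, to canonical values."""
    # The SuperStack 3 pull-down carries cipher and hash in one label, so both
    # fields are scanned together; "3des" must be tested before "des".
    text = (side.get("encryption", "") + " " + side.get("hash", "")).lower()
    if "3des" in text or "strong encrypt" in text:
        cipher = "3DES"
    elif "des" in text or "encrypt" in text:
        cipher = "DES"
    else:
        cipher = "unknown"
    integ = "MD5" if "md5" in text else "SHA-1" if "sha" in text else "unknown"
    # "Diffie-Hellman Group 2", "MODP Group 2" and "2" all name the same group.
    m = re.search(r"(?<!\d)([12])(?!\d)", str(side.get("dh_group", "")))
    return {
        "encryption": cipher,
        "hash": integ,
        "dh_group": "DH" + m.group(1) if m else "unknown",
        "pfs": bool(side.get("pfs", False)),
        # Compared exactly: pre-shared keys are case sensitive.
        "shared_secret": side.get("shared_secret", ""),
        # 0 means this UI has no lifetime field (true of the OfficeConnect gateway).
        "lifetime_s": int(side.get("lifetime_s", 0)),
    }

def mismatches(a: dict, b: dict) -> list:
    """Names of the parameters that differ between two ends after normalisation."""
    ca, cb = canon(a), canon(b)
    diff = [k for k in PARAMS if ca[k] != cb[k]]
    if ca["lifetime_s"] and cb["lifetime_s"] and ca["lifetime_s"] != cb["lifetime_s"]:
        diff.append("lifetime_s")
    return diff

def weak_points(side: dict) -> list:
    """Choices the guide permits that are worth revisiting once the tunnel works;
    the thresholds are this example's own, not 3Com's."""
    c = canon(side)
    checks = [(c["encryption"] == "DES", "single DES (56-bit key)"),
              (c["hash"] == "MD5", "MD5 integrity"),
              (c["dh_group"] == "DH1", "DH group 1 (768-bit MODP)"),
              (not c["pfs"], "PFS disabled"),
              (len(c["shared_secret"]) < 20, "shared secret shorter than 20 characters")]
    return [note for hit, note in checks if hit]

# Constructed sample: the OfficeConnect gateway end and the SuperStack 3 end,
# transcribed from their screens (the hash was chosen differently on one side).
GATEWAY = {"encryption": "3DES", "hash": "MD5", "dh_group": "Diffie-Hellman Group 2",
           "pfs": False, "shared_secret": "example-psk-CHANGE-ME-1234567890"}
FIREWALL = {"encryption": "Strong Encrypt and Authenticate (ESP 3DES HMAC SHA-1)",
            "dh_group": "Group 2", "pfs": False, "lifetime_s": 600,
            "shared_secret": "example-psk-CHANGE-ME-1234567890"}

if __name__ == "__main__":
    print("mismatched:", mismatches(GATEWAY, FIREWALL))  # ['hash']
    print("review later:", weak_points(GATEWAY))
```

The same check applies unchanged to a VPN client end: type the client's proposal labels into the dictionary and compare it against the gateway.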

Configuring the OfficeConnect Cable/DSL Secure Gateway to connect with the SSH Sentinel VPN client or the Safenet Soft-PK VPN client

Figure 8 – PC running VPN client software and an OfficeConnect Secure Gateway connecting via the Internet (Gateway / Network – Internet – Cable or DSL modem – PC running VPN client software)

Configuring the Gateway

Figure 9 – Configuring a VPN client connection on the OfficeConnect Cable/DSL Secure Gateway

1. Click on the VPN tab on the left of the screen.
2. Enable IPSec VPN connections by selecting the IPSec radio button.
3. Click on the IPSec connections tab that appears on the top of the page.
4. Click on the New button to create a new Security Association.
Connection Name – enter the name by which the connection will be known; a good example of this is to make it the name of the user that will be connecting.
Description – add a description that will make the connection easily identifiable.
Connection Type – click on the Remote User Access radio button.
This Gateway's ID – the ID of the gateway should be entered here. This ID will be the same for all IPSec connections and must be the WAN IP address of the gateway.
Remote User ID – enter a username that the remote user will use to authenticate the connection. This must be the same on both ends of the VPN tunnel to allow connection.
Tunnel Shared Key – enter an alphanumeric string that will be used to authenticate the tunnel (up to 64 characters). This must be the same on both ends of the VPN tunnel to allow connection.
Encryption Type – select either DES or 3DES. 3DES will give a higher level of security but might reduce data throughput.
Exchange Keys Using – select either Diffie-Hellman Group 1 or 2. Group 2 will provide a higher level of security but might cause the initiation of a VPN tunnel to take slightly longer.
Perfect Forward Secrecy – leave unchecked. (Perfect Forward Secrecy increases the security of the tunnel by changing keys for every message sent, but to ensure that the VPN tunnel is configured correctly it is recommended that this is left unchecked during the initial configuration; it may be checked later if required.)

The OfficeConnect Cable/DSL Secure Gateway is now ready to accept a connection from a remote VPN client. Make a note of all information used in the configuration, as it will be required to configure the VPN client.

Configuring the SSH Sentinel VPN Client

Figure 10 – SSH Sentinel Policy Editor

1. Install the VPN client. During the installation you will be required to create a security certificate by moving the mouse pointer around a pop-up window; complete this and, once installation is complete, restart your PC.
2. Once the PC has restarted go to the Start Menu -> Programs -> SSH Sentinel -> Policy Editor. The policy editor window will appear on the screen.

3. Click on the Key Management tab at the top of the screen.
4. Under My Keys, double click on Add. A new pop-up window will appear.

Figure 11 – Configuring an Authentication Key

Figure 12 – Configuring a preshared key on the SSH Sentinel VPN client

5. Choose Create a preshared Key.
6. Give the key a descriptive name.
7. Enter exactly the same text as was entered in the Tunnel Shared Key in the OfficeConnect Cable/DSL Secure Gateway configuration.
8. Click OK. The key that was just created will appear in the menu list.
9. Click on the new key and choose Properties.

Figure 13 – Configuring a remote user ID

10. Click on the Identity tab at the top of the new pop-up window.
11. For both Local and Remote choose Administrator E-mail from the Primary Identifier pull-down menu.
12. Enter the Remote User ID that was entered in the OfficeConnect Cable/DSL Secure Gateway configuration in the blank field for both Local and Remote.
13. Click OK.
14. Click on the Security Policy tab at the top of the screen.
15. Click on VPN connection and then select Add…; a new pop-up window will appear.

Figure 14 – Configuring a new VPN connection

16. Click on the IP button on the top right of the screen.
17. Enter the WAN IP address of the OfficeConnect Cable/DSL Secure Gateway.
18. Click on the … button (directly below the IP button).
19. Click New.

Figure 15 – Adding a new remote network

20. Enter a descriptive name for the network in the Network Name field.
21. Enter the private network address and subnet mask that you wish to access through the VPN tunnel. This would normally be the Local Network behind the OfficeConnect Cable/DSL Secure Gateway.
22. Click OK.
23. Next, select the new key from the Authentication Key drop-down menu.
24. Check the Use legacy proposal checkbox.
25. Click Properties…

Figure 16 – General information about VPN connection

26. Ensure that the correct Authentication key is selected.
27. Click on the Settings button under IPSec/IKE Proposal; a new pop-up window will appear.

Figure 17 – Specific details of VPN connection

28. Select both an IKE and an IPSec proposal.
IKE Proposal
Encryption Algorithm – select either DES or 3DES. This MUST match what was selected for the OfficeConnect Cable/DSL Secure Gateway configuration.
Integrity Function – select either MD5 or SHA-1.
IKE Mode – select aggressive mode.
IKE group – select either MODP Group 1 or 2. This is the equivalent of the Diffie-Hellman group specified in the OfficeConnect Cable/DSL Secure Gateway. The same group must be configured at both ends of the tunnel.
IPSec Proposal
Encryption algorithm – select the same as specified for the IKE Proposal and the OfficeConnect Cable/DSL Secure Gateway.
Integrity Algorithm – if MD5 was selected in the IKE Proposal, select HMAC-MD5. If SHA-1 was selected in the IKE Proposal, select HMAC-SHA-1.
IPSec Mode – greyed out, as tunnel is the only option.
PFS Group – select none.
29. Click OK until the main Policy Editor screen is visible.
30. Click on Apply to save the VPN configuration.
31. To test the VPN connection, go to VPN Connection and highlight the newly configured VPN. Click the Diagnostics button in the bottom right of the screen. The VPN client will attempt to connect to the OfficeConnect Cable/DSL Secure Gateway and will give either a pass or fail. If the diagnostics pass then the tunnel is configured correctly. If there is a failure, check that both the VPN client and OfficeConnect Cable/DSL Secure Gateway configurations are correct.
32. Click on the Apply button to save the configuration.

The VPN connection should now be configured.

To initiate a VPN tunnel using the SSH Sentinel VPN Client: right click on the Sentinel icon in the System tray at the bottom right of the screen (blue square with three smaller white squares inside). Choose Select VPN. Highlight the VPN that you wish to initiate and click the left mouse button. The VPN will then connect.

To disconnect a VPN tunnel using the SSH Sentinel VPN Client: right click on the Sentinel icon in the System tray at the bottom right of the screen (blue square with three smaller white squares inside). Choose Select VPN. Highlight the VPN that you wish to disconnect and click the left mouse button. The VPN will then disconnect.

Configuring the Safenet SoftPK VPN Client

Launching the VPN Client
1 To launch the VPN client, select SafeNet Soft-PK from the Windows Start menu and select Security Policy Editor.
2 Select New Connection in the File menu at the top of the Security Policy Editor window. The security policy may be renamed by highlighting New Connection in the Network Security Policy box and typing the desired security policy name.

Figure 18 – Safenet SoftPK VPN Client

Configuring Connection Security and Remote Identity
1 Select Secure in the Connection Security box on the right side of the Security Policy Editor window.
2 Select IP Subnet in the ID Type menu.
3 Type the Gateway LAN Network Address in the field immediately below ID Type.
4 Type the LAN Subnet Mask in the Port field.
5 Select All in the Protocol field to permit all IP traffic through the VPN tunnel.
6 Check the Connect using Secure Gateway Tunnel checkbox.
7 Select IP Address in the ID Type menu at the bottom of the Security Policy Editor window.
8 Enter the Remote Gateway WAN IP Address in the IP Address field.
Information such as the Gateway LAN Network Address, Subnet Mask and WAN IP Address can be found by looking at the LAN Settings and Internet Settings pages of the Secure Gateway Web GUI.

Figure 19 – Configuring a VPN connection

Configuring VPN Client Security Policy
1 Click New Connection in the Network Security Policy box on the left side of the Security Policy Editor window. My Identity and Security Policy should appear below New Connection.
2 Click Security Policy in the Network Security Policy box. A window similar to Figure 10 will be displayed.
3 Select Aggressive Mode in the Select Phase 1 Negotiation Mode box.
4 Leave the Enable Perfect Forward Secrecy (PFS) checkbox unchecked.
5 Check the Enable Replay Detection checkbox.

Figure 20 – Configuring authentication for VPN tunnel

Configuring the VPN Client Identity
1 Click My Identity in the Network Security Policy box on the left side of the Security Policy Editor window. A window similar to Figure 11 appears.
2 Choose None in the Select Certificate menu on the right side of the VPN client window.
3 Select E-Mail Address in the ID Type menu.
4 Type the Remote User ID (as specified in the Secure Gateway) in the field below the ID Type menu. Note that this field is case sensitive.
5 Select PPP Adapter in the Name menu if you have a dial-up Internet account. Select your Ethernet adapter if you have a dedicated Cable, ISDN or DSL line.
6 Click the Pre-Shared Key button.
7 Click the Enter Key button in the Pre-Shared Key dialog box. Then enter the Gateway's Shared Secret in the Pre-Shared Key field and click OK.

Figure 21 – Entering a preshared key

Figure 22 – Configuring the authentication encryption level of the VPN connection

Configuring VPN Client Authentication Proposal
1 Double click Security Policy in the Network Security Policy box to display Authentication and Key Exchange.
2 Double click Authentication. Then select Proposal 1 below Authentication.
3 Select Pre-Shared Key in the Authentication Method menu.
4 Select DES or 3DES in the Encrypt Alg menu, depending which encryption method you chose in the Gateway Security Association.
5 Select MD5 or SHA-1 in the Hash Alg menu. This must be identical to what is entered in the Gateway.
6 Select Seconds in the SA Life menu and enter 600.
7 Select Diffie-Hellman Group 1 or Group 2 in the Key Group menu. This must be identical to what is entered in the Gateway.

Figure 23 – Configuring the data encryption level of the VPN connection

Configuring VPN Client Key Exchange Proposal
1 Double click Key Exchange in the Network Security Policy box. Then select Proposal 1 below Key Exchange.
2 Select Seconds and specify 600 in the SA Life menu.
3 Select None in the Compression menu.
4 Check the Encapsulation Protocol (ESP) checkbox.
5 Select DES or 3DES in the Encrypt Alg menu, depending which encryption method you chose in the Gateway VPN configuration.
6 Select MD5 or SHA-1 in the Hash Alg menu. This must be identical to what is entered in the Gateway.
7 Select Tunnel in the Encapsulation Method menu.
8 Leave the Authentication Protocol (AH) checkbox unchecked.

Now save all your changes. You have now set up the VPN Tunnel.

After completing the VPN client configuration, the Administrator may securely manage the remote Gateway by entering the Gateway LAN IP Address in a browser on the computer running the VPN client software. The Gateway VPN Client may also access remote resources by locating servers or workstations by their remote IP addresses.

Configuring the OfficeConnect Cable/DSL Secure Gateway to connect with the 3Com Firewall VPN client application for Windows XP

To configure the OfficeConnect Cable/DSL Secure Gateway to connect with the 3Com Firewall VPN client for Windows XP, the same configuration steps must be taken as for a Gateway-to-Gateway connection as described in "Configuring a VPN tunnel between two OfficeConnect Cable/DSL Secure Gateways" above. The IP address of the XP machine must be known to enable this connection; therefore this solution is not recommended for remote connections that have a dynamic IP address. If connecting from a dynamic IP address using an XP machine, use the SSH Sentinel VPN client.

Configuring the 3Com Firewall VPN client application for Windows XP

Install the application (3cxpvpn.exe can be downloaded from www.3com.com). Once installed, launch the application from the Start Menu by selecting Programs -> 3Com -> 3Com Firewall VPN. The application will then launch.

Figure 24 – 3Com Windows XP VPN client

Click on the Show Configuration button.

Figure 25 – Details of VPN connection

Enter the WAN IP address of the Secure Gateway in the Firewall IP address field.
Select Network Address and Mask from the pull-down menu under Private LAN IP.
Enter the LAN network address and subnet mask. This information can be found on the LAN settings page of the OfficeConnect Cable/DSL Secure Gateway Web Interface.
Select either DES or 3DES from the pull-down menu for encryption type. This must be the same as is specified on the OfficeConnect Cable/DSL Secure Gateway VPN configuration.
Select either MD5 or SHA-1 from the pull-down menu as the Authentication type. This must be the same as is specified on the OfficeConnect Cable/DSL Secure Gateway VPN configuration.
Enter 600 as the SA Lifetime.
Enter the Shared Secret as specified in the OfficeConnect Cable/DSL Secure Gateway VPN configuration. This will appear in clear text and so will not be visible.
Once you are sure that the configuration is correct, click on the Save button. A pop-up window will appear asking for a local password. Select a password and click OK. This is to ensure that only authorised users can access the VPN.

To connect to the remote network through the VPN tunnel you must first enable the configuration that has been saved. Launch the 3Com Firewall VPN client application. Enter the password in the empty field and click Connect. The next time you try to connect to the remote network the VPN tunnel will automatically be initiated.