GB-OS - TotemGuard Software para departamentos TI y ... GTA VPN Option Guide Setup Setup This chapter explains configuration steps for an IPSec VPN on both the firewall and a client

GB-OSVPN Gateway & GTA Mobile VPN Client

Version 3.11

Option Guidefor GB-OS 4.0

VPNOG200608-01

ii GTA VPN Option Guide Contents

ContentsIntroductIon 1

WhatisaVPn? …………………………………………………………………………………………………………………………… 1AboutIPSecVPnonGtAFirewalls …………………………………………………………………………………………………… 1

The VPN Gateway (Firewall) Component …………………………………………………………………………………………… 2Features ……………………………………………………………………………………………………………………………… 2

The Client Component ………………………………………………………………………………………………………………… 2Features ……………………………………………………………………………………………………………………………… 2Minimum Requirements …………………………………………………………………………………………………………… 3

InstallationSupport ……………………………………………………………………………………………………………………… 3Support Options ………………………………………………………………………………………………………………………… 3

documentation …………………………………………………………………………………………………………………………… 3Additional Documentation …………………………………………………………………………………………………………… 3

SetuP 4ontheGtAFirewall(VPnGateway)…………………………………………………………………………………………………… 4

Entering Feature Codes ……………………………………………………………………………………………………………… 4Running the VPN Setup Wizard ……………………………………………………………………………………………………… 5

Configuring Gateway to Gateway Connections ………………………………………………………………………………… 6Configuring Gateway to GTA Mobile VPN Client Connections ………………………………………………………………… 9

Configuring a VPN Connection Manually …………………………………………………………………………………………… 12Creating VPN Configuration Objects ……………………………………………………………………………………………… 12Selecting the IPSec Key Mode …………………………………………………………………………………………………… 12Creating the VPN Connection ……………………………………………………………………………………………………… 13Configuring a Custom VPN Object ………………………………………………………………………………………………… 17Configuring a Custom Encryption Object ………………………………………………………………………………………… 18Configuring VPN Policies …………………………………………………………………………………………………………… 20

Creating Authorization ………………………………………………………………………………………………………………… 21Creating Groups ……………………………………………………………………………………………………………………… 21Creating Users ……………………………………………………………………………………………………………………… 22

ontheclientcomputer(GtAMobileVPnclient)…………………………………………………………………………………… 23Installing the GTA Mobile VPN Client ………………………………………………………………………………………………… 23Activating the GTA Mobile VPN Client ……………………………………………………………………………………………… 23Configuring the VPN Client Software ………………………………………………………………………………………………… 26

Running the Configuration Wizard ………………………………………………………………………………………………… 26Manually Configuring the GTA Mobile VPN Client ……………………………………………………………………………… 28Entering Preferences (Parameters) ……………………………………………………………………………………………… 28Configuring Phase I (IKE) …………………………………………………………………………………………………………… 28Configuring Phase II (IPSec) ……………………………………………………………………………………………………… 30

Starting and Stopping VPN Client Connections …………………………………………………………………………………… 31

AdVAncedSetuP 32Advanced Phase 1 Configuration ……………………………………………………………………………………………………… 32Advanced Phase 2 Configuration ……………………………………………………………………………………………………… 33HiddenMode ……………………………………………………………………………………………………………………………… 34uSBdriveMode…………………………………………………………………………………………………………………………… 35Preferences………………………………………………………………………………………………………………………………… 36

Startup Modes ………………………………………………………………………………………………………………………… 36Miscellaneous ………………………………………………………………………………………………………………………… 36

Console and Configuration Tools ……………………………………………………………………………………………………… 37Configuration Management …………………………………………………………………………………………………………… 37Console / Logs ………………………………………………………………………………………………………………………… 37

reFerenceA:GtAMoBIleVPnclIentuSerInterFAce 40Menuoverview …………………………………………………………………………………………………………………………… 40

File ……………………………………………………………………………………………………………………………………… 40VPN Configuration ……………………………………………………………………………………………………………………… 41Tools ……………………………………………………………………………………………………………………………………… 41? (Help) ………………………………………………………………………………………………………………………………… 41Left Hand Menu Icons ………………………………………………………………………………………………………………… 41

Configuration Menu Tree………………………………………………………………………………………………………………… 42StatusBar…………………………………………………………………………………………………………………………………… 42Systemtray………………………………………………………………………………………………………………………………… 42

reFerenceB:VPnconcePtS 44elementsofIPSecVPnSecurity ……………………………………………………………………………………………………… 44

iiiGTA VPN Option Guide Contents

Verifying Authorization ………………………………………………………………………………………………………………… 45Verifying Data Integrity ………………………………………………………………………………………………………………… 45Ensuring Data Privacy ………………………………………………………………………………………………………………… 46

PacketStructure:IPSecVPn …………………………………………………………………………………………………………… 46GTA Firewall VPN Packet Processing ………………………………………………………………………………………………… 47

reFerencec:exAMPleVPnconFIGurAtIonS 48Client to Gateway: Dynamic/Static IP Addresses & IKE …………………………………………………………………………… 48Client to Gateway: Dynamic IP Addresses & IKE …………………………………………………………………………………… 52Gateway to Gateway: Dynamic/Static IP Addresses & IKE ……………………………………………………………………… 57Gateway to Gateway: Static/Static IP Addresses & IKE …………………………………………………………………………… 59Gateway to Gateway: Static/Static IP Addresses and Manual Key Exchange ………………………………………………… 61

reFerenced:trouBleSHootInG 64ontheGtAFirewall ……………………………………………………………………………………………………………………… 64

FAQ ……………………………………………………………………………………………………………………………………… 64Mobile VPN clients cannot connect to the firewall. Why? ……………………………………………………………………… 64

Log Messages ………………………………………………………………………………………………………………………… 64Security Associations………………………………………………………………………………………………………………… 65Mobile Client VPN Authentication and Connection ……………………………………………………………………………… 65

ontheGtAMobileVPnclient ………………………………………………………………………………………………………… 65FAQ ……………………………………………………………………………………………………………………………………… 65

My GTA Mobile VPN Client says it is in a 30-day evaluation mode. …………………………………………………………… 65I receive an error when trying to activate the GTA Mobile VPN Client. Why? ………………………………………………… 66My Internet connection does not work when I return to the office. …………………………………………………………… 67Why won’t the GTA Mobile VPN Client start a VPN on Windows XP? ………………………………………………………… 67Can I use an address range for my Address Type when configuring Phase 1 settings? …………………………………… 67When should I set NAT-T to Forced when configuring advanced Phase 1 settings? ………………………………………… 67Why would I disable NAT-T when configuring advanced Phase 1 settings? ………………………………………………… 67

Log Messages ………………………………………………………………………………………………………………………… 68Incorrect Remote Gateway ………………………………………………………………………………………………………… 68Incorrect Pre-shared Key …………………………………………………………………………………………………………… 68Incorrect Local ID Value …………………………………………………………………………………………………………… 68Incorrect Local ID Type ……………………………………………………………………………………………………………… 68Incorrect Remote ID Value ………………………………………………………………………………………………………… 68Incorrect Remote ID Type …………………………………………………………………………………………………………… 69Incorrect Phase I Settings…………………………………………………………………………………………………………… 69Incorrect Phase II Settings ………………………………………………………………………………………………………… 69Incorrect Phase II Authentication Settings ………………………………………………………………………………………… 69Incorrect Phase II Key Group Settings …………………………………………………………………………………………… 70Incorrect Filter Configuration ……………………………………………………………………………………………………… 70

�GTA VPN Option Guide Introduction

I n t r o d u c t i o n

W h a t i s a V P n ?A VPN is a Virtual Private Network.

• What makes it private? You can access resources on your network as if you were a second private network attached to the private (trusted) part of your network.

• What makes it virtual? You’re not really accessing your private network from the private network: you’re accessing it from a public or other untrusted network, such as the Internet. A combination of authentication, encryption and tunneling technologies are used to make sure that your data is transmitted securely, so you can trust your connection as if you would trust your normal private network connection.

VPN connections provide a way to access your protected data from an insecure location, all without compromising your network security.

VPNs vs. Standard NAT TunnelsStandard NAT tunnels can provide external access to your internal network. So why use a VPN?

VPNs provide more secure access than standard NAT tunnels. VPN tunnels provide methods to assure authorization, data integrity and privacy. As a result, VPN tunnels can secure even connections that normally do not provide encryption, authorization or integrity checking on their own.

Standard tunnels do not provide these VPN safety mechanisms!

VPNs are an ideal secure network solution for employees that travel or work from home. They also can serve to securely connect branch offices to a main office or data center.

GTA firewalls support the IPSec VPN standard; this provides interoperability with many third-party VPN products. IPSec VPNs can use a defined combination of authentication keys, anti-tampering hashes, data encryption and IP packet encapsulation to ensure the identity, integrity, and privacy of your data transfers over public, untrusted networks. For more information, see Elements of IPSec VPN Security.

A b o u t I P S e c V P n o n G tA F i r e w a l l sGTA firewalls provide IPSec controls for both mobile client (commuter-to-office) and gateway-to-gateway (office-to-office) VPN connections.

GTA firewall VPNs are a security gateway version of the IPSec standard; the GTA Mobile VPN Client provides the host version. For specific information on the GTA implementations of the IPSec standard, see Elements of IPSec VPN Security.

� GTA VPN Option Guide Introduction

t h e V P n G a t e w a y ( F i r e w a l l ) c o m p o n e n tGTA firewalls can function as VPN gateways, handling authentication and encryption for VPN tunnels.

The VPN gateway is configured on the firewall directly using the web administrative interface. VPN configurations are created in Configuration>VPN>IPSec Tunnels, and bound to an incoming authorization channel in either Configuration>Accounts>Users and Configuration>Accounts>Groups (for mobile VPN clients or a second VPN gateway with a dynamic IP address) or Configuration>VPN>IPSec Tunnels (where both VPN gateways have a static IP address).

GTA firewalls can interoperate with either another GTA firewall (for office-to-office VPNs) or a mobile VPN client (for commuter-to-office VPNs).

Because GTA firewalls support the IPSec VPN standard, GTA firewall VPNs are also interoperable with third-party products that also support the IPSec VPN standard. For information on creating a VPN between a GTA firewall and another VPN gateway, see additional documentation located on GTA’s web site (http://gta.com/support/documents/).

Features

• NAT traversal

• Easy application of security policies

• Easy creation and revision of VPNs using VPN configuration objects

• Quickly enable and disable VPN authorizations

• AES-��8, AES-�9� and AES-�56, 3DES, DES and Blowfish methods for confidentiality

• MD5, SHA-� and SHA-� one-way hash methods for data integrity

• Up to 4,096-bit Diffie-Hellman keys for authenticity

t h e c l i e n t c o m p o n e n tWith the GTA Mobile VPN Client option, GTA firewalls can also provide VPN protection to travelling employees or employees working from home.

Your mobile VPN client software is installed on the client computer. It serves to locally perform the authentication, encryption and other services that would normally be performed by a second VPN gateway. Mobile VPN client software negotiates the connection with your GTA firewall VPN gateway.

The GTA Mobile VPN Client is Microsoft® Windows®-compatible VPN software.

Features

• NAT traversal

• Easy VPN setup

• Client-to-client and client-to-gateway VPNs

• Compatible with most versions of Microsoft® Windows®

• DES, 3DES, and AES encryption methods for confidentiality

• MD5 and SHA-� one-way hash methods for data integrity

• Up to �,048-bit Diffie-Hellman keys for authenticity

• USB mode allows easy start/stop of VPN with insertion/removal of a USB drive

• VPN DNS configuration

• Redundant gateway

http://gta.com/support/documents/

3GTA VPN Option Guide Introduction

Minimumrequirements

• Microsoft® Windows® 98, Me, NT 4 (Service Pack 6 or greater), �000, XP

• Intel® Pentium® class or greater processor

• �0 MB unused hard disk space

• ��8 MB RAM

• 56K dial-up modem, wireless (WiFi), Ethernet or other compatible network card

I n s t a l l a t i o n S u p p o r tInstallation (“up and running”) support is available to registered users. See GTA’s website for more information. If you need installation assistance, be sure to register your product and then contact the GTA Technical Support team by email at [email protected]. Please include your serial number and a brief description of the problem in the body of the email.

S u p p o r t o p t i o n sIf you need support for GTA Products, a variety of support contracts are available. Contact GTA Sales staff by email at [email protected] for more information. Contracts range from support by the incident to full coverage for a year. Other assistance is available through the GNAT Box Mailing List or an authorized GTA Channel Partner.

d o c u m e n t a t i o nA few conventions are used throughout this guide to help you recognize specific elements of the text. If you are viewing this guide in PDF format, color variations may also be used to emphasize notes, warnings and new sections.

Bold Italics Emphasis

Italics Publications

Blue Underline Clickable hyperlink (email address, web site or in-PDF link)

Small CapS On-screen field namesMonospace Font On-screen text

Condensed Bold On-screen menus, menu items

BoldSMAllcAPS On-screen buttons, links

A d d i t i o n a l d o c u m e n t a t i o nFor instructions on installation, registration and setup of a GTA Firewall, see your GTA Firewall’s Product Guide. For optional features, see the appropriate Feature Guide. Manuals and other documentation can be found on the GTA website (www.gta.com).

Documents on the website are either in plain text (*.txt) or Portable Document Format (*.pdf), which requires Adobe Acrobat Reader 5.0 or greater. A free copy of the program can be obtained from Adobe at www.adobe.com.

mailto: [email protected]

mailto: [email protected]

http://www.gta.com

http://www.adobe.com

4 GTA VPN Option Guide Setup

S e t u p

This chapter explains configuration steps for an IPSec VPN on both the firewall and a client computer. It also provides a worksheet to help with initial configuration.

Each GTA firewall VPN requires a minimum of two points: an initiator and a responder. The responder must be a GTA firewall, while the initiator can be either a second VPN gateway or a GTA Mobile VPN client.

GTA firewall VPN setup requires configuration of both:

• GTA firewall

• GTA Mobile VPN Client or a second VPN gateway (e.g. GTA firewall)

Setup times will vary according to your VPN components, but can be completed in as little as �5 minutes.

Instructions for VPN setup with Macintosh computers, third party firewalls and non-IPSec VPNs are available at the GTA web site (http://gta.com/support/documents/).

For more information on IPSec VPNs, see Elements of IPSec VPN Security.

o n t h e G tA F i r e w a l l ( V P n G a t e w a y )GB-OS includes a VPN Wizard, which is designed to help configure a simple Virtual Private Network (VPN) quickly and easily. When setting up a VPN connections, consider using the VPN Wizard.

Feature activation codes are required to be entered into the GTA firewall if optional VPN features have been purchased, before using the VPN Wizard or if the VPN connection is defined manually.

E n t e r i n g F e a t u r e C o d e sWhen a VPN option or GTA Mobile VPN Client licenses package has been purchased, feature acti-vation codes are required for client-to-gateway VPNs. If you have purchased a mobile VPN client license package, navigate to Configuration>System>Activation Codes enter its feature activation code. Click SAVe.

The feature activation code necessary for activation can be retrieved from the GTA Support Center (https://www.gta.com/support/center/). Once logged in, click on View Products and select your firewall’s serial number. Your feature activation code will be displayed.

If a gateway-to-gateway VPN is not a standard feature of your firewall, and you have purchased a VPN option, also enter the VPN option’s feature activation code and click SAVe.

NoteFeature activation codes for gateway-to-gateway VPNs are required only for GTA firewalls that are not sold with VPN as a standard feature. See your firewall’s specifications for more information.

http://gta.com/support/documents/

https://www.gta.com/support/center/

5GTA VPN Option Guide Setup

R u n n i n g t h e V P N S e t u p W i z a r dThe VPN Setup Wizard is designed to help configure a simple Virtual Private Network (VPN) quickly and easily. The wizard will automatically create security policies to accept connections using the ESP (protocol 50) and UDP (ports 500 and 4500) protocols. These automatic policies can be turned off in the Configuration>VPN>IPSec Tunnels screen under the advanCed tab.

NoteAll connections through the VPN are controlled by VPN policies, located at Configuration>Security Policies>Policy Editor>VPN Policies.

To run the VPN Wizard, navigate to Wizards>VPN Setup. Before running the wizard, it may be helpful to print out the following worksheet:

Table 2.1: VPN Wizard Worksheet

Field Description Value

Local Network

Gateway Select the logical interface that acts as the gateway to the local network. Typically, this will be the external interface.

Network Select the address object of the configured network you wish to be able to connect to using the VPN. Select <USER DEFINED> to enter the local network’s IP address manually.

. . .

Identity Enter the identity for the local network. The identity should be a fully qualified domain name or email address. This field is only required if the local network is behind a dynamic IP address.

Remote Network

Gateway Type (circle one)

Select the type of the remote network’s gateway. This field is only required if the local network is behind a dynamic IP address.

dynamiC

StatiC

User Name Enter the user name for that will be used to connect to the remote network. This field is only required if the local network is behind a dynamic IP address.

Identity Enter the identity for the remote network. This field is only required if the local network is behind a dynamic IP address.

Group The user group that will be connecting to the remote network.

IP Address / Identity If the remote network’s gateway is Static, enter its IP address. If the gateway is dynamic, enter an IP address, email address or valid DNS resolvable host name to asso-ciate the remote gateway with a pre-shared secret key.

Network The destination IP address of that network that resides behind the remote firewall. Select <USER DEFINED> to enter the IP address manually.

. . .

Pre-shared Secret

Pre-shared Secret Format (circle one)

The format of the pre-shared secret to be used by the VPN.

ASCII

Hex

Pre-shared Secret The pre-shared secret to be used by the VPN. This same secret needs to be entered in the GTA Mobile VPN Client when configuring the security policy. This field is case sensitive.


Configuring Gateway to Gateway Connections

The first screen of the wizard will prompt you to enter a brief description of the VPN. For example, Orlando to New York.

Click the Next Arrow to continue.

Figure 2.1: Entering the VPN’s Description

Once a description has been entered, it will then be necessary to define the local network that will be establishing the VPN. For the local network’s Gateway, select the logical interface assigned to the external network. In most cases, this will be <EXTERNAL>.

For the network, select the local network that is to be accessible via the VPN. If the desired local network is not listed, you may define it manually be selecting <USER DEFINED> and entering the network’s IP address in the corresponding field.

If the selected Gateway is dynamic, enter the identity to be used. The identity should be a fully qualified domain name or email address.


Figure 2.2: Defining the Local Network (Static Gateway)

Figure 2.3: Defining the Local Network (Dynamic Gateway)

�GTA VPN Option Guide Setup

To define the remote network that the VPN will be connecting to, it is necessary to select the nature of the IP address of the external network’s Gateway.

If it is a static (fixed) IP address, select the StatiC radio button and enter the gateway’s IP address in the network field.

If the remote gateway is dynamiC, enter an IP address, email address or valid DNS resolvable host name in the USer name and identity fields to associate the remote gateway with a pre-shared secret key. The Group field defaults to Firewalls, which sets the appropriate VPN settings for the connec-tion.


Figure 2.4: Defining the Remote Network (Static Gateway)

Figure 2.5: Defining the Remote Network (Dynamic Gateway)


A pre-shared secret is used to ensure a secure, trusted connection between host computers and the internal network. When configuring GTA Mobile VPN Clients for connection to the VPN, the pre-shared secret must match the pre-shared secret defined in this step in order to establish a connection.

Select the character set that the pre-shared secret will be defined with; ASCII or HEX (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F). Enter the pre-shared secret in the corresponding field. The pre-Shared SeCret field is case sensitive.


Figure 2.6: Entering the Pre-shared Secret

The final screen of the VPN Setup Wizard is a summary view of all entered settings. Please review the VPN’s setup prior to committing the displayed configuration. To make changes to your basic setup, select the BAck button to return to the appropriate screen.

Click the SAve icon to save the displayed configuration, or select the cANcel icon to abort.

Figure 2.7: Reviewing the VPN’s Setup

9GTA VPN Option Guide Setup

Configuring Gateway to GTA Mobile VPN Client Connections

To allow users to connect to the GTA firewall’s protected networks remotely using the GTA Mobile VPN Client, the GTA firewall’s external gateway must have a static IP address. That is, it cannot obtain its IP address using DHCP or PPP.

NoteThe VPN Setup Wizard will only configure the GTA firewall to allow connections from the GTA Mobile VPN Client. For instructions on configuring the GTA Mobile VPN Client to connect to the GTA firewall, please refer to the GB-OS VPN Gateway & GTA Mobile VPN Client Option Guide.

To run the VPN Setup Wizard, navigate to Wizards>VPN Setup.

The first screen of the wizard will prompt you to enter a brief description of the nature of the VPN. For example, Mobile VPN Connections.


Figure 2.8: Entering the VPN’s Description

Once a description has been entered, it will then be necessary to define the local network that will be accessible to users using the GTA Mobile VPN Client. For the local network’s Gateway, select the logical interface assigned to the external network. In most cases, this will be <EXTERNAL>.

For the network, select the local network that is to be accessible via the VPN. If the desired local network is not listed, you may define it manually be selecting <USER DEFINED> and entering the network’s IP address in the corresponding field.

Figure 2.9: Defining the Local Network (Static Gateway)

�0 GTA VPN Option Guide Setup

To define the remote network, where the Mobile VPN Client will be connecting from, set the Gateway type to dynamiC.

Enter the Mobile VPN Client’s USer name and identity in the appropriate fields. The identity must be in the form of an email address. Set the GroUp to <Users>. For the network, enter the IP address the GTA Mobile VPN Client should use.


Figure 2.10: Defining the Remote Network for GTA Mobile VPN Client Connections

A pre-shared secret is used to ensure a secure, trusted connection between host computers and the internal network. When configuring GTA Mobile VPN Clients for connection to the VPN, the pre-shared secret must match the pre-shared secret defined in this step in order to establish a connection.

Select the character set that the pre-shared secret will be defined with; ASCII or HEX (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F). Enter the pre-shared secret in the corresponding field. The pre-Shared SeCret field is case sensitive.


Figure 2.11: Entering the Pre-shared Secret

��GTA VPN Option Guide Setup

The final screen of the VPN Setup Wizard is a summary view of all entered settings. Please review the VPN’s setup prior to committing the displayed configuration. To make changes to your basic setup, select the BAck button to return to the appropriate screen.

Click the SAve icon to save the displayed configuration, or select the cANcel icon to abort.

Figure 2.12: Reviewing the VPN’s Setup

�� GTA VPN Option Guide Setup

C o n f i g u r i n g a V P N C o n n e c t i o n M a n u a l l yTo manually configure an IPSec VPN with a GTA firewall, six firewall aspects must be configured in order:

�. Feature activation codes

�. IPSec Tunnels

3. VPN objects (optional)

4. Encryption objects (optional)

5. VPN or GTA Mobile VPN Client authorization

6. VPN Policies (located at Configuration>Security Policies>Policy Editor>VPN Policies) (optional)

Additionally, the second VPN gateway (GTA firewall or third-party VPN gateway) or mobile VPN client must be configured to reflect the same settings.

Creating VPN Configuration Objects

VPN objects determine how incoming VPN connections will be negotiated by defining what client or VPN gateway initiation behavior should be acceptable by your GTA firewall.

Defaul t VPN Objects

By default, GB-OS has two VPN objects:

Standard Dynamic

Standard Static

Which VPN Object Should I Use?

Depending on whether your GTA firewall has a static or dynamic (DHCP/PPP) IP address, different VPN objects will be used.

If both VPN gateways have static IP addresses:

Each will use the Standard StatiC VPN object.

If an initiating VPN gateway (or mobile VPN client) has a dynamic IP address:

The dynamically addressed initiator will use the Standard dynamiC VPN object.

Selecting the IPSec Key Mode

Key exchange, essential to authentication during IPSec VPN construction, can be accomplished either automatically using IKE or manually.

Using IKE (automatic key exchange), Phase I of the connnection establishes an IKE security association (SA) that is later used to securely create an IPSec SA; it negotiates the VPN terms and authorizes the peer. Phase II establishes SAs for IPSec, providing source authentication, integrity and confidentiality.

Using manual key exhange, Phase I settings will be ignored by the GTA firewall.

•

•

�3GTA VPN Option Guide Setup

Creating the VPN Connection

Presuming that you use the default VPN objects, navigate to Configuration>VPN>IPSec Tunnels.

Creat ing a VPN Connect ion us ing IKE IPSec Key Mode

Select the VPN object to be used for dynamic incoming connections from the dynamiC inCominG ConneCtionS pulldown. The default VPN object is Standard Dynamic.

Under the AdvANced tab, ensure the Automatic Policies checkbox is enabled. This option will automatically configure the necessary VPN policies to allow ESP protocol 50/UDP ports 500 and 4500 on the configured VPN. To create more restrictive VPN policies, navigate to Configuration>Security Policies>Policy Editor>VPN Policies.

Select New to create a new IPSec Tunnel.

Select the ipSeC key mode. For this example, select Ike (automatic key mode) To create a Manual VPN, see Creating a VPN Using Manual IPSec Key Mode.

Complete the VPN settings fields as described on the following page:

�.

�.

3.

4.

5.


Table 2.3: Creating a VPN Using IKE IPSec Key Mode

Field Description

Disable Check to disable all access for the configured IPSec tunnel.

Description A description of the IPSec Tunnel.

IPSec Key Mode IKE (automatic key exchange)

VPN Object A selection for the VPN object used to define this VPN. See Which VPN Object Should I Use? for more information.

Pre-shared Secret ASCII or HEX format value preshared secret as defined in the VPN. This same key needs to be entered in the GTA Mobile VPN Client when configuring the security policy.

Local

Gateway Select an IP address, alias or H�A group assigned to an external network interface on the local firewall that will serve as the VPN gateway. (For the second VPN gateway or mobile client, this IP address is the remote gateway.) This is the visible, non-encapsulated, non-encrypted IP address.

Network Select the host/subnetwork that should be accessible from the VPN. Typi-cally this is the protected network or PSN. Alternatively, select <USE IP ADDRESS> and enter the IP address(es) in the ip addreSS field.

Advanced

Identity User IP address, domain name or email address for user authentication. This field is used to associate the local identity with a preshared secret key. Typically, this is <IP Address>.

Remote

Gateway The IP address of the remote end of the VPN tunnel, the gateway to the remote network. If the remote network is behind a firewall, then this will be assigned to the external network interface. This IP address will also help determine the routing of the encapsulated packet.

Network Previously defined address object or an IP address of the network that resides behind the remote firewall. This can be just the part of the network to which access is desired. (On a firewall, typically this will be the pro-tected network, PSN or a subnet of either.) Use a subnet mask to define the class of network.

Advanced

Identity User IP address, domain name or email address for user authentication. This field is used to associate the remote identity with a preshared secret key. Typically, this is <IP Address>.


Creat ing a VPN Connect ion us ing Manual IPSec Key Mode

Select the VPN object to be used for dynamic incoming connections from the dynamiC inCominG ConneCtionS pulldown. The default VPN object is Standard Dynamic.

Under the AdvANced tab, ensure the Automatic Policies checkbox is enabled. This option will automatically configure the necessary security policies to allow inbound and outbound access on the configured VPN.

Select New to create a new IPSec Tunnel.

Select the ipSeC key mode. For this example, select MANuAl.

Complete the VPN settings fields as described below.

Table 2.2: Creating a VPN Using Manual IPSec Key Mode

Field Description

Disable Check to disable all access for the selected VPN.

Description A description of the VPN.

IPSec Key Mode Manual

VPN Object A selection for the VPN object used to define this VPN. See Which VPN Object Should I Use? for more information.

Local

Gateway Select an IP address, alias or H�A group assigned to an external network interface on the local firewall that will server as the VPN gateway. (To the second VPN gateway or mobile client, this IP address is the remote gateway.) This is the visible, non-encapsulated, non-encrypted IP address.

Network Select the host/subnetwork that should be accessible from the VPN. Typically this is the protected network or PSN. Alternatively, select <USER DEFINED> and enter the IP address in the IP Address field.

Remote

Gateway The IP address of the remote end of the VPN tunnel, the gateway to the remote network. If the remote network is behind a firewall, then this will be assigned to the external network interface. This IP address will also help determine the routing of the encapsulated packet. Default is 0.0.0.0.

Network Previously defined address object or an IP address of the network that resides behind the remote firewall. This can be just the part of the network to which access is desired. (On a firewall, typically this will be the pro-tected network, PSN or a subnet of either.) Use a subnet mask to define the class of network.

Manual

Encryption Key Select the format for the encryption key value: ASCII or HEX

Hash Key ASCII or HEX fomat value hash algorithm for the authentication transformation.

Security Parameter Index

Inbound SPI Default value is 256.

Outbound SPI Default value is 256.

�.

�.

3.

4.

5.


Encrypt ion Key Length

Blowfish encryption transformations use variable key lengths, while AES, DES and 3DES use a fixed length key. If you exceed the maximum key length in these fields, you will generate an error and not be able to save the configuration until it is corrected. You may enter a shorter length key; the system will pad it to the minimum key size. Higher-bit key size generally results in stronger encryption.

Table 2.3: Encryption Key Length

Algorithm Key Size ASCII and Hexidecimal Characters

AES-128 ��8 bits �6 ASCII or 3� Hex

AES-192 �9� bits �4 ASCII or 48 Hex

AES-256 �56 bits 3� ASCII or 64 Hex

Blowfish 40-448 bits 5-56 ASCII or �0-�� Hex

DES 64 bits 8 ASCII or �6 Hex

3DES �9� bits �4 ASCII or 48 Hex

Hash Key Length

The key length for the MD5 transformation is ��8 bits, which is �6 ASCII characters or 3� hexa-decimal characters. The key length for the SHA-� transformations is �60 bits, which is �0 ASCII (40 hexadecimal) characters; it provides 80 bits of security. The key length for the SHA-� (SHA-�56) transformations is �56 bits, which is 3� ASCII (60 hexadecimal) characters; it provides ��8 bits of security against mid-transport data tampering. Generally, larger keys are more secure.

Secur i ty Parameter Index (SPI )

The Inbound and Outbound Security Parameter Index are arbitrary numbers used to uniquely iden-tify a security association on a Manual VPN. The Inbound SPI will be the Outbound SPI on the remote side of the VPN; also, the Outbound SPI will be the Inbound SPI on the remote side of the VPN. The SPI should be unique for each SA, although the Inbound and Outbound SPI may have the same value. The minimum SPI value is �56.


Configuring a Custom VPN Object

VPN objects configure how incoming VPN connections will be negotiated by defining what client or VPN gateway initiation behavior should be acceptable by your GTA firewall. Appropriate VPN configuration objects vary with the type of VPN connection and your security policies.

Encryption objects are used to easily reference encryption settings when configuring a VPN object. For more information, see Configuring an Encryption Object.

To create or configure an existing VPN object, navigate to Configuration>System>Object Editor>VPN Objects.

Table 2.4: Configuring a VPN Object

Field Name Description

Disable Disables the VPN object for use in a VPN configuration.

Name A unique name for the VPN object to reference it throughout the firewall’s configuration.

Description A brief description to describe the use of the VPN object.

Phase I

Exhange Mode Specify flexible (<main>) or forced (<aggressive>) negotiation of acceptable encryption algorithms for IKE. Aggressive mode is required if one component of the VPN has a dynamic (DHCP or PPP) IP address, such as with a dynamically-addressed VPN gateway or mobile VPN client.

Encryption Object A selection for the level of encryption to be used by the VPN object. For more information on configuring encryption objects, see Configuring a Custom Encryption Object.

Advanced

Force Mobile Protocol A toggle used to switch forced negotiation suited to VPNs involving dynamic IP addresses, including VPN gateways with dynamic (DHCP or PPP) IP addresses.

Force NAT-T Protocol A toggle used to switch forced use of NAT-T (Network Address Translation - Transversal) for connections that do not require NAT-T (are not using NAT that denies VPN IKE connections) on or off.

Lifetime Specify the length of time in minutes before the Phase I (IKE) security associations must be renewed. Shorter times are generally more secure, but may reduce performance by adding renewal overhead time to the con-nection.

DPD Interval Specify the interval in seconds between checks for continued viability of the VPN connection (also known as dead peer detection). To disable DPD queries made by this firewall, set the interval to 0; the firewall will still respond to DPD signals from other VPN gateways and clients, but will not initiate any signals of its own.

Phase II

Encryption Object Specify the encryption algorithm that this firewall should accept for VPN data transfers (ESP). Strong encryption means that any algorithm except None and Null will be accepted from the VPN initiator. (Null provides IP encapsulation, but no encryption. None provides neither encryption nor encapsulation.). Null provides no security benefits, but is useful to trans-port non-IP protocols when using NAT between firewalls. GTA firewalls initiate connections using AES-��8 by default.

Advanced

Lifetime Specify the length of time in minutes before the Phase II security associa-tions must be renewed. The entered value must be smaller than the Phase I Lifetime. Shorter times are generally more secure, but may reduce perfor-mance by adding renewal overhead time to the connection.


About Phase I

Phase I establishes VPN peer identities (keys) that can be tested for authenticity and establishes initial security associations (SAs) correlating hosts to encryption methods, securing further VPN negotiation/setup communications, and not actual transfers of user data.

During Phase I, the Diffie-Hellman cryptographic technique uses random and prime numbers to generate a secondary number. These secondary numbers are then exchanged, and each host uses a combination of these secondary numbers as keys. Because predicting random numbers and determining prime numbers are both computationally difficult, knowledge of the random and prime numbers behind the generation of a key can be used to prove host authenticity. Increased computational power means that a key may eventually be computed, this is the reason why key-based security such as VPN phases must be periodically regenerated to guarantee authenticity of a packet’s source.

Once Diffie-Hellman key exchanges have been performed, (automatically with IKE or manually), these temporary keys are used to prove authenticity of hosts requesting encryption and hash methods to be used during Phase II negotiations.

Automatic key exchange (IKE) uses Phase I settings during its automatic negotiations. Manual key exhange does not use Phase I settings, because the firewall does not provide automatic negotia-tions in manual mode.

About Phase I I

Phase II uses the host authenticity and agreed initial hash and encryption established in Phase I to protect secondary negotiations for authenticity, data integrity and confidentiality setings. These secondary settings are used in the actual transfer of user data.

Using the temporary protection mechanisms devised during Phase I, Phase II again performs negotiations for keys, hashes and encryption that will be used to protect the transfer of actual user data.

Configuring a Custom Encryption Object

Encryption objects are used to easily reference encryption settings when configuring a VPN object. By default, GB-OS ships with five built-in encryption objects that are pre-configured with varying levels of encryption. They can be viewed and duplicated, but cannot be edited or deleted.

Table 2.5: Configuring a Custom Encryption Object

Field Description

Disable Disables the configured encryption object.

Name A unique name for the encryption object to reference it throughout the firewall’s configuration.

Description A brief description to describe the use of the encryption object.

Encryption Method Select the encryption algorithm that the firewall should accept for VPN data transfers. Default is <AES-192>.

For more information on what encryption method to select, see Encryption Method.

Hash Algorithm Select the hash algorithm that should be used to provide provide checks for packet tampering. Default is <HMAC-SHA1>.

For more information on what hash algorithm to select, see Hash Algorithm.

Key Group Select the Diffie-Hellman key group (bit size of the key) to use in authenticity keys. Default is <Diffie-Hellman Group 2>.For more information on what key group to select, see Key Group.


encrypt ion Methods

Different encryption methods use proprietary methods for generating keys used to verify VPN data transfers. GTA firewalls support the following encryption methods:

Table 2.6: Encryption Methods

Field Description

None None provides neither encryption nor encapsulation when establishing a VPN connection.

Null Null provides IP encapsulation, but no encryption. There are no security benefits when <Null> is selected, but it is useful to transport non-IP proto-cols when using NAT between firewalls.

AES 128-256 Advanced Encryption Standard; AES has become the new United States federal standard for encrypting commercial and government data. AES, with a key strength of �9� bits, is the default encryption level used by GB-OS encryption objects.

Blowfish Blowfish is fast, supports long keys and is widely recognized throughout the security industry. Blowfish has been known to perform nearly twenty times faster than DES encryption.

DES Data Encryption Standard; an algorithm used for encryption which was the official algorithm of the United States Government. DES has since been replaced by the AES algorithm.

3DES 3DES, often referred to as Triple DES, is three rounds of DES encryption. Each round uses a different permutation of your key. 3DES is a secure algorithm, yet can impact performance.

Strong Selecting <Strong> allows use of any encryption algorithm, a suitable selec-tion when the VPN object’s Phase I exChanGe mode is set to <Main>.

Hash Algor i thm

The encryption object’s haSh alGorithm is used to perform packet tampering checks in the Phase I and Phase II authentication headers. GTA firewalls support the following hash algorithms:

Table 2.7: Hash Algorithms

Field Description

None <None> provides no authenticity checks on the connection.

HMAC-MD5 A one-way hash function that creates a �6-byte (��8-bit) hash or message digest to authenticate packet data.

HMAC-SHA1 A one-way hash function that creates a �0-byte (�60-bit) hash or message digest to authenticate packet data. SHA� is more resistant to attacks than MD5, but slower to compute.

HMAC-SHA2 Blowfish is fast, support long keys and is widely recognized throughout the security industry. Blowfish has been known to perform nearly twenty times faster than DES encryption.

All <All> allows for the use of any hash algorithm.


Key Group

The encryption object’s key GroUp is used to exchange the VPN’s pre-shared secret using a Diffie-Hellman exchange. In a Diffie-Hellman exchange, two parties independently generate random public and private values. Each sends their public value to the other (using authentication to foil man-in-the-middle attacks); the private values remain secret. Each then combines the public key received with their own private key. The resulting key is the pre-shared secret and it is identical for both sides.

When selecting the bit size Diffie-Hellman group, keep in mind that while a larger bit size is gener-ally more secure, it can significantly increase the amount of time it takes to decrypt content. GB-OS encryption objects default to <Diffie-Hellman Group 2 (1024 bits)>.

Configuring VPN Policies

By default, GB-OS will automatically configure the necessary security policies to allow inbound and outbound access for all configured VPNs. If this has been toggled off (the setting is available under the AdvANced tab located on the Configuration>VPN>IPSec Tunnels) it is necessary to manually define VPN policies to allow VPN traffic (ESP (protocol 50) and UDP (ports 500 and 4500)) .

NoteIt is recommended to have automatic policies enabled on the Configuration>VPN>IPSec Tunnels screen to simplify the VPN configuration process.

Use VPN policies (Configuration>Security Policies>VPN Policies) to control access through the VPN . Make modifications to your VPN policy as per your local security policy.


C r e a t i n g A u t h o r i z a t i o nIf the configured IPSec Tunnel is to be used by mobile users using the GTA Mobile VPN Client, it is necessary to define how the mobile users will be authenticating with the firewall.

After configuring a VPN connection, use the Configuration>Accounts section to configure mobile users by assigning them to groups and defining their user accounts. User groups are used to assign users to a VPN object and local network. User accounts, pooled in user groups, are used to define the identity and password to be entered when authenticating with the firewall.

Creating Groups

Groups are used to define the VPN object and local network that GTA Mobile VPN Client users will be using.

When defining a group, additional groups can also be added to the group being defined to pool additional users. This can be useful if a policy is being defined that is required to affect multiple groups.

Groups are configured under Configuration>Accounts>Groups.

Table 2.8: Creating Groups


Disable Disables the group.

Name The name for the group.

Description A short description to identify the use of the group.

Mobile VPN

Disable Disables VPN access for the user group.

Authentication Required A toggle for whether users configured under the group should be required to authenticate with the firewall using the GTA Mobile VPN Client or not.

VPN Object The VPN object to be used by the user group.

Local Network The local network on which the user organized within the configured user can access.

Groups

Sub Group Select a previously defined group to reference additional groups.

Description A short description to explain why this group is included.

�� GTA VPN Option Guide Setup

Creating Users

User accounts are used to define the identity and password to be entered when mobile users authenticated with the firewall.

Table 2.9: Creating User Accounts


Disable Disables the account.

Name The name for the account.

Description A short description to identify the use of the account.

Identity Used for authentication purposes, this is typically the user’s email account.

Group A selection for the user’s user group. Selecting ??? means no user group has been selected.

See Creating Groups for more information.

Authentication

Method Select the method for authentication.

Password The password for user authentication.

Mobile VPN

Disable Disables VPN access for the account.

Remote Network The IP address or address object of the remote network.

IP Address If <USER DEFINED> is selected as the remote network, then enter the IP address here.

Pre-shared Secret The ASCII or HEX value pre-shared secret.


o n t h e c l i e n t c o m p u t e r ( G tA M o b i l e V P nc l i e n t )If laptop computers and other non-gateway servers and computers will connect to your GTA firewall VPN, install and configure GTA Mobile VPN Client software on those computers.

Additional Mobile VPN client software is available for purchase separately from an authorized GTA Channel Partner or GTA sales.

NoteThese instructions assume that your VPN client computer is not behind a router that requires modification.

I n s t a l l i n g t h e G TA M o b i l e V P N C l i e n tThe installation process for the GTA Mobile VPN Client is typical for Windows®-compatible soft-ware.

To install the GTA Mobile VPN Client software:

Login to the Windows computer under an administrative account.

Start the installer. Click the Next button to read the license agreement. If you agree to the terms, click YeS to continue the installation.

Select an installation path for the software, e.g. C:\Program Files\GTA\Mobile VPN Client. Complete the installation wizard.

After completing the wizard, you will be prompted to reboot your computer. Rebooting the computer completes the installation process.

A c t i v a t i n g t h e G TA M o b i l e V P N C l i e n tThe GTA Mobile VPN Client requires activation for any use beyond the initial thirty day evalua-tion period. The license number necessary for activation can be retrieved from the GTA Support Center (https://www.gta.com/support/center/). Once logged in, click on View Products and select your firewall’s serial number. Your license number will be displayed.

NoteShould your license number not be displayed, make sure your GTA firewall is running GB-OS version 3.7 or greater. If you have a current support contract, please upgrade your GTA firewall and then retrieve the activation code. If you do not have a current support contract you will need to contact GTA’s sales department or your local GTA Channel Partner.

To activate the GTA Mobile VPN Client:

�. Open the GTA Mobile VPN Client to start the activation wizard. If the client is already open and running, navigate to ?(Help)>Activation Wizard.

�.

�.

3.

4.




Figure 2.13: Activation Wizard

�. Click the ActIvAte button. Doing so will display the following screen:

Figure 2.14: Entering the License Number

3. The license number needs to be entered either as a single string of twenty characters (12345678901234567890) or four sets of six characters (123456-123456-123456-123456). If your license number is a four sets of six characters, you will need to switch the format of the liCenSe nUmber field to allow entry of your data. To do so, select the Click here to enter... link.


Figure 2.15: Switching the License Number Format

4. Enter the license number and click Next. A successful activation will display the following screen:

Figure 2.16: Completing the Activation Wizard.

NoteIf an error message is displayed during activation, refer to Table D.�: Activation Errors for troubleshooting.


C o n f i g u r i n g t h e V P N C l i e n t S o f t w a r eTo connect your computer with the GTA firewall VPN, you must first provide your mobile VPN client software with the required VPN settings.

You may use the Configuration Wizard to configure your software. It will configure the client for a connection compatible with default GB-OS firewall settings. If you elect to use the VPN client configuration wizard, you do not need to complete the manual configuration instructions further in this section. For more information, see Running the Configuration Wizard.

Use the included worksheet to collect settings for your VPN client. Enter them if required by tunnel, Phase I or Phase II setup. Once your VPN client is configured, start/stop your VPN connection as desired.

For more information on advanced mobile VPN client features such as automatic start/stop of your VPN connection, see Advanced Mobile Client Setup.

Running the Configuration Wizard

Running the configuration wizard will configure the GTA Mobile VPN Client for a connection compatible with default GB-OS firewall settings. Settings for your GTA Mobile VPN Client must match your firewall’s VPN configuration object and authorization settings. Contact your network administrator to obtain matching VPN settings.

To run the configuration wizard, navigate to VPN Configuration>Config. Wizard and complete the avail-able fields. Once complete, click Next. The next screen will allow you to review your settings. If correct, click FINISh.

Figure 2.17: Running the Configuration Wizard


VPN Set t ings Worksheet

Print and fill out the below fields for assistance when configuring the GTA Mobile VPN Client.

Table 2.10: VPN Settings Worksheet

Field Value

Firewall IP Address 000.000.000.

Phase 1

Name

Interface 000.000.000.

Remote Gateway 000.000.000.

Preshared Key

IKE

Encryption (circle one) DES 3DES AES ��8 AES �9� AES �56

Authentication (circle one) MD5 SHA

Key Group (circle one) DH�68 DH�0�4 DH�536 DH�048

Phase 2

Name

VPN Client Address 000.000.000.

Address Type (circle one) Single Address Subnet Address

Remote LAN Address 000.000.000.

Subnet Mask 000.000.000.

ESP

Encryption (circle one) DES 3DES AES ��8 AES �9� AES �56

Authentication (circle one) MD5 SHA

Mode (circle one) Tunnel

PFS (circle one) DH�68 DH�0�4 DH�536 DH�048


Manually Configuring the GTA Mobile VPN Client

If you wish to manually configure the GTA Mobile VPN Client, configure the client using the following sections.

Entering Preferences (Parameters)

Parameters for phase lifetime and dead peer detection (DPD) do not need to match the settings of your GTA firewall, but agreement between the two is beneficial.

To enter lifetimes and DPD intervals for Phase I and II of your VPN:

1. Start the GTA Mobile VPN Client software (or click its icon in the system tray to show a configu-ration window).

�. Click the PArAMeterS icon located in the left hand menu.

3. Enter your IKE and IPSec (Phase I and II) lifetimes in the lifetime fields. Values entered are in seconds. Times specify when keys should be renewed and security associations recreated. Smaller times are generally more secure, although they can add performance overhead to the VPN.

NoteThe maximum lifetimes for the GTA Mobile VPN Client must be less than the lifetime indicated by the firewall.

4. Enter your check interval for dead peer detection (DPD). Do not enter a value of 0.

5. Leave bloCk non-Ciphered ConneCtion unchecked unless you wish to force all connections, includ-ing traffic with a non-VPN destination, through the VPN tunnel.

6. Click SAve & APPlY.

Configuring Phase I ( IKE)

Phase I settings must match your GTA firewall settings. Defaults for Phase I are AES-192 encryp-tion, SHA-� hashes and Group � (�,0�4-bit) keys.

To enter Phase I settings of your VPN:

1. Start the GTA Mobile VPN Client (or click its icon in the system tray to show a configuration window).

�. Right-click the Configuration menu item and select New Phase I. A new sub-item to the Configuration tree will appear. It will be given a default name, such as CnxVpn1, that you may change by edit-ing the name field.

3. Enter a new name, if desired, with no spaces or special characters (e.g., Office_Phase_I).

4. Select the interfaCe (network card) that will be used (select * to indicate all available network cards).

5. Enter the remote Gateway, which should be the external IP address or domain name of your GTA firewall.

6. Enter the preShared key (secret) for your VPN connections and then Confirm it.


NoteCertificate-based authentication is not currently supported by GTA firewalls, but may be used if you are connecting to another GTA Mobile VPN Client. Consult your network administrator to determine if certificates can be used.

�. Enter appropriate IKE settings such as enCryption, aUthentiCation and key GroUp.

8. Click the P1 AdvANced button.

Check the Aggressive Mode checkbox. Add ike port 500. Set nat-t to <Automatic>. Enter your loCal id. The valUe will be the email address indicated in your firewall’s Users configu-ration, so select the Type indicating <Email>. Enter the remote id of the firewall. The value should be the external IP address of the firewall, so select the type indicating “IP address”. Click ok.

Figure 2.18: Configuring Phase I (IKE)


Configuring Phase I I ( IPSec)

Phase II settings must match your GTA firewall settings. Default for Phase II are AES-192 encryp-tion, SHA-� hashes and Group � (�,0�4-bit) keys.

To enter Phase II settings of your VPN:

1. Start the GTA Mobile VPN Client (or click its icon in the system tray to show a configuration window).

2. Right-click on the previously created Phase I configuration. Select Add Phase II. A new sub-item to the Configuration tree will appear, underneath the Phase I configuration. It will be given a default name, such as CnxVpn1, that you may change be editing the name field.

3. Enter a new name, if desired, with no spaces or special characters (e.g., Office_Phase_II).

4. Enter the vpn Client addreSS, which is the IP address your computer will use when attached to the firewall’s internal network.

5. Select the addreSS type. This will be a subnet address if you are connecting to the firewall’s internal network. It will be a single IP address if you are connecting to only one host such as another GTA Mobile VPN Client.

Enter the remote lan addreSS. This will be the IP address of the firewall’s internal network with subnet mask if you are connecting to the firewall’s internal network. If you are connecting to only one host, it will be the IP address of that host.

If you are connecting to the firewall’s internal network, also enter the SUbnet maSk for that net-work.

6. Enter ESP settings such as enCryption, aUthentiCation and tUnnel mode. Note that these settings may be different than those used in Phase I.

�. Check the PFS (perfect forward secrecy) checkbox.

8. Select the Diffie-Hellman key GroUp.

9. Click SAve & APPlY. If you wish to open your VPN connection immediately, click oPeN tuNNel.

Figure 2.19: Configuring Phase II (IPSec)

NoteCreating a complete VPN configuration does not automatically open that VPN connection. To start or stop a VPN connection, see Starting or Stopping VPN Client Connections.

3�GTA VPN Option Guide Setup

S t a r t i n g a n d S t o p p i n g V P N C l i e n t C o n n e c t i o n sYour VPN client software can be configured to automatically start or stop your VPN connection. This can be particularly useful if your primary network traffic must use the VPN, or if you always use the same VPN settings. You can also select to start and stop your VPN connections manually.

For a fully automated VPN solution, you may also elect to automatically start your VPN client soft-ware, which can then automatically start or stop your VPN connection. For more information on automatic startup of your VPN client, see Startup Modes.

To automatically start your VPN connection:

�. Start the GTA Mobile VPN Client (or click its icon in the system tray to show a configuration window).

�. Select a Phase II configuration item in the Configuration tree and click the P2 AdvANced button.

3. If you wish your VPN connection to start automatically upon start of the VPN client software, check the aUtomatiCally open thiS tUnnel when vpn Client StartS check box.

4. If you wish your VPN connection to start automatically upon insertion of a USB drive/stick con-taining a VPN client configuration, check the aUtomatiCally open thiS tUnnel when USb StiCk iS inSerted check box.

5. Click SAve & APPlY.

6. If you are using automatic connection startup that occurs upon insertion of a USB drive/stick, insert the USB drive/stick. Select File then Export VPN Configuration from the menu. Choose the loca-tion of the USB drive/stick and save the exported configuration there.

To manually start and stop your VPN connection:

�. Start the GTA Mobile VPN Client software (or click its item in the system tray to show a configu-ration window).

�. Click a Phase II configuration item in the Configuration tree. Click oPeN tuNNel to start the VPN con-nection.

3. Click the coNNectIoNS icon in the left hand menu to view your open VPN connections.

4. To stop a VPN connection, click the VPN connection and click cloSe tuNNel.

NoteIf you are using automatic connection startup that occurs upon insertion of a USB drive / stick, you may also choose to automatically stop your VPN connection when you remove the USB drive. For more information, see USB Drive Mode.

3� GTA VPN Option Guide Advanced Setup

A d v a n c e d S e t u p

The GTA Mobile VPN Client has several features to enable use on servers, desktop or laptop computers.

A d v a n c e d P h a s e 1 C o n f i g u r a t i o nFor advanced features and parameters when configuring Phase I, click the P1 AdvANced button.

Figure 3.1: Phase 1 Advanced

33GTA VPN Option Guide Advanced Setup

Table 3.1: Advanced Phase 1 Configuration

Field Value

Config Mode Config Mode allows the GTA Mobile VPN Client to fetch VPN configura-tion information from the VPN gateway such as DNS or WINS server IP addresses. Config Mode is currently not supported on GTA firewalls. Please refer to Advanced Phase 2 Configuration for configuring DNS or WINS server IP addresses manually.

Aggressive Mode Aggressive Mode creates a more efficient connection, and it is recom-mended that it be enabled.

Redundant GW This field allows the GTA Mobile VPN Client to open an IPSec tunnel with an alternate gateway in case the primary gateway is down or is no longer responding. Enter either the IP address or DNS resolvable host name of the redundant gateway (e.g., router.gta.com)

IKE Port The negotiation port used for IKE. The default value is 500.

NAT-T A selection for when Network Address Translation Tranversal should be used. Typically, <Automatic> should be used. Other options include <Forced> and <Disabled>.

X-Auth Popup If x-aUth popUp is enabled, a popup window asking for the loGin and paSSword will appear each time an authentication is required to open a tunnel with the remote gateway. The user has �0 seconds to enter the login and password for authentication before X-Auth authentication fails. X-Auth is currently not supported on GTA firewalls and should remain disabled.

Local ID The Local ID is the identity the VPN client is sending during Phase I to the VPN gateway. This value can be an IP Address, domain name (DNS), string of characters (KEY ID), email address (Email) or a certificate issuer (DER ASN1 DN).

Remote ID The Remote ID is the identity the VPN client is expecting to receive during Phase I from the VPN gateway. This value can be an IP Address, domain name (DNS), string of characters (KEY ID), email address (Email) or a certificate issuer (DER ASN1 DN).

A d v a n c e d P h a s e 2 C o n f i g u r a t i o nFor advanced features and parameters when configuring Phase II, click the P2 AdvANced button.

Figure 3.2: Phase 2 Advanced

34 GTA VPN Option Guide Advanced Setup

Table 3.2: Advanced Phase 2 Configuration

Field Value

Automatic Open Mode The GTA Mobile VPN Client can automatically open the specified tunnel on the following specific events:

Automatically open the tunnel when the GTA Mobile VPN Client starts.

Automatically open the tunnel when a USB Drive is inserted. If the VPN configuration file location is not set to USb StiCk, then this field is ignored. See USB Drive Mode

Automatically open the tunnel on traffic detection.

•

•

•

Open Script Provides a means to run a script or launch an application when the tunnel opens.

Alternate Servers Allows one to specify DNS and/or WINS server IP addresses when the client is active.

H i d d e n M o d eThe VPN client software can be configured to run as a service that cannot be user-modified.

When “hidden”, the VPN client software will still have an icon visible in the system tray; however, clicking the icon will not show a configuration window.

The GTA Mobile VPN Client VPN Hide Utility must be used to set the visibility.

To hide/unhide the VPN client software:

�. Download the GTA Mobile VPN Client VPN Hide Utility from the GTA Support Center.

• Log in to the GTA Support Center.

• Navigate to Downloads>Additional Software.

• Under GTA Mobile VPN Client, click the GTA Mobile VPN Client VPN Hide Utility to start the download.

�. After the download is complete, start VpnHide.exe.

3. Click VISIBle or InVISIBle.

4. Click OK.

Figure 3.3: Selecting the Display Mode

mailto:[email protected]


u S B d r i v e M o d eThe VPN client software can be configured to open and close your VPN connection when a USB drive containing the VPN configuration is inserted or removed.

To use the USB-activated VPN connection handling:

�. Insert the USB drive (also sometimes called a pen drive or USB stick).

�. Start the VPN client software.

3. Select File then VPN Configuration File from the menu.

4. Click USB STICK (PLUG-IN AUTOMATIC DETECTION).

6. Click OK.

7. Configure your VPN as usual, or copy / export your current VPN configuration onto the USB drive.

8. To start your VPN connection, plug in your USB drive. To stop the connection, eject / remove the USB drive. (Your VPN client software must remain running to automatically start and stop your VPN.)

The VPN client software can be returned to normal operation at any time by clicking locAl(locAl

drIVe,clASSIcMode) in Configuration Mode.

Figure 3.4: Selecting USB Drive Mode


P r e f e r e n c e sThe Preferences window allows the user to define the startup mode of the software as well as enable or disable detection of the network interface’s disconnection.

The Preferences window can be accessed by navigating to File>Preferences.

S t a r t u p M o d e sThe VPN client software can be configured to start a VPN connection upon boot, login, or manually.

These different startup modes can provide the VPN connection upon boot (e.g. when a service on your server requires a VPN), or upon login (e.g. when VPN connection is part of your enforced usage policy). The GTA Mobile VPN Client is set to start manually by default (which requires the user to actively open the client).

To set the startup mode of the GTA Mobile VPN Client:

�. Start the GTA Mobile VPN Client (or click its icon in the system tray to show a configuration window).

�. Navigate to File>Preferences.

3. Select the startup mode. Click Start VPN Client before Windows Logon to start a VPN connection upon boot. Click Start VPN Client after Windows Logon to start a VPN connection upon user login. Click Don’t start VPN client when I start Windows to start a VPN connection manually when needed.

4. Click ok to commit the change.

M i s c e l l a n e o u sBy disabling detection of the network interface’s disconnection, the VPN tunnel will remain open. This feature is useful if the user is connecting with an unstable connection that disconnects and reconnects often.

Figure 3.3: Entering Preferences

3�GTA VPN Option Guide Advanced Setup

C o n s o l e a n d C o n f i g u r a t i o n To o l s

C o n f i g u r a t i o n M a n a g e m e n tThe GTA Mobile VPN Client allows configurations to be imported and exported.

Importing and exporting configurations facilitates configuration deployment and troubleshooting. Administrators may configure VPN settings on their computer and then send that configuration to the VPN user. VPN users can also export their configurations for troubleshooting by the network administrator.

To export or import a VPN configuration:


�. Select File then Import VPN Configuration or Export VPN Configuration.

2a. If exporting the configuration, enter a password if desired. Password protected configuration files provide greater security.

3. Select a location for the file. A VPN client configuration file will have a file extention of “.tgb”.

4. Click oPen or SAVe.

Figure 3.6: Export Password Protection

C o n s o l e / L o g sThe GTA Mobile VPN Client maintains a console which allows you to view current VPN activity. This activity may contain useful debugging information by providing feedback messages and component status.

Optionally, you can save the output of the console to a log file for viewing in a text editor such as Notepad.

To view the console/log:


�. Select Tools the Console from the menu.

3. If the console has been stopped, click StArt to begin logging.

4. To save the log to a text file, click SAVeFIle.

The console messages/log can be filtered in the console. By selecting the oPtIoNS button, a series of pull-down menus become available to allow less or more log information to be displayed. The default information (level 0 for each setting) is usually sufficient for debugging purposes.


Figure 3.5: VPN Console

Table 3.3 Console Debug Levels

Label Name Description

Misc Miscellaneous The degree of logging detail for low-level messages.

Trpt Transport The degree of logging detail for UDP trans-port mode.

Msg Message The degree of logging detail for IKE decod-ing.

Cryp Crypto The degree of logging detail for crypto-graphic exchanges.

Timr Timer The degree of logging detail for timers.

Sdep Sysdep The degree of logging detail for IKE inter-faces with IPSec

SA Security Associations The degree of logging detail for SA man-agement.

Exch Exchange The degree of logging detail for IKE exchanges.

Nego Negotiation The degree of logging detail for Phase I and Phase II negotiation.

Plcy Policy Not used.

All All The degree of logging detail for all subsys-tems.


40 GTA VPN Option Guide Reference A: User Interface

R e f e r e n c e A : G TA M o b i l e V P N C l i e n t U s e r I n t e r f a c e

The GTA Mobile VPN Client’s user interface remains consistent throughout the application, providing an intuitive, easy to use operating environment. The main menu contains general options available for configuration and review. Select options are also available as clickable icons or by using context-sensitive right-click menus.

Figure A.1: The GTA Mobile VPN Client

M e n u o v e r v i e wThe GTA Mobile VPN Client’s main window will display four dropdown menus: File, VPN Configuration, Tools and ?.

Figure A.2: Menu Overview

F i l eThe File menu contains import/export functions, a selection for the storage location of the VPN configuration file, as well preferences for the application.

Figure A.3: File Menu

4�GTA VPN Option Guide Reference A: User Interface

V P N C o n f i g u r a t i o nThe VPN Configuration menu contains functions for adding and removing VPN phases, a Configuration Wizard as well as adjustments for parameters.

Figure A.4: VPN Configuration Menu

to o l sThe Tools menu contains functions for viewing the VPN Console as well as active connections.

Figure A.5: Tools Menu

? ( H e l p )To utilize online help and support, see the Help and Online Support menu items. Check For Update informs if a new version has become available. Activation Wizard allows for activation if the GTA Mobile VPN Client is running under a 30 day trial. Find the version number of the GTA Mobile VPN Client as well as the license number it is registered under in the About dialog.

Figure A.6: ? (Help) Menu

l e f t H a n d M e n u I c o n sThe following icons are found along the left hand side of the GTA Mobile VPN Client.

Table A.1: Left Hand Menu Icons

Icon Icon Action

Opens the VPN Console.

Allows for the configuration of the VPN’s parameters.

Allows for the viewing of currently open tunnels.

4� GTA VPN Option Guide Reference A: User Interface

C o n f i g u r a t i o n M e n u Tr e eThe configuration menu tree displays a visual representation of the GTA Mobile VPN Client’s configuration.

Figure A.7: Configuration Menu Tree

S t a t u s B a rThe status bar displays the following information:

The left box contains an icon which indicates the location of the VPN configuration file. For example, if USB mode is selected for the location, the icon will be a USB stick.

The center box displays information about the GTA Mobile VPN Client’s status (e.g., VPN ready)

The right box contains an icon which indicates if a tunnel is open or not. If one or more tunnels are open, it will be indicated by a green “light”. If no tunnels are open, the light will be grayed out.

Figure A.8: Status Bar

S y s t e m tr a yThe GTA Mobile VPN Client can be launched by clicking the system tray icon. Once the applica-tion has been launched, the system tray icon will indicate whether a VPN tunnel is open or not, depending on its state.

Table A.2: System Tray Icon States

Icon Icon State

The GTA Mobile VPN Client is running, but no VPN tunnel is open. The icon will be grey.

The GTA Mobile VPN Client is running and a VPN tunnel is open. The icon will be red.

Right-clicking on the system tray icon will cause the following menu to appear:

Figure A.9: System Tray Right-Click Menu

Open tunnel... Opens the configured tunnel. When open, the menu item will change to Close Tunnel...

Save & Apply will close any established VPN tunnels, apply the latest VPN configuration and re-open all VPN tunnels.

Console opens the console.

Connections opens Tunnels View, which provides a means to view open connections.

Quit will close any established VPN tunnels and close the GTA Mobile VPN Client.

•

•

•

•

•

•

•

•

43GTA VPN Option Guide Reference A: User Interface

44 GTA VPN Option Guide Reference B: VPN Concepts

R e f e r e n c e B : V P N C o n c e p t s

e l e m e n t s o f I P S e c V P n S e c u r i t yIPSec, a secure network connection standard (RFC �40�) designed by IETF (Internet Engineering Task Force), provides two implementations: transport mode and tunnel mode. The tunnel mode implementation applies to VPN gateways, such as GTA firewall VPNs.

GTA firewall VPNs provide:

• Authorization

• Data integrity

• Data privacy

GB-OS IPSec tunnels (VPNs) cause the original IP packet to be:

�. Encrypted to hide contents from interceptors.

�. Hashed to resist tampering.

3. Authorized with keys and/or authentication to validate transmission according to your security policies.

4. Encapsulated within another IP packet to provide routing for the “sealed” original packet.

GTA firewall VPN is essentially a tunnel and a security processing service for your IP traffic, both tunneling and securing packet contents. All GTA firewall VPN-secured traffic receives encapsula-tion by a secondary IP packet layer after it is secured.

All IP protocols can be secured with GTA firewall VPN, including TCP (and its higher-level proto-cols like HTTP or SSH), UDP, ICMP and others.

CautionVarying degrees of data integrity and confidentiality are provided by the hashes, keys and encryption algorithms you elect to use. GTA recommends that you carefully select each one based upon the strength and performance needs of your VPN.

IPSec’s security benefits arise from the secure creation of authorized, encrypted connections. IPSec connections utilize some auxiliary TCP and UDP connections to negotiate a secure connection before actual transmission of user data occurs.

During the creation of an IPSec VPN connection:

�. Hosts (including clients or gateways) exchange keys.

�. Hash and encryption methods are negotiated with identities being assured by the keys from step �.

3. Security associations (SAs) are created on each host to contain the agreed security transforma-tions and associated keys for each VPN destination from step �.

4. Data transmission receives the protection designated by the established rules of the SAs from step 3 until they expire or are deleted.

http://www.ietf.org/rfc/rfc2401.txt

45GTA VPN Option Guide Reference B: VPN Concepts

Automatic IPSec key exchange and IPSec SA initialization is provided using the IKE standard (RFC �40� and RFC �409). (Manual key exchange is supported, but not recommended because of the security risks inherent in overexposed keys.)

IPSec VPNs on GTA firewalls require the use of AH and ESP protocols (IP protocols 5� and 50). Key exchange and other IKE negotiations may also require the use of UDP port 500. If ESP traffic is blocked, GTA firewall VPNs will use NAT traversal (RFC 394� and RFC 3948) to tunnel ESP traffic using UDP port 4500.

For more information on the IP packet transformations that occur during a GTA firewall VPN connection, see TCP/IP Packets: IPSec VPN Packet Structure. For more information on IPSec packet processing specific to GTA firewalls, see GTA firewall VPN Packet Processing. For more information on the IETF standards applying to IPSec or IKE, see the applicable RFCs: RFC �40� (IPSec), RFC �409 (IKE), RFC �40� (IKE’s role in IPSec), RFC �40� (AH) and RFC �406 (ESP).

Ve r i f y i n g A u t h o r i z a t i o nVerifying identity through authentication is an important step of secure computing. Identity allows policies to be applied based on the trustworthiness and relevance of the data source. For example, an incoming connection may have both privacy and tamper-proofness (data integrity), but unless you know the sender and authorize their activities, you don’t truly know what data you are allowing onto your network.

IPSec VPN can provide authorization during the Phase I (IKE) part of VPN initialization. The GTA firewall implementation of IPSec VPN requires authorization; VPN will not activate without an authorization that references a VPN configuration object.

The source of the authorization can be provided in two separate areas of GTA firewall configuration. For gateway-to-gateway GTA firewall VPNs, the identity is checked by VPNs; for mobile client GTA firewall VPNs, identity is checked by Users.

Ve r i f y i n g D a t a I n t e g r i t yVerifying data integrity (tamper-proofing) is also an important part of secure computing. Integrity assures that the data has not been tampered with to introduce unwanted data, including trojans and viruses. For example, you may intend to accept the sender and content of a packet, but unless you can assure that a third party has not altered it, you don’t truly know what data you are allowing onto your network.

Data integrity is ensured during both Phase I and Phase II of IPSec VPN creation by keys and hashes. Separate keys and hashes may be selected for either phase. Key and hash preferences for a GTA firewall VPN connection are configured in VPN Objects.

NoteKeys uniquely identify the host establishing the connection; hashes are computed using the data and the key, and therefore a hash of a packet’s data is only verifiable by a destination who knows the secret of the sender’s original key.

The selection of a key and a hash method is generally a balance between performance, technical requirements, and strength. Larger keys are generally considered better, but come at the price of performance. GTA firewalls provides reasonable defaults for many VPNs, but you may wish to select a greater key length or a different hash algorithm to suit your needs.











46 GTA VPN Option Guide Reference B: VPN Concepts

E n s u r i n g D a t a P r i v a c yEnsuring data privacy is usually a part of secure computing. Privacy allows sensitive data to be hidden from unauthorized parties. For example, you may trust the source and integrity of data, but don’t want others to be able to read it while in transit to your network. Common reasons for data privacy include the transmission of financial and personal data.

Privacy is ensured during both Phase I and Phase II of VPN creation by encryption algorithms. Separate encryption methods may be selected for either phase.

IPSec VPN provides data privacy with encryption. Encryption methods for a GTA firewall VPN connection are configured in VPN Objects.

P a c k e t S t r u c t u r e : I P S e c V P nIPSec VPN uses encrypted, encapsulated IP packets to transfer data.

The original IP packet contents are prevented from interception and tampering by application of the ESP protocol, which applies selected encryption, hashes and authenticity checks to contents. The resulting packet is then re-wrapped in an external IP packet layer.

Only hosts containing matching IPSec information (SAs and keys) are able to decrypt the ESP-encapsulated contents.

Figure B.1: IPSec VPN Packets

4�GTA VPN Option Guide Reference B: VPN Concepts

G TA F i r e w a l l V P N P a c k e t P r o c e s s i n gWhen a packet arrives at a GTA firewall, many evaluation sequences are performed to determine structure correctness and permissibility before a route is created to deliver the packet. These checks, plus some special additional transformations, are performed on all GTA firewall VPN packets.

Failing a check causes the packet to be denied and, by default, logged.

The generalized packet processing sequence of VPN packets includes:

�. Check for valid IP packet structure.

�. Check for spoofed packets and other network attacks.

3. Check for filters allowing, denying or transforming packet transmission (such as traffic shaping rules). For IPSec VPN packets, checks occur for a valid existing IPSec VPN SA as well as an outbound or remote access filter.

4. Check for routing instructions delivering the packet to its indicated destination. For IPSec VPN packets, checks occur for a passthrough filter.

IPSec initialization packets (packets for IKE and IPSec SA setup) are not subjected to the routing check, as the firewall is their destination; however, these initialization packets do require firewall access permission from remote access filters. Then checks are performed for authorization and VPN configuration data to create the IKE and IPSec SAs required by all further IPSec VPN packets.

48 GTA VPN Option Guide Reference C: Example VPN Configurations

R e f e r e n c e C : E x a m p l e V P N C o n f i g u r a t i o n s

The VPN configuration you choose will vary based upon the answer to two questions:

• Do both initiator and responder have static IP addresses?

• Is key exchange manual or automatic (IKE)?

The following examples show configuration cases for manual vs. IKE key exchange and dynamic vs. static IP addresses.

All listed objects and configurations should be enabled. Any other options, if not listed, may be defined but are not necessary to achieve a functional configuration.

NoteIt is assumed that automatic policies are enabled on the Configuration>VPN>IPSec Tunnels screen. Automatic policies allow all VPN traffic by default. If disabled, it is necessary to create VPN policies (Configuration>Security Policies>Policy Editor>VPN Policies) that allow ESP protocol 50 and UDP ports 500/4500. VPN policies are used to control access through the IPSec tunnel.

For information on manually defining VPN policies, see the GB-OS User’s Guide.

NoteExample configurations contain fictional descriptions, IP addresses and subnet masks. Internal or private network IP addresses that will be connected to the VPN are listed as the protected network, with IP addresses of �9�.�68.*.* as an example. In your implementation, those settings may contain different IP addresses, or connect to your PSN rather than your protected network.

To use the following examples, replace IP addresses and subnet masks with your own network settings.

NoteBefore manually configuring a VPN, consider running the VPN Setup Wizard, located at Wizards>VPN Setup. The VPN Setup Wizard is designed to help configure a simple VPN quickly and easily.

c l i e n t t o G a t e w a y : d y n a m i c / S t a t i c I P A d d r e s s e s &I K EThe identifying characteristics of this type of VPN include:

• Static external IP address on the firewall, as set in Configuration>Network>Settings, but dynamic external IP address on the VPN client

• Firewall-compatible settings in the VPN client, and mobile VPN objects selected in Configuration>Accounts>Users and Configuration>Accounts>Accounts for the statically-addressed firewall

49GTA VPN Option Guide Reference C: Example VPN Configurations

Table C.1: Client to Gateway: Dynamic/Static IP Addresses & IKE

Field Name Responder: GTA firewall with static IP address

External IP Address �00.�00.�00.�00

In Configuration>System>Object Editor>Address Objects:

Disable Unchecked

Name Protected Networks

Description Protected networks

Type All

Object <USER DEFINED>

Address �9�.�68.�.0/�4 (local hosts that should be attached to your VPN)

In Configuration>System>Object Editor>VPN Objects:

Disable Unchecked

Name MOBILE

Description Mobile VPNs

Phase I

Exchange Mode <aggressive>

Encryption Object AES-192, sha1, grp2 (default object)

Advanced

Force Mobile Protocol Unchecked

Force NAT-T Unchecked

Lifetime 90 minutes

DPD Interval 30

Phase II


Advanced

Lifetime 60 minutes

In Configuration>Accounts>Groups:

Disable Unchecked

Name Mobile Users

Description GTA Mobile VPN Client users

Mobile VPN

Disable Unchecked

Authentication Required Unchecked

VPN Object MOBILE (VPN object, as defined above)

Local Network Protected Networks (address object, as defined above)




In Configuration>Accounts>Users:

Disable Unchecked

Name Example User

Description Database administrator

Remote Identity [email protected]

Group Mobile Users (configured user group, as defined above)

Authentication

Method n/a

Password n/a

Mobile VPN

Disable Unchecked

Remote Network <USER DEFINED> �9�.�68. �.� (the IP address the attached GTA Mobile VPN Client should use)

Pre-shared Secret $%�3Aty! (a long, randomized series of characters that must be identical to the preShared key in the GTA Mobile VPN Client)

In Configuration>VPN>IPSec Tunnels

Dynamic Incoming Connections Standard Dynamic (default object)

Advanced

Automatic Policies Checked

Identity <IP Address>

5�GTA VPN Option Guide Reference C: Example VPN Configurations


Field Name Initiator: GTA Mobile VPN Client with dynamic IP address

External IP Address dynamically assigned (DHCP, PPPoE, etc.)

In Parameters:

Authentication (IKE) [Default Lifetime]

�800 (seconds)

Authentication (IKE) [Minimal Lifetime]

��0 (seconds)

Authentication (IKE) [Maximal Lifetime]

�8800 (seconds; must be less than lifetime in the GTA firewall’s VPN Object’s phaSe i)

Encryption (IPSec) [Default Lifetime]

��00 (seconds)

Encryption (IPSec) [Minimal Lifetime]

��0 (seconds)

Encryption (IPSec) [Maximal Lifetime]

�8800 (seconds; must be less than lifetime in the GTA firewall’s VPN Object’s phaSe ii)

Check Interval [DPD] 30 (dead peer detection in seconds)

In Configuration>Phase I (Authentication):

Name OfficePhaseI (a descriptor for your VPN; may not contain spaces or non-alpha-numeric characters; changing this value will change its name in the Configuration menu tree)

Interface * (network cards or modems that the VPN will use)

Remote Gateway �00.�00.�00.�00 (the external IP address of the VPN gateway in Configuration>Network>Settings)

Preshared Key $%�3Aty! (a long, randomized series of characters that must be identical to the pre-Shared SeCret in the GTA firewall’s Users; this password value will be obscured, and only character length will be visible)

Confirm $%�3Aty! (re-enter the preShared key to confirm correct entry; this password value will be obscured, and only character length will be visible)

Encryption 3DES (equivalent to the IKE encryption in the GTA firewall’s VPN Object’s phaSe i)

Authentication SHA (equivalent to the IKE HMAC-SHA� hash in the GTA firewall’s VPN Object’s phaSe i)

Key Group DH�0�4 (equivalent to the IKE group � Diffie-Hellman key in the GTA firewall’s VPN Object’s phaSe i)

Aggressive Mode [Advanced] checked (equivelent to exChanGe mode in the GTA firewall’s VPN Object’s phaSe i)

5� GTA VPN Option Guide Reference C: Example VPN Configurations



Value [Advanced Local ID] [email protected] (equivalent to the Identity in the GTA firewall’s Users)

Type [Advanced Local ID] Email

Value [Advanced Remote ID] �00.�00.�00.�00 (the external IP address of the VPN gateway in Configuration>Network>Settings)

Type [Advanced Remote ID] IP Address

IKE Port [Advanced] 500

In Configuration>Phase II (IPSec Configuration):

Name OfficePhaseII (a descriptor for your VPN; may not contain spaces or non-alpha-numeric characters; changing this value will change its name in the Configuration menu tree)

VPN Client Address �9�.�68. �.� (the IP address the attached GTA Mobile VPN Client should use, listed in the GTA firewall’s Users remote network)

Address Type Subnet Address (only use the Single Address option if the GTA firewall’s attached network will consist of a single host)

Remote LAN Address �9�.�68.�.0 (the GTA firewall’s attached network, such indicated by the pro-tected networks address object)

Subnet Mask �55.�55.�55.0 (the GTA firewall’s subnetwork mask, such indicated by the pro-tected networks address object)

Encryption 3DES (equivalent to the IPSec encryption in the GTA firewall’s Encryption Object)

Authentication SHA (equivalent to the IPSec HMAC-SHA� hash in the GTA firewall’s Encryption Object)

Mode Tunnel

PFS checked (perfect forward secrecy is automatically used on GTA firewalls)

Group DH�0�4 (equivalent to the IPSec group � Diffie-Hellman key in the GTA firewall’s Encryption Object)

c l i e n t t o G a t e w a y : D y n a m i c I P A d d r e s s e s & I K EThe identifying characteristics of this type of VPN include:

• Dynamic external IP addresses on both the GTA firewall, as set in Configuration>Network>Settings , and the GTA Mobile VPN Client

• Default or edited Mobile VPN Objects selected in Users

• Dynamic DNS service on the GTA firewall must be configured; this enables the GTA Mobile VPN Client to connect through a domain name, without knowing the current IP address of the GTA firewall

• Firewall-compatible settings in the VPN client, and mobile VPN objects selected in Users for the statically-addressed firewall


Table C.3: Client to Gateway: Dynamic IP Addresses & IKE


External IP Address Dynamically assigned

In Configuration>System>Object Editor>Address Objects:

Disable Unchecked

Name Protected Networks

Description Protected networks

Type All

Object <USER DEFINED>

Address �9�.�68.�.0/�4 (hosts that should be attached to your VPN)

In Configuration>Services>Dynamic DNS:

Disable Unchecked

Description Dynamic DNS Service

Host Name examplefirewall.dyndns.org (the domain name your GTA Mobile VPN Client will use)

Interface <EXTERNAL> (the interface that will have the dynamic DNS service applied to it and that the GTA Mobile VPN Client will use.

Service <DynDNS> or <ChangeIP>

(the dynamic DNS service provider you use)

Login User Name dyndnsuser (the account’s user name for your dynamic DNS service provider)

Login Password m453G34HY�� (the account’s password for your dynamic DNS service provider)

In Configuration>System>Object Editor>VPN Objects:

Disable Unchecked

Name MOBILE

Description Mobile VPNs

Phase I

Exchange Mode aggressive


Advanced

Force Mobile Protocol Unchecked

Force NAT-T Unchecked

Lifetime 90 minutes

DPD Interval 30

Phase II


Advanced

Lifetime 60 minutes




In Configuration>Accounts>Groups:

Disable Unchecked

Name Mobile Users

Description GTA Mobile VPN Client users

Mobile VPN

Disable Unchecked

Authentication Required Unchecked

VPN Object MOBILE (VPN object, as defined above)

Local Network Protected Networks (address object, as defined above)

In Configuration>Accounts>Users:

Disable Unchecked

Name Example User

Description Database administrator


Method <Password>

Authentication

Method n/a

Password n/a

Mobile VPN

Disable Unchecked

Remote Network <USER DEFINED> �9�.�68. �.� (the IP address the attached GTA Mobile VPN Client should use)

Pre-shared Secret <ASCII> $%�3Aty! (a long, randomized series of characters that must be identical to the preShared key in the GTA Mobile VPN Client)

In Configuration>VPN>IPSec Tunnels


Advanced

Automatic Policies Checked

Identity <Domain Name> / examplefirewall.dyndns.org (The hoSt name entered in Configuration>Services>Dynamic DNS)




External IP Address dynamically assigned (DHCP, PPPoE, etc.)

In Parameters:

Authentication (IKE) [Default Lifetime]

�800 (seconds)

Authentication (IKE) [Minimal Lifetime]

��0 (seconds)

Authentication (IKE) [Maximal Lifetime]

�8800 (seconds; must be less than lifetime in the GTA firewall’s VPN Objects phaSe i)

Encryption (IPSec) [Default Lifetime]

��00 (seconds)

Encryption (IPSec) [Minimal Lifetime]

��0 (seconds)

Encryption (IPSec) [Maximal Lifetime]

�8800 (seconds; must be less than lifetime in the GTA firewall’s VPN Objects phaSe ii)

Check Interval [DPD] 30 (dead peer detection in seconds)

In Configuration>Phase I (Authentication):

Name OfficePhaseI (a descriptor for your VPN; may not contain spaces or non-alpha-numeric characters; changing this value will change its name in the Configuration menu tree)

Interface * (network cards or modems that the VPN will use)

Remote Gateway examplefirewall.dyndns.org (the domain name of the VPN gateway in Network Information)

Preshared Key $%�3Aty! (a long, randomized series of characters that must be identical to the pre-Shared SeCret in the GTA firewall’s Users; this password value will be obscured, and only character length will be visible)

Confirm $%�3Aty! (re-enter the preShared key to confirm correct entry; this password value will be obscured, and only character length will be visible)

Encryption 3DES (equivalent to the IKE encryption in the GTA firewall’s VPN Objects phaSe i)

Authentication SHA (equivalent to the IKE HMAC-SHA� hash in the GTA firewall’s VPN Objects phaSe i)




Key Group DH�0�4 (equivalent to the IKE group � Diffie-Hellman key in the GTA firewall’s VPN Objects phaSe i)

Aggressive Mode [Advanced] checked (equivelent to exChanGe mode in the GTA firewall’s VPN Objects phaSe i)

Value [Advanced Local ID] [email protected] (equivalent to the Identity in the GTA firewall’s Users)

Type [Advanced Local ID] Email

Value [Advanced Remote ID] examplefirewall.dyndns.org (the domain name of the VPN gateway in Configuration>Network>Settings)

Type [Advanced Remote ID] DNS

IKE Port [Advanced] 500

In Configuration>Phase II (IPSec Configuration):

Name OfficePhaseII (a descriptor for your VPN; may not contain spaces or non-alpha-numeric characters; changing this value will change its name in the Configuration menu tree)

VPN Client Address �9�.�68. �.� (the IP address the attached GTA Mobile VPN Client should use, listed in the GTA firewall’s Users remote network)

Address Type Subnet Address (only use the Single Address option if the GTA firewall’s attached network will consist of a single host)

Remote LAN Address �9�.�68.�.0 (the GTA firewall’s attached network, such indicated by the pro-tected networks address object)

Subnet Mask �55.�55.�55.0 (the GTA firewall’s subnetwork mask, such indicated by the pro-tected networks address object)

Encryption 3DES (equivalent to the IPSec encryption in the GTA firewall’s VPN Objects phaSe ii)

Authentication SHA (equivalent to the IPSec HMAC-SHA� hash in the GTA firewall’s VPN Objects phaSe ii)

Mode Tunnel

PFS checked (perfect forward secrecy is automatically used on GTA firewalls)

Group DH�0�4 (equivalent to the IPSec group � Diffie-Hellman key in the GTA firewall’s VPN Objects phaSe ii)


G a t e w a y t o G a t e w a y : d y n a m i c / S t a t i c I P A d d r e s s e s &I K EThe identifying characteristics of this type of VPN include:

• Static external IP address on one firewall, but dynamic external IP address on the second firewall, as set in Configuration>Network>Settings

• Default or edited objects selected in IPSec Tunnels for the dynamically-addressed firewall, but mo-bile VPN objects selected in Configuration>Accounts>Groups for the statically-addressed firewall


Table C.5: Gateway to Gateway: Dynamic/Static IP Addresses & IKE

Field Name Initiator: GTA firewall with dynamic IP

address

Responder: GTA firewall with static IP address

External IP Address Dynamically assigned �00.�00.�00.�00

In System>Object Editor>Address Objects

Disable Unchecked Unchecked

Name Protected Networks Protected Networks

Description DEFAULT: Protected networks DEFAULT: Protected networks

Type All All

Object <USER DEFINED> <USER DEFINED>

Address �9�.�68. �.0/�4 (hosts that should be attached to your VPN)

�9�.�68.�.0/�4 (hosts that should be attached to your VPN)

In Configuration>VPN>IPSec Tunnels:


Standard Dynamic (default object)

Advanced

Automatic Policies Checked Checked

Identity <IP Address> <IP Address>

In Configuration>VPN>IPSec Tunnels>Edit IPSec Tunnel:

Disable Unchecked No Entry in IPSec Tunnels. Equivalent infomation is entered in Configuration>Accounts>Users.

Description Dynamic firewall

IPSec Key Mode IKE

VPN Object Standard Dynamic (default object)

Pre-shared Secret $%�3Aty! (a long, randomized series of characters that must be identical on both VPN gateways)

Local

Gateway <EXTERNAL>

Network Protected Networks (or the address object as defined above)

Advanced

Identity <EMAIL ADDRESS>, [email protected]


Table C.5: Gateway to Gateway: Dynamic/Static IP Addresses & IKE

Field Name Initiator: GTA firewall with dynamic IP

address


Remote

Gateway �00.�00.�00.�00

Network <USER DEFINED> �9�.�68.�.0/�4 (the attached hosts on the other VPN gateway)

Advanced

Identity <IP ADDRESS>

In Authorization>Users:

Disable (no entry in Authorization>Users; equivalent information is entered in Authorization>VPNs)

Unchecked

Name Home Firewall �

Description Home-to-office VPN


Group Firewalls (default object)

Authentication

Method n/a

Password n/a

Mobile VPN

Disable Unchecked

Remote Network <USER DEFINED> �9�.�68. �.0/�4 (the attached hosts on the other VPN gateway)


G a t e w a y t o G a t e w a y : S t a t i c / S t a t i c I P A d d r e s s e s &I K EThe identifying characteristics of this type of VPN include:

• Static external IP addresses on both firewalls, as set in Configuration>Network>Settings

• Default or edited IKE VPN Objects selected in VPNs

• loCal identity is not necessary, since static IP addresses serve as a constant element for identity


Table C.6: Gateway to Gateway: Static/Static IP Addresses & IKE

Field Name Initiator: GTA firewall with static IP address


External IP Address �00.�00.�00.�00 �00.�00.�00.�00

In System>Object Editor>Address Objects:




Type All All




In VPN>IPSec Tunnels:


Description IKE VPN IKE VPN

IPSec Key Mode IKE IKE

VPN Object Standard Static (default object)

Standard Static (default object)


$%�3Aty! (a long, randomized series of characters that must be identical on both VPN gateways)

Local


Gateway <EXTERNAL> <EXTERNAL>


Protected Networks (or the address object as defined above)

Advanced


Remote

Gateway �00.�00.�00.�00 (the external IP address of the other VPN gateway)

�00.�00.�00.�00 (the external IP address of the other VPN gateway)


<USER DEFINED> �9�.�68.�.0/�4 (the attached hosts on the other VPN gateway)

Advanced



G a t e w a y t o G a t e w a y : S t a t i c / S t a t i c I P A d d r e s s e s a n dM a n u a l K e y E x c h a n g eThe identifying characteristics of this type of VPN include:

• Static external IP addresses on both firewalls, as set in Network Information

• Default or edited manual VPN Objects selected in VPNs

• Only Phase II settings of the manual VPN object are used (Phase I may be entered, but it is not used; instead, Phase I from the dynamic VPN object is used)

• loCal identity is not necessary, since static IP addresses serve as a constant element for identity

6� GTA VPN Option Guide Reference C: Example VPN Configurations

Table C.7: Gateway to Gateway: Static/Static IP Addresses & Manual Key Exchange



External IP Address �00.�00.�00.�00 �00.�00.�00.�00

In System>Object Editor>Address Objects:




Type All All




In System>Object Editor>VPN Objects:


Name Manual Manual

Description IKE VPN object IKE VPN object

Phase I

Exchange Mode n/a n/a

Encryption Object n/a n/a

Advanced

Force Mobile Protocol n/a n/a

Force NAT-T n/a n/a

Lifetime n/a n/a

DPD Interval n/a n/a

Phase II

Encryption Object <AES-�9�, sha�, grp�> (default) <AES-�9�, sha�, grp�> (default)

Advanced

Lifetime n/a n/a

In VPN>IPSec Tunnels:


Description Office-to-office VPN Office-to-office VPN

IPSec Mode Manual Manual

VPN Object Manual (or the VPN configuration object, as defined above)

Manual (or the VPN configuration object, as defined above)

Local

Gateway <EXTERNAL> <EXTERNAL>


Protected Networks (or the address object as defined above)

Remote


Table C.7: Gateway to Gateway: Static/Static IP Addresses & Manual Key Exchange



Gateway �00.�00.�00.�00 (the external IP address of the other VPN gateway)

�00.�00.�00.�00 (the external IP address of the other VPN gateway)


<USER DEFINED> �9�.�68.�.0/�4 (the attached hosts on the other VPN gateway)

Manual

Encryption Key <ASCII> $%�3Aty! (a long, randomized series of characters that must be identical on both VPN gateways)

<ASCII> $%�3Aty! (a long, randomized series of characters that must be identical on both VPN gateways)

Hash Key <ASCII> GHij43#e@t! (a long, randomized series of characters that must be identical on both VPN gateways)

<ASCII> GHij43#e@t (a long, randomized series of characters that must be identical on both VPN gateways)

Security Parameter Index (SPI)

Inbound SPI �56 (an integer, �56 or greater, that must be identical on both VPN gateways)

�56 (an integer, �56 or greater, that must be identical on both VPN gateways)

Outbound SPI �56 (an integer, �56 or greater, that must be identical on both VPN gateways)

�56 (an integer, �56 or greater, that must be identical on both VPN gateways)

64 GTA VPN Option Guide Reference D: Troubleshooting

R e f e r e n c e D : Tr o u b l e s h o o t i n g

o n t h e G tA F i r e w a l l

FA Q

MobileVPnclientscannotconnecttothef irewall . Why?

First use ping and/or traceroute to verify that VPN client connections can reach the firewall without use of the VPN. Then check that you have correctly configured the required remote access and pass through filters. Finally, check that all mobile VPN clients have accounts with VPN configura-tion set up in Users, referencing a valid VPN configuration object in VPN Objects.

L o g M e s s a g e sGTA firewalls log common problems such as denied VPN connections.

VPN connections tunnel network traffic over untrusted networks using authentication and encryp-tion for security. If an IKE type of VPN is used, IKE messages may appear in the log (“IKE server”); another key identifier is “type=mgmt, vpn”.

When the IKE service starts up due to firewall reboot or saving a VPN configuration section, the startup is logged, along with the number of allowed concurrent mobile users.

Mar 4 21:06:44 firewall.example.com id=firewall time=”2005-03-04 21:06:44” fw=”firewall” pri=5 msg=”WWWadmin: Starting IKE server.” type=mgmt src=192.168.71.2 srcport=2206 dst=192.168.71.254 dstport=80 duration=2

Mar 4 21:06:44 firewall.example.com id=firewall time=”2002-08-30 14:12:18” fw=”ipsec” pri=5 msg=”Licensed for 100 mobile client connections. type=mgmt,vpn

Failed VPN authentications are logged with the account name.

Mar 4 21:06:44 firewall.example.com id=firewall time=”2005-03-04 21:06:44” fw=”firewall” pri=5 msg=”RMCauth: Accepted connection” type=mgmt src=199.120.225.78 srcport=2197 dst=199.120.225.200 dstport=76

Mar 4 21:06:44 firewall.example.com id=firewall time=”2005-03-04 21:06:44” fw=”firewall” pri=4 msg=”RMCauth: Authentication failure for ‘[email protected]’.” type=mgmt src=199.120.225.78 srcport=2197 dst=199.120.225.200 dstport=76 duration=4

65GTA VPN Option Guide Reference D: Troubleshooting

SecurityAssociations

By default, each IPSec security association (SA) creation is logged. Most VPN connections require two SAs.

Mar 4 21:06:44 firewall.example.com id=firewall time=”2005-03-04 21:06:44” fw=”firewall” pri=5 msg=”IPsec-SA established type=mgmt,vpn src=199.120.225.200 dst=24.170.164.183

Mar 4 21:06:44 firewall.example.com id=firewall time=”2005-03-04 21:06:44” fw=”firewall” pri=5 msg=”IPsec-SA established type=mgmt,vpn src=24.170.164.183 dst=199.120.225.200

Security associations may expire. After expiration, they must be renewed or the connection will be closed.

Mar 4 21:06:44 firewall.example.com id=firewall time=”2005-03-04 21:06:44” fw=”ipsec” pri=5 msg=”IPsec-SA established type=mgmt,vpn src=199.120.225.200 dst=24.170.164.183

Mar 4 21:06:44 firewall.example.com id=firewall time=”2005-03-04 21:06:44” fw=”ipsec” pri=5

msg=”IPsec-SA expired type=mgmt,vpn src=199.120.225.200 dst=24.170.164.183

MobileclientVPnAuthenticationandconnection

Mobile clients must authenticate first before establishing a connection.

Mar 4 21:06:44 firewall.example.com id=firewall time=”2005-03-04 21:06:44” fw=”firewall” pri=5 msg=”RMCauth: Accepted connection” type=mgmt src=199.120.225.78 srcport=2170 dst=199.120.225.200 dstport=76

Mar 4 21:06:44 firewall.example.com id=firewall time=”2005-03-04 21:06:44” fw=”firewall” pri=6 msg=”RMCauth: Authentication successful for ‘[email protected]’.” type=mgmt src=199.120.225.78 srcport=2170 dst=199.120.225.200 dstport=76 duration=4

Attempts to connect without authentication will be denied.

Mar 4 21:06:44 pri=4 msg=”Authentication needed, access for ‘[email protected]’ denied.” type=mgmt,vpn src=65.33.234.134 dst=199.120.225.78

If the user is already authenticated from one IP address and they attempt to authenticate from a second IP address, the connection will be denied. The user’s VPN lease must expire before login will be permitted.

Mar 4 21:06:44 pri=4 msg=”Unable to aquire license, access for ‘[email protected]’ denied.” type=mgmt,vpn src=200.200.200.200 dst=100.100.100.100


o n t h e G tA M o b i l e V P n c l i e n t

FA Q

MyGtAMobileVPnclientsaysit is ina30-day evaluation mode.

If the GTA Mobile VPN Client license number was not correctly entered during installation, or if you clicked trIAl during installation instead of entering a license number, the VPN client software will function for 30 days in an evaluation mode.

Enter the VPN client license number you received with your mobile VPN option purchase for the VPN client software to exit evaluation mode.

I receive an error when trying to activate the GTA Mobile VPN client. Why?

In case an error is returned by the online activation server, as shown below, click on the Help icon for more information on how to resolve the issue.

If you are unable to resolve any of the error messages on your own, please contact GTA Technical Support by emailing [email protected]. Please include your license number and firewall serial number in the body of the email. Failure to send this information may result in a delay in assis-tance.

Figure D.1: Receiving an Activation Error


6�GTA VPN Option Guide Reference D: Troubleshooting

Table D.1: Activation Errors

Code Message Description

031 License not found The license number does not exist in the activation server data-base. Recheck your license number. The GTA Mobile VPN client only accepts license numbers specific for GTA Mobile VPN Clients. Other TheGreenBow license numbers will not work.

032 Reserved Reserved.

033 Activation quota exceeded Too many installations and activations have been processed for this specific license number. License numbers can not be used more than allowed by your IT department.

034, 035

Wrong product code The license number entered is not allowed. GTA Mobile VPN Client requires a specific license number that is provided by GTA.

036 Not allowed to activate this device

Maintenance period is expired. In this case, you are not allowed to process any software upgrade. However, you are still allowed to continue using the previous version installed and activated on your computer.

050, 051, 052

Impossible to complete acti-vation process

Activation server can not generate activation code for this license number at the moment of generation.

053, 054

Cannot connect activation server

The activation server cannot be reached. Reasons for this can be a broken Internet connection, the activation server being down or firewall policies. The host PC must be able to resolve tgbosa.com and be able to connect to TCP ports 80 and 443. Failure to resolve tgbosa.com may result in this error.

055 Activation code error The activation code may have been modified after activation.

HowcanI activatetheGtAMobileVPnclientwhenI needtoconnect to the Internet using a proxy server?

To activate the GTA Mobile VPN Client when a proxy server is used to connect to the Internet, run the Activation Wizard and click the IF You Are uSINg A ProxY, clIck here link to open the Proxy Configuration screen.

Figure D.2: The “If You Are Using a Proxy, Click Here” Link

Enter the proxy server’s IP address or fully qualified domain name in the proxy addreSS field and the port number in the port nUmber field. Once complete, click the uSe ProxY button.


Figure D.3: Entering Proxy Settings

Once the proxy server’s information has been configured, enter the GTA Mobile VPN Client’s acti-vation code.

I cannotactivatetheGtAMobileVPnclientonline. HowdoIactivatethecl ientmanually?

If it is not possible to activate the GTA Mobile VPN Client online or if the online activation fails, the client can be activated manually.

To manually activate the GTA Mobile VPN Client:

If an error is displayed during activation, this error is logged in the prodaCt.dat file, which is located in the user’s My Documents folder. The prodaCt.dat file contains information such as the license number, email address and the computer’s hardware information. Email this file to GTA Technical Support ([email protected]) with your firewall’s serial number in the body of the email.

You will receive an email from GTA Technical Support with an attached file. The file, named tGbCod_xxxxx.dat, contains the activation code for the GTA Mobile VPN Client. Save this file in the user’s My Documents folder.

Restart the GTA Mobile VPN Client. The software activation is now complete.

MyInternetconnectiondoesnotworkwhenI returntotheoff ice.

Your VPN connection may still be active, even though it is not necessary while inside your office LAN. Stop the VPN connection. You might also need to restart your browser or other network application before you can use the non-VPN connection on your office LAN.

Whywon’t theGtAMobileVPnclientstart aVPnonWindowsxP?

Windows XP has a feature called fast user switching. This means that multiple users may be logged in and running programs at the same time (including VPN software), even when only one user is actively using the mouse and keyboard.

If another user is logged in to Windows XP and has started a VPN connection, you will not be able to start a VPN; the other user is already using those VPN resources.

To start your VPN, first ask the other user to log in and stop their VPN connection. Then you may log in to your own account and start your own VPN.

�.

�.

3.


69GTA VPN Option Guide Reference D: Troubleshooting

Can I use an address range for my Address Type when configuring Phase 1 sett ings?

Address ranges are not supported by GTA firewalls.

When should I set NAT-T to Forced when configuring advanced Phase 1 sett ings?

When configuring advanced Phase 1 settings for the the VPN connection, you may wish to set NAT-T to forced if you have been given a public IP address that has the ESP protocol blocked. By forcing NAT-T, the client will use the protocol even when it has a non-NAT’ed IP address.

Why would I disable NAT-T when configuring advanced Phase 1 sett ings?

In most cases you would not disable NAT-T. It should be set to <Automatic>.

L o g M e s s a g e s

IncorrectremoteGateway

An incorrect value was used for the external IP address of the GTA firewall (VPN gateway). This should match the remote gateway in the GTA firewall’s mobile VPN Objects.103901 Default (SA VPN-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY _ EXCH] [NONCE] [ID] [NAT _ D] [NAT _ D] [VID] [VID]

103906 Default ipsec _ get _ keystate: no keystate in ISAKMP SA 00D9CBC8

IncorrectPre-shared Key

An incorrect value was used for the pre-shared secret (key). This value must match the pre-shared secret specified for the account in the GTA firewall’s Users.101901 Default message _ recv: invalid cookie(s) 303a3fce1772c7b7 8505c95b1034c3c6

101901 Default dropped message from 199.120.225.117 due to notification type INVALID _ COOKIE

101901 Default SEND Informational [NOTIFY] with INVALID _ COOKIE error

` Incorrectlocal IdValue

An incorrect value for the local identity of the VPN client was used. In most cases, this should be the email address specified for the account in the GTA firewall’s Users.101202 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY _ EXCH] [NONCE] [ID] [VID]

[VID] [VID] [VID]

�0 GTA VPN Option Guide Reference D: Troubleshooting

Incorrectlocal Idtype

An incorrect type for the local identity of the VPN client was used. In most cases, the type should be Email.100731 Default ike _ phase _ 1 _ send _ ID: invalid ip address: Bad file descriptor WSA(11001)

100731 Default exchange _ run: doi->initiator (00D95C58) failed

IncorrectremoteIdValue

An incorrect value for the remote identity of the GTA firewall was used. In most cases, this should be the IP address specified in the GTA firewall’s mobile VPN Objects.101325 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY _ EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]

101325 Default (SA VPN-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY _ EXCH] [NONCE] [ID] [NAT _ D] [NAT _ D] [VID] [VID]

101325 Default ike _ phase _ 1 _ recv _ ID: received remote ID other than expected 200.200.200.200

IncorrectremoteIdtype

An incorrect type for the remote identity of the GTA firewall was used. In most cases, the type should be IP Address.101447 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY _ EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]


101448 Default ike _ phase _ 1 _ recv _ ID: received remote ID other than expected 199.120.225.117

101455 Default ipsec _ get _ keystate: no keystate in ISAKMP SA 00F7BD40

Incorrect Phase I Sett ings

An incorrect Phase I (IKE) setting was used. These settings should match the GTA firewall’s dynamic VPN Objects phaSe i settings.104041 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY _ EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]

104041 Default transport _ send _ messages: giving up on message 00DAF350

104041 Default recvfrom (164, 0011FD70, 65536, 0, 0011FCEC, 0011FCE8): WSA(10054)

Incorrect Phase I I Sett ings

An incorrect encryption, authentication or key group was used in Phase II settings. These settings should match the GTA firewall’s mobile VPN Objects phaSe ii settings.104401 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY _ EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]


104402 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [HASH] [NAT _ D] [NAT _ D]

104402 Default phase 1 done: initiator id [email protected], responder id 200.200.200.200

104402 Default (SA VPN-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [KEY _ EXCH] [NONCE] [ID] [ID] [NAT _ OA]

104402 Default RECV Informational [HASH] [NOTIFY]

104402 Default RECV Informational [HASH] [NOTIFY] with NO _ PROPOSAL _ CHOSEN error

��GTA VPN Option Guide Reference D: Troubleshooting

Incorrect Phase I I Authentication Sett ings

An incorrect value was used for Phase II authentication (hash) settings. This value should match the GTA firewall’s mobile VPN Objects phaSe ii settings.

105935 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY _ EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]






Incorrect Phase I I Key Group Sett ings

An incorrect value was used for Phase II key group (Diffie-Hellman) settings. This value should match the GTA firewall’s mobile VPN Objects phaSe ii settings.

110213 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY _ EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]






Incorrect Fi l ter Configuration

A misconfigured or missing filter for UDP port 4500 on the GTA firewall. Add a remote access filter that accepts UDP port 4500 on the GTA firewall.

Description 130059 Default message _ recv: bad message length

130059 Default dropped message from 216.9.84.83 due to notification type

UNEQUAL _ PAYLOAD _ LENGTHS

130059 Default SEND Informational [NOTIFY] with UNEQUAL _ PAYLOAD _ LENGTHS

error

130059 Default (SA GBPhase1-GBPhase2-P2) SEND phase 2 Quick Mode [HASH]

�� GTA VPN Option Guide

Copyright

© 1996-2006, Global Technology Associates, Incorporated (GTA). All rights reserved.

Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any means without the prior permission of Global Technology Associates, Incorporated.

Technical Support

GTA includes 30 days “up and running” installation support from the date of purchase. See GTA’s web site for more information. GTA’s direct customers in the USA should call or email GTA using the telephone and email address below. International customers should contact a local GTA authorized channel partner.

Tel: +1.407.380.0220 Email: [email protected]

Disclaimer

Neither GTA, nor its distributors and dealers, make any warranties or representations, either expressed or implied, as to the software and docu-mentation, including without limitation, the condition of software and implied warranties of its merchantability or fitness for a particular purpose. GTA shall not be liable for any lost profits or for any direct, indirect, incidental, consequential or other damages suffered by licensee or others resulting from the use of the program or arising out of any breach of warranty. GTA further reserves the right to make changes to the specifica-tions of the program and contents of the manual without obligation to notify any person or organization of such changes.

Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation for their use. GTA assumes no responsibility with regard to the performance or use of these products.

Every effort has been made to ensure that the information in this manual is accurate. GTA is not responsible for printing or clerical errors.

Trademarks & Copyrights

GB-OS, Surf Sentinel, Mail Sentinel and GB-Ware are registered trademarks of Global Technology Associates, Incorporated. GB Commander is a trademark of Global Technology Associates, Incorporated. Global Technology Associates and GTA are service marks of Global Technology Associates, Incorporated.

The GTA Mobile VPN Client is licensed from TheGreenBow.

Microsoft, Internet Explorer, Microsoft SQL and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.

Adobe and Adobe Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.

UNIX is a registered trademark of The Open Group.

Linux is a registered trademark of Linus Torvalds.

BIND is a trademark of the Internet Systems Consortium, Incorporated and University of California, Berkeley.

WELF and WebTrends are trademarks of NetIQ.

Sun, Sun Microsystems, Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

Java software may include software licensed from RSA Security, Inc.

Some products contain software licensed from IBM are available at http://oss.software.ibm.com/icu4j/.

SurfControl is a registered trademark of SurfControl plc. Some products contain technology licensed from SurfControl plc.

Some products include software developed by the OpenSSL Project (http://www.openssl.org/).

Kaspersky Lab and Kaspersky Anti-Virus is licensed from Kaspersky Lab Int. Some products contain technology licensed from Kaspersky Lab Int.

Mailshell and Mailshell Anti-Spam is a trademark of Mailshell Incorporated. Some products contain technology licensed from Mailshell Incorporated.

All other products are trademarks of their respective companies.

Global Technology Associates, Inc.

3505 Lake Lynda Drive, Suite 109 • Orlando, FL 32817 USA Tel: +1.407.380.0220 • Fax: +1.407.380.6080 • Web: http://www.gta.com • Email: [email protected]