Secure Computing SafeNet, Sidewinder Version 5.1.0.02 Create/Request the digital certificates

Roadmap to deploying your VPNs

ISAKMP ACL entry: At a minimum, you must define and enable an ACL entry that allows ISAKMP traffic from the Internet to the Internet burb on Sidewinder (external IP address of Sidewinder).

Other ACL entries: Depending on where you terminate your VPN connections on Sidewinder (e.g., in a virtual burb), you may need to create ACL entries to allow traffic between burbs.

Proxies: Depending on where you terminate your VPN connections on Sidewinder (e.g., in a virtual burb), you may need to enable proxies to allow traffic between burbs.

4 — Create/Request the digital certificates

If using Sidewinder self-signed certificates:

Use Cobra to create and export a firewall certificate. See "Creating & exporting a firewall certificate" on page 3-4 for details.

Use Cobra to create and export remote certificates for each end user. See "Creating & exporting remote certificate(s)" on page 3-6 for details.

Use a command-line utility on Sidewinder to convert the key/file certificate pair to pkcs12 format. See "Converting the certificate file/private key file pair to pkcs12 format" on page 3-8 for details.

If using CA-assigned certificates:

Use Cobra to define a CA and obtain the CA root certificate and export it for sending to client(s). See "Defining a CA to use and obtaining the CA root cert" on page 3-9 for details.

Use Cobra to request a certificate for the firewall from the CA. See "Requesting a certificate for the firewall" on page 3-10 for details.

Determine the identifying information (e.g., Distinguished Name settings) your clients will use in their personal certificates. See "Determining identifying information for client certificates" on page 3-12.

Use Cobra to define the client certificate identity information within Sidewinder. See "Defining remote client identities in Sidewinder" on page 3-13 for details.

If using pre-shared keys (passwords):

Use Cobra to define the client identity information and pre-shared keys within Sidewinder. See "Managing pre-shared keys (passwords)" on page 3-14 for details.

More...

1-8

Getting Started
