Secure Computing SafeNet manual Configuring ACL & proxies entries for VPN connections

Page 33

Configuring ACL & proxies entries for VPN connections

Configuring ACL & proxies entries for VPN connections

Depending on where you decide to terminate your VPN tunnel, you must ensure that you have the appropriate ACL entries set up to allow ISAKMP traffic and allow/deny the appropriate proxy traffic. At a minimum, you must define and enable an ACL entry that allows ISAKMP traffic from the Internet to the external IP address of Sidewinder.

1.Define (or ensure you have) an ACL entry that allows external-to- external ISAKMP traffic. Select Policy Configuration -> Access Control List. Check for these attributes:

￿Agent = Server

￿Service = ISAKMP

￿Action = Allow

￿Enabled = Enable

￿Source burb = Internet (all source addresses, *)

￿Destination burb = Internet burb (external IP of Sidewinder)

Note 1: Ensure you have defined appropriate network objects/groups. To view the current network object configuration, select Shortcut to Network Objects from the Source/Destination tab.

Note 2: For details about configuring and managing network objects, see Chapter 4 in the Sidewinder Administration Guide.

2.[Configuration dependent] Define (or ensure you have) ACL entries that allow access to and from any virtual burbs you may have. The virtual burb should be specified as either the source or destination burb, depending on the type of ACL entry being defined.

Note: For details about configuring and managing ACL entries, see Chapter 4 in the

Sidewinder Administration Guide.

3.[Configuration dependent] Enable the desired proxies in the appropriate virtual burb(s). Select Services Configuration -> Proxies.

Configuring Sidewinder for Soft-PK Clients

3-3

 

 

Page 32 Page 34
Image 33
Page 32 Page 34
Contents VPN Administration Guide Page Copyright Notice Printing History B L E O F C O N T E N T S Installing and Working with Soft-PK Who should read this guide? About this GuideOrganized How this guide isAbout Sidewinder About Soft-PKAbout digital certificates Viewing and printing this document onlineViii About this chapter Getting StartedAbout Soft-PK & Sidewinder VPNs Sidewinder and other network requirements RequirementsSoft-PK requirements Roadmap to deploying your VPNs 4c1 Define remote identities within Sidewinder Sidewinder systemSatisfy Sidewinder, network, & system requirements Plan your VPN configurationCreate/Request the digital certificates If using pre-shared keys passwordsConfigure the VPN connections on the Sidewinder Troubleshoot any connection problems Planning Your VPN Configuration Identifying basic VPN connection needs Using digital certificate authentication Identifying authentication requirementsPrivate key file Certificate file with public keyNo CA needed Closer look at self-signed certificatesFor a small number of VPN ClientsCloser look at CA-based certificates Understanding pre-shared key authenticationExtended authentication VPN tunnel terminating on trusted burb Determining where you will terminate your VPNsSelect Firewall Administration Burb Configuration More about virtual burbs and VPNsDefining a virtual burb Sidewinder Understanding Sidewinder client address poolsUnderstanding Sidewinder client address pools Configuring Sidewinder for Soft-PK Clients Click Apply Configure the Isakmp server Enable the cmd, egd, and isakmp serversEnable Select VPN Configuration Isakmp ServerConfiguring ACL & proxies entries for VPN connections Creating & exporting a firewall certificate Managing Sidewinder self- signed certsSpecify the following Firewall Certificate settings Click OK when doneMail Address Select Services Configuration Certificate Management Creating & exporting remote certificatesSelect the Remote Certificates tab. Click New Click Add to add the certificate to the Certificates list Specify the following Remote Certificate settingsKey File GeneratedReturn to for each remote client Defining a CA to use and obtaining the CA root cert Managing CA- based certificatesRequesting a certificate for the firewall Specify the firewall certificate information Click Add to send the enrollment requestRetrieve the key, revoke, etc Determining identifying information for client certificates Certificate Identities defined on the firewall Defining remote client identities in SidewinderManaging pre- shared keys passwords Configuring the VPN on the Sidewinder Enabled Select Yes Burb Field Setting Local Network/IPNew button to specify the IP Address / Hostname Example, if you specify 24 with an IP addressCertificate VPN from the list provided Firewall Identity Require Extended Enable this checkbox AuthenticationType Firewall to the remote client Value This field cannot be editedType ClientEdited Save your settings!4. Click Add to save the settings Click CloseRemote Identity Page Installing and Working with Soft-PK Soft-PK installation notes Determining Soft-PK status from icon variations Starting Soft-PKRight-click the Soft-PK tray icon to access menu Activating/Deactivating Soft-PKMeans Soft-PK security policy is currently active Certificate Manager About the Soft-PK program optionsSecurity Policy Editor Log ViewerManaging certificates on Soft-PK Setting up Sidewinder self-signed certificatesSetting up CA-based certificates Click Advanced to select a certificate service provider Get your CA administrator to approve your requestSelect the Generate Exportable Key check box Importing certificate in Soft-PK Verification window Importing a personal certificate into Soft-PK Import Certificate Password WindowCertificate file Select Options Secure Specified Connections Configuring a security policy on the Soft-PKEnable the Connect using Secure Gateway Tunnel box If using digital certificatesSpecify the interface information New connection Named SecureVPNConfiguring a security policy on the Soft-PK Encryption and Data Integrity/Algorithms fields Optional Click Save to save the policy on this system SA Life Select Unspecified to default to Sidewinder settingsPage Deploying Soft-PK to Your End Users Overview WordFormat Soft-PK setup.exe file and supporting files Security policyCannot modify Specifying installation instructions Customizing the user worksheetSpecifying dial-up network instructions Specifying certificate import/request instructions Specifying basic connection information Specifying security policy instructionsAbout this appendix Soft-PK Log ViewerSoft-PK Connection Monitor To view the details More about the Connection MonitorSidewinder troubleshooting commands Page Part Number 86-0935037-A
Top Page Image Contents