VPN Configuration, Overview | Barracuda Networks VERSION SP4

Chapter 8

VPN Configuration

8.1Overview

Virtual Private Networks are an efficient and cost-saving way to use the internet as a transport alternative to dedicated lines or dial-up RAS overcoming the security risks of internet communications.

There are two well-established technologies for data encryption: IPSec and SSL (Secure Socket Layer).

Most VPN implementations rely solely on IPSec, which has several disadvantages in modern network topologies. Barracuda NG VPN has incorporated both technology standards and hence improves the VPN connectivity substantially.

Fig. 8–1Structure of a VPN tunnel

NG	NG
VPN client	Firewall	HQ LAN





						Destination
VPN client		Client IP	Server Tunnel			Destination
IP Address		Address	IP Address			IP Address
=		=	=			=
Source		Peer	VPN Server				DST

Barracuda Networks provides two types of VPN client licenses:

•Barracuda NG VPN Client

•Barracuda NG SSL VPN and NAC

For detailed information concerning the different features of the two licenses, have a look at 8.2 Facts and Figures, page 83.

8.2Facts and Figures

•VPN Licensing

The Barracuda NG VPN Client license is included with every appliance. On box appliances, it allows for unlimited users, while on virtual appliances it is limited to the virtual appliance’s capacity.

83 VPN Configuration

Image 85

Barracuda Networks VERSION SP4 manual VPN Configuration, Overview, Facts and Figures

Contents

Page Copyright Notice Barracuda NG Network Access Client Uninstall Update or MigrationVPN Configuration VPN Component Configuration Example Configuration Pre-Connector and Remote VPNWarranty and Software License Agreement 802.1X Technical Guideline Introduction to Barracuda NG Network Access Client Endpoint Security and Network Access ControlIntroduction Barracuda NG Personal Firewall Client software consists of the following subsystems 1Barracuda NG Network Access Client environment What can Barracuda NG Network Access Client be used for? Barracuda NG Network Access Client Administrator’s Guide Policy Matching Procedure What is a Policy Rule Set?Healthy Limited Access VPN Offline Licensing Aspects Barracuda NG Network Access Client Administrator’s Guide Probation actions Healthy Current User context Local Machine contextVPN context Matching Criteria Local Machine Current User Health Matching Health State Probation Health State UntrustedHealth State Healthy Health State Unhealthy Health State Requirements Analyse Enforce Monitor Border Patrol 3Trust Relationships Access Control Service Settings Server Config Access Control ServiceGeneral System Health Validator ParameterDescription Trustzone-Border Remediation Service Log Level AdvancedNumber of used Threads General Access Control Objects Pictures Welcome Messages Personal Firewall Rules 3Access Control Objects Access Control Service Bitmaps Registry Check Objects Click clipboard, import the adequate registry fileImport of a registry file 7Access Control Service Trustzone Configuration tree Access Control Service Trustzone Servername Assigned Services servicename ACS Rules 9Access Control Service Trustzone Rules Deactivate Policy Policy NameClient Connection External Ignore Internal Time Restriction User Login Net BiosPolicy Matching All-of-following One-of-following Group Patterns Microsoft X509 IssuerX509 Subject X509 Required Health State Basic Antispyware Required Scanner On Last AV Scan Action Manual Auto Remediation AS Engine Required Ignore Latest default Previous Last-2Tries to execute a full system scan automatically Last AS Scan Action Manual Auto Remediation AV Engine/Pattern Manual Action Auto Remediation Update automatically Parameter Description Software Yes Update No default Required Yes-Even-Major Personal Ruleset Name Firewall SettingsServer Message 802.1X Use SettingsUse Dhcp renew Healthy Vlan Id Ruleset Name Limited Access Message Limited AccessBitmap Verification Key Health PassportPassport Verification Key 802.1X Support Chart Rule Set Name Tab Server Config Personal Firewall RulesDouble-click the appropriate VPN Firewall Rule Set 1Rules Incoming Rules Incoming / Outgoing Delete New…Copy Paste Item / Parameter Description Select New… from the context menu to create a new ruleComment Inactive Section Description Tester Tester view allows testing rule sets for consistency Test Report Following entities are available for rule testing Options Icmp Parameters Port Protocol Service Name DescriptionConnect to the Internet With Adsl Pptp Adapters PreconfiguredListing is divided into the following columns Following objects assigned with status multi are available Name Specify a name for the adapter object Following further adapter objects are available Status Trust TypeIPs Adapter/Ref 10User Object dialog User Objects 11Network Objects window Net Objects This object includes the Multicast network 239.255.0.0/16 12Net Object dialog Click New… to open the Net Object dialog 13Service Object dialog Service Objects Application Objects Service Name Port Protocol Connection DescriptionKerberos 14Application Object dialog Application Connection Description HKEYLOCALMACHINE\Services registry key Box Monitoring and Real-time Information Operating & Monitoring Barracuda NG NACAvailable Columns Filtering Possible values are Access, Not Restricted, or ProbationName of the matching policy rule Clients MAC address as reported by the NG client Context Menus Visualize this Computer… 3Box Monitoring and Real-time Information Show time in UTC Status Tab Status VPN Tab Access TabQuarantine Tab Double-click setup.exe to start the installation routine Client InstallationInstallation routine offers three basic ways of setup See 5.3 Unattended Setup, Complete InstallationSee 5.4 Customer Setup, Unattended Setup Custom InstallationParameter Default 802.1x Enable Dhcp Renew See description for parameter Windows File Sharing, See description for parameter Trusted Network, This option prevents deactivating the NG Personal Firewall This parameter defines the Access Control Server to be used Proceed as follows to prepare a completely customized setup Customer SetupCustomer.inf See 5.4.1 customer.inf, Directive Comment Optionally, the following file-directives may be detailed 0x00000008 0x000008000x00000010 0x00001000 Subkey Reg-rootValue-entry-name Flags Edit profile name Filename Silent.cmdDiskid Subdir For an overview of specific properties see -1, Refer to the OS help for details System Restore Update or Migration Procedure Uninstall Overview VPN ConfigurationFacts and Figures Function Comment Function Supported Usage Scenario Architecture Barracuda NG Personal Firewall All Programs Barracuda NG Network Access Client NG Firewall 1Windows 7 Windows Firewall and Action Center screens Integration within Windows 2Rule set selection Rule Set Selection 3Graphical Interface of the Barracuda NG Personal Firewall User Interface Firewall Menu General Firewall Settings and Tasks Menu Bar Disable Windows Firewall This tab allows you to configure blocking of Icmp packetsAutomatic Adapter Assignment Block all IP Fragments Connect Close Block View Menu Load Display Security Mode Menu Summary NG Control Center Monitoring Firewall Activities Events 11NG Control Center History window History Resolve Source/Destination IP Show DetailsSend to Rule Tester Add Pass Rule Filters the source IP address of the connection Filters the connection’s Traffic PolicyFilters the application which has attempted to connect Filters incoming or outgoing connections Live Activity view details all currently active connections Live Activity Disconnect Filter Conditions Configuration Current State Setting the Security Mode Show Destination Addresses… Show Source Addresses…Show Adapters Show Users Paste Pastes the selected rules from the clipboard ItemDescription Inactive checkbox Select Action Name CommentSource / Destination Application optional 18Time restriction dialog Monitor Connections Yes 19Adapter objects window Adapters Control Network Connections Network Connection name for example, Local Area Connection Following options are available NetworksUntrusted Secured Routes are assigned to the Net-NGVPNObject 22Net Object dialog Services Example Applications 24Application Object dialog 10Applications required in Microsoft Windows domains 25User Object dialog Users Rule Tester Rule Tester view allows testing rule sets for consistency 27Test Report window Test Reports Following options are available for customisation Administration Firewall Settings Wizard However, it will not pop up if Automatic Adapter Configuration 28Security Alert windows Automatic Rule Configuration Restrictive rule set only 29Security Alert Advanced Policy Create a New Profile Using the Profile Wizard VPN Component Configuration 2VPN Profile Wizard Profile Wizard 4VPN Profile Wizard Enter personal License 6VPN Profile Wizard Modify Existing Profile Using the Wizard Configure a New Profile Manually 8NG VPN client Connect dialog Field where characters need to be inserted 11Editing options of the VPN client dialog Shows the version information 13Close NG VPN Client informational window Barracuda NG VPN Client’s Menu Bar Closes the NG VPN Client window Connection DialogNG VPN Client can be started in the following ways Click Connect to establish a connection to the VPN server Assigned domain Status DialogAssigned DNS IP address for the VPN connection Assigned Wins address Uptime for the current connection Enable or disable compressionVPN server to which the client currently is connected Local time on the VPN server 16Message dialog window Message Dialog Configured VPN server to connect to VPN Profiles Configuration WindowBarracuda Networks Control / Preferences Dialog Name of the profile Store into which the certificate was saved Certification Authorities Configuration WindowModify, copy or delete an existing profile Use this menu item to terminate a connection Opens a window with detailed certificate information Configure specific Barracuda NG VPN adapter settings hereDeletes the selected certificate from the certificate store General VPN Settings section Direct Access 19Connection Entries tab Connection Entries Tab Following parameters are available for X509 authentication Barracuda Authentication DescriptionDescription Advanced Settings TabExternal File Path to the external X.509 certificate Default Direct assignment Virtual Adapter ConfigurationUse Access Control Service Default Yes Enable MS Logon Disconnecting. Recommended value NoFallback Profile Be established IP address of the VPN server User name possibly needed for proxy authenticationURL or IP address of the proxy server Log entry’s time stamp Log Window Module the respective log entry refers to Access Monitor Barracuda NG Access MonitorPort Security Health Agent Monitoring Property Description Advanced Status information State Description 5Connection error using Icmp connectivity checking see Barracuda NG Network Access Client Administrator’s Guide Task Description 11.2.6 802.1X Authentication Port Security Column Description EAP Tracer Access Control Server IPs from Dhcp Access Control Server IPs from RegistryUse Basic Authentication Use Ntml Authentication Item Description Health Agent Connectivity Value Key Health Agent Authentication Ieee 802.1X Authentication 11.3.9 802.1X Settings Capture 802.1X Traffic EAP Log Files Log Settings16 Log Files Description Connect.xml Client.xmlDownload.xml DownloadLocal.xml VPN Connector Pre-Connector and Remote VPNCreate a connector to achieve following Thereafter rename the default profile Creating a Connector Remote Domain Logon Pre-Logon Remote VPN rvpn Same example with 10 retries for connecting -c Connection Procedure Dhcp 1Example configuration environment Example Configuration Personal Firewall Rule Set Introduce Access Control Objects Next create and edit the unrestricted rule set Introduce an Access Control Service TrustzonePage Policy Rule dialog is split up into these views Configure an Access Control Service Trustzone Barracuda NG Network Access Client Administrator’s Guide Parameter Value Page Example Configuration Configure Forwarding Firewall Rule Set Example Configuration Authentication Server Switch802.1X Technical Guideline Client computer Disabled Enabled Access Control ServerStatus Monitoring EAP Packet Tracer Command Description Using the Barracuda NG Access Monitor for AnalysisLog Files on the Client Computer Supplicant console interface These values are described in more details on Switch Web InterfaceKey Logging Path See 14.3.11 Authentication Message Exchange, See 14.3.9 Periodic client re-authentication by the switch, Switch Console Interface AuthenticationExample enabling debug output Ethernet Start up Operational SequenceToken Ring Point-to-Point WZO prior to Windows Vista Service Friendly Name Service NameDot3svc Windows Vista Wpa-supplicant configuration Runtime To resolve this problem proceed following stepsYou will require elevated privileges to perform this step Successful start of the wpa-supplicant can be verified by Return to privileged Exec mode Enter global configuration modeVerify your entries Example Re-authentication started by the switch is illustrated Enter the global configuration mode CommandSee for the Eapol packet frames Condition Description Dhcp Renew Return to the privileged Exec mode Resetting the 802.1X Authentication process 14 phions.log Output Shutdown15 phions.log Output Packets AddendumWPA Supplicant Log File Identifiers Table shows an Eapol packet frame 200 802.1X Technical Guideline Sending / receiving commands over pipe 202 802.1X Technical Guideline Wireshark Known Issues using Cisco Catalyst 3750-E SwitchEngineering Environment Additionally following tools have been used for analysis No aaa accounting dot1x default group radius Appendix Customer Install Files Appendix Barracuda NG Network Access Client Administrator’s Guide Appendix VPN Profile Registry Keys VPN Profile Registry Keys 3DES AES Profile Registry Keys FAQs Appendix Configuration Parameters 214 Reconnect immidiately 10 X509 Altnames 2 X509 Issuer 2 X509 Subject 2 15.6 Parameter Lists Introduction Server Config Access Control Service Barracuda NG Access Monitor Figures 220 802.1X Technical Guideline Barracuda Networks Software License Agreement Barracuda Networks Limited Hardware Warranty Barracuda Networks Warranty and Software License Agreement Page Barracuda Networks Software License Agreement Appendix Page Page No Warranty Terms and Conditions Page Page Page Page Limitation of Liability Page Page Page 238 Page Page Page Page Disclaimer of Warranty Miscellaneous Page Limits Terms and Conditions for USE, REPRODUCTION, and Distribution Page Page Page Page 252 Page Page Barracuda Networks Warranty and Software License Agreement Page Barracuda Networks Warranty and Software License Agreement Page Barracuda Networks Warranty and Software License Agreement Page Page Issue Date Aug 6 262 Page 264