Virtual Private Networking | SnapGear 2.0.1 specs

Note

This option will not be available when the CyberGuard SG appliance has a static IP address and the remote party has a dynamic IP address.

Enter the Required Endpoint ID of the CyberGuard SG appliance. This ID is used to authenticate the CyberGuard SG appliance to the remote party. It is required because the CyberGuard SG appliance in this example has a dynamic IP address. This field will also be required if RSA Digital Signatures are used for authentication.

It becomes optional if the CyberGuard SG appliance has a static IP address and is using Preshared Secrets for authentication. If it is optional and the field is left blank, the Endpoint ID defaults to the static IP address. If the remote party is a CyberGuard SG appliance, the ID must have the form abcd@efgh. If the remote party is not a CyberGuard SG appliance, refer the interoperability documents on the CyberGuard SG knowledge base web site (http://www.cyberguard.com/snapgear/knowledgebase.html) to determine what form it must take. In this example, enter: branch@office

Leave the Enable IP Payload Compression checkbox unchecked. If compression is selected, IPComp compression is applied before encryption.

Check the Enable Dead Peer Detection checkbox. This allows the tunnel to be restarted if the remote party stops responding. This option is only used if the remote party supports Dead Peer Detection. It operates by sending notifications and waiting for acknowledgements.

Enter the Delay and Timeout values for Dead Peer Detection. The default times for the delay and timeout options are 9 and 30 seconds respectively. This means that a Dead Peer Detection notification will be sent every 9 seconds (Delay) and if no response is received in 30 seconds (Timeout) then the CyberGuard SG appliance will attempt to restart the tunnel. In this example, leave the delay and timeout as their default values.

Leave the Enable Phase 1 & 2 rekeying to be initiated from my end checkbox checked. This enables automatic renegotiation of the tunnel when the keys are about to expire.

Click the Continue button to configure the Remote Endpoint Settings.

124

Virtual Private Networking

Image 128

SnapGear 2.0.1 user manual Virtual Private Networking

Contents

Revision June 7 Contents Firewall 104 159 169170 177 Introduction IntroductionCyberGuard SG Gateway Appliances CyberGuard SG PCI Appliances Bridged mode Secure by default Text like this highlights important issues Document Conventions SG300 model includes two blue straight through UTP cables Your CyberGuard SG Gateway ApplianceFront panel LEDs Virtual Private Networking is enabled Rear panel CyberGuard SG Gateway Appliance Features Internet link featuresLAN link features DMZ link features SG570, SG575 only Your CyberGuard SG PCI Appliance LEDs Environmental features CyberGuard SG PCI Appliance FeaturesNetwork link features Getting Started 192.168.0.1 255.255.255.0Page Right click on Local Area Connection and select Properties Set up the Password and LAN Connection Settings 192.168.0.100 Root Getting Started Getting Started Set up Internet Connection Settings Cable modemAnalog modem DSL modem Set up the PCs on your LAN to Access the Internet LAN with a Dhcp server LAN with no Dhcp server To manually set up each Windows PC on your network Select Dhcp Server from the Networking menu Getting Started Install the Network Driver on your PC Set up your PC to Connect to the Web Management Console Select Internet Protocol TCP/IP and click Properties Select Use the following DNS server addresses and enter Set up the Password and Network Connection Settings Network Setup Connections page will display Click Apply and Reboot Ensure Dhcp assigned is unchecked Getting Started Click Apply and Reboot Getting Started Page Network Connections Network ConnectionsConnections LAN Bridging Internet Cable Internet Connection MethodsPhysically connect modem device Direct Internet Bridged Internet Dialout Internet COM/ModemFailover Direct/Cable/ADSL Internet Optional ISP. The Password and Confirm Password fields mustField Description Bridged DMZ Dialin accessDirect DMZ Services on the DMZ Network Direct LANBridged LAN DMZ as a second Internet connection Internet Failover DMZ as a backup/failover Internet connectionLoad Balancing Enable the primary connection for failover Set up a secondary backup Internet connection Network Connections Route management RoutesAdditional routes DNS Proxy AdvancedHostname Network Address Translation NAT/masquerading Dynamic DNS Interface aliases QoS Traffic Shaping Change MAC address Dialin Setup Dialin Setup Dialin Setup Following table describes the fields on the Dial-In Setup Dialin User Accounts Account list Page Remote User Configuration Windows 95/98/Me Dialin Setup Windows 2000/XP Dialin Setup Page Dhcp Server Dhcp Server ConfigurationDhcp Server Dhcp Server Enable/Disable Subnet ListInterface Subnet Dhcp Server Dhcp Proxy Firewall Incoming AccessFirewall Administration services CyberGuard SG Administrative Web Server SSL/HTTPS Secure Http SSL Certificate Setup Add Local and Private Certificates Packet Filtering Incoming InterfaceOutgoing Interface Action Addresses Service groups Rules Descriptive Name EnableDestination NAT/port forwarding Destination Services Source NATSource Address Destination Address To-1 NAT Rules Access Control and Content Filtering User authenticationPage Browser setup Click Advanced IP lists Web lists Content Reports Categories ZoneAlarm Intrusion Detection Intrusion Detection Benefits of using an IDS Basic Intrusion Detection and Blocking Page Advanced Intrusion Detection Advanced Intrusion Detection configuration Intrusion Detection Setting up the analysis server Page Web Cache Web CacheWeb cache is only available on SG575 models Web Cache Setup Cache size 100 Web Cache Network SharesCreate a new user account Create the network share 101 Web Cache Set the CyberGuard SG appliance to use the network share 102 Web Cache 103 Web Cache Set up LAN PCs to Use the Web CachePeers Virtual Private Networking 104 Virtual Private Networking Pptp Client Setup 106 Virtual Private Networking Pptp Server Setup 107 Virtual Private Networking Enable and configure the Pptp VPN server 108 Virtual Private Networking 109 Virtual Private Networking Data private as well as providing secure authenticationEncryption is strongly recommended. This keeps your Configuring user accounts for VPN server 111 Virtual Private Networking Configuring the remote VPN client 112 Virtual Private Networking Windows 95, Windows 98 and Windows Me Windows 114 Virtual Private Networking 115 Virtual Private Networking Windows XP 116 Virtual Private Networking Connecting the remote VPN client 117 Virtual Private Networking IPSec Setup Set up the Branch OfficeCyberGuard SG appliance to CyberGuard SG appliance Enabling IPSec 119 Virtual Private Networking 120 Virtual Private Networking Configure a tunnel to connect to the headquarters officeTunnel settings 121 Virtual Private Networking 122 Virtual Private Networking Local endpoint settings 123 Virtual Private Networking 124 Virtual Private Networking Other options 125 Virtual Private Networking 126 Virtual Private Networking 127 Virtual Private Networking Tcgid 128 Virtual Private Networking 129 Virtual Private Networking Phase 1 settingsKept confidential 130 Virtual Private Networking Phase 2 settings 131 Virtual Private Networking Configuring the Headquarters 132 Virtual Private Networking 133 Virtual Private Networking 134 Virtual Private Networking Remote endpoint settingsLeave the Enable IP Payload Compression checkbox unchecked 135 Virtual Private Networking Tunnel List ConnectionRemote party 136 Virtual Private Networking Status 137 Virtual Private Networking 138 Virtual Private Networking 139 Virtual Private Networking 140 Virtual Private Networking NAT Traversal SupportDynamic DNS Support 141 Virtual Private Networking Certificate ManagementExtracting certificates Creating certificates 142 Virtual Private Networking Create the self-signed root CA certificate 143 Virtual Private Networking Adding certificates 144 Virtual Private Networking Adding a CA or CRL certificate 145 Virtual Private Networking Adding a local certificate 146 Virtual Private Networking Troubleshooting 147 Virtual Private Networking 148 Virtual Private Networking 149 Virtual Private Networking 150 Virtual Private Networking Setting up a GRE tunnel CyberGuard SG appliance in Brisbane Internet addressLAN address CyberGuard SG appliance in Slough Internet address Remote subnet/netmask 10.1.0.0 GRE over IPSec 154 Virtual Private Networking Local Internal Address Place on Ethernet Bridge 155 Virtual Private Networking Troubleshooting 156 Virtual Private Networking L2TP VPN client 157 Virtual Private Networking L2TP server 158 Virtual Private Networking System Date and TimeSet date and time NTP time server Locality 160 System Users 161 System Administration DiagnosticEncrypted save/restore all User settings Diagnostics Internet access via access controlsPassword Diagnostics Network tests 164 System 165 System Configuration filesSystem log Flash upgrade Reboot Reset button Technical Support 169 Appendix a IP Address Ranges Appendix a IP Address RangesB.c.d B.c.d-e B.c.d-e.f.g.h B.c.d/e 170 Appendix B Terminology Appendix B TerminologyTerm Meaning DNS 171 Appendix B Terminology IDB 172 Appendix B Terminology Isakmp 173 Appendix B Terminology NTP 174 Appendix B Terminology SHA 175 Appendix B Terminology 176 Access Logging Appendix C System Log Default Deny Eth0Eth1 Ppp Creating Custom Log Rules 179 Appendix C System Log 180 Appendix C System Log Iptables -I Forward -j LOG -i eth0 -p tcp 181 Appendix C System Log Rate Limiting 182 Appendix C System Log 183 Appendix C System Log Administrative Access LoggingBoot Log Messages Appendix D Firmware Upgrade Practices and Precautions 184 Appendix D Firmware Upgrade Practices and Precaut ions