Virtual Private Networking | SnapGear 2.0.1 specs

Diffie Hellman Groups Loaded lists the Diffie Hellman groups and Oakley group extensions that can be configured for both Phase 1 and Phase 2 negotiations.

Connection Details lists an overview of the tunnel's configuration. It contains the following information:

∙An outline of the tunnel's network setup. In this example, it is 192.168.2.0/24===209.0.0.2(branch@office)...209.0.0.1===192.168.1.0/24

∙Phase 1 and Phase 2 key lifetimes (ike_life and ipsec_life respectively). In this example, they are both 3600s.

∙Type of automatic (IKE) keying. In this example, the policy line has: AGGRESSIVE. For Main mode, it will read MAIN.

∙Type of authentication used. In this example, the policy line has: PSK (Preshared Key). For RSA Digital Signatures or x.509 certificates, it will read RSA.

∙Whether Perfect Forward Secrecy is used. In this example, the policy line has the PFS keyword. If PFS is disabled, then the keyword will not appear.

∙Whether IP Payload Compression is used. In this example, the policy line does not have the COMPRESS keyword since it has not been enabled.

∙The interface on which the tunnel is going out. In this example, the interface line has eth1, which is the Internet interface.

∙The current Phase 1 key. This is the number that corresponds to the newest ISAKMP SA field. In this example, phase 1 has not be successfully negotiated, so there is no key yet.

∙The current Phase 2 key. This is the number that corresponds to the newest IPSec SA field. In this example, phase 1 has not be successfully negotiated, so there is no key yet.

∙The Phase 1 proposal wanted. The line IKE algorithms wanted reads 5_000-2- 2. The 5_000 refers to cipher 3DES (where 3DES has an id of 5, see Phase 1 Ciphers Loaded), the first 2 refer to hash SHA (where SHA has an id of 2, see Phase 1 Hashes Loaded) and the second 2 refer to the Diffie Hellman Group 2 (where Diffie Hellman Group 2 has an id of 2).

139

Virtual Private Networking

Image 143

SnapGear 2.0.1 user manual Virtual Private Networking

Contents

Revision June 7 Contents 104 Firewall 177 159169 170 Introduction IntroductionCyberGuard SG Gateway Appliances CyberGuard SG PCI Appliances Secure by default Bridged mode Document Conventions Text like this highlights important issues SG300 model includes two blue straight through UTP cables Your CyberGuard SG Gateway ApplianceFront panel LEDs Rear panel Virtual Private Networking is enabled DMZ link features SG570, SG575 only CyberGuard SG Gateway Appliance FeaturesInternet link features LAN link features LEDs Your CyberGuard SG PCI Appliance Environmental features CyberGuard SG PCI Appliance FeaturesNetwork link features Getting Started 255.255.255.0 192.168.0.1Page Right click on Local Area Connection and select Properties 192.168.0.100 Set up the Password and LAN Connection Settings Root Getting Started Getting Started DSL modem Set up Internet Connection SettingsCable modem Analog modem Set up the PCs on your LAN to Access the Internet LAN with no Dhcp server LAN with a Dhcp server To manually set up each Windows PC on your network Select Dhcp Server from the Networking menu Getting Started Set up your PC to Connect to the Web Management Console Install the Network Driver on your PC Select Use the following DNS server addresses and enter Select Internet Protocol TCP/IP and click Properties Set up the Password and Network Connection Settings Network Setup Connections page will display Ensure Dhcp assigned is unchecked Click Apply and Reboot Getting Started Click Apply and Reboot Getting Started Page Network Connections Network ConnectionsConnections Bridging LAN Internet Cable Internet Connection MethodsPhysically connect modem device Direct Internet Bridged Internet Dialout Internet COM/ModemFailover Direct/Cable/ADSL Internet Optional ISP. The Password and Confirm Password fields mustField Description Bridged DMZ Dialin accessDirect DMZ DMZ as a second Internet connection Services on the DMZ NetworkDirect LAN Bridged LAN Internet Failover DMZ as a backup/failover Internet connectionLoad Balancing Set up a secondary backup Internet connection Enable the primary connection for failover Network Connections Route management RoutesAdditional routes DNS Proxy AdvancedHostname Network Address Translation NAT/masquerading Dynamic DNS Interface aliases Change MAC address QoS Traffic Shaping Dialin Setup Dialin Setup Dialin Setup Following table describes the fields on the Dial-In Setup Dialin User Accounts Account list Page Windows 95/98/Me Remote User Configuration Dialin Setup Windows 2000/XP Dialin Setup Page Dhcp Server Dhcp Server ConfigurationDhcp Server Dhcp Server Subnet Enable/DisableSubnet List Interface Dhcp Server Dhcp Proxy Firewall Incoming AccessFirewall Administration services CyberGuard SG Administrative Web Server SSL/HTTPS Secure Http Add Local and Private Certificates SSL Certificate Setup Action Packet FilteringIncoming Interface Outgoing Interface Addresses Service groups Rules Descriptive Name EnableDestination NAT/port forwarding Destination Address Destination ServicesSource NAT Source Address To-1 NAT Rules User authentication Access Control and Content FilteringPage Click Advanced Browser setup IP lists Web lists Content Categories Reports ZoneAlarm Intrusion Detection Intrusion Detection Benefits of using an IDS Basic Intrusion Detection and Blocking Page Advanced Intrusion Detection Advanced Intrusion Detection configuration Intrusion Detection Setting up the analysis server Page Web Cache Web CacheWeb cache is only available on SG575 models Cache size Web Cache Setup 100 Web Cache Network SharesCreate a new user account 101 Web Cache Create the network share 102 Web Cache Set the CyberGuard SG appliance to use the network share 103 Web Cache Set up LAN PCs to Use the Web CachePeers 104 Virtual Private Networking Virtual Private Networking Pptp Client Setup 106 Virtual Private Networking 107 Virtual Private Networking Pptp Server Setup 108 Virtual Private Networking Enable and configure the Pptp VPN server 109 Virtual Private Networking Data private as well as providing secure authenticationEncryption is strongly recommended. This keeps your Configuring user accounts for VPN server 111 Virtual Private Networking 112 Virtual Private Networking Configuring the remote VPN client Windows 95, Windows 98 and Windows Me 114 Virtual Private Networking Windows 115 Virtual Private Networking 116 Virtual Private Networking Windows XP 117 Virtual Private Networking Connecting the remote VPN client Enabling IPSec IPSec SetupSet up the Branch Office CyberGuard SG appliance to CyberGuard SG appliance 119 Virtual Private Networking 120 Virtual Private Networking Configure a tunnel to connect to the headquarters officeTunnel settings 121 Virtual Private Networking 122 Virtual Private Networking 123 Virtual Private Networking Local endpoint settings 124 Virtual Private Networking 125 Virtual Private Networking Other options 126 Virtual Private Networking 127 Virtual Private Networking 128 Virtual Private Networking Tcgid 129 Virtual Private Networking Phase 1 settingsKept confidential 130 Virtual Private Networking 131 Virtual Private Networking Phase 2 settings 132 Virtual Private Networking Configuring the Headquarters 133 Virtual Private Networking 134 Virtual Private Networking Remote endpoint settingsLeave the Enable IP Payload Compression checkbox unchecked 135 Virtual Private Networking 136 Virtual Private Networking Tunnel ListConnection Remote party 137 Virtual Private Networking Status 138 Virtual Private Networking 139 Virtual Private Networking 140 Virtual Private Networking NAT Traversal SupportDynamic DNS Support 141 Virtual Private Networking Certificate ManagementExtracting certificates 142 Virtual Private Networking Creating certificates 143 Virtual Private Networking Create the self-signed root CA certificate 144 Virtual Private Networking Adding certificates 145 Virtual Private Networking Adding a CA or CRL certificate 146 Virtual Private Networking Adding a local certificate 147 Virtual Private Networking Troubleshooting 148 Virtual Private Networking 149 Virtual Private Networking 150 Virtual Private Networking CyberGuard SG appliance in Slough Internet address Setting up a GRE tunnelCyberGuard SG appliance in Brisbane Internet address LAN address Remote subnet/netmask 10.1.0.0 GRE over IPSec 154 Virtual Private Networking 155 Virtual Private Networking Local Internal Address Place on Ethernet Bridge 156 Virtual Private Networking Troubleshooting 157 Virtual Private Networking L2TP VPN client 158 Virtual Private Networking L2TP server NTP time server SystemDate and Time Set date and time 160 System Locality 161 System Users User settings AdministrationDiagnostic Encrypted save/restore all Diagnostics DiagnosticsInternet access via access controls Password 164 System Network tests 165 System Configuration filesSystem log Flash upgrade Reset button Reboot Technical Support 169 Appendix a IP Address Ranges Appendix a IP Address RangesB.c.d B.c.d-e B.c.d-e.f.g.h B.c.d/e 170 Appendix B Terminology Appendix B TerminologyTerm Meaning 171 Appendix B Terminology DNS 172 Appendix B Terminology IDB 173 Appendix B Terminology Isakmp 174 Appendix B Terminology NTP 175 Appendix B Terminology SHA 176 Appendix C System Log Access Logging Ppp Default DenyEth0 Eth1 179 Appendix C System Log Creating Custom Log Rules 180 Appendix C System Log 181 Appendix C System Log Iptables -I Forward -j LOG -i eth0 -p tcp 182 Appendix C System Log Rate Limiting 183 Appendix C System Log Administrative Access LoggingBoot Log Messages 184 Appendix D Firmware Upgrade Practices and Precaut ions Appendix D Firmware Upgrade Practices and Precautions