Virtual Private Networking | SnapGear 2.0.1 guide

Set up LMHOST files on remote hosts to resolve names to IP adresses.

∙Symptom: Tunnel comes up but the application does not work across the tunnel.

Possible cause: There may be a firewall device blocking IPSec packets. The MTU of the IPSec interface may be too large.

The application uses broadcasts packets to work.

Solution: Confirm that the problem is the VPN tunnel and not the application being run. These are the steps you can try to find where the problem is (it is assumed that a network to network VPN is being used):

Ping from your PC to the Internet IP address of the remote party (it assumed that the remote party is configured to accept incoming pings)

Ping from your PC to the LAN IP address of the remote party.

Ping from your PC to a PC on the LAN behind the remote party that the tunnel has been configured to combine.

If you cannot ping the Internet IP address of the remote party, either the remote party is not online or your computer does not have its default gateway as the CyberGuard SG appliance. If you can ping the Internet IP address of the remote party but not the LAN IP address, then the remote party's LAN IP address or its default gateway has not been configured properly. Also check your network configuration for any devices filtering IPSec packets (protocol 50) and whether your Internet Service Provider is filtering IPSec packets. If you can ping the LAN IP address of the remote party but not a host on the remote network, then either the local and/or remote subnets of the tunnel settings have been misconfigured or the remote host does not have its default gateway as the remote party.

If you can ping across the tunnel, then check if the MTU of the IPSec interface is allowing packets to go through. Reduce the MTU if large packets are not being sent through the tunnel.

If the application is still not working across the tunnel, then the problem is with the application. Check that the application uses IP and does not use broadcast packets since these will not be sent through the CyberGuard SG appliance. You should contact the producer of the application for support.

150

Virtual Private Networking

Image 154

SnapGear 2.0.1 user manual Virtual Private Networking

Contents

Revision June 7 Contents Firewall 104 170 159169 177 CyberGuard SG Gateway Appliances IntroductionIntroduction CyberGuard SG PCI Appliances Bridged mode Secure by default Text like this highlights important issues Document Conventions Front panel LEDs Your CyberGuard SG Gateway ApplianceSG300 model includes two blue straight through UTP cables Virtual Private Networking is enabled Rear panel LAN link features CyberGuard SG Gateway Appliance FeaturesInternet link features DMZ link features SG570, SG575 only Your CyberGuard SG PCI Appliance LEDs Network link features CyberGuard SG PCI Appliance FeaturesEnvironmental features Getting Started 192.168.0.1 255.255.255.0Page Right click on Local Area Connection and select Properties Set up the Password and LAN Connection Settings 192.168.0.100 Root Getting Started Getting Started Analog modem Set up Internet Connection SettingsCable modem DSL modem Set up the PCs on your LAN to Access the Internet LAN with a Dhcp server LAN with no Dhcp server To manually set up each Windows PC on your network Select Dhcp Server from the Networking menu Getting Started Install the Network Driver on your PC Set up your PC to Connect to the Web Management Console Select Internet Protocol TCP/IP and click Properties Select Use the following DNS server addresses and enter Set up the Password and Network Connection Settings Network Setup Connections page will display Click Apply and Reboot Ensure Dhcp assigned is unchecked Getting Started Click Apply and Reboot Getting Started Page Connections Network ConnectionsNetwork Connections LAN Bridging Internet Physically connect modem device Internet Connection MethodsCable Direct Internet Bridged Internet Failover Direct/Cable/ADSL Internet COM/ModemDialout Internet Field Description ISP. The Password and Confirm Password fields mustOptional Direct DMZ Dialin accessBridged DMZ Bridged LAN Services on the DMZ NetworkDirect LAN DMZ as a second Internet connection Load Balancing DMZ as a backup/failover Internet connectionInternet Failover Enable the primary connection for failover Set up a secondary backup Internet connection Network Connections Additional routes RoutesRoute management Hostname AdvancedDNS Proxy Network Address Translation NAT/masquerading Dynamic DNS Interface aliases QoS Traffic Shaping Change MAC address Dialin Setup Dialin Setup Dialin Setup Following table describes the fields on the Dial-In Setup Dialin User Accounts Account list Page Remote User Configuration Windows 95/98/Me Dialin Setup Windows 2000/XP Dialin Setup Page Dhcp Server Dhcp Server ConfigurationDhcp Server Dhcp Server Interface Enable/DisableSubnet List Subnet Dhcp Server Dhcp Proxy Firewall Incoming AccessFirewall Administration services CyberGuard SG Administrative Web Server SSL/HTTPS Secure Http SSL Certificate Setup Add Local and Private Certificates Outgoing Interface Packet FilteringIncoming Interface Action Addresses Service groups Rules Destination NAT/port forwarding EnableDescriptive Name Source Address Destination ServicesSource NAT Destination Address To-1 NAT Rules Access Control and Content Filtering User authenticationPage Browser setup Click Advanced IP lists Web lists Content Reports Categories ZoneAlarm Intrusion Detection Intrusion Detection Benefits of using an IDS Basic Intrusion Detection and Blocking Page Advanced Intrusion Detection Advanced Intrusion Detection configuration Intrusion Detection Setting up the analysis server Page Web cache is only available on SG575 models Web CacheWeb Cache Web Cache Setup Cache size Create a new user account Network Shares100 Web Cache Create the network share 101 Web Cache Set the CyberGuard SG appliance to use the network share 102 Web Cache Peers Set up LAN PCs to Use the Web Cache103 Web Cache Virtual Private Networking 104 Virtual Private Networking Pptp Client Setup 106 Virtual Private Networking Pptp Server Setup 107 Virtual Private Networking Enable and configure the Pptp VPN server 108 Virtual Private Networking Encryption is strongly recommended. This keeps your Data private as well as providing secure authentication109 Virtual Private Networking Configuring user accounts for VPN server 111 Virtual Private Networking Configuring the remote VPN client 112 Virtual Private Networking Windows 95, Windows 98 and Windows Me Windows 114 Virtual Private Networking 115 Virtual Private Networking Windows XP 116 Virtual Private Networking Connecting the remote VPN client 117 Virtual Private Networking CyberGuard SG appliance to CyberGuard SG appliance IPSec SetupSet up the Branch Office Enabling IPSec 119 Virtual Private Networking Tunnel settings Configure a tunnel to connect to the headquarters office120 Virtual Private Networking 121 Virtual Private Networking 122 Virtual Private Networking Local endpoint settings 123 Virtual Private Networking 124 Virtual Private Networking Other options 125 Virtual Private Networking 126 Virtual Private Networking 127 Virtual Private Networking Tcgid 128 Virtual Private Networking Kept confidential Phase 1 settings129 Virtual Private Networking 130 Virtual Private Networking Phase 2 settings 131 Virtual Private Networking Configuring the Headquarters 132 Virtual Private Networking 133 Virtual Private Networking Leave the Enable IP Payload Compression checkbox unchecked Remote endpoint settings134 Virtual Private Networking 135 Virtual Private Networking Remote party Tunnel ListConnection 136 Virtual Private Networking Status 137 Virtual Private Networking 138 Virtual Private Networking 139 Virtual Private Networking Dynamic DNS Support NAT Traversal Support140 Virtual Private Networking Extracting certificates Certificate Management141 Virtual Private Networking Creating certificates 142 Virtual Private Networking Create the self-signed root CA certificate 143 Virtual Private Networking Adding certificates 144 Virtual Private Networking Adding a CA or CRL certificate 145 Virtual Private Networking Adding a local certificate 146 Virtual Private Networking Troubleshooting 147 Virtual Private Networking 148 Virtual Private Networking 149 Virtual Private Networking 150 Virtual Private Networking LAN address Setting up a GRE tunnelCyberGuard SG appliance in Brisbane Internet address CyberGuard SG appliance in Slough Internet address Remote subnet/netmask 10.1.0.0 GRE over IPSec 154 Virtual Private Networking Local Internal Address Place on Ethernet Bridge 155 Virtual Private Networking Troubleshooting 156 Virtual Private Networking L2TP VPN client 157 Virtual Private Networking L2TP server 158 Virtual Private Networking Set date and time SystemDate and Time NTP time server Locality 160 System Users 161 System Encrypted save/restore all AdministrationDiagnostic User settings Password DiagnosticsInternet access via access controls Diagnostics Network tests 164 System System log Configuration files165 System Flash upgrade Reboot Reset button Technical Support B.c.d B.c.d-e B.c.d-e.f.g.h B.c.d/e Appendix a IP Address Ranges169 Appendix a IP Address Ranges Term Meaning Appendix B Terminology170 Appendix B Terminology DNS 171 Appendix B Terminology IDB 172 Appendix B Terminology Isakmp 173 Appendix B Terminology NTP 174 Appendix B Terminology SHA 175 Appendix B Terminology 176 Access Logging Appendix C System Log Eth1 Default DenyEth0 Ppp Creating Custom Log Rules 179 Appendix C System Log 180 Appendix C System Log Iptables -I Forward -j LOG -i eth0 -p tcp 181 Appendix C System Log Rate Limiting 182 Appendix C System Log Boot Log Messages Administrative Access Logging183 Appendix C System Log Appendix D Firmware Upgrade Practices and Precautions 184 Appendix D Firmware Upgrade Practices and Precaut ions