Configuration Guide SuperStack 3 Firewall – L2TP/IPSec VPN Client

Overview

This guide is used as a supplement to the SuperStack 3 Firewall manual, and details how to configure the native Windows VPN client to work with the Firewall via the Microsoft recommended Layer 2 Tunneling Protocol with IP Security, or L2TP/IPSec. In order to support this capability, you will require SuperStack Firewall firmware v6.3.3 or later, which supports an integrated L2TP/IPSec server. Note that v6.3.3 also supports a mechanism to connect to the Internet using L2TP; this is not covered in this document.

IPSec, L2TP and PPTP Overview

IPSec is the protocol used to secure IP traffic. IPSec supports a mode that can be used to “tunnel” IP traffic over a public network such as the Internet: IPSec tunnel-mode. Alternatively, a tunneling protocol such as L2TP or PPTP can be used to achieve secure access to a corporate LAN over the Internet; the tunneling protocol can optionally be secured itself using IPSec. IPSec tunnel-mode is used for site-to-site connections and can also be used for individual Internet users with VPN client software. L2TP and PPTP are only used for VPN clients, in particular native Windows VPN clients.

SuperStack 3 Firewall firmware v6.3.3 supports L2TP termination only when secured by IPSec. (This is the default on Windows XP, but on Windows 2000 the default configuration is to use L2TP without IPSec.) v6.3.3 firmware for the SuperStack 3 Firewall is also backward compatible with older firmware: it continues to support the SafeNet Soft-PK VPN client supplied with the Firewall. This VPN client is an IPSec tunnel-mode client; it does not use L2TP. The SuperStack 3 Firewall can support both IPSec tunnel-mode clients and L2TP/IPSec clients simultaneously.

The standard Microsoft VPN client before Windows 2000 was PPTP. The SuperStack 3 Firewall does not support a PPTP server. However, Microsoft now also supplies an L2TP/IPSec VPN client for older versions of Windows (except Windows 95).
SafeNet Soft-PK VPN client using IPSec only

* An L2TP/IPSec integrated VPN client for Windows NT4, 98 & Me is available from the Microsoft website www.microsoft.com/vpn.
** Windows 2000 requires a registry change in order to support shared secret IKE; 3Com has provided a utility to complete this task. L2TP and IPSec are separate components on Windows 2000 and need to be configured individually. The 3Com utility configures the IPSec component.
*** The SafeNet Soft-PK VPN client provided with the SuperStack 3 Firewall does not support Windows XP. SafeNet (www.safenetinc.com) provides a commercial version of this VPN client that supports Windows XP and is compatible with the SuperStack 3 Firewall.
Certificates

SuperStack 3 Firewall firmware v6.3.3 supports X.509 certificates, but these are not supported for either IPSec tunnel-mode or L2TP VPN clients; they are only supported for site-to-site connections. If a VPN client requests a certificate or says that a certificate cannot be found, the Windows PC has not been properly configured to use the GroupVPN shared secret.
SafeNet L2TP Adapter

The SafeNet VPN client includes an L2TP adapter component. This L2TP/IPSec client can be used with the SuperStack 3 Firewall instead of the Microsoft L2TP clients. However, if the XAUTH feature (user authentication) is enabled on the GroupVPN SA, these clients will authenticate users twice: once for XAUTH and once for L2TP. This document does not describe how to configure and use the SafeNet IPSec tunnel-mode or SafeNet L2TP/IPSec client.

NAT-traversal Support

SuperStack 3 Firewall v6.3.3 supports NAT-traversal, but this feature only works when used with a VPN client that also supports NAT-traversal. Windows 2000 and XP IPSec do not currently support NAT-traversal, i.e. a device performing NAT cannot be used between the Windows PC and its Internet connection, or between the SuperStack 3 Firewall and its Internet connection, when using these VPN clients. The Microsoft integrated L2TP/IPSec client for Win9x/NT4 and the SafeNet VPN client do support NAT-traversal.
Firewall Configuration

Network Configuration

The SuperStack 3 Firewall can be configured in either “Standard” or “NAT enabled” network addressing mode, with a static public (WAN) IP address to allow VPN termination. Note that in “Standard” mode, L2TP clients that have terminated on the SuperStack 3 Firewall will not be able to access the Internet via the VPN tunnel.
VPN Configuration

Select the VPN button on the SuperStack 3 Firewall web interface to configure VPN and L2TP. The GroupVPN security association configuration used for IPSec tunnel-mode clients is also used for L2TP users. The GroupVPN SA must be enabled for L2TP (by default, it is disabled). The L2TP server itself must also be enabled on the L2TP tab (by default, it is disabled). The following GroupVPN configurations are recommended for the SuperStack 3 Firewall when using Windows L2TP/IPSec clients:

Phase 1 DH Group
Phase 1 Encryption / Authentication
Phase 2 Encryption / Authentication
Firewall Encryption Level
User Authentication

User authentication is optional for IPSec tunnel-mode VPN clients (such as the SafeNet Soft-PK client). Selecting the XAUTH feature on the GroupVPN SA Advanced Settings enables user authentication: VPN clients must supply a valid username and password before they can connect to the SuperStack 3 Firewall. These usernames and passwords are configured on the Firewall or on a RADIUS server. VPN user authentication is disabled by default.
When using the Microsoft L2TP/IPSec client on Windows NT4, 98 and Me, the GroupVPN XAUTH feature must be disabled on the SuperStack 3 Firewall, otherwise the client will fail to connect. For Windows 2000 and XP, you can enable the Firewall GroupVPN XAUTH without these clients being prompted for IPSec tunnel-mode authentication; they will only be prompted for L2TP authentication. This allows you to enforce user authentication for all clients: use L2TP/IPSec for Windows 2000 and XP, and use SafeNet Soft-PK for other versions of Windows with GroupVPN XAUTH enabled.

User authentication is not optional for L2TP and must be configured on the Firewall by selecting the Policy button and the User Privileges tab. L2TP users supply a username and password within the VPN client to allow them to connect to the SuperStack 3 Firewall. These usernames/passwords must be configured for each user, either locally on the Firewall or by selecting “Use RADIUS” to use a RADIUS server. If there are more than 100 users, RADIUS must be used. RADIUS is configured on the Firewall using the RADIUS tab; the v6.3.3 firmware provides a RADIUS test button to confirm successful configuration.

Firewall L2TP Users

On the Firewall web interface, click the Policy button and then the User Privileges tab. For each L2TP user configured on the Firewall, provide the username and password, then tick the “Access from L2TP VPN Client” checkbox before selecting the “Update User” button. For IPSec tunnel-mode clients, select the “Access from VPN Client with XAUTH” checkbox. (A user can have both checkboxes enabled.)

RADIUS L2TP Users

When using RADIUS, select the “Access from L2TP VPN Client” checkbox on the RADIUS tab under Privileges for all Users. The Firewall will authenticate all L2TP clients with the configured RADIUS server. If authentication is successful, the Firewall will grant access to the LAN.
It is also possible to configure the RADIUS server to indicate which particular users are allowed and not allowed L2TP access; a separate document, the Funk Dictionary file, on the 3Com support web site details this procedure for the Funk Steel-Belted RADIUS server. To integrate the SuperStack 3 Firewall with Microsoft Active Directory for user authentication, enable and configure the Windows Internet Authentication Service (IAS), which is the Windows RADIUS server. Refer to the Windows documentation for configuration of IAS. The Firewall must be configured with the IP address and shared secret of the Windows IAS server.

IP Address Configuration

As well as username/password configuration, L2TP users must also be provided with an internal LAN IP address, which they obtain when they connect to the SuperStack 3 Firewall. Configure the “L2TP Local IP Pool Settings” with an IP address pool appropriately sized for the number of L2TP users. The pool of IP addresses is typically a subset of the Firewall’s LAN IP subnet, but it can be any set of unused IP addresses. Alternatively, if RADIUS is being used, you can select “IP Address provided by RADIUS server” and configure the RADIUS server to provide IP addresses for L2TP clients.
Debugging L2TP/IPSec server

To help debug problems with L2TP/IPSec, enable the Network Debug category in the Log Settings on the Firewall. The following shows the log output from a successful L2TP/IPSec connection, with comments:

RECEIVED<<< ISAKMP OAK MM (MsgID: 0x0)
The Firewall receives the VPN client request. If this log entry is missing, check that the client is configured with the WAN IP address of the Firewall. Alternatively, the Internet router may be blocking the IKE protocol that is used to negotiate IPSec keys. IKE uses UDP port 500.

IKE Responder: Begin Main Mode Phase 1
SENDING>>>> ISAKMP OAK MM (MsgID: 0x0) (SA)
RECEIVED<<< ISAKMP OAK MM (MsgID: 0x0) (KE, NON)
NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal
Some VPN clients, such as Windows XP, do not support NAT traversal (the ability to work through NAT devices). This warning can be ignored if there are no NAT devices between the VPN client and the SuperStack 3 Firewall.

SENDING>>>> ISAKMP OAK MM (MsgID: 0x0) (KE, NON, VID, VID, VID)
RECEIVED<<< ISAKMP OAK MM (MsgID: 0x0) *(ID, HASH)
IKE Responder: Main Mode Phase 1 Done
SENDING>>>> ISAKMP OAK MM (MsgID: 0x0) *(ID, HASH)
IKE Responder: Begin Phase 2
RECEIVED<<< ISAKMP OAK QM (MsgID: 0x1A14E711) *(HASH, SA, NON, ID, ID)
IKE Responder: Accepting IPSec proposal
SENDING>>>> ISAKMP OAK QM (MsgID: 0x11E7141A) *(HASH, SA, NON, ID, ID)
Loading IPSec SA (Message ID = 0x1a14e711, Local SPI = 0xe98d3fed, Remote SPI = 0xdf1a63f7)
RECEIVED<<< ISAKMP OAK QM (MsgID: 0x1A14E711) *(HASH)
IKE negotiation complete. Adding IPSec SA. Phase 2 Done
IKE has completed successfully; L2TP negotiation over IPSec now starts. If the following logging does not appear, the Internet router may block IPSec traffic. IPSec traffic normally uses IP protocol number 50 (ESP). (Note: this is an IP protocol number, not a UDP port number.)

lifeSeconds=3600 remote range: (188.8.131.52 - 184.108.40.206)
L2TP Server : L2TP Tunnel Established. Source:220.127.116.11, 1701 Destination:18.104.22.168, 1701 LocalTunnelID=0xe0c5, RemoteTunnelId=0x2, RemoteHostName=test-laptop.3com.com
L2TP Server : L2TP Session Established. Source:22.214.171.124, 1701 Destination:126.96.36.199, 1701 LocalSessionID=0xd9cf, RemoteSessionId=0x1
L2TP Server: Local Authentication Success. Source:188.8.131.52, 1701 Destination:184.108.40.206, 1701 Host Name :test-laptop.3com.com, User Name :test, Auth Algorithm :MD5 CHAP
L2TP has completed successfully. You should be able to “ping” the Firewall’s LAN IP address and access the LAN. If this fails, check the L2TP configuration page on the Firewall for a valid IP address pool, or check the configuration on the RADIUS server if used.

The following log entries indicate common problems:

SENDING>>>> ISAKMP OAK INFO (MsgID: 0x4F68AE7F) *(HASH, NOTIFY:PAYLOAD_MALFORMED)
The shared secret did not match.

L2TP Server: Local Authentication Failure

The L2TP username/password was not accepted; check the user’s L2TP privilege on the Firewall, or the RADIUS server configuration if RADIUS is used.
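As an added diagnostic aid (this script is not part of the 3Com guide), the following Python code applies the checks described above to a set of Network Debug log lines: it records which stage of the IKE/L2TP sequence was reached and, for a failed connection, returns the hint for the first stage that never appeared. The embedded log lines are constructed samples modelled on the output above, with documentation-range addresses (192.0.2.x) standing in for real ones; the stage names, hint text and the `diagnose` function are this script's own, not Firewall output.

```python
"""Classify SuperStack 3 Firewall 'Network Debug' log lines from one L2TP/IPSec
connection attempt.  Added example, not 3Com code: stage names and hint text are
this script's own, and the sample log lines are constructed (192.0.2.x addresses
are from the documentation range, not a real deployment)."""
import re

# Milestones in the order a successful connection passes them: (stage name,
# pattern that marks the stage as reached, hint if the stage was never reached).
MILESTONES = [
    ("ike_request", re.compile(r"RECEIVED<<< ISAKMP OAK MM"),
     "No IKE request seen: check the client uses the Firewall WAN IP address "
     "and that the Internet router passes IKE (UDP port 500)."),
    ("phase1_done", re.compile(r"Main Mode Phase 1 Done"),
     "IKE Phase 1 did not complete: check the GroupVPN shared secret and the "
     "Phase 1 DH group / encryption / authentication settings."),
    ("phase2_done", re.compile(r"Phase 2 Done"),
     "IKE Phase 2 did not complete: check the Phase 2 encryption / "
     "authentication settings on the GroupVPN SA."),
    ("l2tp_tunnel", re.compile(r"L2TP Tunnel Established"),
     "IKE completed but no L2TP tunnel: the Internet router may block ESP "
     "(IP protocol 50), or the L2TP server is not enabled on the L2TP tab."),
    ("l2tp_session", re.compile(r"L2TP Session Established"),
     "L2TP tunnel up but no session was established."),
    ("l2tp_auth", re.compile(r"L2TP Server: Local Authentication Success"),
     "L2TP session up but the user was not authenticated: check the user's "
     "'Access from L2TP VPN Client' privilege or the RADIUS configuration."),
]

# Failure signatures the guide lists as common problems.
ERRORS = [
    (re.compile(r"NOTIFY:PAYLOAD_MALFORMED"), "IKE shared secret did not match"),
    (re.compile(r"L2TP Server: Local Authentication Failure"),
     "L2TP username/password rejected"),
]

# Non-fatal notices worth surfacing.
WARNINGS = [
    (re.compile(r"doesn't support VPN NAT Traversal"),
     "client lacks NAT-T: only a problem if a NAT device sits between client and Firewall"),
]

USER_RE = re.compile(r"User Name :([^,\s]+)")


def diagnose(log_lines):
    """Return a dict describing how far the connection got and what to check."""
    reached, errors, warnings, user = [], [], [], None
    for line in log_lines:
        for name, pattern, _hint in MILESTONES:
            if name not in reached and pattern.search(line):
                reached.append(name)
        for pattern, meaning in ERRORS:
            if pattern.search(line):
                errors.append(meaning)
        for pattern, meaning in WARNINGS:
            if pattern.search(line):
                warnings.append(meaning)
        m = USER_RE.search(line)
        if m:
            user = m.group(1)
    # The hint belongs to the first milestone that was never reached.
    hint = next((h for name, _p, h in MILESTONES if name not in reached), None)
    return {"reached": reached, "complete": hint is None, "hint": hint,
            "errors": errors, "warnings": warnings, "user": user}


# Constructed sample logs (modelled on the guide's output; not real captures).
SUCCESS_LOG = [
    "RECEIVED<<< ISAKMP OAK MM (MsgID: 0x0)",
    "IKE Responder: Begin Main Mode Phase 1",
    "SENDING>>>> ISAKMP OAK MM (MsgID: 0x0) (SA)",
    "RECEIVED<<< ISAKMP OAK MM (MsgID: 0x0) (KE, NON)",
    "NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal",
    "IKE Responder: Main Mode Phase 1 Done",
    "IKE Responder: Begin Phase 2",
    "IKE negotiation complete. Adding IPSec SA. Phase 2 Done",
    "L2TP Server : L2TP Tunnel Established. Source:192.0.2.10, 1701 Destination:192.0.2.1, 1701",
    "L2TP Server : L2TP Session Established. Source:192.0.2.10, 1701 Destination:192.0.2.1, 1701",
    "L2TP Server: Local Authentication Success. Host Name :laptop, User Name :test, Auth Algorithm :MD5 CHAP",
]
BAD_SECRET_LOG = SUCCESS_LOG[:4] + [
    "SENDING>>>> ISAKMP OAK INFO (MsgID: 0x4F68AE7F) *(HASH, NOTIFY:PAYLOAD_MALFORMED)",
]
ESP_BLOCKED_LOG = SUCCESS_LOG[:8]  # IKE finishes, but no L2TP traffic ever arrives


if __name__ == "__main__":
    for label, log in (("success", SUCCESS_LOG), ("bad secret", BAD_SECRET_LOG),
                       ("ESP blocked", ESP_BLOCKED_LOG)):
        r = diagnose(log)
        last = r["reached"][-1] if r["reached"] else "nothing"
        print(f"{label}: reached {last};", "OK" if r["complete"] else r["hint"], r["errors"])
```

Feed the function the lines copied from the Firewall log viewer for one connection attempt; the returned `hint` points at the section of this guide to revisit, and `errors` lists the two explicit failure signatures the guide describes.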
Windows XP VPN Client

3Com recommends using the Windows XP native L2TP/IPSec VPN client. The following describes how to configure it.
Step 1 – New Connection Wizard
Step 2 – New Connection Wizard
From the Windows Start button, select Settings>Network Connections>New Connection Wizard
Click Next and select Connect to the network at my workplace
Step 3 – New Connection Wizard
Step 4 – New Connection Wizard
Click Next and select Virtual Private Network connection
Click Next and enter a name for the VPN connection:
Click IPSec settings… and tick Use pre-shared key for authentication. Enter the Firewall GroupVPN shared secret. Click OK.
Select the Networking Tab and change the Type of VPN to L2TP IPSec VPN. Click OK.
Establishing a Connection

From the Windows Start button, select Settings>Network Connections and choose the connection that was configured to access the SuperStack 3 Firewall. Enter the username and password and press Connect. If selecting the connection does not present the username and password dialogue, right-click the connection and select Properties. Under the Options tab, tick the Prompt for name and password checkbox.
Windows 98, Me & NT4 VPN Client

Microsoft has provided a freely available L2TP/IPSec VPN client for pre-Windows 2000 operating systems (not Windows 95). The installation file msl2tp.exe is available from the Microsoft web site http://www.microsoft.com/vpn. This client requires XAUTH to be disabled on the SuperStack 3 Firewall, configured under GroupVPN advanced features. Note that this implies that a user with the SafeNet Soft-PK VPN client can connect to the SuperStack 3 Firewall with no user authentication. To force user authentication for all users, enable XAUTH on the SuperStack 3 Firewall and use the SafeNet Soft-PK VPN client for Windows 98, Me and NT users. This is the 3Com recommended configuration. However, if you wish to use the Microsoft VPN client, the following instructions will help you configure it.

Windows 98 / 98SE

In addition to the above Microsoft VPN client, Windows 98 / 98SE requires the latest version of Dial-Up Networking to be installed, which can be found at http://support.microsoft.com/default.aspx?scid=KB;EN-US;q285189&
It also requires the latest version of Internet Explorer to be installed (although this does not need to be used as the default browser).

Windows NT4

In addition to the above Microsoft VPN client, Windows NT4 requires Service Pack 6A, which can be found at: http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/allSP6.asp

For NT4 only, you will need to install the Point to Point Tunneling Protocol using the following procedure if it is not already installed:
Step 1 – From Control Panel, Open the network folder
Step 2 – Network Configuration
Step 3 – Select Network Protocol
Select the Protocols tab. If the Network Protocols list does not include the Point to Point Tunneling Protocol, click Add. Otherwise Cancel the dialog and proceed to installation of the VPN client.
Select the Point to Point Tunneling Protocol and click OK.
Step 1 – From My Computer, Open Dial-Up Networking
Step 2 – Double click Make New Connection
Step 3 – New Connection Wizard
Step 4 – New Connection Wizard
Enter a name for the connection and set the device to be the Microsoft L2TP/IPSec VPN adapter
Click Next and enter the public (WAN) IP address of the SuperStack 3 Firewall as the VPN server
Step 5 – New Connection Wizard
Step 6 – Dial-up Configuration
Click Finish to complete the wizard
From My Computer, open Dial-Up Networking. Right-click the new L2TP connection and select Properties. On the Server Types tab, uncheck the NetBEUI and IPX/SPX Compatible tick boxes.
Establishing a Connection

From My Computer, open Dial-Up Networking. Open the connection that you’ve just created to access the SuperStack 3 Firewall, enter the username and password and press Connect.
Windows NT4 Configuration

After installing the VPN client on NT4, you will need to reboot the PC. After this, you will first need to reconfigure Remote Access.
Step 1 – From Control Panel, Open the network folder
Step 2 – Network Configuration
Step 3 – Select Network Protocol
Select the Protocols tab. Select Point to Point Tunneling Protocol and click Properties.
Change the Number of Virtual Private Networks to 2.
Step 4 – Remote Access Setup Add the RASL2TPM device. Click Continue and then close all the dialogs. Windows will need to restart.
Click Next. Leave your IP address as 0.0.0.0. SuperStack 3 Firewall will provide this.
Click Next. You must manually configure the DNS server with the correct IP address, otherwise the NT4 VPN client will not connect. Also configure a WINS server if required. Obtain the DNS and WINS information from the SuperStack 3 Firewall administrator. Click Next and Finish.
Step 8 – DNS Server
Step 9 – DNS Server
Select More and Edit Entry and modem properties.
Select the Server tab and ensure that the settings are as below. Click TCP/IP Settings.
Step 10 – TCP/IP Settings Check the DNS (and WINS if required) are manually configured. If you wish to access Internet sites directly (not via the VPN connection), untick “Use default gateway on remote network”. However, you will need to leave this ticked if your VPN connection is to a site with multiple IP subnets. Click OK and OK again.
Establishing a Connection

From My Computer, select Dial-Up Networking and choose the phonebook entry that was configured to access the SuperStack 3 Firewall. Click Dial, enter the username and password and then click OK.
Windows 2000

The L2TP VPN client is a pre-installed component of the Windows 2000 operating system. However, configuring its use with a shared secret and defining the IPSec policies to allow L2TP over IPSec can be quite complex. 3Com has provided a utility to simplify this configuration, and only supports this deployment when configured using this utility. The 3Com Windows 2000 L2TP/IPSec VPN client configuration utility 3c2kl2tp.hta is freely available and can be downloaded from http://www.3com.com/ssfirewall
Run the 3Com Windows 2000 L2TP/IPSec configuration utility 3c2kl2tp.hta and click Download IPSec tool from Microsoft
Click Open and follow the instructions on installing the ipsecpol.exe utility to its default installation directory.
Click Enter Shared Secret and configure IPSec
Enter the SuperStack 3 Firewall GroupVPN shared secret and click OK
Step 5 – You must now REBOOT your PC
The IPSec configuration is now complete; you now need to create a new VPN connection in the Windows Dial-up Networking Connection Wizard.

Note – You can use the 3Com 3c2kl2tp.hta utility at any time to change the shared secret or remove the IPSec policy configuration. You may not need to reboot your PC for a new shared secret to take effect, but it is recommended that you always do so.
Step 7 – New Connection Wizard

Click Next, enter a name for the VPN connection, then click Finish.
Step 1 – Dial up Configuration
Step 2 – Dial up Configuration
From the Windows Start button, select Settings>Network and Dial-up Connections and choose the connection that was configured to access the Firewall. Select Properties
Select the Networking tab and change the Type of VPN server to Layer-2 Tunneling Protocol (L2TP). Then click OK.

Establishing a Connection

From the Windows Start button, select Settings>Network and Dial-up Connections and choose the connection that was configured to access the SuperStack 3 Firewall. Enter the username and password and press Connect.