Howto Sidewinder v6
Contents
- 1 Introduction
- 2 Overview
- 2.1 Configuring the Sidewinder
- 2.1.1 Enable ISAKMP Service
- 2.1.2 Services Configuration / Servers / isakmp
- 2.1.3 Create a Proxy Rule to allow inbound traffic to ISAKMP
- 2.1.4 Policy Configuration / Rules
- 2.1.5 Client Address Pools
- 2.1.6 VPN Configuration / Client Access Pools
- 2.1.7 Authentication
- 2.1.8 Services Configuration / Authentication
- 2.1.9 ISAKMP Server
- 2.1.10 VPN Configuration / ISAKMP Server
- 2.1.11 Certificates
- 2.1.12 Services Configuration / Certificate Management
- 2.1.13 Security Associations
- 2.1.14 VPN Configuration / Security Association
- 3 Client Configuration
- 4 Connecting with the Shrew Client
- 5 Credits
Introduction
By following these directions, you will be able to create an ISAKMP/IPSec connection from the Shrew VPN client to a Sidewinder 6.1 firewall. This configuration sets it up with the most secure method available: Windows Domain Authentication with certificates.
Overview
The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. The client uses the pull configuration method to acquire the following parameters automatically from the gateway.
- IP Address
- IP Netmask
- DNS Servers
- WINS Servers
- PFS Group
- Remote Network Topology
The Sidewinder does not have a place to define the DNS domains, so we need to define them manually in the Shrew client.
- DNS Default Domain Suffix
- DNS Split Network Domain List
Configuring the Sidewinder
Enable ISAKMP Service
Services Configuration / Servers / isakmp
- Enable this server to allow ISAKMP connections
Create a Proxy Rule to allow inbound traffic to ISAKMP
Policy Configuration / Rules
This rule should already exist, but may need to be enabled. This is where you set up the isakmp server to listen on the specific external burb's IP.
- Service type - Server
- Service - isakmp
- Control - Enable
- Source Burb - Internet
- Specify sources or "All Source Addresses" for the entire internet
- Destination Burb - Internet
- Destination IP - IP of your Sidewinder external interface where you will be terminating the ISAKMP clients.
Client Address Pools
VPN Configuration / Client Access Pools
This is where you define the IP settings for your clients. Sidewinder calls it an access pool, but think of it as DHCP.
- Create a new pool and call it "All"; this will be the rule that allows access to all internal networks
- Virtual Subnet
- Define the subnet of the addresses you will be handing out to your clients. Your clients will land on the defined burb with any IP in this subnet. No routes are needed.
- Local Subnet List
- Include all of the subnets of your internal network.
- DNS/WINS Servers
- List your DNS/WINS servers
Authentication
Services Configuration / Authentication
This is where you connect the Sidewinder to the Windows domain controllers.
- Check the box for Windows Domain to enable
- Click on the box to configure Windows Domain
- IP Address of your Domain Controller
- Port - 139
- Add a name to each item to identify it
- Logon Prompt - Username:
- Password Prompt - Password:
ISAKMP Server
VPN Configuration / ISAKMP Server
- Define the interface you want to receive connections on
- Check Password (this is used for direct point-to-point static ISAKMP connections with a shared password, which we are not defining here)
- Check Windows Domain
- Change Default to Windows Domain
Certificates
Services Configuration / Certificate Management
In this example, we will use self-signed certificates. Configuring the DN is up to you, but here we stick to a standards-based setup.
- Remote certificate
- Add new certificate
- DN - CN=Remote-Certname,O=Company,L=City,ST=State,C=US
- Export to File, enter Remote.pem - X.509(PEM)
- Export Certificate and private key
- Export to File, enter Remote.p12 and enter password to assign to certificate
- Firewall Certificate
- Add new certificate
- DN - CN=Firewall-Certname,O=Company,L=City,ST=State,C=US
- Export to File, enter Firewall.pem - X.509(PEM)
Security Associations
VPN Configuration / Security Association
This is where you build the connection from the client to the client access pool, and assign a termination burb.
- General
- Add a new Association
- Type - Tunnel
- Dynamic IP Restricted Client
- Local IP - Use Local IP
- Burb - Select the burb that you want to terminate the client
- Client Access Pool - Select the pool that you want to assign to this group
- Authentication method
- Single Certificate
- Select a firewall certificate
- Select a remote certificate
- Firewall Identity type - Distinguished name
- Crypto
- IPSec Crypto Algorithms
- Accept - 3des, des, cast128
- IPSec Hashing Algorithms
- Accept - sha1, md5
- Advanced
- Phase 1 (ISAKMP) Rekey
- Hard Limits - 3600 seconds
- 0 Kb
- Soft Percentage - 85%
- Uncheck Force Xauth on Rekey
- Uncheck Relax Strict Identity Matching
- Phase 2 (IPSec) Rekey
- Hard Lifetimes - 700 seconds
- 0 Kb
- Uncheck PFS (This will be tested again soon)
- Uncheck Negotiate as a single host
- Check Forced Rekey
Client Configuration
General Tab
- Remote host - External IP address that you defined in your proxy rule
- Port - 500
- Auto Configuration - ike config pull
- Address Method - Use Virtual Adapter and assigned Address
- Obtain Automatically
Client Tab
- Nat-t enable
Name Resolution
Testing here still needs to be done. There is no place in the Sidewinder to define the DNS suffix to pass to the client, so manual intervention is needed.
- Wins Enable, Obtain Automatically
- Dns Enable, Do not check Obtain Automatically
- Define a DNS server address and DNS Suffix
- Enable Split Tunnel, Obtain Automatically
Authentication
- Authentication Method - Mutual RSA + XAuth
Local Identity
- ASN.1 Distinguished Name
- Check use the Subject in the client certificate
Remote Identity
- ASN.1 Distinguished Name
- Check use the Subject in the client certificate
Credentials Tab
- Server Certificate Authority File - Firewall.pem
- Client Certificate File - Remote.pem
- Client Private Key File - Remote.p12
Phase 1 Tab
- Exchange Type - Aggressive
- DH Exchange - group 2
- Cipher Algorithm (CA) - 3des, Hash Algorithm (HA) - sha1
- Key life time limit - 3600 Seconds
- Key life data limit - 0 Kbytes (We don't use this)
Phase 2 Tab
- Transport Algorithm - esp-3des
- HMAC Algorithm - sha1
- PFS Exchange - Disabled (This will be tested again soon)
- Compression Algorithm - Disabled
- Key lifetime limit - 700 Seconds
- Key life data limit - 0 Kbytes (We don't use this)
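The gateway Security Association settings above and the client Phase 1 / Phase 2 tabs have to agree before the tunnel will come up. The following is an added example, not part of the wiki page or of the Shrew or Sidewinder software: it models both sides as plain dicts using the values from this page and lists every mismatch, and the `WEAK` set of algorithms it flags on the gateway accept list is this example's own assumption.

```python
# Added example (not from the wiki): cross-check the Sidewinder Security
# Association settings against the Shrew client's Phase 1 / Phase 2 tabs.
# Both sides are modelled as dicts and every mismatch is listed before connecting.

# Gateway side: VPN Configuration / Security Association, as set above.
SIDEWINDER_SA = {
    "ipsec_ciphers": {"3des", "des", "cast128"},  # IPSec Crypto Algorithms
    "ipsec_hashes": {"sha1", "md5"},              # IPSec Hashing Algorithms
    "phase1_hard_secs": 3600,                     # Phase 1 Rekey hard limit
    "phase1_soft_pct": 85,                        # Phase 1 soft percentage
    "phase2_hard_secs": 700,                      # Phase 2 Rekey hard lifetime
    "pfs": False,                                 # PFS unchecked
}

# Client side: Shrew Phase 1 and Phase 2 tabs, as set above.
SHREW_CLIENT = {
    "phase1_life_secs": 3600,       # Phase 1 key life time limit
    "phase2_transform": "esp-3des", # Transport Algorithm
    "phase2_hmac": "sha1",          # HMAC Algorithm
    "phase2_life_secs": 700,        # Phase 2 key lifetime limit
    "pfs_group": None,              # PFS Exchange disabled
}

# Accepted algorithms a defender should drop (this example's own list).
WEAK = {"des", "md5"}

def check_sa(gw, client):
    """Return a list of problems; an empty list means the proposals agree."""
    problems = []
    # Shrew names the ESP transform "esp-3des"; the Sidewinder lists "3des".
    cipher = client["phase2_transform"].split("esp-", 1)[-1]
    if cipher not in gw["ipsec_ciphers"]:
        problems.append(f"phase2 cipher {cipher} not in gateway accept list")
    if client["phase2_hmac"] not in gw["ipsec_hashes"]:
        problems.append(f"phase2 hash {client['phase2_hmac']} not in gateway accept list")
    # A client lifetime above the gateway hard limit means the gateway drops
    # the SA before the client expects to rekey.
    for phase in ("phase1", "phase2"):
        if client[f"{phase}_life_secs"] > gw[f"{phase}_hard_secs"]:
            problems.append(f"{phase} lifetime exceeds gateway hard limit")
    if bool(client["pfs_group"]) != gw["pfs"]:
        problems.append("PFS setting differs between client and gateway")
    for alg in sorted(WEAK & (gw["ipsec_ciphers"] | gw["ipsec_hashes"])):
        problems.append(f"gateway accept list still contains weak algorithm {alg}")
    return problems

def soft_rekey_secs(gw):
    """Seconds after which the gateway begins a Phase 1 rekey (soft % of hard limit)."""
    return gw["phase1_hard_secs"] * gw["phase1_soft_pct"] // 100
```

With the page's values the only findings are the des and md5 entries still on the gateway accept list, and the Phase 1 soft rekey starts at 3060 seconds.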
Policy Tab
IPSec Policy Configuration:
- Uncheck Maintain Persistent Security Associations
- Check Obtain Topology Automatically or Tunnel All
Connecting with the Shrew Client
- Open Access Manager
- Highlight the connection, and press connect
- Supply your Windows domain username and password
- Supply the password that you assigned when you exported your .p12 certificate.
Credits
This wiki article was contributed by Mark Jenks.