Howto Sidewinder v6

From Shrew Soft Inc

Introduction

By following these directions, you will be able to create an ISAKMP/IPSec connection from the Shrew VPN client to a Sidewinder 6.1 firewall.

This configuration uses the most secure method available: Windows Domain Authentication with certificates.

Overview

The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. The client uses the pull configuration method to acquire the following parameters automatically from the gateway.

  • IP Address
  • IP Netmask
  • DNS Servers
  • WINS Servers
  • PFS Group
  • Remote Network Topology

The Sidewinder does not have a place to define the DNS Domains, so we need to define them manually in the Shrew client.

  • DNS Default Domain Suffix
  • DNS Split Network Domain List

Configuring the Sidewinder

Enable ISAKMP Service

Services Configuration / Servers / isakmp

  • Enable this server to allow ISAKMP connections

Create a Proxy Rule to allow inbound traffic to ISAKMP

Policy Configuration / Rules

This rule should already exist, but may need to be enabled. This is where you set up the isakmp server to listen on the specific external burb's IP.

  • Service type - Server
  • Service - isakmp
  • Control - Enable
  • Source Burb - Internet
  • Specify sources or "All Source Addresses" for the entire internet
  • Destination Burb - Internet
  • Destination IP - IP of your sidewinder external interface where you will be terminating the ISAKMP clients.

Client Address Pools

VPN Configuration / Client Access Pools

This is where you define the IP settings for your client. Sidewinder calls it an access pool, but think of it as DHCP.

  • Create a new pool, call it "All"; this will be the rule that allows access to all internal networks
  • Virtual Subnet
  • Define the subnet of the addresses you will be handing out to your clients. Your clients will land on the defined burb with any IP in this subnet. There are no routes needed.
  • Local Subnet List
  • Include all of the subnets of your internal network.
  • DNS/WINS Servers
  • List your DNS/WINS servers

Authentication

Services Configuration / Authentication

This is where you will connect the Sidewinder to the Windows domain controllers.

  • Check the box for Windows Domain to enable
  • Click on the box to configure Windows Domain
  • IP Address of your Domain Controller
  • Port - 139
  • Add a name to each item to identify it
  • Logon Prompt - Username:
  • Password Prompt - Password:

ISAKMP Server

VPN Configuration / ISAKMP Server

  • Define the interface you want to receive connections on
  • Check Password (This is used for direct Point to Point static ISAKMP connections with a shared password, which we are not defining here)
  • Check Windows Domain
  • Change Default to Windows Domain

Certificates

Services Configuration / Certificate Management

In this example, we will use self-signed certificates. Configuring the DN is up to you, but here we stick to a standards-based setup.

  • Remote certificate
  • Add new certificate
  • DN - CN=Remote-Certname,O=Company,L=City,ST=State,C=US
  • Export to File, enter Remote.pem - X.509(PEM)
  • Export Certificate and private key
  • Export to File, enter Remote.p12 and enter password to assign to certificate
  • Firewall Certificate
  • Add new certificate
  • DN - CN=Firewall-Certname,O=Company,L=City,ST=State,C=US
  • Export to File, enter Firewall.pem - X.509(PEM)

Security Associations

VPN Configuration / Security Association

This is where you build the connection from the client to the client access pool, and assign a termination burb.

  • General
    • Add a new Association
    • Type - Tunnel
    • Dynamic IP Restricted Client
    • Local IP - Use Local IP
    • Burb - Select the burb that you want to terminate the client
    • Client Access Pool - Select the pool that you want to assign to this group
  • Authentication method
    • Single Certificate
    • Select a firewall certificate
    • Select a remote certificate
    • Firewall Identity type - Distinguished name
  • Crypto
    • IPSec Crypto Algorithms
    • Accept - 3des, des, cast128
    • IPSec Hashing Algorithms
    • Accept - sha1, md5
  • Advanced
    • Phase 1 (ISAKMP) Rekey
    • Hard Limits - 3600 seconds
    • 0 Kb
    • Soft Percentage - 85%
    • Uncheck Force Xauth on Rekey
    • Uncheck Relax Strict Identity Matching
    • Phase 2 (IPSec) Rekey
    • Hard Lifetimes - 700 seconds
    • 0 Kb
    • Uncheck PFS (This will be tested again soon)
    • Uncheck Negotiate as a single host
    • Check Forced Rekey

Client Configuration

General Tab

  • Remote host - External IP address that you defined in your proxy rule
  • Port - 500
  • Auto Configuration - ike config pull
  • Address Method - Use Virtual Adapter and assigned Address
  • Obtain Automatically

Client Tab

  • NAT-T enable

Name Resolution

Testing still needs to be done here. There is no place in the Sidewinder to define the DNS Suffix to pass to the client, so manual intervention is needed.

  • WINS Enable, Obtain Automatically
  • DNS Enable, Do not check Obtain Automatically
  • Define a DNS server address and DNS Suffix
  • Enable Split Tunnel, Obtain Automatically

Authentication

  • Authentication Method - Mutual RSA + XAuth

Local Identity

  • ASN.1 Distinguished Name
  • Check use the Subject in the client certificate

Remote Identity

  • ASN.1 Distinguished Name
  • Check use the Subject in the client certificate

Credentials Tab

  • Server Certificate Authority File - Firewall.pem
  • Client Certificate File - Remote.pem
  • Client Private Key File - Remote.p12

Phase 1 Tab

  • Exchange Type - Aggressive
  • DH Exchange - group 2
  • CA - 3des, HA - sha1
  • Key life time limit - 3600 Seconds
  • Key life data limit - 0 Kbytes (We don't use this)

Phase 2 Tab

  • Transport Algorithm - esp-3des
  • HMAC Algorithm - sha1
  • PFS Exchange - Disabled (This will be tested again soon)
  • Compression Algorithm - Disabled
  • Key lifetime limit - 700 Seconds
  • Key life data limit - 0 Kbytes (We don't use this)

Policy Tab

IPSec Policy Configuration:

  • Uncheck Maintain Persistent Security Associations
  • Check Obtain Topology Automatically or Tunnel All
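
The client settings above must agree with what the Sidewinder expects (proposals, lifetimes, identity types), so it helps to check them mechanically. The following is an added example, not part of the original article: it parses a site configuration exported from the Shrew client as text lines of the form type:key:value and reports every setting that differs from this how-to. It assumes the key names used in Shrew .vpn exports (confirm them against a file exported by your own client version); the sample data and the host name are constructed.

```python
# Added example, not from the original article. Key names assume the Shrew .vpn export format.
EXPECTED = {
    "network-ike-port": "500",           # General tab: Port
    "client-auto-mode": "pull",          # General tab: ike config pull
    "client-iface": "virtual",           # General tab: virtual adapter
    "network-natt-mode": "enable",       # Client tab: NAT-T
    "auth-method": "mutual-rsa-xauth",   # Authentication method
    "ident-client-type": "asn1dn",       # Local identity
    "ident-server-type": "asn1dn",       # Remote identity
    "phase1-exchange": "aggressive",
    "phase1-dhgroup": "2",
    "phase1-cipher": "3des",
    "phase1-hash": "sha1",
    "phase1-life-secs": "3600",          # Sidewinder Phase 1 hard limit
    "phase2-transform": "esp-3des",
    "phase2-hmac": "sha1",
    "phase2-life-secs": "700",           # Sidewinder Phase 2 hard lifetime
    "ipcomp-transform": "disabled",
    "policy-nailed": "0",                # persistent SAs unchecked
}

def parse_site(text):
    """Parse 'type:key:value' lines; the value may itself contain colons."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) == 3 and parts[0] in ("n", "s", "b"):
            settings[parts[1]] = parts[2]   # last occurrence wins
    return settings

def audit(text):
    """Return (key, expected, found) for every setting that deviates."""
    found = parse_site(text)
    return [(key, want, found.get(key)) for key, want in EXPECTED.items()
            if found.get(key) != want]

# Constructed sample: wrong Phase 1 hash, wrong Phase 2 lifetime, policy-nailed missing.
SAMPLE = "\n".join([
    "n:version:2", "s:network-host:gateway.example.com", "n:network-ike-port:500",
    "s:client-auto-mode:pull", "s:client-iface:virtual", "s:network-natt-mode:enable",
    "s:auth-method:mutual-rsa-xauth", "s:ident-client-type:asn1dn",
    "s:ident-server-type:asn1dn", "s:phase1-exchange:aggressive", "n:phase1-dhgroup:2",
    "s:phase1-cipher:3des", "s:phase1-hash:md5", "n:phase1-life-secs:3600",
    "s:phase2-transform:esp-3des", "s:phase2-hmac:sha1", "n:phase2-life-secs:3600",
    "s:ipcomp-transform:disabled",
])

if __name__ == "__main__":
    for key, want, got in audit(SAMPLE):
        print(f"{key}: expected {want!r}, found {got!r}")
```

A setting reported with found None is absent from the file, which usually means the client will fall back to its default for that option.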

Connecting with the Shrew Client

  • Open Access Manager
  • Highlight the connection, and press connect
  • Supply your Windows domain username and password
  • Supply the password that you assigned when you exported your .p12 certificate.

Credits

This wiki article was contributed by Mark Jenks.
