The Syswan VPN Client provides a Configuration Wizard which enables the creation of a VPN configuration in three easy steps. This Configuration Wizard is designed either for remote computers that need to connect to a corporate LAN through a VPN gateway, or for Peer-to-Peer mode.
Let's take the following example:
The remote computer has a dynamically assigned public IP address.
It tries to connect to the corporate LAN behind a VPN gateway that has the DNS name "gateway.mydomain.com".
The corporate LAN address is 192.168.1.xxx, e.g. the remote computer wants to reach a server with the IP address 192.168.1.100.
[Figure: Remote computer, Corporate VPN Gateway, Corporate network]
For configuring this connection, open the wizard window by selecting the menu "Configuration > Wizard".
In the first step, you must specify the type of equipment at the other end of the tunnel: VPN gateway.

In the second step, you must specify the following information:
The public (Wide Area Network) address of the remote gateway
The preshared key you will use for this tunnel (this preshared key must be the same on the gateway; choose a long random value, since it is the only secret protecting this tunnel)
The IP address of your company LAN (e.g. specify 192.168.1.0)

The third step summarizes your new VPN configuration. Other parameters may be further configured directly via the 'Configuration Panel' (e.g. certificates, virtual IP address, etc.).

To create a VPN tunnel from the Configuration Panel (without using the Configuration Wizard), follow these steps:
1. Reset the Configuration Panel to remove any prior configuration.

2. Right-click on 'Configuration' in the tree list window and select 'New Phase 1'.

3. Configure the Authentication Phase (Phase 1).
4. Right-click on the new Phase 1 in the tree control and select 'Add Phase 2'.

5. Configure the IPSec Phase (Phase 2).
6. Once the parameters are set, click on 'Save & Apply' to save the new configuration. The IKE service will run with these new parameters.
7. Click on the 'Open Tunnel' button available in the "IPSec Configuration" window to establish an IPSec VPN tunnel.
Please refer to Phase 1 and Phase 2 for setting descriptions.
Several Authentication Phases (Phase 1) can be configured, so one computer can establish IPSec VPN connections with several gateways or other computers (Peer-to-Peer).
Similarly, several IPSec Configurations (Phase 2) can be created for the same Authentication Phase (Phase 1).
Advanced features and parameters can be defined for Phase 1 and Phase 2.
Those defined in Phase 1 apply to all Phase 2 entries created under that Phase 1 in the current VPN Configuration:
Enable/Disable Config-Mode
Enable/Disable Aggressive Mode
Enable/Disable Redundant Gateway
Select NAT-T mode (Forced, Disabled or Automatic)
Set X-Auth login/password, with a pop-up option
Those defined in Phase 2 apply only to the associated Phase 2:
Automatic Open Mode
Choose the script/application to be launched when the tunnel opens
Manual settings of DNS/WINS server addresses
The 'Authentication' or 'Phase 1' window concerns the settings for the Authentication Phase, or Phase 1. It is also called the IKE Negotiation Phase.
The purpose of Phase 1 is to negotiate IKE policy sets, authenticate the peers, and set up a secure channel between the peers. As part of Phase 1, each end system must identify and authenticate itself to the other.

| Field | Description |
| Name | Label used only for reference in the configuration user interface. This value is never used during IKE negotiation. The name can be changed after initial configuration. No two Phase 1 entries can have the same name. |
| Interface | IP address of the network interface of the computer through which the VPN connection is established. If the IP address changes (i.e. it is assigned dynamically by an ISP), select "Any". |
| Remote Gateway | IP address or DNS name of the remote gateway (example: 10.20.0.1 or myrouter.mycompany.com). This field is mandatory. |
| Pre-shared key | Password or key shared with the remote gateway. |
| Certificate | X509 certificate used by the VPN Client. Click on 'Certificate Import...' to choose the certificate source: PEM files, PKCS#12 file or SmartCard (see section How to configure Certificates). One certificate per tunnel can be configured. |
| IKE encryption | Encryption algorithm used during the Authentication phase (3DES, AES, ...). Prefer AES where the gateway supports it. |
| IKE authentication | Hash algorithm used for integrity and authentication during the Authentication phase (MD5, SHA, ...). Prefer SHA where the gateway supports it. |
| IKE key group | Diffie-Hellman group used for the Phase 1 key exchange; the group determines the key length. |
For more advanced settings, click on 'P1
Advanced'.
For advanced features & parameters, click
on 'P1 Advanced' button in the Phase 1 panel.

| Setting | Description |
| Config-Mode | When checked, the VPN Client activates Config-Mode for this tunnel. Config-Mode lets the VPN Client fetch some VPN configuration information from the VPN gateway. If Config-Mode is enabled, and provided that the remote gateway supports it, the following parameters are negotiated between the VPN Client and the remote gateway during the IKE exchange (Phase 1): the virtual IP address of the VPN Client, the DNS server address (optional) and the WINS server address (optional). If Config-Mode is not available on the remote gateway, see the 'Phase 2 Advanced' settings to set the DNS and WINS server addresses manually in the Syswan VPN Client. |
| Aggressive Mode | When checked, the VPN Client uses aggressive mode as the negotiation mode with the remote gateway. With a pre-shared key, aggressive mode sends the authentication hash before the exchange is encrypted, so anyone who captures the exchange can run an offline dictionary attack on the key; prefer main mode or certificate authentication unless the gateway requires aggressive mode. |
| Redundant GW | This allows the VPN Client to open an IPSec tunnel with an alternate gateway in case the primary gateway is down or not responding. Enter either the IP address or the URL of the Redundant Gateway (e.g. router.dyndns.com). The Syswan VPN Client first contacts the primary gateway to establish a tunnel. If this fails after several tries (default is 5 tries, configurable in the "Parameters" panel > "Retransmissions" field), the Redundant Gateway is used as the new tunnel endpoint. The delay between two retries is about 10 seconds. If the primary gateway can be reached but tunnel establishment fails (e.g. VPN configuration problems), the VPN Client will not try to establish a tunnel with the redundant gateway: check your configuration. If a tunnel is successfully established to the primary gateway with the DPD feature (Dead Peer Detection) negotiated on both sides, then when the primary gateway stops responding (i.e. DPD detects a non-responding remote gateway) the VPN Client immediately starts opening a new tunnel towards the Redundant Gateway. The same behavior applies to the redundant gateway: the VPN Client keeps trying to open a tunnel to the primary and the redundant gateway in turn until the user exits the software or clicks on 'Save & Apply'. |
| NAT-T mode | NAT-T mode can be Forced, Disabled or Automatic. "Disabled" prevents the IPSec VPN Client and the VPN gateway from starting NAT-Traversal. "Automatic" lets the VPN gateway and the VPN Client negotiate NAT-Traversal. In "Forced" mode the Syswan VPN Client forces NAT-T by encapsulating IPSec packets in UDP datagrams, which solves traversal of intermediate NAT routers. |
| Local ID | Local ID is the identity the VPN Client sends to the VPN gateway during Phase 1. This identity can be: an IP address (type = IP address), e.g. 195.100.205.101; a domain name (type = DNS), e.g. mydomain.com; an email address (type = Email), e.g. support@Syswan.com; a string (type = KEY ID), e.g. 123456; the subject distinguished name of the certificate (type = DER ASN1 DN; see Certificates configuration). If this identity is not set, the VPN Client's IP address is used. |
| Remote ID | Remote ID is the identity the VPN Client expects to receive from the VPN gateway during Phase 1. This identity can be: an IP address (type = IP address), e.g. 80.2.3.4; a domain name (type = DNS), e.g. gateway.mydomain.com; an email address (type = Email), e.g. admin@mydomain.com; a string (type = KEY ID), e.g. 123456; the subject distinguished name of the certificate (type = DER ASN1 DN; see Certificates configuration). If this identity is not set, the VPN gateway's IP address is used. Setting it explicitly means the tunnel is only established with a gateway that presents exactly that identity. |
| X-Auth | Define the login and password for X-Auth IPSec negotiation. If "X-Auth popup" is selected, a popup window asking for a login and a password appears each time an authentication is required to open a tunnel with the remote gateway. The end user has 20 seconds to enter their login and password before X-Auth authentication fails. If X-Auth authentication fails, the tunnel establishment fails too. |
| Hybrid Authentication Mode | Hybrid mode is a specific authentication method used within IKE Phase 1. It assumes an asymmetry between the authenticating entities: one entity, typically an edge device (e.g. a firewall), authenticates using standard public key techniques (in signature mode), while the other entity, typically a remote user, authenticates using challenge-response techniques. At the end of Phase 1 these methods establish an IKE SA which is authenticated in one direction only. To make the IKE SA authenticated in both directions, Phase 1 is immediately followed by an X-Auth exchange [XAUTH], which authenticates the remote user. The use of these authentication methods together is referred to as Hybrid Authentication mode. The Syswan IPSec VPN Client implements the Internet-Draft draft-ietf-ipsec-isakmp-hybrid-auth-05. |
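The NAT-T modes above decide whether IPSec packets are carried inside UDP. The following Python block is an added example, not code from the Syswan client, showing how a receiving endpoint separates UDP-encapsulated IKE, ESP and keepalive datagrams and why a packet with an unknown SPI is dropped rather than handed to the decryptor. It assumes the RFC 3948 framing (UDP port 4500, a four-byte zero non-ESP marker in front of IKE, a single 0xFF byte as keepalive); the SA table, tunnel name and sample datagrams are constructed for the demo.

```python
"""Added example (not the Syswan client's code): how a NAT-T capable IPsec
endpoint tells IKE, ESP and keepalive datagrams apart on one UDP socket.

Assumes RFC 3948 framing once NAT-T is negotiated: traffic moves to UDP port
4500, IKE messages are prefixed with a 4-byte zero "non-ESP marker", a lone
0xFF byte is a NAT keepalive, and anything else is an ESP packet whose first
4 bytes are its (non-zero) SPI. Ports and the SA table are demo assumptions.
"""
from __future__ import annotations

import struct

IKE_PORT = 500          # plain ISAKMP: NAT-T "Disabled" or no NAT detected
NATT_PORT = 4500        # UDP-encapsulated IKE + ESP after NAT-T is negotiated
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def encapsulate_ike(isakmp_message: bytes) -> bytes:
    """IKE on port 4500 carries the zero marker so it cannot be mistaken for ESP."""
    return NON_ESP_MARKER + isakmp_message


def encapsulate_esp(esp_packet: bytes) -> bytes:
    """ESP-in-UDP is the ESP packet as-is; SPI 0 is reserved and never valid."""
    if len(esp_packet) < 8 or esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("ESP packet needs a non-zero SPI and a sequence number")
    return esp_packet


class NatTDemux:
    """Receive side of a NAT-T endpoint: classify a datagram, enforce the SA table."""

    def __init__(self) -> None:
        self.inbound_sas: dict[int, str] = {}   # SPI -> tunnel (Phase 2) name

    def install_sa(self, spi: int, tunnel: str) -> None:
        # Installed once Phase 2 has negotiated an inbound SA; packets for any
        # other SPI are dropped instead of being handed to the decryptor.
        self.inbound_sas[spi] = tunnel

    def handle(self, payload: bytes, dst_port: int = NATT_PORT) -> dict:
        if dst_port == IKE_PORT:
            return {"kind": "ike", "ike": payload}
        if dst_port != NATT_PORT:
            return {"kind": "drop", "reason": "unexpected port"}
        if payload == NAT_KEEPALIVE:
            return {"kind": "keepalive"}
        if len(payload) < 4:
            return {"kind": "drop", "reason": "too short"}
        if payload[:4] == NON_ESP_MARKER:
            return {"kind": "ike", "ike": payload[4:]}
        spi = struct.unpack("!I", payload[:4])[0]
        tunnel = self.inbound_sas.get(spi)
        if tunnel is None:
            return {"kind": "drop", "reason": "unknown SPI", "spi": spi}
        return {"kind": "esp", "spi": spi, "tunnel": tunnel, "esp": payload}


# Constructed sample datagrams (not captured traffic).
SAMPLE_ESP = struct.pack("!II", 0xC0A80164, 1) + b"\x5a" * 16   # SPI, seq, ciphertext
SAMPLE_IKE = (b"\x11" * 8 + b"\x22" * 8                        # initiator/responder cookies
              + b"\x01\x10\x02\x00" + struct.pack("!II", 0, 28))  # SA, v1.0, main mode


def demo() -> list[str]:
    """Run the datagram kinds through one demux and report the outcome of each."""
    demux = NatTDemux()
    demux.install_sa(0xC0A80164, "tunnel_office")
    return [
        demux.handle(encapsulate_ike(SAMPLE_IKE))["kind"],
        demux.handle(encapsulate_esp(SAMPLE_ESP))["kind"],
        demux.handle(NAT_KEEPALIVE)["kind"],
        demux.handle(struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 16)["reason"],
    ]


if __name__ == "__main__":
    print(demo())
```

The point of the SA table is that "Forced" NAT-T does not weaken anything by itself: every ESP datagram arriving on port 4500 is still matched against an SPI that Phase 2 negotiated, and everything else is discarded before any decryption is attempted.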
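Local ID and Remote ID travel in the ISAKMP Identification payload. As an added example that is not the client's code, the Python block below builds that payload for each of the five ID types listed in the table and applies the Remote ID rule as described: the received type and value must both match, and when no Remote ID is configured the gateway's IP address is expected. It assumes the IKEv1 layouts of RFC 2408 (payload header) and RFC 2407 (ID type numbers); the small DER encoder, the protocol/port values of 0 and the sample identities are assumptions for the demo.

```python
"""Added example (not the Syswan client's code): encoding the ISAKMP
Identification payload that carries Local ID, and checking a received one
against the configured Remote ID.

Assumes the IKEv1 layouts from RFC 2408 (generic payload header) and RFC 2407
(ID types). The DER helper builds a one-attribute subject DN for the
DER ASN1 DN type. Protocol ID and port are set to 0 (one common choice).
"""
from __future__ import annotations

import ipaddress
import struct

# RFC 2407 section 4.6.2.1 identification types, keyed by the panel's names.
ID_TYPES = {"IP address": 1, "DNS": 2, "Email": 3, "DER ASN1 DN": 9, "KEY ID": 11}
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_DER_ASN1_DN, ID_KEY_ID = ID_TYPES.values()
OID_COMMON_NAME = b"\x06\x03\x55\x04\x03"   # id-at-commonName, 2.5.4.3


def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (definite length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_dn_cn(common_name: str) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { OID, UTF8String }."""
    atv = der_tlv(0x30, OID_COMMON_NAME + der_tlv(0x0C, common_name.encode("utf-8")))
    return der_tlv(0x30, der_tlv(0x31, atv))


def encode_id_data(id_type: int, value) -> bytes:
    """Identification Data bytes for one of the five configurable ID types."""
    if id_type == ID_IPV4_ADDR:
        return ipaddress.IPv4Address(value).packed
    if id_type in (ID_FQDN, ID_USER_FQDN):
        return str(value).encode("ascii")
    if id_type == ID_KEY_ID:
        return value if isinstance(value, bytes) else str(value).encode("ascii")
    if id_type == ID_DER_ASN1_DN:
        return bytes(value)                  # caller passes the DER-encoded DN
    raise ValueError(f"unsupported ID type {id_type}")


def build_id_payload(id_type: int, value, next_payload: int = 0) -> bytes:
    """Generic header (next, reserved, length) + ID type, protocol, port, data."""
    data = encode_id_data(id_type, value)
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(data), id_type, 0, 0) + data


def parse_id_payload(buf: bytes) -> dict:
    """Parse one ID payload; the length field is validated before data is trusted."""
    if len(buf) < 8:
        raise ValueError("ID payload truncated")
    nxt, _reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError("ID payload length field out of range")
    return {"next_payload": nxt, "type": id_type, "protocol": proto, "port": port,
            "data": buf[8:length], "rest": buf[length:]}


def remote_id_matches(expected_type: int | None, expected_value, received: bytes,
                      gateway_ip: str) -> bool:
    """The Remote ID check: type and value must both match. With no Remote ID
    configured, the gateway's IP address is expected, as the panel describes."""
    got = parse_id_payload(received)
    if expected_type is None:
        expected_type, expected_value = ID_IPV4_ADDR, gateway_ip
    if got["type"] != expected_type:
        return False   # a FQDN never satisfies an IP-address expectation, or vice versa
    return got["data"] == encode_id_data(expected_type, expected_value)


if __name__ == "__main__":
    gw = build_id_payload(ID_FQDN, "gateway.mydomain.com")
    print(remote_id_matches(ID_FQDN, "gateway.mydomain.com", gw, "80.2.3.4"))
```

Note that the comparison is on the raw Identification Data: a DER ASN1 DN must match byte for byte, which is why the client fills the Local ID from the imported certificate rather than asking the user to type it.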
The 'IPSec Configuration' or 'Phase 2' window
concerns settings for Phase 2.
The purpose of Phase 2 is to negotiate the
IPSec security parameters that are applied to the traffic going through tunnels
negotiated during Phase 1.

| Field | Description |
| Name | Label used only for reference in the configuration user interface. This parameter is never transmitted during IPSec negotiation. The name can be changed after initial configuration. No two Phase 2 entries can have the same name. |
| VPN Client address | Virtual IP address used by the VPN Client inside the remote LAN: the computer appears in the LAN with this IP address. This address must not belong to the remote LAN (example: avoid an IP address like 192.168.192.138 if your remote LAN address is 192.168.192.0 and the subnet mask is 255.255.255.0). |
| Address type | The remote endpoint may be a LAN or a single computer. If the remote endpoint is a LAN, choose "Subnet address" or "IP Range". With "Subnet address", the two fields "Remote LAN address" and "Subnet mask" become available. With "IP Range", the two fields "Start address" and "End address" become available, so that the Syswan VPN Client establishes a tunnel only for the predefined range of IP addresses; the range can be a single IP address. If the remote endpoint is a single computer, choose "Single address"; only the field "Remote host address" is then available. |
| Remote address | This field is "Remote host address" or "Remote LAN address" depending on the address type. It is the IP address of the remote host, or the network address of the remote LAN, reachable through the gateway with which the tunnel is established. |
| Subnet mask | Subnet mask of the remote LAN. Only available when the address type is "Subnet address". |
| ESP encryption | Encryption algorithm negotiated during the IPSec phase (3DES, AES, ...). |
| ESP authentication | Authentication (integrity) algorithm negotiated during the IPSec phase (MD5, SHA, ...). |
| ESP mode | IPSec encapsulation mode: tunnel or transport. |
| PFS group | Diffie-Hellman group used for Perfect Forward Secrecy: a fresh key exchange at each Phase 2 rekeying, so that the ESP keys are not derived solely from the Phase 1 keying material. The group determines the key length. |
| Open Tunnel | This button opens the selected tunnel. As soon as the tunnel is open, the button changes to "Close Tunnel". |
| Scripts | Scripts may be configured in the Script configuration window. |
Note: The "IP Range" feature combined with the "Open tunnel when traffic" feature allows a tunnel to be opened automatically when traffic is detected towards a specific range of IP addresses. The range of IP addresses must, however, also be authorized in the configuration of the VPN gateway.
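As an added example (not the client's code), the Python block below reproduces the address logic of the Phase 2 panel: it normalises the three address types to one inclusive range, rejects a 'Remote LAN address' that has host bits set, flags a 'VPN Client address' that falls inside the remote LAN, and picks the tunnel to open when traffic towards a destination is detected, as the note above describes. The dict field names and the sample tunnels are constructed for the demo and are not the .tgb file format.

```python
"""Added example (not the Syswan client's code): the address checks behind the
Phase 2 'Address type', 'VPN Client address' and 'Open tunnel when traffic'
settings. Dict keys mirror the panel's field names; the configs are constructed.
"""
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Network

Selector = tuple  # (first address, last address), inclusive


def selector_from_phase2(cfg: dict) -> Selector:
    """Normalise the three address types to one inclusive address range."""
    kind = cfg["address_type"]
    if kind == "Subnet address":
        # strict=True rejects a 'Remote LAN address' with host bits set,
        # e.g. 192.168.1.5 with mask 255.255.255.0.
        net = IPv4Network(f"{cfg['remote_lan_address']}/{cfg['subnet_mask']}", strict=True)
        return (net.network_address, net.broadcast_address)
    if kind == "IP Range":
        start, end = IPv4Address(cfg["start_address"]), IPv4Address(cfg["end_address"])
        if end < start:
            raise ValueError("End address precedes Start address")
        return (start, end)            # a range of one address is allowed
    if kind == "Single address":
        host = IPv4Address(cfg["remote_host_address"])
        return (host, host)
    raise ValueError(f"unknown address type {kind!r}")


def covers(selector: Selector, ip: str) -> bool:
    addr = IPv4Address(ip)
    return selector[0] <= addr <= selector[1]


def check_phase2(cfg: dict) -> list[str]:
    """Problems a practitioner should fix before 'Save & Apply' (empty if none)."""
    try:
        sel = selector_from_phase2(cfg)
    except ValueError as exc:
        return [f"remote selector: {exc}"]
    problems: list[str] = []
    vip = cfg.get("vpn_client_address")
    if vip and covers(sel, vip):
        problems.append(f"VPN Client address {vip} lies inside the remote selector "
                        f"{sel[0]}-{sel[1]}; pick an address outside the remote LAN")
    if sel[0] == IPv4Address("0.0.0.0") and sel[1] == IPv4Address("255.255.255.255"):
        problems.append("selector covers all IPv4 traffic; confirm that is intended")
    return problems


def tunnel_for_destination(phase2_list: list[dict], dst_ip: str) -> str | None:
    """'Open tunnel when traffic': first Phase 2 flagged auto_open_on_traffic whose
    selector covers the destination. Tunnels without the flag are never auto-opened."""
    for cfg in phase2_list:
        if cfg.get("auto_open_on_traffic") and covers(selector_from_phase2(cfg), dst_ip):
            return cfg["name"]
    return None


# Constructed Phase 2 entries using the manual's example addresses.
OFFICE_LAN = {"name": "office_lan", "address_type": "Subnet address",
              "remote_lan_address": "192.168.1.0", "subnet_mask": "255.255.255.0",
              "vpn_client_address": "10.10.10.5", "auto_open_on_traffic": True}
ONE_SERVER = {"name": "one_server", "address_type": "IP Range",
              "start_address": "192.168.1.100", "end_address": "192.168.1.100",
              "vpn_client_address": "10.10.10.6", "auto_open_on_traffic": False}
BAD_VIP = {"name": "bad_vip", "address_type": "Subnet address",
           "remote_lan_address": "192.168.192.0", "subnet_mask": "255.255.255.0",
           "vpn_client_address": "192.168.192.138"}   # the case the panel warns about

if __name__ == "__main__":
    for cfg in (OFFICE_LAN, ONE_SERVER, BAD_VIP):
        print(cfg["name"], check_phase2(cfg))
    print(tunnel_for_destination([ONE_SERVER, OFFICE_LAN], "192.168.1.100"))
```

The selector is also what the gateway must authorize on its side: if the gateway's policy is narrower than the range configured here, traffic inside the range but outside the gateway's policy will trigger a tunnel that the gateway then refuses to carry.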
For more advanced settings, click on 'P2
Advanced'.
Once the parameters are set, click on 'Save & Apply' to save the new configuration and take it into account.
For advanced features and parameters, click on the 'P2 Advanced' button in the Phase 2 panel.

| Setting | Description |
| Automatic Open Mode | The VPN Client can automatically open the specified tunnel (Phase 2) on specific events: when the VPN Client starts up; when a USB stick is inserted (see section "USB Mode"); when the VPN Client detects traffic towards the remote LAN. If selected, the Phase 2 icon in the Configuration Panel tree list changes its shape/color to show that this feature is active. |
| Alternate Servers | DNS and/or WINS server IP addresses of the remote LAN can be entered here to help users resolve intranet names. The DNS or WINS addresses are taken into account as soon as the tunnel is opened, and for as long as it remains open. |
Scripts may be configured in the Script configuration window. This window can be opened through the 'Scripts' button of a Phase 2 settings window.

Scripts or applications can be enabled for each step of the tunnel opening and closing process:
Before the tunnel is opened
Right after the tunnel is opened
Before the tunnel closes
Right after the tunnel is closed
This feature makes it possible to run scripts (batch files, scripts, applications...) at each step of a tunnel connection for a variety of purposes, e.g. to check the current software release, to check database availability before launching a backup application, or to check that a program is running.
It also allows various network settings to be changed before, during and after a tunnel connection. Because these scripts run automatically whenever a tunnel opens or closes, keep them in a location that ordinary users cannot modify.
Global Parameters are generic settings that
apply to all created VPN tunnels. Once modified, click on 'Save & Apply' to
take into account your modifications.

| Group | Parameter | Description |
| Lifetime (sec.) | IKE default lifetime | Default lifetime for IKE rekeying. |
| | IKE minimal lifetime | Minimal lifetime for IKE rekeying. |
| | IKE maximal lifetime | Maximal lifetime for IKE rekeying. |
| | IPSec default lifetime | Default lifetime for IPSec rekeying. |
| | IPSec minimal lifetime | Minimal lifetime for IPSec rekeying. |
| | IPSec maximal lifetime | Maximal lifetime for IPSec rekeying. |
| Dead Peer Detection (DPD) | Check interval (sec.) | Interval between DPD messages. |
| | Max number of retries | Number of DPD messages sent without a reply before the peer is declared dead. |
| | Delay between retries (sec.) | Interval between DPD messages when there is no reply from the remote gateway. |
| Miscellaneous | Retransmissions | How many times a message is retransmitted before giving up. This is also the number of tries made on the primary gateway before the Redundant Gateway is used. |
| | Delay between retries | Minimum time before any attempt by the user to restart IKE negotiation. |
| | Block non-ciphered connection | When this option is checked, only encrypted traffic is authorized. |
| | IKE port | The port number used for IKE negotiation can be changed. Exchanges are still carried over UDP but may use a port other than 500, as some firewalls do not allow IKE on port 500. The remote gateway must support this feature. |
Dead Peer Detection (DPD) is an Internet Key Exchange (IKE) extension (RFC 3706) for detecting a dead IKE peer. The Syswan IPSec VPN Client uses DPD:
to delete the open SAs in the VPN Client when a peer has been detected dead;
to restart IKE negotiations with the Redundant Gateway, if one is activated in the 'Phase 1 Advanced' Configuration Panel.
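The Redundant GW description in the Phase 1 Advanced table, the DPD and retransmission parameters in the Global Parameters table and the DPD section above together define a small state machine. The following Python block is an added example, not the client's code, that simulates it with scripted gateways and a simulated clock so the timing of a failover can be checked for three cases: primary unreachable, primary reachable but misconfigured (no failover), and primary dying after the tunnel is up. The manual's stated defaults (5 retransmissions about 10 s apart) are used; the DPD values and the gateway behaviours are assumptions made for the demo.

```python
"""Added example (not the Syswan client's code): a discrete-time model of the
retransmission, Dead Peer Detection and Redundant Gateway behaviour described
in the manual. Parameter names mirror the panels; defaults are the manual's
where it states them (5 retransmissions, ~10 s apart) and assumptions
otherwise. Gateways are scripted stand-ins and time is simulated, so nothing
is sent on the network.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SimGateway:
    name: str
    reachable: bool = True              # answers IKE at all
    config_ok: bool = True              # Phase 1/2 negotiation succeeds
    dies_at: float | None = None        # stops answering (DPD) from this time on

    def answers(self, now: float) -> bool:
        return self.reachable and (self.dies_at is None or now < self.dies_at)


@dataclass
class Params:
    retransmissions: int = 5            # "Retransmissions"
    retry_delay: float = 10.0           # about 10 s between IKE retries
    dpd_check_interval: float = 30.0    # "Check interval (sec.)"  (assumed value)
    dpd_max_retries: int = 3            # "Max number of retries"  (assumed value)
    dpd_retry_delay: float = 5.0        # "Delay between retries (sec.)" (assumed)


@dataclass
class VpnClientSim:
    primary: SimGateway
    redundant: SimGateway | None
    params: Params = field(default_factory=Params)
    now: float = 0.0
    events: list[str] = field(default_factory=list)

    def _log(self, msg: str) -> None:
        self.events.append(f"t={self.now:.0f}s {msg}")

    def try_establish(self, gw: SimGateway) -> str:
        """'up', 'rejected' (reachable but negotiation failed) or 'unreachable'."""
        for attempt in range(1, self.params.retransmissions + 1):
            if gw.answers(self.now):
                if gw.config_ok:
                    self._log(f"tunnel up with {gw.name} (attempt {attempt})")
                    return "up"
                self._log(f"{gw.name} answered but negotiation failed: check configuration")
                return "rejected"
            self.now += self.params.retry_delay
        self._log(f"{gw.name} did not answer after {self.params.retransmissions} tries")
        return "unreachable"

    def monitor_dpd(self, gw: SimGateway, horizon: float) -> bool:
        """Send R-U-THERE every check interval; True once the peer is declared dead."""
        p = self.params
        while self.now < horizon:
            self.now += p.dpd_check_interval
            if gw.answers(self.now):
                continue
            for _ in range(p.dpd_max_retries):        # faster retries, then give up
                self.now += p.dpd_retry_delay
                if gw.answers(self.now):
                    break
            else:
                self._log(f"DPD: {gw.name} dead, deleting SAs")
                return True
        return False

    def run(self, horizon: float = 600.0) -> dict:
        """Alternate between primary and redundant gateway until the horizon."""
        candidates = [g for g in (self.primary, self.redundant) if g is not None]
        idx, status, active, established_at = 0, "unreachable", None, None
        while self.now < horizon:
            gw = candidates[idx]
            state = self.try_establish(gw)
            if state == "rejected":
                # A reachable gateway that rejects us is a configuration problem;
                # the redundant gateway is NOT tried in this case.
                status = "rejected"
                break
            if state == "up":
                active, established_at = gw.name, self.now
                if not self.monitor_dpd(gw, horizon):
                    status = "up"
                    break
                active = None                          # fail over to the other gateway
            idx = (idx + 1) % len(candidates)
        return {"status": status, "active": active,
                "established_at": established_at, "events": self.events}


if __name__ == "__main__":
    sim = VpnClientSim(SimGateway("primary", dies_at=100.0), SimGateway("redundant"))
    print(sim.run())
```

With these values a primary that goes silent at t=100 s is declared dead at t=135 s (the 120 s check fails, then three 5 s retries) and the redundant tunnel is up at the same instant; lengthening the DPD interval or retries trades faster failover for fewer false positives on a lossy link.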
Once the parameters are set, click on 'Save
& Apply' to retain the new configuration.
'Tunnel View' screen shows VPN tunnels that are
currently open. This screen may also be used to close opened tunnels. To close
a VPN tunnel, select the tunnel in the list and click on 'Close Tunnel'.
Tunnels may also be viewed, opened and closed directly from the context menu of
the system tray icon and from the Connection Panel.
The Connection Panel can be opened with the
button "Connection Panel". It is possible to switch between the
Connection Panel and the Configuration Panel with the shortcut key
"Ctrl+Enter" (see section 'Shortcuts').

The Syswan VPN Client makes it possible to secure VPN configurations and security elements (e.g. pre-shared key, certificates...) by the use of a USB stick.
When you select "USB mode", the VPN configuration and the security elements it contains are stored onto the USB stick the first time you plug it in.
Once this is done, you only need to insert the USB stick to automatically open the tunnels, and to unplug it to automatically close any established tunnels. Whoever holds the stick can therefore open the tunnels: keep it as carefully as you would a key.
The USB Mode can be set by clicking on the 'USB Stick' icon in the status bar of the Configuration Panel or via the menu:
Select menu 'File' > 'VPN
Configuration File...'
Select 'USB Stick'

Note: At this stage, if a USB stick containing a VPN configuration and security elements is already plugged in, the associated drive is recognized automatically. It is not necessary to insert a USB stick during this step. If no USB stick is plugged in, the following warning window appears:
Once USB mode is set, the left side box in the
status bar shows a USB stick icon.
The USB stick icon is blue when a USB stick is plugged in, and gray when no USB stick is plugged in.
A blank USB stick (new or freshly formatted) is enabled by copying the VPN configuration and security elements onto it.
When you insert a new USB stick, the IPSec VPN Client automatically proposes to enable it through one of the following options:
Copying the VPN configuration and security elements onto the USB stick: the VPN Client copies the security information onto the USB stick and leaves a copy on the computer. This option is designed for IT managers who need to enable multiple USB sticks for multiple users quickly.
Moving the configuration onto the USB stick: the IPSec VPN Client copies the security information onto the USB stick and removes all security information from the computer. This option is used to secure a computer once the VPN configuration has been set up.

Each tunnel may be configured individually:
In the IPSec Configuration (Phase 2) of the relevant tunnel, click on the 'P2 Advanced' button
Select the 'Automatically open this tunnel when USB stick is inserted' mode

The Syswan VPN Client can use certificates from PEM files, a PKCS#12 file or a smart card.
Note: The Syswan VPN Client does not allow the creation of certificates. Certificates must be created (and stored on the smart card) by third-party software. You will find additional support documents on "How to generate Certificates" and "How to convert Certificate formats" on our web site.
PKCS#12 certificates are supported by a lot of
gateways. Syswan IPSec VPN Client can import PKCS#12 certificates into the VPN
Configuration, directly from the main interface. One PKCS#12 certificate can be
defined per tunnel. Therefore, it is possible to connect to several gateways
that do not use the same PKI (Public Key Infrastructure).
Here are the steps to configure the IPSec VPN
Client with PKCS#12 Certificates:
Step
1: Select radio button 'Certificate' in the 'Phase 1'
window and click on 'Certificates Import...'

Step
2: Select 'Certificate from a PKCS#12 file' in the list
box, then click on the 'Import...' button.
Step
3: Select the PKCS#12 Certificates you want to import.
If the PKCS#12 Certificate is protected, enter the password in the password pop
up window. Once the Certificate is correctly imported, its subject is
automatically displayed in the top fields of the 'Certificates Import ...'
window. Also, key icons are displayed next to each certificate component (root certificate, user certificate, private
key) as shown below.

Step
4: PKCS#12 Certificates will be stored in the VPN
Configuration file as soon as you click on "Save & Apply".
Note: Once the Certificate is imported, its
subject is used for the local ID of the associated Phase 1. This is shown in
the P1 Advanced window with the following indication:

Syswan IPSec VPN Client can import PEM
Certificates into the VPN Configuration directly from the Configuration Panel.
One PEM Certificate can be defined per tunnel. Therefore, it is possible to
connect to several gateways that do not use the same PKI (Public Key
Infrastructure).
Here are the steps to configure the IPSec VPN
Client with PEM Certificate
Step
1: Select radio button 'Certificate' in the Phase 1
window and click on 'Certificates import...'

Step 2: Choose "Certificate from a PEM
file" in the list box
Step 3:
Import the Root Certificate, the User Certificate and the Private Key by
clicking on the associated button. Once the certificate is correctly imported,
its subjects are filled in the 'Certificate Import...' window.

Step 4:
PEM Certificates will be stored in the VPN Configuration file as soon as you
click on "Save & Apply".
Once the certificate is imported, its subject is used as the Local ID of the associated Phase 1. This is shown in the P1 Advanced window with the following indication:

Note: The PEM file enclosing the private key must not be encrypted or protected with a password. The key is therefore in clear text on disk: keep the file in an access-controlled location and delete it once it has been imported. From then on it lives in the VPN configuration file, which can in turn be protected with USB mode or a password-protected export.
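As an added example (not the client's code), the Python block below checks a PEM file against this rule before import. It recognises the two ways a PEM private key can be password protected, the PKCS#8 'ENCRYPTED PRIVATE KEY' label and the legacy 'Proc-Type: 4,ENCRYPTED' header, without parsing any key material. The PEM samples are constructed with placeholder bodies and are not real keys.

```python
"""Added example (not the Syswan client's code): a pre-import check for the
PEM private-key rule. It classifies every PEM block in a file and reports
whether exactly one, unencrypted private key is present. Sample PEM texts
below are constructed with placeholder bodies.
"""
from __future__ import annotations

import re

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
_LEGACY_ENC = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.M)


def classify_pem_blocks(pem_text: str) -> list[tuple[str, str]]:
    """(label, status) for every block; status is plain-key, encrypted-key or other."""
    out = []
    for m in _PEM_BLOCK.finditer(pem_text):
        label, body = m.group(1), m.group(2)
        if label == "ENCRYPTED PRIVATE KEY":
            out.append((label, "encrypted-key"))       # PKCS#8, password inside the ASN.1
        elif label.endswith("PRIVATE KEY"):
            status = "encrypted-key" if _LEGACY_ENC.search(body) else "plain-key"
            out.append((label, status))                 # PKCS#1 / SEC1 / plain PKCS#8
        else:
            out.append((label, "other"))                # certificates, CSRs, parameters
    return out


def private_key_importable(pem_text: str) -> tuple[bool, str]:
    """True only when the text holds exactly one private key and it is not encrypted."""
    keys = [status for _, status in classify_pem_blocks(pem_text) if status.endswith("-key")]
    if not keys:
        return False, "no private key block found"
    if len(keys) > 1:
        return False, "more than one private key block"
    if keys[0] == "encrypted-key":
        return False, "private key is password protected; decrypt it before import"
    return True, "ok"


# Constructed samples (bodies are placeholders, not real key material).
PLAIN_PKCS8 = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkq...\n-----END PRIVATE KEY-----\n"
ENC_PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFDjBABgkq...\n"
             "-----END ENCRYPTED PRIVATE KEY-----\n")
ENC_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\nMIIEpAIBAAKC...\n"
              "-----END RSA PRIVATE KEY-----\n")
CERT_ONLY = "-----BEGIN CERTIFICATE-----\nMIIDazCCAlOg...\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for sample in (PLAIN_PKCS8, ENC_PKCS8, ENC_LEGACY, CERT_ONLY):
        print(private_key_importable(sample))
```

A file that fails this check should be decrypted with the tool that produced it (and the decrypted copy removed after import), not by stripping the headers by hand.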
The Syswan VPN Client can read Certificates
from Smart Cards. Smart Cards can be used for securing X509 certificates that
can be protected by a PIN code.
Here are the steps to configure a tunnel using
Certificates from Smart Cards:
Step 1:
Select radio button 'Certificate' in the 'Phase 1' window and click on
'Certificates Import...'

Step 2:
Select 'Certificate from a Smart Card' in the list box. The bottom part of the
window shows a list of Smart Card Reader.

Step 3:
Select the Smart Card Reader you want to use. The Smart Card Reader
identification process starts and a PIN code may be required. Enter your 'Smart
Card PIN code' and click 'OK'.

Once the Smart Card is successfully read,
information about the Smart Card Reader and the Smart Card are displayed in the
text area below the list box, while the subjects of the Certificates are
displayed in the top two fields of the window:

Step 4: Smart Card Reader information will be stored in the VPN Configuration file as soon as you click on "Save & Apply".
When a tunnel is configured to use certificates from a smart card, the PIN code of the smart card is required each time the tunnel is opened (except on automatic VPN renegotiations).
To open a tunnel with certificates from a smart card, it is required to have:
1. The smart card reader correctly installed and configured in the IPSec VPN Client
2. The correct PIN code for reading the smart card.
Each problem encountered when using a Smart Card is displayed in the Software Console. See section 'Smart Card TroubleShooting' below.
Users may encounter issues while configuring
Smart Card and Smart Card Readers.
| Smart Card Trouble | Message displayed (*) |
| No Smart Card Reader is found | No smart card found |
| No Smart Card is found (probably because the Smart Card Reader middleware is missing; the procedure to add a Smart Card Reader middleware is displayed in the text area below the list box) | No ATR / Unknown ATR: this smart card may not be supported. No PKCS#11 middleware for this smart card was found. You can set PKCS#11 middleware with the command line: Vpnconf.exe /addmiddleware:path_to_the_dll |
| The Smart Card cannot be read | ATR = 3B:7B:18:00:00:00:31:C0:64:77:E3:03:00:82:90:00 / Using IDOne Lite PKCS#11 middleware found / Error 0x00000015 |
| The PIN code is wrong | ATR = 3B:7B:18:00:00:00:31:C0:64:77:E3:03:00:82:90:00 / Using IDOne Lite PKCS#11 middleware found / Wrong PIN code |
| No certificate can be found in the Smart Card | ATR = 3B:7B:18:00:00:00:31:C0:64:77:E3:03:00:82:90:00 / Using IDOne Lite PKCS#11 middleware found / No configuration or no certificate found in the smart card |
(*) Message displayed in the text area below the Smart Card listbox.
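The ATR shown in these messages is the card's Answer To Reset. The Python block below, an added example and not the client's code, decodes its ISO/IEC 7816-3 structure (convention, interface bytes, protocols, historical bytes, checksum) so that an "Unknown ATR" can at least be read before you go looking for middleware; the second ATR is constructed to exercise the T=1 checksum path. The client's own matching of ATRs to PKCS#11 middleware is not modelled.

```python
"""Added example (not the Syswan client's code): parsing the Answer To Reset
shown in the troubleshooting table. Decodes the ISO/IEC 7816-3 structure
only; it does not identify the card or choose middleware. MANUAL_ATR is the
value from the table above, T1_ATR is constructed.
"""
from __future__ import annotations


def parse_atr(atr_hex: str) -> dict:
    """Decode TS, T0, interface bytes TAi..TDi, historical bytes and TCK."""
    atr = bytes.fromhex(atr_hex.replace(":", "").replace(" ", ""))
    if len(atr) < 2:
        raise ValueError("ATR needs at least TS and T0")
    convention = {0x3B: "direct", 0x3F: "inverse"}.get(atr[0])
    if convention is None:
        raise ValueError(f"bad TS byte 0x{atr[0]:02X}")
    t0 = atr[1]
    y, k = t0 >> 4, t0 & 0x0F            # Y1: which of TA1..TD1 follow; K: historical count
    pos, group, interface, protocols = 2, 1, {}, []
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError(f"ATR truncated in {name}{group}")
                interface[f"{name}{group}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{group}")
        if td is None:
            break
        protocols.append(td & 0x0F)      # low nibble: protocol type T offered
        y, group = td >> 4, group + 1    # high nibble: presence bits of the next group
    if not protocols:
        protocols = [0]                  # no TD1 at all means T=0 only
    historical = atr[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated in historical bytes")
    pos += k
    tck_ok = None
    if any(t != 0 for t in protocols):   # TCK is present unless only T=0 is offered
        if pos >= len(atr):
            raise ValueError("TCK missing")
        xor = 0
        for b in atr[1:pos + 1]:         # T0 through TCK must XOR to zero
            xor ^= b
        tck_ok = xor == 0
        pos += 1
    if pos != len(atr):
        raise ValueError(f"{len(atr) - pos} unexpected trailing byte(s)")
    return {"convention": convention, "interface": interface, "protocols": protocols,
            "historical": historical, "tck_ok": tck_ok}


MANUAL_ATR = "3B:7B:18:00:00:00:31:C0:64:77:E3:03:00:82:90:00"   # from the table above
T1_ATR = "3B 80 80 01 01"    # constructed: TD1 -> TD2 offers T=1, so a TCK byte follows

if __name__ == "__main__":
    for sample in (MANUAL_ATR, T1_ATR):
        print(parse_atr(sample))
```

For the manual's ATR the parser reports T=0 only, TA1=0x18, eleven historical bytes ending in the 90 00 status, and no checksum byte, which is exactly what a middleware's ATR table has to match for the card to be recognised.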
Users may encounter issues while opening a
tunnel which requires Certificates on a Smart Card.
| Smart Card Trouble | Message displayed in the Console |
| No Smart Card Reader is found | Missing Smart Card Reader |
| The PIN code is wrong | Wrong PIN code |
| No certificate can be found in the Smart Card, or the Smart Card cannot be read | Empty or unreadable Smart Card |
The Syswan VPN Client can import or export a
VPN Configuration. With this feature, IT managers can prepare a configuration
and deliver it to other users.
Importing a configuration,
select menu "File > Import VPN Configuration".
Exporting a configuration,
select menu "File > Export VPN Configuration".
An exported VPN configuration file will have a
".tgb" extension.
The exported VPN Configuration can be protected
with a password. When the user wants to export a configuration, a pop up window
automatically asks if the exported VPN configuration must be protected with a
password or not.

When a VPN Configuration is protected with a password, importing it automatically asks the user to enter the password. An exported VPN Configuration which is not protected with a password is imported without any request to the user. Since the exported file carries the security elements of the tunnels (pre-shared keys, certificates), protect it with a password whenever it leaves the machine.
Note: Import/Export in 'USB Mode'
When the Syswan VPN Client is configured in "USB Mode" and a USB stick is inserted, an imported VPN Configuration is written directly to the USB stick. If the VPN Client is configured in "USB mode" but no USB stick is inserted (the USB icon in the bottom left corner of the GUI is disabled), the export and import of a VPN Configuration are disabled.
Note: A VPN Configuration file can also be imported via the command line.
Syswan IPSec VPN Client can import one or several tunnels into an existing VPN Configuration. With this feature, IT managers can merge a new VPN Configuration with new gateways into an existing VPN Configuration and deliver it to users or group of users.
Merging VPN Configurations can be done in
several ways.
1. Import new VPN Configuration via
menu 'File'>'Import VPN Configuration' and then select 'Add' instead of
'Replace'.

2. Drag & drop a new VPN
Configuration into the software with an existing VPN Configuration already
opened. The exact same popup window (see above) will appear asking if the user
wants to 'Add' or 'Replace' existing VPN Configuration.
3. Import new VPN Configuration via
command line.
" [path]\vpnconf.exe /add:[file.tgb] " where [path] is the VPN Client installation directory, and [file.tgb] is
the VPN Configuration file. This command does not handle relative paths (e.g.
"..\..\file.tgb"). For more details, see import command line section.
Whichever way you choose to import a VPN Configuration, the following behaviors are common:
Global parameters are not imported if at least one tunnel was already configured prior to the import and the user selects 'Add' in the popup.
Global parameters are imported if the user selects 'Replace', or if no tunnel was configured prior to the import.
Tunnel name conflicts between the existing and imported VPN Configurations are resolved automatically by the software, which appends an increment in parentheses, e.g. tunnel_office(1), to the imported tunnel names (both Phase 1 and Phase 2).
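As an added example (not the client's code, and not the .tgb format), the Python block below applies the three rules just listed to an in-memory model of a configuration: 'Replace' takes everything, 'Add' keeps the existing global parameters unless nothing was configured, and clashing names receive a (1), (2)... suffix. The dict layout and the sample configurations are assumptions made for the demo.

```python
"""Added example (not the Syswan client's code): the merge rules for importing
a VPN Configuration with 'Add' or 'Replace', applied to a small in-memory
model. The layout (global parameters plus a list of Phase 1 entries, each
owning its Phase 2 names) is an assumption; the .tgb file is not modelled.
"""
from __future__ import annotations

import copy
import re

_SUFFIX = re.compile(r"^(.*)\((\d+)\)$")


def unique_name(name: str, taken: set[str]) -> str:
    """Resolve a name clash by appending (1), (2), ... as the import does."""
    if name not in taken:
        return name
    m = _SUFFIX.match(name)
    base, n = (m.group(1), int(m.group(2))) if m else (name, 0)
    while True:
        n += 1
        candidate = f"{base}({n})"
        if candidate not in taken:
            return candidate


def merge_configurations(existing: dict, imported: dict, mode: str) -> dict:
    """Return the configuration the client would hold after the import."""
    if mode == "Replace":
        return copy.deepcopy(imported)          # everything, global parameters included
    if mode != "Add":
        raise ValueError("mode must be 'Add' or 'Replace'")
    result = copy.deepcopy(existing)
    # Global parameters are only taken from the import when nothing was configured.
    if not existing["tunnels"]:
        result["global"] = copy.deepcopy(imported["global"])
    p1_taken = {t["phase1"] for t in result["tunnels"]}
    p2_taken = {p2 for t in result["tunnels"] for p2 in t["phase2"]}
    for tunnel in imported["tunnels"]:
        new_p1 = unique_name(tunnel["phase1"], p1_taken)
        p1_taken.add(new_p1)
        new_p2s = []
        for p2 in tunnel["phase2"]:
            new_p2 = unique_name(p2, p2_taken)
            p2_taken.add(new_p2)
            new_p2s.append(new_p2)
        merged = copy.deepcopy(tunnel)
        merged["phase1"], merged["phase2"] = new_p1, new_p2s
        result["tunnels"].append(merged)
    return result


# Constructed configurations: what an IT manager might ship to a user who
# already has a tunnel of the same name.
EXISTING = {"global": {"ike_default_lifetime": 3600},
            "tunnels": [{"phase1": "tunnel_office", "phase2": ["tunnel_office_lan"]}]}
IMPORTED = {"global": {"ike_default_lifetime": 7200},
            "tunnels": [{"phase1": "tunnel_office",
                         "phase2": ["tunnel_office_lan", "tunnel_office_dmz"]}]}

if __name__ == "__main__":
    print(merge_configurations(EXISTING, IMPORTED, "Add"))
```

Because 'Add' silently renames rather than refuses duplicates, a user who imports the same file twice ends up with tunnel_office and tunnel_office(1) carrying identical credentials; check the tree after an import rather than assuming the first entry is the current one.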
The Syswan VPN Client can export one tunnel
from an existing VPN Configuration. With this feature, IT managers can split
existing VPN Configuration into smaller VPN Configuration and deliver it to
users or group of users.
To export a single tunnel, you must follow the
following steps:
1. Right click on any tunnel Phase 2 from your VPN Configuration, then select 'Export Tunnel'.



Note:
Exporting a Phase 2 also exports the associated Phase 1, and therefore any certificates that might have been defined in that Phase 1. Protect the exported file with a password when it contains such security elements.
Exporting a Phase 2 also exports the Global Parameters.