
6. Configuration Panel

 

6.1 Configuration Wizard

 

6.1.1 Three step Configuration Wizard

 

The Syswan VPN Client provides a Configuration Wizard which enables the creation of a VPN configuration in three easy steps. This Configuration Wizard is designed either for remote computers that need to get connected to a corporate LAN through a VPN gateway or Peer-to-Peer mode.

 

Let's take the following example:

  The remote computer has a dynamically provided public IP address.

  It tries to connect to the corporate LAN behind a VPN gateway that has a DNS address "gateway.mydomain.com".

  The Corporate LAN address is 192.168.1.xxx, e.g. the remote computer wants to reach a server with the IP address 192.168.1.100.

 

Figure: Remote computer, Corporate VPN Gateway, Corporate network.

 

 

To configure this connection, open the wizard window by selecting the menu "Configuration > Wizard".

 

6.1.2 Step 1 of 3: Choice of remote equipment

 

You must specify the type of the equipment at the end of the tunnel: VPN gateway.

 

 

 

 

6.1.3 Step 2 of 3: VPN tunnel parameters

 

You must specify the following information:

  The public (Wide Area Network) address of the remote gateway

  The preshared key you will use for this tunnel (this preshared key must be the same in the gateway)

  The IP address of your company LAN (e.g. specify 192.168.1.0)

 

 

6.1.4 Step 3 of 3: Summary

 

The third step summarizes your new VPN configuration. Other parameters may be further configured directly via the 'Configuration Panel' (e.g. Certificates, virtual IP address, etc..).

 

 

 

 

6.2 VPN Tunnel Configuration

 

6.2.1 How to create a VPN Tunnel?

 

To create a VPN tunnel from the Configuration Panel (without using the Configuration Wizard), you must follow these steps:

 

1. Reset Configuration Panel to remove any prior configurations.

 

 

2. Right-click on 'Configuration' in the tree list window and select 'New Phase 1'.

 

 

 

3. Configure Authentication Phase (Phase 1).

4. Right-click on the 'new Phase 1' in the tree control and select 'Add Phase 2'.

 

 

5. Configure IPSec Phase (Phase 2).

6. Once the parameters are set, click on 'Save & Apply' to save the new configuration. The IKE service will run with these new parameters.

7. Click on the 'Open Tunnel' button available on the "IPSec Configuration" window to establish an IPSec VPN tunnel.

 

Please refer to Phase 1 and Phase 2 for setting descriptions.

 

 

6.2.2 Multiple Authentication or IPSec Configuration Phase

 

Several Authentication Phases (Phase 1) can be configured. Therefore, one computer can establish IPSec VPN connections with several gateways or other computers (Peer-to-Peer).

 

Similarly, several IPSec Configurations (Phase 2) can be created for the same Authentication Phase (Phase 1).

 

 

6.2.3 Advanced Features

 

Advanced features and parameters can be defined for Phase 1 and Phase 2.

 

Those defined in Phase 1 apply to all Phase 2 entries created in the current VPN Configuration:

  Enable/Disable Config-Mode

  Enable/Disable NAT-T Aggressive Mode

  Enable/Disable Redundant Gateway

  Select NAT-T mode (Forced, Disabled or Automatic)

  Set X-Auth Login/password with pop-up option

Those defined in Phase 2 only apply to the associated Phase 2:

  Automatic Open Mode

  Choose Script/Application to be launched when tunnel opens

  Manual settings of DNS/WINS server addresses

 

 

6.3 Authentication or Phase 1

 

6.3.1 What is Phase 1?

 

The 'Authentication' or 'Phase 1' window contains the settings for the Authentication Phase (Phase 1), also called the IKE Negotiation Phase.

 

The purpose of Phase 1 is to negotiate IKE policy sets, authenticate the peers, and set up a secure channel between the peers. As part of Phase 1, each end system must identify and authenticate itself to the other.

 

6.3.2 Phase 1 Settings Description

 

 

 

Name

Label used only for reference in the configuration user interface. This value is never used during IKE negotiation. It is possible to change this name after initial configuration. No two Phase 1 can have the same name.

 

Interface

IP address of the network interface of the computer through which the VPN connection is established. If the IP address changes (i.e. when it is received dynamically from an ISP), select "Any".

 

Remote Gateway

IP address or DNS address of the remote gateway (example: 10.20.0.1 or myrouter.mycompany.com). This field is mandatory.

 

Pre-shared key

Password or key shared with the remote gateway.

 

Certificate

X509 certificate used by the VPN Client. Click on 'Certificates Import...' to choose the certificate source: PEM files, PKCS#12 file or SmartCard (see section How to configure Certificates). One Certificate per tunnel can be configured.

 

IKE encryption

Encryption algorithm used during Authentication phase (3DES, AES, ...).

 

IKE authentication

Authentication algorithm used during Authentication phase (MD5, SHA, ...).

 

IKE key group

Diffie-Hellman group (key length).

 

For more advanced settings, click on 'P1 Advanced'.

 

6.3.3 Phase1 Advanced Settings Description

 

For advanced features & parameters, click on 'P1 Advanced' button in the Phase 1 panel.

 

 

 

 

Config-Mode

When checked, the VPN Client will activate Config-Mode for this tunnel. Config-Mode allows the VPN Client to fetch some VPN Configuration information from the VPN gateway. If Config-Mode is enabled, and provided that the remote Gateway supports Config-Mode, the following parameters will be negotiated between the VPN Client and the remote Gateway during the IKE exchange (Phase 1):

  Virtual IP address of the VPN Client

  DNS server address (optional)

  WINS server address (optional)

 

In case Config-Mode is not available on the remote gateway, you may refer to section 'Phase2 Advanced' settings to manually set DNS and WINS server addresses into the Syswan VPN Client.

 

Aggressive Mode

When checked, the VPN Client will use aggressive mode as the negotiation mode with the remote gateway.

 

 

Redundant GW

This allows the VPN Client to open an IPSec tunnel with an alternate gateway in case the primary gateway is down or not responding. Enter either the IP address or the URL of the Redundant Gateway (e.g. router.dyndns.com).

  Syswan VPN Client will contact the primary gateway to establish a tunnel. If it fails after several tries (default is 5 tries, configurable in "Parameters" panel > "Retransmissions" field) the Redundant Gateway is used as the new tunnel endpoint. Delay between two retries is about 10 seconds.

  If the primary gateway can be reached but tunnel establishment fails (e.g. VPN configuration problems) then the VPN Client will not try to establish tunnels with the redundant gateway. Check your configuration.

  If a tunnel is successfully established to the primary gateway with the DPD feature (i.e. Dead Peer Detection) negotiated on both sides, when the primary gateway stops responding (e.g. DPD detects non-responding remote gateway) the VPN Client immediately starts opening a new tunnel towards the Redundant Gateway.

  The same behavior will apply to the redundant gateway. This means that the VPN Client will try to open primary and redundant gateways until the user exits the software or clicks on 'Save & Apply'.
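The retry and fallback behaviour just described, as an added model written for this manual (not the Syswan client's code): the probe callback stands in for the IKE exchange with a gateway, the DPD values and the detection-time formula are assumptions, and only the Retransmissions default and the 10-second retry delay come from the text above.

```python
"""Redundant gateway failover and DPD hand-over, modelled after the 'Phase 1
Advanced' description (constructed example, not Syswan code)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Outcomes a gateway probe can report in this model (assumed names).
NO_ANSWER = "no_answer"                    # gateway down or not responding
NEGOTIATION_FAILED = "negotiation_failed"  # reachable, but IKE negotiation fails
ESTABLISHED = "established"


@dataclass
class GlobalParameters:
    retransmissions: int = 5      # "Parameters" panel > "Retransmissions", default 5 per the manual
    retry_delay_s: int = 10       # manual: about 10 seconds between two retries
    dpd_check_interval_s: int = 30   # DPD "Check interval" (assumed value)
    dpd_max_retries: int = 3         # DPD "Max number of retries" (assumed value)
    dpd_retry_delay_s: int = 10      # DPD "Delay between retries" (assumed value)


@dataclass
class Phase1:
    name: str
    remote_gateway: str               # primary gateway
    redundant_gw: Optional[str] = None


@dataclass
class Outcome:
    status: str
    endpoint: Optional[str]
    elapsed_s: int
    log: List[str] = field(default_factory=list)


def try_gateway(gw: str, params: GlobalParameters,
                probe: Callable[[str], str], log: List[str], t: int):
    """Send up to `retransmissions` attempts to one gateway; each unanswered
    attempt costs `retry_delay_s` before the next one is sent."""
    for attempt in range(1, params.retransmissions + 1):
        result = probe(gw)
        log.append(f"t={t}s {gw} try {attempt}: {result}")
        if result != NO_ANSWER:
            return result, t
        t += params.retry_delay_s
    return NO_ANSWER, t


def open_tunnel(p1: Phase1, params: GlobalParameters,
                probe: Callable[[str], str], max_cycles: int = 2) -> Outcome:
    """Alternate between primary and redundant gateway as the manual describes.
    `probe` stands in for the IKE exchange; `max_cycles` bounds the model where
    the real client keeps trying until the user exits or clicks 'Save & Apply'."""
    log: List[str] = []
    t = 0
    endpoints = [p1.remote_gateway] + ([p1.redundant_gw] if p1.redundant_gw else [])
    for _ in range(max_cycles):
        for gw in endpoints:
            result, t = try_gateway(gw, params, probe, log, t)
            if result == ESTABLISHED:
                return Outcome(ESTABLISHED, gw, t, log)
            if result == NEGOTIATION_FAILED:
                # Reachable but failing (e.g. configuration problem): no fallback
                # to the redundant gateway, the configuration must be checked.
                log.append(f"{gw} reachable but negotiation failed: check your configuration")
                return Outcome(NEGOTIATION_FAILED, gw, t, log)
            # No answer after all retransmissions: the next endpoint is used.
    return Outcome(NO_ANSWER, None, t, log)


def dpd_detection_time_s(params: GlobalParameters) -> int:
    """Worst-case seconds between the gateway's last reply and DPD declaring it
    dead, modelled as one check interval plus the configured retries."""
    return params.dpd_check_interval_s + params.dpd_max_retries * params.dpd_retry_delay_s


def on_peer_dead(p1: Phase1, current_gw: str) -> str:
    """DPD declared `current_gw` dead: the client immediately starts opening a
    tunnel towards the other gateway (primary <-> redundant)."""
    if not p1.redundant_gw:
        return p1.remote_gateway
    return p1.redundant_gw if current_gw == p1.remote_gateway else p1.remote_gateway
```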

 

NAT-T mode

NAT-T mode can be set to Forced, Disabled or Automatic.

NAT-T "Disabled" prevents the IPSec VPN Client and the VPN gateway from starting NAT-Traversal.

NAT-T "Automatic" lets the VPN Gateway and the VPN Client negotiate NAT-Traversal.

In NAT-T "Forced" mode the Syswan VPN Client forces NAT-T by encapsulating IPSec packets into UDP frames, so that the tunnel can cross intermediate NAT routers.

 

Local ID

Local ID is the identity the VPN Client sends to the VPN gateway during Phase 1. This identity can be:

  an IP address (type = IP address), for example: 195.100.205.101

  a domain name (type = DNS), e.g. mydomain.com 

  an email address (type = Email), e.g. support@Syswan.com

  a string (type = KEY ID), e.g. 123456

  a certificate issuer (type = DER ASN1 DN) (see Certificates configuration)

If this identity is not set, the VPN Client's IP address is used.

 

Remote ID

Remote ID is the identity the VPN Client is expecting to receive during Phase 1 from the VPN gateway. This identity can be:

  an IP address (type = IP address), for example: 80.2.3.4

  a domain name (type = DNS), e.g. gateway.mydomain.com

  an email address (type = Email), e.g. admin@mydomain.com

  a string (type = KEY ID), e.g. 123456

  a certificate issuer (type = DER ASN1 DN) (see Certificates configuration)

If this identity is not set, the VPN gateway's IP address is used.

 

X-Auth

Define the login and password of an X-Auth IPSec negotiation. If "X-Auth popup" is selected, a pop-up window asking for a login and a password will appear each time an authentication is required to open a tunnel with the remote gateway. The end user has 20 seconds to enter their login and password before X-Auth authentication fails.

If X-Auth authentication fails then the tunnel establishment will fail too.

 

 

Hybrid Authentication Mode

The Hybrid mode is a specific authentication method used within IKE Phase 1. This method assumes an asymmetry between the authenticating entities. One entity, typically an Edge Device (e.g. a firewall), authenticates using standard public key techniques (in signature mode), while the other entity, typically a remote User, authenticates using challenge-response techniques. These authentication methods are used to establish, at the end of Phase 1, an IKE SA which is uni-directionally authenticated. To make this IKE SA bi-directionally authenticated, this Phase 1 is immediately followed by an X-Auth Exchange [XAUTH]. The X-Auth Exchange is used to authenticate the remote user. The use of these authentication methods is referred to as Hybrid Authentication mode. The Syswan IPSec VPN Client implements the IETF specification 'draft-ietf-ipsec-isakmp-hybrid-auth-05.txt'.

 

6.4 IPSec Configuration or Phase 2

6.4.1 What is Phase 2?

 

The 'IPSec Configuration' or 'Phase 2' window concerns settings for Phase 2.

 

The purpose of Phase 2 is to negotiate the IPSec security parameters that are applied to the traffic going through tunnels negotiated during Phase 1.

 

 

6.4.2 Phase 2 Settings Description

 

 

Name

Label used only for reference in the configuration user interface. This parameter is never transmitted during IPSec Negotiation. It is possible to change this name after initial configuration. No two Phase 2 can have the same name.

VPN Client address

Virtual IP address used by the VPN Client inside the remote LAN: the computer will appear in the LAN with this IP address. It is important that this IP address does not belong to the remote LAN. (Example: you should avoid an IP address like 192.168.192.138 if your remote LAN address is 192.168.192.0 and the Subnet Mask is 255.255.255.0.)

 

 

Address type

The remote endpoint may be a LAN or a single computer.

In case the remote endpoint is a LAN, choose "Subnet address" or "IP Range". When choosing "Subnet address", the two fields "Remote LAN address" and "Subnet mask" become available. When choosing "IP Range", the two fields "Start address" and "End address" become available, enabling the Syswan VPN Client to establish a tunnel only within the range of predefined IP addresses. The range of IP addresses can be just one IP address.

 

In case the remote end point is a single computer, choose "Single Address". When choosing "Single address", only the field "Remote host address" is available.

 

Remote address

This field is labelled "Remote host address" or "Remote LAN address" depending on the address type. It is the IP address of the remote host, or the network address of the remote LAN behind the gateway, with which the VPN tunnel is opened.

 

Subnet mask

Subnet mask of the remote LAN. Only available when address type is equal to "Subnet address".

 

ESP encryption

Encryption algorithm negotiated during IPSec phase (3DES, AES, ...)

 

ESP authentication

Authentication algorithm negotiated during IPSec phase (MD5, SHA, ...)

 

ESP mode

IPSec encapsulation mode: tunnel or transport.

 

PFS group

Diffie-Hellman group (key length) used for Perfect Forward Secrecy.

 

Open Tunnel

This button opens the selected tunnel. As soon as the tunnel is opened, this button changes to "Close Tunnel".

 

Scripts

Scripts may be configured in the Script configuration window.

 

 

Note: the "IP Range" feature combined with the "Open tunnel when traffic" feature allows the tunnel to be opened automatically when traffic is detected towards a specific range of IP addresses. However, the range of IP addresses must be authorized in the configuration of the VPN gateway.
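An added example (not Syswan code) of the three Address type choices and the two checks the text above asks for: that the VPN Client address stays outside the remote endpoint, and that only traffic towards the configured subnet, range or host would trigger "Open tunnel when traffic". The selector class and helper functions are this example's own.

```python
"""Phase 2 'Address type' selectors and the virtual-IP check described above
(constructed example, not Syswan code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4 = ipaddress.IPv4Address
SUBNET, RANGE, SINGLE = "Subnet address", "IP Range", "Single Address"


@dataclass(frozen=True)
class Phase2Selector:
    """Remote endpoint of a Phase 2, one of the three 'Address type' choices."""
    address_type: str
    network: Optional[ipaddress.IPv4Network] = None   # Subnet address
    start: Optional[IPv4] = None                       # IP Range
    end: Optional[IPv4] = None
    host: Optional[IPv4] = None                        # Single Address

    def contains(self, ip: IPv4) -> bool:
        if self.address_type == SUBNET:
            return ip in self.network
        if self.address_type == RANGE:
            return self.start <= ip <= self.end
        if self.address_type == SINGLE:
            return ip == self.host
        raise ValueError(f"unknown address type {self.address_type!r}")

    def describe(self) -> str:
        if self.address_type == SUBNET:
            return f"{self.network.network_address} mask {self.network.netmask}"
        if self.address_type == RANGE:
            return f"{self.start}-{self.end}"
        return str(self.host)


def subnet_selector(remote_lan: str, subnet_mask: str) -> Phase2Selector:
    """'Remote LAN address' + 'Subnet mask'; strict=True rejects a LAN address
    with host bits set (e.g. 192.168.1.100 with mask 255.255.255.0)."""
    net = ipaddress.IPv4Network(f"{remote_lan}/{subnet_mask}", strict=True)
    return Phase2Selector(SUBNET, network=net)


def range_selector(start: str, end: str) -> Phase2Selector:
    """'Start address' + 'End address'; the range may be a single address."""
    s, e = IPv4(start), IPv4(end)
    if e < s:
        raise ValueError("End address must not precede Start address")
    return Phase2Selector(RANGE, start=s, end=e)


def single_selector(remote_host: str) -> Phase2Selector:
    """'Remote host address' for a single remote computer."""
    return Phase2Selector(SINGLE, host=IPv4(remote_host))


def check_vpn_client_address(vpn_client_address: str, selector: Phase2Selector) -> List[str]:
    """Warn if the virtual 'VPN Client address' falls inside the remote endpoint,
    which the manual says to avoid (e.g. 192.168.192.138 in 192.168.192.0/24)."""
    vip = IPv4(vpn_client_address)
    if selector.contains(vip):
        return [f"VPN Client address {vip} belongs to the remote endpoint "
                f"{selector.describe()}; choose an address outside it"]
    return []


def traffic_opens_tunnel(selector: Phase2Selector, destination: str) -> bool:
    """'Open tunnel when traffic' only triggers for destinations inside the
    configured subnet, range or single host."""
    return selector.contains(IPv4(destination))
```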

 

For more advanced settings, click on 'P2 Advanced'.

 

Once the parameters are set, click on 'Save & Apply' to save and to take into account the new configuration.

 

6.4.3 Phase2 Advanced Settings Description

 

For advanced features and parameters, click on the 'P2 Advanced' button in the Phase 2 panel.

 

 

 

Automatic Open Mode

The VPN Client can automatically open the specified tunnel (Phase 2) on specific events such as:

  Auto open this tunnel when the VPN Client starts up.

  Auto open this tunnel when USB stick is inserted (see section "USB Mode").

  Auto open this tunnel when the VPN Client detects traffic towards the remote LAN. If selected, the Phase 2 icon in the Configuration Panel tree list changes its shape/color to reflect that this feature is now active.

 

 

Alternate Servers

DNS and/or WINS server IP addresses of the remote LAN can be entered here, to help users resolve intranet addressing. The DNS or WINS addresses are taken into account as soon as the tunnel is opened, and for as long as it remains open.

 

 

 

6.4.4 Script configuration

 

Scripts may be configured in the Script configuration window. This window can be opened through the button 'Scripts' of a Phase 2 Settings window.

 

 

Scripts or applications can be enabled for each step of a VPN tunnel opening and closing process:

 

  Before tunnel is opened

  Right after the tunnel is opened

  Before tunnel closes

  Right after tunnel is closed

 

This feature makes it possible to execute scripts (batches, scripts, applications...) at each step of a tunnel connection for a variety of purposes, e.g. to check the current software release, to check database availability before launching a backup application, or to check that a program is running.

 

It also makes it possible to apply various network configuration changes before, during and after a tunnel connection.

 

6.5 Global Parameters

 

6.5.1 Global Settings Description

 

Global Parameters are generic settings that apply to all created VPN tunnels. Once modified, click on 'Save & Apply' to take into account your modifications.

 

 

 

    Lifetime (sec.)

IKE default lifetime

Default lifetime for IKE rekeying.

 

 

IKE minimal lifetime

Minimal lifetime for IKE rekeying.

 

 

IKE maximal lifetime

Maximal lifetime for IKE rekeying.

 

 

IPSec default lifetime

Default lifetime for IPSec rekeying.

 

 

IPSec maximal lifetime

Maximal lifetime for IPSec rekeying.

 

 

IPSec minimal lifetime

Minimal lifetime for IPSec rekeying.

 

    Dead Peer Detection (DPD)

Check interval (sec.)

Interval between DPD messages.

 

Max number of retries

Number of DPD messages sent.

 

 

 

Delay between retries (sec.)

Interval between DPD messages when no reply from remote gateway.

 

    Miscellaneous

Retransmissions

How many times a message should be retransmitted before giving up.

 

Delay between retries

Minimum time before any attempt by the user to restart the IKE negotiation.

 

 

Block non-ciphered connection

When this option is checked, only encrypted traffic is authorized.

 

 

IKE Port

The user can change the port number used for IKE negotiation. Exchanges still use UDP, but they can take place on a port other than 500, as some firewalls do not allow IKE port 500. The remote gateway must support this feature.

 

 

Dead Peer Detection (DPD) is an Internet Key Exchange (IKE) extension (RFC 3706) for detecting a dead IKE peer. The Syswan IPSec VPN Client uses DPD:

 

  to delete opened SA in the VPN Client when a peer has been detected dead.

  to re-start IKE negotiations with the Redundant Gateway if activated in the 'Phase 1 Advanced' Configuration Panel.

 

Once the parameters are set, click on 'Save & Apply' to retain the new configuration.

 

6.6 VPN Tunnel View

 

6.6.1 How to view opened tunnels?

 

The 'Tunnel View' screen shows the VPN tunnels that are currently open. This screen may also be used to close open tunnels: select the tunnel in the list and click on 'Close Tunnel'. Tunnels may also be viewed, opened and closed directly from the context menu of the system tray icon and from the Connection Panel.

 

The Connection Panel can be opened with the button "Connection Panel". It is possible to switch between the Connection Panel and the Configuration Panel with the shortcut key "Ctrl+Enter" (see section 'Shortcuts').

 

 

 

 

6.7 USB Mode

 

6.7.1 What is USB Mode?

 

The Syswan VPN Client gives the possibility to secure VPN configurations and security elements (e.g. PreShared key, Certificates...) by the use of a USB Stick.

 

When you select "USB mode", the VPN configuration and the security elements contained in the configuration are stored on the USB Stick the first time you plug it in.

 

When complete, you just need to insert the USB Stick to automatically open tunnels. And then unplug the USB Stick to automatically close any established tunnels.

 

 

6.7.2 How to set USB Mode?

 

The USB Mode can be set by clicking on the 'USB Stick' icon in the status bar of the Configuration Panel or via the menu:

  Select menu 'File' > 'VPN Configuration File...'

  Select 'USB Stick'

 

 

 

 

 

 

Note: At this stage, if a USB Stick containing a VPN configuration and security elements is already plugged in, the associated drive will be automatically recognized. Please note also that it is not necessary to insert a USB Stick during this step. In case no USB Stick is plugged in, the following warning window will appear:

 

 

Once USB mode is set, the left side box in the status bar shows a USB stick icon.

 

The USB Stick icon is blue when a USB Stick is plugged in.

The USB Stick icon is gray when no USB Stick is plugged in.

 

 

6.7.3 How to enable a new USB Stick?

 

A blank USB Stick (new or freshly formatted) is enabled by copying the VPN configuration and security elements onto it.

 

When you insert a new USB Stick, the IPSec VPN Client automatically proposes to enable the USB Stick through the following options:

  Copying the VPN configuration and security elements onto the USB Stick: the VPN Client will copy the security information onto the USB Stick and leave a copy on the computer. This feature is specifically designed for IT managers to enable multiple USB Sticks for multiple users in no time.

  Moving the configuration onto the USB Stick: the IPSec VPN Client will copy the security information onto the USB Stick and remove all security information from the computer. This method is used to secure a computer once the VPN configuration has been set up.

 

 

 

6.7.4 How to automatically open tunnels when a USB Stick is plugged in?

 

Each tunnel may be configured individually:

  In the IPSec Configuration (Phase 2) of the relevant tunnel, click on 'P2 Advanced' button

  Select the 'Automatically open this tunnel when USB stick is inserted' mode

 

 

6.8 Certificate Management

 

6.8.1 Certificate Management overview

 

The Syswan VPN Client can use Certificates from PEM files, PKCS#12 file or SmartCard.

 

Note: The Syswan VPN Client does not allow the creation of Certificates. Certificates must be created (and stored on a SmartCard) by third-party software. You will find additional support documents on "How to generate Certificates" or "How to convert Certificate formats" on our web site.

 

 

6.8.2 How to configure IPSec VPN Client with PKCS#12 Certificates

 

PKCS#12 certificates are supported by a lot of gateways. Syswan IPSec VPN Client can import PKCS#12 certificates into the VPN Configuration, directly from the main interface. One PKCS#12 certificate can be defined per tunnel. Therefore, it is possible to connect to several gateways that do not use the same PKI (Public Key Infrastructure).

 

Here are the steps to configure the IPSec VPN Client with PKCS#12 Certificates:

 

Step 1: Select radio button 'Certificate' in the 'Phase 1' window and click on 'Certificates Import...'

 

 

Step 2: Select 'Certificate from a PKCS#12 file' in the list box, then click on the 'Import...' button.

Step 3: Select the PKCS#12 Certificates you want to import. If the PKCS#12 Certificate is protected, enter the password in the password pop-up window. Once the Certificate is correctly imported, its subject is automatically displayed in the top fields of the 'Certificates Import...' window. Also, key icons are displayed next to each certificate component (root certificate, user certificate, private key) as shown below.

 

 

Step 4: PKCS#12 Certificates will be stored in the VPN Configuration file as soon as you click on "Save & Apply".

 

 

Note: Once the Certificate is imported, its subject is used for the local ID of the associated Phase 1. This is shown in the P1 Advanced window with the following indication:

 

 

 

6.8.3 How to configure IPSec VPN Client with PEM Certificates

 

Syswan IPSec VPN Client can import PEM Certificates into the VPN Configuration directly from the Configuration Panel. One PEM Certificate can be defined per tunnel. Therefore, it is possible to connect to several gateways that do not use the same PKI (Public Key Infrastructure).

 

Here are the steps to configure the IPSec VPN Client with PEM Certificate

 

Step 1: Select radio button 'Certificate' in the Phase 1 window and click on 'Certificates import...'

 

 

Step 2: Choose "Certificate from a PEM file" in the list box

 

Step 3: Import the Root Certificate, the User Certificate and the Private Key by clicking on the associated button. Once the certificate is correctly imported, its subjects are filled in the 'Certificate Import...' window.

 

 

 

Step 4: PEM Certificates will be stored in the VPN Configuration file as soon as you click on "Save & Apply".

 

Once the Certificate is imported, its subject is used for the local ID of the associated Phase 1. This is shown in the P1 Advanced window with the following indication:

 

 

Note: The PEM file enclosing the private key must not be encrypted or protected with a password.

 

 

 

6.8.4 Smart Card and Token Management

 

How to configure a tunnel with Certificates from a Smart Card

 

The Syswan VPN Client can read Certificates from Smart Cards. Smart Cards can be used for securing X509 certificates that can be protected by a PIN code.

 

Here are the steps to configure a tunnel using Certificates from Smart Cards:

 

Step 1: Select radio button 'Certificate' in the 'Phase 1' window and click on 'Certificates Import...'

 

 

Step 2: Select 'Certificate from a Smart Card' in the list box. The bottom part of the window shows a list of Smart Card Readers.

 

 

 

 

 

Step 3: Select the Smart Card Reader you want to use. The Smart Card Reader identification process starts and a PIN code may be required. Enter your 'Smart Card PIN code' and click 'OK'.

 

 

 

Once the Smart Card is successfully read, information about the Smart Card Reader and the Smart Card are displayed in the text area below the list box, while the subjects of the Certificates are displayed in the top two fields of the window:

 

 

Step 4: Smart Card Reader information will be stored in the VPN Configuration file as soon as you click on "Save & Apply".

 

 

How to use a tunnel with Certificates from a Smart Card

 

When a tunnel is configured to use Certificates from a Smart Card, the PIN code of the Smart Card is required each time the tunnel is opened (except during automatic VPN renegotiations).

 

To open a tunnel with Certificates from a Smart Card, it is required to have:

 

1. The Smart Card Reader correctly installed and configured in the IPSec VPN Client

2. A readable Smart Card inserted in the Smart Card Reader

3. The correct PIN code for reading the Smart Card.

 

Each problem encountered when using a Smart Card is displayed in the Software Console. See section 'Smart Card Troubleshooting' below.

 

Smart Card Troubleshooting

 

Users may encounter issues while configuring Smart Card and Smart Card Readers.

 

 

Smart Card Trouble: No Smart Card Reader is found
Message displayed (*):
    No smart card found
    If no Smart Card is found, it is probably because the SmartCard Reader middleware is missing. The procedure to easily add a Smart Card Reader middleware is displayed in the text area below the list box.

Smart Card Trouble: No ATR
Message displayed (*):
    Unknown ATR: this smart card may not be supported.
    No PKCS#11 middleware for this smart card was found.
    You can set PKCS#11 middleware with the command line:
    Vpnconf.exe /addmiddleware:path_to_the_dll

Smart Card Trouble: The Smart Card cannot be read
Message displayed (*):
    ATR = 3B:7B:18:00:00:00:31:C0:64:77:E3:03:00:82:90:00
    Using IDOne Lite
    PKCS#11 middleware found
    Error 0x00000015

Smart Card Trouble: The PIN code is wrong
Message displayed (*):
    ATR = 3B:7B:18:00:00:00:31:C0:64:77:E3:03:00:82:90:00
    Using IDOne Lite
    PKCS#11 middleware found
    Wrong PIN code

Smart Card Trouble: No certificate can be found in the Smart Card
Message displayed (*):
    ATR = 3B:7B:18:00:00:00:31:C0:64:77:E3:03:00:82:90:00
    Using IDOne Lite
    PKCS#11 middleware found
    No configuration or no certificate found in the smart card

(*) Message displayed in the text area below the Smart Card listbox.

 

Users may encounter issues while opening a tunnel which requires Certificates on a Smart Card.

 

Smart Card Trouble: No Smart Card Reader is found
Message displayed in the Console: Missing Smart Card Reader

Smart Card Trouble: The PIN code is wrong
Message displayed in the Console: Wrong PIN code

Smart Card Trouble: No certificate can be found in the Smart Card, or the Smart Card cannot be read
Message displayed in the Console: Empty or unreadable Smart Card

 

6.9 Configuration Management

 

6.9.1 Import or Export VPN Configuration via menu

 

The Syswan VPN Client can import or export a VPN Configuration. With this feature, IT managers can prepare a configuration and deliver it to other users.

  To import a configuration, select the menu "File > Import VPN Configuration".

  To export a configuration, select the menu "File > Export VPN Configuration".

 

An exported VPN configuration file will have a ".tgb" extension.

 

The exported VPN Configuration can be protected with a password. When the user wants to export a configuration, a pop up window automatically asks if the exported VPN configuration must be protected with a password or not.

 

 

When a VPN Configuration is protected with a password, importing it will automatically prompt the user for the password. An exported VPN Configuration which is not protected with a password will be imported automatically without any request to the user.

 

Note: Import/Export in 'USB Mode'

When the Syswan VPN Client is configured in "USB Mode" and a USB stick is inserted, an imported VPN Configuration is written directly to the USB stick. If the VPN Client is configured in "USB mode" but no USB stick is inserted (the USB icon in the bottom left corner of the GUI is disabled), export and import of a VPN Configuration are disabled.

 

Note: A VPN Configuration file can also be imported via the command line.

 

 

6.9.2 Merging VPN Configurations

 

Syswan IPSec VPN Client can import one or several tunnels into an existing VPN Configuration. With this feature, IT managers can merge a new VPN Configuration with new gateways into an existing VPN Configuration and deliver it to users or group of users.

 

Merging VPN Configurations can be done in several ways.

 

1. Import new VPN Configuration via menu 'File'>'Import VPN Configuration' and then select 'Add' instead of 'Replace'.

 

 

 

2. Drag & drop a new VPN Configuration into the software with an existing VPN Configuration already opened. The exact same popup window (see above) will appear asking if the user wants to 'Add' or 'Replace' existing VPN Configuration.

 

3. Import new VPN Configuration via command line.

 

"[path]\vpnconf.exe /add:[file.tgb]" where [path] is the VPN Client installation directory, and [file.tgb] is the VPN Configuration file. This command does not handle relative paths (e.g. "..\..\file.tgb"). For more details, see the import command line section.

 

Whichever way you choose to import a VPN Configuration, the following behaviors apply:

 

    Global parameters are not imported in case at least one tunnel was already configured prior to import and user selects 'Add' VPN Configuration in the popup.

    Global parameters are imported in case the user selects 'Replace' or no tunnel was configured prior to import.

    Tunnel name conflicts between the existing and the imported VPN Configurations are resolved automatically by the software, which appends an increment in brackets, e.g. tunnel_office(1), to the imported tunnel names (both Phase 1 and Phase 2).

 

 

 

6.9.3 Splitting a VPN Configuration

 

The Syswan VPN Client can export one tunnel from an existing VPN Configuration. With this feature, IT managers can split an existing VPN Configuration into smaller VPN Configurations and deliver them to users or groups of users.

 

To export a single tunnel, you must follow the following steps:

 

1. Right click on any tunnel Phase 2 from your VPN Configuration, then select 'Export Tunnel'.

 

 

2. A pop-up window appears to ask whether the VPN Configuration should be password protected.

 

 

3. Once exported, the VPN Configuration can be sent to users. Any VPN Configuration can be double clicked to directly launch the Syswan IPSec VPN Client.

 

 

Note:

    Export of a Phase 2 will export the associated Phase 1 as well. This also means that any Certificates defined in this Phase 1 are exported.

    Export of a Phase 2 will export the Global Parameters as well.
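An added example (not Syswan code) of the merge rules of section 6.9.2 and the 'Export Tunnel' rules of section 6.9.3, using an in-memory model of the configuration in place of the .tgb file, whose format the manual does not describe; the class and function names are this example's own.

```python
"""Merging ('Add'/'Replace') and splitting ('Export Tunnel') VPN Configurations,
following the rules in 6.9.2 and 6.9.3 (constructed example, not Syswan code)."""
from copy import deepcopy
from dataclasses import dataclass, field, replace
from typing import Dict, Optional


@dataclass
class Phase1:
    name: str
    remote_gateway: str
    certificate: Optional[str] = None   # certificate subject, if one was imported


@dataclass
class Phase2:
    name: str
    phase1: str          # name of the Phase 1 this Phase 2 belongs to
    remote_lan: str


@dataclass
class VpnConfiguration:
    global_params: Dict[str, object] = field(default_factory=dict)
    phase1s: Dict[str, Phase1] = field(default_factory=dict)
    phase2s: Dict[str, Phase2] = field(default_factory=dict)

    def has_tunnels(self) -> bool:
        return bool(self.phase1s or self.phase2s)


def unique_name(name: str, taken) -> str:
    """Resolve a name conflict the way the manual describes:
    tunnel_office -> tunnel_office(1), tunnel_office(2), ... until free."""
    if name not in taken:
        return name
    n = 1
    while f"{name}({n})" in taken:
        n += 1
    return f"{name}({n})"


def merge_configurations(existing: VpnConfiguration, imported: VpnConfiguration,
                         mode: str) -> VpnConfiguration:
    """mode is 'Add' or 'Replace', the two choices offered in the import pop-up."""
    if mode == "Replace":
        return deepcopy(imported)                 # everything, Global Parameters included
    if mode != "Add":
        raise ValueError(f"unknown import mode {mode!r}")
    result = deepcopy(existing)
    # Global Parameters are imported only when no tunnel was configured before the import.
    if not existing.has_tunnels():
        result.global_params = dict(imported.global_params)
    renamed_p1: Dict[str, str] = {}
    for p1 in imported.phase1s.values():
        new = unique_name(p1.name, result.phase1s)
        renamed_p1[p1.name] = new
        result.phase1s[new] = replace(p1, name=new)
    for p2 in imported.phase2s.values():
        new = unique_name(p2.name, result.phase2s)
        # Keep the Phase 2 attached to its (possibly renamed) Phase 1.
        result.phase2s[new] = replace(p2, name=new,
                                      phase1=renamed_p1.get(p2.phase1, p2.phase1))
    return result


def export_tunnel(config: VpnConfiguration, phase2_name: str) -> VpnConfiguration:
    """'Export Tunnel' on a Phase 2: the associated Phase 1 (with its certificate)
    and the Global Parameters travel with it."""
    p2 = config.phase2s[phase2_name]
    p1 = config.phase1s[p2.phase1]
    return VpnConfiguration(dict(config.global_params),
                            {p1.name: deepcopy(p1)}, {p2.name: deepcopy(p2)})
```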

 

