
6. Configuration Panel

 

6.1 Configuration Wizard

 

6.1.1 Three step Configuration Wizard

 

The Syswan VPN Client provides a Configuration Wizard which enables the creation of a VPN configuration in three easy steps. This Configuration Wizard is designed both for remote computers that need to connect to a corporate LAN through a VPN gateway and for Peer-to-Peer mode.

 

Let's take the following example:

  The remote computer has a dynamically assigned public IP address.

  It tries to connect to the corporate LAN behind a VPN gateway that has the DNS address "gateway.mydomain.com".

  The corporate LAN address is 192.168.1.xxx, e.g. the remote computer wants to reach a server with the IP address 192.168.1.100.

 

[Figure: Remote computer, Corporate VPN Gateway, Corporate network]

To configure this connection, open the wizard window by selecting the menu "Configuration > Wizard".

 

6.1.2 Step 1 of 3: Choice of remote equipment

 

You must specify the type of equipment at the other end of the tunnel: VPN gateway.


6.1.3 Step 2 of 3: VPN tunnel parameters

 

You must specify the following information:

  The public (Wide Area Network) address of the remote gateway

  The pre-shared key you will use for this tunnel (it must be identical to the one configured on the gateway)

  The IP address of your company LAN (e.g. specify 192.168.1.0)

 

 

6.1.4 Step 3 of 3: Summary

 

The third step summarizes your new VPN configuration. Other parameters may be further configured directly via the 'Configuration Panel' (e.g. Certificates, virtual IP address, etc.).


6.2 VPN Tunnel Configuration

 

6.2.1 How to create a VPN Tunnel?

 

To create a VPN tunnel from the Configuration Panel (without using the Configuration Wizard), you must follow these steps:

 

1. Reset Configuration Panel to remove any prior configurations.


2. Right-click on 'Configuration' in the tree list window and select 'New Phase 1'.


3. Configure Authentication Phase (Phase 1).

4. Right-click on the 'new Phase 1' in the tree control and select 'Add Phase 2'.

 

 

5. Configure IPSec Phase (Phase 2).

6. Once the parameters are set, click on 'Save & Apply' to save the new configuration. The IKE service will run with these new parameters.

7. Click on the 'Open Tunnel' button available on the "IPSec Configuration" window to establish the IPSec VPN tunnel.

 

Please refer to Phase 1 and Phase 2 for setting descriptions.

 

 

6.2.2 Multiple Authentication or IPSec Configuration Phase

 

Several Authentication Phases (Phase 1) can be configured. Therefore, one computer can establish IPSec VPN connections with several gateways or other computers (Peer-to-Peer).

 

Similarly, several IPSec Configurations (Phase 2) can be created for the same Authentication Phase (Phase 1).

 

 

6.2.3 Advanced Features

 

Advanced features and parameters can be defined for Phase 1 and Phase 2.

 

Those defined in Phase 1 apply to all Phase 2 entries created in the current VPN Configuration:

  Enable/Disable Config-Mode

  Enable/Disable Aggressive Mode

  Enable/Disable Redundant Gateway

  Select NAT-T mode (Forced, Disabled or Automatic)

  Set X-Auth login/password, with pop-up option

Those defined in Phase 2 only apply to the associated Phase 2:

  Automatic Open Mode

  Choose the script/application to be launched when the tunnel opens

  Manual settings of DNS/WINS server addresses

 

 

6.3 Authentication or Phase 1

 

6.3.1 What is Phase 1?

 

The 'Authentication' or 'Phase 1' window contains the settings for the Authentication Phase (Phase 1), also called the IKE Negotiation Phase.

 

The purpose of Phase 1 is to negotiate IKE policy sets, authenticate the peers, and set up a secure channel between the peers. As part of Phase 1, each end system must identify and authenticate itself to the other.

 

6.3.2 Phase 1 Settings Description

 

 

 

Name

Label used only for reference in the configuration user interface. This value is never used during IKE negotiation. It is possible to change this name after initial configuration. No two Phase 1 entries can have the same name.

 

Interface

IP address of the network interface of the computer through which the VPN connection is established. If the IP address changes (i.e. when it is received dynamically from an ISP), select "Any".

 

Remote Gateway

IP address or DNS address of the remote gateway (example: 10.20.0.1 or myrouter.mycompany.com). This field is mandatory.

 

Pre-shared key

Password or key shared with the remote gateway.

 

Certificate

X509 certificate used by the VPN Client. Click on 'Certificate Import...' to choose the certificate source: PEM files, PKCS#12 file or SmartCard (see section How to configure Certificates). One certificate per tunnel can be configured.

 

IKE encryption

Encryption algorithm used during Authentication phase (3DES, AES, ...).

 

IKE authentication

Authentication algorithm used during Authentication phase (MD5, SHA, ...).

 

IKE key group

Diffie-Hellman key length.

 

For more advanced settings, click on 'P1 Advanced'.

 

6.3.3 Phase 1 Advanced Settings Description

 

For advanced features and parameters, click on the 'P1 Advanced' button in the Phase 1 panel.

 


Config-Mode

When checked, the VPN Client will activate Config-Mode for this tunnel. Config-Mode allows the VPN Client to fetch some VPN configuration information from the VPN gateway. If Config-Mode is enabled, and provided that the remote gateway supports Config-Mode, the following parameters will be negotiated between the VPN Client and the remote gateway during the IKE exchange (Phase 1):

  Virtual IP address of the VPN Client

  DNS server address (optional)

  WINS server address (optional)

 

In case Config-Mode is not available on the remote gateway, you may refer to section 'Phase2 Advanced' settings to manually set DNS and WINS server addresses into the Syswan VPN Client.

 

Aggressive Mode

When checked, the VPN Client will use aggressive mode as the negotiation mode with the remote gateway.

 

 

Redundant GW

This allows the VPN Client to open an IPSec tunnel with an alternate gateway in case the primary gateway is down or not responding. Enter either the IP address or the URL of the Redundant Gateway (e.g. router.dyndns.com).

  Syswan VPN Client will contact the primary gateway to establish a tunnel. If it fails after several tries (default is 5 tries, configurable in "Parameters" panel > "Retransmissions" field) the Redundant Gateway is used as the new tunnel endpoint. Delay between two retries is about 10 seconds.

  If the primary gateway can be reached but tunnel establishment fails (e.g. VPN configuration problems) then the VPN Client will not try to establish tunnels with the redundant gateway. Check your configuration.

  If a tunnel is successfully established to the primary gateway with the DPD feature (i.e. Dead Peer Detection) negotiated on both sides, when the primary gateway stops responding (e.g. DPD detects non-responding remote gateway) the VPN Client immediately starts opening a new tunnel towards the Redundant Gateway.

  The same behavior will apply to the redundant gateway. This means that the VPN Client will try to open primary and redundant gateways until the user exits the software or clicks on 'Save & Apply'.
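The failover rules listed above, as an added illustration rather than Syswan code: a small model that consumes a scripted sequence of connection events ('no_reply', 'reply_but_fail', 'established', 'dpd_dead') and reports which gateway the client would aim at next. The event names and the FailoverModel class are assumptions made for the example.

```python
# Added illustration of the Redundant Gateway failover rules described above.
# This is not Syswan code; it is a simplified model that takes a scripted list
# of events and reports which gateway each connection attempt is aimed at.
from dataclasses import dataclass, field

PRIMARY, REDUNDANT = "primary", "redundant"


@dataclass
class FailoverModel:
    retransmissions: int = 5          # "Parameters" > "Retransmissions" (default 5)
    target: str = PRIMARY             # gateway currently being contacted
    tries: int = 0                    # unanswered attempts against current target
    log: list = field(default_factory=list)

    def _switch(self, reason):
        # The same rule applies in both directions: primary <-> redundant.
        self.target = REDUNDANT if self.target == PRIMARY else PRIMARY
        self.tries = 0
        self.log.append(f"switch -> {self.target} ({reason})")

    def event(self, kind):
        """kind is one of: 'no_reply', 'reply_but_fail', 'established', 'dpd_dead'."""
        if kind == "no_reply":
            self.tries += 1
            if self.tries >= self.retransmissions:
                self._switch("no answer after retransmissions")
        elif kind == "reply_but_fail":
            # Gateway reachable but tunnel setup failed: a configuration problem,
            # so the client does NOT fail over to the other gateway.
            self.tries = 0
            self.log.append(f"stay on {self.target} (check configuration)")
        elif kind == "established":
            self.tries = 0
            self.log.append(f"tunnel up with {self.target}")
        elif kind == "dpd_dead":
            # DPD negotiated on both sides: a dead peer triggers an immediate switch.
            self._switch("DPD detected dead peer")
        else:
            raise ValueError(f"unknown event: {kind}")
        return self.target


def run(events, retransmissions=5):
    """Replay a constructed event list; return the final target and the log."""
    m = FailoverModel(retransmissions=retransmissions)
    for e in events:
        m.event(e)
    return m.target, m.log
```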

 

NAT-T mode

NAT-T mode can be set to Forced, Disabled or Automatic.

NAT-T "Disabled" prevents the IPSec VPN Client and the VPN gateway from starting NAT-Traversal.

NAT-T "Automatic" mode lets the VPN gateway and the VPN Client negotiate NAT-Traversal.

In NAT-T "Forced" mode, the Syswan VPN Client forces NAT-T by encapsulating IPSec packets into UDP frames in order to traverse intermediate NAT routers.

 

Local ID

Local ID is the identity the VPN Client is sending during Phase 1 to VPN gateway. This identity can be:

  an IP address (type = IP address), for example: 195.100.205.101

  a domain name (type = DNS), e.g. mydomain.com 

  an email address (type = Email), e.g. support@Syswan.com

  a string (type = KEY ID), e.g. 123456

  a certificate issuer (type = DER ASN1 DN) (see Certificates configuration)

If this identity is not set, the VPN Client's IP address is used.

 

Remote ID

Remote ID is the identity the VPN Client is expecting to receive during Phase 1 from the VPN gateway. This identity can be:

  an IP address (type = IP address), for example: 80.2.3.4

  a domain name (type = DNS), e.g. gateway.mydomain.com

  an email address (type = Email), e.g. admin@mydomain.com

  a string (type = KEY ID), e.g. 123456

  a certificate issuer (type = DER ASN1 DN) (see Certificates configuration)

If this identity is not set, the VPN gateway's IP address is used.

 

X-Auth

Define the login and password of an X-Auth IPSec negotiation. If "X-Auth popup" is selected, a popup window asking for a login and a password will appear each time an authentication is required to open a tunnel with the remote gateway. The end user has 20 seconds to enter their login and password before X-Auth authentication fails.

If X-Auth authentication fails then the tunnel establishment will fail too.

 

 

Hybrid Authentication Mode

The Hybrid mode is a specific authentication method used within IKE Phase 1. This method assumes an asymmetry between the authenticating entities. One entity, typically an edge device (e.g. a firewall), authenticates using standard public key techniques (in signature mode), while the other entity, typically a remote user, authenticates using challenge-response techniques. These authentication methods are used to establish, at the end of Phase 1, an IKE SA which is authenticated in one direction only. To make this IKE SA bi-directionally authenticated, Phase 1 is immediately followed by an X-Auth exchange [XAUTH], which authenticates the remote user. The use of these authentication methods is referred to as Hybrid Authentication mode. The Syswan IPSec VPN Client implements the IETF draft 'draft-ietf-ipsec-isakmp-hybrid-auth-05.txt'.

 

6.4 IPSec Configuration or Phase 2

6.4.1 What is Phase 2?

 

The 'IPSec Configuration' or 'Phase 2' window concerns settings for Phase 2.

 

The purpose of Phase 2 is to negotiate the IPSec security parameters that are applied to the traffic going through tunnels negotiated during Phase 1.

 

 

6.4.2 Phase 2 Settings Description

 

 

Name

Label used only for reference in the configuration user interface. This parameter is never transmitted during IPSec negotiation. It is possible to change this name after initial configuration. No two Phase 2 entries can have the same name.

VPN Client address

Virtual IP address used by the VPN Client inside the remote LAN: the computer will appear in the LAN with this IP address. It is important that this IP address does not belong to the remote LAN. (Example: you should avoid an IP address like 192.168.192.138 if your remote LAN address is 192.168.192.0 and the subnet mask is 255.255.255.0.)

 

 

Address type

The remote endpoint may be a LAN or a single computer.

If the remote endpoint is a LAN, choose "Subnet address" or "IP Range". When choosing "Subnet address", the two fields "Remote LAN address" and "Subnet mask" become available. When choosing "IP Range", the two fields "Start address" and "End address" become available, enabling the Syswan VPN Client to establish a tunnel only for the predefined range of IP addresses. The range may consist of just one IP address.

 

If the remote endpoint is a single computer, choose "Single Address". When choosing "Single Address", only the field "Remote host address" is available.

 

Remote address

This field may be "Remote host address" or "Remote LAN address" depending on the address type. It is the remote IP address, or LAN network address of the gateway, that opens the VPN tunnel.

 

Subnet mask

Subnet mask of the remote LAN. Only available when address type is equal to "Subnet address".

 

ESP encryption

Encryption algorithm negotiated during the IPSec phase (3DES, AES, ...).

 

ESP authentication

Authentication algorithm negotiated during the IPSec phase (MD5, SHA, ...).

 

ESP mode

IPSec encapsulation mode: tunnel or transport.

 

PFS group

Diffie-Hellman key length.

 

Open Tunnel

This button opens the selected tunnel. As soon as the tunnel is opened, this button changes to "Close Tunnel".

 

Scripts

Scripts may be configured in the Script configuration window.

 

 

Note: the "IP Range" feature combined with the "Open tunnel when traffic" feature allows the tunnel to be opened automatically when traffic is detected towards a specific range of IP addresses. However, that range of IP addresses must be authorized in the configuration of the VPN gateway.
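The "Address type" rules and the virtual-address constraint from the VPN Client address field, as an added example that is not Syswan code: it builds the remote endpoint from the Phase 2 fields for each address type, checks that the VPN Client virtual address lies outside the remote LAN (the manual's 192.168.192.138 case), and decides which destinations count as traffic towards the remote LAN for "Open tunnel when traffic". Function names and the sample addresses are constructed for the example.

```python
# Added example (not Syswan code) modelling the Phase 2 "Address type" rules
# and two checks a practitioner wants before saving a Phase 2:
#   1. the VPN Client virtual address must not belong to the remote LAN;
#   2. which destinations count as "traffic towards remote LAN" for the
#      "Open tunnel when traffic" feature.
import ipaddress


def remote_endpoint(address_type, **fields):
    """Build the set of remote addresses from the Phase 2 fields."""
    if address_type == "Subnet address":
        # ip_network accepts a dotted subnet mask; strict=False tolerates host bits
        return ipaddress.ip_network(
            f"{fields['remote_lan_address']}/{fields['subnet_mask']}", strict=False)
    if address_type == "IP Range":
        start = ipaddress.ip_address(fields["start_address"])
        end = ipaddress.ip_address(fields["end_address"])
        if end < start:
            raise ValueError("End address precedes Start address")
        return (start, end)          # a range of a single address is allowed
    if address_type == "Single Address":
        return ipaddress.ip_network(f"{fields['remote_host_address']}/32")
    raise ValueError(f"unknown address type: {address_type}")


def is_remote(endpoint, ip):
    """True when ip belongs to the remote endpoint definition."""
    ip = ipaddress.ip_address(ip)
    if isinstance(endpoint, tuple):          # IP Range
        return endpoint[0] <= ip <= endpoint[1]
    return ip in endpoint                    # Subnet address or Single Address


def virtual_address_ok(endpoint, vpn_client_address):
    """Manual rule: the virtual IP must not be an address of the remote LAN."""
    return not is_remote(endpoint, vpn_client_address)


def traffic_opens_tunnel(endpoint, dst_ip):
    """'Open tunnel when traffic': only destinations inside the endpoint qualify."""
    return is_remote(endpoint, dst_ip)


# Constructed sample values (not taken from a real deployment).
LAN = remote_endpoint("Subnet address", remote_lan_address="192.168.192.0",
                      subnet_mask="255.255.255.0")
RANGE = remote_endpoint("IP Range", start_address="192.168.1.100",
                        end_address="192.168.1.110")
HOST = remote_endpoint("Single Address", remote_host_address="192.168.1.100")
```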

 

For more advanced settings, click on 'P2 Advanced'.

 

Once the parameters are set, click on 'Save & Apply' to save and to take into account the new configuration.

 

6.4.3 Phase 2 Advanced Settings Description

 

For advanced features and parameters, click on the 'P2 Advanced' button in the Phase 2 panel.

 


Automatic Open Mode

The VPN Client can automatically open the specified tunnel (Phase 2) on specific events such as:

  Auto open this tunnel when the VPN Client starts up.

  Auto open this tunnel when USB stick is inserted (see section "USB Mode").

  Auto open this tunnel when the VPN Client detects traffic towards the remote LAN. If selected, the Phase 2 icon in the Configuration Panel tree list changes its shape/color to reflect that this feature is now active:

 

 

Alternate Servers

DNS and/or WINS server IP addresses of the remote LAN can be entered here, to help users resolve intranet addressing. The DNS or WINS addresses are taken into account as soon as the tunnel is opened, and for as long as it remains open.


6.4.4 Script configuration

 

Scripts may be configured in the Script configuration window. This window can be opened through the button 'Scripts' of a Phase 2 Settings window.

 

 

Scripts or applications can be enabled for each step of a VPN tunnel opening and closing process:

 

  Before tunnel is opened

  Right after the tunnel is opened

  Before tunnel closes

  Right after tunnel is closed

 

This feature makes it possible to execute scripts (batches, scripts, applications, ...) at each step of a tunnel connection for a variety of purposes, e.g. to check the current software release, to check database availability before launching a backup application, or to check that a program is running.

 

It also makes it possible to apply various network configuration changes before, during and after a tunnel connection.

 

6.5 Global Parameters

 

6.5.1 Global Settings Description

 

Global Parameters are generic settings that apply to all created VPN tunnels. Once modified, click on 'Save & Apply' to take into account your modifications.


    Lifetime (sec.)

IKE default lifetime

Default lifetime for IKE rekeying.

IKE minimal lifetime

Minimal lifetime for IKE rekeying.

IKE maximal lifetime

Maximal lifetime for IKE rekeying.

IPSec default lifetime

Default lifetime for IPSec rekeying.

IPSec maximal lifetime

Maximal lifetime for IPSec rekeying.

IPSec minimal lifetime

Minimal lifetime for IPSec rekeying.

 

    Dead Peer Detection (DPD)

Check interval (sec.)

Interval between DPD messages.

 

Max number of retries

Number of DPD messages sent.

 

 

 

Delay between retries (sec.)

Interval between DPD messages when no reply from remote gateway.

 

    Miscellaneous

Retransmissions

How many times a message should be retransmitted before giving up.

 

Delay between retries

Minimum time before any attempt by the user to restart IKE negotiation.

 

 

Block non-ciphered connection

When this option is checked, only encrypted traffic is authorized.

 

 

IKE Port

The user can change the port number used for IKE negotiation. Exchanges still use UDP, but they can take place on a port other than 500, since some firewalls do not allow IKE port 500. The remote gateway must support this feature.

 

 

Dead Peer Detection (DPD) is an Internet Key Exchange (IKE) extension (RFC 3706) for detecting a dead IKE peer. The Syswan IPSec VPN Client uses DPD:

 

  to delete open SAs in the VPN Client when a peer has been detected as dead;

  to restart IKE negotiations with the Redundant Gateway, if one is activated in the 'Phase 1 Advanced' Configuration Panel.

 

Once the parameters are set, click on 'Save & Apply' to retain the new configuration.

 

6.6 VPN Tunnel View

 

6.6.1 How to view opened tunnels?

 

'Tunnel View' screen shows VPN tunnels that are currently open. This screen may also be used to close opened tunnels. To close a VPN tunnel, select the tunnel in the list and click on 'Close Tunnel'. Tunnels may also be viewed, opened and closed directly from the context menu of the system tray icon and from the Connection Panel.

 

The Connection Panel can be opened with the button "Connection Panel". It is possible to switch between the Connection Panel and the Configuration Panel with the shortcut key "Ctrl+Enter" (see section 'Shortcuts').

 


6.7 USB Mode

 

6.7.1 What is USB Mode?

 

The Syswan VPN Client gives the possibility to secure VPN configurations and security elements (e.g. pre-shared key, certificates, ...) by the use of a USB Stick.

 

When you select "USB mode", the VPN configuration and the security elements it contains are stored on the USB Stick the first time you plug it in.

 

Once this is done, you only need to insert the USB Stick to automatically open the tunnels, and to unplug it to automatically close any established tunnels.

 

 

6.7.2 How to set USB Mode?

 

The USB Mode can be set by clicking on the 'USB Stick' icon in the status bar of the Configuration Panel or via the menu:

  Select menu 'File' > 'VPN Configuration File...'

  Select 'USB Stick'


Note: At this stage, if a USB Stick containing a VPN configuration and security elements is already plugged in, the associated drive will be recognized automatically. It is not necessary to insert a USB Stick during this step. If no USB Stick is plugged in, the following warning window will appear:

 

 

Once USB mode is set, the left side box in the status bar shows a USB stick icon.

 

The USB Stick icon is blue when a USB Stick is plugged in.

The USB Stick icon is gray when no USB Stick is plugged in.

 

 

6.7.3 How to enable a new USB Stick?

 

A blank USB Stick (new or freshly formatted) is enabled by copying the VPN configuration and security elements onto it.

 

When you insert a new USB Stick, the IPSec VPN Client automatically proposes to enable the USB Stick through the following options:

  Copying the VPN configuration and security elements onto the USB Stick: the VPN Client will copy the security information onto the USB Stick and leave a copy on the computer. This feature is specially designed for IT managers who need to enable multiple USB Sticks for multiple users quickly.