VPNOG200810-01
VPN Option Guide
GB-OS® Version 4.20
VPN Gateway & GTA Mobile VPN Client
VPN Option Guide Contents
Contents
Introduction ... 1
  What is a VPN? ... 1
  About IPSec VPN on GTA Firewalls ... 1
    The VPN Gateway (Firewall) Component ... 2
      Features ... 2
    The Client Component ... 2
      Features ... 2
      Minimum Requirements ... 3
  Installation Support ... 3
  Support Options ... 3
  Documentation ... 3
    Additional Documentation ... 3
GTA Firewall UTM Appliance Setup ... 4
  Entering Feature Codes ... 4
  Running the VPN Setup Wizard ... 5
    Configuring Gateway to Gateway Connections ... 6
    Configuring Gateway to GTA Mobile VPN Client Connections ... 9
  Configuring a VPN Connection Manually ... 12
    Authentication ... 12
    Creating VPN Configuration Objects ... 12
    Selecting the IPSec Key Mode ... 13
    Creating the VPN Connection using IKE IPSec Key Mode ... 13
    Creating a VPN Connection using Manual IPSec Key Mode ... 15
    Configuring a Custom VPN Object ... 16
    Configuring a Custom Encryption Object ... 18
    Configuring VPN Policies ... 20
    Creating Authorization ... 21
      Creating Groups ... 21
      Creating Users ... 22
    Using VPN Certificates ... 23
      Exporting VPN Certificates ... 25
      Importing VPN Certificates ... 27
GTA Mobile VPN Client Setup ... 28
  Installing the GTA Mobile VPN Client ... 28
  Activating the GTA Mobile VPN Client ... 29
  Configuring the VPN Client Software ... 31
    Running the Configuration Wizard ... 31
    Manually Configuring the GTA Mobile VPN Client ... 33
      Entering Preferences (Parameters) ... 33
      Configuring Phase 1 (Authentication) ... 34
      Configuring Phase 2 (IPSec Configuration) ... 36
    Starting and Stopping VPN Client Connections ... 37
  Advanced GTA Mobile VPN Client Setup ... 38
    Advanced Phase 1 Configuration ... 38
    Advanced Phase 2 Configuration ... 39
    Launching Scripts ... 40
    Configuring Access Control ... 41
    USB Drive Mode ... 42
    Preferences ... 43
      Startup Modes ... 43
      Miscellaneous ... 43
    Console and Configuration Tools ... 44
      Configuration Management ... 44
      Console / Logs ... 45
Reference A: GTA Mobile VPN Client User Interface ... 46
  Configuration Panel ... 46
    Menu Overview ... 46
      File ... 47
      VPN Configuration ... 47
      View ... 47
      Tools ... 47
      ? (Help) ... 47
    Left Hand Menu Icons ... 48
    Configuration Menu Tree ... 48
    Phase 2 Traffic Detection Icon ... 48
    Status Bar ... 48
  Connection Panel ... 49
  System Tray ... 50
    System Tray Menu ... 50
Reference B: VPN Concepts ... 52
  Elements of IPSec VPN Security ... 52
    Verifying Authorization ... 53
    Verifying Data Integrity ... 53
    Ensuring Data Privacy ... 54
  Packet Structure: IPSec VPN ... 54
  GTA Firewall VPN Packet Processing ... 55
Reference C: Example VPN Configurations ... 56
  Example VPN Configurations Using IKE IPSec Mode and Pre-shared Secrets ... 57
    Client to Gateway: Dynamic/Static IP Addresses ... 57
    Client to Gateway: Dynamic IP Addresses ... 61
    Gateway to Gateway: Dynamic/Static IP Addresses ... 65
    Gateway to Gateway: Static/Static IP Addresses ... 67
  Example VPN Configurations Using IKE IPSec Mode and VPN Certificates ... 69
    Client to Gateway: Dynamic/Static IP Addresses ... 69
    Gateway to Gateway: Dynamic/Static IP Addresses ... 74
    Gateway to Gateway: Static/Static IP Addresses ... 77
  Example VPN Configurations Using Manual IPSec Mode ... 79
    Gateway to Gateway: Static/Static IP Addresses and Manual Key Exchange ... 79
Reference D: Troubleshooting ... 82
  On the GTA Firewall ... 82
    FAQ ... 82
      Mobile VPN clients cannot connect to the firewall. Why? ... 82
    Log Messages ... 82
      Security Associations ... 82
      Mobile Client VPN Authentication and Connection ... 83
  On the GTA Mobile VPN Client ... 84
    FAQ ... 84
      My GTA Mobile VPN Client says it is in a 30-day evaluation mode. ... 84
      I receive an error when trying to activate the GTA Mobile VPN Client. Why? ... 84
      How can I activate the GTA Mobile VPN Client when I need to connect to the Internet using a proxy server? ... 85
      I cannot activate the GTA Mobile VPN Client online. How do I activate the client manually? ... 86
      My Internet connection does not work when I return to the office. ... 86
      Why won't the GTA Mobile VPN Client start a VPN on Windows XP? ... 86
      Can I use an address range for my Address Type when configuring Phase 1 settings? ... 87
      When should I set NAT-T to Forced when configuring advanced Phase 1 settings? ... 87
    Log Messages ... 87
      Incorrect Remote Gateway ... 87
      Incorrect Pre-shared Key ... 87
      Incorrect Local ID Value ... 87
      Incorrect Local ID Type ... 87
      Incorrect Remote ID Value ... 88
      Incorrect Remote ID Type ... 88
      Incorrect Phase 2 Settings ... 88
      Incorrect Phase 2 Settings ... 88
      Incorrect Phase 2 Authentication Settings ... 88
      Incorrect Phase 2 Key Group Settings ... 89
      Incorrect Filter Configuration ... 89
VPN Option Guide Introduction
Introduction
What is a VPN?
A VPN is a Virtual Private Network.
What makes it virtual?
• You're not really accessing your private network from the private network: you're accessing it from a public or other untrusted network, such as the Internet. A combination of authentication, encryption and tunneling technologies is used to make sure that your data is transmitted securely, so you can trust your connection as you would trust your normal private network connection.
What makes it private?
• You can access resources on your network as if you were a second private network attached to the private (trusted) part of your network.
VPN connections provide a way to access your protected data from an insecure location, all without compromising your network security.
VPNs vs. Standard NAT Tunnels
Standard NAT tunnels can provide external access to your internal network. So why use a VPN?
VPNs provide more secure access than standard NAT tunnels. VPN tunnels provide methods to assure
authorization, data integrity and privacy. As a result, VPN tunnels can secure even connections that
normally do not provide encryption, authorization or integrity checking on their own.
Standard tunnels do not provide these VPN safety mechanisms!
VPNs are an ideal secure network solution for employees that travel or work from home. They also
can serve to securely connect branch offices to a main office or data center.
GTA firewalls support the IPSec VPN standard; this provides interoperability with many third-party
VPN products. IPSec VPNs can use a defined combination of authentication keys, anti-tampering
hashes, data encryption and IP packet encapsulation to ensure the identity, integrity, and privacy
of your data transfers over public, untrusted networks. For more information, see Elements of IPSec VPN Security.
About IPSec VPN on GTA Firewalls
GTA firewalls provide IPSec controls for both mobile client (commuter-to-office) and gateway-to-gateway (office-to-office) VPN connections.
GTA firewall VPNs are a security gateway version of the IPSec standard; the GTA Mobile VPN Client provides the host version. For specific information on the GTA implementations of the IPSec standard, see Elements of IPSec VPN Security.
The VPN Gateway (Firewall) Component
GTA Firewall UTM Appliances can function as VPN gateways, handling authentication and encryption for VPN tunnels.
The VPN gateway is configured on the firewall directly using the Web administrative interface. VPN configurations are created in Configure>VPN>IPSec Tunnels, and bound to an incoming authorization channel in either Configure>Accounts>Users and Configure>Accounts>Groups (for mobile VPN clients or a second VPN gateway with a dynamic IP address) or Configure>VPN>IPSec Tunnels (where both VPN gateways have a static IP address).
GTA firewalls can interoperate with either another GTA Firewall UTM Appliance (for office-to-office
VPNs) or a mobile VPN client (for commuter-to-office VPNs).
Because GTA firewalls support the IPSec VPN standard, GTA firewall VPNs are also interoperable with third-party products that also support the IPSec VPN standard. For information on creating a VPN between a GTA firewall and another VPN gateway, see additional documentation located on GTA's Web site (http://gta.com/support/documents/).
Features
• NAT traversal
• Easy application of security policies
• Easy creation and revision of VPNs using VPN configuration objects
• Quickly enable and disable VPN authorizations
• AES-128, AES-192 and AES-256, 3DES, DES and Blowfish methods for confidentiality
• MD5, SHA-1 and SHA-2 one-way hash methods for data integrity
• Up to 4,096-bit Diffie-Hellman keys for authenticity
• Authentication using either VPN certificates or pre-shared secrets
The Client Component
With the GTA Mobile VPN Client option, GTA firewalls can also provide VPN protection to travelling
employees or remote workers.
Your mobile VPN client software is installed on the client computer. It serves to locally perform
the authentication, encryption and other services that would normally be performed by a second
VPN gateway. Mobile VPN client software negotiates the connection with your GTA firewall VPN
gateway.
The GTA Mobile VPN Client is Microsoft® Windows®-compatible VPN software.
Features
• NAT traversal
• Easy VPN setup
• Client-to-client and client-to-gateway VPNs
• Compatible with Microsoft® Windows®
• DES, 3DES, and AES encryption methods for confidentiality
• MD5 and SHA-1 one-way hash methods for data integrity
• Up to 2,048-bit Diffie-Hellman keys for authenticity
• USB mode allows easy start/stop of VPN with insertion/removal of a USB drive
• VPN DNS configuration
• Redundant gateway
• Authentication using either VPN certificates or pre-shared secrets
Minimum Requirements
• Microsoft® Windows® 2000, XP, Server 2003, or Vista (32-bit only)
• Intel® Pentium® class or greater processor
• 10 MB unused hard disk space
• 128 MB RAM
• 56K dial-up modem, wireless (WiFi), Ethernet or other compatible network card
Installation Support
Installation ("up and running") support is available to registered users. See GTA's Website for more
information. If you need installation assistance, be sure to register your product and then contact
the GTA Technical Support team by email at support@gta.com. Please include your serial number
and a brief description of the problem in the body of the email.
Support Options
If you need support for GTA Products, a variety of support contracts are available. Contact GTA
Sales staff by email at sales@gta.com for more information. Contracts range from support by the
incident to full coverage for a year. Other assistance is available through the GB-Users Mailing List,
GTA Firewall User Forum, or an authorized GTA Channel Partner.
Documentation
A few conventions are used throughout this guide to help you recognize specific elements of the
text. If you are viewing this guide in PDF format, color variations may also be used to emphasize
notes, warnings and new sections.
Bold Italics: Emphasis
Italics: Publications
Blue Underline: Clickable hyperlink (email address, Web site or in-PDF link)
Small Caps: On-screen field names
Monospace Font: On-screen text
Condensed Bold: On-screen menus, menu items
Bold Small Caps: On-screen buttons, links
Additional Documentation
For instructions on installation, registration and setup of a GTA Firewall, see the GB-OS User's Guide. For optional features, see the appropriate Feature Guide. Manuals and other documentation can be found on the GTA Website (www.gta.com).
Documents on the Website are either in plain text (*.txt) or Portable Document Format (*.pdf), which requires Adobe Acrobat Reader. A free copy of the program can be obtained from Adobe at www.adobe.com.
VPN Option Guide GTA Firewall UTM Appliance Setup
GTA Firewall UTM Appliance Setup
This chapter explains configuration steps for an IPSec Virtual Private Network (VPN) on the GTA
Firewall UTM Appliance. It also provides a worksheet to help with initial configuration.
Each GTA firewall VPN requires two points: an initiator and a responder. The responder must be a
GTA firewall, while the initiator can be either a second VPN gateway or a GTA Mobile VPN client.
GTA firewall VPN setup requires configuration of both:
• A GTA firewall
• A GTA Mobile VPN Client or a second VPN gateway (such as another GTA Firewall UTM Appliance)
If optional VPN features have been purchased, their feature activation codes must be entered into the GTA firewall before using the VPN Wizard or defining the VPN connection manually.
For more information on IPSec VPNs, see Elements of IPSec VPN Security.
Entering Feature Codes
When a VPN option or GTA Mobile VPN Client license package has been purchased, feature activation codes are required for client-to-gateway VPNs. If you have purchased a mobile VPN client license package, navigate to Configure>System>Activation Codes to enter its feature activation code. Click Save.
The feature activation code can be retrieved from the GTA Support Center (https://www.gta.com/support/center/). Once logged in, click on View Your Registered Products and select your firewall's serial number. Your feature activation code will be displayed.
If a gateway-to-gateway VPN is not a standard feature for your GTA Firewall UTM Appliance, and you have purchased a VPN option, enter the VPN option's feature activation code and click Save.
Note
Feature activation codes for gateway-to-gateway VPNs are required only for GTA firewalls that are not
sold with VPN as a standard feature. See your firewall's specifications for more information.
Running the VPN Setup Wizard
The VPN Setup Wizard is designed to help configure a simple Virtual Private Network (VPN). The
wizard will automatically create security policies to accept connections using ESP (protocol 50)
and UDP (ports 500 and 4500) protocols.
Note
All connections through the VPN are controlled by VPN policies, located at Configure>Security Policies>Policy Editor>VPN Policies.
To run the VPN Wizard, navigate to Wizards>VPN Setup. Before running the wizard, it may be helpful to print out and fill in the following worksheet:
Table 2.1: VPN Wizard Worksheet
(Each entry gives the field and its description; the printed worksheet leaves space for the value.)

Local Network
  Gateway: Select the logical interface that acts as the gateway to the local network. Typically, this will be the external interface.
  Network: Select the address object of the configured network you wish to be able to connect to using the VPN. Select <USER DEFINED> to enter the local network's IP address manually.
  Identity: The identity for the local network. The identity should be a fully qualified domain name or email address. This field is only required if the local network is behind a dynamic IP address.

Remote Network
  Gateway Type (circle one: Dynamic / Static): Select the type of the remote network's gateway. This field is only required if the local network is behind a dynamic IP address.
  User Name: The user name that will be used to connect to the remote network. This field is only required if the local network is behind a dynamic IP address.
  Identity: The identity for the remote network. This field is only required if the local network is behind a dynamic IP address.
  Group: The user group that will be connecting to the remote network.
  IP Address / Identity: If the remote network's gateway is Static, enter its IP address. If the gateway is dynamic, enter an IP address, email address or valid DNS resolvable host name to associate the remote gateway with a pre-shared secret key.
  Network: The destination IP address of the network that resides behind the remote firewall. Select <USER DEFINED> to enter the IP address manually.

Pre-shared Secret
  Pre-shared Secret Format (circle one: ASCII / Hex): The format of the pre-shared secret to be used by the VPN.
  Pre-shared Secret: The pre-shared secret to be used by the VPN. This same secret needs to be entered in the GTA Mobile VPN Client when configuring the security policy. This field is case sensitive.
Configuring Gateway to Gateway Connections
The first screen of the wizard will prompt you to enter a brief description of the VPN. For example, Orlando to New York.
Click the Next Arrow to continue.
Figure 2.1: Entering the VPN's Description
Once a description has been entered, it will then be necessary to define the local network that will be establishing the VPN. For the local network's Gateway, select the logical interface assigned to the external network. In most cases, this will be <EXTERNAL>.
For the Network, select the local network that is to be accessible via the VPN. If the desired local network is not listed, you may define it manually by selecting <USER DEFINED> and entering the network's IP address in the corresponding field.
If the selected Gateway is dynamic, enter the Identity to be used. The Identity should be a fully qualified domain name or email address.
Click the Next Arrow to continue.
Figure 2.2: Defining the Local Network (Static Gateway)
Figure 2.3: Defining the Local Network (Dynamic Gateway)
To define the remote network that the VPN will be connecting to, it is necessary to select the nature of the IP address of the external network's Gateway.
If it is a static (fixed) IP address, select the Static radio button and enter the gateway's IP address in the Network field.
If the remote gateway is Dynamic, enter an IP address, email address or a valid DNS resolvable host name in the User Name and Identity fields to associate the remote gateway with a pre-shared secret key. The Group field defaults to Firewalls, which sets the appropriate VPN settings for the connection.
Click the Next Arrow to continue.
Figure 2.4: Defining the Remote Network (Static Gateway)
Figure 2.5: Defining the Remote Network (Dynamic Gateway)
A pre-shared secret is used to ensure a secure, trusted connection between host computers and the internal network. When configuring GTA Mobile VPN Clients for connection to the VPN, the pre-shared secret must match the pre-shared secret defined in this step in order to establish a connection.
Select the character set that the pre-shared secret will be defined with: ASCII or HEX (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F). Enter the pre-shared secret in the corresponding field. The Pre-shared Secret field is case sensitive.
Click the Next Arrow to continue.
Figure 2.6: Entering the Pre-shared Secret
The final screen of the VPN Setup Wizard is a summary view of all entered settings. Please review the VPN's setup prior to committing the displayed configuration. To make changes to your setup, select the Back button to return to the appropriate screen.
Click the Save icon to save the displayed configuration, or select the Cancel icon to abort.
Figure 2.7: Reviewing the VPN's Setup
Configuring Gateway to GTA Mobile VPN Client Connections
To allow users to connect to the GTA firewall's protected networks remotely using the GTA Mobile VPN Client, the GTA firewall's external gateway must have a static IP address. That is, it cannot obtain its IP address using DHCP or PPP.
Note
The VPN Setup Wizard will only configure the GTA firewall to allow connections from the GTA Mobile VPN Client. For instructions on configuring the GTA Mobile VPN Client to connect to the GTA firewall, see Configuring the VPN Client Software.
To run the VPN Setup Wizard, navigate to Wizards>VPN Setup.
The first screen of the wizard will prompt you to enter a brief description of the nature of the VPN. For example, Mobile VPN Connections.
Click the Next Arrow to continue.
Figure 2.8: Entering the VPN's Description
Once a description has been entered, it will then be necessary to define the local network that will be accessible to users using the GTA Mobile VPN Client. For the local network's Gateway, select the logical interface assigned to the external network. In most cases, this will be <EXTERNAL>.
For the Network, select the local network that is to be accessible via the VPN. If the desired local network is not listed, you may define it manually by selecting <USER DEFINED> and entering the network's IP address in the corresponding field.
Figure 2.9: Defining the Local Network (Static Gateway)
To define the remote network, where the Mobile VPN Client will be connecting from, set the Gateway Type to Dynamic.
Enter the Mobile VPN Client's User Name and Identity in the appropriate fields. The Identity must be in the form of an email address. Set the Group to <Users>. For the Network, enter the IP address the GTA Mobile VPN Client should use.
Click the Next Arrow to continue.
Figure 2.10: Defining the Remote Network for GTA Mobile VPN Client Connections
A pre-shared secret is used to ensure a secure, trusted connection between host computers and the internal network. When configuring GTA Mobile VPN Clients for connection to the VPN, the pre-shared secret must match the pre-shared secret defined in this step in order to establish a connection.
Select the character set that the pre-shared secret will be defined with: ASCII or HEX (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F). Enter the pre-shared secret in the corresponding field. The Pre-shared Secret field is case sensitive.
Click the Next Arrow to continue.
Figure 2.11: Entering the Pre-shared Secret
The final screen of the VPN Setup Wizard is a summary view of all entered settings. Please review the VPN's setup prior to committing the displayed configuration. To make changes to your setup, select the Back button to return to the appropriate screen.
Click the Save icon to save the displayed configuration, or select the Cancel icon to abort.
Figure 2.12: Reviewing the VPN's Setup
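A worked check of the worksheet rules used by both wizard walkthroughs above (gateway-to-gateway and GTA Mobile VPN Client). This is an added example in Python, not GTA's code: the Worksheet fields mirror Table 2.1, while the identity patterns, the strict uppercase HEX rule and the error wording are assumptions, not GB-OS's own validation.

```python
"""Check a filled-in VPN Setup Wizard worksheet against the rules stated in
this chapter: identity only behind a dynamic address, a static remote gateway
needs its IP, mobile clients need a static firewall and an e-mail identity,
and a HEX pre-shared secret may only use 0-9 and A-F.  Added example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Accepted identity forms (assumed patterns, not the ones GB-OS itself uses).
_FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# The guide lists HEX digits as 0-9 and A-F and says the field is case
# sensitive, so lowercase is rejected here to avoid a silent mismatch.
_HEX_RE = re.compile(r"^[0-9A-F]+$")


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_fqdn(value: str) -> bool:
    return bool(_FQDN_RE.match(value)) and not is_ip(value)


def is_email(value: str) -> bool:
    return bool(_EMAIL_RE.match(value))


@dataclass
class Worksheet:
    vpn_kind: str                   # "gateway" (office-to-office) or "mobile" (GTA Mobile VPN Client)
    local_gateway_static: bool      # True when the local external interface has a fixed IP
    local_network: str              # address object or CIDR offered over the VPN
    local_identity: Optional[str]   # FQDN or e-mail; required only behind a dynamic IP
    remote_gateway_static: bool     # "Gateway Type" circled on the worksheet
    remote_address: Optional[str]   # IP address of a static remote gateway
    remote_network: str             # network behind the remote firewall, or the client's IP
    remote_user_name: Optional[str]
    remote_identity: Optional[str]
    remote_group: str               # "Firewalls" for a peer gateway, "Users" for mobile clients
    psk_format: str                 # "ASCII" or "HEX"
    psk: str


def check_psk(secret: str, fmt: str) -> List[str]:
    """Problems with the pre-shared secret for the chosen character set."""
    errors = []
    if fmt not in ("ASCII", "HEX"):
        errors.append(f"pre-shared secret format must be ASCII or HEX, not {fmt!r}")
    if not secret:
        errors.append("pre-shared secret is empty")
    elif fmt == "HEX" and not _HEX_RE.match(secret):
        errors.append("HEX pre-shared secret may only contain 0-9 and A-F")
    elif fmt == "ASCII" and not secret.isascii():
        errors.append("ASCII pre-shared secret contains non-ASCII characters")
    return errors


def validate(ws: Worksheet) -> List[str]:
    """Every worksheet rule the filled-in values break (empty list = ready to enter)."""
    problems = check_psk(ws.psk, ws.psk_format)

    # Local side: a dynamically addressed firewall must present an identity.
    if not ws.local_gateway_static:
        if not ws.local_identity:
            problems.append("local gateway is dynamic: Identity is required")
        elif not (is_fqdn(ws.local_identity) or is_email(ws.local_identity)):
            problems.append("local Identity must be a fully qualified domain name or e-mail address")

    if ws.vpn_kind == "mobile":
        # Mobile clients can only reach a firewall whose external address is fixed.
        if not ws.local_gateway_static:
            problems.append("mobile clients require a static IP on the firewall's external gateway")
        if ws.remote_gateway_static:
            problems.append("mobile client connections use Gateway Type Dynamic")
        if ws.remote_group != "Users":
            problems.append("mobile client Group should be <Users>")
        if not ws.remote_user_name:
            problems.append("mobile client User Name is required")
        if not (ws.remote_identity and is_email(ws.remote_identity)):
            problems.append("mobile client Identity must be an e-mail address")
        if not is_ip(ws.remote_network):
            problems.append("mobile client Network must be the IP address the client will use")
    elif ws.remote_gateway_static:
        if not (ws.remote_address and is_ip(ws.remote_address)):
            problems.append("static remote gateway needs its IP address")
        if not ws.remote_network:
            problems.append("remote Network behind the peer firewall is required")
    else:
        # Dynamic peer gateway: identified by User Name and Identity bound to the secret.
        if not (ws.remote_user_name and ws.remote_identity):
            problems.append("dynamic remote gateway needs both User Name and Identity")
        elif not (is_ip(ws.remote_identity) or is_email(ws.remote_identity)
                  or is_fqdn(ws.remote_identity)):
            problems.append("remote Identity must be an IP address, e-mail address or resolvable host name")
        if ws.remote_group != "Firewalls":
            problems.append("gateway-to-gateway Group defaults to Firewalls")
        if not ws.remote_network:
            problems.append("remote Network behind the peer firewall is required")
    return problems
```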
Configuring a VPN Connection Manually
To manually configure an IPSec VPN with a GTA Firewall UTM Appliance, six aspects must be configured in order:
1. Authentication
2. VPN objects (optional)
3. Encryption objects (optional)
4. IPSec Tunnels
5. VPN or GTA Mobile VPN Client authorization
6. VPN Policies (located at Configure>Security Policies>Policy Editor>VPN Policies)
Additionally, the second VPN gateway (GTA firewall or third-party VPN gateway) or mobile VPN
client must be configured to reflect the same settings in order to establish the connection.
Authentication
When a VPN is being configured using IPSec key mode, authentication is performed with either
pre-shared secrets or VPN certificates. GB-OS supports both methods of authentication for IPSec
key mode VPNs.
A pre-shared secret is used to identify a party during the authentication phase of the VPN
connection. By its definition, a pre-shared secret is shared with the other party before the VPN
connection can be established.
VPN certificates, which contain a public key, can be distributed to parties that wish to connect
to the VPN. During the authentication phase of the connection, the requesting party then
authenticates using the VPN certificate and the private key. To create VPN certificates for
authentication, see Using VPN Certificates.
Creating VPN Configuration Objects
VPN objects determine how incoming VPN connections will be negotiated by defining what client or VPN gateway initiation behavior should be acceptable to your GTA firewall.
Default VPN Objects
By default, GB-OS has two VPN objects:
• Standard Dynamic
• Standard Static
Which VPN Object Should I Use?
Depending on whether your GTA firewall has a static or dynamic (DHCP/PPP) IP address, different VPN objects will be used.
If both VPN gateways have a static IP address: Each will use the Standard Static VPN object.
If an initiating VPN gateway (or mobile VPN client) has a dynamic IP address: The dynamically addressed initiator will use the Standard Dynamic VPN object.
Selecting the IPSec Key Mode
Key exchange, essential to authentication during IPSec VPN construction, can be accomplished either automatically using IKE or manually.
Using IKE (automatic key exchange), Phase 1 of the connection establishes an IKE security association (SA) that is later used to securely create an IPSec SA; it negotiates the VPN terms and authorizes the peer. Phase 2 establishes SAs for IPSec, providing source authentication, integrity and confidentiality.
Using manual key exchange, Phase 1 settings will be ignored by the GTA firewall.
Creating the VPN Connection using IKE IPSec Key Mode
Presuming that you use the default VPN objects, navigate to Configure>VPN>IPSec Tunnels.
1. In the IPSec Tunnels section, open the Advanced tab.
2. Ensure the Automatic Policies checkbox is enabled. This option will automatically configure the necessary VPN policies to allow ESP protocol 50/UDP ports 500 and 4500 on the configured VPN. To create more restrictive VPN policies, navigate to Configure>Security Policies>Policy Editor>VPN Policies.
3. In the Dynamic Incoming Connections section, select the Authentication method. If Pre-shared secret is selected, enter the default local identity. Typically, this is <IP Address>. If Certificates is selected, see Using VPN Certificates for more information.
4. In the Dynamic Incoming Connections section, select the VPN object to be used for dynamic incoming connections from the VPN Object pulldown. The default VPN object is Standard Dynamic.
5. In the IPSec Tunnels section, select New to create a new IPSec Tunnel.
6. Select the IPSec Key Mode. For this example, select IKE (automatic key mode). To create a Manual VPN, see Creating a VPN Using Manual IPSec Key Mode.
7. Complete the VPN settings fields as described in the table below:
Table 2.1: Creating a VPN Using IKE IPSec Key Mode

Disable: Check to disable all access for the configured IPSec tunnel.
Description: A description of the IPSec Tunnel.
IPSec Key Mode: IKE (automatic key exchange)
VPN Object: A selection for the VPN object used to define this VPN. See Which VPN Object Should I Use? for more information.
Authentication Method: Select the method in which authentication will be performed. If Certificates is selected, see Using VPN Certificates for more information.
Pre-shared Secret: If the authentication method is set to Pre-shared Secret, enter the secret in ASCII or HEX format. This same key needs to be entered in the VPN's endpoint or GTA Mobile VPN Client.

Options
  Send Keep Alives: To prevent the VPN connection from closing prematurely, select the Send Keep Alives checkbox to have GB-OS automatically send a keep alive packet every 20 seconds.
  Host: If the Send Keep Alives toggle is enabled, select a host on the remote network that the GTA Firewall UTM Appliance should ping.

Local
  Gateway: Select an IP address, alias or H2A group assigned to an external network interface on the local firewall that will serve as the VPN gateway. (For the second VPN gateway or mobile client, this IP address is the remote gateway.) This is the visible, non-encapsulated, non-encrypted IP address.
  NAT: Select the NAT checkbox to apply network address translation to traffic originating from the GTA Firewall UTM Appliance to the VPN connection.
  Network: Select the host/subnetwork that should be accessible from the VPN. Typically this is the protected network or PSN. Alternatively, select <USER DEFINED> and enter the IP address(es) in the IP Address field. If the NAT checkbox has been selected, this field will not be available since it is not required.
  Identity: This field is used to associate the local identity with a pre-shared secret key. Select the user IP address, domain name or email address for user authentication. Typically, this is <IP Address>.

Remote
  Gateway: The IP address of the remote end of the VPN tunnel, the gateway to the remote network. If the remote network is behind a firewall, then this will be assigned to the external network interface. This IP address will also help determine the routing of the encapsulated packet.
  NAT: When the NAT checkbox is selected, the remote network will be the same as the remote gateway.
  Network: Previously defined address object or an IP address of the network that resides behind the remote firewall. This can be just the part of the network to which access is desired. (On a firewall, typically this will be the protected network, PSN or a subnet of either.) Use a subnet mask to define the class of network. If the NAT checkbox has been selected, this field will not be available since it is not required.

Advanced
  Identity: User IP address, domain name or email address for user authentication. This field is used to associate the remote identity with a pre-shared secret key. Typically, this is <IP Address>.
15
VPN Option Guide GTA Firewall UTM Appliance Setup
Creating a VPN Connection using Manual IPSec Key Mode
Presuming that you use the default VPN objects, navigate to Configure>VPN>IPSec Tunnels.
1. In the IPSec Tunnels section, open the Advanced tab.
2. Ensure the Automatic Policies checkbox is enabled. This option will automatically configure the
necessary VPN policies to allow ESP protocol 50/UDP ports 500 and 4500 on the configured
VPN. To create more restrictive VPN policies, navigate to Configure>Security Policies>Policy Editor>VPN Policies.
3. In the Dynamic Incoming Connections section, select the Authentication method.
If Pre-shared secret is selected, enter the default local identity. Typically, this is <IP Address>.
If Certificates is selected, see Using VPN Certificates for more information.
4. In the Dynamic Incoming Connections section, select the VPN object to be used for dynamic incoming
connections from the VPN Object pulldown. The default VPN object is Standard Dynamic.
5. In the IPSec Tunnels section, select New to create a new IPSec Tunnel.
6. Select the IPSec Key Mode. For this example, select Manual.
7. Complete the VPN settings fields as described below:
Table 2.2: Creating a VPN Using Manual IPSec Key Mode
Field
Description
Disable
Check to disable all access for the selected VPN.
Description
A description of the VPN.
IPSec Key Mode
Manual
VPN Object
A selection for the VPN object used to define this VPN. See Which VPN
Object Should I Use? for more information.
Local
Gateway
Select an IP address, alias or H2A group assigned to an external network
interface on the local firewall that will serve as the VPN gateway. (To
the second VPN gateway or mobile client, this IP address is the remote
gateway.) This is the visible, non-encapsulated, non-encrypted IP address.
Network
Select the host/subnetwork that should be accessible from the VPN.
Typically this is the protected network or PSN. Alternatively, select <USER
DEFINED> and enter the IP address in the IP Address field. If the NAT
checkbox has been selected, this field will not be available since it is not
required.
Remote
Gateway
The IP address of the remote end of the VPN tunnel, the gateway to the
remote network. If the remote network is behind a firewall, then this will be
assigned to the external network interface. This IP address will also help
determine the routing of the encapsulated packet. Default is 0.0.0.0.
Network
Previously defined address object or an IP address of the network that
resides behind the remote firewall. This can be just the part of the network
to which access is desired. (On a firewall, typically this will be the protected
network, PSN or a subnet of either.) Use a subnet mask to define
the class of network. If the NAT checkbox has been selected, this field will
not be available since it is not required.
Manual
Encryption Key
Select the format for the encryption key value: ASCII or HEX
Hash Key
The key, in ASCII or HEX format, for the hash algorithm used by the authentication transformation.
Security Parameter Index
Inbound SPI
Default value is 256.
Outbound SPI
Default value is 256.
Encryption Key Length
Blowfish encryption transformations use variable key lengths, while AES, DES, 3DES and Camellia
use a fixed length key. If you exceed the maximum key length in these fields, you will generate an
error and not be able to save the configuration until it is corrected. You may enter a shorter length
key; the system will pad it to the minimum key size. Higher-bit key size generally results in stronger
encryption.
Table 2.3: Encryption Key Length
Algorithm
Key Size
ASCII and Hexadecimal Characters
AES-128
128 bits
16 ASCII or 32 Hex
AES-192
192 bits
24 ASCII or 48 Hex
AES-256
256 bits
32 ASCII or 64 Hex
Blowfish
40-448 bits
5-56 ASCII or 10-112 Hex
DES
64 bits
8 ASCII or 16 Hex
3DES
192 bits
24 ASCII or 48 Hex
Camellia-128
128 bits
16 ASCII or 32 Hex
Camellia-192
192 bits
24 ASCII or 48 Hex
Camellia-256
256 bits
32 ASCII or 64 Hex
Hash Key Length
The key length for the MD5 transformation is 128 bits, which is 16 ASCII characters or 32
hexadecimal characters. The key length for the SHA-1 transformations is 160 bits, which is 20
ASCII (40 hexadecimal) characters; it provides 80 bits of security. The key length for the SHA-2
(SHA-256) transformations is 256 bits, which is 32 ASCII (64 hexadecimal) characters; it provides
128 bits of security against mid-transport data tampering. Generally, larger keys are more secure.
Security Parameter Index (SPI)
The Inbound and Outbound Security Parameter Index (SPI) are arbitrary numbers used to uniquely
identify a security association on a Manual VPN. The Inbound SPI will be the Outbound SPI on the
remote side of the VPN; also, the Outbound SPI will be the Inbound SPI on the remote side of the
VPN. The SPI should be unique for each SA, although the Inbound and Outbound SPI may have
the same value. The minimum SPI value is 256.
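As an added example (not GB-OS code), the following Python checker applies the rules of this section, the key sizes of Table 2.3, the hash key lengths and the SPI rules, to constructed manual-mode settings for both ends of a tunnel; the addresses and keys in it are placeholders, and the hypothetical ManualTunnel record simply mirrors the fields of Table 2.2.

```python
"""Sanity checks for Manual IPSec Key Mode tunnel settings.

Added example, not GB-OS code. It encodes the rules stated in this section:
the key sizes of Table 2.3, the MD5/SHA-1/SHA-256 hash key lengths, the
minimum SPI of 256, and the requirement that the two ends of a manual tunnel
mirror each other's SPIs and gateways and share the same keys.
"""
import string
from dataclasses import dataclass

# Minimum and maximum key size in bits per algorithm (Table 2.3).
ENCRYPTION_KEY_BITS = {
    "AES-128": (128, 128), "AES-192": (192, 192), "AES-256": (256, 256),
    "Blowfish": (40, 448), "DES": (64, 64), "3DES": (192, 192),
    "Camellia-128": (128, 128), "Camellia-192": (192, 192),
    "Camellia-256": (256, 256),
}
# Hash key size in bits (Hash Key Length paragraph).
HASH_KEY_BITS = {"MD5": 128, "SHA-1": 160, "SHA-256": 256}
MIN_SPI = 256


@dataclass
class ManualTunnel:
    """The manual-mode fields of one end of the tunnel (hypothetical record)."""
    local_gateway: str
    remote_gateway: str
    algorithm: str
    key_format: str        # "ASCII" or "HEX": format of encryption_key
    encryption_key: str
    hash_algorithm: str
    hash_key_format: str   # "ASCII" or "HEX": format of hash_key
    hash_key: str
    inbound_spi: int
    outbound_spi: int


def key_bits(value, fmt):
    """Bit length of a key typed in ASCII (8 bits/char) or HEX (4 bits/digit)."""
    if fmt == "ASCII":
        return len(value) * 8
    if fmt == "HEX":
        if len(value) % 2 or not all(c in string.hexdigits for c in value):
            raise ValueError("HEX key must be an even number of hex digits")
        return len(value) * 4
    raise ValueError(f"unknown key format {fmt!r}")


def check_tunnel(t):
    """Return (errors, warnings) for one end of the tunnel.

    Errors are settings the GUI would refuse to save; warnings are accepted
    but weaken the tunnel (a short key is padded, which adds no entropy).
    """
    errors, warnings = [], []
    lo, hi = ENCRYPTION_KEY_BITS[t.algorithm]
    bits = key_bits(t.encryption_key, t.key_format)
    if bits > hi:
        errors.append(f"{t.algorithm}: key is {bits} bits, maximum is {hi}")
    elif bits < lo:
        warnings.append(f"{t.algorithm}: key is {bits} bits, padded to {lo}")
    want = HASH_KEY_BITS[t.hash_algorithm]
    hbits = key_bits(t.hash_key, t.hash_key_format)
    if hbits != want:
        errors.append(f"{t.hash_algorithm}: hash key is {hbits} bits, need {want}")
    for name, spi in (("inbound", t.inbound_spi), ("outbound", t.outbound_spi)):
        if spi < MIN_SPI:
            errors.append(f"{name} SPI {spi} is below the minimum of {MIN_SPI}")
    return errors, warnings


def check_pair(a, b):
    """Cross-check the two ends: SPIs mirrored, gateways swapped, keys equal."""
    errors = []
    if a.inbound_spi != b.outbound_spi or a.outbound_spi != b.inbound_spi:
        errors.append("SPIs are not mirrored between the two ends")
    if a.local_gateway != b.remote_gateway or a.remote_gateway != b.local_gateway:
        errors.append("local/remote gateways do not correspond")
    if (a.algorithm, a.key_format, a.encryption_key) != \
            (b.algorithm, b.key_format, b.encryption_key):
        errors.append("encryption algorithm or key differs between ends")
    if (a.hash_algorithm, a.hash_key_format, a.hash_key) != \
            (b.hash_algorithm, b.hash_key_format, b.hash_key):
        errors.append("hash algorithm or key differs between ends")
    return errors


# Constructed sample: documentation addresses and placeholder keys.
AES_KEY = "00112233445566778899aabbccddeeff" * 2      # 64 hex digits = 256 bits
SITE_A = ManualTunnel("192.0.2.1", "198.51.100.1", "AES-256", "HEX", AES_KEY,
                      "SHA-256", "ASCII", "x" * 32, 256, 257)
SITE_B = ManualTunnel("198.51.100.1", "192.0.2.1", "AES-256", "HEX", AES_KEY,
                      "SHA-256", "ASCII", "x" * 32, 257, 256)
# One end that breaks several rules: 160-bit key for AES-128, 40-bit MD5 key, SPI below 256.
BAD = ManualTunnel("192.0.2.1", "198.51.100.1", "AES-128", "HEX", "aa" * 20,
                   "MD5", "ASCII", "short", 100, 256)

if __name__ == "__main__":
    print(check_tunnel(SITE_A), check_pair(SITE_A, SITE_B))
    print(check_tunnel(BAD))
```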
Configuring a Custom VPN Object
VPN objects configure how incoming VPN connections will be negotiated by defining what client
or VPN gateway initiation behavior should be acceptable by your GTA firewall. Appropriate VPN
configuration objects vary with the type of VPN connection and your security policies.
Encryption objects are used to easily reference encryption settings when configuring a VPN object.
For more information, see Configuring an Encryption Object .
To create or configure an existing VPN object, navigate to Configure>System>Objects>VPN Objects .
Table 2.4: Configuring a VPN Object
Field Name
Description
Disable
Disables the VPN object for use in a VPN configuration.
Name
A unique name for the VPN object to reference it throughout the firewall's
configuration.
Description
A brief description to describe the use of the VPN object.
Phase 1
Exchange Mode
Specify flexible ( <main> ) or forced ( <aggressive> ) negotiation of acceptable
encryption algorithms for IKE. Aggressive mode is required if one
component of the VPN has a dynamic (DHCP or PPP) IP address, such as
with a dynamically-addressed VPN gateway or mobile VPN client.
Encryption Object
A selection for the level of encryption to be used by the VPN object. For
more information on configuring encryption objects, see Configuring a
Custom Encryption Object .
Advanced
NAT-T
A selection for the use of NAT-T (Network Address Translation Traversal)
for connections that do not require NAT-T (that is, connections not using a
NAT that denies VPN IKE connections). <Automatic> automatically uses NAT-T where
applicable, <Disable> disables the use of NAT-T, while <Force> forces the use
of NAT-T.
Lifetime
Specify the length of time in minutes before the Phase 1 (IKE) security
associations must be renewed. Shorter times are generally more secure,
but may reduce performance by adding renewal overhead time to the connection.
DPD Interval
Specify the interval in seconds between checks for continued viability
of the VPN connection (also known as dead peer detection). To disable
DPD queries made by this firewall, set the interval to 0; the firewall will still
respond to DPD signals from other VPN gateways and clients, but will not
initiate any signals of its own.
Phase 2
Encryption Object
Specify the encryption algorithm that this firewall should accept for VPN
data transfers (ESP). Strong encryption means that any algorithm except
None and Null will be accepted from the VPN initiator. (Null provides IP
encapsulation, but no encryption. None provides neither encryption nor
encapsulation.) Null provides no security benefits when using NAT between
firewalls. GTA firewalls initiate connections using AES-128 by default.
Advanced
Lifetime
Specify the length of time in minutes before the Phase 2 security associations
must be renewed. The entered value must be smaller than the Phase 1 Lifetime.
Shorter times are generally more secure, but may reduce performance
by adding renewal overhead time to the connection.
About Phase 1
Phase 1 establishes VPN peer identities (keys) that can be tested for authenticity and establishes
initial security associations (SAs) correlating hosts to encryption methods, securing further VPN
negotiation/setup communications, and not actual transfers of user data.
During Phase 1, the Diffie-Hellman cryptographic technique uses random and prime numbers to
generate a secondary number. These secondary numbers are then exchanged, and each host
uses a combination of these secondary numbers as keys. Because predicting random numbers
and determining prime numbers are both computationally difficult, knowledge of the random
and prime numbers behind the generation of a key can be used to prove host authenticity.
Increased computational power means that a key may eventually be computed; this is the reason
why key-based security such as VPN phases must be periodically regenerated to guarantee the
authenticity of a packet's source.
Once Diffie-Hellman key exchanges have been performed (automatically with IKE or manually),
these temporary keys are used to prove the authenticity of hosts requesting the encryption and
hash methods to be used during Phase 2 negotiations.
Automatic key exchange (IKE) uses Phase 1 settings during its automatic negotiations. Manual
key exchange does not use Phase 1 settings, because the firewall does not provide automatic
negotiations in manual mode.
About Phase 2
Phase 2 uses the host authenticity and the initial hash and encryption agreed in Phase 1
to protect secondary negotiations for authenticity, data integrity and confidentiality settings. These
secondary settings are used in the actual transfer of user data.
Using the temporary protection mechanisms devised during Phase 1, Phase 2 again performs
negotiations for keys, hashes and encryption that will be used to protect the transfer of actual user
data.
Configuring a Custom Encryption Object
Encryption objects are used to easily reference encryption settings when configuring a VPN object.
By default, GB-OS ships with five built-in encryption objects that are pre-configured with varying
levels of encryption. They can be viewed and duplicated, but cannot be edited or deleted.
Table 2.5: Configuring a Custom Encryption Object
Field
Description
Disable
Disables the configured encryption object.
Name
A unique name for the encryption object to reference it throughout the
firewall's configuration.
Description
A brief description to describe the use of the encryption object.
Encryption Method
Select the encryption algorithm that the firewall should accept for VPN
data transfers. Default is <AES-192> .
For more information on what encryption method to select, see Encryption
Method .
Hash Algorithm
Select the hash algorithm that should be used to provide checks
for packet tampering. Default is <HMAC-SHA1>.
For more information on what hash algorithm to select, see Hash
Algorithm .
Key Group
Select the Diffie-Hellman key group (bit size of the key) to use in
authenticity keys. Default is <Diffie-Hellman Group 2>. For more information on
what key group to select, see Key Group.
Encryption Methods
Different encryption methods use proprietary means for generating keys used to verify VPN data
transfers. GTA firewalls support the following encryption methods:
Table 2.6: Encryption Methods
Field
Description
None
None provides neither encryption nor encapsulation when establishing a
VPN connection.
Null
Null provides IP encapsulation, but no encryption. There are no security
benefits when <Null> is selected, but it is useful to transport non-IP protocols
when using NAT between firewalls.
AES 128-256
Advanced Encryption Standard; AES has become the new United States
federal standard for encrypting commercial and government data. AES,
with a key strength of 192 bits, is the default encryption level used by
GB-OS encryption objects.
Blowfish
Blowfish is fast, supports long keys and is widely recognized throughout
the security industry. Blowfish has been known to perform nearly twenty
times faster than DES encryption.
DES
Data Encryption Standard; an algorithm used for encryption which had
been the official algorithm of the United States Government.
3DES
3DES, often referred to as Triple DES, is three rounds of DES encryption.
Each round uses a different permutation of your key. 3DES is a secure
algorithm, yet can impact performance.
Strong
Selecting <Strong> allows use of any encryption algorithm, a suitable selection
when the VPN object's Phase 2 Exchange Mode is set to <Main>.
Camellia
Camellia has a block size of 128 bits, and can use 128-bit, 192-bit or
256-bit keys. Camellia can be implemented at high performance by software
on various platforms and has many similarities to AES.
Hash Algorithm
The encryption object's Hash Algorithm is used to perform packet tampering checks in the Phase 1
and Phase 2 authentication headers. GTA firewalls support the following hash algorithms:
Table 2.7: Hash Algorithms
Field
Description
None
<None> provides no authenticity checks on the connection.
HMAC-MD5
A one-way hash function that creates a 16-byte (128-bit) hash or message
digest to authenticate packet data.
HMAC-SHA1
A one-way hash function that creates a 20-byte (160-bit) hash or message
digest to authenticate packet data. SHA1 is more resistant to attacks than
MD5, but slower to compute.
HMAC-SHA2
Since the inception of SHA1, four more variants have been issued with
increased output ranges and a slightly different design: SHA-224, SHA-256,
SHA-384, and SHA-512; collectively referred to as SHA-2.
All
<All> allows for the use of any hash algorithm.
Key Group
The encryption object's Key Group is used to exchange the VPN's pre-shared secret using a
Diffie-Hellman exchange. In a Diffie-Hellman exchange, two parties independently generate random
public and private values. Each sends their public value to the other (using authentication to foil
man-in-the-middle attacks); the private values remain secret. Each then combines the public key
received with their own private key. The resulting key is the pre-shared secret and it is identical for
both sides.
When selecting the bit size Diffie-Hellman group, keep in mind that while a larger bit size is
generally more secure, it can significantly increase the amount of time it takes to decrypt content.
GB-OS encryption objects default to <Diffie-Hellman Group 2 (1024 bits)> .
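The exchange described in About Phase 1 and in this Key Group section, as an added example that is not GTA's code: two peers keep their private values, exchange only public values, and arrive at the same shared secret over the 1024-bit group the guide calls Diffie-Hellman Group 2. The modulus is transcribed from RFC 2409 section 6.2 (an assumption checked by the block's own primality test); the Peer and run_exchange names are hypothetical.

```python
"""Diffie-Hellman exchange over the group the guide calls Diffie-Hellman Group 2.

Added example, not GB-OS or GTA code. It walks through the exchange the
About Phase 1 and Key Group sections describe: each side keeps a private
value, sends only its public value, and both sides derive the same shared
secret. The modulus is the 1024-bit MODP prime of RFC 2409 section 6.2 as
transcribed here (an assumption); is_probable_prime() lets a test verify it.
"""
import secrets

# 1024-bit MODP prime ("Second Oakley Group", RFC 2409 section 6.2); generator 2.
GROUP2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_GENERATOR = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; enough to validate a transcribed group prime."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class Peer:
    """One end of the VPN. Only `public` is ever sent across the network."""

    def __init__(self, p=GROUP2_PRIME, g=GROUP2_GENERATOR, private=None):
        self.p, self.g = p, g
        # Private exponent: random and never transmitted. A fixed value may
        # be passed in to make a small worked example reproducible.
        self.private = private if private is not None else secrets.randbelow(p - 2) + 1
        self.public = pow(g, self.private, p)

    def shared_secret(self, peer_public):
        """Combine the peer's public value with our own private value."""
        # Reject degenerate public values (0, 1, p-1): they force the result
        # into a tiny subgroup no matter what private value we hold.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("peer public value out of range")
        return pow(peer_public, self.private, self.p)


def run_exchange(p=GROUP2_PRIME, g=GROUP2_GENERATOR, priv_a=None, priv_b=None):
    """Run one exchange; return (secret_a, secret_b, wire_transcript).

    wire_transcript holds everything an observer of the link sees: the group
    and the two public values, but neither private value nor the secret.
    """
    gateway = Peer(p, g, priv_a)
    client = Peer(p, g, priv_b)
    transcript = {"p": p, "g": g, "gateway_public": gateway.public,
                  "client_public": client.public}
    secret_a = gateway.shared_secret(client.public)
    secret_b = client.shared_secret(gateway.public)
    return secret_a, secret_b, transcript


if __name__ == "__main__":
    a, b, wire = run_exchange()
    print("peers agree:", a == b, "secret bits:", a.bit_length())
```

Larger groups cost more in the modular exponentiations above, which is the performance trade-off the guide mentions when choosing a bit size.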
Configuring VPN Policies
By default, GB-OS will automatically configure the necessary security policies to allow inbound
and outbound access for all configured VPNs. If this has been toggled off (the setting is available
under the Advanced tab located on the Configure>VPN>IPSec Tunnels screen) it is necessary to manually define
VPN policies to allow VPN traffic (ESP (protocol 50) and UDP (ports 500 and 4500)).
Note
It is recommended to have automatic policies enabled on the Configure>VPN>IPSec Tunnels screen to simplify
the VPN configuration process.
Use VPN policies (Configure>Security Policies>VPN Policies) to control access through the VPN. Make
modifications to your VPN policy as per your local security policy.
Creating Authorization
If the configured IPSec Tunnel is to be used by GTA Mobile VPN Client users, it is necessary to
define how the mobile users will be authenticating with the firewall.
After configuring a VPN connection, navigate to the Configure>Accounts section to configure mobile
users by assigning them to groups and defining their user accounts. User groups are used to
assign users to a VPN object and local network. User accounts, pooled in user groups, define the
identity and password to be entered when authenticating with the firewall.
Creating Groups
Groups are used to define the VPN object and local network that GTA Mobile VPN Client users will
be using.
When defining a group, additional groups can also be added to the group being defined to pool
additional users. This can be useful if a policy is being defined that is required to affect multiple
groups.
Groups are configured under Configure>Accounts>Groups .
Table 2.8: Creating Groups
Field Name
Description
Disable
Disables the group.
Name
The name for the group.
Description
A short description to identify the purpose of the group.
Mobile VPN
Disable
Disables VPN access for the user group.
Authentication Required
A toggle for whether or not users configured under the group should be
required to authenticate with the firewall using the GTA Mobile VPN Client.
VPN Object
The VPN object to be used by the user group.
Local Network
The local network that users organized within the configured user group
can access.
Groups
Sub Group
Select a previously defined group to reference additional groups.
Description
A short description to explain why this group is included.
Creating Users
User accounts define the identity and password to be entered when mobile users authenticate
with the firewall. By default, the Mobile VPN section of the user's configuration settings is
disabled. The Mobile VPN section must be enabled to allow the connection of mobile users.
Table 2.9: Creating User Accounts
Field Name
Description
Disable
Disables the account.
Name
The name for the account.
Description
A short description to identify the use of the account.
Remote Identity
Used for authentication purposes, this is typically the user's email address.
Group
A selection for the user's user group. Selecting ??? means no user group
has been selected.
See Creating Groups for more information.
Authentication
Method
Select the method for authentication. This field is used for GBAuth authentication
with the GTA Firewall UTM Appliance, and is not necessary for the
configuration of a GTA Mobile VPN Client user.
Password
The password for GBAuth authentication.
Mobile VPN
Disable
Disables VPN access for the account.
Remote Network
The IP address or address object of the remote network. If <USER DEFINED> is
selected to identify the Remote Network, then enter the IP address here.
Authentication
Select the method the mobile user will use to authenticate with the GTA
Firewall UTM Appliance. Options are either Certificates or Pre-shared Secret .
Certificate
If the Authentication method is set to Certificate, then select the VPN certificate
that identifies the remote user. For more information on VPN Certificates,
see Using VPN Certificates.
Pre-shared Secret
If Pre-shared Secret is selected for the method for authentication, enter the
ASCII or HEX value pre-shared secret.
Using VPN Certificates
VPN certificates are based on public-key cryptography, a method of authentication in which one
party verifies another party's identity using a pair of keys (private and public). The public key is
embedded in the VPN certificate, and is used to authenticate parties that have the corresponding
private key.
GB-OS administrators have the choice to create either a self-signed certificate or a Certificate
Signing Request (CSR). A CSR is an unsigned certificate that is meant to be submitted to a
Certificate Authority (CA), which is a reputable third party that verifies the identity of the certificate
holder. Upon receiving the CSR, the CA will then contact the administrator to verify their identity.
Once the CA has verified that the administrator is who they claim to be, the CA will generate a
certificate using data provided in the CSR and encrypt it using the CA's own private key.
A VPN certificate generated by GB-OS contains, at a minimum:
• A name
• An email address
• A country of origin
• An organization
• The duration until the certificate expires
• A public key
How VPN Certificates Work
VPN certificates can be used for firewall to firewall or mobile client to firewall VPN connections.
Firewall to Firewall VPNs
To create a secure firewall to firewall VPN connection using VPN certificates for authentication,
administrators for each GTA Firewall UTM Appliance define certificates for their firewalls and
assign them as the local certificate. The local certificate is used to identify their GTA Firewall UTM
Appliance during Phase 1 of the VPN connection.
After the administrators have set the local certificate on their firewalls, they then export their
certificate and send it to the administrator of the other firewall. Next, each administrator then
imports the other administrator's exported certificate into their own configuration.
Now that each administrator has both created and imported VPN certificates, they can create a
secure VPN connection using VPN certificates for authentication.
Mobile Client to Firewall VPNs
To create a secure VPN connection between a GTA Firewall UTM Appliance and a mobile user
running the GTA Mobile VPN Client using VPN certificates, the GTA Firewall UTM Appliance
administrator must define two certificates. The first certificate is to be used as the local certificate,
which identifies the GTA Firewall UTM Appliance during Phase 1 of the VPN connection. The
second certificate is to identify the mobile user.
After the administrator has defined and set the firewall's local certificate, the firewall administrator
must also define a VPN certificate for the user of the GTA Mobile VPN Client. After the certificates
have been created, they must be exported along with the private key for the GTA Mobile VPN
Client and then imported into the client's configuration.
After the administrator has created the certificates for both the GTA Firewall UTM Appliance and
the mobile user, the local certificate as well as the mobile user's certificate and private key must
be exported and imported into the GTA Mobile VPN Client. Now the GTA Firewall UTM Appliance
administrator and the mobile user can create a secure VPN connection using VPN certificates for
authentication.
Generating VPN Certificates
To use VPN certificates for authentication, a local certificate must be created to identify the GTA
Firewall UTM Appliance during the authentication phase of the VPN connection.
To generate a VPN certificate, navigate to Configure>VPN>Certificates and select the New icon. The
Edit Certificate screen will then be displayed. Enter settings as described below:
Figure 2.2.35: Generating VPN Certificates
Table 2.10: Generating VPN Certificates
Field
Description
Disable
A toggle to disable the configured VPN certificate.
Name
A unique name used to identify the VPN certificate.
Description
A brief description to describe the function of the VPN certificate.
Certificate
Select the Generate toggle to generate a new certificate.
Generate
Type
A selection for the VPN certificate's type. Select Certificate to generate a
self-signed certificate, or CSR to generate a certificate signing request
for submission to a certificate authority.
Common Name
Typically, this is the firewall's host name or the name of the GTA Mobile
VPN Client user.
Email Address
The email address of the firewall administrator or GTA Mobile VPN Client
user.
Country
The country where the firewall or GTA Mobile VPN Client user is physically
located.
State/Region
The state or region where the firewall or GTA Mobile VPN Client user is
physically located.
City/Locality
The city or locality where the firewall or GTA Mobile VPN Client user is
physically located.
Organization
The organization or company that the firewall or GTA Mobile VPN Client
user belongs to.
Organizational Unit
The organizational unit that the firewall or GTA Mobile VPN Client user
belongs to.
Duration
The amount of time, in years, that the certificate is valid for until it expires.
Key Size
A selection for the key size of the VPN certificate. A larger key size is generally
more secure, but is more processor intensive.
Setting the Local VPN Certificate
The firewall's VPN certificate is used to identify the firewall during the authentication phase of a
VPN connection. To set the firewall's VPN certificate, navigate to Configure>VPN>IPSec Tunnels and
select the previously defined VPN certificate for the GTA Firewall UTM Appliance from the VPN
Certificate pulldown.
If the Local Certificate field has not been set, and no certificates have been defined, clicking
Default will cause GB-OS to generate and assign a local certificate for the firewall using the
firewall's host name and data entered in the Configure>System>Contact Information screen.
Note
Changing the local certificate used by your firewall will cause it to automatically generate a new SSL
certificate using data from the local certificate. Once a new SSL certificate has been generated, the
firewall will prompt the user to re-approve the certificate.
Figure 2.3.36: Setting the Local VPN Certificate
Exporting VPN Certificates
In order to send the local VPN certificate to the administrator of the VPN's endpoint or import a
VPN certificate into a GTA Mobile VPN Client's configuration, the certificate must be exported.
When exporting VPN certificates from GB-OS, three file formats are available:
• PEM: The VPN certificate and its private key are exported as separate PEM files. VPN certificates
have a .crt file extension and private keys have a .key file extension.
• DER: The VPN certificate and its private key are exported as separate DER files. VPN certificates
have a .der file extension and private keys have a .key file extension.
• PKCS#12: The VPN certificate and its private key are exported as a single PKCS#12 file.
PKCS#12 can be password protected for additional security. PKCS#12 files have a .p12 file
extension.
To export the local VPN certificate, navigate to Configure>VPN>VPN Certificates and select the previously
defined VPN certificate that is being used as the GTA Firewall UTM Appliance's certificate in
Configure>VPN>IPSec Tunnels. Then, click the Edit button to bring up the Edit Certificate screen and select
the desired file formats for the VPN certificate and its private key. Click the Download buttons to
export the files.
Figure 2.3.36: Exporting VPN Certificates
Table 2.2.42: Exporting the Local VPN Certificate
Field
Description
Disable
A toggle to disable the configured VPN certificate.
Name
A unique name used to identify the configured VPN certificate.
Description
A brief description to describe the function of the configured VPN certificate.
Certificate
Export
Select the file format for the VPN certificate. Click the Download button to
export the file.
Update
Toggle the Update checkbox if you wish to update the VPN certificate's
definition with an existing VPN certificate.
PKCS#12 Password
If the VPN certificate is to be exported as a PKCS#12 file, an optional
password can be set to secure the certificate. The PKCS#12 Password field
is case sensitive.
Private Key
Export
Select the file format for the private key. Click the Download button to
export the file.
If the VPN certificate is to be exported as a PKCS#12 file, this field will not
be available.
Update
Toggle the Update checkbox if you wish to update the private key with an
existing private key.
Importing VPN Certificates
To import a VPN certificate into GB-OS for use in a VPN's configuration or user account definition,
navigate to Configure>VPN>Certificates and select the New icon. The Edit Certificate screen will then be
displayed. Select the Import toggle in the Certificate field to import a VPN certificate.
Note
See Importing VPN Certificates in GTA Mobile VPN Client Setup for instructions on importing VPN
certificates into the GTA Mobile VPN Client's configuration.
Figure 2.2.36: Importing VPN Certificates
Table 2.2.42: Importing VPN Certificates
Field
Description
Disable
A toggle to disable the configured VPN certificate.
Name
A unique name used to identify the VPN certificate.
Description
A brief description to describe the function of the VPN certificate.
Certificate
Import
Certificate
File
Select the Browse button to locate the certificate file.
PKCS#12 Password
If the VPN certificate is a PKCS#12 file, enter the file's password (if applicable).
Private Key
File
Select the Browse button to locate the associated private key.
28
VPN Option Guide GTA Mobile VPN Client Setup
GTA Mobile VPN Client Setup
If laptop computers and other non-gateway servers and computers will connect to your GTA
Firewall UTM Appliance's VPN, install and configure GTA Mobile VPN Client software on those
computers.
Additional Mobile VPN Client licenses are available for purchase separately from an authorized
GTA Channel Partner or GTA sales.
Note
Installation and configuration instructions assume that the client computer is not behind a router that
requires modification.
Installing the GTA Mobile VPN Client
The installation process for the GTA Mobile VPN Client is typical for Windows®-compatible
software.
To install the GTA Mobile VPN Client software:
1. Login to the Windows computer under an administrative account.
2. Start the installer. Click the Next button to read the license agreement. If you agree to the terms,
click Yes to continue the installation.
3. Select an installation path for the software; the default path is C:\Program Files\GTA\Mobile
VPN Client. Complete the installation wizard.
4. After completing the installation wizard, you will be prompted to reboot the computer. Rebooting
the computer completes the installation process.
Activating the GTA Mobile VPN Client
The GTA Mobile VPN Client requires activation for any use beyond the initial thirty day evaluation
period. The license number necessary for activation can be retrieved from the GTA Support Center
(https://www.gta.com/support/center/). Once logged in, click on the View Your Registered Products
link and select your firewall's serial number. Your GTA Mobile VPN Client license number will be
displayed in the Activation Codes section.
Note
Should your GTA Mobile VPN Client license number not be displayed in the Activation Codes section,
make sure your GTA Firewall UTM Appliance is running GB-OS version 3.7 or greater. If you have a
current support contract, please upgrade your GTA firewall and then retrieve the activation code. If you
do not have a current support contract, you will need to contact GTA's sales department or your local
GTA Channel Partner.
To activate the GTA Mobile VPN Client:
1. Open the GTA Mobile VPN Client to start the activation wizard. If the client is already open and
running, navigate to ? (Help)> Activation Wizard .
Figure*2.13: Activation Wizard
2. Click the Activate button. Doing so will display the following screen:
Figure*2.14: Entering the License Number
3. The GTA Mobile VPN Client license number needs to be entered either as a single
string of twenty characters (12345678901234567890) or four sets of six characters
(123456-123456-123456-123456). If your license number is four sets of six characters, you
will need to switch the format of the License Number field to allow entry of your license number.
To do so, select the Click here to enter... link.
Figure*2.15: Switching the License Number Format
4. Enter the GTA Mobile VPN Client license number and click Next . A successful activation will
display the following screen:
Figure*2.16: Completing the Activation Wizard .
Note
If an error message is displayed during activation, refer to Table D.1: Activation Errors for
troubleshooting.
Configuring the VPN Client Software
To connect your computer to the GTA Firewall UTM Appliance's VPN, you must first input
connection settings into the GTA Mobile VPN Client. The wizard will configure the client for a
connection compatible with default GB-OS firewall settings. If you elect to use the VPN client
configuration wizard, you do not need to complete the manual configuration instructions later in
this section.
Use the included worksheet on the following page to collect settings for your VPN client. Enter the
settings as required by tunnel, Phase 1, or Phase 2 setup. Once your VPN client is configured, you
can start or stop your VPN connection as desired.
Running the Configuration Wizard
Running the configuration wizard will configure the GTA Mobile VPN Client for a connection
compatible with default GB-OS firewall settings. Settings for your GTA Mobile VPN Client must
match your firewall's VPN configuration object and authorization settings. Contact your network
administrator to obtain matching VPN settings.
Note
The Configuration Wizard only accepts PKCS#12 VPN certificates. See Exporting VPN Certificates for
more information on exporting a VPN certificate in a PKCS#12 format.
To run the configuration wizard:
• Navigate to VPN Configure>Config. Wizard.
• Complete the available fields.
• Click Next.
• The next screen will allow you to review your settings. If correct, click Finish.
Figure 2.17: Running the Configuration Wizard
Upon completion of the configuration wizard, you will be prompted to either Add the new settings
to the existing configuration or Replace the existing configuration with the new settings.
Caution
Selecting Replace will overwrite previously saved configuration settings.
VPN Settings Worksheet
Print and fill out the below fields for assistance when configuring the GTA Mobile VPN Client.
Table 2.10: VPN Settings Worksheet
Field                                   Value
Firewall IP Address                     000 . 000 . 000 .
Phase 1
  Name
  Interface                             000 . 000 . 000 .
  Remote Gateway                        000 . 000 . 000 .
  VPN Certificate or Preshared Key
  IKE
    Encryption (circle one)             DES  3DES  AES 128  AES 192  AES 256
    Authentication (circle one)         MD5  SHA
    Key Group (circle one)              DH768  DH1024  DH1536  DH2048
Phase 2
  Name
  VPN Client Address                    000 . 000 . 000 .
  Address Type (circle one)             Single Address  Subnet Address
  Remote LAN Address                    000 . 000 . 000 .
  Subnet Mask                           000 . 000 . 000 .
  ESP
    Encryption (circle one)             DES  3DES  AES 128  AES 192  AES 256
    Authentication (circle one)         MD5  SHA
    Mode (circle one)                   Tunnel
    PFS (circle one)                    DH768  DH1024  DH1536  DH2048
Manually Configuring the GTA Mobile VPN Client
If you wish to manually configure the GTA Mobile VPN Client, configure the client using the
following instructions.
Entering Preferences (Parameters)
Parameters for phase lifetime and dead peer detection (DPD) do not need to match the settings of
your GTA firewall, but agreement between the two is beneficial.
To enter lifetimes and DPD intervals for Phase 1 and 2 of your VPN:
1. Start the GTA Mobile VPN Client software (or click its icon in the system tray to display the
Configuration Panel).
2. Click the Parameters icon located in the left hand menu.
3. Enter your IKE and IPSec (Phase 1 and 2) lifetimes in the Lifetime fields. Values entered are in
seconds. Times specify when keys should be renewed and security associations recreated.
Shorter times are generally more secure, although they can add performance overhead to the
VPN.
Note
The maximum lifetimes for the GTA Mobile VPN Client must be less than the lifetime indicated by the
firewall.
4. Enter your Check Interval for dead peer detection (DPD). Do not enter a value of 0.
5. Configure Miscellaneous settings as desired. Retransmissions defines how many times the client
will attempt to retransmit a message before giving up. Delay Between Retries defines the amount
of time, in seconds, before the client will attempt to retry opening a connection. Leave the IKE
Port field blank.
6. Leave Block Non-Ciphered Connection unchecked unless you wish to force all connections, including
traffic with a non-VPN destination, through the VPN tunnel.
7. Click Save & Apply.
Configuring Phase 1 (Authentication)
Phase 1 settings must match your GTA firewall settings. Defaults for Phase 1 are AES-192
encryption, SHA hashes and Diffie Hellman Group 2 (1,024-bit) keys.
To enter Phase 1 settings of your VPN:
1. Start the GTA Mobile VPN Client (or click its icon in the system tray to display the configuration
window).
2. Right-click the Configuration menu item and select New Phase 1. A new sub-item to the Configuration
tree will appear. It will be given a default name, such as CnxVpn1, that you may change by editing
the Name field.
3. Enter a new Name, if desired, with no spaces or special characters (e.g., Office_Phase_1).
4. Select the Interface (network card) that will be used (select ANY to indicate all available network
cards).
5. Enter the Remote Gateway, which should be the external IP address or domain name of your GTA
firewall.
6. If authenticating using pre-shared secrets, enter the Pre-Shared Key (secret) for your VPN and
then Confirm it.
If authenticating using VPN certificates, select the VPN Certificate toggle and click the
Certificate Import button to import the VPN certificate. See Importing VPN Certificates for more
information.
7. Enter appropriate IKE settings such as Encryption, Authentication and Key Group.
8. Click the P1 Advanced button.
Check the Aggressive Mode checkbox. Set NAT-T to <Automatic>.
Enter your Local ID. The Value will be the email address indicated in your firewall's Users configuration,
so select the Type indicating <Email>.
Enter the Remote ID of the firewall. The value should be the external IP address of the firewall, so
select the Type indicating <IP address>.
Click OK.
9. Click Save & Apply to complete Phase 1 configuration.
Figure 2.18: Configuring Phase 1 (Authentication)
Importing VPN Certificates
VPN certificates can be used as an authentication method that uses the exchange of self-signed
or certificate authority certified certificates to guarantee the authenticity of members attempting a
VPN connection. VPN certificates to be imported into the GTA Mobile VPN Client's configuration
are generated by GB-OS and need to be exported from the firewall's configuration. For more
information on generating and exporting VPN certificates in GB-OS, see Using VPN Certificates in
the GTA Firewall UTM Appliance Setup section.
Note
Self-signed certificates, such as those generated by GB-OS, must be imported into the GTA Mobile
VPN Client as PEM files.
To import VPN certificates into the GTA Mobile VPN Client:
1. Start the GTA Mobile VPN Client software (or click its icon in the system tray to display the
configuration window).
2. Open the Phase 1 section of the configuration, select the Certificates toggle, and click the
Certificates Import button. This will display the Certificates Import screen.
3. From the pulldown menu, select the file format of the VPN certificate to be imported. Valid options
are Certificate from a PKCS#12 file and Certificate from a PEM file. VPN certificates stored on a
Smartcard are currently not supported by the GTA Mobile VPN Client.
4. After the selection for the VPN certificate's file format has been made, click the Import button(s)
to import the VPN certificate into the GTA Mobile VPN Client's configuration. If the VPN certificate
is a PEM file, a root certificate, user certificate, and private key will need to be imported. If
the VPN certificate is a PKCS#12 file, only one certificate will need to be imported and it may
require a password.
Note
When importing VPN certificates from GB-OS, the PEM root and PEM user certificates
are the same file.
5. Click OK to apply the VPN certificate to the Phase 1 configuration settings and close the Certificates
Import screen. On the Phase 1 section of the configuration, click Save & Apply to update
the Phase 1 configuration.
Figure 2.19: Importing VPN Certificates
Configuring Phase 2 (IPSec Configuration)
Phase 2 settings must match your GTA Firewall UTM Appliance's settings. Defaults for Phase 2 are
3DES encryption, SHA hashes and Diffie Hellman Group 2 (1,024-bit) keys.
To enter Phase 2 settings of your VPN:
1. Start the GTA Mobile VPN Client (or click its icon in the system tray to show a configuration
window).
2. Right-click on the previously created Phase 1 configuration. Select Add Phase 2. A new sub-item
to the Configuration tree will appear, underneath the Phase 2 configuration. It will be given a
default name, such as CnxVpn1, that you may change by editing the Name field.
3. Enter a new Name, if desired, with no spaces or special characters (e.g., Office_Phase_2).
4. Enter the VPN Client Address, which is the IP address your computer will use when attached to
the firewall's internal network.
5. Select the Address Type. This will be a subnet address if you are connecting to the firewall's
internal network. It will be a single IP address if you are connecting to only one host such as
another GTA Mobile VPN Client.
Enter the Remote Host Address. This will be the IP address of the firewall's internal network with
subnet mask if you are connecting to the firewall's internal network.
6. Enter ESP settings such as Encryption, Authentication and Tunnel Mode. Note that these settings
may be different than those used in Phase 1.
7. Check the PFS (perfect forward secrecy) checkbox.
8. Select the Diffie-Hellman Key Group.
9. Click Save & Apply. If you wish to open your VPN connection immediately, click Open Tunnel.
Figure 2.19: Configuring Phase 2 (IPSec)
Note
Creating a complete VPN configuration does not automatically open that VPN connection. To start or
stop a VPN connection, see Starting or Stopping VPN Client Connections .
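The guide states that the client's Phase 1 and Phase 2 settings must match the firewall's VPN configuration object, that the client's lifetimes must be shorter than the firewall's, and that the DPD Check Interval must not be 0. The following Python script is an added example, not part of this guide or of GB-OS: it models the fields of the Table 2.10 worksheet and reports every mismatch before a tunnel is attempted, so a failed negotiation can be traced to a worksheet entry rather than to the firewall. It also flags DES, MD5 and DH768 as legacy choices, which goes beyond what the worksheet itself says. The TEST-NET address, the lifetimes and both sample profiles are constructed.

```python
# Added example, not part of the GTA VPN Option Guide or of GB-OS. It checks a
# filled-in Table 2.10 worksheet (the client side) against the firewall's VPN
# object so that mismatches are caught before the first IKE negotiation fails.
# Field names follow the worksheet; every address, lifetime and sample value
# below is constructed.
from dataclasses import dataclass
from typing import List, Tuple

# The worksheet's "circle one" choices.
ENCRYPTION = ("DES", "3DES", "AES 128", "AES 192", "AES 256")
AUTHENTICATION = ("MD5", "SHA")
DH_GROUPS = ("DH768", "DH1024", "DH1536", "DH2048")

# Choices worth a second look even when both sides agree on them (added
# judgement, not a rule from the guide).
LEGACY = {"DES", "MD5", "DH768"}


@dataclass(frozen=True)
class Phase:
    encryption: str
    authentication: str
    dh_group: str      # IKE Key Group (Phase 1) or PFS group (Phase 2)
    lifetime: int      # seconds, as entered in the Parameters panel


@dataclass(frozen=True)
class VpnProfile:
    remote_gateway: str   # client's Remote Gateway / firewall's external address
    phase1: Phase
    phase2: Phase
    dpd_interval: int     # client Check Interval; the guide says never 0


def _check_choices(p: Phase, label: str) -> List[str]:
    """Reject values that are not on the worksheet at all (typos, stale entries)."""
    errors = []
    for name, value, allowed in (
        ("encryption", p.encryption, ENCRYPTION),
        ("authentication", p.authentication, AUTHENTICATION),
        ("key group", p.dh_group, DH_GROUPS),
    ):
        if value not in allowed:
            errors.append(f"{label} {name}: {value!r} is not one of {', '.join(allowed)}")
    return errors


def compare_phase(client: Phase, firewall: Phase, label: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for one phase.

    Errors stop the tunnel: an algorithm or group mismatch, or a client
    lifetime that is not shorter than the firewall's (Note under Entering
    Preferences). Warnings are agreed-upon but legacy choices.
    """
    errors = _check_choices(client, f"client {label}")
    errors += _check_choices(firewall, f"firewall {label}")
    for name in ("encryption", "authentication", "dh_group"):
        cl, fw = getattr(client, name), getattr(firewall, name)
        if cl != fw:
            errors.append(f"{label} {name}: client {cl!r} does not match firewall {fw!r}")
    if client.lifetime >= firewall.lifetime:
        errors.append(f"{label} lifetime: client {client.lifetime}s must be less than "
                      f"firewall {firewall.lifetime}s")
    warnings = [f"{label}: {v} is a legacy choice"
                for v in (client.encryption, client.authentication, client.dh_group)
                if v in LEGACY]
    return errors, warnings


def check_profile(client: VpnProfile, firewall: VpnProfile) -> Tuple[List[str], List[str]]:
    """Check the whole worksheet; an empty error list means the settings line up."""
    errors, warnings = [], []
    for label, cl, fw in (("Phase 1", client.phase1, firewall.phase1),
                          ("Phase 2", client.phase2, firewall.phase2)):
        e, w = compare_phase(cl, fw, label)
        errors += e
        warnings += w
    if client.remote_gateway != firewall.remote_gateway:
        errors.append(f"Remote Gateway {client.remote_gateway!r} is not the firewall's "
                      f"external address {firewall.remote_gateway!r}")
    if client.dpd_interval == 0:
        errors.append("DPD Check Interval must not be 0")
    return errors, warnings


# Constructed firewall side using the GB-OS defaults this section quotes
# (Phase 1 AES-192/SHA/DH Group 2, Phase 2 3DES/SHA/DH Group 2); the
# TEST-NET address and the lifetimes are placeholders.
FIREWALL = VpnProfile(
    remote_gateway="203.0.113.10",
    phase1=Phase("AES 192", "SHA", "DH1024", 28800),
    phase2=Phase("3DES", "SHA", "DH1024", 3600),
    dpd_interval=30,
)

# A constructed worksheet with two common slips: AES 256 circled for Phase 1,
# and the Phase 2 lifetime copied from the firewall instead of set shorter.
CLIENT = VpnProfile(
    remote_gateway="203.0.113.10",
    phase1=Phase("AES 256", "SHA", "DH1024", 14400),
    phase2=Phase("3DES", "SHA", "DH1024", 3600),
    dpd_interval=30,
)

if __name__ == "__main__":
    errs, warns = check_profile(CLIENT, FIREWALL)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

Run it with both sides filled in from the worksheet; the two sample profiles above produce one mismatch error for Phase 1 and one lifetime error for Phase 2. Treat the errors as blocking and the warnings as a prompt to revisit the algorithm choices with the firewall administrator.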
Starting and Stopping VPN Client Connections
Your VPN client software can be configured to automatically start or stop your VPN connection.
This can be particularly useful if your primary network traffic must use the VPN, or if you always
use the same VPN settings. You can also select to start and stop your VPN connections manually.
For a fully automated VPN solution, you may also elect to automatically start your VPN client
software. For more information on automatic startup of your VPN client, see Startup Modes .
To automatically start your VPN connection:
1. Start the GTA Mobile VPN Client (or click its icon in the system tray to show a configuration
window).
2. Select a Phase 2 configuration item in the Configuration tree and click the P2 Advanced button.
3. If you wish your VPN connection to begin automatically upon start of the VPN client software,
check the Automatically Open This Tunnel When VPN Client Starts check box.
4. If you wish your VPN connection to start automatically upon insertion of a USB drive containing
a VPN client configuration, check the Automatically Open This Tunnel When USB Stick Is Inserted
check box.
5. Click Save & Apply.
6. If you are using automatic connection startup that occurs upon insertion of a USB drive, insert
the USB drive. Select File > Export VPN Configuration from the menu to save the exported configuration
to the USB drive.
To manually start and stop your VPN connection:
1. Start the GTA Mobile VPN Client software (or click its item in the system tray to show a configuration
window).
2. Click a Phase 2 configuration item in the Configuration tree. Click Open Tunnel to start the VPN
connection.
3. Click the Connections icon in the left hand menu to view your open VPN connections.
4. To stop a VPN connection, click the VPN connection and click Close Tunnel.
Note
If you are using automatic connection startup that occurs upon insertion of a USB drive, you may also
choose to automatically stop your VPN connection when you remove the USB drive. For more information,
see USB Drive Mode .
Advanced GTA Mobile VPN Client Setup
The GTA Mobile VPN Client has several features to enable use on servers, desktop or laptop
computers.
Advanced Phase 1 Configuration
For advanced features and parameters when configuring Phase 1, click the P1 Advanced button.
Figure 2.20: Phase 1 Advanced
Table 2.11: Advanced Phase 1 Configuration
Field            Value
Config Mode      Config Mode is currently not supported on GTA firewalls.
Aggressive Mode  Aggressive Mode creates a more efficient connection, and it is recommended
                 that it be enabled.
Redundant GW     This field allows the GTA Mobile VPN Client to open an IPSec tunnel
                 with an alternate gateway in case the primary gateway is down or is not
                 responding. Enter either the IP address or DNS resolvable host name of
                 the redundant gateway (e.g., router.gta.com).
NAT-T            A selection for when Network Address Translation Traversal should be
                 used. Typically, <Automatic> should be selected. Other options include
                 <Forced> and <Disabled>.
X-Auth Popup     X-Auth is currently not supported and should remain disabled.
Hybrid Mode      Hybrid Mode is currently not supported and should remain disabled.
Local ID         The Local ID is the identity the VPN client is sending during Phase 2 to the
                 VPN gateway. This value can be an IP Address, domain name (DNS), string of
                 characters (KEY ID), email address (Email) or a certificate issuer.
Remote ID        The Remote ID is the identity the VPN client is expecting to receive during
                 Phase 2 from the VPN gateway. This value can be an IP Address, domain
                 name (DNS), string of characters (KEY ID), or an email address (Email).
Advanced Phase 2 Configuration
For advanced features and parameters when configuring Phase 2, click the P2 Advanced button.
Figure 2.21: Phase 2 Advanced
Table 2.12: Advanced Phase 2 Configuration
Field                Value
Automatic Open Mode  The GTA Mobile VPN Client can automatically open the specified tunnel on
                     the following specific events:
                     • When the GTA Mobile VPN Client starts.
                     • When a USB Drive is inserted. If the VPN configuration file location is
                       not set to USB Stick, then this field is ignored. See USB Drive Mode.
                     • Upon traffic detection.
Alternate Servers    Allows one to specify DNS and/or WINS server IP addresses when the
                     client is active.
Launching Scripts
The GTA Mobile VPN Client can be configured to launch a script or application when a certain
action is performed by the user. For example, this feature can be used to launch a program that
requires resources available on the remote network, or to display an acceptable use policy when
the tunnel is opened.
To configure scripts or applications to launch, click the Scripts button when configuring Phase 2
settings.
Scripts can be configured to launch:
• When the user attempts to open a tunnel.
• When the tunnel is successfully opened.
• When the user attempts to close the tunnel.
• When the tunnel is successfully closed.
Figure 2.22: Launching Scripts
Configuring Access Control
The GTA Mobile VPN Client can be configured to allow varying amounts of access to the client's
Configuration Panel. This feature is useful for system administrators or managers who wish to
install the GTA Mobile VPN Client on a computer but do not want users on the computer to have
the ability to modify their VPN connection settings.
When access to the GTA Mobile VPN Client's configuration settings has been locked, users will be
prompted to enter a password when they click on the client's systray icon or when they attempt to
switch from the Connection Panel to the Configuration Panel.
To lock access to the GTA Mobile VPN Client, navigate to View>Configuration .
Figure 2.23: Configuring Access Control
Table 2.13: Configuring Access Control
Field                    Value
Lock GUI Access          Enter and confirm the password required to access the configuration
                         settings. If the Password and Confirm fields are left blank, no password is
                         required to access the configuration settings.
Show in Systray menu
  Save & Apply           A toggle to show or hide the Save & Apply option when the user clicks on
                         the GTA Mobile VPN Client's systray icon. The Save & Apply option saves
                         and applies any changes made to the configuration.
  Console                A toggle to show or hide the Console option when the user clicks on the
                         GTA Mobile VPN Client's systray icon. The Console option opens the
                         console window.
  Connection Panel       A toggle to show or hide the Connection Panel option when the user clicks
                         on the GTA Mobile VPN Client's systray icon. The Connection Panel option
                         opens the connection panel to view the status of VPN connections.
  Quit                   The Quit toggle cannot be modified.
Figure 2.24: Systray Menus With Options Displayed and Hidden
USB Drive Mode
The VPN client software can be configured to open and close your VPN connection when a USB
drive containing the VPN configuration is inserted or removed.
To use the USB-activated VPN connection handling:
1. Insert the USB drive (also sometimes called a pen drive or USB stick).
2. Start the VPN client software.
3. Select File then VPN Configuration File from the menu.
4. Click USB Stick (Plug-in Automatic Detection).
5. Click OK.
6. Configure your VPN as usual, or copy/export your current VPN configuration onto the USB drive.
7. To start your VPN connection, plug in your USB drive. To stop the connection, eject / remove
the USB drive. (Your VPN client software must remain running to automatically start and stop
your VPN connection.)
The VPN client software can be returned to normal operation at any time by clicking Local (Local
Drive, Classic Mode) in Configuration Mode.
Figure 2.25: Selecting USB Drive Mode
Preferences
The Preferences window allows the user to define the startup mode of the software as well as
enable or disable detection of the network interface's disconnection.
The Preferences window can be accessed by navigating to File>Preferences .
Startup Modes
The GTA Mobile VPN Client can be configured to start a VPN connection upon boot, login, or
manually.
The GTA Mobile VPN Client is set to start manually by default (which requires the user to actively
open the client). Alternatively, other different startup modes can provide the VPN connection upon
boot (e.g. when a service on your server requires a VPN), or upon login (e.g. when VPN connection
is part of your enforced usage policy).
To set the startup mode of the GTA Mobile VPN Client:
1. Start the GTA Mobile VPN Client (or click its icon in the system tray to show a configuration
window).
2. Navigate to File>Preferences .
3. Select the startup mode.
Click Start VPN Client before Windows Logon to start a VPN connection upon boot.
Click Start VPN Client after Windows Logon to start a VPN connection upon user login.
Click Don't start VPN client when I start Windows to start a VPN connection manually when needed.
4. Click OK to commit the change.
Miscellaneous
By disabling detection of the network interface's disconnection, the VPN tunnel will remain open.
This feature is useful if the user is connecting with an unstable connection that disconnects and
reconnects often.
Figure 2.26: Entering Preferences
Console and Configuration Tools
Configuration Management
The GTA Mobile VPN Client allows configurations to be imported and exported. Importing and
exporting configurations facilitates configuration deployment and troubleshooting. Administrators
may configure VPN settings on their computer and then send that configuration to the VPN user.
VPN users can also export their configurations for troubleshooting by the network administrator.
To export or import a VPN configuration:
1. Start the VPN client software.
2. From the File menu, select Import VPN Configuration or Export VPN Configuration .
• If importing the configuration, browse to the location of the file. A GTA Mobile VPN Client
configuration file will have a file extension of ".tgb".
• If exporting the configuration, enter a password if desired. Password protected
configuration files provide greater security.
3. Click Open or OK.
Figure 2.27: Export Password Protection
Note
Exported configuration files can also be imported into the GTA Mobile VPN Client's configuration by
dragging and dropping the file into the client's Configuration tree.
After a configuration file has been dropped into the Configuration tree or imported, you will be
prompted to either Add the new settings to the existing configuration or Replace the existing
configuration with the new settings.
Caution
Selecting Replace will overwrite all previously saved configuration settings.
Console / Logs
The GTA Mobile VPN Client maintains a console that allows you to view current VPN activity.
This activity may contain useful debugging information by providing feedback messages and
component status.
Optionally, you can save the output of the console to a log file for viewing in a text editor.
To view the console/log:
1. Start the VPN client software.
2. From the Tools menu, select the Console menu item.
3. If the console has been stopped, click Start to begin logging.
4. To save the log to a text file, click Save File.
Console messages and logs can be filtered. By selecting the Options button, a series of pull-down
menus become available to control the types of messages displayed. The default messages
displayed (level 0 for each setting) are usually sufficient for debugging purposes.
Figure 2.28: VPN Console
Table 2.14: Console Debug Levels
Label  Name                   Description
Misc   Miscellaneous          The degree of logging detail for low-level messages.
Trpt   Transport              The degree of logging detail for UDP transport mode.
Msg    Message                The degree of logging detail for IKE decoding.
Cryp   Crypto                 The degree of logging detail for cryptographic exchanges.
Timr   Timer                  The degree of logging detail for timers.
Sdep   Sysdep                 The degree of logging detail for IKE interfaces with IPSec.
SA     Security Associations  The degree of logging detail for SA management.
Exch   Exchange               The degree of logging detail for IKE exchanges.
Nego   Negotiation            The degree of logging detail for Phase 1 and Phase 2 negotiation.
Plcy   Policy                 Not used.
All    All                    The degree of logging detail for all subsystems.
VPN Option Guide Reference A: GTA Mobile VPN Client User Interface
Reference A: GTA Mobile VPN Client User Interface
The GTA Mobile VPN Client's user interface remains consistent throughout the application,
providing an intuitive, easy-to-use operating environment. The GTA Mobile VPN Client consists of
two "panels": the Configuration Panel and the Connection Panel. The Configuration Panel's main
menu contains general options available for configuration and review. Select options are also
available as clickable icons or by using context-sensitive right-click menus.
Figure A.1: The GTA Mobile VPN Client
Configuration Panel
The Configuration Panel allows for the entry of VPN connection settings. The Configuration Panel
contains:
• A menu containing items for configuration of the GTA Mobile VPN Client and VPN connection
settings.
• A series of icons which provide shortcuts to VPN configuration settings.
• A VPN configuration menu tree that contains all VPN configurations.
• A status bar which displays the status of the GTA Mobile VPN Client.
Menu Overview
The GTA Mobile VPN Client's main window will display five pulldown menus: File , VPN Configuration ,
View , Tools and ? .
Figure A.2: The GTA Mobile VPN Client Menu
File
The File menu contains import/export functions, a selection for the storage location of the VPN
configuration file, as well as preferences for the application.
Figure A.3: File Menu
VPN Configuration
The VPN Configuration menu contains functions for adding and removing VPN phases, a configuration
wizard as well as adjustments for parameters.
Figure A.4: VPN Configuration Menu
View
The View menu contains selections for viewing the Connection Panel as well as configuration
options.
Figure A.5: View Menu
Tools
The Tools menu contains functions for viewing the VPN Console as well as active connections.
Figure A.6: Tools Menu
? (Help)
To utilize online help and support, see the Help and Online Support menu items. Check For Update informs
if a new version has become available. Activation Wizard allows for activation if the GTA Mobile VPN
Client is running under a 30 day trial. Find the version number of the GTA Mobile VPN Client as
well as the license number it is registered under in the About dialog.
Figure A.7: ? (Help) Menu
Left Hand Menu Icons
The following icons are found along the left hand side of the GTA Mobile VPN Client.
Table A.1: Left Hand Menu Icons
Icon    Icon Action
[icon]  Opens the VPN Console.
[icon]  Allows for the configuration of the VPN's parameters.
[icon]  Allows for the viewing of currently open tunnels.
Configuration Menu Tree
The configuration menu tree displays a visual representation of the GTA Mobile VPN Client's
configuration.
Figure A.8: Configuration Menu Tree
Phase 2 Traffic Detection Icon
Phase 2 menu tree items that belong to a VPN configuration that is configured to open a tunnel
upon traffic detection will display an icon with green edges.
Figure A.9: Configuration Menu Tree
Status Bar
The status bar, located along the bottom of the screen, displays the following information:
• The left box contains an icon which indicates the location of the VPN configuration file. For
example, if USB mode is selected for the location, the icon will be a USB stick.
• The center box displays information about the GTA Mobile VPN Client's status (e.g., VPN ready).
• The right box contains an icon which indicates if a tunnel is open or not. If one or more tunnels
are open, it will be indicated by a green "light". If no tunnels are open, the light will be grayed
out.
Figure A.10: Status Bar
Connection Panel
The Connection Panel enables users to open, close and view information for every configured VPN
connection. The Connection Panel consists of:
• An animated network diagram that displays the status of the current VPN connection.
• A list of all configured VPN connections with an Open / Close button.
Note
Users can toggle between the Connection Panel and the Configuration Panel using the "CTRL + P"
key combination.
Figure A.11: The Connection Panel
System Tray
The GTA Mobile VPN Client can be launched by clicking the system tray icon. Once the application
has been launched, the system tray icon will indicate whether a VPN tunnel is open or not,
depending on its state. A popup window will also display to indicate the VPN tunnel's status and
any potential warnings or errors.
Table A.2: System Tray Icon States
Icon    Icon State
[icon]  The GTA Mobile VPN Client is running, but no VPN tunnel is open. The icon will be grey.
[icon]  The GTA Mobile VPN Client is running and a VPN tunnel is open. The icon will be red.
System Tray Menu
Right-clicking on the system tray icon will display a menu with the following options:
• Open tunnel... Opens the configured tunnel. When open, the menu item will change to Close Tunnel...
• Save & Apply will close any established VPN tunnels, apply the latest VPN configuration and
reopen all VPN tunnels.
• Console opens the console.
• Connection Panel opens the Connection Panel, which provides a means to view open connections.
• Quit will close any established VPN tunnels and close the GTA Mobile VPN Client.
Note
Menu items can be shown or hidden to restrict access to the GTA Mobile VPN Client's Configuration
Panel. See Configuring Access Control for more information.
Figure A.12: System Tray Right-Click Menu
VPN Option Guide Reference B: VPN Concepts
Reference B: VPN Concepts
Elements of IPSec VPN Security
IPSec, a secure network connection standard ( RFC 2401 ) designed by IETF (Internet Engineering
Task Force), provides two implementations: transport mode and tunnel mode. The tunnel mode
implementation applies to VPN gateways, such as GTA firewall VPNs.
GTA firewall VPNs provide:
• Authorization
• Data integrity
• Data privacy
GB-OS IPSec tunnels (VPNs) cause the original IP packet to be:
• Encrypted to hide contents from interceptors
• Hashed to resist tampering
• Authorized with keys and/or authentication to validate transmission according to your security
policies
• Encapsulated within another IP packet to provide routing for the "sealed" original packet
A GTA Firewall UTM Appliance's VPN is essentially a tunnel and a security processing service
for IP traffic, both tunneling and securing packet contents. All GTA Firewall UTM Appliance
VPN-secured traffic receives encapsulation by a secondary IP packet layer after it is secured.
All IP protocols can be secured with a VPN, including TCP (and its higher-level protocols like HTTP
or SSH), UDP, ICMP, and others.
Caution
Varying degrees of data integrity and confidentiality are provided by the hashes, keys and encryption
algorithms you elect to use. GTA recommends that you carefully select each one based upon the
strength and performance needs of your VPN.
IPSec's security benefits arise from the secure creation of authorized, encrypted connections.
IPSec connections utilize some auxiliary TCP and UDP connections to negotiate a secure
connection before actual transmission of user data occurs.
During the creation of an IPSec VPN connection:
1. Hosts (including clients or gateways) exchange pre-shared keys or VPN certificates.
2. Hash and encryption methods are negotiated with identities being assured by the keys from
step 1.
3. Security associations (SAs) are created on each host to contain the agreed security transformations
and associated keys for each VPN destination from step 2.
4. Data transmission receives the protection designated by the established rules of the SAs from
step 3 until they expire or are deleted.
Automatic IPSec key exchange and IPSec SA initialization is provided using the IKE standard ( RFC
2407 and RFC 2409 ). Manual key exchange is supported, but not recommended because of the
security risks inherent in overexposed keys.
IPSec VPNs on GTA firewalls require the use of AH and ESP protocols (IP protocols 51 and 50).
Key exchange and other IKE negotiations may also require the use of UDP port 500. If ESP traffic
is blocked, GTA firewall VPNs will use NAT traversal ( RFC 3947 and RFC 3948 ) to tunnel ESP
traffic using UDP port 4500.
For more information on the IP packet transformations that occur during a GTA firewall VPN
connection, see TCP/IP Packets: IPSec VPN Packet Structure . For more information on IPSec
packet processing specific to GTA firewalls, see GTA firewall VPN Packet Processing . For more
information on the IETF standards applying to IPSec or IKE, see the applicable RFCs: RFC 2401
(IPSec), RFC 2409 (IKE), RFC 2407 (IKE's role in IPSec), RFC 2402 (AH) and RFC 2406 (ESP).
Verifying Authorization
Verifying identity through authentication is an important step of secure computing. Identity allows
policies to be applied based on the trustworthiness and relevance of the data source. For example,
an incoming connection may have both privacy and tamper resistance (data integrity), but unless
you know the sender and authorize their activities, you don't truly know what data you are allowing
onto your network.
IPSec VPN provides authentication during the Phase 1 (IKE) part of VPN initialization. The GTA
firewall implementation of IPSec VPN requires authorization; VPNs will not activate without
an authorization that references a VPN configuration object.
The authorization can be provided in two separate areas of GTA firewall configuration.
For gateway-to-gateway GTA firewall VPNs, the identity is checked by VPNs ; for mobile client GTA
firewall VPNs, identity is checked by Users .
Verifying Data Integrity
Verifying data integrity (tamper-proofing) is also an important part of secure computing. Integrity
assures that the data has not been altered in transit to introduce unwanted content, including
trojans and viruses. For example, you may intend to accept the sender and content of a packet, but
unless you can assure that a third party has not altered it, you don't truly know what data you are
allowing onto your network.
Data integrity is ensured during both Phase 1 and Phase 2 of IPSec VPN creation by keys and
hashes. Separate keys and hashes may be selected for either phase. Key and hash preferences
for a GTA firewall VPN connection are configured in Configure>System>Objects>VPN Objects .
Note
Keys identify the host establishing the connection; the integrity hashes are keyed (HMAC), computed
over both the data and the key, so a packet's hash can only be verified by a destination that knows the
sender's key.
The selection of a key and a hash method is generally a balance between performance, technical
requirements, and strength. Larger keys are generally considered better, but come at the price
of performance. GTA firewalls provide reasonable defaults for many VPNs, but you may wish to
select a greater key length or a different hash algorithm to suit your needs.
Ensuring Data Privacy
Ensuring data privacy is typically a part of secure computing. Privacy allows sensitive data to be
hidden from unauthorized parties. For example, you may trust the source and integrity of data, but
not want others to be able to read it while it is in transit to your network. Common reasons for data
privacy include the transmission of financial and personal data.
Privacy is ensured during both Phase 1 and Phase 2 of VPN creation using encryption algorithms.
Separate encryption methods may be selected for either phase.
IPSec VPNs provide data privacy with encryption. Encryption methods for a GTA firewall VPN
connection are configured in Configure>System>Objects>VPN Objects .
Packet Structure: IPSec VPN
IPSec VPNs use encrypted, encapsulated IP packets to transfer data.
The original IP packet's contents are protected from interception and tampering by the ESP
protocol, which applies the selected encryption, keyed hash and authenticity checks to the
contents. The resulting packet is then wrapped in an outer IP packet layer.
Only hosts holding matching IPSec information (SAs and keys) are able to decrypt the
ESP-encapsulated contents.
Figure B.1: IPSec VPN Packets (figure not reproduced in this text)
GTA Firewall VPN Packet Processing
When a packet arrives at a GTA Firewall UTM Appliance, evaluation sequences are performed to
determine structural correctness and permissibility before a route is created to deliver the packet.
These checks, plus some additional transformations, are performed on all VPN packets.
Failing a check causes the packet to be denied and, by default, logged.
The generalized packet processing sequence for VPN packets includes:
1. Check for valid IP packet structure.
2. Check for spoofed packets and other network attacks.
3. Check for security policies allowing, denying or transforming packet transmission (such as traffic
shaping rules). For IPSec VPN packets, this includes checking for a valid existing IPSec VPN SA as
well as an outbound or remote access filter.
4. Check for routing instructions delivering the packet to its indicated destination. For IPSec VPN
packets, this includes checking for a passthrough filter.
IPSec initialization packets (packets for IKE and IPSec SA setup) are not subjected to the routing
check, as the firewall is their destination; however, these initialization packets do require firewall
access permission from remote access filters. Checks are then performed for authorization and
VPN configuration data to create the IKE and IPSec SAs required by all further IPSec VPN packets.
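The classification a firewall must make before it can apply the sequence above, as an added example (not GB-OS code): it reads the outer IPv4 header and the first bytes of the ESP, AH and UDP payloads, tells IKE on UDP 500, IKE and ESP inside UDP 4500 (NAT traversal, RFC 3948), native ESP and AH apart, and reports whether the packet is an initialization packet gated by a remote access filter or a data packet that needs an existing SA. The sample packets are constructed inline with zero checksums and are not captures; the `Verdict` type and the `classify` function are names chosen for this example.

```python
"""Classify the outer layer of IPSec VPN traffic (added example, not GB-OS code).

Only the outer IPv4 header and the leading bytes of the ESP/AH/UDP payload are parsed;
the sample packets below are constructed here, with zero checksums, and are not captures."""
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT, NATT_PORT = 500, 4500
# RFC 3948: IKE carried on UDP 4500 starts with four zero bytes; an ESP SPI is never zero,
# so the first four bytes tell UDP-encapsulated IKE and UDP-encapsulated ESP apart.
NON_ESP_MARKER = b"\x00\x00\x00\x00"

SA_CHECK = "existing IPSec SA for this SPI, then outbound/remote access filter"
IKE_CHECK = "remote access filter (the firewall is the destination)"


@dataclass
class Verdict:
    kind: str            # ike, ike-natt, esp, esp-natt, ah or other
    spi: Optional[int]   # Security Parameter Index for ESP/AH, else None
    stage: str           # "initialization" (IKE) or "data" (protected traffic)
    check: str           # the firewall check that gates this packet


def classify(packet: bytes) -> Verdict:
    """Inspect one IPv4 packet and say which VPN check applies to it."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == IPPROTO_ESP:
        # ESP header: SPI (4) | sequence number (4) | encrypted payload ...
        return Verdict("esp", struct.unpack("!I", payload[:4])[0], "data", SA_CHECK)
    if proto == IPPROTO_AH:
        # AH header: next header (1) | length (1) | reserved (2) | SPI (4) | sequence (4) | ICV ...
        return Verdict("ah", struct.unpack("!I", payload[4:8])[0], "data", SA_CHECK)
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        udp_data = payload[8:]
        if IKE_PORT in (sport, dport):
            return Verdict("ike", None, "initialization", IKE_CHECK)
        if NATT_PORT in (sport, dport):
            if udp_data[:4] == NON_ESP_MARKER:
                return Verdict("ike-natt", None, "initialization", IKE_CHECK)
            # UDP-encapsulated ESP: the ESP header (SPI first) follows the UDP header directly.
            return Verdict("esp-natt", struct.unpack("!I", udp_data[:4])[0], "data", SA_CHECK)
    return Verdict("other", None, "data", "ordinary security policy")


# --- constructed sample packets (not captures) -------------------------------------------
def _ipv4(proto: int, payload: bytes, src: str = "203.0.113.10", dst: str = "200.200.200.200") -> bytes:
    """Minimal IPv4 header (IHL 5, zero checksum); enough for classify() to parse."""
    to_bytes = lambda addr: bytes(int(o) for o in addr.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         to_bytes(src), to_bytes(dst))
    return header + payload


def _udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# ISAKMP header: initiator cookie, responder cookie, next payload=SA, version 1.0,
# exchange type=aggressive, flags, message ID, total length (28 bytes).
ISAKMP_HDR = b"\x11" * 8 + b"\x00" * 8 + b"\x01\x10\x04\x00" + b"\x00" * 4 + struct.pack("!I", 28)
ESP_HDR = struct.pack("!II", 0x0000ABCD, 1) + b"\xaa" * 16          # SPI 0xABCD, sequence 1
SAMPLE_IKE = _ipv4(IPPROTO_UDP, _udp(500, 500, ISAKMP_HDR))
SAMPLE_IKE_NATT = _ipv4(IPPROTO_UDP, _udp(4500, 4500, NON_ESP_MARKER + ISAKMP_HDR))
SAMPLE_ESP = _ipv4(IPPROTO_ESP, ESP_HDR)
SAMPLE_ESP_NATT = _ipv4(IPPROTO_UDP, _udp(4500, 4500, ESP_HDR))
SAMPLE_AH = _ipv4(IPPROTO_AH, struct.pack("!BBHII", 6, 4, 0, 0x00001234, 1) + b"\xbb" * 12)
SAMPLE_TCP = _ipv4(6, b"\x00\x50\x00\x50" + b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in [("IKE", SAMPLE_IKE), ("IKE/NAT-T", SAMPLE_IKE_NATT), ("ESP", SAMPLE_ESP),
                      ("ESP/NAT-T", SAMPLE_ESP_NATT), ("AH", SAMPLE_AH), ("TCP", SAMPLE_TCP)]:
        print(f"{name:10} -> {classify(pkt)}")
```

The verdicts map directly onto the note above: an IKE packet (native or NAT-T) needs only remote access permission because the firewall itself consumes it, whereas an ESP or AH packet is useless to the firewall unless an SA for its SPI already exists. Blocking UDP 4500 while leaving UDP 500 open is a common misconfiguration this distinction makes visible: Phase 1 completes, then no data flows once NAT traversal is negotiated.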
VPN Option Guide Reference C: Example VPN Configurations
Reference C: Example VPN Configurations
The VPN configuration you choose will vary based upon the answers to the following questions:
• Do both initiator and responder have static IP addresses?
• Is key exchange manual or automatic (IKE)?
• If IKE key exchange is used, is authentication handled using pre-shared secrets or VPN
certificates?
The following examples show configuration cases for manual vs. IKE key exchange and dynamic
vs. static IP addresses.
All listed objects and configurations should be enabled. Any other options, if not listed, may be
defined but are not necessary to achieve a functional configuration.
This reference is divided into three sections:
1. Example VPN Configurations Using IKE IPSec Mode and Pre-shared Secrets
2. Example VPN Configurations Using IKE IPSec Mode and VPN Certificates
3. Example VPN Configurations Using Manual IPSec Mode
Note
It is assumed that automatic policies are enabled on the Configure>VPN>IPSec Tunnels screen. Automatic
policies allow all VPN traffic by default. If they are disabled, it is necessary to create security policies that
allow ESP (IP protocol 50) and UDP ports 500 and 4500.
For information on manually defining security policies, see the GB-OS User's Guide .
Note
Example configurations contain fictional descriptions, IP addresses and subnet masks. Internal or
private network IP addresses that will be connected to the VPN are listed as the protected network,
with IP addresses of 192.168.*.* as an example. In your implementation, those settings may contain
different IP addresses, or connect to your PSN rather than your protected network.
To use the following examples, replace IP addresses and subnet masks with your own network
settings. The example pre-shared secret ($%23Aty!) is kept short so that it is legible; it is not long
enough for production use. The mobile client examples use IKE aggressive mode, in which a hash
derived from the pre-shared secret is exchanged before the peer has been authenticated and can be
attacked offline, so use a long, randomly generated secret.
Note
Before manually configuring a VPN, consider running the VPN Setup Wizard, located at Wizards>VPN
Setup . The VPN Setup Wizard is designed to help configure a simple VPN quickly and easily.
Example VPN Configurations Using IKE IPSec Mode and Pre-shared Secrets
This section provides example VPN configurations using IKE IPSec mode with pre-shared secrets
for authentication.
Client to Gateway: Dynamic/Static IP Addresses
The identifying characteristics of this type of VPN include:
• Static external IP address on the firewall, as set in Configure>Network>Interfaces>Settings , but
dynamic external IP address on the VPN client
• Firewall-compatible settings in the VPN client, and mobile VPN objects selected in
Configure>Accounts>Users and Configure>Accounts>Groups for the statically-addressed firewall
• Authentication using pre-shared secrets
Table C.1: Client to Gateway: Dynamic/Static IP Addresses
Responder: GTA firewall with static IP address
External IP Address: 200.200.200.200

In Configure>System>Objects>Address Objects:
Disable: Unchecked
Name: Protected Networks
Description: Protected networks
Type: All
Object: <USER DEFINED>
Address: 192.168.2.0/24 (local hosts that should be attached to your VPN)

In Configure>Accounts>Groups:
Disable: Unchecked
Name: Users
Description: GTA Mobile VPN Client users
Mobile VPN
  Disable: Unchecked
  Authentication Required: Unchecked
  VPN Object: Standard Dynamic (default object)
  Local Network: Protected Networks (address object, as defined above)

In Configure>Accounts>Users:
Disable: Unchecked
Name: Example User
Description: Database administrator
Remote Identity: vpnuser@example.com
Group: Users (configured user group, as defined above)
Authentication
  Method: n/a
  Password: n/a
Mobile VPN
  Disable: Unchecked
  Remote Network: <USER DEFINED> 192.168.1.1 (the IP address the attached GTA Mobile VPN Client should use)
  Pre-shared Secret: $%23Aty! (a long, randomized series of characters that must be identical to the Preshared Key in the GTA Mobile VPN Client)

In Configure>VPN>IPSec Tunnels:
VPN Certificate: Default
Advanced
  Automatic Policies: Checked
Dynamic Incoming Connections
  Authentication: Pre-shared Secret
  Identity: <IP Address>
  VPN Object: Standard Dynamic (default object)
Table C.2: Client to Gateway: Dynamic/Static IP Addresses
Initiator: GTA Mobile VPN Client with dynamic IP address
External IP Address: Dynamically assigned (DHCP, PPPoE, etc.)

In Parameters:
Authentication (IKE) Default Lifetime: 1800 (seconds)
Authentication (IKE) Minimal Lifetime: 120 (seconds)
Authentication (IKE) Maximal Lifetime: 28800 (seconds; must be less than the Lifetime in the GTA firewall's VPN Object's Phase 1)
Encryption (IPSec) Default Lifetime: 1200 (seconds)
Encryption (IPSec) Minimal Lifetime: 120 (seconds)
Encryption (IPSec) Maximal Lifetime: 28800 (seconds; must be less than the Lifetime in the GTA firewall's VPN Object's Phase 2)
Check Interval (DPD): 30 (dead peer detection, in seconds)

In Configure>Phase 1 (Authentication):
Name: OfficePhaseI (a descriptor for your VPN; may not contain spaces or non-alphanumeric characters; changing this value changes its name in the Configuration menu tree)
Interface: * (network cards or modems that the VPN will use)
Remote Gateway: 200.200.200.200 (the external IP address of the VPN gateway in Configure>Network>Settings)
Preshared Key: $%23Aty! (a long, randomized series of characters that must be identical to the Pre-shared Secret in the GTA firewall's Users; this value is obscured, and only its length is visible)
Confirm: $%23Aty! (re-enter the Preshared Key to confirm correct entry; obscured in the same way)
Encryption: AES-192 (equivalent to the IKE encryption in the GTA firewall's VPN Object's Phase 1)
Authentication: SHA (equivalent to the IKE HMAC-SHA1 hash in the GTA firewall's VPN Object's Phase 1)
Key Group: DH1024 (equivalent to the IKE group 2 Diffie-Hellman key in the GTA firewall's VPN Object's Phase 1)
Aggressive Mode (Advanced): Checked (equivalent to the Exchange Mode in the GTA firewall's VPN Object's Phase 1)
Local ID Value (Advanced): vpnuser@example.com (equivalent to the Remote Identity in the GTA firewall's Users)
Local ID Type (Advanced): Email
Remote ID Value (Advanced): 200.200.200.200 (the external IP address of the VPN gateway in Configure>Network>Settings)
Remote ID Type (Advanced): IP Address

In Configure>Phase 2 (IPSec Configuration):
Name: OfficePhaseII (a descriptor for your VPN; may not contain spaces or non-alphanumeric characters; changing this value changes its name in the Configuration menu tree)
VPN Client Address: 192.168.1.1 (the IP address the attached GTA Mobile VPN Client should use, listed in the GTA firewall's Users Remote Network)
Address Type: Subnet Address (only use the Single Address option if the GTA firewall's attached network consists of a single host)
Remote LAN Address: 192.168.2.0 (the GTA firewall's attached network, as indicated by the Protected Networks address object)
Subnet Mask: 255.255.255.0 (the GTA firewall's subnet mask, as indicated by the Protected Networks address object)
Encryption: AES-192 (equivalent to the IPSec encryption in the GTA firewall's Encryption Object)
Authentication: SHA (equivalent to the IPSec HMAC-SHA1 hash in the GTA firewall's Encryption Object)
Mode: Tunnel
PFS: Checked (perfect forward secrecy is always used on GTA firewalls)
Group: DH1024 (equivalent to the IPSec group 2 Diffie-Hellman key in the GTA firewall's Encryption Object)
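The "equivalent to" notes in Tables C.1 and C.2 are the places where a mobile client VPN silently fails when the two sides disagree. The following added example (not GTA code) encodes those equivalences as a cross-check: it holds the responder values from Table C.1 and the initiator values from Table C.2 as plain dictionaries and reports every mismatch, including the two lifetime ordering rules and the length of the pre-shared secret. The Phase 1 and Phase 2 lifetimes of the firewall's Standard Dynamic VPN Object and the 20-character minimum secret length are assumptions, not values from the guide, as are the dictionary field names and the `check` and `with_change` function names.

```python
"""Cross-check a GTA Mobile VPN Client profile (Table C.2) against the firewall side
(Table C.1).  Added example, not GTA code.  The VPN Object lifetimes and the minimum
secret length are assumptions; every other value comes from the two tables."""
import copy
from typing import Any, Dict, List, Tuple

# Client value -> firewall value, as the "equivalent to" notes in Table C.2 state them.
HASH_EQUIV = {"SHA": "HMAC-SHA1"}
GROUP_EQUIV = {"DH1024": 2}        # DH1024 is IKE Diffie-Hellman group 2
MIN_SECRET_LEN = 20                # assumed local policy for "a long, randomized series of characters"

FIREWALL: Dict[str, Any] = {       # Responder, Table C.1
    "external_ip": "200.200.200.200",
    "protected_network": "192.168.2.0/24",
    "user_remote_identity": "vpnuser@example.com",
    "user_remote_network": "192.168.1.1",
    "pre_shared_secret": "$%23Aty!",
    "phase1": {"encryption": "AES-192", "hash": "HMAC-SHA1", "group": 2,
               "exchange_mode": "Aggressive", "lifetime": 86400},     # lifetime assumed
    "phase2": {"encryption": "AES-192", "hash": "HMAC-SHA1", "group": 2,
               "lifetime": 43200},                                     # lifetime assumed
}

CLIENT: Dict[str, Any] = {         # Initiator, Table C.2
    "ike_max_lifetime": 28800,
    "ipsec_max_lifetime": 28800,
    "phase1": {"remote_gateway": "200.200.200.200", "preshared_key": "$%23Aty!",
               "encryption": "AES-192", "authentication": "SHA", "key_group": "DH1024",
               "aggressive_mode": True,
               "local_id": ("Email", "vpnuser@example.com"),
               "remote_id": ("IP Address", "200.200.200.200")},
    "phase2": {"vpn_client_address": "192.168.1.1", "remote_lan": "192.168.2.0",
               "subnet_mask": "255.255.255.0", "encryption": "AES-192",
               "authentication": "SHA", "group": "DH1024", "pfs": True},
}


def prefix_len(mask: str) -> int:
    """Dotted-quad subnet mask -> CIDR prefix length (255.255.255.0 -> 24)."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def check(client: Dict[str, Any] = CLIENT, firewall: Dict[str, Any] = FIREWALL) -> List[str]:
    """Return one message per mismatch; an empty list means the two sides agree."""
    c1, c2, f1, f2 = client["phase1"], client["phase2"], firewall["phase1"], firewall["phase2"]
    rules = [
        (c1["remote_gateway"] == firewall["external_ip"], "Phase 1 Remote Gateway is not the firewall's external IP"),
        (c1["preshared_key"] == firewall["pre_shared_secret"], "Preshared Key differs from the user's Pre-shared Secret"),
        (len(firewall["pre_shared_secret"]) >= MIN_SECRET_LEN, f"Pre-shared Secret shorter than {MIN_SECRET_LEN} characters"),
        (c1["encryption"] == f1["encryption"], "Phase 1 encryption differs"),
        (HASH_EQUIV.get(c1["authentication"]) == f1["hash"], "Phase 1 hash differs"),
        (GROUP_EQUIV.get(c1["key_group"]) == f1["group"], "Phase 1 Diffie-Hellman group differs"),
        (c1["aggressive_mode"] == (f1["exchange_mode"] == "Aggressive"), "Aggressive Mode does not match the VPN Object's Exchange Mode"),
        (c1["local_id"] == ("Email", firewall["user_remote_identity"]), "Local ID is not the user's Remote Identity"),
        (c1["remote_id"] == ("IP Address", firewall["external_ip"]), "Remote ID is not the firewall's external IP"),
        (client["ike_max_lifetime"] < f1["lifetime"], "IKE maximal lifetime must be less than the Phase 1 lifetime"),
        (client["ipsec_max_lifetime"] < f2["lifetime"], "IPSec maximal lifetime must be less than the Phase 2 lifetime"),
        (c2["vpn_client_address"] == firewall["user_remote_network"], "VPN Client Address differs from the user's Remote Network"),
        (f"{c2['remote_lan']}/{prefix_len(c2['subnet_mask'])}" == firewall["protected_network"], "Remote LAN/mask differs from the Protected Networks object"),
        (c2["encryption"] == f2["encryption"], "Phase 2 encryption differs"),
        (HASH_EQUIV.get(c2["authentication"]) == f2["hash"], "Phase 2 hash differs"),
        (GROUP_EQUIV.get(c2["group"]) == f2["group"], "Phase 2 Diffie-Hellman group differs"),
        (c2["pfs"], "PFS must be checked; GTA firewalls always use it"),
    ]
    return [message for ok, message in rules if not ok]


def with_change(config: Dict[str, Any], path: Tuple[str, ...], value: Any) -> Dict[str, Any]:
    """Deep-copy a profile with the field at `path` altered (to demonstrate a mismatch)."""
    altered = copy.deepcopy(config)
    node = altered
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return altered


if __name__ == "__main__":
    print("as in the tables:", check())
    print("wrong DH group:  ", check(with_change(CLIENT, ("phase1", "key_group"), "DH768")))
```

Run as-is, the only finding is the short example secret from the tables; replace it with a 20-character-or-longer random value on both sides and the list is empty. Every other rule is a literal restatement of a note in the two tables, so the checker doubles as a reading guide to them.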
Client to Gateway: Dynamic IP Addresses
The identifying characteristics of this type of VPN include:
• Dynamic external IP addresses on both the GTA firewall, as set in Configure>Network>Interfaces>Settings ,
and the GTA Mobile VPN Client
• Default or edited mobile VPN Objects selected in Users
• Dynamic DNS service configured on the GTA firewall; this enables the GTA Mobile VPN Client to
connect through a domain name without knowing the current IP address of the GTA firewall
• Firewall-compatible settings in the VPN client, and mobile VPN objects selected in Users for the
dynamically-addressed firewall
• Authentication using pre-shared secrets
Table C.3: Client to Gateway: Dynamic IP Addresses
Responder: GTA firewall with dynamic IP address
External IP Address: Dynamically assigned

In Configure>System>Objects>Address Objects:
Disable: Unchecked
Name: Protected Networks
Description: Protected networks
Type: All
Object: <USER DEFINED>
Address: 192.168.2.0/24 (hosts that should be attached to your VPN)

In Configure>Services>Dynamic DNS:
Disable: Unchecked
Description: Dynamic DNS Service
Host Name: examplefirewall.dyndns.org (the domain name your GTA Mobile VPN Client will use)
Interface: <EXTERNAL> (the interface to which the dynamic DNS service applies and to which the GTA Mobile VPN Client will connect)
Service: <DynDNS> or <ChangeIP> (the dynamic DNS service provider you use)
Login User Name: dyndnsuser (your account's user name at the dynamic DNS service provider)
Login Password: m453G34HY12 (your account's password at the dynamic DNS service provider)

In Configure>Accounts>Groups:
Disable: Unchecked
Name: Users
Description: GTA Mobile VPN Client users
Mobile VPN
  Disable: Unchecked
  Authentication Required: Unchecked
  VPN Object: Standard Dynamic (default object)
  Local Network: Protected Networks (address object, as defined above)

In Configure>Accounts>Users:
Disable: Unchecked
Name: Example User
Description: Database administrator
Remote Identity: vpnuser@example.com
Method: <Password>
Authentication
  Method: n/a
  Password: n/a
Mobile VPN
  Disable: Unchecked
  Remote Network: <USER DEFINED> 192.168.1.1 (the IP address the attached GTA Mobile VPN Client should use)
  Pre-shared Secret: <ASCII> $%23Aty!

In Configure>VPN>IPSec Tunnels:
VPN Certificate: Default
Advanced
  Automatic Policies: Checked
Dynamic Incoming Connections
  Authentication: Pre-shared Secret
  Identity: <Domain Name>
  VPN Object: Standard Dynamic (default object)
Table C.4: Client to Gateway: Dynamic IP Addresses
Initiator: GTA Mobile VPN Client with dynamic IP address
External IP Address: Dynamically assigned (DHCP, PPPoE, etc.)

In Parameters:
Authentication (IKE) Default Lifetime: 1800 (seconds)
Authentication (IKE) Minimal Lifetime: 120 (seconds)
Authentication (IKE) Maximal Lifetime: 28800 (seconds; must be less than the Lifetime in the GTA firewall's VPN Object's Phase 1)
Encryption (IPSec) Default Lifetime: 1200 (seconds)
Encryption (IPSec) Minimal Lifetime: 120 (seconds)
Encryption (IPSec) Maximal Lifetime: 28800 (seconds; must be less than the Lifetime in the GTA firewall's VPN Object's Phase 2)
Check Interval (DPD): 30 (dead peer detection, in seconds)

In Configure>Phase 1 (Authentication):
Name: OfficePhaseI (a descriptor for your VPN; may not contain spaces or non-alphanumeric characters; changing this value changes its name in the Configuration menu tree)
Interface: * (network cards or modems that the VPN will use)
Remote Gateway: examplefirewall.dyndns.org (the domain name of the VPN gateway in Network Information)
Preshared Key: $%23Aty! (a long, randomized series of characters that must be identical to the Pre-shared Secret in the GTA firewall's Users; this value is obscured, and only its length is visible)
Confirm: $%23Aty! (re-enter the Preshared Key to confirm correct entry; obscured in the same way)
Encryption: AES-192 (equivalent to the IKE encryption in the GTA firewall's VPN Object's Phase 1)
Authentication: SHA (equivalent to the IKE HMAC-SHA1 hash in the GTA firewall's VPN Object's Phase 1)
Key Group: DH1024 (equivalent to the IKE group 2 Diffie-Hellman key in the GTA firewall's VPN Object's Phase 1)
Aggressive Mode (Advanced): Checked (equivalent to the Exchange Mode in the GTA firewall's VPN Object's Phase 1)
Local ID Value (Advanced): vpnuser@example.com (equivalent to the Remote Identity in the GTA firewall's Users)
Local ID Type (Advanced): Email
Remote ID Value (Advanced): examplefirewall.dyndns.org (the domain name of the VPN gateway)
Remote ID Type (Advanced): DNS

In Configure>Phase 2 (IPSec Configuration):
Name: OfficePhaseII (a descriptor for your VPN; may not contain spaces or non-alphanumeric characters; changing this value changes its name in the Configuration menu tree)
VPN Client Address: 192.168.1.1 (the IP address the attached GTA Mobile VPN Client should use, listed in the GTA firewall's Users Remote Network)
Address Type: Subnet Address (only use the Single Address option if the GTA firewall's attached network consists of a single host)
Remote LAN Address: 192.168.2.0 (the GTA firewall's attached network, as indicated by the Protected Networks address object)
Subnet Mask: 255.255.255.0 (the GTA firewall's subnet mask, as indicated by the Protected Networks address object)
Encryption: AES-192 (equivalent to the IPSec encryption in the GTA firewall's VPN Object's Phase 2)
Authentication: SHA (equivalent to the IPSec HMAC-SHA1 hash in the GTA firewall's VPN Object's Phase 2)
Mode: Tunnel
PFS: Checked (perfect forward secrecy is always used on GTA firewalls)
Group: DH1024 (equivalent to the IPSec group 2 Diffie-Hellman key in the GTA firewall's VPN Object's Phase 2)
Gateway to Gateway: Dynamic/Static IP Addresses
The identifying characteristics of this type of VPN include:
• Static external IP address on one firewall, but dynamic external IP address on the second
firewall, as set in Configure>Network>Interfaces>Settings
• Default or edited objects selected in IPSec Tunnels for the dynamically-addressed firewall, but
mobile VPN objects selected in Configure>Accounts>Groups for the statically-addressed firewall
• Authentication using pre-shared secrets
Table C.5: Gateway to Gateway: Dynamic/Static IP Addresses & IKE
Initiator: GTA firewall with dynamic IP address (External IP Address: Dynamically assigned)
Responder: GTA firewall with static IP address (External IP Address: 200.200.200.200)
Values are given as initiator / responder; a single value applies to both.

In System>Objects>Address Objects:
Disable: Unchecked
Name: Protected Networks
Description: DEFAULT: Protected networks
Type: All
Object: <USER DEFINED>
Address: 192.168.1.0/24 / 192.168.2.0/24 (hosts that should be attached to your VPN)

In Configure>VPN>IPSec Tunnels:
VPN Certificate: Default
Advanced
  Automatic Policies: Checked
Dynamic Incoming Connections
  Authentication: Pre-shared Secret
  Identity: <IP Address>
  VPN Object: Standard Dynamic (default object)

In Configure>VPN>IPSec Tunnels>Edit IPSec Tunnel (initiator only; the responder has no entry in IPSec Tunnels and enters the equivalent information in Configure>Accounts>Users):
Disable: Unchecked
Description: Dynamic firewall
IPSec Key Mode: IKE
VPN Object: Standard Dynamic (default object)
Authentication
  Method: Pre-shared Secret
  Pre-shared Secret: $%23Aty! (a long, randomized series of characters that must be identical on both VPN gateways)
Options
  Send Keep Alives: Unchecked
Local
  Gateway: <EXTERNAL>
  NAT: Unchecked
  Network: Protected Networks (or the address object as defined above)
  Identity: <EMAIL ADDRESS>, firewall1@example.com
Remote
  Gateway: 200.200.200.200
  NAT: Unchecked
  Network: <USER DEFINED> 192.168.2.0/24 (the attached hosts on the other VPN gateway)
Advanced
  Identity: <EMAIL ADDRESS>, firewall2@example.com

In Configure>Accounts>Users (responder only; the initiator has no entry in Accounts>Users):
Disable: Unchecked
Name: Home Firewall 1
Description: Home-to-office VPN
Remote Identity: firewall1@example.com
Group: Firewalls (default object)
Authentication
  Method: n/a
  Password: n/a
Mobile VPN
  Disable: Unchecked
  Remote Network: <USER DEFINED> 192.168.1.0/24 (the attached hosts on the other VPN gateway)
  Pre-shared Secret: $%23Aty! (a long, randomized series of characters that must be identical on both VPN gateways)
Gateway to Gateway: Static/Static IP Addresses
The identifying characteristics of this type of VPN include:
• Static external IP addresses on both firewalls, as set in Configure>Network>Settings
• Default or edited IKE VPN Objects selected in VPNs
• A Local Identity is not necessary, since the static IP addresses serve as a constant element of identity
• Authentication using pre-shared secrets
Table C.6: Gateway to Gateway: Static/Static IP Addresses & IKE
Initiator: GTA firewall with static IP address (External IP Address: 100.100.100.100)
Responder: GTA firewall with static IP address (External IP Address: 200.200.200.200)
Values are given as initiator / responder; a single value applies to both.

In System>Objects>Address Objects:
Disable: Unchecked
Name: Protected Networks
Description: DEFAULT: Protected networks
Type: All
Object: <USER DEFINED>
Address: 192.168.1.0/24 / 192.168.2.0/24 (hosts that should be attached to your VPN)

In VPN>IPSec Tunnels:
Disable: Unchecked
Description: IKE VPN
IPSec Key Mode: IKE
VPN Object: Standard Static (default object)
Authentication
  Method: Pre-shared Secret
  Pre-shared Secret: $%23Aty! (a long, randomized series of characters that must be identical on both VPN gateways)
Options
  Send Keep Alives: Unchecked
Local
  Gateway: <EXTERNAL>
  NAT: Unchecked
  Network: Protected Networks (or the address object as defined above)
  Identity: <IP Address>
Remote
  Gateway: 200.200.200.200 / 100.100.100.100 (the external IP address of the other VPN gateway)
  NAT: Unchecked
  Network: <USER DEFINED> 192.168.2.0/24 / <USER DEFINED> 192.168.1.0/24 (the attached hosts on the other VPN gateway, i.e. the other firewall's Protected Networks)
Advanced
  Identity: <IP Address>
Example VPN Configurations Using IKE IPSec Mode and VPN Certificates
This section provides example VPN configurations using IKE IPSec mode with VPN certificates for
authentication. The certificate examples use 1024-bit keys; 1024-bit RSA keys are no longer
considered adequate, so select the largest key size the firewall and client support when generating
certificates for production use.
Client to Gateway: Dynamic/Static IP Addresses
The identifying characteristics of this type of VPN include:
• Static external IP address on the firewall, as set in Configure>Network>Interfaces>Settings , but
dynamic external IP address on the VPN client
• Firewall-compatible settings in the VPN client, and mobile VPN objects selected in
Configure>Accounts>Users and Configure>Accounts>Groups for the statically-addressed firewall
• Authentication using VPN certificates
Table C.7: Client to Gateway: Dynamic/Static IP Addresses
Responder: GTA firewall with static IP address
External IP Address: 200.200.200.200

In Configure>System>Objects>Address Objects:
Disable: Unchecked
Name: Protected Networks
Description: Protected networks
Type: All
Object: <USER DEFINED>
Address: 192.168.2.0/24 (local hosts that should be attached to your VPN)

In Configure>VPN>Certificates>Edit Certificate (the firewall's own certificate):
Disable: Unchecked
Name: Local certificate
Description: Local Certificate
Certificate: Generate
Type: <Certificate>
Common Name: firewall.example.com (the unique host name of the firewall)
Email Address: fwadmin@example.com (the email address of the firewall administrator)
Country: <United States [US]> (the country in which the firewall is located)
State/Region: (the state in which the firewall is located)
City/Locality: (the city or location of the firewall)
Organization: (the firewall's organization)
Organizational Unit: (the firewall's organizational unit)
Duration: 1
Key Size: <1024> Bits

In Configure>VPN>Certificates>Edit Certificate (the remote user's certificate):
Disable: Unchecked
Name: Remote Certificate
Description: Remote certificate
Certificate: Generate
Type: <Certificate>
Common Name: (the remote user's unique name)
Email Address: vpnuser@example.com
Country: (the country in which the remote user is located)
State/Region: (the state in which the remote user is located)
City/Locality: (the city or location of the remote user)
Organization: (the remote user's organization)
Organizational Unit: (the remote user's organizational unit)
Duration: 1
Key Size: <1024> Bits

In Configure>VPN>Certificates>Local:
Local Certificate: <Local Certificate> (the local VPN certificate for the firewall, defined above)

In Configure>Accounts>Groups:
Disable: Unchecked
Name: Users
Description: GTA Mobile VPN Client users
Mobile VPN
  Disable: Unchecked
  Authentication Required: Unchecked
  VPN Object: Standard Dynamic (default object)
  Local Network: Protected Networks (address object, as defined above)

In Configure>Accounts>Users:
Disable: Unchecked
Name: Example User
Description: Database administrator
Remote Identity: vpnuser@example.com
Group: Users (configured user group, as defined above)
Authentication
  Method: n/a
  Password: n/a
Mobile VPN
  Disable: Unchecked
  Remote Network: <USER DEFINED> 192.168.1.1 (the IP address the attached GTA Mobile VPN Client should use)
  Certificate: <Remote Certificate> (the remote VPN certificate for the remote user, defined above)

In Configure>VPN>IPSec Tunnels:
VPN Certificate: <Local Certificate> (the local VPN certificate for the firewall, defined above)
Advanced
  Automatic Policies: Checked
Dynamic Incoming Connections
  Authentication: Certificates
  VPN Object: Standard Dynamic (default object)
Table C.8: Client to Gateway: Dynamic/Static IP Addresses
Initiator: GTA Mobile VPN Client with dynamic IP address
External IP Address: Dynamically assigned (DHCP, PPPoE, etc.)

In Parameters:
Authentication (IKE) Default Lifetime: 1800 (seconds)
Authentication (IKE) Minimal Lifetime: 120 (seconds)
Authentication (IKE) Maximal Lifetime: 28800 (seconds; must be less than the Lifetime in the GTA firewall's VPN Object's Phase 1)
Encryption (IPSec) Default Lifetime: 1200 (seconds)
Encryption (IPSec) Minimal Lifetime: 120 (seconds)
Encryption (IPSec) Maximal Lifetime: 28800 (seconds; must be less than the Lifetime in the GTA firewall's VPN Object's Phase 2)
Check Interval (DPD): 30 (dead peer detection, in seconds)

In Configure>Phase 1 (Authentication):
Name: OfficePhaseI (a descriptor for your VPN; may not contain spaces or non-alphanumeric characters; changing this value changes its name in the Configuration menu tree)
Interface: * (network cards or modems that the VPN will use)
Remote Gateway: 200.200.200.200 (the external IP address of the VPN gateway in Configure>Network>Settings)
Certificate: Import the VPN certificate named "Remote Certificate" created on the GTA Firewall UTM Appliance
Encryption: AES-192 (equivalent to the IKE encryption in the GTA firewall's VPN Object's Phase 1)
Authentication: SHA (equivalent to the IKE HMAC-SHA1 hash in the GTA firewall's VPN Object's Phase 1)
Key Group: DH1024 (equivalent to the IKE group 2 Diffie-Hellman key in the GTA firewall's VPN Object's Phase 1)
Aggressive Mode (Advanced): Checked (equivalent to the Exchange Mode in the GTA firewall's VPN Object's Phase 1)
Local ID Value (Advanced): prepopulated with data from the local VPN certificate
Local ID Type (Advanced): <Subject from X509>
Remote ID Value (Advanced): Leave blank
Remote ID Type (Advanced): Leave blank

In Configure>Phase 2 (IPSec Configuration):
Name: OfficePhaseII (a descriptor for your VPN; may not contain spaces or non-alphanumeric characters; changing this value changes its name in the Configuration menu tree)
VPN Client Address: 192.168.1.1 (the IP address the attached GTA Mobile VPN Client should use, listed in the GTA firewall's Users Remote Network)
Address Type: Subnet Address (only use the Single Address option if the GTA firewall's attached network consists of a single host)
Remote LAN Address: 192.168.2.0 (the GTA firewall's attached network, as indicated by the Protected Networks address object)
Subnet Mask: 255.255.255.0 (the GTA firewall's subnet mask, as indicated by the Protected Networks address object)
Encryption: AES-192 (equivalent to the IPSec encryption in the GTA firewall's Encryption Object)
Authentication: SHA (equivalent to the IPSec HMAC-SHA1 hash in the GTA firewall's Encryption Object)
Mode: Tunnel
PFS: Checked (perfect forward secrecy is always used on GTA firewalls)
Group: DH1024 (equivalent to the IPSec group 2 Diffie-Hellman key in the GTA firewall's Encryption Object)
Gateway to Gateway: Dynamic/Static IP Addresses
The identifying characteristics of this type of VPN include:
• Static external IP address on one firewall, but dynamic external IP address on the second
firewall, as set in Configure>Network>Interfaces>Settings
• Default or edited objects selected in IPSec Tunnels for the dynamically-addressed firewall, but
mobile VPN objects selected in Configure>Accounts>Groups for the statically-addressed firewall
• Authentication using VPN certificates
Table C.9: Gateway to Gateway: Dynamic/Static IP Addresses
Field Name | Initiator: GTA firewall with dynamic IP address | Responder: GTA firewall with static IP address
External IP Address | Dynamically assigned | 200.200.200.200
In Configure>VPN>Certificates>Edit Certificate
Disable | Unchecked | Unchecked
Name | Firewall 1 | Firewall 2
Description | Firewall 1 local certificate | Firewall 2 local certificate
Certificate | Generate | Generate
Type | Certificate | Certificate
Common Name | firewall1.example.com (the host name of the firewall) | firewall2.example.com (the host name of the firewall)
Email Address | fwadmin1@example.com (the email address belonging to the firewall administrator) | fwadmin2@example.com (the email address belonging to the firewall administrator)
Country | The country where the remote user is located. | The country where the remote user is located.
State/Region | The state where the remote user is located. | The state where the remote user is located.
City/Locality | The city or locality where the remote user is located. | The city or locality where the remote user is located.
Organization | The remote user's organization. | The remote user's organization.
Organizational Unit | The remote user's organizational unit. | The remote user's organizational unit.
Duration | 1 | 1
Key Size | <1024> Bits | <1024> Bits
In Configure>VPN>Certificates
Local Certificate | Firewall 1 | Firewall 2
In Configure>VPN>Certificates>Edit Certificate
Disable | Unchecked | Unchecked
Name | Leave blank | Leave blank
Description | Leave blank | Leave blank
Certificate | Import | Import
Certificate File [Type] | PKCS #12 (for this example, PKCS #12 certificates will be used) | PKCS #12 (for this example, PKCS #12 certificates will be used)
Certificate File [Browse] | Select the VPN certificate exported from Firewall 2. | Select the VPN certificate exported from Firewall 1.
PKCS #12 Password | Enter the PKCS #12 password for Firewall 2's certificate, if any. | Enter the PKCS #12 password for Firewall 1's certificate, if any.
Private Key File | Ignore | Ignore
In Configure>Accounts>Users
Disable | (no entry in Accounts>Users) | Unchecked
Name | (no entry) | Firewall 1
Description | (no entry) | Firewall 1 user account
Remote Identity | (no entry) | firewall1@example.com
Group | (no entry) | Firewalls (default object)
Authentication Method | (no entry) | n/a
Password | (no entry) | n/a
Mobile VPN: Disable | (no entry) | Unchecked
Mobile VPN: Remote Network | (no entry) | <USER DEFINED> 192.168.1.0/24 (the attached hosts on the other VPN gateway)
Mobile VPN: Authentication | (no entry) | Certificates
Mobile VPN: Certificate | (no entry) | Firewall 1
In System>Objects>Address Objects
Disable | Unchecked | Unchecked
Name | Protected Networks | Protected Networks
Description | DEFAULT: Protected networks | DEFAULT: Protected networks
Type | All | All
Object | <USER DEFINED> | <USER DEFINED>
Address | 192.168.1.0/24 (hosts that should be attached to your VPN) | 192.168.2.0/24 (hosts that should be attached to your VPN)
In Configure>VPN>IPSec Tunnels:
VPN Certificate | Firewall 1 | Firewall 2
Advanced: Automatic Policies | Checked | Checked
Dynamic Incoming Connections: Authentication | Certificates | Certificates
Dynamic Incoming Connections: VPN Object | Standard Dynamic (default object) | Standard Dynamic (default object)
In Configure>VPN>IPSec Tunnels>Edit IPSec Tunnel:
Disable | Unchecked | No entry in IPSec Tunnels. Equivalent information is entered in Configure>Accounts>Users.
Description | Dynamic firewall | (no entry)
IPSec Key Mode | IKE | (no entry)
VPN Object | Standard Dynamic (default object) | (no entry)
Authentication Method | Certificates | (no entry)
Options: Send Keep Alives | Unchecked | (no entry)
Local Gateway | <EXTERNAL> | (no entry)
Local NAT | Unchecked | (no entry)
Local Network | Protected Networks (or the address object as defined above) | (no entry)
Remote Gateway | 200.200.200.200 | (no entry)
Remote NAT | Unchecked | (no entry)
Remote Network | <USER DEFINED> 192.168.2.0/24 (the attached hosts on the other VPN gateway) | (no entry)
Certificate | Firewall 2 (select the VPN certificate imported from the other firewall) | (no entry)
Gateway to Gateway: Static/Static IP Addresses
The identifying characteristics of this type of VPN include:
• Static external IP addresses on both firewalls, as set in Configure>Network>Settings
• Default or edited IKE VPN Objects selected in VPNs
• Local Identity is not necessary, since static IP addresses serve as a constant element for identity
• Authentication using VPN certificates
Table C.10: Gateway to Gateway: Static/Static IP Addresses
Field Name | Initiator: GTA firewall with static IP address | Responder: GTA firewall with static IP address
External IP Address | 100.100.100.100 | 200.200.200.200
In Configure>VPN>Certificates>Edit Certificate
Disable | Unchecked | Unchecked
Name | Firewall 1 | Firewall 2
Description | Firewall 1 local certificate | Firewall 2 local certificate
Certificate | Generate | Generate
Type | Certificate | Certificate
Common Name | firewall1.example.com (the host name of the firewall) | firewall2.example.com (the host name of the firewall)
Email Address | fwadmin1@example.com (the email address belonging to the firewall administrator) | fwadmin2@example.com (the email address belonging to the firewall administrator)
Country | The country where the remote user is located. | The country where the remote user is located.
State/Region | The state where the remote user is located. | The state where the remote user is located.
City/Locality | The city or locality where the remote user is located. | The city or locality where the remote user is located.
Organization | The remote user's organization. | The remote user's organization.
Organizational Unit | The remote user's organizational unit. | The remote user's organizational unit.
Duration | 1 | 1
Key Size | <1024> Bits | <1024> Bits
In Configure>VPN>Certificates
Local Certificate | Firewall 1 | Firewall 2
In Configure>VPN>Certificates>Edit Certificate
Disable | Unchecked | Unchecked
Name | Leave blank | Leave blank
Description | Leave blank | Leave blank
Certificate | Import | Import
Certificate File [Type] | PKCS #12 (for this example, PKCS #12 certificates will be used) | PKCS #12 (for this example, PKCS #12 certificates will be used)
Certificate File [Browse] | Select the VPN certificate exported from Firewall 2. | Select the VPN certificate exported from Firewall 1.
PKCS #12 Password | Enter the PKCS #12 password for Firewall 2's certificate, if any. | Enter the PKCS #12 password for Firewall 1's certificate, if any.
Private Key File | n/a | n/a
In System>Objects>Address Objects:
Disable | Unchecked | Unchecked
Name | Protected Networks | Protected Networks
Description | DEFAULT: Protected networks | DEFAULT: Protected networks
Type | All | All
Object | <USER DEFINED> | <USER DEFINED>
Address | 192.168.1.0/24 (hosts that should be attached to your VPN) | 192.168.2.0/24 (hosts that should be attached to your VPN)
In Configure>VPN>IPSec Tunnels:
VPN Certificate | Firewall 1 | Firewall 2
Advanced: Automatic Policies | Checked | Checked
Dynamic Incoming Connections: Authentication | Certificates | Certificates
Dynamic Incoming Connections: VPN Object | Standard Dynamic (default object) | Standard Dynamic (default object)
In VPN>IPSec Tunnels>Edit IPSec Tunnel
Disable | Unchecked | Unchecked
Description | IKE VPN | IKE VPN
IPSec Key Mode | IKE | IKE
VPN Object | Standard Static (default object) | Standard Static (default object)
Authentication Method | Certificates | Certificates
Options: Send Keep Alives | Unchecked | Unchecked
Local Gateway | <EXTERNAL> | <EXTERNAL>
Local NAT | Unchecked | Unchecked
Local Network | Protected Networks | Protected Networks
Remote Gateway | 200.200.200.200 (the external IP address of the other VPN gateway) | 100.100.100.100 (the external IP address of the other VPN gateway)
Remote NAT | Unchecked | Unchecked
Remote Network | <USER DEFINED> 192.168.2.0/24 (the attached hosts on the other VPN gateway) | <USER DEFINED> 192.168.1.0/24 (the attached hosts on the other VPN gateway)
Certificate | Firewall 2 (select the VPN certificate imported from the other firewall) | Firewall 1 (select the VPN certificate imported from the other firewall)
Example VPN Configurations using Manual IPSec Mode
This section provides example VPN configurations using Manual IPSec mode.
Gateway to Gateway: Static/Static IP Addresses and Manual Key Exchange
The identifying characteristics of this type of VPN include:
• Static external IP addresses on both firewalls, as set in Network Information
• Default or edited manual VPN Objects selected in VPNs
• Only Phase 2 settings of the manual VPN object are used (Phase 1 may be entered, but it is not used; instead, Phase 2 from the VPN object is used)
• Local Identity is not necessary, since static IP addresses serve as a constant element for identity
Table C.7: Gateway to Gateway: Static/Static IP Addresses & Manual Key Exchange
Field Name | Initiator: GTA firewall with static IP address | Responder: GTA firewall with static IP address
External IP Address | 100.100.100.100 | 200.200.200.200
In System>Objects>Address Objects:
Disable | Unchecked | Unchecked
Name | Protected Networks | Protected Networks
Description | DEFAULT: Protected networks | DEFAULT: Protected networks
Type | All | All
Object | <USER DEFINED> | <USER DEFINED>
Address | 192.168.1.0/24 (hosts that should be attached to your VPN) | 192.168.2.0/24 (hosts that should be attached to your VPN)
In System>Objects>VPN Objects:
Disable | Unchecked | Unchecked
Name | Manual | Manual
Description | IKE VPN object | IKE VPN object
Phase 1: Exchange Mode | n/a | n/a
Phase 1: Encryption Object | n/a | n/a
Phase 1 Advanced: Force Mobile Protocol | n/a | n/a
Phase 1 Advanced: NAT-T | n/a | n/a
Phase 1 Advanced: Lifetime | n/a | n/a
Phase 1 Advanced: DPD Interval | n/a | n/a
Phase 2: Encryption Object | <AES-192, sha1, grp2> (default) | <AES-192, sha1, grp2> (default)
Phase 2 Advanced: Lifetime | n/a | n/a
In VPN>IPSec Tunnels:
Disable | Unchecked | Unchecked
Description | Office-to-office VPN | Office-to-office VPN
IPSec Mode | Manual | Manual
VPN Object | Manual (the VPN configuration object, as previously defined) | Manual (the VPN configuration object, as previously defined)
Local Gateway | <EXTERNAL> | <EXTERNAL>
Local NAT | Unchecked | Unchecked
Local Network | Protected Networks (or the address object as defined above) | Protected Networks (or the address object as defined above)
Local Identity | <IP Address> | <IP Address>
Remote Gateway | 200.200.200.200 (the external IP address of the other VPN gateway) | 100.100.100.100 (the external IP address of the other VPN gateway)
Remote NAT | Unchecked | Unchecked
Remote Network | <USER DEFINED> 192.168.2.0/24 (the attached hosts on the other VPN gateway) | <USER DEFINED> 192.168.1.0/24 (the attached hosts on the other VPN gateway)
Manual: Encryption Key | <ASCII> $%23Aty! (a long, randomized series of characters that must be identical on both VPN gateways) | <ASCII> $%23Aty! (a long, randomized series of characters that must be identical on both VPN gateways)
Manual: Hash Key | <ASCII> GHij43#e@t! (a long, randomized series of characters that must be identical on both VPN gateways) | <ASCII> GHij43#e@t! (a long, randomized series of characters that must be identical on both VPN gateways)
Security Parameter Index (SPI): Inbound SPI | 256 (an integer, 256 or greater, that must be identical on both VPN gateways) | 256 (an integer, 256 or greater, that must be identical on both VPN gateways)
Security Parameter Index (SPI): Outbound SPI | 256 (an integer, 256 or greater, that must be identical on both VPN gateways) | 256 (an integer, 256 or greater, that must be identical on both VPN gateways)
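In Manual IPSec mode there is no key negotiation: the encryption key, hash key and SPIs above are typed into both gateways, and a single mistyped character on one side only shows up when the tunnel fails to pass traffic. The following is an added example, not GB-OS code, that checks a pair of Table C.7 entries for the rules the table states (local/remote fields mirrored, secrets and SPIs identical, SPI of 256 or greater) and generates fresh random key material for both sides. The dictionary field names, the with_keys helper and the assumed key lengths (24 bytes for AES-192, 20 bytes for HMAC-SHA1, matching the default <AES-192, sha1, grp2> encryption object) are this example's own assumptions rather than anything the firewall enforces.

```python
"""Consistency check and key generation for a Manual IPSec Key Mode tunnel
pair as laid out in Table C.7. Added example, not GB-OS code: the field
names mirror the table's rows; the minimum key lengths are an assumption
taken from the default Phase 2 encryption object (AES-192, HMAC-SHA1).
"""
import secrets
import string

MIN_SPI = 256           # Table C.7: "an integer, 256 or greater"
AES192_KEY_BYTES = 24   # assumed: full-length AES-192 key
SHA1_KEY_BYTES = 20     # assumed: HMAC-SHA1 key of hash-output length
ALPHABET = string.ascii_letters + string.digits + "!#$%@"  # printable <ASCII> keys

# Constructed from Table C.7. The responder's hash key is deliberately one
# character short of the initiator's to show the mismatch the check catches.
INITIATOR = {
    "local_gateway": "100.100.100.100", "remote_gateway": "200.200.200.200",
    "local_network": "192.168.1.0/24", "remote_network": "192.168.2.0/24",
    "encryption_key": "$%23Aty!", "hash_key": "GHij43#e@t!",
    "inbound_spi": 256, "outbound_spi": 256,
}
RESPONDER = {
    "local_gateway": "200.200.200.200", "remote_gateway": "100.100.100.100",
    "local_network": "192.168.2.0/24", "remote_network": "192.168.1.0/24",
    "encryption_key": "$%23Aty!", "hash_key": "GHij43#e@t",
    "inbound_spi": 256, "outbound_spi": 256,
}


def check_manual_tunnel(initiator, responder):
    """Return a list of problems; an empty list means the two entries are
    consistent with the rules Table C.7 states."""
    problems = []
    # Each side's local gateway/network must be the other side's remote one.
    for local, remote in (("local_gateway", "remote_gateway"),
                          ("local_network", "remote_network")):
        if initiator[local] != responder[remote] or responder[local] != initiator[remote]:
            problems.append(f"{local}/{remote} are not mirrored between the gateways")
    # Keys and SPIs must be identical on both gateways.
    for field in ("encryption_key", "hash_key", "inbound_spi", "outbound_spi"):
        if initiator[field] != responder[field]:
            problems.append(f"{field} differs between the gateways")
    for side, cfg in (("initiator", initiator), ("responder", responder)):
        for field in ("inbound_spi", "outbound_spi"):
            if not isinstance(cfg[field], int) or cfg[field] < MIN_SPI:
                problems.append(f"{side} {field} must be an integer of {MIN_SPI} or greater")
        # Assumed minimum: a key shorter than the algorithm's key size cannot
        # carry the full AES-192 / HMAC-SHA1 key entropy, whatever the
        # firewall does to pad it.
        for field, need in (("encryption_key", AES192_KEY_BYTES), ("hash_key", SHA1_KEY_BYTES)):
            if len(cfg[field].encode("ascii")) < need:
                problems.append(f"{side} {field} is shorter than {need} bytes")
    return problems


def generate_manual_keys():
    """Fresh key material from the OS CSPRNG for both gateways: full-length
    keys and one SPI of 256 or greater, to be entered identically on each."""
    spi = MIN_SPI + secrets.randbelow(2**32 - MIN_SPI)
    return {
        "encryption_key": "".join(secrets.choice(ALPHABET) for _ in range(AES192_KEY_BYTES)),
        "hash_key": "".join(secrets.choice(ALPHABET) for _ in range(SHA1_KEY_BYTES)),
        "inbound_spi": spi,
        "outbound_spi": spi,
    }


def with_keys(cfg, keys):
    """Copy of a gateway entry with the shared key material replaced (helper
    assumed by this example)."""
    return {**cfg, **keys}


if __name__ == "__main__":
    print("as entered:", check_manual_tunnel(INITIATOR, RESPONDER))
    fresh = generate_manual_keys()
    print("regenerated:", check_manual_tunnel(with_keys(INITIATOR, fresh), with_keys(RESPONDER, fresh)))
```

Run as entered, the check reports the hash-key mismatch and flags both sample keys as shorter than the assumed minimum; after regenerating the keys and applying them to both entries it reports nothing, which is the state to aim for before saving the tunnel on either firewall.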
Reference D: Troubleshooting
On the GTA Firewall
FAQ
Mobile VPN Clients cannot connect to the firewall. Why?
First use ping and/or traceroute to verify that VPN client connections can reach the firewall without use of the VPN. Then check that you have correctly configured the required remote access and pass through security policies. Finally, check that all GTA Mobile VPN Clients have accounts with their VPN configuration set up in Configure>Accounts>Users, referencing a valid VPN configuration object in Configure>System>Objects>VPN Objects.
Log Messages
GTA firewalls log common problems such as denied VPN connections.
VPN connections tunnel network traffic over untrusted networks using authentication and encryption for security. If an IKE VPN is used, IKE messages may appear in the log ("IKE server"); another key identifier is "type=mgmt,vpn".
When the IKE service starts up due to a firewall reboot or saving a VPN configuration section, the startup is logged, along with the number of allowed concurrent mobile users.
Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="WWWadmin: Starting IKE server." type=mgmt src=192.168.71.2 srcport=2206 dst=192.168.71.254 dstport=80 duration=2
Mar 4 21:06:44 firewall.example.com id=firewall time="2002-08-30 14:12:18" fw="ipsec" pri=5 msg="Licensed for 100 mobile client connections. type=mgmt,vpn
Failed VPN authentications are logged with the account name.
Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="RMCauth: Accepted connection" type=mgmt src=199.120.225.78 srcport=2197 dst=199.120.225.200 dstport=76
Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=4 msg="RMCauth: Authentication failure for 'support@gta.com'." type=mgmt src=199.120.225.78 srcport=2197 dst=199.120.225.200 dstport=76 duration=4
Security Associations
By default, each IPSec security association (SA) creation is logged. Most VPN connections require
two SAs.
Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="IPsec-SA established type=mgmt,vpn src=199.120.225.200 dst=24.170.164.183
Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="IPsec-SA established type=mgmt,vpn src=24.170.164.183 dst=199.120.225.200
Security associations may expire. After expiration, they must be renewed or the connection will be closed.
Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="ipsec" pri=5 msg="IPsec-SA established type=mgmt,vpn src=199.120.225.200 dst=24.170.164.183
Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="ipsec" pri=5 msg="IPsec-SA expired type=mgmt,vpn src=199.120.225.200 dst=24.170.164.183
Mobile Client VPN Authentication and Connection
Mobile clients must authenticate first before establishing a connection.
Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="RMCauth: Accepted connection" type=mgmt src=199.120.225.78 srcport=2170 dst=199.120.225.200 dstport=76
Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=6 msg="RMCauth: Authentication successful for 'support@gta.com'." type=mgmt src=199.120.225.78 srcport=2170 dst=199.120.225.200 dstport=76 duration=4
Attempts to connect without authentication will be denied.
Mar 4 21:06:44 pri=4 msg="Authentication needed, access for 'support@gta.com' denied." type=mgmt,vpn src=65.33.234.134 dst=199.120.225.78
If the user is already authenticated from one IP address and they attempt to authenticate from a second IP address, the connection will be denied. The user's VPN lease must expire before login will be permitted.
Mar 4 21:06:44 pri=4 msg="Unable to aquire license, access for 'user@example.com' denied." type=mgmt,vpn src=200.200.200.200 dst=100.100.100.100
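The log lines in this section are key=value records, so they lend themselves to automated review rather than reading by eye. The following added example (not GTA code) parses such lines, labels the IKE start, SA lifecycle, RMCauth and access-denied events quoted above, and applies two checks a defender would want on a VPN gateway's log: repeated RMCauth failures from one source address, and security associations whose most recent event is an expiry with no later re-establishment. The field names (fw, pri, msg, type, src, dst) are those in the sample lines; the event labels, the failure threshold and the two extra failure lines in the constructed sample are this example's own assumptions.

```python
"""Parse the key=value VPN log lines shown in this section and label the
events they describe. Added example, not GTA code: the field names (fw,
pri, msg, type, src, dst) come from the sample lines in the guide; the
event labels, the failure threshold and the extra failure lines in the
sample are this example's own assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the guide's lines reassembled, plus two extra RMCauth
# failures from the same source so the threshold rule has something to find.
SAMPLE_LOG = """\
Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="WWWadmin: Starting IKE server." type=mgmt src=192.168.71.2 srcport=2206 dst=192.168.71.254 dstport=80 duration=2
Mar 4 21:06:44 firewall.example.com id=firewall time="2002-08-30 14:12:18" fw="ipsec" pri=5 msg="Licensed for 100 mobile client connections. type=mgmt,vpn
Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=4 msg="RMCauth: Authentication failure for 'support@gta.com'." type=mgmt src=199.120.225.78 srcport=2197 dst=199.120.225.200 dstport=76 duration=4
Mar 4 21:06:45 firewall.example.com id=firewall time="2005-03-04 21:06:45" fw="firewall" pri=4 msg="RMCauth: Authentication failure for 'support@gta.com'." type=mgmt src=199.120.225.78 srcport=2198 dst=199.120.225.200 dstport=76 duration=4
Mar 4 21:06:46 firewall.example.com id=firewall time="2005-03-04 21:06:46" fw="firewall" pri=4 msg="RMCauth: Authentication failure for 'admin@example.com'." type=mgmt src=199.120.225.78 srcport=2199 dst=199.120.225.200 dstport=76 duration=4
Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="IPsec-SA established type=mgmt,vpn src=199.120.225.200 dst=24.170.164.183
Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="ipsec" pri=5 msg="IPsec-SA expired type=mgmt,vpn src=199.120.225.200 dst=24.170.164.183
Mar 4 21:06:44 pri=4 msg="Authentication needed, access for 'support@gta.com' denied." type=mgmt,vpn src=65.33.234.134 dst=199.120.225.78
Mar 4 21:06:44 pri=4 msg="Unable to aquire license, access for 'user@example.com' denied." type=mgmt,vpn src=200.200.200.200 dst=100.100.100.100
"""

# A new field starts at whitespace followed by key=; the quoted msg values in
# the guide's samples never contain that shape, so their spaces survive.
FIELD_START = re.compile(r"\s+(?=\w+=)")


def parse_line(line):
    """Split one log line into a dict; the syslog prefix (timestamp and host,
    which carry no '=') goes under 'prefix'. A msg the firewall writes without
    a closing quote, as in the SA lines, parses the same as a quoted one."""
    fields = {}
    chunks = FIELD_START.split(line.strip())
    if chunks and "=" not in chunks[0]:
        fields["prefix"] = chunks.pop(0)
    for chunk in chunks:
        key, _, value = chunk.partition("=")
        fields[key] = value.strip('"')
    return fields


# (event label, pattern over msg); a capture group, where present, is the
# detail worth keeping: the account name or the licensed client count.
EVENT_RULES = [
    ("IKE_START", re.compile(r"Starting IKE server")),
    ("LICENSE_INFO", re.compile(r"Licensed for (\d+) mobile client")),
    ("AUTH_FAILURE", re.compile(r"RMCauth: Authentication failure for '([^']+)'")),
    ("AUTH_SUCCESS", re.compile(r"RMCauth: Authentication successful for '([^']+)'")),
    ("UNAUTHENTICATED_DENIED", re.compile(r"Authentication needed, access for '([^']+)' denied")),
    ("LICENSE_DENIED", re.compile(r"Unable to ac?quire license, access for '([^']+)' denied")),
    ("SA_ESTABLISHED", re.compile(r"IPsec-SA established")),
    ("SA_EXPIRED", re.compile(r"IPsec-SA expired")),
]


def classify(fields):
    for label, pattern in EVENT_RULES:
        m = pattern.search(fields.get("msg", ""))
        if m:
            return label, (m.group(1) if m.groups() else None)
    return "OTHER", None


def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            f = parse_line(line)
            label, detail = classify(f)
            events.append({"kind": label, "detail": detail, "src": f.get("src"),
                           "dst": f.get("dst"), "pri": f.get("pri")})
    return events


def count_kinds(events):
    return Counter(e["kind"] for e in events)


def repeated_auth_failures(events, threshold=3):
    """Sources with at least `threshold` RMCauth failures, with the accounts
    tried from each: the pattern that merits an alert, not just a log line."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "AUTH_FAILURE":
            by_src[e["src"]].append(e["detail"])
    return {src: users for src, users in by_src.items() if len(users) >= threshold}


def unrenewed_sas(events):
    """(src, dst) pairs whose most recent SA event is an expiry with no later
    re-establishment: tunnels the guide says will be closed."""
    last = {}
    for e in events:
        if e["kind"] in ("SA_ESTABLISHED", "SA_EXPIRED"):
            last[(e["src"], e["dst"])] = e["kind"]
    return sorted(pair for pair, kind in last.items() if kind == "SA_EXPIRED")


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(count_kinds(evts), repeated_auth_failures(evts), unrenewed_sas(evts))
```

The splitter deliberately keys on the `key=` shape rather than on quotes, because the firewall's SA lines (as quoted above) open the msg value with a quote it never closes; a quote-balanced parser would swallow the rest of the line into msg and lose the src and dst fields that the SA checks need.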
On the GTA Mobile VPN Client
FAQ
My GTA Mobile VPN Client says it is in a 30-day evaluation mode.
If the GTA Mobile VPN Client license number was not correctly entered during installation, or if you clicked Trial during installation instead of entering a license number, the VPN client software will function for 30 days in an evaluation mode.
Enter the VPN client license number you received with your mobile VPN option purchase for the VPN client software to exit evaluation mode.
I receive an error when trying to activate the GTA Mobile VPN Client. Why?
If an error is returned by the online activation server, as shown below, click on the Help icon for more information on how to resolve the issue.
If you are unable to resolve any of the error messages on your own, please contact GTA Technical Support by emailing support@gta.com. Please include your license number and firewall serial number in the body of the email. Failure to send this information may result in a delay in assistance.
Figure D.1: Receiving an Activation Error
Table D.1: Activation Errors
Code | Message | Description
031 | License not found | The license number does not exist in the activation server database. Recheck your license number. The GTA Mobile VPN Client only accepts license numbers specific to GTA Mobile VPN Clients. Other TheGreenBow license numbers will not work.
032 | Reserved | Reserved.
033 | Activation quota exceeded | Too many installations and activations have been processed for this specific license number. License numbers cannot be used more than allowed by your IT department.
034, 035 | Wrong product code | The license number entered is not allowed. The GTA Mobile VPN Client requires a specific license number that is provided by GTA.
036 | Not allowed to activate this device | The maintenance period has expired. In this case, you are not allowed to process any software upgrade. However, you are still allowed to continue using the previous version installed and activated on your computer.
050, 051, 052 | Impossible to complete activation process | The activation server cannot generate an activation code for this license number at the moment of generation.
053, 054 | Cannot connect activation server | The activation server cannot be reached. Reasons for this can be a broken Internet connection, the activation server being down or firewall policies. The host PC must be able to resolve tgbosa.com and be able to connect to TCP ports 80 and 443. Failure to resolve tgbosa.com may result in this error.
055 | Activation code error | The activation code may have been modified after activation.
How can I activate the GTA Mobile VPN Client when I need to connect to the Internet using a proxy server?
To activate the GTA Mobile VPN Client when a proxy server is used to connect to the Internet, run the Activation Wizard and click the If You Are Using a Proxy, Click Here link to open the Proxy Configuration screen.
Figure D.2: The "If You Are Using a Proxy, Click Here" Link
Enter the proxy server's IP address or fully qualified domain name in the Proxy Address field and the port number in the Port Number field. Once complete, click the Use Proxy button.
Figure D.3: Entering Proxy Settings
Once the proxy server's information has been configured, enter the GTA Mobile VPN Client's activation code.
I cannot activate the GTA Mobile VPN Client online. How do I activate the client manually?
If it is not possible to activate the GTA Mobile VPN Client online or if the online activation fails, the client can be activated manually.
To manually activate the GTA Mobile VPN Client:
1. If an error is displayed during activation, this error is logged in the prodact.dat file, which is located in the user's My Documents folder. The prodact.dat file contains information such as the license number, email address and the computer's hardware information. Email this file to GTA Technical Support (support@gta.com) with your firewall's serial number in the body of the email.
2. You will receive an email from GTA Technical Support with an attached file. The file, named tgbcod_xxxxx.dat, contains the activation code for the GTA Mobile VPN Client. Save this file in the user's My Documents folder.
3. Restart the GTA Mobile VPN Client. The software activation is now complete.
My Internet connection does not work when I return to the office.
Your VPN connection may still be active, even though it is not necessary while inside your office LAN. Stop the VPN connection. You might also need to restart your browser or other network application before you can use the non-VPN connection on your office LAN.
Why won't the GTA Mobile VPN Client start a VPN on Windows XP?
Windows XP has a feature called fast user switching. This means that multiple users may be logged in and running programs at the same time (including VPN software), even when only one user is actively using the mouse and keyboard.
If another user is logged in to Windows XP and has started a VPN connection, you will not be able to start a VPN; the other user is already using those VPN resources.
To start your VPN, first ask the other user to log in and stop their VPN connection. Then you may log in to your own account and start your own VPN.
Can I use an address range for my Address Type when configuring Phase 1 settings?
Address ranges are not supported by GTA firewalls.
When should I set NAT-T to Forced when configuring advanced Phase 1 settings?
When configuring advanced Phase 1 settings for the VPN connection, you may wish to set NAT-T to Forced if you have been given a public IP address that has the ESP protocol blocked. By forcing NAT-T, the client will use NAT-T encapsulation even when it has a non-NAT'ed IP address.
Log Messages
Incorrect Remote Gateway
An incorrect value was used for the external IP address of the GTA firewall (VPN gateway). This should match the remote gateway in the GTA firewall's mobile VPN Objects.
103901 Default (SA VPN-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
103906 Default ipsec_get_keystate: no keystate in ISAKMP SA 00D9CBC8
Incorrect Pre-shared Key
An incorrect value was used for the pre-shared secret (key). This value must match the pre-shared secret specified for the account in the GTA firewall's Users.
101901 Default message_recv: invalid cookie(s) 303a3fce1772c7b78505c95b1034c3c6
101901 Default dropped message from 199.120.225.117 due to notification type INVALID_COOKIE
101901 Default SEND Informational [NOTIFY] with INVALID_COOKIE error
Incorrect Local ID Value
An incorrect value for the local identity of the VPN client was used. In most cases, this should be the email address specified for the account in the GTA firewall's Users.
101202 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]
Incorrect Local ID Type
An incorrect type for the local identity of the VPN client was used. In most cases, the type should be Email.
100731 Default ike_phase_1_send_ID: invalid ip address: Bad file descriptor WSA(11001)
100731 Default exchange_run: doi->initiator (00D95C58) failed
Incorrect Remote ID Value
An incorrect value for the remote identity of the GTA firewall was used. In most cases, this should be the IP address specified in the GTA firewall's mobile VPN Objects.
101325 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]
101325 Default (SA VPN-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
101325 Default ike_phase_1_recv_ID: received remote ID other than expected 200.200.200.200
Incorrect Remote ID Type
An incorrect type for the remote identity of the GTA firewall was used. In most cases, the type should be IP Address.
101447 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]
101447 Default (SA VPN-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
101448 Default ike_phase_1_recv_ID: received remote ID other than expected 199.120.225.117
101455 Default ipsec_get_keystate: no keystate in ISAKMP SA 00F7BD40
Incorrect Phase 2 Settings
An incorrect Phase 2 (IKE) setting was used. These settings should match the GTA firewall's dynamic VPN Objects Phase 2 settings.
104041 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]
104041 Default transport_send_messages: giving up on message 00DAF350
104041 Default recvfrom (164, 0011FD70, 65536, 0, 0011FCEC, 0011FCE8): WSA(10054)
Incorrect Phase 2 Settings
An incorrect encryption, authentication or key group was used in Phase 2 settings. These settings should match the GTA firewall's mobile VPN Objects Phase 2 settings.
104401 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]
104401 Default (SA VPN-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
104402 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
104402 Default phase 1 done: initiator id vpnuser@example.com, responder id 200.200.200.200
104402 Default (SA VPN-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID] [NAT_OA]
104402 Default RECV Informational [HASH] [NOTIFY]
104402 Default RECV Informational [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error
Incorrect Phase 2 Authentication Settings
An incorrect value was used for Phase 2 authentication (hash) settings. This value should match the GTA firewall's mobile VPN Objects Phase 2 settings.
105935 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]
105935 Default (SA VPN-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
105935 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
105935 Default phase 1 done: initiator id support-GB2@gta.com, responder id 199.120.225.117
105935 Default (SA VPN-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID] [NAT_OA]
105935 Default RECV Informational [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error
Incorrect Phase 2 Key Group Settings
An incorrect value was used for Phase 2 key group (Diffie-Hellman) settings. This value should match the GTA firewall's mobile VPN Objects Phase 2 settings.
110213 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]
110213 Default (SA VPN-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
110213 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
110213 Default phase 1 done: initiator id support-GB2@gta.com, responder id 199.120.225.117
110213 Default (SA VPN-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID] [NAT_OA]
110213 Default RECV Informational [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error
Incorrect Filter Configuration
The GTA firewall has a misconfigured or missing filter for UDP port 4500. Add a remote access filter that accepts UDP port 4500 on the GTA firewall.
130059 Default message_recv: bad message length
130059 Default dropped message from 216.9.84.83 due to notification type UNEQUAL_PAYLOAD_LENGTHS
130059 Default SEND Informational [NOTIFY] with UNEQUAL_PAYLOAD_LENGTHS error
130059 Default (SA GBPhase1-GBPhase2-P2) SEND phase 2 Quick Mode [HASH]
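The client-side excerpts in this section share a small set of telltale lines, which makes the troubleshooting table mechanical. The following added example (not GTA or TheGreenBow code) maps a client log excerpt to the heading under which this guide lists it. Where the guide shows the same line under two headings (the "no keystate" line under both Incorrect Remote Gateway and Incorrect Remote ID Type, the "received remote ID other than expected" line under both Remote ID headings), both are reported. The one inference that goes beyond the guide's table is an assumption drawn from its three Phase 2 excerpts: NO_PROPOSAL_CHOSEN is attributed to a Phase 2 mismatch only when a "phase 1 done" line precedes it.

```python
"""Map GTA Mobile VPN Client IKE log excerpts to the misconfiguration each
one indicates in Reference D. Added example, not GTA or TheGreenBow code:
the patterns are taken from the guide's log excerpts; the rule order and
the Phase 1 / Phase 2 reading of NO_PROPOSAL_CHOSEN are this example's
own assumptions.
"""
import re

# (diagnosis as titled in the guide, pattern from its excerpt). Where the
# guide lists the same line under two headings, both are named.
RULES = [
    ("Incorrect Pre-shared Key",
     re.compile(r"invalid cookie\(s\)|INVALID_COOKIE")),
    ("Incorrect Local ID Type",
     re.compile(r"ike_phase_1_send_ID: invalid ip address")),
    ("Incorrect Remote ID Value or Incorrect Remote ID Type",
     re.compile(r"ike_phase_1_recv_ID: received remote ID other than expected")),
    ("Incorrect Remote Gateway or Incorrect Remote ID Type",
     re.compile(r"ipsec_get_keystate: no keystate in ISAKMP SA")),
    ("Incorrect Filter Configuration (UDP 4500)",
     re.compile(r"message_recv: bad message length|UNEQUAL_PAYLOAD_LENGTHS")),
    ("Incorrect Phase 2 Settings (no answer to the Phase 1 proposal)",
     re.compile(r"transport_send_messages: giving up on message")),
]
PHASE1_DONE = re.compile(r"phase 1 done: initiator id (\S+), responder id (\S+)")
PHASE2_MISMATCH = "Incorrect Phase 2 Settings (encryption, authentication or key group)"


def diagnose(log_text):
    """Scan one connection attempt; return the identities from a completed
    Phase 1 (or None) and the distinct diagnoses in the order triggered."""
    phase1, findings, seen = None, [], set()
    for line in log_text.splitlines():
        line = line.strip()
        m = PHASE1_DONE.search(line)
        if m:
            phase1 = (m.group(1), m.group(2))
            continue
        if "NO_PROPOSAL_CHOSEN" in line:
            # Assumption: all three Phase 2 excerpts in the guide show this
            # notify only after "phase 1 done"; without that line the rejected
            # proposal was Phase 1's, a case the guide does not cover.
            diag = PHASE2_MISMATCH if phase1 else "Phase 1 proposal rejected (not covered by the guide)"
        else:
            diag = next((d for d, pat in RULES if pat.search(line)), None)
        if diag and diag not in seen:
            seen.add(diag)
            findings.append((diag, line))
    return {"phase1": phase1, "findings": findings}


def diagnoses(log_text):
    """Just the diagnosis titles, for quick checks."""
    return [d for d, _ in diagnose(log_text)["findings"]]


# Constructed excerpts, reassembled from the guide's log samples.
LOG_PSK = """\
101901 Default message_recv: invalid cookie(s) 303a3fce1772c7b78505c95b1034c3c6
101901 Default dropped message from 199.120.225.117 due to notification type INVALID_COOKIE
101901 Default SEND Informational [NOTIFY] with INVALID_COOKIE error
"""
LOG_REMOTE_ID = """\
101447 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID]
101447 Default (SA VPN-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
101448 Default ike_phase_1_recv_ID: received remote ID other than expected 199.120.225.117
101455 Default ipsec_get_keystate: no keystate in ISAKMP SA 00F7BD40
"""
LOG_PHASE2 = """\
104402 Default (SA VPN-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
104402 Default phase 1 done: initiator id vpnuser@example.com, responder id 200.200.200.200
104402 Default (SA VPN-CnxVpn1-P2) SE ND phase 2 Quick Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID] [NAT_OA]
104402 Default RECV Informational [HASH] [NOTIFY]
104402 Default RECV Informational [HASH] [NOTIFY] with NO_PROPOSAL_CHOSEN error
"""
LOG_FILTER = """\
130059 Default message_recv: bad message length
130059 Default dropped message from 216.9.84.83 due to notification type UNEQUAL_PAYLOAD_LENGTHS
130059 Default SEND Informational [NOTIFY] with UNEQUAL_PAYLOAD_LENGTHS error
"""

if __name__ == "__main__":
    for name, log in (("PSK", LOG_PSK), ("REMOTE_ID", LOG_REMOTE_ID),
                      ("PHASE2", LOG_PHASE2), ("FILTER", LOG_FILTER)):
        print(name, "->", diagnoses(log))
```

The recv_ID and keystate lines both surface in the remote-ID excerpt, so that sample yields two diagnoses; the order of RULES decides which is listed first, and the line that triggered each diagnosis is returned alongside it so the reader can check the mapping against the excerpts above.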
Copyright
© 1996-2008, Global Technology Associates, Incorporated (GTA). All rights reserved.
Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any means without the prior
permission of Global Technology Associates, Incorporated.
Technical Support
GTA includes 30 days "up and running" installation support from the date of purchase. See GTA's Web site for more information. GTA's direct
customers in the USA should call or email GTA using the telephone and email address below. International customers should contact a local GTA
authorized channel partner.
Tel: +1.407.380.0220 Email: support@gta.com
Disclaimer
Neither GTA, nor its distributors and dealers, make any warranties or representations, either expressed or implied, as to the software and documentation,
including without limitation, the condition of software and implied warranties of its merchantability or fitness for a particular purpose.
GTA shall not be liable for any lost profits or for any direct, indirect, incidental, consequential or other damages suffered by licensee or others
resulting from the use of the program or arising out of any breach of warranty. GTA further reserves the right to make changes to the specifications
of the program and contents of the manual without obligation to notify any person or organization of such changes.
Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation for their use.
GTA assumes no responsibility with regard to the performance or use of these products.
Every effort has been made to ensure that the information in this manual is accurate. GTA is not responsible for printing or clerical errors.
Trademarks & Copyrights
GB-OS, Surf Sentinel, Mail Sentinel and GB-Ware are registered trademarks of Global Technology Associates, Incorporated. GB Commander
is a trademark of Global Technology Associates, Incorporated. Global Technology Associates and GTA are service marks of Global Technology
Associates, Incorporated.
The GTA Mobile VPN Client is licensed from TheGreenBow.
Microsoft, Internet Explorer, Microsoft SQL and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United
States and/or other countries.
Adobe and Adobe Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or
other countries.
UNIX is a registered trademark of The Open Group.
Linux is a registered trademark of Linus Torvalds.
BIND is a trademark of the Internet Systems Consortium, Incorporated and University of California, Berkeley.
WELF and WebTrends are trademarks of NetIQ.
Sun, Sun Microsystems, Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other
countries.
Java software may include software licensed from RSA Security, Inc.
Some products contain software licensed from IBM, available at http://oss.software.ibm.com/icu4j/.
Some products include software developed by the OpenSSL Project (http://www.openssl.org/).
Mailshell and Mailshell Anti-Spam is a trademark of Mailshell Incorporated. Some products contain technology licensed from Mailshell
Incorporated.
All other products are trademarks of their respective companies.
Global Technology Associates, Inc.
3505 Lake Lynda Drive, Suite 109 • Orlando, FL 32817 USA
Tel : +1.407.380.0220 • Fax : +1.407.380.6080 • Web : http://www.gta.com • Email : info@gta.com