
Client Configuration


Check Point VPN

Check the Check Point VPN Debugging Guide.

Shrewsoft VPN Client for Windows

Shrew Soft VPN Client for Windows is a free IPsec client for Windows 2000 and Windows XP. It can be used to talk to an open-source operating system running ipsec-tools and provides an alternative to expensive commercial VPN solutions. This section describes how to create a VPN connection between a Windows host and Syneto UTM using the Shrew Soft VPN client for Windows.

Prerequisites

  • Synchronize the clocks of both computers. Pointing both at the same NTP server greatly reduces the chance of a time skew that makes the certificates appear expired or not yet valid.
  • Log on to the Syneto UTM
  • Navigate to the X509 Certificates > Manage Local CA menu and create a CA named ‘synetoca’
  • Navigate to the X509 Certificates > Manage Local Certificates menu and create a certificate named ‘shrewtest’
  • Navigate to the Virtual Private Networking menu, enable VPN and apply the configuration


Create a VPN tunnel on Syneto UTM

  • ‘Tunnel type’: RoadWarrior
  • ‘Name’: test
  • ‘Tunnel mode’: listen
  • ‘Local IP’: eth0
  • ‘Local Network’: eth1
  • ‘Encryption method’: aes
  • ‘Authentication method’: sha1
  • ‘X.509 Certificate’: local shrewtest
  • ‘Subject’: /C=US/ST=….. (automatically filled by the web interface)


Prepare the Windows Client

  • Verify connectivity between the client and the Syneto appliance (e.g. ping 10.1.1.1).
  • On Syneto UTM, go to the X509 Certificates > Manage Local Certificates menu and download the shrewtest certificate.
  • NOTE: Even though you are configuring a Windows platform, Shrew Soft requires the “linux” certificate bundle, not the “windows” one. Clicking the “linux” link on the page downloads an archive containing the files you will need later on (CA.pem, SpiderCert.pem and SpiderKey.pem).
  • Copy the certificate archive to the Windows client and uncompress it. SpiderKey.pem is the client’s private key: keep the archive and the extracted files where only the VPN user can read them.


Configure Shrew Soft VPN Client

  • General:
    • Remote Host’s host name or IP address: 10.1.1.1, port 500
    • Use an existing adapter and current address
  • Client:
    • NAT Traversal: enable
    • NAT Traversal port: 4500
    • Keepalive packet rate: 15 sec
    • IKE Fragmentation: disable
    • Enable Dead Peer Detection
    • Enable ISAKMP Failure Notifications
  • Authentication:
    • Authentication method: Mutual RSA
    • Local Identity: ASN.1 Distinguished Name, Use the subject in the certificate
    • Remote Identity: ASN.1 Distinguished Name, Use the subject in the certificate
    • Credentials: Load keys from the certificate archive downloaded from Syneto:
      • Server Certificate Authority File: CA.pem
      • Client Certificate File: SpiderCert.pem
      • Client Private Key File: SpiderKey.pem
  • Phase 1:
    • Exchange type: main
    • DH Exchange: auto
    • Cipher algorithm: aes
    • Hash algorithm: sha1
    • Key Life Time Limit: 86400 Secs
    • Key Life Data Limit: 0 Kbytes
  • Phase 2:
    • Transform algorithm: auto
    • HMAC algorithm: auto
    • PFS Exchange: group 5
    • Compress algorithm: disabled
    • Key Life Time Limit: 3600 sec
    • Key Life Data Limit: 0 Kbytes
  • Policy:
    • Do not maintain persistent Security Associations
    • Do not obtain topology automatically on Tunnel All
    • Add remote network resource: 10.1.2.0/255.255.255.0


Test tunnel operation

The VPN tunnel should now be up and running. To test it, ping an IP address on the Syneto UTM’s internal network from the Windows client (in this case an address in the 10.1.2.0/24 network). Once the tunnel is established, the VPN client displays information similar to the following screenshot. If the tunnel does not come up, the usual causes are a Phase 1 or Phase 2 proposal that does not match the tunnel definition on the Syneto side, a local or remote identity that does not match the certificate subject, or a clock skew that makes the certificate appear expired or not yet valid.

Figure 8-5

FreeSWAN/StrongSWAN/OpenSWAN for Linux

Linux configuration is not for the faint of heart. If you are comfortable setting up IPsec from the command line, all you need to know is that Syneto internally uses the strongSwan Linux implementation, and that every tunnel configured through the web interface has a corresponding tunnel definition in /etc/ipsec.tunnels.conf.

For every tunnel defined using the web interface, the administrator may download a configuration template that may be used for one of these IPSec implementations:

  • FreeSWAN
  • StrongSWAN
  • OpenSWAN


All these IPsec implementations derive from the same code base, originally written for FreeSWAN, so the configuration downloaded from Syneto will be a very good starting point.


Strongswan on Ubuntu Linux

Prerequisites

Before following this guide, make sure that strongSwan is installed rather than Openswan, another IPsec implementation. To ensure this, execute these commands as root or with sudo on the Ubuntu machine:
  • apt-get remove openswan libppl7 ipsec-tools libcloog-ppl0 libgmpxx4ldbl libppl-c2
  • apt-get install strongswan

This is the sample output from these commands – yours may differ:

root@bubuntu:/home/dan# apt-get remove openswan libppl7 ipsec-tools libcloog-ppl0 libgmpxx4ldbl libppl-c2
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package openswan is not installed, so not removed
Package libppl7 is not installed, so not removed
Package ipsec-tools is not installed, so not removed
Package libcloog-ppl0 is not installed, so not removed
Package libgmpxx4ldbl is not installed, so not removed
Package libppl-c2 is not installed, so not removed
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@bubuntu:/home/dan# apt-get install strongswan
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  ipsec-tools
Suggested packages:
  curl
The following NEW packages will be installed:
  ipsec-tools strongswan
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/1,262kB of archives.
After this operation, 3,453kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Preconfiguring packages ...
Selecting previously deselected package ipsec-tools.
(Reading database ... 137270 files and directories currently installed.)
Unpacking ipsec-tools (from .../ipsec-tools_1%3a0.7.1-1.5ubuntu4_i386.deb) ...
Selecting previously deselected package strongswan.
Unpacking strongswan (from .../strongswan_4.2.9-1_i386.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up ipsec-tools (1:0.7.1-1.5ubuntu4) ...

Setting up strongswan (4.2.9-1) ...
Error: /etc/ipsec.d/certs/bubuntuCert.pem or /etc/ipsec.d/private/bubuntuKey.pem already exists.
Please remove them first an re-run dpkg-reconfigure to create a new keypair.
update-rc.d: warning: ipsec start runlevel arguments (S) do not match LSB Default-Start values (2 3 4 5)
update-rc.d: warning: ipsec stop runlevel arguments (0 6) do not match LSB Default-Stop values (0 1 6)
Disabling opportunistic encryption (OE) in config file ... already disabled
 * Restarting strongswan IPsec services ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 4.2.9 IPsec [starter]...
   ...done.
Starting strongSwan 4.2.9 IPsec [starter]...
pluto is already running (/var/run/pluto.pid exists) -- skipping pluto start
charon is already running (/var/run/charon.pid exists) -- skipping charon start
starter is already running (/var/run/starter.pid exists) -- no fork done

Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@bubuntu:/home/dan# 

Having installed strongSwan, we proceed to the next steps:
  1. Installing the X.509 certificate generated on Syneto UTM
  2. Configuring IPSec

Installing the X.509 certificate generated on Syneto UTM

Uncompress the certificate_x509_ClientName.tar.gz file downloaded from Syneto UTM on the Ubuntu machine and copy the certificate files to their appropriate locations. The private key goes under /etc/ipsec.d/private, which should stay readable by root only (chmod 600 on the key file):

root@bubuntu:/home/dan# tar -zxvf certificate_x509_OpenSwan.tar.gz 
Cert/
Cert/CA.pem
Cert/crl.pem
Cert/SpiderCert.pem
Cert/SpiderKey.pem
Cert/id.txt
root@bubuntu:/home/dan# cp Cert/CA.pem /etc/ipsec.d/cacerts/CA.pem 
root@bubuntu:/home/dan# cp Cert/crl.pem /etc/ipsec.d/crls/synetoCRL.pem 
root@bubuntu:/home/dan# cp Cert/SpiderCert.pem /etc/ipsec.d/certs/Client.pem 
root@bubuntu:/home/dan# cp Cert/SpiderKey.pem /etc/ipsec.d/private/ClientKey.pem
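Before wiring the bundle into either client (the Shrew Soft credentials above, or the strongSwan directories just populated), it is worth confirming that the files belong together and that this machine’s clock falls inside the certificate’s validity window; the time-skew problem mentioned in the Shrew Soft prerequisites shows up here first. The following script is an added example, not part of the Syneto documentation or its tooling. It assumes openssl(1) is installed and, so that it runs offline, generates its own throw-away CA and client certificate standing in for the downloaded archive. It also prints the subject DN in the /C=…/CN=… form that the Syneto interface shows and that identities in Shrew Soft and ipsec.conf use.

```shell
#!/bin/sh
# Added example (not from the Syneto page): sanity-check a certificate bundle
# (CA.pem, SpiderCert.pem, SpiderKey.pem) before handing it to a VPN client.
# Assumes openssl(1) is on PATH; the sample bundle below is constructed here.

# check_bundle CA.pem CERT.pem KEY.pem
# Returns 0 when CERT chains to CA, is valid for this machine's clock, and KEY
# is the private key matching CERT. Reasons for failure go to stderr.
check_bundle() {
    ca="$1"; cert="$2"; key="$3"
    # 1. Chain and validity window (notBefore/notAfter) against the local clock.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not verify against $ca (chain or validity)" >&2
        return 1
    }
    # 2. Key/certificate match: compare the public key carried in each.
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $key is not the private key for $cert" >&2
        return 1
    }
    # 3. Early warning: expiry within 30 days (2592000 s) still passes.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null || \
        echo "WARN: $cert expires within 30 days" >&2
    return 0
}

# cert_dn CERT.pem
# Prints the subject as /C=.../CN=..., the form used for leftid/rightid and
# for the "use the subject in the certificate" identity in Shrew Soft.
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# make_sample_bundle DIR
# Constructed stand-in for the Syneto download: a throw-away CA, a client
# certificate signed by it, and an unrelated key to exercise the mismatch check.
make_sample_bundle() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$d/ca.key" -out "$d/CA.pem" -subj "/CN=synetoca" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$d/SpiderKey.pem" -out "$d/client.csr" \
        -subj "/C=RO/ST=Timis/O=Example/CN=shrewtest" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/client.csr" \
        -CA "$d/CA.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/SpiderCert.pem" >/dev/null 2>&1
    openssl genrsa -out "$d/WrongKey.pem" 2048 >/dev/null 2>&1
}

SAMPLE_DIR=$(mktemp -d)
make_sample_bundle "$SAMPLE_DIR"
if check_bundle "$SAMPLE_DIR/CA.pem" "$SAMPLE_DIR/SpiderCert.pem" "$SAMPLE_DIR/SpiderKey.pem"; then
    echo "bundle OK, client DN: $(cert_dn "$SAMPLE_DIR/SpiderCert.pem")"
fi
```

On a real bundle, run it as `check_bundle Cert/CA.pem Cert/SpiderCert.pem Cert/SpiderKey.pem` from the directory where the archive was extracted; a failure in step 1 on a certificate you just issued almost always means the client’s clock is wrong rather than the certificate.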

Configuring IPSec by editing its configuration files

Edit the /etc/ipsec.secrets file (using nano -w /etc/ipsec.secrets):

192.168.1.234 192.168.1.1: RSA /etc/ipsec.d/private/ClientKey.pem ""

Edit the /etc/ipsec.conf file (using nano -w /etc/ipsec.conf):

config setup
	charonstart=yes
	plutostart=yes

conn syneto
	left=192.168.1.234
	leftrsasigkey=%cert
	leftcert=Client.pem
	right=192.168.1.1
	rightid="/C=RO/ST=Timis/L=Timisoara/O=MFDLabs/OU=Development/CN=Spiderwall/Email=office@spidernet.co.ro"
	rightsubnet=81.196.33.96/28
	rightrsasigkey=%cert
	authby=rsasig
	auto=start

Note that leftcert names the file copied into /etc/ipsec.d/certs above (Client.pem), and rightid must match the subject of the Syneto gateway’s certificate exactly; a mismatch in either makes authentication fail. Once strongSwan is configured, start IPsec and watch the tunnel establish:

root@bubuntu:/home/dan# /etc/init.d/ipsec start
Starting strongSwan 4.2.9 IPsec [starter]…
root@bubuntu:/home/dan# 
On Ubuntu, watch these log files for more information if something fails. This is an example of a successfully established connection (look for: sent QI2, IPsec SA established):

root@bubuntu:/home/dan# tail -f /var/log/user.log /var/log/kern.log /var/log/auth.log
==> /var/log/user.log <==
Jun 10 13:33:41 bubuntu 50mounted-tests: debug: /dev/sda5 is a swap partition; skipping
Jun 10 13:33:41 bubuntu os-prober: debug: os detected by /usr/lib/os-probes/50mounted-tests
Jun 10 13:41:47 bubuntu pluto: adjusting ipsec.d to /etc/ipsec.d
Jun 10 14:11:47 bubuntu pluto: adjusting ipsec.d to /etc/ipsec.d
Jun 10 14:15:32 bubuntu pluto: adjusting ipsec.d to /etc/ipsec.d
Jun 10 14:17:26 bubuntu pluto: adjusting ipsec.d to /etc/ipsec.d
Jun 10 14:18:50 bubuntu pluto: last message repeated 2 times
Jun 10 14:25:55 bubuntu pluto: adjusting ipsec.d to /etc/ipsec.d
Jun 10 14:27:06 bubuntu pluto: adjusting ipsec.d to /etc/ipsec.d
Jun 10 14:28:03 bubuntu pluto: adjusting ipsec.d to /etc/ipsec.d

==> /var/log/kern.log <==
Jun 10 14:28:03 bubuntu kernel: [ 2898.862672] NET: Unregistered protocol family 15
Jun 10 14:28:03 bubuntu kernel: [ 2898.920448] NET: Registered protocol family 15
Jun 10 14:28:03 bubuntu kernel: [ 2899.038111] Initializing XFRM netlink socket
Jun 10 14:28:03 bubuntu kernel: [ 2899.045335] padlock: VIA PadLock not detected.
Jun 10 14:28:03 bubuntu kernel: [ 2899.051336] padlock: VIA PadLock Hash Engine not detected.
Jun 10 14:28:03 bubuntu kernel: [ 2899.058675] padlock: VIA PadLock not detected.
Jun 10 14:41:48 bubuntu kernel: [ 3724.133097] NET: Unregistered protocol family 15
Jun 10 14:43:59 bubuntu kernel: [ 3854.726974] NET: Registered protocol family 15
Jun 10 14:43:59 bubuntu kernel: [ 3854.765405] Initializing XFRM netlink socket
Jun 10 14:50:43 bubuntu kernel: [ 4258.263066] alg: No test for authenc(hmac(sha1),cbc(aes)) (authenc(hmac(sha1-generic),cbc(aes-asm)))

==> /var/log/auth.log <==
Jun 10 15:20:45 bubuntu pluto[7185]: "syneto" #1: received Vendor ID payload [Dead Peer Detection]
Jun 10 15:20:45 bubuntu pluto[7185]: "syneto" #1: we have a cert and are sending it upon request
Jun 10 15:20:45 bubuntu pluto[7185]: "syneto" #1: Peer ID is ID_DER_ASN1_DN: 'C=RO, ST=Timis, L=Timisoara, O=MFDLabs, OU=Development, CN=Spiderwall, E=office@spidernet.co.ro'
Jun 10 15:20:45 bubuntu pluto[7185]: "syneto" #1: ISAKMP SA established
Jun 10 15:20:45 bubuntu pluto[7185]: "syneto" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jun 10 15:20:45 bubuntu ipsec_starter[7260]: Starting strongSwan 4.2.9 IPsec [starter]...
Jun 10 15:20:45 bubuntu ipsec_starter[7260]: pluto is already running (/var/run/pluto.pid exists) -- skipping pluto start
Jun 10 15:20:45 bubuntu ipsec_starter[7260]: charon is already running (/var/run/charon.pid exists) -- skipping charon start
Jun 10 15:20:45 bubuntu ipsec_starter[7260]: starter is already running (/var/run/starter.pid exists) -- no fork done
Jun 10 15:20:46 bubuntu pluto[7185]: "syneto" #2: sent QI2, IPsec SA established {ESP=>0x3248e1cc <0x212cc25f}
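Rather than eyeballing the tail output, the same check can be scripted. The script below is an added example, not from the Syneto documentation; it assumes the strongSwan 4.x pluto log wording shown in the transcript above and uses those lines (plus a constructed variant that stops after phase 1) as sample input. Besides reporting whether the IPsec SA came up and which ESP SPIs it got, it extracts the DN pluto saw in the peer’s certificate, which is what you should compare against the rightid you configured.

```shell
#!/bin/sh
# Added example (not from the Syneto page): read pluto lines from auth.log and
# report the state of one connection. Assumes strongSwan 4.x / pluto wording.

# tunnel_state CONN LOGFILE
# Prints "up OUT_SPI IN_SPI", "phase1" or "down"; exit 0 only when the
# IPsec SA (phase 2, "sent QI2") is established.
tunnel_state() {
    conn="$1"; log="$2"
    p2=$(grep "\"$conn\" #[0-9]*: sent QI2, IPsec SA established" "$log" | tail -n 1)
    if [ -n "$p2" ]; then
        # {ESP=>0x3248e1cc <0x212cc25f}: outbound SPI first, inbound second
        echo "up $(printf '%s\n' "$p2" | sed 's/.*{ESP=>\(0x[0-9a-f]*\) <\(0x[0-9a-f]*\)}.*/\1 \2/')"
        return 0
    fi
    if grep -q "\"$conn\" #[0-9]*: ISAKMP SA established" "$log"; then
        # IKE done but quick mode never completed: usually a phase 2 proposal
        # or subnet/policy mismatch rather than an authentication problem.
        echo "phase1"
    else
        echo "down"
    fi
    return 1
}

# peer_id CONN LOGFILE
# Prints the DN pluto took from the peer's certificate. Compare it with the
# rightid in ipsec.conf: a different DN means the CA may have checked out but
# you are not talking to the gateway you configured.
peer_id() {
    grep "\"$1\" #[0-9]*: Peer ID is ID_DER_ASN1_DN: '" "$2" | tail -n 1 \
        | sed "s/.*ID_DER_ASN1_DN: '\(.*\)'.*/\1/"
}

# Sample input: the successful exchange from the transcript above, and a
# constructed variant truncated after phase 1.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jun 10 15:20:45 bubuntu pluto[7185]: "syneto" #1: received Vendor ID payload [Dead Peer Detection]
Jun 10 15:20:45 bubuntu pluto[7185]: "syneto" #1: we have a cert and are sending it upon request
Jun 10 15:20:45 bubuntu pluto[7185]: "syneto" #1: Peer ID is ID_DER_ASN1_DN: 'C=RO, ST=Timis, L=Timisoara, O=MFDLabs, OU=Development, CN=Spiderwall, E=office@spidernet.co.ro'
Jun 10 15:20:45 bubuntu pluto[7185]: "syneto" #1: ISAKMP SA established
Jun 10 15:20:45 bubuntu pluto[7185]: "syneto" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jun 10 15:20:46 bubuntu pluto[7185]: "syneto" #2: sent QI2, IPsec SA established {ESP=>0x3248e1cc <0x212cc25f}
EOF
PHASE1_LOG=$(mktemp)
head -n 5 "$SAMPLE_LOG" > "$PHASE1_LOG"

echo "syneto: $(tunnel_state syneto "$SAMPLE_LOG")"
echo "peer:   $(peer_id syneto "$SAMPLE_LOG")"
echo "syneto (phase-1-only log): $(tunnel_state syneto "$PHASE1_LOG")"
```

Against a live system, point it at /var/log/auth.log (`tunnel_state syneto /var/log/auth.log`); the exit status makes it usable from a monitoring check as well as interactively.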

VPN Tracker for Mac OS X

VPN Tracker is an easy-to-use and very powerful IPsec client for Mac OS X. To illustrate how VPN Tracker configures a RoadWarrior tunnel we will use this network diagram:

Figure 8-6

Figure 8-7 shows all the information you will need in order to set up a VPN connection:

  • The Syneto appliance’s public IP address
  • The LAN you want to gain access to
  • Optional: a virtual IP to use once connected to the company LAN
  • Optional: a DNS server that resolves names internal to the company’s domain


We recommend starting from the Linux > FreeSWAN > X.509 Certificates connection template.

Configure VPN Tracker using the following steps:

  • Network:
    • ‘VPN Gateway’: 1.1.1.1
    • ‘Local Address’: 192.168.1.100
    • ‘Remote Network’: 192.168.1.0/24
  • Authentication:
    • ‘Certificates’: press ‘Edit’
    • ‘Local Certificate’: select your certificate loaded into Mac OS X Keychain
    • ‘Remote Certificate’: use certificate supplied by peer
  • Identifiers:
    • ‘Local’: Local Certificate
    • ‘Remote’: Remote Certificate
    • Check ‘Verify remote identifier’
  • DNS (optional):
    • Use remote DNS Server
    • ‘DNS Servers’: 192.168.1.2
    • ‘Search domains’: intranet.example.com
    • ‘Use DNS Server for’: Specified Domains (split DNS)

Figure 8-7

VPN Tracker uses the Mac OS X Keychain to store X.509 certificates. If you need to authenticate to Syneto using a certificate issued by Syneto, the easiest way is to export it in PKCS#12 format (labelled “windows” in Syneto’s Web Management Interface) and import it into the Keychain.

Figure 8-8