Firebox X55E-W | User manual | 2 WatchGuard Firebox® X Edge e-Series VPN

Add to my manuals
18 Pages

advertisement

Firebox X55E-W | User manual | 2 WatchGuard Firebox® X Edge e-Series VPN | Manualzz

TheGreenBow IPSec VPN Client

Configuration Guide

Watchguard Firebox

X Edge e-Series

WebSite:

Contact: http://www.thegreenbow.com

[email protected]

Configuration Guide written by:

Writer: Anastassios Stafilidis

Company: ASCS GmbH, Ihr IT-Partner, www.ascs.de

IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © 2001-2010 1/18

Doc.Ref tgbvpn-cg-watchgard-firebox-edge-en

Doc.version 1.0 –

VPN version 4.x

May 2010

Table of content

1 Introduction .................................................................................................................................................... 3

1.1 Goal of this document ............................................................................................................................ 3

1.2 VPN Network topology ........................................................................................................................... 3

1.3 WatchGuard Firebox® X Edge e-Series Restrictions............................................................................. 3

1.4 WatchGuard Firebox® X Edge e-Series VPN Gateway ......................................................................... 3

1.5 WatchGuard Firebox® X Edge e-Series VPN Gateway product info ..................................................... 3

2 WatchGuard Firebox® X Edge e-Series VPN configuration .......................................................................... 5

2.1 Preparations ........................................................................................................................................... 5

2.2 WatchGuard Firebox® X Edge e-Series VPN configuration .................................................................. 5

3 TheGreenBow IPSec VPN Client configuration ........................................................................................... 10

3.1 VPN Client Phase 1 (IKE) Configuration .............................................................................................. 10

3.2 Phase 1 Advanced settings.................................................................................................................. 10

3.3 VPN Client Phase 2 (IPSec) Configuration .......................................................................................... 11

3.4 Open IPSec VPN tunnels ..................................................................................................................... 12

4 Tools in case of trouble ................................................................................................................................ 13

4.1 A good network analyser: Wireshark ................................................................................................... 13

5 VPN IPSec Troubleshooting ........................................................................................................................ 14

5.1 « PAYLOAD MALFORMED » error (wrong Phase 1 [SA]) ................................................................. 14

5.2 « INVALID COOKIE » error.................................................................................................................. 14

5.3 « no keystate » error ............................................................................................................................ 14

5.4 « received remote ID other than expected » error................................................................................ 14

5.5 « NO PROPOSAL CHOSEN » error .................................................................................................... 15

5.6 « INVALID ID INFORMATION » error .................................................................................................. 15

5.7 I clicked on “Open tunnel”, but nothing happens. ................................................................................. 15

5.8 The VPN tunnel is up but I can’t ping ! ................................................................................................. 15

6 Contacts ....................................................................................................................................................... 17

IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © 2001-2010 2/18

Doc.Ref tgbvpn-cg-watchgard-firebox-edge-en

Doc.version 1.0 –

VPN version 4.x

May 2010

1 Introduction

1.1 Goal of this document

This configuration guide describes how to configure TheGreenBow IPSec VPN Client software with a

WatchGuard Firebox® X Edge e-Series VPN router to establish VPN connections for remote access to corporate network

1.2 VPN Network topology

In our VPN network example (diagram hereafter), we will connect TheGreenBow IPSec VPN Client software to the LAN behind the WatchGuard Firebox® X Edge e-Series router. The VPN client is connected to the Internet with a DSL connection or through a LAN. All the addresses in this document are given for example purpose.

IPSec VPN Client as seen on LAN

(192.168.146.120) mygateway.dyndns.org

192.168.146.254

Internet

192.168.146.40

IPSec VPN Client

(Remote)

WatchGuard

Firebox® X

Edge e-Series 192.168.146.55

1.3 WatchGuard Firebox® X Edge e-Series Restrictions

There are no known restrictions regarding the WatchGuard Firebox® X Edge e-Series. Please make sure you use one of the latest firmware releases from Watchguard. You can see your firmware version on the main site just below “Device Information”. For more details visit http://www.watchguard.com/ .

1.4 WatchGuard Firebox® X Edge e-Series VPN Gateway

Our tests and VPN configuration have been conducted with a WatchGuard Firebox® X55e box and a firmware release 11.2.3.B267784 (Fireware XTM OS).

1.5 WatchGuard Firebox® X Edge e-Series VPN Gateway product info

IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © 2001-2010 3/18

Doc.Ref tgbvpn-cg-watchgard-firebox-edge-en

Doc.version 1.0 –

VPN version 4.x

May 2010

It is critical that users find all necessary information about WatchGuard VPN Gateways. All product info, User

Guide and knowledge base for the WatchGuard Firebox® X Edge e-Series VPN Gateway can be found on the

WatchGuard website: http://www.watchguard.com/ .

WatchGuard Firebox Product page http://www.watchguard.com/international/de/products/index.asp?t=main

WatchGuard Firebox User Guide http://www.watchguard.com/help/documentation/edge.asp

WatchGuard FAQ/Knowledge Base http://www.watchguard.com/help/documentation/xtm.asp

IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © 2001-2010 4/18

Doc.Ref tgbvpn-cg-watchgard-firebox-edge-en

Doc.version 1.0 –

VPN version 4.x

May 2010

2 WatchGuard Firebox® X Edge e-Series VPN configuration

This section describes how to build an IPSec VPN configuration with your WatchGuard Firebox® X Edge e-Series

VPN router.

2.1 Preparations

To connect to your WatchGuard Firebox® X Edge e-Series from the internet by a host or domain name, you might configure a dynamic name resolution service. You will find more detailed information about this topic in your

WatchGuard documentation or on the user guide website: http://www.watchguard.com/help/documentation/edge.asp

.

2.2 WatchGuard Firebox® X Edge e-Series VPN configuration

Once connected to your WatchGuard Firebox® X Edge e-Series VPN gateway adimistration interface, you must select “VPN”. Now choose „Mobile VPN with IPSec“ from the left side. Enter a name for the group policy, e.g.

“GREENBOW” as in the example below. In the tab “General” enter the preshared key into the field

Passphrase”. In the “Firebox IP Addresses” section, enter your hostname or static IP nto the field “External IP

address” and klick “Save” to apply these changes.

IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © 2001-2010 5/18

Doc.Ref tgbvpn-cg-watchgard-firebox-edge-en

Doc.version 1.0 –

VPN version 4.x

May 2010

Now, choose the “IPSec Tunnel” tab and select the option „Use the passphrase of the end user profile as the

pre-shared key”. Now select settings like shown in the screenshots below:

Klick the button “Advanced” in the “Phase 1 Settings” section:

IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © 2001-2010 6/18

Doc.Ref tgbvpn-cg-watchgard-firebox-edge-en

Doc.version 1.0 –

VPN version 4.x

May 2010

Klick the button “Advanced” in the “Phase 2 Settings” section:

Now select the tab “Ressources”. Enter the subnet to which the VPN client(s) shall have access to and add it to the “Allowed Resources” list. In this example, the subnet behind the gateway is 192.168.146.0/24.

IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © 2001-2010 7/18

Doc.Ref tgbvpn-cg-watchgard-firebox-edge-en

Doc.version 1.0 –

VPN version 4.x

May 2010

In the “Virtual IP Address Pool” list, you can assign IP addresses for the VPN client(s). These addresses shall not be within the same subnet range as the subnet(s) defined in the “Allowed Resources” list. Neither they shall be within the range of the dynamic IP pool which is assigned to the machine where the vpn client is installed. In this example, we use 192.168.50.1 bis 192.168.50.10 as virtual client addresses.

Now select the tab “Advanced”. No changes are necessary here.

Apply all changes with “Save”. You can check the settings by klicking “Firewall” and then „Mobile VPN Policies” if VPN rules have been set for the group “GREENBOW”. Usually, no additional rules are necessary for the firewall.

Important: To establih a VPN tunnel successfully, it is necessary that the person who likes to use the VPN client has either an active local user account on the WatchGuard Firebox® or - in case you have configured an Active

Directory environment – an active AD user account.

In this example, we’ll create a user on the WatchGuard Firebox® called “VPNUser” . To do that, select “VPN” and

Authentication” on the left menu. Now klick on “Servers” and select the tab “Firebox”. Click on “Add” to apply a new user to the Firebox user database.

IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © 2001-2010 8/18

Doc.Ref tgbvpn-cg-watchgard-firebox-edge-en

Doc.version 1.0 –

VPN version 4.x

May 2010

In that window, you can define user name and password. In the section “Firebox Authentication Groups”, you can apply a VPN Group to that particular user, in our case GREENBOW. Save changes by klicking “OK”.

IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © 2001-2010 9/18

Doc.Ref tgbvpn-cg-watchgard-firebox-edge-en

Doc.version 1.0 –

VPN version 4.x

May 2010

3 TheGreenBow IPSec VPN Client configuration

This section describes the required configuration to connect to a WatchGuard Firebox® VPN router via VPN connections.

To download the latest release of TheGreenBow IPSec VPN Client software, please go to http://www.thegreenbow.com/vpn_down.html

.

3.1 VPN Client Phase 1 (IKE) Configuration

The remote VPN

Gateway IP address is either an explicit IP address or a DNS Name

Preshared Key as configured as

“passphrase” in the

Fiebox.

Phase 1 configuration

To authenticate the user, in this example we’re using a combination between Preshared Key and X-Auth.

Enter a name for your VPN connection, e.g. GREENBOW_VPN. Enter your gateway host name or IP address and leave Interface to “all”. Please match the values of the IKE section with the settings you have already done on the firebox.

You may as well use either Preshared key, Certificates, USB Tokens, OTP Token (One Time Password) or X-

Auth combined with RADIUS Server for User Authentication with your WatchGuard Firebox® router. This configuration is one example of what can be accomplished in term of User Authentication. You may want to refer to either the WatchGuard Firebox® router user guide or TheGreenBow IPSec VPN Client software User Guide for more details on different User Authentication options.

3.2 Phase 1 Advanced settings

Klick the button “P1 Advanced” to adjust more settings.

IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © 2001-2010 10/18

Doc.Ref tgbvpn-cg-watchgard-firebox-edge-en

Doc.version 1.0 –

VPN version 4.x

May 2010

Select the options “Aggressive mode” and “X-Auth Popup”. As local ID, enter the VPN Group name

(GREENBOW) and select “eMail” as ID type. Remote ID type and value can be left blank. Apply changes with

“OK”.

3.3 VPN Client Phase 2 (IPSec) Configuration

VPN Client Virtual IP address from “Virtual IP

Address Pool”.

Enter the IP address (and subnet mask) of the remote LAN.

IPSec VPN Router Configuration

Phase 2 Configuration

Property of TheGreenBow Sistech SA - © 2001-2010 11/18

Doc.Ref tgbvpn-cg-watchgard-firebox-edge-en

Doc.version 1.0 –

VPN version 4.x

May 2010

Klick “Save & Apply” to save all configuration settings.

3.4 Open IPSec VPN tunnels

Once both WatchGuard Firebox® router and TheGreenBow IPSec VPN Client software have been configured accordingly, you are ready to open VPN tunnels. First make sure you enable your firewall with IPSec traffic.

1. Click on "Save & Apply" to take into account all modifications we've made on your VPN Client configuration

2. Click on "Open Tunnel", or generate traffic that will automatically open a secure IPSec VPN Tunnel (e.g. ping,

IE browser). Once the tunnel starts, a popup window will ask you for your user name and password.

3. Select "Connections" to see opened VPN Tunnels

4. Select "Console" if you want to access to the IPSec VPN logs and adjust filters to display less IPSec messaging. The following example shows a successful connection between TheGreenBow IPSec VPN Client and a WatchGuard Firebox® VPN router.

IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © 2001-2010 12/18

Doc.Ref tgbvpn-cg-watchgard-firebox-edge-en

Doc.version 1.0 –

VPN version 4.x

May 2010

4 Tools in case of trouble

Configuring an IPSec VPN tunnel can be a hard task. One missing parameter can prevent a VPN connection from being established. Some tools are available to find source of troubles during a VPN establishment.

4.1 A good network analyser: Wireshark

Wireshark is a free software that can be used for packet and traffic analysis. It shows IP or TCP packets received on a network card. This tool is available on website http://www.wireshark.org

. It can be used to follow protocol exchange between two devices. For installation and use details, read its specific documentation

( http://www.wireshark.org/docs/ ).

IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © 2001-2010 13/18

Doc.Ref tgbvpn-cg-watchgard-firebox-edge-en

Doc.version 1.0 –

VPN version 4.x

May 2010

5 VPN IPSec Troubleshooting

5.1 « PAYLOAD MALFORMED » error (wrong Phase 1 [SA])

114920 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]

114920 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [NOTIFY]

114920 Default exchange_run: exchange_validate failed

114920 Default dropped message from 195.100.205.114 port 500 due to notification type PAYLOAD_MALFORMED

114920 Default SEND Informational [NOTIFY] with PAYLOAD_MALFORMED error

If you have an « PAYLOAD MALFORMED » error you might have a wrong Phase 1 [SA], check if the encryption algorithms are the same on each side of the VPN tunnel.

5.2 « INVALID COOKIE » error

115933 Default message_recv: invalid cookie(s) 5918ca0c2634288f 7364e3e486e49105

115933 Default dropped message from 195.100.205.114 port 500 due to notification type INVALID_COOKIE

115933 Default SEND Informational [NOTIFY] with INVALID_COOKIE error

If you have an « INVALID COOKIE » error, it means that one of the endpoint is using a SA that is no more in use.

Reset the VPN connection on each side.

5.3 « no keystate » error

115315 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]

115317 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]

115317 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [KEY][NONCE]

115319 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [KEY][NONCE]

115319 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]

115319 Default ipsec_get_keystate: no keystate in ISAKMP SA 00B57C50

Check if the preshared key is correct or if the local ID is correct (see « Advanced » button). You should have more information in the remote endpoint logs.

5.4 « received remote ID other than expected » error

120348 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]

120349 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]

120349 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [KEY][NONCE]

120351 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [KEY][NONCE]

120351 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]

120351 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY]

120351 Default ike_phase_1_recv_ID: received remote ID other than expected [email protected]

The « Remote ID » value (see « Advanced » Button) does not match what the remote endpoint is expected.

IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © 2001-2010 14/18

Doc.Ref tgbvpn-cg-watchgard-firebox-edge-en

Doc.version 1.0 –

VPN version 4.x

May 2010

5.5 « NO PROPOSAL CHOSEN » error

115911 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]

115913 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]

115913 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [KEY][NONCE]

115915 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [KEY][NONCE]

115915 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]

115915 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY]

115915 Default phase 1 done: initiator id c364cd70: 195.100.205.112, responder id c364cd72: 195.100.205.114, src: 195.100.205.112 dst: 195.100.205.114

115915 Default (SA CNXVPN1-CNXVPN1-P2) SEND phase 2 Quick Mode

[SA][KEY][ID][HASH][NONCE]

115915 Default RECV Informational [HASH][NOTIFY] with NO_PROPOSAL_CHOSEN error

115915 Default RECV Informational [HASH][DEL]

115915 Default CNXVPN1-P1 deleted

If you have an « NO PROPOSAL CHOSEN » error, check that the « Phase 2 » encryption algorithms are the same on each side of the VPN Tunnel.

Check « Phase 1 » algorithms if you have this:

115911 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]

115911 Default RECV Informational [NOTIFY] with NO_PROPOSAL_CHOSEN error

5.6 « INVALID ID INFORMATION » error

122623 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]

122625 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]

122625 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [KEY][NONCE]

122626 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [KEY][NONCE]

122626 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]

122626 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY]

122626 Default phase 1 done: initiator id c364cd70: 195.100.205.112, responder id c364cd72: 195.100.205.114, src: 195.100.205.112 dst: 195.100.205.114

122626 Default (SA CNXVPN1-CNXVPN1-P2) SEND phase 2 Quick Mode

[SA][KEY][ID][HASH][NONCE]

122626 Default RECV Informational [HASH][NOTIFY] with INVALID_ID_INFORMATION error

122626 Default RECV Informational [HASH][DEL]

122626 Default CNXVPN1-P1 deleted

If you have an « INVALID ID INFORMATION » error, check if « Phase 2 » ID (local address and network address) is correct and match what is expected by the remote endpoint.

Check also ID type (“Subnet address” and “Single address”). If network mask is not check, you are using a

IPV4_ADDR type (and not a IPV4_SUBNET type).

5.7 I clicked on “Open tunnel”, but nothing happens.

Read logs of each VPN tunnel endpoint. IKE requests can be dropped by firewalls. An IPSec Client uses UDP port 500 and protocol ESP (protocol 50).

5.8 The VPN tunnel is up but I can’t ping !

If the VPN tunnel is up, but you still cannot ping the remote LAN, here are a few guidelines:

• Check Phase 2 settings: VPN Client address and Remote LAN address. Usually, VPN Client IP address should not belong to the remote LAN subnet

• Once VPN tunnel is up, packets are sent with ESP protocol. This protocol can be blocked by firewall.

Check that every device between the client and the VPN server does accept ESP

• Check your VPN server logs. Packets can be dropped by one of its firewall rules.

• Check your ISP support ESP

IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © 2001-2010 15/18

Doc.Ref tgbvpn-cg-watchgard-firebox-edge-en

Doc.version 1.0 –

VPN version 4.x

May 2010

• If you still cannot ping, follow ICMP traffic on VPN server LAN interface and on LAN computer interface

(with Wireshark for example). You will have an indication that encryption works.

• Check the “default gateway” value in VPN Server LAN. A target on your remote LAN can receive pings but does not answer because there is a no “Default gateway” setting.

• You cannot access to the computers in the LAN by their name. You must specify their IP address inside the LAN.

• We recommend you to install Wireshark (http://www.wireshark.org) on one of your target computer. You can check that your pings arrive inside the LAN.

IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © 2001-2010 16/18

Doc.Ref tgbvpn-cg-watchgard-firebox-edge-en

Doc.version 1.0 –

VPN version 4.x

May 2010

6 Contacts

News and updates on TheGreenBow web site: http://www.thegreenbow.com

Technical support by email at [email protected]

Sales contacts by email at [email protected]

IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © 2001-2010 17/18

Secure, Strong, Simple.

TheGreenBow Security Software

advertisement

Was this manual useful for you? Yes No
Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Related manuals

Download PDF

advertisement