Sophos XG Firewall Web Interface Reference and Admin Guide v16.5


| Configure | 289

The Add PPTP Member page allows you to select users who are to be allowed remote access through PPTP.

1. Go to Configure > VPN > PPTP (Remote Access) and click Add Member(s) to add users or user groups. A new window is displayed showing a list of users and user groups.

2. Select users or user groups who are to be allowed remote access through PPTP. You can add a single or multiple users or user groups.

3. Click Apply to add these users and user groups to the PPTP members list.

PPTP Members

The PPTP Members page allows you to view the list of PPTP members and remove members for whom remote access through PPTP is to be disabled.

1. Go to Configure > VPN > PPTP (Remote Access) and click Show Members to view a list of PPTP members. A new window is displayed showing a list of PPTP users who are allowed access through the PPTP connection.

2. Select the users for whom you want to disable PPTP access. You can select multiple users or user groups.

3. Click Delete.

IPsec Profiles

The IPsec Profiles page displays a list of all preconfigured and custom IPsec policies.

A policy describes the security parameters used for negotiations to establish and maintain a secure tunnel between two peers.

Before you set up your secure tunnels, to make their configuration faster and easier, you can create VPN policies that work on a global level. Rather than configuring the policy parameters for every tunnel you create, you can configure general policies and then later apply them to your secure tunnels.

Click Show Configuration to show all configuration tabs.

Authentication mode

To ensure secure communication, there are two phases to every IKE (Internet Key Exchange) negotiation: Phase 1 (Authentication) and Phase 2 (Key exchange).

The Phase 1 negotiation establishes a secure channel between peers, determines the specific set of cryptographic protocols, exchanges shared secret keys, and selects the encryption and authentication algorithms that will be used for generating keys.

The Phase 2 negotiation establishes a secure channel between peers to protect data. During Phase 2 negotiation, the protocol security association for the tunnel is established. Either of the peers can initiate Phase 1 or Phase 2 renegotiation at any time. Both can specify intervals after which to negotiate.

Key life

The lifetime of a key is specified as its key life.

Once the connection is established after exchanging authenticated and encrypted keys, the connection is not dropped until the key life expires. If the key life of the two peers is not the same, negotiation takes place whenever the key life of either peer is over. This means an intruder has to decrypt only one key to break into your system.

Key generation and key rotation are important because the longer the life of the key, the larger the amount of data at risk, and the easier it becomes to intercept more ciphertext for analysis.

Perfect Forward Secrecy (PFS)

It becomes difficult for a network intruder to get the big picture if keys keep changing and a new key has to be cracked for every negotiation. This is achieved by implementing PFS. When PFS is selected, a new key is generated for every negotiation and a new DH key exchange is included, so each time the intruder has to break yet another key even if the previous key is already known. This enhances security.


Diffie-Hellman (DH) Group (IKE group)

Diffie-Hellman is a public-key cryptography scheme that allows peers to establish a shared secret over an insecure communications channel. Diffie-Hellman key exchange uses a complex algorithm and public and private keys to encrypt and then decrypt the data.

The Diffie-Hellman group describes the key length used in encryption. The group number is also termed the identifier.

DH Group    Key length (bits)
1           768
2           1024
5           1536
14          2048
15          3072
16          4096

If mismatched groups are specified on each peer, negotiation fails. The group cannot be switched during the negotiation.

Re-key Margin

The time before the next key is exchanged. It is calculated by subtracting the time elapsed since the last key exchange from the key life. When Re-keying is set to ‘Yes’, the negotiation process starts automatically before key expiry without interrupting service.

Dead Peer Detection settings

Use this to check whether the device is able to reach the peer IP address. Set the time interval after which the status of the peer is checked and the action to take if the peer is not alive.

Tunnel Negotiation

The negotiation process starts to establish the connection when the local or remote peer wants to communicate with the other. Depending on the connection parameters defined, a key is generated which is used for negotiations. The lifetime of the key is specified as Key life. Once the connection is established, the connection is alive/active and data can be transferred up to the specified key life. The connection is closed/deactivated once the key expires.

If the connection is to be activated again, the entire negotiation process must be started all over again. The negotiation process can be restarted automatically by either the local or remote peer only if Allow Re-keying is set to ‘Yes’.

Set the re-keying time in terms of the remaining key life at which negotiation is to be started automatically, without interrupting the communication, before key expiry. For example, if the key life is 8 hours and the Re-key margin is 10 minutes, the negotiation process will automatically start after 7 hours 50 minutes of key usage.

The negotiation process will generate a new key only if Perfect Forward Secrecy (PFS) is set to ‘Yes’. PFS generates a new key from scratch, so there is no dependency between the old and new key.

Re-keying   Result
Yes         Both the local and remote peer can initiate a connection request. Depending on PFS, the negotiation process will use the same key or generate a new key.
No          Only the remote peer can initiate a connection request. Depending on PFS, the negotiation process will use the same key or generate a new key.

The device provides 5 default policies, and you can also create a custom policy to meet your organization’s requirements.


To make VPN connection configuration an easy task, the following five preconfigured VPN policies are included for the frequently used VPN deployment scenarios:

• Road warrior

• L2TP

• Head office connectivity

• Branch office connectivity

• Default

The page also provides options to add a new policy, update the parameters of an existing policy, or delete a policy. Instead of creating a policy from scratch, you can also create a new policy based on an existing policy by duplicating its parameters.

Duplicate - Click the icon in the Manage column against the VPN policy to be duplicated. The Add VPN Policy window is displayed with the same parameter values as the existing policy. Modify the values as needed and click OK to add the new policy.

Note: The default policy can be updated but cannot be deleted.

Create a New IPsec Policy

This page describes how to quickly configure a new IPsec policy.

The Add IPsec Policy menu allows you to manually enter details to add an IPsec policy.

1. Go to Configure > VPN > IPsec Profiles and click Add.

2. Specify the General Settings details.

Name

Enter a unique name for the IPsec policy.

Description

Enter a description for the IPsec policy.

Allow Re-keying

Enable Re-Keying to start the negotiation process automatically before key expiry. The process will start automatically at the time specified in the re-key margin.

If enabled, the negotiation process can be initiated by either the local or the remote peer. Depending on PFS, the negotiation process will use the same key or generate a new key.

Key Negotiation Tries

Specify maximum key negotiation trials allowed. Set 0 for an unlimited number of trials.

Authentication Mode

Select an authentication mode. It is used for exchanging authentication information.

Available Options:

• Main Mode - Consists of 6 messages. It processes and validates the Diffie-Hellman exchange in 3 exchanges.

• Aggressive Mode - Consists of 3 messages. With Aggressive Mode, a tunnel can be established faster than with Main Mode, as fewer messages are exchanged during authentication and no cryptographic algorithm is used to encrypt the authentication information. Use Aggressive Mode when the remote peer has a dynamic IP address.

Depending on the Authentication Mode, the Phase 1 parameters are exchanged for authentication purposes.

In Main Mode, the Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information, while in Aggressive Mode the Phase 1 parameters are exchanged in single messages without encryption.

Pass Data In Compressed Format

Enable to pass data in compressed format to increase throughput.

Figure 296: General Settings

3. Specify the Phase 1 details.

Encryption Algorithm

Select the encryption algorithm that would be used by communicating parties for integrity of exchanged data for phase 1.

Supported Encryption algorithms: DES, 3DES, AES128, AES192, AES256, TwoFish, BlowFish, and Serpent.

3DES – Triple DES is a symmetric strong encryption algorithm that is compliant with the OpenPGP standard. It is the application of DES standard where three keys are used in succession to provide additional security.

AES – Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 Bits. This security system supports a number of encryption algorithms.

Serpent – Serpent is a 128-bit block cipher, i.e. data is encrypted and decrypted in 128-bit chunks, with a variable key length of 128, 192, or 256 bits. The Serpent algorithm uses 32 rounds, or iterations, of the main algorithm.

Serpent is faster than DES and more secure than Triple DES.

BlowFish – BlowFish is a symmetric encryption algorithm which uses the same secret key to both encrypt and decrypt messages. It is also a block cipher, which divides a message into fixed-length blocks during encryption and decryption. It has a 64-bit block size, a key length of anywhere from 32 bits to 448 bits, and uses 16 rounds of the main algorithm.

TwoFish – TwoFish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.

Authentication Algorithm

Select an authentication algorithm that would be used by communicating parties for integrity of exchanged data for phase 1.

Maximum three combinations of encryption and authentication algorithms can be selected. The remote peer must be configured to use at least one of the defined combinations.

Click the icon to add more than one combination of encryption and authentication algorithms.

Default: MD5


Note: We strongly recommend using AES and SHA2 256 to reduce potential vulnerability.

DH Group (Key Group)

Select one Diffie-Hellman Group from 1, 2, 5, 14, 15 or 16. DH Group specifies the key length used for encryption.

• DH Group 1 uses 768-bit encryption

• DH Group 2 uses 1024-bit encryption

• DH Group 5 uses 1536-bit encryption

• DH Group 14 uses 2048-bit encryption

• DH Group 15 uses 3072-bit encryption

• DH Group 16 uses 4096-bit encryption

The remote peer must be configured to use the same group. If mismatched groups are specified on each peer, negotiation fails.
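The two rules stated for this policy page are that the remote peer must share at least one of the up to three encryption/authentication combinations and must use the same DH group, otherwise negotiation fails. The following is an added example, not code from the Sophos guide, that models that proposal matching on the responder side and also audits a policy against the guide's recommendation of AES with SHA2 256. The class and function names, and the classification of which algorithms count as weak, are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# DH group -> modulus length in bits, as listed in the guide's DH Group table.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}

# Which settings count as weak is this example's assumption. It follows the
# guide's note recommending AES and SHA2 256, and treats groups below 2048 bits
# as weak.
WEAK_ENCRYPTION = {"DES", "3DES", "BlowFish"}
WEAK_AUTH = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {1, 2, 5}


@dataclass
class IPsecPolicy:
    """A Phase 1 policy: up to three (encryption, authentication) pairs plus one DH group."""
    name: str
    combinations: List[Tuple[str, str]]
    dh_group: int
    key_life: int = 3600        # seconds, the guide's default
    rekey_margin: int = 120     # seconds, the guide's default

    def __post_init__(self) -> None:
        if not 1 <= len(self.combinations) <= 3:
            raise ValueError("a policy holds between one and three combinations")
        if self.dh_group not in DH_GROUP_BITS:
            raise ValueError(f"unknown DH group {self.dh_group}")


def select_combination(local: IPsecPolicy, remote: IPsecPolicy) -> Optional[Tuple[str, str]]:
    """Return the first local combination the remote peer also offers.

    The DH group cannot be switched during negotiation, so mismatched groups
    fail outright. None means the negotiation fails.
    """
    if local.dh_group != remote.dh_group:
        return None
    offered = set(remote.combinations)
    for combo in local.combinations:
        if combo in offered:
            return combo
    return None


def audit_policy(policy: IPsecPolicy) -> List[str]:
    """Return one finding per weak setting in the policy (empty list = clean)."""
    findings = []
    for enc, auth in policy.combinations:
        if enc in WEAK_ENCRYPTION:
            findings.append(f"{policy.name}: weak encryption algorithm {enc}")
        if auth in WEAK_AUTH:
            findings.append(f"{policy.name}: weak authentication algorithm {auth}")
    if policy.dh_group in WEAK_DH_GROUPS:
        bits = DH_GROUP_BITS[policy.dh_group]
        findings.append(f"{policy.name}: DH group {policy.dh_group} ({bits}-bit) is below 2048 bits")
    return findings


# Constructed sample policies (not from any real deployment).
HEAD_OFFICE = IPsecPolicy("head-office", [("AES256", "SHA2 256"), ("AES128", "SHA2 256")], dh_group=14)
BRANCH = IPsecPolicy("branch", [("AES128", "SHA2 256")], dh_group=14)
LEGACY = IPsecPolicy("legacy", [("3DES", "MD5")], dh_group=2)
WRONG_GROUP = IPsecPolicy("wrong-group", [("AES256", "SHA2 256")], dh_group=16)

if __name__ == "__main__":
    print("head-office <-> branch:", select_combination(HEAD_OFFICE, BRANCH))
    print("head-office <-> wrong-group:", select_combination(HEAD_OFFICE, WRONG_GROUP))
    for finding in audit_policy(LEGACY):
        print(finding)
```

The selection walks the local list in order, so the order in which you add combinations on this page expresses preference; a policy that still carries the MD5 default shows up in the audit output.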

Key Life

Specify the key life in terms of seconds. Key life is the amount of time that will be allowed to pass before the key expires.

Default: 3600 seconds

Re-Key Margin

Specify the re-key margin, set in terms of the remaining key life. The re-key margin is the time before key expiry at which the negotiation process should be started automatically without interrupting the communication.

For example, if Key Life is 8 hours and Re-key Margin is 10 minutes, the negotiation process will automatically start after 7 hours 50 minutes of key usage.

Default: 120 seconds

Randomize Re-Keying Margin By

Specify the randomize re-keying time.

For example, if Key Life is 8 hours, Re-Key Margin is 10 minutes and Randomize Re-Keying time is 20%, the re-key margin will be 8 to 12 minutes: the negotiation process will start automatically 8 minutes before key expiry and will try up to 2 minutes after key expiry.

Default: 0%
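The Key Life, Re-Key Margin and Randomize Re-Keying Margin fields above, together with the Tunnel Negotiation section, define when re-keying starts. The following is an added example, not code from the Sophos guide, that carries the arithmetic through for the guide's 8-hour/10-minute/20% example and for the page defaults. Function names are this example's own; the randomization is modelled as widening the margin by the given percentage in both directions, which is what the worked example in the text (8 to 12 minutes) describes.

```python
from typing import Tuple


def rekey_window(key_life_s: int, margin_s: int, randomize_pct: float = 0) -> Tuple[float, float]:
    """Return (earliest, latest) seconds after key establishment at which re-keying starts.

    With 0% randomization both values equal key_life_s - margin_s. With a
    percentage, the margin is varied by +/- that share of itself, so the
    earliest start uses the longest margin and the latest start the shortest.
    """
    if margin_s <= 0 or key_life_s <= 0:
        raise ValueError("key life and re-key margin must be positive")
    spread = margin_s * randomize_pct / 100
    longest_margin = margin_s + spread
    shortest_margin = margin_s - spread
    if longest_margin >= key_life_s:
        raise ValueError("re-key margin (with randomization) must be shorter than the key life")
    return (key_life_s - longest_margin, key_life_s - shortest_margin)


def seconds_until_rekey(key_life_s: int, margin_s: int, elapsed_s: int) -> float:
    """Time left before the next negotiation starts, as the guide describes it:
    the remaining key life (key life minus time since the last exchange) minus the margin."""
    remaining = key_life_s - elapsed_s
    return max(0, remaining - margin_s)


if __name__ == "__main__":
    # The guide's example: 8 hours key life, 10 minutes margin, 20% randomization.
    earliest, latest = rekey_window(8 * 3600, 10 * 60, 20)
    print(f"re-key starts between {earliest / 60:.0f} and {latest / 60:.0f} minutes after establishment")
    # Page defaults: 3600 s key life, 120 s margin, 0% randomization.
    print("defaults:", rekey_window(3600, 120))
    print("after 1 hour of an 8-hour key:", seconds_until_rekey(8 * 3600, 600, 3600), "s to re-key")
```

The window for the guide's example comes out as 7 h 48 min to 7 h 52 min after establishment, i.e. 8 to 12 minutes before the key expires; the raise on an over-long margin catches the configuration where the margin is so large relative to the key life that re-keying would start before the key is usable at all.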

Dead Peer Detection

Enable to check at regular intervals whether the peer is live.

Default: Enabled

Check Peer After Every (only if the Dead Peer Detection option is enabled)

Specify the time after which the peer should be checked for its status. Once the connection is established, the peer that initiated the connection checks whether the other peer is live.

Default: 30 seconds

Wait For Response Upto (only if the Dead Peer Detection option is enabled)

Specify how long (in seconds) the initiating peer should wait for the status response. If the response is not received within the specified time, the peer is considered to be inactive.

Default: 120 seconds

Action When Peer Unreachable (only if the Dead Peer Detection option is enabled)

Specify what action should be taken if the peer is not active.

Available Options:

• Hold - Holds the connection

• Disconnect - Closes the connection

• Re-initiate - Re-establishes the connection


Default: Disconnect

Figure 297: Phase 1
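To see how the three Dead Peer Detection fields interact (Check Peer After Every, Wait For Response Upto, Action When Peer Unreachable), the following is an added example, not code from the Sophos guide, that simulates the initiating peer's timers over a constructed set of reply times. The simulation is this example's own simplification: a status probe goes out every `check_every` seconds, a probe counts as answered only if a reply arrives within `wait_upto` seconds of it, and the peer is declared unreachable at the deadline of the first unanswered probe.

```python
from typing import Iterable, Optional, Tuple

# Actions the guide offers for an unreachable peer.
DPD_ACTIONS = ("Hold", "Disconnect", "Re-initiate")


def dpd_outcome(check_every: int, wait_upto: int, reply_times: Iterable[float],
                action: str, horizon: int) -> Tuple[Optional[float], Optional[str]]:
    """Simulate initiator-side DPD for `horizon` seconds after the tunnel comes up.

    Returns (time_declared_unreachable, action) for the first probe that gets no
    reply within wait_upto seconds, or (None, None) if every probe was answered.
    """
    if action not in DPD_ACTIONS:
        raise ValueError(f"unknown DPD action {action!r}")
    replies = sorted(reply_times)
    probe_at = check_every
    while probe_at <= horizon:
        deadline = probe_at + wait_upto
        answered = any(probe_at < r <= deadline for r in replies)
        if not answered:
            return (deadline, action)
        probe_at += check_every
    return (None, None)


# Constructed reply timelines (seconds after tunnel establishment), not captured data.
# The peer answers the probes at 30, 60 and 90 s and then goes silent.
SILENT_AFTER_90 = [31.0, 62.0, 93.0]
# A peer that answers every probe, one second after each.
ALWAYS_ANSWERS = [p + 1 for p in range(30, 601, 30)]

if __name__ == "__main__":
    # Page defaults: check every 30 s, wait up to 120 s, action Disconnect.
    print("silent peer:", dpd_outcome(30, 120, SILENT_AFTER_90, "Disconnect", 600))
    print("healthy peer:", dpd_outcome(30, 120, ALWAYS_ANSWERS, "Disconnect", 600))
```

With the page defaults, the probe at 120 s is the first to go unanswered, so the silent peer is declared unreachable at 240 s and the configured action fires; shortening Wait For Response Upto moves that point earlier but also turns a slow link into a false disconnect, which is the trade-off these two fields set.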

4. Specify the Phase 2 details.

Encryption Algorithm

Select the encryption algorithm that would be used by communicating parties for integrity of exchanged data for phase 2.

Supported encryption algorithms: DES, 3DES, AES128, AES192, AES256, TwoFish, BlowFish, and Serpent.

3DES – Triple DES is a symmetric strong encryption algorithm that is compliant with the OpenPGP standard. It is the application of DES standard where three keys are used in succession to provide additional security.

AES – Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 Bits. This security system supports a number of encryption algorithms.

Serpent – Serpent is a 128-bit block cipher, i.e. data is encrypted and decrypted in 128-bit chunks, with a variable key length of 128, 192, or 256 bits. The Serpent algorithm uses 32 rounds, or iterations, of the main algorithm.

Serpent is faster than DES and more secure than Triple DES.

BlowFish – BlowFish is a symmetric encryption algorithm which uses the same secret key to both encrypt and decrypt messages. It is also a block cipher, which divides a message into fixed-length blocks during encryption and decryption. It has a 64-bit block size, a key length of anywhere from 32 bits to 448 bits, and uses 16 rounds of the main algorithm.

TwoFish – TwoFish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.

Authentication Algorithm

Select an authentication algorithm that would be used by communicating parties for integrity of exchanged data for phase 2.

Supported Authentication algorithms: MD5, SHA1

A maximum of three combinations of encryption and authentication algorithms can be selected. The remote peer must be configured to use at least one of the defined combinations.

Click the icon to add more than one combination of encryption and authentication algorithms.

Default: MD5
