Slides - Global Technology Associates, Inc.

Transcription

Slides - Global Technology Associates, Inc.
REMOTE ACCESS IPSEC
Course 4002
5/14/2014
Global Technology Associates, Inc.
1
Remote Access Features
!
!
!
!
5/14/2014
Granular Network Access and Authorization based on groups and policies.
Windows, Linux, and MAC client support.
Windows – ShrewSoft Client
MAC – IPSecuritas
Linux – ShrewSoft IPSec Cleint
Client installer and configurations files downloaded from Remote Access
Portal or from the firewall Admin Interface
Includes ability to download iPhone IPSec Supports LDAP and Radius
Hybrid +Xauth Users
Global Technology Associates, Inc.
2
IPSec Tunnels Per Device
!
Number of IPSec Tunnels and Mobile Users connected are
based on each product.
5/14/2014
Global Technology Associates, Inc.
3
Requirements
!
!
!
!
!
!
GB-OS 5.3.1 or above Xauth support
GTA recommends you are always on the latest GB-OS
If your firewall is on v5.3 we will request you to upgrade.
Host OS for IPSec
Windows and Linux - Shrew Soft VPN Client
MAC - IPSecuritas IPSec Client 3.4 or above
iPhone/iPad OS 3 or 4.1 and above
User Access Permission for Remote Access to a GTA Firewall.
Client configuration files – downloadable from the firewall remote access
interface.
Signed Certificates –
IPsec Client – User.
Firewall VPN Certificate.
IPsec Client – permissions to run client on host
5/14/2014
Global Technology Associates, Inc.
4
Certificates
!
!
!
!
IPSec Clients connections using Xauth require both
firewall and the IPSec client have signed certificates.
GB-OS 5.3 and above supports the creation of signed
certificates using a CA created on the firewall.
All firewalls updated to GB-OS 5.3 will have a CA
created automatically. If no CA exists it can be
created in the Certificates Section and used to create
VPN and User Certificates.
For more information on Certificate management
please see GB-OS users Guide and VPN Option
Guide.
5/14/2014
Global Technology Associates, Inc.
5
Mobile IPSec Configuration Using XAuth
!
!
Enable and configure VPN Remote Access for IPSec in
[Configure -> VPN -> Remote Access -> IPSec]
Define a Group which has IPSec Enabled - [Configure ->
Accounts -> Groups]
If using Radius or LDAP Authentication you will need to select
LDAP or Radius group and enabled IPSec or create a group on
firewall which matches a user group on the LDAP server.
!
!
!
Define User, if not using LDAP or Radius. - [Configure ->
Accounts -> Users]
If using LDAP or Radius configure the Authentication in [Configure -> Accounts -> Authentication]
Configure Security Policies based on Corporate Policy.
5/14/2014
Global Technology Associates, Inc.
6
[Configure -> VPN -> Remote Access ->
IPSec]
Enable
Default – disabled
IPSec Object
Default – IPSec Mobile
Local Network Object
FW Network - Local
Pool Network
Name Server IP Address
Default – Pool-IPSec!
Pool of IP Address assigned to
GTA Default is 192.168.73.0/24 clients use Xauth
User Defined
DNS server(s) pushed to client.
Win Server IP Address
User Defined
5/14/2014
Global Technology Associates, Inc.
Allows dynamic connections to the
firewall.
Encryption method, and
authentication methods used for
Default
Protected
DynamicLocal
connections
to Networks.
the firewall
WINS server pushed to client.
7
[Configure -> VPN -> Remote Access -> IPSec]
Advanced
Advanced
Override Hostname
Blank
Allows an administrator to override default
firewall host name, which is configured in
Network Settings. Entry can be an IP
address or a fully qualified host name.
Local Identity
Default - Certificate
Firewalls Identity used for mobile VPN
client connections.
<IP Address>
<Domain>
<Email>
<Certificate>
Method
Hybrid + XAuth
Default
Requires User Login and Password
Pre-Shared Key
Unchecked
Requires Pre-shared Key only. Firewall local
identity must be IP address, Domain or Email
address.
RSA
Unchecked
Requires User has signed certificate
RSA + XAuth
Unchecked
Requires User has signed certificate and requires
User name and password.
LDAP
Unchecked
Enables LDAP users.
Radius
Unchecked
Enables Radius users.
Authentication
Hybrid + XAuth
5/14/2014
Global Technology Associates, Inc.
8
Advanced Login Banner
Login Banner
5/14/2014
Default - Disabled
Global Technology Associates, Inc.
Displays a User Defined login message to
XAuth clients connecting to the firewall.
9
Group Configuration
[Configure -> Accounts -> Groups]
Field
Default
Description
Disable
Unchecked
Disables the group.
Name
User Defined
Name used to reference the group for
permissions.
Unchecked
Enables IPSec Client connections for
the Group
Authentication Required
Unchecked
Local Network
Unchecked
User must authenticate using
GBAuth prior to establishing the
VPN.
Over ride for local networks defined
in [Configure -> VPN -> Remote
Access -> IPSec].
Mobile IPSec
Enable
Advanced
5/14/2014
Global Technology Associates, Inc.
10
Security Policies
[Configure -> Security Policies -> Policy Editor -> VPN -> IPSec]
5/14/2014
Global Technology Associates, Inc.
11
Manually Configure a User
Configure>Accounts>Users
5/14/2014
Global Technology Associates, Inc.
12
Manually Configure a User
Download Policy
5/14/2014
Global Technology Associates, Inc.
13
VPN Wizard
!
For users defined on the
firewall using the Set up
Wizard for Mobile clients
the firewall will prompt
to download the client
policy.
5/14/2014
Global Technology Associates, Inc.
14
Distributing the Client for Manually
defined users and LDAP or Radius Users
!
!
Open the Alternate
Port to download
the SSL Client
LDAP & Radius
requires the
Authentication
Option to be
enabled.
5/14/2014
Global Technology Associates, Inc.
15
Getting Installer and Client Policies From the Remote Access Portal
Login using the host name or IP address of the firewall on the specified port.
5/14/2014
Global Technology Associates, Inc.
16
IPSec Client Download
Client installers and configurations can be downloaded directly from the firewall interface.
Windows
MAC
Linux
iPhone
5/14/2014
Global Technology Associates, Inc.
17
Install Instructions
Available in Support Section of GTA Web Site
! Run installer for your specific OS.
! Linux
! Windows
! MAC
5/14/2014
Global Technology Associates, Inc.
18
Connecting with the Client Example
Open VPN Client software
Import the configuration files
or certificates (MAC).
Select the policy to use and
click connect
Enter Username and password
and click connect.
5/14/2014
Global Technology Associates, Inc.
19
Using Client"
!
Once the client is open
and connected the
firewall will assign an
IP Address from the
IPSec Pool to the client
and push routes to the
client for the local
networks to the client.
5/14/2014
Global Technology Associates, Inc.
20
Connections
IPSec Connections will display Type of IPSec
5/14/2014
Global Technology Associates, Inc.
21
Authenticated Users
!
!
!
!
!
!
Name: User Name configured
Groups – All Groups User is member of
Type – Type of Authentication, Should be in most cases IPSec
indicating the IPSec VPN
IP Address – Source IP User is coming from.
Active – How long client has been connected
Lease Duration – How long until client re-negotiate lease, and how
long the firewall reserves the lease.
5/14/2014
Global Technology Associates, Inc.
22
Special Case VPN configurations
!
!
!
!
!
!
Custom IPSec Objects /Encryption Objects
Hub & Spoke.
All Connections via VPN.
Over riding local networks for IPSec Groups.
iPhone VPN
Using Main Mode instead of Aggressive Mode
for Mobile Clients
5/14/2014
Global Technology Associates, Inc.
23
Custom Objects
!
!
5/14/2014
[Configure -> Objects -> Encryption Objects]
[Configure -> Objects -> IPSec Objects]
Global Technology Associates, Inc.
24
Hub & Spoke VPN Using Client
Mobile Client access resources via Site to Site IPSec
Tunnel after accessing the first firewall.
5/14/2014
Global Technology Associates, Inc.
25
Hub & Spoke VPN Using Client
Mobile IPSec Configuration
Firewalls IPSec Client configuration will contain both Local Network
and the Remote Network Reach able via the Site to Site Tunnel
5/14/2014
Global Technology Associates, Inc.
26
Hub & Spoke VPN Using Client
Hub Firewall - IPSec Site to Site Configuration
The IPSec Site to Site Configuration will reference an object which contains
Both mobile client and local network for the Hub firewall. Remote Firewall
will use both IPSec Client and Hub Firewall LAN as the remote networks.
5/14/2014
Global Technology Associates, Inc.
27
Hub & Spoke VPN Using Client
Remote Firewall - IPSec Site to Site Configuration
The IPSec Site to Site Configuration will reference an object which contains
Both mobile client and local network for the Hub firewall. Remote Firewall
will use both IPSec Client and Hub Firewall LAN as the remote networks.
5/14/2014
Global Technology Associates, Inc.
28
Forcing All Connections VIA VPN
5/14/2014
Global Technology Associates, Inc.
29
Forcing All Connections VIA VPN
!
!
Set the Local Network to be
ANY_IPv4.
Create IPSec and Pass Through
Policies to allow the client outbound
access. If you wish to allow client
access to the Internet via the
firewall.
5/14/2014
Global Technology Associates, Inc.
30
Connections
!
Connections will display
Incoming packets from IPSec client.
Outgoing NAT Packets
5/14/2014
Global Technology Associates, Inc.
31
Over riding Local Networks for IPSec
Clients
!
!
If corporate policies requires different Local
Networks based on user Groups for IPSec Access this
can be configured in the User Groups Mobile IPSec
Advanced Section
Create a new group and In Mobile IPSec Advance
enable Local Network ands Specify the Network to
use.
5/14/2014
Global Technology Associates, Inc.
32
Main Mode vs Aggressive Mode
!
Recommend configuration is to use Aggressive mode
for IPSec client connections. However, corporate
policy may require all IPSec VPN’s to use Main mode.
Main Mode – Hosts with Static IP Addresses
Aggressive Mode – Host with dynamic IP Addresses.
!
!
In this case a you need an IPSec Object using Main
mode.
Requirement – Using Main Mode for mobile clients
requires all IPSec clients to use certificates for the
VPN.
5/14/2014
Global Technology Associates, Inc.
33
Assigning IP Addresses Statically
!
!
Must use a User defined on the firewall.
User Must use an Authentication Method of
Pre-shared Key or Certificate.
5/14/2014
Global Technology Associates, Inc.
34
Client Address
!
!
5/14/2014
Client Address assigned is the first address in
the Pool that is available.
For some users this will be a #.#.#.0 address.
Global Technology Associates, Inc.
35
Shrew Client Options
!
Access Manager
Windows Style
!
VPN Connect
Minimize when
connected
Remember Login
Name
Automatic
Reconnect
!
5/14/2014
Software
Updates
Global Technology Associates, Inc.
36
Shrew Client Install Options
!
!
5/14/2014
Professional Edition – Paid
Standard Edition - Free
Global Technology Associates, Inc.
37
Shrew Client Professionals vs Standard
Standard
Professional
XAuth
Yes
Yes
Mode Config
Yes
Yes
Split Tunneling
Yes
Yes
Split DNS
No
Yes
AD / Domain Login
No
Yes
For more information on the Professional version to to https://
www.shrew.net/shop
5/14/2014
Global Technology Associates, Inc.
38
Trouble Shooting
Windows Wireless
5/14/2014
Global Technology Associates, Inc.
39
Shrew Client Configuration Issue
!
!
!
Policy generation level
must be unique.
If not set to unique it
may LOOK like client
connects to firewall
and not passing traffic.
If you are on latest
client and GB-OS this
is handle
automatically.
5/14/2014
Global Technology Associates, Inc.
40
Shrew Trace Utility
Shrew Soft VPN Trace Utility will allow an administrator to
gather additional client side logs from the client. These can be
compared with the GTA firewall logs.
5/14/2014
Global Technology Associates, Inc.
41
Firewall IPSec Error Logs
!
msg="IKE: Unable to aquire license
User Licenses has been reached for mobile IPSec
connections.
!
ETC….
5/14/2014
Global Technology Associates, Inc.
42
Client Log messages
!
invalid message from gateway
Firewall authentication / ID is different from what is
expected by the client. Check that [Configure -> VPN
-> Remote Access -> IPSec] section is different
!
Etc..
5/14/2014
Global Technology Associates, Inc.
43
References
!
http://www.lobotomo.com/products/IPSecuritas/
http://www.shrew.net/
!
Users Guides - https://www.gta.com/support/documents/
!
5/14/2014
Global Technology Associates, Inc.
44
If you require additional assistance or have
additional questions please contact GTA
Technical Support.
Email: support @gta.com
Phone: 1.407.482.6925
Free User Support –
▫ http://forum.gta.com
▫ Mailing List - gb-users@gta.com
5/14/2014
Global Technology Associates, Inc.
45