Slides - Global Technology Associates, Inc.
Transcription
Slide 1: REMOTE ACCESS IPSEC
Course 4002
5/14/2014 Global Technology Associates, Inc.

Slide 2: Remote Access Features
- Granular network access and authorization based on groups and policies.
- Windows, Linux, and MAC client support:
  Windows – ShrewSoft Client
  MAC – IPSecuritas
  Linux – ShrewSoft IPSec Client
- Client installer and configuration files are downloaded from the Remote Access Portal or from the firewall Admin Interface; this includes the ability to download the iPhone IPSec configuration.
- Supports LDAP and Radius Hybrid + Xauth users.

Slide 3: IPSec Tunnels Per Device
- The number of IPSec tunnels and connected mobile users depends on each product.

Slide 4: Requirements
- GB-OS 5.3.1 or above (Xauth support). GTA recommends that you always run the latest GB-OS; if your firewall is on v5.3 we will request that you upgrade.
- Host OS for IPSec:
  Windows and Linux - Shrew Soft VPN Client
  MAC - IPSecuritas IPSec Client 3.4 or above
  iPhone/iPad OS 3 or 4.1 and above
- User Access Permission for Remote Access to a GTA firewall.
- Client configuration files – downloadable from the firewall remote access interface.
- Signed certificates – IPsec client (user) certificate and firewall VPN certificate.
- IPsec client – permissions to run the client on the host.

Slide 5: Certificates
- IPSec client connections using Xauth require that both the firewall and the IPSec client have signed certificates.
- GB-OS 5.3 and above supports the creation of signed certificates using a CA created on the firewall.
- All firewalls updated to GB-OS 5.3 will have a CA created automatically. If no CA exists, it can be created in the Certificates section and used to create VPN and user certificates.
- For more information on certificate management, see the GB-OS User's Guide and the VPN Option Guide.

Slide 6: Mobile IPSec Configuration Using XAuth
- Enable and configure VPN Remote Access for IPSec in [Configure -> VPN -> Remote Access -> IPSec].
- Define a group which has IPSec enabled - [Configure -> Accounts -> Groups]. If using Radius or LDAP authentication you will need to select the LDAP or Radius group and enable IPSec, or create a group on the firewall which matches a user group on the LDAP server.
- Define users, if not using LDAP or Radius - [Configure -> Accounts -> Users].
- If using LDAP or Radius, configure the authentication in [Configure -> Accounts -> Authentication].
- Configure Security Policies based on corporate policy.

Slide 7: [Configure -> VPN -> Remote Access -> IPSec]
- Enable (default: disabled): Allows dynamic connections to the firewall.
- IPSec Object (default: IPSec Mobile): Encryption method and authentication methods used for dynamic connections to the firewall.
- Local Network Object (default: FW Network - Local): Default protected local networks.
- Pool Network (default: Pool-IPSec, 192.168.73.0/24): Pool of IP addresses assigned to clients that use Xauth.
- Name Server IP Address (user defined): DNS server(s) pushed to the client.
- Win Server IP Address (user defined): WINS server pushed to the client.

Slide 8: [Configure -> VPN -> Remote Access -> IPSec] Advanced
- Override Hostname (default: blank): Allows an administrator to override the default firewall host name, which is configured in Network Settings. The entry can be an IP address or a fully qualified host name.
- Local Identity (default: Certificate): The firewall's identity used for mobile VPN client connections. Choices: <IP Address>, <Domain>, <Email>, <Certificate>.
- Method:
  Hybrid + XAuth (default): Requires user login and password.
  Pre-Shared Key (unchecked): Requires a pre-shared key only. The firewall local identity must be an IP address, Domain or Email address.
  RSA (unchecked): Requires the user to have a signed certificate.
  RSA + XAuth (unchecked): Requires the user to have a signed certificate and requires a user name and password.
- LDAP (unchecked): Enables LDAP users.
- Radius (unchecked): Enables Radius users.
- Authentication (default: Hybrid + XAuth).

Slide 9: Advanced Login Banner
- Login Banner (default: disabled): Displays a user-defined login message to XAuth clients connecting to the firewall.

Slide 10: Group Configuration [Configure -> Accounts -> Groups]
- Disable (unchecked): Disables the group.
- Name (user defined): Name used to reference the group for permissions.
- Mobile IPSec Enable (unchecked): Enables IPSec client connections for the group.
- Advanced:
  Authentication Required (unchecked): The user must authenticate using GBAuth prior to establishing the VPN.
  Local Network (unchecked): Override for the local networks defined in [Configure -> VPN -> Remote Access -> IPSec].

Slide 11: Security Policies
[Configure -> Security Policies -> Policy Editor -> VPN -> IPSec]

Slide 12: Manually Configure a User
Configure > Accounts > Users

Slide 13: Manually Configure a User
Download Policy

Slide 14: VPN Wizard
- For users defined on the firewall using the Setup Wizard for mobile clients, the firewall will prompt to download the client policy.

Slide 15: Distributing the Client for Manually Defined Users and LDAP or Radius Users
- Open the Alternate Port to download the SSL client.
- LDAP and Radius require the Authentication option to be enabled.

Slide 16: Getting Installer and Client Policies From the Remote Access Portal
- Log in using the host name or IP address of the firewall on the specified port.

Slide 17: IPSec Client Download
- Client installers and configurations can be downloaded directly from the firewall interface.
- Platforms: Windows, MAC, Linux, iPhone.

Slide 18: Install Instructions
- Available in the Support section of the GTA web site.
- Run the installer for your specific OS: Linux, Windows, MAC.

Slide 19: Connecting with the Client (Example)
- Open the VPN client software.
- Import the configuration files or certificates (MAC).
- Select the policy to use and click Connect.
- Enter the user name and password and click Connect.

Slide 20: Using the Client
- Once the client is open and connected, the firewall will assign an IP address from the IPSec pool to the client and push routes for the local networks to the client.

Slide 21: Connections
- IPSec connections will display with a Type of IPSec.

Slide 22: Authenticated Users
- Name: the user name configured.
- Groups – all groups the user is a member of.
- Type – type of authentication; in most cases this should be IPSec, indicating the IPSec VPN.
- IP Address – source IP the user is coming from.
- Active – how long the client has been connected.
- Lease Duration – how long until the client renegotiates the lease, and how long the firewall reserves the lease.

Slide 23: Special Case VPN Configurations
- Custom IPSec Objects / Encryption Objects.
- Hub & Spoke.
- All connections via VPN.
- Overriding local networks for IPSec groups.
- iPhone VPN.
- Using Main Mode instead of Aggressive Mode for mobile clients.

Slide 24: Custom Objects
- [Configure -> Objects -> Encryption Objects]
- [Configure -> Objects -> IPSec Objects]

Slide 25: Hub & Spoke VPN Using Client
- The mobile client accesses resources via a site-to-site IPSec tunnel after connecting to the first firewall.
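As an added pre-flight check (example code written for this transcription, not GTA's or GB-OS's own tooling), the following Python encodes the constraints stated on the Certificates, Remote Access IPSec, Advanced, Group Configuration and Distributing the Client slides above and reports which of them a candidate configuration violates. The dictionary keys and the spelling of the method and identity values are assumptions chosen to mirror the slide tables; they are not GB-OS's configuration format, and the two sample configurations are constructed.

```python
"""Pre-flight check of a mobile IPSec (XAuth) configuration against the
constraints stated on the Certificates, Remote Access IPSec, Advanced,
Group Configuration and Distributing the Client slides.

Added illustration, not GTA or GB-OS code. The dictionary keys and the
spelling of method/identity values are assumptions mirroring the slide
tables, not GB-OS's real configuration format.
"""
from __future__ import annotations

import ipaddress

METHODS = {"Hybrid + XAuth", "Pre-Shared Key", "RSA", "RSA + XAuth"}
IDENTITIES = {"IP Address", "Domain", "Email", "Certificate"}


def check_mobile_ipsec(cfg: dict) -> list[str]:
    """Return one finding per violated rule; an empty list means no problems."""
    f: list[str] = []
    ra = cfg.get("remote_access_ipsec", {})

    # Remote Access IPSec slide: the feature is disabled by default.
    if not ra.get("enable", False):
        f.append("Remote Access IPSec is disabled (default) in [Configure -> VPN -> Remote Access -> IPSec]")

    # Pool defaults to 192.168.73.0/24; reject a malformed pool early.
    pool = ra.get("pool_network", "192.168.73.0/24")
    try:
        ipaddress.ip_network(pool, strict=True)
    except ValueError:
        f.append(f"Pool network {pool!r} is not a valid network")

    method = ra.get("method", "Hybrid + XAuth")         # Advanced slide default
    identity = ra.get("local_identity", "Certificate")  # Advanced slide default
    if method not in METHODS:
        f.append(f"Unknown authentication method {method!r}")
    if identity not in IDENTITIES:
        f.append(f"Unknown local identity {identity!r}")

    # Advanced slide: Pre-Shared Key needs an IP address, Domain or Email identity.
    if method == "Pre-Shared Key" and identity == "Certificate":
        f.append("Pre-Shared Key method: firewall local identity must be IP Address, Domain or Email, not Certificate")

    uses_xauth = "XAuth" in method
    uses_rsa = method.startswith("RSA")

    # Certificates slide: XAuth connections need signed certificates on the
    # firewall and on the client; Advanced slide: RSA methods need a user certificate.
    if (uses_xauth or uses_rsa) and not ra.get("firewall_certificate"):
        f.append("Firewall VPN certificate is required for XAuth/RSA methods")
    for u in cfg.get("users", []):
        if (uses_xauth or uses_rsa) and not u.get("certificate"):
            f.append(f"User {u['name']!r} has no signed certificate")
        if uses_xauth and not u.get("password"):
            f.append(f"User {u['name']!r} has no password but method {method} requires login")

    # Distributing the Client slide: LDAP/Radius need the Authentication option enabled.
    if (ra.get("ldap") or ra.get("radius")) and not cfg.get("authentication_enabled"):
        f.append("LDAP/Radius selected but the Authentication option is not enabled")

    # Configuration/Group slides: at least one enabled group must have Mobile IPSec enabled.
    groups = cfg.get("groups", [])
    if not any(g.get("mobile_ipsec_enable") and not g.get("disable") for g in groups):
        f.append("No enabled group has Mobile IPSec enabled in [Configure -> Accounts -> Groups]")

    # Group slide: a Local Network override must actually name a network.
    for g in groups:
        if g.get("local_network_override") and not g.get("local_network"):
            f.append(f"Group {g['name']!r} overrides Local Network but specifies none")
    return f


# Constructed sample configurations (not real firewall data).
GOOD = {
    "remote_access_ipsec": {"enable": True, "method": "Hybrid + XAuth",
                            "local_identity": "Certificate",
                            "firewall_certificate": "fw-vpn-cert"},
    "users": [{"name": "alice", "password": "x", "certificate": "alice-cert"}],
    "groups": [{"name": "vpn-users", "mobile_ipsec_enable": True}],
}
BAD = {
    "remote_access_ipsec": {"enable": True, "method": "Pre-Shared Key",
                            "local_identity": "Certificate", "ldap": True,
                            "firewall_certificate": "fw-vpn-cert"},
    "users": [],
    "groups": [{"name": "eng", "mobile_ipsec_enable": True,
                "local_network_override": True}],
}

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_mobile_ipsec(cfg) or "OK")
```

Run stand-alone, the script reports no findings for GOOD and three for BAD: the Pre-Shared Key method combined with a Certificate identity, LDAP selected without the Authentication option, and a group that enables the Local Network override without naming a network.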
Slide 26: Hub & Spoke VPN Using Client – Mobile IPSec Configuration
- The firewall's IPSec client configuration will contain both the local network and the remote network reachable via the site-to-site tunnel.

Slide 27: Hub & Spoke VPN Using Client – Hub Firewall IPSec Site to Site Configuration
- The IPSec site-to-site configuration will reference an object which contains both the mobile client network and the local network of the hub firewall.
- The remote firewall will use both the IPSec client network and the hub firewall LAN as its remote networks.

Slide 28: Hub & Spoke VPN Using Client – Remote Firewall IPSec Site to Site Configuration
- Same object references as on the hub side: the site-to-site configuration references an object containing both the mobile client network and the hub firewall's local network, and the remote firewall uses both the IPSec client network and the hub firewall LAN as its remote networks.

Slide 29: Forcing All Connections via VPN

Slide 30: Forcing All Connections via VPN
- Set the Local Network to ANY_IPv4.
- Create IPSec and Pass Through policies to allow the client outbound access, if you wish to allow client access to the Internet via the firewall.

Slide 31: Connections
- Connections will display incoming packets from the IPSec client and outgoing NAT packets.

Slide 32: Overriding Local Networks for IPSec Clients
- If corporate policy requires different local networks based on user groups for IPSec access, this can be configured in the user group's Mobile IPSec Advanced section.
- Create a new group and, in Mobile IPSec Advanced, enable Local Network and specify the network to use.

Slide 33: Main Mode vs Aggressive Mode
- The recommended configuration is to use Aggressive mode for IPSec client connections. However, corporate policy may require all IPSec VPNs to use Main mode.
  Main Mode – hosts with static IP addresses.
  Aggressive Mode – hosts with dynamic IP addresses.
- In this case you need an IPSec Object using Main mode.
- Requirement – using Main mode for mobile clients requires all IPSec clients to use certificates for the VPN.

Slide 34: Assigning IP Addresses Statically
- Must use a user defined on the firewall.
- The user must use an authentication method of Pre-shared Key or Certificate.

Slide 35: Client Address
- The client address assigned is the first address in the pool that is available.
- For some users this will be a #.#.#.0 address.

Slide 36: Shrew Client Options
- Access Manager: Windows Style.
- VPN Connect: Minimize when connected; Remember Login Name; Automatic Reconnect.
- Software Updates.

Slide 37: Shrew Client Install Options
- Professional Edition – paid.
- Standard Edition – free.

Slide 38: Shrew Client Professional vs Standard
- XAuth: Standard Yes, Professional Yes.
- Mode Config: Standard Yes, Professional Yes.
- Split Tunneling: Standard Yes, Professional Yes.
- Split DNS: Standard No, Professional Yes.
- AD / Domain Login: Standard No, Professional Yes.
- For more information on the Professional version go to https://www.shrew.net/shop

Slide 39: Troubleshooting
Windows Wireless

Slide 40: Shrew Client Configuration Issue
- The policy generation level must be unique.
- If it is not set to unique, it may look like the client connects to the firewall while it is not passing traffic.
- If you are on the latest client and GB-OS this is handled automatically.

Slide 41: Shrew Trace Utility
- The Shrew Soft VPN Trace Utility allows an administrator to gather additional client-side logs from the client. These can be compared with the GTA firewall logs.

Slide 42: Firewall IPSec Error Logs
- msg="IKE: Unable to aquire license" – the user license limit has been reached for mobile IPSec connections.
- Etc.

Slide 43: Client Log Messages
- invalid message from gateway – the firewall authentication / ID is different from what the client expects. Check the [Configure -> VPN -> Remote Access -> IPSec] section for what differs from the client policy.
- Etc.

Slide 44: References
- http://www.lobotomo.com/products/IPSecuritas/
- http://www.shrew.net/
- User's Guides - https://www.gta.com/support/documents/

Slide 45
If you require additional assistance or have additional questions, please contact GTA Technical Support.
Email: support@gta.com
Phone: 1.407.482.6925
Free User Support:
- http://forum.gta.com
- Mailing List - gb-users@gta.com
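As an added example tied to the Firewall IPSec Error Logs and Client Log Messages slides (illustration written for this transcription, not GTA or Shrew Soft code), the Python below matches log lines against the two messages quoted on those slides and attaches the slide's troubleshooting hint to each hit, then counts hits per message so that a burst of license failures or identity mismatches stands out when firewall and client logs are compared. The sample lines are constructed: only the quoted message fragments come from the slides; the timestamps, host names and the surrounding log layout (including the `ii :`/`!! :` client prefixes) are assumptions.

```python
"""Triage of IPSec log messages quoted on the Firewall IPSec Error Logs
and Client Log Messages slides.

Added illustration, not GTA or Shrew Soft code. Sample lines are
constructed; the log layout around the quoted fragments is assumed.
"""
import re
from collections import Counter

# Each rule: (name, pattern, hint drawn from the slides). The license
# pattern accepts the slide's "aquire" spelling as well as "acquire".
RULES = [
    ("license_limit",
     re.compile(r"IKE: Unable to ac?quire license", re.IGNORECASE),
     "Mobile IPSec user license limit reached; compare connected mobile "
     "users with the limit for this product (IPSec Tunnels Per Device)"),
    ("gateway_identity_mismatch",
     re.compile(r"invalid message from gateway", re.IGNORECASE),
     "Firewall authentication / identity differs from what the client "
     "policy expects; compare [Configure -> VPN -> Remote Access -> IPSec] "
     "with the downloaded client policy"),
]


def triage(line: str):
    """Return (rule_name, hint) for a recognised message, else None."""
    for name, pattern, hint in RULES:
        if pattern.search(line):
            return name, hint
    return None


def summarize(lines):
    """Count recognised messages per rule; unrecognised lines are skipped."""
    counts = Counter()
    for line in lines:
        hit = triage(line)
        if hit:
            counts[hit[0]] += 1
    return dict(counts)


# Constructed sample: two firewall lines and two client (trace utility) lines.
SAMPLE = [
    '2014-05-14 09:12:01 fw msg="IKE: Unable to aquire license User Licenses has been reached for mobile IPSec connections."',
    '2014-05-14 09:12:07 fw msg="IKE: Unable to acquire license User Licenses has been reached for mobile IPSec connections."',
    '14/05/14 09:13:40 ii : ike daemon, connecting',      # client line, not an error
    '14/05/14 09:13:41 !! : invalid message from gateway',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line) or "no rule matched", "<-", line)
    print(summarize(SAMPLE))
```

Run on the constructed sample, the script flags both firewall lines as license failures, the last client line as an identity mismatch, and leaves the informational client line unmatched.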