2 Replies Latest reply on Feb 2, 2010 8:53 AM by Mike

    Requesting assistance with VPN configuration for use with Macs

      PPTP doesn't fill our needs, so I'm looking for L2TP over IPSec or just a plain IPSec VPN, client to UTM. I've had some help from a few people, but still never gotten this to work (I always get a Phase 1 unable to authenticate error). All suggestions have been using IPSecuritas so far.


      Is there any chance McAfee could:

      - Work with Lobotomo to get a known good configuration documented for IPSecuritas?

      - Set up a step-by-step knowledge base document on how to set up the VPN to be compatible with the OS X built-in VPN client?


      It seems like this sort of client integration/evangelism would be an opportunity to raise awareness of the UTM line, and focus on a market niche where there aren't as many established go-to companies. It would also make it a lot easier for me to recommend UTM firewalls to my clients (we have deployed 9-10 already, but would be able to make the case to many more if this part of the configuration were a solved problem). I'm sure others would also be able to take advantage as well.

        • 1. Re: Requesting assistance with VPN configuration for use with Macs

          We have L2TP from a Windows NAT and iPhone to UTM working, in the lab. Hope to be releasing this soon.


          IPSecuritas to UTM basic configuration advice attached as a series of screen shots.


          Hopefully that'll get you over the line with other Mac clients as well.


          Regards

          tom

          • 2. Re: Requesting assistance with VPN configuration for use with Macs

            So we sort of got this working, with the following issues that prevent it from being used in our ideal fashion:


            - The remote host or network must be defined within the UTM. (The source network of the IPsec connection must be previously defined. Permitting access from the MC LAN is easy enough, but it is not practical or even possible to add all possible source networks. Defining the source network as anywhere breaks the connection. This apparent increase in security can be easily spoofed. Instead of increasing security, it complicates implementation and flexibility without adding any real security.)
            - Despite the settings mismatches all over the place, the connection works. (Clearly the UTM is not rigorous in its inspection of the phase proposal requests.)


            Here was the process:

            Configure UTM SG580:

            • Add Tunnel, Advanced.
            • Tunnel name: test (can be customized as desired)
            • Enabled tunnel: checked
            • Local interface: default gateway interface
            • Keying: Main mode
            • Local address: static IP address
            • Remote address: dynamic IP Address
            • Authentication: Preshared Secret
            • Require XAUTH authentication: unchecked
            • Local Endpoint Settings
                • Optional Endpoint ID: left blank
                • IP Payload Compression: disabled
                • Dead Peer Detection: disabled
                • Initiate Phase 1&2 rekeying: enabled
            • Remote Endpoint Settings
                • Required Endpoint ID: USERNAME (this is required and must match Local Identifier FQDN within IPSecuritas ID profile)
            • Phase 1 Settings
                • Key lifetime (sec): 3600
                • Rekey margin (sec): 600
                • Rekey fuzz (%): 100
                • Preshared secret: supersecretpassword (of course can be set to anything)
                • Phase 1 Proposal: 3DES-SHA-Diffie Hellman Group 2 (1024 bit)
            • Phase 2 Settings
                • Local Network: Select Network of LAN Switch A from pulldown. (Network of whichever switch port has been defined to be the LAN gateway within Network Setup.)
                • Remote Network: 192.168.17.0/24 (This can be set to support any remote network or host. Must match IPSecuritas Endpoint Mode and Network Address within IPSecuritas General.)
                • Add. The Local and Remote Network definitions must be added before moving on.
                • Key lifetime (sec): 3600
                • Phase 2 Proposal: 3DES-SHA
                • Perfect Forward Secrecy: enabled
                    • Diffie Hellman Group 2 (1024 bit)
                • Finish.
            • IPSec General Settings
                • Enable IPSec: enabled
                • IPSec MTU: 1400
                • Hide TOS: enabled
                • Submit


            Configure IPSecuritas profile:

            • General
                • Remote IPSec Device: Public IP Address of destination McAfee UTM endpoint.
                • Local Side
                    • Endpoint Mode: Network (can be set to host if UTM Remote Network was defined as host)
                    • Network Address: 192.168.17.0 (or host IP address, the local IP address of the machine initiating the IPsec tunnel)
                    • Network Mask (CIDR): 24
                • Remote Side
                    • Endpoint Mode: Network
                    • Network Address: 192.168.xxx.0 (destination network. LAN network address of the destination)
                    • Network Mask (CIDR): 24
            • Phase 1
                • Lifetime: 8 hours
                • DH Group: 1024 (2)
                • Encryption: 3DES
                • Authentication: SHA-1
                • Exchange Mode: Main
                • Proposal Check: Obey
                • Nonce Size: 16
            • Phase 2
                • Lifetime: 8 hours
                • PFS Group: 1024 (2)
                • Encryption: uncheck all but 3DES
                • Authentication: uncheck all but HMAC SHA-1
            • ID
                • Local Identifier: FQDN, USERNAME (Identifier must match Required Endpoint ID as set in McAfee UTM)
                • Remote Identifier: Address
                • Authentication Method: Preshared Key
                • Preshared Key: supersecretpassword (of course must match key set on UTM)
            • DNS
                • Leave domain specific DNS disabled
            • Options
                • Enable: IPSec DOI, SIT_IDENTITY_ONLY, Initial Contact, Request Certificate, Send Certificate, Unique SAs, IKE Fragmentation
                • Leave all other options disabled
                • NAT-T: Enable (if IPSecuritas machine is not within a NAT, set to disable)
                • Enable Connection Check: disabled
                • Action after connection timeout: Give up

            Message was edited by: Mike on 2/2/10 8:52:43 AM CST

            Message was edited by: Mike on 2/2/10 8:53:31 AM CST
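The two checklists above are, in effect, one IKE configuration written down twice, once per peer, and a Phase 1 authentication failure or an unexpectedly tolerated mismatch usually comes down to a value that differs between the two copies. The following script is an added example, not code from this thread, from McAfee or from Lobotomo: it holds both sides as plain dictionaries populated from the checklists (public IP and LAN prefix are constructed placeholders, since the thread elides them), normalises the lifetimes (the UTM takes seconds, IPSecuritas takes "8 hours"), and reports every parameter, identity, traffic selector and preshared key that does not line up. A second function flags the legacy algorithms in these proposals (3DES, SHA-1, DH group 2), which is worth knowing before reusing a 2010-era configuration. The dictionary layout and the function names `lifetime_seconds`, `compare_peers` and `weak_settings` are this example's own.

```python
# Added example (not from the thread, McAfee or Lobotomo): line up the IKE
# phase 1 / phase 2 settings of two IPsec peers and report what differs.
import ipaddress
import re

# Lifetime units as they appear in the two UIs; '' means a bare number of seconds.
_UNIT_SECONDS = {"": 1, "sec": 1, "second": 1, "min": 60, "minute": 60,
                 "h": 3600, "hr": 3600, "hour": 3600}


def lifetime_seconds(value):
    """Normalise a key lifetime given as 3600, '600 sec' or '8 hours' to seconds."""
    if isinstance(value, int):
        return value
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", value)
    if not m:
        raise ValueError(f"unparseable lifetime: {value!r}")
    unit = m.group(2).lower().rstrip("s")   # 'hours' -> 'hour', 's' -> ''
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unknown lifetime unit: {unit!r}")
    return int(m.group(1)) * _UNIT_SECONDS[unit]


# UTM SG580 side, taken from the first checklist (Phase 1: 3DES-SHA-DH group 2).
UTM = {
    "name": "UTM SG580",
    "phase1": {"exchange_mode": "main", "encryption": "3des", "hash": "sha1",
               "dh_group": 2, "lifetime_s": lifetime_seconds(3600)},
    "phase2": {"encryption": "3des", "auth": "hmac-sha1", "pfs_group": 2,
               "lifetime_s": lifetime_seconds(3600)},
    "local_id": ("address", "203.0.113.10"),   # placeholder public IP; Optional Endpoint ID left blank
    "remote_id": ("fqdn", "USERNAME"),         # Required Endpoint ID
    "local_net": "192.168.1.0/24",             # placeholder for the LAN behind switch A
    "remote_net": "192.168.17.0/24",
    "psk": "supersecretpassword",
}

# IPSecuritas side, taken from the second checklist (lifetimes entered as "8 hours").
CLIENT = {
    "name": "IPSecuritas",
    "phase1": {"exchange_mode": "main", "encryption": "3des", "hash": "sha1",
               "dh_group": 2, "lifetime_s": lifetime_seconds("8 hours")},
    "phase2": {"encryption": "3des", "auth": "hmac-sha1", "pfs_group": 2,
               "lifetime_s": lifetime_seconds("8 hours")},
    "local_id": ("fqdn", "USERNAME"),          # Local Identifier: FQDN, USERNAME
    "remote_id": ("address", "203.0.113.10"),  # Remote Identifier: Address (same placeholder)
    "local_net": "192.168.17.0/24",            # Network Address 192.168.17.0, CIDR 24
    "remote_net": "192.168.1.0/24",            # placeholder for the UTM LAN
    "psk": "supersecretpassword",
}

PHASE_KEYS = {
    "phase1": ("exchange_mode", "encryption", "hash", "dh_group", "lifetime_s"),
    "phase2": ("encryption", "auth", "pfs_group", "lifetime_s"),
}


def compare_peers(a, b):
    """Return a list of human-readable mismatches between two peer definitions."""
    findings = []
    for phase, keys in PHASE_KEYS.items():
        for key in keys:
            va, vb = a[phase].get(key), b[phase].get(key)
            if va != vb:
                findings.append(f"{phase} {key}: {a['name']}={va} vs {b['name']}={vb}")
    # The ID one side requires of its peer must be the ID the other side presents.
    for x, y in ((a, b), (b, a)):
        if x["remote_id"] != y["local_id"]:
            findings.append(f"identity: {x['name']} expects {x['remote_id']} "
                            f"but {y['name']} presents {y['local_id']}")
    # Traffic selectors must mirror each other exactly (local on one side = remote on the other).
    for x, y in ((a, b), (b, a)):
        if ipaddress.ip_network(x["local_net"]) != ipaddress.ip_network(y["remote_net"]):
            findings.append(f"selector: {x['name']} local {x['local_net']} vs "
                            f"{y['name']} remote {y['remote_net']}")
    if a["psk"] != b["psk"]:
        findings.append("preshared key differs")   # the usual cause of a phase 1 auth failure
    return findings


_WEAK = {"des": "single DES", "3des": "3DES (64-bit block)", "md5": "MD5",
         "sha1": "SHA-1", "hmac-sha1": "HMAC-SHA-1"}


def weak_settings(peer):
    """Flag legacy algorithms and sub-2048-bit DH groups in a peer's proposals."""
    notes = []
    for phase in PHASE_KEYS:
        for key, value in peer[phase].items():
            if isinstance(value, str) and value.lower() in _WEAK:
                notes.append(f"{phase} {key}: {_WEAK[value.lower()]} is deprecated")
            if key in ("dh_group", "pfs_group") and value in (1, 2, 5):
                notes.append(f"{phase} {key}: DH group {value} is below 2048 bits")
    return notes


if __name__ == "__main__":
    for line in compare_peers(UTM, CLIENT) + weak_settings(UTM):
        print(line)
```

Run against the two checklists as written, the only mismatches are the Phase 1 and Phase 2 lifetimes (3600 s on the UTM against 28800 s in IPSecuritas), which is consistent with the observation above that the tunnel comes up despite settings that do not agree; anything the checker reports under "identity" or "preshared key" is the first place to look when Phase 1 fails to authenticate.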