15 Replies. Latest reply on Jul 14, 2011 2:04 AM by Nishant Shah

    Basic VPN Configuration help

      Greetings all! I'm trying to set up a very basic VPN on our Sidewinder and I cannot seem to get it working for the life of me. I'm hoping that perhaps one of you may be able to assist me.

      As it says in the title, I am trying to set up a very basic VPN where any employee outside the network can VPN in using only a password. While not the most secure, it is the way our current PIX operates, and we are trying to replicate it on the Sidewinder so that we can replace the PIX.

      I have my VPN definition set up, and I am attempting to use a client address pool. I do not know what is hanging it up, but I believe that it is a rule or service that is either missing or misconfigured.

      Does anyone use a similar configuration who might be able to help me out?

      I'd be happy to respond to any questions any of you may have.

      Thank you.

      Message was edited by: jk2010 on 4/19/10 7:59:23 AM CDT
        • 1. Re: Basic VPN Configuration help
          oreeh

          What you need:

          • IPsec SA
          • configured remote IDs
          • configured IP pool
          • isakmp policy rule

          The following example works with Sidewinder 7 and the Softremote client.

          1. IPsec SA (using 3DES and SHA1):
            cf ipsec add name=Clients type=password encapsulation=tunnel active=1 authalgorithm=sha1 burb=internal encryptalgorithm=3des fwauthmethod=password ippoolid=VPN options=INITIAL_CONTACT p1auth=sha1 p1crypt=3des p1exchange=AGGRESSIVE_MODE p1oakly=5,2,1 remotegw=dynamic version=1 ids=client1,client2,client3 password=test1234
          2. IDs:
            cf cert add id name=client1 email=user1@yourdomain.com
            cf cert add id name=client2 email=user2@yourdomain.com
            cf cert add id name=client3 email=user3@yourdomain.com
          3. Pool:
            cf pool add address name=VPN intranets=192.168.0.0/16 netaddress=10.10.0.0/24
            Optional: create a static pool mapping using the above IDs.
          4. isakmp rule (I prefer it to be the first rule):
            cf policy add table=rule name=ikmpd rulegroup='' pos=1 action=allow dest=YOUR.EXTERNAL.FIREWALL.IP dest_burbs=burb:external service=service:isakmp source='*' source_burbs=burb:external

          Make sure the clients are configured to use the remote-IDs you've configured on the firewall.
          Also make sure the remote-IDs are unique.

          Oliver

          • 2. Re: Basic VPN Configuration help

            Oliver,

            Thanks so much for the reply. I do have some questions for you.

            1. I was told that my VPN peers can use the built-in VPN client for Windows to connect to the Sidewinder's VPN. I see that you mentioned Softremote; we do not have that. We are trying to connect via the Windows built-in VPN software. Does that present any problems?

            2. The configuration you showed was very similar to what I am trying to use, but when my clients are attempting to connect to the VPN they are coming in via the PPTP port. From what you show, that looks like it isn't supposed to happen.

            3. Remote IDs: I'll admit that I am only somewhat familiar with these. I get what they are supposed to do and all that. My issue is that I don't have to set this up on my PIX to get people to connect, so why would it be needed on the Sidewinder? How can I set one up for every user in my domain? And I see that you are using the command "cf cert"; is that supposed to be creating a certificate for every remote user? I'm just curious because I have hundreds of people that could be using the VPN and I can't be doing that for each of them, not to mention the fact that I would have to have them load the certs on their remote machines, correct? I don't think my company would go for anything like that. They just want to be able to give one password out to everyone and have them use that to get in.

            I really appreciate the response and assistance. I feel like I'm in a bit of a bind because it sounds like the VPN can't be configured the way my management claims that the sales people told them it could (without any 3rd-party software, and access using only a password).

            Thanks again!

            • 3. Re: Basic VPN Configuration help

              I guess maybe I can narrow it down a bit...

              Two issues:

              1. CAN I even use the Windows built-in VPN software to connect to a Sidewinder 7.x VPN?

              2. How can I configure a remote identity that can be shared by 200 people? (i.e. is there a way to cheat by creating a single client cert that all of the multiple users can share?)

              I guess those might be a better place to start.

              Thank you.

              • 4. Re: Basic VPN Configuration help
                oreeh

                > 1. I was told that my VPN peers can use the built-in VPN client for Windows to connect to the Sidewinder's VPN. I see that you mentioned Softremote; we do not have that. We are trying to connect via the Windows built-in VPN software. Does that present any problems?

                The built-in Windows client doesn't work, as it doesn't support standard IPsec.

                > 2. The configuration you showed was very similar to what I am trying to use, but when my clients are attempting to connect to the VPN they are coming in via the PPTP port. From what you show, that looks like it isn't supposed to happen.

                That's the problem (PPTP; see above).

                > 3. Remote IDs: I'll admit that I am only somewhat familiar with these. I get what they are supposed to do and all that. My issue is that I don't have to set this up on my PIX to get people to connect, so why would it be needed on the Sidewinder? How can I set one up for every user in my domain? And I see that you are using the command "cf cert"; is that supposed to be creating a certificate for every remote user? I'm just curious because I have hundreds of people that could be using the VPN and I can't be doing that for each of them, not to mention the fact that I would have to have them load the certs on their remote machines, correct? I don't think my company would go for anything like that. They just want to be able to give one password out to everyone and have them use that to get in.

                Remote-IDs are required
                - for the pool to work
                - to distinguish different remote users (unless you want to create individual IPsec SAs, using different passwords, for every single client)

                I'm not sure what type of VPN the PIX does, so I can't comment on that.

                The cf cert command can be used to create certificates and IDs (not sure why SCC / McAfee never split that command in two).

                When using a password-based VPN, the remote ID (besides the remote IP, which probably is dynamic anyway) is the only way to distinguish the clients.
                This is not needed when using certificates, since the certificate's CN is unique.

                Regarding the client software:
                Almost every standard IPsec-compatible client should work (the Windows built-in client and the Cisco IPsec client don't work).
                When using the Safenet (Softremote) client you can easily create a policy file for your users to ease the deployment and configuration (your users only have to import it).
                I suggest you get an eval version of the client and give it a try.

                > I feel like I'm in a bit of a bind because it sounds like the VPN can't be configured the way my management claims that the sales people told them it could

                Sales people ...

                • 5. Re: Basic VPN Configuration help
                  oreeh

                  > 2. How can I configure a remote identity that can be shared by 200 people? (i.e. is there a way to cheat by creating a single client cert that all of the multiple users can share?)

                  You can't, since remote-IDs need to be unique (you can of course script it).
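
                  Oliver's remark that the unique remote-IDs can be scripted, as an added example that is not from this thread or from McAfee: a POSIX shell dry-run generator that turns a user list into the cf cert add id lines and the ids= value for the IPsec SA from reply 1, and refuses to emit anything if two logins collide (a duplicate remote-ID breaks the pool). The user list, the yourdomain.com addresses and the CHANGEME password are constructed placeholders; the script only prints commands and never runs cf.

```shell
#!/bin/sh
# Dry-run generator: prints Sidewinder "cf" commands, never executes them.
# Constructed sample user list (assumption): "login email", one per line.
USERS='jdoe jdoe@yourdomain.com
asmith asmith@yourdomain.com
bwong bwong@yourdomain.com'

# One "cf cert add id" line per user, syntax as in reply 1.
gen_id_cmds() {            # $1 = user list text
    printf '%s\n' "$1" | while read -r login email; do
        [ -n "$login" ] || continue
        printf 'cf cert add id name=%s email=%s\n' "$login" "$email"
    done
}

# Comma-separated ids= value for the IPsec SA. Remote-IDs must be unique
# for the pool to work, so a duplicate login aborts with status 1.
gen_ids_list() {           # $1 = user list text
    printf '%s\n' "$1" | awk '
        NF == 0 { next }
        ($1 in seen) { print "duplicate remote-ID: " $1 > "/dev/stderr"; bad = 1; exit 1 }
        { seen[$1] = 1; list = list (list ? "," : "") $1 }
        END { if (bad) exit 1; print list }'
}

# Full SA command from reply 1 with the generated ids= list; the shared
# password is a placeholder to be replaced before use.
gen_sa_cmd() {             # $1 = user list text
    list=$(gen_ids_list "$1") || return 1
    printf '%s %s ids=%s password=CHANGEME\n' \
        'cf ipsec add name=Clients type=password encapsulation=tunnel active=1 authalgorithm=sha1 burb=internal' \
        'encryptalgorithm=3des fwauthmethod=password ippoolid=VPN options=INITIAL_CONTACT p1auth=sha1 p1crypt=3des p1exchange=AGGRESSIVE_MODE p1oakly=5,2,1 remotegw=dynamic version=1' \
        "$list"
}

gen_id_cmds "$USERS"
gen_sa_cmd "$USERS"
```

Feed it the real user export instead of the constructed list and review the printed commands before pasting them into the firewall.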

                  • 6. Re: Basic VPN Configuration help

                    Oliver,

                    Thanks so much for your help. This is exactly what I thought was happening. Unfortunately the only two VPN clients I have at my disposal are the Windows VPN client and the Cisco VPN client. I'd love to do an eval of Softremote, but I think it would be a bit useless in the end, as there is no way my company is going to lay out additional funds to buy licenses for a product that will just end up giving them the same functionality that they already have (an operational VPN), especially if the prices are what they appeared to be: $600 per client? No ty, lol.

                    But anyways, thanks a bunch for your help. I greatly appreciate it. I had a feeling where the problems were, and you've confirmed it for me.

                    Thanks.

                    • 7. Re: Basic VPN Configuration help
                      oreeh

                      I'd try to "convince" the "sales people" to supply the client at no extra cost.

                      • 8. Re: Basic VPN Configuration help

                        There are a few 'free' IPsec VPN clients that work great.

                        ShrewSoft (http://www.shrew.net/download) has a client for Windows and Linux.

                        I have attached a document outlining how to set it up with the McAfee Firewall Enterprise (Sidewinder).

                        Good luck!

                        Dave

                        • 9. Re: Basic VPN Configuration help

                          Dave,

                          Thanks so much for the input! I had actually just downloaded that software myself. Thanks very much for the guide. That's a big help!