Virtual Private Networking
The Phase 2 proposal wanted. The line ESP algorithms wanted reads 3_000-2; pfsgroup=2. The 3_000 refers to cipher 3DES (where 3DES has an id of 3, see Phase 2 Ciphers Loaded), the 2 refers to hash SHA1 or SHA (where SHA1 has an id of 2, see Phase 2 Hashes Loaded) and pfsgroup=2 refers to Diffie Hellman Group 2 for Perfect Forward Secrecy (where Diffie Hellman Group 2 has an id of 2).
Negotiation State
Reports what stage of the negotiation process the tunnel is in. In this example it has initiated and sent the first aggressive mode packet (AI1) and is expecting its response (AR1), as shown in the line STATE_AGGR_I1 (sent AI1, expecting AR1). Once Phase 1 has been successfully negotiated, the status will include the line ISAKMP SA established. Once Phase 2 has been successfully negotiated, the status will read IPSec SA established. The tunnel is then established and running.
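The two status lines above can be decoded mechanically. The following is an added example, not code from the manual or the appliance: it splits the ESP proposal string into its cipher, key length, hash and PFS group fields and maps the Negotiation State line to a phase. It assumes the FreeS/WAN-style notation the manual's strings follow, <cipher-id>_<key-bits>-<hash-id>; pfsgroup=<dh-group-id>, with a key length of 000 meaning the cipher's default; the ids 3DES = 3, SHA1 = 2 and DH group 2 = 2 come from the manual, while AES = 12, MD5 = 1 and HMAC-SHA2-256 = 5 are the IANA ESP/AH transform ids added here, and the STATE_MAIN_* / STATE_QUICK_* names are assumed to follow the same convention as STATE_AGGR_I1. The "legacy" check at the end applies the example's own policy, not the manual's.

```shell
# Added example (not the manual's or the product's code): decode the
# "ESP algorithms wanted" and "Negotiation State" lines of the tunnel status.
# Assumed notation: <cipher-id>_<key-bits>-<hash-id>; pfsgroup=<dh-group-id>,
# where key-bits 000 means the cipher's default length. Ids 3 (3DES), 2 (SHA1)
# and DH group 2 are from the manual; 12 (AES), 1 (MD5) and 5 (HMAC-SHA2-256)
# are the IANA transform ids and are added here.

cipher_name() {
    case "$1" in
        3)  echo 3DES ;;
        12) echo AES ;;
        *)  echo "cipher-id-$1" ;;   # id not in the manual's table
    esac
}

hash_name() {
    case "$1" in
        1) echo MD5 ;;
        2) echo SHA1 ;;
        5) echo SHA2-256 ;;
        *) echo "hash-id-$1" ;;
    esac
}

# decode_esp_proposal '3_000-2; pfsgroup=2'
# prints: cipher=3DES keybits=default hash=SHA1 pfsgroup=2
decode_esp_proposal() {
    algs=$(printf '%s' "${1%%;*}" | tr -d ' ')          # "3_000-2"
    cipher_id=${algs%%_*}                                # "3"
    rest=${algs#*_}                                      # "000-2"
    keybits=$(printf '%s' "${rest%%-*}" | sed 's/^0*//') # "000" -> "" (default)
    [ -n "$keybits" ] || keybits=default
    hash_id=${rest#*-}                                   # "2"
    pfs=none
    case "$1" in
        *pfsgroup=*) pfs=$(printf '%s' "${1#*pfsgroup=}" | tr -d ' ') ;;
    esac
    printf 'cipher=%s keybits=%s hash=%s pfsgroup=%s\n' \
        "$(cipher_name "$cipher_id")" "$keybits" "$(hash_name "$hash_id")" "$pfs"
}

# Map a Negotiation State line to the phase it belongs to. STATE_AGGR_I1 is the
# manual's example; the other names are assumed to follow the same convention
# (MAIN = main mode, QUICK = Phase 2, I/R = initiator/responder).
decode_state() {
    case "$1" in
        *"ISAKMP SA established"*)                          echo phase1-complete ;;
        *"IPSec SA established"*|*"IPsec SA established"*)  echo phase2-complete ;;
        STATE_MAIN_I*|STATE_AGGR_I*)                        echo phase1-initiator-in-progress ;;
        STATE_MAIN_R*|STATE_AGGR_R*)                        echo phase1-responder-in-progress ;;
        STATE_QUICK_I*)                                     echo phase2-initiator-in-progress ;;
        STATE_QUICK_R*)                                     echo phase2-responder-in-progress ;;
        *)                                                  echo unknown ;;
    esac
}

# Returns 0 when the proposal uses algorithms that are weak by current guidance
# (3DES, MD5 or SHA1 integrity, DH group 1 or 2). This policy is the example's,
# not the manual's; the manual's own example proposal trips all three checks.
proposal_is_legacy() {
    decoded=$(decode_esp_proposal "$1")
    case "$decoded" in
        "cipher=3DES "*|*" hash=MD5 "*|*" hash=SHA1 "*|*" pfsgroup=1"|*" pfsgroup=2") return 0 ;;
        *) return 1 ;;
    esac
}
```

Feed it the status line verbatim, e.g. decode_esp_proposal '3_000-2; pfsgroup=2'; proposal_is_legacy is meant for a periodic status check that flags tunnels still negotiating the manual-era defaults.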
Enable/disable
One or more tunnels can be enabled or disabled by checking the checkbox to the right of the tunnel and clicking Enable or Disable under the Tunnel List menu.
Delete
One or more tunnels can be deleted by checking the checkbox to the right of the tunnel and clicking Delete under the Tunnel List menu.
NAT Traversal Support
NAT Traversal allows tunnels to be established when the IPSec endpoints reside behind NAT devices. If any NAT devices are detected, the NAT Traversal feature is used automatically. It cannot be configured manually on the CyberGuard SG appliance.
Dynamic DNS Support
Internet Service Providers generally charge higher fees for static IP addresses than for dynamic IP addresses when connecting to the Internet. The CyberGuard SG appliance can reduce costs since it allows tunnels to be established with both IPSec endpoints having dynamic IP addresses. The two endpoints must, however, be CyberGuard SG appliances and at least one end must have dynamic DNS enabled. The CyberGuard SG appliance supports a number of dynamic DNS providers. When configuring the tunnel, select the DNS hostname address type for the IPSec endpoint that has dynamic DNS support and enable Dead Peer Detection. If the IP address of the CyberGuard SG appliance's DNS hostname changes, the tunnel will automatically renegotiate and re-establish.
Certificate Management
X.509 Certificates can be used to authenticate IPSec endpoints during tunnel negotiation for Automatic Keying. The other methods are Preshared Secrets and RSA Digital Signatures.
Certificates need to be uploaded to the CyberGuard SG appliance before they can be used in a tunnel. Certificates have time durations in which they are valid. Ensure that the certificates uploaded are valid and that the Date and Time settings have been set correctly on the CyberGuard SG appliance.
The CyberGuard SG appliance only supports certificates in base64 PEM or binary DER format. Some Certificate Authorities (CAs) distribute certificates in a PKCS#12 format file, and the CA, local public key and private key certificates must be extracted or created before uploading them into the CyberGuard SG appliance.
Extracting certificates
Use the openssl application tool on the CyberGuard SG Installation CD to extract these certificates (ensure the cygwin1.dll library is in the same directory as the openssl application).
To extract the CA certificate, enter the following at the Windows command prompt:
openssl pkcs12 -nomacver -cacerts -nokeys -in pkcs12_file -out ca_certificate.pem
where pkcs12_file is the PKCS#12 file issued by the CA and ca_certificate.pem is the CA certificate to be uploaded into the CyberGuard SG appliance. The application will prompt you to Enter Import Password. Enter the password used to create the certificate. If none was used, simply press enter.
To extract the local public key certificate, enter the following at the Windows command prompt:
openssl pkcs12 -nomacver -clcerts -nokeys -in pkcs12_file -out local_certificate.pem
where pkcs12_file is the PKCS#12 file issued by the CA and local_certificate.pem is the local public key certificate to be uploaded into the CyberGuard SG appliance. The application will prompt you to Enter Import Password. Enter the password used to create the certificate. If none was used, simply press enter.
To extract the local private key certificate, enter the following at the Windows command prompt:
openssl pkcs12 -nomacver -nocerts -in pkcs12_file -out local_private_key.pem
where pkcs12_file is the PKCS#12 file issued by the CA and local_private_key.pem is the local private key certificate to be uploaded into the CyberGuard SG appliance. The application will prompt you to Enter Import Password. Enter the password used to create the certificate. If none was used, simply press enter. The application will also prompt you to Enter PEM pass phrase, which is the pass phrase used to secure the private key file. Choose a secure pass phrase that is greater than 4 characters long; this will be the same pass phrase entered when uploading the private key certificate into the CyberGuard SG appliance. The application will then prompt you to verify the pass phrase. Simply type it in again.
The CyberGuard SG appliance also supports Certificate Revocation List (CRL) files. A CRL is a list of certificates that have been revoked by the CA before they expired. This may be necessary if the private key certificate has been compromised or if the holder of the certificate is to be denied the ability to establish a tunnel to the CyberGuard SG appliance.
Creating certificates
The first thing necessary is to create a Certificate Authority (CA).
1. Create the CA directory:
mkdir rootCA
2. Create the serial number for the first certificate:
echo 01 > rootCA/serial
3. Create an empty CA database file:
Linux:
touch rootCA/index.txt
Windows:
type nul > rootCA/index.txt
4. Create the self-signed root CA certificate:
openssl req -config openssl.cnf -new -x509 -keyout rootCA/ca.key -out rootCA/ca.pem -days DAYS_VALID -nodes
where DAYS_VALID is the number of days the root CA is valid for. Remove the -nodes option if you want to use a password to secure the CA key.
For each certificate you wish to create, there are two steps:
1. Create the certificate request:
openssl req -config openssl.cnf -new -keyout cert1.key -out cert1.req
Enter a PEM pass phrase (this is the same pass phrase required when you upload the key to the CyberGuard SG appliance) and then the certificate details. All but the Common Name are optional and may be omitted.
2. Sign the certificate request with the CA:
openssl ca -config openssl.cnf -out cert1.pem -notext -infiles cert1.req
Then you will have a certificate/key pair, cert1.pem and cert1.key, ready to use in the CyberGuard SG appliance. For each certificate required, change the cert1.* filenames appropriately.
Using certificates with Windows IPSec
To create certificates to use with IPSec on a Windows system, first follow the previous instructions on creating and then signing a certificate request. Then the key, client certificate and CA certificate must all be bundled together into a PKCS12 file:
openssl pkcs12 -export -inkey cert1.key -in cert1.pem -certfile rootCA/ca.pem -out cert1.p12 -name "Certificate 1"
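The whole certificate workflow in this chapter (creating the CA, signing a request, bundling into PKCS#12, extracting the three PEM files with the pkcs12 commands from "Extracting certificates", and the CRL case from "Certificate Management") can be exercised in one non-interactive script. The following is an added example, not the manual's or the product's code, and it runs against a scratch directory rather than the appliance. It assumes pass phrases are passed with -passin/-passout instead of typed at the prompts, that the minimal openssl.cnf it writes stands in for the openssl.cnf on the Installation CD, and that the subject names and pass phrases are placeholders.

```shell
# Added example (not the manual's or the product's code): the manual's
# certificate workflow end to end, non-interactively, in a scratch directory:
# build a root CA with openssl req/ca, issue cert1, bundle key+cert+CA into a
# PKCS#12 file, extract the three PEMs with the manual's pkcs12 commands, check
# they belong together, then revoke cert1 and show a CRL-checking verifier
# rejects it. Assumptions: pass phrases come via -passin/-passout instead of
# the prompts; the minimal openssl.cnf below is written for this example (the
# manual's own openssl.cnf ships on the product CD); names are placeholders.

write_ca_config() {
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = rootCA
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
serial           = $dir/serial
default_days     = 365
default_md       = sha256
policy           = policy_cn
x509_extensions  = usr_cert
[ policy_cn ]
commonName       = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
}

# Steps 1-4 of "Creating certificates": directory, serial, empty database, root cert.
make_root_ca() {
    mkdir -p rootCA/newcerts &&
    echo 01 > rootCA/serial &&
    : > rootCA/index.txt &&
    openssl req -config openssl.cnf -new -x509 -keyout rootCA/ca.key \
        -out rootCA/ca.pem -days 3650 -nodes -subj /CN=ExampleRootCA
}

# Request and sign one certificate; $2 is the PEM pass phrase protecting $1.key,
# the one the appliance asks for when the key is uploaded.
issue_cert() {
    openssl req -config openssl.cnf -new -keyout "$1.key" -out "$1.req" \
        -passout "pass:$2" -subj "/CN=$1" &&
    openssl ca -config openssl.cnf -batch -notext -out "$1.pem" -infiles "$1.req"
}

# Bundle key, client cert and CA cert into a PKCS#12 file ($3 = export password).
bundle_pkcs12() {
    openssl pkcs12 -export -inkey "$1.key" -passin "pass:$2" -in "$1.pem" \
        -certfile rootCA/ca.pem -out "$1.p12" -name "Certificate 1" -passout "pass:$3"
}

# The manual's three extraction commands ($2 = import password, $3 = new PEM
# pass phrase that protects local_private_key.pem).
extract_pkcs12() {
    openssl pkcs12 -nomacver -cacerts -nokeys -in "$1" -passin "pass:$2" -out ca_certificate.pem &&
    openssl pkcs12 -nomacver -clcerts -nokeys -in "$1" -passin "pass:$2" -out local_certificate.pem &&
    openssl pkcs12 -nomacver -nocerts -in "$1" -passin "pass:$2" -passout "pass:$3" -out local_private_key.pem
}

# Checks before uploading: the local cert chains to the extracted CA cert and
# the extracted private key matches the local cert's public key.
verify_extracted() {
    openssl verify -CAfile ca_certificate.pem local_certificate.pem >/dev/null &&
    cert_pub=$(openssl x509 -in local_certificate.pem -noout -pubkey) &&
    key_pub=$(openssl pkey -in local_private_key.pem -passin "pass:$1" -pubout) &&
    [ "$cert_pub" = "$key_pub" ]
}

# Revoke $1, publish a CRL, and confirm a CRL-checking verifier now rejects it.
revoke_and_check() {
    openssl ca -config openssl.cnf -revoke "$1.pem" &&
    openssl ca -config openssl.cnf -gencrl -crldays 30 -out rootCA/crl.pem &&
    cat rootCA/ca.pem rootCA/crl.pem > ca_and_crl.pem &&
    out=$(openssl verify -crl_check -CAfile ca_and_crl.pem "$1.pem" 2>&1 || true) &&
    printf '%s\n' "$out" | grep -q 'certificate revoked'
}

# Whole flow in a scratch directory; returns 0 only if every step and check passed.
pkcs12_roundtrip() {
    work=$(mktemp -d) || return 1
    ( cd "$work" && write_ca_config && make_root_ca &&
      issue_cert cert1 pemsecret && bundle_pkcs12 cert1 pemsecret exportsecret &&
      extract_pkcs12 cert1.p12 exportsecret newpemsecret &&
      verify_extracted newpemsecret && revoke_and_check cert1 )
    rc=$?
    rm -rf "$work"
    return $rc
}
```

Run pkcs12_roundtrip to exercise the whole chain; the two checks in verify_extracted are the ones worth repeating on any PKCS#12 file received from a CA before the three PEM files are uploaded, and revoke_and_check shows what a CRL buys you once a key is compromised.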
To install the PKCS12 files on Windows XP:
1. Open up the Microsoft Management Console (Start -> Run -> mmc).
2. Add the Certificate Snap-in (File -> Add/Remove Snap-in -> Add -> select Certificates -> Add -> select the account level you want the certificates installed for, i.e. current user vs. all users (-> Local Computer) -> Close -> OK).
3. Double click Certificates to open the store.
4. Select the Personal store.
5. Import the new certificate (Action -> All Tasks -> Import).
6. Locate the .p12 file you created with openssl previously.
7. Type in the Export Password (if you used one).
8. Select Automatically select the certificate store based on the type of certificate.
Adding certificates
To add certificates to the CyberGuard SG appliance, click the IPSec link on the left side of the Web Management Console web administration pages and then click the Certificate Lists tab at the top of the window. A window similar to the following will be displayed.
Figure 9-22