TECHNICAL SUPPORT NOTE
Configuring the Netvanta VPN Client
Featuring the NetVanta 2x00
* Before You Begin
This document assumes that the Netvanta 2x00 is already configured and working as a Firewall, and that the Netvanta Client Software is already installed on a PC. For this example the WAN interface IP address of the Netvanta 2x00 is 188.8.131.52. The LAN interface IP address is 10.10.10.1. The WAN IP address of the Netvanta Client is dynamic, but the Internal Network IP address will be 192.168.1.1.
Configuring the Netvanta 2x00
- The WAN interface IP address of the Netvanta 2x00 is 184.108.40.206. The LAN interface IP address is 10.10.10.1. Check Treat interface as static. Then select Submit. See figure 1.
2. Next, go to Policies, VPN, IKE. Select Add. See Figure 2.
3. Then Configure the IKE policy as shown in Figure 3. Policy Name, Local ID Data, and Remote ID Data are examples. Create new values for these fields.
4. Next, finish the IKE setup by entering the Public (WAN) IP address of the Netvanta 2x00 in the Local IP Address. This address MUST be reachable from the remote site. Set the Remote IP Address to 0.0.0.0. Create a 12-character, Pre-Shared Key. Specify the Lifetime of Key. This is the amount of time between IKE renegotiations. Then select the rest of the options and select Submit. An Example is shown in Figure 4.
5. The IKE Menu should look similar to the example in Figure 5.
6. Next, setup the IPSec policy. This is done in the Tunnels Menu. Select AUTO to begin configuring the IPSec policy. See Figure 6.
7. Start the IPSec configuration by specifying a useful PolicyName. Then set the Source Address to OTHER, set the Source IP Address (the LAN network of the 2x00) and specify the Mask. Set the Destination Address to OTHER, set the Destination IP Address (the Internal Network IP Address of the Netvanta Client) and specify theMask. Set the Source Port, Destination Port, and Protocol to allow the desired applications across the Tunnel. The Peer Security Gateway will be 0.0.0.0 in this case because it is assumed that the WAN IP address of the client is dynamic and therefore unknown. If it is known, specify it here. See Figure 7.
8. Next, select the Security Protocol, Authentication and ESP Algorithms. Specify the Life Time Secs. It is good practice for this time to be 1/3 of the Life Time of Keyfrom the IKE Menu. Select Add. See Figure 8.
9. The Tunnel Policies should look similar to Figure 9.
10. Next, setup the Access Policies. Start with the To LAN. Set Add to BEGINING and choose Submit. See Figure 10.
11. Set the Source IP to OTHER, and specify the Internal Network IP Address of the Netvanta Client. Then set the Destination IP to OTHER and specify the LAN IP network of the Netvanta 2x00. Set the Destination Port and Protocol to allow the desired applications across the tunnel. See Figure 11.
12. Then set Action Type to PERMIT, Enable NAT to NO, and Check for System VPN Policy to YES. See Figure 12. The Access Polic: To LAN should look similar to Figure 13.
13. Finally, setup the From LAN Access Policy. Set Add to BEGINING and choose Submit. See Figure 14.
14. Set the Source IP to OTHER, and specify the LAN IP network of the Netvanta 2x00. Then set the Destination IP to OTHER and specify the Internal Network IP Addressof the Netvanta Client. Set the Destination Port and Protocol to allow the desired applications across the tunnel. See Figure 15.
15. Then set Action Type to PERMIT, Enable NAT to NO, and Check for System VPN Policy to YES. See Figure 16. The Access Policy: From LAN should look similar to Figure 17.
Configuring the Netvanta VPN Client Software
- Start the Security Policy Editor by double-clicking on the Netvanta VPN Client icon in the Taskbar. Then select NEW to create a New Connection.
- Select Secure from the Connection Security list.
- For ID Type choose IP Subnet. Then enter 10.10.10.0 and 255.255.255.0 for the Subnet and Mask (Netvanta 2x00’s LAN IP network address).
- Check Connect using and Select Secure Gateway Tunnel.
- Under ID type select Domain Name and below enter the remote ID data (Local ID data on Netvanta 2x00 IKE policy setup).
- Under IP address enter the 220.127.116.11 (Netvanta 2x00’s WAN IP address).
7. Next, select Security Policy and under Security Policy select Aggressive Mode. See Figure 2.
8. Then select My Identity. Under ID Type select Domain Name and type in the local ID (Remote ID data on Netvanta 2x00 IKE policy setup). Select Disabled for Virtual Adapter. Select Pre-Shared Key and enter the 12-character key as entered into the Netvanta 2x00. See Figure 3.
9. Select Options and Global Policy Settings.
10. Check Allow to Specify Internal Network Address.
11. Enter 192.168.1.1 as the Internal Network IP Address under My Identity. See Figure 6.
12. Click on the plus sign by Security Policy. Then click on the plus sign by Authentication (Phase 1). Click on Proposal 1. Select Pre-Shared Key for theAuthentication Method. Select Triple DES for the Encrypt Alg. Select MD5 for Hash Alg. Select Seconds for SA Life and enter 1800 (The IKE policy timeout from the Netvanta 2x00). Select Diffie-Hellman Group 1 for Key Group. See Figure 7.
13. Click on the plus sign by Key Exchange (Phase 2). Then click on Proposal 1. Under IPSec Protocols, select Seconds for SA life. For Seconds enter 600 (The IPSec Lifetime Secs of the Netvanta 2x00). Check Encapsulation Protocol (ESP). Select Triple DES for the Encrypt Alg, MD5 for the Hash Alg and Tunnel for theEncapsulation. See Figure 8.
14. Finally, click on File and then Save. Right-click on the Netvanta VPN Client icon and select Reload Security Policy. On the PC, open up a DOS prompt and type ping 10.10.10.1. This should activate the tunnel and you should get replies from 10.10.10.1.