BiGuard C01
BiGuard VPN Client
Quick Installation Guide
(BiGuard series VPN enabled devices)
Secure access to Company Network
Your network is constantly evolving as you integrate more business applications and
consolidate servers. In that environment, it is becoming extremely complex to maintain
total security at the edge while users, whether employees or teleworkers on the go, are
working with customers and partners. You need to get access to those applications and
servers quickly, easily and securely.
BiGuard VPN Client is an on-demand IPSec VPN client compatible with Billion BiGuard
series VPN enabled devices. It is ideal for remote users and teleworkers requiring access to
the company network.
Network Topology
In this example, we will connect BiGuard VPN Client to the LAN behind the Billion BiGuard
series VPN enabled routers. The VPN Client is connected to the Internet by a DSL/dialup
connection from an ISP or through a LAN. The client will have a virtual IP address in the remote
LAN. All the addresses in this document are given for example purposes only.
Billion BiGuard VPN enabled devices – VPN Configuration
After connecting to your Billion BiGuard VPN enabled device, select the menu:
【Configuration】→ 【IPSec】.
Click and add a new IPSec VPN setting as below.
Connection Name: A user-defined name for the connection (e.g. “BiGuardVPN”).
Tunnel: Activates or deactivates the IPSec connection
Local:
ID: Select local ID type
Data: Input ID’s information, like domain name www.ipsectest.com.
Network: Set the local network as Any Local Address, a subnet or a single address.
~ Any Local Address: All IP addresses of the local network
~ Subnet: The subnet of the local network. For example, IP: 192.168.100.0 with netmask
255.255.255.0 specifies one class C subnet starting from 192.168.100.1 (i.e. 192.168.100.1
through to 192.168.100.254).
~ Single Address: The IP address of the local host.
Remote:
Secure Gateway Address (or hostname): The IP address or hostname of the remote
VPN device with which the VPN tunnel is established. Enter the VPN Client's IP address,
or the public IP address of the router behind which the VPN Client sits
(“vpnclient.dyndns.org” in our example).
ID: Select remote ID type
Data: Input ID’s information, like domain name www.ipsectest.com.
Network: Set the IP address, subnet or address range of the remote network. In our
example, you must add the FQUN (biguardsupport@billion.com) for the VPN Client.
Proposal:
Secure Association (SA): A method of establishing a security policy between two points.
There are three methods of creating a Secure Association, each varying in degree of
security and speed of negotiation.
~ Main Mode: Uses the automated Internet Key Exchange (IKE) setup; most secure
method with the highest level of security.
~ Aggressive Mode: Uses the automated Internet Key Exchange (IKE) setup; mid-level
security. Speed is faster than Main mode.
~ Manual Key: Manual keying; standard level of security. It is the fastest of the three methods.
Method:
There are two methods of protecting and checking the packet, AH
(Authentication Header) and ESP (Encapsulating Security Payload). Use ESP for greater
security, so that data is both encrypted and authenticated. With AH, data is
authenticated but not encrypted.
Encryption: Select the encryption method from the pull-down menu. There are several
options: DES, 3DES and AES (128, 192 and 256). 3DES and AES are more powerful but
increase latency.
~ DES: Stands for Data Encryption Standard; it uses a 56-bit key.
~ 3DES: Stands for Triple Data Encryption Standard; it uses a 168-bit (56*3) key.
~ AES: Stands for Advanced Encryption Standard; you can use a 128, 192 or 256-bit key.
Authentication: Authentication establishes the integrity of the datagram and ensures it is
not tampered with in transit. There are two options, Message Digest 5 (MD5) and Secure
Hash Algorithm (SHA1). SHA1 is more resistant to brute-force attacks than MD5, but it
is slower.
~ MD5: A one-way hashing algorithm that produces a 128-bit hash.
~ SHA1: A one-way hashing algorithm that produces a 160-bit hash.
Perfect Forward Secrecy: Choose whether to enable PFS, which uses Diffie-Hellman public-key
cryptography to derive fresh encryption keys during the second phase of VPN negotiation. This
function provides better security but extends the VPN negotiation time. Diffie-Hellman is
a public-key cryptography protocol that allows two parties to establish a shared secret over
an unsecured communication channel (i.e. over the Internet). There are two modes, MODP
768-bit and MODP 1024-bit. MODP stands for Modular Exponentiation Groups.
Pre-shared Key: This is for the Internet Key Exchange (IKE) protocol. Both sides should
use the same key. IKE is used to establish a shared security policy and authenticated keys
for services (such as IPSec) that require a key. Before any IPSec traffic can be passed,
each router must be able to verify the identity of its peer. This can be done by manually
entering the pre-shared key into both sides (router or hosts).
IKE Life Time: Allows you to specify the timer interval for renegotiation of the IKE security
association. The value is in seconds, e.g. 28800 seconds = 8 hours.
Key Life: Allows you to specify the timer interval for renegotiation of the data (phase 2) key. The value
is in seconds, e.g. 3600 seconds = 1 hour.
Select the to submit the setting then click the to save the settings into
flash.
After changing the router’s configuration settings, you must save all of the
configuration parameters to FLASH to avoid them being lost after turning
off or resetting your router.
BiGuard VPN Client Configuration – Phase 1 Configuration
The “Authentication” or “Phase 1” window covers the settings for the Authentication Phase (Phase
1), also called the IKE Negotiation Phase.
Phase 1's purpose is to negotiate IKE policy sets, authenticate the peers, and set up a secure
channel between the peers. As part of Phase 1, each end system must identify and authenticate
itself to the other.
The BiGuard VPN Client must use the settings defined in the VPN configuration of the Billion
BiGuard series VPN enabled device.
Name: Label for the Authentication phase, used only in the configuration user interface. This value is
never used during IKE negotiation. It is possible to change this name at any time and read it in
the tree control. Two Phase 1 entries cannot have the same name (“billion” in our example).
Interface: IP address of the network interface of the computer, through which VPN connection is
established. If the IP address may change (when it is received dynamically by an ISP), select
"any".
Remote Gateway: IP address or DNS address of the remote router (in our example:
gateway.dyndns.com). This field is mandatory.
Pre-shared key: Password or key shared with the remote router (“12345678” in our example).
Certificate (Please see the Appendix A): X509 certificate used by the VPN client (see
certificate configuration).
IKE encryption: Encryption algorithm used during Authentication phase (3DES, AES, ...).
IKE authentication: Authentication algorithm used during Authentication phase (MD5, SHA, ...).
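As an added example (not Billion's software or the router's own logic), the Python checker below takes the router-side proposal fields from the VPN Configuration section and the client-side Phase 1 fields as plain dicts, verifies that both ends agree on the pre-shared key and IKE algorithms, that the client's virtual IP is a usable host inside the router's local subnet, and flags the weaker options the guide lists. The field names are this example's assumptions and the sample values are constructed from the guide's example values.

```python
import ipaddress

# Weaker choices among the options this guide lists, with the stronger alternative.
# Field names are this example's own assumptions, not the router's UI labels.
WEAK = {
    "mode": {"Aggressive Mode": "mid-level security; prefer Main Mode",
             "Manual Key": "no IKE key rotation; prefer Main Mode"},
    "method": {"AH": "authenticates but does not encrypt; prefer ESP"},
    "encryption": {"DES": "56-bit key; prefer 3DES or AES"},
    "authentication": {"MD5": "128-bit hash; prefer SHA1"},
    "pfs": {"Disabled": "no PFS; enable MODP 1024-bit",
            "MODP 768-bit": "smaller DH group; prefer MODP 1024-bit"},
}

def usable_hosts(network, netmask):
    """First and last usable host of a subnet: 192.168.100.0/255.255.255.0
    gives ('192.168.100.1', '192.168.100.254'), as the guide states."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    return str(net.network_address + 1), str(net.broadcast_address - 1)

def check_tunnel(router, client):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    # Both ends must agree on the pre-shared key and the IKE algorithms.
    for field in ("pre_shared_key", "encryption", "authentication"):
        if router[field] != client[field]:
            findings.append(f"mismatch on {field}: router {router[field]!r}, client {client[field]!r}")
    # The client's virtual IP must be a usable host inside the router's local subnet.
    net = ipaddress.ip_network(f"{router['local_network']}/{router['local_netmask']}", strict=False)
    vip = ipaddress.ip_address(client["virtual_ip"])
    if vip not in net or vip in (net.network_address, net.broadcast_address):
        findings.append(f"virtual IP {vip} is not a usable host in {net}")
    # Flag the weaker proposal options from the tables above.
    for field, table in WEAK.items():
        if router[field] in table:
            findings.append(f"weak {field} {router[field]!r}: {table[router[field]]}")
    # A short pre-shared key is the easiest thing to get wrong.
    if len(router["pre_shared_key"]) < 16:
        findings.append("pre-shared key shorter than 16 characters")
    return findings

# Constructed sample using the guide's own example values (not a real deployment).
ROUTER = {"connection_name": "BiGuardVPN", "mode": "Main Mode", "method": "ESP",
          "encryption": "3DES", "authentication": "SHA1", "pfs": "MODP 1024-bit",
          "pre_shared_key": "12345678", "local_network": "192.168.100.0",
          "local_netmask": "255.255.255.0"}
CLIENT = {"name": "billion", "remote_gateway": "gateway.dyndns.com",
          "pre_shared_key": "12345678", "encryption": "3DES", "authentication": "SHA1",
          "virtual_ip": "192.168.100.50"}
```

Running check_tunnel(ROUTER, CLIENT) on the guide's example values reports only the short pre-shared key; changing the client's IKE authentication to MD5 additionally reports the mismatch that would make Phase 1 fail.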