Billion BiGuard User Manual

BiGuard C01
BiGuard VPN Client
Quick Installation Guide
(BiGuard series VPN enabled devices)
Secure access to Company Network
Your network is constantly evolving as you integrate more business applications and consolidate servers. In that environment it is becoming extremely complex to maintain total security at the edge while users, whether employees on the go or teleworkers, are working with customers and partners. They need to reach those applications and servers quickly, easily and securely.
BiGuard VPN Client is an on-demand IPSec VPN client, compatible with Billion BiGuard series VPN enabled devices. It is intended for remote users and teleworkers who require access to the company network.

Network Topology

In this example, we will connect BiGuard VPN Client to the LAN behind a Billion BiGuard series VPN enabled router. The VPN Client is connected to the Internet by a DSL/dialup connection from an ISP or through a LAN. The client will have a virtual IP address in the remote LAN. All the addresses in this document are given for example purposes only.

Billion BiGuard VPN enabled devices – VPN Configuration

After connecting to your Billion BiGuard VPN enabled device, select the menu:
Configuration → IPSec.
Click to add a new IPSec VPN setting as below.
Connection Name: A user-defined name for the connection (e.g. “BiGuardVPN”).
Tunnel: Activates or deactivates the IPSec connection.
Local:
ID: Select the local ID type.
Data: Enter the ID’s information, e.g. the domain name www.ipsectest.com.
Network: Set the local network as any local address, a subnet or a single address.
~ Any Local Address: All IP addresses of the local network.
~ Subnet: The subnet of the local network. For example, IP 192.168.100.0 with netmask 255.255.255.0 specifies one class C subnet, i.e. hosts 192.168.100.1 through 192.168.100.254.
~ Single Address: The IP address of the local host.
Remote:
Secure Gateway Address (or hostname): The IP address or hostname of the remote VPN device with which the VPN tunnel is established. Enter the VPN Client’s IP address, or the public IP address of the router behind which the VPN Client sits (“vpnclient.dyndns.org” in our example).
ID: Select the remote ID type.
Data: Enter the ID’s information, e.g. the domain name www.ipsectest.com.
Network: Set the IP address, subnet or address range of the remote network. In our example you must enter the User FQDN (an e-mail-style identifier, biguardsupport@billion.com) for the VPN Client.
Proposal:
Security Association (SA): a method of establishing a security policy between two points. There are three methods of creating a Security Association, each varying in degree of security and speed of negotiation.
~ Main Mode: Uses the automated Internet Key Exchange (IKE) setup; the most secure method. The peers’ identities are exchanged only after the channel has been encrypted.
~ Aggressive Mode: Uses the automated Internet Key Exchange (IKE) setup; mid-level security. Negotiation is faster than Main mode because fewer messages are exchanged, but the identities and, with pre-shared keys, the authentication hash are sent in the clear, so a captured exchange can be used for an offline dictionary attack on the pre-shared key. If you must use it (typically for a client with a dynamic address), choose a long random pre-shared key.
~ Manual Key: Keys are entered by hand and never renegotiated; standard level of security. It is the fastest of the three methods.
Method:
There are two IPSec protocols for protecting the data, AH (Authentication Header) and ESP (Encapsulating Security Payload). Use ESP for greater security: the data is both encrypted and authenticated. With AH the data is authenticated but not encrypted.
Encryption: Select the encryption algorithm from the pull-down menu. The options are DES, 3DES and AES (128, 192 and 256 bits). 3DES and AES are stronger than DES but add processing overhead; of the three, 3DES is the slowest.
~ DES: Data Encryption Standard, using a 56-bit key. The key is short enough to be brute-forced with modern hardware; avoid it when both ends support a stronger option.
~ 3DES: Triple Data Encryption Standard, using a 168-bit (56*3) key, with an effective strength of about 112 bits.
~ AES: Advanced Encryption Standard, with a choice of 128-, 192- or 256-bit keys.
Authentication: Authentication establishes the integrity of the datagram and ensures it is not tampered with in transit. There are two options, Message Digest 5 (MD5) and Secure Hash Algorithm (SHA1), each used in HMAC form. SHA1 produces a longer digest and is more resistant to collision and brute-force attacks than MD5, but it is slower.
~ MD5: A one-way hash algorithm that produces a 128-bit hash.
~ SHA1: A one-way hash algorithm that produces a 160-bit hash.
Perfect Forward Secrecy: Choose whether to enable PFS. With PFS a fresh Diffie-Hellman exchange is performed during the second phase of VPN negotiation, so the data keys are not derived solely from the Phase 1 keying material: an attacker who later obtains the Phase 1 secret cannot recover earlier Phase 2 keys. This provides better security but extends the VPN negotiation time. Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel (i.e. over the Internet). There are two groups, MODP 768-bit (DH group 1) and MODP 1024-bit (DH group 2). MODP stands for Modular Exponentiation Group. Prefer the 1024-bit group; a 768-bit modulus is within reach of a well-funded attacker. Both ends must select the same group.
Pre-shared Key: This is for the Internet Key Exchange (IKE) protocol. Both sides must use the same key. IKE is used to establish a shared security policy and authenticated keys for services (such as IPSec) that require a key. Before any IPSec traffic can be passed, each router must be able to verify the identity of its peer. This is done by manually entering the pre-shared key into both sides (routers or hosts). Use a long, random key: a short or guessable key lets a captured negotiation be cracked offline.
IKE Life Time: Specifies the interval after which the IKE (Phase 1) security association is renegotiated. The value is in seconds, e.g. 28800 seconds = 8 hours.
Key Life: Specifies the interval after which the IPSec (Phase 2) keys are renegotiated. The value is in seconds, e.g. 3600 seconds = 1 hour.
Submit the setting, then save the settings into flash.
After changing the router’s configuration settings, you must save all of the configuration parameters to FLASH; otherwise they are lost when the router is turned off or reset.
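To make the Perfect Forward Secrecy setting above concrete, the following is an added Python example; it is not Billion’s code, and its key schedule is a simplified model of IKEv1 rather than the exact RFC 2409 derivation. It performs Diffie-Hellman over the two MODP groups named on this page (primes transcribed from RFC 2409, generator 2) and shows that an attacker who recorded the exchange and later obtains the Phase 1 secret can recompute the Phase 2 key when PFS is off but not when it is on. The nonces, the function names and the use of the guide’s example key “12345678” are constructed for the illustration.

```python
"""Added example: Diffie-Hellman over the IKE MODP groups and the effect
of Perfect Forward Secrecy. Not Billion's code; the key derivation is a
simplified model of IKEv1, not the exact RFC 2409 schedule."""
import hashlib
import hmac
import secrets

# Group primes from RFC 2409 sections 6.1 (768-bit) and 6.2 (1024-bit).
MODP_768 = int((
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 "
    "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 "
    "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF"
).replace(" ", ""), 16)
MODP_1024 = int((
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 "
    "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 "
    "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED "
    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF"
).replace(" ", ""), 16)
GENERATOR = 2  # both IKE groups use g = 2


def is_probable_prime(n: int, bases=(2, 3, 5, 7, 11, 13, 17, 19)) -> bool:
    """Miller-Rabin check, used to sanity-check the transcribed moduli."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(p: int):
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(GENERATOR, x, p)


def dh_shared(p: int, priv: int, peer_pub: int) -> bytes:
    """g^xy mod p as fixed-width big-endian bytes."""
    return pow(peer_pub, priv, p).to_bytes((p.bit_length() + 7) // 8, "big")


def prf(key: bytes, data: bytes) -> bytes:
    """IKE-style PRF: HMAC with the negotiated hash (SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1(p: int, psk: bytes) -> bytes:
    """Phase 1 with a pre-shared key: one DH exchange plus a PSK-keyed PRF.
    Returns the secret both peers derive (a stand-in for IKE's SKEYID_d)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xi, gi = dh_keypair(p)
    xr, gr = dh_keypair(p)
    assert dh_shared(p, xi, gr) == dh_shared(p, xr, gi)  # both sides agree
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, dh_shared(p, xi, gr))


def phase2(p: int, skeyid_d: bytes, ni: bytes, nr: bytes, pfs: bool):
    """Phase 2 (Quick Mode) key derivation. Returns (key, transcript), where
    transcript is everything a passive eavesdropper can record."""
    transcript = {"ni": ni, "nr": nr}
    material = b""
    if pfs:
        # Fresh ephemeral exponents, discarded once the key is derived.
        xi, gi = dh_keypair(p)
        xr, gr = dh_keypair(p)
        transcript["gi"], transcript["gr"] = gi, gr
        material = dh_shared(p, xi, gr)
    return prf(skeyid_d, material + ni + nr), transcript


def attacker_recompute(leaked_skeyid_d: bytes, transcript: dict) -> bytes:
    """An attacker who recorded the exchange and later got the Phase 1 secret
    (e.g. by cracking a weak PSK offline) replays the derivation. Without PFS
    this reproduces the key; with PFS g^xy is missing from the transcript."""
    return prf(leaked_skeyid_d, transcript["ni"] + transcript["nr"])


def pfs_demo(p: int = MODP_1024) -> dict:
    """Map pfs-setting -> whether the attacker recovered the Phase 2 key."""
    skeyid_d = phase1(p, b"12345678")  # the guide's example key, weak on purpose
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    results = {}
    for pfs in (False, True):
        key, transcript = phase2(p, skeyid_d, ni, nr, pfs)
        results[pfs] = attacker_recompute(skeyid_d, transcript) == key
    return results  # {False: True, True: False}


if __name__ == "__main__":
    for name, p in (("MODP 768 (group 1)", MODP_768), ("MODP 1024 (group 2)", MODP_1024)):
        print(name, p.bit_length(), "bits, prime:", is_probable_prime(p))
    r = pfs_demo()
    print("attacker recovers Phase 2 key without PFS:", r[False])
    print("attacker recovers Phase 2 key with PFS:   ", r[True])
```

The point of the demo is the last two lines of output: once the Phase 1 secret is known, the non-PFS Phase 2 key follows directly from the recorded nonces, while the PFS key depends on ephemeral exponents that never appear on the wire and were discarded after use. That is also why the guide’s weak example key matters more without PFS.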

BiGuard VPN Client Configuration – Phase 1 Configuration

The “Authentication” or “Phase 1” window holds the settings for the Authentication Phase, or Phase 1. It is also called the IKE Negotiation Phase.
Phase 1's purpose is to negotiate IKE policy sets, authenticate the peers, and set up a secure channel between the peers. As part of Phase 1, each end system must identify and authenticate itself to the other.
For the BiGuard VPN Client, use the settings you defined in the Billion BiGuard series VPN enabled device’s VPN configuration. The proposal (encryption, authentication, DH group and lifetimes) and the pre-shared key must match on both sides, or negotiation fails.
Name: Label for the Authentication phase, used only in the configuration user interface. This value is never used during IKE negotiation. You can change this name at any time and read it in the tree control. Two Phase 1 entries cannot have the same name (“billion” in our example).
Interface: IP address of the network interface of the computer through which the VPN connection is established. If the IP address may change (when it is assigned dynamically by an ISP), select "any".
Remote Gateway: IP address or DNS name of the remote router (in our example: gateway.dyndns.com). This field is mandatory.
Pre-shared key: Password or key shared with the remote router (“12345678” in our example; a production key should be long and random, as this example value is trivially guessable).
Certificate (please see Appendix A): X509 certificate used by the VPN client (see certificate configuration).
IKE encryption: Encryption algorithm used during the Authentication phase (3DES, AES, ...).
IKE authentication: Authentication algorithm used during the Authentication phase (MD5, SHA, ...).