Secure Computing, Sidewinder, Type Enforcement, and Strikeback are either registered trademarks or trademarks of
Secure Computing Corporation. All other trademarks, tradenames, service marks, service names, product names, and
images mentioned and/or used herein belong to their respective owners.
Secure Computing Corporation Software License Agreement
CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE LOADING THE SOFTWARE. BY LOADING
THE SOFTWARE, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS AGREEMENT, UNDERSTAND IT, AND AGREE
TO BE BOUND BY ITS TERMS AND CONDITIONS.
Secure Computing Corporation ("Secure Computing") provides its software and licenses its use either directly or through
authorized dealers. You assume responsibility for the selection of the programs to achieve your intended results, and for
the installation (unless installation is purchased from Secure Computing or an authorized dealer), use, and results
obtained from the programs.
1. Grant of License
Secure Computing grants to you, and you accept, a non-exclusive, and non-transferable license (without right to sublicense) to use the Software Products as defined herein on a single machine.
2. Software Products
"Software Products" mean (i) the machine-readable object-code versions of the Software of Secure Computing
contained in the media (the "Software"), (ii) the published user manuals and documentation that are made available for
the Software (the "Documentation"), and (iii) any updates or revisions of the Software or Documentation that you may
receive (the "Update"). Under no circumstances will you receive any source code of the Software. Software Products
provided for use as "backup" in the event of failure of a primary unit may be used only to replace the primary unit after
a failure in fact occurs. They may not be used to provide any capability in addition to the functioning primary system
that they back up.
3. Use
You may not transfer any Software Products to any third party. You may not copy, translate, modify, sub-license, adapt,
decompile, disassemble, or reverse engineer any Software Product in whole or in part except to make one copy of the
Software solely for back-up or archival purposes.
4. Limited Warranty and Remedies
Secure Computing warrants that the disk(s) or tape(s) on which its Software is recorded is/are free from defects in
material and workmanship under normal use and service for a period of ninety (90) days from the date of shipment to
you.
Secure Computing does not warrant that the functions contained in the Software will meet your requirements or that
operation of the program will be uninterrupted or error-free. The Software is furnished "AS IS" and without warranty as
to the performance or results Licensee may obtain by using the Software. The entire risk as to the results and
performance of the Software is assumed by Licensee. If Licensee does not receive media which is free from defects in
materials and workmanship during the 90-day warranty period, Licensee will receive a refund for the amount Licensee
paid for the Software Product returned.
5. Limitation of Warranty and Remedies
THE WARRANTIES STATED HEREIN ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES AND
COUNTRIES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT
APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS WHICH
VARY BY STATE OR COUNTRY.
SECURE COMPUTING’S AND ITS LICENSORS ENTIRE LIABILITY UNDER, FOR BREACH OF, OR ARISING OUT OF
THIS AGREEMENT, IS LIMITED TO A REFUND OF THE PURCHASE PRICE OF THE PRODUCT OR SERVICE THAT
GAVE RISE TO THE CLAIM. IN NO EVENT SHALL SECURE COMPUTING OR ITS LICENSORS BE LIABLE FOR YOUR
COST OF PROCURING SUBSTITUTE GOODS. IN NO EVENT WILL SECURE COMPUTING OR ITS LICENSORS BE
LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES
WHETHER OR NOT SECURE COMPUTING HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
6. Term and Termination
This license is effective until terminated. If you are using this license with a limited term, it shall expire at the end of
the license term. You may terminate it at any time by destroying the Software Product, including all computer programs
and documentation, and erasing any copies residing on computer equipment. This Agreement also will automatically
terminate if you do not comply with any terms or conditions of this Agreement. Upon such termination, you agree to
destroy the Software Product and erase all copies residing on computer equipment.
7. Ownership
All intellectual property rights including trademarks, service marks, patents, copyrights, trade secrets, and other
proprietary rights in or related to the Software Products are, and will remain the property of Secure Computing or its
licensors, whether or not specifically recognized or protected under local law.
8. Export Restrictions
You agree to comply with all applicable United States export control laws and regulations, including without limitation,
the laws and regulations administered by the United States Department of Commerce and the United States Department
of State.
9. U.S. Government Rights
Software Products furnished to the U.S. Government are provided on these commercial terms and conditions as set
forth in DFARS 227.7202-1(a).
10. General
Any waiver of or modification to the terms of this Agreement will not be effective unless executed in writing and
signed by Secure Computing. If any provision of this Agreement is held to be unenforceable, in whole or in part, such
holding shall not affect the validity of the other provisions of this Agreement. In the event of any inconsistency
between this Agreement and any other related agreements between you and Secure Computing, the terms of this
Agreement shall prevail.
Technical Support Information
Secure Computing works closely with our Channel Partners to offer worldwide Technical Support services. If you
purchased this product through a Secure Computing Channel Partner, please contact your reseller directly for support
needs.
To contact Secure Computing directly or inquire about obtaining a support contract, refer to our “Contact Secure" Web
page for the latest contact information at www.securecomputing.com. Or if you prefer, send us an email at
support@securecomputing.com.
Comments?
If you have comments or suggestions you would like to make regarding this document, please send an email to
techpubs@securecomputing.com.
Printing History
Date: March 2001
Part number: 86-0935037-A
Software release: Soft-PK 5.1.3 Build 4 and Sidewinder 5.1.0.02
This guide provides the information needed to set up connections
between remote systems running SafeNet/Soft-PK™ VPN client
software and systems on a network protected by Secure Computing’s
Sidewinder firewall. SafeNet/Soft-PK is a Windows-compatible
program that secures data communications sent from a desktop or
laptop computer across either a public network or an existing
corporate dial-up line.
Note: The SafeNet/Soft-PK product is referred to as simply "Soft-PK" throughout the
remainder of this document.
IMPORTANT: This guide describes administration of VPNs between Soft-PK Version 5.1.3
Build 4 and Sidewinder Version 5.1.0.02. If you are working with a later version of either
product, check our Web page at www.securecomputing.com for the latest
documentation (select Downloads & Activations -> Product Documentation).
This guide is written for the person assigned to administer
Sidewinder-based VPN connections involving a Soft-PK VPN client.
Setting up VPN connections involves procedures done on Sidewinder
and procedures done using Soft-PK to pre-configure the VPN client
security policy for each remote user (road warrior, telecommuter,
etc.).
As a network administrator, you should read and understand all the
procedures in this document. You will then be able to provide all
remote users with the information, files, and software they need to set
up Soft-PK software to communicate with your trusted network(s).
This guide assumes you are familiar with networks and network
terminology. Because Soft-PK will use a security association with a
Sidewinder firewall, you should be familiar with Sidewinder
administration. Knowledge of the Internet and of Windows operating
systems is also a key requirement.
How this guide is organized
This guide contains the following chapters.

Chapter 1: Getting Started
Presents an overview of the Soft-PK and the Sidewinder Virtual Private
Network (VPN) environment and describes the requirements. It includes a
checklist to guide you through the basic steps to set up and deploy a VPN.

Chapter 2: Planning your VPN Configuration
Provides information to help you understand key concepts and options
that are involved in a VPN connection.

Chapter 3: Configuring Sidewinder for Soft-PK Clients
Provides a summary of Sidewinder procedures associated with setting up
and configuring Soft-PK connections in your network.
Note: Perform these procedures before you configure your Soft-PK clients.

Chapter 4: Installing and Working with Soft-PK
Includes Soft-PK installation notes and describes the basic Soft-PK
procedures for managing certificates and creating a customized Soft-PK
security policy for your remote clients.

Chapter 5: Deploying Soft-PK to Your End Users
Summarizes the steps for preparing and deploying the Soft-PK software,
digital certificate files, and security policy to your end users. It is
based on a worksheet (in MS Word format) that you edit and send to each
remote end user.

Appendix A: Troubleshooting
Provides a summary of troubleshooting techniques available for resolving
Soft-PK and Sidewinder VPN connection problems.

Finding information
This guide is in Acrobat (softcopy) format only and does not contain
an index. However, you can use Acrobat's Find feature to search for
every instance of any word or phrase that you want.
Viewing and printing this document online
When you view this document online in PDF format, you may find
that the screen images are blurry. If you need to see the image more
clearly, you can either enlarge it (which may not eliminate the
blurriness) or you can print it. (The images are very clear when
printed out.)
For the best results, print this PDF document using a PostScript printer
driver.
If your printer understands PostScript but does not have a
PostScript driver installed, you need to install a PostScript driver.
You can download one for your printer from www.adobe.com.
If your printer is not a PostScript printer and this document does
not print as expected, try one of the following:
— If your printer has the option, enable Print as Image and then try
printing.
— Print specific page(s) at a time rather than sending the entire
document to the printer.

Where to find additional information
Refer to the following for related information.
About Soft-PK
For additional information about configuring and troubleshooting
Soft-PK software, refer to the online help that is integrated into the
program's user interface. Soft-PK online help provides detailed
step-by-step procedures for individual VPN client tasks.
About Sidewinder
For more information about setting up VPN connections on
Sidewinder, refer to Chapter 11 in the Sidewinder Administration
Guide. In addition, be sure to review documentation associated
with patch releases.
About digital certificates
For information on digital certificates and Public Key Infrastructure
(PKI) technology, see:
— Understanding Public-Key Infrastructure, by Carlisle Adams
and Steve Lloyd (1999)
— Internet X.509 Public Key Infrastructure, Certificate and CRL
Profile, RFC 2459, R. Housley, W. Ford, W. Polk, D. Solo
(January 1999)
To contact Secure Computing directly or inquire about obtaining a
support contract, refer to our Web site at www.securecomputing.com
and select "Contact Us." Or if you prefer, send us email at
support@securecomputing.com (be sure to include your customer ID in
the email).
CHAPTER 1
Getting Started

About this chapter
This chapter provides an overview of the Soft-PK™ and Sidewinder
Virtual Private Network (VPN) environment and describes the
requirements. It includes a checklist to guide you through the basic
steps to set up and deploy a VPN.
This chapter addresses the following topics:
"About Soft-PK & Sidewinder VPNs" on page 1-2
"Requirements" on page 1-3
"Roadmap to deploying your VPNs" on page 1-5
About Soft-PK & Sidewinder VPNs
Soft-PK is security software for remote PC users. It is designed to
provide data privacy between remote users and a corporate network.
Industry-standard encryption and user verification routines protect the
data sent over the connection. Soft-PK conforms to Internet
Engineering Task Force (IETF) standards for TCP/IP and IP Security
(IPSec) protocols.
Soft-PK works with the Secure Computing Sidewinder firewall to
establish secure VPNs over public and private networks. Information
passed across a VPN is encrypted, ensuring privacy and
confidentiality.
Figure 1-1. Sidewinder VPN connection providing secure data transmission
between a remote system running Soft-PK and your internal network(s).
(Diagram: a Soft-PK system on the Internet, a VPN tunnel carrying data
to the Sidewinder, and the Protected Network behind the Sidewinder.)
Note: In a VPN connection, keep in mind that the definition of "remote" depends on
perspective. From the Sidewinder's point of view, the remote end is a system connecting
from the Internet. From the Soft-PK system's point of view, the remote end is the Sidewinder
(VPN gateway) and the protected network.
Using Soft-PK, a mobile employee or telecommuter can establish
authenticated and encrypted access with networks protected by
Secure Computing’s fully IKE (Internet Key Exchange) compliant
Sidewinder firewall. Remote users can access secure corporate
resources using either public networks or corporate dial-up lines.
Requirements
To configure VPN communication between Sidewinder and Soft-PK
clients, your Sidewinder must be configured with the proper VPN
parameter settings and access rules. In addition, depending on your
VPN connection set up, you may also need to define the proper
digital certificates.
To run the Soft-PK VPN client, each remote system must meet
minimum hardware and software requirements. In addition, the
system must be able to make a connection with the Internet through
any of a number of means (for example, a dial-up networking facility,
an Ethernet LAN interface, DSL, cable modem, etc.).
Before starting your VPN setup, ensure that your environment meets
the requirements listed in this section.
Sidewinder and other network requirements
The network over which Soft-PK and Sidewinder will be used must
meet the basic requirements listed in Table 1-1.
Table 1-1. Network requirements for using Soft-PK with Sidewinder
Network: A network infrastructure with at least one installed and
operational Sidewinder.
Note: You can protect more than one LAN with a single Sidewinder.
Sidewinder: Sidewinder Version 5.1 or later (a); VPN feature license.
Remote client Internet connection: Connection to the Internet (via a
dial-up line, DSL, cable modem, etc.)
If using digital certificate authentication: Digital certificates based
on Sidewinder self-signed certificates, or digital certificates from a
public CA or your own CA server. (Registration over the network using
SCEP is recommended.)
a. This document is based on Sidewinder running Version 5.1.0.02.
Soft-PK requirements
Each system on which Soft-PK will be installed must meet the
requirements listed in Table 1-2.
IMPORTANT: A remote system must run only one VPN client. If a VPN client program
such as SecureClient was previously installed on the remote system, ensure it is properly
uninstalled. See Chapter 4, "Installing and Working with Soft-PK" for details.
Table 1-2. System requirements for running Soft-PK
Hardware:
— An IBM PC or compatible computer (portable or desktop) with at least a
75 MHz Pentium microprocessor (or equivalent).
— A non-encrypting modem (for use with dial-up networking) or an
Ethernet interface.
— At least 10 MB of free hard disk space.
— The recommended system RAM size: Windows 95: 16 MB; Windows 98, NT:
32 MB; Windows 2000, Me: 64 MB.
Software:
— Microsoft Windows 95, 98, Me, NT 4.0, or 2000 Professional.
— Dial-up Networking component of Microsoft Windows and/or Ethernet LAN
interface.
— If the remote system uses a modem, the end user must have a dial-up
account with an Internet Service Provider (ISP) or a private corporate
dial-up account.
TIP: Instruct Soft-PK users to follow the instructions provided by
Microsoft to install Dial-Up Networking on their Windows machine. Also,
create a dial-up networking profile for the ISP used to gain access to
the Internet.
— Microsoft Internet Explorer 4.0 or later (for using help).
Roadmap to deploying your VPNs
Because Secure Computing products provide network security, we
recommend that, as the network administrator, you carefully oversee
the installation and configuration of the Soft-PK client(s). Setting up
VPN connections using Soft-PK and Sidewinder involves performing
procedures on each remote system running Soft-PK AND on your
Sidewinder.
If done properly, administrators can do most of the VPN configuration
for both Soft-PK and Sidewinder, with little required of the end users.
For example, you can set up the digital certificates and create a
security profile that you include with Soft-PK's installation files. Users
then simply need to install Soft-PK and import a few files.
TIP: A separate Soft-PK User's Guide is NOT provided for end users of Soft-PK. As an
administrator, you should use the worksheet provided on the SafeNet/Soft-PK CD-ROM (in
MS Word format) as the basis for providing the remote Soft-PK users with the appropriate
installation and setup instructions. This way, Soft-PK users are required to follow only the
instructions that have been customized for your firewall configuration. (Refer to Chapter 5,
"Deploying Soft-PK to Your End Users" for details about the worksheet.)
Figure 1-2 provides a graphical overview of the Soft-PK and
Sidewinder VPN deployment process. Each of the tasks depicted in
Figure 1-2 is also reflected in the checklist starting on page 1-7.
Figure 1-2. VPN deployment overview
Admin tasks performed on the Sidewinder system:
1 — Satisfy Sidewinder, network, & system requirements
2 — Plan your VPN configuration
3 — Enable the VPN servers and configure ACL and proxy entries
If using Sidewinder self-signed certificates:
4a1 — Create/export a firewall certificate
4a2 — Create/export remote certificates for each end user
4a3 — Convert key file/certificate pair to pkcs12 format
If using CA-assigned certificates:
4b1 — Request/export the CA root certificate
4b2 — Request a firewall certificate
4b3 — Determine the identifying information (DN) your clients use
4b4 — Define remote certificate identities within Sidewinder
If using pre-shared keys (passwords):
4c1 — Define remote identities within Sidewinder
Important: Be sure to specify Extended Authentication when configuring
your VPN connection in Step 5
5 — Configure the VPN connections on the Sidewinder
Admin tasks performed using Soft-PK prior to deploying to end users:
6 — Configure the certificates and security policy(ies) for your
remote users
7 — Prepare and deploy your Soft-PK installation package to
remote users
8 — Troubleshoot any connection problems
Soft-PK deployment checklist
The following checklist identifies each major step involved in the
setup and deployment of your Soft-PK software (as shown in Figure
1-2). You can use the checklist as a reference point and mark off each
item as you complete it to ensure a successful VPN rollout.
TIP: Each step provides an overview of the task and points you to specific documentation
for more detailed information.
1 — Satisfy Sidewinder, network, & system requirements
❒ Sidewinder/network: Verify that your Sidewinder is at Version 5.1.0.02 or later,
licensed for VPN, and that your network is fully operational.
❒ End-user systems: Verify that each system on which Soft-PK will be installed meets
the requirements as described on page 1-4.
2 — Plan your VPN configuration
❒ Review Chapter 2 to become familiar with key concepts and options that are
available when setting up VPNs.
❒ Review Chapter 11 in the Sidewinder Administration Guide for additional background
on VPN configuration.
❒ Review the readme.txt file located on the Soft-PK CD for additional information from
3 — Enable the VPN servers and configure ACL and proxy entries
Note: For details, see "Enabling the VPN servers" on page 3-2 and "Configuring ACL & proxies
entries for VPN connections" on page 3-3.
❒ CMD server: The Certificate Management Daemon (CMD) server must be enabled
before you can configure the certificate server.
❒ EGD server: The Entropy Generating Daemon (EGD) server is used by ISAKMP. This
server must be enabled before you can create VPN associations.
❒ ISAKMP server: The ISAKMP server must be enabled and set to listen on the
appropriate burb (typically, this will be the Internet burb).
❒ ISAKMP ACL entry: At a minimum, you must define and enable an ACL entry that
allows ISAKMP traffic from the Internet to the Internet burb on Sidewinder (external
IP address of Sidewinder).
❒ Other ACL entries: Depending on where you terminate your VPN connections on
Sidewinder (e.g., in a virtual burb), you may need to create ACL entries to allow traffic
between burbs.
❒ Proxies: Depending on where you terminate your VPN connections on Sidewinder
(e.g., in a virtual burb), you may need to enable proxies to allow traffic between burbs.
4 — Create/Request the digital certificates
If using Sidewinder self-signed certificates:
❒ Use Cobra to create and export a firewall certificate. See "Creating & exporting a
firewall certificate" on page 3-4 for details.
❒ Use Cobra to create and export remote certificates for each end user. See "Creating &
exporting remote certificate(s)" on page 3-6 for details.
❒ Use a command-line utility on Sidewinder to convert the certificate file/private key
file pair to pkcs12 format. See "Converting the certificate file/private key file pair to
pkcs12 format" on page 3-8 for details.
If using CA-assigned certificates:
❒ Use Cobra to define a CA and obtain the CA root certificate and export it for sending
to client(s). See "Defining a CA to use and obtaining the CA root cert" on page 3-9 for
details.
❒ Use Cobra to request a certificate for the firewall from the CA. See "Requesting a
certificate for the firewall" on page 3-10 for details.
❒ Determine the identifying information (e.g., Distinguished Name settings) your
clients will use in their personal certificates. See "Determining identifying information
for client certificates" on page 3-12.
❒ Use Cobra to specify the client certificate identity information within Sidewinder.
See "Defining remote client identities in Sidewinder" on page 3-13 for details.
If using pre-shared keys (passwords):
❒ Use Cobra to specify the client identity information within Sidewinder. See
"Managing pre-shared keys (passwords)" on page 3-14 for details.
5 — Configure the VPN connections on the Sidewinder
❒ Use Cobra to define the VPN security association configuration. See "Configuring the
VPN on the Sidewinder" on page 3-15 for details.
❒ Enable Extended Authentication (required when you use pre-shared keys; see the
Important note in Figure 1-2).
6 — Configure the certificates and security policy(ies) for your remote
users
❒ Install your copy of Soft-PK. See "Soft-PK installation notes" on page 4-2 for details.
❒ Use Soft-PK to set up the certificates needed by each end user. See
❒ Use Soft-PK to create and save security policies that are customized for your end
users. See "Configuring a security policy on the Soft-PK" on page 4-13 for details.
7 — Prepare and deploy your Soft-PK installation package to remote users
❒ Prepare the files you will distribute to your end users. For details, see "Overview" on
page 5-2.
❒ Create Soft-PK installation and configuration instructions for your end users. For
details, see "Customizing the user worksheet" on page 5-4.
— If necessary, define configuration steps for the Windows Dial-Up Networking
feature on each machine on which you are installing and using Soft-PK. For
details, see "Specifying dial-up network instructions" on page 5-4.
— Specify the Soft-PK installation instructions. For details, see "Specifying installation
instructions" on page 5-4.
— Specify the instructions for importing/requesting/setting up client certificates.
For details, see "Specifying certificate import/request instructions" on page 5-5.
— Specify the instructions for establishing a security association. For details, see
"Specifying security policy instructions" on page 5-6.
❒ Send the Soft-PK deployment software and files to your end users.
TIP: Use the UserWorksheet.doc file on the Soft-PK CD as a starting point to define the
information each end user will need to install and quickly set up Soft-PK for your network.
8 — Troubleshoot any connection problems
❒ Use the Soft-PK Log Viewer. See "Soft-PK Log Viewer" on page A-1.
❒ Use the Soft-PK Connection Monitor. See "Soft-PK Connection Monitor" on page A-2.
❒ Use Sidewinder commands. See "Sidewinder troubleshooting commands" on page
A-4 and the Sidewinder Administration Guide for details.
CHAPTER 2
Planning Your VPN Configuration

About this chapter
This chapter provides information to help you understand key
concepts and options that are involved in a VPN connection. It
addresses the following topics:
"Identifying basic VPN connection needs" on page 2-2
"Identifying authentication requirements" on page 2-3
"Determining where you will terminate your VPNs" on page 2-7
"Understanding Sidewinder client address pools" on page 2-9
Identifying basic VPN connection needs
Before you actually begin configuring your Sidewinder or work with
Soft-PK, ensure you have an understanding of the basic profile for
your VPN connections.
Begin by doing the following:
— List the remote users that need a VPN connection
— List the internal/trusted systems to which users need access
— Identify the important IP addresses
It may help to start a sketch that defines your basic requirements.
Depending on your organization and network, this could be
somewhat more complex than the diagram shown in Figure 2-1.
Figure 2-1. Identify remote users and the target internal systems in a
sample diagram. (Sketch: remote users Mike (1) and Bryan (1), a Support
group of (4) road warriors (Gary, Laz, Todd, Chuck) and a Sales group of
(4) road warriors (Larry, Moe, Curly, Shemp) reach, across the Internet
and through a Sidewinder at 192.168.10.7, a Protected Network containing
the abc server at 172.16.17.2 and the xyz server. Questions noted on the
sketch: How many remote clients? Which internal networks? Sidewinder
addresses?)
Identifying authentication requirements
Determine how you will identify and authenticate the partners in your
VPN. Sidewinder and Soft-PK both support using digital certificates
and pre-shared key VPN configurations. In addition, when you use
Sidewinder version 5.1.0.02 or later, you can set up Extended
Authentication to provide increased security to your VPN network.
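What a pre-shared key actually proves in the IKE Phase 1 exchange, as an added example (this is not code from the guide and does not model Sidewinder's or Soft-PK's own implementation): the SKEYID, key-derivation and HASH_I/HASH_R computations of RFC 2409 section 5.4 run for both sides in Python. The cookies, nonces, SA payload body, identities and the group key are constructed values; HMAC-SHA1 as the prf and Diffie-Hellman group 2 are assumptions about the negotiated proposal.

```python
"""IKEv1 Phase 1 with pre-shared-key authentication (RFC 2409 section 5.4).

Added example; not code from the Soft-PK/Sidewinder guide and not a model of
either product's implementation. Cookies, nonces, the SA payload body and the
ID payloads below are constructed; HMAC-SHA1 is assumed as the prf.
"""
import hashlib
import hmac
import secrets

# Diffie-Hellman group 2 (1024-bit MODP), transcribed from RFC 2409
# section 6.2; verify the value against the RFC before reusing it.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
KE_LEN = 128  # public values and g^xy travel as 1024-bit big-endian octet strings


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with `key` over the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def id_payload(id_type: int, data: bytes) -> bytes:
    """Body of an ISAKMP Identification payload: type, protocol id, port, data."""
    return bytes([id_type, 0, 0, 0]) + data


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b). The PSK is the only secret
    input, so every holder of the same PSK derives the same SKEYID."""
    return prf(psk, ni + nr)


def derive_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d, SKEYID_a and SKEYID_e from RFC 2409 section 5."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def phase1(initiator_psk: bytes, responder_psk: bytes, initiator_id: bytes) -> dict:
    """Simulate a Phase 1 exchange in which each side uses the PSK it holds.

    Returns whether each side accepts the other's authentication hash and the
    initiator's derived keying material. The identity only enters HASH_I as
    data; possession of the PSK is what the responder is really checking.
    """
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # ISAKMP cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)       # nonces
    sai_b = bytes.fromhex("00000001000000010000002c")               # constructed SA body
    idii_b = id_payload(3, initiator_id)                            # ID_USER_FQDN
    idir_b = id_payload(2, b"sidewinder.example.com")               # ID_FQDN (assumed)

    # Diffie-Hellman: each side keeps its exponent and computes g^xy itself.
    xi, xr = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
    gxi = pow(G, xi, P).to_bytes(KE_LEN, "big")
    gxr = pow(G, xr, P).to_bytes(KE_LEN, "big")
    gxy_i = pow(int.from_bytes(gxr, "big"), xi, P).to_bytes(KE_LEN, "big")
    gxy_r = pow(int.from_bytes(gxi, "big"), xr, P).to_bytes(KE_LEN, "big")

    # Each side derives SKEYID from the PSK it believes applies to this peer.
    sk_i = skeyid_psk(initiator_psk, ni, nr)
    sk_r = skeyid_psk(responder_psk, ni, nr)

    sent_hash_i = hash_i(sk_i, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    sent_hash_r = hash_r(sk_r, gxi, gxr, cky_i, cky_r, sai_b, idir_b)

    return {
        "dh_agrees": gxy_i == gxy_r,
        "responder_accepts_initiator": hmac.compare_digest(
            sent_hash_i, hash_i(sk_r, gxi, gxr, cky_i, cky_r, sai_b, idii_b)),
        "initiator_accepts_responder": hmac.compare_digest(
            sent_hash_r, hash_r(sk_i, gxi, gxr, cky_i, cky_r, sai_b, idir_b)),
        "initiator_keys": derive_keys(sk_i, gxy_i, cky_i, cky_r),
    }


if __name__ == "__main__":
    psk = b"constructed-group-secret"
    for who in (b"mike@example.com", b"bryan@example.com"):
        ok = phase1(psk, psk, who)["responder_accepts_initiator"]
        print(f"{who.decode()} with the group PSK: accepted={ok}")
    bad = phase1(b"wrong-secret", psk, b"mike@example.com")
    print("wrong PSK accepted =", bad["responder_accepts_initiator"])
```

Run it and the responder accepts mike and bryan alike as long as the initiator holds the group key, and rejects any identity presented with a different key: the PSK proves possession of a shared secret, not who the user is. In main mode the responder must select the PSK before it has seen IDii, so it can only key that lookup on the peer's address; for road warriors arriving from arbitrary addresses that in practice means one key shared by the group, which is why the roadmap insists on Extended Authentication (a per-user credential checked after Phase 1) whenever pre-shared keys are used.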
The following summarizes VPN authentication methods.
Using digital certificate authentication
When using digital certificates (or "public key authentication"), each
system in the VPN requires a unique private key file and a
corresponding public key certificate file.
The private key file
A private key file is unique to each system in the network and kept
secret by the holder (VPN client, firewall, etc.). It is used to create
digital signatures and, depending upon the algorithm, to decrypt
data encrypted with the corresponding public key.
The certificate file (with public key)
Certificates contain informational values such as the identity of the
public key's owner, a copy of the public key itself (so others can
encrypt messages or verify digital signatures), an expiration date,
and the digital signature of the creating entity (CA or firewall).
When using Sidewinder, the trusted source for authorizing key/
certificate pairs can be Sidewinder itself through "self-signed"
certificates, or a public or private Certificate Authority (CA) server (for
example, Netscape, Baltimore, Entrust, etc.). Digital certificate
implementations using Sidewinder/Soft-PK follow the X.509 standard.
IMPORTANT: You must configure the necessary certificates before you configure the VPN
connection parameters on Sidewinder or Soft-PK.
In addition, digital certificates have an "effective" date and an
"expiration date." Before certificates expire, they must be retrieved
and updated in the VPN gateway (i.e., Sidewinder firewall) to
continue using them in a VPN.
If not already done, decide if you will use self-signed certificates
generated by Sidewinder or a public/private CA server.
Table 2-1. Sidewinder self-signed certificates versus CA-based certificates
Scenario: Using self-signed certificates (for a small number of VPN clients)
Profile: No CA needed; requires one VPN association for each client
Scenario: Using CA-based certificates (for a medium to large number of VPN clients)
Profile: Uses a private or public CA; single VPN association for all clients;
can make VPN deployment and management more efficient

A closer look at self-signed certificates
A VPN implemented using Sidewinder self-signed certificates does not
require an external certificate authority and is relatively easy to
configure for a small number of (less than 10) clients. However, one
VPN association must be configured on Sidewinder for each client. As
the number of configured clients grows, so does the administrative
time. Figure 2-2 shows the certificates involved in a VPN using
Sidewinder self-signed certificates.
Figure 2-2. Sidewinder self-signed certificate summary
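The two layouts that Table 2-1 contrasts, the effective/expiration window the previous section says you must track, and the key file plus certificate file to pkcs12 conversion of roadmap step 4a3, as an added example built with the openssl command-line tool. This is not the guide's procedure and not the Sidewinder utility it refers to (which the guide does not name); the subjects, lifetimes, file names and export password are assumptions, and every file is generated in a throw-away directory.

```shell
#!/bin/sh
# Added example (not from the Soft-PK/Sidewinder guide): builds the
# self-signed and CA-issued certificate layouts with openssl and packages
# a client key/certificate pair as PKCS#12. All subjects, lifetimes and
# passwords below are assumed values.
set -eu

WORK="$(mktemp -d)"             # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT

# Layout 1: self-signed certificates. Every end (firewall and each client)
# carries its own self-signed certificate; the peer trusts that exact
# certificate, so there is no CA and one association per client.
make_self_signed() {            # $1 = file prefix, $2 = subject DN, $3 = days
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Layout 2: CA-issued certificates. One private CA signs the firewall and
# every client, so a single association can trust the CA root instead.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example Corp/CN=Example VPN CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_from_ca() {               # $1 = file prefix, $2 = subject DN, $3 = days
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$3" -sha256 -out "$WORK/$1.crt" 2>/dev/null
}

# Step 4a3: private key file + certificate file -> one PKCS#12 file for the
# client to import. The export password protects the key in transit; give
# it to the user out of band, never alongside the file.
bundle_pkcs12() {               # $1 = prefix, $2 = export password, $3 = optional CA cert
    if [ -n "${3:-}" ]; then
        openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
            -certfile "$3" -passout "pass:$2" -out "$WORK/$1.p12"
    else
        openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
            -passout "pass:$2" -out "$WORK/$1.p12"
    fi
}

# Expiry check: fails if the certificate expires within $2 seconds, i.e.
# before the gateway copy would have to be renewed.
check_not_expiring() {          # $1 = certificate file, $2 = seconds of headroom
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Verify a certificate against the trust anchor its peer would hold: the CA
# root for CA-issued certificates, the certificate itself when self-signed.
verify_against() {              # $1 = trust anchor, $2 = certificate to verify
    openssl verify -CAfile "$1" "$2" >/dev/null
}

run_demo() {
    make_self_signed firewall "/O=Example Corp/CN=sidewinder.example.com" 365
    make_self_signed mike     "/O=Example Corp/CN=mike" 365
    make_ca
    issue_from_ca bryan "/O=Example Corp/OU=Support/CN=bryan" 90
    bundle_pkcs12 mike  "changeit"
    bundle_pkcs12 bryan "changeit" "$WORK/ca.crt"
    check_not_expiring "$WORK/firewall.crt" 86400
    verify_against "$WORK/mike.crt" "$WORK/mike.crt"   # self-signed: anchor is the cert itself
    verify_against "$WORK/ca.crt"   "$WORK/bryan.crt"  # CA-issued: anchor is the root
    # The DN inside the bundle is what the firewall's remote identity must match.
    openssl pkcs12 -in "$WORK/bryan.p12" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

run_demo
```

Two practical caveats. A self-signed client certificate verifies only against itself, so the firewall must hold every client's certificate, which is the per-client association Table 2-1 describes; a CA-issued one verifies against the root alone. And OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default, which a client of Soft-PK's vintage is unlikely to read; older OpenSSL releases default to the RC2/3DES encodings, and with OpenSSL 3 the `-legacy` option (or explicit `-keypbe`/`-certpbe` algorithms) reproduces them.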