Wireless Data Privacy Guide - ftp
Contents
1. [Figure: PuTTY Configuration window, Connection > SSH > Tunnels panel ("Options controlling SSH tunnelling"). Check boxes: "Local ports accept connections from other hosts" and "Remote ports do the same (SSH v2 only)". Forwarded ports listed: L8080 192.168.2.205:8080 and L110 192.168.2.248:110. "Add new forwarded port" fields: Source port 143, Destination 192.168.2.248:143, type Local (Remote unselected); Add, Open and Cancel buttons.]
Note that after changing the configuration you must save the session again so that the parameters can be reused. Where applicable, client applications that use a forwarded port must be reconfigured to use localhost or 127.0.0.1 (loopback) as the server address. Leave "Local ports accept connections from other hosts" unchecked unless you intend other machines to reach the forwarded services through your tunnel: with it checked, the forwarded ports listen on all of your interfaces rather than on loopback only.
Step 6 Click Open.
Step 7 If the client connects to the Integrated Access Manager or Access Controller for the first time, PuTTY prompts you to accept and cache the server's SSH host key (the guide calls this the server's digital certificate). Select Yes or Save. Compare the displayed fingerprint with one obtained from the administrator before accepting it; a key accepted blindly gives no protection against an impostor answering on the wireless segment.
Step 8 The PuTTY window displaying the login prompt appears (Figure 3-115).
Step 9 Type the username and press ENTER.
Step 10 Type the password and press ENTER. Nothing is echoed while you type the password.
At this point you should be able to access the network normally. Leave the PuTTY window open to stay connected.
HP ProCurve Secure Access 700wl Series Wireless Data Privacy Guide
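For the Tunnels panel above, the following added example (mine, not HP's or PuTTY's code) turns a PuTTY-style forwarded-port list into the equivalent OpenSSH command-line flags and shows what the "Local ports accept connections from other hosts" box changes. It assumes the comma-separated `L<port>=<host>:<port>` form in which PuTTY records the Tunnels panel; the sample string is constructed from the three forwards in the figure.

```python
"""Translate a PuTTY 'Forwarded ports' list into OpenSSH -L/-R/-D arguments.

Added example for this guide, not HP's or PuTTY's code.  It assumes the
comma-separated "L<port>=<host>:<port>" form in which PuTTY stores its Tunnels
panel (optionally prefixed with 4/6 for the address family, and with a bind
address before the port).  Local listeners are bound to 127.0.0.1 unless the
caller explicitly allows other hosts, mirroring the panel's check box.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One entry: optional family, L/R/D, optional "bind:" prefix, port, "=", destination.
_ENTRY = re.compile(
    r"^[46]?(?P<kind>[LRD])(?:(?P<bind>[^:=]+):)?(?P<port>\d+)=(?P<dest>.*)$"
)


@dataclass(frozen=True)
class Forward:
    kind: str            # "L" local, "R" remote, "D" dynamic (SOCKS)
    port: int            # listening port
    dest: str            # "host:port" for L/R, "" for D
    bind: Optional[str]  # listener address; None = let ssh choose (remote forwards)


def parse_putty_forwards(spec: str, allow_other_hosts: bool = False) -> List[Forward]:
    """Parse a PortForwardings-style value into Forward records."""
    forwards: List[Forward] = []
    for raw in (s.strip() for s in spec.split(",")):
        if not raw:
            continue
        m = _ENTRY.match(raw)
        if not m:
            raise ValueError(f"unrecognised forward entry: {raw!r}")
        kind, bind, port, dest = m["kind"], m["bind"], int(m["port"]), m["dest"]
        if kind == "L" and not dest:
            raise ValueError(f"local forward without destination: {raw!r}")
        if kind in "LD" and bind is None:
            # The Tunnels panel check box: loopback only, or every interface.
            bind = "0.0.0.0" if allow_other_hosts else "127.0.0.1"
        forwards.append(Forward(kind, port, dest, bind))
    return forwards


def to_openssh_args(forwards: List[Forward]) -> List[str]:
    """Render the forwards as OpenSSH command-line flags."""
    args: List[str] = []
    for f in forwards:
        listen = f"{f.bind}:{f.port}" if f.bind is not None else str(f.port)
        if f.kind == "D":
            args += ["-D", listen]
        else:
            args += [f"-{f.kind}", f"{listen}:{f.dest}"]
    return args


def exposed_listeners(forwards: List[Forward]) -> List[Forward]:
    """Local/dynamic listeners that other hosts on your LAN could use."""
    return [f for f in forwards if f.kind in "LD" and f.bind in ("0.0.0.0", "*", "::")]


# Constructed from the three forwards shown in the guide's Tunnels panel.
GUIDE_FORWARDS = "L8080=192.168.2.205:8080,L110=192.168.2.248:110,L143=192.168.2.248:143"

if __name__ == "__main__":
    safe = parse_putty_forwards(GUIDE_FORWARDS)
    print("ssh -N", " ".join(to_openssh_args(safe)), "user@<700wl-address>")
    for f in exposed_listeners(parse_putty_forwards(GUIDE_FORWARDS, allow_other_hosts=True)):
        print(f"WARNING: port {f.port} would be reachable from other hosts")
```

With the box unchecked the mail and proxy clients on the laptop connect to 127.0.0.1:110, 127.0.0.1:143 and 127.0.0.1:8080, exactly as the guide instructs; with it checked the same three ports are open to every host that can reach the laptop, which is rarely what you want on a wireless network.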
2. [Figure (continued): connection status details. Device: Microsoft L2TP/IPSec VPN Adapter 1; Server type: PPP: Internet, Windows NT Server, Windows; Protocols: Microsoft mutual challenge-handshake authentication; TCP/IP.]
Windows 98 Clients
This section describes how to configure computers running Windows 98 as L2TP/IPSec clients. The same process also works for Windows ME. The example uses Windows 98 Second Edition (SE); the steps are the same for Windows ME.
To configure an L2TP client on a Windows 98 computer, do the following:
Step 1 Download the Microsoft IPSec VPN Client and install it on your computer. The client, with instructions on how to install it, is available at http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp
Step 2 On your Windows computer, go to Dial-Up Networking and click Make New Connection. The Make New Connection window appears (Figure 3-103).
[Figure 3-103: Make New Connection Wizard, initial window, with Microsoft L2TP/IPSec VPN Adapter 1 as the selected device.]
Step 3 Enter the name you wish to give this connection.
Step 4 Select Microsoft L2TP/IPSec VPN Adapter 1 under "Select a device" and click Next >. The next window, in which you specify the host name or IP address, appears (Figure 3-104).
[Figure 3-104: Make New Connection Wizard, specify host name or IP address.]
3. [Figure (continued): Authentication for PPTP or L2TP. Authentication Method: "Use Associated Authentication Policy" (the Authentication Policy will be the one associated with the Connection Profile; see Help) or "Use shared secret" with Confirm field (MSCHAP v2 only); check box "Allow PAP for L2TP"; Save, Save As Copy and Cancel buttons.]
Step 6 From the Encryption drop-down box, choose one of the following options:
- If encryption is required for all clients connecting through this Access Policy, select Required.
- Allowed but not required admits unencrypted as well as encrypted clients through this Access Policy. This setting is recommended for Access Policies used for unknown clients, such as the Unauthenticated Access Policy.
Step 7 Select IPSec from the Encryption Protocols check boxes. The Settings link following the IPSec check box takes you to the Wireless Data Privacy setup page, where you configure the settings for IPSec. However, if you follow that link before saving, any changes you have made on the current page are lost.
Step 8 Click Save to save the settings.
Step 9 Since Authenticated is an existing Access Policy, refresh all rights so that the new settings apply to active users: click the STATUS icon in the Navigation Toolbar to go to the Status page, then click the Client Status tab.
4. [Figure (continued): Connection Name window; Company Name: My Workplace via L2TP.] For example, you could type the name of your workplace or the name of a server you will connect to.
Step 7 Enter the IP address of the VPN server in the "Host name or IP address" text box. In this case the internal address 42.0.0.1 of the 700wl Series unit (either Access Controller or Integrated Access Manager) is used. Click Next >.
[Figure 3-71: New Connection Wizard, VPN Server Selection window. "What is the name or address of the VPN server? Type the host name or Internet Protocol (IP) address of the computer to which you are connecting (for example, microsoft.com or 157.54.0.1)." Value entered: 42.0.0.1.]
The Completing the New Connection Wizard page appears.
Step 8 Click Finish. You may choose to add a shortcut to this connection to the desktop before clicking Finish.
[Figure 3-72: New Connection Wizard completion window. "You have successfully completed the steps needed to create the following connection: My Workplace via L2TP. Share with all users of this computer. The connection will be saved in the Network Connections folder." Check box: "Add a shortcut to this connection to my desktop". "To create the connection and close this wizard, click Finish."]
At this point
5. ... configured Diffie-Hellman group.
Step 7 Click Save to save the modification. The 700wl Series system is now ready for the IPSec clients.
PPTP Configuration
This section describes how to configure the HP ProCurve Integrated Access Manager or Access Control Server as a PPTP server.
Configuring the Rights Manager for PPTP
Do the following to configure an Access Policy for PPTP:
Step 1 To access the Administrative Interface from the network, point your browser to the IP address or hostname of the Integrated Access Manager or Access Control Server.
Step 2 Enter the Administrator username and password in the appropriate fields and click Logon. The Equipment Status page (see Figure 2-1 on page 2-2) is displayed as the initial page of the Administrative Console.
Step 3 Click the RIGHTS icon to access the Rights Manager.
Step 4 Click Access Policies to access the Rights Manager's Access Policies page (see Figure 2-2 on page 2-3).
Step 5 Click an Access Policy to configure PPTP encryption. The Edit Access Policy page appears, as shown in Figure 2-5. Suppose you want to configure an existing Access Policy named Authenticated to support PPTP encryption; note that no encryption is currently configured for that Access Policy.
[Figure 2-5: Edit Access Policy page.]
6. [Figure: SafeNet SoftRemote Security Policy Editor. Connection: All Connections; My Identity; Security Policy; Authentication (Phase 1), Proposal 1; Key Exchange (Phase 2), Proposal 1: SA Life Unspecified (Seconds / KBytes); Compression None; Encapsulation Protocol (ESP) checked, Encrypt Alg DES, Hash Alg SHA-1, Encapsulation Tunnel; Authentication Protocol (AH) unchecked.]
Note: The 700wl Series system supports ESP only. Do not select AH.
The Encrypt Alg value of DES shown in the example is the weakest cipher on offer; prefer 3DES or AES here, provided the same algorithm is checked under ESP Encryption on the 700wl Wireless Data Privacy page, since the two sides must agree.
Step 10 Pull down the File menu and select Save Changes. Then pull down the File menu again and click Exit.
At this point your system should be able to establish the secured connection with the server. You should see the icon shown below in the notification area in the lower left corner of the desktop.
[Figure 3-7: Connection icon.]
If the connection failed, the yellow key is missing from the icon. In this case the easiest approach to resolving the problem is to reboot your system. You must also make sure that the IPSec settings on the HP ProCurve Integrated Access Manager or Access Control Server match those on your client system.
SSH Sentinel for Windows
This configuration procedure is based on SSH Sentinel version 1.4 build 137 installed on Windows XP Professional. You may follow the same procedures for configuring the software on other Windows platforms.
Note: This procedure assumes you have already
7. [Figure 2-7: Edit Access Policy page (Username admin, Integrated Access Manager 192.168.10.116, Date & Time Thu Feb 12 18:26:21 2004). Navigation: STATUS, RIGHTS, NETWORK, VPN, MAINT, LOGS, HELP, LOGOUT. Access Policy name: Authenticated. Tabs: Settings, Allowed Traffic, Redirected Traffic, HTTP Proxy, Bandwidth. Settings tab fields: Network Address Translation: Always (modifying NAT settings may cause incorrect behavior; see Help); IP Addressing: Require DHCP; VLAN Identifier: Remove any pre-existing tag / Use client tag / Apply this VLAN; Encryption: Disabled; Encryption Protocols: IPSec (Settings link), L2TP+IPSec (may force IP addresses to be NATed; see Help).]
Sidebar help on that page: "Configure NAT policy, IP addressing and encryption requirements for this Access Policy in the fields below. See Help for details." You can change an Access Policy's name and its properties, found under the tabbed headings, as follows. Under Settings, set properties related to IP addressing, 802.1q VLAN tag usage, encryption requirements and others. Under Allowed Traffic, select the Allowed Traffic Filters for this policy; these are processed after the Redirected Traffic Filters. Under Redirected Traffic, select the Redirected Traffic Filters for this policy; these are processed before the Allowed Traffic Filters. Under HTTP Proxy, enable automatic HTTP proxy filtering and select proxy filters. Under Bandwidth, set upstream and downstream bandwidth limits.
8. [Figure 2-10: Wireless Data Privacy setup page (VPN > Wireless Data Privacy). Global Wireless Data Privacy Configuration, Encryption Protocols: Enable IPSec; Enable L2TP+IPSec (requires IPSec); Enable PPTP; Enable SSH. "Settings on this page affect the Wireless Data Privacy settings on all connected Access Controllers." Wireless Data Privacy Configuration for IPSec: IKE Authentication Method: Public Key Certificate or IPSec Shared Secret (with Confirm field); IKE Encryption: DES, 3DES, Blowfish, CAST; IKE Integrity: SHA1, MD5; IKE Diffie-Hellman: group check boxes; ESP Encryption: DES, 3DES, AES, Blowfish, CAST, null; ESP Integrity: SHA1, MD5, null. Buttons: Save, Reset to Defaults, Cancel.]
Sidebar help on that page: Check Encryption Protocols to enable their use. For IPSec, select the IKE Authentication method. To use a certificate, go to the Certificates tab to obtain and load a certificate. To use a shared secret, enter and confirm the secret string. Select one or more algorithms for IKE Encryption, Integrity and Diffie-Hellman. Select one or more algorithms, or None, for ESP Encryption and Integrity. When finished, click Save.
Whatever is checked here is what any client may negotiate down to: leaving null, DES or MD5 checked lets a misconfigured client connect with little or no protection, so check only the algorithms you intend clients to use.
Step 4 Select the Enable SSH check box.
Step 5 Click Save to save the modification. The 700wl Series system is now ready for SSH clients.
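The two IPSec screens in this guide, the client's proposal in the SafeNet SoftRemote editor (snippet 6) and the server's algorithm check boxes on the Wireless Data Privacy page (above), have to agree, and the server side decides how weak a client may go. The following added example (mine, not HP's or SafeNet's code) checks one client proposal against a server selection, reports whether it would negotiate and on what, and derives a tightened server selection with the weak boxes cleared. The algorithm names are the page's; the Diffie-Hellman group numbers, the permissive server selection and the client's Phase 1 values are assumptions constructed for the example.

```python
"""Check an IPSec client proposal against the algorithm boxes checked on the
700wl Wireless Data Privacy page.  Added example, not HP's or SafeNet's code.
The server selection and client proposal below are constructed; the algorithm
names are those shown on the page (DES, 3DES, AES, Blowfish, CAST, SHA1, MD5,
null) and the Diffie-Hellman group numbers are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Choices a reviewer should not leave checked: 56-bit DES, MD5, no protection
# at all ("null"), and the 768-bit MODP group 1.
WEAK_ENCRYPTION = {"DES", "null"}
WEAK_INTEGRITY = {"MD5", "null"}
WEAK_DH_GROUPS = {1}


@dataclass
class ServerPolicy:
    """One check-box group per attribute, as on the Wireless Data Privacy page."""
    ike_encryption: Set[str]
    ike_integrity: Set[str]
    ike_dh_groups: Set[int]
    esp_encryption: Set[str]
    esp_integrity: Set[str]
    encapsulation: Set[str] = field(default_factory=lambda: {"ESP"})  # 700wl: ESP only, no AH


@dataclass(frozen=True)
class ClientProposal:
    """What a client such as SoftRemote or SSH Sentinel offers for one connection."""
    ike_encryption: str
    ike_integrity: str
    ike_dh_group: int
    esp_encryption: str
    esp_integrity: str
    encapsulation: str = "ESP"


def check_proposal(server: ServerPolicy, client: ClientProposal) -> Dict[str, List[str]]:
    """errors: the negotiation cannot succeed; warnings: it succeeds on a weak choice."""
    errors: List[str] = []
    warnings: List[str] = []
    checks = [
        ("encapsulation", client.encapsulation, server.encapsulation, set()),
        ("IKE encryption", client.ike_encryption, server.ike_encryption, WEAK_ENCRYPTION),
        ("IKE integrity", client.ike_integrity, server.ike_integrity, WEAK_INTEGRITY),
        ("IKE DH group", client.ike_dh_group, server.ike_dh_groups, WEAK_DH_GROUPS),
        ("ESP encryption", client.esp_encryption, server.esp_encryption, WEAK_ENCRYPTION),
        ("ESP integrity", client.esp_integrity, server.esp_integrity, WEAK_INTEGRITY),
    ]
    for name, chosen, allowed, weak in checks:
        if chosen not in allowed:
            errors.append(f"{name}: client offers {chosen}, server allows {sorted(allowed, key=str)}")
        elif chosen in weak:
            warnings.append(f"{name}: {chosen} is accepted but weak; uncheck it on the server "
                            "and pick a stronger algorithm on the client")
    return {"errors": errors, "warnings": warnings}


def tighten(server: ServerPolicy) -> ServerPolicy:
    """Copy of the server policy with every weak box unchecked; refuses to empty a group."""
    tightened = ServerPolicy(
        ike_encryption=server.ike_encryption - WEAK_ENCRYPTION,
        ike_integrity=server.ike_integrity - WEAK_INTEGRITY,
        ike_dh_groups=server.ike_dh_groups - WEAK_DH_GROUPS,
        esp_encryption=server.esp_encryption - WEAK_ENCRYPTION,
        esp_integrity=server.esp_integrity - WEAK_INTEGRITY,
        encapsulation=set(server.encapsulation),
    )
    for group in ("ike_encryption", "ike_integrity", "ike_dh_groups", "esp_encryption", "esp_integrity"):
        if not getattr(tightened, group):
            raise ValueError(f"{group}: nothing strong is checked; enable 3DES/AES, SHA1 or group 2/5 first")
    return tightened


# Constructed "everything checked" server selection, with assumed DH groups 1, 2 and 5.
PERMISSIVE_SERVER = ServerPolicy(
    ike_encryption={"DES", "3DES", "Blowfish", "CAST"},
    ike_integrity={"SHA1", "MD5"},
    ike_dh_groups={1, 2, 5},
    esp_encryption={"DES", "3DES", "AES", "Blowfish", "CAST", "null"},
    esp_integrity={"SHA1", "MD5", "null"},
)

# Constructed to match the SoftRemote screen (ESP, DES, SHA-1); Phase 1 values are assumed.
SOFTREMOTE_LIKE = ClientProposal("3DES", "SHA1", 2, "DES", "SHA1", "ESP")

if __name__ == "__main__":
    print(check_proposal(PERMISSIVE_SERVER, SOFTREMOTE_LIKE))
    print(check_proposal(tighten(PERMISSIVE_SERVER), SOFTREMOTE_LIKE))
```

Against the permissive selection the SoftRemote-style proposal connects, with a warning that ESP is running on DES; against the tightened selection the same proposal fails to negotiate, which is the right outcome until the client is moved to 3DES or AES.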
9. Index (continued)
public key cryptography, 1-4
S
Secure Shell, 1-4
SSH: client configuration, 3-79; configuration, 2-14; configure per Access Policy, 2-14; enable globally, 2-16; overview, 1-4; PuTTY client for Windows, 3-79
V
Virtual Private Network, 1-2
VPN Overview, 1-2
W
warranty, 1-ii
Windows: L2TP client for Windows 2000, 3-61; L2TP client for Windows XP, 3-51; L2TP over IPSec setup scripts, 4-1; PPTP client for Windows 2000/NT, 3-36; PPTP client for Windows 98/95/ME, 3-45; PPTP client for Windows XP, 3-27; PuTTY client for SSH, 3-79; SafeNet SoftRemote client for IPSec, 3-1; SSH Sentinel client for IPSec, 3-7
Copyright 2003 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. June 2004. Manual Part Number 5990-8810.
10. [Figure 2-2 (continued): Access Policies page. Traffic filter names visible include DHCP, DNS (TCP 53), DNS (UDP 53), SOCKS, CS to AM Logon redirect, CS to AM Stop redirect, external CS UI, internal admin UI, internal HTTP, internal IS UI, internal rights UI, Kerberos, SMB (TCP 139) and SMB (UDP). Sidebar: "Allowed Traffic filters identify packets that can be passed to their destination. Redirected Traffic filters identify packets to be redirected to a different destination. Grid views show Access Policies and Traffic Filters in a single view." Button: New Access Policy.]
Step 5 Click the Access Policy you wish to configure for Wireless Data Privacy. You can click the Access Policy name or the edit (pencil) button on the same row of the table. The Edit Access Policy page appears, as shown in Figure 2-3. Suppose you want to configure the Authenticated Access Policy to support IPSec; note that no encryption is currently configured for that Access Policy.
[Figure 2-3: Encryption settings for the Authenticated Access Policy (Username admin, Integrated Access Manager 192.168.10.116, Date & Time Thu Feb 12 18:26:21 2004). Navigation: STATUS, RIGHTS, NETWORK, LOGOUT. Sidebar: "You can change an Access Policy's name and its properties, found under tabbed headings, as follows: under Settings, set properties related to IP addressing, 802.1q VLAN tag usage, encryption requirements an..."]
11. [Figure (continued): Edit Access Policy, Settings tab. Tabs: Allowed Traffic, Redirected Traffic, HTTP Proxy, Bandwidth, Timeout. "Configure NAT policy, IP addressing and encryption requirements for this Access Policy in the fields below. See Help for details." Fields: Network Address Translation: Always (modifying NAT settings may cause incorrect behavior; see Help); IP Addressing: Require DHCP; VLAN Identifier: Remove any pre-existing tag / Use client tag / Apply this VLAN; Encryption: Disabled; Encryption Protocols: IPSec (Settings), L2TP+IPSec (may force IP addresses to be NATed; see Help), PPTP (may force IP addresses to be NATed; see Help), SSH; MPPE: Stateless (PPTP only); Key Length: 40 bits (PPTP only); Authentication for PPTP or L2TP: Authentication Method: Use Associated Authentication Policy (the Authentication Policy will be the policy associated with the Connection Profile; see Help).]
Sidebar help on that page: Under Allowed Traffic, select the Allowed Traffic Filters for this policy; these are processed after the Redirected Traffic Filters. Under Redirected Traffic, select the Redirected Traffic Filters for this policy; these are processed before the Allowed Traffic Filters. Under HTTP Proxy, enable automatic HTTP proxy filtering and select proxy filters. Under Bandwidth, set upstream and downstream bandwidth limits. Under Timeout, specify the Linger and reauthentication timeouts. When finished, click Save. Changes take effect automatically at the next update of users' rights assignments. Save As Copy saves without replacing the original.
12. Click the Access Policies tab to access the Rights Manager's Access Policies page.
[Figure 2-2: Access Policies page (Username admin, Access Control Server 192.168.10.116, Date & Time Thu Feb 5 17:10:42 2004). Navigation: STATUS, RIGHTS, NETWORK. Left menu: Access Policies, Allowed Traffic Filters, Redirected Traffic Filters, HTTP Proxy Filters, DNS Filters, WINS Filters. The table has columns Access Policy, Allowed Traffic (grid) and Redirected Traffic (grid); the rows are Authenticated (All IP traffic; AM Logon page shortcut; CS to AM Logon redirect), Guest Access, Network Equipment, No Access and Unauthenticated. Filter names appearing in the table include AM HTTPS Logon page, AM HTTP Logon redirect, All HTTPS Logon redirect, AM Logon fwd (append URI), AM Logon fwd (no URI), AM SSL Stop page, AM Stop page, AM No SSL web, AM No web, BlackHole, DHCP, DNS (TCP 53), DNS (UDP 53), external rights UI, internal rights UI, internal admin UI, SSL internal UI, internal IS UI, CS to AM Logon redirect and CS to AM Stop redirect. Sidebar: "Access Policies include traffic filters and other settings that regulate how a user can interact with your network."]
13. [Figure: Microsoft IPSec VPN Configuration Utility. "The settings below will affect all L2TP/IPSec connections from your computer." Options: Automatically select a certificate for IPSec authentication; Use a specific certificate for IPSec authentication (Select Certificate button); Use a pre-shared key for IPSec authentication ("Type or paste a pre-shared key in the text box below"); check box Enable IPSec Logging; OK, Cancel.]
SSH Client Configuration
There are many Windows-based SSH client programs available for download on the Internet. One popular free one is PuTTY, which can be obtained from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. This section describes how to configure a computer running Microsoft Windows as an SSH client using PuTTY.
PuTTY for Windows
The following procedure is based on a Windows XP client. You may follow the same procedure for configuring the software on other Windows platforms.
Step 1 Start putty.exe from the location where you stored the downloaded file.
[Figure 3-112: The PuTTY desktop icon (putty.exe).]
Step 2 The PuTTY Configuration window appears.
[Figure 3-113: The PuTTY Configuration window. Category tree: Session (Basic options for your PuTTY session: "Specify your connection by host name or IP address"), Logging, Terminal ...]
14. ... "Enter the PIN associated with this profile. If you enter the incorrect PIN or click Cancel, the installation will be cancelled."
Step 5 A new Network Connection shortcut, "Shortcut to my L2TP", is created on the desktop.
[Figure 4-7: Desktop shortcut "Shortcut to my L2TP".]
Step 6 Double-click the Shortcut to My L2TP icon. The L2TP connection window appears.
Step 7 Enter the User name and Password in the appropriate text boxes. You may select the Save password and/or Connect automatically options by clicking the appropriate check boxes.
[Figure 4-8: Sign-on window. Check boxes: Save password; Connect automatically; "Save these credentials for my use only" / "Allow anyone to use these credentials". Connection status: "Click Connect to begin connecting."]
Note that Save password stores the credential on the client, and Allow anyone to use these credentials makes it available to every local account on that machine; on a shared computer leave both unselected.
Step 8 (Optional) Click Properties to modify the number of Redial attempts and the minutes of Idle time before disconnecting. You may click View Log to display the connection's log. The Advanced tab is used to enable packet filtering for this connection. Click OK to save the settings.
[Figure 4-9: L2TP Properties window, Options tab.]
15. Step 9 Click Connect to make the VPN connection to the 700wl Series system.
Step 10 Once the connection is made, a new connection icon appears in the notification tray in the lower right corner of your desktop. You may click the icon to view the connection status.
[Figure 4-10: L2TP Status window, General tab ("My L2TP Status").]
[Figure 4-11: L2TP Status window, Details tab. Device Name: WAN Miniport (L2TP); Device Type: vpn; Server type: PPP; Transports: TCP/IP; Authentication: MS CHAP V2; IPSEC Encryption: IPSec, ESP 3DES; Compression: (none); PPP multilink framing; Server IP address: 192.168.2.148; Client IP address: 42.65.76.67.]
Note: Both the PIN and the IPSec shared secret are embedded in the CMAK package. The only way to change either is to rebuild the package; see How to Rebuild a CMAK Package. Because the package carries the shared secret to every user who installs it, treat that secret as known to anyone who has had a copy of the package, and plan a rebuild and redistribution whenever a copy may have been exposed.
How to Rebuild a CMAK Package
Step 1 Start the CMAK Wizard: Start > Run, enter cmak in the Open text box and click OK. The Welcome window of the CMAK Wizard appears. Click Next >.
[Figure 4-12: Connection Manager Administration Kit Wizard.]
16. [Figure: New Connection dialog, "Select a device": Microsoft L2TP/IPSec VPN Adapter 1; buttons < Back, Next >, Cancel.]
Step 4 Under Entry Name, enter the name you wish to give this connection.
Step 5 In the Phone number field, enter the destination IP address. In this example the internal address 42.0.0.1 of the 700wl Series unit (either Access Controller or Integrated Access Manager) is used.
Step 6 Select MRASL2TPM (VPN2) from the drop-down list of devices in the Dial using field and click Configure. The Microsoft IPSec VPN Configuration Utility window appears (Figure 3-97).
[Figure 3-97: Microsoft IPSec VPN Configuration Utility window. "The settings below will affect all L2TP/IPSec connections from your computer." Options: Automatically select a certificate for IPSec authentication; Use a specific certificate for IPSec authentication (Select Certificate button); Use a pre-shared key for IPSec authentication ("Type or paste a pre-shared key in the text box below"); check box Enable IPSec Logging; OK, Cancel.]
Step 7 Select the radio button for either Use a specific certificate for IPSec authentication or Use a pre-shared key for IPSec authentication.
- If you select Use a specific certificate for IPSec authentication, the Select Certificate button becomes active. Click Select Certificate and enter the certificate informa
17. [Figure (continued): PPTP connection status. Activity: Bytes sent 57,795, received 554,385; Compression 0%; Errors 0. "My Workplace via PPTP Status", Details tab: Device Name: WAN Miniport (PPTP); Device Type: vpn; Server type: PPP; Transports: TCP/IP; Authentication: MS CHAP V2; Encryption: MPPE 128; Compression: (none); PPP multilink framing: Off; Server IP address: 192.168.2.17; Client IP address: 192.168.2.112.]
Notice that your system is now connected to the server via the VPN device using the PPTP protocol with a 128-bit session key and MS-CHAP v2 authentication.
Windows 2000/NT Clients
This section describes the procedure for configuring a PPTP connection on Windows 2000/NT. The procedure is based on a Windows 2000 client; you may follow a similar procedure to configure PPTP on Windows NT RAS.
Step 1 Open the Network and Dial-up Connections window: click Start, point to Programs, Accessories and Communications in turn, and click Network and Dial-up Connections on the Communications menu. The Network and Dial-up Connections window appears.
Step 2 Double-click the Make New Connection icon. The Network Connection Wizard window appears (Figure 3-44).
[Figure 3-44: Network Connection Wizard, "Welcome to the Network Connection Wizard. Using th..."]
18. ... Settings button.
[Figure 3-89: Virtual Private Connection window, Security tab (tabs General, Options, Security, Networking, Sharing). Security options: "Typical (recommended settings)" or "Advanced (custom settings)"; note "Using these settings requires a knowledge of security protocols"; Settings button.]
The Advanced Security Settings window appears.
Step 12 Make sure that Microsoft CHAP (MS-CHAP) is not selected. Note that this protocol is selected by default; you must deselect it so that only MS-CHAP v2 is used. If an external LDAP server is used for user authentication with PAP (an option in the Location properties), make sure that only Unencrypted password (PAP) is selected.
Step 13 Pull down the Data encryption menu and select Maximum strength encryption (disconnect if server declines). This sets the length of the encryption key to 128 bits. If an external LDAP server is used for user authentication with PAP, select Optional encryption (connect even if no encryption) from the Data encryption menu.
PAP sends the password in the clear inside PPP, and Optional encryption allows the PPP session to run without MPPE; both are tolerable here only because the L2TP session runs inside the IPSec tunnel, which encrypts the whole PPP exchange. Do not carry these two settings over to a PPTP connection, which has no IPSec layer.
[Figure 3-90: Advanced Security Settings window. Data encryption: Require encryption (disconnect if server declines); No encryption allowed (server will ...]
19. [Figure (continued): Networking tab. Description: "Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks."]
Step 11 Click the Security tab to customize the security protocols. Select Advanced (custom settings) and click Settings. The Advanced Security Settings window appears.
Step 12 Make sure that Microsoft CHAP (MS-CHAP) is not selected. Note that this protocol is selected by default; you must deselect it so that only MS-CHAP v2 is used.
Step 13 Pull down the Data encryption menu and select Maximum strength encryption (disconnect if server declines). This sets the length of the encryption key to 128 bits.
Step 14 Click OK to return to the connection's properties window.
MS-CHAP v1 and 40-bit MPPE are the weak points of PPTP, and these two steps (MS-CHAP v2 only, 128-bit keys) are the strongest configuration the protocol offers. The Edit Access Policy page on the 700wl has a matching PPTP Key Length setting; with "disconnect if server declines" selected, the client refuses to connect if the Access Policy only allows 40-bit keys.
[Figure 3-40: Advanced Security Settings window. Data encryption: Require encryption (disconnect if server declines); No encryption allowed (server will disconnect if it requires encryption); Optional encryption (connect even if no encryption); Maximum strength encryption (disconnect if server declines). Allow these protocols: Unencrypted password (PAP); Shiva Password Authentication Protocol (SPAP); Challenge Handshake Authentication Protocol (CHAP); Microsoft CHAP (MS-CHAP); Allow older MS-CHAP ...]
20. [Figure (continued): Edit Access Policy, Settings tab. Encryption Protocols: IPSec; L2TP+IPSec (may force IP addresses to be NATed; see Help); PPTP (may force IP addresses to be NATed; see Help); SSH. MPPE: Stateless (PPTP only); Key Length: 40 bits (PPTP only). Authentication for PPTP or L2TP: Authentication Method: Use Associated Authentication Policy (the Authentication Policy will be the policy associated with the Connection Profile; see Help) or Use shared secret, with Confirm field (MSCHAP v2 only); check box Allow PAP for L2TP. Buttons: Save, Save As Copy, Cancel. Sidebar: "Under Timeout, specify the Linger and reauthentication timeouts. When finished, click Save. Changes take effect automatically at the next update of users' rights assignments. Save As Copy saves without replacing the original."]
Suppose you want to configure an existing Access Policy (location) named Authenticated to support L2TP+IPSec encryption. Note that no encryption is currently configured for that Access Policy.
Step 6 From the Encryption drop-down box, choose one of the following options:
- If encryption is required for all clients connecting through this Access Policy, select Required.
- Allowed but not required admits unencrypted as well as encrypted clients through this Access Policy. This setting is recommended for Access Policies used for unknown clients, such as the Unauthenticated Access Po
21. ... an icon representing the new connection appears in the Network Connections window under the Virtual Private Network section. At the same time the Sign-on window should appear on the screen; if it does not, double-click the new connection icon.
[Figure 3-73: Sign-on window, "Connect My Workplace via L2TP": User name, Password, "Save this user name and password for the following users".]
Step 9 You need to customize the properties of your connection to use L2TP/IPSec and match the settings of the 700wl Series unit. Click Properties to open the connection's properties window.
Step 10 Click the Networking tab to specify the type of VPN. Pull down the Type of VPN menu and select L2TP IPSec VPN. Make sure that Internet Protocol (TCP/IP) is selected. Selecting L2TP IPSec VPN explicitly, rather than Automatic, prevents the client from falling back to PPTP when the L2TP attempt fails.
[Figure 3-74: L2TP Properties window, Networking tab (tabs General, Options, Security, Networking, Advanced). Type of VPN: Automatic / PPTP VPN / L2TP IPSec VPN. "This connection uses the following items": Internet Protocol (TCP/IP); File and Printer Sharing for Microsoft Networks; Deterministic Network Enhancer; Client for Microsoft Networks. Description: "Transmission Control Protocol/Internet Protocol. The default wide ar..."]
22. [Figure 3-90 (continued): Advanced Security Settings. Data encryption: ... (server will disconnect if it requires encryption); Optional encryption (connect even if no encryption); Require encryption (disconnect if server declines); Maximum strength encryption (disconnect if server declines). Allow these protocols: Unencrypted password (PAP); Shiva Password Authentication Protocol (SPAP); Challenge Handshake Authentication Protocol (CHAP); Microsoft CHAP (MS-CHAP); Allow older MS-CHAP version for Windows 95 servers; Microsoft CHAP Version 2 (MS-CHAP v2), selected. "For MS-CHAP based protocols, automatically use my Windows logon name and password (and domain if any)". OK, Cancel.]
Step 14 Click OK to return to the connection's properties window.
Step 15 Click OK to return to the Sign-on window. Before starting the VPN connection, make sure that your system has established the network connection with the server and that the server has assigned an IP address to your system.
Step 16 Enter your username and password in the appropriate boxes and click Connect to connect to the server. You may choose to save the username and password for future use before clicking Connect.
[Figure 3-91: Sign-on window, "Connect My Workplace via L2TP".]
After the connection is made, the connection icon appears in the notification area in the lower right corner of the screen, as shown below.
[Figure 3-92: Connection icon.]
You may double-click the icon to display the st
23. ... in the Value field. Click Apply.
[Figure 4-19: Connection Manager Administration Kit Wizard, Advanced Customization window. "You can modify files that are included in this profile. Select a file and a section of the file, and then select the key that you want to modify. Type a new value and then click Apply." File name: L2TP.cms; Section name: Connection Manager; Key name: Dialup.]
b. Select Networking&Default L2TP Tunnel from the Section name menu. Select VpnStrategy from the Key name menu. Enter 3 in the Value field. Click Apply and then click Next >.
[Figure 4-20: Advanced Customization window with File name L2TP.cms, Section name Networking&Default L2TP Tunnel, Key name VpnStrategy.]
This will build your files.
[Figure 4-21: Connection Manager Administration Kit Wizard, completion window ("Completing the Con...").]
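The VpnStrategy edit above is easy to lose when a profile is rebuilt, and a profile that is allowed to fall back to PPTP silently loses the IPSec layer every other section of this guide relies on. The following added example (mine, not Microsoft's or HP's code) reads a CMAK profile's .cms text, reports the current strategy and forces the L2TP-only value the guide specifies, leaving every other line untouched. The section and key names and the value 3 are the ones in the step above; the sample .cms text is constructed, and the meanings given for the other values are my understanding of the RAS phonebook convention, not something the guide states.

```python
"""Force an L2TP-only VPN strategy (VpnStrategy=3) in a CMAK profile's .cms file.

Added example, not Microsoft's or HP's code.  The section name, key name and
value are those the guide's step uses; SAMPLE_CMS is constructed.  The names
given to the other strategy values are an assumption about the RAS phonebook
convention and are not stated by the guide.
"""
from typing import Dict, Optional, Tuple

SECTION = "Networking&Default L2TP Tunnel"
KEY = "VpnStrategy"
L2TP_ONLY = "3"
STRATEGY_NAMES = {"1": "PPTP only", "2": "PPTP first, then L2TP",      # assumed meanings
                  "3": "L2TP only", "4": "L2TP first, then PPTP"}


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI reader: {section (lower-cased): {key (lower-cased): value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = sections.setdefault("", {})
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith((";", "#")):
            continue
        if s.startswith("[") and s.endswith("]"):
            current = sections.setdefault(s[1:-1].lower(), {})
        elif "=" in s:
            k, v = s.split("=", 1)
            current[k.strip().lower()] = v.strip()
    return sections


def get_key(text: str, section: str, key: str) -> Optional[str]:
    return parse_ini(text).get(section.lower(), {}).get(key.lower())


def set_key(text: str, section: str, key: str, value: str) -> str:
    """Rewrite one key in place, keeping every other line as it was; creates the
    key (and the section, if absent) when needed."""
    out, in_target, done = [], False, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if in_target and not done:          # leaving the section without seeing the key
                out.append(f"{key}={value}")
                done = True
            in_target = s[1:-1].lower() == section.lower()
        elif in_target and not done and "=" in s and s.split("=", 1)[0].strip().lower() == key.lower():
            out.append(f"{key}={value}")
            done = True
            continue
        out.append(line)
    if not done:
        if not in_target:
            out.append(f"[{section}]")
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def force_l2tp_only(cms_text: str) -> Tuple[str, Optional[str]]:
    """Return (new text, previous VpnStrategy value or None if it was unset)."""
    previous = get_key(cms_text, SECTION, KEY)
    if previous == L2TP_ONLY:
        return cms_text, previous
    return set_key(cms_text, SECTION, KEY, L2TP_ONLY), previous


def describe(value: Optional[str]) -> str:
    return "unset" if value is None else STRATEGY_NAMES.get(value, f"unknown ({value})")


# Constructed sample: a profile that would try PPTP before L2TP.
SAMPLE_CMS = """[Connection Manager]
Dialup=0
ServiceName=My L2TP

[Networking&Default L2TP Tunnel]
VpnStrategy=2
"""

if __name__ == "__main__":
    new_text, previous = force_l2tp_only(SAMPLE_CMS)
    print(f"VpnStrategy was {describe(previous)}; now {describe(get_key(new_text, SECTION, KEY))}")
```

Run it against the .cms in a built profile directory before the package is distributed, and again after any rebuild, since the wizard regenerates the file.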
24. Wireless Data Privacy in the 700wl Series System
The 700wl Series system is used to enhance the security and availability of client connections at the edge of the network. The connections can be made from both wired and wireless networks. The client must be authenticated by the 700wl Series system before he or she can gain access to the network. The client connection can be secured through a Virtual Private Network (VPN) established between the client system and the 700wl Series system.
This document describes how to configure the HP Integrated Access Manager to support client connections via IPSec, PPTP (Point-to-Point Tunneling Protocol), L2TP/IPSec (Layer 2 Tunnel Protocol over IPSec) and SSH. It also describes how to configure the client system to use an IPSec, PPTP or L2TP/IPSec client for its VPN connection. The client configuration procedures are described for Windows XP, Windows 2000, Windows Me, Windows 98 and Apple Mac OS. The configuration procedures described in this document also apply to a system using a combination of an HP Access Control Server and Access Controller instead of an HP Integrated Access Manager.
IPSec
IPSec is a protocol suite that provides security services at the IP layer. IPSec enables a system to select required security prot
...s rights on a per-user basis by clicking each individual user's link in the Clients table, or by clicking the refresh icon on the right of each row in the table.

Note: If you allow or require SSH in some of your Access Policies, you must configure the Unauthenticated (or equivalent) Access Policy to allow SSH as well, since most VPN clients are enabled before they can log on. See "Configuring Rights" in the 700wl Series system Management and Configuration Guide for a detailed explanation of the logon process and Access Policies.

Enabling SSH

Enabling SSH in the Wireless Data Privacy settings is a global setting that affects the entire 700wl Series system. To enable SSH, do the following:

Step 1. To access the Administrative Interface from the network, set your browser to the IP address or hostname of the Integrated Access Manager or Access Control Server.

Step 2. Enter the administrator username and password in the appropriate fields, and then click the Login button. The Equipment Status page is displayed (see Figure 2-1 on page 2-2).

Step 3. Click the VPN icon in the Navigation Toolbar. The Wireless Data Privacy setup page appears, as shown in Figure 2-10.

[Figure 2-10: Wireless Data Privacy setup page (Username: admin; Access Control Server 192.168.10.116; Date/Time: Tue Feb 10 12:28:05 2004). Toolbar: STATUS, RIGHTS, NETWORK ...]
Configuration Overview

There are two parts to the configuration procedure for each security protocol. First, configure the security protocol for each Access Policy as appropriate by editing the Access Policies under the Rights icon in the Administrative Console of your Integrated Access Manager or Access Control Server. The other is to globally enable the Wireless Data Privacy protocols through the VPN icon in the Administrative Console.

To access the Administrative Console, point your browser to the IP address or host name of the Access Control Server or Integrated Access Manager you want to access.

For all examples in this document, the HP ProCurve Secure Access 700wl Series Built-in Authentication Service is assumed as the method used to authenticate users.

Note: If you allow or require encryption for any of your Access Policies, you must also configure the same security policy for the Unauthenticated Access Policy, or for any customized Access Policies you use for unknown clients. Normally, when an unknown client first connects to the 700wl Series system, before it authenticates, it receives logon rights based on the Unauthenticated Access Policy. If this Access Policy does not allow any encryption protocols, clients that use those protocols will not be able to connect. The Unauthenticated Access Policy must allow any protocol that might be allowed or required by any other Access Policy.

IPSec Config
...the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.

Warranty

See the Customer Support/Warranty booklet included with the product. A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.

CONTENTS

Preface
  Audience
  How To Use This Document
  Document Conventions
  Organization  vi
Chapter 1  Overview of Security Protocols  1-1
  Wireless Data Privacy in the 700wl Series System  1-1
  IPSec  1-1
  PPTP  1-2
  L2TP over IPSec  1-2
  IPSec vs. L2TP/IPSec  1-3
  L2TP vs. PPTP  1-3
  SSH  1-4
Chapter 2  700wl Series System Configuration  2-1
  Configuration Overview  2-1
  IPSec Configuration  2-2
    Configuring an Access Policy for IPSec  2-2
    Enabling IPSec  2-5
  PPTP Configuration  2-7
    Configuring the Rights Manager for PPTP  2-7
    Enabling PPTP  2-9
  L2TP/IPSec Configuration  2-10
    Configuring an Access Policy for L2TP/IPSec  2-10
    Enabling L2TP/IPSec  2-13
  SSH Configuration  2-14
    Configuring an Access Policy for SSH  2-14
    Enabling SSH  2-16
...you to important information.

Table i-2  Notices
  Icon   Notice Type   Alerts you to
  None   Note          Helpful suggestions, or information that is of special importance in certain situations
  None   Caution       Risk of loss of system functionality or loss of data
         Warning       Risk of personal injury, system damage, or irrecoverable loss of data

Organization

This document is organized as follows:

Chapter 1, Overview of Security Protocols. This chapter provides an overview of the security protocols that can be used with the 700wl Series system.

Chapter 2, 700wl Series System Configuration. This chapter describes the configuration of the HP ProCurve Secure Access 700wl Series VPN and Wireless Data Privacy setup.

Chapter 3, Client Configuration. This chapter describes client security configuration.

Chapter 4, Scripts for L2TP/IPSec on Windows 2000 or XP. This chapter describes the use of scripts to set up L2TP/IPSec connections on Windows systems.

OVERVIEW OF SECURITY PROTOCOLS

This chapter provides an overview of security protocols. It consists of the following sections:

  Wireless Data Privacy in the 700wl Series System  1-1
  IPSec  1-1
  PPTP  1-2
  L2TP over IPSec
...2. You may follow the same procedures for configuring the software on different Mac OS 9.x versions.

Step 1. After the installation and system restart, PGPnet is started automatically. Click the PGPnet icon on the upper right corner of the desktop (left of Finder), and then select PGPnet. The PGPnet window appears.

[Figure 3-17: PGPnet window, Status tab. Columns: Sent, Rcvd; buttons: Properties, Remove; status line: "PGPnet is active".]

Step 2. Select the VPN tab, and then click the Add button. The Host/Gateway window appears.

Step 3. Set up the VPN gateway by entering the desired name and IP address in the appropriate text boxes. Pull down the menu below IP Address, and then select VPN Gateway. Next, select Require manual connection from the Connection Options. If the button in the Shared Secret section shows Set Shared Passphrase, you must click the button to set up the pre-shared key. On the other hand, if the button shows Clear Shared Passphrase but you are not sure that the passphrase is set up correctly, you may click the button to clear the previous setting and then set up a new one. Click OK when you are done.

[Figure 3-18: Host/Gateway window. Name: VPN gateway 1; Type: VPN Gateway; Connection Options: Connect automatically / Require manual connection ...]
Chapter 3  Client Configuration  3-1
  IPSec Client Configuration  3-1
    SafeNet SoftRemote for Windows  3-1
    SSH Sentinel for Windows  3-7
    PGPnet for Mac OS 9.x  3-13
    VPN Tracker for Mac OS X  3-20
  PPTP Client Configuration  3-27
    Windows XP Clients  3-27
    Windows 2000/NT Clients  3-36
    Windows 98/95/ME Clients  3-45
  L2TP/IPSec Client Configuration  3-51
    Windows XP Clients  3-51
    Windows 2000 Clients  3-61
    Windows NT Clients  3-71
    Windows 98 Clients  3-74
  SSH Client Configuration  3-79
    PuTTY for Windows  3-79
Chapter 4  Scripts for L2TP/IPSec on Windows 2000 or XP  4-1
  Scripts Overview  4-1
  What's in the Package  4-1
  Setting up Windows 2000  4-2
  Setting up Windows XP  4-5
  How to Rebuild a CMAK Package  4-8
References  Ref-1
Index  IX-1

PREFACE

This preface describes the audience, use, and organization of the Wireless Data Privacy Guide. It also outlines the document conventions, safety advisories, compliance information, related documentation, support information, and revision history.

Audience

The primary audience for this document is network administrators who want to enable their network users to communicate using the HP ProCurve Secure Access 700wl Series. This document is intended for authorized personnel who have previous experience working with network telecommunications syst
700wl Series System Configuration

Enabling L2TP/IPSec

Enabling L2TP/IPSec in the Wireless Data Privacy settings is a global setting; it only needs to be done once for the entire 700wl Series system. Since this security protocol is L2TP over IPSec, you are required to enable not only L2TP but also IPSec. Do the following to enable L2TP/IPSec:

Step 1. To access the Administrative Interface from the network, set your browser to the IP address or hostname of the Integrated Access Manager or Access Control Server.

Step 2. You are prompted for the Administrator username and password. Type the username and password in the appropriate text boxes, and then click the Logon button. The Equipment Status page is displayed (see Figure 2-1 on page 2-2).

Step 3. Click the VPN icon in the Navigation Toolbar. The Wireless Data Privacy setup page appears, as shown in Figure 2-8.

[Figure 2-8: Wireless Data Privacy setup page (Username: admin; Access Control Server 192.168.10.116; Date/Time: Tue Feb 10 12:28:05 2004). Toolbar: STATUS, RIGHTS, NETWORK, HELP, LOGOUT. Global Wireless Data Privacy Configuration, Encryption Protocol: Enable IPSec; Enable L2TP/IPSec (requires IPSec); Enable PPTP; Enable SSH. "Settings on this page affect the Wireless Data Privacy settings on all connected Access Controllers." Wireless Data Privacy Configuration for IPSec follows.]
...Automatic Proxy Configuration window appears. Click Next >.

Note: If proxy support is required, you must create a PAC file that contains the proxy information. However, this is beyond the scope of this document, and the detailed information is not provided.

Step 16. The Custom Actions window appears. Click Next >.

Step 17. The Logon Bitmap window appears. Click Next >.

Step 18. The Phone Book Bitmap window appears. Click Next >.

Step 19. The Icons window appears. Click Next >.

Step 20. The Notification Area Shortcut Menu window appears. Click Next >.

Step 21. The Help File window appears. Click Next >.

Step 22. The Support Information window appears. Click Next >.

Step 23. The Connection Manager Software window appears. Click Next >.

Step 24. The License Agreement window appears. Click Next >.

Step 25. The Additional Files window appears. Click Next >.

Step 26. The Ready to Build the Service Profile window appears. Select Advanced customization. Click Next >.

Step 27. The Advanced Customization window appears.

[Figure 4-18: Advanced Customization window, Connection Manager Administration Kit Wizard.]

Make the following modifications (click Apply after each change):

a. Select Connection Manager from the Section name menu. Select Dialup from the Key name menu. Enter 0
...Editor (SafeNet SoftRemote) Window, My Identity Panel

[Figure (continued): Security Policy Editor, SafeNet SoftRemote. Menu: File, Edit, Options, Help. Network Security Policy: All Connections; My Identity. Select Certificate: None; Pre-Shared Key button; ID Type: IP Address; Port: All; Virtual Adapter: Disabled; Internet Interface: Name: Any, IP Addr: Any.]

Make sure that Select Certificate is set to None.

Step 5. Click the Pre-Shared Key button. The Pre-Shared Key window appears (Figure 3-4).

[Figure 3-4: Pre-Shared Key dialog. "Enter Pre-Shared Key (at least 8 characters). This key is used during Authentication Phase if the Authentication Method Proposal is Pre-Shared key."]

Step 6. Click the Enter Key button, and then enter the shared key in the text box. The key must be at least 8 characters long, and it must be the same key you entered when you configured IPSec in the 700wl Series system. Click OK.

Step 7. Expand Security Policy in the Network Security Policy panel. Also expand all items below Security Policy, including Authentication (Phase 1) and Key Exchange (Phase 2); see Figure 3-5. The Authentication Proposals correspond to the IKE configuration parameters set in the 700wl Series system (see "Enabling IPSec" on page 2-5).

Figure 3-5  Security Policy Edi
[Figure (continued): ...ersion for Windows; Microsoft CHAP Version 2 (MS-CHAP v2); "For MS-CHAP based protocols, automatically use my Windows logon name and password (and domain if any)".]

Step 15. Click OK to go back to the Sign-on window. Before starting the VPN connection, you must make sure your system has established the network connection with the server and the server has assigned an IP address to your system.

Step 16. Enter your username and password in the appropriate boxes, and then click the Connect button to connect to the server. You may choose to save this username and password for future use before clicking the Connect button.

[Figure 3-41: Sign-on window, "Connect My Workplace via PPTP". Fields: User name; Password; "Save this user name and password for the following users: Me only / Anyone who uses this computer".]

After the connection is made, the connection icon appears in the notification area on the lower right corner of the screen, as shown below.

[Figure 3-42: Connection icon.]

You may double-click the icon to display the status of the connection.

[Figure 3-43: Connection Status window, "My Workplace via PPTP Status", General and Details tabs. Connection: Status: Connected; Duration: 00:27:11; Activity ...]
...N tunnel.

L2TP vs. PPTP

PPTP and L2TP/IPSec both use PPP to initially encode the data. Each then adds additional information in headers for network transport. PPTP and L2TP/IPSec differ in the following ways:

- With PPTP, data encryption begins after the PPP connection and authentication completes. With L2TP/IPSec, data encryption begins before the PPP connection process, by negotiating an IPSec security association; this secures the authentication process.
- PPTP connections use MPPE, a stream cipher, while L2TP/IPSec connections use DES and other block cipher algorithms. Stream ciphers encrypt data as a bit stream; block ciphers encrypt data in discrete blocks.
- PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP/IPSec connections require user-level authentication and an additional computer-level authentication via digital certificates or a pre-shared key (shared secret).

Advantages of L2TP/IPSec over PPTP

L2TP/IPSec has the following advantages over PPTP:

- IPSec ESP provides per-packet data origin authentication (i.e., proof that the data was sent by the authorized user), data integrity (proof that the data was not modified in transit), replay protection (encrypted packets captured by a third party cannot be resent), and encryption. PPTP only provides per-packet data confidentiality.
- L2TP/IPSec connections provide stronger authentication by requiring both computer-level authe
...New Connection

Step 5. Enter the destination address in the Host name or IP address text box. In this case, the internal address 42.0.0.1 of the 700wl Series unit (either Access Controller or Integrated Access Manager) is used. Click Next >. A confirmation window appears (Figure 3-105). Click Finish to close the window.

[Figure 3-105: Make New Connection Wizard, Confirmation window.]

Step 6. Return to Dial-Up Networking and right-click the icon for the connection you have just created. Select Properties from the menu that appears. The properties window for your connection appears (Figure 3-106).

[Figure 3-106: Connection Properties window, "My Connection".]

Step 7. Click the Server Types tab. The Server Types settings appear (Figure 3-107).

Step 8. Make sure Log on to network is enabled and there is a check mark next to the TCP/IP network protocol.

[Figure 3-107: Connection Properties window, Server Types tab, "My Connection".]

Step 9. Click TCP/IP Settings. A TCP/IP Settings window appears (Figure 3-108).

[Figure 3-108: Connection Properties, TCP/IP Settings.]

Step 10. Make sure that Use default gateway on remote network is checked. Click OK. The Connection Properties windo
Step 10. Do the following:

- Enter 42.0.0.1 in the Gateway name field.
- Specify the Remote network (default is any: 0.0.0.0 / 0.0.0.0) that this computer will access through the VPN connection.
- Pull down the Authentication key menu, and then select the pre-shared key entry created in Step 6.

Step 11. Click Properties; the Rule Properties tab will appear.

[Figure 3-13: SSH Sentinel Policy Editor window, Rule Properties tab.]

Step 12. Click Settings under IPSec/IKE proposal. The Proposal Parameters window appears.

[Figure 3-14: SSH Sentinel Policy Editor, Proposal Parameters window. "Set the preferred value of each parameter of the IKE and IPSec proposal." IKE proposal: Encryption algorithm; Integrity function: MD5; IKE mode: main mode; IKE group: MODP 1024 (group 2). IPSec proposal: Encryption algorithm: AES (Rijndael); Integrity function: HMAC-MD5; IPSec mode: tunnel; PFS group: MODP 1024 (group 2). Option: Attach only the selected values to the proposal. Buttons: OK, Cancel.]

Step 13. Select the desired IKE proposal encryption algorithm (for example, 3DES) and click OK.

Note: You cannot use the default IKE proposal encryption algorithm, AES,
[Figure 3-18 (continued): Options: Acquire virtual identity; Exclusive Gateway. Authentication Type: Shared Secret. Remote Authentication: Any valid key / PGP Key / X.509 Certificate. Buttons: Cancel, OK.]

Based on the above settings, a new entry named VPN gateway 1 appears in the PGPnet panel. The following shows how to create a secured connection to the internal network with the address 192.168.0.0/16, using the VPN gateway created in Step 3.

Step 4. Highlight the entry you created in the previous step, and then click Add.

[Figure 3-19: PGPnet window, VPN panel. Entry: VPN gateway 1; buttons: Properties, Add, Connect; status line: "PGPnet is active".]

The Host/Gateway window appears.

Step 5. Enter the desired name and IP address in the appropriate text boxes. Pull down the menu below IP Address, and then select Subnet. The Host/Gateway window will be reduced to that shown below. Make sure that the Subnet Mask value is 255.255.0.0 (/16). Click OK.

[Figure 3-20: Host/Gateway window. Name: 192.168 network; IP Address: 192.168.0.0; Type: Subnet; Mask: 255.255.0.0.]

Note that, based on the above settings, all traffic going to this
[Figure: Edit Access Policy page (Username: admin; Integrated Access Manager 192.168.10.116; Date/Time: Thu Feb 12 18:26:21 2004). Rights tabs: Connect Profiles, Authentication Policies, Access Policies. Access Policy Name: Authenticated; tabs: Settings, Allowed Traffic, Redirected Traffic, HTTP Proxy, Bandwidth, Timeout. Settings tab ("Configure NAT policy, IP addressing and encryption requirements for this Access Policy in the fields below. See Help for details."): Network Address Translation: Always ("Modifying NAT settings may cause incorrect behavior. See Help."); IP Addressing: Require DHCP; VLAN Identifier: Use client tag / Apply this VLAN tag; Encryption: Disabled; Encryption Protocols: IPSEC, L2TP+IPSEC, PPTP ("May force IP addresses to be NATed. See Help."). Help text: "You can change an Access Policy's name and its properties found under tabbed headings as follows: Under Settings, set properties related to IP addressing, 802.1q VLAN tag usage, encryption requirements and others. Under Allowed Traffic, select the Allowed Traffic Filters for this policy; these are processed after Redirected Traffic Filters. Under Redirected Traffic, select the Redirected Traffic Filters for this policy; these are processed before Allowed Traffic. Under HTTP Proxy, enable automatic HTTP proxy filtering and select proxy filters. Under Bandwidth, set upstream and downstream bandwidth limits. Under Timeout, specify the Linger and ..."]
...Sec client and server. Three applications, namely SafeNet SoftRemote LT, PGPnet, and SSH Sentinel, are used as IPSec clients on Windows platforms. VPN Tracker is available for Mac OS X.

PPTP

Point-to-Point Tunneling Protocol (PPTP) is a network protocol used to secure Point-to-Point Protocol (PPP) connections by creating a Virtual Private Network (VPN) which tunnels traffic across a public TCP/IP network. The security of a VPN relies on the strength of the authentication and encryption protocols used. This document describes PPTP-based security only for the Microsoft implementation. Authentication protocols used in Microsoft PPTP include the Microsoft Challenge Reply Handshake Protocol (MS-CHAP) and its new version, MS-CHAPv2. The encryption protocol used in Microsoft PPTP is Microsoft Point-to-Point Encryption (MPPE). The minimum encryption key length for PPTP is 40 bits and the maximum is 128 bits. Configuration of both the PPTP client and server to use MS-CHAPv2 with the 128-bit encryption key length is described. PPTP is available on all Windows platforms and on Apple's Mac OS.

L2TP over IPSec

Layer 2 Tunneling Protocol (L2TP) is an extension of PPP, similar to PPTP described in the previous section. L2TP tunnels PPP traffic across a public network. L2TP inherits the authentication, encryption, and compression control protocols from PPP. It also includes support for tunnel authentication, which can be used to mutually authenticate the tunnel en
Step 5. The Create Pre-Shared Key window appears (Figure 3-10).

[Figure 3-10: Create Pre-Shared Key window. "Preshared Key Information. Create Pre-Shared Key: Type in the shared secret. Give the pre-shared key a name that is for your reference only. Type the shared secret twice to avoid typos. Use the fingerprint to verify the secret with the other party involved in the communication without revealing the actual secret." Fields: Preshared key Name: My preshared key; Shared secret; Confirm shared secret; Fingerprint (SHA1).]

Step 6. Type the pre-shared key name, the shared secret, and confirm the shared secret in the appropriate fields. Click Finish.

The new entry appears in the My Keys list.

Step 7. Click the Security Policy tab to create a new policy (Figure 3-11).

[Figure 3-11: SSH Sentinel Policy Editor window, Security Policy tab. Tree: Pre-IPSec Filter; VPN Connections; Secured Connections; Secured Networks; Default Response; Post-IPSec Filter: Allow all traffic. Diagnostics button.]

Step 8. Select VPN Connections, and then click Add.

Step 9. The Add VPN Connection window appears (Figure 3-12).

[Figure 3-12: Add VPN Connection dialog.]
[Figure 3-26: VPN Tracker window, Profile Settings. General: Name: myRacoon; Connection Type: Other; Initiate connection. Networking: Local Endpoint: Default interface; Remote Endpoint: 42.0.0.1; Local Host (optional); Remote Network: all traffic runs across the VPN. Authentication: Pre-shared key / Certificates. "Click the lock to prevent further changes."]

Table 3-1  VPN Tracker Connection Type Settings: Phase 1 General
  Field                          Setting
  Exchange Mode                  main, aggressive
  Proposal Check                 claim
  Nonce Size                     16
  Send INITIAL-CONTACT message   checked
  Support MIP6                   checked
  Use IPSEC DOI                  checked
  Use SIT_IDENTITY_ONLY          checked

[Figure 3-27: VPN Tracker window, Connection Types window, Phase 1 General tab, showing the settings listed in Table 3-1. "Click the lock to prevent further changes."]

Step 6. Click Phase 1 Proposal. The Phase 1 Proposal tab settings appear (Figure 3-28).

Step 7. Select or enter data into the fields as described in Table 3-2 below.

Table 3-2  VPN Tracker Connection Type Settings: Phase 1 Proposal
  Field                          Setting
  Encryption Algorit
HP ProCurve Secure Access 700wl Series
Wireless Data Privacy Guide
www.hp.com/go/hpprocurve

HP PROCURVE SECURE ACCESS 700wL SERIES WIRELESS DATA PRIVACY GUIDE

Copyright 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. This document contains proprietary information which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.

Publication Number 5990-8810, February 2004, Edition 1

Applicable Products
  HP ProCurve Access Controller 720wl  J8153A
  HP ProCurve Access Control Server 740wl  J8154A
  HP ProCurve Integrated Access Manager 760wl  J8155A
  HP ProCurve 700wl 10/100 Module  J8156A
  HP ProCurve 700wl Gigabit-SX Module  J8157A
  HP ProCurve 700wl Gigabit-LX Module  J8158A
  HP ProCurve 700wl 10/100/1000Base-T  J8159A
  HP ProCurve 700wl Acceleration Module  J8160A

Trademark Credits

Windows NT, Windows, and MS Windows are US registered trademarks of Microsoft Corporation.

Disclaimer

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with
You can view the Certificate configuration or install a new certificate under the Certificates tab at the top of the page. See the 700wl Series system Management and Configuration Guide, or click the HELP icon from the Certificates page, for detailed instructions on installing a public key certificate. Make sure that the client uses the same certificate key and certificate authority when making an IPSec connection to the 700wl Series system.

Step 6. Make any necessary changes to the various settings for IKE Integrity, Encryption, ESP Integrity, Encryption, and so on.

Note: Select the appropriate settings for your IPSec VPN clients' configuration so that they match. For example, if your client only supports DES and 3DES for IKE, you need to have one of these selected for IKE encryption. Typically, if you use PGPnet as the IPSec client software, you need to enable MD5 for IKE encryption, and if you use SSH Sentinel as the IPSec client software, you should enable AES for ESP encryption. Otherwise the client connection will fail. You need to take the settings for all possible clients on your network into account. For example, the Cisco Unity client only supports Diffie-Hellman group 2 in aggressive mode when a pre-shared key is used.

Note: To support VPN clients that use aggressive mode, select a single Diffie-Hellman group to match the client
[Figure (continued): ...ac_sha1; non_auth; Establish unique SAs for multiple networks. "Click the lock to prevent further changes."]

Step 10. Click Save to save these connection settings. The Profile Settings window reappears (Figure 3-26).

Step 11. Put a check in the Initiate connection check box; this enables you to establish this connection from your end.

Step 12. Select Host to Everywhere from the Topology pull-down list to secure all your network traffic.

Step 13. For Local Endpoint, select Default Interface. This means that VPN Tracker will use the default network connection of your Mac for connecting to the remote endpoint.

Step 14. For Remote Endpoint, enter the IP address of the VPN server. In this case, the internal address 42.0.0.1 of the 700wl Series unit (either the Integrated Access Manager or Access Controller) is used.

Step 15. Leave the Local Host field blank.

Step 16. For Authentication, select Pre-shared key if you have set up the corresponding Access Policy to use a shared secret for authentication, or select Certificates if you have set up the corresponding Access Policy to use a certificate for authentication.

Step 17. If you selected Pre-shared key as the auth
...ady installed the SSH Sentinel software on your system. To configure the SSH Sentinel IPSec client, do the following:

Step 1. Start SSH Sentinel Policy Editor:

- From the Start menu, select All Programs, then SSH Sentinel, then SSH Sentinel Policy Editor; or
- Right-click the Sentinel icon in the notification area (lower right corner of the desktop), and then select Run Policy Editor.

Step 2. The SSH Sentinel Policy Editor window appears. Click the Key Management tab, and then select My Keys (Figure 3-8).

[Figure 3-8: SSH Sentinel Policy Editor window, Key Management tab. Tabs: Security Policy, Key Management. Tree: Trusted Policy Servers; Trusted Certificates; Certification Authorities; Remote Hosts; Directory Services; My Keys: host key. Description: "The keys that are used for authenticating the local host."]

Step 3. Click the Add button to start the New Authentication Key wizard (Figure 3-9).

[Figure 3-9: New Authentication Key wizard. "This wizard guides you through the generation of a new authentication key. What kind of an authentication key would you like to create?" Options: Create an authentication key pair and a certificate (Enroll for a certificate); Create a pre-shared key.]

Step 4. Select the Create a pre-shared key option, and then click Next >.
[Figure: Wireless Data Privacy setup page (Username: admin; Access Control Server 192.168.10.116; Date & Time: Tue Feb 10 12:28:05 2004). Toolbar: STATUS, RIGHTS, NETWORK, HELP. Global Wireless Data Privacy Configuration: Enable IPSec; Enable L2TP/IPSec (requires IPSec); Enable PPTP; Enable SSH. "Settings on this page affect the ..." Configuration for IPSec: IKE Authentication Method: Public Key Certificate / IPSec Shared Secret (with Confirm field); to use a certificate, go to the Certificates tab to obtain and install a certificate; to use a shared secret, enter and confirm the secret. IKE Encryption: DES, 3DES, AES, Blowfish, CAST. IKE Integrity: SHA1, MD5. IKE Diffie-Hellman: Group 1, Group 2, Group 5. ESP Encryption: DES, 3DES, AES, Blowfish, CAST, Null. ESP Integrity: SHA1, MD5, Null (None). "Select one or more algorithms for IKE Encryption, Integrity, and ESP Encryption. Select one or more algorithms, or None, for ESP Integrity." Buttons: Save, Reset to Defaults, Cancel. "When finished, click Save."]

Step 4. Check Enable IPSec in the list of encryption protocols to enable IPSec for the 700wl Series system.

Step 5. To use an IPSec shared secret, enter the secret in the appropriate field and confirm it in the second field. You can use a Public Key Certificate as the alternative to using the shared secret. Click Public Key Certificate to use a Public Key Certificate
...are being used for authentication, VPN Tracker will verify the 700wl Series system certificate.

Step 8. Click Phase 2. The Phase 2 tab settings appear (Figure 3-29).

[Figure 3-28: VPN Tracker window, Connection Types window, Phase 1 Proposal tab. Connection Type: Other. Encryption Algorithm: 3des; Hash Algorithm: md5; DH Group: modp1024; Lifetime: 1 hours; Send certificate; Send request for remote certificate; Verify remote certificate. "Click the lock to prevent further changes."]

Step 9. Select or enter data into the fields as described in Table 3-3 below.

Table 3-3  VPN Tracker Connection Type Settings: Phase 2
  Field      Setting
  PFS Group  Specifies the group of Diffie-Hellman exponentiations for PFS (Perfect Forward Secrecy) in phase 2. If you do not require PFS, uncheck the check box. Otherwise, select the group used for the Diffie-Hellman exponentiations that matches the setting for IKE Diffie-Hellman under Wireless Data Privacy in the VPN section of the 700wl Series system Administrative Console. Diffie-Hellman Group 1 matches modp768; Diffie-Hellman Group 2 matches
as the 700wl Series system does not support AES for IKE encryption.

Step 14 When the Rule Properties window reappears, click OK to save your settings.

Step 15 (Optional) When the Add VPN Connection window reappears, click the Diagnostics button to test the connection.

Step 16 Click OK to finish the settings.

Step 17 Do the following to establish the VPN connection:
• Right-click on the Sentinel icon in the notification area to display the SSH Sentinel menu.
• Move the pointer to the Select VPN submenu and then select 42.0.0.1 (any), which is the VPN connection created in the previous section.

Figure 3-15 Select VPN Submenu

The computer will open the VPN connection to the 700wl Series unit (42.0.0.1).

Step 18 Verify the VPN connection. Double-click the Sentinel icon in the notification area to view the statistics of the VPN connection. Notice that the 42.0.0.1 entry appears in the Security Associations panel, along with the detailed information of the encryption protocol (Figure 3-16).

Figure 3-16 SSH Sentinel Statistics Window
[Screenshot: SSH Sentinel Statistics window]

PGPnet for Mac OS 9.x

In this section the procedures for configuring PGPnet 7.1 on Apple Mac OS 9.x are described. The following procedures are created based on Mac OS 9.2
ated the scripts and compiled them in ZIP packages.

INDEX

A
Access Policy
  IPSec configuration 2-2, 2-3
  L2TP configuration 2-10
  PPTP configuration 2-7
  SSH configuration 2-14
AH 1-2
Audience i-v
Authentication Header 1-2
Authentication protocols 1-2

C
CMAK 4-1
  rebuilding package 4-8

D
Document Conventions i-v

E
Encapsulating Security Payload 1-2
ESP 1-2

I
IPSec
  client configuration 3-1
  configuration 2-1
  configure per Access Policy 2-3
  enable globally 2-5
  overview of 1-1
  protocols 1-2
  SafeNet SoftRemote client for Windows 3-1
  SSH Sentinel client for Windows 3-7

L
L2TP
  client configuration 3-51, 3-71, 3-74
  configuration 2-10
  configure per Access Policy 2-10
  enable globally 2-13
  overview 1-2
  setup script for Windows 2000 4-2
  setup script for Windows XP 4-5
  Windows 2000 client 3-61
  Windows XP client 3-51
L2TP over IPSec 1-2
  client configuration 3-51, 3-71, 3-74
  configuration 2-10
  setup script for Windows XP 4-5
  Windows setup scripts 4-1
Layer 2 Tunneling Protocol 1-2

M
Microsoft Challenge Reply Handshake Protocol 1-2
Microsoft Point-to-Point Encryption 1-2
MPPE 1-2
MS-CHAP 1-2

P
Point-to-Point Tunneling Protocol 1-2
PPP 1-2
PPTP
  client configuration 3-27
  configuration 2-7
  configure per Access Policy 2-7
  enable globally 2-9
  overview 1-2
  Windows 2000/NT client 3-36
  Windows 98/95/ME client 3-45
  Windows XP client 3
atus of the connection.

Figure 3-93 Virtual Private Connection Status Window, General Tab
[Screenshot: Virtual Private Connection 3 Status window, General tab]

Figure 3-94 L2TP/IPSec Status Window, Details Tab
[Screenshot: L2TP/IPSec Status window, Details tab]

Notice that your system is now connected to the server via IPSec using 3DES (168-bit) encryption and MS-CHAP v2 authentication.

Windows NT Clients

This section describes how to configure computers running Windows NT as L2TP/IPSec clients. To configure an L2TP client on a Windows NT computer, do the following:

Step 1 Download the Microsoft IPSec VPN Client and install it on your computer. The Microsoft IPSec VPN Client, along with instructions on how to install it, is found at http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp

Step 2 On your Windows computer, click My Computer, then Dial-Up Networking. The Dial-Up Networking window appears (Figure 3-95).

Figure 3-95 Dial-Up Networking Initial Window
[Screenshot: Dial-Up Networking window, with the Dialing from Location field and the Dial and Close buttons]

Step 3 Click New to create a new connection profile. The New Phonebook Entry window appears, displaying the Basic tab (Figure 3-96).

Figure 3-96 New Phonebook Entry, Basic Tab
Make
connection is made, the connection icon appears in the notification area on the lower right corner of the screen, as shown below.

Figure 3-78 Connection Icon

You may double-click on the icon to display the status of the connection.

Figure 3-79 Connection Status Window, General Tab
[Screenshot: "My Workplace via L2TP" Status window. The General tab shows Connection Status (Duration) and Activity (Bytes Sent/Received, Compression, Errors). The Details tab lists Device Name: WAN Miniport (L2TP); Device Type: vpn; Server type: PPP; Transports: TCP/IP; Authentication: MS CHAP V2; IPSEC Encryption: IPSec, ESP 3DES; Compression: (none); PPP multilink framing: Off; Server IP address: 192.168.2.17; Client IP address: 42.65.76.67]

Notice that your system is now connected to the server via IPSec using 3DES (168-bit) encryption and MS-CHAP v2 authentication.

Windows 2000 Clients

Before configuring the L2TP/IPSec client, please read Chapter 3, Scripts for L2TP/IPSec on Windows 2000 or XP. The instructions in Chapter 3 will guide you through the use of the Microsoft Connection Manager Administration Kit to create a script for setting up an L2TP/IPSec connection.
ction Availability option (e.g., Only for myself). Click Next >.

Figure 3-84 Connection Availability Window
[Screenshot: Network Connection Wizard, Connection Availability page. "You may make the new connection available to all users or just yourself. You may make this connection available to all users or keep it only for your own use. A connection stored in your profile will not be available unless you are logged on." Create this connection: For all users / Only for myself]

Step 8 Enter the desired name for this connection in the text box and then click the Finish button. You may choose to add a shortcut to this connection to the desktop before clicking the Finish button.

Figure 3-85 Network Connection Wizard Completion Window
[Screenshot: Network Connection Wizard, Completing the Network Connection Wizard page. "Type the name you want to use for this connection: My Workplace via L2TP. To create this connection and save it in the Network and Dial-up Connections folder, click Finish. To edit this connection in the Network and Dial-up Connections folder, select it, click File, and then click Properties." Add a shortcut to my desktop (checked); < Back, Finish, Cancel]

At this point an icon named Virtual Private Network, representing the new connection, appears in the Network and Dial-up Connections window. In the meantime the Sign-on window should appear
ction Manager Administration Kit Wizard
[Screenshot: Welcome to the Connection Manager Administration Kit Wizard page. "This wizard helps you create a service profile that customizes Connection Manager for users of your service. For a list of tasks to complete before you start this wizard, click Help. For more information about any other page in this wizard, click Help on that page. To continue, click Next."]

Step 2 The Service Profile Selection window appears. Make sure that New profile is selected and then click Next >.

Step 3 The Service and File Names window appears. Enter the Service name and File name in the appropriate text boxes. Click Next >.

Step 4 The Realm Name window appears. Make sure that Do not add a realm name to the user name is selected. Click Next >.

Step 5 The Merging Profile Information window appears. Click Next >.

Step 6 Select Phone book from this profile. Enter 42.0.0.1 in the Always use the same VPN server text box and then select Use the same user name and password for VPN and dial-up connections. Click Next >.

Figure 4-13 VPN Support Window
[Screenshot: Connection Manager Administration Kit Wizard, VPN Support page. "You can set up this profile to support VPN connections for remote access to private networks over the Internet. Establish a virtual private network (VPN) con"]
d others.
• Under Allowed Traffic, select the Allowed Traffic Filters for this policy. These are processed after the Redirected Traffic Filters.
• Under Redirected Traffic, select the Redirected Traffic Filters for this policy. These are processed before the Allowed Traffic Filters.
• Under HTTP Proxy, enable automatic HTTP proxy filtering and select proxy filters.
• Under Bandwidth, set upstream and downstream bandwidth limits.
• Under Timeout, specify the Linger and reauthentication timeouts.
• When finished, click Save.

[Screenshot: Access Policy edit page for the policy named Authenticated, with Settings, Allowed Traffic, Redirected Traffic, HTTP Proxy, Bandwidth and Timeout tabs. The Settings tab ("Configure NAT policy, IP addressing and encryption requirements for this Access Policy in the fields below. See Help for details.") shows Network Address Translation: Always ("Modifying NAT settings may cause incorrect behavior. See Help."); IP Addressing: Require DHCP; VLAN Identifier: Remove any pre-existing tag / Use client tag / Apply this VLAN tag; Encryption: Disabled; Encryption Protocols: IPSec, L2TP+IPSec, PPTP, SSH ("May force IP addresses to be NATed. See Help."); MPPE: Stateless (PPTP only); Key Length (PPTP only); and Authentication for PPTP or L2TP. Changes take effect automatically at the next update of users' rights assignments; Save As Copy saves without replacing the original.]
default gateway for the remote network, right-click on the new connection icon and select Properties from the pop-up menu. Go to the Server Types tab and click the TCP/IP Settings button. The TCP/IP Settings window appears (see Figure 3-63). Check the box for Use default gateway on remote network at the bottom of the window. Click OK to close the window and OK in the Properties window.

Figure 3-63 TCP/IP Settings
[Screenshot: TCP/IP Settings window]

Before starting the VPN connection, you must make sure your system has established the network connection with the server and the server has assigned an IP address to your system.

Step 6 Double-click the new connection icon to start connecting. The Connect To window appears. Enter your username and password in the appropriate boxes and then click the Connect button to connect to the server. You may choose to save this username and password for future use before clicking the Connect button.

Figure 3-64 Connect To Window
[Screenshot: Connect To window]

After the connection is made, the connection icon appears in the notification area on the lower right corner of the screen, as shown below.

Figure 3-65 Connection Icon

You may double-click on the
dem or ISDN
[Screenshot: Network Connection Wizard, Network Connection Type page, listing: Dial-up to the Internet (Connect to the Internet using my phone line (modem or ISDN)); Connect to a private network through the Internet (Create a Virtual Private Network (VPN) connection or tunnel through the Internet); Let other computers connect to mine by phone line, the Internet, or direct cable; Connect directly to another computer (Connect using my serial, parallel, or infrared port)]

Step 5 Enter the destination address in the Host name or IP address text box. In this case the internal address 42.0.0.1 of the 700wl Series unit (either Access Controller or Integrated Access Manager) is used. Click Next >.

Figure 3-83 Destination Address Window
[Screenshot: Network Connection Wizard, Destination Address page. "What is the name or address of the destination? Type the host name or IP address of the computer or network to which you are connecting." Host name or IP address (such as microsoft.com or 123.45.6.78): 42.0.0.1; < Back, Next >, Cancel]

Step 6 The Network Connection Wizard will display the Public Network window if other dial-up connections exist. Select the Do not dial the initial connection option and then click Next >. If no other dial-up connection was previously created, the Connection Availability window shown in Step 6 is displayed.

Step 7 Select the desired Conne
double-click the new connection icon.

Figure 3-37 Sign-on Window
[Screenshot: Connect My Workplace via PPTP window, with User name and Password fields and the "Save this user name and password for the following users" option]

Step 9 You need to customize the properties of your connection to use PPTP and match the settings of the 700wl Series unit. Click the Properties button to open the connection's properties window.

Figure 3-38 PPTP Properties Window, General Tab
[Screenshot: My Workplace via PPTP Properties window (General, Options, Security, Networking, Advanced tabs), General tab. "Host name or IP address of destination (such as microsoft.com or 157.54.0.1)". First connect: "Windows can first connect the public network, such as the Internet, before trying to establish this virtual connection"; Dial another connection first (unchecked); Show icon in notification area when connected (checked)]

Step 10 Click the Networking tab to specify the type of VPN. Pull down the Type of VPN menu and select PPTP VPN. Make sure that Internet Protocol (TCP/IP) is selected.

Figure 3-39 PPTP Properties Window, Networking Tab
[Screenshot: My Workplace via PPTP Properties window, Networking tab, listing QoS Packet Scheduler, File and Printer Sharing for Microsoft Networks, Deterministic Network Enhancer and Client for Microsoft Networks, with a Description field]
dows XP and Windows 2000, http://support.microsoft.com/default.aspx?scid=kb;en-us;818043

B. Schneier and Mudge, Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol (PPTP), http://www.counterpane.com/pptp.pdf

B. Schneier, D. Wagner and Mudge, Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2), http://www.counterpane.com/pptpv2.pdf

S. Kent and R. Atkinson, Security Architecture for the Internet Protocol, RFC 2401, November 1998.

S. Kent and R. Atkinson, IP Authentication Header, RFC 2402, November 1998.

S. Kent and R. Atkinson, IP Encapsulating Security Payload (ESP), RFC 2406, November 1998.

D. Piper, The Internet IP Security Domain of Interpretation for ISAKMP, RFC 2407, November 1998.

D. Maughan, M. Schertler, M. Schneider and J. Turner, Internet Security Association and Key Management Protocol (ISAKMP), RFC 2408, November 1998.

D. Harkins and D. Carrel, The Internet Key Exchange (IKE), RFC 2409, November 1998.

R. Thayer, N. Doraswamy and R. Glenn, IP Security Document Roadmap, RFC 2411, November 1998.

B. Patel, B. Aboba, W. Dixon, G. Zorn and S. Booth, Securing L2TP using IPsec, RFC 3193, November 2001.

VPN Tracker User Manual, available as a downloadable PDF file from http://www.equinuxusa.com/download/files/Manual_VPN_Tracker_2.2.0.pdf

HP ProCurve Secure Access 700wl Series Management and Configuration Guide, v 4.0

Michael Moy cre
dpoints. However, L2TP does not define tunnel protection mechanisms. The IPSec protocol suite described in Section 2.1 can be used to protect the L2TP traffic over IP networks. The implementation of L2TP using IPSec is referred to as L2TP over IPSec (L2TP/IPSec). See more details in RFC 3193 (see References on page Ref-1). The 700wl Series system does not allow L2TP configuration without IPSec.

This document describes how to configure both the L2TP/IPSec client and server. L2TP/IPSec clients are available on all Windows platforms, including Windows Mobile 2003 software for Pocket PC.

IPSec vs. L2TP/IPSec

The primary advantage of an IPSec VPN client over L2TP/IPSec is that it allows you more flexibility in configuring the exact encryption methods you want and the network traffic that is protected by the VPN. Thus you can allow specified traffic to be unencrypted, so that you don't have to pay the computational overhead of encryption for traffic that doesn't require it, such as Internet traffic. The drawback is that an IPSec VPN client requires more user expertise, and the client software is an added cost, while L2TP/IPSec comes bundled with Windows. Alternatively, setting up and using an L2TP/IPSec client is simpler than setting up and using IPSec, and it offers the benefits of IPSec. However, all the traffic goes through a single VP
e 3-24 PGPnet Window, Status Panel
[Screenshot: PGPnet Status panel showing a security association using TripleDES and MD5, established 8/20/02 6:18:48 PM, with 0 KB sent and 0 KB received, and Properties and Remove buttons]

VPN Tracker for Mac OS X

In this section the procedures for configuring VPN Tracker 2.2 on Apple Mac OS X are described.

Note: VPN Tracker requires Mac OS X 10.2 or higher, and the BSD subsystem from the Mac OS X installation must be installed.

The following procedures are created based on Mac OS X 10.2. You may follow the same procedures for configuring the software on higher versions of Mac OS X.

Step 1 After the installation of VPN Tracker and the system restart, start up VPN Tracker. The main VPN Tracker window appears (Figure 3-25).

Figure 3-25 VPN Tracker Window, Main Window
[Screenshot: VPN Tracker main window, showing the status "IPsec is not running" and the Stop IPsec button]

Step 2 Click New to create a new profile, or select an existing profile and click Edit to modify it (in Figure 3-25, MyRacoon is an existing profile). The profile settings window appears.

Step 3 In the profile settings window, as shown in Figure 3-26, enter a name for the connection profile.

Step 4 In the Connection Type field, select Other, then Edit connection types. The Connection Types window appears, displaying the Phase 1 General tab (Figure 3-27).

Step 5 Select or enter data into the fields as described in Table 3-1 below.
ea network protocol that provides communication across diverse interconnected networks.

Step 11 Click the Security tab to customize the security protocols. Select Advanced (custom settings) and then click the Settings button. The Advanced Security Settings window appears.

Step 12 Make sure that Microsoft CHAP (MS-CHAP) is not selected. Note that this protocol is selected by default; you must clear the selection so that only MS-CHAP v2 is used. If an external LDAP server is used for user authentication with PAP (an option in the Location properties), then make sure that only Unencrypted password (PAP) is selected.

Step 13 Pull down the Data encryption menu and select Maximum strength encryption (disconnect if server declines). This will set the length of the encryption key to 128 bits. If an external LDAP server is used for user authentication with PAP, then select Optional encryption (connect even if no encryption) from the Data encryption menu.

Figure 3-75 Advanced Security Settings Window
[Screenshot: Advanced Security Settings window, with the Data encryption menu open and listing: Require encryption (disconnect if server declines); No encryption allowed (server will disconnect if it requires encryption); Optional encryption (connect even if no encryption); Require encryption (disconnect if server declines); Maximum strength encryption (disconnect if server declines)]
All
ems or similar equipment. It is assumed that the personnel using this document have the appropriate background and knowledge to complete the procedures described in this document.

How To Use This Document

This document contains procedural information describing how to configure an HP ProCurve Integrated Access Manager or an HP ProCurve Access Control Server to provide support for client connections via IPSec, PPTP (Point-to-Point Tunneling Protocol) and L2TP/IPsec (Layer 2 Tunnel Protocol over IPsec). It also describes how to configure the client system to use an IPsec, PPTP or L2TP/IPsec client for its VPN connection.

Where applicable, navigation aids also refer you to supplemental information such as figures, tables and other procedures in this document or another document. Main chapters are followed by supplemental information such as appendices and an index.

Document Conventions

The following text conventions are used in this document.

Table i-1 Text Conventions
Convention: Definition
Boldface Arial: Window menus that you click to select, commands that you select, or field names are in boldface Arial.
Boldface Italic Palatino: New terms that are introduced are in boldface italic Palatino.
Italic Palatino: Emphasized terms are in italic Palatino.
Courier: Filenames and text that you type are in Courier.

The following notices and icons are used to alert
ent-server connection are authenticated using a digital certificate, and passwords are protected by being encrypted. SSH uses RSA public key cryptography for both connection and authentication. Encryption algorithms include AES (SSH2 only), Blowfish, 3DES and DES. There are two versions of SSH: version 1 (SSH1) and version 2 (SSH2). SSH2, the latest version, is a proposed set of standards from the Internet Engineering Task Force (IETF). The 700wl Series system supports both versions.

SSH is widely used among network administrators to control Web and other application servers remotely. SSH is also available on Microsoft Windows and Apple Mac OS platforms.

This document describes how to configure the 700wl Series system to function as the SSH server. A freeware application named PuTTY is used as the SSH client on a Windows platform. User traffic is tunneled through the opened SSH session into the network.

700WL SERIES SYSTEM CONFIGURATION

This chapter provides an overview of the 700wl Series system Wireless Data Privacy configuration. It consists of the following sections:

Configuration Overview 2-1
IPSec Configuration 2-1
PPTP Configuration 2-7
L2TP/IPSec Configuration 2-10
SSH Configuration
entication method, click Edit next to the Pre-shared key radio button to enter the shared secret. The Pre-shared Key window appears (Figure 3-30). If you selected Certificates as the authentication method (Figure 3-26), click Edit next to the Certificates radio button to add and manage your certificates as well as certificate authorities (CAs). See the VPN Tracker User Manual for further information (see References on page Ref-1).

Figure 3-30 VPN Tracker Window, Pre-shared Key Window
[Screenshot: Pre-shared Key window, with the key field, the Hide typing option, and the option "Enter key when establishing connection (the key will not be saved on disk)"; Local Identifier: Local endpoint IP address; Remote Identifier: Remote endpoint IP address; Verify remote identifier; Cancel and OK buttons]

Step 18 Enter the shared secret specified in the corresponding Access Policy in the top field. Click OK when you are done. You return to the Profile Settings window (Figure 3-26).

Step 19 Click Save to save these profile settings. The main VPN Tracker window reappears (Figure 3-25).

Step 20 In the main VPN Tracker window, put a check mark next to the profile you have created and click Start IPsec to start an IPSec connection.

PPTP Client Configuration

This section describes how to configure computers running Windows XP, 2000 and 98SE as PPTP cl
erminal
[Screenshot: PuTTY Configuration window, Session category: Host Name (or IP address) 42.0.0.1, Port 22; Protocol: Raw, Telnet, Rlogin, SSH (selected); "Load, save or delete a stored session": Saved Sessions (Default Settings, 42.0.0.1) with Load, Save and Delete buttons; Close window on exit: Always, Never, Only on clean exit]

Step 3 Enter 42.0.0.1 in the Host Name (or IP address) field and then select SSH for Protocol. Note that once SSH has been selected, the Port field is automatically updated to 22.

Step 4 (Optional) Enter 42.0.0.1 in the Saved Sessions field and then click Save to store the setting so that it can be reused in the next logon attempt.

Step 5 (Optional) Configure port forwarding tunnels to encrypt application data, such as SMTP, POP3 and IMAP, via the SSH session to the appropriate servers inside the network.
a. Click Tunnels in the Category panel. The window displays the tunneling configuration options (Figure 3-114).
b. Type the Source port and Destination address in the appropriate fields.
c. Click Add.
d. Repeat the above steps to include all desired applications. In the example shown in Figure 3-114, the Forwarded ports include SMTP, Proxy, POP3 and IMAP.

Figure 3-114 SSH Tunneling Options
[Screenshot: PuTTY Configuration window, Category panel]
Figure 3-48 Network Connection Wizard Completion Window
[Screenshot: Network Connection Wizard, Completing the Network Connection Wizard page. "Type the name you want to use for this connection. To create this connection and save it in the Network and Dial-up Connections folder, click Finish. To edit this connection in the Network and Dial-up Connections folder, select it, click File, and then click Properties." Add a shortcut to my desktop (checked); < Back, Finish, Cancel]

At this point an icon named Virtual Private Network, representing the new connection, appears in the Network and Dial-up Connections window. In the meantime the Sign-on window should appear on the screen; otherwise, double-click the new connection icon.

Figure 3-49 Sign-on Window
[Screenshot: Connect Virtual Private Connection window]

Step 8 You need to customize the properties of your connection to use PPTP and match the settings of the 700wl Series unit. Click the Properties button to open the connection's properties window.

Figure 3-50 Virtual Private Connection Window, General Tab
[Screenshot: Virtual Private Connection 3 Status window]

Step 9 Click the Networking tab to specify the type of VPN. Next, pull down the Type of VPN menu and select PPTP. Make sure that Internet Protocol (TCP/IP) is selected.
F
fault gateway on remote network check box and click OK to save your PPP TCP/IP settings. The New Phonebook Entry window returns (Figure 3-98).

Step 14 Click Security to go to the security settings tab (Figure 3-100).

Figure 3-100 New Phonebook Entry, Security Tab
[Screenshot: New Phonebook Entry window, Security tab]

Step 15 Select the Accept only Microsoft encrypted authentication radio button and put a check mark in the Require data encryption check box.

Step 16 Click OK to save your connection profile settings.

Step 17 To connect to the 700wl Series system using your new L2TP client, go back to Dial-Up Networking and click the icon for the connection you have just created. A connection window appears (Figure 3-101).

Figure 3-101 Connection Windows: Connect To
[Screenshot: Connect To window for My Connection, with User name VPNUser, a Password field, the Save password check box and the VPN server field]

Step 18 Enter your Username and Password, optionally check the Save password check box, and click Connect.

Step 19 Once you have successfully connected to the network, the connection window will show the status and details of the connection (Figure 3-102).

Figure 3-102 Connection Windows: Connection Status and Details
[Screenshot: "Connected to My Connection" window, showing Connected at 10,485,760 bps, Duration 000:00:55, Bytes received 342 and Bytes sent 1,627, with OK and Disconnect buttons]
hentication
[Screenshot: Access Policy edit page, Settings tab (continued): Timeout ("May force IP addresses to be NATed. See Help."); Encryption Protocols including SSH; MPPE (PPTP only): Stateless; Key Length (PPTP only): 40 bits; Authentication for PPTP or L2TP, Authentication Method: Use Associated Authentication Policy ("Authentication Policy will be the policy associated with the Connection Profile. See Help for details.") or Use shared secret (with Confirm field); Allow PAP for L2TP; MSCHAP; Save, Save As Copy and Cancel buttons. "Changes take effect automatically at the next update of users' rights assignments. Save As Copy saves without replacing the original."]

Step 6 From the Encryption drop-down box, choose one of the following options:
• If encryption is required for all clients connecting through this Access Policy, select the Required option.
• The Allowed but not required setting allows access for unencrypted clients through this Access Policy as well as encrypted clients. This setting is recommended for Access Policies used for unknown clients, such as the Unauthenticated Access Policy.

Step 7 Click the check box to select PPTP from the Encryption Protocols check boxes.

Step 8 Change the MPPE or Key Length as desired. Note that MSCHAP V2 is selected by default.

Step 9 For the authentication method, you can either use the Authentication Pol
hm: Select an algorithm that matches the setting for IKE Encryption under Wireless Data Privacy in the VPN section of the 700wl Series system Administrative Console (e.g., 3des).
Hash Algorithm: Select an algorithm that matches the setting for IKE Integrity under Wireless Data Privacy in the VPN section of the 700wl Series system Administrative Console (sha1 or md5).

Table 3-2 VPN Tracker Connection Type Settings: Phase 1 Proposal (Continued)
Field: Setting
DH Group: Select the group used for the Diffie-Hellman exponentiations that matches the setting for IKE Diffie-Hellman under Wireless Data Privacy in the VPN section of the 700wl Series system Administrative Console. Diffie-Hellman Group 1 matches modp768; Diffie-Hellman Group 2 matches modp1024; Diffie-Hellman Group 5 matches modp1024.
Lifetime: Defines the encryption lifetime, in hours, which will be proposed in the phase 1 negotiations.
Send certificate (checked): If checked and certificates are being used for authentication, VPN Tracker will send your own certificate to the 700wl Series system for verification.
Send request for remote certificate (checked): If checked and certificates are being used for authentication, VPN Tracker will request the certificate from the 700wl Series system for verification.
Verify remote certificate (checked): If checked and certificates
icon to display the status of the connection.

Figure 3-66 Connection Status Window
[Screenshot: "Connected to My Workplace via PPTP" window, showing Connected at 10,000,000 bps, Duration 000:02:12, Bytes received 43,381, Bytes sent 19,284; Device: Microsoft VPN Adapter; Server type: PPP: Internet, Windows NT Server, Windows; Protocols: Microsoft encryption, Microsoft mutual challenge handshake authentication, TCP/IP; with OK and Disconnect buttons]

Notice that your system is now connected to the server via PPP using Microsoft encryption and Microsoft mutual challenge handshake (MS-CHAP) authentication. This PPP connection is certainly using a 128-bit encryption key and MS-CHAP v2 authentication, because the server is configured to accept only this type of connection.

Warning: If the server rejects the connection, it is highly likely that the 128-bit encryption key does not work. You need to access the Rights Manager to modify the Location's properties to lower the minimum encryption key length to 40 bits (see Configuring the Rights Manager for PPTP).

L2TP/IPSec Client Configuration

This section describes how to configure computers running Windows XP, Windows 2000, Windows NT, and Windows 98 or Windows ME as L2TP/IPSec clients.

Windows XP Clients

Before configuring the L2TP/IPSec client, please read Chapter 4, Scripts for L2TP/IPSec on Window
icy defined by the Connection Profile that matches the client's connection location, or you can configure a shared secret.

Step 10 Click Save to save the settings.

Step 11 Since Authenticated is an existing Access Policy, you should refresh all rights in order to apply the new settings to active users.
a. Click the STATUS icon in the Navigation Toolbar at the top of the page, then click the Client Status tab to go to the clients page.
b. Once the client page appears, click Refresh User Rights Now to refresh the rights of all users. You may choose to refresh a client's rights on a per-user basis by clicking on each individual user's link in the Clients table or by clicking the refresh icon to the right of each row.

Note: If you allow or require PPTP in some of your Access Policies, you must configure the Unauthenticated (or equivalent) Access Policy to allow PPTP as well. See Configuring Rights in the 700wl Series system Management and Configuration Guide for a detailed explanation of the logon process and Access Policies.

Enabling PPTP

Enabling PPTP in the Wireless Data Privacy Setup is a global setting that affects the entire 700wl Series system. Do the following to enable PPTP:

Step 1 To access the Administrative Interface from the network, set your browser to the IP address or hostname of the Integrated Access Manager or Access Control Server.

Step 2 You are prompted for the Administrator username and password. Type the u
73. ients

Windows XP Clients

Do the following to configure the Windows XP client:

Step 1: Open the Network Connections window. Click the Start button and then move the pointer to My Network Places. Right-click on My Network Places to display the pop-up menu and then select Properties. The Network Connections window appears.

Step 2: Click on the Create a new connection link on the Network Tasks panel. The New Connection Wizard window appears.

Step 3: Click the Next > button to go to the Network Connection Type page.

Figure 3-31: New Connection Wizard (Welcome to the New Connection Wizard. This wizard helps you: Connect to the Internet; Connect to a private network, such as your workplace network; Set up a home or small office network. To continue, click Next.)

Step 4: Select the Connect to the network at my workplace option and then click the Next > button.

Figure 3-32: Network Connection Type Window (New Connection Wizard, Network Connection Type: What do you want to do? Connect to the Internet: Connect to the Internet so you can browse the Web and read email. Connect to the network at my workplace: Connect to a business network, using dial-up or VPN, so you can work from home, a field office, or another location. Set up a home or small office network: Connect to an ex
74. iguration

CLIENT CONFIGURATION

This chapter provides an overview of client configurations. It consists of the following sections:
IPSec Client Configuration, 3-1
PPP Client Configuration, 3-27
L2TP/IPSec Client Configuration, 3-51
SSH Client Configuration, 3-79

IPSec Client Configuration

This section describes how to configure computers running Microsoft Windows as IPSec clients.

SafeNet SoftRemote for Windows

The following procedure configures SafeNet SoftRemote for use as an IPSec client.

Note: This procedure assumes you have already installed the SoftRemote software on your system. SoftRemote should start automatically after the software installation and system reboot. The following procedure is based on a Windows XP client. You may follow the same procedure for configuring the software on different Windows platforms.

Step 1: Start the SoftRemote software (Security Policy Editor):
• Double-click the SoftRemote icon in the desktop taskbar's Notify area (lower right corner) to open the Security Policy Editor window, or
• From the Start menu, select Programs, then SoftRemote, then click on Security Policy Editor.
The Security Policy Editor (SafeNet SoftRemote) window appears (Figure 3-1).
75. igure 3-51: Virtual Private Connection Window, Networking Tab

Step 10: Click the Security tab to customize the security protocols. Next, select Advanced (custom settings) and then click the Settings button.

Figure 3-52: Virtual Private Connection Window, Security Tab (Tabs: General, Options, Security, Networking, Sharing. Security options: Typical (recommended settings): Validate my identity as follows; Require data encryption (disconnect if none). Advanced (custom settings): Using these settings requires a knowledge of security protocols. Settings button.)

The Advanced Security Settings window appears.

Step 11: Make sure that Microsoft CHAP (MS-CHAP) is not selected. Note that this protocol is selected by default. You must deselect this option so that only MS-CHAP v2 is used.

Step 12: Pull down the Data Encryption menu and select Maximum strength encryption (disconnect if server declines). This will set the length of the encryption key to 128 bits.

Figure 3-53: Advanced Security Settings Window (Data encryption: Require encryption (disconnect if server declines); No encryption allowed (server wil
76. ile Edit Format Help
REG p MyL2TP r MyL2TP_Rule aPRESHAR f0 17014 42 0 0 1 UDP x

Step 4: Run setupL2TP.cmd. The script will modify the system's registry to allow the use of a shared secret and create the MMC IPSec policy named my_L2TP. In addition, a new Network Connection shortcut, Shortcut to My L2TP, is created on the desktop.

Figure 4-2: Desktop Shortcut (Shortcut to my L2TP)

Step 5: Reboot the system.

Warning: Without rebooting, any attempt to make the L2TP connection will fail.

Step 6: Double-click the Shortcut to My L2TP icon. The L2TP connection window appears.

Step 7: Enter the User name and Password information in the appropriate text boxes. If required, enter the Logon domain information in the third text box. You may select the Save password and/or Connect automatically options by clicking the appropriate checkboxes.

Figure 4-3: My L2TP Connection Window (User name; Password; Save password; Connect automatically; Connection status: Click Connect to begin connecting. To work offline, click Cancel. Buttons: Connect, Cancel, Properties, Help.)

Step 8 (Optional): Click the Properties button to modify the number of Redial attempts and the minutes of Idle time before disconnecting. After finishing the modification, click OK.

Step 9: Click the C
77. ion Address Window (Network Connection Wizard, Destination Address: What is the name or address of the destination? Type the host name or IP address of the computer or network to which you are connecting. Host name or IP address (such as microsoft.com or 123.45.6.78): 42.0.0.1. Buttons: < Back, Next >, Cancel.)

Step 5: The Network Connection Wizard will display the Public Network window if other dial-up connections exist. Select the Do not dial the initial connection option and then click Next >. If no other dial-up connection was previously created, the Connection Availability window shown in Step 6 is displayed.

Step 6: Select the desired Connection Availability option, e.g., Only for myself. Click Next >.

Figure 3-47: Connection Availability Window (Network Connection Wizard, Connection Availability: You may make the new connection available to all users or just yourself. You may make this connection available to all users, or keep it only for your own use. A connection stored in your profile will not be available unless you are logged on. Create this connection: For all users; Only for myself. Buttons: < Back, Next >, Cancel.)

Step 7: Click the Finish button. You may choose to add a shortcut to this connection to the desktop before clicking the Finish button.
78. irectory containing files for setting up an L2TP connection that uses PAP (clear text) for authentication. If PAP is required, for instance if you are using L2TP/IPSec via LDAP authentication, these files should be used. This is the default set of files; in other words, the files in this directory match the default files found in the win2k or winxp directory. This subdirectory is used for restoration purposes in case the files in the main directory have been modified.

vnil2tp_MSCHAP is the subdirectory containing files for setting up the L2TP connection that uses MS-CHAP v2 for authentication. If you want to use MS-CHAP v2 for authentication, copy all files in this subdirectory and place them in the win2k directory. This will override the existing files.

Setting up Windows 2000

Do the following to install and configure a new L2TP/IPSec connection on Windows 2000:

Step 1: Download the ZIP package l2tp_setup.zip from the 700wl Series system technical support web site.

Step 2: Extract the ZIP package to a directory.

Step 3: To set up your IPSec shared secret, use a text editor such as Notepad to edit the file MyL2TP.txt and then replace the default shared secret, mysecret (see the figure below), with the one that is set on the 700wl Series unit.

Figure 4-1: Editing MyL2TP.txt File (MyL2TP.txt - Notepad)
79. is wizard, you can create a connection to other computers and networks, enabling applications such as e-mail, Web browsing, file sharing, and printing. To continue, click Next.

Step 3: Click the Next > button to go to the Network Connection Type page. Select the Connect to a private network through the Internet option and then click the Next > button.

Figure 3-45: Network Connection Type Window (Network Connection Wizard, Network Connection Type: You can choose the type of network connection you want to create, based on your network configuration and your networking needs. Dial-up to private network: Connect using my phone line (modem or ISDN). Dial-up to the Internet: Connect to the Internet using my phone line (modem or ISDN). Connect to a private network through the Internet: Create a Virtual Private Network (VPN) connection or tunnel through the Internet. Let other computers connect to mine by phone line, the Internet, or direct cable. Connect directly to another computer: Connect using my serial, parallel, or infrared port.)

Step 4: Enter the destination address in the Host name or IP address text box. In this case, the internal address 42.0.0.1 of the 700wl Series unit (either Integrated Access Manager or Access Controller) is used. Click Next >.

Figure 3-46: Destinat
80. isting home or small office network, or set up a new one. Set up an advanced connection: Connect directly to another computer using your serial, parallel, or infrared port, or set up this computer so that other computers can connect to it.)

Step 5: Select the Virtual Private Network connection option. Click Next >.

Figure 3-33: Network Connection Window (New Connection Wizard, Network Connection: How do you want to connect to the network at your workplace? Create the following connection: Dial-up connection: Connect using a modem and a regular phone line or an Integrated Services Digital Network (ISDN) phone line. Virtual Private Network connection: Connect to the network using a virtual private network (VPN) connection over the Internet.)

Step 6: Enter the desired connection name in the Company Name text box. Click Next >.

Figure 3-34: Connection Name Window (New Connection Wizard, Connection Name: Specify a name for this connection to your workplace. Type a name for this connection in the following box. Company Name: My Workplace via PPTP. For example, you could type the name of your workplace or the name of a server you will connect to.)

Step 7: Enter the IP address of the VPN server in the Host name or IP address text box. In this case, the internal address 42.0.0.1 of the 700wl Series unit (ei
81. l disconnect if it requires encryption); Optional encryption (connect even if no encryption). Allow these protocols: Unencrypted password (PAP); Shiva Password Authentication Protocol (SPAP); Challenge Handshake Authentication Protocol (CHAP); Microsoft CHAP (MS-CHAP); Allow older MS-CHAP version for Windows 95 servers; Microsoft CHAP Version 2 (MS-CHAP v2) [selected]; For MS-CHAP based protocols, automatically use ...)

Step 13: Click OK to go back to the connection's properties window.

Step 14: Click OK to go back to the Sign-on window. Before starting the VPN connection, you must make sure your system has established the network connection with the server and the server has assigned an IP address to your system.

Step 15: Enter your username and password in the appropriate boxes and then click the Connect button to connect to the server. You may choose to save this username and password for future use before clicking the Connect button.

Figure 3-54: Sign-on Window (Connect Virtual Private Connection: User name: john; Password; Save Password [selected].)

After the connection is made, the connection icon appears in the notification area on the lower right corner of the screen, as shown below.

Figure 3-55: Connection Ico
82. licy.

Step 7: Click the check box to select L2TP/IPSec from the Encryption Protocols check boxes.

Step 8: Change the MSCHAP setting as desired. Note that MSCHAP V2 is selected by default.

Step 9: For the authentication method, you can either use the Authentication Policy defined by the Connection Profile that matches the client's connection location, or you can configure a shared secret.

Note: For L2TP, there are restrictions on the Authentication Policy that may be used if PAP is not allowed. In this case, the Authentication Policy must include only RADIUS or the built-in authentication services. If PAP is allowed, any authentication service may be included.

Note: If a shared secret is specified, this shared secret is not used for client authentication. Once the connection is made, the client is presented with the web-based logon page and is authenticated based on the appropriate Authentication Policy to determine what access is allowed to the network.

Step 10 (Optional): If an external LDAP server is used to authenticate the client, checking Allow PAP for L2TP enables the 700wl Series system to both authenticate the user and obtain Identity Profile information for the client from the LDAP server. This option allows the 700wl Series system to assign the appropriate Identity Profile to the user once authenticated. Authentication by an external LDAP server and Identity Profile information from the LDAP server cannot be obtained through MS-CHAP v2
83. lient Configuration

Figure 3-22: PGP Preferences Settings (PGP Preferences, VPN Advanced: Allowed Remote Proposals. Ciphers: CAST [checked], TripleDES [checked], None. Hashes: SHA-1 [checked], MD5 [checked], None. Diffie-Hellman: 1024 bits [checked], 1536 bits. Compression: LZS, Deflate. Proposals: Shared Key, SHA, MD5, TripleDES, None; SHA, CAST, None; MD5, CAST, None.)

• Click OK. At this point, PGPnet is ready for connecting to the IPSec gateway.

Step 8: Highlight the VPN gateway (in this example, VPN gateway 1) and then click Connect. After the VPN connection has been made, you will see a green icon in the SA column of each entry. Otherwise, you will get a red icon, indicating that the VPN connection has failed.

Figure 3-23: PGPnet Window, VPN Panel (192.168 network, 192.168.0.0/16; Properties, Add, Disconnect)

If you have problems connecting to the VPN server, you can click on the Log tab for information. You may also view additional information from the Log File on the 700wl Series unit. When you click on the Status tab, you should see the Sent/Rcvd values increase every time traffic is generated to your defined subnets.

Figur
84. modp1024; Diffie-Hellman Group 5 matches modp1536.
Lifetime: Defines the lifetime, in hours, to be used in the IPsec SA. The connection will expire and be reestablished after this period of time.

Table 3-3: VPN Tracker Connection Type Settings, Phase 2 (Continued)
Field: Setting
Encryption Algorithm: Select one or more algorithms that match the setting for ESP Encryption under Wireless Data Privacy in the VPN section of the 700wl Series system Administrative Console, e.g., 3des and des.
Authentication Algorithm: Select one or more algorithms that match the setting for ESP Integrity under Wireless Data Privacy in the VPN section of the 700wl Series system Administrative Console. The terms used by VPN Tracker match the ESP Integrity settings as follows: hmac_md5 matches MD5; hmac_sha1 matches SHA-1; non_auth matches Null.
Establish unique SAs for multiple networks: Enabled. VPN Tracker will establish a unique Security Association (SA) for each network when multiple local or remote networks are specified for a connection. Otherwise, the same SA will be used for all networks of a connection.

Figure 3-29: VPN Tracker Window, Connection Types Window, Phase 2 Tab (PFS Group: modp1024; Lifetime: 8 hours; Encryption Algorithm: aes-256, aes-192; Authentication Algorithm: hmac_md5, hm
85. n. You may double-click on the icon to display the status of the connection.

Figure 3-56: Virtual Private Network Status Window, General Tab (General, Details; Connection)

Figure 3-57: Virtual Private Network Status Window, Details Tab (Server type; Transports; Authentication; Encryption: MPPE 128; Compression: none; PPP multilink framing: On)

Notice that your system is now connected to the server via PPP using 128-bit encryption and MS-CHAP v2 authentication.

Windows 98/95/ME Clients

This section describes the procedures for configuring a PPTP connection on Windows 98/95/ME. For Windows 95, make sure that Dial-up Networking has been updated to version 1.3 and Virtual Private Networking for Windows 95 has been installed. For Windows 98, make sure that Virtual Private Networking has been updated. You should read Article Q237691 at http://www.microsoft.com prior to updating the software. The software updates for both Windows 95 and 98 can be found at the Microsoft web site. The easiest approach to find all the information at once is by searching for the keyword DUN at the web site. The following procedures are created based on a Windows 98 client. You may follow similar procedures for configuring PPTP on Windows 95 and ME.

Step 1: Open the Dial-Up Ne
86. nce the Client Status page appears, click on Refresh User Rights Now to refresh the rights of all users. Note that you may choose to refresh the client's rights on a per-user basis by clicking on each individual user's link in the Clients table or via the refresh button at the right of each row in the client table.

Note: If you allow or require IPSec in some of your Access Policies, you must configure the Unauthenticated (or equivalent) Access Policy to allow IPSec, since most VPN clients are enabled before they can log on. See Configuring Rights in the 700wl Series system Management and Configuration Guide for a detailed explanation of the logon process and Access Policies.

Enabling IPSec

Enabling IPSec in the Wireless Data Privacy setup is a global setting that affects the entire 700wl Series system. Do the following to enable IPSec:

Step 1: To access the Administrative Interface from the network, set your browser to the IP address or hostname of the Integrated Access Manager or Access Control Server.

Step 2: Enter the Administrator username and password in the appropriate fields and click Logon.

Step 3: Once the Equipment Status page appears (see Figure 2-1), click the VPN icon in the Navigation Toolbar. The Wireless Data Privacy setup page appears, as shown in Figure 2-4.

Figure 2-4: Wireless Data Privacy setup p
87. nection Manager Administration Kit Wizard (You have successfully completed the Connection Manager Administration Kit Wizard. Your new service profile, a self-installing executable (.exe) file, is located at C:\Program Files\CMAK\Profiles\L2TP\L2TP.exe. To close this wizard, click Finish.)

Step 28: Click Finish. You are now ready to install this connection on a client device. Copy the output files L2TP.exe and L2TP.inf from C:\Program Files\CMAK\Profile\L2TP to any target directory. To install, use the following commands:

l2tp /q:a /c:"cmstp.exe l2tp.inf /u /s"
l2tp /q:a /c:"cmstp.exe l2tp.inf /s"

The first line will uninstall this connection if it exists, and the second line will install the connection.

REFERENCES

Microsoft on-line documents:
Point-to-Point Tunneling Protocol (PPTP) FAQ: http://www.microsoft.com/ntserver/ProductInfo/faqs/PPTPfaq.asp
Virtual Private Networking with Windows Server 2003: Overview: http://www.microsoft.com/windowsserver2003/techinfo/overview/vpnover.mspx
Microsoft L2TP/IPSec VPN Client: http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp
L2TP/IPSec NAT-T Update for Win
88. nection installation package that reflects the customer's settings. In addition to CMAK, the script for Windows 2000 makes use of Microsoft's ipsecpol.exe command-line program, which is a tool for configuring Internet Protocol Security (IPSec) policies on the computer.

Note: The CMAK package is part of the adminpak that is found on the Windows 2000 Server distribution CD. For Windows XP, you can download the adminpak for Windows 2003 Server from the Microsoft download site (search for adminpak). The ipsecpol tool for Windows 2000 can also be downloaded from the Microsoft download site (search for ipsecpol). It should be noted that without the two scripts you can still create a new L2TP/IPSec connection using the New Connection Wizard, available by default on both Windows 2000 and Windows XP.

What's in the Package

The package contains two important subdirectories: win2k and winxp. The list of files in each subdirectory is shown in Table 4-1.

Table 4-1: Files Contained in Package Subdirectories
Platform: Windows 2000; Subdirectory: win2k; Files: IPSECPOL.EXE, IPSECUTIL.DLL, prohibitIPSec.reg, setupL2TP.cmd, TEXT2POL.DLL, uninstallL2Tp.cmd, u_prohibitIPSec.reg, vn.txt, vnil2tp.exe, vnil2tp.inf, vnil2tp_PAP, vnil2tp_MSCHAP
Platform: Windows XP; Subdirectory: winxp; Files: setupl2tp_XP.cmd, uninstalll2tp_XP.cmd, vnil2tp.exe, vnil2tp.inf, vnil2tp_PAP, vnil2tp_MSCHAP

Note: vnil2tp_PAP is the subd
89. nection when the user dials a phone number from these phone books: Phone book from this profile [selected]; Phone books from the merged profiles. VPN Server name or IP Address: Always use the same VPN server: 42.0.0.1; Allow the user to choose a VPN server before connecting. Use the same user name and password for VPN and dial-up connections [selected].)

Step 7: The VPN Entries window appears. Select the entry you just created (named after the Service name specified in Step 3) and then click Edit.

Figure 4-14: VPN Entries Window (Virtual Private Networking entries provide configuration data for one or more VPN servers. Provide the network and security configuration to enable a client to connect to a VPN server. Click Edit to specify these settings. Virtual Private Networking entries: New, Edit.)

Step 8: The Edit Virtual Private Networking Entry window appears. Click the Security tab and then click the Configure button.

Figure 4-15: Edit Virtual Private Networking Entry Window

Step 9: The Security Settings window appears. Select Use L2TP/IPSec if available and then select the Use a pre-shared key when using L2TP/IPSec option. Click OK.

Figure 4-16: Security Settings Window (Secu
90. ney: DES [checked], 3DES [checked], AES [checked], Blowfish, CAST, Null. Diffie-Hellman. Select one or more algorithms for ESP Integrity: SHA-1 [checked], MD5 [checked], Null. None for ESP Encryption and Integrity. Buttons: Save, Reset to Defaults, Cancel.) When finished, click Save.

Step 4: Place a check mark in the Enable PPTP check box to enable PPTP.

Step 5: Click Save to save the settings. The 700wl Series system is now ready for the PPTP clients.

L2TP/IPSec Configuration

This section describes how to configure the 700wl Series system as an L2TP/IPSec server.

Configuring an Access Policy for L2TP/IPSec

Do the following to configure an Access Policy for L2TP/IPSec:

Step 1: To access the Administrative Interface from the network, set your browser to the IP address or hostname of the Integrated Access Manager or Access Control Server.

Step 2: Type the Administrator username and password in the appropriate fields and click Logon. The Equipment Status page is displayed (see Figure 2-1 on page 2-2) as the initial page in the Administrative Console.

Step 3: Click the RIGHTS icon to access the Rights Manager.

Step 4: Click Access Policies to access the Rights Manager's Access Policies page (see Figure 2-2 on page 2-3).

Step 5: Click on an Access Policy to configure for L2TP/IPSec. The Edit Access Policy page appears as shown in Figure 2-7
91. ntication and user-level authentication.
• PPP packets exchanged during user-level authentication are sent in an encrypted form, since the IPSec security negotiation occurs prior to the PPP connection process. With PPTP, the PPP authentication exchange is susceptible to attack, allowing user passwords to be recovered by the attacker.

Advantages of PPTP over L2TP/IPSec

PPTP has the following advantages over L2TP/IPSec:
• PPTP does not require generating and installing any digital certificates. L2TP/IPSec requires a digital certificate or pre-shared key (shared secret) for authentication between the VPN server computer and all VPN clients.
• PPTP clients can be placed behind a network address translator (NAT) if the NAT has an editor for PPTP traffic. L2TP/IPSec-based VPN clients or servers cannot be placed behind a NAT unless both the VPN client and server support IPSec NAT traversal (NAT-T). IPSec NAT-T is supported by Windows Server 2003 and the Microsoft L2TP/IPSec VPN Client.

SSH

Secure Shell (SSH) is a UNIX-based command interface and protocol for users on a local computer (SSH Client) to log into and execute commands on a remote computer (SSH Server). SSH provides secure, encrypted communications between the local and remote computers, which include X11 connections and applications running on arbitrary TCP/IP ports. Both ends of the cli
92. ocols determine the algorithm(s) to use for the service(s) and put in place any cryptographic keys required to provide the requested services. IPSec can be used to protect communications between a pair of security gateways or between a security gateway and a host. In a 700wl Series system, the Integrated Access Manager and Access Controller are used as the security gateway.

IPSec uses two protocols to provide traffic security: Authentication Header (AH) and Encapsulating Security Payload (ESP). See more details on these two protocols in RFCs 2402 and 2406, respectively (see References on page Ref-1). The HP Integrated Access Manager and Access Controller only support the IPSec ESP protocol. ESP completely encapsulates user data and provides optional authentication. Cryptographic keys or shared secret values are used for both authentication (integrity) and encryption services. IPSec relies on a separate set of mechanisms for putting these keys in place, one of which uses the Internet Key Exchange (IKE) protocol. IKE is used between the client and the security gateway for negotiating what kind of IPSec attributes to use. The attributes are, for example, the encryption algorithm, the authentication algorithm, the key length, and so on. For technical details on ESP and IKE, refer to RFC 2406, RFC 2407, RFC 2408, and RFC 2409 (see References on page Ref-1). This document describes how to configure both the IP
93. on (Check Encryption Protocols to enable use. For IPSec, select the IPSec Authentication method: to use a certificate, go to the Certificates tab to obtain and load a certificate; to use a shared secret, enter and confirm the secret string. Select one or more algorithms for IKE Encryption, Integrity and Diffie-Hellman. Select one or more algorithms for ESP Encryption and Integrity. IKE Authentication Method: Public Key Certificate; Shared Secret, Confirm. IKE Encryption: DES [checked], 3DES [checked], Blowfish, CAST. IKE Integrity: SHA-1 [checked], MD5 [checked]. IKE Diffie-Hellman: Group 1 [checked], Group 2 [checked], Group 5. ESP Encryption: DES [checked], 3DES [checked], AES [checked], Blowfish, CAST, Null. ESP Integrity: SHA-1 [checked], MD5 [checked], Null. Buttons: Save, Reset to Defaults, Cancel.) When finished, click Save.

Step 4: Check the Enable IPSec check box. This makes the Enable L2TP/IPSec check box available.

Step 5: Check the Enable L2TP/IPSec check box.

Step 6: Make any necessary changes to the various settings for IKE Integrity/Encryption, ESP Integrity/Encryption, and so on. See Enabling IPSec on page 2-5 for more information about the IPSec algorithm choices.

Step 7: Click Save to save your changes. The 700wl Series system is now ready for the L2TP/IPSec clients.

SSH Configuration

This section describes how to configure the 700wl Series system as an SSH se
94. on Windows 2000. If the script is used, it is not required to follow the instructions described below. Do the following to configure the L2TP/IPSec connection on Windows 2000:

Step 1: Open the Network and Dial-up Connections window. Click the Start button. Move the pointer to and select Programs, Accessories, and Communications, respectively. Click on Network and Dial-up Connections on the Communications menu. The Network and Dial-up Connections window appears.

Step 2: Double-click the Make new connection icon. The Network Connection Wizard window appears.

Figure 3-81: Network Connection Wizard (Welcome to the Network Connection Wizard. Using this wizard, you can create a connection to other computers and networks, enabling applications such as e-mail, Web browsing, file sharing, and printing. To continue, click Next.)

Step 3: Click the Next > button to go to the Network Connection Type page.

Step 4: Select the Connect to a private network through the Internet option and then click the Next > button.

Figure 3-82: Network Connection Type Window (Network Connection Wizard, Network Connection Type: You can choose the type of network connection you want to create, based on your network configuration and your networking needs. Dial-up to private network: Connect using my phone line (mo
95. on the screen; otherwise, double-click the new connection icon.

Figure 3-86: Sign-on Window (Connect My Workplace via L2TP: User name; Password; Save Password)

Step 9: You need to customize the properties of your connection to use L2TP over IPSec and match the settings of the 700wl Series unit. Click the Properties button to open the connection's properties window.

Figure 3-87: L2TP Connection Properties Window, General Tab (My Workplace via L2TP connection first)

Step 10: Click the Networking tab to specify the type of VPN. Next, pull down the Type of VPN menu and select L2TP. Make sure that Internet Protocol (TCP/IP) is selected.

Figure 3-88: L2TP Connection Properties Window, Networking Tab (Tabs: General, Options, Security, Networking, Sharing. Type of VPN server I am calling: Automatic; Point-to-Point Tunneling Protocol (PPTP); Layer 2 Tunneling Protocol (L2TP). Transmission Control Protocol/Internet Protocol: The default wide area network protocol that provides communication across diverse interconnected networks.)

Step 11: Click the Security tab to customize the security protocols. Next, select Advanced (custom settings) and then click the
96. onfiguration

Figure 3-1: Security Policy Editor (SafeNet SoftRemote) Window (Menu: File, Edit, Options, Help. Network Security Policy: My Connections; Other Connections.)

Step 2: Click Options to display the Options menu. Select Secure and then select All Connections. This will force all network connections through the secure tunnel. The Connection Security panel appears (Figure 3-2).

Figure 3-2: Security Policy Editor (SafeNet SoftRemote) Window, Connection Security Panel (Menu: File, Edit, Options, Help. Network Security Policy: All Connections. Connection Security: Secure [selected]; Block. Connect using Secure Gateway Tunnel [selected]. ID Type: IP Address; 42.0.0.1. Click here to find out about program add-ons.)

Step 3: Click to select the Connect using checkbox and make sure that Secure Gateway Tunnel is selected. Also make sure that ID Type is set to IP Address. Next, enter 42.0.0.1 in the text box below the ID Type menu.

Step 4: Expand All Connections in the Network Security Policy panel and select My Identity. This displays the My Identity panel (Figure 3-3).

Figure 3-3: Security Policy
97. onnect button to make the VPN connection to the 700wl Series unit. Once the connection is made, a new connection icon appears in the notification tray (lower right corner of your desktop). You may click on the icon to view the connection status.

Figure 4-4: L2TP Status Window, General Tab (Status: Connected)

Figure 4-5: L2TP Status Window, Details Tab (Device: WAN Miniport (L2TP); Device type: vpn; Server type: PPP; Transports: TCP/IP; Authentication: MS CHAP V2; IPSEC Encryption: IPSec, ESP 3DES; Compression: none; PPP multilink framing: On; Server IP address: 192.168.2.148; Client IP address: 42.65.76.67)

Setting up Windows XP

Do the following to install and configure a new L2TP/IPSec connection on Windows XP.

Step 1. Download the ZIP package l2tp_setup.zip from the internal web site.
Step 2. Extract the ZIP package into a directory.
Step 3. Run setupL2TP.cmd.
Step 4. You will be prompted to enter the PIN for the pre-shared key. Enter the PIN and then click OK. See How to Rebuild a CMAK Package for details on rebuilding the CMAK package, including how to set up the PIN and the pre-shared key.

Figure 4-6: PIN Entry Dialog (Enter PIN for Pre-shared Key)
98. or MS-CHAP. Once the Allow PAP for L2TP option is selected, the user must also customize their L2TP/IPSec connection properties on the Windows client to use PAP as well. See the client-side details in Step 12 and Step 13 of Windows XP Clients and in Step 12 and Step 13 of Windows 2000 Clients in Chapter 3, Client Configuration. PAP sends the password itself rather than a challenge response; inside L2TP/IPSec the IPSec tunnel protects it on the wireless link, so enable this option only when the authentication back end cannot verify MS-CHAP responses.

Step 11. Click Save to save the settings.
Step 12. Since Authenticated is an existing Access Policy, refresh all rights in order to apply the new settings to active users:
a. Click the STATUS icon in the Navigation Toolbar at the top of the page, then click the Client Status tab to go to the Client Status page.
b. Once the Client Status page appears, click Refresh User Rights Now to refresh the rights of all users. You may instead refresh a client's rights on a per-user basis by clicking the individual user's link in the Clients table, or by clicking the refresh icon at the right of each row in the table.

Note: If you allow or require L2TP/IPSec in some of your Access Policies, you must configure the Unauthenticated (or equivalent) Access Policy to allow L2TP/IPSec as well, since most VPN clients bring up the tunnel before the user can log on. See Configuring Rights in the 700wl Series System Management and Configuration Guide for a detailed explanation of the logon process and Access Policies.
99. ow these protocols: Unencrypted password (PAP); Shiva Password Authentication Protocol (SPAP); Challenge Handshake Authentication Protocol (CHAP); Microsoft CHAP (MS-CHAP); Microsoft CHAP Version 2 (MS-CHAP v2), which is the only one selected; For MS-CHAP based protocols, automatically use my Windows logon name and password (and domain if any), left cleared.

Step 14. Click OK to return to the Security tab.
Step 15. Click the IPSec Settings button. The IPSec Settings window appears.
Step 16. Enter the appropriate pre-shared key in the Key text box. Click OK.

Figure 3-76: IPSec Settings (Authentication) Window (Use pre-shared key for authentication, selected; Key)

Step 17. Click OK to go back to the Sign-on window. Before starting the VPN connection, make sure your system has established the network connection with the server and the server has assigned an IP address to your system.

Step 18. Enter your username and password in the appropriate boxes and then click the Connect button to connect to the server. You may choose to save this username and password for future use before clicking the Connect button. If you do save them, choose Me only: Anyone who uses this computer makes the stored credentials available to every local account on the machine.

Figure 3-77: Sign-on Window (Connect My Workplace via L2TP: User name: john; Password; Save this user name and password for the following users: Me only / Anyone who uses this computer)

After the
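The wizard steps above produce one Windows phonebook entry. As an added example (my code, not part of the HP guide and not one of its CMAK scripts), the PowerShell below creates the same entry on a current Windows client through the built-in VpnClient module (Windows 8.1 or later): L2TP with a pre-shared key, MS-CHAP v2 as the only PPP authentication method, encryption required, and the IPSec proposal pinned to what the guide's status window reports (ESP 3DES, SHA-1). The connection name, the user name and the variable names are assumptions; the gateway address 42.0.0.1 is the unit's internal address used throughout the guide.

```powershell
# Added example, not part of the HP guide. Needs the VpnClient module (Windows 8.1 /
# Server 2012 R2 or later). Creates the entry for the current user only.
$ConnectionName = 'My Workplace via L2TP'    # assumed name, same as the wizard steps
$Gateway        = '42.0.0.1'                 # internal address of the 700wl unit

# Prompt for the pre-shared key so it never sits in the script or in shell history.
$PskSecure = Read-Host -Prompt 'L2TP/IPSec pre-shared key' -AsSecureString
$Psk = [System.Net.NetworkCredential]::new('', $PskSecure).Password

# Equivalent of the Security tab with only "Microsoft CHAP Version 2" ticked,
# Type of VPN = L2TP, and "Use pre-shared key for authentication" under IPSec Settings.
# Split tunnelling is off by default, so all traffic goes through the tunnel.
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $Gateway `
                  -TunnelType L2tp `
                  -L2tpPsk $Psk `
                  -AuthenticationMethod MSChapv2 `
                  -EncryptionLevel Required `
                  -Force

# Pin phase 1 / phase 2 to the unit's settings (3DES, SHA-1, Diffie-Hellman Group 2,
# the values the guide's L2TP status window shows). Without this Windows negotiates
# from its own default proposal list.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
                                    -AuthenticationTransformConstants SHA196 `
                                    -CipherTransformConstants DES3 `
                                    -EncryptionMethod DES3 `
                                    -IntegrityCheckMethod SHA1 `
                                    -DHGroup Group2 `
                                    -PfsGroup None `
                                    -Force

# Review what was stored: Pap must not appear in AuthenticationMethod unless the
# Access Policy has "Allow PAP for L2TP" enabled, and SplitTunneling should be False.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  EncryptionLevel, SplitTunneling, L2tpIPsecAuth

# Connect; rasdial prompts for the password when '*' is given in place of it.
# "john" is the sample user name from the sign-on window above (an assumption).
rasdial $ConnectionName john *
(Get-VpnConnection -Name $ConnectionName).ConnectionStatus
```

3DES, SHA-1 and Group 2 are listed because they are what the unit offers and the guide reports, not because they are good choices today; if the gateway you are talking to accepts AES256, SHA256 and Group14, prefer those in Set-VpnConnectionIPsecConfiguration. The check with Get-VpnConnection is the part worth keeping in a deployment script: it is the only way to confirm, after the fact, that PAP was not left enabled on the client.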
100. p for details. (Use Associated Authentication Policy; Confirm; Use shared secret; Allow PAP for L2TP (MS-CHAP); Save, Save As, Copy, Cancel)

Suppose you want to configure the default Access Policy Authenticated to support SSH. Note that there is no encryption protocol assigned to this Access Policy.

Step 6. From the Encryption drop-down box, choose one of the following options:
- If encryption is required for all clients connecting through this Access Policy, select the Required option.
- The Allowed but not required setting admits unencrypted clients through this Access Policy as well as encrypted clients. This setting is recommended for Access Policies used for unknown clients, such as the Unauthenticated Access Policy.
For a policy that grants real network rights, Required is the setting that enforces the data privacy: with Allowed but not required, a client that never brings up a tunnel still receives the policy's rights over the air in cleartext.

Step 7. Select SSH from the Encryption Protocols check boxes.

Step 8. Click Save to save the settings.
Step 9. Since Authenticated is an existing Access Policy, refresh all rights in order to apply the new settings to active users:
a. Click the STATUS icon in the Navigation Toolbar at the top of the page, then click the Client Status tab to go to the Client Status page.
b. Once the Client Status page appears, click Refresh User Rights Now to refresh the rights of all users. You may choose to refresh the client
101. rity Settings.

Step 10. Click OK to return to the VPN Entries window. Click Next >.

Step 11. The Pre-shared Key window appears. Enter your shared secret in the Enter key field, and then enter the PIN and its confirmation in the appropriate text boxes. Note that you must enter a PIN; otherwise the system does not use a shared secret. Click Next >.

Figure 4-17: Pre-shared Key Window (Connection Manager Administration Kit Wizard). The wizard text reads: You can configure this profile to use a pre-shared key to provide authentication for your L2TP over IPSec connections. Note: Computer certificates are the recommended method of authentication. Pre-shared key is a relatively weak authentication method. Enter key. Using a PIN to encrypt the pre-shared key increases the security of your deployment. Users will need the PIN in order to install the profile. The PIN must be between 4 and 15 characters long. Encrypt the pre-shared key using a PIN (selected).

The PIN only protects the key inside the distributed package: it is four to fifteen characters long and every user receives the package, so treat the pre-shared key as known to every user who has installed the profile, and change it when one of them leaves.

Step 12. The Phone Book window appears. Make sure that the Automatically download phone book updates option is cleared. Click Next >.
Step 13. The Dial-up Networking Entries window appears. Select the entry named after the Service name defined in Step 3, and then click Next >.
Step 14. The Routing Table Update window appears. Click Next >.
Step 15. The
102. rivacy Guide, Client Configuration

Step 3. Enter the IP address of the VPN server in the Host name or IP address text box. In this case the internal address 42.0.0.1 of the 700wl Series unit (either Access Controller or Integrated Access Manager) is used. Click Next >.

Figure 3-60: Make New Connection Window, VPN server address (Type the name or address of the VPN server. Host name or IP Address: 42.0.0.1)

Step 4. Click the Finish button to complete the process.

Figure 3-61: Make New Connection Window, Final Dialog Box. The dialog reads: You have successfully created a new Dial-Up Networking connection called My Workplace via PPTP. Click Finish to save it in your Dial-Up Networking folder. Double-click it to connect. To edit this connection later, click it, click the File menu, and then click Properties.

At this point an icon representing the new connection appears in the Dial-Up Networking window as shown below.

Figure 3-62: Dial-Up Networking Window with new connection icon (Exploring - Dial-Up Networking; Make New Connection: The Make New Connection wizard walks you step by step through adding Dial-Up Networking connections. Just follow the instructions on each screen.)

Step 5. To set the
103. rver.

Configuring an Access Policy for SSH

To configure the Access Policy to allow SSH, do the following:

Step 1. To access the Administrative Interface from the network, point your browser at the IP address or hostname of the Integrated Access Manager or Access Control Server.
Step 2. Type the administrator username and password in the appropriate fields and then click the Login button. The Equipment Status page is displayed (see Figure 2-1 on page 2-2) as the initial page in the Administrative Console.
Step 3. Click the RIGHTS icon to access the Rights Manager.
Step 4. Click Access Policies to access the Rights Manager's Access Policies page (see Figure 2-2 on page 2-3).
Step 5. Click on an Access Policy to configure it for SSH. The Edit Access Policy page appears as shown in Figure 2-9.

Figure 2-9: Edit Access Policy page (Integrated Access Manager 192.168.10.116; Username: admin; Date & Time: Thu Feb 12 18:26:21 2004; toolbar: STATUS, RIGHTS, NETWORK, VPN, MAINT, LOGS, LOGOUT). The page text reads: You can change an Access Policy's name and its properties, found under tabbed headings as follows: Under Settings, set properties related to IP addressing, 802.1q VLAN tag usage, encryption requirements and others. Access Policies: Name: Authenticated; Settings
104. s 2000 or XP. The instructions in Chapter 4 guide you through using the Microsoft Connection Manager Administration Kit to create a script for setting up an L2TP/IPSec connection on Windows XP. If you use the script, you do not need to use the procedure described here.

Do the following to configure the Windows XP client:

Step 1. Open the Network Connections window: click the Start button, then move the pointer to My Network Places. Right-click My Network Places to display the pop-up menu, then select Properties. The Network Connections window appears.
Step 2. Click the Create a new connection link on the Network Tasks panel. The New Connection Wizard window appears.
Step 3. Click the Next > button to go to the Network Connection Type page.

Figure 3-67: New Connection Wizard (Welcome to the New Connection Wizard. This wizard helps you: Connect to the Internet; Connect to a private network, such as your workplace network; Set up a home or small office network. To continue, click Next.)

Step 4. Select the Connect to the network at my workplace option and then click the Next > button.

Figure 3-68: Network Connection Type Window (New Connection Wizard, Network Connection T
105. s 700wl Series Wireless Data Privacy Guide, Client Configuration

Figure 3-115: PuTTY login window (42.0.0.1 - PuTTY; login as: evelyn; Sent username "evelyn"; evelyn@42.0.0.1's password:; followed by the BSD copyright banner of The Regents of the University of California)

You may log off the network by selecting the PuTTY window and typing CTRL-D (the CTRL and D keys together).

SCRIPTS FOR L2TP/IPSEC ON WINDOWS 2000 OR XP

This chapter describes the setup of L2TP/IPSec connections on Windows systems. It includes the following sections:
Scripts Overview (4-1)
What's in the Package (4-1)
Setting Up Windows 2000 (4-2)
Setting up Windows XP (4-5)
How to Rebuild a CMAK Package (4-8)

The information described in this section is intended for use by an administrator.

Scripts Overview

This section describes how to set up an L2TP/IPSec connection to the 700wl Series system on Windows 2000 and Windows XP. Two scripts, one for Windows 2000 and the other for Windows XP, are used to streamline the setup process. Both scripts use Microsoft CMAK (Connection Manager Administration Kit), which allows you to build a client con
106. sername and password in the appropriate text boxes and then click the Logon button. The Equipment Status page is displayed (see Figure 2-1 on page 2-2).

Step 3. Click the VPN icon in the Navigation Toolbar. The Wireless Data Privacy setup page appears.

Figure 2-6: Wireless Data Privacy setup page (Access Control Server 192.168.10.116; Username: admin; Date & Time: Tue Feb 10 12:28:05 2004; toolbar: STATUS, RIGHTS, NETWORK, VPN, HELP). Global Wireless Data Privacy Configuration, Encryption Protocols: Enable IPSec; Enable L2TP+IPSec (requires IPSec); Enable PPTP; Enable SSH. Settings on this page affect the Wireless Data Privacy settings on all connected Access Controllers. Wireless Data Privacy Configuration for IPSec: IKE Authentication: Public Key Certificate, or IPSec Shared Secret with Confirm. ESP Encryption: DES (selected), 3DES (selected), Blowfish, CAST. IKE Integrity: SHA1 (selected), MD5 (selected). IKE Diffie-Hellman: Group 1 (selected), Group 2 (selected), Group 5. Help text: Check Encryption Protocols to enable use of each one. For IPSec, select the IKE Authentication method: to use a certificate, go to the Certificates tab to obtain and load a certificate; to use a shared secret, enter and confirm the secret string. Select one or more algorithms for IKE Encryption and ESP Encryption.

Of the algorithms offered here, DES, MD5 and Diffie-Hellman Group 1 are the weakest; because the client and the unit negotiate from whatever is ticked, leave only 3DES, SHA1 and Group 2 or Group 5 enabled once every client has been configured to match.
107. subnet will be encrypted. A new entry appears below the VPN gateway 1 entry; you must expand the VPN gateway 1 entry to see it, as shown below.

Figure 3-21: PGPnet Window, VPN Panel (192.168 network, 192.168.0.0/16; Properties, Add, Connect)

Step 6. Repeat Steps 4 and 5 to create additional subnet or host entries to which your system will encrypt the traffic and send it through the VPN gateway.

Note: If you plan to encrypt all IP traffic through the VPN gateway, you must create the following two subnet entries:
0.0.0.1/1 (covers 0.0.0.1 to 127.255.255.255)
128.0.0.0/1 (covers 128.0.0.0 to 255.255.255.255)

Step 7. The last configuration step is to change the order in which the PGPnet client attempts to connect to the VPN gateway:
a. Pull down the Edit menu and select Preferences. The PGP Preferences window appears.
b. Select VPN Advanced from the Preference Panels.
c. In the Proposals section, highlight Shared Key / MD5 / TripleDES / 1024 bits in the IKE panel and click Move Up repeatedly until the entry is at the top of the panel.
d. Highlight the None / MD5 / TripleDES / None entry in the IPSec panel and move the entry to the top of the panel. The final settings are shown in the picture below.
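The two /1 entries in the note above are the usual workaround for a client that will not accept 0.0.0.0/0 as a single selector. As an added check (my code, not part of the guide or of PGPnet), the PowerShell below normalises each PGPnet-style address/prefix entry to the address range it actually covers and reports whether a set of entries leaves any IPv4 destination outside the tunnel. The entry list format and the function names are assumptions; it needs no modules.

```powershell
# Added example, not from the HP guide or PGPnet. Plain PowerShell, no modules.

function ConvertTo-UInt32Address {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    # Assemble in uint64 so no intermediate product overflows Int32.
    [uint32]([uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3])
}

function ConvertFrom-UInt32Address {
    param([uint32]$Value)
    $bytes = [System.BitConverter]::GetBytes($Value)      # host byte order
    if ([System.BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    [System.Net.IPAddress]::new($bytes).ToString()
}

function Get-SelectorRange {
    # Turns one PGPnet entry (address plus prefix length) into its numeric range.
    param([string]$Address, [int]$PrefixLength)
    $size  = [math]::Pow(2, 32 - $PrefixLength)                # addresses covered by the prefix
    $base  = ConvertTo-UInt32Address $Address
    $first = [uint32]([math]::Floor($base / $size) * $size)    # host bits cleared: 0.0.0.1/1 -> 0.0.0.0
    $last  = [uint32]($first + $size - 1)
    [pscustomobject]@{
        Entry   = "$Address/$PrefixLength"
        First   = $first
        Last    = $last
        FirstIp = ConvertFrom-UInt32Address $first
        LastIp  = ConvertFrom-UInt32Address $last
    }
}

function Test-FullCoverage {
    # $Entries: hashtables of the form @{ Address = '0.0.0.1'; Prefix = 1 }
    param([object[]]$Entries)
    $ranges = @($Entries |
        ForEach-Object { Get-SelectorRange -Address $_.Address -PrefixLength $_.Prefix } |
        Sort-Object First)
    $gaps = @()
    $next = [int64]0                  # lowest address not yet shown to be covered
    foreach ($r in $ranges) {
        if ([int64]$r.First -gt $next) {
            $gapStart = ConvertFrom-UInt32Address ([uint32]$next)
            $gapEnd   = ConvertFrom-UInt32Address ([uint32]($r.First - 1))
            $gaps += "$gapStart - $gapEnd"
        }
        $candidate = [int64]$r.Last + 1
        if ($candidate -gt $next) { $next = $candidate }
    }
    if ($next -le 4294967295) {
        $gaps += "$(ConvertFrom-UInt32Address ([uint32]$next)) - 255.255.255.255"
    }
    [pscustomobject]@{ Covered = ($gaps.Count -eq 0); Gaps = $gaps }
}

# The two halves prescribed in the note above: together they leave no gap.
$allTraffic = @(
    @{ Address = '0.0.0.1';   Prefix = 1 },
    @{ Address = '128.0.0.0'; Prefix = 1 }
)
Test-FullCoverage -Entries $allTraffic

# The single 192.168 network entry from Step 5 on its own: everything else stays
# outside the tunnel, and Gaps lists exactly which ranges those are.
Test-FullCoverage -Entries @(@{ Address = '192.168.0.0'; Prefix = 16 })
```

Get-SelectorRange shows why the guide's 0.0.0.1/1 works even though the address has a host bit set: the prefix clears it, so the entry is the 0.0.0.0/1 half. Running Test-FullCoverage over the entries you actually configured is the quick way to catch a "VPN" that silently sends some destinations in the clear because one subnet entry was mistyped.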
108. ther the Integrated Access Manager or Access Controller) is used. Click Next >.

Figure 3-35: VPN Server Selection Window (New Connection Wizard, VPN Server Selection: What is the name or address of the VPN server? Type the host name or Internet Protocol (IP) address of the computer to which you are connecting. Host name or IP address (for example, microsoft.com or 157.54.0.1): 42.0.0.1)

The Completing the New Connection Wizard page appears.

Step 8. Click the Finish button. You may choose to add a shortcut to this connection to the desktop before clicking the Finish button.

Figure 3-36: New Connection Wizard Completion Window (Completing the New Connection Wizard: You have successfully completed the steps needed to create the following connection: My Workplace via PPTP; Share with all users of this computer. The connection will be saved in the Network Connections folder. Add a shortcut to this connection to my desktop. To create the connection and close this wizard, click Finish.)

At this point an icon representing the new connection appears in the Network Connections window under the Virtual Private Network section. In the meantime, the Sign-on window should appear on the screen; otherwise,
109. tion. This must match the certificate settings specified in the VPN settings in the 700wl Series system Administrative Console.
- If you select Use a pre-shared key for IPSec authentication, enter the shared secret in the Type or paste a pre-shared key in the text box below field.

Step 8. (Optional) Check the Enable IPSec Logging check box. This is useful if you need to debug the connection.
Step 9. Click OK to save your IPSec configuration settings. The New Phonebook Entry window appears (Figure 3-96). Click the Server tab to go to the server settings (Figure 3-98).

Figure 3-98: New Phonebook Entry, Server Tab (tabs: Basic, Server, Script, Security, X.25; Dial-up server type: PPP: Windows NT, Windows 95 Plus, Internet; Network protocols: TCP/IP (selected), TCP/IP Settings; IPX/SPX compatible; NetBEUI; Enable software compression; Enable PPP LCP extensions)

Step 10. Select PPP: Windows NT, Windows 95 Plus, Internet from the Dial-Up server type pull-down list.
Step 11. Check the TCP/IP check box and click TCP/IP Settings. A PPP TCP/IP Settings window appears (Figure 3-99).

Figure 3-99: PPP TCP/IP Settings Window

Step 12. Select the Server assigned IP address and Server assigned name server addresses radio buttons.
Step 13. Check the Use de
110. tor (SafeNet SoftRemote) Window, Authentication Method Panel (Network Security Policy: All Connections; My Identity; Security Policy; Authentication (Phase 1): Proposal 1; Key Exchange (Phase 2): Proposal 1. Authentication Method and Algorithms: Authentication Method: Pre-Shared Key. Encryption and Data Integrity Algorithms: Encrypt Alg: DES; Hash Alg: SHA-1; SA Life: Unspecified (seconds); Key Group: Diffie-Hellman Group 1)

Step 8. Set up the authentication method. Select Proposal 1 below Authentication (Phase 1). Make sure that the Authentication Method is set to Pre-Shared Key. Note: the default settings of SafeNet SoftRemote work with the default settings of the 700wl Series system. If a different authentication algorithm is used, make sure that the settings match those configured on the 700wl Series unit. The defaults shown (DES, Diffie-Hellman Group 1) are the weakest options the unit accepts; if you have raised the unit's settings to 3DES and Group 2, change the proposal here to match.

Step 9. Set up the key exchange protocol. Select Proposal 1 below Key Exchange (Phase 2). You may keep the default settings (see Figure 3-6) because they work with the default IPSec settings on the 700wl Series unit.

Figure 3-6: Security Policy Editor (SafeNet SoftRemote) Window, IPSec Protocols Panel
111. tworking window. Move the pointer to the My Computer icon on the desktop. Right-click the icon to display the pop-up menu and then select Explore. The Exploring - My Computer window appears. Double-click the Dial-Up Networking link on the Network Tasks panel. The New Connection Wizard window appears.

Figure 3-58: New Connection Wizard Window (Exploring - Dial-Up Networking: Desktop, My Computer, 3 1/2 Floppy (A:), (C:), System_save (D:), Dial-Up Networking; Make New Connection: The Make New Connection wizard walks you step by step through adding Dial-Up Networking connections. Just follow the instructions on each screen.)

Step 2. Double-click the Make New Connection icon to start the Make New Connection wizard (see Figure 3-59). Enter the desired connection name in the text box. Pull down the Select a device menu and then select Microsoft VPN Adapter. Click Next >.

Figure 3-59: Make New Connection Window, selecting a device (My Workplace via PPTP; Select a device: Lucent 56K V.90 PCI DF Modem, Microsoft VPN Adapter)

Note that if Microsoft VPN Adapter does not appear on the menu, you must cancel the Make New Connection activities and add the VPN adapter in the Network Properties.
112. uration. This section describes how to configure the 700wl Series system as a VPN Security Gateway for IPSec clients.

Configuring an Access Policy for IPSec

Do the following to configure an Access Policy for IPSec:

Step 1. To access the Administrative Interface from the network, point your browser at the IP address or hostname of the Integrated Access Manager or Access Control Server.
Step 2. Enter the Administrator username and password in the appropriate fields and click Logon. The Equipment Status page is displayed, as shown in Figure 2-1, as the initial page in the Administrative Console.

Figure 2-1: Initial Page after Logon, Equipment Status Page (Access Control Server 192.168.10.116; Username: admin; Date & Time: Wed Feb 4 13:40:01 2004). The page lists Access Controllers and Access Control Servers with the columns Component Name, IP Address, Connection Time, Up Time, Installed Software and Alternate; the Access Control Server at 192.168.10.116 shows Total Clients 0, Unauthenticated Users 1, Authenticated Users, and Auto Refresh Off / Refresh controls. Click an Access Controller name to view detailed status; see Help for more information.

Step 3. Click the RIGHTS icon to access the Rights Manager.
Step 4.
113. w is reactivated.

Step 11. In the Connection Properties window, click OK to save your settings.
Step 12. From the Windows Start menu, select Programs > Microsoft IPSEC VPN > Microsoft IPSEC VPN Configuration. The Microsoft IPSec Configuration Utility window appears (Figure 3-109).

Figure 3-109: Microsoft IPSec Configuration Utility Window (Microsoft IPSec VPN Configuration Utility)

Step 13. Either select Use a pre-shared key for IPSec authentication and enter the shared secret, or select Use a specific certificate for IPSec authentication, then click Select Certificate and enter the certificate information.
Step 14. Click OK to save your settings.
Step 15. To connect to the 700wl Series system using your new L2TP client, go back to Dial-Up Networking and click the icon for the connection you have just created. A connection window appears (Figure 3-110).

Figure 3-110: Connection Window (Connect To)

Step 16. Enter your Username and Password, optionally check the Save password check box, and click Connect.
Step 17. Once you have successfully connected to the network, the connection window shows the status and details of the connection (Figure 3-111).

Figure 3-111: Connection Window, Connection Status and Details (Microsoft IPSec VPN
114. ype (What do you want to do? Connect to the Internet: Connect to the Internet so you can browse the Web and read email. Connect to the network at my workplace: Connect to a business network (using dial-up or VPN) so you can work from home, a field office, or another location. Set up a home or small office network: Connect to an existing home or small office network or set up a new one. Set up an advanced connection: Connect directly to another computer using your serial, parallel, or infrared port, or set up this computer so that other computers can connect to it.)

Step 5. Select the Virtual Private Network connection option. Click Next >.

Figure 3-69: Network Connection Window (New Connection Wizard, Network Connection: How do you want to connect to the network at your workplace? Create the following connection: Dial-up connection: Connect using a modem and a regular phone line or an Integrated Services Digital Network (ISDN) phone line. Virtual Private Network connection.)

Step 6. Enter the desired connection name in the Company Name text box. Click Next >.

Figure 3-70: Connection Name Window (New Connection Wizard, Connection Name: Specify a name for this connection to your workplace. Type a name for this connection in the following box.