TheGreenBow IPSec VPN Client

Contents

1. Access Control & Hidden Interface; Preferences; 5 Connection Panel. Part V Connection Panel: 1 Connection Panel basics; 2 More info about Connections. Part VI VPN Configuration: 1 Configuration Wizard (Three step Configuration Wizard; Step 1 of 3: Choice of remote equipment; Step 2 of 3: VPN tunnel parameters; Step 3 of 3: Summary)
2. How to use a tunnel with Certificates from a SmartCard; SmartCard Troubleshooting; 9 Configuration Management (Import or Export VPN Configuration via menu; Embed your own VPN Configuration into IPSec VPN Client Setup; Default VPN …). Part VII Deployment: Embedded VPN Configuration; 2 Setup Options (Setup option overview; Setup option for GUI mode; Setup option for GUI mode access control; Setup option for systray menu items; Other Setup Options); 3 Command line (Command line options; Stopping IPSec VPN Client: option stop; Import VPN Configuration options)
3. PN Client Configuration Wizard Step 1 of 3 Choice of the remote equipment What is the type of the equipment at the end of the tunnel Please choose the equipment with which you want to open a tunnel C Another computer router or a VPN gateway lt Previous 6 1 3 Step 2 of 3 VPN tunnel parameters You must specify the following information e the public network side address of the remote gateway e the preshared key you will use for this tunnel this preshared key must be the same in the gateway e the IP address of your company LAN e g specify 192 168 1 0 VPN Client Configuration Wizard Step 2 of 3 x VPN tunnel parameters 3 What are the parameters of the VPN tunnel Sa Enter the following parameters for the VPN tunnel IP or DNS public external address astewey mydomain com of th e remote equipment Preshared key IP private internal address 192 168 1 0 of the remote network lt Previous TheGreenBow IPSec VPN Client User Guide Property of TheGreenBow Sistech SA 2000 2007 VPN Configuration 32 6 1 4 Step 3 of 3 Summary The third step summaries your new VPN configuration Other parameters may be further configured directly via the Configuration Panel e g Certificates virtual IP address etc VPN Client Configuration Wizard Step 3 of 3 Configuration Summary 3E The configu
4. Deployment 57 7 3 7 3 1 7 3 2 7 3 3 Syntax activmail activation email Allows to force the email used for activation confirmation During the activation process the edit box used for entering this email will be disabled Example Setup s license 0123456789ABCDEF0123 start boot activmail smith smith com Command line Command line options Several configuration tools are available on our web site Those tools are available as command line type and are meant to be used by IT managers to change the IPSec VPN Client behavior to their needs e Stopping IPSec VPN Client e Import or Export VPN Configuration Stopping IPSec VPN Client option stop TheGreenBow VPN Client can be stopped at any time by the command line path vpnconf exe stop where path is the IPSec VPN Client installation directory If there is several active tunnels they will close properly This feature can be used for example in a script that launch the VPN Client after establishing a dialup connection and exit it just before the disconnection Import VPN Configuration options TheGreenBow VPN Client can import a specific configuration file by the command line path vpnconf exe import file tgb where path is the VPN Client installation directory and ile tgb is the VPN Configuration file This command doesn t handle relative paths e g file tgb import may be used either if the VPN Client is
5. System Tray Icon The VPN Client user interface can be launched via a double click on application icon Desktop or Windows Start menu or by single click on application icon in system tray Once launched the VPN Client software shows an icon in the system tray that indicates whether a tunnel is opened or not using color code E GAOL 2105 VPN Client application color code is the following Blue icon no VPN tunnel is opened Green icon at least one VPN tunnel is opened A left button click on VPN icon opens configuration user interface Close tunnel Cnxvpni Open tunnel Cnxvpn2 Save amp Apply Console Connections Quit Mol 21 08 A right button click shows the following menu Quit will close established VPN tunnels stops the configuration user interface Save amp Apply will close established VPN tunnels apply latest VPN configuration modification and reopen all the VPN tunnels Console shows log window Connections opens the list of already established VPN tunnels You can configure tunnels to open up automatically when the software starts List of configured tunnels with current status Tunnels can be opened or closed from this menu as well Tooltips over VPN Client icon shows the connection status of the VPN tunnel e Tunnel lt tunnelname gt when one or more tunnels are established e Wait VPN ready when the IKE service is reinitializing e TheGreenBow VPN Client when the VPN C
6. THEGREENBOW VPN Router1 e TheGreenBow IPSec VPN Client User Guide Property of TheGreenBowO Sistech SA 2000 2007 Connection Panel Connection Panel 26 5 1 Connection Panel Connection Panel basics The Connection Panel enables users to open close and get clear information about every tunnel that have been configured This is all the end user needs to open and close tunnels The Connection Panel is made of several elements e An animated network diagram showing information on current tunnel top e A list of all configured tunnels with open close button below diagram The user simply clicks on the Open button of a tunnel to open this tunnel The Open button automatically switch to Close when then tunnel is opened One click on the name of the tunnel automatically opens the Configuration Panel enabling to change the tunnel configuration This feature is disabled when the Connection Panel is protected with a password see section Access Control It s always possible to switch from the Connection Panel to the Configuration Panel through the system menu menu Configuration Panel or via the shortcut Ctrl P see section Shortcuts 4e TheGreenBow PN Client F fe x fe TheGreenBow PN Client lei THEGREENBOW VPN Router1 Send Phase 2 ID opening closed THEGREENBOW VPN Router1 Close Close It is also possible to automatic
7. IKE key group: Diffie-Hellman key length. For more advanced settings, click on P1 Advanced. 6.3.3 Phase 1 Advanced Settings Description. For advanced features & parameters, click on the P1 Advanced button in the Phase 1 panel. Config Mode: If checked, the VPN Client will activate Config Mode for this tunnel. Config Mode allows the VPN Client to fetch some VPN Configuration information from the VPN gateway. If Config Mode is enabled, and provided that the remote Gateway supports Config Mode, the following parameters will be negotiated between the VPN Client and the remote Gateway during the IKE exchange (Phase 1): virtual IP address of the VPN Client; DNS server address (optional); WINS server address (optional). In case Config Mode is not available on the remote gateway, you may refer to section Phase2 Advanced settings to manually set DNS and WINS server addresses into the IPSec VPN Client. Aggressive Mode: If checked, the VPN Client will use aggressive mode as negotiation mode wi
8. 4 Navigating the User Interface 4 1 User interface elements TheGreenBow IPSec VPN Client is fully autonomous and can start and stop tunnels without user intervention depending on traffic to certain destinations However it requires a VPN configuration The IPSec VPN Client configuration is defined in a VPN configuration file The software user interface allows creating modifying saving exporting or importing the VPN configurations together with security elements e g Preshared key Certificates The user interface is made of several elements e Configuration Panel e Connection Panel e Main menus e System Tray Icon e Status bar e Wizards e Preferences eo TheGreenBow PN Client File VPN Configuration View Tools A Console Configuration g gb Parameters Configuring a VPN tunnel or Connections 4 Right click on Configuration and select New Phase 1 Bg Configuration Phase 1 specifies the IKE Key negotiation parameters EYE ven Router1 Ln Router2 2 oc cate releases led ele eres ee Phase 2 defines the IPsec security parameters for a single IPsec Tunnel Any Phase 1 Configuration may contain several Phase 2 Configurations 3 Click on Save and Apply to apply the changes you made Save amp Apply E VPN ready Tunnel TheGreenBow IPSec VPN Client User Guide Property of TheGreenBow Sistech SA 2000 2007 Navigating the User Interface 18 4 2 4 3
9. e IPSec VPN Client TheGreenBow User Guide Contact support thegreenbow com Website www thegreenbow com Property of TheGreenBowO Sistech SA 2000 2007 TheGreenBow IPSec VPN Client User Guide Property of TheGreenBowO Sistech SA 2000 2007 All rights reserved No parts of this work may be reproduced in any form or by any means graphic electronic or mechanical including photocopying recording taping or information storage and retrieval systems without the written permission of the publisher Products that are referred to in this document may be either trademarks and or registered trademarks of the respective owners The publisher and the author make no claim to these trademarks While every precaution has been taken in the preparation of this document the publisher and the author assume no responsibility for errors or omissions or for damages resulting from the use of information contained in this document or from the use of programs and source code that may accompany it In no event shall the publisher and the author be liable for any loss of profit or any other commercial damage caused or alleged to have been caused directly or indirectly by this document Printed January 2007 in San Francisco Table of Contents Part Introducing TheGreenBow IPSec VPN Client 2 1 What is TheGreenBow IPSec VPN Client nn eeee enne nennen nnn un nnn n nn nuin nn uan 2 2 Multi VPN Gateway solution
10. 5 Software Upgrade; 6 Software Uninstallation. Part III Quick HowTo's: 1 HowTo Open VPN tunnel; 2 HowTo Troubleshoot VPN tunnel; 3 HowTo import with double click on VPN Configuration icon. Part IV Navigating the User Interface: 1 User interface elements; 2 System Tray Icon; 3 Keyboard Shortcuts; 4 Configuration Panel (Main Menus; Status; Windows About)
11. Sistech SA 2000 2007 Introducing TheGreenBow IPSec VPN Client 3 NAT Traversal Encryption User Authentication Dead Peer Detection DPD Redundant Gateway Mode Config USB Stick Smart Card and Token Log console Flexible User Interface Scripts Configuration Management Live update NAT Traversal Draft 1 enhanced Draft 2 and 3 full implementation e Including NAT OA support e Including NAT keepalive e Including NAT T Aggressive Mode Forced NAT Traversal mode It provides 3DES DES and AES 128 192 256bits encryption Additional capabilities like DH1536 DH2048 groups are also provided e X AUTH support e PreShared keying and X509 Certificates support It is compatible with most of the currently available IPSec gateways Support of Group 1 2 5 and 14 i e 768 1024 1536 and 2048 Flexible Certificate support PEM PKCS12 PKCS 12 certificates can be directly imported from the user interface Ability to configure one Certificate per tunnel Hybrid Authentication Method support SmartCards support DPD is an Internet Key Exchange IKE extension i e RFC3706 for detecting a dead IKE peer Redundant Gateway can offer to remote users a highly reliable secure connection to the corporate network Redundant Gateway feature allows TheGreenBow VPN Client to open an IPSec tunnel with an alternate gateway in case the primary gateway is down or not responding Mode Config is an Internet Key Excha
12. pdf e Online help html e Online Software Activation html e Use the Default VPN Configuration to test you network e IPSec VPN Client FAQs 3 3 HowTo import with double click on VPN Configuration icon Also known as Dial up mode A tunnel may be opened via a double click on a VPN Configuration i e extension tgb file This feature enables to create various VPN Configuration on the windows desktop and to open tunnels by clicking on these VPN Configuration shortcut icon To create a VPN Configuration shortcut icon on the desktop Step 1 Configure the tunnel in Configuration Panel Step 2 In Phase2 Advanced Settings configure the tunnel to Automatically open this tunnel when the VPN Client starts Step 3 Export the VPN Configuration onto your computer desktop Note You may protect the VPN Configuration with a password as it is exported This password will be asked each time the tunnel is clicked on TheGreenBow IPSec VPN Client User Guide Property of TheGreenBow Sistech SA 2000 2007 Quick HowTo s Poste de travail TheGreenBow Favoris r seau TheGreenBow UDE o MSN Explorer VPN Router 1 Lo Mes documents VPN OpenBSD at ne portable Internet MyProvider Explorer 15 TheGreenBow IPSec VPN Client User Guide Property of TheGreenBow Sistech SA 2000 2007 Navigating the User Interface Navigating the User Interface 17
13. Connection Panel is never controlled by password. In case Access Control has been set, the Configuration Panel can not be opened and shown by double clicking on the desktop icon or by selecting the Start menu. Right click over the icon in the taskbar is limited to Console access, quitting the software and opening/closing the configured tunnels. 4.4.5 Wizards. There are two Wizards available: the VPN Configuration Wizard can be launched from Menu VPN Configuration > Config Wizard; the Software Activation Wizard can be launched from Menu > Activation Wizard. 4.4.6 Preferences. The Preferences window allows you to define: the start-up mode of the software (those modes can be configured in the software setup, see section Setup options); Enable/Disable the detection of interface disconnection feature. Preferences are available via Menu File and click Preferences. VPN Client start mode: TheGreenBow IPSec VPN Client software has several start-up modes, such as: Start IPSec VPN Client software before MS Wind
14. IPSec VPN Client User Guide Property of TheGreenBow Sistech SA 2000 2007 Installing TheGreenBow IPSec VPN Client 9 2 4 Software Activation 2 4 1 Software Activation Wizard For use beyond the evaluation period TheGreenBow IPSec VPN Client software must be activated The Software Activation is a two step process which requires a License Number and an email address The Activation Wizard can be launched from the VPN Client software as followed e Click on the Activate button in the startup windows when you start the VPN Client e Click on the menu and then click on Activation Wizard 2 4 2 Step 1 of 2 Enter License Number Software Activation requires a License Number Enter your License Number your email address and click Next as shown below TheGreenBow VPN Client Activation Wizard Step 1 of 2 License Number To activate this software please enter the License number and your email address License number 123456 789abc deto12 345678 gt Click here to enter a 20 characters license Email address mail company com e g maill company com is used to send you the activation ure it is a correct address Warning this email addres confirmation Please mak If you are using a Proxy click here lt Previous Note Be careful the email address is correct it will be used to send you back the activation confirmation Note The email address may not b
15. The NAT-T mode allows Forced, Disabled and Automatic. The NAT-T Disabled mode prevents the IPSec VPN Client and the VPN gateway from starting NAT Traversal. The NAT-T Automatic mode lets the VPN Gateway and VPN Client negotiate NAT Traversal. In NAT-T Forced mode, TheGreenBow IPSec VPN Client will force NAT-T by encapsulating IPSec packets into UDP frames to solve traversal with intermediate NAT routers. Local ID is the identity the VPN Client is sending during Phase 1 to the VPN gateway. This identity can be: an IP address (type = IP address), for example 195.100.205.101; a domain name (type = DNS), e.g. mydomain.com; an email address (type = Email), e.g. support@thegreenbow.com; a string (type = KEY ID), e.g. 123456; a certificate issuer (type = DER ASN1 DN), see Certificates configuration. If this identity is not set, the VPN Client's IP address is used. Remote ID is the identity the VPN Client is expecting to receive during Phase 1 from the VPN gateway. This identity can be: an IP address (type = IP address), for example 80.2.3.4; a domain name (type = DNS), e.g. gateway.mydomain.com; an email address (type = Email), e.g. admin@mydomain.com; a string (type = KEY ID), e.g. 123456; a certificate issuer (type = DER ASN1 DN), see Certificates configuration. If this identity is not set, the VPN gateway's IP address is used. Define the login and password of an X-Auth IPSec negotiation. If X-Auth popup is selected, a popup window asking for
16. VPN Client 2 A readable SmartCard inserted in the SmartCard reader 3 The correct PIN code for reading the SmartCard Each issues while using SmartCard is displayed in the Software Console See section SmartCard TroubleShooting below 6 8 4 3 SmartCard Troubleshooting Users may encounter issues while configuring SmartCard and SmartCard Readers E TheGreenBow IPSec VPN Client User Guide Property of TheGreenBow Sistech SA 2000 2007 VPN Configuration 52 No SmartCard Reader is found No smart card found If no SmartCard is found it is probably because No ATR Unknown ATR this smart card may not be 6 9 1 the SmartCard Reader middleware is missing The procedure to easily add a SmartCard Reader middleware is displayed in the text area below the list box The SmartCard cannot be read The PIN code is wrong No certificate can be found in the SmartCard supported No PKCS 11 middleware for this smart card was found You can set PKCS 11 middleware with the command line Vpnconf exe addmiddleware path to the dll ATR 3B 7B 18 00 00 00 31 C0 64 77 E3 03 00 8 2 90 00 Using IDOne Lite PKCS 11 middleware found Error 0x00000015 ATR 3B 7B 18 00 00 00 31 C0 64 77 E3 03 00 8 2 90 00 Using IDOne Lite PKCS 11 middleware found Wrong PIN code ATR 3B 7B 18 00 00 00 31 C0 64 77 E3 03 00 8 2 90 00 Using IDOne Lite PKCS 11 middleware fou
17. a login and a password will appear each time an authentication is required to open a tunnel with the remote gateway. The end user has 20 seconds to enter its login and password before X-Auth authentication fails. If X-Auth authentication fails, then the tunnel establishment will fail too. Hybrid Authentication Mode: The Hybrid mode is a specific authentication method used within IKE Phase 1. This method assumes an asymmetry between the authenticating entities. One entity, typically an Edge Device (e.g. firewall), authenticates using standard public key techniques (in signature mode), while the other entity, typically a remote User, authenticates using challenge response techniques. These authentication methods are used to establish, at the end of Phase 1, an IKE SA which is unidirectionally authenticated. To make this IKE bi-directionally authenticated, this Phase 1 is immediately followed by an X-Auth Exchange (XAUTH). The X-Auth Exchange is used to authenticate the remote User. The use of these authentication methods is referred to as Hybrid Authentication mode. TheGreenBow IPSec VPN Client implements the RFC draft draft-ietf-ipsec-isakmp-hybrid-auth-05.txt. 6.4 IPSec Configuration or Phase 2. 6.4.4 What is Phase 2. The IPSec Configuration or Phase 2 window concerns settings for Phase 2. The purpose of Phase 2
18. can be used to analyze VPN tunnels. This tool is particularly useful for IT managers in setting up their network. Console window lines: 183520 Default SA Cnxvpn2 P1 SEND phase 1 Main Mode SA VID VID VID VID; 183527 Default SA Cnxvpn2 P1 SEND phase 1 Main Mode SA VID VID VID VID. Buttons: Clear: clear console window content. Save: save logs in a file. Stop: stop saving logs in a file. Options: set level of log filtering. 8.2 Console Filters. Debug levels, as label (name): description. Misc (Misc): log level for configuration reading or dump of low level messages. Trpt (Transport): log level for UDP transport mode. Mesg (Message): log level for IKE decode. Cryp (Crypto): log level and dump for crypto material exchanged. Timr (Timer): log level about timers. SDep (Sysdep): log level about IKE interface from/to IPSec. SA (SA): log level for SA management. Exch (Exchange): log level about IKE exchanges (very useful). Negt (Negotiation): log level about phase 1 and phase 2 negotiation. Plcy (Policy): not used. All (All): apply the same log level to all subsystems. Most of the time log level set to 0 is largely enough for resolving configuration is
19. configured. Therefore one computer can establish IPSec VPN connections with several gateways or other computers (peer to peer). Similarly, several IPSec Configurations (Phase 2) can be created for the same Authentication Phase (Phase 1). 6.2.3 Advanced Features. Advanced features and parameters can be defined for Phase 1 and Phase 2. Those defined in Phase 1 apply to all Phase 2 created in the current VPN Configuration: Enable/Disable Config Mode; Enable/Disable NAT-T Aggressive Mode; Enable/Disable Redundant Gateway; Select NAT-T mode (Forced, Disabled or Automatic); Set X-Auth Login/password with pop-up option. Those defined in Phase 2 only apply to the associated Phase 2: Automatic Open Mode; Choose Script/Application to be launched when tunnel opens; Manual settings of DNS/WINS server addresses. 6.3 Authentication or Phase 1. 6.3.1 What is Phase 1. The Authentication or Phase 1 window concerns settings for the Authentication Phase, or Phase 1. It is also called IKE Negotiation Phase. Phase 1's purpose is to negotiate IKE policy sets, authenticate the peers, and set up a secure channel between the peers. As part of Phase 1, each end system must identify and authenticate itself to the other. 6.3.2 Phase 1 Settings Description.
20. e Moving the configuration onto the USB Stick the IPSec VPN Client will copy the security information onto the USB Stick and remove all security information from the computer This method is used to secure a computer once VPN configuration completed setup TheGreenBow IPSec VPN Client User Guide Property of TheGreenBow Sistech SA 2000 2007 VPN Configuration 45 The USB stick you inserted is empty You may move the current configuration onto the USB stick the local configuration will be emptied or copy the current configuration in this USB stick the local configuration will be kept 6 7 4 How to automatically open tunnels when an USB Stick is plugged in Each and every tunnels may be configured individually e In the IPSec Configuration Phase 2 of the relevant tunnel click on P2 Advanced button e Select the Automatically open this tunnel when USB stick is inserted mode Phase2 Advanced Automatic Open mode IV Automatically open this tunnel when VPN Client starts Automatically open this tunnel when USB stick is inserted IV Automatically open this tunnel on traffic detection Alternate servers DNS Server 132 168 205 106 WINS Server 192 168 205 106 6 8 Certificate Management 6 8 1 Certificate Management overview TheGreenBow IPSec VPN Client can use Certificates from PEM files PKCS 12 file or SmartCard TheGreenBow IPSec VPN Client User Guide Pr
21. full user or hidden 2 Protection of the GUI mode access control with a password 3 Configuration of the systray menu items 4 Other options for Software Start License Number and Activation email Setup option for GUI mode Syntax vpngui full user hidden enables to define the GUI appearance when the IPSec VPN Client starts full Default The Configuration Panel is displayed user The Connection Panel is displayed hidden Both VPN Configuration Panel and Connection Panel are not displayed Only the Systray menu can be opened Tunnels can be opened from the systray menu Remark vpngui hidden is equivalent to option hide yes This option can still be used as it is maintained for compatibility reasons Setup option for GUI mode access control Syntax password mypwd Enables to control the acces to the VPN GUI with a password The user will be asked for the password e When the user clicks or double clicks on the VPN systray icon e When the user wants to switch from the Connection Panel to the Configuration Panel TheGreenBow IPSec VPN Client User Guide Property of TheGreenBowO Sistech SA 2000 2007 Deployment 56 Access Control A Please enter your password to open the VPN Configuration Panel Enter the password XXXXXX Example vpngui user password admin01 These 2 options enable the GUI to be locked in Connection Panel mode only while the access to the Conf
22. is to negotiate the IPSec security parameters that are applied to the traffic going through tunnels negotiated during Phase 1. 6.4.2 Phase 2 Settings Description. Name: Label for IPSec Configuration, only used by the VPN Client. This parameter is never transmitted during IPSec Negotiation. It is possible to change this name at any time and read it in the tree list window. Two Phases can not have the same name. VPN Client address: Virtual IP address used by the VPN Client inside the remote LAN. The computer will appear in the LAN with this IP address. It is important that this IP address does not belong to the remote LAN (e.g. in the example, you should avoid an IP address like 192.168.1.10). Address type: The remote endpoint may be a LAN or a single computer. In case the remote endpoint is a LAN, choose Subnet address
23. possible available right now on the market in order to offer a true multi vendor solution to its customers New IPSec VPN gateways or appliances are tested in our labs The list of certified gateways is available on our web site and is increasing daily thus do not hesitate to regularly check for new certified VPN gateways Linux Appliance Support TheGreenBow supports several implementations of Linux IPSec VPN like StrongS WAN and FreeS WAN Therefore TheGreenBow IPSec VPN Client is compatible with most of the IPSec routers appliances based on those Linux implementations We will support more Linux implementations in the future The list of supported Linux VPN appliance is available on our website TheGreenBow IPSec VPN Client Features Windows supported Win98 Me NT Win2000 WinXP versions Connection Mode It operates as a peer to peer VPN as well as point to multiple mode without a gateway or server All connections types like Dial up DSL Cable GSM GPRS and WiFi are supported Allow IP Range networking It can run in an RDP session Remote Desktop connection Tunneling Protocol Full IKE support Our IKE implementation is based on the OpenBSD 3 1 implementation ISAKMPD thus providing best compatibility with existing IPSec routers and gateways Full IPSec support e Main mode and Aggressive mode e MD5 and SHA hash algorithms e Change IKE port TheGreenBow IPSec VPN Client User Guide Property of TheGreenBow
24. 6.5 Global Parameters. 6.5.1 Global Settings Description. Global Parameters are generic settings that apply to all created VPN tunnels. Once modified, click on Save & Apply to take into account your modifications. Lifetime (sec): IKE default lifetime: Default lifetime for IKE rekeying. IKE minimal lifetime: Minimal lifetime for IKE rekeying. IKE maximal lifetime: Maximal lifetime for IKE rekeying. IPSec minimal lifetime: Default lifetime for IPSec rekeying. IPSec maximal lifetime: Maximal lifetime for IPSec rekeying. IPSec minimal lifetime: Minimal lifetime for IPSec rekeying. Dead Peer Detection (DPD): Check interval (sec): Interval between DPD messages. Max number of retries: Number of DPD messages sent. Delay between retries (sec): Interval between DPD messages when no reply from remote gateway. Miscellaneous: Retransmissions: How many times a message sh
25. 1: Select the Certificate radio button in the Phase 1 window and click on Certificates Import.

[Image: Preshared Key and Certificate options of the Phase 1 window]

Step 2: Choose Certificate from a PEM file in the list box.

Step 3: Import the Root Certificate, the User Certificate and the Private Key by clicking on the associated button. Once the certificate is correctly imported, its subjects are filled in the Certificate Import window.

[Image: Certificates Import window showing the Root Certificate, User Certificate and User Private Key with their Import buttons]

Step 4: PEM Certificates will be stored in the VPN Configuration file as soon as you click on Save & Apply.

Note: Once the Certificate is imported, its subject is used for the local ID of the associated Phase1. This is shown in the P1 Advanced window with the following indication:

[Image: Local and Remote ID fields of the P1 Advanced window]

TheGreenBow IPSec VPN Client User Guide. Property of TheGreenBow Sistech SA 2000-2007.
26. [Image: Phase 1 (Authentication) window of the Configuration Panel]

Name: Label for the Authentication phase, used only in the configuration user interface. This value is never used during IKE negotiation. It is possible to change this name at any time and read it in the tree control. Two Phase 1 entries cannot have the same name.

Interface: IP address of the network interface of the computer through which the VPN connection is established. If the IP address may change (when it is received dynamically from an ISP), select Any.

Remote Gateway: IP address or DNS address of the remote gateway (in our example: gateway.mydomain.com). This field is mandatory.

Pre-shared key: Password or key shared with the remote gateway.

Certificate: X509 certificate used by the VPN Client. Click on Certificate Import to choose the certificate source: PEM files, PKCS#12 file or SmartCard (see section How to configure Certificates). One Certificate per tunnel can be configured.

IKE encryption: Encryption algorithm used during the Authentication phase (3DES, AES).

IKE authentication: Authentication algorithm used during the Authentication phase (MD5, SHA).
27. Import window. Also, key icons are displayed next to each certificate component (root certificate, user certificate, private key), as shown below.

[Image: Certificates Import window after importing Certificates from a PKCS#12 file]

Step 4: PKCS#12 Certificates will be stored in the VPN Configuration file as soon as you click on Save & Apply.

Note: Once the Certificate is imported, its subject is used for the local ID of the associated Phase1. This is shown in the P1 Advanced window with the following indication:

[Image: Local and Remote ID fields of the P1 Advanced window]

6.8.3 How to configure IPSec VPN Client with PEM Certificates

TheGreenBow IPSec VPN Client can import PEM Certificates into the VPN Configuration directly from the Configuration Panel. One PEM Certificate can be defined per tunnel. Therefore, it is possible to connect to several gateways that do not use the same PKI (Public Key Infrastructure).

Here are the steps to configure the IPSec VPN Client with a PEM Certificate:

Step
28. [Image: Activation Wizard, Software Activation window for a temporary version, with the Quit, Evaluate and Activate buttons]

For as long as a Temporary Software License Number is used, the activation window is available from the Configuration Panel. It enables the user to activate a new license, for example a lifetime License Number instead of a temporary one. During that period, the remaining time is available through the About menu, as shown below.

[Image: About window showing the software version, the licensee and the number of days left before the license is over]

When the Temporary Software License Number expires, the Evaluate button is disabled. The user can Buy and Activate a lifetime software license. TheGreenBow
30. ally apply a new VPN Configuration by a drag & drop of a VPN Configuration onto the Connection Panel. If a tunnel is configured to be automatically opened when the VPN Client starts (see section Phase2 Advanced Settings), it will be opened immediately as soon as the new VPN Configuration is applied (Save & Apply).

5.2 More info about Connections

If problems occur during the tunnel opening process, a warning is shown on the right of the tunnel list.

[Image: Connection Panel with the tunnel list and a warning next to a tunnel]

A link associated with the warning automatically opens the Warning tab control and shows a detailed message about the problem. Explicit warning messages help users and IT Managers to find the VPN issue. These popups are also linked (through the More information link) to our online help web pages, which detail symptoms and give clues for troubleshooting.

Example warning messages:

No proposal chosen: The Phase 2 algorithm doesn't match the gateway configuration. Check the gateway Phase 2 algorithm. (More information about this error)

VPN Clie
31. combined with the Open tunnel when traffic feature allows a tunnel to be opened automatically when traffic is detected for a specific range of IP addresses. However, the range of IP addresses must be authorized in the configuration of the VPN gateway.

For more advanced settings, click on P2 Advanced. Once the parameters are set, click on Save & Apply to save the new configuration and take it into account.

You'll find a set of useful VPN Client configuration documents available for each of the VPN gateways we support. Please go to the knowledge base on our website.

6.4.3 Phase2 Advanced Settings Description

For advanced features & parameters, click on the P2 Advanced button in the Phase2 panel.

[Image: Phase2 Advanced window with the Automatic Open mode checkboxes and the Alternate servers (DNS Server, WINS Server) fields]

Automatic Open Mode: The VPN Client can automatically open the specified tunnel (Phase2) on specific events such as:
• Auto open this tunnel when the VPN Client starts up
• Auto open this tunnel when USB stick is inserted (see section USB Mode)
• Auto open this tunnel when the VPN Client detect traf
32. 2 VPN Tunnel Configuration
   How to create a VPN Tunnel
   Multiple Authentication or IPSec Configuration Phase
   Advanced Features
3 Authentication of Phase 1
   What is Phase 1?
   Phase 1 Settings Description
   Phase1 Advanced Settings Description
4 IPSec Configuration or Phase 2
   What is Phase 2?
   Phase 2 Settings Description
   Phase2 Advanced Settings Description
   Script configuration
5 Global Parameters
   Global Settings Description
6 VPN Tu
33. dentified by the last digit of a version.

Example: My maintenance period is expired and my current software release is 3.12.
• I can only upgrade to Release 3.13 till 3.19.
• I cannot upgrade to Release 3.20, 3.30 or 4.00.

If you want to subscribe or extend your maintenance period, please contact our sales team: sales@thegreenbow.com

Note: The VPN Configuration is saved during a Software Upgrade and automatically enabled again within the new release.

2.6 Software Uninstallation

TheGreenBow IPSec VPN Client can be uninstalled:
• from the Windows Control Panel, by selecting Add/Remove programs
• from Start Menu > Programs > TheGreenBow > VPN > Uninstall IPSec VPN Client

3 Quick HowTo's

3.1 HowTo Open VPN tunnel

How to open a tunnel once the VPN configuration is set:
• Connection panel > Open
• SystemTray > click on Open xxx
• Automatic, as soon as traffic is detected
• Automatic, as soon as USB stick is inserted
• Automatic, as soon as MS Windows starts (before or after logon)
• Double click on a VPN Configuration (e.g. icon on desktop, email attachment)

3.2 HowTo Troubleshoot VPN tunnel

How to troubleshoot a VPN tunnel? You will be able to find all troubleshooting issues listed in the following documents on our website:
• TroubleShooting Document
34. e required. IT Managers can force this value during the setup; it will then not be displayed by the Software Activation Wizard. This feature can be used to centralize all the Software Activation confirmation emails to a single email address.

2.4.3 Step 2 of 2: Online Activation

The Activation Wizard will automatically connect to the online software activation server to activate the VPN Client Software. You can go back at any time to change the License Number. The Activation Wizard will end with a successful Activation.

[Image: Activation Wizard, Step 2 of 2 (Processing Activation), showing "Software successfully activated"]

2.4.4 Activation Troubleshooting

Errors may occur during the activation process. Each activation error is briefly explained on the step 2 activation window. The link More information about this error below the progress bar provides full online explanations and recommendations on how to proceed next.

TheGreenBow VPN Client Activation Wizard, Step 2 of 2, Processing Activation: Error 053 Ca
35. el can be opened from my computer to an operational remote network, for test and eventually for debug purposes.

7 Deployment

7.1 Embedded VPN Configuration

A VPN Configuration (.tgb file) embedded within the IPSec VPN Client Setup (unzipped, see the Deployment Guide description on our website) is automatically imported by the IPSec VPN Client during software installation.

The process to create a setup with a VPN Configuration is the following:
1. Create the VPN Configuration that needs to be embedded into the Setup. This step must be processed from a formerly installed IPSec VPN Client, from which the VPN Configuration is exported and named myconfig.tgb.
2. Create a silent installation, or simply unzip the IPSec VPN Client Setup.
3. Add the VPN Configuration file myconfig.tgb into the unzipped setup directory.
4. Deploy the package to the user: the myconfig.tgb VPN Configuration will be used during the setup.

Important note: the Setup cannot import and use an encrypted (protected) VPN Configuration. When creating your VPN Configuration, make sure it is exported without being encrypted (without being protected with a password).

7.2 Setup options

7.2.1 Setup option overview

Several options are available with the IPSec VPN Client Setup:
1. Configuration of the GUI mode
36. Part VIII Console and Logs
   1 Console Windows
   2 Console Filters
Part IX Software Localization
Part X Contacts
Index

1 Introducing TheGreenBow IPSec VPN Client

1.1 What is TheGreenBow IPSec VPN Client

TheGreenBow IPSec VPN Client is IPSec VPN software for all Windows versions that establishes secure connections over the Internet, usually between a remote worker and the Corporate Intranet. IPSec is the most secure way to connect to the enterprise, as it provides strong user authentication and strong tunnel encryption, with the ability to cope with existing network and firewall settings.

TheGreenBow IPSec VPN Client is the result of many years of experience in network security and Windows network driver development, as well as extensive research in related areas. The IPSec VPN Client completes our range of network security products and, like all our products, is extremely easy to use and to install.

1.2 Multi VPN Gateway solution

TheGreenBow strategy is to support as many VPN gateway and appliance vendors as
37. er when imported.
( ) Don't protect the exported VPN Configuration
( ) Protect the exported VPN Configuration. Enter the password:

When a VPN Configuration is protected with a password, importing it will automatically ask the user to enter the password. An exported VPN Configuration which is not protected with a password will be imported automatically, without any request to the user.

Note: Import/Export in USB Mode. When the VPN Client is configured in USB Mode and a USB stick is inserted, an imported VPN Configuration is written directly on the USB stick. If the VPN Client is configured in USB mode but no USB stick is inserted (the USB icon in the bottom left corner of the GUI is disabled), the export and import of a VPN Configuration are disabled.

Note: A VPN Configuration file can also be imported via the command line.

Embed your own VPN Configuration into IPSec VPN Client Setup

A pre-created VPN Configuration may be enclosed in the IPSec VPN Client Setup. Enclosing a VPN Configuration within the IPSec VPN Client Setup enables the IT Manager to deploy pre-configured IPSec VPN Client software in a single package to all company users.

Default VPN Configuration

The IPSec VPN Client Setup embeds a Default VPN Configuration. This Default VPN Configuration makes it possible to open a tunnel to our TheGreenBow Demo Server as soon as the IPSec VPN Client software is installed. It is particularly useful to check if a tunn
38. evaluation. The evaluation period left is displayed in the orange bar above.
• Activate allows you to activate the software online. This requires a License Number. When clicking on the Activate button, an Activation Wizard pops up.
• Buy allows you to go online and purchase a Software License in TheGreenBow online shop.

[Image: Activation Wizard, Software Activation window for an evaluation version, with the Quit, Evaluate and Activate buttons]

Caution: On Windows NT, 2000 and XP, you must have administrator rights. If this is not the case, the installation stops after the language choice with an error message.

Shortcuts: After software installation, TheGreenBow VPN window can be launched:
• from the user desktop, by double clicking on the TheGreenBow VPN shortcut
• from the VPN Client icon available in the taskbar
• from menu Start > Programs > TheGreenBow > TheGreenBow VPN > TheGreenBow VPN Client

Note: Software Installation can be customized with several parameter options on the command line. Please refer to the Deployment Guide document available on our website.

Software Evaluation

It is po
39. fic towards remote LAN

Alternate Servers: DNS and WINS server IP addresses of the remote LAN can be entered here to help users resolve intranet addressing. The DNS or WINS addresses are taken into account as soon as the tunnel is opened, and for as long as it is opened.

6.4.4 Script configuration

Scripts may be configured in the Script configuration window. This window can be opened through the Scripts button of a Phase 2 Settings window.

[Image: Script Configuration window with one script field for each step of the tunnel opening and closing process]

Scripts or applications can be enabled for each step of a VPN tunnel opening and closing process:
• Before the tunnel is opened
• Right after the tunnel is opened
• Before the tunnel closes
• Right after the tunnel is closed

This feature makes it possible to execute scripts (batches, scripts, applications) at each step of a tunnel connection for a variety of purposes, e.g. to check the current software release, to check database availability before launching a backup application, or to check that a software is running or a logon is set. It also makes it possible to configure various network configurations before, during and after tunnel connections.
41. iguration Panel is protected with a password.

7.2.4 Setup option for systray menu items

Syntax: menuitem 0 15
Specifies the items of the systray menu that the IT manager wants to keep. The value is a bitfield:
1 = Quit
2 = Connection Panel
4 = Console
8 = Save & Apply
Example: menuitem 5 will configure a systray menu with the items Quit and Console.

Note 1: the tunnels are always shown in the systray menu, and can always be opened and closed from this systray menu.

Note 2: menuitem and vpngui hidden. By default, vpngui hidden (or hide yes) sets the systray menu item list to Quit and Console. The items Save & Apply and Connection Panel are not visible. However, the use of menuitem overrides vpngui. That means the following: vpngui hidden menuitem 1 will set a systray menu with only the Quit item.

7.2.5 Other Setup options

Here are the other installation parameters for the setup command line:

Syntax: s
Installs in silent mode.

Syntax: license licence number
Configures the licence number. The License Number is a set of 24 hexadecimal characters. Old License Numbers might be 20 hexadecimal characters.

Syntax: start logon boot manual
Configures the start mode for the VPN Client: after the Windows logon, during the boot, or manually. Default is logon.
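The menuitem bitfield and its interaction with vpngui hidden are easy to get wrong in a deployment script, so the following added example (not TheGreenBow code) resolves the systray menu a given option set produces and checks the license and start values against the rules stated above. It assumes the options have already been parsed into a dictionary, because the exact command-line punctuation is not reproduced here; the function names, the dictionary keys and the stripping of "-" or space separators from a license number are assumptions of this example.

```python
import re

# Bit values of the menuitem bitfield, as listed in section 7.2.4.
MENU_BITS = {1: "Quit", 2: "Connection Panel", 4: "Console", 8: "Save & Apply"}
# vpngui hidden (or hide yes) alone leaves Quit and Console.
HIDDEN_DEFAULT = 1 | 4
START_MODES = ("logon", "boot", "manual")


def decode_menuitem(value):
    """Return the systray items selected by a menuitem bitfield (0..15)."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError("menuitem must be an integer")
    if not 0 <= value <= 15:
        raise ValueError("menuitem must be between 0 and 15")
    return [name for bit, name in sorted(MENU_BITS.items()) if value & bit]


def effective_menu(vpngui_hidden=False, menuitem=None):
    """Resolve the systray menu: menuitem, when given, overrides vpngui.

    Returns None when neither option is set, because the section above does
    not state the installer's default menu in that case.
    """
    if menuitem is not None:
        return decode_menuitem(menuitem)
    if vpngui_hidden:
        return decode_menuitem(HIDDEN_DEFAULT)
    return None


def classify_license(number):
    """Classify a license number as 'current' (24 hex), 'legacy' (20 hex) or 'invalid'."""
    # ASSUMPTION: separators such as '-' or spaces may be present and are ignored.
    compact = re.sub(r"[-\s]", "", number)
    if re.fullmatch(r"[0-9A-Fa-f]{24}", compact):
        return "current"
    if re.fullmatch(r"[0-9A-Fa-f]{20}", compact):
        return "legacy"
    return "invalid"


def audit_setup_options(options):
    """Return a list of findings for a parsed set of setup options."""
    findings = []
    hidden = options.get("vpngui") == "hidden" or options.get("hide") == "yes"
    menuitem = options.get("menuitem")
    try:
        menu = effective_menu(hidden, menuitem)
    except ValueError as exc:
        findings.append(f"menuitem: {exc}")
        menu = None
    # A hidden GUI combined with menuitem can bring back items the IT manager
    # expected to be removed, since menuitem wins over vpngui.
    if hidden and menuitem is not None and menu is not None:
        baseline = set(decode_menuitem(HIDDEN_DEFAULT))
        extra = [item for item in menu if item not in baseline]
        if extra:
            findings.append(
                "menuitem overrides vpngui hidden and re-exposes: " + ", ".join(extra)
            )
    if "license" in options and classify_license(options["license"]) == "invalid":
        findings.append("license: expected 24 (or legacy 20) hexadecimal characters")
    start = options.get("start", "logon")  # Default is logon.
    if start not in START_MODES:
        findings.append(f"start: {start!r} is not one of {', '.join(START_MODES)}")
    return findings


# Constructed sample option set, for illustration only.
SAMPLE = {
    "vpngui": "hidden",
    "menuitem": 10,
    "license": "0123456789abcdef0123456g",
    "start": "login",
}

if __name__ == "__main__":
    print(effective_menu(True, SAMPLE["menuitem"]))
    for finding in audit_setup_options(SAMPLE):
        print("-", finding)
```
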
42. iguration file. A specific VPN configuration file can be provided within the setup. Embedded default VPN Configuration to test and debug with online TheGreenBow servers. Incremental install allows encryption or authentication modules to be replaced with new releases. This works in addition to the live update feature, which allows the software to be updated from a central server.

Licensing: Lifetime, Temporary and Release-based licensing are available.

1.5 OEM and Software rebranding

Our offer is specially designed to target OEM clients and System Integrators. We provide a fully functional VPN Client solution to complete existing offers. Our IPSec VPN Client can be re-branded.

2 Installing TheGreenBow IPSec VPN Client

2.1 Software Installation

TheGreenBow VPN Client installation is a classical Windows installation that does not require specific information. After completing the installation, you will be asked to reboot your computer.

After reboot and session login, a window appears with several options:
• Quit will close this window and the software.
• Evaluate allows you to continue software
43. lient is up but with no opened tunnel.

Keyboard Shortcuts

This feature improves the usual manipulations.

Shortcut: Action
Ctrl+P: Switches between the Configuration Panel and the Connection Panel. Note: in case the Configuration Panel is protected with a password, the user will be asked for this password when he tries to switch to the Configuration Panel.
Ctrl+C: Opens the VPN Console.
Ctrl+A: Save & Apply a VPN Configuration.

4.4 Configuration Panel

The Configuration Panel is made of several elements:
• Three buttons: Console, Parameters and Connections (left column)
• A tree list window (left column) that contains all the IKE and IPSec configurations
• A configuration window (right column) that shows the associated tree level

[Image: Configuration Panel showing the Phase 1 (Authentication) window]

A VPN Configuration file (i.e. extension .tgb) can be drag and dropped onto the Co
44. nd

No configuration or no certificate found in the smart card: message displayed in the text area below the SmartCard listbox.

Users may encounter issues while opening a tunnel which requires Certificates on a SmartCard:
• Missing SmartCard Reader: No SmartCard Reader is found.
• Wrong PIN code: The PIN code is wrong.
• Empty or unreadable SmartCard: No certificate can be found in the SmartCard, or the SmartCard cannot be read.

Configuration Management

Import or Export VPN Configuration via menu

TheGreenBow VPN Client can import or export a VPN Configuration. With this feature, IT managers can prepare a configuration and deliver it to other users.
• Importing a configuration: select menu File > Import VPN Configuration
• Exporting a configuration: select menu File > Export VPN Configuration

All configuration files will have a .tgb extension.

A VPN Configuration, including Certificates, can be protected by a password during import or export. When the user wants to export a configuration, a window automatically asks whether or not the exported VPN configuration must be protected with a password.

Export Protection: You are about to export a VPN Configuration. You may protect this configuration with a password. It will be automatically asked to the us
45. nfiguration Panel. This feature makes it easy to apply a new VPN configuration. If a tunnel is configured to be opened when the VPN Client starts (see section Phase2 Advanced Settings), it will be opened immediately as soon as the new VPN Configuration is applied (Save & Apply).

4.4.1 Main Menus

There are several menus, as follows:
• File menu is used to Import or Export a configuration. It is also used to choose the location of the VPN Configuration (local, USB, server, Token). It is finally used to configure miscellaneous preferences, such as the way the VPN Client may start (e.g. before or after logon).
• VPN Configuration menu contains all actions from the tree control right-click menu. The Configuration menu also gives access to the Configuration Wizard.
• View menu contains the Configuration of what the user can have access to.
• Tools menu contains the Console and Connections choices.
• ? menu gives access to check for update, online help and the About window. The ? menu also gives access to the Activation Wizard.

4.4.2 Status Bar

The status bar displays several pieces of information:

[Image: status bar of the VPN Client]

• The left side box indicates the VPN configuration location. For example, if the USB Mode is set, the image will show a USB stick enabled o
46. nge (IKE) extension that enables the IPSec VPN gateway to provide LAN configuration to the remote user's machine (i.e. IPSec VPN Client). With Config Mode, the end user is able to address all servers on the remote network by using their network name (e.g. myserver.marketing.budget) instead of their IP address.

VPN configurations and security elements (certificates, preshared key) can be saved onto a USB Stick in order to remove security information (e.g. authentication) from the computer. Automatically open and close tunnels when plugging in or removing the USB Stick.

TheGreenBow IPSec VPN Client can read Certificates from Smart Cards to make full use of existing corporate ID cards or employee cards that may carry digital credentials.

All phase messages are logged for testing or staging purposes and multiple filters 10 allows to easily narrow the view on specific aspects.

Silent install and invisible graphical interface allow IT managers to deploy solutions while preventing users from misusing configurations.

Tiny Connection Panel and VPN Configuration Panel can be made available to end users separately, with access control. Drag & drop VPN Configurations into the IPSec VPN Client. Multiple keyboard shortcuts to easily navigate the IPSec VPN Client.

Scripts or applications can be launched automatically on several events (e.g. before and after a tunnel opens, before and after a tunnel is closed).

User Interface and Command Line: Password protected VPN conf
47. nnel view
   How to view opened tunnels
7 USB Mode
   What is USB Mode
   How to set USB Mode
   How to enable a new USB Stick
   How to automatically open tunnels when an USB Stick is plugged in
8 Certificate Management
   Certificate Management overview
   How to configure IPSec VPN Client with PKCS#12 Certificates
   How to configure IPSec VPN Client with PEM Certificates
   Smart Card and Token Management
   How to configure a tunnel with Certificates from a SmartCard
48. nnot connect to the activation server

Most of the errors encountered may be fixed by carefully checking the following points:
1. Check that you entered the correct License Number (error 031).
2. The communication with our activation server may be filtered by a proxy (error 053 or error 054). You should configure the proxy in step 1 of the Software Activation Wizard by clicking the link at the bottom of the window.
3. The communication with our activation server may be filtered by a firewall (error 053 or error 054). Check if a personal firewall or a corporate firewall is filtering communications.
4. Our activation server may be temporarily unreachable. Try to activate the software a few minutes later.
5. Your License Number is already activated (error 033). Contact our sales team: sales@thegreenbow.com

All activation errors are detailed online on our website: http://www.thegreenbow.com/help.html?subject=osa&id=001

2.5 Software Upgrade

The success of a software upgrade activation depends on your maintenance contract:
1. During your maintenance period, which starts from your first activation, all software upgrades are allowed.
2. Once your maintenance period is expired, or if you have no maintenance contract, only minor software upgrades are allowed. Minor software upgrades are i
49. nt gave up the connection. Retry to open the tunnel. (More information about this error)

6 VPN Configuration

6.1 Configuration Wizard

6.1.1 Three step Configuration Wizard

TheGreenBow IPSec VPN Client provides a Configuration Wizard that allows the creation of a VPN configuration in three easy steps. This Configuration Wizard is designed for remote computers that need to get connected to a corporate LAN through a VPN gateway. Remember that Peer to Peer mode is also available.

Let's take the following example:
• The remote computer has a dynamically provided public IP address.
• It tries to connect to the Corporate LAN behind a VPN gateway that has a DNS address, gateway.mydomain.com.
• The Corporate LAN address is 192.168.1.xxx, e.g. the remote computer wants to reach a server with the IP address 192.168.1.100.

[Image: network diagram of the example, with the remote TheGreenBow client, the VPN gateway and the hosts on the 192.168.1.xxx Corporate LAN]

To configure this connection, open the wizard's window by selecting menu Configuration > Wizard.

6.1.2 Step 1 of 3: Choice of remote equipment

You must specify the type of the equipment at the end of the tunnel: VPN gateway.
50. When used by TheGreenBow IPSec VPN Client, it is composed of the following items:
    - Root certificate
    - User certificate
    - Private key of the user certificate
    Note: This feature makes management of the VPN configurations easier, since a full VPN Configuration including Certificates can be provided and quickly implemented by end users.
    6.8.2 How to configure IPSec VPN Client with PKCS#12 Certificates
    PKCS#12 certificates are supported by a lot of gateways. TheGreenBow IPSec VPN Client can import PKCS#12 certificates into the VPN Configuration directly from the main interface. One PKCS#12 certificate can be defined per tunnel. Therefore it is possible to connect to several gateways that do not use the same PKI (Public Key Infrastructure). Here are the steps to configure the IPSec VPN Client with PKCS#12 Certificates:
    Step 1: Select radio button "Certificate" in the Phase 1 window and click on "Certificates Import".
    Step 2: Select "Certificate from a PKCS#12 file" in the list box, then click on the "Import" button.
    Step 3: Select the PKCS#12 Certificates you want to import. If the PKCS#12 Certificate is protected, enter the password in the password pop-up window. Once the Certificate is correctly imported its subject is automatically displayed in the top fields of the Certificates
51. or IP Range. When choosing Subnet address, the two fields Remote LAN address and Subnet mask become available. When choosing IP Range, the two fields Start address and End address become available, enabling TheGreenBow IPSec VPN Client to establish a tunnel only within a range of predefined IP addresses. The range of IP addresses can be just one IP address. In case the remote end point is a single computer, choose Single Address. When choosing Single address, only the field Remote host address is available.
    Remote address: This field may be Remote host address or Remote LAN address, depending on the address type. It is the remote IP address or LAN network address of the gateway that opens the VPN tunnel.
    Subnet mask: Subnet mask of the remote LAN. Only available when address type is equal to Subnet address.
    ESP encryption: Encryption algorithm negotiated during IPSec phase (3DES, AES).
    ESP authentication: Authentication algorithm negotiated during IPSec phase (MD5, SHA).
    ESP mode: IPSec encapsulation mode: tunnel or transport.
    PFS group: Diffie-Hellman key length.
    Open Tunnel: This button allows to open the tunnel. This button changes to "Close Tunnel" as soon as the tunnel is opened.
    Scripts: Scripts may be configured in the Script configuration window.
    Note: IP Range feature
52. ould be retransmitted before giving up.
    Delay between retries: Minimum time before any attempts by user to restart IKE negotiation.
    Block non ciphered: When this option is checked, only encrypted connection traffic is authorized.
    IKE Port: User can change port number for IKE negotiation. Exchanges are still on UDP, but they can be on another port than 500, as some firewalls do not allow IKE Port 500. The remote gateway must support this feature.
    Dead Peer Detection (i.e. DPD) is an Internet Key Exchange (IKE) extension (i.e. RFC3706) for detecting a dead IKE peer. TheGreenBow IPSec VPN Client is using DPD:
    - to delete opened SA in the VPN Client when peer has been detected dead
    - to re-start IKE negotiations with the Redundant Gateway, if activated in the Phase1 Advanced Configuration Panel
    Once the parameters are set, click on "Save & Apply" to save and to take into account the new configuration.
    6.6 VPN Tunnel View
    6.6.1 How to view opened tunnels
    Tunnel View screen shows VPN tunnels currently opened. This screen may also be used to close opened tunnels. To close a VPN tunnel, select the tunnel in the list and click on "Close Tunnel". Tunnels may also be viewed, opened and closed directly from the context menu of the system tray icon.
53. ows logon this mode can be used for secure remote login
    - Start IPSec VPN Client software after MS Windows logon
    - Don't start IPSec VPN Client when start MS Windows: IPSec VPN Client is launched by user or from a script (manual mode)
    Miscellaneous: "Disable detection of interface disconnection" allows the IPSec VPN Client to maintain tunnels opened while the network interface disconnects momentarily but very often. This type of behavior occurs when the interface used to open tunnels is unstable, such as WiFi, GPRS and all 3G interfaces.
    4.5 Connection Panel
    The Connection Panel enables users to open, close and get clear information about every tunnel that has been configured. This is all the end user needs to open and close tunnels. This feature clearly helps both IT Managers, who configure the VPN connections, and users, who only open or close VPN connections with their own usage. The Connection Panel is made of several elements:
    - An animated network diagram showing information on current tunnel (top)
    - A list of all configured tunnels with open/close button (below diagram)
    It's always possible to switch from the Connection Panel to the Configuration Panel through the system menu (menu "Configuration Panel") or via the shortcut Ctrl+P (see section Shortcuts).
54. r not depending on the presence of a valid VPN USB stick.
    - The central box gives some information about VPN Client Software status (e.g. opening tunnel in progress, saving configuration rules in progress, VPN Client start-up in progress).
    - The light box (right side) gives some information about tunnels, e.g. Green light means at least one tunnel is open. Gray light means no tunnel.
    4.4.3 Windows About
    The About window provides the VPN Client software version and software activation information. There is also a URL to our web site.
    [Screenshot: About window]
    4.4.4 Access Control & Hidden Interface
    This feature is especially designed for IT Managers. It enables to lock the access to the Configuration Panel and to restrict with password the use of the IPSec VPN Client to the Connection Panel and/or to the systray menu. Therefore users cannot modify the VPN Configuration anymore and misconfigurations are avoided. Once configured, the user will be asked for the password: 1. when he click
55. ration procedure is completed
    [Screenshot: wizard summary window listing tunnel name, remote equipment, IP or name of this equipment, preshared key, IP address of the remote network and subnet mask]
    6.2 VPN Tunnel Configuration
    6.2.1 How to create a VPN Tunnel
    To create a VPN tunnel from the Configuration Panel (without using the Configuration Wizard), you must follow the following steps:
    1. Right-click on "Configuration" in the tree list window and select "New Phase 1".
    2. Configure Authentication Phase (Phase 1).
    3. Right-click on the new Phase 1 in the tree control and select "Add Phase 2".
    4. Configure IPSec Phase (Phase 2).
    5. Once the parameters are set, click on "Save & Apply" to take into account the new configuration. That way the IKE service will run with the new parameters.
    6. Click on "Open Tunnel" for establishing the IPSec VPN tunnel (only in IPSec Configuration window).
    Please refer to Phase 1 and Phase 2 for settings descriptions.
    6.2.2 Multiple Authentication or IPSec Configuration Phase
    Several Authentication Phases (Phase1) can be
56. Once the SmartCard is successfully read, information about the SmartCard Reader and the SmartCard are displayed in the text area below the list box, while the subjects of the Certificates are displayed in the top two fields of the window.
    [Screenshot: Certificates Import window showing the Root Certificate and User Certificate subjects and the selected SmartCard Reader]
    Step 4: SmartCard Reader information will be stored in the VPN Configuration file as soon as you click on "Save & Apply".
    6.8.4.2 How to use a tunnel with Certificates from a SmartCard
    When a tunnel is configured to use Certificates from a SmartCard, the PIN code of the SmartCard is asked to the user each time the tunnel must be opened, except on automatic VPN renegotiations. Thus, to open a tunnel with Certificates from a SmartCard, it is required to have: 1. The SmartCard reader correctly installed and configured in the IPSec
57. running or not. When the VPN Client is already running, it imports dynamically the new configuration and automatically applies it (i.e. restarts the IKE service). If the VPN Client is not running, it is launched with the new configuration.
    importonce: allows to import a VPN configuration file without running the VPN Client. This command is especially useful in installation scripts: it allows to run a silent installation and to import a configuration automatically.
    export: exports the current VPN Configuration (including certificates) in the specified file. This command runs the VPN Client if it is not already running. This command doesn't handle relative paths (e.g. file.tgb).
    exportonce: exports the current VPN Configuration (including certificates) in the specified file. This command doesn't run the VPN Client if it is not running.
    All 4 arguments (import, importonce, export and exportonce) are exclusive and cannot be used together.
    8 Console and Logs
    8.1 Console Windows
    The Console window is available from the context menu of the systray icon or from the Console button in the configuration user interface. This window
58. s or double clicks on the systray IPSec VPN Client icon 2. when he switches from the Connection Panel to the Configuration Panel.
    [Screenshot: Access Control window: "Please enter your password to open the VPN Configuration Panel"]
    This password may be configured as an option of the setup (see section Setup options). The Access Control Window, available through the menu View > Configuration in the Configuration Panel, also enables to configure the systray menu items. Thus the IT Manager can restrict the Software access from a full access to a completely hidden interface.
    [Screenshot: GUI Access Control window with Password and Confirm fields and the systray menu items Save & Apply, Console, Connections, Quit]
    To remove the access control, just empty both fields Password and Confirm, then click OK.
    Note: The Quit item for the systray menu is disabled in the standard version of the software. It can nevertheless be removed during the software setup through the setup option menuitem (see section Setup option). The access control with a password only concerns the Configuration Panel. The access to the
59. [Table of contents, fragment]
    3 Linux Appliance Support
    4 TheGreenBow IPSec VPN Client Features
    5 OEM and Software rebranding
    Part I Installing TheGreenBow IPSec VPN Client
    1 Software Installation
    2 Software Evaluation
    3 Temporary Software License
    4 Software Activation
       Software Activation Wizard
       Step 1 of 2: Enter License Number
       Step 2 of 2: Online Activation
       Activation Troubleshooting
60. Note: At this stage, if a USB Stick containing a VPN configuration with VPN security elements is already plugged in, the associated drive will be automatically recognized. Please note also that it is not necessary to insert a USB Stick during this step. In case no USB Stick is plugged in, the following pop-up window will inform the user: "No VPN USB stick are detected. A USB stick will be automatically detected when it will be plugged in. If it is already plugged in, please remove it and plug it again."
    Once USB mode is set on, the left side box in the status bar shows a USB stick icon. The USB Stick icon is plain when a USB Stick is plugged in. The USB Stick icon is gray when no USB Stick is plugged in.
    How to enable a new USB Stick
    A new USB Stick (no data) is enabled by copying VPN configuration and security elements onto it. When you insert a new USB Stick, the IPSec VPN Client automatically proposes to enable the USB Stick through the following options:
    - Copying the VPN configuration and security elements onto the USB Stick: the VPN Client will copy the security information onto the USB Stick and leave a copy in the computer. This feature is specially designed for IT Managers to enable multiple USB Sticks for multiple users in no time
61. ssible to use TheGreenBow IPSec VPN Client during the evaluation period (i.e. limited to 30 days) by clicking on the "Evaluate" button. When the IPSec VPN Client is in Evaluation mode, the register window appears at each start of the IPSec VPN Client. Evaluation period is displayed into the orange bar above. Once evaluation period expires, Evaluation button is no longer available and the software is disabled.
    [Screenshot: Activation Wizard window, evaluation period over, with the buttons Quit, Evaluate, Activate]
    2.3 Temporary Software License
    A Temporary Software License Number may be provided for test purpose. The period of validity is between 1 and 35 weeks. To receive a Temporary Software License Number, you can contact our sales team: sales@thegreenbow.com. The validity period of the Temporary Software License Number and the remaining time of use are shown in the first popup window of the IPSec VPN Client. At the end of the validity period, the software cannot be run.
62. sues
    9 Software Localization
    The localization (L10N) of the IPSec VPN Client is now possible, even by a third party company. All the strings used by the VPN Client are listed in a Translation tool, ready for translation.
    Step 1: Download the VPN Client Translation tool from our website.
    Step 2: Translate the strings into your own language.
    Step 3: Send us back the translated VPN Client string file to support@thegreenbow.com.
    Step 4: We will include your language into the next Generally Available (GA) Product release of the IPSec VPN Client.
    See on our website who is contributing already. The whole translation process is also described at www.thegreenbow.com/vpn_local.html
    10 Contacts
    Information and update are available at www.thegreenbow.com. Technical support by email at support@thegreenbow.com. Sales support by email at sales@thegreenbow.com.
63. t from X509 local Remote ID
    Note: The PEM file enclosing the private key must not be encrypted or protected with a password.
    6.8.4 Smart Card and Token Management
    6.8.4.1 How to configure a tunnel with Certificates from a SmartCard
    TheGreenBow IPSec VPN Client can read Certificates from Smart Cards. Smart Cards can be used for securing X509 certificates that can be protected by a PIN code. Here are the steps to configure a tunnel using Certificates from Smart Cards:
    Step 1: Select radio button "Certificate" in the Phase 1 window and click on "Certificates Import".
    Step 2: Select "Certificate from a SmartCard" in the list box. The bottom part of the window shows a list of SmartCard Reader.
    [Screenshot: Certificates Import window with the list box options Certificate from a PKCS#12 file, Certificate from a PEM file, Certificate from a SmartCard]
    Step 3: Select the SmartCard Reader you want to use. The SmartCard Reader identification process starts and a PIN code may be required. Enter your SmartCard PIN code and click OK.
64. th the remote gateway.
    Redundant GW: This allows the VPN Client to open an IPSec tunnel with an alternate gateway in case the primary gateway is down or not responding. Enter either the IP address or the url of the Redundant Gateway (e.g. router.dyndns.com).
    - TheGreenBow VPN Client will contact the primary gateway to establish a tunnel. If it fails after several tries (default is 5 tries, configurable in "Parameters" panel > "Retransmissions" field), the Redundant Gateway is used as the new tunnel endpoint. Delay between two retries is about 10 seconds.
    - In case primary gateway can be reached but tunnel establishment fails (e.g. VPN configuration problems), then the VPN Client won't try to establish tunnels with the redundant gateway. Configurations need modifications.
    If a tunnel is successfully established to the primary gateway with DPD feature (i.e. Dead Peer Detection) negotiated on both sides, when the primary gateway stops responding (e.g. DPD detects non-responding remote gateways) the VPN Client immediately starts opening a new tunnel with the redundant gateway. The exact same behaviour will apply to the redundant gateway. This means that the VPN Client will try to open primary and redundant gateway until the user exits software or click on Save & Apply
65. [Screenshot: Tunnels view window]
    6.7 USB Mode
    6.7.1 What is USB Mode
    TheGreenBow VPN Client brings the capability to secure VPN configurations and VPN security elements (e.g. PreShared key, Certificates) by the use of a USB Stick. When you select USB mode, the VPN configuration and security elements contained into the configuration are stored onto the USB Stick the first time you plug it in. Once done, you just need to insert the USB Stick to automatically open tunnels. And you just need to unplug the USB Stick to automatically close all established tunnels.
    6.7.2 How to set USB Mode
    The USB Mode can be set by clicking on the USB Stick icon in the status bar of the Configuration Panel, or via the menu:
    - Select menu "File" > "VPN Configuration File"
    - Select "USB Stick"
    [Screenshot: VPN Configuration file location window]
