
Advanced Settings:

In document IPSec XAUTH How To. Version 8.0.0 (Page 41-50)

1. Click on the P1 Advanced button (see Figure 4.22, “General Phase 1 Settings”).

2. Do not enable Config Mode.

3. Do not enable Aggressive Mode (insecure).

4. Do not enter a Redundant Gateway.

5. Set NAT-T (NAT Traversal) to Automatic.

6. Enable X-Auth Popup.

7. Do not enable Hybrid Mode.

8. Select Subject from X509. Keep the suggested value for the ID.

9. Select any Remote ID, e.g. KEY ID or leave this field blank (default). Do not set a value for the ID.

10. Click on OK.

11. Click on Save & Apply (see Figure 4.22, “General Phase 1 Settings”).

Figure 4.24. Phase 1 - Advanced Settings

Creating a new Phase 2:

1. Go to the main screen (see Figure 4.22, “General Phase 1 Settings”) and select the created Phase 1 Definition.

2. Right-click on the Phase 1 Definition.

3. Click on Add Phase 2 as shown below.

Phase 2 Configuration:

1. Enter a name for the Phase 2 Definition, e.g. Tunnel 1.

2. Enter a VPN Client IP Address, e.g. 192.168.1.110. Make sure this IP address is not used in the LAN of the AXS GUARD you are connecting to. If you are unsure about the IP address, use one in another range, e.g. 10.0.0.5.

3. Enter the Remote LAN IP address (network address) of the AXS GUARD as entered in Section 4.2.2.4, “Phase 1 Settings”, e.g. 192.168.11.0.

4. Enter the subnet mask of the AXS GUARD LAN as entered in Section 4.2.2.4, “Phase 1 Settings”, e.g. 255.255.255.0.

5. Set the ESP encryption to AES 128.

6. Set the ESP authentication to SHA-1.

7. Set the Mode to Tunnel.

8. Enable PFS.

9. Set the DH Group to DH5.

10. Click on Save & Apply.

Figure 4.26. Phase 2 Configuration

Phase 2 Advanced Settings:

1. Click on the P2 Advanced button (see Figure 4.26, “Phase 2 Configuration”).

2. Do not check any option under Automatic Open Mode.

3. Enter the IP address of the DNS server, e.g. 192.168.11.254. This is the LAN IP address of the AXS GUARD (see tip below).

4. Do not enter a WINS Server.

5. Click on OK.

6. Click on Save & Apply (see Figure 4.26, “Phase 2 Configuration”).

Figure 4.27. Phase 2 Advanced Settings

• To view the LAN IP address of your AXS GUARD, navigate to: Network > Devices > Eth and click on the appropriate secure device.

• You may also use the Active Directory DNS in your network, if available.

4.2.3.3. Testing your Connection

1. Start the GreenBow IPsec Client.

2. Click once on the Phase 2 Definition, e.g. Tunnel1 as shown below.

3. Click on Open Tunnel.

Figure 4.28. Starting the IPSec Tunnel

4. Enter your user credentials (i.e. user name and DIGIPASS OTP) in the authentication screen as shown below. The tunnel should start almost immediately.

Figure 4.29. Starting the IPSec Tunnel

5. Once the tunnel is up (see below), open a Windows command prompt (Navigate to Start > Run and type cmd followed by enter).

6. Ping the LAN IP address or DNS name of the AXS GUARD, e.g. ping 192.168.11.254.

7. Test your DNS settings by pinging the internal host name of the AXS GUARD.

Figure 4.30. Tunnel Status

• If you can ping the IP address of the AXS GUARD, but not the host name, the problem is DNS-related. Verify the DNS configuration settings of your client if necessary.

• If you are using an Active Directory (AD) DNS server, make sure that the internal host name of the AXS GUARD is correctly added to its DNS repository. Consult the documentation of your AD server if necessary.

Chapter 5. Troubleshooting

I cannot start the tunnel or the tunnel does not open.

1. Check the AXS GUARD IPsec logs, as explained in the AXS GUARD IPSec How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

2. Check the Windows firewall settings. Make sure the firewall is not blocking traffic towards UDP ports 500 and 4500.

3. If a dedicated software firewall is installed on the client, e.g. ZoneAlarm, make sure it is not blocking traffic towards UDP ports 500 and 4500 and that IP protocol 50 (ESP) is allowed. Consult your firewall’s troubleshooting documentation if necessary.

4. Check the firewall settings of your client’s gateway. The gateway should allow traffic to the following UDP ports: 500, 4500. (Some gateways refer to this as VPN Passthrough).

5. Make sure NAT traversal is enabled on the client’s gateway (VPN Passthrough).

6. Check the allowed protocols on the client’s gateway. IP protocol 50 (ESP) should be allowed.

7. Check the Phase 1 (IKE) parameters. They should match the Phase 1 parameters of the AXS GUARD, e.g. the encryption Algorithm, the Hashing Algorithm, the authentication Method (X.509), etc. If you are prompted for authentication, but are unable to proceed, it is more than likely that your Phase 2 parameters contain errors.

8. Check the Phase 2 (ESP) parameters. They should match the Phase 2 parameters of the AXS GUARD, e.g. the DH Group, the encryption Algorithm, etc.

9. The local parameters on the AXS GUARD are the remote parameters of the IPsec Client and vice versa. Make sure they are properly mirrored.

10. If using DIGIPASS authentication, make sure the user has been assigned a DIGIPASS and is allowed to authenticate for IPSec, as explained in the AXS GUARD Authentication How To, which is accessible by clicking on the permanently available Documentation button in the Administrator Tool.

11. If you purchased and enabled the AXS GUARD IPS Module, check the IPS logs for blocked traffic on UDP ports 4500 and 500.

• The AXS GUARD only supports IPSec in Tunnel Mode. This is the most secure option. AH (IP protocol 51) is not supported.

• Some countries, Internet Service Providers and intermediate networks do not allow IPSec traffic. You will not be able to establish a connection if this is the case.
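The checks in steps 7 to 9 above (Phase 1 and Phase 2 parameters must match, local/remote parameters must be mirrored, and the VPN Client IP must not fall inside the AXS GUARD LAN) can be automated before you start the tunnel. The following script is an added example, not part of this how-to: the client values are the ones prescribed in this chapter, while the AXS GUARD definition and the dictionary layout are constructed assumptions (take the real gateway values from Section 4.2.2.4).

```python
import ipaddress

# Constructed example values: the client settings are the ones this how-to
# prescribes; the AXS GUARD side is an assumed definition mirroring them
# (take the real values from Section 4.2.2.4, "Phase 1 Settings").
AXSGUARD = {
    "phase1": {"auth": "X.509", "aggressive_mode": False, "nat_t": "automatic"},
    "phase2": {"encryption": "AES 128", "authentication": "SHA-1",
               "mode": "Tunnel", "pfs": True, "dh_group": "DH5"},
    "local_lan": "192.168.11.0/255.255.255.0",  # the AXS GUARD's own LAN
    "remote_ip": "192.168.1.110",                # the peer it expects: the client
}
CLIENT = {
    "phase1": {"auth": "X.509", "aggressive_mode": False, "nat_t": "automatic"},
    "phase2": {"encryption": "AES 128", "authentication": "SHA-1",
               "mode": "Tunnel", "pfs": True, "dh_group": "DH5"},
    "remote_lan": "192.168.11.0/255.255.255.0",  # mirrored: the gateway's local LAN
    "vpn_client_ip": "192.168.1.110",            # mirrored: the gateway's remote IP
}
# A deliberately broken client: wrong DH group, VPN Client IP inside the remote LAN.
BAD_CLIENT = {**CLIENT,
              "phase2": {**CLIENT["phase2"], "dh_group": "DH2"},
              "vpn_client_ip": "192.168.11.110"}


def check_mirroring(gw, cl):
    """Return human-readable mismatches; an empty list means the client
    definition mirrors the AXS GUARD definition."""
    problems = []
    for phase in ("phase1", "phase2"):          # steps 7 and 8: parameters must match
        for key, gw_val in gw[phase].items():
            cl_val = cl[phase].get(key)
            if cl_val != gw_val:
                problems.append(f"{phase}: {key} is {cl_val!r} on the client "
                                f"but {gw_val!r} on the AXS GUARD")
    if cl["phase1"].get("aggressive_mode"):     # Advanced Settings step 3
        problems.append("phase1: Aggressive Mode is enabled on the client (insecure)")
    gw_lan = ipaddress.ip_network(gw["local_lan"], strict=False)
    cl_lan = ipaddress.ip_network(cl["remote_lan"], strict=False)
    if gw_lan != cl_lan:                        # step 9: local <-> remote
        problems.append(f"remote LAN {cl_lan} does not match the AXS GUARD LAN {gw_lan}")
    client_ip = ipaddress.ip_address(cl["vpn_client_ip"])
    if client_ip in gw_lan:                     # Phase 2 Configuration step 2
        problems.append(f"VPN Client IP {client_ip} lies inside the AXS GUARD LAN "
                        f"{gw_lan}; use another range, e.g. 10.0.0.5")
    if client_ip != ipaddress.ip_address(gw["remote_ip"]):
        problems.append(f"VPN Client IP {client_ip} is not the remote IP "
                        f"{gw['remote_ip']} configured on the AXS GUARD")
    return problems


if __name__ == "__main__":
    for name, cfg in (("client", CLIENT), ("bad client", BAD_CLIENT)):
        print(name, "->", check_mirroring(AXSGUARD, cfg) or ["OK"])
```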

I can start the tunnel, but I am unable to access the remote LAN (Shrew Soft Client)

1. Make sure you entered the correct network resource in the Policy. Refer to the Shrew Soft IPsec Client’s documentation if necessary.

2. Once the network resource has been updated, start the tunnel again and verify whether you can ping the AXS GUARD LAN IP.

3. Verify the Virtual Adapter’s IP Address. Try an IP address in a different range than the AXS GUARD LAN.

4. Verify the Firewall settings on the AXS GUARD.

5. If the problem persists, consult the Shrew Soft online Documentation.

I can start the tunnel, but I am unable to access the remote LAN (GreenBow Client)

1. Verify the VPN Client Address. Try an IP address in a different range than the AXS GUARD LAN.

2. Verify the Firewall settings on the AXS GUARD.

3. If the problem persists, consult the GreenBow online Documentation.

The user cannot authenticate

1. Make sure there is no Authentication Restriction for the user (see the AXS GUARD Authentication How To, which can be accessed by clicking on the permanently available Documentation button in the Administrator Tool).

2. If DIGIPASS Authentication is enforced, test the user’s DIGIPASS (Authentication > VASCO DIGIPASS > DIGIPASS).

3. Make sure the user can log in (User login is enabled, as shown below).

Figure 5.1. User Login Enabled

The GreenBow client throws an XAUTH error while the AXS GUARD credentials are correct.

If the AXS GUARD IPSec log shows the following, but the client shows an XAUTH warning:

15:08:44 pluto[28587] XAUTH: pam authentication being called to authenticate user xyz

15:08:44 pluto[28587] XAUTH: User xyz: Authentication Successful

1. In the GreenBow menu, select Tools.

2. Then select "Reset IKE".

3. Restart the tunnel.

Chapter 6. Support

6.1. If you encounter a problem

If you encounter a problem with a VASCO product, follow the steps below:

1. Check the troubleshooting section of the feature-specific manual.

2. Check the knowledge base for information on known issues, i.e. http://www.vasco.com/support.

3. Check the white papers section on http://documentation.axsguard.net/manuals/Gatekeeper/8.0.0/ for information about special configurations.

4. If no solution is available in any of the above sources, contact your VASCO supplier.

For additional information about support capabilities, visit: http://www.vasco.com/support/support_services/types_of_customes.aspx

6.2. RMA Procedures for Replacement

6.2.1. Information needed by VASCO Support

Prior to contacting VASCO Support, we kindly ask you to collect the information below. This will allow our services to save time and ensure a swift replacement of the defective unit.

• Customer’s Name / Company Name

• Serial number of the defective AXS GUARD

• License number of the defective AXS GUARD

• Reseller’s Name

• Serial number of the spare unit

• License number of the spare unit

• Return delivery address for the spare unit

6.2.2. How to request an RMA Number

If your AXS GUARD appliance has a hardware defect and you have collected all the information listed above, contact the VASCO support department either by phone or by e-mail to request an RMA number.

Once your request has been received by VASCO, it will be carefully examined by our support engineers before an RMA number is assigned. Please note that replacement requests must have a valid RMA number before they can be processed by our production facility.

• VASCO Support Phone: (+32) 2-609-9770

• VASCO Support E-mail: [email protected]
