2 VPNC Interoperability Profile
Copyright Notice
Copyright 2004-2010, Barracuda Networks www.barracuda.com
v4.x-090623-06-1119
All rights reserved. Use of this product and this manual is subject to license. Information in this document is subject to change without notice.
Contents
Chapter 1 - Overview Scenario 1 . . . 5
General . . . 6
VPNC Scenario 1 Overview . . . 6
Chapter 2 - Connecting the Hardware . . . 7
General . . . 8
Chapter 3 - Barracuda NG Admin . . . 9
General . . . 10
Logging In . . . 10
Barracuda NG Admin User Interface . . . 10
Chapter 6 - Server and Services . . . 19
What is a Server? . . . 20
What is a Service? . . . 20
Introducing a Server . . . 20
Introducing a Service . . . 20
Chapter 7 - Firewall Configuration . . . 23
General . . . 24
Firewall Rule for Traffic Between 10.5.6.0/24 and 172.23.9.0/24 . . . 24
Chapter 8 - VPN Configuration . . . 27
Creating a Server Certificate . . . 28
Introducing the IPSec Tunnel . . . 28
Chapter 9 - Testing and Diagnostics . . . 31
Global Status . . . 32
Network Status . . . 32
VPN Status . . . 33
Network ICMP Ping . . . 33
Chapter 1
Overview Scenario 1
1.1 General
This document describes how to configure a Barracuda NG Firewall 5.0 to implement the scenarios described by the VPN Consortium’s Interoperability specification.
The specification scenarios were developed by the VPN Consortium. Please refer to Documentation Profiles for IPsec Interoperability (http://www.vpnc.org/InteropProfiles/Interop-01.html).
1.2 VPNC Scenario 1 Overview
• Gateway A (Barracuda NG Firewall)
  • Internal interface: eth0
  • External interface: eth1
  • Internal IP address of interface eth0: 10.5.6.1
  • External IP address of interface eth1: 14.15.16.17
  • VPN network behind gateway A: 10.5.6.0/24
• Gateway B (interoperable device)
  • Internal IP address of interface eth0: 172.23.9.1
  • External IP address of interface eth1: 22.23.24.25
  • VPN network behind gateway B: 172.23.9.0/24
• WAN Connection
  • Gateway A reaches the internet via a gateway with the IP address: 14.15.16.1
The procedures described within this document may not accurately apply to boxes running older versions of Barracuda NG Firewall. Barracuda Networks recommends using this document only with the latest Barracuda NG Firewall firmware 5.0.
Chapter 2
Connecting the Hardware
2.1 General
Based on the guidelines of the VPNC Interoperability Profile, the Barracuda NG Firewall 5.0 uses the following configuration:
• Management IP address: 10.5.6.10
• Management interface: eth0
• External interface: eth1
1. Connect one end of a crossover CAT5 ethernet cable to the management port (eth0) of the Barracuda NG Firewall.
2. Connect the other end of the CAT5 ethernet cable to the workstation used to manage the Barracuda NG Firewall.
3. Modify the network settings of the workstation so that it is in the same subnet as the Barracuda NG Firewall.
Chapter 3
Barracuda NG Admin
3.1 General
The Barracuda NG Admin application (delivered with your Barracuda NG Firewall software) is the tool to administer Barracuda NG Firewall gateways as well as Barracuda NG Control Centers. It acts as a stand-alone executable and does not need to be installed at the workstation.
3.2 Logging In
1. Launch the Barracuda NG Admin application.
2. Select Box in the upper area of the login dialog.
3. Type 10.5.6.10 within the Box-Address field.
4. Type root within the Login field.
5. Enter the root password into the Password field. Click the Login button. In case this is the first login to the Barracuda NG Firewall, proceed by clicking Trust Key within the appearing window.
3.3 Barracuda NG Admin User Interface
The User Interface is divided into five functional sections.
• Box Tabs
  The Box Tabs allow switching between all currently connected Barracuda NG Firewall boxes or Control Centers.
• Ribbon Bar
  The Ribbon Bar is the main navigation and operation utility for the currently connected Barracuda NG Firewall or Control Center.
• Main Window
• Mini Map
• Status Bar
Fig. 3–2 Barracuda NG Admin Interface
Chapter 4
Network Configuration
4.1 Interfaces
In this scenario, the internal and external interfaces are defined as listed below:
• Internal interface: eth0 (the internal interface additionally acts as the management interface)
• External interface: eth1
4.1.1 Internal Interface (Management Interface / eth0)
The management interface may, if necessary, be configured by following these steps:
1. Navigate to Config > Network.
2. Click Lock to enable configuration mode.
3. Modify the Management IP (MIP) and the Associated Netmask.
4. Confirm the modifications by clicking Send Changes, followed by Activate.
5. Navigate to Control, then open the Box tab. Click Activate New within the Network Configuration view and click Force within the appearing window.
4.2 Routing
4.2.1 Device Route for the External Interface (eth1)
1. Connect the external interface (eth1) of the Barracuda NG Firewall to the internet.
2. Navigate to Config > Network.
3. Click Lock to enable configuration mode.
4. Click the Network Routes link on the left side of the window.
5. Click Insert to introduce routes to the Main Routing Table.
6. Type a Name for the route within the appearing window (e.g.: 14-15-16-0) and confirm it by clicking OK...
7. In the appearing window, set the following values:
   • Target Network Address: 14.15.16.0/24
   • Route Type: direct
   • Interface Name: eth1
9. Navigate to Control and open the Box tab.
10. Click Activate New in the Network Configuration view and click Force within the appearing window.
4.3 Gateway Route for the WAN Network
1. Navigate to Config > Network.
2. Click Lock to enable configuration mode.
3. Click the Network Routes link on the left side of the window.
4. Click Insert to introduce routes to the Main Routing Table.
5. Insert a Name for the route within the appearing window (e.g.: 22-23-24-0) and confirm by clicking OK...
6. In the appearing window, set the following values:
   • Target Network Address: 22.23.24.0/24
   • Route Type: gateway
   • Gateway: IP Address of the default gateway (in this scenario, the default gateway is 14.15.16.1)
9. Click Activate New within the Network Configuration view and click Force within the appearing window.
Fig. 4–3 Network User Interface
Chapter 5
Licensing
5.1 General
Operating a Barracuda NG Firewall without a valid license allows only an encryption level of DES or no encryption at all.
5.2 License Import
1. Navigate to Config > Box Licenses.
2. Click Lock to enable configuration mode.
3. Click Import and choose Import from File... in the appearing list.
4. Use the appearing file browser to navigate to the location of the license (*.lic) file.
5. Confirm the Certificate View window by clicking OK. Accept the End User License Agreement by selecting I Agree and then clicking OK.
6. After installing all necessary licences, navigate to Config > Box Properties and set the Encryption Level to Full-Featured-Encryption.
7. Move to Control > Box and click the button Barracuda Restart. This command restarts all modules to guarantee that the installed licences are loaded correctly by each module of the Barracuda NG Firewall.
Chapter 6
Server and Services
6.1 What is a Server?
The so-called Virtual Servers represent the network addresses under which certain services are available. Since a server may, for high availability purposes, be assigned to more than one box, the traditional notion of a server as a piece of hardware is extended by this concept. The server entity belongs to what we refer to as the logical layer.
6.2 What is a Service?
A service provides the required functionality; each service is implemented by a software module. For example, the VPN service, responsible for all kinds of VPN functionality, is a typical service within the server-and-service concept of Barracuda NG Firewalls.
6.3 Introducing a Server
1. Navigate to Config > Virtual Servers.
2. Right-click the Virtual Servers configuration node and choose Create Server... within the context menu.
3. In the appearing window, set the following values:
   • Server Name: vpnc
   • Active Box: This-Box
   • Backup Box: No-Backup
   • Encryption Level: Full-Featured-Encryption
   • First-IP [S1]: 14.15.16.17 (IP address of the external interface eth1)
   • Second-IP [S2]: 10.5.6.1 (IP address of the internal interface eth0)
4. Click Finish to complete the server configuration.
5. Confirm the modifications by clicking Send Changes followed by Activate.
6.4 Introducing a Service
A virtual server must have been introduced successfully before a specific service can be introduced. In this scenario, a Firewall and a VPN service are needed to set up a working IPSec VPN connection between two peers.
6.4.1 Create a Firewall Service
1. Navigate to Config > Virtual Servers > vpnc > Assigned Services.
2. Right-click the Assigned Services configuration node, then choose Create Service... within the context menu.
3. In the appearing window, set the following values:
   • Disable Service: no
   • Service Name: FW
   • Software Module: Firewall
   • Service Availability: All-IPs
4. Click Finish to complete the service configuration.
5. Confirm the modifications by clicking Send Changes followed by Activate.
6.4.2 Create a VPN Service
1. Navigate to Config > Virtual Servers > vpnc > Assigned Services.
2. Right-click the Assigned Services configuration node, then choose Create Service... within the context menu.
3. In the appearing window, set the following values:
   • Disable Service: no
   • Service Name: VPN
   • Software Module: VPN-Service
   • Service Availability: First+Second-IP
4. Click Finish to complete the service configuration.
Chapter 7
Firewall Configuration
7.1 General
By default, the firewall service is configured to block all traffic reaching the Barracuda NG Firewall. In order to allow specific traffic to pass, the firewall ruleset needs to be adjusted.
7.2 Firewall Rule for Traffic Between 10.5.6.0/24 and 172.23.9.0/24
1. Navigate to Config > Virtual Servers > vpnc > Assigned Services > FW (firewall) > Forwarding Rules.
2. Double-click the Forwarding Rules configuration node to open the Forwarding Firewall Ruleset.
3. Click Lock to enable configuration mode.
4. Right-click into the firewall ruleset table and choose New... within the appearing context menu.
5. In the appearing window, set the following values:
   • Rule Type: Pass
   • Source: <explicit-src>
     • Right click within the Source table and choose Edit... in the appearing context menu.
     • Type 10.5.6.0/24 into the IP field (Entry section) and click New and close the window by clicking OK.
   • Service: ALL
   • Destination: <explicit-dest>
     • Right click within the Destination table and choose Edit... in the appearing context menu.
     • Type 172.23.9.0/24 into the IP field (Entry section) and click New and close the window by clicking OK.
6. Drag the newly created firewall rule on top of the firewall ruleset.
Chapter 8
VPN Configuration
8.1 Creating a Server Certificate
1. Navigate to Config > Virtual Servers > vpnc > Assigned Services > VPN(vpnserver) > VPN Settings.
2. Click Lock to enable configuration mode.
3. Open the Settings tab, then click the Click here for Server Settings link.
4. In the Default Server Certificate section, click Ex/Import, then choose New/Edit Certificate.
5. Fill in all editable information in the appearing Certificate View dialogue according to your organisation. Then confirm the form by clicking OK.
6. Generate a Default Key by clicking Ex/Import. Choose New 1024-Bit RSA Key.
7. Assign the public key to the self-signed certificate and generate the key by confirming the appearing window with Yes.
8. Confirm the modifications by clicking Send Changes, followed by Activate.
8.2 Introducing the IPSec Tunnel
1. Navigate to Config > Virtual Servers > vpnc > Assigned Services > VPN(vpnserver) > Site to Site.
2. Click Lock to enable configuration mode.
3. Open the IPSEC Tunnels tab.
4. Right-click into the IPSec tunnels list and choose New IPSec tunnel from the context menu.
8.2.1 General Tunnel Settings
8.2.2 IPSec Phase1
9. Encryption: 3DES
10. Hash Meth.: SHA
11. DH-Group: Group2
12. Lifetime [sec]: 28800
8.2.3 IPSec Phase2
13. Encryption: 3DES
14. Hash Meth.: SHA
15. DH-Group: Group2
16. Lifetime [sec]: 3600
8.2.4 Networks
17. Enter 10.5.6.0/24 into the Network Address field and insert it to the Local list by clicking the Add button on the left side.
18. Enter 172.23.9.0/24 into the Network Address field and insert it to the Remote list by clicking the Add button on the right side.
8.2.5 Authentication
19. Open the Authentication tab of the IPSec Tunnel dialogue.
20. Set Identification Type to Shared Passphrase.
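The Phase 1 and Phase 2 values entered above only yield a tunnel when gateway B proposes the same algorithms. The following added example (not part of this document or of the Barracuda product) models that check in simplified form: algorithms must match exactly, and a proposed lifetime is accepted when it lies inside a local acceptance window, which for this site-to-site tunnel is the exact configured value. The peer proposals and the Proposal/PhasePolicy names are constructed for illustration.

```python
"""Simplified IKEv1 proposal compatibility check for the VPNC Scenario 1 tunnel.

Constructed example: models gateway A with the Phase 1 / Phase 2 values from
sections 8.2.2 and 8.2.3 and checks a hypothetical peer's proposals against
them. Algorithm names are the labels used in the dialogs, not IANA identifiers,
and the lifetime window is a simplification of real IKE lifetime negotiation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    encryption: str
    hash_method: str
    dh_group: str
    lifetime: int          # seconds


@dataclass
class PhasePolicy:
    """Local policy for one phase: algorithms must match exactly; the peer's
    lifetime is accepted when it falls inside [lifetime_min, lifetime_max]."""
    local: Proposal
    lifetime_min: int = 0
    lifetime_max: int = 0

    def __post_init__(self):
        # Without an explicit window, require exactly the configured lifetime.
        if self.lifetime_min == 0 and self.lifetime_max == 0:
            self.lifetime_min = self.lifetime_max = self.local.lifetime

    def check(self, peer: Proposal) -> list:
        """Return a list of mismatch descriptions (empty means compatible)."""
        problems = []
        for attr in ("encryption", "hash_method", "dh_group"):
            mine, theirs = getattr(self.local, attr), getattr(peer, attr)
            if mine != theirs:
                problems.append(f"{attr}: local {mine} != peer {theirs}")
        if not self.lifetime_min <= peer.lifetime <= self.lifetime_max:
            problems.append(f"lifetime: peer {peer.lifetime}s outside "
                            f"[{self.lifetime_min}, {self.lifetime_max}]s")
        return problems


# Gateway A as configured in this document (3DES / SHA / Group2).
GATEWAY_A_PHASE1 = PhasePolicy(Proposal("3DES", "SHA", "Group2", 28800))
GATEWAY_A_PHASE2 = PhasePolicy(Proposal("3DES", "SHA", "Group2", 3600))


def negotiate(phase1: PhasePolicy, phase2: PhasePolicy,
              peer_p1: Proposal, peer_p2: Proposal) -> dict:
    """Evaluate both phases. Phase 2 is only attempted when Phase 1 succeeds,
    which is why a Phase 1 mismatch shows no Phase 2 activity in the IKE log."""
    result = {"phase1": phase1.check(peer_p1), "phase2": []}
    if not result["phase1"]:
        result["phase2"] = phase2.check(peer_p2)
    result["established"] = not result["phase1"] and not result["phase2"]
    return result


if __name__ == "__main__":
    # Constructed peer: gateway B configured to match this document.
    print(negotiate(GATEWAY_A_PHASE1, GATEWAY_A_PHASE2,
                    Proposal("3DES", "SHA", "Group2", 28800),
                    Proposal("3DES", "SHA", "Group2", 3600)))
    # Constructed peer: Phase 2 proposes AES and a longer lifetime.
    print(negotiate(GATEWAY_A_PHASE1, GATEWAY_A_PHASE2,
                    Proposal("3DES", "SHA", "Group2", 28800),
                    Proposal("AES", "SHA", "Group2", 7200)))
```

The same PhasePolicy with an explicit window reproduces the Minimum/Maximum fields of a client-to-site Phase 2 entry.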
Chapter 9
Testing and Diagnostics
Global Status . . . 32
Network Status . . . 32
VPN Status . . . 33
Network ICMP Ping . . . 33
Analyzing the Log Files . . . 34
9.1 Global Status
The Control window provides a general overview over the box and the status of its most important basic functions.
9.2 Network Status
The Config > Network tab provides an overview of all configured network interfaces, active IP addresses and routing tables.
Table 9–1 Status Icons

Line      Description
Overview  Displays an overview of the system by using a color code (<blank> - everything is OK; yellow - something is not working properly and a check is recommended; red - something is not working properly and a check is mandatory) and the following icons:
          Status of the servers
          Status of the network
          Status of the processes
          Disk usage
          Validity of certificates/licenses
          Status of the box
          Status of the operative-relevant event monitoring
          Status of the security-relevant event monitoring
9.3 VPN Status
The VPN status user interface provides an overview of the currently active VPN tunnels; double-clicking a listed tunnel displays all available tunnel details.
The status user interface is accessible via the VPN button on the left side of the Barracuda NG Admin administration tool.
9.4 Network ICMP Ping
9.4.1 Ping: Outside Interface to Outside Interface
The following steps describe how to test the IPSec tunnel by sending five ICMP packets from the outside interface of gateway A to the outside interface of gateway B.
1. Navigate to SSH to open the command line interface of gateway A.
2. Log in as root user by typing the appropriate password.
3. Type the following string at the command line, followed by pressing the Enter key:
ping 22.23.24.25 -c 5
Fig. 9–8 VPN Status
9.4.2 Ping: Inside Interface to Inside Interface
The following steps describe how to test the IPSec tunnel by sending five ICMP packets from the inside interface of gateway A to the inside interface of gateway B.
1. Navigate to SSH to open the command line interface of gateway A.
2. Log in as root user by typing the appropriate password.
3. Type the following string at the command line, followed by pressing Enter:
ping -I 10.5.6.1 172.23.9.1 -c 5
9.5 Analyzing the Log Files
For troubleshooting tunnel connection problems, the most significant information is accessible by analysing the VPN log files.
Navigate to Logs to open the Log Viewer.
9.5.1 IKE Log
The IKE log file is accessible by navigating within the log-tree to vpnc > VPN > ike.
9.5.2 VPN Log
The general VPN log file is accessible by navigating within the log-tree to vpnc > VPN > VPN.
9.6 Increasing the Log Level
For a more detailed log output, it is possible to increase the log level of the VPN service.
1. Navigate to SSH to open the command line interface of the Barracuda NG Firewall.
If this is the first time you connect to the command line interface, you will be prompted to accept the authentication check. Do this by clicking the Trust Key button in the respective dialog window.
2. Type the following string at the command line followed by pressing Enter:
ipsecctrl isakmpd buglevel <log level>
Replace <log level> by a number between 0 and 99, where 0 is the lowest and 99 the highest possible log level.
Chapter 10
Overview IPSec Client to Site
10.1 General
This document describes how to configure a Barracuda NG Firewall 5.0 to implement the scenarios described by the VPN Consortium’s Interoperability specification.
The specification scenarios were developed by the VPN Consortium. Please refer to Documentation Profiles for IPsec Interoperability (http://www.vpnc.org/InteropProfiles/Interop-01.html).
10.2 VPNC Scenario 1 Overview
• Barracuda NG Firewall
  • Internal interface: Port2
  • External interface: Port3
  • Internal IP address of interface Port2: 10.5.6.1
  • External IP address of interface Port3: 14.15.16.17
  • VPN network behind gateway A: 10.5.6.0/24
• IPSec VPN Client
  • The IPSec VPN Client connects to the corporate network through the VPN point of entry at: 14.15.16.17
The procedures described within this document may not accurately apply to boxes running older versions of Barracuda NG Firewall. Barracuda Networks recommends using this document only with the latest Barracuda NG Firewall firmware 5.0.
Chapter 11
Basic Configuration
For the basic configuration of a Barracuda NG Firewall that meets the requirements of the following description in this document, please refer to the following chapters:
What is a Server? . . . 20
What is a Service? . . . 20
Introducing a Server . . . 20
Chapter 12
VPN Server Configuration
Basic Server Configuration . . . 42
Introducing the IPSec Tunnel . . . 42
Firewall Rule . . . 43
12.1 Basic Server Configuration
1. Navigate to Config > Virtual Servers > vpnc > Assigned Services > VPN(vpnserver) > VPN Settings.
2. Click Lock to enable configuration mode.
3. Open the Settings tab, then click the Click here for Server Settings... link.
4. In the Default Server Certificate section, click Ex/Import. Depending on the format of the available certificate, choose either Import PEM from file... or Import from PKCS12....
5. Generate a Default Key by clicking Ex/Import. Choose New 2048-Bit RSA Key.
6. Assign the public key to the certificate and generate the key by confirming the appearing window with Yes.
7. Click OK.
8. Open the Root Certificates tab, right-click to open the context menu and select either Import PEM from file... or Import CER from file... to import the client root certificate.
9. Open the Personal Networks tab.
10. Right click and select New VPN Network... in the context menu.
11. In the appearing window enter the following values:
   • Name: Name for the VPN network
   • Network Address: 192.168.1.0
   • Network Mask: 24
   • Gateway: 192.168.1.254
   • Type: routed (Static Route)
12. Confirm the modifications by clicking Send Changes, followed by Activate.
12.2 Introducing the IPSec Tunnel
1. Navigate to Config > Virtual Servers > vpnc > Assigned Services > VPN(vpnserver) > Client to Site.
2. Click Lock to enable configuration mode.
3. Open the External CA tab, followed by the IPSec tab.
4. Double-click the default Phase 1 entry and enter the following values:
   • Encryption: AES
   • Hash Meth.: SHA
   • DH-Group: Group2
   • Time: 3600
5. Right-click into the Phase 2 table, select New phase II... and enter the following values:
   • Encryption: AES
   • Hash Meth.: SHA
   • DH-Group: Group2
   • Time: 3600
   • Minimum: 1200
   • Maximum: 4800
6. Open the Group Policy tab and then click Click here for options....
7. Mark the X509 Certificate checkbox and click OK.
8. Right click and select New Group Policy... in the context menu.
9. In the appearing window enter the following values:
   • Name: Name for Group Policy
   • Network: select the previously created personal network
   • Network Routes: right click, select Insert IP... and enter 10.5.6.0/24
10. Open the IPSec tab (within the Edit Group Policy window).
11. Disable the checkbox next to the IPSec Phase II - Settings to enable the drop-down menu and select the previously created phase 2.
12. Right click into the Group Policy Condition table and select New Rule....
13. In the appearing window, click Edit/Show within the X509 Certificate Conditions section.
14. Select emailAddress(Email Address) (or any other condition of the drop-down menu), enter the desired Subject, click Add/Change and close by clicking OK.
15. Be sure to have the IPSec Client checkbox enabled.
16. Close the Group Policy Condition window and the Edit Group Policy window by clicking OK.
12.3 Firewall Rule
1. Navigate to Config > Virtual Servers > vpnc > Assigned Services > FW (firewall) > Forwarding Rules.
2. Double-click the Forwarding Rules configuration node to open the Forwarding Firewall Ruleset.
3. Click Lock to enable configuration mode.
4. Right-click into the firewall ruleset table and choose New... within the appearing context menu.
5. In the appearing window, set the following values:
   • Rule Type: Pass
   • Source: <explicit-src>
     • Right click within the Source table and choose Edit... in the appearing context menu.
     • Type 10.5.6.0/24 into the IP field (Entry section) and click New and close the window by clicking OK.
   • Destination: <explicit-dest>
     • Right click within the Destination table and choose Edit... in the appearing context menu.
     • Type 192.168.1.0/24 into the IP field (Entry section) and click New and close the window by clicking OK.
   • Policy: Activate the 2-Way checkbox
   • Connection Method: No Src NAT (Client)
   • Click OK to finish the rule configuration.
6. Drag the newly created firewall rule on top of the firewall ruleset.
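The two pass rules of sections 7.2 and 12.3 differ in one setting: the client-to-site rule activates the 2-Way policy, the site-to-site rule does not. The following added example (not part of this document or of the Barracuda product) models the effect of that setting together with the block-all default of section 7.1 and the first-match ordering that step 6 relies on. The rule names, test addresses and the Rule/evaluate names are constructed for illustration.

```python
"""Minimal model of the Forwarding Firewall rules from sections 7.2 and 12.3.

Constructed example: a pass rule with an explicit source and destination
network passes new connections opened from the source side; with Policy 2-Way
it also passes connections opened from the destination side. Anything no rule
passes is blocked, which is the default of the firewall service (section 7.1).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    source: str            # <explicit-src> network
    destination: str       # <explicit-dest> network
    two_way: bool = False  # Policy: 2-Way checkbox

    def matches(self, src: str, dst: str) -> bool:
        """True when a new connection src -> dst is covered by this rule."""
        s, d = ip_address(src), ip_address(dst)
        forward = s in ip_network(self.source) and d in ip_network(self.destination)
        if forward or not self.two_way:
            return forward
        # 2-Way: the same rule also covers connections opened from the other side.
        return s in ip_network(self.destination) and d in ip_network(self.source)


def evaluate(ruleset: list, src: str, dst: str) -> str:
    """Return the name of the first rule (top of the ruleset first) that passes
    the connection, or 'BLOCK' when no rule matches."""
    for rule in ruleset:
        if rule.matches(src, dst):
            return rule.name
    return "BLOCK"


# Section 7.2: site-to-site rule, one direction only, placed on top of the ruleset.
SITE_TO_SITE = [Rule("vpnc-s2s", "10.5.6.0/24", "172.23.9.0/24")]
# Section 12.3: client-to-site rule for the personal network, with Policy 2-Way.
CLIENT_TO_SITE = [Rule("vpnc-c2s", "10.5.6.0/24", "192.168.1.0/24", two_way=True)]

if __name__ == "__main__":
    # Constructed test connections; 198.51.100.7 is a documentation address.
    print(evaluate(SITE_TO_SITE, "10.5.6.20", "172.23.9.1"))      # vpnc-s2s
    print(evaluate(SITE_TO_SITE, "172.23.9.1", "10.5.6.20"))      # BLOCK (no 2-Way)
    print(evaluate(CLIENT_TO_SITE, "192.168.1.10", "10.5.6.20"))  # vpnc-c2s
    print(evaluate(CLIENT_TO_SITE, "192.168.1.10", "198.51.100.7"))  # BLOCK
```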
Chapter 13
VPN Client Configuration: NCP Secure Client
13.1 Configuring the Client
1. Copy the self-signed server certificate or a server certificate to the following folder: program files > ncp > secure client > cacerts
2. Launch the NCP Secure Client.
3. Navigate to Configuration > Profiles.
4. Click Add/Import to create a new profile.
5. Select Link to Corporate Network Using IPsec.
6. Enter a Profile Name.
7. Select the desired Communication Media.
8. Enter the following Gateway (Tunnel Endpoint): 14.15.16.17.
9. Select main mode in the Exchange Mode drop-down menu.
10. Select DH-Group 2 (1024 Bit) in the PFS Group drop-down menu.
11. Select Fully Qualified Username as Local identity (IKE) Type and the ID: [email protected] (this string needs to match the SubAltName string of the client certificate)
12. Select IKE Config Mode in the IP Address Assignment drop-down menu.
13. Finish the configuration wizard.
14. Launch the NCP Secure Client.
15. Click Configuration > Profiles.
16. Select your profile and click Edit.
17. Select IPSec General Settings and set IKE Policy to RSA Signature, IPsec Policy to ESP-AES128-MD5, Exch. Mode to main mode and PFS Group to DH-Group 2 (1024 Bit).
18. Click Policy Lifetimes... and set the following values:
   • IKE Policy - Life Time: 000:01:00:00
   • IPsec Policy - Life Type: Life Time
   • IPsec Policy - Life Time: 00:01:00:00
19. Click Policy Editor... and set the following values:
   • RSA Signature: RSA-Signature / AES 128 Bit / SHA DH-Group 2 (1024 Bit)
   • ESP-AES128-MD5: ESP / AES128 / SHA
20. Open the Identities settings, disable the Pre-shared Key checkbox and select Standard certificate configuration in the Certificate configuration drop-down menu.
22. In the NCP Secure Client main window, click Configuration > Certificates.
23. Select Standard certificate configuration and click Edit. In the Certificate drop-down menu, select the desired certificate format and import your certificate.
13.2 Establish a Client to Site IPSec Connection
1. Launch the NCP Secure Client.
2. Select the desired profile and click the Connection button.
3. Enter the correct certificate PIN.