
Innominate mGuard

Application Note

How to set up a VPN connection between mGuard Secure VPN Client and the mGuard

Innominate Security Technologies AG
Rudower Chaussee 13
12489 Berlin, Germany
Phone: +49 (0)30-921028 0
Fax: +49 (0)30-921028 020
contact@innominate.com


Document ID: I15004_en_01 Version 1.1 Page 2 of 23

Table of Contents

1 Disclaimer
2 Introduction
3 X.509 Certificates
4 Configuring the mGuard
  4.1 Import of the mGuard Machine Certificate
  4.2 Configuring the VPN Connection
    4.2.1 General Settings
    4.2.2 Authentication
    4.2.3 Firewall
    4.2.4 IKE Options
5 Configuring the VPN Client
  5.1 Certificate Import
    5.1.1 CA Certificate
    5.1.2 VPN Client Certificate
  5.2 Basic Configuration with the Wizard
  5.3 Specific Connection Settings
  5.4 Start/Stop the VPN Connection
6 Troubleshooting
  6.1 Error: VPN gateway not responding (waiting for Msg 2)
    6.1.1 Logbook: “Could not contact Gateway (No response) in state <Wait for Message 2>”
      6.1.1.1 Is the default gateway reachable?
      6.1.1.2 Is the Internet reachable?
      6.1.1.3 Is the specified IP address/DNS name of the remote VPN peer correct?
      6.1.1.4 Does the VPN initiating packet reach the mGuard?
      6.1.1.5 mGuard log: “… no connection has been authorized with policy …”
    6.1.2 Logbook: “Could not contact Gateway (No response) in state <Wait for Message 6>”
      6.1.2.1 mGuard Log: “no suitable connection for peer …”
      6.1.2.2 mGuard Log: “ISAKMP Hash Payload has an unknown value” after “STATE_MAIN_R2”
  6.2 Error: PKI error
  6.3 Error: IKE (phase 2) – Waiting for Msg 2
    6.3.1 Logbook: “RECEIVED : INVALID_ID_INFORMATION” after “SUCCESS: IKE phase 1 ready”
      6.3.1.1 mGuard Log: “cannot respond to IPsec SA request because no connection is known for …”
    6.3.2 Logbook: “RECEIVED : NO_PROPOSAL_CHOSEN” after “SUCCESS: IKE phase 1 ready”
      6.3.2.1 mGuard Log: “IPsec Transform [...] refused due to strict flag”
  6.4 Required Data when requesting Support


1 Disclaimer

© Innominate Security Technologies AG June 2015

“Innominate” and “mGuard” are registered trademarks of the Innominate Security Technologies AG. All other brand names or product names are trade names, service marks, trademarks, or registered trade marks of their respective owners.

mGuard technology is protected by the German patents #10138865 and #10305413. Further national and international patent applications are pending.

No part of this documentation may be reproduced or transmitted in any form, by any means without prior written permission of the publisher.

All information contained in this documentation is subject to change without previous notice. Innominate offers no warranty for these documents. This also applies without limitation for the implicit assurance of scalability and suitability for specific purposes.

In addition, Innominate is neither liable for errors in this documentation nor for damage, accidental or otherwise, caused in connection with delivery, output or use of these documents.

This documentation may not be photocopied, duplicated or translated into another language, either in part or in whole, without the previous written permission of Innominate Security Technologies AG.


2 Introduction

This document describes the required steps to configure a VPN connection between the mGuard Secure VPN Client (referred to hereafter as VPN Client) and the mGuard, using X.509 certificates for authentication.

mGuard Secure VPN Client 10.01 (Build 21604) on Windows 7 and mGuard 8.1 were used for this application note.

The following diagram illustrates the machines and addresses involved in the connection. The examples in this document refer to this setup. The VPN Client initiates the VPN connection, the mGuard waits for it.

The VPN Client uses a virtual IP address (e.g. 172.16.1.1/32), forwarding packets directed to this IP address through the tunnel automatically to the real IP address of the client.

• The functionality of the mGuard Secure VPN Client is restricted to establishing VPN connections to mGuard VPN appliances only.

• Only one software VPN client may be installed on a Windows system. If a software VPN client is already installed (e.g. Shrew Soft VPN Client), uninstall it before installing the mGuard Secure VPN Client.

• If the mGuard has a dynamic public IP address, it needs to register its IP address under a fixed name at a dynamic DNS service (e.g. mGuard.dyndns.org). The VPN Client must refer to this name to establish the VPN connection to the mGuard.


3 X.509 Certificates

You can use free tools such as XCA or OpenSSL to create the required certificates, or you may request them from a Microsoft CA server. Please refer to the document How to obtain X.509 certificates, which is available through our homepage:

http://www.innominate.com/data/downloads/manuals/appnot_x509certificates.pdf

The following certificates are required:

• A Certification Authority (CA) certificate. The PEM export of the CA is required when configuring the VPN Client.

• A CA signed mGuard certificate. The PKCS#12 export of the mGuard certificate has to be imported into the mGuard through the menu Authentication > Certificates, tab Machine Certificates of the mGuard Web UI.

• A CA signed VPN Client certificate.

  o The PKCS#12 export of this certificate has to be imported into the VPN Client.

  o The PEM export of this certificate has to be imported into the mGuard when configuring the VPN connection, menu IPsec VPN > Connections, tab Authentication.

You will be prompted to enter a password when exporting a certificate in PKCS#12 format. This password protects the PKCS#12 file, which contains the private key, against unauthorized usage.


4 Configuring the mGuard

The following steps are required to configure the VPN connection on the mGuard:

1) Import of the mGuard machine certificate, menu Authentication > Certificates, tab Machine Certificates.

2) Configuration of the VPN connection, menu IPsec VPN > Connections.

4.1 Import of the mGuard Machine Certificate

• From the menu, select Authentication > Certificates, tab Machine Certificates.

1) Click the down arrow at the left to create a new line.

2) Click <Browse> and open the PKCS#12 export of the mGuard certificate.

3) Enter the Password, which protects the certificate against unauthorized usage.

4) Click <Import>.

⇒ The certificate identifying parameters (subject, issuer, etc.) are displayed.

5) Click <Apply>.


4.2 Configuring the VPN Connection

• Select IPsec VPN > Connections from the menu.

1) Click the down arrow at the left to create a new line.

2) Enter a descriptive name for the connection.

3) Click <Edit>.

4.2.1 General Settings

1) Verify that Address of the remote site’s VPN gateway contains the value %any (default value).

2) Verify that Connection startup is set to Wait (default value). The mGuard waits for the VPN connection.

3) Enter the internal network of the mGuard as Local network, in our example 192.168.1.0/24.

4) Enter the virtual IP address of the VPN Client as Remote network, in our example


4.2.2 Authentication

1) Verify that Authentication Method is set to X.509 Certificate (default value).

2) Select the mGuard machine certificate (imported in chapter Import of the mGuard Machine Certificate) by its short name as Local X.509 Certificate.

3) Verify that Remote CA Certificate is set to No CA certificate, but the remote certificate below (default value).

4) Click <Browse> and open the PEM export of the VPN Client certificate.

5) Click <Upload>.

⇒ The certificate identifying parameters (subject, issuer, etc.) are displayed in the section


4.2.3 Firewall

The VPN firewall allows you to restrict the access through the VPN tunnel. You may configure the VPN firewall if required. By default, the VPN firewall allows any incoming and outgoing traffic.


4.2.4 IKE Options

The VPN Client provides default policies supporting 3DES/SHA1 and AES-256/SHA-512 for the ISAKMP SA and 3DES/SHA1 and AES-256/SHA-256 for the IPsec SA.

We recommend using the strongest encryption and hash algorithms. Thus, we choose AES-256/SHA-512 for the ISAKMP SA and AES-256/SHA-256 for the IPsec SA.

1) ISAKMP SA (Key Exchange): Specify the Encryption and Hash Algorithm for phase I, in our example AES-256/SHA-512.

2) IPsec SA (Data exchange): Specify the Encryption and Hash Algorithm for phase II, in our example AES-256/SHA-256.

• Click <Apply> to save the configuration.


5 Configuring the VPN Client

Start the VPN Client by selecting Start > Programs > mGuard Secure VPN Client > Secure VPN Client Monitor.

5.1 Certificate Import

5.1.1 CA Certificate

• Copy the PEM export of the CA certificate into the installation directory of the VPN Client (default: C:\Program Files\Innominate\mGuardSecureVpnClient), subdirectory CaCerts.

The file extension of the CA certificate must be “pem”. Otherwise the VPN Client won’t find the CA certificate. If the PEM export of the CA certificate has another extension, rename it as pem.

• To verify that the VPN Client can load the CA certificate, select Connection > Certificates > Display CA Certificates from the menu. The subject of the CA certificate should be displayed, marked with a green checkmark.


5.1.2 VPN Client Certificate

• Select Configuration > Certificates from the menu.

• Click <Add>.

1) Enter a descriptive name for the certificate.

2) Select from PKCS#12 file.

3) Click <…> and open the PKCS#12 export of the VPN Client certificate. If you have chosen a password with less than 6 characters when exporting the VPN Client certificate as PKCS#12, switch to the tab PIN Policy and change the minimum number of required characters to match the password length.

4) Click <OK>.

⇒ The name of the certificate is displayed in the Certificate configuration list.

• Click <Close>.

5.2 Basic Configuration with the Wizard

• Select Configuration > Profiles from the menu.

• Click <Add/Import>.

1) Select Manually configure profile.

2) Click <Next>.


1) Enter a descriptive name for the VPN connection.

2) Click <Next>.

1) Select Certificate for Authentication.

2) Select the VPN Client’s certificate which was imported in chapter VPN Client Certificate.

3) Click <Next>.

1) Enter either the static public IP address of the mGuard or its DNS name.


1) Leave the default settings (Exchange Mode=main mode, PFS Group=DH-Group 5) and click <Next>.

1) Leave Type=ASN1 Distinguished Name.

2) Click <Next>.

1) Select Manual IP Address.

2) Enter the virtual IP which should be used by the VPN Client, in our example 172.16.1.1. This virtual IP can be used for accessing the client through the tunnel from the internal network of the mGuard.


1) Click <Add>.

2) Enter the network and the subnet mask of the internal network of the mGuard, in our example 192.168.1.0/255.255.255.0, and click <OK>.

3) Click <Finish>.


5.3 Specific Connection Settings

After configuring the basic settings of the connection with the Wizard, some default settings need to be adjusted.

• From the menu, select Configuration > Profiles.

• Select the VPN connection and click <Edit>.

1) Select Line Management.

2) Select whether the VPN connection should be established manually, on traffic or always.

3) If desired, increase the inactivity timeout (default=100s) so that the connection is not dropped during normal work.

1) Select IPsec General Settings.

2) Select RSA-AES256-SHA512.

3) Select DH-Group 5.

4) Select ESP-AES256-SHA256.

5) Click <OK>.


5.4 Start/Stop the VPN Connection

[Screenshot: Start the VPN connection / Stop the VPN connection]

When starting the VPN connection, you’ll be prompted to enter the PIN.

The PIN is the password which protects the PKCS#12 export of the VPN Client certificate against unauthorized usage (refer to X.509 Certificates).

If the VPN connection was established successfully, the VPN Client displays Connection established.

If the VPN Client displays an error message instead, proceed with the next chapter to narrow down the reason for the problem.


6 Troubleshooting

To narrow down a problem, you should:

1) Open the Log book of the VPN Client (menu Help > Logbook).

2) Know from which public IP address the VPN Client accesses the Internet. You can get this information through the web site http://www.whatsmyip.org (Your IP address is w.x.y.z) or http://www.whatismyip.com (Your IP: is w.x.y.z). This information is required to find the corresponding log entries in the logs of the mGuard.

3) Get HTTPS access to the mGuard, switch to the menu Logging > Browse local logs, uncheck all log types except IPsec VPN and click <Reload logs>. Click <Reload logs> after each connect attempt from the VPN Client.

6.1 Error: VPN gateway not responding (waiting for Msg 2)

The VPN Client has sent the first message to initiate the VPN connection but did not get a response from the remote VPN gateway. This could have several reasons.

6.1.1 Logbook: “Could not contact Gateway (No response) in state <Wait for Message 2>”

6.1.1.1 Is the default gateway reachable?

On the Windows client on which the VPN Client is running, open a command prompt and execute the command ipconfig.

    C:\>ipconfig

    Ethernet adapter Local Area Connection:
       IPv4 Address. . . : 192.168.1.104
       Subnet Mask . . . : 255.255.255.0
       Default Gateway . . . : 192.168.1.254

If there is no default gateway specified for the Ethernet adapter, targets located in different networks cannot be reached.

Check whether pings to the IP address of the default gateway are answered (e.g. ‘ping 192.168.1.254’). If the pings are not answered, contact the system administrator of the network to get the correct settings.

6.1.1.2 Is the Internet reachable?

Ping an IP address located in the Internet, e.g. ‘ping 8.8.8.8’.

If the pings are not answered, it also won’t be possible for the VPN Client to reach the mGuard.

6.1.1.3 Is the specified IP address/DNS name of the remote VPN peer correct?

Edit the profile, go to IPsec General Settings and check the value of Gateway (Tunnel Endpoint).


6.1.1.4 Does the VPN initiating packet reach the mGuard?

Go to the mGuard logging and check if the mGuard registers incoming packets (received Vendor ID payload) from the public IP address of the VPN Client.

    packet from 77.245.32.76:40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    packet from 77.245.32.76:40676: received Vendor ID payload [RFC 3947] method set to=115
    packet from 77.245.32.76:40676: received Vendor ID payload [Dead Peer Detection]

If such entries do not appear in the mGuard logging, most likely a firewall in-between the VPN Client and the mGuard blocks traffic to UDP port 500.

6.1.1.5 mGuard log: “… no connection has been authorized with policy …”

    packet from 77.245.32.76:40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
    packet from 77.245.32.76:40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    packet from 77.245.32.76:40676: received Vendor ID payload [RFC 3947] method set to=115
    packet from 77.245.32.76:40676: received Vendor ID payload [Dead Peer Detection]
    packet from 77.245.32.76:40676: Innominate mGuard found
    packet from 77.245.32.76:40676: received Vendor ID payload [Innominate mGuard]
    packet from 77.245.32.76:40676: Innominate IKE Fragmentation found
    packet from 77.245.32.76:40676: received Vendor ID payload [Innominate IKE Fragmentation]
    …
    packet from 77.245.32.76:40676: ignoring Vendor ID payload [Cisco IKE Fragmentation]
    packet from 77.245.32.76:40676: initial Main Mode message received on 77.245.33.67:500 but no connection has been authorized with policy=RSASIG

If this message appears with the public IP address of the VPN Client, the VPN initiating packet has reached the mGuard, but the mGuard cannot find a corresponding VPN connection with the encryption, hash algorithm and Diffie-Hellman group proposed by the VPN Client.

The problem is caused by a mismatch of the specified encryption or hash algorithm or Diffie-Hellman group for the ISAKMP SA.

Edit the profile, go to IPsec General Settings and ensure that the same encryption and hash algorithms and Diffie-Hellman group are specified in the parameter IKE Policy as specified on the mGuard in the VPN connection, tab IKE Options, section ISAKMP SA (key exchange) (refer to IKE Options). You do not need to check the Diffie-Hellman group if All is selected on the mGuard.


6.1.2 Logbook: “Could not contact Gateway (No response) in state <Wait for Message 6>”

6.1.2.1 mGuard Log: “no suitable connection for peer …”

    packet from 77.245.32.76:40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
    packet from 77.245.32.76:40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    packet from 77.245.32.76:40676: received Vendor ID payload [RFC 3947] method set to=115
    packet from 77.245.32.76:40676: received Vendor ID payload [Dead Peer Detection]
    packet from 77.245.32.76:40676: Innominate mGuard found
    packet from 77.245.32.76:40676: received Vendor ID payload [Innominate mGuard]
    packet from 77.245.32.76:40676: Innominate IKE Fragmentation found
    packet from 77.245.32.76:40676: received Vendor ID payload [Innominate IKE Fragmentation]
    "MAI0434440134_1"[1] 77.245.32.76 #41: responding to Main Mode from unknown peer 77.245.32.76
    "MAI0434440134_1"[1] 77.245.32.76 #41: enabling Innominate IKE Fragmentation (main_inI1_outR1)
    "MAI0434440134_1"[1] 77.245.32.76 #41: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    "MAI0434440134_1"[1] 77.245.32.76 #41: STATE_MAIN_R1: sent MR1, expecting MI2
    "MAI0434440134_1"[1] 77.245.32.76 #41: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
    "MAI0434440134_1"[1] 77.245.32.76 #41: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    "MAI0434440134_1"[1] 77.245.32.76 #41: STATE_MAIN_R2: sent MR2, expecting MI3
    "MAI0434440134_1"[1] 77.245.32.76 #41: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
    "MAI0434440134_1"[1] 77.245.32.76 #41: Main mode peer ID is ID_DER_ASN1_DN: 'O=Innominate, OU=Support, CN=VPN Client'
    "MAI0434440134_1"[1] 77.245.32.76 #41: no suitable connection for peer 'O=Innominate, OU=Support, CN=VPN Client'

A wrong remote X.509 certificate was uploaded into the VPN connection on the mGuard (refer to Authentication, steps 3 to 5). It is not the certificate used by the VPN Client.

6.1.2.2 mGuard Log: “ISAKMP Hash Payload has an unknown value” after “STATE_MAIN_R2”

    packet from 77.245.32.76:40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
    packet from 77.245.32.76:40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    packet from 77.245.32.76:40676: received Vendor ID payload [RFC 3947] method set to=115
    packet from 77.245.32.76:40676: received Vendor ID payload [Dead Peer Detection]
    packet from 77.245.32.76:40676: Innominate mGuard found
    packet from 77.245.32.76:40676: received Vendor ID payload [Innominate mGuard]
    packet from 77.245.32.76:40676: Innominate IKE Fragmentation found
    packet from 77.245.32.76:40676: received Vendor ID payload [Innominate IKE Fragmentation]
    "MAI0434440134_1"[2] 77.245.32.76 #44: responding to Main Mode from unknown peer 77.245.32.76
    "MAI0434440134_1"[2] 77.245.32.76 #44: enabling Innominate IKE Fragmentation (main_inI1_outR1)
    "MAI0434440134_1"[2] 77.245.32.76 #44: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    "MAI0434440134_1"[2] 77.245.32.76 #44: STATE_MAIN_R1: sent MR1, expecting MI2
    "MAI0434440134_1"[2] 77.245.32.76 #44: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
    "MAI0434440134_1"[2] 77.245.32.76 #44: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    "MAI0434440134_1"[2] 77.245.32.76 #44: STATE_MAIN_R2: sent MR2, expecting MI3
    "MAI0434440134_1"[2] 77.245.32.76 #44: next payload type of ISAKMP Hash Payload has an unknown value: 66
    "MAI0434440134_1"[2] 77.245.32.76 #44: next payload type of ISAKMP Hash Payload has an unknown value: 66

A VPN connection is established through UDP port 500. If the connection is established across one or more gateways with Network Address Translation (NAT) activated (indicated in the log), the port is switched to UDP port 4500.

This problem is caused by a firewall in-between the VPN Client and the mGuard, blocking traffic to UDP port 4500.

6.2 Error: PKI error

This error message indicates a problem with the certificates.

The CA certificate, which was used to sign the mGuard and the VPN Client certificate, is not present in the installation directory of the VPN Client (default: C:\Program Files\Innominate\mGuardSecureVpnClient), subdirectory CaCerts, or its extension is not pem (refer to CA Certificate).

If the mGuard and the VPN Client certificates were signed with different CA certificates, both CA certificates must be present in the above mentioned directory.

6.3 Error: IKE (phase 2) – Waiting for Msg 2

The ISAKMP SA (phase 1) was established successfully. Now a problem occurred during the establishment of the IPsec SA (phase 2).


6.3.1 Logbook: “RECEIVED : INVALID_ID_INFORMATION” after “SUCCESS: IKE phase 1 ready”

6.3.1.1 mGuard Log: “cannot respond to IPsec SA request because no connection is known for …”

    packet from 77.245.32.76:40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
    packet from 77.245.32.76:40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    packet from 77.245.32.76:40676: received Vendor ID payload [RFC 3947] method set to=115
    packet from 77.245.32.76:40676: received Vendor ID payload [Dead Peer Detection]
    packet from 77.245.32.76:40676: Innominate mGuard found
    packet from 77.245.32.76:40676: received Vendor ID payload [Innominate mGuard]
    packet from 77.245.32.76:40676: Innominate IKE Fragmentation found
    packet from 77.245.32.76:40676: received Vendor ID payload [Innominate IKE Fragmentation]
    "MAI0434440134_1"[1] 77.245.32.76 #49: responding to Main Mode from unknown peer 77.245.32.76
    "MAI0434440134_1"[1] 77.245.32.76 #49: enabling Innominate IKE Fragmentation (main_inI1_outR1)
    "MAI0434440134_1"[1] 77.245.32.76 #49: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    "MAI0434440134_1"[1] 77.245.32.76 #49: STATE_MAIN_R1: sent MR1, expecting MI2
    "MAI0434440134_1"[1] 77.245.32.76 #49: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
    "MAI0434440134_1"[1] 77.245.32.76 #49: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    "MAI0434440134_1"[1] 77.245.32.76 #49: STATE_MAIN_R2: sent MR2, expecting MI3
    "MAI0434440134_1"[1] 77.245.32.76 #49: Main mode peer ID is ID_DER_ASN1_DN: 'O=Innominate, OU=Support, CN=VPN Client'
    "MAI0434440134_1"[1] 77.245.32.76 #49: I am sending my cert
    "MAI0434440134_1"[1] 77.245.32.76 #49: Dead Peer Detection (RFC 3706): enabled
    "MAI0434440134_1"[1] 77.245.32.76 #49: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
    "MAI0434440134_1"[1] 77.245.32.76 #49: new NAT mapping for #49, was 77.245.32.76:40676, now 77.245.32.76:19242
    "MAI0434440134_1"[1] 77.245.32.76 #49: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=OAKLEY_SHA2_512 group=modp1536}
    "MAI0434440134_1"[1] 77.245.32.76 #49: the peer proposed: 192.168.2.0/24:0/0 -> 172.16.1.1/32:0/0
    "MAI0434440134_1"[1] 77.245.32.76 #49: cannot respond to IPsec SA request because no connection is known for {192.168.2.0/24}===77.245.33.67[O=Innominate, OU=Support, CN=Central Gateway]...77.245.32.76[O=Innominate, OU=Support, CN=VPN Client]==={172.16.1.1/32}

Mismatch of the specified local/remote VPN network.

• On the mGuard, edit the VPN connection and go to the tab General (refer to General Settings).

• On the VPN Client, edit the profile and go to Local network.

  ⇒ Ensure that the Remote network on the mGuard has the same value as the IP address on the VPN Client.

• On the VPN Client, go to Remote network.

  ⇒ Ensure that the Local network on the mGuard has the same value as the Remote network on the VPN Client, including the correct subnet mask in CIDR notation (e.g. 255.255.255.0 = /24).


6.3.2 Logbook: “RECEIVED : NO_PROPOSAL_CHOSEN” after “SUCCESS: IKE phase 1 ready”

6.3.2.1 mGuard Log: “IPsec Transform [...] refused due to strict flag”

    packet from 77.245.32.76:40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
    packet from 77.245.32.76:40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    packet from 77.245.32.76:40676: received Vendor ID payload [RFC 3947] method set to=115
    packet from 77.245.32.76:40676: received Vendor ID payload [Dead Peer Detection]
    packet from 77.245.32.76:40676: Innominate mGuard found
    packet from 77.245.32.76:40676: received Vendor ID payload [Innominate mGuard]
    packet from 77.245.32.76:40676: Innominate IKE Fragmentation found
    packet from 77.245.32.76:40676: received Vendor ID payload [Innominate IKE Fragmentation]
    "MAI0434440134_1"[2] 77.245.32.76 #55: responding to Main Mode from unknown peer 77.245.32.76
    "MAI0434440134_1"[2] 77.245.32.76 #55: enabling Innominate IKE Fragmentation (main_inI1_outR1)
    "MAI0434440134_1"[2] 77.245.32.76 #55: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    "MAI0434440134_1"[2] 77.245.32.76 #55: STATE_MAIN_R1: sent MR1, expecting MI2
    "MAI0434440134_1"[2] 77.245.32.76 #55: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
    "MAI0434440134_1"[2] 77.245.32.76 #55: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    "MAI0434440134_1"[2] 77.245.32.76 #55: STATE_MAIN_R2: sent MR2, expecting MI3
    "MAI0434440134_1"[2] 77.245.32.76 #55: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
    "MAI0434440134_1"[2] 77.245.32.76 #55: Main mode peer ID is ID_DER_ASN1_DN: 'O=Innominate, OU=Support, CN=VPN Client'
    "MAI0434440134_1"[2] 77.245.32.76 #55: I am sending my cert
    "MAI0434440134_1"[2] 77.245.32.76 #55: Dead Peer Detection (RFC 3706): enabled
    "MAI0434440134_1"[2] 77.245.32.76 #55: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
    "MAI0434440134_1"[2] 77.245.32.76 #55: new NAT mapping for #55, was 77.245.32.76:40676, now 77.245.32.76:19242
    "MAI0434440134_1"[2] 77.245.32.76 #55: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=OAKLEY_SHA2_512 group=modp1536}
    "MAI0434440134_1"[2] 77.245.32.76 #55: the peer proposed: 192.168.2.0/24:0/0 -> 172.16.1.1/32:0/0
    "MAI0434440134_1"[2] 77.245.32.76 #56: IPsec Transform [ESP_AES (256), AUTH_ALGORITHM_HMAC_SHA2_256] refused due to strict flag

Mismatch of the specified encryption or hash algorithms for the IPsec SA.

Edit the profile, go to IPsec General Settings and ensure that the same encryption and hash algorithms are specified in the parameter IPsec Policy as specified on the mGuard in the VPN connection, tab IKE Options, section IPsec SA (data exchange) (refer to IKE Options).
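As an added example (not part of the application note), the following Python script applies the diagnoses of this chapter to mGuard IPsec log text: it keeps only the entries carrying the VPN Client's public IP address, maps the log messages quoted in sections 6.1.1.4 to 6.3.2.1 to their cause, and, for the phase 2 failure of section 6.3.1.1, compares the networks the client proposed with the Local/Remote network configured on the mGuard. The diagnosis codes, function names and abbreviated log excerpts are constructed for this example; the log text is assumed to be copied from Logging > Browse local logs or taken from a snapshot.

```python
"""Triage of mGuard IPsec log entries after a failed VPN Client connection.

Added example, not from the application note: it automates the chapter's manual
procedure (filter the log by the client's public IP, match the quoted messages,
compare the proposed phase 2 networks with the mGuard's General Settings).
"""
import ipaddress
import re

# (code, log substring quoted in the troubleshooting chapter, remedy given there)
DIAGNOSES = [
    ("IKE_POLICY_MISMATCH", "no connection has been authorized with policy",
     "6.1.1.5: align the client's IKE Policy with IKE Options, section ISAKMP SA"),
    ("WRONG_REMOTE_CERT", "no suitable connection for peer",
     "6.1.2.1: the remote certificate uploaded on the mGuard is not the client's"),
    ("UDP_4500_BLOCKED", "next payload type of ISAKMP Hash Payload has an unknown value",
     "6.1.2.2: peer is NATed and a firewall blocks UDP port 4500"),
    ("NETWORK_MISMATCH", "cannot respond to IPsec SA request because no connection is known for",
     "6.3.1.1: Local/Remote network differ between mGuard and VPN Client"),
    ("IPSEC_POLICY_MISMATCH", "refused due to strict flag",
     "6.3.2.1: align the client's IPsec Policy with IKE Options, section IPsec SA"),
]
NO_PACKETS = ("NO_PACKETS_SEEN", None,
              "6.1.1.4: no Vendor ID payloads received; a firewall probably blocks UDP port 500")

# "the peer proposed: <mGuard-side net>:proto/port -> <client-side net>:proto/port"
PROPOSAL_RE = re.compile(r"the peer proposed: (\S+?):\d+/\d+ -> (\S+?):\d+/\d+")


def client_lines(log_text, client_public_ip):
    """Entries attributed to the client: 'packet from IP:port:' or '"conn"[n] IP #m:'."""
    pattern = re.compile(r'(?:packet from |\] )' + re.escape(client_public_ip) + r'[: ]')
    return [line for line in log_text.splitlines() if pattern.search(line)]


def triage(log_text, client_public_ip):
    """Diagnosis codes found for the client, in log order (one per cause)."""
    lines = client_lines(log_text, client_public_ip)
    if not lines:
        return [NO_PACKETS[0]]
    codes = []
    for line in lines:
        for code, needle, _remedy in DIAGNOSES:
            if needle in line and code not in codes:
                codes.append(code)
    return codes


def remedy(code):
    """Remedy text the chapter gives for a diagnosis code."""
    return next(text for c, _needle, text in DIAGNOSES + [NO_PACKETS] if c == code)


def network_mismatches(log_text, mguard_local, mguard_remote):
    """Compare the client's phase 2 proposal (as logged by the mGuard) with the
    mGuard's Local/Remote network. Dotted masks (192.168.1.0/255.255.255.0), the
    form the client wizard uses, are accepted as well as CIDR."""
    match = PROPOSAL_RE.search(log_text)
    if match is None:
        return []
    mguard_side = ipaddress.ip_network(match.group(1))
    client_side = ipaddress.ip_network(match.group(2))
    local, remote = ipaddress.ip_network(mguard_local), ipaddress.ip_network(mguard_remote)
    problems = []
    if mguard_side != local:
        problems.append(f"client Remote network {mguard_side} != mGuard Local network {local}")
    if client_side != remote:
        problems.append(f"client IP address {client_side} != mGuard Remote network {remote}")
    return problems


# Constructed excerpts, abbreviated from the logs printed in sections 6.1.1.5 and 6.3.1.1.
SAMPLE_PHASE1_LOG = """\
packet from 77.245.32.76:40676: received Vendor ID payload [RFC 3947] method set to=115
packet from 77.245.32.76:40676: initial Main Mode message received on 77.245.33.67:500 but no connection has been authorized with policy=RSASIG
"""
SAMPLE_PHASE2_LOG = """\
"MAI0434440134_1"[1] 77.245.32.76 #49: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=OAKLEY_SHA2_512 group=modp1536}
"MAI0434440134_1"[1] 77.245.32.76 #49: the peer proposed: 192.168.2.0/24:0/0 -> 172.16.1.1/32:0/0
"MAI0434440134_1"[1] 77.245.32.76 #49: cannot respond to IPsec SA request because no connection is known for {192.168.2.0/24}===77.245.33.67[O=Innominate, OU=Support, CN=Central Gateway]...77.245.32.76[O=Innominate, OU=Support, CN=VPN Client]==={172.16.1.1/32}
"""

if __name__ == "__main__":
    for log in (SAMPLE_PHASE1_LOG, SAMPLE_PHASE2_LOG):
        for code in triage(log, "77.245.32.76"):
            print(code, "->", remedy(code))
    # mGuard configured as in the document: Local network 192.168.1.0/24, Remote network 172.16.1.1/32
    for problem in network_mismatches(SAMPLE_PHASE2_LOG, "192.168.1.0/255.255.255.0", "172.16.1.1/32"):
        print(problem)
```

On the phase 2 excerpt the script reports that the client's Remote network (192.168.2.0/24) does not match the mGuard's Local network (192.168.1.0/24), which is exactly the check section 6.3.1.1 asks for.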


6.4 Required Data when requesting Support

If you encounter problems and need support, please provide the following information/data:

1) mGuard Snapshot (configuration and logs without private information)

It is important that you download the snapshot after a failed connection.

• From the menu, select Support > Advanced, tab Snapshot.

• Click <Download> and store the file snapshot.tar.gz on a local system.

2) The public IP address through which the VPN Client accesses the Internet

You can get this information through the web site http://www.whatsmyip.org (Your IP address is w.x.y.z) or http://www.whatismyip.com (Your IP: is w.x.y.z). This information is required to find the corresponding log entries in the logs of the mGuard.

3) The configuration file ncpphone.cfg of the VPN Client, which is located in the installation directory of the client.

4) The file InnominateSupport.zip. Click Help > Support Assistant > [nothing needs to be changed here] > Next > Next, then click C:\Users\... \InnominateSupport.zip in the dialog to copy and provide the zip file.
