www.blackbox.com
Using Opensource VPN Clients with Firetunnel
This document describes how to use VPN clients with Firetunnel. Since the number of VPN tunnels using PPTP is limited to 4, this is the way to connect up to 10 parallel tunnels using VPN/IPSEC technology.
The method for using PPTP tunnel technology is described in the Firetunnel manual. For PPTP tunnelling no extra client software is needed; that functionality is already built into Windows 2000, XP and Vista.
Using IPSEC technology requires extra software. A good, free open source option is the ShrewSoft VPN Client, which can be downloaded for free at
www.shrew.net
The OpenVPN Client is not compatible with Firetunnel. There are other VPN clients on the market which need to be licensed and purchased. This document covers only the ShrewSoft VPN Client.
Before you begin you need to set up your Firetunnel. Check the manual on how to do that. The manual for Firetunnel can be downloaded from
ftp://www.all-about-kvm.com/Firmware%20Downloads/Networking/LRE10x0E/
Additionally you need to download the ShrewSoft VPN Client. Check www.shrew.net, click on Download and select the appropriate client and the latest version that meets your requirements.
While Shrew also provides client software for Linux, this document only covers the installation on Windows platforms. Linux environments may require additional work (using the appropriate kernel and support files) and know-how on maintaining Linux systems, which would definitely go beyond the scope of this document.
The steps for setting up VPN IPSEC technology with Shrew, Firetunnel and Windows start at the point where you have set up your Firetunnel product with a valid Internet connection and have downloaded and installed the Shrew Client. In these steps we assume that your Firetunnel has a local LAN IP address of 192.168.181.254 with a subnet mask of 255.255.255.0. If your setup is different, the examples shown here may need to be adapted.
Step 1 Setting up the Firetunnel for VPN/IPSEC
Log in to the web administration page of Firetunnel. Click on Configuration in the menu on the right and then select VPN. Two new menu items will appear (see the picture on the right). Click on IPSec Policy to get the following screen:
Click on Create to define a new connection for VPN/IPSEC.
the second, etc. The example shown prevents VPN user 1 from communicating with VPN user 2.
Configure the other settings as shown in this example. For the PreShared key select a keyword that is unique per connection. The more complex the keyword is, the better the security.
Proceed with the settings for the Keep Alive function. If your provider disconnects you every 24 hours and assigns a new WAN IP address, use a DynDNS service together with the Keep Alive function to keep the VPN connection stable. At the end click on Apply and Save the settings. Do not forget to click on SAVE CONFIG to save your changes into the flash memory of Firetunnel.
Step 2 Setting up the Shrew Client
After downloading and installing the client you will find a new program group in your Start menu. In there you can find the Access Manager. Start it to get the window on the right. Click on Add to define a new connection.
You will find several tabs where you need to enter information for your connection. Enter the following information:
GENERAL
Remote Host:
  Host Name or IP Address: enter the IP address or DynDNS address of your Firetunnel
  Port: 500
  Auto Configuration: disabled
Local Host:
  Address Method: Use a virtual adapter and assigned address
  MTU: 1380
  Obtain Automatically: uncheck
  Address: enter the Remote IP from the Firetunnel setup, e.g. 10.10.10.1 for the first connection, 10.10.10.2 for the second connection, etc.
  Netmask:
Jump to the second tab, Client:
CLIENT
Firewall Options:
  NAT Traversal: enable
  NAT Traversal Port: 4500
  Keep alive packet rate: 15
  IKE Fragmentation: disable
Other options:
  Enable Dead Peer Detection: check
  Enable ISAKMP Failure Notifications: check
  Enable Client Login Banner: uncheck
Jump to the third tab, Name Resolution:
NAME RESOLUTION: WINS/DNS
  Enable WINS: uncheck if you do not need NetBIOS drive mappings; check if you need them, but then enter the IP address of your domain controller
  Enable DNS: check and manually enter the LAN IP address of your Firetunnel, e.g. 192.168.181.254. For DNS Suffix you can enter almost anything that fits your domain, e.g. myfiretunnel.com
  Enable Split DNS:
Jump to the fourth tab, Authentication:
AUTHENTICATION
  Authentication Method: Mutual PSK
Local Identity:
  Identification Type: IP Address
  Use a discovered remote host address: uncheck
  Address String: again the Remote IP from the Firetunnel setup, e.g. 10.10.10.1 for the first connection, 10.10.10.2 for the second, etc.
Remote Identity:
  Identification Type: IP Address
  Use a discovered remote host address: check
Credentials: enter the key you entered in the Firetunnel setup
Jump to the fifth tab, Phase 1:
PHASE 1
  Exchange Type: aggressive
  DH Exchange: Group 2
  Cipher Algorithm: Auto
  Hash Algorithm: Auto
  Key Life Time Limit: 86400
  Key Life Data Limit: 0
  Enable Check Point Compatible Vendor ID:
Jump to the sixth tab, Phase 2:
PHASE 2
  Transform Algorithm: Auto
  HMAC Algorithm: Auto
  PFS Exchange: Group 2
  Compress Algorithm: Disabled
  Key Life Time Limit: 3600
  Key Life Data Limit: 0
Jump to the seventh tab, Policy.
Pay 100% attention here; most of the errors that stop a VPN from working are made here.
POLICY
Uncheck ALL buttons like “Maintain…” and “Obtain…”. Click on Add in the field “Remote Network Resource”.
A new window pops up. For Type select “Include”; for Address enter the subnet address of the local network behind the Firetunnel. In this example, with the Firetunnel at 192.168.181.254, you enter 192.168.181.0. For Netmask enter 255.255.255.0. Click on OK to apply these settings.
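The values this guide asks you to type by hand (the per-connection virtual address, the per-connection unique PreShared key from Step 1, and the Policy tab's subnet address) can be derived and cross-checked before you touch the Shrew Access Manager. The following is an added example, not code from the Black Box document or the ShrewSoft project; the 10.10.10.x virtual addresses, the limit of 10 tunnels and the 192.168.181.0/24 LAN come from this guide, the function names are the example's own.

```python
import ipaddress
import secrets


def policy_network(lan_ip: str, netmask: str) -> str:
    """Remote Network Resource for the Policy tab: the subnet the LAN IP lives in.

    Typing the Firetunnel's own address (192.168.181.254) instead of the
    subnet address (192.168.181.0) is the classic Policy-tab mistake.
    """
    net = ipaddress.ip_network(f"{lan_ip}/{netmask}", strict=False)
    return f"{net.network_address} {net.netmask}"


def policy_entry_ok(entered: str, lan_ip: str, netmask: str) -> bool:
    """True only if the address entered on the Policy tab is the subnet address."""
    net = ipaddress.ip_network(f"{lan_ip}/{netmask}", strict=False)
    return entered == str(net.network_address)


def new_psk(nbytes: int = 32) -> str:
    """Fresh random pre-shared key (256 bits by default), hex encoded.

    One per connection, never reused: Phase 1 runs in aggressive mode with
    Mutual PSK, so the key's randomness is what protects the tunnel.
    """
    return secrets.token_hex(nbytes)


def plan_connections(lan_ip: str, netmask: str, count: int,
                     virtual_base: str = "10.10.10.0", max_tunnels: int = 10) -> list:
    """Per-connection settings: virtual Address, Policy entry, unique PSK.

    Connection n gets virtual_base + n (10.10.10.1, 10.10.10.2, ...), and the
    virtual addresses must not overlap the LAN subnet behind the Firetunnel.
    """
    if not 1 <= count <= max_tunnels:
        raise ValueError(f"count must be between 1 and {max_tunnels}")
    lan = ipaddress.ip_network(f"{lan_ip}/{netmask}", strict=False)
    base = ipaddress.ip_address(virtual_base)
    plan = []
    for n in range(1, count + 1):
        vaddr = base + n
        if vaddr in lan:
            raise ValueError(f"virtual address {vaddr} overlaps LAN subnet {lan}")
        plan.append({"connection": n, "address": str(vaddr),
                     "policy": policy_network(lan_ip, netmask), "psk": new_psk()})
    # Every tunnel must have its own key; a duplicate here would mean the RNG failed.
    if len({p["psk"] for p in plan}) != len(plan):
        raise RuntimeError("duplicate pre-shared key generated")
    return plan
```

Hand each entry's "address" to the GENERAL and AUTHENTICATION tabs, "policy" to the POLICY tab, and "psk" to both the Firetunnel IPSec Policy and the Shrew Credentials field.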