GB-OS VPN Gateway & GTA Mobile VPN Client
Version 4.01

GTA VPN Option Guide

Contents
Introduction ……… 1
  What is a VPN? ……… 1
  About IPSec VPN on GTA Firewalls ……… 1
  The VPN Gateway (Firewall) Component ……… 2
  Features ……… 2
  The Client Component ……… 2
  Features ……… 2
  Minimum Requirements ……… 3
  Installation Support ……… 3
  Support Options ……… 3
  Documentation ……… 3
  Additional Documentation ……… 3
GTA Firewall Setup ……… 4
  Entering Feature Codes ……… 4
  Running the VPN Setup Wizard ……… 5
  Configuring Gateway to Gateway Connections ……… 6
  Configuring Gateway to GTA Mobile VPN Client Connections ……… 9
  Configuring a VPN Connection Manually ……… 12
  Creating VPN Configuration Objects ……… 12
  Default VPN Objects ……… 12
  Which VPN Object Should I Use? ……… 12
  Selecting the IPSec Key Mode ……… 12
  Creating the VPN Connection ……… 13
  Creating a VPN Connection using IKE IPSec Key Mode ……… 13
  Creating a VPN Connection using Manual IPSec Key Mode ……… 14
  Configuring a Custom VPN Object ……… 16
  About Phase I ……… 17
  About Phase II ……… 17
  Configuring a Custom Encryption Object ……… 17
  Encryption Methods ……… 18
  Hash Algorithm ……… 18
  Key Group ……… 19
  Configuring VPN Policies ……… 19
  Creating Authorization ……… 20
  Creating Groups ……… 20
  Creating Users ……… 21
GTA Mobile VPN Client Setup ……… 22
  Installing the GTA Mobile VPN Client ……… 22
  Activating the GTA Mobile VPN Client ……… 23
  Configuring the VPN Client Software ……… 25
  Running the Configuration Wizard ……… 25
  VPN Settings Worksheet ……… 26
  Manually Configuring the GTA Mobile VPN Client ……… 27
  Entering Preferences (Parameters) ……… 27
  Configuring Phase 1 (Authentication) ……… 28
  Starting and Stopping VPN Client Connections ……… 30
  Advanced GTA Mobile VPN Client Setup ……… 31
  Advanced Phase 1 Configuration ……… 31
  Advanced Phase 2 Configuration ……… 32
  Launching Scripts ……… 33
  Configuring Access Control ……… 34
  USB Drive Mode ……… 35
  Preferences ……… 36
  Startup Modes ……… 36
  Miscellaneous ……… 36
  Console and Configuration Tools ……… 37
  Configuration Management ……… 37
Reference A: GTA Mobile VPN Client User Interface ……… 40
  Configuration Panel ……… 40
  Menu Overview ……… 40
  File ……… 41
  VPN Configuration ……… 41
  Tools ……… 41
  ? (Help) ……… 41
  Left Hand Menu Icons ……… 41
  Configuration Menu Tree ……… 42
  Status Bar ……… 42
  Connection Panel ……… 43
  System Tray ……… 44
  System Tray Menu ……… 44
Reference B: VPN Concepts ……… 46
  Elements of IPSec VPN Security ……… 46
  Verifying Authorization ……… 47
  Verifying Data Integrity ……… 47
  Ensuring Data Privacy ……… 48
  Packet Structure: IPSec VPN ……… 48
  GTA Firewall VPN Packet Processing ……… 48
Reference C: Example VPN Configurations ……… 50
  Client to Gateway: Dynamic/Static IP Addresses & IKE ……… 51
  Client to Gateway: Dynamic IP Addresses & IKE ……… 55
  Gateway to Gateway: Dynamic/Static IP Addresses & IKE ……… 59
  Gateway to Gateway: Static/Static IP Addresses & IKE ……… 61
  Gateway to Gateway: Static/Static IP Addresses and Manual Key Exchange ……… 62
Reference D: Troubleshooting ……… 64
  On the GTA Firewall ……… 64
  FAQ ……… 64
  Mobile VPN clients cannot connect to the firewall. Why? ……… 64
  Log Messages ……… 64
  Security Associations ……… 65
  Mobile Client VPN Authentication and Connection ……… 65
  On the GTA Mobile VPN Client ……… 66
  FAQ ……… 66
  My GTA Mobile VPN Client says it is in a 30-day evaluation mode. ……… 66
  I receive an error when trying to activate the GTA Mobile VPN Client. Why? ……… 66
  How can I activate the GTA Mobile VPN Client when I need to connect to the Internet using a proxy server? ……… 67
  I cannot activate the GTA Mobile VPN Client online. How do I activate the client manually? ……… 68
  My Internet connection does not work when I return to the office. ……… 68
  Why won’t the GTA Mobile VPN Client start a VPN on Windows XP? ……… 68
  Can I use an address range for my Address Type when configuring Phase 1 settings? ……… 69
  When should I set NAT-T to Forced when configuring advanced Phase 1 settings? ……… 69
  Why would I disable NAT-T when configuring advanced Phase 1 settings? ……… 69
  Log Messages ……… 69
  Incorrect Remote Gateway ……… 69
  Incorrect Pre-shared Key ……… 69
  Incorrect Local ID Value ……… 69
  Incorrect Local ID Type ……… 70
  Incorrect Remote ID Value ……… 70
  Incorrect Remote ID Type ……… 70
  Incorrect Phase I Settings ……… 70
  Incorrect Phase II Settings ……… 70
  Incorrect Phase II Authentication Settings ……… 71
  Incorrect Phase II Key Group Settings ……… 71
Introduction

What is a VPN?
A VPN is a Virtual Private Network.
• What makes it private? You can access resources on your network as if you were a second private network attached to the private (trusted) part of your network.
• What makes it virtual? You’re not really accessing your private network from the private network: you’re accessing it from a public or other untrusted network, such as the Internet. A combination of authentication, encryption and tunneling technologies is used to make sure that your data is transmitted securely, so you can trust your connection as you would trust your normal private network connection.
VPN connections provide a way to access your protected data from an insecure location, all without compromising your network security.
VPNs vs. Standard NAT Tunnels
Standard NAT tunnels can provide external access to your internal network. So why use a VPN? VPNs provide more secure access than standard NAT tunnels. VPN tunnels provide methods to assure authorization, data integrity and privacy. As a result, VPN tunnels can secure even connections that normally do not provide encryption, authorization or integrity checking on their own. Standard tunnels do not provide these VPN safety mechanisms!
VPNs are an ideal secure network solution for employees that travel or work from home. They also
can serve to securely connect branch offices to a main office or data center.
GTA firewalls support the IPSec VPN standard; this provides interoperability with many third-party VPN products. IPSec VPNs can use a defined combination of authentication keys, anti-tampering hashes, data encryption and IP packet encapsulation to ensure the identity, integrity, and privacy of your data transfers over public, untrusted networks. For more information, see Elements of IPSec VPN Security.
About IPSec VPN on GTA Firewalls
GTA firewalls provide IPSec controls for both mobile client (commuter-to-office) and
gateway-to-gateway (office-to-office) VPN connections.
The VPN Gateway (Firewall) Component
GTA firewalls can function as VPN gateways, handling authentication and encryption for VPN tunnels. The VPN gateway is configured on the firewall directly using the web administrative interface. VPN configurations are created in Configuration>VPN>IPSec Tunnels, and bound to an incoming authorization channel in either Configuration>Accounts>Users and Configuration>Accounts>Groups (for mobile VPN clients or a second VPN gateway with a dynamic IP address) or Configuration>VPN>IPSec Tunnels (where both VPN gateways have a static IP address).
GTA firewalls can interoperate with either another GTA firewall (for office-to-office VPNs) or a mobile VPN client (for commuter-to-office VPNs).
Because GTA firewalls support the IPSec VPN standard, GTA firewall VPNs are also interoperable with third-party products that support the IPSec VPN standard. For information on creating a VPN between a GTA firewall and another VPN gateway, see the additional documentation located on GTA’s web site (http://gta.com/support/documents/).
Features
• NAT traversal
• Easy application of security policies
• Easy creation and revision of VPNs using VPN configuration objects
• Quickly enable and disable VPN authorizations
• AES-128, AES-192 and AES-256, 3DES, DES and Blowfish methods for confidentiality
• MD5, SHA-1 and SHA-2 one-way hash methods for data integrity
• Up to 4,096-bit Diffie-Hellman keys for authenticity
The Client Component
With the GTA Mobile VPN Client option, GTA firewalls can also provide VPN protection to travelling
employees or employees working from home. Your mobile VPN client software is installed on the
client computer. It serves to locally perform the authentication, encryption and other services that
would normally be performed by a second VPN gateway. Mobile VPN client software negotiates
the connection with your GTA firewall VPN gateway.
The GTA Mobile VPN Client is Microsoft® Windows®-compatible VPN software.
Note
Microsoft® Windows Vista™ is currently not supported by the GTA Mobile VPN Client. Microsoft Windows Vista support will be included in a future release.
Features
• NAT traversal
• Easy VPN setup
• Client-to-client and client-to-gateway VPNs
• Compatible with most versions of Microsoft® Windows®
Minimum Requirements
• Microsoft® Windows® 98, Me, NT 4 (Service Pack 6 or greater), 2000, XP
• Intel® Pentium® class or greater processor
• 0 MB unused hard disk space
• 8 MB RAM
• 56K dial-up modem, wireless (WiFi), Ethernet or other compatible network card
Installation Support
Installation (“up and running”) support is available to registered users. See GTA’s website for more information. If you need installation assistance, be sure to register your product and then contact the GTA Technical Support team by email at [email protected]. Please include your serial number and a brief description of the problem in the body of the email.
Support Options
If you need support for GTA Products, a variety of support contracts are available. Contact GTA Sales staff by email at [email protected] for more information. Contracts range from support by the incident to full coverage for a year. Other assistance is available through the GNAT Box Mailing List or an authorized GTA Channel Partner.
Documentation
A few conventions are used throughout this guide to help you recognize specific elements of the text. If you are viewing this guide in PDF format, color variations may also be used to emphasize notes, warnings and new sections.
Bold Italics: Emphasis
Italics: Publications
Blue Underline: Clickable hyperlink (email address, web site or in-PDF link)
Small Caps: On-screen field names
Monospace Font: On-screen text
Condensed Bold: On-screen menus, menu items
Bold Small Caps: On-screen buttons, links
GTA Firewall Setup
This chapter explains configuration steps for an IPSec VPN on both the firewall and a client
computer. It also provides a worksheet to help with initial configuration.
Each GTA firewall VPN requires a minimum of two points: an initiator and a responder. The
responder must be a GTA firewall, while the initiator can be either a second VPN gateway or a GTA
Mobile VPN client.
GTA firewall VPN setup requires configuration of both:
• GTA firewall
• GTA Mobile VPN Client or a second VPN gateway (e.g. GTA firewall)
Instructions for VPN setup with Macintosh computers, third party firewalls and non-IPSec VPNs are available at the GTA web site (http://gta.com/support/documents/).
For more information on IPSec VPNs, see Elements of IPSec VPN Security.
Entering Feature Codes
When a VPN option or GTA Mobile VPN Client license package has been purchased, feature activation codes are required for client-to-gateway VPNs. If you have purchased a mobile VPN client license package, navigate to Configuration>System>Activation Codes and enter its feature activation code. Click Save.
The feature activation code necessary for activation can be retrieved from the GTA Support Center (https://www.gta.com/support/center/). Once logged in, click on View Products and select your firewall’s serial number. Your feature activation code will be displayed.
If a gateway-to-gateway VPN is not a standard feature of your firewall, and you have purchased a VPN option, also enter the VPN option’s feature activation code and click Save.
Running the VPN Setup Wizard
The VPN Setup Wizard is designed to help configure a simple Virtual Private Network (VPN) quickly and easily. The wizard will automatically create security policies to accept connections using the ESP (protocol 50) and UDP (ports 500 and 4500) protocols. These automatic policies can be turned off in the Configuration>VPN>IPSec Tunnels screen under the Advanced tab.
Note
All connections through the VPN are controlled by VPN policies, located at Configuration>Security Policies>Policy Editor>VPN Policies.
To run the VPN Wizard, navigate to Wizards>VPN Setup. Before running the wizard, it may be helpful to
print out the following worksheet:
Table 2.1: VPN Wizard Worksheet
Field: Description (the Value column is left blank for your own entry)
Local Network
Gateway: Select the logical interface that acts as the gateway to the local network. Typically, this will be the external interface.
Network: Select the address object of the configured network you wish to be able to connect to using the VPN. Select <USER DEFINED> to enter the local network’s IP address manually.
Identity: Enter the identity for the local network. The identity should be a fully qualified domain name or email address. This field is only required if the local network is behind a dynamic IP address.
Remote Network
Gateway Type (circle one: Dynamic / Static): Select the type of the remote network’s gateway. This field is only required if the local network is behind a dynamic IP address.
User Name: Enter the user name that will be used to connect to the remote network. This field is only required if the local network is behind a dynamic IP address.
Identity: Enter the identity for the remote network. This field is only required if the local network is behind a dynamic IP address.
Group: The user group that will be connecting to the remote network.
IP Address / Identity: If the remote network’s gateway is Static, enter its IP address. If the gateway is Dynamic, enter an IP address, email address or valid DNS resolvable host name to associate the remote gateway with a pre-shared secret key.
Network: The destination IP address of the network that resides behind the remote firewall. Select <USER DEFINED> to enter the IP address manually.
Pre-shared Secret
Pre-shared Secret Format (circle one: ASCII / Hex): The format of the pre-shared secret to be used by the VPN.
Configuring Gateway to Gateway Connections
The first screen of the wizard will prompt you to enter a brief description of the VPN. For example,
Orlando to New York.
Click the Next Arrow to continue.
Figure 2.1: Entering the VPN’s Description
Once a description has been entered, it will then be necessary to define the local network that will be establishing the VPN. For the local network’s Gateway, select the logical interface assigned to the external network. In most cases, this will be <EXTERNAL>.
For the Network, select the local network that is to be accessible via the VPN. If the desired local network is not listed, you may define it manually by selecting <USER DEFINED> and entering the network’s IP address in the corresponding field.
If the selected Gateway is dynamic, enter the Identity to be used. The Identity should be a fully qualified domain name or email address.
Click the Next Arrow to continue.
Figure 2.2: Defining the Local Network (Static Gateway)
To define the remote network that the VPN will be connecting to, it is necessary to select the nature of the IP address of the external network’s Gateway.
If it is a static (fixed) IP address, select the Static radio button and enter the gateway’s IP address in the Network field.
If the remote gateway is Dynamic, enter an IP address, email address or valid DNS resolvable host name in the User Name and Identity fields to associate the remote gateway with a pre-shared secret key. The Group field defaults to Firewalls, which sets the appropriate VPN settings for the connection.
Click the Next Arrow to continue.
Figure 2.4: Defining the Remote Network (Static Gateway)
A pre-shared secret is used to ensure a secure, trusted connection between host computers and the internal network. When configuring GTA Mobile VPN Clients for connection to the VPN, the pre-shared secret must match the pre-shared secret defined in this step in order to establish a connection.
Select the character set that the pre-shared secret will be defined with: ASCII or HEX (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F). Enter the pre-shared secret in the corresponding field. The Pre-shared Secret field is case sensitive.
Click the Next Arrow to continue.
Figure 2.6: Entering the Pre-shared Secret
The final screen of the VPN Setup Wizard is a summary view of all entered settings. Please review the VPN’s setup prior to committing the displayed configuration. To make changes to your basic setup, select the Back button to return to the appropriate screen.
Click the Save icon to save the displayed configuration, or select the Cancel icon to abort.
Configuring Gateway to GTA Mobile VPN Client Connections
To allow users to connect to the GTA firewall’s protected networks remotely using the GTA
Mobile VPN Client, the GTA firewall’s external gateway must have a static IP address. That is,
it cannot obtain its IP address using DHCP or PPP.
Note
The VPN Setup Wizard will only configure the GTA firewall to allow connections from the GTA Mobile VPN Client. For instructions on configuring the GTA Mobile VPN Client to connect to the GTA firewall, please refer to the GB-OS VPN Gateway & GTA Mobile VPN Client Option Guide.
To run the VPN Setup Wizard, navigate to Wizards>VPN Setup.
The first screen of the wizard will prompt you to enter a brief description of the nature of the VPN.
For example, Mobile VPN Connections.
Click the Next Arrow to continue.
Figure 2.8: Entering the VPN’s Description
Once a description has been entered, it will then be necessary to define the local network that will be accessible to users using the GTA Mobile VPN Client. For the local network’s Gateway, select the logical interface assigned to the external network. In most cases, this will be <EXTERNAL>.
For the Network, select the local network that is to be accessible via the VPN. If the desired local network is not listed, you may define it manually by selecting <USER DEFINED> and entering the network’s IP address in the corresponding field.
To define the remote network, where the Mobile VPN Client will be connecting from, set the Gateway Type to Dynamic.
Enter the Mobile VPN Client’s User Name and Identity in the appropriate fields. The Identity must be in the form of an email address. Set the Group to <Users>. For the Network, enter the IP address the GTA Mobile VPN Client should use.
Click the Next Arrow to continue.
Figure 2.10: Defining the Remote Network for GTA Mobile VPN Client Connections
A pre-shared secret is used to ensure a secure, trusted connection between host computers and the internal network. When configuring GTA Mobile VPN Clients for connection to the VPN, the pre-shared secret must match the pre-shared secret defined in this step in order to establish a connection.
Select the character set that the pre-shared secret will be defined with: ASCII or HEX (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F). Enter the pre-shared secret in the corresponding field. The Pre-shared Secret field is case sensitive.
Click the Next Arrow to continue.
The final screen of the VPN Setup Wizard is a summary view of all entered settings. Please review the VPN’s setup prior to committing the displayed configuration. To make changes to your basic setup, select the Back button to return to the appropriate screen.
Click the Save icon to save the displayed configuration, or select the Cancel icon to abort.
Configuring a VPN Connection Manually
To manually configure an IPSec VPN with a GTA firewall, six firewall aspects must be configured in order:
1. Feature activation codes
2. IPSec Tunnels
3. VPN objects (optional)
4. Encryption objects (optional)
5. VPN or GTA Mobile VPN Client authorization
6. VPN Policies (located at Configuration>Security Policies>Policy Editor>VPN Policies) (optional)
Additionally, the second VPN gateway (GTA firewall or third-party VPN gateway) or mobile VPN
client must be configured to reflect the same settings.
Creating VPN Configuration Objects
VPN objects determine how incoming VPN connections will be negotiated by defining what client or VPN gateway initiation behavior should be acceptable to your GTA firewall.
Default VPN Objects
By default, GB-OS has two VPN objects:
• Standard Dynamic
• Standard Static
Which VPN Object Should I Use?
Depending on whether your GTA firewall has a static or dynamic (DHCP/PPP) IP address, different VPN objects will be used.
If both VPN gateways have static IP addresses: each will use the Standard Static VPN object.
If an initiating VPN gateway (or mobile VPN client) has a dynamic IP address: the dynamically addressed initiator will use the Standard Dynamic VPN object.
Selecting the IPSec Key Mode
Key exchange, essential to authentication during IPSec VPN construction, can be accomplished either automatically using IKE or manually.
Using IKE (automatic key exchange), Phase I of the connection establishes an IKE security association (SA) that is later used to securely create an IPSec SA; it negotiates the VPN terms and authorizes the peer. Phase II establishes SAs for IPSec, providing source authentication, integrity and confidentiality.
Using manual key exchange, Phase I settings will be ignored by the GTA firewall.
Creating the VPN Connection
Presuming that you use the default VPN objects, navigate to Configuration>VPN>IPSec Tunnels.
Creating a VPN Connection using IKE IPSec Key Mode
Select the VPN object to be used for dynamic incoming connections from the Dynamic Incoming Connections pulldown. The default VPN object is Standard Dynamic.
Under the Advanced tab, ensure the Automatic Policies checkbox is enabled. This option will automatically configure the necessary VPN policies to allow ESP protocol 50/UDP ports 500 and 4500 on the configured VPN.
To create more restrictive VPN policies, navigate to Configuration>Security Policies>Policy Editor>VPN Policies.
Select New to create a new IPSec Tunnel.
Select the IPSec Key Mode. For this example, select IKE (automatic key mode).
To create a Manual VPN, see Creating a VPN Using Manual IPSec Key Mode.
Complete the VPN settings fields as described below:
Table 2.3: Creating a VPN Using IKE IPSec Key Mode
Field: Description
Disable: Check to disable all access for the configured IPSec tunnel.
Description: A description of the IPSec Tunnel.
IPSec Key Mode: IKE (automatic key exchange)
VPN Object: A selection for the VPN object used to define this VPN. See Which VPN Object Should I Use? for more information.
Pre-shared Secret: ASCII or HEX format value preshared secret as defined in the VPN. This same key needs to be entered in the GTA Mobile VPN Client when configuring the security policy.
Local
Gateway: Select an IP address, alias or HA group assigned to an external network interface on the local firewall that will serve as the VPN gateway. (For the second VPN gateway or mobile client, this IP address is the remote gateway.) This is the visible, non-encapsulated, non-encrypted IP address.
Network: Select the host/subnetwork that should be accessible from the VPN. Typically this is the protected network or PSN. Alternatively, select <USE IP ADDRESS> and enter the IP address(es) in the IP Address field.
Advanced
Identity: User IP address, domain name or email address for user authentication. This field is used to associate the local identity with a preshared secret key. Typically, this is <IP Address>.
Remote
Gateway: The IP address of the remote end of the VPN tunnel, the gateway to the remote network. If the remote network is behind a firewall, then this will be assigned to the external network interface. This IP address will also help determine the routing of the encapsulated packet.
Network: Previously defined address object or an IP address of the network that resides behind the remote firewall. This can be just the part of the network to which access is desired. (On a firewall, typically this will be the protected network, PSN or a subnet of either.) Use a subnet mask to define the class of network.
Advanced
Creating a VPN Connection using Manual IPSec Key Mode
Select the VPN object to be used for dynamic incoming connections from the Dynamic Incoming Connections pulldown. The default VPN object is Standard Dynamic.
Under the Advanced tab, ensure the Automatic Policies checkbox is enabled. This option will automatically configure the necessary security policies to allow inbound and outbound access on the configured VPN.
Select New to create a new IPSec Tunnel.
Select the IPSec Key Mode. For this example, select Manual.
Complete the VPN settings fields as described below.
Table 2.2: Creating a VPN Using Manual IPSec Key Mode
Field: Description
Disable: Check to disable all access for the selected VPN.
Description: A description of the VPN.
IPSec Key Mode: Manual
VPN Object: A selection for the VPN object used to define this VPN. See Which VPN Object Should I Use? for more information.
Local
Gateway: Select an IP address, alias or HA group assigned to an external network interface on the local firewall that will serve as the VPN gateway. (To the second VPN gateway or mobile client, this IP address is the remote gateway.) This is the visible, non-encapsulated, non-encrypted IP address.
Network: Select the host/subnetwork that should be accessible from the VPN. Typically this is the protected network or PSN. Alternatively, select <USER DEFINED> and enter the IP address in the IP Address field.
Remote
Gateway: The IP address of the remote end of the VPN tunnel, the gateway to the remote network. If the remote network is behind a firewall, then this will be assigned to the external network interface. This IP address will also help determine the routing of the encapsulated packet. Default is 0.0.0.0.
Network: Previously defined address object or an IP address of the network that resides behind the remote firewall. This can be just the part of the network to which access is desired. (On a firewall, typically this will be the protected network, PSN or a subnet of either.) Use a subnet mask to define the class of network.
Manual
Encryption Key: Select the format for the encryption key value: ASCII or HEX.
Hash Key: ASCII or HEX format value hash algorithm for the authentication transformation.
Security Parameter Index
Inbound SPI: Default value is 256.
Outbound SPI: Default value is 256.
Encryption Key Length
Blowfish encryption transformations use variable key lengths, while AES, DES and 3DES use a fixed length key. If you exceed the maximum key length in these fields, you will generate an error and not be able to save the configuration until it is corrected. You may enter a shorter length key; the system will pad it to the minimum key size. Higher-bit key size generally results in stronger encryption.
Table 2.3: Encryption Key Length
Algorithm | Key Size | ASCII and Hexadecimal Characters
AES-128 | 128 bits | 16 ASCII or 32 Hex
AES-192 | 192 bits | 24 ASCII or 48 Hex
AES-256 | 256 bits | 32 ASCII or 64 Hex
Blowfish | 40-448 bits | 5-56 ASCII or 10-112 Hex
DES | 64 bits | 8 ASCII or 16 Hex
3DES | 192 bits | 24 ASCII or 48 Hex
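The key-length rules in the table above, as an added example that is not GB-OS code: a small Python pre-check that tells you, before you type a manual-mode key into the IPSec Tunnels form, whether it would be accepted as-is, padded up to the minimum, or rejected for exceeding the maximum. The bit sizes and ASCII/Hex character counts are the table's; the padding byte (0x00), the `check_key` result fields and the message texts are assumptions of this example.

```python
"""Pre-check of a manual-mode IPSec encryption key against Table 2.3.

Added example, not GB-OS code. The bit sizes and character counts are the
table's; the padding byte (0x00) and the message texts are assumptions.
"""
import binascii
import re

# Key sizes in bits (minimum, maximum) per algorithm, from Table 2.3.
# Blowfish is the only variable-length method; the others are fixed.
KEY_SIZES = {
    "AES-128": (128, 128),
    "AES-192": (192, 192),
    "AES-256": (256, 256),
    "Blowfish": (40, 448),
    "DES": (64, 64),
    "3DES": (192, 192),
}

HEX_DIGITS = re.compile(r"^[0-9A-Fa-f]*$")


class KeyLengthError(ValueError):
    """Key exceeds the maximum for its algorithm: the form would refuse to save."""


def key_bytes(value: str, fmt: str) -> bytes:
    """Raw key bytes for a typed value: ASCII is one byte per character,
    HEX is two hex digits per byte (so a hex key needs an even digit count)."""
    fmt = fmt.upper()
    if fmt == "ASCII":
        return value.encode("ascii")  # non-ASCII input raises UnicodeEncodeError
    if fmt == "HEX":
        if not HEX_DIGITS.match(value) or len(value) % 2:
            raise ValueError("HEX keys use only 0-9/A-F and an even number of digits")
        return binascii.unhexlify(value)
    raise ValueError(f"unknown key format {fmt!r}")


def normalize_key(algorithm: str, value: str, fmt: str) -> bytes:
    """The key as the firewall would store it: rejected when longer than the
    maximum, padded (assumed: trailing 0x00 bytes) up to the minimum when shorter."""
    min_bits, max_bits = KEY_SIZES[algorithm]
    raw = key_bytes(value, fmt)
    bits = len(raw) * 8
    if bits > max_bits:
        raise KeyLengthError(
            f"{algorithm}: {bits}-bit key exceeds the {max_bits}-bit maximum "
            f"({max_bits // 8} ASCII or {max_bits // 4} Hex characters)"
        )
    if bits < min_bits:
        raw = raw.ljust(min_bits // 8, b"\x00")
    return raw


def check_key(algorithm: str, value: str, fmt: str) -> dict:
    """Summarise the outcome of entering this key. ok=False means the
    configuration could not be saved; padded=True means the firewall would
    lengthen the key you typed, so the value in use differs from your input."""
    try:
        raw = normalize_key(algorithm, value, fmt)
    except ValueError as exc:  # KeyLengthError and format errors
        return {"ok": False, "reason": str(exc)}
    return {"ok": True, "bits": len(raw) * 8,
            "padded": len(raw) > len(key_bytes(value, fmt))}


if __name__ == "__main__":
    # Constructed sample keys, one per outcome the table describes.
    samples = [
        ("AES-128", "0123456789abcdef", "ASCII"),  # exactly 16 ASCII: accepted
        ("AES-256", "tooshort", "ASCII"),          # 8 ASCII: padded to 32 bytes
        ("3DES", "ff" * 25, "HEX"),                # 50 Hex digits > 48: rejected
        ("Blowfish", "ab", "ASCII"),               # 16 bits < 40: padded to 5 bytes
        ("DES", "0g", "HEX"),                      # 'g' is not a hex digit: rejected
    ]
    for algorithm, value, fmt in samples:
        print(algorithm, fmt, repr(value), "->", check_key(algorithm, value, fmt))
```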
Configuring a Custom VPN Object
VPN objects configure how incoming VPN connections will be negotiated by defining what client or VPN gateway initiation behavior should be acceptable to your GTA firewall. Appropriate VPN configuration objects vary with the type of VPN connection and your security policies.
Encryption objects are used to easily reference encryption settings when configuring a VPN object. For more information, see Configuring an Encryption Object.
To create or configure an existing VPN object, navigate to Configuration>System>Object Editor>VPN Objects.
Table 2.4: Configuring a VPN Object
Field Name: Description
Disable: Disables the VPN object for use in a VPN configuration.
Name: A unique name for the VPN object to reference it throughout the firewall’s configuration.
Description: A brief description to describe the use of the VPN object.
Phase I
Exchange Mode: Specify flexible (<main>) or forced (<aggressive>) negotiation of acceptable encryption algorithms for IKE. Aggressive mode is required if one component of the VPN has a dynamic (DHCP or PPP) IP address, such as with a dynamically-addressed VPN gateway or mobile VPN client.
Encryption Object: A selection for the level of encryption to be used by the VPN object. For more information on configuring encryption objects, see Configuring a Custom Encryption Object.
Advanced
Force Mobile Protocol: A toggle used to switch forced negotiation suited to VPNs involving dynamic IP addresses, including VPN gateways with dynamic (DHCP or PPP) IP addresses.
Force NAT-T Protocol: A toggle used to switch on or off forced use of NAT-T (Network Address Translation - Traversal) for connections that do not require NAT-T (are not using NAT that denies VPN IKE connections).
Lifetime: Specify the length of time in minutes before the Phase I (IKE) security associations must be renewed. Shorter times are generally more secure, but may reduce performance by adding renewal overhead time to the connection.
DPD Interval: Specify the interval in seconds between checks for continued viability of the VPN connection (also known as dead peer detection). To disable DPD queries made by this firewall, set the interval to 0; the firewall will still respond to DPD signals from other VPN gateways and clients, but will not initiate any signals of its own.
Phase II
About Phase I
Phase I establishes VPN peer identities (keys) that can be tested for authenticity and establishes initial security associations (SAs) correlating hosts to encryption methods, securing further VPN negotiation/setup communications, and not actual transfers of user data.
During Phase I, the Diffie-Hellman cryptographic technique uses random and prime numbers to generate a secondary number. These secondary numbers are then exchanged, and each host uses a combination of these secondary numbers as keys. Because predicting random numbers and determining prime numbers are both computationally difficult, knowledge of the random and prime numbers behind the generation of a key can be used to prove host authenticity. Increased computational power means that a key may eventually be computed; this is the reason why key-based security such as VPN phases must be periodically regenerated to guarantee the authenticity of a packet’s source.
Once Diffie-Hellman key exchanges have been performed (automatically with IKE or manually), these temporary keys are used to prove the authenticity of hosts requesting the encryption and hash methods to be used during Phase II negotiations.
Automatic key exchange (IKE) uses Phase I settings during its automatic negotiations. Manual key exchange does not use Phase I settings, because the firewall does not provide automatic negotiations in manual mode.
About Phase II
Phase II uses the host authenticity and the agreed initial hash and encryption established in Phase I to protect secondary negotiations for authenticity, data integrity and confidentiality settings. These secondary settings are used in the actual transfer of user data.
Using the temporary protection mechanisms devised during Phase I, Phase II again performs negotiations for keys, hashes and encryption that will be used to protect the transfer of actual user data.
C o n f i g u r i n g a C u s t o m e n c r y p t i o n o b j e c t
Encryption objects are used to easily reference encryption settings when configuring a VPN object.
By default, GB-OS ships with five built-in encryption objects that are pre-configured with varying
levels of encryption. They can be viewed and duplicated, but cannot be edited or deleted.
Table 2.5: Configuring a Custom Encryption Object
Field Description
Disable Disables the configured encryption object.
Name A unique name for the encryption object to reference it throughout the firewall’s configuration.
Description A brief description of the use of the encryption object.
Encryption Method Select the encryption algorithm that the firewall should accept for VPN data transfers. Default is <AES-192>. For more information on what encryption method to select, see Encryption Method.
Hash Algorithm Select the hash algorithm that should be used to provide checks for packet tampering. Default is <HMAC-SHA1>. For more information on what hash algorithm to select, see Hash Algorithm.
Key Group Select the Diffie-Hellman key group (bit size of the key) to use in
Encryption Methods
Different encryption methods use proprietary methods for generating keys used to verify VPN data
transfers. GTA firewalls support the following encryption methods:
Table 2.6: Encryption Methods
Field Description
None None provides neither encryption nor encapsulation when establishing a VPN connection.
Null Null provides IP encapsulation, but no encryption. There are no security benefits when <Null> is selected, but it is useful to transport non-IP protocols when using NAT between firewalls.
AES 128-256 Advanced Encryption Standard; AES has become the new United States federal standard for encrypting commercial and government data. AES, with a key strength of 192 bits, is the default encryption level used by GB-OS encryption objects.
Blowfish Blowfish is fast, supports long keys and is widely recognized throughout the security industry. Blowfish has been known to perform nearly twenty times faster than DES encryption.
DES Data Encryption Standard; an algorithm used for encryption which was the official algorithm of the United States Government. DES has since been replaced by the AES algorithm.
3DES 3DES, often referred to as Triple DES, is three rounds of DES encryption. Each round uses a different permutation of your key. 3DES is a secure algorithm, yet can impact performance.
Strong Selecting <Strong> allows use of any encryption algorithm, a suitable selection when the VPN object’s Phase I Exchange Mode is set to <Main>.
Hash Algorithm
The encryption object’s Hash Algorithm is used to perform packet tampering checks in the Phase I
and Phase II authentication headers. GTA firewalls support the following hash algorithms:
Table 2.7: Hash Algorithms
Field Description
None <None> provides no authenticity checks on the connection.
HMAC-MD5 A one-way hash function that creates a 16-byte (128-bit) hash or message digest to authenticate packet data.
HMAC-SHA1 A one-way hash function that creates a 20-byte (160-bit) hash or message digest to authenticate packet data. SHA is more resistant to attacks than MD5, but slower to compute.
HMAC-SHA2 A one-way hash function from the SHA-2 family that creates a longer message digest than SHA1 to authenticate packet data.
GTA VPN Option Guide Setup
Key Group
The encryption object’s Key Group is used to exchange the VPN’s pre-shared secret using a
Diffie-Hellman exchange. In a Diffie-Hellman exchange, two parties independently generate random
public and private values. Each sends their public value to the other (using authentication to foil
man-in-the-middle attacks); the private values remain secret. Each then combines the public key
received with their own private key. The resulting key is the pre-shared secret and it is identical for
both sides.
When selecting the bit size of the Diffie-Hellman group, keep in mind that while a larger bit size is
generally more secure, it can significantly increase the amount of time it takes to decrypt content.
GB-OS encryption objects default to <Diffie-Hellman Group 2 (1024 bits)>.
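The Phase I exchange described in About Phase I and the Key Group and Hash Algorithm passages above, worked through in code. This is an added example, not code from the guide or from GB-OS: two constructed endpoints run a Diffie-Hellman exchange over the 1024-bit Oakley Group 2 parameters (RFC 2409, section 6.2), derive a keyed-hash key from the shared result, and then use an HMAC of the kind the Hash Algorithm field selects to detect a tampered payload. The key derivation is a simplified stand-in for IKE's SKEYID computation, not the real one.

```python
"""Added example: Diffie-Hellman (Oakley Group 2) plus an HMAC tampering check.
Endpoints, payloads and private values are constructed for the demonstration."""
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2, "Second Oakley Group": 1024-bit MODP prime, generator 2.
# This is the <Diffie-Hellman Group 2 (1024 bits)> that GB-OS objects default to.
GROUP2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_GENERATOR = 2


class DhParty:
    """One VPN endpoint: keeps its private value secret and publishes g^x mod p."""

    def __init__(self, private_value=None):
        # A fixed private_value is only for reproducible tests; real peers draw
        # from a cryptographically secure generator, as secrets.randbelow does.
        if private_value is None:
            private_value = secrets.randbelow(GROUP2_PRIME - 3) + 2
        self.private = private_value
        self.public = pow(GROUP2_GENERATOR, self.private, GROUP2_PRIME)

    def shared_secret(self, peer_public):
        """Combine the peer's public value with our private value: (g^y)^x mod p."""
        # Reject degenerate public values (0, 1, p-1) that would force a
        # predictable shared secret regardless of our private value.
        if not 1 < peer_public < GROUP2_PRIME - 1:
            raise ValueError("peer public value out of range")
        return pow(peer_public, self.private, GROUP2_PRIME)


def derive_hmac_key(shared_secret, hash_name="sha1"):
    """Reduce the 1024-bit shared secret to a fixed-size HMAC key (simplified,
    stands in for IKE's SKEYID derivation). Returns 16 bytes for md5, 20 for sha1."""
    raw = shared_secret.to_bytes((GROUP2_PRIME.bit_length() + 7) // 8, "big")
    return hashlib.new(hash_name, raw).digest()


def authenticate(key, payload, hash_name="sha1"):
    """Integrity tag of the kind carried in an authentication header."""
    return hmac.new(key, payload, hash_name).digest()


def verify(key, payload, tag, hash_name="sha1"):
    """Constant-time comparison so a forged tag cannot be guessed byte by byte."""
    return hmac.compare_digest(authenticate(key, payload, hash_name), tag)


def demo():
    """Run the exchange between a constructed firewall and client; return checks."""
    firewall, client = DhParty(), DhParty()
    k_firewall = firewall.shared_secret(client.public)
    k_client = client.shared_secret(firewall.public)
    key = derive_hmac_key(k_firewall)
    packet = b"constructed ESP payload"  # constructed sample data
    tag = authenticate(key, packet)
    return {
        "agree": k_firewall == k_client,          # both sides hold the same secret
        "valid": verify(key, packet, tag),        # untouched packet verifies
        "tampered": verify(key, packet.replace(b"ESP", b"XSP"), tag),  # must fail
        "tag_len": len(tag),                      # 20 bytes for HMAC-SHA1
    }
```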
Configuring VPN Policies
By default, GB-OS will automatically configure the necessary security policies to allow inbound
and outbound access for all configured VPNs. If this has been toggled off (the setting is available
under the Advanced tab located on the Configuration>VPN>IPSec Tunnels screen), it is necessary to manually
define VPN policies to allow VPN traffic (ESP (protocol 50) and UDP (ports 500 and 4500)).
Note
It is recommended to have automatic policies enabled on the Configuration>VPN>IPSec Tunnels screen to
simplify the VPN configuration process.
Creating Authorization
If the configured IPSec Tunnel is to be used by mobile users using the GTA Mobile VPN Client, it is
necessary to define how the mobile users will be authenticating with the firewall.
After configuring a VPN connection, use the Configuration>Accounts section to configure mobile users
by assigning them to groups and defining their user accounts. User groups are used to assign
users to a VPN object and local network. User accounts, pooled in user groups, are used to
define the identity and password to be entered when authenticating with the firewall.
Creating Groups
Groups are used to define the VPN object and local network that GTA Mobile VPN Client users will
be using.
When defining a group, additional groups can also be added to the group being defined to pool
additional users. This can be useful if a policy is being defined that is required to affect multiple
groups.
Groups are configured under Configuration>Accounts>Groups.
Table 2.8: Creating Groups
Field Name Description
Disable Disables the group.
Name The name for the group.
Description A short description to identify the use of the group.
Mobile VPN
Disable Disables VPN access for the user group.
Authentication Required A toggle for whether users configured under the group should be required to authenticate with the firewall using the GTA Mobile VPN Client.
VPN Object The VPN object to be used by the user group.
Local Network The local network that users organized within the configured group can access.
Creating Users
User accounts are used to define the identity and password to be entered when mobile users
authenticate with the firewall.
Table 2.9: Creating User Accounts
Field Name Description
Disable Disables the account.
Name The name for the account.
Description A short description to identify the use of the account.
Identity Used for authentication purposes, this is typically the user’s email account.
Group A selection for the user’s user group. Selecting ??? means no user group has been selected.
See Creating Groups for more information.
Authentication
Method Select the method for authentication.
Password The password for user authentication.
Mobile VPN
Disable Disables VPN access for the account.
Remote Network The IP address or address object of the remote network.
IP Address If <USER DEFINED> is selected as the remote network, then enter the IP address here.
GTA Mobile VPN Client Setup
If laptop computers and other non-gateway servers and computers will connect to your GTA
Firewall’s VPN, install and configure GTA Mobile VPN Client software on those computers.
Additional Mobile VPN Client licenses are available for purchase separately from an authorized
GTA Channel Partner or GTA sales.
Note
Installation and configuration instructions assume that the client computer is not behind a router that requires modification.
Installing the GTA Mobile VPN Client
The installation process for the GTA Mobile VPN Client is typical for Windows®-compatible software.
Note
Microsoft Windows Vista is currently not supported by the GTA Mobile VPN Client. Microsoft Windows Vista support will be included in a future release.
To install the GTA Mobile VPN Client software:
1. Login to the Windows computer under an administrative account.
2. Start the installer. Click the Next button to read the license agreement. If you agree to the
Activating the GTA Mobile VPN Client
The GTA Mobile VPN Client requires activation for any use beyond the initial thirty day evaluation period. The license number necessary for activation can be retrieved from the GTA Support
Center (https://www.gta.com/support/center/). Once logged in, click on the View Your Registered
Products link and select your firewall’s serial number. Your GTA Mobile VPN Client license number
will be displayed in the Activation Codes section.
Note
Should your GTA Mobile VPN Client license number not be displayed in the Activation Codes section, make sure your GTA Firewall is running GB-OS version 3. or greater. If you have a current support contract, please upgrade your GTA firewall and then retrieve the activation code. If you do not have a current support contract, you will need to contact GTA’s sales department or your local GTA Channel Partner.
To activate the GTA Mobile VPN Client:
1. Open the GTA Mobile VPN Client to start the activation wizard. If the client is already open and running, navigate to ?(Help)>Activation Wizard.
Figure 3.1: Activation Wizard
2. Click the Activate button. Doing so will display the following screen:
3. The GTA Mobile VPN Client license number needs to be entered either as a single string of twenty characters (12345678901234567890) or four sets of six characters (123456-123456-123456-123456). If your license number is four sets of six characters, you will need to switch
the format of the License Number field to allow entry of your license number. To do so, select the
Click here to enter... link.
Figure 3.3: Switching the License Number Format
4. Enter the GTA Mobile VPN Client license number and click Next. A successful activation will
display the following screen:
Figure 3.4: Completing the Activation Wizard.
Configuring the VPN Client Software
To connect your computer to the GTA Firewall’s VPN, you must first input connection settings into
the GTA Mobile VPN Client.
You may use the Configuration Wizard to configure the software. It will configure the client for a
connection compatible with default GB-OS firewall settings. If you elect to use the VPN client
configuration wizard, you do not need to complete the manual configuration instructions later in
this section. For more information, see Running the Configuration Wizard.
Use the included worksheet on the following page to collect settings for your VPN client. Enter
the settings as required by tunnel, Phase 1 or Phase 2 setup. Once your VPN client is configured,
start/stop your VPN connection as desired.
For more information on advanced mobile VPN client features such as automatic start/stop of your
VPN connection, see Advanced Mobile Client Setup.
Running the Configuration Wizard
Running the configuration wizard will configure the GTA Mobile VPN Client for a connection
compatible with default GB-OS firewall settings. Settings for your GTA Mobile VPN Client must
match your firewall’s VPN configuration object and authorization settings. Contact your network
administrator to obtain matching VPN settings.
To run the configuration wizard, navigate to VPN Configure>Config. Wizard and complete the available
fields. Once complete, click Next. The next screen will allow you to review your settings. If
correct, click Finish.
VPN Settings Worksheet
Print and fill out the below fields for assistance when configuring the GTA Mobile VPN Client.
Table 3.1: VPN Settings Worksheet
Field Value
Firewall IP Address 000.000.000.
Phase 1
Name
Interface 000.000.000.
Remote Gateway 000.000.000.
Preshared Key
IKE
Encryption (circle one) DES 3DES AES 128 AES 192 AES 256
Authentication (circle one) MD5 SHA
Key Group (circle one) DH768 DH1024 DH1536 DH2048
Phase 2
Name
VPN Client Address 000.000.000.
Address Type (circle one) Single Address Subnet Address
Remote LAN Address 000.000.000.
Subnet Mask 000.000.000.
ESP
Encryption (circle one) DES 3DES AES 128 AES 192 AES 256
Authentication (circle one) MD5 SHA
Mode (circle one) Tunnel
Manually Configuring the GTA Mobile VPN Client
If you wish to manually configure the GTA Mobile VPN Client, configure the client using the
following instructions.
Entering Preferences (Parameters)
Parameters for phase lifetime and dead peer detection (DPD) do not need to match the settings of
your GTA firewall, but agreement between the two is beneficial.
To enter lifetimes and DPD intervals for Phase 1 and 2 of your VPN:
1. Start the GTA Mobile VPN Client software (or click its icon in the system tray to display the Configuration Panel).
2. Click the Parameters icon located in the left hand menu.
3. Enter your IKE and IPSec (Phase 1 and 2) lifetimes in the lifetime fields. Values entered are in
seconds. Times specify when keys should be renewed and security associations recreated. Shorter times are generally more secure, although they can add performance overhead to the VPN.
Note
The maximum lifetimes for the GTA Mobile VPN Client must be less than the lifetime indicated by the firewall.
4. Enter your Check Interval for dead peer detection (DPD). Do not enter a value of 0.
5. Configure Miscellaneous settings as desired. Retransmissions defines how many times the client
will attempt to retransmit a message before giving up. Delay Between Retries defines the amount
of time, in seconds, before the client will attempt to retry opening a connection. Leave the IKE Port field blank.
6. Leave Block Non-Ciphered Connection
Configuring Phase 1 (Authentication)
Phase 1 settings must match your GTA firewall settings. Defaults for Phase 1 are AES-192
encryption, SHA hashes and Diffie-Hellman Group 2 (1,024-bit) keys.
To enter Phase 1 settings of your VPN:
1. Start the GTA Mobile VPN Client (or click its icon in the system tray to display the configuration window).
2. Right-click the Configuration menu item and select New Phase 1. A new sub-item to the Configuration tree will appear. It will be given a default name, such as CnxVpn1, that you may change by editing the name field.
3. Enter a new name, if desired, with no spaces or special characters (e.g., Office_Phase_1).
4. Select the Interface (network card) that will be used (select Any to indicate all available network
cards).
5. Enter the Remote Gateway, which should be the external IP address or domain name of your GTA
firewall.
6. Enter the Pre-Shared Key (secret) for your VPN and then Confirm it.
7. Enter appropriate IKE settings such as Encryption, Authentication and Key Group.
8. Click the P1 Advanced button.
Check the Aggressive Mode checkbox. Set NAT-T to <Automatic>.
Enter your Local ID. The value will be the email address indicated in your firewall’s Users
configuration, so select the type indicating <Email>.
Enter the Remote ID of the firewall. The value should be the external IP address of the firewall,
so select the type indicating <IP address>.
Click OK.
9. Click Save & Apply to complete Phase 1 configuration.
Configuring Phase 2 (IPSec Configuration)
Phase 2 settings must match your GTA Firewall’s settings. Defaults for Phase 2 are 3DES encryption, SHA hashes and Diffie-Hellman Group 2 (1,024-bit) keys.
To enter Phase 2 settings of your VPN:
1. Start the GTA Mobile VPN Client (or click its icon in the system tray to show a configuration window).
2. Right-click on the previously created Phase 1 configuration. Select Add Phase 2. A new sub-item to the Configuration tree will appear, underneath the Phase 1 configuration. It will be given a default name, such as CnxVpn1, that you may change by editing the name field.
3. Enter a new name, if desired, with no spaces or special characters (e.g., Office_Phase_2).
4. Enter the VPN Client Address, which is the IP address your computer will use when attached to
the firewall’s internal network.
5. Select the Address Type. This will be a subnet address if you are connecting to the firewall’s
internal network. It will be a single IP address if you are connecting to only one host such as another GTA Mobile VPN Client.
Enter the Remote Host Address. This will be the IP address of the firewall’s internal network with
subnet mask if you are connecting to the firewall’s internal network.
6. Enter ESP settings such as Encryption, Authentication and Tunnel mode. Note that these settings
may be different than those used in Phase 1.
7. Check the PFS (perfect forward secrecy) checkbox.
8. Select the Diffie-Hellman Key Group.
9. Click Save & Apply. If you wish to open your VPN connection immediately, click Open Tunnel.
Figure 3.7: Configuring Phase 2 (IPSec)
Starting and Stopping VPN Client Connections
Your VPN client software can be configured to automatically start or stop your VPN connection.
This can be particularly useful if your primary network traffic must use the VPN, or if you always
use the same VPN settings. You can also select to start and stop your VPN connections manually.
For a fully automated VPN solution, you may also elect to automatically start your VPN client software. For more information on automatic startup of your VPN client, see Startup Modes.
To automatically start your VPN connection:
1. Start the GTA Mobile VPN Client (or click its icon in the system tray to show a configuration window).
2. Select a Phase 2 configuration item in the Configuration tree and click the P2 Advanced button.
3. If you wish your VPN connection to begin automatically upon start of the VPN client software, check the Automatically open this tunnel when VPN Client starts check box.
4. If you wish your VPN connection to start automatically upon insertion of a USB drive/stick containing a VPN client configuration, check the Automatically open this tunnel when USB stick is
inserted check box.
5. Click Save & Apply.
6. If you are using automatic connection startup that occurs upon insertion of a USB drive/stick, insert the USB drive/stick. Select File then Export VPN Configuration from the menu. Choose the location of the USB drive/stick and save the exported configuration there.
To manually start and stop your VPN connection:
1. Start the GTA Mobile VPN Client software (or click its item in the system tray to show a configuration window).
2. Click a Phase 2 configuration item in the Configuration tree. Click Open Tunnel to start the VPN connection.
3. Click the Connections icon in the left hand menu to view your open VPN connections.
4. To stop a VPN connection, click the VPN connection and click Close Tunnel.
Advanced GTA Mobile VPN Client Setup
The GTA Mobile VPN Client has several features to enable use on servers, desktop or laptop
computers.
Advanced Phase 1 Configuration
For advanced features and parameters when configuring Phase 1, click the P1 Advanced button.
Figure 3.8: Phase 1 Advanced
Table 3.2: Advanced Phase 1 Configuration
Field Value
Config Mode Config Mode is currently not supported on GTA firewalls.
Aggressive Mode Aggressive Mode creates a more efficient connection, and it is recommended that it be enabled.
Redundant GW This field allows the GTA Mobile VPN Client to open an IPSec tunnel with an alternate gateway in case the primary gateway is down or is not responding. Enter either the IP address or DNS resolvable host name of the redundant gateway (e.g., router.gta.com).
NAT-T A selection for when Network Address Translation Traversal should be used. Typically, <Automatic> should be selected. Other options include <Forced> and <Disabled>.
Advanced Phase 2 Configuration
For advanced features and parameters when configuring Phase 2, click the P2 Advanced button.
Figure 3.9: Phase 2 Advanced
Table 3.3: Advanced Phase 2 Configuration
Field Value
Automatic Open Mode The GTA Mobile VPN Client can automatically open the specified tunnel on the following specific events:
• When the GTA Mobile VPN Client starts.
• When a USB Drive is inserted. If the VPN configuration file location is not set to USB Stick, then this field is ignored. See USB Drive Mode.
• Upon traffic detection.
Launching Scripts
The GTA Mobile VPN Client can be configured to launch a script or application when a certain
action is performed by the user. For example, this feature can be used to launch a program that
requires resources available on the remote network, or to display an acceptable use policy when
the tunnel is opened.
To launch scripts or applications, click the Scripts button when configuring Phase 2 settings.
Scripts can be configured to launch:
• When the user attempts to open a tunnel.
• When the tunnel is successfully opened.
• When the user attempts to close the tunnel.
• When the tunnel is successfully closed.
Figure 3.10: Launching Scripts