VPN

From Wiki@Commgate

Desktop-to-lan / PPTP

Overview

VPN Server - PPTP Information
  Description:        Virtual Private Network PPTP server.
  Package Name:       cc-pptpd
  Configuration Page: Network > VPN > PC-to-LAN


The PPTP server is a secure and cost-effective way to provide road warrior VPN connectivity. The PPTP VPN client is built into Windows 98, ME, 2000, and XP. No extra software is required, and CommGate provides full password and data encryption.

Installation

If you did not select this module to be included during the installation process, you must first install the module.

Configuration



Configuring the PPTP Server



Local IP and Remote IP

You must select a range of LAN IP addresses for the PPTP VPN connections. This range should be on the same network as your local area network. By default, the DHCP Server on CommGate only uses IP addresses above x.x.x.100. All addresses below this number are reserved for static use. We strongly suggest you use this sub-100 static range for PPTP.

Encryption Key Size

Most PPTP VPN clients support the stronger 128-bit encryption key. However, some VPN clients (especially handheld computers and mobile phones) can only support 40-bit encryption. Change the encryption key size to meet your needs.

Domain

The default domain used by the PPTP client.

WINS Server

The Microsoft Networking WINS server used by the PPTP client. Depending on your network configuration, you may need to specify the WINS settings in the VPN client configuration.

DNS Server

The DNS server used by the PPTP client.

Usernames and Passwords

PPTP users must have a valid account with the PPTP option enabled. See the Users Configuration page for more information.

Configuring Microsoft Windows



Configuring Windows 95/98

  • For stronger encryption and improved performance, install the latest version of Dial-Up Networking. See 128-bit Encryption for Windows 95/98
  • Install the Virtual Private Networking client from the Windows 98 CD. Use the Add/Remove Programs tool in the Control Panel. Click on the Windows Setup tab, and select Communications from the list. Click on the Details button and make sure Virtual Private Networking is selected (see screenshot). You may need to reboot your system after changing this setting.
  • The PPTP Client in Windows 98 is part of the Dial-up networking tools. It may seem strange using dial-up networking over another dial-up connection (or in some cases over broadband)... but that is the way it is.
  • Go to dial-up networking by clicking on My Computer on your desktop.
  • Click on Make New Connection.
  • Name the connection and select the Microsoft VPN Adapter.
  • Continue with the wizard and enter the IP or Hostname of the PPTP server.
  • You are not quite done yet. Right-click on the VPN connection you just created.
  • Select the Server Types tab.
  • Make sure Require encrypted password and Require data encryption are selected (see screenshot).
  • Disable the NetBEUI and IPX/SPX protocols (unless you really need them).
  • Click on the TCP/IP Settings button.
  • Use the default gateway on the remote network (see screenshot). This may not be necessary in some situations.

Image:vpn-ss_pptpd_win98_install.png

Image:vpn-ss_pptpd_win98_config1.png

Image:vpn-ss_pptpd_win98_config2.png

Configuring Windows XP

The PPTP client is built into Windows XP.

  • Go to the Control Panel.
  • Click on Network and Internet Connections (this step may not be necessary).
  • Click on Network Connections.
  • Click on Create a New Connection to start the configuration wizard (see screenshot).

Image:vpn-ss_pptpd_xp_config0.png

  • Select Connect to the network at my workplace.
  • Select Virtual Private Network connection.
  • Add a connection name, dial settings, and the hostname.
  • Click on the Properties button (or right-click on the new connection and select Properties from the menu).
  • Select the Security tab.
  • Make sure Require data encryption is selected.

Image:vpn-ss_pptpd_xp_config2.png

  • Select the Networking tab.
  • From the Type of VPN drop box, select PPTP VPN.

Image:vpn-ss_pptpd_xp_config1.png

Troubleshooting



Error 619, PPTP and Firewalls

PPTP requires special software when passing through gateways/firewalls. If you are having trouble connecting to a PPTP server, make sure any gateways/firewalls between your desktop and the CommGate server support PPTP passthrough mode. If you see the following in the /var/log/messages log file on the CommGate system, then it is likely a PPTP passthrough issue on the client side of the connection:

  PTY read or GRE write failed

Note: you can view log files via the web-based administration tool -- go to Reports > Logs in the menu.

Another quick way to diagnose the issue is by connecting to the PPTP server while connected directly to the local network. With a direct connection to the CommGate PPTP server, you can eliminate the potential for the PPTP passthrough issue.
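As an added example (not CommGate's own tooling), the check below walks through constructed /var/log/messages lines written in the style of pptpd's CTRL messages, ties each "PTY read or GRE write failed" to the client that opened that control connection, and applies the rule of thumb above: a failure from a client on the local LAN cannot be a passthrough problem, while one from a remote client probably is. The log lines, process ids and addresses are all constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of /var/log/messages lines written in the style of pptpd's
# "CTRL:" messages; they are not taken from a real CommGate system.
SAMPLE_LOG = """\
Mar  3 10:01:12 commgate pptpd[2041]: CTRL: Client 203.0.113.7 control connection started
Mar  3 10:01:44 commgate pptpd[2041]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Mar  3 10:01:44 commgate pptpd[2041]: CTRL: Client 203.0.113.7 control connection finished
Mar  3 10:05:02 commgate pptpd[2077]: CTRL: Client 192.168.1.55 control connection started
Mar  3 10:05:40 commgate pptpd[2077]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Mar  3 10:09:30 commgate pptpd[2102]: CTRL: Client 203.0.113.7 control connection started
Mar  3 10:10:01 commgate pptpd[2102]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
"""

CTRL_LINE = re.compile(r"pptpd\[(?P<pid>\d+)\]: CTRL: (?P<msg>.*)$")
CLIENT_START = re.compile(r"Client (?P<ip>\S+) control connection started")
GRE_FAILURE = "PTY read or GRE write failed"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def gre_failures_by_client(log_text):
    """Return {client IP: number of GRE failures} for the sessions in log_text.
    pptpd forks one process per control connection, so the pid in the syslog tag
    ties a later failure message back to the client that opened the session."""
    session_client = {}          # pid -> client IP of that control connection
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = CTRL_LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        start = CLIENT_START.match(msg)
        if start:
            session_client[pid] = start.group("ip")
        elif GRE_FAILURE in msg and pid in session_client:
            failures[session_client[pid]] += 1
    return dict(failures)

def diagnose(log_text):
    """Rule of thumb from the page: a LAN client (RFC 1918 address) has no gateway
    between it and the server, so its GRE failures are not a passthrough issue."""
    verdicts = {}
    for ip, count in gre_failures_by_client(log_text).items():
        on_lan = any(ipaddress.ip_address(ip) in net for net in RFC1918)
        verdicts[ip] = ("local client, not a passthrough issue" if on_lan
                        else f"remote client, {count} GRE failure(s): check PPTP passthrough")
    return verdicts
```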

PPTP Passthrough

If you are connecting a desktop from behind a CommGate gateway to a remote PPTP server, then you need to have PPTP passthrough software installed and enabled on the firewall.

However, we do not recommend running PPTP Passthrough and a PPTP server simultaneously. By default, the CommGate gateway will automatically disable PPTP Passthrough when the firewall is configured to allow PPTP server connections. If you would like to run PPTP Passthrough and a PPTP server simultaneously, follow the Force PPTP Passthrough documentation.

Two PPTP Connections to the Same Server

The PPTP protocol does not allow two VPN connections from the same remote IP address. In other words, if you have two people behind a gateway (for example, CommGate) connecting to the same PPTP server, then the connection should fail. Note: it is fine to have two people behind a gateway connecting to different PPTP servers.

Some PPTP servers and gateways (including CommGate) do make an exception for this shortcoming. However, some PPTP servers may strictly follow the standard below:

"The PPTP RFC specifies in section 3.1.3 that there may only be one control channel connection between two systems. This should mean that you can only masquerade one PPTP session at a time with a given remote server, but in practice the MS implementation of PPTP does not enforce this, at least not as of NT 4.0 Service Pack 4. If the PPTP server you're trying to connect to only permits one connection at a time, it's following the protocol rules properly. Note that this does not affect a masqueraded server, only multiple masqueraded clients attempting to contact the same remote server."

Links



LAN-to-LAN / IPsec



Overview

VPN Server - IPsec Information
  Description:        Virtual Private Network tools for LAN-to-LAN connections.
  Package Name:       cc-ipsec
  Configuration Page: Network > VPN > LAN-to-LAN

You can use the web-based administration tool to create a connection with other CommGate servers (on licensed systems, dynamic IP support is included).

Installation

If you did not select this module to be included during the installation process, you must first install the module.

Configuring Connections with Managed VPN

Managed VPN support not only simplifies configuration, but also improves the up-time of the connections. In order to create a connection between two systems, you need to configure both CommGate systems.

Warning! If you are configuring a VPN connection between your local gateway and a remote gateway, configure the remote gateway first. Once the VPN is started on the remote system, it will only be accessible when the VPN connection is up. If you run into trouble configuring the tunnel, you can use a dial-up or other location to access the remote system.

From the web-based administration tool, click on Create in the Managed VPN Connections box. You need to:

  • Select the IP address of the remote end of the connection
  • Type in a pre-shared secret (password)



Create a Connection

Image:vpn-ss_ipsec_managed_create.png

On the first connection or when an IP address changes, it may take a few minutes for the connection to synchronize.

Warning! The two LAN networks at either end of the VPN connection must not overlap! If you need to change the LAN IP address/network on your CommGate server, please use the Administration Console.



Configuring Un-managed VPN Connections (not recommended)



Select Headquarters and Satellite

Pick one server to be the "Headquarters" and the other to be the "Satellite". This is just a naming convention -- pick a convention and stick with it! The OpenSWAN documentation uses "left" and "right" in their documentation. This can be confusing at times, so we also use an alternate set of names: "headquarters" and "satellite".

Gather Network Information

You must gather some network information for the IPsec server configuration, namely: the IP address, next hop (gateway), and LAN network for both sides of the connection. Make sure these settings are correct -- you will save many hours of pain and frustration. The information for the local CommGate system is shown when you start to configure an unmanaged VPN connection.

Warning! The two LAN networks at either end of the VPN connection must not overlap! If you need to change the LAN IP address/network on your CommGate server, please use the Administration Console.



Select a Connection Name and Pre-Shared Secret

Once you have your network settings in hand, enter the information on both ends of the VPN connection. Enter a simple nickname for the connection along with a strong pre-shared secret. When configuring the other end of the VPN connection, do not be tempted to swap the Headquarters and Satellite information! The configuration screens on both ends of the connection will look exactly the same.

Image:vpn-ss_webconfig_ipsec.png

Sanity Checking

Start the IPsec server on both ends of the connection. Do not use Windows Network Neighborhood to verify the VPN (there is a Howto on getting your Windows Network up and running). Instead, make sure you can ping from:

  • gateway to gateway
  • gateway to remote PC
  • remote PC to gateway
  • remote PC to remote PC

If the connection fails, double-check your network settings and restart your firewall. Look in the log files -- /var/log/messages and /var/log/secure -- for error messages.

Configuration for Road Warriors

The web-based administration tool does not support Road Warrior connections or interoperability with other IPsec servers. The software is capable of these configurations (including X.509 solutions), however, you must manually configure these connection types. Configuration can be a non-trivial task, so please read the [site] for more information.

For road warriors/telecommuters, we strongly suggest using the 128-bit encrypted PPTP server. This option is not only more cost effective, but also easy to configure. See PPTP Server for installation and configuration instructions.

Configuring Windows Network Neighborhood - WINS

Do you want to be able to browse Windows Network Neighborhood across your VPN connection? You must configure and use a WINS server. Fortunately, CommGate has all the pieces of the puzzle in place. Please view the additional documentation here.

Image:vpn-ss_ipsec_nethood.png

Interoperability

The IPsec protocol is an industry standard, but one with many loose ends. This means that other IPsec servers - though standards compliant - may not be able to connect to a CommGate IPsec server. If you are familiar with the command line environment, you may be able to successfully connect a CommGate system to a third party system. You can find more information in the OpenSwan Interoperability Documentation. Technical support is not provided for IPsec interoperability.

Troubleshooting

  • Make sure your firewall allows incoming connections for IPsec traffic
  • The IPsec protocol does not pass through NAT-based routers. In other words, if your external IP address is 192.168.x.x or 10.x.x.x, then your system is behind a NAT-based router.
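An added pre-flight check (example code, not part of CommGate) for the information gathered under Gather Network Information: it rejects overlapping LANs, flags an RFC 1918 gateway address as the NAT symptom described in the troubleshooting list above, and confirms that the Headquarters/Satellite values entered on the two gateways are identical rather than swapped. The addresses are constructed RFC 5737 documentation values.

```python
import ipaddress

# Constructed example values (RFC 5737 documentation addresses), not a real
# deployment. Each side needs the three items the page says to gather.
HEADQUARTERS = {"ip": "198.51.100.10", "next_hop": "198.51.100.1", "network": "192.168.10.0/24"}
SATELLITE = {"ip": "203.0.113.20", "next_hop": "203.0.113.1", "network": "192.168.20.0/24"}

# The address blocks the troubleshooting note names as a sign of a NAT router.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_lan_to_lan(hq, sat):
    """Return a list of problems in the gathered network information; an empty
    list means the values are safe to type into the Unmanaged VPN screens."""
    problems = []
    try:
        # strict=True rejects a LAN written with host bits set, e.g. 192.168.20.5/24.
        hq_net = ipaddress.ip_network(hq["network"], strict=True)
        sat_net = ipaddress.ip_network(sat["network"], strict=True)
    except ValueError as err:
        return [f"bad network specification: {err}"]

    # Warning from the page: the two LAN networks must not overlap.
    if hq_net.overlaps(sat_net):
        problems.append(f"LAN networks overlap: {hq_net} and {sat_net}")

    for name, side in (("headquarters", hq), ("satellite", sat)):
        ext = ipaddress.ip_address(side["ip"])
        hop = ipaddress.ip_address(side["next_hop"])
        if any(ext in net for net in RFC1918):
            problems.append(f"{name} IP {ext} is RFC 1918: gateway is behind NAT")
        # The gateway's own IP and its next hop are WAN-side; neither may be inside a LAN.
        for net in (hq_net, sat_net):
            for label, addr in (("IP", ext), ("next hop", hop)):
                if addr in net:
                    problems.append(f"{name} {label} {addr} lies inside LAN {net}")
    return problems

def same_on_both_ends(entered_on_hq, entered_on_sat):
    """The Headquarters and Satellite fields must be entered identically on both
    gateways; swapping them on the second gateway is the mistake the page warns about."""
    return entered_on_hq == entered_on_sat
```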



OpenVPN



Overview

VPN Server - OpenVPN Information
  Description:        Virtual Private Network OpenVPN server.
  Package Name:       cc-openvpn
  Configuration Page: Network > VPN > OpenVPN

The OpenVPN server is a secure and cost-effective way to provide road warrior VPN connectivity. The OpenVPN client is available at no cost. Unlike the PPTP VPN server, OpenVPN is more robust at getting through other firewalls and gateways.

Installation

If you did not select this module to be included during the installation process, you must first install the module.

Configuration



Configuring the Server



Organization Information

Before you can configure OpenVPN, you will be directed to the Organization configuration page in the web-based administration tool. The information provided on this page does four important things:

  • Initializes LDAP
  • Creates the required certificate authority
  • Creates the required server certificate
  • Creates the default data (e.g. city, country, company, etc.) when adding new users

We certainly do not track this information, but you will see these details in security certificates (for example, the one used for HTTPS connections to the web-based administration). If you allow remote access to the web-based administration tool (or webmail), you should know that this information is publicly available. Feel free to create fake details about your organization, but something must be provided.

Domain

The default domain used by the OpenVPN client.

WINS Server

The Microsoft Networking WINS server used by the OpenVPN client. Depending on your network configuration, you may need to specify the WINS settings in the VPN client configuration.

DNS Server

The DNS server used by the OpenVPN client.

Manage User Accounts

Users must be configured with OpenVPN access. To manage users, go to the Users page in the web-based configuration tool. When a user is created, the certificate/key pair required by the OpenVPN system is created as well.

Configuring the Client

To configure the Windows OpenVPN client:

  • Download and install the client software (download).
  • Log in to the web-based administration tool as the OpenVPN user (not the root/administrator account!)
  • Go to the Account Manager > Security and Keys page in the web-based administration tool. You will need to download the certificate, certificate authority, key and the OpenVPN configuration file into the "configuration" directory on your Windows system.