User / maintenance manual for the SafeNet product from the manufacturer Secure Computing
VPN Administration Guide, Revision A. SafeNet/Soft-PK Version 5.1.3 Build 4; Sidewinder Version 5.1.0.02.
Copyright Notice
This document and the software described in it are copyrighted. Under the copyright laws, neither this document nor this software may be copied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior written authorization of Secure Computing Corporation.
SECURE COMPUTING'S AND ITS LICENSORS' ENTIRE LIABILITY UNDER, FOR BREACH OF, OR ARISING OUT OF THIS AGREEMENT, IS LIMITED TO A REFUND OF THE PURCHASE PRICE OF THE PRODUCT OR SERVICE THAT GAVE RISE TO THE CLAIM. IN NO EVENT SHALL SECURE COMPUTING OR ITS LICENSORS BE LIABLE FOR YOUR COST OF PROCURING SUBSTITUTE GOODS.
Table of Contents
Preface: About this Guide . . . v
Who should read this guide? . . . v
How this guide is organized . . .
Defining remote client identities in Sidewinder . . . 3-13
Managing pre-shared keys (passwords) . . . 3-14
Configuring the VPN on the Sidewinder . . .
Preface: About this Guide
This guide provides the information needed to set up connections between remote systems running SafeNet/Soft-PK VPN client software and systems on a network protected by Secure Computing's Sidewinder firewall.
How this guide is organized
This guide contains the following chapters.
Finding information
This guide is in Acrobat (softcopy) format only and does not contain an index.
Where to find additional information
Viewing and printing this document online
When you view this document online in PDF format, you may find that the screen images are blurry.
To contact Secure Computing directly or inquire about obtaining a support contract, refer to our Web site at www.securecomputing.com and select "Contact Us".
Chapter 1: Getting Started
About this chapter
This chapter provides an overview of the Soft-PK and Sidewinder Virtual Private Network (VPN) environment and describes the requirements. It includes a checklist to guide you through the basic steps to set up and deploy a VPN.
About Soft-PK & Sidewinder VPNs
Soft-PK is security software for remote PC users.
Requirements
To configure VPN communication between Sidewinder and Soft-PK clients, your Sidewinder must be configured with the proper VPN parameter settings and access rules. In addition, depending on your VPN connection setup, you may also need to define the proper digital certificates.
Soft-PK requirements
Each system on which Soft-PK will be installed must meet the requirements listed in Table 1-2.
Roadmap to deploying your VPNs
Because Secure Computing products provide network security, we recommend that, as the network administrator, you carefully oversee the installation and configuration of the Soft-PK client(s).
Figure 1-2. VPN deployment overview (panels: admin tasks performed on the Sidewinder system; admin tasks performed using Soft-PK prior to deploying)
Soft-PK deployment checklist
The following checklist identifies each major step involved in the setup and deployment of your Soft-PK software (as shown in Figure 1-2).
❒ ISAKMP ACL entry: At a minimum, you must define and enable an ACL entry that allows ISAKMP traffic from the Internet to the Internet burb on Sidewinder (the external IP address of Sidewinder).
5 — Configure the VPN connections on the Sidewinder
❒ Use Cobra to define the VPN security association configuration. See "Configuring the VPN on the Sidewinder" on page 3-15 for details.
8 — Troubleshoot any connection problems
❒ Use the Soft-PK Log Viewer. See "Soft-PK Log Viewer" on page A-1.
❒ Use the Soft-PK Connection Monitor. See "Soft-PK Connection Monitor" on page A-2.
Chapter 2: Planning Your VPN Configuration
About this chapter
This chapter provides information to help you understand key concepts and options that are involved in a VPN connection.
Identifying basic VPN connection needs
Before you actually begin configuring your Sidewinder or working with Soft-PK, ensure you have an understanding of the basic profile for your VPN connections.
Identifying authentication requirements
Determine how you will identify and authenticate the partners in your VPN. Sidewinder and Soft-PK both support digital certificate and pre-shared key VPN configurations.
If not already done, decide whether you will use self-signed certificates generated by Sidewinder or a public/private CA server.
A closer look at CA-based certificates
A VPN implemented using CA-based certificates requires access to a private or public CA. Each end-point (client, firewall, etc.
Extended authentication
In addition to the normal authentication checks inherent during the negotiation p.
Determining where you will terminate your VPNs
You can configure a VPN security association on Sidewinder to terminate in any burb. For example, Figure 2-4 shows a VPN security association terminating in the trusted burb.
More about virtual burbs and VPNs
Consider a VPN association that is implemented without the use of a virtual burb. Not only will VPN traffic mix with non-VPN traffic, but there is no way to enforce a different set of rules for the VPN traffic.
Understanding Sidewinder client address pools
You may choose to implement your VPN using Sidewinder client address pools. Client address pools are reserved virtual IP addresses, recognized as internal addresses of the trusted network.
(Figure labels: Address of the firewall; Protected networks)
The client does not need to define a virtual IP address for use in the VPN connection, nor do they need to concern themselves with DNS issues on the trusted network.
Chapter 3: Configuring Sidewinder for Soft-PK Clients
About this chapter
This chapter provides a summary of Sidewinder procedures associated with setting up and configuring Soft-PK connections in your network.
Enabling the VPN servers
Before you configure a VPN association on your Sidewinder, you must first enable the Sidewinder's EGD and CMD servers. In addition, you must enable the ISAKMP server and set it to listen on the Internet burb.
Configuring ACL & proxy entries for VPN connections
Depending on where you decide to.
Managing Sidewinder self-signed certs
If you are using Sidewinder to generate certificates, use the following procedure to create and export self-signed certificates that identify the firewall and each remote client.
3. Specify the following Firewall Certificate settings.
4. Click Add to add the certificate to the Certificates list.
5. Click Close to return to the Firewall Certificate window.
Creating & exporting remote certificate(s)
Use the following procedure on Sidewinder to create a self-signed certificate file (with its embedded public key) and a private key file for each of your Soft-PK clients.
3. Specify the following Remote Certificate settings.
Field: Certificate Name. Setting: Specify a name for the remote certificate.
4. Click Add to add the certificate to the Certificates list.
5. Click Close to return to the previous window.
Converting the certificate file/private key file pair to PKCS#12 format
Managing CA-based certificates
If you are using a CA to authorize certificates, use the following procedures to de.
6. Click Export to save the CA certificate to a file for later importation into client system(s). Each user must then use Soft-PK to import the CA certificate you obtained for them.
2. Specify the firewall certificate information.
3. Click Add to send the enrollment request.
IMPORTANT: After you send the enrollment request, the CA administrator must issue the certificate before you can continue.
Determining identifying information for client certificates
Define the identifying information that will be used for each remote client certificate.
Defining remote client identities in Sidewinder
When using CA-based certificates, you must define an identity "template" in Sidewinder that matches all possible client identities used by the remote entities in your VPN.
Managing pre-shared keys (passwords)
When using pre-shared keys (passwords), you must define an identity "template" in Sidewinder that matches all possible client identities used by the remote entities in your VPN.
Configuring the VPN on the Sidewinder
Create a VPN security association for a Tunnel VPN using the newly created certificates. Do the following from the Sidewinder Cobra interface:
Local Network/IP: Specify the network names or IP addresses to use as the destination for the client(s) in the VPN. Click the New button to specify the IP Address / Hostname and Number of bits in Netmask.
3. Select the Authentication tab. Choose the authentication method appropriate for your configuration.
If you selected Certificate & Certificate Authority (Figure 3-11), specify the following CA certificate options.
Figure 3-11. "Certificate & Certificate Authority" options
Table 3-3.
If you selected Password (Figure 3-12), specify the following password options.
Figure 3-12. "Password" options
Table 3-4. Password options
Save your settings!
Chapter 4: Installing and Working with Soft-PK
About this chapter
This chapter includes Soft-PK installation notes. It also describes the basic Soft-PK procedures for managing certificates and creating a customized Soft-PK security policy for your remote clients.
Soft-PK installation notes
Note the following about installing, removing, or upgrading Soft-PK software. You can customize the UserWorksheet.doc file located on the product CD to specify detailed installation instructions to your end users.
Starting Soft-PK
Soft-PK starts automatically each time the computer on which it resides is started. It runs transparently at all times behind all other software applications, including the Windows login.
Activating/Deactivating Soft-PK
The Soft-PK user interface defines the security mode and the action Soft-PK takes when it detects packets of various protocols and various destinations.
About the Soft-PK program options
This section provides a brief description of the Soft-PK main program options. Use Soft-PK's comprehensive online help for detailed information.
Managing certificates on Soft-PK
If you are using digital certificate authentication in your VPN, you should provide your end users with the information and files needed to set up the necessary certificates on their Soft-PK client.
Setting up CA-based certificates
If you are using CA-based digital certificates, as administrator, do the following.
1. If not already done, request and export the CA root certificate.
Requesting a personal certificate from a CA on user's behalf
1. Select Start -> Programs -> SafeNet/Soft-PK -> Certificate Manager (or right-click the SafeNet icon and select Certificate Manager).
TIP: You should select the new certificate and click Verify to validate it.
Exporting a personal certificate
14. In the My Certificates tab, select a personal certificate.
Figure 4-4. Soft-PK Certificate Manager: CA Certificates tab, Import CA Certificate
4. Insert the diskette containing the self-signed firewall or certificate file.
Importing a personal certificate into Soft-PK
Use the following procedure to import a personal certificate into the Soft-PK system. This procedure is done at the client system and assumes Soft-PK is already installed.
Note: You must provide this password to the end user so they can later import this certificate file.
8. Click Import. A prompt appears to confirm you want to import the selected Personal Certificate.
Configuring a security policy on the Soft-PK
As an administrator, you can configure end user security policies on your Soft-PK system, save them to a diskette, and distribute them to your users.
4. Start defining a new policy. Select Edit -> Add -> Connection to create a new policy.
Figure 4-11. Soft-PK: Security Policy Editor
— Click the Edit Name button; in the window that appears (Figure 4-12), enter the Distinguished Name information. Input all fields from the Firewall Certificate and click OK.
a. Select the authentication method for this connection. If using shared password: click Pre-Shared Key and enter the shared password.
12. Specify the Key Exchange settings. Select Key Exchange (Phase 2) -> Proposal 1.
Figure 4-16. Soft-PK: Key Exchange (Phase 2) -> Proposal 1 fields
SA Life: Select Unspecified to default to Sidewinder settings.
Chapter 5: Deploying Soft-PK to Your End Users
About this chapter
This chapter summarizes the final preparation steps for deploying the Soft-PK software, digital certificate files, and security policy to your end users.
Overview
You should deploy the Soft-PK installation program with a customized security policy and the necessary digital certificates. Custom installations are designed to make it easy to manage corporate security policies for tens, hundreds, or thousands of end users.
Prior to customizing the worksheet, take a few minutes to organize the files and information you need to deploy to your end users.
Customizing the user worksheet
This section provides summary information about each section in the default UserWorksheet.doc file.
Specifying dial-up network instructions
Figure 5-2 shows the text in the initial UserWorksheet.
Specifying certificate import/request instructions
Figure 5-4 shows the text in the initial UserWorksheet.doc file that pertains to digital certificates. The default text covers basic instructions for importing certificate files from a disk you provide.
Specifying security policy instructions
Figure 5-5 shows the text in the initial UserWorksheet.doc file that pertains to the Soft-PK security policy. The default text covers basic instructions for importing a security policy from a disk you provide.
Appendix A: Troubleshooting
About this appendix
This appendix provides a summary of troubleshooting techniques available for resolving Soft-PK and Sidewinder VPN connection problems.
The following summarizes the tasks you can perform.
Soft-PK Connection Monitor
The Connection Monitor displays statistical and diagnostic information for each active connection in the security policy.
You will see an icon to the left of the connection name: A key indicates that the connection has a Phase 2 IPSec SA, or both a Phase 1 and Phase 2 SA.
that the selected connection has established SAs. To view Authentication (Phase 1) security associations negotiated by IKE, click the Phase 1 tab. To view Key Exchange (Phase 2) security associations negotiated by IPSec, click the Phase 2 tab.
Part Number: 86-0935037-A
Software Version: Soft-PK 5.1.3 Build 4 and Sidewinder 5.1.0.02
Product names used within are trademarks of their respective owners.