9/5/2014 Universal Network Solutions Inc.
http://www.unsinc.com/blog/shrewvpn.php 1/15
McAfee Firewall Enterprise [Sidewinder] Blog
In this edition:
Building an IPSEC VPN tunnel between MFE and Shrewsoft Remote IPSEC client.

Hello, in this edition we will build an IPSEC VPN tunnel between an MFE (McAfee Firewall Enterprise, formerly Sidewinder) and the Shrewsoft IPSEC VPN client for Windows 7 64-bit, version 2.1.7.
For testing, I have a McAfee Firewall Enterprise version 8.0.1p01 and the Shrewsoft 2.1.7 IPSEC VPN client. The MFE's external IP address is 11.1.1.57, its internal network is 10.1.1.0/24, and the remote PC's address is 111.1.1.2 for testing purposes. It can be any IP in a different network as well.
The goal here is to have a PC on the internet establish an IPSEC VPN connection to the MFE for greater security.

MFE Policy Configuration
First, we will need a rule for the ISAKMP server communication on the MFE. This must be placed above the DENY ALL rule.

Next, we will configure the ISAKMP server and enable XAUTH. Remote users attempting to create an IPSEC tunnel to the MFE will receive an authentication challenge. For testing purposes, I am using the local user database on the MFE. In the real world you could set this up to use an off-box authentication server such as RADIUS, AD, or LDAP.
MFE Certificate Configuration
We will create a new remote certificate. Step 1 is to create it under the "Remote Certificates" tab.


Once we have created it, we will need to perform two exports that will be imported into the Shrewsoft IPSEC VPN client later.
The first export is: Export Certificate (Typical).
Make sure that you select X.509 (PEM) as the file type.

We will then export the private key. This key will be password-protected to add another layer of security to the VPN. For testing purposes, I have set my password to: password
In the real world, you would want to use a more complex password.

Next, we will export our MFE firewall cert. I am using the default for testing purposes. In the real world you would want to create a new one with your particular parameters.

We will export the firewall cert using: Export Certificate (Typical).

You will then take these 3 files and copy them to the PC that will be running the Shrewsoft IPSEC VPN client.
MFE VPN Configuration
First, we will create a "client address pool".

I have configured a virtual subnet using the "200.1.1.0/24 Network" and defined the local network that remote users will have access to, which is my internal network 10.1.1.0/24.

We will now configure the MFE VPN.






Shrewsoft IPSEC Client Configuration
If you do not have a copy of the software, you may download it from www.shrewsoft.com. This is 3rd-party freeware. Check www.shrewsoft.com for answers to any technical questions you may have about their software. There are many other IPSEC clients (such as the SoftPK client from SafeNet) that will work with MFE as long as they are IPSEC compliant.

Again, I created this using version 2.1.7. I have seen issues with older versions. Make sure that you download the appropriate version for your environment (Vista, 7, XP, 32-bit, 64-bit).

Before I begin the configuration, from the test PC I will run a constant "ping test" to 10.1.1.1. It will fail because my VPN is not set up yet.

After installing the software, we will ADD a new connection.

Here are the configuration steps that I used.


10.1.1.1 is the IP address of my internal DNS server behind the MFE for testing purposes; I hard-coded it instead of using "Obtain Automatically".



Here, we will specify the path to the three certificate files that we copied over to our PC. The client will look for this path each time, so do not move the files once you have copied them over or your VPN will not work.




Once the configuration is done, I will click "Connect" to establish the VPN session.

I am now being prompted to authenticate by the ISAKMP server on the MFE. The username and password are for an account that I have on my MFE called "fosgood".
For testing, you can use the firewall account or create a regular USER account under: Policy / Rule Elements / Authentication.

I will receive a 2nd authentication prompt. This time, it is for the private key password that we created earlier. This password is: password
If all is configured correctly, you will see the following message:

My ping is now working!

An nslookup shows that I am using the internal DNS server of the MFE firewall.

We can also check the status on the Shrew client.

On the MFE, if I run `tcpdump -npi em0` I can see the ESP connection between the MFE and the PC.
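As an added check (this is example code, not part of the original post or of any McAfee or Shrewsoft tool), the script below parses constructed tcpdump lines in the shape that `tcpdump -npi em0` prints, counts the ISAKMP exchange, tallies ESP packets per SPI in each direction, and flags any packet from the remote PC that reaches the internal network in the clear on the external interface. The addresses are the ones used in this post; the capture lines and SPIs are made up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what "tcpdump -npi em0" might print on the MFE while the
# Shrewsoft client connects; addresses follow the blog (MFE external 11.1.1.57,
# remote PC 111.1.1.2, internal network 10.1.1.0/24). This is not a real capture.
SAMPLE_CAPTURE = """\
10:01:02.000100 IP 111.1.1.2.500 > 11.1.1.57.500: isakmp: phase 1 I agg
10:01:02.000900 IP 11.1.1.57.500 > 111.1.1.2.500: isakmp: phase 1 R agg
10:01:04.000000 IP 111.1.1.2 > 11.1.1.57: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
10:01:04.000500 IP 11.1.1.57 > 111.1.1.2: ESP(spi=0x4e5f6071,seq=0x1), length 116
10:01:05.000000 IP 111.1.1.2 > 11.1.1.57: ESP(spi=0x0a1b2c3d,seq=0x2), length 116
10:01:06.000000 IP 111.1.1.2 > 10.1.1.1: ICMP echo request, id 1, seq 7, length 64
"""
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")  # timestamp IP src > dst: rest

def _split_host(token):
    """'11.1.1.57.500' -> ('11.1.1.57', 500); '11.1.1.57' -> ('11.1.1.57', None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None

def analyze_capture(text, mfe_external, remote_pc, internal_net):
    """Count ISAKMP packets, tally ESP packets per (src, dst, SPI), and list packets
    from the remote PC to the internal net seen in the clear. Raw ESP only (no NAT-T)."""
    net = ipaddress.ip_network(internal_net)
    isakmp = 0
    esp = defaultdict(int)
    cleartext = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = _split_host(m.group(1))
        dst, dport = _split_host(m.group(2))
        payload = m.group(3)
        if payload.startswith("isakmp:") and 500 in (sport, dport):
            isakmp += 1
        elif payload.startswith("ESP("):
            spi = re.search(r"spi=0x([0-9a-f]+)", payload).group(1)
            esp[(src, dst, spi)] += 1
        elif src == remote_pc and ipaddress.ip_address(dst) in net:
            cleartext.append(line)
    # The tunnel is up only when ESP flows in both directions between PC and MFE.
    tunnel_up = (any(s == remote_pc and d == mfe_external for s, d, _ in esp)
                 and any(s == mfe_external and d == remote_pc for s, d, _ in esp))
    return {"isakmp_packets": isakmp, "esp_sas": dict(esp),
            "tunnel_up": tunnel_up, "cleartext": cleartext}
```

The one cleartext hit in the sample is the kind of packet you would see from the failing ping test before the tunnel is up; once the client is connected, the inner ICMP should only appear inside ESP.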

We can also check the status on the MFE VPN.

There are many other advanced configurations we could apply to add further layers of security to this VPN; those are some of the topics we cover in the advanced MFE firewall certification course.
Feel free to send me any questions or comments.
Thanks,
- Frank Osgood.
If you have questions or recommendations for the blog, please send me an email: [email protected].
Thanks.
The technical opinions expressed here are solely those of Frank Osgood.