User Manual

Table of Contents

Table of Contents .... 5

Preface: About this Guide .... 7
    Who should read this guide? .... 7
    How this guide is organized .... 8
    Finding information .... 8
    Viewing and printing this document online .... 9
    Where to find additional information .... 9

Chapter 1: Getting Started .... 11
    About this chapter .... 11
    About Soft-PK & Sidewinder VPNs .... 12
        Figure 1-1. Sidewinder VPN connection providing secure data transmission between a remote system ... .... 12
    Requirements .... 13
        Sidewinder and other network requirements .... 13
            Table 1-1. Network requirements for using Soft-PK with Sidewinder .... 13
        Soft-PK requirements .... 14
            Table 1-2. System requirements for running Soft-PK .... 14
    Roadmap to deploying your VPNs .... 15
        Figure 1-2. VPN deployment overview .... 16
        Soft-PK deployment checklist .... 17

Chapter 2: Planning Your VPN Configuration .... 21
    About this chapter .... 21
    Identifying basic VPN connection needs .... 22
        Figure 2-1. Identify remote users and the target internal systems in a sample diagram .... 22
    Identifying authentication requirements .... 23
        Using digital certificate authentication .... 23
            Table 2-1. Sidewinder self-signed certificates versus CA-based certificates .... 24
            A closer look at self-signed certificates .... 24
                Figure 2-2. Sidewinder self-signed certificate summary .... 24
            A closer look at CA-based certificates .... 25
                Figure 2-3. CA-based digital certificate summary .... 25
        Understanding pre-shared key authentication .... 25
        Extended authentication .... 26
    Determining where you will terminate your VPNs .... 27
        Figure 2-4. VPN tunnel terminating on trusted burb .... 27
        Figure 2-5. VPN tunnel terminating on a virtual burb .... 27
        More about virtual burbs and VPNs .... 28
        Defining a virtual burb .... 28
            1. Select Firewall Administration -> Burb Configuration. .... 28
            2. Click New and create the new virtual burb. .... 28
            3. Click Apply. .... 28
            4. Assign DNS to listen for the virtual burb. Enter the following command: .... 28
            5. Verify that DNS is listening on the virtual burb by typing the following command: .... 28
    Understanding Sidewinder client address pools .... 29
        Figure 2-6. VPN association implemented using client address pool .... 29

Chapter 3: Configuring Sidewinder for Soft-PK Clients .... 31
    About this chapter .... 31
    Enabling the VPN servers .... 32
        1. Enable the cmd, egd, and isakmp servers. .... 32
            a. Select Services Configuration -> Servers -> Control. .... 32
                Figure 3-1. Services Configuration -> Servers -> Control .... 32
            b. To enable a server, select it from the Server Name list and click Enable. .... 32
            c. Click Apply. .... 32
        2. Configure the ISAKMP server. .... 32
            a. Select VPN Configuration -> ISAKMP Server. .... 32
                Figure 3-2. VPN Configuration -> ISAKMP Server .... 32
            b. In the Burbs to Listen on list column, click the burb name associated with the Internet burb. .... 32
            c. In the Available Authentication Method fields, specify the method(s) to use for Extended Authe... .... 32
            d. Click Apply. .... 32
    Configuring ACL & proxies entries for VPN connections .... 33
        1. Define (or ensure you have) an ACL entry that allows external-to-external ISAKMP traffic. Sel... .... 33
        2. [Configuration dependent] Define (or ensure you have) ACL entries that allow access to and fro... .... 33
        3. [Configuration dependent] Enable the desired proxies in the appropriate virtual burb(s). Selec... .... 33
    Managing Sidewinder self-signed certs .... 34
        Creating & exporting a firewall certificate .... 34
            1. Select Services Configuration -> Certificate Management. .... 34
            2. Select the Firewall Certificates tab. Click New. .... 34
                Figure 3-3. Sidewinder Certificate Management: Create New Firewall Certificate window .... 34
            3. Specify the following Firewall Certificate settings. .... 35
            4. Click Add to add the certificate to the Certificates list. .... 35
            5. Click Close to return to the Firewall Certificate window. .... 35
            Export the firewall certificate (for later transfer to each client system) .... 35
            6. Click Export and save the firewall certificate (containing the public key) to a file. Add a .p... .... 35
            7. Click OK when done. .... 35
        Creating & exporting remote certificate(s) .... 36
            1. Select Services Configuration -> Certificate Management. .... 36
            2. Select the Remote Certificates tab. Click New. .... 36
                Figure 3-4. Sidewinder Certificate Management: Create New Remote (Client) certificate window .... 36
            3. Specify the following Remote Certificate settings. .... 37
            4. Click Add to add the certificate to the Certificates list. .... 37
            5. Click Close to return to the previous window. .... 38
            Converting the certificate file/private key file pair to pkcs12 format .... 38
            6. To start the PKCS12 utility on the Sidewinder, from the command line, enter the following comm... .... 38
            7. Type the full path name of the private key file. .... 38
            8. Type the full path name of the associated certificate file. .... 38
            9. Type the full path name of the object file that will be created by the utility. Be sure to use... .... 38
            10. Type a password for this PKCS12 object. .... 38
            11. Return to Step 1 for each remote client. .... 38
            Copy the client key/certificate object to a diskette .... 38
    Managing CA-based certificates .... 39
        Defining a CA to use and obtaining the CA root cert .... 39
            1. Select Services Configuration -> Certificate Management and click the Certificates Authorities... .... 39
                Figure 3-5. Create New Certificate Authority window .... 39
            2. In the New Certificate Authority window, specify the name, type, and location of the CA. .... 39
            3. Click Add, then click Close. .... 39
            4. Click Get CA Cert to request the CA certificate and import it to the firewall. .... 39
            5. Click Get CRL to manually retrieve a new Certificate Revocation List (CRL) from the CA. .... 39
            6. Click Export to save the CA certificate to a file for later importation into client system(s).... .... 40
        Requesting a certificate for the firewall .... 40
            1. Select Services Configuration -> Certificate Management and click the Firewall Certificates ta... .... 40
                Figure 3-6. Create New Firewall Certificates window .... 40
            2. Specify the firewall certificate information. .... 41
            3. Click Add to send the enrollment request. .... 41
            4. On the Firewall Certificates tab, click Query to request the CA for a signed copy of the certi... .... 41
            5. Record all firewall certificate information specified in Step 2. This information must be ente... .... 41
        Determining identifying information for client certificates .... 42
            Table 3-1. Client Distinguished Name (DN) information .... 42
        Defining remote client identities in Sidewinder .... 43
            1. Select Services Configuration -> Certificate Management and click the Certificate Identities t... .... 43
                Figure 3-7. Certificate Identities defined on the firewall .... 43
            2. Specify an identity name and the Distinguished Name fields. .... 43
            3. Click Add. .... 43
    Managing pre-shared keys (passwords) .... 44
    Configuring the VPN on the Sidewinder .... 45
        1. Select VPN Configuration -> Security Associations. Click New. .... 45
            Figure 3-8. Sidewinder Security Associations window (defined VPNs) .... 45
        2. Select the General tab and specify the following primary VPN settings. .... 45
        3. Select the Authentication tab. Choose the authentication method appropriate for your configura... .... 47
            Figure 3-9. Sidewinder Security Associations Properties, Authentication tab .... 47
            Figure 3-10. "Single Certificate" options .... 47
            Table 3-2. Single Certificate (self-signed) options .... 47
            Figure 3-11. "Certificate & Certificate Authority" options .... 48
            Table 3-3. Certificate + Certificate Authority options .... 48
            Figure 3-12. "Password" options .... 49
            Table 3-4. Password options .... 49
        Save your settings! .... 49
        4. Click Add to save the settings. .... 49
        5. Click Close. .... 49

Chapter 4: Installing and Working with Soft-PK .... 51
    About this chapter .... 51
    Soft-PK installation notes .... 52
        Table 4-1. Soft-PK install/uninstall task summary .... 52
    Starting Soft-PK .... 53
        Figure 4-1. Soft-PK icon in the Windows taskbar .... 53
        Determining Soft-PK status from icon variations .... 53
            Table 4-2. Soft-PK taskbar icons .... 53
        Activating/Deactivating Soft-PK .... 54
            Figure 4-2. Soft-PK taskbar icon options .... 54
            Figure 4-3. Soft-PK Start menu options .... 54
    About the Soft-PK program options .... 55
    Managing certificates on Soft-PK .... 56
        Setting up Sidewinder self-signed certificates .... 56
            1. If not already done, create and export a firewall certificate. See "Creating & exporting a fir... .... 56
            2. If not already done for each end user, create and export a remote certificate and convert to P... .... 56
            3. Provide instructions for importing the self-signed firewall certificate. A copy of this proced... .... 56
            4. Provide instructions for importing the self-signed personal certificate. A copy of this proced... .... 56
        Setting up CA-based certificates .... 57
            1. If not already done, request and export the CA root certificate. See "Defining a CA to use and... .... 57
            2. If not already done for each end user, create and export a remote certificate. See "Requesting... .... 57
            3. Provide instructions for importing the CA root certificate. A copy of this procedure is provid... .... 57
            4. Provide instructions for importing the personal certificate. A copy of this procedure is provi... .... 57
        Requesting a personal certificate from a CA on user's behalf .... 58
            1. Select Start -> Programs -> SafeNet/Soft-PK -> Certificate Manager (or right click the SafeNet... .... 58
            2. Click the My Certificates tab. .... 58
            3. Click Request Certificate.... The Online Certificate Request dialog box appears. .... 58
            4. Select the Generate Exportable Key check box. .... 58
            5. Click Advanced to select a certificate service provider. .... 58
            6. Under Enrollment method, click Online. .... 58
            7. Under Subject Information, enter all relevant personal information, pressing the Tab key to mo... .... 58
            8. Under Online Request Information, enter or select these options: .... 58
                a. In the Challenge Phrase box, enter any combination of numbers or letters you choose. For secur... .... 58
                b. In the Confirm Challenge box, enter the same phrase from the last step. .... 58
                c. From the Issuing CA list, select a CA certificate. .... 58
            9. Click OK. Certificate Manager now generates a public/private key pair, and then displays the O... .... 58
            10. Optional: To view your request, click the Certificate Requests tab. Select the request and cl... .... 58
            11. Get your CA administrator to approve your request. .... 58
            12. Once your request is approved, select it under the Certificate Requests tab and click Retrieve. .... 58
            13. Click Yes when the Certificate Manager dialog box asks if you want to add this personal certi... .... 58
        Exporting a personal certificate .... 59
            14. In the My Certificates tab, select a personal certificate. .... 59
            15. Click Export. The Export Certificate and Private Key dialog box appears. .... 59
            16. In the Filename box, enter the drive, directory, and filename for the personal certificate fi... .... 59
            17. In the Password box, type any password you choose. .... 59
            18. In the Confirm Password box, retype the password. .... 59
        Importing certificates in Soft-PK .... 59
            Importing a CA root or self-signed firewall certificate into Soft-PK .... 59
                1. Select Start -> Programs -> SafeNet/Soft-PK -> Certificate Manager (or right click the SafeNet... .... 59
                2. Click the CA Certificates tab. .... 59
                3. Click Import Certificate.... The Import CA Certificate window appears. .... 59
                    Figure 4-4. Soft-PK Certificate Manager: CA Certificates tab, Import CA Certificate .... 60
                4. Insert the diskette containing the self-signed firewall or certificate file. .... 60
                5. From the Files of type: field, select All Files (*.*) and then navigate to display the files l... .... 60
                6. Select the appropriate certname.pem file and click Open. The following window appears promptin... .... 60
                    Figure 4-5. Verification window .... 60
                7. Click Yes. .... 60
                8. [Optional] From the CA Certificates tab, click View to see the information in the certificate. .... 60
                    Figure 4-6. Viewing the certificate .... 60
            Importing a personal certificate into Soft-PK .... 61
                1. Select Start -> Programs -> SafeNet/Soft-PK -> Certificate Manager (or right click the SafeNet... .... 61
                2. Click the My Certificates tab. .... 61
                3. Click Import Certificate.... .... 61
                    Figure 4-7. My Certificates tab: Import Certificate (and private Key) window .... 61
                4. Insert the diskette containing the remote key/certificate object file. .... 61
                5. From the Files of type: field, select All Files (*.*) and then navigate to display the files l... .... 61
                6. Select the appropriate filename.p12 file and click Open. The following window appears. .... 61
                    Figure 4-8. Import Certificate Password window .... 61
                7. Specify the password used when creating the p12 object (step 10 on page 3-8). You will not be ... .... 61
                8. Click Import. A prompt appears to confirm you want to import the selected Personal Certificate. .... 62
                    Figure 4-9. Verification window .... 62
                9. Click Yes. .... 62
                10. [Optional] From the My Certificates tab, click View to see the information in the certificate. .... 62
                    Figure 4-10. Viewing the certificate .... 62
    Configuring a security policy on the Soft-PK .... 63
        Basic connection options .... 63
        Setting up an Other Connections policy .... 63
            1. Select Start -> Programs -> SafeNet/Soft-PK -> Security Policy Editor (or right click the Safe... .... 63
            2. Select Options -> Secure Specified Connections. .... 63
            3. Click on Other Connections. This is the catchall rule for all IP communications that do not co... .... 63
            4. Start defining a new policy. Select Edit -> Add -> Connection to create a new policy. .... 64
                Figure 4-11. Soft-PK: Security Policy Editor .... 64
            5. Specify a descriptive name for the connection. (The name "SecureVPN" is used in this example.) .... 64
            6. Specify the connection type. In the Connection Security field, specify Secure. .... 64
            7. Specify the trusted network to which the client will be communicating. In the Remote Party Ide... .... 64
            8. Specify the Sidewinder connection information. .... 64
                a. Enable the Connect using Secure Gateway Tunnel box. .... 64
                b. Specify the interface information: .... 64
                    Figure 4-12. Soft-PK: Edit Distinguished Name window to specify Firewall public certificate .... 65
            9. Select Security Policy and select the Phase 1 Negotiation Mode. .... 65
                Figure 4-13. Soft-PK: Security Policy fields .... 65
            10. Specify how the user will be identified to the Sidewinder. Select My Identity. .... 65
                Figure 4-14. Soft-PK: My Identity fields .... 65
                a. Select the authentication method for this connection. .... 66
                b. In the Internet Interface selection drop-down box, specify which interface to use when creatin... .... 66
            11. Specify the Authentication settings. Select Authentication (Phase 1) -> Proposal 1. .... 66
                Figure 4-15. Soft-PK: Authentication (Phase 1) -> Proposal 1 fields .... 66
                a. In Authentication Method field, specify the method appropriate for your configuration. (For ex... .... 66
                b. In Encryption and Data Integrity/Algorithms fields: .... 66
                c. In Key Group field, select at least Group 2. Group 5 (highest). .... 66
            12. Specify the Key Exchange settings. Select Key Exchange (Phase 2) -> Proposal 1. .... 67
                Figure 4-16. Soft-PK: Key Exchange (Phase 2) -> Proposal 1 fields .... 67
            13. [Optional] Click Save to save the policy on this system. .... 67
            14. Select File -> Export. .... 67
                a. You will be prompted to protect your security policy. Your end users will then not be able to ... .... 67
                b. Specify the location of the exported file. .... 67
            15. Provide a copy of this file to the appropriate end users (see Chapter 5 for details). .... 67

Chapter 5: Deploying Soft-PK to Your End Users .... 69
    About this chapter .... 69
    Overview .... 70
        Figure 5-1. Sample userworksheet.doc file contained on Soft-PK product CD .... 70
        Table 5-1. Organize the files/software for each client (end user) .... 71
    Customizing the user worksheet .... 72
        Specifying dial-up network instructions .... 72
            Figure 5-2. Sample text for specifying dial-up networking setup .... 72
        Specifying installation instructions .... 72
            Figure 5-3. Sample text for specifying Soft-PK installation instructions .... 72
        Specifying certificate import/request instructions .... 73
            Figure 5-4. Sample text for specifying certificate instructions (if applicable) .... 73
        Specifying security policy instructions .... 74
            Figure 5-5. Sample text for importing the security policy .... 74
        Specifying basic connection information .... 74
            Figure 5-6. Sample text for starting the VPN .... 74

Appendix A: Troubleshooting .... 75
    About this appendix .... 75
    Soft-PK Log Viewer .... 75
        Figure A-1. Log Viewer window on Soft-PK .... 75
    Soft-PK Connection Monitor .... 76
        Figure A-2. Connection Monitor window .... 76
        More about the Connection Monitor .... 77
            To view the details .... 77
                Figure A-3. Connection Monitor window .... 77
    Sidewinder troubleshooting commands .... 78
        Table A-1. Basic Sidewinder VPN troubleshooting commands .... 78

Size: 1000 KB. Pages: 80. Language: English.