
Global Technology Associates, Inc.

REMOTE ACCESS PPTP & L2TP

5/14/2014 1

Course 4003 & 4004


Remote Access PPTP & L2TP Features


! Clients: Android, iPad/iPhone, Mac, Windows, Linux – [PPTP]

! Provides seamless integration with GTA Firewalls.

! Granular network access and authorization based on groups and policies.

! Authentication: Radius, or users defined on the firewall


PPTP & L2TP Requirements

! GB-OS 5.4.0 or above. Upgrade if not on the current release; there have been many updates and security patches since the initial release.

! Supported OS/client

! IPv4

! IPv6 is not supported for PPTP.


PPTP (Course #4004)


What is PPTP

PPTP, or Point-to-Point Tunneling Protocol, is a method to establish a VPN between a host and a VPN device. It uses a control channel over TCP port 1723 and tunnels data over GRE (Generic Routing Encapsulation, IP protocol 47).


Configuration

! Configure Service - [Configure -> VPN -> Remote Access -> PPTP]

! Create or edit Groups allowing PPTP Access - [Configure -> Accounts -> Groups]

! Create Security Policies: PPTP Policies - [Configure -> Security Policies -> Policy Editor -> VPN -> PPTP]

! Create Users or configure Radius - [Configure -> Accounts -> Users], [Configure -> Accounts -> Authentication]


PPTP Service Configuration

! Local Network – This is used to set up PPTP Security Policies. It is not the same as the Local Network for IPSec tunnels, Mobile IPSec clients or the SSL client. When the VPN is established, it is a point-to-point tunnel between the host and the firewall. The host can (if policies allow) connect to all networks defined in the PPTP Security Policies.

! Pool Network

! Name Server IP Address

! WINS Server IP Address

! Authentication: Radius


PPTP Advanced

! Automatic Policies – Sets policies to allow TCP 1723 and GRE

! Encryption – None, 40, 56, 128, and All

! MTU – Sets the MTU for the service

! Time Out – Closes the VPN if no activity is detected

! Debug – Advanced debugging for connection issues: Chat, LCP Phase


PPTP Security Policies

! PPTP Policies control inbound and outbound access for PPTP clients.

! Misconfigured policies can allow too much access.


Groups & Users

! Create a group that has PPTP access

! Create users in the PPTP group

Configuring Windows Client

1. Open the Windows Control Panel.
2. Go to Network and Internet > Network and Sharing Center.
3. Click Set up a new connection or network.
4. Select Connect to a workplace and click Next.
5. Click Use my Internet connection (VPN).
6. Enter the IP address or resolvable hostname of the firewall in the Internet Address field, and a description for the VPN connection.


7. Check Don’t connect now; just set it up so I can connect later.


8. Enter the PPTP username and password for the VPN.
9. Click Create.


10. Navigate to Control Panel > Network and Internet > Network Connections.
11. Right-click on the connection and select Properties. Click on the Security tab. Set the Type of VPN to PPTP.


Connecting with Windows Client


[Monitor -> Activity -> Accounts -> Authenticated]


[Monitor -> Activity -> Network -> Connections]


Route Table PPTP


System Overview

! The Overview page displays the licenses used and available.


No Free Licenses

Oct 7 16:12:26 pri=6 msg="PPTPServer: Unable to acquire license, access for 'David Brooks' denied" type=mgmt


L2TP over IPSec Course #4003


Configuration

! Configure Service - [Configure -> VPN -> Remote Access -> L2TP]

! Configure (Optional) - IPSec Object

! Start IPSec Service - [Configure -> VPN -> Remote Access -> IPSec]

! Create or edit Groups allowing L2TP Access - [Configure -> Accounts -> Groups]

! Create Security Policies:
IPSec L2TP Policy - [Configure -> Security Policies -> Policy Editor -> VPN -> IPSec]
L2TP Policies - [Configure -> Security Policies -> Policy Editor -> VPN -> L2TP]

! Create Users or configure Radius - [Configure -> Accounts -> Users], [Configure -> Accounts -> Authentication]


L2TP Service

! Interface

! Local Network – used in defining the local network allowed.

! Pool Network

! Name Server IP Address

! WINS Server IP Address

! Authentication: Pre-Shared Secret, Radius


L2TP Advanced

! Automatic Policies

! MTU

! Time Out

! Debug: Chat, LCP Phase


Custom Objects

! [Configure -> Objects -> Encryption Objects]

! [Configure -> Objects -> IPSec Objects]


Configuring IPSec Service

! Authentication – Local Identity or Certificate

! Method – Pre-Shared Secret

! Enable Service

! IPSec Object – Select the Custom Object

IPSec Policy - [Configure -> Security Policies -> Policy Editor -> VPN -> IPSec]

! The policy allows the L2TP connection over IPSec.


L2TP Policies - [Configure -> Security Policies -> Policy Editor -> VPN -> L2TP]

! L2TP policies control access through the VPN based on source, destination and protocol.

Configuring Windows Client

1. Open the Windows Control Panel.
2. Go to Network and Internet > Network and Sharing Center.
3. Click Set up a new connection or network.
4. Select Connect to a workplace and click Next.
5. Click Use my Internet connection (VPN).
6. Enter the IP address or resolvable hostname of the firewall in the Internet Address field, and a description for the VPN connection.


7. Check Don’t connect now; just set it up so I can connect later.


8. Enter the L2TP username and password for L2TP.
9. Click Create.


10. Navigate to Control Panel > Network and Internet > Network Connections.
11. Right-click on the connection and select Properties. Click on the Security tab.
12. Set the Pre-Shared Key configured in the firewall interface at Configure > VPN > Remote Access > L2TP.
13. Click OK.


Connecting with Windows Client


Monitoring & Logging

Oct 31 14:25:42 pri=6 msg="L2TPServer: L2TP client assigned '192.168.74.2', user 'PPTP User' " type=mgmt
Oct 31 14:25:40 pri=5 msg="IKE: IPsec-SA established" type=vpn src=199.120.225.20 srcport=4500 dst=199.120.225.80 dstport=4500
Oct 31 14:28:53 pri=4 pol_type=L2TP pol_action=block count=4 msg="Block L2TP" duration=15 rule=1 proto=icmpV4 src=192.168.74.2 srcport=8 dst=192.168.181.1 dstport=8 interface="LT2P" attribute="alarm,report"
Oct 31 14:29:02 pri=5 msg="Close outbound, L2TP" proto=icmpV4 src=192.168.74.2 srcport=8 user="PPTP User" nat=192.168.181.254 natport=8 dst=192.168.181.1 dstport=8 rule=4 duration=33 sent=118 rcvd=120 pkts_sent=2 pkts_rcvd=2


Troubleshooting

No IPSec policy to allow L2TP:
Oct 31 14:53:32 pri=4 pol_type=IPSEC pol_action=block count=5 msg="Block IPSEC" duration=4 proto=1701/udp src=199.120.225.20 srcport=1701 dst=199.120.225.80 dstport=1701 interface="EXTERNAL-eth4" attribute=alarm

Incorrect PPTP login:
Oct 31 15:06:29 pri=6 msg="L2TPServer: [LL2TP-1] CHAP: Reply message: E=691 R=0 M=Login incorrect" type=mgmt

iPhone/iPad/Mac connects but does not pass traffic: check that the host/device is configured to send all traffic through the VPN.

Check that the pre-shared key matches in [Configure -> VPN -> Remote Access -> L2TP] and that the IPSec tunnel in [Configure -> VPN -> Remote Access -> IPSec] has Pre-Shared enabled.
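To make the log lines on the monitoring and troubleshooting slides easier to review in bulk, here is an added Python example (not part of the GTA course material) that parses the firewall's key=value log format and classifies the conditions the slides describe. The sample lines are the ones shown on the slides; the category names and function names are the example's own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Log lines taken from the License, Monitoring and Troubleshooting slides above.
SAMPLE_LOGS = [
    "Oct 7 16:12:26 pri=6 msg=\"PPTPServer: Unable to acquire license, access for 'David Brooks' denied\" type=mgmt",
    'Oct 31 14:25:40 pri=5 msg="IKE: IPsec-SA established" type=vpn src=199.120.225.20 srcport=4500 dst=199.120.225.80 dstport=4500',
    'Oct 31 14:53:32 pri=4 pol_type=IPSEC pol_action=block count=5 msg="Block IPSEC" duration=4 proto=1701/udp src=199.120.225.20 srcport=1701 dst=199.120.225.80 dstport=1701 interface="EXTERNAL-eth4" attribute=alarm',
    'Oct 31 15:06:29 pri=6 msg="L2TPServer: [LL2TP-1] CHAP: Reply message: E=691 R=0 M=Login incorrect" type=mgmt',
]

# key=value pairs: a value is either double-quoted (may contain spaces and '=') or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TS_RE = re.compile(r'^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(.*)$')

def parse_line(line: str) -> Dict[str, str]:
    """Split one GTA log line into a dict; the syslog timestamp is stored under 'ts'."""
    m = TS_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised log line: " + line)
    fields = {"ts": m.group(1)}
    for key, quoted, bare in KV_RE.findall(m.group(2)):
        fields[key] = bare if bare else quoted
    return fields

def classify(fields: Dict[str, str]) -> str:
    """Map a parsed line to one of the remote-access conditions the slides describe (names are ours)."""
    msg = fields.get("msg", "")
    if msg.startswith("PPTPServer: Unable to acquire license"):
        return "license_exhausted"            # System Overview will show no free licenses
    if "CHAP: Reply message: E=691" in msg:
        return "login_incorrect"              # wrong username/password for the L2TP/PPTP account
    if msg == "IKE: IPsec-SA established":
        return "ipsec_sa_established"         # phase 2 is up; the L2TP session can start
    if fields.get("pol_action") == "block":
        if fields.get("pol_type") == "IPSEC" and fields.get("proto") == "1701/udp":
            return "l2tp_blocked_no_ipsec_policy"  # missing VPN -> IPSec policy for L2TP
        return "policy_block"
    return "other"

def denied_user(fields: Dict[str, str]) -> Optional[str]:
    """Username from a license-denied message, or None for any other line."""
    m = re.search(r"access for '([^']+)' denied", fields.get("msg", ""))
    return m.group(1) if m else None

def summarize(lines: List[str]) -> Dict[str, int]:
    """Count classified events so a quick review shows what failed and why."""
    return dict(Counter(classify(parse_line(line)) for line in lines))
```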


Recommended Encryption Object configuration to support the maximum number of different mobile devices

          Encryption  Hash  Key group                           Lifetime (seconds)
Phase 1   3DES        SHA1  Diffie-Hellman group 2 (1024 bits)  28,800
Phase 2   AES128      SHA1  None (no PFS)                       28,800


Problem – When PPTP/L2TP is established, the client cannot access the Internet

! Add a Security Policy to allow client Internet access


! Or configure the client not to use the default gateway on the remote network.

! Assign clients from the range of the local network on the firewall.


References

! GTA Documentation - http://www.gta.com/support/documents/

! Android - http://www.gta.com/downloads/external/60/General/PPTP_Android.pdf

! Apple iPad - http://www.gta.com/downloads/external/60/General/L2TP_iPad.pdf

! Apple iPhone - http://www.gta.com/downloads/external/60/General/PPTP_iPhone.pdf

! Mac - http://www.gta.com/downloads/external/60/General/PPTP_Mac.pdf

! Linux - http://www.gta.com/downloads/external/60/General/PPTP_Ubuntu.pdf

! Win7 - http://www.gta.com/downloads/external/60/General/PPTP_Windows7.pdf


If you require additional assistance or have additional questions please contact GTA Technical Support.

Email: support@gta.com
Phone: 1.407.482.6925
Skype: gta_support
Free User Support – http://forum.gta.com
