
8/11/2019 Universal Network Solutions Inc

1/15

9/5/2014 Universal Network Solutions Inc.

http://www.unsinc.com/blog/shrewvpn.php 1/15


McAfee Firewall Enterprise [Sidewinder] Blog

In this edition: Building an IPSEC VPN tunnel between MFE and the Shrewsoft remote IPSEC client.

[Photo] At the RUSH concert in California, June 2011; pre-show with Alex Lifeson's guitar rig.


Hello, in this edition we will build an IPSEC VPN tunnel between an MFE (McAfee Firewall Enterprise, Sidewinder) and the Shrewsoft IPSEC VPN client for Windows 7 64-bit, version 2.1.7.

For testing, I have a McAfee Firewall Enterprise version 8.0.1p01 and the Shrewsoft 2.1.7 IPSEC VPN client. The MFE's external IP address is 11.1.1.57, its internal network is 10.1.1.0/24, and the remote PC's address is 111.1.1.2 for testing purposes. It can be any IP in a different network as well.

The goal here is to have a PC on the internet establish an IPSEC VPN connection to the MFE for greater security.


MFE Policy Configuration

First, we will need a rule for the ISAKMP server communication on the MFE. This must be placed above the DENY ALL rule.

Next, we will configure the ISAKMP server and enable XAUTH. Remote users attempting to create an IPSEC tunnel to the MFE will receive an authentication challenge. For testing purposes, I am using the local user database on the MFE. In the real world you could set this up to use an off-box authentication server such as RADIUS, AD, or LDAP.


MFE Certificate Configuration

We will create a new remote certificate. Step 1 is to create it under the "Remote Certificates" tab.


Once we have created it, we will need to perform two exports that will be imported into the Shrewsoft IPSEC VPN client later.

The first export is: Export Certificate (Typical).

Make sure that you select X.509(PEM) as the file type.

We will then export the private key. This key will be password-protected to add another layer of security to the VPN. For testing purposes, I have set my password to: password

In the real world, you would want to use a more complex password.


Next, we will export our MFE firewall cert. I am using the default for testing purposes. In the real world you would want to create a new one with your particular parameters.

We will export the firewall cert using: Export Certificate (Typical).

You will then take these three files and copy them to the PC that will be running the Shrewsoft IPSEC VPN client.
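Before copying the three exports to the client PC, it is worth confirming that each file is what the client expects: a PEM-framed X.509 certificate for the two certificate exports, and a private key that is actually password-protected rather than written out in the clear. The following Python script is an added example, not code from the original post or from McAfee or Shrewsoft. It checks the PEM framing, that the base64 body decodes to one well-formed DER structure, and that the key carries an encryption marker (the PKCS#8 "ENCRYPTED PRIVATE KEY" label or a legacy "Proc-Type: 4,ENCRYPTED" header). It does not verify signatures or that key and certificate match, and the sample PEM blocks it builds are constructed placeholders, not real credentials.

```python
"""
Sanity-check the three PEM files exported from the MFE before they go to the
Shrewsoft client: remote certificate, its private key, and the firewall cert.

Added example, not from the original post.  Checks PEM framing, DER shape and
the private-key encryption marker only; it does not validate signatures or
confirm that the key matches the certificate.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


@dataclass
class PemCheck:
    label: Optional[str] = None
    der_ok: bool = False
    encrypted: bool = False
    problems: List[str] = field(default_factory=list)


def _der_total_len(der: bytes) -> Optional[int]:
    """Length the outer DER SEQUENCE claims, or None if it is not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_pem(text: str, expect: str) -> PemCheck:
    """expect is 'cert' or 'key'.  Returns the findings for one exported file."""
    r = PemCheck()
    m = PEM_RE.search(text)
    if not m:
        r.problems.append("no PEM block found; re-export with file type X.509(PEM)")
        return r
    r.label = m.group("label")
    body = m.group("body").replace("\r\n", "\n")
    head = ""
    # Legacy OpenSSL-style encrypted keys put RFC 1421 headers before the base64.
    if body.lstrip().startswith("Proc-Type:"):
        head, _, body = body.partition("\n\n")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (ValueError, binascii.Error):
        der = b""
        r.problems.append("base64 body does not decode")
    r.der_ok = len(der) > 0 and _der_total_len(der) == len(der)
    if der and not r.der_ok:
        r.problems.append("decoded body is not a single DER SEQUENCE (truncated export?)")
    r.encrypted = r.label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in head
    expected = CERT_LABELS if expect == "cert" else KEY_LABELS
    if r.label not in expected:
        r.problems.append(f"expected a {expect} block, found '{r.label}'")
    if expect == "key" and not r.encrypted:
        r.problems.append("private key is not password-protected; re-export it with a password")
    return r


def check_export_set(remote_cert: str, remote_key: str, firewall_cert: str) -> Tuple[bool, Dict[str, PemCheck]]:
    """Check all three exports.  Returns (all_ok, per-file findings)."""
    results = {
        "remote_cert": inspect_pem(remote_cert, "cert"),
        "remote_key": inspect_pem(remote_key, "key"),
        "firewall_cert": inspect_pem(firewall_cert, "cert"),
    }
    return all(not r.problems for r in results.values()), results


# Constructed sample: SEQUENCE { INTEGER 1 } is well-formed DER but not a real cert or key.
_FAKE_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()


def make_sample_pem(label: str, legacy_encrypted: bool = False) -> str:
    """Build a placeholder PEM block (constructed, for demonstration only)."""
    head = ""
    if legacy_encrypted:
        head = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    return f"-----BEGIN {label}-----\n{head}{_FAKE_DER_B64}\n-----END {label}-----\n"


if __name__ == "__main__":
    ok, findings = check_export_set(
        make_sample_pem("CERTIFICATE"),
        make_sample_pem("RSA PRIVATE KEY", legacy_encrypted=True),
        make_sample_pem("CERTIFICATE"),
    )
    print("all exports look sane:", ok)
    for name, res in findings.items():
        print(name, res.label, "encrypted" if res.encrypted else "plain", res.problems)
```

In practice you would read the three exported files and pass their contents to check_export_set; a key that fails the password-protected check should be re-exported with a password rather than copied to the client, since a plaintext key on a laptop is the easiest way for the tunnel's identity to leak.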


MFE VPN Configuration

First, we will create a "client address pool".

I have configured a virtual subnet using the "200.1.1.0/24 Network" and defined the local network that remote users will have access to, which is my "internal network 10.1.1.0/24".

We will now configure the MFE VPN.


Shrewsoft IPSEC Client Configuration

If you do not have a copy of the software, you may download it from www.shrewsoft.com. This is third-party freeware. Check www.shrewsoft.com for answers to any technical questions that you may have about their software. There are many other IPSEC clients (such as the SoftPK client from SafeNet) that will work with MFE if they are IPSEC compliant.


Again, I created this using version 2.1.7. I have seen issues with older versions. Make sure that you download the appropriate version for your environment (Vista, 7, XP, 32-bit, 64-bit).

Before I begin the configuration, from the test PC I will run a constant "ping test" to 10.1.1.1, and it will fail because my VPN is not set up.

After installing the software, we will add a new connection.

Here are the configuration steps that I used.


10.1.1.1 is the IP address of my internal DNS server on the MFE for testing purposes, and I hard-coded it instead of using "Obtain Automatically".


Here, we will specify the path to the three certificate files that we copied over to our PC. The client looks for this path each time it connects, so do not move the files once you have copied them over or your VPN will not work.


Once the configuration is done, I will click "Connect" to establish the VPN session.

I am now prompted to authenticate by the ISAKMP server on the MFE. The username and password are for an account I have on my MFE called "fosgood".

For testing, you can use the firewall account or create a regular USER account under: Policy / Rule Elements / Authentication.


I will receive a second authentication prompt. This time it is for the private key password that we created earlier. This password is: password

If all is configured correctly, you will see the following message:

My ping is now working!

An nslookup shows that I am using the internal DNS server of the MFE firewall.

We can also check the status on the Shrew client.


On the MFE, if I run "tcpdump -npi em0", I can see the ESP connection between the MFE and the PC.

We can also check the status on the MFE VPN.

There are many other advanced configurations that we could do to add other layers of security to this VPN, and those are some of the topics that we cover in the advanced MFE firewall certification course.

Feel free to send me any questions or comments.
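To read that tcpdump output systematically rather than by eye, here is an added Python example (not code from the original post) that parses lines from "tcpdump -npi em0", counts the ISAKMP exchanges and the ESP packets in each direction between the remote PC (111.1.1.2) and the MFE's external address (11.1.1.57), and flags any other packet involving the PC, which would be traffic travelling outside the tunnel. The lines in SAMPLE_CAPTURE are constructed to mimic tcpdump's IPv4 output for the addresses used in this post and include the cleartext ping from before the tunnel came up; they are not a real capture, and only IPv4 with -n (no name resolution) is handled.

```python
"""
Summarise `tcpdump -npi em0` output for an IPsec remote-access tunnel.

Added example, not code from the original post.  Assumptions: IPv4 only,
tcpdump run with -n, and the client/firewall addresses from the post
(111.1.1.2 and 11.1.1.57).  SAMPLE_CAPTURE is constructed, not a real capture.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# "<timestamp> IP <src> > <dst>: <protocol details>"
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")
ESP_RE = re.compile(r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)")

# Constructed sample: a cleartext ping before the tunnel, IKE phase 1, then ESP both
# ways, plus an unrelated DNS query from another host on the external segment.
SAMPLE_CAPTURE = """\
10:15:01.000100 IP 111.1.1.2 > 10.1.1.1: ICMP echo request, id 1, seq 7, length 40
10:15:05.120000 IP 111.1.1.2.500 > 11.1.1.57.500: isakmp: phase 1 I ident
10:15:05.130000 IP 11.1.1.57.500 > 111.1.1.2.500: isakmp: phase 1 R ident
10:15:06.000000 IP 111.1.1.2 > 11.1.1.57: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
10:15:06.020000 IP 11.1.1.57 > 111.1.1.2: ESP(spi=0x4e5f6a7b,seq=0x1), length 116
10:15:07.000000 IP 111.1.1.2 > 11.1.1.57: ESP(spi=0x0a1b2c3d,seq=0x2), length 116
10:15:08.000000 IP 11.1.1.200.51000 > 11.1.1.57.53: 1234+ A? example.test. (30)
"""


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'11.1.1.57.500' -> ('11.1.1.57', 500); a bare IPv4 address has no port."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


@dataclass
class TunnelSummary:
    isakmp: int = 0
    esp_client_to_fw: Counter = field(default_factory=Counter)  # SPI -> packets
    esp_fw_to_client: Counter = field(default_factory=Counter)  # SPI -> packets
    cleartext: List[str] = field(default_factory=list)  # client packets that are not IPsec
    other_hosts: int = 0  # packets not involving the client at all
    unparsed: int = 0


def analyze(lines: Iterable[str], client_ip: str, fw_ip: str) -> TunnelSummary:
    """Classify each tcpdump line relative to the client/firewall pair."""
    s = TunnelSummary()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            s.unparsed += 1
            continue
        src, _ = split_endpoint(m.group("src"))
        dst, _ = split_endpoint(m.group("dst"))
        rest = m.group("rest")
        if client_ip not in (src, dst):
            s.other_hosts += 1
            continue
        between_peers = {src, dst} == {client_ip, fw_ip}
        esp = ESP_RE.search(rest)  # also matches NAT-T "UDP-encap: ESP(...)" lines
        if esp and between_peers:
            bucket = s.esp_client_to_fw if src == client_ip else s.esp_fw_to_client
            bucket[esp.group("spi").lower()] += 1
        elif between_peers and "isakmp" in rest.lower():
            s.isakmp += 1
        else:
            # Anything else touching the client is travelling outside the tunnel.
            s.cleartext.append(line)
    return s


def tunnel_established(s: TunnelSummary) -> bool:
    """True when IKE ran and ESP is flowing in both directions."""
    return s.isakmp > 0 and bool(s.esp_client_to_fw) and bool(s.esp_fw_to_client)


if __name__ == "__main__":
    summary = analyze(SAMPLE_CAPTURE.splitlines(), "111.1.1.2", "11.1.1.57")
    print("ISAKMP packets:", summary.isakmp)
    print("ESP client->fw:", dict(summary.esp_client_to_fw))
    print("ESP fw->client:", dict(summary.esp_fw_to_client))
    print("tunnel up:", tunnel_established(summary))
    for entry in summary.cleartext:
        print("outside the tunnel:", entry)
```

On a live firewall you would pipe the tcpdump output into analyze; ESP counted in only one direction, or client packets still showing up in the cleartext list after "Connect", points at a policy or routing problem rather than a working tunnel.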


Thanks,

- Frank Osgood.


If you have questions or recommendations for the blog, please send me an email: [email protected].

Thanks.

The technical opinions expressed here are solely those of Frank Osgood.
