The VPN Menu

 VPN
The GD eSeries can be set up either as an OpenVPN server or as a client, and even
play both roles at the same time, in order to create a network of OpenVPN-connected
appliances and/or clients. The menu items available in the sub-menu are the following:
OpenVPN server: set up the OpenVPN server so that clients (both road-warriors and
other appliances in a Gateway-to-Gateway setup) can connect to one of the local zones.
OpenVPN client (Gw2Gw): set up the client side of a Gateway-to-Gateway setup
between two or more appliances.
IPSec: set up IPSec-based VPN tunnels
L2TP: manage L2TP VPNs
VPN Users: manage users for VPN connections.
OpenVPN server – Server configuration
OpenVPN server enabled: Tick this checkbox to make sure the OpenVPN server is started.
Bridged: Tick this checkbox to run the OpenVPN server in bridged mode, i.e., within one of the existing zones.
VPN subnet: This option is only available if bridged mode is disabled. It allows the OpenVPN server to
run in its own dedicated subnet, which can be specified in the text box and should be different from
the subnets of the other zones.
Bridge to: The (available) zone to which the OpenVPN server should be bridged.
Dynamic IP pool start address: The first possible IP address in the network of the selected zone that
should be used for the OpenVPN clients.
Dynamic IP pool end address: The last possible IP address in the network of the selected zone that
should be used for the OpenVPN clients.
OpenVPN server – Advanced
Port & Protocol: UDP on port 1194 is the default OpenVPN setting for protocol and port, and it is
good practice to keep it unchanged. To make OpenVPN reachable via other ports, define port
forwarding rules that redirect the incoming traffic to port 1194. Set the protocol to TCP only in
borderline cases, e.g., when the OpenVPN server is reached through a third-party HTTP proxy;
otherwise keep the default settings.
Block DHCP responses coming from tunnel: Tick this checkbox when receiving DHCP responses from
the LAN at the other side of the VPN tunnel that conflict with the local DHCP server.
Don’t block traffic between clients: By default, the OpenVPN server isolates clients from each other.
To change this behavior and allow traffic between different VPN clients, tick this option.
Allow multiple connections from one account: Usually one client is allowed to connect from one
location at a time. Selecting this option permits multiple client logins, even from different locations.
Push these networks: The routes to the specified networks defined here (typically not managed by
GD) are sent to the connected clients.
Push these nameservers: The specified nameservers are sent to the connected clients.
Push domain: The search domains used for local name resolution are added to those of the
connected clients.
OpenVPN server – Example
• From the GD eSeries main menu, select VPN and immediately you will be taken to the SSL VPN
(OpenVPN) server configuration page. The first thing to do is to ensure the OpenVPN server is
enabled by checking the first box.
• The next step is to choose whether you want the OpenVPN server to run in bridged mode (i.e.
included in the interface bridge) or you want it to run in non-bridged mode with a separate,
unique VPN IP subnet pool. The default is to run in bridged mode to the Green zone and this is
recommended for most common VPN deployments. If you choose to run in bridged mode, you
may also specify which network zone you want the VPN interface to be bridged to.
• The last thing is to set aside a range of IPs within the bridged interface network to be used
exclusively by the VPN server. Keep in mind that these IPs should not be allocated anywhere else
on the Endian device (e.g. DHCP range, static IPs, etc.). Once you're done, click Save
and restart to enable the VPN server.
• Select “Add new user” from the VPN Server menu and create a new remote user VPN account:
• The main things to configure for the new road-warrior VPN account are the Username and
Password.
• Some of the other options you can specify include the client routing options, where you can
determine specific routes to be pushed to the remote VPN device, as well as custom push
configuration options that let you override the settings from the global options (VPN ‣ Advanced).
Remember that anything provided here overrides the settings you configured in the VPN global
options, so only use these if this client account requires a different configuration. Once
you've completed the necessary fields, click Add to proceed.
• From Panda Perimetral Management Console, once logged in, you should see the available VPN
installer packages under “Downloads”, at which point you can get the one suitable for your
operating system - Windows, Mac OS X, or Linux (.deb - Ubuntu).
• Direct link: https://managedperimeter.pandasecurity.com/downloads_panda.php
• Once the download is complete, follow your operating system's normal installation procedure to
run the PandaVPN installation package.
• When you open the client for the first time, you need to configure the appropriate settings for
the client to connect successfully. To do this, click the [ + ] icon and add a new VPN account profile.
• Now all that is left is to configure the VPN account information. For Description, you can
provide any brief string to identify the VPN account. Under Server, specify the IP
address or fully qualified name of the VPN server (e.g. vpn.example.com). Next, choose
the server certificate file you previously downloaded from the GD eSeries (.pem or .cer). Lastly,
provide the Username and Password for the previously created VPN account.
• Select the appropriate VPN account and click Connect to establish your VPN connection.
• You should see a message saying "Connected to <vpn server ip/name>"; this indicates a successful
VPN connection.
• You can close the VPN Manager at any point, but the VPN service will remain running. You must
click Disconnect to terminate the VPN.
L2TP/IPSec tunnel – Example
Setting up an L2TP tunnel is straightforward and can be done in a few steps:
• Go to Menubar ‣ VPN ‣ IPSec/L2TP (on the left) ‣ L2TP tab and enable L2TP.
• Choose the zone (among the existing ones) to which the L2TP tunnel connections should be
directed.
• Choose the pool of IP addresses to be assigned to the clients connecting through L2TP. This
interval should fall within the IP addresses allocated to the zone.
• Optionally, activate debug mode, which results in more verbose logging.
• Finally, save the configuration by clicking on the Save button and then on Apply in the
green callout that appears after saving.
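Both the OpenVPN dynamic IP pool from the server configuration example above and the L2TP client pool must lie inside the zone they serve and must not collide with addresses the zone already hands out (DHCP range, static IPs), and a non-bridged VPN subnet must not overlap any zone. The Python checks below are added here as an example and are not appliance code; the Green zone 192.168.1.0/24, its DHCP range and its static hosts are constructed assumptions.

```python
"""Sanity checks for the VPN address pools configured through the VPN menu.

Added example, not appliance code. The zone, DHCP range and static hosts
below are constructed for illustration.
"""
from ipaddress import IPv4Address, IPv4Network


def pool_fits_zone(start: str, end: str, zone: str) -> bool:
    """A dynamic IP pool (OpenVPN bridged mode, or the L2TP client pool)
    must be an ordered range of usable host addresses inside the zone."""
    s, e, z = IPv4Address(start), IPv4Address(end), IPv4Network(zone)
    usable = (s in z and e in z
              and s != z.network_address and e != z.broadcast_address)
    return s <= e and usable


def pool_conflicts(start: str, end: str, dhcp_range: tuple, static_hosts: list) -> list:
    """Addresses in the pool that the zone already hands out by DHCP or has
    assigned statically. An empty list means the pool is reserved for VPN only."""
    s, e = int(IPv4Address(start)), int(IPv4Address(end))
    d0, d1 = (int(IPv4Address(a)) for a in dhcp_range)
    taken = {int(IPv4Address(h)) for h in static_hosts}
    return [str(IPv4Address(i)) for i in range(s, e + 1)
            if d0 <= i <= d1 or i in taken]


def vpn_subnet_is_distinct(vpn_subnet: str, zones: list) -> bool:
    """Non-bridged mode: the dedicated VPN subnet must not overlap any zone,
    otherwise routes for the zone and for the tunnel collide."""
    v = IPv4Network(vpn_subnet)
    return not any(v.overlaps(IPv4Network(z)) for z in zones)


# Constructed sample: Green zone with DHCP .100-.199 and two static hosts.
GREEN = "192.168.1.0/24"
DHCP = ("192.168.1.100", "192.168.1.199")
STATIC = ["192.168.1.1", "192.168.1.10"]

if __name__ == "__main__":
    # A pool that overlaps the tail of the DHCP range lists ten conflicts...
    print(pool_conflicts("192.168.1.190", "192.168.1.210", DHCP, STATIC))
    # ...while .200-.220 sits inside the zone and is free.
    print(pool_fits_zone("192.168.1.200", "192.168.1.220", GREEN),
          pool_conflicts("192.168.1.200", "192.168.1.220", DHCP, STATIC))
    # Routed (non-bridged) mode: 10.8.0.0/24 is distinct from every zone.
    print(vpn_subnet_is_distinct("10.8.0.0/24", [GREEN, "192.168.2.0/24"]))
```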
• After the L2TP tunnel has been enabled, you are just a few more steps away from enabling IPSec
with the L2TP tunnel.
• Click on the IPSec tab to open the IPSec configuration page, which consists of three boxes.
• In the first box, tick the checkbox to enable VPN connections using IPSec.
• You can optionally tick any of the four checkboxes to enable specific debugging options,
which result in verbose logging.
• Then click on the Add button to start the configuration of the VPN.
• In the first panel, choose the type of connection to use, which is in this case the third option, i.e.,
a "roadwarrior using L2TP", then click on Add.
• The first step is to configure the VPN account by providing the Name and the External Interface
on which to listen for incoming VPN connections. Also tick the checkbox to enable the account,
otherwise it cannot be used to connect.
• The second part of the VPN account creation requires providing a strong pre-shared key for
authentication.
• Once you are done, click on Save to store the settings.
• After the VPN connection and the L2TP tunnel have been created, the only piece still missing to
complete the VPN/IPSec setup is the L2TP users.
• To create new L2TP users, go to Menubar ‣ VPN ‣ VPN Users, then click on “Add new User”.
• In this step you define the name and the password for the VPN user. Also make sure that you
tick the “L2TP” and “Enabled” checkboxes to activate the new L2TP user. Finally, click on
Advanced Settings to proceed to the last step.
• In this last step, click on L2TP options to reveal the last option, the choice of the IPSec tunnel to
be used: select it from the dropdown menu and finalize the user creation by clicking on the Add button.
Connecting to GD eSeries via L2TP (IPSec) using iOS – Example
• To configure your iOS device, e.g., iPhone or iPad, first go to General > Network > VPN, then
tap Settings and tap Add VPN connection.
• Tap on L2TP.
• Enter a custom description for the connection. This is the name that will be displayed in the list
of available VPN connections.
• Enter the IP address or hostname next to Server.
• Tap on Account and enter your username.
• If you want to store your password on the device, tap Password and enter your password.
• Tap Secret and enter your PSK Secret (pre-shared key).
• When the configuration is done, slide the VPN switch to ON to start the connection.