
VPN Administration Guide
Revision A
SafeNet/Soft-PK Version 5.1.3 Build 4
Sidewinder Version 5.1.0.02


Copyright Notice
This document and the software described in it are copyrighted. Under the copyright laws, neither this document nor this
software may be copied, reproduced, translated, or reduced to any electronic medium or machine-readable form without
prior written authorization of Secure Computing Corporation. Copyright © 2001, Secure Computing Corporation. All
rights reserved. Made in the U.S.A.
Trademarks
Secure Computing, Sidewinder, Type Enforcement, and Strikeback are either registered trademarks or trademarks of
Secure Computing Corporation. All other trademarks, tradenames, service marks, service names, product names, and
images mentioned and/or used herein belong to their respective owners.
Secure Computing Corporation Software License Agreement
CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE LOADING THE SOFTWARE. BY LOADING
THE SOFTWARE, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS AGREEMENT, UNDERSTAND IT, AND AGREE
TO BE BOUND BY ITS TERMS AND CONDITIONS.
Secure Computing Corporation ("Secure Computing") provides its software and licenses its use either directly or through
authorized dealers. You assume responsibility for the selection of the programs to achieve your intended results, and for
the installation (unless installation is purchased from Secure Computing or an authorized dealer), use, and results
obtained from the programs.
1. Grant of License
Secure Computing grants to you, and you accept, a non-exclusive, and non-transferable license (without right to sub-
license) to use the Software Products as defined herein on a single machine.
2. Software Products
"Software Products" mean (i) the machine-readable object-code versions of the Software of Secure Computing
contained in the media (the "Software"), (ii) the published user manuals and documentation that are made available for
the Software (the "Documentation"), and (iii) any updates or revisions of the Software or Documentation that you may
receive (the "Update"). Under no circumstances will you receive any source code of the Software. Software Products
provided for use as "backup" in the event of failure of a primary unit may be used only to replace the primary unit after
a failure in fact occurs. They may not be used to provide any capability in addition to the functioning primary system
that they backup.
3. Use
You may not transfer any Software Products to any third party. You may not copy, translate, modify, sub-license, adapt,
decompile, disassemble, or reverse engineer any Software Product in whole or in part except to make one copy of the
Software solely for back-up or archival purposes.
4. Limited Warranty and Remedies
Secure Computing warrants that the disk(s) or tape(s) on which its Software is recorded is/are free from defects in
material and workmanship under normal use and service for a period of ninety (90) days from the date of shipment to
you.
Secure Computing does not warrant that the functions contained in the Software will meet your requirements or that
operation of the program will be uninterrupted or error-free. The Software is furnished "AS IS" and without warranty as
to the performance or results Licensee may obtain by using the Software. The entire risk as to the results and
performance of the Software is assumed by Licensee. If Licensee does not receive media which is free from defects in
materials and workmanship during the 90-day warranty period, Licensee will receive a refund for the amount Licensee
paid for the Software Product returned.
5. Limitation of Warranty and Remedies
THE WARRANTIES STATED HEREIN ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES AND
COUNTRIES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT
APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS WHICH
VARY BY STATE OR COUNTRY.

SECURE COMPUTING’S AND ITS LICENSORS ENTIRE LIABILITY UNDER, FOR BREACH OF, OR ARISING OUT OF
THIS AGREEMENT, IS LIMITED TO A REFUND OF THE PURCHASE PRICE OF THE PRODUCT OR SERVICE THAT
GAVE RISE TO THE CLAIM. IN NO EVENT SHALL SECURE COMPUTING OR ITS LICENSORS BE LIABLE FOR YOUR
COST OF PROCURING SUBSTITUTE GOODS. IN NO EVENT WILL SECURE COMPUTING OR ITS LICENSORS BE
LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES
WHETHER OR NOT SECURE COMPUTING HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
6. Term and Termination
This license is effective until terminated. If you are using this license with a limited term, it shall expire at the end of
the license term. You may terminate it at any time by destroying the Software Product, including all computer programs
and documentation, and erasing any copies residing on computer equipment. This Agreement also will automatically
terminate if you do not comply with any terms or conditions of this Agreement. Upon such termination, you agree to
destroy the Software Product and erase all copies residing on computer equipment.
7. Ownership
All intellectual property rights including trademarks, service marks, patents, copyrights, trade secrets, and other
proprietary rights in or related to the Software Products are, and will remain the property of Secure Computing or its
licensors, whether or not specifically recognized or protected under local law.
8. Export Restrictions
You agree to comply with all applicable United States export control laws and regulations, including without limitation,
the laws and regulations administered by the United States Department of Commerce and the United States Department
of State.
9. U.S. Government Rights
Software Products furnished to the U.S. Government are provided on these commercial terms and conditions as set
forth in DFARS 227.7202-1(a).
10. General
Any waiver of or modification to the terms of this Agreement will not be effective unless executed in writing and
signed by Secure Computing. If any provision of this Agreement is held to be unenforceable, in whole or in part, such
holding shall not affect the validity of the other provisions of this Agreement. In the event of any inconsistency
between this Agreement and any other related agreements between you and Secure Computing, the terms of this
Agreement shall prevail.
Technical Support Information
Secure Computing works closely with our Channel Partners to offer worldwide Technical Support services. If you
purchased this product through a Secure Computing Channel Partner, please contact your reseller directly for support
needs.
To contact Secure Computing directly or inquire about obtaining a support contract, refer to our “Contact Secure" Web
page for the latest contact information at www.securecomputing.com. Or if you prefer, send us an email at
support@securecomputing.com.
Comments?
If you have comments or suggestions you would like to make regarding this document, please send an email to
techpubs@securecomputing.com.
Printing History
Date: March 2001
Part number: 86-0935037-A
Software release: Soft-PK 5.1.3 Build 4 and Sidewinder 5.1.0.02

TABLE OF CONTENTS
Preface: About this Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . .v
Who should read this guide? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .v
How this guide is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi
Where to find additional information . . . . . . . . . . . . . . . . . . . . . . .vii
Chapter 1: Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
About Soft-PK & Sidewinder VPNs . . . . . . . . . . . . . . . . . . . . . . . 1-2
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-3
Sidewinder and other network requirements . . . . . . . . . . . . . . 1-3
Soft-PK requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Roadmap to deploying your VPNs . . . . . . . . . . . . . . . . . . . . . . . 1-5
Chapter 2: Planning Your VPN Configuration. . . . . . . . . . 2-1
Identifying basic VPN connection needs . . . . . . . . . . . . . . . . . . . 2-2
Identifying authentication requirements . . . . . . . . . . . . . . . . . . .2-3
Using digital certificate authentication . . . . . . . . . . . . . . . . . . . 2-3
Understanding pre-shared key authentication . . . . . . . . . . . . 2-5
Extended authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-6
Determining where you will terminate your VPNs . . . . . . . . . . . . 2-7
More about virtual burbs and VPNs . . . . . . . . . . . . . . . . . . . . 2-8
Defining a virtual burb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-8
Understanding Sidewinder client address pools . . . . . . . . . . . . . 2-9
Chapter 3: Configuring Sidewinder for Soft-PK Clients . 3-1
Enabling the VPN servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Configuring ACL & proxies entries for VPN connections . . . . . . 3-3
Managing Sidewinder self-signed certs . . . . . . . . . . . . . . . . . . .3-4
Creating & exporting a firewall certificate . . . . . . . . . . . . . . . . 3-4
Creating & exporting remote certificate(s) . . . . . . . . . . . . . . . .3-6
Managing CA-based certificates . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Defining a CA to use and obtaining the CA root cert . . . . . . .3-9
Requesting a certificate for the firewall . . . . . . . . . . . . . . . . . 3-10
Determining identifying information for client certificates . . .3-12

Defining remote client identities in Sidewinder . . . . . . . . . . . 3-13
Managing pre-shared keys (passwords) . . . . . . . . . . . . . . . . . .3-14
Configuring the VPN on the Sidewinder . . . . . . . . . . . . . . . . . . 3-15
Chapter 4: Installing and Working with Soft-PK. . . . . . . . 4-1
Soft-PK installation notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-2
Starting Soft-PK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-3
Determining Soft-PK status from icon variations . . . . . . . . . . . 4-3
Activating/Deactivating Soft-PK . . . . . . . . . . . . . . . . . . . . . . . 4-4
About the Soft-PK program options . . . . . . . . . . . . . . . . . . . . 4-5
Managing certificates on Soft-PK . . . . . . . . . . . . . . . . . . . . . . . .4-6
Setting up Sidewinder self-signed certificates . . . . . . . . . . . . .4-6
Setting up CA-based certificates . . . . . . . . . . . . . . . . . . . . . . . 4-7
Requesting a personal certificate from a CA on user’s behalf 4-8
Importing certificate in Soft-PK . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Configuring a security policy on the Soft-PK . . . . . . . . . . . . . . .4-13
Chapter 5: Deploying Soft-PK to Your End Users . . . . . . 5-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-2
Customizing the user worksheet . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Specifying dial-up network instructions . . . . . . . . . . . . . . . . . . 5-4
Specifying installation instructions . . . . . . . . . . . . . . . . . . . . .5-4
Specifying certificate import/request instructions . . . . . . . . . .5-5
Specifying security policy instructions . . . . . . . . . . . . . . . . . . . 5-6
Specifying basic connection information . . . . . . . . . . . . . . . . . 5-6
Appendix A: Troubleshooting . . . . . . . . . . . . . . . . . . . . . .A-1
Soft-PK Log Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-1
Soft-PK Connection Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-2
More about the Connection Monitor . . . . . . . . . . . . . . . . . . . .A-3
To view the details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-3
Sidewinder troubleshooting commands . . . . . . . . . . . . . . . . . . .A-4

PREFACE
About this Guide
This guide provides the information needed to set up connections
between remote systems running SafeNet/Soft-PK™VPN client
software and systems on a network protected by Secure Computing’s
Sidewinder firewall. SafeNet/Soft-PK is a Windows-compatible
program that secures data communications sent from a desktop or
laptop computer across either a public network or an existing
corporate dial-up line.
Note: The SafeNet/Soft-PK product is referred to as simply "Soft-PK" throughout the
remainder of this document.
IMPORTANT: This guide describes administration of VPNs between Soft-PK Version 5.1.3
Build 4 and Sidewinder Version 5.1.0.02. If you are working with a later version of either
product, check our Web page at www.securecomputing.com for the latest
documentation (select Downloads & Activations -> Product Documentation).
Who should read this guide?
This guide is written for the person assigned to administer
Sidewinder-based VPN connections involving a Soft-PK VPN client.
Setting up VPN connections involves procedures done on Sidewinder
and procedures done using Soft-PK to pre-configure the VPN client
security policy for each remote user (road warrior, telecommuter,
etc.).
As a network administrator, you should read and understand all the
procedures in this document. You will then be able to provide all
remote users with the information, files, and software they need to set
up Soft-PK software to communicate with your trusted network(s).
This guide assumes you are familiar with networks and network
terminology. Because Soft-PK will use a security association with a
Sidewinder firewall, you should be familiar with Sidewinder
administration. Knowledge of the Internet and of Windows operating
systems is also a key requirement.

How this guide is organized
This guide contains the following chapters.
Finding information
This guide is in Acrobat (softcopy) format only and does not contain
an index. However, you can use Acrobat's Find feature to search for
every instance of any word or phrase that you want.
Chapter 1: Getting Started
Presents an overview of the Soft-PK and the Sidewinder Virtual Private
Network (VPN) environment and describes the requirements. It includes a
checklist to guide you through the basic steps to set up and deploy a VPN.

Chapter 2: Planning Your VPN Configuration
Provides information to help you understand key concepts and options
that are involved in a VPN connection.

Chapter 3: Configuring Sidewinder for Soft-PK Clients
Provides a summary of Sidewinder procedures associated with setting up
and configuring Soft-PK connections in your network.
Note: Perform these procedures before you configure your Soft-PK clients.

Chapter 4: Installing and Working with Soft-PK
Includes Soft-PK installation notes and describes the basic Soft-PK
procedures for managing certificates and creating a customized Soft-PK
security policy for your remote clients.

Chapter 5: Deploying Soft-PK to Your End Users
Summarizes the steps for preparing and deploying the Soft-PK software,
digital certificate files, and security policy to your end users. It is
based on a worksheet (in MS Word format) that you edit and send to each
remote end user.

Appendix A: Troubleshooting
Provides a summary of troubleshooting techniques available for resolving
Soft-PK and Sidewinder VPN connection problems.

Viewing and printing this document online
When you view this document online in PDF format, you may find
that the screen images are blurry. If you need to see the image more
clearly, you can either enlarge it (which may not eliminate the
blurriness) or you can print it. (The images are very clear when
printed out.)
For the best results, print this PDF document using a PostScript printer
driver.
If your printer understands PostScript but does not have a
PostScript driver installed, you need to install a PostScript driver.
You can download one for your printer from www.adobe.com.
If your printer is not a PostScript printer and this document does
not print as expected, try one of the following:
—If your printer has the option Print as Image, enable this option
and then try printing.
—Print specific page(s) at a time rather than sending the entire
document to the printer.
Where to find additional information
Refer to the following for related information.
About Soft-PK
For additional information about configuring and troubleshooting
Soft-PK software, refer to the online help that is integrated into the
program’s user interface. Soft-PK online help provides detailed
step-by-step procedures for individual VPN client tasks.
About Sidewinder
For more information about setting up VPN connections on
Sidewinder, refer to Chapter 11 in the Sidewinder Administration
Guide. In addition, be sure to review documentation associated
with patch releases.
About digital certificates
For information on digital certificates and Public Key Infrastructure
(PKI) technology, see:
—Understanding Public-Key Infrastructure, by Carlisle Adams
and Steve Lloyd (1999)
—Internet X.509 Public Key Infrastructure, Certificate and CRL
Profile, RFC 2459, R. Housley, W. Ford, W. Polk, D. Solo
(January 1999)

To contact Secure Computing directly or inquire about obtaining a
support contract, refer to our Web site at www.securecomputing.com,
and select “Contact Us." Or if you prefer, send us email at
support@securecomputing.com (be sure to include your customer ID in
the email).

CHAPTER 1
Getting Started

About this chapter
This chapter provides an overview of the Soft-PK™ and Sidewinder
Virtual Private Network (VPN) environment and describes the
requirements. It includes a checklist to guide you through the basic
steps to set up and deploy a VPN.
This chapter addresses the following topics:
"About Soft-PK & Sidewinder VPNs" on page 1-2
"Requirements" on page 1-3
"Roadmap to deploying your VPNs" on page 1-5

About Soft-PK & Sidewinder VPNs
Soft-PK is security software for remote PC users. It is designed to
provide data privacy between remote users and a corporate network.
Industry-standard encryption and user verification routines protect the
data sent over the connection. Soft-PK conforms to Internet
Engineering Task Force (IETF) standards for TCP/IP and IP Security
(IPSec) protocols.
Soft-PK works with the Secure Computing Sidewinder firewall to
establish secure VPNs over public and private networks. Information
passed across a VPN is encrypted, ensuring privacy and
confidentiality.
Figure 1-1. Sidewinder VPN connection providing secure data transmission
between a remote system running Soft-PK and your internal network(s)
Note: In a VPN connection, keep in mind that the definition of "remote" depends on
perspective. From the Sidewinder's point of view, the remote end is a system connecting
from the Internet. From the Soft-PK system's point of view, the remote end is the Sidewinder
(VPN gateway) and the protected network.
Using Soft-PK, a mobile employee or telecommuter can establish
authenticated and encrypted access with networks protected by
Secure Computing’s fully IKE (Internet Key Exchange) compliant
Sidewinder firewall. Remote users can access secure corporate
resources using either public networks or corporate dial-up lines.
[Figure 1-1 diagram: Soft-PK client, Internet, Sidewinder, Protected Network; legend distinguishes the VPN tunnel from data.]

Requirements
To configure VPN communication between Sidewinder and Soft-PK
clients, your Sidewinder must be configured with the proper VPN
parameter settings and access rules. In addition, depending on your
VPN connection setup, you may also need to define the proper
digital certificates.
To run the Soft-PK VPN client, each remote system must meet
minimum hardware and software requirements. In addition, the
system must be able to make a connection with the Internet through
any of a number of means (for example, a dial-up networking facility,
an Ethernet LAN interface, DSL, cable modem, etc.).
Before starting your VPN setup, ensure that your environment meets
the requirements listed in this section.
Sidewinder and other network requirements
The network over which Soft-PK and Sidewinder will be used must
meet the basic requirements listed in Table 1-1.
Table 1-1. Network requirements for using Soft-PK with Sidewinder
Network:
A network infrastructure with at least one installed and operational
Sidewinder.
Note: You can protect more than one LAN with a single Sidewinder.
Sidewinder:
Sidewinder Version 5.1 or later (this document is based on Sidewinder
running Version 5.1.0.02).
VPN feature license.
Remote client Internet connection:
Connection to the Internet (via a dial-up line, DSL, cable modem, etc.).
If using digital certificate authentication:
Digital certificates based on Sidewinder self-signed certificates,
or
Digital certificates from a public CA or your own CA server
(registration over the network using SCEP is recommended).

Soft-PK requirements
Each system on which Soft-PK will be installed must meet the
requirements listed in Table 1-2.
IMPORTANT: A remote system must only run one VPN client. If a VPN client program
such as SecureClient was previously installed on the remote system, ensure it is properly
uninstalled. See Chapter 4, "Installing and Working with Soft-PK" for details.
Table 1-2. System requirements for running Soft-PK
Hardware:
An IBM PC or compatible computer (portable or desktop) with at least a
75 MHz Pentium microprocessor (or equivalent).
A non-encrypting modem (for use with dial-up networking) or an Ethernet
interface.
At least 10 MB of free hard disk space.
The recommended system RAM size:
— Windows 95: 16 MB
— Windows 98, NT: 32 MB
— Windows 2000, Me: 64 MB
Software:
Microsoft Windows 95, 98, Me, NT 4.0, or 2000 Professional.
Dial-up Networking component of Microsoft Windows and/or Ethernet LAN
interface.
If the remote system uses a modem, the end user must have a dial-up
account with an Internet Service Provider (ISP) or a private corporate
dial-up account.
TIP: Instruct Soft-PK users to follow the instructions provided by Microsoft to
install Dial-Up Networking on their Windows machine. Also, create a dial-up
networking profile for the ISP used to gain access to the Internet.
Microsoft Internet Explorer 4.0 or later (for using help).

Roadmap to deploying your VPNs
Because Secure Computing products provide network security, we
recommend that, as the network administrator, you carefully oversee
the installation and configuration of the Soft-PK client(s). Setting up
VPN connections using Soft-PK and Sidewinder involves performing
procedures on each remote system running Soft-PK AND on your
Sidewinder.
If done properly, administrators can do most of the VPN configuration
for both Soft-PK and Sidewinder, with little required of the end users.
For example, you can set up the digital certificates and create a
security profile that you include with Soft-PK’s installation files. Users
then simply need to install Soft-PK and import a few files.
TIP: A separate Soft-PK User's Guide is NOT provided for end users of Soft-PK. As an
administrator, you should use the worksheet provided on the SafeNet/Soft-PK CD-ROM (in
MS Word format) as the basis for providing the remote Soft-PK users with the appropriate
installation and setup instructions. This way, Soft-PK users are required to follow only the
instructions that have been customized for your firewall configuration. (Refer to Chapter 5,
"Deploying Soft-PK to Your End Users" for details about the worksheet.)
Figure 1-2 provides a graphical overview of the Soft-PK and
Sidewinder VPN deployment process. Each of the tasks depicted in
Figure 1-2 is also reflected in the checklist starting on page 1-7.

Figure 1-2. VPN deployment overview

Admin tasks performed on the Sidewinder system:
1 — Satisfy Sidewinder, network, & system requirements
2 — Plan your VPN configuration
3 — Enable appropriate Sidewinder servers, ACL entries, & proxies
4 — Set up VPN authentication on Sidewinder
  If using Sidewinder self-signed certificates:
  4a1 — Create & export a firewall certificate
  4a2 — Create & export remote certificates
  4a3 — Convert key file/certificate pair to pkcs12 format
  If using CA-assigned certificates:
  4b1 — Request/export the CA root certificate
  4b2 — Request a firewall certificate
  4b3 — Determine the identifying information (DN) your clients use
  4b4 — Define remote certificate identities within Sidewinder
  If using pre-shared keys (passwords):
  4c1 — Define remote identities within Sidewinder
  Important: Be sure to specify Extended Authentication when configuring
  your VPN connection in Step 5.
5 — Configure the VPN connections on the Sidewinder

Admin tasks performed using Soft-PK prior to deploying to end users:
6 — Configure the certificates and security policy(ies) for your remote users
7 — Prepare and deploy your Soft-PK installation package to remote users
8 — Troubleshoot any connection problems

Soft-PK deployment checklist
The following checklist identifies each major step involved in the
setup and deployment of your Soft-PK software (as shown in Figure
1-2). You can use the checklist as a reference point and mark off each
item as you complete it to ensure a successful VPN rollout.
TIP: Each step provides an overview of the task and points you to specific documentation
for more detailed information.
1 — Satisfy Sidewinder, network, & system requirements
❒Sidewinder/network: Verify that your Sidewinder is at Version 5.1.0.02 or later,
licensed for VPN, and that your network is fully operational.
❒End-user systems: Verify that each system on which Soft-PK will be installed meets
the requirements as described on page 1-4.
2 — Plan your VPN configuration
❒Review Chapter 2 to become familiar with key concepts and options that are
available when setting up VPNs.
❒Review Chapter 11 in the Sidewinder Administration Guide for additional background
on VPN configuration.
❒Review the readme.txt file located on the Soft-PK CD for additional information from
Secure Computing.
3 — Enable appropriate Sidewinder servers, ACL entries, & proxies
Note: For details, see "Enabling the VPN servers" on page 3-2 and "Configuring ACL & proxies
entries for VPN connections" on page 3-3.
❒CMD server: The Certificate Management Daemon (CMD) server must be enabled
before you can configure the certificate server.
❒EGD server: The Entropy Generating Daemon (EGD) server is used by ISAKMP. This
server must be enabled before you can create VPN associations.
❒ISAKMP server: The ISAKMP server must be enabled and set to listen on the
appropriate burb (typically, this will be the Internet burb).

❒ISAKMP ACL entry: At a minimum, you must define and enable an ACL entry that
allows ISAKMP traffic (UDP port 500) from the Internet to the Internet burb on Sidewinder
(external IP address of Sidewinder). Keep this entry limited to ISAKMP and to the
firewall's external address; do not widen it to all UDP traffic.
❒Other ACL entries: Depending on where you terminate your VPN connections on
Sidewinder (e.g., in a virtual burb), you may need to create ACL entries to allow traffic
between burbs.
❒Proxies: Depending on where you terminate your VPN connections on Sidewinder
(e.g., in a virtual burb), you may need to enable proxies to allow traffic between burbs.
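The ISAKMP ACL entry in step 3 is the minimum a remote Soft-PK client needs in order to reach the firewall's key-exchange daemon. The following is an added example and not Sidewinder's ACL syntax or evaluation engine: the rule fields, burb names and addresses are constructed for illustration, and the semantics (first matching rule wins, anything unmatched is denied) are an assumption. It evaluates two rule lists against sample flows and shows that a rule pinned to UDP port 500 and the firewall's external address admits IKE and nothing else, while a rule that allows any UDP to the firewall also admits unrelated services.

```python
"""Evaluate a minimal ISAKMP ACL against sample flows.

Added example; not Sidewinder's ACL syntax or engine. Assumed semantics:
the first matching rule wins and anything unmatched is denied.
ISAKMP/IKE listens on UDP port 500.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ISAKMP_PORT = 500  # UDP port used by ISAKMP/IKE


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    proto: str             # "udp", "tcp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port; None means any port
    burb: str              # burb on which the packet arrives (constructed names)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int
    burb: str


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True when every field of the rule covers the corresponding flow field."""
    return (
        rule.proto in ("any", flow.proto)
        and rule.burb == flow.burb
        and (rule.dport is None or rule.dport == flow.dport)
        and ip_address(flow.src) in ip_network(rule.src)
        and ip_address(flow.dst) in ip_network(rule.dst)
    )


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, or the
    implicit deny when no rule matches."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed address from the RFC 5737 documentation range; not a real host.
FIREWALL_EXTERNAL_IP = "203.0.113.10"

# The minimum the checklist calls for: ISAKMP from anywhere on the Internet
# to the firewall's external address, arriving on the Internet burb.
MINIMAL_RULES = [
    Rule("isakmp-in", "allow", "udp", "0.0.0.0/0",
         f"{FIREWALL_EXTERNAL_IP}/32", ISAKMP_PORT, "internet"),
]

# A tempting shortcut that is too broad: any UDP to the firewall.
OVERBROAD_RULES = [
    Rule("udp-any-in", "allow", "udp", "0.0.0.0/0",
         f"{FIREWALL_EXTERNAL_IP}/32", None, "internet"),
]

# Constructed sample flows: a road warrior's IKE exchange, an SSH attempt,
# a UDP/53 probe, and an IKE packet that arrived on the wrong burb.
SAMPLE_FLOWS = [
    Flow("udp", "198.51.100.7", FIREWALL_EXTERNAL_IP, ISAKMP_PORT, "internet"),
    Flow("tcp", "198.51.100.7", FIREWALL_EXTERNAL_IP, 22, "internet"),
    Flow("udp", "198.51.100.7", FIREWALL_EXTERNAL_IP, 53, "internet"),
    Flow("udp", "10.0.0.5", FIREWALL_EXTERNAL_IP, ISAKMP_PORT, "internal"),
]


def decisions(rules: List[Rule]) -> List[str]:
    """Action taken for each sample flow under the given rule list."""
    return [evaluate(rules, flow)[0] for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for label, rules in (("minimal", MINIMAL_RULES), ("over-broad", OVERBROAD_RULES)):
        print(label, decisions(rules))
```

Under the minimal rule list only the first flow is allowed; the over-broad list also lets the UDP/53 probe through, which is the kind of exposure the "at a minimum" wording is meant to avoid. The fourth flow is denied in both cases because the rule is bound to the Internet burb, matching the checklist's instruction to have ISAKMP listen only on the appropriate burb.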
4 — Create/Request the digital certificates
If using Sidewinder self-signed certificates:
❒Use Cobra to create and export a firewall certificate. See "Creating & exporting a
firewall certificate" on page 3-4 for details.
❒Use Cobra to create and export remote certificates for each end user. See "Creating &
exporting remote certificate(s)" on page 3-6 for details.
❒Use a command-line utility on Sidewinder to convert the certificate file/private key file
pair to pkcs12 format. See "Converting the certificate file/private key file pair to pkcs12
format" on page 3-8 for details. The pkcs12 file contains the user's private key, so protect
it with a strong passphrase and deliver it to the user by a separate channel from the passphrase.
If using CA-assigned certificates:
❒Use Cobra to define a CA and obtain the CA root certificate and export it for sending
to client(s). See "Defining a CA to use and obtaining the CA root cert" on page 3-9 for
details.
❒Use Cobra to request a certificate for the firewall from the CA. See "Requesting a
certificate for the firewall" on page 3-10 for details.
❒Determine the identifying information (e.g., Distinguished Name settings) your
clients will use in their personal certificates. See "Determining identifying information
for client certificates" on page 3-12.
❒Use Cobra to specify the client certificate identity information within Sidewinder.
See "Defining remote client identities in Sidewinder" on page 3-13 for details.
If using pre-shared keys (passwords):
❒Use Cobra to specify the client identity information within Sidewinder. See
"Managing pre-shared keys (passwords)" on page 3-14 for details.
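The two CA-assigned certificate items above (determining the Distinguished Name your clients will carry, then defining remote identities in Sidewinder) only authenticate the right users if the identity pins down enough of the subject DN. The example below is added here and is not Sidewinder's or Soft-PK's identity-matching code; its matching rule (every attribute named in the identity template must appear in the certificate subject with the same value, with "*" meaning any value) and its sample DNs and group names are assumptions for illustration. It shows why an identity that names only the organisation is too loose: it accepts any certificate the CA issued under that organisation.

```python
"""Match client certificate subject DNs against remote-identity templates.

Added example; not Sidewinder/Soft-PK code. The matching rule below is an
assumption: every attribute in the template must be present in the subject
with an equal (case-insensitive) value, and a template value of "*" only
requires the attribute to exist. DN syntax follows the RFC 2253 text form.
"""
import re
from typing import Dict, List, Optional, Tuple

DN = List[Tuple[str, str]]


def parse_dn(dn: str) -> DN:
    """Split 'CN=alice,OU=Sales,O=Example Corp,C=US' into (attribute, value)
    pairs. Commas inside a value must be escaped as '\\,'; attribute types
    are normalised to upper case."""
    parts: DN = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        parts.append((attr.strip().upper(), value.replace("\\,", ",").strip()))
    return parts


def match_identity(cert_dn: str, template: Dict[str, str]) -> bool:
    """Apply the assumed matching rule; multi-valued attributes (two OU=)
    match if any value equals the template value."""
    subject: Dict[str, List[str]] = {}
    for attr, value in parse_dn(cert_dn):
        subject.setdefault(attr, []).append(value)
    for attr, wanted in template.items():
        values = subject.get(attr.upper(), [])
        if not values:
            return False
        if wanted != "*" and not any(v.casefold() == wanted.casefold() for v in values):
            return False
    return True


def authorize(cert_dn: str, identities: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Return the name of the first remote identity the subject matches, or
    None. Order matters: list the most specific identities first."""
    for name, template in identities.items():
        if match_identity(cert_dn, template):
            return name
    return None


# Constructed identities (not from the guide): one per remote-user group.
# CN="*" requires a CN to be present without fixing its value.
IDENTITIES = {
    "sales-roadwarriors": {"OU": "Sales", "O": "Example Corp", "C": "US", "CN": "*"},
    "it-admins": {"OU": "IT", "O": "Example Corp", "C": "US", "CN": "*"},
}

# Too loose: matches every certificate the CA ever issued for the organisation.
LOOSE_IDENTITY = {"O": "Example Corp"}

if __name__ == "__main__":
    alice = "CN=alice,OU=Sales,O=Example Corp,C=US"
    mallory = "CN=mallory,OU=Contractors,O=Example Corp,C=US"
    print(authorize(alice, IDENTITIES))             # sales-roadwarriors
    print(authorize(mallory, IDENTITIES))           # None
    print(match_identity(mallory, LOOSE_IDENTITY))  # True
```

When you decide the identifying information in step 4b3, choose attribute values (OU, and the CN naming convention) that only the users you intend to admit will carry, and confirm with the CA that it will not issue certificates with those values to anyone else.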

5 — Configure the VPN connections on the Sidewinder
❒Use Cobra to define the VPN security association configuration. See "Configuring the
VPN on the Sidewinder" on page 3-15 for details.
❒Enable Extended Authentication.
6 — Configure the certificates and security policy(ies) for your remote
users
❒Install your copy of Soft-PK. See "Soft-PK installation notes" on page 4-2 for details.
❒Use Soft-PK to set up the certificates needed by each end user. See "Managing
certificates on Soft-PK" on page 4-6 for details.
❒Use Soft-PK to create and save security policies that are customized for your end
users. See "Configuring a security policy on the Soft-PK" on page 4-13 for details.
7 — Prepare and deploy your Soft-PK installation package to remote users
❒Prepare the files you will distribute to your end users. For details, see "Overview" on
page 5-2.
❒Create Soft-PK installation and configuration instructions for your end users. For
details, see "Customizing the user worksheet" on page 5-4.
—If necessary, define configuration steps for the Windows Dial-Up Networking
feature on each machine on which you are installing and using Soft-PK. For
details, see "Specifying dial-up network instructions" on page 5-4.
—Specify the Soft-PK installation instructions. For details, see "Specifying installation
instructions" on page 5-4.
—Specify the instructions for importing/requesting/setting up client certificates.
For details, see "Specifying certificate import/request instructions" on page 5-5.
—Specify the instructions for establishing a security association. For details, see
"Specifying security policy instructions" on page 5-6.
❒Send the Soft-PK deployment software and files to your end users.
TIP: Use the UserWorksheet.doc file on the Soft-PK CD as a starting point to define
the information each end user will need to install and quickly set up Soft-PK for
your network.

8 — Troubleshoot any connection problems
❒Use the Soft-PK Log Viewer. See "Soft-PK Log Viewer" on page A-1.
❒Use the Soft-PK Connection Monitor. See "Soft-PK Connection Monitor" on page A-2.
❒Use Sidewinder commands. See "Sidewinder troubleshooting commands" on page
A-4 and the Sidewinder Administration Guide for details.