manualshive.com logo in svg

HoB HOBLink, Administration Manual

Share
Download
HoB HOBLink Administration Manual Download Page 56

Configuring HOBLink VPN Gateway

HOBLink VPN Gateway

56

Security Solutions by HOB

Enabled

 – check to enable the peer. This is enabled by default.

Description

 – enter a description of the peer to help identify and manage it.

Type

 – select the type category of the peer. Supported types are 

Gateway

 

(default), 

User

 or

 

User Group

. The type selected here should match with the type 

of the element selected under 

Name

.

IKE version

 – enter the IKE version used. The supported versions are 

1

 

(default) 

and 

2

.

IKEv1 scheme

 – select the name of the IKEv1 scheme for this peer (see 

Section 

5.8 Internet Key Exchange (IKE) 

on page

42

). This field is only shown if the IKE 

version selected is 

1

.

IKEv2 scheme

 – select the name of the IKEv2 scheme for this peer (see 

Section 

5.8 Internet Key Exchange (IKE) 

on page

42

). This field is only shown if the IKE 

version selected is 

2

.

IKE port 

– enter the number of the UDP port used for incoming IKE packets. The 

value should be in the range of 

1–65535

. The default is 

500

.

UDP encapsulation (NAT-T) port

 – the number of the UDP port used for UDP 

encapsulation. The value should be in the range 

1–65535

. The default is 

4500

.

Client authentication

 – the client authentication method used. The supported 

methods are 

local password

 (default), 

RADIUS

 and 

LDAP

. This field is only 

shown when the 

Type

 is 

User

 or 

Group

.

RADIUS group

 – select the RADIUS group (as previously defined in 

Section 5.5 

Remote Authentication Dial In User Service (RADIUS) 

on page

35

) to use for this 

VPN peer. This field is only shown when the 

Type

 is 

User

 or 

Group

 and the 

Client 

authentication

 selected is 

RADIUS

.

LDAP service 

– select the LDAP service (as previously defined in 

Section 5.6 

Lightweight Directory Access Protocol (LDAP) 

on page

37

) to use for this VPN peer. 

This field is only shown when the 

Type

 is 

User

 or 

Group

 and the 

Client 

authentication

 selected is 

LDAP

Check group membership

 – enable this to check the group membership of a user 

during authentication. This is enabled by default. This field is only shown when the 

Type

 is 

Group

Use of virtual IP address

 – this allows the use of a virtual IP address. The 

supported options are 

Not used 

(default), 

IKE negotiation

 and 

L2TP/PPP

 

adapter

. This field is only shown when the 

Type

 is 

User

 or 

Group

Virtual IP address and mask

 – the virtual IP address and mask of this peer (for 

example 

10.1.1.2/24

). This field is only shown when the 

Type

 is 

User

 and the 

Use of virtual IP address

 is 

IKE negotiation

.

If this checkbox is not enabled, there is no group membership check. This 
means that any user that exists in the database can connect using any 
group (even without membership).

This checkbox must also be enabled to allow different groups to have 
different permissions.

Summary of Contents for HOBLink

Page 1: ...Administration Guide HOBLink VPN Gateway Software version 2 1 Issue November 2014 ...

Page 2: ...ons the content will be removed immediately Liability for links This publication may contain links to external websites over which we have no control Therefore we cannot accept any responsibility for their content The respective provider or operator of the website pages to which there are links is always responsible for the content of the linked pages The linked sites were checked at the time of l...

Page 3: ...mbers are marked in color as follows Section 5 Information and Support File names and text to be entered by the user are printed in Courier New This input is unless otherwise mentioned case sensitive In this documentation HOB specific terminology is abbreviated as follows Other abbreviations commonly used in this documentation are as follows This symbol indicates useful tips that can make your wor...

Page 4: ...4 Security Solutions by HOB Dead Peer Detection DPD User Datagram Protocol UDP Distinguished Name DN Network TUNnel Tap the Virtual Network Device Interface Tun Tap Remote Desktop Protocol RDP ...

Page 5: ...ortlets 20 3 6 Using the HOB Portal 22 4 Configuring the Kanji GUI Tool 25 4 1 Defining Paths for Kanji and XML files 26 4 2 Selecting Kanji and XML Filepaths from the Kanji Configuration 27 5 Configuring HOBLink VPN Gateway 29 5 1 Properties 29 5 2 Auditing 31 5 3 Network 33 5 4 Service 34 5 5 Remote Authentication Dial In User Service RADIUS 35 5 6 Lightweight Directory Access Protocol LDAP 37 5...

Page 6: ...vice service 63 6 5 Configuration Parameters for RADIUS radius 64 6 6 Configuration Parameters for IKE ike 66 6 7 Configuration Parameters for IPsec ipsec 71 6 8 Configuration Parameters for Users user 73 6 9 Configuration Parameters for VPN vpn 74 6 10 Configuration Parameters for L2TP l2tp 80 6 11 Configuration Parameters for LDAP ldap 81 7 Information and Support 83 ...

Page 7: ...e used in the HOB Portal that anyone is able to use to configure VPN connections See Section 3 Administering HOBLink VPN Gateway on page 15 for more information 1 2 Introducing VPN Peers and VPN Rules HOBLink VPN Gateway uses IPsec and IKE security encryption protocols As these do not allow a traditional client server relationship a system of peers is used to avoid this problem In a peer system th...

Page 8: ... combinations AH ESP AH IPCOMP ESP IPCOMP AH ESP IPCOMP to provide data manipulation alerts and replay detection This ensures that the data has not been corrupted IPsec processing takes advantage of multiple CPUs and can process several packets concurrently A special thread managing system optimizes the usage of CPU and RAM resources The Tun Tap interface is used to carry the IP packets from the k...

Page 9: ...dicates to the hobvpn2 process that the configuration has been changed while the VPN is still running The hobvpn2 process then reads the configuration file again and updates its in ternal processes accordingly while it continues running sendsig hobvpn2 this forces the hobvpn2 process to stop running Library Modules Some libraries are needed for a proper connection libgcc_s so 1 libhobxcw3 so libhv...

Page 10: ... in the folder HOBPortal which is found in the HOB folder of the installation A standard TCP IP connection from the Java capable web browser is used to connect to the HOB Portal server please see Section 3 1 HOB Portal on page 15 for more information 1 4 3 Certificate Support Modules Certificates are used to authenticate the machines responsible for communication The modules that contain these cer...

Page 11: ...operations you remove these vpn cdb and vpn pwd files and create your own keystore and password files Use the HOBLink Security Manager to either create your own PKI or just add the available certificates to your own keystore These files can be edited via the HOBLink Security Manager tool which is delivered on CD for extra installation Documentation concerning the HOBLink Security Manager is availa...

Page 12: ...Introducing HOBLink VPN Gateway HOBLink VPN Gateway 12 Security Solutions by HOB ...

Page 13: ...N Gateway 1 Log on to the system as a normal user 2 From the command line run the script startVPN sh located in the HOB folder This starts the hobvpn2 process giving the parameter c vpnconfig xml for the configuration file as a daemon The script startVPN2 GW sh can also be used to start HOBLink VPN Gateway which in turn also starts the HOBPortal server For debugging purposes The process hobvpn2 ac...

Page 14: ...PN Gateway is designed to run on the Linux operating system platform It requires only a standard Linux machine with at least Kernel 2 6 x including the Tun Tap interface HOBLink VPN Gateway supports both 32 and 64 bit systems Software Requirements There are two options available for configuring HOBLink VPN Gateway a web browser a standard or XML editor for editing the configuration file For loggin...

Page 15: ...or the browser connection to HOBLink VPN Gateway over an IP based network This interface provides information about the gateway and allows HOBLink VPN Gateway to be configured The installation folder of HOB Portal is opt HOB HOBPortal by default The HOB Portal server should be started by the script startHOBPortal sh which launches the command bin startup sh To stop the HOB Portal server run the sc...

Page 16: ...er or another user with the authority to manage the portal of HOBLink VPN Gateway Logon to HOBLink VPN Gateway with the root user username and password The following screen is displayed Figure 2 HOBLink VPN Portal Information about the root user s current status and permissions is provided here as well as the quick links Manage Sessions and Manage the portal that are available to you Only an admin...

Page 17: ...s user in the system Password enter the password for confirming the identity of this user Confirm password enter the password again to confirm User authorities select the permissions from this list of permissions available to the user It is possible to select several permissions Enabled check this box to activate this user in the user list Sessions displays the manage sessions page See Section 3 4...

Page 18: ...s In this list of users you select the user from the list Use the Edit and the Remove selected users buttons to manage selected users in the list click Reset to discard any edits and restore any previously entered information to this page click Add user to save any changes and add the new user to the user list use this button to edit the configuration of the selected user this button deletes the s...

Page 19: ...creen Here you manage the sessions in HOBLink VPN Gateway Figure 5 Sessions Sessions that are currently open are displayed in the list Details of the sessions such as username authorities and last request time are shown Sessions can be deleted by selecting the sessions to be removed and then using the Remove selected sessions button to remove them from this list ...

Page 20: ...hree tabs on this interface Portlets Pages and New 3 5 1 Portlets When the Portlets tab is selected the following screen is displayed Figure 6 Manage Portlets Here you see the portlets currently available for use in the pages showing the ID number the context of the application and the name of each portlet 3 5 2 Pages Select the Pages tab to display the following screen where you manage pages Figu...

Page 21: ...t the New tab to display the following screen where you can create new pages Figure 8 Manage New Pages For each new page you need to complete the following fields Name enter a name for the new page Portlets select from the list of existing portlets those that you wish to be included on the new page Once you have finished entering the parameters you have the following options click Add Page to crea...

Page 22: ...see this screen Figure 9 Logon Following the default installation two default users are already configured root password root the administrator user for the HOB Portal vpnadmin password vpnadmin the VPN administrator user for configuration and status information Log in as vpnadmin or root to display the HOB Portal Figure 10 HOB Portal The HOB Portal provides two portlets ...

Page 23: ...g HOBLink VPN Gateway on page 29 for more information VPN Gateway StatusInfo see Section 5 12 VPN Gateway StatusInfo on page 59 for more information HOB Portal it is possible to return to the HOB Portal screen by clicking on this button click this button on the right of the title bar for the following options HOBLink VPN HOBLink VPN displays an information page for HOB Portal authentication and ma...

Page 24: ...Administering HOBLink VPN Gateway HOBLink VPN Gateway 24 Security Solutions by HOB ...

Page 25: ...s displayed Figure 11 HOBLink VPN Gateway Start Screen Locate the Edit command that is in the dropdown menu under View in the right hand corner of the start bar of this screen Figure 12 View Edit Help Menu Selecting this command displays the interface shown here from where you can configure the portal using Kanji Use the View command to return you to the HOBLink VPN Gateway configuration interface...

Page 26: ... the Kanji Filepath screen where you can specify the filepath See Section 4 2 Selecting Kanji and XML Filepaths from the Kanji Configuration on page 27 for more information Selected path this field shows the current path for the Kanji and XML files You can have several paths to have several configuration filepaths The default configuration filepath is opt HOB HOBLinkVPN Kanji file select from the ...

Page 27: ...and XML Filepaths from the Kanji Configuration This link brings up the Kanji filepath screen where you can specify the filepath to be used for the Kanji configuration Figure 15 Kanji Settings Set Filepath Filepath select from the dropdown box the filepath to be used for the Kanji and XML configuration files The options available are the selected paths in the previous section Section 4 1 Defining P...

Page 28: ...Configuring the Kanji GUI Tool HOBLink VPN Gateway 28 Security Solutions by HOB ...

Page 29: ...Gateway are displayed on the following screen Figure 16 HOBLink VPN Gateway Configuration Properties Minimized Display The most important parts of the configuration the VPN Peers and the VPN Rules are set up in Section 5 11 VPN on page 54 The other parts of the configuration contain the information that is needed to fulfill the requirements for setting up VPN Peers and VPN Rules click the Maximize...

Page 30: ...n the current version of the HOBLink Configuration software Type how the machine is currently configured click Save to save the edited entries This command includes automatic validation of the data Make sure to do this regularly or after you are finished editing HOBLink VPN Gateway It is not necessary to save each screen once edits have been made click Save anyway to save even if the data is inval...

Page 31: ...of virtual TUN adapter this setting completes the network configuration of the TUN adapter The default value of 30 bits sets up the smallest possible network of only 4 addresses 5 2 Auditing Logfiles are necessary to record all activity in a system This allows the administrator to monitor the performance of the system as well as identify any faults or errors that may occur Figure 18 Auditing Make ...

Page 32: ...er the name of the machine being used as the syslog server where the log files will be written and stored This is a required field IP address enter the IP address of the machine being used as the syslog server where the log files will be written and stored This is a required field The checkbox Enable syslog needs to be checked to generally enable the logging functionality click New to create a new...

Page 33: ...rk Objects List of Network Objects A list of the network objects that are currently configured for your system is displayed here The buttons below the list have the following functions Use the arrow buttons to manage the order in which the network objects appear in this list The entry fields for the Network Object interface are as follows Name enter the name of the object you are adding to your ne...

Page 34: ...way Roaming enable to allow this object to roam and still maintain a connection to your network This field is only shown if the Type is Gateway List of group members this is the list of network objects that belong to the group This field is only shown if the Type is Group 5 4 Service HOBLink VPN Gateway allows services to be configured for your system These services can be used across the network ...

Page 35: ...s or deactivates the destination port field Destination port enter a specific destination port 5 5 Remote Authentication Dial In User Service RADIUS HOBLink VPN Gateway allows you to configure a single RADIUS server or a group of RADIUS servers for your system RADIUS is a network protocol standard used to manage access authentication and authorization of users in a network This screen allows you t...

Page 36: ...IUS group Option select an option to change the protocol for RADIUS servers of the group The default is None Character setting select the character setting to be used default is UTF 8 Timeout s specify a timeout in seconds for a RADIUS server to respond If a connection is not made within this time then the connection attempt moves to the next server in the group If this next server also does not r...

Page 37: ...r this server If you are not sure of the secret being used click the Show button to display it Comment enter a comment to help you identify or manage this RADIUS server 5 6 Lightweight Directory Access Protocol LDAP LDAP is a standard application protocol used for managing directory information services over a network LDAP provides for the sharing of user system and network information throughout ...

Page 38: ...rvers list and the parameters of the selected server in this list is disabled The buttons below this list have the following functions Use the arrow buttons to manage the order in which the LDAP services appear in this list Name enter the name of the LDAP service you are adding to your network This is a required field click New to create a new entry in the list of LDAP services You will then be pr...

Page 39: ... Base DN enter the Base DN Distinguished Name for the LDAP server Search timeout s the timeout length for a search of the LDAP to be performed in seconds The default is 5 seconds Retry after error s the amount of time in seconds that a connection attempt must wait to be made again after a failed attempt The default is 5 seconds Search result buffer size the maximum amount of data that will be retu...

Page 40: ...lds for the List of LDAP Templates interface are as follows Name enter the name of the LDAP template you are adding to your network User attribute enter the user attribute to be used for this template Group attribute enter the group attribute to be used Member attribute enter the member attribute to be used User prefix enter the user prefix to be used All fields on this screen must be completed in...

Page 41: ...l L2TP interface are as follows Virtual local IP address enter the virtual local IP address of the machine hosting the L2TP protocol This is a required field Receive window size the size of the window that will be receiving the communicated data The default is 4 Keepalive interval the keepalive mechanism is employed by L2TP in order to check whether the IPsec tunnel is still working The default is...

Page 42: ...ersions Here you specify the IKE scheme Version 1 to be used by default which is important in Main mode Figure 26 IKE Select IKE Scheme The entry field for the Internet Key Exchange IKE interface is as follows Default IKEv1scheme select a scheme to be used as the default The selection for Gateway Authentication for the selected scheme should be Pre shared Key because a scheme with certificates is ...

Page 43: ...KEv1 Schemes List of IKEv1 Schemes A list of configured IKEv1 schemes is displayed The buttons below the list have the following functions click New to create a new entry in the list of IKEv1 schemes You will then be prompted to enter a name as an identifier for this new scheme click Clone to clone the selected scheme The clone must be given a new name to avoid future conflicts click Remove to rem...

Page 44: ...left by using the horizontal arrow buttons You can then use the vertical arrow buttons to manage the list of hash functions types that have already been selected Supported functions are SHA1 and MD5 Gateway authentication select the type of gateway authentication methods you wish to use from the list of those available in the list on the left by using the horizontal arrow buttons You can then use ...

Page 45: ... This field is only shown if Enable authentication retries is enabled Detect NAT device s enable to allow the detection of NAT device s This is enabled by default Enable dead peer detection DPD enable to allow the detection of dead or unresponsive peers This is enabled by default Enable DPD logging enable to allow the logging of DPD This is disabled by default DPD inbound data timeout the DPD data...

Page 46: ...ie Hellmann groups that have already been selected The supported groups are MODP768 MODP1024 MODP1536 MODP2048 MODP3072 MODP4096 MODP6144 MODP8192 EC2NGF163 EC2NGF283 EC2NGF409 and EC2NGF571 Encryption select the types of encryption you wish to use from the list of those available in the list on the left by using the horizontal arrow buttons You can then use the vertical arrow buttons to manage th...

Page 47: ...he list of gateway authentication methods that have already been selected Supported methods are RSA DSA and Pre shared key Pre shared key enter the pre shared key Click Hide Show to blend out the value out or to display it if already blended out Certificate name the name of the certificate used when the entry for Gateway authentication includes DSA or RSA signatures If this field is empty the firs...

Page 48: ...value should be in the range of 1 5 the default is 3 This field is only shown if Enable authentication retries is enabled EAP mode EAP Extensible Authentication Protocol mode is used when a client requests EAP authentication The supported modes are None this is the default mode GTC MD5 and MSCHAPv2 Detect NAT device s enable to allow the detection of NAT device s This is enabled by default UDP tim...

Page 49: ...9600 seconds the default is 604800 5 9 Internet Protocol Security IPsec HOBLink VPN Gateway uses the IPsec security protocol to encrypt the communications between the peers in the network How this is done can be configured in the following sections This following screen shows the IPsec scheme that is defined by default for all new connections Figure 30 IPsec The entry field for the Internet Protoc...

Page 50: ...ns below this list have the following functions Use the arrow buttons to manage the order in which the IPsec schemes appear in this list The entry fields for each IPsec scheme are as follows Name enter the name of the scheme you are adding to your network This is a required field click New to create a new entry in the list of IPsec schemes You will then be prompted to enter a name as an identifier...

Page 51: ...e list of those available in the list on the left by using the horizontal arrow buttons You can then use the vertical arrow buttons to manage the list of integrity methods that have already been selected The supported methods are HMAC_SHA1 and HMAC_MD5 This field is only shown when the selected Protocol is ESP or AHESP Compression the compression protocol that is used The supported protocols are N...

Page 52: ...igured users is displayed here The buttons below this list have the following functions Use the arrow buttons to manage the order in which the users appear in this list The entry fields for the User interface are as follows Name enter the name of the user you are adding to your network This is a required field Description enter a description of the user to help identification and management of the...

Page 53: ... The user groups of HOBLink VPN Gateway also need to be configured A list of configured user groups is displayed here The buttons below this list have the following functions Use the arrow buttons to manage the order in which the user groups appear in this list The entry fields for the User Group interface are as follows Name enter the name of the user group you are adding to your network This is ...

Page 54: ...IKE on page 42 IKE port the UDP port number used for the IKE protocol The value should be in the range of 1 65535 The default is 500 UDP encapsulation NAT T Port the UDP port number used for UDP encapsulation The value should be in the range of 1 65535 The default is 4500 RPC port Remote Procedure Call the port number used for remote procedure calls The value should be in the range of 1 65535 The ...

Page 55: ...of the channel to establish the connection The buttons below this list have the following functions Use the arrow buttons to manage the order in which the VPN peers appear in this list The entry fields for the List of VPN Peers interface are as follows Name select from the dropdown box the name of the VPN peer to be added to your VPN network The name has been created previously as the name of a ne...

Page 56: ... and LDAP This field is only shown when the Type is User or Group RADIUS group select the RADIUS group as previously defined in Section 5 5 Remote Authentication Dial In User Service RADIUS on page 35 to use for this VPN peer This field is only shown when the Type is User or Group and the Client authentication selected is RADIUS LDAP service select the LDAP service as previously defined in Section...

Page 57: ... here you set the IP address and subnet mask of the user for example 172 20 22 222 24 This field is only shown when the Type is User or Group and the Virtual IP address is L2TP PPP adapter PPP L2TP IP address pool for a user group the IP address pool of the user group Select from the dropdown box the name of the network object that contains the pool This field is only shown when the Type is User o...

Page 58: ... The initial text shown here of Select destination is used in this field only to indicate that it is necessary to select a valid destination to configure a valid rule Service select the name of an IP service or group of services determining the functionality of the previously specified tunnel see Section 5 4 Service on page 34 The default is Any Bidirectional enable to allow this rule to be valid ...

Page 59: ...ation fields to be seen are as follows CPU Name the name of the CPU being used Manufacturer the manufacturer of the CPU being used Operating System Name the name of the current operating system Version the version number and release date of the current operating system Release the release version of the current operating system Memory Total the total memory of the system Available the current amou...

Page 60: ...p the peer belongs to in this connection and its IP and assigned virtual IP When you select the channel of a peer on the left parameters of the negotiation of the connection like IKE version mode encryption method hash method authentication method and when the connection was created and its duration are displayed on the right When you select a tunnel of a peer on the left you can see the parameter...

Page 61: ...ry list entry is grouped in the node syslog server entry This list contains the parameters that can be entered for Syslog server Parameters XML Name Description Version version The default value 2 0 0 3 should not be changed Type type Currently GATEWAY is the only supported value Configuration file configfile Currently only LOCAL is supported Number of CPUs cpus The default value is 0 automatic de...

Page 62: ...e Description Name name Every network object needs to have a unique name Description description This may be edited as desired Type type The types supported are GATEWAY this is the default value SUBNET WORKSTATION GROUP Network network This is the only valid for type SUBNET This is the IP address and subnet mask syntax 172 22 0 0 16 IP Address ineta This is only valid for types GATEWAY with Roamin...

Page 63: ...st Parameters XML Name Description Name name This is the unique name of the service Description description This may be edited as desired Type type The following types are supported Generic protocol PROTOCOL any IP protocol number specified in the parameter Protocol Number protocol number TCP Port TCP_PORT any TCP session UDP Port UDP_PORT any UDP session Group GROUP a group of other services that...

Page 64: ...TCP Port and UDP Port Check if a destination port has been specified YES NO default is NO Destination Port Number port This is only valid for types TCP Port and UDP Port It is a specified destination port number and is valid if any port NO The value should be in the range 1 65535 Protocol Number protocol number This is only valid for type PROTOCOL enter a decimal IP protocol number Parameters XML ...

Page 65: ...use the next server in the group Comment comment This may be edited as desired Parameters XML Name Description Name name This is the unique name of the RADIUS server IP address radius ineta This is the IP address of the RADIUS server Port Number UDP port This is the RADIUS port number of that server The value should be in the range 1 65535 Shared Secret shared secret plain This is the shared secre...

Page 66: ...ription description This may be edited as desired IKE Mode mode Two options are possible the supported modes are MAIN and AGGRESSIVE Special Authentication Mode authentication mode The supported modes are NONE HYBRID and XAUTH Initiator Identification Type initiator id type The supported types are IP Address INETA Fully Qualified Distinguished Name FQDN Fully Qualified Username USER_FQDN Encryptio...

Page 67: ...mandatory only if authentication includes PRESHAREDKEY and preshared key encrypted is not specified Pre shared Key encrypted preshared key encrypted This is the pre shared key string encrypted This value encoded with Base 64 takes precedence over preshared key Name of certificate certificate name This is the name of certificate used when the list of authentication includes DSA or RSA If this field...

Page 68: ... timeout DPD timeout This is only valid if DPD is enabled This is the DPD wait timeout in seconds The value should be in the range 1 600 and 10 is the value by default DPD retries DPD retries This is only valid if DPD is enabled This is the number of DPD retries permitted The value should be in the range 0 20 and 2 is the value by default Parameters XML Name Description Diffie Hellman Group diffie...

Page 69: ...This is the pre shared key string It is mandatory only if authentication includes PRESHAREDKEY and preshared key encrypted is not specified Pre shared Key encrypted preshared key encrypted This is the pre shared key string encrypted This value encoded with Base 64 takes precedence over preshared key Name of certificate certificate name This is the name of the certificate used when the list of auth...

Page 70: ... permitted The value should be in the range 0 20 and 2 is the value by default Enable Dead Peer Detection DPD This is used to enable the Dead Peer Detection YES NO The value by default is YES Enable DPD logging DPD logging This is only valid if DPD is enabled This is used to enable the logging of DPD YES NO The value by default is NO Inbound data timeout s for DPD DPD timer This is only valid if D...

Page 71: ...on description This may be edited as desired Protocol protocol This is the type of IPsec protocol used The supported protocols are NONE ESP AH AHESP The option NONE can only be specified if compression is not NONE The option AHESP is not supported for IKEv2 Mode mode This is the operation mode used The supported modes are TUNNEL TRANSPORT The value by default is TUNNEL The value TRANSPORT is only ...

Page 72: ...llman group This is only valid if PFS is enabled The supported groups are MODP768 MODP1024 MODP1536 MODP2048 MODP3072 MODP4096 MODP6144 MODP8192 EC2NGF163 EC2NGF282 EC2NGF409 EC2NGF571 IPsec SA Lifetime s sa lifetime The SA lifetime in seconds The value should be in the range 120 604800 and 28800 is the value by default Enable IPsec SA volume enable volume Check if the SA lifetime in Kilobytes has...

Page 73: ...eepalive retransmissions The value by default is 0 This is only valid if use udp encapsulation is ALWAYS or ON_NAT_DETECTED Parameters XML Name Description Name name This is the name of the user Description description This may be edited as desired Password password The password used for direct password authentication Password encrypted password encrypted The encrypted password for the direct pass...

Page 74: ...heme entry initiator id type or ike ike2 scheme list ike2 scheme entry initiator id type is FQDN or USER_FQDN IKE Port Number ike port The UDP port number used for the IKE protocol The value should be in the range 1 65535 The value by default is 500 UDP Encapsulation Port udpenc port The UDP port number used for UDP encapsulation The value should be in the range 1 65535 The value by default is 450...

Page 75: ...y default is YES Name name This is the name of the peer The name is the same as that of an existing user user group or network object These users user groups or network objects must be already specified in the list of users user user list user entry name users groups user usergroup list usergroup entry name or network objects network networkobject list networkobject entry name Description descript...

Page 76: ...c port The UDP port number used for UDP encapsulation The value should be in the range 1 65535 and 4500 is the value by default Client authentication client authentication This is only valid for types USER and GROUP This is the client authentication method used The supported methods are PASSWORD RADIUS LDAP The value by default is PASSWORD LDAP service LDAP service This is only valid for client au...

Page 77: ...bership of a user during the authentication phase If the value is NO the group membership is not checked and any user already existing in the data base can connect using any group even without group membership To have different permissions to different groups assign the value YES The value by default is YES Use of Virtual IP Address virtual ineta type This is only valid for types USER and GROUP Th...

Page 78: ... type IKE and PPP_L2TP This is the IP address of secondary DNS server Primary WINS wins1 This is only valid for virtual ineta type IKE and PPP_L2TP This is the IP address of primary WINS server Secondary WINS wins2 This is only valid for virtual ineta type IKE and PPP_L2TP This is the IP address of secondary WINS server PPP L2TP IP address of the user group ppp ineta pool This is only valid for ty...

Page 79: ...nation destination This is the destination of an IP packet or peer name Introduce the name of a network object of type SUBNET WORKSTATION or GROUP or a user name or a user group name It is necessary to select a valid destination to configure a valid rule Service service This is the name of the IP service name of a service entry specified previously service service list service entry name The value...

Page 80: ...to assure a level of QoS Quality of Service for some services if there are several types of packets in a network The value should be in the range from 1 highest to 5 lowest The default priority is 1 Parameters XML Name Description Local virtual IP Address virtual ineta local This is the IP address of the local L2TP endpoint Receive window size receive window size The value should be in the range 1...

Page 81: ...umber of that server The value should be in the range 1 65535 Waiting time for connection wait connect The value should be in the range 1 65535 and 5 is the value by default Search nested groups search nested groups level The level should be in the range 1 65535 and 1 is the value by default Global directory global directory This is used to enable global directory YES NO The value by default is NO...

Page 82: ... LDAP template LDAP template This is the LDAP template used in this service The templates should be specified previously ldap LDAP template name because they are used in this field Parameters XML Name Description Editable editable This is used to allow modify the template YES NO Name name The name of the LDAP template User attribute user attribute The name of the user attribute Group attribute gro...

Page 83: ...hobsoft com Web www hobsoft com Technical Support Phone 1 866 914 9970 Fax 49 9103 715 3299 E mail info hobsoft com Germany General Enquiries Phone 49 9103 715 0 Fax 49 9103 715 3271 E mail marketing hob de Web www hob de Technical Support Phone 49 9103 715 3161 Fax 49 9103 715 3299 E mail support hob de Other Countries General Enquiries Phone 49 9103 715 3103 Fax 49 9103 715 3299 E mail support h...

Reviews:

No comments

Brands by name

Popular brands

Load more brands