background image

                  Billion BiGuard VPN Client 

 

Chapter 4: VPN Configuration

 

31

 

Configuration Tools 

 

Command line tools 

Those tools are available as command line type and are meant to be used by IT managers to 
change the IPSec VPN Client behavior to their needs. 
1.  Stopping IPSec VPN Client 
2.  Import VPN Configuration 
3.  IPSec VPN Client Startup mode 
4.  Hiding IPSec VPN Client configuration user interface 
 

Stopping VPN Client: option “/stop” 

BiGuard VPN Client can be stopped at any time by the command line: 

[path]\vpnconf.exe /stop 

" where [path] is the client installation directory. 

 
If there are several active tunnels, they will close properly. 
 
This feature can be used, for example, in a script that launch the VPN Client after establishing a 
dialup connection and exit it just before the disconnection. 
 

Import VPN Configuration: option “/import” and “/importance” 

BiGuard VPN Client can import a specific configuration file by the command line: 

[path]\vpnconf.exe /import:[file.tgb] 

" where [path] is the client installation directory, and 

[file.tgb] is the VPN Configuration file. 
 

/import:

 " may be used either if the VPN Client is running or not. When the VPN Client is 

already running, it imports dynamically the new configuration and automatically applies it (i-e: 
restarts the IKE service). If the VPN Client is not running, it is launched with the new 
configuration. 
 

/importonce:

 " allows to import a VPN configuration file without running the VPN Client. This 

command is especially useful in installation scripts: it allows to run a silent installation and to 
import a configuration automatically. 

 

VPN Client Startup mode: VPNSTART 

VpnStart.exe

 is a configuration tool that sets up the client startup mode. 

 
BiGuard VPN Client can start with 3 different modes:   
1.  During PC boot: this mode can be used for secure remote action. 
2.  At Windows login ("login" mode). 
3.  Launched by user or from a script ("manual" mode). 
 

BiGuard VPN Client 3.0 and later version includes this feature into the VPN Client itself. 

 

 

Hiding VPN Client configuration user interface: VPNHIDE 

VpnHide.exe

 is a configuration tool that hides BiGuard VPN Client interface. It can be used by 

IT managers for preventing end-user from modifying configuration settings. 
 
In "invisible" mode, the window interface is never shown. 
 
 

Содержание English CO1

Страница 1: ...Version Release 3 0 BiGuard C01 BiGuard VPN Client Secure access to Company Network User s Manual ...

Страница 2: ...UT 11 HIDDEN INTERFACE 12 WIZARDS 12 PREFERENCES 12 VPN Client start mode 12 Miscellaneous 13 CHAPTER 4 VPN CONFIGURATION 14 CONFIGURATION WIZARD 14 Four easy step Wizard 14 Step 1 of 4 15 Step 2 of 4 15 Step 3 of 4 16 Step 4 of 4 16 VPN TUNNEL CONFIGURATION 17 How to create a VPN Tunnel 17 Multiple Authentication or IPSec Configuration Phase 17 Advanced Features 18 AUTHENTICATION OR PHASE 1 18 Wh...

Страница 3: ...tup mode VPNSTART 31 Hiding VPN Client configuration user interface VPNHIDE 31 CONSOLE AND LOGS 32 Console Windows 32 CHAPTER 5 TROUBLESHOOTING 34 INTRODUCTION 34 TOOLS IN CASE OF TROUBLE 34 A good network analyzer ethereal 34 VPN IPSEC TROUBLESHOOTING 34 PAYLOAD MALFORMED error wrong Phase 1 SA 34 INVALID COOKIE error 34 no keystate error 35 received remote ID other than expected error 35 NO PROP...

Страница 4: ...ttings Features Windows supported versions Win95 Win98 Me NT Win2000 WinXP Tunneling Protocol Full IKE support The IKE implementation is based on the OpenBSD 3 1 implementation ISAKMPD thus providing best compatibility with existing IPSec routers and gateways Full IPSec support Main mode and Aggressive mode MD5 and SHA hash algorithms NAT Traversal NAT Traversal Draft 1 enhanced Draft 2 and 3 full...

Страница 5: ...er 1 Introduction 2 Invisible User Interface Silent install and invisible graphical interface allow IT managers to deploy solutions while preventing user to misuse configurations Configuration building User Interface and Command Line ...

Страница 6: ...o continue software evaluation Evaluation period is displayed into the yellow bar above Activate allows you to activate the software online This requires a License Number When clicking on Activate button an Activation Wizard pops up Buy allows you to find the purchase contact window a license in Billion s Website Shortcuts After software installation BiGuard VPN window can be launched 1 From user ...

Страница 7: ...es Evaluation button is no longer available and the software is disabled Activation Wizard Two easy step Wizard The Activation Wizard is a two steps Wizard that allows users to activate the software online Activation requires a License Number Enter your License Number email address and click Next as shown below Email address will be used to send back an activation confirmation to the user The Acti...

Страница 8: ...elow Email address will be used to send back an activation confirmation email to the user once activation has been successfully performed From VPN Client release 3 0 and later the License Number format is a 24 digit number i e 4 times 6 digits Older License Number format is a 20 digit number You can select the right format by clicking on Format on the right end side next to the License Number fiel...

Страница 9: ...software activation server as shown below you shall click on the help button available in the window to get more online explainations and recommandations on how to proceed next Error codes Error messages Error explanations Error 001 License not found License number doesn t exist in the activation server database There must be an error in entering the license number Also some old licenses are 20 di...

Страница 10: ...ivate code for this license at the moment of activation Error 052 Impossible to complete activation process Activation server can not generate activate code for this license at the moment of activation Error 053 Cannot connect activation server The activation server can t be contacted Reasons can be broken Internet connection activation server down firewall and security policies Error 054 Cannot c...

Страница 11: ...importing the VPN configurations together with security elements e g Preshared key The user interface is made of several elements 1 System Tray Icon 2 Main window 3 Main menus 4 Status bar 5 Wizards 6 Preferences System Tray The VPN Client user interface cab be launched via a double click on application icon Desktop or Windows Start menu by single click on application icon in system tray Once laun...

Страница 12: ...reopen all the VPN tunnels Console shows log window Connections opens the list of already established VPN tunnels You can configure tunnels to open up automatically when the software starts List of configured tunnels with current status Tunnels can be opened or closed from this menu as well Tooltips over VPN Client icon shows the connection status of the VPN tunnel 1 Tunnel tunnelname when one or ...

Страница 13: ...enus There are several menus as followed File used to Import or Export a configuration It is also used to choose the location of the VPN Configuration local or USB It is finally used to configure miscellaneous preferences such as the way the VPN Client may start e g before or after logon VPN Configuration contains all actions from tree control right click menu it also gives access to the Configura...

Страница 14: ...nding on the presence of a valid VPN USB stick The central box gives some information about VPN Client Software status e g opening tunnel in progress saving configuration rules in progress VPN client start up in progress The light box right side gives some information about tunnels e g Green light means at least one tunnel is open Gray light means no tunnel open Windows About The About window prov...

Страница 15: ...con by selecting Start menu Right click over the icon in taskbar is limited to Console access quitting the software and opening closing the configured tunnels Wizards There are two Wizards available VPN Configuration Wizard can be launched from Menu VPN Configuration Config Wizard Software Activation Wizard can be launched from Menu Activation Wizard Preferences Preferences window allows you to de...

Страница 16: ...e after MS Windows logon Don t start VPN Client when I start MS Windows VPN Client is launched by user or from a script manual mode Miscellaneous Disable detection of interface disconnection allows the VPN Client maintain tunnels opened while the network interface disconnects momentarely but very often This type of behavior occurs when the interface used to open tunnels is unstable such as WiFi GP...

Страница 17: ... computers that need to get connected to a corporate LAN through a VPN gateway Let take the following example The remote computer has a dynamically provided public IP address It tries to connect the Corporate LAN behind a VPN gateway that has a DNS address gateway mydomain com The Corporate LAN address is 192 168 1 xxx e g the remote computer want to reach a server with the IP address 192 168 1 10...

Страница 18: ...rk side address of the remote gateway Address In IP or Domain name e g specify gateway mydomain com The Preshared key you will use for this tunnel this Preshared key must be the same in the gateway Step 2 of 4 You must specify the following information The IP address of your remote gateway LAN Network address e g specify 192 168 1 0 ...

Страница 19: ...ll be used to identify the client in the VPN connection e g specify 192 100 205 101 Step 4 of 4 The fourth step summaries your new VPN configuration Other parameters may be further configured directly via the main interface e g virtual IP address etc Be sure that each client must use different VPN Client IP Address Warning ...

Страница 20: ...ure IPSec Phase Phase 2 5 Once the parameters are set click on Save Apply to take into account the new configuration That way the IKE service will run with the new parameters 6 Click on Open Tunnel for establishing the IPSec VPN tunnel only in IPSec Configuration window Please refer to Phase 1 and Phase 2 for settings descriptions Multiple Authentication or IPSec Configuration Phase Several Authen...

Страница 21: ...th pop up option Those defined in Phase 2 only apply to the associated Phase 2 Automatic Open Mode Choose Script Application to be launched when tunnel opens Manual settings of DNS WINS server addresses Authentication or Phase 1 What is Phase 1 Authentication or Phase 1 window will concern settings for Authentication Phase or Phase 1 It is also called IKE Negotiation Phase Phase 1 s purpose is to ...

Страница 22: ...ress or DNS address of the remote router in our example gateway mydomain com This field is mandatory Pre shared key Password or key shared with the remote gateway Certificate Please see the Appendix A X509 certificate used by the VPN client Please see the Certificate Management of this on line manual for detailed instructions and please see the Appendix A the Compatible table of Billion VPN enable...

Страница 23: ...blic key cryptography protocol that allows two parties to establish a shared secret over an unsecured communication channel i e over the Internet There are three modes MODP 768 bit MODP 1024 bit and MODP 1536 bit MODP stands for Modular Exponentiation Groups For more advanced settings click on P1 Advanced Phase 1 Advanced configuration For Advanced features and parameters click on P1 Advanced butt...

Страница 24: ...th the redundant gateway The exact same behaviour will apply to the redundant gateway This means that the VPN Client will try to open primary and redundant gateway until the user exits software or click on Save Apply X Auth Define the login and password of an X Auth IPSec negotiation If X Auth popup is selected a popup window asking for a login and a password will appear each time an authenticatio...

Страница 25: ...ng IPSec Negotiation It is possible to change this name at any time and read it in the tree list window Two Phases cannot have the same name VPN Client address Virtual IP address used by the client inside the remote LAN The computer will appear in the LAN with this IP address It is important this IP address not to belong to the remote LAN e g in the example you should avoid an IP address like 192 ...

Страница 26: ... a message into a unique set of bits It is widely used MD5 Message Digest and SHA Secure Hash Algorithm algorithms SHA is more resistant to brute force attacks than MD5 however it is slower z MD5 A one way hashing algorithm that produces a 128 bit hash z SHA A one way hashing algorithm that produces a 160 bit hash ESP mode IPSec encapsulation mode tunnel PFS group Diffie Hellman key length It is a...

Страница 27: ...ode Auto open this tunnel when the VPN Client detect traffic towards remote LAN Open script A specific script or application e g Outlook CRM apps can be launched when this tunnel opens Script or application can be selected by browsing using button Alternate servers DNS and WINS server IP addresses of the remote LAN can be entered here to help users to resolve intranet addressing The DNS or WINS ad...

Страница 28: ...ing IKE Minimal Lifetime sec Minimal lifetime for IKE rekeying IKE Maximal lifetime sec Maximal lifetime for IKE rekeying IPSec Default Lifetime sec Default lifetime for IPSec rekeying IPSec Minimal Lifetime sec Minimal lifetime for IPSec rekeying IPSec Maximal lifetime sec Maximal lifetime for IPSec rekeying Dead Peer Detection DPD Check interval sec Interval between DPD messages Max number of re...

Страница 29: ... IPSec VPN Client is using DPD to delete opened SA in the VPN Client when peer has been detected dead to re start IKE negotiations with the Redundant Gateway if activated in the Phase1 Advanced VPN configuration panel Once the parameters are set click on Save Apply to save and to take into account the new configuration VPN Tunnel View How to view opened tunnels Select to see the screen shows VPN t...

Страница 30: ...Once done and the USB mode is set On you just need to insert the USB Stick to automatically open tunnels And you just need to unplug the USB Stick to automatically close all established tunnels How to set USB Mode on 1 Select menu File Configuration Mode 2 Select USB Stick At this stage if an USB Stick containing a VPN configuration with VPN security elements is already plugged in the associated d...

Страница 31: ...onto the USB Stick the VPN client will copy the security information onto the USB Stick and leave a copy in the computer This used by IT managers to enable multiple USB Sticks for multiple users in no time Moving the configuration onto the USB Stick the IPSec VPN client will copy the security information onto the USB Stick and remove all security information from the computer This method is used t...

Страница 32: ...ertificate The private key must not be encrypted X509 certificates are used during Phase 1 How to configure IPSec VPN Client with Certificates 1 Select radio button Certificate in the Authentication window and click on Certificates Mgt 2 Click on Browse and select the appropriate files 1 Root certificate is copied into directory install_path ca 2 User certificate is copied into directory install_p...

Страница 33: ...tion and deliver it to other users 1 Importing a configuration select File Import VPN Configuration 2 Exporting a configuration select File Export VPN Configuration All configuration files will have a tgb extension You can open and modify an exported configuration file extension tgb with any word processing e g Notepad and re import it again This is other way for IT managers to customize VPN confi...

Страница 34: ... the VPN Configuration file import may be used either if the VPN Client is running or not When the VPN Client is already running it imports dynamically the new configuration and automatically applies it i e restarts the IKE service If the VPN Client is not running it is launched with the new configuration importonce allows to import a VPN configuration file without running the VPN Client This comm...

Страница 35: ...ext menu of the systray icon or from Console button in the configuration user interface This window can be used to analyze VPN tunnels This tool is particularly useful for IT managers in setting up their network Save Save logs in a file Stop Stop saving logs in a file Clear Clear console window content Options Set level of log filtering ...

Страница 36: ...nd dump for crypto material exchanged Timr Timer log level about timers Sdep Sysdep log level about IKE interface from to IPSec SA SA log level for SA managment Exch Exchange log level about IKE exchanges very useful Nego Negotiation log level about phase 1 and phase 2 negotiations Plcy Policy not used All All Apply the same log level to all subsystems Most of the time log level set to 0 is largel...

Страница 37: ...ooting PAYLOAD MALFORMED error wrong Phase 1 SA 114915 Default sysdep_app_open Init Connection for Cnx Cnx P2 Cnx remote addr 114915 Default sysdep_app_open IPV4_SUBNET Network 192 168 1 1 114915 Default sysdep_app_open IPV4_SUBNET Netmask 255 255 255 0 114920 Default SA Cnx P1 SEND phase 1 Main Mode SA VID 114920 Default SA Cnx P1 RECV phase 1 Main Mode NOTIFY 114920 Default exchange_run exchange...

Страница 38: ...RECV phase 1 Main Mode 120351 Default SA Cnx P1 SEND phase 1 Main Mode 120351 Default SA Cnx P1 RECV phase 1 Main Mode KEY NONCE KEY NONCE ID HASH NOTIFY ID HASH NOTIFY 120351 Default ike_phase_1_recv_ID received remote ID other than expected The Remote ID value see Advanced Button does not match what the remote endpoint is expected NO PROPOSAL CHOSEN error 115905 Default sysdep_app_open Init Conn...

Страница 39: ... SA KEY ID HASH NONCE 122626 Default RECV Informational HASH NOTIFY with INVALID_ID_INFORMATION error 122626 Default RECV Informational HASH DEL 122626 Default Cnx P1 deleted If you have an INVALID ID INFORMATION error check if Phase 2 ID local address and network address is correct and match what is expected by the remote endpoint Check also ID type Subnet address and Single address If network ma...

Страница 40: ...are a few guidelines 1 Check Phase 2 settings VPN Client address and Remote LAN address Usually VPN Client IP address should not belong to the remote LAN subnet 2 Once VPN tunnel is up packets are sent with ESP protocol This protocol can be blocked by firewall Check that every device between the client and the VPN server does accept ESP 3 Check your VPN server logs Packets can be dropped by one of...

Страница 41: ...rithms MD5 v v v v SHA1 v v v v Encryption DES v v v v 3DES v v v v AES 128 v v v v AES 192 v v v v AES 256 v v v v Diffie Hellman Group Support Group1 MODP 768 v v v v Group2 MODP 1024 v v v v Group5 MODP 1536 v v v v Authentication Mechanism Preshared key v v v v X509 Certificate support PEM x x x x X Auth x x x x Key Management ISAKMP RFC2408 v v v v IKE RFC2409 v v v v IPSec Mode ESP v v v v T...

Страница 42: ...t Support and Contact Information Most problems can be solved by referring to the Troubleshooting section in the User s Manual If you cannot resolve the problem with the Troubleshooting chapter please contact the dealer where you purchased this product Contact Billion WORLDWIDE http www billion com ...

Отзывы: