Configuring the QVPN Clients

Access Point QVPN implements Virtual Private Network (VPN) tunnels within a highly scalable, layered architecture. QVPN tunnels are created with standard IPSec security protocols to provide the desired combination of encryption, authentication, and secure transport of data at the IP layer.

Access Point QVPN implements the Internet Key Exchange (IKE) framework (also referred to as ISAKMP/Oakley), allowing automatic negotiation of security associations (SAs) and automated generation and refresh of cryptographic keys. IKE uses preshared keys and digital certificates, provided by the administrator, to authenticate tunnel connections between gateways and clients.

To use the client connection features on VPNs with Access Point QVPN systems, you must configure both the Access Point system (AP) and the client. For IKE negotiation, the following attributes must match on both the client and AP sides:

• Encryption algorithm
• Hash algorithm
• Diffie-Hellman group
• Perfect Forward Secrecy (PFS)

On the AP side, these attributes are set in the security profile. On the client side, these attributes are set using the procedure for your specific client — the IPSec Client (for Windows 95, 98, or NT users) or the Windows 2000 VPN Client.

This document explains how to set up secure VPNs across public networks with these clients. For information about configuring the clients on the AP, refer to the Access Point Configuration Guide (Configuring IPSec Client Tunnels section).

Setting Up Lucent IPSec Clients

The Lucent V3.0.5 IPSec Client software is for Windows 95, 98, 2000, and NT users who want to have secure IP-only network access. If you want to support multiprotocol access (including PPP over L2TP), use the Windows 2000 VPN Client.

NOTE If you already have the IRE client installed, you must uninstall it before installing the Lucent IPSec Client because they cannot coexist on the same system.

Installing the Lucent IPSec Client Software

To install the Lucent IPSec Client software:

1 Verify that the IRE client is not installed on your system. You must uninstall it before installing the Lucent IPSec Client. To uninstall the IRE client:
  • Select Start > Settings > Control Panel > Add/Remove Programs.
  • Select SafeNet/Soft-PK and click the Add/Remove... button.
  • Reboot.
2 Log in to your PC with Administrator privileges.
3 Obtain the Lucent IPSec Client software.
4 Double-click the self-extracting executable file to install the client software. Follow the InstallShield prompts to specify your installation directory, accepting all the defaults.
5 In the Installation Complete window, click the Finish button to reboot. You must restart your computer before you can use the Lucent IPSec Client.

Configuring the Lucent IPSec Client

To configure the Lucent IPSec Client:

1 Start the Lucent client by selecting Start > Secure VPN Access Control Center.
2 Select Secure Connection > Enable New to bring up the Enable Secure Connection window shown here.
  For the Tunnel Name, enter a name that you want to associate with the tunnel (for example, Xedia).
  For the Primary Tunnel End Point, enter the primary tunnel endpoint address provided by your tunnel administrator. This address must be the router’s official IP address.
  For the Identity, enter your username (depending on your configuration). It can be defined on the AP or on a RADIUS server.
  In the password field, enter the password for the specified user.
  For the Group Key, enter the preshared key provided by your tunnel administrator (for example, PreSharedKey1).
  Do not check the Save Password or Digital Certificate check boxes.
  Click the Enable button.
3 Double-click the appropriate tunnel name. Enter the password in the Enable Secure Connection window. Click Enable, and you should be all set.

The Lucent Client UserGuide.pdf file is available in the Lucent IPSec Client installation directory. If you accepted the defaults, this file should be under the Program Files\Lucent Technologies\Lucent IPSec Client folder.

Configuring the AP to Support the Lucent IPSec Client

To use the Lucent IPSec Client to communicate through a tunnel terminating on an AP, do the following:

1 Configure the AP to support tunnel users and provide RADIUS authentication.
2 Configure the RADIUS server to perform user authentication and provide the client configuration information.

The following sections provide additional details about these configuration tasks.

Configuring the AP

To configure the AP to communicate with the Lucent IPSec Client, do the following:

1 Configure the AP to use RADIUS authentication.
2 Configure client groups.
3 Configure the RADIUS client.

Configuring the AP to Use RADIUS Authentication

To configure the AP to use RADIUS to authenticate users who do not have an entry in the user table, enter the following command:

> add services authentication user.(default) authentication-method radiusAuthentication

Note that you can also specify that RADIUS authenticates a particular user:

> add services authentication user.joe authentication-method radiusAuthentication

Configuring the RADIUS Client

Configure the AP’s RADIUS client to communicate with the RADIUS server that will authenticate users:

> add services radius-client servers authentication server.6 ip-address 1.2.3.4 \
    shared-key xxxx udp-port 1812

Note that the address and shared key values vary, depending upon your network environment. The UDP port is typically 1812 or 1645. If your server does not support vendor encoding, you must specify the vendor offset.

Refer to “Configuring RADIUS Authentication” in the “Advanced Configuration” chapter of the Access Point Configuration Guide for additional information on configuring the AP’s RADIUS client to communicate with a RADIUS server.

Configuring Client Groups

Next, configure the client groups that Lucent IPSec Client users will need.

For Windows 98, configure users to be part of the “static” tunnel client group configuration, so that static addresses are assigned to the tunnel.

> add ipsec.1 tunnel.static client-address-assign disabled security-profile default-client

For Windows NT, configure users for either static addressing or an address pool. This example uses an address pool.

> add ipsec.1 tunnel.dynamic client-address-assign internalPool remote-address 10.20.40.0 remote-mask 255.255.255.0 security-profile default-client

Refer to the “Configuring QVPN Tunnels” section of the Access Point Configuration Guide, for additional information on configuring IPSec tunnels.

Configuring the RADIUS Server

A RADIUS server must be present in your network to perform user authentication. After authenticating the user, RADIUS returns the attributes of the client group to which the user belongs. To support the client configuration, you’ll need to add additional attributes to your RADIUS dictionary. For example:

#
# Xedia Vendor Specific
#
ATTRIBUTE Xedia-DNS-Server
ATTRIBUTE Xedia-NetBios-Server
ATTRIBUTE Xedia-Address-Pool
ATTRIBUTE Xedia-Echo-Interval
ATTRIBUTE Xedia-Client-Access-Network

After the appropriate attributes have been added to the RADIUS server, you’ll need to create user entries. The following is an example of a Windows 98 RADIUS entry:

user    Password = "hello"
        Xedia-DNS-Server = 198.202.232.207,
        Xedia-NetBios-Server = 198.202.232.64,
        Tunnel-Private-Group-ID = "static",
        Framed-IP-Address = 255.255.255.255,
        Xedia-Client-Access-Network = "208.218.164.0/24",
        Xedia-Client-Access-Network = "198.202.232.0/24"

Note that the framed IP address attribute assigns static addresses to the tunnel. Refer to “Configuring RADIUS Authentication” in the “Advanced Configuration” chapter of the Access Point Configuration Guide for additional information on configuring RADIUS servers to provide authentication services for APs.
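A mismatch between a RADIUS user entry and the client groups configured on the AP is a common reason a tunnel user authenticates but gets no usable configuration. The following Python check, added here as an example and not part of this document or the Access Point product, parses a users-file record like the one above and verifies that the Tunnel-Private-Group-ID names a configured client group, that a static group carries the Framed-IP-Address it depends on, and that the address-valued attributes parse. The users-file layout and the AP_CLIENT_GROUPS table mirroring the tunnel.static and tunnel.dynamic groups are assumptions.

```python
import ipaddress

# Constructed sample: the document's Windows 98 RADIUS entry laid out as a users-file record.
SAMPLE_ENTRY = '''\
user    Password = "hello"
        Xedia-DNS-Server = 198.202.232.207,
        Xedia-NetBios-Server = 198.202.232.64,
        Tunnel-Private-Group-ID = "static",
        Framed-IP-Address = 255.255.255.255,
        Xedia-Client-Access-Network = "208.218.164.0/24",
        Xedia-Client-Access-Network = "198.202.232.0/24"
'''

# Assumed mirror of the AP's client groups ('add ipsec.1 tunnel.<group>' commands above):
AP_CLIENT_GROUPS = {"static": "disabled", "dynamic": "internalPool"}
IPV4_ATTRS = ("Xedia-DNS-Server", "Xedia-NetBios-Server", "Framed-IP-Address")


def split_items(text):
    """Split 'Name = value, Name = "value"' into a list of (name, value) pairs."""
    items = []
    for piece in text.split(","):
        name, sep, value = piece.partition("=")
        if sep:
            items.append((name.strip(), value.strip().strip('"')))
    return items


def parse_users_entry(entry):
    """Return (username, check_items, reply_items) for one users-file record."""
    lines = [ln for ln in entry.splitlines() if ln.strip()]
    user, _, checks = lines[0].strip().partition(" ")
    return user, split_items(checks), split_items(" ".join(lines[1:]))


def check_entry(entry, groups=AP_CLIENT_GROUPS):
    """Report inconsistencies between a RADIUS entry and the AP's client groups."""
    user, _checks, replies = parse_users_entry(entry)
    problems = []
    # The group must exist on the AP; a static group relies on Framed-IP-Address.
    group = dict(replies).get("Tunnel-Private-Group-ID")
    if group not in groups:
        problems.append(f"{user}: unknown client group {group!r}")
    elif groups[group] == "disabled" and "Framed-IP-Address" not in dict(replies):
        problems.append(f"{user}: static group {group!r} needs Framed-IP-Address")
    for name, value in replies:  # address-valued attributes must parse
        kind = ipaddress.IPv4Address if name in IPV4_ATTRS else ipaddress.IPv4Network
        if name in IPV4_ATTRS or name == "Xedia-Client-Access-Network":
            try:
                kind(value)
            except ValueError:
                problems.append(f"{user}: {name} has malformed value {value!r}")
    return problems
```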

Setting Up Windows 2000 VPN Clients

Windows 2000 users should use the Windows 2000 VPN Client (PPP/L2TP/IPSec) for secure network access.

The MS VPN client requires a PKI certificate, issued by our local certificate authority. You can get this certificate by submitting a request as described in the “Requesting a Certificate” section.

NOTE You must use the Microsoft Internet Explorer browser or you will not be able to request the certificate.

An administrator must actually grant your request, so it might be a business day before you receive your certificate. Once you have a certificate, proceed with the configuration.

Requesting a Certificate

To request a certificate:

1 Using Microsoft Internet Explorer, go to your certificate request site to bring up the Microsoft Certificate Services window shown here.

NOTE You must use the Microsoft Internet Explorer browser or you will not be able to request the certificate as described in this section.

2 From the Select a task list, choose the Request a certificate radio button and click Next to bring up the Choose Request Type screen.

3 Select the Advanced Request radio button and click Next to bring up the Advanced Certificate Requests screen shown here.

4 Select the Submit a certificate request to this CA using a form radio button and click Next to bring up the Advanced Certificate Requests screen shown here.

5 Enter your information in the Identifying Information section. Select IPSec Certificate from the Intended Purpose drop-down list. Check the Use local machine store box in the Key Options section.
6 Click Submit.

You have now submitted your request. You can check on its status at the same Web site by selecting the Check on a Pending Certificate radio button and clicking Next.

Configuring the Windows 2000 Client

To configure the Windows 2000 client, use the New Connection Wizard to perform these steps:

1 Select Start > Settings > Network and Dial-Up Connections > Make New Connection to bring up the Network Connection Wizard and click Next.
2 In the Network Connection Type dialog box, select the Connect to a private network through the Internet radio button and click Next.
3 In the Public Network dialog box, select the option that matches your setup and then click Next. If your Internet connection is via a LAN, select the Do not dial the initial connection radio button. If you dial up to reach an ISP, select the Automatically dial this initial connection radio button and select the appropriate connection from the drop-down list.
4 In the Destination Address dialog box, enter the destination address provided by your tunnel administrator and click Next.
5 Select the Create this connection for all users radio button and click Next.
6 Give the connection a name (for example, XediaCorp) and click Finish.

Refer to the next section to configure the advanced settings before you try to make a connection.

Advanced Configuration

For advanced configuration options, perform these steps:

1 The Connect window should pop up when the New Connection Wizard is finished. The connection name that you specified in step 6 of the “Configuring the Windows 2000 Client” section should appear in the title bar. Click the Properties button.
2 Click the Networking tab and select L2TP in the Type of VPN server I am calling: drop-down list.
3 Click the Security tab and select the Advanced (custom settings) radio button.
4 Click the Settings button and select the Allow these protocols radio button. Select the CHAP check box and do not select the MS-CHAP or MS-CHAP v2 boxes. Click OK.
5 Click OK on the Properties sheet.

Now you are ready to connect.