BCS Knowledge Base


Document ID: 2007100515540654
Last Modified: 03/11/2008

How to connect a tunnel to a Symantec Gateway Security v3.0.1 appliance using TheGreenBow VPN

Situation: You want to know how to connect an IPsec VPN tunnel to a Symantec Gateway Security 1600- or 5000-series appliance using TheGreenBow VPN on Windows XP or Windows Vista.

Solution:
Note: These instructions are provided for your convenience only. Symantec does not provide warranty support for or assistance with TheGreenBow VPN. For technical support or assistance with TheGreenBow VPN, contact TheGreenBow Enterprise Security Solutions.

TheGreenBow VPN can connect basic IPsec VPN tunnels with preshared key authentication to Symantec Gateway Security appliances.
Extended authentication, client compliance and UDP encapsulation for NAT traversal are not possible when using TheGreenBow VPN.

To verify the Symantec Gateway Security appliance configuration
If you do not already have a Client VPN tunnel configured, read the article Configuring Client VPN on a Symantec Gateway Security appliance version 3.0 or version 3.0.1.
    1. In the left pane of the SGMI, click VPN.
    2. On the Tunnels tab, double-click your Client VPN tunnel.
    3. In the tunnel properties, click the check mark button beside the Remote Endpoint user group.
    4. In the user group properties, on the VPN Authentication tab, check to make sure that:
      - Authentication Scheme is set to (none)
      - Enforce Client Compliance is set to Ignore

If either the Authentication Scheme or Enforce Client Compliance is set differently, disable those options or create another user group for use with TheGreenBow.


To configure TheGreenBow VPN
    1. Start TheGreenBow VPN from the Start menu or from an icon on the desktop.
    2. In the system tray, right-click the TheGreenBow icon and select Connection Panel.
    3. Click one of the preconfigured tunnel names in the list to open the configuration dialog box.
    4. In the lower left pane, right-click Configuration and select New Phase 1. In the right pane, enter the following parameters:
      Name: <A name for the gateway>
      Interface: Any
      Remote Gateway: <The firewall's external IP address or domain name>
      Preshared Key: <The shared secret>
      Encryption: 3DES
      Authentication: SHA
      Key Group: DH1024

      Note: The shared secret cannot begin with the hexadecimal prefix 0x. Symantec firewalls interpret secrets beginning with 0x as hexadecimal values, but TheGreenBow VPN does not.
    5. Click P1 Advanced.
    6. In the NAT-T dropdown box, select Disabled.
    7. Check Aggressive Mode.
    8. In the Local ID dropdown box, choose KEY ID. In the text box next to the Local ID dropdown box, type the username.
    9. If your Security Gateway Network Entity has a custom phase 1 ID, then in the Remote ID dropdown box, choose KEY ID. In the text box next to the Remote ID dropdown box, type the custom Phase 1 ID.
    10. In the lower left pane, right-click the gateway name that was added, then select Add Phase 2. In the right pane, enter the following parameters:
      Name: <A name for the network>
      VPN Client address: 0.0.0.0
      Address Type: Subnet address
      Remote LAN address: <The internal subnet>
      Subnet mask: <The internal subnet mask>
      Encryption: 3DES
      Authentication: SHA
      Mode: Tunnel
      PFS: Checked
      Group: DH1024
    11. Click P2 Advanced.
    12. Enter the IP addresses of your internal DNS and/or WINS servers, if any, then click OK.
    13. Repeat steps 10 through 12 for any other internal networks that you want to connect to.
    14. In the upper left pane, click Parameters. In the right pane, in the Check interval (sec.) text box under Dead Peer Detection (DPD), type: 28800
    15. Click Save & Apply, then close the TheGreenBow VPN configuration dialog box.
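
The following preflight check is an added example, not Symantec or TheGreenBow code: it compares a hand-transcribed tunnel profile with the values required in the steps above and shows why a preshared key beginning with 0x fails. The dictionary field names are hypothetical, and the exact hex decoding on the gateway side is an assumption.

```python
# Added example, not Symantec or TheGreenBow code. Field names are hypothetical.
REQUIRED = {  # values from the Phase 1, P1 Advanced, Phase 2 and DPD steps above
    "p1_encryption": "3DES", "p1_authentication": "SHA", "p1_key_group": "DH1024",
    "nat_t": "Disabled", "aggressive_mode": True, "local_id_type": "KEY ID",
    "p2_encryption": "3DES", "p2_authentication": "SHA", "p2_mode": "Tunnel",
    "p2_pfs": True, "p2_group": "DH1024", "dpd_check_interval": 28800,
}

def psk_key_bytes(secret):
    """Return (client_bytes, gateway_bytes) for one preshared key string.

    The client uses the typed characters literally. Assumption: the gateway
    decodes the digits after a leading 0x into raw bytes. Upper-case 0X is
    treated the same way here so the check errs on the side of flagging.
    """
    client = secret.encode("utf-8")
    if secret[:2].lower() != "0x":
        return client, client
    try:
        return client, bytes.fromhex(secret[2:])
    except ValueError:          # odd digit count or non-hex characters
        return client, None

def check_profile(profile):
    """Return a list of findings; an empty list means the profile matches."""
    findings = []
    for key, want in REQUIRED.items():
        got = profile.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    client, gateway = psk_key_bytes(profile.get("preshared_key", ""))
    if client != gateway:
        findings.append("preshared_key: begins with 0x, so client and "
                        "gateway would use different key material")
    if not profile.get("local_id_value"):
        findings.append("local_id_value: KEY ID needs the username")
    return findings

# Constructed sample profiles (not real credentials).
GOOD = dict(REQUIRED, preshared_key="constructed-example-secret",
            local_id_value="jsmith")
BAD = dict(GOOD, nat_t="Automatic", preshared_key="0x41424344")

if __name__ == "__main__":
    for name, profile in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_profile(profile) or "OK")
```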

To change the Windows firewall settings in Windows Vista
In some cases, the Windows firewall may block the Symantec Gateway Security's response. To allow the response, change the firewall settings to allow the ISAKMP protocol.
    1. Open the Windows Vista Control Panel.
    2. Under Security, click Allow a program through Windows Firewall. If you are asked for permission, click Continue.
    3. Click Add port...
    4. In the Add a Port dialog box, enter the following parameters:
      Name: ISAKMP
      Port number: 500
      Protocol: UDP
    5. Click OK, then click OK again.

You are now able to connect.


To connect TheGreenBow VPN
In the system tray, right-click the TheGreenBow icon and select Open Tunnel '<network name>'. If you want to connect to multiple networks, you must connect to each one individually.



Product(s): Symantec Gateway Security 1600 Series v3.0.1, Symantec Gateway Security 1600 Series version 3.0, Symantec Gateway Security 5000 Series 3.0, Symantec Gateway Security 5000 Series v3.0.1
Operating System(s):
Date Created: 10/05/2007

© 1995-2013 Symantec Corporation. All rights reserved.