Document ID: 2007100515540654 Last Modified: 03/11/2008
How to connect a tunnel to a Symantec Gateway Security v3.0.1 appliance using TheGreenBow VPN
Situation: You want to know how to connect an IPsec VPN tunnel to a Symantec Gateway Security 1600- or 5000-series appliance using TheGreenBow VPN on Windows XP or Windows Vista.
Solution:
Note: These instructions are provided for your convenience only. Symantec does not provide warranty support for or assistance with TheGreenBow VPN. For technical support or assistance with TheGreenBow VPN, contact TheGreenBow Enterprise Security Solutions.
TheGreenBow VPN can connect basic IPsec VPN tunnels with preshared key authentication to Symantec Gateway Security appliances.
Extended authentication, client compliance and UDP encapsulation for NAT traversal are not possible when using TheGreenBow VPN.
To verify the Symantec Gateway Security appliance configuration
If you do not already have a Client VPN tunnel configured, read the article Configuring Client VPN on a Symantec Gateway Security appliance version 3.0 or version 3.0.1.
1. In the left pane of the SGMI, click VPN.
2. On the Tunnels tab, double-click your Client VPN tunnel.
3. In the tunnel properties, click the check mark button beside the Remote Endpoint user group.
4. In the user group properties, on the VPN Authentication tab, check to make sure that:
   - Authentication Scheme is set to (none)
   - Enforce Client Compliance is set to Ignore
If either the Authentication Scheme or Enforce Client Compliance is set differently, disable those options or create another user group for use with TheGreenBow.
To configure TheGreenBow VPN
1. Start TheGreenBow VPN from the Start menu or from an icon on the desktop.
2. In the system tray, right-click the TheGreenBow icon and select Connection Panel.
3. Click one of the preconfigured tunnel names in the list to open the configuration dialog box.
4. In the lower left pane, right-click Configuration and select New Phase 1. In the right pane, enter the following parameters:
   Name: <A name for the gateway>
   Interface: Any
   Remote Gateway: <The firewall's external IP address or domain name>
   Preshared Key: <The shared secret>
   Encryption: 3DES
   Authentication: SHA
   Key Group: DH1024
   Note: The shared secret cannot begin with the hexadecimal prefix 0x. Symantec firewalls interpret secrets beginning with 0x as hexadecimal values, but TheGreenBow VPN does not.
5. Click P1 Advanced.
6. In the NAT-T drop-down box, select Disabled.
7. Check Aggressive Mode.
8. In the Local ID drop-down box, choose KEY ID. In the text box next to the Local ID drop-down box, type the username.
9. If your Security Gateway Network Entity has a custom Phase 1 ID, then in the Remote ID drop-down box, choose KEY ID. In the text box next to the Remote ID drop-down box, type the custom Phase 1 ID.
10. In the lower left pane, right-click the gateway name that was added, then select Add Phase 2. In the right pane, enter the following parameters:
    Name: <A name for the network>
    VPN Client address: 0.0.0.0
    Address Type: Subnet address
    Remote LAN address: <The internal subnet>
    Subnet mask: <The internal subnet mask>
    Encryption: 3DES
    Authentication: SHA
    Mode: Tunnel
    PFS: Checked
    Group: DH1024
11. Click P2 Advanced.
12. Enter the IP addresses of your internal DNS and/or WINS servers, if any, then click OK.
13. Repeat steps 10 through 12 for any other internal networks that you want to connect to.
14. In the upper left pane, click Parameters. In the right pane, under Dead Peer Detection (DPD), in the Check interval (sec.) text box, type: 28800
15. Click Save & Apply, then close the TheGreenBow VPN configuration dialog box.
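As an added example (not part of this article and not TheGreenBow's own software), the following Python script compares a plain-text export of the tunnel settings against the Phase 1, Phase 2 and DPD values the procedure above prescribes and flags the 0x preshared-key pitfall from the note. The "[Section]" / "Key: value" layout and every sample value are assumptions constructed for the example.

```python
import re

# Values the article prescribes for a Symantec Gateway Security tunnel.
REQUIRED = {
    "phase1": {"Encryption": "3DES", "Authentication": "SHA", "Key Group": "DH1024",
               "NAT-T": "Disabled", "Aggressive Mode": "Checked"},
    "phase2": {"Encryption": "3DES", "Authentication": "SHA", "Mode": "Tunnel",
               "PFS": "Checked", "Group": "DH1024"},
    "parameters": {"Check interval": "28800"},  # Dead Peer Detection, seconds
}

def parse(text):
    """Read '[Section]' headers and 'Key: value' lines into {section: {key: value}}.
    This layout is an assumption of the example, not TheGreenBow's own file format."""
    sections, current = {}, None
    for line in text.splitlines():
        if m := re.fullmatch(r"\[(\w+)\]", line.strip()):
            current = sections.setdefault(m.group(1).lower(), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return sections

def check(text):
    """Return the settings that differ from the article; an empty list means all match."""
    cfg = parse(text)
    problems = [f"{sec}: {k} should be {v!r}, found {cfg.get(sec, {}).get(k)!r}"
                for sec, wanted in REQUIRED.items() for k, v in wanted.items()
                if cfg.get(sec, {}).get(k) != v]
    psk = cfg.get("phase1", {}).get("Preshared Key", "")
    if psk.lower().startswith("0x"):  # the firewall reads 0x... as hex, TheGreenBow does not
        problems.append("phase1: Preshared Key must not begin with 0x")
    return problems

# Constructed sample with two deliberate mistakes: NAT-T left enabled, 0x-prefixed secret.
SAMPLE = """[Phase1]
Preshared Key: 0xdeadbeef
Encryption: 3DES
Authentication: SHA
Key Group: DH1024
NAT-T: Enabled
Aggressive Mode: Checked
[Phase2]
Encryption: 3DES
Authentication: SHA
Mode: Tunnel
PFS: Checked
Group: DH1024
[Parameters]
Check interval: 28800
"""
```

Running check(SAMPLE) reports the NAT-T and preshared-key mistakes; correcting both makes it return an empty list.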
To change the Windows firewall settings in Windows Vista
In some cases, the Windows firewall blocks the response from the Symantec Gateway Security appliance. To allow the response, add a firewall exception for the ISAKMP protocol (UDP port 500).
1. Open the Windows Vista Control Panel.
2. Under Security, click Allow a program through Windows Firewall. If you are asked for permission, click Continue.
3. Click Add port...
4. In the Add a Port dialog box, enter the following parameters:
   Name: ISAKMP
   Port number: 500
   Protocol: UDP
5. Click OK, then click OK again.
You are now able to connect.
To connect TheGreenBow VPN
In the system tray, right-click the TheGreenBow icon and select Open Tunnel '<network name>'. If you want to connect to multiple networks, you must connect to each one individually.