

Configuring VPN Tracker to connect with Symantec Gateway Security 300 Series or 400 Series appliances

Question/Issue:
You have Mac computers from which you need to establish VPN connections to your Symantec Gateway Security 300 Series or 400 Series appliance. You use VPN Tracker as the VPN client on your Mac computers. You need instructions to configure VPN Tracker to connect to your security gateway.


Solution:
Configure your Symantec Gateway Security 300 Series or 400 Series appliance
Before you connect a client VPN tunnel, you must configure the client VPN settings on your security gateway. If you have already configured your client VPN settings on your security gateway, skip to the section about VPN Tracker configuration.

Define the client VPN tunnel
Before you connect from your client computer, you must configure your appliance to accept the VPN connection.

To enable client tunnels

  1. In the left pane of the Security Gateway Management Interface (SGMI), click VPN.
  2. On the Client Tunnels tab, under Group Tunnel Definition, check one of the following:
    • Enable Client VPNs on WAN side
      This option enables client VPN tunnels only for traffic arriving on a WAN port of the appliance.
    • Enable client VPNs on WLAN/LAN side
      This option enables client VPN tunnels for traffic on any port of the appliance.
  3. Under VPN Network Parameters, in the Primary DNS text box, type the name of the primary DNS server.
    Domain Name System (DNS) is an Internet service that translates domain names into IP addresses.
  4. Optionally, in the Secondary DNS text box, type the name of the secondary DNS server.
  5. Optionally, in the Primary WINS text box, type the name of the primary WINS server.
    Windows Internet Naming Service (WINS) is a system that determines the IP address that is associated with a particular network computer.
  6. Optionally, in the Secondary WINS text box, type the name of the secondary WINS server.
  7. Optionally, in the Primary Domain Controller text box, type the name of the primary domain controller.
  8. Optionally, in the RADIUS Group Binding text box, type the RADIUS Group Binding name.
    If you plan to use RADIUS authentication, you must check Enable Extended User Authentication and provide the RADIUS Group Binding. The RADIUS Group Binding name must match the filter ID parameter that the RADIUS server returns.
  9. Click Update.

Select an authentication method
Clients can authenticate with a user name and password that you define at the Symantec security gateway, or with extended authentication through RADIUS. If you use RADIUS authentication, you do not need to define the users at the security gateway. You define the users at the RADIUS server.

When a dynamic user (a user that is not defined on the security gateway) attempts to connect a VPN tunnel, the security gateway checks the defined user list for the provided user name. If the user name does not exist in that list, and extended authentication is enabled and configured, the security gateway verifies that the shared secret matches that which is configured for the tunnel. If the shared secret matches, the security gateway prompts for the information that the RADIUS server requires. If the group information that the RADIUS server returns matches the RADIUS Group Binding on the security gateway, the tunnel is allowed to connect. You do not need to define dynamic users on the security gateway.

If you do not use RADIUS authentication, you must create a VPN user identity on the security gateway for each user.
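The decision sequence the two paragraphs above describe (local user list first, then the shared secret, then RADIUS and the group binding) as an added, runnable model. This is illustration code, not Symantec's implementation: the GatewayConfig fields, the function names, the local user table and the fake RADIUS lookup are all constructed assumptions.

```python
"""Decision logic for the client-VPN authentication flow described above.

Added illustration, not Symantec code: GatewayConfig, authenticate(), the
sample users and the fake RADIUS lookup are assumptions that model the steps
the article lists. The IKE pre-shared key exchange itself is out of scope;
only the user-level accept/reject decision is modelled.
"""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class GatewayConfig:
    tunnel_shared_secret: str            # shared secret configured for the client tunnel
    extended_auth_enabled: bool          # "Enable Extended User Authentication"
    radius_group_binding: Optional[str]  # must equal the filter ID the RADIUS server returns
    local_users: Dict[str, str] = field(default_factory=dict)  # user name -> password


@dataclass
class RadiusReply:
    accepted: bool
    filter_id: Optional[str] = None  # group information returned by the RADIUS server


RadiusLookup = Callable[[str, str], RadiusReply]


def authenticate(cfg: GatewayConfig, user: str, password: str,
                 shared_secret: str, radius: RadiusLookup) -> Tuple[bool, str]:
    """Return (allowed, reason), following the order of checks in the article."""
    # Step 1: a user defined on the gateway is checked locally, never via RADIUS.
    if user in cfg.local_users:
        if hmac.compare_digest(cfg.local_users[user], password):
            return True, "local user authenticated"
        return False, "local user: password mismatch"

    # Step 2: a dynamic user is only possible with extended authentication on.
    if not cfg.extended_auth_enabled or not cfg.radius_group_binding:
        return False, "unknown user and extended authentication not configured"

    # Step 3: the tunnel's shared secret must match before RADIUS is consulted.
    if not hmac.compare_digest(cfg.tunnel_shared_secret, shared_secret):
        return False, "shared secret does not match the tunnel"

    # Step 4: RADIUS authenticates; its group must equal the RADIUS Group Binding.
    reply = radius(user, password)
    if not reply.accepted:
        return False, "RADIUS rejected the credentials"
    if reply.filter_id != cfg.radius_group_binding:
        return False, "RADIUS group %r does not match binding %r" % (
            reply.filter_id, cfg.radius_group_binding)
    return True, "dynamic user authenticated via RADIUS"


# Constructed sample data (not from the article): a fake RADIUS user store.
_FAKE_RADIUS_USERS = {
    "alice": ("alice-pw", "vpn-users"),    # password, filter ID
    "carol": ("carol-pw", "contractors"),
}


def fake_radius(user: str, password: str) -> RadiusReply:
    """Stand-in for a RADIUS server; returns the filter ID as group information."""
    entry = _FAKE_RADIUS_USERS.get(user)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return RadiusReply(accepted=False)
    return RadiusReply(accepted=True, filter_id=entry[1])


# Constructed gateway configuration: one local user, RADIUS bound to "vpn-users".
SAMPLE_GATEWAY = GatewayConfig(
    tunnel_shared_secret="example-tunnel-secret",
    extended_auth_enabled=True,
    radius_group_binding="vpn-users",
    local_users={"bob": "bob-pw"},
)


if __name__ == "__main__":
    for user, pw, secret in [("bob", "bob-pw", "example-tunnel-secret"),
                             ("alice", "alice-pw", "example-tunnel-secret"),
                             ("alice", "alice-pw", "wrong-secret"),
                             ("carol", "carol-pw", "example-tunnel-secret")]:
        print(user, authenticate(SAMPLE_GATEWAY, user, pw, secret, fake_radius))
```

The order matters for troubleshooting: a dynamic user who fails never reaches RADIUS unless the shared secret is right, so a "RADIUS rejected" outcome already tells you the tunnel secret was correct, while a carol-style failure (valid credentials, wrong group) points at the RADIUS Group Binding rather than at the password.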

The Symantec Gateway Security configuration is now complete.

Configure VPN Tracker
VPN Tracker is a third-party VPN client from equinux. Symantec does not support or endorse any specific third-party software use. The following configuration procedure is provided as a convenience to our customers on an "as is" basis with no guarantee or warranty.

If you do not already have a licensed copy of VPN Tracker, you can download one from the equinux Web site.

The configuration settings in this procedure are based on the ike_default_crypto security policy on the security gateway. If you use a different security policy for your VPN client tunnels on your security gateway, make the corresponding changes to the VPN Tracker settings in the procedure below.

To configure VPN Tracker
  1. Open VPN Tracker.
  2. In the main window, click New.
  3. In the Connection dialog box, in the Connection text box, type a unique name for this connection.
  4. On the Connection tab, in the Vendor drop-down list, click Custom.
  5. In the Model drop-down list (signified by a gear-shaped icon), click New.
  6. In the Connection Type dialog box, in the Connection Type text box, type a descriptive name for the connection type.
    For example, Symantec360.
  7. On the Phase 1 General tab, configure the following attributes:
    Exchange Mode: aggressive
    Proposal check: claim
    Nonce size: 16
    Send INITIAL-CONTACT message: Unchecked
    Support MIP6: Unchecked
    Send certificate: Unchecked
    Send request for remote certificate: Unchecked
    Verify remote certificate: Unchecked
  8. On the Phase 1 Proposal tab, configure the following attributes:
    Encryption Algorithm: DES
    Hash Algorithm: MD5
    Diffie-Hellman: Group 1 (768 bit)
    Lifetime: 480 minutes
  9. On the Phase 2 tab, configure the following attributes:
    Enable PFS: Checked; in the drop-down list, click Group 1 (768 bit)
    Lifetime: 480 minutes
    Encryption Algorithm: DES
    Hash Algorithm: MD5
    Establish unique SAs for multiple networks: Unchecked
  10. Click OK.
  11. In the Connection dialog box, on the Connection tab, under Connection Options, check Initiate connection from this end.
  12. On the Network tab, configure the following attributes:
    Topology: Host to Network
    Network Port: Built-in Ethernet
    VPN Gateway Address: The WAN IP address of your appliance
    Local Address: The IP address of the local computer
    Remote Network/Mask: The network address of the network that your security gateway protects, and the network mask for that network
  13. On the Identifiers tab, under Local Identifier, click Key ID and, in the text box, type the user account name for the VPN connection.
  14. Under Remote Identifiers, click Remote endpoint IP address.
  15. Click OK.
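Because the procedure only works when the VPN Tracker proposal matches the policy on the gateway, a small comparison script helps when a tunnel refuses to come up after the gateway's policy is changed from ike_default_crypto. The following is an added example, not code from the original article, from equinux or from Symantec; the class and function names are assumptions, and the policy values are the ones from the Phase 1 and Phase 2 tables above. It also flags the algorithms in that policy that current IKE guidance treats as legacy, which is worth knowing before deciding whether the gateway can offer something stronger.

```python
"""Compare a VPN Tracker tunnel configuration with the gateway's ike_default_crypto
policy as tabulated above, and name the legacy algorithms a policy depends on.

Added example; Proposal, TunnelConfig, mismatches() and legacy_warnings() are
assumptions, not part of VPN Tracker or the Symantec appliance.
"""
from dataclasses import dataclass, fields
from typing import List


@dataclass(frozen=True)
class Proposal:
    encryption: str        # e.g. "DES"
    hash: str              # e.g. "MD5"
    dh_group: int          # Diffie-Hellman group number; 1 is 768-bit MODP
    lifetime_minutes: int  # VPN Tracker shows lifetimes in minutes


@dataclass(frozen=True)
class TunnelConfig:
    exchange_mode: str     # "aggressive" or "main"
    phase1: Proposal
    pfs: bool              # Perfect Forward Secrecy on Phase 2
    phase2: Proposal


# Gateway side, as given in the Phase 1 / Phase 2 steps above (ike_default_crypto).
GATEWAY_POLICY = TunnelConfig(
    exchange_mode="aggressive",
    phase1=Proposal("DES", "MD5", 1, 480),
    pfs=True,
    phase2=Proposal("DES", "MD5", 1, 480),
)

# Algorithms in that policy that current IKE guidance no longer recommends.
LEGACY_ALGORITHMS = {
    "DES": "56-bit key, feasible to brute-force",
    "MD5": "collision-prone hash",
    "DH group 1": "768-bit MODP, too small for modern key exchange",
}


def lifetime_seconds(minutes: int) -> int:
    """Most IKE daemons log SA lifetimes in seconds; 480 minutes is 28800 s."""
    return minutes * 60


def mismatches(client: TunnelConfig, gateway: TunnelConfig = GATEWAY_POLICY) -> List[str]:
    """List every setting where the client config differs from the gateway policy.

    An empty list means both sides propose identical parameters."""
    out: List[str] = []
    if client.exchange_mode != gateway.exchange_mode:
        out.append("exchange mode: client %s, gateway %s"
                   % (client.exchange_mode, gateway.exchange_mode))
    if client.pfs != gateway.pfs:
        out.append("phase 2 PFS: client %s, gateway %s" % (client.pfs, gateway.pfs))
    for label, c, g in (("phase 1", client.phase1, gateway.phase1),
                        ("phase 2", client.phase2, gateway.phase2)):
        for f in fields(Proposal):
            cv, gv = getattr(c, f.name), getattr(g, f.name)
            if cv != gv:
                out.append("%s %s: client %s, gateway %s" % (label, f.name, cv, gv))
    return out


def legacy_warnings(cfg: TunnelConfig) -> List[str]:
    """Name the legacy algorithms a configuration relies on, per phase."""
    out: List[str] = []
    for label, p in (("phase 1", cfg.phase1), ("phase 2", cfg.phase2)):
        for name in (p.encryption, p.hash, "DH group %d" % p.dh_group):
            if name in LEGACY_ALGORITHMS:
                out.append("%s %s: %s" % (label, name, LEGACY_ALGORITHMS[name]))
    return out


if __name__ == "__main__":
    # Constructed client config with one deviation (3DES in Phase 1).
    client = TunnelConfig("aggressive", Proposal("3DES", "MD5", 1, 480),
                          True, Proposal("DES", "MD5", 1, 480))
    for line in mismatches(client):
        print("mismatch:", line)
    for line in legacy_warnings(GATEWAY_POLICY):
        print("legacy:", line)
```

Run mismatches() first when a tunnel fails to negotiate: every line it prints is a Phase 1 or Phase 2 field to re-check against the gateway's policy, and the lifetime helper saves converting the 480-minute value by hand when reading daemon logs.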

To connect the tunnel
  1. In the VPN Tracker main window, in the Connection table, check the box next to the tunnel that you created.
  2. Click Start VPN.
  3. When the tunnel connects, verify that the status shows the appropriate network information.

Your VPN tunnel is established.



Document ID: 2006020611290154
Last Modified: 01/29/2007
Date Created: 02/06/2006
Operating System(s): Appliance
Product(s): Symantec Gateway Security 300 Series, Symantec Gateway Security 400 Series
Release(s): 320, 360, 360R, 440, 460, 460R, SGS 440, SGS 460, SGS 460R

