Documente Academic
Documente Profesional
Documente Cultură
Configuration Guide
Table of contents
1 Introduction .................................................................................................................................................... 3
1.1 Goal of this document ............................................................................................................................ 3
1.2 VPN Network topology ........................................................................................................................... 3
1.3 Astaro Security Gateway Restrictions .................................................................................................... 3
1.4 Astaro Security Gateway........................................................................................................................ 3
1.5 Astaro Security Gateway product info .................................................................................................... 3
2 Astaro Security Gateway VPN configuration.................................................................................................. 4
2.1 Preparations........................................................................................................................................... 4
2.2 Astaro Security Gateway configuration .................................................................................................. 4
3 TheGreenBow IPSec VPN Client configuration ............................................................................................. 7
3.1 VPN Client Phase 1 (IKE) Configuration ................................................................................................ 7
3.2 Phase 1 Advanced settings.................................................................................................................... 8
3.3 VPN Client Phase 2 (IPSec) Configuration ............................................................................................ 9
3.4 Open IPSec VPN tunnels ....................................................................................................................... 9
4 Tools in case of trouble ................................................................................................................................ 10
4.1 A good network analyser: Wireshark ................................................................................................... 10
5 VPN IPSec Troubleshooting ........................................................................................................................ 11
5.1 PAYLOAD MALFORMED error (wrong Phase 1 [SA]) ................................................................. 11
5.2 INVALID COOKIE error.................................................................................................................. 11
5.3 no keystate error ............................................................................................................................ 11
5.4 received remote ID other than expected error................................................................................ 11
5.5 NO PROPOSAL CHOSEN error .................................................................................................... 12
5.6 INVALID ID INFORMATION error .................................................................................................. 12
5.7 I clicked on Open tunnel, but nothing happens. ................................................................................. 12
5.8 The VPN tunnel is up but I cant ping ! ................................................................................................. 12
6 Contacts ....................................................................................................................................................... 14
1 Introduction
1.1 Goal of this document
This configuration guide describes how to configure TheGreenBow IPSec VPN Client software with an Astaro
Security Gateway to establish VPN connections for remote access to corporate network
mygateway.dyndns.org
192.168.34.254
Internet 192.168.34.51
IPSecVPNClient
(Remote) Astaro Security
Gateway
192.168.34.52
2.1 Preparations
To connect to your Astaro Security Gateway from the internet by a host or domain name, you might configure a
dynamic name resolution service. You will find more detailed information about this topic in your Astaro
documentation or on the user guide website: http://www.astaro.de.
Select the tab Connections, and choose New IPSec remote access rule. In the window Add IPSec remote
access rule enter a name (e.g. GREENBOW) for this tunnel configuration. Choose an Interface and select
External from the list. At Local Networks select the internal interface Internal (Network) with a click on the
directory symbol). At Policy you can select a IPSec Security Policy (e.g. AES-128 PFS Policy settings see
pictures below). The Astaro Security Gateway offers premade IPSec Security Policies (see tab Policies), you
can as well define custom IPSec Security Policies
Please select Preshared key as authentication type. Here you can enter the pre-shared key. Now click Save to
apply the changes.
To have a successful VPN connection, its mandatory to configure a firewall rule which defines a virtual VPN
Client IP address.
On the main admisistration site, select the menu option Definitions. Select Networks from the submenu and
click on New network definition. Now select Create new network definition and define a name (e.g.
VPN Client). Select Host as type and enter an IP address (this IP address must not belong to the local subnet,
here 192.168.22.222). For Interface, select <<Any>> Apply the settings by clicking Save.
On the main admisistration site, select the menu option Network Security. Select Packer Filter from the
submenu. Select the tab Rules and click New rule. In the window Create new rule do the following
settings:
Leave the value for Group on No group. You can select the order and position of the firewall rule (in our
example 2). As source (click on the directory symbol) apply the already made network definition VPN Client.
For Service and Destination select Any and Internal (Network). Action must be Allow and Time
Event can be Always. Apply settings by clicking Save.
The settings for the Astaro Security Gateway are now completed.
TheremoteVPN
GatewayIPaddressis
eitheranexplicitIP
addressoraDNSName
PresharedKeyas
configuredintheAstaro
gateway.
Phase 1 configuration
As local and remote ID type, select IP address. The ID values can be left blank. Apply changes with a click on
OK.
VPNClientVirtualIP
addressaddefinedin
theAstarofirewallrule
EntertheIPaddress
(andsubnetmask)
oftheremoteLAN.
Phase 2 Configuration
Klick Save & Apply to save all configuration settings.
If you have an PAYLOAD MALFORMED error you might have a wrong Phase 1 [SA], check if the encryption
algorithms are the same on each side of the VPN tunnel.
If you have an INVALID COOKIE error, it means that one of the endpoint is using a SA that is no more in use.
Reset the VPN connection on each side.
Check if the preshared key is correct or if the local ID is correct (see Advanced button). You should have
more information in the remote endpoint logs.
The Remote ID value (see Advanced Button) does not match what the remote endpoint is expected.
If you have an NO PROPOSAL CHOSEN error, check that the Phase 2 encryption algorithms are the
same on each side of the VPN Tunnel.
Check Phase 1 algorithms if you have this:
If you have an INVALID ID INFORMATION error, check if Phase 2 ID (local address and network
address) is correct and match what is expected by the remote endpoint.
Check also ID type (Subnet address and Single address). If network mask is not check, you are using a
IPV4_ADDR type (and not a IPV4_SUBNET type).
If you still cannot ping, follow ICMP traffic on VPN server LAN interface and on LAN computer interface
(with Wireshark for example). You will have an indication that encryption works.
Check the default gateway value in VPN Server LAN. A target on your remote LAN can receive pings
but does not answer because there is a no Default gateway setting.
You cannot access to the computers in the LAN by their name. You must specify their IP address inside
the LAN.
We recommend you to install Wireshark (http://www.wireshark.org) on one of your target computer. You
can check that your pings arrive inside the LAN.
6 Contacts
News and updates on TheGreenBow web site: http://www.thegreenbow.com
Technical support by email at support@thegreenbow.com
Sales contacts by email at sales@thegreenbow.com