
Equinux VPN Tracker

Quick Start Guide

Copyright © 2005 CRYPTOCard Corporation All Rights Reserved http://www.cryptocard.com


Copyright

Copyright © 2005, CRYPTOCard Corp. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Corp.

Trademarks

CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, are either registered trademarks or trademarks of CRYPTOCard Corp. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Technical Support information

CRYPTOCard works closely with our Channel Partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard Channel Partner, please contact your reseller directly for support needs.

To contact CRYPTOCard directly, telephone 800-307-7042 or +1-613-599-2441. If you prefer, send an email to [email protected]. To inquire about obtaining a support contract, refer to our “Support” Web page for the latest contact information at http://www.cryptocard.com.

Comments

If you have comments or suggestions you would like to make regarding this document, please send an email to [email protected].

Publication History

Date Version Changes

2005.05.27 Rev.1.0 Initial Release

3rd Party Integration – Equinux VPN Tracker / Sonic Wall QuickStart Guide i


Table of Contents

VPN TRACKER OVERVIEW ...................................................................................... 1

SONICWALL OVERVIEW ......................................................................................... 1

RADIUS Authentication .......................................................................................... 2

CRYPTO-SERVER CONFIGURATION ........................................................................ 2

RadiusProtocol NAS.# keys..................................................................................... 4

SONICWALL SECURITY APPLIANCE CONFIGURATION............................................ 5

EQUINUX VPN TRACKER CONFIGURATION............................................................. 8

Connections Tab ................................................................................................... 8

Network Tab......................................................................................................... 8

Authentication Tab ................................................................................................ 9

Identifier Tab........................................................................................................ 9

DNS Tab ............................................................................................................ 10


VPN Tracker Overview

Equinux VPN Tracker is the leading, full featured IPsec VPN client for the Mac platform. It sets up secure, encrypted tunnels over the Internet that can be used to establish connections to VPN gateways of all leading firewall vendors including SonicWALL.

Based on XAUTH (extended authentication), you can authenticate against a central password server, thus delivering a single sign-on solution. Additionally, VPN Tracker supports two-factor authentication systems, like CRYPTO-Server, using passwords and hardware tokens. This provides additional security whereby only authorized users gain access to files and applications.

SonicWall Overview

SonicWALL Security Appliances are typically configured to establish VPN connections and grant access to network resources according to the results of an internal, static, password-based authentication scheme.

A far superior and more secure option is to configure the SonicWALL Security Appliance to forward authentication requests to a RADIUS server. CRYPTO-Server can act as a full-featured RADIUS server backend, providing strong two-factor authentication services to SonicWALL Security Appliances. The CRYPTO-Server listens for RADIUS-based authentication and accounting requests on designated ports, typically ports 1812 and 1813 respectively.


RADIUS Authentication

With CRYPTO-Server acting as the RADIUS authentication server for a SonicWALL Security Appliance, a VPN connection sequence is as follows:

1. A user initiates a VPN connection request through a SonicWALL-recognized client such as Equinux VPN Tracker. The end user initiating the VPN connection is then prompted to provide a username and a one-time password from an active CRYPTOCard token.

2. The SonicWALL Security Appliance forwards the authentication request to a CRYPTO-Server in a RADIUS-protocol-formatted packet. The CRYPTO-Server validates the username and one-time-password combination and returns its response in a RADIUS packet to the SonicWALL Appliance.

3. Based on the response from the CRYPTO-Server, the user is either granted or denied VPN access to on-line resources.
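The exchange in steps 2 and 3 above, worked through as an added example that is not part of the original guide and not CRYPTOCard's or SonicWALL's code. It builds a RADIUS Access-Request (RFC 2865) carrying User-Name and a PAP-hidden User-Password, lets a stand-in for the CRYPTO-Server validate the one-time password and answer Access-Accept or Access-Reject, and has the stand-in for the SonicWALL appliance verify the Response Authenticator with the shared secret. The username, token code and packet identifier are constructed; the shared secret is the `testing123` default the guide names later. Both the password hiding and the reply verification depend on that secret, which is why the same string must be entered on both sides.

```python
"""Constructed RADIUS Access-Request / Access-Accept exchange (RFC 2865).

Added example: the client side stands in for the SonicWALL appliance and the
server side for CRYPTO-Server. Usernames, OTPs and identifiers are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RADIUS attribute types

SHARED_SECRET = b"testing123"          # CRYPTO-Server default shared secret (from the guide)
VALID_OTPS = {"alice": "2468ABCD"}     # constructed: username -> currently valid token code


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))   # ciphertext block feeds the next key
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, username: str, password: str) -> bytes:
    """Client side: fresh 16-byte Request Authenticator, then User-Name and hidden User-Password."""
    request_auth = os.urandom(16)
    attrs = _attr(USER_NAME, username.encode()) + _attr(
        USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def _parse_attrs(data: bytes) -> dict:
    attrs = {}
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attr_type, length = data[0], data[1]
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def server_respond(packet: bytes, secret: bytes, verify) -> bytes:
    """Server side: recover the OTP, check it, reply with a Response Authenticator over the request."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    username = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    otp = unhide_password(attrs.get(USER_PASSWORD, b""), secret, request_auth).decode("utf-8", "replace")
    reply_code = ACCESS_ACCEPT if verify(username, otp) else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)            # no attributes in this reply
    response_auth = hashlib.md5(header + request_auth + secret).digest()   # RFC 2865 s3
    return header + response_auth


def client_verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its ID matches and its authenticator was made with our secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def check_otp(username: str, otp: str) -> bool:
    """Constructed validator standing in for CRYPTO-Server's token check (server-side PIN would be prepended)."""
    return hmac.compare_digest(VALID_OTPS.get(username, "").encode(), otp.encode())


def run_exchange(username: str, password: str, server_secret: bytes = SHARED_SECRET) -> str:
    """Whole round trip; returns 'accept', 'reject', or 'unverified' when the reply's authenticator fails."""
    request = build_access_request(7, SHARED_SECRET, username, password)
    response = server_respond(request, server_secret, check_otp)
    if not client_verify_response(request, response, SHARED_SECRET):
        return "unverified"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(run_exchange("alice", "2468ABCD"))                         # accept
    print(run_exchange("alice", "0000"))                             # reject
    print(run_exchange("alice", "2468ABCD", server_secret=b"other"))  # unverified: secrets differ
```

The third call shows what a shared-secret mismatch looks like from the client's side: the server recovers garbage instead of the OTP and rejects, and the reply fails verification, which is the failure the guide's Test Tab would surface as a failed test.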

CRYPTO-Server Configuration

If you wish to use the CRYPTO-Server as your RADIUS server, you must verify that the Protocol Server is configured to accept RADIUS communications from the SonicWALL Security Appliance.


Connect to the CRYPTO-Server using the Console. Choose System Configuration… from the Server menu.

In the “Entity” column choose “RadiusProtocol”. Next look at the “Value” corresponding to the key “NAS.2”. The data in this value field defines which RADIUS clients are allowed to connect to the CRYPTO-Server, and the shared secret they must use.


RadiusProtocol NAS.# keys

By default, the CRYPTO-Server is configured to listen for RADIUS requests over UDP port 1812, from any host on the same subnet, using a shared secret of “testing123”. You can manually define as many RADIUS clients as desired by adding NAS.# entries to the CRYPTO-Server configuration. The syntax of the data for a NAS entry is as follows:

<First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Perform Reverse Lookup?>, <Authentication Protocols>

Where:

<First IP>: The first IP address of the RADIUS client(s) configured in this NAS.# key.

<Last IP>: The last IP address of the RADIUS client(s) configured in this NAS.# key.

If only one IP address is defined by a NAS.# key, the <First IP> and <Last IP> will be the same.

<Hostname>: Only applies in cases where the NAS.# key is for one host. Required for performing reverse lookup.

<Shared Secret>: A string used to encrypt the password being sent between the CRYPTO-Server and the RADIUS client (here, the SonicWALL Security Appliance). You will need to enter the exact same string on the SonicWALL Security Appliance. The <Shared Secret> string can be any combination of numbers and uppercase and lowercase letters.

<Perform Reverse Lookup?>: An added security feature of the CRYPTO-Server is its ability to verify the authenticity of a RADIUS client by cross-checking its IP address with the Domain Name Server. If this value is set to true, when the CRYPTO-Server receives a RADIUS request from the RADIUS client defined by this NAS.# entry, it sends a request to the DNS using the hostname set in the NAS.# entry. The DNS should respond with the same IP address as configured in the NAS.# entry; otherwise the CRYPTO-Server assumes that the RADIUS packet is coming from some other host posing as the RADIUS client (a “man in the middle” attack) and ignores the request completely.

<Authentication Protocols>: Many different authentication protocols can be used during RADIUS authentication. Common examples are PAP, CHAP, MS-CHAP and EAP. This setting determines which authentication protocols the CRYPTO-Server will allow from a given RADIUS client. Currently PAP and CHAP are the only available authentication protocols for RADIUS clients.

NOTE: After changing or adding a NAS.# entry, click the “Apply” button.
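To make the NAS.# rules concrete, here is an added example (not CRYPTOCard's code) that parses entries in the syntax the guide gives and decides, for an incoming request, whether the client is accepted and which shared secret applies: the source address must fall in the <First IP>..<Last IP> range, a reverse lookup (when enabled) must return the configured address or the request is ignored, and the requested protocol must be one the entry allows and one CRYPTO-Server supports (PAP or CHAP). The DNS lookup is injected as a function so the example runs offline; the key names, addresses, hostname and secrets are constructed, and the `/` separator inside the protocol field is an assumption, since the guide does not state how several protocols are written.

```python
"""Constructed parser and matcher for RadiusProtocol NAS.# entries (added example).

Field order follows the guide:
<First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Perform Reverse Lookup?>, <Authentication Protocols>
Assumption: several protocols in the last field are separated with '/'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

SUPPORTED_PROTOCOLS = frozenset({"PAP", "CHAP"})   # the guide: only PAP and CHAP are available today


@dataclass(frozen=True)
class NasEntry:
    first_ip: ipaddress.IPv4Address
    last_ip: ipaddress.IPv4Address
    hostname: str
    shared_secret: str
    reverse_lookup: bool
    protocols: FrozenSet[str]


def parse_nas_entry(value: str) -> NasEntry:
    """Parse one NAS.# value, enforcing the constraints the guide states for each field."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 6:
        raise ValueError("expected 6 comma-separated fields")
    first, last = ipaddress.IPv4Address(parts[0]), ipaddress.IPv4Address(parts[1])
    if last < first:
        raise ValueError("<Last IP> precedes <First IP>")
    hostname, secret = parts[2], parts[3]
    if not secret or not secret.isascii() or not secret.isalnum():
        raise ValueError("shared secret must be letters and digits only")
    reverse_lookup = parts[4].lower() == "true"
    if reverse_lookup and (not hostname or first != last):
        raise ValueError("reverse lookup needs a hostname and a single-host entry")
    protocols = frozenset(p.strip().upper() for p in parts[5].split("/") if p.strip())
    return NasEntry(first, last, hostname, secret, reverse_lookup, protocols)


def load_nas_keys(config: Dict[str, str]) -> Dict[str, NasEntry]:
    """Pick the NAS.# keys out of a RadiusProtocol key/value map and parse each one."""
    return {key: parse_nas_entry(value) for key, value in config.items() if key.startswith("NAS.")}


def find_client(entries: Dict[str, NasEntry], source_ip: str, protocol: str,
                resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return the shared secret to use for a request from source_ip, or None if the request is ignored."""
    src = ipaddress.IPv4Address(source_ip)
    wanted = protocol.upper()
    for entry in entries.values():
        if not (entry.first_ip <= src <= entry.last_ip):
            continue
        if entry.reverse_lookup:
            resolved = resolve(entry.hostname)
            if resolved is None or ipaddress.IPv4Address(resolved) != entry.first_ip:
                return None    # DNS disagrees with the entry: treat as a host posing as the client
        if wanted not in entry.protocols or wanted not in SUPPORTED_PROTOCOLS:
            return None        # protocol not allowed for this client
        return entry.shared_secret
    return None                # no NAS.# entry covers this address


# Constructed RadiusProtocol values: NAS.2 covers a small range with the default secret,
# NAS.3 pins one appliance to a hostname and turns reverse lookup on.
CONFIG = {
    "NAS.2": "192.0.2.32, 192.0.2.63, , testing123, false, PAP",
    "NAS.3": "192.0.2.10, 192.0.2.10, sonicwall.example.net, S3cr3tKey, true, PAP/CHAP",
}
CONSTRUCTED_DNS = {"sonicwall.example.net": "192.0.2.10"}


def honest_resolver(hostname: str) -> Optional[str]:
    """Stand-in for the DNS query; answers from the constructed table above."""
    return CONSTRUCTED_DNS.get(hostname)


if __name__ == "__main__":
    entries = load_nas_keys(CONFIG)
    print(find_client(entries, "192.0.2.10", "PAP", honest_resolver))             # S3cr3tKey
    print(find_client(entries, "192.0.2.10", "PAP", lambda h: "192.0.2.99"))      # None: lookup mismatch
    print(find_client(entries, "192.0.2.40", "CHAP", honest_resolver))            # None: NAS.2 allows PAP only
```

Because entries are tried in order and the first range match decides, overlapping NAS.# ranges are a configuration smell worth checking when a client unexpectedly gets the wrong secret.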


SonicWALL Security Appliance Configuration

Log on to the SonicWALL Security Appliance with an administrator account name and password.

Select the Users menu item from the Navigation Bar found on the left hand side of the Management Interface page. Choose the Settings submenu item to reveal the User Login Settings page.

Use the pull down menu to set the Authentication Method to RADIUS. Press the Configure button next to the pull down menu to display the RADIUS Configuration Window.


The RADIUS Server section of the Settings Tab allows specification of communication information required to pass authentication requests to the CRYPTO-Server. Enter the IP address or hostname, shared secret and RADIUS requests port number of the CRYPTO-Server in the Primary Server Settings Section. If a Secondary CRYPTO-Server exists on the network, enter the corresponding information in the Secondary Server Settings Section.

Press the RADIUS User Tab to expose the RADIUS User Settings options. If desired, the CRYPTO-Server can return a Filter-ID that can be processed by the SonicWALL Security Appliance. To take advantage of this feature, activate the Use RADIUS Filter-ID attribute on RADIUS server radio button. The default setting is Use SonicWALL vendor-specific attributes on RADIUS Server. If desired, select a pre-configured group from the drop-down menu under the heading Default user group to which all RADIUS users belong.


The Test Tab provides a utility to test communication between the SonicWALL Security Appliance and the CRYPTO-Server. Enter a CRYPTO-Server-recognized username and the corresponding one-time password from the token assigned to that user. Press the Test button. If the test succeeds, users can now establish VPN connections using their CRYPTOCard tokens. If the test fails, revisit the RADIUS server settings.

Press the Apply button to commit all changes.


Equinux VPN Tracker Configuration

Connections Tab

Enter a name for identifying the VPN connection to be created.

Select SonicWALL from the Vendor pull-down menu.

From the Model pick list, choose the model name that describes your SonicWALL Security Appliance.

Enable the desired Connection Options by clicking on the checkboxes beside each option.

Network Tab

Choose Host to Network as the Topology to be used for the VPN connection.

Leave the Network Port setting at the default of Automatic.

Enter the IP address of the SonicWALL Security Appliance in the VPN Gateway Address field.

Set the Remote Network/Mask fields to values corresponding to the start of the address range and network mask of the network to be joined once the VPN connection is established.


Authentication Tab

Ensure that the Enable Extended Authentication (XAUTH) checkbox is active. This is mandatory for RADIUS authentication with SonicWALL Security Appliances.

Identifier Tab

The Local Identifier and Remote Identifier attributes should be left in their default states.


DNS Tab

If a remote DNS Server is to be used for name and IP address resolution, activate the Use Remote DNS Server checkbox. Enter the IP address or hostname of the remote server in the DNS Server field. Add domain name entries to the Search Domains field and use the radio buttons in the Options field to further specify how and when the remote DNS server should be consulted.

Press the OK button to commit the changes.

To initiate the VPN connection, simply press the Start VPN button from the main VPN Tracker Window.

When prompted, enter your assigned user name in the User Name field of the Authenticate Pop-up Window.

Generate a one-time-password (OTP) with your CRYPTOCard token and enter it into the User Password field. If you have been assigned a server-side PIN, be certain to prepend it to the OTP from your token.

DO NOT activate the Remember this password (add to keychain) checkbox.

Press the OK Button to authenticate and establish the VPN connection.


Press the Stop VPN button from the main VPN Tracker Window to tear down the VPN connection.