IPSec/VPN issues... help!

AStar617

Diamond Member
Sep 29, 2002
4,983
Has anyone gotten the VPN functionality going on a Webramp 700s box? I have it unlocked and available for configuration, but I would like to be able to use an XP built-in connection to get inside (i.e., no third party clients)...

Now, normally XP only supports PPTP, BUT I have done some digging and determined that you can actually turn on IPSec functionality from XP's MMC (apparently not many people realize this). The question is, I'm not sure exactly what I should be choosing. And does it matter if my 700s is using DHCP to get its address from Comcast since the clients will all be using DHCP as well?

So really I need config advice on both ends, server side and client side. A little info on the current config: The Webramp had VPN enabled, with NetBIOS broadcasts enabled as well. The VPN gateway is set as my Comcast DHCP address. A unique firewall identifier is specified, and it matches the name since I believe this has to be because I have a DHCP address (I could be incorrect in this assumption). MD5 Authentication is set (no encryption). I chose IKE, and a shared secret has been established. The network to connect to is 192.168.1.0 (my NAT range), 255.255.255.0 mask. On the XP client side, the IPSec snap-in has been added using MMC. Under the "Security" tab for the connection, advanced settings have been chosen, with 'MD5 challenge' selected and 'no encryption allowed' chosen to facilitate MD5. The shared secret has been entered into the client side as well.

Am I on the right track at all? I'm still a security noob--apparently my intermediate knowledge of Sun/Solaris in networked environments isn't translating too well into secure networked environments :D I figure my issues are generic to IPSec/VPN, but if you've done this on a Webramp that would be great since you could let me know exactly what screen my problems are on :)

Thanks to anyone who can shed some light on this for me!!

Saltin

Platinum Member
Jul 21, 2001
2,175
Now, normally XP only supports PPTP, BUT I have done some digging and determined that you can actually turn on IPSec functionality from XP's MMC (apparently not many people realize this).

All Windows systems from 2k up include full support for IPsec. There aren't any "modifications" needed to allow this; it's native.

The fact that you are employing the MMC to configure IPsec is part of your problem (afaict).
The MMC you are using is typically used to configure IPsec policy for encryption of certain protocols under certain circumstances (example : a machine passing payroll information to a print server, or a DC passing AD replication across a public network).

Simple client side connections, where XP connects to a VPN server, are configured from My Network Places (right click My Network Places and choose properties, then "new connection").

After that, in the wizard that appears, select "Connect to a network at my workplace", and then "VPN". After that, you just name the connection and tell it what IP you want to connect to.

When that is finished, you'll have a new connectoid in My Network Places. If you right click that and select properties and then the Networking tab, you'll see a drop down box for "VPN Type". The options are PPTP, IPSec, and automatic. By default it's set to automatic, which is fine for you.

That's all you have to do client side. There are no tricks or behind the scenes configuration needed.


AStar617

Diamond Member
Sep 29, 2002
4,983
Thanks for the reply.

The problem is, the only way I can get the IPSec options button at all on the Security tab is to add the snap-in for IPSec. Without this, there is no way for me to even enter the pre-shared secret key. Something must be missing client side. So while I don't doubt you are right that it shouldn't be required, how else will I be able to validate through MD5 without that preshared secret? Does MD5 even make use of the preshared secret for validation at all?

Also, do I need to somehow establish a username/password of some sort? There is no server (RADIUS or otherwise) to validate against, the Webramp has no account management of that sort either, and the client side VPN profile can hide the user/pass fields and just try to connect (that's how I have it right now)... how should this be negotiated?
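Where "MD5 authentication" and the pre-shared secret actually sit in IPsec, as an added example that is not part of this thread: in IPsec, MD5 is never applied to a password on its own. Per-packet integrity uses keyed HMAC-MD5 truncated to 96 bits (RFC 2403), and with IKEv1 pre-shared-key authentication the shared secret seeds the IKE key derivation, SKEYID = prf(pre-shared-key, Ni_b | Nr_b), from which SKEYID_d, SKEYID_a and SKEYID_e follow (RFC 2409, section 5). The Python below reproduces those calculations; the secret, nonces, cookies and Diffie-Hellman result are all constructed values, and the per-packet integrity key is a stand-in for what a real implementation would derive in quick mode.

```python
import hashlib
import hmac

# Every key, nonce and cookie in this file is a constructed example value.


def prf_hmac_md5(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf when HMAC-MD5 is the negotiated hash (RFC 2409, section 5.4)."""
    return hmac.new(key, data, hashlib.md5).digest()


def ikev1_psk_skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 5.4, pre-shared keys: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).

    The secret is the HMAC key; both peers must hold the same value or their
    SKEYID (and everything derived from it) silently diverges.
    """
    return prf_hmac_md5(psk, ni + nr)


def ikev1_derive_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """RFC 2409 section 5: the three SKEYID_* values, each chained on the previous.

    gxy is the Diffie-Hellman shared secret; cky_i/cky_r are the ISAKMP cookies.
    """
    skeyid_d = prf_hmac_md5(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf_hmac_md5(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf_hmac_md5(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def hmac_md5_96(key: bytes, data: bytes) -> bytes:
    """RFC 2403: full 16-byte HMAC-MD5, truncated to the first 96 bits (12 bytes)."""
    return hmac.new(key, data, hashlib.md5).digest()[:12]


def ah_protect(integrity_key: bytes, payload: bytes) -> bytes:
    """Append the 12-byte ICV, the 'MD5 authentication' the Webramp UI refers to."""
    return payload + hmac_md5_96(integrity_key, payload)


def ah_verify(integrity_key: bytes, packet: bytes):
    """Return (ok, payload); ok is False on a wrong key or any modified byte."""
    if len(packet) < 12:
        return False, b""
    payload, icv = packet[:-12], packet[-12:]
    return hmac.compare_digest(icv, hmac_md5_96(integrity_key, payload)), payload


if __name__ == "__main__":
    # Constructed inputs for a stand-alone run.
    psk = b"constructed-shared-secret"
    ni, nr = bytes(range(16)), bytes(range(16, 32))
    skeyid = ikev1_psk_skeyid(psk, ni, nr)
    keys = ikev1_derive_keys(skeyid, b"\x11" * 32, b"\x01" * 8, b"\x02" * 8)
    print({k: v.hex() for k, v in keys.items()})
    integrity_key = b"constructed-16B!"  # stand-in for a quick-mode KEYMAT key
    packet = ah_protect(integrity_key, b"some IP payload")
    print(ah_verify(integrity_key, packet), ah_verify(b"wrong key", packet)[0])
```

The point for the thread's question: the "MD5" setting only tells IPsec which keyed hash to use for the ICV; the shared secret feeds the IKE derivation that produces those keys, so MD5 alone cannot authenticate a user the way a username/password does.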

AStar617

Diamond Member
Sep 29, 2002
4,983
Yet another question comes to mind: what ports (if any) on the Webramp are needed for this to work properly?

AT

Senior member
Oct 9, 1999
388
First let me say that I have no idea about Webramp products but I can give some general points.

The VPN available via the Windows networking wizard is IPSec/L2TP and requires an L2TP server at the endpoint. First the Windows VPN client creates an IPSec association and then authenticates itself using L2TP to a server. This is how the Windows 2000/3 VPN server works and it has all the pieces required included.

If you wish to use IPSec between Windows and some other IPSec implementation without L2TP such as Linux FreeSWAN or (I'm guessing) Webramp you have to create an IPSec policy without L2TP. It's not quite as easy to use as the standard client but it does the job.

This Technet article should give you an idea how to do it.

Here are a lot of resources that should help you get further.

mboy

Diamond Member
Jul 29, 2001
3,309
Did you flash the Webramp to Sonicwall's 5.1.7 firmware? Why are you so against using the Sonicwall's (if you indeed did flash) VPN software? It would make your life MUCH easier.

AStar617

Diamond Member
Sep 29, 2002
4,983
Thanks for the replies. The problem is essentially resolved. :) However, to better illustrate the scenario, I'll address the posts above before sharing my resolution.

AT - Thanks for the links to the info. That stuff will provide good in-depth reading now that my interest is piqued on this.

mboy - No, I did not flash to the SonicWall firmware, as there is no need to other than if having a SOHO1 gives you a warm and bubbly feeling inside. There is no functional difference, and since I received mine with 5.1.1, flashing to 5.1.7 just to change the logo in the corner is not worth the risk of a failed firmware update ruining the box. Also, understand that the necessity for the XP client was not by choice. Ramp Networks as a company went under before the release of Windows 2000, so the originally intended client was for Win95/98/NT4 only, so that was ruled out. If you attempt to use SonicWall's client, it asks during installation for a client product key which I don't have since I bought a bare box from Centrix and unlocked the VPN capability myself. Therefore, I wasn't "so against" using the prescribed client by any means; in fact, not having the client put me at a severe disadvantage. Without it, I couldn't simply follow any set of directions and set up the generic configuration to at least determine that my server settings were correct. It's like trying to shoot a moving target, since I was changing settings on both sides with no frame of reference whatsoever regarding a proper setup, client side or server side. But without the client key, I had no client. Therefore manipulating XP's capabilities was the next approach. This had the added potential bonus of being able to log in from any machine in the world without the installation of additional software, which is not always possible or allowed (of course, this bonus was assuming the setup process was fairly simple, which it definitely is NOT).

With all that said, here's the good stuff :) I've been taking this up on several places online, as well as with the Checkpoint experts at work. As it turns out, the Webramp itself is not a VPN server; rather, it can be the tunnel endpoint for a VPN server in your infrastructure. This is a critical fundamental understanding that I was missing. This explains the fact that I could not figure out how to negotiate any sort of authentication. If you want to authenticate VPN clients, the practical way to do this without the original client is to have a RADIUS server set up on your network, and have all the AAA (Authentication, Accounting, Authorization) handled by it. The only time the Preshared Secret Key field in the Security Association comes into play is if you are doing a site-to-site VPN between two Webramps, which works fine (this is the setup I am currently using with my brother's Webramp, sluggish of course since we are on asynchronous cable connections, around 256kbps upstream). I am in the process of installing Win2K Server with IAS (Microsoft's RADIUS server) on one of my boxes to facilitate a client login. Note that the settings in the Webramp on the RADIUS tab have their own field for a pre-shared key if you wanted to alternately use that for RADIUS authentication over a user/pass.

As I hinted above, the site-to-site between Webramps works perfectly fine. Here are simple walk-through directions I found that make the setup on both sides a snap. Remember to check that NetBIOS is allowed through the tunnel! If this is prevented, you will break the Windows filesharing functionality (i.e. you can't see their workgroup and browse to their folders). There are two boxes that govern this: On the VPN Summary tab, uncheck "Disable all VPN Windows Networking (NetBIOS) broadcast", and on the Configure screen for the SA you set up (see the linked instructions), check "Enable Windows Networking (NetBIOS) broadcast".

This site-to-site will suffice to get network games going with my brother without having to disconnect the Webramp physically and rebind a DHCP address from Comcast to my gaming system (most games use the NAT address which is no good on an external server, and don't allow manual entry). In fact, I plan on having my other brother get a Webramp too so we can have a 3-way site-to-site setup :) The RADIUS is being implemented because I ultimately want to be able to log a single host into the network.

That's pretty much it for now. I'll probably format this info better and publish a more readable FAQ/walkthrough at 2CPU.com when I get time. Thanks to everyone here, at 2CPU.com (especially big boi), everywhere else online, and at my company's Network Security & Solutions group (especially Kai Chin).
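What the RADIUS shared secret on the Webramp's RADIUS tab does for the AAA setup described above, as an added example that is neither the poster's configuration nor IAS code: under RFC 2865 the secret shared between the access device and the RADIUS server hides the User-Password attribute in the Access-Request (MD5-keyed XOR, chained per 16-byte block) and authenticates the server's Access-Accept/Access-Reject through the Response Authenticator, so a mismatched secret on either end produces an unverifiable exchange rather than a login. The Python below builds both sides of that exchange; the secret, user table, username and password are constructed values, and the packets are built in memory rather than sent on UDP 1812.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used in this example.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data: bytes) -> dict:
    """Parse TLV attributes, stopping (not looping) on a malformed length."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            break
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR block i with MD5(secret + previous block)."""
    width = max(1, -(-len(password) // 16)) * 16
    padded = password.ljust(width, b"\x00")
    out, prev = b"", req_auth  # first block keys off the Request Authenticator
    for i in range(0, width, 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as run by the RADIUS server."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def build_access_request(secret: bytes, ident: int, username: bytes, password: bytes) -> bytes:
    """Client (NAS) side: Code | Identifier | Length | Request Authenticator | attributes."""
    req_auth = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(secret, req_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(secret: bytes, code: int, ident: int, req_auth: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def server_handle(secret: bytes, users: dict, packet: bytes) -> bytes:
    """Constructed RADIUS server: check the revealed password against a user table."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], decode_attrs(packet[20:length])
    ok = False
    if code == ACCESS_REQUEST and ATTR_USER_NAME in attrs and ATTR_USER_PASSWORD in attrs:
        name = attrs[ATTR_USER_NAME]
        revealed = reveal_password(secret, req_auth, attrs[ATTR_USER_PASSWORD])
        ok = name in users and hmac.compare_digest(users[name], revealed)
    return build_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth)


def client_check_response(secret: bytes, request: bytes, response: bytes):
    """Return the response code, or None if the reply is not authentic for this request."""
    if len(response) < 20 or response[1] != request[1]:
        return None  # Identifier must match the outstanding request
    code, _, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


if __name__ == "__main__":
    secret, users = b"constructed-radius-secret", {b"alice": b"constructed-pw"}
    req = build_access_request(secret, 7, b"alice", b"constructed-pw")
    print(client_check_response(secret, req, server_handle(secret, users, req)))          # 2
    print(client_check_response(secret, req, server_handle(b"other-secret", users, req)))  # None
```

The two failure paths matter operationally: a wrong password yields a verifiable Access-Reject (code 3), while a wrong shared secret yields a reply the client cannot verify at all (None), which is the symptom to look for when the Webramp and IAS disagree on the secret.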