VPN Support
Ingate Virtual Private Network (VPN) can
communicate with any VPN clients, firewalls and other products
supporting the IPSec and IKE protocols.
Ingate VPN is included in all Ingate Firewalls and SIParators. Following are technical specifications and
other critical information for users of Ingate VPN.
Using VPN
To use VPN from off-site locations with an Ingate
Firewall, VPN client software must be installed on the traveling
computer. A Certifying Authority (CA)
for signing certificates is also required.
Technical specifications for Ingate VPN
Compatible VPN software must meet the following requirements:
- The IETF standards IPSec and IKE (or PPTP) must be supported.
- Authentication must use preshared keys or X.509 certificates. Other
authentication methods based on preshared keys, digital signatures or
certificates are not supported by Ingate VPN.
- For VPN clients, X.509 certificates
as authentication must be used.
- Main Mode must be supported. Ingate Firewall® does not support
Aggressive Mode.
- At least one of the encryption algorithms 3DES or AES must be
supported. Keep in mind that 3DES uses a 168-bit key, and some countries
do not allow export of products with such a strong encryption algorithm.
- ESP must be used for traffic encryption. The ESP standard permits
the use of authentication only, but Ingate VPN will not permit this
for security reasons.
- At least one of the authentication algorithms MD5 or SHA1 must be
supported. (Almost all security products support these methods.)
- Tunnel mode must be used. Transport mode is not supported.
- PFS (Perfect Forward Secrecy), group 2 or 5, must be supported. Be
aware that PFS is turned off as default in some products.
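The compatibility list above can be turned into a mechanical check of a proposed IKE/IPsec policy before a client is rolled out. The following is an added example, not Ingate's own code; the proposal dictionary, its field names and the two sample proposals are constructed for this example, since each VPN product has its own configuration syntax. It checks every item in the list and reports which ones a proposal violates.

```python
"""Check an IKE/IPsec proposal against the Ingate VPN compatibility list.

Added example, not Ingate's code. The dictionary format below is this
example's own assumption; map your product's settings onto it.
"""

# Requirements taken from the compatibility list.
SUPPORTED_AUTH = {"psk", "x509"}      # preshared key or X.509 certificate
SUPPORTED_ENC = {"3des", "aes"}       # at least one must be offered
SUPPORTED_HASH = {"md5", "sha1"}      # at least one must be offered
SUPPORTED_PFS_GROUPS = {2, 5}         # PFS must be on, group 2 or 5


def check_proposal(proposal, is_client=False):
    """Return a list of violations; an empty list means the proposal is compatible.

    Assumed keys:
      auth:        "psk" | "x509" | anything else
      ike_mode:    "main" | "aggressive"
      encryption:  set of offered cipher names
      integrity:   set of offered hash names
      protocol:    "esp" | "ah"
      esp_encrypt: False when ESP is configured for authentication only
      mode:        "tunnel" | "transport"
      pfs_group:   DH group number, or None when PFS is switched off
    """
    problems = []
    auth = proposal.get("auth")
    if auth not in SUPPORTED_AUTH:
        problems.append(f"authentication method {auth!r} not supported "
                        "(use preshared keys or X.509 certificates)")
    elif is_client and auth != "x509":
        problems.append("VPN clients must authenticate with X.509 certificates")
    if proposal.get("ike_mode") != "main":
        problems.append("IKE Main Mode required; Aggressive Mode is not supported")
    enc = {c.lower() for c in proposal.get("encryption", ())}
    if not enc & SUPPORTED_ENC:
        problems.append("no supported encryption algorithm offered (need 3DES or AES)")
    integ = {h.lower() for h in proposal.get("integrity", ())}
    if not integ & SUPPORTED_HASH:
        problems.append("no supported authentication algorithm offered (need MD5 or SHA1)")
    if proposal.get("protocol") != "esp":
        problems.append("ESP must be used for traffic encryption")
    elif not proposal.get("esp_encrypt", True):
        problems.append("ESP authentication-only is refused for security reasons")
    if proposal.get("mode") != "tunnel":
        problems.append("tunnel mode required; transport mode is not supported")
    group = proposal.get("pfs_group")
    if group is None:
        problems.append("PFS must be enabled (group 2 or 5); it is off in this proposal")
    elif group not in SUPPORTED_PFS_GROUPS:
        problems.append(f"PFS group {group} not supported; use group 2 or 5")
    return problems


# Constructed sample: a proposal with the defaults some products ship with.
WEAK_PROPOSAL = {
    "auth": "x509", "ike_mode": "aggressive", "encryption": {"des"},
    "integrity": {"sha1"}, "protocol": "esp", "esp_encrypt": False,
    "mode": "transport", "pfs_group": None,
}

# Constructed sample: the same client corrected to the compatibility list.
GOOD_CLIENT_PROPOSAL = {
    "auth": "x509", "ike_mode": "main", "encryption": {"aes", "3des"},
    "integrity": {"sha1"}, "protocol": "esp", "esp_encrypt": True,
    "mode": "tunnel", "pfs_group": 2,
}

if __name__ == "__main__":
    for name, prop in (("weak", WEAK_PROPOSAL), ("good", GOOD_CLIENT_PROPOSAL)):
        print(name, check_proposal(prop, is_client=True) or "compatible")
```

Run it as a script to see the five violations in the weak proposal and the empty list for the corrected one; the `is_client` flag applies the extra rule that VPN clients must use X.509 certificates.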
VPN Software
Following are examples of VPN software that
Ingate has successfully tested for compatibility with Ingate’s
firewalls.
Greenbow
The Greenbow client can be bought from any Ingate reseller.
SSH Sentinel
SSH Sentinel supports Windows 95, 98, NT, 2000 and XP.
SafeNet
SafeNet is a VPN client and supports Windows 98, NT and 2000 (not Windows 2000 for Cisco).
SafeNet U.S.
http://www.safenet-inc.com/
SafeNet Sweden
Principal agent in Sweden is MBG Elektronik AB, +46-(0)42-13 60 60.
FreeS/WAN
A free implementation for Linux, http://www.freeswan.org/, combined with the X.509
patch at http://www.strongsec.com/freeswan/.
X.509 Certificates
In order to be compatible with Ingate IPSec VPN, the
IPSec software on the network must be authenticated by X.509
certificates, which are used to identify a computer when it
communicates with other computers. An X.509 certificate is digitally
signed to ensure that no one has changed the certificate. This
signature is made by a special kind of software, called a Certifying Authority (CA).
The construction of an X.509 certificate
An X.509 certificate consists of two parts:
private and public. The private part should be kept secret and should
not be moved more than is necessary. The public part can be freely
distributed.
The public part contains a Distinguished Name (DN). A DN consists
of several fields, each describing one aspect of the computer's identity,
and the CA signs the certificate to guarantee this identity.
Certifying Authority
A Certifying Authority (CA) can be compared to a
passport authority. The passport authority guarantees that the
passport identity is correct, and uses various methods to make the
passport hard to forge.
A CA producing X.509 certificates works in the same way. It uses a
digital signature to guarantee that the certificate belongs to the
computer using it. It is important that no unauthorized people can
access the CA.
A CA has a certificate of its own. This certificate can be signed
by the CA itself, as with the Ingate VPN's certificate engine.
This is how a certificate is created:
- The private part of the certificate is created.
- A certificate request is created.
- The public part of the certificate is created by the CA signing the certificate request.
Installation and protection of the CA server
The CA of a company is among the most important
things protecting the company's computer system. It should be
installed on a machine that is designated solely for CA, and both
physical and network access to it should be as restricted as
possible.
The CA certificate is protected by a password used when another
certificate is signed. This password should only be known by those who
need to be able to sign certificates.
VPN clients need to know the public part of the CA's own
certificate, so this should be put someplace where all current and
future users can reach it. Back up both the public and the private part of
the CA's certificate, and store the backup where it cannot be
modified or read.
VPN client certificate signing routines
There are two ways to create certificates for VPN clients:
- By making the client create a certificate request and only using the CA for signing the public part
- By using the CA for creating both keys and certificate for the client
From a security perspective, the first alternative is better, as the private part of the client certificate never leaves the client.
Following are suggested routines for creating and signing certificates for VPN clients and distribution of keys to and from the Ingate Firewall®.
Certificate signing routine
This routine is used for clients able to create their own certificates, but which need help with signing them.
- Let the client create a certificate request. The secret key is created on the client at this point.
- Send the certificate request from the client to the CA. This step is not security-critical.
- Sign the certificate request.
- Send the signed certificate back to the client. This step is not security-critical.
- Configure the firewall with the new certificate. (See the Ingate Firewall® manual for more information.)
- Download the certificate for the firewall and send it to the client. This step is not security-critical.
Certificate creation routine
This routine is used for clients who cannot create certificates themselves.
- Create a new certificate on the CA.
- Distribute the private part of the certificate to the client, either over an encrypted network connection or on removable media such as a floppy disk. This step is security-critical!
- Distribute the public part of the certificate to the client. This step is not security-critical.
- Back up the private part of the certificate in the same way as for the CA certificate.
- Configure the firewall with the new certificate. (See the Ingate Firewall® manual for more information.)
- Download the certificate for the firewall and send it to the client. This step is not security-critical.
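The three certificate steps described under "This is how a certificate is created", the certificate signing routine and the certificate creation routine can be walked through in code. The following is an added example written with the Python `cryptography` library; it is not Ingate's certificate engine, and the CA name, DN fields, validity periods and passphrase are constructed for this example. It shows why the signing routine is preferred: in `client_make_request` the private key is generated on the client and only the request travels to the CA, whereas in `ca_create_client_keypair` the CA produces the key as well, so the encrypted private part must afterwards be delivered to the client, which is the security-critical step.

```python
"""Client certificate signing and creation routines with a self-signed CA.

Added example, not Ingate's code. Uses the `cryptography` library;
all names, DN values and validity periods are constructed.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_ca(common_name="Example Corp VPN CA"):
    """Create a CA whose certificate is signed by the CA itself. Returns (key, cert)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "SE"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])
    now = datetime.datetime.utcnow()
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def client_make_request(common_name):
    """Signing routine step 1: the client creates its private key and a request.

    The key never leaves this function's caller; only the PEM request travels
    to the CA (step 2, not security-critical)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([                     # DN fields describing the computer
        x509.NameAttribute(NameOID.COUNTRY_NAME, "SE"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "VPN clients"),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])
    csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())
    return key, csr.public_bytes(serialization.Encoding.PEM)


def ca_sign_request(ca_key, ca_cert, csr_pem, days=365):
    """Signing routine step 3: the CA checks the request and signs the public part."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("certificate request signature is invalid")
    now = datetime.datetime.utcnow()
    cert = (x509.CertificateBuilder()
            .subject_name(csr.subject)
            .issuer_name(ca_cert.subject)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)   # step 4: back to the client


def client_certificate_matches(client_key, cert_pem, ca_cert):
    """Client-side check: the returned certificate carries our key and the CA's signature."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    spki = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    if client_key.public_key().public_bytes(*spki) != cert.public_key().public_bytes(*spki):
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        return False
    return cert.issuer == ca_cert.subject


def ca_create_client_keypair(ca_key, ca_cert, common_name, passphrase=b"constructed-passphrase"):
    """Creation routine: the CA makes both key and certificate, so the encrypted
    private part must then be delivered to the client (the security-critical step)."""
    key, csr_pem = client_make_request(common_name)      # same code, but run on the CA host
    cert_pem = ca_sign_request(ca_key, ca_cert, csr_pem)
    key_pem = key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                serialization.BestAvailableEncryption(passphrase))
    return key_pem, cert_pem


def run_signing_routine(common_name="laptop-alice"):
    """Whole signing routine; True when the client ends up with a CA-signed certificate."""
    ca_key, ca_cert = make_ca()
    client_key, csr_pem = client_make_request(common_name)
    cert_pem = ca_sign_request(ca_key, ca_cert, csr_pem)
    return client_certificate_matches(client_key, cert_pem, ca_cert)


if __name__ == "__main__":
    print("signing routine ok:", run_signing_routine())
```

`client_certificate_matches` is the check a client should make before installing a returned certificate: the public key must be its own, the signature must verify with the CA's public key, and the issuer must be the CA it expects, which is why the CA's public certificate has to be available to every current and future user.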