Additional securing of the VPN IPSec tunnel with a one-time password (optional)

To further secure the VPN IPSec tunnel, there is the option of enabling a one-time password request. This example describes the KOBIL SecOVID™ one-time password solution. The one-time password is generated with a token. At setup of the VPN IPSec tunnel, this one-time password is authenticated on the KOBIL SecOVID™ Radius Server.

Installation of the KOBIL SecOVID™ servers on a 32Bit Windows 2003 server

The installation program of the KOBIL SecOVID™ server is launched from the CD by opening the win32\server\SECOVID Server.exe file. Please read the setup output for your information and follow the instructions and recommendations of the installation routine. At the end of the installation routine, the logfile of the KOBIL SecOVID™ server should be checked to ensure that the server started up.

Installation of the KOBIL SecOVID™

Installation of the KOBIL SecOVID ™ administration tool

For installation of the KOBIL SecOVID™ administration tool under Win32 systems, proceed as follows:

Launching the KOBIL SecOVID™ administration tool

The KOBIL SecOVID™ administration tool is launched via the Start -> Programs -> SecOVID Admintools -> WxOvid menu. After the initial startup of the KOBIL SecOVID™ Admintools, the secret token data can be imported and added to the SecOVID database. For a SecOVID test, the token data are displayed in clear text; if you have purchased SecOVID tokens, the token data are generally provided in encrypted form. Token data (e.g. tokendata_firm.db) are imported via the menu Other Tokens -> Import Tokens.

Launching KOBIL SecOVID™ admintools

Token personalisation

To assign a token to a user, the token data set must first be blocked. After temporarily blocking a token data set, the user information can be saved by editing the entry. The value in the User Name field is later used, after configuration of the bintec secure IPSec client™, for the advanced IPSec authentication.

User information

The data set must subsequently be unblocked.

Unblock

Initial function test of the KOBIL SecOVID™ server

An initial function test can be performed with the command line tool radping.exe. Radping sends an authentication request containing the one-time password to the SecOVID RADIUS server. During installation, the tool was saved in the \etc\SecOVID\ directory.

With the -u option, the user name and the one-time password are transmitted to the SecOVID server. The one-time password must be generated with the user's token. The SecOVID server is addressed with the -S option. For the first function test, radping must be executed directly on the server. The RADIUS shared secret is passed with the -k option; the default value is secret. The SecOVID logfile (\etc\SecOVID\ovid.proto) displays the following message in case of successful authentication:

Function test

Configuration of the RADIUS client on the SecOVID server

All RADIUS clients (e.g. the bintec VPN gateway, or the test application radping) must be registered on the SecOVID server as RADIUS clients. For this, the configuration file \etc\SecOVID\clients is edited. In our example, the bintec VPN gateway with the IP address 192.168.0.30 and the RADIUS password radius_PWD is added. This password is subsequently also entered on the VPN gateway in the RADIUS settings. The SecOVID server service must be restarted for these changes to become effective.

Clients-Editor
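The function test with radping and the clients file both rely on the same RADIUS Access-Request exchange (RFC 2865): the client hides the one-time password with the shared secret and the Request Authenticator, the server looks up the client's secret by source IP, reveals the password and answers with a signed Access-Accept or Access-Reject. The following is an added example, not KOBIL's or bintec's code, that walks through both sides of that exchange in pure Python. The clients table, the token/OTP table, the user name alice and the OTP 483920 are constructed stand-ins for \etc\SecOVID\clients and the SecOVID token database; the real SecOVID OTP verification is proprietary and is replaced here by a plain lookup. It also shows the two failure modes a practitioner hits when setting this up: a source IP missing from the clients file gets no reply at all, and a mismatched shared secret surfaces as a Response Authenticator check failure on the client rather than as a normal reject.

```python
"""Minimal RFC 2865 Access-Request / Access-Accept exchange, both sides."""
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4

# Constructed stand-in for \etc\SecOVID\clients: source IP -> shared secret.
RADIUS_CLIENTS = {
    "192.168.0.30": b"radius_PWD",  # the bintec VPN gateway from the text
    "127.0.0.1": b"secret",         # radping run on the server, default secret
}

# Constructed stand-in for the token database: user -> currently valid OTP.
VALID_OTPS = {"alice": "483920"}


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte blocks with an MD5(secret + previous block) keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; chained on the *hidden* blocks, as the RFC specifies."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    """Type-Length-Value attribute; length covers the 2-byte header."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, otp, secret, nas_ip):
    """Client side (radping or the VPN gateway): User-Name + hidden User-Password."""
    request_auth = secrets.token_bytes(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(otp.encode(), secret, request_auth))
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def server_handle(packet, source_ip):
    """Simulated SecOVID RADIUS server. Unknown clients are silently discarded."""
    secret = RADIUS_CLIENTS.get(source_ip)
    if secret is None:
        return None
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    otp = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth).decode(errors="replace")
    code = ACCESS_ACCEPT if VALID_OTPS.get(user) == otp else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + b"" + secret).digest()
    return header + response_auth


def client_verify(reply, request, secret):
    """Client side: check the Response Authenticator before trusting the reply code."""
    header, response_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        raise ValueError("Response Authenticator mismatch")
    return reply[0]


def function_test(username, otp, client_secret, source_ip="127.0.0.1"):
    """Run one exchange and report the outcome as a short string."""
    request = build_access_request(1, username, otp, client_secret, source_ip)
    reply = server_handle(request, source_ip)
    if reply is None:
        return "no reply"               # source IP not in the clients file
    try:
        code = client_verify(reply, request, client_secret)
    except ValueError:
        return "authenticator mismatch"  # shared secret differs on both ends
    return "Access-Accept" if code == ACCESS_ACCEPT else "Access-Reject"


if __name__ == "__main__":
    print(function_test("alice", "483920", b"secret"))                    # local radping test
    print(function_test("alice", "483920", b"radius_PWD", "192.168.0.30"))  # the gateway
    print(function_test("alice", "483920", b"wrong", "192.168.0.30"))       # wrong password on the gateway
```

The last case is the one worth remembering when the gateway's RADIUS settings are filled in: with a wrong shared secret the server reveals garbage instead of the OTP and replies Access-Reject, but that reply is signed with the server's secret, so a correctly implemented client discards it as an authenticator mismatch and the tunnel simply fails to come up. The ovid.proto logfile on the server is then the place to look, since only the server side knows which secret was used.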