Overview of configuration steps

Configuration of the VPN gateway

Field	Menu	Value
Address mode	LAN -> IP Configuration-> Interfaces -> <en1-0>	`Static`
IP Address/Netmask	LAN -> IP Configuration-> Interfaces -> <en1-0>	e.g. `192.168.0.30` / `255.255.255.0`
Interface Mode	LAN -> IP Configuration-> Interfaces -> <en1-0>	`Manual`
Proxy ARP	LAN -> IP Configuration-> Interfaces -> <en1-0>	`Enabled`

VPN Configuration

Field	Menu	Value
IP pool name	VPN -> IPSec ->IP Pools -> Add	e.g. `pool` .
IP pool range	VPN -> IPSec ->IP Pools -> Add	e.g. `192.168.0.150` - `192.168.0.180`

Importing Certificates

Field	Menu	Value
External Filename	VPN -> Certificates -> Certificate List -> Import	e.g. `/usr/lib/ssl/misc/vpn-gateway/vpn-gateway.p12`
Local Certificate Description	VPN -> Certificates -> Certificate List -> Import	e.g. `vpn gateway`
Password	VPN -> Certificates -> Certificate List -> Import	Password for PKCS#12 certificate

Configuration of Phase 1 Profiles

Field	Menu	Value
Authentication Method	VPN -> IPSec ->Phase 1 Profiles -> Edit	`RSA Signature`
Local Certificate	VPN -> IPSec ->Phase 1 Profiles -> Edit	e.g. `vpn gateway`
Mode	VPN -> IPSec ->Phase 1 Profiles -> Edit	`Main Mode (ID Protect)`
Local ID Value	VPN -> IPSec ->Phase 1 Profiles -> Edit	Enable `Use Subject Name from Certificate`

IPSec peers configuration

Field	Menu	Value
Administrative Status	VPN -> IPSec ->IPSec Peers ->	`Active`
Description	VPN -> IPSec ->IPSec Peers ->	e.g. `vpnclient1`
Peer ID	VPN -> IPSec ->IPSec Peers ->	`ASN.1-DN (Distinguished Name)` and `MAILTO=vpnclientuser@bintec-elmeg.com, CN=vpnclientuser, OU=sales, O=FEC, L=nuernberg, ST=bavaria, C=DE`
IP Address Assignment	VPN -> IPSec ->IPSec Peers ->	`IKE Config Mode`
IP Assignment Pool	VPN -> IPSec ->IPSec Peers ->	`pool`
Local IP Address	VPN -> IPSec ->IPSec Peers ->	e.g. `192.168.0.30`
Phase 1 Profile	VPN -> IPSec -> IPSec Peers -> -> Advanced Settings	` RSA Multiproposal`*
Phase 2 Profile	VPN -> IPSec -> IPSec Peers -> -> Advanced Settings	` Multi-Proposal`*
Proxy ARP	VPN -> IPSec -> IPSec Peers -> -> Advanced Settings	`Up or Dormant`

Configuration of bintec secure IPSec clients

Field	Menu	Value
Connector Type	Assistant for new profile	`Connection to company network via IPSec`
Profile Name	Assistant for new profile	`Head Office`
Connection Medium	Assistant for new profile	`LAN (over IP)`
User Name	Assistant for new profile	e.g. `vpngateway.bintec-elmeg.com`
Exchange Mode	Assistant for new profile	Main Mode
PFS Group	Assistant for new profile	DH Group 2 (1024 Bit)
Local Identity	Assistant for new profile	`ASN1 Distinguished Name`
IP address assignment	Assistant for new profile	`Use IKE Config Mode`
Stateful Inspection	Assistant for new profile	`off`
NetBIOS over IP	Assistant for new profile	Enabled

Copy certificates

Field	Menu	Value
Name	Configuration -> Certificates -> Add	`IPSecClientCertificate`
Certificate	Configuration -> Certificates -> Add	`from PKCS#12 file`
PKCS#12 data name	Configuration -> Certificates -> Add	`bintec secure IPSec client\vpnclientuser1.p12`

Profile Settings

Field	Menu	Value
Gateway (Tunnel Endpoint)	Configuration -> Profile -> Edit -> IPSec Settings	`vpngateway.bintec-elmeg.com`
IKE Policy	Configuration -> Profile -> Edit -> IPSec Settings	`RSA Signature`
IPSec Guideline	Configuration -> Profile -> Edit -> IPSec Settings	`ESP - AES128 - MD5`
Exchange Mode	Configuration -> Profile -> Edit -> IPSec Settings	`Main Mode`
PFS Group	Configuration -> Profile -> Edit -> IPSec Settings	`DH Group 2 (1024 Bit)`
Type	Configuration -> Profile -> Edit -> Identity	ASN1 Distinguished Name
Certificate Configuration	Configuration -> Profile -> Edit -> Identity	IPSecClientCertificate

Setup of the VPN IPSec tunnel

Field	Menu	Value
PIN	PIN Entry	`Password for PKCS#12 certificate`

RADIUS settings

Field	Menu	Value
Authentication Type	System Administration -> Remote Authentication -> RADIUS -> New	`XAUTH`
Server IP Address	System Administration -> Remote Authentication -> RADIUS -> New	e.g. `192.168.0.111`
RADIUS Password	System Administration -> Remote Authentication -> RADIUS -> New	The Radius password saved on the SecOVID server
Group description	System Administration -> Remote Authentication -> RADIUS -> New	`xauth`

XAUTH Configuration

Field	Menu	Value
Description	VPN -> IPSec ->XAUTH Profiles -> New	e.g. `radius`
Role	VPN -> IPSec ->XAUTH Profiles -> New	`Server`
Mode	VPN -> IPSec ->XAUTH Profiles -> New	`RADIUS`
RADIUS Server Group ID	VPN -> IPSec ->XAUTH Profiles -> New	`xauth`

IPSec peers configuration

Field	Menu	Value
XAUTH Profile	VPN -> IPSec -> IPSec Peers -> -> Advanced Settings	`radius`

Profile Settings

Field	Menu	Value
Type	Configuration -> Profile -> Edit -> Identity	ASN1 Distinguished Name
Certificate Configuration	Configuration -> Profile -> Edit -> Identity	IPSecClientCertificate
User Name	Configuration -> Profile -> Edit -> Identity	e.g. `jeveryman` .

Copyright© Version 01/2020 bintec elmeg GmbH