Netasq F50 & GreenBow IPsec VPN Software Configuration
Configuration Guide
Netasq f50
firmware v6.2.1
WebSite: http://www.thegreenbow.com
Contact: support@thegreenbow.com
IPSec VPN Router Configuration Property of TheGreenBow Sistech SA - © Sistech 2001-2006 0/15
Doc.Ref tgbvpn_cg_Netasq F50_en
Doc.version 1.0 –June.2006
VPN version 3.1x
Table of contents
1 Introduction
1.1 Goal of this document
1.2 VPN Network topology
2 Configuring IPSec Road Warrior connection with Netasq F50
3 TheGreenBow IPSec VPN Client configuration
3.1 VPN Client Phase 1 Configuration
3.2 VPN Client Phase 2 Configuration
4 VPN IPSec Troubleshooting
4.1 « PAYLOAD MALFORMED » error
4.2 « INVALID COOKIE » error
4.3 « no keystate » error
4.4 « received remote ID other than expected » error
4.5 « NO PROPOSAL CHOSEN » error
4.6 « INVALID ID INFORMATION » error
4.7 I clicked on “Open tunnel”, but nothing happens.
4.8 The VPN tunnel is up but I can’t ping!
5 Contacts
1 Introduction
1.1 Goal of this document
This configuration guide describes how to configure TheGreenBow IPSec VPN Client with a Netasq F50 running
firmware v6.2.1. It is not a document about F50 administration (see Netasq for further information about this
hardware).
The VPN configuration was done using Netasq Global Administration v1.3.0.
[Figure: VPN network topology; IPSec VPN Client at 10.0.0.78 (as seen on the LAN)]
In this example we chose strong encryption. Enter the name and click Next.
Select the end point. A roadwarrior configuration requires “Any” as the remote host.
Press Finish.
Once the wizard closes, an overview screen of your VPN tunnel pops up.
Choose Pre-shared key configuration, check the “Show in text string” box to switch the view from hexadecimal to
ASCII, then enter your key and the peer identity (we used an IP address).
Select proposal 1 and choose the Hash and Encryption algorithms and the DH group. In our example we chose aes128,
sha1 and DH2 (1024 bits).
Select policy 1 in key exchange (phase 2) and choose the PFS key group.
Press Send to save your VPN configuration to the F50. The next screen is the VPN slots overview.
Activate your VPN.
Phase 1 Configuration
The remote gateway can be either a dyndns name or a public IP address. The pre-shared key, Encryption,
Authentication and DH group must match the F50 settings.
Select P1 Advanced.
The type of ID and its value were previously entered in the Netasq VPN pre-shared key configuration screen.
The VPN client address must not belong to the remote subnet range.
Phase 2 Advanced is used to enter DNS and/or WINS server addresses that differ from the ones the VPN client was
using before the tunnel is established.
If you have a « PAYLOAD MALFORMED » error, you might have a wrong Phase 1 [SA]. Check that the encryption
algorithms are the same on each side of the VPN tunnel.
If you have an « INVALID COOKIE » error, it means that one of the endpoints is using an SA that is no longer in use.
Reset the VPN connection on each side.
If you have a « no keystate » error, check if the preshared key is correct or if the local ID is correct (see
« Advanced » button). You should have more information in the remote endpoint logs.
If you have a « received remote ID other than expected » error, the « Remote ID » value (see « Advanced » button)
does not match what the remote endpoint is expecting.
If you have a « NO PROPOSAL CHOSEN » error, check that the « Phase 2 » encryption algorithms are the
same on each side of the VPN Tunnel.
Check « Phase 1 » algorithms if you have this:
115911 Default (SA CNXVPN1 -P1) SEND phase 1 Main Mode [SA][VID]
115911 Default RECV Informational [NOTIFY] with NO_PROPOSAL_CHOSEN error
If you have an « INVALID ID INFORMATION » error, check that the « Phase 2 » ID (local address and network
address) is correct and matches what is expected by the remote endpoint.
Also check the ID type (“Subnet address” and “Single address”). If the network mask is not checked, you are using an
IPV4_ADDR type (and not an IPV4_SUBNET type).
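The troubleshooting rules above can be applied mechanically to a saved client console log. The following is an added example, not part of TheGreenBow's guide or software: it tracks which phase was last sent so that NO_PROPOSAL_CHOSEN is attributed to Phase 1 or Phase 2 as the text describes. The underscore spelling of the other error names and the Phase 2 sample line are assumptions; the sample log is constructed.

```python
import re

# Advice paraphrased from the troubleshooting text of this guide.
ADVICE = {
    "PAYLOAD_MALFORMED": "wrong Phase 1 [SA]: compare encryption algorithms on both sides",
    "INVALID_COOKIE": "an endpoint uses a stale SA: reset the VPN connection on each side",
    "INVALID_ID_INFORMATION": "check Phase 2 ID (local/network address) and ID type",
}

SEND_RE = re.compile(r"\bSEND phase (\d)\b")
NOTIFY_RE = re.compile(r"\bRECV Informational \[NOTIFY\] with (\w+) error")

# Constructed sample: the first two lines follow the guide's excerpt,
# the rest are assumed to use the same layout.
SAMPLE_LOG = [
    "115911 Default (SA CNXVPN1 -P1) SEND phase 1 Main Mode [SA][VID]",
    "115911 Default RECV Informational [NOTIFY] with NO_PROPOSAL_CHOSEN error",
    "120105 Default (SA CNXVPN1-CNXVPN1-P2) SEND phase 2 Quick Mode [HASH][SA][NONCE][ID][ID]",
    "120105 Default RECV Informational [NOTIFY] with NO_PROPOSAL_CHOSEN error",
    "120230 Default RECV Informational [NOTIFY] with INVALID_ID_INFORMATION error",
]

def triage(lines):
    """Return (error, last_sent_phase, advice) for every NOTIFY error line."""
    findings = []
    last_phase = None  # phase number of the most recent SEND line
    for line in lines:
        sent = SEND_RE.search(line)
        if sent:
            last_phase = int(sent.group(1))
            continue
        notify = NOTIFY_RE.search(line)
        if not notify:
            continue
        error = notify.group(1)
        if error == "NO_PROPOSAL_CHOSEN":
            # Rejected right after a Phase 1 SEND: Phase 1 algorithms differ.
            # Otherwise the guide points at the Phase 2 algorithms.
            phase = 1 if last_phase == 1 else 2
            advice = f"check Phase {phase} algorithms on both sides"
        else:
            advice = ADVICE.get(error, "not covered here; see remote endpoint logs")
        findings.append((error, last_phase, advice))
    return findings

if __name__ == "__main__":
    for error, phase, advice in triage(SAMPLE_LOG):
        print(f"{error} (after phase {phase} SEND): {advice}")
```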
5 Contacts
News and updates on TheGreenBow web site: http://www.thegreenbow.com
Technical support by email at support@thegreenbow.com
Sales contacts at +33 1 43 12 39 37 or by email at info@thegreenbow.com