

Creating a Road Warrior-to-Gateway Connection



\includegraphics{images/SafeNET-01.eps}



  1. From the Start Menu of the Windows client, select Programs, SoftRemoteLT, Security Policy Editor.



    \includegraphics{images/SafeNET-02.eps}



  2. The Security Policy Editor menu will appear. From the tool-bar select Options.



    \includegraphics{images/SafeNET-03.eps}



  3. From the Options menu choose Certificate Manager.



    \includegraphics{images/SafeNET-04.eps}



  4. The Certificate Manager window will appear. In the current tab, My Certificates, click the Import Certificate button.



    \includegraphics{images/SafeNET-05.eps}



  5. Click the Browse button in the Import Personal Certificate menu to search for the PKCS#12 Certificate. Make certain that Personal Certificate (PKCS12)(*.p12) is selected under the File of Type pull-down menu. Once the file has been located, click Open.



    \includegraphics{images/SafeNET-06.eps}



  6. On the Import Personal Certificate menu make certain the PKCS#12 Personal Certificate check-box is selected under the Import Type.
  7. Enter the password used when the certificate was created into the Password field and click the Import button.



    \includegraphics{images/SafeNET-06.eps}



  8. You will be prompted to verify the certificate. Click Yes.



    \includegraphics{images/SafeNET-07.eps}



  9. The certificate will now be listed in the My Certificates tab of the Certificate Manager.



    \includegraphics{images/SafeNET-08.eps}



  10. From the Certificate Manager menu select the Root CA Certificate tab and click the Import Certificate... button.



    \includegraphics{images/SafeNET-09.eps}



  11. Under the Files of Type pull-down menu choose Binary certificate files (*.der) in the Import CA Certificate menu.
  12. Browse to where the saved certificate is, select the certificate and click Import.
  13. Click the Close button after adding these certificates.



    \includegraphics{images/SafeNET-11.eps}



  14. From the Security Policy Editor window click Edit from the tool-bar, then select Add and Connection.



    \includegraphics{images/SafeNET-12.eps}



    1. Rename the new connection to an appropriate name, such as the one in the example below. When a new connection is first created you have the option to rename it. To change it later, select Edit from the tool-bar and then click Rename.
    2. Under Connection Security, select Secure.
    3. Confirm the Only Connect Manually checkbox is not checked.
    4. Under Remote Party Identity and Address, from the ID Type pull-down select Distinguished Name.
    5. Click the Edit Name... button.
    6. Fill in the Edit Distinguished Name fields with the CA Certificate from the Guardian Digital VPN server that was imported earlier.



      \resizebox*{2.8in}{!}{\includegraphics{images/SafeNET-13.eps}}



    7. Next, enter the IP Address of the Guardian Digital VPN server into the IP Address field located next to the Edit Name... button.
    8. Confirm the Protocol field is set to All.
    9. Make certain the Connect Using checkbox is not checked and the entire field is grayed out.



    \includegraphics{images/SafeNET-14.eps}



  15. Expand the new connection that was just created in the Network Security Policy section by clicking on the '+' next to the name.
  16. Two options will appear. Select My Identity by clicking on it once.



    \includegraphics{images/SafeNET-15.eps}



    1. Under Select Certificate found in the My Identity portion of the right-side window, select from the pull-down menu the certificate that was imported earlier.
    2. In the ID Type pull-down menu, Distinguished Name should be selected. The fields around it should be grayed out and filled in with information from the certificate.
    3. In the Internet Interface pull-down make sure Any is selected. This will gray out the other fields in this section.



    \includegraphics{images/SafeNET-16.eps}



  17. From the Network Security Policy window select the second option below the new connection, Security Policy.

    1. Under Select Phase 1 Negotiation Mode, select Main Mode.
    2. Check the Enable Perfect Forward Secrecy (PFS) box.
    3. From the PFS Key Group pull-down menu select Diffie-Hellman Group 2.
    4. Remove the check from Enable Replay Detection.



    \includegraphics{images/SafeNET-17.eps}



  18. In Network Security Policy expand the Security Policy by clicking the '+', then expand Authentication (Phase 1), and highlight Proposal 1.

    1. For the Authentication Method choose RSA Signatures.
    2. Under Encryption and Data Integrity Algorithms, for Encrypt Alg, choose Triple DES.
    3. Select SHA-1 for the Hash Alg.
    4. Under SA Life, choose Seconds, and enter 300 (5 minutes) for the number of seconds.
    5. Lastly select Diffie-Hellman Group 2 from the Key Group pull-down menu.


    \includegraphics{images/SafeNET-19.eps}



  19. Returning to the Network Security Policy window, expand Key Exchange (Phase 2) by clicking the '+', and highlight Proposal 1.

    1. In the IP Sec Protocols section, select Seconds from the SA Life pull-down, enter 300 in the Seconds field and select None for Compression.
    2. Check Encapsulation Protocol (ESP) next.
    3. For Encrypt Alg. select Triple DES.
    4. Select SHA-1 for Hash Alg.
    5. From the Encapsulation pull-down menu select Tunnel.
    6. Uncheck Authentication Protocol (AH).


    \includegraphics{images/SafeNET-20.eps}



  20. The settings are now all configured for this connection. Go to the File menu on the tool bar and select Save.
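
Steps 5 to 12 import a PKCS#12 personal certificate and a DER root CA certificate, step 8 asks you to verify the certificate, and the Edit Distinguished Name dialog needs the certificate's name fields. The shell functions below, an added example that is not part of the original guide, use the OpenSSL command-line tool to read those values and to confirm that the personal certificate was issued by that CA before it is imported; the file names, subject names, password and the P12_PASS variable are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: pre-import checks with the OpenSSL CLI. File names, subject
# names and the password are constructed; pass the password via P12_PASS.

# Subject DN of the DER root CA file (the values for Edit Distinguished Name).
ca_subject() { openssl x509 -inform DER -in "$1" -noout -subject -nameopt RFC2253; }

# SHA-256 fingerprint, to compare out of band before answering the verify prompt.
ca_fingerprint() { openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256; }

# Subject DN of the personal certificate inside the PKCS#12 bundle.
p12_subject() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253
}

# Succeeds only if the personal certificate was issued by the given CA.
# Only certificates (-nokeys) are written to the temporary directory.
p12_chains_to_ca() {  # $1 = bundle.p12, $2 = ca.der
    tmp=$(mktemp -d) || return 1
    openssl x509 -inform DER -in "$2" -out "$tmp/ca.pem" &&
        openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts \
            -out "$tmp/client.pem" 2>/dev/null &&
        openssl verify -CAfile "$tmp/ca.pem" "$tmp/client.pem" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Build a throwaway CA, road-warrior certificate, .p12 and .der in directory $1.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1/ca.key" \
        -subj "/C=US/O=Example Org/CN=Example VPN CA" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -keyout "$1/rw.key" \
        -subj "/C=US/O=Example Org/CN=roadwarrior" -out "$1/rw.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/rw.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/rw.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/rw.key" -in "$1/rw.pem" \
        -passout env:P12_PASS -out "$1/rw.p12" &&
    openssl x509 -in "$1/ca.pem" -outform DER -out "$1/ca.der"
}

export P12_PASS='constructed-demo-password'
demo=$(mktemp -d) && make_demo_files "$demo" && ca_subject "$demo/ca.der" &&
    ca_fingerprint "$demo/ca.der" && p12_subject "$demo/rw.p12" &&
    p12_chains_to_ca "$demo/rw.p12" "$demo/ca.der" && echo "chain OK"
rm -rf "$demo"
```

On real files, run the three check functions on a machine with OpenSSL installed, with P12_PASS set to the password used when the certificate was created.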



docs@guardiandigital.com 2003-09-09