BiGuard C01 BiGuard VPN Client Secure access to Company Network User’s Manual Version Release 3.
Table of Contents
CHAPTER 1: INTRODUCTION
INTRODUCTION TO BIGUARD VPN CLIENT
FEATURES
CHAPTER 2: INSTALLING BIGUARD VPN CLIENT
How to set USB Mode on?
How to enable a new USB Stick?
How to automatically open tunnels when a USB Stick is plugged in?
Billion BiGuard VPN Client
Chapter 1: Introduction
Introduction to BiGuard VPN Client
Your network is constantly evolving as you integrate more business applications and consolidate servers. In that environment, it is becoming extremely complex to maintain total security at the edge while users, whether employees or teleworkers on the go, are working with customers and partners. You need to get access to those applications and servers quickly, easily and securely.
Invisible User Interface
Silent install and an invisible graphical interface allow IT managers to deploy solutions while preventing users from misusing configurations.
Configuration building User Interface and Command Line.
Chapter 2: Installing BiGuard VPN Client
Software installation
BiGuard VPN Client installation is a standard Windows installation that does not require specific information. After completing the installation, you will be asked to reboot your computer. After reboot and session login, a window appears requesting a license number. The license number is shown on the CD packaging.
Quit: will close this window and the software.
Software Evaluation
It is possible to use BiGuard VPN Client during the evaluation period (i.e. limited to 30 days) by clicking on the "Evaluate" button. When the IPSec VPN Client is in "Evaluation" mode, the register window appears at each boot of the client. The evaluation period is displayed in the yellow bar above. Once the evaluation period expires, the “Evaluation” button is no longer available and the software is disabled.
Step 1 of 2: Enter License Number
Activation requires a License Number. Enter your License Number and your email address, then click “Next” as shown below. The email address is used to send an activation confirmation email to the user once activation has been successfully performed. From VPN Client release 3.0 onward, the License Number format is a 24-digit number (i.e. 4 times 6 digits). The older License Number format is a 20-digit number.
Step 2 of 2: Online Activation
The “Activation Wizard” will automatically connect to the online software activation server to activate the VPN Client Software. You can go back at any time to change the License Number.
Activation errors
If an error is returned by the online software activation server, as shown below, click on the (help button) available in the window to get more online explanations and recommendations on how to proceed next.
exceeded Error 004 Wrong product code Error 050 Impossible to complete activation process Impossible to complete activation process Impossible to complete activation process Cannot connect activation server Error 051 Error 052 Error 053 Error 054 Error 055 processed for this specific license number. License numbers can not be used more than allowed by your IT department. The License number you've entered is not allowed on this software product.
Chapter 3: Navigating the User Interface
Navigating the user interface
BiGuard VPN Client is fully autonomous and can start and stop tunnels without user intervention, depending on traffic to certain destinations. However, it requires a VPN configuration. The VPN Client configuration is defined in a VPN configuration file. The software user interface allows creating, modifying, saving, exporting or importing the VPN configurations together with security elements (e.g.
A left-button click on the VPN icon opens the configuration user interface. A right-button click shows the following menu:
- Quit: closes established VPN tunnels and stops the configuration user interface.
- Save & Apply: closes established VPN tunnels, applies the latest VPN configuration modification and reopens all the VPN tunnels.
- Console: shows the log window.
- Connections: opens the list of already established VPN tunnels.
Main Window
The main window is made of several elements:
1. Three buttons “Console”, “Parameters” and “Connections” (left column).
2. A tree list window (left window) that contains all IKE and IPSec configuration.
3. A configuration window (right window) that shows the associated tree level.
Main Menus
There are several menus, as follows:
File: used to Import or Export a configuration. It is also used to choose the location of the VPN Configuration: local or USB….
Status Bar
The status bar displays several pieces of information: The left side box indicates the VPN configuration location. For example, if the "USB Mode" is set, the image will show a USB stick, enabled or not depending on the presence of a valid VPN USB stick. The central box gives some information about VPN Client Software status (e.g.
Hidden Interface
The graphical user interface can be hidden from the end user. We provide configuration tools for IT managers that prevent the end user from changing their configuration. Access to the configuration user interface can be restricted with the configuration tool VPNHIDE. See section Configuration Tools. In that case, the Main window cannot be opened and shown by double-clicking on the desktop icon, by selecting Start menu.
Billion BiGuard VPN Client can start in 3 different modes:
- Start VPN Client software before MS Windows logon: this mode can be used for secure remote login
- Start VPN Client software after MS Windows logon
- Don't start VPN Client when I start MS Windows: VPN Client is launched by user or from a script ("manual" mode)
Miscellaneous
Disable detection of interface disconnection: allows the VPN Client to keep tunnels open while the network interface disconnects momentarily but very often.
Chapter 4: VPN Configuration
Configuration Wizard
Four easy steps Wizard
BiGuard VPN Client provides a Configuration Wizard that allows the creation of a VPN configuration in four easy steps. This Configuration Wizard is designed for remote computers that need to get connected to a corporate LAN through a VPN gateway. Let us take the following example: The remote computer has a dynamically provided public IP address.
Step 1 of 4
You need to specify the following information:
- The public (network side) address of the remote gateway, as an IP address or domain name (e.g. specify gateway.mydomain.com)
- The Preshared-key you will use for this tunnel (this Preshared-key must be the same in the gateway).
Step 2 of 4
You must specify the following information: The IP address of your remote gateway LAN (network address, e.g. specify 192.168.1.0).
Step 3 of 4
You need to input the VPN Client IP address that will be used to identify the client in the VPN connection (e.g. specify 192.100.205.101).
Warning: Be sure that each client uses a different VPN Client IP address.
Step 4 of 4
The fourth step summarizes your new VPN configuration. Other parameters may be further configured directly via the main interface (e.g. virtual IP address, etc.).
VPN Tunnel Configuration
How to create a VPN Tunnel?
To create a VPN tunnel from the main window (without using the Configuration Wizard), follow these steps:
1. Right-click on “Configuration” in the tree list window and select “New Phase 1”
2. Configure Authentication Phase (Phase 1)
3. Right-click on the “new Phase 1” in the tree control and select “Add Phase 2”
4. Configure IPSec Phase (Phase 2)
5.
Phase (Phase 1).
Advanced Features
Advanced features and parameters can be defined for Phase 1 and Phase 2.
Phase 1 Settings Description
Name: Label for the Authentication phase, used only by the configuration user interface. This value is never used during IKE negotiation. It is possible to change this name at any time and read it in the tree control. Two Phase 1s cannot have the same name.
Interface: IP address of the network interface of the computer through which the VPN connection is established. If the IP address may change (when it is received dynamically from an ISP), select "Any".
  - AES: Stands for Advanced Encryption Standard; you can use 128, 192 or 256 bits as the encryption method.
- IKE authentication: It is a Message Digest algorithm which converts any length of a message into a unique set of bits. The widely used algorithms are MD5 (Message Digest) and SHA (Secure Hash Algorithm). SHA is more resistant to brute-force attacks than MD5, however it is slower.
  - MD5: A one-way hashing algorithm that produces a 128-bit hash.
- Aggressive Mode: If checked, the VPN client will use aggressive mode as negotiation mode with the remote router.
- IKE port: Negotiation port for IKE. Default value is 500.
- Redundant GW: This allows the VPN Client to open an IPSec tunnel with an alternate gateway in case the primary gateway is down or not responding. Enter either the IP address or the URL of the Redundant Gateway (e.g. router.dyndns.com).
If this identity is not set, the VPN gateway's IP address is used.
IPSec Configuration or Phase 2
What is Phase 2?
The “IPSec Configuration” or “Phase 2” window contains the settings for Phase 2. The purpose of Phase 2 is to negotiate the IPSec security parameters that are applied to the traffic going through tunnels negotiated during Phase 1.
Phase 2 Settings Description
Name: Label for IPSec Configuration only used by the VPN client.
Remote address: This field may be "Remote host address" or "Remote LAN address" depending on the address type. It is the remote IP address, or LAN network address of the gateway, that opens the VPN tunnel.
Subnet mask: Subnet mask of the remote LAN. Only available when the address type is "Subnet address".
ESP:
- ESP Encryption: Select the encryption method from the pull-down menu. There are several options: DES, 3DES and AES (128, 192 and 256).
Automatic Open mode: The VPN Client can automatically open the specified tunnel (Phase2) on specific events such as:
- Auto open this tunnel when the VPN Client starts up.
- Auto open this tunnel when USB stick is inserted (see section "USB Mode").
- Auto open this tunnel when the VPN Client detect traffic towards remote LAN.
Open script: A specific script or application (e.g. Outlook, CRM apps, ...) can be launched when this tunnel opens.
Global Parameters – Global Settings Description
Global Parameters are generic settings that apply to all created VPN tunnels. Once modified, click on “Save & Apply” to take your modifications into account.
Lifetime (sec.)
- IKE Default Lifetime (sec.): Default lifetime for IKE rekeying.
- IKE Minimal Lifetime (sec.): Minimal lifetime for IKE rekeying.
- IKE Maximal lifetime (sec.): Maximal lifetime for IKE rekeying.
- IPSec Default Lifetime (sec.
Miscellaneous:
- Retransmissions: How many times a message should be retransmitted before giving up.
- Delay between retries (sec.): Waiting time in an exchange before giving up a negotiation.
- Block non-ciphered connection: When this option is checked, only encrypted traffic is authorized.
Dead Peer Detection (i.e. DPD) is an Internet Key Exchange (IKE) extension (i.e. RFC3706) for detecting a dead IKE peer.
USB Mode
What is USB Mode?
BiGuard VPN Client brings the capability to secure VPN configurations and VPN security elements (e.g. PreShared key, Certificates, …) by the use of a USB Stick. When you select "USB mode", the VPN configuration and security elements contained in the configuration are stored on the USB Stick the first time you plug it in. Once done and the "USB mode" is set "On", you just need to insert the USB Stick to automatically open tunnels.
Once USB mode is set on, the left side box in the status bar shows a USB stick icon. The USB Stick icon is plain when a USB Stick is plugged in: The USB Stick icon is gray when no USB Stick is plugged in:
How to enable a new USB Stick?
A new USB Stick (no data) must be enabled by copying VPN configuration and security elements onto it.
Certificate Management
(Please see Appendix A - Compatible table of Billion VPN enabled devices and BiGuard VPN Client)
Additional support documents
BiGuard VPN Client uses X509 certificates in PEM format. This kind of certificate is created with OpenSSL, not with BiGuard VPN Client. In order to use X509 Certificates with BiGuard VPN Client, you must have the following items:
1. Root certificate
2. User certificate
3.
Configuration Management – How to Import or Export a VPN Configuration?
BiGuard VPN Client can import or export a VPN Configuration. With this feature, IT managers can prepare a configuration and deliver it to other users.
1. To import a configuration, select "File > Import VPN Configuration".
2. To export a configuration, select "File > Export VPN Configuration".
All configuration files will have a ".tgb" extension.
Configuration Tools
Command line tools
These tools are available from the command line and are meant to be used by IT managers to adapt the IPSec VPN Client behavior to their needs.
1. Stopping IPSec VPN Client
2. Import VPN Configuration
3. IPSec VPN Client Startup mode
4. Hiding IPSec VPN Client configuration user interface
Stopping VPN Client: option “/stop”
BiGuard VPN Client can be stopped at any time by the command line: " [path]\vpnconf.
Console and Logs
Console Windows
The “Console” window is available from the context menu of the systray icon or from the “Console” button in the configuration user interface. This window can be used to analyze VPN tunnels. This tool is particularly useful for IT managers in setting up their network.
Save: Save logs in a file.
Stop: Stop saving logs in a file.
Clear: Clear console window content.
Options: Set level of log filtering.
Misc (Misc): log level for configuration reading or dump of low level messages
Trpt (Transport): log level for UDP transport mode
Msg (Message): log level for IKE decode
Cryp (Crypto): log level and dump for crypto material exchanged
Timr (Timer): log level about timers
Sdep (Sysdep): log level about IKE interface from/to IPSec
SA (SA): log level for SA management
Exch (Exchange): log level about IKE exchanges (very useful)
Nego (Negotiation): log level about phase 1 and phase 2 n
Chapter 5: Troubleshooting
Introduction
The goal of this section is to help IT Managers, system administrators or users facing VPN configuration issues in their IPSec VPN network. All information concerning VPN connection state, VPN trace or VPN Logs can be found in the "Console" Window of BiGuard VPN Client.
Tools in case of trouble
Configuring an IPSec VPN tunnel can be a hard task. One missing parameter can prevent a VPN connection from being established.
« no keystate » error 115305 115305 115305 115315 115317 115317 115319 115319 115319 Default Default Default Default Default Default Default Default Default sysdep_app_open: Init Connection for : Cnx-Cnx-P2 Cnx-remote-addr sysdep_app_open: IPV4_SUBNET Network 192.168.1.1 sysdep_app_open: IPV4_SUBNET Netmask 255.255.255.
115905 115905 115905 115911 115911 Default Default Default Default Default sysdep_app_open: Init Connection for : Cnx-Cnx-P2 Cnx-remote-addr sysdep_app_open: IPV4_SUBNET Network 192.168.1.1 sysdep_app_open: IPV4_SUBNET Netmask 255.255.255.
No response to phase 2 requests
120348 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
120349 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
120351 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
120351 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
Check algorithms and phase 2 identities (“Local address” and “Network a
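The symptom in this section, repeated SEND phase 2 Quick Mode lines with no reply, can be detected automatically in a log saved from the Console window. The Python below is an added example, not part of the BiGuard manual or software; the RECV line format and the phase 1 sample lines are assumptions (the manual excerpt shows only SEND lines), and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the console format shown in this section.
# Assumption: replies are logged like SEND lines, with RECV in place of SEND.
SAMPLE_LOG = """\
120340 Default (SA CnxVpn1-P1) SEND phase 1 Main Mode [SA] [VID]
120341 Default (SA CnxVpn1-P1) RECV phase 1 Main Mode [SA] [VID]
120348 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
120349 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
120351 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
120351 Default (SA CnxVpn1-CnxVpn1-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
"""

# timestamp, log category, "(SA <name>)", direction, phase number, exchange mode
LINE_RE = re.compile(
    r"^(?P<time>\d{6})\s+\S+\s+\(SA (?P<sa>[^)]+)\)\s+"
    r"(?P<dir>SEND|RECV) phase (?P<phase>[12]) (?P<mode>.+?) Mode\b"
)


def unanswered_exchanges(log_text, threshold=3):
    """Return {(sa_name, phase): [timestamps]} for every SA whose most recent
    `threshold` or more IKE messages were sent without any reply in between."""
    pending = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other console lines (e.g. sysdep_app_open) are skipped
        key = (m["sa"], int(m["phase"]))
        if m["dir"] == "RECV":
            pending[key].clear()  # the gateway answered, so reset the run
        else:
            pending[key].append(m["time"])
    return {k: v for k, v in pending.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (sa, phase), times in unanswered_exchanges(SAMPLE_LOG).items():
        print(f"{sa}: {len(times)} phase {phase} requests unanswered "
              f"({times[0]} to {times[-1]})")
```

A phase 2 entry in the result is the case this section describes, so the algorithms and phase 2 identities on both ends are the first things to compare.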
Appendix A: Compatible table of Billion VPN enabled devices and BiGuard VPN Client
BIPAC 74xx series, BIPAC 75xx series, BIPAC 85xx series, BiGuard 2/10/30 series
Hash algorithms: MD5, SHA1
Encryption: DES, 3DES, AES 128, AES 192, AES 256
Diffie Hellman Group Support: Group1: MODP 768, Group2: MODP 1024, Group5: MODP 1536
Authentication Mechanism: Preshared key, X509 Certificate support (PEM), X-Auth
Key Management: ISAKMP (RFC2408), IKE (RFC2409)
IPSec Mode: ESP, Tunnel
IKE Mode: Main, Aggressive, Qui
APPENDIX B: Product Support and Contact Information
Most problems can be solved by referring to the Troubleshooting section in the User’s Manual. If you cannot resolve the problem with the Troubleshooting chapter, please contact the dealer where you purchased this product.
Contact Billion
WORLDWIDE http://www.billion.