ProCurve VPN Client and ProCurve Secure Router 7000dl Series - Application Note

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

ProCurve VPN Client and ProCurve Secure Router 7000dl Series

Introduction

Customers today work from a variety of locations and settings; this is the mobile worker.

Equipped with laptop and access to a Hotpoint, or in a hotel with high-speed Internet, they

continuing the day’s tasks taking advantage of flexibility these technologies afford.

Working on sensitive and private information within a public setting requires secure

technologies. The ProCurve VPN Client provides such security with industry standard

IPSec tunneling capabilities that form the virtual private network (VPN) to your ProCurve

Secure 7000dl series router.

The IT professional who configures such a solution for the employees in their company

can use this application note to understand the configuration of such access. This

application note will explain how to configure a VPN tunnel between a ProCurve 7000dl

series router, running SROS J.01.02B or greater, using the ProCurve VPN client software

(version 10.3). This configuration approach utilizes “Mode config”, and simplifies client

configuration by dynamically assigning the VPN client an IP address for VPN traffic.

“Mode config” allows the administrator to import the same security policy to each VPN

client.

Included on this document are:

- Step by step instructions to configure VPN in on the ProCurve 7000dl series router.

- Full sample configuration of the ProCurve 7000dl series with firewall and VPN.

- Step by step instructions, with screen shots, to configure ProCurve VPN client on your

laptop or PC.

This application note assumes the ProCurve 7000dl series router is already installed and

has connectivity to a network. The Internet is shown in Figure 1 as an example. It is

further assumed that the ProCurve VPN client software is already installed on the user’s

PC and the PC has access to the network or Internet.

Note: It is very important to verify with your ISP that they will allow ESP traffic (protocol

50) and AU (protocol 51) through their network. ESP is the protocol that carries the

encrypted data of your VPN across the Internet. Some ISPs require a corporate or

business class of service before they will allow ESP through.

Summary of content (15 pages)

PAGE 1
ProCurve VPN Client and ProCurve Secure Router 7000dl Series Introduction Customers today work from a variety of locations and settings; this is the mobile worker. Equipped with laptop and access to a Hotpoint, or in a hotel with high-speed Internet, they continuing the day’s tasks taking advantage of flexibility these technologies afford. Working on sensitive and private information within a public setting requires secure technologies.
PAGE 2
In Figure 1 on the right is a user requiring access to the remote network (10.24.25.0/24). The ProCurve 7000dl router and ProCurve VPN client software will be setup using “mode config”. “Mode config” allows the ProCurve 7000dl series to dynamically assign an IP address to the VPN client. (This is not address assigned to the client manually or DHCP but an additional address for the tunnel.) The dynamic IP address range for this example will be 192.168.4.1 through 192.168.4.5.
PAGE 3
E) Type ‘no shutdown’ to activate the interface to pass data. F) Type ‘exit’ to return to the Global Configuration mode. 3.
PAGE 4
B) Type ‘hostname SecureSiteRouter’ to change the host name on the ProCurve Secure Router. C) Type ‘interface ethernet 0/1’ to access the configuration parameters for the Ethernet port located on the front panel of the router. D) Type ‘ip address 10.24.25.1 255.255.255.0’ to assign an IP address to the ethernet port using a 24 bit subnet mask. E) Type ‘no shutdown’ to activate the interface to pass data. F) Type ‘exit’ to return to the Global Configuration mode. 3.
PAGE 5
Configuring IKE client configuration pool a) The IKE client configuration pool contains the options to be passed to the client during IKE negotiation. Each pool must be given a label so that it may be referenced later in the IKE policy. The example below creates a configuration pool called “vpn_users”. SecureSiteRouter(config)# crypto ike client configuration pool vpn_users Figure 3 b) Once a pool is created, enter the properties of that pool.
PAGE 6
The following IKE policy is configured to use any peer IP address since it is assumed the dial-up users will all have differing IP addresses. This IKE policy is set not to initiate a tunnel but respond to main or aggressive mode, use 3DES encryption and SHA1 hash. A pre-shared key will be used for authentication, Diffie-Hellman Group 1 and an IKE lifetime in seconds of 600.
PAGE 7
4. Access Control List An Extended Access Control List (ACL) is used to specify which traffic needs to be sent securely over the VPN tunnel. The entries in the list are defined with respect to the local system. For this sample configuration, the source is the LAN IP network behind the ProCurve 7000dl is 192.168.100.0. The destination is the vpn pool IP network (192.168.4.
PAGE 8
. Allow Traffic Through Firewall a) If the firewall feature is enabled on the ProCurve 7000dl router, then Extended ACLs will need to be added to the configuration. IP access-list extended vpn_lan will use the following permit statement: SecureSiteRouter(config)# ip firewall SecureSiteRouter(config)# ip access-list extended VPN_to_LAN SecureSiteRouter(config-ext-nacl)# permit ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.
PAGE 9
c) An allow statement must be added to the TRUSTED policy class allowing vpn-traffic through the firewall to be encrypted. NOTE: Policy-class names are case sensitive. The policy-class names below may need to be changed based on the current policy-class nomencalature. If a nat source list MATCHALL statement is in the policy-class be sure to remove it by using the no form of the command. Re-enter the nat source list MATCHALL statement after entering new statements.
PAGE 10
The “Secure Site” ProCurve 7000dl series router configuration used in the sample network is listed below: ! hostname "SecureSiteRouter" no enable password ! ip subnet -zero ip classless ip routing ! event-history on no logging forwarding no logging email logging email priority-level info ! ! ip firewall ! ! ! ! ! ! ip crypto ! crypto ike client configuration pool vpn_users ip-range 10.24.44.1 10.24.44.5 dns-server 10.24.3.10 netbios-name-server 192.168.100.
PAGE 11
Configuring the ProCurve VPN Client Software 1. Configure new connection a) Start the Security Policy Editor by double-clicking on the ProCurve VPN Client icon in the Taskbar. Then select Edit > Add > Connection to create a New Connection. b) Select Secure from the Connection Security list. c) For ID Type choose IP Subnet. Then enter 10.24.25.0 and 255.255.255.0 for the Subnet and Mask (ProCurve 7000dl router’s Private LAN network). d) Check Connect using and Select Secure Gateway Tunnel.
PAGE 12
2. Configure Security Policy a) Next, select Security Policy and under Security Policy select Aggressive Mode. (we are using “Aggressive Mode” in this simple example, but “Main Mode” should be the most common choice when combined with use of a “pre-shared” key. See Figure 2.
PAGE 13
3. Set My Identy Parameters Select My Identity. Under ID Type select Domain Name and type in the local ID (remote.com). This local ID data will be the ProCurve 7000dl series remote ID information. Select Pre-Shared Key and enter same key as entered into the ProCurve 7000dl router (ProCurve_Networking). Select Disabled for Virtual Adapter. See Figure 3.
PAGE 14
4. Configure IKE Parameters Click on the plus (+) sign by Security Policy. Then click on the plus (+) sign by Authentication (Phase 1). Click on Proposal 1 . Select Pre-Shared Key for the Authentication Method. Select Triple DES for the Encrypt Alg. Select SHA1 for Hash Alg. Select Seconds for SA Life and enter 1800 (The IKE policy timeout from the ProCurve 7000dl router). Select Diffie-Hellman Group 1 for Key Group. See Figure 4.
PAGE 15
5. Configure IPSec Parameters Click on the plus (+) sign by Key Exchange (Phase 2). Then click on Proposal 1. Under IPSec Protocols, select Seconds for SA life. For Seconds enter 600 (The IPSec Lifetime Secs of the ProCurve 7000dl router). Check Encapsulation Protocol (ESP). Select Triple DES for the Encrypt Alg, SHA1 for the Hash Alg and Tunnel for the Encapsulation. See Figure 5. Figure 5 6. Save and Reload new Policy Finally, click on File and then Save.