SSH IPSec Client Models RFIPSC-1/5/10/50 Quick Start Guide
Quick Start Guide, PN 82013151, Revision B
SSH IPSec Client Model # RFIPSC-1/5/10/50 for RouteFinder Model # RF650VPN

This publication may not be reproduced, in whole or in part, without prior expressed written permission from Multi-Tech Systems, Inc. All rights reserved. Copyright © 2001, by Multi-Tech Systems, Inc.
Contents

Chapter 1 – Introduction and Description
  Introduction
  Product Description
  Internet Protocol (IP)
  Internet Protocol Security (IPSec)
  About this Manual and Related Manuals
Figures

Figure 1. The SSH Sentinel installation package icon.
Figure 2. SSH Sentinel Welcome screen.
Figure 3. Licensing Agreement.
Figure 4. Choose Destination Path.
Figure 5. Generating the Authentication Key.
Figure 6. Authentication Key Generation Done.
Figure 7. Inquiring Certificate Identity.
Figure 8. Choosing the Enrollment Method.
Figure 9. Online Enrollment Settings.
Figure 10. Off-line Certification Request.
Figure 11.
Figure 12.
RFIPSC Quick Start Guide

Chapter 1 – Introduction and Description

Introduction

Welcome to Multi-Tech's RouteFinder, model RF650VPN. The RF650VPN is an Internet security appliance that uses data encryption over the Internet to connect telecommuters, remote offices, customers and suppliers securely, avoiding the cost of private leased lines. The SSH Sentinel IPSec VPN client software is available in 1-, 5-, 10- and 50-user packages. The RF650VPN is supplied with SSH Sentinel version 1.1.
PN 82013151

Internet Protocol (IP)

The open architecture of the Internet Protocol (IP) makes it a highly efficient, cost-effective and flexible protocol for local and global communications. IP is widely adopted, not only on the global Internet but also in the internal networks of large corporations. IP was designed to be robust against random network errors; it was not designed to be secure against a malicious attacker. Without an added security layer such as IPSec, IP packets can be read, forged or replayed by anyone on the path between the two hosts.
About this Manual and Related Manuals

This Quick Start Guide contains four chapters and one appendix and is intended to give the experienced client user or system administrator the information needed to get the SSH IPSec Client software up and running quickly. The full SSH Sentinel IPSec Client User Guide is provided on the SSH IPSec Client CD-ROM included in the license pak. Please address comments about this manual to the Multi-Tech Publications Dept.
Chapter 2 - SSH IPSec Client Installation and Setup

Introduction

This section describes the SSH Sentinel software, an IPSec client product from SSH Communications Security Corp that provides secure communications over a TCP/IP connection. Client devices use SSH Sentinel to connect securely to the Multi-Tech RouteFinder model RF650VPN. The SSH Sentinel client installation and setup procedures are described in the following sections.
System Requirements

To run the SSH Sentinel client software, you need a personal computer with at least the following configuration:
• Processor: Pentium 100 MHz
• Memory (RAM): 32 MB for Windows 9x, or 64 MB for Windows NT4/2000
• Hard disk space: 10 MB free
• Network connection: TCP/IP network protocol

Starting the SSH Sentinel Installation

The SSH Sentinel installation requires full access rights to the system files on your computer (on Windows NT4/2000, log on with an administrator account), because the installer adds a kernel-mode IPSec engine.
The installer runs the Installation Wizard, which creates the initial configuration and sets up the SSH Sentinel client software.

Note: If a previous version of the SSH Sentinel software is already installed on your computer and you install a new version, the wizard updates the software and the steps described here are skipped.
Figure 4. Choose Destination Path.

Authentication Key Generation

The SSH Sentinel Installation Wizard generates a primary authentication key for IPSec peer (host) authentication. The primary authentication key is a 1024-bit RSA key pair used for digital signatures and strong authentication. Key generation begins by seeding the random number generator: a pool of random data is collected from the user moving the mouse or typing random text, so that the key remains unpredictable even on a machine with little other entropy. Note that by current standards a 1024-bit RSA key is considered too short; current guidance recommends at least 2048 bits.
Figure 5. Generating the Authentication Key.
Figure 6. Authentication Key Generation Done.
Identity Information

5. SSH Sentinel uses certificates and digital signatures as its primary authentication method. SSH Sentinel processes certificates according to the IETF Public-Key Infrastructure X.509v3 standards, so you can take advantage of an existing public-key infrastructure (PKI). SSH Sentinel supports certificate revocation lists (CRLs) and authority revocation lists (ARLs, that is, CRLs for CA certificates) and is highly configurable. Revocation checking matters in a VPN deployment: without a current CRL, a peer whose certificate has been revoked (for example, after a laptop is lost) will still authenticate successfully until that certificate expires.
Choose the Enrollment Method

6. A certification request can be created as part of the installation. You can either enroll online, that is, create and send the request immediately, or save the request in a file and deliver it to the certification authority (CA) later. If no certification authority is available, or you want to postpone creating the request for some reason, create a self-signed certificate. A self-signed certificate carries no third-party assurance of identity, so the peer must verify it out of band (for example, by comparing its fingerprint) before trusting it.
Online Enrollment Information

To enroll online, you must know the address of the certification authority server and you must possess the certification authority's certificate. Most often, you can download the CA certificate from the CA's web site; verify its fingerprint through an independent channel before installing it, because every certificate the client later accepts is trusted on the strength of this one.

Figure 9. Online Enrollment Settings

You must also specify the enrollment protocol. In addition, you may configure the SOCKS and proxy settings to get through the firewall if the CA server is behind one.
either saved it in a file or copied its contents to the Windows clipboard. In a file, the certificate may be in binary (X.509 DER), PEM (Privacy Enhanced Mail) or HEX format. Pasted from the clipboard, the certificate must be PEM encoded.

Advanced button (D): Opens a dialog box for configuring the SOCKS and proxy settings.

Reference Number (E) (Key Identifier): The key identifier is used only with the Certificate Management Protocol (CMP).
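The three certificate encodings named above (binary DER, PEM, HEX), handled by a small normalizer that converts any of them to DER and checks that the result is a single, complete DER SEQUENCE. This is an added example, not code from the original guide or from SSH Sentinel. The function names are the example's own, and SAMPLE_DER is a constructed minimal DER SEQUENCE used only to exercise the parser; it is not a real X.509 certificate.

```python
"""Detect and normalize a certificate given in one of the three encodings
SSH Sentinel accepts: binary X.509 (DER), PEM, or HEX.

Added example; not code from the original guide or from SSH Sentinel.
SAMPLE_DER is a constructed, minimal DER SEQUENCE used only to exercise
the parser; it is not a real X.509 certificate.
"""
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)
HEX_JUNK = re.compile(rb"[\s:]")   # whitespace and ':' separators tolerated in HEX input


def der_length_ok(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE: tag 0x30 and an encoded
    length that matches the bytes present. Catches truncated or padded data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, body = 2, first
    else:                                 # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)


def detect_format(data: bytes) -> str:
    """Classify raw input as 'pem', 'der' or 'hex'; raise on anything else."""
    if PEM_RE.search(data):
        return "pem"
    if der_length_ok(data):               # structural check, not just a 0x30 first byte
        return "der"
    stripped = HEX_JUNK.sub(b"", data)
    if stripped and len(stripped) % 2 == 0 and re.fullmatch(rb"[0-9A-Fa-f]+", stripped):
        return "hex"
    raise ValueError("unrecognised certificate encoding")


def to_der(data: bytes) -> bytes:
    """Convert PEM, HEX or DER input to DER, verifying the result's length."""
    fmt = detect_format(data)
    if fmt == "pem":
        der = base64.b64decode(PEM_RE.search(data).group(1))
    elif fmt == "hex":
        der = bytes.fromhex(HEX_JUNK.sub(b"", data).decode("ascii"))
    else:
        der = data
    if not der_length_ok(der):
        raise ValueError(f"{fmt} input decoded, but DER length is inconsistent (truncated or corrupt)")
    return der


def accepts(data: bytes) -> bool:
    """True if the input decodes to a well-formed DER blob."""
    try:
        to_der(data)
        return True
    except ValueError:
        return False


def clipboard_acceptable(data: bytes) -> bool:
    """Sentinel takes clipboard input only in PEM form."""
    try:
        return detect_format(data) == "pem"
    except ValueError:
        return False


# Constructed sample: SEQUENCE { INTEGER 1, OCTET STRING "ca" }
SAMPLE_DER = bytes.fromhex("300702010104026361")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER) + b"\n-----END CERTIFICATE-----\n")
SAMPLE_HEX = b"30:07:02:01:01:04:02:63:61"

if __name__ == "__main__":
    for label, sample in (("DER", SAMPLE_DER), ("PEM", SAMPLE_PEM), ("HEX", SAMPLE_HEX)):
        print(label, detect_format(sample), to_der(sample).hex(),
              "clipboard ok" if clipboard_acceptable(sample) else "file only")
```

The length check is the part worth keeping: a certificate that was cut off while being copied still base64-decodes cleanly, and only the DER length field reveals that bytes are missing.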
you may prefer sending the request via email or using an enrollment service on the Web.

Select PKCS#10 request file location

In the text field (callout A in Figure 10 above), enter the path and name of the file in which the certification request will be stored, or click the Browse button to select it. Click Next and continue the installation. The PKCS#10 file contains only the public key and the requested identity, signed with the private key, so it can be sent to the CA over an untrusted channel; the private key itself stays on this machine.

Encryption Speed Diagnostics

8. SSH Sentinel runs diagnostics on the encryption algorithms as the last step of the installation.
encryption hardware vendors. It has the advantage of giving simple figures for speed. Because many variables affect the final result, it would be very complicated to define a standard environment in which to measure overall network throughput reliably. Moreover, real-world network throughput cannot be measured during installation at all, because the kernel-mode IPSec engine is not available until after the first reboot.
SSH IPSec Client Setup

The RouteFinder supports VPN (Virtual Private Networking), which encrypts IP network traffic between two IPSec endpoints:

  Host 1 <----> Router <----> Internet <----> Router <----> Host 2
                <------------ encrypted --------->

All communication between the hosts is protected with strong encryption, so a third party on the path cannot read it, and because IPSec also authenticates each packet, cannot alter it undetected. In the diagram the two routers are the IPSec endpoints; in the Host to Net case described below, the endpoints are the client PC running Sentinel and the RouteFinder. As discussed earlier, the three VPN setups are Host to Host, Host to Net, and Net to Net.
RouteFinder Configuration

1. Define two networks in Definitions|Networks:

   Name                  Address        Netmask
   DMZ Network           192.168.3.0    255.255.255.0
   Sentinel ssh Client   212.6.145.3    255.255.255.255

   (212.6.145.3 is the client PC's static public address in this example; substitute your own client's address.)

2. Define and enable the following Packet Filter rules:

   Source                Service   Destination           Action
   Sentinel ssh Client   Any       DMZ Network           Allow
   DMZ Network           Any       Sentinel ssh Client   Allow

   The first rule allows the Sentinel SSH Client to initiate connections to the DMZ Network; the second allows DMZ hosts to initiate connections to the client. A Service of Any permits every protocol in both directions. Once the tunnel is working, narrow the Service column to the protocols the client actually needs.
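To see what the two rules above actually admit, here is a first-match evaluator that applies them to a few constructed packets and flags the Allow rules whose Service is Any. This is an added example, not RouteFinder code: the default-deny behaviour when no rule matches is assumed (check your own RouteFinder's default policy), and the service names, the tightened rule set and the sample packets are constructed for the example.

```python
"""First-match evaluation of the RouteFinder packet-filter rules above.

Added example; not RouteFinder code. The rule table is modelled as
(source, service, destination, action) entries matched in order, with an
assumed default of Deny when no rule matches (confirm the default policy on
your own RouteFinder). Service names and the sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Network definitions from step 1, using the guide's own names.
NETWORKS = {
    "DMZ Network": ipaddress.ip_network("192.168.3.0/255.255.255.0"),
    "Sentinel ssh Client": ipaddress.ip_network("212.6.145.3/255.255.255.255"),
    "Any": ipaddress.ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Rule:
    source: str
    service: str       # "Any" or a single service name such as "http"
    destination: str
    action: str        # "Allow" or "Deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


# The two rules from step 2, exactly as the guide gives them.
GUIDE_RULES = [
    Rule("Sentinel ssh Client", "Any", "DMZ Network", "Allow"),
    Rule("DMZ Network", "Any", "Sentinel ssh Client", "Allow"),
]

# A tightened variant (assumed service list): the client may reach only
# http and ssh on the DMZ, and DMZ hosts may not initiate to the client.
TIGHT_RULES = [
    Rule("Sentinel ssh Client", "http", "DMZ Network", "Allow"),
    Rule("Sentinel ssh Client", "ssh", "DMZ Network", "Allow"),
    Rule("DMZ Network", "Any", "Sentinel ssh Client", "Deny"),
]


def in_network(name: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in NETWORKS[name]


def evaluate(rules, pkt: Packet, default: str = "Deny") -> str:
    """Return the action of the first rule matching `pkt`, else `default`."""
    for rule in rules:
        if (in_network(rule.source, pkt.src)
                and in_network(rule.destination, pkt.dst)
                and rule.service in ("Any", pkt.service)):
            return rule.action
    return default


def overbroad_allows(rules):
    """Allow rules whose Service is Any: candidates for tightening."""
    return [r for r in rules if r.action == "Allow" and r.service == "Any"]


if __name__ == "__main__":
    samples = [
        Packet("212.6.145.3", "192.168.3.10", "smb"),   # client -> DMZ, arbitrary service
        Packet("192.168.3.10", "212.6.145.3", "http"),  # DMZ -> client
        Packet("212.6.145.3", "192.168.1.10", "http"),  # client -> a LAN not defined in step 1
        Packet("212.6.145.4", "192.168.3.10", "http"),  # neighbouring address, not the client
    ]
    for p in samples:
        print(p, "guide:", evaluate(GUIDE_RULES, p), "tight:", evaluate(TIGHT_RULES, p))
    print("overbroad:", overbroad_allows(GUIDE_RULES))
```

The point of the /32 network definition shows up in the last sample packet: only the exact client address matches, so a neighbour on the same ISP range gets the default Deny even though the rule set never mentions it.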
Sentinel Configuration

4. From the Control Panel, open the Sentinel Policy Editor.
5. Under Key Management, select Authentication Keys.
6. Click OK.
7. Click Add to create a new Authentication Key.
8. Check the Create new preshared key checkbox and click OK.
9. Select a Primary Identifier from the Select Primary Identifier drop-down list. Select Host IP Address and click OK.
10. Enter the Preshared Key information and click OK. The same key must be configured on the RouteFinder. Use a long random value and distribute it out of band rather than by e-mail: anyone who learns the preshared key can authenticate to the RouteFinder as this client.
11. Select VPN Connection and click OK.
12. Enter the Security Gateway and Intranet IP Address information and click OK. The System routing (Subnet Mask) is set automatically. The RouteFinder is then probed for the Intranet IP address you entered; if it is not found, the "Probe Results .. unsuccessful" screen is displayed.
13. Click Details>>. The Connection Properties|General screen is displayed.
14. Edit the IP Address Settings and the Proposal Parameters, then change the Rule Comment if necessary. Click OK.
15. Click the Advanced tab.
16. As necessary, edit the Advanced Options, NAT Traversal and Virtual IP Address Settings, and/or check the Enable Extended Authentication check box, then click OK. The Probe Results screen is displayed.
17. Click Details>>.
18. Verify the connection details and click Close. The Security Policy begins updating.
19. When the Security Policy has finished updating, click Diagnostics... to ping the new connection.

If the ping is successful, the Host to Net setup using SSH Sentinel 1.1.1 (static IP) to connect to a RouteFinder with Pre-Shared Keys (PSK) is complete.
SSH Sentinel Installation Notes

SSH Sentinel supports Microsoft Windows 95/98, Windows Me, Windows NT 4.0 and Windows 2000. The SSH Sentinel software download site is http://www.ssh.com/products/sentinel/beta/. Start the SSH Sentinel setup program (Sentinel.exe) by double-clicking its icon and follow the instructions on the screen. The installation procedure is documented in the SSH Sentinel User Manual.
Updating SSH Sentinel

If you launch the installation package with a previous version of SSH Sentinel on your computer, the existing version is updated automatically. The contents (the policies, rules, authentication keys and so on) are preserved; only the software version is updated.

Removing SSH Sentinel

Before removing the software, you are advised to do the following:
1. Export and save any data in SSH Sentinel that you might need in the future. If the export includes your private authentication key, store it where only you can read it.
Chapter 3 - Service, Warranty and Tech Support

Introduction

This chapter starts with statements about your RouteFinder two-year warranty. The next section, Tech Support, should be read carefully if you have questions or problems with your RouteFinder. It includes the technical support phone numbers, space for recording your product information, and an explanation of how to send in your RouteFinder should you require service.

Limited Warranty

Multi-Tech Systems, Inc.
Recording RouteFinder Information

Please fill in the following information on your Multi-Tech RouteFinder. This will help tech support in answering your questions. (The same information is requested on the Warranty Registration Card.)

Model No.: ________________________
Serial No.: _________________________
Software Version: ____________________

The Model No. and Serial No. are on the bottom of the RouteFinder; additional information is provided on the SSH IPSec Client pak.
Service

If your tech support specialist decides that service is required, your RouteFinder may be sent (freight prepaid) to our factory. Return shipping charges will be paid by Multi-Tech Systems. Include the following with your RouteFinder:
• a description of the problem.
• return billing and return shipping addresses.
• contact name and phone number.
• check or purchase order number for payment if the RouteFinder is out of warranty.
SupplyNet On-line Ordering Instructions

1. Browse to http://www.thesupplynet.com. In the Browse by Manufacturer drop-down list, select Multi-Tech and click GO!.
2. To order, type in the quantity and click Add to Order.
3. Click Review Order to change your order.
4. After you have selected all of your items, click Checkout to finalize the order.

The SupplyNet site uses Secure Sockets Layer (SSL) encryption, with a VeriSign certificate, to protect your order information in transit.
Appendix A - RFIPSC-5/10/50 Client Software CD

The RouteFinder RFIPSC-5/10/50 CD contains the SSH Sentinel IPSec Client files as shown below. When you insert the CD in your computer's CD-ROM drive, the SSH Sentinel IPSec Client software Install screen displays. (If the Program Not Found message displays, or if the Autorun feature does not function, run Autorun.bat in the CD's root directory.) Each of the initial CD Install screen selections is described below.
Click Install IPSEC Client Software to load the SSH Sentinel IPSec Client Software and either run the program from the CD or save it to your computer's hard disk drive (the initial screen is shown below).

Click Read the End User Licensing Agreement to view the Multi-Tech Multi-User Software License Agreement (the initial screen is shown below). The Software License Agreement is also provided in Appendix B of this manual.
Click Read the Installation User Guide to view and/or print the full online User Guide manual (this document). You can also find it directly on the CD in Acrobat format (InstallationGuide.pdf), as well as on the Multi-Tech web site (http://www.multitech.com). This is an Adobe Acrobat file; if you don't have Acrobat Reader, download it from http://www.adobe.com.
Appendix B - Multi-User Software License Agreement

Multi-Tech Systems, Inc. Multi-User Software License Agreement

IMPORTANT – READ BEFORE OPENING OR ACCESSING SOFTWARE

This is a basic multi-user software license granted by Multi-Tech Systems, Inc., a Minnesota corporation, with its mailing address at 2205 Woodale Drive, Mounds View, MN 55112. This is a legal agreement between you (either an individual or a single entity) and Multi-Tech Systems, Inc.
than Customer and his employees and/or agents, without prior written consent from MTS. Customer acknowledges that the techniques, algorithms, and processes contained in the software are proprietary to MTS and Customer agrees not to use or disclose such information except as necessary to use the software.
prohibited by United States law, including, without limitation, for the development, design, manufacture or production of nuclear, chemical, or biological weapons of mass destruction. Licensee agrees that by purchase and/or use of the Software, s/he hereby accepts and agrees to the terms of this License Agreement.

Multi-User Limited Warranty and License Agreement

The software contained in this package is licensed by Multi-Tech Systems, Inc.
DAMAGES, INCLUDING CONSEQUENTIAL DAMAGES, WHETHER OR NOT KNOWN TO MULTI-TECH SYSTEMS, INC. IT IS HEREBY EXPRESSLY AGREED THAT LICENSEE'S REMEDY IS LIMITED TO REPLACEMENT OR REFUND OF THE LICENSE FEE, AT THE OPTION OF MULTI-TECH SYSTEMS, INC., FOR DEFECTIVE DISTRIBUTION MEDIA. There is no warranty for misused materials. If this package contains multiple media formats (e.g., both 3.5" disk(s) and CD-ROM), they are provided only to facilitate use at a single site.
Register Your Software (U.S. Residents)

Thank you for purchasing software from Multi-Tech Systems. Choose one of the following options to register your software:
By Mail: Complete the registration form and mail.
By Fax: Fax this completed registration card to: (763) 785-9874
Via the Web: www.multitech.
Register Your Software (outside the United States)

Thank you for purchasing software from Multi-Tech Systems. Choose one of the following options to register your software:
By Mail: Complete the registration card, affix postage and mail.
By Fax: Fax this completed registration card to: + (763) 785-9874
Via the Web: www.multitech.