TheGreenBow IPSec VPN Client
Configuration Guide
Cisco SA 500 Series Security Appliance

This guide applies to the following models:
Cisco SA 520
Cisco SA 520W
Cisco SA 540

WebSite: http://www.thegreenbow.de
Contact: support@thegreenbow.de

Configuration Guide written by:
Writer: Timm Richter
Company: www.thegreenbow.

Doc.Ref: tgbvpn_cg-cisco-SA500-series-en
Doc.version: 3.0 – May 2010
VPN version: 4.x

Table of contents
1 Introduction
1.1 Goal of this document
1.2 VPN Network topology

1 Introduction

1.1 Goal of this document

This configuration guide describes how to configure TheGreenBow IPSec VPN Client software with a Cisco SA 520W VPN router to establish VPN connections for remote access to the corporate network. The Cisco SA 500 Series includes the Cisco SA 520, Cisco SA 520W and Cisco SA 540.

1.

2 Cisco SA 520W Security Appliance VPN configuration

This section describes how to build an IPSec VPN configuration with your Cisco SA 520W VPN router.

2.1 Preparation

To ensure that your Cisco SA 520W VPN router is accessible from the Internet via a domain such as "ciscogateway.de", you should configure a dynamic DNS service. For more support, see your Cisco SA 520W VPN router user manual or http://www.cisco.de/.

Your Cisco SA 520W is now ready; the VPN Wizard has automatically created one corresponding IKE policy and one corresponding VPN policy. Under the menus "IKE Policies" and "VPN Policies" you can make further detailed settings for the tunnel configuration. Please note that any such changes must also be applied in the IPSec VPN Client.

3 TheGreenBow IPSec VPN Client configuration

This section describes the required configuration to connect to a Cisco SA 520W VPN router via VPN connections. To download the latest release of TheGreenBow IPSec VPN Client software, please go to http://www.thegreenbow.com/vpn_down.html.

3.

3.2 VPN Client Phase 1 Advanced settings

Click "P1 Advanced" to access the Advanced configuration settings of Phase 1. Select the option "Aggressive Mode". Now enter the local and remote ID for the VPN Client: choose "DNS" as the ID type, and then enter as ID values the values defined on the Cisco. Confirm the settings by clicking "OK".

3.

3.4 Open IPSec VPN tunnels

Once both the Cisco SA 520W router and TheGreenBow IPSec VPN Client software have been configured accordingly, you are ready to open VPN tunnels. First make sure that your firewall allows IPSec traffic.

1. Click on "Save & Apply" to take into account all modifications we've made on your VPN Client configuration
2.

4 Tools in case of trouble

Configuring an IPSec VPN tunnel can be a hard task. One missing parameter can prevent a VPN connection from being established. Some tools are available to find the source of trouble during VPN establishment.

4.1 A good network analyser: Wireshark

Wireshark is free software that can be used for packet and traffic analysis. It shows IP or TCP packets received on a network card.

5 VPN IPSec Troubleshooting

5.1 « PAYLOAD MALFORMED » error (wrong Phase 1 [SA])

114920 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
114920 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [NOTIFY]
114920 Default exchange_run: exchange_validate failed
114920 Default dropped message from 195.100.205.
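
An added example (not part of the original guide and not TheGreenBow code): a Python script that parses console log lines in the layout of the excerpt above and flags the pattern behind this error, a phase 1 [SA] proposal answered only by [NOTIFY]. The function names and the second sample log are assumptions made for illustration.

```python
import re

# Line layout taken from the log excerpt above:
#   <timestamp> Default (SA <name>) SEND|RECV phase <n> <mode> [PAYLOAD]...
LINE = re.compile(
    r"^(?P<ts>\d+) Default \(SA (?P<sa>[^)]+)\) (?P<dir>SEND|RECV) "
    r"phase (?P<phase>\d) (?P<mode>.+?) (?P<payloads>(?:\[[A-Z_]+\])+)$"
)

def parse(log_text):
    """Return one dict per SEND/RECV line; other lines are skipped."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ev = m.groupdict()
            ev["payloads"] = re.findall(r"\[([A-Z_]+)\]", ev["payloads"])
            events.append(ev)
    return events

def rejected_phase1_proposals(events):
    """Find a phase 1 SEND carrying [SA] whose reply is only [NOTIFY]."""
    hits = []
    for sent, reply in zip(events, events[1:]):
        if (sent["dir"] == "SEND" and reply["dir"] == "RECV"
                and sent["sa"] == reply["sa"]
                and sent["phase"] == reply["phase"] == "1"
                and "SA" in sent["payloads"]
                and reply["payloads"] == ["NOTIFY"]):
            hits.append((sent["sa"], sent["mode"], sent["ts"]))
    return hits

# The three complete lines of the excerpt above.
FAILED = """114920 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
114920 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [NOTIFY]
114920 Default exchange_run: exchange_validate failed"""

# Constructed contrast case (not from the page): the gateway answers with [SA].
ACCEPTED = """114921 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
114921 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]"""

if __name__ == "__main__":
    for name, text in (("failed", FAILED), ("accepted", ACCEPTED)):
        print(name, rejected_phase1_proposals(parse(text)))
```

A hit means the gateway refused the client's Phase 1 proposal, so compare the Phase 1 settings in the VPN Client with the IKE policy on the Cisco SA 520W.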

5.

• If you still cannot ping, follow ICMP traffic on the VPN server LAN interface and on the LAN computer interface (with Wireshark, for example). You will have an indication that encryption works.
• Check the "default gateway" value in the VPN Server LAN. A target on your remote LAN can receive pings but does not answer because there is no "Default gateway" setting.
• You cannot access the computers in the LAN by their name.

6 Contacts

News and updates on TheGreenBow web site: http://www.thegreenbow.com
Technical support by email at support@thegreenbow.com
Sales contacts by email at sales@thegreenbow.
Secure, Strong, Simple.