HotBrick VPN Client User Manual
Table of Contents
1 INTRODUCTION
2 INSTALL
2.1 Software installation
2.2 Evaluation Period
3 SOFTWARE MANIPULATION
3.1 System Tray
3.2 Hidden User interface
3.3 Main window
4 CONFIGURATION
4.1 USB Mode
4.2 Configuration Wizard
4.3 Tunnel configuration (main window)
4.4 Authentication or Phase 1
4.5 IPSec Configuration or Phase 2
4.6 Certificate management
4.7 Global Parameters
4.8 Configuration management
4.9 Tunnel management (Connections)
4.
1 Introduction
HotBrick VPN client is a complete IPSec VPN solution for all Windows versions. It provides full IKE support (preshared keying and X509 certificates) and NAT Traversal. It is compatible with most of the currently available IPSec gateways and also operates as a peer-to-peer VPN in a "point-to-multiple" mode, without a gateway or server. HotBrick VPN Client provides 3DES, DES and AES encryption and MD5 and SHA authentication.
The license number is a string of hexadecimal characters such as "0123456789ABCDEF0123". An error message warns the user if this value is invalid. If the license number is correct, HotBrick VPN Client is activated. You can then find a green/red icon in the taskbar. Right and left clicks give access to the configuration user interface and the “Quit” command.
3.1 System Tray
The configuration user interface can be launched via a double click on the application icon (Desktop or Windows Start menu) or by a single click on the application icon in the system tray. Once launched, the VPN Client software shows an icon in the system tray that indicates whether a tunnel is open or not, using a color code.
3.1.
3.3 Main window
The main window is made of several elements:
• A tree list window (left column) that contains all the IKE and IPSec configuration
• Three buttons “Console”, “Parameters” and “Connections” (left column)
• A configuration window (right column) that shows the associated tree level.
3.3.1 Main menus
• “File” menu is used for saving and loading a configuration. With this menu, you can import or export a VPN configuration.
• '?' menu gives access to online help and the 'About' window.
3.3.2 Status bar
The status bar displays several pieces of information:
• The “USB Token box” (left side) indicates whether the “USB mode” is set “On” or “Off” (see also section 4.1). In case it is set “On”, “USB” will appear.
• The “central box” gives some information about VPN Client Software status (e.g.
4.1.1 How to set “USB mode” on?
• Select menu File > Configuration Mode
• Select USB Stick
• Optional: indicate the drive of the USB stick if you’ve plugged it in
Note: At this stage, if a USB stick containing a VPN configuration with tunnel security elements is already plugged in, the associated drive will be automatically recognized. Please note also that it is not necessary to insert a USB stick during this step.
• Copying the configuration onto the USB stick: the VPN client will copy the configuration onto the USB stick and leave a copy on the computer. This is used by IT managers to enable multiple USB sticks for multiple users.
• Moving the configuration onto the USB stick: the VPN client will copy the configuration onto the USB stick and remove all configuration information from the computer. This method is used to secure a computer once VPN configuration setup is complete.
4.1.
To configure this connection, open the wizard's window by selecting the menu "Configuration > Wizard".
4.2.1 Step 1 of 3
You specify the type of the equipment at the end of the tunnel: VPN gateway.
4.2.
• the preshared key you will use for this tunnel (this preshared key must be the same in the gateway)
• the IP address of your company LAN (e.g. specify 192.168.1.0)
4.2.3 Step 3 of 3
The third step summarizes your configuration. Other parameters may be further configured directly via the main interface (e.g. certificates, virtual IP address, etc.)
4.3 Tunnel configuration (main window)
4.3.
4. Configure IPSec Phase (Phase 2)
5. Once the parameters are set, click on “Save & Apply” to take into account the new configuration. That way the IKE service will run with the new parameters.
6. Click on “Open Tunnel” for establishing the IPSec VPN tunnel (only in “IPSec Configuration” window)
4.3.2 Several Authentication or IPSec Configuration Phases
Several Authentication Phases can be configured.
HotBrick VPN Client User Manual Property of HotBrick — 2005
4.4.1 Settings description
Name: Label for the Authentication phase, used only in the configuration user interface. This value is never used during IKE negotiation. It is possible to change this name at any time and read it in the tree control. Two Phase 1 entries cannot have the same name.
Interface: IP address of the network interface of the computer, through which the VPN connection is established. If the IP address may change (when it is received dynamically from an ISP), select "*".
4.4.3 Settings description
Aggressive Mode: If checked, the VPN client will use aggressive mode as the negotiation mode with the remote gateway.
Nat port: Negotiation port for IKE. Default value is 500.
Local ID: Local ID is the identity the VPN client sends to the VPN gateway during Phase 1. This identity can be:
• an IP address (type = IP address), for example: 195.100.205.101
• a domain name (type = DNS), e.g. mydomain.com
• an email address (type = Email), e.g. support@HotBrick.
4.
4.5.1 Settings description
Name: Label for the IPSec Configuration, used only by the VPN client. This parameter is never transmitted during IPSec negotiation. It is possible to change this name at any time and read it in the tree list window. Two Phases cannot have the same name.
VPN Client address: Virtual IP address used by the client inside the remote LAN: the computer will appear in the LAN with this IP address. It is important that this IP address does not belong to the remote LAN (e.g.
4.6 Certificate management
HotBrick IPSec VPN Client uses X509 certificates in PEM format. This kind of certificate is created with OpenSSL, not with HotBrick VPN Client. In order to use X509 certificates with HotBrick IPSec VPN client, you must have the following items:
• Root certificate
• User certificate
• Private key of the user certificate
The private key must not be encrypted. X509 certificates are used during Phase 1.
4.6.1 How to configure IPSec VPN Client with certificates?
1.
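An added example (not part of the HotBrick manual or its software): a Python preflight that checks the three PEM items listed in section 4.6 before they are loaded into the client, flagging a private key that is encrypted in either OpenSSL's legacy format ("Proc-Type: 4,ENCRYPTED") or PKCS#8 ("ENCRYPTED PRIVATE KEY"). The function names and the sample PEM bodies are constructed for illustration; the check inspects PEM structure only and does not verify signatures or the certificate chain.

```python
import base64
import re

# One PEM block: label, optional RFC 1421 headers, base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Yield (label, headers, der_bytes) for every PEM block in text."""
    for label, body in PEM_RE.findall(text):
        headers, b64 = {}, []
        for line in body.splitlines():
            if ":" in line:                      # e.g. "Proc-Type: 4,ENCRYPTED"
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
            elif line.strip():
                b64.append(line.strip())
        yield label, headers, base64.b64decode("".join(b64), validate=True)

def key_state(text):
    """Return 'missing', 'encrypted' or 'clear' for the private key in text."""
    state = "missing"
    for label, headers, _ in pem_blocks(text):
        if label == "ENCRYPTED PRIVATE KEY":     # PKCS#8 encrypted container
            return "encrypted"
        if label.endswith("PRIVATE KEY"):
            if "ENCRYPTED" in headers.get("Proc-Type", ""):  # legacy OpenSSL format
                return "encrypted"
            state = "clear"
    return state

def preflight(root_pem, user_pem, key_pem):
    """Check the three items section 4.6 requires; return a list of problems."""
    problems = []
    for name, text in (("root certificate", root_pem), ("user certificate", user_pem)):
        labels = [label for label, _, _ in pem_blocks(text)]
        if labels != ["CERTIFICATE"]:
            problems.append(f"{name}: expected one CERTIFICATE block, got {labels}")
    state = key_state(key_pem)
    if state != "clear":
        problems.append(f"private key: {state}")
    return problems

# Constructed sample data: the bodies are placeholder bytes, not real keys.
BODY = "Y29uc3RydWN0ZWQ=\n"
def pem(label, extra=""):
    return f"-----BEGIN {label}-----\n{extra}{BODY}-----END {label}-----\n"
CERT, CLEAR_KEY = pem("CERTIFICATE"), pem("RSA PRIVATE KEY")
LEGACY_ENC = pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n")
PKCS8_ENC = pem("ENCRYPTED PRIVATE KEY")
```

Because the client requires the key in clear form, the key file itself is the only protection for the user's identity, so restrict who can read it on disk.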
4.
4.7.1 Settings description
IKE default lifetime: Default lifetime for IKE rekeying.
IKE minimal lifetime: Minimal lifetime for IKE rekeying.
IKE maximal lifetime: Maximal lifetime for IKE rekeying.
IPSec default lifetime: Default lifetime for IPSec rekeying.
IPSec maximal lifetime: Maximal lifetime for IPSec rekeying.
IPSec minimal lifetime: Minimal lifetime for IPSec rekeying.
Retransmissions: How many times a message should be retransmitted before giving up.
4.10 Configuration tools
4.10.1 Stopping IPSec VPN Client: option "/stop"
HotBrick VPN Client can be stopped at any time by the command line:
• "[path]\vpnconf.exe /stop"
where [path] is the client installation directory. If there are several active tunnels, they will be closed properly. This feature can be used, for example, in a script that launches the VPN Client after establishing a dialup connection and exits it just before the disconnection.
4.10.2 IPSec VPN Client Startup mode: VPNSTART
VpnStart.
• At Windows login ("login" mode)
• Launched by user or from a script ("manual" mode)
4.10.3 Hiding IPSec VPN Client configuration user interface: VPNHIDE
VpnHide.exe is a configuration tool that hides the HotBrick Client VPN interface. It can be used by IT managers to prevent end users from modifying configuration settings. In "invisible" mode, the window interface is never shown.
4.
Button: Description
Start / Stop: Start / Stop printing log
Clear: Clear console window content
Save File: Save logs in a file
Stop File: Stop saving logs in a file
Report: Print VPN configuration and IKE internal state.
7 Contacts
Information and updates are available at: www.HotBrick.com. Technical support is available by email: support@HotBrick.com.