VPN Administration Guide Revision A SafeNet/Soft-PK Version 5.1.3 Build 4 Sidewinder Version 5.1.0.
Copyright Notice
This document and the software described in it are copyrighted. Under the copyright laws, neither this document nor this software may be copied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior written authorization of Secure Computing Corporation. Copyright © 2001, Secure Computing Corporation. All rights reserved. Made in the U.S.A.
SECURE COMPUTING’S AND ITS LICENSORS ENTIRE LIABILITY UNDER, FOR BREACH OF, OR ARISING OUT OF THIS AGREEMENT, IS LIMITED TO A REFUND OF THE PURCHASE PRICE OF THE PRODUCT OR SERVICE THAT GAVE RISE TO THE CLAIM. IN NO EVENT SHALL SECURE COMPUTING OR ITS LICENSORS BE LIABLE FOR YOUR COST OF PROCURING SUBSTITUTE GOODS.
Table of Contents
Preface: About this Guide
  Who should read this guide?
  How this guide is organized
  Where to find additional information
Chapter 1: Getting Started
  About Soft-PK & Sidewinder VPNs
  Defining remote client identities in Sidewinder
  Managing pre-shared keys (passwords)
  Configuring the VPN on the Sidewinder
Chapter 4: Installing and Working with Soft-PK
  Soft-PK installation notes
  Starting Soft-PK
Preface: About this Guide
This guide provides the information needed to set up connections between remote systems running SafeNet/Soft-PK™ VPN client software and systems on a network protected by Secure Computing’s Sidewinder firewall. SafeNet/Soft-PK is a Windows-compatible program that secures data communications sent from a desktop or laptop computer across either a public network or an existing corporate dial-up line.
How this guide is organized
This guide contains the following chapters.
Chapter Title | Description
Chapter 1: Getting Started | Presents an overview of Soft-PK and the Sidewinder Virtual Private Network (VPN) environment and describes the requirements. It includes a checklist to guide you through the basic steps to set up and deploy a VPN.
Where to find additional information
Viewing and printing this document online
When you view this document online in PDF format, you may find that the screen images are blurry. If you need to see the image more clearly, you can either enlarge it (which may not eliminate the blurriness) or you can print it. (The images are very clear when printed out.) For the best results, print this PDF document using a PostScript printer driver.
To contact Secure Computing directly or inquire about obtaining a support contract, refer to our Web site at www.securecomputing.com, and select "Contact Us." Or if you prefer, send us email at support@securecomputing.com (be sure to include your customer ID in the email).
Chapter 1: Getting Started
About this chapter
This chapter provides an overview of the Soft-PK™ and Sidewinder Virtual Private Network (VPN) environment and describes the requirements. It includes a checklist to guide you through the basic steps to set up and deploy a VPN.
About Soft-PK & Sidewinder VPNs
Soft-PK is security software for remote PC users. It is designed to provide data privacy between remote users and a corporate network. Industry-standard encryption and user verification routines protect the data sent over the connection. Soft-PK conforms to Internet Engineering Task Force (IETF) standards for TCP/IP and IP Security (IPSec) protocols.
Requirements
To configure VPN communication between Sidewinder and Soft-PK clients, your Sidewinder must be configured with the proper VPN parameter settings and access rules. In addition, depending on your VPN connection setup, you may also need to define the proper digital certificates. To run the Soft-PK VPN client, each remote system must meet minimum hardware and software requirements.
Soft-PK requirements
Each system on which Soft-PK will be installed must meet the requirements listed in Table 1-2.
IMPORTANT: A remote system must only run one VPN client. If a VPN client program such as SecureClient was previously installed on the remote system, ensure it is properly uninstalled. See Chapter 4, "Installing and Working with Soft-PK" for details.
Table 1-2.
Roadmap to deploying your VPNs
Because Secure Computing products provide network security, we recommend that, as the network administrator, you carefully oversee the installation and configuration of the Soft-PK client(s). Setting up VPN connections using Soft-PK and Sidewinder involves performing procedures on each remote system running Soft-PK AND on your Sidewinder.
Figure 1-2.
The following checklist identifies each major step involved in the setup and deployment of your Soft-PK software (as shown in Figure 1-2). You can use the checklist as a reference point and mark off each item as you complete it to ensure a successful VPN rollout.
Soft-PK deployment checklist
TIP: Each step provides an overview of the task and points you to specific documentation for more detailed information.
❒ ISAKMP ACL entry: At a minimum, you must define and enable an ACL entry that allows ISAKMP traffic from the Internet to the Internet burb on Sidewinder (external IP address of Sidewinder).
❒ Other ACL entries: Depending on where you terminate your VPN connections on Sidewinder (e.g., in a virtual burb), you may need to create ACL entries to allow traffic between burbs.
❒ Proxies: Depending on where you terminate your VPN connections on Sidewinder (e.g.
5. Configure the VPN connections on the Sidewinder
❒ Use Cobra to define the VPN security association configuration. See "Configuring the VPN on the Sidewinder" on page 3-15 for details.
❒ Enable Extended Authentication.
6. Configure the certificates and security policy(ies) for your remote users
❒ Install your copy of Soft-PK. See "Soft-PK installation notes" on page 4-2 for details.
❒ Use Soft-PK to set up the certificates needed by each end user.
8. Troubleshoot any connection problems
❒ Use the Soft-PK Log Viewer. See "Soft-PK Log Viewer" on page A-1.
❒ Use the Soft-PK Connection Monitor. See "Soft-PK Connection Monitor" on page A-2.
❒ Use Sidewinder commands. See "Sidewinder troubleshooting commands" on page A-4 and the Sidewinder Administration Guide for details.
Chapter 2: Planning Your VPN Configuration
About this chapter
This chapter provides information to help you understand key concepts and options that are involved in a VPN connection.
Identifying basic VPN connection needs
Before you actually begin configuring your Sidewinder or work with Soft-PK, ensure you have an understanding of the basic profile for your VPN connections. Begin by doing the following:
- List the remote users that need a VPN connection
- List the internal/trusted systems to which users need access
- Identify the important IP addresses
It may help to start a sketch that defines your basic requirements.
Identifying authentication requirements
Determine how you will identify and authenticate the partners in your VPN. Sidewinder and Soft-PK both support using digital certificates and pre-shared key VPN configurations. In addition, when you use Sidewinder version 5.1.0.02 or later, you can set up Extended Authentication to provide increased security to your VPN network. The following summarizes VPN authentication methods.
If not already done, decide if you will use self-signed certificates generated by Sidewinder or a public/private CA server.
Table 2-1.
A closer look at CA-based certificates
A VPN implemented using CA-based certificates requires access to a private or public CA. Each end-point (client, firewall, etc.) in the VPN retains a private key file that is associated with a public certificate. In addition, each end-point in the VPN needs the CA root certificate on their system. Figure 2-3 shows the certificates involved in a VPN using CA-based certificates.
Figure 2-3.
Extended authentication
In addition to the normal authentication checks inherent during the negotiation process at the start of every VPN association, Extended Authentication goes one step further by requiring the person requesting the VPN connection to validate their identity. Depending on the authentication method you select, the person must provide a unique user name and password, a special passcode, or one-time password before the VPN association is established.
Determining where you will terminate your VPNs
You can configure a VPN security association on Sidewinder to terminate in any burb. For example, Figure 2-4 shows a VPN security association terminating in the trusted burb. It allows all network traffic to flow between the hosts on the trusted network and the VPN client. Other than an external-to-external ISAKMP ACL entry, you need no special ACL entries or proxy control.
Figure 2-4.
More about virtual burbs and VPNs
Consider a VPN association that is implemented without the use of a virtual burb. Not only will VPN traffic mix with non-VPN traffic, but there is no way to enforce a different set of rules for the VPN traffic. This is because proxies and ACLs, the agents used to enforce the rules on a Sidewinder, are applied on a per-burb basis, not to specific traffic within a burb.
Note: Do not terminate VPN connections in the Internet burb.
Understanding Sidewinder client address pools
Figure 2-6. VPN association implemented using client address pool
You may choose to implement your VPN using Sidewinder client address pools. Client address pools are reserved virtual IP addresses, recognized as internal addresses of the trusted network. Addresses in this pool are configured on Sidewinder and assigned (or "pushed") to a VPN client (per VPN configuration) when the VPN connection is started.
- Address of the firewall
- Protected networks
The client does not need to define a virtual IP for use in the VPN connection, nor do they need to concern themselves with DNS issues on the trusted network. In addition to simplifying the configuration process for your clients, client address pools give you the ability to place additional controls on VPN clients. You can allow or restrict access on a client address pool basis.
Chapter 3: Configuring Sidewinder for Soft-PK Clients
About this chapter
This chapter provides a summary of Sidewinder procedures associated with setting up and configuring Soft-PK connections in your network.
IMPORTANT: Perform these procedures before you configure your Soft-PK clients.
Enabling the VPN servers
Before you configure a VPN association on your Sidewinder, you must first enable the Sidewinder’s EGD and CMD servers. In addition, you must enable the ISAKMP server and set it to listen on the Internet burb. Do the following from the Sidewinder Cobra interface:
1. Enable the cmd, egd, and isakmp servers.
   a. Select Services Configuration -> Servers -> Control.
Figure 3-1.
Configuring ACL & proxies entries for VPN connections
Depending on where you decide to terminate your VPN tunnel, you must ensure that you have the appropriate ACL entries set up to allow ISAKMP traffic and allow/deny the appropriate proxy traffic. At a minimum, you must define and enable an ACL entry that allows ISAKMP traffic from the Internet to the external IP address of Sidewinder.
1.
Managing Sidewinder self-signed certs
If you are using Sidewinder to generate certificates, use the following procedure to create and export self-signed certificates that identify the firewall and each remote client.
TIP: Typically, a VPN configuration using Sidewinder self-signed certificates is suitable if the number of clients is small.
Note: A self-signed certificate created on Sidewinder remains valid for one year beginning from the date it is created.
3. Specify the following Firewall Certificate settings.
Field | Setting
Certificate Name | Specify a name for the firewall certificate.
Distinguished Name | Specify a set of data that identifies the firewall. Use the following format: cn=,ou=,o=,l=,st=,c= where: cn = common name, ou = organizational unit, o = organization, l = locality, st = state, c = country. IMPORTANT: The syntax for this field is very important.
Creating & exporting remote certificate(s)
Use the following procedure on Sidewinder to create a self-signed certificate file (with its embedded public key) and a private key file for each of your Soft-PK clients. Once a certificate/private key file pair is created for a unique client, you must use Sidewinder’s pkcs12_util command to combine each file pair into a PKCS12-formatted object.
3. Specify the following Remote Certificate settings.
Field | Setting
Certificate Name | Specify a name for the remote certificate.
Distinguished Name | Specify a set of data that identifies the client. Use the following format: cn=,ou=,o=,l=,st=,c= where: cn = common name, ou = organizational unit, o = organization, l = locality, st = state, c = country. IMPORTANT: The syntax for this field is very important.
Converting the certificate file/private key file pair to pkcs12 format
5. Click Close to return to the previous window.
6. To start the PKCS12 utility on the Sidewinder, from the command line, enter the following command:
   pkcs12_util
   The utility will prompt you for the name and location of the private key file, for the name and location of the associated certificate file, and for the name and location in which to store the resulting PKCS12-formatted object.
Managing CA-based certificates
If you are using a CA to authorize certificates, use the following procedures to define the CA, request the firewall and CA certificates, and define the remote identities of each client within Sidewinder (needed later when setting up your VPN connections).
Defining a CA to use and obtaining the CA root cert
To request a CA certificate for Sidewinder, do the following from Cobra.
1.
6. Click Export to save the CA certificate to a file for later importation into client system(s). Each user must then use Soft-PK to import the CA certificate you obtained for them.
Note: You can have the user request the CA certificate from the CA using Soft-PK. You must provide the necessary CA information/instructions to do so.
Requesting a certificate for the firewall
To request a firewall certificate from a CA, do the following.
1.
2. Specify the firewall certificate information.
Field | Setting
Certificate Name | Specify a name for the firewall certificate.
Distinguished Name | Specify a set of data that identifies the firewall. Use the following format: cn=,ou=,o=,l=,st=,c= where: cn = common name, ou = organizational unit, o = organization, l = locality, st = state, c = country. IMPORTANT: The syntax for this field is very important.
Determining identifying information for client certificates
Define the identifying information that will be used for each remote client certificate. Typically, these are the values entered in the Distinguished Name (DN) fields when defining a certificate. This information will be needed in either of the following scenarios:
- If you plan to direct remote users to request a remote certificate from the CA.
Defining remote client identities in Sidewinder
When using CA-based certificates, you must define an identity "template" in Sidewinder that matches all possible client identities used by the remote entities in your VPN. To define remote certificate identities on Sidewinder, do the following.
1. Select Services Configuration -> Certificate Management and click the Certificate Identities tab. Click New.
2. Specify an identity name and the Distinguished Name fields.
Managing pre-shared keys (passwords)
When using pre-shared keys (passwords), you must define an identity "template" in Sidewinder that matches all possible client identities used by the remote entities in your VPN. To define remote certificate identities on Sidewinder, use the same procedure as defined in "Defining remote client identities in Sidewinder" on page 3-13.
Configuring the VPN on the Sidewinder
Create a VPN security association for a Tunnel VPN using the newly created certificates. Do the following from the Sidewinder Cobra interface:
1. Select VPN Configuration -> Security Associations. Click New.
2. Select the General tab and specify the following primary VPN settings.
Figure 3-8. Sidewinder Security Associations window (defined VPNs)
Field | Setting
Name | Enter the name of this VPN association.
Field | Setting
Local Network/IP | Specify the network names or IP addresses to use as the destination for the client(s) in the VPN. Click the New button to specify the IP Address / Hostname and Number of bits in Netmask. The value specified identifies the network portion of the IP address. For example, if you specify 24 with an IP address of 10.10.10.0, all IP addresses that begin with 10.10.10 are accepted.
3. Select the Authentication tab. Choose the authentication method appropriate for your configuration.
Figure 3-9. Sidewinder Security Associations Properties, Authentication tab
The "view" changes depending upon the Authentication Method you select from the dropdown list. If you selected Single Certificate (Figure 3-10), specify the following self-signed certificate options.
Figure 3-10. "Single Certificate" options
Table 3-2.
If you selected Certificate & Certificate Authority (Figure 3-11), specify the following CA certificate options.
Figure 3-11. "Certificate & Certificate Authority" options
Table 3-3. Certificate + Certificate Authority options
Firewall Credentials tab
Remote Credentials tab
Field | Setting
Firewall Certificate | Select the certificate used to authenticate the key exchange.
If you selected Password (Figure 3-12), specify the following password options.
Figure 3-12. "Password" options
Table 3-4. Password options
General
Identities
Save your settings!
Field | Setting
Enter Password/ Renter password | Select the certificate used to authenticate the key exchange.
Require Extended Authentication | Enable this checkbox.
Firewall Identity | Specify the identity to use when identifying the firewall to the remote client.
Chapter 4: Installing and Working with Soft-PK
About this chapter
This chapter includes Soft-PK installation notes. It also describes the basic Soft-PK procedures for managing certificates and creating a customized Soft-PK security policy for your remote clients.
IMPORTANT: As network administrator, you need to install your own copy of Soft-PK and become familiar with the software before you deploy setup instructions and the Soft-PK software to each end user.
Soft-PK installation notes
Note the following about installing, removing, or upgrading Soft-PK software. You can customize the UserWorksheet.doc file located on the product CD to specify detailed installation instructions to your end users. (See Chapter 5 for details.)
Table 4-1.
Starting Soft-PK
Soft-PK starts automatically each time the computer on which it resides is started. It runs transparently at all times behind all other software applications including the Windows login. The Soft-PK icon in the taskbar changes color and image to indicate the status of system communications.
Figure 4-1.
Activating/Deactivating Soft-PK
The Soft-PK user interface defines the security mode and the action Soft-PK takes when it detects packets of various protocols and various destinations. Once configured, users need to access the user interface only to view or modify these settings. As shown in Figure 4-2, you can right-click on the Soft-PK icon in the taskbar to see all program options.
Figure 4-2.
About the Soft-PK program options
This section provides a brief description of the Soft-PK main program options. Use Soft-PK’s comprehensive online help for detailed information.
Certificate Manager
The Certificate Manager allows you to request, import, and store the digital certificates received from certificate authorities (CAs).
Managing certificates on Soft-PK
If you are using digital certificate authentication in your VPN, you should provide your end users with the information and files needed to set up the necessary certificates on their Soft-PK client. This section provides a basic overview of what you need to do and includes (or provides cross-reference to) the appropriate procedures.
Setting up CA-based certificates
If you are using CA-based digital certificates, as administrator, do the following.
1. If not already done, request and export the CA root certificate. See "Defining a CA to use and obtaining the CA root cert" on page 3-9 for details.
   Note: You must have a CA certificate configured in the Soft-PK system before you can request a personal certificate online.
2. If not already done for each end user, create and export a remote certificate.
Requesting a personal certificate from a CA on user’s behalf
1. Select Start -> Programs -> SafeNet/Soft-PK -> Certificate Manager (or right click the SafeNet icon and select Certificate Manager).
2. Click the My Certificates tab.
3. Click Request Certificate.... The Online Certificate Request dialog box appears.
4. Select the Generate Exportable Key check box.
TIP: You should select the new certificate and click Verify to validate it.
Exporting a personal certificate
14. In the My Certificates tab, select a personal certificate.
15. Click Export. The Export Certificate and Private Key dialog box appears.
16. In the Filename box, enter the drive, directory, and filename for the personal certificate file. The default setting is C:\Temp\Cert.p12.
17. In the Password box, type any password you choose.
18.
Figure 4-4. Soft-PK Certificate Manager: CA Certificates tab, Import CA Certificate
4. Insert the diskette containing the self-signed firewall or certificate file.
5. From the Files of type: field, select All Files (*.*) and then navigate to display the files located on the diskette.
6. Select the appropriate certname.pem file and click Open. The following window appears prompting you to confirm you want to import the selected certificate.
7. Click Yes.
8.
Importing a personal certificate into Soft-PK
Use the following procedure to import a personal certificate into the Soft-PK system. This procedure is done at the client system and assumes Soft-PK is already installed.
Note: This procedure is summarized in the UserWorksheet.doc file; customize that procedure as needed for your end users.
1. Select Start -> Programs -> SafeNet/Soft-PK -> Certificate Manager (or right click the SafeNet icon and select Certificate Manager).
Note: You must provide this password to the end user so they can later import this certificate file.
8. Click Import. A prompt appears to confirm you want to import the selected Personal Certificate.
9. Click Yes.
Figure 4-9. Verification window
10. [Optional] From the My Certificates tab, click View to see the information in the certificate.
Figure 4-10.
Configuring a security policy on the Soft-PK
As an administrator, you can configure end user security policies on your Soft-PK system, save them to a diskette, and distribute them to your users. Your end users then simply import the security policy you’ve set up.
4. Start defining a new policy. Select Edit -> Add -> Connection to create a new policy.
Figure 4-11. Soft-PK: Security Policy Editor
New connection named SecureVPN
Note: By default, the "Other Connections" policy handles all traffic not defined in other policies.
5. Specify a descriptive name for the connection. (The name "SecureVPN" is used in this example.)
6. Specify the connection type. In the Connection Security field, specify Secure.
7.
- Click the Edit Name button. In the window that appears (Figure 4-12), enter the Distinguished Name information. Input all fields from the Firewall Certificate and click OK.
Figure 4-12. Soft-PK: Edit Distinguished Name window to specify Firewall public certificate
This is case sensitive; make sure it matches the certificate exactly.
9. Select Security Policy and select the Phase 1 Negotiation Mode.
Figure 4-13.
a. Select the authentication method for this connection.
   If using shared password: Click Pre-Shared Key and enter the shared password.
   If using digital certificates: Select the personal certificate previously imported from the drop-down list. Notice the ID Type automatically changes to Distinguished Name.
b. In the Internet Interface selection drop-down box, specify which interface to use when creating the VPN.
12. Specify the Key Exchange settings. Select Key Exchange (Phase 2) -> Proposal 1.
Figure 4-16. Soft-PK: Key Exchange (Phase 2) -> Proposal 1 fields
SA Life: Select Unspecified to default to Sidewinder settings.
Compression should not be used.
Encapsulation Protocol: Select the same settings in the Encryption and Hash Algorithms fields as Phase 1. Do not change Tunnel Encapsulation.
Do not use the Authentication Protocol (AH).
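Added example (not part of the original guide or of the Soft-PK/Sidewinder software): a Python check for the exact, case-sensitive match required when the firewall certificate's Distinguished Name is typed into the Edit Distinguished Name window. It assumes the flat cn=,ou=,o=,l=,st=,c= layout shown in Chapter 3 with no escaped commas; the function names and sample values are constructed for illustration.

```python
# Added example: not part of the Soft-PK or Sidewinder software or the guide.
# Assumption: DNs use the flat "cn=,ou=,o=,l=,st=,c=" layout from Chapter 3,
# with no escaped commas and no repeated attributes.

DN_KEYS = ("cn", "ou", "o", "l", "st", "c")


def parse_dn(text):
    """Parse 'cn=..,ou=..' into {attribute: value}, keeping values verbatim."""
    fields = {}
    for part in text.split(","):
        if "=" not in part:
            raise ValueError(f"component without '=': {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().lower()
        if key not in DN_KEYS:
            raise ValueError(f"unexpected attribute {key!r}")
        if key in fields:
            raise ValueError(f"attribute {key!r} appears twice")
        fields[key] = value
    return fields


def compare_dn(cert_dn, client_fields):
    """Compare the certificate DN with the values typed on the client.

    client_fields maps attribute name to the text entered for it; blank
    entries count as absent. Returns a list of
    (attribute, problem, cert_value, client_value); an empty list means
    every field matches exactly, including case.
    """
    cert = parse_dn(cert_dn)
    client = {k.strip().lower(): v for k, v in client_fields.items() if v != ""}
    findings = []
    for key in DN_KEYS:
        want, got = cert.get(key), client.get(key)
        if want == got:
            continue
        if got is None:
            problem = "missing on client"
        elif want is None:
            problem = "not in certificate"
        elif want.strip() == got.strip():
            problem = "whitespace differs"
        elif want.lower() == got.lower():
            problem = "case differs"
        else:
            problem = "value differs"
        findings.append((key, problem, want, got))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    cert_dn = "cn=fw.example.com,ou=IT,o=Example Corp,l=Saint Paul,st=MN,c=US"
    typed = {"cn": "fw.example.com", "ou": "it", "o": "Example Corp",
             "l": "Saint Paul ", "st": "MN", "c": ""}
    for attr, problem, want, got in compare_dn(cert_dn, typed):
        print(f"{attr}: {problem} (certificate {want!r}, client {got!r})")
```

Running it against the DN exported with the firewall certificate before distributing a policy shows which field differs and whether the difference is only case or trailing whitespace.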
Chapter 5: Deploying Soft-PK to Your End Users
About this chapter
This chapter summarizes the final preparation steps for deploying the Soft-PK software, digital certificate files, and security policy to your end users. It is based on a worksheet that you edit and send to each remote end user.
IMPORTANT: This chapter assumes you have obtained the required certificates and have configured and saved a security policy.
Overview
You should deploy the Soft-PK installation program with a customized security policy and the necessary digital certificates. Custom installations are designed to make it easy to manage corporate security policies for tens, hundreds, or thousands of end users. Along with the necessary software and files, you should provide specific Soft-PK installation and setup instructions for each end user.
Prior to customizing the worksheet, take a few minutes to organize the files and information you need to deploy to your end users.
Table 5-1. Organize the files/software for each client (end user)
Deployment item | Notes
Soft-PK software program | Soft-PK setup.exe file and supporting files.
Digital certificate files | If deploying Sidewinder self-signed certificates: firewall certificate (*.pem); personal certificate, with private key (*.
Customizing the user worksheet
This section provides summary information about each section in the default UserWorksheet.doc file.
Specifying dial-up network instructions
Figure 5-2 shows the text in the initial UserWorksheet.doc file that pertains to setting up dial-up networking. Delete or change this text as needed for your end user’s particular environment.
Figure 5-2.
Specifying certificate import/request instructions
Figure 5-4 shows the text in the initial UserWorksheet.doc file that pertains to digital certificates. The default text covers basic instructions for importing certificate files from a disk you provide. Change this text according to how you want users to set up digital certificates (or delete if not using certificates).
Figure 5-4.
Specifying security policy instructions
Figure 5-5 shows the text in the initial UserWorksheet.doc file that pertains to the Soft-PK security policy. The default text covers basic instructions for importing a security policy from a disk you provide. Change this text according to how you want users to set up the security policy.
Figure 5-5.
Appendix A: Troubleshooting
About this appendix
This appendix provides a summary of troubleshooting techniques available for resolving Soft-PK and Sidewinder VPN connection problems.
Soft-PK Connection Monitor
The following summarizes the tasks you can perform.
Button | Summary
Clear | Clears the communications log. IMPORTANT: You cannot retrieve this information once you clear it.
Freeze | Freezes/Unfreezes the communications log. Because the communications log scrolls through IKE negotiations as they occur, you may need to freeze the log in order to save or print specific messages.
You will see an icon to the left of the connection name:
- A key indicates that the connection has a Phase 2 IPSec SA, or both a Phase 1 and Phase 2 SA. When there is a single Phase 1 SA to a gateway that is protecting multiple Phase 2 SAs, there will be a single Phase 1 connection with the SA icon and individual Phase 2 connections with the key icon listed above that entry.
- An SA indicates that the connection has only a Phase 1 IKE SA.
that the selected connection has established SAs. To view Authentication (Phase 1) security associations negotiated by IKE, click the Phase 1 tab. To view Key Exchange (Phase 2) security associations negotiated by IPSec, click the Phase 2 tab.
Sidewinder troubleshooting commands
In addition to standard logging, the Sidewinder also performs auditing of certain system events, which allows you to generate information on VPN connections.
Part Number: 86-0935037-A Software Version: Soft-PK 5.1.3 Build 4 and Sidewinder 5.1.0.02 Product names used within are trademarks of their respective owners. Copyright © 2001 Secure Computing Corporation. All rights reserved.