TheGreenBow IPsec VPN Client
Configuration Guide
WatchGuard XTM 33

Written by: Anonymous Customer
Website: www.thegreenbow.com
Contact: support@thegreenbow.com
Property of TheGreenBow – Sistech S.A.
Table of Contents

1 Introduction
1.1 Goal of this document
1.2 VPN Network topology
1.
1 Introduction

1.1 Goal of this document

This configuration guide describes how to configure TheGreenBow IPsec VPN Client software with a WatchGuard XTM 33 VPN router to establish VPN connections for remote access to the corporate network.

1.2 VPN Network topology

In our VPN network example (diagram hereafter), we will connect TheGreenBow IPsec VPN Client software to the LAN behind the WatchGuard XTM 33 router.
2 WatchGuard XTM 33 VPN configuration

This section describes how to build an IPsec VPN configuration with your WatchGuard XTM 33 VPN router.

Once connected to your WatchGuard XTM 33 VPN gateway,

2.1 Add VPN using Wizard

Navigate to the menu > VPN > Mobile VPN > IPSec… > Add

The IPSec Wizard starts.
Use the Firebox-DB as the user authentication server. This is an internal authentication server built into the WatchGuard XTM 33 firewall itself.

Assign the group name. In this example, the group name is "IPsecTest". Take note of the group name. You will need it when configuring the VPN Client.

Use a passphrase as the authentication method. Take note of the "Tunnel Passphrase" that you key in. You will need it when configuring the VPN Client.
You can choose either option. The matching setting in TheGreenBow VPN Client is "Disable Split Tunnelling".

Here you add the network resources of the remote network that are to be accessible to the VPN client.

Here you specify the addresses that will be assigned to the remote VPN client. These must be a range of private addresses that do not coincide with the subnet of the remote network.
Choose to continue to the next step, which is adding users to the IPsecTest group.
2.2 Add VPN User

Create the VPN user(s). In this example, the user is vpntestuser. Take note of the user name and passphrase.

You will need to assign this user to the "IPsecTest" group by clicking on the << button in the "Firebox Authentication Groups" panels. The user is not assigned to the group by default.

The user is assigned to the "IPsecTest" group. The VPN configuration is completed.
3 TheGreenBow IPsec VPN Client configuration

This section describes the required configuration to connect to a WatchGuard XTM 33 VPN router via VPN connections.

To download the latest release of TheGreenBow IPsec VPN Client software, please go to www.thegreenbow.com/vpn/vpn_down.html.

3.
Phase 1 advanced configuration

Enable X-Auth Popup or enter X-Auth Login and Password.

Note: If X-Auth Popup is enabled, the user will be requested to enter Login and Password every time the tunnel opens.
3.2 VPN Client Phase 2 (IPsec) Configuration

Enter the IP address (and subnet mask) of the remote LAN.

Phase 2 Configuration

3.3 Open IPsec VPN tunnels

Once both the WatchGuard XTM 33 router and TheGreenBow IPsec VPN Client software have been configured accordingly, you are ready to open VPN tunnels. First make sure your firewall allows IPsec traffic.

1/ Click on "Save & Apply" to apply all modifications made to your VPN Client configuration.
4 Tools in case of trouble

Configuring an IPsec VPN tunnel can be a hard task. One missing parameter can prevent a VPN connection from being established. Some tools are available to find the source of trouble during VPN establishment.

4.1 A good network analyser: Wireshark

Wireshark is free software that can be used for packet and traffic analysis. It shows IP or TCP packets received on a network card. This tool is available on the website www.wireshark.org.
5 VPN IPsec Troubleshooting

5.1 “PAYLOAD MALFORMED” error (wrong Phase 1 [SA])

114920 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
114920 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [NOTIFY]
114920 Default exchange_run: exchange_validate failed
114920 Default dropped message from 195.100.205.
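The pattern in the log above (a Phase 1 [SA] proposal sent, a bare [NOTIFY] received in reply) can be picked out of a longer VPN Client log automatically. The following is an added example, not part of the original guide or of TheGreenBow software; the regular expression is inferred from the three complete log lines shown above, and the CNXVPN2-P1 lines are constructed to show a non-failing exchange.

```python
import re

# Matches lines such as:
#   114920 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
# The field layout is an assumption inferred from the lines quoted in the guide.
EXCHANGE = re.compile(
    r"^(?P<ts>\d+)\s+Default\s+\(SA (?P<sa>[^)]+)\)\s+"
    r"(?P<dir>SEND|RECV) phase (?P<phase>\d) (?P<mode>.+?) "
    r"(?P<payloads>(?:\[[A-Z_]+\])+)\s*$"
)

# First three lines are from section 5.1; the CNXVPN2-P1 lines are constructed.
SAMPLE_LOG = """\
114920 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
114920 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [NOTIFY]
114920 Default exchange_run: exchange_validate failed
114925 Default (SA CNXVPN2-P1) SEND phase 1 Main Mode [SA][VID]
114925 Default (SA CNXVPN2-P1) RECV phase 1 Main Mode [SA][VID]
""".splitlines()


def find_rejected_phase1(lines):
    """Return the SA names whose Phase 1 [SA] proposal was answered by [NOTIFY]."""
    awaiting = set()   # SAs for which [SA] was sent and no reply has been seen
    rejected = []
    for line in lines:
        m = EXCHANGE.match(line.strip())
        if not m or m["phase"] != "1":
            continue   # not a Phase 1 exchange line (e.g. exchange_run messages)
        payloads = re.findall(r"\[([A-Z_]+)\]", m["payloads"])
        if m["dir"] == "SEND" and "SA" in payloads:
            awaiting.add(m["sa"])
        elif m["dir"] == "RECV" and m["sa"] in awaiting:
            awaiting.discard(m["sa"])
            # The gateway replied with a notification instead of accepting the SA.
            if "NOTIFY" in payloads and "SA" not in payloads:
                rejected.append(m["sa"])
    return rejected


if __name__ == "__main__":
    for sa in find_rejected_phase1(SAMPLE_LOG):
        print(f"{sa}: Phase 1 proposal rejected, compare Phase 1 settings on both ends")
```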
5.
5.8 The VPN tunnel is up but I can’t ping!

If the VPN tunnel is up, but you still cannot ping the remote LAN, here are a few guidelines:

- Check Phase 2 settings: VPN Client address and Remote LAN address. Usually, the VPN Client IP address should not belong to the remote LAN subnet.
- Once the VPN tunnel is up, packets are sent with the ESP protocol. This protocol can be blocked by a firewall.
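The address rule stated in section 2.1 (the pool assigned to VPN clients must be private addresses that do not coincide with the remote network) and repeated in the first guideline above can be checked before the tunnel is ever opened. The following is an added example, not part of the original guide; the function name and all addresses are constructed for illustration, and "private" is taken to mean the RFC 1918 IPv4 ranges.

```python
import ipaddress

# RFC 1918 private IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_virtual_pool(pool_start, pool_end, remote_lans):
    """Return a list of problems with a virtual address pool for VPN clients.

    pool_start / pool_end: first and last IPv4 address handed out to clients
    (use the same value twice to check a single VPN Client address).
    remote_lans: CIDR strings for the networks reachable through the tunnel.
    """
    first = ipaddress.IPv4Address(pool_start)
    last = ipaddress.IPv4Address(pool_end)
    if first > last:
        return ["pool start is higher than pool end"]

    # Express the range as the minimal set of CIDR blocks that covers it.
    blocks = list(ipaddress.summarize_address_range(first, last))
    problems = []

    for block in blocks:
        if not any(block.subnet_of(private) for private in RFC1918):
            problems.append(f"{block} is outside RFC 1918 private space")

    for lan in remote_lans:
        lan_net = ipaddress.IPv4Network(lan, strict=False)
        if any(block.overlaps(lan_net) for block in blocks):
            problems.append(f"pool overlaps remote LAN {lan_net}")

    return problems


if __name__ == "__main__":
    # Constructed values: a remote LAN and three candidate client pools.
    lan = ["192.168.1.0/24"]
    for start, end in [("10.0.1.1", "10.0.1.20"),
                       ("192.168.1.200", "192.168.1.210"),
                       ("172.32.0.1", "172.32.0.10")]:
        print(start, end, check_virtual_pool(start, end, lan) or "OK")
```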
6 Contacts

News and updates on TheGreenBow web site: www.thegreenbow.com
Technical support by email at: support@thegreenbow.com
Sales contacts by email at: sales@thegreenbow.com