Global Technology Associates, Inc.
REMOTE ACCESS PPTP & L2TP
5/14/2014 1
Course 4003 & 4004
Remote Access PPTP & L2TP Features
! Clients: Android, iPad/iPhone, Mac, Windows, Linux [PPTP]
! Provides seamless integration with GTA Firewalls.
! Granular network access and authorization based on groups and policies.
! Authentication: RADIUS, or users defined on the firewall
PPTP & L2TP Requirements
! GB-OS 5.4.0 or above. Upgrade if you are not on the current release; there have been many updates and security patches since the initial release.
! Supported OS/client (per-client setup guides are listed under References).
! IPv4 only. IPv6 is not supported for PPTP.
What is PPTP
PPTP, the Point-to-Point Tunneling Protocol, is a method of establishing a VPN between a host and a VPN device. It uses a control channel over TCP port 1723 and tunnels the data over GRE (Generic Routing Encapsulation, IP protocol 47). Because the data channel is GRE rather than TCP or UDP, any NAT device or filter between the client and the firewall must pass IP protocol 47 as well as TCP 1723, or the control connection will succeed and no data will flow.
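To make the two channels concrete, here is an added example (not code from the GTA slides or from GB-OS) that decodes the 12-byte PPTP control-message header carried over TCP 1723 and the enhanced GRE header PPTP uses on IP protocol 47, as laid out in RFC 2637. The sample packets are constructed by hand; the call ID, sequence number and PPP payload are made up.

```python
"""Decoders for the two PPTP wire formats: the TCP 1723 control channel and
the GRE (IP protocol 47) data channel.

Added example, not code from the GTA slides or from GB-OS. The sample
packets below are constructed from RFC 2637; call ID, sequence number and
PPP payload are invented.
"""
import struct

PPTP_MAGIC_COOKIE = 0x1A2B3C4D   # fixed sync value in every control message
GRE_PROTOCOL_PPP = 0x880B        # protocol type carried by PPTP's enhanced GRE
GRE_FLAG_K = 0x2000              # Key present (always set: Payload Length + Call ID)
GRE_FLAG_S = 0x1000              # Sequence Number present
GRE_FLAG_A = 0x0080              # Acknowledgment Number present
GRE_VERSION_MASK = 0x0007        # PPTP requires version 1

CONTROL_MESSAGE_NAMES = {
    1: "Start-Control-Connection-Request",
    2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request",
    4: "Stop-Control-Connection-Reply",
    5: "Echo-Request",
    6: "Echo-Reply",
    7: "Outgoing-Call-Request",
    8: "Outgoing-Call-Reply",
    12: "Call-Clear-Request",
    13: "Call-Disconnect-Notify",
    15: "Set-Link-Info",
}


def parse_pptp_control_header(data: bytes) -> dict:
    """Parse the 12-byte header shared by all PPTP control messages (TCP 1723)."""
    if len(data) < 12:
        raise ValueError("short PPTP control header")
    length, msg_type, cookie, ctrl_type, _reserved = struct.unpack("!HHIHH", data[:12])
    # The cookie is a constant, not a secret: it only detects a desynchronised
    # TCP stream and gives no protection against forged control messages.
    if cookie != PPTP_MAGIC_COOKIE:
        raise ValueError(f"bad magic cookie 0x{cookie:08X}")
    if msg_type != 1:  # 1 = control message, 2 = management message
        raise ValueError(f"unexpected PPTP message type {msg_type}")
    if length > len(data):
        raise ValueError(f"declared length {length} exceeds {len(data)} bytes on the wire")
    return {
        "length": length,
        "control_type": ctrl_type,
        "name": CONTROL_MESSAGE_NAMES.get(ctrl_type, f"type {ctrl_type}"),
    }


def parse_pptp_gre_header(data: bytes) -> dict:
    """Parse the enhanced GRE header PPTP uses for tunnelled PPP (IP protocol 47)."""
    if len(data) < 8:
        raise ValueError("short GRE header")
    flags_ver, proto, payload_len, call_id = struct.unpack("!HHHH", data[:8])
    if proto != GRE_PROTOCOL_PPP:
        raise ValueError(f"not PPTP: GRE protocol type 0x{proto:04X}")
    if (flags_ver & GRE_VERSION_MASK) != 1 or not (flags_ver & GRE_FLAG_K):
        raise ValueError("PPTP requires GRE version 1 with the K bit set")
    offset, seq, ack = 8, None, None
    if flags_ver & GRE_FLAG_S:
        (seq,) = struct.unpack("!I", data[offset:offset + 4])
        offset += 4
    if flags_ver & GRE_FLAG_A:
        (ack,) = struct.unpack("!I", data[offset:offset + 4])
        offset += 4
    ppp = data[offset:offset + payload_len]
    if len(ppp) != payload_len:
        raise ValueError("GRE payload length exceeds the bytes on the wire")
    # The Call ID is the only field tying a GRE packet to a control session,
    # so a firewall rule that simply passes "GRE" passes every call alike.
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": ppp}


# Constructed samples (not captured traffic).
SAMPLE_SCCRQ = struct.pack("!HHIHH", 156, 1, PPTP_MAGIC_COOKIE, 1, 0) + bytes(144)
SAMPLE_GRE = (struct.pack("!HHHH", GRE_FLAG_K | GRE_FLAG_S | 1, GRE_PROTOCOL_PPP, 6, 0x1234)
              + struct.pack("!I", 7)
              + b"\xc0\x21\x01\x01\x00\x04")   # PPP LCP Configure-Request, id 1

if __name__ == "__main__":
    print(parse_pptp_control_header(SAMPLE_SCCRQ))
    print(parse_pptp_gre_header(SAMPLE_GRE))
```

Run as a script it prints the decoded SCCRQ header and the GRE header of the constructed data packet; the parsers are what a detection engineer would drop into a packet-inspection script to confirm that what is arriving on TCP 1723 and IP protocol 47 is really PPTP and to pull out the Call ID per session.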
PPTP Configuration
! Configure service: [Configure -> VPN -> Remote Access -> PPTP]
! Create or edit groups allowing PPTP access: [Configure -> Accounts -> Groups]
! Create security policies. PPTP policies: [Configure -> Security Policies -> Policy Editor -> VPN -> PPTP]
! Create users or configure RADIUS: [Configure -> Accounts -> Users], [Configure -> Accounts -> Authentication]
PPTP Service Configuration
! Local Network – Used to build the PPTP security policies. It is not the same as the Local Network used for IPSec tunnels, mobile IPSec clients or the SSL client. When the VPN is established it is a point-to-point tunnel between the host and the firewall; the host can (if policies allow) reach all networks defined in the PPTP security policies.
! Pool Network – The address range from which connecting clients are assigned an IP address.
! Name Server IP Address
! WINS Server IP Address
! Authentication – RADIUS, or users defined on the firewall
PPTP Advanced
! Automatic Policies – Creates the policies allowing TCP 1723 and GRE (IP protocol 47) to the firewall.
! Encryption – None, 40, 56, 128, or All. Set 128: None sends the tunnel in cleartext, 40- and 56-bit MPPE keys are weak, and All lets the client negotiate any of them.
! MTU – Sets the MTU for the service.
! Time Out – Closes the VPN if no activity is detected.
! Debug – Advanced debugging for connection issues: Chat, LCP, Phase.
PPTP Security Policies
! PPTP policies control access inbound and outbound for PPTP clients.
! Misconfigured policies can allow too much access: scope them to the destinations and protocols clients actually need rather than the whole Local Network.
Groups & Users
! Create a group that has PPTP access.
! Create users in the PPTP group.
Configuring Windows Client (PPTP)
1. Open the Windows Control Panel.
2. Go to Network and Internet > Network and Sharing Center.
3. Click Set up a new connection or network.
4. Select Connect to a workplace and click Next.
5. Click Use my Internet connection (VPN).
6. Enter the IP address or resolvable hostname of the firewall in the Internet Address field, and a description for the VPN connection.
7. Check Don't connect now; just set it up so I can connect later.
8. Enter the PPTP username and password for the VPN.
9. Click Create.
10. Navigate to Control Panel > Network and Internet > Network Connections.
11. Right-click the connection and select Properties. Click the Security tab. Set the Type of VPN to PPTP.
Monitoring
! [Monitor -> Activity -> Accounts -> Authenticated]
! [Monitor -> Activity -> Network -> Connections]
System Overview
! Overview displays the licenses used and available.
! No free licenses:
Oct 7 16:12:26 pri=6 msg="PPTPServer: Unable to acquire license, access for 'David Brooks' denied" type=mgmt
L2TP Configuration
! Configure service: [Configure -> VPN -> Remote Access -> L2TP]
! Configure (optional) an IPSec Object, then start the IPSec service: [Configure -> VPN -> Remote Access -> IPSec]
! Create or edit groups allowing L2TP access: [Configure -> Accounts -> Groups]
! Create security policies. IPSec L2TP policy: [Configure -> Security Policies -> Policy Editor -> VPN -> IPSec]. L2TP policies: [Configure -> Security Policies -> Policy Editor -> VPN -> L2TP]
! Create users or configure RADIUS: [Configure -> Accounts -> Users], [Configure -> Accounts -> Authentication]
L2TP Service
! Interface
! Local Network – Used to define the local network allowed.
! Pool Network
! Name Server IP Address
! WINS Server IP Address
! Authentication – Pre-Shared Secret, RADIUS
L2TP Advanced
! Automatic Policies
! MTU
! Time Out
! Debug – Chat, LCP, Phase
Custom Objects
! [Configure -> Objects -> Encryption Objects]
! [Configure -> Objects -> IPSec Objects]
Configuring IPSec Service
! Enable Service
! IPSec Object – Select the custom object.
! Authentication – Local Identity or Certificate
! Method – Pre-Shared Secret
[Configure -> Security Policies -> Policy Editor -> VPN -> IPSec]
! This policy allows the L2TP connection over IPSec.
[Configure -> Security Policies -> Policy Editor -> VPN -> L2TP]
! L2TP policies control access through the VPN based on source, destination and protocol.
Configuring Windows Client (L2TP)
1. Open the Windows Control Panel.
2. Go to Network and Internet > Network and Sharing Center.
3. Click Set up a new connection or network.
4. Select Connect to a workplace and click Next.
5. Click Use my Internet connection (VPN).
6. Enter the IP address or resolvable hostname of the firewall in the Internet Address field, and a description for the VPN connection.
7. Check Don't connect now; just set it up so I can connect later.
8. Enter the L2TP username and password.
9. Click Create.
10. Navigate to Control Panel > Network and Internet > Network Connections.
11. Right-click the connection and select Properties. Click the Security tab.
12. Set the Pre-Shared Key configured on the firewall at Configure > VPN > Remote Access > L2TP.
13. Click OK.
Monitoring & Logging
A normal L2TP session, in order: the IPsec SA is established, the client is assigned a pool address, and its traffic is then evaluated by the L2TP security policies (here rule 1 blocks an ICMP request, rule 4 later allows one, with NAT applied):
Oct 31 14:25:40 pri=5 msg="IKE: IPsec-SA established" type=vpn src=199.120.225.20 srcport=4500 dst=199.120.225.80 dstport=4500
Oct 31 14:25:42 pri=6 msg="L2TPServer: L2TP client assigned '192.168.74.2', user 'PPTP User' " type=mgmt
Oct 31 14:28:53 pri=4 pol_type=L2TP pol_action=block count=4 msg="Block L2TP" duration=15 rule=1 proto=icmpV4 src=192.168.74.2 srcport=8 dst=192.168.181.1 dstport=8 interface="LT2P" attribute="alarm,report"
Oct 31 14:29:02 pri=5 msg="Close outbound, L2TP" proto=icmpV4 src=192.168.74.2 srcport=8 user="PPTP User" nat=192.168.181.254 natport=8 dst=192.168.181.1 dstport=8 rule=4 duration=33 sent=118 rcvd=120 pkts_sent=2 pkts_rcvd=2
Troubleshooting
! No IPSec policy to allow L2TP:
Oct 31 14:53:32 pri=4 pol_type=IPSEC pol_action=block count=5 msg="Block IPSEC" duration=4 proto=1701/udp src=199.120.225.20 srcport=1701 dst=199.120.225.80 dstport=1701 interface="EXTERNAL-eth4" attribute=alarm
! Incorrect login (logged here by the L2TP server; CHAP error 691 means the username or password was rejected):
Oct 31 15:06:29 pri=6 msg="L2TPServer: [LL2TP-1] CHAP: Reply message: E=691 R=0 M=Login incorrect" type=mgmt
! iPhone/iPad/Mac connects but does not pass traffic: check that the host/device is configured to send all traffic through the VPN.
! Check that the pre-shared key matches in [Configure -> VPN -> Remote Access -> L2TP] and that the IPSec tunnel in [Configure -> VPN -> Remote Access -> IPSec] has Pre-Shared enabled.
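The log lines on the System Overview, Monitoring & Logging and Troubleshooting slides share one key=value layout, which makes them easy to triage automatically. The following is an added example (not a GTA tool): it parses that layout, counts license denials, CHAP 691 failures, SA establishments and address assignments, and maps each pol_action=block record to the configuration slide that fixes it. SAMPLE_LOG collects the lines shown on the slides into one constructed sample (the interface name "LT2P" is reproduced as printed); the field layout is inferred only from those lines.

```python
"""Triage GB-OS remote-access log lines.

Added example, not a GTA tool. SAMPLE_LOG is a constructed sample built from
the log lines shown on the slides; the key=value layout is inferred from them.
"""
import re

_TIMESTAMP = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(.*)$")
# key=value pairs; a quoted value may contain spaces and its own key=value text
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOG = """\
Oct 7 16:12:26 pri=6 msg="PPTPServer: Unable to acquire license, access for 'David Brooks' denied" type=mgmt
Oct 31 14:25:40 pri=5 msg="IKE: IPsec-SA established" type=vpn src=199.120.225.20 srcport=4500 dst=199.120.225.80 dstport=4500
Oct 31 14:25:42 pri=6 msg="L2TPServer: L2TP client assigned '192.168.74.2', user 'PPTP User' " type=mgmt
Oct 31 14:28:53 pri=4 pol_type=L2TP pol_action=block count=4 msg="Block L2TP" duration=15 rule=1 proto=icmpV4 src=192.168.74.2 srcport=8 dst=192.168.181.1 dstport=8 interface="LT2P" attribute="alarm,report"
Oct 31 14:29:02 pri=5 msg="Close outbound, L2TP" proto=icmpV4 src=192.168.74.2 srcport=8 user="PPTP User" nat=192.168.181.254 natport=8 dst=192.168.181.1 dstport=8 rule=4 duration=33 sent=118 rcvd=120 pkts_sent=2 pkts_rcvd=2
Oct 31 14:53:32 pri=4 pol_type=IPSEC pol_action=block count=5 msg="Block IPSEC" duration=4 proto=1701/udp src=199.120.225.20 srcport=1701 dst=199.120.225.80 dstport=1701 interface="EXTERNAL-eth4" attribute=alarm
Oct 31 15:06:29 pri=6 msg="L2TPServer: [LL2TP-1] CHAP: Reply message: E=691 R=0 M=Login incorrect" type=mgmt
"""


def parse_gbos_line(line: str) -> dict:
    """Split one log line into {'timestamp': ..., key: value, ...}; values stay strings."""
    m = _TIMESTAMP.match(line.strip())
    if not m:
        raise ValueError(f"no timestamp: {line!r}")
    rec = {"timestamp": m.group(1)}
    for key, quoted, bare in _FIELD.findall(m.group(2)):
        rec[key] = bare if bare else quoted
    return rec


def diagnose_block(rec: dict):
    """Map a pol_action=block record to the policy that needs attention."""
    where = f"{rec.get('src')} -> {rec.get('dst')} ({rec.get('proto')})"
    if rec.get("pol_type") == "IPSEC" and rec.get("proto") == "1701/udp":
        # L2TP arriving inside IPsec with no IPSec policy permitting it
        return f"{where}: L2TP blocked by the IPSec policy set; add the L2TP policy under Policy Editor -> VPN -> IPSec"
    if rec.get("pol_type") in ("L2TP", "PPTP"):
        return (f"{where}: blocked by {rec['pol_type']} security policy rule {rec.get('rule')}; "
                "permit only the destination and protocol the client needs")
    return None


def triage(log_text: str) -> dict:
    """Summarise a block of log lines for the remote-access service."""
    summary = {"license_denied": [], "failed_logins": 0, "sa_established": 0,
               "assigned": {}, "blocks": [], "hints": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_gbos_line(line)
        msg = rec.get("msg", "")
        if msg.startswith("PPTPServer: Unable to acquire license"):
            m = re.search(r"for '([^']+)' denied", msg)
            summary["license_denied"].append(m.group(1) if m else "<unknown>")
        elif "E=691" in msg:  # CHAP reply code 691: username or password rejected
            summary["failed_logins"] += 1
        elif msg.startswith("IKE: IPsec-SA established"):
            summary["sa_established"] += 1
        elif msg.startswith("L2TPServer: L2TP client assigned"):
            m = re.search(r"assigned '([^']+)', user '([^']+)'", msg)
            if m:
                summary["assigned"][m.group(1)] = m.group(2)
        if rec.get("pol_action") == "block":
            summary["blocks"].append(rec)
            hint = diagnose_block(rec)
            if hint:
                summary["hints"].append(hint)
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feeding a day of exported log lines through triage() gives the license-denied users (a capacity problem), the count of 691 failures (a credential problem, or a guessing attempt if the count is high for one source), and a hint per blocked flow pointing at the IPSec, L2TP or PPTP policy set that produced it.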
Recommended Encryption Object configuration to support the maximum number of different mobile devices

         Encryption  Hash  Key group                           Lifetime (seconds)
Phase 1  3DES        SHA1  Diffie-Hellman group 2 (1024 bits)  28,800
Phase 2  AES128      SHA1  NONE (no PFS)                       28,800

These are lowest-common-denominator settings chosen for client compatibility. 3DES and 1024-bit DH group 2 are legacy algorithms, and without PFS in Phase 2 a compromise of the Phase 1 keys exposes all Phase 2 traffic; where every client supports it, prefer AES throughout, a DH group of 2048 bits or larger, and PFS enabled.
Problem – When PPTP/L2TP is established the client cannot access the Internet
! Add a security policy to allow client Internet access. With the default gateway on the remote network, all of the client's traffic, including Internet traffic, enters the tunnel and is subject to the firewall's policies.
Or:
! Configure the client not to use the default gateway on the remote network (split tunneling). Internet traffic then leaves the client directly and is not inspected by the firewall.
! Assign clients from a range of the local network on the firewall.
References
! GTA Documentation - http://www.gta.com/support/documents/
! Android - http://www.gta.com/downloads/external/60/General/PPTP_Android.pdf
! Apple iPad - http://www.gta.com/downloads/external/60/General/L2TP_iPad.pdf
! Apple iPhone - http://www.gta.com/downloads/external/60/General/PPTP_iPhone.pdf
! Mac - http://www.gta.com/downloads/external/60/General/PPTP_Mac.pdf
! Linux - http://www.gta.com/downloads/external/60/General/PPTP_Ubuntu.pdf
! Win7 - http://www.gta.com/downloads/external/60/General/PPTP_Windows7.pdf

If you require additional assistance or have additional questions, please contact GTA Technical Support.
Email: support@gta.com
Phone: 1.407.482.6925
Skype: gta_support
Free user support: http://forum.gta.com