User Guide
Page 1
VPN Connection to Nokia CryptoCluster 500 VPN Gateway
11 December 2002
This document explains how to configure a virtual private network connection over an open network from a remote host running SSH Sentinel to a private network protected by a Nokia CryptoCluster 500 VPN gateway.
Page 2
... support) Tel: +358 20 500 7030 (Finland), +1 650 251 2700 (USA), +81 3 3459 6830 (Japan) Fax: +358 20 500 7031 (Finland), +1 650 251 2701 (USA), +81 3 3459 6825 (Japan) © 2002 SSH Communications Security Corp. SSH2, the SSH logo, IPSEC Express, SSH Certifier, SSH Sentinel, SSH NAT Traversal, IPSEC on silicon, Hypermode, SSH Accession, SSH Token Master, SSH Secure Shell and Making the Internet Secure...
Page 3
Contents
1 VPN Connection to Nokia CryptoCluster 500 VPN Gateway 5
  1.1 Introduction 5
    1.1.1 Further Information 5
    1.1.2 Platform Requirements 5
  1.2 Configuring Nokia CryptoCluster 500 6
    1.2.1 Prerequisites 6
    1.2.2 Enabling Client Access in CryptoCluster 6
  1.3 Configuring SSH Sentinel 9
    1.3.1 Prerequisites 9
    1.3.2 Creating the VPN Rule 9
  1.4 Troubleshooting 11
Page 5
... to accept connections from SSH Sentinel VPN clients.
Chapter 1 VPN Connection to Nokia CryptoCluster 500 VPN Gateway
1.1 Introduction
This document contains all the required information for authentication. Certificates granted by an external certification authority are used for setting up a Nokia CryptoCluster 500 (CC500) VPN gateway to the Nokia CryptoCluster 500 (CC500) VPN Gateway documentation.
1.1.1 Further Information
SSH Sentinel User Manual SSH Sentinel support: http://www...
Page 6
... external CA, open the Gateway Properties window and select Client Access - IPSec Clients - Certification Authorities on the left pane, right-click it, and select New from the opening menu. Next, select Import External and import the external CA certificate into the system. Note: The client certificate used by SSH Sentinel needs to Nokia CryptoCluster 500 VPN Gateway...
Page 7
... the of the Gateway Properties window, select Client Access. to be The gateway's protected host groups. Make the settings shown in Figure 1.3 (CryptoCluster Advanced IPSec settings): Figure 1.3: CryptoCluster Advanced IPSec settings 5. This is likely to configure the Client IKE Policy. 6. and make the settings shown in this example, root). 2. In the Client Policy view, click...
Page 8
Apply Changes in Figure 1.5 (CryptoCluster Client Access settings): Figure 1.5: CryptoCluster Client Access settings 10. Enable Allow clients to Nokia CryptoCluster 500 VPN Gateway Figure 1.4: CryptoCluster IKE Policy settings 9. 8 Chapter 1. c 2002 SSH Communications Security Corp. VPN with SSH Sentinel and Nokia CryptoCluster VPN Connection to connect using certificate based authentication, and add a new Certificate Clients entry as shown in the Policy Manager main menu. Take the new settings into use by selecting Actions -
Page 9
... example, if the network behind the gateway is already present in the SubjectAltName field. For detailed instructions, see the SSH Sentinel User Manual. Certification Authorities on the Key Management page. In addition, you need to create a new VPN connection rule. For detailed instructions, see the SSH Sentinel User Manual. Specify the following values (see Figure 1.7 (The general properties of the VPN connection)): Security gateway: the IP address of the gateway Remote network: a network...
Page 10
... - c 2002 SSH Communications Security Corp. Proposal template: legacy. 10 Chapter 1. VPN Connection to use for authentication. Integrity function: SHA-1 - Integrity function: HMAC-SHA-1 - button to specify the following: IKE proposal - On the Rule properties dialog box, under IPSec/IKE proposal, click Settings to open the editor), and select it as the remote network here. IKE mode: main mode - VPN with SSH Sentinel and Nokia CryptoCluster Figure...
Page 11
... default values for troubleshooting. Open the VPN tunnel via the SSH Sentinel tray icon. 7. Click OK and Apply to probe the connection. 6. Ping the private interface of the router and verify that traffic goes through the VPN tunnel. 1.4 Troubleshooting The audit logs and IKE log are available in SSH Sentinel for Security Association Lifetimes should be OK. ...