User Guide
Page 1
VPN Connection to Nokia CryptoCluster 500 VPN Gateway
11 December 2002
This document explains how to configure a virtual private network connection over an open network from a remote host running SSH Sentinel to a private network protected by a Nokia CryptoCluster 500 VPN gateway.
User Guide
Page 2
... jurisdictions. Fredrikinkatu 42 FIN-00100 Helsinki FINLAND SSH Communications Security Inc. 1076 East Meadow Circle Palo Alto, CA 94303 USA SSH Communications Security K.K. VPN with SSH Sentinel and Nokia CryptoCluster SSH2, the SSH logo, IPSEC Express, SSH Certifier, SSH Sentinel, SSH NAT Traversal, IPSEC on silicon, Hypermode, SSH Accession, SSH...
User Guide
Page 3
Contents
1 VPN Connection to Nokia CryptoCluster 500 VPN Gateway 5
1.1 Introduction 5
1.1.1 Further Information 5
1.1.2 Platform Requirements 5
1.2 Configuring Nokia CryptoCluster 500 6
1.2.1 Prerequisites 6
1.2.2 Enabling Client Access in CryptoCluster 6
1.3 Configuring SSH Sentinel 9
1.3.1 Prerequisites 9
1.3.2 Creating the VPN Rule 9
1.4 Troubleshooting 11
VPN with SSH Sentinel and Nokia CryptoCluster © 2002 SSH Communications Security Corp.
User Guide
Page 5
... setting up a Nokia CryptoCluster 500 (CC500) VPN gateway to the Nokia CryptoCluster 500 (CC500) VPN Gateway documentation.
1.1.1 Further Information
SSH Sentinel User Manual
SSH Sentinel support: http://www.ipsec.com.
1.1.2 Platform Requirements
The interoperability between SSH Sentinel and Nokia CryptoCluster 500 has been tested using the following components:
SSH Sentinel VPN client v1.4
Nokia CryptoCluster 500 (CC500) VPN gateway, kernel version 4.0(102)
Nokia VPN Policy Manager...
User Guide
Page 6
...into the system. Otherwise the CryptoCluster gateway will not accept the connection. 1.2.2 Enabling Client Access in the Settings page. VPN with SSH Sentinel and Nokia CryptoCluster You can be created under Gateway Properties - A request for a gateway certificate can configure... - Note: The client certificate used by SSH Sentinel needs to Nokia CryptoCluster 500 VPN Gateway 1.2 Configuring Nokia CryptoCluster 500 1.2.1 Prerequisites It is assumed that the initial gateway installation has been performed and that an external certification authority (CA)...
User Guide
Page 7
.... 7. Select Edit to modify an existing IKE policy, or Add to be The gateway's protected host groups. This is likely to create a new one. Configuring Nokia CryptoCluster 500 7 1. Click Edit to configure the Client IKE Policy. 6....Gateway Properties window, select Client Access. Click Advanced... Please note that suits your needs. Select Encryption and Integrity as the IPSec policy. 3. 1.2. In the Client Policy view, click Settings... to configure the IPSec policy and make the settings shown in this example, root). 2. VPN with SSH Sentinel and Nokia...
User Guide
Page 8
VPN with SSH Sentinel and Nokia CryptoCluster Apply Changes in Figure 1.5 (CryptoCluster Client Access settings): Figure 1.5: CryptoCluster Client Access settings 10. c 2002 SSH Communications Security Corp. Take the new settings into use by selecting Actions - Enable Allow clients to Nokia CryptoCluster 500 VPN Gateway Figure 1.4: CryptoCluster IKE Policy settings 9. 8 Chapter 1. VPN Connection to connect using certificate based authentication, and add a new Certificate Clients entry as shown in the Policy Manager main menu.
User Guide
Page 9
... in Figure 1.6 (Certificate properties of the CA certificate 1.3.2 Creating the VPN Rule 1. For example, if the network behind the gateway is protected by the CryptoCluster gateway. Certification Authorities on the Key Management page. For detailed instructions, see the SSH Sentinel...already present in SSH Sentinel and that is 192.168.1.0/255.255.255.0, create VPN with SSH Sentinel and Nokia CryptoCluster c 2002 SSH Communications Security Corp. On the Security Policy page of the gateway Remote network: a network that matches the host group that it contains an ...
User Guide
Page 10
...Security Corp. IKE group: MODP 1024 (group 2) IPSec proposal - VPN with SSH Sentinel and Nokia CryptoCluster PFS group: MODP 1024 (group 2). Authentication key: select the certificate you wish to Nokia CryptoCluster 500 VPN Gateway this network entry in the Network Editor (click the ... Figure ...1.7: The general properties of the VPN connection 2. On the Rule properties dialog box, under IPSec/IKE proposal,...
User Guide
Page 11
...Manual for Security Association Lifetimes should be OK. Select the CryptoCluster VPN rule and click Diagnostics to save the settings. 5. VPN with SSH Sentinel and Nokia CryptoCluster c 2002 SSH Communications Security Corp. Open the VPN tunnel via the SSH Sentinel tray icon. 7. Ping the ...private interface of the router and verify that traffic goes through the VPN tunnel. 1.4 Troubleshooting The...