HOBLink VPN Anywhere Client - HOB, Inc.

Administration Guide

HOBLink VPN Anywhere Client

Software version: 2.1

Issue: October 2016


HOBLink VPN Anywhere Client Software and Documentation - Legal Notice

Contact:
HOB GmbH & Co. KG
Schwadermuehlstr. 3
90556 Cadolzburg
Germany
Represented by: Klaus Brandstätter, Zoran Adamovic
Phone: + 49 9103 715 0
Fax: + 49 9103 715 271
E-mail: [email protected]

Register of Companies: Entered in the Registry of Companies, Registry Court: Amtsgericht Fürth, Registration Number: HRA 5180
Tax ID: Sales Tax Identification Number according to Section 27a Sales Tax Act: DE 132 747 002
Responsible for content according to Section 55 Paragraph 2 Interstate Broadcasting Agreement: Klaus Brandstätter, Zoran Adamovic, Schwadermuehlstr. 3, 90556 Cadolzburg, Germany.

Disclaimer

All rights are reserved. Reproduction of editorial or pictorial contents without express permission is prohibited. HOBLink VPN Anywhere Client software and documentation have been tested and reviewed. Nevertheless, HOB will not be liable for any loss or damage whatsoever arising from the use of any information or particulars in, or any error in, or omission from this document. All information in this document is subject to change without notice, and does not represent a commitment on the part of HOB.

Liability for content

The contents of this publication were created with great care and diligence. While we keep it as up-to-date as practicable, we cannot take any responsibility for the accuracy and completeness of the contents of this publication. As a service provider we are responsible for our own content in this publication under the general laws according to Section 7 paragraph 1 of the TMG. According to Chapters 8 to 10 of the TMG we are not obliged as a service provider to monitor transmitted or stored information not created by us, or to investigate circumstances that indicate illegal activity. Obligations to remove or block the use of information under the general laws remain unaffected. Liability is only possible however from the date of a specific infringement being made known to us. Upon notification of such violations, the content will be removed immediately.

Liability for links

This publication may contain links to external websites over which we have no control. Therefore we cannot accept any responsibility for their content. The respective provider or operator of the website pages to which there are links is always responsible for the content of the linked pages. The linked sites were checked at the time of linking for possible violations of the law. At the time the link was created in this publication, no illegal or harmful contents had been identified. A continuous and on-going examination of the linked pages is unreasonable without concrete evidence of a violation. Upon notification of any violations, such links will be removed immediately.

Copyright

The contents and works on these pages created by the author are subject to German copyright law. Reproducing, copying, modifying, adapting, distributing or any kind of exploiting of this material outside the realms of copyright require the prior written consent of the respective author or creator. The downloading of, and making copies of, these materials is only permitted for the intended use. Where contents of this publication have not been created by the author, the copyright of the third parties responsible for these contents shall be upheld. In particular any contents created by a third party are marked as such. If you become aware of any copyright infringement within this publication, we kindly ask to be provided with this information. Upon notification of any such violation, the concerned content will be removed immediately.

Trademarks

Microsoft Windows and Microsoft Exchange Server are trademarks of Microsoft Corporation.

Oracle and Java are registered trademarks of Oracle and/or its affiliates.

UNIX is a registered trademark of The Open Group.

All other product names, company names and service names may be trademarks, registered trademarks or service marks of their respective corporations or owners, even if they are not specifically marked as such.

Issued: October 25, 2016


Purpose of this Guide

This guide is designed to provide system administrators with detailed information concerning HOBLink VPN Anywhere Client and to help them decide where and when this product can be most effectively deployed in their enterprise network.

This documentation contains descriptions of numerous possible scenarios and explains required conditions. The procedures for configuring the individual software components are documented in detail with step-by-step instructions.

Symbols and Conventions

This guide uses certain conventions and abbreviations which are explained here:

References to program commands, options and buttons are printed in Bold, for example: select the command Open.

Cross-references to section headings and figures with numbers are marked in color as follows: Chapter 1 Introducing HOBLink VPN Anywhere Client on page 7.

File names and text to be entered by the user are printed in Courier New. This input is, unless otherwise mentioned, case sensitive.

Keys or key combinations are displayed in square brackets, e.g. [Space].

In this documentation, HOB-specific terminology is abbreviated as follows:

HOB-specific terminology: HOBLink Virtual Private Network Anywhere Client
Abbreviation: HOBLink VPN Anywhere Client

This symbol indicates additional informative and otherwise helpful text.

This symbol indicates an important tip, procedure or warning. This may have far-reaching effects, so please consider carefully the consequences of any changes and settings made here.


Contents

1. Introducing HOBLink VPN Anywhere Client 7

1.1. Features of HOBLink VPN Anywhere Client............................................................ 8

2. System Requirements 9

2.1. Server System ......................................................................................................... 9

2.2. Client System........................................................................................................... 9

3. Running HOBLink VPN Anywhere Client 11

3.1. Copying HOBLink VPN Anywhere Client............................................................... 11

3.2. Downloading HOBLink VPN Anywhere Client ....................................................... 12

3.3. Files Delivered with HOBLink VPN Anywhere Client............................................. 13

3.4. Using HOBLink VPN Anywhere Client................................................................... 15

4. HOBLink VPN Anywhere Client (SSO) 19

4.1. System Requirements ........................................................................................... 19

4.2. Installing HOBLink VPN Anywhere Client (SSO)................................................... 19

4.3. Using HOBLink VPN Anywhere Client (SSO)........................................................ 23

4.4. HOBLink VPN Anywhere Client (SSO) Settings in KanjiDesktop.......................... 25

5. Configuring HOBLink VPN Anywhere Client 29

5.1. Using KanjiDesktop ............................................................................................... 30

5.2. KanjiDesktop Properties ........................................................................................ 32

5.3. Configuration Schemes ......................................................................................... 33

5.4. NetWatch ............................................................................................................... 36

5.5. IKEv1 ..................................................................................................................... 37

5.6. IKEv2 ..................................................................................................................... 42

5.7. IPsec...................................................................................................................... 46

5.8. Dynamic NAT......................................................................................................... 49

5.9. L2TP ...................................................................................................................... 55

5.10. External Library...................................................................................................... 56

5.11. Manually Editing the XML File ............................................................................... 56

6. Using KanjiDesktop with XML Files 57

6.1. Using KanjiDesktop with Split XML Files ............................................................... 57

7. Splitting the XML Configuration Files 63

7.1. Splitting the XML Files ........................................................................................... 63

8. Supplementary Information 67

8.1. Configuring with an AVM Router - FRITZ!Box....................................................... 67

8.2. Removing HOBLink VPN Anywhere Client............................................................ 79


8.3. Error Messages - IKEv1......................................................................................... 80

8.4. Error Messages - IKEv2......................................................................................... 86

8.5. IPsec Errors ........................................................................................................... 88

9. Information and Support 91

1 Introducing HOBLink VPN Anywhere Client

HOBLink VPN Anywhere Client is an independent standard security solution that gives network users access to data located on a central server anywhere in the network.

HOBLink VPN Anywhere Client uses a combination of the IPsec (Internet Protocol Security) and IKE (Internet Key Exchange) security protocols to provide the highest level of security for any computer supporting Windows 10, Windows 8, Windows 7 or Windows Vista operating systems. This level of security ensures that the data cannot be decrypted or changed while being transmitted.

HOBLink VPN Anywhere Client has the advantage that the users need not install any software on the client computer. This solution works on the client computer as an application held within the user space, meaning no installation or drivers are needed. Users have the option to save it as an executable file and run it locally or to download HOBLink VPN Anywhere Client directly from a web server. This also means that the IT administrator is not tied to administering large numbers of clients due to one-time central installation and configuration.

Figure 1: HOBLink VPN Anywhere Client

All data communications using this solution are protected by the use of IPsec and IKE/ISAKMP standards (RFC 2401-ff), including strong encryption and authentication. HOBLink VPN Anywhere Client can be used with all current authentication processes such as RADIUS, certificates, username and password, smartcards or tokens. All common and commercially available encryption methods, such as AES (128/192/256) and 3DES, are also supported. There is also an application-level gateway (ALG) for FTP and SIP available, guaranteeing the security of the data when accessed from outside the network. The solution can access all servers in the internal networks through a SOCKS5 (Secure Socket) proxy contained in the integrated SOCKS5 gateway applications.


1.1 Features of HOBLink VPN Anywhere Client

HOBLink VPN Anywhere Client comes with the following features included:

Universally deployable IPsec client

No administrator rights, installation, or drivers needed on the client-side

Supports dynamic NAT, eliminating address conflicts

Supports all common and commercially available encryption methods and IKE/ISAKMP standards (RFC 2401-ff) for the highest security

Fully integrated SOCKS5 gateway

Application-level gateway (ALG) for FTP and SIP

Speedometer for statistic and state information

Integrated DNS server

Customer external library support

NetWatch

User group identification

SSO version available

Multiple gateway addresses, with round robin (load balancing)

Certificate authentication (smart card, PKCS#11)

Single Sign-on (SSO) and Pre-Logon Authentication Provider (PLAP) support

2 System Requirements

HOBLink VPN Anywhere Client has the following requirements before it can be installed on the network.

2.1 Server System

A general requirement for all servers is an IPsec VPN gateway conforming to RFC 2401-ff that supports the IKEv1 or IKEv2 protocol.

The following vendor products have been successfully tested for compatibility:

HOBLink VPN 2.1 Gateway

Cisco Router

Cisco ASA

Juniper

Lancom

AVM FRITZ!Box

Internet: All connections are supported by the OS.

2.2 Client System

HOBLink VPN Anywhere Client can be deployed on the following platforms:

Windows 10 (from version 1607)

Windows 8.1

Windows 8

Windows 7

Windows Vista

HOBLink VPN Anywhere Client is available for Intel/AMD 32-bit systems. HOBLink VPN Anywhere Client (SSO) can be installed on both Intel/AMD 32-bit and 64-bit systems; the correct version is installed automatically. All internet connections supported by the operating system may be used.

3 Running HOBLink VPN Anywhere Client

The deployment of HOBLink VPN Anywhere Client depends on the company's current connectivity policies. No installation or administrative rights are required on the client side, and no drivers or services are necessary. Licensing is available through a flexible licensing key option. The application simply needs to be started.

HOBLink VPN Anywhere Client can be started on the client computer in two ways:

Copy HOBLink VPN Anywhere Client onto a USB stick, disk or other media of choice and run it through the user space.

Download HOBLink VPN Anywhere Client from a web server.

Both of these options can be used with or without security certificates.

3.1 Copying HOBLink VPN Anywhere Client

All required files are found in the folder HOBLinkVPNAnywhereClient on the delivered CD or memory stick. The XML configuration file should be kept in the folder with the software itself.

The software modules are available for loading onto the client device using the local disk, a CD/DVD or USB memory stick. Copy the HOBLink VPN Anywhere Client folder into the user environment of the local disk.

Figure 2: Copy and Run HOBLink VPN Anywhere Client

1. The administrator preconfigures the HOBLink VPN Anywhere Client using the KanjiDesktop.

2. The administrator then copies the folder HOBLinkVPNAnywhereClient onto a suitable storage medium and makes it available to the client users.


3. The client computer opens the HOBLink VPN Anywhere Client folder in the user space and accesses the corporate LAN via a VPN gateway.

3.2 Downloading HOBLink VPN Anywhere Client

When downloading from the web server, a prompt asks whether a shortcut should be saved to the desktop. Once downloaded, HOBLink VPN Anywhere Client can also be started from the local disk by entering the following command in a console:

<path>\ibipseccl01.exe <path>\ibipseccl01.xml

To start HOBLink VPN Anywhere Client without opening a new console window, add the suffix /noconsole to this command.

If using the version with a certificate option, then the folder <path>\HOBLinkVPNAnywhereClient\cert.db contains two sample files created by the HOB Certificate Manager:

cert.cdb (the HOB certificate store) and

cert.pwd (containing the password in encrypted form for accessing the certificate store).

While the name of this folder cert.db must not be changed, the names of the .cdb and .pwd files can be chosen freely and should be configured for the HOBLink VPN Anywhere Client (see Section 5 Configuring HOBLink VPN Anywhere Client on page 29). If the .pwd file does not exist in the cert.db folder, then a prompt to type the password in a dialog appears. For more information, refer to the administration guide for HOBLink Secure and HOBLink Security Manager.

If using your own certificates, import these into a newly created file *.cdb using the HOB Certificate Manager. When this is done, the newly created user-specific files should be copied into the folder cert.db and delivered to the user.


Figure 3: Diagram of HOBLink VPN Anywhere Client Download and Run

1. The administrator configures the HOBLink VPN Anywhere Client using the KanjiDesktop.

2. The administrator then installs the folder downloader onto the web server.

3. The client computer goes to the location (…/downloader/applet.html) on the web server and uses the included applet to download and start the HOBLink VPN Anywhere Client.

4. The client computer opens the HOBLink VPN Anywhere Client in the user space and has access to the corporate LAN via a VPN gateway.

3.3 Files Delivered with HOBLink VPN Anywhere Client

A number of folders and files are delivered with HOBLink VPN Anywhere Client:

3.3.1 Downloader

The web server download package files are located here. In this folder are all download components including the zip file containing the software. To download the HOBLink VPN Anywhere Client the user needs to open the file applet.html in the web browser using Java Web Start. The user can optionally create a shortcut on the desktop and start the HOBLink VPN Anywhere Client automatically.

If using the download and run system, then this folder must be installed on the web server.

The web server needs to have the MIME type .hxml set as text/xml.


3.3.2 KanjiDesktop

The tools for configuring the HOBLink VPN Anywhere Client are located here. The automatically included Java environment is stored here if a Java Runtime Environment is not already installed. A Windows batch file and a Unix script for launching the KanjiDesktop service and the Kanji web interface can also be found here.

3.3.3 HOBLink VPN Anywhere Client

The HOBLink VPN Anywhere Client software and information are located in this folder, along with the cert.db folder that is required for the certificate supporting version only. After copying these files to the client computer, HOBLink VPN Anywhere Client can simply be started; no installation is required.

3.3.4 HOBLink Security Manager

For the certificate supporting version only, the certificates are stored in the folder <path>\HOBLinkVPNAnywhereClient\cert.db that is delivered with the installation. Two files are needed in this folder:

vpn.cdb – (HOB certificate database) file for the certificates.

vpn.pwd – (HOB certificate password) file for the password to get access to the HOB certificate keystore (*.cdb file).

3.3.5 License Key

Administrators control several variables regarding the license key. The license key is contained in the file rel44.gif. This file is created when an instance of HOBLink VPN Anywhere Client is started for the first time if it does not already exist. The file can be provided to the users, and then the user is not required to enter the key. The same license can be given to several users to be entered when using the HOBLink VPN Anywhere Client. This can be useful for internal use situations. The administrator can also configure several different keys and give each user an individual key, which is useful when contracted (outside) users are employed.

This tool is available if HOBLink VPN Anywhere Client with certificate authentication is being used. All of the required files for certificate authentication are available here.

The HOBLink Security Manager must be installed by the administrator. The authentication methods used by the gateway are Preshared key, DSA certificate and RSA certificate.

The names of the files can be chosen freely but must be the same for *.cdb and *.pwd, and should be configured for the HOBLink VPN Anywhere Client in ibipseccl01.xml.

Read the HOBLink Secure and HOBLink Security Manager administration guide for more information regarding certificate authentication.
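The following PowerShell script is an added example; it is not part of the HOB guide and not a HOB tool. It checks a HOBLinkVPNAnywhereClient folder against the layout the guide describes in sections 3.2 and 3.3.4 before the folder is handed to users: the executable and its XML configuration side by side, a cert.db folder (certificate-supporting version only) whose .cdb and .pwd files share one base name, and an optional rel44.gif license file. With -Launch it then starts the client using the command line from section 3.2. The parameter names, the message texts and the rule that cert.db holds exactly one .cdb file are this example's own assumptions; -LiteralPath and -File on Get-ChildItem need PowerShell 3.0 or later.

```powershell
<#
Added example (not from the HOB guide): validate a HOBLinkVPNAnywhereClient
deployment folder, then optionally start the client.
Assumed layout (sections 3.2 and 3.3.4 of the guide):
  <ClientDir>\ibipseccl01.exe
  <ClientDir>\ibipseccl01.xml
  <ClientDir>\cert.db\<name>.cdb and <name>.pwd   (certificate version only)
  <ClientDir>\rel44.gif                           (license key, optional)
Usage: .\Check-HOBLinkClientDir.ps1 -ClientDir E:\HOBLinkVPNAnywhereClient -RequireCertificates -Launch
The parameter names and messages are this example's own choices.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$ClientDir,           # folder copied from the delivery medium, e.g. E:\HOBLinkVPNAnywhereClient
    [switch]$RequireCertificates, # set when deploying the certificate-supporting version
    [switch]$Launch               # start the client once the checks pass
)

$problems = @()

$exe = Join-Path $ClientDir 'ibipseccl01.exe'
$xml = Join-Path $ClientDir 'ibipseccl01.xml'
if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { $problems += "missing $exe" }
if (-not (Test-Path -LiteralPath $xml -PathType Leaf)) {
    # The guide keeps the XML configuration in the same folder as the executable.
    $problems += "missing $xml (the XML configuration belongs beside the executable)"
}

if ($RequireCertificates) {
    # The folder name cert.db is fixed; the base name of the .cdb/.pwd pair is free but must match.
    $certDir = Join-Path $ClientDir 'cert.db'
    if (-not (Test-Path -LiteralPath $certDir -PathType Container)) {
        $problems += "missing folder $certDir"
    } else {
        $cdbFiles = @(Get-ChildItem -LiteralPath $certDir -Filter '*.cdb' -File)
        if ($cdbFiles.Count -ne 1) {
            # Assumption of this example: one certificate store per deployment folder.
            $problems += "expected exactly one .cdb file in cert.db, found $($cdbFiles.Count)"
        } else {
            $baseName = $cdbFiles[0].BaseName
            $pwdFile  = Join-Path $certDir "$baseName.pwd"
            if (-not (Test-Path -LiteralPath $pwdFile -PathType Leaf)) {
                # Not an error: per the guide, without the .pwd file the client prompts for the password.
                Write-Warning "no $baseName.pwd found; users will be prompted for the certificate store password"
            }
            # A .pwd file with a different base name does not belong to this .cdb file.
            Get-ChildItem -LiteralPath $certDir -Filter '*.pwd' -File |
                Where-Object { $_.BaseName -ne $baseName } |
                ForEach-Object { $problems += "$($_.Name) does not share its name with $($cdbFiles[0].Name)" }
        }
    }
}

if (-not (Test-Path -LiteralPath (Join-Path $ClientDir 'rel44.gif') -PathType Leaf)) {
    # Informational only: the guide says the client creates this file on first start.
    Write-Host 'no rel44.gif present: the client creates it and asks for the license key on first start'
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error $_ }
    exit 1
}
Write-Host "deployment folder $ClientDir looks complete"

if ($Launch) {
    # Section 3.2 command line; /noconsole keeps the client from opening a console window.
    Start-Process -FilePath $exe -ArgumentList "`"$xml`"", '/noconsole'
}
```

Whether to ship the .pwd file at all is a deployment decision rather than a defect, which is why the script only warns when it is absent: the guide states that the client then prompts the user for the certificate store password instead of reading it from the file.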


3.3.6 HOBLink VPN Anywhere Client (SSO)

The single sign-on option is only available with the certificate supporting version. The folder HOBLink VPN Anywhere Client (SSO) contains the file HOBLink_VPN_Anywhere_Client_(SSO).exe. This service allows users to first sign on to the VPN gateway and establish the IPsec VPN tunnel, and then automatically sign on to their Windows account. This way it is possible to run Windows Domain login scripts located on a Windows Domain server.

3.4 Using HOBLink VPN Anywhere Client

Start HOBLink VPN Anywhere Client on the client computer by double-clicking the program icon on the desktop. HOBLink VPN Anywhere Client can also be started from the command prompt in a console window by entering <path>\ibipseccl01.exe <path>\ibipseccl01.xml.

When the tray icon is clicked, the HOBLink VPN Anywhere Client dialog is shown. This dialog records and displays information about the connection to the corporate LAN. Information about the packets being sent and received, the virtual client IP address and the local virtual IP address can also be seen on this screen.

Figure 4: HOBLink VPN Anywhere Client Screen

To stop the VPN connection and exit HOBLink VPN Anywhere Client, sign out using the exit symbol on the Connection bar.

Close Icon – click to stop the VPN connection and exit HOBLink VPN Anywhere Client


Another way to view the information being recorded is to use the speedometer feature of HOBLink VPN Anywhere Client. To access this feature, either right-click on the HOBLink VPN Anywhere Client icon in the task bar and select Speedometer, or click the icon on the right of the Activity bar.

The speedometer appears.

Figure 5: HOBLink VPN Anywhere Client Speedometer

The HOBLink VPN Anywhere Client speedometer shows the speed at which IPsec and L2TP packets are being sent and received in bits per second on the white hand. The green hand shows the highest speed at which information is sent or received in that particular session.

The speedometer can be configured on the client computer by right-clicking the HOBLink VPN Anywhere Client tray icon in the task bar and selecting the option Speedometer Configuration. The following screen appears where the speedometer display and position can be set.

Expand/Collapse icon – click to either show or hide the Activity panel

Speedometer icon – click to display the speedometer.


Figure 6: Speedometer Configuration

Display – check here which speedometer (IPsec sent, IPsec received, L2TP sent, L2TP received) to display in the speedometer window (the default is all four).

Position – there are two settings where the position of the speedometer can be configured:

Last position – the speedometer screen appears where it was last positioned.

User defined – the position coordinates of the speedometer are set by the current user, and will appear in this location at each subsequent launch. The speedometer can also be dragged to any desired location.

To close the speedometer right-click the HOBLink VPN Anywhere Client icon in the task bar and select Close Speedometer, or click the icon to the right of the activity bar.

To exit HOBLink VPN Anywhere Client right-click the HOBLink VPN Anywhere Client icon in the task bar and select Exit or use the exit symbol on the Connection bar.

4 HOBLink VPN Anywhere Client (SSO)

The SSO version of HOBLink VPN Anywhere Client allows users either to log on to the VPN gateway and then automatically log on to Windows (SSO), or to log on to the VPN gateway and then manually sign on to Windows (PLAP).

HOBLink VPN Anywhere Client (SSO) is a service that runs on the system level. The user can sign on to HOBLink VPN Anywhere Client on the logon screen and does not have to start the client from the desktop after signing on to their Windows account. With the single sign-on option the user logs on directly to the domain controller.

4.1 System Requirements

HOBLink VPN Anywhere Client (SSO) can be installed on the following platforms:

Windows 10 (from version 1607)

Windows 8.1

Windows 8

Windows 7

Both Intel/AMD 32-bit and 64-bit versions can be used.

4.2 Installing HOBLink VPN Anywhere Client (SSO)

Whereas the other versions of HOBLink VPN Anywhere Client (with or without certificate option) are executed as an application, this version runs as a service. Hence, administration rights are required to install HOBLink VPN Anywhere Client (SSO).

1. Clicking HOBLink_VPN-Anywhere_Client_(SSO).exe starts the InstallShield Wizard. The buttons Back (go to previous screen), Next (go to next screen) and Cancel (abort the InstallShield Wizard) are standard on every screen. Click Next to continue.

The HOBLink VPN Anywhere Client (SSO) version has to be installed locally on all computers.


Figure 7: Welcome Screen

2. Select one of the following options:

Figure 8: Product Key

Full version (Product key required) – enter the serial number and the product key which is included in the HOB Software License for a full version (for example 1-23456ABCDE).


Tryout version – this option allows you to use an evaluation version of HOBLink VPN Anywhere Client (SSO) for one month. After this period, a full version must be purchased to further use HOBLink VPN Anywhere Client (SSO).

4. Select the folder where HOBLink VPN Anywhere Client (SSO) is to be installed. The default folder is C:\Program Files\HOB\HOBLink Anywhere Client (SSO). Click the Browse button to choose a different folder.

Figure 10: Target Folder

5. Click Install to start the installation.

Upgrade from a tryout version to a full version

1. Delete the file rel44.gif from the installation folder.

2. Start HOBLink VPN Anywhere Client after the Windows logon. The following dialog appears:

Figure 9: Enter Product Key

3. Enter the serial number and the license key and click OK.


Figure 11: Start Installing

6. Once the installation process is completed the following dialog appears:

Figure 12: Configure VPN Settings Dialog

If you select Yes, KanjiDesktop opens, which has been installed together with HOBLink VPN Anywhere Client (SSO) (see Section 5.1 Using KanjiDesktop on page 30).

After you have edited and saved the XML configuration file, close KanjiDesktop and reboot the computer (see Section 5.3 Configuration Schemes on page 33). This will install HOBLink VPN Anywhere Client (SSO) on the client machine.

If you select No, proceed as described in Step 7.

7. Before HOBLink VPN Anywhere Client (SSO) can be used for the first time, the computer has to be restarted. Select Yes, I want to restart my computer now to use the program right away or select No, I will restart my computer later.

KanjiDesktop is a tool which provides a graphical user interface that can be used to edit XML configuration files. It is written in Java and therefore requires Java Runtime Environment. It is recommended to use the latest version of Java Runtime Environment.


Figure 13: Install Wizard Complete

8. Click Finish to close the InstallShield Wizard.

4.3 Using HOBLink VPN Anywhere Client (SSO)

There are different logon options for HOBLink VPN Anywhere Client (SSO), these options being

SSO – see Section 4.3.1 Single Sign-on (SSO) on page 23

PLAP – see Section 4.3.2 Pre-Logon Authentication Provider (PLAP) on page 24

Application logon – see Section 4.3.3 Starting HOBLink VPN Anywhere Client (SSO) Manually on page 25

Users can exit or restart HOBLink VPN Anywhere Client or open the speedometer through the user interface at anytime regardless of the logon method used (see Section 3.4 Using HOBLink VPN Anywhere Client on page 15).

4.3.1 Single Sign-on (SSO)

With HOBLink VPN Anywhere Client (SSO) the user signs on to the HOBLink VPN Gateway and establishes the VPN tunnel before logging on to the Windows account, and is then logged on to Windows automatically with the same username and password, without having to authenticate twice. On the Windows logon screen the SSO icon is shown next to the Windows domain user icon and the other user icon.


Figure 14: Single Sign-On Icon

1. The user clicks the SSO icon. The logon entry fields appear.

2. The user enters their logon credentials (username, password).

All network drives are mapped automatically in the VPN session, which reduces the administration load because administrators do not have to map those drives manually. The HOBLink VPN Anywhere Client icon in the taskbar indicates that the user is connected to the VPN gateway.

4.3.2 Pre-Logon Authentication Provider (PLAP)

With this option the user can directly sign on to the HOBLink VPN Gateway and then select the Windows user account they want to use.

1. The user clicks the Network Sign In symbol at the bottom of the logon screen. This brings up a screen displaying the PLAP icon:

Figure 15: PLAP Icon

2. The user clicks the PLAP icon. The logon entry fields appear.

3. The user enters their logon credentials (username, password) to connect to the VPN gateway.

4. Once the user has entered their credentials, a second logon screen appears where the user can select the Windows account they wish to use. Depending on the configuration in the XML file (see Section 4.4.2 PLAP Settings on page 27) the user can log on either to the local machine or to a Windows domain.


4.3.3 Starting HOBLink VPN Anywhere Client (SSO) Manually

The user does not necessarily have to use the SSO or PLAP options to connect to the VPN gateway. They can log on to their Windows account and start HOBLink VPN Anywhere Client (SSO) as an application from the desktop.

1. The user starts HOBLink VPN Anywhere Client by clicking the application icon on the desktop. The following dialog appears:

Figure 16: Start HOBLink VPN Anywhere Client

2. When the user selects Yes a logon dialog is displayed:

Figure 17: Logon Dialog

3. The user enters the logon credentials (username, password) and clicks OK. A connection to the VPN gateway is established.

4.4 HOBLink VPN Anywhere Client (SSO) Settings in KanjiDesktop

The logon options can be configured in KanjiDesktop (see Section 5.1 Using KanjiDesktop on page 30). KanjiDesktop has automatically been installed in the HOBLink VPN Anywhere Client (SSO) installation folder.

4.4.1 SSO Settings

1. Open KanjiDesktop in the HOBLink VPN Anywhere Client (SSO) installation folder.

2. Click the HOBLink VPN Anywhere Client Configuration in the left panel of the KanjiDesktop opening screen to expand the child nodes of the organizational tree.

3. Select Configuration Schemes.

4. For a new configuration scheme click the New button below the list of configuration schemes or the Clone button to use the preconfigured settings from the sample-config file (see Section 5.3 Configuration Schemes on page 33 for more information).


Figure 18: Configuration Schemes – SSO

5. The following options must be selected to use SSO:

User authentication – Username/Password has to be selected from the dropdown menu.

Windows logon – Domain has to be selected from the dropdown menu. Selecting this option displays an entry field for the Windows domain.

Windows domain – enter the Windows domain to which the user is to connect.


4.4.2 PLAP Settings

For configuring PLAP authentication follow the steps 1 to 4 in Section 4.4.1 SSO Settings on page 25.

Figure 19: Configuration Schemes – PLAP

The following options have to be selected under Configuration Schemes:

User authentication – Username/Password has to be selected from the dropdown menu.

Windows logon – depending on the option selected, the user can either log on to a local computer or a Windows domain.

select Local from the dropdown menu to allow the user to log on to a local machine.

select Domain from the dropdown menu to enable the user to log on to a Windows domain. Selecting this option displays an entry field for the Windows domain.

Windows domain – enter the Windows domain to which the user is to connect.


Configuring HOBLink VPN Anywhere Client

5 Configuring HOBLink VPN Anywhere Client

KanjiDesktop is the generic configuration tool developed by HOB and written in Java that provides a GUI environment in which the XML configuration files can be edited. KanjiDesktop is delivered with HOBLink VPN Anywhere Client and is intended for configuring the XML file of HOBLink VPN Anywhere Client (see Chapter 6 Using KanjiDesktop with XML Files on page 57 for more information).

The HOBLink VPN Anywhere Client configuration file can be edited using one of these methods:

using KanjiDesktop locally

editing the XML file manually – HOBLink VPN Anywhere Client configuration data is stored in a local XML file on the client device with the default name ibipseccl01.xml.

This XML configuration file is not integrated into HOBLink VPN Anywhere Client and so cannot be edited from within that application; it is delivered separately by HOB alongside the installation. KanjiDesktop is a Java Swing application that runs locally, runs Kanji internally, and is the recommended tool for editing ibipseccl01.xml, as this avoids losing data contained in the original XML file.

KanjiDesktop is provided in a separate folder, KanjiDesktop, located with the installation of HOBLink VPN Anywhere Client. To use it, copy the KanjiDesktop folder into the HOBLinkVPNAnywhereClient folder where the client is installed on the system, then launch the executable file KanjiDesktop.exe. This automatically loads the configuration file ibipseccl01.xml and opens the dialog (see Figure 20 on page 30). To edit the HOBLink VPN Anywhere Client XML configuration data properly, KanjiDesktop also needs to load the file ibipseccl01.knj, which contains the program-specific information.

A configuration scheme can hold a preshared key and logon credentials (see Section 5.5 IKEv1 on page 37), so restrict read access to ibipseccl01.xml to the accounts that need it.


5.1 Using KanjiDesktop

Once the KanjiDesktop application has been started, the HOBLink VPN Anywhere Client configuration interface opens. Here the properties of this application can be seen, and all configuration settings can be entered or edited.

From the organizational tree in the panel to the left two elements can be seen:

Properties – Section 5.2 KanjiDesktop Properties on page 32

Configuration Schemes – Section 5.3 Configuration Schemes on page 33

Use these elements to set up HOBLink VPN Anywhere Client as desired.

Figure 20: KanjiDesktop Screen

The buttons in the main tool bar of this screen are as follows:

Open – click to open an existing Kanji or XML file

Reload – click to reload a previously saved KanjiDesktop configuration; all unsaved changes are lost

Save – click to save the configuration to the displayed location

Save To – click to choose a location and save the configuration there

Clear Data – click to clear all the information entered for this configuration. A prompt appears to confirm this action

Reset to defaults – click to return all entries to their default values. A prompt appears to confirm this action


Functions that are not included in the previous list but can be accessed through the main menu above this icon bar are:

Validate Data – click to check the values entered in the configuration for validity

Collapse Tree – click to collapse the organizational tree

Expand Tree – click to expand the organizational tree

Show Full Labels – click to show full labels when the dialog is not fully expanded

Help – click to obtain more information about the Kanji Java interface

View Log – click to view the log. A list with the history of events appears

Exit – click to shut down the interface and close the HOBLink VPN Anywhere Client application

Include disabled fields when saving – click to ensure all fields are saved

Settings – click to launch the settings interface where the XML files can be managed, see Chapter 6 Using KanjiDesktop with XML Files on page 57 for more information

Look & Feel – click to change the appearance of this interface. Options available are: Java default, System default and Motif; all screenshots shown in this document use the System default option.

The following buttons are also on this screen and have the same functionality as the corresponding main menu entries:

Expand – this button expands the organizational tree

Collapse – this button collapses the organizational tree

Validate – this button checks the entered data for validity


5.2 KanjiDesktop Properties

Select the area of the KanjiDesktop that is to be configured by selecting it from the organizational tree on the left.

This screen displays the properties of the current configuration of KanjiDesktop.

Figure 21: KanjiDesktop – Properties

Version – the version of HOBLink VPN Anywhere Client may be selected. The default is RELEASE_2.1.

Configuration Scheme – select the configuration scheme to be used for this instance of HOBLink VPN Anywhere Client.

Multiple configuration schemes can be created depending on the requirements of the user, so care should be taken at this point to select the correct scheme for the current connection.


5.3 Configuration Schemes

The configuration schemes govern how HOBLink VPN Anywhere Client is set up and the options that are available to the users. Select Configuration Schemes from the organizational tree to display the fields where the required parameters can be entered.

Figure 22: KanjiDesktop – Configuration Schemes

On the Configuration Schemes screen, enter the details into the fields described below. All fields marked with an asterisk (*) are mandatory. The available configuration schemes are shown in the main panel. Use these buttons to manage the list of available configuration schemes:

New – click to display a dialog where a name for a new configuration scheme can be entered

Clone – click to clone the selected configuration scheme; a dialog is shown where a name can be entered for the new cloned scheme

Remove – click to remove the selected scheme from this list

Up – click to move the selected scheme up one place in this list

Down – click to move the selected scheme down one place in this list

When the New button is clicked to add a new configuration scheme to the list, the following dialog is displayed.


Figure 23: Enter Identifier

New Scheme name – enter the name of the new configuration scheme. Click OK to add it to the list or select Cancel to return to the Configuration Schemes screen.

In addition to the schemes panel the following fields are on this screen. All fields marked with an asterisk (*) are mandatory.

Scheme name – this holds the name of the scheme currently being configured.

Gateway – enter the IP address of the gateway in this section. Use the Add button to enter a gateway address. All gateways are listed under Your Choices.

Filter – use this field to filter the list of gateways already selected to check that the correct gateways are present. All gateway addresses in the list below are searched for the text entered in the Filter field.

Your Choices – all gateways are listed here. All gateways in the Your Choices list are used for the VPN connection in the order they are listed. Use the following buttons to manage the gateway lists:

Right arrow – click to move the selected item from the Available list to the Your Choices list

Left arrow – click to move the selected item from the Your Choices list back to the Available list

Double right arrow – click to move all items to the Your Choices list

Double left arrow – click to move all items out of the Your Choices list

Up arrow – click to move the selected item one place higher in the list to increase its priority

Down arrow – click to move the selected item one place lower in the list to reduce its priority

Add – click to add a new item to this list

Edit – click to edit the selected item in this list

Gateway round-robin – when this option is enabled the gateways in the Your Choices list are tried in random order; otherwise they are tried in the configured order.

Peer intranet – in this section the intranets to be used for this configuration can be selected. Click the Add button to add a new item to the list. Use the arrow buttons to move the items in the Available list that are needed for the configuration to the Your Choices list. ALL is shown by default.


Filter – use this field to filter the list of intranets already selected to check that the correct intranets are present. All addresses in the list below are searched for the text entered in the Filter field.

Your Choices – all intranets are listed here. Use the same arrow, Add and Edit buttons as for the gateway lists to manage the intranet lists.

User authentication – this dropdown box holds the three options available for authenticating users:

Username/Password – select this so that users must enter a username and password to authenticate. This is the default configuration; click the Default button to fill this option into the field.

HOB CDB/MS Crypto API – select this to have the user authenticated by a user certificate stored either in the HOB CDB file (see Section 3.3 Files Delivered with HOBLink VPN Anywhere Client on page 13 for more information) or in the Internet Explorer certificate store of the local system, accessed through the Microsoft CryptoAPI (CSP).

PKCS11 SmartCard Interface – select this to have the user authenticated by a user certificate stored on a smartcard accessed through a PKCS#11 interface. Enter the smartcard-specific DLL name in the PKCS11 DLL Name field.

Save username to Windows registry – check this box to have the username saved to the Windows registry so that it does not have to be entered for every login. This is displayed only when Username/Password has been selected as the User authentication.

PKCS11 DLL name – enter the name of the PKCS#11 DLL in this field; this is displayed only when PKCS11 SmartCard Interface has been selected as the User authentication.

HOB CDB filename – enter the CDB (certificate database) filename in this field; the default setting is vpn.cdb, click the Default button to fill this option into the field.


5.4 NetWatch

NetWatch is a security feature developed by HOB that constantly monitors the TCP connections being made. To maintain the integrity of any VPN tunnel connection, the NetWatch feature will block any tunnel if too many attempts to establish more TCP connections are made. The NetWatch feature is configured using that part of the KanjiDesktop configuration interface shown here:

Figure 24: KanjiDesktop – NetWatch

The fields in this part of the interface are:

Enabled – click to enable NetWatch.

The following options are only displayed if the option Enabled is selected:

Check if Windows firewall is enabled – check this box to have NetWatch verify that the Windows firewall is enabled. If the Windows firewall is not enabled, NetWatch blocks the VPN tunnel and no connections through the tunnel are possible.

Network check interval (seconds) – enter the interval at which NetWatch should check for TCP connections and the status of the Windows firewall.

Allow connection to private networks only – check this box to restrict all connections to private networks only.

Define Exceptions – this panel contains a list of exceptions that NetWatch accepts. It is enabled only if Allow connection to private networks only has not been enabled. Use the following buttons to manage this list:

New – click to display a dialog where a name for a new exception can be entered

Clone – click to clone the selected exception; a dialog is shown where a name can be entered for the new cloned exception

Remove – click to remove the selected exception from this list

Up – click to move the selected exception up one place in this list

Down – click to move the selected exception down one place in this list

Each exception has the following fields:

Ineta – enter the IP address and subnet mask for the allowed exception; this field is mandatory.

Port – enter a port number for this exception.

5.5 IKEv1

IKE is the protocol used to set up the security associations of IPsec. Both current versions, IKEv1 and IKEv2, can be used with HOBLink VPN Anywhere Client and both can be configured in the KanjiDesktop configuration interface. The fields on these screens change according to the version of IKE selected.

IKE Version – select the version of IKE to be used; the default is IKEv1. This version is recommended as the most common and most widely supported among the available VPN gateways.

Figure 25: KanjiDesktop – IKEv1 (first part)

Username – enter the username in this field

Password – enter the password in this field

Show – click to unmask the password entered here

Hide – click to mask the password again

The entry fields Username and Password are enabled only if user authentication is done by Username/Password (see Figure 22 on page 33).

Use Group Identification – check this box so that users can be identified through their group membership and granted a connection as a member of that group.

Group name – this field is shown only if Use Group Identification is enabled. Enter the name of the group to be granted access under this configuration.

Show group dialog – select this option to show the group dialog when starting HOBLink VPN Anywhere Client; the group name is shown in the dialog.

Show authentication dialog always – check this box to have the authentication dialog appear independently of the gateway. This ensures the user can always log on using the credentials they need. The checkbox is shown only when Username/Password or PKCS11 SmartCard Interface is selected for user authentication (see Figure 22 on page 33).

Mode – IKEv1 can be set up in Main mode, which protects the identity of the peers, or in Aggressive mode, which does not; Aggressive mode is the default. With preshared-key gateway authentication, Aggressive mode also lets an eavesdropper record a hash of the preshared key and guess it offline, so select Main mode whenever the peer gateway supports it.

Authentication mode – there are three options in the dropdown box: None, Hybrid and Xauth (the default). The choice depends on the peer gateway.

Initiator ID type – there are four options for the type of initiator ID; the choice depends on the peer gateway:

Key Identification – this ID type is often required by Cisco gateways

Fully Qualified Domain Name – this ID type is often required by other gateways

Fully Qualified Username – this is the default option

ASN.1_DN – this ID type is mainly used together with client authentication by certificate

Certificate serial number – enter the certificate serial number of the gateway here

Encryption – select the encryption algorithms to be used. Currently available encryption algorithms are:

3DES

AES128

AES192

AES256

3DES has a 64-bit block size and is deprecated; list the AES variants first and leave 3DES out unless the peer gateway requires it.

Filter – use this field to filter the list of encryption types already selected to check that the correct types are present

Your Choices – all encryption algorithms that are to be used are listed here, in priority order

Use these buttons to manage these lists:

Right arrow – click to move the selected algorithm from the Available list to the Your Choices list

Left arrow – click to move the selected algorithm from the Your Choices list back to the Available list

Double right arrow – click to move all algorithms to the Your Choices list

Double left arrow – click to move all algorithms out of the Your Choices list

Up arrow – click to move the selected algorithm one place higher in the list to increase its priority

Down arrow – click to move the selected algorithm one place lower in the list to reduce its priority

Scroll down to display more fields:

Figure 26: KanjiDesktop – IKEv1 (second part)


Hash – select the hash functions to be used for the configuration. Use the arrow buttons (described previously under Encryption) to manage this list and the Filter field to filter the entries already selected. MD5 and SHA1 are deprecated; list SHA2_256 or stronger first and leave the older functions out unless the peer gateway requires them. The available hash functions are as follows:

MD5

SHA1

SHA2_256

SHA2_384

SHA2_512

Gateway authentication – select the type of authentication to be used for the gateway. Use the arrow buttons (described above under Encryption) to manage this list, and the Filter field to filter the entries in the list of those already selected.The available gateway authentication methods are:

PRESHAREDKEY – use this method when both components (HOBLink VPN Anywhere Client and the gateway) share a common, secret character sequence.

DSA – DSA is the signature algorithm of the DSS (Digital Signature Standard) and is used here with the SHA1 hash method. Both components need their own certificate as well as a root certificate (PKI – Public Key Infrastructure).

RSA – RSA signatures, also specified in the DSS, used here with the SHA1 hash method. Both components need their own certificate as well as a root certificate (PKI).

Preshared key – enter the preshared key here. Use the Show button to unmask this entry.

Diffie-Hellman group – select the Diffie-Hellman groups to be used for this configuration. Use the arrow buttons (described previously under Encryption) to manage this list and the Filter field to filter the entries already selected. Groups 1 and 2 (MODP768 and MODP1024) are too small for current use; list MODP2048 (group 14) first and leave the smaller groups out where the peer gateway supports it. The available Diffie-Hellman groups are:

MODP768 from DH Group 1

MODP1024 from DH Group 2

MODP1536 from DH Group 5

MODP2048 from DH Group 14

Scroll down to display more fields and complete the IKEv1 configuration:


Figure 27: KanjiDesktop – IKEv1 (third part)

The fields on the last part of the configuration interface for IKEv1 are:

SA lifetime (seconds) – enter the SA lifetime in seconds, the default is 6048000 seconds.

UDP timeout (seconds) – enter the amount of time before a UDP connection times out, the default is 10 seconds.

UDP retries – enter the number of times IKE resends protocol data if no reply is received; the default is 2.

NAT detection – select if NAT detection is to be used, the default is yes with the choice depending on the VPN gateway in use.

Dead Peer Detection (DPD) – select if Dead Peer Detection is to be used, the default is yes.

DPD logging – select if DPD logging is to be used, the default is no.

DPD timer (seconds) – enter the amount of time in seconds before a check occurs to test if the peer is still alive, the default is 15 seconds.

DPD timeout (seconds) – enter the amount of wait time in seconds before a DPD packet is sent again if there was no reply, the default is 10 seconds.

DPD retries – enter the number of times that an attempt to connect to a peer is to be made if there is no reply before that peer is detected as being dead, the default is 2.

Logging – select to activate logging, the default is no.

Send ‘Initial contact’ – select to enable the initial contact for this connection to be made by this device, the default is yes. Depending on the VPN gateway being used (for example those offered by bintec elmeg), this may need to be set to no.


5.6 IKEv2

These are the screens that are displayed when IKEv2 is the version selected in the first field, IKE version.

Figure 28: KanjiDesktop – IKEv2 (first part)

Username – enter the username in this field

Password – enter the password in this field

Show – click to unmask the password entered here

Hide – click to mask the password again

The entry fields Username and Password are enabled only if user authentication is done by Username/Password (see Figure 22 on page 33).

Use Group Identification – check this box so that users can be identified through their group membership and granted a connection as a member of that group.

Group name – this field is shown only if Use Group Identification is enabled. Enter the name of the group to be granted access under this configuration.

Show group dialog – select this option to show the group dialog when starting HOBLink VPN Anywhere Client; the group name is shown in the dialog.

Show authentication dialog always – check this box to have the authentication dialog appear independently of the gateway. This ensures the user can always log on using the credentials they need. The checkbox is shown only when Username/Password or PKCS11 SmartCard Interface is selected for user authentication (see Figure 22 on page 33).

EAP mode – select the EAP method to use. This parameter should be chosen according to the gateway requirements; the default is MD5. The options are:

none

MD5

MS-Chap-v2

Initiator ID type – there are four options for the type of initiator ID; the choice depends on the peer gateway:

Fully Qualified Username – this is the default option

Fully Qualified Domain Name – this ID type is required by other gateways

Key Identification – this ID type is required by Cisco gateways

ASN.1 Distinguished Name – this ID type is mainly used together with client authentication by certificate

Encryption – select the encryption algorithms to be used from these lists. Currently available encryption algorithms are:

3DES

AES128

AES192

AES256

Use the Filter field to filter the entries in the list of those already selected, and use these buttons to manage these lists:

Right arrow – click to move the selected algorithm from the Available list to the Your Choices list

Left arrow – click to move the selected algorithm from the Your Choices list back to the Available list

Double right arrow – click to move all algorithms to the Your Choices list

Double left arrow – click to move all algorithms out of the Your Choices list

Up arrow – click to move the selected algorithm one place higher in the list to increase its priority

Down arrow – click to move the selected algorithm one place lower in the list to reduce its priority


Scroll down to display more fields:

Figure 29: KanjiDesktop – IKEv2 (second part)

Hash – select the type of hash function to be used for the configuration. Use the arrow buttons (described previously under Encryption) to manage this list and the Filter field to filter the entries in the list of those already selected. The available hash functions are as follows:

HMAC_MD5

HMAC_SHA1

HMAC_SHA2_256

HMAC_SHA2_384

HMAC_SHA2_512

Gateway authentication – select the type of authentication to be used for the gateway. Use the arrow buttons (described previously under Encryption) to manage this list and the Filter field to filter the entries in the list of those already selected. The available gateway authentication methods are:

PRESHAREDKEY – use this method when both HOBLink VPN Anywhere Client components share a common, secret character sequence.

DSA – DSA is a basic certificate algorithm of the DSS (Digital Signature Standard) and uses the SHA1 hash method. Both components need their own certificate as well as a root certificate (PKI – Personal Key Identification).

RSA – RSA is a basic certificate algorithm of the DSS and uses the SHA1 hash method. Both components need their own certificate as well as a root certificate (PKI).


Preshared key – enter the preshared key here. Use the Show button to unmask this entry.

Diffie-Hellman group – select the Diffie-Hellman group to be used for this configuration here. Use the arrow buttons (described previously under Encryption) to manage this list and the Filter field to filter the entries in the list of those already selected. The available Diffie-Hellman groups are:

MODP768 from DH Group 1

MODP1024 from DH Group 2

MODP1536 from DH Group 5

MODP2048 from DH Group 14

Scroll down to display more fields and complete the IKEv2 configuration:

Figure 30: KanjiDesktop – IKEv2 (third part)

The fields on the last part of the configuration interface for IKEv2 are:

PRF – select the type of PRF (Pseudo Random Function) function to be used for the configuration. Use the arrow buttons (described previously under Encryption) to manage this list and the Filter field to filter the entries in the list of those already selected. The available PRF functions are as follows:

HMAC_MD5

HMAC_SHA1

HMAC_SHA2_256

HMAC_SHA2_384

HMAC_SHA2_512

SA lifetime (seconds) – enter the SA lifetime in seconds; the default is 6048000 seconds.


UDP timeout (seconds) – enter the amount of time before a UDP connection times out; the default is 10 seconds.

UDP retries – enter the number of times IKE retransmits protocol data when no reply is received; the default is 2.

NAT detection – select whether NAT detection is to be used; the default is yes, but the appropriate choice depends on the VPN gateway in use.

Dead Peer Detection (DPD) – select whether Dead Peer Detection is to be used; the default is yes.

DPD logging – select whether DPD logging is to be used; the default is no.

DPD timer (seconds) – enter the amount of time in seconds before a check occurs to test whether the peer is still alive; the default is 15 seconds.

DPD timeout (seconds) – enter the wait time in seconds before a DPD packet is sent again if there was no reply; the default is 10 seconds.

DPD retries – enter the number of attempts to contact a peer that are to be made without a reply before that peer is detected as dead; the default is 2.

Logging – select to activate logging; the default is no.

5.7 IPsec

IPsec (Internet Protocol Security) is a protocol suite for securing IP communications by authenticating and encrypting each IP packet of a communication session. IPsec uses cryptographic security services to protect communications over IP networks.

IPsec operates in the Internet layer of the Internet Protocol Suite, whereas other common Internet security systems such as TLS and SSH operate in the application layer. IPsec can therefore protect all application traffic over an IP network: applications are secured automatically by IPsec at the IP layer.


This interface enables IPsec to be configured for this connection:

Figure 31: KanjiDesktop – IPsec

The fields that are to be completed on this screen are:

Encapsulation mode – there are two possible selections.

Tunnel (RFC) – should be selected for most peer gateways; this is also the default setting

Cisco-ASA-Mode – if Cisco ASA is used as the peer gateway, then this mode should be selected

ESP encryption – here the different types of ESP encryption can be selected. Use the arrow buttons (described previously under Encryption) to manage this list and the Filter field to filter the entries in the list of those already selected. The four options that can be selected and prioritized are:

3DES

AES128

AES192

AES256


Compression – select the type of compression required for this configuration. The options are either no compression or IPCOMP; the default is no compression. Compression must be supported by the gateway before it can be selected.

IPCOMP – this field is shown only when IPCOMP has been selected as the type of compression to be used. DEFLATE is the only compression algorithm supported.

ESP integrity – this list holds the type of hash functions that can be used to provide ESP integrity. Use the arrow buttons (described previously under Encryption) to manage this list and the Filter field to filter the entries in the list of those already selected. The available hash functions are as follows:

HMAC_MD5

HMAC_SHA1

HMAC_SHA2_256

HMAC_SHA2_384

HMAC_SHA2_512

PFS – select here whether perfect forward secrecy (PFS) should be used. The options are yes or no; the default is no.

Diffie-Hellman group – this field is shown only when yes is selected for PFS. Select the Diffie-Hellman group to be used for this configuration here; the default is MODP1024/DH group 2.

SA lifetime – in this field the duration of the SA lifetime in seconds can be specified. The default is 28800 seconds.

Enable volume – select if this function is to be enabled or disabled, the default is no.

SA max. volume (kilobytes) – this field is displayed only if Enable volume is set to yes. This allows the maximum volume to be set; the default is 100000 kilobytes.

Replay detection – select if this function is to be enabled or disabled, the default is no.

NAT keepalive (seconds) – in this field the duration in seconds of the NAT keepalive can be specified. The default duration is 15 seconds.

Logging – select if logging is to be used for this configuration. The default is no.

PFS must be supported by the gateway for this option to be selected, and the setting for PFS should be the same on the client and the gateway for this function to work properly.
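An added example (not HOB code) that serves both the IKEv2 lists above (Encryption, Hash, PRF, Diffie-Hellman group) and the IPsec lists (ESP encryption, ESP integrity, PFS): it predicts which entry a gateway will settle on from the client's prioritised Your Choices lists and flags a legacy result, a missing common algorithm, or a PFS mismatch. It assumes the gateway takes the client's highest-priority entry it also supports; the sample client and gateway sets and all function names are constructed for this example.

```python
"""Added example, not part of the HOB documentation: predicts what an IKEv2/IPsec
negotiation will settle on given the client's prioritised "Your Choices" lists
and the gateway's supported algorithms, and flags results an administrator
should act on.
Assumption: the gateway accepts the client's highest-priority entry it also
supports (RFC 7296 lets a responder pick any offered transform, so a real
gateway may choose differently)."""
from typing import Dict, List, Optional, Set, Tuple

# Names exactly as they appear in the KanjiDesktop lists described above.
LEGACY: Dict[str, str] = {
    "3DES": "64-bit block cipher, not recommended for new tunnels",
    "HMAC_MD5": "MD5-based integrity, deprecated",
    "MODP768": "DH group 1, far below current key-size minimums",
    "MODP1024": "DH group 2, below current key-size minimums",
}


def negotiate(client: Dict[str, List[str]],
              gateway: Dict[str, Set[str]]) -> Dict[str, Optional[str]]:
    """Per parameter, the first client choice (in list order) the gateway supports."""
    return {
        param: next((alg for alg in ordered if alg in gateway.get(param, set())), None)
        for param, ordered in client.items()
    }


def audit(client: Dict[str, List[str]], gateway: Dict[str, Set[str]],
          client_pfs: bool, gateway_pfs: bool) -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Return the predicted outcome plus findings an administrator should act on."""
    outcome = negotiate(client, gateway)
    findings: List[str] = []
    for param, chosen in outcome.items():
        if chosen is None:
            findings.append(f"{param}: no common algorithm, negotiation will fail")
        elif chosen in LEGACY:
            # Is a non-legacy entry further down the list that the gateway also takes?
            better = [a for a in client[param]
                      if a not in LEGACY and a in gateway.get(param, set())]
            hint = f"; move {better[0]} above it" if better else "; none stronger in common"
            findings.append(f"{param}: {chosen} negotiated ({LEGACY[chosen]}){hint}")
    # The IPsec panel notes that PFS must be set the same on both sides to work.
    if client_pfs != gateway_pfs:
        findings.append("PFS: client and gateway settings differ, PFS will not work")
    return outcome, findings


# Constructed sample: a client configuration that ranks 3DES and MODP1024 first,
# against a gateway that also offers stronger algorithms.
SAMPLE_CLIENT: Dict[str, List[str]] = {
    "Encryption": ["3DES", "AES256", "AES128"],
    "Hash": ["HMAC_SHA1", "HMAC_SHA2_256"],
    "PRF": ["HMAC_SHA1", "HMAC_SHA2_256"],
    "Diffie-Hellman group": ["MODP1024", "MODP2048"],
    "ESP encryption": ["AES128", "AES256"],
    "ESP integrity": ["HMAC_SHA2_256"],
}
SAMPLE_GATEWAY: Dict[str, Set[str]] = {
    "Encryption": {"3DES", "AES256"},
    "Hash": {"HMAC_SHA2_256"},
    "PRF": {"HMAC_SHA2_256"},
    "Diffie-Hellman group": {"MODP2048"},
    "ESP encryption": {"AES256"},
    "ESP integrity": {"HMAC_MD5"},
}

if __name__ == "__main__":
    outcome, findings = audit(SAMPLE_CLIENT, SAMPLE_GATEWAY,
                              client_pfs=True, gateway_pfs=False)
    for param, chosen in outcome.items():
        print(f"{param:22} -> {chosen}")
    for finding in findings:
        print("FINDING:", finding)
```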


5.8 Dynamic NAT

HOB Dynamic NAT is a standard function of HOBLink VPN Anywhere Client that allows connections to any number of company networks to be made while avoiding conflicts with the locally connected network. Settings for SIP communication, FTP servers and SOCKS servers are needed for the HOB Dynamic NAT function.

The fields on the Dynamic NAT screen are as follows:

Figure 32: KanjiDesktop – Dynamic NAT Part 1

Enabled – if this option is disabled, HOB Dynamic NAT is not used. The following section is only displayed if this option has been selected.

5.8.1 Settings

This panel holds the following fields:

Virtual intranet – enter the network address to be used for the virtual intranet in this field. The default is 172.16.0.0/16.

Alt. virtual intranet – enter an alternate virtual intranet network address in this field. The default is 172.31.0.0/16.

The two networks should differ from one another so that at least one of them cannot overlap with the locally connected network. HOBLink VPN Anywhere Client takes the first of these two networks that does not overlap with the locally connected network and uses it as the pool for locally used virtual IP addresses.

Activate ALG for SIP – check this box to allow SIP communication to go through the application-level gateway (ALG) of the VPN tunnel.
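The pool selection rule described for the two virtual intranet fields, as an added example that is not part of the HOB documentation: it applies the first-non-overlapping rule to the panel's two default pools and the locally connected networks (constructed sample values), and also catches the cases where the two pools overlap each other or both collide with the local network. The function names are my own.

```python
import ipaddress
from typing import Iterable, List, Optional, Sequence, Tuple

# Added example, not part of the HOB documentation. The two candidate pools are
# the defaults shown in the Dynamic NAT panel (Virtual intranet and
# Alt. virtual intranet); the rule is the one the panel describes: take the first
# candidate that does not overlap any locally connected network.
DEFAULT_VIRTUAL_INTRANET = ipaddress.ip_network("172.16.0.0/16")
DEFAULT_ALT_VIRTUAL_INTRANET = ipaddress.ip_network("172.31.0.0/16")
DEFAULT_CANDIDATES = (DEFAULT_VIRTUAL_INTRANET, DEFAULT_ALT_VIRTUAL_INTRANET)


def local_ipv4_networks(local_networks: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse the locally connected networks; the pool is IPv4, so IPv6 is ignored."""
    parsed = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    return [n for n in parsed if n.version == 4]


def select_virtual_intranet(
    local_networks: Iterable[str],
    candidates: Sequence[ipaddress.IPv4Network] = DEFAULT_CANDIDATES,
) -> Optional[ipaddress.IPv4Network]:
    """Return the first candidate pool that overlaps no local network, or None."""
    locals_ = local_ipv4_networks(local_networks)
    for candidate in candidates:
        if not any(candidate.overlaps(local) for local in locals_):
            return candidate
    return None  # both pools collide with the local network: no usable pool


def check_pool_choice(
    virtual_intranet: str, alt_virtual_intranet: str, local_networks: Iterable[str]
) -> Tuple[Optional[ipaddress.IPv4Network], List[str]]:
    """Validate an administrator's two pool entries before they are saved."""
    primary = ipaddress.ip_network(virtual_intranet, strict=False)
    alternate = ipaddress.ip_network(alt_virtual_intranet, strict=False)
    problems: List[str] = []
    if primary.overlaps(alternate):
        problems.append("virtual intranet and alternate overlap each other")
    chosen = select_virtual_intranet(local_networks, (primary, alternate))
    if chosen is None:
        problems.append("both pools overlap the locally connected network")
    return chosen, problems


if __name__ == "__main__":
    # Constructed sample: a laptop on a home LAN that itself uses 172.16.5.0/24,
    # which forces the client onto the alternate pool.
    sample_local = ["172.16.5.0/24", "fe80::/64"]
    print("chosen pool:", select_virtual_intranet(sample_local))
    print(check_pool_choice("172.16.0.0/16", "172.16.128.0/17", ["10.0.0.0/8"]))
```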


5.8.2 FTP Servers

This panel holds the fields where a list of FTP servers can be configured and managed. Use these buttons to manage the list of FTP servers available to the system:

Figure 33: New Input – New DNS Name for FTP Server List

DNS name – enter the DNS name to be used for this FTP server. A fully qualified domain name is required in this field.

TCP port – this section holds the TCP ports for the FTP server. Use the Add button to add a TCP port to the list.

Filter – use this field to filter the list of TCP ports already selected for the FTP server, to review whether the correct entries are present.

Your Choices – all TCP ports for the FTP server that are to be used are listed here.

click to display the following dialog requesting the entry of a fully qualified DNS name for a new FTP server

click to clone the selected existing FTP server; a dialog is shown where a name can be entered for the new cloned server

click to remove the selected FTP server from this list

click to move the selected FTP server up one place in this list

click to move the selected FTP server down one place in this list

click to move the selected item from the list of those available to the Your Choices list. All TCP ports for the FTP server included in the Your Choices list are used for the VPN connection in the order they are listed.

click to move the selected item from the Your Choices list to the Available list

click to move all items to the Your Choices list

click to move all items out of the Your Choices list

click to move the selected item one place higher in the list to increase its priority

click to move the selected item one place lower in the list to reduce its priority

click to add a new item to this list

click to edit the selected item in this list


Figure 34: KanjiDesktop – Dynamic NAT – SOCKS Server

5.8.3 SOCKS Server

When an integrated DNS server is to be used, the SOCKS protocol needs to be configured. This panel holds the fields where a list of SOCKS servers can be configured and managed. Use these buttons to manage the list of SOCKS servers available to the system:

Figure 35: New Input – New DNS Name for SOCKS Server List

DNS name – enter the DNS name to be used for this SOCKS server. A fully qualified domain name is required in this field.

TCP port – this section holds the TCP ports for the SOCKS server. Use the Add button to add a TCP port to the list.

click to display the following dialog requesting the entry of a fully qualified DNS name for a new SOCKS server

click to clone the selected existing SOCKS server; a dialog is shown where a name can be entered for the new cloned server

click to remove the selected server from this list

click to move the selected server up one place in this list

click to move the selected server down one place in this list


Filter – use this field to filter the list of TCP ports already selected for the SOCKS server, to review whether the correct entries are present.

Your Choices – all TCP ports for the SOCKS server that are to be used are listed here.

Display DNAT addresses in the console – enable this option to have dynamic NAT addresses displayed in the console.

Activate integrated DNS server – check this box to activate the integrated DNS server. When this is enabled, new configuration panels are displayed for the SOCKS server settings and DNS server settings, see Figure l on page 52.

5.8.4 DNS Server

HOBLink VPN Anywhere Client contains an integrated DNS server. It can be configured with host names (fully qualified DNS names) and their related IPv4 addresses. This feature is useful if there is either no intranet DNS server available or if it is not configured through the IKE configuration mode. All local DNS queries are first looked up in the configuration of this integrated DNS server. If they are not found there, they are forwarded to the DNS servers configured over the IKE configuration mode.

click to move the selected item from the list of those available to the Your Choices list. All TCP ports included in the Your Choices list are used for the VPN connection in the order they are listed.

click to move the selected item from the Your Choices list to the Available list

click to move all items to the Your Choices list

click to move all items out of the Your Choices list

click to move the selected item one place higher in the list to increase its priority

click to move the selected item one place lower in the list to reduce its priority

click to add a new item to this list

click to edit the selected item in this list

The TCP port entered in the TCP Port field must be the same as the port being used by the application running SOCKS5.

The application using the SOCKS connection should use address type 1 (IPv4 address) only. Other address types such as DNS names are not supported.

Configure the SOCKS servers here to have SOCKS5 communications work appropriately when HOB Dynamic NAT is enabled.


Figure 36: KanjiDesktop – Dynamic NAT – DNS Server

Use these buttons to manage the list of DNS servers available to the system:

Figure 37: New Input – New DNS Name for DNS Server List

DNS name – enter the DNS name to be used for this server. A fully qualified domain name is required in this field.

IP address – enter the IP address to be used for this server.

click to display the following dialog requesting the entry of a fully qualified DNS name for a new DNS server

click to clone the selected existing server; a dialog is shown where a name can be entered for the new cloned server

click to remove the selected server from this list

click to move the selected server up one place in this list

click to move the selected server down one place in this list

click to move the selected item from the list of those available to the Your Choices list. All IP addresses included in the Your Choices list are used for the VPN connection in the order they are listed.


click to move the selected item from the Your Choices list to the Available list

click to move all items to the Your Choices list

click to move all items out of the Your Choices list

click to move the selected item one place higher in the list to increase its priority

click to move the selected item one place lower in the list to reduce its priority

click to add a new item to this list

click to edit the selected item in this list


5.9 L2TP

L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality but relies on an encryption protocol that it passes within the tunnel to provide privacy. It can be configured using these dialogs:

Figure 38: KanjiDesktop – L2TP

Phonebook – enter a PBK (phonebook) file here; the default is HOBLink-VPN-01.pbk.

Name – enter the name of the L2TP connection to be used; the default is HOB-L2TP-02.

Authentication type – select the required type of authentication. There are three options:

local user – the user for the local L2TP connection is taken from the user currently logged on with Microsoft Windows; this is the default setting.

configured here – this option authenticates a specific user for access. When selected, this option displays the entry fields Username and Password.

VPN user – select this option to use the VPN/IKE authentication for the currently logged on user.

Username – enter the username of the user to use this L2TP authentication.

Password – enter the password of the user to use this L2TP authentication.

click to unmask the password entered here

click to mask the password entered here


Local IP address – enter the IP address to be used for this L2TP configuration. This is a mandatory field and the default is 127.0.0.2.

Once all of the specifications for the configuration have been entered, save it. This configuration scheme can then be used by HOBLink VPN Anywhere Client.

5.10 External Library

Special functions in the external library are called when the VPN connection is established and ended. This feature may be used by customers providing their own external library to process additional functionality, such as launching other programs.

File name of external library – enter the file name of the external library here. The name of the external library can be configured with or without a path.

5.11 Manually Editing the XML File

To configure HOBLink VPN Anywhere Client manually, navigate to the file ibipseccl01_master.xml, in the folder HOBLinkVPNAnywhereClient. Create a working copy of this file, rename it ibipseccl01.xml and edit the configuration data in this file according to the needs of the network. This may be done by using any standard text editor.

Save this file once all of the desired changes have been made. This file can then be used by the HOBLink VPN Anywhere Client.

This username and password are used by Windows for Windows-related connection protocols that go through the related VPN connection and need user authentication, for example SMB/CIFS.

Connect more than one peer gateway at the same time by starting ibipseccl01.exe for every peer gateway. Choose a new Local IP address (such as 127.0.0.3, 127.0.0.4, etc.) for each further connection.

A local L2TP VPN connection for multiple peer gateways can be set up to simultaneously support more than one peer gateway. Each L2TP connection must have its own connection name and may have its own phonebook. When this is configured, the file ibipseccl01.exe is started once for each connection.

Contact HOB support for more information regarding the API. For contact information see Chapter 9 Information and Support on page 91.


6 Using KanjiDesktop with XML Files

Changes can be made to the configuration schemes in order to suit the requirements of the company. To better manage how the users can work with HOBLink VPN Anywhere Client, the administrators can configure the interfaces that the users can access.

6.1 Using KanjiDesktop with Split XML Files

The Settings interface where this can be done is accessed through the main menu: Menu > Edit > Settings, as shown here:

Figure 39: Anywhere Client Settings – Main Menu

This launches the following screen where three tabs can be seen, each of which manages the locations where the different XML files can be saved:

Hard Disk – this option reads the XML file from the hard disk of the local device, see Section 6.1.1 Hard Disk Save Locations on page 58

Database – this option is not yet supported, see Section 6.1.2 Database Save Locations on page 59

Directory Service – this option is not yet supported, see Section 6.1.3 Directory Service Save Locations on page 61

Settings – click this icon in the main menu bar to launch the settings interface where the XML files can be managed.


6.1.1 Hard Disk Save Locations

This tab manages the XML files saved to the hard disk of the local client.

Figure 40: Anywhere Client Settings – Hard Disk

The main field on this screen is the list of the XML files that have been configured to manage this instance of HOBLink VPN Anywhere Client:

These files are present in the list following the default installation:

full – this is the complete XML configuration file

split-main – this is the user settings part of the XML file, see Chapter 7 Splitting the XML Configuration Files on page 63 for more information

split-profile – this is the parameter-specific part of the XML file, see Chapter 7 Splitting the XML Configuration Files on page 63 for more information

Use these buttons to manage this list:

The fields below the file list are:

Entry name – this holds the name of the file currently selected in the list above

File path – this holds the path of the file currently selected in the list above

Hard Disk Settings Control Panel – this panel contains these buttons:

click to display a dialog where a name for a new configuration XML file can be entered

click to clone the selected existing configuration scheme; a dialog is shown where a name can be entered for the new cloned scheme

click to remove the selected scheme from this list

click to save the settings that are entered above. This file then becomes the XML file that is used for the configuration for this instance of HOBLink VPN Anywhere Client


6.1.2 Database Save Locations

This tab enables the XML files to be saved to a database that need not be located on this client device.

Figure 41: Anywhere Client Settings – Database

The first panel on this tab holds the list of XML configuration files saved to a location on the database.

Use these buttons to manage the list of XML file locations saved in the database:

click to load the settings entered above into the configuration of this instance of HOBLink VPN Anywhere Client

click to clear the settings entered above

This option is not yet supported in this version of HOBLink VPN Anywhere Client.

click to display a dialog where the name of a new XML configuration file can be entered


Fields marked with an asterisk (*) on this tab are mandatory. The fields on this tab are:

Entry Name – enter the name for this configuration.

Driver – enter the driver used for this database.

IP Address – enter the location of the database used for this configuration.

Port – enter the port number where the database can be accessed.

User Name – enter the user name of the user that will be accessing the database.

Password – enter the password for this user, using the Show/Hide button to display or hide the password in this field.

Database Name – enter the name of the database being accessed.

Table Name – enter the name of the table holding the data in the database.

Field Name – enter the name of the field holding the data in the database.

Search Criteria – this section allows the criteria for any search of the data in this database to be set. The criteria to be used can be selected from the list below using these buttons to manage the list of available search criteria:

This panel also has the following fields:

Search Field – enter the fields to be searched.

Value – enter the value to be searched for in the field.

Search Field Type – enter the type of field to be searched.

Database Settings Control Panel – this panel contains these buttons:

click to clone the selected existing XML configuration file; a dialog is shown where a name can be entered for this new cloned scheme

click to remove the selected XML file from this list

click to move the selected XML file up one place in this list

click to move the selected XML file down one place in this list

click to display a dialog where the name for a new entry to the list of search criteria can be entered

click to clone the selected entry; a dialog is shown where a name can be entered for the new clone

click to remove the selected entry from this list

click to move the selected entry up one place in this list

click to move the selected entry down one place in this list

click to save the settings that are entered above

click to load the settings entered above into the configuration of this instance of HOBLink VPN Anywhere Client


6.1.3 Directory Service Save Locations

This tab enables the XML configuration files to be saved to specific locations in the directory service along with the necessary attribute and node settings.

Figure 42: Anywhere Client Settings – Directory Service

The main panel on this tab holds the list of XML configuration files saved to a directory service. Use these buttons to manage the list of available XML configuration files:

Fields marked with an asterisk (*) are mandatory. The fields on this screen are:

Entry Name – enter a name for this file.

click to clear the settings entered above

This option is not yet supported in this version of HOBLink VPN Anywhere Client.

click to display a dialog where a name for a new XML configuration file can be entered

click to clone the selected existing XML configuration file; a dialog is shown where a name can be entered for the new cloned scheme

click to remove the selected file from this list

click to move the selected file up one place in this list

click to move the selected file down one place in this list


Initial Context Factory – enter the context for this entry. Use the default button to load the default setting.

IP Address – enter the IP address where HOBLink Anywhere Client can access the server holding the directory service.

Port – enter the port where the server holding the directory service can be accessed.

Base DN – enter the base DN for this configuration.

Security Authentication – select the level of security authentication required, the default is simple.

User name/Security Principal – enter the user name or the security principal to be used for this configuration.

Password – enter the password, the Show/Hide button can be used to display the password or keep it hidden.

Parent Node – enter the parent node for this configuration here.

Node – enter the node here.

Attribute – enter the attribute here.

Directory Service Settings Control Panel – this panel contains these buttons:

click to save the settings that are entered above

click to load the settings entered above into the configuration of this instance of HOBLink VPN Anywhere Client

click to clear the settings entered above


7 Splitting the XML Configuration Files

Each configuration file (XML and KNJ) can be separated into smaller files, so that each can be configured more easily.

The configuration file ibipseccl01.xml can be split into two files:

ibipseccl01-Main.xml

ibipseccl01-Profile.xml

Each XML file also has the related KNJ files provided with the software.

ibipseccl01-Main.knj

ibipseccl01-Profile.knj

These files are split as follows:

Main – this file holds only a few client and user-specific parameters, including the name of the profile XML file.

Profile – this file holds a large number of IKE/IPsec protocol and gateway-specific parameters. It also contains a number of special parameters.

Separating the configuration file in this way allows changes to be made by the administrators while still allowing users to maintain their personal settings, according to their account profiles. It also makes it easier to have different configuration settings for different users that are simpler to manage.

7.1 Splitting the XML Files

The interface where the splitting of the files can be done is accessed through this icon, or through the main menu: Menu > File > Open.

Figure 43: Open XML File

Kanji File – enter the file to be used for this configuration. In this case the Browse button navigates directly to the KanjiDesktop folder delivered with this installation:

Open – click this icon in the main menu bar to launch the interface where the XML files can be edited

Browse – use these buttons to more easily locate the required files


Figure 44: Open Kanji File

From this list the required KNJ file can be selected.

XML File – enter the file to be used for this configuration. In this case the Browse button displays this dialog:

Figure 45: Select File Location

In this dialog, the location from where the XML file will be loaded can be specified, and also which XML file to use.

full – select to load the configuration file ibipseccl01.xml in its complete default form (i.e. not split)

split-main – select to load the split-main XML file

split-profile – select to load the split-profile XML file

Once both a KNJ file and an XML file are selected, click Open to open the KanjiDesktop interface, which now contains the information that a new KNJ file has been accessed. This can be seen in the information bar at the bottom of the screen, where the path of the KNJ file is displayed.

Currently only hard disk locations are supported in this version of HOBLink VPN Anywhere Client.


Figure 46: KanjiDesktop Opening Screen With Newly Loaded KNJ File

7.1.1 Split-Main Configuration

Because the configuration file used by this application has been changed, the effect on the application's interface can be seen. This screen shows a configuration using the files ibipseccl01-Main.xml and ibipseccl01-Main.knj.

Figure 47: HOBLink VPN Anywhere Client Using The Split-Main Configuration


7.1.2 Split-Profile Configuration

The screen below features a configuration using the files: ibipseccl01-Profile.xml and ibipseccl01-Profile.knj.

Figure 48: HOBLink VPN Anywhere Client Using The Split-Profile Configuration


8 Supplementary Information

This chapter contains a variety of information intended to assist in your understanding of HOBLink VPN Anywhere Client, and to make installing, configuring and running this software much easier.

8.1 Configuring with an AVM Router - FRITZ!Box

FRITZ!Box is a series of residential gateway devices produced by the company AVM GmbH, and is the most popular make of gateway devices in Germany. HOB GmbH & Co. KG has included this section to illustrate how such a gateway device can be configured in the German market.

8.1.1 FRITZ!Box VPN Features

Secure remote access to the FRITZ!Box network can be established by using a VPN client. This section shows how to set up the configuration when a FRITZ!Box 7390 router is the gateway for HOBLink VPN Anywhere Client.

It is important to consider the following features of this router:

The FRITZ!Box VPN solution is based on the IPsec standard

VPN connections can be set up for individual remote computers and remote networks for both computer-LAN coupling and LAN-LAN coupling

Up to eight simultaneous active VPN connections are supported

FRITZ!Box uses the AES encryption algorithm

The configuration files for the VPN connections are created using a separate program provided on the AVM website, Configure FRITZ!VPN Connection. This program is a wizard that guides the user step by step through the VPN configuration. All necessary VPN settings, such as the encryption method and access rules, are set automatically. The resulting configuration file must be imported into the FRITZ!Box.

8.1.2 Configuration File to FRITZ!Box

It is necessary to install the software Configure FRITZ!VPN Connection to set up the VPN connection.

1. Open this program and the following screen (see Figure 49) is displayed:

Those who use other gateway devices should refer to the documentation from the manufacturers of the devices for more information on their configuration.


Figure 49: Configure FRITZ!Box VPN Connection New

2. There are three options available on this screen. Select the option Configure VPN connection for one user (other options can be selected depending on the needs of the system in use) and click Next.

Figure 50: Configure Users Option

3. On the next screen (see Figure 51) select the device the user should use to access the FRITZ!Box network. If configuring the VPN connection on a PC, the option Computer with FRITZ!VPN must be chosen.

New – click to open the Configure FRITZ!Box VPN Connection wizard where a new connection can be set up


Figure 51: Select Device

4. Now the e-mail address of the user must be entered. Click Next and the next screen in the wizard is shown.

Figure 52: E-mail Address of the User

5. Enter the e-mail address as the user name of the VPN connection. Once the e-mail address has been entered, click Next and the wizard asks for the name through which the router can be reached on the Internet (see Figure 53).


Figure 53: Accessibility of Your FRITZ!Box in the Internet

6. In this screen the name of the FRITZ!Box is entered. In this example the default domain name 203.0.113.0 is used; this should be changed to match the configuration of the system. Alternatively, a dynamic DNS entry can be set up in the FRITZ!Box user interface. When this has been entered, click Next.

Figure 54: Enter the IP Network Of The Selected FRITZ!Box

7. In this screen, the IP network of the FRITZ!Box must be entered. Select the option Use a different IP network to specify the IP network. This activates the fields IP network and Subnet mask, where the IP address and subnet mask that give access to the hosts and servers are specified, together with the specific IP address assigned to the user's PC in the VPN (the virtual IP address).

8. After completing these fields with the appropriate entries, click Next to display the following screen (see Figure 55).


Figure 55: Next Steps

9. In this screen select the option Display the folder that contains the configuration files as the exportation will be performed manually, and click Finish.

The users configured in the VPN for this router are displayed in a tree structure in the application interface.

Figure 56: Configure FRITZ!Box VPN Connection Existing Configurations

10. Configuring the VPN connection continues with the files received. The preshared key relevant for this configuration is in these files (see Section 8.1.4 Configuring HOBLink VPN Anywhere Client on page 74). The files received may also be found by following the path AVM\FRITZ!VPN\(network address).

11. To create another VPN user, select the router in the tree structure of the application interface (see Figure 51) and click New. Now select the option Configure VPN connection for one user and enter the information as described in the following steps.


12. When this step has been reached, select the FRITZ!Box to which the user is to have a VPN connection. In this case the default value of 203.0.113.0 is selected. Select Add new FRITZ!Box to create the VPN connection with another router.

Figure 57: Select a FRITZ!Box

The rest of the steps are the same as before, but for the new user it is not necessary to enter the IP network, only the IP address of the VPN user.

Figure 58: Enter the IP Address Of The User

This wizard can also be launched to create another user by selecting 203.0.113.0 and clicking the right mouse button.

13. Select New User from the right mouse button menu and complete the steps as shown above.


8.1.3 Configuring the FRITZ!Box

This section describes the procedure for uploading a configuration file to the FRITZ!Box, which allows VPN connections with the clients to be established.

The configuration file necessary is in the folder opened by the AVM program upon completion of the creation process. The file uploaded to FRITZ!Box contains the information of all VPN connections, configured with the AVM software, related to the configured router. The name of the file contains the router IP. For example, if the router IP is 203.0.113.0, then the name of the file is fritzbox_203_0_113_0.cfg.

To do this, complete the following steps:

1. Open the router interface with a web browser, using its IP address (local IP), and log on.

Figure 59: FRITZ!Box 7390 Freigaben

2. To upload a VPN configuration file, go to Freigaben > VPN in the screen that is now displayed. In the panel under the VPN tab, the section VPN-Verbindungen contains a list of the VPN connections. Any new VPN connection that is created is shown in this list.

3. Click Datei auswählen, and look for the configuration file in the dialog that is displayed. Once the file is selected click the VPN-Einstellungen importieren button.

4. New VPN connections can be seen in the VPN-Verbindungen list. Click Übernehmen to apply the configuration.

5. VPN connections configured in the router can also be deactivated or removed in the VPN-Verbindungen list. Deselect the checkbox to the left of a connection to deactivate it, or click the X button to remove it.


8.1.4 Configuring HOBLink VPN Anywhere Client

This section describes how to configure the client so that a VPN connection with the FRITZ!Box can be established. Two folders need to be configured in the KanjiDesktop interface, the tool used to configure HOBLink VPN Anywhere Client: Properties and Configuration Schemes (see Chapter 5 Configuring HOBLink VPN Anywhere Client on page 29).

The profile that is used when the client is executed is selected in Properties. The parameters are chosen and set up within profiles, and these profiles are defined in Configuration Schemes.

1. Open the KanjiDesktop interface by launching the file KanjiDesktop.exe.

2. In the screen that opens, click on Configuration Schemes to define a profile and configure its parameters. In Configuration Schemes the created profiles are shown with their parameters on the right side of the interface.

Figure 60: KanjiDesktop Configuration Scheme

It is necessary to have a different profile for each VPN user.


3. A new profile can be created or an existing profile can be cloned, depending on the demands of the network. Either action creates a new profile for the VPN. Click New and enter a name for the profile. The new profile is empty except for some default parameters.

4. The fields to be completed for the configuration are as follows:

To edit the parameters of the correct profile, the configuration scheme must be selected in the Scheme Name field. Specify the gateway by entering the public IP address of the FRITZ!Box in the Gateway field.

Peer intranet – this list shows the router networks to which the client has access. The client can access the networks in the right column. Use the horizontal arrow keys to select from the list of those available, and the vertical arrow keys to set the priority in which they are used. The Add button creates a new entry in this list; the Edit button edits the selected entry.

Scroll down to access further entry fields.

The default values should be used when defining the IKE configuration parameters. The protocol used to set up the security association in this configuration is IKEv1.

IKE – configure the IKE parameters using the values in this table:

IKE Parameters            Value
Username                  (Name of VPN user)
Password                  (blank)
Use group identification  Deactivated
Mode                      Aggressive
Authentication mode       None
Initiator ID type         USER_FQDN
Encryption                AES256
Hash                      SHA1
Gateway authentication    PRESHAREDKEY

Preshared key – enter the value for the preshared key using the information that can be found in the AVM configuration file (see Section 8.1.5 Username and Preshared Key Information and Location on page 76).

IPsec – configure the IPsec parameters using the values in this table:

IPsec (ESP) Parameters    Value
Encapsulation mode        Tunnel (RFC)
ESP encryption            AES256
Compression               IPCOMP (optional)
IPCOMP                    DEFLATE (optional)
ESP integrity             HMAC_SHA1
PFS                       Yes
Diffie Hellman group      MODP1024/DH group 2
Replay detection          Yes


DNAT – in the entry field for HOB Dynamic NAT the local virtual intranet can be defined or the default configuration may be used, depending on the requirements of the network.

FTP servers – it is possible to define FTP servers and SOCKS servers, but in this scenario, these fields will be empty by default.

Activate integrated DNS server – it is very important to select this option (see Figure l on page 52) because the gateway is the FRITZ!Box and the server IP addresses behind the FRITZ!Box are automatically translated into virtual addresses by HOBLink VPN Anywhere Client. For this to work properly, DNS resolution is needed for all servers to be connected to.

The FRITZ!Box does not provide any internal DNS server configuration to the VPN client via IKE configuration mode, so it is necessary to enter the hosts to which the device should have access in the DNS server list.

DNS server – under this section click New and type in the host name. This creates a host that should then be selected and its IP address entered in the IP address field. Repeat this process for all hosts.

L2TP – the L2TP parameters can be modified but in this scenario the default values are used.

The parameters in several sections that have not been mentioned in this chapter (logging, lifetime, timeout, retries, etc.) depend on the requirements of the network in use. In this case they have been left at their default values. For more information on these parameters see Chapter 5 Configuring HOBLink VPN Anywhere Client on page 29.

5. The last step is to save the configuration. Click Save and the configuration process of the client is complete as long as the KanjiDesktop interface indicates that there are no data errors.

8.1.5 Username and Preshared Key Information and Location

The username and preshared key are different for each VPN user, that is, each user has their own username and preshared key, which must match those stored on the server and act as a password.

For this reason it is necessary to have the configuration file (created in Section 8.1.3 Configuring the FRITZ!Box on page 73, for example fritzbox_203_0_113_0.cfg) available because the IKE Username and value of the Preshared key must be known (see the figure below and Figure 62).


Figure 61: IKEv1 Configuration Showing Username

To obtain the username and preshared key follow these steps:

1. Open the files received in Section 8.1.2 Configuration File to FRITZ!Box on page 67 or by following the path AVM/FRITZ!VPN/(network address) with any text editor (Notepad, for example).

The name that is entered here must be the same as configured in the Fritz!Box.

It is very important that the username and preshared key are entered correctly. These must be obtained from the configuration file.


Figure 62: IKEv1 Configuration Showing Preshared Key

2. The code that can be seen in the text editor shows the defined connections and their parameters. The username and preshared key are the parameters user_fqdn and key (without inverted commas).

Figure 63: Username And Preshared Key Information From Text Editor

3. Once the username and preshared key have been obtained, they must be entered into their respective fields. It is best to use either the Kanji web interface or KanjiDesktop to do this.

4. The last step is to save the configuration. Click Save and the configuration process of the client is complete as long as the KanjiDesktop interface indicates that there are no data errors.
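As an added example (not part of the HOB documentation, and not HOB or AVM code), the following Python script pulls the user_fqdn and key values for every connection out of a FRITZ!VPN configuration file such as fritzbox_203_0_113_0.cfg, so the username and preshared key can be checked before they are typed into KanjiDesktop. The file text is constructed here to mimic the "parameter = value;" block layout of the AVM file; a real file contains further parameters that the parser simply skips, and the credentials shown are placeholders.

```python
"""Extract username (user_fqdn) and preshared key (key) per VPN connection from
an AVM FRITZ!VPN configuration file (for example fritzbox_203_0_113_0.cfg).

Added example, not HOB or AVM code. The file holds preshared keys in plain
text, so treat it (and anything parsed from it) with the same care as a password.
"""
import re
from typing import Dict, List, Optional

# Constructed sample that mimics the "name = value;" block layout of an AVM
# FRITZ!VPN .cfg file. All values are placeholders, not real credentials.
SAMPLE_CFG = """\
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_user;
                name = "alice@example.invalid";
                remoteid {
                        user_fqdn = "alice@example.invalid";
                }
                mode = phase1_mode_aggressive;
                keytype = connkeytype_pre_shared;
                key = "PLACEHOLDER-PSK-ALICE";
        }
        connections {
                enabled = no;
                conn_type = conntype_user;
                name = "bob@example.invalid";
                remoteid {
                        user_fqdn = "bob@example.invalid";
                }
                keytype = connkeytype_pre_shared;
                key = "PLACEHOLDER-PSK-BOB";
        }
}
"""

# One "parameter = value;" line. Values may be quoted; the quotes are not part
# of the username or key (the guide says to enter them "without inverted commas").
_ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*;\s*$")


def _block_bodies(text: str, name: str) -> List[str]:
    """Return the body of every '<name> { ... }' block. Braces are counted so
    that nested blocks such as remoteid { } stay inside their connection."""
    opener = re.compile(r"\b" + re.escape(name) + r"\s*\{")
    bodies: List[str] = []
    pos = 0
    while True:
        m = opener.search(text, pos)
        if m is None:
            return bodies
        depth, i = 1, m.end()
        while i < len(text) and depth > 0:
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
            i += 1
        if depth != 0:
            raise ValueError("unbalanced braces in %s block" % name)
        bodies.append(text[m.end():i - 1])
        pos = i  # continue after this block, never inside it


def _unquote(value: str) -> str:
    """Strip one pair of surrounding double quotes, if present."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def parse_vpn_users(cfg_text: str) -> List[Dict[str, object]]:
    """Return one record per connection: username, preshared_key, enabled."""
    users: List[Dict[str, object]] = []
    for body in _block_bodies(cfg_text, "connections"):
        params: Dict[str, str] = {}
        for line in body.splitlines():
            m = _ASSIGN_RE.match(line)
            if m:
                params[m.group(1)] = _unquote(m.group(2))
        user, key = params.get("user_fqdn"), params.get("key")
        if not user or not key:
            # A connection without both values cannot be mirrored in the client.
            raise ValueError("connection %r lacks user_fqdn or key" % params.get("name"))
        users.append({"username": user, "preshared_key": key,
                      "enabled": params.get("enabled", "yes") == "yes"})
    return users


def preshared_key_for(cfg_text: str, username: str) -> Optional[str]:
    """Look up the key for one user_fqdn spelled exactly as in the file (the IKE
    username entered in KanjiDesktop must match it); None if the user is absent."""
    for u in parse_vpn_users(cfg_text):
        if u["username"] == username:
            return str(u["preshared_key"])
    return None


if __name__ == "__main__":
    for u in parse_vpn_users(SAMPLE_CFG):
        # Do not echo the key; the length is enough to confirm it was captured.
        print("%s enabled=%s key_len=%d" % (u["username"], u["enabled"],
                                            len(str(u["preshared_key"]))))
```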

8.1.6 Establishing a VPN Connection

Once both ends of the VPN connection have been configured, the client (HOBLink VPN Anywhere Client) can be executed. When the VPN connection is established, the status of the FRITZ!Box can be seen in the list VPN-Verbindungen in the Freigaben > VPN dialog below. When the connection is established the status indicator is green. This list also shows all of the IP addresses assigned to all connected clients.

Figure 64: FRITZ!Box 7390 Freigaben With Information


8.2 Removing HOBLink VPN Anywhere Client

HOBLink VPN Anywhere Client can be removed from the network as follows:

If started from a local device, remove this device or delete the software modules

If started from the web, delete the folder HOBLink VPN Anywhere Client from the user storage on the local disk


8.3 Error Messages - IKEv1

This section contains a comprehensive list of error messages that can be generated by the HOBLink VPN Anywhere Client with an explanation on the meaning of the error, the possible cause of the error and any possible solutions.

Most common errors are caused by username, password, group, preshared key, IKE or IPsec setting mismatches between the client and the gateway.

If an error has multiple causes listed and some of the causes are protocol errors, it is more likely that the non-protocol errors are the causes of the problem (unless a new, untested third-party gateway, or untested third-party gateway feature is being used).

The majority of IKE errors are related to protocol errors and are not problems with the configuration. Such errors are listed here but their possible sources are not given as this document is not intended to replace RFC explanations and may cause conflict with any RFC explanations.

Some of the IKEv1 errors may be generated by IKEv2 if the error situation is the same.

Error Nr. and Error Message / Meaning / Common Causes and Possible Solutions

1 INVALID PAYLOAD TYPE

A payload sent by the gateway contains an incorrect Type field.

1. Preshared-key mismatch - ensure that the <preshared-key> value in the client configuration matches the preshared key configured on the gateway.
2. Protocol error (cannot be fixed by changing the configuration).

2 DOI NOT SUPPORTED

The DOI in an SA or Delete payload sent by the gateway was invalid (supported DOIs are 0 and 1).

1. Protocol error (cannot be fixed by changing the configuration).

3 SITUATION NOT SUPPORTED

The Situation field in an SA payload sent by the gateway was invalid (supported situations are: SIT_IDENTITY_ONLY: 1).

1. Protocol error (cannot be fixed by changing the configuration).

4 INVALID COOKIE

The IKE cookie sent by the gateway is incorrect.

1. Protocol error (cannot be fixed by changing the configuration).

5 INVALID MAJOR VERSION

The major version field in the IKE header of a received packet was not 1.

1. Protocol error (cannot be fixed by changing the configuration).

6 INVALID MINOR VERSION

The minor version field in the IKE header of a received packet was not 0.

1. Protocol error (cannot be fixed by changing the configuration).

7 INVALID EXCHANGE TYPE

An IKE packet was received with an unexpected value in the Exchange Type field.

1. Phase 1 group-name (or username) mismatch.
2. Preshared-key mismatch.
3. Protocol error (cannot be fixed by changing the configuration).

8 INVALID FLAGS

An IKE message with incorrect flags in the IKE header has been received.

1. Protocol error (cannot be fixed by changing the configuration).


9 INVALID MESSAGE ID

An IKE message with an incorrect value in the Message ID field has been received.

1. Protocol error (cannot be fixed by changing the configuration).

10 INVALID PROTOCOL ID

An invalid Protocol Field value was received in a payload.

1. Protocol error (cannot be fixed by changing the configuration).

11 INVALID SPI

A Phase 2 message sent by the gateway contained a payload with an invalid SPI.

1. The client or gateway IKE may have become de-synchronized with the other endpoint. A restart of the offending endpoint generally fixes this problem. Restarting the client should help in most cases. In some cases this error can be ignored since it can be temporary.
2. Protocol error (cannot be fixed by changing the configuration or restarting).

12 INVALID TRANSFORM ID

A Transform Payload sent by the gateway contained an incorrect ID.

1. Protocol error (cannot be fixed by changing the configuration).

13 ATTRIBUTES NOT SUPPORTED

An Attribute Payload sent by the gateway contained an incorrect or unsupported attribute value for the attribute.

1. Protocol error (cannot be fixed by changing the configuration).

14 NO PROPOSAL CHOSEN

None of the Phase 1 or Phase 2 settings were accepted by the client or the gateway (the endpoint that generates this message is the one that rejected the settings and should provide more information about the mismatch).

1. Possible Phase 1 setting mismatches: <encryption>, <hash>, <authentication>, <diffie-hellman-group>.
2. Possible Phase 2 setting mismatches: <encapsulation-mode>, <esp-encryption>, <esp-integrity>, <compression>, <ipcomp> (if <compression> is being used), <pfs>, <diffie-hellman-group> (if <pfs> is being used), <enable-volume>, <replay-detection>.
Note: IKE does not provide a mechanism for the endpoint that generates this error to notify the other endpoint about which setting did not match. NO PROPOSAL CHOSEN errors need to be understood by looking at the logs and/or configuration of the generating endpoint in order to obtain further information about which setting was rejected.

15 BAD PROPOSAL SYNTAX

A gateway sent an incorrect proposal.

1. Protocol error (cannot be fixed by changing the configuration).

16 PAYLOAD MALFORMED

A payload sent by the gateway failed some basic IKE payload checks.

1. Preshared-key mismatch.
2. <group-name> mismatch.
3. <user> mismatch (if <group> is set to NO).
4. Protocol error (cannot be fixed by changing the configuration).


18 INVALID ID INFORMATION

A value in an ID payload that was sent by the gateway was not accepted.

1. If this occurs during Phase 2 negotiations, this can often be fixed by ensuring that the configured intranets for IPsec SAs on the gateway and the <peer-intranet> settings in the client configuration match.
2. If this occurs during Phase 1 negotiations when using certificates, ensure that the gateway's certificate identity matches with the certificate on the client.
3. Protocol error (cannot be fixed by changing the configuration). This is very unlikely to be the cause of these errors.

19 INVALID CERT ENCODING

The gateway sent a certificate that was encoded in a format that did not match with any of the supported certificate encoding schemes.

1. Ensure that the certificate sent by the gateway is RSA or DSS encoded and that the proper IKE authentication method is configured on both the client and the gateway.

20 INVALID CERTIFICATE

The gateway sent a certificate (during a Phase 1 negotiation) that did not match any of the certificates available to the client.

1. Ensure that the certificate used by the gateway is available in the client certificate database in order to allow for proper verification of the certificate.

25 INVALID SIGNATURE

A Signature payload sent by the gateway did not pass validation.

1. Ensure that both the client and the gateway have access to the same certificate.

28 CERTIFICATE UNAVAILABLE

The requested certificate is not available on the client.

1. Ensure that the client certificate (if the client is using certificate authentication) is available in the certificate database.
2. Ensure that the gateway certificate (if the gateway is using certificate authentication) is available in the certificate database.

30 UNEQUAL PAYLOAD LENGTHS

A received IKE packet was larger, or smaller, than the length in the IKE header.

1. Ensure that the gateway is sending the proper length for the packet; it is very unlikely that a gateway builds an IKE packet with an incorrect header length but it is possible (this is a protocol error).
2. Ensure that nothing in the packet's path is causing the packet to be changed or trimmed.

50 Buffer too small

Reading from, or writing to, an internal buffer failed.

1. Ensure that the computer is not running very low on memory.
2. Ensure that the gateway sent payloads with correct lengths.

51 SPI check failed.

A generated SPI matched with another previously generated SPI.

This is a temporary error that resolves in a very short period of time.

55 Negotiation failed.

A fatal error prevented an IKE negotiation from being completed.

Review the client logs to find out which errors occurred during the negotiation and fix those errors.


90 Failed to set up new phase 1 negotiation.

The client failed to initialize a new Phase 1 SA.

1. When this error occurs, another error string is displayed explaining the reason for the failure. This error generally means that the client failed to create a correct Phase 1 proposal payload which is most often an internal error.

91 Failed to start new phase 1 negotiation.

The client failed to create a Phase 1 packet.

1. Ensure that all of the IKE settings in the configuration are within the acceptable values.

92 Failed to set up new phase 2 negotiation.

The client failed to initialize a new Phase 2 SA.

1. When this error occurs, another error string will be displayed explaining the reason for the failure. This is most often an internal error.

93 Failed to start new phase 2 negotiation.

The client failed to create a Phase 2 packet.

1. Ensure that all of the IPsec settings in the configuration are within the acceptable values.

96 Replay status mismatch.

There is a mismatch between the replay status setting on the client and the gateway.

1. Ensure that the value of <replay-detection> in the client configuration matches with the gateway setting.

99 XAuth login failed due to an invalid username or password.

The gateway rejected the user credentials.

1. Ensure that the <user> and <password> settings were entered correctly as accepted by the gateway.
2. If <group> is set to YES, ensure that the username and password are part of the specified group.

102 Failed to receive reply; retrying

A reply to a request was not received in a timely manner.

1. Ensure that the gateway IP address is configured correctly.
2. Increase the value for the <UDP-timeout> setting.

103 Failed to receive reply; aborting negotiation.

A reply to a request was not received in a timely manner and all retries have been exhausted.

1. Ensure that the gateway IP address is configured correctly.
2. Increase the value for the <UDP-timeout> setting.
3. Check for network connectivity between the client and the gateway.
4. Check the gateway logs for any IKE errors that may be occurring.

106 ID type invalid or not supported.

The gateway peer sent an ID payload with an unsupported type.

1. Ensure that the gateway is configured to send an ID payload type that is supported by the client. Supported values are:
Phase 1: ID_IPV4_ADDR (1), ID_FQDN (2), ID_USER_FQDN (3), ID_IPV6_ADDR (5), ID_DER_ASN1_DN (9), ID_KEY_ID (11).
Phase 2: ID_IPV4_ADDR (1), ID_FQDN (2), ID_USER_FQDN (3), ID_IPV4_ADDR_SUBNET (4), ID_IPV4_ADDR_RANGE (7), ID_KEY_ID (11).


107 Invalid protocol.

The gateway peer sent a Phase 1 ID payload with an invalid protocol.

1. Ensure that the gateway sends Phase 1 ID payloads with protocol 0 or UDP.

108 Invalid port.

The gateway peer sent a Phase 1 ID payload with an invalid port.

1. Ensure that the gateway sends Phase 1 ID payloads with port 0 or 500.

109 Invalid data size.

The gateway peer sent an ID payload with an incorrect data length for the ID type field.

1. Protocol error (cannot be fixed by changing the configuration): ensure that the gateway conforms to ID payload type length requirements as specified in RFCs.

110 ID payloads modified.

114 Missed dead peer detection keepalive; retrying.

The gateway peer did not reply to a DPD request sent by the client.

1. Increase the value for the <DPD-timeout> setting.

115 Dead peer detected.

The gateway peer did not reply to DPD requests and all retries have been exhausted.

1. Increase the values for the <DPD-timeout> and <DPD-retries> settings.
2. Check for network connectivity between the client and the gateway.
3. Check the gateway logs for any IKE errors that may be occurring.
4. Ensure that the VPN gateway is still running.

116 Missing a compatible XAuth VID payload.

The client is configured to use XAuth but the gateway peer sent a Phase 1 message that did not contain an XAuth VID payload.

1. Ensure that the XAuth settings on both the client and the gateway match. The client's XAuth setting can be configured from the <authentication-mode> setting under <ike>.

117 Message from peer not received within time limit; aborting negotiation.

The gateway peer was expected to initiate a negotiation but it did not do so.

1. Check for network connectivity between the client and the gateway.
2. Check the gateway logs for any IKE errors that may be occurring.
3. Ensure that the VPN gateway is still running.
4. This may be caused by a protocol error on the gateway's side.

130 Transform mismatch.

The gateway sent an SA payload Transform that was not matched by the client.

1. Check that the following settings match on the client and the gateway for both Phase 1 and Phase 2: <encryption>, <hash>, <authentication>, <diffie-hellman-group>, <sa-lifetime>, <encapsulation-mode>, <esp-encryption>, <esp-integrity>, <compression>, <ipcomp>, <pfs>, <enable-volume>.


131 Mismatch in encryption algorithm.

The gateway sent an SA payload with an unacceptable encryption algorithm value.

1. If this occurs during Phase 1, ensure that the <encryption> setting matches the value configured on the gateway.
2. If this occurs during Phase 2, ensure that the <esp-encryption> setting under <ipsec> matches the value configured on the gateway.

132 Mismatch in hash algorithm.

The gateway sent an SA payload with an unacceptable hash algorithm value.

1. If this occurs during Phase 1, ensure that the <hash> setting matches the value configured on the gateway.
2. If this occurs during Phase 2, ensure that the <esp-integrity> setting under <ipsec> matches the value configured on the gateway.

133 Mismatch in authentication method.

The gateway sent an SA payload with an unacceptable authentication method value.

1. Ensure that the <authentication> setting under <ike> matches the value configured on the gateway.

134 Mismatch in group description.

The gateway sent an SA payload with an unacceptable Diffie-Hellman group value.

1. If this occurs during Phase 1, ensure that the <diffie-hellman-group> setting matches the value configured on the gateway.
2. If this occurs during Phase 2, ensure that the <diffie-hellman-group> setting under <ipsec> matches the value configured on the gateway.

135 Mismatch in SA lifetime (seconds).

The gateway sent an SA payload with an unacceptable SA lifetime (seconds) value.

1. If this occurs during Phase 1, ensure that the <sa-lifetime> setting under <ike> matches the value configured on the gateway.
2. If this occurs during Phase 2, ensure that the <sa-lifetime> setting under <ipsec> matches the value configured on the gateway.

136 Mismatch in SA lifetime (kilobytes).

The gateway sent an SA payload with an unacceptable SA lifetime (kilobytes) value.

1. Ensure that <enable-volume> is set to YES.
2. Ensure that the <sa-max-volume> setting under <ipsec> matches the value configured on the gateway.

137 Mismatch in encapsulation mode.

The gateway sent an SA payload with an unacceptable Phase 2 encapsulation mode value.

Ensure that the gateway is using UDP-encapsulated Tunnel mode.

138 Mismatch in authentication algorithm.

The gateway sent an SA payload with an unacceptable Phase 2 authentication algorithm value.

Ensure that the <esp-integrity> setting under <ipsec> matches the value configured on the gateway.

139 Mismatch in key length.

The gateway sent an SA payload with an unacceptable encryption algorithm key-length value.

1. If this occurs during Phase 1, ensure that the <encryption> setting matches the value configured on the gateway.
2. If this occurs during Phase 2, ensure that the <esp-encryption> setting under <ipsec> matches the value configured on the gateway.


8.4 Error Messages - IKEv2

The majority of IKE errors are protocol errors rather than configuration problems. Such errors are listed here, but their possible sources are not given, as this document is not intended to replace the RFC explanations and might conflict with them. Some of the IKEv1 errors may also be generated by IKEv2 when the error situation is the same.

140 Protocol mismatch.

The gateway sent an SA Transform with an unacceptable Phase 2 protocol value.

Ensure that the gateway negotiates ESP SAs during Phase 2.

143 VIP negotiation failed.

The gateway sent an unacceptable VIP negotiation.

Protocol error (cannot be fixed by changing the configuration): ensure that the gateway sends an attribute type value of 2 for VIP replies.

144 Expecting a VIP VID payload.

The gateway did not send a VIP VID payload.

Ensure that the gateway is configured to carry out VIP (IKE MODE CONFIG) negotiations.

Error Nr. / Error Message / Meaning / Common Causes and Possible Solutions

214 Mismatch in Traffic Selectors.

It was not possible to negotiate Traffic Selectors due to a mismatch between the client and the gateway.

1. Ensure that at least one of the values in <peer-intranet> matches the intranets protected by IPsec configured on the gateway.
2. Ensure that the gateway is sending Traffic Selectors with protocol 0, source port 0 and destination port 65535.
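The Traffic Selector negotiation behind error 214, as an added example (not HOB code): the two conditions above are applied in code, first the protocol/port rule, then the intersection of each gateway selector with the <peer-intranet> entries. Assumptions: <peer-intranet> entries are modelled as CIDR strings, a gateway Traffic Selector as the tuple (protocol, start port, end port, start address, end address), and a narrowed selector is returned as an address range.

```python
"""Traffic Selector narrowing behind error 214.  Added example, not HOB code.
Assumed model: <peer-intranet> as CIDR strings, gateway selectors as
(protocol, start_port, end_port, start_addr, end_addr) tuples."""
import ipaddress

ERR_TS_MISMATCH = 214


def narrow_traffic_selectors(peer_intranets: list[str], gateway_ts: list[tuple]) -> tuple[int, list]:
    """Return (0, narrowed selectors) or (214, []) when nothing is acceptable."""
    narrowed = []
    for proto, port_lo, port_hi, start, end in gateway_ts:
        # Rule 2 above: only any-protocol, any-port selectors are accepted
        if proto != 0 or port_lo != 0 or port_hi != 65535:
            continue
        start_ip, end_ip = ipaddress.ip_address(start), ipaddress.ip_address(end)
        for cidr in peer_intranets:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != start_ip.version:
                continue                        # never compare IPv4 with IPv6 ranges
            # Rule 1 above: the selector must overlap a configured intranet;
            # the overlap is the narrowed selector the client would answer with
            lo, hi = max(int(start_ip), int(net[0])), min(int(end_ip), int(net[-1]))
            if lo <= hi:
                narrowed.append((str(ipaddress.ip_address(lo)), str(ipaddress.ip_address(hi))))
    if not narrowed:
        return ERR_TS_MISMATCH, []
    return 0, narrowed


if __name__ == "__main__":
    # Constructed sample: two configured intranets, one gateway selector
    print(narrow_traffic_selectors(["10.1.0.0/16", "192.168.5.0/24"],
                                   [(0, 0, 65535, "10.1.20.0", "10.1.20.255")]))
```

When the function returns 214 for selectors you expected to match, compare the tuple fields one by one: a gateway that sends a single-protocol or single-port selector fails rule 2 before the addresses are even looked at.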

215 EAP login failed due to an invalid username or password.

The gateway rejected the username, password or group that were sent by the client.

Ensure that the correct credentials are provided in either the XML configuration or the Authentication Dialog Box.

216 Invalid KE Payload received.

The gateway sent a request to create or rekey an IKE SA whose KE payload did not match the Diffie-Hellman group that the client selected from the list of Diffie-Hellman groups proposed by the gateway.

This error is resolved automatically by IKE but causes additional messages to be sent. To get rid of it, reduce the number of <diffie-hellman-group> entries to one (on both client and gateway) and make sure that this value matches on both the client and the gateway.

220 COOKIE notification reply mismatch.

The data in a COOKIE notification sent by the gateway did not match the data that was expected to be contained in the COOKIE notification.

Protocol error (cannot be fixed by changing the configuration).


222 Received NO_ADDITIONAL_SAS. Negotiating a new IKE SA.

The peer gateway does not support IKE SAs with multiple Child SAs so negotiation for an additional Child SA on an IKE SA was rejected.

Implementation limitation on the gateway. This error is automatically fixed by IKE as the client initiates a new IKE SA negotiation, including a new Child SA.

227 An expected CP(CFG_REQ) payload was not included.

The gateway expected a Configuration Payload Request in a request sent by the client, but the client did not send such a payload.

Interoperability issue between the client and the gateway (the client always sends a Configuration Payload during IKE_AUTH exchange requests).

229 Mismatch in IKEv2 Pseudo Random Function (PRF).

None of the PRF values sent by the gateway matched the configured PRF algorithms.

Ensure that at least one of the <prf> values on the client matches those that are configured on the gateway.

230 Extended Sequence Numbers (ESN) are not supported.

The gateway requested the use of Extended Sequence Numbers but these are not supported by the client.

Disable the use of ESN on the gateway.

231 INVALID IKE SPI

An IKE message was received on an unknown IKE SA.

This error generally occurs due to state mismatch between the client and the gateway and should be resolved automatically after some time.

232 INVALID SYNTAX

An IKE message sent by the gateway failed some protocol checks.

Protocol error (cannot be fixed by changing the configuration). Note: Because INVALID SYNTAX errors have multiple possible causes, the error message also includes additional information about the cause of the error.

233 CHILD_SA_NOT_FOUND

The client attempted to rekey a Child SA that was no longer present on the gateway.

This is a temporary error due to a state mismatch that is fixed automatically after a short amount of time.

234 TEMPORARY_FAILURE

A temporary condition on the gateway caused a request sent by the client to be ignored.

This is a temporary error that is resolved after a short amount of time.


8.5 IPsec Errors

Most common errors are caused by username, password, group, preshared key, IKE or IPsec setting mismatches between the client and the gateway.

235 Received Windows error <error number>

A Microsoft Windows gateway reported a Microsoft specific error during an IKE negotiation.

The cause of such errors depends on the error reported by the gateway; the reported error must be reviewed in order to find a solution.
Note: Common error codes are:
- 812: A policy on the server is causing the client not to connect. Check the NPS and Dial-In settings for the user that is connecting.
- 13806: No IKEv2 certificates were found.
- 13819: The certificate that was chosen by the gateway does not meet the IKEv2 requirements. Check the certificates to ensure that only one IKEv2 certificate is available.

236 Received Internal Address Failure

The gateway was unable to assign a Virtual IP for the client.

Ensure that the gateway is properly configured to assign Virtual IP addresses to connecting clients.

Error Nr. / Error Message / Meaning / Common Cause and Possible Solutions

163 Inbound SA not found.

The peer gateway sent an IPsec packet on an unknown inbound SA.

This error generally occurs when either the client or the gateway loses state, or when some IKE management packets (mainly DELETE Informational messages) are lost on the network. Both the client and the gateway should manage to recover from such errors automatically in a short amount of time, but this may not always be the case. In some extreme cases where the state is not recovered in due time, it may be necessary to restart the client. It is also possible for this error to occur because of man-in-the-middle attacks that aim at wasting resources on the client.

164 Outbound SA not found.

No IPsec SA over which to send a packet from the client machine was found.

This error can mean that either the client or the gateway lost state and most often occurs when the gateway stops responding to IKE negotiations. Both client and gateway logs should be looked at in order to identify the underlying cause for the loss of state; IPsec SAs should then start working again when state synchronizes. It is possible for state to be recovered automatically if the loss occurred due to a temporary network outage.


165 SA expired.

An attempt was made to send a packet over IPsec using an SA that has expired (the maximum lifetime of the SA has been exceeded but the SA is still present).

This error generally occurs when a large amount of data is sent over a very short period of time on an IPsec SA that is configured with a low value in <sa-max-volume>. The error resolves itself because the client triggers new IPsec SA negotiations; however, these errors can be avoided (or made less common) by increasing the value of <sa-max-volume>.

166 Sequence number overflow.

The sequence number of an IPsec SA wrapped around (more than 2^32 packets were sent over the IPsec SA).

1. The <sa-lifetime> setting is too high for the amount of data that is going through the IPsec SA. Attempt reducing this value if it is required to have rekeying based on duration.
2. Consider using <sa-max-volume>.

167 Outbound SA cannot be used as it is on hold.

The IKE negotiation for the outbound SA is still in progress.

This is a temporary error that resolves itself after a very short time; no action is required.

171 Replay check failed.

An IPsec packet received by the client failed the anti-replay check; it is either a duplicate or was delayed on the network and thus received out of sequence in relation to the other IPsec packets sent by the gateway.

1. Sporadically congested network conditions: set <replay-detection> to NO.
2. Man-in-the-middle (replay) attacks.

172 ICVs do not match.

The client received an IPsec packet that contained incorrect authentication data.

1. The packet was tampered with during transmission.
2. The gateway that sent the IPsec packet incorrectly calculated the authentication data of the packet.
Note: A workaround for such errors is to remove the usage of <esp-integrity> on the client (which requires a matching setting on the gateway). The cause of such errors should be identified.

173 Incorrect padding length.

The client received an IPsec packet containing a padding length that does not match the block size of the IPsec encryption algorithm in use.

This is a protocol error by the gateway; attempt using a different value for <esp-encryption> to check if the gateway properly creates IPsec packets when using a different encryption algorithm.
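The inbound IPsec checks behind errors 163, 171, 172 and 173, and the outbound sequence counter behind error 166, as an added example (not HOB code): an anti-replay window, an ICV comparison and a padding check run in the order RFC 4303 prescribes, plus a sender-side counter that refuses to wrap. Assumptions: HMAC-SHA-256 truncated to 128 bits stands in for the <esp-integrity> algorithm, the ESP payload is handled as already decrypted (there is no cipher step, so the ICV covers the header plus this payload in place of header plus ciphertext), a 16-byte cipher block size (AES-CBC) is assumed for the padding check, and the SPI, key and packets are constructed sample values.

```python
"""Inbound ESP checks (errors 163, 171, 172, 173) and outbound sequence
counting (error 166).  Added example, not HOB code; see the assumptions above."""
import hashlib
import hmac
import struct

WINDOW = 64        # anti-replay window in packets (RFC 4303 recommends at least 32)
BLOCK = 16         # assumed cipher block size
ICV_LEN = 16       # HMAC-SHA-256-128 (assumed stand-in for <esp-integrity>)
MAX_SEQ = 0xFFFFFFFF


class OutboundSA:
    """Counts outbound sequence numbers and refuses to wrap (error 166),
    since the client does not use Extended Sequence Numbers."""
    def __init__(self) -> None:
        self.seq = 0

    def next_seq(self) -> tuple[int, int]:
        """Return (0, next sequence number) or (166, 0) when the counter is exhausted."""
        if self.seq >= MAX_SEQ:
            return 166, 0
        self.seq += 1
        return 0, self.seq


class InboundSA:
    def __init__(self, spi: int, auth_key: bytes) -> None:
        self.spi = spi
        self.auth_key = auth_key
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means sequence number top-i was received

    def replay_ok(self, seq: int) -> bool:
        """RFC 4303 sliding window: accept newer packets and unseen ones inside the window."""
        if seq == 0 or seq > MAX_SEQ:
            return False
        if seq > self.top:
            return True
        if self.top - seq >= WINDOW:
            return False                      # older than the window can track
        return not (self.bitmap >> (self.top - seq)) & 1

    def mark(self, seq: int) -> None:
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def process(self, packet: bytes) -> tuple[int, str]:
        """Run the inbound checks in RFC 4303 order and return (error number, text)."""
        if len(packet) < 8 + 2 + ICV_LEN:
            return 173, "Incorrect padding length."
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return 163, "Inbound SA not found."
        if not self.replay_ok(seq):
            return 171, "Replay check failed."
        authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return 172, "ICVs do not match."
        self.mark(seq)                        # the window advances only after the ICV passed
        body = authenticated[8:]              # decryption would happen here
        pad_len = body[-2]                    # ESP trailer: Pad Length, Next Header
        if (len(body) % BLOCK or pad_len > len(body) - 2
                or body[len(body) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1))):
            return 173, "Incorrect padding length."
        return 0, "ok"


def seal(spi: int, seq: int, body: bytes, auth_key: bytes) -> bytes:
    """Attach the ESP header and ICV to an (already padded) body."""
    authenticated = struct.pack("!II", spi, seq) + body
    return authenticated + hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]


def build_esp(spi: int, seq: int, payload: bytes, auth_key: bytes, next_header: int = 4) -> bytes:
    """Build a correctly padded packet (RFC 4303 default padding bytes 1, 2, 3, ...)."""
    pad_len = (-(len(payload) + 2)) % BLOCK
    body = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return seal(spi, seq, body, auth_key)


if __name__ == "__main__":
    key = b"constructed-auth-key"            # constructed sample key
    sa = InboundSA(0x1001, key)
    pkt = build_esp(0x1001, 1, b"hello", key)
    print(sa.process(pkt))                    # (0, 'ok')
    print(sa.process(pkt))                    # (171, 'Replay check failed.')
```

The ordering matters for the table above: a packet that fails the ICV never advances the window, so a tampered packet (172) cannot push legitimate traffic out of the window, while a packet outside the window (171) is rejected before the HMAC is computed, which is what makes replay detection cheap under flooding.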


9 Information and Support

If you would like further information about HOBLink VPN Anywhere Client or if you need product support, please contact us at:

U.S.A. and Canada

General Enquiries:

Phone: + 1 866 914 9970

Fax: + 49 9103 715 3299

E-mail: [email protected]

Web: www.hobsoft.com

Technical Support:

Phone: + 1 866 914 9970

Fax: + 49 9103 715 3299

E-mail: [email protected]

Germany

General Enquiries:

Phone: + 49 9103 715 0

Fax: + 49 9103 715 3271

E-mail: [email protected]

Web: www.hob.de

Technical Support:

Phone: + 49 9103 715 3161

Fax: + 49 9103 715 3299

E-mail: [email protected]

Other Countries

General Enquiries:

Phone: + 49 9103 715 3103

Fax: + 49 9103 715 3299

E-mail: [email protected]

Web: www.hobsoft.com

Technical Support:

Phone: + 49 9103 715 3103

Fax: + 49 9103 715 3299

E-mail: [email protected]
