
List:       sidewinder
Subject:    [Sidewinder] RE: Symantec VPN Client with Sidewinder G2 6.1?
From:       sidewinder-admin () adeptech ! com
Date:       2004-04-12 18:08:06
Message-ID: 200404121825.i3CIPr506740 () aag ! adeptech ! com

To start, if your Sidewinder doesn't have a fixed IP, give up right now
and just shoot yourself. Not only will it be easier, it will be more
fun. :)
Assuming however you have a fixed IP for your firewall....
> However, with the Sidewinder G2 VPN configuration, I'm not 
> sure what would correspond to the "client ID".  I tried the 
> CN parameter, I tried e-mail address, and just about 
> everything else I could configure in "Remote Identities".
For the remote Identity on the client, I assume you are referring to the
Remote party identity and addressing section of the client configuration
editor. The settings here are dependent on how you want to connect to
the firewall. We grant a connection to our in house network, so the
network address and subnet address for the in house network go here. The
remote ID part comes at the bottom. We connect with secure gateway
tunnels, which I guess is common.
We use the address of the firewall in the remote party ID. Whatever you
put here must match the authentication tab of the security association
for the VPN connection you are setting up. This is in the management
console app for the Sidewinder G2. You can use the FQDN of the domain or
email here, but don't. Just use the firewall address.

Make sure you require XAUTH on the tab labelled Authentication method in
the Sidewinder management console also or you will never get a
connection. You must set up a user ID on the firewall under Policy
Configuration->Rule Elements->Users and User Groups so they can
authenticate. 

In your shared secret avoid spaces, underlines, dashes or other
punctuation. Keep passwords to 8 characters, and oh yes, my favorite
bug, when setting up the SoftRemote client, save EACH little window,
each screen, before moving to another window. Otherwise, it might keep
your changes, or it might not, hard to say. 
  
> can't use IP address, because not all of the clients have 
> static IP addresses.  I'm pretty sure this should be 
> do-able--the SVPNC is supposed to be compatible with other 
> firewalls/VPN devices.  Any ideas?
> 
For our client IDs (that is, the MY IDENTITY tab of SoftRemote, not the
remote ID set up on the client; see above for that), we use the email
address of the client and just create an arbitrary string in the form
of a bogus email address like executive@mycorp.com, which seems to work
fine. We have one user with a domain name that is just an all caps
string, that works fine. No punctuation in the domain name. 

Just remember that whatever you do on the client, do on the server. Oh
yeah, one more tip. On the client the IPSec SA life of the IPSEC
protocols on the Phase 2 key exchange should be indeterminate. Set this
on the firewall in seconds. The phase one key sa life should be set
slightly lower than the ISAKMP Phase one rekey time on the advanced tab
of the security association set on the console app. The firewall ignores
any client attempt to renegotiate the IKE phase one key anyway (yes that
is a HUGE problem, especially if your client address is NATted, although
Secure doesn't seem to think so). 

And before you ask, ALL, and I mean ALL the documentation I have
received from Secure about this is WRONG. It is just wrong, in error,
incorrect, not operational, wrong, wrong, wrong. Don't waste your time
on it. It may be useful for starting fires, but if so, that is its
highest best use that I will have seen to date. And if I sound a little
bitter about this, it's only because I am.


Dan Sichel
Ponderosa Telephone

_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder