====== HOW TO CONFIGURE A VPN TUNNEL ======

===== Firewall VPN Configuration =====

  - Log into the Firewall
  - Go to the VPN button and click on the “VPN Configure” tab
  - Locate the “Security Association” pull-down menu and select “-Add New SA-”
  - Select “IKE” under the “IPSec Keying Mode:” pull-down menu
  - Enter the name you wish to use to identify this Security Association in the SA Name field
  - Leave “Enable Windows Networking (NetBIOS) broadcast” unchecked
  - Leave the “Destination Network” field of 0.0.0.0 (or blank) unchanged
  - Leave the “Destination Subnet Mask” field of 0.0.0.0 (or blank) unchanged
  - Leave the “IPSec Gateway Address” field of 0.0.0.0 (or blank) unchanged
  - Select either “Encrypt and Authenticate (ESP DES HMAC MD5)” or “Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)” under the Encryption Method pull-down menu
  - Enter your “Shared Secret” in the Shared Secret field. This shared secret must be a minimum of 8 characters in length (if using DES) or at least 24 characters (if using 3DES), and it must match the shared secret on the VPN client
  - Click on the “Update” button
  - The “Status” field at the bottom of the Firewall screen should state “Restart”
  - Click on the “Restart” link at the bottom of the page
  - Confirm you want to restart the Firewall by clicking “YES”

===== SafeNet IRE VPN Client Configuration =====

  - Launch the Security Policy Editor: Start/Programs/SafeNet Soft-PK/Security Policy Editor (alternatively, right-click on the SN icon, which should be in the system tray; a menu will pop up and you can choose Security Policy Editor)
  - Select Options/Global Policy Settings. Change the Retransmit Interval (seconds) from 15 to at least 30 (I recommend 45)
  - Click OK to close that window
  - Select Edit/Add/Connection. This will create a new connection, which you may title whatever you like
  - Click the “+” next to your newly created connection
  - Click the “+” next to Security Policy
  - Click the “+” next to Authentication (Phase 1)
  - Click the “+” next to Key Exchange (Phase 2)
  - Highlight Security Policy and check Aggressive Mode under “Select Phase 1 Negotiation Mode”. Click on the floppy disk icon to save changes
  - Highlight the name of your new connection
  - In the Connection Security section, select “Secure” (default)
  - In the Remote Party Identity and Addressing section, select ID Type “IP Subnet”
  - Type the IP address of the LAN port of the Firewall in the Subnet: field
  - Type the subnet mask of the LAN port of the Firewall in the Mask: field
  - Under Protocol, select “All” to allow IP traffic through the VPN tunnel (default)
  - Check the box “Connect using Secure Gateway Tunnel”
  - Under that box, choose ID Type: Domain Name and enter the Unique Firewall Identifier located in the Firewall’s VPN Summary tab (for example, “00301E05201D”)
  - In the IP Address field enter the WAN IP address of the Firewall. Save your changes
  - Highlight “My Identity”
  - In the My Identity section, click on the “Pre-Shared Key” button. Then click the Enter Key button
  - Enter your “Pre-Shared Key”. This shared secret must be a minimum of 8 characters (for DES) or 24 characters (for 3DES) in length, and it must match the shared secret on the VPN Firewall
  - Click OK to close that window
  - From the “Select Certificate” drop-down menu, select “None” (default)
  - From the “ID Type” drop-down menu, choose “Domain Name” and enter any name you like (the value does not matter, so long as the field is not empty)
  - In the “Internet Interface” section, select your Ethernet NIC (or PPP adapter if using dial-up networking). The IP Addr field will be set to the IP address assigned to your NIC. Save your changes
  - Highlight “Security Policy”
  - Leave the “Enable Perfect Forward Secrecy (PFS)” option unchecked (default), but check the “Enable Replay Detection” option (default). Save your changes
  - Highlight “Proposal 1” under “Authentication (Phase 1)”
  - In the Authentication Method and Algorithms section, locate the Authentication Method drop-down menu and select “Pre-Shared Key” (default)
  - In the Encryption and Data Integrity Algorithms section, select DES or Triple DES as the Encrypt Alg (this is determined by what was set on the firewall)
  - From the Hash Alg pull-down menu, select “MD5”
  - From the SA Life menu, select “Unspecified” (default)
  - Leave the Key Group at “Diffie-Hellman Group 1” (default). Save your changes
  - Highlight “Proposal 1” under Key Exchange (Phase 2)
  - Leave the SA Life set to “Unspecified” (default) and the Compression set to “None” (default)
  - Check the box next to Encapsulation Protocol (ESP) (default)
  - Set the Encrypt Alg to DES or Triple DES (again, this follows whatever the firewall is set to)
  - Set the Hash Alg to “MD5”
  - Set the Encapsulation to “Tunnel” (default)
  - Make sure the “Authentication Protocol (AH)” check box is unchecked (default). Save your changes

//**NOTE**: To test your encrypted tunnel, send a PING from your client PC, located on the WAN side of the Firewall, to the IP address assigned to the LAN port of the Firewall. In most cases the ping will time out, but it will serve to initiate the tunnel. If successful, the SN icon in your system tray should turn into a golden key (this may take up to a minute). Once you have the golden key icon, you should also be able to enter the IP address of the LAN port of the Firewall into your web browser and log in to the Firewall web management interface.//

 --- //[[nce@itclatam.com|David Gonzalez]] 2021/03/30 09:47//
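Most failed tunnels built from the two procedures above come down to one side not matching the other: a different cipher in Phase 2, a shared secret that is too short for the chosen method, or a gateway identifier that does not equal the Unique Firewall Identifier. The following script is an added example (not part of the original page, the firewall's software or the SafeNet client) that encodes the matching rules the procedure states and compares a firewall SA description with a client policy description before the firewall is restarted. The dictionary field names, the IP addresses and the sample secret are constructed for this example; only the Encryption Method labels, the 8/24 character rule and the identifier “00301E05201D” come from the page.

```python
import re

# Minimum shared-secret lengths the procedure states for each encryption method.
MIN_SECRET_LEN = {"DES": 8, "3DES": 24}

# Client settings the procedure fixes (Phase 1, Phase 2 and the Security Policy
# check boxes). The field names are this example's own, not the client's.
EXPECTED_CLIENT_SETTINGS = {
    "phase1_mode": "Aggressive",
    "phase1_auth": "Pre-Shared Key",
    "phase1_dh_group": 1,
    "phase2_protocol": "ESP",
    "phase2_encapsulation": "Tunnel",
    "phase2_ah": False,
    "pfs": False,
    "replay_detection": True,
}

# The firewall's Encryption Method labels carry cipher and hash in parentheses.
_METHOD_RE = re.compile(r"\(ESP (DES|3DES) HMAC (MD5)\)")


def parse_firewall_method(method):
    """Return (cipher, hash) from a label such as
    'Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)'."""
    match = _METHOD_RE.search(method)
    if match is None:
        raise ValueError("unrecognised encryption method: %r" % method)
    return match.group(1), match.group(2)


def check_shared_secret(secret, cipher):
    """Return a list of problems with the secret's length for the cipher
    (empty when the 8/24 character rule is met)."""
    needed = MIN_SECRET_LEN[cipher]
    if len(secret) < needed:
        return ["shared secret is %d characters; %s requires at least %d"
                % (len(secret), cipher, needed)]
    return []


def check_tunnel_config(firewall, client):
    """Compare the firewall SA with the client policy and return every
    mismatch found; an empty list means the two sides agree."""
    problems = []
    cipher, hash_alg = parse_firewall_method(firewall["encryption_method"])

    # Both client phases must use the cipher and hash the firewall SA selected.
    for phase in ("phase1_encrypt", "phase2_encrypt"):
        if client[phase] != cipher:
            problems.append("%s is %s but the firewall uses %s" % (phase, client[phase], cipher))
    for phase in ("phase1_hash", "phase2_hash"):
        if client[phase] != hash_alg:
            problems.append("%s is %s but the firewall uses %s" % (phase, client[phase], hash_alg))

    # The secret must meet the length rule and be identical on both ends.
    problems += check_shared_secret(firewall["shared_secret"], cipher)
    if firewall["shared_secret"] != client["pre_shared_key"]:
        problems.append("client pre-shared key differs from the firewall shared secret")

    # Secure Gateway Tunnel settings must point at this firewall.
    if client["gateway_id"] != firewall["unique_identifier"]:
        problems.append("gateway Domain Name ID is not the Unique Firewall Identifier")
    if client["gateway_ip"] != firewall["wan_ip"]:
        problems.append("gateway IP address is not the firewall WAN address")
    if (client["remote_subnet"], client["remote_mask"]) != (firewall["lan_ip"], firewall["lan_mask"]):
        problems.append("remote party subnet/mask do not match the firewall LAN port")

    # Remaining fixed choices: mode, DH group, ESP/tunnel, no AH, no PFS, replay detection on.
    for key, expected in EXPECTED_CLIENT_SETTINGS.items():
        if client.get(key) != expected:
            problems.append("%s is %r, expected %r" % (key, client.get(key), expected))
    return problems


# Constructed sample configurations (not from any real deployment).
FIREWALL_SA = {
    "encryption_method": "Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)",
    "shared_secret": "constructed-example-secret-0001",  # 31 characters, meets the 24 minimum for 3DES
    "unique_identifier": "00301E05201D",                 # the page's example identifier
    "wan_ip": "203.0.113.10",
    "lan_ip": "192.168.1.1",
    "lan_mask": "255.255.255.0",
}

CLIENT_POLICY = {
    "phase1_mode": "Aggressive", "phase1_auth": "Pre-Shared Key",
    "phase1_encrypt": "3DES", "phase1_hash": "MD5", "phase1_dh_group": 1,
    "phase2_protocol": "ESP", "phase2_encrypt": "3DES", "phase2_hash": "MD5",
    "phase2_encapsulation": "Tunnel", "phase2_ah": False,
    "pfs": False, "replay_detection": True,
    "pre_shared_key": "constructed-example-secret-0001",
    "gateway_id": "00301E05201D", "gateway_ip": "203.0.113.10",
    "remote_subnet": "192.168.1.1", "remote_mask": "255.255.255.0",
}

if __name__ == "__main__":
    for line in check_tunnel_config(FIREWALL_SA, CLIENT_POLICY) or ["no mismatches found"]:
        print(line)
    # A client left at DES for Phase 2 with PFS turned on produces two reports.
    broken = dict(CLIENT_POLICY, phase2_encrypt="DES", pfs=True)
    for line in check_tunnel_config(FIREWALL_SA, broken):
        print("mismatch:", line)
```

Fill in the two dictionaries from the firewall's VPN Configure screen and the client's Security Policy Editor; an empty result means every field the procedure says must agree does agree, and each reported line names the field to correct before trying the PING test.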