This document explains the configuration settings for the AdmitOne VPN client from Funk Software (this is an OEM VPN client from SafeNet). This VPN client should work with the Superstack 3 firewall running Agent 6.02 or higher.
1 Settings on the Superstack 3 firewall
VPN SA Name: Any descriptive name. In this example we use the name: vpnclient
IKE support only
IKE Preshared key: needs to be the same on both the client and the SA
Remote IPSEC Gateway: 0.0.0.0
Encryption Scheme: DES or 3DES. In this example we use 3DES.
Authentication Scheme: SHA-1 or MD5. In this example we use MD5.
DH Group: Use DH group 1. As of Agent 6.3 you can use other DH groups. Needs to be the same on both the SA and the VPN client.
VPN Destination network: needs to be the virtual IP address of the VPN client. In this example we use the IP address 10.1.1.254/255.255.255.255
2 Settings on the AdmitOne VPN client:
The following information is required:
Tunnel gateway IP address is the WAN IP address of the Superstack 3 firewall.
Uncheck “Use IP address as identity”.
User’s Identity is the name of the SA that is configured on the firewall.
Shared Secret is identical to the Shared Secret that is set on the firewall.
Click “Advanced” at the bottom left and uncheck “Auto IKE/IPSec setup”.
Now the IKE setup and IPsec options are enabled. First, select the IKE setup option and use the settings as shown in the diagram below (3DES, MD5, DH Group 1, No PFS). Click “OK” to confirm.
Now select the IPsec setup in the Advanced configuration and use the settings as shown in the diagram below (3DES, MD5, no compression algorithm, no NAT Traversal). Click “OK” to confirm the settings.
On the final configuration screen, we create an IP address range that requires encryption. Click the “New” button and enter an IP address range (see right screen below).
Click “OK” on the IP address Range screen and then “Finish” when you are done configuring secure subnets.
You can now select the configured VPN profile to connect. Normally, a Ping utility is included with the adapter for testing the VPN connection. You can also check the firewall log or VPN screens to see whether a VPN has been established. Alternatively, use a browser to test connectivity by opening a connection to the LAN IP address of the firewall.
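Because almost every setting above has to agree on both sides before the tunnel will come up, it helps to write both configurations down and compare them mechanically. The script below is an added example, not part of the original document or of either product: it models the firewall SA and the AdmitOne profile as dictionaries (the key names, the version rule for DH groups and the sample WAN address and pre-shared key are assumptions made here) and reports every mismatch the text warns about.

```python
def _ver(s):
    """Parse a firewall Agent version string such as '6.02' into (6, 2)."""
    return tuple(int(p) for p in s.split("."))


def check_vpn_config(firewall, client):
    """Return a list of mismatches between the SA and the client profile (empty = consistent)."""
    problems = []
    # IKE and IPsec parameters must be identical on both sides.
    for key in ("preshared_key", "encryption", "authentication", "dh_group"):
        if firewall[key] != client[key]:
            problems.append(f"{key} differs: firewall={firewall[key]!r}, client={client[key]!r}")
    if firewall["encryption"] not in ("DES", "3DES"):
        problems.append("encryption scheme must be DES or 3DES")
    if firewall["authentication"] not in ("SHA-1", "MD5"):
        problems.append("authentication scheme must be SHA-1 or MD5")
    if firewall["dh_group"] != 1 and _ver(firewall["agent_version"]) < (6, 3):
        problems.append("DH groups other than 1 need Agent 6.3 or higher")
    if firewall["remote_gateway"] != "0.0.0.0":
        problems.append("remote IPSEC gateway must be 0.0.0.0 (client address is not fixed)")
    # The client identifies itself by the SA name, not by its IP address.
    if client["use_ip_as_identity"]:
        problems.append("'Use IP address as identity' must be unchecked")
    elif client["identity"] != firewall["sa_name"]:
        problems.append("client identity must equal the SA name on the firewall")
    # The SA's destination network is the client's virtual IP as a host route.
    if firewall["destination_network"] != (client["virtual_ip"], "255.255.255.255"):
        problems.append("destination network must be the client virtual IP /255.255.255.255")
    if client["tunnel_gateway"] != firewall["wan_ip"]:
        problems.append("tunnel gateway must be the firewall WAN IP address")
    # Advanced options the text says to leave off.
    for opt, why in (("auto_ike_ipsec_setup", "manual IKE/IPsec setup"), ("pfs", "No PFS"),
                     ("compression", "no compression algorithm"), ("nat_traversal", "not supported")):
        if client[opt]:
            problems.append(f"{opt} must be off ({why})")
    return problems


# Constructed sample values: the SA name, virtual IP and algorithms come from the
# text; the WAN address and pre-shared key are made up for this example.
FIREWALL = {"sa_name": "vpnclient", "preshared_key": "example-psk", "remote_gateway": "0.0.0.0",
            "encryption": "3DES", "authentication": "MD5", "dh_group": 1, "agent_version": "6.02",
            "destination_network": ("10.1.1.254", "255.255.255.255"), "wan_ip": "203.0.113.1"}
CLIENT = {"tunnel_gateway": "203.0.113.1", "use_ip_as_identity": False, "identity": "vpnclient",
          "preshared_key": "example-psk", "encryption": "3DES", "authentication": "MD5",
          "dh_group": 1, "pfs": False, "compression": False, "nat_traversal": False,
          "auto_ike_ipsec_setup": False, "virtual_ip": "10.1.1.254"}
```

Run `check_vpn_config(FIREWALL, CLIENT)` after filling in your own values; an empty list means the two sides agree on everything this page requires.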
Notes:
• SA lifetime of the AdmitOne VPN client is 3600 seconds.
• The AdmitOne VPN client will renegotiate VPN connectivity after reaching 40% of the SA lifetime.
• NAT Traversal is not supported because the standards are not ratified yet.
• XAUTH will be supported in the next release of the VPN client.
— David Gonzalez 2021/03/30 10:24