This document explains the configuration settings for the AdmitOne VPN client from Funk Software (this is an OEM VPN client from SafeNet). This VPN client should work with the Superstack 3 firewall running Agent 6.02 or higher.

1. Settings on the Superstack 3 firewall

• VPN SA Name: Any descriptive name. In this example we use the name: vpnclient
• IKE support onlyIKE Preshared key: needs to be the same on both client and SA
• Remote IPSEC Gateway: 0.0.0.0
• Encryption Scheme: DES or 3DES. This example we use 3DES.
• Authentication Scheme : SHA-1 or MD5. In this example we use MD5.
• DH Group: Use DH group 1. As of agent 6.3 you can use other DH groups. Need to be the same on both SA and VPN client
• VPN Destination network: Needs to be the virtual IP address of the VPN client. In this example we use IP address: 10.1.1.254/255.255.255.255

1. 2 Settings on the Admitone VPN client:

• After installation of the VPN client software, you have to configure a profile. The Policy is secured by a username/password combination. Launch the A1 VPN client.

• After login, on the main window of the VPN client, go to “Secure Connections” and create a new Connection definition by doubleclicking “New Connection”.

Following information is required:

• Tunnel gateway IP address is the WAN IP address of the Superstack 3 firewall
• Uncheck “Use IP address as identity”.
• User’s Identity is the name of the SA that is confugured on the firewall
• Shared Secret is identical to the Shared Secret that is set on the firewall

Click “Advanced” on bottom left and uncheck “Auto IKE?IPSec setup”.

• Now, the IKE setup and Ipsec options are enabled. First. Select the IKE setup option and use the settings as shown in the diagram below (3DES, MD5, DH Group 1 , No PFS). Click “OK” to confirm.

• Now, select the IPsec setup in the Advanced configuration. Use the settings as shown in the diagram below. (3DES, MD5, no compression algorithm, no NAT Traversal). Click “OK” to confirm settings.

• Now, you can click the “Next” button on the configuration screen. We now need to configure a Virtual adapter. Enter the IP address that corresponds with the IP address that is entered in the Subnet information on the Superstack 3 firewall. Click the “Next” button.

• On the final configuration screen, we create an IP address range that requires encryption. Click the “New” button and enter an IP address range (see right screen below).
• Click “OK” on the IP address Range screen and then “Finish” when you are done configuring secure subnets.

You can now select the configured VPN profile to connect. Normally, there is a Ping utility included with the adapter for testing the VPN connection. You can also verify the Firewall log or VPN screens to see whether a VPN has been established. Alternatively, you can use a browser to test connectivity by opening a connection to the LAN IP address of the firewall).

Notes:

• SA lifetime of the Admitone VPN client is 3600 seconds.

• The Admitone VPN client will renegotiate VPN connectivity after reaching 40% of the SA lifetime.

• NAT Traversal is not supported because the standards are not ratified yet.

• XAUTH will be supported in the next release of VPN client

— David Gonzalez 2021/03/30 10:24