Using SoftRemoteLT Instead of SoftRemote Basic
The SafeNet SoftRemote Basic VPN client that is included with the firewall is only suitable for establishing a local wireless IPSec connection with the FVM318 firewall. If your PC is mobile, you may want to also use it to connect to your firewall over the Internet from a remote location. In that case you will need a full VPN client. SafeNet's SoftRemoteLT VPN client (or another version of SafeNet's full client) will serve both purposes.

    Before installing the SafeNet SoftRemote Basic VPN client software, be sure to turn off any virus protection or firewall software you may be running on your PC.

    Procedure 3-5: Configuring the SoftRemoteLT Full Client

    To configure a policy for a secure local wireless connection to the FVM318 firewall using the SoftRemoteLT client, use the FVM318 configuration from "Configure Basic IPSec Wireless Connections" on page 3-13 and follow the procedure below for configuring the full VPN client.

    1. Install the SafeNet SoftRemoteLT full VPN client.

    If you have installed the SoftRemote Basic client, you must uninstall it before installing SoftRemoteLT. During the uninstall process, you can choose to keep your existing security policy, simplifying the configuration of SoftRemoteLT. In SoftRemoteLT, you can configure multiple security policies, such as a policy for secure local wireless connection to the FVM318 firewall and a policy for connecting remotely from the Internet.

    2. Open the Security Policy Editor.

    To launch the SoftRemoteLT client, click on the Windows Start button, then select Programs, then SafeNet, then Security Policy Editor. The Security Policy Editor window will appear.

    Figure 3-22. SafeNet Security Policy Editor

    3. Create a VPN connection.

    You will need to provide a descriptive name for the connection and the LAN address of the FVM318 firewall.

    a. From the Edit menu at the top of the Security Policy Editor window, click Add, then Connection. A new connection listing will appear in the list of policies.

    b. Click and rename the new connection list item to indicate that this is the policy for your local wireless connection, such as Wireless.

    c. Select Secure on the right side of the Security Policy Editor window in the Connection Security box.

    d. Select IP Subnet in the ID Type menu.

    e. Type 0.0.0.0 in the Subnet and Mask fields.

    f. Select All in the Protocol menu to allow all traffic through the VPN tunnel.

    g. Check Connect using Secure Gateway Tunnel.

    h. Select Any in the ID Type menu below the checkbox.

    i. Select Gateway IP Address in the box to the right of ID Type.

    j. Enter the LAN IP address of the FVM318 firewall in the lower right box (usually 192.168.0.1).

    4. Configure the security policy.

    These settings do not depend on your network configuration information.

    a. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the new connection by double-clicking its name or clicking on the "+" symbol.

    My Identity and Security Policy subheadings should appear below the connection name.

    b. Click on the Security Policy subheading to show the Security Policy menu.

    c. Select Aggressive Mode in the Select Phase 1 Negotiation Mode box.

    d. Check the Enable Perfect Forward Secrecy (PFS) checkbox.

    e. Select Diffie-Hellman Group 2 for PFS Key Group.

    f. Check the Enable Replay Detection checkbox.

    5. Configure the VPN client identity.

    In this step, you will provide information about your client PC. You will need to provide:

        1. The user name that you configured in the FVM318 firewall.

        2. The pre-shared key that you configured in the FVM318 firewall.

    a. Click on My Identity in the Network Security Policy list on the left side of the Security Policy Editor window.

    b. Choose None in the Select Certificate menu.

    c. Select Domain Name in the ID Type menu.

    d. In the box below ID Type, enter the user name that you configured in the FVM318 firewall.

    e. Select Disabled in the Virtual Adapter box.

    f. In the Internet Interface box, select your wireless adapter, or choose Any if you will be switching between adapters or if you have only one adapter.

    g. Click the Pre-Shared Key button.

    h. Click the Enter Key button in the Pre-Shared Key dialog box.

    i. Enter the pre-shared key that you configured in the FVM318 firewall and click OK. Note that this field is case sensitive.

    6. Configure the VPN client authentication proposal.

    These settings do not depend on your network configuration information.

    a. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the Security Policy heading by double-clicking its name or clicking on the "+" symbol.

    b. Expand the Authentication subheading by double-clicking its name or clicking on the "+" symbol. Then select Proposal 1 below Authentication.

    c. Select Pre-Shared Key in the Authentication Method menu.

    d. Select AES-256 in the Encrypt Alg menu. If your VPN client does not offer this selection, select Triple DES.

    e. Select SHA-1 in the Hash Alg menu.

    f. Select Seconds and enter 21600 in the SA Life menu.

    g. Select Diffie-Hellman Group 2 in the Key Group menu.

    7. Configure the VPN client key exchange proposal.

    These settings do not depend on your network configuration information.

    a. Expand the Key Exchange subheading by double-clicking its name or clicking on the "+" symbol.

    b. Select Proposal 1 below Key Exchange.

    c. In the SA Life menu, select Seconds and enter 21600.

    d. Select None in the Compression menu.

    e. Check the Encapsulation Protocol (ESP) checkbox.

    f. Select AES-256 in the Encrypt Alg menu. If your VPN client does not offer this selection, select Triple DES.

    g. Select SHA-1 in the Hash Alg menu.

    h. Select Tunnel in the Encapsulation menu.

    i. Leave the Authentication Protocol (AH) checkbox unchecked.

    8. Save the VPN client settings.

    From the File menu at the top of the Security Policy Editor window, select Save Changes.

    After you have configured and saved the VPN client information, you can test the VPN connection in the manner described in "SafeNet System Tray Icon Showing Enabled Condition" on page 3-16. You can also use the log and connection monitors described in "Monitoring the PC VPN Connection Using SafeNet Tools" on page 5-18.
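The client values entered in steps 4 to 7 have to agree with what was configured on the FVM318, and the pre-shared key is case sensitive. The following is an added example, not part of the original manual or of any SafeNet or NETGEAR tool: it records the client settings from this procedure and lists every field where a firewall-side record differs. The field names, the firewall-side record and the sample credentials are constructed for illustration.

```python
import hmac

# Client-side values as set in steps 4, 6 and 7 of the procedure above.
# The field names are this example's own, not a SafeNet or NETGEAR file format.
CLIENT = {
    "phase1": {"mode": "aggressive", "auth": "pre-shared key",
               "encrypt": "aes-256", "hash": "sha-1",
               "dh_group": 2, "sa_life_s": 21600},
    "phase2": {"protocol": "esp", "encapsulation": "tunnel",
               "encrypt": "aes-256", "hash": "sha-1", "pfs_group": 2,
               "sa_life_s": 21600, "compression": "none"},
}

def policy_diffs(client, gateway):
    """Return (phase, field, client_value, gateway_value) for each difference."""
    diffs = []
    for phase in ("phase1", "phase2"):
        fields = sorted(set(client[phase]) | set(gateway[phase]))
        for field in fields:
            c, g = client[phase].get(field), gateway[phase].get(field)
            if c != g:
                diffs.append((phase, field, c, g))
    return diffs

def identity_problems(client_id, client_psk, gw_id, gw_psk):
    """Compare user name and pre-shared key without echoing the key."""
    problems = []
    if client_id != gw_id:
        problems.append("user name mismatch")
    if not hmac.compare_digest(client_psk.encode(), gw_psk.encode()):
        if client_psk.lower() == gw_psk.lower():
            problems.append("pre-shared key differs only by letter case")
        else:
            problems.append("pre-shared key mismatch")
    return problems

def sample_gateway():
    """Constructed firewall-side record: Triple DES chosen for phase 2."""
    gw = {phase: dict(values) for phase, values in CLIENT.items()}
    gw["phase2"]["encrypt"] = "triple des"
    return gw

if __name__ == "__main__":
    for d in policy_diffs(CLIENT, sample_gateway()):
        print("differs: %s %s client=%r gateway=%r" % d)
    # Constructed credentials for the demonstration only.
    for p in identity_problems("wireless_user", "Example-Key-1",
                               "wireless_user", "example-key-1"):
        print("identity:", p)
```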

   

   

   