Vasco aXsGUARD Gatekeeper How To Do

Summary of aXsGUARD Gatekeeper

  • Page 1

    aXsGUARD Gatekeeper PPTP How To 1.7.

  • Page 2: Table of Contents

    Table of Contents 1. Introduction 1.1. Audience and purpose of this document 1.2. Available guides 1.3. What is the aXsGUARD Gatekeeper? 1.4. About VASCO 2. General concepts 2.1. Overview 2.2. What is a virtual private network? 2.3. What is PPTP? 2.3.1. Protocol description 2.3.2. Key elements of pp...

  • Page 3

    4. PPTP client configuration 4.1. Overview 4.2. Client-side firewall 4.3. Windows XP configuration 4.4. Windows Vista configuration 4.5. Windows 7 configuration 5. Troubleshooting 5.1. Client-side troubleshooting 5.2. Server-side troubleshooting 6. Support 6.1. Overview 6.2. If you encounter a probl...

  • Page 4

    List of figures 2.1. VPN concept 2.2. PPTP packet 2.3. PPTP control and data channel 2.4. Listing the PPP device with ipconfig 2.5. PPTP client and PPTP server with different IP ranges 2.6. PPTP client and PPTP server in same IP range 2.7. Consequences of compromised client 3.1. PPTP feature activat...

  • Page 5

    List of tables 3.1. PPTP general settings 3.2. PPTP user settings 3.3. User level firewall settings © VASCO Data Security 2011 4.

  • Page 6

    List of examples 3.1. Restricting access to two LAN servers

  • Page 7

    Document version. This is version 1.7 of the aXsGUARD Gatekeeper PPTP How To. VASCO products. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH are referred to in this document as ‘VASCO’. VASCO products comprise hardware, software, services and documentation. This document add...

  • Page 8: Chapter 1. Introduction

    In this How To, we explain the basic principles of PPTP and how to deploy the aXsGUARD Gatekeeper PPTP server in your network. This document is intended for technical personnel and network administrators. In Chapter 2, General Concepts, we briefly explain the concept of virtual private networking (...

  • Page 9

    Access to aXsGUARD Gatekeeper guides is provided through the permanently on-screen Documentation button in the aXsGUARD Gatekeeper Administrator Tool. Further resources available include: • context-sensitive help, which is accessible in the aXsGUARD Gatekeeper Administrator Tool through the Help but...

  • Page 10: Chapter 2. General

    In this section, we explain the general concepts of virtual private networking (VPN), in particular the Point to Point Tunneling Protocol (PPTP). Topics covered in the section include: • the key elements underpinning PPTP: authentication, tunneling and encryption. • the standard PPTP deployment: how...

  • Page 11

    PPTP stands for Point to Point Tunneling Protocol and is an extension of the PPP protocol, defined per RFC 1171. PPTP allows organizations to use the Internet to securely transmit data across a VPN. It does this by embedding its own network protocol within the TCP/IP packets carried by the Internet...

  • Page 12

    • authentication: the VPN server verifies the VPN client’s identity and restricts VPN access to authorized users only (MS-CHAP and MS-CHAP v2). The VPN server may also provide audit and accounting capabilities to monitor who accessed which information and when. • tunneling: a technology that enables...

  • Page 13

    Settings”). The aXsGUARD Gatekeeper enforces 128-bit encryption by default, as this is the most secure option. Compression. Compression reduces the amount of information necessary to transmit data, thereby saving bandwidth and increasing the data transfer speed. PPTP uses the Compression Control Pro...

  • Page 14

    Once the PPTP VPN is up, a PPP interface with its own IP address is assigned to both the client and the PPTP server. The client’s interface settings can be viewed by running the ipconfig command from a Windows command prompt as shown below. On the client side, all network traffic not destined for th...

  • Page 15

    The PPTP client with IP 10.0.0.1 sends a request to a server in the aXsGUARD Gatekeeper LAN. This server has IP 192.168.250.200. The server receives the request and replies using the client’s IP address 10.0.0.1 as its destination. Since this IP address (10.0.0.1) is in a different range than the aX...

  • Page 16

    The PPTP client with IP 192.168.250.100 sends a request to a server in the aXsGUARD Gatekeeper LAN. This server has IP 192.168.250.200. The server replies using the client’s IP address 192.168.250.100 as its destination. Since this address is within the same IP range as the aXsGUARD Gatekeeper LAN, ...

  • Page 17

    Risk as illustrated above 1. A hacker on the Internet scans public IP addresses for open services and vulnerabilities. 2. The hacker hijacks the client which has a public IP address. 3. The hacker can execute any attack posing as the hijacked computer and can access the resources of the corporate LA...

  • Page 18: Chapter 3. Pptp Server

    In this section, we explain the required aXsGUARD Gatekeeper PPTP server configuration settings, such as: • activating the PPTP server • encryption settings. • accepted IP ranges. • DNS settings. • VPN user settings. • important PPTP authentication settings, such as DIGIPASS authentication and direc...

  • Page 19

    1. Log on to the aXsGUARD Gatekeeper as explained in the System Administration How To. 2. Navigate to VPN & RAS ⇒ PPTP ⇒ General. A screen as shown below is displayed. 3. Configure the settings as explained in the table below. 4. Click on Update when finished. 3.3. General configuration settings Fig...

  • Page 20

    The aXsGUARD Gatekeeper itself is not a WINS server. The WINS server is usually the primary domain controller in your Windows domain. Field Description Accept proposed remote client IP Check to accept the IP address proposed by the remote client. IP address restrictions may apply to certain applicat...

  • Page 21

    VASCO highly recommends the use of DIGIPASS authentication for PPTP access. This is the most secure option. You can also combine local passwords with DIGIPASS authentication. The following authentication methods can be enforced for PPTP: • static password • DIGIPASS • DIGIPASS or static password • D...

  • Page 22

    Unsupported authentication policies generate a validation warning when selected. More information about authentication methods, rules and policies and how to assign them to aXsGUARD Gatekeeper services, computers, groups and users, is provided in the Authentication How To, which is accessible via th...

  • Page 23

    Figure 3.4. User settings Field Description User login enabled Check / uncheck to enable / disable the user account. Use different password for RAS Check this option if you want the user to authenticate with a different local password than the one specified for aXsGUARD Gatekeeper authentication. Yo...

  • Page 24

    Always use the strictest firewall settings for PPTP (also see Section 2.6, “Firewalls and PPTP”). Do not use the aXsGUARD Gatekeeper no-restrictions and the int-no-restrictions firewall policies as these seriously jeopardize your network security. These policies should be used for testing or troubl...

  • Page 25

    System-wide firewall rights: system-wide firewall rights apply to all users in the aXsGUARD Gatekeeper network. Since connected PPTP VPN users are considered a part of the secure network zone, it is of utmost importance to restrict the system-wide firewall rights as much as possible. The default aXs...

  • Page 26

    Example 3.1. Restricting access to two LAN servers Assume you only wish to grant access to 2 specific servers in the LAN for a PPTP VPN user. Access to any other servers in the LAN is not allowed. This requires you to create two new through firewall rules on the aXsGUARD Gatekeeper, allowing traffic...

  • Page 27

    7. Specify the destination IP of the server which can be accessed, e.g. 10.0.0.1/32. 8. Select Allow as the target. 9. Decide whether you want to log traffic by checking / unchecking the Log this rule target? option. 10. Save the rule. 11. Repeat the same steps for the second server, e.g. 10.0.0.2/...

  • Page 28

    Important information recorded in the logs: • when a connection was initiated / terminated • the public IP address of the remote client • the PPP IP address used by the remote client • the authentication information • information about encryption • the type of compression • useful error messages for...

  • Page 29: Chapter 4. Pptp Client

    In this chapter, we explain how to configure your PPTP client in: • Windows XP 32-bit • Windows Vista 32-bit • Windows 7 32-bit As mentioned in Section 2.6, “Firewalls and PPTP”, VASCO recommends the use of a strong client-side firewall. Ensure that PPTP VPN pass-through is allowed on the client fi...

  • Page 30

    3. Select Connect to the network at my workplace and click on Next. 4. Select Virtual Private Network connection and click on Next. Figure 4.1. Windows XP network connections Figure 4.2. Connecting to the network at my workplace

  • Page 31

    5. Enter a connection name and click on Next. Figure 4.3. Virtual private connection Figure 4.4. Connection name

  • Page 32

    6. Enter the public IP address or the public FQDN of the aXsGUARD Gatekeeper PPTP server and click on Next. Afterwards click on Finish. 7. In the connection screen, click on Properties. Figure 4.5. VPN server selection

  • Page 33

    8. Select the Security tab and check the Require data encryption option. Click on OK to continue. Figure 4.6. PPTP VPN properties

  • Page 34

    9. Enter the user name and password provided by your system administrator and click on the Connect button. The connection should be up after a few seconds. You can verify the status of the VPN connection by navigating to the Network Connections screen (see step 1). 1. From the Start button, select C...

  • Page 35

    2. Select Set up a connection or network. Figure 4.8. Windows Vista PPTP setup

  • Page 36

    3. Select Connect to a workplace. 4. Click on Next. Figure 4.9. Set up a connection or network Figure 4.10. Connect to a workplace

  • Page 37

    5. Select Use my Internet connection (VPN). If prompted for Do you want to use a connection that you already have?, select No, create a new connection and click on Next. 6. In the Internet address field, type the external IP address or the FQDN of the aXsGUARD Gatekeeper PPTP server. 7. In the Desti...

  • Page 38

    9. Enter the username and password provided by your system administrator. Do not enter a password if you are using DIGIPASS authentication. Figure 4.12. Connection IP and description

  • Page 39

    10. Click on the Create button and then the Close button. Figure 4.13. User name and password screen Figure 4.14. Final configuration step

  • Page 40

    11. To connect to the PPTP VPN server after creating the VPN connection, click on Start, then on Connect To. 12. Select the VPN connection in the window and click on Connect. 13. Enter the user name and password provided by your system administrator and click on the Connect button. The connection sh...

  • Page 41

    You can verify the status of the VPN connection by clicking on the network icon in the lower right corner of your Windows desktop (see the image below). 1. Click on the Start button and navigate to the Control Panel. Figure 4.16. Connection successful Figure 4.17. PPTP connection status 4.5. Windows...

  • Page 42

    2. In the Control Panel, select Network and Internet. Figure 4.18. Windows 7 Control Panel

  • Page 43

    3. Select Network and Sharing Center. 4. Click on Set up a new connection or network. Figure 4.19. Windows 7 Control Panel Figure 4.20. Windows 7 Network and Sharing Center

  • Page 44

    5. Select Connect to a workplace and click on Next. 6. Select the first option (Create a new connection) as shown below and click on Next. Figure 4.21. Set up a new connection or network Figure 4.22. Connect to a workplace

  • Page 45

    7. Click on Use my Internet connection. Figure 4.23. Creating a new connection Figure 4.24. Creating a new connection

  • Page 46

    8. Enter the external IP address or FQDN of the aXsGUARD Gatekeeper PPTP server you are connecting to (e.g. 62.58.227.146 or vpn.mydomain.com) and enter a name for the connection (e.g. Office). 9. Leave the other options open and click on Next. 10. Enter the user name and password provided by your ...

  • Page 47

    12. Click on Connect. You should be connected after a few seconds, depending on the speed of your Internet connection. You can verify the status of the VPN connection by clicking on the network icon in the lower right corner of your Windows desktop (see the image below). Figure 4.26. PPTP connection...

  • Page 48

    Figure 4.27. PPTP status

  • Page 49: Chapter 5. Troubleshooting

    The client is connected to the PPTP VPN, but cannot access any resources. 1. Check the VPN & RAS firewall rights of the user and adjust them if necessary (see Section 3.6, “PPTP firewall settings”). 2. Check the IP address of the client’s PPP device. If the client’s PPP device’s IP address is withi...

  • Page 50

    PPTP error 734: The PPP link control protocol was terminated. You probably are using incompatible encryption or authentication settings for PPTP: 1. Create a new VPN connection with standard settings (see Section 4.3, “Windows XP configuration”). 2. Test the new VPN connection. PPTP error 741: The ...

  • Page 51

    1. The client sits behind a firewall which is blocking PPTP / GRE traffic. The firewall should be configured to allow this traffic (see Section 2.6, “Firewalls and PPTP” and Section 4.2, “Client-side firewall”). Refer to your router / firewall documentation if necessary. 2. Verify the user’s PPTP s...

  • Page 52

    1. Log on to the aXsGUARD Gatekeeper Administrator Tool as explained in the Command Line Interface How To. 2. Use the tcpdump command on the Internet device. PPTP log error GRE: read(fd=7,buffer=8056b60,len=8260) from network failed: status = -1 error = protocol not available 1. Client firewall: mak...

  • Page 53: Chapter 6. Support

    In this section we provide instructions on what to do if you have a problem, or experience a hardware failure. If you encounter a problem with a VASCO product, follow the steps below: 1. Check whether your problem has already been solved and reported in the knowledge base at the following URL: http:...

  • Page 54: Alphabetical Index

    A authentication, supported authentication methods aXsGUARD Gatekeeper, what is the aXsGUARD Gatekeeper? C CHAP, key elements of PPTP security control channel, standard PPTP deployment D data channel, standard PPTP deployment documentation, available guides E encapsulation, protocol description F fi...

  • Page 55

    R routing, overview S support, support T troubleshooting, troubleshooting tunneling, protocol description V virtual private network, what is a virtual private network? VPN, what is a virtual private network?