F-Secure 5.x VPN client in IPSEC transport mode with a CEQURUX Firewall/VPN

For illustrative purposes, the POP3 service has been used as an example.

Client configuration
  1. Right-click on the F-Secure icon in your system tray and then left-click on Options.
  2. On the Settings and Statistics dialog (fig.1), select the application F-Secure VPN+ and then click on the Properties button.
  3. On the Connections/Rules tab (fig.2), click on one of the Add buttons to create a new connection rule.
  4. You will now see the Connection Editor window (fig.3) with your focus being on the Connection/Rule Tab.
  5. Give this connection a name and select Encrypted Connection from the Type drop-down menu.
  6. Select the method by which you will identify the remote firewall and enter the appropriate information in the Name field below that (i.e. FQDN or IP address).
    Leave the Networks behind gateway field blank - that is for tunnel mode only.
    You should also not need to set any Flags. For information on flags, please see the F-Secure documentation.
  7. Now click on the Encryption tab. See fig.4 for a screenshot.
  8. Select preshared key as the encryption type and then type the shared secret into the Name field.
    Remember that this must match exactly the Firewall's config.
    Fill in your FQDN (fully qualified domain name) as the name of your Own identity.
  9. Click on the SA settings button and select the protocols and ports that you wish to use and then click OK. See fig.5 for an example.
  10. Click on the Phase 1 button and select Aggressive mode and the Proposals and Lifetimes that correspond with the Firewall's configuration. See fig.6.
  11. Click on the Phase 2 button and similarly configure the Proposals and Lifetimes as per the Firewall. Set the PFS group to none. Check the keepalive checkbox if you want the connection to stay up indefinitely once it has been initialised. See fig.7 for a screenshot.
  12. If you installed F-Secure with the Distributed Firewall option, you will need to configure the Services that should be allowed. The default is to allow all services in both directions. Fig.8 shows an example setup.

Firewall configuration

To configure the firewall using fwadmin, follow these steps:
  1. Invoke fwadmin as root user on the firewall and navigate to Other Keys->Setup->Other Keys->VPNs->IPSEC VPNs->IKE Transport
  2. You should see a screen that looks similar to fig.15. Set the FQDN and Shared Secret as per step 8 of the client configuration above.
    You MUST use ESP as the protocol. At the moment, it is the only protocol that will work with the F-Secure client.
    Set your Algorithms, Group and Lifetimes to be the same as per the client (as per Steps 10 & 11 above).
  3. Now you will need to configure the proxy to use IPSEC for the service that you wish to use. In this example we have set up a POP3 proxy as per fig.16. Note that the IPSEC only field is set to YES.
  4. Remember to save your configuration.

To configure the firewall using remadmin, follow these steps:
  1. Invoke remadmin and make a connection to the firewall.
  2. Click on the VPN radio button at the bottom, and then on the IKE Transports tab (see fig.17).
  3. Click on the New button to create a new entry. Your screen should look something like fig.18. Set the FQDN and Shared Secret as per step 8 of the client configuration above.
    You MUST use ESP as the protocol. At the moment, it is the only protocol that will work with the F-Secure client.
    Set your Algorithms, Group and Lifetimes to be the same as per the client (as per Steps 10 & 11 of the client configuration above).
  4. Now you will need to configure the proxy to use IPSEC for the service that you wish to use. This cannot be done using the remadmin tool as there is no toggle for the IPSEC only field. You must therefore use fwadmin to set the proxy. See step 3 of the fwadmin procedure above.
  5. Remember to save your configuration.

Making the connection

  1. The connection will be initiated from the client side, so depending on the service that you wish to connect to, invoke that particular client and attempt to connect to the service on the remote firewall. In the case of our example, it would be a POP3 mail client connecting to port 110 on 192.96.22.29.
  2. The system tray icon will change to indicate a link (which does not necessarily mean the connection succeeded).
  3. If you look at the logs in the web interface (Status tab, then click View configuration, then full logs), you should see successful Phase 1 and Phase 2 negotiations. If you see only Phase 1, then something has gone wrong.
    Fig.10 shows a screenshot of the logs for a successful negotiation.
  4. To see established IKE connections, look at the IKE tab (fig.11) or the link on the web interface (fig.13).
  5. To see established IPSEC connections, look at the IPSEC tab (fig.12) or the link on the web interface (fig.14). You will only see information here if Phase 2 completed successfully and you actually connected to the remote service.
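To make the log check in step 3 quicker to repeat, here is an added example (not from the original guide and not a CEQURUX tool) that scans IKE log lines, works out per client whether Phase 1 and Phase 2 completed, and maps a "Phase 1 only" result back to the settings the guide says must match. The log line format, the peer addresses and the LINE_RE pattern are constructed for this example; the real full-log output shown in fig.10 will differ, so adjust LINE_RE to it.

```python
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format, not the firewall's real output).
SAMPLE_LOG = """\
Jun 01 10:01:02 fw ike: 192.0.2.10 phase1 aggressive mode complete
Jun 01 10:01:03 fw ike: 192.0.2.10 phase2 quick mode complete esp
Jun 01 10:05:44 fw ike: 192.0.2.77 phase1 aggressive mode complete
Jun 01 10:05:45 fw ike: 192.0.2.77 phase2 no proposal chosen
Jun 01 10:09:00 fw ike: 192.0.2.99 phase1 authentication failed
"""

# Assumed line layout: "... ike: <peer> phase1|phase2 <message>"
LINE_RE = re.compile(r"ike: (?P<peer>\d+\.\d+\.\d+\.\d+) (?P<phase>phase[12]) (?P<msg>.*)$")

# Which guide settings to revisit for each outcome (taken from the steps above).
HINTS = {
    "ok": "Phase 1 and Phase 2 completed; if the service still fails, check the proxy's IPSEC only field.",
    "phase1-only": "Phase 2 failed: compare Phase 2 proposals and lifetimes, set PFS group to none, use ESP.",
    "phase1-failed": "Phase 1 failed: check the shared secret, the FQDN identity, aggressive mode and Phase 1 proposals.",
}


def negotiation_state(log_text):
    """Return {peer: (verdict, [error messages])} for every peer seen in the log."""
    seen = defaultdict(lambda: {"phase1": False, "phase2": False, "errors": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IKE line in the assumed format
        peer, phase, msg = m.group("peer"), m.group("phase"), m.group("msg")
        if re.search(r"\bcomplete\b", msg):
            seen[peer][phase] = True
        else:
            seen[peer]["errors"].append(f"{phase}: {msg}")
    result = {}
    for peer, s in seen.items():
        if s["phase1"] and s["phase2"]:
            verdict = "ok"
        elif s["phase1"]:
            verdict = "phase1-only"   # the guide's "only Phase 1" failure case
        else:
            verdict = "phase1-failed"
        result[peer] = (verdict, s["errors"])
    return result


def report(log_text):
    """Human-readable summary, one line per peer, with the matching hint."""
    return [f"{peer}: {verdict} - {HINTS[verdict]}" for peer, (verdict, _) in negotiation_state(log_text).items()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```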