Firewall Config VPN

VPN

Attention! VPN does not work if the Internet interface of the firewall is set to DHCP!

Road warrior installation

With Kwickserver Firewall you can give people outside your networks access to those networks over a VPN (virtual private network). This takes a few steps. The following describes how to connect a Windows XP computer over VPN.

1. Go to the VPN page in the Kwickserver web administration, activate VPN for the local network of your choice using the dropdown list, and save with the button beside it.

2. Download the certificate for your Windows XP computer. To do this, type a password into the "Password" text box (remember that password!) and click the button beside it. Your browser should now download a file named certificate.p12. Save that file somewhere.

3. Download the configuration file you need on your Windows XP computer with the link below.

4. Transfer both downloaded files to your Windows client computer. Do not use FTP or any other insecure protocol over the Internet for this transfer! The certificate.p12 file has to be kept secret! Use scp, floppy disks, etc.

5. Download the ipsec.exe utility from http://vpn.ebootis.de and unzip it to some directory on your Windows machine (e.g. c:\vpn).

6. Create an IPsec + Certificates MMC
Start/Run/MMC
File (or Console) - Add/Remove Snap-in
Click on 'Add'
Click on 'Certificates', then 'Add'
Select 'Computer Account', and 'Next'.
Select 'Local computer', and 'Finish'.
Click on 'IP Security Policy Management', and 'Add'.
Select 'Local Computer', and 'Finish'
Click 'Close' then 'OK'

7. Add the certificate
Click the plus arrow by 'Certificates (Local Computer)'
Right-click 'Personal', and click 'All Tasks' then 'Import'
Click Next
Type in the path to the .p12 file (or browse and select the file), and click 'Next'
Type the export password, and click Next
Select 'Automatically select the certificate store based on the type of certificate', and click Next
Click Finish, and say yes to any prompts that pop up
Exit the MMC, and save it as a file so you don't have to re-add the snap-ins each time

8. Set up the IPSec utility
Install ipseccmd.exe (Windows XP) as described in the documentation for the ipsec utility. Note that for Windows XP SP2 you'll need a new version of ipseccmd.exe; it can be downloaded from http://support.microsoft.com/default.aspx?scid=kb;en-us;838079 .

Don't forget to copy the ipsec.conf file you downloaded from the Kwickserver into the directory of ipsec.exe!

9. Start ipsec.exe

Now you should be able to reach a computer inside your network from the Windows machine on the Internet.

Thanks to Nate Carlson for help with this documentation!

Delete road warriors

If you want to prevent a road warrior from accessing the network in the future, you must revoke that user's certificate. To do so, click "manage certificates" in the web administration. You will see a list of all certificates ever created. To the right of each certificate there is a link for revoking it. Click this link and confirm the prompt, and the certificate is revoked.

Creating VPN tunnels

If you have two networks at different locations, each protected by a Kwickserver Firewall, you can build a VPN tunnel between them. To do so, go to the VPN page in the web administration. The last section of the page contains the tunnel administration. You can manage VPN tunnels for both networks.

To set up a new tunnel, enter the following information in the form:

1. The external IP address of the remote firewall

2. The address of the network behind the remote firewall

3. The netmask of the network behind the remote firewall

After you have submitted the form, you can download the certificate using the link in the list and transfer it to the remote firewall. Be sure to transfer the certificate in a secure manner! In the web administration of the remote firewall you can now import the certificate using the very last form on the page.

Then repeat this procedure on the remote firewall. Afterwards you should be able to reach all computers in one network from the other. Make sure that the address ranges of the two networks do not overlap!
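
The three form fields and the overlap warning above can be checked before the tunnel is submitted. The following Python check is an added example, not part of Kwickserver; the function name check_tunnel_form and all sample addresses are assumptions made up for illustration.

```python
import ipaddress


def check_tunnel_form(local_net, local_mask, remote_ip, remote_net, remote_mask):
    """Return a list of problems with the tunnel values; an empty list means OK.

    local_net/local_mask describe the network behind this firewall; the other
    three arguments are the three fields of the tunnel form.
    """
    problems = []
    nets = {}
    for side, addr, mask in (("local", local_net, local_mask),
                             ("remote", remote_net, remote_mask)):
        try:
            # strict=True rejects host bits, e.g. 192.168.2.5/255.255.255.0,
            # and ipaddress itself rejects non-contiguous masks like 255.0.255.0.
            nets[side] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)
        except ValueError as exc:
            problems.append(f"{side} network {addr}/{mask} is invalid: {exc}")

    try:
        peer = ipaddress.IPv4Address(remote_ip)
        if peer.is_loopback or peer.is_multicast or peer.is_unspecified:
            problems.append(f"remote firewall IP {peer} is not a usable host address")
    except ValueError as exc:
        problems.append(f"remote firewall IP {remote_ip!r} is invalid: {exc}")

    # The page's warning: both protected networks must use disjoint ranges,
    # otherwise routing between them is ambiguous.
    if len(nets) == 2 and nets["local"].overlaps(nets["remote"]):
        problems.append(f"networks overlap: {nets['local']} and {nets['remote']}")
    return problems


if __name__ == "__main__":
    # Constructed sample values (documentation/private ranges), not from the page.
    print(check_tunnel_form("192.168.1.0", "255.255.255.0",
                            "203.0.113.10", "192.168.2.0", "255.255.255.0"))
    print(check_tunnel_form("192.168.0.0", "255.255.0.0",
                            "203.0.113.10", "192.168.2.0", "255.255.255.0"))
```

Run the same check with the roles swapped before filling in the form on the remote firewall.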

Deleting VPN tunnels

To delete a tunnel, just delete the certificate from the list on one of the firewalls. It is advisable to delete the certificates from both firewalls.

 
