
AppNote: SSH Client Interoperability with NBM 3.8 Server

Novell Cool Solutions: AppNote
By Upendra Gopu


Posted: 11 Dec 2003
 

Abstract: This document is aimed at users of the VPN client. It briefly explains how to use the SSH Sentinel client with the Novell BorderManager (NBM) 3.8 server in the following modes.

  • Authentication: Pre-shared key, X.509 certificate
  • Encryption: 3DES, DES

Table of Contents:

1.0 Introduction
1.1 Further Information
2.0 Requirements
2.1 Configuring the SSH Sentinel Client
2.2 Pre Shared key creation
2.3 Certificate Importing
2.4 Security Policy
2.4.1 IKE Proposal
2.4.2 IPSEC Proposal
2.5 Connection Initiation
3.0 Conclusion

1.0 Introduction

This document briefly explains how to use the SSH Sentinel client with the NBM 3.8 server in the following modes.

  • Authentication: pre-shared key, X.509 certificate
  • Encryption: 3DES, DES

In addition to these, all the sample configurations in this document use the following IKE/IPsec proposals:

  • IP compress: disabled
  • IKE Lifetime: 240 minutes (4 hours)
  • IPsec lifetime: 60 minutes (1 hour)
  • IKE integrity: MD5-HMAC
  • IKE mode: Main mode
  • IKE Group: MODP 1024 (group 2)
  • IPsec integrity: MD5-HMAC, SHA-1-HMAC
  • IPsec mode: tunnel (for all VPN connections)
  • PFS: enabled (MODP 1024, group 2, or MODP 768, group 1)

This document does not cover the following scenarios:

  • NAT-Traversal (NAT-T) patch
  • Transport mode host-to-host connections

1.1 Further Information

Novell BorderManager: http://www.novell.com/products/bordermanager/
SSH Sentinel Client: http://www.ssh.com/

2.0 Requirements

This document is based on interoperability tests between the SSH Sentinel client and the NBM 3.8 VPN server. The infrastructure used is:

  • Windows 2000 Professional with Service Pack 4
  • SSH Sentinel Client
  • NBM 3.8 VPN Server

2.1 Configuring the SSH Sentinel Client

Go to the system tray and right-click the SSH Sentinel Client icon. The menu is shown in Figure 1. Click Run Policy Editor; the Policy Editor dialog box shown in Figure 1 appears.


Figure 1 Policy Editor

Click the Key Management Tab.

The following will appear:


Figure 2 Key Management

2.2 Pre Shared key creation

To add a pre-shared key, select the My Keys folder and click ADD. In the wizard, select the Create a Pre-shared Key radio button and click Next. Provide the name of the key, enter your shared secret, confirm it, and click Finish.

The key should now appear in the My Keys folder as a key symbol with the name you gave during creation, as shown in Figure 2.

2.3 Certificate Importing

Copy the user certificate to your local machine. In the Key Management tab, right-click Host Key and click Import. A browse window appears; select the user certificate you stored on your local machine. Some dialog boxes about the certificates will be displayed; click Yes in each of them.

2.4 Security Policy

Click the Security Policy tab, then click VPN Connections. Click ADD in VPN Connections to create a new VPN connection. The ADD VPN Connection dialog box is depicted in Figure 3. Enter the IP address of the VPN Security Gateway. Next, click the '?' button to open the Network Editor box for the remote network of the VPN Security Gateway, as shown in Figure 3; this is the protected network behind the server. Click OK to return to ADD VPN Connection. For the Authentication Key, select either the pre-shared key or the certificate, as shown in Figure 3. Select the Use Legacy Proposal check box.


Figure 3 VPN Connection

Click the Properties button in ADD VPN Connection; the dialog box shown in Figure 4 appears.


Figure 4 Rule Properties

In the General tab, click the Settings button in the IPsec/IKE proposal section. The dialog box shown in Figure 5 appears.


Figure 5 IPsec or IKE Proposed Parameters

Now you can select the following:

2.4.1 IKE Proposal

  • Encryption algorithm: 3DES
  • Integrity function: MD5
  • IKE mode: main mode
  • IKE group: MODP 1024 (group 2)

2.4.2 IPSEC Proposal

  • Encryption algorithm: 3DES
  • Integrity function: HMAC-SHA-1
  • IPSEC mode: tunnel
  • PFS group: MODP 1024 (group 2)

In the Advanced tab of the Rule Properties dialog box, click Settings. The Security Association Lifetimes dialog box shown in Figure 6 appears.


Figure 6 IPsec and IKE Security Association Lifetimes

Provide the following values:

IKE security association:

Lifetime in minutes: 240 min.
Lifetime in megabytes: 0 MB.

IPsec security association:

Lifetime in minutes: 60 min.
Lifetime in megabytes: 0 MB.

Click OK and come back to the Policy Editor. Click Apply in the Policy Editor Dialog box.

At this point, highlight the connection and click the Diagnostics button. If everything is configured correctly, the result shown in Figure 7 is displayed.


Figure 7 Diagnostics

If you get an error such as "No Proposal Chosen" for either IKE or IPsec, refer to the server parameters configured in the Traffic Rules for the client-to-site services, and change the client's Encryption, Authentication and Perfect Forward Secrecy parameters to match those of the server.
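The "No Proposal Chosen" error is simply the server rejecting every attribute set the client offered, so the quickest way to resolve it is to compare the client's IKE and IPsec proposals from sections 2.4.1 and 2.4.2 attribute by attribute against what the server's Traffic Rules accept. The following Python script is an added example, not part of this AppNote and not Novell or SSH code: it models both proposal types, reports the first exact match, and when nothing matches lists exactly which attributes differ (the information you need to change on the client). The server-side rule sets below are constructed for illustration, not taken from any real NBM configuration.

```python
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkeProposal:
    encryption: str   # e.g. "3DES" or "DES"
    integrity: str    # e.g. "HMAC-MD5" or "HMAC-SHA1"
    mode: str         # "main" or "aggressive"
    group: int        # IKE Diffie-Hellman group: 1 = MODP 768, 2 = MODP 1024


@dataclass(frozen=True)
class IpsecProposal:
    encryption: str
    integrity: str
    mode: str                 # "tunnel" or "transport"
    pfs_group: Optional[int]  # None means PFS disabled


# Algorithms the AppNote tests that a practitioner should treat as legacy today.
LEGACY_ALGORITHMS = {"DES", "HMAC-MD5"}


def mismatches(client, offered) -> List[str]:
    """List every attribute where the client's proposal differs from one server proposal."""
    return [
        f"{attr}: client={want!r} server={getattr(offered, attr)!r}"
        for attr, want in asdict(client).items()
        if want != getattr(offered, attr)
    ]


def negotiate(client, server_proposals) -> Tuple[Optional[object], List[List[str]]]:
    """Return (matching server proposal, []) on success, or (None, per-proposal
    mismatch lists) when the server would answer "No Proposal Chosen"."""
    diffs_per_proposal = []
    for offered in server_proposals:
        diffs = mismatches(client, offered)
        if not diffs:
            return offered, []
        diffs_per_proposal.append(diffs)
    return None, diffs_per_proposal


def legacy_warnings(proposal) -> List[str]:
    """Flag DES / HMAC-MD5 so the chosen proposal is not silently the weakest one."""
    return [f"{alg} is a legacy algorithm" for alg in (proposal.encryption, proposal.integrity)
            if alg in LEGACY_ALGORITHMS]


# Client settings exactly as given in sections 2.4.1 and 2.4.2 of the AppNote.
CLIENT_IKE = IkeProposal("3DES", "HMAC-MD5", "main", 2)
CLIENT_IPSEC = IpsecProposal("3DES", "HMAC-SHA1", "tunnel", 2)

# Constructed (hypothetical) server Traffic Rule proposals for the demonstration.
SERVER_IKE = [
    IkeProposal("3DES", "HMAC-MD5", "main", 2),
    IkeProposal("DES", "HMAC-MD5", "main", 1),
]
# This server has PFS disabled, so the client's PFS group 2 will never match.
SERVER_IPSEC_NO_PFS = [
    IpsecProposal("3DES", "HMAC-SHA1", "tunnel", None),
    IpsecProposal("DES", "HMAC-MD5", "tunnel", None),
]


def report(name, client, server_proposals) -> str:
    chosen, diffs = negotiate(client, server_proposals)
    if chosen is None:
        lines = [f"{name}: No Proposal Chosen"]
        for i, d in enumerate(diffs, 1):
            lines.append(f"  server proposal {i}: " + "; ".join(d))
        return "\n".join(lines)
    warn = legacy_warnings(chosen)
    return f"{name}: agreed on {chosen}" + (f" (warning: {', '.join(warn)})" if warn else "")


if __name__ == "__main__":
    print(report("IKE", CLIENT_IKE, SERVER_IKE))
    print(report("IPsec", CLIENT_IPSEC, SERVER_IPSEC_NO_PFS))
```

Run the script as-is and the IKE phase agrees on the first server proposal (with a warning that HMAC-MD5 is legacy), while the IPsec phase fails with a single differing attribute, pfs_group, which is exactly the setting to change on the client (or on the server's Traffic Rule) before retrying the Diagnostics check.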

2.5 Connection Initiation

Right-click the SSH icon in the system tray and move the cursor to Select VPN in the menu. Your new connection is listed there; click it. Once the connection is established, a message informs you that it is up.

To check whether the packets are actually being encrypted, click the SSH icon in the system tray and then click View Statistics.

3.0 Conclusion

This interoperability has been tested with the 3DES and DES encryption algorithms, the HMAC-MD5 and HMAC-SHA1 authentication algorithms, perfect forward secrecy (PFS) both on and off, and both certificate and pre-shared key authentication. Novell recommends that you verify the interoperability of the SSH Sentinel client and the NBM 3.8 server on a simulated test network before deploying them directly in a production environment.

If you have any questions you may contact Upendra at gupendra@novell.com


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell