4-1 pse_4konf.503 eagle getting started and configuration
TRANSCRIPT
4-1PSe_4Konf.503
EAGLE Getting Started and Configuration
Access
Preparation: There are 2 methods for entering the Eagle for the first time.
Static ARP entry HiDiscovery (self explanatory)
Static ARP entry is achieved by opening a command prompt on the configuration PC while attached to the secure port of the Eagle.
EX. Arp –s 1.1.1.1 00-11-22-33-44-55
The arp entry is transmitted in the direction of the Eagle and intercepted by the Eagle allowing WEB access @:
HTTPS://1.1.1.1
Eagle
Access
Preparation: There are 2 methods for entering the Eagle for the first time.
Static ARP entry
Eagle
Access
Login via Web Interface: Ex. HTTPS://10.24.228.222
Note the use of HTTPS in other words "encrypted" web access
Eagle
Access
Login via Web Interface: Makes Sure to accept the certificate
Eagle
(private)
Access
Login via Web Interface: User Name and Login same as switches Admin / Private
Eagle
Because it is necessary to build/establish an L2TP/IPSec VPN from the "unsecured" port of the Eagle, it is necessary to establish some rules for access to the unit before we begin.
Incoming Firewall rules
HTTPS access from "outside"
SNMPv3 Access for encrypted login
Eagle
Eagle
Configuration
Firewall: Select "Firewall"
Eagle
Configuration
Firewall: Select "Incoming" or "Untrusted"
Eagle
Select "New"
Eagle
Select either an IP range or individual address Both incoming and outgoing
Select which protocols to be allowed in
Then select OK
Because it is necessary to build/establish an L2TP/IPSec VPN from the "unsecured" port of the Eagle, it is necessary to establish some rules for access to the unit before we begin.
Incoming Firewall rules
HTTPS access from "outside"
SNMPv3 Access for encrypted login
Eagle
Configuration
External HTTPS: Select "Access"
Eagle
Configuration
External HTTPS: Select "HTTPS"
Eagle
Select "Yes"
Eagle
Select "New" then "OK"
Eagle
Because it is necessary to build/establish an L2TP/IPSec VPN from the "unsecured" port of the Eagle, it is necessary to establish some rules for access to the unit before we begin.
Incoming Firewall rules
HTTPS access from "outside"
SNMPv3 Access for encrypted login
Eagle
Configuration
External SNMP: Select "Access"
Eagle
Configuration
External SNMP: Select "SNMP"
Eagle
Select "Yes" in both places
Eagle
Select "New" then "OK"
Eagle
Because it is necessary to build/establish an L2TP/IPSec VPN from the "unsecured" port of the Eagle, it is necessary to establish some rules for access to the unit before we begin.
Incoming Firewall rules
HTTPS access from "outside"
SNMPv3 Access for encrypted login
Eagle
L2TP/IPSec VPN
Goal: To establish an encrypted communication between VPN client
software and the Eagle TX/TX with VPN
Suggestions: IP address scheme Access list (IP or User) in other words how many devices(users) will
have access to how many other devices(users).
Eagle
Eagle
HIRSCHMANN
VPN Tunnel
Untrusted Port10.24.228.222
10.24.228.xxx
Trusted Port192.168.1.1
192.168.1.3
L2TP/IPSec VPN
The diagram illustrates the machines, connections and addresses involved in the configuration
L2TP/IPSec VPN (Certificates)
There are a total of 4 (x.509) certificates necessary to build the intended VPN tunnel.
There are 2 "Machine" certificates with (.p12) file extensions Windows-Certificate e.g. WinMaCert.p12 Eagle-Certificate e.g EagleMaCert.p12
There are 2 "Trusted" or "connection" certificates with (.cer or .crt) extensions
CA-Certificate (trusted) e.g TrustedCA.crt Windows-Connection e.g WinCoCert.crt
It is extremely important that these 4 certificates be allocated to the proper locations. Any discrepancy in the location of these certificates will result in a security negotiation failure.
Eagle
L2TP/IPSec VPN (Certificates)
Configuration of the Windows Management Console for importing of certificates...
Start -> Run, enter mmc and click OK. Select Console -> Add/Remove Snap-in and click Add. Select Certificates from the list and click Add. Select Computer Account and click Next. Select Local Computer and select Finish. Close the "Add Stand alone Snap-In" window. The entry Certificates (local computer) should appear in the list, Click
OK. Select Console -> Save. Select Desktop from the Save In field. (Name it something Familiar to
YOU!!!) and click save. Close MMC by selecting Console -> Exit from the menu.
You should now have an icon on your desktop for direct access into the MMC
Eagle
L2TP/IPSec VPN (Certificates)
Import of the TrustedCA certificates... Double-Click the MMC icon on your desktop Right click Personal and select All Tasks -> Import Select Next Select Browse. Select the option X.509 Certificate (*.cer, *.crt) from Type of Files
and select TrustedCA. Select Open and click Next. Select the option Place all certificates in the following store
and click Next. Select Finish.
Eagle
L2TP/IPSec VPN (Certificates)
Import of the Machine certificates... Double-Click the MMC icon on your desktop Right click Trusted Root Certificate Authority and select All
Tasks -> Import Select Next Select Browse. Select the option Personal Information Exchange (*.pfx, *.p12)
from Type of Files and select windows machine certificate. Select Open and click Next. Enter the password, which protects the certificate against
unauthorized usage and click next. Select the option Place all certificates in the following store
and click Next. Select Finish.
Eagle
Eagle
L2TP/IPSec VPN
Configuration of Eagle VPN settings.
From the secure side under Router, assign an IP address to the "External Port"...
This is the address that we will be connecting to from our VPN client...
Eagle
L2TP/IPSec VPN
Configuration of Eagle VPN settings.
From the secure side, we must change the Eagle "Network Mode" to Router...
This will cause a reboot on the Eagle...
L2TP/IPSec VPN
Configuration of Eagle VPN settings. It is important to remember now to set the PC you are connecting from to the
same IP scheme and subnet as the unsecure port on the Eagle...
Log back into the Eagle from the UN-secure port of the Eagle and select VPN from the menu structure then "L2TP"...
Select "Yes" in the "Start L2TP Server for IPSec/L2TP" line then click ok...
Eagle
L2TP/IPSec VPN
Configuration of Eagle VPN settings.
Select "Connections" then click New and name the connection.
Select OK then click Edit...
Eagle
L2TP/IPSec VPN
Configuration of Eagle VPN settings. This is the most important section on the EDIT page as it will determine where
the VPN will originate, from where we will allow the connection as well as what type of connection will be used
Make sure the connection is enabled...
Enter the IP address from where the connection will be allowed (%any) means from any address,
Select "Transport (L2TP SSH Sentinel) if you have WinXP or the XP client..
Then select "Wait for connection from..."
Eagle
L2TP/IPSec VPN
Configuration of Eagle VPN settings. For L2TP/IPSec VPN connection from a software client, the authentication method
may only be X.509. This setting along with all the others are the defaults and can be left alone with the exception of PFS. PFS must be set to "NO"!!!
All of the other criteria on this page can be left as default!!!
Select OK...
Eagle
Eagle
L2TP/IPSec VPN
Configuration of Eagle VPN settings.
Click the configure button!
L2TP/IPSec VPN
Configuration of Eagle VPN settings.
Select Browse...
Eagle
Eagle
L2TP/IPSec VPN
Configuration of Eagle VPN settings.
Select the proper certificate and click Open...
Eagle
L2TP/IPSec VPN
Configuration of Eagle VPN settings.
The file location should populate the field.
Select Import
Eagle
L2TP/IPSec VPN
Configuration of Eagle VPN settings.
The current certificate is shown
***You must select the Back button here before going any further...!!!
Eagle
L2TP/IPSec VPN
Configuration of Eagle VPN settings.
Then Select OK to save to the Eagle.
Eagle
L2TP/IPSec VPN
Configuration of Eagle VPN settings.
Next select machine certificate from the menu
Select browse
Eagle
L2TP/IPSec VPN
Configuration of Eagle VPN settings.
Select the Eagle Machine Certificate
Click Open
L2TP/IPSec VPN
Configuration of Eagle VPN settings.
The file location should populate the field.
Enter the pre-assigned password
Select Import
Then select OK!!!
Eagle
L2TP/IPSec VPN
Connection from the Windows VPN Client
Under "Network Connection" from your PC, select "Create New Connection"
Eagle
L2TP/IPSec VPN
Connection from the Windows VPN Client
Under "Network Connection" from your PC, select "Create New Connection"
Eagle
Eagle
L2TP/IPSec VPN
Connection from the Windows VPN Client
Eagle
L2TP/IPSec VPN
Connection from the Windows VPN Client
Eagle
L2TP/IPSec VPN
Connection from the Windows VPN Client
Eagle
L2TP/IPSec VPN
Connection from the Windows VPN Client
Eagle
L2TP/IPSec VPN
Connection from the Windows VPN Client
Eagle
L2TP/IPSec VPN
Connection from the Windows VPN Client
Eagle
L2TP/IPSec VPN
Connection from the Windows VPN Client
Eagle
L2TP/IPSec VPN
Connection from the Windows VPN Client
Eagle
L2TP/IPSec VPN
Connection from the Windows VPN Client
Eagle
L2TP/IPSec VPN
Connection from the Windows VPN Client
Eagle
L2TP/IPSec VPN
Connection from the Windows VPN Client
Eagle
L2TP/IPSec VPN
Connection from the Windows VPN Client
Eagle
L2TP/IPSec VPN
Connection from the Windows VPN Client
L2TP/IPSec VPN
Functioning Tunnel
If you rememeber earlier when we turned the "L2TP Service" On, there was a connection range of IP addresses.
These addresses are assigned to the remote PC that authenticates or tunnels to the Eagle...
Eagle