Fvx538/fvs338 V2.0 how to deploy remote access to the enterprise VPN using Xauth Technology

Source: Internet
Author: User


1. Tutorial purpose

2. Understand Xauth applications

3. Experiment environment

4. Experiment operations

    4.1 Select the appropriate RADIUS service

    4.2 FVX538 firewall Xauth configuration

        4.2.1 Set the Xauth mode of the VPN firewall

        4.2.2 Configure the VPN firewall to use the local database for verification

    4.3 Configure the IPSec VPN client software Xauth

    4.4 Test the connection

1. Tutorial purpose

This tutorial uses FVX538 version 2.0.0-139 as an example to describe the Xauth application configuration of Netgear series firewalls. Xauth is the extended authentication protocol integrated into IPSec VPN. It provides an identity authentication mechanism for applications that need to identify and authenticate each individual user: it allows the VPN gateway to authenticate a user against the user records held in a RADIUS server or in the gateway's local database. The tutorial mainly covers the following:

1. Select and configure the RADIUS server

2. Xauth configuration of the FVX538 firewall

3. Configure the IPSec VPN client software Xauth

After completing these steps, the reader can apply Xauth to a remote-access VPN network. (This article applies to FVX538/FVS338 product users.)

2. Understanding Xauth applications

With the rapid development of broadband access, a wide range of small and medium-sized commercial enterprises deploy IPSec VPN networks, and it is very common for remote clients to reach the company's central resources this way. In IPSec VPN applications, many clients are usually set up to connect to the VPN center network. The common practice of network administrators is to create a separate VPN policy and preset password for each user in order to tell the users apart. The resulting amount of configuration is huge and management is inconvenient. Mainstream IPSec VPN gateway devices therefore offer another solution: a single VPN policy configured in the VPN gateway can allow simultaneous access by up to 1000 remote clients, and the same policy configuration is distributed to every client. Because the VPN configuration policies of all remote clients are then identical, the remote clients are no longer distinguished individually. This improves convenience, but at the same time it reduces the security of the entire network.

In this arrangement the administrator configures only one policy in the VPN gateway device, but each remote client must still present its own user credentials at access time, and the VPN gateway device centrally manages the credential information of the remote users. This greatly reduces the workload of network administrators, ensures the security of remote client access and improves overall work efficiency. The technology is integrated into IPSec VPN as the Xauth extended authentication protocol. Xauth provides an identity authentication mechanism for applications that need to identify and authenticate each user; it allows the VPN gateway to authenticate users against the user information recorded in a RADIUS server or in the local database.

RADIUS (Remote Authentication Dial-In User Service, RFC 2865) is an authentication, authorization and accounting (AAA) protocol for managing many users in a network. The RADIUS server stores valid user information in its database and can grant access permissions to valid users who request network resources.

Xauth in a typical remote-client-to-central-VPN-gateway application:

Figure 1: Xauth and RADIUS example

As Figure 1 shows, when a remote client initiates a VPN connection request, the VPN gateway interrupts the VPN negotiation process through Xauth (extended authentication) and requires the client to enter a valid user name and password for verification. After receiving the user name and password from the client, the gateway first checks whether the information is valid in the local database; if the corresponding user name is not found there, the credentials are forwarded to the RADIUS server for verification. If the user is determined to be valid, the VPN negotiation process continues and the remote client is assigned an IP address once the connection succeeds. If the user is determined to be invalid, the VPN connection is interrupted.

Because Xauth combined with RADIUS brings unprecedented security and convenient management features to commercial users who rely heavily on VPN technology, many internationally well-known VPN device vendors, such as Cisco, Check Point and Netgear, have started to support Xauth in their products.

3. Experiment environment

Test environment: the WAN1 port IP of the FVX538 is set to 58.62.221.130, the LAN IP address is 192.168.1.1, and the RADIUS server IP address is 192.168.1.200. Refer to the network configuration diagram.

4. Experiment operations

4.1 Select an appropriate RADIUS service

The Netgear ProSafe VPN Firewall FVX538 supports most standard free and commercial RADIUS server programs, such as:

  • FreeRADIUS, an open-source program for Linux
  • Microsoft Windows IAS
  • Funk Software Steel-Belted Radius

For the configuration of any RADIUS server, refer to the standard configuration documentation provided by its vendor. This article does not detail the configuration of each RADIUS product.

4.2 FVX538 firewall Xauth configuration

4.2.1 Set the Xauth mode of the VPN firewall

When configuring the IKE policy of the VPN, you can enable the Xauth function of the VPN if you want to use Xauth. When configuring Xauth, the system offers two modes to choose from:

  • IPSec host: the firewall acts as the client and must provide a user name and password when connecting to the center.
  • Edge device: the firewall acts as the server (center), and connecting clients must undergo password verification.

When the VPN firewall is defined as an IPSec host, the device provides its user name and password to the server when a VPN connection is established.

When the VPN firewall is defined as an edge device, the VPN gateway requires the client to enter a valid user name and password for verification. After receiving the user name and password from the client, the gateway first checks in the local database whether the information is legal. If the corresponding user name cannot be found in the local database, the information is forwarded to the RADIUS server for verification. If the user is determined to be legal, the VPN negotiation process continues; if the user is determined to be illegal, the VPN connection is interrupted.

The specific settings are as follows:

  1. Enter the IKE Policies option and click the Edit button to go to the IKE Policies editing page.
  2. Under the Xauth item, select Edge Device.
  3. In Authentication Type, select Generic to use the PAP protocol; otherwise select CHAP to use the CHAP protocol. If you plan to use RADIUS, the corresponding authentication protocol must also be set on the RADIUS server. PAP is simple and practical, while CHAP is more secure.
  4. Click Apply to make the configuration take effect.
  5. Next, set whether your VPN firewall verifies users against the local database or against the extended RADIUS server. The firewall first uses the user names and passwords defined under User Database for verification; if no match is found, it turns to the RADIUS server defined under Radius Client for verification.

4.2.2 Configure the VPN firewall to use the local database for verification

Even if no RADIUS server is configured, you can still use the user database built into the VPN firewall for user authentication. Before using this function, configure the user information under the User Database item as follows:

  1. Click Add under the User Database item.
  2. Enter the corresponding user name and password.
  3. Click the Apply button to start using the local database.

(3) Configure the firewall to use the RADIUS server for verification

Under VPN Client > Radius Client, you can define a primary RADIUS server and a backup RADIUS server. The firewall first contacts the primary RADIUS server; if that server does not respond, it turns to the backup RADIUS server.
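The verification order described in step 5 of 4.2.1 (local User Database first, RADIUS only for user names not found there) and the primary/backup failover described just above can be modelled in a few dozen lines. The following is an added example written for this page, not Netgear firmware code: the RADIUS servers are constructed in-memory stand-ins with a "responsive" switch, the user tables are made up, and the names `XauthEdgeDevice`, `FakeRadiusServer` and `demo` are this example's own.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional


class RadiusNoResponse(Exception):
    """Raised when a RADIUS server does not answer; this is the condition that
    makes the firewall move on to the backup server."""


@dataclass
class FakeRadiusServer:
    """Constructed stand-in for a RADIUS server: a user table plus a
    'responsive' switch. A real deployment talks to UDP/1812 instead."""
    name: str
    users: dict
    responsive: bool = True
    requests: list = field(default_factory=list)  # user names it was asked about

    def authenticate(self, user: str, password: str) -> bool:
        self.requests.append(user)
        if not self.responsive:
            raise RadiusNoResponse(self.name)
        expected = self.users.get(user)
        # Constant-time comparison; a real server would check PAP/CHAP attributes.
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())


@dataclass
class XauthEdgeDevice:
    """Edge-device mode as the page describes it: the local User Database is
    consulted first, and only a user name absent there is forwarded to RADIUS,
    primary server first and backup server if the primary does not respond."""
    local_users: dict
    primary: Optional[FakeRadiusServer] = None
    backup: Optional[FakeRadiusServer] = None

    def verify(self, user: str, password: str):
        """Return (accepted, source), where source names what decided the outcome."""
        if user in self.local_users:
            # Name exists locally: the local entry decides, RADIUS is not consulted.
            ok = hmac.compare_digest(self.local_users[user].encode(), password.encode())
            return ok, "local-db"
        for server in (self.primary, self.backup):
            if server is None:
                continue
            try:
                return server.authenticate(user, password), server.name
            except RadiusNoResponse:
                continue  # no answer: try the next configured server
        # Nobody could vouch for the user: the VPN negotiation is interrupted.
        return False, "no-radius-response"


def demo() -> dict:
    """Run the constructed scenarios and return their (accepted, source) results."""
    primary = FakeRadiusServer("primary", {"bob": "bob-pw"})
    backup = FakeRadiusServer("backup", {"bob": "bob-pw"})
    gw = XauthEdgeDevice({"alice": "alice-pw"}, primary, backup)
    results = {
        "local ok": gw.verify("alice", "alice-pw"),
        "local bad pw": gw.verify("alice", "guess"),
        "radius ok": gw.verify("bob", "bob-pw"),
        "unknown": gw.verify("carol", "x"),
    }
    primary.responsive = False
    results["failover"] = gw.verify("bob", "bob-pw")
    backup.responsive = False
    results["both down"] = gw.verify("bob", "bob-pw")
    results["primary contacted for alice"] = "alice" in primary.requests
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:28s} -> {outcome}")
```

Two consequences of this order are worth checking in a real deployment: a user name that exists in the local database is decided locally even if its password is wrong, so RADIUS lockout or logging for that user never triggers; and when both RADIUS servers are silent, every non-local user is rejected, which is the safe failure mode but shows up as "VPN connection interrupted" rather than as a RADIUS error on the client.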

The primary and backup server settings are as follows:

  • Do you want to enable a primary RADIUS server? Select Yes to enable the primary RADIUS server.
  • Do you want to enable a backup RADIUS server? Select Yes to enable the backup RADIUS server; leave it at No if there is none.
  • Server IP Address: the RADIUS server IP address.
  • Secret phrase: the communication key (shared secret) between the RADIUS client and the server. This key must be configured separately on the server and on the client, and the two must match.
  • NAS identifier: the firewall acts in the NAS (Network Access Server) role. In a RADIUS session the NAS must submit its NAS identity to the RADIUS server; in this example the NAS identity can be the IP address of the firewall. In some applications the RADIUS server may require the NAS to provide a valid user name, in which case a valid user name can be entered here and submitted to the RADIUS service. In most cases, however, the RADIUS server does not require the NAS to provide a user name.

Click Apply to save the configuration.

Note: In the test, we used Steel-Belted Radius. The NAS identity does not need to be configured on that server. For the authentication type, select Generic (PAP).
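To make concrete what the Secret phrase, the NAS identifier and the Generic (PAP) versus CHAP choice actually do on the wire, here is an added example (written for this page, not code from Netgear or from any RADIUS product) that builds an RFC 2865 Access-Request the way the firewall, as NAS, would send it, and checks the server's reply. Every function name, the secret, the user name and the authenticator value are this example's own constructed inputs.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types used in this example
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CHAP_PASSWORD = 1, 2, 3
ATTR_NAS_IDENTIFIER, ATTR_CHAP_CHALLENGE = 32, 60


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """PAP User-Password hiding (RFC 2865 section 5.2): pad the password to a
    multiple of 16 bytes, then XOR each block with MD5(secret + previous
    ciphertext block); the Request Authenticator seeds the first block."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it. Anyone who
    holds the shared secret can do this, which is why the secret phrase matters."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return plain.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value (RFC 2865 section 5.3): the ident byte followed by
    MD5(ident + password + challenge). The password itself never leaves the NAS."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_identifier,
                         authenticator=None):
    """Assemble the Access-Request the VPN firewall (NAS) sends for a PAP Xauth
    login. Returns (packet, request_authenticator); the authenticator is random
    unless a fixed one is supplied for testing."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, nas_identifier))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side: an Access-Accept/Reject whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(response, request_authenticator, secret) -> bool:
    """NAS side: accept a reply only if its Response Authenticator was computed
    with the same shared secret and for this exact request."""
    if len(response) < 20:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if struct.unpack("!BBH", header)[2] != len(response):
        return False
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet: bytes) -> dict:
    """Split the attribute section of a RADIUS packet into {type: value}."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2:
            break  # malformed attribute; stop rather than loop forever
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

The example shows why the page's two cautions are not cosmetic. With Generic (PAP) the user's password is only masked with an MD5 keystream derived from the secret phrase, so a weak or widely shared secret turns every captured Access-Request into a recoverable password; keeping the RADIUS server on the trusted LAN segment (192.168.1.200 in this setup) limits who can capture it at all. CHAP sends only a hash of password and challenge, which is what "more secure" means here. On the reply side, a mismatched secret makes `response_is_authentic` fail, which is the usual reason an otherwise correct login is rejected after a fresh RADIUS install.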

4.3 IPSec VPN client software Xauth configuration

First configure the VPN client without Xauth. After the connection to the VPN firewall passes the test, add the corresponding Xauth options:

  1. Click Authentication and select Proposal 1. Choose parameters that match the IKE policy of the VPN firewall.
  2. In Authentication Method, select Pre-shared Key; Extended Authentication.
  3. Click the floppy disk icon to save the configuration.

4.4 Test the connection

  1. In the Windows taskbar, right-click the VPN client icon and choose My Connections/<connection name>.
  2. The login page appears within a few seconds.
  3. After you enter the correct user name and password, the client software displays the message "Successfully connected to My Connections/<connection name>".
  4. Ping a host in the peer LAN from the PC where the client software is installed.
  5. If a fault occurs, refer to the VPN log in the VPN client software to troubleshoot it.
