Configuring the SmoothWall Express System
This guide assumes that your SmoothWall Express system has already been installed.
IPSec settings on the SmoothWall Express system can also be configured from the command line; in this guide, the Web interface is used to set up the initial policy. (SmoothWall uses the open source FreeS/WAN implementation of IPSec. For information about how to configure the different options, see http://www.freeswan.org/.)
To configure the SmoothWall Express system, perform the following steps.
1)Access the SmoothWall Express Web interface at https://172.25.3.1:441. (Port 441 is the default SSL port accepted during the SmoothWall Express installation.) You will see the following screen.
2)Click the about your smoothie tab. On this page, you can see that the VPN service is currently stopped.
3)Now select the VPN tab. For your initial testing, in Global settings, Local VPN IP, leave the box blank. As the page mentions, if this box is blank, the Red interface is used.
4)On the VPN tab, click the Connections navigation button. The concept of left and right is useful in visualizing the VPN setup. Either side can be left or right, as long as you are consistent when entering the respective subnet value. In this setup, the SmoothWall Express system will be on the left and ISA Server on the right.
5)In Name, enter ISANet, in Left, enter 192.168.55.1, and in Left subnet, enter 172.25.3.0/24. In Right, enter 192.168.55.100 and in Right subnet, enter 172.25.10.0/24. In Secret and Again, type 123456789. Then click Add.
The ISANet connection information will appear under Current connections.
6)After this is completed, on the VPN tab, click the Control navigation button. You should see the connection just created under Manual control and status. Its status will be Closed. Click Restart.
The ISANet connection should change to Open.
7)Now, click the about your smoothie tab, and then select the Advanced navigation button. The VPN service should now be running.
You have now configured the SmoothWall Express system.
Reconciling the ISA Server and SmoothWall Express IPSec Tunnel Mode Policy
The next step is to reconcile the IPSec tunnel mode policy. This involves changing one setting on the ISA Server computer. To reconcile the IPSec tunnel mode policy, perform the following steps.
1)Select the Virtual Private Networks (VPN) node in the ISA Server console, and then click the Remote Sites tab. Select SmoothwallNet, and then on the Tasks tab, click Configure Remote Site.
2)Verify that Enable the VPN site-to-site connection is selected.
3)Click the Connection tab, and then click IPSec Settings.
The Phase I settings are displayed.
4)Click the Phase II tab.
5)Under Generate a new key every, change the seconds to 28800, to match the SmoothWall Express settings.
This setting is not visible in the SmoothWall Express Web interface. Examining the Oakley logs on the computer running Windows Server 2003 shows that the SmoothWall Express system sends a Session Key Lifetime setting that differs from the setting in the ISA Server wizard. The following is a line-by-line explanation of an excerpt from the Oakley log showing the Quick Mode failure.
- Line 1 is the Incoming Quick Mode offer from the SmoothWall system with the Initiator and Responder cookies set in lines 3 and 4.
- Line 12 is Proposal 0, which specifies the use of ESP. (Proposals can contain many different transforms that are combinations of encryption algorithms DES or 3DES, hashing algorithms MD5 or SHA1, Diffie-Hellman settings, and IP addresses pertinent to the IPSec tunnel mode policy.)
- Lines 13 through 18 contain the settings for Transform 0:
  - 3DES encryption (line 13)
  - Perfect Forward Secrecy (PFS) is group 2, which is the Diffie-Hellman group (line 14)
  - Tunnel mode is specified (line 15)
  - Session key lifetime is 28800 seconds (lines 16 and 17)
  - MD5 hashing (line 18)
- Lines 19 through 24 contain settings for Transform 1, which has all the same settings except for the hashing algorithm that is specified as SHA1 (line 24).
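For reference, the following is the FreeS/WAN ipsec.conf equivalent of the ISANet connection created through the Web interface in steps 4 and 5 of the SmoothWall Express procedure, with the Phase II parameters that the Oakley log analysis above identifies written out explicitly. This is an added example, not a configuration file taken from the guide or from SmoothWall Express itself; it assumes FreeS/WAN defaults for everything the Web interface does not expose (in particular the Phase I lifetime), and the interpretation of the hidden 28800-second value as FreeS/WAN's default keylife of 8h is an assumption based on the log.

```ini
# Added example (not part of the guide): /etc/ipsec.conf for the ISANet tunnel.
# Anything not shown in the SmoothWall Express Web interface is assumed to be a
# FreeS/WAN default and is marked as such.
config setup
        # The guide leaves "Local VPN IP" blank, so the Red (external) interface,
        # i.e. the default-route interface, carries the tunnel.
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn ISANet
        type=tunnel                 # tunnel mode, as seen in the Quick Mode offer (line 15)
        authby=secret               # pre-shared key; the key itself lives in ipsec.secrets
        left=192.168.55.1           # SmoothWall Express, Red interface
        leftsubnet=172.25.3.0/24    # network behind SmoothWall Express
        right=192.168.55.100        # ISA Server external address
        rightsubnet=172.25.10.0/24  # network behind ISA Server
        pfs=yes                     # PFS with Diffie-Hellman group 2 (log line 14)
        keylife=8h                  # 28800 s Phase II lifetime (log lines 16-17); ISA must match this
        ikelifetime=1h              # Phase I lifetime, FreeS/WAN default (assumption)
        auto=start                  # bring the tunnel up when IPSec starts
```

The pre-shared key entered in Secret and Again goes in `/etc/ipsec.secrets` as `192.168.55.1 192.168.55.100 : PSK "123456789"`. Because the ISA Server wizard does not default to a 28800-second Phase II lifetime, the `keylife` line is the one value here that a command-line configuration makes visible and the Web interface hides; keeping both sides at the same lifetime is what the reconciliation step above achieves from the ISA Server end. Both transforms in the log (3DES with MD5, then 3DES with SHA1) are the proposals FreeS/WAN sends with this configuration, so no explicit algorithm selection is needed.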