IPSecuritas 3.4

User Manual

Lobotomo SoftwareOctober 25, 2009

1

Legal DisclaimerContentsLobotomo Software (subsequently called "Author") reserves the right not to be responsible for the topicality, correctness, completeness or quality of the information provided. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected. All offers are not-binding and without obligation. Parts of the document or the complete publication including all offers and information might be extended, changed or partly or completely deleted by the author without separate announcement.

ReferralsThe author is not responsible for any contents referred to or any links to pages of the World Wide Web in this document. If any damage occurs by the use of information presented there, only the author of the respective documents or pages might be liable, not the one who has referred or linked to these documents or pages.

CopyrightThe author intended not to use any copyrighted material for the publication or, if not possible, to indicate the copyright of the respective object. The copyright for any material created by the author is reserved. Any duplication or use of such diagrams, sounds or texts in other electronic or printed publications is not permitted without the author's agreement.

Legal force of this disclaimerThis disclaimer is to be regarded as part of this document. If sections or individual formulations of this text are not legal or correct, the content or validity of the other parts remain uninfluenced by this fact.

2

Table of Contents

Introduction% 1What is a VPN?% 1What is IPSec?% 1What is IPSecuritas?% 2

Overview% 2Main Window% 3

Starting IPSec % 3Restarting IPSec% 4Stopping IPSec% 4Changing the Profile% 4Connection Status Indication% 4

Menu Bar Item% 5Dashboard Widget% 7Connection Editor% 8

Connection List % 8Functions% 9Connection Parameters% 11

Certificates Manager% 18Certificates Tab% 18Requests Tab% 20

Profiles% 22Create Profile% 23Duplicate Profile % 23Remove Profile% 23

Connection Log% 23Clear Log% 24Export Log% 24

Preferences% 24

3

General% 25Connection Surveillance% 26Timers% 26Padding % 27Smart Environment Detection% 27

Software Updates% 28Troubleshooting% 28

General% 28Exception Logs% 29

Further Information% 30IPSec% 30

4

IntroductionWhat is a VPN?

A Virtual Private Network (VPN) is a closed, secure network that utilizes an insecure network like the internet to connect two peers. The peers can be single computers or whole company networks anywhere in this world. A secure communication between the peers is usually accomplished by using encryption and authentication algorithms.

VPNs are a cheap alternative to leased lines between company branches or can provide a traveling user or a home user access to a branch‘s network in a secure way.

There a various protocols supporting VPNs like PPTP, L2TP (both built into MacOS X‘s Internet Connect) or IPSec.

What is IPSec?IPSec (IP Security) is IETF‘s (The Internet Engineering Task Force, the standardization commitee for today‘s Internet aspects) proposal of a set protocols built into the Internet Protocol (IP/IPv6), providing VPN functionality.

IPSec can roughly be divided into two parts: Payload encryption and authentication and key exchange.

Payload Encryption and AuthenticationEncryption and authentication (check of data and address integrity) of the payload is achieved with two protocols called ESP (Encapsulating Security Payload) and AH (Authentication Header) that build directly onto IP. Since AH only provides authentication but no encryption, it is not in wide use today, making ESP the standard protocol to use with IPSec.ESP uses algorithms like DES/3DES or AES to encrypt the payload and authentication algorithms like MD5 or SHA-1 to assure data integrity. In a nutshell, ESP takes the original IP packet, signs it with a hash code, encrypts it with a secret key, puts it into a ESP packet and sends this ESP packet to the remote peer with IP.

1

The remote peer does exactly the reverse to retrieve the original IP packet.

Key ExchangeWhile ESP works well with static keys only known to both peers, it is more secure to change the key often. For this to achieve, the two peers agree on a key to be used with a special protocol called IKE (Internet Key Exchange), which allows for a secure key exchange over an insecure network. Besides the encryption key, IKE also provides means to negotiate other parameters (like the encryption and authentication algorithms used, the key length and the lifetime of the encryption key) and to authenticate the peers to each other (the peers, not the data).

The section IPSec in the appendix of this document provides more detailed information on IPSec.

What is IPSecuritas?IPSecuritas is a modern IPSec client for MacOS X that allows you to configure and establish secure connections. It supports traveling users with connection profiles to easily switch the configuration for different locations like home or office.This all comes with a state-of-the-art MacOS X graphical interface.

OverviewIPSecuritas isn‘t just one single application. IPSecuritas consists of a permanently running background process, which is invisible to the user and does all the work: it registers network and configuration changes, system sleep and wake events and reacts appropriately by shutting down or re-establishing broken connections.

The interaction with the user is accomplished with three graphical interfaces, all working independently from each other: IPSecuritas, the application, a Menu Bar Item and a Dashboard Widget.Each of the three user interfaces let you control the operation of your IPSec connections and let you see their current state.Unlike other IPSec clients for MacOS X that come as one monolithic application, this approach allows you to minimize the space (both memory and screen estate) used while not actively

2

interacting with IPSec operation. It even allows you to setup connections that get started and kept alive automatically after system boot-up without user interaction - even without the necessity of a user to first log-in.

Main WindowThe main window shows the currently active profile and the state of each connection in this profile and the general status of IPSec.

The Start and Stop buttons let you control the IPSec connections.

Starting IPSecStart IPSec by pressing the button Start. If there are protected connections requireing authentication, you will be presented with a dialog asking you for the console user‘s password or a connection specific password that was entered when the connection was

protected.

3

Restarting IPSecIf there were any mondifications to the configuration (like changes in a connection or the preferences), an IPSec restart is necessary before the new settings take effect.

This is indicated by a small warning sign icon.

Stopping IPSecPress the Stop button to stop IPSec and terminate all active connections.

Changing the ProfileYou may change the profile at any time. However, the new profile is not active before you restart IPSec by pressing the Restart button.

Connection Status IndicationThe status mean the following:

The connection cannot be established because its definition is incomplete, the hostname cannot be resolved, there is no route to the firewall or it has not been authenticated.The connection is in the process of being established.The connection is established.The connection could not be established and has been suspended for a specified time (see sub-section Option in section Connection Editor). After this time, IPSecuritas will retry to establish the connection.

4

The connection has been added to the currently active profile while IPSec was running. It is not active and IPSec needs to be restarted to make it active.

There are additional icons with a minus embedded, meaning that the connection is currently active (with the status indicated) but is no longer part of the connection set and will be stoppped after a restart of IPSec.

Menu Bar Item

The menu bar item sits discretly in your Mac‘s menu bar and allows the most important operation with a single mouse clink from the menu bar. Since it works independently from the IPSecuritas application, there is no need to have the application running all the time.Activate the Menu Bar Item by enabling the option Show Status in Menubar in IPSecuritas‘ preferences.The color codes of the connection states are described in the section Connection Status Indication earlier in this document.

5

The icon of the menu bar item shows the IPSec status:

IPSec not running IPSec running and all connections connected

IPSec running but at least one connection suspended

IPSec running but at least one connection with an error

The currently selected profile is shown next to this symbol . You may change the profile by selecting one of the profiles appearing in the profile submenu. Note: the change take immediate effect, all connections will be restarted.

Selecting the menu item Statistics will show a floating window with important statistics about the connections.

6

Use the Connection Log menu item to see the detailed logs.

Dashboard Widget

The Dashboard Widget allows the most important operation with a single mouse clink from the Dashboard.

Since the Widget works independently from the IPSecuritas application, there is no need to have the application running all the time.

7

The profiles can be changed with the popup button on the left side of the widget. Note: the change take immediate effect, all connections will be restarted.

The Widget is automatically installed at the first launch of IPSecuritas.

The color codes of the connection states are described in the section Connection Status Indication earlier in this document.

Connection EditorThe connection editor allows you to create new connections, import connections from a file, edit, remove, export, protect or unprotect

existing connections from your connection list.

Connection ListThe connection list on the left side displays all your connections, selecting a connection will display its properties in the different tabs on the right side, unless the connection you selected is protected and the settings are hidden.You may also change the settings for the selected connection unless this is prohibited by an active connection protection.

8

An exclamation mark symbol next to a connection in the list indicates that the connection is missing some crucial setting and cannot be activated. Move the mouse over the exclamation mark symbol to get a tooltip with a short explanation of the missing settings.

FunctionsThe following functions are offered by the Connection Editor:

Create New Connection

By clinking on the add connection icon a new connection with default values and name New Connection is created and added to the connecton list and the currently active profile. You need to adapt the default values and fill in the missing parameters to make the connection work with your remote endpoint. Refer to the section Connection Parameters for details on the meaning of the parameters.

Create New Connection with WizardA new connection can also be created based on known-to work parameters for various firewall models from various manufacturers. Clicking the wizard icon will open the first wizard dialog. Depending on teh firewall make and model you select, a few more parameters are queried and a new connection will be created at completion of the wizard. The connection is automaticall added to the connection list and the currently active profile.There is a number of short documents available that describe the proper setup of the firewall parameters.Usually, connections created with the wizard will work seamingless, in some cases - depnding on the configuration of your firewall - minor changes of some parameters may be required.

Duplicate ConnectionThis function duplicates the selected connection and adds it to your connection list and the currently active profile.

Remove Existing Connection

Clinking on the remove connection icon will remove the selected connection from the connection list. You need to acknowledge the

9

removal in the confirmation dialog that will come up. The removal cannot be undone.

Import Connection

The import connection function allows you import a previously exported connection from a file. You will be prompted for the import password that has been specified during the export. The connection will be added to the connection list and the currently active profile.

Export Connection

The export connection function will export the selected connection into a file. You need to specifiy a password to protect the exported connection from unauthorised use.You may also specify further protection that limits the modification or export of the connection once it has been imported. Refer to the section Protect Connection for a description of the parameters.

Protect ConnectionWith the protect connection function , the selected connection can be protected from misuse on various levels:If Hide Settings is enabled, the connection parameters are not visible anymore to the user. Enabling Write-Protect Settings will prevent changes of the parameters, while Allow Unprotected Copies allows the user to make a copy of the this connection, which will not be protected anymore. Disabling Allow Export will prevent the export of this connection into a

file. If Query Password Before Connection Start is enabled, the user will be prompted for either his login password or another password you specify, if Administrator‘s Password is not enabled. If specifying your own password, you may also force its change after the connection is imported.

10

The unprotect password is necessary to remove the connection protection with the Unprotect Connection function.

Unprotect Connection

The unprotect connection function allows the user to remove a previously applied protection, either of a imported connection or a manually protected connection. The user will be prompted for the unprotect password that needed be specified while exporting or protecting the connection manually.

Connection ParametersBasically, each IPSec connection is established in two phases. Phase 1 authenticates the peers to each other and establishes a protected (encryption and data integrity) IKE connection, which will then be used to establish a protected IPSec connection in Phase 2. Both phases require a number of parameters and values, whose meaning is described in the following. The names of the following sub-sections refer to the titles of the tabs in the connection editor.

If a connection definition is incomplete or incorrect, a exclamation mark symbol is shown in the connection list next to the connection. A short explanation of what‘s missing or incorrect is displayed as a

11

tooltip when you hover the mouse cursor over the exclamation mark symbol.

GeneralRemote IPSec Device: This is the IP address or a host name of the firewall of the remote side that you want to connect to. If you are in a IPv6 capable network and prefer to connect using IPv6, enable the option Prefer IPv6 Address for proper DNS resolution.

Local Side: This determines whether you want to connect a single machine (Host), one (Network) or multiple (Networks) local networks to the remote end. Most usually you connect a single machine.In Host mode, you may define a virtual local IP address. All traffic sent to the remote end will have this address as the sender address. If you leave the field empty, the address of the default network interface is used instead. Please clarify this with your system administrator if in doubt.

Remote Side: This determines whether you want to connect to a single machine (Host), one (Network) or multiple (Networks) remote networks or if all traffic should be routed through this tunnel (Anywhere). The most usual seup will be Network or Networks.The IP address in Host mode or the network addresses in Network or Networks mode are mandatory parameters. The netmask needs to be specified in CIDR notation (as oposed to four-dot notation like 255.255.255.0).Note: Anwhere mode needs support of the firewall. It is usually used to additionally protect traffic sent over wireless LANs with IPSec. In this case, the wireless base station is also the firewall.

If Host mode is selected for both ends, IPSec Transport Mode will be available (oposed to Tunnel Mode). Transport Mode allows slightly

12

improved performance due to reduced IPSec overhead, however, both ends need to have public IP addresses (no NAT).

Phase 1Lifetime: This specifies the life time of the established IKE connection. After the lifetime expires, a new one is created when needed (i.e. as soon as IKE traffic is sent from either side). Depending on the parameter Proposal Check (see below), this value needs to exactly match the same parameter in the firewall setup.

DH Group: This determines the group used for the Diffie-Hellman exponentiations. Higher values are more secure, but key exchange will be slower. Depending on the parameter Proposal Check (see below), this value needs to exactly match the same parameter in the firewall setup.

Encrption: This determines the encryption algorithm used for the IKE connection to guarantee data privacy. DES and 3DES offer best compatibility with common firewalls, but AES is faster and probably more secure. This parameter needs to exactly match the same parameter in the firewall setup.

Authentication: This specifies the authentication algorithm used for the IKE connection to guarantee data integrity. This parameter needs to exactly match the same parameter in the firewall setup.

Exchange Mode: This specifies the Phase 1 exchange mode. Most common are main and aggressive mode. Agressive mode is faster than main mode, but generally less secure. This parameter needs to exactly match the same parameter in the firewall setup.

Proposal Check: This parameter defines the behaviour if lifetime or DH group values differ between the peers. If obey is selected, the initiator (usually the local machine) will obey the responder and adopt its values, while strict means that the responder‘s values will be used by both sides if they are higher than the initiator‘s value - otherwise the connection request is rejected. If set to claim, the higher values of both sides are used automatically and when set to exact, the connection request is rejected if the values differ.Obey is the most compatible setting, exact the most secure one.

13

Nonce Size: This defines the length of the nonce payload, which is used in key generation and to prevent replay attacks. This parameter needs to exactly match the same parameter in the firewall setup.

Phase 2Lifetime: This specifies the life time of the established IPSec connection. After the lifetime expires, a new one is created when needed (i.e. as soon as IPSec traffic is sent from either side).

PFS Group: This determines the group used for the Diffie-Hellman exponentiations. Higher values are more secure, but key exchange will be slower. If set to none, any proposal will be accepted.

Encryption: This list defines which encryption algorithms are offered in which order (from top to bottom) for negotiation with the remote side. The first matching algorithm will be used to encrypt the IPSec connection. The order can be changed by drag‘n drop within the list. Note: Null encryption is only offered for debugging purposes and should not be used in a productive environment, since all traffic will be sent unencrypted!

Authentication: This list defines which authentication algorithms are offered in which order (from top to bottom) for negotiation with the remote side. The first matching algorithm will be used to guarantee data integrity of the IPSec connection. Like the encryption algorithm list, the order can be changed by drag‘n drop within the list. Note: Null authentication is only offered for debugging purposes and should not be used in a productive environment, since all traffic will have no data integrity protection!

IDLocal Identifier: This parameter defines the type of identification used to identify the local peer by the remote peer. The following types are available:

Address: The local IP address is used for identification.FQDN: A fully qualified distinguished name of the form aa.bb is used for identification. You need to enter a valid FQDN into the text field.

14

User FQDN: A username with a fully qualified distinguished name of the form user@aa.bb is used for identification. You need to enter a valid User FQDN into the text field.Key Id: The supplied KEY ID is used for identification.Certificate: The content of the Subject field of the local certificate is used for identification.

Remote Identifier: The remote identifier determines the type of identification used to identify the remote peer by the local peer. Refer to the description of Local Identifier above for an explanation of the different possible types.

Authentication Method: The authentication method determines the type of authentication used to proove the local identity to the remote peer. The following types are available:

Preshared Key: A common secret password is used for authentication. The password needs to be known on both sides.Certificates: Signed X.509 certificates are used for authentication.XAUTH PSK: A username and password in combination with a preshared key is used to authenticate the local peer. The remote peer is only authenticated by the preshared key.Hybrid (XAUTH RSA): A username and password is used to authenticate the local peer. The remote peer authenticates itself with a X.509 type certificate.

DNSIf Enable domain specific DNS servers is enabled, the name servers listed in Name Server Addresses is used for all domains listed in the the Domains table instead of the system-wide defined DNS server. This is useful to resolve private host names only known when in remote network.

OptionsIPSec DOI: If enabled, IPSec-DOI as defined in RFC 2407 is used. This option should usually be enabled.

SIT_IDENTITY_ONLY: If enabled, SIT_IDENTITY_ONLY as defined in RFC 2407 is used. This option should usually be enabled.

15

Verify Identifier: If enabled, the remote identification is checked with the setting in the ID tab, and if not equal, the connection request will be rejected. Since identity check does not increase security, it is safe (and more compatible) to switch this option off.

Initial Contact: If enabled, an INITIAL-CONTACT message is sent in each new negotiation. This message is useful to prevent the remote side from using an old but still vaild SA. This option should usually be enabled.

Enabled MODE_CFG: If enabled, network informtion (like local IP address, netmasks, DNS server et al.) is requested from the remote side.

Local IP in Remote Network: If enabled, the local IP address may be within one of the remote network ranges, if the local endpoint mode is set to Host and the remote endpoint mode to Network or Networks.

Disable collision check: This option switches off all network collision checks performed prior activation of IPSec.CAUTION: Please exercise due care when enabling this option as unexpected side effects on your network traffic may occur.

NAT-T: Determines if NAT Traversal (IPSec traffic is encapsulated in UDP packet to pass NAT routers and firewalls more easily) is used. When set to Disabled, NAT-T is not used, when set to Enabled, NAT-T is only used when required (i.e. one or both peers use private IP addresses), and when set to Force, NAT-T is enforced regardless if required or not.Use the setting Checkpoint if the remote side is a firewall from Checkpoint (they use a propriatory NAT-T implementation).

Generate Policy: This setting is only used if the passive option is enabled and determines if matching policies should be created for incoming connection requests.Note: If enabled, any proposal from the remote peer will be accepted!

16

Support Proxy: If enabled, local and remote identifications are used for the local and remote address in phase 2.

Request Certificate: If enabled, IPSecuritas asks the remote side to provide its signed certificate.

Verify Certificate: If enabled, incoming certificates are checked against the specified cerificate or the against the appropriate CA certificate.

Send Certificate: If enabled, IPSecuritas sends the local certificate regardles whether the remote peer requested it or not.

Unique SAs: Multiple SAs are created for multiple remote networks if enabled. If disabled, only one SA is negotiated and used for all remote networks.

IKE Fragmentation: Allows fragmentation of IKE traffic when enabled. This is useful for certain routers that don‘t allow UDP fragmentation. Long messages are split into a number of smaller messages to prevent UDP fragmentation.

Passive: If enabled, IPSecuritas will not initiate a connection but wait for the remote side to do so. Usually disabled.

Enable Connection Check: Enables the periodic sending of a ping packet to the specified address in order to detect a broken connection. If there is no answer from the host within the specified time period (see section Preferences), the connection is re-established.

Action after connection timeout: Determines the action taken after a conenction could not be established within the specified time (Phase 1 + Phase 2 timeout as set in the general preferences, see section Preferences). The following options are available:

• Give Up: no further attempt to establish the connection is taken and the connection goes into state error.

• Retry immediately: Keep trying indefinitely to establish the connection

17

• Suspend 15 secs: IPSecuritas waits for 15 seconds before it tries to establish the connection again. This is indicated with the suspended icon.

• Suspend 30 secs, Suspend 1 min, Suspend 2 mins and Suspend 5 mins: like Suspend 15 secs, but with a different waiting period.

Certificates ManagerThe certificate manager allows you to import and export certificates from and into different file formats, create certificate requests and

export them to a file.

Certificates TabThe list on the left side displays all available certificates. On the right side, the details for the selected certificates are shown.

Import Certifcate

Upon clicking on the import icon an import dialog is presented, asking the user to select the certificate file and its file format, the kind of certificate if its in PEM or DER file format and the password that has been used to protect the file.

18

If the file format is valid and the password correct, the certificate is imported and added to the list. In the case of a PKCS#12 file, there may be more than one certificate and the private key stored in the file. In this case, all certificates and the private key are imported.

When importing a an own certificate in PEM or DER format, the user will be prompted for a second file containing the private key.

Export Certificate

The export function presents an export dialog asking the user to specify a location and a file name, the desired file format and a password if the exported certificate should be encrypted (which is recommended if the private key is also exported). Export into DER file format cannot be encrypted.If a private key is available and the option Export Private Key is enabled, the private key is also included in the exported.

19

Remove Certificate

The remove function will remove the selected certificate and its private key (if present) from the list. You need to acknowledge the removal in the confirmation dialog that will come up. The removal cannot be undone.

Requests TabCertificate requests hold personal information about the future certificate holder. They are then usually sent to a certificate authority (CA), which will check the personal information and verify, that the person requesting a certificate is really who she claims to be.

20

On the left side, a list of all created certificate requests is displayed.

On the right side, the details for the selected request are shown.

New RequestThe new request function will present a dialog with values included in the certificate request and in the certificate, once it will

be signed.Remove Request

21

The remove function will remove the selected request from the list. You need to acknowledge the removal in the confirmation dialog that will come up. The removal cannot be undone.

Export RequestThe export function will present an export dialog, asking the user to specify the location and a file‘s name and format holding the exported request.Since certificate requests don‘t contain any confidential information, it is not necessary to encrypt the generated file.

ProfilesA profile contains a selection from all connections in your connection list. You can have any number of profiles with any selection of connections.

Most commonly, different profiles are used for different locations you use to work. As an example, you would have an Office profile, connecting you to your home network and the webserver but not the office network you are in anyway already. Likewise, you could have a Home profile, which will connect you to your office network and the webserver, but not to your local home network, since you are already physically connected to it.While this is the typical use of profiles, there are more uses to it:

• You might have the same connection twice, with small differences in its configuration (like the virtual local address)

22

You might have several connections with overlapping remote network, which can not be active at the same time - put them into different profiles and use the profile you need.

• When connecting with a small bandwith (dial-up or mobile), you might want to have minimal profiles providing you just the connections you need to reduce protocol overhead of negotiation of unused connection.

• Testing purposes: you may want to try new connections without interfering your existing, working connections.

• Debugging purposes: sometimes it‘s useful to have an isolated log output for a single, non-working connection, which you could put into a seperate profile.

There might be even more uses of profiles - you‘ll find them.

The active profile can be changed in the main window, the menu bar item and the widget.

Create ProfileBy clinking on the add profile icon a new profile with no active connections will be created. You will be prompted for a name for the new profileYou can change the name anytime later by double clicking the profile name on the left side.

Duplicate ProfileThis function duplicates the selected profile and adds it to your profile list.

Remove ProfileClinking on the remove profile icon will remove the selected profile from the profile list. You need to acknowledge the removal in the confirmation dialog that will come up. The removal cannot be undone.

Connection LogThe connection log shows events from the IKE daemon and the application, which can be useful in finding problems with non-working or unstable connections.

23

Clear LogThe Clear Log function will remove all messages from you log window.

Export LogThe Export Log function will export all your log messages into a plain text file than can be opened with Apple‘s Text Editor or any other text editor.You will be prompted for a location and a file name for the exported log.

PreferencesThe preferences set in the preferences dialog affect the general, connection independent behaviour of IPSecuritas and the IKE daemon.

24

This following section describes each parameter and its effect.

GeneralLog Level: Specifies the verbosity of the log output. While debugging a connectin, level Debug is recommended, in normal operation, Info is the recommended log level.

Keep Lines: Determines the maximum number of lines shown in th e log window.

Autostart: When enabled, IPSecuritas will automatically start IPSec with the selected profile after boot up of the computer (no user needs to be logged in).

Show Status in Menubar: Enables the menu bar item to control IPSecuritas (see section Menu Bar Item).

MTU Reduction: This option reduces the MTU of all active interfaces by the value specified. IPSec adds additional headers to the original IP packets, which makes the new packets larger and makes fragmenatation necessary. Since some routers don‘t allow fragmented IPSec traffic, lowering the MTU will prevent

25

fragmentation. Try this option with values between 8 and 56 Bytes if you encounter connectivity problems to machines in the remote network.

Check for Updates: When enabled, IPSecuritas automatically checks for updated versions of the application once per week. If a new version of IPSecuritas is available, the user will be asked if the update should be installed. No information is sent to Lobotomo Software‘s servers.

Connection SurveillancePing Interval: This parameter specifies the interval between the ping packets sent if the Keep-Alive Ping option is enabled.

Ping Timeout: This parameter specified the maximum time that is waited for a reply to a ping packet before IPSecuritas considers the connection dead and tries to re-establish it (if the option Detect dead connection is enabled).

TimersThe following are counters and timers that affect the way the IKE key exchange works. Please be careful when changing them.

Counter: The maximum number a packet is sent before the negotation fails. Valid for both Phase 1 and Phase 2 packets.The default value is 5.

Interval: The time in seconds before a packet is resent if no answer was received. The default value is 5 seconds.

Per Send Packets: The number of times a packet is sent. This is usually set to 1, however, if you are connected through an unreliable internet connection that drops packets often, you might want to increase this value. In this case, each packet is automatically transmitted multiple times.The default value is 1.

26

Phase 1 Timeout: The maximum time allowed for completion of Phase 1 negotiation.The default value is 15 seconds.

Phase 2 Timeout: The maximum time allowed for completion of Phase 2 negotiation.The default value is 15 seconds.

PaddingThe following parameters affect the message padding. IKE messages need padding with dummy bytes if the messages are encrypted with a block ciphering algorithm.Please be careful when changing these parameters.

Randomize: If enabled, the padding bytes are randomized rather than zeros.The default is enabled.

Strict Check: If enabled, the padding of received messages is stricly tested and, if wrong, the message is dumped.The default is disabled.

Exclusive Tail: If enabled, the length of the padding is put in an additional byte after the padding.The default is enabled.

Maximum Length: Determines the maximum number of bytes for the padding.The default length is 20 bytes.

Smart Environment DetectionSmart Environment Detection is a function to support mobile users who work in different network environments, e.g. office network, home network and public access points.When enabled, IPSecuritas remembers which profile was used in which network environment and whether IPSec was active or not. Whenever a known network is used, IPSecuritas automatically starts or stop IPSec and changes the profile to the profile selected when the computer was used in that network environment.

27

Software UpdatesLobotomo Software permanently updates IPSecuritas and the list list of compatible devices and makes software and configuration updates available.You may also check for updates manually by selecting the respective entry in the File menu.

This will update your software and the configuration for of known devices.

TroubleshootingGeneral

I can‘t seem to connect, the dot stays redThis may have several different reasons. A tooltip appearing when moving the mousepointer over the connection status indication in the main window will show a small explanation of the problem:

• The configuration of the connection is incomplete. Check the indication in the connection list in the connection editor.

• There is no network connection available. Check your network connectivy.

• The hostname of the remote firewall cannot be resolved into an IP address. Check the hostname in the connection editor.

• There is no known route to the remote firewall. This usually only happens if you don‘t have a default route configured.

• There are overlapping address ranges between two connections (either local or remote network addresses). Make different profiles with for the conflicting connections.

I can‘t seem to connect, the dot stays yellowThis may have several different reasons. A closer look at the log may help (see also the section below):

28

• IPSecuritas and the remote firewall have incompatible settings. This may be anything like:

• Lifetimes (Phase 1 or 2)• Encryption or authentication algorithms (Phase 1 or 2)• Local or remote identification (remember to set them over

cross)• Authentication information (preshared key, certificates or Key

ID)• The remote firewall does not respond.• Your local firewall doesn‘t let IKE traffic pass (UDP port 500 and

ev. 4500, if NAT-T is enabled).

The green dot appears, indicating the connection has been established, but I can‘t access the remote networkThis may have several different reasons:

• Your local router does not support IPSec pass-through, a way that allows to route ESP traffic transparently from a public network into a provate (NATed) network. Try enabling NAT-T.

• Your local firewall doesn‘t let ESP traffic pass. Try enabling NAT-T.• Some parts of the infrastructure doesn‘t support ESP traffic (often

in public wireless networks or in mobile phone netwkorks with GPRS/UMTS). Try enabling NAT-T.

I want to connect to multiple networks, the green dot appears but I can only access one networkYou probably need to enable the Unique SA option for this connection.

Exception LogsIn case of an internal problem, IPSecuritas and the background daemon, IPSecuritasDaemon, write exception logs at the following locations:

IPSecuritas/Volumes/Users/nadig/Library/Logs/IPSecuritasExceptionLog

IPSecuritasDaemon/Library/Logs/IPSecuritasDaemonExceptionLog

29

If you encounter entries in these files, we‘d be very grateful if you could send them to lobotomo@lobotomo.com

Further InformationIPSec

The following URLs provide more information on IPSec and IKE:• http://en.wikipedia.org/wiki/IPsec• http://www.digisafe.com/products/pdf/IPSec_Primer.pdf• http://www.vpnc.org/• http://www.kame.net/

IPSec and IKE is defined in the following RFCs:

RFC 2367PF_KEY InterfaceRFC 2401 (obsoleted by RFC 4301)Security Architecture for the Internet ProtocolRFC 2402 (obsoleted by RFC 4302 and RFC 4305)Authentication HeaderRFC 2403The Use of HMAC-MD5-96 within ESP and AHRFC 2404The Use of HMAC-SHA-1-96 within ESP and AHRFC 2405The ESP DES-CBC Cipher Algorithm With Explicit IVRFC 2406 (obsoleted by RFC 4303 and RFC 4305)Encapsulating Security PayloadRFC 2407 (obsoleted by RFC 4306)IPsec Domain of Interpretation for ISAKMP (IPsec DoI)RFC 2408 (obsoleted by RFC 4306)Internet Security Association and Key Management Protocol (ISAKMP)RFC 2409 (obsoleted by RFC 4306)Internet Key Exchange (IKE)RFC 2410The NULL Encryption Algorithm and Its Use With IPsecRFC 2411

30

IP Security Document RoadmapRFC 2412The OAKLEY Key Determination ProtocolRFC 2451The ESP CBC-Mode Cipher AlgorithmsRFC 2857The Use of HMAC-RIPEMD-160-96 within ESP and AHRFC 3526More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)RFC 3706A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) PeersRFC 3715IPsec-Network Address Translation (NAT) Compatibility RequirementsRFC 3947Negotiation of NAT-Traversal in the IKERFC 3948UDP Encapsulation of IPsec ESP PacketsRFC 4106The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)RFC 4301 (obsoletes RFC 2401)Security Architecture for the Internet ProtocolRFC 4302 (obsoletes RFC 2402)IP Authentication HeaderRFC 4303 (obsoletes RFC 2406)IP Encapsulating Security Payload (ESP)RFC 4304Extended Sequence Number (ESN) Addendum to IPsec Domain of Interpretation (DOI) for Internet Security Association and Key Management Protocol (ISAKMP)RFC 4305 (obsoletes RFC 2404 and RFC 2406)Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)RFC 4306 (obsoletes RFC 2407, RFC 2408, and RFC 2409)Internet Key Exchange (IKEv2) ProtocolRFC 4307

31

Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)RFC 4308Cryptographic Suites for IPsecRFC 4309Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)RFC 4621Design of the IKEv2 Mobility and Multihoming (MOBIKE) ProtocolRFC 4809Requirements for an IPsec Certificate Management Profile

32