Enabling Hybrid Mode Authentication 4.1


Hybrid Mode Authentication using IKE

Tested on Firewall-1 4.1 SP5
To allow client machines to connect, authenticate and encrypt data using any form of authentication other than IKE pre-shared secrets, an administrator must create an ICA ("Internal Certificate Authority") on the firewall management station.

Follow these steps on the management station to create the ICA and configure Hybrid Mode.
1. Type: fwstop.

2. Delete $FWDIR/conf/objects.C.bak and $FWDIR/conf/objects.C.sav.

3. Create the Internal Certificate Authority.
Type: fw internalca create -dn "o=<company name>, c=<country>" [-force]
For example, my company is called firewallsrus and I'm in the UK, so the command would look like this: fw internalca create -dn "o=firewallsrus, c=GB" -force
Note: The -force flag is used to overwrite an existing CA.

4. Certify the firewall module that will receive the SecuRemote connections.
Type: fw internalca certify -o <object name> [-force] "o=<company name>, c=<country>"
For example, my firewall object is called penfold, so the command would look like this:
fw internalca certify -o penfold -force "o=firewallsrus, c=GB"
Note: The -force flag is used to overwrite an existing certificate.

5. Type: fwstart. Check that the ICA has been installed correctly by opening the Management GUI and selecting the firewall object's certificate tab. You should see a certificate in the list.

6. Open the firewall management GUI and select Manage > Network Objects > <firewall module name> > VPN tab > IKE Properties. Select the required authentication method(s). Make sure that 'Supports Aggressive Mode' is NOT selected.

7. Define a user with the appropriate encryption scheme, strength and authentication method. The encryption scheme and strength should match those of the SecuRemote client software that the user will be using. The encryption scheme is defined under the user's Encryption tab, where it may also be useful to select 'Log' for 'Successful Authentication Track'. The encryption strength is defined under the scheme's properties under the Encryption tab. IKE authentication methods are discussed at the start of this section.

8. Define an encryption domain.

9. Under the firewall module's properties, define the encryption domain in the VPN tab, and select 'Exportable for SecuRemote'.

10. Define a group of users who will be using SecuRemote.

11. Define a rule that allows the above group of users, from the appropriate networks, access to the encryption domain, using the desired services. For the Action select Client Encrypt.

12. Push the policy to the firewall module and test.

Note:
Hybrid mode IKE uses an internal CA to authenticate (sign) the packets from the gateway to the SecuRemote client. Without this, the SecuRemote client would not know whether it was talking to the appropriate firewall or to one that had been hijacked. SecuRemote gets the internal CA public key when it downloads the topology, and can then verify that it is talking to the correct firewall. When the user goes through Hybrid Authentication the firewall knows who they are, and a two-way trust is established.
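As an added illustration of the trust model described in this note (example code, not Check Point's own implementation of the ICA or of SecuRemote), the Go program below builds the same relationships with ordinary X.509 certificates: an internal CA with the DN from the examples above (o=firewallsrus, c=GB), a certificate issued to the gateway object penfold, and a client that holds only the CA certificate, as SecuRemote would after the topology download. The client accepts the genuine gateway and rejects a certificate for the same object name issued by a different CA that has an identical DN, which is what protects it from a hijacked gateway. The key type, validity periods and function names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed model of the Hybrid Mode trust setup (example code, not Check Point's
// implementation): the internal CA certifies the gateway, and the client trusts
// only the CA certificate it received with the topology download.
type internalCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newInternalCA stands in for "fw internalca create -dn 'o=<org>, c=<country>'".
func newInternalCA(org, country string) (*internalCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed key type
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, Country: []string{country}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // assumed validity
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &internalCA{cert: cert, key: key}, nil
}

// certifyGateway stands in for "fw internalca certify -o <object name>":
// the CA signs a certificate naming the gateway object.
func (ca *internalCA) certifyGateway(objectName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: objectName, Organization: ca.cert.Subject.Organization, Country: ca.cert.Subject.Country},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientTrustsGateway models the SecuRemote-side check: the client holds only the
// internal CA certificate and accepts the gateway certificate if it chains to that
// CA and names the gateway object the client expects to reach.
func clientTrustsGateway(trustedCA, gateway *x509.Certificate, expectedObject string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := gateway.Verify(opts); err != nil {
		return false // signed by another CA, expired, or otherwise not chained to our CA
	}
	return gateway.Subject.CommonName == expectedObject
}

// runScenario reports whether the genuine gateway is accepted and whether a
// look-alike certificate from a different CA with the same DN is rejected.
func runScenario() (bool, bool, error) {
	ica, err := newInternalCA("firewallsrus", "GB")
	if err != nil {
		return false, false, err
	}
	penfold, err := ica.certifyGateway("penfold")
	if err != nil {
		return false, false, err
	}
	// A second CA with an identical DN but its own key: what a hijacked gateway could
	// present. The client's copy of the real CA certificate does not vouch for it.
	rogueCA, err := newInternalCA("firewallsrus", "GB")
	if err != nil {
		return false, false, err
	}
	impostor, err := rogueCA.certifyGateway("penfold")
	if err != nil {
		return false, false, err
	}
	return clientTrustsGateway(ica.cert, penfold, "penfold"), !clientTrustsGateway(ica.cert, impostor, "penfold"), nil
}

func main() {
	accepted, rejected, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine gateway accepted: %v, impostor rejected: %v\n", accepted, rejected)
}
```

The point of the second CA is that the DN alone proves nothing: the client's trust is anchored in the CA certificate it obtained through the topology download, so a gateway certificate has to be signed by that specific key, not merely carry the right names. The user's own authentication in step 7 then supplies the other direction of the two-way trust.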

23/APR/02 Jim Parker
