Ingate Virtual Private Network (VPN) can communicate with any VPN client, firewall or other product that supports the IPSec and IKE protocols. Ingate VPN is included in all Ingate Firewalls and SIParators. Following are technical specifications and other critical information for users of Ingate VPN.
To use VPN from off-site locations with an Ingate Firewall, VPN client software must be installed on the traveling computer. A Certifying Authority (CA) for signing certificates is also required, since Ingate VPN authenticates peers with X.509 certificates.
Compatible VPN software must meet the following requirements:
Following are examples of VPN software that Ingate has successfully tested for compatibility with Ingate’s firewalls.
The Greenbow client can be bought from any Ingate reseller.
SSH Sentinel supports Windows 95, 98, NT, 2000 and XP.
SafeNet is a VPN client and supports Windows 98, NT and 2000 (not Windows 2000 for Cisco).
The principal agent in Sweden is MBG Elektronik AB, +46-(0)42-13 60 60.
A free implementation for Linux is available at http://www.freeswan.org/; it must be combined with the X.509 patch at http://www.strongsec.com/freeswan/ to get certificate support.
To be compatible with Ingate IPSec VPN, the IPSec software at the other end must authenticate itself with X.509 certificates. A certificate identifies a computer to the computers it communicates with. It is digitally signed so that any later change to it can be detected, and that signature is made by a Certifying Authority (CA), a separate piece of software run by a trusted party.
What is loosely called an X.509 certificate is really two parts: a private key and the public certificate that carries the matching public key. The private key must be kept secret and copied as little as possible, ideally never leaving the machine it was generated on. The public certificate can be freely distributed.
The public certificate contains a Distinguished Name (DN), a set of fields (typically country, organization and common name) that together identify the computer. The CA's signature covers the whole certificate, so it vouches for the binding between this DN and the public key; a certificate that carries the right DN but was not signed by a CA the peer trusts proves nothing.
A Certifying Authority (CA) can be compared to a passport authority. The passport authority guarantees that the passport identity is correct, and uses various methods to make the passport hard to forge.
A CA producing X.509 certificates works in the same way. Its digital signature vouches that the public key in a certificate belongs to the computer named in it, and anyone holding the CA's own certificate can check that signature. For that reason it is essential that no unauthorized person can get the CA to sign anything.
A CA has a certificate of its own. This certificate can be signed by the CA itself, giving a self-signed root certificate; this is how the certificate engine built into Ingate VPN works.
This is how a certificate is created:
The CA of a company is among the most important things protecting the company's computer systems: whoever controls it can issue a certificate for any identity. It should be installed on a machine dedicated to the CA role, with physical and network access restricted as far as possible.
The CA's private key is protected by a password that has to be entered each time a certificate is signed. Only those who need to sign certificates should know this password.
VPN clients need the public part of the CA's own certificate in order to check the certificates presented to them, so publish it somewhere all current and future users can reach it. Back up both the public and the private part of the CA's certificate, and store the backup where unauthorized people can neither read nor modify it.
There are two ways to create certificates for VPN clients: either the client generates its own key pair and a certificate request that the CA only signs, or the CA generates both the key pair and the certificate on the client's behalf and hands them over.
From a security perspective, the first alternative is better, as the private part of the client certificate never leaves the client.
Following are suggested routines for creating and signing certificates for VPN clients and distribution of keys to and from the Ingate Firewall®.
This routine is used for clients that can create their own certificates but need the CA to sign them.
This routine is used for clients that cannot create certificates themselves, so the CA has to create both the private and the public part and deliver them to the client.
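The following script is an added example, not Ingate's own procedure or code, showing with the openssl command-line tool what the sections above describe: a self-signed CA whose private key is passphrase-protected, the first routine (the client generates its key and a certificate request, only the request travels to the CA, the signed certificate and the CA certificate travel back), and the second routine (the CA generates key and certificate and delivers them in a password-protected PKCS#12 bundle). It then checks that both certificates verify against the CA certificate, that the routine 1 private key exists only on the client, and that a certificate with the same DN signed by a different CA is rejected, which is the point of the signature. It assumes openssl (1.1.1 or newer) is installed; every directory name, client name and passphrase is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not Ingate's own code: a self-signed CA plus the two client
# certificate routines described above, using only the openssl command line.
# Every name, path and passphrase is made up for the demonstration.
set -eu
CA_PASS='ca-signing-passphrase'   # assumed; protects the CA's private key

# write_req_cnf DIR: self-contained req config, so nothing depends on the
# system openssl.cnf. ca_ext is applied only to the CA's own -x509 certificate.
write_req_cnf() {
    cat > "$1/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# make_ca DIR: a passphrase-protected private key (ca.key, never leaves this
# machine) and a self-signed public certificate (ca.crt, given to every client).
make_ca() {
    mkdir -p "$1"; write_req_cnf "$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "pass:$CA_PASS" -out "$1/ca.key" 2>/dev/null
    openssl req -x509 -new -config "$1/req.cnf" -key "$1/ca.key" \
        -passin "pass:$CA_PASS" -days 3650 \
        -subj "/C=SE/O=Example VPN/CN=Example VPN CA" -out "$1/ca.crt"
}

# sign_csr CADIR CSR OUTCERT: the CA's only task in routine 1. The signature
# binds the DN in the request to the public key in the request.
sign_csr() {
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyAgreement\n' \
        > "$1/client.ext"
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -passin "pass:$CA_PASS" -CAcreateserial -days 365 \
        -extfile "$1/client.ext" -out "$3" 2>/dev/null
}

# routine1 CADIR CLIENTDIR NAME: the client makes its own key pair and request
# (CSR); only the CSR travels to the CA, so the private key never leaves the client.
routine1() {
    mkdir -p "$2"; write_req_cnf "$2"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$2/$3.key" 2>/dev/null
    openssl req -new -config "$2/req.cnf" -key "$2/$3.key" \
        -subj "/C=SE/O=Example VPN/CN=$3" -out "$2/$3.csr"
    cp "$2/$3.csr" "$1/$3.csr"                # request goes to the CA ...
    sign_csr "$1" "$1/$3.csr" "$1/$3.crt"
    cp "$1/$3.crt" "$1/ca.crt" "$2/"          # ... cert and CA cert come back
}

# routine2 CADIR CLIENTDIR NAME P12PASS: the CA generates key pair and certificate
# itself and ships both in a password-protected PKCS#12 bundle. Weaker than
# routine 1: the private key has existed on the CA and in transit.
routine2() {
    mkdir -p "$2"
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$3.key" -subj "/C=SE/O=Example VPN/CN=$3" \
        -out "$1/$3.csr" 2>/dev/null
    sign_csr "$1" "$1/$3.csr" "$1/$3.crt"
    openssl pkcs12 -export -inkey "$1/$3.key" -in "$1/$3.crt" \
        -certfile "$1/ca.crt" -name "$3" -passout "pass:$4" -out "$2/$3.p12"
    rm "$1/$3.key"                            # leave no private key on the CA
}

# verify_cert CAFILE CERT: succeeds only if CERT was signed by the CA in CAFILE.
verify_cert() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# cert_subject CERT: the DN the CA vouched for, in RFC 2253 form.
cert_subject() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1"; }

# run_demo WORKDIR: both routines end to end, plus the checks a VPN peer relies
# on. Returns 0 only if every check holds.
run_demo() {
    make_ca "$1/ca"
    routine1 "$1/ca" "$1/laptop-01" laptop-01
    routine2 "$1/ca" "$1/laptop-02" laptop-02 'p12-transport-password'
    if [ ! -f "$1/laptop-01/laptop-01.key" ] || [ -f "$1/ca/laptop-01.key" ]; then
        echo "routine 1: private key in the wrong place" >&2; return 1
    fi
    verify_cert "$1/ca/ca.crt" "$1/laptop-01/laptop-01.crt"
    verify_cert "$1/ca/ca.crt" "$1/ca/laptop-02.crt"
    # Same DN but signed by some other CA: must be rejected. The DN alone proves
    # nothing; only the signature of a CA the peer trusts does.
    make_ca "$1/rogue"
    sign_csr "$1/rogue" "$1/laptop-01/laptop-01.csr" "$1/rogue/laptop-01.crt"
    if verify_cert "$1/ca/ca.crt" "$1/rogue/laptop-01.crt"; then
        echo "certificate from an untrusted CA was accepted" >&2; return 1
    fi
    cert_subject "$1/laptop-01/laptop-01.crt"   # prints the signed identity
}
WORK=$(mktemp -d)
run_demo "$WORK"
echo "all checks passed; files left in $WORK"
```

The two routines differ only in where the private key is born: in routine 1 the CA directory never holds laptop-01.key, in routine 2 laptop-02.key has to be created on the CA and transported inside the PKCS#12 file, which is why the text prefers the first. The rogue-CA step shows what the CA's signature buys you: the second laptop-01.crt carries exactly the same DN, yet openssl verify rejects it because the trusted ca.crt did not sign it.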