Purpose of this Guide
This guide is designed to provide system administrators with detailed information about HOBLink VPN Gateway and to help them decide where and when this product can be most effectively deployed in their enterprise network. This documentation describes numerous possible scenarios and explains the required conditions.
Glossary terms: Dead Peer Detection; User Datagram Protocol; Distinguished Name; Network TUNnel/Tap, the Virtual Network Device; Tun/Tap Interface; Remote Desktop Protocol.
Configuration Parameters for IPsec (ipsec) ... 71
Configuration Parameters for Users (user) ... 73
Configuration Parameters for VPN (vpn) ... 74
6.10 Configuration Parameters for L2TP (l2tp) ... 80
6.11 Configuration Parameters for LDAP (ldap) ... 81
Information and Support
Versions for different products are provided and are primarily available for Linux, BSD and Microsoft Windows platforms. It is intended to support HOBLink VPN 1.8 clients and gateways, as well as other RFC compliant solutions. HOBLink VPN Gateway enables you to have secure, economical, reliable and universal remote access to all your enterprise IT resources.
Multiple encryption methods are supported, such as AES128, AES192, AES256, 3DES, Blowfish and CAST128. It is fully compatible with HOBLink VPN 1.6 and 1.8 gateways and clients, users and user groups, as well as with the IPsec products of many other vendors.
Components of HOBLink VPN Gateway
HOBLink VPN Gateway is a complete software solution that is delivered in modular form. These modules, both core modules and configuration modules, are installed together and work together to provide the functionality you require.
The browser-based configuration and retrieval of status information is managed by the HOB Portal system. This is installed in the folder HOBPortal, which is found in the HOB folder of the installation. A standard TCP/IP connection from a Java-capable web browser is used to connect to the HOB Portal server; please see Section 3.1 HOB Portal...
Use the HOBLink Security Manager either to create your own PKI or just to add the available certificates to your own keystore. These files can be edited via the HOBLink Security Manager tool, which is delivered on CD for separate installation.
Installing HOBLink VPN Gateway
The HOBLink VPN Gateway software is provided as a compressed file that is installed using an install script. The compressed file is hob-vpn2-gw.tar.bz2 and the install script is installVPN2-GW.sh.
System Requirements
The following are the minimum requirements for a successful installation of HOBLink VPN Gateway: HOBLink VPN Gateway is designed to run on the Linux operating system platform. It requires only a standard Linux machine with at least kernel 2.6.x, including the Tun/Tap interface.
Google Chrome - Version 34

HOB Portal
HOB Portal is the interface for the browser connection to HOBLink VPN Gateway over an IP-based network. This interface provides information about the gateway and allows HOBLink VPN Gateway to be configured.
Here you can find the path and name of the keystore as well as the password, which is hoblinkvpn by default.

3.1.3 Using your own SSL certificate
To use your own SSL certificate when connecting to HOB Portal, perform the following steps: Create your Java keystore containing a valid certificate.
HOBLink VPN Gateway portal.

Users
When you access the quick link Add a new user, you will see this screen. Here you can manage the users already configured in HOBLink VPN Gateway and add new users to the user list. 3.3.1 Add User...
There are also two buttons: click Reset to discard any edits and restore any previously entered information on this page; click Add user to save any changes and add the new user to the user list. 3.3.2 Users...
Sessions
When you access the quick link Manage sessions, you will see this screen. Here you manage the sessions in HOBLink VPN Gateway. Figure 5: Sessions
Sessions that are currently open are displayed in the list. Details of the sessions, such as username, authorities and last request time, are shown.
Portlets
When you access the quick link Manage the portal, you will see this screen. Here you manage portlets and pages. There are three tabs on this interface: Portlets, Pages and New. 3.5.1 Portlets...
Here the page configurations are displayed. The ID of each page as well as the portlets on each page are shown. If a page is to be deleted, select that page and click the Delete Selected button to remove it.
Using the HOB Portal
When the HOBLink VPN Gateway Logon screen is displayed, you will see this screen: Figure 9: Logon
Following the default installation, two default users are already configured: root (password = root) – the administrator user for the HOB Portal.
page for more information. HOB Portal – it is possible to return to the HOB Portal screen by clicking on this button. - click this button on the right of the title bar for the following options: HOBLink VPN ...
Configuring the Kanji GUI Tool
When you select HOBLink VPN Gateway Configuration in the HOB Portal for the first time, the following screen is displayed. Figure 11: HOBLink VPN Gateway Start Screen...
To configure HOBLink VPN Gateway using Kanji, it is necessary to specify the path of the VPN configuration file and to check the parameters used to create the Kanji interface, to ensure that it is running properly.
You can use the Add and Edit buttons to create a new path in this list or to edit an existing path. The other buttons on this screen (Back, Save, Save anyway, Reset, Clear and Validate) have the same functionality as on the HOBLink VPN Gateway configuration screens. Selecting Kanji and XML Filepaths from the Kanji...
Configuring HOBLink VPN Gateway
To start configuring, log on to HOBLink VPN Gateway (with the VPN administrator profile) and select the VPN Gateway Configuration interface. The most important parts of the configuration (the VPN Peers and the VPN Rules) are set up in Section 5.11 VPN...
Validate to make sure that any data entered in these fields is valid. On the left side of the maximized interface, the elements of the HOBLink VPN configuration are displayed in a hierarchical structure, making it easier to select the element to be configured.
Number of CPUs – this setting controls the number of threads started by the gateway. The more CPUs are available, the more threads are started if needed. The default value of zero lets HOBLink VPN automatically retrieve the real number of CPUs.
Select the Enable syslog checkbox. The syslog servers to which the logfiles can be written can then be set up on the following screen. The Enable syslog checkbox must be checked to enable the logging functionality at all.
Network
HOBLink VPN Gateway allows objects to be connected to create a VPN. In the screen shown here you can configure the individual objects. The List of Network Objects screen allows the configuration of objects of type Gateway, Network, Workstation and Group.
This field is only shown if the Type is Group.

Service
HOBLink VPN Gateway allows services to be configured for your system. These services can be used across the network. Services configured here are used in VPN Rules to specify the data traffic that is allowed through a VPN tunnel.
Destination port – enter a specific destination port.

Remote Authentication Dial In User Service (RADIUS)
HOBLink VPN Gateway allows you to configure a single RADIUS server or a group of RADIUS servers for your system. RADIUS is a network protocol standard used to manage access, authentication and authorization of users in a network.
Figure 22: List of RADIUS Groups
RADIUS Group
Here a list of the groups is shown. When you select a RADIUS group, the RADIUS servers configured in this group are shown in a list below.
LDAP provides for the sharing of user, system and network information throughout the network. For HOBLink VPN Gateway, many different types of LDAP may be used, with each LDAP service having its own configuration. These different LDAP services can be based on different LDAP templates that can also be configured in this section.
5.6.1 List of LDAP Services
Using this interface you can enter and manage the LDAP services that you wish to use for this configuration. Figure 23: List of LDAP Services
List of LDAP Services
This table holds a list of LDAP services in your network.
LDAP Entry
Here you can add LDAP servers to the selected LDAP service and configure them. The buttons below this list have the following functions: click New to create a new entry in the list of LDAP servers of the selected LDAP service.
5.6.2 List of LDAP Templates
Using this interface you can enter and manage the LDAP templates that you wish to use for this configuration. All fields on this screen must be completed in order to configure an LDAP template.
IPsec tunnel is still working. The default is 60 seconds.
IPsec scheme – select the IPsec scheme to be used. The L2TP protocol does not provide encryption by itself, but HOBLink VPN Gateway provides for IPsec to be used.
Internet Key Exchange (IKE)
IKE is the protocol used in IPsec to set up a security association (SA). IKEv2 is an expanded and improved version of IKE; HOBLink VPN Gateway facilitates the use of both versions. Here you specify the IKE scheme (Version 1) to be used by default, which is important in Main mode.
5.8.1 List of IKEv1 Schemes
Using this interface you can enter and manage the IKEv1 schemes that you wish to use for this configuration. Figure 27: List of IKEv1 Schemes
List of IKEv1 Schemes
A list of configured IKEv1 schemes is displayed.
Use the arrow buttons to manage the order in which the IKE schemes appear in this list. The entry fields for the List of IKEv1 Schemes interface are as follows:
Name – enter the name of the scheme you are adding to your network. This is a required field.
Pre-shared key – enter the pre-shared key. You can use the Hide/Show button to hide or show the value. Note: This is only mandatory if the methods chosen for Gateway authentication include Pre-shared key.
5.8.2 IKEv2
This screen holds the general IKEv2 parameters used in this HOBLink VPN Gateway configuration. Other parameters that may be individual for each peer are held in IKEv2 schemes, see Section 5.8.3 List of IKEv2 Schemes...
Hash – select the hash functions you wish to use from the list of available functions on the left by using the horizontal arrow buttons. You can then use the vertical arrow buttons to manage the list of hash functions that have already been selected.
List of IKEv2 Schemes
A list of configured IKEv2 schemes is displayed here. The buttons below the list have the following functions: click New to create a new entry in the list of IKEv2 schemes. You will then be prompted to enter a name as an identifier for the new scheme.
604800.

Internet Protocol Security (IPsec)
HOBLink VPN Gateway uses the IPsec security protocol to encrypt the communications between the peers in the network. How this is done can be configured in the following sections. The following screen shows the IPsec scheme that is defined by default for all new connections.
Here you can individually configure the IPsec schemes that can be used in HOBLink VPN Gateway. The buttons below this list have the following functions: click New to create a new entry in the list of IPsec schemes. You will then be prompted to enter a name as an identifier for this new scheme.
Description – enter a description of the scheme to help identification and management of the scheme.
Protocol – select the type of IPsec protocol to be used. The supported protocols are NONE, ESP, AH and AHESP. The default option NONE can only be specified if Compression is not NONE.
Figure 32: List of Users
List of Users
The users of HOBLink VPN Gateway also need to be configured. A list of configured users is displayed here. The buttons below this list have the following functions: click New to create a new entry in the list of users. You will then be prompted to enter a name as an identifier for this new user.
Figure 33: List of User Groups
List of User Groups
The user groups of HOBLink VPN Gateway also need to be configured. A list of configured user groups is displayed here. The buttons below this list have the following functions: click New to create a new entry in the list of user groups.
5.11 VPN
HOBLink VPN Gateway enables a VPN to be established between multiple devices. It needs to be installed on a host device; the other participants in the communication network, also known as VPN Peers, are then facilitated in their communications by this host.
IPIP substitute – (only used by Windows systems) the value should be in the range of 1-255. The default is 145.
NATT substitute – (only used by Windows systems) the value should be in the range of 1-255.
Enabled – check to enable the peer. This is enabled by default.
Description – enter a description of the peer to help identify and manage it.
Type – select the type category of the peer. Supported types are Gateway (default), User or User Group.
Virtual IP pool – select from the drop-down box the name of the network object that contains the pool. This is the pool of virtual IP addresses and masks for the peer type User Group.
List of VPN Rules
Here you configure the rules to be used with the VPN. The buttons below this list of configured VPN rules have the following functions: click New to create a new entry in the list of VPN rules. You will then be prompted to enter a name as an identifier for this new rule.
As a VPN functions across a number of devices simultaneously, it is always important to be able to check the status of the VPN on the various devices to make sure that they are functioning properly. HOBLink VPN Gateway provides the status information for this reason.
5.12.2 VPN Status
This allows you to check the connections of the machines where HOBLink VPN Gateway is running. Figure 38: VPN Status
The information shown on this screen is divided into two parts: The panel on the left contains the peers connected to the gateway (with the ...
Configuring XML Parameters for HOBLink VPN Gateway
The following is a list of the parameters contained in the vpnconfig.xml file and an accompanying explanation of each. These parameters may be edited as desired to improve functionality and applicability within your system or company.
Name (XML name: name) – This is the unique name for a...
Syslog Server IP Address (XML name: ineta) – This is the IP address or DNS name of your Syslog Server(s).
List of group members (XML name: member-list) – This is only valid for type GROUP. This is a prioritized comma-separated list of network objects that belong to the group. At least one network object is required (network\networkobject-list\networkobject-entry\name).
Source Port (XML name: src-port) – This is only valid for types TCP Port and UDP Port. It is a specified source port and is valid if 'any-src-port' = NO. The value should be in...
Option (XML name: option) – Two options are possible: MS-CHAP-V2 – this protocol is used to have more secure communications. NONE – this is selected when 'option' is empty. It is used the...
Configuration Parameters for IKE
It is possible to use IKEv1 or IKEv2. The schemes should be selected by default to be IKEv1.
Standard IKEv1 – This is the scheme used by default...
Diffie-Hellman Group (XML name: diffie-hellman-group) – This is a prioritized comma-separated list of Diffie-Hellman groups. The supported groups are MODP768, MODP1024, MODP1536, MODP2048, MODP3072, MODP4096, MODP6144, MODP8192, EC2NGF163, EC2NGF283, EC2NGF409, EC2NGF571.
IKE SA Lifetime – The SA lifetime in seconds.
Enable Dead Peer Detection – This is used to enable the Dead Peer Detection (YES/NO). The value by default is 'YES'.
Enable DPD logging (XML name: DPD-logging) – This is only valid if 'DPD' is enabled.
Hash (XML name: hash) – This is a prioritized comma-separated list of hash methods. The supported methods are HMAC_MD5 and HMAC_SHA1. If 'authentication' is DSA, the use of HMAC_SHA1 is required. Gateway...
Maximum allowed authentication retries (XML name: max-auth-retry-count) – This is only valid if 'enable-auth-retry' is enabled. This is the maximum number of allowed authentication retries. The value should be in the range 1-5, and 3 is...
Configuration Parameters for IPsec (ipsec)
The List of IPsec schemes (ipsec-scheme-list) contains a list of IPsec schemes used in the VPN Rules (vpn\rule-list\rule-entry\ipsec-scheme) configuration. For XML, every list element is grouped in the node ipsec-scheme-entry.
ESP integrity (XML name: esp-integrity) – This is only valid for protocols ESP and AHESP. This is a prioritized comma-separated list of integrity methods. The supported methods are HMAC_SHA1, HMAC_MD5.
Compression (XML name: compression) – This is the compression protocol used.
NAT keepalive (XML name: nat-keepalive) – This is the duration between two successive NAT keepalive retransmissions, in seconds. It is possible to select a time between 1 and 86400, or the value 0 to deactivate NAT keepalive retransmissions.
6.8.2 The 'List of Usergroups' (usergroup-list)
This list contains a list of groups used in the VPN Rules (vpn/rule-list/rule-entry/source) and in the List of VPN Peers (vpn/peer-list/peer-entry/name) configuration. For XML, every list element is grouped in the node usergroup-entry.
IPCOMP Substitute protocol number (XML name: ipcomp-substitute) – This is only used for Windows. The value should be in the range 1-255. The value by default is 144.
IPIP Substitute – This is only used for Windows. The...
IKEv2 scheme (XML name: ike2-scheme-name) – This is only valid if 'ike-version' is 2. This is the name of the IKE scheme used. The schemes should be specified previously in the list of IKE schemes (ike\ike2-...
RADIUS group (XML name: radius-group) – This is only valid for client authentication RADIUS. The groups should be specified previously in the list of RADIUS groups (radius\radius-group\name), because the RADIUS group name is used in this field.
Pool of Virtual IP Address and Mask (XML name: ineta-pool-name) – This is only valid for type GROUP and virtual-ineta-type IKE. This is the pool of virtual IP addresses and masks of the peer type Usergroup.
6.9.2 List of VPN Rules (rule-list)
For XML, every element is grouped as rule-entry.
Enabled (XML name: enabled) – This is used to enable the rule (YES/NO). The value by default is...
IPsec Scheme (XML name: ipsec-scheme) – This is only valid for action IPSEC. This is the name of the IPsec scheme. The schemes should be specified previously in the list of IPsec schemes (ipsec\ipsec-...
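As an added example (not code from the HOB manual or product), the following Python script checks a constructed vpnconfig.xml fragment against the IPsec scheme constraints described in this chapter: the rule that protocol NONE requires a compression other than NONE, the esp-integrity methods allowed for ESP and AHESP, the nat-keepalive range, and that every rule-entry with action IPSEC names a scheme defined in ipsec-scheme-list. The exact element layout is an assumption derived from the paths quoted in the manual.

```python
import xml.etree.ElementTree as ET

PROTOCOLS = {"NONE", "ESP", "AH", "AHESP"}   # protocol values named in the manual
INTEGRITY = {"HMAC_SHA1", "HMAC_MD5"}        # esp-integrity methods named in the manual

# Constructed sample; the element layout is an assumption based on the manual's paths.
SAMPLE_XML = """<vpnconfig>
  <ipsec><ipsec-scheme-list>
    <ipsec-scheme-entry>
      <name>esp-strong</name><protocol>ESP</protocol>
      <esp-integrity>HMAC_SHA1,HMAC_MD5</esp-integrity>
      <compression>NONE</compression><nat-keepalive>20</nat-keepalive>
    </ipsec-scheme-entry>
    <ipsec-scheme-entry>
      <name>compress-only</name><protocol>NONE</protocol>
      <compression>NONE</compression><nat-keepalive>99999</nat-keepalive>
    </ipsec-scheme-entry>
  </ipsec-scheme-list></ipsec>
  <vpn><rule-list>
    <rule-entry><name>r1</name><action>IPSEC</action>
      <ipsec-scheme>esp-strong</ipsec-scheme></rule-entry>
    <rule-entry><name>r2</name><action>IPSEC</action>
      <ipsec-scheme>missing</ipsec-scheme></rule-entry>
  </rule-list></vpn>
</vpnconfig>"""


def text(elem, tag, default=""):
    """Stripped text of a child element, or the default when it is absent."""
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else default


def check_scheme(entry):
    """Return a list of problems found in one ipsec-scheme-entry element."""
    name = text(entry, "name")
    proto = text(entry, "protocol", "NONE")
    comp = text(entry, "compression", "NONE")
    problems = []
    if proto not in PROTOCOLS:
        problems.append(f"{name}: unknown protocol {proto!r}")
    # Manual: protocol NONE may only be chosen when compression is not NONE.
    if proto == "NONE" and comp == "NONE":
        problems.append(f"{name}: protocol NONE requires a compression other than NONE")
    integ = text(entry, "esp-integrity")
    if integ:
        if proto not in ("ESP", "AHESP"):
            problems.append(f"{name}: esp-integrity is only valid for ESP and AHESP")
        bad = [m for m in integ.split(",") if m.strip() not in INTEGRITY]
        if bad:
            problems.append(f"{name}: unsupported integrity method(s) {bad}")
    # Manual: nat-keepalive is 0 (off) or 1-86400 seconds.
    ka = text(entry, "nat-keepalive", "0")
    if not ka.isdigit() or not (ka == "0" or 1 <= int(ka) <= 86400):
        problems.append(f"{name}: nat-keepalive {ka!r} is not 0 or within 1-86400")
    return problems


def validate(xml_text):
    """Check every IPsec scheme and every rule-entry's ipsec-scheme reference."""
    root = ET.fromstring(xml_text)
    problems, names = [], set()
    for entry in root.findall("ipsec/ipsec-scheme-list/ipsec-scheme-entry"):
        names.add(text(entry, "name"))
        problems.extend(check_scheme(entry))
    # Manual: a rule's ipsec-scheme must name a scheme defined in the list above.
    for rule in root.findall("vpn/rule-list/rule-entry"):
        scheme = text(rule, "ipsec-scheme")
        if text(rule, "action") == "IPSEC" and scheme not in names:
            problems.append(f"rule {text(rule, 'name')}: unknown ipsec-scheme {scheme!r}")
    return problems


if __name__ == "__main__":
    for problem in validate(SAMPLE_XML):
        print(problem)
```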
6.11 Configuration Parameters for LDAP (ldap)
There are two parts: LDAP services and LDAP templates. It is possible that several groups of LDAP services and several LDAP templates exist. For XML, every group of the LDAP services part is grouped in the node LDAP-service.
Buffer size for search results (XML name: search-result-buffer-size) – The value should be in the range 1024 - 65535, and 1024 is the value by default.
Maximum number of ... – The value should be in the range...
Information and Support
If you would like further information about HOBLink VPN Gateway or if you need product support, please contact us at: U.S.A. and Canada General Enquiries: Phone: + 1 866 914 9970...