
Authentec VPN Client Guide 12/2/10


About This Document


This document contains instructions for QuickSec IPsec VPN Client for Android users, describing how to configure and operate the product.

Client User Interface


The client's Graphical User Interface (GUI) displays status information about Policy Manager and the active connection, allows controlling the runtime operations of the client, as well as editing the configuration settings.

Document conventions

Convention   Use                                                    Example
Bold         Menus, GUI elements, strong emphasis.                  Click Apply or OK.
Monospace    Series of menu selections, filenames, commands,        Select File > Save. Refer to readme.txt.
             directories, URLs etc.
Italics      Reference to other documents or products, emphasis.    See Reference Manual.

Android client user interface

The QuickSec VPN Client can be started by clicking the VPN Client icon (bottom left of the screen).

The initial screen of the QuickSec VPN Client lists the currently configured connections.

Connecting

New connections can be created by pressing the Menu button and selecting the New option.

Existing connections can be edited by performing a long touch on the connection name in the list of connections and selecting the Edit option.

To remove the settings for a connection that is no longer required, select the Delete option from the Connection menu.

Connections can be activated by selecting the Connect option and disabled by selecting the Disconnect option.

Configuring connections

The connection options can be set up using the graphical user interface by defining a value for each of the required parameters. Select the Connection > Edit menu option to bring up the connection dialog. In the connection dialog, the following parameters can be defined:

Connection name: Name of the connection shown on the initial screen.
Connection template: Type of the connection and its pre-set parameters. This selection determines which of the parameters below are available.
Gateway: IP address of the security gateway.
Certificate: Certificate to be used for authentication.
Certificate Authority: CA to be used in this connection.
Username: Username for authentication of the user.
Password: User's password.
Pre-Shared Key Type: Key input method (text/hex).
Pre-Shared Key: The key to be used to authenticate.
Identity Type: Which IKE identity type is to be used with this connection.
Identity: Identity to be used.
Internal Subnet IP: IP subnets to be accessed through this connection. This is used for split tunneling.

For information on how to specify permanent configuration settings, see section 3 (Client Configuration).

Connection settings example

The following example specifies the manual connection parameters for a simple gateway connection, also described in Gateway Connection Example on page 16:

Gateway: 192.168.57.30
Pre-Shared Key Type: Text
Pre-Shared Key: torstA1
Identity Type: User FQDN
Identity: customer@example.com
Internal subnet: 10.1.1.0/24

About This Document

Client Configuration
Android connection templates
To minimize the number of fields the end user needs to configure for VPN connections, it is possible to pre-install connection templates in the VPN Client application. The built-in templates consist of IKE and IPsec parameters, but more of the connection values can be pre-set in a template.

When a new connection definition is created, the contents of a template are copied into the connection definition. After this, a limited set of parameters in the new connection definition can be modified using the VPN Client GUI, as described in Configuring connections on page 3. By using template files a network administrator can set the connection parameters for VPN networks that the user may activate without defining the configuration manually.

The VPN client comes pre-loaded with a set of templates for the most commonly used connection configurations. It is also possible to extend the set of available templates by side-loading customized templates to the following directory on the SD card:

/sdcard/vpn/templates/

The template package filename must match the following regular expression pattern:

[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}.txt

or in plain words: "8 hex digits"-"4 hex digits"-"4 hex digits"-"4 hex digits"-"12 hex digits".txt


Template model

The following notation is used for describing the connection template file syntax:

Each syntactic construct is defined by a rule consisting of the name of the construct, an equal sign and the definition of the construct. When there are multiple alternative definitions of a construct, the right-hand side of a rule consists of all these alternatives separated by vertical bars.

In the definition part of a rule, words beginning with a capital letter indicate constructs defined by other rules. Words written in lowercase letters are keywords; they must be written in the file exactly as shown. Words written in uppercase letters are values. They may use the quoted or unquoted value syntax described under Values below. Curly braces ({ and }) and semicolons (;) must appear in the file exactly as shown. Spaces and line breaks within a rule are not part of the definition; they just help format this document.

In the template model below, the letter W indicates optional white space, i.e. zero or more white space characters. At least one white space character must appear where two adjacent constructs cannot be separated otherwise, for example a keyword followed by an unquoted value.

The following listing is an empty model for a template, containing placeholders for global settings, connection definitions and template definitions in a single file.

Configuration-File = W Version W Configuration-Elements W

Version = version W VERSION W ;

Configuration-Elements = Empty
    | Configuration-Element W Configuration-Elements

Configuration-Element = active-connection W CONNECTION-TITLE W ;
    | startup-connect W ;
    | connection W CONNECTION-TITLE W { W Connection-Parameters W }
    | template W TEMPLATE-TITLE W { W Connection-Parameters W }

Connection-Parameters = Empty
    | Connection-Parameter W Connection-Parameters

Connection-Parameter = gateway-address W ADDRESS W ;
    | internal-subnet W NETWORK W ;
    | host-authentication W MODE W ;
    | user-authentication W ;
    | own-identity W { W type W TYPE W ; W value W VALUE W ; W }
    | pre-shared-key W { W type W TYPE W ; W value W VALUE W ; W }
    | ca-identity W { W type W TYPE W ; W value W VALUE W ; W }
    | username W USERNAME W ;
    | password W PASSWORD W ;
    | tunnel-mode W MODE W ;
    | ike-parameters W { W IKE-Parameters W }
    | ipsec-parameters W { W IPsec-Parameters W }

IKE-Parameters = Empty
    | IKE-Parameter W IKE-Parameters

IPsec-Parameters = Empty
    | IPsec-Parameter W IPsec-Parameters

IKE-Parameter = version W VERSION W ;
    | aggressive-mode W ;
    | encryption W ENCRYPTION W ;
    | integrity W INTEGRITY W ;
    | group W GROUP W ;
    | life W LIFE W ;

IPsec-Parameter = encryption W ENCRYPTION W ;
    | integrity W INTEGRITY W ;
    | perfect-forward-secrecy W ;
    | anti-replay W ;
    | life W { W type W TYPE W ; W value W VALUE W ; W }

Empty =


QuickSec VPN Client Templates Syntax


Template File Format

Special Characters

The following ASCII characters are special, unless escaped within a quoted value as explained below:

Characters 9 (horizontal tab), 10 (line feed), 11 (vertical tab), 12 (form feed), 13 (carriage return) and 32 (space) are treated as white space.
Character 34 (double quote ") is used to begin and end a quoted value.
Character 59 (semicolon ;) terminates a keyword-value sequence.
Character 92 (backslash \) is used as an escape character within a quoted value; outside quoted values it is not special.
Character 123 (left curly brace {) begins and character 125 (right curly brace }) ends a structure consisting of multiple configuration elements.

Keywords

A keyword is a sequence of one or more characters that do not belong to the set of special characters defined above.

Note: The backslash character (\) is not special within keywords.

Values

Values may be quoted or unquoted. A value is quoted if it is surrounded by double quotation marks (as in "value"). An unquoted value is similar to a keyword; it consists of characters that do not belong to the set of special characters. A value must be quoted if it contains special characters. It may be quoted in other cases too. Any special characters appearing in the value must be escaped by preceding them with the backslash character (\). This applies to the backslash character itself as well (\\). Escaping non-special characters has no effect. When processing the file, the extra backslash characters are removed and the following characters are treated as non-special.

White Space

White space characters are used to separate elements of the file from each other and to format the file for easy reading. Any number of white space characters may be used wherever white space is allowed. In some cases at least one white space character is necessary, for example between a keyword and an unquoted value. In other cases it is not necessary to use white space at all, for example between a keyword and a left curly brace.

Template Parameters

In place of the Connection-Parameters string in a template definition, the following elements may appear, in any order (the minimum and maximum numbers of occurrences of a particular element are shown in parentheses):

Gateway address (1, 1)
Internal subnet (0, 4)
Host authentication mode (1, 1)
User authentication mode (1, 1)
Own identity (0, 1)
Pre-shared key (0, 1)
Certificate authority identity (0, 1)
Username (0, 1)
Password (0, 1)
Tunnel mode (1, 1)
IKE parameters (1, 1)
IPsec parameters (1, 1)
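The special-character, quoting and white-space rules above are all a reader of a template needs to tokenize it. The following Python is an added example, not code from the manual or from the QuickSec product: a tokenizer and a recursive parser for the syntax just described. It treats ASCII 9 to 13 and 32 as white space, honours backslash escapes only inside quoted values, and returns every element as (keyword, [values], children), with children set to None for a ;-terminated element and to a list for a { ... } structure. The sample file and its titles are constructed for the example.

```python
# Added example, not code from the QuickSec manual: tokenizer and parser for the
# template file syntax (white space, '"', ';', '\', '{', '}').

WS = set(" \t\n\x0b\x0c\r")   # ASCII 9, 10, 11, 12, 13 and 32
PUNCT = set("{};")


def tokenize(text):
    """Split text into ('word', s), ('str', s) and ('punct', c) tokens."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c in WS:
            i += 1
        elif c in PUNCT:
            tokens.append(("punct", c))
            i += 1
        elif c == '"':                       # quoted value
            buf, i = [], i + 1
            while i < n and text[i] != '"':
                if text[i] == "\\":          # escape: take the next character literally
                    i += 1
                    if i >= n:
                        raise ValueError("dangling backslash in quoted value")
                buf.append(text[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted value")
            tokens.append(("str", "".join(buf)))
            i += 1                           # skip the closing quote
        else:                                # keyword or unquoted value; backslash is ordinary here
            j = i
            while j < n and text[j] not in WS and text[j] not in PUNCT and text[j] != '"':
                j += 1
            tokens.append(("word", text[i:j]))
            i = j
    return tokens


def parse_elements(tokens, pos=0, nested=False):
    """Parse elements until the end of input or the '}' that closes a nested structure."""
    elems = []
    while pos < len(tokens):
        kind, val = tokens[pos]
        if (kind, val) == ("punct", "}"):
            if not nested:
                raise ValueError("unexpected }")
            return elems, pos + 1
        if kind != "word":
            raise ValueError(f"expected a keyword, got {val!r}")
        keyword, args, pos = val, [], pos + 1
        while pos < len(tokens) and tokens[pos][0] != "punct":   # quoted or unquoted values
            args.append(tokens[pos][1])
            pos += 1
        if pos == len(tokens) or tokens[pos][1] == "}":
            raise ValueError(f"{keyword}: expected ; or {{")
        if tokens[pos][1] == ";":
            elems.append((keyword, args, None))
            pos += 1
        else:                                # '{': parse the structure recursively
            children, pos = parse_elements(tokens, pos + 1, nested=True)
            elems.append((keyword, args, children))
    if nested:
        raise ValueError("missing }")
    return elems, pos


def parse(text):
    """Parse a whole template file into a list of top-level elements."""
    return parse_elements(tokenize(text))[0]


# Constructed sample (not from the manual). The title and the DN must be quoted
# because they contain special characters; the title also shows escaped quotes.
SAMPLE = """
version 1.0;
template "Quoted \\"Title\\"" {
  gateway-address vpn.example.test;
  own-identity { type distinguished-name; value "CN=Example User, O=Example"; }
  ipsec-parameters { anti-replay; life { type seconds; value 28800; } }
}
"""
```

A missing closing brace or an unterminated quote is reported as a ValueError rather than silently accepted, which is the behaviour you want from anything that validates administrator-supplied templates before they are side-loaded.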

For a connection definition, the following restrictions apply:

If pre-shared host authentication is specified, then a pre-shared key must be present.
If public-key host authentication is specified, the own identity element is used to look up a certificate to be sent to the gateway. Also in this case the certificate authority identity element must be present; it is used to look up a CA certificate, which is used to request a certificate from the gateway and to validate it.

Gateway address

The gateway-address element defines the IP address of the remote VPN gateway in a connection definition. It is of the following form:

gateway-address ADDRESS;

The ADDRESS definition must be an IPv4 address in the dotted-decimal form, an IPv6 address expressed in text format (as specified in the RFC 2373 document), or a Fully Qualified Domain Name (FQDN).

Internal Subnet

The internal-subnet element defines a protected IP sub-network accessed through the VPN connection. It is of the following form:

internal-subnet NETWORK;

The NETWORK definition specifies the sub-network using the Classless Inter-Domain Routing (CIDR) notation. It consists of an IPv4 or IPv6 address in the same format as in the gateway address element above, a forward slash (ASCII character 47, or /) and a decimal number specifying the prefix length, i.e. the number of bits in the address that specify the network, for example 192.168.100.1/24. Bits of the address that are not part of the prefix must be zero.

Host Authentication Mode

The host-authentication element specifies whether host (machine) authentication is done using Pre-Shared Keys (PSK) or Public Key Infrastructure (PKI). It is of the following form:

host-authentication MODE;

The MODE definition is one of the following values:

pre-shared
public-key

User Authentication

When the user-authentication element is present, password-based user authentication is done in addition to machine authentication. The element is of the following form:

user-authentication;
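The restrictions above (the occurrence limits of the Template Parameters table, the pre-shared-key and ca-identity requirements of the two host authentication modes, and the CIDR rule that host bits must be zero) are easy to check mechanically before a template is deployed. The following Python is an added example, not code from the manual or from the product. It takes a connection or template body as a list of (keyword, value) pairs in file order, the shape a parser for this syntax hands over once each element's values are flattened; structured elements carry a dict. Two assumptions are marked in the code: user-authentication is treated as optional because the element description says "when present" although the table lists it as (1, 1), and the sample definition is constructed with two deliberate defects.

```python
import ipaddress

# Added example, not code from the QuickSec manual: checks for the documented
# connection restrictions. Input: [(keyword, value), ...] for one connection
# or template body; structured elements carry a dict as their value.

# Occurrence limits from the Template Parameters table. user-authentication is
# (1, 1) in the table but "when present" in its description; optional here (assumption).
LIMITS = {
    "gateway-address": (1, 1), "internal-subnet": (0, 4), "host-authentication": (1, 1),
    "user-authentication": (0, 1), "own-identity": (0, 1), "pre-shared-key": (0, 1),
    "ca-identity": (0, 1), "username": (0, 1), "password": (0, 1),
    "tunnel-mode": (1, 1), "ike-parameters": (1, 1), "ipsec-parameters": (1, 1),
}


def valid_network(text):
    """True if text is CIDR notation whose host bits are all zero, e.g. 192.168.100.0/24."""
    if "/" not in text:
        return False
    try:
        ipaddress.ip_network(text, strict=True)   # strict=True rejects 192.168.100.1/24
        return True
    except ValueError:
        return False


def check_connection(params):
    """Return a list of problem strings; an empty list means the definition passes."""
    problems, counts = [], {}
    for keyword, value in params:
        counts[keyword] = counts.get(keyword, 0) + 1
        if keyword == "internal-subnet" and not valid_network(value):
            problems.append(f"internal-subnet {value}: not CIDR notation or host bits set")
    for keyword, (lo, hi) in LIMITS.items():
        n = counts.get(keyword, 0)
        if not lo <= n <= hi:
            problems.append(f"{keyword}: {n} occurrence(s), allowed {lo}..{hi}")
    for keyword, value in params:
        if keyword != "host-authentication":
            continue
        if value == "pre-shared" and "pre-shared-key" not in counts:
            problems.append("pre-shared host authentication requires a pre-shared-key element")
        elif value == "public-key" and "ca-identity" not in counts:
            problems.append("public-key host authentication requires a ca-identity element")
        elif value not in ("pre-shared", "public-key"):
            problems.append(f"host-authentication {value!r}: must be pre-shared or public-key")
    return problems


# Constructed sample (not from the manual) with two deliberate defects:
# a subnet with host bits set and a missing pre-shared key.
SAMPLE = [
    ("gateway-address", "vpn.example.test"),
    ("internal-subnet", "192.168.100.1/24"),
    ("internal-subnet", "10.1.1.0/24"),
    ("host-authentication", "pre-shared"),
    ("own-identity", {"type": "user-fqdn", "value": "user@example.test"}),
    ("tunnel-mode", "ipsec"),
    ("ike-parameters", {"version": "2"}),
    ("ipsec-parameters", {"encryption": "aes-cbc-128"}),
]
```

The strict network check matters for split tunneling: a prefix with stray host bits is ambiguous about which addresses are routed through the tunnel, so it is better rejected at template-authoring time than interpreted by the client.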

Own Identity

The own-identity element defines the identity of the VPN Client machine in the IKE negotiation. It is of the following form:

own-identity { type TYPE; value VALUE; }

The TYPE definition specifies how VALUE is to be interpreted. Acceptable values of TYPE and the corresponding interpretations of VALUE are the following:

ip-address: an IPv4 or IPv6 address.
fqdn: a Fully Qualified Domain Name (FQDN).
user-fqdn: a fully qualified username string, i.e. a username followed by an at sign (ASCII character 64, or @) and a Fully Qualified Domain Name (FQDN), for example user@example.com.
distinguished-name: string representation of an X.500 Distinguished Name (DN) in the format specified in the RFC 4514 document.
key-identifier: an opaque key or certificate identifier expressed as a string of hexadecimal digits.

If public-key host authentication is used, it must be possible to associate the identity with a certificate and a private key in the local certificate store using the subjectName, subjectAltName or subjectKeyIdentifier components of the certificate.

Pre-Shared Key

This element defines a pre-shared key used in the IKE negotiation. It is of the following form:

pre-shared-key { type TYPE; value VALUE; }

The TYPE definition specifies how VALUE is to be interpreted. Regardless of TYPE, VALUE is the base64 encoding (according to the RFC 2068 document) of the bytes of a UTF-8 string. TYPE applies to the string after base64 decoding. Acceptable values of TYPE and the corresponding interpretations of the decoded VALUE are the following:

string: the decoded VALUE is a UTF-8 string, and the bytes of its UTF-8 representation become the pre-shared key.
hexadecimal: the decoded VALUE must be a string of hexadecimal digits that are read two at a time to get the values of the bytes of the pre-shared key.

Certificate Authority Identity

The ca-identity element specifies the identity that is used to look up a Certificate Authority (CA) certificate in the certificate store of the VPN Client machine. It is of the following form:

ca-identity { type TYPE; value VALUE; }

The TYPE and VALUE definitions follow the same rules as in the own-identity element above. The identity is used to look up a CA certificate in the local certificate store. An identifier of the CA certificate is sent to the VPN gateway to request it to send its own certificate. The CA certificate is subsequently used to validate the certificate sent by the gateway.

Username

The username element specifies the username to be used in user authentication after host authentication is completed. It is of the following form:

username USERNAME;

The USERNAME definition may be any string. The value sent to the gateway consists of the bytes of the UTF-8 representation of the string.

Password

This element specifies the password to be used in user authentication after host authentication is completed. It is of the following form:

password PASSWORD;

The PASSWORD definition is the base64 encoding (according to RFC 2068) of the bytes of a UTF-8 string. The value sent to the gateway consists of the bytes of the UTF-8 representation.
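Both the pre-shared-key VALUE and the password PASSWORD are the base64 encoding of a UTF-8 string, and for the pre-shared key the TYPE is applied only after decoding. The following Python is an added example, not code from the manual or from the product: it produces the encoded VALUE from the plain text an administrator holds (the GUI accepts the key as plain text; the template file does not) and recovers the key bytes for both TYPE values. Tolerating omitted "=" padding is my assumption; the manual specifies standard base64. The key text used in the usage line is the manual's own GUI example.

```python
import base64
import binascii

# Added example, not code from the QuickSec manual: helpers for the base64
# VALUE form used by the pre-shared-key and password elements.


def encode_value(text):
    """Base64 of the UTF-8 bytes of text: the form a pre-shared-key VALUE or a
    password PASSWORD must take in the template file."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_value(value):
    """Reverse of encode_value: base64 -> UTF-8 string. Missing '=' padding is
    tolerated (assumption); anything that is not base64 is rejected."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"VALUE is not valid base64: {exc}") from exc
    return raw.decode("utf-8")


def psk_bytes(key_type, value):
    """Key bytes for a pre-shared-key element. TYPE string: the UTF-8 bytes of the
    decoded string. TYPE hexadecimal: the decoded string is hex digits, two per byte."""
    decoded = decode_value(value)
    if key_type == "string":
        return decoded.encode("utf-8")
    if key_type == "hexadecimal":
        if len(decoded) % 2 or any(c not in "0123456789abcdefABCDEF" for c in decoded):
            raise ValueError("hexadecimal PSK must be an even number of hex digits")
        return bytes.fromhex(decoded)
    raise ValueError(f"unknown pre-shared-key type {key_type!r}")


def psk_element(key_type, text):
    """Render a complete pre-shared-key element for the template file."""
    return f"pre-shared-key {{ type {key_type}; value {encode_value(text)}; }}"


if __name__ == "__main__":
    # The GUI example key from the manual, as it would have to appear in a file.
    print(psk_element("string", "torstA1"))
```

Base64 is an encoding, not protection: a template containing a pre-shared key or password on the SD card is readable by anything that can read the card, so treat such files with the same care as the credentials they carry.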

Tunnel Mode

The tunnel-mode element specifies the VPN tunneling and client configuration method. It is of the following form:

tunnel-mode MODE;

The MODE definition is one of the following values:

ipsec: specifies IPsec in tunnel mode with the internal IP address configured using IKE Config Mode (IKEv1) or the IKE Configuration Payload (IKEv2).
l2tp-over-ipsec: specifies Layer 2 Tunneling Protocol (L2TP) over transport-mode IPsec with the internal IP address configured using the Point-to-Point Protocol (PPP).

IKE Parameters

The ike-parameters element specifies the parameters to be used to negotiate the Internet Key Exchange (IKE) Security Association (SA). It is of the following form:

ike-parameters { IKE-Parameters }

IKE-Parameters must contain the following elements, in any order:

IKE version (mandatory)
IKE phase 1 aggressive mode (optional)
IKE encryption (mandatory)
IKE pseudo-random function (mandatory)
IKE integrity (mandatory)
IKE group (mandatory)
IKE life (mandatory)

IKE Version

The version element specifies the IKE protocol version (IKEv1 or IKEv2) to be used with the VPN connection. It is of the following form:

version VERSION;

The VERSION definition is one of the following values:

1
2

IKE Phase 1 Aggressive Mode

When the aggressive-mode element is present, the aggressive mode phase 1 exchange is used with IKEv1 instead of main mode. It is of the following form:

aggressive-mode;

Note: This value has no effect on IKEv2 connections.

IKE Encryption

The encryption element specifies the encryption algorithm of the IKE Security Association. It is of the following form:

encryption ENCRYPTION;

The ENCRYPTION definition is one of the following values:

3des-cbc
aes-cbc-128
aes-cbc-192
aes-cbc-256

IKE Integrity

The integrity element specifies the integrity algorithm of the IKE Security Association. It is of the following form:

integrity INTEGRITY;

The INTEGRITY definition is one of the following values:

hmac-md5-96
hmac-sha1-96
aes-xcbc-mac-96
hmac-sha-256-128
hmac-sha-384-192
hmac-sha-512-256

Note: The aes-xcbc-mac-96 value is not valid with IKE version 1.

IKE Group

The group element specifies the Diffie-Hellman group used in the IKE SA negotiation. It is of the following form:

group GROUP;

The GROUP definition is one of the following values (the corresponding IKEv1/IKEv2 group id is shown in parentheses):

modp-768 (group id 1)
modp-1024 (group id 2)
modp-1536 (group id 5)
modp-2048 (group id 14)
modp-3072 (group id 15)
modp-4096 (group id 16)
modp-6144 (group id 17)
modp-8192 (group id 18)
ecp-256 (group id 19)
ecp-384 (group id 20)
ecp-521 (group id 21)

IKE Life

The life element specifies the maximum lifetime of the IKE SA. It is of the following form:

life LIFE;

The LIFE definition must be a decimal number and specifies the IKE SA lifetime in seconds.

IPsec Parameters

The ipsec-parameters element specifies the parameters to be used to negotiate IPsec Security Associations. It is of the following form:

ipsec-parameters { IPsec-Parameters }

IPsec-Parameters must contain the following elements, in any order:

IPsec encryption (mandatory)
IPsec integrity (mandatory)
IPsec perfect forward secrecy (optional)
IPsec anti-replay (optional)
IPsec life (mandatory)

IPsec Encryption

The encryption element specifies the encryption algorithm of an IPsec Security Association. It is of the following form:

encryption ENCRYPTION;

The ENCRYPTION definition is one of the following values:

3des-cbc
aes-cbc-128
aes-cbc-192
aes-cbc-256
aes-gcm-128
aes-gcm-192
aes-gcm-256
null

Note: The value null must be used if the IPsec integrity algorithm is aes-gmac-128, aes-gmac-192 or aes-gmac-256, and must not be used with any other IPsec integrity algorithm value.

IPsec Integrity

The integrity element specifies the integrity algorithm of an IPsec SA. It is of the following form:

integrity INTEGRITY;

The INTEGRITY definition is one of the following values:

hmac-md5-96
hmac-sha1-96
aes-xcbc-mac-96
hmac-sha-256-128
hmac-sha-384-192
hmac-sha-512-256
null
aes-gmac-128
aes-gmac-192
aes-gmac-256

Note: The values aes-gmac-128, aes-gmac-192 and aes-gmac-256 are not valid with IKE version. The value null must be used if the IPsec encryption algorithm is aes-gcm-128, aes-gcm-192 or aes-gcm-256, and must not be used with any other IPsec encryption algorithm value.

IPsec Perfect Forward Secrecy

When the perfect-forward-secrecy element is present, IPsec Perfect Forward Secrecy (PFS) is used. It is of the following form:

perfect-forward-secrecy;

The Diffie-Hellman group used for IPsec SA keying with PFS is the one specified for IKE in IKE Parameters.

IPsec Anti-Replay

When the anti-replay element is present, IPsec anti-replay is used. It is of the following form:

anti-replay;

IPsec Life

The life element specifies the maximum lifetime of an IPsec SA. It is of the following form:

life { type TYPE; value VALUE; }

The TYPE definition specifies how VALUE is to be interpreted. Acceptable values of TYPE and the corresponding interpretations of VALUE are the following:

seconds: a decimal number that specifies the maximum SA lifetime in seconds.
kilobytes: a decimal number that specifies the maximum SA lifetime in kilobytes of data transferred through the SA.
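The IKE and IPsec sections above carry several cross-element rules that a template author can get wrong silently: aes-xcbc-mac-96 is not valid for IKE integrity with IKE version 1, IPsec encryption null is required with the aes-gmac-* integrity values and forbidden otherwise, IPsec integrity null is required with the aes-gcm-* encryption values and forbidden otherwise, and both life values must be decimal numbers. The following Python is an added example, not code from the manual or from the product, that encodes exactly those rules together with the value lists. Each block is given as a dict of keyword to value, with the life structure of ipsec-parameters as a nested dict; the sample inputs in the usage are constructed.

```python
# Added example, not code from the QuickSec manual: value-list and pairing
# checks for ike-parameters and ipsec-parameters blocks.

IKE_ENCRYPTION = {"3des-cbc", "aes-cbc-128", "aes-cbc-192", "aes-cbc-256"}
IKE_INTEGRITY = {"hmac-md5-96", "hmac-sha1-96", "aes-xcbc-mac-96",
                 "hmac-sha-256-128", "hmac-sha-384-192", "hmac-sha-512-256"}
IKE_GROUPS = {"modp-768": 1, "modp-1024": 2, "modp-1536": 5, "modp-2048": 14,
              "modp-3072": 15, "modp-4096": 16, "modp-6144": 17, "modp-8192": 18,
              "ecp-256": 19, "ecp-384": 20, "ecp-521": 21}   # value -> IKE group id
GCM = {"aes-gcm-128", "aes-gcm-192", "aes-gcm-256"}
GMAC = {"aes-gmac-128", "aes-gmac-192", "aes-gmac-256"}
IPSEC_ENCRYPTION = IKE_ENCRYPTION | GCM | {"null"}
IPSEC_INTEGRITY = IKE_INTEGRITY | GMAC | {"null"}


def check_ike(ike):
    """Problems with an ike-parameters block (dict keyword -> value); [] means it passes."""
    problems = []
    version = ike.get("version")
    if version not in ("1", "2"):
        problems.append(f"ike version {version!r}: must be 1 or 2")
    for key, allowed in (("encryption", IKE_ENCRYPTION), ("integrity", IKE_INTEGRITY),
                         ("group", IKE_GROUPS)):
        if ike.get(key) not in allowed:
            problems.append(f"ike {key} {ike.get(key)!r}: not an allowed value")
    if version == "1" and ike.get("integrity") == "aes-xcbc-mac-96":
        problems.append("ike integrity aes-xcbc-mac-96 is not valid with IKE version 1")
    if not str(ike.get("life", "")).isdigit():
        problems.append("ike life must be a decimal number of seconds")
    return problems


def check_ipsec(ipsec):
    """Problems with an ipsec-parameters block; life is a dict {type, value}."""
    problems = []
    enc, integ = ipsec.get("encryption"), ipsec.get("integrity")
    if enc not in IPSEC_ENCRYPTION:
        problems.append(f"ipsec encryption {enc!r}: not an allowed value")
    if integ not in IPSEC_INTEGRITY:
        problems.append(f"ipsec integrity {integ!r}: not an allowed value")
    # encryption null is required with aes-gmac-* integrity and forbidden otherwise
    if (enc == "null") != (integ in GMAC):
        problems.append("ipsec encryption null must be paired with aes-gmac-* integrity, and only then")
    # integrity null is required with aes-gcm-* encryption and forbidden otherwise
    if (integ == "null") != (enc in GCM):
        problems.append("ipsec integrity null must be paired with aes-gcm-* encryption, and only then")
    life = ipsec.get("life") or {}
    if life.get("type") not in ("seconds", "kilobytes") or not str(life.get("value", "")).isdigit():
        problems.append("ipsec life must be { type seconds|kilobytes; value DECIMAL; }")
    return problems


if __name__ == "__main__":
    # Constructed inputs: an IKEv1 block using the IKEv2-only integrity value,
    # and an AES-GCM IPsec block that forgot to set integrity to null.
    print(check_ike({"version": "1", "encryption": "3des-cbc", "integrity": "aes-xcbc-mac-96",
                     "group": "modp-1024", "life": "86400"}))
    print(check_ipsec({"encryption": "aes-gcm-128", "integrity": "hmac-sha1-96",
                       "life": {"type": "seconds", "value": "28800"}}))
```

The two pairing rules are written as equivalences on purpose: the manual states each of them in both directions (null is required in one case and forbidden in all others), so a single `!=` between the two conditions captures the whole rule.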


Certificate Support

QuickSec IPsec VPN Client for Android supports BER-encoded public-key certificates and PKCS #8 formatted private keys. Supported certificate and private key types and their filename extensions are the following:

.ca: Certificate Authority (CA) certificate
.crt: end-user certificate
.pkcs8: private key

Certificate Storage

QuickSec IPsec VPN Client for Android stores certificates and private keys in the following directory:

/sdcard/vpn/certificates/

There is no integration with an existing certificate store or secure key storage in the current version. Certificate store support will be added in a follow-up revision. New certificates and private keys can be added to the certificate directory using the Android Debug Bridge (ADB) package. The end user or IT administrator should pre-install any required certificates and private keys on the device.
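Because the client reads whatever is dropped into /sdcard/vpn/certificates/, a quick pre-flight check of the files before they are pushed with ADB saves a round trip to the device. The following Python is an added example, not code from the manual or from the product: it maps the three documented extensions to their roles and checks that each file is BER/DER framed (first byte 0x30, an ASN.1 SEQUENCE) rather than PEM text. The manual only states that BER-encoded certificates and PKCS #8 keys are supported; that PEM-armoured files are not accepted as-is is my assumption, which is why they are reported. Input is a dict of filename to bytes, and the sample bytes are constructed, not real credentials.

```python
# Added example, not code from the QuickSec manual: pre-flight check for the
# certificate directory contents (extension role + BER/DER vs PEM framing).

ROLES = {".ca": "CA certificate", ".crt": "end-user certificate", ".pkcs8": "private key"}


def classify(name, data):
    """Return (role, framing) where framing is 'ber', 'pem' or 'unknown'."""
    ext = name[name.rfind("."):] if "." in name else ""
    role = ROLES.get(ext, "unsupported extension")
    if data.startswith(b"-----BEGIN"):
        framing = "pem"
    elif data[:1] == b"\x30":          # ASN.1 SEQUENCE tag: what BER/DER certs and PKCS #8 keys start with
        framing = "ber"
    else:
        framing = "unknown"
    return role, framing


def audit(files):
    """List problems for a set of files about to be installed; [] means all look fine."""
    problems = []
    for name, data in files.items():
        role, framing = classify(name, data)
        if role == "unsupported extension":
            problems.append(f"{name}: extension not one of {', '.join(ROLES)}")
        elif framing != "ber":
            # PEM is assumed not to be accepted as-is (the manual documents BER only)
            problems.append(f"{name}: {role} is {framing}, expected BER/DER encoding")
    return problems


# Constructed sample bytes (not real credentials): a DER-framed CA certificate,
# a PEM-armoured user certificate, and a DER-framed PKCS #8 key.
SAMPLE_FILES = {
    "corp-ca.ca": b"\x30\x82\x01\x00" + b"\x00" * 8,
    "user.crt": b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "user.pkcs8": b"\x30\x82\x00\x80" + b"\x00" * 8,
}

if __name__ == "__main__":
    for line in audit(SAMPLE_FILES):
        print(line)
```

Since the current version keeps private keys as plain files on the SD card with no secure key storage, the same audit is a reasonable place to confirm that only the intended .pkcs8 files are present before the device leaves the administrator's hands.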

Android Configuration Examples


Gateway Connection Example

An example connection to a gateway can be specified using the following configuration data:

connection "Example Gateway" {
    gateway-address 192.168.57.30;
    internal-subnet 10.1.1.0/24;
    host-authentication pre-shared;
    pre-shared-key {
        type string;
        value UGVyamFUD;
    }
    own-identity {
        type user-fqdn;
        value customer@example.com;
    }
    tunnel-mode ipsec;
    ipsec-parameters {
        encryption aes-cbc-128;
        integrity hmac-sha1-96;
        anti-replay;
        life {
            type seconds;
            value 28800;
        }
    }
    ike-parameters {
        version 2;
        encryption aes-cbc-128;
        integrity hmac-sha1-96;
        group modp-1024;
        life 86400;
    }
}

Example of Template Use

The example below contains global settings, connection definitions and template definitions in a single file.

version 1.0;
active-connection "EMEA Low Security";
startup-connect;

connection "VPN to Company" {
    gateway-address 1.1.1.1;
    internal-subnet 1.1.2.0/24;
    internal-subnet 1.1.3.0/24;
    internal-subnet 2001::0/64;
    host-authentication pre-shared;
    own-identity { type user-fqdn; value user@example.com; }
    pre-shared-key { type string; value foo; }
    tunnel-mode ipsec;
    ike-parameters {
        version 1;
        encryption 3des-cbc;
        pseudo-random hmac-sha1;
        integrity hmac-sha1-96;
        group modp-1024;
        life 86400;
    }
    ipsec-parameters {
        encryption 3des-cbc;
        integrity hmac-sha1-96;
        perfect-forward-secrecy;
        anti-replay;
        life { type seconds; value 28800; }
    }
}

connection "VPN to Corporation" {
    gateway-address 2.2.2.2;
    internal-subnet 2.2.0.0/16;
    internal-subnet 2.3.0.0/16;
    internal-subnet 2003::0/64;
    host-authentication public-key;
    user-authentication;
    own-identity { type distinguished-name; value "CN=User Account, O=AuthenTec, C=FI"; }
    ca-identity { type distinguished-name; value "CN=APAC CA, O=AuthenTec, C=KR"; }
    username "user";
    password "bing bong tilt";
    tunnel-mode ipsec;
    ike-parameters {
        version 2;
        encryption aes-cbc-128;
        pseudo-random aes-xcbc-prf-128;
        integrity aes-xcbc-mac-96;
        group modp-2048;
        life 86400;
    }
    ipsec-parameters {
        encryption aes-cbc-128;
        integrity aes-xcbc-mac-96;
        perfect-forward-secrecy;
        anti-replay;
        life { type seconds; value 28800; }
    }
}

template "Company" {
    gateway-address 1.1.1.1;
    internal-subnet 1.1.2.0/24;
    internal-subnet 1.1.3.0/24;
    internal-subnet 2001::0/64;
    host-authentication pre-shared;
    tunnel-mode ipsec;
    ike-parameters {
        version 1;
        encryption 3des-cbc;
        integrity hmac-sha1-96;
        group modp-1024;
        life 86400;
    }
    ipsec-parameters {
        encryption 3des-cbc;
        integrity hmac-sha1-96;
        perfect-forward-secrecy;
        anti-replay;
        life { type seconds; value 28800; }
    }
}

template "Corporation" {
    gateway-address 2.2.2.2;
    internal-subnet 2.2.0.0/16;
    internal-subnet 2.3.0.0/16;
    internal-subnet 2003::0/64;
    host-authentication public-key;
    user-authentication;
    tunnel-mode ipsec;
    ike-parameters {
        version 2;
        encryption aes-cbc-128;
        integrity aes-xcbc-mac-96;
        group modp-2048;
        life 86400;
    }
    ipsec-parameters {
        encryption aes-cbc-128;
        integrity aes-xcbc-mac-96;
        perfect-forward-secrecy;
        anti-replay;
        life { type seconds; value 28800; }
    }
}
