Jun 21

In StoneGate Management Center 5.2 the VPN troubleshooting tools have improved significantly. There are a lot of new drill-in actions available in System Status view. You can for example right-click any VPN tunnel in the VPN diagrams and drill-in to logs that flow through the selected tunnel. You can also right-click individual Gateways or Endpoints (from the Info panel) and drill-in to the related logs.

Drill in to VPN log data

written by teroja

Mar 02

StoneGate 5.0: VPN diagrams

Feature Previews, SMC, VPN -

StoneGate Management Center 5.0 introduces a new network diagram type: VPN diagrams. This gives you two interesting possibilities:

  • Visualize the VPN topologies
  • Monitor the status of VPN tunnels

VPN Diagram

VPN diagrams are autogenerated in the System Status view. You’ll see the VPN topology and the status of the VPN tunnels with a single click. You can also select individual Gateways from the Status tree; the system then draws a diagram that includes all the tunnels of all the VPNs in which the selected gateway is used. If these features still don’t satisfy your needs, you can of course create custom VPN network diagrams that show exactly the information you need. Network diagrams are, by the way, also a convenient tool for documenting your environment.

written by teroja

Jan 23

VPN: where is my fragmentation needed ICMP message?

Hints and Tips, VPN -

If there is a link with a smaller MTU somewhere between the VPN gateways, the router connected to that link sends an ICMP Fragmentation Needed message (type 3, code 4) in response to ESP packets that have the DF bit set and are bigger than the MTU.

However, at that moment only the MTU information is stored on the firewall; no ICMP error message is sent to the endpoint of the original connection.

Only when the host in the internal network sends its next packet does the firewall handling the connection reply with the ICMP error message.
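The sequence described above, as an added toy simulation (not Stonesoft code): the router answers an oversized DF-flagged ESP packet with ICMP type 3 code 4, the firewall only records the learned MTU, and the internal host receives an error (with the MTU reduced by the tunnel overhead) only on its next packet. The addresses, packet sizes and the 56-byte ESP overhead are constructed assumptions.

```python
"""Toy simulation of the path-MTU behaviour described in the post: the
firewall learns the path MTU from the router's ICMP error but relays an
ICMP error to the internal host only when that host sends its next packet.
Constructed example; sizes, addresses and ESP_OVERHEAD are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ICMP_DEST_UNREACHABLE = 3   # ICMP type
ICMP_FRAG_NEEDED = 4        # ICMP code: fragmentation needed and DF set
ESP_OVERHEAD = 56           # assumed bytes added by ESP encapsulation (not from the page)


@dataclass
class Packet:
    src: str
    dst: str
    size: int
    df: bool = True


@dataclass
class IcmpError:
    icmp_type: int
    code: int
    mtu: int       # next-hop MTU advertised by the sender of the error
    target: str    # address the error is sent to


class Router:
    """Router in front of a link with a small MTU; rejects oversized DF packets."""

    def __init__(self, link_mtu: int) -> None:
        self.link_mtu = link_mtu

    def forward(self, pkt: Packet) -> Optional[IcmpError]:
        if pkt.df and pkt.size > self.link_mtu:
            return IcmpError(ICMP_DEST_UNREACHABLE, ICMP_FRAG_NEEDED, self.link_mtu, pkt.src)
        return None  # packet delivered


class VpnFirewall:
    """VPN gateway that encapsulates host traffic in ESP towards a peer gateway."""

    def __init__(self, own_addr: str, peer_addr: str, router: Router) -> None:
        self.own_addr = own_addr
        self.peer_addr = peer_addr
        self.router = router
        self.pmtu: Dict[str, int] = {}   # learned path MTU per peer gateway

    def send_from_host(self, pkt: Packet) -> Tuple[str, Optional[IcmpError]]:
        esp_size = pkt.size + ESP_OVERHEAD
        known = self.pmtu.get(self.peer_addr)
        if known is not None and pkt.df and esp_size > known:
            # A later packet: now the host gets the error, with the
            # advertised MTU reduced by the tunnel overhead.
            err = IcmpError(ICMP_DEST_UNREACHABLE, ICMP_FRAG_NEEDED, known - ESP_OVERHEAD, pkt.src)
            return "icmp_to_host", err
        esp = Packet(self.own_addr, self.peer_addr, esp_size, df=True)
        err = self.router.forward(esp)
        if err is not None:
            # First time: only remember the MTU; no error to the host yet.
            self.pmtu[self.peer_addr] = err.mtu
            return "dropped_mtu_learned", None
        return "forwarded", None


def run_scenario() -> List[Tuple[str, Optional[int]]]:
    """Three packets from one internal host across a 1400-byte link."""
    fw = VpnFirewall("198.51.100.1", "203.0.113.1", Router(link_mtu=1400))
    outcomes = []
    for size in (1400, 1400, 1300):
        status, err = fw.send_from_host(Packet("10.0.0.10", "10.1.0.10", size))
        outcomes.append((status, err.mtu if err else None))
    return outcomes


if __name__ == "__main__":
    for status, mtu in run_scenario():
        print(status, mtu)
```

The first 1400-byte packet is lost silently while the firewall records the 1400-byte path MTU; the second one triggers the ICMP error to the host advertising 1344 bytes; the 1300-byte packet fits and is forwarded.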

written by RoarinPenguin

Dec 22

MultiLink VPN and Load Balancing… the truth.

MultiLink VPN, Tech dives -

Some details about StoneGate MultiLink VPN and Load Balancing.

The goal is to explain a bit how it works, to avoid false expectations.

Link selection is done per packet.
This means that a single TCP/UDP connection can change link during its lifetime.
This provides transparent failover between links when using Multi-Link VPN, but it does not mean that consecutive packets are intelligently routed over different links in order to provide increased bandwidth.

The result, especially with multiple connections, is a de facto aggregation of the performance of multiple links with transparent failover (the latter is not possible with MultiLink ISP).

For example: a customer has two sites (Site A and Site B) with a 1 Mbps connection between them. When the customer deployed StoneGate Multi-Link VPN there and added another 1 Mbps ISP connection, the performance did not double to 2 Mbps when tested. Why is that?

Because:

  1. StoneGate Multi-Link VPN does load balancing based on host pairs. This customer had only one host on each site, and these two hosts were exchanging messages with each other.
  2. From StoneGate’s point of view this is one connection, and this one connection uses the fastest ISP link. All connections between these two hosts use the same ISP link. StoneGate cannot split one connection between several ISP links. That is why the customer got 1 Mbps performance instead of 2 Mbps.
  3. This is a special case, because normally customers have several hosts connected through the Multi-Link VPN connection. Then StoneGate can and will load balance each host pair over different ISPs, and the customer gets on average near 2 Mbps as the total capacity between the sites.
  4. Remember that each separate VPN tunnel in this case has a maximum speed of 1 Mbps (because each ISP link has 1 Mbps speed). But if you look at the total capacity between Site A and Site B, it is 2 Mbps.
  5. In layman’s terms: the maximum speed stays at 1 Mbps when you add another ISP and use StoneGate Multi-Link VPN, but the capacity doubles.

A good analogy is a highway with a 70 miles per hour speed limit. If you add another lane to the highway, the speed limit stays the same (70 miles per hour), but twice as many cars get through.
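The host-pair behaviour from the numbered list and the per-packet failover from the start of the post, as an added toy model (not StoneGate's code). StoneGate's real link-selection algorithm is not described here, so a byte-sum hash over the host pair stands in for it; the addresses and the two 1 Mbps links are constructed to match the customer example.

```python
"""Toy model of the Multi-Link VPN behaviour described in this post:
a host pair is pinned to one link, selection happens per packet so a
failed link is replaced transparently, and aggregate capacity grows
with the number of host pairs. Constructed example; the hash is a
stand-in for an undocumented selection function."""
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

Links = Dict[str, float]      # link name -> capacity in Mbps
HostPair = Tuple[str, str]


def select_link(src: str, dst: str, links: Links) -> str:
    """Pick a link for a host pair. Symmetric in src/dst so both directions agree.
    The byte-sum hash is a toy stand-in, not StoneGate's algorithm."""
    if not links:
        raise RuntimeError("no links available")
    key = "|".join(sorted((src, dst)))
    names = sorted(links)
    return names[sum(key.encode()) % len(names)]


def site_capacity(pairs: Sequence[HostPair], links: Links) -> Tuple[float, Dict[str, List[HostPair]]]:
    """Aggregate capacity between the sites: the capacity of every link that
    carries at least one host pair. Each pair is still capped by its own link."""
    by_link: Dict[str, List[HostPair]] = defaultdict(list)
    for src, dst in pairs:
        by_link[select_link(src, dst, links)].append((src, dst))
    total = sum(links[name] for name in by_link)
    return total, dict(by_link)


def send_packets(src: str, dst: str, links: Links, n_packets: int,
                 fail_after: int, failed_link: str) -> List[str]:
    """Per-packet link selection for one connection; `failed_link` goes
    down after `fail_after` packets and the connection simply continues."""
    alive = dict(links)
    used = []
    for i in range(n_packets):
        if i == fail_after:
            alive.pop(failed_link, None)
        used.append(select_link(src, dst, alive))
    return used


LINKS: Links = {"ISP-A": 1.0, "ISP-B": 1.0}   # two 1 Mbps links, as in the customer example


def demo() -> Tuple[float, float]:
    """Capacity with one host pair versus ten host pairs between the sites."""
    one_pair = [("10.1.1.1", "10.2.1.1")]
    many_pairs = [(f"10.1.1.{i}", "10.2.1.1") for i in range(1, 11)]
    single_total, _ = site_capacity(one_pair, LINKS)
    many_total, _ = site_capacity(many_pairs, LINKS)
    return single_total, many_total


if __name__ == "__main__":
    print("capacity with 1 pair / 10 pairs (Mbps):", demo())
    first = select_link("10.1.1.1", "10.2.1.1", LINKS)
    print("links used per packet, failing", first, "after 3 packets:",
          send_packets("10.1.1.1", "10.2.1.1", LINKS, 5, 3, first))
```

With a single host pair the total is 1 Mbps, as the customer measured; with ten pairs both links carry traffic and the total reaches 2 Mbps, while no single pair ever exceeds 1 Mbps. The failover run shows one connection moving to the surviving link mid-stream without being torn down.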

Roar!

written by RoarinPenguin

Dec 15

VPN client 4.2.x with certificates

Hints and Tips, MultiLink VPN -

Everyone knows how to manage VPN client certificates through the GUI: a request can be created and the signed certificate for it can then be easily imported. But what do you do when the VPN client is installed unattended and has to be managed remotely, or when you need to import certificates for VPN authentication without touching the local GUI?

If external certificates need to be used, they must be imported manually. This is done as follows:

1) Two files are needed: the certificate file and the private key file. They must have the same file name body but different suffixes, .crt for the certificate and .prv for the private key. An example of a valid name pair is certificate.crt and certificate.prv.

2) These files have to be copied to the VPN client certificate directory. Copy both files at the same time so that the VPN Client sees both files together. The certificate directory is
- Vista: “C:\ProgramData\Stonesoft\StoneGate IPsec VPN\certificates”
- XP and 2000: “C:\Documents and Settings\All Users\Application Data\Stonesoft\StoneGate IPsec VPN\certificates”

3) The certificate should now appear in the client GUI. If it does not, re-check that the file names are in the format specified in step 1). You may also need to restart the StoneGate IPsec VPN Service.
Certificates can be removed in a similar way: they cannot be deleted by right-clicking the entry in the GUI, but they can be removed with a file explorer from the aforementioned directory.
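The three steps above as an added helper script (not Stonesoft code): it checks the .crt/.prv naming rule from step 1, stages both files inside the certificate directory and renames them into place so the client sees them together (step 2), lists the pairs that should now show up in the GUI (step 3), and removes a pair from the filesystem. The two directory paths are the ones quoted in the post; the placeholder file contents in `demo()` are constructed.

```python
"""Helper for the manual certificate import procedure described above.
Added example, not Stonesoft code; the directory constants are the paths
quoted in the post, everything else is an assumption about how one would
script the steps."""
import os
import shutil
import tempfile
from pathlib import Path
from typing import List, Tuple

CERT_DIR_VISTA = r"C:\ProgramData\Stonesoft\StoneGate IPsec VPN\certificates"
CERT_DIR_XP = r"C:\Documents and Settings\All Users\Application Data\Stonesoft\StoneGate IPsec VPN\certificates"


def check_pair(cert_path: str, key_path: str) -> List[str]:
    """Return the naming problems found; an empty list means the pair is valid."""
    cert, key = Path(cert_path), Path(key_path)
    problems = []
    if cert.suffix != ".crt":
        problems.append(f"certificate must end in .crt: {cert.name}")
    if key.suffix != ".prv":
        problems.append(f"private key must end in .prv: {key.name}")
    if cert.stem != key.stem:
        problems.append(f"file name bodies differ: {cert.stem} vs {key.stem}")
    return problems


def install_pair(cert_path: str, key_path: str, cert_dir: str) -> Tuple[Path, Path]:
    """Copy both files into cert_dir so the client sees them together: stage them
    in a temporary directory inside cert_dir, then rename each into place."""
    problems = check_pair(cert_path, key_path)
    if problems:
        raise ValueError("; ".join(problems))
    target = Path(cert_dir)
    target.mkdir(parents=True, exist_ok=True)
    with tempfile.TemporaryDirectory(dir=target) as staging:
        staged = [Path(shutil.copy2(p, staging)) for p in (cert_path, key_path)]
        final = [target / s.name for s in staged]
        for s, f in zip(staged, final):
            os.replace(s, f)   # rename within the same directory, one file at a time
    return final[0], final[1]


def installed_pairs(cert_dir: str) -> List[str]:
    """Name bodies that have both a .crt and a .prv file (what the GUI should list)."""
    d = Path(cert_dir)
    crts = {p.stem for p in d.glob("*.crt")}
    prvs = {p.stem for p in d.glob("*.prv")}
    return sorted(crts & prvs)


def remove_pair(name: str, cert_dir: str) -> None:
    """Removal happens on the filesystem, as the post says, not in the GUI."""
    for suffix in (".crt", ".prv"):
        (Path(cert_dir) / f"{name}{suffix}").unlink(missing_ok=True)


def demo() -> Tuple[List[str], List[str]]:
    """Run the procedure in a temporary directory with constructed placeholder files."""
    with tempfile.TemporaryDirectory() as work:
        incoming = Path(work) / "incoming"
        incoming.mkdir()
        # Constructed placeholders, not real credentials.
        (incoming / "certificate.crt").write_text(
            "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
        (incoming / "certificate.prv").write_text("PLACEHOLDER PRIVATE KEY\n")
        cert_dir = str(Path(work) / "certificates")
        install_pair(str(incoming / "certificate.crt"), str(incoming / "certificate.prv"), cert_dir)
        after_install = installed_pairs(cert_dir)
        remove_pair("certificate", cert_dir)
        return after_install, installed_pairs(cert_dir)


if __name__ == "__main__":
    print(demo())   # uses a temp dir; pass CERT_DIR_VISTA or CERT_DIR_XP for a real client
```

On a real client you would call `install_pair` with `CERT_DIR_VISTA` or `CERT_DIR_XP` as the target; if the certificate still does not appear afterwards, `check_pair` tells you which naming rule was broken before you restart the StoneGate IPsec VPN Service.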

written by DR