User Guide
Contact: support@thegreenbow.com
Website: www.thegreenbow.com
All rights reserved. No parts of this work may be reproduced in any form or by any means - graphic, electronic, or
mechanical, including photocopying, recording, taping, or information storage and retrieval systems - without the written
permission of the publisher.
Products that are referred to in this document may be either trademarks and/or registered trademarks of the respective
owners. The publisher and the author make no claim to these trademarks.
While every precaution has been taken in the preparation of this document, the publisher and the author assume no
responsibility for errors or omissions, or for damages resulting from the use of information contained in this document
or from the use of programs and source code that may accompany it. In no event shall the publisher and the author be
liable for any loss of profit or any other commercial damage caused or alleged to have been caused directly or indirectly
by this document.
Part
I
Introducing TheGreenBow IPSec VPN Client
TheGreenBow IPSec VPN Client is IPSec VPN software for all Windows versions that establishes
secure connections over the Internet, usually between a remote worker and the corporate intranet.
IPSec is the most secure way to connect to the enterprise, as it provides strong user
authentication and strong tunnel encryption, with the ability to cope with existing network and
firewall settings.
TheGreenBow IPSec VPN Client is the result of many years of experience in network security and
Windows network driver development, as well as extensive research in related areas.
The IPSec VPN Client completes our range of network security products and like all our products
is extremely easy to use and to install.
TheGreenBow's strategy is to support as many of the VPN gateway and appliance vendors currently
on the market as possible, in order to offer a true multi-vendor solution to its customers.
New IPSec VPN gateways and appliances are tested in our labs. The list of certified gateways is
available on our web site and is increasing daily, so check it regularly for new certified VPN
gateways.
There are many USB Tokens and SmartCards available on the market. It is our mission to support
as many USB Token and SmartCard vendors as possible, in order to offer a true multi-vendor
solution to our customers. New USB Token and SmartCard devices are tested in our labs. The list
of certified USB Tokens is available on our web site and is increasing daily, so check it
regularly for new certified USB Tokens.
In case your USB Token is not listed, please contact our TechSupport and we'll work with you to
certify it.
TheGreenBow supports several implementations of Linux IPSec VPN like StrongS/WAN and
FreeS/WAN. Therefore TheGreenBow IPSec VPN Client is compatible with most of the IPSec
routers/appliances based on those Linux implementations. We will support more Linux
implementations in the future. The list of supported Linux VPN appliances is available on our
website.
TheGreenBow IPSec VPN Client - User Guide Property of TheGreenBow© - Sistech SA 2001-2010
Mode Config: "Mode Config" is an Internet Key Exchange (IKE) extension that enables the IPSec VPN gateway to provide LAN configuration to the remote user's machine (i.e. IPSec VPN Client). With Config-Mode the end-user is able to address all servers on the remote network by using their network name (e.g. //myserver/marketing/budget) instead of their IP address.
USB Drive: VPN Configurations and security elements (certificates, preshared key, …) can be saved onto a USB Drive in order to remove security information (e.g. user authentication) from the computer. Tunnels open and close automatically when the USB Drive is plugged in or removed. A VPN Configuration can be attached to a specific computer or to a specific USB drive.
Smart Card and USB Token: TheGreenBow IPSec VPN Client can read Certificates from Smart Cards to make full use of existing corporate ID cards or employee cards that may carry digital credentials. Easy import of Smartcard ATR codes quickly enables new Smartcard and USB Token models that have not been embedded in the software yet.
Log console: All phase messages are logged for testing or staging purposes, making it easy to narrow the view on specific aspects.
Flexible User Interface: Silent install and an invisible graphical interface allow IT managers to deploy solutions while preventing users from misusing configurations. The tiny Connection Panel and the VPN Configuration Panel can be made available to end-users separately with Access Control. Drag & drop VPN Configurations into the IPSec VPN Client. Multiple keyboard shortcuts to easily navigate the IPSec VPN Client.
Scripts: Scripts or applications can be launched automatically on several events (e.g. before and after a tunnel opens, before and after a tunnel is closed).
Configuration Management: User Interface and Command Line. Password protected VPN configuration file. A specific VPN configuration file can be provided within the setup. Embedded demo VPN Configuration to test and debug with online TheGreenBow servers. Ability to prevent software upgrade or un-installation if software usage has been protected by password.
Live update: Ability to check for online update.
Licensing: Lifetime, Temporary, Release based Licensing are available.
Our offer is specially designed to target OEM clients and System Integrators. We provide a fully
functional VPN Client solution to complete existing offers. Our IPSec VPN Client can be re-branded.
Part
II
Installing TheGreenBow IPSec VPN Client
TheGreenBow VPN Client installation is a classical Windows installation that does not require
specific information. After completing the installation, you will be asked to reboot your computer.
After reboot and session login, a window appears with several options:
· 'Quit' will close this window and the software.
· 'Evaluate' allows you to continue software evaluation. The remaining evaluation period is
displayed in the orange bar above.
· 'Activate' allows you to activate the software online. This requires a License Number. When
clicking on the 'Activate' button, an Activation Wizard pops up.
· 'Buy' allows you to go online and purchase a Software License in TheGreenBow online
shop.
Caution: On Windows 2000, XP, Vista and Windows 7, you must have administrator rights. If this
is not the case, the installation stops after the language choice with an error message.
Note: Software Installation can be customized with several parameter options in command line.
Please refer to the "Deployment Guide" document available on our website.
A user might have restricted access rights on a given Windows computer. Here is what users can
have access to:
To make it even easier, TheGreenBow IPSec VPN Client creates new rules in the Windows
Firewall (Vista and later) so that IPSec VPN traffic is enabled. Here are the Windows Firewall
rules:
It is possible to use TheGreenBow IPSec VPN Client during the evaluation period (i.e. limited to
30 days) by clicking on the 'Evaluate' button. When the IPSec VPN Client is in "Evaluation" mode,
the register window appears at each start of the IPSec VPN Client. The evaluation period is
displayed in the orange bar above.
Once the evaluation period expires, the 'Evaluation' button is no longer available and the
software is disabled.
A Temporary Software License Number may be provided for test purposes. The period of validity is
between 1 and 9 weeks. To receive a Temporary Software License Number, you can contact our
sales team: sales@thegreenbow.com.
The validity period of the Temporary Software License Number and the remaining time of use are
For as long as a Temporary Software License Number is in use, the activation window is
available from the Configuration Panel. It enables the user to activate a new license, for example
a lifetime License Number instead of a temporary one.
During that period, the remaining time is available through the 'About' menu.
When the Temporary Software License Number expires, the 'Evaluate' button is disabled. The
user can 'Buy' and 'Activate' a lifetime software license.
For use beyond the evaluation period, TheGreenBow IPSec VPN Client software must be
activated on your computer. To use a License Number on a new computer, you need to un-install
the software from the previous computer, and deactivation will be done automatically. The
Software Activation is a two-step process which requires a License Number and an email address.
The 'Activation Wizard' can be launched from the VPN Client software as follows:
· Click on the 'Activate' button in the startup window when you start the VPN Client.
· Click on the '?' menu once the software is started, and then click on "Activation Wizard...".
Enter your License Number and your email address, then click 'Next' as shown below:
Note: Make sure the email address is correct: it will be used to send you the activation
confirmation.
Note: The email address may not be required: IT Managers can force this value during the setup,
in which case it will not be displayed by the Software Activation Wizard. This feature can be used
to centralize all the Software Activation confirmation emails to a single email address.
The 'Activation Wizard' will automatically connect to the online software activation server to
activate the VPN Client Software. You can go back at any time to change the License Number but
you need to un-install first.
It is important to remember that a License Number is attached to one computer after installation.
However, the license number can be activated again on another computer after software
uninstallation.
Errors may occur during the activation process. Each activation error is briefly explained in the
step 2 activation window. The link "More information about this error" below the progress bar
leads to full online explanations and recommendations on how to proceed next.
Most errors encountered may be fixed by carefully checking the following points:
Note: If you could not activate the software despite the previous
recommendations, it is always possible to manually activate the software
on our website: www.thegreenbow.com/activation/osa_manual.html. This
enables users to immediately fully activate the software.
Example: My maintenance period has expired and my current software release is 3.12. I can only
upgrade to releases 3.13 through 3.19. I cannot upgrade to release 3.20, 3.30 or 4.00.
If you want to subscribe or extend your maintenance period, please contact our sales team:
sales@thegreenbow.com
Note: The VPN Configuration is saved during a Software Upgrade and automatically enabled
again within the new release.
Note: Software upgrade requires the password that has been set in 'Access Control'. If no
password has been set, software upgrade does not require any password.
Part
III
Quick HowTo's
3 Quick HowTo's
Also known as 'Dial up mode': A tunnel may be opened via a double-click on a VPN Configuration
(i.e. a file with the '.tgb' extension). This feature makes it possible to place various VPN
Configurations on the Windows desktop, and to open tunnels by clicking on these VPN
Configuration shortcut icons.
Note: You may protect the VPN Configuration with a password as it is exported. This password
will be asked for each time the tunnel is clicked on.
3. Go back to 'Phase 1' of that tunnel, click on 'Certificate' and then click on 'Certificates
Management...'.
4. Select one Certificate in the list displayed, or click on 'Import Certificate..' from a Certificate
file, then click 'Ok'.
It is possible to open one or several VPN tunnels, manually or automatically, before Windows
Logon using a Windows logon technology called Credential Providers on Vista (aka GINA on
W2K/WXP).
Here are several possible use cases with their settings to trigger Credential Providers:
Here are the features that are disabled for tunnels with the option 'Enable before Windows Logon':
· The tiny window appearing before Windows logon is always visible. It is not possible to hide
it.
· In case 2 tunnels have been configured to 'Automatically open on traffic detection' and only
one of them with the option 'Enable before Windows Logon', it is possible that both would
open automatically before Windows Logon as the IKE service is running.
· 'Scripts' that might have been configured are disabled for tunnels with the option 'Enable
before Windows Logon'.
· IPSec VPN Client cannot be in 'USB Mode' (i.e. VPN Configuration moved to a USB
Drive) for tunnels with the option 'Enable before Windows Logon'.
· Config-Mode is disabled. DNS/WINS Server Address must be configured here.
Note: To enable a VPN tunnel to 'Automatically open on traffic detection' after windows logon, the
option 'Enable before Windows Logon' must not be selected.
Part
IV
Navigating the User Interface
TheGreenBow IPSec VPN Client is fully autonomous and can start and stop tunnels without user
intervention, depending on traffic to certain destinations. However it requires a VPN configuration.
The IPSec VPN Client configuration is defined in a VPN Configuration file. The software user
interface allows creating, modifying, saving, exporting or importing the VPN configurations
together with security elements (e.g. Preshared key, Certificates, ...).
The VPN Client software can be launched via a double click on the application icon (Desktop or
Windows Start menu) or by a single click on the application icon in the system tray. Once
launched, the VPN Client software shows an icon in the system tray that indicates, using a color
code, whether a tunnel is opened or not.
· 'Save & Apply' will close established VPN tunnels, apply the latest VPN configuration
modification and reopen VPN tunnels which are configured to be started automatically.
· 'Console' shows the IPSec-IKE log window.
· 'Connection Panel' opens the Connection Panel, which is used to open, close and get
information about tunnels.
· 'Configuration Panel' opens the Configuration Panel, which is used to create and configure
tunnels.
· List of configured tunnels with current status. Tunnels can be opened or closed from this
menu as well.
The tooltip over the systray VPN Client icon shows the connection status of the VPN tunnel:
· 'Tunnel <tunnelname>' when one or more tunnels are established.
· 'Wait VPN ready...' when the IKE service is reinitializing.
· 'TheGreenBow VPN Client' when the VPN Client is up but with no opened tunnel.
A tiny popup coming out of the systray icon shows up each time a tunnel is opening or
closing.
1. The popup shows the tunnel opening with its different phases and disappears after 6 sec
unless the mouse is moved over it.
3. In case the tunnel can not open, it displays a warning with a link to more information on our
website.
Shortcut: Action
Ctrl + Enter: Switches back and forth between the 'Configuration Panel' and the 'Connection Panel'. Note: in case the Configuration Panel is protected with a password, the user will be asked for this password when he tries to switch to the Configuration Panel.
Ctrl + D: Opens the VPN 'Console' for network 'Debug'.
Ctrl + S: 'Save & Apply' a VPN Configuration.
The Connection Panel enables users to open, close and get clear information about every tunnel
that has been configured. This is all the end-user needs to open and close tunnels.
This feature clearly helps both IT Managers (who configure the VPN connections) and users (who
only open or close VPN connections) with their own usage.
It's possible to switch back and forth between the 'Connection Panel' and the 'Configuration Panel'
by using the shortcut 'Ctrl + Enter' (see section 'Shortcuts').
The Configuration Panel is used to create VPN Configurations and is made of several elements:
· Three buttons 'Console', 'Parameters' and 'Connections' (left column)
· A tree list window (left column) that contains all the IKE and IPSec configurations
· A configuration window (right column) that shows the associated parameters for every tree
level.
A VPN Configuration file (i.e. extension '.tgb') can be dragged and dropped onto the Configuration
Panel. This feature makes it easy to apply a new VPN configuration. If a tunnel is configured to be
'opened when the VPN Client starts' (see section 'Phase2 Advanced Settings'), it will be
opened as soon as the new VPN Configuration is applied ('Save & Apply').
· '?' menu gives access to 'check for update', 'online help' and window 'About'. '?' menu also
gives access to the 'Activation Wizard' when the software is not activated yet.
· The central box gives some information about VPN Client Software status (e.g. "opening
tunnel in progress", "saving configuration rules in progress", "VPN Client start up in
progress", …)
· The light box (right side) gives some information about tunnels (e.g. Green light
The 'About' window provides the VPN Client software release number and software activation
information. There is also a URL to our web site.
This feature is especially designed for IT Managers. It makes it possible to lock access to the
'Configuration Panel', and to restrict with a password the use of the IPSec VPN Client to the
'Connection Panel' and/or to the 'systray menu'. Therefore, users cannot modify the VPN
The Access Control with a password only concerns the 'Configuration Panel'. The access to the
'Connection Panel' is never controlled by password.
This password may be configured as an option of the setup (see section 'Setup options').
The Access Control window, available through the menu 'View > Configuration..' in the
Configuration Panel, is also used to configure the systray menu items. Thus, the IT Manager can
restrict the software access, from full access to a completely hidden interface.
To remove the Access Control, just empty both fields 'Password' and 'Confirm' then click 'OK'.
Note: The 'Quit' item for the systray menu is disabled in the standard version of the software. It
can nevertheless be removed during the software setup, through the setup option "-menuitem"
(see section 'Setup option')
In case Access Control has been set, the 'Configuration Panel' cannot be opened and shown by
double-clicking on the desktop icon or by selecting it in the Start menu. Right-click over the
systray icon in the taskbar is limited to "Console" access, quitting the software, and
opening/closing the configured tunnels.
Here is an example:
4.6.5 Wizards
USB Drive..'.
4.6.6 Preferences
Miscellaneous
'Disable detection of interface disconnection' allows the IPSec VPN Client to keep tunnels open
when the network interface disconnects momentarily but very often. This type of behavior occurs
when the interface used to open tunnels is unstable, such as WiFi, GPRS and all 3G interfaces.
Part
V
Connection Panel
5 Connection Panel
The Connection Panel enables users to open, close and get clear information about every tunnel
that has been configured. This is all the end-user needs to open and close tunnels.
The user simply clicks on the 'Open' button of a tunnel to open this tunnel. The 'Open' button
automatically switches to 'Close' when the tunnel is opened. One click on the name of the tunnel
automatically opens the Configuration Panel, where the tunnel configuration can be changed. This
feature is disabled when the Connection Panel is protected with a password (see section 'Access
Control').
It's possible to switch back and forth between the 'Connection Panel' and the 'Configuration Panel'
by using the shortcut 'Ctrl + Enter' (see section 'Shortcuts').
It is also possible to automatically apply a new VPN Configuration by a drag & drop of a VPN
Configuration onto the Connection Panel. If a tunnel is configured to be automatically opened
when VPN Client starts (see section 'Phase2 Advanced Settings'), it will be immediately opened.
If problems occur during the tunnel opening process, a warning is shown on the right of the tunnel
list.
A link associated to the warning automatically opens the 'Warning' popup and shows a detailed
message about the problem. Explicit warning messages help users and IT Managers to find the
VPN issue. These popups are also linked ("more information" link) to our online help web pages
that detail symptoms and give clues for troubleshooting.
Part
VI
Configuration Panel
6 Configuration Panel
To create a VPN tunnel from the 'Configuration Panel' (without using the Configuration Wizard),
follow these steps:
2. Right-click on 'Root' in the tree list window and select 'New Phase 1'.
Several Authentication Phases (Phase 1) can be configured. Therefore, one computer can
establish IPSec VPN connections with several gateways or other computers (peer to peer).
Similarly, several IPSec Configurations (Phase 2) can be created for the same Authentication
Phase (Phase 1).
Advanced features and parameters can be defined for Phase 1 and Phase 2.
Those defined in Phase 1 apply to every Phase 2 created in the current VPN Configuration:
· Enable/Disable Config-Mode
· Enable/Disable NAT-T Aggressive Mode
· Enable/Disable Redundant Gateway
· Select NAT-T mode (Forced, Disabled or Automatic)
· Set X-Auth Login/password with pop up option
· Enable/Disable Hybrid Mode, which is a Hybrid Authentication Method
TheGreenBow IPSec VPN Client provides a Configuration Wizard which enables the creation of a
VPN configuration in three easy steps. This Configuration Wizard is designed either for remote
computers that need to connect to a corporate LAN through a VPN gateway, or for Peer to Peer
mode.
For configuring this connection, open the Configuration Wizard's window by selecting menu 'VPN
Configuration' > 'Config. Wizard'.
You must specify the type of the equipment at the end of the tunnel: VPN gateway.
The third step summarizes your new VPN configuration. Other parameters may be further
configured directly via the 'Configuration Panel' (e.g. Certificates, virtual IP address, etc.).
The tunnel has been created and you can open it.
The 'Authentication' or 'Phase 1' window contains the settings for the Authentication Phase
(Phase 1), also called the IKE Negotiation Phase.
Phase 1's purpose is to negotiate IKE policy sets, authenticate the peers, and set up a secure
channel between the peers. As part of Phase 1, each end system must identify and authenticate
itself to the other.
Name: Label for the Authentication phase, used only in the configuration user interface. This value is never used during IKE negotiation. It is possible to change this name at any time and read it in the tree control. Two Phase 1 entries cannot have the same name.
Interface: IP address of the network interface of the computer through which the VPN connection is established. If the IP address may change (when it is received dynamically from an ISP or router), select "Any". In case the IP address configured in the VPN Configuration file refers to an IP address that does not exist on the computer, the default "Any" is forced upon this parameter.
Remote Gateway: IP address or DNS address of the remote gateway (in our example: gateway.mydomain.com). This field is mandatory.
Pre-shared key: Password or key shared with the remote gateway.
Certificate: X509 certificate used by the VPN Client. Click on 'Certificate Management..' to choose the certificate source: PEM files, PKCS#12 file, SmartCard and tokens, or the Windows Certificate Store (see section How to configure Certificates). One Certificate per tunnel can be configured.
IKE encryption: Encryption algorithm used during Authentication phase (3DES, AES, ...).
IKE authentication: Authentication algorithm used during Authentication phase (MD5, SHA, ...). SHA1 and SHA2-256bit are supported.
IKE key group: Diffie-Hellman key length.
For advanced features & parameters, click on the 'P1 Advanced' button in the Phase1 panel.
Config-Mode: If checked, the VPN Client will activate Config-Mode for this tunnel. Config-Mode allows the VPN Client to fetch some VPN Configuration information from the VPN gateway. If Config-Mode is enabled, and provided that the remote Gateway supports Config-Mode, the following parameters will be negotiated between the VPN Client and the remote Gateway during the IKE exchange (Phase 1):
· Virtual IP address of the VPN Client
· DNS server address (optional)
· WINS server address (optional)
Popup" is selected, a popup window asking for a login and a password will appear each time an authentication is required to open a tunnel with the remote gateway. For more details go to the Using X-Auth section.
If X-Auth authentication fails then the tunnel establishment will fail too.
Hybrid Authentication Mode: The Hybrid mode is a specific authentication method used within IKE Phase 1. This method assumes an asymmetry between the authenticating entities. One entity, typically an Edge Device (e.g. firewall), authenticates using standard public key techniques (in signature mode), while the other entity, typically a remote User, authenticates using challenge response techniques. These authentication methods are used to establish, at the end of Phase 1, an IKE SA which is unidirectionally authenticated. To make this IKE SA bi-directionally authenticated, this Phase 1 is immediately followed by an X-Auth Exchange [XAUTH]. The X-Auth Exchange is used to authenticate the remote User. The use of these authentication methods is referred to as Hybrid Authentication mode. TheGreenBow IPSec VPN Client implements the IETF draft 'draft-ietf-ipsec-isakmp-hybrid-auth-05.txt'.
X-Auth is an extension to the Internet Key Exchange (IKE) protocol. IKE is an important element of
PKI (Public Key Infrastructure) that defines how security credentials are exchanged over the IPSec
tunneling protocol.
It requires the definition of the login and password for the X-Auth IPSec negotiation.
The login and password can be defined in Phase1 Advanced Settings and will then be used each
time a VPN tunnel needs to open, without requesting user approval. Although storing the login and
password this way is not recommended, it is obviously more convenient for the user.
If "X-Auth popup" is selected in Phase1 Advanced Settings, a popup window asking for an X-Auth
login and a password will appear each time an authentication is required to open a tunnel with the
remote gateway. The name of the VPN tunnel appears on the popup window so that the right
X-Auth credentials can be entered in case of multiple VPN tunnel configurations.
The user has some time to enter his X-Auth credentials. If the time allowed to enter X-Auth
credentials expires, a warning window appears and the user has to re-open the VPN tunnel.
The management of login / password verification differs depending on the VPN gateways. In case
of wrong login or wrong password, the action can be either of the following:
· The X-Auth window for entering the login / password is displayed again, with the number of
attempts.
· A warning window alerts the user to try again to open the VPN tunnel, similar to the one
above or below.
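A check over the Phase 1 and 'P1 Advanced' settings described above, as an added example that is not part of the original guide or of TheGreenBow's software. The `Phase1` field names, the sample values and the 2048-bit Diffie-Hellman threshold are assumptions chosen for illustration; they are not the '.tgb' file format.

```python
"""Added example: lint one Phase 1 definition before it is deployed.

Field names are hypothetical labels for the settings in the 'Phase 1' and
'P1 Advanced' windows. Sample values below are constructed.
"""
from dataclasses import dataclass

WEAK_ENCRYPTION = {"DES", "3DES"}   # 64-bit block ciphers
WEAK_HASH = {"MD5"}
MIN_DH_BITS = 2048                  # assumption: local policy threshold


@dataclass
class Phase1:
    name: str
    auth: str                       # "psk" or "certificate"
    ike_encryption: str             # e.g. "3DES", "AES"
    ike_authentication: str         # e.g. "MD5", "SHA1", "SHA2-256"
    dh_bits: int                    # Diffie-Hellman key length
    aggressive_mode: bool = False
    hybrid_mode: bool = False
    xauth: bool = False
    xauth_popup: bool = False       # ask the user each time a tunnel opens
    xauth_password_stored: bool = False


def audit_phase1(p):
    """Return finding codes for one Phase 1, always in the same order."""
    findings = []
    if p.ike_encryption.upper() in WEAK_ENCRYPTION:
        findings.append("weak-ike-encryption")
    if p.ike_authentication.upper() in WEAK_HASH:
        findings.append("weak-ike-authentication")
    if p.dh_bits < MIN_DH_BITS:
        findings.append("small-dh-group")
    # In aggressive mode the authentication hash derived from the pre-shared
    # key travels unencrypted, so only the key's strength protects it.
    if p.auth == "psk" and p.aggressive_mode:
        findings.append("psk-with-aggressive-mode")
    # Hybrid mode leaves the IKE SA unidirectionally authenticated until the
    # X-Auth exchange authenticates the remote user.
    if p.hybrid_mode and not p.xauth:
        findings.append("hybrid-without-xauth")
    # Login and password kept in the configuration instead of the popup.
    if p.xauth and p.xauth_password_stored and not p.xauth_popup:
        findings.append("xauth-credentials-stored")
    return findings


# Constructed sample configurations.
LEGACY = Phase1("legacy-gw", "psk", "3DES", "MD5", 1024,
                aggressive_mode=True, xauth=True, xauth_password_stored=True)
HARDENED = Phase1("hq-gw", "certificate", "AES", "SHA2-256", 2048,
                  xauth=True, xauth_popup=True)
HYBRID_ONLY = Phase1("hybrid-gw", "certificate", "AES", "SHA1", 2048,
                     hybrid_mode=True)

if __name__ == "__main__":
    for cfg in (LEGACY, HARDENED, HYBRID_ONLY):
        print(cfg.name, audit_phase1(cfg) or "no findings")
```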
The 'IPSec Configuration' or 'Phase 2' window contains the settings for Phase 2.
The purpose of Phase 2 is to negotiate the IPSec security parameters that are applied to the traffic
going through tunnels negotiated during Phase 1.
Name: Label for the IPSec Configuration, used only by the VPN Client. This parameter is never transmitted during IPSec Negotiation. It is possible to change this name at any time and read it in the tree list window. Two Phases cannot have the same name.
VPN Client address: Virtual IP address used by the VPN Client inside the remote LAN: the computer will appear in the LAN with this IP address. This IP address can belong to the same remote LAN subnet (e.g., in the example, you have an IP address like 192.168.204.10). In this case, it is important to read the note below.
Address type: The remote endpoint may be a LAN or a single computer. In case the remote endpoint is a LAN, choose "Subnet address" or "IP Range". When choosing "Subnet address", the two fields "Remote LAN address" and "Subnet mask" become available. When choosing "IP Range", the two fields "Start address" and "End address" become available, enabling TheGreenBow IPSec VPN Client to establish a tunnel only within a range of predefined IP addresses. The range of IP addresses can be just one IP address.
Note1: The "IP Range" feature combined with the "Open tunnel when traffic" feature makes it
possible to automatically open a tunnel when traffic is detected for a specific range of IP
addresses. However, the range of IP addresses must be authorized in the configuration of the VPN
gateway.
Note2: It is possible to have both the local IP address of your computer and the remote LAN as
part of the same subnet. To do so, you must select "Auto open this tunnel on traffic detection"
('P2 Advanced'). Once the VPN tunnel is opened in this configuration, all traffic with the remote
LAN is allowed but communication with the local network becomes impossible.
Once the parameters are set, click on 'Save & Apply' to save and to take into account the new
configuration.
You'll find a set of useful VPN Client configuration documents available for each of the VPN
gateways we support. Please go to our knowledge base on our website.
For advanced features & parameters, click on the 'P2 Advanced' button in the Phase2 panel.
Automatic Open Mode: The VPN Client can automatically open the specified tunnel (Phase2) on
specific events such as:
· Auto open this tunnel when the VPN Client starts up.
· Auto open this tunnel when USB Drive is plugged in (see section "USB Mode").
· Auto open this tunnel when the VPN Client detects traffic towards the remote LAN. If selected,
the Phase 2 icon in the Configuration Panel tree list changes its shape/color to reflect that
this feature is now active.
Gina Mode: If Gina Mode is selected, this tunnel can be used by Vista Credential Providers (aka
GINA on W2K/WXP) to process Windows logon. This is useful when using a corporate employee
database for logon and the remote computer needs to connect to the corporate network before
processing the Windows logon. See 'HowTo open VPN tunnel before Windows Logon'.
Alternate Servers: DNS and WINS server IP addresses of the remote LAN can be entered here, to
help users to resolve intranet addressing. The DNS or WINS addresses are taken into account as
soon as the tunnel is opened, and as long as it is opened.
Those parameters are not required when working with 'Config-Mode'.
Scripts may be configured in the Script configuration window. This window can be opened through
the button 'Scripts' of a Phase 2 Settings window.
Scripts or applications can be enabled for each step of a VPN tunnel opening and closing
process:
· Before tunnel is opened
· Right after the tunnel is opened
· Before tunnel closes
· Right after tunnel is closed
This feature makes it possible to execute scripts (batches, scripts, applications...) at each
step of a tunnel connection for a variety of purposes, e.g. to check the current software release,
to check database availability before launching a backup application, to check that a software is
running or that a logon is set. It also makes it possible to apply various network configurations
before, during and after tunnel connections.
Global Parameters are generic settings that apply to all created VPN tunnels. Once modified, click
on 'Save&Apply' to take into account your modifications.
· Lifetime (sec.)
IKE default lifetime: Default lifetime for IKE rekeying.
IKE minimal lifetime: Minimal lifetime for IKE rekeying.
IKE maximal lifetime: Maximal lifetime for IKE rekeying.
IPSec default lifetime: Default lifetime for IPSec rekeying.
IPSec maximal lifetime: Maximal lifetime for IPSec rekeying.
IPSec minimal lifetime: Minimal lifetime for IPSec rekeying.
· Dead Peer Detection (DPD)
Check interval (sec.): Interval between DPD messages.
Max number of retries: Number of DPD messages sent.
Delay between retries (sec.): Interval between DPD messages when there is no reply from the
remote gateway.
· Miscellaneous
Retransmissions: How many times a message should be retransmitted before giving up.
IKE Port: UDP port 500 is the port used by default during Phase1 IKE negotiation. The user can
change the port number for IKE negotiation. Exchanges are still on UDP but they can be on another
port than port 500, as some firewalls do not allow IKE Port 500, or outgoing traffic on Port 500
might not be allowed in some places. The remote gateway must support this feature and reroute the
incoming traffic associated with the new selected IKE ports onto the default UDP 500 so that it is
Dead Peer Detection (DPD) is an Internet Key Exchange (IKE) extension (RFC 3706) for detecting a
dead IKE peer. TheGreenBow IPSec VPN Client uses DPD:
· to delete open SAs in the VPN Client when the peer has been detected dead.
· to re-start IKE negotiations with the Redundant Gateway if activated in the 'Phase1
Advanced' Configuration Panel.
Once the parameters are set, click on 'Save & Apply' to save and to take into account the new
configuration.
The 'Tunnel View' screen shows the VPN tunnels currently opened. This screen may also be used to
close opened tunnels. To close a VPN tunnel, select the tunnel in the list and click on 'Close
Tunnel'.
Tunnels may also be viewed, opened and closed directly from the context menu of the system tray
icon and from the Connection Panel.
The Connection Panel can be opened with the button 'Connection Panel'. It's possible to switch
back and forth between the 'Connection Panel' and the 'Configuration Panel' by using the shortcut
'Ctrl + Enter' (see section 'Shortcuts').
TheGreenBow VPN Client brings the capability to secure VPN configurations and VPN security
elements (e.g. PreShared key, Certificates, …) by moving them onto a USB Drive and out of the
computer. This gives users the ability to attach a VPN Configuration:
· to a specific computer: therefore the VPN tunnels defined in the VPN configuration can only
be used on that specific computer, or,
· to a specific USB drive: therefore the VPN tunnels defined in the VPN configuration can only
be used with that specific USB Drive.
When you select 'File' > 'Move VPN Configuration to USB Drive..', the VPN configuration and
security elements contained in the configuration are moved onto the USB Drive the first time you
plug it in.
Once done, you just need to plug in the USB Drive to automatically open tunnels. And you just
need to unplug the USB Drive to automatically close all opened tunnels.
A new USB Drive (no data) is enabled by copying VPN configuration and security elements onto it.
There are several ways to do that:
· Export VPN Configuration via menu 'File' > 'Export VPN Configuration' and then copy the
VPN Configuration file onto the USB Drive.
· Use the 'USB Mode Wizard' via menu 'File' > 'Move VPN Configuration to USB Drive..'.
1. The 'USB Mode Wizard' starts with 'USB Mode Wizard' step1.
In case a USB drive is already plugged in, the IPSec VPN Client will detect it as shown below.
If needed, the Wizard will ask you to select one USB Drive, because several USB Drives could be
plugged in at the same time:
Note: if a USB Drive is plugged in while in 'USB Mode Wizard' step1 and it appears to be the only
one, the IPSec VPN Client will also detect it and jump to 'USB Mode Wizard' step2.
Note: if a USB Drive containing a VPN Configuration is plugged in while a first USB drive with
another VPN Configuration is already plugged in, a warning message asks the user to unplug
one of them before continuing.
The wizard proposes to enable the USB Drive through the following options:
· 'With this computer only': therefore the VPN tunnels defined in the VPN configuration can
only be used on this specific computer
· 'On any computer': therefore the VPN tunnels defined in the VPN configuration can be used
with this specific USB Drive only, on any computer.
The VPN Configuration can be protected (not mandatory) by a password, so that the USB Drive can
be lost without compromising company security.
Note: At this step, if the USB Drive is unplugged, the wizard automatically goes back to step1.
Note: The IPSec VPN Client software does not allow changing the password or the computer
association with the USB Drive. Nevertheless, it is always possible to plug in the USB Drive
containing the VPN Configuration, export the VPN Configuration to a local disk, unplug the USB
Drive, import the VPN Configuration, and start the 'USB Mode Wizard' all over again to set a new
password or a new association with a computer.
Then the wizard asks you to select the VPN tunnels that need to be opened next time the USB
Drive is plugged in. The same 'Phase2 Advanced settings' option 'Auto open this tunnel when
USB Drive is plugged in' is used here for every tunnel.
Step4 is a summary of previous settings. Upon confirmation, the IPSec VPN Client will copy the
VPN Configuration onto the USB Drive and remove all security information from the computer. The
IPSec VPN Client is then considered to be in 'USB Mode'.
Note: Once moved to the USB Drive, the VPN Configuration is kept as long as the USB Drive is
plugged-in. As soon as the USB Drive is unplugged, the VPN Configuration is reset (an empty
configuration is shown in the 'Configuration Panel'). Next time the IPSec VPN Client starts, the
VPN Configuration will be empty.
6.7.3 How to automatically open tunnels when a USB Drive is plugged in?
Each tunnel may be configured individually using the option 'Auto open tunnels when
USB Drive is plugged in'.
If a USB Drive containing a VPN Configuration is plugged in, all VPN tunnels set with this feature
will open automatically. They will close when the USB Drive is unplugged. The behavior is the same
if the USB Drive is already plugged in when the IPSec VPN Client starts.
If a USB Drive without any VPN Configuration is plugged in or if no USB Drive is
plugged in, the IPSec VPN Client starts in local mode (using whatever VPN Configuration is
available on local disk).
See also 'USB Mode Wizard' to enable a USB Drive via menu 'File' > 'Move VPN Configuration
to USB Drive..'.
Note: The option 'Automatically open this tunnel when USB Drive is inserted' is disabled before
Windows logon.
TheGreenBow IPSec VPN Client can use Certificates from various sources:
· PEM format files,
· PKCS#12 format file,
· Windows Certificate Store,
· USB Tokens or SmartCard.
The Certificate Management Panel shows all those Certificate sources in one single place
and lets you select the right Certificate for a particular tunnel.
1. Go to 'Phase 1' window of that tunnel, click on 'Certificate' and then click on 'Certificates
Management...'.
2. Select one Certificate in the list displayed, then click 'Ok'.
Note: Only one Certificate can be selected and assigned to one tunnel.
Note: TheGreenBow VPN Client software doesn't create Certificates. Certificates must be created
(and stored on SmartCard/Tokens or Windows Certificate Store) by third party software. You'll find
additional support documents on "How to generate Certificates" or "How to convert Certificate
formats" on our website.
Certificates here are located in the VPN Configuration file used by the VPN Client software. It
means that this Certificate has been imported at some point from another source like a Certificate
file or the Microsoft Certificate Store.
Note: In case no Certificate has been configured in the VPN Configuration, this section will not
appear. However, if a Certificate has previously been configured in the VPN Configuration file but
it is not present anymore, then this section is disabled.
Those Certificates are located in the Microsoft Certificate Store. To be visible and usable, a
Certificate has to follow these rules:
· Certificate has to be certified by a certificate authority and the Certificate status must be
'Ok' (see 'Certificate troubleshooting')
· Certificate has to be located in the 'Personal' Certificate Store as it represents the
personal identity of the user trying to connect to his corporate network.
Several USB Tokens and SmartCards can be plugged in, and all the Certificates they contain will
be displayed in this section.
Note: If the Certificate is not available in one of the Certificate Stores displayed, it is always
possible to import Certificates from files using the 'Import Certificate..' button.
Details of any Certificate can be viewed, including all properties like 'Issuer', 'Valid from',
'Valid to' and 'Subject'.
Select the Certificate you want and click 'View Certificate..' as shown below:
6.8.2 How to configure a tunnel with Certificate from a PKCS#12 Certificate file
PKCS#12 certificates are supported by a lot of gateways. TheGreenBow IPSec VPN Client can
import PKCS#12 certificates into the VPN Configuration, from the Configuration Panel. One
PKCS#12 Certificate can be defined per tunnel. Therefore, it is possible to connect to several
gateways that do not use the same PKI software (Public Key Infrastructure).
Here are the steps to configure the IPSec VPN Client with a PKCS#12 Certificate file:
Step 1: Select radio button 'Certificate' in the 'Phase 1' window, click on 'Certificates
Management...' and then click on 'Import Certificate..'
Step 2: Select the 'PKCS#12 format' check box, then click 'Next'
Step 3: Select the PKCS#12 Certificate file you want to import. If the PKCS#12 Certificate is
protected, enter the password in the password pop up window. Once the Certificate is
correctly imported, it will be displayed in the Certificate Management Panel under the
'TheGreenBow Configuration File' section.
Step 4: Click 'Ok'. PKCS#12 Certificates will be stored in the VPN Configuration file. No need to
click on "Save&Apply".
Note: Once the Certificate is imported, its subject is used for the local ID of the associated
Phase1. This is shown in the P1 Advanced window with the following indication:
6.8.3 How to configure a tunnel with Certificate from a PEM Certificate file
TheGreenBow IPSec VPN Client can import PEM Certificates into the VPN Configuration, directly
from the Configuration Panel. One PEM Certificate can be defined per tunnel. Therefore, it is
possible to connect to several gateways that do not use the same PKI (Public Key Infrastructure).
Here are the steps to configure the IPSec VPN Client with PEM Certificate.
Step 1: Select radio button 'Certificate' in the 'Phase 1' window, click on 'Certificates
Management...' and then click on 'Import Certificate..'
Step 2: Select the 'PEM format' check box, then click 'Next'
Step 3: Import the Root Certificate, the User Certificate and the Private Key by clicking on the
associated button. Once the Certificate is correctly imported, it will be displayed in the
Certificate Management Panel under the 'TheGreenBow Configuration File' section.
Step 4: Click 'Ok'. PEM Certificates will be stored in the VPN Configuration file. No need to click
on "Save&Apply".
Note: Once the Certificate is imported, its subject is used for the local ID of the associated
Phase1. This is shown in the P1 Advanced window with the following indication:
Note: The PEM file enclosing the private key must not be encrypted or protected with a password.
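The PEM import steps and the note on unprotected private keys can be checked before import. The following is an added example, not part of the original guide or of TheGreenBow's software: a Python preflight (standard library only) that inspects the three PEM inputs of Step 3 and reports a password-protected private key. The function names and the sample PEM data are constructed for illustration.

```python
import re

# One PEM block: BEGIN line, optional RFC 1421 style headers, body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

# Labels that hold a private key which may or may not be encrypted.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}

# Constructed sample data: the bodies are placeholders, not real key material.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_CLEAR_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_LEGACY_ENC_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_PKCS8_ENC_KEY = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)


def classify_pem(text):
    """Return a list of (label, kind, encrypted) for every PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        if label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8 EncryptedPrivateKeyInfo is always password protected.
            blocks.append((label, "key", True))
        elif label in KEY_LABELS:
            # Legacy OpenSSL encryption is announced by header lines
            # placed before the base64 body.
            legacy = any(
                line.startswith("Proc-Type:") and "ENCRYPTED" in line
                for line in body.splitlines()
            )
            blocks.append((label, "key", legacy))
        elif label == "CERTIFICATE":
            blocks.append((label, "certificate", False))
        else:
            blocks.append((label, "other", False))
    return blocks


def preflight(root_pem, user_pem, key_pem):
    """Check the three inputs of the PEM import step; return a list of problems."""
    problems = []
    for name, text in (("root certificate", root_pem), ("user certificate", user_pem)):
        if not any(kind == "certificate" for _, kind, _ in classify_pem(text)):
            problems.append(f"{name}: no CERTIFICATE block found")
    keys = [(label, enc) for label, kind, enc in classify_pem(key_pem) if kind == "key"]
    if not keys:
        problems.append("private key: no private key block found")
    for label, encrypted in keys:
        if encrypted:
            problems.append(
                f"private key: '{label}' block is password protected; "
                "the import needs an unprotected key"
            )
    return problems


if __name__ == "__main__":
    for key in (SAMPLE_CLEAR_KEY, SAMPLE_LEGACY_ENC_KEY, SAMPLE_PKCS8_ENC_KEY):
        print(preflight(SAMPLE_CERT, SAMPLE_CERT, key) or "ready for import")
```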
6.8.4 How to configure a tunnel with Certificates from USB Token or SmartCard
TheGreenBow IPSec VPN Client can read Certificates from USB Tokens or Smart Cards. Smart
Cards can be used for securing X509 certificates that can be protected by a PIN code.
Here are the steps to configure a tunnel using Certificates from USB Tokens or Smart Cards:
Step 1: Select 'Certificate' in the 'Phase 1' window of that tunnel, and click on 'Certificates
Management...'.
Step 2: Select the Certificate from the Certificate Management Panel which shows a list of all
USB Tokens or Smart Cards accessible and their Certificates. Insert your USB Token or
Smart Card at this time if not done already, and it will show up in the list. The (USB
token or SmartCard Reader) identification process starts and a PIN code may be
required. Enter your 'PIN code' and click 'OK'. Once the USB token or SmartCard is
successfully read and the Certificate is correctly imported, it will be displayed in the
Certificate Management Panel under the 'TheGreenBow Configuration File' section.
6.8.5 How to open a tunnel with Certificates from USB Token or SmartCard
When a tunnel is configured to use Certificates from USB Token or SmartCard, the user is asked
for the PIN code of the USB Token or SmartCard each time the tunnel must be opened (except
on automatic VPN renegotiations).
Thus, to open a tunnel with Certificates from USB Token or SmartCard, it is required to have:
1. The SmartCard reader (middleware) correctly installed
2. A readable SmartCard inserted in the SmartCard reader or USB Token plugged in
3. The correct PIN code for reading the USB Token or SmartCard
Several errors may occur while connected to a USB Token or SmartCard. They are indicated by a
small warning icon next to the Token name, with a popup giving more info when clicking on this
icon:
· Token not found: previously plugged in but not at this time.
· Token found but no middleware to access it (often required when using smartcard readers)
· Token and Store found but no Certificate found
Certificates located in the Microsoft Certificate Store have to follow these rules:
· Certificate has to be certified by a certificate authority and the Certificate status must be
'Ok' (see 'Certificate troubleshooting')
· Certificate has to be located in the 'Personal' Certificate Store as it represents the
personal identity of the user trying to connect to his corporate network.
Note: Windows provides a Certificate Management tool you can use to troubleshoot Certificate
issues: Go to 'Windows Start' > 'Run' > 'CERTMGR.MSC'
TheGreenBow VPN Client can import or export a VPN Configuration. With this feature, IT
managers can prepare a configuration and deliver it to other users.
· Importing a configuration, select menu 'File' > 'Import VPN Configuration'.
· Exporting a configuration, select menu 'File' > 'Export VPN Configuration'.
An exported VPN Configuration can be protected by a password. When the user wants to export a
configuration, a window automatically asks whether the exported VPN configuration must be
protected with a password or not.
When a VPN Configuration is protected with a password, its importation will automatically ask the
user to enter the password. An exported VPN Configuration which is not protected with a
password will be automatically imported without any request to the user.
Note: A VPN Configuration file can also be imported via the command line.
TheGreenBow IPSec VPN Client can import one or several tunnels into an existing VPN
Configuration. With this feature, IT managers can merge a new VPN Configuration with new
gateways into an existing VPN Configuration and deliver it to users or group of users.
1. Import new VPN Configuration via menu 'File' > 'Import VPN Configuration' and then select
'Add' instead of 'Replace'.
2. Drag&drop a new VPN Configuration into the software with an existing VPN Configuration
already opened. The exact same popup window (see above) will appear asking if the user
wants to 'Add' or 'Replace' existing VPN Configuration.
Whichever way you choose to import a VPN Configuration, the following behaviors are common:
· Global parameters are not imported in case at least one tunnel was already configured prior to
import and the user selects 'Add' VPN Configuration in the popup.
· Global parameters are imported in case the user selects 'Replace' or no tunnel was configured
prior to import.
· Tunnel name conflicts between existing and imported VPN Configurations are solved by the
software automatically by adding an increment in brackets, e.g. tunnel_office(1), to the imported
tunnel names (i.e. both Phase1 and Phase 2).
TheGreenBow IPSec VPN Client can export one tunnel from an existing VPN Configuration. With
this feature, IT managers can split an existing VPN Configuration into smaller VPN Configurations
and deliver them to users or groups of users.
1. Right click on any tunnel Phase 2 from your VPN Configuration, then select 'Export Tunnel'.
3. Once exported, the VPN Configuration can be sent to users or you can double click on
it to start TheGreenBow IPSec VPN Client.
Note:
· Export of a Phase 2 will export the associated Phase 1 as well. This means also export of
Certificates that might have been defined in this Phase 1.
· Export of a Phase 2 will export the Global Parameters as well.
6.9.4 Embed your own VPN Configuration into IPSec VPN Client Setup
A (pre-created) VPN Configuration may be enclosed into the IPSec VPN Client Setup. Enclosing
VPN Configuration within the IPSec VPN Client Setup enables IT Manager to deploy
pre-configured IPSec VPN Client software in a single package to all company users.
The IPSec VPN Client Setup embeds a Demo VPN Configuration. This Demo VPN Configuration
makes it possible to open a tunnel to our TheGreenBow Demo Server as soon as the IPSec VPN
Client software is installed.
7 Deployment
A VPN Configuration ".tgb" file embedded within the IPSec VPN Client Setup (unzipped, see
'Deployment Guide' description on our website) is automatically imported by the IPSec VPN Client
during software installation.
Important note: the Setup cannot import and use an encrypted (protected) VPN Configuration.
When creating your VPN Configuration make sure it is exported without being encrypted (without
being protected with a password).
Several options are available with the IPSec VPN Client Setup.
1. Configuration of the GUI mode: 'full', 'user' or 'hidden'.
2. Protection of the GUI mode Access Control with a password.
3. Configuration of the Systray menu items.
4. Other options for Software Start, License Number, Auto Software Activation, no trial
windows, languages and Activation email.
Syntax example:
Setup.exe /S --license=0123456789ABCDEF0123 --start=1 --activmail=smith@smith.com
For more details, please see the 'Deployment Guide' on our website.
Syntax: --guidefs=full|user|hidden
Defines the GUI appearance when the IPSec VPN Client starts.
Syntax: --password=mypwd
Controls the access to the 'Configuration Panel' with a password. See 'Access Control &
Hidden Interface' for more info.
Syntax: --menuitem=[0...31]
Specifies the items of the systray menu that the IT manager wants to keep.
Example: --menuitem=5 will configure a systray menu with the items: Quit + Console.
Note 1: the tunnels are always shown in the systray menu, and can always be opened and closed
Here are the other installation parameters for the setup command line:
Syntax: /D=[install path] ("D" must be preceded by only 1 slash, case sensitive)
Usage: [install path] is the path where to install the software. No quotation marks, even if
there is a space in the path.
Warning: This option must be used with the option "/S" (silent mode) and must be placed at the
end of the command line, as the last option if there are any others.
Syntax: --license=[license_number]
Configures the license number. The License Number is a set of 24 hexadecimal
characters. Old License Numbers might be 20 hexadecimal characters.
Syntax: --start=[1|2]
Configures the start mode for the VPN Client: after the logon windows [1] or manually [2].
Default is [1].
Syntax: --activmail=[activation_email]
Forces the email used for activation confirmation. During the activation process, the edit
box used for entering this email will be disabled.
Syntax: --autoactiv=1
In case of software upgrade (i.e. license number and activation email have already been entered
in a previous installation), when the --autoactiv=1 option is added, the software will try to
activate automatically when starting if the network is available, or when requesting to open a
tunnel if the network was not available at startup.
Syntax: --noactiv=1
The 'Trial window' is not displayed once the software has started, until the trial period ends.
The user doesn't know he is in trial period and the software will be disabled at the end of the
trial period. It means that if the user tries to launch the software after the end of the trial
period, the software will start and open the 'Trial window' but the 'Evaluate' button will be
disabled.
PT 2070 Portuguese
DE 1031 German
NL 1043 Dutch
IT 1040 Italian
ZH 2052 Chinese simplified
SL 1060 Slovenian
TR 1055 Turkish
PL 1045 Polish
EL 1032 Greek
RU 1049 Russian
JA 1041 Japanese
FI 1035 Finnish
SR 2074 Serbian
TH 1054 Thai
AR 1025 Arabic
HI 1081 Hindi
Example:
TheGreenBow_VPN_Client.exe /S --license=0123456789ABCDEF0123 --start=2 --activmail=smith@smith.com
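A silent-install command line can be checked against the option rules of this section before it is pushed to many machines. The following is an added example, not taken from the guide or from TheGreenBow's Deployment Guide: a Python lint that applies only the rules stated on this page. The function name is hypothetical, and it assumes the setup executable path contains no spaces.

```python
import re

# Value rules taken from the option descriptions in this section.
RULES = {
    "--guidefs": r"full|user|hidden",
    "--menuitem": r"[0-9]|[12][0-9]|3[01]",                 # 0...31
    "--license": r"[0-9A-Fa-f]{24}|[0-9A-Fa-f]{20}",        # 24 hex, or 20 for old licenses
    "--start": r"[12]",
    "--autoactiv": r"1",
    "--noactiv": r"1",
    "--activmail": r"[^@\s]+@[^@\s]+",
    "--password": r".+",
}

# Constructed sample command lines (the first one is the example from the guide).
SAMPLES = [
    r"Setup.exe /S --license=0123456789ABCDEF0123 --start=1 --activmail=smith@smith.com",
    r"Setup.exe --license=0123 --start=3 /D=C:\Program Files\VPN",
    r"Setup.exe /S /D=C:\VPN --start=1",
]


def lint_setup_cmdline(cmdline):
    """Return a list of problems found in a setup command line."""
    problems = []
    # /D= takes the rest of the line: the path is unquoted and may contain spaces.
    head, has_d, install_path = cmdline.partition(" /D=")
    args = head.split()[1:]                      # drop the executable name
    if has_d:
        if "/S" not in args:
            problems.append("/D= must be used together with /S")
        if '"' in install_path:
            problems.append("/D= path must not be quoted")
        if re.search(r"\s(--\w+|/S(\s|$))", install_path):
            problems.append("/D= must be the last option")
    for arg in args:
        if arg == "/S":
            continue
        if arg.lower().startswith("/d="):
            problems.append("/D= is case sensitive: use an upper-case D")
            continue
        name, _, value = arg.partition("=")
        rule = RULES.get(name)
        if rule is None:
            problems.append(f"{name}: not one of the options described in this section")
        elif not re.fullmatch(rule, value):
            problems.append(f"{name}: invalid value '{value}'")
    return problems


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        for problem in lint_setup_cmdline(sample) or ["ok"]:
            print("   ", problem)
```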
Several command lines are available. They are meant to be used by IT managers to adapt the
IPSec VPN Client behavior to their needs and to help integration with other applications.
· Stopping IPSec VPN Client
· Importing or Exporting VPN Configuration
· Opening or Closing VPN tunnels
For more details, please see the 'Deployment Guide' on our website.
TheGreenBow VPN Client can open or close a VPN tunnel by the command line. Both command
lines can be invoked while TheGreenBow IPSec VPN Client is running:
The arguments "open" and "close" are mutually exclusive and cannot be used together.
Restriction note:
· Execution of those command lines will open the Software Graphical User Interface (GUI). This
restriction will be removed in a further software release.
TheGreenBow VPN Client can be stopped at any time by the command line:
" [path]\vpnconf.exe /stop " where [path] is the IPSec VPN Client installation
directory.
This feature can be used, for example, in a script that launches the VPN Client after establishing
a dialup connection and exits it just before the disconnection.
TheGreenBow VPN Client can import a specific configuration file by the command line:
" /import: " may be used whether the VPN Client is running or not. When the VPN Client is
already running, it dynamically imports the new configuration and automatically applies it (i.e.
restarts the IKE service). If the VPN Client is not running, it is launched with the new
configuration.
" /importonce: " imports a VPN configuration file without running the VPN Client.
This command is especially useful in installation scripts: it makes it possible to run a silent
installation and to import a configuration automatically.
" /export: " exports the current VPN Configuration (including Certificates) to the
specified file. This command starts the VPN Client if it is not already running.
" /exportonce: " exports the current VPN Configuration (including Certificates) to
the specified file. This command doesn't start the VPN Client if it is not already running.
" /add: " imports a new VPN Configuration into an existing VPN Configuration and
merges both into a single VPN Configuration. This command line may be used whether the VPN
Client is running or not. This command doesn't start the VPN Client if it is not already running.
" /replace: " replaces the current configuration with a new VPN Configuration. This
feature is available in software release 4.1 and older, and may be used instead of the /importonce
option to import a VPN configuration file without running the VPN Client.
" /pwd:[password]" enables to set a password for import operations. This option can be used
together with the /import, /importonce, /export, /exportonce, /add and /replace options but it must
be placed after one of those options.
TheGreenBow VPN Client always includes the latest list of ATR codes available from Token and
SmartCard vendors. However, new ATR codes appear every day, and this feature makes it possible
to add one or several new ATR codes without waiting for a new software release.
TheGreenBow VPN Client can take into account new Token ATR codes as soon as they are
declared in an initialization file called "vpnconf.ini". This file "vpnconf.ini" must be a text
file and must be saved in the same install folder as tgbike.exe.
[3B:65:00:00:9C:02:02:07:02]
mask="FF:FF:00:00:FF:FF:FF:FF:FF"
scname="My token"
manufacturer="Token Manufacturer"
pkcs11DllName="pkcs11.dll"
registry="HKEY_LOCAL_MACHINE:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\TgbIke.exe:DllPath"
[3B:65:00:00:9C:02:02:07:03]
mask="FF:FF:00:00:FF:FF:FF:FF:FF"
scname="My token2"
manufacturer="Token Manufacturer"
pkcs11DllName="pkcs11.dll"
registry="HKEY_LOCAL_MACHINE:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\TgbIke.exe:DllPath"
[atr]: Token ATR code. This is the delimiter that separates several ATR codes.
mask: Token mask code
scname: Token name
manufacturer: Token manufacturer's name
pkcs11DllName: PKCS#11 middleware file
registry: Value in the registry that points to the complete path of the DLL
Note: If the PKCS#11 DLL (here as pkcs11.dll) is not in c:\windows\system32\ then "registry" must
be set.
Note: Registry is the value in the registry that points to the complete path of the DLL. The syntax is
HKEY_LOCAL_MACHINE:<registry key>:<value in the registry key>.
For example, if a value "DllPath" with content "C:\Program Files\TheGreenBow\TheGreenBow
VPN\pkcs11.dll" is created in "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\
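A "vpnconf.ini" in the format described in this section can be checked before it is deployed. The following is an added example, not part of the original guide or of the VPN Client: a Python validator for the section and key syntax, plus a lookup of a card ATR against the declared entries. Treating every key except "registry" as required, and applying the mask as a byte-wise AND on both ATRs, are assumptions (the guide does not spell them out); the function names and sample data are constructed.

```python
import configparser
import re

HEX_BYTES = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})*$")
REQUIRED = ("mask", "scname", "manufacturer", "pkcs11DllName")   # assumption

# Constructed sample: the first section follows the guide's format,
# the second one is deliberately broken.
SAMPLE_INI = r'''
[3B:65:00:00:9C:02:02:07:02]
mask="FF:FF:00:00:FF:FF:FF:FF:FF"
scname="My token"
manufacturer="Token Manufacturer"
pkcs11DllName="pkcs11.dll"
registry="HKEY_LOCAL_MACHINE:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\TgbIke.exe:DllPath"

[3B:65:00:00:9C:02:02:07]
mask="FF:FF:00:00:FF:FF:FF:FF:FF"
scname="My token2"
manufacturer="Token Manufacturer"
registry="HKEY_LOCAL_MACHINE:DllPath"
'''


def to_bytes(text):
    """Convert 'AA:BB:CC' into bytes."""
    return bytes(int(b, 16) for b in text.split(":"))


def load_entries(ini_text):
    """Parse vpnconf.ini text; return (valid_entries, problems)."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str                 # keep key case (pkcs11DllName)
    parser.read_string(ini_text)
    entries, problems = [], []
    for atr in parser.sections():
        opts = {k: v.strip().strip('"') for k, v in parser[atr].items()}
        errs = []
        atr_ok = bool(HEX_BYTES.match(atr))
        if not atr_ok:
            errs.append("section name is not colon-separated hex bytes")
        for key in REQUIRED:
            if not opts.get(key):
                errs.append(f"missing {key}")
        mask = opts.get("mask", "")
        if mask and not HEX_BYTES.match(mask):
            errs.append("mask is not colon-separated hex bytes")
        elif mask and atr_ok and len(mask) != len(atr):
            errs.append("mask and ATR differ in length")
        reg = opts.get("registry")
        if reg is not None:
            # Documented syntax: HKEY_LOCAL_MACHINE:<registry key>:<value>
            parts = reg.split(":")
            if len(parts) != 3 or parts[0] != "HKEY_LOCAL_MACHINE" or not all(parts):
                errs.append("registry is not HKEY_LOCAL_MACHINE:<key>:<value>")
        if errs:
            problems.extend(f"[{atr}] {e}" for e in errs)
        else:
            entries.append((to_bytes(atr), to_bytes(mask), opts))
    return entries, problems


def match_atr(card_atr, entries):
    """Return the scname of the first entry matching card_atr, else None.

    Assumed rule: bytes are compared only where the mask has bits set.
    """
    card = to_bytes(card_atr)
    for atr, mask, opts in entries:
        if len(card) == len(atr) and all(
            (c & m) == (a & m) for c, a, m in zip(card, atr, mask)
        ):
            return opts["scname"]
    return None


if __name__ == "__main__":
    valid, found = load_entries(SAMPLE_INI)
    print("\n".join(found))
    print(match_atr("3B:65:11:22:9C:02:02:07:02", valid))
```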
Part VIII Console and Logs
The 'Console' window is available from the context menu of the systray icon or from the 'Console'
button in the Configuration Panel. This window can be used to analyze VPN tunnels. This tool is
particularly useful for IT managers setting up their network.
Button        Description
Save          Save current logs in a file. Future logs won't be saved in the selected file.
Start/Stop    Start/Stop collecting logs.
Clear         Clear console window content.
Reset IKE     Restart IKE process.
9 Software Localization
The localization (L10N) of the IPSec VPN Client is now possible, even by a third-party company.
All the strings used by the VPN Client are listed in a Translation tool, ready for translation.
Step 1: Download the VPN Client Translation tool from our website.
Step 2: Translate the strings into your own language.
Step 3: Send the translated VPN Client string file back to us at: support@thegreenbow.com
Step 4: We will include your language in the next Generally Available (GA) Product release of
the IPSec VPN Client. See our website for who is already contributing.
10 Contacts
Secure, Strong, Simple.
TheGreenBow Security Software