SingTel VPN as a Service Quick Start Guide



VPN Quick Start Guide

2/33

Document Control

#   Date of Release   Version #     Page Affected   Remarks
1   25 April 2014     PT_SN20_1.0


Table of Contents

1. SingTel VPN as a Service Administration........................................................................................... 4

1.1. Remote Access VPN ................................................................................................................. 4

a. How to Add a User Account...................................................................................................... 4

b. How to Rename a User Account ............................................................................................... 5

c. Changing the Password ............................................................................................................ 6

d. How to Assign a User to a Group .............................................................................................. 6

1.2. Site-to-Site VPN........................................................................................................................ 7

a. Phase 1 .................................................................................................................................... 7

b. Phase 2 .................................................................................................................................... 9

2. Remote Access VPN Connection Mode .......................................................................................... 10

2.1. Remote Access Using Web Mode ........................................................................................... 10

a. How to Connect to VPN via Web Mode .................................................................................. 11

b. How to Add a Bookmark......................................................................................................... 12

c. How to End Remote Access Connection ................................................................................. 14

2.2. Remote Access using FortiClient ............................................................................................. 14

a. FortiClient First Time Installation ............................................................................................ 15

b. How to Connect to VPN Using FortiClient (Browser Plug-in) ................................................... 19

c. How to Access SSL VPN Using FortiClient (Computer) ............................................................. 21

d. How to Access SSL VPN Using FortiClient (Mobile) .................................................................. 26

3. CPE (Router) Configuration ............................................................................................................ 28

3.1. Cisco Router Configuration ..................................................................................................... 28

a. Configuration Template ......................................................................................................... 29

3.2. HP MSR Router Configuration ................................................................................................ 31

a. Configuration Template ......................................................................................................... 32


1. SingTel VPN as a Service Administration

1.1. Remote Access VPN

When a remote client connects to the SingTel VPN Cloud, the user is authenticated by username, password and an OTP (one-time password) delivered by SMS.

By default, five (5) pre-defined user accounts exist. Depending on the number of users subscribed, you can add to or edit this user list.
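The password-then-OTP login described above, as an added example in Python; it is not SingTel's or FortiGate's code. The user store, PBKDF2 password hashing, 6-digit OTP, 120-second validity window and 3-attempt limit are assumptions, and the SMS sender is a stub the caller supplies. The points it makes that the guide leaves implicit: the SMS is sent only after a correct password, a code is accepted once, and renaming an account keeps its phone binding.

```python
"""Two-step remote access login: password first, SMS one-time password second.
Added illustration of the flow in section 1.1; not SingTel's or FortiGate's
code.  Assumed: PBKDF2 password storage, 6-digit OTP, 120 s validity,
3 attempts, and a caller-supplied SMS sender."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from hashlib import pbkdf2_hmac

OTP_DIGITS = 6            # assumption: the guide does not state the OTP length
OTP_TTL_SECONDS = 120     # assumption: validity window of a sent OTP
MAX_OTP_ATTEMPTS = 3      # assumption: wrong codes allowed before the OTP is voided


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    phone: str                         # SMS destination, set in step 4 of 1.1.a
    groups: set = field(default_factory=set)


@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts_left: int = MAX_OTP_ATTEMPTS


def hash_password(password: str, salt: bytes) -> bytes:
    return pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Gateway:
    def __init__(self, send_sms, clock=time.time):
        self.users = {}            # username -> User
        self.pending = {}          # username -> PendingOtp
        self.send_sms = send_sms   # callable(phone, text)
        self.clock = clock

    def add_user(self, name, password, phone, groups=()):
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, hash_password(password, salt), phone, set(groups))

    def rename_user(self, old, new):
        # The account object, and with it the phone number that receives the
        # OTP, survives a rename; the guide says to rename rather than delete
        # for this reason.  Update the phone if the account changes hands.
        user = self.users.pop(old)
        user.name = new
        self.users[new] = user

    def login_step1(self, name, password) -> bool:
        """Check the password; on success generate an OTP and send it by SMS."""
        user = self.users.get(name)
        if user is None:
            hash_password(password, bytes(16))   # same cost as for a real user
            return False
        if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            return False
        # An SMS goes out only after a correct password (step 4 of 2.1.a), so
        # knowing a username alone cannot make the gateway send codes.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.pending[name] = PendingOtp(code, self.clock() + OTP_TTL_SECONDS)
        self.send_sms(user.phone, f"Your VPN one-time password is {code}")
        return True

    def login_step2(self, name, code) -> bool:
        """Verify the OTP: single use, time-limited, limited attempts."""
        p = self.pending.get(name)
        if p is None or self.clock() > p.expires_at:
            self.pending.pop(name, None)
            return False
        if not hmac.compare_digest(code.encode(), p.code.encode()):
            p.attempts_left -= 1
            if p.attempts_left == 0:
                del self.pending[name]
            return False
        del self.pending[name]        # a used code cannot be replayed
        return True


if __name__ == "__main__":
    gw = Gateway(send_sms=lambda phone, text: print(f"SMS to {phone}: {text}"))
    gw.add_user("alice", "correct horse battery staple", "+65 0000 0000", {"Full_Access"})
    if gw.login_step1("alice", "correct horse battery staple"):
        print("OTP verified:", gw.login_step2("alice", input("Enter OTP: ")))
```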

a. How to Add a User Account

1. Go to User & Device > User > User Definition, and click Create New.

2. In the User Creation Wizard, select Local User. Click Next.

3. Type the username and password.

4. Tick the SMS checkbox, enter the phone number, choose Custom Service Type, and select Bizlive as the SMS provider. Click Next.


5. Tick Enable and User Group, assign the user to the appropriate group, and click Done.

NOTE: Rename rather than delete a user account: deleting it also removes its two-factor authentication binding (see b. How to Rename a User Account). If a user account has been deleted, call the Singtel Helpdesk to re-enable two-factor authentication via SMS. When a renamed account is handed to a different person, change its password (see c. Changing the Password) and update the phone number, since the OTP is delivered to the number stored on the account.

b. How to Rename a User Account

1. Go to User & Device > User > User Definition.

2. Highlight the user, then click Edit User.

3. Change User Name.


c. Changing the Password

1. Go to User & Device > User > User Definition.

2. Highlight the user, then click Edit User. (Or double click)

3. Enter the new password at the Password text box.

4. Click OK.

d. How to Assign a User to a Group

1. Go to User & Device > User > User Definition.

2. Highlight the user, then click Edit User. (Or double click)

3. Tick Add this user to groups, then assign the user to the Full_Access group.

4. Click OK.


1.2. Site-to-Site VPN

A Site-to-Site VPN tunnel is established in two phases, Phase 1 and Phase 2, and several parameters determine how this is done. Except for the IP addresses, the settings simply need to match at both ends: your IPsec-enabled router and the SingTel Cloud VPN (collectively called "VPN Gateways").

The Site-to-Site VPN is pre-configured by default. Except for the Pre-Shared Key (PSK), the Phase 1 and Phase 2 parameters need not be changed.

a. Phase 1

In Phase 1, the two VPN Gateways exchange information about the encryption algorithms they support and then establish a temporary secure connection over which they exchange authentication information.

Below is the default Phase 1 configuration.

NOTE: The IP address in the default configuration is only an example; it varies with the IP address provided upon subscription. The pre-shared key can also be changed (see How to Change the Phase 1 Pre-Shared Key (PSK)).


How to Change the Phase 1 Pre-Shared Key (PSK)

A pre-shared key (PSK) is a shared secret agreed between two or more sites over some secure channel. It must contain at least 6 alphanumeric characters. Six characters is only the minimum the portal enforces: the same key is entered into the CPE router template in Section 3 and is the only thing that authenticates Phase 1, so use a long random key (32 characters or more) and pass it to the router administrator out of band rather than by e-mail.

1. Go to VPN > IPsec > Auto Key (IKE).

2. Right-click the Phase 1 entry, then select Edit (or double-click it).

3. Enter the new key in the Pre-shared Key text box.


b. Phase 2

As in Phase 1, the two VPN Gateways exchange information about the encryption algorithms they support for Phase 2.

Below is the default Phase 2 configuration.


2. Remote Access VPN Connection Mode

The remote client connects to the remote access VPN tunnel in one of several ways, depending on the VPN configuration. Full-access mode is given to all users, which allows either web mode, which uses a browser, or tunnel mode, which uses FortiClient.

2.1. Remote Access Using Web Mode

Web mode requires nothing more than a web browser. The supported operating systems and browsers (minimum versions) are listed below.

Operating System                     Web Browser
Microsoft Windows 7 32-bit SP1       Microsoft Internet Explorer 8, 9, 10 and 11; Mozilla Firefox 26
Microsoft Windows 7 64-bit SP1       Microsoft Internet Explorer 8, 9, 10 and 11; Mozilla Firefox 26
Linux CentOS 5.6 and Ubuntu 12.04    Mozilla Firefox 26
Mac OS X v10.9 Mavericks             Mozilla Firefox 26


a. How to Connect to VPN via Web Mode

1. Launch your internet browser and access the Remote Access VPN server IP address via https. Example: https://118.201.129.10/sslvpn (see Figure 2). The VPN server IP address is the same as the VPN Admin Portal address, which you receive in your service letter.

2. Select Continue to this website on the certificate error prompt. (Note: this is not a security breach; the gateway uses a private certificate that your browser does not recognise.) Bear in mind that the browser cannot tell this certificate from one presented by a machine interposed on the path, so before accepting it for the first time, compare the certificate's SHA-256 fingerprint with a value obtained out of band (for example from the SingTel Helpdesk), or import the private certificate into the browser's trust store so that the warning disappears for the genuine gateway and reappears only if a different certificate is presented.

3. Enter your username and password when login window appears.


4. An OTP (one-time password) will be sent to your mobile phone once the username and password have been entered correctly.

5. After you have logged in successfully, you will be directed to the Remote Access VPN welcome screen.

b. How to Add a Bookmark

1. On the Remote Access VPN web home page, click Add and enter the following information:

Category: Select a category, or group, to include the bookmark in. If this is the first bookmark added, you will be prompted to add a category; otherwise, select Create from the drop-down list.

Name: Enter a name for the bookmark.

Type: Select the type of link from the drop-down list. Telnet, VNC and RDP require a browser plug-in. FTP and Samba replace the bookmarks page with an HTML file browser.

Location: Enter the IP address of the target server.

SSO: Select this if you wish to use single sign-on for links that require authentication. When including a link using SSO, use the entire URL, for example http://10.10.5.0/login rather than just the IP address.

Description: Enter a description for the bookmark.


2. Click OK.

3. Added bookmarks will be shown on the welcome screen once configured. You just need to

click on the bookmark to access the remote server.


c. How to End Remote Access Connection

1. When you need to end the remote access session, click on the Logout button on the SSL

VPN welcome screen.

2.2. Remote Access using FortiClient

Tunnel mode establishes a connection to the remote protected network that any application can use. It requires the FortiClient SSL VPN application, which sends and receives data through the SSL VPN tunnel. The supported operating systems, FortiClient versions and file formats are listed below.

The desktop version can be downloaded from SingTel.com; the smartphone versions for Android and iOS come from the respective app stores.

Operating System                                        FortiClient version and format
Microsoft Windows 8.1, 8 and 7 (32-bit & 64-bit)        v4.4.2297, .exe
Linux CentOS 5.6 and Ubuntu 12.04                       v4.4.2297, .tar.gz
Mac OS X v10.9, 10.8 and 10.7                           v4.4.2297, .dmg
iPhone iOS 6 and 7                                      FortiClient (app store)
Android 4.3 and 4.4                                     FortiClient VPN (app store)


a. FortiClient First Time Installation

1. Launch the SSL VPN page in your internet browser by accessing the Remote Access VPN server IP address via https. Example: https://27.54.50.226 (see Figure 7).

2. Select Continue to this website on the certificate error prompt. (Note: this is not a security breach; the gateway uses a private certificate that your browser does not recognise. Verify its fingerprint out of band before accepting it, as described in 2.1.a.)

3. Login pop-up window will be displayed on your screen. Enter your username and password.

4. An OTP (One-Time-Password) will be sent via SMS to your mobile phone once the username

and password are entered correctly. Enter the OTP code.


5. After you have logged in successfully, you will be directed to the Remote Access VPN welcome screen. You will be prompted to download and install the Remote Access VPN client application (first-time access only).

6. You can either Save the installer to disk or Run it directly from the web.

7. Select Run as administrator on the installation wizard. The elevation prompt names the installer's publisher; since the download came from a server whose certificate was not validated in step 2, check that it shows a verified publisher before approving it.


8. All browsers, including the one showing the Remote Access VPN page, must be closed before the next installation step.

9. Click ‘Install’ on the installation wizard.


10. Wait until SSLVPN client application completes the installation before closing the installation

wizard.


b. How to Connect to VPN Using FortiClient (Browser Plug-in)

1. Launch your internet browser and access the Remote Access VPN Server IP address via

https. Example: https://118.201.129.10/sslvpn.

2. Select Continue to this website on the certificate error prompt. (Note: this is not a security breach; the gateway uses a private certificate that your browser does not recognise. Verify its fingerprint out of band before accepting it, as described in 2.1.a.)

3. Enter your username and password when login window appears

4. An OTP (One-time-password) will be sent to your mobile phone once the username and

password are entered correctly.


5. After you have logged in successfully, you will be directed to the Remote Access VPN welcome screen. Click the Connect button to initiate the remote access tunnel.

6. When the tunnel is established, Link Status will indicate 'Up'. You can now open any application as if you were working inside the company network, for example Outlook to read your company mail. You must keep this VPN welcome screen open for the duration of the remote access session.


7. To end the Remote Access session, you can click on the Disconnect button on the Remote

Access VPN welcome screen or simply close the browser.
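The certificate warning in step 2 here, in 2.1.a and in 2.2.a is the point at which an attacker interposed on the path would go unnoticed. The following added example (Python; not part of the guide, of FortiClient or of the SingTel service) retrieves the gateway's certificate and compares its SHA-256 fingerprint with a value you obtained out of band, so the decision to trust the private certificate is made once against a known value rather than at every warning. The host, port and expected fingerprint given on the command line are assumptions; the embedded PEM block is a constructed placeholder, not a real certificate, so that the helpers can be exercised offline.

```python
"""Check the SSL VPN gateway's certificate fingerprint instead of clicking
through the browser warning.  Added example for the certificate-error step of
sections 2.1.a, 2.2.a and 2.2.b; host, port and the pinned value are assumptions."""
import base64
import hashlib
import ssl
import sys


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form browser dialogs display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem: str) -> str:
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def pin_matches(pem: str, expected: str) -> bool:
    """Compare ignoring case and separators, so a value copied from a letter,
    an e-mail or a browser dialog compares equal to the computed one."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return norm(fingerprint_from_pem(pem)) == norm(expected)


def fetch_gateway_cert(host: str, port: int = 443) -> str:
    """Retrieve the leaf certificate without chain validation (the fingerprint
    comparison is the validation).  Needs network; not used by the offline test."""
    return ssl.get_server_certificate((host, port))


# Constructed stand-in: arbitrary bytes wrapped as a PEM block so the helpers
# run offline.  It is NOT an X.509 certificate.
FAKE_DER = b"constructed placeholder, not a real X.509 certificate"
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(FAKE_DER).decode()
            + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # usage: python pin_check.py 118.201.129.10 <expected SHA-256 fingerprint>
    host, expected = sys.argv[1], sys.argv[2]
    pem = fetch_gateway_cert(host)
    print("presented:", fingerprint_from_pem(pem))
    if pin_matches(pem, expected):
        print("ACCEPT: fingerprint matches the out-of-band value")
    else:
        print("REJECT: fingerprint mismatch; do not log in, contact the helpdesk")
```

Run it once with the fingerprint received out of band; if it reports REJECT, stop and call the helpdesk rather than clicking Continue. If it reports ACCEPT, importing that same certificate into the browser's trust store makes the warning disappear for the genuine gateway and reappear only for a different one.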

c. How to Access SSL VPN Using FortiClient (Computer)

1. Launch the FortiClient SSL VPN application. A first-time user will find the fields empty. To configure them, select Settings.


2. Pop-up window will appear for the application setting. Select New Connection.


3. Configuration setup

Connection Name: Enter a name to identify the remote access connection.

Description: Enter a description to identify the remote access network.

Server Address: Enter the remote SSL VPN server IP address.

Username: Enter the username.

Password: Enter the password.

Client Certificate: Leave this blank.


4. Tick on Keep connection alive until manually stopped, then click the OK button.

5. Click the Connect button to initiate the Remote Access tunnel.


6. An OTP (one-time password) will be sent to your mobile phone once the username and password have been entered correctly. Enter the OTP code and click the Login button.

7. When the tunnel is established, the Connection Status will indicate Connected. You can now open any application as if you were working inside the company network, for example Outlook to read your company mail. You must keep the SSL VPN client application open for the duration of the remote access session.


8. To end the Remote Access session, you can click on the Disconnect button or simply close

the Remote Access VPN client application.

d. How to Access SSL VPN Using FortiClient (Mobile)

1. Launch the FortiClient App on your mobile phone. Click Add New to setup a new connection.

2. Initial configuration


3. Key in the username and password. Once you have logged in successfully, you will be asked to enter the token received via SMS.

4. To add a bookmark, click Add Bookmark.

5. To open a bookmark, click on one of the bookmarks added to access a remote server or FTP.

6. To disconnect from the VPN connection, click on the FortiClient button and click OK.


3. CPE (Router) Configuration

3.1. Cisco Router Configuration

Model                                    Firmware
Cisco 881 (C880DATA-UNIVERSALK9-M)       Version 15.2(4)M3
Cisco 1921, 1941 (C1900-UNIVERSALK9-M)   Version 15.2(4)M3


a. Configuration Template

conf t
!
! IKE Phase 1: keyring holding the PSK for the SingTel VPN Cloud peer
crypto keyring keyv4
 pre-shared-key address VDOM_IP key PRE-SHARED-KEY
 exit
!
! IKE Phase 1 policy: AES-256, PSK authentication, DH group 5, 24 h lifetime
crypto isakmp policy 4
 encr aes 256
 authentication pre-share
 group 5
 lifetime 86400
 exit
!
! Bind the keyring to the peer's identity (its address)
crypto isakmp profile ipv4_isakmp_pro
 keyring keyv4
 match identity address VDOM_IP 255.255.255.255
 exit
!
! IPsec Phase 2: ESP AES-256 with HMAC-SHA1, tunnel mode, PFS group 5, 24 h lifetime
crypto ipsec transform-set ipv4_tran esp-aes 256 esp-sha-hmac
 mode tunnel
 exit
crypto ipsec security-association lifetime seconds 86400
crypto ipsec profile ipv4_ipsec_pro
 set isakmp-profile ipv4_isakmp_pro
 set transform-set ipv4_tran
 set pfs group5
 exit
!
! Route-based VPN: a tunnel interface protected by the IPsec profile
interface Tunnel4
 ip address TUNNEL_INT_IP
 tunnel source LOCAL_WAN_IP
 tunnel mode ipsec ipv4
 tunnel destination VDOM_IP
 tunnel protection ipsec profile ipv4_ipsec_pro
 exit
!
! Send remote-access and other-site traffic into the tunnel
ip route SSLVPN_Subnet Tunnel4
ip route LAN_Subnet1 Tunnel4
ip route LAN_Subnet2 Tunnel4
ip route LAN_SubnetN Tunnel4

Note: Only the upper-case placeholders in the template need to be changed.

Parameter        Description
VDOM_IP          The IP address of the VPN Cloud that will be used to establish the Site-to-Site VPN
PRE-SHARED-KEY   The pre-shared key used for Site-to-Site VPN authentication; it must be identical to the Phase 1 PSK set in section 1.2
TUNNEL_INT_IP    The IP address (with mask) of the tunnel interface
LOCAL_WAN_IP     The local WAN IP address that will be used to establish the Site-to-Site VPN
SSLVPN_Subnet    The subnet assigned to remote access users. By default it is 10.212.134.0/24.
LAN_SubnetN      The LAN subnets of the other remote sites


3.2. HP MSR Router Configuration

Model                  Firmware
HP MSR 900, MSR 2020   Comware Software, Version 5.20.106, Release 2311

Note: If a NAT device sits between the two Site-to-Site VPN devices, use Comware Software, Version 5.20.106, Release 2511 instead.


a. Configuration Template

system-view
ike proposal 4
 authentication-method pre-share
 encryption-algorithm aes-cbc 256
 dh group5
 sa duration 86400
 quit
ike peer v4peer1
 proposal 4
 pre-shared-key simple PRE-SHARED-KEY
 remote-address VDOM_IP
 nat traversal
 quit
ipsec transform-set v4forti-ipsec
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-cbc-256
 quit
ipsec profile v4profile1
 pfs dh-group5
 ike-peer v4peer1
 transform-set v4forti-ipsec
 sa duration time-based 86400
 quit
interface Tunnel4
 ip address TUNNEL_INT_IP
 tunnel-protocol ipsec ipv4
 source LOCAL_WAN_IP
 destination VDOM_IP
 ipsec profile v4profile1
 quit
ip route-static SSLVPN_Subnet Tunnel4
ip route-static LAN_Subnet1 Tunnel4
ip route-static LAN_Subnet2 Tunnel4
ip route-static LAN_SubnetN Tunnel4

Note: Only the upper-case placeholders in the template need to be changed. The simple keyword stores the pre-shared key in clear text in the configuration; where the firmware offers the cipher form of pre-shared-key, prefer it so that the key is not readable in display current-configuration output.

Parameter        Description
VDOM_IP          The IP address of the VPN Cloud that will be used to establish the Site-to-Site VPN
PRE-SHARED-KEY   The pre-shared key used for Site-to-Site VPN authentication; it must be identical to the Phase 1 PSK set in section 1.2
TUNNEL_INT_IP    The IP address (with mask) of the tunnel interface
LOCAL_WAN_IP     The local WAN IP address that will be used to establish the Site-to-Site VPN
SSLVPN_Subnet    The subnet assigned to remote access users. By default it is 10.212.134.0/24.
LAN_SubnetN      The LAN subnets of the other remote sites
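Section 1.2 states the rule that everything except the IP addresses must match at both VPN Gateways, and Section 3 gives the same proposal in two vendor syntaxes. The following added example (Python; not SingTel's tooling) extracts the Phase 1 and Phase 2 parameters from the Cisco IOS and Comware templates above, normalises the vendor spellings (esp-sha-hmac and sha1, group 5 and dh group5, and so on) and diffs them, which is the check to run before opening a ticket when a tunnel fails to come up. It also flags settings that are dated by current guidance. The regexes cover only the commands that appear on this page, not the full IOS or Comware grammar; the Comware IKE proposal's hash algorithm is not on the page, so Phase 1 hash is not compared.

```python
"""Normalise and diff the IKE Phase 1 / IPsec Phase 2 parameters of the two
CPE templates in section 3.  Added example, not SingTel's tooling; the rules
cover only the commands that appear in those templates."""
import re

# The proposal-bearing lines of the two templates above (constructed copies
# for an offline run; placeholders and routes carry no proposal parameters).
CISCO_TEMPLATE = """\
crypto isakmp policy 4
 encr aes 256
 authentication pre-share
 group 5
 lifetime 86400
crypto ipsec transform-set ipv4_tran esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 86400
crypto ipsec profile ipv4_ipsec_pro
 set pfs group5
"""

COMWARE_TEMPLATE = """\
ike proposal 4
 authentication-method pre-share
 encryption-algorithm aes-cbc 256
 dh group5
 sa duration 86400
ipsec transform-set v4forti-ipsec
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-cbc-256
ipsec profile v4profile1
 pfs dh-group5
 sa duration time-based 86400
"""

HASH_NAMES = {"sha": "sha1", "sha1": "sha1", "sha256": "sha256", "md5": "md5"}

# One (regex, builder) table per vendor; a builder returns the normalised
# key/value pairs contributed by a matching line.
CISCO_RULES = [
    (r"^encr aes (\d+)$", lambda m: {"p1_enc": f"aes-{m[1]}"}),
    (r"^authentication pre-share$", lambda m: {"p1_auth": "psk"}),
    (r"^group (\d+)$", lambda m: {"p1_dh": int(m[1])}),
    (r"^lifetime (\d+)$", lambda m: {"p1_lifetime": int(m[1])}),
    (r"^crypto ipsec transform-set \S+ esp-aes (\d+) esp-(\w+)-hmac$",
     lambda m: {"p2_enc": f"aes-{m[1]}", "p2_auth": HASH_NAMES[m[2]]}),
    (r"^mode (tunnel|transport)$", lambda m: {"p2_mode": m[1]}),
    (r"^crypto ipsec security-association lifetime seconds (\d+)$",
     lambda m: {"p2_lifetime": int(m[1])}),
    (r"^set pfs group(\d+)$", lambda m: {"p2_pfs": int(m[1])}),
]

COMWARE_RULES = [
    (r"^encryption-algorithm aes-cbc (\d+)$", lambda m: {"p1_enc": f"aes-{m[1]}"}),
    (r"^authentication-method pre-share$", lambda m: {"p1_auth": "psk"}),
    (r"^dh group(\d+)$", lambda m: {"p1_dh": int(m[1])}),
    (r"^sa duration (\d+)$", lambda m: {"p1_lifetime": int(m[1])}),
    (r"^sa duration time-based (\d+)$", lambda m: {"p2_lifetime": int(m[1])}),
    (r"^encapsulation-mode (tunnel|transport)$", lambda m: {"p2_mode": m[1]}),
    (r"^esp authentication-algorithm (\w+)$", lambda m: {"p2_auth": HASH_NAMES[m[1]]}),
    (r"^esp encryption-algorithm aes-cbc-(\d+)$", lambda m: {"p2_enc": f"aes-{m[1]}"}),
    (r"^pfs dh-group(\d+)$", lambda m: {"p2_pfs": int(m[1])}),
]


def parse(config: str, rules) -> dict:
    """Walk the config line by line and collect normalised parameters."""
    params = {}
    for raw in config.splitlines():
        line = raw.strip()
        for pattern, build in rules:
            m = re.match(pattern, line)
            if m:
                params.update(build(m))
    return params


def mismatches(a: dict, b: dict) -> list:
    """(key, a_value, b_value) for every parameter that differs or is missing."""
    return [(k, a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]


def weak_settings(params: dict) -> list:
    """Settings that match but are below current guidance; fixed by the
    service here, so this is for awareness rather than something to change."""
    notes = []
    for key in ("p1_dh", "p2_pfs"):
        if params.get(key) is not None and params[key] < 14:
            notes.append(f"{key}: DH group {params[key]} is below 2048-bit MODP (group 14)")
    if params.get("p2_auth") == "sha1":
        notes.append("p2_auth: HMAC-SHA1 is legacy; SHA-256 is preferred where both peers support it")
    return notes


if __name__ == "__main__":
    cisco, comware = parse(CISCO_TEMPLATE, CISCO_RULES), parse(COMWARE_TEMPLATE, COMWARE_RULES)
    for k in sorted(cisco):
        print(f"{k:12} cisco={cisco[k]!s:8} comware={comware.get(k)}")
    print("mismatches:", mismatches(cisco, comware) or "none")
    for note in weak_settings(cisco):
        print("note:", note)
```

To check a live CPE against the gateway, paste the relevant section of the router's running configuration in place of the template string and extend the rule table for any command the page does not show; a non-empty mismatch list names the parameter to fix before the tunnel will negotiate.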