SingTel VPN as a Service
Quick Start Guide
VPN Quick Start Guide
2/33
Document Control
#   Date of Release   Version #      Page Affected   Remarks
1   25 April 2014     PT_SN20_1.0
Table of Contents
1. SingTel VPN as a Service Administration (p. 4)
1.1. Remote Access VPN (p. 4)
a. How to Add a User Account (p. 4)
b. How to Rename a User Account (p. 5)
c. Changing the Password (p. 6)
d. How to Assign a User to a Group (p. 6)
1.2. Site-to-Site VPN (p. 7)
a. Phase 1 (p. 7)
b. Phase 2 (p. 9)
2. Remote Access VPN Connection Mode (p. 10)
2.1. Remote Access Using Web Mode (p. 10)
a. How to Connect to VPN via Web Mode (p. 11)
b. How to Add a Bookmark (p. 12)
c. How to End Remote Access Connection (p. 14)
2.2. Remote Access using FortiClient (p. 14)
a. FortiClient First Time Installation (p. 15)
b. How to Connect to VPN Using FortiClient (Browser Plug-in) (p. 19)
c. How to Access SSL VPN Using FortiClient (Computer) (p. 21)
d. How to Access SSL VPN Using FortiClient (Mobile) (p. 26)
3. CPE (Router) Configuration (p. 28)
3.1. Cisco Router Configuration (p. 28)
a. Configuration Template (p. 29)
3.2. HP MSR Router Configuration (p. 31)
a. Configuration Template (p. 32)
1. SingTel VPN as a Service Administration
1.1. Remote Access VPN
When a remote client connects to the SingTel VPN Cloud, the user is authenticated by username,
password and a one-time password (OTP) delivered by SMS.
By default, there are five (5) pre-defined user accounts. Depending on the number of users
subscribed, you can add to or edit this user list.
a. How to Add a User Account
1. Go to User & Device > User > User Definition, and click Create New.
2. In the User Creation Wizard, select Local User. Click Next.
3. Type the username and password.
4. Tick the SMS checkbox, enter the phone number, choose the Custom Service Type, and select
Bizlive as the SMS Provider. Click Next.
5. Tick Enable and User Group, and assign the user to the appropriate group. Click Done.
NOTE: Rename a user account rather than deleting it (see b. How to Rename a User Account).
Deleting an account disables its SMS two-factor authentication; if a user account has been
deleted, call the Singtel Helpdesk to have two-factor authentication via SMS re-enabled.
b. How to Rename a User Account
1. Go to User & Device > User > User Definition.
2. Highlight the user, then click Edit User.
3. Change User Name.
c. Changing the Password
1. Go to User & Device > User > User Definition.
2. Highlight the user, then click Edit User. (Or double click)
3. Enter the new password at the Password text box.
4. Click OK.
d. How to Assign a User to a Group
1. Go to User & Device > User > User Definition.
2. Highlight the user, then click Edit User. (Or double click)
3. Tick Add this user to groups, then assign the user to the Full_Access group.
4. Click OK.
1.2. Site-to-Site VPN
A Site-to-Site VPN tunnel is established in two phases: Phase 1 and Phase 2. Several parameters
determine how this is done. Except for the IP addresses, the settings simply need to match on both
your IPsec-enabled router and the SingTel Cloud VPN (collectively called "VPN Gateways"); a
mismatch in any one of them means the tunnel will not come up.
The Site-to-Site VPN is pre-configured by default. Except for the Pre-Shared Key (PSK), the
configurable Phase 1 and Phase 2 parameters do not need to be changed.
a. Phase 1
In Phase 1, the two VPN Gateways agree on the encryption and integrity algorithms they support
and establish a temporary secure channel over which they authenticate each other (here with the
pre-shared key).
Below is the default Phase 1 configuration.
NOTE: The IP address shown is only an example; it will vary depending on the IP address provided
upon subscription. The pre-shared key can also be changed (see How to Change the Phase 1
Pre-Shared Key (PSK) below).
How to Change the Phase 1 Pre-Shared Key (PSK)
A pre-shared key (PSK) is a secret shared between the two (or more) sites and distributed over a
secure channel. It must contain at least 6 alphanumeric characters; treat that as a minimum only.
Anyone who learns the PSK can authenticate as a peer, so use a long random value, distribute it
separately from the peer addresses, and configure the identical key on the CPE router (see
section 3).
1. Go to VPN > IPSec > Auto Key (IKE).
2. Right-click the Phase 1 entry, then select Edit (or double-click).
3. Enter the new key in the Pre-shared Key text box.
b. Phase 2
Similar to the Phase 1 process, the two VPN Gateways negotiate the encryption and integrity
algorithms used in Phase 2, which protects the actual site-to-site traffic.
Below is the default Phase 2 configuration.
2. Remote Access VPN Connection Mode
The remote client connects to the remote access VPN in one of several ways, depending on the VPN
configuration. All users are given full-access mode, which allows either web mode, which needs
only a browser, or tunnel mode, which uses FortiClient.
2.1. Remote Access Using Web Mode
Web mode requires nothing more than a web browser. The supported operating systems and
browsers (minimum versions) are listed below.
Operating System                      Web Browser
Microsoft Windows 7 32-bit SP1        Microsoft Internet Explorer 8, 9, 10 and 11; Mozilla Firefox 26
Microsoft Windows 7 64-bit SP1        Microsoft Internet Explorer 8, 9, 10 and 11; Mozilla Firefox 26
Linux CentOS 5.6 and Ubuntu 12.04     Mozilla Firefox 26
Mac OS X v10.9 Mavericks              Mozilla Firefox 26
a. How to Connect to VPN via Web Mode
1. Launch your internet browser and open the Remote Access VPN server IP address over HTTPS.
Example: https://118.201.129.10/sslvpn (see Figure 2). The VPN server IP address is the same as
the VPN Admin Portal address, which you will receive in your service letter.
2. The browser shows a certificate warning because the portal uses a private certificate that is
not issued by a public CA, not because the site has been breached. Before selecting Continue to
this website, confirm the certificate fingerprint against a value obtained from SingTel out of
band: an unverified certificate could equally belong to an attacker on the path, who would then
see your password and OTP.
3. Enter your username and password when login window appears.
4. An OTP (One-time Password) will be sent to your mobile phone once the username and
password are entered correctly.
5. After you successfully login, you will be directed to the Remote Access VPN welcome screen.
b. How to Add a Bookmark
1. On the Remote Access VPN Web home page, click Add and enter the following information:
Category: Select a category (group) for the bookmark. If this is the first bookmark added, you will be prompted to add a category; otherwise, select Create from the drop-down list.
Name: Enter a name for the bookmark.
Type: Select the type of link from the drop-down list. Telnet, VNC and RDP require a browser plug-in. FTP and Samba replace the bookmarks page with an HTML file browser.
Location: Enter the IP address (or URL) of the target.
SSO: Select this to use single sign-on for links that require authentication. When including a link using SSO, use the entire URL, for example http://10.10.5.0/login rather than just the IP address.
Description: Enter an optional description of the bookmark.
2. Click OK.
3. Added bookmarks will be shown on the welcome screen once configured. You just need to
click on the bookmark to access the remote server.
c. How to End Remote Access Connection
1. When you need to end the remote access session, click on the Logout button on the SSL
VPN welcome screen.
2.2. Remote Access using FortiClient
FortiClient establishes a connection to the remote protected network that any application can
use. It requires the FortiClient SSL VPN application, which sends and receives data through the
SSL VPN tunnel. The supported operating systems, FortiClient versions and file formats are listed
below.
The desktop version is downloadable from SingTel.com; the smartphone versions (Android, iOS) are
downloadable from the respective app store.
Operating System                                                                   FortiClient version and format
Microsoft Windows 8.1 (32-bit & 64-bit), 8 (32-bit & 64-bit), 7 (32-bit & 64-bit)   v4.4.2297, .exe
Linux CentOS 5.6 and Ubuntu 12.04                                                  v4.4.2297, .tar.gz
Mac OS X v10.9, 10.8 and 10.7                                                      v4.4.2297, .dmg
iPhone iOS 6 and 7                                                                 FortiClient (app store)
Android 4.3 and 4.4                                                                FortiClient VPN (app store)
a. FortiClient First Time Installation
1. Launch SSL VPN via your internet browser: open the Remote Access VPN server IP address over
HTTPS. Example: https://27.54.50.226 (see Figure 7).
2. Select Continue to this website on the certificate error prompt only after confirming the
certificate fingerprint with SingTel out of band. The warning appears because the portal uses a
private certificate the browser does not recognise, not because of a breach, but an unverified
certificate could also be an interception attempt.
3. Login pop-up window will be displayed on your screen. Enter your username and password.
4. An OTP (One-Time-Password) will be sent via SMS to your mobile phone once the username
and password are entered correctly. Enter the OTP code.
5. After you successfully log in, you will be directed to the Remote Access VPN welcome screen.
You will be prompted to download and install the Remote Access VPN Client application (on
first-time access to the appliance only). Because this installer is delivered by the portal
itself, the certificate check in step 2 is what protects the download from tampering.
6. You can either select to Save (to disk) or Run the application directly from the web.
7. Select Run as administrator on the installation wizard.
8. All browsers must be closed including the Remote Access VPN browser, before taking the
next step of installation.
9. Click ‘Install’ on the installation wizard.
10. Wait until SSLVPN client application completes the installation before closing the installation
wizard.
b. How to Connect to VPN Using FortiClient (Browser Plug-in)
1. Launch your internet browser and open the Remote Access VPN server IP address over HTTPS.
Example: https://118.201.129.10/sslvpn.
2. Select Continue to this website on the certificate error prompt only after confirming the
certificate fingerprint with SingTel out of band. The warning is caused by the portal's private
certificate, which the browser does not recognise; it is not itself a security breach, but an
unverified certificate could also be an interception attempt.
3. Enter your username and password when login window appears
4. An OTP (One-time-password) will be sent to your mobile phone once the username and
password are entered correctly.
5. After you successfully login, you will be directed to the Remote Access VPN welcome screen.
Click Connect button to initiate the remote access tunnel.
6. When the tunnel is established, Link Status will indicate 'Up'. You can now open any
application as if you were inside the company network, for example Outlook to read your company
mail. You must keep this VPN welcome screen open for the duration of the remote access session.
7. To end the Remote Access session, you can click on the Disconnect button on the Remote
Access VPN welcome screen or simply close the browser.
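The certificate-warning step in 2.1a, 2.2a and 2.2b asks you to click through the browser prompt because the portal presents a private certificate. The safer habit is to record the certificate's SHA-256 fingerprint once, over a channel you trust, and check the presented certificate against it before entering a password and OTP. The following Python script is an added example by the editor; it is not part of the SingTel guide, FortiClient or the portal. The host (the guide's example address), port and the all-zero pinned fingerprint are assumptions to be replaced with your own values, and the test input is constructed.

```python
"""Verify the SSL VPN portal's private certificate against a pinned fingerprint.

Added example, not from the SingTel guide. PORTAL_HOST, PORTAL_PORT and
PINNED_SHA256 are assumptions: replace the pin with the fingerprint you
obtained from SingTel out of band.
"""
import hashlib
import hmac
import ssl
import sys

PORTAL_HOST = "118.201.129.10"          # the guide's example address (assumption)
PORTAL_PORT = 443
PINNED_SHA256 = ":".join(["00"] * 32)   # placeholder pin, never a real value


def fetch_der_certificate(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate the portal presents, as DER bytes.

    ssl.get_server_certificate() with no ca_certs performs no chain
    validation, which is exactly why the fingerprint check below is needed.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, in the AA:BB:... form shown by browsers
    and by 'openssl x509 -fingerprint -sha256'."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalise(fingerprint: str) -> str:
    """Accept colon-separated, space-separated or bare-hex spellings of a pin."""
    return fingerprint.replace(":", "").replace(" ", "").lower()


def fingerprint_matches(der: bytes, pinned: str) -> bool:
    """Compare the presented certificate with the pin in constant time."""
    return hmac.compare_digest(normalise(sha256_fingerprint(der)), normalise(pinned))


def check_portal(host: str = PORTAL_HOST, port: int = PORTAL_PORT,
                 pinned: str = PINNED_SHA256) -> bool:
    """Return True only if the portal presents the pinned certificate."""
    der = fetch_der_certificate(host, port)
    if fingerprint_matches(der, pinned):
        print(f"{host}:{port} presents the pinned certificate; safe to log in")
        return True
    print(f"WARNING: {host}:{port} presents {sha256_fingerprint(der)}, "
          f"expected {pinned}. Do not enter credentials; contact SingTel.")
    return False


if __name__ == "__main__":
    sys.exit(0 if check_portal() else 1)
```

Run it before each login; a changed fingerprint means either SingTel rotated the certificate (confirm with them) or something between you and the portal is terminating TLS. The same pin protects the FortiClient installer in 2.2a, since the portal serves that download.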
c. How to Access SSL VPN Using FortiClient (Computer)
1. Launch the FortiClient SSLVPN application. First-time users will find the fields empty. To
configure them, select Setting.
2. Pop-up window will appear for the application setting. Select New Connection.
3. Configuration Setup
Connection Name      Enter a name to identify the remote access connection
Description          Enter a description to identify the remote access network
Server Address       Enter the remote SSL VPN server IP address
Username             Enter username
Password             Enter password
Client Certificate   Leave this blank
4. Tick on Keep connection alive until manually stopped, then click the OK button.
5. Click the Connect button to initiate the Remote Access tunnel.
6. An OTP (One-time password) will be sent to your mobile phone once username and
password are entered correctly. Enter the OTP code and click on the Login button.
7. When the tunnel is established, the Connection Status will indicate Connected. You can now
open any application as if you were inside the company network, for example Outlook to read
your company mail. You must keep the SSLVPN client application open for the duration of the
remote access session.
8. To end the Remote Access session, you can click on the Disconnect button or simply close
the Remote Access VPN client application.
d. How to Access SSL VPN Using FortiClient (Mobile)
1. Launch the FortiClient app on your mobile phone. Click Add New to set up a new connection.
2. Initial configuration
3. Key in your username and password. Once you have logged in successfully, you will be asked to
enter the token you received via SMS.
4. To add a bookmark, click Add Bookmark.
5. To access a bookmark, click on one of the bookmarks added to reach the remote server or FTP
share.
6. To disconnect from the VPN connection, click on the FortiClient button and click OK.
3. CPE (Router) Configuration
3.1. Cisco Router Configuration
Model                                    Firmware
Cisco 881 (C880DATA-UNIVERSALK9-M)       Version 15.2(4)M3
Cisco 1921, 1941 (C1900-UNIVERSALK9-M)   Version 15.2(4)M3
a. Configuration Template
conf t
!
! Phase 1 (IKEv1/ISAKMP): pre-shared key bound to the SingTel VPN Cloud peer address
crypto keyring keyv4
 pre-shared-key address VDOM_IP key PRE-SHARED-KEY
 exit
crypto isakmp policy 4
 encr aes 256
 authentication pre-share
 group 5
 lifetime 86400
 exit
! No "hash" line is set, so the IOS default hash applies to this policy;
! it must still match the Phase 1 setting on the SingTel side.
crypto isakmp profile ipv4_isakmp_pro
 keyring keyv4
 match identity address VDOM_IP 255.255.255.255
 exit
!
! Phase 2 (IPsec): ESP with AES-256 and HMAC-SHA1 in tunnel mode, PFS group 5
crypto ipsec transform-set ipv4_tran esp-aes 256 esp-sha-hmac
 mode tunnel
 exit
crypto ipsec security-association lifetime seconds 86400
crypto ipsec profile ipv4_ipsec_pro
 set isakmp-profile ipv4_isakmp_pro
 set transform-set ipv4_tran
 set pfs group5
 exit
!
! Route-based VPN: tunnel interface protected by the IPsec profile
interface Tunnel4
 ip address TUNNEL_INT_IP
 tunnel source LOCAL_WAN_IP
 tunnel mode ipsec ipv4
 tunnel destination VDOM_IP
 tunnel protection ipsec profile ipv4_ipsec_pro
 exit
! Send the remote-access pool and the other sites' LANs into the tunnel
ip route SSLVPN_Subnet Tunnel4
ip route LAN_Subnet1 Tunnel4
ip route LAN_Subnet2 Tunnel4
ip route LAN_SubnetN Tunnel4
Note: Only the placeholders written in UPPER_CASE (shown in red in the original document) need to
be changed. Each placeholder stands for the complete argument IOS expects, so the ip address and
ip route lines take an address or network together with its mask.
Parameter        Description
VDOM_IP          The IP address of the VPN Cloud that will be used to establish the Site-to-Site VPN
PRE-SHARED-KEY   The pre-shared key used for Site-to-Site VPN authentication; the same key as the Phase 1 PSK in section 1.2
TUNNEL_INT_IP    The IP address of the tunnel interface
LOCAL_WAN_IP     The local WAN IP address that will be used to establish the Site-to-Site VPN
SSLVPN_Subnet    The subnet assigned to remote access users. By default, 10.212.134.0/24.
LAN_SubnetN      The LAN subnets of the other remote sites
3.2. HP MSR Router Configuration
Model                  Firmware
HP MSR 900, MSR 2020   Comware Software, Version 5.20.106, Release 2311
Note: If a NAT device sits between the two Site-to-Site VPN devices, use Comware Software,
Version 5.20.106, Release 2511 instead (the template below enables IKE NAT traversal).
a. Configuration Template
system-view
#
# Phase 1 (IKE): proposal 4 and the peer definition for the SingTel VPN Cloud
ike proposal 4
 authentication-method pre-share
 encryption-algorithm aes-cbc 256
 dh group5
 sa duration 86400
 quit
ike peer v4peer1
 proposal 4
 # "simple" keeps the key in clear text in the saved configuration;
 # restrict who can read or export the configuration
 pre-shared-key simple PRE-SHARED-KEY
 remote-address VDOM_IP
 nat traversal
 quit
#
# Phase 2 (IPsec): ESP with AES-256 and SHA1 in tunnel mode, PFS group 5
ipsec transform-set v4forti-ipsec
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-cbc-256
 quit
ipsec profile v4profile1
 pfs dh-group5
 ike-peer v4peer1
 transform-set v4forti-ipsec
 sa duration time-based 86400
 quit
#
# Route-based VPN: tunnel interface bound to the IPsec profile
interface Tunnel4
 ip address TUNNEL_INT_IP
 tunnel-protocol ipsec ipv4
 source LOCAL_WAN_IP
 destination VDOM_IP
 ipsec profile v4profile1
 quit
# Static routes sending the remote-access pool and the other sites' LANs into the tunnel
ip route-static SSLVPN_Subnet Tunnel4
ip route-static LAN_Subnet1 Tunnel4
ip route-static LAN_Subnet2 Tunnel4
ip route-static LAN_SubnetN Tunnel4
Note: Only the placeholders written in UPPER_CASE (shown in red in the original document) need to
be changed. Each placeholder stands for the complete argument Comware expects, so the ip address
and ip route-static lines take an address or network together with its mask.
Parameter        Description
VDOM_IP          The IP address of the VPN Cloud that will be used to establish the Site-to-Site VPN
PRE-SHARED-KEY   The pre-shared key used for Site-to-Site VPN authentication; the same key as the Phase 1 PSK in section 1.2
TUNNEL_INT_IP    The IP address of the tunnel interface
LOCAL_WAN_IP     The local WAN IP address that will be used to establish the Site-to-Site VPN
SSLVPN_Subnet    The subnet assigned to remote access users. By default, 10.212.134.0/24.
LAN_SubnetN      The LAN subnets of the other remote sites
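Section 1.2 states that the Phase 1 and Phase 2 settings must match on both VPN Gateways, and the Cisco IOS and HP Comware templates in section 3 express those settings in two different syntaxes. The following Python script is an added example by the editor; it is not part of the SingTel guide or of either vendor's tooling. It extracts the comparable IKE/IPsec parameters from the crypto-related lines of the two templates (excerpted from this guide), reports any mismatch, lists parameters that neither template states explicitly (so the vendor default applies and must be verified by hand, as with the ISAKMP hash in the Cisco template), and flags DH group 5 and SHA-1 as below current guidance. The regular expressions and the weakness thresholds are the editor's assumptions.

```python
"""Cross-check the Phase 1 / Phase 2 parameters of the two CPE templates.

Added example by the editor, not from the SingTel guide. The template
excerpts are the guide's own; the regexes and the weakness thresholds
(DH/PFS group below 14, SHA-1 integrity) are assumptions.
"""
import re

# Crypto-relevant lines excerpted from the guide's Cisco IOS template.
CISCO_TEMPLATE = """
crypto isakmp policy 4
 encr aes 256
 authentication pre-share
 group 5
 lifetime 86400
crypto ipsec transform-set ipv4_tran esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 86400
crypto ipsec profile ipv4_ipsec_pro
 set pfs group5
"""

# Crypto-relevant lines excerpted from the guide's HP Comware template.
COMWARE_TEMPLATE = """
ike proposal 4
 authentication-method pre-share
 encryption-algorithm aes-cbc 256
 dh group5
 sa duration 86400
ipsec transform-set v4forti-ipsec
 encapsulation-mode tunnel
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-cbc-256
ipsec profile v4profile1
 pfs dh-group5
 sa duration time-based 86400
"""

CISCO, COMWARE = 0, 1

# parameter -> (IOS regex, Comware regex); group 1 captures the value.
PATTERNS = {
    "p1_auth":     (r"^\s*authentication (pre-share)", r"^\s*authentication-method (pre-share)"),
    "p1_encr":     (r"^\s*encr aes (\d+)",             r"^\s*encryption-algorithm aes-cbc (\d+)"),
    "p1_hash":     (r"^\s*hash (\w+)",                 r"^\s*authentication-algorithm (\w+)"),
    "p1_dh":       (r"^\s*group (\d+)",                r"^\s*dh group(\d+)"),
    "p1_lifetime": (r"^\s*lifetime (\d+)",             r"^\s*sa duration (\d+)\s*$"),
    "p2_encr":     (r"esp-aes (\d+)",                  r"^\s*esp encryption-algorithm aes-cbc-(\d+)"),
    "p2_auth":     (r"esp-(sha)-hmac",                 r"^\s*esp authentication-algorithm (sha1)"),
    "p2_mode":     (r"^\s*mode (tunnel)",              r"^\s*encapsulation-mode (tunnel)"),
    "p2_pfs":      (r"^\s*set pfs group(\d+)",         r"^\s*pfs dh-group(\d+)"),
    "p2_lifetime": (r"security-association lifetime seconds (\d+)", r"^\s*sa duration time-based (\d+)"),
}
NORMALISE = {"sha": "sha1"}   # IOS "esp-sha-hmac" is HMAC-SHA-1


def extract(template: str, vendor: int) -> dict:
    """Return {parameter: value} for every parameter the template states explicitly."""
    found = {}
    for name, regexes in PATTERNS.items():
        match = re.search(regexes[vendor], template, re.MULTILINE)
        if match:
            found[name] = NORMALISE.get(match.group(1), match.group(1))
    return found


def compare(side_a: dict, side_b: dict) -> dict:
    """Classify each parameter as match, mismatch, or unspecified on at least one side."""
    report = {"match": [], "mismatch": [], "unspecified": []}
    for name in PATTERNS:
        a, b = side_a.get(name), side_b.get(name)
        if a is None or b is None:
            report["unspecified"].append(name)   # vendor default applies: verify by hand
        elif a == b:
            report["match"].append(name)
        else:
            report["mismatch"].append(name)
    return report


def weak_parameters(params: dict) -> list:
    """Editor's caveat: DH/PFS group below 14 and SHA-1 integrity are below current guidance."""
    weak = [f"{n}=group{params[n]}" for n in ("p1_dh", "p2_pfs") if n in params and int(params[n]) < 14]
    weak += [f"{n}=sha1" for n in ("p1_hash", "p2_auth") if params.get(n) == "sha1"]
    return weak


if __name__ == "__main__":
    cisco, comware = extract(CISCO_TEMPLATE, CISCO), extract(COMWARE_TEMPLATE, COMWARE)
    for label, items in compare(cisco, comware).items():
        print(f"{label:12s} {', '.join(items) or '-'}")
    print("weak (cisco):  ", ", ".join(weak_parameters(cisco)) or "-")
    print("weak (comware):", ", ".join(weak_parameters(comware)) or "-")
```

On the guide's templates the two sides agree on every stated parameter and only the Phase 1 hash is left to vendor defaults, which is the one value to confirm manually against the SingTel Phase 1 screen. The same approach can be pointed at a router's running configuration before a change window, so that a mismatch is caught before the tunnel is torn down.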