Appendices

Shortcuts

Connection Panel

| Shortcut | Action |
|---|---|
| Esc | Closes the window. |
| Ctrl+Enter | Opens the Configuration Panel (main interface). |
| Arrow keys | The Up and Down arrow keys select a VPN connection. |
| Ctrl+O | Opens the selected VPN connection. |
| Ctrl+W | Closes the selected VPN connection. |

Configuration Panel tree

| Shortcut | Action |
|---|---|
| F2 | Edits the name of the selected phase. |
| Del | Deletes the selected phase, after confirmation by the user. If the configuration itself is selected (the root of the tree), the software asks whether a full reset of the configuration should be performed. |
| Ctrl+O | Opens the corresponding VPN tunnel if a Child SA is selected. |
| Ctrl+W | Closes the corresponding VPN tunnel if a Child SA is selected. |
| Ctrl+C | Copies the selected phase to the clipboard. |
| Ctrl+V | Pastes (adds) the phase previously copied to the clipboard. |
| Ctrl+N | If the VPN configuration is selected, creates a new IKE Auth. If an IKE Auth is selected, creates a Child SA. |
| Ctrl+S | Saves the VPN configuration. |

Configuration Panel

| Shortcut | Action |
|---|---|
| Ctrl+Enter | Switches to the Connection Panel. |
| Ctrl+D | Opens the Console window with VPN traces. |
| Ctrl+Alt+R | Restarts the IKE service. |
| Ctrl+Alt+T | Enables trace mode (log generation). |
| Ctrl+S | Saves the VPN configuration. |

Administrator logs

| ID Log define | ID Log value | Severity | Log string |
|---|---|---|---|
| LOGID_STARTERINIT | 1001 | Notice | Starter service is started. |
| LOGID_VPNCONFSTARTING | 2001 | Notice | GUI is starting. |
| LOGID_VPNCONFSTOPPED | 2002 | Notice | GUI has closed. |
| LOGID_TGBIKESTARTED | 3001 | Notice | IKE has started (status %d). |
| LOGID_TGBIKESTOPPED | 3002 | Notice | IKE has stopped. |
| LOGID_TUNNELOPEN | 3004 | Info | Tunnel %s is asked to open. |
| LOGID_VPNCONFCRASHED | 2003 | Notice | GUI crashed (state %d). |
| LOGID_TGBIKECRASHED | 3003 | Notice | IKE crashed (state %d). |
| LOGID_STARTERSTOP | 1002 | Notice | Starter service is stopped. |
| LOGID_RESETIKE | 2007 | Warning | IKE is asked to reset. |
| LOGID_VPNCONFSTARTED | 2008 | Notice | GUI has started from user %s. |
| LOGID_VPNCONFSTOPPING | 2009 | Notice | GUI is stopping from user %s. |
| LOGID_VPNCONFLOADERROR | 2010 | Error | Configuration couldn’t load (reason: %s). |
| LOGID_VPNCONFOPENTUNNEL | 2011 | Info | GUI opens tunnel (source: %s). |
| LOGID_VPNCONFCLOSETUNNEL | 2012 | Info | GUI closes tunnel (source: %s). |
| LOGID_VPNCONFSAVE | 2013 | Notice | New configuration is saved. |
| LOGID_VPNCONFIMPORT | 2014 | Info | %s has been imported. |
| LOGID_VPNCONFIMPORTERR | 2015 | Error | %s could not be imported (status %d). |
| LOGID_VPNCONFEXPORT | 2016 | Info | %s has been exported. |
| LOGID_TOKENINSERT | 2017 | Info | Token %s has been inserted. |
| LOGID_TOKENEXTRACT | 2018 | Info | Token %s has been extracted. |
| LOGID_USBINSERT | 2019 | Info | USB Key has been inserted. |
| LOGID_USBEXTRACT | 2020 | Info | USB Key has been extracted. |
| LOGID_INSTALLATION | 2021 | Info | VPN running for the 1st time. |
| LOGID_UPDATE | 2022 | Info | VPN software has been updated to version %s. |
| LOGID_VERSION | 2023 | Info | VPN Version is %s. |
| LOGID_GINASTARTED | 4001 | Notice | GINA has started. |
| LOGID_GINASTOPPING | 4002 | Notice | GINA is stopping. |
| LOGID_GINAOPENTUNNEL | 4003 | Info | GINA opens tunnel (source: %s). |
| LOGID_GINACLOSETUNNEL | 4004 | Info | GINA closes tunnel (source: %s). |
| LOGID_TUNNELAUTH_OK | 3005 | Info | Tunnel authentication Ok (%s). |
| LOGID_TUNNELTRAFIC_OK | 3006 | Info | Tunnel %s Ok |
| LOGID_TUNNELAUTH_NOK | 3007 | Error | Tunnel authentication failed (reason %d). |
| LOGID_TUNNELTRAFIC_NOK | 3008 | Error | Tunnel %s failed (reason %d). |
| LOGID_AUTHREKEYING | 3009 | Info | Tunnel %s initiated rekey (source %d). |
| LOGID_AUTHREKEYED | 3010 | Info | Tunnel %s rekeyed. |
| LOGID_TUNNELREKEYING | 3011 | Info | Tunnel %s initiated rekey (source %d). |
| LOGID_TUNNELREKEYED | 3012 | Info | Tunnel %s rekeyed. |
| LOGID_PINCODE | 3013 | Notice/Error | Pin code is entered (status %d). |
| LOGID_DRIVERNOK | 3014 | Critical | Driver could not be loaded (status %d). |
| LOGID_IKEEXT_STOP | 1003 | Warning | IKEEXT service is stopped. |
| LOGID_IKEEXT_RESTART | 1004 | Notice | IKEEXT service is restarted. |
| LOGID_IKEEXT_ERROR | 1005 | Critical | IKEEXT could not be stopped (status %d). |
| SYSTEMLOGID_VIRTIFOK | 3015 | Info | Virtual interface created successfully (instance %d). |
| SYSTEMLOGID_VIRTIFNOK | 3016 | Error | Virtual interface could not be created (error %d). |
| LOGID_TUNNELCLOSED | 3017 | Notice | %s tunnel successfully closed (%d min). |
| LOGID_TUNNELCLOSED_ERR | 3018 | Error | %s tunnel closed unexpectedly (%d). |
| LOGID_CERTERROR | 3019 | Error | Error %d when handling certificate %s. |
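The administrator log strings above are templates with %s and %d placeholders, so a collector that receives them (syslog server, Windows Event Log export or the local file) can recover the log ID, severity and parameters from each line. The following is an added example in Go, not code from the SN VPN Client or from Stormshield: it compiles a subset of the table into regular expressions, parses lines in an assumed "<timestamp> <ID value> <log string>" layout (the manual does not show the real on-disk format), cross-checks the numeric ID against the matched text so that a garbled or forged line is never silently filed as routine, and raises the Error and Critical rows as alerts. The sample lines and the names LogTable, ParseLine and Triage are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// LogDef is one row of the administrator log table (name, severity, documented string, numeric ID).
type LogDef struct {
	Name, Severity, Template string
	ID                       int
}

// LogTable is a subset of the table above, copied verbatim from the manual.
var LogTable = []LogDef{
	{"LOGID_STARTERINIT", "Notice", "Starter service is started.", 1001},
	{"LOGID_TGBIKESTOPPED", "Notice", "IKE has stopped.", 3002},
	{"LOGID_VPNCONFSTARTED", "Notice", "GUI has started from user %s.", 2008},
	{"LOGID_VPNCONFLOADERROR", "Error", "Configuration couldn’t load (reason: %s).", 2010},
	{"LOGID_TUNNELAUTH_NOK", "Error", "Tunnel authentication failed (reason %d).", 3007},
	{"LOGID_TUNNELTRAFIC_NOK", "Error", "Tunnel %s failed (reason %d).", 3008},
	{"LOGID_DRIVERNOK", "Critical", "Driver could not be loaded (status %d).", 3014},
	{"LOGID_CERTERROR", "Error", "Error %d when handling certificate %s.", 3019},
}

// Event is one parsed line: the matching table row and the values that filled its placeholders.
type Event struct {
	Timestamp string
	Def       LogDef
	Params    []string
}

type matcher struct {
	def LogDef
	re  *regexp.Regexp
}

var matchers = compile(LogTable)

// compile turns each documented log string into an anchored regular expression:
// literal text is escaped, %s captures any text and %d a signed integer.
func compile(defs []LogDef) []matcher {
	ms := make([]matcher, 0, len(defs))
	for _, d := range defs {
		pat := regexp.QuoteMeta(d.Template)
		pat = strings.ReplaceAll(pat, "%s", "(.+?)")
		pat = strings.ReplaceAll(pat, "%d", `(-?\d+)`)
		ms = append(ms, matcher{d, regexp.MustCompile("^" + pat + "$")})
	}
	return ms
}

// ParseLine expects the assumed layout "<timestamp> <ID value> <log string>" (adapt the split
// for a real syslog or Event Log export). It reports false when no documented string matches
// or when the numeric ID disagrees with the text: note that "Tunnel authentication failed (...)"
// also fits the LOGID_TUNNELTRAFIC_NOK template, so the ID is what disambiguates.
func ParseLine(line string) (Event, bool) {
	parts := strings.SplitN(strings.TrimSpace(line), " ", 3)
	if len(parts) != 3 {
		return Event{}, false
	}
	id, err := strconv.Atoi(parts[1])
	if err != nil {
		return Event{}, false
	}
	for _, m := range matchers {
		if sub := m.re.FindStringSubmatch(parts[2]); sub != nil && m.def.ID == id {
			return Event{Timestamp: parts[0], Def: m.def, Params: sub[1:]}, true
		}
	}
	return Event{}, false
}

// Triage splits lines into alerts (Error or Critical severity), routine events,
// and lines the table does not explain.
func Triage(lines []string) (alerts, routine []Event, unknown []string) {
	for _, l := range lines {
		ev, ok := ParseLine(l)
		switch {
		case !ok:
			unknown = append(unknown, l)
		case ev.Def.Severity == "Error" || ev.Def.Severity == "Critical":
			alerts = append(alerts, ev)
		default:
			routine = append(routine, ev)
		}
	}
	return
}

// SampleLines are constructed for this example; they are not real client output.
var SampleLines = []string{
	"2025-01-15T08:02:11Z 1001 Starter service is started.",
	"2025-01-15T08:02:40Z 2008 GUI has started from user alice.",
	"2025-01-15T08:03:05Z 3007 Tunnel authentication failed (reason 24).",
	"2025-01-15T08:03:06Z 3019 Error 7 when handling certificate CN=alice,O=Example.",
	"2025-01-15T08:03:09Z 3014 Driver could not be loaded (status -1).",
	"2025-01-15T08:03:10Z 9999 Something the manual does not list.",
	"2025-01-15T08:03:11Z 3002 Tunnel authentication failed (reason 24).", // ID and text disagree
}

func main() {
	alerts, _, unknown := Triage(SampleLines)
	fmt.Printf("%d alerts, %d unexplained lines\n", len(alerts), len(unknown))
}
```

Extending the table to the remaining rows is a matter of adding entries; LOGID_PINCODE, whose severity is listed as Notice/Error depending on the status value, would need its own rule because the table gives no threshold for it.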

TrustedConnect Panel diagnostics

The TrustedConnect Panel informs the user of any issue that occurred while establishing the VPN connection by displaying an error code.

These error codes, their diagnosis and possible solutions are detailed below. The list allows administrators to find possible answers to the issues that users encounter and report.

Code 0: VPN configuration issue
Diagnosis: VPN connection not found in configuration.
Solution:
  • Make sure that the tgbvpn.conf file is available in the VPN Client installation directory.

Code 1: Issue with a certificate
Diagnosis: The VPN configuration uses a certificate whose private key cannot be found.
Solution:
  • Check the VPN Client’s configuration and any associated authentication devices (smart card reader, token, or Windows Certificate Store).
  • Reimport the VPN configuration, then reimport the certificate concerned.
  • Create a ticket in your MyStormshield interface and attach all log files to it.

Code 3: Configuration issue
Diagnosis: The message “No proposal chosen” has been received during an IKE exchange: the cryptographic algorithm suite configured for the IKE_SA_INIT sequence does not match the one configured on the gateway.
Solution:
  • Verify that the cryptographic algorithm suite for the IKE_SA_INIT sequence of the VPN connection matches that of the gateway (refer to IKE Auth in the Configuration Panel).

Code 4: Configuration issue
Diagnosis: The message “No proposal chosen” has been received during an IKE exchange: the cryptographic algorithm suite of the ESP protocol does not match the one configured on the gateway.
Solution:
  • Verify that the cryptographic algorithm suite of the ESP protocol (refer to Child SA in the Configuration Panel) matches that of the gateway.

Code 5: Cannot access gateway
Diagnosis: The gateway address (“Remote Router Address”) specified in the VPN configuration is not reachable. If it is an IP address, it cannot be found or cannot be reached. If it is a DNS name, it may be inaccessible, undefined, or impossible to resolve.
Solution:
  • Check the address of the gateway/remote workstation. For example, try pinging this address.

Code 6: Configuration issue
Diagnosis: The message “Remote ID other than expected” has been received: the value of the Remote ID does not match the value expected by the remote VPN gateway.
Solution:
  • Make sure that the Local ID parameter on the VPN Client's Protocol tab matches the Remote ID of the remote gateway (or workstation). Caution: the Remote ID on the router is the Local ID on the VPN Client and vice versa.

Code 7: Gateway certificate
Diagnosis: Checking of the certificate chain of the certificate received from the VPN gateway is enabled, and the gateway certificate chain could not be validated.
Solution:
  • Check the gateway certificate expiration date.
  • Check the validity start date of the gateway certificate.
  • Check the signatures of all certificates in the certificate chain (root certificate, intermediate certificates, and gateway certificate).
  • Check whether the CRLs of all certificate issuers in the certificate chain are up to date.
  • Make sure that none of the certificates concerned has been revoked in the corresponding CRLs.
  • Make sure that the root certificate and all certificates in the certificate chain (root certification authority and intermediate certification authorities) are available in the Windows Certificate Store on the workstation.
  • Make sure that the CRLs of the various certification authorities are available in the Windows Certificate Store, or that these CRLs can be downloaded when the VPN connection is opened.

Code 9: No response from gateway
Diagnosis: The VPN Client has abandoned the connection, most often after several connection attempts.
Solution:
  • Check whether the gateway is still accessible from the workstation.

Code 10: Authentication issue
Diagnosis: The gateway has declined the user’s authentication credentials.
Solution:
  • Check the user certificate.
  • Check that the Local ID on the Protocol tab of the Configuration Panel matches the value and type defined on the gateway. Caution: the Local ID on the VPN Client is the Remote ID on the router and vice versa.
  • Check the logs on the remote gateway for more information about this issue.

Code 13: Configuration issue
Diagnosis: An error occurred while establishing the VPN connection, and the attempt has been abandoned.
Solution:
  • Retrieve the user log files; they must be analyzed.
  • Create a ticket in your MyStormshield interface and attach all log files to it.

Code 14: Network configuration
Diagnosis: An error occurred while creating the virtual interface used for the VPN connection.
Solution:
  • Retrieve the user log files; they must be analyzed.
  • Create a ticket in your MyStormshield interface and attach all log files to it.

Code 15: Network configuration
Diagnosis: The virtual IP address assigned during the VPN connection already exists on one of the workstation’s interfaces.
Solution:
  • Change the virtual IP address (VPN Client address parameter) specified in the VPN Client’s configuration.
  • Change the IP address provided by the gateway to the VPN Client.

Code 16: Network configuration
Diagnosis: An error occurred while creating the virtual interface used for the VPN connection.
Solution:
  • Retrieve the user log files; they must be analyzed.
  • Create a ticket in your MyStormshield interface and attach all log files to it.

Code 24: Configuration issue
Diagnosis: The gateway did not accept the cryptographic algorithm suite provided by the VPN Client.
Solution:
  • Make sure that the VPN Client’s cryptographic algorithm suites match those of the gateway.
  • Check the Local ID and Remote ID. Caution: the Local ID on the router is the Remote ID on the VPN Client and vice versa.

Code 25: Configuration issue
Diagnosis: The gateway did not accept the remote network configured in the VPN Client or the virtual IP address provided by the VPN Client.
Solution:
  • Make sure that the virtual IP address (VPN Client address parameter) specified in the VPN Client’s configuration is acceptable at the gateway end.
  • Make sure that the remote network (Remote network address parameter) specified in the VPN Client's configuration is acceptable at the gateway end.

Code 26: Configuration issue
Diagnosis: The VPN Client provides its own traffic selectors, while the gateway is configured to provide them.
Solution:
  • Check the Request configuration from the gateway parameter on the Child SA tab.

Code 27: Gateway error
Diagnosis: The gateway reported an error not supported by the VPN Client.
Solution:
  • Analyze the logs at the gateway end.
  • Retrieve the user log files; they must be analyzed.
  • Create a ticket in your MyStormshield interface and attach all log files to it.

Code 28: Login/password error
Diagnosis: The gateway has rejected the EAP authentication while establishing the VPN connection.
Solution:
  • Check the EAP authentication parameters in the VPN Client's configuration.
  • Make sure that the user knows his or her credentials, should they be required while establishing the connection.

Code 30: Smart card or token error
Diagnosis: Cannot access the certificate stored on the smart card or token.
Solution:
  • Check that the smart card reader or token is correctly configured on the workstation, and that the VPN Client can access it.

Code 31: Captive portal authentication timeout expired
Diagnosis: No session has been opened on the captive portal, so the workstation has no internet connectivity.
Solution:
  • Click the Connect button to authenticate on the captive portal.

Code 100: Cannot load the VPN configuration
Diagnosis: No VPN connection has been found in the configuration file.
Solution:
  • Make sure that at least one tunnel is configured in the Connection Panel: go to Tools > Connections Configuration, add a tunnel and save the configuration.

Code 101: GINA configuration error
Diagnosis: A tunnel is active before logon but has not been configured to be used by the TrustedConnect Panel.
Solution:
  • Make sure that the tunnel which is active before logon is also configured in the Connection Panel: go to Tools > Connections Configuration, add a tunnel and save the configuration.

Code 102: IKE initialization error
Diagnosis: An error occurred while initializing the IKE daemon.
Solution:
  • Retrieve the user log files.
  • Create a ticket in your MyStormshield interface and attach all log files to it.

Code 103: DNS error
Diagnosis: A DNS name in the set of rules for the filtering mode could not be resolved.
Solution:
  • Make sure that the workstation can access the internet.
  • Make sure that the filtering mode does not itself block DNS queries.
  • Replace DNS names with IP addresses.

Code 200: Software activation
Diagnosis: The software is not activated and the trial period has expired.
Solution:
  • Retrieve the user log files.
  • Check software activation.
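The checks listed for code 7 (validity dates, the signatures along the chain, a trusted root, CRL freshness and revocation) carried out in code against a lab PKI, as an added example in Go; this is not code from the SN VPN Client or from Stormshield, and the client's own validation logic is not shown on the page. Everything here is constructed: the root CA, issuing CA and gateway certificate (the name vpn-gw.example.test is a placeholder), the CRL, and the function names NewLabPKI, IssueCRL and CheckGatewayChain. The Windows Certificate Store is stood in for by explicit root and intermediate pools, and a single intermediate CA is assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// LabPKI is a constructed chain (root CA -> issuing CA -> gateway) for this example.
type LabPKI struct {
	Root, Inter, Gateway *x509.Certificate
	InterKey             *ecdsa.PrivateKey // kept so the issuing CA can sign a CRL
}

// keyAndCert issues tmpl under parent with a fresh P-256 key (self-signed when parent is nil).
func keyAndCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// caTemplate describes a CA valid for a year around now, allowed to sign certificates and CRLs.
func caTemplate(cn string, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// NewLabPKI builds the chain; only the gateway certificate's validity window is a parameter.
func NewLabPKI(now, notBefore, notAfter time.Time) *LabPKI {
	root, rootKey := keyAndCert(caTemplate("Lab Root CA", 1, now), nil, nil)
	inter, interKey := keyAndCert(caTemplate("Lab Issuing CA", 2, now), root, rootKey)
	gw, _ := keyAndCert(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "vpn-gw.example.test"}, // placeholder name
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return &LabPKI{Root: root, Inter: inter, Gateway: gw, InterKey: interKey}
}

// IssueCRL returns a DER CRL signed by the issuing CA that revokes the given serials.
func (p *LabPKI) IssueCRL(now time.Time, revoked ...int64) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, p.Inter, p.InterKey)
	if err != nil {
		panic(err)
	}
	return der
}

// CheckGatewayChain applies the code-7 checklist: dates and every signature up to a trusted root
// (x509 Verify), then the issuer's CRL: signature, freshness and the gateway serial.
// It returns "" when the chain would be accepted, otherwise a short reason.
func CheckGatewayChain(gw, inter, root *x509.Certificate, crlDER []byte, now time.Time) string {
	ipool, rpool := x509.NewCertPool(), x509.NewCertPool()
	ipool.AddCert(inter)
	rpool.AddCert(root)
	chains, err := gw.Verify(x509.VerifyOptions{Roots: rpool, Intermediates: ipool, CurrentTime: now})
	if err != nil {
		return "chain rejected: " + err.Error()
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "CRL unreadable: " + err.Error()
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the gateway's issuer
		return "CRL not signed by the gateway's issuer"
	}
	if now.After(crl.NextUpdate) {
		return "CRL out of date"
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(gw.SerialNumber) == 0 {
			return "gateway certificate is revoked"
		}
	}
	return ""
}
```

Driving CheckGatewayChain with an expired gateway certificate, a root the client does not hold, a CRL from another issuer, a CRL past its NextUpdate, or a revoked serial shows which bullet of the code 7 list each condition corresponds to; the same ordering (chain first, then CRL) is the one an administrator follows by hand.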

Technical characteristics of SN VPN Client Exclusive

General

Windows version:
  • Windows 11 64-bit
  • Windows 10 64-bit

Languages: Arabic, Chinese (simplified), Czech, Danish, Dutch, English, Farsi, Finnish, French, German, Greek, Hindi, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Russian, Serbian, Slovenian, Spanish, Thai, Turkish

Operating mode

Invisible mode:
  • Automatically open tunnel when traffic is detected
  • Control access to VPN configurations
  • Hide part or all of the interfaces

USB mode:
  • No VPN configurations stored on the workstation
  • Open tunnel when a USB drive configured for VPN is inserted
  • Automatically close tunnel when a USB drive configured for VPN is removed

GINA: Open a tunnel before Windows logon using GINA/Credential providers on Windows 10

Scripts: Run configurable scripts when opening or closing a VPN tunnel

Remote Desktop Sharing: Open a remote computer with a single click via RDP and VPN tunnel

TrustedConnect Panel: Automatically open tunnel with Always-On and trusted network detection (TND)

Connection/Tunnel

Connection mode: Peer-to-gateway

Networks: IPv4 and IPv6

Protocols:
  • IPsec/IKEv2
  • SSL/OpenVPN

Tunneling modes: Main mode and Aggressive mode

Mode Config/Mode CP: Automatically retrieve network parameters from VPN gateway

Cryptography

Encryption, Key group, Hash (IKEv2):
  • Symmetric: AES CBC/CTR/GCM 128/192/256 bits
  • Diffie-Hellman: DH14 (MODP 2048), DH15 (MODP 3072), DH16 (MODP 4096), DH17 (MODP 6144), DH18 (MODP 8192), DH19 (ECP 256), DH20 (ECP 384), DH21 (ECP 521), DH28 (BrainpoolP256r1)
  • Hash: SHA-256, SHA-384, SHA-512

TLS security suites (OpenVPN):
  • TLS 1.2—Medium
  • TLS 1.2—High
  • TLS 1.3: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256

Encryption, Hash (OpenVPN):
  • Symmetric: AES-128-CBC, AES-192-CBC and AES-256-CBC
  • Hash: SHA-224, SHA-256, SHA-384 and SHA-512

User authentication

Administrator: Protect access to the VPN configurations

User:
  • Preshared key
  • EAP (MSCHAP-V2)
  • X.509 certificates
  • Multiple Auth

Certificate authentication:
  • Method 1: RSA Digital Signature with SHA-2 [RFC7296]
  • Method 9: ECDSA “secp256r1” with SHA-256 on the P-256 curve [RFC4754]
  • Method 10: ECDSA “secp384r1” with SHA-384 on the P-384 curve [RFC4754]
  • Method 11: ECDSA “secp521r1” with SHA-512 on the P-521 curve [RFC4754]
  • Method 14: Digital Signature RSASSA-PSS and RSASSA-PKCS1-v1_5 [RFC7427]
  • ECDSA “BrainpoolP256r1” with SHA-2

PKI:
  • Support for certificates in X.509 format
  • Importing PKCS#12, PEM/PFX certificates
  • Multiple media: Windows Certificate Store, smart card, token, configuration file
  • Support for Certificate Revocation List (CRL)
  • Automatically detect a smart card reader or token according to criteria
  • PKCS#11 and CNG access to tokens and smart cards
  • Complete check of the “user” and “gateway” certificate chain

Miscellaneous

NAT/NAT-Traversal: NAT-Traversal Draft 1 (enhanced), Draft 2, Draft 3 and RFC 3947, IP address emulation, including support for NAT_OA, NAT keepalive, NAT-T aggressive mode, and NAT-T in forced, automatic or disabled mode

DPD: RFC3706. Detection of inactive IKE endpoints.

Redundant gateway: Redundant gateway management, automatically selected when DPD is triggered (inactive gateway)

Administration

Deployment: Silent installation using Microsoft Installer (MSI)

VPN configuration management:
  • Import and export options for VPN configurations
  • Secure import/export using passwords, encryption, and integrity control

Automation:
  • Ability to open, close, and monitor a tunnel using command lines (batch and scripts)
  • Ability to start and quit the software using batches

Logs and traces:
  • IKE/IPsec and SSL/OpenVPN log console and trace mode can be enabled
  • Administrator logs: local file, Windows Event Log, syslog server

Upgrades: Check for available updates from within the software

License and activation: Licenses available on a subscription basis, manual/automatic/silent activation