Policies, VPN Configuration | Planet Technology VRT-401 manual

VPN

∙Phase I is the negotiation and establishment up of the IKE connection.

∙Phase II is the negotiation and establishment up of the IPsec connection.

Because the IKE and IPsec connections are separate, they have different SAs (secu- rity associations).

Policies

VPN configuration settings are stored in Policies.

Each policy defines:

∙The address of the remote VPN endpoint

∙The traffic which is allowed to use the VPN connection.

∙The parameters (settings) for the IPsec SA (Security Association)

∙If IKE is used, the parameters (settings) for the IKE SA (Security Association)

Generally, you will need at least one (1) VPN Policy for each remote site for which you wish to establish VPN connections.

It is possible, and sometimes necessary, to have multiple Policies for the same remote site. In this case, the order (sequence) of the policies is important. The policies are examined in turn, and the first matching policy will be used.

VPN Configuration

The general rule is that each endpoint must have matching Policies, as follows:

Remote VPN ad- dress

Traffic Selector

IKE parameters

IPsec parameters

Each VPN endpoint must be configured to initiate or accept connections to the remote VPN client or Gateway.

Usually, this requires having a fixed Internet IP address. However, it is possible for a VPN Gateway to accept incom- ing connections from a remote client where the client's IP address is not known in advance.

This determines which outgoing traffic will cause a VPN connection to be established, and which incoming traffic will be accepted. Each endpoint must be configured to pass and accept the desired traffic from the remote endpoint.

If connecting 2 LANs, this requires that:

∙Each endpoint must be aware of the IP addresses used on the other endpoint.

∙The 2 LANs MUST use different IP address ranges.

If using IKE (recommended), the IKE parameters must match (except for the SA lifetime, which can be different).

The IPsec parameters at each endpoint must match.

71

Image 75

Planet Technology VRT-401 user manual Policies, VPN Configuration

Contents

Broadband VPN Router Copyright Table of Contents 107 Using Certificates 101Remote Administration 111 106 Internet Access Features VRT-401 Features Advanced Internet Functions LAN FeaturesConfiguration & Management Security Features Package Contents Front-mounted LEDs Physical Details Rear Panel To Clear All Data and restore the factory default values Connect LAN Cables ProcedureChoose an Installation Site Requirements Check the LEDs Using the DMZ PortPower Up Connect WAN Cable To Do this Refer to Overview Preparation Configuration ProgramUsing UPnP Using your Web Browser If you cant connect Password Dialog DSL Modems Config WizardCommon Connection Types Cable Modems Other Modems e.g. Broadband Wireless Big Pond Cable AustraliaSingTel RAS Navigation & Data Input Home Screen Data LAN Screen LAN Screen What Dhcp Does Using VRT-401’s Dhcp ServerUsing another Dhcp Server To Configure your PCs to use Dhcp Windows Clients TCP/IP Settings Overview Checking TCP/IP Settings Windows 9x/ME Using DhcpUsing Specify an IP Address Gateway Tab Win 95/98 Windows NT4.0 TCP/IP Checking TCP/IP Settings Windows NT4.0 Specify an IP Address Obtain an IP address from a Dhcp Server Windows NT4.0 Add Gateway Windows NT4.0 DNS Network Configuration Win Checking TCP/IP Settings Windows TCP/IP Properties Win Using a fixed IP Address Use the following IP Address Network Configuration Windows XP Checking TCP/IP Settings Windows XP TCP/IP Properties Windows XP For Windows XP Internet AccessAccessing AOL For Windows 9x/ME/2000 Fixed IP Address Macintosh ClientsLinux Clients Other Unix Systems Status Screen Operation Data Status Screen PPPoE Link Status Connection Status PPPoEData PPPoE Screen Connection Physical Address Connection Log Messages Operation and Status Dress Connection Status PptpData Pptp Screen Connection Physical Ad Data Telstra Big Pond Screen Connection Status Telstra Big Pond Connection Status Connection Details SingTel RAS Data SingTel RAS Screen Connection Details Fixed/Dynamic IP Address Data Fixed/Dynamic IP address ScreenInternet Physical Ad Buttons Release/Renew Internet Screen Advanced Internet Screen Communication Applications Special ApplicationsSpecial Applications Screen Using a Special Application Data Special Applications ScreenCheckbox Name Incoming Ports Outgoing Ports URL Filter DMZ Data URL Filter Screen URL Filter Screen Service works as follows Dynamic DNS Domain Name ServerDynamic DNS Screen Ddns Data User Name Ddns ServicePassword Domain Name Data Dynamic DNS Screen IP Address seen by Internet Users Virtual Servers Using the DMZ port for Virtual Servers Virtual Servers ScreenData Virtual Servers Screen Defining your own Virtual Servers Connecting to the Virtual ServersBackup DNS IP Address Options MTU size MTU Admin Login Screen Admin Login Password Dialog Access Control Access Control ScreenTo use this feature Data Access Control Screen View Log Group Members Screen Access Control Log Security Configuration This feature is for advanced administrators only Firewall RulesFirewall Rules Screen Data Firewall Rules Screen Source IP Define Firewall RuleData Define Firewall Rule Screen Type Dest IP ActionLog Internet Connec Enable Logs DoS AttacksLogs Data Logs Screen Timezone Access ControlSyslog Server Enable Syslog Firewall Rules Include Firewall SPI Firewall Enable DoSSecurity Options Data Security Options Screen Allow L2TP Options Respond toAllow IPsec Allow Pptp Scheduling Define Schedule ScreenData Define Schedule Screen Data Services Screen Services Buttons Delete VRT-401 does not support Transport Mode VRT-401 always uses Tunnel ModeIPSec Policies VPN Configuration Common VPN Situations VPN Pass-throughClient PC to VPN Gateway Connecting 2 VPN Gateways Connecting 2 LANs via VPN VPN Configuration VPN Policies ScreenData VPN Policies Screen Able/Disable Copy Adding a New PolicyOperations Add Keys General SettingsEnable Policy Endpoint Local IP addresses Type VPN Wizard Traffic Selector Manual Key Exchange Remote IP addresses Type ESP Authentica Tication is enabledManually assigned Keys ESP Encryption IKE Phase Local IdentityRemote Identity Mode AuthenticationEncryption IKE Exchange IPSec PFS IKE Phase 2 IPsec SA IPsec SA LifeAH Authentication Time Examples Example 1 Connecting 2 VRT-401sConfiguration Settings Setting LAN a Gateway LAN B Gateway IPSec SA Parameters DES VRT-401 Configuration Setting ValueExample 2 Windows 2000/XP Client to LAN Windows 2000/XP Local Security Settings Windows Client Configuration Windows 2000/XP Policy Properties Filter Properties Addressing New Rule Properties Filter Action Modify Security Method VPN Setting Windows Setting Tunnel Setting Windows 2000/XP Client to VRT-401 Filter List Filter Action Modify Security Method DUT to Win2K Properties Properties General Tab IKE Security Algorithms Key Exchange Security Methods Example 3 Windows 2000 Server to VPN Gateway Setting Single Client Server/Gateway Windows 2000 Server Addressing Windows 2000 Server Configuration Using Certificates Adding a Self Certificate Adding a Trusted Certificate Length Hash AlgorithmSignature Algorithm Signature Key To add a New CRL CRLs Upload CRL Remote Administra Tion RoutingUpgrade PC Database PC Database Screen PC Database Data PC Database Screen PC Database Admin Data PC Database Admin ScreenPC Properties Name Entry Update Se∙ Dchp Client Reserved IP Address Select this if the PC Buttons Add as New Remote Administration Data Remote Administration ScreenTo connect from a remote PC via the Internet Routing Screen Using this ScreenRouting Overview Enable RIP Data Routing ScreenStatic Routing Static Routing Table Entries Local Router Configuring Other Routers on your LAN For VRT-401’s Routing Table For Router As Default RouteStatic Routing Example Other Routers on the Local LAN Firmware Upgrade For Router Bs Default RouteTo perform the Firmware Upgrade Data Upnp Screen General Problems Internet AccessProblem 1 Cant connect to VRT-401 to configure it 119 FCC Statement VRT-401 FCC Radiation Exposure Statement CE Marking Warning