Manuals / SnapGear / Computer Equipment / Network Card

SnapGear 2.0.1 user manual Virtual Private Networking

Models: 2.0.1

1 189

Download 189 pages 52.42 Kb

Page 108

9. Virtual Private Networking

Virtual Private Networking (VPN) enables two or more locations to communicate securely and effectively, usually across a public network (e.g. the Internet) and has the following key traits:

∙Privacy - no one else can see what you are communicating

∙Authentication - you know who you are communicating with

∙Integrity - no one else can tamper with your messages/data

Using VPN, you can access the office network securely across the Internet using Point- to-Point Tunneling Protocol (PPTP), IPSec, GRE or L2TP. If you take your portable computer on a business trip, you can dial a local number to connect to your Internet access provider and then create a second connection (called a tunnel) into your office network across the Internet and have the same access to your corporate network as if you were connected directly from your office. Similarly, telecommuters can also set up a VPN tunnel over their cable modem or DSL links to their local ISP.

VPN technology can also be deployed as a low cost way of securely linking two or more networks, such as a headquarters LAN to the branch office(s). IPSec is generally the most suitable choice in this scenario.

With the CyberGuard SG appliance you can establish a VPN tunnel over the Internet using either PPTP, IPSec, GRE or L2TP. IPSec provides the best security; however PPTP is the preferred protocol for integrating with existing Microsoft infrastructure. GRE and L2TP VPNs will generally be used for specialized purposes only. The CyberGuard SG appliance provides a PPTP server to enable remote Windows clients to securely access your office network. Using the CyberGuard SG appliance’s PPTP client or IPSec you can also connect your office network to one or more remote networks.

This chapter details how to configure the PPTP server and client and how to configure a remote client to connect, how to establish an IPSec tunnel, and also provides an overview of GRE and L2TP VPN tunneling.

104

Virtual Private Networking

Image 108

SnapGear 2.0.1 user manual Virtual Private Networking

Contents

Revision June 7 Contents Firewall 104159 169170 177Introduction CyberGuard SG Gateway AppliancesIntroduction CyberGuard SG PCI Appliances Bridged mode Secure by defaultText like this highlights important issues Document ConventionsYour CyberGuard SG Gateway Appliance Front panel LEDsSG300 model includes two blue straight through UTP cables Virtual Private Networking is enabled Rear panelCyberGuard SG Gateway Appliance Features Internet link featuresLAN link features DMZ link features SG570, SG575 onlyYour CyberGuard SG PCI Appliance LEDsCyberGuard SG PCI Appliance Features Network link featuresEnvironmental features Getting Started 192.168.0.1 255.255.255.0Page Right click on Local Area Connection and select Properties Set up the Password and LAN Connection Settings 192.168.0.100Root Getting Started Getting Started Set up Internet Connection Settings Cable modemAnalog modem DSL modemSet up the PCs on your LAN to Access the Internet LAN with a Dhcp server LAN with no Dhcp serverTo manually set up each Windows PC on your network Select Dhcp Server from the Networking menu Getting Started Install the Network Driver on your PC Set up your PC to Connect to the Web Management ConsoleSelect Internet Protocol TCP/IP and click Properties Select Use the following DNS server addresses and enterSet up the Password and Network Connection Settings Network Setup Connections page will display Click Apply and Reboot Ensure Dhcp assigned is uncheckedGetting Started Click Apply and Reboot Getting Started Page Network Connections ConnectionsNetwork Connections LAN BridgingInternet Internet Connection Methods Physically connect modem deviceCable Direct Internet Bridged Internet COM/Modem Failover Direct/Cable/ADSL InternetDialout Internet ISP. The Password and Confirm Password fields must Field DescriptionOptional Dialin access Direct DMZBridged DMZ Services on the DMZ Network Direct LANBridged LAN DMZ as a second Internet connectionDMZ as a backup/failover Internet connection Load BalancingInternet Failover Enable the primary connection for failover Set up a secondary backup Internet connectionNetwork Connections Routes Additional routesRoute management Advanced HostnameDNS Proxy Network Address Translation NAT/masquerading Dynamic DNS Interface aliases QoS Traffic Shaping Change MAC addressDialin Setup Dialin SetupDialin Setup Following table describes the fields on the Dial-In Setup Dialin User Accounts Account list Page Remote User Configuration Windows 95/98/MeDialin Setup Windows 2000/XP Dialin Setup Page Dhcp Server Configuration Dhcp ServerDhcp Server Dhcp Server Enable/Disable Subnet ListInterface SubnetDhcp Server Dhcp Proxy Incoming Access FirewallFirewall Administration services CyberGuard SG Administrative Web Server SSL/HTTPS Secure Http SSL Certificate Setup Add Local and Private CertificatesPacket Filtering Incoming InterfaceOutgoing Interface ActionAddresses Service groups Rules Enable Destination NAT/port forwardingDescriptive Name Destination Services Source NATSource Address Destination AddressTo-1 NAT Rules Access Control and Content Filtering User authenticationPage Browser setup Click AdvancedIP lists Web lists Content Reports CategoriesZoneAlarm Intrusion Detection Intrusion DetectionBenefits of using an IDS Basic Intrusion Detection and Blocking Page Advanced Intrusion Detection Advanced Intrusion Detection configuration Intrusion Detection Setting up the analysis server Page Web Cache Web cache is only available on SG575 modelsWeb Cache Web Cache Setup Cache sizeNetwork Shares Create a new user account100 Web Cache Create the network share 101 Web CacheSet the CyberGuard SG appliance to use the network share 102 Web CacheSet up LAN PCs to Use the Web Cache Peers103 Web Cache Virtual Private Networking 104 Virtual Private NetworkingPptp Client Setup 106 Virtual Private Networking Pptp Server Setup 107 Virtual Private NetworkingEnable and configure the Pptp VPN server 108 Virtual Private NetworkingData private as well as providing secure authentication Encryption is strongly recommended. This keeps your109 Virtual Private Networking Configuring user accounts for VPN server 111 Virtual Private Networking Configuring the remote VPN client 112 Virtual Private NetworkingWindows 95, Windows 98 and Windows Me Windows 114 Virtual Private Networking115 Virtual Private Networking Windows XP 116 Virtual Private NetworkingConnecting the remote VPN client 117 Virtual Private NetworkingIPSec Setup Set up the Branch OfficeCyberGuard SG appliance to CyberGuard SG appliance Enabling IPSec119 Virtual Private Networking Configure a tunnel to connect to the headquarters office Tunnel settings120 Virtual Private Networking 121 Virtual Private Networking 122 Virtual Private Networking Local endpoint settings 123 Virtual Private Networking124 Virtual Private Networking Other options 125 Virtual Private Networking126 Virtual Private Networking 127 Virtual Private Networking Tcgid 128 Virtual Private NetworkingPhase 1 settings Kept confidential129 Virtual Private Networking 130 Virtual Private Networking Phase 2 settings 131 Virtual Private NetworkingConfiguring the Headquarters 132 Virtual Private Networking133 Virtual Private Networking Remote endpoint settings Leave the Enable IP Payload Compression checkbox unchecked134 Virtual Private Networking 135 Virtual Private Networking Tunnel List ConnectionRemote party 136 Virtual Private NetworkingStatus 137 Virtual Private Networking138 Virtual Private Networking 139 Virtual Private Networking NAT Traversal Support Dynamic DNS Support140 Virtual Private Networking Certificate Management Extracting certificates141 Virtual Private Networking Creating certificates 142 Virtual Private NetworkingCreate the self-signed root CA certificate 143 Virtual Private NetworkingAdding certificates 144 Virtual Private NetworkingAdding a CA or CRL certificate 145 Virtual Private NetworkingAdding a local certificate 146 Virtual Private NetworkingTroubleshooting 147 Virtual Private Networking148 Virtual Private Networking 149 Virtual Private Networking 150 Virtual Private Networking Setting up a GRE tunnel CyberGuard SG appliance in Brisbane Internet addressLAN address CyberGuard SG appliance in Slough Internet addressRemote subnet/netmask 10.1.0.0 GRE over IPSec 154 Virtual Private Networking Local Internal Address Place on Ethernet Bridge 155 Virtual Private NetworkingTroubleshooting 156 Virtual Private NetworkingL2TP VPN client 157 Virtual Private NetworkingL2TP server 158 Virtual Private NetworkingSystem Date and TimeSet date and time NTP time serverLocality 160 SystemUsers 161 SystemAdministration DiagnosticEncrypted save/restore all User settingsDiagnostics Internet access via access controlsPassword DiagnosticsNetwork tests 164 SystemConfiguration files System log165 System Flash upgrade Reboot Reset buttonTechnical Support Appendix a IP Address Ranges B.c.d B.c.d-e B.c.d-e.f.g.h B.c.d/e169 Appendix a IP Address Ranges Appendix B Terminology Term Meaning170 Appendix B Terminology DNS 171 Appendix B TerminologyIDB 172 Appendix B TerminologyIsakmp 173 Appendix B TerminologyNTP 174 Appendix B TerminologySHA 175 Appendix B Terminology176 Access Logging Appendix C System LogDefault Deny Eth0Eth1 PppCreating Custom Log Rules 179 Appendix C System Log180 Appendix C System Log Iptables -I Forward -j LOG -i eth0 -p tcp 181 Appendix C System LogRate Limiting 182 Appendix C System LogAdministrative Access Logging Boot Log Messages183 Appendix C System Log Appendix D Firmware Upgrade Practices and Precautions 184 Appendix D Firmware Upgrade Practices and Precaut ions