BANDIT CMG: Virtual Private Networks
Chapter 8: Virtual Private Networks

VPN and Legacy-to-IP Products Customization and Maintenance Guide

One of the principal features of the VPN products is their use in virtual private networks (VPNs). This chapter discusses transmission security, VPNs, and the way a BANDIT device sets up and uses a VPN.

Note: Virtual private networks are supported in the VSR-30, the VSR-1200, the ILR-100, the BANDIT Mini, the original BANDIT, the BANDIT IP, and the BANDIT Plus.

A VPN is a secure encrypted transmission between two or more private endpoints over a public network. Tunneling—encapsulating data within secure packets—isolates the private data from other traffic carried by the public network, providing secure transport over the network. The public network uses the header information in the packets to deliver the packets to their destination. When the destination endpoint receives the packets, it authenticates and unpackages them, and decrypts the data.
Use of VPNs allows for dynamic, temporary connections instead of permanent physical connections. This allows an organization to build a private network over the public IP network, reducing the number of leased lines that the organization needs to maintain for connections, resulting in a saving of money. In addition, connection (via VPN client software) over the internet allows business travelers to communicate with the office network from any site that has a connection to the internet.

Note: For a quick VPN setup conforming to the recommendations of the Virtual Private Network Consortium (VPNC), see Appendix B, VPNC Scenario for IPsec Interoperability. For setup with a VPN client, see Appendix C, Scenarios for Operation with a VPN Client.

8.1 The BANDIT in Virtual Private Networks

This section deals principally with a VPN device's role as a VPN gateway. A VPN device can encapsulate information into IP packets, so it can perform as a VPN gateway over public networks that use IP.

The VSR-30, the ILR-100, the BANDIT Mini, the original BANDIT, and the BANDIT IP each support a maximum of 30 local tunnel terminations. The BANDIT Plus supports a maximum of 100 tunnels. The VSR-1200 supports 1200 tunnels. The VSR-1200 uses HiFn processors for hardware assistance; the other VPN products use an MPC 180 chip for hardware assistance.

As a VPN gateway, a VPN device can perform IPsec tunnel initiation, IPsec tunnel termination, and IPsec passthrough. They use IPsec (described in RFC 2401) for VPN security, performing the functions listed in Table 8-1.

Table 8-1. IPsec Components Used in the BANDIT Devices

Function          Protocol                                             Acronym  Standard (1)
----------------  ---------------------------------------------------  -------  -------------
Key Exchange      Internet Key Exchange                                IKE      RFC 2409
                  Internet Security Association and Key Management     ISAKMP   RFC 2408
                  Protocol
Encryption        Data Encryption Standard                             DES      FIPS PUB 46-2
                  Triple Data Encryption Standard                      3DES     FIPS PUB 46-3
Security          Encapsulating Security Payload                       ESP      RFC 2406
Protocols         Authentication Header                                AH       RFC 2402
Authentication    Hashed Message Authentication Code: MD5              HMAC     RFC 2403
                  (Message Digest 5)
                  Hashed Message Authentication Code: SHA-1            HMAC     RFC 2404
                  (Secure Hash Algorithm 1)

1. Each publication is from the Internet Engineering Task Force (IETF) unless noted as a Federal Information Processing Standard (FIPS).

An Encore Networks VPN device can implement tunnels with another Encore Networks VPN device or with another IPsec-compliant VPN gateway or VPN client. The Encore Networks VPN products have the following modes of tunnel use:

• Tunnel initiation: The device receives packets from a local user terminal. The device encapsulates the packets according to the IPsec user policy, and sends them across the public network to a remote VPN gateway to establish a VPN tunnel.

• Tunnel passthrough: The device receives IPsec-encapsulated packets from a client VPN terminal, and provides transparent forwarding of the IP packets according to the IPsec user policy. The device sends the packets across the public network without repackaging them.

• Tunnel termination: The device terminates (accepts) an IPsec tunnel initiated by a remote VPN gateway or VPN client across the public network. The device authenticates and unpackages the tunnel's packets, and delivers them to the destination terminal. (To perform tunnel termination, the device must maintain a table of VPN users that function as prospective tunnel initiators. Table 8-3 provides an example of this: If a record's Direction is "incoming," then the record's Source IP Addresses (in the range from Low to High) indicate one or more remote devices. If the Action is "tunnel termination," a device with an IP address in the source range can initiate a tunnel that the local device will accept.)
Note: Care must be taken when a VPN connection crosses a device that performs network address translation (NAT). As part of address translation, NAT repackages packets. In certain situations, repackaging will disrupt encrypted VPN packets and render them unintelligible even to the VPN tunnel endpoints. Be sure to use the appropriate configuration when a VPN connection will cross a device that performs NAT. When a BANDIT VPN product uses the ESP protocol, the connection can cross a device that performs NAT. When the BANDIT product uses the AH protocol, the connection must not cross a device that performs NAT.

Figure 8-1 illustrates two BANDITs functioning as VPN gateways over the IP network.

Figure 8-1. Sample Network: BANDITs as VPN Gateways

Figure 8-2 shows a simplified example of the BANDIT's encryption and encapsulation of data.

Note: The transmission shown in Figure 8-2 originates from the laptop terminal (IP address 1.1.1.2) shown in Figure 8-1, and is destined for the desktop terminal (IP address 4.4.4.2) in Figure 8-1. To set up IP routing tables, see Section 6.2, IP Routing.
Figure 8-2. Sample Encryption and Encapsulation

8.2 Internet Key Exchange

When a BANDIT device uses automatic keying, it uses the Internet Key Exchange (IKE) protocol to provide secure transmission between VPN endpoints. IKE negotiates security associations (SAs) and provides authenticated keys for these SAs. (A security association is a set of policies that establish a protected, authenticated connection for data transmission.)

IKE can be used to do the following:

• Set up virtual private networks (VPNs).
• Provide a remote user secure access to a network. (The remote user's IP address does not need to be known in advance.)
• Negotiate SAs (and hide identities) for VPN client endpoints.
The Internet Key Exchange protocol has two phases:

• Phase 1 is used for key exchange. In this phase, IKE negotiates the following items to establish an SA for Phase 2:
  - The encryption algorithm
  - The hash algorithm
  - The authentication method
  - The Diffie–Hellman group
• Phase 2 negotiates an SA for services (such as IPsec) in the transmission. Then this phase is used for data transmission.

The BANDIT products implement IKE in conformance to IETF RFC 2409.

8.2.1 Perfect Forward Secrecy

Perfect forward secrecy (PFS)—the use of uniquely derived keys to establish security associations (SAs)—is an important feature of the IKE protocol. PFS comprises the following principles:

• Material used to derive one key cannot be used to derive additional keys.
• No key can be used to derive additional keys.
• Discovery of a key endangers only transmissions protected by that key.

IKE maintains PFS in the way it performs the following:

• IKE uses a Diffie-Hellman (DH) exchange to set up phase 1. (A DH exchange protects the identities of the originator and the recipient.) Phase 1 can use main mode or aggressive mode (but not both). Phase 1 establishes an SA for phase 2, as follows:
  - The originator presents proposals for the SA. (The originator may send an unlimited number of proposals; the recipient can limit the number it will consider.)
  - The recipient chooses one proposal and sends its response. The recipient cannot change the proposal. If the originator notices that the proposal has changed in any way, the originator refuses the response.
  - When the originator accepts the response, the SA is set up for phase 2.
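The phase 1 proposal exchange just described, as an added illustration (this is not BANDIT code or anything from the manual): the originator offers an ordered list of proposals, the recipient considers at most a fixed number and returns one unchanged, and the originator refuses any response that differs from what it sent. The proposal fields follow Table 8-7; the reading of names such as PRE-G2-DES-MD5 as "preshared, DH group 2, cipher, hash" is an assumption.

```python
"""Phase 1 proposal selection with the rules of Section 8.2.1 (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Proposal:
    """One phase 1 proposal, using the fields listed in Table 8-7."""
    auth_mode: str       # e.g. "preshared"
    dh_group: int        # Diffie-Hellman group, e.g. 2
    encryption: str      # "DES" or "3DES"
    hash_alg: str        # "HMAC-MD5" or "HMAC-SHA1"
    lifetime: int        # 1-100 units
    lifetime_units: str  # seconds, minutes, hours or days


class ProposalRefused(Exception):
    """Raised by the originator when it rejects the recipient's response."""


def recipient_choose(offered: List[Proposal],
                     acceptable: Iterable[Proposal],
                     max_considered: int = 4) -> Optional[Proposal]:
    """Recipient side: look at no more than max_considered proposals, in the
    originator's order, and return the first one allowed by local policy.
    The chosen proposal is returned exactly as offered; it is never edited."""
    allowed = set(acceptable)  # Proposal is frozen, so it is hashable
    for proposal in offered[:max_considered]:
        if proposal in allowed:
            return proposal
    return None  # nothing acceptable: no SA for phase 2


def originator_check(offered: List[Proposal],
                     response: Optional[Proposal]) -> Proposal:
    """Originator side: accept only a response identical to one of the
    proposals it sent. A weaker cipher, a longer lifetime or a different DH
    group makes the response a changed proposal, which is refused."""
    if response is None:
        raise ProposalRefused("recipient accepted none of the proposals")
    if response not in offered:
        raise ProposalRefused("response does not match any offered proposal")
    return response


def negotiate_phase1(offered: List[Proposal],
                     recipient_policy: Iterable[Proposal],
                     recipient_limit: int = 4) -> Proposal:
    """Run both sides; the result is the proposal the phase 2 SA is built on."""
    chosen = recipient_choose(offered, recipient_policy, recipient_limit)
    return originator_check(offered, chosen)


# Constructed sample proposals (assumed reading of the Table 8-6 names:
# PRE = preshared authentication, G2 = DH group 2, then cipher and hash).
PRE_G2_DES_MD5 = Proposal("preshared", 2, "DES", "HMAC-MD5", 8, "hours")
PRE_G2_3DES_SHA = Proposal("preshared", 2, "3DES", "HMAC-SHA1", 8, "hours")


def demo() -> Proposal:
    """Originator offers DES first, then 3DES; the recipient's policy only
    allows 3DES with SHA-1, so the second proposal is agreed."""
    return negotiate_phase1([PRE_G2_DES_MD5, PRE_G2_3DES_SHA], {PRE_G2_3DES_SHA})


def demo_tampered() -> str:
    """A recipient that 'adjusts' the lifetime has changed the proposal;
    the originator refuses the response."""
    edited = Proposal("preshared", 2, "3DES", "HMAC-SHA1", 24, "hours")
    try:
        originator_check([PRE_G2_DES_MD5, PRE_G2_3DES_SHA], edited)
    except ProposalRefused as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print("agreed:", demo())
    print("tampered response:", demo_tampered())
```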
• In phase 2, IKE establishes an SA for data transmission, as follows:
  - Phase 2 negotiates for services that will be used, such as IPsec.
  - When the phase 2 SA is ready for data transmission, IKE deletes the SA that phase 1 had established.
  - In the SA for data transmission, quick mode is used for transmission. Both sides of the connection can transmit data. Instead of extensive authentication, which consumes time and CPU resources, the SA now uses cookies for authentication. The cookie order established in phase 1 (originator vs. recipient) is always used; the cookies do not change order when the transmission direction changes.

Note: Each IKE phase has a fixed lifetime. The lifetime can be defined in units of time, number of transmissions, or total amount of transmission (in kilobytes). A phase's lifetime cannot be increased during the phase.

8.3 Tunnel Features

The VSR-30, the original BANDIT, or the BANDIT IP can provide 1 to 30 tunnels for use at the same time. The BANDIT Plus provides 1 to 100 tunnels. The VSR-1200 provides 1 to 1200 tunnels. In some situations, a single VPN tunnel can provide services for more than one user. The following subsections discuss VPN tunnel features in the BANDITs.

8.3.1 Tunnel Initiation

A BANDIT device can initiate a tunnel to another BANDIT device or to another IPsec-compliant VPN gateway. When a local user originates packets to the BANDIT, and the packets need to travel over a VPN tunnel, the BANDIT searches its database for an appropriate VPN policy and VPN profile. When an appropriate VPN policy and VPN profile have been determined, the BANDIT contacts the remote VPN gateway specified by the profile, and negotiates a security association. When the gateways agree on an SA and set up a VPN tunnel, the BANDIT encapsulates the packets according to the policy, and sends them across the public network. When the remote VPN gateway receives the packets, it forwards them to the remote destination.
Note: In order to use a VPN tunnel, the combination of origination and destination must conform to a VPN policy. Otherwise, the request will be rejected. (The policy specifies the VPN profile that the connection must use; the user must also be authorized to use the specified profile.)

8.3.2 Tunnel Termination

A BANDIT device can terminate a tunnel for another VPN gateway or for a VPN remote user. When a BANDIT acts as a tunnel terminator, it looks for matches against the following items presented by the VPN gateway that initiated the tunnel:

• IDs
• Preshared key
• Peer (remote) user ID (This can be a group ID or a single ID.)

If the values match a VPN policy record, the BANDIT accepts the tunnel termination. Then the BANDIT negotiates the key, and accepts or rejects the proposals presented by the initiating VPN gateway.

In Figure 8-3, a VPN remote user initiates a tunnel to the BANDIT's external IP address. Because the remote user's IDs match a record in the BANDIT's database, the BANDIT agrees to terminate the tunnel. Then, because the VPN remote user wishes to communicate with another site, the BANDIT initiates a tunnel to the other site, so that the VPN remote user can communicate with the site.

Table 8-2 lists sample parameters for a remote VPN tunnel user.
Figure 8-3. VPN Remote User Tunneling to BANDIT Tunneling to VPN Host

Table 8-2. Sample Remote User Record

Field                      Sample Value
-------------------------  -------------------
Peer ID (Remote User ID)   asmith@encore.com
Preshared Key              ***********
Profile Group              1,2,4,5
Certificate                ***********

Note: The profile group choices can include up to four VPN profiles. The BANDIT chooses the first profile that the peer ID matches. One of the group choices can be a wildcard. A wildcard means "any profile listed in the VPN Profile database." You may list VPN profiles before a wildcard, but there is no need to list any profiles after a wildcard.

Note: The remote user's IP address does not have to be known in advance.

8.3.3 Tunnel Passthrough

Tunnel passthrough is used when a remote or local user sends IPsec-encapsulated packets to the BANDIT device. In passthrough mode, the BANDIT provides transparent forwarding of the IP packets according to the VPN policy.

Tunnel passthrough occurs most often when packets are received from a VPN client. If a remote user is using VPN client software, the client sets up a VPN tunnel through the BANDIT to a remote network. In this case, the BANDIT uses passthrough mode; it does not initiate a new tunnel.

In Figure 8-3, let the remote user be a VPN client. The client initiates a tunnel to the BANDIT's external IP address. Because the VPN client's IP address is in the BANDIT's tunnel user profile table, the BANDIT terminates the tunnel. Because the VPN client wishes to use a VPN tunnel to communicate with another site, the BANDIT passes the tunnel through to the other site, so that the VPN client can communicate with the site. (This also hides the VPN client's IP address.)

8.3.4 Tunnel Sharing

More than one VPN profile can specify the same local and remote VPN gateways to reach its remote endpoint. If two such profiles are active at the same time, they are using the same tunnel between the gateways for their VPN connections to different endpoints. This is called tunnel sharing (or tunnel multiplexing).

8.3.5 Tunnel Switching

A remote endpoint can initiate a VPN tunnel into the network. If the remote endpoint wishes to communicate with a destination endpoint that is outside the network, the BANDIT checks to see whether there is a VPN profile describing a tunnel to the requested destination. If so, the BANDIT initiates
a VPN tunnel to that destination, and routes the traffic from the initiating endpoint to the destination. This is called tunnel switching.

8.4 VPN over Satellite Networks

Satellite networks permit telecommunication without laying ground lines. Satellite networks also permit communication across longer distances than do ground-based wireless networks. For reasons of topography or mobility, a satellite connection may be the best telecommunication choice for some users. Remote areas that cannot be reached easily with ground lines and mobile users who may not always be in reach of a ground connection or wireless tower can easily maintain access to a satellite network.

The VSR-30, the VSR-1200, the ILR-100, the BANDIT Mini, the original BANDIT, the BANDIT IP, and the BANDIT Plus support connection to satellite networks, allowing transmission of information to any location that has a satellite dish—including a very small aperture terminal (VSAT), a small dish typically used in remote sites. A BANDIT product usually uses its WAN port for broadband IP connection to a satellite groundstation. Figure 8-4 shows BANDITs connecting LANs across a satellite network.

Figure 8-4. BANDITs Connecting LANs across a Satellite Network
8.4.1 Spoofing Transmissions

Most satellite networks use a star topology, with a hub directing transmissions to the proper groundstation. These satellite networks have the following components:

• Hub (the main groundstation)
• Satellite
• Other groundstations

Geosynchronous-orbit satellites (satellites that maintain the same position above a geographic point on the earth's surface) orbit at about 22,300 miles (about 35,900 km) above the earth's surface. Because of the distance that transmissions travel from one node (a groundstation) to a satellite node and then to another groundstation node, satellite networks have a significant transmission delay (Figure 8-5)—about ½ second per round trip.

Figure 8-5. Ground-to-Satellite-to-Ground Transmission

Many protocols will time out when they encounter the delay in a satellite network. Others, such as TCP, misinterpret the long delay as network congestion and, as a result, reduce their transmission rate. Because of these problems, a transmission from outside a satellite network is not generally sent directly from endpoint to endpoint across the satellite network. Instead, a groundstation node uses a performance-enhancing proxy (PEP) in its connection with an endpoint outside the satellite network. A PEP spoofs its transmission with the endpoint.
Note: Satellite vendors and systems integrators developed PEPs as proprietary mechanisms to spoof TCP over satellite connections. There is not yet an official standard for PEPs.

In spoofing, a groundstation's PEP receives a transmission from an originating node outside the satellite network. The PEP acts as if it were the destination endpoint, and sends acknowledgment packets (ACK packets) to the originating node. This allows standard protocols to be used for transmission without timing out, as they would in the delay incurred across the satellite network. While the groundstation's PEP is spoofing its transmission with the originating node, the groundstation is also taking the packets received from the originating node and is transmitting them across the satellite network to another groundstation node, for transmission to the destination endpoint.

Satellite networks can use any protocol, including IP, to carry information. For IP transmissions, satellite networks use TCP (in the IP transport layer). Satellite network PEPs read the TCP header in order to send IP transmissions across the satellite network. TCP guarantees delivery of packets and guarantees that the packets will be assembled in the proper sequence.

8.4.2 Satellite Networks and Security

Because satellite networks broadcast transmissions, they are inherently insecure; anyone with a satellite dish can receive a transmission. Therefore, endpoints have to create their own security.

Virtual private networks based on the IPsec protocol provide one of the most secure transmissions from endpoint to endpoint over ground-based networks, because no node can decrypt the information except the VPN endpoints. IP Security (IPsec) comes in two formats:

• Encapsulating Security Payload (ESP) encrypts each user IP packet, including the TCP header, and places it inside a new IP packet generated by the customer's VPN router.
• Authentication Header (AH) does not encrypt the payload, and thus leaves the TCP header visible.
Until now, there have been problems in using VPNs over satellite networks:

• ESP encryption prevents the PEP from seeing or modifying the TCP header's ACK and Window fields, so these sessions cannot be accelerated.
• AH's strong authentication process rejects a packet in which PEP modifies a header field; this also prevents acceleration by PEP.

If the PEP cannot read the TCP header, it cannot spoof the packet; this inability to spoof the packet slows the transmission over the satellite network. The PEP needs to read the TCP header in order to improve performance.

There are several proposed methods for getting around this situation. Most of the proposed methods involve a trade-off of VPN security for TCP use. However, Encore Networks, Inc., has developed a method that maintains VPN security while allowing satellite-network nodes to read TCP headers. This method—Selective Layer Encryption™—improves performance of IPsec-based VPNs over a satellite network.

8.4.3 Selective Layer Encryption

Encore Networks has developed a proprietary technology, Selective Layer Encryption™ (SLE), for VPNs that traverse a satellite network. SLE works with a satellite groundstation's PEP and maintains VPN security over satellite networks. Encore Networks' technique preserves the authentication and encryption integrity of the IPsec VPN standards, yet allows the TCP to be spoofed over the satellite connection. Combining the use of SLE and PEP allows delay-sensitive applications to traverse satellite networks.

Selective Layer Encryption™ creates satellite VPN solutions with IPsec that are both secure and channel-efficient. This combination of SLE and PEP significantly increases IPsec performance over satellite networks. Encore Networks, Inc., believes that SLE is the preferred method of maintaining IPsec VPN security over satellite networks.

Test results have demonstrated interoperability with different satellite modem vendors that preserve the integrity of TCP fields across the satellite link. (To interpret SLE, a BANDIT VPN product must also sit somewhere on the other side of these modems.)

The VSR-30, VSR-1200, original BANDIT, and BANDIT Plus models can use SLE VPNs with satellite networks, and they can support non-SLE VPNs over ground-based networks. A single BANDIT device in one of these models can support both types of VPNs at the same time. Figure 8-6 shows a sample satellite network combining PEP and the BANDIT's SLE.
Figure 8-6. Sample Satellite Network Configuration Using BANDIT VPN with SLE

8.4.3.1 SLE Configuration

When you ordered your BANDIT device, you indicated whether it would use SLE. If you have a BANDIT that does not use SLE and you wish to enable the SLE feature in the BANDIT software, contact your Encore Networks sales representative. (SLE VPN configuration and non-SLE VPN configuration are the same for most parameters in the BANDIT.) A BANDIT device can support VPN tunnels with SLE and VPN tunnels without SLE, both at the same time.

Note: The VSR products (the VSR-30 and the VSR-1200) are designed to support satellite networks as well as ground-based networks. Any BANDIT VPN device can support both VPN with SLE (for use over satellite networks) and VPN without SLE (for ground-based networks), depending on the software installed in the device. Most VPN devices can also support legacy applications.
The VSR-1200 is a high-end, high-performance router, and functions especially well as a hub for a large terrestrial (ground-based) or satellite network (or for a combined terrestrial–satellite network).

In the BANDIT's IPsec VPN software with SLE, all VPN tunnels use SLE, except in the following instance:

• In SLE software, in the IP Policy Table, if you select a record, the record's detail screen appears. Look at the name for the Description. If you start the description name with the letter "I" or "i," the tunnel configuration uses IPsec VPN without SLE. (See Figure 8-11.) If the Description name begins with any other initial character, the tunnel configuration uses IPsec VPN with SLE. (See Figure 8-8.)

You configure both types of IPsec the same way, except for this parameter. All other items needed are configured automatically. (However, you need to supply the appropriate IP addresses.)

Note: In BANDIT software release 5.0 and above, the user does not configure FTP/HTTP ports 20, 21, and 80 for SLE. In addition, Network Address Translation is no longer required for SLE.

The user can modify the VPN configuration, if desired. We recommend consulting with your Encore Networks sales representative before modifying an automatically generated configuration.

Figure 8-7 shows part of the IP Policy Table for the BANDIT (A) in Figure 8-6. Note that record 3 is a catch-all policy for VPN with SLE; because it is a catch-all, it must follow all other records for VPN with SLE. Note that record 4 is a catch-all for VPN without SLE (and must follow all other records for VPN without SLE). Figure 8-8 through Figure 8-11 show details of the records.
Each record in the listing occupies two lines: the first line holds the low end of each range, the second line the high end and the Description.

#   Source Address    Src Port  Destination Address  Dest Port  Protocol/Flag       Path Name  I/O  Action
--  ----------------  --------  -------------------  ---------  ------------------  ---------  ---  ---------------------
1   172.16.10.131     *         10.10.11.1           *          *                   *          *
    172.16.10.131     *         10.10.11.1           *          H-3                                 Action: Allow
2   172.16.10.128     *         10.10.11.1           *          *                   *          *
    172.16.10.255     *         10.10.11.1           *          Tunnel To Remote 1                  Action: Initiate
                                                                                                    VPN Profile: REMOTE
3   *                 *         *                    *          *                   *          *
    *                 *         *                    *          H-1                                 Action: Allow
4   *                 *         *                    *          *                   *          *
    *                 *         *                    *          I-Allow ALL                         Action: Allow

Figure 8-7. Sample Entries in IP Policy Table for BANDIT in Figure 8-6, Including SLE over Satellite Networks

1) Source Address Low            : 172.16.10.131
   Source Address High           : 172.16.10.131
   Source TCP/UDP Port Low       : *
   Source TCP/UDP Port High      : *
   Destination Address Low       : 10.10.11.1
   Destination Address High      : 10.10.11.1
   Destination TCP/UDP Port Low  : *
   Destination TCP/UDP Port High : *
   Protocol/Flags                : *
   Path Name                     : *
   Incoming/Outgoing             : *
   Filtering Action              : Allow
   VPN Profile name              : N/A
   Description                   : H-3

Figure 8-8. Detail of Record 1 in IP Policy Table, for SLE over Satellite Networks

2) Source Address Low            : 172.16.10.128
   Source Address High           : 172.16.10.255
   Source TCP/UDP Port Low       : *
   Source TCP/UDP Port High      : *
   Destination Address Low       : 10.10.11.1
   Destination Address High      : 10.10.11.1
   Destination TCP/UDP Port Low  : *
   Destination TCP/UDP Port High : *
   Protocol/Flags                : *
   Path Name                     : *
   Incoming/Outgoing             : *
   Filtering Action              : Initiate
   VPN Profile name              : REMOTE
   Description                   : Tunnel To Remote 1

Figure 8-9. Detail of Record 2 in IP Policy Table, for SLE over Satellite Networks

3) Source Address Low            : *
   Source Address High           : *
   Source TCP/UDP Port Low       : *
   Source TCP/UDP Port High      : *
   Destination Address Low       : *
   Destination Address High      : *
   Destination TCP/UDP Port Low  : *
   Destination TCP/UDP Port High : *
   Protocol/Flags                : *
   Path Name                     : *
   Incoming/Outgoing             : *
   Filtering Action              : Allow
   VPN Profile name              : N/A
   Description                   : H-1

Figure 8-10. Detail of Record 3 in IP Policy Table, for SLE over Satellite Networks

4) Source Address Low            : *
   Source Address High           : *
   Source TCP/UDP Port Low       : *
   Source TCP/UDP Port High      : *
   Destination Address Low       : *
   Destination Address High      : *
   Destination TCP/UDP Port Low  : *
   Destination TCP/UDP Port High : *
   Protocol/Flags                : *
   Path Name                     : *
   Incoming/Outgoing             : *
   Filtering Action              : Allow
   VPN Profile name              : N/A
   Description                   : I-Allow ALL

Figure 8-11. Detail of Record 4 in IP Policy Table, for IPsec VPN Traffic without SLE

Note: For VPN with SLE over satellites, there must be another BANDIT VPN with SLE product somewhere in the network on the other side of the modem, handling SLE for the remote side of the connection. Over ground-based networks, the BANDIT VPN products use non-SLE software and can interoperate with non-BANDIT VPN gateways. See Appendix B, VPNC Scenario for IPsec Interoperability.

8.5 Sample VPN Configuration

Note: For a quick VPN setup, conforming to the recommendations of the VPN Consortium (VPNC), see Appendix B, VPNC Scenario for IPsec Interoperability.

The following tables provide an example of planning a configuration for your virtual private network users. Table 8-3 is a sample IP Policy Table. (Your IP Policy Table may include additional fields.) IP Policy Tables are used to establish processes and types of connections. The BANDIT's IP Policy Table is described in Section 6.4, IP/VPN Policy.
Table 8-3. Sample IP Policy Table

Field                           Value for Record 1   Value for Record 2   Records 3, 4, 5, . . .
------------------------------  -------------------  -------------------  ----------------------
Low IP Address for Source       1.1.1.1              4.4.4.1              ...
High IP Address for Source      1.1.1.255            4.4.4.255            ...
Low IP Address for Destination  4.4.4.1              1.1.1.1              ...
High IP Address for Destination 4.4.4.255            1.1.1.255            ...
Global Path                     LAN                  LAN                  ...
Direction                       Outgoing             Incoming             ...
Action                          Tunnel Initiation    Tunnel Termination   ...
Description                     Tunnel A             Terminate P27        ...
VPN Profile Used                Profile 1            Profile 7            ...

The IP Policy Table must include a field naming the profile used in the policy. (In Table 8-3, this is the field VPN Profile Used.) The value in this field cross-references the profile's configuration, shown in a VPN Profile Table. Table 8-4 shows a sample VPN profile table, with the field VPN Profile Name cross-referenced against profiles listed in the IP Policy Table. (Your VPN Profile Table may show additional fields.) The BANDIT's VPN Profile Table is described in Section 8.6.1, Configuring VPN Profiles.

You also need to configure an IP Routing Table. See Section 6.2, IP Routing.

Note: Appendix A, Site Planning Worksheets, contains worksheets for preparing entries for the BANDIT's IP Policy Table and VPN Profile Table.
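An added example (not BANDIT code) of how an IP Policy Table such as the one in Figure 8-7 or Table 8-3 is consulted: records are tried in order and the first match wins, which is why a catch-all record must follow the specific ones, and a description beginning with "I" or "i" marks a record as IPsec without SLE (Section 8.4.3.1). It assumes the device keeps SLE and non-SLE records as two separate ordered lists, which the text implies but does not state, and it handles only IPv4 ranges; the shadowing check at the end is a planning aid that is not part of the manual.

```python
"""First-match lookup over an IP Policy Table, modelled on Figure 8-7 (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

WILDCARD = "*"


@dataclass(frozen=True)
class PolicyRecord:
    """Fields as shown on the record detail screens (Figures 8-8 to 8-11)."""
    number: int
    src_low: str
    src_high: str
    dst_low: str
    dst_high: str
    src_port_low: str = WILDCARD
    src_port_high: str = WILDCARD
    dst_port_low: str = WILDCARD
    dst_port_high: str = WILDCARD
    direction: str = WILDCARD   # Incoming, Outgoing or *
    action: str = "Allow"       # Allow, Initiate, ...
    vpn_profile: str = "N/A"
    description: str = ""

    def uses_sle(self) -> bool:
        """Section 8.4.3.1: a Description starting with I/i means IPsec without SLE."""
        return self.description[:1].lower() != "i"

    def is_catch_all(self) -> bool:
        fields = (self.src_low, self.src_high, self.dst_low, self.dst_high,
                  self.src_port_low, self.src_port_high,
                  self.dst_port_low, self.dst_port_high, self.direction)
        return all(f == WILDCARD for f in fields)


def _addr_in_range(addr: str, low: str, high: str) -> bool:
    """IPv4 only (assumption): a wildcard end of the range means 0.0.0.0 or 255.255.255.255."""
    value = int(ipaddress.IPv4Address(addr))
    lo = 0 if low == WILDCARD else int(ipaddress.IPv4Address(low))
    hi = 2 ** 32 - 1 if high == WILDCARD else int(ipaddress.IPv4Address(high))
    return lo <= value <= hi


def _port_in_range(port: int, low: str, high: str) -> bool:
    lo = 0 if low == WILDCARD else int(low)
    hi = 65535 if high == WILDCARD else int(high)
    return lo <= port <= hi


def matches(rec: PolicyRecord, src: str, sport: int, dst: str, dport: int,
            direction: str) -> bool:
    return (_addr_in_range(src, rec.src_low, rec.src_high)
            and _addr_in_range(dst, rec.dst_low, rec.dst_high)
            and _port_in_range(sport, rec.src_port_low, rec.src_port_high)
            and _port_in_range(dport, rec.dst_port_low, rec.dst_port_high)
            and rec.direction in (WILDCARD, direction))


def lookup(table: List[PolicyRecord], src: str, sport: int, dst: str, dport: int,
           direction: str = "Outgoing", sle: bool = True) -> Optional[PolicyRecord]:
    """Return the first record of the requested class (SLE or non-SLE) that matches."""
    for rec in table:
        if rec.uses_sle() == sle and matches(rec, src, sport, dst, dport, direction):
            return rec
    return None


def shadowed_records(table: List[PolicyRecord]) -> List[int]:
    """Numbers of records that can never match because a catch-all of the same
    class (SLE or non-SLE) precedes them; a non-empty result means the ordering
    rule stated for Figure 8-7 has been violated."""
    shadowed: List[int] = []
    for sle in (True, False):
        seen_catch_all = False
        for rec in table:
            if rec.uses_sle() != sle:
                continue
            if seen_catch_all:
                shadowed.append(rec.number)
            elif rec.is_catch_all():
                seen_catch_all = True
    return shadowed


# The four records of Figure 8-7, transcribed from the page.
FIGURE_8_7 = [
    PolicyRecord(1, "172.16.10.131", "172.16.10.131", "10.10.11.1", "10.10.11.1",
                 action="Allow", description="H-3"),
    PolicyRecord(2, "172.16.10.128", "172.16.10.255", "10.10.11.1", "10.10.11.1",
                 action="Initiate", vpn_profile="REMOTE", description="Tunnel To Remote 1"),
    PolicyRecord(3, "*", "*", "*", "*", action="Allow", description="H-1"),
    PolicyRecord(4, "*", "*", "*", "*", action="Allow", description="I-Allow ALL"),
]


def demo() -> List[int]:
    """Record numbers chosen for four constructed flows: the single host in
    record 1 (which also lies inside record 2's range, so order matters),
    another host in record 2's range, an unlisted host under SLE, and the
    same unlisted host under non-SLE."""
    flows = [("172.16.10.131", "10.10.11.1", True), ("172.16.10.200", "10.10.11.1", True),
             ("192.0.2.10", "10.10.11.1", True), ("192.0.2.10", "10.10.11.1", False)]
    return [lookup(FIGURE_8_7, s, 40000, d, 80, sle=sle).number for s, d, sle in flows]


if __name__ == "__main__":
    print("matched records:", demo())
    print("shadowed if record 3 is moved above record 2:",
          shadowed_records([FIGURE_8_7[0], FIGURE_8_7[2], FIGURE_8_7[1], FIGURE_8_7[3]]))
```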
  • 21. Sample VPN Configuration 8-21 Table 8-4. Sample VPN Profile Table (1 of 2) Value for Value for Records 3, Field1 Record 1 Record 2 4, 5, . . . VPN Profile Profile 1 John’s VPN ... Name Connection Local ID 1.2.1.12 Set_1@encore- ... (User ID) networks.com Remote VPN 3.43.3.12 3.43.3.12 ... Gateway Address Keying Manual2 Auto-Key ... Security Protocol ESP ——— ... Local SPI 1ffff ——— ... Remote SPI 1000 ——— ... Authentication ——— Main mode, ... Mode Aggressive mode Authentication HMAC-SHA1 ——— ... Protocol Authentication 48454C4C4F000000 ——— ... Key 0000000000000000 Preshared key ——— ****** ... Encryption 3DES ——— ... Encryption Key 48454C4C4F000000 ——— ... Phase 1, ——— PRE-G2-DES-MD5 ... Proposal 1 Phase 1, ——— VSA-G2-3DES- ... Proposal 2 SHA Phase 2, ——— STD-G2-3DES- ... Proposal 1 MD5 Phase 2, ——— PFS-G2-3DES-SHA . . . Proposal 2 Replay ——— enabled ... Protection User ID ——— enabled ... Verification VPN and Legacy-to-IP Products Customization and Maintenance Guide
  • 22. 8-22 Chapter 8: Virtual Private Networks Table 8-4. Sample VPN Profile Table (2 of 2) Value for Value for Records 3, Field1 Record 1 Record 2 4, 5, . . . Password ——— disabled ... Verification Timeout ——— 30 ... 1. A VPN Profile Table includes all records—those that use fields for manual keying and those that use fields for autokeying. (Some fields are used by both types of records.) When the user specifies the type of keying the profile will use, the BANDIT presents for configuration only the fields that apply to the specified keying. (Table 8-5 presents parameters for manual keying. Table 8-6 presents parameters for autokeying.) 2. The BANDIT products do not use manual keying in normal operation. If you wish to use manual keying, contact your Encore Networks representative. 8.5.1 Manual Keying Manual keying—the use of manual keys for authentication and encryption—was the original method of exchanging security information between two VPN gateways. This method involves manually entering long strings of characters. The keys do not change during the connection, and may be used for subsequent connections as well. Because the authentication and encryption keys are constant, manual keying is vulnerable to persistent attack, and thus does not provide much security. Today manual keying is used mostly for troubleshooting VPN connections. Except for troubleshooting, most VPN gateways now use automatic keying to set up VPN connections. (Autokeying provides excellent security because the keys are always changing and being re-negotiated. IKE autokeying is the industry-preferred option for VPN tunnel negotiation. See Section 8.5.2, Automatic Keying.) Note: With software version 0171 and above, the BANDIT products do not use manual keying in normal operation. If you wish to use manual keying in a BANDIT, contact your Encore Networks representative. Table 8-5 shows sample parameters used to set up manual keying for a VPN connection. 
Table 8-5. Sample VPN Profile, Manual Keying

Field                    Sample Values
-----------------------  ------------------------------
Profile Name             profile 1
Keying                   manual
Remote Gateway           w.w.w.w
Security Protocol        ESP
Local SPI [1]            ****
Remote SPI [1]           ***
Authentication Protocol  MD5, SHA-1
Authentication Key       ******************************
Encryption Protocol      3DES, DES
Encryption Key           ****************************

1. If keying is manual, the SPI (security parameter index) must be indicated.

8.5.2 Automatic Keying

In autokeying, keys are dynamic, always changing. Special keys are exchanged at the beginning of the connection, and the VPN gateways negotiate other keys for the connection. If desired, keys can be timed out, and new keys can be negotiated for subsequent parts of the connection.

The BANDIT products use the Internet Key Exchange (IKE) protocol for automatic generation of keys in VPN connections. When a BANDIT uses the automatic keying feature, an IKE tunnel is set up for key exchange. The IKE tunnel sets up keys for the subsequent data tunnel. The data tunnel is used for data exchange. See Section 8.2, Internet Key Exchange.

Table 8-6 shows sample parameters to set up automatic keying for a VPN connection.

Table 8-6. Sample VPN Profile, Automatic Keying

Sample Fields                  Sample Values
-----------------------------  --------------------------------------------------------
Authentication Mode            Main mode (also known as ID Protection), Aggressive mode
Local ID (User ID) [1]         Set_1@encorenetworks.com
Remote Gateway IP Address [2]  3.3.3.1
Preshared Key [3]              ******
Phase 1, Proposal 1 [4]        PRE-G2-DES-MD5
Phase 1, Proposal 2            VSA-G2-3DES-SHA
Phase 2, Proposal 1            STD-G2-3DES-MD5
Phase 2, Proposal 2            PFS-G2-3DES-SHA
Replay Protection              Enable/Disable

1. There are three formats for the local ID:
   • E-mail format: ascii-format@ascii-format
   • IP address format: x.x.x.x
   • Perfect domain name format: hostdomain.net
2. There are two kinds of remote IP addresses: static and dynamic. (Dynamic is not implemented at this time.)
3. The preshared key is used to establish the IKE tunnel. This preshared key must be protected as a super-password. The preshared key uses Diffie–Hellman Exchange 2 (DH2).
4. The BANDIT lets you provide up to four proposals per phase. The recipient must choose at least one proposal for each phase. Table 8-7 and Table 8-8 illustrate sample proposal combinations for phase 1 and phase 2, respectively.

Table 8-7. Sample Phase 1 Proposal

Sample Fields              Sample Values [1]
-------------------------  ------------------------------
Authentication mode        preshared
Diffie–Hellman (DH) group  group 2
Encryption                 DES, 3DES
Authentication             HMAC-MD5, HMAC-SHA1
Lifetime [2]               1–100 units
Lifetime units [2]         seconds, minutes, hours, days

1. This sample proposal is tunnel-specific, not session-specific.
2. When the lifetime is reached for the indicated unit, a new key is exchanged.
Table 8-8. Sample Phase 2 Proposal

Sample Fields                  Sample Values
-----------------------------  ------------------------------------------------------------------------
Perfect forward secrecy (PFS)  none, DH2 (Diffie–Hellman 2)
Security protocol              ESP, AH
Encryption                     3DES, DES
Authentication                 HMAC-MD5, HMAC-SHA1
Lifetime [1]                   1–100 units
Lifetime unit [1]              number of seconds, minutes, hours or days; kilobytes of data sent through the tunnel

1. When the lifetime is reached for the unit indicated, a new key is exchanged.

8.5.3 Sample Configuration for a Remote User

Figure 8-3 shows a VPN remote user tunneling to a BANDIT gateway. The BANDIT, in turn, has created a tunnel to a VPN host at another site. Table 8-9 lists a sample set of values for the connection between the BANDIT and the remote user.

Table 8-9. Sample Tunnel User Table

Fields               Values
-------------------  ----------------------------
Profile Name         profile 2
Authentication Mode  aggressive
Keying               auto-IKE
Local User ID        agency_a@encorenetworks.com
Gateway              3.3.3.1
Preshared Key        ********
Phase 1, Proposal 1  PRE-G2-DES-MD5
Phase 1, Proposal 2  VSA-G2-3DES-SHA
Phase 2, Proposal 1  STD-G2-3DES-MD5
Phase 2, Proposal 2  PFS-G2-3DES-SHA
Replay Protection    enable

8.6 Configuring the BANDIT for VPN

To configure the BANDIT for virtual private network connections, use the following procedure.

Note: For a quick VPN setup, conforming to the recommendations of the VPN Consortium (VPNC), see Appendix B, VPNC Scenario for IPsec Interoperability. For a sample setup of a BANDIT VPN gateway operating with a remote VPN client, see Appendix C, Scenarios for Operation with a VPN Client.

In addition to the procedures in this section, you need to configure an IP routing table, an IP policy table, and an IP quality of service table for the VPN. See the following:
• Section 6.2, IP Routing
• Section 6.4, IP/VPN Policy
• Section 6.5, IP Quality of Service

Note: All VPN tables are maintained by BANDIT software inside the BANDIT device. The tables are not copied to or maintained at any other point in the network.
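The tables above write each proposal as a four-token string (PRE-G2-DES-MD5, PFS-G2-3DES-SHA, ...), and the configuration menus in Section 8.6.1.1 show the same proposals as "Preshared - DH GROUP G2 - DES - HMAC-MD5" or "PFS ON - ESP - DES - HMAC-SHA1". The following Python script is an added example, not part of this guide or of the BANDIT software: it decodes both forms into the fields of Tables 8-7 and 8-8 and flags the sample proposals that rely on algorithms now considered weak, so that a proposal list can be reviewed before it is typed into the device. The token meanings (PRE/PSK = preshared, STD = PFS off, SHA = HMAC-SHA1) are inferred from the tables; VSA is not explained in this guide and is left unexpanded.

```python
"""Decode and audit the IKE proposal shorthand used in the BANDIT VPN tables."""
from dataclasses import dataclass
from typing import List, Optional

# Token meanings inferred from Tables 8-4 and 8-6 through 8-8 (assumption: the first
# token of a phase 1 string is the authentication mode and the first token of a
# phase 2 string is the PFS setting; "VSA" is kept opaque, as the guide does not expand it).
PHASE1_MODE = {"PRE": "preshared", "PSK": "preshared"}
PHASE2_PFS = {"PFS": "PFS ON", "STD": "PFS OFF"}
DH_GROUP = {"G1": 1, "G2": 2, "G5": 5}
ENCRYPTION = {"DES": "DES", "3DES": "3DES"}
AUTH = {"MD5": "HMAC-MD5", "SHA": "HMAC-SHA1", "SHA1": "HMAC-SHA1",
        "HMAC-MD5": "HMAC-MD5", "HMAC-SHA1": "HMAC-SHA1"}


@dataclass(frozen=True)
class Proposal:
    phase: int
    head: str                # phase 1: authentication mode; phase 2: "PFS ON" / "PFS OFF"
    dh_group: Optional[int]  # present in the shorthand and the phase 1 menu only
    protocol: Optional[str]  # ESP or AH, present in the phase 2 menu only
    encryption: str
    authentication: str


def parse_shorthand(text: str, phase: int) -> Proposal:
    """Table form, e.g. 'PRE-G2-DES-MD5' (phase 1) or 'PFS-G2-3DES-SHA' (phase 2)."""
    parts = text.strip().upper().split("-")
    if len(parts) != 4:
        raise ValueError(f"expected four dash-separated tokens: {text!r}")
    first, group, enc, auth = parts
    if group not in DH_GROUP or enc not in ENCRYPTION or auth not in AUTH:
        raise ValueError(f"unrecognised token in {text!r}")
    if phase == 1:
        head = PHASE1_MODE.get(first, first.lower())
    elif phase == 2 and first in PHASE2_PFS:
        head = PHASE2_PFS[first]
    else:
        raise ValueError(f"bad phase {phase} or PFS token {first!r}")
    return Proposal(phase, head, DH_GROUP[group], None, ENCRYPTION[enc], AUTH[auth])


def parse_menu_line(text: str, phase: int) -> Proposal:
    """Menu form, e.g. 'Preshared - DH GROUP G2 - DES - HMAC-MD5' (phase 1) or
    'PFS ON - ESP - DES - HMAC-SHA1' (phase 2, which shows ESP/AH instead of a group)."""
    parts = [p.strip().upper() for p in text.split(" - ")]
    if len(parts) != 4:
        raise ValueError(f"expected four ' - ' separated fields: {text!r}")
    first, second, enc, auth = parts
    if enc not in ENCRYPTION or auth not in AUTH:
        raise ValueError(f"unrecognised cipher or hash in {text!r}")
    if phase == 1 and second.startswith("DH GROUP ") and second.split()[-1] in DH_GROUP:
        return Proposal(1, first.lower(), DH_GROUP[second.split()[-1]], None,
                        ENCRYPTION[enc], AUTH[auth])
    if phase == 2 and first in ("PFS ON", "PFS OFF") and second in ("ESP", "AH"):
        return Proposal(2, first, None, second, ENCRYPTION[enc], AUTH[auth])
    raise ValueError(f"not a phase {phase} menu entry: {text!r}")


def audit(proposals: List[Proposal]) -> List[str]:
    """Findings for one phase's proposal list against a minimal baseline: no DES, no
    HMAC-MD5, DH group 2 or higher, PFS on in phase 2, ESP rather than AH, and no
    duplicate entries (the BANDIT offers at most four proposals per phase)."""
    findings, seen = [], set()
    for i, p in enumerate(proposals, 1):
        tag = f"phase {p.phase} proposal {i}"
        if p.encryption == "DES":
            findings.append(f"{tag}: single DES (56-bit key) is obsolete")
        if p.authentication == "HMAC-MD5":
            findings.append(f"{tag}: HMAC-MD5 integrity; prefer HMAC-SHA1 or stronger")
        if p.dh_group == 1:
            findings.append(f"{tag}: DH group 1 (768-bit MODP) is too small")
        if p.head == "PFS OFF":
            findings.append(f"{tag}: PFS off, so data keys depend only on the phase 1 secret")
        if p.protocol == "AH":
            findings.append(f"{tag}: AH authenticates but does not encrypt the payload")
        if p in seen:
            findings.append(f"{tag}: duplicates an earlier proposal and wastes a slot")
        seen.add(p)
    return findings


# Sample inputs copied from this guide: the proposals of Table 8-6 (shorthand form)
# and the sample Phase 2 Proposal List in Section 8.6.1.1 (menu form).
TABLE_8_6_PHASE1 = [parse_shorthand(s, 1) for s in ("PRE-G2-DES-MD5", "VSA-G2-3DES-SHA")]
TABLE_8_6_PHASE2 = [parse_shorthand(s, 2) for s in ("STD-G2-3DES-MD5", "PFS-G2-3DES-SHA")]
MENU_PHASE2 = [parse_menu_line(s, 2) for s in (
    "PFS ON - ESP - DES - HMAC-MD5", "PFS ON - ESP - DES - HMAC-SHA1",
    "PFS ON - ESP - DES - HMAC-SHA1", "PFS ON - ESP - DES - HMAC-MD5")]
```

audit(TABLE_8_6_PHASE2) reports HMAC-MD5 and PFS off for STD-G2-3DES-MD5 and nothing for PFS-G2-3DES-SHA; the four-entry menu list is flagged for DES in every slot and for two duplicated entries.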
Note: In the VSR-1200, a VPN tunnel can be added and brought up without resetting the box, provided the tunnel’s IP routing entries are already configured and working. This allows active VPN tunnels to remain up, so that calls are not dropped. (Active calls are dropped during a standard reset.)

A VPN tunnel needs a policy table entry and a VPN profile entry; both entries must be properly configured in order for a VPN tunnel to work properly. When a VPN profile is added or edited in the database, the configuration menu displays a prompt asking whether to activate the changes. If the user answers “yes,” the changes take effect the next time the tunnel comes up; no system reset has to be executed.

In like manner, when an IP policy table entry with an associated VPN tunnel is added or edited, the configuration menu displays a prompt asking whether to activate the changes (without resetting). If the user answers “yes,” the system implements the changes the next time the tunnel comes up. Filtering must be enabled in order for tunnel configurations to have any effect.

In the situations mentioned above, changes made to an active tunnel do not take effect until the tunnel goes down. When the tunnel comes back up the next time, it uses the new configuration.

How to Configure VPN Connections

1 To configure VPN connections, do the following:

   a Log in to the BANDIT device. (For details, see Section 3.2, Connecting a Supervisory Terminal and Logging in to the BANDIT.)

   b When the Main Menu appears, select Advanced Configurations. (For details, see Section 3.3, The Main Menu.) The Advanced Configurations menu is displayed.

   c On the Advanced Configurations menu, select Routing. (For details, see Section 3.3.4, The Advanced Configurations Menu.) The Configure Routing menu appears.
   d On the Configure Routing menu, select IP Routing. (For details, see Section 6.1, The Routing Menu.) The IP Routing Configuration menu appears.

   e On the IP Routing Configuration menu, select IP/VPN Routing. (For details, see Section 6.2.1, Configuring IP Routing.) The Virtual Private Network Configuration menu appears.

      Virtual Private Network Configuration
      --------------------------------------
      1) VPN Profiles
      2) IP/VPN Policy Table

      Enter choice :

2 To see the BANDIT’s list of VPN connections and associated security protocols, select VPN Profiles. The VPN Profile Table appears. Go to Section 8.6.1, Configuring VPN Profiles.

3 To see the BANDIT’s list of policies for secure connections, select IP/VPN Policy. The IP/VPN Policy Table appears. Go to Section 6.4, IP/VPN Policy.

4 To return to the Main Menu, press the Escape key several times. The Main Menu appears. Go to Section 3.3, The Main Menu.

Note: You must also configure an IP routing table and an IP quality of service table, for use by the virtual private network. See Section 6.2, IP Routing, and Section 6.5, IP Quality of Service.

8.6.1 Configuring VPN Profiles

1 To configure VPN profiles, do the following:
   a Log in to the BANDIT device. (See Section 3.2, Connecting a Supervisory Terminal and Logging in to the BANDIT.)

   b On the Main Menu, select Advanced Configurations. (For details, see Section 3.3, The Main Menu.) The Advanced Configurations menu is displayed.

   c On the Advanced Configurations menu, select Routing. (For details, see Section 3.3.4, The Advanced Configurations Menu.) The Configure Routing menu appears.

   d On the Configure Routing menu, select IP Routing. (For details, see Section 6.1, The Routing Menu.) The IP Routing Configuration menu appears.

   e On the IP Routing Configuration menu, select IP/VPN Routing. (For details, see Section 6.2.1, Configuring IP Routing.) The Virtual Private Network Configuration menu appears.

   f On the Virtual Private Network Configuration menu, select VPN Profiles. (See Section 8.6, Configuring the BANDIT for VPN.) The VPN Profile Table appears. Each VPN profile lists the following:
      • The record number (line number)
      • The connection’s profile name
      • The profile’s tunneling mode
      • The IP address of the BANDIT at the other end of the VPN (the remote gateway)
      • The security protocols associated with this profile’s connection
      • Ping status
      • The users allowed to use this profile
      VPN Profile Table
      -----------------------------------------------------------------------------
      No. Name       Mode VPN Gateway     Phase1 Proposal#1 Ping User ID
      --- ---------- ---- --------------- ----------------- ---- -----------------
       1) profile 1  AGGR 0.0.0.0         ESP HMAC-MD5 3DES OFF
       2) profile 2  AGGR 0.0.0.0         psk-g1-des-md5    OFF
       3) profile 3  MAIN 0.0.0.0         psk-g2-des-md5    OFF
       4) profile 4  MAIN 0.0.0.0         psk-g5-des-md5    OFF
       5) Remote     AGGR 22.23.24.25     psk-g2-des-md5    OFF
          bandit
       6) AGGR_G2    AGGR None            psk-g2-3des-sha1  OFF
       7) AGGR_G1    AGGR None            psk-g1-des-md5    OFF
       8) MAIN_G2    MAIN None            psk-g2-des-md5    OFF
       9) MAIN_G5    MAIN None            psk-g5-des-md5    OFF

      Enter 'm' to modify, 'd' to delete, 'c' to copy or <ESC> to exit:

2 Do one of the following:

   a To change the profile of an item in the list, type m. The following prompt is displayed. Go to Step 3.

      Enter the entry number to modify (1 to 7)

   b To delete an item, type d. A prompt similar to the following is displayed. Go to Step 4.

      Enter the entry number to delete (1 to 7)

   c To add an item, type c. A prompt similar to the following is displayed. Go to Step 5.

      Enter the entry number to Copy FROM:(1 to 5)[1] :
   d To return to the Virtual Private Network Configuration menu, press Escape. The Virtual Private Network Configuration menu is redisplayed. Go to Section 8.6, Configuring the BANDIT for VPN.

3 To modify an entry in the VPN Profile Table, do all of the following:

   a Enter the line number of the profile to modify (listed under the heading No., shown above), and press Enter. The fields for the selected profile are displayed.

   Note: Although all records have all fields, the profile displays only the fields pertinent to the keying used—automatic keying (IKE) or manual keying.

   Note: The BANDIT products do not use manual keying in normal operation. If you wish to use manual keying in the BANDIT, contact your Encore Networks representative.

   • Sample display for autokeying (IKE):

      VPN PROFILE ENTRY
      ----------------------------
      1) Profile Name: AGGR_G1
      2) Tunneling Mode: AGGRESSIVE
      3) VPN Gateway: 0.0.0.0
      4) User ID:
      5) Pre-shared Key: *****
      6) Phase 1 Ping : Disabled    Idle Time: 120 seconds
      7) Phase 2 Ping : Disabled    Idle Time: 120 seconds
      8) Monitor Ping : Disabled    Idle Time: 120 seconds
      9) Phase 1 Proposal
      10) Phase 2 Proposal

      Enter the number of the item to change:9

   b Type the line number of the field whose value you wish to change, and press Enter.
   If you select a phase proposal, a menu similar to the following is presented. Go to Section 8.6.1.1, Configuring Phase Proposals for IKE Autokeying.

      Phase 1 Proposals
      ------------------------
      1) Proposal 1: Preshared - DH GROUP G2 - DES - HMAC-MD5
      2) Proposal 2: Preshared - DH GROUP G1 - DES - HMAC-SHA1
      3) Proposal 3: Preshared - DH GROUP G5 - 3DES - HMAC-MD5
      4) Proposal 4: Preshared - DH GROUP G2 - 3DES - HMAC-SHA1

      Enter your choice:

   If you select any other field (from either display), the field is presented, so that you may enter a new value. (This example shows the VPN Gateway field, used to enter the IP address or DNS name of the remote VPN gateway.)

      Enter Peer VPN Gateway (1 = IP, 2 = DNS URL), [1]:

   c Type the new value for the field, and press Enter. The new value is accepted, and the selected profile is displayed with the new value.

      VPN PROFILE ENTRY
      ----------------------------
      1) Profile Name: MAIN_G2
      2) Tunneling Mode: MAIN
      3) VPN Gateway: 0.0.0.0
      4) User ID: N/A
      5) Pre-shared Key: *****
      6) Phase 1 Ping : Disabled    Idle Time: 120 seconds
      7) Phase 2 Ping : Disabled    Idle Time: 120 seconds
      8) Monitor Ping : Disabled    Idle Time: 120 seconds
      9) Phase 1 Proposal
      10) Phase 2 Proposal

      Enter the number of the item to change:
   Note: You can configure a VPN profile to use pings to maintain or monitor connections. See Section 8.6.1.2, Configuring Pings in VPN Profiles.

   d Do one of the following:
      • If you wish to modify another field’s value, return to Step 3b.
      • When you have finished modifying this profile, press Escape to save the new values. The following prompt is displayed:

         Do you want to keep your change? (Y/N):

   e Do one of the following:
      • To save the changes, press Y.
      • To discard the changes and keep the prior information, press N.
      Whether you answer Y or N, the VPN Profile Table is redisplayed. Return to Step 2.

4 To delete a profile from the VPN Profile Table, do all of the following:

   a Type the line number of the profile to delete (listed under the heading No., shown above), and press Enter. A prompt similar to the following is displayed.

         Do you want to delete this profile? (Y/N):

   b Do one of the following:
      • To delete the profile, press Y.
      • To discard the changes and keep the profile, press N.
      Whether you answer Y or N, the VPN Profile Table is redisplayed. Return to Step 2.

5 To add a profile to the VPN Profile Table, do all of the following:

   a Enter the line number of the profile you wish to use as a model for a new profile, and press Enter. The following message appears, listing the name of the profile you have copied, and asking for a name to identify the new profile.

         You selected COPY FROM profile name : profile 1
         Please enter COPY TO profile name :

   b Enter a unique name for the new profile, and press Enter.

   Note: You may use profile names that are meaningful in your network—for example, Springfield Office, or Business Traveler 9.

   The new profile name is accepted, and the VPN Profile Table is displayed, with the new profile at the bottom of the list.

   c Return to Step 2. (Then select m to modify the new profile.)

8.6.1.1 Configuring Phase Proposals for IKE Autokeying

In connections that use automatic keying, a BANDIT product negotiates keys and proposals (sets of protocols) for data transmission. You can configure the proposals presented for each phase in the Internet Key Exchange.

How to Configure Phase Proposals

1 To configure phase proposals for automatic keying, do the following:
   a Log in to the BANDIT. (See Section 3.2, Connecting a Supervisory Terminal and Logging in to the BANDIT.)

   b On the Main Menu, select Advanced Configurations. (For details, see Section 3.3, The Main Menu.) The Advanced Configurations menu is displayed.

   c On the Advanced Configurations menu, select Routing. (For details, see Section 3.3.4, The Advanced Configurations Menu.) The Configure Routing menu appears.

   d On the Configure Routing menu, select IP Routing. (For details, see Section 6.1, The Routing Menu.) The IP Routing Configuration menu appears.

   e On the IP Routing Configuration menu, select IP/VPN Routing. (For details, see Section 6.2.1, Configuring IP Routing.) The Virtual Private Network Configuration menu appears.

   f On the Virtual Private Network Configuration menu, select VPN Profiles. (See Section 8.6, Configuring the BANDIT for VPN.) The VPN Profile Table appears.

   g On the VPN Profile Table, indicate that you wish to modify a line that uses autokeying (IKE). Then select the line number. The fields for autokeying are displayed.

      VPN PROFILE ENTRY
      ----------------------------
      1) Profile Name: AGGR_G2
      2) Tunneling Mode: AGGRESSIVE
      3) VPN Gateway: 0.0.0.0
      4) User ID:
      5) Pre-shared Key: *****
      6) Phase 1 Ping : Disabled    Idle Time: 120 seconds
      7) Phase 2 Ping : Disabled    Idle Time: 120 seconds
      8) Monitor Ping : Disabled    Idle Time: 120 seconds
      9) Phase 1 Proposal
      10) Phase 2 Proposal

      Enter the number of the item to change:
   h Select the phase you wish to modify. The proposals already configured for the phase are listed.

      • Sample Phase 1 Proposal List:

         Phase 1 Proposals
         ------------------------
         1) Proposal 1: Preshared - DH GROUP G2 - DES - HMAC-MD5
         2) Proposal 2: Preshared - DH GROUP G2 - DES - HMAC-SHA1
         3) Proposal 3: Preshared - DH GROUP G2 - 3DES - HMAC-MD5
         4) Proposal 4: Preshared - DH GROUP G2 - 3DES - HMAC-SHA1

         Enter your choice:

      • Sample Phase 2 Proposal List:

         Phase 2 Proposals
         ----------------------------
         1) Proposal 1: PFS ON - ESP - DES - HMAC-MD5
         2) Proposal 2: PFS ON - ESP - DES - HMAC-SHA1
         3) Proposal 3: PFS ON - ESP - DES - HMAC-SHA1
         4) Proposal 4: PFS ON - ESP - DES - HMAC-MD5

         Enter your choice:

2 Do one of the following:

   a To return to the profile display, press Escape. The autokeying profile’s list of fields is displayed. Go to Step 3d in Section 8.6.1, Configuring VPN Profiles.

   b Select the proposal you wish to modify. The proposal’s values are listed.
      • Sample Phase 1 Proposal Menu:

         Phase 1 Proposal 4
         ------------------------
         1) Authentication Mode : Preshared
         2) DH Group: DH GROUP G2
         3) Encryption: 3DES
         4) Authentication: HMAC-SHA1
         5) Life: 28800 sec
         6) Life Units: sec

         Enter your choice:

      • Sample Phase 2 Proposal Menu:

         Phase 2 Proposal 3
         ---------------------
         1) PFS : PFS ON
         2) Security Protocol: ESP
         3) Encryption: DES
         4) Authentication: HMAC-SHA1
         5) Life: 28800 sec
         6) Life Units: sec

         Enter your choice:

3 Select the field whose value you wish to change, and press Enter. Possible values for the field are listed. (The values shown are for the Authentication field in a phase 1 proposal.)

         Enter Authentication (1 = HMAC-MD5, 2 = HMAC-SHA1, 3 = NULL) [1]:

4 Enter a new value for the field, and press Enter. The field’s new value is accepted and the proposal’s values are listed again.

5 Do one of the following:

   a To change another field’s value, return to Step 3.

   b To return to the list of proposals configured for the selected phase, press Escape.
   The list of configured proposals is displayed again. Return to Step 2.

8.6.1.2 Configuring Pings in VPN Profiles

You can configure pings as part of a VPN profile, in order to maintain connections. In the VPN Profile Entry menu, pings can be configured for the following purposes:
• The Phase 1 Ping keeps Phase 1 tunnels up.
• The Phase 2 Ping keeps Phase 2 tunnels up.
• The Monitor Ping (also called the “backup ping”) monitors the status of the tunnel after set-up. If the tunnel is dropped, the BANDIT can use dial backup to re-establish the tunnel connection. (Dial backup must have already been configured in order to re-establish the connection.)

      VPN PROFILE ENTRY
      ----------------------------
      1) Profile Name: AGGR_G2
      2) Tunneling Mode: AGGRESSIVE
      3) VPN Gateway: 0.0.0.0
      4) User ID:
      5) Pre-shared Key: *****
      6) Phase 1 Ping : Disabled    Idle Time: 120 seconds
      7) Phase 2 Ping : Disabled    Idle Time: 120 seconds
      8) Monitor Ping : Disabled    Idle Time: 120 seconds
      9) Phase 1 Proposal
      10) Phase 2 Proposal

      Enter the number of the item to change:

To configure a ping, do the following:

1 On the VPN Profile Entry menu, select one of the following:
   • Phase 1 Ping
   • Phase 2 Ping
   • Monitor Ping
   The ping’s configuration menu is displayed.
      Phase1 Ping
      ------------------------
      1) IP Address : 0.0.0.0
      2) Packet Size : 50 Bytes
      3) Interval : 20 Seconds
      4) Idle Time : 120 Seconds

      Enter Choice :

2 Select IP Address and configure the IP address of a device in the remote network. (Although this can be the remote VPN gateway, we recommend that this be another device in the remote network.)

   Caution: This must be the IP address of a device that is always up on the network. If a device is regularly powered down or removed from the network, the ping will initiate a dial backup connection because it is not receiving a reply.

      Enter PING IP Address:

3 Select Packet Size and configure the size of the packet to send when pinging.

      Enter PING Packet Size(50 to 100)[50] :

4 Select Interval and configure the amount of time between pings.

      Enter PING Interval(seconds)(5 to 300)[30] :
5 Select Idle Time. If the ping receives no reply from the remote device, this is the amount of time the BANDIT waits before initiating a dial backup. Type the number of seconds to wait, and press Enter.

      Enter Receive Idle Time(Seconds)(30 to 30000)[90] :

6 When you have finished configuring this ping, press Enter to return to the VPN Profile Entry menu.

8.7 Using and Tracking VPN Connections

Note: Before you can use or track VPN connections, you must configure the BANDIT device for VPN, as described in Section 8.6, Configuring the BANDIT for VPN.

How to Use and Track VPN Connections

1 To use and track VPN connections, do the following:

   a Log in to the BANDIT device. (See Section 3.2, Connecting a Supervisory Terminal and Logging in to the BANDIT.)

   b On the Main Menu, select System Administration. (See Section 3.3, The Main Menu.)

   c If the BANDIT requests your password for the System Administration menu, type the password and press Enter. (The default password is encore. For details, see Section 3.3.1, The System Administration Menu.) The System Administration menu appears.

   d On the System Administration menu, select VPN Commands. (For details, see Section 3.3.1, The System Administration Menu.) The VPN Commands menu appears.
      VPN Commands
      -------------
      1) Establish VPN Tunnel
      2) Conclude VPN Tunnel
      3) VPN Trace Level - current value : None
      4) Show VPN Trace
      5) Clear VPN Trace Log

      Enter Choice :

2 Do one of the following:

   a To initiate a tunnel, select Establish VPN Tunnel. The menu to Initiate a Manual VPN Tunnel is displayed. Go to Step 3.

      Initiate a Manual VPN Tunnel
      -----------------------------
      Y) Yes
      N) No

      Are You Sure? :

   b To terminate a tunnel, select Conclude VPN Tunnel. The menu to Terminate a VPN Tunnel is displayed. Go to Step 3.

      Terminate a VPN Tunnel
      -----------------------
      Y) Yes
      N) No

      Are You Sure? :

   c To set the VPN trace level, select VPN Trace Level. The Virtual Private Network Tracing menu appears. Go to Step 5.
      Virtual Private Network Tracing
      --------------------------------
      N) No Trace - Turn Trace Off
      H) High Level Trace - Output Information
      M) Medium Level Trace - Input/Output Information
      L) Low Level Trace - All information except raw data
      D) Detail Level Trace - All information including raw data

      Enter Choice :

   d To see the VPN trace, select Show VPN Trace. Information about the VPN connection is shown. (A sample appears here.) Then the VPN Commands menu is redisplayed. Return to Step 2.

      0:added connection description "Remote"

   e To clear the VPN trace information, select Clear VPN Trace Log. Information about the VPN connection is erased. (At this point, Show VPN Trace displays the following message. The trace now begins to collect information from this point forward.) Then the VPN Commands menu is redisplayed. Return to Step 2.

      Trace Log is empty

3 To initiate (start) or terminate (accept) the tunnel, select Yes. One of the following prompts appears (as appropriate for initiating or terminating a tunnel).

      Enter Profile Name of VPN Tunnel to start (Maximum 15 characters):
      Enter Profile Name of VPN Tunnel to terminate (Maximum 15 characters):

4 Enter the name of the VPN profile you wish to use, and press Enter.

   Note: The VPN profile must already have been defined in the VPN Profile Table. In addition, you must type the profile name exactly as it appears in the VPN Profile Table, including capitalization.

   If you are starting a tunnel from one of the preconfigured (automated) scenarios, enter the VPN profile name Remote and press Enter. (For details of preconfigured scenarios, see Appendix B, VPNC Scenario for IPsec Interoperability.)

   If the tunnel cannot be established, a message similar to the following appears. Then the VPN Commands menu is displayed again. Return to Step 2.

      Profile Name Incorrect

   If the tunnel is being established, the following message appears. Then the VPN Commands menu is displayed again. Press Enter until you reach the Main Menu.

      Manual connection initiation

5 To set the VPN trace, do the following:

   a Select the trace level. If you select No Trace, the trace is turned off, and the VPN Commands menu is redisplayed. Return to Step 2.
   If you select a trace level, the following menu asks for confirmation of the trace.

      Initiate background tracing
      ----------------------------
      Y) Yes
      N) No

      Are You Sure? :

   b Select Yes. The following message appears, followed by the VPN Tracing menu.

      Background logging begun.

   c Press Escape. The VPN Commands menu is redisplayed. Return to Step 2.