Overview of Secure VPN Implementation - Page 17
Public Interface
A public interface is one that is used to connect IP Office directly to an xDSL or Internet
router and thereby provide Internet access. (A public LAN is sometimes referred to as a
demilitarized zone.) It is the function of the public interface to secure the Internal LAN
from the Internet. IP Office uses a firewall and NAT functionality to afford the necessary
protection on a public interface. A public interface connection is facilitated by the
following IP Office interface types:
• LAN2
• Logical LAN
• WAN (PPP numbered)
The IP Office product family includes both single and dual interface systems as follows:
• Single interface - IP403 and IP406: For single LAN systems a Logical LAN must be used for the configuration of the public interface.
• Dual interface - IP412 and IP Office Small Office Edition (IPSOE): For dual LAN systems the physical LAN2 interface is available and should be used as the public (external) LAN interface.
The following table summarizes the feature support for these public interface types:
Feature                  IP412  IP406  IP403  IPSOE  Description
Firewall                   √      √      √      √    IP Office Integral Firewall.
Logical LAN                X      √      √      X    For single LAN systems a Logical LAN is a secondary interface which is created on the physical LAN1 interface.
LAN2                       √      X      X      √    The LAN2 is a second physical Ethernet interface.
NAT                        √      √      √      √    NAT allows multiple devices to communicate using a single IP address.
NAT Reverse Translation    √      X      X      √    The function that allows an unknown incoming IP session to be mapped to a local internal LAN IP address.
DHCP Client Mode           √      X      X      √    IP Office can automatically obtain an IP address from a DHCP server and add the IP address to the interface. This function is not supported on a Logical LAN interface.
H323                       √      √      √      √    Originate or terminate H323.
IPSec                      √      √      √      √    Originate or terminate IPSec.
L2TP                       √      √      √      √    Originate or terminate L2TP.
Guidelines
1. DHCP client mode is not supported on the Logical LAN interface.
2. DHCP client mode automatically adds a default route for Internet operation.
3. RIP is not supported for IP Office secure VPN networking.
4. For a PPP numbered WAN link:
   a. QoS is applied to VoIP traffic destined for the VPN tunnel before the encryption stage.
   b. A minimum bandwidth of 1-2 Mbps is recommended for the link between the two systems.
   c. Do not run Multilink / QoS or IPHC on a WAN link that is passing VPN traffic.
   d. The QoS characteristics of the IP Office VoIP implementation are shown below:
      Description                    Value
      Voice UDP port numbers range   0xC000 to 0xCFFF
      Signalling TCP port number     1720
      DSCP (TOS/Diffserv) value      0xB8
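The port plan and TOS/DiffServ value above can be checked against flow records taken on the internal side of the tunnel, where the mark is applied before encryption. The following is an added example, not Avaya's code; the flow records are constructed, and it assumes the 0xB8 mark is expected on both the voice media and the H323 signalling flows.

```python
"""Audit IP Office VoIP flows against the QoS profile in the table above.

Added example. Flow records are assumed to be (proto, src_port, dst_port, tos_byte)
tuples captured before IPSec encapsulation, so the inner IP header carries the mark.
"""

VOICE_UDP_PORTS = range(0xC000, 0xCFFF + 1)   # voice media range from the table
H323_SIGNALLING_TCP_PORT = 1720              # signalling port from the table
EXPECTED_TOS = 0xB8                          # TOS/DiffServ byte from the table


def tos_to_dscp(tos: int) -> int:
    """DSCP is the upper six bits of the TOS byte; 0xB8 >> 2 == 46 (EF)."""
    return (tos & 0xFF) >> 2


def classify(proto: str, sport: int, dport: int) -> str:
    """Return 'voice', 'signalling' or 'other' using the IP Office port plan."""
    if proto == "udp" and (sport in VOICE_UDP_PORTS or dport in VOICE_UDP_PORTS):
        return "voice"
    if proto == "tcp" and H323_SIGNALLING_TCP_PORT in (sport, dport):
        return "signalling"
    return "other"


def audit(flows):
    """Return VoIP flows whose TOS byte differs from 0xB8 (assumed expected mark)."""
    findings = []
    for proto, sport, dport, tos in flows:
        kind = classify(proto, sport, dport)
        if kind != "other" and tos != EXPECTED_TOS:
            findings.append((kind, proto, sport, dport, tos_to_dscp(tos)))
    return findings


# Constructed sample flows (not taken from a real capture).
SAMPLE_FLOWS = [
    ("udp", 0xC010, 0xC3FE, 0xB8),   # voice media, marked EF as expected
    ("udp", 0xC020, 0xC4A0, 0x00),   # voice media, unmarked: will be flagged
    ("tcp", 51000, 1720, 0xB8),      # H323 signalling, marked
    ("tcp", 51001, 443, 0x00),       # unrelated traffic, ignored
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("VoIP flow without expected QoS mark:", finding)
```

A voice flow reported with DSCP 0 would be sent across the WAN link without the priority the guideline relies on.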
IP Office (R3.0) Virtual Private Networking
40DHB0002UKER Issue 3 (4th February 2005)
Typical VPN Deployment