
APPENDIX A

Specifications

Packet Encryption
- DES encryption (56-bit key)
- Triple DES (EDE-CBC) encryption (168-bit key)
- Weak and semi-weak keys are automatically discarded

Packet Authentication
- Keyed MD5™ AH Message Digest Algorithm (RFC 1321)
- HMAC-MD5 and HMAC-SHA-1 (RFC 2104)

User Authentication
- RADIUS servers (Ascend Access Control™, Security Dynamics ACE/Server Access Manager, BaySecure™ Access Control, Funk Steel Belted RADIUS Server)
- CHAP and PAP
- SecurID™ tokens

Compression
- Stac™ Lempel-Ziv hardware data compression

Key Management
- IKE: Key updates configurable starting from 60 seconds (RFC 2409)
- SKIP: Keys updated every 30 seconds
- Manual
- All packet, traffic, and authenticating keys automatically generated

Firewall Integration
- Bypass mode for non-VPN traffic

Summary of Contents for VSU 7500

Page 1: ...VSU 7500 VPNware Service Unit User Guide VPNet Technologies Inc ...

Page 2: ...o Software and documentation shall remain solely with VPNet The license is effective until terminated Customer may terminate this License at any time by destroying all copies of Software including any documentation This License will terminate immediately without notice from VPNet if Customer must destroy all copies of Software Software including technical data is subject to U S export control laws...

Page 3: ...et s or its suppliers liability to Customer whether in contract tort including negligence or otherwise exceed the price paid by Customer The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose Software VPNet warrants that for a period of ninety 90 days from the date of shipment from VPNet i the media on which the Software is furnished will be free of ...

Page 4: ...t is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instruction manual may cause harmful interference to radio communications Operation of this equipment in a residential area is likely to cause harmful interference in which case users will be required to correct the interference at thei...

Page 5: ...eneral Site Requirements 1 6 Chapter 2 Installing the VSU 7500 Installing the Power Supply Modules 2 1 Rackmount Installation 2 2 Connecting the VSU 7500 to the Network 2 4 Chapter 3 Preparing the VSU 7500 for Configuration Preparation 3 1 Configuration 3 1 FIPS Mode 3 8 General Firmware Upgrade Information 3 8 Chapter 4 Troubleshooting Power Supply 4 1 Cooling Fans 4 4 Ethernet Interface Modules ...

Page 6: ...VSU 7500 User Guide APPENDIX A Specifications APPENDIX B 10 100BASE T UTP Crossover Cable Pinouts Glossary VSU Acronyms ...

Page 7: ...er supply modules and mounting the VSU 7500 in an equipment rack are also included in this chapter Chapter 3 Preparing the VSU 7500 for Configuration provides instructions for setting up VSU 7500 addressing and enabling remote connectivity for using the VPNmanager Chapter 4 Troubleshooting includes troubleshooting and replacement procedures for the VSU 7500 power supply modules cooling fans and du...

Page 8: ...upport is available to registered users of the VSU 7500 Voice 1 888 VPNET 88 within U S or 1 408 404 1400 outside U S FAX 1 408 404 1414 Email support vpnet com World Wide Web http www vpnet com Version Date Changes 09 0045 01 August 2000 Initial Release 09 0045 02 January 2001 Chapter 3 Modified VSU Quick Setup section Added FIPS Mode and General Firmware Upgrade Information ...

Page 9: ...ns Like other platforms in the VPNware family the VSU 7500 adds compression encryption authentication and key management to public network data links to ensure privacy and integrity of corporate data and to enable the efficient and secure operation of virtual private networks VPNs It is designed to perform complex operations in real time without compromising network performance and in many cases c...

Page 10: ...enalty in return for security The extra bytes tend to lengthen packets and reduce the throughput measured in packets per second Of even greater impact is the tendency for packets lengthened by IPSec headers to be fragmented by network routers causing further reductions in performance and additional latency Real time compression performed by the VSU 7500 eliminates packet fragmentation and produces...

Page 11: ...User Guide VSU 7500 Components Each of the major VSU 7500 components is shown in Figures 1 1 and 1 2 and described in Table 1 1 Figure 1 1 VSU 7500 Front Panel Figure 1 2 VSU 7500 Back Panel ...

Page 12: ...ng Fans System reliability is increased by hardware redundancy of the main cooling system so a failure of either fan does not prevent the safe operation of the unit If a fan failure is detected error messages are sent to the console port and management workstation Table 1 1 VSU 7500 Component Descriptions Item Description 1 Redundant hot swappable cooling fans 2 Status indicator 3 AC power recepta...

Page 13: ...des a public and private interface port A failure on either primary interface port public or private will result in an automatic failover to the corresponding secondary interface without any disruption in service If a failover condition occurs error messages are sent to the console port and management workstation NOTE The dual port 10 100BASE T Ethernet cards are enclosed in the tamper evident cas...

Page 14: ...ns are included in Appendix A Site Power Considerations Check the power at your site to ensure that you are receiving clean power free of spikes and noise Install a power conditioner if necessary WARNING This product relies on the building s installation for short circuit overcurrent protection Ensure that a fuse or circuit breaker no larger than 120 VAC 15A U S 240 VAC 10A international is used o...

Page 15: ...sktop or shelf or mounted in a standard 19 inch equipment rack The location of the chassis and the layout of your equipment rack or wiring room are extremely important for proper system operation Equipment placed too close together inadequate ventilation and inaccessible panels can cause system malfunctions and shutdowns and can make system maintenance difficult Quantity Part Description 1 VSU 750...

Page 16: ...nsure that the rack frame does not block the ventilation grates If the chassis is installed on slides check the position of the chassis when it is seated all the way into the rack In an enclosed rack with a ventilation fan in the top excessive heat generated by equipment near the bottom of the rack can be drawn upward and into the ventilation grates of the equipment above it in the rack Ensure tha...

Page 17: ... supply modules refer to Figure 2 1 and perform the following steps 1 Remove the two power supply modules from their shipping containers NOTE The power supply modules feature autoranging of the source AC line voltage thus eliminating the need for a voltage selector switch 2 Slide each power supply module into the enclosure and press firmly on the front of the unit to securely seat the unit The bla...

Page 18: ...he following procedure to install the VSU 7500 to a standard 19 inch equipment rack 1 From one side of the VSU 7500 remove the two front side screws 2 Using the flat head screws provided with the bracket attach the bracket to the VSU 7500 3 Repeat previous steps to attach the bracket on the other side of the VSU 7500 4 Install the VSU 7500 into a standard 19 inch rack using screws that fit the rac...

Page 19: ...Installing the VSU 7500 2 3 VSU 7500 User Guide Figure 2 2 Installing the Rackmount Brackets ...

Page 20: ...500 to the Network Figure 2 3 shows a typical network using the VSU 7500 Figure 2 3 Typical VSU 7500 Hardware Installation Public Network VSU 7500 Secondary Private Port Secondary Public Port Primary Private Port Primary Public Port Router Hub Switch Router Private LAN ...

Page 21: ...nnection requires a null modem cable which is supplied The communication settings for a terminal or PC connected to the console port are provided in Table 2 1 The Public ports provide redundant interfaces to the public network while the Private ports provide redundant interfaces to the private network Connect UTP Crossover Cables between the VSU 7500 Public Ports and the Router Connect Standard UT...

Page 22: ...ect the other end of the UTP crossover cable to the router hub switch on the public side of the LAN Repeat this step for the Secondary Public port 2 Connect the VSU 7500 to the private side of the LAN Using a standard straight through 10 100BASE T UTP cable connect one of its RJ 45 connectors to the VSU 7500 Primary Private port and the second one to the hub or switch on the private secured LAN Re...

Page 23: ...e This preliminary configuration is performed using a terminal or a PC running terminal emulation software connected to the RS 232 console port The following procedure assumes that the VSU 7500 has been physically installed on the network according to the instructions provided in Chapter 2 Configuration Beginning with VPNware 3 1 the following information is configured through the VSU console Quic...

Page 24: ... is passed through the VSU All non VPN IP traffic is dropped except for the following ICMP IGMP GGP EGP IGP DGP EIGRP and OSPF NOTE This mode should be used when the VSU is dedicated to VPN traffic and is the only device between the private and the public networks Deny all non VPN traffic When checked all non VPN traffic is prevented from passing through the VSU This mode blocks non IP traffic and no...

Page 25: ...0 60 a1 00 23 f9 ethernet1 MAC Address 00 60 a1 00 23 fa ethernet2 MAC Address 00 60 a1 00 16 9a ethernet3 MAC Address 00 60 a1 00 16 9b Checking Non Volatile RAM integrity OK Checking Configuration Database OK Checking Certificate Database OK Calibrating CPU performance monitor OK Power Cooling subsystems Monitor initializing Power Subsystem is Good Cooling Subsystem Good Done VPNet Technologies ...

Page 26: ...s and mask are optional 3 Enter the default route for this VSU Typically the default route is the IP address of the gateway router that provides an IP route between the VSU 7500 and the public network e g Internet VPNet Technologies VSU XXXX Main Menu 1 Configuration 2 Statistics 3 Utilities 4 Logout 5 Quick Setup Your choice 1 5 5 IP address 192 0 2 1 Mask 255 255 255 0 IP address 210 1 18 135 IP...

Page 27: ...to allow the Network Administrator to initially configure this VSU through the VPNmanager application Press Return or enter n to leave the superuser name at its default value of root or enter y to change the superuser name Both the superuser name and password may be up to 31 characters and are case sensitive The name and password will be required later when first setting up the VSU through the VPN...

Page 28: ...want the VSU to run in FIPs compliant mode If you answer n the code skips to the date and time configuration Go to Step 7 Enter y if you want the VSU to run in FIPs compliant mode If you answer y answer the following configuration questions For more information regarding FIPS see FIPS Mode on page 3 8 Non VPN traffic mode non VPN traffic is currently forwarded Non VPN Traffic Configuration Menu 1 ...

Page 29: ... 00 00 is equivalent to 1 00 PM 9 Reboot the VSU 7500 Your VSU 7500 is now prepared for configuration by using the VPNmanager The VSU initially passes all traffic between its Public and Private ports This would be a good time to verify connectivity by pinging the VSU from public and private machines and by passing traffic between public and private machines Proceed to the VPNmanager Administrator ...

Page 30: ...an SHA 1 General Firmware Upgrade Information Configuration Items Left to the VPNmanager The following items are likely to be configured by most administrators but are left to VPNmanager or other VSU console menu items to keep the Quick Setup menu minimal LDAP servers used to authenticate VPNmanager console users Disable a VSU s SuperUser account Flushing the configuration on VPNware 3 1 In the ev...

Page 31: ...res for both types are provided in this section Fault Indication If one of the power supply modules fails an audible alarm will sound the green LED status indicator on the power supply subsystem extinguishes and an error message is sent to the console port In addition SNMP trap and syslog error messages are sent to the management station The VSU 7500 should continue to operate correctly with a sin...

Page 32: ...retaining lock button to the right and gently pull the defective module out of its enclosure 4 Set the ON OFF I O switch on the new power supply module to OFF 5 Slide the new power supply module into the enclosure and press firmly on the front of the module to securely seat the module Be sure the retaining lock is engaged to secure the module WARNING Do not insert any object into the power supply ...

Page 33: ...tive power supply module will be OFF 3 Set the ON OFF I O switch of the defective power supply to OFF 4 Grasp the handle on the power supply and gently pull the defective module out of its enclosure Figure 4 2 Alternate Power Supply Removal and Replacement 5 Set the ON OFF I O switch on the new power supply module to OFF then slide the new power supply module into the enclosure and press firmly on...

Page 34: ...nt station If both fans fail the VSU 7500 will shut down to prevent thermal stress to the system s electrical components after notifying the management station Contact your customer service representative to obtain a replacement for the defective fan Fan Removal and Replacement Referring to Figure 4 3 perform the following steps to replace the cooling fan 1 Unscrew the two thumbscrews in the lower...

Page 35: ... a single card Thus if a card level failure occurs on the primary interface module it is convenient to failover the paired interfaces to the second interface module A failure on either primary interface port public or private will result in an automatic failover to the corresponding secondary interface without any operator intervention required VSU 7500 redundancy is configured through the VSU Act...

Page 36: ...SNMP trap and syslog error messages are sent to the management workstation Removal and Replacement The dual port 10 100BASE T Ethernet modules are enclosed in the tamper evident case and may be replaced only by an authorized service technician Contact your customer service representative or VPNet technical support for instructions on getting the unit serviced ...

Page 37: ...104 User Authentication RADIUS servers Ascend Access Control Security Dynamics ACE Server Access Manager BaySecure Access Control Funk Steel Belted RADIUS Server CHAP and PAP SecurID tokens Compression Stac Lempel Ziv hardware data compression Key Management IKE Key updates configurable starting from 60 seconds RFC 2409 SKIP Keys updated every 30 seconds Manual All packet traffic and authenticatin...

Page 38: ...riSign GTE Cybertrust Entrust Frontier Technologies Baltimore Netscape Microsoft and Thawte System Management Configuration via Java based VPNmanager Monitoring from any application with SNMPv1 via VSU 1100 MIB Configuration traffic secured through SSL Secure software download for system upgrades Syslog event and usage logging Remote Client Support VPNremote Client Software for Windows 95 98 NT Co...

Page 39: ...Input frequency 50 to 60 Hz AC input current 3 5 Amps Internal Battery non user serviceable part CAUTION Danger of explosion if memory backup battery is incorrectly replaced Replace only with the same or equivalent type recommended by the manufacturer Dispose of used batteries according to the manufacturer s instructions Operating Environment Temperature 32 to 104 F 0 to 40 C Relative Humidity 5 t...

Page 41: ...ossover Cable Pinouts B 1 APPENDIX B 10 100BASE T UTP Crossover Cable Pinouts The 10 100BASE T UTP Crossover Cable defined below is provided with the VSU 1200 Signal Name Male RJ 45 Male RJ 45 TX 1 3 TX 2 6 RX 3 1 RX 6 2 ...

Page 43: ...base system used to map host names to IP addresses and vice versa DCE Data Communication Equipment DSU CSU Data Service Unit Channel Service Unit DTE Data Terminal Equipment ECB Electronic Code Book encryption HDLC High level Data Link Control ISAKMP Internet Security Association Key Management Protocol IPSEC Internet Protocol SECurity MD5 Message Digest Algorithm ...

Page 44: ...For Comment SHA Secure Hash Algorithm SKIP Simple Key Management for Internet Protocol SNMP Simple Network Management Protocol SSL Secure Socket Layer TCP IP Transmission Control Protocol Internet Protocol URL Uniform Resource Locator UTP Unshielded Twisted Pair VPN Virtual Private Network VSU Virtual Service Unit ...

Page 45: ...stallation desktop 2 2 rackmount 2 2 IP address 3 4 IPSec standards 1 2 L LAN connections 2 6 N netmask 3 4 P password VSU console 3 5 performance 1 2 phone support 1 ii plug and play installation 1 2 power on bootup screen 3 2 product registration 1 ii Q quick setup menu 3 4 R reboot 3 7 registration 1 ii requirements environmental 1 6 router connections 2 6 S security 1 2 SHA1 1 2 SKIP 1 2 speci...
