manualshive.com logo in svg

ETIC SIG, User Manual, Page: 59 / 83

Share
Download
ETIC SIG User Manual Download Page 59

 

CONFIGURATION

 

SIG Router & VPN server 

User’s guide ref. 9017409-01

 

Page 59

 

• 

Main filter table

 

The main filter is a table, each line being a rule. 
 
Each rule of the filter is composed a several fields which defines a 
particular  data flow  and another field which is called the action field.  
 
The fields which define the data flow are : 

Direction (« WAN to LAN » or  « LAN to WAN »),  
Protocol (TCP, UDP…),  
IP@ & port number, source & destination. 

 
The Action field can take two values 

Accept : To authorize the data flow to be forwarded to the router interface.  
Drop  : To drop the packet which matches the rule.

 

 

• 

How does the main filters works 

When the firewall receives a packet, it checks if it matches the first rule.. 
If it does, the decision is applied to the packet according to the “Action” field. 
 
If it does not, the firewall checks if it matches the second rule; and so on. 
 
If the packet does not match any of the rules of the table, the default policy is applied to 
the packet (drop or reject).

 

Summary of Contents for SIG

Page 1: ...SIG TLS or IPSec VPN server _________________ User manual Document reference 9017409 01 _________________ ...

Page 2: ...he SIG router VPN server is manufactured by ETIC TELECOM 13 Chemin du vieux chêne 38240 MEYLAN FRANCE TEL 33 0 4 76 04 20 05 FAX 33 0 4 76 04 20 01 E mail hotline etictelecom com web www etictelecom com ...

Page 3: ...guration 15 2 REBOOTING THE ROUTER AFTER PARAMETERS CHANGES 16 3 RECOVERING THE IP ADDRESS OF THE ROUTER 16 4 RECOVERING THE FACTORY CONFIGURATION 16 5 RESTRICTING ACCESS TO THE ADMINISTRATION SERVER 17 6 ASSIGNING IP ADDRESSES TO THE LAN AND THE WAN INTERFACES 18 6 1 Principles of operations 18 6 2 LAN interface parameters 19 6 3 WAN interface parameters 21 7 CREATING VPN CONNECTIONS BETWEEN ROUT...

Page 4: ...anced network address and port translation 39 10 VRRP REDUNDANCY 44 10 1 Principle 44 10 2 Configuring VRRP on the LAN interface 45 10 3 Configuring VRRP on the WAN interface 46 11 REMOTE USERS CONNECTIONS SERVICE 47 12 REMOTE USERS CONNECTIONS 48 12 1 Principles 48 12 2 Configuring a TLS connection 49 12 3 Configuring a PPTP connection 52 13 USERS LIST 53 14 FIREWALL 56 14 1 Overview 56 14 2 Main...

Page 5: ...ng a certificate 67 15 2 Alarms Erreur Signet non défini 15 3 Configuring the web portal 68 15 4 Configuring the DNS server 69 1 DIAGNOSTIC 71 2 SAVING THE PARAMETERS TO A FILE 72 3 UPDATING THE FIRMWARE 72 1 OVERVIEW 77 2 FUNCTIONS 78 3 OPERATION 78 Appendix 1 Administration html server Appendix 2 VPN mechanisms ...

Page 6: ......

Page 7: ...rth RoHS 2002 95 CE RoHS Supply voltage 110 to 230 VAC 50 60Hz 60 W Operating T 5 C 40 C Humidity 5 95 Internet connection Ethernet 4 Type Bridge PPPo Ethernet IP Router Ethernet IP router Ethernet 10 100 BT Port Ethernet 1 LAN conection Port Ethernet 4 WAN connection IP router Remote connections static routes RIP V2 Ip address translation Source IP translation NAT Destination IP translation DNAT ...

Page 8: ...lient or server PSK or X509 certificates TLS SSL Client or server X509 certificates Encryption 3DES Firewall Stateful packet inspection Logs Event logs date and time Remote access server RAS User list 25 users Connection VPN PPTP L2TP IPSec TLS Open VPN Login password Certificate X509 Alarms 3 inputs emails ...

Page 9: ...terface Ethernet 4 On that interface the SIG behaves as a VPN server The LAN interface Ethernet 1 The SIG is at the same time a VPN server able to manage up to 128 IPSec or TLS tunnels an IP router to route IP packets between its two interfaces a remote access server RAS to give a secure access to the LAN or to the remote sites for authenticated remote users SIG Router VPN server User s guide ref ...

Page 10: ...er Interface Led Function Ethernet 1 DATA Blinking quickly Data activity LINK Lit Interface connected Ethernet 4 DATA Blinking quickly Data activity LINK Lit Interface connected Power led Page 10 User s guide ref 9017409 01 SIG Router VPN server ...

Page 11: ... Tx TX polarity 3 Rx Reception polarity 4 N C 5 N C 6 Rx Reception polarity 7 N C 8 N C 2 Installation The product includes a fan Mount the SIG router in a 19 inch rack or place it on a flat surface Leave 10 cm of clearance at the sides and in the rear to avoid overheating Attach the brackets Secure the SIG router to the rack with the rack mounting screws ...

Page 12: ......

Page 13: ...P address Later in the text we often speak of network address We mean the lowest value of the addresses of the network For instance if the netmask of a network is 255 255 255 0 the network address of that network is X Y Z 0 Copy and paste Parameters must be entered with the keyboard they cannot be pasted However it can be useful to paste a string when it is long and to avoid errors In that case pa...

Page 14: ...nfiguration assign or instance 192 168 0 127 to the PC Step 2 Connect the PC directly to the LAN interface Ethernet 1 of the SIG using any Ethernet cable straight or cross wired Step 3 Launch the navigator Enter the LAN IP of the router 192 168 0 128 The Home page of the administration server is displayed Page 14 User s guide ref 9017409 01 SIG Router VPN server ...

Page 15: ...to the html server Launch the html browser and enter the IP address assigned to the router Or launch the ETICFINDER utility to detect the SIG address Enter the login and password which may restricts the access to the html server Modifying the configuration from the WAN The html administration server can be reached from the WAN either through a PPTP or TLS or L2TP IPSec remote user connection or th...

Page 16: ...ect the maintenance menu and then the Save restore menu Click the Save current configuration to disk button 3 Recovering the IP address of the router If you cannot access the SIG by any method it is possible to recover the stored IP address by using the ETIC FINDER software provided by ETIC TELECOM 4 Recovering the factory configuration It may be necessary to restore the factory configuration of t...

Page 17: ... a login and password To protect access to the administration server Select the Set up menu the Security menu and then the Administration menu Remark For more simplicity we advise to chose the login and the password of one of the remote users stored in the user list SIG Router VPN server User s guide ref 9017409 01 Page 17 ...

Page 18: ...The IP addresses pool assigned to the remote users when they connect The administration html server is located at that address The WAN interface The WAN interface is the Ethernet Nr 4 interface The SIG behaves at the same time like a VPN server and like a remote access server on that interface IP addresses assignment rules The SIG router will be able to route packets between the LAN and the WAN in...

Page 19: ...over the LAN interface That IP address will have to be entered to display the administration server of the router Netmask parameter Enter the IP netmask assigned to the LAN Start of users IP address pool end of users IP addresses pool parameters That parameters define the pool of addresses which will be assigned automatically to remote user s PC when they will connect to the router Enter the start...

Page 20: ...he LAN interface To configure the DHCP server function select the Set up menu and then LAN interface and then DHCP server IP address pool start IP addresses pool end parameters That parameters define the range of IP addresses which can be assigned by the SIG to the DHCP client devices Primary DNS IP address secondary DNS IP address parameters Enter the IP addresses of the domain name servers the D...

Page 21: ...address parameters IP address netmask parameters Enter the IP address and netmask assigned to the WAN interface of the router Default gateway parameter Enter the IP address of the default gateway Obtain DNS IP addresses automatically parameter Select that option if the Domain name server IP addresses are provided automatically through the WAN interface Otherwise enter the DNS servers IP addresses ...

Page 22: ... be easily used when the VPN must pass through several or even numerous company routers Once a type of VPN TLS or IPSec has been selected all the VPN set with the SIG router will be of the same type Two steps are necessary to configure the SIG to create VPN connections between routers 1 st step Select the VPN type and set up the VPN parameters Once a type of VPN has be selected it applies to all t...

Page 23: ...CONFIGURATION To create VPN connections between routers select the Set up menu and then Network and then VPN connections SIG Router VPN server User s guide ref 9017409 01 Page 23 ...

Page 24: ...rties Protocol parameter AH RFC2402 provides integrity authentication replay resistance and non repudiation but not encryption select AH if no encryption is required or if NAT traversal is required ESP provides the same services plus encryption If ESP is selected an encryption and an authentication protocols must be selected Page 24 User s guide ref 9017409 01 SIG Router VPN server ...

Page 25: ...s allow to define the encryption and hash algorithms in use during the phase 1 of the exchanges between the end points VPN set up and during the phase 2 data exchange The default value is Auto in that case both end points will negotiate a common algorithm DPD request period parameters A DPD request also called Keepalive message is a message sent periodically by each end point to the other one to m...

Page 26: ...on Remote LAN IP address Remote router Remote WAN IP address LAN IP address WAN IP address To set up an outgoing VPN connection Come back to the VPN connections screen Click the add a connection button Give a name to the connection and select the Outgoing option Page 26 User s guide ref 9017409 01 SIG Router VPN server ...

Page 27: ...ditional parameter has to be entered If a particular PSK must be used complete the configuration of the connection as explained below Unique PSK for this node parameter Select that option if a particular PSK key has to be used for this connection PSK value parameter Enter the value of the PSK My WAN address parameter Enter the IP address of the router on the WAN interface Certificate My subjectAlt...

Page 28: ...ddress LAN IP address Incoming connection Outgoing connection Remote WAN IP address WAN IP address Remote router IP network To set an ingoing VPN connection Come back to the VPN connections screen Click the add a connection button Page 28 User s guide ref 9017409 01 SIG Router VPN server ...

Page 29: ...cular PSK must be used carry out the configuration of the connection as explained below Use a specific key for this connection parameter If that option is not selected the preshared key entered in the VPN configuration screen will be used by the router If that option is selected enter the specific key My WAN address Remote WAN address parameters Enter the WAN IP address of the router and the WAN I...

Page 30: ...nnections menu Select the TLS VPN type and click Properties Port number protocol parameters Select the port Nr and the type of level 3 protocol used to transport the TLS VPN UDP will be preferred Attention The port number value must be different from the one used by remote users Page 30 User s guide ref 9017409 01 SIG Router VPN server ...

Page 31: ...er defines the maximum amount of time in seconds a VPN connection will stay established before being cleared if no response to the VPN control message has been received from the remote router Packet retransmit time out parameter A control message also called Keepalive message is sent periodically by the VPN server router to make sure that the VPN must be left active This parameters sets the amount...

Page 32: ...ddress Select the Set up menu the network menu and then the VPN connections menu Select the Set up menu the network menu and then the VPN connections menu Click the add a connection button Click the add a connection button Give a name to the connection and select the Outgoing connection direction option Give a name to the connection and select the Outgoing connection direction option Page 32 User ...

Page 33: ...er Enter the login and password the router will have to use to authenticate Remote WAN IP address URL parameter Enter the IP address of the remote router or its DNS name Remote WAN IP address parameters Enter the IP network address and netmask assigned to the remote router over its WAN interface ...

Page 34: ...t the Set up menu the network menu and then the VPN connections menu Click the add a connection button Give a name to the connection and select the ingoing connection direction option Remote router Login Remote router password parameters Enter the login and password of the remote router The remote router has to use that login and password to authenticate Page 34 User s guide ref 9017409 01 SIG Rou...

Page 35: ... router is ready to route frames between devices connected to the remote LAN network like RL1 and devices connected to the LAN network like L1 through a VPN between devices connected to the WAN network like W1 and devices connected to the LAN network like L1 RL1 VPN WAN 192 168 3 0 24 LAN 192 168 2 0 24 W1 L1 Remote WAN 192 168 4 0 24 R3 router 192 168 2 128 R2 router 192 168 3 128 192 168 4 128 1...

Page 36: ...24 Remote LAN 192 168 5 0 24 LAN 192 168 2 0 24 In that case it is necessary to enter the route to that hidden network 6 that route is called a static route A static route consists in a table which describes a destination network IP address and netmask and the IP address of the neighbour router through which an IP packet to that destination must pass Router 2 static routes Active Route name Destin...

Page 37: ...parameters Enter the destination network IP address and netmask Gateway IP address parameters Enter the Ip address of the gateway through which the IP packets intended for that network must pass 8 3 RIP protocol RIP Routing Information Protocol is a routing protocol which enables each router belonging to a network to acquire the routes to any subnet The principle is as follows Routing table Each r...

Page 38: ...frames addressed to the WAN IP address of the router The transfer criteria is the port number the port number is used as an additional address field When a frame is addressed to the SIG router with a particular registered port it is transferred to a particular device connected to the LAN interface Example Let us suppose the PC named W1 of the WAN network has to send frames to the device PLC1 of th...

Page 39: ...s in replacing the source port and IP address or the destination port and IP address of particular frames received by the router on its interfaces according to configured rules It applies to all the frames received by the router on any of its two interfaces except to the IP packets contained in a remote user PPTP or TLS connection It applies as well to frames the destination address of which is th...

Page 40: ...s of the IP packets processed by the SIG router and because the firewall filters that frames it is very important to understand in which order that different functions are carried out Direction WAN to LAN LAN to WAN Page 40 User s guide ref 9017409 01 SIG Router VPN server DNAT FIREWALL SNAT WAN LAN Router LAN SNAT DNAT WAN FIREWALL Router ...

Page 41: ...ONFIGURATION 9 2 2 Configuration To set the advanced address translation functions select the Set up menu Network and then the Advanced NAT menu SIG Router VPN server User s guide ref 9017409 01 Page 41 ...

Page 42: ...e Select Yes to enable the rule Enter the replacement criterion Source IP address Destination IP address Protocol TCP UDP Source port Destination port Enter the new destination port number and IP address Page 42 User s guide ref 9017409 01 SIG Router VPN server ...

Page 43: ...tion port Click Add a SNAT rule Select Yes to enable the rule Enter the replacement criterions Source Destination IP address Protocol TCP UDP Source Destination port Enter the new source IP address SIG Router VPN server User s guide ref 9017409 01 Page 43 ...

Page 44: ...all the routers of the group This virtual address is the address which must be stored as the default gateway address in all the host devices belonging to the subnet A priority index is assigned to each router of the group Using that index the routers of the group can elect a master router the master router is the one which has the greatest priority code The other routers are the backup routers The...

Page 45: ... code must be assigned to all the routers of the group Virtual IP address parameter Enter the IP address the elected master router will use to answer to ARP requests Priority 1 255 parameter Assign a priority index to the router The router which has the greatest index will become the master router Use a virtual MAC address parameter A virtual MAC address can be associated to the virtual IP address...

Page 46: ... code must be assigned to all the routers of the group Virtual IP address parameter Enter the IP address the elected master router will use to answer to ARP requests Priority 1 255 parameter Assign a priority index to the router The router which has the greatest index will become the master router Use a virtual MAC address parameter A virtual MAC address can be associated to the virtual IP address...

Page 47: ...ss rights are automatically allocated to the remote user An IP address belonging to the LAN network is automatically assigned to the remote PC Data are encrypted TLS and L2TP IPSec only The connection is logged Moreover the SIG is compatible with the M2Me_Connect service when setting a direct connection is not possible To set up the remote user connection service the following steps must be carrie...

Page 48: ...r L2TP An IP address belonging to the local network is automatically assigned to the remote user s PC The SIG manages PPTP and TLS or L2TP remote connections Only one type can be selected It will apply to all the remote users connections A PPTP is the simplest type of remote user connection data is not encrypted The remote user can be identified only with a login and password A TLS connection prov...

Page 49: ... to the SIG easy moreover it includes a connection book in such a way one just need a click to connect to a remote site We describe hereafter how to configure the router and the M2Me_Secure software to set a TLS VPN between both Step 1 Router configuration To configure a remote user TLS connection select the Set up menu the Remote users menu and then the User list menu SIG Router VPN server User s...

Page 50: ...d the type of level 3 protocol used to transport the TLS VPN UDP will be preferred Attention The selected port number assigned to the remote users connections must be different from the one used for VPN connections between routers if such VPN connections have been configured Page 50 User s guide ref 9017409 01 SIG Router VPN server ...

Page 51: ...red in the user list Encryption algorithm Message digest algorithm parameters Leave the default values Step 2 Configure the M2Me_Secure software For detailed information refer to the M2Me_Secure manual Click Menu and then New site The Site configuration window is displayed Select the General tab and enter a site name Select the Connection tab select the option That site can be reached through the ...

Page 52: ...Router configuration select the Set up menu the Remote users menu and then the User list menu Select the VPN type PPTP Remark The properties button allows to modify the authentication protocol leave the default configuration if the PPTP client is a PC running Windows Step 2 Set a PPTP connection on the PC side Page 52 User s guide ref 9017409 01 SIG Router VPN server ...

Page 53: ...ch user form stores the identity of the user Login and password his email address to send alarm emails and the filter assigned to him To display the user list select the Set up menu the Remote users menu and then the User list menu SIG Router VPN server User s guide ref 9017409 01 Page 53 ...

Page 54: ...form Click the add a user button Active value Yes or NO Select No if you want to prevent the user to access the network Select yes to authorize the user to access the network Full name It is the name displayed in the user list Login password The login and the password will have to be entered by each user at the beginning of the remote connection Page 54 User s guide ref 9017409 01 SIG Router VPN s...

Page 55: ...e input 1 is closed or opened if that option has been set Internet connection email Once connected to the Internet the SIG will send to the demanding user an email containing the dynamic IP assigned to the SIG by the provider See OPERATION chapter Firewall filter Select a filter in the list A filter defines a domain of the local network Thus once assigned to a user a filter limits his or her acces...

Page 56: ...ed individually to each of the users declared in the user list The source IP address of the packets is not checked by the remote users filters because the filters apply to the remote users connections according the login and password of the remote user checked when the remote user connection is set The main filter It filters IP packets whether carried inside one of the VPNs or outside a VPN The ma...

Page 57: ... SIG firewall can thus be represented by the drawing hereafter VPN between routers WAN LAN Users filters Main filter FIRE WALL DoS filter Port forwarding Remote user connection SIG Router VPN server User s guide ref 9017409 01 Page 57 ...

Page 58: ...transmitted outside the VPNs Each of that two filters is made of a filter policy and a filter table each line of which is a filter rule Main filter default policy The default policy is the decision which will be applied if a packet does not match any of the rules of the filter The WAN to LAN and the LAN to WAN traffic are regarded separately because the decision can be opposite for a packet coming...

Page 59: ...DP IP port number source destination The Action field can take two values Accept To authorize the data flow to be forwarded to the router interface Drop To drop the packet which matches the rule How does the main filters works When the firewall receives a packet it checks if it matches the first rule If it does the decision is applied to the packet according to the Action field If it does not the ...

Page 60: ...wo parts WAN traffic rules The first part entitled WAN traffic rules is made to define how the IP packets not carried in a VPN have to be filtered VPN traffic rules The second part entitled VPN traffic rules allows to define how the IP packets carried inside the VPNs have to be filtered Page 60 User s guide ref 9017409 01 SIG Router VPN server ...

Page 61: ...P packet will be rejected The cautious default policy is to choose the value Drop at the opposite if the value Accept is selected a frame which does not match any of the rules of the filter is transmitted Step 2 Add a rule to the filter Click the add a rule button Direction parameter Select the direction of the data flow to which the rule applies Action parameter Select the value Accept if the IP ...

Page 62: ...s the filter assigned to him see the remote user form According to his identity Login and password he will thus only access to the IP domain defined by the filter Example Filter name Access to the device PLC1 html and modbus Filter policy All is forbidden except what we specify Rules list Action Device Service Allow PLC1 192 168 0 12 80 Allow PLC1 192 168 0 12 Modbus 502 A filter must be assigned ...

Page 63: ... the LAN network Select the System menu then Devices list The list of the devices of the LAN network is displayed Click add a device Assign a label and an IP address to the device and click OK SIG Router VPN server User s guide ref 9017409 01 Page 63 ...

Page 64: ...CONFIGURATION Step 3 Build a remote user filter Select the security menu then firewall and then Filter list The users filters list is displayed Page 64 User s guide ref 9017409 01 SIG Router VPN server ...

Page 65: ...at we specify is the advised policy Click add a new rule to the list Select a device among the ones which have been stored and a service also called port Add other rules if necessary Click OK when the filter is complete the updated filter list is displayed SIG Router VPN server User s guide ref 9017409 01 Page 65 ...

Page 66: ...9 01 SIG Router VPN server Step 4 Assign a filter to each user Select the Remote user and then User list Select a user to which you want to assign a filter and click modify the user window is displayed Assign a filter to the user click OK and save ...

Page 67: ...can be downloaded into the router To import a new certificate the file extension can be PKCS 12 with a password or PEM Even if more than one certificate have been downloaded into the SIG router one certificate can be used for all the connections 15 2 SNMP The SIG router is able to send snmp traps when alarms occur Activation If that option is selected the router will send an SNMP trap if an alarm ...

Page 68: ...he associated machine if it is a Windows machine The ftp link To explore the files of the associated device If the we portal option has been selected see below the web portal page is displayed when the remote user launches the navigator and enters the Ip address assigned to the SIG router In that case the administration server usually can be displayed at the same address but at the port number 808...

Page 69: ...he destination device The SIG router is able to resolve any domain name composed with the name of one of the devices entered in the devices list followed the site name which is entered at the top of the devices list DNS relay The SIG router behaves also like a DNS relay any DNS request it receives from the LAN which cannot be resolved because the device is not registered in the devices list will b...

Page 70: ......

Page 71: ...That screen displays the current status of the LAN interfaces and of the Internet connection LAN interfaces That part of the page shows the data of the LAN interface MAC address Ethernet mode 10 100 half or full IP address WAN interface That part of the page shows the data of the Internet interface MAC address Ethernet mode 10 100 half or full IP address DNS servers addresses Default gateway VPN s...

Page 72: ...restart the product Attention A parameters file can only be restored towards a product having the same firmware version 3 Updating the firmware Step 1 Before starting you need a PC with a Web browser and an Ethernet cable the FTP server software which can be downloaded from the firmware page of the ETIC download area web server Step 2 Download the release of the firmware from our download area to ...

Page 73: ...te The IP address of the PC is written in the field Server Interface in the TFTP server windows Click Save and then Update The first file should begin to be downloaded from the PC to the router During the operation the led blinks When the download is finished the product automatically reboots To be sure the new release has been installed go to About in the administration web page of the IP product...

Page 74: ...MAINTENANCE Page 74 User s guide ref 9017409 01 SIG Router VPN server ...

Page 75: ...er on the LAN interface WAN interface To enter the IP of the router over the WAN interface Network To configures the VPNs To enter static routes and enable the RIP protocol To set up the VRRP redundancy protocol To set up port forwarding To set up advanced Ip addr translation functions Security To set the firewall rules User filter and main filter To add a certificate To restrict access to the adm...

Page 76: ...AC IP ADSL VPN VPN status Routing tables Tools To send Pings from the router Advanced To store the internal report to a disk for diagnostic purposes 3 Maintenance menu Firmware update To update the firmware Save restore To save or restore a configuration file To restore the factory configuration Reboot To restart he router 4 About menu To display the certificate product key To display the firmware...

Page 77: ...lly safe VPN between two networks Réseau IP VPN Router VPN end point Router VPN end point Once a VPN has been set between the two routers any device of the first network can communicate with any device of the second one as if the two routers were directly connected with an Ethernet cable VPN between a remote PC and a network VPN VPN end point VPN end point IP network Router SIG Router VPN server U...

Page 78: ...of authentication can be performed using a VPN Device level authentication A code is stored in each end point i e router or PC it can be a Key or a certificate delivered by a certification authority During the initial phase the two end point exchange their codes each party checks that the other party code is valid User level authentication The SIG router holds a user list once a VPN has been set w...

Page 79: ...User s guide ref 9017409 01 Page 79 VPN clearing Periodically each router or at least the VPN server router sends to the other one a control message to check the VPN must remain established If no response is received from the other party the VPN is cleared ...

Page 80: ...APPENDIX2 VPN basic mechanisms Page 80 User s guide ref 9017409 01 SIG Router VPN server ...

Page 81: ......

Page 82: ......

Page 83: ...13 Chemin du Vieux Chêne 38240 Meylan France Tel 33 4 76 04 20 00 Fax 33 4 76 04 20 01 E mail contact etictelecom com Web www etictelecom com ...

Reviews:

No comments