
This displays the Destination Address window:

 

Figure 7.10 Destination address 

Enter the SnapGear PPTP server's IP address (the address of the appliance's Internet interface; if your ISP assigns that address dynamically, it may change) and click Next. On the next window select the Connection Availability you require, that is, whether the connection is available to all users who log on to this PC or only to you, and click Next to display the final window:

 

Figure 7.11 Completing the network connection wizard 

Enter an appropriate name for your connection and click Finish.

Your VPN client is now set up correctly. Before connecting, it is worth opening the new connection's Properties and confirming on the Security tab that data encryption is required, so that the client disconnects rather than falling back to an unencrypted tunnel.
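The wizard above is the Windows 2000 GUI. On current Windows (8 / Server 2012 and later) the same PPTP client connection can be created and checked from PowerShell with the VpnClient module. The following is an added example and is not part of the SnapGear manual. The connection name, the server address 203.0.113.1 and the username jsmith are assumptions for illustration; substitute your appliance's Internet-side address and the PPTP account created on it.

```powershell
# Added example (not from the SnapGear manual): the Windows 2000 wizard steps
# above, expressed with the VpnClient PowerShell module (Windows 8 / Server 2012
# and later). The values below are assumptions for illustration.
$Name   = 'SnapGear VPN'   # the name typed on the final wizard page (assumed)
$Server = '203.0.113.1'    # the appliance's Internet-side IP address (assumed)

# Equivalent of the "Destination Address" page plus "Connection Availability".
# Without -AllUserConnection the entry is per-user ("only for myself");
# add -AllUserConnection (from an elevated session) for "all users".
Add-VpnConnection -Name $Name `
    -ServerAddress $Server `
    -TunnelType Pptp `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -PassThru

# Check the result before dialling: the tunnel must be PPTP with encryption
# required, so the client refuses a cleartext tunnel rather than silently
# accepting one (the GUI equivalent is the Security tab check mentioned above).
$conn = Get-VpnConnection -Name $Name
if ($conn.TunnelType -ne 'Pptp' -or $conn.EncryptionLevel -ne 'Required') {
    throw "Connection '$Name' is not configured as an encrypted PPTP tunnel"
}

# Dial with the PPTP account created on the appliance. The '*' makes rasdial
# prompt for the password instead of leaving it in the shell history.
rasdial $Name jsmith *
```

PPTP's MS-CHAPv2 authentication and MPPE encryption are widely regarded as broken today, so treat this as legacy interoperability with the appliance rather than a secure remote-access design.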

Virtual Private Networking 83

SnapGear VPN Appliance Family User Manual, Rev 1.7.8, May 2nd 2003. SnapGear Inc., 7984 South Welby Park Drive 101, Salt Lake City, Utah 84084. Email: support@snapgear.com. Web: www.snapgear.com.