PN - Multi-Tech Systems

RF760VPN
RF660VPN
RF600VPN
Setup Examples
Reference Guide
RF760VPN/RF660VPN/RF600VPN Application
Examples
PN S000283D
Copyright © 2003-5
This publication may not be reproduced, in whole or in part, without prior expressed written permission from Multi-Tech
Systems, Inc. All rights reserved. Multi-Tech Systems, Inc. makes no representations or warranty with respect to the
contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.
Furthermore, Multi-Tech Systems, Inc. reserves the right to revise this publication and to make changes from time to time
in the content hereof without obligation of Multi-Tech Systems, Inc. to notify any person or organization of such revisions
or changes.
Revision   Date                   Description
A          12/27/02               Initial release
A1         01/10/03               Updated RF550VPN to V4.63, removed SSH procedure.
A2         01/10/03               Made packet filter rule corrections.
B          01/30/04               Remove examples 2 and 3. Add RF760/660VPN for software version 3.10.
C          03/03/04               Added in examples 2 and 3.
D          11/03/04 & 01/25/05    Updated for software version 3.20 and 3.21.
The examples on the following pages illustrate:
1. A LAN-to-LAN VPN configuration between two RF760VPN/RF660VPN/RF600VPNs, one at Site A and one at Site B, with both RouteFinders using static IP addresses at their WAN port gateways.
2. A LAN-to-LAN VPN configuration between an RF600VPN/RF660VPN/RF760VPN at Site A and an RF550VPN/RF560VPN at Site B, with both RouteFinders using static IP addresses at their WAN port gateways.
3. A LAN-to-LAN VPN configuration between an RF600VPN/RF660VPN/RF760VPN at Site A using a static IP address and an RF550VPN/RF560VPN at Site B using dynamic IP addressing.
4. A Client-to-LAN configuration between an RF760VPN/RF660VPN/RF600VPN at Site A and an SSH Sentinel IP client.
The RouteFinder software is pre-installed on the RouteFinder. Initial configuration is required in order for you to run the
Web Management program and begin operation. The browser-based interface eases VPN configuration and
management. The VPN functionality is based on IPSec and PPTP protocols and uses Triple DES 168-bit encryption to
ensure that your information remains private. These examples are based on RF600VPN/RF660VPN/RF760VPN
software version 3.21 and RF550VPN/RF560VPN firmware version 4.63.
IMPORTANT:
Any reference to RF760VPN or RF660VPN or RF600VPN configuration will apply to all three models. Any reference to
RF550VPN or RF560VPN configuration will apply to both models.
Caution: Use a safe Password! Your first name spelled backwards is not a sufficiently safe password; a password
such as xfT35$4 is better.
Multi-Tech Systems, Inc. RF760VPN/RF660VPN/RF600VPN Setup Examples Reference Guide (S000283D)
2
Example 1 – LAN-to-LAN Fixed IP Addresses Using RF760/660/600VPN
Example 1
This example provides a sample RouteFinder configuration and related address scheme for an application employing
LAN-to-LAN IPSec VPN communication. This is an example of how to configure an RF760VPN, RF660VPN, or
RF600VPN at Site A and an RF760VPN, RF660VPN or RF600VPN at Site B so Site A and Site B can communicate
through a secure connection over the Internet. This example assumes both VPN gateways have fixed IP addresses.
LAN-to-LAN Fixed IP Configuration Diagram:
Example 1 LAN-to-LAN Configuration Chart
LAN-to-LAN Application – Site A:
RF760VPN/RF660VPN/RF600VPN - Static
1. Domain name = Site-A.com
2. Public Class C = 204.26.122.x
3. Networks & Services | Networks
LAN: 192.168.2.0 – 255.255.255.0
RemoteLAN: 192.168.10.0 – 255.255.255.0
RemoteWAN_IP: 204.26.122.3 – 255.255.255.255
4. Network Setup | Interface
Default gateway = 204.26.122.1
Host name = RF660VPN.Site-A.com
Eth0 = LAN, 192.168.2.1, 255.255.255.0
Eth1 = WAN, 204.26.122.103, 255.255.255.0
Eth2 = DMZ (don’t care)
5. Packet Filters | Packet Filter Rules
LAN – Any – Any – Accept
RemoteLAN – Any – Any – Accept
6. VPN | IPSec
Check and Save VPN Status
Add an IKE connection:
Connection name = SiteA
Check Perfect Forward Secrecy
Authentication Method = Secret
Enter secret key (must be the same on both sides)
Select Encryption = 3DES
Local WAN IP = WAN
Local LAN Subnet = LAN
Remote Gateway IP = RemoteWAN_IP
Remote LAN = RemoteLAN
Disable UID
LAN-to-LAN Application – Site B:
RF760VPN/RF660VPN/RF600VPN - Static
1. Domain name = Site-B.com
2. Public Class C = 204.26.122.x
3. Networks & Services | Networks
LAN: 192.168.10.0 – 255.255.255.0
RemoteLAN: 192.168.2.0 – 255.255.255.0
RemoteWAN_IP: 204.26.122.103 – 255.255.255.255
4. Network Setup | Interface
Default gateway = 204.26.122.1
Host name = RF660VPN.Site-B.com
Eth0 = LAN, 192.168.10.1, 255.255.255.0
Eth1 = WAN, 204.26.122.3, 255.255.255.0
Eth2 = DMZ (don’t care)
5. Packet Filters | Packet Filter Rules
LAN – Any – Any – Accept
RemoteLAN – Any – Any – Accept
6. VPN | IPSec
Check and Save VPN Status
Add an IKE connection:
Connection name = SiteB
Check Perfect Forward Secrecy
Authentication Method = Secret
Enter secret key (must be the same on both sides)
Select Encryption = 3DES
Local WAN IP = WAN
Local LAN Subnet = LAN
Remote Gateway IP = RemoteWAN_IP
Remote LAN = RemoteLAN
Disable UID
For LAN-to-LAN connectivity, the RouteFinder utilizes the IPSec protocol to provide secure tunnels with strong 168-bit
3DES encryption using IKE and PSK key management. In addition, the RouteFinder provides very high performance up
to 50Mbps of 3DES encryption throughput.
Address Table
Enter the configuration information (e.g., the Default Gateway and other IP addresses used) into the appropriate field of
the Address Table below. Please print this page and use it to fill in your specific RouteFinder information and keep for
future reference. (Example information below is shown to match with the diagram pictured above.)
                                                   IP Address         Net Mask           Default Gateway
Network Port connected to the internal network     ___.___.___.___    ___.___.___.___
(LAN on eth0) Site A                               (192.168.2.1)      (255.255.255.0)
Network Port connected to the external network     ___.___.___.___    ___.___.___.___    ___.___.___.___
(WAN on eth1) Site A                               (204.26.122.103)   (255.255.255.0)    (204.26.122.1)
Network Port connected to the internal network     ___.___.___.___    ___.___.___.___
(LAN on eth0) Site B                               (192.168.10.1)     (255.255.255.0)
Network Port connected to the external network     ___.___.___.___    ___.___.___.___    ___.___.___.___
(WAN on eth1) Site B                               (205.26.122.3)     (255.255.255.0)    (204.26.122.1)
LAN-to-LAN Application – Site A:
1. Domain name = __________
2. Public Class C = ___.___.___.X
3. Networks & Services | Networks
LAN: ___.___.___.0, 255.255.255.0
RemoteLAN: ___.___.___.0, 255.255.255.0
RemoteWAN_IP: ___.___.___.___, 255.255.255.255
4. Network Setup | Interfaces
Default gateway = ___.___.___.___
Host name = _____________
Eth0 = LAN, ___.___.___.___, 255.255.255.0
Eth1 = WAN, ___.___.___.___, 255.255.255.___
Eth2 = DMZ (don’t care)
LAN-to-LAN Application – Site B:
1. Domain name = __________
2. Public Class C = ___.___.___.X
3. Networks & Services | Networks
LAN: ___.___.___.0, 255.255.255.0
RemoteLAN: ___.___.___.0, 255.255.255.0
RemoteWAN_IP: ___.___.___.___, 255.255.255.255
4. Network Setup | Interfaces
Default gateway = ___.___.___.___
Host name = _____________
Eth0 = LAN, ___.___.___.___, 255.255.255.0
Eth1 = WAN, ___.___.___.___, 255.255.255.___
Eth2 = DMZ (don’t care)
Example 1 – Site A Configuration
1. Connect a workstation to the RouteFinder’s LAN port via the Ethernet for Site A.
2. Set the workstation IP address to 192.168.2.100, on the RouteFinder’s LAN subnet.
3. Turn on power to the RouteFinder and wait until you hear 5 beeps.
4. Bring up your Web browser on the workstation. At the Web browser’s address line, type the default Gateway
address of https://192.168.2.1 and hit the Enter key. In some environments, one or more Security Alert screen(s)
display.
Note: Make sure your PC’s IP address is in the same network as the router’s IP Address. WINIPCFG
and IPCONFIG are tools for finding a computer’s default gateway and MAC address. In Windows
98/ME you can type WINIPCFG. In Windows 2000/NT, you can type IPCONFIG.
At the initial Security Alert screen, click Yes and follow any additional on-screen prompts. (This step is eliminated
when you have generated a CA certificate at Administration > Site Certificate.)
5. The Login screen is displayed. Type the default User name of admin (all lower-case), tab to the Password entry
and type the default Password of admin (all lower-case), and click on Login. The User and Password entries are
case-sensitive (both must be all lower-case). The password can be up to 12 characters. You will later want to
change the User and Password entries from the default (admin) to something else. (If Windows displays the
AutoComplete screen, for security reasons, you may want to click No to tell the Windows OS to not remember the
Password.)
6. If someone else is already logged in to the RouteFinder, or if you were logged in recently, a message will ask you:
Do you want to log the user out?
Click the Yes Button.
The Login screen displays. Repeat step 5.
7. The Web Management Home screen displays.
8. Click on Wizard Setup. Enter information for Site A of this example.
a) Enter the Administrator Email Address (can be anything). (Example: admin@yourdomain.com)
b) Enter the Host name for the RouteFinder (can be anything). (Example: RF660VPN.Site-A.com)
c) LAN IP Address and Subnet Mask should already be set to the defaults. This should be acceptable for Site A.
d) Enter the WAN IP Address. This is the PUBLIC STATIC IP address. (Example: 204.26.122.103)
e) Change the Gateway IP address; this is the IP address of the router that connects to the Internet. (Example:
204.26.122.1)
f) Place a checkmark in the box for the Packet Filter Rule: LAN-ANY-ANY-ALLOW. This will enable this rule.
g) Specify any changes to the passwords that you feel are necessary.
h) Click Save to save the settings you just entered.
i) The following screen will display to save changes. Click on OK.
j) The following screen displays. Saving your settings will take a few minutes. Since you kept the LAN IP address
the same, it is not necessary to change this system to a new IP address.
9. Click on Networks & Services > Network. The LAN IP network is already defined. This is the private LAN on eth0
at Site A.
a) Define the IP network that is configured on the remote LAN port (the private LAN on eth0 at Site B) by entering
the following information. After this information is entered, it is added to the Network/Host list on this screen.
For example:
Name = RemoteLAN
IP address = 192.168.10.0
Subnet mask = 255.255.255.0
b) Define the IP address that is configured on the remote WAN port (the public WAN on eth1 at Site B) by
entering the following information. After this information is entered, it is added to the Network/Host list.
For example:
Name = RemoteWAN_IP
IP address = 204.26.122.3
Subnet mask = 255.255.255.255
After this information is entered and the Add button is clicked, it is displayed in the Network/Host list on this screen:
RemoteLAN       192.168.10.0    255.255.255.0
RemoteWAN_IP    204.26.122.3    255.255.255.255
10. Click on Packet Filters > Packet Filter Rules. The rule for LAN is already present.
a) Add the rule RemoteWAN_IP – Any – Any – ACCEPT. This allows the Remote WAN at Site B to access the
RouteFinder and LAN at Site A. After the rule is entered, it displays under User Defined Packet Filter Rules.
b) Add the rule RemoteLAN – Any – Any – ACCEPT. This allows the Remote LAN at Site B access to the
RouteFinder and LAN at Site A. After the rule is entered, it displays under User Defined Packet Filter Rules.
1    RemoteWAN_IP    Any    Any    ACCEPT
2    RemoteLAN       Any    Any    ACCEPT
11. Click on VPN > IPSec to open this IPSec screen.
a) Enable VPN Status by placing a check mark in the box and clicking on Save.
b) Do not check IKE-Debugging.
c) Do not check IPSec Debugging.
d) Click on Add an IKE connection to enter a new IPSec connection.
The Add an IKE Connection screen displays.
The IKE protocol automatically negotiates the protocols and encryption algorithms and automatically exchanges
the keys. The following parameters must be set.
a) Connection name
Enter a text name that will identify the connection for you. For this example, enter SiteA.
b) Compression
Do not check for this example.
c) Perfect Forward Secrecy (PFS)
Check the PFS checkbox to enable PFS (a property in which the newly generated keys are unrelated
to the older keys). This is enabled by default.
d) Authentication Method
Check the Secret authentication method for this example.
e) Secret
Since the authentication method is Secret, this field must be configured. Enter the key that matches
the secret key at Site B.
f) Select Encryption
Select the encryption method. Select 3DES.
g) IKE Life Time
The duration for which the ISAKMP SA should last is from successful negotiation to expiration. The
default value is 3600 seconds and the maximum is 28800 seconds.
h) Key Life
The duration for which the IPSec SA should last is from successful negotiation to expiration. The
default value is 28800 seconds and the maximum is 86400 seconds.
i) Number of Retries (Zero for Unlimited)
Enter the number of retries you want the device to make in order to establish the connection. Use
zero for unlimited retries.
j) Local WAN IP
This is the interface initiating the IPSec tunnel. For this example, set to WAN.
k) Local LAN
This is the local security gateway for which the security services should be provided. For this example,
set to LAN.
l) Remote Gateway IP or FQDN
This is the interface where the IPSec tunnel ends. For this example with a static IP address, set to
RemoteWAN_IP.
Note: In the case of a Road Warrior with a Dynamic IP address, this should be configured to ANY.
m) Remote LAN
Remote security gateway for which the security services should be provided. For this example, set to
RemoteLAN.
n) UID (Unique Identifier String)
For this example, it is recommended that you accept the default to disable UID.
Note: When enabled, UID is used for compatibility purposes (other IPSec VPN gateways might require
you to input a Local and Remote IPSec Identifier).
o) Local ID
Do not set for this example.
p) Remote ID
Do not set for this example.
q) NetBIOS Broadcast
Do not set for this example.
Note: Check this option only to enable broadcasts over the connection. It will allow computers on the
network to share Microsoft file and printer sharing information.
This completes the configuration of the RouteFinder at Site A – Example 1.
Now move to the RouteFinder for Site B and access the LAN port from a workstation as
done for Site A.
Example 1 - Site B Configuration
Follow the same basic procedures as used for Site A.
Note that some parameters are different for Site B.
For detail related to each step, see Site A procedures.
Step 1 – Connect a workstation to the RouteFinder’s LAN port via Ethernet for Site B.
Step 2 – Use the same IP Address as used for Site A (Set the workstation IP address as 192.168.10.100)
Step 3 – Apply power to the RouteFinder and wait until you hear 5 beeps.
Step 4 – Bring up your Web browser on the workstation. At the Web browser address line, type the default Gateway
address: https://192.168.10.1 and press the Enter key.
Step 5 – Follow the Site A User Name and Password login instructions.
Step 6 – If someone else is already logged in to the RouteFinder, or if you were logged in recently, a message will ask
you: Do you want to log the user out?
Click the Yes Button.
The Login screen displays. Repeat step 5.
Step 7 – The Web Management Home screen displays.
Step 8 – Click on Wizard Setup. Enter information for Site B of this example.
a) Enter the Administrator Email Address (can be anything). (Example: admin@yourdomain.com)
b) Enter the Host name for the RouteFinder (can be anything). (Example: RF660VPN.Site-B.com)
c) LAN IP Address and Subnet Mask should already be set to the defaults. This should be acceptable for
Site B.
d) Enter the WAN IP Address. This is the PUBLIC STATIC IP address. (Example: 204.26.122.3)
e) Change the Gateway IP address; this is the IP address of the router that connects to the Internet.
(Example: 204.26.122.1)
f) Place a checkmark in the box for the Packet Filter Rule: LAN-ANY-ANY-ALLOW. This will enable this
rule.
g) Specify any changes to the passwords that you feel are necessary.
h) Click Save to save the settings you just entered.
i) A screen displays prompting you to save your changes. Click on OK.
j) A screen displays indicating your IP Address.
Step 9 – Click on Networks & Services > Network. The LAN IP network is already defined. This is the private LAN on
eth0 at Site B.
a) Define the IP network that is configured on the remote LAN port (the private LAN on eth0 at Site B)
by entering the following information.
For example:
Name = RemoteLAN
IP address = 192.168.2.0
Subnet mask = 255.255.255.0
b) Define the IP address that is configured on the remote WAN port (the public WAN on eth1 at Site B)
by entering the following information.
For example:
Name = RemoteWAN_IP
IP address = 204.26.122.103
Subnet mask = 255.255.255.255
Step 10 – Click on Packet Filters > Packet Filter Rules. The rule for LAN is already present.
a) Add the rule RemoteWAN_IP – Any – Any – ACCEPT. This allows the Remote WAN at Site B to
access the RouteFinder and LAN at Site A. After the rule is entered, it displays under User Defined
Packet Filter Rules.
b) Add the rule RemoteLAN – Any – Any – ACCEPT. This allows the Remote LAN at Site B access to the
RouteFinder and LAN at Site A. After the rule is entered, it displays under User Defined Packet Filter
Rules.
Step 11 – Click on VPN > IPSec to open this IPSec screen.
a) Enable VPN Status by placing a check mark in the box and clicking on Save.
b) Do not check IKE-Debugging.
c) Do not check IPSec Debugging.
d) Click on Add an IKE connection to enter a new IPSec connection.
The Add an IKE Connection screen displays. These are the same settings as for Site A.
a. Connection name
Enter a text name that will identify the connection for you. For this example, enter SiteB.
b. Compression
Do not check for this example.
c. Perfect Forward Secrecy (PFS)
Check the PFS checkbox. This is enabled by default.
d. Authentication Method
Check the Secret authentication method for this example.
e. Secret
Enter the key that matches the secret key at Site B.
f. Select Encryption
Select the encryption method. Select 3DES.
g. IKE Life Time
Select the default value 3600 seconds.
h. Key Life
Select the default value 28800 seconds.
i. Number of Retries (Zero for Unlimited)
Enter the number of retries you want the device to make in order to establish the connection. Use
zero for unlimited retries.
j. Local WAN IP
This is the interface initiating the IPSec tunnel. For this example, set to WAN.
k. Local LAN
For this example, set to LAN.
l. Remote Gateway IP or FQDN
For this example with a static IP address, set to RemoteWAN_IP.
m. Remote LAN
For this example, set to RemoteLAN.
n. UID (Unique Identifier String)
For this example, it is recommended that you accept the default to disable UID.
o. Local ID
Do not set for this example.
p. Remote ID
Do not set for this example.
q. NetBIOS Broadcast
Do not set for this example.
This completes the configuration of the RF660VPN at Site B for Example 1.
Example 1 – Testing Your Configuration
You can test your connection between the two RouteFinders using the PING command at a DOS prompt.
Testing Site A Workstation Connected to a LAN Port of the RouteFinder:
a) At the DOS prompt ping a workstation connected to the LAN port of the RouteFinder at Site B.
Example: Ping 192.168.10.100 <return>
You should see four successful packet transmit/receive statements. If you do not, try several more times. You
may see several initial failures while the two RouteFinders make a secure connection.
b) If this fails, try to ping the WAN port of the RouteFinder at Site B.
Example: Ping 204.26.122.3
You should see four successful packet transmit/receive statements. If you do not, try several more times. You
may see several initial failures while the two RF660VPNs make a secure connection.
c) If this fails, try to ping the WAN port of the RouteFinder at Site A.
Example: Ping 204.26.122.103
Note: If any of these tests fail then verify that the workstation is connected to the LAN port of the RouteFinder. The
LAN port LINK LED should be on and the ACT LED should blink on each time you ping the RF660VPN. Also verify
that the RouteFinder is configured properly.
Testing Site B Workstation Connected to LAN Port of the RouteFinder:
a) At the DOS prompt ping a workstation connected to the LAN port of the RouteFinder at Site A.
Example: Ping 192.168.2.100 <return>
You should see four successful packet transmit/receive statements. If you do not, try several more times. You
may see several initial failures while the two RouteFinders make a secure connection.
b) If this fails, try to ping the WAN port of the RouteFinder at Site A.
Example: Ping 204.26.122.103
You should see four successful packet transmit/receive statements. If you do not, try several more times. You
may see several initial failures while the two RouteFinders make a secure connection.
c) If this fails, try to ping the WAN port of the RouteFinder at Site B.
Example: Ping 204.26.122.3
Note: If any of these tests fail then verify that the workstation is connected to the LAN port of the RouteFinder. The
LAN port LINK LED should be on and the ACT LED should blink on each time you ping the RouteFinder. Also verify
that the RouteFinder is configured properly.
Example 2 – LAN-to-LAN Fixed IP Addresses Using RF760/660/600VPN and RF560/550VPN
Example 2
This example provides a sample RouteFinder configuration and related address scheme for an application employing
LAN-to-LAN IPSec VPN communication. This is an example on how to configure an RF760/660/600VPN at Site A and
an RF560/550VPN at Site B so Site A and B can communicate through a connection over the Internet. This example
assumes both VPN gateways have fixed IP addresses.
LAN-to-LAN Fixed IP Configuration Diagram:
Example 2 – LAN-to-LAN Configuration Chart:
LAN-to-LAN Application – Site A: RF660VPN - Static
1. Domain name = Site-A.com
2. Public Class C = 204.26.122.x
3. Networks & Services > Network
LAN: 192.168.2.0 – 255.255.255.0
RemoteLAN: 192.168.10.0 – 255.255.255.0
RemoteWAN_IP: 204.26.122.3 – 255.255.255.255
4. Network Setup > Interfaces
Default gateway = 204.26.122.1
Host name = RF660VPN.Site-A.com
Eth0 = LAN, 192.168.2.1, 255.255.255.0
Eth1 = WAN, 204.26.122.103, 255.255.255.0
Eth2 = DMZ (don’t care)
5. Packet Filter > Packet Filter Rules
LAN – Any – Any – Accept
RemoteLAN – Any – Any – Accept
6. VPN | IPSec
Check and Save VPN Status
Add an IKE connection:
Connection name = SiteA
Check Perfect Forward Secrecy
Authentication Method = Secret
Enter secret key (must be the same on both sides)
Local WAN IP = WAN
Local LAN Subnet = LAN
Remote Gateway IP = RemoteWAN_IP
Remote LAN Subnet = RemoteLAN
Disable UID
LAN-to-LAN Application – Site B: RF550VPN - Static
1. Domain name = Site-B.com
2. Public Class C = 204.26.122.x
3. SETUP WIZARD > CABLE/xDSL ISP SETTINGS
Check ‘Your ISP requires you to input IP settings’
IP assigned by your ISP: 204.26.122.3
IP Subnet Mask: 255.255.255.0
ISP Gateway Address: 204.26.122.103
Domain name Server: 0.0.0.0
4. SETUP WIZARD > VPN SETTINGS
Connection Name = SiteBtoA
Disable UID
Check Enabled Keep Alive
Remote IP Network = 192.168.2.0
Remote IP Netmask = 255.255.255.0
Remote Gateway IP = 204.26.122.103
Network Interface = WAN ETHERNET
Secure Association = check IKE
Perfect Forward Secure = check enabled
Encryption Protocol = 3DES
Preshared Key = (must match secret code at Site A)
Key Life = set to default
IKE Life Time = set to default
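The configuration charts for Example 1 (two RF760/660/600VPNs) and Example 2 above (RF660VPN to RF550VPN) only work when each side's remote settings mirror the other side's local ones. The following is an added example, not part of the Multi-Tech guide: it models both charts with Python's standard ipaddress module and reports every field that does not line up before you reach the ping tests. The secret value is a constructed placeholder and the function and field names are this example's own.

```python
"""Cross-check the two sides of a LAN-to-LAN IPSec chart (Examples 1 and 2).

Constructed example; "EXAMPLE-SECRET" is a placeholder, not a real pre-shared key.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    """One tunnel endpoint, normalised from either model's screens."""
    site: str
    wan_ip: ipaddress.IPv4Address          # address the other side must point at
    lan: ipaddress.IPv4Network             # Local LAN (RF660) / Device IP subnet (RF550)
    remote_gateway: ipaddress.IPv4Address  # RemoteWAN_IP (RF660) / Remote Gateway IP (RF550)
    remote_lan: ipaddress.IPv4Network      # RemoteLAN (RF660) / Remote IP Network (RF550)
    psk: str                               # Secret (RF660) / PreShared Key (RF550)
    encryption: str
    pfs: bool
    ike_life: int                          # seconds the ISAKMP SA lasts
    key_life: int                          # seconds the IPSec SA lasts


def rf660_peer(site, wan_ip, lan, lan_mask, remote_wan_ip, remote_lan, remote_lan_mask,
               secret, encryption="3DES", pfs=True, ike_life=3600, key_life=28800):
    """Peer from the RF760/660/600VPN chart: the Networks & Services entries LAN,
    RemoteLAN and RemoteWAN_IP plus the Add an IKE connection fields (guide defaults)."""
    return Peer(site, ipaddress.IPv4Address(wan_ip),
                ipaddress.IPv4Network((lan, lan_mask), strict=False),
                ipaddress.IPv4Address(remote_wan_ip),
                ipaddress.IPv4Network((remote_lan, remote_lan_mask), strict=False),
                secret, encryption, pfs, ike_life, key_life)


def rf550_peer(site, isp_ip, device_ip, device_mask, remote_ip_network, remote_ip_netmask,
               remote_gateway_ip, preshared_key, encryption="3DES", pfs=True,
               ike_life=3600, key_life=28800):
    """Peer from the RF560/550VPN Setup Wizard: the local subnet is derived from Device IP
    Settings, the WAN address is 'IP assigned by your ISP', the rest comes from VPN Settings."""
    return Peer(site, ipaddress.IPv4Address(isp_ip),
                ipaddress.IPv4Network((device_ip, device_mask), strict=False),
                ipaddress.IPv4Address(remote_gateway_ip),
                ipaddress.IPv4Network((remote_ip_network, remote_ip_netmask), strict=False),
                preshared_key, encryption, pfs, ike_life, key_life)


def check_pair(a, b):
    """Return the list of mismatches between two endpoints (empty when the charts agree).

    Each check is one thing the guide requires to line up: each side's remote gateway
    and remote LAN must be the other side's WAN address and LAN, the two LANs must not
    overlap, and the secret, encryption, PFS and lifetimes must match."""
    problems = []
    for near, far in ((a, b), (b, a)):
        if near.remote_gateway != far.wan_ip:
            problems.append(f"{near.site}: Remote Gateway IP {near.remote_gateway} "
                            f"is not {far.site}'s WAN IP {far.wan_ip}")
        if near.remote_lan != far.lan:
            problems.append(f"{near.site}: Remote LAN {near.remote_lan} "
                            f"is not {far.site}'s LAN {far.lan}")
    if a.lan.overlaps(b.lan):
        problems.append(f"LAN subnets {a.lan} and {b.lan} overlap; readdress one site")
    if a.psk != b.psk:
        problems.append("pre-shared secret differs between the sites")
    if a.encryption != b.encryption:
        problems.append(f"encryption differs: {a.encryption} vs {b.encryption}")
    if a.pfs != b.pfs:
        problems.append("Perfect Forward Secrecy is enabled on only one side")
    if (a.ike_life, a.key_life) != (b.ike_life, b.key_life):
        problems.append("IKE Life Time / Key Life differ between the sites")
    return problems


def example_1():
    """Example 1 chart: two RF760/660/600VPNs with static WAN addresses."""
    site_a = rf660_peer("Site A", "204.26.122.103", "192.168.2.0", "255.255.255.0",
                        "204.26.122.3", "192.168.10.0", "255.255.255.0", "EXAMPLE-SECRET")
    site_b = rf660_peer("Site B", "204.26.122.3", "192.168.10.0", "255.255.255.0",
                        "204.26.122.103", "192.168.2.0", "255.255.255.0", "EXAMPLE-SECRET")
    return site_a, site_b


def example_2():
    """Example 2 chart: the same Site A RF660VPN, an RF550VPN at Site B."""
    site_a = example_1()[0]
    site_b = rf550_peer("Site B", "204.26.122.3", "192.168.10.1", "255.255.255.0",
                        "192.168.2.0", "255.255.255.0", "204.26.122.103", "EXAMPLE-SECRET")
    return site_a, site_b


if __name__ == "__main__":
    for label, pair in (("Example 1", example_1()), ("Example 2", example_2())):
        print(label, ":", check_pair(*pair) or "consistent")
```

Run it with your own values in place of the chart's; a non-empty list names the field to correct on which site.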
Address Table
Enter the configuration information (e.g., the Default Gateway and other IP addresses used) into the appropriate field of
the Address Table below. Please print this page and use it to fill in your specific RouteFinder information and keep for
future reference. (Example information below is shown to match with the diagram pictured above.)
                                                   IP Address         Net Mask           Default Gateway
Network Port connected to the internal network     ___.___.___.___    ___.___.___.___
(LAN on eth0) Site A                               (192.168.2.1)      (255.255.255.0)
Network Port connected to the external network     ___.___.___.___    ___.___.___.___    ___.___.___.___
(WAN on eth1) Site A                               (204.26.122.103)   (255.255.255.0)    (204.26.122.1)
Network Port connected to the internal network     ___.___.___.___    ___.___.___.___
(LAN) on Site B                                    (192.168.10.1)     (255.255.255.0)
Network Port connected to the external network     ___.___.___.___    ___.___.___.___    ___.___.___.___
(WAN) on Site B                                    (205.26.122.3)     (255.255.255.0)    (204.26.122.1)
LAN-to-LAN Application – Site A: RF660VPN
1. Domain name = __________
2. Public Class C = ___.___.___.X
3. Networks & Services | Networks
LAN: ___.___.___.0, 255.255.255.0
RemoteLAN: ___.___.___.0, 255.255.255.0
RemoteWAN_IP: ___.___.___.___, 255.255.255.255
4. Network Setup | Interfaces
Default gateway = ___.___.___.___
Host name = _____________
Eth0 = LAN, ___.___.___.___, 255.255.255.0
Eth1 = WAN, ___.___.___.___, 255.255.255.___
Eth2 = DMZ (don’t care)
LAN-to-LAN Application – Site B: RF550VPN
1. Domain name = __________
2. Public Class C = ___.___.___.X
3. SETUP WIZARD | CABLE/xDSL ISP SETTINGS
IP assigned by your ISP: ___.___.___.___
IP Subnet Mask: 255.255.255.___
ISP Gateway Address: ___.___.___.___
4. SETUP WIZARD | VPN SETTINGS
Remote IP Network = ___.___.___.0
Remote IP Netmask = 255.255.255.0
Remote Gateway IP = ___.___.___.___
Example 2 – Site A Configuration
To configure the Site A RF660VPN follow the same procedures used in Example 1.
Example 2 – Site B Configuration
1. Connect a workstation to one of the RF560/550VPN’s LAN ports via Ethernet for Site B.
Note: It is assumed that the IP Address of the RouteFinder’s LAN at Site B (Example: 192.168.10.1) has already
been changed so it does not conflict with the IP Address of the RouteFinder’s LAN port at Site A (Example:
192.168.2.1).
2. Set the workstation IP address to 192.168.10.100, on the RouteFinder’s LAN subnet.
3. Apply power to the RF560/550VPN RouteFinder and connect the workstation to one of the RouteFinder LAN ports.
4. Bring up your Web browser on the workstation. At the Web browser address line, type the Gateway address of
http://192.168.10.1 and press the Enter key.
Note: Make sure your PC’s IP address is in the same network as the router’s IP address. WINIPCFG and
IPCONFIG are tools for finding a computer’s default gateway and MAC address. In Windows 98/ME you can type
WINIPCFG. In Windows 2000/NT, you can type IPCONFIG.
5. After typing the IP Address, the Password dialog box displays. Type admin (admin is the default user name) in the
user name box and leave the password box empty.
Note: To change your password, select the Advanced Settings button and choose Administrative Settings.
6. The RF550VPN main menu displays. Click the Setup Wizard button. Then click OK. The Setup Wizard screen
displays a step-by-step process for entering the basic configuration settings for your RF560/550VPN.
7. Select the Time Zone. Then click the Next button to continue.
8. Device IP Settings - Enter the internal LAN IP address and subnet mask that you want assigned to the LAN ports of
the RF560/550VPN. This is not the IP address from your ISP but the local internal LAN IP address. The default IP
address is 192.168.2.1 but for our example we will use 192.168.10.1.
Device IP Address: 192.168.10.1
Device IP Subnet Mask: 255.255.255.0
Click the Next button.
9. For Cable/xDSL ISP Settings check the box Your ISP requires you to input IP settings.
a) IP Assigned by your ISP: This is the IP address of the WAN port on the RF560VPN/RF550VPN.
Ex: 204.26.122.3
b) IP Subnet Mask: This is the IP address of the subnet mask for the WAN port on the RF550VPN.
Ex: 255.255.255.0
c) IP Gateway Address: This is the IP address of the WAN port on the RF660VPN at Site A.
Ex: 204.26.122.103
d) Domain Name Server (DNS): Can be left as 0.0.0.0 for LAN-to-LAN RouteFinder connection.
Click the Next button.
Note: For this scenario it is not necessary to enter any information for the ISP Additional Settings or Modem
Settings.
10. Click the button on the left side of the screen to open the VPN Settings screen. Use this screen to set up your
LAN-to-LAN VPN connection.
a) In the Connection Name field, type a name that identifies for you the connection that you would like to make.
Example: Site-B.
b) Click the Add button.
11. The VPN Settings screen for entering specific VPN settings displays. The Connection Name (SiteBtoA) defaults
into the first field. Continue to enter the required settings:
a) Disable UID – Select this function and leave Local IPSec Identifier and Remote IPSec Identifier empty.
b) Enabled Keep Alive – Place a check mark in the box to enable this function.
c) Remote IP Network – Enter the Remote IP Network address (LAN) for Site A. (Ex: 192.168.2.0)
d) Remote IP Netmask – Enter the Remote IP Netmask address for Site A. (Ex: 255.255.255.0)
e) Remote Gateway IP – Enter the Remote Gateway IP address (WAN) for Site A. (Ex: 204.26.122.103)
f) Network Interface – Select the Network Interface from the drop-down list box. (Ex: WAN Ethernet)
g) Secure Association – Select IKE to set how inbound packets will be filtered. IKE is the default. IKE
primarily encompasses router key exchange and the negotiation of security policy. Selecting IKE displays the
following fields.
h) Perfect Forward Secure – Check the Enabled button.
i) Encryption Protocol – Select the encryption protocol used for your configuration. The default protocol for
the RF550VPN communicating with another RF550VPN/RF560VPN is 3DES. (Ex: 3DES)
j) PreShared Key – Enter the PreShared Key name (you can enter an alphanumeric name but it needs to
match the security code for the RouteFinder at Site A, step 12 in example 1, 1o2t3t4f).
k) Key Life – Enter the amount of time that tells the router to renegotiate the Key. For example, 3600 seconds
is 60 minutes.
l) IKE Life Time – Enter the amount of time that tells the router to renegotiate the IKE security association. For
example, 28800 seconds is 8 hours.
12. Once the VPN settings are entered, click the Save button. The Connection Name now displays on the lower half of
the screen. You can edit or delete this connection by clicking the corresponding buttons, or you can enable it. To
enable this connection, check the Enable box that appears to the left of the connection name.
Note: If you uncheck the Enable box, the parameters will remain on the screen for you to enable, edit, or delete as
desired.
13. After you have finished making all the changes on the various pages, click Save and Restart to save the settings
and restart the device. After the restart, the device will function according to the saved settings.
14. During the save and restart process, system messages will let you know that you have successfully configured the
settings for the device and saved the settings. You will see a status bar across the bottom of your browser showing
the progress of the startup process.
This completes the configuration of the RF560VPN/RF550VPN at Site B.
Testing Your Configuration
You can test your connection between the two RouteFinders using the PING command at a DOS prompt.
Testing the Site A Workstation Connected to LAN Port of RF660VPN:
a) At the DOS prompt ping a workstation connected to the LAN port of the RF560VPN/RF550VPN at Site B.
Example: Ping 192.168.10.100 <return>
You should see four successful packet transmit/receive statements. If you do not, try several more times. You
may see several initial failures while the two RouteFinders make a secure connection.
b) If this fails, try to ping the WAN port of the RF560VPN/RF550VPN at Site B.
Example: Ping 204.26.122.3
You should see four successful packet transmit/receive statements. If you do not, try several more times. You
may see several initial failures while the two RouteFinders make a secure connection.
c) If this fails, try to ping the WAN port of the RF660VPN at Site A.
Example: Ping 204.26.122.103
Note: If any of these tests fail then verify that the workstation is connected to the LAN port of the RF660VPN. The
LAN port LINK LED should be on and the ACT LED should blink on each time you ping the RF660VPN. Also verify
that the RF660VPN is configured properly.
Testing the Site B Workstation Connected to LAN Port of RF550VPN:
a) At the DOS prompt ping a workstation connected to the LAN port of the RF660VPN at Site A.
Example: Ping 192.168.2.100 <return>
You should see four successful packet transmit/receive statements. If you do not, try several more times. You
may see several initial failures while the two RouteFinders make a secure connection.
b) If this fails, try to ping the WAN port of the RF660VPN at Site A.
Example: Ping 204.26.122.103
You should see four successful packet transmit/receive statements. If you do not, try several more times. You
may see several initial failures while the two RouteFinders make a secure connection.
c) If this fails, try to ping the WAN port of the RF550VPN at Site B.
Example: Ping 204.26.122.3
Note: If any of these tests fail then verify that the workstation is connected to a LAN port of the
RF560VPN/RF550VPN. The LAN port LINK LED should be on and the ACT LED should blink on each time you ping
the RF560VPN/RF550VPN. Also verify that the RF550VPN is configured properly.
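Because the same three-step diagnosis is repeated for the Site A and Site B workstations here and again in Example 3, the following script (an added example, not part of the Multi-Tech guide) runs the checks in the guide's order and names the first hop that fails. The `ping` invocation and the injectable `probe` hook are this example's own; the addresses are the guide's example values.

```python
"""Added example, not from the Multi-Tech guide: automate the guide's ping
diagnosis (remote LAN host, then remote WAN port, then local WAN port).
`probe` is injectable so the decision logic can run without a live tunnel."""
import platform
import subprocess


def ping_probe(ip, count=4):
    """Send `count` echo requests with the OS ping tool; True if it reports success."""
    flag = "-n" if platform.system() == "Windows" else "-c"
    result = subprocess.run(["ping", flag, str(count), ip],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def reachable(ip, probe, attempts=3):
    """Retry a few times: early failures are expected while IKE negotiates."""
    return any(probe(ip) for _ in range(attempts))


def diagnose(remote_lan_host, remote_wan, local_wan, probe=ping_probe):
    """Return (status, message) following the guide's order of checks.

    status is one of: "ok", "tunnel", "internet", "local".
    """
    if reachable(remote_lan_host, probe):
        return "ok", f"remote LAN host {remote_lan_host} reachable through the tunnel"
    if reachable(remote_wan, probe):
        return "tunnel", (f"remote WAN {remote_wan} answers but {remote_lan_host} does not: "
                          "compare the IPSec settings on the two RouteFinders")
    if reachable(local_wan, probe):
        return "internet", (f"local WAN {local_wan} answers but remote WAN {remote_wan} does not: "
                            "check the ISP gateway and the remote RouteFinder's WAN port")
    return "local", (f"local WAN {local_wan} unreachable: check the workstation's LAN "
                     "cabling and the LINK/ACT LEDs on the RouteFinder")


if __name__ == "__main__":
    # Site A workstation test with the guide's example addresses.
    status, message = diagnose("192.168.10.100", "204.26.122.3", "204.26.122.103")
    print(status, message)
```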
Example 3 – LAN-to-LAN Fixed IP Addresses Using RF560/550VPN
Example 3
This example shows a RouteFinder configuration and its related address scheme for an application employing LAN-to-LAN IPSec VPN communication. This is an example of how to configure an RF760/660/600VPN at Site A and an
RF560/550VPN at Site B so that Site A and Site B can communicate through a connection over the Internet.
This example is similar to Example 2 except that it assumes the RF660VPN at Site A is using a VPN gateway (WAN
port) with a fixed static IP address and the RF550VPN at Site B is using a VPN gateway (WAN port) with a dynamic IP
address.
LAN-to-LAN Static/Dynamic IP Configuration Diagram:
Example 3 LAN-to-LAN Configuration Chart:

LAN-to-LAN Application – Site A: RF660VPN-Static
1. Domain name = Site-A.com
2. Public Class C = 204.26.122.x
3. Definitions | Network
   LAN: 192.168.2.0 – 255.255.255.0
   RemoteLAN: 192.168.10.0 – 255.255.255.0
4. Network | Interfaces
   Default gateway = 204.26.122.1
   Host name = fw.Site-A.com
   Eth0 = LAN, 192.168.2.1, 255.255.255.0
   Eth1 = WAN, 204.26.122.103, 255.255.255.0
   Eth2 = DMZ (don’t care)
6. Packet Filter | Rules
   LAN – Any – Any – Accept
   RemoteLAN – Any – Any – Accept
7. VPN | IPSec
   Check and Save VPN Status
   Add an IKE connection:
   Connection name = SiteA
   Check Perfect Forward Secrecy
   Authentication Method = Secret
   Enter secret key (must be the same on both sides)
   Local WAN IP = WAN
   Local LAN Subnet = LAN
   Remote Gateway IP = Any
   Remote LAN = RemoteLAN
   Disable UID

LAN-to-LAN Application – Site B: RF550VPN-Dynamic
1. Domain name = Site-B.com
2. Public Class C = 204.26.122.x
3. SETUP WIZARD | CABLE/xDSL ISP SETTINGS
   Check ‘Your ISP requires you to input IP settings’
   IP assigned by your ISP: 204.26.122.3
   IP Subnet Mask: 255.255.255.0
   ISP Gateway Address: 204.26.122.103
   Domain name Server: 0.0.0.0
4. SETUP WIZARD | VPN SETTINGS
   Connection Name = SiteBtoA
   Disable UID
   Check Enabled Keep Alive
   Remote IP Network = 192.168.2.0
   Remote IP Netmask = 255.255.255.0
   Remote Gateway IP = 204.26.122.103
   Network Interface = WAN ETHERNET
   Secure Association = check IKE
   Perfect Forward Secure = check enabled
   Encryption Protocol = 3DES
   Preshared Key = (must match secret code at Site A)
   Key Life = set to default
   IKE Life Time = set to default
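The two halves of the chart are mirror images of each other, and most failed tunnels come from one side not matching the other. The following script (an added example, not from the Multi-Tech guide) cross-checks the Site A and Site B settings from the Example 2/3 charts before Save and Restart. The dictionary field names are this example's own; the values are the guide's example values, including its sample secret.

```python
"""Added example, not from the Multi-Tech guide: cross-check the Site A (RF660VPN)
and Site B (RF550VPN) IPSec settings so mirror-image mistakes are caught early.
Field names are this script's own; values are the guide's example values."""
import ipaddress

# Site A: Networks & Services and VPN | IPSec, as in the Example 3 chart.
SITE_A = {
    "lan": "192.168.2.0/255.255.255.0",
    "wan_ip": "204.26.122.103",
    "remote_lan": "192.168.10.0/255.255.255.0",
    "remote_gateway": "Any",             # Example 3: Site B's WAN address is dynamic
    "encryption": "3DES",
    "pfs": True,
    "secret": "1o2t3t4f",                # the guide's sample secret
}
# Site B: Setup Wizard | VPN Settings.
SITE_B = {
    "lan": "192.168.10.0/255.255.255.0",
    "wan_ip": "204.26.122.3",
    "remote_network": "192.168.2.0/255.255.255.0",
    "remote_gateway": "204.26.122.103",  # must be Site A's WAN port
    "encryption": "3DES",
    "pfs": True,
    "preshared_key": "1o2t3t4f",
}


def _net(text):
    """Parse 'address/netmask' the way the RouteFinder screens present it."""
    return ipaddress.ip_network(text, strict=False)


def check_pair(a, b):
    """Return the list of mismatches between the two ends; [] means consistent."""
    problems = []
    a_lan, b_lan = _net(a["lan"]), _net(b["lan"])
    # Each side's remote network must be exactly the other side's LAN.
    if _net(a["remote_lan"]) != b_lan:
        problems.append(f"Site A RemoteLAN {a['remote_lan']} is not Site B LAN {b['lan']}")
    if _net(b["remote_network"]) != a_lan:
        problems.append(f"Site B Remote IP Network {b['remote_network']} is not Site A LAN {a['lan']}")
    # Overlapping private subnets cannot be routed through the tunnel.
    if a_lan.overlaps(b_lan):
        problems.append(f"LANs {a['lan']} and {b['lan']} overlap")
    # Site B (the initiator) must point at Site A's fixed WAN address.
    if b["remote_gateway"] != a["wan_ip"]:
        problems.append(f"Site B Remote Gateway IP {b['remote_gateway']} is not Site A WAN {a['wan_ip']}")
    # Site A names Site B's WAN address when it is fixed (Example 2); for a dynamic
    # peer (Example 3) it is 'Any', so only the shared secret identifies the peer.
    if a["remote_gateway"] != "Any" and a["remote_gateway"] != b["wan_ip"]:
        problems.append(f"Site A Remote Gateway IP {a['remote_gateway']} is not Site B WAN {b['wan_ip']}")
    # Secret, cipher and PFS are negotiated by IKE and must agree on both ends.
    if a["secret"] != b["preshared_key"]:
        problems.append("pre-shared secret differs between the sites")
    if a["encryption"] != b["encryption"]:
        problems.append(f"encryption {a['encryption']} at Site A vs {b['encryption']} at Site B")
    if a["pfs"] != b["pfs"]:
        problems.append("Perfect Forward Secrecy is enabled on one side only")
    return problems


if __name__ == "__main__":
    for line in check_pair(SITE_A, SITE_B) or ["Site A and Site B settings are consistent"]:
        print(line)
```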
Address Table
Enter the configuration information (e.g., the Default Gateway and other IP addresses used) into the appropriate field of
the Address Table below. Please print this page and use it to fill in your specific RouteFinder information and keep for
future reference. (Example information below is shown to match with the diagram pictured above.)

Network Port connected to the internal network (LAN on eth0) Site A.
   IP Address: ___.___._._ (example: 192.168.2.1)
   Net Mask:   ___.___.___._ (example: 255.255.255.0)
Network Port connected to the external network (WAN on eth1) Site A.
   IP Address: ___.__.___.___ (example: 204.26.122.103)
   Net Mask:   ___.___.___._ (example: 255.255.255.0)
Network Port connected to the internal network (LAN) on Site B.
   IP Address: ___.___.__._ (example: 192.168.10.1)
   Net Mask:   ___.___.___._ (example: 255.255.255.0)
Network Port connected to the external network (WAN) on Site B.
   IP Address: ___.__.___._ (example: 205.26.122.3)
   Net Mask:   ___.___.___._ (example: 255.255.255.0)
Default Gateway
   IP Address: ___.__.___._ (example: 204.26.122.1)
   Net Mask:   ___.__.___._ (example: 204.26.122.1)

LAN-to-LAN Application – Site A: RF660VPN-Static
1. Domain name = __________
2. Public Class C = ___.___.___.X
3. Networks & Services | Networks
   LAN: ___.___.___.0 – 255.255.255.0
   RemoteLAN: ___.___.___.0 – 255.255.255.0
4. Network Setup | Interfaces
   Default gateway = ___.___.___.___
   Host name = _____________
   Eth0 = LAN, ___.___.___.___, 255.255.255.0
   Eth1 = WAN, ___.___.___.___, 255.255.255.___
   Eth2 = DMZ (don’t care)

LAN-to-LAN Application – Site B: RF550VPN-Dynamic
1. Domain name = __________
2. Public Class C = ___.___.___.X
3. SETUP WIZARD | CABLE/xDSL ISP SETTINGS
   IP assigned by your ISP: ___.___.___.___
   IP Subnet Mask: 255.255.255.___
   ISP Gateway Address: ___.___.___.___
4. SETUP WIZARD | VPN SETTINGS
   Remote IP Network = ___.___.___.0
   Remote IP Netmask = 255.255.255.0
   Remote Gateway IP = ___.___.___.___
Example 3 - Site A Configuration
Note: To configure the RF660VPN at Site A follow the same procedure as in Example 1, except for the following
items in the RF660VPN configuration:
1. Click on Networks & Services > Network.
a) Define the IP network configured on the remote LAN ports (the private LAN on the RF550VPN at Site B).
For example: Name = RemoteLAN
IP address = 192.168.10.0
Subnet mask = 255.255.255.0
b) It is not necessary to define the IP address that is configured on the remote RF550VPN WAN port.
After the IP network information is entered, it displays in the Network/Host list on this screen.
RemoteLAN 192.168.10.0 255.255.255.0
2. Click on Packet Filters > Packet Filter Rules. The rule for LAN should already be present.
a) Change the lan – Any – Any – ACCEPT rule to Any – Any – Any – ACCEPT. This allows the LAN at Site A
access to any service on the Internet. After this is entered, it displays at the bottom of the screen.
1 – Any – Any – Any – ACCEPT
3. Click on VPN > IPSec.
a) Enable VPN Status by placing a check mark in the box and clicking on Save.
b) Do not enable IKE-Debugging.
c) Do not enable IPSec Debugging.
d) Click on Add an IKE connection to enter a new IPSec connection.
The Add an IKE Connection screen displays.
The IKE protocol automatically negotiates the protocols and encryption algorithms and automatically
exchanges the keys. The following parameters must be set.
a) Connection name
Enter a text name that will identify the connection for you. For this example, enter SiteA.
b) Compression
Do not check for this example.
c) Perfect Forward Secrecy (PFS)
Check the PFS checkbox to enable PFS (a concept in which the newly generated keys are
unrelated to the older keys). This is enabled by default.
d) Authentication Method
Check Secret for this example.
e) Secret
Since the authentication method is Secret, this field must be configured. Set to match the key at
Site B.
f) Select Encryption
Select the 3DES encryption method.
g) IKE Life Time
Accept the default value of 3600 seconds.
h) Key Life
Accept the default value of 28800 seconds.
i) Number of Retries (Zero for Unlimited)
Enter the number of retries you want the device to make in order to establish the connection.
Use zero for unlimited retries.
j) Local WAN IP
This is the interface initiating the IPSec tunnel. For this example, set to WAN.
k) Local LAN
This is the local security gateway for which the security services should be provided. For this
example, set to LAN.
l) Remote Gateway IP or FQDN
This is the interface where the IPSec tunnel ends. For this example set to ANY.
m) Remote LAN
Remote security gateway for which the security services should be provided. For this example, set
to RemoteLAN.
n) UID (Unique Identifier String)
It is recommended that you accept the default to disable UID.
Note: When enabled, UID is used for compatibility purposes (other IPSec VPN gateways might
require you to input a Local and Remote IPSec Identifier).
o) Local ID
Do not set for this example.
p) Remote ID
Do not set for this example.
q) NetBIOS Broadcast
Do not set for this example.
Note: Check this option only to enable broadcasts over the connection. It will allow computers on
the network to share Microsoft file and printer sharing information.
This completes the configuration of the RF660VPN at Site A.
Example 3 – Site B Configuration
To configure the RF560VPN/RF550VPN, follow the same configuration procedure as given for Site B in Example 2.
Testing Your Configuration
You can test your connection between the two RouteFinders using the PING command at a DOS prompt.
Testing the Site A Workstation Connected to LAN Port of RF660VPN:
a) At the DOS prompt ping a workstation connected to the LAN port of the RF550VPN/RF560VPN at Site B.
Example: Ping 192.168.10.100 <return>
You should see four successful packet transmit/receive statements. If you do not, try several more times. You
may see several initial failures while the two RouteFinders make a secure connection.
b) If this fails, try to ping the WAN port of the RF550VPN at Site B.
Example: Ping 204.26.122.3
You should see four successful packet transmit/receive statements. If you do not, try several more times. You
may see several initial failures while the two RouteFinders make a secure connection.
c) If this fails, try to ping the WAN port of the RF660VPN at Site A.
Example: Ping 204.26.122.103
Note: If any of these tests fail then verify that the workstation is connected to the LAN port of the RF660VPN. The
LAN port LINK LED should be on and the ACT LED should blink on each time you ping the RF660VPN. Also verify
that the RF660VPN is configured properly.
Testing the Site B Workstation Connected to LAN Port of RF560VPN/RF550VPN:
a) At the DOS prompt ping a workstation connected to the LAN port of the RF660VPN at Site A.
Example: Ping 192.168.2.100 <return>
You should see four successful packet transmit/receive statements. If you do not, try several more times. You
may see several initial failures while the two RouteFinders make a secure connection.
b) If this fails, try to ping the WAN port of the RF660VPN at Site A.
Example: Ping 204.26.122.103
You should see four successful packet transmit/receive statements. If you do not, try several more times. You
may see several initial failures while the two RouteFinders make a secure connection.
c) If this fails, try to ping the WAN port of the RF560VPN/RF550VPN at Site B.
Example: Ping 204.26.122.3
Note: If any of these tests fail then verify that the workstation is connected to a LAN port of the
RF560VPN/RF550VPN. The LAN port LINK LED should be on and the ACT LED should blink on each time you ping
the RF560VPN/RF550VPN. Also verify that the RF550VPN is configured properly.
Example 4 – SSH Sentinel Accessing LAN Through the RouteFinder
Example 4
The RouteFinder provides an easy-to-use IPSec VPN client connection that transparently secures your Internet
communications anytime, anywhere. This example will show the setup procedure for the RouteFinder to allow a
remote client to see a LAN, where the remote client is using SSH Sentinel version 1.3.
Note: Make sure that all routers between both SSH IPSec ends can route IP protocol 50 (IPSec). Sometimes routers
are configured to route only TCP (protocol 6), UDP (protocol 17) and ICMP (protocol 1) and drop all other protocols.
VPN routers configured that way won’t work with IPSec!
Example 4 – Site A Configuration
Configure the RouteFinder at Site A same as was explained in the RF660VPN-to-RF660VPN example 1, with the
exception of the following changes:
1. Click on Networks & Services > Network.
a) Define the IP address that is configured on the remote SSH Sentinel Client.
For example: Name = Sentinel Client
IP address = 204.26.122.50
Subnet mask = 255.255.255.255
After the SSH Sentinel Client information is entered, it displays in the Network/Host list on this screen.
Sentinel Client 204.26.122.50 255.255.255.255
2. Click on Packet Filters > Packet Filter Rules. The rule for LAN is already present.
Add the rule Sentinel_Client – Any – Any – ACCEPT. This allows the Remote Sentinel Client access to the
RouteFinder and LAN at Site A.
Note: The rules for LAN and Sentinel_Client require a static IP Address for the Sentinel client. If you want to
use a dynamic IP Address for the Sentinel client, then include and enable the rule Any – Any – Any –
ACCEPT.
After the rule is entered, it displays in the User Defined Packet Filter Rules at the bottom of the screen.
1 – Sentinel_Client – Any – Any – ACCEPT
3. Click on VPN > IPSec to add a new connection for the Sentinel SSH IPSec client.
a) Enable VPN Status by placing a check mark in the box and clicking on Save.
b) Do not enable IKE-Debugging.
c) Do not enable IPSec Debugging.
d) Click Add an IKE connection to enter a new IPSec connection.
The Add an IKE Connection screen displays. Enter the information for Sentinel.
The IKE protocol automatically negotiates the protocols and encryption algorithms and automatically
exchanges the keys. The following parameters must be set.
a) Connection name
Enter a text name that will identify the connection for you. For this example, enter Sentinel.
b) Compression
Do not check for this example.
c) Perfect Forward Secrecy (PFS)
Check the PFS checkbox to enable PFS (a concept in which the newly generated keys are
unrelated to the older keys). This is enabled by default.
d) Authentication Method
Check the Secret authentication method.
e) Secret
Since the authentication method is Secret, this field must be configured. The Secret must be
agreed upon and shared by the VPN endpoints; it must be configured at both endpoints of the
tunnel.
f) Select Encryption
Select the 3DES encryption method for this example.
g) IKE Life Time
The duration for which the ISAKMP SA should last is from successful negotiation to expiration. The
default value is 3600 seconds and the maximum is 28800 seconds.
h) Key Life
The duration for which the IPSec SA should last is from successful negotiation to expiration. The
default value is 28800 seconds and the maximum is 86400 seconds.
i) Number of Retries (Zero for Unlimited)
Enter the number of retries you want the device to make in order to establish the connection.
Use zero for unlimited retries.
j) Local WAN IP
This is the interface initiating the IPSec tunnel. For this example, select WAN.
k) Local LAN
Local security gateway for which the security services should be provided. Select LAN.
l) Remote Gateway IP or FQDN
Interface where the IPSec tunnel ends. If you use a Dynamic IP address, this should be configured
to ANY. If you use a Static IP Address, then set to IP=Sentinel Client.
m) Remote LAN
Remote security gateway for which the security services should be provided. If the remote end is
the host, this should be configured as None.
n) UID (Unique Identifier String)
It is recommended that you accept the default to disable UID.
Note: When enabled, UID is used for compatibility purposes (other IPSec VPN gateways might
require you to input a Local and Remote IPSec Identifier).
o) Local ID
Do not set for this example.
p) Remote ID
Do not set for this example.
q) NetBIOS Broadcast
Do not set for this example.
Example 4 - Remote Client Configuration
Using SSH Sentinel
To see how to install and run SSH Sentinel in Windows 2000 Professional review the quick start guide for SSH
Sentinel (RFIPSC). This quick start guide is included with most RouteFinders on the RouteFinder CD; it is also available
on the Multi-Tech Web site at: http://www.multitech.com/DOCUMENTS/collateral/manuals/
To test the connection from Sentinel client to the RouteFinder, open a DOS command prompt window and attempt to
ping the LAN located behind the RouteFinder. If the ping is successful, the configuration process to connect SSH
Sentinel client to a RouteFinder is complete.
Note: The Sentinel Policy Manager may need to be stopped and started in order for you to successfully ping the
remote LAN. Once you can ping the remote LAN, do not run the diagnostics test again, otherwise, you will have to
stop and start the policy manager in order to once again ping successfully.