VSU-100
VPNware Service Unit
User Guide
VPNet Technologies, Inc.
Licenses, Warranties, Copyrights, and Trademarks
THE SPECIFICATIONS REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO
CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND
RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE
PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST
TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
LIMITED WARRANTY
Hardware. VPNet Technologies, Inc. (“VPNet”) warrants that for a period of one (1) year from the
date of shipment from VPNet that the Hardware will be free from defects in material and
workmanship under normal use. This limited warranty extends only to Customer as the original
purchaser. Customer’s exclusive remedy and the entire liability of VPNet and its suppliers under this
limited warranty will be, at VPNet or its service center's option, repair or replacement within ten (10)
business days or refund of the Hardware if returned to the party supplying the Hardware to Customer,
freight and insurance prepaid. VPNet replacement parts used in Hardware repair may be new or
equivalent to new.
Restrictions. This warranty does not apply if the product (a) has been altered, except by VPNet, (b)
has not been installed, operated, repaired, or maintained in accordance with instructions supplied by
VPNet, (c) has been subjected to abnormal physical or electrical stress, misuse, negligence, or
accident, or (d) is used in ultrahazardous activities.
DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS
OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING,
WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE, NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE EXTENT
ALLOWED BY APPLICABLE LAW.
IN NO EVENT WILL VPNET OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE,
PROFIT, OR DATA, OR FOR SPECIAL INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR
PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF
LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE PRODUCT EVEN IF
VPNET OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall VPNet's or its suppliers’ liability to Customer, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations
shall apply even if the above-stated warranty fails of its essential purpose.
VSU-100 User Guide
The following information is for FCC compliance of Class B devices: This equipment has been tested
and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC rules.
These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. This equipment generates, uses, and can radiate
radio-frequency energy and, if not installed and used in accordance with the instruction manual, may
cause harmful interference to radio communications. Operation of this equipment in a residential area
is likely to cause harmful interference, in which case users will be required to correct the interference
at their own expense.
BSMI (Chinese Warning Label)
Hardware, including technical data, is subject to U.S. export control laws, including the U.S. Export
Administration Act and its associated regulations, and may be subject to export or import regulations
in other countries. Customer agrees to comply strictly with all such regulations and acknowledges
that it has the responsibility to obtain licenses to export, re-export, or import hardware.
VSU, VPNmanager, VPNremote, VPLink, VPNos, and VPNet are trademarks belonging to VPNet
Technologies, Inc. MD5 Message Digest Algorithm copyright RSA Data Security, Inc. All other
product names mentioned in this manual are trademarks or registered trademarks of their respective
manufacturers.
VSU-100 VPN Service Units User Guide
Copyright © 2001 VPNet Technologies, Inc.
All rights reserved. Printed in USA.
January 2001
P/N 09-0041-02
Table of Contents
Preface
  How This Guide Is Organized ........ i
  Product Registration ........ i
  Contacting Technical Support ........ i
Chapter 1  Introduction
  Functional Overview ........ 1-1
  VSU-100 Components ........ 1-3
  General Site Requirements ........ 1-4
Chapter 2  Installing the VSU-100
  Connecting the VSU-100 to the Network ........ 2-1
Chapter 3  Preparing the VSU-100 for Configuration
  Preparation ........ 3-1
  Configuration ........ 3-1
  FIPS Mode ........ 3-8
  General Firmware Upgrade Information ........ 3-8
APPENDIX A  Specifications
Glossary  VSU Acronyms
Preface
This user guide provides installation and configuration information for the
VSU-100 VPN Service Unit (VSU).
How This Guide Is Organized
Chapter 1, Introduction, includes a functional overview of the VSU-100 and its
major components along with site requirements for safe installation and
operation of the VSU-100.
Chapter 2, Installing the VSU-100, provides instructions for physical installation,
including placement and connection to the network.
Chapter 3, Preparing the VSU-100 for Configuration, provides instructions for
setting up VSU-100 addressing and enabling remote connectivity for using the
VPNmanager.
Appendix A, Specifications, documents physical, environmental, electrical, and
compliance specifications, as well as additional features.
Product Registration
To register the VSU-100, navigate to http://www.vpnet.com on the World
Wide Web.
Contacting Technical Support
Technical support is available to registered users of the VSU-100.
• Voice: 1-888-VPNET-88 (within U.S.) or +1 408-404-1400 (outside U.S.)
• FAX: +1 408-404-1414
• Email: [email protected]
• World Wide Web: http://www.vpnet.com
Chapter 1
Introduction
Functional Overview
The VSU-100 is a dedicated hardware-based VPN gateway that enables secure
data communications over public IP networks such as the Internet for a small
enterprise or small office environment.
Designed to work with an existing IP-based WAN-access router, the VSU-100
provides all the services required to implement a virtual private network (VPN),
including a network firewall, in one compact desktop enclosure.
The VSU-100 comes in two models:
• VSU-100 (site-to-site only)
• VSU-100R (site-to-site and supports VPNremote remote client access)
Figure 1-1  The VSU-100
The VSU-100R adds remote access support for remote clients running
VPNremote™ client software on their PCs. Both units support up to 100
concurrent IPSec sessions. Each has its own version of the embedded operating
system, VPNos. The VSU-100 VPNos can be field upgraded (optional) to the
VSU-100R.
Like other platforms in the VPNware family, the VSU-100 adds encryption,
compression, authentication, and key management to public network data links to
ensure privacy and integrity of corporate data over public IP networks, and to
enable the efficient and secure operation of virtual private networks (VPNs). It is
designed to perform complex operations, in real-time, without compromising
network performance, and in many cases can actually increase data throughput.
The VSU-100 supports a full suite of VPN services including: ICSA-certified
IPSec-based encryption, data compression, packet and user authentication, IKE
and SKIP key management, Network Address Translation (NAT), routing, and
packet filtering.
Security
The VSU-100 provides data stream privacy by employing cryptographic
algorithms and keys powerful enough for the most sensitive business
communications. It supports 56-bit DES and 168-bit Triple DES encryption, as
well as the ISAKMP and SKIP key management standards. The VSU-100 is able
to change keys frequently during transmission.
Data authenticity is assured by using MD5™ or SHA-1 hashing to reject altered
or forged packets. All security mechanisms employed by the VSU-100 conform
to IPSec standards, in order to provide interoperability and broaden the use of
VPN technology.
Performance
The VSU-100 supports IP over 10BASE-T or 100BASE-T local area networks
(LANs). Up to 100 concurrent site-to-site IPSec sessions are supported. When
packets are encrypted and authenticated according to IPSec protocol guidelines,
additional bytes—in the form of IPSec headers—must be added to packets. In
many cases, the additional packet overhead imposes a performance penalty in
return for security. The extra bytes may lengthen packets and reduce the
throughput (measured in packets per second). Of even greater impact is the
tendency for packets lengthened by IPSec headers to be fragmented by network
routers, causing further reductions in performance and additional latency.
Real-time compression performed by the VSU-100 eliminates packet fragmentation
and produces fewer, smaller packets, which can significantly enhance network
throughput and performance.
Plug-and-Play Installation
The VSU-100 can be placed in a variety of configurations on a 10/100BASE-T
LAN to provide VPN functionality. Native support for IP ensures that the
VSU-100 interoperates transparently with the broadest range of intranet and
other network applications.
The graphical VPNmanager™ (available separately) network management
application steps network managers through the configuration process and allows
them to create a VPN in minutes. The VPNmanager also supports extensive
facilities for VPN monitoring and troubleshooting, and for establishing
multi-company extranets. The VSU-100 provides support for RADIUS servers,
enabling VPNs that support hundreds of remote users and a variety of
mechanisms for remote user authentication.
VSU-100 Components
Each of the major VSU-100 components is shown in Figure 1-2.
Figure 1-2  VSU-100 Front Panel (callouts: Private Port, Console Port, Public Port,
Ethernet Ports, Status Indicators, DC Power Connector)
Ethernet Ports
The VSU-100 includes two 10/100BASE-T Ethernet interfaces for a public
(encrypted) and private (unencrypted) interface port.
NOTE: The VSU-100 is enclosed in a FIPS 140-1 compliant tamper-evident
case and may be opened only by an authorized service technician.
The status indications of the LEDs on each of the two Ethernet ports are shown in
Figure 1-3 below.
Figure 1-3  Ethernet Port Status Indicators (callouts: Activity; ON = Full Duplex,
OFF = Half Duplex; ON = 100 Mbps Connection, OFF = 10 Mbps Connection; Link)
General Site Requirements
This section describes the requirements your site must meet for safe installation
and operation of your system. Ensure that your site is properly prepared before
beginning installation.
Environmental Requirements
The VSU-100 is intended for use in a normal office environment. For more
extreme conditions, verify that temperature, humidity, and power conditions
meet the specifications indicated in Table 1-1.
Table 1-1  Environmental Requirements
Item                 Operating Specification
Temperature          32° to 104° F, 0° to 40° C
Relative Humidity    5-90%, non-condensing
Altitude             0-12,000 feet, 0-3,660 meters
Voltage              100-240 VAC
Input Frequency      47-63 Hz
AC input current     0.7 Amp
Additional VSU-100 specifications are included in Appendix A.
Site Power Considerations
Check the power at your site to ensure that you are receiving “clean” power (free
of spikes and noise). Install a power conditioner if necessary.
WARNING: This product relies on the building's installation for short-circuit
(overcurrent) protection. Ensure that a fuse or circuit breaker no larger than 120
VAC, 15A U.S. (240 VAC, 10A international) is used on the phase conductor (all
current-carrying conductors).
Required Equipment
The VSU-100 shipping carton should contain:
Quantity  Part Description
1         VSU-100 VPN Service Unit
1         VSU-100 VPN Service Unit User Guide
1         Null Modem Cable
1         UTP Crossover Cable
1         VSU-100 DC Power Supply
1         Power cord (110V) or Power cord (230V)
4         Rubber feet for desktop installations
1         VSU-100 Firmware diskette
To install and use the VSU-100 in a typical network, the customer must already
have or supply:
• Router providing connectivity to a WAN such as the Internet
• 10/100BASE-T Ethernet hub, router, or switch providing connectivity to the
office LAN
• CAT 3, 4, or 5 UTP cable to interconnect router, VSU-100, and hub(s)
• An asynchronous ASCII terminal supporting RS-232 or a PC running
terminal emulation software to provide initial IP configuration (IP address,
subnet mask, default router)
• PC workstation to run VPNmanager network management application
Chapter 2
Installing the VSU-100
This chapter provides instructions for Connecting the VSU-100 to the Network.
Connecting the VSU-100 to the Network
Figure 2-1 shows a typical network using the VSU-100.
Figure 2-1  Typical VSU-100 Hardware Installation (Public Network - Router - VSU-100
Public Port; VSU-100 Private Port - Hub, Switch, Router - Private LAN)
The VSU-100 rear panel is shown in Figure 2-2.
Figure 2-2  VSU-100 Front Panel Connectors (callouts: connect a cable between the
VSU-100 Public Port and the Router; connect a cable between the VSU-100 Private Port
and the Private LAN)
The console port accepts a female RS-232 DB-9 connection from an
asynchronous ASCII terminal or a PC running terminal emulation software. The
connection requires a null modem cable (supplied) and is used to assign IP
network configuration.
The communication settings for a terminal or PC connected to the console port
are provided in Table 2-1.
Table 2-1  Terminal Settings
Parameter      Setting
Baud           9600
Data Bits      8
Stop bits      1
Parity         No
Flow control   Hardware (RTS/CTS)
The Public port provides an interface to the public network, while the Private
port provides an interface to the private network.
Both Ethernet ports are 10/100BASE-T ports. They accept category 3, 4, or 5
UTP cabling terminated in an RJ-45 connector per IEEE 802.3 requirements for
10/100BASE-T.
Perform the following steps to install the VSU-100 in a typical LAN:
1. Connect the VSU-100 Public port to the public side of the LAN.
2. Connect the VSU-100 Private port to the private side of the LAN.
3. Connect an asynchronous ASCII terminal or PC running terminal emulation
software to the VSU-100 console port using the RS-232 null modem cable
which came with the VSU-100.
The terminal’s communications parameters should be set to 9600 baud, 8 data
bits, 1 stop bit, no parity, and RTS/CTS hardware flow control.
4. Connect the DC power cable from the power supply to the VSU-100, then
plug the AC power cable into an outlet. Proceed to Chapter 3, Preparing
the VSU-100 for Configuration.
Figure 2-3  Connecting the DC Power Supply to the VSU-100
Chapter 3
Preparing the VSU-100 for Configuration
Preparation
Before the VSU-100 can be incorporated into a Virtual Private Network (VPN),
it must be configured through the VPNmanager. However, to enable
communication between the VPNmanager and the VSU-100, you must first
assign an IP address, subnet mask, and default route to the VSU-100.
This chapter describes how to set up the VSU-100 addressing and remote
connectivity capabilities in preparation for remote configuration using the
VPNmanager software. This preliminary configuration is performed using a
terminal (or a PC running terminal emulation software) connected to the RS-232
console port.
The following procedure assumes that the VSU-100 has been physically installed
on the network, according to the instructions provided in Chapter 2.
Configuration
Beginning with VPNware 3.1, the following information is configured through
the VSU console Quick Setup:
• The VSU’s IP address and mask.
• The VSU’s secondary IP address and mask (Optional).
• The VSU’s default route.
• The VSU console password. Beginning with VPNware 3.1, if you forget this
password and need console access, it can be changed through the
VPNmanager’s Configuration console. Select the VSU Advanced Action tab,
then the Reset Password dialog box.
Preparing the VSU-100 for Configuration
3-1
VSU-100 User Guide
• The SuperUser name. This is the name that is authorized to perform any kind
of configuration request on a VSU. This name is provided by the
VPNmanager administrator the first time the VSU is added into the
VPNmanager database. The SuperUser name is case sensitive.
• The SuperUser password. This password authenticates the SuperUser name.
The SuperUser password is case sensitive. If the VPN administrator forgets
the SuperUser password, the VSU may still be reconfigured through the VSU
console Quick Setup menu as long the administrator has access to the VSU
console and knows the VSU console password.
• Configuration of blocking mode. This involves selecting one of three filtering
choices according to your organization’s security policy:
Permit all non-VPN traffic - When checked (default), all non-VPN traffic is
allowed to pass through the VSU.
Deny all IP non-VPN traffic - When checked, all non-IP traffic is passed
through the VSU. All non-VPN IP traffic is dropped except for the following:
ICMP, IGMP, GGP, EGP, IGP, DGP, EIGRP, and OSPF. NOTE: This mode
should be used when the VSU is dedicated to VPN traffic and is the only device
between the private and the public networks.
Deny all non-VPN traffic - When checked, all non-VPN traffic is prevented
from passing through the VSU. This mode blocks non-IP traffic and non-VPN
IP traffic, including broadcast traffic (e.g. ARPs), IP-multicast traffic
(e.g. OSPF updates) and other traffic containing routing information. NOTE:
This mode should be used when the VSU is dedicated to VPN traffic and is in
parallel with another device (such as a router or firewall) that will enforce
the network's non-VPN traffic policy. This mode should not be used when the
VSU is the only path between network devices and a router with which those
devices need to communicate.
• Setting the unit to run in FIPS-compliant mode or not.
• The current time and date.
NOTE: Each of these items is preserved over firmware upgrades.
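The three blocking modes expressed as a per-frame forwarding decision, written here as an added example and not VPNet's code. It assumes the VSU has already classified each frame as VPN or non-VPN (given as the `vpn` flag); the protocol numbers for the listed exceptions are the IANA assignments, and the sample frames are constructed.

```python
"""Forwarding decision for the three VSU non-VPN traffic blocking modes.

Added example modelled on the Quick Setup description above; not VPNet code.
Assumption: Frame.vpn is the result of the VSU's own VPN classification
(the frame matched a configured IPSec policy), which is not modelled here.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# IANA IP protocol numbers for the exceptions the manual lists under
# "Deny all IP non-VPN traffic": ICMP, IGMP, GGP, EGP, IGP, DGP, EIGRP, OSPF.
ROUTING_EXCEPTIONS = {1, 2, 3, 8, 9, 86, 88, 89}


class BlockingMode(Enum):
    PERMIT_ALL_NON_VPN = 1   # Quick Setup menu item 1 (factory default)
    DENY_IP_NON_VPN = 2      # menu item 2
    DENY_ALL_NON_VPN = 3     # menu item 3


@dataclass(frozen=True)
class Frame:
    ethertype: int
    vpn: bool = False               # matched a configured VPN (IPSec) policy
    ip_proto: Optional[int] = None  # IPv4 protocol number, if an IP frame


def decide(mode: BlockingMode, frame: Frame) -> str:
    """Return 'forward' or 'drop' for one frame under the given mode."""
    if frame.vpn:
        return "forward"            # VPN traffic is never subject to blocking
    if mode is BlockingMode.PERMIT_ALL_NON_VPN:
        return "forward"
    if mode is BlockingMode.DENY_ALL_NON_VPN:
        # Drops non-IP frames (ARP), multicast (OSPF updates) and everything
        # else that is not VPN traffic; a parallel router must carry them.
        return "drop"
    # DENY_IP_NON_VPN: non-IP frames pass, non-VPN IP is dropped except for
    # the routing and control protocols in the manual's exception list.
    if frame.ethertype != ETHERTYPE_IPV4:
        return "forward"
    return "forward" if frame.ip_proto in ROUTING_EXCEPTIONS else "drop"


def placement_note(mode: BlockingMode, vsu_is_only_path: bool) -> Optional[str]:
    """The manual's deployment caveat that applies to this mode, if any."""
    if mode is BlockingMode.DENY_ALL_NON_VPN and vsu_is_only_path:
        return ("deny-all blocks ARP and routing updates; not for a VSU that is "
                "the only path between the LAN and its router")
    if mode is BlockingMode.DENY_IP_NON_VPN and not vsu_is_only_path:
        return ("deny-IP is intended for a VSU that is the only device between "
                "the private and public networks")
    return None


# Constructed sample traffic; not captured from a real VSU.
SAMPLE_FRAMES: Dict[str, Frame] = {
    "arp_request": Frame(ETHERTYPE_ARP),
    "ospf_hello": Frame(ETHERTYPE_IPV4, ip_proto=89),
    "icmp_echo": Frame(ETHERTYPE_IPV4, ip_proto=1),
    "plain_tcp": Frame(ETHERTYPE_IPV4, ip_proto=6),
    "vpn_esp": Frame(ETHERTYPE_IPV4, vpn=True, ip_proto=50),
}


def decision_table(mode: BlockingMode) -> Dict[str, str]:
    """Decision for every sample frame under one mode."""
    return {name: decide(mode, f) for name, f in SAMPLE_FRAMES.items()}


def modes_forwarding(frame: Frame) -> List[str]:
    """Names of the modes under which a frame is forwarded."""
    return [m.name for m in BlockingMode if decide(m, frame) == "forward"]


if __name__ == "__main__":
    for mode in BlockingMode:
        print(mode.name, decision_table(mode))
```

Running the module prints the decision table for each mode; the OSPF row shows why deny-all needs a parallel router while deny-IP does not.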
When the VSU-100 is powered on for the first time, the terminal screen should
display the initial power on bootup screen shown in Figure 3-1.
VPNet Service Unit Model XXXX 3DES ENCRYPTION
Runtime System version x.x.xx, x/xx/2000
Copyright (C) 1996-2000 VPNet Technologies, Inc. All Rights Reserved.
-- Month Day 2000, 17:06:01 --
ethernet0: MAC Address 00:60:a1:00:23:f9
ethernet1: MAC Address 00:60:a1:00:23:fa
ethernet2: MAC Address 00:60:a1:00:16:9a
ethernet3: MAC Address 00:60:a1:00:16:9b
Checking Non Volatile RAM integrity... OK
Checking Configuration Database... OK
Checking Certificate Database... OK
Calibrating CPU performance monitor... OK
Power/Cooling subsystems Monitor initializing...
Power Subsystem is Good.
Cooling Subsystem Good.
...Done.
VPNet Technologies - VSU XXXX 3DES ENCRYPTION - Main Menu
1) Configuration
2) Statistics
3) Utilities
4) Logout
5) Quick Setup
Your choice [1-5]:
Figure 3-1  Initial Power On Bootup Screen for VSU
Preconfigure the VSU-100 to communicate with the VPNmanager using the
Quick Setup menu selection as described below:
1. From the Main Menu, select 5) Quick Setup.
VPNet Technologies - VSU XXXX - Main Menu
1) Configuration
2) Statistics
3) Utilities
4) Logout
5) Quick Setup
Your choice [1-5]: 5
You will be prompted for the information required to set up the VSU. To
accept the current value and go to the next prompt, press Return.
2. Enter the IP address and netmask assigned to the VSU.
NOTE: The Secondary IP address and mask are optional.
IP address: 192.0.2.1
Mask: 255.255.255.0
IP address: 210.1.18.135
IP mask: 255.255.255.0
Do you want a secondary IP address on this unit? [yn] y
Secondary IP address:
Secondary Mask: 255.0.0.0
Secondary IP address: 10.0.0.1
Secondary IP mask: 255.255.255.0
3. Enter the default route for this VSU.
Default Route is not configured.
Enter Default Route: 210.1.18.1
Typically, the default route is the IP address of the gateway router that
provides an IP route between the VSU-100 and the public network (e.g.,
Internet).
4. To prevent unauthorized users from accessing the VSU-100 through the
console port, enter and confirm the new VSU console password.
VSU Console password may be up to 31 characters.
Enter new VSU console password: ******
Confirm new VSU console password: ******
CAUTION: Do not forget this password. As a security measure, the only way
to bypass an unknown console password is to return the VSU-100 to the
factory at the customer’s expense.
The password may be up to 31 characters in length and is case-sensitive.
Once the password is set, it must be entered to gain future access to the VSU
console.
Pressing Return without typing anything at the “Enter new VSU console
password” and “Confirm new VSU console password” prompts will set the
VSU console password to empty (no password required).
5. A superuser name and password are required to allow the Network
Administrator to initially configure this VSU through the VPNmanager
application.
This VSU's superuser name is: "root". Change superuser name? [yn] y
This VSU's superuser name may be up to 31 characters.
Enter new superuser name: superuser
This VSU's superuser password may be up to 31 characters.
Enter new superuser password: ******
Confirm new superuser password: ******
Press Return or enter “n” to leave the superuser name at its default value of
root, or enter “y” to change the superuser name.
Both the superuser name and password may be up to 31 characters and are
case-sensitive. The name and password will be required later when first
setting up the VSU through the VPNmanager application. After the VSU has
been initially set up, the VSU may use the VPNmanager Directory Server to
authenticate a configuration request, at the Network Administrator’s option.
6. Select a traffic mode from the Non-VPN Traffic Configuration Menu.
Non-VPN traffic mode: non-VPN traffic is currently forwarded.
Non-VPN Traffic Configuration Menu
1) Permit all non-VPN traffic
2) Deny IP non-VPN traffic only
3) Deny all non-VPN traffic
P) Previous menu
Your choice [1-3]:
Permit all non-VPN traffic - When checked (default), all non-VPN traffic is
allowed to pass through the VSU.
Deny all IP non-VPN traffic - When checked, all non-IP traffic is passed
through the VSU.
Deny all non-VPN traffic - When checked, all non-VPN traffic is prevented
from passing through the VSU.
For additional information regarding traffic modes, see page 3-2.
7. Enter “n” if you do not want the VSU to run in FIPS-compliant mode. If you
answer “n”, Quick Setup skips to the date and time configuration; go to Step 8.
Enter “y” if you want the VSU to run in FIPS-compliant mode. If you answer
“y”, answer the following configuration questions. For more information
regarding FIPS, see “FIPS Mode” on page 3-8.
Do you want this unit to run in FIPs-compliant mode? [yn] y
FIPs-compilant mode may only be disabled via VPNmanager.
Please confirm that you want this unit to run in FIPs-compilant mode. [yn] y
8. Enter the current date and time.
Date: 3-9-2000
Enter date [MM-DD-YYYY]:
Time: 13:51:53
Enter time [HH:MM:SS]:
The date and time settings are primarily used to ensure accurate timestamps
when logging events. When changing either the date or time, all three parts of
the date (MM-DD-YYYY) or time (HH:MM:SS) must be entered. A 24-hour
clock is used when setting the time. For example, 13:00:00 is equivalent to
1:00 PM.
9. Reboot the VSU-100.
Reboot is required to complete Quick Setup. Reboot Now? [yn] y
Your VSU-100 is now prepared for configuration by using the VPNmanager.
The VSU initially passes all traffic between its Public and Private ports. This
would be a good time to verify connectivity by pinging the VSU from public
and private machines, and by passing traffic between public and private
machines.
Proceed to the VPNmanager Administrator Guide to continue configuring
your VSU.
FIPS Mode
FIPS (Federal Information Processing Standards) Mode forces the VSU to
operate in a FIPS 140-1 Level 2 compliant mode. It is recommended that this
mode only be used if your organization’s policy requires FIPS 140-1 Level 2
certification for cryptographic devices.
Note that in the FIPS mode (as dictated by the FIPS 140-1 requirements
specification), the following are NOT supported:
• SKIP VPNs
• VPNremote 2.5x Clients
• Any encryption algorithm other than DES or 3DES
• Any authentication algorithm other than SHA-1
General Firmware Upgrade Information
Configuration Items Left to the VPNmanager
The following items are likely to be configured by most administrators, but are
left to VPNmanager or other VSU console menu items to keep the Quick Setup
menu minimal:
• LDAP servers used to authenticate VPNmanager console users.
• Disable a VSU’s SuperUser account.
Flushing the configuration on VPNware 3.1
In the event you flush the configuration (via VSU console menu item
Configuration->Flush Configuration) on a VSU running VPNware 3.1 the
following occurs:
• The superuser name will be “root”.
• There will be no superuser password.
• If a VSU console password is configured, it will be preserved.
• The secondary IP address will be empty.
• The blocking mode will be set to forward all non-VPN traffic.
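What a flush leaves behind, and what to check before the unit goes back on the network, as an added example that is not VPNet code: a model of the Quick Setup items, the VPNware 3.1 flush described above, and an audit that flags the states the Quick Setup steps warn about (empty console password, default superuser name "root", no superuser password). Field names and the sample configuration are assumptions.

```python
"""Model of the VSU Quick Setup items and of Configuration->Flush Configuration
on VPNware 3.1. Added example, not VPNet code; the field names are assumed."""
from dataclasses import dataclass, replace
from typing import List, Optional

PASSWORD_MAX = 31       # console and superuser passwords: up to 31 characters
PERMIT_ALL_NON_VPN = 1  # blocking mode menu item 1, the factory default


@dataclass(frozen=True)
class QuickSetup:
    ip_address: str
    mask: str
    default_route: str
    console_password: str = ""       # Return at the prompt leaves it empty
    superuser_name: str = "root"     # default shown by Quick Setup
    superuser_password: str = ""
    secondary_ip: Optional[str] = None
    blocking_mode: int = PERMIT_ALL_NON_VPN
    fips_mode: bool = False


def flush_configuration(cfg: QuickSetup) -> QuickSetup:
    """Flush on VPNware 3.1: superuser back to 'root' with no password,
    secondary IP cleared, blocking mode back to forward-all; the VSU console
    password, if configured, is preserved."""
    return replace(cfg, superuser_name="root", superuser_password="",
                   secondary_ip=None, blocking_mode=PERMIT_ALL_NON_VPN)


def firmware_upgrade(cfg: QuickSetup) -> QuickSetup:
    """Firmware upgrades preserve every Quick Setup item."""
    return cfg


def audit(cfg: QuickSetup) -> List[str]:
    """Findings an administrator would want before the VSU is reachable from
    the public network; the blocking-mode line is a review item, not a fault."""
    findings = []
    if not cfg.console_password:
        findings.append("console password empty: console access needs no password")
    if cfg.superuser_name == "root":
        findings.append("superuser name is the default 'root'")
    if not cfg.superuser_password:
        findings.append("superuser password empty")
    for label, pw in (("console", cfg.console_password),
                      ("superuser", cfg.superuser_password)):
        if len(pw) > PASSWORD_MAX:
            findings.append(f"{label} password longer than {PASSWORD_MAX} chars")
    if cfg.blocking_mode == PERMIT_ALL_NON_VPN:
        findings.append("review: blocking mode permits all non-VPN traffic (default)")
    return findings


# Constructed example: a unit set up per the Quick Setup steps in this chapter,
# with placeholder passwords.
CONFIGURED = QuickSetup(ip_address="210.1.18.135", mask="255.255.255.0",
                        default_route="210.1.18.1", console_password="********",
                        superuser_name="superuser", superuser_password="********",
                        secondary_ip="10.0.0.1", blocking_mode=2)

if __name__ == "__main__":
    print("after setup:", audit(CONFIGURED))
    print("after flush:", audit(flush_configuration(CONFIGURED)))
```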
APPENDIX A
Specifications
Packet Encryption
• DES encryption (56-bit key)
• Triple DES (EDE-CBC) encryption (168-bit key)
• Weak and semi-weak keys are automatically discarded
Packet Authentication
• Keyed MD5™ AH Message Digest Algorithm (RFC 1321)
• HMAC-MD5 and HMAC SHA-1 (RFC 2104)
User Authentication
• RADIUS servers (Ascend Access Control™, Security Dynamics ACE/Server Access
Manager, BaySecure™ Access Control, Funk Steel Belted RADIUS Server)
• CHAP and PAP
• SecurID™ tokens
Compression
• Stac™ Lempel-Ziv hardware data compression
Key Management
• IKE: Key updates configurable starting from 60 seconds (RFC 2409)
• SKIP: Keys updated every 30 seconds
• Manual
• All packet, traffic, and authenticating keys automatically generated
Firewall Integration
• Bypass mode for non-VPN traffic
Network Address Translation (NAT)
• Supports static, dynamic, and port mapping
• Reverse address translation for dynamic IP clients
Protocol Support
• IEEE 802.3, Ethernet
• Full IPSec compliance: RFC 2401, 2402, 2403, 2404, 2405, 2406, 2407, 2408, 2409,
2410, 2412, 2451, IPSec Key Management using SKIP or IKE.
(Tunnel and transport modes supported.)
Digital Certificates
• X.509v3 for management and IPSec communication
• Compatible with certificates generated by VeriSign, GTE Cybertrust, Entrust,
Frontier Technologies, Baltimore, Netscape, Microsoft, and Thawte
System Management
• Configuration via Java-based VPNmanager™
• Monitoring from any application with SNMPv1 via VSU-1100 MIB
• Configuration traffic secured through SSL
• Secure software download for system upgrades
• Syslog event and usage logging
Remote Client Support
• VPNremote Client Software for Windows 95/98/NT
Compatibility
• Fully compatible with all other VPNware Service Units and VPNremote Client
Software for Windows 95/98/NT (using transport or tunnel mode)
• ICSA-certified IPSec
Dimensions
• 7.75" W x 6.5" D x 1.9" H (19.68 cm x 16.5 cm x 4.8 cm)
Weight
• 16 ounces. (497 grams)
Physical Security
• Tamper-evident enclosure (FIPS 140-1 Level 2)
LAN Interface
• Two 10/100BASE-T Ethernet ports
Management Interfaces
• RS-232 and Ethernet
Software Upgrade
• Via built-in flash memory
Power Requirements (AC Adapter)
• 100/240 VAC
• Input frequency: 50 to 60 Hz
• AC input current: 1 Amp
• Input +5.0 VDC ±5%, 10 watts max.
CAUTION: Danger of explosion if memory backup battery is incorrectly replaced.
Replace only with the same or equivalent type recommended by the manufacturer.
Dispose of used batteries according to the manufacturer’s instructions. Note that the
battery in this unit is a non-serviceable part.
Operating Environment
• Temperature: 32° to 104° F, 0 to 40°C
• Relative Humidity: 5 to 90% (non-condensing)
• Altitude: 0-12,000 feet, 3660 meters
Safety Certification
• UL, CSA, CE, CB Scheme
EMI/RFI
• FCC Part 15, Class B, CISPR 22/85A
• VCCI
GLOSSARY
VSU Acronyms
CBC – Cipher Block Chaining encryption
DES – Data Encryption Standard encryption
DNS – Domain Name Server (a distributed database system used to map host
names to IP addresses and vice versa)
DCE – Data Communication Equipment
DSU/CSU – Data Service Unit/Channel Service Unit
DTE – Data Terminal Equipment
ECB – Electronic Code Book encryption
HDLC – High-level Data Link Control
ISAKMP – Internet Security Association Key Management Protocol
IPSEC – Internet Protocol SECurity
MD5 – Message Digest Algorithm
PPP – Point to Point Protocol
RADIUS – Remote Authentication Dial-In User Server
RFC – Request For Comment
SHA – Secure Hash Algorithm
SKIP – Simple Key Management for Internet Protocol
SNMP – Simple Network Management Protocol
SSL – Secure Socket Layer
TCP/IP – Transmission Control Protocol / Internet Protocol
URL – Uniform Resource Locator
UTP – Unshielded Twisted Pair
VPN – Virtual Private Network
VSU – Virtual Service Unit
Index
B
bootup screen 3-2
C
configuration
preparation 3-1
configuring
using quick setup menu 3-4
connections
Ethernet LAN 2-3
router 2-3
console password 3-5
contacting VPNet 1-i
D
date and time 3-7
default route 3-4
DES 1-2
E
email support 1-i
environmental requirements 1-4
equipment
provided by customer 1-5
provided by VPNet 1-5
F
FAX support 1-i
I
IP address 3-4
IPSec standards 1-2
L
LAN connections 2-3
N
netmask 3-4
P
password
VSU console 3-5
performance 1-2
phone support 1-i
plug-and-play installation 1-3
power on bootup screen 3-2
product registration 1-i
Q
quick setup menu 3-4
R
reboot 3-7
registration 1-i
requirements
environmental 1-4
router connections 2-3
S
security 1-2
SHA1 1-2
SKIP 1-2
specifications A-1
T
technical support 1-i
terminal settings 2-2
time 3-7
triple DES 1-2
V
VPNmanager 3-1, 3-7
VSU console password 3-5
W
world wide web support 1-i
