This Chapter describes the VPN capabilities and configuration required for common situations.
This section describes the VPN (Virtual Private Network) support provided by your Broadband VPN Gateway.
A VPN (Virtual Private Network) provides a secure connection between 2 points, over an insecure network - typically the Internet. This secure connection is called a VPN Tunnel.
There are many standards and protocols for VPNs. The standard implemented in the Broadband VPN Gateway is IPSec.
IPSec is a near-ubiquitous VPN security standard, designed for use with TCP/IP networks. It works at the packet level, and authenticates and encrypts all packets traveling over the VPN Tunnel. Thus, it does not matter what applications are used on your PC. Any application can use the VPN like any other network connection.
IPsec VPNs exchange information through logical connections called SAs (Security Associations). An SA is simply a definition of the protocols, algorithms and keys used between the two VPN devices (endpoints).
Each IPsec VPN has two SAs - one in each direction. If IKE (Internet Key Exchange) is used to generate and exchange keys, there are also SAs for the IKE connection as well as the IPsec connection.
There are two security modes possible with IPSec:
IKE (Internet Key Exchange) is an optional, but widely used, component of IPsec. IKE provides a method of negotiating and generating the keys and IDs required by IPSec. If using IKE, only a single key is required to be provided during configuration. Also, IKE supports using Certificates (provided by CAs - Certification Authorities) to authenticate the identity of the remote user or gateway.
If IKE is NOT used, then all keys and IDs (SPIs) must be entered manually, and Certificates can NOT be used. This is called a "Manual Key Exchange".
When using IKE, there are 2 phases to establishing the VPN tunnel:
Because the IKE and IPsec connections are separate, they have different SAs (security associations).
VPN configuration settings are stored in Policies.
Each policy defines:
Generally, you will need at least one (1) VPN Policy for each remote site for which you wish to establish VPN connections.
It is possible, and sometimes necessary, to have multiple Policies for the same remote site. In this case, the order (sequence) of the policies is important. The policies are examined in turn, and the first matching policy will be used.
The general rule is that each endpoint must have matching Policies, as follows:
| Setting | Description |
|---|---|
| Remote VPN address | Each VPN endpoint must be configured to initiate or accept connections to the remote VPN client or Gateway. Usually, this requires having a fixed Internet IP address. However, it is possible for a VPN Gateway to accept incoming connections from a remote client where the client's IP address is not known in advance. |
| Traffic Selector | This determines which outgoing traffic will cause a VPN connection to be established, and which incoming traffic will be accepted. Each endpoint must be configured to pass and accept the desired traffic from the remote endpoint. If connecting 2 LANs, this requires that: |
| IKE parameters | If using IKE (recommended), the IKE parameters must match (except for the SA lifetime, which can be different). |
| IPsec parameters | The IPsec parameters at each endpoint must match. |
Here, a PC on the LAN behind the Router/Gateway is using VPN software, but the Router/Gateway is NOT acting as a VPN endpoint. It is only allowing the VPN connection.
Figure 45: Client PC to VPN Server
In this situation, the PC must run appropriate VPN client software in order to connect, via the Internet, to the Broadband VPN Gateway. Once connected, the client PC has the same access to LAN resources as PCs on the local LAN (unless restricted by the network administrator).
Figure 46: Connecting 2 VPN Gateways
This allows two (2) LANs to be connected. PCs on each endpoint gain secure access to the remote LAN.
This section covers the configuration required on the Broadband VPN Gateway when using Manual Key Exchange (Manual Policies) or IKE (Automatic Policies).
Details of using Certificates are covered in a later section.
To view this screen, select VPN Policies from the VPN menu. This screen lists all existing VPN policies. If no policies exist, the list will be empty.
Note that the order of policies is important if you have more than one policy for particular traffic. In that case, the first matching policy (for the traffic under consideration) will be used.
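The "first matching policy is used" rule above (also stated earlier under VPN Policies) is easy to get wrong when a broad policy is listed before a narrower one for the same remote site. The following is an added illustration, not code from the manual or the gateway's firmware: it walks an ordered policy list the way the text describes and flags policies that an earlier entry shadows. Policy names, selectors and the CIDR representation of "Any" are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Policy:
    name: str
    enabled: bool
    local: str    # local traffic selector in CIDR form; "0.0.0.0/0" stands for "Any"
    remote: str   # remote traffic selector in CIDR form

    def local_net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.local)

    def remote_net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.remote)

def first_match(policies: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """Examine the policies in order and return the first enabled one whose
    traffic selector covers a src -> dst packet, as the gateway does."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.enabled and src_ip in p.local_net() and dst_ip in p.remote_net():
            return p
    return None

def shadowed(policies: List[Policy]) -> List[str]:
    """Names of enabled policies that can never be selected because an earlier
    enabled policy already covers their whole local and remote selector."""
    enabled = [p for p in policies if p.enabled]
    result = []
    for i, later in enumerate(enabled):
        for earlier in enabled[:i]:
            if (later.local_net().subnet_of(earlier.local_net())
                    and later.remote_net().subnet_of(earlier.remote_net())):
                result.append(later.name)
                break
    return result

# Constructed sample: two policies for the same remote LAN (192.168.1.0/24).
# "Broad" admits any local host; "Specific" was meant to apply only to the host
# 192.168.0.10 but is listed after "Broad", so it is never the first match.
POLICIES = [
    Policy("Broad", True, "0.0.0.0/0", "192.168.1.0/24"),
    Policy("Specific", True, "192.168.0.10/32", "192.168.1.0/24"),
]

if __name__ == "__main__":
    hit = first_match(POLICIES, "192.168.0.10", "192.168.1.5")
    print("policy used for 192.168.0.10 -> 192.168.1.5:", hit.name if hit else None)
    print("shadowed:", shadowed(POLICIES))
    # Moving "Specific" above "Broad" (the Move operation) makes it reachable again.
    print("shadowed after reordering:", shadowed(list(reversed(POLICIES))))
```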
VPN List

| Column | Description |
|---|---|
| Policy Name | The name of the policy. When creating a policy, you should select a suitable name. |
| Enable | This indicates whether or not the policy is currently enabled. Use the "Enable/Disable" button to toggle the state of the selected policy. |
| Remote VPN Endpoint | The IP address of the remote VPN endpoint (Gateway or client). |
| Key Type | This will indicate "Manual" (manual key exchange) or "IKE" (Internet Key Exchange). |

Operations

| Button | Description |
|---|---|
| Add | To add a new policy, click the "Add" button. See the following section for details. |
| Edit | To edit or modify an existing policy, select it and click the "Edit" button. |
| Move | There are 2 ways to change the order of policies: |
| Enable/Disable | Use this to toggle the On/Off state of the selected policy. |
| Copy | If you wish to create a policy which is similar to an existing policy, select the policy and click the "Copy" button. Remember that the new policy must have a different name, and there can only be one active (enabled) policy for each remote VPN endpoint. |
| Delete | To delete an existing policy, select it and click the "Delete" button. |
| View Log | Clicking the "View Log" button will open a new window and display the VPN log. |
Figure 49: VPN Wizard - General
General Settings

| Setting | Description |
|---|---|
| Policy Name | Enter a suitable name. This name is not supplied to the remote VPN. It is used only to help you manage the policies. |
| Enable Policy | Enable or disable the policy as required. For each remote VPN, only 1 policy can be enabled at any time. |
| Remote VPN Endpoint | The Internet IP address of the remote VPN endpoint (Gateway or client). |
| Keys | Select Manually assigned or IKE (Internet Key Exchange) as required. If you are setting up both endpoints, using IKE is recommended. |
Figure 50: VPN Wizard - Traffic Selector
Local IP addresses

| Setting | Description |
|---|---|
| Type | The remote VPN must have these IP addresses entered as its "Remote" addresses. |

Remote IP addresses

| Setting | Description |
|---|---|
| Type | The remote VPN should have these IP addresses entered as its "Local" addresses. |
Manual Key Exchange
Figure 51: VPN Wizard - Manual Key Exchange
These settings must match the remote VPN. Note that you cannot use both AH and ESP.
Manually assigned Keys

| Setting | Description |
|---|---|
| AH Authentication | AH (Authentication Header) specifies the authentication protocol for the VPN header, if used. (AH is often NOT used.) If AH is not enabled, the following settings can be ignored. |
| Keys | |
| SPI | |
| ESP Encryption | ESP (Encapsulating Security Payload) provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both Encryption and Authentication. |
| ESP Authentication | Generally, you should enable ESP Authentication. There is little difference between the available algorithms. Just ensure each endpoint uses the same setting. |
| ESP SPI | This is required if either ESP Encryption or ESP Authentication is enabled. |
For Manual Key Exchange, configuration is now complete.
IKE Phase 1
If you selected IKE, the following screen is displayed after the Traffic Selector screen.
Figure 52: VPN Wizard - IKE Phase 1
IKE Phase 1 (IKE SA)

| Setting | Description |
|---|---|
| Direction | Select the desired option: |
| Local Identity | This setting must match the "Remote Identity" on the remote VPN. IP address is the more common method. |
| Remote Identity | This setting must match the "Local Identity" on the remote VPN. IP address is the more common method. |
| Authentication | |
| Encryption | Select the desired method, and ensure the remote VPN endpoint uses the same method. The "3DES" algorithm provides greater security than "DES", but is slower. |
| IKE Exchange Mode | Select the desired option, and ensure the remote VPN endpoint uses the same mode. Main Mode provides identity protection for the hosts initiating the IPSec session, but takes slightly longer to complete. Aggressive Mode provides no identity protection, but is quicker. |
| IKE SA Life Time | This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such as 28,800 seconds. |
| DH Group | Select the desired method, and ensure the remote VPN endpoint uses the same method. The smaller bit size is slightly faster. |
| IKE PFS | If enabled, PFS (Perfect Forward Secrecy) enhances security by changing the IPsec key at regular intervals, and ensuring that each key has no relationship to the previous key. Thus, breaking 1 key will not assist in breaking the next key. This setting should match the remote endpoint. |
Click Next to see the following IKE Phase 2 screen.
Figure 53: VPN Wizard - IKE Phase 2
IKE Phase 2 (IPsec SA)

| Setting | Description |
|---|---|
| IPsec SA Life Time | This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such as 28,800 seconds. |
| IPSec PFS | If enabled, PFS (Perfect Forward Secrecy) enhances security by changing the IPsec key at regular intervals, and ensuring that each key has no relationship to the previous key. Thus, breaking 1 key will not assist in breaking the next key. |
| AH Authentication | AH (Authentication Header) specifies the authentication protocol for the VPN header, if used. AH is often NOT used. If you do enable it, ensure the algorithm selected matches the other VPN endpoint. |
| ESP Encryption | ESP (Encapsulating Security Payload) provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both ESP Encryption and ESP Authentication. Select the desired method, and ensure the remote VPN endpoint uses the same method. The "3DES" algorithm provides greater security than "DES", but is slower. |
| ESP Authentication | Generally, you should enable ESP Authentication. There is little difference between the available algorithms. Just ensure each endpoint uses the same setting. |
For IKE, configuration is now complete.
This section describes some examples of using the Broadband VPN Gateway in common VPN situations.
In this example, 2 LANs are connected via VPN.
Figure 54: Connecting 2 Broadband VPN Gateways
Note
Configuration Settings
| Setting | LAN A Gateway | LAN B Gateway | Notes |
|---|---|---|---|
| Name | Policy 1 | Policy 1 | Name does not affect operation. Select a meaningful name. |
| Remote Endpoint | 205.17.11.43 | 202.11.13.211 | Other endpoint's WAN (Internet) IP address. |
| Local IP addresses | Any | Any | Use a more restrictive definition if possible. |
| Remote IP addresses | 192.168.1.1 to 192.168.1.254 | 192.168.0.1 to 192.168.0.254 | Address range on other endpoint. Use a more restrictive definition if possible. |
| Key Exchange | IKE | IKE | Must match |
| IKE SA Parameters | | | |
| IKE Direction | Both ways | Both ways | Does not have to match. Either endpoint can block 1 direction. |
| Local Identity | IP address | IP address | IP address is the most common ID method |
| Remote Identity | IP address | IP address | IP address is the most common ID method |
| IKE Authentication method | Pre-shared Key | Pre-shared Key | Certificates are not widely used. |
| Pre-shared Key | Xxxxxxxxxx | Xxxxxxxxxx | Must match |
| IKE Authentication algorithm | MD5 | MD5 | Must match |
| IKE Encryption | DES | DES | Must match |
| IKE Exchange mode | Main Mode | Main Mode | Must match |
| DH Group | Group 1 (768 bit) | Group 1 (768 bit) | Must match |
| IKE SA Life time | 28800 | 28800 | Does not have to match. Shorter period will be used. |
| IKE PFS | Disable | Disable | Must match |
| IPSec SA Parameters | | | |
| IPSec SA Life time | 28800 | 28800 | Does not have to match. Shorter period will be used. |
| IPSec PFS | Disabled | Disabled | Must match |
| AH authentication | Disabled | Disabled | AH is rarely used |
| ESP authentication | Enable/MD5 | Enable/MD5 | Must match |
| ESP encryption | Enable/DES | Enable/DES | Must match |
In this example, a Windows 2000/XP client connects to the Broadband VPN Gateway and gains access to the local LAN.
Figure 55: Windows 2000/XP Client to Broadband VPN Gateway
Note: To use 3DES encryption, you need Service Pack 3 or later installed on Windows 2000.
Broadband VPN Gateway Configuration
| Setting | Value | Notes |
|---|---|---|
| Name | Win Client | Name does not affect operation. Select a meaningful name. |
| Remote Endpoint | 172.16.9.10 | Other endpoint's WAN (Internet) IP address. |
| Local IP addresses | Subnet address: 192.168.0.0 255.255.255.0 | Allows access to entire LAN. Use a more restrictive definition if possible. |
| Remote IP addresses | 172.16.9.10 | For a single client, this is the same as the Gateway. |
| Key Exchange | IKE | Must match |
| IKE SA Parameters | | |
| IKE Direction | Responder | Only want to accept client connections. |
| Local Identity | IP address | Required. |
| Remote Identity | IP address | Required. |
| IKE Authentication method | Pre-shared Key | Certificates are not widely used. |
| Pre-shared Key | Xxxxxxxxxx | Must match client PC |
| IKE Authentication algorithm | SHA-1 | Must match client PC |
| IKE Encryption | 3DES | Must match client PC |
| IKE Exchange mode | Main Mode | Must match client PC |
| DH Group | Group 1 (768 bit) | Must match client PC |
| IKE SA Life time | 28800 | Does not have to match client PC. Shorter period will be used. |
| IKE PFS | Disable | Must match client PC |
| IPSec SA Parameters | | |
| IPSec SA Life time | 28800 | Does not have to match. Shorter period will be used. |
| IPSec PFS | Disable | Must match client PC |
| AH authentication | Disabled | AH is rarely used |
| ESP authentication | Enable/MD5 | Must match client PC |
| ESP encryption | Enable/DES | Must match client PC |
Windows Client Configuration
Figure 57: Windows 2000/XP - Policy Properties
| VPN Setting | Windows Setting |
|---|---|
| IKE enabled | Negotiate security |
| AH disabled | AH Integrity: <None> |
| ESP encryption: Enable/DES | ESP Confidentiality: DES |
| ESP authentication: Enable/MD5 | ESP Integrity: MD5 |
Figure 81: Windows 2000/XP Client to Broadband VPN Gateway
Configuration is now complete.
In this example, a Windows 2000 Server connects to the Broadband VPN Gateway. Users on each LAN can then gain access to the remote LAN.
Figure 82: Broadband VPN Gateway to Windows 2000 Server
Broadband VPN Gateway Configuration
This is the same as for the client setup earlier, with the exception of the IP address range for the remote endpoint.
| Setting | Single Client | Server/Gateway |
|---|---|---|
| Remote IP addresses | 172.16.9.10 (For a single client, this is the same as the Gateway address.) | Subnet address: 11.5.0.0 255.255.0.0 (Address range used on the remote LAN.) |
Windows 2000 Server Configuration
Configuration is the same as for Example 2: Windows 2000/XP Client to Broadband VPN Gateway, except for specifying the Source and Destination addresses for the "Filter Properties". Instead, for both IP Filters, the Filter Properties - Addressing should be completed as follows.
Figure 83: Windows 2000 Server - Addressing
Certificates are used to authenticate users. Certificates are issued to you by various CAs (Certification Authorities). These Certificates are called "Self Certificates".
Each CA also issues a certificate to itself. This Certificate is required in order to validate communication with the CA. These certificates are called "Trusted Certificates."
The Certificates screen lists both the Trusted Certificate - the certificates of each CA itself - and Self Certificates - the certificates issued to you.
Figure 84: Certificates Screen
Trusted Certificates

| Column | Description |
|---|---|
| Subject Name (CA) | The "Subject Name" is always the company or person to whom the Certificate is issued. For trusted certificates, this will be a CA. |
| Issuer Name | The CA (Certification Authority) which issued the Certificate. |
| Expiry Time | The date on which the Certificate expires. You should renew the Certificate before it expires. |
| Delete button | Use this button to delete a Trusted Certificate. Select the checkbox in the Delete column for any Certificates you wish to delete, then click the "Delete" button. |

Self Certificates

| Column | Description |
|---|---|
| Name | The name you assigned to this Certificate. You should select a name which helps to identify this particular certificate. |
| Subject Name | The company or person to whom the Certificate is issued. |
| Issuer Name | The CA (Certification Authority) which issued the Certificate. |
| Expiry Time | The date on which the Certificate expires. You should renew the Certificate before it expires. |
| Delete button | Use this button to delete a Self Certificate. Select the checkbox in the Delete column for any Certificates you wish to delete, then click the "Delete" button. |
This process is different to obtaining a Trusted Certificate. The Broadband VPN Gateway must generate a request for the CA. You cannot request a Certificate directly. The correct procedure is as follows:
| Setting | Description |
|---|---|
| Name | Enter a name which helps to identify this particular certificate. This name is only for your reference. |
| Subject Name | This is the name which other organizations will see as the Holder (owner) of this Certificate. This should be your registered business name or official company name. Generally, all Certificates should have the same value in the Subject field. |
| Hash Algorithm | Select the desired option. |
| Signature Algorithm | Select the desired option. RSA is recommended. |
| Signature Key Length | Select the desired option. Normally, 1024 bits provides adequate security. |
CRLs are only necessary if using Certificates.
CRL (Certificate Revocation List) files show Certificates which have been revoked, and are no longer valid. Each CA issues their own CRLs.
It is VERY IMPORTANT to keep your CRLs up-to-date. You need to obtain the CRL for each CA regularly. The "Next Update" field in the CRL shows when the next update will be available.
To add a New CRL