This chapter applies to the Duolinks SW24 VPN and the Duolinks SW24 VPN Plus Load Balancers only.

A Virtual Private Network (VPN) is a connection between two end points. A VPN allows private data to be sent securely over a public network, such as the Internet, using encrypted tunnels.

Like the Syswan VPN Client, your Duolinks SW24 VPN Series Load Balancer uses the industry standard IPSec VPN protocol, thus making all Syswan Technologies VPN solutions 100% compatible with each other.

The Duolinks SW24 VPN Series Load Balancers provide Remote-to-LAN and LAN-to-LAN VPN configurations. VPN tunnels can be configured for redundancy and failover, and VPN Mesh Groups can be created when interconnecting two Duolinks SW24 VPN Plus Load Balancers.

Although the Duolinks SW24 VPN Series Load Balancer can interoperate with many other IPSec VPN gateways and products, it is not in the scope of the Syswan Technologies support team to provide specific technical support for any third party gateways or products involved in your network configuration.

Important Note:
Data encryption may not be permitted by law in your country. Please make sure that you comply with all local laws and regulations before building a VPN tunnel.
Before building your VPN infrastructure, you must identify and plan your VPN requirements:

1. Is it a Remote-to-LAN or a LAN-to-LAN VPN? Do both end points have Duolinks SW24 VPN Series Load Balancers or the Syswan VPN Client?

2. Do both networks have the same network settings (i.e. 192.168.1.0/24)? If yes, you will need to change the network settings on one of the networks. For a LAN-to-LAN VPN configuration, both networks have to be on different network segments.

3. What are the security settings (authentication, preshared key)?

4. Do you have a fixed IP address at least on the responder endpoint? For security reasons, a fixed IP address for each endpoint is recommended in LAN-to-LAN VPN configurations.

5. What is the encryption level (DES, 3DES or AES)?

IKE Global Setup Page

To configure IPSec VPN on your Duolinks SW24 VPN Series Load Balancer, first enable both WAN links (WAN1 and WAN2) on the IKE Global Setup page. You may leave the default configuration, which is suitable for most common situations.

The above example shows changes to the default configuration for DH Group, Encryption Method and Authentication Method. You may change these settings and specify other options here.

Once both WAN links are configured for IKE, click Submit and Reboot.
Global List (Phase 1)
    Lists the WAN1 and WAN2 VPN phase 1 settings.

Global Parameter
    · Enable Setting: If you enable the check box for WAN1, WAN2 or both, this will start the IPSec Global Setting.
    · ISAKMP Port: The Internet Security Association and Key Management Protocol (ISAKMP) is designed to negotiate, establish, modify and delete security associations and their attributes. It was assigned UDP port 500 by the IANA.
    · Phase 1 DH Group: Use DH Group 1 (768 bits), DH Group 2 (1024 bits) or DH Group 5 (1536 bits) to generate the IPSec SA keys.
    · Phase 1 Encryption Method: There are three data encryption methods available: DES, 3DES and AES.
    · Phase 1 Authentication Method: There are two authentication methods available: MD5 and SHA1 (Secure Hash Algorithm).
    · Phase 1 SA Life Time: By default the Security Association lifetime is 28800 sec.
    · Maxtime to complete phase 1: The aim of phase 1 is to authenticate and establish a secure tunnel, which will protect further IKE negotiation. The default maximum time is 10 sec.
    · Maxtime to complete phase 2: Phase 2 actually establishes the IPSec SAs. By default the maximum time is 300 sec.

Log Level
    Select the VPN log level that you would like to display in the VPN logs.
Use the IPSec Policy Setup page to create new VPN tunnels (phase 2 policies) or to modify existing VPN tunnels. You will need to specify all network related information and security related information, including encryption and authentication methods.

Please note that all these settings need to be the same on the remote end point for your VPN tunnel to open. Any misconfiguration on either side will prevent the VPN tunnel from opening.

Once you have made the configuration settings at both ends you may click Connection to initiate the VPN tunnel. The Set Options.. button permits configuration of DPD (Dead Peer Detection) and other advanced VPN features.
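The manual requires the phase 1 and phase 2 settings to match on both end points, the traffic selectors to mirror each other, and (planning step 2 above) the two LAN segments not to overlap. The following Python check, added here as an example and not part of Syswan's software or this manual, compares two site configurations against those rules before the Connection button is pressed. The dictionary layout ("ike", "policy", "wan" and their keys) and the sample addresses are assumptions constructed for the example; the field names follow the IKE Global Setup and IPSec Policy Setup pages.

```python
"""Consistency check for the two ends of a LAN-to-LAN IPSec tunnel.

Added example, not Syswan code.  The dictionary layout (keys such as
"ike", "policy", "wan") is an assumption made for this example; the
field names mirror the IKE Global Setup and IPSec Policy Setup pages.
"""
import ipaddress

# Phase 1 (IKE Global Setup) parameters that must be identical on both ends.
PHASE1_KEYS = ("isakmp_port", "dh_group", "encryption", "authentication", "sa_lifetime")
# Phase 2 (IPSec Policy Setup) parameters that must be identical on both ends.
PHASE2_KEYS = ("encryption", "authentication", "key_type", "mode", "pfs", "preshared_key")


def check_site_pair(a, b):
    """Return a list of human-readable problems; an empty list means the
    two configurations are mirror images of each other."""
    problems = []

    for key in PHASE1_KEYS:
        if a["ike"].get(key) != b["ike"].get(key):
            problems.append(f"phase 1 {key} differs: {a['ike'].get(key)!r} vs {b['ike'].get(key)!r}")

    for key in PHASE2_KEYS:
        if a["policy"].get(key) != b["policy"].get(key):
            problems.append(f"phase 2 {key} differs: {a['policy'].get(key)!r} vs {b['policy'].get(key)!r}")

    # Traffic selectors are mirrored: A's local network is B's remote network.
    if a["policy"]["local_net"] != b["policy"]["remote_net"]:
        problems.append("A local network does not match B remote network")
    if b["policy"]["local_net"] != a["policy"]["remote_net"]:
        problems.append("B local network does not match A remote network")

    # LAN-to-LAN requires the two private networks to be different segments.
    net_a = ipaddress.ip_network(a["policy"]["local_net"], strict=False)
    net_b = ipaddress.ip_network(b["policy"]["local_net"], strict=False)
    if net_a.overlaps(net_b):
        problems.append(f"local networks overlap: {net_a} and {net_b}")

    # The remote security gateway must be the WAN address the peer binds the tunnel to.
    if a["policy"]["remote_gateway"] != b["wan"][b["policy"]["interface"]]:
        problems.append("A remote gateway is not B's bound WAN address")
    if b["policy"]["remote_gateway"] != a["wan"][a["policy"]["interface"]]:
        problems.append("B remote gateway is not A's bound WAN address")

    return problems


def make_site(name, wan1, wan2, interface, local_net, remote_net, remote_gateway, **overrides):
    """Build one site's configuration.  Phase 1 defaults follow the manual
    (UDP 500, 28800 s SA lifetime); everything else is constructed sample data."""
    site = {
        "name": name,
        "wan": {"WAN1": wan1, "WAN2": wan2},
        "ike": {"isakmp_port": 500, "dh_group": 2, "encryption": "3DES",
                "authentication": "SHA1", "sa_lifetime": 28800},
        "policy": {"interface": interface, "local_net": local_net,
                   "remote_net": remote_net, "remote_gateway": remote_gateway,
                   "encryption": "AES", "authentication": "SHA1", "key_type": "auto",
                   "mode": "main", "pfs": True, "preshared_key": "example-psk"},
    }
    site["policy"].update(overrides)   # per-site phase 2 changes for experiments
    return site


# Constructed sample: site A and site B, each binding the tunnel to its WAN1.
SITE_A = make_site("A", "198.51.100.10", "198.51.100.11", "WAN1",
                   "192.168.10.0/24", "192.168.20.0/24", "203.0.113.20")
SITE_B = make_site("B", "203.0.113.20", "203.0.113.21", "WAN1",
                   "192.168.20.0/24", "192.168.10.0/24", "198.51.100.10")

if __name__ == "__main__":
    for line in check_site_pair(SITE_A, SITE_B) or ["configurations match"]:
        print(line)
```

Run it against the two sample sites and it reports that the configurations match; change one side's encryption method or give both LANs the same subnet and it lists every rule the pair now violates, which is exactly the information the tunnel itself does not give you when it simply fails to open.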

IPSec Policy Setup Page
A redundant VPN failover configuration is achieved by creating two (2) identical VPN tunnels between two Duolinks SW24 VPN Series Load Balancers and by pointing each WAN link to the corresponding WAN link on the remote device.

VPN Fail Over diagram

In case the first WAN link fails, the tunnel will automatically be created using the second configuration.

A VPN Mesh configuration is achieved by creating four (4) identical VPN tunnels between two Duolinks SW24 VPN Plus Load Balancers and by pointing each local WAN link to both WAN links on the remote device.

VPN Mesh Group diagram

In the event of one WAN link failure, the VPN tunnel will still be maintained between both networks.
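The difference between the two-tunnel failover layout and the four-tunnel mesh layout is which combinations of failed WAN links still leave a tunnel standing. The short Python model below, an added example rather than anything from Syswan or this manual, enumerates both layouts and counts surviving tunnels for every scenario with at most one failed link per site. The WAN link labels are constructed names.

```python
"""Survivability of the VPN Fail Over and VPN Mesh Group tunnel layouts.

Added example, not Syswan code.  WAN link names are constructed labels;
the functions only enumerate which tunnels stay up when links fail.
"""
from itertools import product


def failover_tunnels(local_wans, remote_wans):
    """Two tunnels: each local WAN link points to the corresponding remote link."""
    return list(zip(local_wans, remote_wans))


def mesh_tunnels(local_wans, remote_wans):
    """Four tunnels: each local WAN link points to both remote WAN links."""
    return list(product(local_wans, remote_wans))


def surviving_tunnels(tunnels, failed_links):
    """A tunnel survives only if neither of its end links has failed."""
    return [(l, r) for (l, r) in tunnels if l not in failed_links and r not in failed_links]


def failure_report(local_wans, remote_wans, tunnels):
    """Count surviving tunnels for every combination of at most one failed
    link per site (None = no failure on that site)."""
    report = {}
    for local_fail in (None, *local_wans):
        for remote_fail in (None, *remote_wans):
            failed = {x for x in (local_fail, remote_fail) if x is not None}
            report[(local_fail, remote_fail)] = len(surviving_tunnels(tunnels, failed))
    return report


def worst_case(local_wans, remote_wans, tunnels):
    """Smallest number of tunnels left standing across the scenarios above."""
    return min(failure_report(local_wans, remote_wans, tunnels).values())


LOCAL = ("A-WAN1", "A-WAN2")    # constructed labels for the local device's links
REMOTE = ("B-WAN1", "B-WAN2")   # constructed labels for the remote device's links

if __name__ == "__main__":
    for label, tunnels in (("failover", failover_tunnels(LOCAL, REMOTE)),
                           ("mesh", mesh_tunnels(LOCAL, REMOTE))):
        print(label, "tunnels:", tunnels)
        for scenario, alive in failure_report(LOCAL, REMOTE, tunnels).items():
            print("  failed", scenario, "->", alive, "tunnel(s) up")
```

The report shows why the mesh layout is the one recommended for load balancing: when A's WAN1 and B's WAN2 fail together, the failover layout has no usable tunnel, while the mesh still has A-WAN2 to B-WAN1.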
Policy Entry
    · Tunnel Name: Give a name for this tunnel.
    · State: Enable/Disable the VPN policy state.

Traffic Binding
    · Interface: Select WAN1 or WAN2 for binding the VPN tunnel.

Local Identity Option
    · Type: There are three local WAN identity types to choose from: IP address, domain name and distinguished name.

Traffic Selector
    · Protocol Type: You can choose the TCP, UDP, ICMP or GRE protocol as your connection protocol. By default the protocol type is Any.
    · Local Security Network: These entries identify the private network on this VPN router, the hosts of which can use the LAN-to-LAN connection. You can choose a single IP address, the subnet, or a selected IP range to make the VPN LAN-to-LAN connection.
    · Remote Security Network: These entries identify the private network on the remote peer VPN router whose hosts can use the LAN-to-LAN connection. You can choose a single IP address, the subnet, or a selected IP range to make the VPN connection.
    · Remote Security Gateway: You can select either the remote side domain name or the remote side IP address (WAN IP address) as your remote side security gateway.

Security Level
    · Encryption Method: Specifies the encryption mechanism to use. Data encryption makes the data unreadable if intercepted. There are three encryption methods available: DES, 3DES and AES. The default is null.
    · Authentication: Specifies the packet authentication mechanism to use. Packet authentication proves that the data comes from the source you think it comes from. There are three authentication methods available: MD5, SHA1 and SHA2.

Key Management
    · Key Type: There are two key types (manual key and auto key) available for key exchange management.
    · Manual Key: If manual key is selected, no key negotiation is needed. Encryption Key: this field specifies the key used to encrypt and decrypt IP traffic. Authentication Key: this field specifies the key used to authenticate IP traffic. The Inbound/Outbound SPI (Security Parameter Index) is carried in the ESP header. Each tunnel must have a unique inbound and outbound SPI, and no two tunnels may share the same SPI. Notice that the Inbound SPI must match the other router's Outbound SPI.
    · AutoKey (IKE): Two operation modes can be used.
        1. Main mode accomplishes a phase 1 IKE exchange establishing a secure channel.
        2. Aggressive mode is another way of accomplishing a phase 1 exchange. It is faster and simpler than main mode, but does not provide identity protection for the negotiating nodes.
    · Perfect Forward Secrecy (PFS): If PFS is enabled, the IKE phase 2 negotiation will generate new key material for IP traffic encryption and authentication.
    · Preshared Key: This field is used to authenticate the remote IKE peer.
    · Key Lifetime: Specifies the lifetime of the IKE-generated key. If the time expires or the data volume is exceeded, a new key will be renegotiated. By default, 0 means no limit.

Tunnel List
    Lists all VPN tunnels that are configured. You can modify, update or delete VPN records.
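With Manual Key there is no IKE negotiation to catch a mistyped key or a reused SPI, so the rules in the Key Management table (unique SPIs per router, inbound SPI equal to the peer's outbound SPI, keys sized for the chosen algorithms) have to be checked by hand. The Python validator below is an added example, not Syswan code or anything from this manual: the ManualTunnel layout, the sample keys and the SPI numbers are constructed for the example, and the key-length table reflects the standard sizes of the listed algorithms and the reserved SPI range from RFC 4303, not anything the manual states.

```python
"""Validation of manually keyed IPSec tunnels (Key Type = Manual Key).

Added example, not Syswan code.  Key and SPI values below are constructed
for the example; the key-length table reflects the standard sizes of the
listed algorithms, not anything the manual states.
"""
from dataclasses import dataclass

ENC_KEY_LEN = {"DES": (8,), "3DES": (24,), "AES": (16, 24, 32)}   # bytes
AUTH_KEY_LEN = {"MD5": 16, "SHA1": 20, "SHA2": 32}                 # HMAC key = hash output size
SPI_MIN = 256          # RFC 4303: SPI values 0-255 are reserved
SPI_MAX = 0xFFFFFFFF   # the SPI is a 32-bit field in the ESP header


@dataclass(frozen=True)
class ManualTunnel:
    name: str
    encryption: str
    authentication: str
    enc_key: bytes
    auth_key: bytes
    spi_in: int
    spi_out: int


def check_tunnel(t):
    """Problems local to one tunnel entry: key sizes and SPI range."""
    problems = []
    allowed = "/".join(str(n) for n in ENC_KEY_LEN[t.encryption])
    if len(t.enc_key) not in ENC_KEY_LEN[t.encryption]:
        problems.append(f"{t.name}: {t.encryption} key must be {allowed} bytes, got {len(t.enc_key)}")
    if len(t.auth_key) != AUTH_KEY_LEN[t.authentication]:
        problems.append(f"{t.name}: {t.authentication} key must be "
                        f"{AUTH_KEY_LEN[t.authentication]} bytes, got {len(t.auth_key)}")
    for label, spi in (("inbound", t.spi_in), ("outbound", t.spi_out)):
        if not SPI_MIN <= spi <= SPI_MAX:
            problems.append(f"{t.name}: {label} SPI {spi:#x} outside the usable range")
    if t.spi_in == t.spi_out:
        problems.append(f"{t.name}: inbound and outbound SPI must differ")
    return problems


def check_tunnel_list(tunnels):
    """Problems across one router's tunnel list: no SPI may be shared."""
    problems = [p for t in tunnels for p in check_tunnel(t)]
    seen = {}                                  # SPI -> first tunnel that used it
    for t in tunnels:
        for spi in (t.spi_in, t.spi_out):
            if spi in seen and seen[spi] != t.name:
                problems.append(f"SPI {spi:#x} used by both {seen[spi]} and {t.name}")
            seen.setdefault(spi, t.name)
    return problems


def check_peer_pair(local, peer):
    """Cross-router rule from the manual: our inbound SPI is the peer's
    outbound SPI and vice versa.  With manual keying both ends must also
    be loaded with the same keys and algorithms."""
    problems = []
    if local.spi_in != peer.spi_out:
        problems.append(f"{local.name}: inbound SPI {local.spi_in:#x} != peer outbound SPI {peer.spi_out:#x}")
    if local.spi_out != peer.spi_in:
        problems.append(f"{local.name}: outbound SPI {local.spi_out:#x} != peer inbound SPI {peer.spi_in:#x}")
    for field in ("encryption", "authentication", "enc_key", "auth_key"):
        if getattr(local, field) != getattr(peer, field):
            problems.append(f"{local.name}: {field} differs from peer")
    return problems


# Constructed sample keys (hex) for illustration only.
ENC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")            # 16 bytes: AES-128
AUTH_KEY = bytes.fromhex("0102030405060708090a0b0c0d0e0f1011121314")   # 20 bytes: HMAC-SHA1

LOCAL_T1 = ManualTunnel("site-A-t1", "AES", "SHA1", ENC_KEY, AUTH_KEY, spi_in=0x1001, spi_out=0x2001)
PEER_T1 = ManualTunnel("site-B-t1", "AES", "SHA1", ENC_KEY, AUTH_KEY, spi_in=0x2001, spi_out=0x1001)

if __name__ == "__main__":
    for line in check_tunnel_list([LOCAL_T1]) + check_peer_pair(LOCAL_T1, PEER_T1) or ["ok"]:
        print(line)
```

The sample pair passes all three checks; adding a second local tunnel that reuses 0x1001 as its inbound SPI, or loading a 16-byte key for 3DES, is reported before the tunnel silently fails to pass traffic.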

IPSec Policy Options Page

Dead Peer Detection Feature
    Dead Peer Detection (DPD) uses IPSec traffic patterns to minimize the number of IKE messages that are needed to confirm aliveness. The DPD mechanism is needed to determine when to perform IKE peer failover, and to reclaim lost resources.
    · Detection: Checking this box enables Dead Peer Detection.
    · Check Method: ICMP uses ICMP packets to prove aliveness. Heartbeat refers to a unidirectional (HELLO only) message to prove aliveness. Keep Alive refers to a bi-directional (HELLO/ACK) message to prove aliveness.
    · Action: The action executed after a DPD failure. The Failover, Remove Tunnel and Keep Tunnel Alive options are available for this action.
    · Logging: Enabling logging will display entries in the VPN log view list.

NAT Traversal Feature
    · NAT Traversal: Enable/Disable NAT Traversal within the VPN tunnel.
    · Keep Alive Interval: Time to keep NAT entries.
    · UDP Checksum: Enable/Disable the UDP checksum for NAT Traversal.

Options
    · NetBIOS Broadcast: This is used to forward NetBIOS broadcasts across the Internet.
    · Auto Triggered: This helps to keep the IPSec tunnel up. The tunnel is re-established immediately if a dropped connection is detected.
    · Anti Replay: Keeps track of IP packet-level security so that packets are processed in order.
    · Passive (Responder) mode: If you enable passive mode, your PC establishes the data connection.
    · Check ESP Pad: If enabled, the ESP (Encapsulating Security Payload) padding is checked.
    · Allow Full ECN: Enabling this allows full Explicit Congestion Notification (ECN). ECN is a standard proposed by the IETF that will cut down on network congestion and routers dropping packets.
    · Copy DF Flag: When an IP packet is encapsulated as payload inside another IP packet, some of the outer header fields can be newly written, and the others are determined by the inner header. Among these fields is the IP DF (don't fragment) flag. When the inner packet DF flag is clear, the outer packet may copy it or set it; however, when the inner DF flag is set, the outer header MUST copy it.
    · Set DF Flag: If the DF (Do not Fragment) flag is set, the fragmentation of this packet at the IP level is not permitted.
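The Check ESP Pad, NAT Traversal, Copy DF Flag and Set DF Flag options all come together in one question: how large is the encapsulated packet on the wire, and what happens when it exceeds the path MTU? The Python model below is an added example, not Syswan code or text from this manual. It computes the ESP padding and total outer size from the standard IPv4/ESP field sizes (RFC 4303), assuming CBC mode for DES/3DES/AES and the usual truncated HMAC lengths for MD5/SHA1/SHA2, applies the DF copy rule quoted above, and reports whether a router on the path would send, fragment or drop the packet. The assumption that Set DF Flag overrides Copy DF Flag when both are enabled is this example's, not the manual's.

```python
"""ESP encapsulation overhead and the DF flag rule for an IPSec tunnel.

Added example, not Syswan code.  Sizes are the standard IPv4/ESP field
sizes (RFC 4303); IV and ICV lengths assume CBC mode and the 96-bit
truncated HMACs (MD5/SHA1) or 128-bit (SHA2) used with ESP.
"""
OUTER_IPV4_HDR = 20   # new outer IP header written by the tunnel endpoint
UDP_HDR = 8           # present only when NAT Traversal (UDP encapsulation) is enabled
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)
BLOCK = {"DES": 8, "3DES": 8, "AES": 16}      # CBC block size == IV length
ICV = {"MD5": 12, "SHA1": 12, "SHA2": 16}     # truncated HMAC appended to the packet


def esp_padding(inner_len, cipher):
    """ESP pad bytes so that payload + padding + trailer is a multiple of the
    cipher block size (this is the padding that 'Check ESP Pad' validates)."""
    return (-(inner_len + ESP_TRAILER)) % BLOCK[cipher]


def outer_packet_size(inner_len, cipher, auth, nat_t=False):
    """Total size on the wire of one encapsulated packet."""
    return (OUTER_IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + BLOCK[cipher]
            + inner_len + esp_padding(inner_len, cipher) + ESP_TRAILER + ICV[auth])


def outer_df(inner_df, set_df=False):
    """Outer-header DF: an inner DF that is set MUST be copied; an inner DF
    that is clear stays clear under Copy DF Flag, or becomes set under
    Set DF Flag (assumption: Set DF wins when both options are enabled)."""
    return bool(inner_df or set_df)


def delivery(inner_len, cipher, auth, path_mtu, inner_df, nat_t=False, set_df=False):
    """What happens to the encapsulated packet at a link with the given MTU:
    'sent' if it fits, 'fragmented' if oversize with DF clear, or 'dropped'
    (the router must answer with ICMP Fragmentation Needed) if oversize with DF set."""
    size = outer_packet_size(inner_len, cipher, auth, nat_t)
    if size <= path_mtu:
        return "sent", size
    if outer_df(inner_df, set_df):
        return "dropped", size
    return "fragmented", size


if __name__ == "__main__":
    # Constructed sample: a full-size 1500-byte LAN packet over AES/SHA1 with NAT-T.
    for inner_df in (False, True):
        print(f"inner DF={inner_df}:", delivery(1500, "AES", "SHA1", 1500, inner_df, nat_t=True))
    print("1400-byte packet, 3DES/SHA1, no NAT-T:", outer_packet_size(1400, "3DES", "SHA1"))
```

A 1500-byte inner packet grows to 1568 bytes with AES, SHA1 and NAT-T enabled, so on a 1500-byte link it is either fragmented or, with DF set, dropped; that is the situation in which the Copy DF and Set DF options, and the MTU of the LAN hosts, decide whether traffic through the tunnel works at all.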
This section only applies to the Duolinks SW24 VPN Plus Load Balancer.

The following section will help guide you on how to configure VPN load balancing through the mesh group setup.

1. On the mesh group configuration page, click Create to display a configuration page similar to the VPN policy setup page.

Mesh Group Configuration Page

2. Configure the Mesh Group as per your LAN-to-LAN VPN network requirements.

Mesh Group Setup Page

You can modify a Mesh Group policy by clicking Modify.

Once you have created or modified a VPN Mesh Group policy you have to enable Group, Apply and Set to validate your settings and to open the VPN load balancing tunnels between both networks.

You may reduce the Dead Peer Detection Idle and Retry Times settings on the Set Options.. page for better VPN performance during a link failure. All other settings in the Set Options.. page should be left at their defaults for optimum VPN Mesh Group functionality.
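The Dead Peer Detection feature described on the IPSec Policy Options page and the advice just above to reduce its Idle and Retry Times both come down to how quickly a silent peer is declared dead. The Python simulation below is an added example, not Syswan code or text from this manual, and models the Keep Alive (HELLO/ACK) check method. How the Idle and Retry Times interact is this example's assumption: after idle_time seconds without traffic from the peer a HELLO is sent, repeated every retry_time seconds, and the peer is declared dead once the configured number of probes has gone unanswered, at which point the selected Action fires. The traffic timelines are constructed sample data.

```python
"""Dead Peer Detection with the Keep Alive (HELLO/ACK) check method.

Added example, not Syswan code.  How the Idle and Retry Times interact is
an assumption made for this simulation: after idle_time seconds without
traffic from the peer a HELLO probe is sent, repeated every retry_time
seconds, and the peer is declared dead once `retries` probes have gone
unanswered.  The traffic timelines are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DpdConfig:
    idle_time: int    # seconds of silence before the first HELLO
    retry_time: int   # seconds between HELLO probes
    retries: int      # unanswered probes tolerated before the peer is dead
    action: str       # "Failover", "Remove Tunnel" or "Keep Tunnel Alive"


def run_dpd(cfg, peer_traffic, horizon):
    """Replay one-second ticks from 0 to `horizon`.  `peer_traffic` is the set
    of seconds at which anything arrived from the peer (ESP data or an ACK
    to a HELLO); either proves aliveness and resets the probe counter.
    Returns (probe_times, dead_at, action); dead_at and action are None if
    the peer stayed alive for the whole replay."""
    last_seen = 0
    unanswered = 0
    next_probe = None
    probes = []
    for t in range(horizon + 1):
        if t in peer_traffic:
            last_seen, unanswered, next_probe = t, 0, None
            continue
        if next_probe is None:
            if t - last_seen >= cfg.idle_time:       # tunnel idle: start probing
                probes.append(t)
                unanswered, next_probe = 1, t + cfg.retry_time
        elif t >= next_probe:
            if unanswered >= cfg.retries:            # probe budget exhausted
                return probes, t, cfg.action
            probes.append(t)
            unanswered, next_probe = unanswered + 1, t + cfg.retry_time
    return probes, None, None


# Constructed timelines: data at seconds 0 and 3, then silence (link failure),
# versus the same start followed by an ACK to the first HELLO.
SILENT_PEER = {0, 3}
ANSWERING_PEER = {0, 3, 14}
DEFAULT_DPD = DpdConfig(idle_time=10, retry_time=5, retries=3, action="Failover")
FAST_DPD = DpdConfig(idle_time=5, retry_time=2, retries=3, action="Failover")

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_DPD), ("reduced", FAST_DPD)):
        print(label, "silent peer ->", run_dpd(cfg, SILENT_PEER, 60))
        print(label, "answering peer ->", run_dpd(cfg, ANSWERING_PEER, 25))
```

With the constructed default timers the silent peer is declared dead at second 28 after three HELLOs; with the reduced timers the same failure is detected at second 14, which is the faster failover the mesh-group note above is after. The answering peer's ACK at second 14 resets the counter, so no action fires.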