
9. Connecting to a Syswan Duolinks SW24 VPN series Load Balancer

 

9.1 Requirements

 

This section is intended for IT managers and network administrators.

 

It explains how to configure your Syswan Duolinks SW24 VPN series load balancer and a remote IPSec VPN connection using the Syswan VPN Client software, including the configuration of a redundant gateway.

 

If you are not familiar with network configurations and related tasks, please contact your IT manager or network administrator for assistance.

 

Requirements for implementing this example VPN configuration :

 

1. A Syswan Duolinks SW24 VPN or a Syswan Duolinks SW24 VPN Plus load balancer with basic configuration and at least one WAN link connected to the Internet.

2. A computer on the load balancer network or a remote computer with Internet access for VPN configuration on the Syswan Duolinks SW24 VPN series load balancer.

3. A remote computer on another network with Internet access and no firewall restrictions for IPSec traffic.

4. Syswan VPN Client software.

 

All values given in this VPN network configuration are examples only.

 

You will need to replace this information to suit your network settings and configuration.

 

Corporate network settings :

 

WAN Link 1     : 10.20.0.1          Your WAN Link 1     : _______________

WAN Link 2     : 10.30.0.1          Your WAN Link 2     : _______________

Local LAN      : 192.168.192.0      Your local LAN      : _______________

Subnet Mask    : 255.255.255.0      Your Subnet Mask    : _______________

 

Remote network settings :

 

Remote LAN     : 192.168.1.0        Your remote LAN     : _______________

Remote PC      : 192.168.1.100      Your remote PC      : _______________

 

 

Other required settings :

 

User ID        : user@mycompany.com Your user ID        : _______________

Preshared Key  : 1234567890         Your Preshared Key  : _______________

 

 

Important note:

During IKE Phase 1 activation, your load balancer will need to reboot as you will be changing primary settings.

 

9.2 Configuring the Syswan Duolinks SW24 VPN series Load Balancer

 

First, log in to your Syswan Duolinks SW24 VPN Series load balancer.

 

Step 1 :

Go to “VPN Configuration > IKE Global setup” page.

 

Enable both WAN links and make sure that Phase 1 DH Group is set to DH Group 2 (1024-bit), Encryption Method is set to DES and Authentication Method is set to MD5.

 

You may leave all other settings on this page as default.

 

Choose “Submit and Reboot” to save your IKE configuration.

 

 

Important note:

During IKE Phase 1 activation, your load balancer will need to reboot as you will be changing primary settings.

 

Remember these settings as they must match those in the Phase 1 settings of your Syswan VPN Client software.

Step 2 :

Once step 1 is completed, go to the “VPN Configuration > IPSec Policy Setup” page.

 

Choose “New Policy” and create a VPN Configuration for WAN1 as shown in the following screen capture.

 

Click “Add” when done.

 

 

Information required in this example :

 

Local Security Network : Type Subnet / IP 192.168.192.0 / Mask 255.255.255.0

Remote Security Network : Any

Remote Security Gateway : Distinguished ID / user@mycompany.com

Encryption Method : DES / Authentication Method : MD5

Key Type : Autokey(IKE)

Perfect Forward Secrecy : DH Group 2 (1024-bit) / Preshared Key : 1234567890

 

Remember these settings as they must match those in the Phase 2 settings of your Syswan VPN Client software.

Step 3 :

If you have a second WAN link connected to your load balancer, you may choose to activate the “Redundant Gateway” option on the Syswan VPN Client.

 

In order to benefit from the Redundant Gateway option for your remote user, you will need to create a second VPN configuration for the same user pointing to WAN 2 on your Syswan Duolinks SW24 VPN series load balancer.

 

Choose “New Policy” and create a second VPN Configuration for the same remote user.

 

Everything in the second configuration will be identical to the first one, except that you will need to define a new name for this configuration and change the “Traffic Binding Interface” to WAN 2, as in the example screen capture below:

 

Click “Add” when done.

 

The configuration of your Syswan Duolinks SW24 VPN series load balancer is now complete.

Next, you will need to configure the Syswan VPN Client software on the remote user’s PC with the same Phase 1 and Phase 2 information.

 

9.3 Configuring the Syswan VPN Client

 

Make sure that the Syswan VPN Client software is installed on the remote computer.

 

You will find this software on the CD ROM included with your purchase.

 

You may also download the latest version of the Syswan VPN Client from our web site (http://www.syswan.com).

 

Step 1 :

Phase 1 configuration

 

Open the Syswan VPN Client software user interface.

 

Right click on “Configuration” and select “New Phase 1”

 

Enter your remote gateway IP address (WAN Link 1 IP address of your Syswan Duolinks SW24 VPN series load balancer. Example : 10.20.0.1)

 

Make sure that you correctly enter the previously defined preshared key as well as the other IKE options for Phase 1 here (Example : 1234567890, DES, MD5 and Group2-DH1024).

 

 

Click “Save & Apply”.

 

Now select “P1 Advanced”.

 

In the P1 Advanced screen, select “Aggressive Mode”.

 

In Redund.GW enter the second IP address of your remote gateway (WAN Link 2 IP address of your Syswan Duolinks SW24 VPN series load balancer. Example : 10.30.0.1)

 

The Local ID type must be set to “Email”, matching the previously defined settings.

 

Enter the email address as the ID value (Example : user@mycompany.com).

 

 

 

Click “Ok” and then “Save & Apply”.

 

Step 2 : Phase 2 configuration

 

Create a Phase 2 configuration by right clicking on the Phase 1 setting and choosing “Add Phase 2”.

 

Change the address type to read “Subnet address”.

 

Add the remote LAN address and the subnet mask. (example: 192.168.192.0 / 255.255.255.0)

 

 

Make sure that ESP Algorithms and PFS/DH Group match the previously defined settings. (Example : DES, MD5 and PFS/DH Group2-DH1024).

 

Note : Most SMB networks are configured with a subnet mask of 255.255.255.0 to permit one private Class C network. A Class C network will provide 253 IPv4 addresses, which is enough for these types of networks. If you do not know or are not sure of your subnet mask, please contact your IT manager or network administrator for assistance.

 

The VPN Client Address should not belong to the remote network subnet range (i.e. the 192.168.192.0/24 network in our example). If you leave the default setting of 0.0.0.0, the VPN Client Address will be the same as the physical address of the remote machine, assigned either directly by the ISP or by a remote network.

If the remote network subnet range is equal to your corporate network subnet, then the remote user VPN connection will not be established. In this case, you must manually specify another IP address from another subnet range (e.g. 192.168.1.1 or 10.0.0.1) in the VPN Client address field.

 

When complete, click “Save & Apply”.

 

Note : You can optionally use the “Phase 2 Advanced” options to define tunnel opening modes and declare alternate DNS and/or WINS servers for this tunnel.
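
The VPN Client Address rule described in this step can be checked before the tunnel is opened. The following Python code is an added example, not part of the Syswan documentation or software; the function names and the addresses 192.168.192.57 and 192.168.192.10 are constructed for illustration, and it assumes that 0.0.0.0 means "use the physical address" as stated above.

```python
import ipaddress

DEFAULT_FIELD = "0.0.0.0"  # default value of the VPN Client Address field

def effective_client_address(physical_ip, vpn_client_field=DEFAULT_FIELD):
    """With the default 0.0.0.0 the client uses the machine's physical address."""
    if vpn_client_field == DEFAULT_FIELD:
        return ipaddress.ip_address(physical_ip)
    return ipaddress.ip_address(vpn_client_field)

def check_client_address(corporate_lan, mask, physical_ip,
                         vpn_client_field=DEFAULT_FIELD):
    """Return (ok, effective_address, reason) for one remote machine."""
    corporate = ipaddress.ip_network(f"{corporate_lan}/{mask}")
    addr = effective_client_address(physical_ip, vpn_client_field)
    if addr not in corporate:
        return True, str(addr), "address is outside the corporate subnet"
    if vpn_client_field == DEFAULT_FIELD:
        # The remote network uses the same range as the corporate LAN.
        return (False, str(addr),
                "physical address is inside the corporate subnet; "
                "enter a VPN Client Address from another subnet range")
    return False, str(addr), "VPN Client Address is inside the corporate subnet"

# Constructed cases: (physical address of remote PC, VPN Client Address field)
CASES = [
    ("192.168.1.100", "0.0.0.0"),          # the chapter's example remote PC
    ("192.168.192.57", "0.0.0.0"),         # remote LAN equals the corporate range
    ("192.168.192.57", "10.0.0.1"),        # same machine, manual override
    ("192.168.1.100", "192.168.192.10"),   # override wrongly placed in corporate range
]

if __name__ == "__main__":
    for physical, field in CASES:
        ok, addr, reason = check_client_address(
            "192.168.192.0", "255.255.255.0", physical, field)
        print(f"{physical:15} field={field:15} -> {'OK  ' if ok else 'FAIL'} {addr}: {reason}")
```
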

 

9.3 Opening the IPSec VPN Tunnel

 

Make sure that your local firewall permits IPSec traffic from within your remote network.

 

Click on “Save & Apply” on the Syswan VPN Client software window to make sure that all configuration modifications are saved.

 

Click on “Open Tunnel” to open the secure IPSec VPN Tunnel you just created between your remote computer and the corporate network.

 

 

You may select “Connections” to see opened VPN tunnels or try to access any remotely available services (e.g. ping a PC on the corporate LAN or access a server resource) to test your configuration.

 

Select “Console” to access the Syswan VPN Client software IPSec logs on the remote computer.

 

 

Select “VPN Configuration > VPN Logs” on your Syswan Duolinks SW24 VPN Series load balancer to access IPSec VPN logs on the Corporate gateway.

 

 

Statistics for an active tunnel can be viewed by choosing the active tunnel in the “Tunnel list” under “VPN Configuration > IPSec Policy Setup” and by clicking on the “Tunnel Status…” button.

 

 

Example configuration test results :

 

 

 

The above screen capture shows the result of IPSec traffic transiting through the VPN tunnel.

 

Remote network settings : 192.168.1.0 / 24

Remote network gateway : 192.168.1.1

IP address of remote PC : 192.168.1.100

 

Corporate network settings : 192.168.192.0 / 24

Corporate network gateway : 192.168.192.1

IP address of server on Corporate network : 192.168.192.254

 

Remote to corporate LAN - Test 1 :
PING (ICMP echo) from 192.168.1.100 to 192.168.192.254 (Corporate server) – Successful.

 

Remote to corporate LAN - Test 2 :
PING (ICMP echo) from 192.168.1.100 to 192.168.192.1 (Corporate LAN gateway) – Successful.

 

 

 

9.4 Troubleshooting

 

Chapter 9 details a working example of a remote-to-LAN IPSec VPN configuration using Syswan hardware and software solutions.

 

Configuring a VPN tunnel can be a difficult task as any missing parameter can prevent a VPN connection from being established.

 

Hint : If your configuration is not working, double check all the configuration entries (Phase 1 and Phase 2) at both ends and make sure that there are no errors.
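
One way to carry out the double check suggested in the hint is to write down both ends' settings and compare them field by field, including the second policy used for the redundant gateway. The following Python code is an added example, not Syswan code: the field names and policy names are hypothetical, the values are this chapter's example values, and the LEGACY set is an assumption of the example (DES, MD5 and 1024-bit DH are widely deprecated), not a statement from this manual.

```python
# Added example; field and policy names are hypothetical, values come from this chapter.
DH_LABELS = {"DH Group 2 (1024-bit)": 2, "Group2-DH1024": 2}  # gateway label, client label
LEGACY = {"DES", "MD5", 2}  # assumption of this example: widely deprecated choices

def canon(cfg):
    """Normalise one end's settings so both ends compare field by field."""
    out = {k: v.strip() for k, v in cfg.items() if k not in ("name", "binding")}
    for key in ("p1_dh", "p2_pfs"):
        if key in out:
            out[key] = DH_LABELS.get(out[key], out[key])
    return out

def mismatches(a, b):
    """Names of differing fields; values are never returned, so the key is not echoed."""
    a, b = canon(a), canon(b)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

def legacy_fields(cfg):
    """Names of fields set to an algorithm or DH group listed in LEGACY."""
    return sorted(k for k, v in canon(cfg).items() if v in LEGACY)

WAN1_POLICY = {
    "name": "remote-user-wan1", "binding": "WAN 1",  # constructed policy name
    "p1_enc": "DES", "p1_auth": "MD5", "p1_dh": "DH Group 2 (1024-bit)",
    "p2_enc": "DES", "p2_auth": "MD5", "p2_pfs": "DH Group 2 (1024-bit)",
    "peer_id": "user@mycompany.com", "psk": "1234567890",
    "protected_net": "192.168.192.0/255.255.255.0",
}
# Step 3: same settings, new name, Traffic Binding Interface changed to WAN 2.
WAN2_POLICY = dict(WAN1_POLICY, name="remote-user-wan2", binding="WAN 2")
CLIENT = {
    "p1_enc": "DES", "p1_auth": "MD5", "p1_dh": "Group2-DH1024",
    "p2_enc": "DES", "p2_auth": "MD5", "p2_pfs": "Group2-DH1024",
    "peer_id": "user@mycompany.com", "psk": "1234567890",
    "protected_net": "192.168.192.0/255.255.255.0",
}

if __name__ == "__main__":
    for policy in (WAN1_POLICY, WAN2_POLICY):
        print(policy["binding"], "vs client:", mismatches(policy, CLIENT) or "match")
    print("WAN 1 vs WAN 2:", mismatches(WAN1_POLICY, WAN2_POLICY) or "identical")
    print("legacy settings in use:", legacy_fields(CLIENT))
```

Only field names are reported, so the output can be pasted into a support ticket without disclosing the preshared key.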

 

Troubleshooting and other help documentation is available in the FAQ & Knowledgebase section of our web site.

 

You may also contact your IT manager or the network administrator for assistance.

 

 

