SnapGear VPN Appliance Family

User Manual

Rev: 1.7.8
May 2nd, 2003
SnapGear, Inc.
7984 South Welby Park Drive #101
Salt Lake City, Utah 84084
Email: support@snapgear.com
Web: www.snapgear.com
Introduction


Summary of Contents for SnapGear VPN appliance Family 1.7.8

  • Page 2: Table Of Contents

    Connecting to the Internet ..............30 Physically connect modem device............... 30 Select Internet connection ................... 31 Internet failover ....................34 Configure PCs to use SnapGear appliance Internet gateway ......37 Establishing the connection ................. 37 Dial-in server configuration ..............38 Dial-in setup......................40 Dial-in user accounts ...................
  • Page 3 Firewall ....................58 Incoming access ....................58 Outgoing access ....................62 Firewall rules......................63 Intrusion detection and blocking ................64 Content filtering....................66 Virtual Private Networking ..............69 PPTP client setup ....................70 PPTP server setup....................72 IPSec setup ......................85 IPSec interoperability................... 90 System.....................91 Time server......................
  • Page 4: Introduction

    A VPN enables remote workers or branch offices to securely access your company network to send and receive data at a very low cost. With the SnapGear appliance, you can remotely access your office network securely using the Internet. The SnapGear appliance can also connect to external VPNs as a client.
  • Page 5 Failover: A method for detecting that the main Internet connection (usually a broadband connection) has failed and the SnapGear appliance cannot communicate with the Internet. If this occurs, the SnapGear appliance automatically moves to a lower speed, secondary Internet connection.
  • Page 6 MAC address: The hardware address of an Ethernet interface. It is a 48-bit number usually written as a series of 6 hexadecimal octets, e.g. 00:d0:cf:00:5b:da. A SnapGear appliance has a MAC address for each Ethernet interface. These are listed on a label on the underside of the device.
  • Page 7: Document Conventions

    Switch: Although not a full router, a switch partially understands how to route Internet packets. A switch increases LAN efficiency by utilizing bandwidth more effectively. TCP/IP: Transmission Control Protocol/Internet Protocol, the basic protocol for Internet communication. TCP/IP address: The fundamental Internet addressing method, which uses the form nnn.nnn.nnn.nnn.
  • Page 8: Installing And Configuring Your Snapgear Appliance

    Installing and configuring your SnapGear appliance This manual contains instructions for installing and configuring your SnapGear appliance on your network. The basic steps and related chapters are: Step 1: Interconnect the SnapGear appliance and PCs on a local area network (Chapter 2, Getting started).
  • Page 9: Your Snapgear Appliance

    Your SnapGear appliance The following items are included with your SnapGear appliance: • Power adapter • Installation CD • Printed Quick Install guide • Cabling, including: one normal “straight through” UTP cable (blue), and one “cross-over” UTP cable (either gray or red). If you have the LITE+ or LITE2+ you will receive two straight through cables (blue).
  • Page 10 Figure 1.2 SnapGear appliance back panels The following figure shows how your SnapGear appliance interconnects. If you are using the SnapGear LITE+ or LITE2+, a secondary hub/switch is not required as this unit has a 4-port Ethernet switch.
  • Page 11 Figure 1.3 Network interconnections
  • Page 12: Snapgear Appliance Features

    SnapGear appliance features • Software features • Network Address Translation (NAT) firewall that isolates the LAN from the Internet and offers network access control and filtering. Usually a simple form of NAT called masquerading is used. • DHCP server and client that ensure simple and flexible IP network configuration.
  • Page 13 LITE2+. Dial-in connection features If you are using the SnapGear PRO+, PRO, SOHO+, SME530 or SME550, external modems may be attached via serial port for dial-in connections. Additionally, the SnapGear PRO+ has an internal modem that can be used for dial-in connections.
  • Page 14 Environmental features • External power adaptor (voltages/current depend on individual models). • Front panel status LEDs: Power, Test. • Operating temperature between 0° C and 40° C. • Storage temperature between -20° C and 70° C. • Humidity between 0 and 95% (non-condensing).
  • Page 15: Getting Started

    If you are connecting the SnapGear appliance to an established LAN, use a standard Ethernet cable to connect the SnapGear LAN port to a spare port on the network’s hub. If you are connecting your SnapGear appliance to a single PC, use the provided Ethernet crossover cable to interconnect them directly.
  • Page 16: New Networks

    1. Install an Ethernet adapter and software driver in at least one of the PCs to be networked. 2. Assign an IP address for your PC so the SnapGear appliance can be configured on the network. From the Start menu, select Settings, Control Panel, Network and click the Configuration tab (or Protocols if using NT).
  • Page 17 6. If you have chosen to use the static IP reset feature of the SnapGear appliance, choose an address in the range: 192.168.0.0 - 192.168.0.255 (192.168.0/24 prefix) Enter the value into the IP Address field followed by a number (1-254) to identify your PC (e.g.
  • Page 18: Configuring The Snapgear Appliance On Your Network

    Configuring the SnapGear appliance on your network Below is an overview of the steps in initial setup of the SnapGear appliance on your network: 1. Apply power to the SnapGear appliance. When the SnapGear appliance is powered on in factory default mode, it has no LAN IP address. This state is indicated by all front panel LEDs except Power flashing (except on LITE+ and LITE2+).
  • Page 19 These provide information on the operating status of your SnapGear appliance. In particular you should note: The Power/PWR LED is on when power is applied (use only the SnapGear Power Adapter packaged with the unit). The System/TST/Heart Beat LED blinks when the SnapGear appliance is running.
  • Page 20 IP address. If you use Linux, Unix, Macintosh or another operating system you may use a DHCP server application to assign an IP address. The SnapGear Setup Wizard can be run from any PC on the network that is running Windows. To run the SnapGear Setup Wizard, insert the SnapGear Installation CD into your CD drive.
  • Page 21 This means either your network is DHCP enabled and another PC on the network has already given it an IP address, or you have chosen to boot the SnapGear appliance with an initial, static IP address. If this is the case, skip to Administrative Password further on in this chapter.
  • Page 22 If it is you will be asked to make a new selection, otherwise it is assigned to your SnapGear appliance. Note that this may take a few seconds. Your SnapGear VPN Router is now set up with an IP address so all front panel LEDs (except System/TST/Heart Beat) will stop flashing.
  • Page 23 This password controls access to the SnapGear Management Console web administration pages. SnapGear recommends that you select a new password that is easy for you to remember but difficult for other people to guess. Your password must be kept secret to maintain the security provided by the SnapGear appliance.
  • Page 24: Initial Setup Using Linux

    By default, your SnapGear appliance as shipped does not have any IP addresses configured. When the SnapGear appliance is powered on, if it has no LAN IP address all the front panel LEDs except Power will flash (except on LITE+ and LITE2+). The LEDs remain flashing until a LAN IP address is acquired.
  • Page 25 Internet Address. You can find the MAC address printed on the underside of your SnapGear appliance. If your network has a BOOTP server, it can be used to set up the SnapGear appliance. Edit the BOOTP server file /etc/bootptab and add an entry for the SnapGear appliance.
  • Page 26 You need to modify the IP address (tag "ip") to match the addressing for your local network and use an address in your local subnet. You also need to modify the MAC address (tag "ha") to match your SnapGear appliance hardware. The MAC address is printed on a label on the underside of the SnapGear appliance.
  • Page 27: Snapgear Quick Setup

    SnapGear Quick Setup The SnapGear Quick Setup Wizard will guide you through the basic steps for configuring the LAN port for your SnapGear appliance and connecting to the Internet. To start the wizard, click the Quick Setup Wizard link on the SnapGear Appliance Configuration page.
  • Page 28 3. If you select DHCP or Skip, the Next button will take you to the ISP Connection configuration page. 4. If you select Manual, the Next button shows the Manual LAN Configuration page where you must enter an IP address and a Subnet mask for the SnapGear appliance’s LAN port.
  • Page 29 Figure 2.4 ISP connection quick setup Select Cable Modem, Modem, ADSL, or Direct as the method for connecting to your ISP. Direct connections are where the SnapGear Internet Port is connected to a LAN with another gateway to the Internet.
  • Page 30 If you use ADSL (Asymmetric Digital Subscriber Line) to connect to your ISP, you must specify the ADSL connection type. This can be done in one of the following ways: • Allow your SnapGear appliance to automatically detect your ADSL connection type. This is the best choice in most cases. •...
  • Page 31: Configuring The Pcs On Your Network

    The IP address of the SnapGear appliance defined as their default gateway, and • Must use the DNS server provided by the ISP or the DNS proxy on the SnapGear appliance. You can enter these details manually (i.e. statically), or they can be dynamically assigned by a DHCP server each time the PC boots.
  • Page 32 The Default Gateway (enter the IP address of the SnapGear appliance). • In the DNS tab, enter the DNS server address(es) provided by your ISP, or the address of the SnapGear appliance if you are using the DNS proxy.
  • Page 33: Connecting To The Internet

    The first step in connecting your office network to the Internet is to physically attach your SnapGear appliance to the modem device. For analog modems, attach the modem serial cable to one of the SnapGear appliance’s serial ports (i.e. COM1, COM2). For digital connections (e.g. cable, DSL), plug the cable into the Internet port.
  • Page 34: Select Internet Connection

    Select Internet connection The next step is to select the method for connecting your SnapGear appliance to the Internet. From the SnapGear appliance Config Pages, in the Networking menu, select Connect to Internet and select the method to connect to your local ISP. You can connect using a cable, ISDN, DSL or analog modem connection.
  • Page 35 Connect to Internet – direct Choosing Direct Connection to the Internet shows the IP Configuration page. See the section called IP configuration. Connect to Internet – modem The following figure shows the Setup modem Internet connection: Figure 3.2 Setup modem Internet connection If you are connecting to the Internet using a modem, the system displays the Connect to Internet via a Modem screen.
  • Page 36 Field Description Serial port to dial-out on Select the SnapGear appliance COM (serial) port you will use for the modem that will dial your ISP. This port will be dedicated for the Internet connection; any attempt to dial-in using this COM port will be blocked.
  • Page 37: Internet Failover

    Internet failover SnapGear appliances are designed with the real Internet in mind, which may mean downtime due to ISP equipment or telecommunications network failure. Failures can be caused by removing the wrong plug from the wall, typing in the wrong ISP password or many other reasons.
  • Page 38 The Internet connection fails immediately when the password is wrong, or if the SnapGear appliance is unable to contact an ADSL modem to make a connection. Time to wait between retrying connections: Specify the time to wait between retrying this connection after detecting the initial failure.
  • Page 39 For Internet connection types that require you to specify a static IP address or use DHCP, the SnapGear appliance cannot usually detect if the Internet connection is down. To ensure that the Internet connection is up, enter a host for the SnapGear appliance to ping.
  • Page 40: Configure Pcs To Use Snapgear Appliance Internet Gateway

    1. From any PC on the network, launch a browser application (e.g. Internet Explorer or Netscape Navigator). 2. The SnapGear appliance will dial the ISP and log in. On the front panel, the COM LED will flash when establishing the connection.
  • Page 41: Dial-In Server Configuration

    LAN resources as a local user. Note: Not all SnapGear appliances support the RAS (Remote Access Server) functions in this section. The SnapGear appliance models SOHO+, PRO and PRO+ support up to two dial-in connections.
  • Page 42 To configure the SnapGear appliance for a dial-in connection: 1. Attach external modems to the relevant SnapGear appliance serial ports. Refer to Chapter 7, Serial Ports and Modem Devices for modem configuration details. 2. Enable and configure the selected SnapGear appliance COM port for dial-in as detailed in Dial-in Setup.
  • Page 43: Dial-In Setup

    The following figure shows the dial-in setup: Figure 4.1 Dial-in setup To enable and configure Dial-In server for the SnapGear appliance, select Dial-In Setup from the Networking menu. The following table describes the fields in the Dial-In Setup screen and explains how to enable and configure dial-in access on a SnapGear appliance COM port.
  • Page 44 5 minutes. Idle time can be set between 0 – 99 minutes. After enabling and configuring the selected SnapGear appliance COM ports to support dial-in, click Continue to create and configure the dial-in user accounts.
  • Page 45: Dial-In User Accounts

    Dial-in user accounts User accounts must be set up before remote users can dial-into the SnapGear appliance. The following figure shows the Dial-in user account creation: Figure 4.2 Dial-in user account creation The field options in Add New Account are shown in the following table:...
  • Page 46 The following figure shows the user maintenance screen: Figure 4.3 User maintenance screen
  • Page 47 Chapter 6, Firewall. Warning: If you have enabled a SnapGear appliance COM port for dial-in, this port cannot be used simultaneously for dial-out activities (e.g. dial-on-demand Internet connection). If a port is set up for Internet access, and is later enabled for dial-in, the Internet access function is automatically disabled.
  • Page 48: Remote User Configuration

    Dial-Up Networking software. Set up a new dial-out connection on the remote PC to dial the phone number of the modem connected to the SnapGear appliance COM port. After the dial-in is connected, users can access all network resources as if they were a local user.
  • Page 49 Figure 4.6 Server types Check the Log on to network and Enable software compression checkboxes. If your SnapGear appliance dial-in server requires MSCHAP-2 authentication, you also need to check the Require encrypted password checkbox. Leave all other Advanced Options unchecked.
  • Page 50 Dial-in and log on to the remote SnapGear appliance by double-clicking the Connection Name icon. You need to enter the Username and the Password that was set up for the SnapGear appliance dial-in account as shown in the following figure: Figure 4.7 Connect to dialogue box...
  • Page 51 Click Next to continue. Figure 4.9 Connection type Select Dial-up to private network as the connection type and click Next to continue. Figure 4.10 Phone number to dial Tick Use dialing rules to enable you to select a country code and area code. This feature is useful when using remote access in another area code or overseas.
  • Page 52 Click Next to continue. Figure 4.11 Connection availability Select the option Only for myself to make the connection only available for you. This is a security feature that will not allow any other users who log onto your machine to use this remote access connection: Figure 4.12 Connection name Enter a name for the connection and click Finish to complete the configuration.
  • Page 53 If you did not create a desktop icon, click Start, Settings, Network and Dial-up Connections and select the appropriate connection and enter the username and password set up for the SnapGear appliance dial-in account.
  • Page 54: Network Configuration

    For a static IP address on the LAN interface, enter the IP Address and Netmask in the fields provided. You must enter a static IP address if the SnapGear appliance will act as the DHCP server on your local network.
  • Page 55 Enter the IP address of the DNS Server that the SnapGear appliance will use to resolve domain names in the Domain Name Server field. This is only required if the SnapGear appliance is configured with a static IP address on the Internet interface and does not automatically get its DNS server address.
  • Page 56: Advanced Ip Configuration

    Advanced IP configuration The following figure shows the advanced IP configuration: Figure 5.2 Advanced IP configuration The Hostname is a descriptive name for the SnapGear appliance on the network.
  • Page 57 Address of your SnapGear appliance. The MAC address is a globally unique address and is specific to a single SnapGear appliance. It is set by the manufacturer and should not normally be changed. However, you may need to change it if your ISP has configured your ADSL or cable modem to only communicate with a device with a known MAC address.
  • Page 58: Dhcp Server

    To help keep your network design as simple as possible, your SnapGear appliance can act as a DHCP server for machines on your local network. To configure your SnapGear appliance as a DHCP server, you must set a static IP address and netmask on the LAN Interface (see the section called IP configuration).
  • Page 59 To take advantage of the SnapGear appliance’s DHCP server functionality, you should configure the other machines on your local network to get their IP addresses dynamically from the SnapGear appliance. Please refer to the documentation for the other machines for instructions on how to configure the local network interface.
  • Page 60: Advanced Networking

    Advanced Networking page. Traffic shaping The Traffic Shaping feature of your SnapGear appliance allows you to allocate High, Medium, or Low priority to the following services: domain (tcp), domain (udp), ftp, ftp- data, http, https, imap, irc, nntp, ntp, pop3, smtp, ssh, and telnet.
  • Page 61: Firewall

    6. Firewall The SnapGear appliance has a fully featured, stateful firewall. The firewall allows you to control both incoming and outgoing access and to detect intrusion attempts, so that PCs on the office network can have tailored Internet access facilities and be shielded from malicious attacks.
  • Page 62 The following figure shows the incoming access configuration page: Figure 6.1 Incoming access configuration By default the SnapGear appliance runs a web administration server and a telnet service. Access to these services can be restricted to specific interfaces. For example, you may want to restrict access to the SnapGear appliance’s configuration web pages (Web...
  • Page 63 The following figure shows how to configure external access to services: Figure 6.2 Configure external access to services The SnapGear appliance firewall on the Internet interface can be configured to accept or deny external requests on a specified incoming port, based on the originating (i.e.
  • Page 64 The following figure shows the port forwarding configuration: Figure 6.3 Port forwarding configuration Port forwarding allows the SnapGear appliance to control access to services provided by machines on your private network from users on the Internet. Requests coming into the SnapGear appliance on the specified Incoming Port(s) are forwarded to the Target Port on the Target Server.
  • Page 65: Outgoing Access

    Outgoing access Your SnapGear appliance can be configured to restrict network traffic going out the Internet interface. These restrictions can be applied to specific hosts or networks (defined by IP address), or globally across all hosts on your internal LAN.
  • Page 66: Firewall Rules

    To access this page, click Rules in the Firewall menu. Only experts on firewalls and iptables rules will be able to add effective custom firewall rules. Configuring the SnapGear firewall via the Incoming Access and Outgoing Access configuration pages is adequate for most applications.
  • Page 67: Intrusion Detection And Blocking

    Intrusion detection and blocking The following figure shows the Intrusion Detection and Blocking (IDB) configuration: Figure 6.6 Intrusion detection and blocking configuration IDB operates by offering a number of services to the outside world that are monitored for connection attempts. Remote machines attempting to connect to these services generate a system log entry providing details of the access attempt, and the access attempt is denied.
  • Page 68 The list of monitored network ports can be freely edited. Several shortcut buttons also provide pre-selected lists of services to monitor. The basic button installs a bare bones selection of ports to monitor while still providing sufficient coverage to detect many intruder scans.
  • Page 69: Content Filtering

    Content filtering The SnapGear Content Filtering system limits the types of web-based content accessed. Web-based content featuring profanity, sexually explicit or other objectionable material can be limited or blocked from the following screens. The following figure shows content filtering:
  • Page 70 Figure 6.7 Content filtering
  • Page 71 An activity report is available by ticking the Enable Reports box. Warning: The correct time/date must be set on your SnapGear appliance for Reporting to work. The most effective way to do this is by using a time server. The filtering and reporting can only be activated after visiting the Registration page.
  • Page 72: Virtual Private Networking

    This chapter explains how to configure the PPTP server and client, as well as IPSec, in your SnapGear appliance and how to set up remote clients to connect to your VPN tunnel as shown in the following figure: Figure 7.1 VPN tunneling using the PPTP server...
  • Page 73: Pptp Client Setup

    The SnapGear PPTP client enables the SnapGear appliance to establish a VPN to a remote network running a PPTP server (usually a Microsoft Windows server). To set up a SnapGear PPTP VPN Client, select PPTP VPN Client from the VPN menu and create a new VPN connection by entering: •...
  • Page 74 To set a VPN connection as the default route for all network traffic, check the Make VPN the Default Route checkbox and click Apply. This option is only available when the SnapGear appliance is configured with a single VPN connection only.
  • Page 75: Pptp Server Setup

    PPTP server setup The SnapGear appliance includes a PPTP Server, a virtual private network server that supports up to forty simultaneous VPN tunnels (depending on your SnapGear appliance model). The SnapGear PPTP Server allows remote Windows clients to securely connect to the local network.
  • Page 76 Enable and configure the PPTP VPN server The following figure shows the PPTP server setup: Figure 7.3 PPTP server setup To enable and configure your SnapGear appliance’s VPN server, select PPTP VPN Server from the VPN menu in the SnapGear appliance Config Pages.
  • Page 77 IP address on your local network that each VPN client will use when connecting to the SnapGear appliance. Please ensure that the IP addresses listed here are not in the range the DHCP server can assign. Ranges are accepted; for example 192.168.160.250-254.
  • Page 78 Accounts screen as shown in the following figure: Figure 7.4 PPTP VPN server accounts screen Before remote users can set up a VPN tunnel to the SnapGear appliance PPTP server, they must have user accounts set up. The field options in the Add New Account screen are detailed in the following table.
  • Page 79 To delete an existing account, select the account in the Account List and then check Delete in the Delete or Change Password for the Selected Account field. If a requested change to a user account is successful, the PPTP VPN Setup screen is shown with the change noted.
  • Page 80 Configuring the remote VPN client After setting up the SnapGear PPTP VPN server, the remote VPN clients can be configured to securely access the local network. You need to enter the VPN client username and password that your remote users will use to access the SnapGear PPTP VPN from the remote site.
  • Page 81 ADSL, ISDN or other Internet link. Ensure that both the VPN and Dial Up Networking (DUN) software is installed on the remote PC. If necessary, install the Microsoft DUN update (available on the SnapGear Installation CD) and VPN Client update.
  • Page 82 From the Select a device drop-down menu, select the Microsoft VPN Adapter and click Next. Enter the PPTP IP address of the SnapGear appliance VPN server in the VPN Server field. This may change if your ISP uses dynamic IP assignment. Click OK and then click Finish.
  • Page 83 Click TCP/IP Settings. Confirm that the Server Assigned IP Address, Server Assigned Name Server Address, Use IP Header Compression and Use Default Gateway on Remote Network are all selected and click OK. Figure 7.7 VPN client server settings Your VPN client is now set up correctly.
  • Page 84 Windows NT From the Dial-Up Networking dialog, click New and select the Basic tab. In the Entry name field, enter SnapGear appliance or a similar descriptive name and click Next. Enter the SnapGear appliance’s PPTP IP address into the Phone Number field.
  • Page 85 Windows 2000 To set up VPN access, first set up a Dial Up Networking account to access the Internet. Once you have done this, you are ready to begin. The first thing you need to do is log in as Administrator on your PC. After logging in, from the Start menu, select Settings and then Network and Dial-up Connections as shown in the following figure: Figure 7.8 Network and dial-up connections...
  • Page 86 This displays the Destination Address window: Figure 7.10 Destination address Enter the SnapGear PPTP server’s IP address and click Next. Select the Connection Availability you require on the next window and click Next to display the final window: Figure 7.11 Completing the network connection wizard Enter an appropriate name for your connection and click Finish.
  • Page 87 Connecting the remote VPN client Firstly, connect to the Internet using the network connection to your ISP. After authenticating the connection to your ISP, select the connection for the SnapGear appliance VPN. For Windows 95/98/2000, enter the username and password allocated by your SnapGear appliance’s VPN administrator and click Connect.
  • Page 88: Ipsec Setup

    IPSec setup The SnapGear appliance supports IPSec tunnels as well as PPTP tunnels. To setup your VPN using IPSec, select IPSec from the VPN menu to display the following screen: Figure 7.12 IPSec setup Enable IPSec by clicking the Enable IPSec box underneath the IPSec Setup title and then click Submit.
  • Page 89 To add a new IPSec connection click on Add under Add New IPSec Connection to show the following screen: Figure 7.13 Add new IPSec connection Enter a descriptive name for the connection in the Connection Name field. Choosing to connect with Aggressive Mode increases interoperability with third party IPSec servers that only support aggressive mode connections.
  • Page 90 This option is only available if you have chosen a specific route; SnapGear recommends that you use the default route. Enter the remote gateway settings. To connect to/from a remote machine that does not have a fixed IP address (e.g.
  • Page 91 Click Add to complete the IKE setup as shown in the following screen: Figure 7.14 Automatic keying setup
  • Page 92 Key Lifetime is the time between consecutive re-keying events (i.e. the lifetime of a key). Shorter values offer higher security at the expense of the computational overhead required to calculate the new keys. SnapGear recommends a default value of 1 hour.
  • Page 93: Ipsec Interoperability

    Checking the Enable Perfect Forward Secrecy of keys checkbox means that an attacker who acquires the SnapGear appliance’s long-term key (i.e. the pre-shared secret or RSA Signature Key Private Section) cannot: • Read previous messages which they may have archived, or •...
  • Page 94: System

    The SnapGear appliance’s password is used to restrict access to the SnapGear appliance’s configuration web pages (WebAdmin) and the SnapGear appliance itself. The SnapGear appliance password is the ‘key’ to the security of your network and must be kept secret. SnapGear recommends choosing a password that is easy for you to remember but hard for unauthorized people to guess.
  • Page 95: Diagnostics

    SnapGear appliance are operating correctly. See Appendix B – System Log for further details. The SnapGear appliance also provides the option of re-directing log output to a remote machine using the syslog protocol. Enable this option by selecting Enable Remote Logging, entering the IP address of the remote machine and clicking Apply.
  • Page 96: Flash Upgrade

    A TFTP server must be running on the machine hosting the file. During the upgrade, the front panel LEDs on the SnapGear appliance will flash in an in-and-out pattern. The SnapGear appliance retains its configuration information with the new firmware.
  • Page 97: Technical Support

    Technical Support Staff to analyze problems with your SnapGear appliance. The information on this page gives the Support Staff important information about any problems you may be experiencing. If you experience a fault with your SnapGear appliance, please attach the Technical Support Report to your support request.
  • Page 98: Appendix A - Led Status Patterns

    Appendix A – LED status patterns The following table shows the different LED illumination combinations that can indicate possible error conditions. In each case, the LEDs indicated will be on and steady, unless otherwise noted, and all other LEDs will be off. The Power and System LEDs are not part of the LEDs indicating status.
  • Page 99: Appendix B - System Log

    Appendix B – System Log Access Logging It is possible to log any traffic that arrives at or traverses the SnapGear appliance. The only logging that is enabled by default is to take note of packets that were dropped. While it is possible to specifically log exactly which rule led to such a drop, this is not configured by default.
  • Page 100 Commonly used interfaces are: eth0 the LAN port eth1 the WAN/Internet port pppX eg. ppp0 or ppp1 – a PPP session ipsecX eg. ipsec0, an IPSec interface The firewall rules deny all packets arriving from the WAN port by default. There are a few ports open to deal with traffic such as DHCP, VPN services and similar.
  • Page 101: Creating Custom Log Rules

    (OUT=<nothing>) from IP address 140.103.74.181 (SRC=140.103.74.181), attempting to go to port 139 (DPT=139, Windows file sharing) was dropped. If the packet is traversing the SnapGear appliance to a server on the private network, the outgoing interface will be eth0, e.g.: Mar 27 09:52:59 2003 klogd: IN=eth1 OUT=eth0 SRC=140.103.74.181...
  • Page 102 For example, to log all inbound access requests from anywhere on the Internet (0.0.0.0/0) to the PPTP service (port 1723) on the SnapGear appliance (IP address 1.2.3.4): iptables -I INPUT -j LOG -p tcp --syn -s 0.0.0.0/0 -d 1.2.3.4 --dport 1723 --log-prefix "Internet PPTP access: "...
  • Page 103 iptables -I FORWARD -j LOG -p tcp --syn -s 5.6.7.8/32 -d 192.168.1.1 --dport 25 --log-prefix "Mail for flubber: " This will result in log output something like this: <12> Jan 24 18:17:19 2000 klogd: Mail for flubber: IN=eth1 OUT=eth0 SRC=5.6.7.8 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=45507 DF PROTO=TCP SPT=4088 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0 Note how the OUT value has now changed to show which interface the access attempt...
  • Page 104: Rate Limiting

    The LOG rules configured by default (e.g. Default Deny:) are all limited to: --limit 3/hour --limit-burst 5 Administrative Access Logging When a user tries to log onto the SnapGear Management Console web administration pages, one of the following log messages appears: Jan 30 03:00:18 2000 boa: Authentication successful for root from 10.0.0.2...
  • Page 105: Boot Log Messages

    10.0.0.2 Once again, showing the same information as a web login attempt. Boot Log Messages The SnapGear appliance’s startup boot time messages are identified by log messages similar to the following: klogd: Linux version 2.4.20-uc0 (jamma@daniel) (gcc version 3.0.4) #4 Mon Feb 3 15:17:50 EST 2003 This also shows the version of the operating system (linux), and the build date and time.
