SnapGear VPN Router User Manual

VPN Router Family

SnapGear VPN Router Family

User Manual

Rev: May 30, 2002
7984 South Welby Park Drive #101
Salt Lake City, Utah 84084
Tel: 801-282-8492
Fax: 801-282-8496

Summary of Contents for SnapGear VPN Router

  • Page 1: User Manual

    SnapGear VPN Router Family User Manual Rev: May 30, 2002 7984 South Welby Park Drive #101 Salt Lake City, Utah 84084 Tel: 801-282-8492 Fax: 801-282-8496...
  • Page 2: Table Of Contents

    Initial setup using Linux (p. 16); SnapGear Quick Setup Wizard (p. 18); Configuring the PCs on your network (p. 22); Connect to the Internet (p. 24); Physically connect modem device (p. 24); Select Internet connection (p. 25); Configure PCs to use SnapGear VPN Router Internet gateway (p. 28)...
  • Page 3 Establishing the connection (p. 28); Dial-in server configuration (p. 30); Dial-in setup (p. 31); Dial-in user accounts (p. 34); Remote user configuration (p. 38); Network Configuration (p. 48); IP Configuration (p. 48); Advanced IP Configuration (p. 51); DHCP Server (p. 53); Advanced Networking (p. 54); Firewall (p. 56); Incoming Access ...
  • Page 4 IPSec Setup (p. 82); IPSec Interoperability (p. 87); System (p. 88); Time Server (p. 88); Password (p. 88); Diagnostics (p. 88); Advanced (p. 89); RESET button (p. 89); 9. Technical Support (p. 90); Appendix A – LED Status Patterns (p. 91)...
  • Page 5: Introduction

    The SnapGear VPN Router enables small to medium-sized businesses to securely interconnect computers on the office network to the Internet. The SnapGear VPN Router has all the features a business needs to take full advantage of the Internet. Whether you are connecting to the Internet for the first time or looking for a cost-effective and safe VPN solution, the SnapGear VPN Router will meet your needs.
  • Page 6: Terminology

    Terminology: Some commonly used terms that you will find in this document are as follows. ADSL: Asymmetric Digital Subscriber Line. A technology that allows for high-speed data transfer over existing telephone lines. ADSL supports data rates between 1.5 and 9 Mb/s when receiving data and between 16 and 640 Kb/s when sending data.
  • Page 7 Intruder Detection and Blocking. A feature of your SnapGear VPN Router that detects connection attempts from intruders and optionally blocks all further connection attempts from the intruders’ machine. Internet: A worldwide system of computer networks - a public, cooperative, and self-sustaining network of networks accessible to hundreds of millions of people worldwide.
  • Page 8 Point-to-Point Protocol. A networking protocol designed for simple links between two peers. PPPoE: Point to Point Protocol over Ethernet. A protocol for connecting the users on an Ethernet to the Internet through a common broadband medium, such as a single DSL line, wireless device or cable modem.
  • Page 9: Document Style

    Virtual Private Networking is the concept of having two locations able to communicate securely and effectively, usually across a public network such as the Internet. Three key traits of VPN technology are: privacy (nobody else can see what you are communicating), authentication (you know who you are communicating with), and integrity (nobody else can tamper with your messages/data).
  • Page 10: Installing And Configuring The SnapGear VPN Router

    Installing and configuring the SnapGear VPN Router: Instructions for installing and configuring your new SnapGear VPN Router on your network are contained in this manual. The basic steps and related chapters are as follows: Step 1. Interconnect the SnapGear VPN Router and PCs on a local area network (see Chapter 2, Getting Started).
  • Page 11: The SnapGear VPN Router

    The SnapGear VPN Router The following items will have been included with your SnapGear VPN Router: • Power adapter • Installation CD • Printed Quick Install guide • Cabling: • 1 x normal UTP cable – blue • 1 x “cross-over” UTP cable – (either gray or red) With the LITE+ you will instead receive two straight through cables (blue).
  • Page 12 COM 1, 2 Flashing For either of the SnapGear VPN Router COM ports, these LEDs indicate receive and transmit data. Virtual Private Networking is enabled. The rear panel contains connector ports for LAN (LAN) and modem (COM1, COM2), LAN 10BaseT status LEDs, WAN 10BaseT status LEDs, a reset button and power inlet. The upper LEDs represent “Link”...
  • Page 13: SnapGear VPN Router Features

    The SnapGear VPN Router interconnects as shown below. In the case of the SnapGear LITE+ a secondary hub/switch is not required as the unit provides a 4-port Ethernet switch. Figure 1.3 Network interconnections SnapGear VPN Router features Software features •...
  • Page 14 For the SnapGear LITE and LITE+ models • 10/100BaseT LAN port to connect to local network Dial-in Connection • For SnapGear SOHO+ and PRO, external modems may be attached to the serial ports for dial-in connection Environmental • External power adaptor (voltages/current depend on individual models) •...
  • Page 15: Getting Started

    Using an Ethernet cable, connect the SnapGear VPN Router’s LAN Ethernet port (marked LAN) to a spare port on the existing network hub. At this stage do not apply power to your SnapGear VPN Router. SnapGear VPN Router comes with an inbuilt DHCP server that can automatically assign IP addresses to other devices on the network.
  • Page 16: New Networks

    2. Install an Ethernet adapter and software driver in at least one of the PCs to be networked. 3. You will have to assign your PC an IP address in order to be able to configure the SnapGear VPN Router on the network. From the Start menu, select Settings, Control Panel, Network and click on the Configuration tab (or Protocols if using NT).
  • Page 17: Setup Wizard

    IP address. 2. Insert the SnapGear VPN Router Installation CD into the CD drive of any Windows PC on your network that meets the system requirements. From the Start menu, select Run and type z:\setup (where z is the letter of your CD drive).
  • Page 18: Static Networks

    Static Networks Setup Wizard will ask you to enter an IP address for your SnapGear VPN Router. Select an unused IP address that you want to assign to the SnapGear VPN Router (e.g. 10.0.0.199). The first three fields are auto-completed, based on the IP address and net mask of the local machine. Ensure that the SnapGear VPN Router is powered on and plugged into the network, then click OK.
  • Page 19 Figure 2.2 Setup Wizard Internet setup Once an IP address is allocated, the SnapGear Setup Wizard will then prompt you to change the SnapGear VPN Router’s internal password. This password controls access to the SnapGear VPN Router Configuration web pages and the SnapGear VPN Router unit itself. It is recommended that the new password be chosen so that it is easy for you to remember but hard for others to guess.
  • Page 20: Initial Setup Using Linux

    SnapGear VPN Router as shipped is configured with no Internet (IP) address. When the SnapGear VPN Router is powered on and it has no IP address, it will flash all of its front panel LEDs (except the ‘Power’ LED). As soon as it acquires an address, it will stop flashing the LEDs.
  • Page 21 SnapGear VPN Router. If your network has a BOOTP server then you can use this to set up the SnapGear VPN Router. Edit the BOOTP server’s file, /etc/bootptab, and enter an entry for the SnapGear VPN Router. Use the Ethernet MAC address printed on a label on the bottom of the SnapGear VPN Router.
  • Page 22: SnapGear Quick Setup Wizard

    3. Restart TCP/IP on your system. If you don’t know how, then just reboot the Linux system. Once the system is running it should serve the IP address to the SnapGear VPN Router when it is connected to your network.
  • Page 23 LAN Port Quick Setup Figure 2.3 LAN Port Quick Setup 1. Enter the name by which the SnapGear VPN Router will be known on the LAN. 2. Choose the method used to set the LAN port network address configuration, either DHCP or manual.
  • Page 24 1. Select Cable Modem, Modem, ADSL, or Direct as the method you use to connect to your ISP. Note that Direct connections are those where the SnapGear Internet Port is connected to a LAN that has another gateway to the Internet.
  • Page 25 4. If you connect to your ISP with ADSL (Asymmetric Digital Subscriber Line) the next step is to specify your ADSL connection type, either: a. Allow your SnapGear VPN Router to automatically detect your ADSL connection type. This is the best choice in most cases.
  • Page 26: Configuring The PCs On Your Network

    Configuring the PCs on your network In order to access the Internet, all PCs on the network must have the IP address of the SnapGear VPN Router defined as their default gateway and be using the DNS server provided by the ISP.
  • Page 27 Use the following IP address is checked. Then add the following information: • A unique IP address and appropriate subnet mask • Default Gateway (enter the IP address of the SnapGear VPN Router) • In the DNS tab, enter the DNS server address(es) provided by your ISP.
  • Page 28: Connect To The Internet

    (see Chapter 6, Firewall) to disallow any unwanted traffic into or out of your network. The SnapGear VPN Router can connect to the Internet via an external dialup analog modem, ISDN modem, permanent analog modem, cable modem or DSL link (see Figure 6).
  • Page 29: Select Internet Connection

    Select Internet connection The next step is to select how you will be connecting your SnapGear VPN Router to the Internet. From the SnapGear VPN Router Config Pages, in the Networking menu, select Connect to Internet and choose the method you will use to connect to your local Internet Service Provider (ISP).
  • Page 30 If you are unsure of the ADSL Connection Method to choose, select Autodetect connection type. Your SnapGear VPN Router will then attempt to automatically determine the appropriate connection method. Connect to Internet – Direct Choosing Direct Connection to the Internet will take you to the IP Configuration page. See IP Configuration.
  • Page 31 Field: SnapGear VPN Router port to dial out on. Description: Select the SnapGear VPN Router COM (serial) port that you will use for the modem that will dial your ISP. This port will then be dedicated for the Internet connection. Any attempt to dial in on this COM port will be blocked.
  • Page 32: Configure PCs To Use SnapGear VPN Router Internet Gateway

    1. From any PC on the network, launch a browser application such as Internet Explorer or Netscape Navigator. 2. SnapGear VPN Router will dial the ISP and log in. On the front panel, you will see the relevant COM LED flash as the connection is established.
  • Page 33 If you are using a permanent connection device, like a cable modem, then Internet access is automatic.
  • Page 34: Dial-In Server Configuration

    SnapGear VPN Router enables you to securely access your office network remotely. This chapter details how to set up the dial-in features. Note: Not all SnapGear VPN Router models support the RAS (Remote Access Server) functions found in this chapter.
  • Page 35: Dial-In Setup

    Dial-in setup Figure 4.1 Dial-in setup
  • Page 36 To enable and configure SnapGear VPN Router’s Dial-In server, select Dial-In Setup from the Networking menu. The table below describes all the fields in the Dial-In Setup screen and explains how to enable and configure dial-in access on a SnapGear VPN Router COM port.
  • Page 37 In users must be assigned local IP addresses. Specify a free IP address from your local network each dial-up client will use when connecting to the SnapGear VPN Router. Authentication Scheme: The authentication scheme you choose is the method by which the SnapGear VPN Router will challenge users dialing into the network.
  • Page 38: Dial-In User Accounts

    Once you have enabled and configured the selected SnapGear VPN Router COM ports to support dial-in, click Continue and you will be able to create and configure dial-in user accounts. Dial-in user accounts Figure 4.2 Dial-in user account creation
  • Page 39 Before remote users can dial into the SnapGear VPN Router, you must set up user accounts. The field options in Add New Account are detailed in the table below: Field Description Username This username is required for dial-in authentication only. The name selected is case-sensitive (for example, Jimsmith is not the same as jimsmith).
  • Page 40 Figure 4.3 User Maintenance Screen
  • Page 41 Account List As new dial-in user accounts are added, they are displayed on the updated Account List. To modify the password of an existing account, select the account in the Account List then enter a new password identically in both the New Password and Confirm fields. Click Apply under the Delete or Change Password for the Selected Account heading, or reset if there is a mistake.
  • Page 42: Remote User Configuration

    – as detailed in Chapter 6, Firewall. Warning: If you have enabled a SnapGear VPN Router COM port for dial-in, this port cannot be used simultaneously for dial-out activities such as dial-on-demand Internet connection. If a...
  • Page 43 Figure 4.5 Make New Connection From the Select a device pull down menu, select the modem you will be using. Click Next, then fill in the details for the phone number of the modem connected to the SnapGear VPN Router.
  • Page 44 Check the Log on to network and Enable software compression check boxes. If you have set up your SnapGear VPN Router dial-in server to require MSCHAP-2 authentication, you will also need to check the Require encrypted password check boxes. Leave the other Advanced Options unchecked.
  • Page 45 You can dial in and log on to the remote SnapGear VPN Router by double-clicking on your Connection Name icon. You will need to enter the Username and the Password that has been set up for the SnapGear VPN Router dial-in account, as indicated in the figure below.
  • Page 46 Figure 4.8 Network Connection Wizard
  • Page 47 Figure 4.9 Connection Type Choose Dial-up to private network as the connection type.
  • Page 48 Figure 4.10 Phone number to dial Tick Use dialing rules to enable you to choose a country code and area code. This feature is useful if you are using remote access in another state or overseas.
  • Page 49 Figure 4.11 Connection Availability Select the option Only for myself to make the connection only available for you. This is a security feature that will not allow any other users who log onto your machine to use this remote access connection.
  • Page 50 If you did not create a desktop icon, click Start, Settings, Network and Dial-up Connections and choose the appropriate connection. You will need to enter the username and password that had been set up for the SnapGear VPN Router dial-in account.
  • Page 51 Figure 4.13 Remote Access Login Screen
  • Page 52: Network Configuration

    5. Network Configuration IP Configuration Selecting IP Configuration from the Networking menu enables the user to set the IP address configuration of both the LAN and Internet interfaces.
  • Page 53 LAN interface, enter the IP Address and Netmask in the fields provided. Note that you must enter a static IP address if the SnapGear VPN router is to act as the DHCP server on your local network.
  • Page 54 If your SnapGear VPN Router is configured for a Direct Connection to the Internet, you must also set the IP address for the Internet Interface. Check DHCP assigned if the IP address of the Internet Interface is set via a DHCP server, or enter the IP Address and Netmask if you have a static address for the Internet interface.
  • Page 55: Advanced IP Configuration

    Advanced IP Configuration Figure 5.2 Advanced IP Configuration
  • Page 56 The Hostname is a descriptive name by which the SnapGear VPN Router will be known on the network. The SnapGear VPN Router can utilize IP Masquerading, whereby users on the local network effectively share the one external IP address. Masquerading allows insiders to get out, without allowing outsiders in.
  • Page 57: DHCP Server

    DHCP Server Figure 5.3 DHCP Server Configuration To help keep your network design as simple as possible, your SnapGear VPN router can act as a DHCP server for machines on your local network. To configure your SnapGear VPN Router as a DHCP server, you must first set a static IP address and netmask on the LAN Interface (see IP Configuration).
  • Page 58: Advanced Networking

    MAC Address of the machine as well as the IP Address that is to be allocated to this machine. To take advantage of the SnapGear VPN Router’s DHCP server functionality, you should configure the other machines on your local network to obtain their IP addresses dynamically from the SnapGear VPN Router.
  • Page 59: Traffic Shaping

    Additional Routes Expert users may add additional static routes using this feature of the SnapGear VPN Router. These routes are in addition to those created automatically by the SnapGear VPN Router's configuration scripts.
  • Page 60: Firewall

    6. Firewall The SnapGear VPN Router comes with a full featured, stateful firewall. The firewall allows you to control both incoming and outgoing access and to detect intrusion attempts, so that PCs on the office network can be provided with tailored Internet access facilities and are shielded from malicious attacks. The SnapGear...
  • Page 61 Incoming Access - Administration Services Figure 6.1 Incoming Access configuration By default the SnapGear VPN Router runs a web administration server and a telnet daemon. Access to these services can be restricted to specific interfaces. For example, you may want to restrict access to the SnapGear VPN Router’s configuration web pages (Web Admin) to only machines on...
  • Page 62 SnapGear VPN Router on the Internet. Note that after changing the web server port number, you must include the new port number in the URL to access the web administration pages.
  • Page 63: Outgoing Access

    Port forwarding allows the SnapGear VPN Router to control access to services provided by machines on your private network from users on the Internet. Requests coming into the SnapGear VPN Router on the specified Incoming Port(s) will be forwarded to the Target Port on the Target Server.
  • Page 64 Your SnapGear VPN Router’s Outgoing Access Restrictions are configured by using security group classes. Click on the security group classes’ link on the Outgoing Access Configuration page to set the restrictions for each security group class. Each security group class can be configured to restrict certain TCP/IP application protocols or to block specified TCP and UDP ports.
  • Page 65: Firewall Rules

    Please note that only experts on Firewalls and iptables rules will have the ability to add effective custom firewall rules. Configuring the SnapGear Firewall via the Incoming Access and Outgoing Access configuration pages is adequate for all but some very specialized applications.
  • Page 66: Intruder Detection And Blocking

    Intruder Detection and Blocking Figure 6.6 Intruder Detection and Blocking configuration Intruder Detection and Blocking (IDB) operates by offering a number of services to the outside world, which are then monitored for connection attempts. Remote machines that attempt to connect to these services generate a system log entry providing details of the access attempt and then the access attempt is categorically denied.
  • Page 67 The list of network ports that can be monitored can be edited freely. In addition, several short cut buttons are available which provide pre-selected lists of services to monitor. The basic button installs a bare bones selection of ports to monitor whilst still providing sufficient coverage to detect many intruder scans.
  • Page 68: Virtual Private Networking

    VPN tunnel over their cable modem or DSL links to their local Internet Service Providers. With the SnapGear VPN Router you can establish a secure VPN over the Internet using either PPTP or IPSec. IPSec provides the better security, however, PPTP may be the VPN protocol to use when integrating with existing Microsoft infrastructure.
  • Page 69 Figure 7.1 VPN tunneling using PPTP Server
  • Page 70: PPTP Client Setup

    PPTP client setup The SnapGear PPTP client enables the SnapGear VPN Router to establish a VPN to a remote network running a PPTP server. This server will most likely be a Microsoft Windows server. To begin setting up a SnapGear PPTP VPN Client, select PPTP VPN Client from the VPN menu.
  • Page 71 Figure 7.2 PPTP client configuration The SnapGear VPN Router supports multiple VPN client connections and more can be added in the same manner as above. A VPN connection may be set as the default route for all network traffic by checking Make VPN the Default Route and clicking Apply.
  • Page 72: PPTP Server Setup

    PPTP server setup The SnapGear VPN Router includes PPTP Server, a virtual private network server that supports up to forty simultaneous VPN tunnels, depending on the SnapGear VPN Router model. The SnapGear PPTP Server allows remote Windows clients to securely connect to the local network.
  • Page 73 To enable and configure SnapGear VPN Router’s VPN server, select PPTP VPN Server from the VPN menu in the SnapGear VPN Router Config Pages. The table below describes the fields in the VPN Setup screen and the options available when enabling and configuring VPN access.
  • Page 74 IP address from your local network that each VPN Points client will use when connecting to the SnapGear VPN Router. Please ensure that the IP addresses listed here are not in the range the DHCP server can assign. (Ranges are accepted - e.g.
  • Page 75 PPTP VPN Server Accounts screen Before remote users can set up a VPN tunnel to the SnapGear VPN Router PPTP server, they must have user accounts set up. The field options in the Add New Account are detailed in the table below.
  • Page 76 If the change request is unsuccessful, an error will be reported. Configuring the remote VPN client Having set up the SnapGear PPTP VPN server as described above, the remote VPN clients can now be configured to securely access the local network. You will need to supply the VPN client username and password.
  • Page 77 Figure 7.5 VPN PPTP IP address Obtain the current IP address of the SnapGear VPN Router PPTP server. This address may change from time to time if your office network has an external DHCP server (i.e. your ISP dynamically assigns you an IP address). To determine the current SnapGear VPN Router’s PPTP server IP address, select Diagnostics from the System menu in the main menu bar.
  • Page 78 From the Select a device drop-down menu, select the Microsoft VPN Adapter and click Next. Enter the PPTP IP address of the SnapGear VPN Router VPN server in the VPN Server field – note that this may change from time to time if your ISP uses dynamic IP assignment. Click OK and then Finish.
  • Page 79 Figure 7.6 VPN client setup Right-click on the new icon and select Properties. Select the Server Types tab and check the Log on to network, Enable software compression, and Require encrypted password check boxes. Leave the other Advanced Options unchecked. Select the TCP/IP network protocols from the Allowed network protocols list.
  • Page 80 Figure 7.7 VPN client server settings
  • Page 81 From the Dial-Up Networking dialog, click the New button. Select the Basic tab. In the Entry name field, enter SnapGear VPN Router or a similar descriptive name and click Next. Enter the SnapGear VPN Router’s PPTP IP address into the Phone Number field.
  • Page 82: Windows 2000

    Windows 2000 To set up VPN access, you first need to set up a Dial Up Networking account to access the Internet. Once you have done this, you are ready to begin. The first thing you need to do is log in as Administrator on your PC. Once logged in, from the Start menu, select Settings and then Network and Dial-up Connections.
  • Page 83 To set up your VPN account, double-click on Make New Connection then click Next on the first window of this wizard, which will bring up the Network Connection Type window. Figure 7.9 Network Connection Type Select Connect to a private network through the Internet and click Next. This displays the Destination Address window.
  • Page 84 Figure 7.10 Destination Address Enter the SnapGear PPTP server’s IP address and click Next. Select the Connection Availability that you require on the next window and click Next, which will display the final window in this wizard. Figure 7.11 Completing the Network Connection Wizard...
  • Page 85 For Windows 95/98/2000, enter the username and password given to you by the SnapGear VPN Router’s VPN administrator and click Connect. For Windows NT, click Dial and enter the username and password given to you by the SnapGear VPN Router’s VPN administrator.
  • Page 86: IPSec Setup

    IPSec Setup The SnapGear VPN router supports IPSec tunnels as well as PPTP tunnels. To set up your VPN using IPSec, select IPSec from the VPN menu: Figure 7.12 IPSec Setup
  • Page 87 Enable the interface on which you want to use IPSec. This may be the default gateway or a ppp interface for ADSL and cable modems, or "eth1" if the SnapGear VPN Router is connected to a router before connecting to the Internet. Then click Submit.
  • Page 88 Enter the local gateway settings. The Internal subnet/netmask refers to the private network behind the SnapGear VPN Router. The External IP refers to the public-network interface that the SnapGear VPN Router will use for IPSec. The Authentication Identifier is required when using RSA key signatures for multiple Road Warriors and is used to identify the other participant during authentication.
  • Page 89 Dead Peer Detection allows the tunnel to be restarted if the remote gateway stops responding. This option will only have an effect if the remote gateway supports Dead Peer Detection. It operates by sending notifications and waiting for acknowledgements. Delay is the time between notifications. The tunnel will be restarted if no acknowledgements have been received for a period of Timeout.
  • Page 90 Figure 7.14 Automatic Keying Setup Click Submit to add the new IPSec tunnel after selecting the appropriate Automatic Startup, Authorization, Authentication, and Key Configuration.
  • Page 91: IPSec Interoperability

    The default value of 1 hour is recommended. Checking the Enable Perfect Forward Secrecy of keys box means that an attacker who acquires the SnapGear VPN Router’s long-term key (i.e. the pre-shared secret or RSA Signature Key Private Section) can: •...
  • Page 92: System

    Password in the System menu. The SnapGear VPN Router’s password is the ‘key’ to the security of your network; it is essential to keep it secret. SnapGear recommends choosing a password that is easy for you to remember but hard for unauthorized people to guess.
  • Page 93: Advanced

    The simplest method of clearing the SnapGear VPN Router’s stored configuration information is to push the reset button on the back of the SnapGear VPN Router box. It is the small hole between the serial ports and ethernet ports. A bent paper clip is the simplest method.
  • Page 94: Technical Support

    The Technical Support Report page is an invaluable resource for the SnapGear Technical Support Staff to analyze problems with your SnapGear VPN Router. The information on this page gives the Support Staff important information about any problems you may be experiencing.
  • Page 95: Appendix A - LED Status Patterns

    Appendix A – LED Status Patterns The table below shows the various LED illumination combinations that serve to show possible error conditions. In each case, the LEDs indicated will be on and steady, unless otherwise noted, and all other LEDs will be off. The Power and System LEDs do not form part of the grouping of status-indicating LEDs.

This manual is also suitable for:

Soho+, Pro, Lite, Lite+