ETIC SIG User Manual

SIG
TLS or IPSec VPN server
_________________
User manual
Document reference : 9017409-01
_________________


Summary of Contents for ETIC SIG

  • Page 2 The SIG router & VPN server is manufactured by ETIC TELECOM 13 Chemin du vieux chêne 38240 MEYLAN FRANCE TEL : + (33) (0)4-76-04-20-05 FAX : + (33) (0)4-76-04-20-01 E-mail : hotline@etictelecom.com web : www.etictelecom.com...
  • Page 3: Table Of Contents

    OVERVIEW (9); INSTALLATION : PRODUCT DESCRIPTION (10), INSTALLATION (11); CONFIGURATION : CONFIGURING THE SIG ROUTER (13), Overview (13), First configuration (14), Modifying the configuration (15); REBOOTING THE ROUTER AFTER PARAMETERS CHANGES (16); RECOVERING THE IP ADDRESS OF THE ROUTER (16); RECOVERING THE FACTORY CONFIGURATION ...
  • Page 4 Configuring a TLS connection (49); 12.3 Configuring a PPTP connection (52); USERS LIST (53); FIREWALL (56); 14.1 Overview (56); 14.2 Main filter (58); 14.3 Remote users filters (62) ../.. User’s guide ref 9017409-01 SIG Router & VPN server Page 4...
  • Page 5 SAVING THE PARAMETERS TO A FILE (72); UPDATING THE FIRMWARE (72); OVERVIEW (77); FUNCTIONS (78); OPERATION (78); Appendix 1 : Administration html server; Appendix 2 : VPN mechanisms
  • Page 7: Technical Data

    IP address translation : Source IP @ translation (NAT); Destination IP @ translation (DNAT); Port translation (Port forwarding). IP address assignment, LAN interface : fixed IP @ or DHCP server. Throughput : 30 MB/s.
  • Page 8 Event logs (date and time). Remote access server (RAS) : user list of 25 users; VPN PPTP / L2TP-IPSec / TLS (OpenVPN); connection by login & password or X509 certificate. Alarms : 3 inputs, emails.
  • Page 9: Overview

    INSTALLATION Overview The SIG is designed to build safe and reliable remote control systems over the Internet or private extended networks. The SIG comes with two 10/100 BT Ethernet interfaces. The WAN interface (Ethernet 4) : on that interface, the SIG behaves as a VPN server.
  • Page 10: Product Description

    Function. Ethernet 1 : DATA blinking quickly : data activity; LINK lit : interface connected. Ethernet 4 : DATA blinking quickly : data activity; LINK lit : interface connected. Power LED.
  • Page 11: Installation

    Installation The product includes a fan. Mount the SIG router in a 19 inch rack or place it on a flat surface. Leave 10 cm of clearance at the sides and at the rear to avoid overheating. Attach the brackets.
  • Page 13: Configuration

    First set up For the first configuration, we advise connecting the PC directly to the LAN interface (Ethernet 1) of the SIG router. Set up modifications Modifications can be carried out from the LAN, or remotely from the WAN through a VPN or a remote access connection (RAS connection).
  • Page 14: First Configuration

    First configuration Step 1 : Create or modify the PC’s IP connection. Assign to the PC an IP @ consistent with the SIG IP address. For the first configuration, assign for instance 192.168.0.127 to the PC. Step 2 : Connect the PC directly to the LAN interface (Ethernet 1) of the SIG using any Ethernet cable (straight or cross wired).
  • Page 15: Modifying The Configuration

    • Launch the html browser and enter the IP address assigned to the router. • Or, launch the ETICFINDER utility to detect the SIG address. • Enter the login and password which may restrict the access to the html server.
  • Page 16: Rebooting The Router After Parameters Changes

    Click the “Save current configuration to disk” button. Recovering the IP address of the router If you cannot access the SIG by any method, it is possible to recover the stored IP address by using the ETIC FINDER software provided by ETIC TELECOM.
  • Page 17: Restricting Access To The Administration Server

    Select the “Set up” menu, the “Security” menu and then the “Administration” menu. Remark : For more simplicity, we advise choosing the login and the password of one of the remote users stored in the user list.
  • Page 18: Assigning Ip Addresses To The Lan And The Wan Interfaces

    * The administration html server is located at that address. • The WAN interface : The WAN interface is the « Ethernet Nr 4 » interface. The SIG behaves at the same time as a VPN server and as a remote access server on that interface. ...
  • Page 19: Lan Interface Parameters

    PC when they will connect to the router. Enter the start address and the end address.
  • Page 20 DHCP server configuration Over the LAN interface, the SIG router can behave like a DHCP server. If you select that option, we advise assigning a fixed IP address to the SIG router itself over the LAN interface. To configure the DHCP server function, ...
  • Page 21: Wan Interface Parameters

    CONFIGURATION WAN interface parameters The « Ethernet 4 » RJ45 connector is the WAN interface. The SIG can be connected to a company network or to any Internet router through that interface. • Select the « Internet» menu and then « WAN interface» and then “Connection”.
  • Page 22: Creating Vpn Connections Between Routers

    LAN can exchange data with each device of the other one. To get more explanations about how VPNs work, refer to appendix 1. 128 VPNs can be set on the WAN interface of the SIG router. Two types of VPN can be set : TLS VPNs and IPSec VPNs.
  • Page 23 CONFIGURATION To create VPN connections between routers, • select the « Set up» menu and then « Network» and then “VPN connections”.
  • Page 24: Ipsec Vpn Connections

    AH, if no encryption is required or if NAT traversal is required. ESP provides the same services plus encryption. If ESP is selected, an encryption protocol and an authentication protocol must be selected.
  • Page 25 The same preshared key value will be used for remote users L2TP / IPSec connections. “Certificate” value The SIG router is delivered with a certificate stored in the product at our factory. To add a certificate, refer to the “Security” menu.
  • Page 26 To set up an outgoing VPN connection, • Come back to the “VPN connections” screen, • Click the “add a connection” button. Give a name to the connection and select the “Outgoing” option.
  • Page 27 Paste the field "SubjectAltName" of the active certificate of the router you are configuring and the one of the remote router. Attention : For ETIC certificates, this field is the Email field.
  • Page 28 [Drawing : Router, Remote router, Remote WAN IP address] To set an ingoing VPN connection, • Come back to the “VPN connections” screen, • Click the “add a connection” button.
  • Page 29 • “My WAN address & Remote WAN address” parameters : Enter the WAN IP address of the router and the WAN IP address of the remote router. • Certificate “My subjectAlt name” & “Remote subjectAlt name” parameters : Paste the field "SubjectAltName"... Attention : For ETIC certificates, this field is the Email field.
  • Page 30: Tls Vpn Connections

    Select the port Nr and the type of level 3 protocol used to transport the TLS VPN; UDP will be preferred. Attention : The port number value must be different from the one used by remote users.
  • Page 31 This parameter sets the amount of time (in seconds) the server will wait for the response before repeating it. “Encryption algorithm” & “Authentication algorithm” parameters : Those parameters define the encryption and hash algorithms in use.
  • Page 32 Click the “add a connection” button. • Give a name to the connection and select the “Outgoing” connection direction option.
  • Page 33 Enter the IP address of the remote router or its DNS name. “Remote WAN IP address” parameters : Enter the IP network address and netmask assigned to the remote router over its WAN interface.
  • Page 34 “Remote router Login” & “Remote router password” parameters : Enter the login and password of the remote router. The remote router has to use that login and password to authenticate.
  • Page 35: Routing Functions

    Enter the IP network address and netmask assigned to the remote LAN. “Common name” parameters : Enter the remote router certificate common name. Attention : For ETIC certificates, this field is the Email field. Routing functions Basic routing function Once an IP address has been assigned to the R2 router on the LAN interface and another one on the WAN interface (see drawing hereafter), the SIG R2 router is ready to route frames …...
  • Page 36: Static Routes

    IP packet to that destination must pass. Router 2 static routes (Active / Route name / Destination / Netmask / Gateway) :
    Network 6 : 192.168.6.0 / 255.255.255.0 / 192.168.5.1
    Network 1 : 192.168.1.0 / 255.255.255.0 / 192.168.2.1
    Network (Remote WAN) : 192.168.4.0 / 255.255.255.0 / 192.168.5.128
  • Page 37: Rip Protocol

    Routing table broadcasting : Each router broadcasts its table. Routing table update : Each router updates its own table using the tables received from the other ones.
  • Page 38: Address And Port Translation

    The transfer criterion is the port number; the port number is used as an additional address field. When a frame is addressed to the SIG router with a particular registered port, it is transferred to a particular device connected to the LAN interface.
  • Page 39: Advanced Network Address And Port Translation

    IP packets contained in a remote user PPTP or TLS connection. It applies as well to frames whose destination address is the SIG router itself, or to frames whose destination IP address is a device belonging to the LAN subnet, to the WAN subnet or to another network.
  • Page 40 SNAT function which consists in replacing the source IP address. Because the DNAT and SNAT functions modify the IP addresses of the IP packets processed by the SIG router, and because the firewall filters those frames, it is very important to understand in which order those different functions are carried out.
  • Page 41 CONFIGURATION 9.2.2 Configuration To set the advanced address translation functions, • select the “Set up” menu, “Network”, and then the “Advanced NAT” menu.
  • Page 42 Enter the replacement criteria : Source IP address & Destination IP address; Protocol (TCP, UDP, …); Source port & Destination port. • Enter the new destination port number and IP address.
  • Page 43 Select “Yes” to enable the rule. • Enter the replacement criteria : Source & Destination IP address; Protocol (TCP, UDP, …); Source & Destination port. • Enter the new source IP address.
  • Page 44: Vrrp Redundancy

    It will use the same virtual IP address and the virtual MAC address as the previous master router. The SIG router manages that protocol as well on the LAN and on the WAN interface.
  • Page 45: Configuring Vrrp On The Lan Interface

    If that option is selected, the elected master router will answer to ARP requests by using that virtual MAC address. That MAC address is 00-00-5E-00-01-XX, where XX is the VRRP Id of the group coded in hexadecimal.
  • Page 46: Configuring Vrrp On The Wan Interface

    If that option is selected, the elected master router will answer to ARP requests by using that virtual MAC address. That MAC address is 00-00-5E-00-01-XX, where XX is the VRRP Id of the group coded in hexadecimal.
  • Page 47: Remote Users Connections Service

    CONFIGURATION 11 Remote users connections service The SIG provides a full remote user connection function called RAS : • The remote user authenticates using the login, password and optionally a certificate; the router accepts the connection only if the remote user belongs to the user list.
  • Page 48: Remote Users Connections

    12.1 Principles A remote user connection is a tunnel set between a remote PC and a router providing the RAS function (Remote Access Service), like the SIG. A remote user connection provides security and simplicity advantages : • The remote user is identified with a login and password or optionally a certificate.
  • Page 49: Configuring A Tls Connection

    Installed on a PC running Windows XP or Seven, M2Me_Secure makes TLS connections from a remote PC to the SIG easy; moreover it includes a connection book, so that a single click is enough to connect to a remote site.
  • Page 50 The selected port number assigned to the remote users connections must be different from the one used for VPN connections between routers if such VPN connections have been configured.
  • Page 51 Select the « Advanced » tab; select the level 3 protocol (UDP or TCP), the port number and the encryption algorithm. These parameters must have the same values in the PC and in the router.
  • Page 52: Configuring A Pptp Connection

    Remark : The “properties” button allows modifying the authentication protocol; leave the default configuration if the PPTP client is a PC running Windows. Step 2 : Set a PPTP connection on the PC side.
  • Page 53: Users List

    To display the user list, • select the “Set up” menu, the “Remote users” menu and then the “User list” menu.
  • Page 54 It is the name displayed in the user list. Login & password The login and the password will have to be entered by each user at the beginning of the remote connection.
  • Page 55 The SIG will send an email to that address in two situations : Alarm email : the SIG sends an alarm email to the defined user If the input 1 is closed or opened (if that option has been set).
  • Page 56: Firewall

    The remote users filters The function of the remote users filters is to limit the IP domain an authenticated remote user can reach when he connects to the SIG router through the Internet. The remote users filters filter the destination IP address and port number of the IP packets included inside a PPTP or TLS or L2TP remote user connection.
  • Page 57 CONFIGURATION The firewall of the SIG can thus be represented by the drawing hereafter : [Drawing : FIREWALL; remote user connection filters (users); main filter (VPN between routers); port forwarding filter]
  • Page 58: Main Filter

    For instance, if the default policy assigned to the WAN to LAN traffic is “drop”, it means that an IP packet which does not match any of the rules of the main filter will be rejected.
  • Page 59 If it does not, the firewall checks if it matches the second rule; and so on. If the packet does not match any of the rules of the table, the default policy is applied to the packet (drop or reject).
  • Page 60 VPN, have to be filtered. VPN traffic rules : The second part, entitled “VPN traffic rules”, defines how the IP packets carried inside the VPNs have to be filtered.
  • Page 61 1 to 32; it is the number of binary 1s in the netmask; for instance, the value 24 means 255.255.255.0; the value 16 means 255.255.0.0.
  • Page 62: Remote Users Filters

    A remote user filter is a table of destination port numbers and IP addresses belonging to the LAN network. Once a remote user is connected to the SIG router, the router applies the filter assigned to him (see the remote user form).
  • Page 63 The list of the devices of the LAN network is displayed. • Click « add a device ». • Assign a label and an IP address to the device and click OK.
  • Page 64 CONFIGURATION Step 3 : Build a remote user filter • Select the « security» menu, then « firewall» and then «Filter list». The users filters list is displayed.
  • Page 65 Select a device among the ones which have been stored and a service (also called port). • Add other rules if necessary. • Click OK when the filter is complete; the updated filter list is displayed.
  • Page 66 Select a user to which you want to assign a filter and click modify; the user window is displayed. Assign a filter to the user; click OK and save.
  • Page 67: Advanced Functions

    ETIC TELECOMMUNICATIONS acting as a certification authority. That certificate can be used to set a VPN between two routers. Two SIG routers can set a VPN with one another using certificates only if the certificates have been provided by the same authority.
  • Page 68: Configuring The Web Portal

    If the web portal option has been selected (see below), the web portal page is displayed when the remote user launches the navigator and enters the IP address assigned to the SIG router. In that case, the administration server can still be reached at the same address, but on port number 8080 instead of port 80, which it uses when the web portal page option is not selected.
  • Page 69: Configuring The Dns Server

    That function can be carried out only if the SIG IP address is pointed out as the main DNS server of the devices of the LAN.
  • Page 71: Diagnostic

    That menu displays the table of the VPNs (remote user connections and remote routers connections) which are established. • Ping : That screen enables sending a ping frame to an IP address.
  • Page 72: Saving The Parameters To A File

    PC with a Web browser and an Ethernet cable; the FTP server software which can be downloaded from the « firmware page » of the ETIC « download area » web server. Step 2 : Download the release of the firmware from our download area to your PC. Step 3 : Prepare the PC. Check that the IP address of the PC is compatible with the one of the router.
  • Page 73 Step 4 : Update the firmware. Launch the web browser. Enter the IP address of the ETIC product; the home page of the ETIC configuration server is displayed. Select the "System" menu and then "Firmware Update". In the field "IP address of the TFTP server", enter the IP address of your PC.
  • Page 74 MAINTENANCE
  • Page 75 Alarm menu : to set up alarm SNMP traps; to set up alarm emails; to set up SNMP parameters. System menu : to enter the devices list; to update the service list; to update time and date.
  • Page 76 Save / restore : to save or restore a configuration file; to restore the factory configuration. Reboot : to restart the router. 4/ About menu : to display the certificate “product key”; to display the firmware version.
  • Page 77: Overview

    Ethernet cable. [Drawing : VPN between a remote PC and a network; router, IP network, end-point to end-point]
  • Page 78: Functions

    During the initial phase, the two end-points exchange their codes; each party checks that the other party's code is valid. User level authentication The SIG router holds a user list; once a VPN has been set with the remote user PC, the remote user identification code and password are checked.
  • Page 79 Periodically, each router (or at least the VPN server router) sends to the other one a control message to check that the VPN must remain established. If no response is received from the other party, the VPN is cleared.
  • Page 80 APPENDIX 2 VPN basic mechanisms
  • Page 83 13, Chemin du Vieux Chêne 38240 Meylan - France Tel : 33 4 76 04 20 00 Fax : 33 4 76 04 20 01 E-mail : contact@etictelecom.com Web : www.etictelecom.com...