Compatible Systems INTRAPORT 2+ User Manual

IntraPort 2 and IntraPort 2+
VPN Access Server
Administrator’s Guide
Compatible Systems Corporation
4730 Walnut Street
Suite 102
Boulder, Colorado 80301
303-444-9532 800-356-0283
IntraPort 2 and IntraPort 2+ VPN Access Server Administrator’s Guide, Version 1.5 Copyright © 1999, Compatible Systems Corporation
All rights reserved. IntraPort, RISC Router, MicroRouter and CompatiView are trademarks of Compatible Systems Corporation. Other trademarks are the property of their respective holders.
Copyright© 1997-1999 by Hi/fn, Inc. Includes one or more U.S. Patent Nos.: 4,701,745; 5,003,307; 5,016,009; 5,126,739; 5,146,221; 5,414,425; 5,414,850; 5,463,390; 5,506,580; 5,532,694. Other Patents Pending.
Part number : A00-1619
FCC Notice: This product has been certified to comply with the limits for a Class A computing device, pursuant to Subpart J of Part 15 of FCC Rules. It is designed to provide reasonable protection against radio or television communication interference in a commercial environment. Operation of this equipment in a residential area could cause interference with radio or television communication.
Chapter 1 - Introduction 1
ABOUT THE INTRAPORT 2/2+ VPN ACCESS SERVER 1 A NOTE ABOUT REMOTE CLIENT CONNECTIONS 1 INTRAPORT 2/2+ VPN ACCESS SERVER INSTALLATION OVERVIEW 1
Chapter 2 - Getting Started 5
A FEW NOTES 5
Please Read the Manuals 5 Warranty and Service 5 Getting Help with the IntraPort 2/2+ VPN Access Server 5
WHAT YOU WILL NEED TO GET STARTED 6
Supplied with the IntraPort 2/2+ VPN Access Server 6 Needed for Installation 6 Ethernet Connection Requirements 7 VPN Client Software Requirements 7
Chapter 3 - Network Installation 9
Placing the Server 9 Connecting the Server to the Ethernet 9 Connecting a Management Console 10 Powering Up the Server 10
Chapter 4 - CompatiView Software Installation 11
CompatiView for Windows 11
System Requirements 11 Installation and Operation 12 Transport Protocols and CompatiView 12
Chapter 5 - Command Line Management 15
Out-of-Band Command Line Management 15 Temporarily Reconfiguring a Host for Command Line Management 16 Setting Up Telnet Operation 16
Chapter 6 - Basic Configuration Guide 19
SETUP OPTIONS 19
Diagram of Dual-Ethernet Setup 20 Diagram of Single-Ethernet Setup 21
CONFIGURATION USING COMPATIVIEW 22
VPN Client Tunnel Settings 22 CONFIGURING THE SERVER FOR LAN-TO-LAN TUNNELS 37 BASIC CONFIGURATION USING COMMAND LINE 41
VPN Client Tunnel Settings 41 CONFIGURING THE SERVER FOR LAN-TO-LAN TUNNELS 48
Chapter 7 - Alternate Protocols and Security Parameters 50
IPX Protocol 50
Required for IPX 50 Suggested for IPX 50
AppleTalk Protocol 51
Required for AppleTalk 51 Suggested for AppleTalk 51
SETTING UP RADIUS AUTHENTICATION 51
Setting the IntraPort for a RADIUS Server 51 RADIUS Server User Authentication Settings 52
SETTING UP SECURID AUTHENTICATION 53
Setting the IntraPort for an ACE/Server 54 ACE/Server Settings 54
SAVING A CONFIGURATION FILE TO FLASH ROM 55
Appendix A - Shipping Defaults 57
Ethernet Interfaces 57
Default Password 57 IP Defaults 57 IPX Defaults 57 AppleTalk Defaults 57
Appendix B - Connector and Cable Pin Outs 58
Pin Outs for DB-25 Male to DB-25 Female RS-232 Data &
Console Cable 58
Appendix C - Security Dynamics ACE/Server Information 59
Appendix D - LED Patterns and Test Switch Settings 61
IntraPort 2/2+ VPN Access Servers LED Patterns 61
Ethernet Back Panel Indicators LEDs 61 Front Panel LEDs 61 Sys Ready 61 Power On, No Traffic 61 Ethernet Traffic Indicators 61 IntraPort 2 Connections/Users LEDs 62 IntraPort 2+ Connections/Users LEDs 62 IntraPort 2 Special Indicators 63 IntraPort 2+ Special Indicators 63
IntraPort 2/2+ VPN Access Server Switch Settings 63
Appendix E - Downloading Software From Compatible Systems 65
THE COMPATIBLE SYSTEMS WWW SERVER 65
Appendix F - Terms and Conditions 67

Chapter 1 - Introduction

About the IntraPort 2/2+ VPN Access Server

Congratulations on your purchase of the IntraPort 2 or IntraPort 2+
VPN Access Server. These VPN Access Servers provide secure
Internet-based remote access and site-to-site connections.
The IntraPort 2 will support up to 16 simultaneous LAN-to-LAN
connections and up to 64 simultaneous remote client connections. The
IntraPort 2+ will support up to 32 simultaneous LAN-to-LAN connections and up to 500 simultaneous remote client connections.

A Note About Remote Client Connections

In order to create a tunnel to a network over the Internet, remote users must run VPN Client software on a Windows95/98 PC, Windows NT PC, Mac OS, Linux, or Solaris computer which is connected to the Internet via PPP or Ethernet.
The IntraPort VPN Clients are applications which set up the remote
access VPN tunnels to the IntraPort 2/2+ VPN Access Server and make
sure that appropriate data gets sent.
The clients work in conjunction with your communications software.
Connections can be made to the Internet via PPP software or over a
local intranet via your workstation’s LAN adapter. Together, these
pieces provide cost-effective on-demand connections to your corporate network.
IntraPort 2/2+ VPN Access Server Installation Overview
This manual will help you install either the IntraPort 2 or the IntraPort
2+ VPN Access Server on your Local Area Network. For an overview
on installing and running the VPN Client software at remote user locations, refer to the VPN Client Reference Guide. For the most up-to-date
information available on Compatible Systems products, please visit the
Technical Support section of our Web site at:
http://www.compatible.com.
In short, the installation steps are:
1. Install the IntraPort 2 or IntraPort 2+ hardware on your Ethernet
LAN and connect one or both of the 10/100 twisted-pair Ethernet interfaces to a Fast Ethernet or Ethernet hub.
2. Select the management tool you wish to use with the server. If you
want to use the CompatiView management software, you must install the software on a Windows PC computer which is connected to your network.
3. Configure the IntraPort 2/2+ LAN and tunnel parameters using the management tool you have chosen.
4. Install and Configure the VPN Client software for remote users.
The manual is divided into several sections that should provide you
with all the information you will need to use the IntraPort 2/2+ on
your network.
Getting Started
This part of the manual describes the contents of the IntraPort 2/2+
package and outlines the preparation and equipment you will need to
install the device.
Network Installation
This part of the manual includes step-by-step instructions on how to
physically install the server and connect it to your local Ethernet.
Instructions are included for twisted-pair Ethernet environments.
CompatiView Software Installation
This part of the manual describes how to install CompatiView,
Compatible Systems GUI (Graphical User Interface) management
software which is included with your server.
Command Line Preparation
This part of the manual provides basic instructions for using command
line management and text-based configuration.
Basic Configuration Guide
This part of the manual contains a minimal list of parameters that must
be entered into a server for proper operation using CompatiView,
Compatible Systems management software, and text-based configuration.
Chapter 1 - Introduction 3
Alternate Protocols and Security Parameters
This part of the manual lists configuration parameters that must be set in
order to use the IntraPort 2/2+ VPN Access Server with protocols other
than TCP/IP, and when using additional security parameters such as
SecurID and RADIUS.
Appendices
Additional information that might be of interest to you, such as technical specifications, default settings, and how to download current software from the Compatible Systems website, can be found at the end of this guide.

Chapter 2 - Getting Started

A Few Notes

Please Read the Manuals

The manuals included with your IntraPort 2/2+ VPN Access Server
contain very important information about the product and Virtual
Private Networking in general. Please read this manual thoroughly, and
refer to the management reference guides as required. It’s worth the few
minutes it will take.
Also, please fill out the warranty registration card and return it to us
today. This will help us keep you informed of updates to the IntraPort
2/2+ VPN Access Server and future products available from
Compatible Systems. You can also register on the web at
http://www.compatible.com. If you’d like to be notified via e-mail
about new products and receive important news from Compatible
Systems, please join our e-mail list on the web.

Warranty and Service

The IntraPort 2/2+ VPN Access Servers are covered by the Compatible
Systems Integrated Support Package, which includes a lifetime
comprehensive warranty, a twenty-four hour advanced replacement
program, unlimited phone support and software upgrades for the life of
the product.
Compatible Systems maintains copies of current software updates on the Internet. You may download product software from these sources at any time. For more information on downloading current product software, see Appendix E of this manual.

Getting Help with the IntraPort 2/2+ VPN Access Server

If you have a question about the IntraPort 2/2+ VPN Access Server and
can’t find the answer in one of the manuals included with the product,
please visit the technical support section of our Web site
(http://www.compatible.com). This site includes extensive technical
resources which may answer many of your questions. You can also
request technical support by filling out a brief form. Technical support
requests received via the Web form will receive expedited treatment.
You may also call Compatible Systems Corporation or send support questions via e-mail to support@compatible.com. Compatible Systems’ phone number is listed on the front of this guide. We will be happy to
help you.

What You Will Need To Get Started

Before installing the IntraPort 2/2+ VPN Access Server, please check
the list below to make sure that you have received all of the items that
are supplied with the server package.
You should also make sure you have any additional items that are
necessary to connect the server to your network.

Supplied with the IntraPort 2/2+ VPN Access Server

Please check your shipping package for the following items:
IntraPort 2/2+ unit
Wall-mount power supply
One DB-25 male to DB-25 female console cable
CD-ROM including:
   CompatiView software
   Operating software
   VPN Client software (Windows and Mac OS versions)
   HTML version of product documentation (which can be viewed with your favorite web browser)
CompatiView Management Software Reference Guide
Text-Based Configuration and Command Line Management
Reference Guide
VPN Client Reference Guide
Warranty Registration card

Needed for Installation

Before connecting the IntraPort 2/2+ VPN Access Server to your
network, you need to make sure that you have the necessary equipment for connecting to a local Ethernet and/or for remote users to connect to the Internet.

Ethernet Connection Requirements

The server’s Ethernet interfaces directly support full or half duplex
100BaseTx or 10BaseT twisted-pair Ethernet. To connect the server’s
Ethernet interfaces to twisted-pair Ethernet cabling, you will need an
unshielded twisted-pair station cable that is connected to a
10BaseT-compatible twisted-pair hub (for a transmit speed of 10
Mbps) or a 100Mbps Fast Ethernet hub (at either transmit speed) for
each interface you plan to connect.
Note: Ethernet cables and cable connectors are not supplied with the IntraPort 2/2+ product. Please contact your reseller or your Compatible Systems representative for information on obtaining the correct Ethernet cabling supplies.

VPN Client Software Requirements

In order to run the VPN Client software, your remote users will require
one of the following:
A Windows PC with a 486 or later processor and either the Windows95/98 or Windows NT operating system
A Macintosh or compatible computer with a PowerPC CPU, Mac OS 7.6 or later and Open Transport 1.1.1 or later.
Linux kernel 2.0.36 (Intel) and Perl 5.004_04 or higher.
A Sparc machine running a 32 bit Solaris OS.
In addition, remote users must have a PPP-based dial-up connection to an Internet Service Provider or be connected to an Ethernet which is linked to the Internet.

Chapter 3 - Network Installation

Figure 1. IntraPort 2/2+ VPN Access Server Back Panel
This section of the manual describes how to connect the IntraPort 2/2+ VPN Access Server to your Ethernet network. In summary, the steps for installation are:
1. Make sure the server is powered down and not connected to any power source.
2. Connect the server to the Ethernet network(s).
3. Connect a management console to the server (optional).
4. Plug in the power cable and power up the server.

Placing the Server

The IntraPort 2/2+ VPN Access Servers are meant to be left stand-alone on a desktop or equipment table.
Note: When stacking other equipment on the IntraPort 2/2+, do not exceed 25 pounds of evenly distributed weight on top of the device. Additional weight may bend the case.

Connecting the Server to the Ethernet

Because Ethernet 1 is IPSec-only (meaning it will only handle IPSec packets and will drop all other traffic), you need to pay special attention to your Ethernet connection setup.
Ethernet 1 should only be used if you are planning to set the IntraPort 2/2+ to operate in parallel with your existing firewall. This is the recommended setup. In this scenario, Ethernet 1 should be connected to the same Ethernet segment as your Internet gateway router while Ethernet 0 will serve as an IP, IPX and AppleTalk router port for your internal networks.
The other option is to set up the server behind your Internet access router/firewall using Ethernet 0 only. In this scenario, Ethernet 1 is not used and should not be plugged in to anything. You will also have to set up your firewall to allow IPSec traffic through (see the section on setting up an IP Gateway for Ethernet 0 in Chapter 6 for more information).
The 10/100 Ethernet interfaces directly support full or half duplex 100BaseTx or 10BaseT twisted-pair Ethernet. To connect one of the server’s Ethernet interfaces to twisted-pair Ethernet cabling, you will need an unshielded twisted-pair station cable that is connected to a 10BaseT-compatible twisted-pair hub (for a transmit speed of 10 Mbps) or a 100Mbps Fast Ethernet hub (for a transmit speed of 100 Mbps).
Note: Ethernet cables and cable connectors are not supplied with the IntraPort 2/2+. Category 5 cabling is required for 100BaseT operation. Please contact your reseller or your Compatible Systems sales representative for information on obtaining the correct Ethernet cabling supplies.
If your twisted-pair hub is already in place, you can connect the server to an active network without interrupting network activity. The server must be powered off.
Simply plug an unshielded twisted-pair cable (that is already connected to your 10BaseT-compatible or 100BaseTx-compatible twisted-pair hub) into the RJ-45 Ethernet connector on the back of the unit.

Connecting a Management Console

If you wish to connect an out-of-band management console, use the supplied cable and connect to the Console interface on the back of the IntraPort 2/2+. You can use a dumb terminal or a computer equipped with VT100 terminal emulation.
The default settings for the Console interface are VT100 terminal emulation, 9600 bps, 8 bits, no parity, 1 stop bit, and no Flow Control.

Powering Up the Server

Power up the server. At power-up, the server will take approximately one minute to become visible to CompatiView.
Note: If you want to use Telnet as a management tool, you must first configure an IP address into the server with either an out-of-band console, CompatiView or a reconfigured IP host or workstation on the same Ethernet segment as the server. See Chapter 5 - Command Line Management.

Chapter 4 - CompatiView Software Installation

All of the products in the Compatible Systems networking family, including all IntraPort servers, RISC Router and MicroRouter models, can be managed from a single management platform called CompatiView. CompatiView is included on the CD-ROM which was shipped with your IntraPort 2/2+ VPN Access Server. If your IntraPort 2/2+ is running software version 5.0 or later, then you must use CompatiView version 5.3 or later. Earlier versions of CompatiView will not be able to log into the server.
Note: An older version of CompatiView for Mac OS is also included on the CD-ROM shipped with your server. The Mac OS version can be used with other Compatible products such as MicroRouters and RISC Routers; however, it is not compatible with the IntraPort 2/2+ VPN Access Server software. You must use CompatiView for Windows, versions 5.0 or later, to manage your server with CompatiView. PC emulator software such as SoftWindows may be used for this purpose, if your Macintosh supports it.
Note: Once you have installed CompatiView, you can find more information on how to use it in the CompatiView Management Software Reference Guide which was included with your server.

CompatiView for Windows

CompatiView for Windows allows you to manage the server from an IBM-compatible PC running Windows95/98 or Windows NT. The PC can either be configured as an IPX client on a Novell NetWare internet, or as an IP WinSock client on an IP internet.

System Requirements

In order to successfully run CompatiView for Windows, you need:
IBM PC or compatible w/ 486 or later processor
Microsoft Windows95/98 or Windows NT (version 3.51 or later)
installed
VGA or better monitor
IP - A WinSock-compatible transport stack
- and/or -
IPX - A Netware or Microsoft Client installation
Note: To choose the active transport protocol on a Windows machine which has both IPX and IP installed, select “Options” from the Database menu and click the General tab. Then select the appropriate radio button under “Transport.”

Installation and Operation

The Windows version of the CompatiView program can be found in the Network Management/CompatiView/Windows directory on the CD-ROM that was included with your IntraPort 2/2+ VPN Access Server.
Run the auto-installation program (CV5x file) by double-clicking on it. The installation program will ask you to select (or create) a directory in which it should locate CompatiView and its associated files and database subdirectory.
Once the installation is complete, double click on the CompatiView icon to open the program. For further information on using CompatiView, see the CompatiView Management Software Reference Guide included with your server.
Note: For an up-to-date description of the changes (if any) made to Windows system files by the installation program, see the README.TXT file located in the CompatiView installation directory.

Transport Protocols and CompatiView

CompatiView will be able to use the transport protocol (IP or IPX) you have selected to access Compatible Systems products anywhere on your internetwork. Depending on your security setup, you may also be able to use the IP transport option to manage devices across the Internet.
The IP protocol does not provide a method for CompatiView to automatically discover the IntraPort 2/2+ VPN Access Server. To initially contact the server over IP using CompatiView, you must first enter a valid IP address into the server. You can do this either on a console directly connected to the server or by setting a workstation’s IP address to 198.41.12.2 with a Class C subnet mask (255.255.255.0) so that it can communicate over Ethernet with 198.41.12.1 (the shipping default of Ethernet 0). After setting the server’s IP address, be sure to change the workstation’s configuration back to its original settings.
The IPX protocol does allow CompatiView to automatically discover the server. Compatible Systems devices are configured to autoseed the two most common IPX frame types upon startup (802.2 and 802.3 (raw)). If CompatiView has the IPX/SPX protocol selected as its transport, it will be necessary to either power up the server before powering up the workstation, or reboot the workstation after the server has completed its boot sequence. This process will ensure that the workstation and the server have the proper IPX network bindings for communication.
For more information on using CompatiView management software to configure your server, see Chapter 6 - Basic Configuration Guide.

Chapter 5 - Command Line Management

The command line interface allows you to configure and monitor the server in-band via Telnet or out-of-band with a terminal connected to the server’s Console interface.
Note: Proper syntax is vital to effective operation of command line management. Case is not significant – you may enter commands in upper case, lower case, or a combination of the two.

Out-of-Band Command Line Management

You can use command line management and text-based configuration out-of-band as a permanent management method, or only temporarily in order to set the server’s IP parameters to allow in-band Telnet access.
In order to access the command line out-of-band, do the following:
1. Set a terminal or a PC equipped with VT100 terminal emulation to a baud rate of 9600, 8 bits, no parity, 1 stop bit and no Flow Control.
2. Connect it to the server’s Console interface using the cable which was supplied with the IntraPort 2/2+.
3. Press the <Return> key one or two times.
4. Enter the default password letmein at the password prompt. The command line interface prompt will appear on the screen.
If you plan to use out-of-band access for ongoing management of your server, you can find further information on configuring your server in Chapter 6 - Basic Configuration using Command Line. Otherwise, see the section later in this chapter on Setting Up Telnet Operation for information on setting the server to allow Telnet access from hosts on its network.

Temporarily Reconfiguring a Host for Command Line Management

You can temporarily reconfigure an IP host in order to set the server’s IP parameters to allow in-band Telnet access.
If you wish to set the server’s basic IP parameters in this fashion, the host must be on the same Ethernet segment as the IntraPort server’s Ethernet 0 interface. You can then do the following:
1. Set the host’s IP address to 198.41.12.2, with a Class C subnet mask (255.255.255.0) and then Telnet to 198.41.12.1.
2. Enter the default password letmein at the password prompt. The command line interface prompt will appear on the screen.
3. Use the configure command and set the IPAddress, SubnetMask, and IPBroadcast keywords in the IP Ethernet 0 section.
4. Use the save command to save the changes to the device’s Flash ROM.
5. Change the host’s configuration back to its original settings.
See the next section (Setting Up Telnet Operation) for information on setting the server to allow Telnet access from hosts on its network.

Setting Up Telnet Operation

Telnet is a remote terminal communications protocol based on TCP/IP. With Telnet you can log into and manage the IntraPort 2/2+ from anywhere on your IP internetwork, including across the Internet if your security setup allows it.
To manage the server with Telnet, you must:
1. Run Telnet client software on your local computer, which will communicate with the Telnet server built into the IntraPort 2/2+.
2. You must also set some basic IP parameters in the server. The required parameters for Telnet access to an interface are the IP address, IP subnet mask, and IP broadcast address. There are several ways to set them.
   You may set them using text-based configuration either out-of-band via the Console interface or in-band via a reconfigured IP host. Instructions for setting up these two methods were given earlier in this chapter. Once you have set up the command line interface, do the following:
   A. Use the configure command and set the IPAddress, SubnetMask, and IPBroadcast keywords in the IP Ethernet 0 section.
   B. Use the save command to save the changes to the device’s Flash ROM.
   You may also use CompatiView from a reconfigured IP host (if using the IP transport protocol), or anywhere on your network (if using the IPX transport protocol). Instructions for these two methods are given in Chapter 4 - CompatiView Software Installation.
With CompatiView, basic IP parameters can be set using the TCP/IP Routing: Ethernet 0:0 dialog box. Use the Save to/Device option under the File menu to save the changes.
After you have set these IP parameters and saved the changes, you can use Telnet to access the server from any node on your IP network. Invoke the Telnet client on your local host with the IP address of the server you wish to manage.
For more information on using Text-Based Configuration and Command Line Management to configure your server, see Chapter 6 - Basic Configuration Guide.
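The three IP parameters that Telnet access depends on (IPAddress, SubnetMask and IPBroadcast in the IP Ethernet 0 section) are easy to get inconsistent when typed by hand at the console, and the server is not reachable in-band until they are right. The following Python check is an added example, not code from Compatible Systems or this manual: it assumes the text-based configuration file uses INI-style section headers such as "[ IP Ethernet 0 ]" holding "Keyword = value" lines (the section syntax is an assumption; the keyword names and the 198.41.12.1 shipping default are from the manual), parses such a file, and reports missing keywords, a broadcast address that does not match the address and mask, an address that is not a usable host address, and an Ethernet 0 address left at the shipping default.

```python
"""Sanity-check the basic IP parameters of an IntraPort text-based configuration.

Added example (not Compatible Systems code). Section syntax "[ IP Ethernet N ]"
with "Keyword = value" lines is an assumption; the keywords IPAddress,
SubnetMask, IPBroadcast and the 198.41.12.1 shipping default come from the manual.
"""
import ipaddress
import re

REQUIRED = ("IPAddress", "SubnetMask", "IPBroadcast")
SHIPPING_DEFAULT = ipaddress.IPv4Address("198.41.12.1")  # Ethernet 0 default per the manual

# Constructed sample configuration: Ethernet 0 still carries the shipping default
# address and its broadcast address belongs to a different subnet; Ethernet 1 is fine.
SAMPLE_CONFIG = """\
[ IP Ethernet 0 ]
IPAddress   = 198.41.12.1
SubnetMask  = 255.255.255.0
IPBroadcast = 192.168.1.255

[ IP Ethernet 1 ]
IPAddress   = 203.0.113.10
SubnetMask  = 255.255.255.248
IPBroadcast = 203.0.113.15
"""

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")


def parse_sections(text):
    """Return {section_name: {keyword: value}} for the assumed INI-style layout."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not a keyword assignment
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def check_interface(params):
    """Return a list of findings for one 'IP Ethernet N' section; an empty list means OK."""
    missing = [k for k in REQUIRED if k not in params]
    if missing:
        return ["missing keyword(s): " + ", ".join(missing)]
    try:
        addr = ipaddress.IPv4Address(params["IPAddress"])
        # strict=False lets the address be a host inside the network, not the network itself
        net = ipaddress.IPv4Network(f"{addr}/{params['SubnetMask']}", strict=False)
        bcast = ipaddress.IPv4Address(params["IPBroadcast"])
    except ValueError as exc:
        return [f"unparseable value: {exc}"]
    findings = []
    if addr in (net.network_address, net.broadcast_address):
        findings.append(f"IPAddress {addr} is the network or broadcast address of {net}, not a host address")
    if bcast != net.broadcast_address:
        findings.append(f"IPBroadcast {bcast} should be {net.broadcast_address} for {net}")
    if addr == SHIPPING_DEFAULT:
        findings.append("IPAddress is still the shipping default 198.41.12.1")
    return findings


def check_config(text):
    """Check every 'IP Ethernet' section of a configuration; returns {section: [findings]}."""
    return {name: check_interface(params)
            for name, params in parse_sections(text).items()
            if name.startswith("IP Ethernet")}


if __name__ == "__main__":
    for section, findings in check_config(SAMPLE_CONFIG).items():
        print(section, "OK" if not findings else "; ".join(findings))
```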