Lancom Systems VPN 1711 User Manual

... connecting your business

LANCOM 1711 VPN

Business VPN router for professional site connectivity

쮿 5 IPSec VPN channels integrated; optional: 25 simultaneous VPN channels and hardware

VPN accelerator

쮿 Stateful-inspection firewall with intrusion detection/denial-of- service protection

쮿 4 separable switch ports

쮿 Quality of Service and bandwidth management

쮿 Load balancing with up to 4 WAN connections

쮿 ISDN interface for remote access, remote maintenance and dial-backup

쮿 For connection to an ADSL/SDSL/cable modem

쮿 Optional: VoIP PBX with SIP proxy and SIP gateway functions

The LANCOM 1711 VPN serves as a central firewall and VPN gateway for smaller and medium-sized sites.

Equipped with 5 VPN channels as standard, the LANCOM 1711 VPN can be combined with the 25-channel VPN-option activated VPN hardware accelerator that has sufficient

reserves for up to 25 simultaneous VPN dial-in connections (e.g. with the LANCOM Advanced VPN Client) or for site coupling with demanding applications such as VoIP.

LANCOM Dynamic VPN, our IPSec extension, offers the active establishment of connections to remote sites with dynamic IP addresses—even when the remote site is not always on.

More Security.

The integrated firewall with the latest security functions such as stateful inspection, Intrusion Detection and Denial-of- Service protection is supplemented by dynamic bandwidth

management and comprehensive functions for backup, high-availability and redundancy. The integrated VPN gateway that fulfills the IPSec standard, and the optional hardware

accelerator provide optimal security for connecting telecommuters and branch offices thanks to the high-security 3- DES or AES encryption and support of digital certificates.

More Management.

The management systems LANconfig and LANmonitor are included and offer not only cost-effective remote maintenance of entire installations and highly convenient setup wizards,

but also full real-time monitoring and logging. What’s more, service providers benefit from the broad range of scripting methods and professional access with individual access

rights for administrators via SSH, HTTPS, TFTP and ISDN dial-in.

More Benefits.

The versatile functions for address translation and routing allow completely different networks to be connected over common infrastructure. Existing networks at partner companies,

home-office workstations or subsidiaries can be integrated into the VPN without problem. With the option of port separation and a separate address range, your own web servers

can be securely separated from the LAN.

Upgrading with LANCOM VoIP Advanced Option and VoIP-32 Option to a VoIP PBX for up to 32 subscribers offers big savings through the use of existing data connections for

voice transmission (VoIP telephony) and no need for a separate PBX.

The integrated ISDN interface allows remote field installations, dial-up access and CAPI featured functions such as fax services for all connected PCs.

More Reliability for the Future.

From the very start, LANCOM products are designed for a product life of several years. They are equipped with hardware dimensioned for the future. Even reaching back to older

product generations, updates to the LANCOM Operating System—LCOS—are available several times a year, free of charge and offering major features. LANCOM offers unbeatable

protection of your investment!

LANCOM 1711 VPN

Firewall

Stateful inspection firewall Incoming/Outgoing Traffic inspection based on connection information

Packet filter Check based on the header information of an IP packet (IP or MAC source/destination addresses; source/destination ports,

Extended port forwarding Network Address Translation (NAT) based on protocol and WAN address, i.e. to make internal webservers accessible from WAN

N:N IP address mapping N:N IP address mapping for translation of IP addresses or entire networks

Tagging The firewall marks packets with routing tags, e.g. for policy-based routing

Actions Forward, drop, reject, block sender address, close destination port, disconnect

Notification Via e- mail, SYSLOG or SNMP trap

Quality of Service

Traffic shaping Dynamic bandwidth management with IP traffic shaping

Bandwidth reservation Dynamic reservation of minimum and maximum bandwidths, totally or connection bases, separate settings for send and receive

DiffServ/TOS Priority queuing of packets based on DiffServ/TOS fields

Packet-size control Automatic packet-size control by fragmentation or Path Maximum Transmission Unit (PMTU) adjustment.

Layer 2/Layer 3 tagging Automatic or fixed translation of layer-2 priority information (802.11p- marked Ethernet frames) to layer-3 DiffServ attributes in

Security

Intrusion Prevention Monitoring and blocking of login attempts and port scans

IP spoofing Source IP address check on all interfaces: only IP addresses belonging to the defined IP networks are allowed

Access control lists Filtering of IP or MAC addresses and preset protocols for configuration access and LANCAPI

Denial of Service protection Protection from fragmentation errors and SYN flooding

General Detailed settings for handling reassembly, PING, stealth mode and AUTH port

URL blocker Filtering of unwanted URLs based on DNS hitlists and wildcard filters

Password protection Password-protected configuration access can be set for each interface

Alerts Alerts via e-mail, SNMP- Traps and SYSLOG

Authentication mechanisms PAP, CHAP and MS-CHAP as PPP authentication mechanism

Anti-theft Anti-theft ISDN site verification over B or D channel (self-initiated call back and blocking)

Adjustable reset button Adjustable reset button for "ignore", "boot-only" and "reset-or-boot

High availability / redundancy

VRRP VRRP (Virtual Router Redundancy Protocol) for backup in case of failure of a device or remote station. Enables passive standby

FirmSafe For completely safe software upgrades thanks to two stored firmware versions, incl. test mode for firmware updates

ISDN backup In case of failure of the main connection, a backup connection is established over ISDN; automatic return to the main connection

Analog/GSM modem backup Optional operation of an analog or GSM modem at the serial interface

Load balancing Static and dynamic load balancing over up to 4 WAN connections; channel bundling with Multilink PPP (if supported by network

VPN redundancy Control of up to 16 redundant VPN gateways for high availability or load balancing

Line monitoring Line monitoring with LCP echo monitoring, dead-peer detection and up to 4 addresses for end-to-end monitoring with ICMP

VPN

1-Click- VPN Client assistant One click function in LANconfig to create VPN client connections, incl. automatic profile creation for the LANCOM Advanced

1-Click- VPN Site- to- Site Creation of VPN connections between LANCOM router via drag and drop in LANconfig

Number of VPN tunnels 5 IPSec connections active simultaneously (25 with VPN-25 Option), 25 connections configurable (50 with VPN-25 Option).

Hardware accelerator (optional) Activated 3DES/AES hardware encryption with the VPN-25 Option

IKE IPSec key exchange with Preshared Key or certificate

Certificates X.509 digital certificate support, compatible with Microsoft Server / Enterprise Server and OpenSSL, upload of PKCS#12 files via

Certificate rollout Automatic creation, rollout and renewal of certificates via SCEP (Simple Certificate Enrollment Protocol)

DiffServ attribute); remote-site dependant, direction dependant, bandwidth dependant

directions

routing mode. Translation from layer 3 to layer 2 with automatic recognition of 802.1p-support in the destination device.

groups or reciprocal backup between multiple active devices including load balancing and user definable backup priorities

operator)

polling.

VPN Client

Configuration of all remote sites via one configuration entry when using the RAS user template or Proadaptive VPN

HTTPS interface

Scope of features: as of LCOS version 7.2